home.social

#emailadmin — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #emailadmin, aggregated by home.social.

  1. the most common DMARC mistake I see is publishing the record and walking away

    it's the right first step

    but I see domains that have been at p=none for years

    the path is:

    - p=none
    - collect reports for 4-8 weeks
    - identify all legitimate senders
    - move subdomain policy to reject
    - move organizational policy to quarantine
    - then reject

    dmarcguard.io/blog/dmarc-polic

    #DMARC #EmailSecurity #EmailAdmin #InfoSec

  2. the most common DMARC mistake I see is publishing the record and walking away

    it's the right first step

    but I see domains that have been at p=none for years

    the path is:

    - p=none
    - collect reports for 4-8 weeks
    - identify all legitimate senders
    - move subdomain policy to reject
    - move organizational policy to quarantine
    - then reject

    dmarcguard.io/blog/dmarc-polic

    #DMARC #EmailSecurity #EmailAdmin #InfoSec

  3. the most common DMARC mistake I see is publishing the record and walking away

    it's the right first step

    but I see domains that have been at p=none for years

    the path is:

    - p=none
    - collect reports for 4-8 weeks
    - identify all legitimate senders
    - move subdomain policy to reject
    - move organizational policy to quarantine
    - then reject

    dmarcguard.io/blog/dmarc-polic

    #DMARC #EmailSecurity #EmailAdmin #InfoSec

  4. the most common DMARC mistake I see is publishing the record and walking away

    it's the right first step

    but I see domains that have been at p=none for years

    the path is:

    - p=none
    - collect reports for 4-8 weeks
    - identify all legitimate senders
    - move subdomain policy to reject
    - move organizational policy to quarantine
    - then reject

    dmarcguard.io/blog/dmarc-polic

    #DMARC #EmailSecurity #EmailAdmin #InfoSec

  5. A major new spam campaign has been launched by Linode servers using 3rd and 4th tier subdomains of throwaway domains, mostly .us and .cl all with
    Return-Path: <[email protected]>

    #EmailAdmin #SpamAlert

  6. A major new spam campaign has been launched by Linode servers using 3rd and 4th tier subdomains of throwaway domains, mostly .us and .cl all with
    Return-Path: <[email protected]>

    #EmailAdmin #SpamAlert

  7. A major new spam campaign has been launched by Linode servers using 3rd and 4th tier subdomains of throwaway domains, mostly .us and .cl all with
    Return-Path: <[email protected]>

    #EmailAdmin #SpamAlert

  8. A major new spam campaign has been launched by Linode servers using 3rd and 4th tier subdomains of throwaway domains, mostly .us and .cl all with
    Return-Path: <[email protected]>

    #EmailAdmin #SpamAlert

  9. I have an enforcing #DMARC policy set up on my personal email domain. I use #DMARCAnalyzer for processing aggregate reports from servers that send them. Every week I log in and check to make sure everything's fine, i.e., (a) there isn't a significant uptick of people forging emails from my domain that I should look into (unlikely), and (b) I haven't broken something stupid in my infrastructure and caused my own outbound emails to violate my policy.
    #SMTP #emailAdmin #sysAdmin (1/2)

  10. I have an enforcing #DMARC policy set up on my personal email domain. I use #DMARCAnalyzer for processing aggregate reports from servers that send them. Every week I log in and check to make sure everything's fine, i.e., (a) there isn't a significant uptick of people forging emails from my domain that I should look into (unlikely), and (b) I haven't broken something stupid in my infrastructure and caused my own outbound emails to violate my policy.
    #SMTP #emailAdmin #sysAdmin (1/2)

  11. I have an enforcing #DMARC policy set up on my personal email domain. I use #DMARCAnalyzer for processing aggregate reports from servers that send them. Every week I log in and check to make sure everything's fine, i.e., (a) there isn't a significant uptick of people forging emails from my domain that I should look into (unlikely), and (b) I haven't broken something stupid in my infrastructure and caused my own outbound emails to violate my policy.
    #SMTP #emailAdmin #sysAdmin (1/2)

  12. I have an enforcing #DMARC policy set up on my personal email domain. I use #DMARCAnalyzer for processing aggregate reports from servers that send them. Every week I log in and check to make sure everything's fine, i.e., (a) there isn't a significant uptick of people forging emails from my domain that I should look into (unlikely), and (b) I haven't broken something stupid in my infrastructure and caused my own outbound emails to violate my policy.
    #SMTP #emailAdmin #sysAdmin (1/2)

  13. I have an enforcing #DMARC policy set up on my personal email domain. I use #DMARCAnalyzer for processing aggregate reports from servers that send them. Every week I log in and check to make sure everything's fine, i.e., (a) there isn't a significant uptick of people forging emails from my domain that I should look into (unlikely), and (b) I haven't broken something stupid in my infrastructure and caused my own outbound emails to violate my policy.
    #SMTP #emailAdmin #sysAdmin (1/2)

  14. tfw you can't get the verification code sent by your health insurance company to your email because the IP address it's coming from is listed in Spamhaus AND the email they're sending violates their enforcing DMARC policy. *sigh*
    #infosec #DMARC #Spamhaus #SysAdmin #EmailAdmin #healthInsurance

  15. tfw you can't get the verification code sent by your health insurance company to your email because the IP address it's coming from is listed in Spamhaus AND the email they're sending violates their enforcing DMARC policy. *sigh*
    #infosec #DMARC #Spamhaus #SysAdmin #EmailAdmin #healthInsurance

  16. tfw you can't get the verification code sent by your health insurance company to your email because the IP address it's coming from is listed in Spamhaus AND the email they're sending violates their enforcing DMARC policy. *sigh*
    #infosec #DMARC #Spamhaus #SysAdmin #EmailAdmin #healthInsurance

  17. tfw you can't get the verification code sent by your health insurance company to your email because the IP address it's coming from is listed in Spamhaus AND the email they're sending violates their enforcing DMARC policy. *sigh*
    #infosec #DMARC #Spamhaus #SysAdmin #EmailAdmin #healthInsurance

  18. tfw you can't get the verification code sent by your health insurance company to your email because the IP address it's coming from is listed in Spamhaus AND the email they're sending violates their enforcing DMARC policy. *sigh*
    #infosec #DMARC #Spamhaus #SysAdmin #EmailAdmin #healthInsurance

  19. it only takes 2 DNS records to fully disallow sending email as your domain to protect yourself from forgery

    TXT record . ( example.com ) - "v=spf1 -all"
    TXT record _dmarc ( _dmarc.example.com ) - "v=DMARC1;p=reject;rua=mailto:<your email>;adkim=s;aspf=s;sp=reject"
    

    yall should do it

    • the SPF record indicates that no mail servers are authorized to send emails on behalf of your domain ( the -all specifies a hard fail, meaning that any email sent from this domain will be rejected )
    • the DMARC record instructs receiving mail servers to reject any emails that fail DMARC checks ( the p=reject policy ensures that unauthorized emails are not delivered, rua tag allows you to receive reports about any failed authentication attempts ( which are optional and you can remove it if you dont want it ), while adkim=s and aspf=s enforce strict alignment for DKIM and SPF )

    it can always be undone later, but if you dont have an email server running, its a smart idea to disable emails though these dns records

    #email #sysadmin #spoofing #dns #emailspoof #emailadmin #domains #dmarc #spf

  20. it only takes 2 DNS records to fully disallow sending email as your domain to protect yourself from forgery

    TXT record . ( example.com ) - "v=spf1 -all"
    TXT record _dmarc ( _dmarc.example.com ) - "v=DMARC1;p=reject;rua=mailto:<your email>;adkim=s;aspf=s;sp=reject"
    

    yall should do it

    • the SPF record indicates that no mail servers are authorized to send emails on behalf of your domain ( the -all specifies a hard fail, meaning that any email sent from this domain will be rejected )
    • the DMARC record instructs receiving mail servers to reject any emails that fail DMARC checks ( the p=reject policy ensures that unauthorized emails are not delivered, rua tag allows you to receive reports about any failed authentication attempts ( which are optional and you can remove it if you dont want it ), while adkim=s and aspf=s enforce strict alignment for DKIM and SPF )

    it can always be undone later, but if you dont have an email server running, its a smart idea to disable emails though these dns records

    #email #sysadmin #spoofing #dns #emailspoof #emailadmin #domains #dmarc #spf

  21. CORRECTION!

    I made a post about OPENPGPKEY DNS records, and turns out I misread the content relating to it. It is the hash as bytes that is truncated, not the digest itself.

    I have corrected my DNS records, the script at https://gist.github.com/TruncatedDinoSour/a0874bf1e90647a9a49985e531d9d15f and the blog post at https://blog.ari.lt/b/openpgpkey-records-are-cool/ - It was an honest mistake!

    Regardless, all good now and I have put in efforts to retract the wrong version ASAP 😭 The RFC by “octets” means a byte in the actual hash of sha-256 output, not the hex digest.

    Anyway, you should still set OPENPGPKEY stuff up :p Ofc now hearing with CORRECT information :D

    #email #pgp #gpg #sysadmin #emailadmin #dns #rfc

  22. CORRECTION!

    I made a post about OPENPGPKEY DNS records, and turns out I misread the content relating to it. It is the hash as bytes that is truncated, not the digest itself.

    I have corrected my DNS records, the script at https://gist.github.com/TruncatedDinoSour/a0874bf1e90647a9a49985e531d9d15f and the blog post at https://blog.ari.lt/b/openpgpkey-records-are-cool/ - It was an honest mistake!

    Regardless, all good now and I have put in efforts to retract the wrong version ASAP 😭 The RFC by “octets” means a byte in the actual hash of sha-256 output, not the hex digest.

    Anyway, you should still set OPENPGPKEY stuff up :p Ofc now hearing with CORRECT information :D

    #email #pgp #gpg #sysadmin #emailadmin #dns #rfc

  23. CORRECTION!

    I made a post about OPENPGPKEY DNS records, and turns out I misread the content relating to it. It is the hash as bytes that is truncated, not the digest itself.

    I have corrected my DNS records, the script at https://gist.github.com/TruncatedDinoSour/a0874bf1e90647a9a49985e531d9d15f and the blog post at https://blog.ari.lt/b/openpgpkey-records-are-cool/ - It was an honest mistake!

    Regardless, all good now and I have put in efforts to retract the wrong version ASAP 😭 The RFC by “octets” means a byte in the actual hash of sha-256 output, not the hex digest.

    Anyway, you should still set OPENPGPKEY stuff up :p Ofc now hearing with CORRECT information :D

    #email #pgp #gpg #sysadmin #emailadmin #dns #rfc

  24. Hello #MailServer maintainers! If you are using rbl.realtimeblacklist.com, you should be aware that as of around 4am US/Eastern this morning their domain has been parked and is returning bogus #DNSBL results. I suspect that the registration lapsed and a domain resale stalker snapped it up, though I can't say for certain. Perhaps it's a temporary blip that will be resolved, but you should stop using it in the meantime.
    #SysAdmin #SMTP #EmailAdmin

  25. Hello #MailServer maintainers! If you are using rbl.realtimeblacklist.com, you should be aware that as of around 4am US/Eastern this morning their domain has been parked and is returning bogus #DNSBL results. I suspect that the registration lapsed and a domain resale stalker snapped it up, though I can't say for certain. Perhaps it's a temporary blip that will be resolved, but you should stop using it in the meantime.
    #SysAdmin #SMTP #EmailAdmin

  26. Hello #MailServer maintainers! If you are using rbl.realtimeblacklist.com, you should be aware that as of around 4am US/Eastern this morning their domain has been parked and is returning bogus #DNSBL results. I suspect that the registration lapsed and a domain resale stalker snapped it up, though I can't say for certain. Perhaps it's a temporary blip that will be resolved, but you should stop using it in the meantime.
    #SysAdmin #SMTP #EmailAdmin

  27. Hello #MailServer maintainers! If you are using rbl.realtimeblacklist.com, you should be aware that as of around 4am US/Eastern this morning their domain has been parked and is returning bogus #DNSBL results. I suspect that the registration lapsed and a domain resale stalker snapped it up, though I can't say for certain. Perhaps it's a temporary blip that will be resolved, but you should stop using it in the meantime.
    #SysAdmin #SMTP #EmailAdmin

  28. Hello #MailServer maintainers! If you are using rbl.realtimeblacklist.com, you should be aware that as of around 4am US/Eastern this morning their domain has been parked and is returning bogus #DNSBL results. I suspect that the registration lapsed and a domain resale stalker snapped it up, though I can't say for certain. Perhaps it's a temporary blip that will be resolved, but you should stop using it in the meantime.
    #SysAdmin #SMTP #EmailAdmin

  29. "Why are you rejecting our emails?”

    “Your SPF doesn’t include the servers your mail comes from.”

    “What’s SPF?”

    “A thing that says which servers can send mail for your domain.”

    “Why do I need to do that? I don’t have problems writing to anyone else.”

    “You will, and you really should fix it. Just let your mail admin know.”

    “OK fine, but I’m the mail admin… so how do I fix it?”

    “You just have to update a DNS record.”

    “What’s DNS?”

    💀 💀 💀

    #SysAdmin #EmailAdmin

  30. "Why are you rejecting our emails?”

    “Your SPF doesn’t include the servers your mail comes from.”

    “What’s SPF?”

    “A thing that says which servers can send mail for your domain.”

    “Why do I need to do that? I don’t have problems writing to anyone else.”

    “You will, and you really should fix it. Just let your mail admin know.”

    “OK fine, but I’m the mail admin… so how do I fix it?”

    “You just have to update a DNS record.”

    “What’s DNS?”

    💀 💀 💀

    #SysAdmin #EmailAdmin

  31. "Why are you rejecting our emails?”

    “Your SPF doesn’t include the servers your mail comes from.”

    “What’s SPF?”

    “A thing that says which servers can send mail for your domain.”

    “Why do I need to do that? I don’t have problems writing to anyone else.”

    “You will, and you really should fix it. Just let your mail admin know.”

    “OK fine, but I’m the mail admin… so how do I fix it?”

    “You just have to update a DNS record.”

    “What’s DNS?”

    💀 💀 💀

    #SysAdmin #EmailAdmin

  32. "Why are you rejecting our emails?”

    “Your SPF doesn’t include the servers your mail comes from.”

    “What’s SPF?”

    “A thing that says which servers can send mail for your domain.”

    “Why do I need to do that? I don’t have problems writing to anyone else.”

    “You will, and you really should fix it. Just let your mail admin know.”

    “OK fine, but I’m the mail admin… so how do I fix it?”

    “You just have to update a DNS record.”

    “What’s DNS?”

    💀 💀 💀

    #SysAdmin #EmailAdmin

  33. "Why are you rejecting our emails?”

    “Your SPF doesn’t include the servers your mail comes from.”

    “What’s SPF?”

    “A thing that says which servers can send mail for your domain.”

    “Why do I need to do that? I don’t have problems writing to anyone else.”

    “You will, and you really should fix it. Just let your mail admin know.”

    “OK fine, but I’m the mail admin… so how do I fix it?”

    “You just have to update a DNS record.”

    “What’s DNS?”

    💀 💀 💀

    #SysAdmin #EmailAdmin

  34. Received a bunch of phishing messages from random senders at the domain of a large, prestigious university. They passed SPF checks, so out of curiosity I looked up their record. It includes two entire /16 networks. And to top it off their DMARC policy is set to “none”. 😭 #SysAdmin #EmailAdmin

  35. Received a bunch of phishing messages from random senders at the domain of a large, prestigious university. They passed SPF checks, so out of curiosity I looked up their record. It includes two entire /16 networks. And to top it off their DMARC policy is set to “none”. 😭 #SysAdmin #EmailAdmin

  36. Received a bunch of phishing messages from random senders at the domain of a large, prestigious university. They passed SPF checks, so out of curiosity I looked up their record. It includes two entire /16 networks. And to top it off their DMARC policy is set to “none”. 😭 #SysAdmin #EmailAdmin

  37. Received a bunch of phishing messages from random senders at the domain of a large, prestigious university. They passed SPF checks, so out of curiosity I looked up their record. It includes two entire /16 networks. And to top it off their DMARC policy is set to “none”. 😭 #SysAdmin #EmailAdmin

  38. Received a bunch of phishing messages from random senders at the domain of a large, prestigious university. They passed SPF checks, so out of curiosity I looked up their record. It includes two entire /16 networks. And to top it off their DMARC policy is set to “none”. 😭 #SysAdmin #EmailAdmin

  39. If anyone is following along, I came up with a solution to my Gmail gateway.

    It’s bash because is there any other way?

    It scrapes Google’s list of networks from DNS and collects them in a temp file.

    If a network isn’t already allowed in iptables, a rule gets added.

    It diffs against my production list. If the files don’t match it updates the production one and restarts Postfix.

    The file is assigned to mynetworks in Postfix:
    mynetworks = /etc/postfix/mynetworks.cidr

    #SysAdmin #EmailAdmin

  40. If anyone is following along, I came up with a solution to my Gmail gateway.

    It’s bash because is there any other way?

    It scrapes Google’s list of networks from DNS and collects them in a temp file.

    If a network isn’t already allowed in iptables, a rule gets added.

    It diffs against my production list. If the files don’t match it updates the production one and restarts Postfix.

    The file is assigned to mynetworks in Postfix:
    mynetworks = /etc/postfix/mynetworks.cidr

    #SysAdmin #EmailAdmin

  41. If anyone is following along, I came up with a solution to my Gmail gateway.

    It’s bash because is there any other way?

    It scrapes Google’s list of networks from DNS and collects them in a temp file.

    If a network isn’t already allowed in iptables, a rule gets added.

    It diffs against my production list. If the files don’t match it updates the production one and restarts Postfix.

    The file is assigned to mynetworks in Postfix:
    mynetworks = /etc/postfix/mynetworks.cidr

    #SysAdmin #EmailAdmin

  42. If anyone is following along, I came up with a solution to my Gmail gateway.

    It’s bash because is there any other way?

    It scrapes Google’s list of networks from DNS and collects them in a temp file.

    If a network isn’t already allowed in iptables, a rule gets added.

    It diffs against my production list. If the files don’t match it updates the production one and restarts Postfix.

    The file is assigned to mynetworks in Postfix:
    mynetworks = /etc/postfix/mynetworks.cidr

    #SysAdmin #EmailAdmin

  43. If anyone is following along, I came up with a solution to my Gmail gateway.

    It’s bash because is there any other way?

    It scrapes Google’s list of networks from DNS and collects them in a temp file.

    If a network isn’t already allowed in iptables, a rule gets added.

    It diffs against my production list. If the files don’t match it updates the production one and restarts Postfix.

    The file is assigned to mynetworks in Postfix:
    mynetworks = /etc/postfix/mynetworks.cidr

    #SysAdmin #EmailAdmin

  44. Our students are on Gmail. Staff are on-prem for now.

    Staff see “external sender” warnings on student mail (added by Barracuda). I’d like to skip that via an outbound gateway in Google. <support.google.com/a/answer/17>

    I can programmatically get Google netblocks from _spf.google.com

    What's the best approach to keeping them up-to-date in Postfix or Sendmail as permitted relay hosts?

    I can kludge something together but wondering if anyone already did it and has recommendations.

    #SysAdmin #EmailAdmin

  45. Our students are on Gmail. Staff are on-prem for now.

    Staff see “external sender” warnings on student mail (added by Barracuda). I’d like to skip that via an outbound gateway in Google. <support.google.com/a/answer/17>

    I can programmatically get Google netblocks from _spf.google.com

    What's the best approach to keeping them up-to-date in Postfix or Sendmail as permitted relay hosts?

    I can kludge something together but wondering if anyone already did it and has recommendations.

    #SysAdmin #EmailAdmin

  46. Our students are on Gmail. Staff are on-prem for now.

    Staff see “external sender” warnings on student mail (added by Barracuda). I’d like to skip that via an outbound gateway in Google. <support.google.com/a/answer/17>

    I can programmatically get Google netblocks from _spf.google.com

    What's the best approach to keeping them up-to-date in Postfix or Sendmail as permitted relay hosts?

    I can kludge something together but wondering if anyone already did it and has recommendations.

    #SysAdmin #EmailAdmin

  47. Our students are on Gmail. Staff are on-prem for now.

    Staff see “external sender” warnings on student mail (added by Barracuda). I’d like to skip that via an outbound gateway in Google. <support.google.com/a/answer/17>

    I can programmatically get Google netblocks from _spf.google.com

    What's the best approach to keeping them up-to-date in Postfix or Sendmail as permitted relay hosts?

    I can kludge something together but wondering if anyone already did it and has recommendations.

    #SysAdmin #EmailAdmin

  48. Our students are on Gmail. Staff are on-prem for now.

    Staff see “external sender” warnings on student mail (added by Barracuda). I’d like to skip that via an outbound gateway in Google. <support.google.com/a/answer/17>

    I can programmatically get Google netblocks from _spf.google.com

    What's the best approach to keeping them up-to-date in Postfix or Sendmail as permitted relay hosts?

    I can kludge something together but wondering if anyone already did it and has recommendations.

    #SysAdmin #EmailAdmin

  49. Email blacklists that still use Dynamic User and Host Lists (DUHL) should be smacked. Why no, I don't want to jump through hoops on your website made in 2002 to get off you blacklist, thank you.

    #sysadmin #emailadmin

  50. Email blacklists that still use Dynamic User and Host Lists (DUHL) should be smacked. Why no, I don't want to jump through hoops on your website made in 2002 to get off you blacklist, thank you.

    #sysadmin #emailadmin