Tag Archives: EMail

Italian Government mail servers STARTTLS support

After reading Antonio Prado’s Reverse DNS lookup for Italian Government’s mail exchangers post I got intrigued by the idea of checking how many of those Italian Government’s MX mail servers support STARTTLS.

STARTTLS “offers a way to upgrade a plain text connection to an encrypted (TLS or SSL) connection” (Wikipedia) and, when it’s implemented on the MX SMTP server, it allows a STARTTLS-aware user’s outbound mail server to encrypt the traffic toward the recipient’s server.

STARTTLS User to MX mail server

Read more …

DNS_FROM_AHBL_RHSBL 2.699 on Spamassassin

The public DNSBL services offered by AHBL have been shutdown.

Services and programs which used dnsbl.ahbl.org, ircbl.ahbl.org and rhsbl.ahbl.org need to be updated in order to avoid false positives:

X-Spam-Status: No, score=0.789 tagged_above=-999 required=6
	tests=[BAYES_00=-1.9, DNS_FROM_AHBL_RHSBL=2.699,
	T_RP_MATCHES_RCVD=-0.01] autolearn=no

Spamassassin configuration, for example, needs to be fixed:

# cat /usr/share/spamassassin/20_dnsbl_tests.cf | grep AHBL
header DNS_FROM_AHBL_RHSBL    eval:check_rbl_envfrom('ahbl', 'rhsbl.ahbl.org.')
describe DNS_FROM_AHBL_RHSBL  Envelope sender listed in dnsbl.ahbl.org
tflags DNS_FROM_AHBL_RHSBL    net
reuse  DNS_FROM_AHBL_RHSBL

Comment that block or (at least) force a score zero for the rule in your local configuration:

# cat /etc/spamassassin/local.cf | grep AHBL
score DNS_FROM_AHBL_RHSBL 0

GMail fails SPF checks on POP3 fetched messages

It seems that, under certain conditions, GMail reports failed SPF checks for messages fetched via POP3 from other mail servers.

I noticed this behaviour on messages received, for example, by mail servers where an internal relay is used, like the following message sent from PayPal (which uses an hard-fail policy):

Delivered-To: MYSELF@gmail.com
...
Received-SPF: fail (google.com: domain of xxxyyyzzz@emea.e.paypal.com does not
        designate A.B.C.D as permitted sender) client-ip=A.B.C.D;
Received: by 10.64.225.172 with POP3 ...
X-Gmail-Fetch-Info: MYSELF@MYDOMAIN.TLD 3 pop3.MYDOMAIN.TLD
        995 MYSELF@MYDOMAIN.TLD
Return-Path: <xxxyyyzzz@emea.e.paypal.com>
Delivered-To: MYSELF@MYDOMAIN.TLD
Received: from server1.MYPROVIDER.TLD (A.B.C.D)
        by server2.MYPROVIDER.TLD with SMTP; ...
Received: from outbound.emea.e.paypal.com (96.47.30.179)
        by mx1.MYPROVIDER.TLD with SMTP; ...
Return-Path: <xxxyyyzzz@emea.e.paypal.com>
...
From: "PayPal" <paypal@e.paypal.it>
To: MYSELF@MYDOMAIN.TLD

Read more …

Verifying DKIM signatures on Thunderbird with DNSSEC

I’m happy to see that more and more tools are developed to increase the security level and trustworthiness of Internet applications. I already talked about DNSSEC and tools to check the validity of domain names, many others blogged about DANE and TLSA validation support in browsers; this time I would like to focus on DKIM and on a Thunderbird add-on to verify its signatures taking advantage of DNSSEC end-to-end validation.

DNSSEC+DKIM

Read more …