After reading Antonio Prado’s Reverse DNS lookup for Italian Government’s mail exchangers post I got intrigued by the idea of checking how many of those Italian Government’s MX mail servers support STARTTLS.
STARTTLS “offers a way to upgrade a plain text connection to an encrypted (TLS or SSL) connection” (Wikipedia) and, when it’s implemented on the MX SMTP server, it allows a STARTTLS-aware user’s outbound mail server to encrypt the traffic toward the recipient’s server.
The public DNSBL services offered by AHBL have been shutdown.
Services and programs which used dnsbl.ahbl.org, ircbl.ahbl.org and rhsbl.ahbl.org need to be updated in order to avoid false positives:
X-Spam-Status: No, score=0.789 tagged_above=-999 required=6 tests=[BAYES_00=-1.9, DNS_FROM_AHBL_RHSBL=2.699, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Spamassassin configuration, for example, needs to be fixed:
# cat /usr/share/spamassassin/20_dnsbl_tests.cf | grep AHBL
header DNS_FROM_AHBL_RHSBL eval:check_rbl_envfrom('ahbl', 'rhsbl.ahbl.org.')
describe DNS_FROM_AHBL_RHSBL Envelope sender listed in dnsbl.ahbl.org
tflags DNS_FROM_AHBL_RHSBL net
reuse DNS_FROM_AHBL_RHSBL
Comment that block or (at least) force a score zero for the rule in your local configuration:
# cat /etc/spamassassin/local.cf | grep AHBL score DNS_FROM_AHBL_RHSBL 0
It seems that, under certain conditions, GMail reports failed SPF checks for messages fetched via POP3 from other mail servers.
I noticed this behaviour on messages received, for example, by mail servers where an internal relay is used, like the following message sent from PayPal (which uses an hard-fail policy):
Delivered-To: MYSELF@gmail.com ... Received-SPF: fail (google.com: domain of xxxyyyzzz@emea.e.paypal.com does not designate A.B.C.D as permitted sender) client-ip=A.B.C.D; Received: by 10.64.225.172 with POP3 ... X-Gmail-Fetch-Info: MYSELF@MYDOMAIN.TLD 3 pop3.MYDOMAIN.TLD 995 MYSELF@MYDOMAIN.TLD Return-Path: <xxxyyyzzz@emea.e.paypal.com> Delivered-To: MYSELF@MYDOMAIN.TLD Received: from server1.MYPROVIDER.TLD (A.B.C.D) by server2.MYPROVIDER.TLD with SMTP; ... Received: from outbound.emea.e.paypal.com (96.47.30.179) by mx1.MYPROVIDER.TLD with SMTP; ... Return-Path: <xxxyyyzzz@emea.e.paypal.com> ... From: "PayPal" <paypal@e.paypal.it> To: MYSELF@MYDOMAIN.TLD
I’m happy to see that more and more tools are developed to increase the security level and trustworthiness of Internet applications. I already talked about DNSSEC and tools to check the validity of domain names, many others blogged about DANE and TLSA validation support in browsers; this time I would like to focus on DKIM and on a Thunderbird add-on to verify its signatures taking advantage of DNSSEC end-to-end validation.
