On 8/02/2017, at 12:53 PM, Brian Gibbons wrote:

Relaying email is the perfect recipe to get blacklisted, the solution is fix the problem by hosting the email locally and have end user collect email from multiple hosts.

Never been an issue before now and have been doing this for 20 years. Maybe I am using the wrong terminology abcd(a)mydomain.nz mailto:abcd(a)mydomain.nz is delivered locally - no problem efgh(a)mydomain.nz mailto:efgh(a)mydomain.nz is forwarded/redirected/relayed to efgh(a)xtra.co.nz mailto:efgh(a)xtra.co.nz - only a problem when SPF has a hard fail set Most of our customers want email to work this way. The end users are in most case NOT prepared to have complicated email setups.

The xtra.co.nz domain doesn't seem to have a DKIM or SPF record attached to it, in fact there isn't any txt record on the domain. But I believe that is coming once the migration has been completed. On Wed, Feb 8, 2017 at 1:16 PM, Blair Harrison wrote:

Easiest solution I've found is for the problematic sender domains - you'll have to get the users to set the sites to send the e-mail directly to the end address rather than the domain that's relaying.

Thankfully there's only a few big ones of note. Twitter is a prime culprit that I've noticed :)

Cheers, Blair

On 8 February 2017 at 13:11, Glen Eustace wrote:

...

On 8/02/2017, at 12:53 PM, Brian Gibbons wrote:

Relaying email is the perfect recipe to get blacklisted, the solution is fix the problem by hosting the email locally and have end user collect email from multiple hosts.

Never been an issue before now and have been doing this for 20 years. Maybe I am using the wrong terminology

abcd(a)mydomain.nz is delivered locally - no problem efgh(a)mydomain.nz is forwarded/redirected/relayed to efgh(a)xtra.co.nz - only a problem when SPF has a hard fail set

Most of our customers want email to work this way. The end users are in most case NOT prepared to have complicated email setups.

_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz https://list.waikato.ac.nz/mailman/listinfo/nznog

_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz https://list.waikato.ac.nz/mailman/listinfo/nznog

Any indication of them bouncing messages with no SPF at all? Cheers JT From: "Glen Eustace" To: "Peter Lambrechtsen" Cc: "NZNOG" Sent: Wednesday, February 8, 2017 1:33:56 PM Subject: Re: [nznog] Xtra and SPF On 8/02/2017, at 1:24 PM, Peter Lambrechtsen < peter(a)crypt.nz > wrote: The xtra.co.nz domain doesn't seem to have a DKIM or SPF record attached to it, in fact there isn't any txt record on the domain. This isn’t a case of an SPF on xtra.co.nz but SPFs from senders that end up with final delivery being an Xtra mailbox. < xxxxxxxxxx(a)xtra.co.nz > (expanded from < admin(a)yyyyyyyyyy.nz >): host mx.xtra.co.nz [210.55.143.33] said: 550 5.7.1 Message rejected due to SPF policy (in reply to end of DATA command) where senders domain has -all on its SPF record. _______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz https://list.waikato.ac.nz/mailman/listinfo/nznog

On Wed, 8 Feb 2017 at 11:11 Glen Eustace wrote:

Never been an issue before now and have been doing this for 20 years.

Well there's your problem. You need to fix your attitude before we get within a country mile of a technical discussion.

On 2/04/2017, at 2:07 PM, Nathan Ward wrote:

My recommendation if you’re building a mail product with the option for forwarding, is to: 1) Rewrite envelope recipient (obviously)

This was done as soon as I was made aware of the SRS stuff for Postfix and to date seems to have ‘fixed’ the issue for us. I am still of the opinion that SPF is broken but seem to be fairly alone holding that opinion. I suppose if I had encountered issues with relaying earlier I might have become aware of SRS sooner but as I hadn’t I didn’t. Old story that one doesn’t know what one doesn’t know. -- =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Glen Eustace, GodZone Internet Services, a division of AGRE Enterprises Ltd., P.O. Box 8020, Palmerston North, New Zealand 4446 Ph +64 6 357 8168, Mob +64 27 542 4015 “Specialising in providing low-cost professional Internet Services since 1997"

+1 to Martin this week. I've got folk getting IRD messages being bounced. Personally the only thing I really find of use in my mail stack is grey listing, for stopping spam. I've just about stripped the rest out and just let people deal with the noise as they see fit. LIke others here, I don't find SFP useful and more often than not I find it causes people a headake as no one really understands it properly (my self included) and are often very unwilling to even engage to attempt to fix it. Even tracking down the mail admin for a company can be time consuming to the point of pointlessness. D On 2/04/2017 3:28 PM, Martin Kealey wrote:

On 2 Apr. 2017 12:32, "Glen Eustace" mailto:geustace(a)godzone.net.nz> wrote:

...

I am still of the opinion that SPF is broken but seem to be fairly alone holding that opinion.

Well I somewhat share your opinion.

I don't think that SPF /per-se/ is broken, but typical implementations definitely /are/ broken.

I do think that applying SPF to /inbound/ relays is definitely broken. A service provider should allow customers to nominate their own inbound relays, and customer service should not be spouting obvious nonsense such as "the sender should fix their SPF".

-MK

_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz https://list.waikato.ac.nz/mailman/listinfo/nznog

-- Don Gould 31 Acheson Ave Mairehau Christchurch, New Zealand Ph: + 64 3 348 7235 Mobile: + 64 21 114 0699 Ph: +61 3 9111 1821 (Melb) www.thinkdesignprint.co.nz skype: don.gould.nz

On 5/04/2017, at 2:21 PM, Damian Kissick wrote:

Personally the only thing I really find of use in my mail stack is grey listing, for stopping spam. I've just about stripped the rest out and just let people deal with the noise as they see fit.

I'm actually surprised you are finding greylisting still useful.

Our experience matches Don’s. We are still finding greylisting the most effective tool in dealing with spam. I agree that it may not continue to be so but I haven’t seen anything yet that we might use instead. Glen

botnets now talk proper SMTP, so sadly this catches very, very little these days. Steve On 05/04/17 15:21, Stephan Hughson wrote:

Hi all,

One very effective but rarely implemented trick is to put in a 1 second delay before the SMTP greeting. Botnets do not wait for 1 second, they post their whole spam in one shot. Then the mail server says its ready and they've already gone. 1 second is not much of a delay, so no real risk of timeouts.

It's a nice alternative to greylisting. It gets rid of the botnets, which is what greylisting is really for. Greylisting is no use if the spam is coming from a real mail server.

We do use greylisting at Manukau Institute of Technology and it's great. No complaints from the users in almost 6 years. We do it based on /24 ranges which is less of a problem that unique IPs and we have built up a large database.

We don't bounce based on SPF (unless specified in DMARC policy) as so many people have their SPF records set up incorrectly. We just mark as spam for that.

Best Regards,

Stephan Hughson| Technical Architect Private Bag 94006, Manukau, Auckland 2241 p: 09 968 7611 | m: 027 568 7611 | w: manukau.ac.nz

------------------------------------------------------------------------ *From:* nznog-bounces(a)list.waikato.ac.nz [nznog-bounces(a)list.waikato.ac.nz] on behalf of Glen Eustace [geustace(a)godzone.net.nz] *Sent:* Wednesday, 5 April 2017 3:08 p.m. *To:* Damian Kissick *Cc:* nznog(a)list.waikato.ac.nz *Subject:* Re: [nznog] Xtra and SPF

...

On 5/04/2017, at 2:21 PM, Damian Kissick mailto:me(a)damo.net.nz> wrote:

Personally the only thing I really find of use in my mail stack is grey listing, for stopping spam. I've just about stripped the rest out and just let people deal with the noise as they see fit.

I'm actually surprised you are finding greylisting still useful.

Our experience matches Don’s. We are still finding greylisting the most effective tool in dealing with spam. I agree that it may not continue to be so but I haven’t seen anything yet that we might use instead.

Glen

_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz https://list.waikato.ac.nz/mailman/listinfo/nznog

-- Steve Holdoway BSc(Hons) MIITP https://www.greengecko.co.nz/ Linkedin: https://www.linkedin.com/in/steveholdoway Skype: sholdowa