User Tools

Site Tools


system:annoyances

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
system:annoyances [2021-04-27T07:43:43+0000]
michael_paoli
system:annoyances [2021-05-06T06:05:20+0000] (current)
michael_paoli reverted the temporarily increase of max queue time from 4 days to 7 days
Line 574: Line 574:
 and yes, that got delivered fine. and yes, that got delivered fine.
 So ... why is SPF check not working? So ... why is SPF check not working?
 +</​file>​
 +<​file>​
 +# systemctl stop exim4.service
 +# ls -d /​usr/​*bin/​*exim*conf*
 +/​usr/​sbin/​update-exim4.conf ​ /​usr/​sbin/​update-exim4.conf.template
 +# update-exim4.conf
 +# systemctl start exim4.service
 +SPF check still not working.
 +</​file>​
 +<​file>​
 +Wordpress email ... something to circle back on later.
 +For now, for header it uses:
 +From: WordPress <​wordpress@berkeleylug.com>​
 +Looks like the only bit of that that's easy to change is the domain. ​ Looks like it uses php mail.  There are plugins to change that, but
 +that's then more complications. ​ As for envelope, since it's using Apache, between that and exim, that ends up as:
 +MAIL FROM:<​www-data@balug.org>​
 +Again, not simple to change that.  More to circle back on for later.
 +For now, dropped in aliases for www-data and wordpress, so at least attempts to those - and for now at least, won't bounce at those domains if
 +attempted. ​ So, that should help deliverability (and, on the receiving side, probably some more spam for postmaster as I presently aliased those to
 +postmaster ... "good enough"​ for now).
 +</​file>​
 +<​file>​
 +Looks like the SPF checks are now working.
 +I also found an older spdf process running and killed that off - maybe that made the difference?
 +So, yes, and seeing SPF fail/​rejects in the log e.g.:
 +# fgrep -ai spf rejectlog
 +2021-04-28 02:29:33 H=(sweja-se.mail.protection.outlook.com) [183.199.220.44] F=<​oefydgodea@ottawa.ca>​ rejected RCPT <​rsvp@balug.org>:​ SPF check failed.
 +2021-04-28 03:50:56 H=(smail1.vub.sk) [222.77.253.120] F=<​jhylunrrhc@swebolt.se>​ rejected RCPT <​rsvp@balug.org>:​ SPF check failed.
 +# dig +noall +answer +nottl ottawa.ca. TXT ottawa.ca. SPF swebolt.se. TXT swebolt.se. SPF | fgrep \"​v=spf
 +ottawa.ca. ​             IN      TXT     "​v=spf1 include:​spf.protection.outlook.com include:​_spf.esolutionsgroup.ca include:​emsd1.com -all"
 +swebolt.se. ​            ​IN ​     TXT     "​v=spf1 mx ip4:​167.99.44.246 include:​spf.protection.outlook.com a:​smtp05.dgcsystems.net -all"
 +# spfquery --scope mfrom --id oefydgodea@ottawa.ca --ip 183.199.220.44;​ echo "​$?"​
 +fail
 +Please see http://​www.openspf.org/​Why?​s=mfrom;​id=oefydgodea%40ottawa.ca;​ip=183.199.220.44;​r=balug-sf-lug-v2.balug.org
 +ottawa.ca: Sender is not authorized by default to use '​oefydgodea@ottawa.ca'​ in '​mfrom'​ identity (mechanism '​-all'​ matched)
 +Received-SPF:​ fail (ottawa.ca: Sender is not authorized by default to use '​oefydgodea@ottawa.ca'​ in '​mfrom'​ identity (mechanism '​-all'​ matched)) receiver=balug-sf-lug-v2.balug.org;​ identity=mailfrom;​ envelope-from="​oefydgodea@ottawa.ca";​ client-ip=183.199.220.44
 +1
 +# spfquery --scope mfrom --id jhylunrrhc@swebolt.se --ip 222.77.253.120;​ echo "​$?"​
 +fail
 +Please see http://​www.openspf.org/​Why?​s=mfrom;​id=jhylunrrhc%40swebolt.se;​ip=222.77.253.120;​r=balug-sf-lug-v2.balug.org
 +swebolt.se: Sender is not authorized by default to use '​jhylunrrhc@swebolt.se'​ in '​mfrom'​ identity (mechanism '​-all'​ matched)
 +Received-SPF:​ fail (swebolt.se:​ Sender is not authorized by default to use '​jhylunrrhc@swebolt.se'​ in '​mfrom'​ identity (mechanism '​-all'​ matched)) receiver=balug-sf-lug-v2.balug.org;​ identity=mailfrom;​ envelope-from="​jhylunrrhc@swebolt.se";​ client-ip=222.77.253.120
 +1
 +
 +</​file>​
 +<​file>​
 +Wrote a handy little program to summarize the exim rejectlog failure from the most recent few such log files:
 +# Rejectlog_report
 +6313 Unrouteable address
 +1013 relay not permitted
 +8 SPF check failed
 +7 SMTP protocol synchronization error (input sent without waiting for greeting)
 +7 maximum allowed line length
 +3 unqualified address not permitted
 +1 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised)
 +1 missing or malformed local part
 +1 syntactically invalid
 +
 +Look at least the top couple items would be good candidates for adding configurations for fail2ban.
 +Some others beyond that may also be worth doing - but not as high a priority.
 +</​file>​
 +<​file>​
 +// reverted the temporarily increase of max queue time from 4 days to 7 days:
 +# awk '​{if($1~/​^[^#​]/​||$1~/​^#​\*/​||$0~/​^#​ temp/​)print;​}'​ conf.d/​retry/​30_exim4-config
 +*                      *           ​F,​2h,​15m;​ G,​16h,​1h,​1.5;​ F,4d,6h
 +# systemctl reload exim4.service
 +
 </​file>​ </​file>​
system/annoyances.1619509423.txt.bz2 ยท Last modified: 2021-04-27T07:43:43+0000 by michael_paoli