Mailing List Archive

Re: Ensuring SPF/DKIM for @gmail.com
On 27/07/2023 18:11, Marc wrote:

> I am always using -all. I honestly can't think of a good argument to
> use anything else.

I agree.

It's my belief that ~all is only useful for a "production entry test
phase"; once you're happy, move to -all.

Like DMARC's p=none it's a "getting it going" method that's for you to
get shit right, then move to p=quarantine, although from memory some
European countries (Germany?) require or used to require you to either
accept the message and deliver it, or outright block it with a reject
message. I'd like to think they've changed that though.

--
Regards,
Noel Butler

Re: Ensuring SPF/DKIM for @gmail.com
Marc skrev den 2023-07-27 09:48:

>> The oldest mail server log I can find is from mx-in-08 sadly even that
>> one is only from 2005 but confirms we were using it then, quite a bit
>> longer than 2014 :P
> Why retire? To go fishing or so? I think GDPR even prohibits keeping
> very old log files, if there is no specific reason for that.

Now that IPv6 exists and is working, we should all stop using IPv4 problems
:=)
Re: Ensuring SPF/DKIM for @gmail.com
>On 7/26/23 2:34 AM, Benny Pedersen wrote:
>>milters should not be spam scanners, spamassassin is better

On 26.07.23 13:32, Grant Taylor via users wrote:
>{spamass-milter,milter-spamc} combined with SpamAssassin cause me to
>question the veracity of that statement.

+1

>Milter implies doing the filtering during the SMTP transaction. I
>consider the ability to reject messages that SpamAssassin declares as
>(bad enough) spam at SMTP time to be a good thing.

I use spamass-milter on my system and amavisd-milter on other systems
especially to be able to reject spam at SMTP time. Definitely a good thing.

You just should not use it for "outgoing" mail from your clients, so they
don't complain about sending mail taking ages.

You may need to limit SA processing to some 270 seconds to avoid 5-minutes
timeout (which contradicts RFC5321 section 4.5.3.2.6. which mandates
10-minute timeout on DATA termination, but here we are).

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Your mouse has moved. Windows NT will now restart for changes to take
effect. [OK]
Re: Ensuring SPF/DKIM for @gmail.com
>> I assume that you mean so that your outbound SMTP server is actually
>> authorized in some capacity and fall under "all". Is that correct?

... and does NOT fall under "all".

On 27.07.23 08:11, Marc wrote:
>indeed afaik -all is all authorized

pardon me? -all means everyone except previously mentioned is UNAUTHORIZED
to send mail.

fantomas.sk. 43200 IN TXT "v=spf1 mx -all"

meant only "mx" servers for fantomas.sk can send mail from this domain, all
the rest is unauthorized.

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Micro$oft random number generator: 0, 0, 0, 4.33e+67, 0, 0, 0...
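
The qualifier behaviour discussed in this message, as an added example that is not part of the original post: a small evaluator for a subset of SPF (`mx`, `ip4`, `ip6`, `all`) showing why `v=spf1 mx -all` passes the MX host and fails every other sender, and what `~all` changes. `check_spf` is a hypothetical helper, and the MX address is constructed from a documentation range, not the real one for fantomas.sk.

```python
import ipaddress

# Constructed stand-in for DNS: the address is from a documentation range
# (RFC 5737), not the real MX address of fantomas.sk.
MX_ADDRS = {"fantomas.sk": ["192.0.2.25"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, domain, client_ip, mx_addrs=MX_ADDRS):
    """Evaluate a subset of SPF (mx, ip4, ip6, all) for one connecting IP."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        if "=" in term:              # modifiers (redirect=, exp=) are skipped here
            continue
        qualifier = "+"              # a mechanism without a qualifier means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "mx":
            hosts = mx_addrs.get(arg or domain, [])
            matched = any(ip == ipaddress.ip_address(h) for h in hosts)
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        else:
            raise ValueError(f"mechanism {name!r} is outside this example's subset")
        if matched:                  # first matching mechanism decides, left to right
            return QUALIFIERS[qualifier]
    return "neutral"                 # nothing matched and the record has no "all"


if __name__ == "__main__":
    for rec in ("v=spf1 mx -all", "v=spf1 mx ~all", "v=spf1 mx"):
        for sender in ("192.0.2.25", "198.51.100.7"):
            print(f"{rec!r:20} {sender:15} -> {check_spf(rec, 'fantomas.sk', sender)}")
```
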
RE: Ensuring SPF/DKIM for @gmail.com
> >> I assume that you mean so that your outbound SMTP server is actually
> >> authorized in some capacity and fall under "all". Is that correct?
>
> ... and does NOT fall under "all".
>
> On 27.07.23 08:11, Marc wrote:
> >indeed afaik -all is all authorized
>
> pardon me? -all means everyone except previously mentioned is
> UNAUTHORIZED to send mail.
>
> fantomas.sk. 43200 IN TXT "v=spf1 mx -all"
>
> meant only "mx" servers for fantomas.sk can send mail from this domain,
> all the rest is unauthorized.

so we agree :). "-all" means only authorized can deliver, authorized as in mentioned in the text record.
Re: Ensuring SPF/DKIM for @gmail.com
On 7/27/23 6:25 AM, Matus UHLAR - fantomas wrote:
> I use spamass-milter on my system and amavisd-milter on other systems
> especially to be able to reject spam at SMTP time. Definitely a good thing.

:-)

> You just should not use it for "outgoing" mail from your clients, so
> they don't complain about sending mail taking ages.

Eh ....

I'm an advocate for spam filtering all email coming into the server,
even email coming into the MSA on its way out to another server across
the Big Bad Internet.

> You may need to limit SA processing to some 270 seconds to avoid
> 5-minutes timeout (which contradicts RFC5321 section 4.5.3.2.6. which
> mandates 10-minute timeout on DATA termination, but here we are).

This is one of the reasons that I mentioned configuring the MSA with
much longer timeouts in another recent thread (though I don't remember
which list).

I have in the past configured an MSA to accept messages (with really
long for email timeouts) and relay the messages through the local MTA
where I applied the filtering that I'm talking about.

This allowed clients, even on dial up, to send larger email with
attachments to not time out /and/ to be able to be filtered to avoid
contributing to spam if (when) accounts were compromised.

Seeing as how the MUAs authenticated to the MSA to send, I have a very
good idea who I needed to have a chat with in the event that something
unsavory was making it through the MSA to the filtering MTA, or worse
out to the Big Bad Internet.



Grant. . . .
