I'm using SendGrid to deliver emails and the recent test I conducted from my server, using their API, ended up having SpamAssassin flagging my email. Here is the result:
pts rule name description
---- ---------------------- --------------------------------------------------
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information.
[URIs: sendgrid.net]
-0.0 SPF_PASS SPF: sender matches SPF record
0.0 T_SPF_HELO_TEMPERROR SPF: test of HELO record failed (temperror)
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0000]
0.0 HTML_MESSAGE BODY: HTML included in message
2.0 HTTPS_HTTP_MISMATCH BODY: No description available.
1.1 KAM_REALLYHUGEIMGSRC RAW: Spam with image tags with ridiculously huge
http urls
-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
domain
-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
2.6 RDNS_DYNAMIC Delivered to internal network by host with
dynamic-looking rDNS
2.0 HELO_DYNAMIC_IPADDR Relay HELO'd using suspicious hostname (IP addr 1)
X-Spam-Flag: YES
The webhosting company I'm using just came back to me saying that they fixed the problem by disabling SpamAssassin from my server. I might need a better solution.
So the main question I have is: who should I contact to get the following lines fixed? My webhost, Sendgrid or someone else?
2.6 RDNS_DYNAMIC Delivered to internal network by host with dynamic-looking rDNS
2.0 HELO_DYNAMIC_IPADDR Relay HELO'd using suspicious hostname (IP addr 1)
HELO_DYNAMIC_IPADDR indicates that the sending server connected to the receiving server and announced itself with an IP address rather than a Fully Qualified Domain Name (FQDN), and RDNS_DYNAMIC indicates that the Reverse DNS check on that IP address resolves to something that resembles the FQDN of a dynamically issued IP address.
To rectify this you would need to get the rDNS of your sending IP to resolve to a plausible FQDN, and in turn use that FQDN in the HELO / EHLO handshake. Both of these relate to the MX phase of your message exchange, and would be caused by the sending server, but maybe your sender doesn't want to announce themselves overtly to avoid other more direct SPAM rules from being applied to their perceived sender reputation ?
I would have expected SendGrid to send on your behalf using your domain name during the HELO handshake, and consequently require their sending IP ranges to be included in any SPF records for your domain.
Historically it used to be misconfigured Exchange Servers that announced the IP address during the HELO handshake, because unwitting admins entered an IP address in the FQDN field of their Send Connectors.
Related
I'm using Amazon SES to send emails from ec2 instance to the app users, I've sent emails using the sandbox ses account. I want to move out of sandbox, I'm little bit confused after gone through the documents,
https://docs.aws.amazon.com/ses/latest/DeveloperGuide/request-production-access.html
https://aws.amazon.com/premiumsupport/knowledge-center/ec2-port-25-throttle/
I've sent the support mail to raise the daily limits,(I don't need to send much emails, only forgot password emails + welcome).
Should I need to open port 25 on the ec2 instance? Should I need to
create DNS A record?.
Thanks in advance.
No, you do not need to open any ports in AWS security group.
1) You need to send request to raise your AWS SES sending limits
Sandbox limit is 1/sec, 200/day is very low, and 1/sec very easy to exceed without exceeding 200/day and if your app does not support retries = no email.
2) As far as you send email from ec2 instance - this means you are connecting to another email server.
Your ec2 instance -> SES (25 port)
Email servers listen on standard ports, 25 is most common smtp port to connect to send emails. Because it is most common - it presumably gets more spam, third-party services may block ip because of spam - and that's why amazon throttles traffic that is send to 25 port.
So, you also need to remove 25 port throttle for your ec2 instance by filing a request.
For this you also need valid domain name associated with your ec2 instance - dns A record. I.e. mydomain.domain.com pointing to your ec2 elasctic ip 22.22.22.22. This is also to ensure you are a valid sender, not spam.
So, if emails are from #mydomain.domain.com domain - any mail server can tell email origin.
Things to consider:
Your ec2 instance has elastic ip (or you can add one).
you have your own domain name registered with some domain registrar, i.e. myowndomain.domain.com
You can buy your own domain name from Route 53, other domain registrars
Most registrars provide integrated DNS management (at least basic)
you need to add dns A record pointing to your ec2 elastic ip
To send email using SES, you need to verify sending domains or individual email address. verifying the domain is convenient because it will be a hazzle setting up each individual email address.
in regards to DNS record, yes you will need to add few dns entries to confirm your ownership.
in regards to opening port 22, you don't need to open port 22. But you will need to have outgoing ports 465 or 587 enabled because thats the ports used for SSL.
Yes, port 25 has throttling issues, you don't have that issue, if you use SSL to send out emails.
I'm reading the spec and trying to understand exactly when 421 might be returned. An example is given but I don't completely understand it.
Background
The spec establishes two conditions that allow for connection reuse:
For TCP connections without TLS, this depends on the host having resolved to the same IP address.
and
For https resources, connection reuse additionally depends on having a
certificate that is valid for the host in the URI.
If the certificate used in the connection has multiple subjectAltName or any of the subjectAltName is a wildcard, then the connection can be reused for any request that has a hostname that is in the list of subjectAltNames or matches any of the wildcards.
Specific Example In the spec
In some deployments, reusing a connection for multiple origins can
result in requests being directed to the wrong origin server. For
example, TLS termination might be performed by a middlebox that uses
the TLS Server Name Indication (SNI) [TLS-EXT] extension to select an
origin server. This means that it is possible for clients to send
confidential information to servers that might not be the intended
target for the request, even though the server is otherwise
authoritative.
Please explain where my understanding of this example is wrong:
An https connection is established to a middlebox with a request that has domain x.com. The middlebox has IP address 1.2.3.4 and x.com resolves to that address. Using SNI, the TLS handshake has x.com and the middlebox returns a certificate valid for that domain. All messages on this connection go from the client to the middlebox or from middlebox to client. Applicaiton level messages from client to middlebox are forwarded by middlebox to an origin on a different connection. Messages from origin to middlebox are forwarded to the client. If the connection is to be reused, meeting the two conditions discussed above is not enough. Specifically, for a request with domain y.com: if y.com resolves to 1.2.3.4 and the middlebox has a certificate valid for y.com, there can still be a problem. Because the original connection did its TLS handshake using x.com and because handshakes are only done at the beginning of new connections, there is no way establishing an https connection that would get the certificate for y.com. So the client incorrectly sends a request on the same connection to y.com. The middlebox rejects the request because the certificate associated with the connection is valid for x.com - not y.com. (The x.com certificate is only valid for x.com and the y.com certificate is only valid for y.com).
None of your examples will trigger a 421 as far as I can see.
Yes you are correct that a connection needs both the IP address and the SAN field in the certificate to be valid - without those a connection should not be reused.
So what would trigger a 421? As far as I can tell it will be mostly due to different SSL/TLS setups.
For example:
Assume website A (siteA.example.com) and website B (www.example.com) are both on same IP address. Assume website A has a wildcard cert for *.example.com and website B has a specific one. Could be a few reasons for this: for example it serves an EV cert for the main website which can't be a wildcard cert.
So cert A covers website A and website B. As does the IP address. So if you are connected to website siteA.example.com, and then try to connect to www.example.com then technically, by HTTP/2 standards, you could reuse the connection. But we wouldn't want that to happen, as we want to use our EV cert. So the server should reject with a 421. Now in this example the webserver is able to distinguish the correct host and has a valid cert for that host so could, in theory, serve the correct content under the wildcard cert, instead of sending a 421 - but since that wildcard cert is not defined for that virtualhost it should not do this.
Other examples include if you have different ciphers set up on different hosts. For example site A has super lax HTTPS config, because it's not really secure content and they want to reach even legacy browsers, but site B has super secure config and only accepts the latest TLS version and strong ciphers. Here you obviously wouldn't want them to reuse the same connection details. See here for a real would example of this.
Also this is only an issue for certain browsers, depending on how they decide to connection share. This page shows how different each of them do this (at least at the time of this blog post not not aware of anything changing since then): https://daniel.haxx.se/blog/2016/08/18/http2-connection-coalescing/
Also note that some bugs will exist with this (for example: https://bugs.chromium.org/p/chromium/issues/detail?id=546991). Best advice is: if you do not want connection sharing to happen, have a different IP address and/or ensure no overlaps in certificates.
We have two exchange servers internally which are being served by Zen Load Balancer on 10.101.1.105 / 106.
When mail arrives, half of it gets blocked because of failed SPF checks.
The headers in the email:
Received: from EUR01-VE1-obe.outbound.protection.outlook.com (10.101.1.105) by
EXCH02.prfm.co.uk (10.101.7.102) with Microsoft SMTP Server id
15.0.1210.3 via Frontend Transport; Wed, 4 Jan 2017 09:20:48 +0000
The SPF in the headers
authentication-results: spf=none (sender IP is )
smtp.mailfrom=madeup#madeup.madeup;
Sender IP is blank, I haven't removed that for security.
When I check the MX record for madeup.madeup, I get the SPF record
v=spf1 include:spf.protection.outlook.com -all
And the MX record
madeup-madeup.mail.protection.outlook.com
Is there a way to get ZLB to preserve the original IP address so it doesn't get blocked by SPF?
You can try to make Exchange aware of the internal SMTP Servers (your loadbalancer via):
Set-TransportConfig -InternalSMTPServers IP
or for multiple IPs:
Set-TransportConfig -InternalSMTPServers #{Add="ip address1","ip address2"...}
For more info's see here:
The InternalSMTPServers parameter specifies a list of internal SMTP
server IP addresses or IP address ranges that should be ignored by
Sender ID and connection filtering
I checked my domain in mxtoolbox and found following errors/warnings:
dmarc Missing or Invalid Record
https The Certificate is invalid
smtp Reverse DNS does not match SMTP Banner
dns At least one name server failed to respond in a timely manner
dns SOA Expire Value out of recommended range
I added a txt record in DNS zone for as "_dmarc" and checked it
nslookup -query=txt _dmarc.mydomain.com
its showing our server IP
Please advise how can I fix all these errors or warnings?
Best regards
#lifesaver That's a tall order without knowing what your domain is to evaluate.
But here's your general answers.
If you're missing a DMARC Record in DNS Add it. If it's invalid we need to know what you added
Why is the certificate invalid?
You need to make it match for smtp (Also it's a good idea to make it match for pop and imap
mxtoolbox has a small timeout window on DNS queries use a different tool
This is pretty subjective - but it's talking about the SOA TTL value in DNS is outside of their recommended range. Not sure what their recommended range is, but RFC 1912 recommends 14-28 days.
If you need answers to the questions above send an email to mailtest#unlocktheinbox.com - It will auto-respond and give you a lot more insight, to what's going on.
I'm using Twilio to send and respond to messages. It was working normally, but since we moved to bay area the responding function doesn't work now.
So what happens is when the user send message to us(the IP address of our own computers) from their phones, our server can't receive anything. When we check our Twilio account, we know that the msg was indeed sent to the Twilio server. So we think it's the problem of linking between Twilio server and our IP address. We are suspecting that the IP address is virtual IP address here, which makes Twilio server can't find us. Is our suspection correct? if yes, what should we do? If not, what would be the possible problems?
Apologize for having a description not very clear, but it's pretty much everything of the problem. Please tell me if you need any additional information.
You probably need to use a dynamic dns service. Then you need to find what port Twilio sends the SMSs to the client(your computer), and make sure your firewall is forwarding that port to your computer. Odds are this is a firewall issue, especially since you say everything worked before you moved. Has there been a change in your network setup? You need to be aware of both hardware and software firewalls in your setup.
How is the firewall configured on your router? You need to forward requests to your router to your local IP address. Example: My local ip is 192.168.1.5 my external ip is 245.932.4.3 (This is the value you get from myipaddress.com) Thus you need to set your router (which has ip 245.932.4.3) to forward requests on port x (where x= the twilio outgoing port) to 192.168.1.5