bulkanized new tlds

Have you heard of .ren? Or Renren Inc? Apparently it is a Chinese social media thing, not skincare, which made it an odd sighting in the mail.log.

Anyhow, I am none the wiser, but I do wonder if this use of .ren breaks the icann rules for global top level domains, I mean the zoo is not in China. If somebody can pass this along to the great firewall of China team it would be most appreciated.

caa records the hardish way

Sisyphus is still a role model

Caa* records are a bit rare, and unless you run a very new dns server version many of these records will be tossed out as too new, since they are not supported by either the name server or the dnssec wrapper.

To do caa records in an 'older' server I had to use rfc 3597 syntax, which does look like voodoo compared to normal dns records; it is not the kind of thing the bbc think is worth reporting on (my blog). It is a generic machine readable format which I have not delved into, but it looks a bit like atps.
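As an added example (not from the post, and not any name server's code), this is what the rfc 3597 voodoo actually is: the CAA RDATA is one flags byte, one tag-length byte, the tag and the value, and the generic syntax writes that as TYPE257, a backslash-hash, the byte count and the bytes in hex. The owner names and CA names below are made up.

```python
"""Encode and decode CAA records in RFC 3597 generic (TYPE257 \\# len hex) syntax."""
import re

CAA_TYPE = 257                 # RR type number for CAA (RFC 6844 / RFC 8659)
ISSUER_CRITICAL = 128          # flags bit 0 (the high bit): CA must understand the tag


def caa_rdata(flags: int, tag: str, value: str) -> bytes:
    """Wire-format CAA RDATA: flags (1 byte), tag length (1 byte), tag, value."""
    if not 0 <= flags <= 255:
        raise ValueError("flags must fit in one byte")
    tag_bytes = tag.encode("ascii")
    if not tag_bytes or len(tag_bytes) > 255 or not tag_bytes.isalnum():
        raise ValueError("tag must be 1-255 alphanumeric bytes (issue, issuewild, iodef)")
    return bytes([flags, len(tag_bytes)]) + tag_bytes + value.encode("utf-8")


def caa_generic(owner: str, flags: int, tag: str, value: str, ttl: int = None) -> str:
    """Zone-file line in RFC 3597 form, usable by servers that predate CAA support."""
    rdata = caa_rdata(flags, tag, value)
    ttl_part = f"{ttl} " if ttl is not None else ""
    return f"{owner} {ttl_part}IN TYPE{CAA_TYPE} \\# {len(rdata)} {rdata.hex()}"


_GENERIC_RE = re.compile(r"TYPE(\d+)\s+\\#\s+(\d+)\s+((?:[0-9a-fA-F]{2}\s*)*)$")


def parse_caa_generic(line: str) -> dict:
    """Decode a TYPE257 generic line back into flags, tag and value, checking the declared length."""
    m = _GENERIC_RE.search(line.strip())
    if not m or int(m.group(1)) != CAA_TYPE:
        raise ValueError("not a TYPE257 generic record")
    length = int(m.group(2))
    raw = bytes.fromhex(re.sub(r"\s+", "", m.group(3)))
    if len(raw) != length:
        raise ValueError(f"declared length {length} does not match {len(raw)} bytes")
    if len(raw) < 2 or 2 + raw[1] > len(raw):
        raise ValueError("truncated CAA RDATA")
    tag_len = raw[1]
    return {
        "flags": raw[0],
        "critical": bool(raw[0] & ISSUER_CRITICAL),
        "tag": raw[2:2 + tag_len].decode("ascii"),
        "value": raw[2 + tag_len:].decode("utf-8"),
    }
```

Feed the output of caa_generic to a server that only speaks generic types, and check any record you copy from elsewhere with parse_caa_generic before trusting the length field.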

Not all CAs (not a typo) support caa: as of when I write this gandi don't, but letsencrypt do, so if you're shopping for tls it's another limiter.

So two zoo domains do have caa records, from two suppliers, but two do not. As many dns things like tlsa (my blog) are not checked by browsers, I doubt they will be doing caa checks anytime soon.

So I will keep the two records I have and see how maintainable they are. Stay tuned for updates!

It is doubtful the zoo will purchase gandi ssl (tls) again.

*nothing to do with aircraft

atps and adsp records (featuring asl too) and dmarc reporting

Sisyphus is still a role model

Yes, I am doing dmarc today once again, exciting stuff this, and I have finally figured out opendmarc-reports, for which the zoo's atps is apparently needed.

These records are fun, and once you do one domain the others also need doing, ala:

  • example.com
  • example.net
  • etc
_adsp._domainkey.example.com IN TXT "dkim=all; atps=y; asl=example.net;"
YFP5HEI6FUVG5WMNRBCEO6BK2Z75XKJZ._atps.example.com IN TXT "v=atps01; d=example.net;"

The YFP5HEI6FUVG5WMNRBCEO6BK2Z75XKJZ is sha1 hashed example.net. opendkim-atpszone can make this with:

opendkim-atpszone -h sha1 -u example.com -A example.net -vvv

The rest of the dns lines from above is where you're on your own:

YFP5HEI6FUVG5WMNRBCEO6BK2Z75XKJZ._atps TXT 86400 "v=ATPS1; d=example.net"

Eagle eyed readers will note that v=ATPS1; and v=atps01; differ, and no adsp record is made.

The zoo has found that atps01 works and is unwilling to test the capital variant.
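An added example (my code, not opendkim-atpszone's) of where that 32 character label comes from and how a verifier would use it: rfc 6541 hashes the lowercased author domain with sha1 and base32 encodes the 20 byte digest, which gives exactly 32 characters with no padding. It also builds the adsp line and the hashed _atps line in the shape shown above and checks a looked-up TXT record, accepting both the v=atps01 and v=ATPS1 spellings mentioned in the post; the lookup callback is a stand-in for a real dns query.

```python
"""Build and check ADSP/ATPS records (ADSP: RFC 5617, ATPS: RFC 6541). Example code, not opendkim's."""
import base64
import hashlib
from typing import Callable, Dict, List


def atps_label(author_domain: str, hash_name: str = "sha1") -> str:
    """Owner label for the _atps record: hash of the lowercased domain (trailing dot removed),
    base32 per RFC 4648 with the '=' padding stripped. sha1 gives 20 bytes, so 32 characters."""
    name = author_domain.lower().rstrip(".").encode("ascii")
    digest = hashlib.new(hash_name, name).digest()
    return base64.b32encode(digest).decode("ascii").rstrip("=")


def decode_label(label: str) -> bytes:
    """Recover the digest from a label (restores the base32 padding first)."""
    return base64.b32decode(label + "=" * (-len(label) % 8))


def atps_zone(signing_domain: str, author_domains: List[str],
              version: str = "atps01", ttl: int = 86400) -> List[str]:
    """The ADSP record (atps=y plus the comma-separated asl list) and one hashed
    _atps record per authorized author domain, in the shape of the zone lines above."""
    asl = ",".join(author_domains)
    lines = [f'_adsp._domainkey.{signing_domain}. {ttl} IN TXT "dkim=all; atps=y; asl={asl};"']
    for d in author_domains:
        lines.append(f'{atps_label(d)}._atps.{signing_domain}. {ttl} IN TXT "v={version}; d={d};"')
    return lines


def parse_atps_txt(txt: str) -> Dict[str, str]:
    """Parse the tag=value list in an _atps TXT string such as '"v=atps01; d=example.net;"'."""
    tags = {}
    for part in txt.strip().strip('"').split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    return tags


def atps_authorizes(signing_domain: str, author_domain: str,
                    txt_lookup: Callable[[str], List[str]]) -> bool:
    """Does signing_domain's zone authorize author_domain? txt_lookup(name) stands in for a
    DNS TXT query and returns the strings found (or an empty list)."""
    name = f"{atps_label(author_domain)}._atps.{signing_domain}"
    for txt in txt_lookup(name):
        tags = parse_atps_txt(txt)
        version_ok = tags.get("v", "").lower() in ("atps1", "atps01")
        domain_ok = tags.get("d", "").lower().rstrip(".") == author_domain.lower().rstrip(".")
        if version_ok and domain_ok:
            return True
    return False
```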

The only reason I have this is for opendmarc-reports, which for some reason, if I do not have them, gives me a dmarc error:

postfix/smtp[*]: *:
status=bounced (host aspmx.l.google.com[74.125.71.26] 
said: 550-5.7.1 Unauthenticated email from example is not accepted 
due to 550-5.7.1 domain's DMARC policy. 
Please contact the administrator of 550-5.7.1 example domain if this 
was a legitimate mail.

That's it, which is what brought me to this vague corner of dns and email.

The dmarc report i received back the next day was interesting.

<source_ip>munged .com</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>pass</dkim>
<spf>pass</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from>example.net</header_from>
</identifiers>
<auth_results>
<dkim>
<domain>example.net</domain>
<result>pass</result>
<selector>mail2</selector>
</dkim>
<dkim>
<domain>example.net</domain>
<result>pass</result>
<selector>mailxx</selector>
</dkim>
<spf>
<domain>example.net</domain>
<result>pass</result>
</spf>
</auth_results>

So perhaps more evidence that atps is needed when, say, spf is considered a dead duck.

Maybe the zoo's way of doing things is weird to opendmarc-reports, which is good at keeping secrets on our live mail server, so it is happy with adsp and human email gets sent properly with aligned spf, dkim and dmarc. I will say no more.

So that fixes opendmarc-reporting. Yay.


opendmarc reporting and extended thoughts

I decided to install some very crappy software to get dmarc reporting (my blog) working and adapted a script to suit from a blog; it works: you import, report and expire the db.

This is a week long plus blog post, so I may contradict myself the longer I document stuff.

However, with stuff inbound to the database I got no email reports out, which I can assume is due to either an error on my part, the policy not to bother them with strict compliance, or the software being broken.

A brainwave I had on exploring this was that as a low traffic host (the zoo is not gmail) the email we do get is strictly controlled by rules, whereas gmail I guess might be lax on say spam where we are not.

So most of the email dealt with needs no dmarc action.

I will run the import, report and expire once a day and see if dmarc reporting via opendmarc is worthwhile.

Later on, with reports being sent, I observed some issues…

Dmarc can be abused by marketing people, and it depends on who runs the report address they specified; take pure360.com:

(host x.GOOGLE.com[74.125.x.x] said:
450-4.2.1 The user you are trying to contact is receiving mail at a rate that 450-4.2.1 prevents additional messages from being delivered. Please resend your 450-4.2.1 message at a later time. If the user is able to receive mail at that 450-4.2.1 time, your message will be delivered. For more information, please 450-4.2.1 visit 450 4.2.1 – gsmtp (in reply to RCPT TO command))
dmarcreporting@pure360.com

It is amusing to note that they also use gmail.

So dmarc might be mismanaged by some who might know better. Does this mean pure360.com dmarc should be ignored? What do you think.

Another dmarc user produced the humorous issue below. Please note this was collected by dmarc and sent by dmarc; it is not a typo by a human.

opendmarc-reports: sent report for email3.telegraph.co.uk 
to craig.millar@telegraph.co.uk (2.0.0 Ok: queued as 5F1F4BD6315)

<craig.millar@telegraph.co.uk>: host <host>.google.com[74.125.x.x] said:
550-5.1.1 The email account that you tried to reach does not exist. Please try 550-5.1.1 double-checking the recipient’s email address for typos

Plenty of other idiots exist.

(host eu-smtp-inbound-1.mimecast.com[91.220.42.241] said: 451 IP temporarily blacklisted – https://community.mimecast.com/docs/DOC-1369#451 (in reply to RCPT TO command))
dmarc@communicatorcorp.com

Not sure they want dmarc, although they request it.

(host eu-smtp-inbound-2.mimecast.com[91.220.42.241] said: 451 IP temporarily blacklisted – https://community.mimecast.com/docs/DOC-1369#451 (in reply to RCPT TO command))
rua@rac.co.uk

These appear to go hours and hours later, that is getting the dmarc report back (rac do send spam), and piss off hosts when it reports back. Oh to be a mind reader.

Yet another brainwave I had was that there is no way to block 'phishing' emails via opendmarc unless there is a strict policy set up, unless you search headers for dmarc rules, but that's down to the mta or spambotter, not opendmarc. There is an example below.

Routing loops could be a problem, ala I send mail, they send mail, we mail back etc. Have to see on that one. I guess you could turn off reporting, which kind of makes dmarc reporting an odd idea to start with.

In the real world I found out:

If you do not import messages into sql and then close down opendmarc (say for a kernel upgrade) then opendmarc deletes the text file; that is one bug I noticed. Not an end of the world issue but an occasional one.

Another bug I noticed in the 1.3.0 release (1.3.2 is in debian experimental) is that opendmarc-reports will still send email out even if you had a typo in the address or email set in the script (the zoo has four domains).

I noticed as our dkim signing did not initiate when it should have (my typo).

The sql data is stored, although it's not designed for humans to read; the xml reports which it makes, and which we also get from others as the zoo has dmarc, are more human readable.

Microsoft (microshit) are pretty crap at dmarc; their reports leave a lot to be desired due to \n issues.

They also bounce failures; this is pure microshit in action. I perceive this as a bit spammy. It took a little time to sanitize here.

Subject x has left you a private message
From No signature information staff@hotmail.com
To technical_dmarc@zoo
Date Thu 07:46 PM
This is an email abuse report for an email message received from IP 201.217.243.222 on Thu, 19 Jan 2017 11:xx:40 -0800.
The message below did not meet the sending domain’s authentication policy.
For more information about this format please see http://www.ietf.org/rfc/rfc5965.txt.
Subject x has left you a private message
From Signature is not valid ! verified by VMessage
Sender notification+bingxia006@zoo
To REDACTED
Date Thu 04:44 PM
You have 1 new message

Typical crap from Microsoft; it was spamcop proof too.

Criminals also have odd dmarc setups. A good example is quantumaccountingservices . net which is scammy* and returned, at time of writing:

Host not found, try again

So I guess you're going to get a lot of domains to ignore.

A problem I have is with multiple domain reporting (say mail.zoo, mail.zoo1 etc). In the debian 1.3.0 version the first report run, for mail.zoo, has all the fun; the other opendmarc report scripts run but have nothing to report on. That might be a level of complexity most with one domain and one host never get to see or care about, and might be down to the shit sql server it uses.

My adsp and atps lines in dns needed some tweaking, since reporting uses port 25 and I use the other port for outbound mail, which for over a week I failed to comprehend, so this might be a postfix / amavis or some other issue I cannot resolve currently.

The zoo will not be sending reports until we figure out adsp (my blog), even though the sql import and expire work.

opendmarc-spam looks interesting, although it is a thought experiment needing a look at the source code to guess how it works.

That's about it for opendmarc reporting. Tomorrow I will be delving into the science of mind reading**; after all it appears to be a required skill with dmarc.

*the hint is in the name. ** i joke

rpz zones for the few not the many

Bananas was interested in rpz zones, which have nothing to do with car parking or planning regulations but are dns zones; they look quite simple until you try and get one.

However, with a bit of searching rpz zones could be manually created and work, but then it's a little out of date; most threat zones are small rather than large, so having a good mail server is way more important than an rpz zone blocking a specific url sent in a scammy email, say.

bank.barclays.co.uk.olb-auth-loginlink.action. asdasd45.as4d56asdas.da 4s65d46asdasdsd. ta77lia. com _b

Whois says Egypt owner and hosted in DE, and I guess it depends on how dumb your network users are, how money grabbing and unethical an ssl certificate provider is, and how long abuse emails to the hosting provider get ignored before something is shut down.

Getting bad site data is quite easy once you start, but making it rpz friendly is another matter. Theme and user content directories are popular for bad permissions and, like the link above, look shady.

Some malware domains just use an ip address, so whether or not an rpz zone would work is a little more questionable. A general and unscientific match of mail server abuse to phishing domains (a grep) suggests that these are tasked to one job only, so there is no overlap by domain name.

rpz's sound great, but with freshness and everybody playing catch up perhaps it's best that they're left as something that just cisco users have.

even more dmarc fun

China wins again as top spoofer (my blog). Exciting stuff this, honest, and since the quantity outweighs the more interesting single entries (these are all crooks and scammers) and they have been mentioned before, let's admire the Chinese trying again and again.

It's a shame we know but they still don't know. Don't tell them please.

I like dmarc


An ill-informed and a rather late look at dns security logs

Some months ago I switched on dns logging and promptly forgot about it, as fail2ban (my blog) was using it and was doing stuff to my satisfaction with the stuff.

Months later I still have that data and 13000+ events logged, and in my quick and dirty attempts at geolocating (my blog) I wanted to know what the troublesome hosts were and from where. My first attempts were poor due to the horrid log format used, but it appears from some back of an envelope greps that America was in the top percentile of probers.

Team America fuck yeah; alas no .kp (north korea), but I suppose after they supposedly hacked Sony nothing else is of interest to them on the internet.

Most attempts were under 5 events; thirteen ip's had counts of 100 events and over (including a tribe of native american's reservation ip range), with two at 500+, so I found 15 ip addresses that persistently probed and action was taken with our mallet of choice. Mallets are cool.

We can excuse some issues from some hosts, but clearly constant probing from some means they do not really seek an honest response from the zoo's dns servers and do not look at the results, so they are bad actors despite their 'security' credentials.

Since this was posted I had some fun with python (my blog) and I can now make spreadsheet importable data, which is where bash scripting failed me, so once a week the computer sends me a report from which I will add to the fifteen still blocked, and I doubt those spotted as persistent abusers will ever be removed.

So keep probing.
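The python mentioned above is not on the page, so here is an added example of that kind of tally (my code, not the blog's script): it parses BIND query-log lines in both the older "client ip#port (qname)" form and the newer one with an "@0x..." client pointer, buckets clients by volume the way the post does, lists the persistent ones, and writes a spreadsheet-importable csv with the ANY and recursion-requested counts that mark a prober. The log lines, addresses and the small threshold used in the check are constructed.

```python
"""Tally BIND query-log clients and flag persistent probers (added example, not the blog's script)."""
import csv
import io
import re
from collections import Counter, defaultdict

# Handles "client 192.0.2.1#1234 (qname): query: ..." and the later form that
# inserts a "@0x..." client pointer after "client". Flags starting with "+" mean
# the client asked for recursion (RD set), which an authoritative server never needs.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9A-Fa-f.:]+)#\d+ \((?P<qname>[^)]*)\): query: "
    r"(?P<name>\S+) (?P<class>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
)

# Constructed sample lines in BIND 9 querylog format (documentation addresses only).
SAMPLE_LOG = """\
01-Feb-2017 10:00:00.123 client 198.51.100.23#53114 (example.com): query: example.com IN ANY +E (203.0.113.53)
01-Feb-2017 10:00:01.456 client 198.51.100.23#53115 (example.com): query: example.com IN ANY +E (203.0.113.53)
01-Feb-2017 10:00:02.789 client 198.51.100.23#53116 (example.org): query: example.org IN ANY +E (203.0.113.53)
01-Feb-2017 10:00:03.001 client @0x7f3c1c0f2a10 192.0.2.77#40001 (example.com): query: example.com IN MX -E (203.0.113.53)
01-Feb-2017 10:00:04.002 client 2001:db8::9#51000 (example.com): query: example.com IN AAAA -ED (203.0.113.53)
01-Feb-2017 10:00:05.003 client 198.51.100.23#53117 (example.com): query: example.com IN TXT +E (203.0.113.53)
""".splitlines()


def parse_queries(lines):
    """Yield (client_ip, qtype, recursion_desired) for every line that is a query-log entry."""
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            yield m["ip"], m["qtype"].upper(), m["flags"].startswith("+")


def client_counts(lines):
    """Queries per client address."""
    return Counter(ip for ip, _, _ in parse_queries(lines))


def bucket(counts):
    """Histogram of clients by query volume, the buckets the post talks about."""
    b = Counter()
    for n in counts.values():
        if n < 5:
            b["under 5"] += 1
        elif n < 100:
            b["5-99"] += 1
        elif n < 500:
            b["100-499"] += 1
        else:
            b["500+"] += 1
    return dict(b)


def persistent_probers(counts, threshold=100):
    """Clients at or over the threshold, busiest first: the block-list candidates."""
    return sorted(((ip, n) for ip, n in counts.items() if n >= threshold),
                  key=lambda t: (-t[1], t[0]))


def to_csv(lines):
    """Spreadsheet-importable per-client summary: total, ANY queries, queries with RD set."""
    stats = defaultdict(lambda: [0, 0, 0])
    for ip, qtype, rd in parse_queries(lines):
        s = stats[ip]
        s[0] += 1
        s[1] += qtype == "ANY"
        s[2] += rd
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["client", "queries", "any_queries", "recursion_requested"])
    for ip, (total, any_q, rd) in sorted(stats.items(), key=lambda kv: (-kv[1][0], kv[0])):
        w.writerow([ip, total, any_q, rd])
    return buf.getvalue()
```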

fun with postfix tls and user certs

So you have a dane (my blog) compatible dnssec setup (my blog) running on all the mx's in the domain list, which entails at least two certificate authorities, so what else can you do?

Well, being a bored ape one day I decided to test user certificates in postfix, not simply the three extra lines to enable tls support in postfix; this requires more steps with some hairy eyeballs on the postfix tls support document.

It does work, although it's just mentioned in the headers. Reports can be semi informative:

8 Anonymous: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
1 Untrusted: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)

That is a self certified tls with 'Untrusted'. With signed tls (eg bought) it seems impossible to issue client certificates like you can with self signed ssl, so it seems unlikely that I will ever get 'Trusted'. The setting 'Anonymous' is dane tls in default.

Bloody mafia (my blog).

Self certified user certs are nice, if a little extra mile, and something that does need a mammal at a keyboard. So it sort of explains why it is not popular, although our friends at the nsa (my blog) probably helped.

No wonder user certificates (as opposed to server instances) are missing from most postfix setups, and even Google get untrusted status:

Received: from mail-*.google.com (unknown [ip])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))
(Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (not verified))
by mail2.zoo (Postfix) with ESMTPS id x

So dane will only get you so far. The mafia won't help either.

DSN's are handled oddly too, for example:

postfix/smtp[x]: xyz: to=<553@zoo>, relay=zoo[ip.addr]:25, delay=x, delays=1018/0.01/0.09/0, dsn=4.7.5, status=deferred (Server certificate not verified)

which in postfix is classed as

4.7.5: Transient failure: Security/policy status: Cryptographic failure
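The "8 Anonymous: TLSv1.2 with cipher ..." style of report above can be produced straight from the mail log, because postfix logs the trust level as the first word of every "TLS connection established" line. As an added example (my code, not postfix's own tooling) this tallies those lines for inbound (smtpd) and outbound (smtp) sessions and separately counts deferrals such as the dsn=4.7.5 "Server certificate not verified" one quoted above; the log lines are constructed.

```python
"""Tally TLS trust levels and TLS-policy deferrals from postfix log lines (added example)."""
import re
from collections import Counter

# Postfix logs one of these per TLS session. The leading word is the trust level:
# Anonymous (no peer certificate checked), Untrusted (certificate present but not
# verifiable), Trusted (CA-signed, name not matched), Verified (name or DANE/fingerprint match).
TLS_RE = re.compile(
    r"postfix/(?P<proc>smtpd?)\[\d+\]: (?P<level>Anonymous|Untrusted|Trusted|Verified) TLS connection "
    r"established (?:to|from) (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\](?::\d+)?: "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<bits>\d+/\d+) bits\)"
)
# Deferred deliveries carry an enhanced status code and a reason in brackets.
DSN_RE = re.compile(r"dsn=(?P<dsn>\d\.\d\.\d), status=(?P<status>\w+) \((?P<reason>[^)]*)\)")

# Constructed sample: two anonymous inbound sessions, one untrusted outbound, one policy deferral.
SAMPLE_LOG = """\
Jan 19 11:20:40 mail2 postfix/smtpd[2101]: Anonymous TLS connection established from mx.example.org[198.51.100.7]: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Jan 19 11:21:02 mail2 postfix/smtpd[2101]: Anonymous TLS connection established from mx2.example.org[198.51.100.8]: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Jan 19 11:22:15 mail2 postfix/smtp[2140]: Untrusted TLS connection established to mail.example.net[203.0.113.5]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Jan 19 11:23:00 mail2 postfix/smtp[2141]: ABC123DEF45: to=<user@example.net>, relay=mail.example.net[203.0.113.5]:25, delay=1018, delays=1018/0.01/0.09/0, dsn=4.7.5, status=deferred (Server certificate not verified)
""".splitlines()


def tally_tls(lines):
    """Sessions per (direction, trust level, 'proto with cipher X (bits)')."""
    counts = Counter()
    for line in lines:
        m = TLS_RE.search(line)
        if m:
            direction = "outbound" if m["proc"] == "smtp" else "inbound"
            session = f"{m['proto']} with cipher {m['cipher']} ({m['bits']} bits)"
            counts[(direction, m["level"], session)] += 1
    return counts


def tally_deferrals(lines):
    """Deferred deliveries per (enhanced status code, reason); 4.7.x codes are security/policy."""
    counts = Counter()
    for line in lines:
        m = DSN_RE.search(line)
        if m and m["status"] == "deferred":
            counts[(m["dsn"], m["reason"])] += 1
    return counts


def report(counts):
    """Lines in the post's '8 Anonymous: TLSv1.2 with cipher ...' shape, busiest first."""
    rows = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [f"{n} {level} ({direction}): {session}" for (direction, level, session), n in rows]
```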

ipv6 and dmarc

Works! This comes from ubc.ca, which is a canadian place of learning.

Sure ipv4 works (my blog), but this was our first zoo report to feature ipv6.

<source_ip>2607:f8f0:610:4000:6564:a62:ce0c:1392</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>quarantine</disposition>
<dkim>fail</dkim>
<spf>fail</spf>
<reason>
<type>forwarded</type>
<comment>looks forwarded, downgrade to quarantine with phishing warning</comment>
</reason>
</policy_evaluated>

So it is good to see that dmarc is agnostic and not specific to an ip version; as for some ipv6 web lookups, you'd better try harder.
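As an added example (my code, not opendmarc's), here is a parser for the aggregate report rows quoted in this post and in the atps post above: it reads the rfc 7489 xml into per-row results, keeps the ipv4/ipv6 distinction, pulls out the policy override reason (the "forwarded" downgrade shown above) and the per-selector dkim results, and summarizes pass versus fail. The report embedded below is constructed to mirror those two rows.

```python
"""Parse a DMARC aggregate (rua) report in the RFC 7489 appendix C layout (added example)."""
import ipaddress
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed report: one aligned IPv4 sender and one forwarded IPv6 one.
SAMPLE_REPORT = """\
<feedback>
  <report_metadata>
    <org_name>example receiver</org_name><report_id>1</report_id>
    <date_range><begin>1484784000</begin><end>1484870400</end></date_range>
  </report_metadata>
  <policy_published><domain>example.net</domain><p>quarantine</p></policy_published>
  <record>
    <row><source_ip>198.51.100.10</source_ip><count>1</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.net</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.net</domain><result>pass</result><selector>mail2</selector></dkim>
      <spf><domain>example.net</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>2001:db8::c0ff:ee</source_ip><count>1</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf>
        <reason><type>forwarded</type><comment>looks forwarded</comment></reason>
      </policy_evaluated>
    </row>
    <identifiers><header_from>example.net</header_from></identifiers>
    <auth_results><spf><domain>example.net</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def _text(elem, path, default=""):
    """Text of the first child at path, or default when the element is absent."""
    found = elem.find(path)
    return (found.text or "").strip() if found is not None else default


def parse_aggregate(xml_text):
    """One dict per <record>; source_ip is parsed so v4 and v6 are handled alike."""
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.iter("record"):
        ip = ipaddress.ip_address(_text(rec, "row/source_ip"))
        rows.append({
            "source_ip": ip,
            "ip_version": ip.version,
            "count": int(_text(rec, "row/count", "0")),
            "disposition": _text(rec, "row/policy_evaluated/disposition"),
            "dkim": _text(rec, "row/policy_evaluated/dkim"),
            "spf": _text(rec, "row/policy_evaluated/spf"),
            # policy override reasons, e.g. ("forwarded", "looks forwarded")
            "reasons": [(_text(r, "type"), _text(r, "comment"))
                        for r in rec.findall("row/policy_evaluated/reason")],
            "header_from": _text(rec, "identifiers/header_from"),
            "dkim_auth": [(_text(d, "domain"), _text(d, "selector"), _text(d, "result"))
                          for d in rec.findall("auth_results/dkim")],
            "spf_auth": [(_text(s, "domain"), _text(s, "result"))
                         for s in rec.findall("auth_results/spf")],
        })
    return rows


def aligned(row):
    """DMARC passes when either the aligned DKIM or the aligned SPF evaluation passed."""
    return row["dkim"] == "pass" or row["spf"] == "pass"


def summarize(rows):
    """Message totals by outcome, how many rows were IPv6, and which overrides were applied."""
    out = {"rows": len(rows), "messages": 0, "pass": 0, "fail": 0, "ipv6_rows": 0, "overrides": Counter()}
    for r in rows:
        out["messages"] += r["count"]
        out["pass" if aligned(r) else "fail"] += r["count"]
        if r["ip_version"] == 6:
            out["ipv6_rows"] += 1
        for reason_type, _ in r["reasons"]:
            out["overrides"][reason_type] += 1
    out["overrides"] = dict(out["overrides"])
    return out
```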