evil james bond cat
The zoo got a dmarc [my blog] email as stated it should have from google which reported both the ipv4 and ipv6 authentication results.
Great if your still have a clue what i am going on about but I have no idea if it used ipv4 or v6 to transport it which we have here in the zoo [my blog]. If inbound its normally probably ipv4, and outbound from us its ipv6 if you have it.
It passed its tests in the zoo good news !, when it got to google then things went interesting as it failed those.
At least dmarc [including spf and dkim] does work but as to specifics well lets call it a success and leave it there.
Hmm well it got there at least.
Time of the year last year. I miss those probers and spammers*
Exim has been in wars recently and got an update for a tls issue. In the zoo exim is tolerated internally and so was not an issue as it relays email internally and then off to postfix.
I tried exim many years ago and did not like it
However ipv6 was then activated by the exim update which caused internal relay issues (my blog) so i am stuck with ipv4 doing the internal emailing until i either change mta or figure out ipv6 relaying in both exim and postfix
Exim was returned tp ipv4 action with
Which suits the zoo fine. Ipv6 internally and no ipv4* seems a long way off.
Dmarc (my blog) is interesting and while it does not lie to use it as a metric to say email to an inbox is delivered is an incorrect way to represent the reports you may get.
The zoo has a mail server (not hosted by google) people with dmarc records send us email.
That email is validated for dkim, spf, dmarc mx records, reverse dns, valid users and then in the spam and virus filter
So if your email passed some of the tests but not all then your email was delivered but not to a user.
dmarc reports say so much but to guarantee as a in an inbox metric your sadly delusional.
Dmarc reports can also often be confusing.
They are google servers
Which report that the above servers are failing the spf check on the zoo’s servers which again in correct. However assuming nothing bad is coming from those addresses and it is recording the ip as it goes means misconfiguration is an issue for google not the zoo.
50% of this picture is racist by bbc logic
The zoo’s dmarc is correct and dmarc is working correctly but to claim dmarc is a email delivered metric is a bonkers proposition if your a a spammer or email campaign professional the dmarc reports do not mean what you hope they mean.
There ipv6 range is 2607:5500::/31 – ipv4 ranges worth blocking here (my blog). Yes they have a reputation with the monkey house,
Reason for mallet-ing – (my blog) attempted relay of fake zoo email to the zoo via postfix so some thought was put in here there not being idiots but targeting specifically.
I believe this is the first range of ipv6 addresses (a lot of them) i have had to null route for nefarious reasons.
Determining genuine and crook here is hard. Since they do not seem to subnet below /31 say a [small] /64 so it seems the /31 is safer assuming we start playing whack a mole if i block per ipv6 address.
Its kind of amazing with the small user base of ipv6 that my first block is from a usual suspect perhaps being too trusting of the address space is a mistake although spamhaus has a ipv6 list of subnets it distrusts which i am aware of.
guess who this person is
Where are they, it seems only ipv4 people do them. Sure it is early days and most people are using a big email provider and maybe ipv6 if they have a more modern mobile phone.
Its rather nice ipv6 if quiet compared to ipv4.
In fact nobody seems to use ipv6 and yes we do send and receive ipv6 mail unless your nerdy or a few specific internet behemoths .
I do not do a lot of testing of servers and recently revisited a few of them since the zoo now has ipv6 (my blog) and tls 1.3 (my blog)
I was surprised that many commercial offerings still had issues (my blog) say ocsp stapling and also did not support ipv6.
Oh well ipv6 is rocket science then.
Works, although it does feel a little incoherent setup wise it  sometimes required and not required, and having access to reverse dns means i can mail google in ipv6, your experience might be different (not here) than the zoo’s
Don’t forget about spf records
Being ipv6 is very mostly silicon valley based (not amazon) i was surprised that some try and abuse ipv6 and the domain name system
Domain unknown senders
Although we do see them trying this from ipv4 too
No damage was done and the ipv6 and ipv4 protocol matched the fake domain.
Ipv6 accounts for 25% of dns traffic and not many ipv6 mx entries so 1% of email traffic unless you email gmail all the time.
Covered here and there (both my blog) with ipv6 i decided to have another go at reporting with extra hosts available with ipv6.
I kept the importer running even if reports where not being sent but with ipv6 and ipv4 mail servers dmarc reporting remains stubbornly ipv4 based.
Not all is well with dmarc reporting and auto responders with spam getting sent to dmarc inboxes and bar the big providers nobody seems to take dmarc reporting seriously.
Could be a non issue from 2009 (it is 2019 now)
tls_ssl_options = NO_RENEGOTIATION
see (not here) I guess its less junk traffic while some wholesome person tests for ssl2 ciphers and openssl (my blog) issues.
Ive seen them so as i dont have ssl2 in the zoo its a pointless probe. It seems to do no harm.