My mailserver is very German.
-
My mailserver is very German. When your mailserver tries to send a message, it does a reverse lookup on the IP address. If that doesn't deliver a valid hostname, you're out. But we are not done yet. If it gets a valid hostname, it does an A (IPv4) or AAAA (IPv6) lookup on that hostname. And if it doesn't deliver back the same IP address, you are still out. It is fascinating to observe how often that uncovers that even big names get their DNS wrong. Hello, Spamcop
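
The check described in the post above is usually called forward-confirmed reverse DNS. The following is an added example, not part of the original post and not the author's server configuration; the function names and the sample records are hypothetical and constructed, and the two `system_*` helpers use the operating system's resolver when no sample data is passed in.

```python
import ipaddress
import socket

def system_ptr(ip):
    """PTR names for ip via the system resolver, [] if there are none."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name] + aliases
    except OSError:
        return []

def system_forward(hostname):
    """A and AAAA addresses for hostname, [] if the lookup fails."""
    try:
        infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
        return [info[4][0] for info in infos]
    except OSError:
        return []

def fcrdns(client_ip, ptr=system_ptr, forward=system_forward):
    """Return (ok, detail); ok only if PTR -> name -> A/AAAA leads back to client_ip.
    Addresses are compared after parsing, so IPv6 spelling differences do not matter."""
    client = ipaddress.ip_address(client_ip)
    names = [n.rstrip(".").lower() for n in ptr(client_ip) if n.strip(".")]
    if not names:
        return False, "no PTR record"
    for name in names:
        for addr in forward(name):
            try:
                if ipaddress.ip_address(addr.split("%")[0]) == client:
                    return True, name
            except ValueError:
                continue
    return False, "no forward record of %s matches %s" % (", ".join(names), client)

# Constructed sample zone data (documentation address ranges), so this runs offline.
SAMPLE_PTR = {
    "192.0.2.10": ["mail.example.org."],
    "192.0.2.20": ["mail.example.net."],      # forward record points elsewhere
    "2001:db8::25": ["mx6.example.org."],     # 192.0.2.30 has no PTR at all
}
SAMPLE_FWD = {
    "mail.example.org": ["192.0.2.10"],
    "mail.example.net": ["198.51.100.7"],
    "mx6.example.org": ["2001:0db8:0000:0000:0000:0000:0000:0025"],
}

def check_sample(ip):
    return fcrdns(ip, lambda i: SAMPLE_PTR.get(i, []), lambda h: SAMPLE_FWD.get(h, []))
```
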

@jwildeboer
Historically speaking, because of all the things I had to do to keep my web and mail servers functional and trustworthy, that's the reason that got me so deep into the inner workings of DNS. So yeah, can confirm.
-
@jwildeboer
You mean i can test setup by sending an email to you?

@Wolf Feel free to try! You might land on my blocklist faster than you expect, though
There are good services out there for such kind of checks that test even more things
I use https://mxtoolbox.com/diagnostic.aspx and a few more.
-
@jwildeboer but checking quad a records breaks many mailservers of german public services. Kind of reverse german behavior

-
@bkastl IPv6 is still maybe max 6-8% of incoming mail on my server. And around 98% of those actually have their DNS configured correctly

-
LOL.
apparently i'm very german

yup. HELO must be an actual DNS name, forward and reverse DNS must be correct, and if you haven't sent tuple of (sender,host,recip) in last 24 hours, you get a 5 minute greylisting.
that and sbl-xbl check blow out about 70% of the stupid spammers before i ever get to transferring actual email payload.
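
The greylisting rule from the post above, written out as a small decision function. This is an added example, not the poster's configuration; the class and method names are hypothetical, and it assumes that a deferred tuple is accepted on the first retry after the 5 minutes have passed and that every accepted delivery restarts the 24-hour window.

```python
GREYLIST_DELAY = 5 * 60        # seconds an unknown tuple has to wait
KNOWN_WINDOW = 24 * 60 * 60    # seconds a tuple stays known after a delivery

class Greylist:
    def __init__(self):
        self.first_seen = {}   # tuple -> time of the first deferred attempt
        self.last_pass = {}    # tuple -> time of the last accepted delivery

    def check(self, sender, host, recip, now):
        """Return "accept", or "defer" (answered with a temporary 4xx reply)."""
        key = (sender, host, recip)
        passed = self.last_pass.get(key)
        if passed is not None and now - passed < KNOWN_WINDOW:
            self.last_pass[key] = now          # seen in the last 24 hours
            return "accept"
        first = self.first_seen.get(key)
        if first is None or now - first >= KNOWN_WINDOW:
            self.first_seen[key] = now         # new tuple, or a stale pending entry
            return "defer"
        if now - first < GREYLIST_DELAY:
            return "defer"                     # retried before the 5 minutes were up
        del self.first_seen[key]
        self.last_pass[key] = now              # waited long enough, tuple is now known
        return "accept"
```
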
-
@jwildeboer
Yes, I know these toolbox sites, I mean most of my setup is green... What's ur preferred Test address?
-
@jwildeboer exactly how to do it.....even if i wouldn't call it the "german way" of doing it

-
I wonder how close that is to how @hallo @ubernauten do it
-
Obviously that's just the start of my German Mail Server vetting you. Blocklist, SPF, DKIM, DMARC checks follow. And I had to make some allowlist exceptions for mail providers whose emails I begrudgingly accept, even though they messed up their config. For a geeky deep dive, my blog series on all of that starts here: https://jan.wildeboer.net/2022/08/Email-0-The-Journey-2022/
-
@jwildeboer this is actually a major issue for hosting mailserver on regular ISP fiber, as you usually don't have control over PTR
-
@halfa A cheap VPS (Virtual Private Server) solves that problem. My mail server is a €5 VPS since 10+ years. 1 CPU, 2GB RAM, serves 20+ domains. Full PTR control for IPv4 and IPv6 included.
-