Differences

This shows you the differences between two versions of the page.

--- system:annoyances [2021-04-27T02:01:30+0000] – michael_paoli
+++ system:annoyances [2021-05-06T06:05:20+0000] (current) – reverted the temporarily increase of max queue time from 4 days to 7 days michael_paoli
@@ Line 520: / Line 520: @@
 $
 So, that looks much better now.
+</file>
+<file>
+wordpress also sends mail:
+From www-data@balug.org Tue Apr 27 02:12:48 2021
+From: WordPress <wordpress@berkeleylug.com>
+So, @berkeleylug.com needs to be set up to send - and at least minimally receive, email (e.g. postmaster ...)
+So, ... SPF first, as that has the longer TTL presently ...
+from:
+berkeleylug.com.        172800  IN      TXT     "v=spf1 -all"
+to:
+berkeleylug.com.        3600    IN      TXT     "v=spf1 ip4:96.86.170.229 ip6:2001:470:1f05:19e::2 -all"
+And, added bit more for digitalwitness.org. and sf-lug.org. (latter of which thus far still uses @linuxmafia.com for mail), now have:
+balug.org.              3600    IN      TXT     "v=spf1 ip4:96.86.170.229 ip6:2001:470:1f05:19e::2 -all"
+lists.balug.org.        3600    IN      TXT     "v=spf1 ip4:96.86.170.229 ip6:2001:470:1f05:19e::2 -all"
+tmp.balug.org.          3600    IN      TXT     "v=spf1 ip4:96.86.170.228 ip6:2001:470:1f05:19e::f -all"
+berkeleylug.com.        3600    IN      TXT     "v=spf1 ip4:96.86.170.229 ip6:2001:470:1f05:19e::2 -all"
+digitalwitness.org.     86400   IN      TXT     "v=spf1 -all"
+sf-lug.com.             172800  IN      TXT     "v=spf1 -all"
+sf-lug.net.             172800  IN      TXT     "v=spf1 -all"
+sf-lug.org.             86400   IN      TXT     "v=spf1 -all"
+sflug.com.              172800  IN      TXT     "v=spf1 -all"
+sflug.net.              172800  IN      TXT     "v=spf1 -all"
+sflug.org.              86400   IN      TXT     "v=spf1 -all"
+SPF version 2 could be good/better ... but later, not a top priority.
+</file>
+<file>
+So, let's look into enabling SPF checking upon receipt of incoming ...
+I also noticed what looks like something about a daemon - which may be preferable for large volumes/streams of incoming ...
+let's look at documentation bit more ...
+$ man spfd.mail-spf-perl
+$ systemctl list-unit-files | fgrep spf
+$
+So, nothin' in systemd unit files nor exim4 config that supports the spf daemon, so doing that would mean fair bit more manual configuring.
+For now let's presume spfquery (non-daemonized) is quite "good enough" for now - we can change later if we need to.
+So ... let's configure that ...
+added ...:
+# tail -n 1 conf.d/main/000_localmacros
+CHECK_RCPT_SPF = true
+# systemctl restart exim4.service
+# That should be enough for that to now be operational - that should stop >> 50% of the incoming spam (attempts).  Should see results in logs
+quite soon (if not already).
+</file>
+<file>
+Not seeing an SPF failure in the logs ... quite yet.
+Let's test something that should fail ...
+Drats - test made it through, even though the config should'a rejected it.
+Oh, let's also add berkeleylug.com to the email domains, so that should work.
+# DEBIAN_PRIORITY=medium dpkg-reconfigure exim4-config
+# systemctl start exim4.service
+Let's try sending to postmaster@berkeleylug.com
+and yes, that got delivered fine.
+So ... why is SPF check not working?
+</file>
+<file>
+# systemctl stop exim4.service
+# ls -d /usr/*bin/*exim*conf*
+/usr/sbin/update-exim4.conf  /usr/sbin/update-exim4.conf.template
+# update-exim4.conf
+# systemctl start exim4.service
+SPF check still not working.
+</file>
+<file>
+Wordpress email ... something to circle back on later.
+For now, for header it uses:
+From: WordPress <wordpress@berkeleylug.com>
+Looks like the only bit of that that's easy to change is the domain.  Looks like it uses php mail.  There are plugins to change that, but
+that's then more complications.  As for envelope, since it's using Apache, between that and exim, that ends up as:
+MAIL FROM:<www-data@balug.org>
+Again, not simple to change that.  More to circle back on for later.
+For now, dropped in aliases for www-data and wordpress, so at least attempts to those - and for now at least, won't bounce at those domains if
+attempted.  So, that should help deliverability (and, on the receiving side, probably some more spam for postmaster as I presently aliased those to
+postmaster ... "good enough" for now).
+</file>
+<file>
+Looks like the SPF checks are now working.
+I also found an older spdf process running and killed that off - maybe that made the difference?
+So, yes, and seeing SPF fail/rejects in the log e.g.:
+# fgrep -ai spf rejectlog
+-04-28 02:29:33 H=(sweja-se.mail.protection.outlook.com) [183.199.220.44] F=<oefydgodea@ottawa.ca> rejected RCPT <rsvp@balug.org>: SPF check failed.
+-04-28 03:50:56 H=(smail1.vub.sk) [222.77.253.120] F=<jhylunrrhc@swebolt.se> rejected RCPT <rsvp@balug.org>: SPF check failed.
+# dig +noall +answer +nottl ottawa.ca. TXT ottawa.ca. SPF swebolt.se. TXT swebolt.se. SPF | fgrep \"v=spf
+ottawa.ca.              IN      TXT     "v=spf1 include:spf.protection.outlook.com include:_spf.esolutionsgroup.ca include:emsd1.com -all"
+swebolt.se.             IN      TXT     "v=spf1 mx ip4:167.99.44.246 include:spf.protection.outlook.com a:smtp05.dgcsystems.net -all"
+# spfquery --scope mfrom --id oefydgodea@ottawa.ca --ip 183.199.220.44; echo "$?"
+fail
+Please see http://www.openspf.org/Why?s=mfrom;id=oefydgodea%40ottawa.ca;ip=183.199.220.44;r=balug-sf-lug-v2.balug.org
+ottawa.ca: Sender is not authorized by default to use 'oefydgodea@ottawa.ca' in 'mfrom' identity (mechanism '-all' matched)
+Received-SPF: fail (ottawa.ca: Sender is not authorized by default to use 'oefydgodea@ottawa.ca' in 'mfrom' identity (mechanism '-all' matched)) receiver=balug-sf-lug-v2.balug.org; identity=mailfrom; envelope-from="oefydgodea@ottawa.ca"; client-ip=183.199.220.44
+# spfquery --scope mfrom --id jhylunrrhc@swebolt.se --ip 222.77.253.120; echo "$?"
+fail
+Please see http://www.openspf.org/Why?s=mfrom;id=jhylunrrhc%40swebolt.se;ip=222.77.253.120;r=balug-sf-lug-v2.balug.org
+swebolt.se: Sender is not authorized by default to use 'jhylunrrhc@swebolt.se' in 'mfrom' identity (mechanism '-all' matched)
+Received-SPF: fail (swebolt.se: Sender is not authorized by default to use 'jhylunrrhc@swebolt.se' in 'mfrom' identity (mechanism '-all' matched)) receiver=balug-sf-lug-v2.balug.org; identity=mailfrom; envelope-from="jhylunrrhc@swebolt.se"; client-ip=222.77.253.120
+#
+</file>
+<file>
+Wrote a handy little program to summarize the exim rejectlog failure from the most recent few such log files:
+# Rejectlog_report
+Unrouteable address
+relay not permitted
+SPF check failed
+SMTP protocol synchronization error (input sent without waiting for greeting)
+maximum allowed line length
+unqualified address not permitted
+SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised)
+missing or malformed local part
+syntactically invalid
+#
+Look at least the top couple items would be good candidates for adding configurations for fail2ban.
+Some others beyond that may also be worth doing - but not as high a priority.
+</file>
+<file>
+// reverted the temporarily increase of max queue time from 4 days to 7 days:
+# awk '{if($1~/^[^#]/||$1~/^#\*/||$0~/^# temp/)print;}' conf.d/retry/30_exim4-config
+*                      *           F,2h,15m; G,16h,1h,1.5; F,4d,6h
+# systemctl reload exim4.service
+#
+</file>