On 2020-10-27 13:15, Gert Doering wrote:
> Hi,
>
> On Tue, Oct 27, 2020 at 01:00:59PM +0100, Jeroen Massar wrote:
> > Making sure one only egresses mail that one is supposed to send (SPF/DKIM/DMARC/ARC) is the only way to do that and would mean being a good citizen on the Internet,
>
> Much easier said than done...

Of course it is easily said; this is a mailing list, not a big slide deck or a huge howto on how to run a mailserver. That needs quite some experience ;)

For many folks on this list, SPF came, then DKIM, then DMARC, then ARC, and their installations started supporting them one at a time, thus evolution is easy.

Starting from 0, not so much.

But SwiNOG is here to help. If people have setup questions, we can answer them here; another good citizen on the Internet is a win for everybody.

> > which is why lists like UCEProtect exist: if you configure your stuff correctly, you won't end up on them.
>
> You totally miss the "you have a contract with the customer to run their mail for them, so of course you accept the mail, and then they mess up their SPF records in DNS" part.
>
> And then your whole mail server is blocked.

Yes, what UCEProtect does with 'one fail and you are out' is a bit over-aggressive. That is completely out of your control. Rejecting the mail would be good enough indeed, as the collateral damage is too much. (Would be fun if they listed Google + MS MXs though; that would quickly stop people using those kinds of lists... and considering the amount of spam originating through Google, though with valid SPF/DKIM etc., it should happen at one point :) -- maybe make it a threshold, "X mails out, Y bad, then block", and a low-volume sender then gets blocked quicker than a high-volume spammer...

One variant: as the domain also needs DKIM + SPF, and if the customer is not that tech-savvy: always take over domain hosting...

And/or monitor the DKIM/SPF records to check that they are valid for your setup, and warn the customer that you will stop relaying their messages because their setup is wrong.
Greets, Jeroen
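The monitoring idea from the last message (check that each relayed customer's SPF record still authorises your relay and that their DKIM selector still publishes a usable key, and warn before the whole relay gets listed) can be automated. The following is an added example, not code from the thread or from any SwiNOG participant. It evaluates a relay IP against a customer's SPF record (ip4/ip6/include/a/mx/all mechanisms and their qualifiers) and checks a DKIM selector record. DNS is replaced by a constructed in-memory table with hypothetical domain names and addresses so the script runs offline; in a real deployment those three lookup functions would query DNS.

```python
"""Offline check that a customer's SPF record authorises our relay and that
their DKIM selector publishes a key. Added example; names, addresses and the
in-memory 'DNS' below are constructed, not taken from any real zone."""
import ipaddress

# Constructed stand-in for DNS TXT/MX/A lookups (hypothetical data).
FAKE_TXT = {
    "example.net": ["v=spf1 include:_spf.relay.example mx -all"],
    "_spf.relay.example": ["v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"],
    "broken.example": ["v=spf1 ip4:198.51.100.5 -all"],      # our relay missing
    "nospf.example": [],                                     # no SPF at all
    "mail._domainkey.example.net": ["v=DKIM1; k=rsa; p=MIIBIjANBgkq"],
    "mail._domainkey.broken.example": ["v=DKIM1; k=rsa; p="],  # key revoked
}
FAKE_MX = {"example.net": ["mx1.example.net"], "broken.example": []}
FAKE_A = {"mx1.example.net": ["192.0.2.10"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def txt(name):
    return FAKE_TXT.get(name.lower(), [])


def spf_record(domain):
    """Return the single v=spf1 record, or None (zero or several records)."""
    recs = [r for r in txt(domain) if r.lower().startswith("v=spf1")]
    return recs[0] if len(recs) == 1 else None


def spf_authorises(domain, relay_ip, depth=0):
    """Evaluate relay_ip against domain's SPF record.

    Returns (verdict, reason); verdict 'pass' means the relay may send for
    domain. exists:, ptr:, redirect= and a/mx CIDR suffixes are not modelled.
    """
    if depth > 10:                     # RFC 7208 caps include/redirect lookups
        return ("permerror", "too many include lookups")
    rec = spf_record(domain)
    if rec is None:
        return ("none", f"no single v=spf1 record at {domain}")
    ip = ipaddress.ip_address(relay_ip)
    for term in rec.split()[1:]:       # skip the v=spf1 version tag
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                # version mismatch (v4 address vs v6 network) simply does not match
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return ("permerror", f"bad network {arg!r} in {domain}")
        elif mech == "include":
            # include matches only when the included record yields 'pass'
            matched = spf_authorises(arg, relay_ip, depth + 1)[0] == "pass"
        elif mech == "mx":
            hosts = FAKE_MX.get((arg or domain).lower(), [])
            matched = any(str(ip) in FAKE_A.get(h, []) for h in hosts)
        elif mech == "a":
            matched = str(ip) in FAKE_A.get((arg or domain).lower(), [])
        else:
            continue                   # unsupported mechanism/modifier: skip
        if matched:
            shown = f"{qual}{mech}{':' + arg if arg else ''}"
            return (QUALIFIERS[qual], f"matched {shown} in {domain}")
    return ("neutral", f"no mechanism in {domain} matched")


def dkim_key_ok(selector, domain):
    """True when selector._domainkey.domain has a DKIM1 record with non-empty p=."""
    for rec in txt(f"{selector}._domainkey.{domain}"):
        tags = dict(kv.strip().split("=", 1) for kv in rec.split(";") if "=" in kv)
        # v= is optional in DKIM records and defaults to DKIM1
        if tags.get("v", "DKIM1").strip() == "DKIM1" and tags.get("p", "").strip():
            return True
    return False


def audit_customer(domain, selector, relay_ip):
    """Problems the relay operator should warn this customer about (empty = fine)."""
    problems = []
    verdict, reason = spf_authorises(domain, relay_ip)
    if verdict != "pass":
        problems.append(f"SPF {verdict}: {reason}")
    if not dkim_key_ok(selector, domain):
        problems.append(f"DKIM: no usable key at {selector}._domainkey.{domain}")
    return problems


if __name__ == "__main__":
    for d in ("example.net", "broken.example", "nospf.example"):
        print(d, audit_customer(d, "mail", "192.0.2.5") or "OK")
```

Run this from cron for every domain you relay, with the relay's real outbound IPs in place of the constructed 192.0.2.5, and alert (or stop relaying, as the message suggests) when `audit_customer` returns anything: an SPF `fail` means the customer removed you from their record, `none` means they have no record, and a DKIM failure means the key for the selector you sign with is gone or empty.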