
dmstork
@dmstork@mastodon.social
New blog post: Why every organization should enable DANE https://davestork.nl/why-every-organization-should-enable-dane/
#security #SMTP #mail #MSExchange #Microsoft365 #DNSSEC #AzureDNS

@hongminhee@hollo.social
Introducing #Upyo!
A simple, cross-runtime email library that works seamlessly on #Deno, #Node.js, #Bun, and edge functions. Zero dependencies, unified API, and excellent testability with built-in mock transport.
Switch between #SMTP, #Mailgun, #SendGrid without changing your code. Available on #JSR & #npm!
@mirabilos@toot.mirbsd.org
Remember the threads¹² about #LetsEncrypt removing a crucial key usage from certificates issued by them in predictive obedience to their premium sponsor Google?
We were at first concerned about #SMTP. While I had lived through this problem with #StartSSL by #StartCom back in 2011, I only had a vague recollection of Jabber but recalled in detail that it broke server-to-server SMTP verification (whether the receiving server acted on it or just documented it).
Well, turns out someone now reported that it indeed breaks #XMPP entirely: https://community.letsencrypt.org/t/do-not-remove-tls-client-auth-eku/237427/66
This means that it will soon no longer be possible at all to operate Jabber (XMPP) servers because the servers use the operating system’s CA certificate bundle for verification, which generally follows the major browsers’ root stores, which has requirements from the CA/Browser forum who apparently don’t care about anything else than the webbrowser, and so no CA whose root certificate is in that store will be allowed to issue certificates suitable for Jabber/XMPP server-to-server communication while these CAs are the only ones trusted by those servers.
So, yes, Google’s requirement change is after all breaking Jabber entirely. Shame on anyone who thinks evil of it.
While https://nerdcert.eu/ by @jwildeboer would in theory help, it’s not existent yet, and there’s not just the question of when it will be included in operating systems’ root CA stores but whether it will be included in them at all.
Google’s policy has no listed contact point, and the CA/B forum isn’t something mere mortals can complain to, so I’d appreciate it if someone who can, and who has significant skills to argue this in English and is willing to, would bring it to them.
① mine: https://toot.mirbsd.org/@mirabilos/statuses/01JV8MDA4P895KK6F91SV7WET8
② jwildeboer’s: https://social.wildeboer.net/@jwildeboer/114516238307785904
@smallcircles@social.coop
Hi @delta 👋
I am making updates to https://delightful.coding.social/delightful-activitypub-development and bumped into this interesting #SMTP to #ActivityPub proof of concept. Just a heads-up to make you aware, in case it is interesting for #DeltaChat in some way or other.
@mirabilos@toot.mirbsd.org · Reply to mirabilos's post
@rl_dane @ShinjiLE if you or someone else wants to help argue, the thread is at https://community.letsencrypt.org/t/do-not-remove-tls-client-auth-eku/237427 (Discourse, so JS webbrowser), I’m exhausted.
#LetsEncrypt #SSL #TLS #certificates #X509 #X509v3 #sendmail #SMTP #XMPP #Jabber
@jschauma@mstdn.social · Reply to Jan Schaumann's post
System Administration
Week 8, The Simple Mail Transfer Protocol, Part III
In this video, we look at ways to combat Spam. In the process, we learn about email headers, the Sender Policy Framework (#SPF), DomainKeys Identified Mail (#DKIM), and Domain-based Message Authentication, Reporting and Conformance (#DMARC). #SMTP doesn't seem quite so simple any more...
@jschauma@mstdn.social · Reply to Jan Schaumann's post
System Administration
Week 8, The Simple Mail Transfer Protocol, Part II
In this video, we observe the incoming mail on our MTA, look at how STARTTLS can help protect information in transit, how MTA-STS can help defeat a MitM performing a STARTTLS-stripping attack, and how DANE can be used to verify the authenticity of the mail server's certificate.
@jschauma@mstdn.social · Reply to Jan Schaumann's post
System Administration
Week 8, The Simple Mail Transfer Protocol
In this video, we begin our discussion of E-Mail by looking at the components of the larger mail system (the Mail User Agent, Mail Transfer Agent, Mail Delivery Agent, Access Agent); we observe the packets involved in a simple #SMTP exchange and track an email from one system to the other, both through the logs and on the wire, before we then learn to speak SMTP via telnet(1).
@pitrh@mastodon.social
I thought I had seen it all when it comes to mail delivery and security issues.
But this morning I was introduced to the fact that there are Exchange admins who will implement a rule that all incoming mail from outside their own organization should be flagged as potentially dangerous and presented to the user with the option to block sender and no option to mark the message or the sender as valid.
Yes, that for every single message.
@pitrh@mastodon.social
The Problem Isn't Email, It's Microsoft Exchange -- it turns out my 2011-vintage rant still rings true, now also available trackerless: https://nxdomain.no/~peter/the_problem_isnt_email_its_microsoft_exchange.html #inefficiency #timewasted #email #archiving #microsoft #exchange #compliance #deduplication #unsolvedproblems #smtp #mail #annoyances
@davidism@mas.to
Announcing Email-Simplified (and Flask-Email-Simplified), a library for creating and sending email in Python. I blogged about it here: https://davidism.com/email-simplified/
Sets up TLS trust correctly, handles international domains, HTML with inline attachments, converting to/from MIME. Works in plain Python, has an API for integrating with frameworks, and an API for writing new service providers in addition to the built-in SMTP provider. And much more! #python #email #smtp
@floppy@fosstodon.org
TIL: JMAP, to replace IMAP
https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol
💬 "The JSON Meta Application Protocol (JMAP) is a set of related open Internet Standard protocols for handling email.
[...] using JSON APIs over HTTP
[...] developed as an alternative to IMAP/SMTP
[...] potential replacements for CardDAV and CalDAV"
@delta@chaos.social
Preventing enshittification of platforms rests on credible exit for users and devs. #ActivityPub and #SMTP are not perfect but
a) are implemented and understood by many players,
b) enable freedom of choice of servers and clients,
c) implement #RightToMigrate as well as self/community custody
Many #p2p projects promise to remove servers but often promote and depend on a single implementation stack, have no spec and no interop among #p2p islands, and thus struggle to provide credible exit.
@splitbrain@octodon.social
My Google-fu is failing me. So let's ask here.
Is there a drop-in replacement for the /usr/bin/sendmail binary that:
* accepts the same parameters as the original
* can directly deliver mails to the recipient's SMTP server without an intermediary SMTP server
* can optionally be configured via environment variables to send mails via a relay server
* does NOT listen to any ports, interaction via CLI only
I feel like this should be easy to write in Go but I can't find anything suitable.
@prma@fosstodon.org
@arthurzenika@pouet.chapril.org · Reply to Arthur Lutz (Zenika)'s post
I haven't necessarily made an exhaustive list of all the tools, but if you have any that you like for this kind of work, I'd welcome your feedback! Especially if there is a place where the delisting forms are listed, for the "big" mail players...
And don't forget:
> email is the future
@arthurzenika@pouet.chapril.org · Reply to Arthur Lutz (Zenika)'s post
All of this is "free", of course. As for the paid stuff (I'll let you name this kind of practice):
💸
At Outlook, there is no "allow list", but (the big BUT) you can go and pay "Return Path Inc.", which is now called Validity / Everest: https://www.validity.com/everest/
At UCEProtect https://www.uceprotect.net/en/rblcheck.php they have 3 levels of lists: by IP, by subnet, by AS. Removing an AS costs money ... I imagine level3 is little used.
@arthurzenika@pouet.chapril.org · Reply to Arthur Lutz (Zenika)'s post
🟠 At Orange, it currently seems that they use a service called Abusix; https://lookup.abusix.com/ lets you check your IPs, and then you can create an account to delist them.
At Microsoft there is also https://sender.office.com/ for an IP and another, longer form https://olcsupport.office.com/ to create a ticket.
I think https://senderscore.org/ can be useful too.
On the Yahoo side, it is possible to create a ticket https://senders.yahooinc.com/contact/
@arthurzenika@pouet.chapril.org · Reply to Arthur Lutz (Zenika)'s post
If you want more tools for testing outgoing mail, @bortzmeyer has put together an excellent list on his blog:
there, lots of tests for SPF, DKIM, DMARC etc. get added.
To get familiar with these concepts, I find the CloudFlare articles well done https://www.cloudflare.com/learning/email-security/dmarc-dkim-spf/
@arthurzenika@pouet.chapril.org · Reply to Arthur Lutz (Zenika)'s post
As for tools to make sure that mails are well formed and that the DNS configuration is good, there is of course the indispensable MXToolbox
Which, incidentally, also does blacklist checks.
@arthurzenika@pouet.chapril.org · Reply to Arthur Lutz (Zenika)'s post
For blacklist monitoring we use HetrixTools
It lets you run a check every 24h that the outgoing IPs of the SMTP servers are not listed on bad-reputation lists.
For example SpamHaus https://check.spamhaus.org/
And if they are, you get a link to the delisting form
@arthurzenika@pouet.chapril.org · Reply to Arthur Lutz (Zenika)'s post
We use Postal for applications to send their mail
It's free software, in Ruby, and the project is rather nice, with a web interface for management. They respond rather well to suggestions and bug reports on GitHub...