Setup dmarc record? and rDNS for codema.in ip?
We can use the VPN IP or SMTP over SSH https://p5r.uk/blog/2017/smtp-via-ssh-tunnel.html (which I have tested on the Oracle free VM - I have to ssh to the Oracle free VM and relay the mail from there).
cc @bady @bhe @asd @akhilvarkey @abbyck
Since libreinfra.org was not reliable, Akshay has configured his personal mail server for now. But it is on some blacklists due to a missing rDNS entry. Instead of maintaining two IPs for mail server reputation, I think it is easier to maintain just one, and since we already maintain lists.fsci.in we should reuse that effort as well.
- Alternatively ask Akshay if he wants to continue offering his smtp server since he already has good reputation. Either way we have to cleanup unused MX records and unused servers listed in SPF record.
Update: Akshay agreed to continue offering the smtp service, so we can stay with it.
- Setup dmarc record?
Activity
- Owner
Akshay has configured his personal mail server for now. But it is on some blacklists due to missing rDNS entry.
Just to clarify, my mail server (mail.free.gen.in) has proper rDNS, SPF, DKIM, and DMARC and doesn't show up in any blacklist at https://dnschecker.org/ip-blacklist-checker.php?query=65.108.245.227 or https://mxtoolbox.com/SuperTool.aspx?action=blacklist%3a65.108.245.227&run=toolpage
- Author Owner
https://dnschecker.org/ip-blacklist-checker.php?query=162.215.3.26 this shows 3 blacklists, reported by vasundhar.
- Author Owner
If you are maintaining its ip reputation anyway and want to continue hosting the mails, that works too :)
- Owner
That's the IP address of mailhostbox.com which the tool vasundhar used picked up from the MX record of codema.in
codema.in is 135.181.250.25 at the moment
and
mail.free.gen.in is 65.108.245.227
- Author Owner
So he was checking a wrong ip address I guess.
- Author Owner
I guess we need to cleanup the other mx records?
- Author Owner
Also remove those from the SPF record and make it strict? "?all" to "-all"?
- Author Owner
Maybe the old entries in the SPF record are pulling in unnecessary blacklists?
- Author Owner
```
pravi@ilvala2:~$ dig -t mx codema.in

; <<>> DiG 9.18.19-1~deb12u1-Debian <<>> -t mx codema.in
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25868
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;codema.in.			IN	MX

;; ANSWER SECTION:
codema.in.		38400	IN	MX	100 us2.mx3.mailhostbox.com.
codema.in.		7200	IN	MX	10 codema.in.
codema.in.		38400	IN	MX	100 us2.mx2.mailhostbox.com.
codema.in.		38400	IN	MX	100 us2.mx1.mailhostbox.com.

;; Query time: 800 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Sun Nov 26 16:14:37 IST 2023
;; MSG SIZE  rcvd: 141

pravi@ilvala2:~$ dig -t txt codema.in

; <<>> DiG 9.18.19-1~deb12u1-Debian <<>> -t txt codema.in
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52790
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;codema.in.			IN	TXT

;; ANSWER SECTION:
codema.in.		21600	IN	TXT	"v=spf1 a mx a:mail.free.gen.in ip4:185.145.203.133 include:_netblocks1.mailhostbox.com include:_netblocks2.mailhostbox.com include:_netblocks3.mailhostbox.com ?all"

;; Query time: 364 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Sun Nov 26 16:16:34 IST 2023
;; MSG SIZE  rcvd: 214
```
- Pirate Praveen changed title from Switch codema.im smtp server to lists.fsci.in to Switch codema.im smtp server to lists.fsci.in or ask Akshay if he wants to continue offering his smtp server
- Pirate Praveen changed the description
- Author Owner
I don't have access to the domain panel to remove the unused mx records and spf addresses, so either someone should give me the access or someone with access should remove it.
- Owner
I do have access to domain panel
I think softfail might be okay: https://www.mailhardener.com/blog/why-mailhardener-recommends-spf-softfail-over-fail
I've removed the extra MX records and kept only a, mx and mail.free.gen.in in the SPF record.
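The SPF cleanup and the `?all` versus `~all` / `-all` question in this thread can be checked offline. The following is an added example, not code from this issue or from any project discussed in it: it tokenises the SPF record shown in the dig output above, counts the terms that cost a DNS lookup (RFC 7208 allows at most 10), reports what the `all` qualifier actually means, rebuilds the trimmed record with softfail, and validates a DMARC record. The DMARC record is a constructed sample; `SPF_AFTER` is what the described cleanup produces, not the live record.

```python
"""Offline sanity checks for SPF and DMARC TXT records.

Added example; not code from the codema.in issue thread or any project
discussed there. SPF_BEFORE is the record shown in the thread's dig output;
SPF_AFTER is what the cleanup described in the thread produces, with
softfail; the DMARC record is a constructed sample.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# SPF record exactly as returned by `dig -t txt codema.in` in the thread.
SPF_BEFORE = (
    "v=spf1 a mx a:mail.free.gen.in ip4:185.145.203.133 "
    "include:_netblocks1.mailhostbox.com include:_netblocks2.mailhostbox.com "
    "include:_netblocks3.mailhostbox.com ?all"
)

# Terms that cost a DNS lookup during evaluation (RFC 7208 s4.6.4 caps these at 10).
LOOKUP_TERMS = {"a", "mx", "include", "exists", "redirect", "ptr"}

ALL_MEANING = {
    "+": "pass: any sender passes, no anti-spoofing value",
    "?": "neutral: unlisted senders are treated as if no SPF record existed",
    "~": "softfail: unlisted senders are flagged but usually still accepted",
    "-": "fail: receivers should reject unlisted senders",
}


@dataclass
class SpfReport:
    terms: list                      # (qualifier, name, separator, argument) per term
    all_qualifier: Optional[str]     # qualifier on the 'all' term, None if absent
    lookup_count: int
    problems: list = field(default_factory=list)


def parse_spf(record: str) -> SpfReport:
    """Tokenise an SPF record and flag the weaknesses discussed in the thread."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms, problems, lookups, all_qualifier = [], [], 0, None
    for term in parts[1:]:
        m = re.fullmatch(r"([+\-~?]?)([a-z0-9]+)(?:([:=/])(.+))?", term, re.IGNORECASE)
        if not m:
            problems.append(f"unparseable term {term!r}")
            continue
        qual = m.group(1) or "+"          # an unqualified mechanism means '+'
        name, sep, arg = m.group(2).lower(), m.group(3), m.group(4)
        terms.append((qual, name, sep, arg))
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            all_qualifier = qual
    if all_qualifier is None:
        problems.append("no 'all' term: unlisted senders get an implicit neutral result")
    elif all_qualifier in "+?":
        problems.append(f"'{all_qualifier}all' offers no protection; use ~all or -all")
    if lookups > 10:
        problems.append(f"{lookups} lookup terms exceed the limit of 10 (permerror)")
    return SpfReport(terms, all_qualifier, lookups, problems)


def rewrite_spf(record: str, drop=("include", "ip4"), all_qualifier="~") -> str:
    """Rebuild a record without the named mechanisms and with a new 'all' qualifier."""
    out = ["v=spf1"]
    for qual, name, sep, arg in parse_spf(record).terms:
        if name == "all" or name in drop:
            continue
        prefix = "" if qual == "+" else qual
        out.append(f"{prefix}{name}{sep}{arg}" if arg else f"{prefix}{name}")
    out.append(f"{all_qualifier}all")
    return " ".join(out)


SPF_AFTER = rewrite_spf(SPF_BEFORE)   # "v=spf1 a mx a:mail.free.gen.in ~all"


def parse_dmarc(record: str) -> dict:
    """Split a DMARC record into tags and check the mandatory v= and p= tags."""
    tags = {}
    for item in record.split(";"):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            raise ValueError(f"malformed DMARC tag {item!r}")
        key, value = item.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record (needs v=DMARC1)")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("DMARC record needs p=none|quarantine|reject")
    return tags


# Constructed sample; the thread has not yet chosen a DMARC policy or report address.
DMARC_SAMPLE = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.invalid"

if __name__ == "__main__":
    for label, rec in (("before", SPF_BEFORE), ("after", SPF_AFTER)):
        r = parse_spf(rec)
        print(f"{label}: {r.lookup_count} lookup terms, '{r.all_qualifier}all' -> "
              f"{ALL_MEANING[r.all_qualifier]}")
        for p in r.problems:
            print("  problem:", p)
    print("dmarc:", parse_dmarc(DMARC_SAMPLE))
```

Running it shows the original record costing six lookups with a neutral `?all`, and the trimmed record costing three with softfail. A `p=none` DMARC policy like the sample only asks for aggregate reports; it is the usual first step before moving to `quarantine` or `reject` once the reports confirm that all legitimate mail passes SPF or DKIM alignment.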
- Author Owner
thanks, then I will also switch back to soft fail for my personal domain as well.
- Author Owner
Btw do we need this long TTL?
```
$ dig -t txt codema.in @dns5.coolwrks.com

; <<>> DiG 9.18.19-1~deb12u1-Debian <<>> -t txt codema.in @dns5.coolwrks.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37847
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;codema.in.			IN	TXT

;; ANSWER SECTION:
codema.in.		28800	IN	TXT	"v=spf1 a mx a:mail.free.gen.in ip4:185.145.203.133 include:_netblocks1.mailhostbox.com include:_netblocks2.mailhostbox.com include:_netblocks3.mailhostbox.com ?all"

;; Query time: 336 msec
;; SERVER: 162.251.82.250#53(dns5.coolwrks.com) (UDP)
;; WHEN: Sun Nov 26 16:58:23 IST 2023
;; MSG SIZE  rcvd: 214
```
I think 300 (5 hours) is fine.
- Owner
I have no problem in keeping the codema notifications going via mine because it doesn't take up any storage. And I'm already involved in codema maintenance.
Additionally, setting up postfix or something on lists when it already runs mailman might be complicated. So, till we anyhow need a mailserver, we can continue with the status quo.
- Author Owner
I don't think there is any complication, for example I can send mails for camp@fsci.in directly from the server with sendmail command. We just have to add codema.in as an allowed domain in mailman.
- Owner
Yeah, sending is unlikely to be difficult. Receiving might be complicated by transport maps, etc. Anyhow, it doesn't look like codema.in receives any mail.
- Author Owner
Codema is supposed to receive mails too I guess, you can reply to notifications.
- Author Owner
Should we also set a dmarc record?
- Author Owner
also do we need rDNS for codema.in as well or rDNS for mail.free.gen.in is sufficient?
- Author Owner
https://matrix.spfbl.net/135.181.250.25 so I think we need to setup rDNS for this domain as well.
- Author Owner
I guess this should be done from hetzner console.
- Owner
Ideally only the outgoing mailserver's rDNS should be checked. Because, otherwise services like Amazon's SES will have trouble with various people having domains without rDNS.
- Author Owner
https://dnschecker.org/ip-blacklist-checker.php?query=notifications%40codema.in suggests checking this ip address and that shows the rDNS missing. Safer to add? or not worth the trouble?
- Owner
I think that tool just has one algorithm - fetch the MX record, check that IP address. It cannot figure out the fact that the mail is being sent through another server.
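The distinction made above, between the host the MX record points at and the host that actually submits the mail, is what a forward-confirmed reverse DNS (FCrDNS) check has to respect. The following is an added example, not code from this issue or from any tool mentioned in it. The lookup tables are constructed for the demonstration: they mirror what the thread reports (codema.in's address 135.181.250.25 has no PTR, mail.free.gen.in at 65.108.245.227 is the outgoing relay, the MX now points at codema.in itself) but are not live DNS data, and the PTR name assigned to 65.108.245.227 is an assumption.

```python
"""Forward-confirmed reverse DNS check against a canned resolver.

Added example, not code from the thread. PTR_TABLE, A_TABLE and MX_TABLE
are constructed stand-ins for DNS answers so the check runs offline.
"""
import ipaddress

# Constructed: PTR answers keyed by IP. 135.181.250.25 deliberately has none,
# matching the "rDNS missing" result the thread reports for that address.
PTR_TABLE = {"65.108.245.227": "mail.free.gen.in"}   # assumed PTR name

# Constructed: forward (A) answers keyed by hostname.
A_TABLE = {
    "mail.free.gen.in": {"65.108.245.227"},
    "codema.in": {"135.181.250.25"},
}

# Constructed: MX answers after the cleanup described in the thread.
MX_TABLE = {"codema.in": ["codema.in"]}


def reverse_pointer(ip: str) -> str:
    """Name that a resolver queries for the PTR record, e.g. 25.250.181.135.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def fcrdns(ip: str, ptr=PTR_TABLE, a=A_TABLE):
    """Return (status, detail). 'ok' means PTR exists and resolves back to ip."""
    host = ptr.get(ip)
    if host is None:
        return "missing", f"no PTR record at {reverse_pointer(ip)}"
    if ip not in a.get(host, set()):
        return "mismatch", f"PTR {host} does not resolve back to {ip}"
    return "ok", host


def check_outbound_path(domain: str, sending_host: str, mx=MX_TABLE, a=A_TABLE):
    """Run FCrDNS for the MX hosts (what the web checkers look at) and,
    separately, for the host that actually submits mail (what receiving
    MTAs evaluate on the SMTP connection)."""
    results = {}
    for mx_host in mx.get(domain, []):
        for ip in sorted(a.get(mx_host, ())):
            results[("mx", ip)] = fcrdns(ip, ptr=PTR_TABLE, a=a)
    for ip in sorted(a.get(sending_host, ())):
        results[("outbound", ip)] = fcrdns(ip, ptr=PTR_TABLE, a=a)
    return results


if __name__ == "__main__":
    for (role, ip), (status, detail) in check_outbound_path("codema.in", "mail.free.gen.in").items():
        print(f"{role:8} {ip:16} {status:8} {detail}")
```

With the constructed data the MX address comes back `missing` while the outbound relay passes, which is exactly the situation where a checker that only follows the MX record reports a problem that receiving servers never see.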
- Pirate Praveen changed title from Switch codema.im smtp server to lists.fsci.in or ask Akshay if he wants to continue offering his smtp server to Setup dmarc record?
- Pirate Praveen changed the description
- Pirate Praveen marked the checklist item Alternatively ask Akshay if he wants to continue offering his smtp server since he already has good reputation. Either way we have to cleanup unused MX records and unused servers listed in SPF record. as completed
- Pirate Praveen changed title from Setup dmarc record? to Setup dmarc record? and rDNS for codema.in ip?