0sg.net bouncing for bad reverse lookups?


Re: 0sg.net bouncing for bad reverse lookups?

Postby hilde4705 » Sat Feb 04, 2023 8:47 pm

No, JFK,

  1. I have been using SG since 2011 and I haven't had such massive problems so far.
    So I don't think there is a general problem with gmx responsible for the current problems.
  2. If you wipe my 10 cents out this way: why are gmx and web on "the list of providers" and why do others probe them?

Best regards
Hilde

Re: 0sg.net bouncing for bad reverse lookups?

Postby Clewby » Tue Feb 07, 2023 7:26 am

Mail is still not being forwarded to my protected address, which is on a provider that has DANE enabled. I suspect the Spamgourmet mailserver software is attempting to set up a TLS connection to DANE-enabled providers and incorrectly failing to validate the connection, as my provider is not having problems with other senders. Unfortunately, I have lost some important emails.

@hilde4705

If you wipe my 10 cents out this way: why are gmx and web on "the list of providers" and why do others probe them?


GMX is there because I was looking for points of commonality to see if I could diagnose what is going on. I wasn't aware that problems had existed delivering to gmx for a long time - problems that are likely unrelated to the current issue. I have no connection with Spamgourmet other than being a user of the service for more than 10 years, and I was trying to give some useful feedback/diagnosis to the volunteers that run the service.

In my opinion we should be in a different thread, as I don't think the current problems are due to bad reverse DNS lookups - I could be wrong, but I have no access to logging information or servers that would enable me to find out. I just hope the volunteers have not given up.

Clewby

Re: 0sg.net bouncing for bad reverse lookups?

Postby JFK » Wed Feb 08, 2023 12:48 am

Has anyone tried to get in contact with SysKoll (or maybe josiah) or anyone else who has a deeper insight into (or maybe access to) the Spamgourmet mailserver software?

Cheers,

JFK

Re: 0sg.net bouncing for bad reverse lookups?

Postby Dianeslaak » Wed Feb 08, 2023 12:21 pm

I have been in touch with Syskoll. I asked that Syskoll would post what was told to me here also, but that has unfortunately not happened yet.
The message about all my mail being blocked since Jan 16th is that a certificate is expired/absent in the TLS handshake. Correcting that apparently needs a server update. And that is only possible for Josh, who lives in an area with current power outages.

I am no sysadmin, so maybe I paraphrased wrongly. I find it strange that if there were no certificate problems before, why there would be now. And if the certificate expired, why it can't be replaced without a full server update.

On the other hand, this is not my field of work, and this is a free hobby-like volunteer project, so no complaints. Nevertheless this has a huge impact on my life as all mail goes through spamgourmet. I really hope a solution can be found.

Re: 0sg.net bouncing for bad reverse lookups?

Postby Clewby » Fri Feb 10, 2023 7:44 pm

Dianeslaak wrote:I have been in touch with Syskoll. I asked that Syskoll would post what was told to me here also, but that has unfortunately not happened yet.
The message about all my mail being blocked since Jan 16th is that a certificate is expired/absent in the TLS handshake. Correcting that apparently needs a server update. And that is only possible for Josh, who lives in an area with current power outages.

I am no sysadmin, so maybe I paraphrased wrongly. I find it strange that if there were no certificate problems before, why there would be now. And if the certificate expired, why it can't be replaced without a full server update.


The certificate(s) in question have an expiry date built into them. This makes it difficult to use an old certificate to impersonate someone. It also means that you periodically need to replace the certificate with a new one to extend the expiry date into the future - much like passports, which are valid for a limited time.

The certificates are linked in a hierarchical trust structure, and when certificates are checked for validity, the whole hierarchy/chain of certificates back to a root certificate is checked - each certificate is 'signed' by another certificate closer to the root certificate. The root certificate also expires and needs replacing periodically. The process to do this is a little complicated, as you don't want to be in a situation where an expired root certificate renders all the subsidiary certificates invalid. Depending on which certificate or certificates have expired, and how the maintenance of the trust hierarchy has been carried out, the job to recover from a certificate expiry could be quite difficult.

It's not just mail. This reasonably readable article about certificate expiry goes into more detail for a related area: Scott Helme: The Impending Doom of Expiring Root CAs and Legacy Clients

So the statement of the problem is simple: a certificate (or some certificates) have expired.
The resolution of the problem could well not be simple. I don't know why a full server update is needed.


Dianeslaak wrote:On the other hand, this is not my field of work, and this is a free hobby-like volunteer project, so no complaints. Nevertheless this has a huge impact on my life as all mail goes through spamgourmet. I really hope a solution can be found


I really hope this can be resolved quickly too.

Re: 0sg.net bouncing for bad reverse lookups?

Postby Clewby » Fri Feb 10, 2023 10:24 pm

Hmm. Curious.

I read this interesting web-page: geekrant.org: Install exim4 STARTTLS using a free LetsEncrypt certificate

So a swift test of 216.75.62.102 (which is the IP address of ob.0sg.net and gourmet7.spamgourmet.com) using swaks:

$ swaks --tls-get-peer-cert -a -tls -q HELO -s 216.75.62.102 -au test -ap '<>'
=== Trying 216.75.62.102:25...
=== Connected to 216.75.62.102.
<-  220 spamgourmet. helo.
 -> EHLO <redacted>
<-  250-gourmet7.spamgourmet.com Hello <redacted> [xxx.xxx.xxx.xxx]
<-  250-SIZE 26214400
<-  250-8BITMIME
<-  250-PIPELINING
<-  250-PIPE_CONNECT
<-  250-CHUNKING
<-  250-STARTTLS
<-  250-SMTPUTF8
<-  250 HELP
 -> STARTTLS
<-  220 TLS go ahead
=== TLS started with cipher UNKNOWN(0x0304):TLS_AES_256_GCM_SHA384:256
=== TLS no local certificate set
=== TLS peer DN="/C=US/ST=Texas/L=Houston/O=spamgourmet/OU=spamgourmet/CN=gourmet7.spamgourmet.com/emailAddress=cert.sginfo@spamgourmet.com"
=== -----BEGIN CERTIFICATE-----
=== MIIDJDCCAo2gAwIBAgIJAJLaN4eoiB1hMA0GCSqGSIb3DQEBBQUAMIGqMQswCQYD
=== VQQGEwJVUzEOMAwGA1UECAwFVGV4YXMxEDAOBgNVBAcMB0hvdXN0b24xFDASBgNV
=== BAoMC3NwYW1nb3VybWV0MRQwEgYDVQQLDAtzcGFtZ291cm1ldDEhMB8GA1UEAwwY
=== Z291cm1ldDcuc3BhbWdvdXJtZXQuY29tMSowKAYJKoZIhvcNAQkBFhtjZXJ0LnNn
=== aW5mb0BzcGFtZ291cm1ldC5jb20wHhcNMTQwNDA5MTUwNDQ5WhcNMzgxMTI5MTUw
=== NDQ5WjCBqjELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVRleGFzMRAwDgYDVQQHDAdI
=== b3VzdG9uMRQwEgYDVQQKDAtzcGFtZ291cm1ldDEUMBIGA1UECwwLc3BhbWdvdXJt
=== ZXQxITAfBgNVBAMMGGdvdXJtZXQ3LnNwYW1nb3VybWV0LmNvbTEqMCgGCSqGSIb3
=== DQEJARYbY2VydC5zZ2luZm9Ac3BhbWdvdXJtZXQuY29tMIGfMA0GCSqGSIb3DQEB
=== AQUAA4GNADCBiQKBgQCdpRITrdsRyok6lVY7q9SQH7sLhJrS6vvLp2+Hg/y5qGfp
=== 3QRtWw3zaxPyTKwXcXy2JQ5r0e8OES2yJpkbCAN6CZYjgWplM3K6TuRqOZJzsDEr
=== Yz0gRrgFa63g6D0sfvVynIiCzQw2Cnt7zX9Xjt5FYb5QPcQp4kN+OXWBdz+IxQID
=== AQABo1AwTjAdBgNVHQ4EFgQU0bozVaLFn2o7ISnxLfQrjz/itLcwHwYDVR0jBBgw
=== FoAU0bozVaLFn2o7ISnxLfQrjz/itLcwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0B
=== AQUFAAOBgQCJnj6V7JkZ3Gd5EtNJ5ahzayXxu63g9pw8+ZaGoLlY7CkDX/OVxJGT
=== HOQ6/0i2QNKy1JWhKOzwpMtIJclBnxfNrWURAKWBrClg1EF6DrNS8NC7hL6kXKYl
=== 6k7hl3/AR8ZC9WLK8RTdNcKSy2K5HOHYOnX+WToNPs3MMYNvrFp4nw==
=== -----END CERTIFICATE-----
 ~> EHLO <redacted>
<~  250-gourmet7.spamgourmet.com Hello <redacted> [xxx.xxx.xxx.xxx]
<~  250-SIZE 26214400
<~  250-8BITMIME
<~  250-PIPELINING
<~  250-PIPE_CONNECT
<~  250-CHUNKING
<~  250-SMTPUTF8
<~  250 HELP
 ~> QUIT
<~  221 gourmet7.spamgourmet.com closing connection
=== Connection closed with remote host.

That certificate, decoded, says:

    Issued To: C=US, ST=Texas, L=Houston, O=spamgourmet, OU=spamgourmet, CN=gourmet7.spamgourmet.com, E=cert.sginfo@spamgourmet.com
    Issued By: C=US, ST=Texas, L=Houston, O=spamgourmet, OU=spamgourmet, CN=gourmet7.spamgourmet.com, E=cert.sginfo@spamgourmet.com
    Serial Number: 00 92 da 37 87 a8 88 1d 61
    Issued On: Wed Apr 09 2014 17:04:49 GMT+0200 (Central European Summer Time)
    Expires On: Mon Nov 29 2038 16:04:49 GMT+0100 (Central European Standard Time)
    SHA-256 Fingerprint: b7 48 b7 4b 85 55 5c 1d a5 01 54 53 b8 df fd f4 4d 41 b6 82 87 55 64 a6 4b 5f ea e0 d2 2e 5d bc
    SHA-1 Fingerprint: 62 b8 49 74 bb 87 6d f4 4a 9c 06 7f cb d2 4b b1 b6 5e 95 41


It certainly doesn't look expired.

But if I turn on validation:

$ swaks --tls-verify -a -tls -q HELO -s 216.75.62.102 -au test -ap '<>'
=== Trying 216.75.62.102:25...
=== Connected to 216.75.62.102.
<-  220 spamgourmet. helo.
 -> EHLO <redacted>
<-  250-gourmet7.spamgourmet.com Hello <redacted> [xxx.xxx.xxx.xxx]
<-  250-SIZE 26214400
<-  250-8BITMIME
<-  250-PIPELINING
<-  250-PIPE_CONNECT
<-  250-CHUNKING
<-  250-STARTTLS
<-  250-SMTPUTF8
<-  250 HELP
 -> STARTTLS
<-  220 TLS go ahead
*** TLS startup failed (connect(): error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed)
*** STARTTLS attempted but failed


What I have not worked out is why the verification fails.

If I do the same thing to protonmail, the verification succeeds.

$ swaks --tls-verify -a -tls -q HELO -s mail.protonmail.ch -au test -ap '<>'
=== Trying mail.protonmail.ch:25...
=== Connected to mail.protonmail.ch.
<-  220-mailin021.protonmail.ch ESMTP Postfix
<-  220 mailin021.protonmail.ch ESMTP Postfix
 -> EHLO <redacted>
<-  250-mailin021.protonmail.ch
<-  250-PIPELINING
<-  250-SIZE 36480000
<-  250-STARTTLS
<-  250-ENHANCEDSTATUSCODES
<-  250-8BITMIME
<-  250 CHUNKING
 -> STARTTLS
<-  220 2.0.0 Ready to start TLS
=== TLS started with cipher UNKNOWN(0x0304):TLS_AES_256_GCM_SHA384:256
=== TLS no local certificate set
=== TLS peer DN="/CN=protonmail.com"
 ~> EHLO <redacted>
<~  250-mailin021.protonmail.ch
<~  250-PIPELINING
<~  250-SIZE 36480000
<~  250-ENHANCEDSTATUSCODES
<~  250-8BITMIME
<~  250 CHUNKING
 ~> QUIT
<~  221 2.0.0 Bye
=== Connection closed with remote host.

It would be great if someone could say definitively what the problem is, and what needs to be done to resolve it. All I've confirmed is that certificate verification fails, but I don't know why.

Re: 0sg.net bouncing for bad reverse lookups?

Postby hilde4705 » Mon Feb 13, 2023 4:36 pm

Clewby wrote:
That certificate, decoded, says:

    Issued To: C=US, ST=Texas, L=Houston, O=spamgourmet, OU=spamgourmet, CN=gourmet7.spamgourmet.com, E=cert.sginfo@spamgourmet.com
    Issued By: C=US, ST=Texas, L=Houston, O=spamgourmet, OU=spamgourmet, CN=gourmet7.spamgourmet.com, E=cert.sginfo@spamgourmet.com
...

It certainly doesn't look expired.
...
What I have not worked out is why the verification fails.
If I do the same thing to protonmail, the verification succeeds.
...
It would be great if someone could say definitively what the problem is, and what needs to be done to resolve it. All I've confirmed is that certificate verification fails, but I don't know why.


Hi,
my 10 cents:

  1. Self signed cert @ SG?
    For me it looks as if the certificate that you decoded is a self-signed one (issued to == issued by), isn't it?
    Is the one you can get from protonmail self signed, too?
    If not: Maybe that is a crucial difference.
  2. Old platform with insufficient (outdated) cipher suites @ SG?
    Maybe there are no suitable cipher suites on the spamgourmet platform anymore (but there are on the protonmail servers' platform) that match the few your machine provides for swaks (OpenSSL?).
    As I remember, old (insecure) cipher suites are removed from software, programming languages etc. from time to time, and new ones get implemented. But if client and server don't have cipher suites in common they can't establish any TLS connection.
    That could be the case if the spamgourmet platform is too old -- if so, it could be the reason for the rumor that the spamgourmet platform is in need of an update, not the certificate(s).

Best regards
Hilde
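
Added here as an illustration, not code from the thread or from Spamgourmet: a minimal DER walker that pulls serial, issuer, subject and validity dates out of the certificate Clewby captured with swaks above, so the two questions raised in these posts (is it expired? is it self-signed?) can be answered from the certificate alone, without OpenSSL. The PEM is copied from the swaks output; the OID table, function names and the `valid_at` helper are my own.

```python
import base64
from datetime import datetime, timezone
PEM = """-----BEGIN CERTIFICATE-----
MIIDJDCCAo2gAwIBAgIJAJLaN4eoiB1hMA0GCSqGSIb3DQEBBQUAMIGqMQswCQYD
VQQGEwJVUzEOMAwGA1UECAwFVGV4YXMxEDAOBgNVBAcMB0hvdXN0b24xFDASBgNV
BAoMC3NwYW1nb3VybWV0MRQwEgYDVQQLDAtzcGFtZ291cm1ldDEhMB8GA1UEAwwY
Z291cm1ldDcuc3BhbWdvdXJtZXQuY29tMSowKAYJKoZIhvcNAQkBFhtjZXJ0LnNn
aW5mb0BzcGFtZ291cm1ldC5jb20wHhcNMTQwNDA5MTUwNDQ5WhcNMzgxMTI5MTUw
NDQ5WjCBqjELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVRleGFzMRAwDgYDVQQHDAdI
b3VzdG9uMRQwEgYDVQQKDAtzcGFtZ291cm1ldDEUMBIGA1UECwwLc3BhbWdvdXJt
ZXQxITAfBgNVBAMMGGdvdXJtZXQ3LnNwYW1nb3VybWV0LmNvbTEqMCgGCSqGSIb3
DQEJARYbY2VydC5zZ2luZm9Ac3BhbWdvdXJtZXQuY29tMIGfMA0GCSqGSIb3DQEB
AQUAA4GNADCBiQKBgQCdpRITrdsRyok6lVY7q9SQH7sLhJrS6vvLp2+Hg/y5qGfp
3QRtWw3zaxPyTKwXcXy2JQ5r0e8OES2yJpkbCAN6CZYjgWplM3K6TuRqOZJzsDEr
Yz0gRrgFa63g6D0sfvVynIiCzQw2Cnt7zX9Xjt5FYb5QPcQp4kN+OXWBdz+IxQID
AQABo1AwTjAdBgNVHQ4EFgQU0bozVaLFn2o7ISnxLfQrjz/itLcwHwYDVR0jBBgw
FoAU0bozVaLFn2o7ISnxLfQrjz/itLcwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0B
AQUFAAOBgQCJnj6V7JkZ3Gd5EtNJ5ahzayXxu63g9pw8+ZaGoLlY7CkDX/OVxJGT
HOQ6/0i2QNKy1JWhKOzwpMtIJclBnxfNrWURAKWBrClg1EF6DrNS8NC7hL6kXKYl
6k7hl3/AR8ZC9WLK8RTdNcKSy2K5HOHYOnX+WToNPs3MMYNvrFp4nw==
-----END CERTIFICATE-----"""  # the certificate gourmet7 presented in the swaks run above (copied from the post)
OIDS = {b"\x55\x04\x06": "C", b"\x55\x04\x08": "ST", b"\x55\x04\x07": "L", b"\x55\x04\x0a": "O",
        b"\x55\x04\x0b": "OU", b"\x55\x04\x03": "CN", b"\x2a\x86\x48\x86\xf7\x0d\x01\x09\x01": "emailAddress"}

def tlv(buf, pos):  # decode one DER tag-length-value at pos -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def children(value):  # members of a constructed value (SEQUENCE/SET) as (tag, value) pairs
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out
def name_to_str(name):  # X.501 Name = SEQUENCE OF SET OF {OID, value}; rendered OpenSSL-style
    atvs = [children(atv) for _, rdn in children(name) for _, atv in children(rdn)]
    return ", ".join(f"{OIDS.get(oid, oid.hex())}={val.decode('utf-8', 'replace')}"
                     for (_, oid), (_, val) in atvs)
def asn1_time(tag, val):  # UTCTime (tag 0x17, two-digit year) or GeneralizedTime (tag 0x18)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)
def parse_cert(pem):
    der = base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))
    f = children(children(tlv(der, 0)[1])[0][1])  # Certificate -> tbsCertificate -> its fields
    i = 1 if f[0][0] == 0xA0 else 0  # skip the explicit [0] version field when present
    nb, na = (asn1_time(t, v) for t, v in children(f[i + 3][1]))  # validity SEQUENCE
    return {"serial": f[i][1].hex(), "issuer": name_to_str(f[i + 2][1]),
            "subject": name_to_str(f[i + 4][1]), "not_before": nb, "not_after": na,
            "self_signed": f[i + 2][1] == f[i + 4][1]}  # identical DNs: it chains to no public root
def valid_at(info, when):  # date validity only; a self-signed cert still fails --tls-verify
    when = datetime.fromisoformat(when) if isinstance(when, str) else when
    return info["not_before"] <= when <= info["not_after"]
```

The output matches the decoded values in the post (serial, 2014 to 2038 validity, issuer equal to subject). A certificate can be well inside its validity period and still fail `--tls-verify`, because a self-signed certificate chains to no root the client trusts; whether a given receiving provider insists on a verifiable chain is a separate question that the thread does not settle.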

Re: 0sg.net bouncing for bad reverse lookups?

Postby Clewby » Tue Feb 14, 2023 2:40 pm

@hilde4705

Yes, the certificate looks to be self-signed. In principle, I don't see that as a problem, as I doubt multiple independent providers would simultaneously decide to stop accepting self-signed certificates, if that's what they were doing in the past.

As for whether there are no common cipher suites as a result of Spamgourmet running old software: it's a possibility, but again I doubt multiple independent providers would simultaneously have problems with finding a common cipher suite. I'd hope that would show up in the Spamgourmet logs, too.

To me, it looks more like a configuration issue, and I'm slightly surprised it is not showing as a relatively simple certificate expiry.

I have moved my protected address to an email provider that still currently accepts mail from Spamgourmet.

And yes, I'm using an old SSL (version 1.1.1). I'm planning on an upgrade Real Soon Now (openssl.org says "Version 1.1.1 will be supported until 2023-09-11 (LTS)").

Clewby

Re: 0sg.net bouncing for bad reverse lookups?

Postby Bulli » Tue Feb 14, 2023 4:16 pm

I have another provider where incoming mail from Spamgourmet is successfully delivered to the user's mailbox:

Vodafone.de

Re: 0sg.net bouncing for bad reverse lookups?

Postby hilde4705 » Thu Feb 16, 2023 8:49 pm

Clewby wrote:Yes, the certificate looks to be self-signed. In principle, I don't see that as a problem, as I doubt multiple independent providers would simultaneously decide to stop accepting self-signed certificates, if that's what they were doing in the past.

As for whether there are no common cipher suites as a result of Spamgourmet running old software: it's a possibility, but again I doubt multiple independent providers would simultaneously have problems with finding a common cipher suite. I'd hope that would show up in the Spamgourmet logs, too.
...


Hi Clewby,

my 10 cents for you were not meant to explain where the problems between SG and other providers that are discussed in this thread may come from.
Instead, I tried to explain where the problems/differences could come from that you discovered using your swaks against protonmail and SG.
As you wrote, your OpenSSL is still supported. But maybe SG's isn't, and protonmail's is up to date?

Best regards
Hilde

Re: 0sg.net bouncing for bad reverse lookups?

Postby mysticturner » Sat Feb 25, 2023 12:38 am

It looks like it might be starting again. I'm getting emails that indicate TLS is unavailable so the server (the one trying to send to SG) will keep retrying.

Re: 0sg.net bouncing for bad reverse lookups?

Postby leishirsute » Sun Feb 26, 2023 9:16 pm

Likewise. I am getting a similar error. Emails stopped forwarding from my gmail address to SG around 2/24.

From Google:
Mail Delivery Subsystem <mailer-daemon@googlemail.com>
to xxxxxxxxxxx+caf_=xxxxxxxxxxxxxxx=spamgourmet.com

Delivery incomplete
There was a temporary problem delivering your message to xxxxxxxxxxxxxxxxx@spamgourmet.com. Gmail will retry for 44 more hours. You'll be notified if the delivery fails permanently.
The response from the remote server was:

454 TLS currently unavailable

Everything forwarded from my gmail address to SG is bouncing as of 2/24 with a similar error to the one above.

Any suggestions?

Re: 0sg.net bouncing for bad reverse lookups?

Postby lwc » Wed Mar 01, 2023 7:36 am


Re: 0sg.net bouncing for bad reverse lookups?

Postby lwc » Thu Jun 22, 2023 7:12 am

lwc wrote:Confirmed too, thanks! But what about all the old messages? Are they gone for good?

One company that stopped sending to me because of it told me it's because of the red parts in https://intodns.com/neverbox.com#:~:tex ... y%20parent

Re: 0sg.net bouncing for bad reverse lookups?

Postby notmysgusername1 » Sat Jul 08, 2023 7:26 pm

It seems like there's no status update.

Where does the error occur with DANE? Is there something that the receiver can do to fix the issue? Is there a requirement on the receiver's side that isn't met by SG?

Or is SG seeing something it doesn't like and dropping the connection?

Assuming SG can't fix the problems on its end, what would a receiver have to do to allow e-mail through?
