Moving off self hosted email
Sat Feb 26 2022
I moved from self hosted email to fastmail because of uceprotect, a scammy real time black hole service that hotmail and others use.
--------------------------------------------------------------------------------
Moving off self hosted email
============================
Published Feb 26, 2022 - 6 min read

/[cendyne: talk-w-bubble]------------------------------------------------------\
| Since March 4th, 2021, I have hosted my own email for this domain. I could   |
| definitely receive and I could send to most of my friends.                   |
\------------------------------------------------------------------------------/

/[cendyne: reading]------------------------------------------------------------\
| Then May 8th, 2021, I wanted to do something neat I read about online for    |
| fun:                                                                         |
|                                                                              |
| * RFC6698 [L1] (DANE)                                                        |
| * RFC7672 [L2] (DANE for SMTP which is like RFC6797 [L3] (HSTS))             |
| * RFC8461 [L4] (MTA-STS)                                                     |
\------------------------------------------------------------------------------/

[I1: CheckTLS]

/[cendyne: checkmark]----------------------------------------------------------\
| And I was successful! Green checks across the board on CheckTLS [L5]. I      |
| managed to use each standard effectively, I was in complete control of my    |
| server with reverse PTR records [L6] and everything! I didn't know these     |
| record types existed until I went through all this.                          |
\------------------------------------------------------------------------------/

/[cendyne: excited]------------------------------------------------------------\
| Next I automated checks for my DANE TLS records [L7], this helped me stay on |
| top of my ACME TLS integration with Let's Encrypt. It's put together with a  |
| cron job and a shell script which uses curl, jq, and openssl to update and   |
| verify DNS records in Cloudflare.                                            |
\------------------------------------------------------------------------------/

/[cendyne: math]---------------------------------------------------------------\
| I was proud that I could technically achieve something cool (to me) and have |
| it externally verified, while being so low resource (literally bash scripts  |
| and utility calls) it could run on a server with less than 64 MB of free     |
| memory. I literally pay $1 a month for it so it does not have much memory.   |
\------------------------------------------------------------------------------/

/[cendyne: big-a]--------------------------------------------------------------\
| Then I tried to test my email setup with a few friends. For one of them I    |
| got back a rejection response, it mentioned:                                 |
| > host mx.zoho.com[204.141.43.44] said: 541 5.7.1 Mail rejected due to       |
| > antispam policy                                                            |
|                                                                              |
| After digging into it among the many seemingly free email validation         |
| services, I see a few problems.                                              |
\------------------------------------------------------------------------------/

[I2: Problems Detected]

/[cendyne: frustrated2]--------------------------------------------------------\
| Oh right DMARC [L8] RFC7468 [L9]. I've dealt with this at work a few times,  |
| as well as SPF [L10] RFC7208 [L11]. Not too hard... So I fix those and wait  |
| a few days.                                                                  |
\------------------------------------------------------------------------------/

/[cendyne: frustration]--------------------------------------------------------\
| But the problem persists. It comes and goes too! I do literally everything   |
| right to the spec on inbound and outbound. One problem mentioned that my IP  |
| address was blocked by UCEPROTECTL3. So I look at this UCEPROTECT [L12]      |
| thing, and it's some website that's not even secured with HTTPS!             |
\------------------------------------------------------------------------------/

[I3: UCEPROTECT Website]

/[cendyne: laptop]-------------------------------------------------------------\
| What is this thing? They do some sort of black hole listing that lasts for 7 |
| days per violation. I look through it and there's something about paying for |
| removal? It is about $100. But that's only for Level 1, I was on the level   |
| 3, what's up with that?                                                      |
\------------------------------------------------------------------------------/

[I4: UCEPROTECT Extortion]

/[cendyne: f-off]--------------------------------------------------------------\
| UCEPROTECT Level 3 blocks ASNs [L13] which you can think of as a group of IP |
| ranges operated by an ISP. They want the ISP to take down misbehaving /      |
| spamming actors on their network. One could theoretically pay them to remove |
| an ASN block for.. $485. But once a single IP address spams again, they'll   |
| add it back to their block list and keep the money.                          |
\------------------------------------------------------------------------------/

[I5: UCEPROTECT Extortion]

/[cendyne: table-flip]---------------------------------------------------------\
| I have zero spam history attributed to my server. And yet I can't send a     |
| reply to someone who I paid for a custom pattern of my character?            |
| > hotmail-com.olc.protection.outlook.com[104.47.74.33] said: 550 5.7.1       |
| > Unfortunately, messages from [...] weren't sent. Please contact your       |
| > Internet service provider since part of their network is on our block list |
| > (S3140).                                                                   |
|                                                                              |
| This sucks.                                                                  |
\------------------------------------------------------------------------------/

[I6: UCEPROTECT is a scam]

Archived Tweet [L14]

[I7: UCEPROTECT is an extortion racket]

/[cendyne: dread]--------------------------------------------------------------\
| The price has increased threefold since I first looked at their prices last  |
| year. The pandemic hits spam grifters hard too, huh?                         |
\------------------------------------------------------------------------------/

--------------------------------------------------------------------------------

/[cendyne: guess-i-will-die]---------------------------------------------------\
| I have to depend on yet another service because of spammers and Scammy Real  |
| Time Black Holes [L15].                                                      |
\------------------------------------------------------------------------------/

[I8: CheckTLS with fastmail]

/[cendyne: crossmark]----------------------------------------------------------\
| My email is now serviced with fastmail. But it wasn't smooth either.         |
\------------------------------------------------------------------------------/

[I9: Google checks MTA-STS]

/[cendyne: disappointed]-------------------------------------------------------\
| Fastmail did not detect that I had to migrate my MTA-STS settings [L16].     |
| Which of course led to Google refusing to send outbound from google to       |
| fastmail. I had the TTL set to 1 day, so switching that was a bother.        |
\------------------------------------------------------------------------------/

[I10: Facebook can send and receive]

/[cendyne: gendo]--------------------------------------------------------------\
| Everything seems settled now with Fastmail. I can communicate with people at |
| orgs that should have competent email filtering without issue. So I'll leave |
| it at that.                                                                  |
\------------------------------------------------------------------------------/

--------------------------------------------------------------------------------

[L1]: https://tools.ietf.org/html/rfc6698
[L2]: https://tools.ietf.org/html/rfc7672
[L3]: https://tools.ietf.org/html/rfc6797
[L4]: https://tools.ietf.org/html/rfc8461
[L5]: https://www.checktls.com/TestReceiver
[L6]: https://www.cloudflare.com/learning/dns/dns-records/dns-ptr-record/
[L7]: /posts/2021-08-14-dane-monitoring.html
[L8]: https://dmarc.org/overview/
[L9]: https://tools.ietf.org/html/rfc7468
[L10]: https://en.wikipedia.org/wiki/Sender_Policy_Framework
[L11]: https://tools.ietf.org/html/rfc7208
[L12]: https://archive.ph/ElcBn
[L13]: https://en.wikipedia.org/wiki/Autonomous_system_(Internet)
[L14]: https://archive.ph/QIEV4
[L15]: https://blog.sucuri.net/2021/02/uceprotect-when-rbls-go-bad.html
[L16]: https://mta-sts.cendyne.dev/.well-known/mta-sts.txt

[I1]: https://c.cdyn.dev/93GMQiaZ
[I2]: https://c.cdyn.dev/V7jCeWWi
[I3]: https://c.cdyn.dev/XseiY2nD
[I4]: https://c.cdyn.dev/PM1MBOJb
[I5]: https://c.cdyn.dev/2k8usTW7
[I7]: https://c.cdyn.dev/g7KLqSVv
[I8]: https://c.cdyn.dev/AjVV5-YH
[I9]: https://c.cdyn.dev/VysXBeSw
[I10]: https://c.cdyn.dev/WI26ABL9
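
The MTA-STS problem described in the migration above (a published policy that no longer matches the domain's MX hosts) can be checked before senders start refusing delivery. This is an added example, not code from the original post: it parses an RFC 8461 policy and tests each MX host against its mx patterns. The hostnames and both policies are constructed sample data.

```python
# Added example: does an MTA-STS policy (RFC 8461) still permit the domain's MX hosts?
# All hostnames and both policies below are constructed sample data.

def parse_policy(text):
    """Parse the 'key: value' lines of mta-sts.txt; the 'mx' key may repeat."""
    policy = {"mx": []}
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")
        if not sep:
            continue  # blank or malformed line
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower().rstrip("."))
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("version must be STSv1")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("mode must be enforce, testing or none")
    policy["max_age"] = int(policy.get("max_age", ""))  # ValueError if missing
    return policy

def mx_matches(pattern, host):
    """A leading '*.' in a pattern stands for exactly one left-most label."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.partition(".")[2] == pattern[2:]
    return host == pattern

def audit(policy_text, mx_hosts):
    """Report MX hosts the policy rejects and whether compliant senders stop delivering."""
    policy = parse_policy(policy_text)
    rejected = [h for h in mx_hosts
                if not any(mx_matches(p, h) for p in policy["mx"])]
    return {
        "mode": policy["mode"],
        "rejected": rejected,
        # In enforce mode a sender skips non-matching MX hosts; none left means no delivery.
        "delivery_blocked": policy["mode"] == "enforce" and len(rejected) == len(mx_hosts),
        # Senders may keep using a cached copy of the policy for this many seconds.
        "cached_up_to_s": policy["max_age"],
    }

# Constructed: policy left over from a self-hosted server, and the new provider's MX hosts.
OLD_POLICY = "version: STSv1\nmode: enforce\nmx: mail.example.org\nmax_age: 86400\n"
NEW_POLICY = OLD_POLICY.replace("mx: mail.example.org", "mx: *.provider.example")
NEW_MX = ["in1.provider.example", "in2.provider.example"]

if __name__ == "__main__":
    print(audit(OLD_POLICY, NEW_MX))
    print(audit(NEW_POLICY, NEW_MX))
```

After the policy file changes, the id in the _mta-sts TXT record has to change as well; otherwise senders may keep using their cached copy until max_age runs out.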