Skip to Content.
Sympa Menu

cat-users - Re: [[cat-users]] "The invitation email could not be sent!"

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

List archive

Re: [[cat-users]] "The invitation email could not be sent!"


Chronological Thread 
    < Chronological >      < Thread >
  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: anderson.almeida AT rnp.br
  • Cc: Divisão de Rede/DTI/UFTM <rede.dti AT uftm.edu.br>, Humberto Parreira <humberto.parreira AT uftm.edu.br>, cat-users AT lists.geant.org, Jihann Resende Marques Fernandes <jihann.fernandes AT uftm.edu.br>, "fabio.roncolato" <fabio.roncolato AT uftm.edu.br>, Jorge Luís <jorge.luis.reis AT uftm.edu.br>
  • Subject: Re: [[cat-users]] "The invitation email could not be sent!"
  • Date: Fri, 9 Nov 2018 12:28:28 +0100
  • Autocrypt: addr=stefan.winter AT restena.lu; prefer-encrypt=mutual; keydata= xsFNBFIplEwBEADTSz+DS8nio+RSvfSLLfaOnCGi1nqpn8Pb1laVUyEvnAAzZ5jemiS88Gxf iDH6hUGlWzcaW0hCfUHGiohr485adbjxRksPngWgAt/1bRxpifsW3zObFjgog01WWQV5Sihl wc4zr8zvYbFA5BJZ6YdkR9C5J015riv5OS30WTjA65SSXgYrb7zJWPwmegTFwE093uBFvC39 waz3xYpVu5j87nO6w2MVQt/8sY2/2BFPEq+xfOajl18UEwc7w8SCgnZdlVNcmEK4UBvJuwS/ 1lsR2JeQa8Gu1EDxC7PRgMgNXsDSWnnBe9aVmfG54+6ILe1QH2dwk9sPBQT5w2+vjijrb3Dv 9ur+1kN+TNU2XE436jVpnnY/3OsLdix30STQn4Q/XOm7YoVMeDwwviefilRxzK0dXA+wKj92 T68Od82CFxuZqPAgBCVmWfQM91iK9piqFK+QP+R3vF6+NGDBdwbe68iVKs0v5L8XmbxBQndj pmo+lo2asmBR2TAIfZHaKdgtBw13u3GPVVKlg/Mpko8ki9JOSem2aFyi3kQEVKptWgXT3POl 97DWJzsR5VyKz6GOx9kJAEISRyLZwm0wqh8+9LCza5oeIKW381lzq1b9x30vOh8CBSQQJ+cG 9ko0yPHAj7Suw2TmPXx1qMctmE6Ahq82ZW30SljdZby8WQuR2wARAQABzTxTdGVmYW4gV2lu dGVyIChSRVNURU5BIGtleSAyMDEzKykgPHN0ZWZhbi53aW50ZXJAcmVzdGVuYS5sdT7CwXkE EwECACMFAlIplEwCGwMHCwkIBwMCAQYVCAIJCgsEFgIDAQIeAQIXgAAKCRDA3mo1ijncZj7/ D/99hVS+mJr8dSPCaDaUFFxBiT2eI1LoR8VKEerTCRw5BsdL6pN2eRJZ9NmsqWo1ynWVHEzO 91bNZ+oZGgyoNohcBAI7p+r0qUTzkyqwdZO4kMm0pqKoM9xkP3tf2mjGujKjOz4Y7S7wnz2Z FokeUsecoRVJF/++/qHnmeWLn44J1HUKLHYCjMu+QXGOgGXgz024jQ5eUrnPwzNp0Z90AFVH lWC+bymty/ToIUUCQqS5Ff0jzdWLd8U695OG9iGvjBQT1LdEjsfbAwuKV5UcnpxNqUpUwKa5 9hdX5/2cMZP07FI1UXwnBlxa8rJfdb13FLjSKX4vUUHedYUZMjMPgcwl1a+zGE22lHiSQWgP 8QLA/W3BLsi22ERCEPZBfexOeOtaWIItDIz18fIaQoMDoRPshzar0JI2CzLYsyeKySAtYJEH FVoLmMvhkwzBmgqA/BEswUA67CfCr1jFHRXdpmWM7YkyAmMa9q6LwquWKS5+MXlUXe/3oZUc gpw/T9Uuy3Jo3RdS7B3jFcWaVr6KsO/A9u1gr/aYn5M+iJTQSj4vzqtkQaJTpSspRZoKa66H Zt3IwSYiDiYZqtM83ynuj9kjnZzGfnuTaNIi996q6Mptr33mOzIE1wmMqnJYwTr3EcNtf483 q/qrJwh5ES8Q9xY7aat/ZcSl8fKubW4TlfVr8c7BTQRSKZRMARAAvBPpn7FQq7LQ5glohtbL 6XIEo1U4X67S0TzUYieENSWSVYuWYIhCBldmWdmH8Bpj/qHeqdon7v+SLtR4WngzMR9toupK cFfHnbP9kpazTSB2ySHxXWGX1gJOpPXdCcg9iveKBHEsDn00ThTcPsvtXpnnzET16pXIvOXO 0bxTmVZ4INIF1SWgvYma/g8kBbgXLpkj8tOywBqFiiYPEZlDeCxDHiMgUDh6olda9K/0TZFT dMPUgjKuubfAeaDNCOrVt4RjmFOaRLikcZocmgJhm3z/j25x7/mnNu+0di1H/S67YGQJ+pqC FInzIXDx7aRW2+JCiqsY2X3xOPWZZzjyis5SNnfOcPH3gt2hYz1fy+thsBGf4NgCN01JRqIJ 2/MOQCgUdwh+9l8xqaJvCkUHM4hVh4W62MAe1u7UEqQbvvNEqxM5034vcvlE+/LRkrDCspw+ 2YJ9QyroLerVRwW5DVleP8Ifi8VB3yD80nqXYs9aqRy0BkDNIQ43ERhESMt8dJqrNkxgC6pe mZrhNwyDh+hy2kPNGQh/iBpdKuH1o3E24TIZoV2v3YHvzob7aAYHddE/PofAXhJW7I9mAs+H dWDmnI8ckuPDFpFH+Y/BFGvEXgcnJAJ1wEvf+4LuiIi0MHjR4EWFn9vvoFDAIqD10h3FSd3D 59HGtdSsNn4XaCsAEQEAAcLBXwQYAQIACQUCUimUTAIbDAAKCRDA3mo1ijncZhBtEACL036d djc5pFoYIdoUY1vT8SMXJNquewCnL1quDADzqDZFU5GNlQEy10krSfBwlTb9ahTtE0JFrOdZ wUZtoa1Pgfr8nU6KOgrXPHbNjS/9dyc5CwGVVIpOavIm2CsMVDJ9LCF/NT+u/t1k6eGfHhPV l3dUQyDa/lzc1chKUIVQYQkFmr0A/iXP+29lFCaI+IeyU0bSdZhezDwUROn5vEx+fiPZyHDS hCb+BxJv/o2LQp9JHenCiSbO+ioRZdxgbWfoKBuXOfmSStqMWXas/gZ5vS3xq72LNtKPRxgp jX3P8Zml1XDqpcBau7eK75VKE0Yd06YxnUIsbcEzInUc3uzW/u0DFpXYkMJb0XIvJyUt5yYP KfV13N8kSkPi5pLxm8yuftXMzfgeFMR7nafY3glTVj/TxElzg6xeZNqfC2ZjIbBtZg9ylHU8 u8wwB+dX282crs0R3N9A064C71/cXlBqcjzjlKH2NUIWGxr+od3TXFIFjszSU3NgMPKrWNhF LLwS81MpbkOe73s6aDhS8RDyNucoxtKXriLR+4Xiu4+pyj5ukYP1JqpB3ZobY/XZgCnJMye+ 7xeTpIDJ1LPORxM3NNAElyb26lxAK2P+km+EpI0Zzz6rNSCfg5jYQ474+e/GBgaSG4MlaPoZ +XAfN46u1Xjjv1/AkkA4IA6m5zP5og==
  • Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
Hello Anderson,

CAT's inability to send mail to your institution is not due to a bug in
the system but to the lack of standards compliance on the receiving side.

I'm afraid there is nothing we can do to fix that situation.

Greetings,

Stefan Winter

> Good Morning, Recommendations are not laws. The management that we adopt
> works and meets the requirements and current security policies. Verify
> that what you need is in compliance and proceed with our request. Att
>
>
>
> ___________________________________
> Jihann Resende Marques Fernandes
> Diretor da Divisão de Rede, Portaria: 337
> DOU: 108, quarta-feira, 8 de junho de 2016
> Universidade Federal do Triangulo Mineiro
> Departamento: Tecnologia da Informação
> Rua do Carmo, 143 - Bairro Abadia
> CEP: 38025-000 - Uberaba-MG
> 34 3700 6432
>
>
> Em sex, 9 de nov de 2018 às 05:04, Stefan Winter
> <stefan.winter AT restena.lu <mailto:stefan.winter AT restena.lu>> escreveu:
>
> Hello,
>
> > Good Morning, Connections on TCP / 25 port are allowed, but the
> > recommendations are the use of TCP / 587 TLS.
>
> I don't know who gave you that recommendation, but it is wrong. There is
> a difference between mail submission and mail transfer. Transfer has
> always been and is exclusively and legitimately on TCP/25. And transfer
> is what MX servers do.
>
> Read the introduction of RFC 2476 for a rationale and discussion. Or ask
> any savvy email domain administrator in your vicinity.
>
> > Our perimeter firewall is
> > implemented GeoIP control of connections from China, Russia, India and
> > United Arab Emirates, as recommended by the manufacturer of the
> > SonicWall firewall. Please report domains or LANs to add firewall
> rules
> > to ignore GeoIP. graciously
>
> Our servers are not located in any of those countries. It is also a
> terrible idea to block whole countries. You are saying there will never
> be any legitimate email coming from those countries and the people there
> are all spammers.
>
> Frankly, this is a filtering strategy from the last century.
>
> And then it doesn't even work. If the CAT invitation mails are blocked
> by your GeoIP, then that filter is apparently blocking mails from The
> Netherlands in Europe. We might decide to switch our sending server to
> the UK or Croatia in the future, also in Europe. If blocking countries
> from Europe is not what you configured, complain to the filter vendor.
>
> I will not entertain things like subnet whitelisting for you. You really
> need to learn how to operate a MX server in a contemporary way.
>
> Greetings,
>
> Stefan Winter
>
> >
> > ___________________________________
> > Jihann Resende Marques Fernandes
> > Diretor da Divisão de Rede, Portaria: 337
> > DOU: 108, quarta-feira, 8 de junho de 2016
> > Universidade Federal do Triangulo Mineiro
> > Departamento: Tecnologia da Informação
> > Rua do Carmo, 143 - Bairro Abadia
> > CEP: 38025-000 - Uberaba-MG
> > 34 3700 6432
> >
> >
> > Em ter, 30 de out de 2018 às 11:18, Stefan Winter
> > <stefan.winter AT restena.lu <mailto:stefan.winter AT restena.lu>
> <mailto:stefan.winter AT restena.lu <mailto:stefan.winter AT restena.lu>>>
> escreveu:
> >
> >     Hello,
> >
> >     > we are using the security connection in the number  port 587
> with the
> >     > TLS protocol in our server (mail.uftm.edu.br
> <http://mail.uftm.edu.br>
> >     <http://mail.uftm.edu.br>) because it's one the best
> >     > practics of security in computer networking.
> >
> >     As stated, that is incorrect.
> >
> >     Submission (TCP/587) is the best practice for connections from
> a MUA to
> >     an MTA (in other words, for mails sent from a end user
> computer/device
> >     to a server which is willing to send my mail onwards across
> the planet).
> >
> >     MTA to MTA connections continue to run on SMTP (TCP/25). This is a
> >     worldwide standard and hasn't changed since the early days of the
> >     internet.
> >
> >     An MX record in DNS indicates that you run a MTA which is
> willing to
> >     receive mails as sent from other MTAs on behalf of their
> users. This has
> >     to happen on port 25.
> >
> >     As of recent, these connections have a best practice of doing
> STARTTLS
> >     on port 25 (opportunistic hop-by-hop encrpytion). That's
> something we
> >     test for in CAT and warn the end user that the mail is not
> encrypted if
> >     STARTTLS is not supported.
> >
> >     If you care about receiving mail for your users from arbitrary
> third
> >     parties, please do set up an MTA that is capable of receiving
> mails on
> >     TCP/25.
> >
> >     This is becoming an off-topic discussion for this list. Please
> do not
> >     continue this thread here.
> >
> >     > Too, we aren't using protocol IPV6 ( AAAA) in our enviroment.
> >
> >     That's what I saw and it's not the root cause of the "mail
> could not be
> >     sent" error.
> >
> >     > Please, use the informations mencioned for new tests.
> >
> >     There is nothing to test. Your mail server is not or only
> sporadically
> >     listening on port TCP/25. You need to change that.
> >
> >     For reference, I dug out our mail server logs from the
> original off-list
> >     mail I sent to you, and the one from this morning when I wrote
> the mail
> >     to the list with you in cc:
> >
> >     Oct 26 13:42:44 smtprelay postfix/smtp[11026]: Untrusted TLS
> connection
> >     established to mail.uftm.edu.br <http://mail.uftm.edu.br>
> >     <http://mail.uftm.edu.br>[200.131.62.18]:25: TLSv1.2 with cipher
> >     DHE-RSA-AES256-GCM-SHA384 (256/256 bits)
> >     Oct 26 13:42:47 smtprelay postfix/smtp[11026]: BAED640BFF:
> >     to=<humberto.parreira AT uftm.edu.br
> <mailto:humberto.parreira AT uftm.edu.br>
> >     <mailto:humberto.parreira AT uftm.edu.br
> <mailto:humberto.parreira AT uftm.edu.br>>>,
> >     relay=mail.uftm.edu.br <http://mail.uftm.edu.br>
> <http://mail.uftm.edu.br>[200.131.62.18]:25,
> >     delay=5.8,
> >     delays=0.03/0/3.4/2.4, dsn=2.0.0, status=sent (250 Ok.
> >     000000005BD2FDB6.00001BF7)
> >
> >     As you can see, your server *was* listening on port 25 as it
> should, and
> >     the mail got through.
> >
> >     888FC40D76    14692 Tue Oct 30 09:42:01 
> stefan.winter AT restena.lu <mailto:stefan.winter AT restena.lu>
> >     <mailto:stefan.winter AT restena.lu
> <mailto:stefan.winter AT restena.lu>>
> >              (connect to mail.uftm.edu.br <http://mail.uftm.edu.br>
> >     <http://mail.uftm.edu.br>[200.131.62.18]:25: Connection
> >     timed out)
> >
> >     And this time it was not.
> >
> >     Greetings,
> >
> >     Stefan Winter
> >
> >     --
> >     Stefan WINTER
> >     Ingenieur de Recherche
> >     Fondation RESTENA - Réseau Téléinformatique de l'Education
> Nationale et
> >     de la Recherche
> >     2, avenue de l'Université
> >     L-4365 Esch-sur-Alzette
> >
> >     Tel: +352 424409 1
> >     Fax: +352 422473
> >
> >     PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
> >     recipient's key is known to me
> >
> >   
>  http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
> >
>
>
> --
> Stefan WINTER
> Ingenieur de Recherche
> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
> de la Recherche
> 2, avenue de l'Université
> L-4365 Esch-sur-Alzette
>
> Tel: +352 424409 1
> Fax: +352 422473
>
> PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
> recipient's key is known to me
>
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
>


--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Attachment: 0xC0DE6A358A39DC66.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature


Archive powered by MHonArc 2.6.19.

Top of Page