News items for tag security - Koos van den Hout

2021-11-21 Help in debugging DMARC/SPF/DKIM from xs4all
This morning I had DMARC reports in my mail from xs4all. With all the testing of DMARC, DKIM and SPF I did yesterday I was confused for a while about what caused this, since my domain names shouldn't be linked to xs4all anymore in any way.

First I thought one of the DMARC testing autoresponders I tried was linked to xs4all or maybe somehow my domains still show some link to xs4all, but after a while it dawned on me that all the testing of DKIM was done via a forward that is still active on my now closed xs4all account.

My DMARC record currently says I want reports of problems, so I am getting those. Anyway, I guess it's all working and I'm seeing no new problems.

Oh and outlook[.]com is still rejecting my e-mail so no progress there. But then again Microsoft and not handling Internet e-mail standards correctly was something I ranted about before: 17 and a half years ago. Not a lot of improvement.

2021-11-20 Setting the right SPF records
In debugging mail from the shell server I noticed something in the headers:
Authentication-Results:; spf=none;
        dkim=pass; dmarc=pass
The shell server sees itself as and uses this on locally generated outgoing mail. I only had an SPF record for so setting one up for too can help fix things. I also need a DMARC policy allowing mail from subdomains of, with more specific DMARC policies for active subdomains.

2021-11-20 Publishing the information about using DKIM: dmarc records
After getting DKIM signing running with sendmail and opendkim I generated DKIM keys for, configured them in the mailserver with opendkim and published them in DNS. The next thing to publish is a policy record showing that all outgoing mail for these domains should be signed.

I started with a policy that shows mail should be signed but to not reject it when it isn't, but report it to me as unsigned.
;      IN      TXT

;; ANSWER SECTION: 86400 IN      TXT     "v=DMARC1;p=none;sp=reject;pct=100;rua=mailto:dmarcreports at;"
With a similar policy for. Mail with problems shouldn't be rejected yet: DNS propagation isn't instantaneous and I want to test first.
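As an added example (not code from the original posts), a small Python evaluator for a record of the shape shown above: it parses the DMARC TXT record, applies relaxed SPF/DKIM alignment, and picks p= for the organizational domain or sp= for a subdomain, which illustrates how the shell server's own hostname in the earlier entry could still get dmarc=pass with spf=none as long as the DKIM signature came from the organizational domain. The domain example.org and the two-label organizational-domain rule are assumptions.

```python
# Constructed sample record in the shape of the one above; example.org
# stands in for the real domain, which is not given on this page.
SAMPLE_RECORD = "v=DMARC1;p=none;sp=reject;pct=100;rua=mailto:dmarcreports@example.org;"

def parse_dmarc(txt):
    """Parse a DMARC TXT record into {tag: value}. Returns None when it is
    not a valid record: RFC 7489 requires v=DMARC1 as the first tag and p=."""
    tags = {}
    for field in txt.split(";"):
        field = field.strip()
        if not field:
            continue
        if "=" not in field:
            return None
        key, value = field.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if list(tags)[:1] != ["v"] or tags["v"].upper() != "DMARC1" or "p" not in tags:
        return None
    return tags  # pct= and rua= are kept but not acted on here

def org_domain(domain):
    # Assumption: the last two labels form the organizational domain
    # (real receivers consult the Public Suffix List instead).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode="r"):
    """Relaxed ('r') alignment: same organizational domain; strict ('s'): exact match."""
    if auth_domain is None:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(record, from_domain, spf_domain, spf_result, dkim_domain, dkim_result):
    """'pass' when an aligned SPF or DKIM pass exists; otherwise the policy a
    receiver applies: p= for the organizational domain, sp= for subdomains."""
    tags = parse_dmarc(record)
    if tags is None:
        return "no-policy"
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    is_subdomain = from_domain.lower().rstrip(".") != org_domain(from_domain)
    return tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
```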

2021-11-20 Trying to get DKIM running
My recent issues with getting my e-mail delivered made me look at DKIM signing of outgoing e-mail messages. To not break things I have started testing this with outgoing e-mail from which normally publishes it doesn't send mail at all, so the first steps were to change that policy: changing the MX record and SPF record.

I started reading into configuring sendmail with dkim and found OpenDKIM which can work as a sendmail milter.

Based on How to configure DKIM & SPF & DMARC on Sendmail for multiple domains on CentOS 7 I took the same steps for my Devuan installation.

In Devuan (and probably Debian/Ubuntu) there is an opendkim package for the service and an opendkim-tools package for the associated tools. I needed the second one to get the opendkim-genkey command. I can imagine keys being generated/managed on a different system than the actual signing server.

After configuring this for including generating a keypair and publishing the public key via DNS I started sending test messages but had no luck. It turned out the sending host has to be in the InternalHosts table of opendkim. I added the address ranges and after that things started to work.

After fixing that I got the results I wanted:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;
        s=gosper; t=1637408594;
And a verification:
Authentication-Results:; spf=pass;
I was wondering about roaming users who authenticate to my mailserver and send messages that way. In a first test those messages get signed too. That means I can start signing mail from and other production domain names!

2021-11-19 Attacks on new sites are fast!
I was working on a new site for a project and requested a certificate for it. The time between the certificate being generated and the first attack was 3 minutes and 7 seconds.

15:12:10 UTC: certificate generated and published on the certificate transparency log
15:15:17 UTC: - - [19/Nov/2021:16:15:17 +0100] "GET /restapi.php HTTP/1.1" 404 1008 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0"
15:15:18 UTC: - - [19/Nov/2021:16:15:18 +0100] "POST /gate.php HTTP/1.1" 404 1008 "-" "Dalvik/2.1.0 (Linux; U; Android 6.0.1; SM-J700F Build/MMB29K)"

2021-11-15 Blocking mail I can't answer
Someone mailed me a few days ago with an interesting question. So I typed a reasonably long answer. But upon sending this answer I received the following error message:
   ----- The following addresses had permanent fatal errors -----
    (reason: 550 5.7.1 Unfortunately, messages from [] weren't sent. Please contact your Internet [])

   ----- Transcript of session follows -----
... while talking to
>>> MAIL From:<?????? .at.> SIZE=4837 BODY=8BITMIME
<<< 550 5.7.1 Unfortunately, messages from [] weren't sent. Please contact your Internet service provider since part of their network is on our block list (S3150). You can also refer your provider to []
554 5.0.0 Service unavailable
Trying to get my IPv4 address allowed didn't work. The form for getting IP addresses whitelisted did not allow for IPv6 addresses, but then again has no IPv6 addresses listed for its MX record. I would think Microsoft would do something with IPv6 to support innovations in the Internet, but I guess they only do that to win contracts.

After a while I got a response with a ticket number and an hour later a response that looked like maybe a person had taken a look at it, with "Our investigation has determined that the above IP(s) do not qualify for mitigation." So that leaves me with possible mails from outlook[.]com that I can't answer, making me look bad because I don't seem to reply at all.

I'm convinced the mail setup is correct on my end. The domain has an SPF record and the mail was sent out via the approved route.

The only solution I can think of at the moment is blocking mail from at the protocol level with an error message pointing at a webpage explaining what the problem is, so when someone sends an e-mail from outlook[.]com to one of my domains they will get an error message with an embedded hint what they should do, namely: We cannot reply to your mail, please send us mail from a different domain, see for an explanation. About the same as Microsoft does, although the careful reader might have noticed the error code S3150 is not mentioned at

2021-10-23 Something weird with sendmail and Let's Encrypt
Noticed this in the logs:
Sep 30 14:02:04 wozniak sendmail[25878]: STARTTLS=client,, version=TLSv1.3, verify=OK, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
Sep 30 15:02:04 wozniak sendmail[27149]: STARTTLS=client,, version=TLSv1.3, verify=OK, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
Sep 30 16:02:04 wozniak sendmail[28400]: STARTTLS=client,, version=TLSv1.3, verify=FAIL, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
Sep 30 17:02:04 wozniak sendmail[29654]: STARTTLS=client,, version=TLSv1.3, verify=FAIL, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
This is exactly the expiry of the DST Root CA X3:
koos@wozniak:/usr/share/ca-certificates/mozilla$ openssl x509 -in DST_Root_CA_X3.crt -noout -startdate -enddate
notBefore=Sep 30 21:12:19 2000 GMT
notAfter=Sep 30 14:01:15 2021 GMT
But now to find out where this goes wrong...

2021-10-23 WoningNet fraud again
From the inbox, another 'WoningNet' story; see also Spam/phishing/fraude woningnet. Of course already known at the Fraudehelpdesk: Laatste Herinnering - Fraudehelpdesk.
   You have a registration with WoningNet.
   Your registration expires in 2 weeks.
   We will extend your registration by one year if you pay the renewal fee
   of €8.00
   You can pay via iDEAL.
   Via the link below you will automatically be redirected to our

   If you do not pay within 2 weeks, we will deregister you.
   Your accumulated registration period and any responses will then
The chain of URLs:
  • hxxps://
  • hxxps://
  • hxxps://
  • hxxps://
  • Choose ING → hxxps:// And then a full phishing kit for Mijn ING credentials.
The method is already known (notorious) at the Fraudehelpdesk. Also quickly tested with - and reported to Google Safe Browsing.

And then:
Take a second to rejoice merrily for doing your part in making the web a safer place.

2021-10-18 Securing the home network: a separate DMZ network
I have a lot of control over the software that runs on systems at home but there are limits to what I can fix and sometimes things are insecure.

Things like the recent wordpress brute force attacks show that random 'loud' attackers who don't care about the chance of getting noticed will try. I sometimes do worry about the silent and more targeted attackers.

So recently I updated my home network and I now have a DMZ network. At this moment it is a purely virtual network as it doesn't leave the KVM server. Hosts in the DMZ have a default-deny firewall policy to the other inside networks. Specific services on specific hosts have been enabled.

I first moved the development webserver, which allowed me to tune those firewall rules and fix some other errors.

Now other webservers and other servers offering things to the outside world have moved.

2021-10-13 Wordpress brute force attacks
The wordpress blog software is a popular target for attacks. I normally have fail2ban running with some rules to detect bad things on sites behind haproxy, but due to some other work on the firewall rules I had fail2ban temporarily disabled.

Someone/something at IP address (A Microsoft-managed IPv4 address) noticed this and fired off a brute force script which ended up making 521525 attempts at logging in, none of which worked. It was stopped when I enabled fail2ban again.

The first indication that an interesting amount of activity was going on was that the disk I/O LED of the server was blinking a lot. The second indication was the high amount of traffic seen for that specific backend in haproxy.

Later I also discovered the actual power use of the server was higher.
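As an added example (not the author's fail2ban rules, which are not on this page), a Python sketch of the detection that fail2ban would normally do here: it reads constructed Apache-style access log lines, picks out POSTs to the WordPress login endpoints, and flags any source IP that reaches maxretry attempts inside a findtime window. The log format, the endpoint paths and the TEST-NET addresses are assumptions.

```python
import re
from datetime import datetime

# Constructed Apache combined-format log lines (not from the post); the
# brute-force source uses a TEST-NET address instead of the real one.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Oct/2021:10:00:01 +0200] "POST /wp-login.php HTTP/1.1" 200 2341 "-" "python-requests/2.25.1"
198.51.100.2 - - [13/Oct/2021:10:00:02 +0200] "GET /2021/10/post/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Oct/2021:10:00:03 +0200] "POST /wp-login.php HTTP/1.1" 200 2341 "-" "python-requests/2.25.1"
203.0.113.7 - - [13/Oct/2021:10:00:05 +0200] "POST /wp-login.php HTTP/1.1" 200 2341 "-" "python-requests/2.25.1"
198.51.100.2 - - [13/Oct/2021:10:00:09 +0200] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Oct/2021:10:00:11 +0200] "POST /wp-login.php HTTP/1.1" 200 2341 "-" "python-requests/2.25.1"
203.0.113.7 - - [13/Oct/2021:10:00:14 +0200] "POST /wp-login.php HTTP/1.1" 200 2341 "-" "python-requests/2.25.1"
203.0.113.7 - - [13/Oct/2021:10:00:20 +0200] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.25.1"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")  # assumed login endpoints

def login_attempts(log_text):
    """Yield (ip, unix_time) for every POST to a WordPress login endpoint.
    A 200 on POST /wp-login.php means the form was re-rendered (failed login);
    a real filter could additionally exclude the 302 that follows a success."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, stamp, method, path, _status = m.groups()
        if method == "POST" and path.split("?")[0] in LOGIN_PATHS:
            ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
            yield ip, ts.timestamp()

def brute_forcers(log_text, maxretry=5, findtime=60):
    """Return IPs with >= maxretry login POSTs inside any findtime-second
    window, the same findtime/maxretry semantics fail2ban uses."""
    per_ip = {}
    for ip, t in login_attempts(log_text):
        per_ip.setdefault(ip, []).append(t)
    flagged = []
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > findtime:  # slide the window forward
                start += 1
            if end - start + 1 >= maxretry:
                flagged.append(ip)
                break
    return flagged
```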

My opinions are my own, what I write is protected by copyrights. Some publications contain an explicit license statement which allows sharing without asking permission.