Let’s Encrypt revoking some certificates – Check to see if you are impacted

Are you using Let’s Encrypt with MDaemon or SecurityGateway (or anywhere else)? If so, great! But due to a bug re-validating CAA records, Let’s Encrypt will be revoking a subset of otherwise valid certificates. This bug has existed since 2019-07 and therefore could apply to any certificate issued prior to the fix which was applied 2020-02-29.

So what should you do? Well, luckily there is a tool to check your certificate, so you should check to see if your certificate is being revoked and if so, issue a new certificate as quickly as possible.

Modern browsers don’t check certificate revocations immediately or on all requests, so just because your browser works does not mean there is no impact! If your certificate is revoked you may see an impact some time in the next week or so, or you might not see it at all while users of other operation system / browser / client combinations may have a different experience.

Using an external mail filtering service

If you happen to be using an external mail filtering service or appliance, one of the critical setup steps is to ensure that MDaemon is configured to not accept messages that attempt to bypass your mail filtering service as spammers look ways to bypass filtering gateways.

There are multiple ways to accomplish this in MDaemon, but one of the easiest ones is often overlooked: IP Shield. IP Shield is a very simple feature, it provides an administrator a simple way to tell MDaemon to only accept mail from a particular domain if it matches one of the listed IP addresses. Once upon a time, this was used to prevent spammers and others from forging one’s own domain, but there are better ways to accomplish this in MDaemon now, so today, we’ll use IP Shielding in another way: By using wildcards. With a wildcarded sender domain, you can use IP Shield to ensure that MDaemon will only accept mail if it’s from a pre-defined IP address or uses authentication.

      Open the Security menu
      Click on Security Settings
      Under Sender Authentication, open the IP Shield dialog
      Uncheck Do not apply IP Shield to messages sent to valid local users
      Check Do not apply IP Shield to authenticated sessions
      Check Do not apply IP Shield to Trusted IPs
      Check IP Shield honours aliases
      Uncheck Check FROM header against IP Shield
      In the Domain field, enter *
      In the IP field, the IP address of your mail filtering gateway
      Click Add
      Repeat these steps to add any other IPs that should be allowed to send mail without authentication.

Note that you can use wildcards and CIDR notation for IP addresses here.

Since users should be configured to use authentication, this will not impact normal user traffic, but it will block any unauthenticated attempt to send mail unless the IP matches one of the entries.

Phishing targeting domain registrants

We’ve recently become aware of a phishing scheme targeting customers of various registrars. Since this is targeting administrators directly, I felt it was worth of a mention even though it’s not MDaemon specific. This is a little difference from most phishing as it’s targeted to domain owners, and specifically mentions their domain registrar by name.

An example message sent to one of my own addresses is below, noting that I am using “TUCOWS, INC.” as my registrar for the domain in question.

Dear Dave Warren,

The Domain Name HIREAHIT.COM have been suspended for violation of the TUCOWS, INC. Abuse Policy.

Multiple warnings were sent by TUCOWS, INC. Spam and Abuse Department to give you an opportunity to address the complaints we have received.

We did not receive a reply from you to these email warnings so we then attempted to contact you via telephone.

We had no choice but to suspend your domain name when you did not respond to our attempts to contact you.

Click here and download a copy of complaints we have received.

Please contact us for additional information regarding this notification.

Sincerely,

TUCOWS, INC.

Spam and Abuse Department

As with all phishes, you should simply ignore and delete it without any further action (or report it to the sending network, if you have the time and energy to hunt it down)