1
94

Edit: Can no longer reproduce with the same setup; the issue seems fixed on Google's side.

TL;DR: See title. How can I tell Google they're probably processing their mail wrong?

After setting up the Matrix Authentication Service (MAS) and exim-relay as mail server, I noticed verification mails sent from the service are often in the spam directory.

When digging deeper, I found out the mails are failing DKIM authentication. This was weird because DKIM is set up correctly, as verified by other mail providers and online DKIM test tools such as DMARC Tester.

Searching online for "gmail fails DKIM authentication, while other providers pass", I found regular reports, posts or similar without resolution, or unrelated resolutions such as DKIM alignment.

Using meld, I compared the original source of mails as received by gmail with those of other providers, and found a difference:

In other providers, the headers for the "From:" and "Reply-To:" fields are presented with double-quotes:

From: "John Smith" <j.smith@example.com>
Reply-To: "John Smith" <j.smith@example.com>

In gmail, where DKIM fails, there are no double-quotes:

From: John Smith <j.smith@example.com>
Reply-To: John Smith <j.smith@example.com>

As these should each be the raw source, I ruled out presentation issues and dug deeper.

I found out that specifically the Rust crate lettre, as used by MAS, encodes names containing whitespace using double-quotes. Further, after researching a bit more and reading RFC 2822 sections 3.2.4 and 3.2.5, I came to the conclusion that whitespace needs no quoting in mail headers.

I created issues upstream and downstream to report the issue at lettre and MAS, particularly that their mails are failing DKIM checks at gmail:

If you've read this far, you probably wonder why I'm posting all of this. For one, to provide another data point for people scratching their heads over mail issues.

But other than that: I'm pretty sure the Google mail servers should not strip the quotes before doing the DKIM check. I assume they have some kind of decode -> process -> encode workflow that then simply encodes the headers again, this time without the quotes. But IMHO a correctly signed message should not lead to an authentication error, even if the contents are not perfectly encoded.

I would be curious to get some feedback from some mail experts on what is happening here. This is not my field of expertise and I'm going by what I've learned over the past 48h.
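The post's point can be checked mechanically: the quoted and unquoted forms of the header name the same mailbox, but DKIM signs the header bytes as canonicalized, and the "relaxed" canonicalization of RFC 6376 section 3.4.2 never removes quotes. The script below is an added example written for this page, not code from the post, from lettre, MAS or Gmail; it reimplements only the relaxed header rules (lowercase name, unfold, collapse whitespace) and hashes the headers the way a signer or verifier feeds them into the signature. The sample headers are constructed from the post's example, and the DKIM-Signature header that RFC 6376 appends last with an empty b= tag is left out for brevity.

```python
import hashlib
import re
from email.utils import parseaddr

# Constructed sample headers, modelled on the post above: the same mailbox,
# once with the display-name quoted (as signed) and once without (as seen
# in the rejected copy).
SIGNED_AS_SENT = [
    'From: "John Smith" <j.smith@example.com>',
    'Reply-To: "John Smith" <j.smith@example.com>',
]
AS_SEEN_UNQUOTED = [
    'From: John Smith <j.smith@example.com>',
    'Reply-To: John Smith <j.smith@example.com>',
]


def split_header(line: str) -> tuple[str, str]:
    """Split a raw header line into (field-name, field-value)."""
    name, sep, value = line.partition(":")
    if not sep:
        raise ValueError(f"not a header line: {line!r}")
    return name, value


def same_mailbox(a: str, b: str) -> bool:
    """True when both header lines parse to the same (display-name, addr-spec).
    This is the RFC 5322 view: quoting a display-name made of plain atoms
    is optional, so both spellings mean the same thing."""
    return parseaddr(split_header(a)[1]) == parseaddr(split_header(b)[1])


def relaxed_header(name: str, value: str) -> str:
    """RFC 6376 section 3.4.2 'relaxed' header canonicalization: lowercase
    the field name, unfold continuation lines, collapse runs of WSP to one
    SP, trim WSP around the value, terminate with CRLF. Quotes inside the
    value are left exactly as they are."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)      # unfold
    value = re.sub(r"[ \t]+", " ", value).strip()   # collapse and trim WSP
    return f"{name.lower()}:{value}\r\n"


def signed_header_digest(lines: list[str]) -> str:
    """SHA-256 over the canonicalized headers in h= order, i.e. the bytes a
    signer hashes and a verifier must reproduce for the signature to pass."""
    h = hashlib.sha256()
    for line in lines:
        name, value = split_header(line)
        h.update(relaxed_header(name, value).encode("utf-8"))
    return h.hexdigest()


def rewrite_breaks_signature(original: list[str], rewritten: list[str]) -> bool:
    """A verifier that re-encodes headers before hashing computes a different
    digest than the signer did, so the signature fails although nothing was
    tampered with in transit."""
    return signed_header_digest(original) != signed_header_digest(rewritten)


if __name__ == "__main__":
    for a, b in zip(SIGNED_AS_SENT, AS_SEEN_UNQUOTED):
        print(f"{split_header(a)[0]}: same mailbox = {same_mailbox(a, b)}")
    print("digest as signed   :", signed_header_digest(SIGNED_AS_SENT))
    print("digest if unquoted :", signed_header_digest(AS_SEEN_UNQUOTED))
    print("rewrite breaks DKIM:", rewrite_breaks_signature(SIGNED_AS_SENT, AS_SEEN_UNQUOTED))
```

The "simple" canonicalization is stricter still (it changes nothing at all), so under either mode the only way a quote-stripping rewrite can pass is if it happens before signing, never between signing and verification. When comparing raw sources from two providers as the post does, this is the check to run: if the addresses parse identically but the canonicalized bytes differ, the receiving side altered a signed header.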

2
11
submitted 4 days ago by fff5ee@feddit.org to c/sysadmin@lemmy.world

Hi everybody, I'm pretty new here and just want to see if switching from the sysadmin subreddit to this place is an option.

I was searching for sysadmin communities in Lemmy and just saw that there are different sysadmin communities on different instances? As far as I understand, this means that the participants got split into different communities?

Since the count of members is already an issue here in my opinion, how could we handle that? Or why do you think different communities are the way to go?

just interested in your opinions

3
7

We're currently using a traditional third-party email gateway for spam/phishing scans etc., and we're using that gateway to redirect a few hundred (don't ask) email addresses to Zendesk and a few other places. Now we're moving to an integrated solution that means having 365 handle incoming emails directly, and we're struggling with the best approach to porting those redirects.

As it stands, with our domains marked as Authoritative, email is bouncing before any mail flow rules are evaluated due to not having existing mailboxes or contacts. I suppose "best practice" is to create contacts or mail users for all of the support addresses we need to use, followed by either mailbox-level forwards or mail flow rules for all of those addresses (or lump them into a group where appropriate). But that way seems like a big pain in the ass to administer.

The other option is to set the domains as Internal Relay, which will allow 365 to skip checking whether an address exists, and then just use mail flow rules to handle the redirections directly, which we can script easily enough. But that way seems unsupported at best, and raises big questions about what happens when someone emails an actual non-existent address.

Googling didn't come up with much in the way of useful documentation so I asked a couple of AIs and they've been similarly inconclusive. Copilot thinks that misdirected email will simply bounce with a "no route found" NDR, and gave me error code 5.4.312 that appears to be made up, while ChatGPT thinks that it'll result in a mail loop and eventual 5.4.6 error, "routing loop detected".

ChatGPT's explanation seems more plausible and its suggestion of using a catch-all rule to either redirect or bounce mis-addressed emails sounds good on the surface, but again, I can't find anything written by actual humans to confirm or deny it.

So I come to you, denizens of sysadmin! Is there any suggested or best practice configuration for the redirection of large amounts of email addresses? Is using Internal Relay on what is actually the final hop a supported configuration? Or is the only supported/sane option to use an Authoritative domain along with the additional overhead of mail contacts?

Hugely appreciate any thoughts!

4
5
submitted 1 week ago* (last edited 1 week ago) by rbos@lemmy.ca to c/sysadmin@lemmy.world

I've been wondering whether it's better for memory pages to be compressed at the hypervisor level, or on the VM level.

I'm leaning toward the VM level, because

1: VMs have better knowledge of memory pressure by the application, and can better decide when to swap pages out to zram. The VM has access to information about memory pages that the hypervisor doesn't have.

2: if pages are compressed on the hypervisor level, the VM doesn't "see" any increased memory available. The host box gains free memory, but the application never sees it to make use of it, it'll just see the same 8GB as it always has, so it never really benefits. This maybe lets you host more VMs on one box, but at the cost of the applications not being as efficient.

Is this a reasonable position? I'm wondering if I'm missing something obvious.

5
13
submitted 2 weeks ago* (last edited 2 weeks ago) by poinck@lemmy.world to c/sysadmin@lemmy.world

I want to make windows clients at my workplace more secure by using software obtained with winget and have it automatically updated on a regular schedule. I have a Linux (Gentoo and Debian) background.

In the majority of cases the users are AD users without Administrator rights, so they cannot do winget upgrade --all in PowerShell. My idea was to create a scheduled task which runs as the SYSTEM user, but unfortunately, a PowerShell spawned that way cannot access winget, reporting that this Cmdlet cannot be found.

I recently saw WAU (Winget-AutoUpdate). I did not try it myself yet. Can it do the job? What are you doing to maintain 50+ Windows clients with users that are not Administrators on their system and lack the knowledge to update software beyond what Windows 11 does for them out of the box?

Interestingly, there does not seem to be anything on Windows that is as easy as cron, systemd timers or unattended-upgrades. And, in most cases, users of Linux clients get sudo rights, because you can expect some basic knowledge about the package manager. On the other hand, it wouldn't strictly be necessary if they are not devs and need only a static set of software. The beauty of having it all in one repo + flatpaks in user space makes it all possible on Linux.

Even with winget, which is a great relief on Windows, btw., OS updates are separate from app updates; basically only "flatpak", but without native auto-updates.

One additional remark: the apps need to be preinstalled before a new AD user logs on, so I have to use --scope machine with winget. Users should not be bothered installing software themselves, not even with winget install --scope machine.

I'd like to read what you are using, and I hope it can be done without spending money on it. An open source solution is preferred.

6
1
submitted 2 weeks ago by sv1sjp@lemmy.world to c/sysadmin@lemmy.world
7
60
8
25

Coming to me in the form of Sonicwall's Cloud Secure Edge (at a monthly, per-user cost), I understand the basics of what they say it's going to do, but I also have been doing this long enough to understand when someone's using a lot of buzzwords and scare tactics to hype a much simpler concept that I feel I am not as much up on. I would welcome any and all comments from those of you with any experience in implementing/utilizing/understanding SSE. Thanks in advance!

9
9

Hi! So I have a backblaze account, and I would like to make a restic backup of my servers, but I'd like to be able to handle the paths, schedules and other options via GUI. What would be a good/easy GUI to set it up?

Thanks!

10
41
Cloudflare goes again (thelemmy.club)
submitted 2 months ago by sirico@feddit.uk to c/sysadmin@lemmy.world

cross-posted from: https://feddit.uk/post/40593125

They state it's scheduled maintenance but the dashboard link leads to a 500 return. https://www.cloudflarestatus.com/

11
24
submitted 2 months ago by comador@lemmy.world to c/sysadmin@lemmy.world
12
8
submitted 2 months ago by WQMan@lemmy.ml to c/sysadmin@lemmy.world

Hi, I’m looking to set up a Hybrid Cloud Infrastructure with my homelab as I’m lacking additional processing power.

  • Does Hetzner have concepts for VPC/VCN and subnets, similar to AWS, GCP, or Oracle? I’ve been browsing through the documentation (https://docs.hetzner.com/networking/networks) but couldn’t find anything related to it.
  • Does anyone have a new referral code they can share? Thanks!
13
17
14
13

Remote terminal application that allows roaming, supports intermittent connectivity …

15
13
submitted 3 months ago by HC4L@lemmy.world to c/sysadmin@lemmy.world

Hello guys,

We're somewhat struggling with moving traditional file shares to SharePoint Online. Unanimously, people recommend moving to multiple sites vs. a single one because of the ease of management. While I do not doubt that, I simply cannot see the logic. The only real limitation I can think of is the number of items per site, where moving to multiple sites would make a difference.

What is easier about managing permissions on for example 5 folders in the root of a single site vs managing the permissions on 5 separate sites?

What I do know is that it is way easier to have my users go to a single site to find their stuff vs. 5 different sites (and their corresponding URLs), or am I missing something here?

16
89

Why troubleshoot Terraform when you can procrastinate by updating your onboarding slide deck instead?

17
32
submitted 3 months ago by HC4L@lemmy.world to c/sysadmin@lemmy.world

For a few years I've been noticing more and more weird and unexplainable behaviour in Outlook. We support mostly 365 Exchange Online clients on Windows workstations or RDS environments.

The amount of unexplainable bullshit we face is staggering. Outlook not being able to open the folder set, weird MFA glitches, weird bugs in the UI and downright weird errors coming from nowhere are some of the stuff we face weekly.

Am I alone on this?

18
22
submitted 3 months ago by PhilLab@feddit.org to c/sysadmin@lemmy.world

With version 142, Google Chrome just rolled out a new permission prompt for Local Network Access.

While technically a good feature, this cost me the better half of a day hunting a production bug in our SaaS product, which after all did not exist.

Turns out that Chrome will display the permission dialog also for requests which your company's IT-mandated Endpoint Protection solution is grabbing for inspection. In our case, it was Zscaler causing issues.

If you deny the request (which from an end user perspective is the only reasonable choice), your web application will act weird.

Lucky me, our devices had just upgraded to Chrome 142 on the very same day we rolled out a production release. That's how all hell broke loose.

19
111
submitted 3 months ago* (last edited 3 months ago) by Reygle@lemmy.world to c/sysadmin@lemmy.world

Working on a machine that BSOD'd 3-4 times a week, couldn't find much wrong but then I saw this. An NVME drive from a company named "OEMGenuine".
Their website 404's, waybackmachine says it was last cached 2 years ago, and even then it was a broken Godaddy landing page.

Found in a Thinkpad purchased from Amazon, sold by a third-party reseller who "upgrades" the devices before reselling.

Machine seems just fine/stable with a credible drive in it.

What's the craziest shady "brand" name you've seen in the wild?

EDIT: NEW Discovery! One of the ancient waybackmachine cached pages previously redirected to oemgenuine.NET! It's shoddy as hell but the .net domain is still visible today! oemgenuine.net

20
64
submitted 4 months ago* (last edited 4 months ago) by slazer2au@lemmy.world to c/sysadmin@lemmy.world

AWS Us-east-1 has broken itself on a European Monday morning.

So far we have Slack being slow and image attachments preview broken.

No SSO auth with Atlassian (JIRA, OpsGenie, and Confluence)

Sadly, it looks to be resolving. Back to work 🥲

21
8
submitted 4 months ago by BombOmOm@lemmy.world to c/sysadmin@lemmy.world

About a month ago NPM was compromised. It was advised to lock versions to before the compromise.

However, one eventually needs to unlock and start getting updates again. Does anybody know if the coast is clear, or possibly a place that is tracking known compromised packages and their current status?

22
16
submitted 4 months ago by BombOmOm@lemmy.world to c/sysadmin@lemmy.world
23
21
submitted 4 months ago by dastanktal@lemmy.ml to c/sysadmin@lemmy.world

So we just hired a contractor. We wanted a mid level devops like engineer that can handle cleanup tasks that we are far behind on. Grunt work, mostly like cleaning up terraform repos, adjusting configuration to comply with audits.

What we got instead is a highly pushy dude who really wants to push us to a specific stack architecture.

Right now we use a pretty old but standard setup of public lb to nginx, to app load-balancer to our app servers.

We want to move to Kubernetes but there have been some roadblockers with the way this app location is configured.

He's been trying to push us to move to a tool chain that uses terragrunt and terraform to deploy kubernetes and argocd.

We finally agreed to let him do what he wanted, and the very first thing he asked for is a separate AWS account, and the ability to register two top-level domains through Route 53.

Management and I talked about it, and while we understand the requirement for the AWS account, and how it does complicate network infrastructure, we're a bit concerned about why he wants to register two new domains to work with.

I've been doing this for almost 10 years now, and I've read all of the documentation for these tools, and while I haven't used argocd and Terragrunt, I don't see any reason why they could not work with us to use one of our pre-existing domains.

24
44
submitted 4 months ago by Salcie@feddit.fr to c/sysadmin@lemmy.world

Hi there, looking for a KVM for my home server to fix it remotely when there's an important issue,
because, well... my home server isn't at MY home but at my mother's home.

I was looking at nanoKVM-USB, which I would plug into a Raspberry Pi, enabling and disabling the remote app according to my needs to avoid unnecessary security issues, maybe even unplugging it and asking my mother to plug it in when needed. What do you think of such a solution?

Thanks !

25
131
submitted 5 months ago by cm0002@piefed.world to c/sysadmin@lemmy.world

Sysadmin

13221 readers
2 users here now

A community dedicated to the profession of IT Systems Administration

No generic Lemmy issue posts please! Posts about Lemmy belong in one of these communities:
!lemmy@lemmy.ml
!lemmyworld@lemmy.world
!lemmy_support@lemmy.ml
!support@lemmy.world

founded 2 years ago