Freecycle.org
I raised an issue via the FreecycleTech Forum and it became clear to me that nobody wanted to hear or try to understand what I had to say. You simply tried to repudiate anything I said, which I found very disappointing.
I have decided to try to articulate, more clearly and with additional detail, the points I have tried unsuccessfully to raise with Deron and the Tech Team.
I believe the email configuration for freecycle.org is erroneous for the following reasons:
freecycle.org has a single DNS MX record, which points to vps111.rbx.freecycle.org.
vps111.rbx.freecycle.org has a DNS A record that points to 51.83.28.234.
https://dnschecker.org/all-dns-records-of-domain.php?query=freecycle.org&rtype=ALL&dns=dnsauth
If you view the certificate details on https://51.83.28.234 you will see an expired certificate.
https://vps111.rbx.freecycle.org or https://mail.freecycle.org
Note: if you try to view this certificate using a browser you will need to use one that doesn’t redirect to https://webmail.freecycle.org which is a different server (hint: use Firefox with the NoScript Extension installed).
https://testtls.com/vps111.rbx.freecycle.org/443
https://testtls.com/51.83.28.234/443
So there are two issues here: firstly the certificate has expired, and secondly its name does not match the host, so it would be invalid for this host even if it were still within its validity period.
It expired at 23:59:59 on January 16, 2024.
As I mentioned above, there is only a single DNS MX record and it points to vps111.rbx.freecycle.org, which has an A record, so that part is fine. The problem is the certificate: a wildcard name such as *.freecycle.org matches exactly one label (RFC 6125 section 6.4.3, which defines how clients match certificate names against a host), so it covers mail.freecycle.org but cannot cover vps111.rbx.freecycle.org, and the certificate is therefore invalid for the host the MX record names.
https://mxtoolbox.com/SuperTool.aspx?action=mx%3afreecycle.org&run=toolpage
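The two checks above (validity period and RFC 6125 name matching against a wildcard) in code. This is an added example, not code from the page or from Freecycle: the SAN list and dates are constructed stand-ins that mirror what the page reports (a *.freecycle.org wildcard that expired on 16 January 2024); the real certificate's exact contents are not quoted on the page.

```python
"""Certificate name and validity check for an MX host.

Added example, not code from the page or from Freecycle.  The SAN list and
dates below are constructed stand-ins that mirror what the page reports
(a *.freecycle.org wildcard that expired on 16 January 2024); the real
certificate's exact contents are not quoted on the page.
"""
from datetime import datetime


def name_matches(pattern: str, host: str) -> bool:
    """Match a certificate name against a host per RFC 6125 section 6.4.3.

    A wildcard may only be the whole left-most label and stands for exactly
    one label: *.example.org matches mail.example.org, but neither
    example.org nor a.b.example.org.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # Wildcard must be the entire first label, nothing else may contain '*',
    # and at least two labels must follow it (no '*.org' style patterns).
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def check_certificate(san_names, not_after_iso: str, host: str, now_iso: str):
    """Return a list of findings; an empty list means the certificate is
    usable for `host` at time `now_iso`.  Dates are ISO 8601 with a UTC offset."""
    not_after = datetime.fromisoformat(not_after_iso)
    now = datetime.fromisoformat(now_iso)
    findings = []
    if now > not_after:
        findings.append(f"expired at {not_after_iso}")
    if not any(name_matches(n, host) for n in san_names):
        findings.append(f"no SAN matches {host} (SANs: {', '.join(san_names)})")
    return findings


# Constructed SANs for the page's scenario: a freecycle.org wildcard certificate.
CONSTRUCTED_SANS = ["*.freecycle.org", "freecycle.org"]
EXPIRY = "2024-01-16T23:59:59+00:00"   # expiry date the page reports


def findings_for_mx_host(now_iso: str = "2024-02-01T00:00:00+00:00"):
    """The page's case: the MX target checked after the expiry date."""
    return check_certificate(CONSTRUCTED_SANS, EXPIRY, "vps111.rbx.freecycle.org", now_iso)


if __name__ == "__main__":
    for line in findings_for_mx_host():
        print("FAIL:", line)
    print("mail.freecycle.org matched:", name_matches("*.freecycle.org", "mail.freecycle.org"))
```

One caveat when reproducing this against the live host: the checks linked above were run on port 443, but the certificate that matters for inbound mail is the one the MTA presents on port 25 after STARTTLS, which can be a different one. `openssl s_client -starttls smtp -connect vps111.rbx.freecycle.org:25` shows that certificate, and its SANs and notAfter are what should be fed to `check_certificate`.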
You tried to tell me that inbound email should be going to mail.freecycle.org, which is an alias (a DNS CNAME) of vps111.rbx.freecycle.org. I'm afraid that still doesn't stack up: the alias isn't referenced in the MX record, and if it were, the MX record would be invalid, because RFC 2181 section 10.3 says the target of an MX record must not be an alias.
https://dnschecker.org/all-dns-records-of-domain.php?query=mail.freecycle.org&rtype=ALL&dns=dnsauth
https://testtls.com/mail.freecycle.org/443
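The MX-target rules from the paragraph above as a check over a zone snapshot. This is an added example, not code from the page or from Freecycle: ZONE is a constructed snapshot of what the page describes, and MX_VIA_ALIAS_ZONE is a constructed variant of the configuration the Tech Team described, with the MX naming the mail.freecycle.org alias. A live check would pull the records with dnspython or dig instead of a dict.

```python
"""MX target sanity check against a zone snapshot.

Added example, not code from the page or from Freecycle.  ZONE is a constructed
snapshot of what the page describes; MX_VIA_ALIAS_ZONE is a constructed
variant of the configuration the Tech Team described (MX pointing at the
mail.freecycle.org alias).  A live check would pull the records with
dnspython or dig instead of a dict.
"""

# Constructed: name -> list of (rtype, rdata).  MX rdata is (preference, target).
ZONE = {
    "freecycle.org": [("MX", (10, "vps111.rbx.freecycle.org"))],
    "vps111.rbx.freecycle.org": [("A", "51.83.28.234")],
    "mail.freecycle.org": [("CNAME", "vps111.rbx.freecycle.org")],
}

# Constructed variant: same zone, but the MX names the CNAME instead.
MX_VIA_ALIAS_ZONE = dict(ZONE)
MX_VIA_ALIAS_ZONE["freecycle.org"] = [("MX", (10, "mail.freecycle.org"))]


def lookup(zone, name, rtype):
    """Return the rdata of every record of type rtype at name.  Deliberately no
    CNAME chasing: an MX target is supposed to be a canonical name."""
    return [rdata for (t, rdata) in zone.get(name.lower().rstrip("."), []) if t == rtype]


def check_mx_targets(zone, domain):
    """Return a list of findings; an empty list means the MX set is well formed."""
    findings = []
    mx_records = lookup(zone, domain, "MX")
    if not mx_records:
        # RFC 5321 section 5.1: no MX means an implicit MX to the domain's own A/AAAA.
        findings.append(f"{domain}: no MX record; delivery falls back to the domain's own address record")
        return findings
    for preference, target in sorted(mx_records):
        if lookup(zone, target, "CNAME"):
            findings.append(f"MX {preference} {target}: target is a CNAME, which RFC 2181 section 10.3 forbids")
        elif not lookup(zone, target, "A") and not lookup(zone, target, "AAAA"):
            findings.append(f"MX {preference} {target}: no A or AAAA record at the target name")
    return findings


if __name__ == "__main__":
    for label, zone in (("as published", ZONE), ("MX via alias", MX_VIA_ALIAS_ZONE)):
        print(label, "->", check_mx_targets(zone, "freecycle.org") or ["OK"])
```

As published, the MX target itself is fine (an A record, no CNAME); the certificate, not the DNS, is what fails. Pointing the MX at the alias instead would trade a certificate mismatch for a DNS violation.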
I think it’s also worth pointing out that the certificate on the vps111.rbx.freecycle.org server has a 4096-bit RSA key. This seems excessive to me for a server certificate; it makes every TLS handshake several times more expensive for the server than a 2048-bit key, and in my previous experience is likely to cause issues for some folks trying to connect to it. I noticed that all your other server certificates I can see, including the replacement for this certificate, are 2048-bit, as I would expect.
Another point worthy of mention is the protocols enabled for the servers. Most of the freecycle.org servers have the following profile:
TLS 1.3 Yes
TLS 1.2 Yes
TLS 1.1 No
TLS 1.0 No
SSL 3 No
SSL 2 No
While the vps111.rbx.freecycle.org server has the following profile, which I would suggest is suboptimal: TLS 1.0 and TLS 1.1 have been formally deprecated (RFC 8996) and TLS 1.3 is not offered at all:
TLS 1.3 No
TLS 1.2 Yes
TLS 1.1 Yes
TLS 1.0 Yes
SSL 3 No
SSL 2 No
You tell me that you already have DMARC configured. Well, again I’d challenge that assertion, because the way you have it configured provides no protection: the policy is ‘p=none’, which asks receivers to take no action on mail that fails DMARC and only to send reports. Until it is moved to quarantine or reject, it does nothing to stop spoofed mail from being delivered.
https://www.uriports.com/tools?method=dmarc&domain=freecycle.org
You also tell me that MTA-STS is emerging and not a ratified standard. I guess that depends on what you mean by emerging. It has been defined in RFC 8461, a Standards Track RFC, since September 2018, is recommended by the UK Government’s NCSC, and is supported and promoted by Google, Microsoft and most large email providers. Given your other issues, I can understand wanting to bury your head in the sand concerning MTA-STS.
Good luck, you’re going to need some.
https://checkcybersecurity.service.ncsc.gov.uk/email-security-check/results?domain=freecycle.org
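To make the DMARC and MTA-STS points above concrete, here is a small inspector for both records. This is an added example, not code from the page or from Freecycle: the page says freecycle.org publishes DMARC with p=none and has no MTA-STS, but it does not quote the actual record text, so every record value below is a constructed stand-in.

```python
"""DMARC and MTA-STS policy inspection.

Added example, not code from the page or from Freecycle.  The records below
are constructed: the page says freecycle.org publishes DMARC with p=none and
has no MTA-STS, but it does not quote the actual record text, so the tag
values here are stand-ins.
"""

# Constructed records.
DMARC_MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@freecycle.org"
DMARC_ENFORCING = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@freecycle.org; pct=100"
STS_TXT = "v=STSv1; id=20240201T000000Z"
STS_POLICY_ENFORCE = "version: STSv1\nmode: enforce\nmx: mail.freecycle.org\nmax_age: 604800\n"
STS_POLICY_TESTING = STS_POLICY_ENFORCE.replace("enforce", "testing")


def parse_tags(record: str) -> dict:
    """Parse the 'k=v; k=v' syntax shared by DMARC TXT and _mta-sts TXT records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_findings(record: str) -> list:
    """Return findings for a DMARC TXT record; empty means it is enforcing and reporting."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record: v=DMARC1 must be the first tag"]
    findings = []
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("p tag missing or invalid: receivers ignore the record")
    elif policy == "none":
        findings.append("p=none: receivers take no action on failing mail, they only report")
    elif tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applied to only that share of failing mail")
    if "rua" not in tags:
        findings.append("no rua tag: no aggregate reports, so failures are invisible to you")
    return findings


def parse_sts_policy(text: str) -> dict:
    """Parse the key: value lines of /.well-known/mta-sts.txt (RFC 8461 section 3.2)."""
    policy = {"mx": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value)
        else:
            policy[key] = value
    return policy


def mta_sts_findings(txt_record, policy_text) -> list:
    """txt_record is the _mta-sts.<domain> TXT value, or None when it is absent."""
    if txt_record is None:
        return ["no _mta-sts TXT record: sending MTAs will accept a downgrade to cleartext"]
    findings = []
    tags = parse_tags(txt_record)
    if tags.get("v") != "STSv1" or not tags.get("id"):
        findings.append("_mta-sts TXT record malformed: needs v=STSv1 and an id")
    policy = parse_sts_policy(policy_text)
    if policy.get("version") != "STSv1":
        findings.append("policy file: version must be STSv1")
    mode = policy.get("mode")
    if mode == "testing":
        findings.append("mode: testing, senders report failures but still deliver")
    elif mode != "enforce":
        findings.append(f"mode: {mode!r} is not enforcing")
    if not policy["mx"]:
        findings.append("policy file lists no mx patterns")
    max_age = policy.get("max_age", "")
    if not max_age.isdigit() or int(max_age) <= 0:
        findings.append("max_age missing or not a positive integer")
    return findings


if __name__ == "__main__":
    print("DMARC as published :", dmarc_findings(DMARC_MONITOR_ONLY))
    print("DMARC hardened     :", dmarc_findings(DMARC_ENFORCING) or ["OK"])
    print("MTA-STS absent     :", mta_sts_findings(None, ""))
    print("MTA-STS enforcing  :", mta_sts_findings(STS_TXT, STS_POLICY_ENFORCE) or ["OK"])
```

The order of work is the one the findings suggest: keep p=none only long enough to read the rua reports, move to quarantine and then reject, and publish MTA-STS in testing mode before switching it to enforce once TLS-RPT reports show no failures.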