
Show HN: Self-Validating Email Aliases for Postfix - m3047
https://github.com/m3047/trualias/
======
notadev
I sort of do this a different way. I have a custom domain and use that with
Google's G Suite. I set the catch-all email to my email. Then everything I
sign up with gets a different email address, like amazon@<mydomain>. I use a
password manager to track all the different emails/passwds. This has helped me
catch the water company giving out my email. I got junk mail asking me to sign
up with my email utilities-water@<mydomain>. If a particular email starts
getting spam, I just blacklist the To: address.

~~~
notduncansmith
People have been mentioning this technique for a long time on HN. I finally
started doing it a few years ago (my email is through Fastmail), and it has
worked pretty well. It turns out most customer support staff are surprised to
find the name of their company in your email address (“is that your real email
address?”).

~~~
orastor
I do the same, and to avoid this I'll abbreviate the name or use initials, just
enough for it to be pronounced differently from the company name.

------
teddyh
Why require a patched Postfix merely to use a localhost address and port as a
lookup table? I would assume that a unix domain socket should be acceptable?

~~~
m3047
I await the PR!

------
m3047
I want to thank HN and the HN community for the awesome free exposure. It
means a tremendous amount to a niche open source project. I'm sure I can
attribute 6 clones and 20 GitHub stars to this, hopefully some of those turn
into users and possibly even contributors. Thanks again...

------
edoceo
You can point alias_maps to a SQL table too. So adding and removing aliases can
be done on the fly. No patching.

One can also use UAE, the '+' symbol after the user portion in postfix - you
don't need a new alias. Then use a dedicated UAE base address
"spam+VENDOR@example.com".

~~~
wave100
Only issue with that is that spammers have gotten smart and started excluding
the plus and anything after it.

~~~
edoceo
I've been blocked at web-forms too.

------
steve19
This is quite clever. I have avoided wildcards because I have not wanted to
deal with the increased spam sent by bots to random (jane@ eve@) or not so
random addresses (webmaster@).

~~~
madamelic
It just doesn't happen, in my experience.

I have 5 different domains with catch-alls and I get 0 unsolicited emails.

I have seen it happen at companies that paste their emails everywhere, but
with personal domains, it doesn't happen.

~~~
m3047
Some day your luck, or your interests, will change; maybe you'll remember this
project and come back and visit us.

------
1996
Also for postfix: use port 465 for SSL encryption,
[https://news.ycombinator.com/item?id=21430013](https://news.ycombinator.com/item?id=21430013)

[https://tools.ietf.org/html/rfc8314#section-3.3](https://tools.ietf.org/html/rfc8314#section-3.3)

~~~
teddyh
Note: Using port 465 for SMTPS is _deprecated_; one should use STARTTLS on
normal SMTP on port 25 or client e-mail submissions on port 587 instead. Port
465 has even been officially _reassigned_ to the “URL Rendezvous Directory”
service.

If you’re worried about man-in-the-middle protocol downgrade attacks, check
the DANE DNS record for the mail server (and verify the DNSSEC signature); if
the DANE record says to use TLS, but the SMTP connection doesn’t accept
STARTTLS, raise the shenanigans alert.

~~~
tptacek
How many serious SMTP servers in the entire industry have DANE records with
DNSSEC signatures? Didn't the major mail providers just push SMTP-STS
specifically so people wouldn't have to bother with DANE?

~~~
teddyh
MTA-STS was made by, and for, the big providers, and it shows. MTA-STS is not
a practical standard for small players, and is unlikely to be widely adopted
except by Big Email.

~~~
akerl_
Given that, by definition, the majority of end users are on “Big Email”, if
all of them adopt it, it will already have vastly more practical benefits than
DANE has had thus far.

That said, I’ve looked around a bit and it doesn’t seem like it’s actually
impractical to set up MTA-STS for your own server, unless I’m missing
something? (For reference, I’ve been skimming
[https://roll.urown.net/server/mail/mta-sts.html](https://roll.urown.net/server/mail/mta-sts.html) ). Can you
elaborate on why it’s not practical for small players?

~~~
1996
Maybe because he doesn't like serving https? Many people object to that, while
they're fine with the DNS only part (you need to be able to curl
[https://mta-sts.DOMAIN/.well-known/mta-sts.txt](https://mta-sts.DOMAIN/.well-known/mta-sts.txt) )
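To make concrete what the policy file fetched from that URL does for a sending MTA, here is an added example (not code from the trualias project or from anyone in this thread) that parses an RFC 8461 policy body and applies its `mode` and `mx` rules to a constructed MX host name and EHLO capability set. The policy text, host names and EHLO keywords are all constructed inline so nothing is fetched over the network.

```python
"""Offline MTA-STS policy check (RFC 8461 policy file format).
Added example: the policy body and the EHLO keywords are constructed
inline instead of being fetched from mta-sts.<domain> or an MX host.
"""

# Constructed stand-in for https://mta-sts.<domain>/.well-known/mta-sts.txt
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.com
max_age: 604800
"""


def parse_policy(text):
    """Parse the key/value policy body into a dict; the 'mx' key may repeat."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value)
        else:
            policy[key] = value
    if policy.get("version") != "STSv1" or policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid MTA-STS policy")
    return policy


def mx_allowed(policy, mx_host):
    """RFC 8461 wildcard: '*.example.com' matches exactly one leftmost label."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        pattern = pattern.lower()
        if pattern.startswith("*."):
            if "." in host and host.split(".", 1)[1] == pattern[2:]:
                return True
        elif host == pattern:
            return True
    return False


def delivery_decision(policy, mx_host, ehlo_keywords):
    """Return 'deliver' or 'refuse'. In enforce mode an MX not listed in the
    policy, or one that does not advertise STARTTLS, is refused; in testing
    and none modes the failure would only be reported, so delivery proceeds."""
    ok = mx_allowed(policy, mx_host) and "STARTTLS" in ehlo_keywords
    if ok:
        return "deliver"
    return "refuse" if policy["mode"] == "enforce" else "deliver"
```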

~~~
akerl_
I’m not sure I understand why somebody would object to running an HTTPS
server?

