Roller Network

The next update to the account control center will remove free Secondary DNS and add the “Basic” paid service level. Existing Secondary DNS zones won’t be disabled at this time, but no changes will be allowed to them unless you have a paid account. Back in March we posted an announcement that we’re going to start discontinuing free services and this is the first step.

You can find that announcement here: http://www.rollernet.us/wordpress/2016/03/changes-are-coming-maildns-prices-free-accounts-and-spam-filtering/

A link to this announcement has also been shown in the account control center for the past 8 months. Although we’re sure to see some complaints no matter how much lead time we give, eventually we have to move forward. That time has come for Secondary DNS.

UPDATE: Effective June 5, 2017, Secondary DNS has become paid-only.

We’re now blocking submissions on our outbound mail service (SMTP AUTH) that contain URIs on blacklists we check outgoing content against. Previously we would include them as part of a score, however we started to see unacceptable stuff pass because it didn’t matching anything except the bad URI. Scoring is still in effect, but the score for a URI match alone is now above threshold.

Exceptions are being made for the following recipient addresses:

• *@spam.spamcop.net
• abuse@*

Contact support if you have any questions or have a reporting service address like Spamcop you believe should also be whitelisted.

The other day we did some routine updates on expiring SSL certificates. Today we got a few reports from SMTP AUTH customers about devices (like office multifunction copiers, UPS management cards, etc.) failing to communicate with the SMTP AUTH service. The problem turned out to be the updated SHA256 certificate. Those devices simply can’t work with an SHA256 cert.

A while back it was determined that SHA1 is “weak” and could become exploitable, although at the time we’re writing this no successful real-world attacks have been discovered. As such certificate authorities now only issue SHA256 certificates. Unfortunately for older devices and embedded devices like the aforementioned offfice copier (and by copier we are referring to big floor standing ones like a Ricoh or Xerox, not some cheap inkjet printer-scanner-copier) they’re different than installing an OS update on your computer. Things like that usually only get replaced as they come off-lease.

We understand that people aren’t just going to trash their devices for SHA265 support so we’ve decided to add an alternate SHA1 access to the SMTP AUTH server. If your device can’t connect to smtpauth.rollernet.us using SSL/TLS try using smtpauth-sha1.rollernet.us instead. We believe this is a better option than disabling SSL/TLS: irrespective of how “weak” SHA1 could be this point, our opinion is that it’s still better than plaintext at this time.

There are some encryption types that are practically plaintext – like WEP or original DES – but SHA1 isn’t that bad (yet, possibly, maybe someday, maybe never).