SMTP Authentication with Postfix

Tutorial No Comments »

By René Pfeiffer

Taken From LinuxGazette.com Issue #142

Sending and receiving email is still one of the most important aspects of the Internet. Anyone who has ever worked in first level support knows this. Sending email is not a trivial task anymore, because a lot of Internet service providers fight against unsolicited email known as spam. For end users this means that you have to configure a fixed mail server that accepts email from you and relays it to other servers. This usually works fine as long as you aren’t mobile. Laptop users with ever changing IP addresses sometimes need to change their relay mail server depending on their location. Accepting email from dynamically assigned addresses is best done by SMTP Authentication. I will show you how this works.

Prerequisites

Who is Who

The configuration can be done with almost all GNU/Linux distributions. Nevertheless I will focus on using Debian Etch together with Postfix. We will also use encryption, so you need to have OpenSSL and a suitable certificate at hand. The article “Migrating a Mail Server to Postfix/Cyrus/OpenLDAP” in issue #124 shows you how to prepare Postfix for encryption. Your Postfix installation will therefore need Transport Layer Security (TLS) support. On Debian you can enable TLS by installing the postfix-tls package.

We will be speaking of two distinct components when dealing with email.

  • Mail User Agent (MUA)
    This is the program for reading, writing and sending email. Typical MUAs are Mozilla Thunderbird/Icedove, mutt, Sylpheed, Evolution, KMail, and Pine. Some MUAs speak Simple Mail Transfer Protocol (SMTP), some don’t and submit the mail to a local program for relaying. MUAs are mail clients.
  • Mail Transport Agent (MTA)
    This is the software also known as a mail server. MTAs relay mail to other mail servers by using SMTP/ESMTP. Any mail destined for local users will be dispatched to a local mailbox by means of the Local Delivery Agent (LDA). Typical MTAs include Exim, Postfix, Sendmail, and qmail.

I will focus on using mutt as a MUA. The confusing advantage of mutt is that it submits the email to a MTA on the local machine for delivery.

Authentication Software

We need a source for the authentication information. The easiest way is to use the Simple Authentication and Security Layer (SASL) framework, which allows us to use a variety of sources through a single mechanism. The packages sasl2-bin and libsasl2-modules are needed for our purposes. sasl2-bin contains the utilities to maintain and query the user database with the passwords and is only needed on the MTA that should use SMTP Authentication. The libsasl2-modules are needed on both sides. Some MUAs already provide code for SASL authentication.

Configuration

Now let’s try to get everything to work together seamlessly.

Postfix as Inbound Mail Relay

Postfix will use the SASL Authentication daemon saslauthd in order to decide whether the authentication is correct or not. The query is done by using saslauthd’s UNIX socket, usually found in /var/run/saslauthd/mux. This is a problem since Postfix runs in its own chroot environment, /var/spool/postfix/, and can’t see the socket. You now have two options - give up Postfix’s chroot or move saslauthd’s socket to another place. Fortunately, the last option can be done easily by editing /etc/default/saslauthd:

# This needs to be uncommented before saslauthd will be run
# automatically
START=yes

# You must specify the authentication mechanisms you wish to use.
# This defaults to "pam" for PAM support, but may also include
# "shadow" or "sasldb", like this:
# MECHANISMS="pam shadow"

MECHANISMS="sasldb"
PARAMS="-m /var/spool/postfix/var/run/saslauthd"

We changed the MECHANISMS to the SASL database (we don’t want to use system accounts for SMTP AUTH) and we moved the socket into Postfix’ chroot by using the -m option. We still have to make sure that the path to the socket exists.

antigone:~# mkdir -p /var/spool/postfix/var/run/saslauthd

Now we can turn our attention to the Postfix configuration. It needs to be told that it should use SASL for authentication and what options it should accept. First, we create a directory and a file with the options:

antigone:~# mkdir /etc/postfix/sasl/
antigone:~# cat > /etc/postfix/sasl/smtpd.conf
pwcheck_method: saslauthd
auxprop_plugin: sasldb
saslauthd_path: /var/run/saslauthd/mux
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
^D
antigone:~#

smtpd.conf tells Postfix to ask saslauthd’s user database the path to the socket and the allowed authentication options. PLAIN and LOGIN are simple cleartext authentication methods. Leave them out in case your MTA doesn’t support encryption. LOGIN is deprecated so you won’t need it anyway; I just included it as example. CRAM-MD5 and DIGEST-MD5 based on challenge-response or digests respectively. Most modern MUAs know them, so it’s good to allow them in this configuration.

The last thing you need to do is to add the authentication directives to the Postfix main config file /etc/postfix/main.cf:

smtpd_sasl_auth_enable      = yes
smtpd_sasl_security_options = noanonymous,noplaintext
smtpd_sasl_application_name = smtpd
smtpd_sasl_local_domain     = $mydomain
broken_sasl_auth_clients    = no

The first line enables SASL AUTH. The security options define what to accept. It is very important to include noanonymous or else the authentication allows any mail relaying, which is not what you and I want. Be careful to double-check that noanonymous is present! The application name tells Postfix the name that should be used when initiating the SASL server. It corresponds to our file smtpd.conf, which contains the options we wish to use. The SASL local domain defines the realm that should be used as the authentication realm. Every user has a login, a realm, and a password. Usually the realm corresponds to the domain your server is part of. The last option deals with the special needs of some MUAs. Set this option to yes if a Microsoft Outlook Express Version 4 and Microsoft Exchange server Version 5.0 use your Postfix as authentication mail relay. Otherwise, it is safe to use no.

We still need to tell Postfix that authenticated clients are ok. You can configure this with the smtpd_recipient_restrictions directive.

smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unlisted_recipient,
    check_recipient_access hash:/etc/postfix/rcpt_blacklist,
    check_helo_access hash:/etc/postfix/helo,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_rbl_client realtimeblacklist.example.net,
    check_policy_service inet:127.0.0.1:60000,
    permit

We added a permit_sasl_authenticated right before the blacklist and greylist check. Make sure you accept the authenticated connection as soon as possible, but don’t skip important checks in case the MUA gets something wrong. The files rcpt_blacklist and helo are custom hash files with blacklisted addresses and faked name in the HELO/EHLO dialog. You can skip them if you don’t have them yourself. The same is true for the real time blacklist. You don’t have to use one.

We’re almost done. We only need the account with username and password. You can add users by using the saslpasswd2 command.

antigone:~# saslpasswd2 -u your.realm username

The tool will prompt twice for the password. Now you are all set. Reload or restart saslauthd and Postfix. Make sure the UNIX socket in Postfix’s chroot environment was created. Check with telnet for the SMTP AUTH banner.

lynx@agamemnon:~ $ telnet antigone.luchs.at 25
Trying 127.0.0.1...
Connected to antigone.luchs.at.
Escape character is '^]'.
220 antigone.luchs.at ESMTP ready
EHLO client.example.net
250-antigone.luchs.at
250-PIPELINING
250-SIZE 10380902
250-ETRN
250-STARTTLS
250-AUTH DIGEST-MD5 CRAM-MD5
250 8BITMIME
QUIT
221 Bye
Connection closed by foreign host.
lynx@agamemnon:~ $

If everything works you should see the string 250-AUTH DIGEST-MD5 CRAM-MD5 after the HELO/EHLO command.

Postfix as Outbound Mail Relay with Authentication

Since I use mutt, the component that deals with SMTP is my local Postfix. It doesn’t know about SMTP AUTH yet, but we only need two additional options in main.cf

smtp_sasl_auth_enable   = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

The first directive enables SMTP AUTH in Postfix’s SMTP client component. The second dictates which username and password to use when talking to each server. A sample sasl_passwd map looks like this:

smtp.example.net        username:seckrit
192.168.1.1             username2:geheim

Don’t forget to create the hash of the map by using postmap /etc/postfix/sasl_passwd. Now point your relayhost variable to one of the servers listed in sasl_passwd and reload the Postfix configuration. Mail relay should now be using SMTP AUTH. If the login fails, check for the presence of the libsasl2-modules package. Without it Postfix will try to use authentication, but will fail because no suitable authentication methods can be found.

One Word About Encryption

Although I didn’t show how to configure encryption in this example, I strongly suggest using TLS with every MTA you run. The setup isn’t too hard and having encrypted SMTP AUTH sessions is the best way to protect the passwords.

Useful Resources

This is one of many articles written about this topic. You can find more details here:

Popularity: 18% [?]

Preventing Domain Expiration

Tutorial No Comments »

By Rick Moen

Tken from LinuxGazette.com Issue #142

If you study accounting and finance, one of the tidbits taught is that financial fraud (via embezzlement and otherwise) is far more pervasive than anyone’s willing to admit. It’s a loss syndrome businesses (e.g., banks) see no advantage in mentioning: Having been taken for a ride is pretty embarrassing, after all.

Internet users have an equally pervasive — and oddly similar — problem: accidental Internet domain expiration. Your Linux user group or other nonprofit group (or, hey, even your company) is relying on some vaguely defined chain of command to make sure the domain keeps getting renewed, making the assumption everything’s fine as long as no disaster has yet happened (which tactic is called “management by exception” in business school — usually just before they cue the ominous music). Somebody drops the ball, the domain everyone’s relying on expires when nobody’s looking, and when the dust settles you find that a domain squatter’s grabbed it. Yes, there are companies that make domain snatching their core business. They do well at it, too. Too well for my taste.

Victims of such raids sometimes attempt to recover using legal threats, usually trademark-based, and the ICANN Uniform Domain-Name Dispute-Resolution Policy (UDRP) to wrestle back their domains, but it’s more common to pay the squatter’s ransom: That might range from hundreds to tens of thousands of US dollars, depending on the domain and what the market will bear.

Equally common, though, especially for less wealthy victims, is to just quietly concede, watch the squatter deploy a so-called “search engine” site where your Net presence had been, and move your presence to some entirely new domain name you use as a replacement. Every year, I see this happen to individuals and groups: Suddenly, the established domain is a squatter site, and everyone has a new e-mail address, for reasons nobody wants to discuss.

But there’s a better way. It doesn’t have to happen. It can be prevented.

First up, out on the Net, I found a nice little Bourne shell script by Ryan Matteson (matty91 at gmail dot com) called “domain-check” (http://prefetch.net/code/domain-check), which queries the public WHOIS data in real time to check pending domain expiration dates, and integrates nicely with cron and optionally SMTP e-mail notification, in order give responsible parties advance notice of the need to take action. (In this article, as elsewhere, all-caps “WHOIS” refers to the TCP port 43 protocol defined in RFC 3912 for remote information lookup about domain names, etc. Not all TLDs offer that service, as detailed below.)

Ryan’s script’s only dependencies are awk, whois, and date, whose executable paths must all be correctly set in the script body (and require fixing on typical Linux systems). Plus, you probably need to add a line defining shell environment variable MAIL to point to a proper system outbound mailer, if you wish to do e-mail advisories. (On my system, /usr/bin/mail fits nicely.)

Once you have that set, it’s fairly self-explanatory:

$ domain-check -h
Usage: /usr/local/bin/domain-check [ -e email ] [ -x expir_days ] [ -q ]
[ -a ] [ -h ]
          {[ -d domain_namee ]} || { -f domainfile}

  -a               : Send a warning message through email
  -d domain        : Domain to analyze (interactive mode)
  -e email address : Email address to send expiration notices
  -f domain file   : File with a list of domains
  -h               : Print this screen
  -s whois server  : Whois sever to query for information
  -q               : Don't print anything on the console
  -x days          : Domain expiration interval (eg. if domain_date < days)

Example output:

$ domain-check -d linuxmafia.com

Domain                           Registrar         Status   Expires Days Left
-------------------------------- ----------------- -------- ------- ---------
linuxmafia.com                   TUCOWS INC.       Valid   17-jul-2010   1057

Ryan’s implementation of domain-check has two problems: One is that he has inadvertently made its licence technically proprietary (as of v. 1.4), by failing to include rights to modify or redistribute, in his otherwise generous licence statement. Ryan’s aware of this oversight, but hasn’t yet fixed it at press time.

The other: It can parse the expiration date fields from only a few top-level domains (TLDs), missing some really important ones such as .ORG. In particular, if you run it with e-mailed output (where it really shines, generally, e.g., running as a weekly cronjob to check a list of domains), it says nothing at all about domains within the many TLDs it simply can’t handle.

Mind you, as editor Ben Okopnik and I were testing Ryan’s script, we realised that adding to it support for additional TLDs could prove non-trivial, and we respect Ryan’s accomplishment, as far as it’s gone: A brief survey of the 250 country-code TLDs (”ccTLDs”, such as .uk and .us) and 21 generic TLDs (”gTLDs”, such as .com, .net, .org, .info, etc.) showed dozens of variations in the way expiration dates and registrar names, each needing its own parsing code.

Ryan might appreciate some help with that task: Experienced shell coders might want to send Ryan patches, especially to fill out its currently rather thin TLD coverage. However, we right away spotted the licensing issue, on top of that — and so, for ourselves, decided to switch tactics.

Introducing Ben’s domain-check

Ben Okopnik fired up his mighty Perl kung fu, and crafted a second implementation, likewise called “domain-check”, which now is available with GPL licensing terms at my Web site. It works a treat. Here’s how it goes from the command line — obviously fashioned after Ryan’s good example:

$ domain-check -d=linuxmafia.com
Processing linuxmafia.com... 

Host                    Registrar                           Exp.date/Days left
==============================================================================
linuxmafia.com          TUCOWS, INC.                        17-jul-2010 / 1057

And, of course, it supports the same e-mailed reporting mode that in Ryan’s script is so nicely cron-friendly — with the bonus improvement of relying on Perl and a WHOIS client solely, and finding them via PATH without any need to tweak the script.

The Two WHOIS Clients

At present, Ben’s domain-check will use, if present, the fairly sophisticated, configurable, and cache-enabled WHOIS client “jwhois” by default, on a hunch that “jwhois” is usually, generally a small bit smarter, and its caching on disk of recently received WHOIS data is usually an advantage, relative to the regular “whois” (/usr/bin/whois) implementation — with automatic fallback to the latter client. However, the WHOIS client comparison is, upon further examination, a mixed bag. For one thing, “jwhois’s” results caching (defaulting to a seven-day retention period) can become a problem: Suppose it’s Wednesday today, you last checked your friend’s domain example.com on Sunday, and that domain’s due to expire this coming Saturday. You run domain-check (and it finds “jwhois”); domain-check reports that your friend’s weekend expiration is still looming.

But maybe, he/she has (unbeknownst to you) already paid for that renewal, and it took effect yesterday. domain-check won’t pick this datum up (while using “jwhois” with 7-day retention), and so issues a false alarm, because it’s still using the cache-hit of Sunday’s data, now three days old (but already obsolete).

You can ameliorate this situation by, say, reducing the cache period (near the bottom of /etc/jwhois.conf) to 2 hours instead of the default 168 hours = 1 week — but the point is that “jwhois’s” default reliance on old data can be misleading.

Nor is it always or unambiguously the case that “jwhois” is “a bit smarter”. This is where things get interesting (part one, of two). The worldwide Internet domain system’s “whois” data, showing contact information for each domain’s owners & operators, which registrar it’s enrolled through, when it will expire, and at what IPs its DNS nameservers can be found, is (like DNS itself) yet another distributed information system, with “whois” information for each TLD (among those that offer it) publicly accessible (if at all) either the WHOIS protocol, or Web-based lookup methods, or both, that can query one or more database server holding that data.

Which TLDs offer meaningful information lookup via WHOIS, and at what WHOIS server hostnames in each case? If you’re reasonably lucky (regarding the six or seven TLDs you typically care about, no matter where in the world you are), the WHOIS client software you use (which on Linux will be either /usr/bin/whois or /usr/bin/jwhois) already has this knowledge built in. However, the various TLD operators, including the administrators of the 250 country-code TLDs, have an unsettling tendency to move things around, change where their WHOIS data is, terminate WHOIS service, start WHOIS service — without (much) notice. They’re supposed to inform IANA of all such changes, whereupon IANA would update its TLD information pages (1, 2), but you will be “shocked, shocked!” to hear that compliance is spotty. In parallel to this official process the two client programs’ authors attempt to track TLD changes, themselves. Sometimes, one of the two Linux WHOIS clients will reflect (in its auto-selection of the correct WHOIS server for a given TLD, or its claim that none exists) better information than IANA has. Sometimes, IANA has better data (and, if the system really worked, it would have the latest and best — but doesn’t). More often than not, the best data are on relevant Wikipedia pages (1, 2, 3, 4). Some of the linked subpages are really entertaining: If your sense of humour is as warped as mine, check out the reasons why “.vrsn-end-of-zone-marker-dummy-record.root” is a valid TLD, and note the reasons why, in 2007, .arpa is still a robust TLD with six active subdomains — and, by the way, a useful WHOIS server.

The biggest reason Ben and I have so far favoured the jwhois client is that its internal knowledge about which WHOIS server to use for particular TLDs and subdomains is highly configurable via configuration file /etc/jwhois.conf (but beware of the mixed blessing of results caching). Whereas, the other WHOIS client is not. However, in the middle with wrestling with both clients, seeking to give domain-check the broadest possible TLD coverage, Ben found it prudent to hack domain-check’s parsing code that handles its (optional) file listing which domains to check, to support an optional two-column format: domain, and what WHOIS server hostname to use for that domain. To help users, I’ve constructed a prototype domains file, showing a test-case host within each supported TLD (often, the “NIC” = network information centre that runs Internet infrastructure for that country or other TLD authority), plus the currently correct WHOIS host for that TLD. Separately, I am maintaining a separate file of more-verbose notes/information, but the latter is intended solely for interested humans, and isn’t readable by domain-check.

Now, I figure most people who deal in domains are following this account without major problems, but a minority of readers may be thinking “What’s this about determining expiration data via WHOIS?”, and a smaller minority are still stuck on “What’s this about domains expiring?” I should explain:

It’s a Wacky World, out There

(This is part two of “Where things get interesting”.)

One of the reasons I really enjoy travelling to remote and diverse parts of the world, on occasions when I have time and money for it, is that you encounter people living their lives using, quite naturally, radically different basic assumptions, sometimes assumptions differing in subtle but important ways. In return, you’re rewarded with the cheerful fact that you and your people will tend to strike other nations as slightly odd and nutty, too — and may even agree. (An American comedian and entertainer named Garrison Keillor and his radio programme “A Prairie Home Companion” finally made me realise, similarly, that my own crowd of Scandinavian-Americans are extremely quirky people — manias for strong coffee and white fish, going nuts on Midsummer Day, mocking self-deprecation, and all.)

Getting back to the subject, exploring WHOIS data can earn you that same shock of unexpected strangeness, right at home. One of my first test cases for the unfolding development of domain-check was .au, i.e., our esteemed friends in Australia. Hmm, I thought, why not check Linux Users of Victoria?

$ whois luv.asn.au | more
Domain Name:             luv.asn.au
Last Modified:           Never Updated
Registrar ID:            R00016-AR
Registrar Name:          Connect West
Status:                  OK

Registrant:              Linux Users of Victoria Inc.
Registrant ID:           None given

Eligibility Type:        Other

Registrant ROID:         C0793852-AR
Registrant Contact Name: THE MANAGER
Registrant Email:        Visit whois.ausregistry.com.au for Web based WhoIs

Tech ID:                 C0793854-AR
Tech Name:               Stuart  Young
Tech Email:              Visit whois.ausregistry.com.au for Web based WhoIs

Name Server:             black-bean.cyber.com.au
Name Server IP:          203.7.155.4
Name Server:             ns2.its.monash.edu.au
Name Server IP:          130.194.7.99
Name Server:             core1.amc.com.au
Name Server IP:          203.15.175.32
Name Server:             lists.luv.asn.au
Name Server IP:          203.123.80.10

Hullo? Where’s the expiration data? Turns out, none of .au offers that information via WHOIS. Nor does the public whois information browsable at the indicated Web host. What?

Well, upon inquiry, I was enlightened: It’s deemed a privacy issue, and Australians using .au domains presumably suffer fewer domain snatches, and similar abuses. The same appears to be true in .de (Germany) and some others. Presumably, domain owners (as opposed to the general public) can look up their own domains’ expiration data via their logged-in individual domain records, in addition, of course (in theory), to getting notification of upcoming expirations. On the downside, TLDs that conceal that data from the public prevent public-spirited neighbours from helping warn domain owners notice upcoming problems, keep people from planning for legitimate opportunities to re-register domains their owners no longer want, etc.

(By the way, if you are really serious about protecting your privacy as a domain holder, .au doesn’t really qualify. .to (Kingdom of Tonga) is among the few that do.)

However, it gets stranger: There are particular country-code domains (I won’t name names) where expiration data is available, and open to the public, but appears not to matter. That is, you’ll find what appears to be a good test case, notice that its expiration date of record is three years ago, and then notice that the domain still works, anyway.

Your mileage may differ, but, for me, that was a culture shock: In my sadly clock-driven, Westernised existence, Internet domain expiration is a real calamity: Your domain’s DNS stops working within a day (if not instantly), and you may or may not even be allowed to buy it back (re-register or renew it) at all. If you are, it may involve a ghastly “Sorry, you were asleep at the wheel” surcharge.

Some TLDs, evidently, just aren’t like that, so domain-check may address a non-problem for domains in your national TLD. It’s up to you to check, I suppose.

My prototype setup of domain-check runs via a weekly cronjob that runs every Sunday night, and e-mails me a notice about which domains, among the roughly 150 I have domain-check monitor, are now within 90 days from expiration, plus a separate one about what domains, if any, have already expired. You might ask, armed with that weekly briefing, what do I do? That brings us to:

The Difficult Part

This might be you: You own a domain you care considerably about, but every year, like clockwork, you put off renewal until the last minute, to “get the most for your money”. You pay for only one extra year at a time, not three or four, for the same reason. Maybe you dislike your current registrar (in TLDs like com/org/net where a choice is offered), but never move your domain because that would require sending more money, and you have a vague notion that, some year, you’ll move registrars right around the time of your next renewal. Maybe you literally wait until the final day, and panic and shout on the telephone to your registrar if there’s a hitch, until your renewal goes through. You’re now reading this article and realise I’m about to tell you you’re being foolish, but nothing’s going to change your mind, let alone your habits.

Why is that foolish behaviour? Because every bit of that attitude greatly increases the risk of accidental expiration. You should, actually, consider moving to a better registrar at any time, and not wait, because competing registrars almost all credit you for the full time remaining at your prior registrar, upon your domain’s arrival. That is, if you have 100 days remaining at Registrar A when you initiate a transfer to Registrar B (and pay the latter for a year of service), you start with 365 + 100 days on your domain’s expiration clock. So, you lose nothing at all. The bank interest you save by buying only one year in advance instead of 3-4 is absolutely negligible compared to the painful cost of recovering from accidental expiration (where that is possible), not to mention the transaction cost of swooping in and continually renewing annually to “save money” (let alone the cost of doing that mere days or hours before expiration, as many do).

I might be able to convince you, the reader, that the above syndrome is unwise, but I won’t convince your friends or the organisations you care about — whose domains you might want to watch over. Which brings us back to the question: Armed with the knowledge that someone’s domain expiration is imminent, what do you do about it?

Several non-technical problems become evident, as one attempts to look after friends’ domains — and I really should have realised that the technical challenges of writing and debugging domain-check would be the iceberg’s tip, but didn’t:

  • The dangerous lure of last-minute renewal syndrome is widespread. Even after reaching the right person, saying “Dude, your domain’s three days from expiration”, and getting acknowledgement, the owner may not care. Oh well, it’s his/her funeral. At least you tried.
  • Increasingly among registrars, there’s something called “auto-renew” on domain registrations: The registrar accepts credit-card data from the owner, and then at some number of months, weeks, or days from expiration (sometimes, three or more scheduled attempts) tries to charge the credit card for a year’s fee, without the need for an explicit renewal action from the owner. Registrars like the customer-retention effect of this setup, so it is often the default arrangement (e.g., at Dotster). At least one major registrar reportedly carries out the auto-renew attempt only on a covered domain’s day of expiration, and never before. Problem: From your perspective as a sympathetic watcher of someone else’s domain, you have no idea if an auto-renew is likely or not, so you cannot easily distinguish a domain on auto-renew from one at risk.
  • Most perniciously, there is the syndrome of broken communication, which I’ll detail below.
  • Last, don’t forget, not all domain expirations are unintended.

Imagine a Linux user group, or a science fiction fan association that puts on an annual convention, or some other similar group that relies on an Internet domain. You’re trying to get their attention to an upcoming expiration. Domain matters are probably delegated to someone technical who’s believed to be handling them. The people who run the group generally are most often other people, who may not understand domain matters at all, and may assume, if you ask them about it, that you must be referring to the Web site, will forward your mail to the HTML guy / webmaster / hosting company / listadmin, and will never realise their category error.

The domain guy may be gone from e-mail for a month. He/she might have believed the responsibility was taken over by somebody else. The contact e-mail addresses shown in WHOIS for the domain may be wrong or outdated, or just unmonitored. Your warning e-mails might be mistaken as spam or a sales solicitation (strangers showing concern seems outlandish to many), and blackholed or ignored. Or everyone in the group might be assuming someone else is taking care of it. Or maybe their mail server is misconfigured or otherwise mishandling or misrouting some or all incoming mail about the domain.

Ultimately, this isn’t your problem — sufficiently hapless organisations’ negligence will cause them loss despite even heroic efforts to help, and that can’t be helped — but it’s nice to know the most common failure modes.

If you see a domain’s days remaining rapidly approaching zero, and nothing’s happening, one of four explanations logically applies:

  • It’s set to auto-renew, on or near the last day, “but thanks for letting us know”.
  • The owner specifically intends to let it expire, actually, “but thanks for caring”.
  • The owner’s stuck in a deliberate, conscious case of last-minute syndrome.
  • The registrar’s various reminder attempts (if any) have failed completely or failed to reach the right, motivated party, for some reason as yet undetermined, and everyone’s otherwise asleep at the wheel. (Registrars make mistakes. Also, domain contact information has been known to get corrupted, changed in error, hijacked / misappropriated, etc.)

As the concerned outsider, your main worry is the last scenario, which is the classic domain-loss one — which is relevant to the current question, of what you do with your knowledge of the impending expiration. The naive answer is: “Look in WHOIS, find the listed domain contacts, send them “Dude, you need to renew your domain” e-mail, check that domain off your list, and pat yourself on the back for being a good neighbour.

That’s naive because, odds are, that’s exactly what the registrar did, and it didn’t work. Thus, you may want to be a little creative about whom to contact, and how. E.g., look on the Web site for maintained information about who currently runs the group. Bear in mind that he/she/they may not, initially, know what you’re talking about (e.g., fob you off on the webmaster). Ask politely that someone in charge send you wording like “Thanks, we know about it”, mention that you’ll cease pestering them when that happens, and keep following up at intervals.

Be really, really diplomatic. Your queries may, themselves, cause a political kerfuffle within domain-owning groups, and cause considerable unintended irritation. People will get bothered, often despite being the wrong people to bother (e.g., the webmaster), and may get cranky. A harassed domain-admin may write back and say “It’s on auto-renew, jerk.” Don’t be offended. Stress that you didn’t know, and merely want to help them avert mishaps. From time to time, you just might get lucky and hear “Thank you.”

Anyway…

I should stress that my cronjob was the result of only a few minutes’ work, shortly before penning the initial draft of this article. It wouldn’t be difficult to write a less-feeble shell script to do slightly more useful notifications, e.g., tailored e-mail warning texts at the 90, 60, and 30-day marks, with each being sent to groups of people appropriate to each domain, rather than all notifications being sent just to one person for all domains monitored.

However, as is so often the case with system administration, perfectionism is not your friend: Waiting around to do this job right had already caused me to delay some months from doing even this much, while I pondered the problem — and in the meantime a volunteer group I know (but will not name here) was obliged to spend about US $500 to ransom its domain back. Ouch and damn.

Moral: Do the 80% solution, the one that avoids disaster, today. Don’t be proud.

And don’t be a single point of failure, either. I’m encouraging all my ‘Nix-using (including, without prejudice, MacOS X) friends to run this thing, and help out with redundant, overlapping checks, too.

How about you? The domain you save from disaster probably won’t be your own, but it could easily be one you care about dearly, or that a friend cherishes.

Alternatively, you could think of this as your best shot at ruining a domain squatter’s day. Either way, it’s awfully good news for decent folk.

Popularity: 11% [?]

WP Theme & Icons by N.Design Studio
Entries RSS Comments RSS Login