[CentOS] DMARC test , please ignore (eom)

2018-06-17 Thread Fabian Arrotin via CentOS


___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Passwords in plain text

2018-06-17 Thread Fabian Arrotin
On 17/06/18 18:11, Michael Hennebry via CentOS wrote:
> Methinks the rewriting was done badly.
> I'm guessing that this will go to the entire list,
> but I am not sure.  I should be sure.
> This is what alpine shows me:
>> From: Leon Fauster via CentOS 
>> Reply-To: Leon Fauster ,
>>     CentOS mailing list 
>> To: Johnny Hughes ,
>>     CentOS mailing list 
> 
> 

Yes, that's because initially (in emergency when the issue was
discovered last Friday), the mailman "from_is_list" was changed from
"no" to "munge_from", which solved the initial issue when all people
were subscribed again.

Now I've put it back to "no", as there are other settings that were
backported to the .el7 mailman version (so from upstream 2.1.18 to
mailman-2.1.15-26.el7_4.1.x86_64) and from today, here are the settings
that were adapted:

dmarc_moderation_action  "munge from"
dmarc_quarantine_moderation_action : "yes"

So that means that for people without any DMARC policy set to either
p=quarantine or p=reject, nothing will be changed in the headers, so
as before.
And for impacted originator domains with such DMARC policy, the
"from" will be adapted, so still let the mail being processed and
delivered, but without a risk of being rejected/bounced by mail servers
implementing such DMARC checks.

Let's see how that goes during the day


-- 
Fabian Arrotin
The CentOS Project | https://www.centos.org
gpg key: 56BEC54E | twitter: @arrfab
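
The From-munging decision described in the message above, as an added example that is not part of the original post and is not Mailman's own code. The setting names come from the message; the string values, the `.example` domains, their DMARC records and the list address are constructed assumptions, and the Reply-To handling is a simplified model.

```python
from email.message import EmailMessage
from email.utils import parseaddr, formataddr

# Constructed DMARC TXT records for illustration (not real DNS answers).
SAMPLE_DMARC = {
    "strict.example": "v=DMARC1; p=reject; rua=mailto:agg@strict.example",
    "careful.example": "v=DMARC1; p=quarantine; pct=100",
    "monitor.example": "v=DMARC1; p=none",
}

def dmarc_policy(record):
    """Return the p= tag of a DMARC TXT record, or None if absent/invalid."""
    if not record:
        return None
    tags = dict(
        (k.strip().lower(), v.strip().lower())
        for k, _, v in (part.partition("=") for part in record.split(";"))
        if k.strip()
    )
    if tags.get("v") != "dmarc1":
        return None
    return tags.get("p")

def should_munge(policy, from_is_list="no",
                 dmarc_moderation_action="munge_from",
                 dmarc_quarantine_moderation_action=True):
    """Model of the list settings named in the message (values assumed)."""
    if from_is_list == "munge_from":
        return True  # emergency setting: every post is rewritten
    if dmarc_moderation_action != "munge_from":
        return False
    if policy == "reject":
        return True
    return policy == "quarantine" and dmarc_quarantine_moderation_action

def apply_list_policy(msg, list_name, list_addr, **settings):
    """Rewrite From only when the author's domain policy requires it."""
    name, addr = parseaddr(msg["From"])
    domain = addr.rpartition("@")[2].lower()
    policy = dmarc_policy(SAMPLE_DMARC.get(domain))
    if should_munge(policy, **settings):
        del msg["From"]
        msg["From"] = formataddr((f"{name or addr} via {list_name}", list_addr))
        del msg["Reply-To"]  # simplified: replaces any existing Reply-To
        msg["Reply-To"] = formataddr((name, addr))
    return msg
```

With the defaults, only posts from `p=reject` or `p=quarantine` domains get a rewritten From; passing `from_is_list="munge_from"` reproduces the emergency setting, under which every post is rewritten.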





Re: [CentOS] Passwords in plain text

2018-06-17 Thread Alice Wonder via CentOS

On 06/17/2018 09:11 AM, Alice Wonder via CentOS wrote:

On 06/17/2018 08:52 AM, Michael Hennebry via CentOS wrote:

I'm pretty sure I messed up attributions, so am deleting them.


I believe this is a DMARC issue. Yahoo, among other places, has set
their dmarc records to p=reject:



So, if your mail hosting provider enforces dmarc, (gmail does) and you
get mail from a list that doesn't rewrite the headers, and people
from places like yahoo post to the list, you'll likely get some form
of warning about being kicked off the mailing list every now
and then. The frequency depends on how often people from p=reject
places post, and what the settings are for bounce handling of the
mailing list in question.



This is indeed what happened.  An email from yahoo.com.uk caused gmail
to reject all the mails sent by that user because of the yahoo DMARC
settings.


Say it isn't so: *An* e-mail, just *one* from yahoo.com.uk
caused every gmail user to have his account disabled.

I'd heard of the DMARC thing with mailing lists before,
but had not known it enabled single e-mails of mass destruction.


I run dmarc on my mail server but only in report mode, it doesn't reject.

I did it as a test (for years) and am fully convinced that dmarc is
worthless for real world protection.

Numerous mail lists out there are configured in such a way that dmarc
gets triggered and that just isn't going to change.

It's a neat idea but it's not backwards compatible with the way SMTP
already works.

I can not recommend its use. I do recommend mail server software update
if possible to be compatible but I just can not recommend mail servers
enforce dmarc.

DKIM is a good thing, but dmarc breaks things too badly.

Even DKIM though is of limited usefulness - it seems the spammer
blacklists don't really care. Even with proper DKIM signature on a
domain with correct reverse DNS set up for years, they will still add
you to the spam blacklist if any other host on your subnet is identified
as a spammer.

So even the blacklists don't really utilize this anti-spam anti-spoof
technology, which makes it kind of worthless.

Using DKIM as one of several factors in spamassassin though is possibly
helpful, though most spammers these days have a validating DKIM sig.




Let me put it this way - in the several years of running dmarc in report 
only mode, over 99% of reported violations are false positives from mail 
lists.


That high of a false positive rate tells me it is broken technology.


Re: [CentOS] Passwords in plain text

2018-06-17 Thread Michael Hennebry via CentOS

Methinks the rewriting was done badly.
I'm guessing that this will go to the entire list,
but I am not sure.  I should be sure.
This is what alpine shows me:

From: Leon Fauster via CentOS 
Reply-To: Leon Fauster ,
CentOS mailing list 
To: Johnny Hughes ,
CentOS mailing list 



--
Michael   henne...@web.cs.ndsu.nodak.edu
"Sorry but your password must contain an uppercase letter, a number,
a haiku, a gang sign, a hieroglyph, and the blood of a virgin."
 --  someeecards


Re: [CentOS] Passwords in plain text

2018-06-17 Thread Alice Wonder via CentOS

On 06/17/2018 08:52 AM, Michael Hennebry via CentOS wrote:

I'm pretty sure I messed up attributions, so am deleting them.


I believe this is a DMARC issue. Yahoo, among other places, has set
their dmarc records to p=reject:



So, if your mail hosting provider enforces dmarc, (gmail does) and you
get mail from a list that doesn't rewrite the headers, and people
from places like yahoo post to the list, you'll likely get some form
of warning about being kicked off the mailing list every now
and then. The frequency depends on how often people from p=reject
places post, and what the settings are for bounce handling of the
mailing list in question.



This is indeed what happened.  An email from yahoo.com.uk caused gmail
to reject all the mails sent by that user because of the yahoo DMARC
settings.


Say it isn't so: *An* e-mail, just *one* from yahoo.com.uk
caused every gmail user to have his account disabled.

I'd heard of the DMARC thing with mailing lists before,
but had not known it enabled single e-mails of mass destruction.


I run dmarc on my mail server but only in report mode, it doesn't reject.

I did it as a test (for years) and am fully convinced that dmarc is 
worthless for real world protection.


Numerous mail lists out there are configured in such a way that dmarc 
gets triggered and that just isn't going to change.


It's a neat idea but it's not backwards compatible with the way SMTP 
already works.


I can not recommend its use. I do recommend mail server software update 
if possible to be compatible but I just can not recommend mail servers 
enforce dmarc.


DKIM is a good thing, but dmarc breaks things too badly.

Even DKIM though is of limited usefulness - it seems the spammer 
blacklists don't really care. Even with proper DKIM signature on a 
domain with correct reverse DNS set up for years, they will still add 
you to the spam blacklist if any other host on your subnet is identified 
as a spammer.


So even the blacklists don't really utilize this anti-spam anti-spoof 
technology, which makes it kind of worthless.


Using DKIM as one of several factors in spamassassin though is possibly 
helpful, though most spammers these days have a validating DKIM sig.




Re: [CentOS] Passwords in plain text

2018-06-17 Thread Michael Hennebry via CentOS

I'm pretty sure I messed up attributions, so am deleting them.


I believe this is a DMARC issue. Yahoo, among other places, has set
their dmarc records to p=reject:



So, if your mail hosting provider enforces dmarc, (gmail does) and you
get mail from a list that doesn't rewrite the headers, and people
from places like yahoo post to the list, you'll likely get some form
of warning about being kicked off the mailing list every now
and then. The frequency depends on how often people from p=reject
places post, and what the settings are for bounce handling of the
mailing list in question.



This is indeed what happened.  An email from yahoo.com.uk caused gmail
to reject all the mails sent by that user because of the yahoo DMARC
settings.


Say it isn't so: *An* e-mail, just *one* from yahoo.com.uk
caused every gmail user to have his account disabled.

I'd heard of the DMARC thing with mailing lists before,
but had not known it enabled single e-mails of mass destruction.


We have now set the mailing list to rewrite headers.  That also has set
the From: of the email to the Mailing list and not the Original Author.
The author is moved to the CC: block and you can still easily see who
sent it and my email client (thunderbird) still does things the same way
(reply to list sends to the list, reply sends to the  original author).


I'm truly amazed that rewriting headers is not the default.

--
Michael   henne...@web.cs.ndsu.nodak.edu
"Sorry but your password must contain an uppercase letter, a number,
a haiku, a gang sign, a hieroglyph, and the blood of a virgin."
 --  someeecards