Jayson Smith writes:
> I've recently been playing with the OpenARC milter for Sendmail.
IIRC, OpenARC is the sample implementation by the ARC developers. It
should be robust. Mailman uses a different implementation based on
Python. (You should use an MTA-based implementation if it works
Hi,
I've recently been playing with the OpenARC milter for Sendmail. I have
it running, and it seems to be working properly, except for one thing.
When a message is sent to one of my Mailman 2 lists, OpenARC adds an ARC
set to the incoming message before it ever hits Mailman. Then the
Jordan Brown writes:
> Wasn't this in the context of signature-checking schemes that detect
> forged origin metadata?
Context, yes. The question is did Intuit need extreme accuracy for
that? Maybe they did, but I see no evidence for that need.
Intuit was not a financial intermediary. It
On 7/26/2018 9:19 PM, Stephen J. Turnbull wrote:
> Jordan Brown writes:
>
> > Well, yeah, but to provide such a service in a way that has any
> > resemblance to being secure, Intuit *must* have some secret that allows
> > it to send mail "from" those subdomains. If Intuit doesn't need such a
>
Grant Taylor via Mailman-Users writes:
> On 07/25/2018 03:53 AM, Stephen J. Turnbull wrote:
> > That's not how "on behalf of" worked in practice. What happened in April
> > 2014, was that a home business owner (HBO) would send a pile of completed
> > order notices to intuit.com, and
Jordan Brown writes:
> Well, yeah, but to provide such a service in a way that has any
> resemblance to being secure, Intuit *must* have some secret that allows
> it to send mail "from" those subdomains. If Intuit doesn't need such a
> secret, then anybody could send mail like that.
Sure,
John R Levine writes:
> Large mail systems already know where all the mailing lists are.
Hm. Well, that may be true for Google et al, but the systems at my
employer regularly mark internal business mail as "possible spam",
occasionally mark it as "almost certainly spam", and pass through
> As I said a few messages ago, if lists did more stringent tests on
> incoming mail, a lot of this complexity could be avoided,
I don't understand this. If lists got a pass, every spam would grow
RFC 2369 header fields. No?
Large mail systems already know where all the mailing lists are.
On 7/25/2018 2:53 AM, Stephen J. Turnbull wrote:
> Note that if I were intuit.com's CISO, I would fight tooth and nail
> against the system you suggest, because it implies that I have DKIM
> private keys for all those subdomains owned by clients. Every spammer
> in the world would be trying to
On 07/25/2018 03:53 AM, Stephen J. Turnbull wrote:
That's not how "on behalf of" worked in practice. What happened in April
2014, was that a home business owner (HBO) would send a pile of completed
order notices to intuit.com, and intuit.com would send an invoice to each
customer on behalf of
John Levine writes:
> As I said a few messages ago, if lists did more stringent tests on
> incoming mail, a lot of this complexity could be avoided,
I don't understand this. If lists got a pass, every spam would grow
RFC 2369 header fields. No? So ISTM the received chain needs to be
Grant Taylor via Mailman-Users writes:
> I would think / hope / expect that such services would be from a
> different (sub)domain of the client that they are sending email on
> behalf of.
That's not how "on behalf of" worked in practice. What happened in
April 2014, was that a home
On 07/22/2018 11:02 PM, Stephen J. Turnbull wrote:
You're misunderstanding. The ARC community doesn't discourage
whitelisting other sites. The work to do whitelisting does.
Thank you for clarifying Stephen. I was afraid that you were somehow
implying that there was some sort of guideline
In article
you write:
>On Sun, Jul 22, 2018 at 3:18 PM Grant Taylor via Mailman-Users <
>mailman-users@python.org> wrote:
>
>> On 07/21/2018 02:24 PM, John Levine wrote:
>> > I know people working on whiteish lists to use with ARC, to say that
>> > these domain are known to host real mailing
On Sun, Jul 22, 2018 at 3:18 PM Grant Taylor via Mailman-Users <
mailman-users@python.org> wrote:
> On 07/21/2018 02:24 PM, John Levine wrote:
> > I know people working on whiteish lists to use with ARC, to say that
> > these domain are known to host real mailing lists so you should believe
> >
Grant Taylor via Mailman-Users writes:
> I'm questioning why domains that do use ARC headers that don't run
> mailing lists should not be white listed.
You're misunderstanding. The ARC community doesn't discourage
whitelisting other sites. The work to do whitelisting does. Mailing
lists
On 07/22/2018 02:05 PM, John Levine wrote:
Every domain added to a whitelist like this involves manual work.
Yes.
Why would you waste time on domains that aren't likely to send mail with
ARC headers?
I'm not suggesting wasting time on domains that wouldn't send ARC headers.
I'm
In article <1fb88a39-0acd-f34f-c504-9eb217a75...@spamtrap.tnetconsulting.net>
you write:
>Is there some place that I can find out more about these people and / or
>their projects?
See the archives of the ARC mailing lists.
>Aside: What does hosting mailing lists or not have to do with
On 07/21/2018 02:24 PM, John Levine wrote:
I know people working on whiteish lists to use with ARC, to say that
these domain are known to host real mailing lists so you should believe
their ARC assertions.
Is there some place that I can find out more about these people and / or
their
In article
you write:
>On 07/19/2018 05:27 PM, Mark Sapiro wrote:
>> The problem is downstream has to trust me. If I'm gmail.com, I'll probably
>> be trusted. If I'm msapiro.net, probably not. Python.org, who knows.
>
>Yep.
>
>I've not yet seen any indication that there will be any good way to
20 matches
Mail list logo
