Just wanted to add that given the circumstances ARIN felt it was necessary to
warn those using MAIL_FROM validation from publicly published addresses. ARIN
is open to receiving suggestions through the ARIN ACSP process if people have
other approaches to suggest.

On 12/1/22, 2:37 PM, "ARIN-PPML on behalf of Jon Worley" 
<arin-ppml-boun...@arin.net on behalf of j...@arin.net> wrote:

    Hi Frank,

    I'll start by defining "authorized users" as any web user who's linked to a
    point of contact handle that's specified as an administrative or technical
    contact on your Org ID.

    The only way to prevent processing of templates (1) and API calls (2) is to
    make sure no authorized user has an active API key (a shared secret generated
    and put into the template/call to identify the user). You can't directly do
    this. You can't view each authorized user and confirm they have no active API
    keys; you'd have to set a policy that asks that no authorized user has an
    active API key. There's also no switch to disable API keys. Were you to do
    this, the only way authorized users could do things would be via the web site
    (3). Again, though, you'd have to enforce this on your side. That being said,
    if you trust your authorized users to not create API keys, this would somewhat
    accomplish what you're asking to do.

    A note: you CAN prevent processing of email templates based solely on
    MAIL-FROM by asking your authorized users not to add an email address to an
    active API key. Again, enforced by you. Note also that there's no requirement
    to have personal contact information publicly visible. You may have all points
    of contact be role contacts; each user can then link to those role contacts.
    The web account contact information is not publicly visible.

    There is no way to prevent authorized users from making changes via the web
    site (3). You'd have to remove them as an authorized user to stop them from
    making changes via the web.

    Now, a caveat: we do have contact types other than admin/tech that can
    restrict authorization. Abuse and NOC contacts are display-only; web users
    linked only to those contacts cannot do anything other than edit their own
    contact information. They're just publicly displayed with your records. We also
    have routing contacts and DNS contacts which are restricted to actions related
    to routing (IRR, RPKI, etc.) and DNS (rDNS, DNSSEC, etc.) respectively. The same
    restrictions as noted above apply; this just limits the sphere of authorized
    actions to routing/DNS.

    Hope that answers your questions. We left a message with a callback number
    in case you want to set up a call to discuss further.

    Thanks & best regards,

    Jon Worley
    Senior Technology Architect
    American Registry for Internet Numbers (ARIN) 

    On 11/30/22, 11:35 AM, "ARIN-PPML on behalf of Frank Bulk"
    <arin-ppml-boun...@arin.net on behalf of frnk...@iname.com> wrote:

        We received an email today about the risk of using an email address that is
        publicly visible in WHOIS for our registered MAIL FROM authentication email
        address.

        Is there a way to turn off/turn on the following options:
        1. email templates for changing records
        2. API
        3. ARIN web GUI

        Regards,

        Frank Bulk
        Premier Communications 

        _______________________________________________
        ARIN-PPML
        You are receiving this message because you are subscribed to
        the ARIN Public Policy Mailing List (ARIN-PPML@arin.net).
        Unsubscribe or manage your mailing list subscription at:
        https://lists.arin.net/mailman/listinfo/arin-ppml
        Please contact i...@arin.net if you experience any issues.
