tlhackque writes:

> So you know exactly who your users are, and can pre-register them
> while they are not in China.

No. China may, or may not, block any given email provider without warning. They may need to provide a new address *from that address* (or their mother's, which I also don't know). If I can figure out how they can use X.509 auth with mail or thru the web, that will do the trick for authentication, of course. I might use fwknop to conceal authenticated services.

> Geographic IP address is the wrong hammer for this nail.

Yes, I understand that. Tell it to Chairman Xi, please.

> GeoIP will never get you down to the level of granularity and accuracy
> that you want.

Sure it will. If I can block 95% of Chinese attempts to connect on SYN, that's a win.

> Even if it did, people with phones move - apartment, coffee shop,
> etc.

Whether that means they'll be out of the geographic area allowed depends on how the provider allocates IP addresses.

> And in your scenario, you can block all of China, since you can
> register your students while they are at your school (which
> presumably is not in China).

It's not, but no, I'm not sure I can, for the reason given above.

> So use the registration website to issue an X.509 certificate,
> register a hardware token, issue fwknop key - whatever you choose
> as your token (credential). Then use that token to protect routine
> access to the mailman web ui AND mail servers.

I know how to issue such things, or can find out. What I don't know how to do is enable devices to use them, and whether I can configure once, or teach students to do it. I also wonder what Chinese immigration authorities would think of a fwknop app on an iPhone....

> Even if you don't have a native MUA, you can provide a web-based e-mail
> account on your server for your users - e.g. squirrelmail, roundcube,
> etc.

That's a last resort. They won't use that account frequently (if at all), which really counts against it. I would want something that they use under normal circumstances that they're used to, and have some idea how to configure on a new phone, etc.
> Mobile web browsers certainly support x.509 client auth.

This seems like the route to go, then. Use a nonstandard port to screen out the dumbest kiddies, or maybe fwknop.

> Issue their keys before they go home, and you're done. Optionally,
> provide some form of recovery/reissue for the "I lost my phone" case.

I'm not sanguine about "issue keys and you're done". There are users in the loop, and they're not terribly security-savvy. I'm not saying it's insanely difficult, but the system would be an unfamiliar one that is a SPOF. The recovery/reissue feature wouldn't be optional: the trips I'd be worrying about would be on location data-gathering trips.

> In any case, I think we've probably exhausted the patience of
> mailman-users since we're off into the general problem of keeping
> our servers alive in the jungle...

Well, the considerations of dealing with user-hostile environments like the Great Firewall are pretty special, but the jungle *is* general. I.e., it applies to Mailman servers too. I don't know anybody who runs a list who doesn't run into abuse from time to time.

Thanks for the ideas and software suggestions!

Steve

------------------------------------------------------
Mailman-Users mailing list
[email protected]
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: https://mail.python.org/mailman/options/mailman-users/archive%40jab.org
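The "X.509 client auth in front of the Mailman web UI, on a nonstandard port" route discussed above, as an added example that is not part of the thread or of Mailman itself: an nginx reverse-proxy server block that refuses the TLS handshake unless the browser presents a certificate issued by the school's own CA. The hostname, port, file paths and the upstream address are assumptions; the CRL line is what makes the "I lost my phone" reissue case work, since the old certificate must be revoked rather than just replaced.

```nginx
# Added example, not from the mailing-list thread: nginx in front of Mailman's
# web UI, requiring a client certificate from the registration site's CA.
# All names, ports and paths below are assumptions.
server {
    listen 8443 ssl;                  # nonstandard port, as the reply suggests
    server_name lists.example.edu;    # assumed hostname

    ssl_certificate     /etc/ssl/lists/server.crt;   # assumed path
    ssl_certificate_key /etc/ssl/lists/server.key;   # assumed path

    # Trust only the CA the registration website uses to issue student certs;
    # public CAs must not be in this bundle, or any purchased cert would pass.
    ssl_client_certificate /etc/ssl/lists/student-ca.crt;  # assumed path
    ssl_verify_client on;             # no valid client cert -> handshake fails
    ssl_verify_depth 1;               # certs must be signed directly by that CA

    # Revocation list regenerated whenever a lost phone's cert is reissued.
    ssl_crl /etc/ssl/lists/student-ca.crl;                  # assumed path

    location / {
        proxy_pass http://127.0.0.1:8000;   # assumed Mailman web UI upstream
        # Pass the verified subject DN so the UI can log who connected.
        proxy_set_header X-Client-DN $ssl_client_s_dn;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $host;
    }
}
```

Because `ssl_verify_client on` rejects unauthenticated clients during the handshake, the Mailman UI is never reachable without a certificate, which is the property the thread wants; a client with a certificate from any other issuer is refused the same way, so the CA file should contain only the school's issuing CA.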
