On 29/12/2021 1:35 pm, Noel Butler via mailop wrote:

On 29/12/2021 03:50, Jaroslaw Rafa via mailop wrote:



It is Roundcube that is actually connecting to Dovecot/Postfix and
receiving/sending mail, not the user's browser, so the connecting IP that
Dovecot/Postfix gets is technically correct. No need to change it. On the
other hand, user's browser is talking HTTP to Roundcube, and Roundcube knows
its IP address, so Roundcube is the point where restrictions should be
enforced, not Dovecot/Postfix.


Agreed, dovecot doesn't know - nor care - if it's kmail, evolution, thunderbird, outlook, RC, imapproxy, or some other client, it's not its job to care.

RC has rcguard which works well, and as mentioned by another poster there is always fail2ban.

Frankly, I don't see any problem that needs addressing, and I guess neither do the RC team if this is as is claimed a "long standing" issue for a small minority.

As to the anti privacy brigade, suck it up, we are network operators, if we want to know who they are, we can, just means we have to multitask looking at two logs, I mean FFS, how hard is that, you already do this tracking local spammers' actions and then looking them up in CRM or radius, or some other database.

Get over it.


A bit harsh.

I use Roundcube myself and as a /user/ of the software, it hadn't occurred to me that, much like Gmail, people who send emails using this webmail tool have /full anonymity/ (except, of course, from the service operator).

In the case of Gmail we know that it's simply too big to police effectively, so we see a lot of malicious email come from Gmail accounts and there's nothing that the recipient can do to identify the /actual/ source. We can report it to Google and hope they do something with it (black hole, never a response to a report) and whilst I'm sure a small percentage of people are diligent in doing this, the vast majority will never bother.

Similarly if you're a /good/ mail platform operator, you won't have a problem with cross-referencing two logs (as you say) but from the recipient's perspective, all they have is the details of the server that generated the email... they're relying on your good practices to ensure that something will come of a spam report they may place.

So your attitude is fine if you're a /good/ platform operator /and the victim knows this/.  ... or the victim will decide there's not enough incentive to report, and will remain a victim, and you (for all your good intentions) could remain oblivious to a spammer (or compromised account) in your midst.  Much as I'm sure Google are.  (And Google have the added advantage of being too-big-to-block... and whilst I'm sure they are doing /something/ about abuse reports filed with them... there's little evidence of this to an end-user/victim...)

I for one look forward to Roundcube building in the option to have the web IP included in headers, but I'm small enough fry that it's probably not a problem for me... after all I'm not the victim here. But with a victim's perspective in mind, feels like it'd be nice to show some public accountability. (And your IP address shouldn't be treated as PII kid-gloves... you expose it every time you access network resources)

Mark.
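
The two-log cross-reference discussed in this thread, as an added example that is not part of any poster's message: given the queue ID from an abuse report, it finds the webmail logins that could have produced that submission. The log lines are constructed and both formats, the function names and the two-hour session window are assumptions; the match is a time-window heuristic, so every candidate browser IP is returned, newest first.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines; both formats are assumptions, adapt the regexes to your logs.
WEBMAIL_LOG = """\
[29-Dec-2021 13:02:44 +0000]: <k3f9> Successful login for bob@example.org (ID: 7) from 198.51.100.23 in session k3f9
[29-Dec-2021 13:30:11 +0000]: <a81c> Successful login for alice@example.org (ID: 5) from 203.0.113.7 in session a81c
[29-Dec-2021 13:33:50 +0000]: <d02e> Successful login for alice@example.org (ID: 5) from 192.0.2.99 in session d02e
"""
MTA_LOG = """\
2021-12-29T13:31:05+00:00 mx postfix/submission/smtpd[2211]: 4JnQ2x1abc: client=localhost[127.0.0.1], sasl_method=PLAIN, sasl_username=alice@example.org
2021-12-29T13:35:02+00:00 mx postfix/submission/smtpd[2290]: 4JnQ7k9xyz: client=localhost[127.0.0.1], sasl_method=PLAIN, sasl_username=alice@example.org
2021-12-29T18:40:00+00:00 mx postfix/submission/smtpd[2400]: 4JnZ1m2qrs: client=localhost[127.0.0.1], sasl_method=PLAIN, sasl_username=bob@example.org
"""

LOGIN_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]: <\w+> Successful login for (?P<user>\S+) "
                      r"\(ID: \d+\) from (?P<ip>\S+) in session")
SUBMIT_RE = re.compile(r"^(?P<ts>\S+) \S+ postfix/submission/smtpd\[\d+\]: (?P<qid>\w+): "
                       r"client=\S+, sasl_method=\S+, sasl_username=(?P<user>\S+)$")

def parse_logins(text):
    # Webmail side: (login time, account, browser IP) for each successful login.
    out = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S %z")
            out.append((ts, m["user"], m["ip"]))
    return out

def parse_submissions(text):
    # MTA side: queue ID -> (submission time, authenticated account).
    subs = {}
    for line in text.splitlines():
        m = SUBMIT_RE.match(line)
        if m:
            subs[m["qid"]] = (datetime.fromisoformat(m["ts"]), m["user"])
    return subs

def browser_ips_for(qid, logins, subs, max_session=timedelta(hours=2)):
    # Candidate browser IPs: same account, logged in before the submission
    # and within the assumed session window. Newest login first.
    if qid not in subs:
        return []
    sent, user = subs[qid]
    hits = sorted(((ts, ip) for ts, u, ip in logins
                   if u == user and ts <= sent and sent - ts <= max_session), reverse=True)
    return [ip for _, ip in hits]
```

More than one IP in the result means the account had overlapping sessions and the logs alone cannot say which one sent the message.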