Re: [courier-users] Re: freemail list and questions about yahoo...

2004-01-06 Thread Gordon Messmer
Sam Varshavchik wrote:

> Provided that they will follow through on their promise, and they don't
> do something stupid, like using a trusted authority certificate model,
> this is going to be the final solution. freemail is just a temporary
> stop-gap measure.
>
> http://edition.cnn.com/2003/TECH/internet/12/05/spam.yahoo.reut/

Acknowledging that my opinion isn't worth much, this seems stupid.  As
described, the solution would require all of the work that SPF does
(http://spf.pobox.com/), plus additional computation.  What's the
additional check get you?

Am I missing something, or is this going to be a stupid standard that 
gets used only because it's backed by enough money?



---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id78alloc_id371op=click
___
courier-users mailing list
[EMAIL PROTECTED]
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users


[courier-users] Re: freemail list and questions about yahoo... YAHOO.COM doesn't work?

2004-01-06 Thread Sam Varshavchik
Andrew Newton writes:

> Sam Varshavchik wrote:
>
> > Reverse, and forward.
>
> So why is web60006.mail.yahoo.com not being seen as in yahoo.com?

Most likely there was a temporary DNS resolution failure.





[courier-users] Re: freemail list and questions about yahoo... YAHOO.COM doesn't work?

2004-01-06 Thread Sam Varshavchik
Mitch (WebCob) writes:

> Sam said:
>
> > Mitch (WebCob) writes:
> >
> > > So I am assuming that the way freemail works is that it checks to see
> > > if the sending server is in the MX list for the freemail domain - I
> > > understood
> >
> > No.
> >
> > > the docs to mean that it would reverse resolve within the domain - which
> > > seems to be wrong...
> >
> > Reverse, and forward.
> >
> > Of course, temporary resolution glitches would be a factor here.
>
> Hmmm - so maybe the problem people are having with this is a DNS problem? In
> that case, could I try patching courier to use a temporary failure code so
> the remote server retries (at which point the DNS should work?) I've tried
> several test messages - so far ALL have failed this way.

Check for the text string softdnserr, which is used in place of hostname
when there's a temporary DNS error.





[courier-users] Re: freemail list and questions about yahoo...

2004-01-06 Thread Sam Varshavchik
Gordon Messmer writes:

> Sam Varshavchik wrote:
>
> > Provided that they will follow through on their promise, and they don't
> > do something stupid, like using a trusted authority certificate model,
> > this is going to be the final solution. freemail is just a temporary
> > stop-gap measure.
> >
> > http://edition.cnn.com/2003/TECH/internet/12/05/spam.yahoo.reut/
>
> Acknowledging that my opinion isn't worth much, this seems stupid.  As
> described, the solution would require all of the work that SPF does
> (http://spf.pobox.com/), plus additional computation.  What's the
> additional check get you?

Forwarding will now work.

SPF breaks forwarding.

> Am I missing something, or is this going to be a stupid standard that
> gets used only because it's backed by enough money?

There's that, and there's the 800lb gorilla factor.





Re: [courier-users] Re: freemail list and questions about yahoo...

2004-01-06 Thread Gordon Messmer
Sam Varshavchik wrote:

> Gordon Messmer writes:
>
> > Acknowledging that my opinion isn't worth much, this seems stupid.  As
> > described, the solution would require all of the work that SPF does
> > (http://spf.pobox.com/), plus additional computation.  What's the
> > additional check get you?
>
> Forwarding will now work.

Malcolm tried to impress upon me the same thing.  The description on
cnn.com is not very technical.  Who has the private keys?  How does
forwarding work?





RE: [courier-users] Re: freemail list and questions about yahoo...

2004-01-06 Thread Mitch \(WebCob\)
I'm not sure - the way I read it it sounded more like a verification of the
sender - not the recipient... similar to spf I guess it will require REAL
registered domains to host the txt records containing the keys (guessing
here). But instead of validating a sender to a recipient (which screws up CC
and BCC as well as forwarding) it just validates a sender...

Would be nice if they'd throw up a working document so people could throw
some collective brainpower at it.

m/

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Gordon
Messmer
Sent: Tuesday, January 06, 2004 10:19 AM
To: Courier Users
Subject: Re: [courier-users] Re: freemail list and questions about
yahoo...


Sam Varshavchik wrote:
> Gordon Messmer writes:
>
> > Acknowledging that my opinion isn't worth much, this seems stupid.  As
> > described, the solution would require all of the work that SPF does
> > (http://spf.pobox.com/), plus additional computation.  What's the
> > additional check get you?
>
> Forwarding will now work.

Malcolm tried to impress upon me the same thing.  The description on
cnn.com is not very technical.  Who has the private keys?  How does
forwarding work?






RE: [courier-users] Re: freemail list and questions about yahoo...

2004-01-06 Thread Malcolm Weir
 -Original Message-
 From: Gordon Messmer
 Sent: Tuesday, January 06, 2004 10:19 AM
 To: Courier Users

 Sam Varshavchik wrote:
  Gordon Messmer writes:
  
  Acknowledging that my opinion isn't worth much, this seems 
  stupid.  
  As described, the solution would require all of the work that SPF 
  does (http://spf.pobox.com/), plus additional computation.  What's 
  the additional check get you?

  Forwarding will now work.
 
 Malcolm tried to impress upon me the same thing.  The 
 description on cnn.com is not very technical.  Who has the 
 private keys?  How does forwarding work?

It really isn't that complicated:

As each message is injected into the public internet by a SMTP server,
that message is signed with a private key controlled by whoever owns the
injecting domain.

From that point on, anyone can query the DNS for that domain and get a
public key; if the public key doesn't unlock the message, it *is* forged,
and can be immediately dropped.  SPF can only suggest that it might be
forged, and use that information to feed into subsequent filters; Yahoo's
scheme is authoritative.  Further, using SPF every stage (relaying or
forwarding) must provide SPF sender verification otherwise there is no
benefit.  Using Yahoo's crypto scheme, you can copy the message onto a
floppy disk and hand carry it around and at the other end you can still
authenticate the message.

The issues that seem to me as still need clarification/definition are these:
if my return address is not in the same domain as the injecting server, a
specific header would be useful to encapsulate that plus (idealistically)
the authenticated sender's name (or the lack thereof).

The recipient could then do the following:

*  If the public key of the sender's domain validates the message, the
message is authentic and should be delivered.
*  If that key *doesn't* work, but that of a listed injecting host does,
then you have a relay or third-party sender -- but you definitively *know*
that, and can make decisions before attempting delivery (e.g. check the
injecting host to see if it's listed in a blacklist).
*  If the sender's domain and the injecting host have public keys, and the
message doesn't have a signature, then the message is a forgery and can be
dropped without further effort.
*  If the sender's domain has a key but there is no indication of an
injecting host nor a signature, then the injecting host may not understand
the new scheme, OR the message may be a forgery.  However, it is likely that
it will be possible to determine (via Received-From lines) if there was a
separate injecting host, and if not, simply drop the message.

Of course, the alternative is to insist that if you want to send a message
with a sender address in a given domain, you must use that domain's server.
With authenticated MTA's, that isn't too onerous, but it will impact some
folk (particularly mass marketers... Dearie dearie me!)

In the particular case of Yahoo (and clearly this colors their thinking)
they can pretty much unilaterally decree that if you use a @yahoo.com
address and you want the message to have a valid signature, you must send
using Yahoo's servers.  This may sound draconian, but it *is* Yahoo's staff
who deals with complaints about forged messages allegedly showing a Yahoo
return address (and, given I know the person who has an address similar to
jane at yahoo.com, the amount of forged spam with that address is
astonishing.  Luckily, she used to head Yahoo's eMail customer service
team...)

Malc.





[courier-users] RE: freemail list and questions about yahoo...

2004-01-06 Thread Julian Mehnle
Malcolm Weir [EMAIL PROTECTED] wrote:
 Gordon Messmer wrote:
  Sam Varshavchik wrote:
   Forwarding will now work [with the Yahoo proposal, unlike with SPF].
  
  Malcolm tried to impress upon me the same thing.  The
  description on cnn.com is not very technical.  Who has the
  private keys?  How does forwarding work?
 
 It really isn't that complicated:

First, thanks for explaining the Yahoo proposal, or YASAF (Yahoo Anti Sender Address 
Forgery), as I'll call it.  That was the first explanation that included enough 
technical detail for me to be able to understand YASAF.

 As each message is injected into the public internet by a SMTP server,
 that message is signed with a private key controlled by whoever owns
 the injecting domain. 
 
 From that point on, anyone can query the DNS for that domain and get a
 public key; if the public key doesn't unlock the message, it
 *is* forged,
 and can be immediately dropped.  SPF can only suggest that it might be
 forged, and use that information to feed into subsequent filters;
 Yahoo's scheme is authoritative.  Further, using SPF every stage
 (relaying or forwarding) must provide SPF sender verification otherwise
 there is no benefit.  Using Yahoo's crypto scheme, you can copy the
 message onto a floppy disk and hand carry it around and at the other
 end you can still authenticate the message. 

I don't see what SPF does NOT do (to prevent sender domain forgery) that IS being done 
by YASAF.

SPF, for a given domain, prevents rogue SMTP servers, that are unauthorized to send 
from that domain, from delivering mails to an SPF-protected server.  You as a domain 
owner can even authorize 3rd party servers (like your ISP's ones) to send mail from 
your domain.

The "you can carry a YASAF-protected mail on a floppy disk and still verify its sender
domain's authenticity" argument is bogus.  Why would you actually want to perform the
verification anytime *after* the mail has been received by your side in the first
place?  For reliability's sake (from a legitimate sender's point of view), you'd want
to reject invalid mails right in the SMTP dialog anyway instead of just dropping mails
or even generating concrete bounce messages.  And even if there were a real reason to
perform late verification, you could do the same with SPF.  Just check the
delivering IP address in the appropriate Received: header (i.e. the oldest header you
trust).

Why can SPF only suggest that a sender address is forged?  What's the difference 
from YASAF in this regard?

Further, the YASAF private keys can't be handed out to users for them to sign their 
messages themselves (and use whatever SMTP relay they want), or to other untrusted 3rd 
parties.  This means that users are required to use SMTP servers that have access to 
the private key, which will usually be the domain owner's trusted servers only.  This 
in turn means that YASAF prevents domain owners from authorizing (untrusted) 3rd party 
servers to send mail from their domain, while SPF does support this.

SPF's concept is most natural, as it basically represents the reverse of the DNS MX 
record type, plus it brings some extensions.  I don't see why this is not enough to 
effectively prevent sender address forgery.





[courier-users] Error messages from submit and courierlocal

2004-01-06 Thread Andrew Gray
I mentioned this back on 18 November, but that discussion got a little
sidetracked with the filters bit.

Every day I'm getting 20 or so messages from courierlocal and submit
just saying Permission denied.  No messages before or after to hint at
what it is trying to access.  Also about 50 a day from courierlocal with
just No such file or directory, again, no clue as to what it is
looking for.

Keeping in mind my daily maillog is already 50 megs or so I don't want
to have to enable gross levels of debug messages or the like, but is
there any way to get more information from courier as to what it is
looking for in these instances?

--
Andrew Gray
Systems Administrator
College of Engineering
University of Nevada, Las Vegas






[courier-users] Re: freemail list and questions about yahoo...

2004-01-06 Thread Sam Varshavchik
Malcolm Weir writes:

> The issues that seem to me as still need clarification/definition are these:
> if my return address is not in the same domain as the injecting server,

then you sign the message with YOUR key, and put THAT in DNS.

I don't really know what Yahoo's going to do, but based on what I've read,
in several places, I reached a similar impression as to what they're doing.

> The recipient could then do the following:
>
> *  If the public key of the sender's domain validates the message, the
> message is authentic and should be delivered.
> *  If that key *doesn't* work, but that of a listed injecting host does,
> then you have a relay or third-party sender -- but you definitively *know*
> that, and can make decisions before attempting delivery (e.g. check the
> injecting host to see if it's listed in a blacklist).

I didn't get the impression that Yahoo's stuff has anything to do with the
injection host.  Remember, that legitimate Yahoo mail can only come out of
Yahoo itself, so they can take care of signing entirely on their end.

As you indicated, this scheme will prevent someone from using their Yahoo
E-mail address to send mail themselves, from their ISP. That's unfortunate,
but I also agree that Yahoo wouldn't give a fsck about it.  They
specifically _want_ their lusers to send mail through their webmail
interface, instead of their own mail programs.

And I'm optimistic that they'll explicitly specify that the domain check has
to be carried out against the From: header, and not the envelope sender
address (although that one can still be optionally checked).  Remember that
Yahoo's goal is to get rid of all the clueless wonders complaining to
Yahoo about spam From: [EMAIL PROTECTED]  I'll be disappointed if
they're naive enough to believe that checking the envelope sender address is
sufficient; otherwise all that's needed to nullify any value added from this
enterprise is to simply use a different envelope sender address, but keep
the From: header intact.

Yes, that means that the message's body will have to be received, before the
message can be authenticated.  That's better than nothing.


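Malcolm's description of the Yahoo scheme above, Julian's comparison with SPF, and Sam's point that the check must be made against the From: header rather than the envelope sender, as an added example that is not code from the thread, from Courier or from Yahoo's proposal: a toy model in which a domain publishes an SPF policy and a public key in a simulated DNS, the injecting server signs From:, Subject: and body, and the recipient runs both checks on a direct delivery, a forwarded copy, a forgery that uses the spammer's own envelope sender, and a tampered copy. The key pair (textbook RSA on two Mersenne primes so that it runs on the standard library alone; not a secure signature), the domain names, the addresses and the `mail._domainkey` record name are all assumptions made for the demo.

```python
"""Toy model of the two defences debated in this thread: SPF (is the
connecting IP authorised for the envelope-sender domain?) and a signature
scheme in the style Malcolm describes (do From: and body verify against a
public key published in the From: domain's DNS?).

Constructed example, not code from the thread, Courier or Yahoo. The DNS,
the key pair, the messages and the addresses are all made up. Signing is
textbook RSA on two well-known Mersenne primes so the block needs only the
standard library; it is NOT a secure signature, only a stand-in.
"""
import hashlib
import ipaddress

# --- toy key pair for yahoo.example (insecure: public primes, no padding) ---
P = (1 << 521) - 1                       # Mersenne prime M521
Q = (1 << 127) - 1                       # Mersenne prime M127
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))        # modular inverse, Python 3.8+

# --- simulated DNS: name -> list of TXT strings ---------------------------
DNS = {
    "yahoo.example":   ["v=spf1 ip4:203.0.113.0/24 -all"],
    "spammer.example": ["v=spf1 ip4:198.51.100.7 -all"],
    # the record name for the public key is an assumption; the thread names none
    "mail._domainkey.yahoo.example": [f"k=rsa; n={N}; e={E}"],
}

def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def spf_check(envelope_from: str, connecting_ip: str) -> str:
    """Minimal SPF: only 'ip4:' and '-all', enough for the comparison here."""
    domain = envelope_from.rsplit("@", 1)[1]
    policy = [r for r in DNS.get(domain, []) if r.startswith("v=spf1")]
    if not policy:
        return "none"
    ip = ipaddress.ip_address(connecting_ip)
    for term in policy[0].split()[1:]:
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return "pass"
        if term == "-all":
            return "fail"
    return "neutral"

def canonical(msg: dict) -> bytes:
    """What the signature covers: From:, Subject: and the body. Received:
    lines are deliberately excluded, so a forwarder adding one does not
    invalidate the signature."""
    h = msg["headers"]
    return f"from:{h['From']}\nsubject:{h['Subject']}\n\n{msg['body']}".encode()

def sign_message(msg: dict) -> dict:
    """Done by the injecting server, which holds the From: domain's private key."""
    msg["headers"]["X-Signature"] = f"s=mail; b={pow(_digest(canonical(msg)), D, N)}"
    return msg

def verify_message(msg: dict) -> str:
    """Sam's point: look up the key for the From: domain, not the envelope.
    Returns pass, fail, missing (domain has a key but message is unsigned)
    or none (domain publishes no key)."""
    domain = msg["headers"]["From"].rsplit("@", 1)[1]
    key = DNS.get(f"mail._domainkey.{domain}")
    if not key:
        return "none"
    sig = msg["headers"].get("X-Signature")
    if not sig:
        return "missing"
    s = dict(f.split("=", 1) for f in sig.split("; "))
    k = dict(f.split("=", 1) for f in key[0].split("; "))
    ok = pow(int(s["b"]), int(k["e"]), int(k["n"])) == _digest(canonical(msg))
    return "pass" if ok else "fail"

def forward(msg: dict, forwarder: str) -> dict:
    """A forwarder keeps envelope sender, From: and body and adds a Received:."""
    out = {"envelope_from": msg["envelope_from"],
           "headers": dict(msg["headers"]), "body": msg["body"]}
    out["headers"]["Received"] = f"from {forwarder} by mx.recipient.example"
    return out

def scenarios() -> dict:
    """(spf result, signature result) for each case, as seen by the recipient."""
    direct = sign_message({"envelope_from": "alice@yahoo.example",
                           "headers": {"From": "alice@yahoo.example", "Subject": "lunch"},
                           "body": "Noon?"})
    fwd = forward(direct, "mail.alumni.example")          # alice's old address forwards
    forged = {"envelope_from": "bulk@spammer.example",    # SPF passes for the spammer...
              "headers": {"From": "alice@yahoo.example", "Subject": "lunch"},
              "body": "Buy now"}                           # ...but From: is forged
    tampered = {**direct, "body": "Send money"}            # signed copy, body altered
    return {
        "direct":    (spf_check(direct["envelope_from"], "203.0.113.5"),   verify_message(direct)),
        "forwarded": (spf_check(fwd["envelope_from"], "192.0.2.9"),        verify_message(fwd)),
        "forged":    (spf_check(forged["envelope_from"], "198.51.100.7"),  verify_message(forged)),
        "tampered":  (spf_check(tampered["envelope_from"], "203.0.113.5"), verify_message(tampered)),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:10s} spf={result[0]:5s} signature={result[1]}")
```

The forwarded case is the one Sam keeps coming back to: the final hop's address fails the envelope domain's SPF policy, while the signature still verifies because the forwarder changed nothing it covers. The forged case is Sam's envelope-versus-From: warning: SPF passes because the spammer's own domain authorises the spammer's server, and only the lookup keyed on the From: domain notices that a domain which publishes a key delivered an unsigned message.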


[courier-users] RE: freemail list and questions about yahoo...

2004-01-06 Thread Julian Mehnle
Sam Varshavchik [EMAIL PROTECTED] wrote:
> Julian Mehnle writes:
>
> > I don't see what SPF does NOT do (to prevent sender domain
> > forgery) that IS being done by YASAF.
>
> It prevents mail from being forwarded.  A forwarded message will keep
> its return address, but will now originate from some other host, from
> the point of view of the ultimate recipient.

Alright, I do see that.  What's wrong with sender rewriting?  I mean, except that
it has to be implemented?





[courier-users] RE: freemail list and questions about yahoo...

2004-01-06 Thread Julian Mehnle
Sam Varshavchik [EMAIL PROTECTED] wrote:
> Julian Mehnle writes:
>
> > What's wrong with sender rewriting?  I mean, except that it has to
> > be implemented?
>
> What exactly are you going to rewrite the sender to?  The address from
> which the message gets forwarded?
>
> Gee, guess where the bounce would go?

The bounce would go to the forwarder.  So what?  The forwarder can simply forward
(backward) the bounce as well.  Is this a serious problem?





[courier-users] Seeming issue between SA courier... WAS RE: [SAtalk] RCVD_IN_DYNABLOCK,RCVD_IN_SORBS in 2.61 when sending myself a test message?

2004-01-06 Thread Mitch \(WebCob\)
I'm cross posting this message here just to keep other courier users in the
loop. I'm a long time courier user but not quite as long time SpamAssassin
user. I noticed a problem with false positives related to the default
settings in SA. Messages sent from my home machine to myself were being
detected as spam due to a score on the RCVD_IN_DYNABLOCK test which is
supposed to trip when the top received header indicates the mail was
received from an address in a dynamic pool - like a cable modem / etc.

My first concern is that apparently due to the differences in courier's vs
sendmail's Received header formats, the first courier header is not always
detected. Secondly, if I am sending to another user in my own system via
authenticated SMTP, the rule still triggers - even though my authentication
on the server should allow me some sort of whitelist-like status (my
humble opinion).

I'm assuming that someone on the SA side can fix the failure to detect the
first header, and hopefully the authentication issue as well (when the first
Received header shows (AUTH: ...)). As this pertains to courier specifically,
and it may be causing false positives, I thought I'd share it here.

Hope it helps - I'll post the resolution as well assuming there is one.

cheers.

Original message from SAtalk follows.

m/





With the help of Shane Williams (who received a message and showed me how it
passed his SA ok) I figured out the following:

Courier formats its Received lines like this (this trips
RCVD_IN_DYNABLOCK):

Received: from bigass1.XXX.com ([66.199.X.X])
  by slim1.XXX.com with esmtp; Tue, 06 Jan 2004 23:56:09 +
Received: from a1200 ([24.83.X.X])
  (AUTH: LOGIN [EMAIL PROTECTED])
  by bigass1.XXX.com with esmtp; Tue, 06 Jan 2004 23:56:09 +

Shane I presume (by version numbers) is running sendmail - which has a
different Received format and DOESN'T trip RCVD_IN_DYNABLOCK:

Received: from bigass1.XXX.com (ns1.XXX.com [66.199.X.X])
by fiat.XXX.edu (8.12.10/8.12.10) with ESMTP id
i06MBJ6U020255
for [EMAIL PROTECTED]; Tue, 6 Jan 2004 16:11:19 -0600
Received: from a1200 ([24.83.X.X])
  (AUTH: LOGIN [EMAIL PROTECTED])
  by bigass1.XXX.com with esmtp; Tue, 06 Jan 2004 22:09:53 +

So for starters, the -notfirsthop option seems to be missing my first
header.

And for seconds... I will still have a problem when my first header is
AUTHENTICATED.
If I send mail to myself, my ONLY received header looks like:

Received: from a1200 ([24.83.X.X])
  (AUTH: LOGIN [EMAIL PROTECTED])
  by bigass1.XXX.com with esmtp; Tue, 06 Jan 2004 23:56:09 +

Which I think should be ignored - although headers can be forged, the first
header can't - right? And if it says authenticated, I shouldn't be penalized
for sending mail to myself - right?

So now what - do I file a bug report ? or have I already put the info in the
right place?

Thanks a bunch for the tool - glad to do my bit - I imagine that this
problem affects all courier users. Unless I'm missing something?

Thanks!

m/

-Original Message-
From: Brian Sneddon [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 06, 2004 4:55 AM
To: 'Mitch (WebCob)'; [EMAIL PROTECTED]
Subject: RE: [SAtalk] RCVD_IN_DYNABLOCK,RCVD_IN_SORBS in 2.61 when
sending myself a test message?


Hi, Mitch.
Could you please provide more information regarding the mail server which is
running SpamAssassin?  Information such as which MTA it's using, how you're
calling SpamAssassin (procmail, milter, etc.), and whether the machine is on
a private NATed address will be helpful in troubleshooting your problem.


Thanks.
Brian






Re: [courier-users] Re: freemail list and questions about yahoo...

2004-01-06 Thread Roger B.A. Klorese
Gordon Messmer wrote:

> Acknowledging that my opinion isn't worth much, this seems stupid.  As
> described, the solution would require all of the work that SPF does
> (http://spf.pobox.com/), plus additional computation.  What's the
> additional check get you?

If the particular server is who it says it is, and I trust its
certificate, I don't really have to care what domain it's sending mail
for.  The method will support roaming users on multiple networks, for
instance, in a way SPF cannot.



Re: [courier-users] Re: freemail list and questions about yahoo...

2004-01-06 Thread Roger B.A. Klorese
Mitch (WebCob) wrote:

> Personally I don't see that as a bad thing - it makes it a lot
> simpler to keep tabs on the spam problem, and since authenticated
> SMTP and open source webmail systems are so common, I would question
> why ANYONE would send mail from a foreign domain through a
> convenient SMTP server.

Because many ISPs will only allow you to access port 25 of THEIR
server; if you're roaming onto their network, you must use their server,
not some external one you can authenticate to.



Re: [courier-users] Seeming issue between SA courier... WAS RE: [SAtalk] RCVD_IN_DYNABLOCK,RCVD_IN_SORBS in 2.61 when sending myself a test message?

2004-01-06 Thread Gordon Messmer
Mitch (WebCob) wrote:

> My first concern is that apparently due to the differences in courier's vs
> sendmail's Received header formats, the first courier header is not always
> detected. Secondly, if I am sending to another user in my own system via
> authenticated SMTP, the rule still triggers - even though my authentication
> on the server should allow me some sort of whitelist-like status (my
> humble opinion).

Configure maildrop not to pass messages that were AUTH'd to spamassassin:

# only hand the message to spamc when no Received: header records an
# SMTP AUTH'd hop into one of our own *.example.com servers
if( ! ( /Received: .*\(AUTH: [^)]*\) *by [:alnum:]*.example.com/ ) )
{
    xfilter /usr/bin/spamc
}


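Mitch's report above and Gordon's maildrop rule, as an added example that is not code from Courier, SpamAssassin, maildrop or the thread: a small walker for Courier-style Received: headers that unfolds the continuation lines, steps down through our own relays to find the hop where the message actually entered (so a two-hop chain like Mitch's first sample is handled), and then either skips the dynamic-pool check when that hop carries `(AUTH: ...)` or looks the address up in a DNSBL. It also shows why only an AUTH line written by one of our own servers may be trusted. The relay names and addresses, the sample headers (modelled on the ones Mitch quoted, with documentation addresses) and the DNSBL contents are all constructed; the DNSBL is a dict rather than a real zone.

```python
"""First-external-hop analysis for Courier-style Received: headers.

Constructed example, not Courier, SpamAssassin or maildrop code. Relay
names and addresses, the DNSBL contents and the sample headers are made up.
"""
import re

OUR_RELAY_NAMES = {"bigass1.example.com", "slim1.example.com"}   # assumed: our MTAs
OUR_RELAY_IPS = {"192.0.2.1", "192.0.2.2"}                        # assumed: their addresses

# constructed stand-in for a dynamic-pool DNSBL: reversed-IP query name -> answer
DYNABLOCK = {"5.113.0.203.dynablock.example": "127.0.0.3"}

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\(\[(?P<ip>[0-9.]+)\]\)"     # from HOST ([IP])
    r"(?:\s+\(AUTH:\s+(?P<auth>[^)]*)\))?"                # optional (AUTH: LOGIN user)
    r"\s+by\s+(?P<by>\S+)")                               # by OUR-HOST

def unfold_received(raw_headers: str) -> list:
    """Received: values, newest first, with folded continuation lines joined."""
    values, in_received = [], False
    for line in raw_headers.splitlines():
        if line[:1] in (" ", "\t"):            # continuation of the previous header
            if in_received:
                values[-1] += " " + line.strip()
        else:
            in_received = line.lower().startswith("received:")
            if in_received:
                values.append(line.split(":", 1)[1].strip())
    return values

def first_external_hop(raw_headers: str):
    """Walk the chain from the top. Every header written by one of our relays
    records the real peer address, so the first such header whose peer is not
    one of ours is the injection point. Anything below it was written by
    someone else and may be forged, including any (AUTH: ...) it claims."""
    for value in unfold_received(raw_headers):
        m = RECEIVED_RE.search(value)
        if not m or m.group("by") not in OUR_RELAY_NAMES:
            return None            # chain left our infrastructure with no external hop
        if m.group("ip") not in OUR_RELAY_IPS:
            return m.groupdict()
    return None

def dynablock_verdict(raw_headers: str) -> str:
    """skip-authenticated / listed / clean / no-external-hop for the injection hop."""
    hop = first_external_hop(raw_headers)
    if hop is None:
        return "no-external-hop"
    if hop["auth"]:
        return "skip-authenticated"   # Gordon's rule: an AUTH'd hop is not scored
    query = ".".join(reversed(hop["ip"].split("."))) + ".dynablock.example"
    return "listed" if query in DYNABLOCK else "clean"

# constructed after the headers Mitch quoted (documentation addresses substituted)
TWO_HOP_AUTH = """\
Received: from bigass1.example.com ([192.0.2.1])
  by slim1.example.com with esmtp; Tue, 06 Jan 2004 23:56:09 +0000
Received: from a1200 ([203.0.113.5])
  (AUTH: LOGIN mitch@example.com)
  by bigass1.example.com with esmtp; Tue, 06 Jan 2004 23:56:09 +0000
Subject: test
"""
ONE_HOP_AUTH = """\
Received: from a1200 ([203.0.113.5])
  (AUTH: LOGIN mitch@example.com)
  by bigass1.example.com with esmtp; Tue, 06 Jan 2004 23:56:09 +0000
"""
ONE_HOP_NOAUTH = """\
Received: from a1200 ([203.0.113.5])
  by bigass1.example.com with esmtp; Tue, 06 Jan 2004 23:56:09 +0000
"""
FORGED_AUTH_BELOW = """\
Received: from evil.example ([198.51.100.7])
  by bigass1.example.com with esmtp; Tue, 06 Jan 2004 23:59:00 +0000
Received: from a1200 ([203.0.113.5])
  (AUTH: LOGIN mitch@example.com)
  by bigass1.example.com with esmtp; Tue, 06 Jan 2004 23:56:09 +0000
"""

if __name__ == "__main__":
    for label, hdrs in [("two-hop auth", TWO_HOP_AUTH), ("one-hop auth", ONE_HOP_AUTH),
                        ("one-hop no auth", ONE_HOP_NOAUTH), ("forged auth below", FORGED_AUTH_BELOW)]:
        print(f"{label:18s} -> {dynablock_verdict(hdrs)}")
```

The last sample is the caveat on Gordon's regex: it matches an `(AUTH: ...)` line anywhere in the headers, so a sender who pastes a fake authenticated hop below the real one would also skip the scan. Stopping at the first hop that one of our own relays wrote, as above, ignores that fake line.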


RE: [courier-users] RE: freemail list and questions about yahoo...

2004-01-06 Thread Malcolm Weir
 -Original Message-
 From: Julian Mehnle
 Sent: Tuesday, January 06, 2004 3:08 PM

[ Snip ]

  As each message is injected into the public internet by a SMTP 
  server, that message is signed with a private key controlled by 
  whoever owns the injecting domain.
  
  From that point on, anyone can query the DNS for that 
 domain and get a 
  public key; if the public key doesn't unlock the message, it
  *is* forged,
  and can be immediately dropped.  SPF can only suggest that 
 it might be 
  forged, and use that information to feed into subsequent filters; 
  Yahoo's scheme is authoritative.  Further, using SPF every stage 
  (relaying or forwarding) must provide SPF sender verification 
  otherwise there is no benefit.  Using Yahoo's crypto 
 scheme, you can 
  copy the message onto a floppy disk and hand carry it around and at 
  the other end you can still authenticate the message.
 
 I don't see what SPF does NOT do (to prevent sender domain 
 forgery) that IS being done by YASAF.

SPF only validates that the host that claims to be on the other end of the
SMTP connection is the 'correct' host (or a correct host) for that domain.

In most cases (see Sam's remarks) YASAF validates that the 'From:' line is
being used legitimately.

Still, the main thing that YASAF *does* is based on the fact that it is
sponsored by Yahoo who is one of the major e-mail domains out there, while
SPF is sponsored by more-or-less no-one.  SPF may be acceptable, but any
fair assessment will acknowledge that the use of crypto signatures *is* a
harder nut to crack when it comes to forgeries, so YASAF can be viewed as
SPF++ (the first plus for the crypto, the second for the sponsor).

 SPF, for a given domain, prevents rogue SMTP servers, that 
 are unauthorized to send from that domain, from delivering 
 mails to an SPF-protected server.  You as a domain owner can 
 even authorize 3rd party servers (like your ISP's ones) to 
 send mail from your domain.

Sure.  Now, explain why it isn't already being used universally?  Why
doesn't Yahoo simply implement it?

The answer is that it doesn't authenticate the message, only the connection.
If your SMTP server decides that mine is authentic (in the SPF sense), then
I can shovel a message to you that appears to have been relayed from (say) a
Yahoo domain.  You'll add another 'Received-From:' header, and deliver it to
your user.

Unfortunately, in this specific case, 'I' might have been a SPF-protected
disposable domain, and your user still complains to Yahoo...

 The "you can carry a YASAF-protected mail on a floppy disk
 and still verify its sender domain's authenticity" argument
 is bogus.

No, it's entirely valid, and covers one of the key issues.

Note that SPF can only be employed during SMTP dialogs; 'YASAF' can be
employed even by an MUA's during a POP3 dialog... And the old POP3 (and IMAP
and SMTP) server(s)s can be entirely ignorant of the whole issue while the
user gains the benefits!

  Why would you actually want to perform the 
 verification anytime *after* the mail has been received by 
 your side in the first place? 

Because you are Yahoo's support department and, to borrow Sam's example, you
are fed up with responding to people complaining about mail received from
'[EMAIL PROTECTED]'.  In this case, the forwarded message (or the
message carried on a floppy) is self-contained from the standpoint of its
signature, and it can be subsequently proven (say, in a court of law) that
it is a forgery.  This may be rather important if you are being sued for
sending UCE... As may now be the case!

Secondly, as suggested earlier, your 'side' may be using a old SMTP package,
but your MUA is cutting edge and is smart enough to discard invalid 'YASAF'
messages during the download.

 For reliability's sake (from 
 a legitimate sender's point of view), you'd want to reject 
 invalid mails right in the SMTP dialog anyway instead of just 
 dropping mails or even generating concrete bounce messages.  

That's debatable.  If you are sending legitimately with a signature, all is
well.  If you are sending *without* a signature where you 'should' have one,
it can be argued that you are sending a forgery, and a rejection provides
the forger with additional information -- that may be good, or not,
depending on whether you choose to argue that it is better to permit forgers
to hone their mailing lists, or whether it is better to allow the forgers to
bloat their lists so as to increase the overall cost.

Sure, from a good citizen standpoint you are right... But from an
anti-spam standpoint the issue is slightly more complex (I personally would
love for the largest ISPs to silently drop forged mail, for precisely this
reason).

 And even if there were a real reason to perform late
 verification, you could do the same with SPF.  Just check the
 delivering IP address in the appropriate Received: header
 (i.e. the oldest header you trust).

No, because once the connection has been closed, 

Re: [courier-users] RE: freemail list and questions about yahoo...

2004-01-06 Thread Roger B.A. Klorese
Julian Mehnle wrote:
But it *could* be.  You can set the following SPF record for
workdomain.com (if Earthlink has their own SPF set up correctly):
v=spf1 [...] include:earthlink.net -all

or (if Earthlink uses their incoming MXes as outgoing MXes as well):

v=spf1 [...] mx:earthlink.net -all

or even (otherwise):

v=spf1 [...] a:smtp.earthlink.net -all
So my employer has to determine which networks I'm allowed to roam onto?!

So when I travel on business, I should call the hotel a day or two ahead 
of time to ask who their service provider is and what their SMTP servers 
are, so I can ask the work NOC to add it as a valid sender?!

What planet are we talking about?

Yahoo's scheme has the advantage that the owner of workdomain.com
doesn't have to open his domain to forgery from other domains (like
in the example above).  But as soon as a user @workdomain.com is
forced to send through a 3rd party SMTP relay (like in the example
above), either the user or that 3rd party would need access to the
workdomain.com private key to properly sign the sent messages.
Of course.  But it makes lots more sense for employees of workdomain.com 
to have access to its private key than it does for servers of 
randomroamprovider.net to.

So essentially, the difference in this regard between SPF and the
Yahoo scheme is that with SPF, the 3rd party must be trusted, while
with the Yahoo scheme, the 3rd party OR the user @workdomain.com must
be trusted.  I.e., with SPF, trust cannot be delegated to the user.
No, but you seem to trivialize the amount of work and the impractical 
and unreasonable policy involved in that difference.
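As an added example (not code from the thread or from any SPF implementation), here is a minimal evaluator for the record shapes quoted above, run against a constructed, offline DNS table in which earthlink.example stands in for Earthlink's domain; it shows how include:, mx: and a: delegate trust to Earthlink's hosts, and why a roaming user's hotel IP ends at -all:

```python
"""Minimal v=spf1 evaluator over a constructed, offline DNS table.

Added example, not code from the thread or from any SPF implementation.
It handles only the mechanisms the thread mentions (ip4, a, mx, include,
all) and their qualifiers: enough to show how the workdomain.com record
delegates trust to Earthlink's hosts and why a hotel IP fails.
"""
import ipaddress

# Constructed DNS data. 'earthlink.example' stands in for Earthlink's
# domain; all addresses come from documentation ranges.
DNS = {
    "TXT": {
        "workdomain.com": "v=spf1 ip4:192.0.2.0/24 include:earthlink.example -all",
        "earthlink.example": "v=spf1 mx a:smtp.earthlink.example -all",
        "hotel-isp.example": "v=spf1 a -all",
    },
    "A": {
        "smtp.earthlink.example": ["198.51.100.25"],
        "mx1.earthlink.example": ["198.51.100.30"],
        "hotel-isp.example": ["203.0.113.5"],
    },
    "MX": {"earthlink.example": ["mx1.earthlink.example"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def _matches_hosts(addr, hosts):
    """True if addr is an A record of any host in hosts."""
    return any(addr == ipaddress.ip_address(a)
               for h in hosts for a in DNS["A"].get(h, []))

def check_host(ip, domain, depth=0):
    """SPF result for connecting IP `ip` claiming MAIL FROM @`domain`."""
    if depth > 10:                      # guard against include: loops
        return "permerror"
    record = DNS["TXT"].get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUALIFIERS[qual]
        if name == "include":
            # Recursive check: only a 'pass' inside matches, so workdomain.com
            # inherits every host Earthlink authorises (and any it adds later).
            if check_host(ip, arg, depth + 1) == "pass":
                return QUALIFIERS[qual]
        elif name == "ip4":
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
        elif name == "a":
            if _matches_hosts(addr, [arg or domain]):
                return QUALIFIERS[qual]
        elif name == "mx":
            if _matches_hosts(addr, DNS["MX"].get(arg or domain, [])):
                return QUALIFIERS[qual]
        else:
            return "permerror"          # unknown mechanism
    return "neutral"                    # record ended without a match
```

The include: case is the one Julian's "open his domain to forgery" remark refers to: every host Earthlink's own record passes is thereby passed for workdomain.com too.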



[courier-users] Re: freemail list and questions about yahoo...

2004-01-06 Thread Sam Varshavchik
Julian Mehnle writes:

Sam Varshavchik [EMAIL PROTECTED] wrote:
Julian Mehnle writes:
 What's wrong with sender rewriting?  I mean, except for that it has to
 be implemented?
What exactly are you going to rewrite the sender to?  The address from
which the message gets forwarded?
Gee, guess where the bounce would go?
The bounce would go to the forwarder.  So what?  The forwarder can simply forward (backward) the bounce as well.  Is this a serious problem?
Yes.  Because the bounce bounces (after all, everything to the forwarded
address gets bounced, right?), and since the return address is reset to the
forwarder, it goes back to the forwarder.
But, by definition, the forwarder forwards all mail, resetting the return
address.  So the bounce gets forwarded again, it bounces, goes back,
forwards, bounces again, etc.




[courier-users] Re: freemail list and questions about yahoo...

2004-01-06 Thread Sam Varshavchik
Malcolm Weir writes:

Still, the main thing that YASAF *does* is based on the fact that it is
sponsored by Yahoo who is one of the major e-mail domains out there, while
SPF is sponsored by more-or-less no-one.
That's absolutely correct.  The 800lb gorilla factor cannot be overlooked.

However, be assured that if Yahoo cooks up something obnoxious, like some
scheme that involves a trusted certificate authority, nobody will pay any
attention to the gorilla.  Nobody is going to pay $100/yr for the privilege
of obtaining a certificate to validate their mail.
But I think that as far as 800lb gorillas go, Yahoo probably has a better
chance of putting something workable on the table.  I would feel fairly
comfortable pronouncing dead-on-arrival any similar press release from
Hotmail (for the obvious reasons).
It is a fact that there's an awful lot of crap being thrown around with
@yahoo.com return addresses.  You just HAVE TO KNOW that if there's ANY WAY
that any Internet provider can easily trash all that spam, without even the
slightest possibility of interfering with any legitimate @yahoo.com mail (setting
aside the marginal case of someone using their yahoo.com address from their
ISP), then you, as an ISP, would have to be astonishingly DUMB not to make
use of this opportunity.
And once the infrastructure is in place to validate @yahoo.com mail, there's
virtually no added cost to turn it on for any other domain.
And, as long as anyone can play, without paying a dime, there's absolutely
no reason why any other E-mail provider would NOT voluntarily choose to
authenticate their E-mail in a similar fashion.
Everything is hinging on the proposition that Yahoo is not about to try
something stupid.  If they get it right, you're going to have a snowball
effect coming down the hill.




[courier-users] Re: Seeming issue between SA courier... WAS RE: [SAtalk] RCVD_IN_DYNABLOCK,RCVD_IN_SORBS in 2.61 when sending myself a test message?

2004-01-06 Thread Sam Varshavchik
Mitch (WebCob) writes:

And for seconds... I will still have a problem when my first header is
AUTHENTICATED.
If I send mail to myself, my ONLY received header looks like:
Received: from a1200 ([24.83.X.X])
  (AUTH: LOGIN [EMAIL PROTECTED])
  by bigass1.XXX.com with esmtp; Tue, 06 Jan 2004 23:56:09 +
Which I think should be ignored - although headers can be forged, the first
header can't - right? And if it says authenticated, I shouldn't be penalized
for sending mail to myself - right?
Correct.  The topmost received header is yours, and it cannot be forged.





[courier-users] courierperlfilter question

2004-01-06 Thread Systems Administrator
Hi all.  I'm wanting to test a perlfilter script, and from what I
can figure it wants a socket ID in ARGV when it starts.  I'd like to test
this filter without having it run as one of Courier's mail filters.  I can
probably come up with some wrapper around it, etc, but I don't understand
how to pass the file descriptor to the script.  I've tried (in perl):

---
use strict;
# Three-argument open with an explicit read mode (the original used a bareword).
open(my $handle, '<', 'mailfile') or die "open mailfile: $!";

# Interpolating $handle yields "GLOB(0x...)", not a descriptor number.
my $foo = '/usr/local/bin/spamassassin-filter.pl ' . $handle;
print `$foo`;
---

That doesn't work.  Does anyone have any ideas?

Thanks,

--
Tim Nelson
Systems Administrator
Sunet Internet
Tel: +61 3 5241 1155
Fax: +61 3 5241 6187
Web: http://www.sunet.com.au/
Email: [EMAIL PROTECTED]
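An added example of the mechanism the question asks about, in Python rather than Perl and with a constructed stand-in for the filter script (this is not courierperlfilter's interface): the parent passes the descriptor number in argv and keeps the descriptor open across exec, and the child re-opens it by number. The Perl equivalents are fileno($handle) in the parent and open(my $fh, "<&=", $ARGV[0]) in the child.

```python
"""Hand an already-open file descriptor to a child script by number.

Added example, not code from the thread and not courierperlfilter's own
interface: CHILD is a stand-in filter that reads a message from the
descriptor number given in its argv. The parent must keep the descriptor
open across exec (descriptors are close-on-exec by default), and the child
re-opens it from the number. Perl: fileno($handle) in the parent,
open(my $fh, "<&=", $ARGV[0]) in the child.
"""
import subprocess
import sys
import tempfile

# Stand-in filter script, run in a second interpreter. Reads fd N from argv.
CHILD = r"""
import os, sys
fd = int(sys.argv[1])                      # a descriptor number, not a path
with os.fdopen(fd, "r") as msg:            # Perl: open(my $fh, "<&=", $ARGV[0])
    body = msg.read()
print(len(body.splitlines()))
"""

def run_filter_on(message_text):
    """Spool message_text to a temp file, pass its open descriptor to the
    child filter, and return the line count the child reports."""
    with tempfile.TemporaryFile("w+") as mailfile:
        mailfile.write(message_text)
        mailfile.seek(0)                   # flushes, and rewinds for the child
        fd = mailfile.fileno()
        # pass_fds keeps fd open and inheritable across exec; without it the
        # child would find the descriptor already closed.
        proc = subprocess.run([sys.executable, "-c", CHILD, str(fd)],
                              pass_fds=[fd], capture_output=True,
                              text=True, check=True)
    return int(proc.stdout.strip())

if __name__ == "__main__":
    # Constructed four-line message; prints 4.
    print(run_filter_on("From: a@example.com\nSubject: constructed\n\nbody\n"))
```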








[courier-users] RE: freemail list and questions about yahoo...

2004-01-06 Thread Julian Mehnle
Malcolm Weir [EMAIL PROTECTED] wrote:
 SPF only validates that the host that claims to be on the other end of
 the SMTP connection is the 'correct' host (or a correct host) for that
 domain. 
 
 In most cases (see Sam's remarks) YASAF validates that the 'From:' line
 is being used legitimately.

SPF doesn't primarily use the HELO string, but the envelope from.  In principle it can 
also be used to verify the From: and Sender: headers.

 Still, the main thing that YASAF *does* is based on the fact that it is
 sponsored by Yahoo who is one of the major e-mail domains out there,
 while SPF is sponsored by more-or-less no-one.  SPF may be acceptable,
 but any fair assessment will acknowledge that the use of crypto
 signatures *is* a harder nut to crack when it comes to forgeries, so
 YASAF can be viewed as SPF++ (the first plus for the crypto, the second
 for the sponsor). 

For SPF to be cracked, one would need to spoof DNS.  Granted, it's some orders of 
magnitude harder to fake digital signatures (that are using significant key lengths) 
than to spoof DNS.  But on the other hand, cryptography would need to be newly 
implemented in huge chunks of software, even in countries where digital cryptography 
is illegal.  Sure, this might not concern us lucky ones, but given that the crypto 
approach is vast overkill for the problem, this seems like a very bad trade off.  At 
least to me.

I acknowledge that Yahoo is BIG and that this will give YASAF some considerable 
momentum.  But this alone certainly doesn't make YASAF the technically superior 
solution against sender address forgery.  But isn't that what we're arguing about here?

 [...]
 Sure.  Now, explain why [SPF] isn't already being used universally?
 Why doesn't Yahoo simply implement it?

I can't.  Please ask Yahoo.  And please also ask them why YASAF isn't already being 
used universally.  And why has nobody else yet implemented YASAF?

 The answer is that it doesn't authenticate the message, only the
 connection.

This is not true.

 [...]
 Unfortunately, in this specific case, 'I' might have been a
 SPF-protected disposable domain, and your user still complains to
 Yahoo... 

http://spf.pobox.com/objections.html#throwaway

   Why would you actually want to perform the
  verification anytime *after* the mail has been received by
  your side in the first place?
 
 Because you are Yahoo's support department and, to borrow Sam's
 example, you are fed up with responding to people complaining about
 mail received from '[EMAIL PROTECTED]'.  In this case, the
 forwarded message (or the message carried on a floppy) is
 self-contained from the standpoint of its signature, and it can be
 subsequently proven (say, in a court of law) that it is a forgery. 
 This may be rather important if you are being sued for sending UCE...
 As may now be the case! 

Are we debating SPF vs. YASAF from a sender address forgery protection tool point 
of view or from a forensic evidence point of view?  Besides, it's technically 
impossible to prove anything with a copy of an alleged digital mail message.  A 
message with an invalid digital signature can be easily forged by the suitor.  Based 
on such bogus proof, one could sue anybody.  And would hopefully fail!

  And even if there were a real reason to perform late
  verification, you could do the same with SPF.  Just check the
  delivering IP address in the appropriate Received: header
  (i.e. the oldest header you trust).
 
 No, because once the connection has been closed, the headers are
 vulnerable to being rewritten.  Sure, *most* MTA's behave well, but
 some clearly don't,

Oh come on, are you talking about broken software here?  What about broken software 
that incorrectly verifies digital signatures, or even corrupts the digital signature 
during transmission?  Does that kind of software make YASAF technically inferior?

 and if you are willing to forge a 'From:' line, one
 must acknowledge that forging a 'Received:' line is certainly possible.
 Forging a crypto key is rather harder...

On a trusted mail server, the oldest trusted Received: line cannot ever be forged.  
I.e. there is always at least one Received: line containing an unforged sender IP 
address which can be used for SPF verification.

  Why can SPF only suggest that a sender address is forged?
  What's the difference from YASAF in this regard?
 
 SPF validates that the connection came from the place it claims to have
 come from.  It doesn't validate that the origination is valid for an
 address. Further processing is required to discover if the validated
 connection is associated with a problematic source (e.g. checks against
 blacklists). 

Yes, blacklists may be required with SPF to avert the disposable domain problem.  
But SPF is not designed to kill spam on its own, but as a tool to protect against 
sender address forgery.  With SPF, spammers may send from disposable domains, but they 
can't forge other people's domains.
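An added example (not code from the thread) for the argument above and for Sam's earlier point that the topmost Received: header is yours: walk the Received: trace from the top until the first hop your own MTAs did not write, and take the connecting IP from the oldest trusted line; an AUTH'd hop, as in Mitch's header, marks your own user relaying. Host names, addresses and the trusted-host set are constructed.

```python
"""Find the oldest Received: line you can trust and the IP it recorded.

Added example, not code from the thread. Received: lines are prepended as
a message travels, so the topmost were written by your own MTAs. Walk down
until the first line whose 'by' host is not yours; the connecting IP on the
last trusted line is the one a late SPF check may use. Every older line
could have been rewritten or forged. Names and addresses are constructed.
"""
import re

TRUSTED_HOSTS = {"bigass1.example.com", "mx2.example.com"}   # our own MTAs

HOP_RE = re.compile(r"from\s+(?P<helo>\S+)(?P<mid>.*?)\bby\s+(?P<by>\S+)", re.S)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def unfold(header_block):
    """Unfold continuation lines; return [(lowercased name, value), ...]."""
    fields = []
    for line in header_block.splitlines():
        if line[:1] in (" ", "\t") and fields:
            fields[-1] = (fields[-1][0], fields[-1][1] + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            fields.append((name.strip().lower(), value.strip()))
    return fields

def oldest_trusted_hop(header_block, trusted=TRUSTED_HOSTS):
    """(connecting_ip, authenticated) from the oldest Received: line written
    by a trusted host, or None if even the topmost line is not ours."""
    result = None
    for name, value in unfold(header_block):
        if name != "received":
            continue
        m = HOP_RE.search(value)
        ip = IPV4_RE.search(m.group("mid")) if m else None
        if not m or not ip or m.group("by").lower() not in trusted:
            break                       # first hop we did not write
        # An AUTH'd hop is our own user relaying through us; SPF does not apply.
        result = (ip.group(1), "(AUTH:" in m.group("mid"))
    return result

# Constructed samples. In SAMPLE the 192.0.2.66 hop lies below the trust
# boundary and must not be used; AUTH_SAMPLE mirrors the Courier line above.
SAMPLE = """Received: from mx2.example.com ([198.51.100.2])
  by bigass1.example.com with esmtp; Tue, 06 Jan 2004 23:56:09 +0000
Received: from relay.isp.example ([203.0.113.9])
  by mx2.example.com with esmtp; Tue, 06 Jan 2004 23:56:05 +0000
Received: from forged.example ([192.0.2.66])
  by relay.isp.example with smtp; Tue, 06 Jan 2004 23:55:00 +0000
From: someone@example.net
"""
AUTH_SAMPLE = """Received: from a1200 ([203.0.113.77])
  (AUTH: LOGIN user@example.com)
  by bigass1.example.com with esmtp; Tue, 06 Jan 2004 23:56:09 +0000
From: user@example.com
"""

if __name__ == "__main__":
    print(oldest_trusted_hop(SAMPLE))        # ('203.0.113.9', False)
    print(oldest_trusted_hop(AUTH_SAMPLE))   # ('203.0.113.77', True)
```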




Re: [courier-users] RE: freemail list and questions about yahoo...

2004-01-06 Thread Roger B.A. Klorese
Julian Mehnle wrote:
See it this way: the domain owner has to determine which networks the
domain users are allowed to send mail from.  It's not always about
employer/employee.  In fact, most of the time it will be
ISP/customer.
I see that as stupid and totalitarian.

If I have an Earthlink account, you're saying it's reasonable that:
- I can only send mail with my Earthlink-hosted address through their 
servers or servers they bless, BUT
- I can only send through their servers if I'm connected to them (and 
most of their peers will do the same)...
...meaning that I will likely only be able to send mail using any 
address when I'm on that ISP's pipe...

...an absurd situation.

This is a good objection, agreed.  But YASAF doesn't really avoid
this.  With YASAF, as an employee you may be better off because your
employer entrusted you with his domain private key, but as an ISP
customer, you can't send mail from "we're blocking port 25" hotels
either.
Why not?  I'd furnish my clients with *a* domain private key -- 
especially if their address is in a private domain of theirs that I 
manage -- and spank them if they misuse it.

Of course.  But consider not employer/employee, but ISP/customer.
I'm 100% dead sure that less than 1% of ISPs will give their domain
private keys away to their customers.
Clearly, it will be much more workable with private domains.

Additionally, any employer giving his domain private key(s) to its
employees will have to generate new keys each time any (previously)
trusted employee leaves the company.
Of course, but they pretty much need to do that for lots of things now.



[courier-users] RE: freemail list and questions about yahoo...

2004-01-06 Thread Julian Mehnle
Sam Varshavchik [EMAIL PROTECTED] wrote:
 Julian Mehnle writes:
  Sam Varshavchik [EMAIL PROTECTED] wrote:
   Julian Mehnle writes:
What's wrong with sender rewriting?  I mean, except for that it
has to be implemented?
   
   What exactly are you going to rewrite the sender to?  The address
   from which the message gets forwarded?
   
   Gee, guess where the bounce would go?
  
  The bounce would go to the forwarder.  So what?  The forwarder can
  simply forward (backward) the bounce as well.  Is this a serious
  problem? 
 
 Yes.  Because the bounce bounces (after all, everything to the forwarded
 address gets bounced, right?), and since the return address is reset to
 the forwarder, it goes back to the forwarder.
 
 But, by definition, the forwarder forwards all mail, resetting the
 return address.  So the bounce gets forwarded again, it bounces, goes
 back, forwards, bounces again, etc.

I don't see the problem.  http://spf.pobox.com/objections.html#forwarding handles it, 
I think.





Re: [courier-users] RE: freemail list and questions about yahoo...

2004-01-06 Thread Roger B.A. Klorese
Julian Mehnle wrote:
And why has nobody else yet implemented YASAF?
Before they write it and build its infrastructure?

Perhaps you'd like to tell me why you're not driving the 2033 Porsche.



[courier-users] Re: freemail list and questions about yahoo...

2004-01-06 Thread Sam Varshavchik
Julian Mehnle writes:

I acknowledge that Yahoo is BIG and that this will give YASAF some considerable momentum.  But this alone certainly doesn't make YASAF the technically superior solution against sender address forgery.
Both of them provide equivalent authentication of the sender's address.  
SPF will break when mail is forwarded.  YASAF won't.  The logical 
conclusion is that YASAF is a technically superior solution.

[...]
Sure.  Now, explain why [SPF] isn't already being used universally?
Why doesn't Yahoo simply implement it?
I can't.  Please ask Yahoo.  And please also ask them why YASAF isn't already being used universally.  And why has nobody else yet implemented YASAF?
They have not published it.  The Reuters report indicates that they are 
working on a toolkit that they intend to give away to everyone, and they 
estimate that they will complete the work sometime before May.






Re: [courier-users] Re: freemail list and questions about yahoo...

2004-01-06 Thread Roger B.A. Klorese
Sam Varshavchik wrote:
You forgot all about authenticated SMTP.  You can use any ISP, and 
authenticate yourself to Earthlink's mail servers.  After you are 
authenticated, you have relaying privileges, and Earthlink's mail 
servers will sign your relayed mail automatically.
Not with pobox.com's private key.



[courier-users] Re: freemail list and questions about yahoo...

2004-01-06 Thread Sam Varshavchik
Roger B.A. Klorese writes:

Julian Mehnle wrote:
I don't see the problem.  http://spf.pobox.com/objections.html#forwarding handles it, I think.
But it's just wrong.

If I am connected to my Earthlink DSL at home and want to send mail 
using my pobox.com account in their example...
- Earthlink will block port 25 to any other SMTP server but theirs
- therefore there's no voodoo that pobox.com can do that will allow
   a normally-configured mail client to send using my pobox.com
   address
Yes, they can.  SMTP's twin sister, the mail submission protocol, uses port 
587, which will be unaffected by Earthlink's stupid firewall.

It's unacceptable to me -- and to millions of others.
If your mail client cannot be reconfigured to use SMTP to port 587, instead 
of port 25, then have someone fix it, so that it can.

I think that the spam problem has gotten big enough to force a swift kick in 
the ass, to everyone.





Re: [courier-users] Re: freemail list and questions about yahoo...

2004-01-06 Thread Roger B.A. Klorese
Sam Varshavchik wrote:
Yes, they can.  SMTP's twin sister, the mail submission protocol, uses 
port 587, which will be unaffected by Earthlink's stupid firewall.
Perhaps.  But why assume it won't be blocked?  I'd expect them to block 
it in a New York minute.

I think that the spam problem has gotten big enough to force a swift 
kick in the ass, to everyone.
Maybe for you.  I get a good 1000-2000 pieces of spam a day, and 
compared to these hoops, it seems no big deal to me.
