Re: SPF records @fedoraproject.org versus @lists.fedoraproject.org

2015-10-05 Thread Marcin Juszkiewicz

On 05.10.2015 at 16:43, Reindl Harald wrote:

> well, that people should send their mail from the Fedora servers and
> not from a wrong configured random MTA allowing random envelope
> senders


Many of those people send their mail from properly configured MTA 
allowing random envelope senders for authenticated users.

--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: SPF records @fedoraproject.org versus @lists.fedoraproject.org

2015-10-05 Thread Paul Wouters
And openpgpkey-milter :)

And put in a TLSA record for their MX :)

 Paul

Sent from my iPhone

> On Oct 5, 2015, at 10:58, Michel Alexandre Salim  
> wrote:
> 
> On a related note to that, it would be great if active Fedora contributors do 
> get to use an SMTP server with SPF and DKIM set up.
> 
> -- 
> Michel
> 
>> On Mon, Oct 5, 2015 at 9:47 PM, Marcin Juszkiewicz  
>> wrote:
>> On 05.10.2015 at 16:43, Reindl Harald wrote:
>>> well, that people should send their mail from the Fedora servers and
>>> not from a wrong configured random MTA allowing random envelope
>>> senders
>> 
>> Many of those people send their mail from properly configured MTA allowing 
>> random envelope senders for authenticated users.

Re: SPF records @fedoraproject.org versus @lists.fedoraproject.org

2015-10-05 Thread Reindl Harald



On 05.10.2015 at 16:16, Stephen John Smoogen wrote:

> On 4 October 2015 at 03:03, Reindl Harald  wrote:
>
>> is there a reason that the list-subdomain has a SPF record but the main
>> domain not? now that as example "bo...@fedoraproject.org" sends a lot of
>> mails it would make sense to shortcircuit them as ham on spamfilters as it is
>> possible for the mailing-lists
>
> I think the fact that various people use n...@fedoraproject.org as their
> email address. If we put an SPF that bodhi email comes from a certain
> address area, then those people will need to send email also from that
> zone or be treated as SPAM. Of course I could be completely wrong
> here.. and I am ok with that.

well, that people should send their mail from the Fedora servers and not
from a wrong configured random MTA allowing random envelope senders

however, it would make a lot of sense use for infrastructure mails a own
subdomain like "lists.fedoraproject.org" because handling them different
than personal sent mails from probably hacked accounts

BTW - that should also be the bodhi-address and not the karma commenter
as envelope:

Return-Path: lupi...@fedoraproject.org
[Fedora Update] [comment] kde-runtime-15.08.1-2.fc22

>> lists.fedoraproject.org. 300 IN TXT "v=spf1 mx
>> a:lists.fedoraproject.org a:bastion.fedoraproject.org
>> a:bastion02.fedoraproject.org a:bastion01.fedoraproject.org ~all"
>>
>> [harry@srv-rhsoft:~]$ dig TXT fedoraproject.org
>> ; <<>> DiG 9.10.2-P4-RedHat-9.10.2-5.P4.fc22 <<>> TXT fedoraproject.org
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47349
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 1024
>> ;; QUESTION SECTION:
>> ;fedoraproject.org. IN  TXT
>>
>> ;; AUTHORITY SECTION:
>> fedoraproject.org.  120 IN  SOA ns04.fedoraproject.org.
>> hostmaster.fedoraproject.org. 2443921540 3600 600 2419200 86400
>>
>> ;; Query time: 27 msec
>> ;; SERVER: 127.0.0.1#53(127.0.0.1)
>> ;; WHEN: So Okt 04 10:59:15 CEST 2015
>> ;; MSG SIZE  rcvd: 98





Re: SPF records @fedoraproject.org versus @lists.fedoraproject.org

2015-10-05 Thread Stephen John Smoogen
On 4 October 2015 at 03:03, Reindl Harald  wrote:
> is there a reason that the list-subdomain has a SPF record but the main
> domain not? now that as example "bo...@fedoraproject.org" sends a lot of
> mails it would make sense to shortcircuit them as ham on spamfilters as it is
> possible for the mailing-lists

I think the fact that various people use n...@fedoraproject.org as their
email address. If we put an SPF that bodhi email comes from a certain
address area, then those people will need to send email also from that
zone or be treated as SPAM. Of course I could be completely wrong
here.. and I am ok with that.

> 
>
> lists.fedoraproject.org. 300 IN TXT "v=spf1 mx
> a:lists.fedoraproject.org a:bastion.fedoraproject.org
> a:bastion02.fedoraproject.org a:bastion01.fedoraproject.org ~all"
> 
>
> [harry@srv-rhsoft:~]$ dig TXT fedoraproject.org
> ; <<>> DiG 9.10.2-P4-RedHat-9.10.2-5.P4.fc22 <<>> TXT fedoraproject.org
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47349
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1024
> ;; QUESTION SECTION:
> ;fedoraproject.org. IN  TXT
>
> ;; AUTHORITY SECTION:
> fedoraproject.org.  120 IN  SOA ns04.fedoraproject.org.
> hostmaster.fedoraproject.org. 2443921540 3600 600 2419200 86400
>
> ;; Query time: 27 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: So Okt 04 10:59:15 CEST 2015
> ;; MSG SIZE  rcvd: 98

-- 
Stephen J Smoogen.

Re: SPF records @fedoraproject.org versus @lists.fedoraproject.org

2015-10-05 Thread Michel Alexandre Salim
On a related note to that, it would be great if active Fedora contributors
do get to use an SMTP server with SPF and DKIM set up.

-- 
Michel

On Mon, Oct 5, 2015 at 9:47 PM, Marcin Juszkiewicz 
wrote:

> On 05.10.2015 at 16:43, Reindl Harald wrote:
>
>> well, that people should send their mail from the Fedora servers and
>> not from a wrong configured random MTA allowing random envelope
>> senders
>>
>
> Many of those people send their mail from properly configured MTA allowing
> random envelope senders for authenticated users.

Re: SPF records @fedoraproject.org versus @lists.fedoraproject.org

2015-10-05 Thread Kevin Fenzi
On Mon, 5 Oct 2015 16:47:09 +0200
Marcin Juszkiewicz  wrote:

> On 05.10.2015 at 16:43, Reindl Harald wrote:
> > well, that people should send their mail from the Fedora servers and
> > not from a wrong configured random MTA allowing random envelope
> > senders
> 
> Many of those people send their mail from properly configured MTA 
> allowing random envelope senders for authenticated users.

There's no "sending from Fedora servers". 

@fedoraproject.org _aliases_ are just aliases. They aren't real
mailboxes. 

We will never have SPF records for fedoraproject.org. 

The bodhi emails are IMHO a bug: 
https://github.com/fedora-infra/bodhi/issues/626

It should ideally not send them at all (in favor of FMN) or if it has
to for some reason, they should come from a known address and not
pretend to be from the commenter. 

kevin



Re: SPF records @fedoraproject.org versus @lists.fedoraproject.org

2015-10-05 Thread Kevin Fenzi
On Mon, 5 Oct 2015 11:04:40 -0400
Paul Wouters  wrote:

> And openpgpkey-milter :)
> 
> And put in a TLSA record for their MX :)

I don't think it makes much sense for Fedora Infrastructure to get into
the business of being a SMTP server provider. Is this something that
would help forward the goals of the Fedora Project? If so, how?

Additionally I suspect the admin overhead would be large just answering
"Your smtp server sent me spam" type of noise... 

kevin
--
> 
>  Paul
> 
> Sent from my iPhone
> 
> > On Oct 5, 2015, at 10:58, Michel Alexandre Salim
> >  wrote:
> > 
> > On a related note to that, it would be great if active Fedora
> > contributors do get to use an SMTP server with SPF and DKIM set up.
> > 
> > -- 
> > Michel
> > 
> >> On Mon, Oct 5, 2015 at 9:47 PM, Marcin Juszkiewicz
> >>  wrote: On 05.10.2015 at 16:43, Reindl
> >> Harald wrote:
> >>> well, that people should send their mail from the Fedora servers
> >>> and not from a wrong configured random MTA allowing random
> >>> envelope senders
> >> 
> >> Many of those people send their mail from properly configured MTA
> >> allowing random envelope senders for authenticated users.

Re: SPF records @fedoraproject.org versus @lists.fedoraproject.org

2015-10-05 Thread Reindl Harald



On 05.10.2015 at 16:47, Marcin Juszkiewicz wrote:

> On 05.10.2015 at 16:43, Reindl Harald wrote:
>
>> well, that people should send their mail from the Fedora servers and
>> not from a wrong configured random MTA allowing random envelope
>> senders
>
> Many of those people send their mail from properly configured MTA
> allowing random envelope senders for authenticated users

well, and that's why spamfighting is that complicated
a MTA allowing random sender is *not* properly configured

however, at least the bodhi mails should come from a subdomain with a
SPF record or at least DKIM signed which would also hit
"whitelist_auth", alternatively STOP THAT NEW mass mails while using
fedora-easy-karma (which now works after a long time), i know by myself
that i have commented a testing update

i guess you don't use random servers for your @redhat.com

redhat.com. 600 IN TXT "v=spf1
include:u1969764.wl.sendgrid.net include:_spf1.redhat.com
include:_spf2.redhat.com -all"





Re: SPF records @fedoraproject.org versus @lists.fedoraproject.org

2015-10-05 Thread Marcin Juszkiewicz

On 05.10.2015 at 16:58, Reindl Harald wrote:

> On 05.10.2015 at 16:47, Marcin Juszkiewicz wrote:
>
>> Many of those people send their mail from properly configured MTA
>> allowing random envelope senders for authenticated users
>
> well, and that's why spamfighting is that complicated
> a MTA allowing random sender is *not* properly configured

My MTA has to send my emails. I connect, authenticate and provide emails
to send. I may fetch them from many different servers but send them
through one SMTP server.

> i guess you don't use random servers for your @redhat.com

My emails from company address go through company MTA because that's
policy and they can contain confidential information.



Re: SPF records @fedoraproject.org versus @lists.fedoraproject.org

2015-10-05 Thread Reindl Harald



On 05.10.2015 at 17:12, Kevin Fenzi wrote:

> On Mon, 5 Oct 2015 11:04:40 -0400
> Paul Wouters  wrote:
>
>> And openpgpkey-milter :)
>>
>> And put in a TLSA record for their MX :)
>
> I don't think it makes much sense for Fedora Infrastructure to get into
> the business of being a SMTP server provider. Is this something that
> would help forward the goals of the Fedora Project? If so, how?
>
> Additionally I suspect the admin overhead would be large just answering
> "Your smtp server sent me spam" type of noise...

my whole point was that automatic generated mails of infrastructure
should live in a subdomain with a SPF record to handle them different
than ordinary mail - a whitelist_auth / shortcircuit message eats no
resources on an incoming filter and you don't need bayes-training while
SPF prevents forging the sender





Re: SPF records @fedoraproject.org versus @lists.fedoraproject.org

2015-10-05 Thread Reindl Harald



On 05.10.2015 at 17:43, Marcin Juszkiewicz wrote:

> On 05.10.2015 at 16:58, Reindl Harald wrote:
>
>> On 05.10.2015 at 16:47, Marcin Juszkiewicz wrote:
>>
>>> Many of those people send their mail from properly configured MTA
>>> allowing random envelope senders for authenticated users
>>
>> well, and that's why spamfighting is that complicated
>> a MTA allowing random sender is *not* properly configured
>
> My MTA has to send my emails. I connect, authenticate and provide emails
> to send. I may fetch them from many different servers but send them
> through one SMTP server.

RTFM your SMTP servers manual

for such cases our MTA has the SMTP credentials of the sender and uses a
sender-based relay to *not* blow out forged mail, while that's off-topic
here: A records without SPF lead to forged mails and more important
makes it impossible on the RCPT side to distinct between forged and
legit mail for whitelisting and in general

however, off-topic, for the moment i only care about mass mails from the
fedora infrastructure which hits BAYES_50 alerts and i don't want to
train as ham for good reasons





Re: SPF records @fedoraproject.org versus @lists.fedoraproject.org

2015-10-05 Thread Paul Wouters

On Mon, 5 Oct 2015, Kevin Fenzi wrote:

> On Mon, 5 Oct 2015 11:04:40 -0400
> Paul Wouters  wrote:
>
>> And openpgpkey-milter :)
>>
>> And put in a TLSA record for their MX :)
>
> I don't think it makes much sense for Fedora Infrastructure to get into
> the business of being a SMTP server provider. Is this something that
> would help forward the goals of the Fedora Project? If so, how?

I wasn't referring to Fedora Infrastructure, but to people running fedora
for their mail servers.

That said, if we run MX for fedoraproject.org, we should also do that of
course :)

Paul

SPF records @fedoraproject.org versus @lists.fedoraproject.org

2015-10-04 Thread Reindl Harald
is there a reason that the list-subdomain has a SPF record but the main
domain not? now that as example "bo...@fedoraproject.org" sends a lot of
mails it would make sense to shortcircuit them as ham on spamfilters as
it is possible for the mailing-lists



lists.fedoraproject.org. 300 IN TXT "v=spf1 mx
a:lists.fedoraproject.org a:bastion.fedoraproject.org
a:bastion02.fedoraproject.org a:bastion01.fedoraproject.org ~all"



[harry@srv-rhsoft:~]$ dig TXT fedoraproject.org
; <<>> DiG 9.10.2-P4-RedHat-9.10.2-5.P4.fc22 <<>> TXT fedoraproject.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47349
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1024
;; QUESTION SECTION:
;fedoraproject.org. IN  TXT

;; AUTHORITY SECTION:
fedoraproject.org.  120 IN  SOA ns04.fedoraproject.org. 
hostmaster.fedoraproject.org. 2443921540 3600 600 2419200 86400


;; Query time: 27 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: So Okt 04 10:59:15 CEST 2015
;; MSG SIZE  rcvd: 98
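
How a receiving filter would see the two domains compared in this post, as an added example that is not part of the original message or of Fedora's infrastructure: a minimal evaluator for the SPF mechanisms in the quoted record, run against a constructed DNS table. All IP addresses and the MX host name are placeholder assumptions; only the TXT value is taken from the post.

```python
import ipaddress

# Constructed stand-in for DNS. The TXT value is the record quoted in the
# thread; every address and the MX host are constructed placeholders.
ZONE = {
    ("lists.fedoraproject.org", "TXT"): [
        "v=spf1 mx a:lists.fedoraproject.org a:bastion.fedoraproject.org "
        "a:bastion02.fedoraproject.org a:bastion01.fedoraproject.org ~all"],
    ("lists.fedoraproject.org", "MX"): ["mx.example.test"],
    ("mx.example.test", "A"): ["192.0.2.10"],
    ("lists.fedoraproject.org", "A"): ["192.0.2.20"],
    ("bastion.fedoraproject.org", "A"): ["192.0.2.30"],
    ("bastion01.fedoraproject.org", "A"): ["192.0.2.31"],
    ("bastion02.fedoraproject.org", "A"): ["192.0.2.32"],
    # fedoraproject.org: no TXT entry, matching the ANSWER: 0 dig output.
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return ZONE.get((name.rstrip(".").lower(), rtype), [])


def check_host(client_ip, domain):
    """Evaluate the SPF subset used in the quoted record: mx, a:<host>, all."""
    ip = ipaddress.ip_address(client_ip)
    records = [t for t in lookup(domain, "TXT") if t.lower().startswith("v=spf1")]
    if not records:
        return "none"            # domain publishes no SPF policy
    if len(records) > 1:
        return "permerror"       # more than one SPF record is an error
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        target = arg or domain
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech == "a":
            hosts = [target]
        elif mech == "mx":
            hosts = lookup(target, "MX")
        else:
            return "permerror"   # mechanism outside this subset (e.g. include)
        addrs = {ipaddress.ip_address(a) for h in hosts for a in lookup(h, "A")}
        if ip in addrs:
            return QUALIFIERS[qualifier]
    return "neutral"             # no mechanism matched and no "all" term


def may_shortcircuit(client_ip, envelope_domain):
    """Whitelist-by-authentication shortcut: only an SPF pass qualifies."""
    return check_host(client_ip, envelope_domain) == "pass"
```

With no TXT record on fedoraproject.org the result is `none` for every client address, so a filter has nothing to authenticate the envelope sender against, while the list subdomain yields `pass` for its listed hosts and `softfail` for everything else.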


