Re: regarding ssl certificates

2019-03-15 Thread Michael A. Peters via dovecot

With PKIX validation the certificate should match the hostname.

With SMTP, the hostname should match the reverse IP, though often it does 
not.


Using subdomains gives you flexibility.

With DANE validation, it is DNSSEC that validates the fingerprint to the 
hostname, so I do not believe there is a need for the hostname in the 
cert to match anything; but DANE validation is currently not used by any 
mail user agents, only PKIX validation is used by mail user agents.


DANE is used MTA to MX quite frequently however, so it may come to 
mail user agents in the near future (near being within a decade or so).


On 3/14/19 10:03 PM, Gary via dovecot wrote:

Is there some reason to use a mail.domain.com cert for mail rather than just 
using domain.com for everything?

Historically the subdomains were used because they were on different hardware. 
That is, www was on one machine and mail was on another.


  Original Message

From: dovecot@dovecot.org
Sent: March 14, 2019 3:56 PM
To: dovecot@dovecot.org
Reply-to: jtam.h...@gmail.com
Subject: Re: regarding ssl certificates


mick crane wrote:


Apache2 default install has this snake oil certificate
Can make a new one for apache


I won't go over some of the excellent points in previous posts,
but I will mention SAN as a third type of certificate you can make.
LetsEncrypt supports this type of certificate.

This is halfway between single CN and wildcard certificate where you can
combine many hostnames (up to 1000?) into one certificate.  This may
be useful if you want the convenience of handling fewer certificates,
without having an unbounded wildcard certificate (the latter also requires
control over your DNS).  I use this for SMTPAUTH, POP3, IMAP and webmail
services since they are all on one server.

Then Stephan von Krawczynski wrote:


Sorry I have to write this, but this is again pointing people in a fake
security direction.
The only valid authority for a certificate is the party using it. Any third
party with unknown participants cannot be a "Certificate Authority" in its
true sense. This is why you should see "Let's Encrypt" simply as a cheap way
to fake security. It is a US entity, which means it _must_ hand out all
necessary keys to fake certificates to the US authorities _by law_.
Now probably you can imagine why they are giving the certificates out for
free. US authorities can compromise all of them - without any "open knowledge".


Wow, you packed a lot of fear, uncertainty and doubt (and some
misinformation) into one paragraph.  I'll leave it at that.

Joseph Tam 
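The two points made above, PKIX name matching against a SAN certificate (the "third type" in Joseph Tam's post) and DANE binding a public-key digest rather than a name (Michael Peters' reply), as an added example that is not part of the thread. It assumes only the openssl command line tool (1.1.1 or later, for -addext); mail.example.com, example.com and *.example.net are placeholder names, and the certificate is self-signed purely so the name check can be exercised without a CA.

```shell
#!/bin/sh
# Added example, not code from the thread. Requires the openssl CLI (1.1.1 or
# later for -addext). Names under example.com/example.net are placeholders.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a self-signed test certificate whose subjectAltName lists several
# service names, the shape of a SAN certificate Let's Encrypt would issue.
# Modern validators match the hostname against SAN entries, not the CN.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
        -subj "/CN=mail.example.com" \
        -addext "subjectAltName=DNS:mail.example.com,DNS:example.com,DNS:*.example.net" \
        >/dev/null 2>&1
}

# PKIX hostname check (RFC 6125 rules as implemented by OpenSSL): exit 0 if
# the certificate covers the name, non-zero otherwise. The certificate is
# used as its own trust anchor so that only the name comparison can fail.
matches_host() {
    openssl verify -CAfile "$WORK/cert.pem" -verify_hostname "$1" \
        "$WORK/cert.pem" >/dev/null 2>&1
}

# DANE TLSA matching data for a "3 1 1" record: SHA-256 over the DER
# SubjectPublicKeyInfo. With DANE-EE (usage 3) the DNSSEC-signed TLSA record
# binds this digest to the MX host name; the names inside the certificate
# are not consulted at all.
tlsa_311() {
    openssl x509 -in "$WORK/cert.pem" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 \
        | sed 's/^.*= *//'
}

make_cert
# A bare domain.com certificate would not cover mail.domain.com, and a
# wildcard covers exactly one label: *.example.net does not match
# example.net itself nor a.b.example.net.
for host in mail.example.com example.com imap.example.net \
            example.net a.b.example.net www.example.com; do
    if matches_host "$host"; then
        echo "PKIX: $host is covered"
    else
        echo "PKIX: $host is NOT covered"
    fi
done
echo "_25._tcp.mail.example.com. IN TLSA 3 1 1 $(tlsa_311)"
```

Rotating the key changes the TLSA digest, so with DANE the DNS record has to be updated (and the old one kept through its TTL) on every renewal; with PKIX only the names matter, which is why a SAN or wildcard certificate can be renewed freely as long as the name list is right.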





Re: offtopic: rant about thoughtless enabling DMARC checks

2019-02-10 Thread Michael A. Peters via dovecot

On 2/10/19 3:46 PM, Michael A. Peters via dovecot wrote:

On 2/10/19 3:42 PM, Noel Butler via dovecot wrote:

On 10/02/2019 12:49, Benny Pedersen via dovecot wrote:



Fixing mailman will be the fail; solve it by letting opendkim and 
opendmarc not reject detected mailing lists, that will be the solution.



A general broad mailing list whitelist will be problematic; to work it 
needs to look for specific list type hidden headers, and spammers and 
nasties will incorporate those headers into their trash that 
impersonates mailing lists and voila, they pass.


However, the majority of spammers do not spam with a properly configured 
reverse DNS, so detect the list header and skip DMARC if list headers 
are present AND reverse DNS matches the HELO/EHLO.




Also, DMARC isn't really anti-spam technology, it's anti-spoof technology.

Rather than fake mail list headers, spammers will just use domains w/o a 
DMARC policy. Much easier.


Re: offtopic: rant about thoughtless enabling DMARC checks

2019-02-10 Thread Michael A. Peters via dovecot

On 2/10/19 3:42 PM, Noel Butler via dovecot wrote:

On 10/02/2019 12:49, Benny Pedersen via dovecot wrote:



Fixing mailman will be the fail; solve it by letting opendkim and 
opendmarc not reject detected mailing lists, that will be the solution.



A general broad mailing list whitelist will be problematic; to work it 
needs to look for specific list type hidden headers, and spammers and 
nasties will incorporate those headers into their trash that 
impersonates mailing lists and voila, they pass.


However, the majority of spammers do not spam with a properly configured 
reverse DNS, so detect the list header and skip DMARC if list headers 
are present AND reverse DNS matches the HELO/EHLO.




Re: offtopic: rant about thoughtless enabling DMARC checks [was: Re: Bounces?]

2019-02-09 Thread Michael A. Peters via dovecot

On 2/9/19 11:13 AM, Michael A. Peters via dovecot wrote:

On 2/9/19 10:48 AM, Juri Haberland via dovecot wrote:

*snip*


Honestly I was sort of tempted to try and create my own DMARC validator 
(I was thinking one daemon that does both DKIM and DMARC for Postfix; 
Exim has DKIM native but I only use Exim for submission) that tried to 
sniff Mailman and not enforce it, but it looks like it would be very 
time-consuming.




What I wanted to do was sniff Mailman in headers and, if it was sent by 
mail, reject if reverse DNS didn't match HELO/EHLO and whitelist from 
OpenDMARC enforcement if it did. That would prevent most spoofed mail that 
tried to look like Mailman, since spoofed mail rarely has reverse DNS 
properly set up but Mailman admins tend to.
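The gate sketched in this message and in the 2019-02-10 reply (exempt from DMARC enforcement only when mailing-list headers are present AND the sending host's reverse DNS matches its HELO/EHLO), as an added example; it is not code from the thread, Mailman, OpenDKIM or OpenDMARC. It assumes the DMARC verdict and the published policy come from an existing validator, takes the RFC 2369/2919 List-* headers as the "Mailman" signal, and uses constructed DNS data and messages through injected lookup functions so it runs offline.

```python
"""
Added example (not code from the thread, Mailman, OpenDKIM or OpenDMARC):
a gate that exempts a message from DMARC enforcement only if it carries
mailing-list headers AND the connecting host's reverse DNS is
forward-confirmed and matches its HELO/EHLO name.  The DMARC verdict and
policy are assumed to come from an upstream validator; DNS lookups are
injected as functions so the example runs offline on constructed data.
"""
from email import message_from_string
from email.message import Message
from typing import Callable, Dict, List

PtrLookup = Callable[[str], List[str]]   # ip -> PTR names
ALookup = Callable[[str], List[str]]     # name -> A/AAAA addresses

# Headers that RFC 2369 / RFC 2919 list managers such as Mailman add.
LIST_HEADERS = ("List-Id", "List-Post", "List-Unsubscribe", "List-Archive")


def has_list_headers(msg: Message) -> bool:
    """True if at least one RFC 2369/2919 list header is present."""
    return any(msg.get(h) is not None for h in LIST_HEADERS)


def helo_matches_rdns(client_ip: str, helo: str,
                      ptr_lookup: PtrLookup, a_lookup: ALookup) -> bool:
    """Forward-confirmed reverse DNS: PTR(ip) names the HELO host and
    A(HELO) resolves back to the same ip.  Either leg alone can be faked by
    whoever controls one zone; requiring both is what makes it useful."""
    name = helo.rstrip(".").lower()
    ptr_names = {n.rstrip(".").lower() for n in ptr_lookup(client_ip)}
    if name not in ptr_names:
        return False
    return client_ip in set(a_lookup(name))


def dmarc_disposition(msg: Message, client_ip: str, helo: str,
                      dmarc_result: str, policy: str,
                      ptr_lookup: PtrLookup, a_lookup: ALookup) -> str:
    """Combine an upstream DMARC verdict ("pass"/"fail") and the published
    policy ("none"/"quarantine"/"reject") with the list exemption.  Returns
    "accept", "accept-list-exempt", "quarantine" or "reject"."""
    if dmarc_result == "pass" or policy == "none":
        return "accept"
    if has_list_headers(msg):
        if helo_matches_rdns(client_ip, helo, ptr_lookup, a_lookup):
            # A real list relay: the From: domain's DMARC failure is the
            # expected result of list rewriting, not a spoof.
            return "accept-list-exempt"
        # List headers from a host whose rDNS does not back its HELO: the
        # forged-list-header trick.  Fall through to the published policy.
    return "quarantine" if policy == "quarantine" else "reject"


# Constructed DNS data (documentation address ranges): a list server with
# proper FCrDNS, and a spam source whose PTR does not match its HELO.
_PTR = {"198.51.100.10": ["lists.example.org."],
        "203.0.113.77": ["dyn-77.isp.example."]}
_A = {"lists.example.org": ["198.51.100.10"],
      "mail.example.org": ["203.0.113.77"]}


def fake_ptr(ip: str) -> List[str]:
    return _PTR.get(ip, [])


def fake_a(name: str) -> List[str]:
    return _A.get(name, [])


# Constructed messages.  Both fail DMARC for the From: domain (assumed to
# publish p=reject); only the first is relayed by a genuine list host.
LIST_MSG = """From: Alice <alice@strict.example>
To: dovecot@lists.example.org
Subject: [Dovecot] rdns question
List-Id: Dovecot Mailing List <dovecot.lists.example.org>
List-Post: <mailto:dovecot@lists.example.org>
Sender: dovecot-bounces@lists.example.org

body
"""
FORGED_LIST_MSG = LIST_MSG  # identical headers; only the sending host differs
PLAIN_SPOOF_MSG = """From: Alice <alice@strict.example>
To: bob@example.org
Subject: urgent invoice

body
"""


def decide(raw: str, client_ip: str, helo: str,
           dmarc_result: str, policy: str) -> str:
    """Parse a raw message and run the gate against the constructed DNS."""
    return dmarc_disposition(message_from_string(raw), client_ip, helo,
                             dmarc_result, policy, fake_ptr, fake_a)


def run_cases() -> Dict[str, str]:
    """The three constructed cases, all with a DMARC fail and p=reject."""
    return {
        "genuine list relay": decide(LIST_MSG, "198.51.100.10",
                                     "lists.example.org", "fail", "reject"),
        "forged list headers": decide(FORGED_LIST_MSG, "203.0.113.77",
                                      "mail.example.org", "fail", "reject"),
        "plain spoof": decide(PLAIN_SPOOF_MSG, "203.0.113.77",
                              "mail.example.org", "fail", "reject"),
    }


if __name__ == "__main__":
    for case, action in run_cases().items():
        print(f"{case:22s} -> {action}")
```

The exemption is deliberately narrow: it does nothing when DMARC passes or the policy is p=none, and a copied List-Id on its own buys the sender nothing unless the relay also has matching forward-confirmed reverse DNS, which is the part a throwaway spam host usually cannot arrange.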


Re: offtopic: rant about thoughtless enabling DMARC checks [was: Re: Bounces?]

2019-02-09 Thread Michael A. Peters via dovecot

On 2/9/19 10:48 AM, Juri Haberland via dovecot wrote:

On 09/02/2019 10:44, Aki Tuomi via dovecot wrote:

For some reason mailman failed to "munge from" for senders with dmarc policy ;(

It's now configured to always munge to avoid this again.


I'd say, let Mailman throw all people off the list that have enabled DMARC
checking without using exceptions for the lists they are on. It's a known
fact that DMARC does not cope well with mailing lists. Blindly enabling
DMARC checks without thinking about the consequences for themselves should
not be the problem of other well behaving participants.

Most people use OpenDMARC and there are patches to mark certain hosts as
mailing lists senders, so it is possible.


can you please let me know where to find those patches?

I ran DMARC in testing on one domain and had to disable it because over 
95% of the reports were false positives from mailing lists, and the few 
that were genuine spoofed would have easily been caught by spam/malware 
filters anyway.


However, for a project I am working on, DMARC is highly desired. Designing a 
whitelist for known mailing lists is something I want to do.


Honestly I was sort of tempted to try and create my own DMARC validator 
(I was thinking one daemon that does both DKIM and DMARC for Postfix; 
Exim has DKIM native but I only use Exim for submission) that tried to 
sniff Mailman and not enforce it, but it looks like it would be very 
time-consuming.