Re: https://www.postfix.org/ in trouble

2022-01-16 Thread Claus R. Wickinghoff 

Hi,


nobody is required to support or provide technologies just because you like
them.


In the beginning of the "any website needs to be encrypted" campaign I 
didn't get the point behind. Finally I understood, that in some 
countries encrypted data transfers are observed by the government/regime 
and anybody doing so is suspicious. So the only valid point here is to 
produce as much (useless) encrypted data traffic as possible to give 
these people a chance to hide in between.


Actually we should have reached this because a lot of sites already 
offer encrypted versions and most browsers try to establish an encrypted 
connection if possible.


Within the EU we have additionally the GDPR, that protects private data 
(e.g. cookies, lol). So you may not use cookies if the connection is not 
encrypted.


For the postfix website I don't see any necessity to switch to an 
encrypted version. We don't have the cookie-problem here and there is 
already enough encrypted traffic out there (to be realistic, the postfix 
web site is producing very little traffic on global scale I assume).


So it would be nice to have for solidarity but if there are arguments 
against (like the actual setup with the provider) it's still ok and 
working and safe.


Groetjes
   Claus



--
Claus R. Wickinghoff, Dipl.-Ing.
using Linux since 1994 and still happy... :-)

Re: https://www.postfix.org/ in trouble

2022-01-16 Thread Matus UHLAR - fantomas 

On 16.01.22 06:08, * Neustradamus * wrote:

Subject: Re: https://www.postfix.org/ in trouble



I am very happy to read all messages about the postfix.org website, thanks to 
relaunch this very old problem!


there is no problem and no trouble.


In 2019, more than 2 years, I have already informed the problem in users and 
dev list:
- https://marc.info/?l=postfix-users=157387961926385=2
"
In the same time, it does not work:
- http://postfix.org/
- https://postfix.org/
- https://www.postfix.org/
"


nobody is required to support or provide technologies just because you like
them.

You can trust postfix developers that they much about security. Apparently
more than you.


Recently, I have said here https://marc.info/?t=16422386331=1=2:
Redirect all links http://www.postfix.org/* + http://postfix.org/* to 
https://postfix.org/*

The goal is to have the main website https://postfix.org/ and all links must be 
redirected to the same https://postfix.org/exampleofpage link without lost with 
.htaccess rules.


there are better ways to handle that than .htaccess rules, since we already
talk abnout that.


My 2022 thread about it:
- https://marc.info/?t=16422386331=1=2

We will enter in the future when it will be done!


I don't think that repeated bugging will get you anywhere.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Chernobyl was an Windows 95 beta test site.

Re: https://www.postfix.org/ in trouble

2022-01-16 Thread Ralph Seichter 
* neustrada...@hotmail.com:

> The goal is to have the main website https://postfix.org/ and all
> links must be redirected to the same https://postfix.org/exampleofpage
> link without lost with .htaccess rules.
>
> [...]
>
> We will enter in the future when it will be done!

Oooh, the drama. :-)

The issue (not problem!) is well known, it has been coming up repeatedly
over the years, and the latest iteration happened in the first week of
January 2022.

Why would you believe that you bringing up the same subject in a new
thread yet again, a few days later, and without providing the least bit
of new information, is necessary, let alone beneficial? Is the reason
that (a) you did not check the archives beforehand, or (b) you somehow
think that you stating the obvious carries more weight than what other
list members already wrote?

Viktor was quite clear in [1]:

>> The hosting arrangements for Postfix.org don't currently include
>> HTTPS support. The data is all public, and there's little incentive
>> to take the effort to make the necessary changes.

[1] https://marc.info/?l=postfix-users=164151969101894=2

Like it or not, this clearly signals "end of story" until the hosting
arrangements change (if they change).

-Ralph

Re: https://www.postfix.org/ in trouble

2022-01-15 Thread * Neustradamus * 
Sorry, I have forgotten too:

On 19 Apr 2020 and 23 May 2020:
- https://github.com/vdukhovni/danecheck/issues/8

"
Dear Viktor,

There are several problems:
- http://posftix.org/ does not work
- https://posftix.org/ does not work
- https://www.posftix.org/ does not work

Only http://www.posftix.org/ and it is not secure.

Can you solve it?

It will be better to have only and all other redirected to this address:
- https://posftix.org/

To have for example:
- http://postfix.org/announcements.html -> 
https://postfix.org/announcements.html
- https://postfix.org/announcements.html -> 
https://postfix.org/announcements.html
- https://www.postfix.org/announcements.html -> 
https://postfix.org/announcements.html
"
--

"Dear Viktor,

Any news?

https://dropwww.com/why
"

---

Thanks in advance.

Regards,

Neustradamus


From: owner-postfix-us...@postfix.org  on 
behalf of * Neustradamus * 
Sent: Sunday, January 16, 2022 07:08
To: Jaap van Wingerde; postfix-users@postfix.org
Subject: Re: https://www.postfix.org/ in trouble

Dear all,

I wish you a Happy New Year 2022!

I am very happy to read all messages about the postfix.org website, thanks to 
relaunch this very old problem!

In 2019, more than 2 years, I have already informed the problem in users and 
dev list:
- https://marc.info/?l=postfix-users=157387961926385=2

"
In the same time, it does not work:
- http://postfix.org/
- https://postfix.org/
- https://www.postfix.org/
"

Recently, I have said here https://marc.info/?t=16422386331=1=2:
Redirect all links http://www.postfix.org/* + http://postfix.org/* to 
https://postfix.org/*

The goal is to have the main website https://postfix.org/ and all links must be 
redirected to the same https://postfix.org/exampleofpage link without lost with 
.htaccess rules.

My 2022 thread about it:
- https://marc.info/?t=16422386331=1=2

We will enter in the future when it will be done!

Thanks in advance.

Regards,

Neustradamus

From: owner-postfix-us...@postfix.org  on 
behalf of Jaap van Wingerde 
Sent: Monday, January 3, 2022 14:48
To: postfix-users@postfix.org
Subject: https://www.postfix.org/ in trouble

All the urls on https://www.postfix.org give an 'Not found'error, and a
'SSL_ERROR_BAD_CERT_DOMAIN' error.

Re: https://www.postfix.org/ in trouble

2022-01-15 Thread * Neustradamus * 
Dear all,

I wish you a Happy New Year 2022!

I am very happy to read all messages about the postfix.org website, thanks to 
relaunch this very old problem!

In 2019, more than 2 years, I have already informed the problem in users and 
dev list:
- https://marc.info/?l=postfix-users=157387961926385=2

"
In the same time, it does not work:
- http://postfix.org/
- https://postfix.org/
- https://www.postfix.org/
"

Recently, I have said here https://marc.info/?t=16422386331=1=2:
Redirect all links http://www.postfix.org/* + http://postfix.org/* to 
https://postfix.org/*

The goal is to have the main website https://postfix.org/ and all links must be 
redirected to the same https://postfix.org/exampleofpage link without lost with 
.htaccess rules.

My 2022 thread about it:
- https://marc.info/?t=16422386331=1=2

We will enter in the future when it will be done!

Thanks in advance.

Regards,

Neustradamus

From: owner-postfix-us...@postfix.org  on 
behalf of Jaap van Wingerde 
Sent: Monday, January 3, 2022 14:48
To: postfix-users@postfix.org
Subject: https://www.postfix.org/ in trouble

All the urls on https://www.postfix.org give an 'Not found'error, and a
'SSL_ERROR_BAD_CERT_DOMAIN' error.

Re: https://www.postfix.org/ in trouble

2022-01-11 Thread Charles Sprickman 


> On Jan 11, 2022, at 2:07 PM, Dan Mahoney  wrote:
> 
> 
> 
>> On Jan 11, 2022, at 10:38 AM, Claus R. Wickinghoff > > wrote:
>> 
>> Mojn,
>> 
>>> Today I find only a directory listing at www.postfix.org 
>>>  or www.postfix.com 
>> With http it's working.
>> 
>> With https I get a certificate warning (issued for archive.science.uu.nl 
>> ) and a directory listing.
>> 
>> So might be a regional problem?
> 
> Regional?
> 
> There's no vhost configured for www.postfix.org:443 
> , that's why you're seeing a different site.
> 
> The site that's answering is the first one configured in apache for 
> 131.211.31.189:443, and thus will answer regardless of which Host: header is 
> sent, just as if you browsed to it via IP address.  (Which would also give 
> you a cert mismatch warning).

It’s an odd thing for a major project like Postfix to have this type of setup.

If someone types “https://www.postfix.org/ “, or has 
a browser that uses https by default, and accepts any warnings, they land on 
another site.

And if the answer is “don’t accept the override”, I mean I guess maybe someone 
will try http eventually, or they may figure the whole thing is screwy and just 
go hunting for a mirror...

Just a weird hill to die on. Certs are free.

Charles

> 
> If we want something to be concerned about, the apache version is like...40 
> minor versions out of date.   (2.4.6 -- it could be lying about its version).
> 
> -Dan

Re: https://www.postfix.org/ in trouble

2022-01-11 Thread Joe Acquisto-j4 
> Date: Tuesday, January 11, 2022 19:38:05 +0100
>> From: "Claus R. Wickinghoff" 
>> 
Today I find only a directory listing at www.postfix.org or
>>> www.postfix.com 
>> With http it's working.
>> 
>> With https I get a certificate warning (issued for
>> archive.science.uu.nl) and a directory listing.
>> 
>> So might be a regional problem?
>> 
> 
> See the list archive for a discussion of this earlier this month,
> specifically:
>   
>
> 
> Nothing is broken, https just isn't supported.

Sorry for the noise, apparently I changed something in my browser to require 
https.
Odd that.

joe a.

Re: https://www.postfix.org/ in trouble

2022-01-11 Thread Dan Mahoney 


> On Jan 11, 2022, at 10:38 AM, Claus R. Wickinghoff  
> wrote:
> 
> Mojn,
> 
>> Today I find only a directory listing at www.postfix.org or www.postfix.com
> With http it's working.
> 
> With https I get a certificate warning (issued for archive.science.uu.nl) and 
> a directory listing.
> 
> So might be a regional problem?

Regional?

There's no vhost configured for www.postfix.org:443 
, that's why you're seeing a different site.

The site that's answering is the first one configured in apache for 
131.211.31.189:443, and thus will answer regardless of which Host: header is 
sent, just as if you browsed to it via IP address.  (Which would also give you 
a cert mismatch warning).

If we want something to be concerned about, the apache version is like...40 
minor versions out of date.   (2.4.6 -- it could be lying about its version).

-Dan

Re: https://www.postfix.org/ in trouble

2022-01-11 Thread Richard 


> Date: Tuesday, January 11, 2022 19:38:05 +0100
> From: "Claus R. Wickinghoff" 
> 
>> Today I find only a directory listing at www.postfix.org or
>> www.postfix.com
> With http it's working.
> 
> With https I get a certificate warning (issued for
> archive.science.uu.nl) and a directory listing.
> 
> So might be a regional problem?
> 

See the list archive for a discussion of this earlier this month,
specifically:
  
   

Nothing is broken, https just isn't supported.

Re: https://www.postfix.org/ in trouble

2022-01-11 Thread Claus R. Wickinghoff 

Mojn,


Today I find only a directory listing at www.postfix.org or www.postfix.com

With http it's working.

With https I get a certificate warning (issued for 
archive.science.uu.nl) and a directory listing.


So might be a regional problem?

Groetjes
   Claus


--
Claus R. Wickinghoff, Dipl.-Ing.
using Linux since 1994 and still happy... :-)

Re: https://www.postfix.org/ in trouble

2022-01-11 Thread Joe Acquisto-j4 
> raf wrote:
>> Being flippant, it would protect against a
>> man-in-the-middle-attack where someone tricks you into
>> reading false online documentation. :-)
> 
> Why bother?  Most of us can misread the docs perfectly well all on our 
> own...  
> 
> -kgd

Today I find only a directory listing at www.postfix.org or www.postfix.com 

joe a.

Re: https://www.postfix.org/ in trouble

2022-01-07 Thread Kris Deugau 

raf wrote:

Being flippant, it would protect against a
man-in-the-middle-attack where someone tricks you into
reading false online documentation. :-)


Why bother?  Most of us can misread the docs perfectly well all on our 
own...  


-kgd

Re: https://www.postfix.org/ in trouble

2022-01-07 Thread Nilo César Teixeira 
>
>
> It also prevents some browsers from indicating that a
> site is "insecure", but anyone going directly to
> www.postfix.org will know better than to worry about
> that.
>

Yes, the suggestion was mainly to ease new direct user accesses to
postfix.org, which nowadays don't require the protocol on the address bar
anymore, and break because there isn't SSL configured there. Not worried
about any other use case.

Re: https://www.postfix.org/ in trouble

2022-01-06 Thread raf 
On Fri, Jan 07, 2022 at 01:42:40AM +, Antonio Leding  
wrote:

> Not sure if this is a question for the community or just the devs but one of
> the credos this user swears by is “If it isn’t broken, then don’t go fixin’
> it…”
> 
> There’s this FUD out there that all sites MUST be https.  Of course I
> disagree with this sentiment but perhaps there is something I’m missing.
> 
> So, to the community:  What is gained by requiring postfix.org to use https?



I doubt that anyone can require this (other than Wietse
of course).

Supporting HTTPS is supposed to make Google rank a page
higher, but any Google search for Postfix will show
www.postfix.org as the first search result anyway, so
that's not a gain.

It also prevents some browsers from indicating that a
site is "insecure", but anyone going directly to
www.postfix.org will know better than to worry about
that.

Confidentiality isn't important since it's publicly
available software.

The only thing that is truly gained is Integrity: the
assurance that there's no man-in-the-middle attack
between you and the site modifying data en route. But
if you think someone will trick you into downloading a
false version of the Postfix software, you can check
the signature. Or download it from one of the mirror
sites that do HTTPS, and then check the signature. Or
install it via your system's package manager which will
automatically check the package's signature. So no gain
there.

Being flippant, it would protect against a
man-in-the-middle-attack where someone tricks you into
reading false online documentation. :-)

Having said all that, I doubt that there's much harm in
it these days (except when root CAs expire of course,
and plain HTTP access has been turned off). :-)

Less flippantly, confidentiality and integrity do
matter in general. That's why Google encourages HTTPS,
and why LetsEncrypt exists. For many sites, it really
does matter. For others, it's not that important. But
it's the better default preference.



cheers,
raf

Re: https://www.postfix.org/ in trouble

2022-01-06 Thread Viktor Dukhovni 
On Thu, Jan 06, 2022 at 10:34:19PM -0300, Nilo César Teixeira wrote:

> First message on this group, thanks for all good advice so far.
> 
> Regarding https, why not host Postfix website here:
> https://pages.github.com/ ?

The hosting arrangements for Postfix.org don't currently include HTTPS
support.  The data is all public, and there's little incentive to take
the effort to make the necessary changes.

> We could leverage auto https ideally, but perhaps for custom domain certbot
> would be necessary haven't researched yet.

If you feel that your queries to www.postfix.org deserve protection
from passive monitoring, you can use:

https://vdukhovni.github.io/postfix/

but I don't always update the HTML docs there in a timely manner.  I did
update them a month or two back, so presently you'd be looking at the
docs as of a recent 3.7 snapshot.

-- 
Viktor.

Re: https://www.postfix.org/ in trouble

2022-01-06 Thread Antonio Leding 
Not sure if this is a question for the community or just the devs but 
one of the credos this user swears by is “If it isn’t broken, then 
don’t go fixin’ it…”


There’s this FUD out there that all sites MUST be https.  Of course I 
disagree with this sentiment but perhaps there is something I’m 
missing.


So, to the community:  What is gained by requiring postfix.org to use 
https?


- - -

On 6 Jan 2022, at 17:34, Nilo César Teixeira wrote:


Hi,

First message on this group, thanks for all good advice so far.

Regarding https, why not host Postfix website here:
https://pages.github.com/ ?

We could leverage auto https ideally, but perhaps for custom domain 
certbot

would be necessary haven't researched yet.


Em seg., 3 de jan. de 2022 11:29, Viktor Dukhovni <
postfix-us...@dukhovni.org> escreveu:


On Mon, Jan 03, 2022 at 03:19:36PM +0100, Jaap van Wingerde wrote:


try plaintext http: http://www.postfix.org/ currently works for me.


Firefox (with 'only-https' off, still redirects to https).


Then you've failed to completely turn off 'only-https'.  The pages at
"http://www.postfix.org/; load just fine with the latest Firefox 
95.0.2.


There's no imminent risk of browsers dropping HTTP support.  They 
just

flag the connection as "insecure".

--
Viktor.

Re: https://www.postfix.org/ in trouble

2022-01-06 Thread Nilo César Teixeira 
Hi,

First message on this group, thanks for all good advice so far.

Regarding https, why not host Postfix website here:
https://pages.github.com/ ?

We could leverage auto https ideally, but perhaps for custom domain certbot
would be necessary haven't researched yet.


Em seg., 3 de jan. de 2022 11:29, Viktor Dukhovni <
postfix-us...@dukhovni.org> escreveu:

> On Mon, Jan 03, 2022 at 03:19:36PM +0100, Jaap van Wingerde wrote:
>
> > > try plaintext http: http://www.postfix.org/ currently works for me.
> >
> > Firefox (with 'only-https' off, still redirects to https).
>
> Then you've failed to completely turn off 'only-https'.  The pages at
> "http://www.postfix.org/; load just fine with the latest Firefox 95.0.2.
>
> There's no imminent risk of browsers dropping HTTP support.  They just
> flag the connection as "insecure".
>
> --
> Viktor.
>

Re: https://www.postfix.org/ in trouble

2022-01-03 Thread Viktor Dukhovni 
On Mon, Jan 03, 2022 at 03:19:36PM +0100, Jaap van Wingerde wrote:

> > try plaintext http: http://www.postfix.org/ currently works for me.
> 
> Firefox (with 'only-https' off, still redirects to https).

Then you've failed to completely turn off 'only-https'.  The pages at
"http://www.postfix.org/; load just fine with the latest Firefox 95.0.2.

There's no imminent risk of browsers dropping HTTP support.  They just
flag the connection as "insecure".

-- 
Viktor.

Re: https://www.postfix.org/ in trouble

2022-01-03 Thread Demi Marie Obenour 
On 1/3/22 09:08, Alexey Shpakovsky wrote:
> On Mon, January 3, 2022 14:48, Jaap van Wingerde wrote:
>> All the urls on https://www.postfix.org give an 'Not found'error, and a
>> 'SSL_ERROR_BAD_CERT_DOMAIN' error.
>>
> 
> try plaintext http: http://www.postfix.org/ currently works for me.

Browsers are starting to deprecate that, though.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)

OpenPGP_0xB288B55FFF9C22C1.asc
Description: OpenPGP public key


OpenPGP_signature
Description: OpenPGP digital signature

Re: https://www.postfix.org/ in trouble

2022-01-03 Thread Jaap van Wingerde 
Op 2022-01-03T15:08:08+0100 schreef Alexey Shpakovsky
 in bericht
,
inzake: https://www.postfix.org/ in trouble> het volgende.

> try plaintext http: http://www.postfix.org/ currently works for me.

Firefox (with 'only-https' off, still redirects to https). Chromium
shows the working http-site.

Re: https://www.postfix.org/ in trouble

2022-01-03 Thread Jaap van Wingerde 
The main page directs to "Apache Software Foundation Distribution
Directory".



Op 2022-01-03T14:48:36+0100 schreef Jaap van Wingerde
 in bericht
, inzake:
<https://www.postfix.org/ in trouble> het volgende.

> All the urls on https://www.postfix.org give a 'Not found' error, and
> a 'SSL_ERROR_BAD_CERT_DOMAIN' error. 
>

Re: https://www.postfix.org/ in trouble

2022-01-03 Thread Jason Hirsh 
No problem with the below NON secure url

> On Jan 3, 2022, at 9:08 AM, Alexey Shpakovsky  
> wrote:
> 
> On Mon, January 3, 2022 14:48, Jaap van Wingerde wrote:
>> All the urls on https://www.postfix.org give an 'Not found'error, and a
>> 'SSL_ERROR_BAD_CERT_DOMAIN' error.
>> 
> 
> try plaintext http: http://www.postfix.org/ currently works for me.
> 
>

Re: https://www.postfix.org/ in trouble

2022-01-03 Thread Alexey Shpakovsky 
On Mon, January 3, 2022 14:48, Jaap van Wingerde wrote:
> All the urls on https://www.postfix.org give an 'Not found'error, and a
> 'SSL_ERROR_BAD_CERT_DOMAIN' error.
>

try plaintext http: http://www.postfix.org/ currently works for me.

Re: https://www.postfix.org/ in trouble

2022-01-03 Thread Benny Pedersen 

On 2022-01-03 14:48, Jaap van Wingerde wrote:

All the urls on https://www.postfix.org give an 'Not found'error, and a
'SSL_ERROR_BAD_CERT_DOMAIN' error.


Brugere med ondsindede hensigter kan forsøge at stjæle dine oplysninger 
fra www.postfix.org (f.eks. adgangskoder, beskeder eller kreditkort). Få 
flere oplysninger

NET::ERR_CERT_COMMON_NAME_INVALID

https://www.postfix.org/ in trouble

2022-01-03 Thread Jaap van Wingerde 
All the urls on https://www.postfix.org give an 'Not found'error, and a
'SSL_ERROR_BAD_CERT_DOMAIN' error.