Re: @debian.org mail

2019-06-08 Thread Florian Reitmeir

On 06.06.2019 at 12:49, Bjørn Mork wrote:

> Daniel Lange  writes:
>
>> We have more people registered for DebConf ("the Debian Developers'
>> conference") with @gmail.com than @debian.org addresses.
>
> You can't fix @gmail.com.  It is deliberately broken for commercial
> reasons, and that won't stop with SPF and DKIM.  Anti-spam is just the
> current selling excuse for moving users to a closed, commercially
> controlled, messaging service.
>
> Document that @gmail.com doesn't work and ask anyone subscribed with
> such an address to resubscribe using an Internet email service.
>
> You might want to make a press announcement out of it, to prevent other
> service providers from making the same mistake Google has made.

You can also stop sending e-mails if it doesn't matter that they arrive 
anyway.


greetings



Re: @debian.org mail

2019-06-07 Thread Philipp Kern
On 6/6/2019 12:49 PM, Bjørn Mork wrote:
> Daniel Lange  writes:
> 
>> We have more people registered for DebConf ("the Debian Developers'
>> conference") with @gmail.com than @debian.org addresses.
> 
> You can't fix @gmail.com.  It is deliberately broken for commercial
> reasons, and that won't stop with SPF and DKIM.  Anti-spam is just the
> current selling excuse for moving users to a closed, commercially
> controlled, messaging service.
> 
> Document that @gmail.com doesn't work and ask anyone subscribed with
> such an address to resubscribe using an Internet email service.
> 
> You might want to make a press announcement out of it, to prevent other
> service providers from making the same mistake Google has made.

It does not only affect @gmail.com but all other email hosted by Google,
too. And you cannot see that from just the domain name. Thus I have
already given up on trying to mail to destinations other than
@debian.org with my @debian.org account.

So yes, you can proclaim that, but it still makes the @debian.org email
address increasingly useless. The requirement essentially boils down to
using DKIM if you want your emails delivered. There already have been
some suggestions in this thread.

Kind regards
Philipp Kern



Re: @debian.org mail

2019-06-06 Thread Jérémy Lal
On Wed, 5 June 2019 at 13:26, Marc Haber wrote:

> On Mon, 3 Jun 2019 10:40:26 +0200, Daniel Lange 
> wrote:
> >DSA should re-evaluate that.
> >
> >We run into more and more problems sending from @debian.org email
> >addresses as the three big players in email ratchet up their anti-spam
> >measures.
>
> This message and the following discussion has deeply saddened me.
>
> What the spammer didn't manage to do in 30 years, the antispammers
> were successful: E-Mail has become an unreliable service, not because
> of spam, but because of antispam.


I figured that out the hard way (sending OTP to new users by email): it
mostly works, but failures are difficult to explain to new users.
The only "safe" way would be to communicate that kind of info through SMS,
but it's very expensive.

Jérémy


Re: @debian.org mail

2019-06-06 Thread Marc Haber
On Thu, 06 Jun 2019 12:49:25 +0200, Bjørn Mork  wrote:
>You can't fix @gmail.com.  It is deliberately broken for commercial
>reasons, and that won't stop with SPF and DKIM.  Anti-spam is just the
>current selling excuse for moving users to a closed, commercially
>controlled, messaging service.
>
>Document that @gmail.com doesn't work and ask anyone subscribed with
>such an address to resubscribe using an Internet email service.
>
>You might want to make a press announcement out of it, to prevent other
>service providers from making the same mistake Google has made.

Amen.

-- 
-- !! No courtesy copies, please !! -
Marc Haber |   " Questions are the | Mail address in header
Mannheim, Germany  | Beginning of Wisdom " | 
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834



Re: @debian.org mail

2019-06-06 Thread Bjørn Mork
Daniel Lange  writes:

> We have more people registered for DebConf ("the Debian Developers'
> conference") with @gmail.com than @debian.org addresses.

You can't fix @gmail.com.  It is deliberately broken for commercial
reasons, and that won't stop with SPF and DKIM.  Anti-spam is just the
current selling excuse for moving users to a closed, commercially
controlled, messaging service.

Document that @gmail.com doesn't work and ask anyone subscribed with
such an address to resubscribe using an Internet email service.

You might want to make a press announcement out of it, to prevent other
service providers from making the same mistake Google has made.



Bjørn



Re: @debian.org mail

2019-06-05 Thread Marc Haber
On Mon, 3 Jun 2019 10:40:26 +0200, Daniel Lange 
wrote:
>DSA should re-evaluate that.
>
>We run into more and more problems sending from @debian.org email 
>addresses as the three big players in email ratchet up their anti-spam 
>measures.

This message and the following discussion has deeply saddened me.

What the spammer didn't manage to do in 30 years, the antispammers
were successful: E-Mail has become an unreliable service, not because
of spam, but because of antispam.

-- 
-- !! No courtesy copies, please !! -
Marc Haber |   " Questions are the | Mail address in header
Mannheim, Germany  | Beginning of Wisdom " | 
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834



Re: @debian.org mail

2019-06-05 Thread Daniel Lange

On 04.06.19 at 17:51, Graham Inggs wrote:

> I would certainly make use of SMTP for sending @debian.org email. I
> can't see the advantage of IMAP over forwarding though, would you
> explain how you see it working, or who would use it?


I wouldn't need IMAP either. But for those who are stuck with gmail, 
hotmail, gmx and the like Debian hosted IMAP servers would mean they 
also get a chance to _receive_ all Debian email. Email from @debian.org 
to these email domains is currently rejected outright (IPv6 & gmail, 
Tencent brands) or often ends up in /Spam (IPv4 & gmail, many other 
"free" email providers). We can assume with an updated SMTP setup that 
situation will improve significantly but probably not to a 100%. We run 
mailing lists without sender address rewrite and ARC isn't there yet. 
But if we run IMAP, too, we can simply ensure delivery today (and in the 
future).


So having a submission host (SMTP) and a matching SPF policy solves the 
sending side of the problem, Debian-hosted secure IMAP the receiving side.


Supporting ARC* will eventually help keep mailing lists and bugs.d.o 
functional (for non-Debian-hosted email aka our users) when "the big 
players" ratchet up their anti-spam measures further. But that's, by my 
very subjective personal estimate, another few years down the line.


I'd probably add Debian hosted webmail, too. It's trivial to add and 
some people seem to need it as they spend their day jobs behind very 
restrictive firewalls.


* see https://en.wikipedia.org/wiki/Authenticated_Received_Chain for an 
explanation. That also explains quite well why plain DKIM / DMARC is 
hard to implement without serious side-effects.





Re: @debian.org mail

2019-06-04 Thread Iustin Pop
On 2019-06-04 17:51:56, Graham Inggs wrote:
> Hi
> 
> On 2019/06/03 10:40, Daniel Lange wrote:
> > To do better, we should really offer SMTP submission/IMAP services for
> > @debian.org as soon as possible and - after a grace period - publish a
> > mx -all SPF record.
> 
> I would certainly make use of SMTP for sending @debian.org email.  I can't
> see the advantage of IMAP over forwarding though, would you explain how you
> see it working, or who would use it?

+1 on both counts.



Re: @debian.org mail

2019-06-04 Thread Graham Inggs

Hi

On 2019/06/03 10:40, Daniel Lange wrote:

>> We (debian/DSA) do not provide email hosting. We provide email
>> forwarding.
>
> DSA should re-evaluate that.

I strongly support this.

I recall this being an issue during debconf 15 and 16 orga, and the
situation has only gotten worse since.

> To do better, we should really offer SMTP submission/IMAP services for
> @debian.org as soon as possible and - after a grace period - publish a
> mx -all SPF record.


I would certainly make use of SMTP for sending @debian.org email.  I 
can't see the advantage of IMAP over forwarding though, would you 
explain how you see it working, or who would use it?


Regards
Graham



Re: @debian.org mail

2019-06-03 Thread Marco d'Itri
On Jun 03, Daniel Lange  wrote:

> It is a data point to prove your "we do not have forged email issues" wrong.
By "forged email issues" I mean phishing attacks, not garden variety 
malware which can be blocked in other ways.

-- 
ciao,
Marco




Re: @debian.org mail

2019-06-03 Thread Daniel Lange

On 03.06.19 at 22:32, Marco d'Itri wrote:

> On Jun 03, Daniel Lange  wrote:
>
>>> -all would stop some forged emails, but we do not have forged email
>>> issues.
>> We do. 4% of this year's spam in my spam traps have originated as fake
>> @debian.org. Unfortunately we even nicely relay them as we can't tell
> This is not a meaningful figure unless you also figure out how much of
> that spam could have been detected.

It is a data point to prove your "we do not have forged email issues" wrong.
How much of that spam we can prevent depends on which improvements we 
implement.


Cord kindly produced a few more data points tonight:

We have 39487 @gmail.com users subscribed to lists.d.o mailing lists.
9658 emails from lists.d.o have been bounced / denied by gmail.com in 
the last week.





Re: @debian.org mail

2019-06-03 Thread Marco d'Itri
On Jun 03, Daniel Lange  wrote:

> > -all would stop some forged emails, but we do not have forged email
> > issues.
> We do. 4% of this year's spam in my spam traps have originated as fake
> @debian.org. Unfortunately we even nicely relay them as we can't tell
This is not a meaningful figure unless you also figure out how much of 
that spam could have been detected.

> As we are white-listed at dnswl.org and a few other places such fan out
I would be seriously surprised if dnswl.org had any significant impact 
on deliverability, and I can safely exclude that it has any for the large 
email providers.

> I know you don't like SPF mx -all but that is what stops the above and makes
> @debian.org mail delivery reliable again. As we relay mailing lists via
This is a strong assertion for which you provided no proof.

> lists.d.o (bendel) we can easily have that continue rewriting senders
> without issues. It can have a separate SPF.
I have no idea of what you are actually proposing here.

-- 
ciao,
Marco




Re: @debian.org mail

2019-06-03 Thread Daniel Lange

On 03.06.19 at 18:09, Marco d'Itri wrote:

> -all would stop some forged emails, but we do not have forged email
> issues.

We do. 4% of this year's spam in my spam traps have originated as fake 
@debian.org. Unfortunately we even nicely relay them as we can't tell 
legitimate and fake Debian email apart ourselves.


My favorite ones are fake me sending real me emails with forged 
Microsoft Outlook Express 6.00.2900.5338 headers. 'Cause that's 
definitely my MUA of choice. I've also been chosen for the Google 
foundation trustee board which - allegedly - gets me a personal grant to 
spend however I wish. I'm still waiting for Google's check to arrive.


Back to topic:

Mailly's sender score has ditched to 65/100 during the last spam wave in 
early May and it took two weeks to recover to sane ratings.


We also fan out spam like 
 
(msgid-search works but it's just a boring example) which - funnily - 
gets us spam points at Google (cause we amplify that to ~ a hundred 
@gmail.com recipients).


As we are white-listed at dnswl.org and a few other places such fan out

1) is very useful for spammers and
2) makes our IP reputation suffer as in the May case cited above

As I said earlier, we're not the best netizens we can be and we should 
not facilitate for others spamming in our name.


I know you don't like SPF mx -all but that is what stops the above and 
makes @debian.org mail delivery reliable again. As we relay mailing 
lists via lists.d.o (bendel) we can easily have that continue rewriting 
senders without issues. It can have a separate SPF.


There are other options, too, incl. the one you listed. I'd go for ARC 
if we want to go beyond SPF. But that would be a 20 year leap in email 
tech. I like iterations, i.e. aim for some less ambitious goals first.
It's DSA's call what they prefer. I don't care which solution is chosen 
as long as we get one.
O.k., I'd prefer us to not sign up for Google hosted email or Exchange 
online. I think that part is even safe to assume rough consensus on.





Re: @debian.org mail

2019-06-03 Thread Sebastian Andrzej Siewior
On 2019-06-03 11:37:39 [-0400], Sam Hartman wrote:
> I'd much rather pay money and allow members who do want to use their own
> infrastructure to do so rather than set up an SPF record and force
> everyone to go through the debian mxes.

With my kernel.org address I get mail forwarding and a SMTP server for
sending emails ->
   https://korg.wiki.kernel.org/userdoc/mail

A SMTP server for mail delivery used by DDs would be money much better
spent than paying random companies to get @debian.org on their
whitelist. After all, a random person can post using lea...@debian.org
and his dial-up or $2 VM and getting through the whitelists.

I don't get the point why the debian machines would get a copy of
email sent. It ends up in the spool folder and gets deleted once
delivered. Also I don't see the point why using a specific machine for
mail delivery is a problem.

> I'd prefer to find a way to do none of the above and still get
> reasonable email reputation with the large providers.

Nope. I don't mind that email is forwarded only but SMTP should be part
of the email setup.

> I think this is a case where serving our users and being practical is
> more important than a moralistic stand.  If Ian's right that we could
> somehow use our political power to make a difference, I'd be open to
> considering that.

I don't understand what you want to do with the "political power".

> --Sam

Sebastian



Re: @debian.org mail

2019-06-03 Thread Sam Hartman
> "Daniele" == Daniele Nicolodi  writes:

Daniele> On 03/06/2019 09:37, Sam Hartman wrote:
>> I'd much rather pay money and allow members who do want to use their own
>> infrastructure to do so rather than set up an SPF record and force
>> everyone to go through the debian mxes.

Daniele> Pay money for which service exactly? I am not aware of any widely
Daniele> deployed whitelist that filters on source address, which I think would
Daniele> be the only solution that would allow members to use their own
Daniele> infrastructure.

We could pay money to get better deliverability for mail that does go
through Debian machines.
I  don't want to break or help people running their own infrastructure.



Re: @debian.org mail

2019-06-03 Thread Daniele Nicolodi
On 03/06/2019 09:37, Sam Hartman wrote:
> I'd much rather pay money and allow members who do want to use their own
> infrastructure to do so rather than set up an SPF record and force
> everyone to go through the debian mxes.

Pay money for which service exactly? I am not aware of any widely
deployed whitelist that filters on source address, which I think would
be the only solution that would allow members to use their own
infrastructure.

Cheers,
Dan



Re: @debian.org mail

2019-06-03 Thread Russ Allbery
Marco d'Itri  writes:
> On Jun 03, Russ Allbery  wrote:

>> A possibly useful compromise is to do what Marco suggested: publish SPF
>> records for domains like lists.debian.org, where all the mail is coming
>> from Debian infrastructure.  That can easily be -all.  And then at
>> least we have the option of moving some of the most important official
>> mail messages (password reset links and so forth) to a subdomain with
>> -all SPF records, without affecting the flow of @debian.org mail.

> I have never suggested using -all because we are discussing improving
> deliverability issues and -all cannot do this.  -all would stop some
> forged emails, but we do not have forged email issues.

Right, sorry, I should have been clearer that DKIM should be the top
priority rather than worrying about SPF, since that will do the most to
directly improve our sender reputation.  The point that you raised was
using subdomains, which I think is by far the easiest way to proceed.
debian.org itself is a complicated problem, but we can do a lot for, say,
lists.debian.org or bugs.debian.org by adding DKIM signing without
tackling that problem.

That said, it has been my anecdotal experience that adding restrictive
DMARC or SPF policies does help with sender reputation somewhat, but I
haven't tested this in any scientific way and it may be that I was
confusing correlation with causation.

-- 
Russ Allbery (r...@debian.org)   <http://www.eyrie.org/~eagle/>



Re: @debian.org mail

2019-06-03 Thread Marco d'Itri
On Jun 03, Russ Allbery  wrote:

> A possibly useful compromise is to do what Marco suggested: publish SPF
> records for domains like lists.debian.org, where all the mail is coming
> from Debian infrastructure.  That can easily be -all.  And then at least
> we have the option of moving some of the most important official mail
> messages (password reset links and so forth) to a subdomain with -all SPF
> records, without affecting the flow of @debian.org mail.
I have never suggested using -all because we are discussing improving 
deliverability issues and -all cannot do this.
-all would stop some forged emails, but we do not have forged email 
issues.

-- 
ciao,
Marco




Re: @debian.org mail

2019-06-03 Thread Jonathan Dowland

On Mon, Jun 03, 2019 at 10:40:26AM +0200, Daniel Lange wrote:

>> We (debian/DSA) do not provide email hosting. We provide email
>> forwarding.
>
> DSA should re-evaluate that.


I'm not sure I would want the existing DSA resource, spread as thin as it is,
allocated to running a mail hosting service. At least there are other things
I would prioritise above mail hosting.

OTOH, I run my own email systems end-to-end, as I'm sure many DDs do; and
I continue to do so partly out of inertia, I appreciate it's unrealistic
to expect all DDs, and newer/younger members, to do the same.

It may be worth, as a project, considering whether we would like something
different to what we have now, and I guess that's exactly what this thread is.
Best conducted at a project (requirements) level rather than DSA (solutions) level.

--

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Jonathan Dowland
⢿⡄⠘⠷⠚⠋⠀ https://jmtd.net
⠈⠳⣄ Please do not CC me, I am subscribed to the list.



Re: @debian.org mail

2019-06-03 Thread Marco d'Itri
On Jun 03, Sam Hartman  wrote:

> But more than that, you don't need the SPF record.
(Here comes a short lesson on email authentication...)
The most useful way to think about SPF and DKIM is that they allow to 
move reputation considerations for a message from the sender IP address 
to the sender domain (DKIM) or envelope sender domain (SPF).
This way receivers can safely assign a positive or negative reputation 
to mail from specific domains instead of using the same reputation for
all mail emitted by a specific IP.
This is what happens when SPF and/or DKIM are aligned, i.e. they 
successfully validate the (envelope) sender of the message.
This is why it is not very useful to have SPF records with ~all (which 
may mean "deliver to the spam folder") or -all (which may mean 
"reject"): the purpose of email authentication is managing positive 
reputation.
Since we are not a financial institution we do not have major troubles 
with forged @debian.org emails, so there is no need for ~all or -all SPF 
records: we can use ?all which basically means "revert to IP-based 
reputation if SPF is not aligned".
Also: SPF with hard failure (-all) breaks forwarding unless SRS is used, 
and most of the existing tools which implement SRS suck, so this is not 
a given.

> Debian could  pay to get on one of the white lists, we could use some services
> like Amazon SES, we could possibly get a good enough dkim reputation
> that we don't need to do any of the above.
There are no useful whitelists (which would require domain-based 
reputation anyway) to solve this problem and a third party mail relay 
would not improve deliverability without domain-based reputation 
attached to debian.org.

On Jun 03, Ian Jackson  wrote:

> 2. We have not published mail restriction DNS RRs.  Some people seem
> to think that this is a bad thing.
No. Many large receivers want to use domain-based reputation, and since 
in the email world receivers are always right it is a bad thing (for us, 
who are the ones having deliverability problems) that we are not 
providing a way to do so.
As I explained, we can usefully deploy SPF and DKIM without adding any 
new restriction for unaligned messages.

> 3. Some big services have other shitty heuristics which misclassify
> mail from @debian.org users.
Probably because they have no way of attaching a reputation to the 
debian.org domain, given the lack of SPF and DKIM.

> Debian is in a better position than most to resist the hegemony of an
> oligopoly of unaccountable email providers.  We should use our
> political power, such as it is.
This would be nice if we had any political power which could be used, 
but it is quite obvious that the debate about email authentication was 
settled long ago in favour of domain-based reputation.
(And Google whitelisting some of our own servers is exactly the wrong 
thing to aim for since it does not solve the problem in a general way.)

-- 
ciao,
Marco




Re: @debian.org mail

2019-06-03 Thread Sam Hartman


In this thread I'm speaking as an individual.
Other than approving DSA expenditures related to email, the DPL does not
set Debian's email policy.

>>>>> "Ian" == Ian Jackson  writes:

Ian> Sam Hartman writes ("Re: @debian.org mail"):
>> But more than that, you don't need the SPF record.  Debian could pay
>> to get on one of the white lists, we could use some services like
>> Amazon SES, we could possibly get a good enough dkim reputation that
>> we don't need to do any of the above.

Ian> Debian should certainly not pay to get on some white list.  Nor should
Ian> we use some service whose primary purpose is gatekeeping.

>> My point is that from experience, the SPF record will totally cripple
>> people wanting to use their own infrastructure even worse than we see
>> today.
>> 
>> I absolutely agree with the idea of improving Debian's email reputation.

I'd much rather pay money and allow members who do want to use their own
infrastructure to do so rather than set up an SPF record and force
everyone to go through the debian mxes.
I'd prefer to find a way to do none of the above and still get
reasonable email reputation with the large providers.

I think this is a case where serving our users and being practical is
more important than a moralistic stand.  If Ian's right that we could
somehow use our political power to make a difference, I'd be open to
considering that.
However, I'll point out that our priorities are our users and free
software.
Preserving the end-to-end principle, preserving the net, etc, are goals
that to a greater or lesser extent many of us may personally agree
with.  However, they are not Debian's goals.
When we allow related goals to get in the way of our priorities, we
damage those priorities.

--Sam



Re: @debian.org mail

2019-06-03 Thread Russ Allbery
Sam Hartman  writes:
>>>>>> "Daniel" == Daniel Lange  writes:

> Daniel> To do better, we should really offer SMTP submission/IMAP
> Daniel> services for @debian.org as soon as possible and - after a
> Daniel> grace period - publish a mx -all SPF record.

> Actually publishing the SPF record seems fairly problematic.

A possibly useful compromise is to do what Marco suggested: publish SPF
records for domains like lists.debian.org, where all the mail is coming
from Debian infrastructure.  That can easily be -all.  And then at least
we have the option of moving some of the most important official mail
messages (password reset links and so forth) to a subdomain with -all SPF
records, without affecting the flow of @debian.org mail.

(The same all applies to DKIM, of course, and DKIM is probably more
generally useful these days.  SPF is slowly dying in favor of DKIM most
places.)

-- 
Russ Allbery (r...@debian.org)   <http://www.eyrie.org/~eagle/>



Re: @debian.org mail

2019-06-03 Thread Xavier
On 03/06/2019 at 17:21, Sam Hartman wrote:
>> "Daniel" == Daniel Lange  writes:
> 
> Daniel> Hence I'd like us to offer email services to project members. That's
> Daniel> an offer. Not a requirement. If DDs use the Debian infra or continue
> Daniel> using their current setup, all fine for me.
> 
> We're agreed so far.
> 
> Daniel> Yes, a proper SPF record may make things more difficult for people
> Daniel> that run their own. But I - for example - run my own and route via
> Daniel> Debian MX (just the Debian mail of course). So it can be
> Daniel> done.
> 
> I explained why I find routing the mail problematic.
> But more than that, you don't need the SPF record.
> Debian could  pay to get on one of the white lists, we could use some services
> like Amazon SES, we could possibly get a good enough dkim reputation
> that we don't need to do any of the above.
> 
> My point is that from experience, the SPF record will totally cripple
> people wanting to use their own infrastructure even worse than we see
> today.

We can use "~all" or "?all" in SPF record, so it would increase Debian's
email reputation when using Debian SMTP services but would authorize to
use some other service. I remember that there is something like that in
DKIM.

> I absolutely agree with the idea of improving Debian's email reputation.

+1



Re: @debian.org mail

2019-06-03 Thread Ian Jackson
Sam Hartman writes ("Re: @debian.org mail"):
> But more than that, you don't need the SPF record.  Debian could pay
> to get on one of the white lists, we could use some services like
> Amazon SES, we could possibly get a good enough dkim reputation that
> we don't need to do any of the above.

Debian should certainly not pay to get on some white list.  Nor should
we use some service whose primary purpose is gatekeeping.

> My point is that from experience, the SPF record will totally cripple
> people wanting to use their own infrastructure even worse than we see
> today.
> 
> I absolutely agree with the idea of improving Debian's email reputation.

There are two things that are "wrong" with Debian's email reputation:

1. Some proprietary mail scanning systems used by corporates do not
experience enough mail from Debian's own servers, and therefore reckon
that some DSA-run email servers are not proper mail hosts.
security@d.o cannot email my work email address, and neither can I
from my own colo.

2. We have not published mail restriction DNS RRs.  Some people seem
to think that this is a bad thing.

3. Some big services have other shitty heuristics which misclassify
mail from @debian.org users.

We cannot fix (2) without breaking the use case you talk about.  We
cannot fix (1) because it is corporate stupidity.

We may be able to improve (3) but we should be careful not to do so in
a way that is not available to operators of other legitimate private
mail domains.

Debian is in a better position than most to resist the hegemony of an
oligopoly of unaccountable email providers.  We should use our
political power, such as it is.

Ian.

-- 
Ian Jackson   These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.



Re: @debian.org mail

2019-06-03 Thread Sam Hartman
> "Daniel" == Daniel Lange  writes:

Daniel> Hence I'd like us to offer email services to project members. That's
Daniel> an offer. Not a requirement. If DDs use the Debian infra or continue
Daniel> using their current setup, all fine for me.

We're agreed so far.

Daniel> Yes, a proper SPF record may make things more difficult for people
Daniel> that run their own. But I - for example - run my own and route via
Daniel> Debian MX (just the Debian mail of course). So it can be
Daniel> done.

I explained why I find routing the mail problematic.
But more than that, you don't need the SPF record.
Debian could  pay to get on one of the white lists, we could use some services
like Amazon SES, we could possibly get a good enough dkim reputation
that we don't need to do any of the above.

My point is that from experience, the SPF record will totally cripple
people wanting to use their own infrastructure even worse than we see
today.

I absolutely agree with the idea of improving Debian's email reputation.



Re: @debian.org mail

2019-06-03 Thread Daniel Lange

Hi Sam,

On 03.06.19 at 13:29, Sam Hartman wrote:

> 1) You're asking all DDs to use this infrastructure you set up.


Currently everybody routes inbound mail via two Debian servers (as they 
are the only MXs for debian.org).


Everybody who needs to make sure they can reach @gmail.com / GApps users 
/ Microsoft hosted Exchange etc. need to send via these, too, cf. my 
initial email.


People vote with their feet. We're not really overrun by new 
contributors. We shouldn't afford the arrogance of "it is your problem 
if my email doesn't reach your inbox". Esp. if we can do better.


That said, I don't care when DDs use their private domains for Debian 
stuff. I'd be all for continuing them to do so.


For things like fundraising officially looking email addresses are 
important. That's why I care to keep these functional. More DDs funded 
to travel to DebConf is a more happy me. I'm also sure many @debian.org 
-> random upstream messages are never received. Because random upstream 
is a Google / Microsoft / Yahoo user or runs an email server with a 
strict anti-spam policy. We just had that case with the cfp@ email of 
our Hamburg Mini-DebConf rejecting @debian.org email because of "forged 
recipients" and bad IP reputation scores. QQ (Tencent) refused emails 
from Salsa. This is the biggest email hoster in China. I'd like more 
Chinese to be able to participate in Debian. I have many such examples.


Hence I'd like us to offer email services to project members. That's an 
offer. Not a requirement. If DDs use the Debian infra or continue using 
their current setup, all fine for me.
Yes, a proper SPF record may make things more difficult for people that 
run their own. But I - for example - run my own and route via Debian MX 
(just the Debian mail of course). So it can be done. I just wish not 
every DD had to, if they wouldn't want to. And possibly end up using 
GMail and make Jonathan and many Free as in Freedom advocates unhappy.



> 2) I'm not really sure I want the debian machines to get a copy of all
> mail I send from my debian.org address.


In case anybody replies to your email, these machines get the gist of 
your communication anyways. And you send via AWS (Amazon). I personally 
trust DSA more.


To me emails are postcards. Everybody along the transport chain may 
enjoy the pictures. Of course I can sign or encrypt if I want the 
pictures to stay genuine or the back side text private.


There is currently a trend in the FLOSS ecosystem to try migrating off 
irc, email and email lists towards Discourse, Gitlab, Mattermost and 
other web based tools. I'm not a fan of that at all (siloing). But one 
of the reasons is lowering the technical entry barrier to participation. 
We should give at least the project members everything they need as 
readily available as possible. And email is really basic.


Kind regards,
Daniel



Re: @debian.org mail

2019-06-03 Thread Sam Hartman
> "Daniel" == Daniel Lange  writes:

Daniel> To do better, we should really offer SMTP submission/IMAP services for
Daniel> @debian.org as soon as possible and - after a grace period - publish a
Daniel> mx -all SPF record.

Actually publishing the SPF record seems fairly problematic.

1) You're asking all DDs to use this infrastructure you set up.

2) I'm not really sure I want the debian machines to get a copy of all
mail I send from my debian.org address.
Transport level encryption is a lot easier to use for recipients than
PGP or S/MIME.
So I do care about the transport of my mail messages.



Re: @debian.org mail

2019-06-03 Thread Marco d'Itri
On Jun 03, Daniel Lange  wrote:

> The default reply for missing wafer confirmation emails (the software
> running debconf19.debconf.org) and missing salsa password reset emails is
> "check your Spam folder". Debian.org doesn't have a SPF record so mail
> submitted from such Debian machines is a bit in a limbo.
The current reality of email is that you cannot expect passable 
deliverability for messages which do not have one of SPF or DKIM 
aligned.

A first obvious step is to setup SPF records for services like salsa 
and lists which send all mail from their own domain from the same 
servers.

A second obvious step is to start DKIM-signing all email emitted by 
Debian servers.

A third not so obvious step is to create a way for developers to publish 
personal TXT or CNAMEs records below _domainkey.debian.org: this would 
allow everybody to keep sending aligned messages from their own servers.
Maybe the infrastructure currently used for debian.net domains could be 
easily adapted to do this as well.

> @debian.org as soon as possible and - after a grace period - publish a mx
> -all SPF record.
-all SPF records are not really useful unless you are a target of 
phishing and break forwarding, so I strongly recommend against this.

-- 
ciao,
Marco
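
Added example (not part of the original thread and not Debian's tooling): a minimal sketch of the relaxed SPF/DKIM alignment test discussed above, showing why mail with an @debian.org From: sent from a personal server only aligns once it carries a DKIM signature for debian.org. The addresses, the home.example domain and the two-label organizational-domain shortcut are assumptions.

```python
# Added illustration: DMARC-style identifier alignment (relaxed mode).
# All addresses, domains and results used with it are constructed samples.

def org_domain(domain):
    # Simplification (assumption): the last two labels form the
    # organizational domain. Real receivers use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(header_from, mail_from, spf_result, dkim_sigs):
    """Return the mechanisms that both pass and align with the From: domain.

    dkim_sigs is a list of (d= domain, verification result) tuples.
    """
    want = org_domain(header_from.rsplit("@", 1)[1])
    ok = []
    if spf_result == "pass" and org_domain(mail_from.rsplit("@", 1)[1]) == want:
        ok.append("spf")
    for d, result in dkim_sigs:
        if result == "pass" and org_domain(d) == want:
            ok.append("dkim")
            break
    return ok

if __name__ == "__main__":
    cases = {
        # A service sending from its own domain and servers: SPF aligns.
        "service, SPF only": ("noreply@salsa.debian.org",
                              "bounces@salsa.debian.org", "pass", []),
        # Personal server: SPF and DKIM pass, but for the wrong domain.
        "own server, own keys": ("dd@debian.org", "dd@home.example", "pass",
                                 [("home.example", "pass")]),
        # Same server, key published below _domainkey.debian.org.
        "own server, d=debian.org": ("dd@debian.org", "dd@home.example",
                                     "pass", [("debian.org", "pass")]),
        # Forwarded copy: SPF breaks, the DKIM signature survives.
        "forwarded": ("dd@debian.org", "dd@debian.org", "fail",
                      [("debian.org", "pass")]),
    }
    for name, args in cases.items():
        print(f"{name:26} aligned via: {aligned(*args) or 'nothing'}")
```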




Re: @debian.org mail

2019-06-03 Thread Jonathan Carter
On 2019/06/03 10:40, Daniel Lange wrote:
> Mail submitted from DD's private IPs frequently gets flagged as spam
> regardless of content by all three big players and - if submitted via
> IPv6 - refused directly by Google. Microsoft and Yahoo still run their
> MXs IPv4 only. But we can expect a similar policy once they add IPv6
> SMTPs at scale. And they won't warn us up-front.
> The missing SPF record mentioned above means there is a lot of spam
> circulating with @debian.org fake senders and obviously our open
> submission policy on many mailing-lists and @debian.org technical
> addresses also fan out quite some spam. So we're not the best netizens
> we could be.
> 
> To do better, we should really offer SMTP submission/IMAP services for
> @debian.org as soon as possible and - after a grace period - publish a
> mx -all SPF record.

I think you make a good case for offering SMTP, and that's very
beneficial to a lot of people. IMAP is a whole nother case in terms of
the kind of sustained work it requires and I'm unconvinced that it would
be at all worth it.

I have little sympathy for people who say "but I use gmail", there's
literally a 1000 better mail services on the Internet that they could
use without having to set up their own, and the good reasons not to use
google services keep rapidly piling up.

-Jonathan

-- 
  ⢀⣴⠾⠻⢶⣦⠀  Jonathan Carter (highvoltage) 
  ⣾⠁⢠⠒⠀⣿⡁  Debian Developer - https://wiki.debian.org/highvoltage
  ⢿⡄⠘⠷⠚⠋   https://debian.org | https://jonathancarter.org
  ⠈⠳⣄  Be Bold. Be brave. Debian has got your back.



Re: @debian.org mail

2019-06-03 Thread Daniel Lange

> We (debian/DSA) do not provide email hosting. We provide email
> forwarding.


DSA should re-evaluate that.

We run into more and more problems sending from @debian.org email 
addresses as the three big players in email ratchet up their anti-spam 
measures.


They are hosting a huge share of our users' email and the same for 
prospective contributors:



The default reply for missing wafer confirmation emails (the software 
running debconf19.debconf.org) and missing salsa password reset emails 
is "check your Spam folder". Debian.org doesn't have a SPF record so 
mail submitted from such Debian machines is a bit in a limbo.


We have more people registered for DebConf ("the Debian Developers' 
conference") with @gmail.com than @debian.org addresses.


Mail submitted from DD's private IPs frequently gets flagged as spam 
regardless of content by all three big players and - if submitted via 
IPv6 - refused directly by Google. Microsoft and Yahoo still run their 
MXs IPv4 only. But we can expect a similar policy once they add IPv6 
SMTPs at scale. And they won't warn us up-front.
The missing SPF record mentioned above means there is a lot of spam 
circulating with @debian.org fake senders and obviously our open 
submission policy on many mailing-lists and @debian.org technical 
addresses also fan out quite some spam. So we're not the best netizens 
we could be.


To do better, we should really offer SMTP submission/IMAP services for 
@debian.org as soon as possible and - after a grace period - publish a 
mx -all SPF record.


Google has added mailly and muffat to their internal 
has-no-proper-SPF-policy-whitelist (thank you!). This will obviously 
increase the problems for people not sending via Debian machines down 
the road.
Which is why a few people - including me - now route outbound via these 
Debian MX machines. That's a work-around for the technically inclined 
but won't really scale.


People have tried mending the gap by offering accounts on their personal 
infrastructure to fellow developers (and thanks for that Tollef and others).


We like people to use their @debian.org or @debconf.org email address 
when reaching out to sponsors and suppliers as this adds (perceived) 
credibility and (true) visibility. So we should make it easy for people 
to use those email addresses.


Just maintaining the status-quo of email-forwarding only seems past its 
useful life time.


Kind regards,
Daniel

P.S.: I have offered helping to run email services to DSA in the past.
I don't only complain. But DSA has the issue of them having to run 
committed infrastructure in the end. So if - for example - the Salsa 
team were not wanting to run salsa.debian.org anymore, DSA would end up 
having to add this to their work load. This is why DSA need to 
prioritize email regardless of who will set it up and run it initially.




Re: @debian.org mail

2019-05-30 Thread Tollef Fog Heen
]] Jean-Philippe MENGUAL 

> Forwarding mail from @debian.org to my mailbox makes me apply
> complicated filters to stay subscribed to ML I wish.

In that case, I suggest you don't subscribe with your debian.org email
address.

> Do you confirm me it is really not wanted to pull mails from a Debian
> machine via POP? I really would love to separate my Debian box
> from others.

We (debian/DSA) do not provide email hosting. We provide email
forwarding.

-- 
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are



Re: @debian.org mail

2019-05-28 Thread Andrey Rahmatullin
On Tue, May 28, 2019 at 11:19:37PM +0200, Jean-Philippe MENGUAL wrote:
> Forwarding mail from @debian.org to my mailbox makes me apply
> complicated filters to stay subscribed to ML I wish. 
Why?

-- 
WBR, wRAR




@debian.org mail

2019-05-28 Thread Jean-Philippe MENGUAL

Hi,

Forwarding mail from @debian.org to my mailbox makes me apply complicated 
filters to stay subscribed to ML I wish. Do you confirm me it is really not 
wanted to pull mails from a Debian machine via POP? I really would love to 
separate my Debian box from others.

Tell me if I should ask to another place.


Thanks for your help.



--
Jean-Philippe MENGUAL



Re: debian.org mail forwarding, SPF and Postfix

2015-12-08 Thread Marco d'Itri
On Dec 08, Daniel Pocock <dan...@pocock.pro> wrote:

> Can anybody comment on the recommended way to allow mail forwarded from
> debian.org mail servers?
You whitelist them from your SPF checks, because SPF is the kind of 
FUSSP which requires the whole Internet to modify their servers to 
support forwarding.

-- 
ciao,
Marco




debian.org mail forwarding, SPF and Postfix

2015-12-08 Thread Daniel Pocock


I have the Postfix package on jessie with SPF checks on incoming mail.

I'm having trouble receiving mail forwarded from the poc...@debian.org
email address.

From main.cf, these lines mention spf:

smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated, reject_unauth_destination,
    check_policy_service unix:private/policyd-spf

smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination, check_policy_service unix:private/policyd-spf

policyd-spf_time_limit = 3600


Can anybody comment on the recommended way to allow mail forwarded from
debian.org mail servers?

People receive bounces like this:

  dan...@pocock.pro
SMTP error from remote mail server after RCPT TO:<dan...@pocock.pro>:
host mail.trendhosting.net [2001:67c:1388:1000::5]:
550 5.7.1 <dan...@pocock.pro>: Recipient address rejected:
Message rejected due to: SPF fail - not authorized. Please see
http://www.openspf.net/Why?s=mfrom;id=..



I saw this:
  http://www.openspf.org/Best_Practices/Forwarding

but it doesn't say anything about Postfix.



Re: debian.org mail forwarding, SPF and Postfix

2015-12-08 Thread Daniel Pocock



On 08/12/15 20:43, Marco d'Itri wrote:
> On Dec 08, Daniel Pocock <dan...@pocock.pro> wrote:
> 
>> Can anybody comment on the recommended way to allow mail
>> forwarded from debian.org mail servers?
> You whitelist them from your SPF checks, because SPF is the kind of
>  FUSSP which requires the whole Internet to modify their servers to
>  support forwarding.
> 

But what exactly does somebody need to whitelist to allow mail
forwarded from a debian.org address?

Should check_helo_access be used with a domain or IP or some other
value specific to mail forwarded by Debian's MTA?

http://www.postfix.org/postconf.5.html#check_helo_access



Re: debian.org mail forwarding, SPF and Postfix

2015-12-08 Thread Scott Kitterman
On December 8, 2015 2:59:57 PM EST, Daniel Pocock <dan...@pocock.pro> wrote:
>
>
>
>On 08/12/15 20:43, Marco d'Itri wrote:
>> On Dec 08, Daniel Pocock <dan...@pocock.pro> wrote:
>> 
>>> Can anybody comment on the recommended way to allow mail
>>> forwarded from debian.org mail servers?
>> You whitelist them from your SPF checks, because SPF is the kind of
>>  FUSSP which requires the whole Internet to modify their servers to
>>  support forwarding.
>> 
>
>But what exactly does somebody need to whitelist to allow mail
>forwarded from a debian.org address?
>
>Should check_helo_access be used with a domain or IP or some other
>value specific to mail forwarded by Debian's MTA?

The easiest way to do it, assuming you're using postfix-policyd-spf-python, is 
within the policy server.  See man 5 policyd-spf.  There are several whitelist 
options.  I think PTR whitelist on bendel.debian.org will probably do it.

Scott K
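
Added example (not part of the original thread and not the policy server's code): a small model of the failure in the bounce above, where the forwarder relays the message with the original envelope sender so the receiver's SPF check sees the forwarder's IP, and of a receiver-side whitelist that skips SPF for a known forwarder. The domain, the addresses (documentation ranges) and the IP-based whitelist, used here in place of a PTR lookup so the code runs offline, are assumptions.

```python
import ipaddress

# Constructed sample data: the SPF record and all addresses use
# documentation ranges; none of this is real DNS content.
SPF = {"sender.example": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8:1::/48 -all"}
FORWARDER_NETS = ["198.51.100.25/32"]  # hypothetical forwarding host

def check_spf(domain, client_ip):
    """Evaluate only the ip4/ip6/all mechanisms of a published record."""
    record = SPF.get(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            hit = ip.version == net.version and ip in net
        elif name == "all":
            hit = True
        else:
            continue  # mx, a, include, ... are out of scope for this sketch
        if hit:
            return {"+": "pass", "-": "fail",
                    "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"

def policy_decision(mail_from_domain, client_ip, whitelist=()):
    """Receiver-side decision with an optional list of trusted forwarders."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(n) for n in whitelist):
        return "accept (whitelisted forwarder, SPF skipped)"
    result = check_spf(mail_from_domain, client_ip)
    return "reject (SPF fail)" if result == "fail" else f"accept (SPF {result})"

if __name__ == "__main__":
    # Direct delivery from the sender's own network.
    print(policy_decision("sender.example", "192.0.2.10"))
    # Same message relayed by the forwarder, envelope sender unchanged.
    print(policy_decision("sender.example", "198.51.100.25"))
    # Forwarder whitelisted at the receiver.
    print(policy_decision("sender.example", "198.51.100.25", FORWARDER_NETS))
```

Whitelisting a forwarder means trusting whatever sender checks that host performed, so the list should contain only forwarders you have set up yourself.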