Re: Suggestions for a more privacy conscious email provider
On Sun, Dec 03, 2017 at 05:08:33PM +, Filip Hruska wrote:
> I personally run my own mail server, but route outgoing emails via Amazon
> SES.

Not a good idea. Amazon's cloud operations are a constant source of spam and abuse (e.g., brute-force SSH attacks), they refuse to accept complaints per RFC 2142, and -- apparently -- they simply don't care to do anything about it.

I've had SES blacklisted in my MTA for years (among other preventative measures) and highly recommend to others.

---rsk
Re: Ticketmaster?
On Sun, Dec 03, 2017 at 07:34:29PM -0800, Doug Barton wrote:
> On 12/02/2017 02:39 PM, Ryan Gard wrote:
> > *Oh, you must be sharing your IP with everyone else in your area*
>
> CGNAT by any chance?

... and yet:

$ dig www.ticketmaster.com

; <<>> DiG 9.10.3-P4-Debian <<>> www.ticketmaster.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28358
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.ticketmaster.com. IN

;; AUTHORITY SECTION:
ticketmaster.com. 2560 IN SOA a1-157.akam.net. tmhostmaster.ticketmaster.com. 2991260818 600 600 1048576 2560
Re: Alternatives to ISE?
On Sun, Dec 03, 2017 at 02:39:27PM +, Christopher J. Wolff wrote:
> I've about reached my limit with the dumpster fire that is Cisco's
> Identity Service Engine. Are there any reliable alternatives that do
> endpoint classification, central web auth, and .1x auth?

What version of ISE are you running? What are your main frustrations with it?

Ray
Re: Ticketmaster?
They’ve blocked a few of my end-user /24s and I’ve had zero luck getting them to unblock them. Just one more reason to hate them and not use them. They are the devil.

-Mike

> On Dec 3, 2017, at 19:34, Doug Barton wrote:
>
>> On 12/02/2017 02:39 PM, Ryan Gard wrote:
>> *Oh, you must be sharing your IP with everyone else in your area*
>
> CGNAT by any chance?
Re: Ticketmaster?
On 12/02/2017 02:39 PM, Ryan Gard wrote:
> *Oh, you must be sharing your IP with everyone else in your area*

CGNAT by any chance?
Re: Suggestions for a more privacy conscious email provider
On 12/03/2017 12:55 PM, Royce Williams wrote:
> Maybe the OP is interested in outsourcing all of that - letting someone else stay current with patching, spammer tactics, etc.

You make a fair point.

My point is that it is possible to do yourself /if/ you want to do so.

Everyone has to make their own decision. - My goal is to provide information to help make said decision.

--
Grant. . . .
unix || die
Re: Suggestions for a more privacy conscious email provider
On Sun, Dec 3, 2017 at 10:31 AM, Grant Taylor via NANOG wrote:

> On 12/03/2017 10:08 AM, Filip Hruska wrote:
>
>> It's kind of a pain to manage a mail server.
>>
>
> I disagree.
>
> I have been running my own mail server for > 15 years and extremely happy
> with it.
>
> I spend less than an hour a month needing to do things to it. Usually
> that's just the same type of OS updates that I do to my workstation.
>
> Having my own mail server gives me a LOT more flexibility than relying on
> someone else's mail server.

For those of us who have the savvy to do so competently, sure.

For others, the key word may be "provider". Setting up a Linode server on static IP space (to avoid being blacklisted), setting up greylisting, antivirus/antispam (maybe?), STARTTLS, etc. ...

Maybe the OP is interested in outsourcing all of that - letting someone else stay current with patching, spammer tactics, etc.

Royce
Re: Suggestions for a more privacy conscious email provider
On 12/03/2017 10:08 AM, Filip Hruska wrote:
> It's kind of a pain to manage a mail server.

I disagree.

I have been running my own mail server for > 15 years and extremely happy with it.

I spend less than an hour a month needing to do things to it. Usually that's just the same type of OS updates that I do to my workstation.

Having my own mail server gives me a LOT more flexibility than relying on someone else's mail server.

--
Grant. . . .
unix || die
Re: Alternatives to ISE?
if you're already slurping the commercial koolaid (support contracts, someone to blame etc etc) - then Aruba Clearpass? (otherwise local homebrew with FreeRADIUS core or PacketFence as FOSSOTS ;-) ) alan
Re: Suggestions for a more privacy conscious email provider
It's kind of a pain to manage a mail server. Even if you have SPF, DKIM correctly setup and you are not on any common blacklists, you constantly have to fight for good deliverability - some mail server solutions will simply reject you no matter what. You might be on some obscure blacklist nobody uses and then you have to waste time sending blacklist removal requests.

I personally run my own mail server, but route outgoing emails via Amazon SES. Gives me all the benefits of having my own mail server (domain aliases, extensions, custom spam filter etc) and saves me from the pain of managing outgoing reputation.

--
Filip Hruska
Linux System Administrator

On 12/3/17 at 16:12, Jean | ddostest.me via NANOG wrote:
> If you plan to use it for a small group of people, you should consider hosting it yourself.
>
> You could set it up with SPF, dkim, dmarc, ipv6. It could be seen as a personal challenge to achieve.
>
> Then if you need real privacy, you will need to encrypt with public keys like PGP or S/MIME. You can upload your public key to the public pgp key servers.
>
> I guess that one day this thing will be very popular.
>
> Challenge accepted?
>
> Jean
>
> On 17-12-02 05:20 PM, Paul Ferguson wrote:
>> On Sat, Dec 2, 2017 at 1:35 PM, Michael S. Singh wrote:
>>
>>> I am in need of some suggestions for some privacy conscious email providers. I am currently using Migadu [...]
>>
>> I use KolabNow, based in Switzerland, for a lot of personal e-mail communications. They are very, very privacy conscious:
>>
>> --> https://kolabnow.com/feature/confidence
>>
>> They are *not* free, but quite reasonable, and I am quite happy with them.
>>
>> - ferg
Re: Alternatives to ISE?
$dayjob is a university where we use PacketFence to support .1x for a population of approx. 28K concurrent Wi-Fi devices.

It took us a couple of iterations but we now have a clustered deployment (of VM’s) model which routinely handles >1200 logins per second, has a fair bit of headroom left over and can scale larger as required.

We have been very satisfied with the responsiveness and capabilities of tech support by Inverse.ca. All this and the price point is hard to beat.

I have no personal interest in Inverse other than as a satisfied customer.

Our presentation on the scalable deployment model for PF may be found by searching the web for “Authentication for big Wi-Fi”.

Eriks
---
Eriks Rugelis
Sr. Consultant
Netidea Inc.
T: +1.416.876.0740

> On Dec 3, 2017, at 10:06, Jean | ddostest.me via NANOG wrote:
>
> I'm about to try this one.
>
> https://packetfence.org/
>
> Not sure if it covers all the features you need though, but it seems
> promising. In case you give it a try, could you share your experience
> please?
>
> Thanks
> Jean
>
>> On 17-12-03 09:48 AM, segs wrote:
>> Forescout but if you want something simpler with SNMP authentication of
>> switches and Domain Controller of authorized PCs you can have a look at
>> Portnox. Done couple of deployments with Portnox.
>>
>> On Sun, Dec 3, 2017 at 3:39 PM, Christopher J. Wolff wrote:
>>
>>> I've about reached my limit with the dumpster fire that is Cisco's
>>> Identity Service Engine. Are there any reliable alternatives that do
>>> endpoint classification, central web auth, and .1x auth?
>>>
>>> Thanks in advance,
>>> Christopher
Re: Alternatives to ISE?
I’ve used PacketFence for several years, but it’s kind of fragile. Compared to many FOSS systems, it’s exceptionally well documented, and uses reasonably good Web GUI standards. It also supports Cisco switches well.

However, I routinely have to twiddle with it when one or another internal components silently crashes. It’s about as fiddly as Asterisk is for telephony: just when you think you’ve got it working, some unpredicted external event — a new device or an OS security patch — breaks it.

What PF really needs is some kind of internal monitoring and notification system to let you know when and what stopped working. Various users have jury rigged their own scripts and published them, but they’re too customized to work generically for any PF installation.

I’ve seen commercial NAC systems that appear to be much more reliable. Cisco’s is not among them. I haven’t taken the time to try them out yet, however.

-mel

> On Dec 3, 2017, at 7:06 AM, Jean | ddostest.me via NANOG wrote:
>
> I'm about to try this one.
>
> https://packetfence.org/
>
> Not sure if it covers all the features you need though, but it seems
> promising. In case you give it a try, could you share your experience
> please?
>
> Thanks
> Jean
>
> On 17-12-03 09:48 AM, segs wrote:
>> Forescout but if you want something simpler with SNMP authentication of
>> switches and Domain Controller of authorized PCs you can have a look at
>> Portnox. Done couple of deployments with Portnox.
>>
>> On Sun, Dec 3, 2017 at 3:39 PM, Christopher J. Wolff wrote:
>>
>>> I've about reached my limit with the dumpster fire that is Cisco's
>>> Identity Service Engine. Are there any reliable alternatives that do
>>> endpoint classification, central web auth, and .1x auth?
>>>
>>> Thanks in advance,
>>> Christopher
Re: Suggestions for a more privacy conscious email provider
If you plan to use it for a small group of people, you should consider hosting it yourself.

You could set it up with SPF, dkim, dmarc, ipv6. It could be seen as a personal challenge to achieve.

Then if you need real privacy, you will need to encrypt with public keys like PGP or S/MIME. You can upload your public key to the public pgp key servers.

I guess that one day this thing will be very popular.

Challenge accepted?

Jean

On 17-12-02 05:20 PM, Paul Ferguson wrote:
> On Sat, Dec 2, 2017 at 1:35 PM, Michael S. Singh wrote:
>
>> I am in need of some suggestions for some privacy conscious email
>> providers. I am currently using Migadu [...]
>
> I use KolabNow, based in Switzerland, for a lot of personal e-mail
> communications. They are very, very privacy conscious:
>
> --> https://kolabnow.com/feature/confidence
>
> They are *not* free, but quite reasonable, and I am quite happy with them.
>
> - ferg
Re: Alternatives to ISE?
I'm about to try this one.

https://packetfence.org/

Not sure if it covers all the features you need though, but it seems promising. In case you give it a try, could you share your experience please?

Thanks
Jean

On 17-12-03 09:48 AM, segs wrote:
> Forescout but if you want something simpler with SNMP authentication of
> switches and Domain Controller of authorized PCs you can have a look at
> Portnox. Done couple of deployments with Portnox.
>
> On Sun, Dec 3, 2017 at 3:39 PM, Christopher J. Wolff wrote:
>
>> I've about reached my limit with the dumpster fire that is Cisco's
>> Identity Service Engine. Are there any reliable alternatives that do
>> endpoint classification, central web auth, and .1x auth?
>>
>> Thanks in advance,
>> Christopher
Re: Alternatives to ISE?
Forescout but if you want something simpler with SNMP authentication of switches and Domain Controller of authorized PCs you can have a look at Portnox. Done couple of deployments with Portnox.

On Sun, Dec 3, 2017 at 3:39 PM, Christopher J. Wolff wrote:

> I've about reached my limit with the dumpster fire that is Cisco's
> Identity Service Engine. Are there any reliable alternatives that do
> endpoint classification, central web auth, and .1x auth?
>
> Thanks in advance,
> Christopher
Alternatives to ISE?
I've about reached my limit with the dumpster fire that is Cisco's Identity Service Engine. Are there any reliable alternatives that do endpoint classification, central web auth, and .1x auth?

Thanks in advance,
Christopher