Re: Suggestions for a more privacy conscious email provider

2017-12-03 Thread Rich Kulawiec
On Sun, Dec 03, 2017 at 05:08:33PM +, Filip Hruska wrote:
> I personally run my own mail server, but route outgoing emails via Amazon
> SES. 

Not a good idea.  Amazon's cloud operations are a constant source of
spam and abuse (e.g., brute-force SSH attacks), they refuse to accept
complaints per RFC 2142, and -- apparently -- they simply don't care to
do anything about it.  I've had SES blacklisted in my MTA for years (among
other preventative measures) and highly recommend to others.

---rsk


Re: Ticketmaster?

2017-12-03 Thread Matt Palmer
On Sun, Dec 03, 2017 at 07:34:29PM -0800, Doug Barton wrote:
> On 12/02/2017 02:39 PM, Ryan Gard wrote:
> > *Oh, you must be sharing your IP with everyone else in your area*
> 
> CGNAT by any chance?

... and yet:

$ dig www.ticketmaster.com 

; <<>> DiG 9.10.3-P4-Debian <<>> www.ticketmaster.com 
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28358
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.ticketmaster.com.  IN  

;; AUTHORITY SECTION:
ticketmaster.com.   2560 IN  SOA a1-157.akam.net. tmhostmaster.ticketmaster.com. 2991260818 600 600 1048576 2560



Re: Alternatives to ISE?

2017-12-03 Thread Ray Van Dolson
On Sun, Dec 03, 2017 at 02:39:27PM +, Christopher J. Wolff wrote:
> I've about reached my limit with the dumpster fire that is Cisco's
> Identity Service Engine.  Are there any reliable alternatives that do
> endpoint classification, central web auth, and .1x auth?

What version of ISE are you running?  What are your main frustrations
with it?

Ray


Re: Ticketmaster?

2017-12-03 Thread mike . lyon
They’ve blocked a few of my end-user /24s and I’ve had zero luck getting them 
to unblock them.

Just one more reason to hate them and not use them. They are the devil.

-Mike

> On Dec 3, 2017, at 19:34, Doug Barton  wrote:
> 
>> On 12/02/2017 02:39 PM, Ryan Gard wrote:
>> *Oh, you must be sharing your IP with everyone else in your area*
> 
> CGNAT by any chance?
> 


Re: Ticketmaster?

2017-12-03 Thread Doug Barton

On 12/02/2017 02:39 PM, Ryan Gard wrote:
> *Oh, you must be sharing your IP with everyone else in your area*

CGNAT by any chance?



Re: Suggestions for a more privacy conscious email provider

2017-12-03 Thread Grant Taylor via NANOG

On 12/03/2017 12:55 PM, Royce Williams wrote:
> Maybe the OP is interested in outsourcing all of that - letting someone
> else stay current with patching, spammer tactics, etc.

You make a fair point.

My point is that it is possible to do yourself /if/ you want to do so. 
Everyone has to make their own decision.  -  My goal is to provide 
information to help make said decision.




--
Grant. . . .
unix || die





Re: Suggestions for a more privacy conscious email provider

2017-12-03 Thread Royce Williams
On Sun, Dec 3, 2017 at 10:31 AM, Grant Taylor via NANOG 
wrote:

> On 12/03/2017 10:08 AM, Filip Hruska wrote:
>
>> It's kind of a pain to manage a mail server.
>>
>
> I disagree.
>
> I have been running my own mail server for > 15 years and extremely happy
> with it.
>
> I spend less than an hour a month needing to do things to it.  Usually
> that's just the same type of OS updates that I do to my workstation.
>
> Having my own mail server gives me a LOT more flexibility than relying on
> someone else's mail server.


For those of us who have the savvy to do so competently, sure.

For others, the key word may be "provider".

Setting up a Linode server on static IP space (to avoid being blacklisted),
setting up greylisting, antivirus/antispam (maybe?), STARTTLS, etc. ...

Maybe the OP is interested in outsourcing all of that - letting someone
else stay current with patching, spammer tactics, etc.

Royce


Re: Suggestions for a more privacy conscious email provider

2017-12-03 Thread Grant Taylor via NANOG

On 12/03/2017 10:08 AM, Filip Hruska wrote:
> It's kind of a pain to manage a mail server.

I disagree.

I have been running my own mail server for > 15 years and extremely 
happy with it.


I spend less than an hour a month needing to do things to it.  Usually 
that's just the same type of OS updates that I do to my workstation.


Having my own mail server gives me a LOT more flexibility than relying 
on someone else's mail server.




--
Grant. . . .
unix || die





Re: Alternatives to ISE?

2017-12-03 Thread Alan Buxey
if you're already slurping the commercial koolaid (support contracts,
someone to blame etc etc) - then Aruba Clearpass?

(otherwise local homebrew with FreeRADIUS core or PacketFence as
FOSSOTS ;-) )

alan


Re: Suggestions for a more privacy conscious email provider

2017-12-03 Thread Filip Hruska

It's kind of a pain to manage a mail server.

Even if you have SPF, DKIM correctly set up and you are not on any common
blacklists, you constantly have to fight for good deliverability - some mail
server solutions will simply reject you no matter what.
You might be on some obscure blacklist nobody uses and then you have to
waste time sending blacklist removal requests.

I personally run my own mail server, but route outgoing emails via
Amazon SES. Gives me all the benefits of having my own mail server (domain
aliases, extensions, custom spam filter etc) and saves me from the pain
of managing outgoing reputation.


--
Filip Hruska
Linux System Administrator

On 12/3/17 at 16:12, Jean | ddostest.me via NANOG wrote:
> If you plan to use it for a small group of people, you should consider
> hosting it yourself. You could set it up with SPF, dkim, dmarc, ipv6.
>
> It could be seen as a personal challenge to achieve.
>
> Then if you need real privacy, you will need to encrypt with public keys
> like PGP or S/MIME. You can upload your public key to the public pgp key
> servers. I guess that one day this thing will be very popular.
>
> Challenge accepted?
>
> Jean
>
> On 17-12-02 05:20 PM, Paul Ferguson wrote:
>> On Sat, Dec 2, 2017 at 1:35 PM, Michael S. Singh 
>> wrote:
>>
>>> I am in need of some suggestions for some privacy conscious email
>>> providers. I am currently using Migadu [...]
>>
>> I use KolabNow, based in Switzerland, for a lot of personal e-mail
>> communications. They are very, very privacy conscious:
>>
>> --> https://kolabnow.com/feature/confidence
>>
>> They are *not* free, but quite reasonable, and I am quite happy with them.
>>
>> - ferg
>>






Re: Alternatives to ISE?

2017-12-03 Thread Eriks Rugelis
$dayjob is a university where we use PacketFence to support .1x for a 
population of approx. 28K concurrent Wi-Fi devices.

It took us a couple of iterations but we now have a clustered deployment (of 
VMs) model which routinely handles >1200 logins per second, has a fair bit of 
headroom left over and can scale larger as required.

We have been very satisfied with the responsiveness and capabilities of tech 
support by Inverse.ca.   All this and the price point is hard to beat.

I have no personal interest in Inverse other than as a satisfied customer.

Our presentation on the scalable deployment model for PF may be found by 
searching the web for “Authentication for big Wi-Fi”.

Eriks
---
Eriks Rugelis
Sr. Consultant
Netidea Inc.
T: +1.416.876.0740

> On Dec 3, 2017, at 10:06, Jean | ddostest.me via NANOG  
> wrote:
> 
> I'm about to try this one.
> 
> https://packetfence.org/
> 
> Not sure if it covers all the features you need though, but it seems
> promising. In case you give it a try, could you share your experience
> please?
> 
> Thanks
> Jean
> 
>> On 17-12-03 09:48 AM, segs wrote:
>> Forescout but if you want something simpler with SNMP authentication of
>> switches and Domain Controller of authorized PCs you can have a look at
>> Portnox. Done couple of deployments with Portnox.
>> 
>> On Sun, Dec 3, 2017 at 3:39 PM, Christopher J. Wolff 
>> wrote:
>> 
>>> I've about reached my limit with the dumpster fire that is Cisco's
>>> Identity Service Engine.  Are there any reliable alternatives that do
>>> endpoint classification, central web auth, and .1x auth?
>>> 
>>> Thanks in advance,
>>> Christopher
>>> 
> 


Re: Alternatives to ISE?

2017-12-03 Thread Mel Beckman
I’ve used PacketFence for several years, but it’s kind of fragile. Compared to 
many FOSS systems, it’s exceptionally well documented, and uses reasonably good 
Web GUI standards. It also supports Cisco switches well. However, I routinely 
have to twiddle with it when one or another internal component silently 
crashes. It’s about as fiddly as Asterisk is for telephony: just when you 
think you’ve got it working, some unpredicted external event — a new device or 
an OS security patch — breaks it. What PF really needs is some kind of internal 
monitoring and notification system to let you know when and what stopped 
working. Various users have jury rigged their own scripts and published them, 
but they’re too customized to work generically for any PF installation.

I’ve seen commercial NAC systems that appear to be much more reliable. Cisco’s 
is not among them. I haven’t taken the time to try them out yet, however. 

 -mel

> On Dec 3, 2017, at 7:06 AM, Jean | ddostest.me via NANOG  
> wrote:
> 
> I'm about to try this one.
> 
> https://packetfence.org/
> 
> Not sure if it covers all the features you need though, but it seems
> promising. In case you give it a try, could you share your experience
> please?
> 
> Thanks
> Jean
> 
> On 17-12-03 09:48 AM, segs wrote:
>> Forescout but if you want something simpler with SNMP authentication of
>> switches and Domain Controller of authorized PCs you can have a look at
>> Portnox. Done couple of deployments with Portnox.
>> 
>> On Sun, Dec 3, 2017 at 3:39 PM, Christopher J. Wolff 
>> wrote:
>> 
>>> I've about reached my limit with the dumpster fire that is Cisco's
>>> Identity Service Engine.  Are there any reliable alternatives that do
>>> endpoint classification, central web auth, and .1x auth?
>>> 
>>> Thanks in advance,
>>> Christopher
>>> 



Re: Suggestions for a more privacy conscious email provider

2017-12-03 Thread Jean | ddostest.me via NANOG
If you plan to use it for a small group of people, you should consider
hosting it yourself. You could set it up with SPF, dkim, dmarc, ipv6.

It could be seen as a personal challenge to achieve.

Then if you need real privacy, you will need to encrypt with public keys
like PGP or S/MIME. You can upload your public key to the public pgp key
servers. I guess that one day this thing will be very popular.

Challenge accepted?

Jean

On 17-12-02 05:20 PM, Paul Ferguson wrote:
> On Sat, Dec 2, 2017 at 1:35 PM, Michael S. Singh 
> wrote:
> 
>> I am in need of some suggestions for some privacy conscious email 
>> providers. I am currently using Migadu [...]
> 
> I use KolabNow, based in Switzerland, for a lot of personal e-mail
> communications. They are very, very privacy conscious:
> 
> --> https://kolabnow.com/feature/confidence
> 
> They are *not* free, but quite reasonable, and I am quite happy with them.
> 
> - ferg
> 
> 
> 


Re: Alternatives to ISE?

2017-12-03 Thread Jean | ddostest.me via NANOG
I'm about to try this one.

https://packetfence.org/

Not sure if it covers all the features you need though, but it seems
promising. In case you give it a try, could you share your experience
please?

Thanks
Jean

On 17-12-03 09:48 AM, segs wrote:
> Forescout but if you want something simpler with SNMP authentication of
> switches and Domain Controller of authorized PCs you can have a look at
> Portnox. Done couple of deployments with Portnox.
> 
> On Sun, Dec 3, 2017 at 3:39 PM, Christopher J. Wolff 
> wrote:
> 
>> I've about reached my limit with the dumpster fire that is Cisco's
>> Identity Service Engine.  Are there any reliable alternatives that do
>> endpoint classification, central web auth, and .1x auth?
>>
>> Thanks in advance,
>> Christopher
>>


Re: Alternatives to ISE?

2017-12-03 Thread segs
Forescout but if you want something simpler with SNMP authentication of
switches and Domain Controller of authorized PCs you can have a look at
Portnox. Done couple of deployments with Portnox.

On Sun, Dec 3, 2017 at 3:39 PM, Christopher J. Wolff 
wrote:

> I've about reached my limit with the dumpster fire that is Cisco's
> Identity Service Engine.  Are there any reliable alternatives that do
> endpoint classification, central web auth, and .1x auth?
>
> Thanks in advance,
> Christopher
>


Alternatives to ISE?

2017-12-03 Thread Christopher J. Wolff
I've about reached my limit with the dumpster fire that is Cisco's Identity 
Service Engine.  Are there any reliable alternatives that do endpoint 
classification, central web auth, and .1x auth?

Thanks in advance,
Christopher