Re: [mailop] DMARC question

2016-06-25 Thread Michelle Sullivan

Sander Smeenk via mailop wrote:

> Quoting Terry Barnum (terry...@gmail.com):
>
> > I've been checking our newly configured DMARC status on the
> > (excellent) dmarcian.com site. We're being joe jobbed every 2 weeks so
> > I'm hoping DMARC severely cuts into that spammer's delivery success. I
> > still hate getting all the undeliverable bounce notices though.
>
> In addition to what has been said, keeping "false bounces" at bay is
> best done by implementing SRS/PRVS/BATV: it creates time-limited
> "envelope from"-addresses and you can reject any null-sender message
> directed at a non-{srs,prvs,batv}-addresses...

Which violates the RFCs, and causes all sorts of problems.

Null Sender addressed email != bounces

Null sender addressed email is any automated email where one wishes to 
avoid mailing loops, such as bounce messages and robot-generated 
messages... or webform-triggered registration email validation emails, 
where not an insignificant number are deliberately fake and/or have 
typos... for example.


--
Michelle Sullivan
http://www.mhix.org/


___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


Re: [mailop] Lack of TLS 1.1/1.2 support on Apple email products

2016-06-25 Thread Eric Tykwinski
Frank,

Here’s the strange part, I get conflicting responses depending on protocol, and 
server.
Running OSX 10.11.5 

333885  67.190981000  XXX.XXX.XXX.100  192.168.15.100   TLSv1.2  259  Server Hello, Change Cipher Spec, Encrypted Handshake Message
That’s to my Exchange server using EWS.

258785  47.527004000  XXX.XXX.XXX.102  192.168.15.100   TLSv1    125  Change Cipher Spec, Encrypted Handshake Message
This is a Dovecot server, IMAP4S.

127064  20.228638000  XXX.XXX.XXX.9    192.168.15.100   TLSv1    211  Server Hello, Change Cipher Spec, Encrypted Handshake Message
This is a SmarterMail server, also IMAP4S.

21150   16.384388000  192.168.15.100   XXX.XXX.XXX.9    TLSv1.2  167  Encrypted Handshake Message
Same server, but EWS.

So my guess is that this is really just affecting standard mail protocols, but 
not SOAP calls.
I’ve been meaning to test out SOGo, but haven’t had the chance, so OpenChange 
may work the same, but I’m not sure.

I agree with Bill that it’s affecting many older clients as well, but I 
disagree that RC4/TLS1 is less immune to MITM just because you are using a 
SMTP/IMAP/POP transport.  Most client systems won’t fall back to non-encryption, 
they will just error out; only servers will.  

Good news is at least the POODLE attack on TLS1 was restricted to F5 load 
balancers, at least I think:
https://en.wikipedia.org/wiki/POODLE#POODLE_attack_against_TLS

> On Jun 24, 2016, at 11:24 PM, frnk...@iname.com wrote:
> 
> I want to disable it for the reasons that Eric spelled out. TLS 1.0 is 
> broken, so if we turn it off on websites, shouldn't we turn it off for all 
> protocols?  Not that we promise our customers end-to-end encryption for all 
> their e-mail messages and handling, but I'd like to take advantage of the 
> standards that are already out there for web browsing.
> 
> And I think we could, if it weren't for Apple's mail products.
> 
> Frank
> 
> -Original Message-
> From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Seth Mattinen
> Sent: Friday, June 24, 2016 6:28 PM
> To: mailop@mailop.org
> Subject: Re: [mailop] Lack of TLS 1.1/1.2 support on Apple email products
> 
> On 6/24/16 10:31 AM, Frank Bulk wrote:
>> Due to PCI requirements to disable TLS 1.0, and recognizing an overall
>> push towards TLS 1.1 and TLS 1.2, we tried turning off TLS 1.0 on our
>> email servers.  That generally worked out fine for webmail, but Apple
>> users couldn’t use SMTP, POP3, or IMAP, resulting in a lot of helpdesk
>> calls.  We ended up turning TLS 1.0 back on.
>> 
> 
> Unless you're sending card numbers or track data by email why would you 
> need to disable TLSv1.0 on a mail server for PCI?
> 
> ~Seth



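Eric's comparison above was made from a packet capture, one protocol and server at a time. The following is an added example, not code from the thread or from any of the mail products mentioned: a probe that offers the server exactly one TLS version per handshake (the situation of a client that speaks nothing newer) and records what each endpoint negotiates, followed by a helper that lists the endpoints still completing TLS 1.0/1.1 handshakes. The host name, the endpoint list and the `SAMPLE_RESULTS` table are constructed for illustration; the table mirrors the pattern Eric saw (EWS on TLS 1.2 only, IMAP4S still on TLS 1.0).

```python
import imaplib
import smtplib
import socket
import ssl

# One handshake per version; the server either completes it or refuses.
VERSIONS = (
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
)
LEGACY = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)


def make_context(version):
    """Client context that offers exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE   # version probe only; never reuse this for real mail
    ctx.minimum_version = version
    ctx.maximum_version = version
    if version in LEGACY:
        # OpenSSL's default security level refuses TLS 1.0/1.1; lower it for the probe only.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    return ctx


def negotiated_version(host, port, version, starttls=None, timeout=5.0):
    """Version string the server negotiated (e.g. 'TLSv1.2'), or None if the
    handshake failed. starttls is None (implicit TLS), 'smtp' or 'imap'."""
    ctx = make_context(version)
    try:
        if starttls == "smtp":
            with smtplib.SMTP(host, port, timeout=timeout) as s:
                s.starttls(context=ctx)
                return s.sock.version()
        if starttls == "imap":
            c = imaplib.IMAP4(host, port, timeout=timeout)
            try:
                c.starttls(ssl_context=ctx)
                return c.sock.version()
            finally:
                c.shutdown()
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version()
    except (OSError, smtplib.SMTPException, imaplib.IMAP4.error, ValueError):
        # OSError covers ssl.SSLError and refused/timed-out connections;
        # ValueError covers an OpenSSL build that cannot offer the requested version.
        return None


def probe(host, endpoints, versions=VERSIONS):
    """endpoints: {label: (port, starttls)} -> {label: {version_name: negotiated_or_None}}."""
    return {
        label: {v.name: negotiated_version(host, port, v, starttls) for v in versions}
        for label, (port, starttls) in endpoints.items()
    }


def legacy_endpoints(results):
    """Labels whose server completed a handshake with a client offering only TLS 1.0 or 1.1."""
    return sorted(
        label
        for label, per_version in results.items()
        if any(per_version.get(v.name) for v in LEGACY)
    )


# Constructed sample (not a real capture) in the shape probe() returns.
SAMPLE_RESULTS = {
    "ews/443": {"TLSv1": None, "TLSv1_1": None, "TLSv1_2": "TLSv1.2", "TLSv1_3": None},
    "imaps/993": {"TLSv1": "TLSv1", "TLSv1_1": "TLSv1.1", "TLSv1_2": "TLSv1.2", "TLSv1_3": None},
    "submission/587": {"TLSv1": None, "TLSv1_1": None, "TLSv1_2": "TLSv1.2", "TLSv1_3": "TLSv1.3"},
}

if __name__ == "__main__":
    host = "mail.example.com"   # assumption: replace with your own mail host
    endpoints = {
        "imaps/993": (993, None),
        "pop3s/995": (995, None),
        "imap-starttls/143": (143, "imap"),
        "submission/587": (587, "smtp"),
        "https/443": (443, None),
    }
    results = probe(host, endpoints)
    for label, per_version in results.items():
        print(label, per_version)
    print("still accepting TLS 1.0/1.1:", legacy_endpoints(results))
```

Run it before and after changing the server's protocol settings; an endpoint that stays in the `legacy_endpoints` list after the change is one the configuration did not actually cover (in Eric's case the MAPI/EWS path and the IMAP path were evidently configured separately).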


Re: [mailop] DMARC question

2016-06-25 Thread Sander Smeenk via mailop
Quoting Terry Barnum (terry...@gmail.com):

> I've been checking our newly configured DMARC status on the
> (excellent) dmarcian.com site. We're being joe jobbed every 2 weeks so
> I'm hoping DMARC severely cuts into that spammer's delivery success. I
> still hate getting all the undeliverable bounce notices though.

In addition to what has been said, keeping "false bounces" at bay is
best done by implementing SRS/PRVS/BATV: it creates time-limited
"envelope from"-addresses and you can reject any null-sender message
directed at a non-{srs,prvs,batv}-addresses...

-Sndr.
-- 
| Recursive, adj.; See Recursive
| 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7  FBD6 F3A9 9442 20CC 6CD2
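The tagging scheme Sander recommends, as an added example that is not part of this thread nor taken from any BATV/PRVS/SRS implementation: a PRVS-style envelope-sender tag in the `prvs=KDDDSSSSSS=local@domain` layout of draft-levine-smtp-batv (one-digit key id, expiry day modulo 1000, six hex digits of an HMAC), with the null-sender acceptance check from his post. The hash (HMAC-SHA256) and the exact string that is signed are assumptions of this example and differ from the draft, so it is not interoperable with a real deployment; key, addresses and dates are constructed. The last case in the demo is the side effect Michelle raises in her reply: a legitimate null-sender message (a registration confirmation, say) to the plain, untagged mailbox is refused by the same rule.

```python
import datetime
import hashlib
import hmac
import re

# prvs=KDDDSSSSSS=local@domain
#   K      one-digit key id, so keys can be rotated
#   DDD    expiry day: days since 1970-01-01, modulo 1000
#   SSSSSS first six hex digits of the HMAC over key id, day and address
# HMAC-SHA256 and the signed string in _tag_hmac are assumptions of this example.
PRVS_RE = re.compile(r"^prvs=(\d)(\d{3})([0-9a-f]{6})=([^@=]+)@([^@]+)$", re.IGNORECASE)
EPOCH = datetime.date(1970, 1, 1)


def day_number(date):
    return (date - EPOCH).days


def _tag_hmac(key, key_id, ddd, local, domain):
    signed = f"{key_id}{ddd:03d}:{local}@{domain}".lower().encode()
    return hmac.new(key, signed, hashlib.sha256).hexdigest()[:6]


def sign_envelope_from(local, domain, key, today, key_id=0, lifetime_days=7):
    """Address to put in MAIL FROM on outbound mail; valid through today + lifetime_days."""
    ddd = (day_number(today) + lifetime_days) % 1000
    tag = _tag_hmac(key, key_id, ddd, local, domain)
    return f"prvs={key_id}{ddd:03d}{tag}={local}@{domain}"


def verify_signed_rcpt(address, key, today, max_lifetime_days=7):
    """True if RCPT TO carries a tag this key produced and the tag has not expired."""
    m = PRVS_RE.match(address)
    if not m:
        return False
    key_id, ddd, sig = int(m[1]), int(m[2]), m[3].lower()
    local, domain = m[4], m[5]
    # Days until expiry, modulo 1000. An expired day wraps to a large value and a
    # forged far-future day is also outside the window, so one check covers both.
    remaining = (ddd - day_number(today)) % 1000
    if remaining > max_lifetime_days:
        return False
    return hmac.compare_digest(_tag_hmac(key, key_id, ddd, local, domain), sig)


def accept_null_sender_rcpt(mail_from, rcpt_to, key, today):
    """The policy from the post: a message with MAIL FROM:<> is accepted only
    for a recipient address carrying a valid tag. Other senders are not affected."""
    if mail_from.strip() not in ("", "<>"):
        return True
    return verify_signed_rcpt(rcpt_to, key, today)


if __name__ == "__main__":
    key = b"constructed-example-key"          # assumption: a real key is long and random
    today = datetime.date(2016, 6, 25)        # constructed date
    tagged = sign_envelope_from("terry", "example.com", key, today)
    print("outbound MAIL FROM:", tagged)
    # Bounce of mail we really sent: arrives at the tagged address, accepted.
    print("real bounce:", accept_null_sender_rcpt("<>", tagged, key, today))
    # Joe-job backscatter: the forger did not know the key, so it hits the plain address.
    print("backscatter:", accept_null_sender_rcpt("<>", "terry@example.com", key, today))
    # Michelle's point: a null-sender registration confirmation to the plain address
    # is refused by exactly the same rule.
    print("registration mail:", accept_null_sender_rcpt("<>", "terry@example.com", key, today))
```

The check is only meaningful if every outbound path (MTA, webmail, application relays) uses tagged senders; any untagged outbound mail makes its own legitimate bounces indistinguishable from backscatter.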
