Re: [mailop] Expired SSL cert for mailop

2018-10-29 Thread Doug Barton
So leaving aside the discussion of specific TLS solutions, how do we get 
the list admin on the line to fix this?




On 10/25/18 8:50 PM, Doug Barton wrote:
Y'all might want to be aware that this issue is being discussed on the 
NANOG list. In the age of Let's Encrypt expired TLS certs are a really 
bad look.


On 9/12/18 6:24 AM, Matt Gilbert via mailop wrote:

Hey gang,

I was showing mailop to a new member of my team, and when I went to 
show them where to request signup to the list, I noticed that the SSL 
certificate has expired, which causes most (all?) current browsers to 
block the page loading. I figured you’d want to know.


 > chilli.nosignal.org uses an invalid security certificate.
 > The certificate expired on July 25, 2018, 7:59:59 PM GMT-4. The current time is September 12, 2018, 9:21 AM.
 >
 > Error code: SEC_ERROR_EXPIRED_CERTIFICATE


Thanks,
Matt Gilbert
--
Deliverability Engineer | MailChimp
delivery.mailchimp.com 



___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop





Re: [mailop] Expires SSL cert for mailop

2018-10-29 Thread Noel Butler
On 30/10/2018 09:29, Noel Butler wrote:

> On 30/10/2018 03:18, Bill Cole wrote: 
> On 29 Oct 2018, at 12:41, Jim Popovitch via mailop wrote:
> 
> N.B. please don't CC me, I'm subscribed to the list. 
> I normally wouldn't, but your posts all have this header:
> 
> Reply-To: Jim Popovitch 
> 
> Perhaps that's being added by Mailman for some reason...

Nope,  Jim is forcing that, not mailman, I just use reply to all which
roundcube sees it as reply to list, and only replies to list (in all but
some unusual cases) 

scratch that.. my knowledge of mailman is a bit out-dated :) 

-- 
Kind Regards, 

Noel Butler 

This Email, including any attachments, may contain legally 
privileged
information, therefore remains confidential and subject to copyright
protected under international law. You may not disseminate, discuss, or
reveal, any part, to anyone, without the authors express written
authority to do so. If you are not the intended recipient, please notify
the sender then delete all copies of this message including attachments,
immediately. Confidentiality, copyright, and legal privilege are not
waived or lost by reason of the mistaken delivery of this message. Only
PDF [1] and ODF [2] documents accepted, please do not send proprietary
formatted documents 

 

Links:
--
[1] http://www.adobe.com/
[2] http://en.wikipedia.org/wiki/OpenDocument


Re: [mailop] Expires SSL cert for mailop

2018-10-29 Thread Noel Butler
On 30/10/2018 03:18, Bill Cole wrote:

> On 29 Oct 2018, at 12:41, Jim Popovitch via mailop wrote:
> 
>> N.B. please don't CC me, I'm subscribed to the list.
> 
> I normally wouldn't, but your posts all have this header:
> 
> Reply-To: Jim Popovitch 
> 
> Perhaps that's being added by Mailman for some reason...

Nope,  Jim is forcing that, not mailman, I just use reply to all which
roundcube sees it as reply to list, and only replies to list (in all but
some unusual cases) 

-- 
Kind Regards, 

Noel Butler 



Re: [mailop] Expires SSL cert for mailop

2018-10-29 Thread Noel Butler
On 29/10/2018 19:44, Frands Bjerring Hansen wrote:

> Noel, 
> 
> LE does not insist on certbot. They recommend it, and why wouldn't they? :) 
> 
> Use acme.sh instead if you are not able to adhere to the requirements of 
> Certbot. Acme.sh requires nothing but sh.
> 
> Also, it seems like you did not properly read about ways to address the 
> problems you mention. Instead of having a webserver you could do DNS 
> validation. Acme.sh already supports a ton of DNS implementations: 
> https://github.com/Neilpang/acme.sh/tree/master/dnsapi - and if yours is 
> not there, it's easy to write an implementation.

I will look into acme.sh for the Mx's as I see it has an nsupdate
method, MX certs don't expire for 2 months so I have plenty time, the few
websites that use SSL though started expiring a few days ago now, so
were more time critical to sort out last week, after giving up on
certbot and trying Crypt::LE (since I know perl) it did what we needed
easily right away, it took all of 5 mins to write the automation
processes and test them. 

I just wish LE had better docs.. oh well... one day maybe...

-- 
Kind Regards, 

Noel Butler 



[mailop] gmx.com to the white courtesy phone

2018-10-29 Thread Luis E. Muñoz via mailop
Please contact me offlist.

Thanks!

-lem



Re: [mailop] hotmail.com blocks again for no reasons - this is insane

2018-10-29 Thread Michael Wise via mailop

Might be a reason for it.
Perhaps you should ask…?

  https://go.microsoft.com/fwlink/?LinkID=614866&clcid

Won’t be commenting any further on this thread … or offlist.

Aloha,
Michael.
--
Michael J Wise
Microsoft Corporation| Spam Analysis
"Your Spam Specimen Has Been Processed."
Got the Junk Mail Reporting 
Tool ?

From: mailop  On Behalf Of Stefan Bauer
Sent: Monday, October 29, 2018 11:07 AM
To: mailop 
Subject: [mailop] hotmail.com blocks again for no reasons - this is insane


Hi,



anyone else in trouble with hotmail.com again?



We are a very low sending MX without any spam from our range. It started at 
17:00 that hotmail was not offering TLS. I have no clue, why this is the case. 
Is this some kind of spam defense voodoo?



Our MX tried again after an hour and got refused with "network is on our block 
list (S3150)"



No blocklist shows our ip / network as blocked.



Also Microsoft's own SNDS shows no issues at all. Already requested unblock even 
though I do not see anywhere a block of our IP. This is all insane.



Oct 28 06:35:21 securetransport schmid/smtp[14208]: Untrusted TLS connection 
established to hotmail-com.olc.protection.outlook.com[104.47.38.33]:25: TLSv1.2 
with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
Oct 28 06:35:22 securetransport schmid/smtp[14208]: A6A9F5FBD7: 
to=mailto:valid-u...@hotmail.com>>, 
relay=hotmail-com.olc.protection.outlook.com[104.47.38.33]:25, delay=1.4, 
delays=0.13/0.01/0.65/0.59, dsn=2.6.0, status=sent (250 2.6.0 
mailto:kcis.0AACE3E0EE264E0A9772E38A1401E4C0@mailserver>>
 [InternalId=23523535900992, 
Hostname=BL2NAM02HT009.eop-nam02.prod.protection.outlook.com] 10238 bytes in 
0.187, 53.358 KB/sec Queued mail for delivery)
Oct 29 11:47:17 securetransport schmid/smtp[10776]: Untrusted TLS connection 
established to hotmail-com.olc.protection.outlook.com[104.47.33.33]:25: TLSv1.2 
with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
Oct 29 11:47:17 securetransport schmid/smtp[10776]: 53D3C5FBD7: 
to=mailto:valid-u...@hotmail.com>>, 
relay=hotmail-com.olc.protection.outlook.com[104.47.33.33]:25, delay=2.6, 
delays=1.1/0.01/0.67/0.72, dsn=2.6.0, status=sent (250 2.6.0 
mailto:kcis.C3875E6D40E842D6B24A6DE18C50DCAA@mailserver>>
 [InternalId=23557895672549, 
Hostname=BN3NAM01HT013.eop-nam01.prod.protection.outlook.com] 58529 bytes in 
0.263, 216.623 KB/sec Queued mail for delivery)
Oct 29 17:00:35 securetransport schmid/smtp[16434]: 62DCA5FBC9: TLS is 
required, but was not offered by host 
hotmail-com.olc.protection.outlook.com[104.47.40.33]
Oct 29 18:17:21 securetransport schmid/smtp[17756]: A87965FBD7: 
to=mailto:valid-u...@hotmail.com>>, 
relay=hotmail-com.olc.protection.outlook.com[104.47.34.33]:25, delay=0.75, 
delays=0.12/0.01/0.46/0.15, dsn=5.7.1, status=bounced (host 
hotmail-com.olc.protection.outlook.com[104.47.34.33] said: 550 5.7.1 
Unfortunately, messages from [188.68.39.254] weren't sent. Please contact your 
Internet service provider since part of their network is on our block list 
(S3150). You can also refer your provider to 
http://mail.live.com/mail/troubleshooting.aspx#errors.
 [BY2NAM01FT031.eop-nam01.prod.protection.outlook.com] (in reply to MAIL FROM 
command))
Oct 29 18:17:21 securetransport schmid/smtp[17756]: A87965FBD7: lost connection 
with hotmail-com.olc.protection.outlook.com[104.47.34.33] while sending RCPT TO


Re: [mailop] Amazon AWS as 'spam sending farm' via phished account?

2018-10-29 Thread Michael Peddemors
While we do see an increase in AUTH attacks from Amazon AWS, it is still 
a drop in the bucket compared to traditional attack sources.  And there 
is not enough evidence yet to see if this is actual hackers with their 
own resources, vs simply hackers who have compromised someone else's 
resources there.  This is a similar pattern to what is seen at other 
large providers.


However, we do empathize with you regarding the Amazon support when 
trying to report such attacks.. I personally have got the generic, 
'Sorry, we don't know who was on that IP at that exact time' response..


But in essence, you will have to address this like all other 
authentication attacks.  I would not go as far as saying block all AWS 
from authenticating, there could be legitimate applications designed to 
access email accounts.  Of course, you should do your best to ensure 
that at least the script kiddie authentication attempts are blocked, or 
used to trigger blocking mechanisms.


And in general, expect a lot more of these types of attacks, as hackers 
now find that they get more value from compromising email accounts, than 
just to use them to spam.


You could throw support behind our CLIENTID initiatives ;)

2018 we spent a lot of development time behind this emerging threat, 
including our Advanced Threat Detection tools, but authentication to 
legacy protocols will have to change in order to encompass all of the 
threats.


Now, if we can just get everyone to BLACKHOLE the really bad 'hosting 
companies'  which are just fronts for large scale AUTH attacks and 
other abuses.. which somehow got IP Space.


PS, Most of the AUTH attacks we see are still trying simply 'username' 
instead of full 'emailaddress', so restricting authentication to full 
email address should reduce much of the attacks.  A lot of it is still 
trying old compromised database information, from 2015 and earlier..
And there is a separate group doing dictionary attacks against common 
names..





On 18-10-29 04:01 AM, Benoit Panizzon wrote:

Hi List

We increasingly notice, that when an account got phished, it is being
abused to send spam from usually one or two Amazon AWS US IP Addresses
simultaneously, staying below our account auto-block threshold.

Quite some time in the past, when I first observed this, contacted the
Amazon Abuse Desk, including the infos they provide in their WHOIS
entry in the past, but never ever got any kind of reaction.

Now I am curious, do others also make this observation?

How about blocking the Amazon AWS IP ranges? Are there any legitimate
emails being sent by them?

Well I could try to block them only for Authenticated SMTP submission,
not for MX operation.

Mit freundlichen Grüssen

-Benoît Panizzon-





--
"Catch the Magic of Linux..."

Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.

604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.

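The two ideas raised in this thread (treating cloud-range sources differently only for authenticated submission, not for MX traffic, and rejecting AUTH attempts that use a bare username) can be sketched as follows. This is an added example, not code from either poster: the event tuple format, the placeholder "cloud" ranges, the decision labels and the threshold are all assumptions.

```python
import ipaddress
from collections import defaultdict

# Placeholder "cloud provider" ranges (RFC 5737 documentation nets, assumption);
# in practice load the ranges the provider publishes.
CLOUD_NETS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]

# Constructed events: (service, source IP, SASL username or None, auth succeeded).
# "submission" = authenticated SMTP; "mx" = inbound server-to-server delivery.
EVENTS = [
    ("submission", "192.0.2.10",    "alice@example.org", True),   # usual client
    ("submission", "198.51.100.7",  "alice@example.org", True),   # cloud, valid creds
    ("submission", "203.0.113.9",   "alice@example.org", True),   # second cloud IP
    ("submission", "198.51.100.7",  "alice@example.org", True),
    ("submission", "203.0.113.50",  "bob",               False),  # bare username
    ("submission", "192.0.2.77",    "info",              False),  # bare username
    ("submission", "198.51.100.20", "carol@example.org", True),   # single cloud login
    ("mx",         "198.51.100.99", None,                False),  # inbound mail, no AUTH
]


def in_cloud(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUD_NETS)


def is_full_address(username):
    # "user@domain.tld" passes; "user", "@domain" and None do not.
    local, sep, domain = (username or "").rpartition("@")
    return bool(sep and local and "." in domain)


def decide(service, ip, username):
    """Per-connection policy. MX traffic is never judged by source range."""
    if service != "submission":
        return "accept"
    if not is_full_address(username):
        return "reject-bare-username"
    if in_cloud(ip):
        return "flag-for-review"   # scrutiny rather than an outright block
    return "accept"


def cloud_logins(events):
    """Successful submission logins from cloud ranges: {account: {ip: count}}."""
    seen = defaultdict(lambda: defaultdict(int))
    for service, ip, user, ok in events:
        if service == "submission" and ok and in_cloud(ip):
            seen[user][ip] += 1
    return {user: dict(ips) for user, ips in seen.items()}


def review_queue(events, rate_threshold=10):
    """Accounts a volume-based auto-block would miss: cloud logins below threshold."""
    queue = []
    for user, ips in sorted(cloud_logins(events).items()):
        total = sum(ips.values())
        if total < rate_threshold:
            queue.append((user, sorted(ips), total))
    return queue


if __name__ == "__main__":
    for service, ip, user, _ok in EVENTS:
        print(service, ip, user, "->", decide(service, ip, user))
    print(review_queue(EVENTS))
```
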


Re: [mailop] Expires SSL cert for mailop

2018-10-29 Thread Jim Popovitch via mailop
On Mon, 2018-10-29 at 13:18 -0400, Bill Cole wrote:
> On 29 Oct 2018, at 12:41, Jim Popovitch via mailop wrote:
> 
> > N.B. please don't CC me, I'm subscribed to the list.
> 
> I normally wouldn't, but your posts all have this header:
> 
>    Reply-To: Jim Popovitch 
> 
> Perhaps that's being added by Mailman for some reason...

Ahh, you are correct.  Mailman populates Reply-To when it munges a post
from a DMARC enabled domain.  IIRC this was done to preserve the
original address in a form that would make it to most end-user MUAs.

-Jim P.



[mailop] hotmail.com blocks again for no reasons - this is insane

2018-10-29 Thread Stefan Bauer
Hi,



anyone else in trouble with hotmail.com again?



We are a very low sending MX without any spam from our range. It started at 
17:00 that hotmail was not offering TLS. I have no clue, why this is the case. 
Is this some kind of spam defense voodoo?



Our MX tried again after an hour and got refused with "network is on our block 
list (S3150)"



No blocklist shows our ip / network as blocked.



Also Microsoft's own SNDS shows no issues at all. Already requested unblock even 
though I do not see anywhere a block of our IP. This is all insane.



Oct 28 06:35:21 securetransport schmid/smtp[14208]: Untrusted TLS connection 
established to hotmail-com.olc.protection.outlook.com[104.47.38.33]:25: TLSv1.2 
with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
Oct 28 06:35:22 securetransport schmid/smtp[14208]: A6A9F5FBD7: 
to=, 
relay=hotmail-com.olc.protection.outlook.com[104.47.38.33]:25, delay=1.4, 
delays=0.13/0.01/0.65/0.59, dsn=2.6.0, status=sent (250 2.6.0 
 [InternalId=23523535900992, 
Hostname=BL2NAM02HT009.eop-nam02.prod.protection.outlook.com] 10238 bytes in 
0.187, 53.358 KB/sec Queued mail for delivery)
Oct 29 11:47:17 securetransport schmid/smtp[10776]: Untrusted TLS connection 
established to hotmail-com.olc.protection.outlook.com[104.47.33.33]:25: TLSv1.2 
with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
Oct 29 11:47:17 securetransport schmid/smtp[10776]: 53D3C5FBD7: 
to=, 
relay=hotmail-com.olc.protection.outlook.com[104.47.33.33]:25, delay=2.6, 
delays=1.1/0.01/0.67/0.72, dsn=2.6.0, status=sent (250 2.6.0 
 [InternalId=23557895672549, 
Hostname=BN3NAM01HT013.eop-nam01.prod.protection.outlook.com] 58529 bytes in 
0.263, 216.623 KB/sec Queued mail for delivery)
Oct 29 17:00:35 securetransport schmid/smtp[16434]: 62DCA5FBC9: TLS is 
required, but was not offered by host 
hotmail-com.olc.protection.outlook.com[104.47.40.33]
Oct 29 18:17:21 securetransport schmid/smtp[17756]: A87965FBD7: 
to=, 
relay=hotmail-com.olc.protection.outlook.com[104.47.34.33]:25, delay=0.75, 
delays=0.12/0.01/0.46/0.15, dsn=5.7.1, status=bounced (host 
hotmail-com.olc.protection.outlook.com[104.47.34.33] said: 550 5.7.1 
Unfortunately, messages from [188.68.39.254] weren't sent. Please contact your 
Internet service provider since part of their network is on our block list 
(S3150). You can also refer your provider to 
http://mail.live.com/mail/troubleshooting.aspx#errors. 
 
[BY2NAM01FT031.eop-nam01.prod.protection.outlook.com] (in reply to MAIL FROM 
command))
Oct 29 18:17:21 securetransport schmid/smtp[17756]: A87965FBD7: lost connection 
with hotmail-com.olc.protection.outlook.com[104.47.34.33] while sending RCPT TO
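A way to triage Postfix smtp log entries like the ones quoted in the post above, as an added example that is not part of the original message: it classifies each line as a TLS handshake result, a "TLS is required, but was not offered" failure, or a block-list bounce, and extracts the block code and listed IP. The sample lines are constructed (placeholder hostnames, queue IDs and RFC 5737 addresses), and the function and field names are this example's own.

```python
import re

# Constructed sample, modelled on the message texts quoted in the post.
SAMPLE_LOG = """\
Oct 28 06:35:21 mx1 postfix/smtp[14208]: Untrusted TLS connection established to mx.example.net[192.0.2.33]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
Oct 28 06:35:22 mx1 postfix/smtp[14208]: AAAA000001: to=<user@example.net>, relay=mx.example.net[192.0.2.33]:25, delay=1.4, delays=0.13/0.01/0.65/0.59, dsn=2.6.0, status=sent (250 2.6.0 Queued mail for delivery)
Oct 29 17:00:35 mx1 postfix/smtp[16434]: AAAA000002: TLS is required, but was not offered by host mx.example.net[192.0.2.40]
Oct 29 18:17:21 mx1 postfix/smtp[17756]: AAAA000003: to=<user@example.net>, relay=mx.example.net[192.0.2.34]:25, delay=0.75, delays=0.12/0.01/0.46/0.15, dsn=5.7.1, status=bounced (host mx.example.net[192.0.2.34] said: 550 5.7.1 Unfortunately, messages from [203.0.113.254] weren't sent. Please contact your Internet service provider since part of their network is on our block list (S3150). (in reply to MAIL FROM command))
Oct 29 18:17:21 mx1 postfix/smtp[17756]: AAAA000003: lost connection with mx.example.net[192.0.2.34] while sending RCPT TO
"""

HEADER = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) \S+/smtp\[\d+\]: (?P<msg>.*)$")
# "Untrusted" means the session is encrypted but the peer certificate was not verified.
TLS_OK = re.compile(
    r"^(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection established to "
    r"(?P<peer>\S+?)\[(?P<ip>[^\]]+)\]:\d+: (?P<proto>\S+) with cipher (?P<cipher>\S+)")
TLS_MISSING = re.compile(
    r"^(?P<qid>[0-9A-F]+): TLS is required, but was not offered by host "
    r"(?P<peer>\S+?)\[(?P<ip>[^\]]+)\]")
DELIVERY = re.compile(
    r"^(?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>, relay=(?P<relay>[^,]+), .*?"
    r"dsn=(?P<dsn>\d\.\d+\.\d+), status=(?P<status>\w+) \((?P<text>.*)\)$")
BLOCK = re.compile(
    r"messages from \[(?P<blocked_ip>[^\]]+)\].*block list \((?P<block_code>\w+)\)")


def classify(msg):
    """Map one smtp client message to an event dict with a 'kind' field."""
    m = TLS_OK.match(msg)
    if m:
        return {"kind": "tls_established", **m.groupdict()}
    m = TLS_MISSING.match(msg)
    if m:
        return {"kind": "tls_not_offered", **m.groupdict()}
    m = DELIVERY.match(msg)
    if m:
        event = m.groupdict()
        blocked = BLOCK.search(event["text"])
        if event["status"] != "sent" and blocked:
            return {"kind": "policy_block", **event, **blocked.groupdict()}
        event["kind"] = "delivered" if event["status"] == "sent" else event["status"]
        return event
    return {"kind": "other", "text": msg}


def triage(log_text):
    events = []
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            events.append({"ts": m["ts"], **classify(m["msg"])})
    return events


def first_failure_after_success(events):
    """(last good delivery, first TLS or policy failure after it, failure kind)."""
    last_ok = None
    for e in events:
        if e["kind"] == "delivered":
            last_ok = e["ts"]
        elif e["kind"] in ("tls_not_offered", "policy_block") and last_ok:
            return last_ok, e["ts"], e["kind"]
    return None


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(e["ts"], e["kind"], e.get("block_code", ""))
```
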


Re: [mailop] Expires SSL cert for mailop

2018-10-29 Thread Bill Cole
On 29 Oct 2018, at 12:41, Jim Popovitch via mailop wrote:

> N.B. please don't CC me, I'm subscribed to the list.

I normally wouldn't, but your posts all have this header:

   Reply-To: Jim Popovitch 

Perhaps that's being added by Mailman for some reason...



Re: [mailop] Expires SSL cert for mailop

2018-10-29 Thread Jim Popovitch via mailop
On Mon, 2018-10-29 at 12:32 -0400, Bill Cole wrote:
> On 29 Oct 2018, at 10:40, Jim Popovitch via mailop wrote:
> 
> > You allow nsupdate from your cgi/php/java enabled webserver(s)?
> 
> My **what?*** Are you high? Do you mean to be insulting???

Of course not.  I only asked a simple question.  You plus-one'd a
solution in a thread about using LE for a website.

> 
> But no, I don't run anything on my webserver that modifies its own
> DNS. 

Ok, thanks.  It seemed like you were recommending acme.sh + nsupdate for
 https://chilli.nosignal.org/


-Jim P.

N.B. please don't CC me, I'm subscribed to the list.



Re: [mailop] Expires SSL cert for mailop

2018-10-29 Thread Bill Cole

On 29 Oct 2018, at 10:40, Jim Popovitch via mailop wrote:


You allow nsupdate from your cgi/php/java enabled webserver(s)?


My **what?*** Are you high? Do you mean to be insulting???

But no, I don't run anything on my webserver that modifies its own DNS. 
Although I would be vulnerable in theory to something on that machine 
doing a specific update via the right RFC1918 interface using the right 
hmac-sha512 key after installing nsupdate, guessing or stealing the key 
from a substantially more hardened machine, and figuring out which 
RFC1918 interface on which nameserver allows updates. At which point all 
the attacker could do would be to add or remove a TXT record for a label 
that is only used for ACME validation.


So no, I do not use the sort of simplistic security that causes BIND to 
whine every time it loads its config and despite my longtime nickname, I 
am not a total clown.


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole



Re: [mailop] Expires SSL cert for mailop

2018-10-29 Thread Dave Brockman
On 10/29/2018 11:48 AM, Jim Popovitch via mailop wrote:
> On Mon, 2018-10-29 at 11:31 -0400, Dave Brockman wrote:
>> On 10/29/2018 10:40 AM, Jim Popovitch via mailop wrote:
>>> You allow nsupdate from your cgi/php/java enabled webserver(s)?  
>>>
>>> -Jim P.
>>
>> No, the whole point of using acme.sh and the nsupdate module is to
>> avoid running a web server.  You can also run LE with a webserver that
>> doesn't support cgi, php, or java, it only has to serve up a static
>> directory.
> 
> Obviously.  My point being that it's saner to run a tightened webserver
> on a host using certbot than it is to run acme.sh and nsupdate on a full
> feature webserver.

I personally find nothing sane about certbot.  There are easier, more
lightweight, and auditable solutions available.

Personal preferences aside, is there any assistance I can offer to get a
valid certificate installed at chilli.nosignal.org?

Cheers,

--dtb






Re: [mailop] Expires SSL cert for mailop

2018-10-29 Thread Jim Popovitch via mailop
On Mon, 2018-10-29 at 11:31 -0400, Dave Brockman wrote:
> On 10/29/2018 10:40 AM, Jim Popovitch via mailop wrote:
> > You allow nsupdate from your cgi/php/java enabled webserver(s)?  
> > 
> > -Jim P.
> 
> No, the whole point of using acme.sh and the nsupdate module is to
> avoid running a web server.  You can also run LE with a webserver that
> doesn't support cgi, php, or java, it only has to serve up a static
> directory.

Obviously.  My point being that it's saner to run a tightened webserver
on a host using certbot than it is to run acme.sh and nsupdate on a full
feature webserver.

-Jim P.



Re: [mailop] Expires SSL cert for mailop

2018-10-29 Thread Dave Brockman
On 10/29/2018 10:40 AM, Jim Popovitch via mailop wrote:
> You allow nsupdate from your cgi/php/java enabled webserver(s)?  
> 
> -Jim P.

No, the whole point of using acme.sh and the nsupdate module is to avoid
running a web server.  You can also run LE with a webserver that doesn't
support cgi, php, or java, it only has to serve up a static directory.

Cheers,

--dtb





Re: [mailop] Expires SSL cert for mailop

2018-10-29 Thread Jim Popovitch via mailop
On Mon, 2018-10-29 at 09:52 -0400, Bill Cole wrote:
> On 29 Oct 2018, at 5:44, Frands Bjerring Hansen wrote:
> 
> > Noel, 
> > 
> > LE does not insist on certbot. They recommend it, and why wouldn't 
> > they? :) 
> > 
> > Use acme.sh instead if you are not able to adhere to the requirements
> > of Certbot. Acme.sh requires nothing but sh.
> > 
> > Also, it seems like you did not properly read about ways to address 
> > the problems you mention. Instead of having a webserver you could
> > do DNS validation. Acme.sh already supports a ton of DNS 
> > implementations: https://github.com/Neilpang/acme.sh/tree/master/dnsapi
> > - and if yours is not there, it's easy to write an
> > implementation.
> 
> +1 for acme.sh.
> 
> I use acme.sh (with the nsupdate module for validation) and it has
> been flawless and simple to set up and use. Having been specifically
> tasked with setting up Certbot for others, I cannot understand why
> anyone would  choose Certbot over acme.sh.
> 

You allow nsupdate from your cgi/php/java enabled webserver(s)?  

-Jim P.





Re: [mailop] Expires SSL cert for mailop

2018-10-29 Thread Bill Cole

On 29 Oct 2018, at 5:44, Frands Bjerring Hansen wrote:


Noel, 

LE does not insist on certbot. They recommend it, and why wouldn't 
they? :) 


Use acme.sh instead if you are not able to adhere to the requirements of 
Certbot. Acme.sh requires nothing but sh.


Also, it seems like you did not properly read about ways to address 
the problems you mention. Instead of having a webserver you could do 
DNS validation. Acme.sh already supports a ton of DNS 
implementations: https://github.com/Neilpang/acme.sh/tree/master/dnsapi 
   - and if yours is not there, it's easy to write an implementation.


+1 for acme.sh.

I use acme.sh (with the nsupdate module for validation) and it has been 
flawless and simple to set up and use. Having been specifically tasked 
with setting up Certbot for others, I cannot understand why anyone would 
choose Certbot over acme.sh.




Re: [mailop] Amazon AWS as 'spam sending farm' via phished account?

2018-10-29 Thread Olaf Petry - Hornetsecurity
Hi Benoît,

>> How about blocking the Amazon AWS IP ranges? Are there any legitimate
>> emails being sent by them?
We see less than 1 clean between 1 million (or 1 billion?) emails from there, 
so guess what :-)
Our fast reacting abuse desk whitelists single IPs on demand from those ranges. 

Olaf Petry
Hornetsecurity GmbH

-Original Message-
From: mailop  On Behalf Of Benoit Panizzon
Sent: Monday, October 29, 2018 12:02 PM
To: mailop@mailop.org
Subject: [mailop] Amazon AWS as 'spam sending farm' via phished account?

Hi List

We increasingly notice, that when an account got phished, it is being
abused to send spam from usually one or two Amazon AWS US IP Addresses
simultaneously, staying below our account auto-block threshold.

Quite some time in the past, when I first observed this, contacted the
Amazon Abuse Desk, including the infos they provide in their WHOIS
entry in the past, but never ever got any kind of reaction.

Now I am curious, do others also make this observation?

How about blocking the Amazon AWS IP ranges? Are there any legitimate
emails being sent by them?

Well I could try to block them only for Authenticated SMTP submission,
not for MX operation.

Mit freundlichen Grüssen

-Benoît Panizzon-
-- 
I m p r o W a r e   A G-Leiter Commerce Kunden
__

Zurlindenstrasse 29 Tel  +41 61 826 93 00
CH-4133 PrattelnFax  +41 61 826 93 01
Schweiz Web  http://www.imp.ch
__



[mailop] Amazon AWS as 'spam sending farm' via phished account?

2018-10-29 Thread Benoit Panizzon
Hi List

We increasingly notice, that when an account got phished, it is being
abused to send spam from usually one or two Amazon AWS US IP Addresses
simultaneously, staying below our account auto-block threshold.

Quite some time in the past, when I first observed this, contacted the
Amazon Abuse Desk, including the infos they provide in their WHOIS
entry in the past, but never ever got any kind of reaction.

Now I am curious, do others also make this observation?

How about blocking the Amazon AWS IP ranges? Are there any legitimate
emails being sent by them?

Well I could try to block them only for Authenticated SMTP submission,
not for MX operation.

Mit freundlichen Grüssen

-Benoît Panizzon-
-- 
I m p r o W a r e   A G-Leiter Commerce Kunden
__

Zurlindenstrasse 29 Tel  +41 61 826 93 00
CH-4133 PrattelnFax  +41 61 826 93 01
Schweiz Web  http://www.imp.ch
__



Re: [mailop] Expires SSL cert for mailop

2018-10-29 Thread Frands Bjerring Hansen
Noel, 

LE does not insist on certbot. They recommend it, and why wouldn't they? :) 

Use acme.sh instead if you are not able to adhere to the requirements of Certbot. 
Acme.sh requires nothing but sh.

Also, it seems like you did not properly read about ways to address the 
problems you mention. Instead of having a webserver you could do DNS 
validation. Acme.sh already supports a ton of DNS implementations: 
https://github.com/Neilpang/acme.sh/tree/master/dnsapi    - and if yours is not 
there, it's easy to write an implementation.

--
Frands Bjerring Hansen
Zitcom A/S - zitcom.dk





From: mailop  on behalf of Noel Butler 

Sent: Saturday, October 27, 2018 4:29 AM
To: mailop@mailop.org
Subject: Re: [mailop] Expires SSL cert for mailop
  
On 27/10/2018 04:40, Thomas Walter wrote:
 
Hey Mark,

On 26.10.18 17:34, Mark Milhollan wrote:
> Let's Encrypt changes little, processes can break whether they are 
> yearly, bi-yearly or monthly.  Granted you'd think there would be 
> monitoring and then reasonably quick restoration.

Let's Encrypt automates the whole process and in case that doesn't work
for whatever reason it sends you reminders by mail way before the
certificate finally expires.

If the main process and the backup reminder both fail, you are doing
something wrong ;).

Regards,
Thomas Walter

 
 
Problem with letsencrypt is their preferred and insisted " certbot "  - does 
not run (easily at least) on all flavours..
I gave up with it on slackware which is what my servers run, tried using 
Crypt::LE and voila instant success, it was painless to use even for (tested at 
least) renews, although it requires a working webserver so come time to replace 
my comodo's on my MX's,  will give me another challenge :)
 
 
 
 
-- 
Kind Regards,
Noel Butler