Re: [mailop] BIMI pilot @ Google

2020-07-27 Thread Roger Marquis via mailop

John Levine wrote:

In article <20200725194707.ga19...@rafa.eu.org> you write:

My bank - as I have already mentioned in this thread - S/MIME signs the
contents of their messages. ...


Where do you live?  I've never heard of a bank here in North America doing that.
Here they barely understand SPF.


It was not that long ago that we had to set up a TLS-only Postfix instance to
force two of California's largest financial institutions to stop sending
financial data in cleartext.  To the credit of one of them, the problem was
fixed within a few days after one long phone call.  The other, one of
the US' largest brokerages, refused to use SMTPS or STARTTLS for several
subsequent years.  We still have a stack of paper statements 3+ inches
(80mm) high as a result.

It may seem odd that such large organizations with technically capable
staff wouldn't use all available encryption.  Odd perhaps, until you
consider similarities with CALEA and how certain three letter government
agencies acquire political influence at the expense of business and
consumers.  The slow adoption of S/MIME is likely also fallout from
these same special interests.

Roger Marquis

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


Re: [mailop] Microsoft Block list (S3150)

2020-06-27 Thread Roger Marquis via mailop

Michael Orlitzky wrote:

 * Why won't Exchange follow the SMTP standards?
 * Why can't Outlook implement STARTTLS correctly?
 * Can Outlook finally support CalDAV and CardDAV?
 * How come all my mail comes through as winmail.dat?


Don't forget message body modifications that break DKIM and cause MS to silently
discard incoming messages.  Laura wrote about this almost 4 years ago:

yet we're still seeing it, as recently as last month.

There's also the fetching and embedding of URLs referenced (not included) in the
message body so MS can serve the content from their own servers without
necessarily checking whether that content is out of date.

All of this really should be a FAQ somewhere, so when your customer complains
that mail wasn't delivered (to MS/Outlook/Hotmail/...) you can point them to the
many potential reasons why.

Roger Marquis



Re: [mailop] Opinions? Email Abuse over TOR Network?

2020-02-23 Thread Roger Marquis via mailop

Alessandro Vesely wrote:

Even without 2FA, a password different from "12345" is probably desperately
hard to guess.  An activity suited for bots running at someone else's
expense.


Enabling Dovecot auth_verbose and mail_debug will show credential failures
and in most cases you're right, they are nothing to worry about, especially
with fail2ban monitoring repeat offenders.  OTOH it also seems that few sites
do anything to test password strength once it is set.

Perhaps more interesting is the fact that the vast majority of ESPs don't
even think about obfuscating _usernames_.  Are there good reasons to use a
well-known string like the email address for half of a credential?  While not
the default, it doesn't take much additional configuration to allow users to
define their own MUA username which doesn't (and IMO shouldn't) have anything
in common with their email address/es.

Roger Marquis

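As an added example (not part of the original post, and not code from Dovecot or fail2ban), the following Python parses a few constructed Dovecot log lines of the kind `auth_verbose = yes` produces and applies a fail2ban-style sliding window to flag repeat offenders. It also counts the distinct usernames each source tries, which is the password-spraying pattern that becomes trivial when the login name is simply the email address. The exact log wording, the IP addresses, the usernames and the thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic), modelled on Dovecot's
# imap-login and auth logging with auth_verbose=yes. The exact wording varies
# between Dovecot versions, so treat the format as an assumption.
SAMPLE_LOG = """\
Feb 23 10:01:12 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice@example.com>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS, session=<abc>
Feb 23 10:01:20 mx dovecot: auth: passwd-file(alice@example.com,203.0.113.5): Password mismatch
Feb 23 10:01:44 mx dovecot: imap-login: Disconnected (auth failed, 3 attempts in 9 secs): user=<bob@example.com>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS, session=<def>
Feb 23 10:02:03 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 1 secs): user=<alice@example.com>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, TLS, session=<ghi>
Feb 23 10:02:50 mx dovecot: auth: passwd-file(carol@example.com,203.0.113.5): unknown user
Feb 23 10:03:11 mx dovecot: imap-login: Login: user=<alice@example.com>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, TLS, session=<jkl>
Feb 23 10:15:00 mx dovecot: imap-login: Disconnected (auth failed, 2 attempts in 4 secs): user=<dave@example.com>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS, session=<mno>
"""

# syslog prefix: "Mon DD HH:MM:SS host dovecot: <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ dovecot: (?P<rest>.*)$")
# imap-login summary line emitted when a client gives up after failed auths
DISC_RE = re.compile(
    r"imap-login: Disconnected \(auth failed, (?P<n>\d+) attempts in \d+ secs\): "
    r"user=<(?P<user>[^>]*)>, method=\S+, rip=(?P<ip>[0-9a-fA-F.:]+)")
# auth process line (auth_verbose=yes): "<passdb>(user,ip[,session]): reason"
AUTH_RE = re.compile(
    r"auth: [\w-]+\((?P<user>[^,]*),(?P<ip>[0-9a-fA-F.:]+)[^)]*\): "
    r"(?:Password mismatch|unknown user)")


def parse_failures(log_text):
    """Return a list of (timestamp, ip, user, attempts) for each auth failure.
    Successful logins and unrelated lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; year 1900 is fine for relative math
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        rest = m.group("rest")
        d = DISC_RE.match(rest)
        if d:
            events.append((ts, d.group("ip"), d.group("user"), int(d.group("n"))))
            continue
        a = AUTH_RE.match(rest)
        if a:
            events.append((ts, a.group("ip"), a.group("user"), 1))
    return events


def repeat_offenders(events, maxretry=5, findtime=600):
    """fail2ban-style sliding window: an IP is flagged the first time it
    accumulates >= maxretry failed attempts within findtime seconds.
    Returns {ip: {"banned_at": ts, "users": sorted usernames tried so far}}."""
    window = defaultdict(list)   # ip -> [(ts, attempts)] inside the window
    users = defaultdict(set)
    flagged = {}
    for ts, ip, user, n in sorted(events):
        users[ip].add(user)
        w = window[ip]
        w.append((ts, n))
        cutoff = ts - timedelta(seconds=findtime)
        while w and w[0][0] < cutoff:   # drop attempts older than findtime
            w.pop(0)
        if ip not in flagged and sum(a for _, a in w) >= maxretry:
            flagged[ip] = {"banned_at": ts, "users": sorted(users[ip])}
    return flagged


def spraying_sources(events, min_users=3):
    """IPs that fail against at least min_users distinct usernames: a spray
    across a predictable (email-address) username space rather than one
    user's forgotten password. Returns {ip: sorted usernames}."""
    users = defaultdict(set)
    for _, ip, user, _ in events:
        users[ip].add(user)
    return {ip: sorted(u) for ip, u in users.items() if len(u) >= min_users}


if __name__ == "__main__":
    evs = parse_failures(SAMPLE_LOG)
    print("failures parsed:", len(evs))
    for ip, info in repeat_offenders(evs).items():
        print(f"ban {ip} at {info['banned_at']:%H:%M:%S}; users tried: {info['users']}")
    for ip, names in spraying_sources(evs).items():
        print(f"spray from {ip}: {names}")
```

Here `203.0.113.5` crosses the five-failure threshold at 10:01:44 and is also the only source trying several distinct usernames, while `198.51.100.7` fails once and then logs in successfully, so it is left alone. The same per-source username count is what a login name that shares nothing with the email address is meant to frustrate: an attacker holding a list of addresses can no longer enumerate half of each credential for free.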