RE: Webmail / IMAPS software for end-user clients in 2016
Zimbra

Jason Bertoch

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Eric Kuhnke
Sent: Wednesday, June 8, 2016 9:06 PM
To: nanog@nanog.org
Subject: Webmail / IMAPS software for end-user clients in 2016

If you had to put up a public facing webmail interface for people to use, and maintain it for the foreseeable future (5-6 years), what would you use?

Roundcube? https://roundcube.net/
Rainloop? http://www.rainloop.net/
Something else?

Requirements:
Needs to be open source and GPL, BSD or Apache licensed
Email storage will be accessed via IMAP/TLS1.2
Runs on a Debian based platform with apache2 or nginx
Desktop browser CSS and mobile device CSS/HTML functionality on 4" to 7" size screens with Chrome and Safari

RE: Heads-Up: GoDaddy Broke the Interwebs...
Now it's CNN

/Jason

-Original Message-
From: Kyle Creyts [mailto:kyle.cre...@gmail.com]
Sent: Tuesday, September 11, 2012 1:55 PM
To: Operations Dallas
Cc: nanog@nanog.org
Subject: Re: Heads-Up: GoDaddy Broke the Interwebs...

No DDoS or Anonymous attack appears to have been involved.

On Tue, Sep 11, 2012 at 10:54 AM, Kyle Creyts wrote:
> http://www.godaddy.com/newscenter/release-view.aspx?news_item_id=410
>
> On Mon, Sep 10, 2012 at 1:27 PM, Operations Dallas wrote:
>> I thought I saw an article on routergod.com from Dance Patrick regarding anycast DNS..
>> ~oliver
>>
>> Sent via DynaTAC. Please forgive spelling and grammar.
>>
>> -Original Message-
>> From: bill.ing...@t-systems.com
>> Date: Mon, 10 Sep 2012 19:13:27
>> To: ;
>> Subject: RE: Heads-Up: GoDaddy Broke the Interwebs...
>>
>> Looks like this may be a DDoS attack from Anonymous:
>>
>> http://techcrunch.com/2012/09/10/godaddy-outage-takes-down-millions-of-sites/
>>
>> -Original Message-
>> From: Aaron C. de Bruyn [mailto:aa...@heyaaron.com]
>> Sent: Monday, September 10, 2012 1:07 PM
>> To: NANOG mailing list
>> Subject: Heads-Up: GoDaddy Broke the Interwebs...
>>
>> For the last ~15 minutes I've been receiving complaints about DNS issues. GoDaddy DNS is apparently b0rked. I'm also seeing a lot of tweets about their hosting and VPS being down. I'm unable to access the control panel for one of my customer accounts.
>>
>> -A
>
> --
> Kyle Creyts
>
> Information Assurance Professional
> BSidesDetroit Organizer

--
Kyle Creyts

Information Assurance Professional
BSidesDetroit Organizer

Re: uunet ends newsfeed/newsreader in US
On 3/30/2012 5:55 PM, John Levine wrote:
>> I thought it should have died when pr0n and w4rez took it over (in the late 90's)..
>
> Many of the tech groups remain quite healthy. I still moderate comp.compilers which gets about 100 posts/month.
>
> Actually, it's fine with us that the ignorant masses think that usenet is dead, since it tends to keep out the riffraff.
>
> R's,
> John

+1

Re: Programmers with network engineering skills
On 2/27/2012 7:53 PM, William Herrin wrote:
>> I think you're more likely to find a network engineer with (possibly limited) programming skills.
>
> I wish. For the past three months I've been trying to find a network engineer with a deep TCP/IP protocol understanding, network security expertise, some Linux experience, minor programming skill with sockets and a TS/SCI clearance.

Is clearance the problem, or the ability to obtain clearance due to something in their background? If your work requires it, you should have some recourse for applicants to obtain the required clearance, no?

/Jason

Re: The stupidity of trying to "fix" DHCPv6
On 6/10/2011 10:53 AM, Owen DeLong wrote:
> I would like to see both protocols made optionally complete, so, in addition to fixing DHCPv6 by adding routing information options, I'd also like to see something done where it would be possible to add at least DNS servers to RA.

+1.

/Jason

Re: aster.pl unwise abuse policy
On 5/9/2011 1:54 PM, goe...@anime.net wrote:
> Reports sent via E-Mail will not be processed.

Those are considered authorization to block by CIDR, as needed, here. No need to advise the already-unwilling recipient.

/Jason

Re: Why does abuse handling take so long ?
On 3/14/2011 2:13 PM, valdis.kletni...@vt.edu wrote:
> On Mon, 14 Mar 2011 12:35:27 EDT, David Miller said:
>> Define "contacts don't work properly".
>> - Email / phone number does not exist?
>> - Email / phone was answered by unhelpful person?
>
> Somewhere between these two should be "email/phone number exists, but is completely unable to serve the function" (auto-responders that tell you they can't act on your report without the information that was already in the note they are auto-responding to, in the format they requested, Level 1 desk unable to escalate to a Level 2, etc etc).

My favorite is:

-Original Message-
After investigation, we have determined that this email message did not originate from the Yahoo! Mail system. It appears that the sender of this message forged the header information to give the impression that it came from the Yahoo! Mail system.

Original Message Follows:
-
Received: from nm20.bullet.mail.ac4.yahoo.com (nm20.bullet.mail.ac4.yahoo.com [98.139.52.217])

--
/Jason

Re: need help about switch montior
On 2011/03/12 8:51 AM, Deric Kwok wrote:
> Hi
>
> Is there any program/way to monitor the switch port/switch status when it reaches to certain bandwidth?

Cacti with Threshold plugin

--
/Jason

Re: ipv6 question
On 2011/03/11 3:51 PM, ann kok wrote:
> ping6 -I eth0 fe80::20c:29ff:fe3c:92a1
> connect: Cannot assign requested address

Maybe duplicate address detection? Are you statically assigning this address? Have you checked your kernel log?

--
/Jason

Re: ipv6 question
On 2011/03/11 3:36 PM, ann kok wrote:
> What is this meaning?
>
> ping6 -l eth0 fe80::20c:29ff:fe3c:92a1
> ping: bad preload value, should be 1..65536

That was a capital "i" not a lower case "L".

man ping6

--
/Jason

Re: ipv6 question
On 2011/03/11 3:19 PM, ann kok wrote:
> Thank you. I try your way. the ipv6 address is on eth0 interface.
>
> I try to run ping6 the fe80::20c:29ff:fe3c:92a1%eth0
>
> It is same problem!

Try ping6 -I eth0 fe80::20c:29ff:fe3c:92a1

--
/Jason

Re: IPv6? Why, you are the first one to ask for it!
- Original Message -
> From: "George Bonser"
>
> I could buy that if it weren't for the fact that it took two days to come back with that answer. An off the cuff "wow, nobody has ever asked me that before, I need to check on it" would have been understandable for a new rep. Two days later coming back with "gee, we really haven't had anyone ask about that before" is bogus.
>
> I am not trying to beat anyone up here, the point is a general one for the providers out there. If you can't offer v6, say so, don't try to dance around it and pretend that customer is the only one on the planet with a migration plan because we know better.

At this point, I'd even settle for a lie from one of my upstreams. I've asked the local tech folks a couple of times over the last year or so, on top of a request to our sales rep, without even a single response to the question of "do you support v6 yet and, if not, what's your timeline?".

--
/Jason

Re: Looking for an IPv6 naysayer...
On 2011/02/09 2:44 PM, Jens Link wrote:
>> IPv6 for some ISPs will be extraordinarily painful because of legacy layer 2 gear
>
> I don't feel sorry for them. We know that IPv6 is coming for how long? 15 years? 10 years? 5 years? Well if you only read the mainstream media you should have read something about this new Internet thing about two years ago. And still many people fear IPv6 or think they can still wait for another couple of years.

I'm not sure about your part of the world, but the economy has been terrible in mine. Even in a good economy, DSL margins don't afford the ability to replace your network every two years. In fact, spending on new gear all but halted for us over the last 6 years.

While everyone is still figuring out best practices for IPv6 rollout today, how difficult would it have been to plan and purchase the exact equipment that long ago? Was the right equipment even available for a production environment? Not only that, but cheap CPE equipment that supports IPv6 still hardly exists today, and all of that will need replacing. In addition, what about IP phones and the customer that just replaced their entire phone system? Are they going to want to do that all over again by the end of the year?

No, IPv6 rollout is going to be extremely expensive and will likely put a number of smaller operations out of business.

--
/Jason

Re: Abuse@ contacts
On 2010/12/07 11:39 AM, Gavin Pearce wrote:
> How many of you (honestly) actively manage and respond to abuse@ contact details listed in WHOIS? Or have had any luck with abuse@ contacts in the past? Who's good and who isn't?

I answer our abuse@ address and file reports daily. I get automated responses from the free providers, but have little faith they care enough to fix the problem. RIPE regions seem to process reports with an attitude that they care, while LACNIC, AFRINIC, and Asian providers seem to ignore all reports if you can even find a working abuse@ contact. Smaller providers in the ARIN region also seem to do a good job.

--
/Jason

Re: Low end, cool CPE.
On 11/11/2010 8:41 PM, Leo Bicknell wrote:
> I've run into a number of low end CPE situations lately where I haven't found anything that does what I want, but I have to believe it is out there. I'm hoping NANOG can help.
>
> Basically think about a sophisticated home user, or a 1-5 person small office. Think DSL, Cable Modem, maybe Cell Card or ISDN as backups. Looking for an "appliance", very much fire and forget.
>
> I probably won't get all the features that I want, but in no particular order:
>
> - Able to load balance over 2 links (probably via NAT).
> - IPv6 support, native or tunnel to tunnelbroker.net type thing.
> - Able to deal with "backup" connectivity, eg. Cell Cards which you only want to use if the primary is down.
> - User friendly features, e.g. UPNP, NAT-PMP, etc.
> - Good manageability. ssh to a cli would be a huge bonus, at least the ability to backup a config.
> - Able to handle decent throughput, probably 20Mbps/sec min, 50 would be nice.
> - Nice firewall features.
> - IDS features are cool.
>
> WiFi is not strictly required, but would be cool. Things like "guest" WiFi would be an added bonus.
>
> Something a NANOGer might want at home would be a good baseline. I realize the exact product may differ depending on DSL/Cable/Cell/ISDN, that's ok, let's get some various good solutions going here.
>
> What is the state of the art, and who has it?

DD-WRT supported hardware may be a start...

--
/Jason

Re: AS6517 - Reliance Globalcom -- routing three more hijacked blocks
On 2010/10/06 11:36 PM, Ronald F. Guilmette wrote:
> Well, anyway, here's three more hijacked blocks that they (AS6517) are routing. This is in addition to the 75 such blocks I've already reported. (I guess that makes 78 hijacked blocks for them, in total.)

Out of curiosity, are you also reporting these blocks to Spamhaus? I expect their DROP list maintainers would be interested.

--
/Jason

Re: Spamhaus...
On 2/17/2010 5:32 PM, Laczo, Louis wrote:
> Folks,
>
> I'm looking for comments / suggestions / opinions from any providers that have been contacted by spamhaus about excessive queries originating from their DNS resolvers, typically, as a proxy for customers. I know that certain large DNS providers (i.e. google and level3) have either been banned or have voluntarily blocked spamhaus queries by their resolvers. We're currently in discussion with spamhaus and I wanted to see how others may have handled this.

Assuming you're already running a local caching server for your mail system...

Based on the spamhaus fee structure (# of e-mail accounts), our policy is to allow spamhaus to block queries from our public resolvers if they choose. The spamhaus folks certainly deserve compensation for their efforts, so customers that need such volume should do so from their own IP and pay a fee.

While I believe it might be mutually beneficial for spamhaus to offer some sort of a recursive DNS provider/ISP fee structure, I can see where enforcement would be a problem. The resolution of that particular problem belongs to spamhaus and their individual users/customers.

/Jason

Re: Are the Servers of Spamhaus.rg and blackholes.us down?
Xaver Aerni wrote:
> Dec 31 10:12:37 linux-1ij2 named[14306]: too many timeouts resolving 'XXX.YYY.ZZZ/A' (in 'YYY.ZZZ'?): disabling EDNS

Do you have a firewall in front of this server that limits DNS packets to 512 bytes?

Re: Consumer-grade dual-homed connectivity options?
Paul Bennett wrote:
> At home, I currently run two DSL lines. Right now, we just have two separate LANs, one connected to each line, with my wife's devices attached to one, and my devices attached to the other. For a while now, I've been thinking about setting up a load-balancing routing solution to give both of us access to both lines.

Have you looked at a simple dual-WAN router?

Re: sink.arpa question
Ted Hardie wrote:
> But I think the key question is actually different. Look at this text in RFC 2821:
>
>    If one or more MX RRs are found for a given name, SMTP systems MUST NOT utilize any A RRs associated with that name unless they are located using the MX RRs; the "implicit MX" rule above applies only if there are no MX records present. If MX records are present, but none of them are usable, this situation MUST be reported as an error.
>
> If I put in an MX record pointing to a guaranteed non-present FQDN, someone complying with that text will throw an error rather than keep seeking for an A/. Is *that* useful? If so, then sink.arpa/1.0.0.257.in-addr.arpa as an MX record entry may be.

Yes, I understand the RFC. That section is what allows this topic to be discussed in the first place. sink.arpa may very well be the interim solution, too. It definitely looks better than "0 .". It just seems like an ugly, smelly hack when the fundamental problem lies with allowing the implicit MX. It implies that I should, for the benefit of everyone, create a sink.arpa MX for every A record, where the effort could be better spent dropping the implicit MX rule and requiring an MX record for hosts that really do accept mail.

/Jason

Re: sink.arpa question
Tony Finch wrote:
> On Fri, 18 Dec 2009, Jason Bertoch wrote:
>> Isn't the fundamental problem that SMTP can fall back to an implicit MX? None of these solutions will stop spammers from skipping MX records and using direct-to-host connections.
>
> This has nothing to do with spam.

For the OP in the original thread, it dealt with spam. I would also argue that spammers abusing the implicit MX, most often through forgeries, provides the biggest motivation to find a fix.

>> Shouldn't we just consider dropping the implicit MX back door as opposed to getting creative with MX records that spammers will surely note and avoid anyway?
>
> It's impossible to make that kind of incompatible change with an installed base of billions of users.

I wouldn't call it impossible...difficult, maybe. Do metrics exist on how many current installs still rely on the implicit MX? Is the abuse of the implicit MX causing more harm than the effort it would take legacy DNS admins to specify an MX?

Re: sink.arpa question
Ted Hardie wrote:
> Silly question: how well would using 1.0.0.257.in-addr.arpa match the need identified in draft-jabley-sink-arpa ? It seems like it would be equally well guaranteed to be non-existent (short of change in the def of IPv4 and in-addr.arpa). Like sink.arpa, it would get you a valid SOA and nothing else.
>
> Am I missing something, or is this operationally equivalent?
>
> regards,
> Ted

Isn't the fundamental problem that SMTP can fall back to an implicit MX? None of these solutions will stop spammers from skipping MX records and using direct-to-host connections.

Shouldn't we just consider dropping the implicit MX back door as opposed to getting creative with MX records that spammers will surely note and avoid anyway?

Re: ESPN360 Access
Chris Gotstein wrote:
> We've been getting more and more requests for ESPN360 from our customers. From what I understand, ESPN requires that the ISP "subscribe" to their content and pay a fee to do so. I have been unable to find much information on what it takes to subscribe and what the fees are to do so. Does anyone have more info on ESPN360? Thanks.

+1

I attempted contact and was treated like an end user even though I clearly specified I was an ISP seeking connection info.

Re: dealing with bogon spam ?
Justin Shore wrote:
> Michiel Klaver wrote:
>> I would suggest to report that netblock to SpamHaus to have it included at their DROP list, and also use that DROP list as extra filter in addition to your bogon filter setup at your border routers. The SpamHaus DROP (Don't Route Or Peer) list was specially designed for this kind of abuse of stolen 'hijacked' netblocks and netblocks controlled entirely by professional spammers.
>
> As a brief off-shoot of the original topic, has anyone scripted the use of Spamhaus's DROP list in a RTBH, ACLs, null-routes, etc? I'm not asking if people think it's safe; that's up to the network wanting to deploy it. I'm wondering if anyone has any scripts for pulling down the DROP list, parsing it into whatever you need (static routes on a RTBH trigger router or ACLs on a border router) and then deploying the config change(s). I don't want to reinvent the wheel if someone else has already done this.

Downloading and parsing is easy. I used to drop it into the config for a small dns server, rbldnsd I believe, that understands CIDR and used it as a local blacklist. It did very little to stop spam and I was never brave enough to script an automatic update to BGP.

Re:
Michael Ruiz wrote:
> Group,
>
> I am stuck like chuck. We are unable to activate a VPN in one of the virtual firewall contexts. Under the crypto commands, none of the IP-sec are available. Any help on this would be appreciated. Version we are running is 8.0(4)

Isn't VPN only available in single-context mode?

Verizon Southeast Network Map
We're considering adding a Verizon connection to our network in Florida, so I've been looking unsuccessfully for a map of Verizon's fiber network in the southeast to verify that I'll have diverse paths with my other providers. Does anyone know if such a map exists in a public location?
Re: IPSEC-VRF MIB
Bailey Stephen wrote:
> I am looking to monitor the number of active IPSEC tunnels terminating in a given VRF via SNMP
>
> Vpn#show crypto mib ipsec flowmib global vrf test-vrf
> vrf test-vrf
> Active Tunnels: 2
> ...
>
> Is there any way I can get this ActiveTunnels value via SNMP and MIBs?

Have you asked around on the Cacti forums?

Re: Repeated Blacklisting / IP reputation
Suresh Ramasubramanian wrote:
> That said most of the larger players already attend MAAWG - that leaves rural ISPs, small universities, corporate mailservers etc etc that don't have full time postmasters, and where you're more likely to run into this issue.

I've found the opposite to hold true more often. Smaller organizations can use public blacklists for free, due to their low volume, and so have little incentive to run their own local blacklist. I've typically seen the larger organizations run their own blacklists and are much more difficult to contact for removal.

RE: ISP best practices
> -Original Message-
> From: Adam Kennedy [mailto:akenn...@cyberlinktech.com]
> Sent: Thursday, May 21, 2009 4:41 PM
> To: NANOG
> Subject: Re: ISP best practices
>
> ...When combined with Webmin (www.webmin.com),

Jason A. Bertoch
Network Administrator
ja...@electronet.net
Electronet Broadband Communications
3411 Capital Medical Blvd.
Tallahassee, FL 32308
(V) 850.222.0229 (F) 850.222.8771

RE: Level3 funkiness
> -Original Message-
> From: J. Oquendo [mailto:s...@infiltrated.net]
> Sent: Wednesday, April 15, 2009 3:36 PM
> To: nanog@nanog.org
> Subject: Level3 funkiness
>
> Anyone else experience sporadic funkiness via Level3? I can't even reach the main website from who knows how many networks I've tried. Also friends and former colleagues have tried to reach the site to no avail.

My Level3 connection is working normally, I can reach their site, and I'm peered in Atlanta.

Jason A. Bertoch
Network Administrator
ja...@electronet.net
Electronet Broadband Communications
3411 Capital Medical Blvd.
Tallahassee, FL 32308
(V) 850.222.0229 (F) 850.222.8771