On Thu, 6 Dec 2018 12:11:04 +0100, Raphael Hertzog
wrote:
>
>On Tue, 04 Dec 2018, Marc Haber wrote:
>> >> If I could vote for which idea Debian mail admin time is dedicated
>> >> (which I cannot since Debian admins are volunteers and can choose what
>> >> to work on), I'd vote for better spam filt
Hi,
On Tue, 04 Dec 2018, Marc Haber wrote:
> >> If I could vote for which idea Debian mail admin time is dedicated
> >> (which I cannot since Debian admins are volunteers and can choose what
> >> to work on), I'd vote for better spam filtering on
> >> @packages.debian.org and @alioth-lists.debian.
Jeremy Stanley writes:
> On 2018-12-05 14:58:08 +0100 (+0100), Thomas Goirand wrote:
>> Absoultely not. Adding some DMARC records in our DNS doesn't break any
>> server not checking DMARC records.
> Migrating _client_ configurations/workflows to all submit via
> Debian-controlled relays on the o
On 2018-12-05 14:58:08 +0100 (+0100), Thomas Goirand wrote:
> On 11/30/18 6:57 PM, Michael Stone wrote:
> > On Fri, Nov 30, 2018 at 12:49:02PM -0500, Alexandre Viau wrote:
> >> It is true that others are vulnerable, but this is a choice that Debian
> >> makes and it can be fixed. If we wanted, we c
On 11/30/18 6:57 PM, Michael Stone wrote:
> On Fri, Nov 30, 2018 at 12:49:02PM -0500, Alexandre Viau wrote:
>> It is true that others are vulnerable, but this is a choice that Debian
>> makes and it can be fixed. If we wanted, we could largely limit this
>> with more restrictive debian.org DNS reco
On Mon, 3 Dec 2018 16:00:36 +0100, Bernhard Schmidt
wrote:
>Am 30.11.18 um 20:05 schrieb Marc Haber:
>> If I could vote for which idea Debian mail admin time is dedicated
>> (which I cannot since Debian admins are volunteers and can choose what
>> to work on), I'd vote for better spam filtering on
Am 30.11.18 um 20:05 schrieb Marc Haber:
Hi Marc,
> If I could vote for which idea Debian mail admin time is dedicated
> (which I cannot since Debian admins are volunteers and can choose what
> to work on), I'd vote for better spam filtering on
> @packages.debian.org and @alioth-lists.debian.net,
On Sat, Dec 1, 2018 at 2:10 PM Anthony DeRobertis wrote:
> That honestly sounds like building a parallel system with at least as
> much complexity as gpg,
Such a system already exists, so it would presumably not have to be
built from scratch.
https://freerelay.err.no/
Systems that only allow ma
On 2018-12-01 3:43 a.m., Marc Haber wrote:
> On Fri, 30 Nov 2018 17:32:23 -0500, Alexandre Viau
> wrote:
>> I shouldn't have said that, I just didn't want to overstate the security
>> of a setup like this as I am not an email expert :)
>
> The people running the Debian mail system _are_ mail expe
]] Alexandre Viau
> It is true that others are vulnerable, but this is a choice that Debian
> makes and it can be fixed. If we wanted, we could largely limit this
> with more restrictive debian.org DNS records.
I would say «changed» rather than fixed, since I don't think the current
setup is wro
On Sat, 1 Dec 2018 01:10:22 -0500, Anthony DeRobertis
wrote:
>That honestly sounds like building a parallel system with at least as
>much complexity as gpg, just to prevent a largely non-existent problem
>(forged emails — the whole thread has been about its possible, but no
>reports of it happe
On Fri, 30 Nov 2018 17:32:23 -0500, Alexandre Viau
wrote:
>I shouldn't have said that, I just didn't want to overstate the security
>of a setup like this as I am not an email expert :)
The people running the Debian mail system _are_ mail experts. You
should trust them do to a good job instead of
On 11/30/18 6:18 PM, Paul Wise wrote:
I've experienced spammers brute-forcing SMTP submission credentials
and using that to send spam before, so I think that mitigating that
using client-side TLS certs should be required, just as we do for SSH
access to Debian machines. I'm not sure how many MUAs
On Sat, Dec 1, 2018 at 7:01 AM Jeremy Stanley wrote:
> Compromise of the cryptographic keys or primitives in use,
> compromise of the authorized MTAs, compromise of the sender's
> SMTP submission account, compromise of the sender's MUA/system, and
> biggest of all of course is recipients who don't
On 2018-12-01 06:29:44 +0800 (+0800), Paul Wise wrote:
> On Fri, 2018-11-30 at 17:17 -0500, Alexandre Viau wrote:
>
> > DMARC, SPF and DKIM can be used together prevent almost all
> > scenarios of debian.org email spoofing.
>
> Which spoofing scenarios are not covered by this combination?
Compro
On 2018-11-30 5:29 p.m., Paul Wise wrote:
> On Fri, 2018-11-30 at 17:17 -0500, Alexandre Viau wrote:
>
>> DMARC, SPF and DKIM can be used together prevent almost all scenarios
>> of debian.org email spoofing.
>
> Which spoofing scenarios are not covered by this combination?
Ah, none that I know
On Fri, 2018-11-30 at 17:17 -0500, Alexandre Viau wrote:
> DMARC, SPF and DKIM can be used together prevent almost all scenarios
> of debian.org email spoofing.
Which spoofing scenarios are not covered by this combination?
--
bye,
pabs
https://wiki.debian.org/PaulWise
signature.asc
Descript
On 2018-11-30 4:58 p.m., Paul Wise wrote:
> On Sat, Dec 1, 2018 at 1:49 AM Alexandre Viau wrote:
>
>> Debian can specify which servers it sends emails from and ask mail
>> servers around the world to only accept emails from these servers and
>> discard the others.
>
> Does this break the bounce/r
On Sat, Dec 1, 2018 at 1:49 AM Alexandre Viau wrote:
> Debian can specify which servers it sends emails from and ask mail
> servers around the world to only accept emails from these servers and
> discard the others.
Does this break the bounce/resend/redirect feature of various MUAs?
i.e., arbitra
On Fri, 30 Nov 2018 13:17:51 -0500, Alexandre Viau
wrote:
>Debian could provide MTAs and force DDs to use them if they want to send
>from a @debian email. I would consider this reasonable.
>
>The "flexibility" of sending mails from any MTA isn't really relevant if
>you ask me. I could configure gm
On Nov 30, Alexandre Viau wrote:
> - https://en.wikipedia.org/wiki/DMARC
Among other issues, the BTS is still not compatible with DMARC.
--
ciao,
Marco
signature.asc
Description: PGP signature
On 2018-11-30 12:59 p.m., Jeremy Stanley wrote:
> On 2018-11-30 12:49:02 -0500 (-0500), Alexandre Viau wrote:
> [...]
>> If we wanted, we could largely limit this with more restrictive
>> debian.org DNS records.
> [...]
>
> _And_ restrict those with @debian.org addresses to only sending them
> thr
On 2018-11-30 12:49:02 -0500 (-0500), Alexandre Viau wrote:
[...]
> If we wanted, we could largely limit this with more restrictive
> debian.org DNS records.
[...]
_And_ restrict those with @debian.org addresses to only sending them
through specific MTAs. Received headers indicate your message to
On Fri, Nov 30, 2018 at 12:49:02PM -0500, Alexandre Viau wrote:
It is true that others are vulnerable, but this is a choice that Debian
makes and it can be fixed. If we wanted, we could largely limit this
with more restrictive debian.org DNS records.
Yes and no. :) There would need to be a conc
On 2018-11-30 9:29 a.m., Roberto C. Sánchez wrote:
> That is just how email works. With the help of a cooperating mail
> server (which is trivial to setup) anybody in the world can send mail
> with any from address that they wish. This problem is not unique to
> Debian.
Yes and no.
It is true t
>
>
> > However this worries me. During the setup there is no Debian
> involvement, and that means anyone can do the same trick to pretend to own
> my Debian address.
> >
>
That's also a reason why it's better to gpg-sign important email (aside
from the fact that anybody can have a setup that send
On Fri, Nov 30, 2018 at 10:17:47PM +0800, 殷啟聰 | Kai-Chung Yan wrote:
> > There is a Gmail trick where you can add one send-as email and provide
> > smtp.gmail.com credentials.
>
> > You might have to create an app password.
>
> > I think that this guide does something similar to what I did:
>
>
On Fri, Nov 30, 2018 at 9:18 AM 殷啟聰 | Kai-Chung Yan wrote:
> However this worries me. During the setup there is no Debian involvement, and
> that means anyone can do the same trick to pretend to own my Debian address.
There is a confirmation email so a Bad Guy would have to be able to
read your
> There is a Gmail trick where you can add one send-as email and provide
> smtp.gmail.com credentials.
> You might have to create an app password.
> I think that this guide does something similar to what I did:
> https://blog.alexlenail.me/i-want-to-send-emails-from-my-google-domains-email-thro
Hi Simon,
On Wed, Oct 3, 2018 at 7:07 PM Simon Quigley wrote:
> Ubuntu has some very detailed Gmail-specific documentation, I would
> recommend that you grab relevant information from that as well:
> https://wiki.ubuntu.com/UbuntuEmail
Thanks for the link pretty well explained. I added a note ab
Hello,
On 10/02/2018 09:00 PM, Joseph Herlant wrote:
>> I'll add that to the wiki page in case somebody else gets the issue.
>
> FYI: updated https://wiki.debian.org/MigrateToDDAccount with the details.
> Not sure if that would be an issue to mention gmail specifically there
> as it's vendor-spec
> I'll add that to the wiki page in case somebody else gets the issue.
FYI: updated https://wiki.debian.org/MigrateToDDAccount with the details.
Not sure if that would be an issue to mention gmail specifically there
as it's vendor-specific. Feel free to remove it if it's a problem.
Joseph
Hi! :)
On Tue, Oct 2, 2018 at 6:04 PM Alexandre Viau wrote:
> It looks like you are trying to use Debian smtp servers. I just use
> smtp.gmail.com.
>
> There is a Gmail trick where you can add one send-as email and provide
> smtp.gmail.com credentials.
>
> You might have to create an app password
On 2018-10-02 8:52 p.m., Joseph Herlant wrote:
> Hi guys,
>
> Wondering if anybody here succeeded to configure your debian email in
> the "Send mail as" configuration in gmail (for the gmail users). If so
> do you have tips on how you didi it?
I did.
> My main problem seems to be that gmail forc
Hi guys,
Wondering if anybody here succeeded to configure your debian email in
the "Send mail as" configuration in gmail (for the gmail users). If so
do you have tips on how you didi it?
My main problem seems to be that gmail forces the authentication and
master.debian.org doesn't allow it. It re
35 matches
Mail list logo