Re: [Mailman-Developers] Mailing lists exploited

2017-05-17 Thread Daniel Kahn Gillmor
On Wed 2017-05-17 09:20:21 +0100, Jonathan Knight wrote: > The attack we're trying to defend against is a scripted one which grabs a > list of all the mailing lists, then harvests the administrator email and > then tries to spam each list using the administrator as a sender address. > > If the

Re: [Mailman-Developers] Mailing lists exploited

2017-05-16 Thread Daniel Kahn Gillmor
On Tue 2017-05-16 13:29:21 +0100, Jonathan Knight wrote: > I think the real name if it's available and the list owner address if not. > If you use the local part (e.g. j.knight) would still make it possible to > guess the @keele.ac.uk if the mailing lists are all hosted on > maillists.keele.ac.uk.

Re: [Mailman-Developers] MIME footers

2015-02-27 Thread Daniel Kahn Gillmor
Hi Murray-- On Fri 2015-02-27 14:46:40 -0500, Murray S. Kucherawy wrote: Sorry, by sign I meant add a footer. I probably said sign because this is related to some DKIM work I've been planning, and the morning's caffeine was already wearing off. :) Thanks for that detailed answer (and Barry

Re: [Mailman-Developers] MIME footers

2015-02-27 Thread Daniel Kahn Gillmor
On Fri 2015-02-27 15:07:52 -0500, Barry Warsaw wrote: The biggest downside, and probably the main reason we append the footer text in the text/plain-compatible-charset case is because of crappy MUAs. I think we *still* get complaints about the MIME composition not being rendered very well.

Re: [Mailman-Developers] [GSoC14] Full Anonymization Project Idea

2015-02-22 Thread Daniel Kahn Gillmor
On Sat 2015-02-21 08:49:49 -0500, Stephen J. Turnbull step...@xemacs.org wrote: You can say I know that. The problem is that your users frequently will not, and may read more into *full* anonymization than can possibly be delivered. If we're going to deliver this feature as part of Mailman,

[Mailman-Developers] Mailman introducing spurious References: or In-Reply-To: headers?

2014-10-27 Thread Daniel Kahn Gillmor
hi mailman folks-- over on dns-priv...@ietf.org, one of the participants (Hosnieh Rafiee, cc'ed here) suggests that mailman appears to be introducing spurious References: and In-Reply-To: headers (see the attached message below for some of the discussion). Can you confirm whether this is a

[Mailman-Developers] OT: Re: user table in Mailman3 with PostgreSQL

2014-07-16 Thread Daniel Kahn Gillmor
On 07/16/2014 10:34 AM, ML mail wrote: Thanks for the trick with the double quotes to escape reserved keywords. It's probably worth reading the PostgreSQL documentation for this sort of thing: http://www.postgresql.org/docs/9.3/static/sql-syntax-lexical.html#SQL-SYNTAX-IDENTIFIERS Actually I

Re: [Mailman-Developers] user table in Mailman3 with PostgreSQL

2014-07-15 Thread Daniel Kahn Gillmor
On 07/15/2014 06:16 AM, ML mail wrote: Hello, I am not sure it is a good idea to name the user table user. As you can see in PostgreSQL user is a reserved word: \c mailman select * from user; current_user -- postgres (1 row) Any ideas how I can still list the

Re: [Mailman-Developers] PGP-signed message verification using the email module (and in Mailman)

2014-01-08 Thread Daniel Kahn Gillmor
On 01/08/2014 12:35 PM, Paul Boddie wrote: Of course, RFC 3156 warns about the pitfalls of encoding the part that is to be signed, It doesn't just warn about the pitfalls. It states that: Multipart/signed and multipart/encrypted are to be treated by agents as opaque, meaning that the

Re: [Mailman-Developers] Testing different email structures with MUAs

2013-09-12 Thread Daniel Kahn Gillmor
On 09/12/2013 03:11 AM, Stephen J. Turnbull wrote: So you're proposing this, I guess: multipart/signed multipart/mixed text/whatever # optional mailman header multipart/signed text/whatever # original signed

Re: [Mailman-Developers] Testing different email structures with MUAs

2013-09-12 Thread Daniel Kahn Gillmor
On 09/11/2013 04:58 AM, Abhilash Raj wrote: I have attached all 3 type of message, each in a different file. Please can you place it in your maildir and check how your MUAs respond to it and report here? The message signature will not be verified(the signature text is actually gibberish),

Re: [Mailman-Developers] Testing different email structures with MUAs

2013-09-12 Thread Daniel Kahn Gillmor
On 09/13/2013 12:29 AM, Daniel Kahn Gillmor wrote: http://dkg.fifthhorseman.net/src/mailman/multisigned-images/ I've added a fourth message, with a variant on the content wrapping structure stephen and i were just talking about: └┬╴multipart/signed 11903 bytes ├┬╴multipart/mixed 8561 bytes

Re: [Mailman-Developers] Testing different email structures with MUAs

2013-09-11 Thread Daniel Kahn Gillmor
On 09/11/2013 06:57 AM, Adam McGreggor wrote: On Wed, Sep 11, 2013 at 02:28:21PM +0530, Abhilash Raj wrote: I have attached all 3 type of message, each in a different file. Please can you place it in your maildir and check how your MUAs respond to it and report here? The message signature will

Re: [Mailman-Developers] Testing different email structures with MUAs

2013-09-11 Thread Daniel Kahn Gillmor
On 09/11/2013 08:44 PM, Stephen J. Turnbull wrote: Abhilash Raj writes: I have attached all 3 type of message, each in a different file. Please can you place it in your maildir and check how your MUAs respond to it and report here? The message signature will not be verified(the

Re: [Mailman-Developers] GSoC Updates

2013-08-29 Thread Daniel Kahn Gillmor
Hi Abhilash-- I haven't looked at the code much yet, but this is a pretty exciting report! I'm glad to hear everything you've done. On 08/28/2013 09:37 PM, Abhilash Raj wrote: 1) There is a 'signature rule'[1] that can verify signature from the users whose public key is stored in 'var/gpg'

Re: [Mailman-Developers] GSoC Updates

2013-08-29 Thread Daniel Kahn Gillmor
On 08/30/2013 12:56 AM, Stephen J. Turnbull wrote: The last time I looked (~10 days ago), that was the implementation: look only at the message-level Content-Type, ensure it's multipart/signed, check that there are exactly two parts and that the second is application/pgp-signature. hum, what
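Added example for the threads above; this is illustration code, not Mailman's and not dkg's. It implements the top-level multipart/signed check described for the GSoC signature rule, a footer wrapper that nests the whole signed entity inside a new multipart/mixed so it stays opaque as RFC 3156 requires (the inner levels of the structure discussed in the MUA-testing thread), and, for contrast, the edit-the-text-part-inside-the-signature approach that breaks verification. The sample message, its placeholder signature block, the addresses and the boundary strings are constructed for the example.

```python
"""RFC 3156 structure check and footer handling for PGP/MIME messages.
Added illustration, not Mailman's code; the sample and its signature are constructed."""
import email
from email import policy
from email.message import Message

SIGNED_MSG = (  # constructed sample: one text part plus a placeholder signature
    b"From: alice@example.org\nTo: list@example.org\nSubject: test\n"
    b"MIME-Version: 1.0\n"
    b"Content-Type: multipart/signed; micalg=pgp-sha256;\n"
    b' protocol="application/pgp-signature"; boundary="sigbound"\n\n'
    b"--sigbound\nContent-Type: text/plain; charset=us-ascii\n\nhello, list\n"
    b"--sigbound\nContent-Type: application/pgp-signature\n\n"
    b"-----BEGIN PGP SIGNATURE-----\nplaceholder, not a real signature\n"
    b"-----END PGP SIGNATURE-----\n--sigbound--\n"
)
MIME_HEADERS = {b"content-type", b"mime-version", b"content-transfer-encoding"}


def is_pgp_mime_signed(msg: Message) -> bool:
    """The check described in the thread: top-level multipart/signed with
    protocol=application/pgp-signature, exactly two parts, the second being
    the detached signature.  Signed parts nested deeper are not considered."""
    if msg.get_content_type() != "multipart/signed":
        return False
    if str(msg.get_param("protocol") or "").lower() != "application/pgp-signature":
        return False
    parts = msg.get_payload()
    return (isinstance(parts, list) and len(parts) == 2
            and parts[1].get_content_type() == "application/pgp-signature")


def _split(raw: bytes):
    """(header_block, body, newline) straight from the bytes; no re-serialising."""
    for nl in (b"\r\n", b"\n"):
        idx = raw.find(nl + nl)
        if idx != -1:
            return raw[:idx], raw[idx + 2 * len(nl):], nl
    raise ValueError("no header/body separator")


def _filter_headers(block: bytes, names: set, nl: bytes, keep: bool) -> list:
    """Keep (or drop) whole header fields by name, folded continuation
    lines included, without altering their bytes."""
    out, selected = [], False
    for line in block.split(nl):
        if not line[:1].isspace():          # a new field, not a continuation
            selected = line.split(b":", 1)[0].strip().lower() in names
        if selected == keep:
            out.append(line)
    return out


def first_part(raw: bytes) -> bytes:
    """Raw bytes of a multipart entity's first body part: after the first
    delimiter line, up to the CRLF that precedes the next delimiter.  For
    multipart/signed these are exactly the octets the signature covers."""
    boundary = email.message_from_bytes(raw, policy=policy.default).get_boundary()
    if boundary is None:
        raise ValueError("not a multipart entity")
    _, body, nl = _split(raw)
    delim = b"--" + boundary.encode()
    start = body.find(delim + nl)
    end = body.find(nl + delim, start + len(delim)) if start != -1 else -1
    if end == -1:
        raise ValueError("boundary delimiters not found")
    return body[start + len(delim) + len(nl):end]


def signed_bytes(raw: bytes) -> bytes:
    """Signed octets of a message that passes the structure check."""
    if not is_pgp_mime_signed(email.message_from_bytes(raw, policy=policy.default)):
        raise ValueError("not a PGP/MIME signed message")
    return first_part(raw)


def wrap_signed_with_footer(raw: bytes, footer: str, boundary: str = "mm-footer") -> bytes:
    """Nest the whole signed entity, byte-for-byte, in a new multipart/mixed
    beside a text/plain footer: only the outer headers are new, so the inner
    signature still verifies (RFC 3156: the signed entity stays opaque)."""
    signed_bytes(raw)                      # raises if the structure is wrong
    block, body, nl = _split(raw)
    if boundary.encode() in body:
        raise ValueError("boundary string occurs in the body; choose another")
    delim = b"--" + boundary.encode()
    out = nl.join(_filter_headers(block, MIME_HEADERS, nl, keep=False) + [
        b"MIME-Version: 1.0",
        b'Content-Type: multipart/mixed; boundary="' + boundary.encode() + b'"',
        b"", delim] + _filter_headers(block, {b"content-type"}, nl, keep=True)
        + [b"", b""])
    out += body if body.endswith(nl) else body + nl    # original body, untouched
    out += nl.join([delim, b"Content-Type: text/plain; charset=utf-8",
                    b"Content-Transfer-Encoding: 8bit", b"",
                    footer.encode("utf-8"), delim + b"--", b""])
    return out


def append_footer_inside(raw: bytes, footer: str) -> bytes:
    """What breaks signatures: editing the text part inside the signed entity
    and re-serialising, so the signed octets change."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    text = msg.get_payload()[0]
    text.set_payload(text.get_payload() + footer)
    return msg.as_bytes()


if __name__ == "__main__":   # prints the wrapped message for inspection
    print(wrap_signed_with_footer(SIGNED_MSG, "-- \nlist footer\n").decode())
```

Comparing signed_bytes(first_part(wrapped)) with signed_bytes(SIGNED_MSG) shows the wrapper leaves the signed octets intact, while the same comparison against append_footer_inside(...) shows the in-place edit changes them. The outer multipart/mixed produced here is what a list would then sign with its own key to get the outer multipart/signed layer discussed in the MUA-testing thread; that step only adds headers around this output and does not touch the inner entity.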

Re: [Mailman-Developers] Fwd: Re: GSoC Updates

2013-08-22 Thread Daniel Kahn Gillmor
On 08/22/2013 02:45 PM, Barry Warsaw wrote: On Aug 16, 2013, at 03:12 PM, Abhilash Raj wrote: 2) RSA or DSA keys? DSA can only be used for signing but is faster than RSA; although for now our scope is limited to signing, later on we will add encryption, so I think we should stick to RSA?

Re: [Mailman-Developers] Some Doubts for GSoC Project

2013-08-21 Thread Daniel Kahn Gillmor
On 08/19/2013 10:52 PM, Stephen 'Humble is my middle name' Turnbull wrote: Barry Warsaw writes: If I read the correct response from Steve, I don't think he was adamant about it. He basically said that he associates keys more with people than bots, but OTOH, -owner isn't really a

Re: [Mailman-Developers] GSoC Updates

2013-08-21 Thread Daniel Kahn Gillmor
On 08/14/2013 04:35 AM, Stephen J. Turnbull wrote: Abhilash Raj writes: After midterm evaluations I have been working on signing the message using one of the keys associated with the list, now since `python-gnupg` does not allow selecting keys with key credentials (like address or

Re: [Mailman-Developers] GSOC Midterm Report

2013-08-06 Thread Daniel Kahn Gillmor
On 08/02/2013 01:18 PM, Barry Warsaw wrote: On Aug 02, 2013, at 05:49 PM, Abhilash Raj wrote: Now as the signing part is almost done except for to-be-able-to-select the key for signing(now python-gnupg signs using the first found key in the secret keyring) we need the proper infrastructure

Re: [Mailman-Developers] GSOC Midterm Report

2013-07-31 Thread Daniel Kahn Gillmor
I'm excited to see this work, Abhilash! Do you have a demonstration instance of this code up and running anywhere? On 07/31/2013 02:43 AM, Abhilash Raj wrote: * Signature verification using `python-gnupg` was a PITA to me for some time. The way it accepts the string and signature for detached

Re: [Mailman-Developers] A list of discussion topics: GSoC OpenPGP Integration

2013-07-01 Thread Daniel Kahn Gillmor
On 07/01/2013 01:58 AM, Stephen J. Turnbull wrote: 2) subscribers to an OpenPGP-enabled mailman mailing list subscribe, unsubscribe, receive, and send mails as usual (though messages not signed with valid keys will not be re-sent to the list). Not necessarily. It may be necessary to

Re: [Mailman-Developers] A list of discussion topics: GSoC OpenPGP Integration

2013-06-28 Thread Daniel Kahn Gillmor
On 06/28/2013 12:03 AM, Stephen J. Turnbull wrote: Daniel Kahn Gillmor writes: I think Abhilash's question above is a really important question, It is. and one that really should be addressed by this GSoC project. Vetoed (I'm the mentor). Abhilash is welcome to work on key

Re: [Mailman-Developers] A list of discussion topics: GSoC OpenPGP Integration

2013-06-28 Thread Daniel Kahn Gillmor
On 06/28/2013 10:11 AM, Barry Warsaw wrote: Another complication is that keys will probably be attached to users, but users have relationships with list across the entire Mailman installation. So if it were list owners that were responsible for key management, how does that cross list

Re: [Mailman-Developers] A list of discussion topics: GSoC OpenPGP Integration

2013-06-27 Thread Daniel Kahn Gillmor
On Sat 2013-06-15 12:48:34 -0400, Stephen J. Turnbull wrote: Abhilash Raj writes: * How to ensure the keys belong to the email it says it does? This is not in scope for your project. Key upload is for bootstrapping strong authentication, therefore you should assume there is no strong

Re: [Mailman-Developers] OpenPGP Mailman integration discussion [was: Re: GSoc - Requirement from Mentor to complete the project]

2013-05-23 Thread Daniel Kahn Gillmor
On 05/23/2013 12:06 PM, Abhilash Raj wrote: For the encrypted lists yes, the key will be marked as 'encryption capable'. The list owner has to upload the public-private keypair for the list. [dkg wrote:] ***SIGNED_POSTS*** Might there be a reason for the list to have a keypair associated

Re: [Mailman-Developers] OpenPGP Mailman integration discussion [was: Re: GSoc - Requirement from Mentor to complete the project]

2013-05-16 Thread Daniel Kahn Gillmor
On 05/11/2013 03:17 AM, Abhilash Raj wrote: After Barry's comment on my proposal I decided to cut down the proposal to implement use of OpenPGP signatures for posting privileges instead of both signed and encrypted list. Most of the infrastructure for encrypted list will be created along

Re: [Mailman-Developers] GSoC Project Discussion - Web Posting Interface.

2013-05-09 Thread Daniel Kahn Gillmor
On 05/09/2013 12:28 PM, Barry Warsaw wrote: The real power here would be for someone who is reading the archives to jump into a discussion, potentially long after the fact. Imagine you've done a web search for a particular problem you're having and it lands you on a page in an archive. You

[Mailman-Developers] OpenPGP Mailman integration discussion [was: Re: GSoc - Requirement from Mentor to complete the project]

2013-05-09 Thread Daniel Kahn Gillmor
As i about this, i wonder if the OpenPGP integration project shouldn't be broken into two phases, so that the tricky nuances could be handled more simply. I'm imagining a first phase (message authentication) would not expect or handle encrypted messages, but would just use cryptographic

Re: [Mailman-Developers] GSoC Project Discussion - Web Posting Interface.

2013-05-09 Thread Daniel Kahn Gillmor
Hi Mark-- On 05/09/2013 01:06 PM, Mark Sapiro wrote: Go to http://mail.python.org/pipermail/mailman-developers/2013-May/023054.html and look at the mailto: link under 'dkg at fifthhorseman.net'. wow, great! I have never looked at this link before because i always assumed it was a link to

Re: [Mailman-Developers] GSOC Project idea: OpenPGP integration

2013-04-27 Thread Daniel Kahn Gillmor
On 04/27/2013 12:45 PM, Stephen J. Turnbull wrote: Stefan Schlott writes: 2. Your list has elevated security requirements. In this case, you can use gpg-agent to manage the secret key (and its passphrase). I don't understand what threat you propose to address in this way. It's true

Re: [Mailman-Developers] GSOC Project idea: OpenPGP integration

2013-04-25 Thread Daniel Kahn Gillmor
On 04/25/2013 04:36 PM, Stefan Schlott wrote: On 25.04.2013 00:14, Abhilash Raj wrote: 1) When a message is decrypted and then passed on between the queues, it creates a security threat for the cleartext message is being held in memory, even for a small time in between the runners. The

Re: [Mailman-Developers] OpenPGP Integration on GSoC

2013-04-12 Thread Daniel Kahn Gillmor
On 04/11/2013 09:13 AM, Stefan Schlott wrote: True, the PGP file structure encapsulates the signature within the encryption (in contrast to S/MIME, which does it vice versa). But the standard PGP binary will strip both in one step, so keeping the signature won't work out of the box (at least

Re: [Mailman-Developers] OpenPGP Integration on GSoC

2013-04-10 Thread Daniel Kahn Gillmor
On 04/09/2013 07:55 PM, Marcos Chavarría Teijeiro wrote: The problem is that I'm not sure if I understand the idea. This is how I see it: 1) Users submit their public key to MailMan server when they register to mail list. 2) The user can get MailMan Server public key 3) When a user wants

Re: [Mailman-Developers] GSOC Project idea: OpenPGP integration

2013-04-06 Thread Daniel Kahn Gillmor
On 04/06/2013 06:53 PM, Paul Wise wrote: On Sun, Apr 7, 2013 at 5:19 AM, Abhilash Raj wrote: I am an undergrad student interested in OpenPGP integration in mailman as a GSOC project this summer. neat, i'm glad to hear it! I'm not sure about the scope of your project but you may want to

Re: [Mailman-Developers] Mockup for New Design

2011-06-21 Thread Daniel Kahn Gillmor
On 06/21/2011 11:46 AM, Andrew wrote: On 21/06/11 09:31, David Andrews wrote: I presume the page is graphical because as a blind, screen reader using person, I got nothing out of it. Remember accessibility! Sure absolutely, this is just an image mockup to see what everyone thinks, it goes

[Mailman-Developers] mailman breaking PGP/MIME-signed messages (was: Re: My First Signed email)

2011-05-27 Thread Daniel Kahn Gillmor
On Sun, 15 May 2011 13:11:36 -0400, Robert J. Hansen r...@sixdemonbag.org wrote: http://sixdemonbag.org/pgpmime.zip Contains the good message (taken from my outbox), the bad message (as received from the list), and a diff between the two (as computed by Cygwin's diff). Knock yourself out.

Re: [Mailman-Developers] Proposal for a new menu grouping in MM3 webUI

2011-05-27 Thread Daniel Kahn Gillmor
On 05/27/2011 05:09 PM, Barry Warsaw wrote: One other thing I've been thinking about is a kind of debug option where a fake message could be injected into the system, with the appropriate headers, and out would come some debugging information about which rules got hit, and exactly why a