[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Savannah-help-public] [support #103775] From address used in CVS log me
|
From: |
Sylvain Beucler |
|
Subject: |
[Savannah-help-public] [support #103775] From address used in CVS log messages |
|
Date: |
Thu, 13 Jan 2005 21:02:15 +0000 |
|
User-agent: |
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0 |
This is an automated notification sent by Savannah.
It relates to:
support #103775, project Savannah Administration
==============================================================================
LATEST MODIFICATIONS of support #103775:
==============================================================================
Posted by: Sylvain Beucler <Beuc>
Posted on: 2005-01-13 21:02 (Europe/Paris)
_______________________________________________________
Follow-up Comment:
True: confused license and technology
False: I didn't mention that GPG would solve the problem, it's just a working
solution for authentication that is not vulnerable to MITM.
Now, we do not have any control on gnu.org MX fields, and we cannot satisfy
both you and the people who check whether the sender exists.
I'll ask the person in charge of the gnu.org mail system what are his thoughs
on these technologies.
==============================================================================
OVERVIEW of support #103775:
==============================================================================
URL:
<http://savannah.gnu.org/support/?func=detailitem&item_id=103775>
Summary: From address used in CVS log messages
Project: Savannah Administration
Submitted by: onno
Submitted on: jeu 13.01.2005 à 18:59
Category: Mail server
Priority: 5 - Normal
Severity: 5 - Average
Status: Wont Do
Privacy: Public
Assigned to: Beuc
Originator Email:
Platform Version: None
Open/Closed: Open
_______________________________________________________
For a while, address@hidden was used as From address in CVS log
mails. This is the correct thing to do.
But now, the user specified address is used again. Can this be changed back?
The current behaviour doesn't work with SPF and other spam fighting
mechanisms, because you're simply forging the From address. Your mail server
isn't authorized to send mails on behalf of /other/ domains, and they will be
rejected by the receiving mailserver.
_______________________________________________________
Follow-up Comments:
-------------------------------------------------------
Date: jeu 13.01.2005 à 21:02 By: Sylvain Beucler <Beuc>
True: confused license and technology
False: I didn't mention that GPG would solve the problem, it's just a working
solution for authentication that is not vulnerable to MITM.
Now, we do not have any control on gnu.org MX fields, and we cannot satisfy
both you and the people who check whether the sender exists.
I'll ask the person in charge of the gnu.org mail system what are his thoughs
on these technologies.
-------------------------------------------------------
Date: jeu 13.01.2005 à 20:05 By: Onno Molenkamp <onno>
It's not about you, it's about interopability with the rest of the world.
Sender-ID is an adaptation of SPF with a Microsoft license. Apache won't
accept it, and they're right. However, they /do/ support SPF. Apache's
SpamAssassin 3.0 /does/ support SPF.
GPG keys are nice for client-side verification, but don't stop anything at
the SMTP level. They solve a different problem. And if your mail doesn't
arrive because you're forging addresses, GPG will never even get the chance
to prove it's legitimate mail..
-------------------------------------------------------
Date: jeu 13.01.2005 à 19:59 By: Sylvain Beucler <Beuc>
As I said, I already have a solution that works quite well and is far more
convenient; plus GPG keys if I want real signatures.
Besides, http://www.apache.org/foundation/docs/sender-id-position.html
-------------------------------------------------------
Date: jeu 13.01.2005 à 19:51 By: Onno Molenkamp <onno>
You /really/ have to read about ongoing developments in the SMTP world before
making decisions like these...
Go read http://spf.pobox.com. Go read http://antispam.yahoo.com/domainkeys.
Realize that sites with SPF records include gnu.org, nongnu.org,
savannah.nongnu.org, big sites like gmail.com. Gmail also employs DomainKeys,
as does Yahoo.
And no, you won't be able to send mails from your own server anymore using a
>From address that isn't yours. But that's not a bad thing. Every half-decent
mailclient supports setting an outgoing mailserver per identity. Or just use
an address in a domain that's controlled by yourself.
-------------------------------------------------------
Date: jeu 13.01.2005 à 19:42 By: Sylvain Beucler <Beuc>
I do hope that such a solution, that among others prevent people from using
their own SMTP server, will not be used.
Incidentally, my current mail provider (ovh.com) received both kind of cvs
notifications, _and_ I receive a low amount of spam. That's what I think is a
well-configured mail system :)
Also, I'm curious, how will your mail system know whether I am forging a
mail, or simply relaying a message in the context of a mailing-list?
-------------------------------------------------------
Date: jeu 13.01.2005 à 19:35 By: Onno Molenkamp <onno>
Then you'll have a big problem when more sites start deploying SPF,
DomainKeys, etc. and your mails will be dropped.
It might be your personal view that it's ok to forge addresses, but in
general this isn't considered acceptable.
In case of a mailinglist, there are mechanisms to make it work, if the
original mail /was/ sent by an approved mailserver. That's not the case here.
-------------------------------------------------------
Date: jeu 13.01.2005 à 19:20 By: Sylvain Beucler <Beuc>
This cannot be done, because addresses @savannah.gnu.org are not valid (no MX
field in the DNS, no SMTP server). This caused other people to miss
notifications.
As far as I am concerned, I expect a SMTP server to be able to forge e-mails.
I send all my mails using different addresses using the same SMTP server.
Likewise, the mailing lists server send mail on behalf of the subscribees.
==============================================================================
This item URL is:
<http://savannah.gnu.org/support/?func=detailitem&item_id=103775>
_______________________________________________
Message posté via/par Savannah
http://savannah.gnu.org/
- [Savannah-help-public] [support #103775] From address used in CVS log messages, Onno Molenkamp, 2005/01/13
- [Savannah-help-public] [support #103775] From address used in CVS log messages, Sylvain Beucler, 2005/01/13
- [Savannah-help-public] [support #103775] From address used in CVS log messages, Onno Molenkamp, 2005/01/13
- [Savannah-help-public] [support #103775] From address used in CVS log messages, Sylvain Beucler, 2005/01/13
- [Savannah-help-public] [support #103775] From address used in CVS log messages, Onno Molenkamp, 2005/01/13
- [Savannah-help-public] [support #103775] From address used in CVS log messages, Sylvain Beucler, 2005/01/13
- [Savannah-help-public] [support #103775] From address used in CVS log messages, Onno Molenkamp, 2005/01/13
- [Savannah-help-public] [support #103775] From address used in CVS log messages,
Sylvain Beucler <=
- [Savannah-help-public] [support #103775] From address used in CVS log messages, Onno Molenkamp, 2005/01/18
- [Savannah-help-public] [support #103775] From address used in CVS log messages, Sylvain Beucler, 2005/01/18