1 |
New thread, others can filter out. |
2 |
|
3 |
On Monday, December 5, 2016 7:25:52 PM EST Robin H. Johnson wrote: |
4 |
> This is the official infra response re SPF in this case. |
5 |
> |
6 |
> On Mon, Dec 05, 2016 at 12:03:02PM -0500, Michael Orlitzky wrote: |
7 |
> > Something is not "off" with our mail servers, and there is currently no |
8 |
> > way to prevent "From" spoofing without significant collateral damage. |
9 |
> |
10 |
> Correct. |
11 |
> |
12 |
> Infra does maintain an SPF page as well. |
13 |
> https://wiki.gentoo.org/wiki/Project:Infrastructure/SPF |
14 |
|
15 |
What does infra use to validate SPF records? |
16 |
|
17 |
Having a SPF record alone is not enough. You need to run some software that |
18 |
checks the emails against SPF records, ones I publish for my domain, ones |
19 |
Gentoo publishes for its domains etc. |
20 |
|
21 |
In my case I use ASSP. Which I have used in front of mailing lists as well. |
22 |
Maybe Gentoo needs to put something into place to check SPF records. |
23 |
|
24 |
Unless Gentoo wants to allow spoofing via email on lists as I did on accident |
25 |
the first time and on purpose the 2nd. Spoofing should not be allowed at all on |
26 |
lists. I should not be able to pose as a Gentoo Developer or another on any |
27 |
Gentoo mailing lists. |
28 |
|
29 |
Also why is GPG signing no longer required? |
30 |
|
31 |
That alone can help ensure emails are coming from who they say they are. Not |
32 |
sure how I was able to sign an email with an email not part of my GPG key. Not |
33 |
sure if that is kmail bug or by design. |
34 |
|
35 |
-- |
36 |
William L. Thomson Jr. |