On Mon, Dec 05, 2016 at 02:50:30PM -0500, William L. Thomson Jr. wrote:
> > Infra does maintain an SPF page as well.
> > https://wiki.gentoo.org/wiki/Project:Infrastructure/SPF
> What does infra use to validate SPF records?
Postfix, Amavis, SpamAssassin are all used for validation paths
presently.

Lists operate on a principle to encourage as much open communication as
possible, while blocking actual spam.

> Unless Gentoo wants to allow spoofing via email on lists as I did on accident
> the first time and on purpose the 2nd.
The accident I'm willing to forgive, but that you went and repeated it
shows a potential for malicious intent.

Any further instance will be raised to comrel.

> Spoofing should not be allowed at all on
> lists. I should not be able to pose as a Gentoo Developer or another on any
> Gentoo mailing lists.
Your forgeries got a +1 point from SpamAssassin, due to the SPF per-user
~all rule, but were otherwise sufficiently legitimate, and were permitted.

Why did your mail server (mail1.obsidian-studios.com) allow the
forgeries to be sent? Even as an authenticated client allowed to relay
email, it should be checking the envelope sender (and ideally the From
header inside the email as well).

> Also why is GPG signing no longer required?
OpenPGP signing of email has NEVER been required by any technical means.
It HAS been strongly recommended. Unsigned mails ARE permitted, because
OpenPGP isn't always appropriate or available:
- mobile mail clients have terrible or non-existent OpenPGP support
- not wanting OpenPGP keys on a mobile device
- developers who participate in email from their work systems, without
  their Gentoo OpenPGP keys present on those systems.
- automated mails to lists (like the weekly package/add removal notice,
  or the lots-of-bugs-need-wrangling notice).

> That alone can help ensure emails are coming from who they say they are. Not
> sure how I was able to sign an email with an email not part of my GPG key. Not
> sure if that is kmail bug or by design.
Your MUA should have issued a warning, but it's not an error in any way.

-- 
Robin Hugh Johnson
Gentoo Linux: Dev, Infra Lead, Foundation Trustee & Treasurer
E-Mail : robbat2@g.o
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136
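As an added illustration (not code from Gentoo infra or from anyone in this thread), a Python sketch of the submission-time check the reply says a relaying server should perform: an authenticated client may only use an envelope sender, and ideally a From header, that belongs to its login. The login-to-address map and the addresses are constructed; the envelope check corresponds to what Postfix's reject_authenticated_sender_login_mismatch does, the From-header comparison is something an MTA would need a milter or policy hook for.

```python
"""Sender-ownership check for an authenticated submission client.

A receiving list server can only score a forgery (here SpamAssassin gave
+1 for an SPF ~all softfail); the sending MTA is the place to refuse it.
Constructed example: map and addresses are not real infrastructure data.
"""
from email.utils import parseaddr

# Constructed map: which addresses each SASL login is allowed to send as.
SENDER_LOGIN_MAP = {
    "alice": {"alice@example.org", "alice@lists.example.org"},
    "bot": {"noreply@example.org"},
}


def check_submission(sasl_login, envelope_sender, from_header,
                     allowed=SENDER_LOGIN_MAP):
    """Return ("accept" | "reject", reason) for one submitted message.

    envelope_sender is the MAIL FROM address; from_header is the raw
    RFC 5322 From: value, so a display name is stripped before comparing.
    """
    owned = allowed.get(sasl_login)
    if not owned:
        return "reject", f"login {sasl_login!r} may not send as anyone"

    env = envelope_sender.strip().lower()
    if env not in owned:
        return "reject", f"envelope sender {env} not owned by {sasl_login!r}"

    # parseaddr returns ("", "") for a From: it cannot parse, which then
    # fails the ownership test rather than slipping through.
    _display, hdr = parseaddr(from_header)
    hdr = hdr.lower()
    if hdr not in owned:
        shown = hdr or "<unparseable>"
        return "reject", f"From header {shown} not owned by {sasl_login!r}"

    return "accept", "envelope sender and From header both owned by login"


if __name__ == "__main__":
    # A forged From: with a legitimate envelope sender is the case the
    # envelope-only check misses and the header check catches.
    print(check_submission("alice", "alice@example.org",
                           "Some Developer <dev@example.org>"))
```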