| 1 |
On Mon, Dec 05, 2016 at 02:50:30PM -0500, William L. Thomson Jr. wrote: |
| 2 |
> > Infra does maintain an SPF page as well. |
| 3 |
> > https://wiki.gentoo.org/wiki/Project:Infrastructure/SPF |
| 4 |
> What does infra use to validate SPF records? |
| 5 |
Postfix, Amavis, SpamAssassin are all used for validation paths |
| 6 |
presently. |
| 7 |
|
| 8 |
Lists operate on a principle to encourage as much open communication as |
| 9 |
possible, while blocking actual spam. |
| 10 |
|
| 11 |
> Unless Gentoo wants to allow spoofing via email on lists as I did on accident |
| 12 |
> the first time and on purpose the 2nd. |
| 13 |
The accident I'm willing for forgive, but that you went and repeated it |
| 14 |
shows a potential for malicious intent. |
| 15 |
|
| 16 |
Any further instance will be raised to comrel. |
| 17 |
|
| 18 |
> Spoofing should not be allowed at all on |
| 19 |
> lists. I should not be able to pose as a Gentoo Developer or another on any |
| 20 |
> Gentoo mailing lists. |
| 21 |
Your forgeries got a +1 point from SpamAssassin, due to the SPF per-user |
| 22 |
~all rule, but was otherwise sufficiently legitimate, and was permitted. |
| 23 |
|
| 24 |
Why did your mail server (mail1.obsidian-studios.com) allow the |
| 25 |
forgeries to be sent? Even as an authenticated client allowed to relay |
| 26 |
email, it should be checking the envelope sender (and ideally the From |
| 27 |
header inside the email as well). |
| 28 |
|
| 29 |
> Also why is GPG signing no longer required? |
| 30 |
OpenPGP signing of email has NEVER been required by any technical means. |
| 31 |
It HAS been strongly recommended. Unsigned mails ARE permitted, because |
| 32 |
OpenPGP isn't always appropriate or available: |
| 33 |
- mobile mail clients have terrible or non-existent OpenPGP support |
| 34 |
- not wanting OpenPGP keys on a mobile device |
| 35 |
- developers who participate in email from their work systems, without |
| 36 |
their Gentoo OpenPGP keys present on those systems. |
| 37 |
- automated mails to lists (like the weekly package/add removal notice, |
| 38 |
or the lots-of-bugs-need-wranging notice). |
| 39 |
|
| 40 |
> That alone can help ensure emails are coming from who they say they are. Not |
| 41 |
> sure how I was able to sign an email with an email not part of my GPG key. Not |
| 42 |
> sure if that is kmail bug or by design. |
| 43 |
Your MUA should have issued a warning, but it's not an error in any way. |
| 44 |
|
| 45 |
-- |
| 46 |
Robin Hugh Johnson |
| 47 |
Gentoo Linux: Dev, Infra Lead, Foundation Trustee & Treasurer |
| 48 |
E-Mail : robbat2@g.o |
| 49 |
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85 |
| 50 |
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136 |
Archives