On Mon, 05 Dec 2016 14:50:30 -0500
"William L. Thomson Jr." <wlt-ml@××××××.com> wrote:

> New thread, others can filter out.
>
> On Monday, December 5, 2016 7:25:52 PM EST Robin H. Johnson wrote:
> > This is the official infra response re SPF in this case.
> >
> > On Mon, Dec 05, 2016 at 12:03:02PM -0500, Michael Orlitzky wrote:
> > > Something is not "off" with our mail servers, and there is
> > > currently no way to prevent "From" spoofing without significant
> > > collateral damage.
> >
> > Correct.
> >
> > Infra does maintain an SPF page as well.
> > https://wiki.gentoo.org/wiki/Project:Infrastructure/SPF
>
> What does infra use to validate SPF records?

AIUI, they only use it as part of overall light spam filtering on
incoming mail. The only checks on forwarded mail are spam keywords and
for subscription. (?)

> Having a SPF record alone is not enough. You need to run some
> software that checks the emails against SPF records, ones I publish
> for my domain, ones Gentoo publishes for its domains etc.
>
> In my case I use ASSP. Which I have used in front of mailing lists as
> well. Maybe Gentoo needs to put something into place to check SPF
> records.
>
> Unless Gentoo wants to allow spoofing via email on lists as I did on
> accident the first time and on purpose the 2nd. Spoofing should not
> be allowed at all on lists. I should not be able to pose as a Gentoo
> Developer or another on any Gentoo mailing lists.

SPF does not validate the From header in the first place, it only
verifies the envelope sender. SPF is irrelevant to the concern of email
sender spoofing from a user perspective.

> Also why is GPG signing no longer required?
>
> That alone can help ensure emails are coming from who they say they
> are. Not sure how I was able to sign an email with an email not part
> of my GPG key. Not sure if that is kmail bug or by design.

I am fairly confident that it never was. I am fairly confident that no
mainstream mailing list software checks GPG signatures.
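
Added example, not part of the original thread and not Gentoo infra's configuration: a receiver-side check showing that the SPF verdict is computed from the envelope sender (SMTP MAIL FROM) alone, so a separate comparison against the From header is needed to flag a mismatch. The domains, addresses and SPF records are constructed, the lookup table stands in for DNS, and only `ip4` and `all` terms are handled.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed SPF policies standing in for DNS TXT lookups (assumption: offline
# demo; only ip4 mechanisms and a terminal "all" are evaluated).
SPF_RECORDS = {
    "lists.example.org": "v=spf1 ip4:192.0.2.0/24 -all",
    "dev.example.net": "v=spf1 ip4:198.51.100.7 -all",
}

def domain_of(address):
    """Lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()

def spf_check(mail_from, client_ip):
    """Evaluate SPF for the envelope sender only; the message headers are never read."""
    record = SPF_RECORDS.get(domain_of(mail_from))
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return "pass"
        if term.endswith("all"):
            return {"-": "fail", "~": "softfail", "?": "neutral"}.get(term[0], "pass")
    return "neutral"

def evaluate(mail_from, client_ip, raw_message):
    """SPF result plus an exact-match comparison of envelope and From header domains."""
    header_from = parseaddr(message_from_string(raw_message)["From"])[1]
    return {
        "spf": spf_check(mail_from, client_ip),
        "envelope_domain": domain_of(mail_from),
        "header_from_domain": domain_of(header_from),
        # Exact match is this example's choice of comparison.
        "aligned": domain_of(mail_from) == domain_of(header_from),
    }

# Constructed message whose From header names a different domain than the envelope.
MSG = "From: Some Developer <someone@dev.example.net>\nSubject: test\n\nbody\n"

if __name__ == "__main__":
    # List host relays with its own envelope sender: SPF passes, header is unaligned.
    print(evaluate("bounce@lists.example.org", "192.0.2.25", MSG))
    # Direct delivery from the From domain's own permitted host: pass and aligned.
    print(evaluate("someone@dev.example.net", "198.51.100.7", MSG))
```

A result of `spf: pass` with `aligned: False` is the case described in the reply above: the connecting host is authorised for the envelope domain, and nothing has been verified about the address the reader sees.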