Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 16 Jul 2015 23:24:12 -0700
From: Reed Loden <reed@...dloden.com>
To: oss-security@...ts.openwall.com
Subject: Re: Re: ezmlm warning

On Thu, Jul 16, 2015 at 11:10 PM, Florian Weimer <fw@...eb.enyo.de> wrote:

> * Reed Loden:
>
> > Yup, I get these, too... Been happening for almost a year. See also
> > http://seclists.org/oss-sec/2014/q3/471.
> >
> > Likely, the ezmlm instance on lists.openwall.com needs to be updated to
> get
> > some of the DMARC compliance changes that were made last year (
> > http://untroubled.org/ezmlm/archive/7.2.2/CHANGES).
>
> Or you need to upgrade your email service to something that supports
> mailing lists.  oss-security uses Internet Mail in the way it is
> intended and specified.  If recipient mail servers cannot accept those
> messages, it is really their fault.
>

You can complain all your want, but it's not going away. It cuts down on
spam and spoofing mails too much. DMARC isn't some rogue thing that just a
few people are doing. It's all been codified as RFC 7489, and lots of mail
providers have implemented it. There are definitely some things that can be
improved about it (the DMARC WG in the IETF is very busy --
https://tools.ietf.org/html/draft-ietf-dmarc-interoperability-04 for their
latest work on this), but ignoring DMARC is just putting your head in the
sand. Best to deal with the annoying workarounds for now until the next
evolution can be spec'd out and implemented. Otherwise, you risk losing
important e-mail (like joyful oss-security@ mails ;-]).

DMARC is just one aspect of that.  For example, would you also request
> that Openwall will never deploy IPv6 because Gmail rejects mail sent
> over IPv6?
>

[citation needed], considering I've sent mail over IPv6 and received it
just fine on Gmail (Google Apps, specifically).
https://support.google.com/mail/answer/81126?hl=en#authentication even
mentions IPv6 is supported but just has a few extra caveats that must be
followed.

~reed

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.