Re: [DNG] Is t worth the effort for SPF?, DMARC>, DKIM?, etc
Quoting terryc (ter...@woa.com.au):

> On Sun, 27 Sep 2020 17:20:06 +0200
> Alessandro Vesely via Dng wrote:
>
> > You can also publish DKIM and SPF records so as to produce
> > DMARC-aligned authentication for any hosted domain. Users won't
> > notice any difference.
>
> Does anyone have any figures on how effective these methods are?
> It seems we get a new idea every few years and none make the slightest
                                                                   ^^^
> difference in spam levels.
  ^

You have made a fundamental, basic error.

SPF and DMARC are _antiforgery_ extensions to DNS and SMTP. They permit
a domain owner to publish information in their authoritative DNS to
advise recipients of SMTP about what SMTP-originating IP addresses ought
to be considered _authorised_ SMTP senders for their domains, vs. which
others ought to be rejected as forgeries.

Nothing about SPF and DMARC says 'this will reduce spam'. They're about
making domain forgery (in received SMTP mail) detectable and able to
be confidently rejected upon receipt.

DKIM is a (poorly designed, IMO) method for an individual SMTP-mail
originating system to cryptographically sign outbound SMTP mail,
permitting receiving systems to verify that the mail contents haven't
been tampered with en route.

Since I personally refuse to have anything to do with DKIM or DMARC
(both designed by the same team at Yahoo), I'll illustrate SPF's
value proposition to a domain owner. I'm the owner/operator of domain
linuxmafia.com (among others). Here is that domain's publicly
proclaimed SPF record:

:r! dig -t txt linuxmafia.com +short
"v=spf1 ip4:96.95.217.99 -all"

That record says, translated into English, "Please accept as from an
authorised SMTP source for domain linuxmafia.com _only_ mail originated
by IPv4 address 96.95.217.99. Please hardfail (reject) mail received
from any other IP address."
My putting that information in my DNS is a huge win for my domain's good
reputation as a clean SMTP source, in that it states extremely clearly
what mail _purporting_ to be from linuxmafia.com ought to be considered
by receiving MTAs (that honour my wishes) to be genuine. Of course, I
have zero ability to compel or persuade receiving SMTP systems to check
and honour my domain's SPF record, but many do, and every little bit
helps.

Occasionally, someone tries to convince me that SPF is A Bad Thing for
any of several uncompelling reasons, most often because they have been
accustomed to originating mail from _their_ domains from arbitrary IP
addresses on TCP port 25 (SMTP), and fear that widespread adoption of
SPF will somehow make it less likely that their carefree habit will
continue much longer. My response inevitably is that I really couldn't
care less whether they like SPF or not. It permits me to unambiguously
declare to the public that IP address 96.95.217.99 is the only valid
source of SMTP mail from my domain, thereby exposing as forgeries mail
from anywhere else (falsely) claiming to be from my domain, so it is
A Good Thing for my domain, and I don't give a tinker's damn whether my
interlocutor approves of it.

And none of this has anything particularly to do with 'reducing spam'.
That just isn't the point, and the only people debating that supposed
issue are folks who never bothered to look up what the thing _is_.

> The only result is that there is now an industry of religious extremism
> in "blacklisting" sites that don't follow their desired implementation.

To be blunt: You have not bothered to understand what you're writing
about. I would suggest you do so.

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
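As an added illustration of what a receiving MTA actually does with a record like the one above (example code written for this page, not Rick's and not any MTA's own implementation): it parses the TXT record and checks the connecting client's IP against each mechanism in order, returning the qualifier of the first one that matches. Only the `ip4`, `ip6` and `all` mechanisms are implemented, since those need no DNS lookups; `a`, `mx`, `include`, `ptr` and `exists` are refused explicitly rather than silently ignored. The first record is the linuxmafia.com one quoted in the post; the second (`CONSTRUCTED_SPF`, using documentation address space and a `~all` softfail) is constructed to show a CIDR mechanism and the softer qualifier.

```python
import ipaddress

# Record shown in the post (output of `dig -t txt linuxmafia.com +short`).
LINUXMAFIA_SPF = "v=spf1 ip4:96.95.217.99 -all"

# Constructed record for comparison: a /24 of documentation space, softfail.
CONSTRUCTED_SPF = "v=spf1 ip4:192.0.2.0/24 ~all"

# RFC 7208 qualifiers; a mechanism with no qualifier defaults to "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Mechanisms that cannot be evaluated without DNS queries.
DNS_MECHANISMS = {"a", "mx", "include", "ptr", "exists"}

# What the result means for an SMTP receiver (the post's "hardfail (reject)").
RECOMMENDED_ACTION = {
    "pass": "accept as authorised for the domain",
    "fail": "reject (the sending IP is not authorised)",
    "softfail": "accept but treat as suspicious",
    "neutral": "no assertion made; treat as if no record",
    "permerror": "record is malformed; treat as if no record",
}


def parse_spf(record):
    """Split an SPF TXT record into (result, mechanism, argument) triples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    mechanisms = []
    for term in terms[1:]:
        if "=" in term:
            # Modifiers such as redirect= and exp= are not handled here.
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        mechanisms.append((QUALIFIERS[qualifier], name.lower(), arg))
    return mechanisms


def spf_check(record, client_ip):
    """Evaluate the record for the IP the SMTP client connected from."""
    ip = ipaddress.ip_address(client_ip)
    for result, name, arg in parse_spf(record):
        if name == "all":
            return result                     # "all" always matches
        if name in ("ip4", "ip6"):
            # A bare address is treated as a /32 or /128 network.
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return result
        elif name in DNS_MECHANISMS:
            raise NotImplementedError(f"mechanism {name!r} needs DNS lookups")
        else:
            return "permerror"                # RFC 7208 §4.6.1: unknown mechanism
    return "neutral"                          # RFC 7208 §4.7: nothing matched


def evaluate(record, client_ip):
    """Return (result, recommended receiver action) for a connection."""
    result = spf_check(record, client_ip)
    return result, RECOMMENDED_ACTION[result]


if __name__ == "__main__":
    for ip in ("96.95.217.99", "203.0.113.5", "2001:db8::1"):
        print(ip, "->", evaluate(LINUXMAFIA_SPF, ip))
```

Run as a script it evaluates three sample client addresses against the linuxmafia.com record; only the one published `ip4:` address passes, every other IPv4 or IPv6 source falls through to `-all` and is a hard fail.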
Re: [DNG] Is t worth the effort for SPF?, DMARC>, DKIM?, etc
Thank you for that note on SPF - it clarified it for me in a way that other
documentation on this has failed to do up to now.

On Thu, 2020-10-01 at 00:07 -0700, Rick Moen wrote:
> Quoting terryc (ter...@woa.com.au):
>
> > On Sun, 27 Sep 2020 17:20:06 +0200
> > Alessandro Vesely via Dng wrote:
> >
> > > You can also publish DKIM and SPF records so as to produce
> > > DMARC-aligned authentication for any hosted domain. Users won't
> > > notice any difference.
> >
> > Does anyone have any figures on how effective these methods are?
> > It seems we get a new idea every few years and none make the slightest
>                                                                    ^^^
> > difference in spam levels.
>   ^
>
> You have made a fundamental, basic error.
>
> SPF and DMARC are _antiforgery_ extensions to DNS and SMTP. They permit
> a domain owner to publish information in their authoritative DNS to
> advise recipients of SMTP about what SMTP-originating IP addresses ought
> to be considered _authorised_ SMTP senders for their domains, vs. which
> others ought to be rejected as forgeries.
>
> Nothing about SPF and DMARC says 'this will reduce spam'. They're about
> making domain forgery (in received SMTP mail) detectable and able to
> be confidently rejected upon receipt.
>
> DKIM is a (poorly designed, IMO) method for an individual SMTP-mail
> originating system to cryptographically sign outbound SMTP mail,
> permitting receiving systems to verify that the mail contents haven't
> been tampered with en route.
>
> Since I personally refuse to have anything to do with DKIM or DMARC
> (both designed by the same team at Yahoo), I'll illustrate SPF's
> value proposition to a domain owner. I'm the owner/operator of domain
> linuxmafia.com (among others). Here is that domain's publicly
> proclaimed SPF record:
>
> :r! dig -t txt linuxmafia.com +short
> "v=spf1 ip4:96.95.217.99 -all"
>
> That record says, translated into English, "Please accept as from an
> authorised SMTP source for domain linuxmafia.com _only_ mail originated
> by IPv4 address 96.95.217.99. Please hardfail (reject) mail received
> from any other IP address."
>
> My putting that information in my DNS is a huge win for my domain's good
> reputation as a clean SMTP source, in that it states extremely clearly
> what mail _purporting_ to be from linuxmafia.com ought to be considered
> by receiving MTAs (that honour my wishes) to be genuine. Of course, I
> have zero ability to compel or persuade receiving SMTP systems to check
> and honour my domain's SPF record, but many do, and every little bit
> helps.
>
> Occasionally, someone tries to convince me that SPF is A Bad Thing for
> any of several uncompelling reasons, most often because they have been
> accustomed to originating mail from _their_ domains from arbitrary IP
> addresses on TCP port 25 (SMTP), and fear that widespread adoption of
> SPF will somehow make it less likely that their carefree habit will
> continue much longer. My response inevitably is that I really couldn't
> care less whether they like SPF or not. It permits me to unambiguously
> declare to the public that IP address 96.95.217.99 is the only valid
> source of SMTP mail from my domain, thereby exposing as forgeries mail
> from anywhere else (falsely) claiming to be from my domain, so it is
> A Good Thing for my domain, and I don't give a tinker's damn whether my
> interlocutor approves of it.
>
> And none of this has anything particularly to do with 'reducing spam'.
> That just isn't the point, and the only people debating that supposed
> issue are folks who never bothered to look up what the thing _is_.
>
> > The only result is that there is now an industry of religious extremism
> > in "blacklisting" sites that don't follow their desired implementation.
>
> To be blunt: You have not bothered to understand what you're writing
> about. I would suggest you do so.
Re: [DNG] ..devuan to the rescue? Easiest possible newbie email server setup, ideas?
On Tue 29/Sep/2020 11:10:12 +0200 Simon Hobson wrote:
> Alessandro Vesely via Dng wrote:
>
>>> I have no choice over the neighbours !
>
>> Don't buy overly cheap connections...
>
> Doesn't matter how much you pay - unless you get an entire net-block to
> yourself then you have no control over the neighbours. Only the ISP has
> control over the neighbours.

Correct. ISPs which maintain a restricted set of non-spamming customers
tend to ask for higher rates. Mass discount ISPs, cutting abuse team
costs, accept anyone.

Best
Ale
Re: [DNG] ..devuan to the rescue? Easiest possible newbie email server setup, ideas?
On Thu, 2020-10-01 at 11:31 +0200, Alessandro Vesely via Dng wrote:
> On Tue 29/Sep/2020 11:10:12 +0200 Simon Hobson wrote:
> > Alessandro Vesely via Dng wrote:
> >
> >>> I have no choice over the neighbours !
> >
> >> Don't buy overly cheap connections...
> >
> > Doesn't matter how much you pay - unless you get an entire net-block to
> > yourself then you have no control over the neighbours. Only the ISP has
> > control over the neighbours.
>
> Correct. ISPs which maintain a restricted set of non-spamming customers
> tend to ask for higher rates. Mass discount ISPs, cutting abuse team
> costs, accept anyone.

Tell me about it! My provided mail router has been blacklisted several
times because of neighbours' spamming activities. I keep wondering about
going for a more exclusive package (in all senses) but it would be a big
increase in the yearly fee.

Oh for the days when I was a Demon Internet customer and had my very own
class C address ...
Re: [DNG] (Almost) no sound under Beowulf
Wed, 30 Sep 2020 11:36:32 -0700 - Ian Zimmerman :

> On 2020-09-30 20:02, al3xu5 / dotcommon wrote:
>
> > Firefox, from a certain version onwards (sorry but I don't remember
> > which one), removed support for ALSA from the default build
> > configuration (maybe it will be restored in the future, I don't know
> > if it has already been but I don't think so), keeping only pulseaudio
> > support.
> >
> > This should explain why you didn't have audio on Firefox; while I can
> > assume that the other problems depend on pulseaudio and its
> > configuration (also because I seem to understand that they happened
> > after you installed it...).
>
> FWIW, I am on Debian buster, which just upgraded firefox-esr to 78; I
> have no pulseaudio; and I just checked youtube and it works ok. So, I
> doubt this explanation of Marc's problem.

As I said, "Firefox from a certain version onwards" (should be 52) "removed
support for ALSA from the default build configuration (maybe it will be
restored in the future, [...]"

So if you have no pulseaudio and audio is ok with firefox-esr 78, IMHO it
should mean that the ff release you have has been built with ALSA support
(nice if they have restored it!!!) or that you run ff through apulse...

Regards
al3xu5

--
Say NO to copyright, patents, trademarks and industrial design restrictions!
Public GPG/PGP key: F94CFE23 (4096 bit RSA)
Key fingerprint: 59C6 9DC7 CD4B CF2F A190 E3DE 69C5 977B F94C FE23
Re: [DNG] Complete system HDD encryption w/o LLVM.
Hi Steve,

Steve Litt writes:

> On Tue, 29 Sep 2020 20:58:42 +0700
> Андрей via Dng wrote:
>
>> Hello.
>>
>> I've seen on the Devuan web site an article on complete system HDD
>> encryption using LLVM. I have tried that one and found that it is
>> impossible to change partition sizes once it was autopartitioned,
>> using LLVM full system HDD encryption.
>
> If your /home partition is encrypted, and any other "data" partitions
> are encrypted, and perhaps your swap partition is encrypted (is that
> possible?) then I think it's pretty easy. Why would one need /usr and
> /etc and /var encrypted?

- /usr? Depends on what gets stuffed under /usr/local/
- /etc? 'cause you might end up saving clear text passwords there ...
  Oh! I found one below /etc/wpa_supplicant/. There might be others.
- /var? Eh, /var/spool/ may have mail and print jobs, at least for some
  time. /var/log/ may contain sensitive stuff ...

That said, I generally agree that for _most_ of *my* purposes there is no
real need to have those trees encrypted. Still on the machine I am now
typing this mail *everything* is, the whole of it from / on down.

Hope this helps,
--
Olaf Meeuwissen, LPIC-2
FSF Associate Member since 2004-01-27
GnuPG key: F84A2DD9/B3C0 2F47 EA19 64F4 9F13 F43E B8A4 A88A F84A 2DD9
Support Free Software https://my.fsf.org/donate
Join the Free Software Foundation https://my.fsf.org/join
Re: [DNG] Complete system HDD encryption w/o LLVM.
On 10/1/20 2:30 PM, Olaf Meeuwissen via Dng wrote:
> - /etc? 'cause you might end up saving clear text passwords there ...
>   Oh! I found one below /etc/wpa_supplicant/. There might be others.

could also be clear-text: smtp account password(s), network-manager saves
connection passwords there, system backup passwords, mysql also has the
debian-sys-maint password. and there are probably more clear-text examples
in /etc/

apart from clear-text passwords, most encryption keys for daemons are
stored in /etc.

> - /var? Eh, /var/spool/ may have mail and print jobs, at least for some
>   time. /var/log/ may contain sensitive stuff ...

+ /var/lib is mostly data.. mysql data, dns data, tor data, etc.
/var/backups

--
and yes, swap can be encrypted too, very very easily.
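The two messages above (Olaf's and this reply) list the kinds of cleartext credentials that end up under /etc, which is the argument for encrypting it rather than only /home. As an added example, not code from either poster, here is a small audit that walks a directory tree and reports active lines that look like a credential assignment in the formats they mention: wpa_supplicant's `psk=`, NetworkManager connection profiles, msmtp's `password` keyword and MySQL's debian.cnf. The sample tree it builds is constructed for the demonstration (all values are placeholders); point `find_cleartext_secrets()` at a real `/etc` to see what a thief of an unencrypted disk would read.

```python
import os
import re
import tempfile

# An active line whose key is a credential name, followed by "=" or
# whitespace and a value. The whitespace form covers msmtprc, which uses
# "password <value>" rather than "password=<value>".
SECRET_LINE = re.compile(
    r"^\s*(psk|password|passwd|secret)\s*[=\s]\s*(\S.*)$", re.IGNORECASE
)

# Constructed stand-in for /etc; every value below is a placeholder.
SAMPLE_FILES = {
    "wpa_supplicant/wpa_supplicant.conf":
        'network={\n  ssid="home"\n  psk="not-a-real-passphrase"\n}\n',
    "NetworkManager/system-connections/home.nmconnection":
        "[wifi-security]\nkey-mgmt=wpa-psk\npsk=not-a-real-passphrase\n",
    "msmtprc":
        "account default\nhost smtp.example.invalid\nuser alice\n"
        "password not-a-real-password\n",
    "mysql/debian.cnf":
        "[client]\nuser = debian-sys-maint\npassword = not-a-real-password\n",
    # Files that must not be reported: no credential, or only a comment.
    "hostname": "laptop\n",
    "ssh/sshd_config": "# password = example-in-a-comment\nPermitRootLogin no\n",
}


def build_sample_tree():
    """Write the constructed files into a fresh temporary directory."""
    root = tempfile.mkdtemp(prefix="etc-audit-")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root


def find_cleartext_secrets(root):
    """Return sorted (relative path, line number, key) for credential lines."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, errors="replace") as fh:
                    for lineno, line in enumerate(fh, 1):
                        if line.lstrip().startswith("#"):
                            continue          # commented out, not an active value
                        m = SECRET_LINE.match(line)
                        if m:
                            rel = os.path.relpath(path, root)
                            hits.append((rel, lineno, m.group(1).lower()))
            except OSError:
                continue                      # unreadable entry: skip, keep auditing
    return sorted(hits)


if __name__ == "__main__":
    root = build_sample_tree()
    for rel, lineno, key in find_cleartext_secrets(root):
        print(f"{rel}:{lineno}: cleartext {key}")
```

Values are deliberately never printed, only the file, line and key name, so the report itself does not become another copy of the secret. The regex is intentionally narrow (a few well-known key names); it is a starting point for deciding what must live on an encrypted filesystem, not a complete secret scanner.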
[DNG] AppArmor documentation and packaging
I don't know to whom these should go, or how to get them fixed.

Documentation:

Having read the fine manual:

Neither
  man apparmor
or
  man apparmor.d

have any mention of apparmor.d/local

There is no mention of proper formatting of apparmor.d/local files.

At https://gitlab.com/apparmor/apparmor/-/wikis/Policy_Layout
there is a mention of

  ${APPARMOR.D}/local/
and
  ${HOME}/.apparmor/

but there does not appear to be any documentation on
formatting of the files in the local subdirectory,
which is different from the profiles.

But they also say that the Debian distribution includes
the documentation and Debian specific notes.

So, can you trust documentation that contradicts itself?


Profiles and packaging:

FIREFOX-ESR
There is no apparmor profile for FIREFOX-ESR

There is a firefox profile in apparmor-profiles-extra.deb
which appears to work after changing the name appropriately.

MSMTP
The apparmor profile is part of the package.


The point of these last items is the inconsistent packaging.

There should probably be a guideline that profiles go with the package
or in a separate package.

I discovered this after installing MSMTP and having it mysteriously fail
when the log directory was changed.

I imagine that I am not the first person to have the learning opportunity
that inconsistent packaging creates.

Regards,

Ken
Re: [DNG] Complete system HDD encryption w/o LLVM.
On 10/1/20 4:42 AM, Steve Litt wrote:
> On Tue, 29 Sep 2020 20:58:42 +0700
> Андрей via Dng wrote:
>
>> I've seen on the Devuan web site an article on complete system HDD
>> encryption using LLVM. I have tried that one and found that it is
>> impossible to change partition sizes once it was autopartitioned,
>> using LLVM full system HDD encryption.
>
> If your /home partition is encrypted, and any other "data" partitions
> are encrypted, and perhaps your swap partition is encrypted (is that
> possible?) then I think it's pretty easy. Why would one need /usr and
> /etc and /var encrypted?

/etc/ to prevent adversaries with physical access from reading your
configuration
/usr/ to prevent adversaries with physical access from replacing binaries
/var/ mixture of the above.
Re: [DNG] (Almost) no sound under Beowulf
On 2020-10-01 13:23, al3xu5 / dotcommon wrote:

> So if you have no pulseaudio and audio is ok with firefox-esr 78, IMHO
> it should mean that the ff release you have has been built with ALSA
> support (nice if they have restored it!!!) or that you run ff through
> apulse...

No apulse either. AFAIK, there was never a point when the _Debian_ build
of firefox-esr had this problem. As for Mozilla builds, I cannot say,
though their devs can sound very Lennart-like sometimes, so it is not
unlikely.

--
Ian
Re: [DNG] Complete system HDD encryption w/o LLVM.
On 9/29/20 9:58 AM, Андрей via Dng wrote:
> Question is, Is it possible to achieve the same goal without LLVM --
> i.e. to partition system HDD with fdisk, and then still have full
> encryption?

Another way to do it is with the live-isos (using refractainstaller).
Select encryption for the root partition and do not select a separate
partition for /boot. You can also select a separate partition for /home,
and if you encrypt that, you will have to enter the passphrase to unlock
each partition. You can change that to a keyfile after the install. The
default for the live installer is to use a swap file on the root
partition, so that will be part of the encrypted filesystem.

One thing I find annoying with having /boot encrypted is that grub is very
slow to respond to the passphrase. And then you have to enter it again for
the root partition.

fsmithred
Re: [DNG] AppArmor documentation and packaging
On 01/10/20 17:43, kdibble wrote:
> I don't know to whom these should go, or how to get them fixed.
>
> Documentation:
>
> Having read the fine manual:
>
> Neither
>   man apparmor
> or
>   man apparmor.d
>
> have any mention of apparmor.d/local
>
> There is no mention of proper formatting of apparmor.d/local files.
>
> At https://gitlab.com/apparmor/apparmor/-/wikis/Policy_Layout
> there is a mention of
>
>   ${APPARMOR.D}/local/
> and
>   ${HOME}/.apparmor/
>
> but there does not appear to be any documentation on
> formatting of the files in the local subdirectory,
> which is different from the profiles.
>
> But they also say that the Debian distribution includes
> the documentation and Debian specific notes.
>
> So, can you trust documentation that contradicts itself?
>
>
> Profiles and packaging:
>
> FIREFOX-ESR
> There is no apparmor profile for FIREFOX-ESR
>
> There is a firefox profile in apparmor-profiles-extra.deb
> which appears to work after changing the name appropriately.
>
> MSMTP
> The apparmor profile is part of the package.
>
>
> The point of these last items is the inconsistent packaging.
>
> There should probably be a guideline that profiles go with the package
> or in a separate package.
>
> I discovered this after installing MSMTP and having it mysteriously fail
> when the log directory was changed.
>
> I imagine that I am not the first person to have the learning opportunity
> that inconsistent packaging creates.
>
> Regards,
>
> Ken

Hi,
apparmor is the first thing I uninstall and set

GRUB_CMDLINE_LINUX_DEFAULT="apparmor=0"

in /etc/default/grub (after systemd).

I also add:

Package: apparmor*
Pin: release n=beowulf
Pin-Priority: -1

To /etc/apt/preferences.d/preferences to avoid it being sucked in again as
a dependency of some other package.

The reason is that I experienced so many subtle breakages of various
packages (e.g. unbound, haveged are the first I recall) for which the
profiles are not working or missing or broken for my setup that I got fed
up with it.

IMHO it is impossible to make correct profiles unless you analyze every
single line of code of the program you want to protect to detect the exact
resources it needs in every possible situation, code path and use case.
So you open up your boxes to unexpected behavior at best or breakage at
worst.

It is also dangerous to rely on apparmor because it could give you a false
sense of security and last but not least who controls the controller?
Do we need a "Superarmor" to arm apparmor next?

Better configure your system correctly and keep it as simple as possible.
Less programs, less code, less bugs, less complexity, less configuration
errors.

Just my 0,2 cents.

Ciao,
Tito
Re: [DNG] Complete system HDD encryption w/o LLVM.
On Tue, Sep 29, 2020 at 08:58:42PM +0700, Андрей via Dng wrote:
> Hello.
>
> I've seen on the Devuan web site an article on complete system HDD
> encryption using LLVM. I have tried that one and found that it is
> impossible to change partition sizes once it was autopartitioned,
> using LLVM full system HDD encryption.

You probably mean LVM.

> Question is, Is it possible to achieve the same goal without LLVM --
> i.e. to partition system HDD with fdisk, and then still have full
> encryption?
>
> Thanks for any advice.
>
> Andrey.