Re: secure MTA

2020-04-09 Thread Erling Westenvik
On Thu, Apr 09, 2020 at 04:24:34PM +0100, Kevin Chadwick wrote: > > > Now this whole debate boils down to "how much effort is someone willing to > > invest > > into hacking Cord's computers?", and that's something I can't answer. > > And how competent Cord is at defending his computer because t

Re: secure MTA

2020-04-09 Thread Kevin Chadwick
> Now this whole debate boils down to "how much effort is someone willing to > invest > into hacking Cord's computers?", and that's something I can't answer. And how competent Cord is at defending his computer because they may not be able to if he is competent enough, which is my point; It is

Re: secure MTA

2020-04-09 Thread Rudolf Leitgeb
> Conversely, if everything was easily hackable then we probably wouldn't use > computers, at all. Being hacked is a risk everybody is ready to accept, some knowingly, some unknowingly. There may be people here, who have never done business with any of these entities listed here, but they are ce

Re: secure MTA

2020-04-09 Thread Kevin Chadwick
On 2020-04-09 10:55, Rudolf Leitgeb wrote: > My point was, that security is an ongoing effort. Flaws and new > exploit venues are discovered. There will be different numbers > of flaws for different operating systems, but none remains unscathed > for years. As soon as your server does anything usef

Re: secure MTA (was: news from ...)

2020-04-09 Thread infoomatic
On 09.04.20 11:55, Rudolf Leitgeb wrote: > As soon as your server does anything useful, it will > present an attack vector to the outside world, and one needs to > be aware of it. > just to add to your argument: your server does not even have to do anything ... the interface driver or just the tc

Re: secure MTA (was: news from ...)

2020-04-09 Thread Rudolf Leitgeb
On Wed, 2020-04-08 at 13:55 -0400, Allan Streib wrote: > My (default) smtpd.conf says: > > listen on lo0 > > So how might that be remotely exploitable? I can disable all network connections on an unpatched Windows 95 laptop - oh, this would make it s secure ... Hint: a server, which provid

Re: secure MTA (was: news from ...)

2020-04-08 Thread Allan Streib
Claus Assmann writes: > On Wed, Apr 08, 2020, Kevin Chadwick wrote: > >> OpenSMTPD does not listen to the internet, by default and even if you do set >> it > > From: Qualys Security Advisory > To: oss-secur...@lists.openwall.com > Message-ID: <20200224184538.GF17396@localhost.localdomain> > > -

Re: secure MTA

2020-04-08 Thread Theo de Raadt
Claus Assmann wrote: > > Qualys chose to call that remote, at a stretch. Either way, it does not > > change > > It seems to be similar to "if you visit a compromised website"... Which is not remote, either. > Anyway, it doesn't seem to be productive to argue terminology etc, > hence: sorry f

Re: secure MTA

2020-04-08 Thread Claus Assmann
On Wed, Apr 08, 2020, Kevin Chadwick wrote: > You missed some out. I assume on purpose. Wrong "assumption"; I did it to keep it short -- I included the info how someone could find the details. > So it does require internal users to make an action and a MITM or outbound > connection to an attacke

Re: secure MTA

2020-04-08 Thread Kevin Chadwick
On 2020-04-08 18:39, Claus Assmann wrote: > - Client-side exploitation: This vulnerability is remotely exploitable > in OpenSMTPD's (and hence OpenBSD's) default configuration. Although You missed some out. I assume on purpose. Client-side exploitation: This vulnerability is remotely exploitabl

Re: secure MTA (was: news from ...)

2020-04-08 Thread Claus Assmann
On Wed, Apr 08, 2020, Kevin Chadwick wrote: > OpenSMTPD does not listen to the internet, by default and even if you do set > it From: Qualys Security Advisory To: oss-secur...@lists.openwall.com Message-ID: <20200224184538.GF17396@localhost.localdomain> - Client-side exploitation: This vulnera