
[Savannah-help-public] [support #103775] From address used in CVS log me


From: Sylvain Beucler
Subject: [Savannah-help-public] [support #103775] From address used in CVS log messages
Date: Tue, 18 Jan 2005 20:09:45 +0000
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0

This is an automated notification sent by Savannah.
It relates to:
                support #103775, project Savannah Administration

==============================================================================
 LATEST MODIFICATIONS of support #103775:
==============================================================================

               Posted by: Sylvain Beucler <Beuc>
               Posted on: 2005-01-18 20:09 (Europe/Paris)
    _______________________________________________________

Follow-up Comment:
Waiting for his reply...

==============================================================================
 OVERVIEW of support #103775:
==============================================================================

URL:
  <http://savannah.gnu.org/support/?func=detailitem&item_id=103775>

                 Summary: From address used in CVS log messages
                 Project: Savannah Administration
            Submitted by: onno
            Submitted on: Thu 13.01.2005 at 18:59
                Category: Mail server
                Priority: 5 - Normal
                Severity: 5 - Average
                  Status: Wont Do
                 Privacy: Public
             Assigned to: Beuc
        Originator Email: 
        Platform Version: None
             Open/Closed: Open

    _______________________________________________________


For a while, address@hidden was used as From address in CVS log
mails. This is the correct thing to do.



But now, the user-specified address is used again. Can this be changed back?
The current behaviour doesn't work with SPF and other spam fighting
mechanisms, because you're simply forging the From address. Your mail server
isn't authorized to send mails on behalf of /other/ domains, and they will be
rejected by the receiving mail server.

    _______________________________________________________

Follow-up Comments:


-------------------------------------------------------
Date: Tue 18.01.2005 at 20:09        By: Sylvain Beucler <Beuc>
Waiting for his reply...

-------------------------------------------------------
Date: Tue 18.01.2005 at 06:38        By: Onno Molenkamp <onno>
And what did he have to say about it?

-------------------------------------------------------
Date: Thu 13.01.2005 at 21:02        By: Sylvain Beucler <Beuc>
True: confused license and technology

False: I didn't mention that GPG would solve the problem, it's just a working
solution for authentication that is not vulnerable to MITM.



Now, we do not have any control on gnu.org MX fields, and we cannot satisfy
both you and the people who check whether the sender exists.



I'll ask the person in charge of the gnu.org mail system what his thoughts
are on these technologies.



-------------------------------------------------------
Date: Thu 13.01.2005 at 20:05        By: Onno Molenkamp <onno>
It's not about you, it's about interoperability with the rest of the world.
Sender-ID is an adaptation of SPF with a Microsoft license. Apache won't
accept it, and they're right. However, they /do/ support SPF. Apache's
SpamAssassin 3.0 /does/ support SPF.



GPG keys are nice for client-side verification, but don't stop anything at
the SMTP level. They solve a different problem. And if your mail doesn't
arrive because you're forging addresses, GPG will never even get the chance
to prove it's legitimate mail.

-------------------------------------------------------
Date: Thu 13.01.2005 at 19:59        By: Sylvain Beucler <Beuc>
As I said, I already have a solution that works quite well and is far more
convenient; plus GPG keys if I want real signatures.



Besides, http://www.apache.org/foundation/docs/sender-id-position.html



-------------------------------------------------------
Date: Thu 13.01.2005 at 19:51        By: Onno Molenkamp <onno>
You /really/ have to read about ongoing developments in the SMTP world before
making decisions like these...



Go read http://spf.pobox.com. Go read http://antispam.yahoo.com/domainkeys.



Realize that sites with SPF records include gnu.org, nongnu.org,
savannah.nongnu.org, big sites like gmail.com. Gmail also employs DomainKeys,
as does Yahoo.



And no, you won't be able to send mails from your own server anymore using a
From address that isn't yours. But that's not a bad thing. Every half-decent
mail client supports setting an outgoing mail server per identity. Or just use
an address in a domain that's controlled by yourself.

-------------------------------------------------------
Date: Thu 13.01.2005 at 19:42        By: Sylvain Beucler <Beuc>
I do hope that such a solution, that among others prevents people from using
their own SMTP server, will not be used.



Incidentally, my current mail provider (ovh.com) received both kinds of cvs
notifications, _and_ I receive a low amount of spam. That's what I think is a
well-configured mail system :)



Also, I'm curious, how will your mail system know whether I am forging a
mail, or simply relaying a message in the context of a mailing-list?



-------------------------------------------------------
Date: Thu 13.01.2005 at 19:35        By: Onno Molenkamp <onno>
Then you'll have a big problem when more sites start deploying SPF,
DomainKeys, etc. and your mails will be dropped.



It might be your personal view that it's ok to forge addresses, but in
general this isn't considered acceptable.



In case of a mailing list, there are mechanisms to make it work, if the
original mail /was/ sent by an approved mail server. That's not the case here.

-------------------------------------------------------
Date: Thu 13.01.2005 at 19:20        By: Sylvain Beucler <Beuc>
This cannot be done, because addresses @savannah.gnu.org are not valid (no MX
field in the DNS, no SMTP server). This caused other people to miss
notifications.



As far as I am concerned, I expect an SMTP server to be able to forge e-mails.
I send all my mails using different addresses using the same SMTP server.



Likewise, the mailing lists server sends mail on behalf of the subscribers.








==============================================================================

This item URL is:
  <http://savannah.gnu.org/support/?func=detailitem&item_id=103775>

_______________________________________________
  Message posted via/by Savannah
  http://savannah.gnu.org/




