Re: [Tools-discuss] Fwd: [rt5.ietf.org #6435] Unable to get mail back from alias expansion - expand-mediaman-chairs
Tero Kivinen <kivinen@iki.fi> Fri, 20 May 2022 14:00 UTC
Return-Path: <kivinen@iki.fi>
X-Original-To: tools-discuss@ietfa.amsl.com
Delivered-To: tools-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 48670C159529 for <tools-discuss@ietfa.amsl.com>; Fri, 20 May 2022 07:00:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.957
X-Spam-Level:
X-Spam-Status: No, score=-3.957 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-1.857, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=iki.fi
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yTNeidU3p9ov for <tools-discuss@ietfa.amsl.com>; Fri, 20 May 2022 07:00:21 -0700 (PDT)
Received: from lahtoruutu.iki.fi (lahtoruutu.iki.fi [185.185.170.37]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BFC80C15952B for <tools-discuss@ietf.org>; Fri, 20 May 2022 07:00:20 -0700 (PDT)
Received: from fireball.acr.fi (fireball.kivinen.iki.fi [IPv6:2001:1bc8:100d::2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: kivinen@iki.fi) by lahtoruutu.iki.fi (Postfix) with ESMTPSA id 1D0551B0025B; Fri, 20 May 2022 17:00:15 +0300 (EEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=lahtoruutu; t=1653055215; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=sm2Z3yRY77+jR64UYoSC1ygzUXIZfGAdjoP1zhHQVQ8=; b=dDtxLKZuyYN+EbBr/iCnZetGPhGzdlaRPzBefkDHDqXxenwJMmoK39vaTW4WU3Xg9T64Z7 Eivae6ndvP22o52Nk8LdO/aVP8vup3T9QUT0WqCX/mH51jUe/PeVaizcxeW4mivTZ9TBh6 hOlXWDS/6at3nSCxXcvem6bxi6Pzs9CLf7yOBhCywh93rPBvsbyYxLFGbSRrxXbeiPiTOh w6fzNBx5oSziBA4i3iExAaaswRfcy1lAn9tCwdoKxcijjjFszNBtOKvNRZ4sr16Myajo26 oDS+vAxZypJC0OrqILwH2WNt6JeI37DzMf7W13h+k7RNI8l7zHX9RObzBV3wDg==
Received: by fireball.acr.fi (Postfix, from userid 15204) id 7CFFC25C1299; Fri, 20 May 2022 17:00:14 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <25223.40686.441266.68020@fireball.acr.fi>
Date: Fri, 20 May 2022 17:00:14 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: tools-discuss@ietf.org
In-Reply-To: <793760.1653046427@dooku>
References: <rt-5.0.1-61158-1652918204-1888.6435-5-0@rt5.ietf.org> <a5e072c6-b370-0134-af78-1fb2f2762b01@alvestrand.no> <25222.20584.363434.662292@fireball.acr.fi> <793760.1653046427@dooku>
X-Mailer: VM 8.2.0b under 26.3 (x86_64--netbsd)
X-Edit-Time: 33 min
X-Total-Time: 32 min
ARC-Seal: i=1; s=lahtoruutu; d=iki.fi; t=1653055215; a=rsa-sha256; cv=none; b=RSI3Mu26TX9xpRQ2hGbvTttP9CQV4oHT4vHT6/kU+p+SG3M5Pek06Uzf+OUIVX5gI+LWzJ HkezAFZVd02ZcH+wFf/N0E9hZ4HPIX0cT/E/i8bm6g1Phorokt+MLkdEcQ2gj063wSiBHS 4J/J+ccMIPdEaqNjvWjGSaJgNSlQTWARaNTQsaipk2y853uxfWlhghOOcPNlYSKLzRbx51 ZN430YTwM5WJr8Tg7mtm1qpEK7gZxKCx/b8fDaDZBraLOn5hId3MUmjTJJOKcwqXVk1FiT JhrRN57DaXH57YH3wijnBYVhOJ4xaYbkSVYnF3AUCbkzAGf5oFZoXicJPel93A==
ARC-Authentication-Results: i=1; ORIGINATING; auth=pass smtp.auth=kivinen@iki.fi smtp.mailfrom=kivinen@iki.fi
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=lahtoruutu; t=1653055215; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=sm2Z3yRY77+jR64UYoSC1ygzUXIZfGAdjoP1zhHQVQ8=; b=nm85x26WYuqHxBsEt7LGGDB5Ity4k+IjPSibd+rLd0X9g5CK2AM7eA4b0ItLyLnPEyLiIr q+Nt8HusdtxYXTgzZ9DB9X8+TZjbZ77XWBHZ0MPZHXjkcaobJ80NA3XNkMqed/KvCjbt0U 74NSckNeuaPypmZf9vWoFS/lW1LW+AMnspFjxnFyvG1WYJ3q1vQYJeFpmz5HWrAS2HZkcu KPHpZMLH/jJAMY88lE59Xb5yXDrrCdXwkSU6YvQOPIBIkHmdbSJSRYeuv7I+ehj0LvHiQW JlzROsDTykeedz+7CophhjnswK+g7o2KEcWUO6fk6NGyhmSJJIyp1ocL3CEVXg==
Archived-At: <https://mailarchive.ietf.org/arch/msg/tools-discuss/msY7d5X2qrJVPHB6qnzPu6tltn0>
Subject: Re: [Tools-discuss] Fwd: [rt5.ietf.org #6435] Unable to get mail back from alias expansion - expand-mediaman-chairs
X-BeenThere: tools-discuss@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: IETF Tools Discussion <tools-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tools-discuss>, <mailto:tools-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tools-discuss/>
List-Post: <mailto:tools-discuss@ietf.org>
List-Help: <mailto:tools-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tools-discuss>, <mailto:tools-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 May 2022 14:00:22 -0000
Michael Richardson writes: > > 1) We use ARC to sign incoming messages before they are forwarded, and > > this allows end systems to verify the ARC headers, and whitelist our > > servers. I think that some of those modern mailbox service providers > > What are you using to do this? We use milter and rspamd to do that (it works both with sendmail and postfix, and half of our machines are using sendmail other half postfix). This is done on the first incoming machine, i.e., after that the email might get forwarded to other machines in our internal network (spam marking, the www mailbox etc), but those other machines do not add any other ARC headers, only the first step does that. > > 2) We offer read-only web mail box for our members (opt-in), which > > stores copies for all emails sent to his address for last 7 days. This > > That's quite a brilliant thing to do. As we are non-profit organization in Finland, that also adds some restrictions to us, i.e., we are not supposed to compete against companies offering similar things as a service. Because of that we can't really offer real web mailbox service, as that would directly complete with oter companies offering similar service, but this read only temporary mailbox solution is fine. Also because it is read only and isn't meant for permanent storage, it is also offered with best-effort way, meaning we do not need to have backups of those emails. If that machine break we simply replace it with new one from the scratch. For authentication all our services use separate automatically generated strong service passwords for each service. We do NOT allow users to pick those password themselves. I.e., the web mail has password that looks like asdfa-asdas-fewrg-vrmkl-weknq (i.e, 5 * 5 lower case letters separated by dashes, about 120 bits of security). We do not expect anybody to type that, but if you need to type it on your phone (for example you do need to add your authenticated smtp service password to your email client on phone, to be able to send emails), it is much easier to type if it is only lowercase letters and dashes. We did end up in cases where some applications didn't allow using that long passwords so we also have a way of generating less secure (about 95 bits of security) passwords which are only 16-characters long, but uses larger set of characters... As those passwords are added to configurations of different low security system like phones, web browsers etc, we want to make sure each password is separate, and we have then one master password that allows you to log in to user admin panel and change or show those passwords (and then you can cut & paste it to your configuration dialog). For this master password we recommend people to write it down on paper and keeping that paper in safe location. It is impossible to remember password you use every few years or once every ten years, so you must write it down. We also offer ability to use goverment issued smartcards to log in to the adminstration interface (and then you do not need passwords), which provides much better security than any of the 2fa that others are using. Of course we had to disable TLS1.3 because of that (older smartcards support only RSASSA-PKCS1-v1_5, newer ones support also RSASSA-PSS (TLS1.3) but TLS1.3 misses renegotiation support also (I think)). -- kivinen@iki.fi
- [Tools-discuss] Fwd: [rt5.ietf.org #6435] Unable … Harald Alvestrand
- Re: [Tools-discuss] [rt5.ietf.org #6435] Unable t… Carsten Bormann
- Re: [Tools-discuss] [rt5.ietf.org #6435] Unable t… Harald Alvestrand
- Re: [Tools-discuss] [rt5.ietf.org #6435] Unable t… Michael Richardson
- [Tools-discuss] Fwd: [rt5.ietf.org #6435] Unable … Tero Kivinen
- Re: [Tools-discuss] [rt5.ietf.org #6435] Unable t… Carsten Bormann
- Re: [Tools-discuss] [rt5.ietf.org #6435] Unable t… Tero Kivinen
- Re: [Tools-discuss] Fwd: [rt5.ietf.org #6435] Una… Michael Richardson
- Re: [Tools-discuss] Fwd: [rt5.ietf.org #6435] Una… Tero Kivinen