lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: petard at freeshell.org (petard)
Subject: Proposal: how to notify owners of compromised PC's

On Wed, Jan 28, 2004 at 05:37:59PM -0600, Phil Brutsche wrote:
> <sending this to the list as well, since not enough people are doing the 
> proper research>
> 
> >I left my ISP about 9 months ago because they implemented this very
> >policy. It entirely destroyed my ability to send email from my preferred
> >address. Our SMTP setup at example.com relays mail from people
> >claiming to be @example.com if and only if they have been authenticated
> >using a client X.509 certificate issued by the example.com root
> >certificate authority.
> 
> Then put SMTP on a different TCP port.  RFC 2476, which specifies TCP 
> port 587 to be a message submission port for MUAs, was specifically 
> created to address this issue.
OK. You get a cookie. You've heard of RFC 2476. Now read it and you can
have another. From the RFC:

"A site MAY choose to use port 25 for message submission,
by designating some hosts to be MSAs and others to be MTAs."
Section 3.1 [emphasis in the original]

Because of my ISP's suddenly BROKEN service, I was no longer able to
operate in this RFC-compliant manner.

This is in fact our preferred mode of operation at example.com, as it
allows maximum client interoperability, or did anyway... It was
our only mode of operation at that time. When this happened with my ISP,
unannounced, we set the process in place to get the necessary holes
punched in our firewalls and configure an extra instance of the smtp
daemon on 587. This took weeks, and I still switched to a non-broken
ISP. Our admins are not paid to work around ISPs who do not provide what
they say they do, or suddenly and without notice stop doing so.

At any rate, blocking port 25 is a half-assed solution to a problem that
needs to be solved at the MUA, not the MTA or MSA.


regards,

petard

-- 
If your message really might be confidential, download my PGP key here:
http://petard.freeshell.org/petard.asc
and encrypt it. Otherwise, save bandwidth and lose the disclaimer.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ