lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20210628162027.GC4604@ziepe.ca>
Date:   Mon, 28 Jun 2021 13:20:27 -0300
From:   Jason Gunthorpe <jgg@...pe.ca>
To:     Benjamin LaHaise <ben@...munityfibre.ca>
Cc:     James Bottomley <James.Bottomley@...senPartnership.com>,
        linux-mm@...ck.org, linux-kernel@...r.kernel.org
Subject: Re: linux-mm@...ck.org - limping on a backup

On Mon, Jun 28, 2021 at 10:40:51AM -0400, Benjamin LaHaise wrote:
> On Mon, Jun 28, 2021 at 11:26:59AM -0300, Jason Gunthorpe wrote:
> > Isn't a 7-bit conversion what I pointed at last time we talked about
> > this?
> 
> I changed several options in postfix last time this was raised, but as
> nobody ever provided a test case, I had no way of knowing if it worked or
> not.

I've been using a script like this against the lore public inbox git
repos to monitor my own domain's dkim cleanness and interaction with
list serves:

#!/usr/bin/python3
import subprocess
import collections

# Starting points
start = XXXXX # git commit id string

emails = collections.defaultdict(list)
commits = subprocess.check_output(["git","log","master","^" + start,'--pretty=format:%H %aN <%aE>']).decode()
for ln in commits.splitlines():
    commit,_,email = ln.partition(' ')
    if "nvidia.com" in email.lower():
        emails[email].append(commit)

fails = set()
not_empty = True;
while not_empty:
    not_empty = False;
    for email,commits in sorted(emails.items()):
        if email in fails or not commits:
            continue
        commit = commits[-1];
        del commits[-1]
        if commits:
            not_empty = True;
        msg = subprocess.check_output(["git","show",commit + ":m"]);
        try:
            subprocess.check_output(["dkimverify"], input=msg);
            #print(email)
        except:
            fails.add(email)
            print("Failed!", email, commit)

It has taken a lot of doing, but nvidia.com is now effectively DKIM
clean through vger.

You could run with with some known-good domains like nvidia.com,
facebook.com, google.com, to measure kvack's activity. Failures can
often be cross-correlated against a vger list and then you can do A/B
comparison to guess what is wrong.

> spec that ignores decades of that philosophy at the IETF.  And even if a
> DKIM signature passes, that's still not enough to trust the resulting
> email.  All it does is ensure that a small subset of valid emails get
> dropped on the floor.  This doesn't seem like an overall win.

I have no idea. It is here, people beyond us have made this decision,
we have to work within it. DMARC is ratcheting this up and is moving
to say if DKIM fails then emails should be discared.

Jason

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ