- From: Teus Hagen <teus AT theunis.org>
- To: Ian G <iang AT iang.org>
- Cc: CAcert System Administrators <cacert-sysadm AT lists.cacert.org>
- Subject: Re: [Cacert-sysadm] CAcert email address snafu
- Date: Mon, 11 Aug 2008 16:34:03 +0200
- List-archive: <http://lists.cacert.org/pipermail/cacert-sysadm>
- List-id: CAcert System Admins discussion list <cacert-sysadm.lists.cacert.org>
- Openpgp: id=85796A23
Gentlemen,
maybe I misunderstood Ian's email. The thing is that Ian complains
about Ian the one who is getting a grey listing message and so a wait is
enforced to his MTA and email spooling server. The latter is common as
any email can sit some time on an email spooling server for different
and quite common reasons.
Tunix is using grey listing on request of CAcert (they asked should we
turn it off and the answer was no).
Critical systems do an evaluation email trial. That is the other way
around (eg no grey listing is then active at the CAcert side). This is
outbound traffic not inbound... Grey listing can be active but then on
the "user" side.
Is there inbound email traffic to CAcert which should not be delayed?
Have not seen that requirement.
Email spooling is a common fact of life and CAcert cannot do much about
it....
So I fail to see the point Ian is trying to make...
teus
On 10/08/08 19:56, Philipp Gühring wrote:
> Hi Ian,
>
>
>> OK. Do we have any documentation on this? Is this an
>> agreement between Oophaga and Tunix? Does CAcert feel that
>> this is a "good thing?"
>>
>
> Greylisting is currently industry standard practice. I personally dislike it
>
>
>
>> That's to turn the question around. Let me rephrase it so
>> it cannot be turned around, hopefully:
>>
>
>
>> If Tunix can fiddle with the mail, can Tunix add any domain
>> or email, and get a cert for it?
>>
>
> No, since Tunix does not operate a firewall in front of our critical
> systems at the moment, it only operates a firewall in front of our
> non-critical systems, which are doing email and other things.
>
>
>
>> Who else could do this "fiddling"?
>>
>
> Lots of people could do that. Everyone who is running a larger Internet
> Exchange (VIX, DECIX, ...) probably could. Everyone running core
> DNS servers potentially could, ...
>
>
>> Obviously, the system
>> administrators on the critical systems (i.e., Philipp,
>> today) can do this. That's why that is declared "critical"
>> because they can do things like that.
>>
>
> Yes.
>
>
>> The question is, who else *outside* the critical systems
>> circle can fiddle with email. I'm guessing the answer is you :)
>>
>
> Everyone with access to the backbones, ...
>
>
>> OK. Threat models ... I do not see email fiddling mentioned
>> here:
>>
>> http://svn.cacert.org/CAcert/SecurityManual/RiskAnalysis.pdf
>> http://wiki.cacert.org/wiki/ThreatList
>>
>> but maybe I am looking in the wrong place?
>>
>
> Both lists aren't complete yet.
>
>
>
>>>> who is poking around and greylisting and
>>>> blacklisting and goldlisting and whatever... ,
>>>>
>>> most email admins to some extent.
>>>
>> OK. So that is: You + Philipp?
>>
>
> + Tunix (for cacert.org and lists.cacert.org)
> + BIT
>
>
>
>
>> Well. I think one scenario is this: I steal anyone's
>> password. I log in to their account. I add microsoft.com.
>> I cause the ping test to go to say
>> root AT microsoft.com.
>>
>> As I have "fiddling rights" over the email system, I kill
>> the email probe going out by some mechanism. (Maybe I trick
>> the greylisting into being blacklisting, who cares...)
>>
>
> No, the critical systems are currently located in Vienna, neither BIT,
> Tunix, nor Daniel has access to them. The critical systems send out the
> emails for the email-pings and domain-pings on themselves. So neither of
> those parties can intercept any of those emails at the moment, due to
> our separation of datacenters.
>
>
>> I then add the special checkcode, and all looks perfect.
>> When the S hits the F, we all run around looking in the
>> wrong place.
>>
>
> ?
>
>
>> Sure. Greylisting is perhaps benign, but it's smokey
>> coloured, and there might be some red stuff there too. What
>> I'm concerned with here is: what else are they doing? Who
>> said they could do that? What is the mission/objective
>> here? Who is monitoring their activities? Who is going to
>> take the responsibility for the statement that "Tunix are
>> doing benign greylisting???" etc etc.
>>
>
> Since Tunix does not operate a firewall in front of our critical
> systems, I don't think that we have a difficult question here at the moment.
> If we placed our critical systems behind Tunix firewalls, then we would
> have to start asking those questions. (Or perhaps even before ...)
>
> Best regards,
> Philipp Gühring
>
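The delay the thread argues about comes from the receiving site's greylisting policy meeting the sender's MTA retry schedule. The following is an added example, not code from CAcert, Tunix or any poster: a minimal greylist (defer the first attempt for a new client/sender/recipient triplet, accept once a retry arrives after a minimum wait) plus a simulation of an MTA retrying a verification ping; the addresses and the retry schedule are constructed.

```python
# Added example: a minimal greylisting policy, to show why a first delivery
# attempt is deferred and why the sending MTA's retry schedule decides the
# delay that the verification email actually experiences.
from dataclasses import dataclass, field
from typing import Optional

DEFER = "451 4.7.1 Greylisted, please try again later"
ACCEPT = "250 OK"


@dataclass
class Greylist:
    min_delay: int = 300          # seconds a new triplet must wait before acceptance
    max_wait: int = 4 * 3600      # a retry later than this counts as a new first attempt
    first_seen: dict = field(default_factory=dict)
    passed: set = field(default_factory=set)

    def decide(self, client_ip: str, mail_from: str, rcpt_to: str, now: int) -> str:
        """Return the SMTP reply for one delivery attempt made at time `now`."""
        triplet = (client_ip, mail_from.lower(), rcpt_to.lower())
        if triplet in self.passed:
            return ACCEPT                       # triplet already proved it retries
        seen = self.first_seen.get(triplet)
        if seen is None or now - seen > self.max_wait:
            self.first_seen[triplet] = now      # first (or stale) attempt: defer it
            return DEFER
        if now - seen < self.min_delay:
            return DEFER                        # retried too early: keep deferring
        self.passed.add(triplet)                # a real MTA came back: let it through
        del self.first_seen[triplet]
        return ACCEPT


def delivery_delay(gl: Greylist, triplet, retry_schedule) -> Optional[int]:
    """Simulate an MTA that tries at t=0 and then at each offset (seconds) in
    retry_schedule; return the time of acceptance, or None if it gives up."""
    for t in (0, *retry_schedule):
        if gl.decide(*triplet, now=t) == ACCEPT:
            return t
    return None


if __name__ == "__main__":
    # Constructed sample: a verification ping from a CA's mail host (hypothetical
    # addresses) to a user at a greylisting site, with a typical retry queue.
    ping = ("192.0.2.10", "ping@ca.example", "user@greylisting.example")
    print(delivery_delay(Greylist(), ping, [60, 300, 900]))   # -> 300
```

A one-shot sender that never retries is never accepted, which is the spam-filtering effect; a legitimate MTA pays exactly one retry interval, which is the wait the thread describes.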