
cacert - Re: [CA cert] Challenge/Response & Whitelisting email systems

Subject: A better approach to security

  • From: tarvid <tarvid AT ls.net>
  • To: A better approach to security <cacert AT lists.cacert.org>
  • Subject: Re: [CA cert] Challenge/Response & Whitelisting email systems
  • Date: Wed, 18 Aug 2004 12:38:45 -0400

J. Wren Hunt wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



Hi All!

Just a reminder that it is incumbent upon those with
challenge/response-type email systems requesting support via email to
support[at]cacert.org to first whitelist the .cacert.org domain if you
expect messages back to you. These include revocation, certificate and
email ping messages, in addition to support request notifications.

With over 10,000 users and growing, there's no way our small team of
volunteers can cope if even a fraction of this number don't heed this
request. Not to mention irritating when we're chastised by these users
when they don't receive the replies that we in fact sent.

Respectfully,

Wren
wren[at]cacert.org

| Please click on http://<some-address-here> and
| follow directions to clear your e-mail to <some-guys-email-here>.
| You will only have to do this once.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBI20qA/qR4Uok1vQRAgcBAJ9QyHVVo3SPxjK4IT7z5u6ExPcL5gCgvlmH
if+Km2O6V5GynEsr/KGctns=
=15oI
-----END PGP SIGNATURE-----


A few changes on the CAcert side would help.

1) change the "mail from" in RT to support AT cacert.org from anonymous AT flexo.sydneywireless.com

Aug 18 08:15:05 horace postfix/smtpd[17554]: NOQUEUE: reject: RCPT from flexo.sydneywireless.com[202.93.176.34]: 554 <anonymous AT flexo.sydneywireless.com>: Sender address rejected: Mail from anonymous is always spam.; from=<anonymous AT flexo.sydneywireless.com> to=<tarvid AT ls.net> proto=ESMTP helo=<flexo.sydneywireless.com>

2) colocate the server with its own IP address with a proper reverse

[tarvid@ding tarvid]$ dig -x 202.93.176.34
;; QUESTION SECTION:
;34.176.93.202.in-addr.arpa. IN PTR

;; ANSWER SECTION:
34.176.93.202.in-addr.arpa. 71355 IN PTR flexo.sydneywireless.com.

;; AUTHORITY SECTION:
176.93.202.in-addr.arpa. 71355 IN NS dns1.services.unitedip.net.au.
176.93.202.in-addr.arpa. 71355 IN NS dns2.services.unitedip.net.au.

;; ADDITIONAL SECTION:
dns1.services.unitedip.net.au. 71355 IN A 202.93.160.10
dns2.services.unitedip.net.au. 71355 IN A 202.93.176.129

3) run your own SMTP server

[root@horace mail]# dig mx cacert.org

; <<>> DiG 9.2.3 <<>> mx cacert.org
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33204
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 2

;; QUESTION SECTION:
;cacert.org. IN MX

;; ANSWER SECTION:
cacert.org. 600 IN MX 10 spamcheck.au1.net.

;; AUTHORITY SECTION:
cacert.org. 600 IN NS ns2.au1.net.
cacert.org. 600 IN NS ns1.au1.com.au.
cacert.org. 600 IN NS ns1.au1.net.
cacert.org. 600 IN NS ns2.au1.com.au.

;; ADDITIONAL SECTION:
ns1.au1.net. 69477 IN A 210.8.208.8
ns2.au1.net. 69477 IN A 202.87.28.2

[root@horace mail]# dig spamcheck.au1.net

; <<>> DiG 9.2.3 <<>> spamcheck.au1.net
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49236
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 2

;; QUESTION SECTION:
;spamcheck.au1.net. IN A

;; ANSWER SECTION:
spamcheck.au1.net. 600 IN A 202.87.16.21

;; AUTHORITY SECTION:
au1.net. 600 IN NS ns1.au1.com.au.
au1.net. 600 IN NS ns1.au1.net.
au1.net. 600 IN NS ns2.au1.com.au.
au1.net. 600 IN NS ns2.au1.net.

;; ADDITIONAL SECTION:
ns1.au1.net. 69298 IN A 210.8.208.8
ns2.au1.net. 69298 IN A 202.87.28.2

;; Query time: 291 msec
;; SERVER: 12.168.116.27#53(12.168.116.27)
;; WHEN: Wed Aug 18 12:35:23 2004
;; MSG SIZE rcvd: 165

Does that server actually check "spam"? If so, the incoming address support AT cacert.org should be whitelisted.

Jim Tarvid
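
An added example, not part of the original message: a small parser for Postfix smtpd reject lines of the kind quoted in point 1, which counts rejections per envelope sender and lists senders that fall outside a whitelisted domain. The sample log is constructed with documentation addresses, and the function names and the `.example.com` whitelist are assumptions.

```python
import re
from collections import Counter

# Postfix smtpd "NOQUEUE: reject" line, in the shape of the log entry quoted above.
# The enhanced status code (e.g. 4.7.1) is optional; older logs omit it.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: (?P<stage>\w+) from "
    r"(?P<client>[^\[\s]+)\[(?P<ip>[^\]]+)\]: (?P<code>\d{3})(?: \d\.\d+\.\d+)? "
    r"(?P<reason>.*?); from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> "
    r"proto=(?P<proto>\S+) helo=<(?P<helo>[^>]*)>"
)

# Constructed sample log (documentation addresses, not taken from the thread).
SAMPLE_LOG = """\
Aug 18 08:15:05 mx1 postfix/smtpd[17554]: NOQUEUE: reject: RCPT from rt.example.net[192.0.2.34]: 554 <anonymous@rt.example.net>: Sender address rejected: Mail from anonymous is always spam.; from=<anonymous@rt.example.net> to=<user@example.org> proto=ESMTP helo=<rt.example.net>
Aug 18 08:15:09 mx1 postfix/smtpd[17554]: connect from unknown[198.51.100.7]
Aug 18 09:02:41 mx1 postfix/smtpd[17601]: NOQUEUE: reject: RCPT from rt.example.net[192.0.2.34]: 554 <anonymous@rt.example.net>: Sender address rejected: Mail from anonymous is always spam.; from=<anonymous@rt.example.net> to=<user@example.org> proto=ESMTP helo=<rt.example.net>
Aug 18 09:30:12 mx1 postfix/smtpd[17650]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 450 4.7.1 Client host rejected: cannot find your hostname, [198.51.100.7]; from=<support@example.com> to=<user@example.org> proto=ESMTP helo=<mail.example.com>
"""

def parse_rejects(log_text):
    """Return one dict per reject line; other smtpd lines are skipped."""
    return [m.groupdict() for m in map(REJECT_RE.search, log_text.splitlines()) if m]

def summarize(rejects):
    """Count rejects per (envelope sender, client host, SMTP code)."""
    return Counter((r["sender"], r["client"], r["code"]) for r in rejects)

def outside_domain(rejects, allowed_domain):
    """Envelope senders that are not in allowed_domain or a subdomain of it."""
    allowed = allowed_domain.lower().lstrip(".")
    out = set()
    for r in rejects:
        domain = r["sender"].rpartition("@")[2].lower()
        if domain != allowed and not domain.endswith("." + allowed):
            out.add(r["sender"])
    return sorted(out)

if __name__ == "__main__":
    rejects = parse_rejects(SAMPLE_LOG)
    for (sender, client, code), n in summarize(rejects).most_common():
        print(f"{n:3d}  {code}  {sender:<28} via {client}")
    print("outside whitelist:", outside_domain(rejects, ".example.com"))
```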



