[CentOS] Passwords in plain text

Sat Jun 16 10:25:05 UTC 2018
Johnny Hughes <johnny at centos.org>

On 06/15/2018 05:18 PM, Richard wrote:
> 
>> Date: Friday, June 15, 2018 14:55:21 -0700
>> From: Akemi Yagi <amyagi at gmail.com>
>>
>> On Fri, Jun 15, 2018 at 9:57 AM, Gianluca Cecchi
>> <gianluca.cecchi at gmail.com> wrote:
>>>
>>> Il Ven 15 Giu 2018, 18:45 Larry Martell <larry.martell at gmail.com>
>>> ha scritto:
>>>
>>>> On Fri, Jun 15, 2018 at 12:41 PM rj coleman
>>>> <rjcdevelop at gmail.com> wrote:
>>>>
>>>>> Am I the only one who just received this email from this group?
>>>>> Which came with my password in the email in plain text?
>>
>>>>>> Your membership in the mailing list CentOS has been disabled
>>>>>> due to excessive bounces The last bounce received from you
>>>>>> was dated 15-Jun-2018.  You will not get any more messages
>>>>>> from this list until you re-enable your membership.  You will
>>>>>> receive 3 more reminders like this before your membership in
>>>>>> the list is deleted.
>>>>>>
>>>> I got it as well.
>>>>
>>> Me too
>>
>> I also received the "has been disabled" notification. It looks like
>> users with gmail addresses are affected.
>>
>> CentOS admins are looking into this issue (I believe).
>>
>> Akemi
> 
> I believe this is a DMARC issue. Yahoo, among other places, has set
> their dmarc records to p=reject:
> 
>   dig +short txt _dmarc.yahoo.com
>   "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc_y_rua at yahoo.com;"
> 
> So, if your mail hosting provider enforces dmarc,(gmail does) and you
> get mail from a list that doesn't rewrite the headers, and people
> from places like yahoo post to the list, you'll likely get some form
> of warning about being kicked off the mailing list every now
> and then. The frequency depends on how often people from p=reject
> places post, and what the settings are for bounce handling of the
> mailing list in question.
> 
> I believe that the current version of mailman can be configured to do
> the necessary header rewrites. Some lists I'm on only do the rewrites
> for headers of posts coming from p=reject sites (much less annoying
> than having them all rewritten).

This is indeed what happened.  An email from yahoo.com.uk caused gmail
to reject all the mails sent by that user because of the yahoo DMARC
settings.

We have now set the mailing list to rewrite headers.  That also has set
the From: of the email to the Mailing list and not the Original Author.
The author is moved to the CC: block and you can still easily see who
sent it and my email client (thunderbird) still does things the same way
(reply to list sends to the list, reply sends to the original author).

This should prevent the yahoo/gmail (or other dmarc) issues from
happening again.

For others running mailings lists on CentOS with this issue, Red Hat has
back ported the 'dmarc_moderation_action' into the current version of
mailman that is used in RHEL and CentOS.  You can follow the
instructions here for Mailman 2 (for version 2.1.18) even though the
version in CentOS is mailman-2.1.15-26.el7_4.1.

We will be watching the list for the next few days to see if this change
is working as expected.  If it is not working for other email clients
please let us know.

Great job by Brian Stinson to figure all this out :)

Thanks,
Johnny Hughes
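The thread's DMARC explanation boils down to two checks a list server has to make: look up the author domain's DMARC policy, and, when it is p=reject, rewrite From: to the list address and move the author to Cc: so DMARC-enforcing receivers stop bouncing the post. The script below is an added illustration of that logic (it is not Mailman's code and not anything from the CentOS list setup). The DMARC records are constructed stand-ins for the `dig +short txt _dmarc.<domain>` lookup shown above (the yahoo.com one is copied from the thread), and the list address `list@lists.example` and the message it rewrites are hypothetical. The subdomain handling goes slightly beyond the thread: it honours the `sp=` tag the way DMARC defines it, but without the Public Suffix List lookup a real implementation would need.

```python
"""Decide whether a mailing list must rewrite the From: header of a post,
based on the author domain's DMARC policy, and perform the rewrite.

Added example, not the list's or Mailman's own code. DMARC_RECORDS is a
constructed stand-in for a DNS TXT lookup of _dmarc.<domain>; the list
address and sample message are hypothetical.
"""
from email.message import EmailMessage
from email.utils import formataddr, parseaddr

# Constructed DMARC TXT records keyed by the domain queried as _dmarc.<domain>.
# 'p' is the policy that triggers the bounce problem; 'sp', when present,
# is the policy for subdomains.
DMARC_RECORDS = {
    "yahoo.com": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc_y_rua@yahoo.com;",
    "example.org": "v=DMARC1; p=none; rua=mailto:reports@example.org",
    "quarantine.example": "v=DMARC1; p=quarantine; sp=reject",
}


def parse_dmarc(txt):
    """Parse a DMARC TXT record ("tag=value; tag=value") into a dict.
    Returns None when the text is not a DMARC record (no v=DMARC1)."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def effective_policy(domain, records=DMARC_RECORDS):
    """Return the policy ('none', 'quarantine', 'reject') that applies to mail
    claiming to come from `domain`, or None when no record exists.
    Simplification: with no record at the exact domain, walk up to the first
    parent that has one and use its 'sp' (falling back to 'p'). A real
    resolver would use the Public Suffix List to find the organizational
    domain instead of walking every label."""
    domain = domain.lower().rstrip(".")
    rec = records.get(domain)
    if rec is not None:
        tags = parse_dmarc(rec)
        return tags.get("p", "none").lower() if tags else None
    labels = domain.split(".")
    for i in range(1, len(labels) - 1):
        rec = records.get(".".join(labels[i:]))
        if rec is None:
            continue
        tags = parse_dmarc(rec)
        if tags is None:
            return None
        return tags.get("sp", tags.get("p", "none")).lower()
    return None


def needs_from_munging(from_header, munge_quarantine=False, records=DMARC_RECORDS):
    """True when relaying the post with the original From: intact would be
    rejected by DMARC-enforcing receivers (gmail in the thread): the author's
    domain publishes p=reject, or p=quarantine if the list chooses to treat
    that the same way. This is the condition Mailman's dmarc_moderation_action
    keys on; the 'only rewrite for p=reject sites' behaviour is the default."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return False
    policy = effective_policy(addr.rsplit("@", 1)[1], records)
    return policy == "reject" or (munge_quarantine and policy == "quarantine")


def munge_from(msg, list_addr, list_name):
    """Rewrite From: to the list address (keeping the author's display name)
    and move the original author to Cc:, as the thread describes the list now
    doing. Modifies and returns `msg`."""
    original = msg["From"]
    name, addr = parseaddr(original)
    del msg["From"]
    msg["From"] = formataddr((f"{name or addr} via {list_name}", list_addr))
    cc = [c.strip() for c in (msg.get("Cc") or "").split(",") if c.strip()]
    cc.append(original)
    del msg["Cc"]
    msg["Cc"] = ", ".join(cc)
    return msg


def demo():
    """Run the two checks over a constructed post from a p=reject domain and
    return (munged?, new From:, new Cc:) so the outcome can be inspected."""
    msg = EmailMessage()
    msg["From"] = "Larry <larry@yahoo.com>"        # constructed author address
    msg["To"] = "list@lists.example"               # hypothetical list address
    msg.set_content("Am I the only one who received this?")
    munged = needs_from_munging(msg["From"])
    if munged:
        munge_from(msg, "list@lists.example", "ExampleList")
    return munged, str(msg["From"]), str(msg["Cc"])


if __name__ == "__main__":
    print(demo())
```

Run it as-is and `demo()` reports that the yahoo.com post gets rewritten to `Larry via ExampleList <list@lists.example>` with the original author in Cc:, while a post from the p=none domain is relayed untouched. Checking only p=reject by default keeps the rewrite limited to the senders that actually cause bounces, which is the less intrusive configuration Richard mentions.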


