[CentOS] Passwords in plain text

Mon Jun 18 12:57:56 UTC 2018
Valeri Galtsev <galtsev at kicp.uchicago.edu>

On Mon, June 18, 2018 7:10 am, Johnny Hughes wrote:
> On 06/17/2018 11:13 AM, Alice Wonder via CentOS wrote:
>> On 06/17/2018 09:11 AM, Alice Wonder via CentOS wrote:
>>> On 06/17/2018 08:52 AM, Michael Hennebry via CentOS wrote:
>>>> I'm pretty sure I messed up attributions, so am deleting them.
>>>>>> I believe this is a DMARC issue. Yahoo, among other places, has set
>>>>>> their dmarc records to p=reject:
>>>>>> So, if your mail hosting provider enforces dmarc (gmail does), and you
>>>>>> get mail from a list that doesn't rewrite the headers, and people
>>>>>> from places like yahoo post to the list, you'll likely get some form
>>>>>> of warning about being kicked off the mailing list every now
>>>>>> and then. The frequency depends on how often people from p=reject
>>>>>> places post, and what the settings are for bounce handling of the
>>>>>> mailing list in question.
>>>>> This is indeed what happened.  An email from yahoo.com.uk caused gmail
>>>>> to reject all the mails sent by that user because of the yahoo DMARC
>>>>> settings.
>>>> Say it isn't so: *An* e-mail, just *one* from yahoo.com.uk
>>>> caused every gmail user to have his account disabled.
>>>> I'd heard of the DMARC thing with mailing lists before,
>>>> but had not known it enabled single e-mails of mass destruction.
>>> I run dmarc on my mail server but only in report mode, it doesn't reject.
>>> I did it as a test (for years) and am fully convinced that dmarc is
>>> worthless for real world protection.
>>> Numerous mail lists out there are configured in such a way that dmarc
>>> gets triggered and that just isn't going to change.
>>> It's a neat idea but it's not backwards compatible with the way SMTP
>>> already works.
>>> I can not recommend its use. I do recommend mail server software update
>>> if possible to be compatible but I just can not recommend mail servers
>>> enforce dmarc.
>>> DKIM is a good thing, but dmarc breaks things too badly.
>>> Even DKIM though is of limited usefulness - it seems the spammer
>>> blacklists don't really care. Even with proper DKIM signature on a
>>> domain with correct reverse DNS set up for years, they will still add
>>> you to the spam blacklist if any other host on your subnet is identified
>>> as a spammer.
>>> So even the blacklists don't really utilize this anti-spam anti-spoof
>>> technology, which makes it kind of worthless.
>>> Using DKIM as one of several factors in spamassassin though is possibly
>>> helpful, though most spammers these days have a validating DKIM sig.
>> Let me put it this way - in the several years of running dmarc in report
>> only mode, over 99% of reported violations are false positives from mail
>> lists.
>> That high of a false positive rate tells me it is broken technology.

Fully agree.

> I agree with you .. unfortunately, gmail does not.  They have enabled it
> for gmail users .. so if someone from yahoo sends a mail from a yahoo
> address, it gets rejected by gmail accounts.  The list setting wrt dmarc
> doesn't matter .. it is totally gmail enabling it.
> What our settings do is NOT send the From (as the original sender), if
> the sender is on a domain where dmarc is enabled, so that gmail does not
> reject it.
> If it is rejected by gmail .. it causes (eventually) .. not the sender's,
> but the recipient's account on gmail to be disabled by the mailing list
> as non-existent.

I'm surprised no one arrived at the conclusion: don't use gmail then.


> What the change that Brian and I tried to make, and Fabian finally fixed
> :D (thanks Fabian), is to fix that only from domains that enable dmarc
> (ie, yahoo.* ) so that domains who turn on dmarc as enforcing (ie gmail)
> do not cause rejects of those emails.

Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
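
The selective From rewriting described in the quoted text above (rewrite only when the sender's domain publishes an enforcing DMARC policy), as an added example that is not part of the original message and not the CentOS list's actual configuration. The domains, the list address and the DMARC records are constructed; a real list server would look up the TXT record at `_dmarc.<domain>` instead of using the inline table.

```python
from email.message import EmailMessage
from email.utils import parseaddr, formataddr

# Constructed DMARC TXT records standing in for DNS lookups of _dmarc.<domain>.
SAMPLE_DMARC = {
    "yahoo.example": "v=DMARC1; p=reject; pct=100; rua=mailto:reports@yahoo.example",
    "monitor.example": "v=DMARC1; p=none; rua=mailto:reports@monitor.example",
}
LIST_ADDRESS = "list@lists.example"  # hypothetical list posting address


def dmarc_policy(record):
    """Return the p= tag of a DMARC record, or None if it is not a DMARC record."""
    tags = {}
    for part in (record or "").split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return None
    policy = tags.get("p")
    return policy.lower() if policy else None


def munge_from_if_needed(msg, records=SAMPLE_DMARC):
    """Rewrite From only when the author's domain enforces DMARC."""
    name, addr = parseaddr(msg["From"])
    domain = addr.rpartition("@")[2].lower()
    if dmarc_policy(records.get(domain)) not in ("reject", "quarantine"):
        return False  # forwarded unchanged: receivers will not reject it
    del msg["From"]
    # The list's own domain is now the From domain, so the author's
    # p=reject policy no longer applies to the forwarded copy.
    msg["From"] = formataddr((f"{name or addr} via list", LIST_ADDRESS))
    if "Reply-To" not in msg:
        msg["Reply-To"] = addr  # keep the original author reachable
    return True


def make_post(sender):
    """Build a minimal constructed list post from the given sender."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = "test post"
    msg.set_content("body")
    return msg
```
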