From owner-freebsd-chat Sat Feb 10 20:48:24 2001
Delivered-To: freebsd-chat@freebsd.org
Received: from kendra.ne.mediaone.net (kendra.ne.mediaone.net [24.218.227.234]) by hub.freebsd.org (Postfix) with ESMTP id 3037337B401; Sat, 10 Feb 2001 20:48:05 -0800 (PST)
Received: from xena (xena.hh.kew.com [192.168.203.148]) by kendra.ne.mediaone.net (Postfix) with SMTP id 44A068C4F; Sat, 10 Feb 2001 23:48:04 -0500 (EST)
Message-ID: <009c01c093e5$d1cd7230$94cba8c0@hh.kew.com>
From: "Drew Derbyshire"
To:
References: <200102082014.PAA29877@vws3.interlog.com>
Subject: FreeBSD Postfix and Majordomo security (was FreeBSD Ports Security Advisory: FreeBSD-SA-01:INSERT_NUMBER_HERE)
Date: Sat, 10 Feb 2001 23:48:04 -0500
Organization: Kendra Electronic Wonderworks, Stoneham, MA 02180 (http://www.kew.com)
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Sender: owner-freebsd-chat@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

(Headers rigged to move follow-ups to -chat ...)

Since the FreeBSD site runs Postfix, the fix to block external postings to the announce list is a Postfix FAQ, using a regular expression filter. This would require trusted posters to go through a local (or otherwise trusted) IP, and cannot be beaten by forged headers. (Hint, hint!)

The belief that signing advisories sorts out the good from the bad is naive. The negative impression is left on users when the reader realizes a bogus post from an official mailing list is bogus in the first place. (Nor do most mail clients support automatically decoding the key. Heck, I get global whining for using any sort of MIME at all in mail.)
In general, I'm amazed that after all the SPAM on the FreeBSD mailing lists they haven't gone to post-only-by-subscribers in general -- clearly, the maintainers don't seem to care about the lists' quality as much as some of the subscribers do. Yes, yes, I've heard the "but we need to let anyone post ..." argument, and refuse to believe it given the hackish nature of the FreeBSD mailing lists and general disdain for end-users.

(Linux will rule the world, because organizations like RedHat support relatively clean binary patches using up2date between releases -- it makes me sad when I compare this to FreeBSD security advisories, which offer choices of source patches or "upgrade to Release 4.x-STABLE after the specified date", given that such configurations have a prerequisite of reading the -stable mailing list and generally breathing FreeBSD.)

-ahd-

--
Drew Derbyshire UUPC/extended e-mail: software+sig@kew.com
Telephone: 617-279-9812
"I've got to start listening to those quiet, nagging doubts." - Calvin

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-chat" in the body of the message
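As an added example, not part of Drew's post and not the FreeBSD project's own configuration, here is the decision logic behind the rule he describes above: postings to the announce list are accepted only when the SMTP client connects from a trusted address, so nothing the sender writes into the message headers can get a forged post through. It is written as the server side of a Postfix check_policy_service exchange rather than the header_checks regexp table he alludes to; the list address, the trusted networks, the main.cf snippet in the docstring and the sample requests are all assumptions made for illustration.

```python
"""Decision logic for a Postfix SMTPD access-policy server that lets only
trusted hosts post to a moderated list.

Added example, not the poster's or the FreeBSD project's configuration.
Postfix (check_policy_service) sends each SMTP transaction as "name=value"
lines terminated by an empty line and reads back one "action=..." line
followed by an empty line.  Because client_address comes from the TCP
connection, a sender cannot influence it with forged message headers; the
policy request does not even carry the From: header.

Assumed, for illustration only:
  * the protected list is freebsd-announce@freebsd.org
  * trusted posters connect from 127.0.0.0/8 or 192.168.203.0/24
  * main.cf wires this in with something like
      smtpd_recipient_restrictions = permit_mynetworks,
          reject_unauth_destination,
          check_policy_service inet:127.0.0.1:10040
"""
import ipaddress
import re

ANNOUNCE_RE = re.compile(r"^freebsd-announce@freebsd\.org$", re.IGNORECASE)  # assumed list address
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.203.0/24")]  # assumed

DUNNO = "action=DUNNO"  # no opinion; later restrictions decide
REJECT = "action=REJECT Postings to freebsd-announce are accepted only from trusted hosts"


def parse_policy_request(raw: str) -> dict:
    """Parse one policy request.  Attributes after the first empty line belong
    to the next request and are ignored here."""
    attrs = {}
    for line in raw.splitlines():
        if line == "":
            break
        name, sep, value = line.partition("=")
        if sep:  # skip malformed lines rather than crash the policy server
            attrs[name] = value
    return attrs


def decide(attrs: dict) -> str:
    """Return the Postfix action for one recipient of one transaction."""
    if not ANNOUNCE_RE.match(attrs.get("recipient", "")):
        return DUNNO  # not the protected list; nothing to enforce
    try:
        client = ipaddress.ip_address(attrs.get("client_address", ""))
    except ValueError:
        return REJECT  # fail closed if Postfix gave us nothing usable
    if any(client in net for net in TRUSTED_NETS):
        return DUNNO
    return REJECT


def respond(raw: str) -> str:
    """Full protocol response for a raw request: action line plus terminating empty line."""
    return decide(parse_policy_request(raw)) + "\n\n"


# Constructed sample requests (not captured traffic).  The second one arrives
# from an untrusted address; nothing it could have put in its headers matters.
TRUSTED_POST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=192.168.203.148\n"
    "sender=security-officer@freebsd.org\n"
    "recipient=freebsd-announce@FreeBSD.org\n"
    "\n"
)
FORGED_POST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=203.0.113.7\n"
    "sender=security-officer@freebsd.org\n"
    "recipient=freebsd-announce@freebsd.org\n"
    "\n"
)

if __name__ == "__main__":
    for label, req in (("trusted host", TRUSTED_POST), ("outside host, forged sender", FORGED_POST)):
        print(f"{label}: {respond(req).strip()}")
```

The check is deliberately keyed on the recipient and the connecting address only: both come from the SMTP envelope and the socket, which the remote party cannot rewrite, whereas a From: or Sender: header is free text. Returning DUNNO rather than OK for trusted hosts leaves the remaining smtpd_recipient_restrictions (relay control in particular) in force.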