Re: Passwords in plain text




On 06/15/2018 05:18 PM, Richard wrote:
> 
>> Date: Friday, June 15, 2018 14:55:21 -0700
>> From: Akemi Yagi <amyagi@xxxxxxxxx>
>>
>> On Fri, Jun 15, 2018 at 9:57 AM, Gianluca Cecchi
>> <gianluca.cecchi@xxxxxxxxx> wrote:
>>>
>>> On Fri, Jun 15, 2018, 18:45 Larry Martell <larry.martell@xxxxxxxxx>
>>> wrote:
>>>
>>>> On Fri, Jun 15, 2018 at 12:41 PM rj coleman
>>>> <rjcdevelop@xxxxxxxxx> wrote:
>>>>
>>>>> Am I the only one who just received this email from this group?
>>>>> Which came with my password in the email in plain text?
>>
>>>>>> Your membership in the mailing list CentOS has been disabled
>>>>>> due to excessive bounces The last bounce received from you
>>>>>> was dated 15-Jun-2018.  You will not get any more messages
>>>>>> from this list until you re-enable your membership.  You will
>>>>>> receive 3 more reminders like this before your membership in
>>>>>> the list is deleted.
>>>>>>
>>>> I got it as well.
>>>>
>>> Me too
>>
>> I also received the "has been disabled" notification. It looks like
>> users with gmail addresses are affected.
>>
>> CentOS admins are looking into this issue (I believe).
>>
>> Akemi
> 
> I believe this is a DMARC issue. Yahoo, among other places, has set
> their dmarc records to p=reject:
> 
>   dig +short txt _dmarc.yahoo.com
>   "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc_y_rua@xxxxxxxxx;";
> 
> So, if your mail hosting provider enforces dmarc (gmail does), and you
> get mail from a list that doesn't rewrite the headers, and people
> from places like yahoo post to the list, you'll likely get some form
> of warning about being kicked off the mailing list every now
> and then. The frequency depends on how often people from p=reject
> places post, and what the settings are for bounce handling of the
> mailing list in question.
> 
> I believe that the current version of mailman can be configured to do
> the necessary header rewrites. Some lists I'm on only do the rewrites
> for headers of posts coming from p=reject sites (much less annoying
> than having them all rewritten).

This is indeed what happened.  An email from yahoo.com.uk caused gmail
to reject all the mails sent by that user because of the yahoo DMARC
settings.

We have now set the mailing list to rewrite headers.  That also has set
the From: of the email to the Mailing list and not the Original Author.
The author is moved to the CC: block and you can still easily see who
sent it and my email client (thunderbird) still does things the same way
(reply to list sends to the list, reply sends to the original author).

This should prevent the yahoo/gmail (or other dmarc) issues from
happening again.

For others running mailing lists on CentOS with this issue, Red Hat has
back ported the 'dmarc_moderation_action' into the current version of
mailman that is used in RHEL and CentOS.  You can follow the
instructions here for Mailman 2 (for version 2.1.18) even though the
version in CentOS is mailman-2.1.15-26.el7_4.1.

We will be watching the list for the next few days to see if this change
is working as expected.  If it is not working for other email clients
please let us know.

Great job by Brian Stinson to figure all this out :)

Thanks,
Johnny Hughes




_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
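
The selective rewrite discussed in this thread (munge From: only for authors whose domain publishes p=reject, and move the author to Cc:), as an added example that is not part of the original message and is not Mailman's own code. The `DMARC_TXT` table stands in for DNS TXT lookups, and the list address, list name and function names are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import formataddr, parseaddr

# Constructed stand-in for DNS TXT lookups at _dmarc.<domain>, so this runs offline.
# The yahoo.com value is the record quoted in the thread; example.org is made up.
DMARC_TXT = {
    "yahoo.com": '"v=DMARC1; p=reject; pct=100; rua=mailto:dmarc_y_rua@xxxxxxxxx;"',
    "example.org": '"v=DMARC1; p=none"',
}

def parse_dmarc(txt):
    """Return the record's tag/value pairs, or None if it is not a DMARC1 record."""
    tags = {}
    for part in txt.strip().strip('"').split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None

def needs_rewrite(txt, policies=("reject",)):
    """True when the author's domain publishes one of the given policies."""
    tags = parse_dmarc(txt) if txt else None
    return bool(tags) and tags.get("p", "none").lower() in policies

def relay(raw, list_addr, list_name):
    """Rewrite From/Cc only for authors whose domain would make receivers reject."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg["From"])
    domain = addr.rpartition("@")[2].lower()
    if not needs_rewrite(DMARC_TXT.get(domain)):
        return msg  # no enforcing policy published: leave the headers alone
    # The list becomes the From: address, so alignment is checked against the
    # list's domain instead of the author's.
    del msg["From"]
    msg["From"] = formataddr((f"{name or addr} via {list_name}", list_addr))
    # Keep the author visible and reachable by appending them to Cc:.
    cc = msg.get_all("Cc", [])
    del msg["Cc"]
    msg["Cc"] = ", ".join(cc + [formataddr((name, addr))])
    return msg

if __name__ == "__main__":
    # Constructed sample post from a p=reject domain.
    sample = "From: Alice <alice@yahoo.com>\nSubject: hi\n\nbody\n"
    out = relay(sample, "list@lists.example.org", "Example List")
    print(out["From"], "|", out["Cc"])
```

Passing `policies=("reject", "quarantine")` to `needs_rewrite` extends the same check to domains that publish p=quarantine.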
