Friday, August 20. 2010
Firewall/SOSDG 0.9.4 changes/overhaul
There are some major changes and updates coming to Firewall/SOSDG 0.9.4. I've been changing code and adding functions, trying to simplify how things are laid out. I'm hoping over the next month or two to get the code up to production status (1.0 would be nice).
Thursday, August 5. 2010
Business Today Vs. 1900s
There's nothing wrong with a business making money - that is what they are supposed to do.
There is one major change between businesses of today and those of the 1900s:
CEOs, investors, etc. were once rewarded for successful business practices - things like increasing sales, expanding the business, hiring workers, etc.
Instead, the higher ups and management types of today are rewarded for running the company into the ground, then firing/laying off thousands of workers, and putting the 'savings' into their own golden parachute.
There's a huge difference between making a profit and making an obscene profit - profit is made from good business practices, expansion, selling quality products, etc. Obscene profit is laying off thousands of people even though you made tenfold more money this year than in previous years.
Monday, July 26. 2010
Upgrades and changes
Just an FYI to all users, over the next few days, we'll be doing some upgrades to the servers. Shiny new large hard drives, upgraded Xen software, and other good stuff. If we are down at times, please be patient as these types of upgrades take time.
[ Update 7/27/2010 ]
Good news everyone! (I've always wanted to say that)
99% of the upgrades are already complete thanks to efficient and quick work, two days earlier than expected. Please let us know of any website issues you may run into.
Saturday, July 24. 2010
Firewall/SOSDG 0.9.3
Just a quick note to everyone, version 0.9.3 of Firewall/SOSDG has been released. This update adds the ability to create files with custom commands to inject at specific places during file loading. I've also tweaked the coloring of the output to make it a bit prettier.
Monday, July 12. 2010
How not to request a whitelisting in the AHBL
Sometimes, people/companies do things which leave me scratching my head. In this case, Orange Internet of France wants us to whitelist, or at least monitor for listings and spam from, their network. Normally, this kind of request isn't all that unusual; however, in this case it looks like Orange Internet sent a mass mailing to DNSbl maintainers and possibly large ISPs.
Subject: Orange introduces new MTA servers
Date: Mon, 12 Jul 2010 18:43:33 +0200
From: Service Abuse Orange Internet <abuse@orange.fr>
Reply-To: abuse@orange.fr
To: abuse@orange.fr

Miss, Sir,

Orange Internet is the major ISP in France, where it provides about 6 million individual Internet accesses and about 16 million email accounts. By the end of this month, Orange will put online a few new pieces of email equipment (MTAs) with new outgoing IP addresses. Therefore, we would like to share these new IP addresses, since you could observe a sudden rise in email traffic coming from them.

Our new IP addresses will be:
80.12.242.123 80.12.242.124 80.12.242.125 80.12.242.126 80.12.242.127 80.12.242.128 80.12.242.129 80.12.242.130 80.12.242.131 80.12.242.132 80.12.242.133 80.12.242.134
and
193.252.23.210 193.252.23.211 193.252.23.212 193.252.23.213 193.252.23.214 193.252.23.215

Please let us quickly remind you of our policy to fight, under our national laws, against Internet abuses from our subscribers:
- All email traffic sent from a dynamic IP address is driven to our "subscribers MTA"
- Legal measures of protection against spam are applied
- Known compromised accounts are suspended and blocked
- Every complaint, documented with the headers of the abusive emails, is treated by the Orange abuse team (abuse@orange.fr) within 24h

Complaints being an essential source of information about our customers' behaviour, please let us know if you have a complaint feedback loop that we could register. You are also welcome to send us all complaints and all questions you may have at abuse@orange.fr.

Finally, considering the specific role of our MTAs, we would be very grateful if you could whitelist their associated IP addresses or, at least, offer them the usual protection you offer to large ISPs' SMTP servers.

Regards,
Abuse Orange Internet technical role.
*sigh*
They probably should have run this by someone who actually has dealt with DNSbl maintainers before.
Friday, July 9. 2010
Security & SMTP TLS
Recently on the NANOG list, there was discussion going on about IPv6 and e-mail, and it slightly diverged into SMTP TLS. After some off-list discussion about SMTP level security and what a Debian system will do on a default install, I've made some observations I'd like to share.
- The default install of Debian unstable with Exim4 will have TLS support enabled by default thanks to the options in /etc/exim4/conf.d/main - it's not the most optimal setup, but it will work for basic TLS support.
- SMTP TLS security can't really be compared to HTTP SSL/TLS security. When you browse to an HTTPS website, it's an entirely interactive process, which gives you a chance to see the certificate in question and respond. In an SMTP TLS session, it's done entirely by the MTA in an automated manner.
- Depending on TLS to give security, authentication, and reliability to SMTP is a long, and probably fruitless, process. Unless you are going to refuse connections to every server whose certificate you can't verify, or which doesn't have a certificate at all, you aren't really solving anything. In tests, I've yet to have a system refuse to talk to my SMTP server because it's using a self-signed certificate.
- TLS will provide wire-level security when talking to another mail server - however, your message will most likely be stored in plain text on the sending server, the receiving server, and places in between, including the MUA, completely defeating the purpose of keeping the contents of the message secret. PGP/GPG is the proper answer to the message security issue.
Given how easy it's been for people in the past to get valid but fake certs from Verisign and similar companies, is depending on TLS/SSL certificates to guarantee the identity of the person you are communicating with really such a great idea?
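To make the "automated manner" point concrete, here is an added example (my own illustration, not code from Exim or any MTA) of the decision a sending MTA makes: it parses the constructed EHLO replies below, builds an ssl context for an opportunistic policy (accept any certificate, including a self-signed one) or a verified policy (chain and hostname must check out), and shows that only the verified policy ever refuses to deliver. The policy names and the delivery_decision helper are assumptions for illustration.

```python
import ssl
from enum import Enum
from typing import Optional

class TlsPolicy(Enum):
    NONE = "none"                    # never negotiate TLS
    OPPORTUNISTIC = "opportunistic"  # what most MTAs do: encrypt if offered, accept any cert
    REQUIRED = "required"            # STARTTLS must be offered, but the cert is still not verified
    VERIFIED = "verified"            # STARTTLS required and the cert must chain to a trusted CA and match the name

# Constructed EHLO replies: one server advertises STARTTLS, the other does not.
EHLO_WITH_TLS = b"250-mail.example.org Hello\r\n250-SIZE 52428800\r\n250-STARTTLS\r\n250 HELP\r\n"
EHLO_NO_TLS = b"250-mail.example.org Hello\r\n250 HELP\r\n"

def starttls_advertised(ehlo_response: bytes) -> bool:
    """Parse a multi-line EHLO reply and report whether STARTTLS is listed."""
    for line in ehlo_response.decode("ascii", "replace").splitlines():
        # Continuation lines look like "250-KEYWORD", the final line "250 KEYWORD".
        if len(line) >= 4 and line[:3] == "250" and line[3] in "- ":
            if line[4:].split()[0:1] == ["STARTTLS"]:
                return True
    return False

def build_context(policy: TlsPolicy, cafile: Optional[str] = None) -> Optional[ssl.SSLContext]:
    """Return the ssl context a client would wrap the socket with after STARTTLS."""
    if policy is TlsPolicy.NONE:
        return None
    ctx = ssl.create_default_context(cafile=cafile)
    if policy is TlsPolicy.VERIFIED:
        ctx.check_hostname = True
        ctx.verify_mode = ssl.CERT_REQUIRED
    else:
        # Encryption only: a self-signed or mismatched certificate is accepted without complaint.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx

def delivery_decision(ehlo_response: bytes, policy: TlsPolicy, cert_verified: bool) -> str:
    """cert_verified is the outcome of the handshake under the VERIFIED context."""
    if policy is TlsPolicy.NONE:
        return "send-cleartext"
    if not starttls_advertised(ehlo_response):
        # Opportunistic TLS silently falls back to cleartext; stricter policies defer the message.
        return "send-cleartext" if policy is TlsPolicy.OPPORTUNISTIC else "defer"
    if policy is TlsPolicy.VERIFIED and not cert_verified:
        return "defer"
    return "send-tls"
```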