From: Dave Taht
To: david@lang.hm
Cc: cerowrt-devel@lists.bufferbloat.net
Date: Thu, 8 Dec 2011 13:39:23 +0100
Subject: Re: [Cerowrt-devel] Dave needs to get better at pushing out patches

On Thu, Dec 8, 2011 at 1:18 PM, wrote:
> On Thu, 8 Dec 2011, Dave Taht wrote:
>
>>> as a holdout pine user I understand your frustration :-)
>>>
>>> have you considered doing something like setting up openvpn to connect to
>>> the bufferbloat.net server and then configuring the mail server to trust
>>> mail arriving from the VPN clients?
>>>
>>> I know this is horrible overkill for such a trivial job, but it avoids all
>>> the problems of doing authentication for the SMTP connection (and the fact
>>> that many locations block outbound connections from dhcp addresses to port
>>> 25)
>>
>>
>> Both 25 and VPNs are blocked at lincs. 567 works. Neither certs nor
>> sasl from postfix worked. So far I've figured out
>
>
> openvpn works over any port you want.

udp is completely blocked here. a tcp implementation of openvpn works,
but at 170ms latencies, it's pretty horrible, and I don't know if openvpn
can do both udp and tcp at the same time.

>
> now, as a security person I am going to point out that you should not break
> the security of a company network by establishing a VPN that bypasses the
> security controls.

I'm not into that too.

>
> but if it's just a careless network config (they allow anyone to connect to
> it, but then block specific ports outbound), I feel no guilt over
> establishing connections over oddball ports :-)

No, they are highly paranoid here. They have grad students to cope with,
and after exposure to them, I kind of understand.

I can get stuff out to the submit port, and it's just remote auth that's
failing me. I'm getting there, but I've had to yank out a lot of hair so far.

(thx for listening)

>
> I just took an openvpn class, and one of the upcoming features is the
> ability for openvpn to work over ping, so I'll bet that you can make it work

Heh. Even tunneling over DNS is blocked. I had never heard of someone
using ping before now.

> (odds are really good that it will work over port 443 from just about
> anywhere, and anyone who has security setup well enough that you can't do it
> over 443 is probably a place where you really shouldn't be doing it anyway
> :-)

443 is kind of in use on all servers I have.

>
>
>> That the last 'update' from ubuntu wiped out my certs on my main
>> email box.
>>
>> That dovecot sieve sucks compared to procmail
>>
>> that they've created a new abstraction for mail handling
>> for doing sasl that doesn't want to work
>>
>> and I forget what else.
>>
>> I mean, mail used to 'just work'. Even with bang
>> paths it would mostly just work. Nowadays you have
>> to be a rocket scientist to run your own server,
>> and damn it, I LIKE running my own mail server.
>>
>> Or at least, I used to.
>
>
> It's not quite that bad, but yes, the spammers have required significant
> changes.

If Postel had lived, he'd have found a solution.

>
> If the problem is doing this from one particular network (and one that you
> trust to be sane, like your office), why not just configure the mail server
> to allow unauthenticated mail from that IP (or IP range)?

Not going to be at this office much longer, am mostly on the road.

>
> David Lang

-- 
Dave Täht
SKYPE: davetaht
US Tel: 1-239-829-5608
FR Tel: 0638645374
http://www.bufferbloat.net