[Cerowrt-devel] Dave needs to get better at pushing out patches

[Dave Taht]

On Thu, Dec 8, 2011 at 1:18 PM,  <david at lang.hm> wrote:
> On Thu, 8 Dec 2011, Dave Taht wrote:
>
>>> as a holdout pine user I understand your frustration :-)
>>>
>>> have you considered doing something like setting up openvpn to connect to
>>> the bufferbloat.net server and then configuring the mail server to trust
>>> mail arriving form the VPN clients?
>>>
>>> I know this is horrible overkill for such a trivial job, but it avoids
>>> all
>>> the problems of doing authentication for the SMTP connection (and the
>>> fact
>>> that many locations block outbound connections from dhcp addresses to
>>> port
>>> 25)
>>
>>
>> Both 25 and VPNs are blocked at lincs. 567 works. Neither certs nor
>> sasl from postfix worked. So far I've figured out
>
>
> openvpn works over any port you want.

udp is completely blocked here. a tcp implementation of openvpn works,
but at 170ms latencies, it's pretty horrible, and I don't know if
openvpn can do both udp and tcp at the same time.
>
> now, as a security person I am going to point out that you should not break
> the security of a company network by establishing a VPN that bypasses the
> security controls.

I'm not into that too.

>
> but if it's just a careless network config (they allow anyone to connect to
> it, but then block specific ports outbound), I feel no guilt over
> establishing connections over oddball ports :-)

No, they are highly paranoid here. They have grad students to cope with,
and after exposure to them, I kind of understand.

I can get stuff out to the submit port, and it's just remote auth that's
failing me. I'm getting there, but I've had to yank out a lot of hair so
far.

(thx for listening)
>
> I just took an openvpn class, and one of the upcoming features is the
> ability for openvpn to work over ping, so I'll bet that you can make it work

Heh. Even tunneling over DNS is blocked. I had never heard of someone
using ping before now.


> (odds are really good that it will work over port 443 from just about
> anywhere, and anyone who has security setup well enough that you can't do it
> over 443 is probably a place where youreally shouldn't be doing it anywhay
> :-)

443 is kind of in use on all servers I have.
>
>
>> That the last 'update' from ubuntu wiped out my certs on my main
>> email box.
>>
>> That dovecot sieve sucks compared to procmail
>>
>> that they've created a new abstraction for mail handling
>> for doing sasl that doesn't want to work
>>
>> and I forget what else.
>>
>> I mean, mail used to 'just work'. Even with bang
>> paths it would mostly just work. Nowadays you have
>> to be a rocket scientist to run your own server,
>> and damn it, I LIKE running my own mail server.
>>
>> Or at least, I used to.
>
>
> It's not quite that bad, but yes, the spammers have required significant
> changes.

If postel had lived, he'd have found a solution.

>
> If the problem is doing this from one particular network (and one that you
> trust to be sane, like your office), why not just configure the mail server
> to allow unauthenticated mail from that IP (or IP range)?

Not going to be at this office much longer, am mostly on the road.


>
> David Lang



-- 
Dave Täht
SKYPE: davetaht
US Tel: 1-239-829-5608
FR Tel: 0638645374
http://www.bufferbloat.net