Date: Tue, 8 Nov 2016 17:56:51 -0500
From: Benjamin LaHaise
To: "Eric W. Biederman"
Cc: Kees Cook, Oleg Nesterov, Jann Horn, Alexander Viro, Roland McGrath,
    John Johansen, James Morris, "Serge E. Hallyn", Paul Moore,
    Stephen Smalley, Eric Paris, Casey Schaufler, Andrew Morton,
    Janis Danisevskis, Seth Forshee, Thomas Gleixner, Ben Hutchings,
    Andy Lutomirski, Linus Torvalds, Krister Johansen,
    "linux-fsdevel@vger.kernel.org", linux-security-module,
    "security@kernel.org"
Subject: Re: [PATCH v3 1/8] exec: introduce cred_guard_light
Message-ID: <20161108225651.GJ16345@kvack.org>

On Tue, Nov 08, 2016 at 04:46:44PM -0600, Eric W. Biederman wrote:
> Kees Cook writes:
...
> > This is a problem for Google folks too sometimes. This is saying that
> > xmission.com is checking redhat.com's SPF records and refusing to let
> > kernel.org deliver email as if it were redhat.com (due to
> > security@kernel.org being an alias not a mailing list). There aren't
> > good solutions for this, but best I've found is to have my
> > security@kernel.org alias be a @kernel.org address instead of an
> > @google.com address...
>
> Ugh. Is even redhat configuring the redhat email to do that?
> I will have to look.
>
> Last I looked xmission.com was just enforcing the policy that the other
> mail domains were asking to be enforced on themselves. But those are
> policies that are incompatible with mailing lists in general. Although
> I do get confused about which part SPF and DKIM play in this mess.
>
> I just remember that the last several ``enhancements'' to email were
> busily breaking mailing lists and I thought they were completely insane.
> I can even find evidence that it is (or at least was) so bad that email
> standards committee members can't communicate with each other via email
> lists.
>
> vger.kernel.org appears to rewrite the envelope sender to avoid
> problems.

Envelope sender rewriting is insufficient, the From: lines need to be
rewritten to be compliant. This is a pain in the ass for the @kvack.org
mailing lists as well -- people with @google.com addresses don't see the
mailing list postings of users from @google.com and other domains using
"enhanced" email header "validation" techniques.

		-ben

> If xmission is doing any more than just performing what the domain of
> the senders of email asked them to do I will be happy to see if I can
> sort it out.
>
> Eric

-- 
"Thought is the essence of where you are now."
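
The alias and mailing-list cases discussed in this thread, modelled as an added example that is not part of the original message or written by any participant. It checks SPF against the envelope sender and then applies DMARC-style identifier alignment against the From: header; the thread does not name DMARC, so that framing, the `.example` domains, the IP addresses and the two-label organizational-domain shortcut are all assumptions of the example.

```python
# Added illustration: simplified SPF check plus DMARC-style identifier alignment.
# Every domain, IP and SPF entry below is constructed sample data.

SPF_AUTHORIZED = {  # domain -> IPs its SPF record authorizes (constructed)
    "sender.example": {"192.0.2.10"},
    "list.example": {"198.51.100.20"},
}

def domain_of(addr):
    return addr.rsplit("@", 1)[1].lower()

def org_domain(domain):
    # Assumption: last two labels. Real receivers use the Public Suffix List.
    return ".".join(domain.split(".")[-2:])

def spf_pass(envelope_from, client_ip):
    # SPF is evaluated on the envelope sender (MAIL FROM), not the From: header.
    return client_ip in SPF_AUTHORIZED.get(domain_of(envelope_from), set())

def evaluate(header_from, envelope_from, client_ip, dkim_valid_domains=()):
    """Return (spf_ok, aligned_ok) for one delivery attempt."""
    from_org = org_domain(domain_of(header_from))
    spf_ok = spf_pass(envelope_from, client_ip)
    # Alignment: the authenticated domain must match the From: header domain.
    spf_aligned = spf_ok and org_domain(domain_of(envelope_from)) == from_org
    dkim_aligned = any(org_domain(d) == from_org for d in dkim_valid_domains)
    return spf_ok, spf_aligned or dkim_aligned

def scenarios():
    author, list_ip = "dev@sender.example", "198.51.100.20"
    bounce = "bounce@list.example"
    return {
        # Author's own server delivers directly.
        "direct": evaluate(author, author, "192.0.2.10", ["sender.example"]),
        # Plain alias: envelope sender kept, body untouched so DKIM survives.
        "alias_forward": evaluate(author, author, list_ip, ["sender.example"]),
        # Plain alias, author's domain does not sign: nothing authenticates.
        "alias_forward_no_dkim": evaluate(author, author, list_ip),
        # List rewrites only the envelope sender; assumed to modify the
        # message (footer, subject tag), so the author's DKIM no longer verifies.
        "list_envelope_rewrite": evaluate(author, bounce, list_ip),
        # List also rewrites From: to its own domain and signs the result.
        "list_from_rewrite": evaluate("dev-via-list@list.example", bounce,
                                      list_ip, ["list.example"]),
    }

if __name__ == "__main__":
    for name, (spf_ok, aligned_ok) in scenarios().items():
        print(f"{name:24} spf={spf_ok!s:5} aligned={aligned_ok}")
```

In the `list_envelope_rewrite` case SPF passes for the list's domain yet nothing authenticated matches the From: domain, which is the gap that From: rewriting closes.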