From: Grant Taylor via TUHS
Reply-To: Grant Taylor
To: tuhs@minnie.tuhs.org
Subject: Re: [TUHS] off-topic list
Date: Sun, 24 Jun 2018 23:40:52 -0600
Message-ID: <1e57a799-813a-4a3d-bda8-f460220ac0ea@spamtrap.tnetconsulting.net>
Organization: TNet Consulting
List-Id: The Unix Heritage Society mailing list

On 06/24/2018 08:53 PM, Dave Horsfall wrote:
> Anyone with any concept of security will not be running Procmail;

I'm going to have to throw a flag and cry foul on that play.

1) "Anyone (with)" is a rather large group.
2) "any concept of security" is a rather large (sub)group.
3) "will not" is rather absolute.

I do believe that I have a better concept of security than many (but not all) of my colleagues.

- I've got leading (if not bleeding) edge email security.
- I've got full disk encryption on multiple servers and workstations.
- I use encrypted email whenever I can.
- I play with 802.1ae MACsec (encrypted Ethernet frames).
- I use salted hashes in proof of concepts.
- I advocate for proper use of sudo...
- ...and go out of my way to educate others on how to use sudo properly.

I could go on, but you probably don't care.

In short, I believe I fall squarely in categories #1 and #2. Seeing as how I run procmail, I invalidate #3.

So, I ask that you retract or amend your statement. Or at least admit its (partial) inaccuracies.

> it's not even supported by its author any more,

Many of the software packages that TUHS subscribers run on physical and / or virtual systems are not supported by their authors any more. Some of them are directly connected to the Internet too.

How many copies of (Open)VMS are running on (virtual) VAX (emulators)? Don't like (Open)VMS, then how about ancient versions of BSD or AT&T SYS V? How many people are running a wide array of ancient BBSs on as many platforms? How many people in corporate offices are running software that went End of Support 18 months ago?

Lack of support does not make something useless.

> due to its opaque syntax

I'm not aware of Procmail ever having claimed to have simple syntax. I also believe that Procmail is not alone in this. m4 is known for being obtuse, as is Sendmail, both of which are still used too. SQL is notorious for being finicky. I think there's a lot of C and C++ code that can fall in the same category. (LISP … enough said)

> and likely vulnerabilities

Everything has vulnerabilities. It's about how risky the (known) vulnerabilities are, and how likely they are to be exploited. It's a balancing act. Every administrator (or company directing said administrator) performs a risk assessment and makes a decision.

> (it believes user-supplied headers

Does the latest and greatest SMTP server from Google believe the information that the user supplies to it? What about the Nginx web server that seems to be in vogue, does it believe the verb, URL, HTTP version and Host: header that users supply?
Does Mailman that hosts the TUHS mailing list believe the information that minnie provides that was originally user supplied? Does your web browser believe and act on the information that the web server you are connecting to provided?

Applications are designed to trust the information that is provided to them. Sure, run some sanity checks on it. But ultimately it's the job of software to act on the user supplied information.

> and runs shell commands based upon them).

I've seen exceedingly few procmail recipes that actually run shell commands. Almost all of the procmail recipes that I've seen and use do a very simple match for fixed text and file the message away in a folder. These are functions built into procmail and NOT shell commands.

The very few procmail recipes that I've seen that do run shell commands are passing the message into STDIN of another utility that is itself designed to accept user supplied data, ideally in a safe way.

So, I believe your statement, "Anyone with any concept of security will not be running Procmail", is false, literally from word one.

If you want to poke fun at something, take a look at SpamAssassin and its Perl. Both of which are still actively supported. Or how about all the NPM stuff that people are using in web pages that are being pulled from places that God only knows.

-- 
Grant. . . .
unix || die
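A constructed .procmailrc showing the two recipe forms the message above contrasts: a fixed-text header match filed by procmail's built-in delivery, and a pipe action that hands the whole message to an external program on STDIN. This is an added example, not part of the original post or of procmail's own documentation; the mail store under $HOME/Mail and the presence of /usr/bin/spamc are assumptions.

```procmail
# Constructed example .procmailrc (added illustration, not from the message above).
# Assumes $HOME/Mail exists and that /usr/bin/spamc is installed.
SHELL=/bin/sh
PATH=/usr/bin:/bin
MAILDIR=$HOME/Mail
DEFAULT=$MAILDIR/inbox
LOGFILE=$MAILDIR/procmail.log
VERBOSE=no

# Form 1: fixed-text header match, delivered by procmail's built-in
# mailbox writer. No shell is spawned; the trailing ':' on ':0:' asks
# procmail to lock the target mbox while it appends. Conditions are
# matched case-insensitively.
:0:
* ^List-Id:.*unix heritage society
tuhs

# Form 2: a pipe action, the only recipe form that runs an external
# program. The whole message is handed to spamc on STDIN; no header
# text is placed on the command line, so nothing in the message is
# interpreted by the shell. 'f' = treat the program as a filter,
# 'w' = wait for its exit status and keep the original if it fails.
:0fw
| /usr/bin/spamc

# Anything unmatched falls through to DEFAULT.
```

Keeping actions to the built-in delivery form, or to pipes that read the message on STDIN rather than taking header text as command-line arguments, is what keeps message content from ever reaching a shell.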