Fwd: Why we need qmail owner files for all committers

[Craig Russell <cr...@oracle.com>]

Hi,

Is this a good whimsy project?

Craig

> Begin forwarded message:
> 
> From: Joe Schaefer <jo...@yahoo.com>
> Subject: Why we need qmail owner files for all committers
> Date: August 24, 2016 at 10:25:41 PM PDT
> To: Apache Infrastructure <in...@apache.org>
> Reply-To: Joe Schaefer <jo...@yahoo.com>
> 
> Simply put, every time a sender, whose domain has an SPF rule ending in -all, tries to email a user at their apache.org address, the message will bounce when qmail attempts to deliver to the final destination server.  This is because modern mail forwarders are required by the SPF framework to rewrite the SMTP envelope sender to originate from an address on the intermediate forwarding domain.  It is notoriously difficult for users to track down the origin of the problem because the envelope sender rewriting needs to happen on the recipient's account with us, even though the crux of the problem is with the sending domain's strict SPF rule.
> 
> Fortunately most major domain owners refrain from going all in with SPF and simply use ~all, which means the SPF records aren't authoritative.  However, many (like microsoft.com or recently gmx.de) do use strict SPF, so their attempts to contact committers directly will get rejected as described above.
> 
> This issue can be put to bed squarely in about 5 minutes of script testing and implementation.  Just do an ldapsearch on the uid, and xarg that list to the qmail-owner-setup.sh script in ~apmail/bin.  Problem solved for the existing committers.  Just add a call to the script for new users as well during account creation, and you'll never have to worry about it again.
> 
> 

Craig L Russell
Architect
craig.russell@oracle.com
P.S <ma...@oracle.comP.S>. A good JDO? O, Gasp!

Re: Why we need qmail owner files for all committers

[Gav <ip...@gmail.com>]

right this is an Infra issue and not a whimsy one.

On Sat, Aug 27, 2016 at 9:35 AM, Sam Ruby <ru...@intertwingly.net> wrote:

> On Fri, Aug 26, 2016 at 4:45 PM, Craig Russell <cr...@oracle.com>
> wrote:
> > Hi,
> >
> > Is this a good whimsy project?
>
> Sounds to me like the first part is literally:
>
> ldapsearch -x -LLL uid=* dn | perl -ne '/uid=(.*?),/ && print "$1\n"'
> | xargs ~apmail/bin/qmail-owner-setup.sh
>
> That is to be run *once*.  The second part is a one line addition to
>
> https://svn.apache.org/repos/infra/infrastructure/trunk/tools/ap-adduser
>
> > Craig
>
> - Sam Ruby
>
> >> Begin forwarded message:
> >>
> >> From: Joe Schaefer <jo...@yahoo.com>
> >> Subject: Why we need qmail owner files for all committers
> >> Date: August 24, 2016 at 10:25:41 PM PDT
> >> To: Apache Infrastructure <in...@apache.org>
> >> Reply-To: Joe Schaefer <jo...@yahoo.com>
> >>
> >> Simply put, every time a sender, whose domain has an SPF rule ending in
> -all, tries to email a user at their apache.org address, the message will
> bounce when qmail attempts to deliver to the final destination server.
> This is because modern mail forwarders are required by the SPF framework to
> rewrite the SMTP envelope sender to originate from an address on the
> intermediate forwarding domain.  It is notoriously difficult for users to
> track down the origin of the problem because the envelope sender rewriting
> needs to happen on the recipient's account with us, even though the crux of
> the problem is with the sending domain's strict SPF rule.
> >>
> >> Fortunately most major domain owners refrain from going all in with SPF
> and simply use ~all, which means the SPF records aren't authoritative.
> However, many (like microsoft.com or recently gmx.de) do use strict SPF,
> so their attempts to contact committers directly will get rejected as
> described above.
> >>
> >> This issue can be put to bed squarely in about 5 minutes of script
> testing and implementation.  Just do an ldapsearch on the uid, and xarg
> that list to the qmail-owner-setup.sh script in ~apmail/bin.  Problem
> solved for the existing committers.  Just add a call to the script for new
> users as well during account creation, and you'll never have to worry about
> it again.
> >>
> >>
> >
> > Craig L Russell
> > Architect
> > craig.russell@oracle.com
> > P.S <ma...@oracle.comP.S>. A good JDO? O, Gasp!
> >
> >
> >
> >
> >
>



-- 
Gav...

Re: Why we need qmail owner files for all committers

[Sam Ruby <ru...@intertwingly.net>]

On Fri, Aug 26, 2016 at 4:45 PM, Craig Russell <cr...@oracle.com> wrote:
> Hi,
>
> Is this a good whimsy project?

Sounds to me like the first part is literally:

ldapsearch -x -LLL uid=* dn | perl -ne '/uid=(.*?),/ && print "$1\n"'
| xargs ~apmail/bin/qmail-owner-setup.sh

That is to be run *once*.  The second part is a one line addition to

https://svn.apache.org/repos/infra/infrastructure/trunk/tools/ap-adduser

> Craig

- Sam Ruby

>> Begin forwarded message:
>>
>> From: Joe Schaefer <jo...@yahoo.com>
>> Subject: Why we need qmail owner files for all committers
>> Date: August 24, 2016 at 10:25:41 PM PDT
>> To: Apache Infrastructure <in...@apache.org>
>> Reply-To: Joe Schaefer <jo...@yahoo.com>
>>
>> Simply put, every time a sender, whose domain has an SPF rule ending in -all, tries to email a user at their apache.org address, the message will bounce when qmail attempts to deliver to the final destination server.  This is because modern mail forwarders are required by the SPF framework to rewrite the SMTP envelope sender to originate from an address on the intermediate forwarding domain.  It is notoriously difficult for users to track down the origin of the problem because the envelope sender rewriting needs to happen on the recipient's account with us, even though the crux of the problem is with the sending domain's strict SPF rule.
>>
>> Fortunately most major domain owners refrain from going all in with SPF and simply use ~all, which means the SPF records aren't authoritative.  However, many (like microsoft.com or recently gmx.de) do use strict SPF, so their attempts to contact committers directly will get rejected as described above.
>>
>> This issue can be put to bed squarely in about 5 minutes of script testing and implementation.  Just do an ldapsearch on the uid, and xarg that list to the qmail-owner-setup.sh script in ~apmail/bin.  Problem solved for the existing committers.  Just add a call to the script for new users as well during account creation, and you'll never have to worry about it again.
>>
>>
>
> Craig L Russell
> Architect
> craig.russell@oracle.com
> P.S <ma...@oracle.comP.S>. A good JDO? O, Gasp!
>
>
>
>
>