On 2018-11-30 9:29 a.m., Roberto C. Sánchez wrote: > That is just how email works. With the help of a cooperating mail > server (which is trivial to setup) anybody in the world can send mail > with any from address that they wish. This problem is not unique to > Debian. Yes and no. It is true that others are vulnerable, but this is a choice that Debian makes and it can be fixed. If we wanted, we could largely limit this with more restrictive debian.org DNS records. When a mail server accepts incoming emails, it has the responsibility of checking the mail comes from. Debian can specify which servers it sends emails from and ask mail servers around the world to only accept emails from these servers and discard the others. This is done trough DNS, with DMARC and SPF records: - https://en.wikipedia.org/wiki/Sender_Policy_Framework - https://en.wikipedia.org/wiki/DMARC Currently, Debian does not publish such records so it opts out from this protection. == SPF example == I use gmail to send mails from alexandre@alexandreviau.net. alexandreviau.net has the following TXT record: - "v=spf1 include:_spf.google.com ~all" It reads: - version: spf1 - include google's SPF config, effectively authorizing everything that google asks to authorize. - ~ "SoftFail": don't take this rule too seriously but consider it when filtering spam - "all": match all addresses (not sure if we can specify one or groups..) If I wanted, I could change "~all" to "-all" in my spf config, asking mail servers to discard every emails that pretends to be from alexandreviau.net but wasn't sent from google servers. Cheers, -- Alexandre Viau aviau@debian.org
Attachment:
signature.asc
Description: OpenPGP digital signature