Can you read this email? (second attempt)

Alberto Salvia Novella
Some emails, including mine, have been dropped in this mailing list.
Can you read this one?


--
ubuntu-doc mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-doc

Re: Can you read this email? (second attempt)

Kevin Godby-2
Hi, Alberto.

On Wed, Mar 1, 2017 at 5:20 PM, Alberto Salvia Novella
<[hidden email]> wrote:
> Some emails, including mine, have been dropped in this mailing list. Can
> you read this one?

Yes, this message came through successfully.

—Kevin

Re: Can you read this email? (second attempt)

Alberto Salvia Novella
Kevin Godby:
> Yes, this message came through successfully.

Then the problem is that the mailing list is filtering any message which
has an attachment, at least of a certain size.

This will silently leave out any email which is digitally signed,
probably also using GPG.

The configuration needs to be reviewed. Especially silently dropping
messages under these criteria is a bad thing.

Thanks for your attention.


Re: Can you read this email? (second attempt)

Kevin Godby-2
On Wed, Mar 1, 2017 at 5:33 PM, Alberto Salvia Novella
<[hidden email]> wrote:
> Then the problem is that the mailing list is filtering any message which has
> an attachment, at least of a certain size.
>
> This will silently leave out any email which is digitally signed, probably
> also using GPG.
>
> The configuration needs to be reviewed. Especially silently dropping messages
> under these criteria is a bad thing.

I'm looking through some of the configuration options now. Here are
some that I see that might apply:

 • Messages with bodies of size greater than 40 KB will be rejected.
(I would the sender to get a bounce message.)
 • Messages to the list from non-members will receive a bounce message.
 • Messages that match the content filtering rules will be discarded
without notice to the sender. The content filtering rules are set such
that they should only apply to messages with no text in the body and
only a potentially dangerous attachment (e.g., a Windows executable).

I didn't see any other ways for a message to be silently discarded,
though I may have overlooked something. The mailing list uses the
Mailman software, so if you're familiar with that and would like me to
check some specific settings, please let me know.

—Kevin

Re: Can you read this email? (second attempt)

Alberto Salvia Novella
Kevin Godby:
> Messages that match the content filtering rules will be discarded
> without notice to the sender. The content filtering rules are set such
> that they should only apply to messages with no text in the body and
> only a potentially dangerous attachment (e.g., a Windows executable).

We can enable the bounce message, send another email digitally signed,
and see what the bounce says.

All the bounce messages I have seen on Mailman explained in detail why
the emails were discarded.


RE: Can you read this email? (second attempt)

Doug Smythies
In reply to this post by Kevin Godby-2
On 2017.03.01 15:33 Alberto Salvia Novella wrote:

> Kevin Godby:
>> Yes, this message came through successfully.
>
> Then the problem is that the mailing list is filtering any message which
> has an attachment, at least of a certain size.
>
> This will silently leave out any email which is digitally signed,
> probably also using GPG.
>
> The configuration needs to be reviewed. Especially silently dropping
> messages under these criteria is a bad thing.
>
> Thanks for your attention.

Yes, but your e-mails got through to other Ubuntu e-mail lists just fine.
I am still not understanding that.

I also do not understand some of the other missing e-mails. That had no
attachment or digital signature or whatever.

... Doug



Re: Can you read this email? (second attempt)

Alberto Salvia Novella
In reply to this post by Alberto Salvia Novella
C de-Avillez:
> For the record, all emails from Alberto that I have seen signed are
> being signed using X.509 certificates, generating the "smime.p7s"
> attachment. Not GPG.

Yeap, but nobody else seems to be using ".p7s" certificates apart from
me, and still they are being filtered. So probably it also affects GPG
signatures.

Please change silently discarding messages to bouncing them, so I can
perform a black box analysis of what's going on.


Re: Can you read this email? (second attempt)

Gunnar Hjalmarsson
On 2017-03-05 02:28, Alberto Salvia Novella wrote:
> C de-Avillez:
>> For the record, all emails from Alberto that I have seen signed
>> are being signed using X.509 certificates, generating the
>> "smime.p7s" attachment. Not GPG.
>
> Yeap, but nobody else seems to be using ".p7s" certificates apart
> from me, and still they are being filtered.

If such messages made it previously, and Kevin doesn't see anything which
explains it, can there be some new global setting for all lists?

> So probably it also affects GPG signatures.

They are transferred as 7bit encoded text strings.

--
Gunnar Hjalmarsson
https://launchpad.net/~gunnarhj

RE: Can you read this email? (second attempt)

Doug Smythies
In reply to this post by Alberto Salvia Novella
On 2017.03.04 17:28 Alberto Salvia Novella wrote:

> C de-Avillez:
>> For the record, all emails from Alberto that I have seen signed are
>> being signed using X.509 certificates, generating the "smime.p7s"
>> attachment. Not GPG.
>
> Yeap, but nobody else seems to be using ".p7s" certificates apart from
> me, and still they are being filtered. So probably it also affects GPG
> signatures.
>
> Please change silently discarding messages to bouncing them, so I can
> perform a black box analysis of what's going on.

Kevin (an admin) checked and couldn't see any setting.
After the failed e-mail from Robert Young yesterday, with no
signature or attachment, I submitted a ticket for help.

If you think you have something to add, please add it to the ticket.

Reference: rt.ubuntu.com #29630

I believe, but am not sure, an e-mail with [rt.ubuntu.com #29630]
in the subject line will get to the ticket also.

... Doug



Re: Can you read this email? (second attempt)

Kevin Godby-2
In reply to this post by Alberto Salvia Novella
Alberto's email got forwarded to the list admins with the following
message at the top:

——
The attached message matched the ubuntu-doc mailing list's content
filtering rules and was prevented from being forwarded on to the list
membership.  You are receiving the only remaining copy of the
discarded message.
——

So it looks like that filter is what was being triggered.

Alberto's message has a content-type of multipart/signed.

The mailing list filters out all messages except those with the
following content types:

 • multipart/mixed
 • multipart/alternative
 • text/plain

Since multipart/signed isn't explicitly allowed, messages of that type
were being deleted without notice.

I've added multipart/signed to the list of acceptable message types so
they should come through okay in the future.  I will also leave this
setting to notify admins of filtered messages instead of discarding
them silently.

Alberto, if you'd like to try to send another signed test message,
we'll see if it goes through okay. Thanks for helping us troubleshoot
this!

—Kevin

Re: Can you read this email? (second attempt)

Alberto Salvia Novella
Kevin Godby:
> Thanks for helping us troubleshoot this!

You are welcome: this is that message.



Re: Can you read this email? (second attempt)

C de-Avillez-2
On Wed, 8 Mar 2017 06:30:30 +0100
Alberto Salvia Novella <[hidden email]> wrote:

> Kevin Godby:
> > Thanks for helping us troubleshoot this!  
>
> You are welcome: this is that message.
>
>

Alberto, this message was not signed.

RE: Can you read this email? (second attempt)

Doug Smythies
In reply to this post by Alberto Salvia Novella
On 2017.03.08 14:39 C de-Avillez wrote:

> On Wed, 8 Mar 2017 06:30:30 +0100
> Alberto Salvia Novella <[hidden email]> wrote:
>
>> Kevin Godby:
>>> Thanks for helping us troubleshoot this!  
>>
>> You are welcome: this is that message.
>>
>>
>
> Alberto, this message was not signed.

Yes, I think the list system stripped the signature.
There was a signature on my copy (as a directly addressed C.C.) in my inbox.

Kevin and/or Peter: Did you get any bounce message for a test e-mail
from Robert Young at about 05:43 UTC today (the 8th) (21:43 the 7th my time)?

... Doug



Re: Can you read this email? (second attempt)

Kevin Godby-2
Hi, Doug.

On Wed, Mar 8, 2017 at 5:39 PM, Doug Smythies <[hidden email]> wrote:
> Yes, I think the list system stripped the signature.
> There was a signature on my copy (as a directly addressed C.C.) in my inbox.
>
> Kevin and/or Peter: Did you get any bounce message for a test e-mail
> from Robert Young at about 05:43 UTC today (the 8th) (21:43 the 7th my time)?

No, the only one I've seen was the original test message from Alberto.

—Kevin

Re: Can you read this email? (second attempt)

C de-Avillez-2
In reply to this post by C de-Avillez-2
On Wed, 8 Mar 2017 16:39:22 -0600
C de-Avillez <[hidden email]> wrote:

> On Wed, 8 Mar 2017 06:30:30 +0100
> Alberto Salvia Novella <[hidden email]> wrote:
>
> > Kevin Godby:  
> > > Thanks for helping us troubleshoot this!    
> >
> > You are welcome: this is that message.
> >
> >  
>
> Alberto, this message was not signed.

Well, it is, and it is *not*. But, to make a long story (and some emails
sent to the WRONG mailing list) short:

@Kevin:

please add the two following contents as maintained:
 * application/pkcs7-signature
 * application/pgp-signature

These carry the actual signatures for S/MIME and PGP/MIME.

..C..

RE: Can you read this email? (second attempt)

Doug Smythies
In reply to this post by Doug Smythies
Hi Kevin,

And thanks very much for helping, particularly considering
you are doing other stuff these days.

On 2107.03.08 15:49 Kevin Godby wrote:

> Hi, Doug.
>
> On Wed, Mar 8, 2017 at 5:39 PM, Doug Smythies <[hidden email]> wrote:
>> Yes, I think the list system stripped the signature.
>> There was a signature on my copy (as a directly addressed C.C.) in my inbox.
>>
>> Kevin and/or Peter: Did you get any bounce message for a test e-mail
>> from Robert Young at about 05:43 UTC today (the 8th) (21:43 the 7th my time)?
>
> No, the only one I've seen was the original test message from Alberto.
>

O.K. so we still have a problem.

Did you at least get a copy in your inbox, since you were also directly
addressed on the C.C. line? (and I am referring to the one from later
last night, the one with the doc team list also on the C.C. line. His earlier
one didn't have the doc team list on the C.C. line, which was the whole point
of the test request.)

... Doug



Re: Can you read this email? (second attempt)

Kevin Godby-2
In reply to this post by C de-Avillez-2
Hi, C.

On Wed, Mar 8, 2017 at 5:53 PM, C de-Avillez <[hidden email]> wrote:

> Well, it is, and it is *not*. But, to make a long story (and some emails
> sent to the WRONG mailing list) short:
>
> @Kevin:
>
> please add the two following contents as maintained:
>  * application/pkcs7-signature
>  * application/pgp-signature
>
> These carry the actual signatures for S/MIME and PGP/MIME.

Right.. well, that raises a question, I guess.

While the attachments will be stripped, the message body should still
come through okay now. The message body has a content type of
multipart/signed and the attachment would be one of
application/pkcs7-signature or application/pgp-signature.

If we want to allow the signature attachments to come through, I can
add those content types to the whitelist.

Any content type not on the whitelist (whether the full message or
individual attachments) will be stripped away. If all the content in a
multipart message is removed and nothing remains, or if the top-level
message itself has a content type other than those whitelisted, then
the entire message will be discarded.

The whitelist currently contains the following content types:

 • multipart/mixed
 • multipart/alternative
 • multipart/signed
 • text/plain

—Kevin

Re: Can you read this email? (second attempt)

Kevin Godby-2
In reply to this post by Doug Smythies
Hi, Doug.

On Wed, Mar 8, 2017 at 6:11 PM, Doug Smythies <[hidden email]> wrote:
> And thanks very much for helping, particularly considering
> you are doing other stuff these days.

No problem!

> On 2107.03.08 15:49 Kevin Godby wrote:
> O.K. so we still have a problem.
>
> Did you at least get a copy in your inbox, since you were also directly
> addressed on the C.C. line? (and I am referring to the one from later
> last night, the one with the doc team list also on the C.C. line. His earlier
> one didn't have the doc team list on the C.C. line, which was the whole point
> of the test request.)

Yes, I received the message he CC'd me on.

It has the following content types:

Main content type: multipart/signed
Message body: text/plain
Signature attachment: application/pkcs7-signature

Since we recently added the multipart/signed content type to the
whitelist, the mailing list is okay with that part. The text/plain
content type was already there, so that part was okay. The
application/pkcs7-signature content type is not whitelisted, though,
so the mailing list stripped that attachment.

—Kevin
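
Added example (not part of any post in this thread, and not Mailman's own code): a Python model of the filtering rules as described in the two posts above, run over constructed messages to show when a signed message is discarded, delivered without its signature, or delivered intact. The set and function names and the placeholder signature bytes are assumptions made for illustration.

```python
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Allowed content types quoted in the thread, before and after the admin's change.
ORIGINAL = {"multipart/mixed", "multipart/alternative", "text/plain"}
AFTER_FIX = ORIGINAL | {"multipart/signed"}
# The two signature types requested in the thread.
SIGNATURES = {"application/pkcs7-signature", "application/pgp-signature"}


def build_signed(sig_type="application/pkcs7-signature"):
    """Constructed sample: text body plus a placeholder (not a real) signature."""
    msg = MIMEMultipart("signed", protocol=sig_type)
    msg.attach(MIMEText("Can you read this one?\n", "plain"))
    msg.attach(MIMEApplication(b"PLACEHOLDER", sig_type.split("/", 1)[1]))
    return msg


def build_attachment_only():
    """Constructed sample: allowed container holding only a disallowed part."""
    msg = MIMEMultipart("mixed")
    msg.attach(MIMEApplication(b"PLACEHOLDER", "octet-stream"))
    return msg


def strip_parts(part, allowed):
    """Remove every sub-part whose type is not allowed, recursively."""
    if not part.is_multipart():
        return
    kept = []
    for child in part.get_payload():
        if child.get_content_type() not in allowed:
            continue
        strip_parts(child, allowed)
        if child.is_multipart() and not child.get_payload():
            continue  # container left empty by the filter
        kept.append(child)
    part.set_payload(kept)


def filter_message(msg, allowed):
    """Return ("discard", []) or ("deliver", [content types that remain])."""
    if msg.get_content_type() not in allowed:
        return "discard", []  # top-level type is not on the list
    strip_parts(msg, allowed)
    if msg.is_multipart() and not msg.get_payload():
        return "discard", []  # nothing left after stripping
    return "deliver", [p.get_content_type() for p in msg.walk()]


def signature_survives(allowed, sig_type="application/pkcs7-signature"):
    """True only if the message is delivered with its signature part attached."""
    action, types = filter_message(build_signed(sig_type), allowed)
    return action == "deliver" and sig_type in types


if __name__ == "__main__":
    for label, allowed in [("original", ORIGINAL), ("after fix", AFTER_FIX),
                           ("after fix + signatures", AFTER_FIX | SIGNATURES)]:
        print(label, filter_message(build_signed(), allowed))
    print("attachment only", filter_message(build_attachment_only(), AFTER_FIX))
```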

RE: Can you read this email? (second attempt)

Doug Smythies
In reply to this post by Doug Smythies
On 2017.03.08 16:32 Kevin Godby wrote:
> On Wed, Mar 8, 2017 at 6:11 PM, Doug Smythies <[hidden email]> wrote:
>> On 2107.03.08 15:49 Kevin Godby wrote:

>>>> Kevin and/or Peter: Did you get any bounce message for a test e-mail
>>>> from Robert Young at about 05:43 UTC today (the 8th) (21:43 the 7th my time)?
>>
>>> No, the only one I've seen was the original test message from Alberto.
>> O.K. so we still have a problem.
>>
>> Did you at least get a copy in your inbox, since you were also directly
>> addressed on the C.C. line? (and I am referring to the one from later
>> last night, the one with the doc team list also on the C.C. line. His earlier
>> one didn't have the doc team list on the C.C. line, which was the whole point
>> of the test request.)
>
> Yes, I received the message he CC'd me on.
>
> It has the following content types:
>
> Main content type: multipart/signed
> Message body: text/plain
> Signature attachment: application/pkcs7-signature
>
> Since we recently added the multipart/signed content type to the
> whitelist, the mailing list is okay with that part. The text/plain
> content type was already there, so that part was okay. The
> application/pkcs7-signature content type is not whitelisted, though,
> so the mailing list stripped that attachment.

Hi Kevin,

I am getting confused. To clarify, I have moved away from Alberto
and on to test case 2 from last night, Robert Young (I added back
some of my earlier e-mail above).

His e-mail did not get to the list, and, if I understand correctly,
you did not get a bounce message. So it was silently dropped,
which I thought should not occur anymore.
There was no signature on his e-mail, but it was html, which used to
work fine on this list (although it makes searching the text archives
annoying).



Re: Can you read this email? (second attempt)

C de-Avillez-2
In reply to this post by Kevin Godby-2
On Wed, 8 Mar 2017 18:24:24 -0600
Kevin Godby <[hidden email]> wrote:

<snip/>

> Right.. well, that raises a question, I guess.
>
> While the attachments will be stripped, the message body should still
> come through okay now. The message body has a content type of
> multipart/signed and the attachment would be one of
> application/pkcs7-signature or application/pgp-signature.
>
> If we want to allow the signature attachments to come through, I can
> add those content types to the whitelist.

I would suggest you should. Without the actual signature, there is no
way to verify it. Yes, there is an attachment that will state the
message is signed, but not with what key. Taking out the actual
signature completely defeats signing.

>
> Any content type not on the whitelist (whether the full message or
> individual attachments) will be stripped away. If all the content in a
> multipart message is removed and nothing remains, or if the top-level
> message itself has a content type other than those whitelisted, then
> the entire message will be discarded.

>  • multipart/mixed
>  • multipart/alternative
>  • multipart/signed
>  • text/plain

May I also suggest that you forward messages worked by the content
filter to list owner? This would be temporary, but would allow you to
monitor how aggressive the filter is (and, perhaps, save the eventual
message that would be lost).

Cheers,

..C..
