Dispatches From The Geeks

News and Announcements from the MCS Systems Group

DMARC and you (with bonus story on mailing lists)

Hey, everybody!

So you’ve seen a couple of announcements about the lab’s setting “DMARC” policy on outgoing mail. If you’re a mail wonk, you get it. If you’re not, and I’m sure most of you aren’t, I’m going to explain a few things about it and what it means to you. I’m really trying to remove as much of the tech jargon as I can, because it helps to understand the process a little better. This is a dry topic, I know. I’ll do what I can to assuage the boredom. And with that, let’s begin!

A long time ago, dinosaurs roamed the earth. Shortly thereafter, e-mail was invented.

Okay, it wasn’t quite like that, but the internet standards we’re using for e-mail today are by and large the same ones that were put in place all those many years ago. They were developed in a simpler time, when there was no security or spam or reality TV. Those very lax rules make it very easy to just send mail as whoever you want from wherever you want, and systems kinda just trust you’re not doing something malicious.

Obviously, those days are long gone. We’re all getting tons of spam, and even more annoying, tons of bounce messages from spam that’s pretending to be us!

To combat this, a bunch of rules and procedures were developed to better ensure the “From:” in an e-mail was really who it said it was. This all involves SPF, DKIM, and DMARC. I’m not going to explain the lower level stuff about how these operate, so I’ll just say SPF and DKIM combine to ensure that mail came from where it claims, and that it’s authorized to do that, and DMARC tells the recipient what to do with it if it didn’t.

When Argonne sets a DMARC policy of “reject”, we’re saying to any mail server who listens to that sort of thing “If the mail claims to be from anl.gov and doesn’t pass these tests to show it’s from Argonne, reject it.”

It’s a sensible rule, and, thanks to some policy from above in the agency, it’s now a mandatory one. Soon every .gov will be doing the same thing (if they haven’t already).

As noted in the announcements from BIS, this will be going into effect soon. This will only affect mail that has a from: ending in “anl.gov” and won’t affect you receiving mail from others.

“But wait, Craig!” I can hear you shouting, “You told us there was a bonus story on mailing lists!” I sure did, children! So gather round and get ready for part 2.

Many places (.gov and otherwise) have already implemented the policy above. lanl.gov, for one, has been doing it for a while. And many people who have email addresses with this policy set are users of our mailing lists. The very mailing lists like the one I’m sending this to you on! And ever since we started the process of getting this all ready to roll, we’ve now become acutely aware of something thanks to error reports we get back from other email servers; mail’s been getting rejected already, and it has nothing to do with what we set our DMARC policy to.

Let me paint you a picture. Imagine I’ve got a big Bob Ross afro going on here – it’ll help.

john.doe@lanl.gov sends an email to bcfg-dev@mcs.anl.gov. It leaves LANL servers, comes here to MCS servers and the list happily sends it out to everyone on the list.

But, heavens to Murgatroyd, now we’ve got a problem. The mail claims to be from “john.doe@lanl.gov” but that’s not who’s delivering it. Nosiree, bob, that looks like it’s coming from Argonne! Now, unless LANL lists Argonne as an acceptable sender for mail coming from lanl.gov, there’s only one course of action; reject it.

Now, we may at some point be able to convince other fed sites to add Argonne servers to their list of acceptable delivery agents, but that’s just a part of the problem. There are schools, private e-mail providers, other governments, and myriad other sources where this mail can originate.

There’s only one real solution for this. Mailman (our mailing list software) provides a fix for this. It’s a fundamental shift on how mailing list mail will look, though. The fix is to change the “From:” of the mail so it no longer looks like it’s coming from “john.doe@lanl.gov” but is instead coming from “John Doe via bcfg-dev@mcs.anl.gov” with a Reply-to: of “john.doe@lanl.gov” set.

I’m going to repeat that on a line by itself for the skimmers.

Soon, mailing list From: addresses will be from the list, not the sender.
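To make the rewrite concrete, here is an added illustration (not Mailman's code, and not from the original post) of what the list server does: look up the sender's DMARC policy and, if it would cause relayed mail to be rejected, move the author into a "via the list" display name with the original address in Reply-To. The DMARC records are constructed stand-ins for the real `_dmarc` DNS lookup, and treating p=quarantine like p=reject is an assumption beyond the post.

```python
from email.message import EmailMessage
from email.utils import formataddr, parseaddr

# Constructed records standing in for the _dmarc.<domain> TXT lookup a real
# list server would perform. Values are illustrative, not real DNS data.
DMARC_RECORDS = {
    "lanl.gov": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.invalid",
    "example.edu": "v=DMARC1; p=none",
}


def dmarc_policy(domain):
    """Return the p= tag of the domain's DMARC record, or None if absent."""
    record = DMARC_RECORDS.get(domain.lower())
    if record is None:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1":  # not a valid DMARC record
        return None
    return tags.get("p")


def munge_for_list(msg, list_addr, list_name):
    """Rewrite From: to the list when the author's domain would reject relayed
    mail; keep the author reachable through Reply-To. Returns the message."""
    name, addr = parseaddr(msg["From"])
    domain = addr.rsplit("@", 1)[-1]
    # Assumption: quarantine is handled like reject (Mailman offers this).
    if dmarc_policy(domain) not in ("reject", "quarantine"):
        return msg  # From: is safe to leave as the original author
    del msg["From"]
    msg["From"] = formataddr((f"{name or addr} via {list_name}", list_addr))
    if "Reply-To" not in msg:  # a pre-existing Reply-To is left alone here
        msg["Reply-To"] = addr
    return msg


def sample_message(from_header):
    """Build a constructed list post with the given From: header."""
    msg = EmailMessage()
    msg["From"] = from_header
    msg["To"] = "bcfg-dev@mcs.anl.gov"
    msg["Subject"] = "test post"
    msg.set_content("hello list")
    return msg
```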

I’m still waffling on when to make this change. I wanted to announce it first and with luck have some healthy brainstorming for other solutions if people had ideas. But my research and understanding of how DMARC policies work, coupled with the fact that mailman puts a config option to deal with this very case, tells me it’s probably the best solution.

And, to be clear, all this will accomplish is ensuring that mailing lists run by CELS Systems won’t get rejected by remote sites due to the From: address mismatch. (BIS also plans to implement this change on some of its mailing lists as well). However, once BIS turns on “DMARC=reject”, and if you send mail to a mailing list that’s not run by us, it could get dropped if the recipient obeys DMARC policies. Spoiler alert: gmail is one of those that does.

So, there you go. I won’t turn this on for any lists without warning. Well, that’s a lie, I just turned it on for *this very list*, so you can see what it looks like in the From line.

I’ve also turned it on in a new list I’ve created called “tech-discuss@cels.anl.gov” where we can have some back and forth about this. I thought about asking folks to bring it up in either “linux-users@mcs” or “mac-users@mcs”, but this isn’t a mac issue, and it’s not a linux issue. Oh, also, if you’re on one of those lists, I’ve invited you to subscribe to this list, too. Or just visit https://lists.cels.anl.gov/mailman/listinfo/tech-discuss and sign up there.

Cheers, and happy Friday!

Craig

Written by Craig Stacey

October 19, 2018 at 6:09 pm

Posted in Uncategorized

A note about the new version of Dayforce

Hi, everyone!

First of all, if you currently use Dash (https://dash.anl.gov) to access Dayforce and are happy with that, just stop reading. There’s nothing of interest to you here and you’re using the approved and supported method for accessing Dayforce.

Okay, if you’re still reading, perhaps you don’t like using Dash for that, or you used to use our handy shortcut to use Dayforce in your browser. But recent updates to Chrome, Firefox, and Safari (in that order) meant that stopped working for you.

Well, the good news is it started working again as of today. The new version of Dayforce is (almost) all HTML and no Silverlight required. Yes, I said "almost". There are a handful of administrative/managerial functions that still need silverlight, and that means if you do that you need to go to Dash for those tasks. But, if you’re reading this far, chances are good you won’t be in that group.

If you want to use this entirely handy and entirely unofficial and unsupported shortcut: https://www.cels.anl.gov/dayforce is a good thing to bookmark. And if it doesn’t work for you, just fall back to using Dash.

And, again, if you’re happy with Dash, you don’t need to change a thing (and you should have stopped reading after the first paragraph, shame on you).

Cheers!

Craig

Written by Craig Stacey

October 11, 2018 at 3:11 pm

Posted in Uncategorized

Vulnerability Reports for VPN and Wireless Connections

Hi, everyone.

From time to time, you may receive an e-mail from the lab’s vulnerability scanner telling you about a vulnerability on your laptop.  These are important, and you should contact us (help@cels.anl.gov) with any questions you might have about them.  But I want to focus on a very specific one I’m seeing a lot of.

There is a surprisingly high number of laptops out there that are running web servers that are accessible to other computers. Some of you may be doing this intentionally, and some of you may not be. What I want to do is make sure that if you are among these people, you’re aware of the situation and are protected accordingly.

If you get a notice about an SSL vulnerability or a PHP vulnerability, chances are very high you’re running a web server on your computer.  You need to either lock this down on your own, or contact us to help you do it.

If you don’t know what to do, just let us know at help@cels.anl.gov and we’ll work with you to make sure you’re secure. What we’ll do is work with you to determine if you do need to run a web server, and if so, to harden it properly so you’re not in danger. I wanted to send out a nice quick recipe anyone could follow to lock this down, but I haven’t found a simple and quick recipe using built-in tools that’s universally going to work for everybody.

(If you run Little Snitch on a Mac, just block incoming connections on ports 80, 443, and 8080.  https://dl.dropbox.com/s/e6zq985pershdz1/Screenshot%202018-10-04%2018.00.44.png is an example for port 80.)

Thanks!

Written by Craig Stacey

October 4, 2018 at 6:11 pm

Posted in Uncategorized

New Help Desk Operation Procedures

Hi, everybody.

Due to staffing changes and space constraints, we’re going to be making some changes to the concept of the “Help Desk” for CELS.

First up, we need to convert the existing location into a regular office. That’s happening this afternoon (September 17). With the loss of that location as a help desk, I’d like to take the opportunity to shift how we’re handling front line support. But let’s talk about what’s not changing.

As always, the first line of support is sending an e-mail to help@cels.anl.gov, nothing is changing there. Another process that’s not changing is phone support, so if you can’t e-mail or it’s urgent, you can continue to call us at 630-252-6813 during our regular support hours.

But that brings up the first in the list of the things that are changing, which are our regular support hours. Our new hire, Tim Livolsi, will be joining us on September 24th. He’ll be splitting his time between user support and systems administration. We’re excited to bring him on, and effective October 1, we’ll be going back to regular hours of 9AM-11:30, and 1PM-5PM for our staffed help phone hours.

The next change will be how you get in-person support. When you call or e-mail us, we’ll try to help remotely where we can. If it requires an in-person visit, we’ll set up a time with you to come visit and help (including right away). And in the cases where you need to visit us, we’ll set up a time we can work with you in our interaction area.

“What’s that?” I can hear you collectively asking yourselves. The Systems Interaction Area is that area with the black sofa and chairs just inside the main entrance to the building, across the atrium. We’ve converted the adjacent workspace into a more interactive spot where we can sit with you and your computer to work on issues. But our goal is to move to a more virtualized than physical help desk so we can better make use of our resources.

Of course, as always, if you need a walk-up spot for help, you can use the BIS Service Desk over by the west entrance of 240. If they can fix it for you, they will, and if they can’t, they’ll escalate to the CELS Systems team, where we’ll take care of you.

If you have questions about this, please let me know.

Thanks!

Craig

Written by Craig Stacey

September 17, 2018 at 11:55 am

Posted in Uncategorized

COMPLETED GitLab maintenance window

Maintenance of our GitLab services has been completed. Please let us know if you encounter any issues by emailing help@cels.anl.gov

Merge request code review should be working properly again.

– CELS Systems

Written by Craig Stacey

September 10, 2018 at 5:30 pm

Posted in Uncategorized

STARTING GitLab maintenance window

Beginning work to update our GitLab services at https://gitlab.cels.anl.gov and https://xgitlab.cels.anl.gov

Services will be disrupted during this maintenance window.

Service is expected to be restored by 18:00 CDT and may be available sooner than that.

We will send a followup email upon completion of the work.

– CELS Systems

Written by Craig Stacey

September 10, 2018 at 5:02 pm

Posted in Uncategorized

GitLab off-schedule maintenance Today @ 17:00 CDT

In order to resolve the issue with merge requests on GitLab we will be updating to a later release starting today (2018-09-10) at 17:00 CDT.

Maintenance is scheduled for 17:00 to 18:00, and service may be restored sooner than that.

– CELS Systems

Written by Craig Stacey

September 10, 2018 at 11:23 am

Posted in Uncategorized

Issue with CELS GitLab instances

We have been notified of an issue affecting the CELS GitLab instances that impacts the ability to view changes when reviewing a merge request.

We have opened an issue with the gitlab-ce project, and others have reported the same issue. We are hopeful that we will be able to update to a later release where the bug has been fixed sometime Monday.

A work-around, identified by one of our customers, is to use the ‘branch compare’ feature of GitLab to compare the branches to merge; to use the feature:

1. Select ‘Repository’ in the left-hand menu
2. Select ‘Compare’
3. Choose the two branches you want to merge to view the diff

From the command line, you can also use:

git diff origin/destination_branch origin/source_branch

Where ‘origin’ is the name of your remote (origin is the default; run ‘git remote’ to view the names of your remotes), and destination_branch is the name of the branch you wish to merge changes from source_branch into.

Please let us know if you have any questions by emailing help@cels.anl.gov

– CELS Systems

Written by Craig Stacey

September 7, 2018 at 11:11 am

Posted in Uncategorized

COMPLETED GitLab maintenance window

Maintenance of our GitLab services has been completed. Please let us know if you encounter any issues by emailing help@cels.anl.gov

– CELS Systems

Written by Craig Stacey

September 5, 2018 at 12:26 pm

Posted in Uncategorized

STARTING GitLab maintenance window

Beginning work to update our GitLab services at https://gitlab.cels.anl.gov and https://xgitlab.cels.anl.gov

Services will be disrupted during this maintenance window.

Service is expected to be restored by 13:00 CDT and may be available sooner than that.

We will send a followup email upon completion of the work.

– CELS Systems

Written by Craig Stacey

September 5, 2018 at 12:00 pm

Posted in Uncategorized