-
rozzin
This "postfix+dovecot" tangent reminds of https://www.justinbuchanan.com/blog/posts/Application-Specific-Passwords-for-Dovecot-and-Postfix Anyone doing the "application-specific passwords" thing with your XMPP service?
-
Neustradamus
rozzin: Dovecot supports SCRAM: https://doc.dovecot.org/configuration_manual/authentication/authentication_mechanisms/ Cyrus SASL supports SCRAM: https://www.cyrusimap.org/sasl/sasl/authentication_mechanisms.html Postfix with Dovecot or Cyrus SASL too, more informations here: https://github.com/scram-sasl/info/issues/1
-
moparisthebest
what does SCRAM have to do with this
-
Licaon_Kter
> https://www.justinbuchanan.com/blog/posts/Application-Specific-Passwords-for-Dovecot-and-Postfix I find the threat model dump, wtf✎ -
Licaon_Kter
> https://www.justinbuchanan.com/blog/posts/Application-Specific-Passwords-for-Dovecot-and-Postfix I find the threat model dumb, wtf ✏
-
rozzin
Licaon_Kter: yeah, I agree that this sounds pretty dumb: > I always hate the feeling of using any of my username and password combinations on sketchy public computer somewhere. You know the kind I am talking about, those computers at hotels running Windows XP and IE6, signed as "Adminstrator", with every toolbar and add-on installed from a 9 year old version of Real Player to three different versions of some Internet poker game. There's bound to be a key logger in there someplace. > One time use passwords have been around for a long time to mitigate this type of scenario.
-
rozzin
Licaon_Kter: but he goes someplace interesting/useful even if he started the journey for the wrong reasons.
-
Licaon_Kter
Yeah...maybe...it feels like a solution in search of a problem
-
rozzin
Just pretend that he said something like "it's going to be annoying resetting the password in every client program on every device I use if ever my smartphone is stolen" or whatever other reason sounds more reasonable to you.
-
rozzin
Certificate-based login also serves the same sort of purposes, I guess....
-
Link Mauve
Licaon_Kter, in 2012 it wasn’t as common to have a smartphone I think.
-
Link Mauve
Even more recently, I’ve had to use one such computer.
-
Link Mauve
Thankfully I hadn’t restricted all of my servers to certificates, or else I wouldn’t have been able to contact the person I had to contact.
-
Licaon_Kter
Link Mauve: they say phone and typing on it, that confuses me
-
Link Mauve
I only read the quote rozzin pasted.
-
croax
moparisthebest: > what does SCRAM have to do with this SCRAM does not mandate credentials to contain the password. Nor exchanges. Nevertheless, reusing password is bad considering that passwords may leak by any other mean.✎ -
croax
moparisthebest: > what does SCRAM have to do with this SCRAM does not mandate credentials database to contain the password. Nor exchanges. Nevertheless, reusing password is bad considering that passwords may leak by any other mean. ✏
-
Licaon_Kter
So you reject any new password that has a hit on haveibeenpwd dot com?
-
croax
Licaon_Kter: I'm not sure to follow. But if the goal is to block some user passwords, you could still check for a match. More costly, I presume✎ -
croax
Licaon_Kter: I'm not sure to follow. But if the goal is to block some user passwords, you could still check for a match. Wasting more CPU, I presume ✏
-
Licaon_Kter
Was more of a joke as that would force users to some longish pass words, battery, stapler, horse, etc
-
MattJ
correct
-
rozzin
Eh, if I want to pick issues to have, I guess I mostly have trouble with the conclusion of that paragraph: > One time use passwords have been around for a long time to mitigate *this type of scenario*. To me, it seems to like, no mitigating the damage done by intentionally giving a known-malicious MITM access to a login session into a security-sensitive system is actually *not* what one-time passwords or multifactor-authentication requirements are for....
-
Maranda
@ping
- Echo1 drops Maranda's packet.
-
mjk
Ironic echo bot is ironic
-
MattJ
Licaon_Kter, seems like you need to invest in better MUC moderation techniques :)
-
Licaon_Kter
Members only?
-
MattJ
Maybe. Are they using multiple servers?
-
Licaon_Kter
Yes
-
Martin
Just closed the chatroom and removed the autojoin flag for now.
-
Martin
Only noise, no info atm.
-
Licaon_Kter
Let's all do that...oh wa-
-
mjk
> Let's all do that... Just kick everyone but morf :D
-
Martin
That would work. Whom will they spam if nobody is there? Just drain them. 😁
-
MattJ
That's somewhat equivalent to a shadowban, but more inconvenient for the innocent people :)
-
moparisthebest
Shadow banning would probably be pretty effective here... He would think everyone was just ignoring him
-
Holger
Not sure. He's joined with multiple JIDs so unless you shadow-ban all of them immediately, he'll notice himself.
-
mjk
moparisthebest: no, I realized it really wouldn't work on xmpp: they'd easilly observe the ban with another acct
-
moparisthebest
That's ok, more work for him?
-
Holger
Hm?
-
mjk
I mean, a simple ban would be no less effective
-
mjk
And no more...
-
Holger
Exactly.
-
Holger
And that won't do the trick.
-
Licaon_Kter
Holger: ejabberd *can't* set "moderators PM only" right? https://github.com/processone/ejabberd/issues/3736#issuecomment-1039415716 That would help since now I can't be reached there...to give member status to the worthy ones
-
MattJ
Holger, so you echo visitor messages only to admins and other visitors? :)
-
MattJ
That at least cuts out the noise for 90% of people
-
moparisthebest
What if you had muc mode where all new users joined "shadow banned" (except mods would see) and you kept a queue of the last few messages so if mods saw they were good, the unban would let their messages through?
-
Holger
Yeah something like that maybe.
-
moparisthebest
Significantly more annoying to implement of course :(
-
Holger
But for now I'm personally fine with just going members-only for a day :-)
-
MattJ
The vast majority of current occupants are not members though
-
Holger
Yeah. They'd have to wait a day, that's the downside.
-
Holger
Then again the vast majority of the vast majority is probably just idling anyway.
-
Holger
Licaon_Kter: We could configure the room to allow visitors to send PMs to moderators (such as you) you. Not sure that's what you're suggesting?
-
Holger
"to moderators (such as you) only".
-
Licaon_Kter
Holger: I have this in Offtopic but they can't afaik
-
Holger
Well as Badlop explained in that message it's configurable by the room owner.
-
Holger
> Can visitors send private messages to ...
-
Holger
> allow_private_messages_from_visitors : anyone | moderators | visitors
-
Licaon_Kter
Last line says: > The only option that has no equivalent is muc#roomconfig_allowpm : moderators
-
Holger
So now I gotta go reading '45 to understand what it does? :-)
-
Licaon_Kter
Sorry lol
-
Licaon_Kter
moparisthebest: can you PM me in Offtopic?
-
Holger
Licaon_Kter: Ok '45 muc#roomconfig_allowpm controls who may *send* PMs.
-
Holger
Licaon_Kter: ejabberd allows you to configure who may *receive* PMs.
-
Holger
Licaon_Kter: I thought you were asking for the latter.
-
moparisthebest
Licaon_Kter: no, button is greyed out in Conversations
-
Licaon_Kter
Holger: Wonder what Dino sets in room config, the wrong one or nothing, since I can't PM either
-
Licaon_Kter
I gotta reach for Gajim I guess...later
-
Holger
My crystal ball would guess 'nothing', and the default in that case can be specified in ejabberd.yml.
-
Licaon_Kter
Offtopic is on Trashserver for reasons
-
Holger
So yes, Gajim FTW of course.
-
Holger
> members-only (FWIW I meant 'moderated' of course, i.e. 'only members can send messages'.)
-
MattJ
Holger, ah right, yes, that makes more sense :)
-
Licaon_Kter
https://upload.convorb.im/7c370453f738f2c0c995eaee643e5e0aba76aeb0/LZLCzcfpuhihniMyMRfbs945Rh3Q3a5qdK9Y3MGu/mucsettingspm.png
-
Licaon_Kter
Holger, ^^^ now what? > '45 muc#roomconfig_allowpm controls who may *send* PMs. That's what both Dino and Gajim say > ejabberd allows you to configure who may *receive* PMs. So not respecting '45 ?
-
Holger
Licaon_Kter: Well ejabberd isn't actually violating the spec, servers aren't required to offer all config fields listed in '45, and ejabberd just doesn't support the #roomconfig_allowpm field. It offers different, custom fields with similar purposes. (Would be a violation if it offered a field using the '45 name with different semantics.) But yes if possible it would be good to stick to the registered fields, especially for fields that clients explicitly support. I wasn't aware this is the case for the #roomconfig_allowpm field.