--- Log opened Wed Apr 29 00:00:01 2020
01:44 -!- K`Tetch_ [~no@047-039-211-239.res.spectrum.com] has joined #se2600
01:44 -!- K`Tetch_ [~no@047-039-211-239.res.spectrum.com] has quit [Changing host]
01:44 -!- K`Tetch_ [~no@unaffiliated/ktetch] has joined #se2600
01:47 -!- K`Tetch [~no@unaffiliated/ktetch] has quit [Ping timeout: 240 seconds]
02:04 -!- K`Tetch [~no@unaffiliated/ktetch] has joined #se2600
02:07 -!- K`Tetch_ [~no@unaffiliated/ktetch] has quit [Ping timeout: 240 seconds]
06:39 <@Evilpig> Mirage: yeah I saw that, just couldn't figure out why. best answer I had was this was their way to revert from a failed update instead of just having the last rpm around
07:48 <@Dolemite> mr0ning, be0tches and h0ez!
07:50 <@Mirage> Evilpig: My guess is that it's old stuff left in there that isn't really needed anymore. Of course I think this was originally created to grab for a different distro and I modified it to grab for CentOS.
08:02 -!- rpifan [~rpifan@p200300D26700BD4455C74F588BB5C145.dip0.t-ipconnect.de] has joined #se2600
08:15 -!- PigBot [~PigBot@wilpig.org] has quit [Ping timeout: 265 seconds]
08:22 * Evilpig throws his hands in the air and takes a victory lap
08:23 -!- PigBot [~PigBot@wilpig.org] has joined #se2600
08:23 <@Evilpig> our exchange admin is a fucking joke
08:23 <@Evilpig> he sends out an edict this morning saying we need to install named certs on our postfix relays immediately or they will no longer be able to send to office365
08:24 <@Evilpig> when I ask for the notice from microsoft on why this is required he sends back a screenshot saying that cert based authentication is an option and he doesn't want to allow everyone in our nat pool to relay through that connection so he's wanting certs.
08:24 <@Evilpig> fine. split my postfix relays out into their own connector, ass. problem solved.
08:25 <@Evilpig> and he has no reason not to because it's a reasonable request. when we set up our relay, because he refused, we went to great trouble to make sure we had unique external addresses for them to prevent this type of shit exactly
08:52 <@Dolemite> Evilpig: Your Exchange admin is officially more pedantic than the US Government
09:20 -!- dc0de [~jim@198.46.153.211] has quit [Remote host closed the connection]
09:24 <@Evilpig> Dolemite: he's done everything in his limited power to make us sending email difficult. It's a miracle that I have an o365 account and can call bs on his nonsense
09:24 -!- dc0de [~jim@198.46.153.211] has joined #se2600
09:25 -!- mode/#se2600 [+o dc0de] by ChanServ
09:28 <@Evilpig> Hello Linux,
09:28 <@Evilpig> We have run into an issue with one of our O365 connectors used for smtp email relay which is now requiring us to switch from IP access to using a certificate issued from a third party CA. I spoke to the SoftwareStore and they told me your team has a VUMC cert. Is this something you would be willing to provide me a copy of to install on the 2 SRFS servers? Or will I have to purchase a new one?
09:28 <@Evilpig> Also, as a result of the cert change to the connector your relay-trusted server(s) will also be required to have this same cert installed to be able to continue to relay email.
09:28 <@Evilpig> Once I have worked out this certificate my plan was to choose a time and implement this change.
09:28 <@Evilpig> here was his entire message.
09:28 <@Evilpig> since he's the exchange admin, he has a cert that has all of their exchange names on it because for some reason they couldn't use our wildcard but he seemingly doesn't know this
09:57 <@Dolemite> That sure does seem overly complicated. We simply force all outbound traffic through a single load balanced Proofpoint appliance for scrubbing and DKIM signature
10:55 <@Dagmar> Evilpig: The people mailing you are idiots
10:56 <@Dagmar> If they can't handle a publicly-issued cert, DO BUSINESS WITH SOMEONE ELSE
10:56 <@Dagmar> That's fucking idiocy
10:57 <@Dagmar> That whole "third party" thing is some bullshit. They've fallen for fraud or they are mentally incapable of doing the job for which they were hired
10:59 <@Dagmar> Fuck people who don't understand how email goddamn works
11:00 <@Dagmar> They can stick to SMS
11:03 <@Dagmar> ...or just barking at strangers
11:04 <@Dagmar> How the fuck does this guy have a job doing this and not even know how to use @#$@#$ openssl to look at what's in play
11:04 <@Dagmar> Oh wait, _Vanderbilt_ is why
11:20 < jb7od> certs are a scam.
11:22 < jb7od> I can't believe you guys are on o365. Sad to hear it actually. Surprised you're only just now being bayonetted into rooting yourselves with a cert.
11:28 < jb7od> Dagmar: I ran Exchange under openssl certs back when that was still possible. Somewhere during the o2k10 lifecycle it was changed to *require* 3rd party signed- and you have to pack it with a bunch of aliases that cert companies don't/won't add. I was crazy mad about this a couple of years ago- but yeah, certs are a scam. I think in another 50 years it'll be revealed that the only reason this push for certification is so that the Feds don't ev
11:28 < jb7od> er have to learn how to hack anything in order to spy on anyone they want.
11:51 <@Corydon76> I'm glad both that LetsEncrypt succeeded in destroying the certificate market, as well as that Chrome/Firefox managed to destroy the EV market.
11:51 <@Corydon76> All that's left for the big certificate makers are wildcards.
12:18 <@Dolemite> We are switching over to InCommon Certificate Manager. Unlimited certs for a fraction of what we've been paying to DigiCert.
12:20 < K`Tetch> letsencrypt is being a real PITA for my site
12:21 < K`Tetch> my host switched from cpanel to a new setup at the start of the month, added letsencrypt support (finally - I was on the beta list but couldn't use it)
12:21 < K`Tetch> since then, everything's been going weird
12:21 <@Dolemite> For my personal domains, Let's Encrypt is awesome and easy to use, since DigitalOcean supports API updates for the DNS-01 challenges.
12:21 <@Dolemite> However, for work, it's only viable for our publicly visible systems
12:22 < K`Tetch> my issue is getting the letsencrypt ones working on my end to cloudflare, then the cloudflare ones working out
12:22 <@brimstone> do you have internal clients where you don't control the CA?
12:23 <@Dolemite> brimstone: Yes, we have a lot of internal routes to other affiliate sites
12:23 <@Dolemite> We also have things using certificates that aren't websites, so HTTP-01 won't work for them, either
12:37 -!- dc0de1 [~jim@198.46.153.211] has joined #se2600
12:37 -!- mode/#se2600 [+o dc0de1] by ChanServ
12:40 -!- dc0de [~jim@198.46.153.211] has quit [Ping timeout: 256 seconds]
12:48 -!- dc0de1 is now known as dc0de
13:45 <@Evilpig> Dagmar: there's no doubt he's an idiot. this is the same guy that put in a request to us to lookup an mx record on a domain for him
13:45 <@Evilpig> same guy also asked if a domain has to have an A record for an MX record to function
13:53 <@Dolemite> I'm sure he's allergic to the command line, but sure he could at least learn to use mxtoolbox.com
13:53 <@Dolemite> s/but sure/but surely/
13:53 <@Dolemite> And don't call me Shirley
13:54 <@dc0de> heh
13:55 <@Evilpig> he was using mxtoolbox.com! he even sent me links to it
13:56 <@Dolemite> So he knows of its existence, just not how to use it.
13:59 <@Evilpig> I think the best part is he hasn't responded to my last email on the topic that was sent to him, his boss, and my entire workgroup at 8:16 that had two pictures of the exchange admin connector interface and
13:59 <@Evilpig> So this isn't a requirement but a preference. And there is no reason to have a single connector, you can have the two IPs that are attached to our postfix relays as their own connector, and probably should be for management reasons similarly to why we don't have every VUMC IT group in the same AD admin group.
14:00 <@Evilpig> his way of defending his email was a picture from that same admin page showing the option to pick an ssl verification method or an IP whitelist
14:13 < jb7od> K`Tetch: There's a letsencrypt site on this site that interferes on certain phone mail setups- they've got something wildcarded, it's only rare mobile (I'm wanting to say android outlook) but it's a nuisance. Surprised it's not a bigger problem.
14:30 <@Evilpig> exchange admin strikes again. ugh
14:31 <@Evilpig> all outbound mail is supposed to pass through this srfs gateway. the gateway will not send mail on if the from address is not one of the domains it is authoritative for. no matter if it is authoritative for the recipient
14:32 <@Evilpig> apparently one of the sharepoint apps is set to send email to some subdomain of ours and the return address is set to @vanderbilt.edu. so this piece of shit relay accepts the message and says nothing to the client and just silently drops the message
14:33 <@Evilpig> poof. gone. client asking why this message didn't get delivered and this ambulatory turd of an admin is pointing his finger at me saying we relayed the mail, talk to us
14:36 <@Evilpig> I still cannot fathom how as an email admin he could ever think that basing the decision if mail is going to get sent out of internal servers on the contents of the from field was ever a good idea
16:25 -!- dc0de [~jim@198.46.153.211] has quit [Ping timeout: 246 seconds]
16:29 -!- dc0de [~jim@198.46.153.211] has joined #se2600
16:29 -!- mode/#se2600 [+o dc0de] by ChanServ
16:35 -!- mode/#se2600 [+ooo xray rpifan K`Tetch] by dc0de
16:35 -!- mode/#se2600 [+ooo K4k_ jb7od dasunt] by dc0de
16:35 -!- mode/#se2600 [+o cordless] by dc0de
18:11 -!- rpifan_ [~rpifan@p200300D26700BD95BB210E8CEF0901F6.dip0.t-ipconnect.de] has joined #se2600
18:13 -!- rpifan [~rpifan@p200300D26700BD4455C74F588BB5C145.dip0.t-ipconnect.de] has quit [Ping timeout: 240 seconds]
18:28 -!- rpifan_ is now known as rpifan
20:50 -!- rpifan [~rpifan@p200300D26700BD95BB210E8CEF0901F6.dip0.t-ipconnect.de] has quit [Ping timeout: 244 seconds]
21:49 -!- K`Tetch_ [~no@047-039-211-239.res.spectrum.com] has joined #se2600
21:49 -!- K`Tetch_ [~no@047-039-211-239.res.spectrum.com] has quit [Changing host]
21:49 -!- K`Tetch_ [~no@unaffiliated/ktetch] has joined #se2600
21:52 -!- K`Tetch [~no@unaffiliated/ktetch] has quit [Ping timeout: 260 seconds]
--- Log closed Thu Apr 30 00:00:02 2020