> On 06.04.2016 at 20:42, Michiel van Es <m...@pragmasec.nl> wrote:
> 
> 
>> On 06 Apr 2016, at 16:58, Michiel van Es <m...@pragmasec.nl> wrote:
>> 
>> 
>>> On 06 Apr 2016, at 13:52, Michiel van Es <m...@pragmasec.nl> wrote:
>>> 
>>> 
>>>> On 06 Apr 2016, at 13:38, Joerg Jung <m...@umaxx.net> wrote:
>>>> 
>>>> 
>>>> 
>>>>> On 06.04.2016 at 13:08, Michiel van Es <m...@pragmasec.nl> wrote:
>>>>> 
>>>>> Hello,
>>>>> 
>>>>> I also posted this as an issue to the OpenSMTPD github repo but somebody 
>>>>> told me that the mailing list would be more accurate to post this question 
>>>>> to (I will remove the github issue if preferred).
>>>>> 
>>>>> It seems whenever I use filter-dnsbl with several hostnames, the lookups 
>>>>> always fail.
>>>>> I tried using ipv6 lookups (although this is something opensmtpd does 
>>>>> right?) and have the latest version of the master branch of 
>>>>> OpenSMTPD-Extras (where this ipv4/ipv6 problem was solved with an earlier 
>>>>> similar issue?).
>>>> 
>>>> All v6 addresses are just accepted by filter-dnsbl.
>>>> There is no lookup happening for v6 addresses
>>>> (just not implemented).
>>> 
>>> ok, then I won’t use IPv6 for now :)
>>> 
>>>> 
>>>>> The error I get is:
>>>>> smtp-in: New session 81cf3e1a4d9ef916 from host pro-mail-smtp-001.bol.com [185.14.168.222]
>>>>> filter-pause[1337]: debug: on_connect: sleeping 5
>>>>> filter-dnsbl-spamhaus[1336]: debug: on_connect: checking 222.168.14.185.zen.spamhaus.org.
>>>>> filter-dnsbl-spamhaus[1336]: warn: session 81cf3e1a4d9ef916: event_dispatch: REJECT address
>>>>> smtp-in: Failed command on session 81cf3e1a4d9ef916: "" => 554 5.7.1 Address in DNSBL
>>>>> smtp-in: Closing session 81cf3e1a4d9ef916
>>>>> debug: smtp: 0x24460a0: deleting session: done
>>>> 
>>>> This looks legit.
>>>> Have you tried to look up/verify the IP manually 
>>>> at the time this happened, was it listed?
>>> 
>>> No and I know this ip (it's the MX for my company and they/we do checks via 
>>> Nagios on most DNSBLs)
>>> A lookup shows:
>>> 
>>> 185.14.168.222 is not listed in the SBL
>>> 185.14.168.222 is not listed in the PBL
>>> 185.14.168.222 is not listed in the XBL
>>> 
>>> or PTR
>>> 
>>> 222.168.14.185.zen.spamhaus.org is not listed in the DBL
>>> 
>>> I tried this config with the Google DNS servers and using a caching 
>>> localhost dns (with forwarders to OpenNIC servers) - no difference
>> 
>> Also tried with some more debugging and now tried the default SORBS dnsbl, 
>> the result (with strace and smtpctl trace all):
>> 
>> r_session@0x1fc28a0[datalen=0,eom=(nil),ofile=(nil)]]
>> mproc: pony -> filter-proc : 100 IMSG_CTL_FAIL
>> filter: waiting for running query 
>> 511e5d1fe40dcd9c[QUERY_CONNECT=178.21.114.197 <-> 
>> 185.14.169.222(pro-mail-smtp-002.bol.com),filter_session@0x1fc28a0[datalen=0,eom=(nil),ofile=(nil)]]
>> filter-pause[9835]: debug: on_connect: sleeping 5
>> filter: imsg IMSG_FILTER_RESPONSE from procfilter 
>> filter-pause[hooks=0xffffffff,flags=0x0000]
>> filter: filter_drain_query 511e5d1fe40dcd9c[QUERY_CONNECT=178.21.114.197 <-> 
>> 185.14.169.222(pro-mail-smtp-002.bol.com),filter_session@0x1fc28a0[datalen=0,eom=(nil),ofile=(nil)]]
>> filter: running filter filter:filter-regex[hooks=0xffffffff,flags=0x0000] 
>> for query 511e5d1fe40dcd9c[QUERY_CONNECT=178.21.114.197 <-> 
>> 185.14.169.222(pro-mail-smtp-002.bol.com),filter_session@0x1fc28a0[datalen=0,eom=(nil),ofile=(nil)]]
>> mproc: pony -> filter-proc : 100 IMSG_CTL_FAIL
>> filter: waiting for running query 
>> 511e5d1fe40dcd9c[QUERY_CONNECT=178.21.114.197 <-> 
>> 185.14.169.222(pro-mail-smtp-002.bol.com),filter_session@0x1fc28a0[datalen=0,eom=(nil),ofile=(nil)]]
>> filter: imsg IMSG_FILTER_RESPONSE from procfilter 
>> filter-regex[hooks=0xffffffff,flags=0x0000]
>> filter: filter_drain_query 511e5d1fe40dcd9c[QUERY_CONNECT=178.21.114.197 <-> 
>> 185.14.169.222(pro-mail-smtp-002.bol.com),filter_session@0x1fc28a0[datalen=0,eom=(nil),ofile=(nil)]]
>> filter: running filter 
>> filter:filter-dnsbl-sorbs[hooks=0xffffffff,flags=0x0000] for query 
>> 511e5d1fe40dcd9c[QUERY_CONNECT=178.21.114.197 <-> 
>> 185.14.169.222(pro-mail-smtp-002.bol.com),filter_session@0x1fc28a0[datalen=0,eom=(nil),ofile=(nil)]]
>> mproc: pony -> filter-proc : 100 IMSG_CTL_FAIL
>> filter: waiting for running query 
>> 511e5d1fe40dcd9c[QUERY_CONNECT=178.21.114.197 <-> 
>> 185.14.169.222(pro-mail-smtp-002.bol.com),filter_session@0x1fc28a0[datalen=0,eom=(nil),ofile=(nil)]]
>> filter-dnsbl-sorbs[9834]: debug: on_connect: checking 
>> 222.169.14.185.dnsbl.sorbs.net.
>> filter-dnsbl-sorbs[9834]: warn: session 511e5d1ea5ee10d1: event_dispatch: 
>> REJECT address
>> filter: imsg IMSG_FILTER_RESPONSE from procfilter 
>> filter-dnsbl-sorbs[hooks=0xffffffff,flags=0x0000]
>> filter: filter_drain_query 511e5d1fe40dcd9c[QUERY_CONNECT=178.21.114.197 <-> 
>> 185.14.169.222(pro-mail-smtp-002.bol.com),filter_session@0x1fc28a0[datalen=0,eom=(nil),ofile=(nil)]]
>> filter: filter_end_query 511e5d1fe40dcd9c[QUERY_CONNECT=178.21.114.197 <-> 
>> 185.14.169.222(pro-mail-smtp-002.bol.com),filter_session@0x1fc28a0[datalen=0,eom=(nil),ofile=(nil)]]
>> filter: query 511e5d1fe40dcd9c done: status=FILTER_CLOSE code=554 
>> response="5.7.1 Address in DNSBL"
>> smtp: 0x20ae090: >>> 554 5.7.1 Address in DNSBL
>> smtp-in: Failed command on session 511e5d1ea5ee10d1: "" => 554 5.7.1 Address 
>> in DNSBL
>> smtp: 0x20ae090: STATE_CONNECTED -> STATE_QUIT
>> smtp: 0x20ae090: IO_LOWAT <io:0x20ae0d8 fd=4 to=300000 fl=W ib=0 ob=0>
>> smtp-in: Closing session 511e5d1ea5ee10d1
>> debug: smtp: 0x20ae090: deleting session: done
>> 
>> The hostname is interesting, it seems to do a lookup of 
>> 222.169.14.185.dnsbl.sorbs.net. => on_connect: checking 
>> 222.169.14.185.dnsbl.sorbs.net.
>> 
>> Of course the . at the end makes it an invalid hostname and a check on 
>> SORBS tells me the same: Bad host/domain 222.169.14.185.dnsbl.sorbs.net.
>> 
>> Using without the . at the end I get: [222.169.14.185.dnsbl.sorbs.net] Not 
>> found in the database
>> Trying the ip and the hostname of the MX:  [185.14.169.222/32] Not found in 
>> the database & [pro-mail-smtp-002.bol.com] Not found in the database
>> 
>> So I am a little bit lost here what is going wrong with the lookups..
>> Can I have more debugging of the filter-dnsbl option?
> 
> The interesting thing is that also on Ubuntu LTS 16.04 packaged 
> opensmtp-extras the filter-dnsbl fails but with a different error message:

The packaged version might be too old, 
missing some bug fixes.
Please test with latest snap.

> lstat("/var/spool/smtpd/offline", {st_mode=S_IFDIR|S_ISVTX|0777, 
> st_size=4096, ...}) = 0
> open("/var/spool/smtpd/offline", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 
> 5
> fstat(5, {st_mode=S_IFDIR|S_ISVTX|0777, st_size=4096, ...}) = 0
> getdents(5, /* 2 entries */, 32768)     = 48
> getdents(5, /* 0 entries */, 32768)     = 0
> close(5)                                = 0
> write(2, "debug: smtpd: offline scanning d"..., 36debug: smtpd: offline 
> scanning done
> ) = 36
> epoll_wait(3,
> debug: smtp: new client on listener: 0xf68180
> smtp-in: session fdbb37cd0253c15c: connection from host 
> pro-mail-smtp-001.bol.com [185.14.168.222] established
> debug: filter-pause: sleeping 5
> debug: filter-dnsbl: checking 222.168.14.185.zen.spamhaus.org.
> smtp-in: session fdbb37cd0253c15c: received invalid command: ""
> smtp-in: session fdbb37cd0253c15c: connection from host 
> pro-mail-smtp-001.bol.com [185.14.168.222] closed (client sent QUIT)
> debug: smtp: 0xf89ba0: deleting session: done
> 
> Is filter-dnsbl even working for some of you? It looks like the filter-dnsbl 
> can not get a correct answer (received invalid command: “”)
> 
>> 
>>> 
>>>> 
>>>>> My (snippet of relevant) config is:
>>>>> 
>>>>> # filters
>>>>> filter filter-pause pause
>>>>> filter filter-regex regex
>>>>> #filter filter-dnsbl-sorbs dnsbl
>>>>> #filter filter-dnsbl-surriel dnsbl "-dv" "-h psbl.surriel.com"
>>>>> #filter filter-dnsbl-spamhaus dnsbl "-h" "zen.spamhaus.org"
>>>>> filter filter-spamassassin spamassassin "-s accept"
>>>>> filter filter-clamav clamav
>>>>> #filter all chain filter-pause filter-regex filter-dnsbl-surriel filter-dnsbl-spamhaus filter-spamassassin filter-clamav
>>>>> filter all chain filter-pause filter-regex filter-spamassassin filter-clamav
>>>>> #filter all chain filter-pause filter-regex filter-dnsbl-spamhaus filter-spamassassin filter-clamav
>>>>> filter sub chain filter-pause filter-spamassassin filter-clamav
>>>>> # pki/ssl/certs
>>>>> pki server.pragmasec.nl key "/etc/letsencrypt/archive/server.pragmasec.nl/privkey1.pem"
>>>>> pki server.pragmasec.nl certificate "/etc/letsencrypt/archive/server.pragmasec.nl/fullchain1.pem"
>>>>> # listen
>>>>> listen on lo
>>>>> listen on eth0 port 25 filter all hostname server.pragmasec.nl tls pki server.pragmasec.nl
>>>>> listen on eth0 port 587 filter sub hostname server.pragmasec.nl tls-require pki server.pragmasec.nl auth mask-source
>>>>> # queue expiry
>>>>> expire 7d
>>>>> # virtual domains and users
>>>>> table vdomains "/usr/local/etc/vdomains"
>>>>> table vusers "/usr/local/etc/vusers"
>>>>> # our accepted relays
>>>>> accept from any for domain <vdomains> virtual <vusers> deliver to mda "/usr/lib/dovecot/dovecot-lda -f %{sender} -a %{rcpt}"
>>>>> accept from local for any relay
>>>>> 
>>>>> Using Ubuntu 14.04.3 LTS with git branch of opensmtpd (OpenSMTPD 5.9.1p1)
>>>>> 
>>>>> What can I do to troubleshoot or further investigate this?
>>>> 
>>>> Validate manually with a listed and non-listed IP.
>>>> Try to rule out local resolving problems.
>>> 
>>> It seems everything is listed through the filter rule..even using Gmail or 
>>> other big mail servers.
>>> 
>>>> 
>>>>> Are there any other spam filters that I can use or might be handy to 
>>>>> follow RFCs? For example I do use some HELO checks but I think there 
>>>>> might be more than the ones I have:
>>>>> 
>>>>> # reject helo with leading or trailing dot, and without dots (non-FQDN)
>>>>> # skipping address literals
>>>>> helo ! ^\[
>>>>> helo ^\.
>>>>> helo \.$
>>>>> helo ^[^\.]*$
>>>> 
>>>> In general OpenSMTPD is RFC-conformant. 
>>>> This helo check is just an additional hard restriction.
>>>> 
>>>> There are other restrictions possible like enforcing
>>>> line lengths or forcing valid reverse lookups, but 
>>>> these might not help but likely break legit mails.
>>> 
>>> Hmm then I keep it as is, thanks for the feedback!
>>> 
>>>> 
>>>>> Michiel
>>>>> -- 
>>>>> You received this mail because you are subscribed to misc@opensmtpd.org
>>>>> To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
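
Added example (not part of the original thread, and not code from OpenSMTPD or OpenSMTPD-Extras): one way to carry out the "validate manually with a listed and non-listed IP" advice above, so that a resolver path which answers every DNSBL query is detected before any verdict is trusted. The function names are hypothetical; the resolver is passed in as a parameter so the logic can also be exercised offline.

```python
import ipaddress
import socket

# Spamhaus documents 127.255.255.0/24 answers as error codes, not listings.
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")
LISTING_NET = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_name(ip, zone):
    """Reversed IPv4 octets + zone; a trailing dot on the zone only marks it fully qualified."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.rstrip(".")

def system_resolve(name):
    """A records via the system resolver; [] on any failure (NXDOMAIN and errors look alike here)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.gaierror, socket.herror):
        return []

def classify(answers):
    """Only answers inside 127.0.0.0/8 (minus the error range) mean 'listed'."""
    if not answers:
        return "not-listed"
    addrs = [ipaddress.ip_address(a) for a in answers]
    if any(a in ERROR_NET for a in addrs):
        return "dnsbl-error"
    if all(a in LISTING_NET for a in addrs):
        return "listed"
    return "resolver-problem"  # e.g. a resolver that rewrites NXDOMAIN

def self_test(zone, resolve=system_resolve):
    """RFC 5782 test points: 127.0.0.2 must be listed, 127.0.0.1 must not be."""
    listed = classify(resolve(dnsbl_name("127.0.0.2", zone)))
    clean = classify(resolve(dnsbl_name("127.0.0.1", zone)))
    return {"127.0.0.2": listed, "127.0.0.1": clean,
            "trustworthy": listed == "listed" and clean == "not-listed"}

def check(ip, zone, resolve=system_resolve):
    """Verdict for one address, refused when the zone fails its own test points."""
    if not self_test(zone, resolve)["trustworthy"]:
        return "untrusted-path"
    return classify(resolve(dnsbl_name(ip, zone)))

if __name__ == "__main__":
    # Zones and address taken from the thread; results depend on your resolver.
    for zone in ("zen.spamhaus.org", "dnsbl.sorbs.net"):
        print(zone, self_test(zone), check("185.14.168.222", zone))
```

If the self-test fails for every zone, the problem lies between the host and the list (resolver, forwarder, or the list refusing the query), not with the sending address.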