eric

separating tcprules for smtp and submission works great. we have been
using this for years.

concerning the error tony is facing

i have noticed in the past that : intrusion threshold error (571 sorry,
you are violating our security policies) is received when the number of wrong
recipients gets triggered.

in case of outlook i have noted that it somehow does this

if i add a user in my address book in some cases it converts it into :
'u...@abc.com' -- ie with quotes at both ends

you can google : "outlook adds quotes to email address" and you will find
over 50000 results ... :) and there are hundreds of people complaining
about this stupidity of microsoft.

if an email is sent to the above email id then i get error : invalid host
: abc.com'

note the quote at the end ...

probably this is what triggers the intrusion policy rule
CHKUSER_MAXWRONGRCPT_STRING

when sending to 300 recipients especially with outlook there is every
possibility of this issue coming up.

on a side note : i feel that qmailtoaster would need a slight modification
to remove quotes and other non-permitted characters from both ends ie
starting and ending of the email id to take care of such issues of quotes.

rajesh


> These are all good things to do to QMT, and I hope to have separate
> tcprules for smtp and submission ports in the stock QMT at some point.
>
> Tony, from what you've indicated though, I expect it's the intrusion
> threshold rule that's biting you. I'm not certain what triggers this
> rule, and I could be wrong about this. Hopefully Tonino will clarify
> things in this regard.
>
> Please let us know if changing the CHKUSER_RCPTLIMIT variable gets you
> going or not.
>
> --
> -Eric 'shubes'
>
> On 12/24/2012 04:53 AM, Rajesh M wrote:
>> tony
>>
>> we faced similar problems and this is what we have done
>>
>> in the /var/qmail/supervise
>>
>> there are folders smtp and submission
>>
>> smtp is for people connecting on port 25 -- primarily external users
>> if you open smtp/run then you will see a line
>> TCP_CDB="/etc/tcprules.d/tcp.smtp.cdb"
>> this tcp.smtp.cdb is generated from the file tcp.smtp
>> when you run the command
>> tcprules tcp.smtp.cdb tcp.smtp.tmp < tcp.smtp
>> tcp.smtp contains the chkuser rules
>> since you already have spamdyke you don't need to set the maximum number
>> of recipients in chkuser
>> CHKUSER_RCPTLIMIT="150"
>>
>> coming to your specific problem is submission
>> transmission via submission port 587 is authenticated ie your clients
>> use it
>>
>> the submission/run file also uses the
>> TCP_CDB="/etc/tcprules.d/tcp.smtp.cdb" -- which is by default
>> this means that you will be compelled to use the same setting for smtp
>>
>> however what we have done is make a duplicate of tcp.smtp ie
>> tcp.smtp.587
>>
>> this allows me to have separate chkuser rules exclusively for the submission
>> port.
>>
>> next i created cdb file out of it using command
>> tcprules tcp.smtp.587.cdb tcp.smtp.587.tmp < tcp.smtp.587
>>
>> next i changed the submission/run file to use
>> TCP_CDB="/etc/tcprules.d/tcp.smtp.587.cdb"
>>
>> and i got a separate rule applied for submission port exclusively
>>
>> my smtp port has spamdyke and chkuser protecting it while my
>> authenticated
>> senders via submission port can enjoy unrestricted services
>>
>> if you want one single static ip to have a separate rule then
>>
>> you can add this line just above the allow: line in
>> /etc/tcprules.d/tcp.smtp.587
>>
>> xxx.xxx.xxx.:allow,CHKUSER_RCPTLIMIT="300"
>>
>> here xxx.xxx.xxx is the static ip of your customer
>>
>> NOTE : we have also compiled chkuser so that we can start or stop
>> chkuser
>> using the CHKUSER_START="ALWAYS" OR CHKUSER_START="NONE"
>>
>> rajesh
>>
>>
>>> Hi Eric,
>>>     Yes, it is on a static IP and that IP is in the whitelist for
>>> spamdyke.
>>> Also they are using the submission port for sending. The client has
>>> to use M$ Outlook unless you can suggest an alternative?
>>>    One point is that Outlook seems to attach everything as winmail.dat!
>>> Yet sometimes it attaches as a PDF.
>>>
>>> best wishes
>>>     Tony White
>>>
>>> Yea Computing Services
>>> http://www.ycs.com.au
>>> 4 The Crescent
>>> Yea
>>> Victoria
>>> Australia 3717
>>>
>>> Telephone No's
>>> VIC : 03 9008 5614
>>> FAX : 03 9008 5610 (FAX2Email)
>>>
>>>
>>>
>>>
>>> On 23/12/2012 03:40, Eric Shubert wrote:
>>>> I guess it's coming from chkuser after all. 571 is the
>>>> chkuser_intrusionthreshold_string.
>>>>
>>>> I don't see any variable setting for this threshold at
>>>> http://opensource.interazioni.it/qmail/chkuser/documentation/chkuser_settings.html
>>>> This would only be helpful though if the user was coming from a
>>>> specific
>>>> static IP address. Is this the case?
>>>>
>>>> Hey Tonino (chkuser author), any suggestions or insight?
>>>>
>>>> Thanks.
>>>>
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
> For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
>
>
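
The cleanup rajesh suggests at the top of this message, as an added example (not code from qmailtoaster, chkuser or any poster in this thread): it removes quotes only when a matching pair wraps the whole address, so a legitimately quoted local part is left alone, and shows which constructed recipients a host-character check scores as wrong before and after. The function names, the sample addresses and the host check are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

static const char *const SAMPLE[] = {   /* constructed samples, placeholder domain */
    "'user@example.com'",   /* whole address wrapped in single quotes */
    "\"bob@example.com\"",  /* whole address wrapped in double quotes */
    "alice@example.com",    /* clean */
    "\"a b\"@example.com",  /* quoted local part, legal in RFC 5321 */
};

/* Narrow (*s, *n) past one matching pair of ' or " that wraps the whole address. */
static void strip_wrapping_quotes(const char **s, size_t *n)
{
    if (*n >= 2 && (**s == '\'' || **s == '"') && (*s)[*n - 1] == **s) {
        (*s)++;
        *n -= 2;
    }
}

/* 1 if the text after the last '@' is non-empty and only [A-Za-z0-9.-]. */
static int host_is_valid(const char *s, size_t n)
{
    size_t at = n;                      /* becomes index just past the last '@' */
    while (at > 0 && s[at - 1] != '@')
        at--;
    if (at < 2 || at == n)              /* no '@', empty local part or empty host */
        return 0;
    for (size_t i = at; i < n; i++)
        if (!isalnum((unsigned char)s[i]) && s[i] != '-' && s[i] != '.')
            return 0;
    return 1;
}

/* 1 if this recipient would count as wrong (a model, not chkuser's code). */
static int rcpt_wrong(const char *raw, int sanitize)
{
    size_t n = strlen(raw);
    if (sanitize)
        strip_wrapping_quotes(&raw, &n);
    return !host_is_valid(raw, n);
}

int main(void)
{
    for (size_t i = 0; i < sizeof SAMPLE / sizeof SAMPLE[0]; i++)
        printf("%-22s raw:%d cleaned:%d\n", SAMPLE[i],
               rcpt_wrong(SAMPLE[i], 0), rcpt_wrong(SAMPLE[i], 1));
    return 0;
}
```

Stripping only a matching pair at both ends keeps the change narrow: an address with a stray quote on one side is still rejected rather than silently rewritten.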





