Re: [Mimedefang] $Sender - Return-Path
On Nov 18, 2014, at 12:01, Fredrik Pettai pet...@nordu.net wrote:

> We noted that this filter function didn't work although both criteria seemed to be true. It turns out that $Sender isn't the email address of the From: header in those cases; instead $Sender is set to the email address of the Return-Path header. Maybe this has always been the case, and we were just lucky until now…

Ok, I get it. $Sender is set to what comes from the MAIL FROM: … command, nothing else. So we'll have to rewrite our filter to match on From: too…

/P

___
NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it.
Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] $Sender - Return-Path
On Tue, 18 Nov 2014 12:01:27 +0100 Fredrik Pettai pet...@nordu.net wrote:

> It turns out that $Sender isn't the email address of the From: header in those cases; instead $Sender is set to the email address of the Return-Path header.

Strictly speaking, $Sender is whatever the other end used in the MAIL From:... SMTP command. MIMEDefang has worked this way since the very beginning.

> I guess the question is if it's possible to avoid having Return-Path ending up in $Sender, or if we should do the matching against $Sender (or something else) in a different way? (We don't want to put in all possible Return-Path email addresses in the $Sender matching.)

You need to parse the headers yourself to pick out the From: header sender; you can open the file ./HEADERS and pick out the address. Alternatively, I believe you can get the header with:

    $entity->head->get('From')

where $entity is the top-level MIME entity passed to filter_begin or filter_end. To extract just the mail address and not any extraneous text on the From: line, you can use the Perl module Mail::Address, which has a parse() method.

Regards,

David.
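A filter fragment that does what David describes, matching on both the envelope sender and the From: header address. This is an added example, not code from the thread or from MIMEDefang itself; it assumes $Sender still carries the angle brackets from MAIL FROM, and the watched address list and demo inputs are constructed.

```perl
use strict;
use warnings;
use Mail::Address;

# Constructed sample of addresses the filter should act on.
my %watched = map { $_ => 1 } ('alerts@example.net');

# Normalise what MIMEDefang hands us in $Sender: the MAIL FROM argument,
# assumed here to still carry its angle brackets, e.g. <bounce@lists.example.org>.
sub envelope_address {
    my ($sender) = @_;
    return '' unless defined $sender;
    $sender =~ s/^\s*<\s*//;
    $sender =~ s/\s*>\s*$//;
    return lc $sender;
}

# Extract the bare address from a From: header value such as
# '"Alerts" <Alerts@Example.NET>'; Mail::Address handles phrases and comments.
sub header_address {
    my ($from) = @_;
    return '' unless defined $from;
    my ($addr) = Mail::Address->parse($from);
    return $addr ? lc $addr->address : '';
}

# True when either the envelope sender or the From: address is on the list.
sub is_watched {
    my ($sender, $from_header) = @_;
    return 1 if $watched{ envelope_address($sender) };
    return 1 if $watched{ header_address($from_header) };
    return 0;
}

# Inside filter_end this would be called as:
#   is_watched($Sender, $entity->head->get('From'))
# Constructed demo input: a bounce address in MAIL FROM, the watched address only in From:.
my $sender = '<bounce-42@lists.example.org>';
my $from   = '"Alerts" <Alerts@Example.NET>';
printf "envelope=%s header=%s watched=%d\n",
    envelope_address($sender), header_address($from), is_watched($sender, $from);
```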
Re: [Mimedefang] helo callback
> Check the Sendmail source. It seems to me that the version I checked (8.14.5) lets the HELO go by successfully even if the milter says not to.

Yep. 8.14.9 still has the bug that I see first referenced back in 2004. The routine in sendmail/srvrsmtp.c where I suspect the bug resides is a small 2800 lines long. I'll be happy to see what I can accomplish.

Dale Moore
[Mimedefang] Sendmail source (was Re: helo callback)
On Tue, 18 Nov 2014 14:51:14 -0500 Dale Moore dale.mo...@cs.cmu.edu wrote:

> The routine in sendmail/srvrsmtp.c where I suspect the bug resides is a small 2800 lines long.

Ah, you think it's 2800 lines long. Run it through the C preprocessor to expand all the horrible macros. The MILTER_REPLY macro alone is more than 60 lines long.

Sendmail source code should be in a text book, in the cautionary tales chapter. :)

Regards,

David.

(I guess I shouldn't complain that much... I do use it after all!)
Re: [Mimedefang] Net::DNS referral section for a Domain?
On 2014-11-13 23:44, Kevin A. McGrail wrote:

> Trying to do some checks on spam by nameservers but I can't figure out how to find the referral nameservers for a domain from the root servers.

You need to figure out what the root name servers for a TLD are, first. It depends a bit on how thorough you want to be. Something like this would probably work:

    my ($tld) = $fqdn =~ /\.([\w-]+)\.?$/;
    $resolver ||= Net::DNS::Resolver->new();
    my $answer = $resolver->send($tld, 'NS');
    if ( $answer and $answer->header->rcode eq 'NOERROR' ) {
        @tld_nameserver = map { $_->nsdname } grep { $_->type eq 'NS' } $answer->answer;
    } else {
        # TLD doesn't exist...
    }

That will give you the nameservers of a TLD, given an FQDN. At least, in every case that I'm aware of. There's a slim possibility that a TLD is actually served by the root name servers, in which case you get nothing querying for the name servers of that TLD. If you want to tackle that case, you have to first get the root name servers ( $resolver->send('.', 'NS') ), then specifically ask one of those name servers for the FQDN, without the recursion flag. You'd get back the first level nameservers as a reference in the authority section.

If you want to get any further, it's going to be a bit of a hassle. You either have to keep chasing after each NS reference using non-recursive queries, or use something like the publicsuffix.org project to determine the appropriate top level domain. But both cases will likely give you another answer as to what the nameservers of a domain are, and it depends on what you are looking for, what the right answer is.

> This snippet gets the SOA records which don't have to agree with whois, for example:

Err... SOA? I think you mean NS records.

> ns3.pccc.com
> ns.2rad.net
> ns.pccc.com
> ns2.pccc.com
>
> But perhaps it's because our system will check and the servers are authoritative.
>
> What we want is the equivalent of a dig +trace referral record which would be:
>
> ;; Received 486 bytes from 198.41.0.4#53(a.root-servers.net) in 9 ms
> pccc.com. 172800 IN NS ns.pccc.com.
> pccc.com. 172800 IN NS ns2.pccc.com.
> pccc.com. 172800 IN NS ns3.pccc.com.

That difference is caused by the fact that your registrar only lists {ns,ns2,ns3}.pccc.com as name servers, while those name servers also list ns.2rad.net. So you'd see that extra name server depending on whether the caching name servers where you're sending the queries previously queried that domain. Normally, domains wouldn't exhibit this sort of behaviour (and if you want my advice - drop the extra nameserver, it'll only cause confusion).

-- 
Jan-Pieter Cornet joh...@xs4all.nl
Any sufficiently advanced incompetence is indistinguishable from malice. - Grey's Law
[Mimedefang] Net::DNS referral section for a Domain?
Trying to do some checks on spam by nameservers but I can't figure out how to find the referral nameservers for a domain from the root servers.

For example, this snippet is NOT what I need, I don't think:

    use Net::DNS;
    my $res = Net::DNS::Resolver->new;
    my $reply = $res->query('pccc.com', 'NS');
    if ($reply) {
        foreach my $rr (grep { $_->type eq 'NS' } $reply->answer) {
            print $rr->nsdname, "\n";
        }
    } else {
        warn "query failed: ", $res->errorstring, "\n";
    }

This snippet gets the SOA records which don't have to agree with whois, for example:

    ns3.pccc.com
    ns.2rad.net
    ns.pccc.com
    ns2.pccc.com

But perhaps it's because our system will check and the servers are authoritative.

What we want is the equivalent of a dig +trace referral record which would be:

    ;; Received 486 bytes from 198.41.0.4#53(a.root-servers.net) in 9 ms
    pccc.com. 172800 IN NS ns.pccc.com.
    pccc.com. 172800 IN NS ns2.pccc.com.
    pccc.com. 172800 IN NS ns3.pccc.com.

Any thoughts on how to do that programmatically with Net::DNS?

Regards,
KAM
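The referral walk Jan-Pieter describes (learn the root servers, then ask non-recursively and follow the NS records in the authority section until an authoritative answer), as an added example written for this thread, not code from the posters or from Net::DNS. It needs network access, uses the site resolver only to bootstrap the root servers, and resolves referral hosts from glue in the additional section with a recursive lookup as fallback; pccc.com is the thread's domain and serves as the default input.

```perl
use strict;
use warnings;
use Net::DNS;

# Resolve name server hostnames: prefer glue from the packet's additional
# section, fall back to the bootstrap resolver for glueless delegations.
sub ns_addresses {
    my ($boot, $pkt, @names) = @_;
    my %glue;
    for my $rr (grep { $_->type eq 'A' } $pkt->additional) {
        push @{ $glue{ lc $rr->name } }, $rr->address;
    }
    my @addrs;
    for my $name (@names) {
        if ($glue{ lc $name }) {
            push @addrs, @{ $glue{ lc $name } };
            next;
        }
        my $reply = $boot->send($name, 'A') or next;
        push @addrs, map { $_->address } grep { $_->type eq 'A' } $reply->answer;
    }
    return @addrs;
}

# Walk the delegation chain for $fqdn the way dig +trace does.  Returns the
# zone of the last referral and the NS names the parent zone handed out,
# which is the "referral record" asked for in the thread.
sub referral_nameservers {
    my ($fqdn, $max_hops) = @_;
    $max_hops ||= 10;

    my $boot = Net::DNS::Resolver->new;    # site resolver, used only to bootstrap
    my $root = $boot->send('.', 'NS')
        or die 'root NS lookup failed: ' . $boot->errorstring . "\n";
    my @ns = map { $_->nsdname } grep { $_->type eq 'NS' } $root->answer;
    die "could not learn the root servers\n" unless @ns;
    my @servers = ns_addresses($boot, $root, @ns);

    my ($zone, @referral) = ('.', @ns);
    for (1 .. $max_hops) {
        my $res = Net::DNS::Resolver->new(nameservers => [@servers], recurse => 0);
        my $pkt = $res->send($fqdn, 'NS')
            or die "query at $zone failed: " . $res->errorstring . "\n";
        my @auth = grep { $_->type eq 'NS' } $pkt->authority;
        # An authoritative answer (or no NS in the authority section) means the
        # servers from the previous referral own the name; stop here.
        last if $pkt->header->aa or not @auth;
        my $cut = lc $auth[0]->name;
        last if $cut eq $zone;    # same zone again: no deeper delegation
        ($zone, @referral) = ($cut, map { $_->nsdname } @auth);
        @servers = ns_addresses($boot, $pkt, @referral);
        die "no reachable name servers for $zone\n" unless @servers;
    }
    return ($zone, @referral);
}

my $name = shift @ARGV || 'pccc.com';
my ($zone, @ns) = referral_nameservers($name);
print "$zone. IN NS $_\n" for @ns;
```

Because every hop is non-recursive and addressed to the parent's servers, the output reflects what the registrar published at the delegation, not what a caching resolver or the child zone's own NS set says.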
Re: [Mimedefang] helo callback
On Fri, 7 Nov 2014 13:06:29 -0500 Dale Moore dale.mo...@cs.cmu.edu wrote:

> Client: Helo naughtywords
> Mimedefang filter_helo: return('REJECT', 'I do not like naughtywords');
> Server: 220 somehost.cs.cmu.edu Hello someclient.cs.cmu.edu [128.2.x.x], pleased to meet you
> Client: Mail From:somevalidaddr...@cs.cmu.edu
> Mimedefang filter_sender: return('CONTINUE');
> Server: 554 5.7.1 I do not like naughtywords
> [...]
> Explanations appreciated.

Check the Sendmail source. It seems to me that the version I checked (8.14.5) lets the HELO go by successfully even if the milter says not to.

Regards,

David.
Re: [Mimedefang] detect failed auth
On 10/9/2014 4:37 AM, Tomasz Ostrowski wrote:

> On 2014-09-10 16:29, David F. Skoll wrote:
>
>> Sep 10 10:28:04 vanadium sm-mta[2670]: s8AEQtDU002670: d...@hydrogen.roaringpenguin.com [192.168.10.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA-v6
>
> I've recently configured fail2ban on my CentOS5 server with blocking based solely on this line:
>
> Oct 9 10:17:38 batyskaf sendmail[16834]: s998Gc97016834: cpe-173-88-252-250.neo.res.rr.com [173.88.252.250] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

We had the same issue and worked with Claus Assman, who put us in touch with Jim Hranicky to get a patch for sendmail 8.14.5 for this issue. It needs some eyes on it though, as we've tried to make it compatible with multiple versions of SASL.

So based on / inspired by a patch from Jim Hranicky contributed to sendmail.org is a first pass at logging Auth failures. Anyone able to do some testing with it? It compiles and doesn't blow things up, but we need to put this on a server with SASL 2.0. I don't want to delay other people testing it because I've had this sitting on my to-do list for a month+.

Regards,
KAM

--- /tmp/srvrsmtp.c Fri Nov 7 15:37:19 2014 +++ ./srvrsmtp.cFri Nov 7 16:01:19 2014 @@ -593,6 +593,7 @@ volatile int authenticating; char *user; char *in, *out2; + char auth_user[256]; # if SASL = 2 char *auth_id = NULL; const char *out; @@ -1309,9 +1310,11 @@ in = xalloc(strlen(inp) + 1); result = sasl_decode64(inp, strlen(inp), in, strlen(inp), inlen); +(void) sm_strlcpy(auth_user, in, sizeof(auth_user)); # else /* SASL = 2 */ out = xalloc(strlen(inp)); result = sasl_decode64(inp, strlen(inp), out, outlen); + (void) sm_strlcpy(auth_user, out, sizeof(auth_user)); # endif /* SASL = 2 */ if (result != SASL_OK) { 
@@ -1471,9 +1474,9 @@ { /* not SASL_OK or SASL_CONT */ message(535 5.7.0 authentication failed); - if (LogLevel 9) + if (LogLevel = 9) sm_syslog(LOG_WARNING, e-e_id, - AUTH failure (%s): %s (%d) %s, relay=%.100s, + AUTH failure (1) (%s): %s (%d) %s, relay=%.100s user=%s, auth_type, sasl_errstring(result, NULL, NULL), @@ -1483,6 +1486,7 @@ # else /* SASL = 2 */ errstr == NULL ? : errstr, # endif /* SASL = 2 */ + auth_user, CurSmtpClient); RESET_SASLCONN; authenticating = SASL_NOT_AUTH; @@ -1699,6 +1703,7 @@ result = sasl_decode64(q, strlen(q), in, inlen); # endif /* SASL = 2 */ + (void) sm_strlcpy(auth_user, in, sizeof(auth_user)); if (result != SASL_OK) { message(501 5.5.4 cannot BASE64 decode '%s', @@ -1738,9 +1743,9 @@ if (result != SASL_OK result != SASL_CONTINUE) { message(535 5.7.0 authentication failed); - if (LogLevel 9) + if (LogLevel = 9) sm_syslog(LOG_ERR, e-e_id, - AUTH failure (%s): %s (%d) %s, relay=%.100s, + AUTH failure (2) (%s): %s (%d) %s, relay=%.100s user=%s, p, sasl_errstring(result, NULL, NULL), @@ -1750,6 +1755,7 @@ # else /* SASL = 2 */ errstr, # endif /* SASL = 2 */ + auth_user, CurSmtpClient); RESET_SASLCONN; break;
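Review bot: In the @@ -593 hunk, `char auth_user[256];` is declared without an initializer, while both `AUTH failure` log calls later in the patch print it unconditionally; the only writes are the `sm_strlcpy` copies in the @@ -1309 and @@ -1699 hunks, and nothing guarantees one of them ran before a failure is logged (for example an AUTH command that fails in `sasl_server_start` before any client response was decoded). Suggest `char auth_user[256] = "";` at the declaration, and printing `auth_user[0] != '\0' ? auth_user : "(none)"` so the log line is unambiguous.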
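Review bot: In the @@ -1309 hunk (and again in @@ -1699), `(void) sm_strlcpy(auth_user, in, sizeof(auth_user));` runs before `if (result != SASL_OK)`, so on a base64 decode failure the buffer is filled from partially written or stale data; move each copy below the result check. Note also that what was decoded is the raw mechanism response, not a user name: for PLAIN it is `authzid NUL authcid NUL password`, so the copy stops at the first NUL and usually yields an empty authorization identity rather than the login, and for challenge-response mechanisms the bytes are not printable at all. Since the value is chosen by the remote client, it should be reduced to printable characters without spaces before it is handed to `sm_syslog`, particularly if fail2ban is going to regex this line as the quoted messages describe.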
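Review bot: In the @@ -1471 / @@ -1483 hunks the format string and the argument list no longer line up: the format becomes `relay=%.100s user=%s`, but `+ auth_user,` is inserted before `CurSmtpClient);`, so `relay=` receives the decoded user string and `user=` receives the client address. Either put `user=%s` ahead of `relay=%.100s` in the format, or add `auth_user` after `CurSmtpClient`; as written, a client-chosen string lands in the `relay=` field that a fail2ban filter would key on. The change to the `LogLevel` comparison in the same hunk also alters when the pre-existing failure line is logged and deserves its own mention in the patch description.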
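Review bot: The @@ -1738 / @@ -1750 hunks carry the same ordering problem: `relay=%.100s user=%s` with `+ auth_user,` placed before `CurSmtpClient);` swaps the two fields in the `AUTH failure (2)` line. Apply whichever fix is chosen for the `(1)` message here as well, so both lines have the same layout and one fail2ban regex covers both.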
[Mimedefang] Slightly OT: Sendmail config option for accepting user.n...@domain.com
I don't remember unconfiguring this -- but my system currently doesn't accept mail at the full name user field like it used to. I wonder if over time I managed to turn it off.

What's the config option so that sendmail accepts mail to a user's Full Name field? (like mine is Ben Kamen -- so ben.ka...@benjammin.net should work - but it doesn't.)

Thanks,

-Ben

p.s. When did Sendmail get sold? I wonder if this is a good or bad thing. :O
Re: [Mimedefang] Slightly OT: Sendmail config option for accepting user.n...@domain.com
On 10/23/2014 11:36 AM, Ben Kamen wrote:

> I don't remember unconfiguring this -- but my system currently doesn't accept mail at the full name user field like it used to. I wonder if over time I managed to turn it off.
>
> What's the config option so that sendmail accepts mail to a user's Full Name field? (like mine is Ben Kamen -- so ben.ka...@benjammin.net should work - but it doesn't.)

Sendmail was acquired last October by Proofpoint. So far, I haven't seen much impact and Sendmail, Inc. was commercial before that supporting Opensource as well. One of the good examples of a company built on open source that seems to do a good job of supporting the community and still keeping the lights on.

I'm not aware of a full name option (doesn't mean it doesn't exist) but you could add a file called virtusertable and put in a line that routes the alias to your local account such as:

    ben.ka...@benjammin.net\bkamen

Then compile it, etc.

Your sendmail.mc will need something like this line which activates the feature and tells it the hash is in /etc/mail/virtusertable.db

    FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable')dnl

Regards,
KAM
Re: [Mimedefang] Slightly OT: Sendmail config option for accepting user.n...@domain.com
On Thu, 23 Oct 2014 10:36:13 -0500 Ben Kamen bka...@benjammin.net wrote:

> What's the config option so that sendmail accepts mail to a user's Full Name field?

There's a really ancient Sendmail configuration directive that makes it look at the gecos field of /etc/passwd.

    define(`confMATCH_GECOS',`true')dnl

http://docstore.mik.ua/orelly/other/Docs/oreilly/other2/Sendmail_3rd/1565928393_ch24-34890.html

Regards,

David.
Re: [Mimedefang] Slightly OT: Sendmail config option for accepting user.n...@domain.com
On 2014-10-23 11:29 AM, Kevin A. McGrail wrote:

> On 10/23/2014 11:36 AM, Ben Kamen wrote:
>
>> I don't remember unconfiguring this -- but my system currently doesn't accept mail at the full name user field like it used to. I wonder if over time I managed to turn it off.
>>
>> What's the config option so that sendmail accepts mail to a user's Full Name field? (like mine is Ben Kamen -- so ben.ka...@benjammin.net should work - but it doesn't.)
>
> Sendmail was acquired last October by Proofpoint. So far, I haven't seen much impact and Sendmail, Inc. was commercial before that supporting Opensource as well. One of the good examples of a company built on open source that seems to do a good job of supporting the community and still keeping the lights on.
>
> I'm not aware of a full name option (doesn't mean it doesn't exist) but you could add a file called virtusertable and put in a line that routes the alias to your local account such as:
>
>     ben.ka...@benjammin.net\bkamen
>
> Then compile it, etc.
>
> Your sendmail.mc will need something like this line which activates the feature and tells it the hash is in /etc/mail/virtusertable.db
>
>     FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable')dnl

Yep -- know all about the virtual user table... we're like this (crossing fingers)

But there used to be a built in feature (somewhere) in Sendmail that did from the user's Account info in /etc/passwd.

Hmmm...

Thanks KAM.
Re: [Mimedefang] Slightly OT: Sendmail config option for accepting user.n...@domain.com
On Thu, 23 Oct 2014, David F. Skoll wrote:

> On Thu, 23 Oct 2014 10:36:13 -0500 Ben Kamen bka...@benjammin.net wrote:
>
>> What's the config option so that sendmail accepts mail to a user's Full Name field?
>
> There's a really ancient Sendmail configuration directive that makes it look at the gecos field of /etc/passwd.
>
>     define(`confMATCH_GECOS',`true')dnl
>
> http://docstore.mik.ua/orelly/other/Docs/oreilly/other2/Sendmail_3rd/1565928393_ch24-34890.html

Don't use that! It is way too fuzzy and error prone. At least it was a long time ago on a Silicon Graphics Irix 5.x system.

One of our users had the habit of entering a q (for quit) when he had entered a recipient list in his interactive, text based, mail client. The mail client took this q as a recipient name and handed it over to sendmail. Sendmail used the GECOS field to resolve this q into a user name. The only match for q in the GECOS fields happened to be the third initial of one of the other users. So that guy received quite a few unintentional CC's of the first user's outbound mail.

I would just put the alternative addresses in the aliases file.

Regards,

Kees Theunissen.

-- 
Kees Theunissen, System and network manager, Tel: +31 (0)30 6096724
Dutch Institute For Fundamental Energy Research (DIFFER)
e-mail address: c.j.theunis...@differ.nl
postal address: PO Box 1207, 3430 BE Nieuwegein, NL
visitors address: Edisonbaan 14, 3439 MN Nieuwegein, NL
Re: [Mimedefang] Slightly OT: Sendmail config option for accepting user.n...@domain.com
On 10/23/2014 2:01 PM, Kees Theunissen wrote:

>>     define(`confMATCH_GECOS',`true')dnl
>
> Don't use that! It is way too fuzzy and error prone. At least it was a long time ago on a Silicon Graphics Irix 5.x system.

Sounds like some sed/awk parsing of passwd could create a very quick virtusertable table instead...
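The passwd-to-virtusertable generation Ben suggests, done in Perl rather than sed/awk as an added example that is not code from the thread. It runs on the constructed passwd sample embedded below and deliberately emits only exact first.last addresses for real accounts, so a single-letter GECOS entry like the q in Kees's story can never become a match.

```perl
use strict;
use warnings;

# Constructed /etc/passwd sample, not a real system file.
my $passwd_sample = <<'END';
root:x:0:0:root:/root:/bin/bash
bkamen:x:1001:1001:Ben Kamen:/home/bkamen:/bin/bash
jdoe:x:1002:1002:Jane Q. Doe,Room 12,555-0100:/home/jdoe:/bin/bash
svc:x:1003:1003::/var/svc:/sbin/nologin
jq:x:1004:1004:Q:/home/jq:/bin/bash
END

# Turn GECOS full names into explicit virtusertable lines of the form
#   first.last@domain<TAB>login
# Only accounts with uid >= $min_uid and at least two name words qualify, so
# there is none of the fuzzy matching confMATCH_GECOS performs.
sub gecos_virtusertable {
    my ($passwd_text, $domain, $min_uid) = @_;
    $min_uid = 1000 unless defined $min_uid;
    my (@lines, %seen);
    for my $line (split /\n/, $passwd_text) {
        my ($login, undef, $uid, undef, $gecos) = split /:/, $line;
        next unless defined $gecos and length $gecos;
        next unless $uid =~ /^\d+$/ and $uid >= $min_uid;
        my ($full_name) = split /,/, $gecos;            # drop office/phone subfields
        my @words = map { lc } ($full_name =~ /([A-Za-z]+)/g);
        next if @words < 2;                             # an initial alone is not an address
        my $local_part = join '.', @words;
        if ($seen{$local_part}++) {
            warn "duplicate $local_part\@$domain, keeping the first mapping\n";
            next;
        }
        push @lines, "$local_part\@$domain\t$login";
    }
    return @lines;
}

print "$_\n" for gecos_virtusertable($passwd_sample, 'benjammin.net');
```

Write the output to /etc/mail/virtusertable and rebuild the map with makemap hash, with the FEATURE(`virtusertable',...) line KAM quoted present in sendmail.mc.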
Re: [Mimedefang] Sendmail Skipping Filter
On 10/20/2014 10:38 PM, Nathan F wrote:

> I have a mimedefang filter that discards all messages with relayaddr ne 127.0.0.1. It is a sort of journaling server for mail. Sometimes I am finding that some (a very small number) of mails are somehow being sent out. These mails are coming from an external system originally, but they don't seem to hit mimedefang's filter. Any ideas?
>
> pseudo-code:
>
>     filter_end {
>         if($RelayAddr ne '127.0.0.1') {
>             do processing;
>             discard;
>         }
>     }

Nathan,

What I would do is add an else to that pseudo loop with a mimedefang log entry for the $RelayAddr that you are not hitting on. I would want to know that MD is getting called for every single email and then you know if it's logic or bypassing MD.

Regards,
KAM
Re: [Mimedefang] Sendmail Skipping Filter
Nathan F nat...@zenlok.com wrote:

> I have a mimedefang filter that discards all messages with relayaddr ne 127.0.0.1.

I suppose the reason to do this is to have Mimedefang log information on what the message was? Purely to discard, access.db with value DISCARD would be more efficient.

Joseph Brennan
Columbia University Information Technology
Re: [Mimedefang] Sendmail Skipping Filter
Hi there,

On Tue, 21 Oct 2014, Nathan F wrote:

> I have a mimedefang filter that discards all messages with relayaddr ne 127.0.0.1.

I think you mean that's what you want it to do, but it doesn't. :)

> I am finding that some (a very small number) of mails are somehow being sent out.

Ah, yes. :)

> These mails are coming from an external system originally, but they don't seem to hit mimedefang's filter. Any ideas?

Instrument the code.

> pseudo-code:
>
>     filter_end {
>         if($RelayAddr ne '127.0.0.1') {
>             do processing;
>             discard;
>         }
>     }

pseudo-patch:

    filter_end {
        LOG_SOMETHING_USEFUL
        if($RelayAddr ne '127.0.0.1') {
            LOG_SOMETHING_USEFUL
            do processing;
            discard;
        }
        LOG_SOMETHING_USEFUL
    }

> server log entry:
>
> Oct 20 10:16:09 inbound sendmail[12981]: s9K1G8oB012981: from=a@b, size=32820, class=0, nrcpts=1, msgid=z@z, proto=ESMTP, daemon=MTA, relay=ip-10-0-4-5 [10.0.4.5]
> Oct 20 10:31:21 inbound sendmail[6491]: s9K1G8oB012981: to=d@e, delay=00:15:12, xdelay=00:00:00, mailer=esmtp, pri=242820, relay=abc.com., dsn=5.3.5, stat=Local configuration error
> Oct 20 10:31:21 inbound sendmail[6491]: s9K1G8oB012981: s9K1VGlK006491: DSN: Local configuration error
> Oct 20 10:31:22 inbound sendmail[6491]: s9K1G8oB012981: s9K1VGlL006491: postmaster notify: Local configuration error

I see nothing there that's useful except the error message.

> Ignoring the fact that this is failing with an error ...

Don't do that.

> ... the important thing is ...

To find out what's going on. I suspect your filter code isn't being called at all in the cases where it fails to do what you want. I like to see this sort of thing in my logs:

    Oct 21 17:01:14 mail5 mimedefang.pl[14765]: s9LG09SX004394: MDLOG,\
    s9LG09SX004394,*=*=*=*=* filter_end(): \
    processing message from IP [198.148.79.53],,,clamav-devel-bounces@...

73,
Ged.
Re: [Mimedefang] Sendmail Skipping Filter
Hi all,

As these things go, I sometimes treat sendmail as if it might be doing something under the covers that I am not entirely aware of, but in this case it turns out that I simply made an error. I had a call to an external program whose (extremely rare) failure was not resulting in a proper temp failure return value from mimedefang simply because I wasn't calling action_tempfail. This resulted in the mail attempting delivery because it 1) hadn't yet hit the discard and 2) was not temp failing. It was slipping through the cracks in other words.

I had sorted it out minutes after sending the original email.

Thanks for your time,

Nate
[Mimedefang] Sendmail Skipping Filter
Hi all,

I have a mimedefang filter that discards all messages with relayaddr ne 127.0.0.1. It is a sort of journaling server for mail. Sometimes I am finding that some (a very small number) of mails are somehow being sent out. These mails are coming from an external system originally, but they don't seem to hit mimedefang's filter. Any ideas?

pseudo-code:

    filter_end {
        if($RelayAddr ne '127.0.0.1') {
            do processing;
            discard;
        }
    }

server log entry:

    Oct 20 10:16:09 inbound sendmail[12981]: s9K1G8oB012981: from=a@b, size=32820, class=0, nrcpts=1, msgid=z@z, proto=ESMTP, daemon=MTA, relay=ip-10-0-4-5 [10.0.4.5]
    Oct 20 10:31:21 inbound sendmail[6491]: s9K1G8oB012981: to=d@e, delay=00:15:12, xdelay=00:00:00, mailer=esmtp, pri=242820, relay=abc.com., dsn=5.3.5, stat=Local configuration error
    Oct 20 10:31:21 inbound sendmail[6491]: s9K1G8oB012981: s9K1VGlK006491: DSN: Local configuration error
    Oct 20 10:31:22 inbound sendmail[6491]: s9K1G8oB012981: s9K1VGlL006491: postmaster notify: Local configuration error

Ignoring the fact that this is failing with an error, the important thing is that somehow sendmail is trying to send out some of my mails on a server with a discard all milter. In the first log entry, it shows a relay address that isn't 127.0.0.1. However the code should digest all non-local mails. Is this mail somehow being turned into a local relay message (say if the server is overloaded and it has to queue some messages)?

My apologies if my terminology isn't spot on.

Regards,

Nate
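The filter_end from the pseudo-code above written out with the fix Nate arrived at (a failed external step must call action_tempfail instead of falling through to delivery) and the per-call logging Ged and KAM asked for. This is an added example, not Nate's filter; /usr/local/bin/journal-archive is a hypothetical external archiver assumed to exit non-zero on failure, and ./INPUTMSG is assumed to be the raw message in MIMEDefang's working directory.

```perl
# Added example for mimedefang-filter: journal everything that did not come
# from the local host, and never let an archiver failure fall through to delivery.
use strict;
use warnings;

our ($RelayAddr, $Sender);    # globals that mimedefang.pl fills in per message

my $ARCHIVER = '/usr/local/bin/journal-archive';   # hypothetical external program

sub filter_end {
    my ($entity) = @_;

    # Log every call, so the logs show whether the filter ran for a message at all.
    md_syslog('info', "filter_end: relay=$RelayAddr sender=$Sender");

    if ($RelayAddr eq '127.0.0.1') {
        md_syslog('info', 'filter_end: local submission, delivering normally');
        return;
    }

    # Hand the raw message to the archiver and check its exit status.
    my $status = system($ARCHIVER, './INPUTMSG');
    if ($status != 0) {
        # Without this branch a failed archive run left the message neither
        # discarded nor tempfailed, so sendmail went on and delivered it.
        my $why = $status == -1 ? "could not run $ARCHIVER: $!"
                                : sprintf('exit status %d', $status >> 8);
        md_syslog('err', "filter_end: archiver failed ($why) for relay=$RelayAddr");
        action_tempfail('Journaling temporarily unavailable, please retry later');
        return;
    }

    md_syslog('info', "filter_end: journaled and discarded, relay=$RelayAddr");
    action_discard();
}

1;
```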
Re: [Mimedefang] spam score different from when scanning via mimedefang
A quick update on this guys, I have added a DNS caching server, added KAM.cf. Spam did get better, however Bayesian still sucks in my configuration. Here is an email I got 15 min ago, scores like this:

    X-Spam-Score: 1.308 (*) BAYES_00,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_MESSAGE,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,SPF_HELO_PASS,SPF_PASS,T_KAM_HTML_FONT_INVALID,T_RP_MATCHES_RCVD,URIBL_RED
    X-Scanned-By: MIMEDefang 2.75

Save this email as .eml and running on command line does detect as spam:

    X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on newcitymedia.net
    X-Spam-Flag: YES
    X-Spam-Level: **
    X-Spam-Status: Yes, score=6.9 required=3.0 tests=BAYES_99,BAYES_999,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_MESSAGE,RAZOR2_CF_RANGE_51_100,
        RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,SPF_HELO_PASS,SPF_PASS,
        TVD_RCVD_SPACE_BRACKET,T_KAM_HTML_FONT_INVALID,T_RP_MATCHES_RCVD,
        UNPARSEABLE_RELAY,URIBL_RED autolearn=no autolearn_force=no version=3.4.0

This is the last piece in the puzzle I think.

thanks!
Re: [Mimedefang] spam score different from when scanning via mimedefang
On Fri, 17 Oct 2014, i...@bsolution.net wrote:

> Spam did get better, however Bayesian still sucks in my configuration. Here is an email I got 15 min ago, scores like this:

Well, Bayes could have learnt in that time. However, did you check if the Bayes database has more than one user? Maybe SpamAssassin uses two users internally.

>     X-Spam-Score: 1.308 (*) BAYES_00,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_MESSAGE,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,SPF_HELO_PASS,SPF_PASS,T_KAM_HTML_FONT_INVALID,T_RP_MATCHES_RCVD,URIBL_RED
>     X-Scanned-By: MIMEDefang 2.75
>
> Save this email as .eml and running on command line does detect as spam:
>
>     X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on newcitymedia.net
>     X-Spam-Flag: YES
>     X-Spam-Level: **
>     X-Spam-Status: Yes, score=6.9 required=3.0 tests=BAYES_99,BAYES_999,
>         DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_MESSAGE,RAZOR2_CF_RANGE_51_100,
>         RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,SPF_HELO_PASS,SPF_PASS,
>         TVD_RCVD_SPACE_BRACKET,T_KAM_HTML_FONT_INVALID,T_RP_MATCHES_RCVD,
>         UNPARSEABLE_RELAY,URIBL_RED autolearn=no autolearn_force=no version=3.4.0

-- 
Steffen Kaiser
Re: [Mimedefang] spam score different from when scanning via mimedefang
On 2014-10-17 10:08, Steffen Kaiser wrote:

> Well, Bayes could have learnt in that time. However, did you check if the Bayes database has more than one user? Maybe SpamAssassin uses two users internally.

Thanks Steffen, I will look into that. This is all done via the sa-learn command, right?
[Mimedefang] spam score different from when scanning via mimedefang
Hello guys, I am desperate. This question has been asked many times - yet the resolution does not apply to me because in most cases mimedefang runs as a different user. I also searched many places, read a lot of docs and posts - still can't solve the mystery.

I have a relatively straightforward setup Sendmail-MimeDefang-CLAM+SPAM-Cyrus. Mimedefang/Clam/Spam - all running as user spam:

    spam 22277 0.0 7.2 381188 292124 ? Ssl Oct15 0:33 /usr/local/sbin/clamd
    spam 9547 0.0 0.0 8340 740 ? S 11:12 0:00 /usr/local/bin/mimedefang-multiplexor -p /var/spool/MIMEDefang/mimedefang-multiplexor.pid -S mail -m 2 -x 10 -U spam -b 600 -N /var/imap/socket/smmapd -l -t /var/log/mimedefang/stats -s /var/spool/MIMEDefang/mimedefang-multiplexor.sock
    spam 9549 1.5 2.0 182468 83556 ? S 11:12 0:03 /usr/bin/perl /usr/local/bin/mimedefang.pl -server
    spam 9581 0.0 0.0 18728 836 ? Sl 11:12 0:00 /usr/local/bin/mimedefang -P /var/spool/MIMEDefang/mimedefang.pid -m /var/spool/MIMEDefang/mimedefang-multiplexor.sock -R -1 -U spam -S mail -s -t -q -p /var/spool/MIMEDefang/mimedefang.sock
    spam 9591 0.1 0.7 86040 32136 ? S 11:12 0:00 /usr/bin/perl /usr/local/bin/mimedefang.pl -server
    spam 8918 0.0 0.0 87412 1776 ? Ssl Aug19 0:08 /usr/bin/dk-filter -l -p inet:8891@localhost -c simple -d bsolution.net,newcitymedia.net -s /etc/mail/domainkeys/mail.key.pem -S mail -u spam -m msa mail mta MTA-SSL -h -H
    root 15317 0.0 1.7 244704 72664 ? Ss Oct13 0:29 /usr/local/bin/spamd -d -c -m5 -H -u spam -r /var/run/spamd.pid
    spam 15320 0.0 2.0 257316 84728 ? S Oct13 0:43 spamd child
    spam 15321 0.0 1.7 244704 69700 ? S Oct13 0:00 spamd child

I get email in my mailbox that has headers with the following:

    X-Spam-Score: 2.328 (**) AWL,BAYES_50,HTML_IMAGE_RATIO_06,HTML_MESSAGE,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_BRBL_LASTEXT,RP_MATCHES_RCVD,SPF_HELO_PASS,SPF_PASS,T_KAM_HTML_FONT_INVALID,URIBL_BLOCKED
    X-Scanned-By: MIMEDefang 2.75

However when I run the same email in the eml format, while being user spam on the server, through spamassassin - I get a correct recognition of a spam.

    [spam@newcitymedia ~]$ spamassassin -x -p /etc/mail/sa-mimedefang.cf -D ./test.eml
    X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on newcitymedia.net
    X-Spam-Flag: YES
    X-Spam-Level: **
    X-Spam-Status: Yes, score=6.5 required=3.0 tests=AWL,BAYES_99,BAYES_999,
        HTML_IMAGE_RATIO_06,HTML_MESSAGE,RCVD_IN_BRBL_LASTEXT,RCVD_IN_RP_RNBL,
        RP_MATCHES_RCVD,SPF_HELO_PASS,SPF_PASS,TVD_RCVD_SPACE_BRACKET,
        T_KAM_HTML_FONT_INVALID,UNPARSEABLE_RELAY,URIBL_BLOCKED autolearn=no
        autolearn_force=no version=3.4.0

Obviously I am missing something. My sa-mimedefang.cf looks like this:

    required_score 3.0
    use_bayes 1
    bayes_learn_to_journal 1
    add_header all Status _YESNO_, score=_SCORE_ required=_REQD_ tests=_TESTS_ autolearn=_AUTOLEARN_ version=_VERSION_
    ok_locales all
    ok_languages all
    header KH_FORGED_RECEIVED Received =~ /forged/i
    score KH_FORGED_RECEIVED 10.0
    describe KH_FORGED_RECEIVED This is a rule to catch ip that is forged
    use_dcc 1
    dcc_timeout 15
    dcc_path /usr/local/bin/dccproc
    skip_rbl_checks 0

thank you all!
Re: [Mimedefang] spam score different from when scanning via mimedefang
On 10/16/2014 11:26 AM, i...@bsolution.net wrote:
> Hello guys, I am desperate. This question has been asked many times, yet the resolution does not apply to me because in most cases mimedefang runs as a different user. I also searched many places, read a lot of docs and posts, and still can't solve the mystery.
>
> I have a relatively straightforward setup: Sendmail-MimeDefang-CLAM+SPAM-Cyrus.
>
> I get email in my mailbox that has headers with the following:
>
>     X-Spam-Score: 2.328 (**) AWL,BAYES_50,HTML_IMAGE_RATIO_06,HTML_MESSAGE,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_BRBL_LASTEXT,RP_MATCHES_RCVD,SPF_HELO_PASS,SPF_PASS,T_KAM_HTML_FONT_INVALID,URIBL_BLOCKED
>     X-Scanned-By: MIMEDefang 2.75
>
> However, when I run the same email in .eml format through spamassassin while logged in as user spam on the server, I get a correct recognition of spam:
>
>     [spam@newcitymedia ~]$ spamassassin -x -p /etc/mail/sa-mimedefang.cf -D ./test.eml
>     X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on newcitymedia.net
>     X-Spam-Flag: YES
>     X-Spam-Level: **
>     X-Spam-Status: Yes, score=6.5 required=3.0 tests=AWL,BAYES_99,BAYES_999,
>         HTML_IMAGE_RATIO_06,HTML_MESSAGE,RCVD_IN_BRBL_LASTEXT,RCVD_IN_RP_RNBL,
>         RP_MATCHES_RCVD,SPF_HELO_PASS,SPF_PASS,TVD_RCVD_SPACE_BRACKET,
>         T_KAM_HTML_FONT_INVALID,UNPARSEABLE_RELAY,URIBL_BLOCKED autolearn=no
>         autolearn_force=no version=3.4.0

I don't know that you are missing anything. I'm assuming time has elapsed between these two tests, because you are showing different Bayes scores, different RBL hits, etc., which would indicate that the RBLs reactively added information after you received the email.

However, overall, I think I would focus on a few things to improve your installation and not focus on the MD vs CLI differences, as I think that's a red herring. Someone else might notice something I'm not, though.

1 - URIBL_BLOCKED means your DNS queries are being blocked. See https://wiki.apache.org/spamassassin/DnsBlocklists under the first QA. Short answer: installing a caching local nameserver fixes this issue for most installations.

2 - Your required score of 3.0 is very aggressively low. We suggest 5, and I often use 5.0 to 6.5 for more real-world usage.

3 - Consider adding KAM.cf

4 - Switch AWL to TxRep

regards,
KAM
Re: [Mimedefang] spam score different from when scanning via mimedefang
On 2014-10-16 12:13, Kevin A. McGrail wrote:
> I don't know that you are missing anything. I'm assuming time has elapsed between these two tests, because you are showing different Bayes scores, different RBL hits, etc., which would indicate that the RBLs reactively added information after you received the email.

But why are the Bayes rules so different? Shouldn't they be relatively close?

> However, overall, I think I would focus on a few things to improve your installation and not focus on the MD vs CLI differences, as I think that's a red herring. Someone else might notice something I'm not, though.
>
> 1 - URIBL_BLOCKED means your DNS queries are being blocked. See https://wiki.apache.org/spamassassin/DnsBlocklists under the first QA. Short answer: installing a caching local nameserver fixes this issue for most installations.

Thanks, I will try this.

> 2 - Your required score of 3.0 is very aggressively low. We suggest 5, and I often use 5.0 to 6.5 for more real-world usage.
>
> 3 - Consider adding KAM.cf
>
> 4 - Switch AWL to TxRep

I will look into 3 and 4 as well. Thank you.

> regards,
> KAM
Re: [Mimedefang] Fwd: Re: clamav vs clamd vs clamscan
I did the following and it worked:

    su -s /bin/bash clamav
    cd /var/spool/MIMEDefang
    cat mimedefang-multiplexor.pid

So the clamav user is able to look at defang's directory, but clamd still can't if mimedefang calls it to do a virus check.

On 10/13/2014 4:54 PM, Les Mikesell wrote:
> On Mon, Oct 13, 2014 at 4:46 PM, Cliff Hayes cha...@afo.net wrote:
>> Two problems:
>> a) the shell for clamav is set to /sbin/nologin so I can't su to it ... should I change the shell?
>
> You can do: su -s /bin/bash clamav
>
>> b) the email files clamd is trying to look at never stay on the server for more than a second or two.
>
> At least see if you can access anything that needs the defang group. If it doesn't work manually, then the group is set up wrong. If it does, something must be wrong with the clamd startup that it isn't picking up the group membership.
Re: [Mimedefang] Fwd: Re: clamav vs clamd vs clamscan
I think you should make sure mimedefang is actually being started with the -G option. Like, look at output from `ps`.

Also, stick a sleep(60) in the filter or something to slow it down. That way, you can catch the Work directories live and see what their permissions look like. If the directory is 700 instead of 750 (or similar) or the files are 600 instead of 640, then mimedefang's umask is the issue.

Otherwise, as was noted, maybe clamd isn't picking up the group membership somehow.

-- 
Richard
Re: [Mimedefang] clamav vs clamd vs clamscan
Hi there,

On Mon, 13 Oct 2014, Cliff Hayes wrote:
> Now I get this error when starting clamd:
>
>     ERROR: Can't open/parse the config file /usr/local/etc/clamd.conf
>
> I am starting as root as instructed in clamd.conf
>
> I have gotten that error before ... it usually means there is a user issue.

That sounds like mystic nonsense. What's a "user issue" supposed to mean?

> When I go back to running as root it knows to look in /etc/ for clamd.conf

This just means that you are starting the process in two different ways, possibly from two different scripts, or you might even have two different binaries installed. Note that the search paths in the shell environment which are used by a root shell and by a non-root shell will be different. A root shell will usually have /sbin/ and /usr/sbin/ in the path, but a non-root shell won't. When you run an executable, always type the full path so that you know which one you're running or you'll confuse yourself.

Before the binaries are compiled the sources must be configured. Part of that configuration tells them to look for their configurations by default in certain places. These can be whatever locations you choose. So for example if you have /sbin/clamd compiled to look in /etc/ and /usr/local/sbin/clamd compiled to look in /usr/local/etc/ by default then you will see something like what you're describing if you start one and then the other *without* explicitly stating in the command which starts the process where it is to look for its configuration.

If you look at the manpage for clamd by typing

    man clamd

at a shell prompt it will explain this. The clamd executable can be instructed to look for its configuration file by means of a command-line option. So you could for example say

    /usr/local/sbin/clamd -c /home/configfile

or

    /sbin/clamd -c /usr/local/etc/clamdconfigurationfile.2014.10.13

or whatever takes your fancy.

If you're really desperate you could for example just make a symlink in /usr/local/ which points to /etc/clamd.conf but you'd be far better off finding out what's really going on.

-- 
73,
Ged.
Re: [Mimedefang] Fwd: Re: clamav vs clamd vs clamscan
On Sun, Oct 12, 2014 at 4:54 PM, Richard Laager rlaa...@wiktel.com wrote:
> On Sun, 2014-10-12 at 14:18 -0500, Cliff Hayes wrote:
>> I tried your idea. I updated the following in clamd.conf:
>>
>>     LocalSocket /var/run/clamav/clamd.socket
>>     PidFile /var/run/clamav/clamd.pid
>>     User clamav
>>
>> Now I get this error when starting clamd:
>>
>>     ERROR: Can't open/parse the config file /usr/local/etc/clamd.conf
>>
>> I am starting as root as instructed in clamd.conf
>>
>> I have gotten that error before ... it usually means there is a user issue.
>>
>> When I go back to running as root it knows to look in /etc/ for clamd.conf
>
> I have no idea why your clamd is looking in /usr/local/etc instead of /etc.

There are probably 2 or more different versions of clamd on this system, built with different default options. If packages have been installed from different 3rd party repositories or installed from source plus a packaged install, that is a likely scenario.

-- 
Les Mikesell
lesmikes...@gmail.com
Re: [Mimedefang] Fwd: Re: clamav vs clamd vs clamscan
Per other comments I removed all traces of previous clam installs and started over with binaries. Got clamd running as root and mimedefang running as defang - no problem. But I'd like to run clamd as clamav, so I did your idea and added defang to clamav as such:

    usermod -G defang clamav

So now clamd is a member of two groups, clamav and defang, but I still get the following error:

    Oct 13 15:53:47 sendmail mimedefang.pl[27449]: s9DKrlSJ027472: Clamd returned error: lstat() failed: Permission denied.
    Oct 13 15:53:47 sendmail mimedefang.pl[27449]: s9DKrlSJ027472: Problem running virus scanner: code=999, category=swerr, action=tempfail
    Mon Oct 13 15:53:47 2014 - WARNING: lstat() failed on: /var/spool/MIMEDefang/mdefang-s9DKrlSJ027472/Work

On 10/9/2014 1:36 PM, Kees Theunissen wrote:
> On Thu, 9 Oct 2014, Kevin A. McGrail wrote:
>> On 10/9/2014 10:28 AM, Cliff Hayes wrote:
>>> Thanks to this list I am making progress :)
>>>
>>> Now clamd is failing due to this...
>>>
>>>     Wed Oct 8 16:32:20 2014 - WARNING: lstat() failed on: /var/spool/MIMEDefang/mdefang-s98LWK78002037/Work
>>>
>>> ...I'm assuming this is because the mimedefang working directory is owned by defang and clamd runs as clamav. I fixed it by running clamd as root ... is this the preferred solution or is there a better way?
>>
>> In general, you don't want daemons running as privileged users. I run clamd as the same user as I run MD and that would be my recommendation as well.
>
> On my systems (debian) I run mimedefang as user defang and group defang while clamd is running as user clamav and group clamav. I made the clamav user a member of the defang group so clamd can read the contents of subdirs below /var/spool/MIMEDefang with group rights.
>
>     ~# id defang
>     uid=108(defang) gid=110(defang) groups=110(defang)
>     ~# id clamav
>     uid=107(clamav) gid=109(clamav) groups=110(defang),109(clamav)
>
> Regards,
> Kees Theunissen.
Re: [Mimedefang] Fwd: Re: clamav vs clamd vs clamscan
On Mon, Oct 13, 2014 at 4:01 PM, Cliff Hayes cha...@afo.net wrote:
> Per other comments I removed all traces of previous clam installs and started over with binaries. Got clamd running as root and mimedefang running as defang - no problem. But I'd like to run clamd as clamav, so I did your idea and added defang to clamav as such:
>
>     usermod -G defang clamav
>
> So now clamd is a member of two groups, clamav and defang, but I still get the following error:
>
>     Oct 13 15:53:47 sendmail mimedefang.pl[27449]: s9DKrlSJ027472: Clamd returned error: lstat() failed: Permission denied.
>     Oct 13 15:53:47 sendmail mimedefang.pl[27449]: s9DKrlSJ027472: Problem running virus scanner: code=999, category=swerr, action=tempfail
>     Mon Oct 13 15:53:47 2014 - WARNING: lstat() failed on: /var/spool/MIMEDefang/mdefang-s9DKrlSJ027472/Work

Did you restart clamd after the change? Also, check that the directories above /var/spool/MIMEDefang/mdefang-s9DKrlSJ027472/Work have rx permissions for group or other and the new files mimedefang is creating have group access.

-- 
Les Mikesell
lesmikes...@gmail.com
Re: [Mimedefang] Fwd: Re: clamav vs clamd vs clamscan
restarted clamd; same error

permissions for each directory up to and including /var/spool/MIMEDefang:

    drwxr-xr-x. 22 root   root   4096 Oct  7 14:55 var
    drwxr-xr-x. 14 root   root   4096 Oct  7 12:49 spool
    drwxr-x---   3 defang defang 4096 Oct 13 16:23 MIMEDefang

I tried 755 on MIMEDefang and still got same error:

    drwxr-xr-x   3 defang defang 4096 Oct 13 16:23 MIMEDefang

selinux is not running at this time and I have the following option set:

    MD_ALLOW_GROUP_ACCESS=yes

On 10/13/2014 4:17 PM, Les Mikesell wrote:
> On Mon, Oct 13, 2014 at 4:01 PM, Cliff Hayes cha...@afo.net wrote:
>> Per other comments I removed all traces of previous clam installs and started over with binaries. Got clamd running as root and mimedefang running as defang - no problem. But I'd like to run clamd as clamav, so I did your idea and added defang to clamav as such:
>>
>>     usermod -G defang clamav
>>
>> So now clamd is a member of two groups, clamav and defang, but I still get the following error:
>>
>>     Oct 13 15:53:47 sendmail mimedefang.pl[27449]: s9DKrlSJ027472: Clamd returned error: lstat() failed: Permission denied.
>>     Oct 13 15:53:47 sendmail mimedefang.pl[27449]: s9DKrlSJ027472: Problem running virus scanner: code=999, category=swerr, action=tempfail
>>     Mon Oct 13 15:53:47 2014 - WARNING: lstat() failed on: /var/spool/MIMEDefang/mdefang-s9DKrlSJ027472/Work
>
> Did you restart clamd after the change? Also, check that the directories above /var/spool/MIMEDefang/mdefang-s9DKrlSJ027472/Work have rx permissions for group or other and the new files mimedefang is creating have group access.
Re: [Mimedefang] Fwd: Re: clamav vs clamd vs clamscan
Two problems:

a) the shell for clamav is set to /sbin/nologin so I can't su to it ... should I change the shell?

b) the email files clamd is trying to look at never stay on the server for more than a second or two.

On 10/13/2014 4:42 PM, Les Mikesell wrote:
> On Mon, Oct 13, 2014 at 4:30 PM, Cliff Hayes cha...@afo.net wrote:
>> restarted clamd; same error
>>
>> permissions for each directory up to and including /var/spool/MIMEDefang:
>>
>>     drwxr-xr-x. 22 root   root   4096 Oct  7 14:55 var
>>     drwxr-xr-x. 14 root   root   4096 Oct  7 12:49 spool
>>     drwxr-x---   3 defang defang 4096 Oct 13 16:23 MIMEDefang
>>
>> I tried 755 on MIMEDefang and still got same error:
>>
>>     drwxr-xr-x   3 defang defang 4096 Oct 13 16:23 MIMEDefang
>>
>> selinux is not running at this time and I have the following option set:
>>
>>     MD_ALLOW_GROUP_ACCESS=yes
>
> If you su to the clamav user, can you read the file in question?
Re: [Mimedefang] Fwd: Re: clamav vs clamd vs clamscan
On Mon, Oct 13, 2014 at 4:46 PM, Cliff Hayes cha...@afo.net wrote:
> Two problems:
>
> a) the shell for clamav is set to /sbin/nologin so I can't su to it ... should I change the shell?

You can do: su -s /bin/bash clamav

> b) the email files clamd is trying to look at never stay on the server for more than a second or two.

At least see if you can access anything that needs the defang group. If it doesn't work manually, then the group is set up wrong. If it does, something must be wrong with the clamd startup that it isn't picking up the group membership.

-- 
Les Mikesell
lesmikes...@gmail.com
Re: [Mimedefang] Fwd: Re: clamav vs clamd vs clamscan
Did what you said and I can't touch a new temp file in /var/spool/MIMEDefang ... permission denied ... but clamd appears to be running as clamav

    su -s /bin/bash clamav
    bash-4.1$ cd /var/spool/MIMEDefang
    bash-4.1$ ls -l
    total 8
    -rw-r-----  1 defang defang 5 Oct 13 16:50 mimedefang-multiplexor.pid
    srwxrwx---  1 defang defang 0 Oct 13 16:50 mimedefang-multiplexor.sock
    -rw-------  1 defang defang 5 Oct 13 16:50 mimedefang.pid
    srwxrwx---  1 defang defang 0 Oct 13 16:50 mimedefang.sock
    bash-4.1$ vi mimedefang.pid
    bash-4.1$ touch temp
    touch: cannot touch `temp': Permission denied
    bash-4.1$ su root
    Password:
    [root@sendmail MIMEDefang]# ps aux | grep clamd
    clamav    1652  0.0  3.5 518068 288956 ?     Ssl  16:50   0:00 /usr/local/sbin/clamd
    root      1838  0.0  0.0 103256    848 pts/2 S+   16:59   0:00 grep clamd

On 10/13/2014 4:54 PM, Les Mikesell wrote:
> su -s /bin/bash clamav
Re: [Mimedefang] Fwd: Re: clamav vs clamd vs clamscan
touch should never work in the spool directory - clamd is reading files and deciding whether they are infected, so it should never try to create a file. You have set the permissions to make the directory group readable, not group writable, and this is correct.

You need to ensure that the spool directories are also created group readable, so turn on -d to keep the temporary directories for a short time so you can see that the permissions are correct. Once you have a few to test with, su to your clamav user, cd to the spool directory, and run clamdscan on the INPUTMSG to ensure that the daemon can read it.

The odds are that your MD_ALLOW_GROUP_ACCESS is not taking effect, so the working directories are not accessible by clamdscan.

Paul.

-----Original Message-----
From: mimedefang-boun...@lists.roaringpenguin.com [mailto:mimedefang-boun...@lists.roaringpenguin.com] On Behalf Of Cliff Hayes
Sent: 13 October 2014 23:01
To: mimedefang@lists.roaringpenguin.com
Subject: Re: [Mimedefang] Fwd: Re: clamav vs clamd vs clamscan

Did what you said and I can't touch a new temp file in /var/spool/MIMEDefang ... permission denied ... but clamd appears to be running as clamav

    su -s /bin/bash clamav
    bash-4.1$ cd /var/spool/MIMEDefang
    bash-4.1$ ls -l
    total 8
    -rw-r-----  1 defang defang 5 Oct 13 16:50 mimedefang-multiplexor.pid
    srwxrwx---  1 defang defang 0 Oct 13 16:50 mimedefang-multiplexor.sock
    -rw-------  1 defang defang 5 Oct 13 16:50 mimedefang.pid
    srwxrwx---  1 defang defang 0 Oct 13 16:50 mimedefang.sock
    bash-4.1$ vi mimedefang.pid
    bash-4.1$ touch temp
    touch: cannot touch `temp': Permission denied
    bash-4.1$ su root
    Password:
    [root@sendmail MIMEDefang]# ps aux | grep clamd
    clamav    1652  0.0  3.5 518068 288956 ?     Ssl  16:50   0:00 /usr/local/sbin/clamd
    root      1838  0.0  0.0 103256    848 pts/2 S+   16:59   0:00 grep clamd

On 10/13/2014 4:54 PM, Les Mikesell wrote:
> su -s /bin/bash clamav
Re: [Mimedefang] Fwd: Re: clamav vs clamd vs clamscan
On Mon, 2014-10-13 at 17:00 -0500, Cliff Hayes wrote:
> Did what you said and I can't touch a new temp file in /var/spool/MIMEDefang ... permission denied ... but clamd appears to be running as clamav

Your tests below should be expected to fail. mimedefang.pid is not group-readable. And the directory is not group-writable.

Try reading mimedefang-multiplexor.pid which is group-readable:

    su -s /bin/bash clamav
    cd /var/spool/MIMEDefang
    cat mimedefang-multiplexor.pid

>     su -s /bin/bash clamav
>     bash-4.1$ cd /var/spool/MIMEDefang
>     bash-4.1$ ls -l
>     total 8
>     -rw-r-----  1 defang defang 5 Oct 13 16:50 mimedefang-multiplexor.pid
>     srwxrwx---  1 defang defang 0 Oct 13 16:50 mimedefang-multiplexor.sock
>     -rw-------  1 defang defang 5 Oct 13 16:50 mimedefang.pid
>     srwxrwx---  1 defang defang 0 Oct 13 16:50 mimedefang.sock
>     bash-4.1$ vi mimedefang.pid
>     bash-4.1$ touch temp
>     touch: cannot touch `temp': Permission denied

-- 
Richard
Re: [Mimedefang] Fwd: Re: clamav vs clamd vs clamscan
I tried your idea. I updated the following in clamd.conf:

    LocalSocket /var/run/clamav/clamd.socket
    PidFile /var/run/clamav/clamd.pid
    User clamav

Now I get this error when starting clamd:

    ERROR: Can't open/parse the config file /usr/local/etc/clamd.conf

I am starting as root as instructed in clamd.conf

I have gotten that error before ... it usually means there is a user issue.

When I go back to running as root it knows to look in /etc/ for clamd.conf

On 10/10/2014 11:27 PM, Richard Laager wrote:
> If you still have problems, make sure you run MIMEDefang with the -G option. If your MIMEDefang is packaged like mine, set MD_ALLOW_GROUP_ACCESS=yes in /etc/default/mimedefang. This causes MIMEDefang to use a umask that allows group readability.
Re: [Mimedefang] Fwd: Re: clamav vs clamd vs clamscan
On Sun, 2014-10-12 at 14:18 -0500, Cliff Hayes wrote:
> I tried your idea. I updated the following in clamd.conf:
>
>     LocalSocket /var/run/clamav/clamd.socket
>     PidFile /var/run/clamav/clamd.pid
>     User clamav
>
> Now I get this error when starting clamd:
>
>     ERROR: Can't open/parse the config file /usr/local/etc/clamd.conf
>
> I am starting as root as instructed in clamd.conf
>
> I have gotten that error before ... it usually means there is a user issue.
>
> When I go back to running as root it knows to look in /etc/ for clamd.conf

I have no idea why your clamd is looking in /usr/local/etc instead of /etc.

-- 
Richard
Re: [Mimedefang] Fwd: Re: clamav vs clamd vs clamscan
If you still have problems, make sure you run MIMEDefang with the -G option. If your MIMEDefang is packaged like mine, set MD_ALLOW_GROUP_ACCESS=yes in /etc/default/mimedefang. This causes MIMEDefang to use a umask that allows group readability.

-- 
Richard
Re: [Mimedefang] detect failed auth
On 2014-09-10 16:29, David F. Skoll wrote:
>     Sep 10 10:28:04 vanadium sm-mta[2670]: s8AEQtDU002670: d...@hydrogen.roaringpenguin.com [192.168.10.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA-v6

I've recently configured fail2ban on my CentOS5 server with blocking based solely on this line:

    Oct  9 10:17:38 batyskaf sendmail[16834]: s998Gc97016834: cpe-173-88-252-250.neo.res.rr.com [173.88.252.250] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

Installed fail2ban from EPEL. Created /etc/fail2ban/filter.d/smtp.conf:

    # Fail2Ban filter for sendmail authentication failures
    #

    [INCLUDES]
    before = common.conf

    [Definition]
    _daemon = sendmail
    failregex = ^ ?%(__prefix_line)s\w{14}: (\S+ )?\[<HOST>\]( \(may be forged\))? did not issue MAIL/EXPN/VRFY/ETRN during connection to (TLS)?MTA$
    ignoreregex =

And created /etc/fail2ban/jail.local:

    [DEFAULT]
    ignoreip = 127.0.0.0/8 192.168.0.0/16
    usedns = no

    [ssh-iptables]
    enabled = false

    [smtp]
    enabled = true
    filter = smtp
    action = iptables-multiport[name=sendmail-auth, port="submission,465,smtp", protocol=tcp, blocktype=DROP]
    logpath = /var/log/maillog

Then simply run:

    # chkconfig fail2ban on
    # service fail2ban start

And bruteforce attacks slowed considerably. I think this would work also for CentOS/RHEL6 with no modifications.

I assumed that no legitimate client would connect without issuing MAIL/EXPN/VRFY/ETRN. Definitely not more than two times in 5 minutes to trigger a ban. There could be a problem if some user would try to login with a bad password more than twice in 5 minutes - he would not be able to send mail for an hour.

Regards
Tometzky

-- 
...although Eating Honey was a very good thing to do, there was a moment just before you began to eat it which was better than when you were...
                                                      Winnie the Pooh
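Added example, not from Tometzky's post or from the fail2ban project: the same failregex expressed with POSIX grep/sed/awk and run over constructed sendmail log lines (the first is the line quoted above, the rest are made up), so the match can be checked offline before the filter goes into a jail. The optional hostname, "(may be forged)" and TLSMTA variants follow the regex in the post; the maxretry threshold and the sample IPs are assumptions.

```shell
#!/bin/sh
# Added example (not code from the thread or from fail2ban): a grep/sed/awk
# version of the sendmail "did not issue MAIL/EXPN/VRFY/ETRN" failregex, run
# over constructed log lines so the detection can be verified offline.

# Constructed sample log: line 1 is the one quoted in the thread, the others
# are made up (203.0.113.0/24 is a documentation range). Line 4 is a normal
# delivery line that must NOT match.
SAMPLE_LOG='Oct  9 10:17:38 batyskaf sendmail[16834]: s998Gc97016834: cpe-173-88-252-250.neo.res.rr.com [173.88.252.250] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Oct  9 10:19:02 batyskaf sendmail[16901]: s998J2AB016901: [173.88.252.250] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to TLSMTA
Oct  9 10:20:11 batyskaf sendmail[16950]: s998KBcd016950: [203.0.113.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Oct  9 10:21:45 batyskaf sendmail[17012]: s998LjEf017012: from=<user@example.org>, size=1234, class=0, nrcpts=1, relay=[203.0.113.7]
Oct  9 10:22:00 batyskaf sendmail[17040]: s998M0gh017040: [173.88.252.250] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA'

# ERE equivalent of the fail2ban failregex: 14-character queue ID, optional
# hostname, bracketed IPv4 (fail2ban's <HOST>), optional "(may be forged)",
# and either MTA or TLSMTA at end of line.
NOISSUE_RE='sendmail\[[0-9]+\]: [A-Za-z0-9]{14}: ([^ ]+ )?\[([0-9]{1,3}\.){3}[0-9]{1,3}\]( \(may be forged\))? did not issue MAIL/EXPN/VRFY/ETRN during connection to (TLS)?MTA$'

# Read log lines on stdin; print the IP of every matching line, one per line.
noissue_hosts() {
    grep -E "$NOISSUE_RE" | sed -E 's/.*\[(([0-9]{1,3}\.){3}[0-9]{1,3})\].*/\1/'
}

# Read log lines on stdin; print the IPs seen at least $1 times (what
# fail2ban's maxretry would ban, ignoring the findtime window).
offenders() {
    maxretry="$1"
    noissue_hosts | sort | uniq -c | awk -v m="$maxretry" '$1 >= m { print $2 }'
}

# Demo run: with maxretry 2 only 173.88.252.250 is reported.
printf '%s\n' "$SAMPLE_LOG" | offenders 2
```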
[Mimedefang] Fwd: Re: clamav vs clamd vs clamscan
Thanks to this list I am making progress :)

Now clamd is failing due to this...

    Wed Oct 8 16:32:20 2014 - WARNING: lstat() failed on: /var/spool/MIMEDefang/mdefang-s98LWK78002037/Work

...I'm assuming this is because the mimedefang working directory is owned by defang and clamd runs as clamav. I fixed it by running clamd as root ... is this the preferred solution or is there a better way?

-------- Original Message --------
Subject: Re: [Mimedefang] clamav vs clamd vs clamscan
Date: Wed, 8 Oct 2014 14:35:08 -0500
From: Les Mikesell lesmikes...@gmail.com
To: mimedefang@lists.roaringpenguin.com

On Wed, Oct 8, 2014 at 2:05 PM, Cliff Hayes cha...@afo.net wrote:
> I will have to go with clamd because clamav is taking 12 seconds to scan an email with five words in it. I tried disabling all repositories except epel like this...
>
>     yum --disablerepo=atrpms-bleeding --disablerepo=atrpms --disablerepo=atrpms-testing --disablerepo=elrepo --disablerepo=epel-testing --disablerepo=rpmforge --disablerepo=sl6x --disablerepo=sl install clamd
>
> ... but then I got a long list of dependencies, then a bunch of errors and requires, then ended with this...
>
>     You could try using --skip-broken to work around the problem
>     You could try running: rpm -Va --nofiles --nodigest
>
> ... so I guess I should go back to binaries?

Mixing 3rd party repos generally leads to conflicts. On a Centos system with EPEL as the only extra repo it 'just works'. Either you already have some conflicting package from a different repo or you needed something from the base SL. Also, if you get mimedefang and clamd from different repos you may end up with a mismatch
Re: [Mimedefang] Fwd: Re: clamav vs clamd vs clamscan
On 10/9/2014 10:28 AM, Cliff Hayes wrote:
> Thanks to this list I am making progress :) Now clamd is failing due to this...
>
>     Wed Oct 8 16:32:20 2014 - WARNING: lstat() failed on: /var/spool/MIMEDefang/mdefang-s98LWK78002037/Work
>
> ...I'm assuming this is because the mimedefang working directory is owned by defang and clamd runs as clamav. I fixed by running clamd as root ... is this the preferred solution or is there a better way?

In general, you don't want daemons running as privileged users. I run clamd as the same user as I run MD and that would be my recommendation as well.

Regards,
KAM
Re: [Mimedefang] Fwd: Re: clamav vs clamd vs clamscan
On 10/9/2014 8:37 AM, Kevin A. McGrail wrote:
> On 10/9/2014 10:28 AM, Cliff Hayes wrote:
>> Thanks to this list I am making progress :) Now clamd is failing due to this...
>>
>>     Wed Oct 8 16:32:20 2014 - WARNING: lstat() failed on: /var/spool/MIMEDefang/mdefang-s98LWK78002037/Work
>>
>> ...I'm assuming this is because the mimedefang working directory is owned by defang and clamd runs as clamav. I fixed by running clamd as root ... is this the preferred solution or is there a better way?
>
> In general, you don't want daemons running as privileged users. I run clamd as the same user as I run MD and that would be my recommendation as well.

If you're building clamav from source that's pretty easily maintained, but if you're using clamav from one of the third-party repositories I like to mess with it as little as possible (so that it doesn't get broken on version updates) and instead do a little more upfront configuration with MD.

The RPMForge clamav packages use clamav.clamav, so I do the following:

1. Add the clamav user to the defang group;
2. Make sure that the "AllowSupplementaryGroups yes" line exists in clamd.conf;
3. Change mode for MD spool directory (on tmpfs of course) to 750;
4. Configure MD to create group readable working files (-G option to multiplexor);
5. Tweak other MD settings as necessary (location of clamd.sock, etc.)

-- 
Nels Lindquist nli...@maei.ca
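To see why each of the five steps above is needed, here is an added example (not from the thread, and not MIMEDefang or ClamAV code) that models the Unix owner/group/other access check clamd runs into when it lstat()s the working directory. User names, group names and modes are constructed to mirror the thread (spool owned by defang, clamd running as clamav); the keeps_supplementary flag stands in for clamd.conf's AllowSupplementaryGroups, and the 0o660 file mode stands in for the group-readable working files the multiplexor's -G option produces. Each scenario drops one step and shows the scan failing again.

```python
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Process:
    """A scanning daemon as the kernel sees it (constructed model)."""
    user: str
    primary_group: str
    groups: frozenset = frozenset()        # membership recorded in /etc/group (step 1)
    keeps_supplementary: bool = False      # AllowSupplementaryGroups in clamd.conf (step 2)
    is_root: bool = False

    def effective_groups(self) -> frozenset:
        # Membership in /etc/group only counts if the daemon keeps its
        # supplementary groups after dropping privileges.
        extra = self.groups if self.keeps_supplementary else frozenset()
        return frozenset({self.primary_group}) | extra


@dataclass(frozen=True)
class Inode:
    owner: str
    group: str
    mode: int    # permission bits only, e.g. 0o750


def _allowed(proc: Process, node: Inode, user_bit: int, group_bit: int, other_bit: int) -> bool:
    """Standard Unix access decision: root, then owner class, then group class, then other."""
    if proc.is_root:
        return True
    if proc.user == node.owner:
        return bool(node.mode & user_bit)
    if node.group in proc.effective_groups():
        return bool(node.mode & group_bit)
    return bool(node.mode & other_bit)


def can_traverse(proc: Process, directory: Inode) -> bool:
    """lstat() on an entry needs search (x) permission on every directory above it."""
    return _allowed(proc, directory, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)


def can_read(proc: Process, f: Inode) -> bool:
    return _allowed(proc, f, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)


def clamd_can_scan(proc: Process, spool: Inode, workdir: Inode, message: Inode) -> bool:
    """clamd must get through the spool and the per-message Work dir, then read the file."""
    return can_traverse(proc, spool) and can_traverse(proc, workdir) and can_read(proc, message)


def scenarios() -> dict:
    """Constructed cases following the thread: spool owned by defang, clamd runs as clamav."""
    spool_700, spool_750 = Inode("defang", "defang", 0o700), Inode("defang", "defang", 0o750)
    work_700, work_750 = Inode("defang", "defang", 0o700), Inode("defang", "defang", 0o750)
    msg_600, msg_660 = Inode("defang", "defang", 0o600), Inode("defang", "defang", 0o660)  # 0o660: as -G yields
    clamav_default = Process("clamav", "clamav")
    clamav_step1 = Process("clamav", "clamav", frozenset({"defang"}))
    clamav_step1_2 = Process("clamav", "clamav", frozenset({"defang"}), keeps_supplementary=True)
    return {
        # the situation that produced "lstat() failed" in the thread
        "unchanged": clamd_can_scan(clamav_default, spool_700, work_700, msg_600),
        # the workaround the poster used: works, but a privileged daemon
        "clamd_as_root": clamd_can_scan(Process("root", "root", is_root=True), spool_700, work_700, msg_600),
        # group added in /etc/group but clamd drops supplementary groups
        "step1_only": clamd_can_scan(clamav_step1, spool_750, work_750, msg_660),
        # groups applied, but the directories still deny the group class
        "steps1_2_dirs_700": clamd_can_scan(clamav_step1_2, spool_700, work_700, msg_660),
        # directories opened up, but working files still created 0600 (no -G)
        "steps1_3_no_G": clamd_can_scan(clamav_step1_2, spool_750, work_750, msg_600),
        # all of steps 1-4 applied
        "steps1_4": clamd_can_scan(clamav_step1_2, spool_750, work_750, msg_660),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:20s} -> {'scan ok' if ok else 'EACCES'}")
```

The point of the model is that the steps are conjunctive: /etc/group membership alone does nothing if the daemon drops its supplementary groups, group x on the directories does nothing if the file itself is 0600, and only the root shortcut bypasses all of it, which is exactly the trade the thread advises against.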
[Mimedefang] clamav vs clamd vs clamscan
I am installing a new mail server on Scientific Linux 6.5. What is the recommended way to install clam for mimedefang? I have used binaries in the past but would prefer to use yum package unless binaries are better for some reason. I have listed the available packages below ... clamd won't install via yum ... I get a message that it was obsoleted by clamav. I see examples on the internet that mimedefang can fall back to clamscan if clamd fails but I don't know which packages to load to enable that. Now that clamd is no longer available, what is the recommended course of action?

    clamav-db.x86_64 : Virus database for clamav
    clamd.x86_64 : The Clam AntiVirus Daemon
    clamav.x86_64 : Anti-virus software

Thanks in advance.
[Mimedefang] Fwd: clamav vs clamd vs clamscan
--Update: I decided to try clamav. I did yum install clamav, then freshclam. However, I am unsure of the format of the following line in mimedefang.pl:

    $Features{'Virus:CLAMAV'} = ('/usr/bin' ne '/bin/false' ? '/bin/false' : 0);

I did a which on clamav and it is not found. I did a which on clamscan and it's in /usr/bin. So I'll do this:

    $Features{'Virus:CLAMAV'} = ('/usr/bin/clamscan' ne '/bin/false' ? '/usr/bin/clamscan' : 0);

Is the above correct? I'm curious about the zero at the end.

-------- Original Message --------
From: Cliff Hayes cha...@afo.net
Date: Wed, 08 Oct 2014 11:52:46 -0500
To: mimedefang@lists.roaringpenguin.com
Subject: [Mimedefang] clamav vs clamd vs clamscan

> I am installing a new mail server on Scientific Linux 6.5. What is the recommended way to install clam for mimedefang? I have used binaries in the past but would prefer to use yum package unless binaries are better for some reason. I have listed the available packages below ... clamd won't install via yum ... I get a message that it was obsoleted by clamav. I see examples on the internet that mimedefang can fall back to clamscan if clamd fails but I don't know which packages to load to enable that. Now that clamd is no longer available, what is the recommended course of action?
>
>     clamav-db.x86_64 : Virus database for clamav
>     clamd.x86_64 : The Clam AntiVirus Daemon
>     clamav.x86_64 : Anti-virus software
>
> Thanks in advance.
Re: [Mimedefang] clamav vs clamd vs clamscan
On Wed, Oct 8, 2014 at 11:52 AM, Cliff Hayes cha...@afo.net wrote:
> I am installing a new mail server on Scientific Linux 6.5. What is the recommended way to install clam for mimedefang? I have used binaries in the past but would prefer to use yum package unless binaries are better for some reason. I have listed the available packages below ... clamd won't install via yum ... I get a message that it was obsoleted by clamav. I see examples on the internet that mimedefang can fall back to clamscan if clamd fails but I don't know which packages to load to enable that. Now that clamd is no longer available, what is the recommended course of action?
>
>     clamav-db.x86_64 : Virus database for clamav
>     clamd.x86_64 : The Clam AntiVirus Daemon
>     clamav.x86_64 : Anti-virus software

Is that from SL's own repository? EPEL has clamd and it pulls clamav as a dependency.

-- 
Les Mikesell lesmikes...@gmail.com
Re: [Mimedefang] clamav vs clamd vs clamscan
I will have to go with clamd because clamav is taking 12 seconds to scan an email with five words in it. I tried disabling all repositories except epel like this...

    yum --disablerepo=atrpms-bleeding --disablerepo=atrpms --disablerepo=atrpms-testing --disablerepo=elrepo --disablerepo=epel-testing --disablerepo=rpmforge --disablerepo=sl6x --disablerepo=sl install clamd

... but then I got a long list of dependencies, then a bunch of errors and requires, then ended with this...

    You could try using --skip-broken to work around the problem
    You could try running: rpm -Va --nofiles --nodigest

... so I guess I should go back to binaries?

On 10/8/2014 1:05 PM, Les Mikesell wrote:
> On Wed, Oct 8, 2014 at 11:52 AM, Cliff Hayes cha...@afo.net wrote:
>> I am installing a new mail server on Scientific Linux 6.5. What is the recommended way to install clam for mimedefang? I have used binaries in the past but would prefer to use yum package unless binaries are better for some reason. I have listed the available packages below ... clamd won't install via yum ... I get a message that it was obsoleted by clamav. I see examples on the internet that mimedefang can fall back to clamscan if clamd fails but I don't know which packages to load to enable that. Now that clamd is no longer available, what is the recommended course of action?
>>
>>     clamav-db.x86_64 : Virus database for clamav
>>     clamd.x86_64 : The Clam AntiVirus Daemon
>>     clamav.x86_64 : Anti-virus software
>
> Is that from SL's own repository? EPEL has clamd and it pulls clamav as a dependency.
Re: [Mimedefang] clamav vs clamd vs clamscan
On 10/8/2014 3:05 PM, Cliff Hayes wrote:
> I will have to go with clamd because clamav is taking 12 seconds to scan an email with five words in it.

Correct. Using anything but clamd is not going to work for anything but the smallest of installations.
Re: [Mimedefang] clamav vs clamd vs clamscan
On Wed, Oct 8, 2014 at 2:05 PM, Cliff Hayes cha...@afo.net wrote:
> I will have to go with clamd because clamav is taking 12 seconds to scan an email with five words in it. I tried disabling all repositories except epel like this...
>
>     yum --disablerepo=atrpms-bleeding --disablerepo=atrpms --disablerepo=atrpms-testing --disablerepo=elrepo --disablerepo=epel-testing --disablerepo=rpmforge --disablerepo=sl6x --disablerepo=sl install clamd
>
> ... but then I got a long list of dependencies, then a bunch of errors and requires, then ended with this...
>
>     You could try using --skip-broken to work around the problem
>     You could try running: rpm -Va --nofiles --nodigest
>
> ... so I guess I should go back to binaries?

Mixing 3rd party repos generally leads to conflicts. On a Centos system with EPEL as the only extra repo it 'just works'. Either you already have some conflicting package from a different repo or you needed something from the base SL. Also, if you get mimedefang and clamd from different repos you may end up with a mismatch in user/group settings that will cause permission problems on the socket they use to communicate.

-- 
Les Mikesell lesmikes...@gmail.com
Re: [Mimedefang] clamav vs clamd vs clamscan
Ok. Is it advisable to use clamd first and clamav as a fallback (per code example below)? If so, do I still need to set the Features in mimedefang.pl like this ...

    $Features{'Virus:CLAMAV'} = ('/usr/bin/clamscan' ne '/bin/false' ? '/usr/bin/clamscan' : 0);
    $Features{'Virus:CLAMD'} = ('/bin/false' ne '/bin/false' ? '/bin/false' : 0);

... since I'm calling the appropriate module instead of the generic message_contains_virus() module?

code example:

    my ($code, $category, $action) = message_contains_virus_clamd();
    if ($category eq 'virus') {
        $FoundVirus = 1;
    } elsif ($category ne 'ok') {
        md_syslog('err', "$QueueID: clamd error: code=$code, category=$category, action=$action");
        # try clamscan if clamd failed
        my ($code, $category, $action) = message_contains_virus_clamav();
        if ($category eq 'virus') {
            $FoundVirus = 1;
        } elsif ($category ne 'ok') {
            md_syslog('err', "$QueueID: clamav error: code=$code, category=$category, action=$action");
            action_tempfail("error: problem running virus scanners");
            return;
        }
    }

On 10/8/2014 2:18 PM, Kevin A. McGrail wrote:
> On 10/8/2014 3:05 PM, Cliff Hayes wrote:
>> I will have to go with clamd because clamav is taking 12 seconds to scan an email with five words in it.
>
> Correct. Using anything but clamd is not going to work for anything but the smallest of installations.
Re: [Mimedefang] clamav vs clamd vs clamscan
On 10/8/2014 1:05 PM, Cliff Hayes wrote:
> I will have to go with clamd because clamav is taking 12 seconds to scan an email with five words in it.

Yep.

> I tried disabling all repositories except epel like this...
>
>     yum --disablerepo=atrpms-bleeding --disablerepo=atrpms --disablerepo=atrpms-testing --disablerepo=elrepo --disablerepo=epel-testing --disablerepo=rpmforge --disablerepo=sl6x --disablerepo=sl install clamd

You can accomplish the same thing a little simpler like so:

    yum --disablerepo=* --enablerepo=epel [...]

> ... but then I got a long list of dependencies, then a bunch of errors and requires, then ended with this...
>
>     You could try using --skip-broken to work around the problem
>     You could try running: rpm -Va --nofiles --nodigest
>
> ... so I guess I should go back to binaries?

I suspect somewhere along the way you got a mixed installation between EPEL and RPMForge. They both have clam* packages with similar names, but the files are put into different directories, etc. and end up causing cross-repo conflicts.

Your best bet is to pick one, and put an exclude= line in the other repo file to avoid conflicts.

-- 
Nels Lindquist nli...@maei.ca
Re: [Mimedefang] clamav vs clamd vs clamscan
On 10/8/2014 4:05 PM, Cliff Hayes wrote:
> Is it advisable to use clamd first and clamav as a fallback (per code example below)? If so, do I still need to set the Features in mimedefang.pl like this ...

Never needed fall-back. Clamav has always been pretty solid. And if I started running clamav, it would like spin the server out of resources ;-)
[Mimedefang] filter_cleanup question
So I have a filter_cleanup and I see these errors:

    Sep 26 07:54:03 intel1 mimedefang-multiplexor[30156]: Slave 11 stderr: Use of uninitialized value in exit at /usr/local/bin/mimedefang.pl line 5577, STDIN line 10.
    Sep 26 07:54:03 intel1 mimedefang-multiplexor[30156]: Reap: slave 11 (pid 5463) exited normally with status 0

From looking at the code, I think maybe I should have a return status on my function so I've added return 0;

If I'm right, I think perhaps the man page could be a bit more effusive on that point?

Regards,
KAM
Re: [Mimedefang] filter_cleanup question
On Fri, 26 Sep 2014 09:49:10 -0400 Kevin A. McGrail kmcgr...@pccc.com wrote:
> From looking at the code, I think maybe I should have a return status on my function so I've added return 0;
> If I'm right, I think perhaps the man page could be a bit more effusive on that point?

Well, it currently reads:

    The return value from filter_cleanup becomes the slave's exit status.

I guess I can change it to:

    The return value from filter_cleanup becomes the slave's exit status, so make sure filter_cleanup returns an integer suitable for a process exit status.

Regards,
David.
Re: [Mimedefang] filter_cleanup question
On 9/26/2014 10:01 AM, David F. Skoll wrote:
>> From looking at the code, I think maybe I should have a return status on my function so I've added return 0;
>> If I'm right, I think perhaps the man page could be a bit more effusive on that point?
>
> Well, it currently reads:
>
>     The return value from filter_cleanup becomes the slave's exit status.
>
> I guess I can change it to:
>
>     The return value from filter_cleanup becomes the slave's exit status, so make sure filter_cleanup returns an integer suitable for a process exit status.

I agree it's there. It just seemed easy to gloss over. Perhaps an example such as return 0 for ok and anything else for an error ;-) Or even a little mini-stub in an example filter.

regards,
KAM
Re: [Mimedefang] Perl Developer
Hi there,

On Fri, 26 Sep 2014, Paul Rabbideau wrote:
> I'm looking for a Perl developer with MIMEDefang experience for some contract work. If you are interested, please contact me.

I'm interested. I've been using Perl for approaching 20 years. I can't now remember when I started using it, but I was writing mod_perl scripts for Apache Webservers around the turn of the century for a legal training firm in Los Angeles which had in excess of four million users (unfortunately I can't identify the firm, which is still in business and my contract still binds me to confidentiality). Before that I coded some of the early sites for an online holiday site which was then owned by EMAP Publications in the UK - I think that was my first Perl contract. Also at about that time, together with Stas Bekman I re-wrote and greatly extended the 'Mod_perl Guide'.

I've been using MIMEDefang for over nine years in both my own and client mail servers. I try to minimize the number of messages which are scanned by heavyweight Perl scripts, and MIMEDefang is generally the last in a string of about seven Sendmail milters.

I wouldn't describe myself as primarily a Perl developer. I have a very wide range of experience with GNU/Linux systems, mostly based on Debian, Red Hat and Slackware distributions. The attached list is to be the basis of a training course which I'm planning for a client, I've quickly hacked it to avoid identifying the client and to remove some of the less interesting items.

I'm based in the UK and France. I have business interests in the UK, and a home in the French Pyrenees. Where are you based?

Kind regards,
Ged Haywood.

Attached list:

User training
Documentation
Hardware
  PCs, Servers, CNC, Clock card reader, Network kit e.g. switches, hubs, cabling and connectors.
  Memory, discs, CPUs. Fans. Routine maintenance. 32-bit/64-bit issues. Telephone systems.
Linux
  Disc partitions, filesystems, swap, boot records
  Boot loaders: Grub, LiLo, configuration
  Kernel modules: module versioning problems with some modules e.g. ethernet drivers (e.g. jme.ko, r8168/r8169)
  Filesystem (mostly ext2/3/4 but also NTFS/VFAT/ISO9660, +Rock Ridge extensions, etc.): root (/), /etc/, /bin/, /sbin/, /home/, /proc/, /sys/, /dev/, /run/, /tmp/, /mnt/, ...
  Users, groups, root (UID 0), addusers, /etc/addusers.conf, ...
  Permissions
  Filesystem layout
  Filesystems on e.g. flash memory
  Limitations - 32-bit/64-bit issues
  Startup - scripts, directories, (see also updates)
  Daemons e.g. sshd, ntpd, bind, crond, imapd, inetd/xinetd, named, dhcpd, sensord, ...
  Shells: sh, bash, ash, csh, tcsh, login/terminal/non-login configuration, aliases, command history, restricted shell, stdio, redirection, pipes, globs, shell scripts
  Utilities e.g. man, mount, umount, fsck, date, ls, ps, df, du, sensors, ifconfig (see also 'network tools'), less, editors, echo, cut, tr, grep, gzip, mail, nice, sed, top, kill, killall, perl, perl -e '', perl scripts, ...
  Regular expressions
  Logging, syslog, syslog-ng
  Log rotation - logrotate
  Configuration files - general
Distributions
  Debian: HDD install; LiveCD; Boot from HDD, grub menu etc. Install from packages (apt-get install), apt-get update ; apt-get upgrade, sources.lst, squeeze-lst
Perl
cygwin
Networks
  Hardware: Ethernet switches, hubs. Cabling, specifications, make/test cabling. Wireless links. Routers, ADSL router, watch out for bloody printers etc. behaving as routers.
  Protocols, standards, RFCs: Ethernet, DNS, DNSSEC, SMTP, HTTP, FTP, SMB, NTP
  Enabling software: Firewalls, iptables, tc, traffic shaping, IPCop, SSH access, Web UI, DHCP service, Routes, VPNs - routes, iptables
  Servers for mail, web, time, file
  SSH, ssh, scp, VNC, vnc4server, x11vnc, xtightvncviewer, RDESKTOP, rdesktop.
  Network tools: tcpdump, nmap, iftop, p0f, wireshark, netcat, socat (and of course netstat, ifconfig, ip, route, traceroute, ping, arp, ...)
  NFS/CIFS/other, remote mounts
  /etc/services; hosts.allow etc., inetd
  /etc/hosts
  /etc/resolv.conf
  Network rules of engagement: Minimum surface. Africa, China, Eastern Europe, etc. Machinery can be connected to the computers! Dropbox, bubbles, DomaIQ, ...
Monitoring software
  Nagios: General host/network monitoring with Nagios. Temperatures, disc space, load, SMART, time service. Plugins. Security. Host monitoring using nrpe.
  Smokeping: Network monitoring with Smokeping slaves
Build software from source [download, configure, make, install, configure, run, check]
Mail
  Sendmail: Configure - sendmail.mc, local configuration, m4 macros, delivery agents, build, install. Build sendmail.cf etc., certificates, aliases, virtusertable, BerkleyDB, ...
  Milters - daemons,
[Mimedefang] Perl Developer
Hello, All.

I'm looking for a Perl developer with MIMEDefang experience for some contract work. If you are interested, please contact me.

Regards,
Paul
[Mimedefang] delay on relay problems
Short Version: Mimedefang 2.75 doesn't implement delay on the filter_relay routine. I think that is a bug. Where do I submit patches?

Long Version: I'm trying to run a small experiment to delay on relay connect under special circumstances, and I'm having some problems.

It appears that the perl filter_relay routine returns a 5 element list (code, message, code, dsn, delay). Of course many of these can be undef.

In examining the source code, and milter specifications, a few things captivate me. The first thing is that we can't call smfi_setreply from the connect callback. Ok. That is a limit, but the delay is not implemented in the smfi callbacks, it is instead implemented by the mimedefang process.

The mimedefang sources carefully pass the list (message, code, dsn, delay) back through
- from the mimedefang-filter
- through the intermediary multiplexor and its communication buffers
- and into the mfconnect routine in mimedefang.c

In the mfconnect routine the code reads:

    if (doRelayCheck) {
        char buf2[SMALLBUF];
        int n = MXRelayOK(MultiplexorSocketName, buf2, data->hostip,
                          data->hostname, data->hostport, data->myip,
                          data->daemon_port);
        if (n == MD_REJECT) {
            /* Can't call smfi_setreply from connect callback */
            /* set_dsn(ctx, buf2, 5); */
            cleanup(ctx);
            DEBUG_EXIT("mfconnect", SMFIS_REJECT);
            return SMFIS_REJECT;
        }
        if (n == MD_TEMPFAIL) {
            ...
        }
        if (n == MD_ACCEPT_AND_NO_MORE_FILTERING) {
            /* Can't call smfi_setreply from connect callback */
            /* set_dsn(ctx, buf2, 2); */
            cleanup(ctx);
            DEBUG_EXIT("mfconnect", SMFIS_ACCEPT);
            return SMFIS_ACCEPT;
        }
        if (n == MD_DISCARD) {
            ...
        }
    }
    DEBUG_EXIT("mfconnect", SMFIS_CONTINUE);
    return SMFIS_CONTINUE;
    }

The set_dsn routine is responsible for
- decoding the arguments from the multiplexor
- implementing the delay
- calling smfi_set_reply but only when the third parameter is 4 or 5.

If you'll examine the code above you'll see
- that we don't explicitly check for MD_CONTINUE
- that the filter routine always avoids calling set_dsn, even when the num param is not 4 or 5

I believe that it is a bug that the 2.75 version of mimedefang does not implement the delay on filter_relay, especially on 'CONTINUE'. I sincerely hope that you agree.

I will have some patches I would like to submit. Where should I submit them?

Dale Moore
Re: [Mimedefang] delay on relay problems
On Sun, 21 Sep 2014 11:12:42 -0400 Dale Moore dale.mo...@cs.cmu.edu wrote:
> I will have some patches I would like to submit. Where should I submit them?

Please post them to this list; I'll grab them. If they are large, then please send directly to me at d...@roaringpenguin.com

Regards,
David.
Re: [Mimedefang] ClamAV effectiveness
Hi there,

On Fri, 19 Sep 2014, David F. Skoll wrote:
> 4. ClamAV effectiveness (was Re: MIMEDefang Digest, Vol 132, Issue 3)

Oops. Sorry about that. :/

Mr. Skoll also wrote:
> On Thu, 18 Sep 2014 17:33:44 +0100 (BST) G.W. Haywood mimedef...@jubileegroup.co.uk wrote:
>> In my opinion ClamAV is more or less useless for anything other than the phishing signatures etc. for which I use it.
>
> Seconded. ClamAV has become almost completely useless since the Sourcefire and then Cicso acquisition. It's a fine engine, but signatures are awful. On our hosted anti-spam service, we outright block executables as well as executables contained within archive files like ZIP, ARJ, .tar.gz, etc.

I call sub filter_bad_filename() in sub filter() and sub filter_multipart() and REJECT the message if it doesn't pass muster.

    # Doesn't everybody do this?
    sub filter_bad_filename ($) {
        my($entity) = @_;
        my($bad_exts, $re);

        $bad_exts = $long_list_of_bad_extensions . '(|\{[^\}]+\})';
        $re = '\.' . $bad_exts . '\.*$';
        return 1 if (re_match($entity, $re));

        # Note: Install Archive::Zip on this server!
        if (re_match($entity, '\.zip$') and $Features{"Archive::Zip"}) {
            my $bh = $entity->bodyhandle();
            if (defined($bh)) {
                my $path = $bh->path();
                if (defined($path)) {
                    return re_match_in_zip_directory($path, $re);
                }
            }
        }
        return 0;
    }

Mr. Skoll wrote further:
> On Thu, 18 Sep 2014 14:17:13 -0500 Richard Laager rlaa...@wiktel.com wrote:
>> Is there a virus scanner you'd recommend for use with MIMEDefang on Linux?
> ...
> I'd recommend not running Windows which reduces your exposure to viruses

Seconded.

> by 99%.

I respectfully disagree with the 99%. I'm sure it's more than that. :)

-- 
73,
Ged.
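As an added example (neither Ged's code nor MIMEDefang's), here is the same check in Python so it can be run against sample names and an in-memory archive. It keeps the shape of the Perl regexp: the extension, an optional "{...}" suffix of the kind Windows hides in the displayed name, and any trailing dots; it matches case-insensitively, which assumes re_match in MIMEDefang does the same; and the zip branch reads only member names from the archive's central directory, as re_match_in_zip_directory does, without extracting anything. BAD_EXTENSIONS is a short constructed list standing in for $long_list_of_bad_extensions, and the sample archive is built inline.

```python
import io
import re
import zipfile

# Constructed stand-in for the poster's $long_list_of_bad_extensions.
BAD_EXTENSIONS = ["exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "jar"]

# Equivalent of  '\.' . $bad_exts . '(|\{[^\}]+\})' . '\.*$'  in the Perl:
#   \.(?:exe|scr|...)   the extension, preceded by a dot
#   (?:\{[^}]+\})?      optional "{...}" suffix hiding the real extension
#   \.*$                tolerate trailing dots some MUAs strip on save
_BAD_NAME_RE = re.compile(
    r"\.(?:" + "|".join(map(re.escape, BAD_EXTENSIONS)) + r")(?:\{[^}]+\})?\.*$",
    re.IGNORECASE,
)


def is_bad_filename(name: str) -> bool:
    """True if the (attachment or archive member) name ends in a blocked extension."""
    return bool(_BAD_NAME_RE.search(name))


def bad_names_in_zip(data: bytes) -> list:
    """Blocked member names found in a zip's central directory.

    Only the directory is parsed; member contents are never extracted. A blob
    that is not a valid zip yields an empty list (the Perl returns 0 there too);
    treating an unparseable archive as suspicious instead is a policy choice.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if is_bad_filename(n)]
    except zipfile.BadZipFile:
        return []


def filter_bad_filename(name: str, body: bytes) -> bool:
    """Port of the Perl decision: 1 (True) means the message should be rejected."""
    if is_bad_filename(name):
        return True
    if name.lower().endswith(".zip"):
        return bool(bad_names_in_zip(body))
    return False


def build_zip(members: dict) -> bytes:
    """Build a small archive in memory (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_zip({"readme.txt": b"plain text", "photo.jpg.scr": b"MZ..."})
    for attachment, body in [("invoice.pdf.exe", b""), ("notes.txt", b""), ("pics.zip", sample)]:
        print(f"{attachment:16s} reject={filter_bad_filename(attachment, body)}")
```

Nested archives are not descended into here, just as the Perl stops at one level; if that matters for a deployment, the same directory walk can be applied recursively to members that themselves end in .zip.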
[Mimedefang] ClamAV + SaneSecurity signatures
I've been thinking of experimenting with some of the additional ClamAV
signatures distributed by SaneSecurity in an attempt to beef up malware
detection a bit. Has anyone done much on this front? If so, what's your
experience?

Given the way that ClamAV is used in a typical MD setup, I'm really only
interested in malware detection; I'd prefer to leave phishing, spam, etc.
detection to SpamAssassin for aggregate scoring rather than an
all-or-nothing detect and drop policy.

--
Nels Lindquist
nli...@maei.ca
Re: [Mimedefang] ClamAV + SaneSecurity signatures
On Thu, 18 Sep 2014 08:26:30 -0600 Nels Lindquist nli...@maei.ca wrote:

> Has anyone done much on this front? If so, what's your experience?

I experimented with Sane Security signatures. They are far better than
the official ClamAV signatures (which are next to useless), but I would
stick to the virus ones. We got an unacceptably high false-positive rate
with the spam/phishing signatures.

Regards,

David.
Re: [Mimedefang] ClamAV + SaneSecurity signatures
Nels Lindquist wrote:

> I've been thinking of experimenting with some of the additional ClamAV
> signatures distributed by SaneSecurity in an attempt to beef up malware
> detection a bit. Has anyone done much on this front? If so, what's your
> experience?
>
> Given the way that ClamAV is used in a typical MD setup, I'm really only
> interested in malware detection; I'd prefer to leave phishing, spam, etc.
> detection to SpamAssassin for aggregate scoring rather than an
> all-or-nothing detect and drop policy.

*nod* That's been my view as well, so on systems that call both I've set
up the ClamAV check to watch for Heuristics.* hits and flag the message
rather than rejecting it right away (as with most other ClamAV hits).
Further down, after SA has had a go, I take the returned score and add
some points if the flag from earlier is set before finally deciding if the
message was spam or not.

No reason you couldn't do that with any other subset of either native or
third-party ClamAV signatures.

-kgd
[Mimedefang] ClamAV effectiveness (was Re: MIMEDefang Digest, Vol 132, Issue 3)
On Thu, 18 Sep 2014 17:33:44 +0100 (BST) G.W. Haywood mimedef...@jubileegroup.co.uk wrote:

> In my opinion ClamAV is more or less useless for anything other than
> the phishing signatures etc. for which I use it.

Seconded. ClamAV has become almost completely useless since the Sourcefire
and then Cisco acquisition. It's a fine engine, but signatures are awful.

On our hosted anti-spam service, we outright block executables as well as
executables contained within archive files like ZIP, ARJ, .tar.gz, etc.
If you want to do this, see the lsar package that can scan many types of
archives and extract filenames. It's packaged with Debian and its home
page is http://unarchiver.c3.cx/commandline

Regards,

David.
Re: [Mimedefang] ClamAV effectiveness (was Re: MIMEDefang Digest, Vol 132, Issue 3)
On Thu, 18 Sep 2014 14:17:13 -0500 Richard Laager rlaa...@wiktel.com wrote:

> Is there a virus scanner you'd recommend for use with MIMEDefang on Linux?

No, not really. I'd recommend not running Windows which reduces your
exposure to viruses by 99%. And rather than any sort of virus scanner, I'd
simply block all EXE, SCR, PIF, etc. files completely, including if they're
inside archive files. Any signature-based virus scanner is going to miss
new viruses by definition.

Regards,

David.
[Mimedefang] detect failed auth
Hi,

is there a way to detect a failed smtp auth in Milter? I know how to
detect a successful auth, but how to differentiate a failed auth from no
auth at all? I want to block brute force attacks.

Best regards,
Frank.
Re: [Mimedefang] detect failed auth
On Wed, 10 Sep 2014 11:40:42 +0200 Frank Doepper f...@taz.de wrote:

> is there a way to detect a failed smtp auth in Milter?

No, not as far as I know. If you want to block brute-force attacks, your
best bet is something like fail2ban. http://www.fail2ban.org/

Regards,

David.
Re: [Mimedefang] detect failed auth
On 10.09.14 at 09:13, David F. Skoll wrote:

> On Wed, 10 Sep 2014 11:40:42 +0200 Frank Doepper f...@taz.de wrote:
>> is there a way to detect a failed smtp auth in Milter?
>
> No, not as far as I know.

Ok. Too bad.

> If you want to block brute-force attacks, your best bet is something
> like fail2ban. http://www.fail2ban.org/

Unfortunately saslauthd does not log the IP address.

Best regards,
Frank.
Re: [Mimedefang] detect failed auth
On Wed, 10 Sep 2014 16:08:31 +0200 Frank Doepper f...@taz.de wrote:

> Unfortunately saslauthd does not log the IP address.

Ah. This apparently is a long-standing problem:
http://objectmix.com/sendmail/760733-getting-ip-address-failed-authentications.html

I believe if you increase the Sendmail log level to higher than 9, it will
log lines like this:

    Sep 10 10:27:46 vanadium sm-mta[2670]: s8AEQtDU002670: AUTH failure (PLAIN): authentication failure (-13) SASL(-13): authentication failure: Password verification failed

which unfortunately does NOT include the remote IP. However, later on if
the client disconnects, you'll get:

    Sep 10 10:28:04 vanadium sm-mta[2670]: s8AEQtDU002670: d...@hydrogen.roaringpenguin.com [192.168.10.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA-v6

so you have to correlate those lines based on queue-ID to figure out which
IP is failing AUTH. All in all, quite painful. And the default log level is
9, so these messages are not usually logged.

Regards,

David.
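The queue-ID correlation David describes, written out as an added example (not code from the thread, from MIMEDefang or from fail2ban): it joins the "AUTH failure" lines to the later "did not issue MAIL/EXPN/VRFY/ETRN" lines on the queue ID and counts failures per client IP, which is the list a fail2ban-style action would consume. Only the two line shapes come from David's message; the sample log, hostnames, IPs and queue IDs are constructed, and connections that never produce an IP-bearing line are reported rather than silently dropped.

```python
import re
from collections import Counter, defaultdict

# Shape of the two sendmail lines quoted above: the queue ID follows the
# "sm-mta[pid]:" prefix on both, but only the disconnect line carries the IP.
AUTH_FAIL_RE = re.compile(
    r"sm-mta\[\d+\]: (?P<qid>[A-Za-z0-9]+): AUTH failure \((?P<mech>[^)]+)\)"
)
DISCONNECT_RE = re.compile(
    r"sm-mta\[\d+\]: (?P<qid>[A-Za-z0-9]+): (?:\S+ )?\[(?P<ip>[0-9A-Fa-f.:]+)\]"
    r" did not issue MAIL/EXPN/VRFY/ETRN"
)

# Constructed sample log: two connections from one client that each fail
# AUTH and then drop, one connection that fails AUTH but never produces a
# disconnect line, and an unrelated delivery line that must be ignored.
SAMPLE_LOG = """\
Sep 10 10:27:46 mx1 sm-mta[2670]: s8AEQtDU002670: AUTH failure (PLAIN): authentication failure (-13) SASL(-13): authentication failure: Password verification failed
Sep 10 10:27:49 mx1 sm-mta[2670]: s8AEQtDU002670: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: Password verification failed
Sep 10 10:27:50 mx1 sm-mta[2671]: s8AEQtDV002671: AUTH failure (PLAIN): authentication failure (-13) SASL(-13): authentication failure: Password verification failed
Sep 10 10:28:04 mx1 sm-mta[2670]: s8AEQtDU002670: client.example.net [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA-v6
Sep 10 10:28:05 mx1 sm-mta[2671]: s8AEQtDV002671: other.example.net [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA-v6
Sep 10 10:28:06 mx1 sm-mta[2672]: s8AEQtDW002672: AUTH failure (PLAIN): authentication failure (-13) SASL(-13): authentication failure: Password verification failed
Sep 10 10:28:10 mx1 sm-mta[2673]: s8AEQtDX002673: from=<alice@example.org>, size=1234, class=0, nrcpts=1, proto=ESMTP, daemon=MTA-v6, relay=[198.51.100.7]
"""


def auth_failures_by_ip(lines):
    """Return ({ip: auth_failure_count}, [queue IDs with failures but no IP]).

    Failures are keyed by queue ID first, then mapped to the IP found on a
    later disconnect line for the same queue ID.
    """
    failures = defaultdict(int)   # queue ID -> number of AUTH failures
    ip_of = {}                    # queue ID -> client IP, once known
    for line in lines:
        m = AUTH_FAIL_RE.search(line)
        if m:
            failures[m.group("qid")] += 1
            continue
        m = DISCONNECT_RE.search(line)
        if m:
            ip_of[m.group("qid")] = m.group("ip")

    per_ip = Counter()
    unresolved = []
    for qid, n in failures.items():
        if qid in ip_of:
            per_ip[ip_of[qid]] += n
        else:
            # The client may still be connected (its disconnect line has not
            # been logged yet) or it sent mail afterwards; report, don't guess.
            unresolved.append(qid)
    return dict(per_ip), sorted(unresolved)


def offenders(lines, threshold=3):
    """IPs with at least `threshold` AUTH failures, most failures first."""
    per_ip, _ = auth_failures_by_ip(lines)
    ranked = sorted(per_ip.items(), key=lambda kv: (-kv[1], kv[0]))
    return [ip for ip, n in ranked if n >= threshold]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(auth_failures_by_ip(lines))
    print(offenders(lines))
```

Feed it a real maillog instead of SAMPLE_LOG (with the Sendmail log level raised above 9, as David notes) and the unresolved list tells you how many failing connections you could not attribute.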
[Mimedefang] quarantine bad_filename messages
Hi,

I'd like to use action_quarantine_entire_message for messages containing
attachments with bad_filename, but not sure where to place the quarantine
command. Is sub filter_bad_filename the right place? Something like this?

    # This procedure returns true for entities with bad filenames.
    sub filter_bad_filename {
        my($entity) = @_;
        my($bad_exts, $re);

        $bad_exts = '(ade|adp|app|asd|asf|asx|bas|bat|chm|cmd|com|cpl|crt|dll|exe|fxp|hlp|hta|hto|inf|ini|ins|isp|jse?|lib|lnk|mdb|mde|msc|msi|msp|mst|ocx|pcd|pif|prg|reg|scr|sct|sh|shb|shs|sys|url|vb|vbe|vbs|vcs|vxd|wmd|wms|wmz|wsc|wsf|wsh|\{[^\}]+\})';

        # Do not allow:
        # - CLSIDs {foobarbaz}
        # - bad extensions (possibly with trailing dots) at end
        $re = '\.' . $bad_exts . '\.*$';

        # quarantine message
        if (re_match($entity, $re)) {
            action_quarantine_entire_message("bad_filename queueid=$QueueID,relayaddr=$RelayAddr,name=bad_filename");
            return 1;
        }

        # Look inside ZIP files
        if (re_match($entity, '\.zip$') and $Features{"Archive::Zip"}) {
            my $bh = $entity->bodyhandle();
            if (defined($bh)) {
                my $path = $bh->path();
                if (defined($path)) {
                    return re_match_in_zip_directory($path, $re);
                }
            }
        }
        return 0;
    }

Ciao!
Re: [Mimedefang] quarantine bad_filename messages
On Tue, 09 Sep 2014 12:12:03 +0200 Marcus Schopen li...@localguru.de wrote:

> I'd like to use action_quarantine_entire_message for messages containing
> attachments with bad_filename, but not sure where to place the quarantine
> command. Is sub filter_bad_filename the right place?

You can do it there, or you can do something like this:

    my $do_quarantine;

    sub filter_begin {
        $do_quarantine = 0;
    }

    sub filter_bad_filename {
        if (...) {
            $do_quarantine = 1;
        }
    }

    sub filter_end {
        if ($do_quarantine) {
            action_quarantine_entire_message(...);
            return;
        }
    }

Regards,

David.
Re: [Mimedefang] quarantine bad_filename messages
Marcus Schopen li...@localguru.de asked:

> I'd like to use action_quarantine_entire_message for messages containing
> attachments with bad_filename, but not sure where to place the quarantine
> command. Is sub filter_bad_filename the right place?

David F. Skoll d...@roaringpenguin.com replied:

> You can do it there, or you can do something like this:
>
>     my $do_quarantine;
>     sub filter_begin { $do_quarantine = 0; }
>     sub filter_bad_filename { if (...) { $do_quarantine = 1; } }
>     sub filter_end { if ($do_quarantine) { action_quarantine_entire_message(...); return; } }

But that uses a global variable that assumes that the same slave will be
used for the filter_begin and filter_end calls - I thought we were supposed
to be very careful about such global variables. Or is it safe to assume
that although the filter_{relay,helo,sender,recipient} calls for a given
message might be made to different slaves, once we're past the DATA block,
then filter_{begin,multipart,end} and filter itself will all be under the
control of a single slave?

Also, what's filter_bad_filename? I find no reference to it in the
mimedefang.pl file that comes with 4.75.

Anne.

--
Ms. Anne Bennett, Senior Sysadmin, ENCS, Concordia University, Montreal H3G 1M8
a...@encs.concordia.ca                                    +1 514 848-2424 x2285
Re: [Mimedefang] quarantine bad_filename messages
On Tue, 09 Sep 2014 10:43:44 -0400 Anne Bennett a...@encs.concordia.ca wrote:

> But that uses a global variable that assumes that the same slave will be
> used for the filter_begin and filter_end calls - I thought we were
> supposed to be very careful about such global variables.

In the mimedefang-filter(5) man page, there's a section called MAINTAINING
STATE that shows the different groups of functions. The documentation is
weak... it doesn't explicitly say that you can count on the same process
handling filter_begin/filter/filter_multipart/filter_end, so I'll have to
fix that because you can in fact count on that.

> Also, what's filter_bad_filename?

I believe it's a function defined in the sample filter.

Regards,

David.
Re: [Mimedefang] Perl version
> I've been using mimedefang on centos 6.x with the default perl version of
> 5.10 for a while now. Everything working well. I wanted to do an upgrade
> to perl to 5.20. Is there any obvious issue I will encounter?

I can't comment on 5.20, but I'm using 5.18.2 with no problems on my
development machine (with MD 4.75).

Anne.

--
Ms. Anne Bennett, Senior Sysadmin, ENCS, Concordia University, Montreal H3G 1M8
a...@encs.concordia.ca                                    +1 514 848-2424 x2285
[Mimedefang] Perl version
I've been using mimedefang on centos 6.x with the default perl version of
5.10 for a while now. Everything working well. I wanted to do an upgrade
to perl to 5.20. Is there any obvious issue I will encounter?

I plan to yum remove perl and then install perl from source (or possibly
from rpm if I find them). 5.10 is 7 years old.
[Mimedefang] Upgrading MIME::Tools to 5.505?
I noticed in mimedefang.pl there is the following statement:

    use MIME::Tools 5.410 ();

The latest MIME::Tools seems to be 5.505. MD 2.75 still references the old
version. Should we be updating this? Or is this planned for the future?
Re: [Mimedefang] Upgrading MIME::Tools to 5.505?
On 8/22/2014 1:51 PM, Amit Gupta wrote:

> I noticed in mimedefang.pl there is the following statement:
>
>     use MIME::Tools 5.410 ();
>
> The latest MIME::Tools seems to be 5.505. MD 2.75 still references the
> old version. Should we be updating this? Or is this planned for the
> future?

I think that just enforces a minimum. But DFS maintains MIME::Tools and MD.
I recommend running the latest of both.

Regards,
kAM
Re: [Mimedefang] Perl version
Hi there,

On Fri, 22 Aug 2014, Amit Gupta wrote:

> ... 5.10 is 7 years old.

And 5.20 is three months old. How much do you value stability? I can still
remember the pain that 5.6 caused me, way back at the turn of the century.

--
73,
Ged.
[Mimedefang] Telling Mailer to disconnect
Hello

I have implemented some anti-phishing and rate limiting via MIMEDefang.
Some of this is done during filter_recipient. This is called for each
recipient. So if it's clear that the connection being processed is
abusive, I would like to tell the mailer to disconnect that connection,
instead of having to reject every single recipient (every single call of
filter_recipient) to save some processing load.

Does anyone know how to do this?

Kind regards
Benoit Panizzon

--
I m p r o W a r e   A G
Zurlindenstrasse 29            Tel  +41 61 826 93 07
CH-4133 Pratteln               Fax  +41 61 826 93 02
Schweiz                        Web  http://www.imp.ch
Re: [Mimedefang] Telling Mailer to disconnect
On Thursday, 14 August 2014, 10:03:03, you wrote:

> SMTP error code 421 = Abort connection.

Nope, during the RCPT TO: phase this is a temporary error of just this
recipient. The other (even future) recipients could be valid, so the
milter is getting the remaining recipients until the 'max recipients'
limit of the mailer is reached. But the mailer then also only rejects the
additional recipients with a 'too many recipients' tempfail. Well, postfix
at some point disconnects with 'too many errors', but that limit is even
higher.

The problem with those abusers is that they try to send emails to
thousands of recipients, causing some load on the database that I would
like to avoid.

What I would like to do is disconnect the client connection during
filter_recipient. I fear this is not possible.

Of course, if $SendmailMacros{auth_authen} points to a phished account
that got 'blocked' in the past, I can reject the connection during
filter_sender. But still this leaves the problem of the recently blocked
account. I see bots opening one connection and then keeping that
connection open while trying to spam. As they got detected during the
filter_recipient phase, they cannot send emails as I reject every
recipient. No matter if I use TEMPFAIL or REJECT they keep trying to send
until they disconnect. Next connection they are blocked earlier, in
filter_sender.

Not all connections get permanently blocked (triggered by simultaneous
logins from many different IPs or different geoIP locations). If only one
IP is involved I only rate limit the recipients and put up a nagios
warning so a human can determine if this is a bot sending spam or a
customer who got the splendid idea to use our infrastructure as smarthost
for his mailing tool. But still in such a case I would like to disconnect
our customer instead of processing every recipient his tool is trying to
send emails to.

Benoit Panizzon

--
I m p r o W a r e   A G
Zurlindenstrasse 29            Tel  +41 61 826 93 07
CH-4133 Pratteln               Fax  +41 61 826 93 02
Schweiz                        Web  http://www.imp.ch
Re: [Mimedefang] Telling Mailer to disconnect
> SMTP error code 421 = Abort connection.

Aehm, you were right. I was not aware that this specific code causes the
mailer to disconnect... Thank you!

    421 4.2.1 Bitte SMTP-AUTHENTICATION aktivieren. Zu viele Empfaenger/Stunde: 25 20
    Connection closed by foreign host.

Kind regards

Benoit Panizzon

--
I m p r o W a r e   A G
Zurlindenstrasse 29            Tel  +41 61 826 93 07
CH-4133 Pratteln               Fax  +41 61 826 93 02
Schweiz                        Web  http://www.imp.ch
Re: [Mimedefang] MIMEDefang Digest, Vol 131, Issue 5
Hi there,

On Wed, 13 Aug 2014, Bill Cole wrote:

> On 9 Aug 2014, at 13:41, G.W. Haywood wrote:
>> You guys do REJECT your spam, don't you?
>
> Generally, yes. ... On my personal domain ... I reject 95% of all
> attempted SMTP transactions before DATA ...

We're on the same page.

--
73,
Ged.
Re: [Mimedefang] learner indicated ham
On 9 Aug 2014, at 13:41, G.W. Haywood wrote:

> Hi there,
>
> On Sat, 9 Aug 2014, Bill Cole wrote:
>> ... you probably could get a better answer from the broader SA
>> community, but I'll offer a vague rambling one :)
>
> It wasn't all that vague. :)
>
> You guys do REJECT your spam, don't you?

Generally, yes. I actually manage spam control for multiple systems that
operate under a diversity of policy regimes, some of which require
tag-and-release and/or quarantine for some mail that is in fact nearly
pure spam. On my personal domain (20yo, including still-live addresses
used for about a decade unmunged on Usenet) I reject 95% of all attempted
SMTP transactions before DATA (a majority doomed before MAIL) so my
filter_end function in MD (where SA gets a look) sees a mostly de-spammed
stream of messages.
Re: [Mimedefang] learner indicated ham
On 11 Aug 2014, at 10:22, Justin Edmands wrote:

> Bill,
>
> Thank you very much for the response. The detail is much appreciated. As
> Ged mentioned, not vague, helpful to say the least. The part about highly
> trusted rules caught my attention:
>
>> Another way to increase autolearning without going all the way to the
>> learn on error behavior is to flag rules that you trust highly as
>> autolearn_force so that messages matching them won't ever be excluded
>> from autolearning based on the existing Bayes DB disagreeing with the
>> deterministic rules.
>
> I think these will get me started:
>
>     tflags URIBL_DBL_SPAM autolearn_force
>     tflags URIBL_JP_SURBL autolearn_force
>     tflags URIBL_BLACK autolearn_force
>     tflags INVALID_DATE autolearn_force
>
> Any others that are definites?

That's a hard question for anyone to answer without knowing your
mailstream's quirks. I can't tell you who your users are and what sort of
mail they want that matches which rules. The default SA rules have mostly
low scores because they are all individually highly error-prone. I'm
especially wary about putting too much trust in individual rules because I
get lots of mail that talks about spam, often with things like lists of
evil domains that trigger URIBL rules. And INVALID_DATE shows up in a
surprising number of ethically upstanding but technically sordid messages
(e.g. Terminix customer notices.) This is why I reserve autolearn_force
for meta-rules, since it carries a risk of turning a few false positives
into a bad Bayes DB.

The specific example of what I described that I can share is this
locally-defined rule:

    describe URIBL_MULTI1 Multiple URIBL hits
    meta URIBL_MULTI1 URIBL_DBL_SPAM + URIBL_RED + URIBL_BLACK + URIBL_SBL + URIBL_WS_SURBL + URIBL_OB_SURBL + URIBL_JP_SURBL + URIBL_SC_SURBL > 2
    score URIBL_MULTI1 10
    tflags URIBL_MULTI1 autolearn_force

That means that if 3 or more of 8 different URIBL tests hit on a message,
I tack on an extra 10 points and override the learner protections.

I should add a note of warning by example: last week a thread in the
Postfix users list was started with a message including a long list of
spammer domains, causing the original message and any that fully quoted it
to match *6* of those URIBLs. If your mailstream includes mail discussing
spam, you have to take precautions to protect from such things ruining
your Bayes DB.

My other autolearn_force rules are also meta-rules that bundle multiple
rules, but I unfortunately cannot freely share their details as the
constituent rules come from private (i.e. encumbered) sources. The general
process I use is to look for clusters of rules (positive OR negative) that
often hit together on mail that gets a Bayes score in the opposite
direction. Before SA 3.4 I just set high scores on those meta-rules to
assure rejection, but autolearn_force improves on that.
Re: [Mimedefang] learner indicated ham
On Sat, Aug 9, 2014 at 1:41 PM, G.W. Haywood mimedef...@jubileegroup.co.uk wrote:

> It wasn't all that vague. :)
>
> You guys do REJECT your spam, don't you?
>
> --
> 73,
> Ged.

Bill,

Thank you very much for the response. The detail is much appreciated. As
Ged mentioned, not vague, helpful to say the least. The part about highly
trusted rules caught my attention:

> Another way to increase autolearning without going all the way to the
> learn on error behavior is to flag rules that you trust highly as
> autolearn_force so that messages matching them won't ever be excluded
> from autolearning based on the existing Bayes DB disagreeing with the
> deterministic rules.

I think these will get me started:

    tflags URIBL_DBL_SPAM autolearn_force
    tflags URIBL_JP_SURBL autolearn_force
    tflags URIBL_BLACK autolearn_force
    tflags INVALID_DATE autolearn_force

Any others that are definites?
Re: [Mimedefang] learner indicated ham
On 8 Aug 2014, at 12:05, Justin Edmands wrote:

> Aug 8 12:00:53.067 [19948] dbg: learn: auto-learn: message score: 13.934, computed score for autolearn: 17.583
> Aug 8 12:00:53.067 [19948] dbg: learn: auto-learn? ham=0, spam=7, body-points=7.448, head-points=5.511, learned-points=-1.9
> Aug 8 12:00:53.067 [19948] dbg: learn: auto-learn: autolearn_force not flagged for a rule. Body Only Points: 7.448 (3 req'd) / Head Only Points: 5.511 (3 req'd)
> Aug 8 12:00:53.067 [19948] dbg: learn: auto-learn? no: scored as spam but learner indicated ham (-1.9 < -1)

This is really a SpamAssassin issue rather than a MIMEDefang issue, so you
probably could get a better answer from the broader SA community, but I'll
offer a vague rambling one :)

The SA auto-learn subsystem is designed to be very cautious in what it
learns because it carries diverse mistraining risks. The obvious part of
the caution is the spam/non-spam thresholds for auto-learning, but there
are also less prominent ones: the message is rescored for the threshold
check using scoreset 0 or 1, the learner demands a minimum of 3 pts each
from body and header/network rules to score as spam unless a matched rule
has the autolearn_force tflag set, and other per-rule 'tflags' can modify
how the learner acts on a matching message. As a result, a message
actually has 5 scores tallied by SA: the normal score using scoreset 3 or
4, the score using scoreset 0 or 1 that gets compared to the spam and
nonspam autolearn threshold settings, the body-only score, the header-only
score, and the score using only rules with the learn tflag (by default,
that's only BAYES_* rules) which is reported in debug messages as
learned-points. By default, that last value is used as a backstop to
prevent wildly divergent auto-learning. If the Bayes rules score a message
< -1 or > 1 (by default: a Bayes probability below 1% or above 50%) in
dissent from the overall score, the message will not be autolearned.

> Is this something that I can fix? I want stuff to be trained as spam but
> it doesn't seem to make it. I am thinking it's either a setting I am not
> aware of or I need to retrain my bayes DB ham. Any help would be great.

The real question is whether it is a problem at all, i.e. whether it's a
thing that merits fixing rather than a thing that is working as designed
and, at least in aggregate, for your benefit. Probably that particular
message was spam, given the very high score spread across rule types, but
it is certain that learning it as spam would change the way your Bayes DB
interprets similar messages and possible (absent other evidence) that it
was not spam at all. Unless you do intensive periodic score adjustments of
your non-Bayes rules based on a carefully human-classified corpus of
messages that are representative of the actual mailstream seen by SA, a
well-fed Bayes DB is going to be a better judge than the other (static and
mostly default) rules.

As of SA v3.4 (which you apparently have, as autolearn_force is new) you
can switch bayes_auto_learn_on_error to 1 to flip the auto-learner into a
mode where it *ONLY* learns a message when its learned-points
classification (i.e. the judgment of the existing Bayes DB) disagrees with
classification based on surpassing an autolearn threshold. Whether you
leave bayes_auto_learn_on_error at its default 0 for the traditional
behavior or switch it to 1 depends on what you believe to be true about
the relative accuracy of your Bayes and non-Bayes SA rules. The
traditional behavior expresses an assumption that the Bayes DB is less
likely to make a large classification error than the rules used for the
autolearn score, while the learn on error behavior assumes that your Bayes
DB is probably in error when it disagrees with the other SA rules.

Which way is better is site-specific, as that is influenced by a site's
particular mailstream idiosyncrasies, the autolearn thresholds, local
rules, local score adjustments to standard rules, the exclusion of
messages from SA scoring by other anti-spam measures, and the nature of
what gets fed to the Bayes DB after explicit human classification.

Another way to increase autolearning without going all the way to the
learn on error behavior is to flag rules that you trust highly as
autolearn_force so that messages matching them won't ever be excluded from
autolearning based on the existing Bayes DB disagreeing with the
deterministic rules. I have started doing this for locally-defined
meta-rules that match on multiple hits on net rules such as the URIBL
family. My reasoning there is that an identical message can get
autolearned as ham at 12:00 because the spammer filled it with
Bayes-busting garbage and freshly minted payload URLs and sent from a
fresh snowshoe range but score well past the autolearn spam threshold at
12:05 because by then multiple network services checked by SA rules have
switched their opinions.

In short: there are non-Bayes rules which
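As an added illustration of the auto-learn rules Bill lays out (this is a simplified model written for this page, not SpamAssassin's own code): the function below applies the threshold check, the 3-point body/header minimum, the autolearn_force override and the learned-points backstop, with bayes_auto_learn_on_error turning that backstop into the reason to learn, and re-derives the "scored as spam but learner indicated ham" outcome from the values in Justin's debug lines. The strict < -1 / > 1 comparisons, the order of the checks, and the behaviour of autolearn_force in learn-on-error mode are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Figures the thread quotes: 3 points each from body and header rules,
# and the learned-points (Bayes) backstop at -1 / +1.
MIN_BODY_POINTS = 3.0
MIN_HEAD_POINTS = 3.0
LEARNED_HAM_BELOW = -1.0
LEARNED_SPAM_ABOVE = 1.0


@dataclass
class AutolearnInput:
    autolearn_score: float   # "computed score for autolearn" (scoreset 0/1)
    body_points: float       # body-only points
    head_points: float       # header-only points
    learned_points: float    # points from rules with tflags learn (BAYES_*)
    autolearn_force: bool = False  # a matched rule carries tflags autolearn_force


def bayes_opinion(learned_points: float) -> Optional[str]:
    """What the existing Bayes DB says, per the -1 / +1 backstop (assumed strict)."""
    if learned_points < LEARNED_HAM_BELOW:
        return "ham"
    if learned_points > LEARNED_SPAM_ABOVE:
        return "spam"
    return None


def autolearn_decision(inp: AutolearnInput,
                       threshold_nonspam: float = 0.0,
                       threshold_spam: float = 7.0,
                       learn_on_error: bool = False) -> Tuple[Optional[str], str]:
    """Return (what_to_learn, reason); what_to_learn is None when nothing is learned.

    Thresholds default to the ham=0 / spam=7 pair shown in Justin's debug output.
    """
    if inp.autolearn_score >= threshold_spam:
        verdict = "spam"
    elif inp.autolearn_score <= threshold_nonspam:
        verdict = "ham"
    else:
        return None, "autolearn score between the ham and spam thresholds"

    # Spam needs at least 3 points from body rules and 3 from header rules,
    # unless a matched rule is flagged autolearn_force.
    if verdict == "spam" and not inp.autolearn_force and (
            inp.body_points < MIN_BODY_POINTS or inp.head_points < MIN_HEAD_POINTS):
        return None, "not enough body or header points"

    bayes = bayes_opinion(inp.learned_points)
    disagrees = bayes is not None and bayes != verdict

    if learn_on_error:
        # bayes_auto_learn_on_error 1: learn only when the Bayes DB got it wrong.
        if not disagrees:
            return None, "learner already agrees, nothing to correct"
        return verdict, f"learner indicated {bayes}, learning as {verdict} to correct it"

    # Default backstop: a confident, dissenting Bayes opinion blocks learning
    # unless autolearn_force overrides it.
    if disagrees and not inp.autolearn_force:
        return None, f"scored as {verdict} but learner indicated {bayes}"
    return verdict, "thresholds and backstop satisfied"


# Values from the debug lines Justin posted (score for autolearn 17.583,
# body 7.448, head 5.511, learned-points -1.9).
JUSTINS_MESSAGE = AutolearnInput(17.583, 7.448, 5.511, -1.9)

if __name__ == "__main__":
    print(autolearn_decision(JUSTINS_MESSAGE))
    print(autolearn_decision(JUSTINS_MESSAGE, learn_on_error=True))
```

Running it with the thread's numbers shows the same "no" as the debug line, and flipping either autolearn_force or learn_on_error shows which knob would have let the message through.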
Re: [Mimedefang] learner indicated ham
Hi there,

On Sat, 9 Aug 2014, Bill Cole wrote:

> ... you probably could get a better answer from the broader SA community, but I'll offer a vague rambling one :)

It wasn't all that vague. :)

You guys do REJECT your spam, don't you?

--
73, Ged.

___
NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it.
Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
[Mimedefang] learner indicated ham
Aug 8 12:00:53.067 [19948] dbg: learn: auto-learn: message score: 13.934, computed score for autolearn: 17.583
Aug 8 12:00:53.067 [19948] dbg: learn: auto-learn? ham=0, spam=7, body-points=7.448, head-points=5.511, learned-points=-1.9
Aug 8 12:00:53.067 [19948] dbg: learn: auto-learn: autolearn_force not flagged for a rule. Body Only Points: 7.448 (3 req'd) / Head Only Points: 5.511 (3 req'd)
Aug 8 12:00:53.067 [19948] dbg: learn: auto-learn? no: scored as spam but learner indicated ham (-1.9 < -1)

Is this something that I can fix? I want stuff to be trained as spam but it doesn't seem to make it. I am thinking it's either a setting I am not aware of or I need to retrain my bayes DB ham. Any help would be great.
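Editor's added example, not code from the thread or from SpamAssassin itself: a small Perl model of the auto-learn decision as Bill describes it above, run on the two debug lines quoted in this post. The hold-out values (3 body points, 3 header points, "learner indicated ham" below -1) are the ones the log prints; the +1 value on the ham side is assumed to be the mirror image, and the learn_on_error branch follows Bill's description rather than the SpamAssassin source.

```perl
#!/usr/bin/perl
# Model of the SpamAssassin auto-learn decision as described in this thread.
# Added illustration, not SpamAssassin's code: the hold-out constants come from
# the debug lines below, the +1 spam-side value is assumed symmetric, and
# learn_on_error follows the description given in the thread.
use strict;
use warnings;
use 5.010;

# The two debug lines quoted from the post above.
my $debug_log = <<'LOG';
Aug 8 12:00:53.067 [19948] dbg: learn: auto-learn: message score: 13.934, computed score for autolearn: 17.583
Aug 8 12:00:53.067 [19948] dbg: learn: auto-learn? ham=0, spam=7, body-points=7.448, head-points=5.511, learned-points=-1.9
LOG

my $REQUIRED_BODY_POINTS = 3;    # "3 req'd" in the log
my $REQUIRED_HEAD_POINTS = 3;    # "3 req'd" in the log
my $LEARNER_SAID_HAM     = -1;   # "learner indicated ham (-1.9 < -1)"
my $LEARNER_SAID_SPAM    = 1;    # assumed: mirror image of the ham-side veto

# Pull the numbers the auto-learner works with out of the debug output.
# "computed score for autolearn" leaves out the Bayes rule itself (and other
# learn/noautolearn-flagged rules); that is what is compared against the
# ham/spam thresholds, not the "message score".
sub parse_autolearn_debug {
    my ($text) = @_;
    my %in;
    ($in{autolearn_score}) = $text =~ /computed score for autolearn: (-?[\d.]+)/
        or die "no 'computed score for autolearn' line\n";
    @in{qw(ham_threshold spam_threshold body_points head_points learned_points)} =
        $text =~ /auto-learn\? ham=(-?[\d.]+), spam=(-?[\d.]+), body-points=(-?[\d.]+), head-points=(-?[\d.]+), learned-points=(-?[\d.]+)/
        or die "no 'auto-learn?' summary line\n";
    return \%in;
}

# Returns (verdict, reason): verdict is 'spam', 'ham' or undef (nothing learned).
# %opt: force => 1 models a hit on a rule carrying tflags autolearn_force,
#       learn_on_error => 1 models bayes_auto_learn_on_error 1.
sub autolearn_decision {
    my ($in, %opt) = @_;
    my $force    = $opt{force}          ? 1 : 0;
    my $on_error = $opt{learn_on_error} ? 1 : 0;

    # 1. Threshold classification using the non-Bayes score.
    my $is_spam;
    if    ($in->{autolearn_score} <  $in->{ham_threshold})  { $is_spam = 0 }
    elsif ($in->{autolearn_score} >= $in->{spam_threshold}) { $is_spam = 1 }
    else { return (undef, 'inside auto-learn thresholds, not considered ham or spam') }

    # 2. Hold-out checks for spam: evidence must come from both body and
    #    header rules, unless a trusted (autolearn_force) rule fired.
    if ($is_spam && !$force) {
        return (undef, sprintf 'scored as spam but too few body points (%.3f < %d)',
                $in->{body_points}, $REQUIRED_BODY_POINTS)
            if $in->{body_points} < $REQUIRED_BODY_POINTS;
        return (undef, sprintf 'scored as spam but too few head points (%.3f < %d)',
                $in->{head_points}, $REQUIRED_HEAD_POINTS)
            if $in->{head_points} < $REQUIRED_HEAD_POINTS;
    }

    # 3. Does the existing Bayes DB (learned-points) disagree with step 1?
    my $learner_disagrees = $is_spam
        ? $in->{learned_points} < $LEARNER_SAID_HAM
        : $in->{learned_points} > $LEARNER_SAID_SPAM;
    my ($label, $other) = $is_spam ? ('spam', 'ham') : ('ham', 'spam');

    if ($on_error) {
        # learn-on-error: the disagreement is the reason to learn.
        return (undef, "scored as $label and learner agrees, nothing to correct")
            unless $learner_disagrees;
    }
    elsif ($learner_disagrees && !$force) {
        # traditional behaviour: the disagreement vetoes the autolearn.
        return (undef, sprintf 'scored as %s but learner indicated %s (%s %s %s)',
                $label, $other, $in->{learned_points},
                $is_spam ? '<' : '>', $is_spam ? $LEARNER_SAID_HAM : $LEARNER_SAID_SPAM);
    }
    return ($label, "learning as $label");
}

my $in = parse_autolearn_debug($debug_log);
for my $case ([ 'default',             {} ],
              [ 'learn_on_error=1',    { learn_on_error => 1 } ],
              [ 'autolearn_force hit', { force => 1 } ]) {
    my ($verdict, $why) = autolearn_decision($in, %{ $case->[1] });
    printf "%-20s -> %s (%s)\n", $case->[0], $verdict // 'no', $why;
}
```

Run as-is, the first case reproduces the "no" from the log (the Bayes DB's -1.9 vetoes the spam verdict), while the other two cases show the same numbers leading to a spam learn under either of the two changes Bill mentions: flipping bayes_auto_learn_on_error, or a hit on a rule you have flagged autolearn_force. Which of those is the right change is the site-specific judgement Bill describes, not something the model can tell you.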
[Mimedefang] MIMEDefang and systemd
Hi,

There is apparently some demand for a systemd unit file for MIMEDefang: https://bugzilla.redhat.com/show_bug.cgi?id=789768

I replied to that ticket at https://bugzilla.redhat.com/show_bug.cgi?id=789768#c10

If anyone is using MIMEDefang on a Linux distro that uses systemd and would like to help with making MIMEDefang systemd-friendly, I'm happy to take patches... :)

Regards,

David.
Re: [Mimedefang] MIMEDefang and systemd
On 8/6/2014 2:00 PM, David F. Skoll wrote:

> Hi,
>
> There is apparently some demand for a systemd unit file for MIMEDefang: https://bugzilla.redhat.com/show_bug.cgi?id=789768
>
> I replied to that ticket at https://bugzilla.redhat.com/show_bug.cgi?id=789768#c10
>
> If anyone is using MIMEDefang on a Linux distro that uses systemd and would like to help with making MIMEDefang systemd-friendly, I'm happy to take patches... :)

https://bugzilla.redhat.com/show_bug.cgi?id=656911 was done by some people for SpamAssassin that I think did a good job. Might want to look at what Warren Togami came up with for SA which didn't require a fork.

I currently don't have a system that requires systemd but I expect it soon. And I liked your wrapper idea.

Regards,

KAM
Re: [Mimedefang] Process SPF checking for certain recipient domains
Hi Jon,

On Sat, 26 Jul 2014, Jon Rowlan wrote:

> That is helpful

That was the intention. :)

> although for some odd reason I feel very much told off :-)

Er, sorry about that. I spend too much time dealing with issues caused by mail systems which have been badly configured by others. Sometimes I get a little tetchy.

> I should have added that I checked the sender domains and they all had SPF in place which is why I was tempted to try using the SPF mechanism.

SPF is a sort of Good Samaritan thing. By and large the Internet protocols were developed for technical reasons by technical people. It never occurred to them that one day criminals would be by far the most numerous users. SMTP permits very simple forgery of mail sender addresses because at the time we (mea culpa) didn't think about the problems which we'd be facing forty years down the line. SPF lets others check, in a fairly secure way, that mail claiming to be from your domain is coming from a server entitled to send it. Simple as that. But not much use to you unless other people use it too. Most of the time they don't, and in the unlikely event that they do, more often than not they get it wrong.

> I have tried using hosts.deny but that doesn't seem to work for me,

You're doing it wrong. :)

To use hosts.deny (and hosts.allow) you have to be running what's known as a 'super-server'. The super-server is started instead of the service that would normally have been run, it checks the files hosts.allow and hosts.deny, and then it either runs the service or it doesn't, depending on what it finds in those files. There are other ways of doing the same thing.

Check out the man pages for inetd, tcpd, hosts_access, services and xinetd. If you don't have the man pages you might need to install the relevant packages, what they're called depends on what distribution you're using but they should be easy to find. You would either use inetd or xinetd, not both at the same time. I tend to use the more venerable inetd but xinetd has its followers (and its advantages). There are pages on Wikipedia which give brief descriptions in less, er, manpage style.

> iptables may well be something to look at as you say.

There's great documentation, if rather a lot of it to digest at one sitting, on the Netfilter Website. It will very much be worth your while spending some quality time with it:

http://www.netfilter.org/documentation/index.html

At our sites iptables does most of the heavy lifting. We block about 25% of the IPV4 address space where 95% of the malicious connections come from. The mail filtering system can do the rest with one hand tied behind its back.

--
73, Ged.
Re: [Mimedefang] Process SPF checking for certain recipient domains
On Thu, 24 Jul 2014, Jon Rowlan wrote:

>> In filter_begin() you know sender and all recipients, there you can deploy the different checks. However, what will you do if one recipient checks and another one does not and the message is to reject? You either need to silently discard the message for some recipients or generate bounce messages.
>
> There will not be any cross contamination between domains. So a message will be for someone at one customer domain and a number of their users but not for other domains that I host. In reality I only need to check the first recipient.

Well, maybe the possibility is quite low, that one message hits two domains with different filter sets, but how do you ensure there will not?

--
Steffen Kaiser
Re: [Mimedefang] Process SPF checking for certain recipient domains
Hello again,

On Fri, 25 Jul 2014, Jon Rowlan wrote:

> The problem is that some domains that I host on my mail server I want a harsher protection than others.

That's not a problem, it's a requirement. Almost everybody does it.

> In this particular case, a certain set of recipients have received bombardments of email from a set of IP's and they complain about two or three hundred emails in a day coming into their mail box.

Two or three hundred spam mails in a day isn't really a bombardment. Several hundred thousand might be called a bombardment. At my own business, the most we've seen in one day is about seventy thousand. All rejected of course.

Once you see the rejection rates rising in the logs (you keep a weather eye on your logs, don't you?) then for example something like

    /sbin/iptables -A FORWARD -j LOG_DROP -s spammy.IP.addr.ess

in the firewall stops them even connecting, with very little fuss and no complicated Perl scripts. I don't see what SPF has to do with it.

> They would suffer the consequences of an SPF protected mail server

What consequences?

> (innocent senders are blocked because they don't use SPF

That's nonsense. Go read the RFCs, understand what SPF is about. If a sender doesn't use SPF then the receiving mail server takes no action as a result. At least that's what's supposed to happen in a properly configured server.

> and mail bounces)

You do know the difference between a mail rejection and a bounce?

> because they would see less spam,

SPF is about forgery of mail, not about spam. Granted, forged mail is often spam, but there's a clear distinction.

> whereas other clients want to see all email

    # Trying to stay vaguely on-topic, as this is the MIMEDefang list :)
    sub filter_recipient {
        my ($recipient, $sender, $ip, $hostname, $first, $helo,
            $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_;
        # Recipient may arrive with or without angle brackets.
        if ($recipient =~ /^<?spamlover\@example\.com>?$/i) {
            return ('ACCEPT_AND_NO_MORE_FILTERING', 'ok');
        }
        return ('CONTINUE', 'ok');
    }

... but I probably wouldn't do it that way.

> and will not tolerate too many bounces from their clients.

I didn't follow that part.

> I want to selectively use SPF for some domains and not others for the purposes of the functionality that SPF offers. I want to tune this depending on the client domain.

Assuming that it's implemented properly, SPF tells you if a mail is forged. For some meaning of the word 'forged'. Nobody wants forged mail, so there's no reason to implement SPF for only some of your clients.

But to be perfectly honest, at present (after all SPF has only been with us for about a decade) so few people publish sane SPF records that you might as well simply not bother with it at all. Really. Put your effort into something that will yield some return. The vast majority of SPF records that I see have been cobbled together using some bug-riddled WebWizard by incompetents who have no idea of what SPF is for, nor how it works. Once they've set up the faulty SPF record they seem to be either terrified or incapable of doing anything to it - such as fixing it so it doesn't cause more trouble than it's intended to prevent. Customers of these incompetents then start going round in small circles and yelling that we've rejected their mail when it's their provider's policy that said we should do so. Go figure.

The best thing you can do is forget you ever heard of SPF and do some reading on mail protocols so that you understand what you're doing, which clearly you do not at the moment.

>> Stop digging.
>
> Digging for what? Answers, I thought that was the point of asking?

I meant stop digging that hole. Clarify the issues before you go off solving problems of your own making.

You might want to run the SPF record for sads.com past the people on the spf-help mailing list: spf-h...@listbox.com

--
73, Ged.
Re: [Mimedefang] Process SPF checking for certain recipient domains
Thanks Ged. That is helpful although for some odd reason I feel very much told off :-)

I should have added that I checked the sender domains and they all had SPF in place which is why I was tempted to try using the SPF mechanism.

I have tried using hosts.deny but that doesn't seem to work for me, iptables may well be something to look at as you say.

jON
Re: [Mimedefang] Process SPF checking for certain recipient domains
On Wed, 23 Jul 2014, Jon Rowlan wrote:

> I have been looking through k/b articles but can find no real help on whether it's possible to SPF check certain recipient domains? I would like certain domains that we accept mail for to use SPF but not on others.

In filter_begin() you know sender and all recipients, there you can deploy the different checks. However, what will you do if one recipient checks and another one does not and the message is to reject? You either need to silently discard the message for some recipients or generate bounce messages.

--
Steffen Kaiser
Re: [Mimedefang] Process SPF checking for certain recipient domains
Hi there,

On Thu, 24 Jul 2014, Jon Rowlan wrote:

> I would like certain domains that we accept mail for to use SPF but not on others.

If you say so. But if you actually explain the problem rather than your own suggested solution (which just creates more problems), then there's a good chance we might be able to help you better.

> Is the only option to install an SPF sendmail/MD server and a separate non SPF one?

There you go again. No, of course not.

> Does anyone have any thoughts or ideas on this please?

Stop digging.

--
73, Ged.
Re: [Mimedefang] Process SPF checking for certain recipient domains
Hi Steffen, thanks for replying ..

> In filter_begin() you know sender and all recipients, there you can deploy the different checks. However, what will you do if one recipient checks and another one does not and the message is to reject? You either need to silently discard the message for some recipients or generate bounce messages.

There will not be any cross contamination between domains. So a message will be for someone at one customer domain and a number of their users but not for other domains that I host. In reality I only need to check the first recipient.

jON
Re: [Mimedefang] Process SPF checking for certain recipient domains
Hi Ged,

I am not sure that I was that imprecise.

> If you say so. But if you actually explain the problem rather than your own suggested solution (which just creates more problems), then there's a good chance we might be able to help you better.

The problem is that some domains that I host on my mail server I want a harsher protection than others. In this particular case, a certain set of recipients have received bombardments of email from a set of IP's and they complain about two or three hundred emails in a day coming into their mail box. They would suffer the consequences of an SPF protected mail server (innocent senders are blocked because they don't use SPF and mail bounces) because they would see less spam, whereas other clients want to see all email and will not tolerate too many bounces from their clients.

I want to selectively use SPF for some domains and not others for the purposes of the functionality that SPF offers. I want to tune this depending on the client domain.

>> Does anyone have any thoughts or ideas on this please?
>
> Stop digging.

Digging for what? Answers, I thought that was the point of asking?

jON
Re: [Mimedefang] Process SPF checking for certain recipient domains
From: Jon Rowlan jon.row...@sads.com

> I want to selectively use SPF for some domains and not others for the purposes of the functionality that SPF offers. I want to tune this depending on the client domain.

Then test for the domain name and if they want SPF test, run them. If not, skip them. You might want to stream by domain in case a message is sent to multiple domains.

You might want to look into Roaring Penguin's CanIt Pro, which is based on MIMEDefang. It handles this easily and lets you define SPF (and other rules) rules for each stream.

Bill
(Just a happy CanIt Pro user)
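Editor's added example, not code from the thread, from MIMEDefang or from CanIt: the per-domain test Bill describes, done in filter_recipient the way Ged sketched it, so that the SPF decision is taken once per RCPT TO. That placement also answers Steffen's question about a message addressed to two domains with different policies: a REJECT from filter_recipient refuses only that recipient with a 5xx to the connecting client, so no bounce is generated and recipients at the other domain are unaffected. It assumes mimedefang is started with -r (otherwise filter_recipient is never called), that the Mail::SPF module from CPAN is installed, and that md_syslog is available as it is inside a mimedefang-filter; the two domain names and the policy table are constructed for the example.

```perl
# Fragment for a mimedefang-filter: per-recipient-domain SPF policy.
# Added example; assumes mimedefang -r and the CPAN module Mail::SPF.
# Domain names and the policy table are constructed for illustration.
use strict;
use warnings;
use Mail::SPF;

# Which recipient domains want what. Domains not listed get no SPF handling.
#   reject : refuse this recipient on an SPF "fail" (5xx at RCPT time)
#   log    : evaluate and log the result, never refuse
my %spf_policy = (
    'strict.example'  => 'reject',
    'relaxed.example' => 'log',
);

my $spf_server = Mail::SPF::Server->new();

# filter_recipient runs once per RCPT TO, so remember the verdict per
# (sender, client IP) rather than repeating the DNS work for each recipient.
my %spf_cache;

sub spf_result_for {
    my ($sender, $ip, $helo) = @_;
    my $key = lc "$sender|$ip";
    return $spf_cache{$key} if exists $spf_cache{$key};
    %spf_cache = () if scalar(keys %spf_cache) > 1000;   # bound a long-lived slave

    (my $identity = $sender) =~ s/^<(.*)>$/$1/;
    my $request = Mail::SPF::Request->new(
        versions      => [1],
        scope         => 'mfrom',
        identity      => $identity,
        ip_address    => $ip,
        helo_identity => $helo,
    );
    # code is one of: pass fail softfail neutral none permerror temperror
    return $spf_cache{$key} = $spf_server->process($request)->code;
}

sub filter_recipient {
    my ($recipient, $sender, $ip, $hostname, $first, $helo,
        $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_;

    my ($domain) = $recipient =~ /\@([^>\s]+)/;
    my $policy = $spf_policy{ lc($domain // '') } // 'none';
    return ('CONTINUE', 'ok') if $policy eq 'none';

    # The null sender (bounces) has no MAIL FROM domain to check; leave it alone.
    return ('CONTINUE', 'ok') if $sender =~ /^<?>?$/;

    my $code = eval { spf_result_for($sender, $ip, $helo) };
    unless (defined $code) {
        # A broken lookup must not turn into a rejection; log it and carry on.
        md_syslog('warning', "SPF evaluation error for $sender from $ip: $@");
        return ('CONTINUE', 'ok');
    }
    md_syslog('info', "SPF $code: sender=$sender ip=$ip rcpt=$recipient policy=$policy");

    if ($policy eq 'reject') {
        # Only a definite "fail" is grounds for refusal. "none", "neutral" and
        # "softfail" take no action: a sender without SPF is not an SPF failure.
        return ('TEMPFAIL', 'SPF check temporarily unavailable, try again later')
            if $code eq 'temperror';
        return ('REJECT', "Refused by SPF policy: $ip is not authorized to send mail as $sender")
            if $code eq 'fail';
    }
    return ('CONTINUE', 'ok');
}
```

Two caveats a practitioner would want with this. First, the reject branch deliberately acts only on "fail", which is the behaviour Ged is insisting on above: a domain that publishes no SPF record, or a "softfail", produces a logged result and nothing more. Second, mail that is forwarded by a third party without rewriting the envelope sender will legitimately produce "fail" for the forwarding host, so a domain that opts into "reject" should expect that class of loss and be told about it before the policy is switched on; the log line gives you the evidence to show them.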