Re: [Assp-test] Google drops NoTLS?

2014-12-11 Thread Grayhat
:: On Thu, 11 Dec 2014 22:50:05 +0100
:: <009a01d0158c$6ce8b860$46ba2920$@scandinavianhosting.se>
:: "Pontus Hellgren"  wrote:

> Thanx for all info!
> 
> ASSP was set to proxy TLS but I guess I have some work to do on the
> MTA and ASSP because the chain of delivery is not working as I would
> like it to do. I do want assp to check all mail so I will try and
> make assp make use of the MTAs certificate.
> For now I will have to live with ASSP and "no TLS", because clearly
> the MTA is not doing TLS right.
> 
> Thanks for a great program and a Great forum.

If you want to use TLS you'll need to install on ASSP the same
certificate(s) you're using for your MTA; next, set ASSP to "do TLS".
This way, ASSP will deal with the TLS negotiation *and* will be able to
see the incoming email "in clear", so being able to filter it.

--
Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
from Actuate! Instantly Supercharge Your Business Reports and Dashboards
with Interactivity, Sharing, Native Excel Exports, App Integration & more
Get technology previously reserved for billion-dollar corporations, FREE
http://pubads.g.doubleclick.net/gampad/clk?id=164703151&iu=/4140/ostg.clktrk
___
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test


Re: [Assp-test] Email's HTML in maillog as a result of Resend mail (from Block Report)

2014-12-11 Thread Thomas Eckardt
This HTML stuff was in the resend request email - why?

Thomas





From: James Brown
To: ASSP development mailing list
Date: 12.12.2014 05:46
Subject: [Assp-test] Email's HTML in maillog as a result of Resend mail (from Block Report)



Saw this in the log when a user requested a blocked email:

Dec-12-14 15:15:13 [Worker_1] Info: got command 'BlockReportFromQ' 
from command queue - 0 commands pending
Dec-12-14 15:15:13 [Worker_1] Info: processing queued blocked mail 
request from p...@bordo.com.au
Dec-12-14 15:15:13 [Worker_1] Info: BlockReport::modify::modify called
Dec-12-14 15:15:13 [Worker_1] Info: BlockReport will call the module 
BlockReport::modify to make your custom changes
Dec-12-14 15:15:13 [Worker_1] Info: got resend blocked mail request 
from p...@bordo.com.au for /Applications/assp/spam/8111.eml - special 
specification: PWarehouse 
ManagerBordo International Pty 
Ltd3 
Kingston Park CourtScoresby 3179Direct Telephone +61 3 9212 7000Direct Facsmile +61 3 9212
Dec-12-14 15:15:13 [Worker_1] Info: resend: modifying mail header for 
8111.eml

ASSP version 2.4.4(14343)

The user got the email fine. So it’s just a cosmetic thing with it all 
appearing in the log.

James.







[Assp-test] Email's HTML in maillog as a result of Resend mail (from Block Report)

2014-12-11 Thread James Brown
Saw this in the log when a user requested a blocked email:

Dec-12-14 15:15:13 [Worker_1] Info: got command 'BlockReportFromQ' from 
command queue - 0 commands pending
Dec-12-14 15:15:13 [Worker_1] Info: processing queued blocked mail request 
from p...@bordo.com.au
Dec-12-14 15:15:13 [Worker_1] Info: BlockReport::modify::modify called
Dec-12-14 15:15:13 [Worker_1] Info: BlockReport will call the module 
BlockReport::modify to make your custom changes
Dec-12-14 15:15:13 [Worker_1] Info: got resend blocked mail request from 
p...@bordo.com.au for /Applications/assp/spam/8111.eml - special specification: 
PWarehouse 
ManagerBordo International Pty 
Ltd3 Kingston 
Park CourtScoresby 3179Direct Telephone +61 3 9212 7000Direct Facsmile +61 3 9212
Dec-12-14 15:15:13 [Worker_1] Info: resend: modifying mail header for 
8111.eml

ASSP version 2.4.4(14343)

The user got the email fine. So it’s just a cosmetic thing with it all 
appearing in the log.

James.


Re: [Assp-test] I'm sending messages from Yahoo?

2014-12-11 Thread James Brown
Thanks heaps Thomas!

There was a bit missing in that code - &main:: before the mlog line. Figured it 
out.

I didn’t bother with the password line, as long as I knew which account it was, 
I could just change that account’s password.

So I made the change at home, drove to work and looked at logs and hardly had 
to scroll back at all. 20 mins after restarting ASSP there it was:

Dec-12-14 09:19:30 [Worker_1] Connected: session:7FDE4BA3C2D0 127.0.0.1:65354 > 
127.0.0.1:25 > 127.0.0.1:10026
Dec-12-14 09:19:33 [Worker_1] 127.0.0.1 info: authentication - plain is used
Dec-12-14 09:19:33 [Worker_1] 127.0.0.1 info: authentication (PLAIN) realms - 
foruser:, user:m...@bordo.com.au
Dec-12-14 09:20:01 id-36379-18627 [Worker_1] [RelayAttempt] 127.0.0.1 
 to: st...@ford.com relay attempt blocked for unknown 
local sender domain
Dec-12-14 09:20:01 id-36379-18627 [Worker_1] [RelayAttempt] 127.0.0.1 
 to: st...@ford.com info: server has closed the 
connection without sending a reply - classify mail as rejected by MTA
Dec-12-14 09:20:01 [Worker_1] Finished message - received DATA size: 1.15 kByte 
- sent DATA size: 0 Byte
Dec-12-14 09:20:01 [Worker_1] Disconnected: session:7FDE4BA3C2D0 127.0.0.1 - 
processing time 31 seconds

So I’ve now changed m’s password. (I’ve edited the email address for this post).

Will keep monitoring it for a while in case there are any others.

Thanks again Thomas.

James.

> On 12 Dec 2014, at 12:30 am, Thomas Eckardt  
> wrote:
> 
>> Is there any way to get it to show any more authentication info - eg which 
>> username was used? Any debug setting?
> 
> James, add the following lines (case sensitive) to the 'sub set' in the 
> file 'assp/lib/CorrectASSPcfg.pm'
> 
>$main::AUTHLogUser = 1;  # shows the login user
>$main::AUTHLogPWD = 1; # shows the password 
>mlog(0,"info: AUTH logging is now enabled"); 
> 
> and restart ASSP
> 
> 
> James be careful!!! Setting 'AUTHLogPWD' to 1 - ASSP will log the 
> passwords (for PLAIN and LOGIN) to the maillog.txt in clear text  
> If you don't really need to know the password, remove the password line or 
> set AUTHLogPWD to zero!
> 
> - Protect the log files
> - remove (comment out) these lines if the problem is solved
> - remove the password lines from the maillog.txt files
> 
> This feature is hidden and undocumented in V2 for security reasons - YOU 
> ARE WARNED !
> 
> Thomas
> 
> 
> 
> From: James Brown
> To: ASSP development mailing list
> Date: 11.12.2014 14:10
> Subject: Re: [Assp-test] I'm sending messages from Yahoo?
> 
> 
> 
> 
>> On 11 Dec 2014, at 8:48 pm, Doug Lytle  wrote:
>> 
>> James Brown wrote:
>>> Dec-11-14 10:23:53 [Worker_2] Connected: session:7FAD1B6519F8 
>>> 127.0.0.1:51769 > 127.0.0.1:25 > 127.0.0.1:10026
>>> Dec-11-14 10:23:56 [Worker_2] 127.0.0.1 info: authentication - plain is 
>>> used
>> 
>> You've got a compromised account on your system.  The sender 
>> authenticated.
>> 
>> A failed authentication would be similar to the below:
>> 
>> 07-12-2014 05:15:00 [Worker_1] Connected: session:7F3F0DB2AF98 
>> 5.189.129.101:61808 > 10.10.10.247:587 > 10.10.10.250:25
>> 07-12-2014 05:15:01 [Worker_1] 5.189.129.101 info: got STARTTLS request 
>> from 5.189.129.101
>> 07-12-2014 05:15:01 [Worker_1] [TLS-in] [TLS-out] 5.189.129.101 info: 
>> authentication - plain is used
>> 07-12-2014 05:15:02 [Worker_1] [TLS-in] [TLS-out] 5.189.129.101 warning: 
>> SMTP authentication failed on 10.10.10.250
> 
> Thanks Doug.
> 
> Is there any way to get it to show any more authentication info - eg which 
> username was used? Any debug setting?
> 
> Regards,
> 
> James.
> 
> 

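A defender-side correlation of the maillog lines shown in this thread, written as an added example in Python (it is not ASSP's own code): it reassembles sessions from the flat log per worker, assuming a worker handles one session at a time, then flags accounts that authenticated and were still relay-blocked (the stolen-password pattern above) and source IPs with repeated SMTP authentication failures (Doug's failed-login pattern). The sample log lines, addresses, IPs and session ids are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample in the ASSP maillog format quoted in this thread
# (session ids, addresses and IPs are made up for the example).
SAMPLE_LOG = """\
Dec-12-14 09:19:30 [Worker_1] Connected: session:7FDE4BA3C2D0 127.0.0.1:65354 > 127.0.0.1:25 > 127.0.0.1:10026
Dec-12-14 09:19:33 [Worker_1] 127.0.0.1 info: authentication - plain is used
Dec-12-14 09:19:33 [Worker_1] 127.0.0.1 info: authentication (PLAIN) realms - foruser:, user:mary@example.test
Dec-12-14 09:20:01 id-36379-18627 [Worker_1] [RelayAttempt] 127.0.0.1 <bogus@example.com> to: someone@example.net relay attempt blocked for unknown local sender domain
Dec-12-14 09:20:01 [Worker_1] Finished message - received DATA size: 1.15 kByte - sent DATA size: 0 Byte
Dec-12-14 09:20:01 [Worker_1] Disconnected: session:7FDE4BA3C2D0 127.0.0.1 - processing time 31 seconds
Dec-12-14 09:21:10 [Worker_2] Connected: session:7FDE4BA3D111 10.0.0.5:40001 > 10.0.0.1:587 > 10.0.0.2:25
Dec-12-14 09:21:11 [Worker_2] 10.0.0.5 info: authentication - plain is used
Dec-12-14 09:21:11 [Worker_2] 10.0.0.5 info: authentication (PLAIN) realms - foruser:, user:bob@example.test
Dec-12-14 09:21:15 [Worker_2] Disconnected: session:7FDE4BA3D111 10.0.0.5 - processing time 5 seconds
Dec-12-14 09:30:00 [Worker_1] Connected: session:7F3F0DB2AF98 198.51.100.7:61808 > 10.0.0.1:587 > 10.0.0.2:25
Dec-12-14 09:30:01 [Worker_1] 198.51.100.7 info: got STARTTLS request from 198.51.100.7
Dec-12-14 09:30:01 [Worker_1] [TLS-in] [TLS-out] 198.51.100.7 info: authentication - plain is used
Dec-12-14 09:30:02 [Worker_1] [TLS-in] [TLS-out] 198.51.100.7 warning: SMTP authentication failed on 10.0.0.2
Dec-12-14 09:30:03 [Worker_1] Disconnected: session:7F3F0DB2AF98 198.51.100.7 - processing time 3 seconds
"""

# One pattern per line type we care about; every other line is ignored.
CONNECT = re.compile(r"\[(Worker_\d+)\] Connected: session:(\w+) (\S+):\d+ >")
AUTH_USER = re.compile(r"\[(Worker_\d+)\] .*authentication \((\w+)\) realms - .*?\buser:(\S+)")
RELAY_BLOCK = re.compile(r"\[(Worker_\d+)\] \[RelayAttempt\] .*relay attempt blocked")
AUTH_FAIL = re.compile(r"\[(Worker_\d+)\] (?:\[[^\]]+\] )*(\S+) warning: SMTP authentication failed")
DISCONNECT = re.compile(r"\[(Worker_\d+)\] Disconnected: session:(\w+)")


def parse_sessions(log_text):
    """Reassemble per-session records from the flat maillog.

    Assumption: a worker handles one session at a time, so lines tagged with
    the same [Worker_N] between Connected and Disconnected belong together
    (the realms and RelayAttempt lines carry no session id of their own).
    """
    open_sessions = {}  # worker -> record currently being built
    finished = []
    for line in log_text.splitlines():
        m = CONNECT.search(line)
        if m:
            worker, sid, ip = m.groups()
            open_sessions[worker] = {"session": sid, "ip": ip, "user": None,
                                     "mech": None, "relay_blocked": False,
                                     "auth_failed": False}
            continue
        m = AUTH_USER.search(line)
        if m and m.group(1) in open_sessions:
            rec = open_sessions[m.group(1)]
            rec["mech"], rec["user"] = m.group(2), m.group(3)
            continue
        m = RELAY_BLOCK.search(line)
        if m and m.group(1) in open_sessions:
            open_sessions[m.group(1)]["relay_blocked"] = True
            continue
        m = AUTH_FAIL.search(line)
        if m and m.group(1) in open_sessions:
            open_sessions[m.group(1)]["auth_failed"] = True
            continue
        m = DISCONNECT.search(line)
        if m:
            rec = open_sessions.pop(m.group(1), None)
            if rec and rec["session"] == m.group(2):
                finished.append(rec)
    return finished


def find_abuse(sessions, fail_threshold=3):
    """Triage derived from the thread:
    - a session that authenticated and still tripped a [RelayAttempt] block is
      the signature of a stolen password being used to relay through the server;
    - repeated SMTP authentication failures from one IP look like password guessing.
    """
    abused_accounts = sorted({s["user"] for s in sessions
                              if s["user"] and s["relay_blocked"]})
    failures = Counter(s["ip"] for s in sessions if s["auth_failed"])
    guessing_ips = sorted(ip for ip, n in failures.items() if n >= fail_threshold)
    return {"abused_accounts": abused_accounts,
            "auth_failures": dict(failures),
            "guessing_ips": guessing_ips}


if __name__ == "__main__":
    print(find_abuse(parse_sessions(SAMPLE_LOG), fail_threshold=1))
```

The account named in `abused_accounts` is the one whose password needs changing; the worker-based grouping is only as reliable as the one-session-per-worker assumption, so verify against the session ids on the Connected/Disconnected lines.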
Re: [Assp-test] Google drops NoTLS?

2014-12-11 Thread Pontus Hellgren
Thanx for all info!

ASSP was set to proxy TLS but I guess I have some work to do on the MTA and
ASSP because the chain of delivery is not working as I would like it to do.
I do want assp to check all mail so I will try and make assp make use of the
MTAs certificate.
For now I will have to live with ASSP and "no TLS", because clearly the MTA
is not doing TLS right.

Thanks for a great program and a Great forum.

Regards,
Pontus

-Original Message-
From: Grayhat [mailto:gray...@gmx.net] 
Sent: 11 December 2014 15:45
To: assp-test@lists.sourceforge.net
Subject: Re: [Assp-test] Google drops NoTLS?

:: On Thu, 11 Dec 2014 14:55:31 +0100
:: <028501d0154a$210e68a0$632b39e0$@scandinavianhosting.se>
:: "Pontus Hellgren"  wrote:

> Hi there!
> 
> Got some people complaining about not getting mail from domains hosted 
> at Google's mail servers.
 
> Dec-11-14 14:44:24 [Worker_1] 209.85.214.182 info: got STARTTLS 
> request from 209.85.214.182
> Dec-11-14 14:44:24 [Worker_1] 209.85.214.182 [SMTP Error] 502 command 
> not implemented
> Dec-11-14 14:44:24 [Worker_1] Disconnected: session:AA61610
> 209.85.214.182 - processing time 1 seconds

hmmm... why don't you just configure your ASSP to act as a TLS proxy?
I suspect that your mail server is offering TLS but ASSP isn't configured to
deal with it, so "the Goog" tries to use TLS and getting a 5xx error just
does what the RFCs say, that is, generates an NDR.

If your backend SMTP server doesn't support TLS it may be a good idea to
configure "doTLS" to "do TLS" and, by the way, to add the needed
certificates to ASSP.

On second thought... not sure about it, probably Thomas may shed some
light... let's suppose the backend SMTP server is configured to do TLS and
offers a "250-STARTTLS" to the "EHLO" command, now, let's also say that ASSP
"doTLS" is set to "drop TLS"; in such a case, the sender will see a "Hey, I
support TLS" message but when it tries to use TLS, ASSP will drop it and
emit an error... if that's the case then the issue is related to ASSP which
will need to "eat" the STARTTLS offer emitted by the server... although,
sincerely, I think the real issue is due to a wrong setup, not to the ASSP
code :P





Re: [Assp-test] Google drops NoTLS?

2014-12-11 Thread Thomas Eckardt
>let's suppose the backend SMTP server is configured to do TLS
>and offers a "250-STARTTLS" to the "EHLO" command, now, let's also say
>that ASSP "doTLS" is set to "drop TLS"; in such a case, the sender will
>see a "Hey, I support TLS" message but when it tries to use TLS,

ASSP deals correctly with the STARTTLS offer. If TLS is disabled in assp.cfg 
the STARTTLS offer will be removed from the EHLO/HELP reply. The offer is 
added to the reply if it is not seen by assp but TLS should be used 
(DoTLS).

More simply:

if DoTLS is set to 'Do TLS' assp will add the STARTTLS offer
if DoTLS is set to 'drop TLS' assp will remove the STARTTLS offer
if DoTLS is set to 'TLS to proxy' assp will not modify the STARTTLS offer

sendEHLO should be switched on if DoTLS is set to 'Do TLS'!!!

However, some mail servers are sending the STARTTLS command even if they 
only used the 'HELO' command.

ASSP will not send the STARTTLS command to an MTA that has not offered 
STARTTLS.
ASSP will reject the STARTTLS command with 502... if the IP is in the 
SSLfailed cache (and for some other reasons).

> Dec-11-14 14:44:24 [Worker_1] 209.85.214.182 info: got STARTTLS
> request from 209.85.214.182
> Dec-11-14 14:44:24 [Worker_1] 209.85.214.182 [SMTP Error] 502 command
> not implemented

This 502 comes from ASSP.

Normally the SMTP stuff should go on after the above mistake.
It is useless to configure assp to drop a connection because of a single 
SMTP command error (see MaxErrors).


Thomas



From: Grayhat
To: assp-test@lists.sourceforge.net
Date: 11.12.2014 15:50
Subject: Re: [Assp-test] Google drops NoTLS?



:: On Thu, 11 Dec 2014 14:55:31 +0100
:: <028501d0154a$210e68a0$632b39e0$@scandinavianhosting.se>
:: "Pontus Hellgren"  wrote:

> Hi there!
> 
> Got some people complaining about not getting mail from domains
> hosted at Google's mail servers.
 
> Dec-11-14 14:44:24 [Worker_1] 209.85.214.182 info: got STARTTLS
> request from 209.85.214.182
> Dec-11-14 14:44:24 [Worker_1] 209.85.214.182 [SMTP Error] 502 command
> not implemented
> Dec-11-14 14:44:24 [Worker_1] Disconnected: session:AA61610
> 209.85.214.182 - processing time 1 seconds

hmmm... why don't you just configure your ASSP to act as a TLS proxy?
I suspect that your mail server is offering TLS but ASSP isn't
configured to deal with it, so "the Goog" tries to use TLS and getting
a 5xx error just does what the RFCs say, that is, generates an NDR.

If your backend SMTP server doesn't support TLS it may be a good idea
to configure "doTLS" to "do TLS" and, by the way, to add the needed
certificates to ASSP.

On second thought... not sure about it, probably Thomas may shed some
light... let's suppose the backend SMTP server is configured to do TLS
and offers a "250-STARTTLS" to the "EHLO" command, now, let's also say
that ASSP "doTLS" is set to "drop TLS"; in such a case, the sender will
see a "Hey, I support TLS" message but when it tries to use TLS, ASSP
will drop it and emit an error... if that's the case then the issue is
related to ASSP which will need to "eat" the STARTTLS offer emitted by
the server... although, sincerely, I think the real issue is due to a
wrong setup, not to the ASSP code :P



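The DoTLS rules Thomas lists above, as an added example in Python that is not ASSP's own code: a proxy in ASSP's position parses the backend's multi-line EHLO reply, adds or removes the STARTTLS offer according to the mode, and answers a client STARTTLS with the "502 command not implemented" seen in the log when the client IP is in the SSLfailed cache or the backend never offered STARTTLS. The mode names follow the message; treating a 'drop TLS' proxy the same way as the cache case is an assumption of this example.

```python
DO_TLS = "Do TLS"              # proxy terminates TLS itself: always advertise STARTTLS
DROP_TLS = "drop TLS"          # plain only: never advertise STARTTLS
TLS_TO_PROXY = "TLS to proxy"  # pass the backend's offer through unchanged

REJECT_502 = "502 command not implemented"   # the reply quoted in the thread's log


def parse_ehlo_reply(raw):
    """Split a multi-line 250 reply into its text parts.

    RFC 5321 continuation rule: every line but the last reads '250-...',
    the last line reads '250 ...'. Anything else is rejected.
    """
    lines = raw.rstrip("\r\n").split("\r\n")
    parts = []
    for i, line in enumerate(lines):
        code, sep, text = line[:3], line[3:4], line[4:]
        last = i == len(lines) - 1
        if code != "250" or sep not in ("-", " "):
            raise ValueError("not a 250 reply line: %r" % line)
        if (sep == "-") == last:
            raise ValueError("bad continuation marker: %r" % line)
        parts.append(text)
    return parts


def build_ehlo_reply(parts):
    """Inverse of parse_ehlo_reply; re-derives the '-' / ' ' markers."""
    body = ["250-" + p for p in parts[:-1]] + ["250 " + parts[-1]]
    return "\r\n".join(body) + "\r\n"


def rewrite_ehlo_reply(raw, mode):
    """Apply the DoTLS rule to the backend's EHLO reply before relaying it."""
    greeting, *exts = parse_ehlo_reply(raw)   # first line is the host greeting
    offered = any(e.upper() == "STARTTLS" for e in exts)
    if mode == DO_TLS and not offered:
        exts.append("STARTTLS")                # 'Do TLS': add the offer
    elif mode == DROP_TLS:
        exts = [e for e in exts if e.upper() != "STARTTLS"]   # 'drop TLS': remove it
    elif mode not in (DO_TLS, TLS_TO_PROXY):   # 'TLS to proxy': leave unchanged
        raise ValueError("unknown DoTLS mode: %r" % mode)
    return build_ehlo_reply([greeting] + exts)


def answer_starttls(mode, backend_offered, client_ip, ssl_failed_cache):
    """What the proxy answers to a client's STARTTLS command.

    From the message: a client whose IP is in the SSLfailed cache gets 502,
    and STARTTLS is never forwarded to a backend that did not offer it.
    Assumption of this example: a 'drop TLS' proxy rejects the same way.
    """
    if client_ip in ssl_failed_cache or mode == DROP_TLS:
        return REJECT_502
    if mode == TLS_TO_PROXY and not backend_offered:
        return REJECT_502
    return "220 Ready to start TLS"   # 'Do TLS' negotiates locally, proxy mode forwards


if __name__ == "__main__":
    backend = "250-mail.example.test\r\n250-SIZE 10240000\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
    for mode in (DO_TLS, DROP_TLS, TLS_TO_PROXY):
        print(mode, repr(rewrite_ehlo_reply(backend, mode)))
```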

Re: [Assp-test] Google drops NoTLS?

2014-12-11 Thread Grayhat
:: On Thu, 11 Dec 2014 14:55:31 +0100
:: <028501d0154a$210e68a0$632b39e0$@scandinavianhosting.se>
:: "Pontus Hellgren"  wrote:

> Hi there!
> 
> Got some people complaining about not getting mail from domains
> hosted at Google's mail servers.
 
> Dec-11-14 14:44:24 [Worker_1] 209.85.214.182 info: got STARTTLS
> request from 209.85.214.182
> Dec-11-14 14:44:24 [Worker_1] 209.85.214.182 [SMTP Error] 502 command
> not implemented
> Dec-11-14 14:44:24 [Worker_1] Disconnected: session:AA61610
> 209.85.214.182 - processing time 1 seconds

hmmm... why don't you just configure your ASSP to act as a TLS proxy?
I suspect that your mail server is offering TLS but ASSP isn't
configured to deal with it, so "the Goog" tries to use TLS and getting
a 5xx error just does what the RFCs say, that is, generates an NDR.

If your backend SMTP server doesn't support TLS it may be a good idea
to configure "doTLS" to "do TLS" and, by the way, to add the needed
certificates to ASSP.

On second thought... not sure about it, probably Thomas may shed some
light... let's suppose the backend SMTP server is configured to do TLS
and offers a "250-STARTTLS" to the "EHLO" command, now, let's also say
that ASSP "doTLS" is set to "drop TLS"; in such a case, the sender will
see a "Hey, I support TLS" message but when it tries to use TLS, ASSP
will drop it and emit an error... if that's the case then the issue is
related to ASSP which will need to "eat" the STARTTLS offer emitted by
the server... although, sincerely, I think the real issue is due to a
wrong setup, not to the ASSP code :P




Re: [Assp-test] Google drops NoTLS?

2014-12-11 Thread Colin
The SMTP error is from your MTA. Neither Google nor ASSP dropped this 
message. Your MTA rejected it with "502 command not implemented".

Have a look at those logs to see why.

All the best,
Colin Waring.

On 11/12/2014 13:55, Pontus Hellgren wrote:
> Hi there!
>
> Got some people complaining about not getting mail from domains hosted at
> Google's mail servers.
>
> Made a quick check of the ASSP logs and found a bunch of these:
> Dec-11-14 14:44:23 [Worker_1] Connected: session:AA61610
> 209.85.214.182:52540 > x.x.x.x:25  > y.y.y.y:125
> Dec-11-14 14:44:24 [Worker_1] 209.85.214.182 info: got STARTTLS request from
> 209.85.214.182
> Dec-11-14 14:44:24 [Worker_1] 209.85.214.182 [SMTP Error] 502 command not
> implemented
> Dec-11-14 14:44:24 [Worker_1] Disconnected: session:AA61610 209.85.214.182 -
> processing time 1 seconds
>
> Is this ASSP dropping the connection for some reason or is Google being
> rude, not delivering the mail unless we implement TLS?
>
> Running ASSP version 2.4.4(14307) on Ubuntu 14.04.1 LTS
>
> Regards,
> Pontus
>
>
>


Re: [Assp-test] I'm sending messages from Yahoo?

2014-12-11 Thread Robert K Coffman Jr. -Info From Data Corp.
> I’ll start changing everyone’s email passwords tomorrow.

James,

When this happened to me, I changed the user's password, but it 
continued happening.  If I remember right, I had to restart Postfix 
because the old credentials had been cached or something.

- Bob



[Assp-test] Google drops NoTLS?

2014-12-11 Thread Pontus Hellgren
Hi there!

Got some people complaining about not getting mail from domains hosted at
Google's mail servers.

Made a quick check of the ASSP logs and found a bunch of these:
Dec-11-14 14:44:23 [Worker_1] Connected: session:AA61610
209.85.214.182:52540 > x.x.x.x:25  > y.y.y.y:125
Dec-11-14 14:44:24 [Worker_1] 209.85.214.182 info: got STARTTLS request from
209.85.214.182
Dec-11-14 14:44:24 [Worker_1] 209.85.214.182 [SMTP Error] 502 command not
implemented
Dec-11-14 14:44:24 [Worker_1] Disconnected: session:AA61610 209.85.214.182 -
processing time 1 seconds

Is this ASSP dropping the connection for some reason or is Google being
rude, not delivering the mail unless we implement TLS?

Running ASSP version 2.4.4(14307) on Ubuntu 14.04.1 LTS

Regards,
Pontus





Re: [Assp-test] I'm sending messages from Yahoo?

2014-12-11 Thread Thomas Eckardt
> Is there any way to get it to show any more authentication info - eg which 
> username was used? Any debug setting?

James, add the following lines (case sensitive) to the 'sub set' in the 
file 'assp/lib/CorrectASSPcfg.pm'

$main::AUTHLogUser = 1;  # shows the login user
$main::AUTHLogPWD = 1;   # shows the password
&main::mlog(0,"info: AUTH logging is now enabled");  # mlog lives in package main, so qualify the call

and restart ASSP


James be careful!!! Setting 'AUTHLogPWD' to 1 - ASSP will log the 
passwords (for PLAIN and LOGIN) to the maillog.txt in clear text  
If you don't really need to know the password, remove the password line or 
set AUTHLogPWD to zero!

- Protect the log files
- remove (comment out) these lines if the problem is solved
- remove the password lines from the maillog.txt files

This feature is hidden and undocumented in V2 for security reasons - YOU 
ARE WARNED !

Thomas



From: James Brown
To: ASSP development mailing list
Date: 11.12.2014 14:10
Subject: Re: [Assp-test] I'm sending messages from Yahoo?




> On 11 Dec 2014, at 8:48 pm, Doug Lytle  wrote:
> 
> James Brown wrote:
>> Dec-11-14 10:23:53 [Worker_2] Connected: session:7FAD1B6519F8 
>> 127.0.0.1:51769 > 127.0.0.1:25 > 127.0.0.1:10026
>> Dec-11-14 10:23:56 [Worker_2] 127.0.0.1 info: authentication - plain is 
>> used
> 
> You've got a compromised account on your system.  The sender 
> authenticated.
> 
> A failed authentication would be similar to the below:
> 
> 07-12-2014 05:15:00 [Worker_1] Connected: session:7F3F0DB2AF98 
> 5.189.129.101:61808 > 10.10.10.247:587 > 10.10.10.250:25
> 07-12-2014 05:15:01 [Worker_1] 5.189.129.101 info: got STARTTLS request 
> from 5.189.129.101
> 07-12-2014 05:15:01 [Worker_1] [TLS-in] [TLS-out] 5.189.129.101 info: 
> authentication - plain is used
> 07-12-2014 05:15:02 [Worker_1] [TLS-in] [TLS-out] 5.189.129.101 warning: 
> SMTP authentication failed on 10.10.10.250

Thanks Doug.

Is there any way to get it to show any more authentication info - eg which 
username was used? Any debug setting?

Regards,

James.




Re: [Assp-test] I'm sending messages from Yahoo?

2014-12-11 Thread James Brown

> On 11 Dec 2014, at 8:48 pm, Doug Lytle  wrote:
> 
> James Brown wrote:
>> Dec-11-14 10:23:53 [Worker_2] Connected: session:7FAD1B6519F8 
>> 127.0.0.1:51769 > 127.0.0.1:25 > 127.0.0.1:10026
>> Dec-11-14 10:23:56 [Worker_2] 127.0.0.1 info: authentication - plain is used
> 
> You've got a compromised account on your system.  The sender authenticated.
> 
> A failed authentication would be similar to the below:
> 
> 07-12-2014 05:15:00 [Worker_1] Connected: session:7F3F0DB2AF98 
> 5.189.129.101:61808 > 10.10.10.247:587 > 10.10.10.250:25
> 07-12-2014 05:15:01 [Worker_1] 5.189.129.101 info: got STARTTLS request 
> from 5.189.129.101
> 07-12-2014 05:15:01 [Worker_1] [TLS-in] [TLS-out] 5.189.129.101 info: 
> authentication - plain is used
> 07-12-2014 05:15:02 [Worker_1] [TLS-in] [TLS-out] 5.189.129.101 warning: 
> SMTP authentication failed on 10.10.10.250

Thanks Doug.

Is there any way to get it to show any more authentication info - eg which 
username was used? Any debug setting?

Regards,

James.




Re: [Assp-test] I'm sending messages from Yahoo?

2014-12-11 Thread James Brown
I’ll start changing everyone’s email passwords tomorrow.

Have also turned on outbound checking of mail on the Sophos UTM, which is 
stopping these emails leaving. So at least I won’t get on an RBL.

Will also have a look at other examples in logs.

Thanks everyone for your help.

James.

> On 11 Dec 2014, at 9:32 pm, Colin  wrote:
> 
> Ahh, then I went into far too much detail! You need to find out the 
> credentials being used because it looks like someone has gotten hold of 
> a password. Authenticated email bypasses a lot of checks that ASSP does.
> 
> On 11/12/2014 10:15, James Brown wrote:
>> Done some more looking at logs.
>> 
>> One thing I didn’t mention is that we use stunnel to TLS SMTP. Looking at 
>> its log at this time I see:
>> 
>> 2014.12.11 10:23:51 LOG7[140735150184800]: Service [ssmtp] accepted (FD=10) 
>> from 41.43.219.15:3693
>> 2014.12.11 10:23:51 LOG7[4403986432]: Service [ssmtp] started
>> 2014.12.11 10:23:51 LOG5[4403986432]: Service [ssmtp] accepted connection 
>> from 41.43.219.15:3693
>> 2014.12.11 10:23:51 LOG7[4403986432]: SSL state (accept): before/accept 
>> initialization
>> 2014.12.11 10:23:51 LOG7[4403986432]: SNI: no virtual services defined
>> 2014.12.11 10:23:51 LOG7[4403986432]: SSL state (accept): SSLv3 read client 
>> hello A
>> 2014.12.11 10:23:51 LOG7[4403986432]: SSL state (accept): SSLv3 write server 
>> hello A
>> 2014.12.11 10:23:51 LOG7[4403986432]: SSL state (accept): SSLv3 write 
>> certificate A
>> 2014.12.11 10:23:51 LOG7[4403986432]: SSL state (accept): SSLv3 write key 
>> exchange A
>> 2014.12.11 10:23:51 LOG7[4403986432]: SSL state (accept): SSLv3 write server 
>> done A
>> 2014.12.11 10:23:51 LOG7[4403986432]: SSL state (accept): SSLv3 flush data
>> 2014.12.11 10:23:53 LOG7[4403986432]: SSL state (accept): SSLv3 read client 
>> key exchange A
>> 2014.12.11 10:23:53 LOG7[4403986432]: SSL state (accept): SSLv3 read 
>> finished A
>> 2014.12.11 10:23:53 LOG7[4403986432]: SSL state (accept): SSLv3 write 
>> session ticket A
>> 2014.12.11 10:23:53 LOG7[4403986432]: SSL state (accept): SSLv3 write change 
>> cipher spec A
>> 2014.12.11 10:23:53 LOG7[4403986432]: SSL state (accept): SSLv3 write 
>> finished A
>> 2014.12.11 10:23:53 LOG7[4403986432]: SSL state (accept): SSLv3 flush data
>> 2014.12.11 10:23:53 LOG7[4403986432]:   51 items in the session cache
>> 2014.12.11 10:23:53 LOG7[4403986432]:0 client connects (SSL_connect())
>> 2014.12.11 10:23:53 LOG7[4403986432]:0 client connects that finished
>> 2014.12.11 10:23:53 LOG7[4403986432]:0 client renegotiations requested
>> 2014.12.11 10:23:53 LOG7[4403986432]:  101 server connects (SSL_accept())
>> 2014.12.11 10:23:53 LOG7[4403986432]:   98 server connects that finished
>> 2014.12.11 10:23:53 LOG7[4403986432]:0 server renegotiations requested
>> 2014.12.11 10:23:53 LOG7[4403986432]:   14 session cache hits
>> 2014.12.11 10:23:53 LOG7[4403986432]:0 external session cache hits
>> 2014.12.11 10:23:53 LOG7[4403986432]:1 session cache misses
>> 2014.12.11 10:23:53 LOG7[4403986432]:9 session cache timeouts
>> 2014.12.11 10:23:53 LOG6[4403986432]: No peer certificate received
>> 2014.12.11 10:23:53 LOG6[4403986432]: SSL accepted: new session negotiated
>> 2014.12.11 10:23:53 LOG6[4403986432]: Negotiated TLSv1.2 ciphersuite 
>> ECDHE-RSA-AES256-GCM-SHA384 (256-bit encryption)
>> 2014.12.11 10:23:53 LOG6[4403986432]: Compression: null, expansion: null
>> 2014.12.11 10:23:53 LOG6[4403986432]: s_connect: connecting 127.0.0.1:25
>> 2014.12.11 10:23:53 LOG7[4403986432]: s_connect: s_poll_wait 127.0.0.1:25: 
>> waiting 10 seconds
>> 2014.12.11 10:23:53 LOG5[4403986432]: s_connect: connected 127.0.0.1:25
>> 2014.12.11 10:23:53 LOG5[4403986432]: Service [ssmtp] connected remote 
>> server from 127.0.0.1:51769
>> 2014.12.11 10:23:53 LOG7[4403986432]: Remote socket (FD=11) initialized
>> 2014.12.11 10:24:12 LOG7[4403986432]: SSL_read returned WANT_READ: retrying
>> 2014.12.11 10:24:14 LOG7[4403908608]: SSL alert (read): warning: close notify
>> 2014.12.11 10:24:14 LOG6[4403908608]: SSL closed (SSL_read)
>> 2014.12.11 10:24:14 LOG7[4403908608]: Sent socket write shutdown
>> 2014.12.11 10:24:14 LOG6[4403908608]: Read socket closed (readsocket)
>> 2014.12.11 10:24:14 LOG7[4403908608]: Sending close_notify alert
>> 2014.12.11 10:24:14 LOG7[4403908608]: SSL alert (write): warning: close 
>> notify
>> 2014.12.11 10:24:14 LOG6[4403908608]: SSL_shutdown successfully sent 
>> close_notify alert
>> 2014.12.11 10:24:14 LOG5[4403908608]: Connection closed: 296 byte(s) sent to 
>> SSL, 17742 byte(s) sent to socket
>> 2014.12.11 10:24:14 LOG7[4403908608]: Remote socket (FD=9) closed
>> 2014.12.11 10:24:14 LOG7[4403908608]: Local socket (FD=3) closed
>> 2014.12.11 10:24:14 LOG7[4403908608]: Service [ssmtp] finished (1 left)
>> 2014.12.11 10:24:24 LOG7[4403986432]: SSL_read returned WANT_READ: retrying
>> 2014.12.11 10:24:26 LOG6[4403986432]: Read socket closed (readsocket)
>> 2014.12.11 10:24:26 LOG7[4403986

Re: [Assp-test] I'm sending messages from Yahoo?

2014-12-11 Thread Colin
Ahh, then I went into far too much detail! You need to find out the 
credentials being used because it looks like someone has gotten hold of 
a password. Authenticated email bypasses a lot of checks that ASSP does.

On 11/12/2014 10:15, James Brown wrote:
> Done some more looking at logs.
>
> One thing I didn’t mention is that we use stunnel to TLS SMTP. Looking at its 
> log at this time I see:
>
> 2014.12.11 10:23:51 LOG7[140735150184800]: Service [ssmtp] accepted (FD=10) 
> from 41.43.219.15:3693
> 2014.12.11 10:23:51 LOG7[4403986432]: Service [ssmtp] started
> 2014.12.11 10:23:51 LOG5[4403986432]: Service [ssmtp] accepted connection 
> from 41.43.219.15:3693
> 2014.12.11 10:23:51 LOG7[4403986432]: SSL state (accept): before/accept 
> initialization
> 2014.12.11 10:23:51 LOG7[4403986432]: SNI: no virtual services defined
> 2014.12.11 10:23:51 LOG7[4403986432]: SSL state (accept): SSLv3 read client 
> hello A
> 2014.12.11 10:23:51 LOG7[4403986432]: SSL state (accept): SSLv3 write server 
> hello A
> 2014.12.11 10:23:51 LOG7[4403986432]: SSL state (accept): SSLv3 write 
> certificate A
> 2014.12.11 10:23:51 LOG7[4403986432]: SSL state (accept): SSLv3 write key 
> exchange A
> 2014.12.11 10:23:51 LOG7[4403986432]: SSL state (accept): SSLv3 write server 
> done A
> 2014.12.11 10:23:51 LOG7[4403986432]: SSL state (accept): SSLv3 flush data
> 2014.12.11 10:23:53 LOG7[4403986432]: SSL state (accept): SSLv3 read client 
> key exchange A
> 2014.12.11 10:23:53 LOG7[4403986432]: SSL state (accept): SSLv3 read finished 
> A
> 2014.12.11 10:23:53 LOG7[4403986432]: SSL state (accept): SSLv3 write session 
> ticket A
> 2014.12.11 10:23:53 LOG7[4403986432]: SSL state (accept): SSLv3 write change 
> cipher spec A
> 2014.12.11 10:23:53 LOG7[4403986432]: SSL state (accept): SSLv3 write 
> finished A
> 2014.12.11 10:23:53 LOG7[4403986432]: SSL state (accept): SSLv3 flush data
> 2014.12.11 10:23:53 LOG7[4403986432]:   51 items in the session cache
> 2014.12.11 10:23:53 LOG7[4403986432]:0 client connects (SSL_connect())
> 2014.12.11 10:23:53 LOG7[4403986432]:0 client connects that finished
> 2014.12.11 10:23:53 LOG7[4403986432]:0 client renegotiations requested
> 2014.12.11 10:23:53 LOG7[4403986432]:  101 server connects (SSL_accept())
> 2014.12.11 10:23:53 LOG7[4403986432]:   98 server connects that finished
> 2014.12.11 10:23:53 LOG7[4403986432]:0 server renegotiations requested
> 2014.12.11 10:23:53 LOG7[4403986432]:   14 session cache hits
> 2014.12.11 10:23:53 LOG7[4403986432]:0 external session cache hits
> 2014.12.11 10:23:53 LOG7[4403986432]:1 session cache misses
> 2014.12.11 10:23:53 LOG7[4403986432]:9 session cache timeouts
> 2014.12.11 10:23:53 LOG6[4403986432]: No peer certificate received
> 2014.12.11 10:23:53 LOG6[4403986432]: SSL accepted: new session negotiated
> 2014.12.11 10:23:53 LOG6[4403986432]: Negotiated TLSv1.2 ciphersuite 
> ECDHE-RSA-AES256-GCM-SHA384 (256-bit encryption)
> 2014.12.11 10:23:53 LOG6[4403986432]: Compression: null, expansion: null
> 2014.12.11 10:23:53 LOG6[4403986432]: s_connect: connecting 127.0.0.1:25
> 2014.12.11 10:23:53 LOG7[4403986432]: s_connect: s_poll_wait 127.0.0.1:25: 
> waiting 10 seconds
> 2014.12.11 10:23:53 LOG5[4403986432]: s_connect: connected 127.0.0.1:25
> 2014.12.11 10:23:53 LOG5[4403986432]: Service [ssmtp] connected remote server 
> from 127.0.0.1:51769
> 2014.12.11 10:23:53 LOG7[4403986432]: Remote socket (FD=11) initialized
> 2014.12.11 10:24:12 LOG7[4403986432]: SSL_read returned WANT_READ: retrying
> 2014.12.11 10:24:14 LOG7[4403908608]: SSL alert (read): warning: close notify
> 2014.12.11 10:24:14 LOG6[4403908608]: SSL closed (SSL_read)
> 2014.12.11 10:24:14 LOG7[4403908608]: Sent socket write shutdown
> 2014.12.11 10:24:14 LOG6[4403908608]: Read socket closed (readsocket)
> 2014.12.11 10:24:14 LOG7[4403908608]: Sending close_notify alert
> 2014.12.11 10:24:14 LOG7[4403908608]: SSL alert (write): warning: close notify
> 2014.12.11 10:24:14 LOG6[4403908608]: SSL_shutdown successfully sent 
> close_notify alert
> 2014.12.11 10:24:14 LOG5[4403908608]: Connection closed: 296 byte(s) sent to 
> SSL, 17742 byte(s) sent to socket
> 2014.12.11 10:24:14 LOG7[4403908608]: Remote socket (FD=9) closed
> 2014.12.11 10:24:14 LOG7[4403908608]: Local socket (FD=3) closed
> 2014.12.11 10:24:14 LOG7[4403908608]: Service [ssmtp] finished (1 left)
> 2014.12.11 10:24:24 LOG7[4403986432]: SSL_read returned WANT_READ: retrying
> 2014.12.11 10:24:26 LOG6[4403986432]: Read socket closed (readsocket)
> 2014.12.11 10:24:26 LOG7[4403986432]: Sending close_notify alert
> 2014.12.11 10:24:26 LOG7[4403986432]: SSL alert (write): warning: close notify
> 2014.12.11 10:24:26 LOG6[4403986432]: SSL_shutdown successfully sent 
> close_notify alert
> 2014.12.11 10:24:27 LOG7[4403986432]: SSL alert (read): warning: close notify
> 2014.12.11 10:24:27 LOG6[4403986432]: SSL closed (SSL_read)
> 2014.12.11 10:24:27 LOG7[4403986432]: Sent socket write shutdown
> 2014.12.11

Re: [Assp-test] I'm sending messages from Yahoo?

2014-12-11 Thread James Brown
Done some more looking at logs.

One thing I didn’t mention is that we use stunnel to TLS SMTP. Looking at its 
log at this time I see:

2014.12.11 10:23:51 LOG7[140735150184800]: Service [ssmtp] accepted (FD=10) 
from 41.43.219.15:3693
2014.12.11 10:23:51 LOG7[4403986432]: Service [ssmtp] started
2014.12.11 10:23:51 LOG5[4403986432]: Service [ssmtp] accepted connection from 
41.43.219.15:3693
2014.12.11 10:23:51 LOG7[4403986432]: SSL state (accept): before/accept 
initialization
2014.12.11 10:23:51 LOG7[4403986432]: SNI: no virtual services defined
2014.12.11 10:23:51 LOG7[4403986432]: SSL state (accept): SSLv3 read client 
hello A
2014.12.11 10:23:51 LOG7[4403986432]: SSL state (accept): SSLv3 write server 
hello A
2014.12.11 10:23:51 LOG7[4403986432]: SSL state (accept): SSLv3 write 
certificate A
2014.12.11 10:23:51 LOG7[4403986432]: SSL state (accept): SSLv3 write key 
exchange A
2014.12.11 10:23:51 LOG7[4403986432]: SSL state (accept): SSLv3 write server 
done A
2014.12.11 10:23:51 LOG7[4403986432]: SSL state (accept): SSLv3 flush data
2014.12.11 10:23:53 LOG7[4403986432]: SSL state (accept): SSLv3 read client key 
exchange A
2014.12.11 10:23:53 LOG7[4403986432]: SSL state (accept): SSLv3 read finished A
2014.12.11 10:23:53 LOG7[4403986432]: SSL state (accept): SSLv3 write session 
ticket A
2014.12.11 10:23:53 LOG7[4403986432]: SSL state (accept): SSLv3 write change 
cipher spec A
2014.12.11 10:23:53 LOG7[4403986432]: SSL state (accept): SSLv3 write finished A
2014.12.11 10:23:53 LOG7[4403986432]: SSL state (accept): SSLv3 flush data
2014.12.11 10:23:53 LOG7[4403986432]:   51 items in the session cache
2014.12.11 10:23:53 LOG7[4403986432]:0 client connects (SSL_connect())
2014.12.11 10:23:53 LOG7[4403986432]:0 client connects that finished
2014.12.11 10:23:53 LOG7[4403986432]:0 client renegotiations requested
2014.12.11 10:23:53 LOG7[4403986432]:  101 server connects (SSL_accept())
2014.12.11 10:23:53 LOG7[4403986432]:   98 server connects that finished
2014.12.11 10:23:53 LOG7[4403986432]:0 server renegotiations requested
2014.12.11 10:23:53 LOG7[4403986432]:   14 session cache hits
2014.12.11 10:23:53 LOG7[4403986432]:0 external session cache hits
2014.12.11 10:23:53 LOG7[4403986432]:1 session cache misses
2014.12.11 10:23:53 LOG7[4403986432]:9 session cache timeouts
2014.12.11 10:23:53 LOG6[4403986432]: No peer certificate received
2014.12.11 10:23:53 LOG6[4403986432]: SSL accepted: new session negotiated
2014.12.11 10:23:53 LOG6[4403986432]: Negotiated TLSv1.2 ciphersuite 
ECDHE-RSA-AES256-GCM-SHA384 (256-bit encryption)
2014.12.11 10:23:53 LOG6[4403986432]: Compression: null, expansion: null
2014.12.11 10:23:53 LOG6[4403986432]: s_connect: connecting 127.0.0.1:25
2014.12.11 10:23:53 LOG7[4403986432]: s_connect: s_poll_wait 127.0.0.1:25: 
waiting 10 seconds
2014.12.11 10:23:53 LOG5[4403986432]: s_connect: connected 127.0.0.1:25
2014.12.11 10:23:53 LOG5[4403986432]: Service [ssmtp] connected remote server 
from 127.0.0.1:51769
2014.12.11 10:23:53 LOG7[4403986432]: Remote socket (FD=11) initialized
2014.12.11 10:24:12 LOG7[4403986432]: SSL_read returned WANT_READ: retrying
2014.12.11 10:24:14 LOG7[4403908608]: SSL alert (read): warning: close notify
2014.12.11 10:24:14 LOG6[4403908608]: SSL closed (SSL_read)
2014.12.11 10:24:14 LOG7[4403908608]: Sent socket write shutdown
2014.12.11 10:24:14 LOG6[4403908608]: Read socket closed (readsocket)
2014.12.11 10:24:14 LOG7[4403908608]: Sending close_notify alert
2014.12.11 10:24:14 LOG7[4403908608]: SSL alert (write): warning: close notify
2014.12.11 10:24:14 LOG6[4403908608]: SSL_shutdown successfully sent 
close_notify alert
2014.12.11 10:24:14 LOG5[4403908608]: Connection closed: 296 byte(s) sent to 
SSL, 17742 byte(s) sent to socket
2014.12.11 10:24:14 LOG7[4403908608]: Remote socket (FD=9) closed
2014.12.11 10:24:14 LOG7[4403908608]: Local socket (FD=3) closed
2014.12.11 10:24:14 LOG7[4403908608]: Service [ssmtp] finished (1 left)
2014.12.11 10:24:24 LOG7[4403986432]: SSL_read returned WANT_READ: retrying
2014.12.11 10:24:26 LOG6[4403986432]: Read socket closed (readsocket)
2014.12.11 10:24:26 LOG7[4403986432]: Sending close_notify alert
2014.12.11 10:24:26 LOG7[4403986432]: SSL alert (write): warning: close notify
2014.12.11 10:24:26 LOG6[4403986432]: SSL_shutdown successfully sent 
close_notify alert
2014.12.11 10:24:27 LOG7[4403986432]: SSL alert (read): warning: close notify
2014.12.11 10:24:27 LOG6[4403986432]: SSL closed (SSL_read)
2014.12.11 10:24:27 LOG7[4403986432]: Sent socket write shutdown
2014.12.11 10:24:27 LOG5[4403986432]: Connection closed: 596 byte(s) sent to 
SSL, 4446 byte(s) sent to socket
2014.12.11 10:24:27 LOG7[4403986432]: Remote socket (FD=11) closed
2014.12.11 10:24:27 LOG7[4403986432]: Local socket (FD=10) closed
2014.12.11 10:24:27 LOG7[4403986432]: Service [ssmtp] finished (0 left)

So looks like the remote IP is 41.43.219.15 in this case (not our IP).

James.

> On 11 Dec 2014, at 8:46 pm, Col
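
The join James does by eye above (stunnel's "connected remote server from 127.0.0.1:51769" carries the same ephemeral port that ASSP logs as the session's source, so the real client is 41.43.219.15:3693) can be scripted. The script below is an added example, not code from the thread, stunnel or ASSP. It assumes the line shapes and timestamp formats shown in this thread, that the stunnel thread id in `LOG5[...]` stays constant between the "accepted connection" and "connected remote server" lines of one connection, and a 60 second match window (an assumption, since local ports are reused). The sample log lines are the thread's own, with the archive's line wrapping undone, plus one direct (non-stunnel) session from Doug's log.

```python
"""Join stunnel's log to ASSP's by the ephemeral source port.

When stunnel terminates TLS and forwards the plaintext to ASSP on
127.0.0.1:25, ASSP only ever sees 127.0.0.1:<port>.  stunnel logs that same
port in "connected remote server from 127.0.0.1:<port>" and, a few lines
earlier under the same thread id, the real client in
"accepted connection from <ip>:<port>".
"""
import re
from datetime import datetime, timedelta

STUNNEL_RE = re.compile(r"^(\S+ \S+) LOG\d\[(\d+)\]: (.*)$")
ACCEPTED_RE = re.compile(r"accepted connection from (\S+:\d+)$")
FORWARDED_RE = re.compile(r"connected remote server from \S+:(\d+)$")
# ASSP "Connected:" line as logged in the thread (assumed stable):
#   "<ts> [Worker_n] Connected: session:<id> <src>:<port> > <dst>:<port> > ..."
ASSP_CONNECTED_RE = re.compile(
    r"^(\S+ \S+) \[Worker_\d+\] Connected: session:(\w+) (\S+):(\d+) > ")

# Constructed sample: the thread's own lines, wrapped lines rejoined.
STUNNEL_LOG = """\
2014.12.11 10:23:51 LOG7[140735150184800]: Service [ssmtp] accepted (FD=10) from 41.43.219.15:3693
2014.12.11 10:23:51 LOG5[4403986432]: Service [ssmtp] accepted connection from 41.43.219.15:3693
2014.12.11 10:23:53 LOG6[4403986432]: Negotiated TLSv1.2 ciphersuite ECDHE-RSA-AES256-GCM-SHA384 (256-bit encryption)
2014.12.11 10:23:53 LOG5[4403986432]: Service [ssmtp] connected remote server from 127.0.0.1:51769
2014.12.11 10:24:27 LOG7[4403986432]: Service [ssmtp] finished (0 left)
"""

# Constructed sample: James's session plus one direct session from Doug's log.
ASSP_LOG = """\
Dec-11-14 10:23:53 [Worker_2] Connected: session:7FAD1B6519F8 127.0.0.1:51769 > 127.0.0.1:25 > 127.0.0.1:10026
Dec-11-14 10:23:56 [Worker_2] 127.0.0.1 info: authentication - plain is used
Dec-11-14 10:24:26 [Worker_2] Disconnected: session:7FAD1B6519F8 127.0.0.1 - processing time 33 seconds
07-12-2014 05:15:00 [Worker_1] Connected: session:7F3F0DB2AF98 5.189.129.101:61808 > 10.10.10.247:587 > 10.10.10.250:25
"""


def parse_stunnel(text):
    """Return [(forward_time, local_port, client_addr)], one per proxied connection."""
    pending = {}   # stunnel thread id -> client it accepted, until it forwards
    links = []
    for line in text.splitlines():
        m = STUNNEL_RE.match(line)
        if not m:
            continue
        ts, tid, msg = m.groups()
        if (a := ACCEPTED_RE.search(msg)):
            pending[tid] = a.group(1)
        elif (f := FORWARDED_RE.search(msg)) and tid in pending:
            when = datetime.strptime(ts, "%Y.%m.%d %H:%M:%S")
            links.append((when, int(f.group(1)), pending.pop(tid)))
    return links


def parse_assp_time(ts):
    """ASSP's timestamp layout is configurable; try the two shapes seen in the thread."""
    for fmt in ("%b-%d-%y %H:%M:%S", "%d-%m-%Y %H:%M:%S"):
        try:
            return datetime.strptime(ts, fmt)
        except ValueError:
            pass
    return None


def resolve_clients(stunnel_text, assp_text, window=timedelta(seconds=60)):
    """Map ASSP session id -> real client 'ip:port' (None if no stunnel record matches)."""
    links = parse_stunnel(stunnel_text)
    result = {}
    for line in assp_text.splitlines():
        m = ASSP_CONNECTED_RE.match(line)
        if not m:
            continue
        ts, session, src_ip, src_port = m.groups()
        if src_ip != "127.0.0.1":
            result[session] = f"{src_ip}:{src_port}"   # reached ASSP directly
            continue
        when = parse_assp_time(ts)
        port = int(src_port)
        # Same local port, closest in time; port-only match if the timestamp is unreadable.
        candidates = [
            (abs(t - when) if when else timedelta(0), client)
            for (t, p, client) in links
            if p == port and (when is None or abs(t - when) <= window)
        ]
        result[session] = min(candidates)[1] if candidates else None
    return result


if __name__ == "__main__":
    for session, client in resolve_clients(STUNNEL_LOG, ASSP_LOG).items():
        print(f"session {session}: client {client}")
```

Run against the two real log files, the output gives the public address behind every 127.0.0.1 session, which is what you need before looking at the authenticated sender in ASSP's own log. A session that resolves to None was either not proxied by stunnel or is a genuinely local process, which is the distinction Colin asks about later in the thread.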

Re: [Assp-test] I'm sending messages from Yahoo?

2014-12-11 Thread Doug Lytle
James Brown wrote:
> Dec-11-14 10:23:53 [Worker_2] Connected: session:7FAD1B6519F8 127.0.0.1:51769 
> > 127.0.0.1:25 > 127.0.0.1:10026
> Dec-11-14 10:23:56 [Worker_2] 127.0.0.1 info: authentication - plain is used

You've got a compromised account on your system.  The sender authenticated.

A failed authentication would be similar to the below:

07-12-2014 05:15:00 [Worker_1] Connected: session:7F3F0DB2AF98 
5.189.129.101:61808 > 10.10.10.247:587 > 10.10.10.250:25
07-12-2014 05:15:01 [Worker_1] 5.189.129.101 info: got STARTTLS request 
from 5.189.129.101
07-12-2014 05:15:01 [Worker_1] [TLS-in] [TLS-out] 5.189.129.101 info: 
authentication - plain is used
07-12-2014 05:15:02 [Worker_1] [TLS-in] [TLS-out] 5.189.129.101 warning: 
SMTP authentication failed on 10.10.10.250
07-12-2014 05:15:02 [Worker_1] [TLS-in] [TLS-out] 5.189.129.101 [SMTP 
Error] 535 5.7.8 Error: authentication failed: authentication failure
07-12-2014 05:15:02 [Worker_1] [TLS-in] [TLS-out] 5.189.129.101 info: 
authentication - login is used
07-12-2014 05:15:02 [Worker_1] [TLS-in] [TLS-out] 5.189.129.101 warning: 
SMTP authentication failed on 10.10.10.250
07-12-2014 05:15:02 [Worker_1] [TLS-in] [TLS-out] 5.189.129.101 [SMTP 
Error] 535 5.7.8 Error: authentication failed: authentication failure
07-12-2014 05:15:02 [Worker_1] Disconnected: session:7F3F0DB2AF98 
5.189.129.101 - processing time 2 seconds


Doug


-- 
Ben Franklin quote:

"Those who would give up Essential Liberty to purchase a little Temporary 
Safety, deserve neither Liberty nor Safety."


--
Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
from Actuate! Instantly Supercharge Your Business Reports and Dashboards
with Interactivity, Sharing, Native Excel Exports, App Integration & more
Get technology previously reserved for billion-dollar corporations, FREE
http://pubads.g.doubleclick.net/gampad/clk?id=164703151&iu=/4140/ostg.clktrk
___
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test


Re: [Assp-test] I'm sending messages from Yahoo?

2014-12-11 Thread Colin
Dec-11-14 10:23:56 [Worker_2] 127.0.0.1 info: authentication - plain is used

This line gives me cause for concern for you. Something running on 
localhost sent or proxied this message AND used valid credentials to 
send the message.

What do the collected emails show?  Are they definitely junk messages? 
If so you need to turn up logging to find out which credentials have 
been used and change those. Next step would be to see what process on 
localhost is passing these messages to ASSP and lock it down.

I did a little bit of poking around on your IP to see if anything 
obvious stood out, but didn't want to do anything intrusive without 
asking. The only thing I can see is it looks like you have two different 
MTAs running. Port 25 responds with a Symantec banner and port 587 
responds with a Postfix banner. I'm not sure if one may be proxying and 
less secure but I didn't test.

You could update OpenSSL that Apache is using from za to zc as there 
have been a lot of OpenSSL vulnerabilities this year. I don't know if 
that is likely to have any relevance though.

On 11/12/2014 00:21, James Brown wrote:
> I’m a bit puzzled by this. I’ve noticed in the logs emails coming from and 
> going to email addresses that have nothing to do with my domain.
>
> Eg:
>
> Dec-11-14 10:23:53 [Worker_2] Connected: session:7FAD1B6519F8 127.0.0.1:51769 
> > 127.0.0.1:25 > 127.0.0.1:10026
> Dec-11-14 10:23:56 [Worker_2] 127.0.0.1 info: authentication - plain is used
> Dec-11-14 10:24:12 id-53842-01613 [Worker_2] [MessageOK] 127.0.0.1 
>  to: mj.bas...@orange.fr message ok [Re Josette et 
> Michel Basset] -> /Applications/assp/notspam/1613.eml
> Dec-11-14 10:24:14 [Worker_1] Finished message - received DATA size: 17.27 
> kByte - sent DATA size: 17.49 kByte
> Dec-11-14 10:24:14 [Worker_1] Disconnected: session:7FACFD3C7970 127.0.0.1 - 
> processing time 62 seconds
> Dec-11-14 10:24:25 id-53858-12500 [Worker_2] [MessageOK] 127.0.0.1 
>  to: mj.bur...@orange.fr message ok [To MJ Burgat] -> 
> /Applications/assp/notspam/12500.eml
> Dec-11-14 10:24:26 [Worker_2] Finished message - received DATA size: 1.78 
> kByte - sent DATA size: 2.18 kByte
> Dec-11-14 10:24:26 [Worker_2] Disconnected: session:7FAD1B6519F8 127.0.0.1 - 
> processing time 33 seconds
>
> My domain is bordo.com.au, not yahoo.com or orange.fr.
>
> I’ve done external tests and they all show that I’m not an open relay.
>
> I think I need to remove 127.0.0.1 from acceptAllMail, and turn on 
> DoLocalSenderDomain.
>
> Does this sound right?
>
> Anything else I should look at?
>
> ASSP version 2.4.4(14343)
>
> Thanks,
>
> James.
>


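
Doug's message and Colin's reply above describe the same triage, read straight from ASSP's log: an "authentication - ... is used" line followed by "SMTP authentication failed" is a failed attempt (Doug's sample), while one with no failure and a [MessageOK] after it is a successful login, and the case to worry about is a successful login that arrives from 127.0.0.1 and relays to recipients outside your own domain (James's sample). The script below is an added example for both passages; it is not ASSP code and not from the thread. It assumes the line shapes visible here: "Connected:" and "Disconnected:" carry the session id, the lines in between carry only the [Worker_n] name, and [MessageOK] lists the sender in angle brackets before "to:". The sample lines are constructed from the thread's logs with the recipient and sender addresses replaced by placeholders, and the local domain is the one James names.

```python
"""Triage ASSP SMTP sessions: who authenticated, who failed, who relayed outbound."""
import re
from dataclasses import dataclass, field

LOCAL_DOMAINS = {"bordo.com.au"}   # James's domain from the thread; adjust to yours

WORKER_RE = re.compile(r"\[(Worker_\d+)\]")
CONNECTED_RE = re.compile(r"\] Connected: session:(\w+) (\S+):\d+ > ")
AUTH_USED_RE = re.compile(r"info: authentication - (\w+) is used")
AUTH_FAIL_RE = re.compile(r"warning: SMTP authentication failed")
MSG_OK_RE = re.compile(r"\[MessageOK\] \S+\s+(?:<([^>]*)>\s+)?to: (\S+) message ok")
DISCONNECTED_RE = re.compile(r"\] Disconnected: session:(\w+) ")

# Constructed sample built from the thread's logs (addresses are placeholders).
ASSP_LOG = """\
Dec-11-14 10:23:53 [Worker_2] Connected: session:7FAD1B6519F8 127.0.0.1:51769 > 127.0.0.1:25 > 127.0.0.1:10026
Dec-11-14 10:23:56 [Worker_2] 127.0.0.1 info: authentication - plain is used
Dec-11-14 10:24:12 id-53842-01613 [Worker_2] [MessageOK] 127.0.0.1 <sender@yahoo.example> to: recipient@orange.fr message ok [Re Josette et Michel Basset] -> /Applications/assp/notspam/1613.eml
Dec-11-14 10:24:26 [Worker_2] Disconnected: session:7FAD1B6519F8 127.0.0.1 - processing time 33 seconds
07-12-2014 05:15:00 [Worker_1] Connected: session:7F3F0DB2AF98 5.189.129.101:61808 > 10.10.10.247:587 > 10.10.10.250:25
07-12-2014 05:15:01 [Worker_1] [TLS-in] [TLS-out] 5.189.129.101 info: authentication - plain is used
07-12-2014 05:15:02 [Worker_1] [TLS-in] [TLS-out] 5.189.129.101 warning: SMTP authentication failed on 10.10.10.250
07-12-2014 05:15:02 [Worker_1] [TLS-in] [TLS-out] 5.189.129.101 info: authentication - login is used
07-12-2014 05:15:02 [Worker_1] [TLS-in] [TLS-out] 5.189.129.101 warning: SMTP authentication failed on 10.10.10.250
07-12-2014 05:15:02 [Worker_1] Disconnected: session:7F3F0DB2AF98 5.189.129.101 - processing time 2 seconds
"""


@dataclass
class Session:
    session_id: str
    src_ip: str
    auth_mechs: list = field(default_factory=list)
    auth_failures: int = 0
    auth_pending: bool = False        # an auth attempt with no failure logged after it
    recipients: list = field(default_factory=list)

    @property
    def authenticated(self):
        # ASSP logs no explicit "auth ok"; success is an attempt that never failed.
        return self.auth_pending

    def flags(self):
        """Defender's verdicts for this session, in the order they are checked."""
        out = []
        if self.auth_failures and not self.authenticated:
            out.append("auth-failed-only")          # Doug's sample: credential failures
        if self.authenticated:
            if self.src_ip == "127.0.0.1":
                out.append("authenticated-from-localhost")   # Colin's concern
            if any(r.rsplit("@", 1)[-1].lower() not in LOCAL_DOMAINS for r in self.recipients):
                out.append("authenticated-relay-to-external")  # James's sample
        return out


def triage(text):
    """Return {session_id: Session} for every session seen in the log text."""
    open_by_worker = {}   # a worker handles one session at a time
    done = {}
    for line in text.splitlines():
        w = WORKER_RE.search(line)
        if not w:
            continue
        worker = w.group(1)
        if (m := CONNECTED_RE.search(line)):
            open_by_worker[worker] = Session(m.group(1), m.group(2))
            continue
        s = open_by_worker.get(worker)
        if s is None:
            continue   # line belongs to a session whose Connected: we never saw
        if (m := AUTH_USED_RE.search(line)):
            s.auth_mechs.append(m.group(1))
            s.auth_pending = True
        elif AUTH_FAIL_RE.search(line):
            s.auth_failures += 1
            s.auth_pending = False
        elif (m := MSG_OK_RE.search(line)):
            s.recipients.append(m.group(2))
        elif DISCONNECTED_RE.search(line):
            done[s.session_id] = open_by_worker.pop(worker)
    done.update({s.session_id: s for s in open_by_worker.values()})  # still open at EOF
    return done


if __name__ == "__main__":
    for sid, s in triage(ASSP_LOG).items():
        print(sid, s.src_ip, s.auth_mechs, s.auth_failures, s.recipients, s.flags())
```

Sessions flagged "authenticated-from-localhost" are the ones to chase back through stunnel (or whatever else listens locally) to the real client, and "authenticated-relay-to-external" is the pattern James saw: valid credentials used to send to yahoo.com and orange.fr addresses. Neither flag tells you which account was used; as Colin says, that needs ASSP's logging turned up.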


Re: [Assp-test] [bug] DoIPinHelo catches also whitelisted

2014-12-11 Thread Thomas Eckardt
What is your setting for 'ForceValidateHelo'?

Thomas





From:   "krz...@gmail.com "
To:     ASSP development mailing list
Date:   11.12.2014 09:42
Subject:Re: [Assp-test] [bug] DoIPinHelo catches also whitelisted



There is such whitelisting bug when using DoInvalidFormatHelo. I did
use it to recreate DoIPinHelo functionality and disabled DoIPinHelo,
so I managed to work around this bug for now.

2014-12-11 6:58 GMT+01:00 krz...@gmail.com :
> DoFakedWL = 1
>
> Dec-05-14 10:33:26 72006-2995428 [Worker_2] 178.32.201.69
>  info: found message size announcement: 1.59 kByte
> Dec-05-14 10:33:26 72006-2995428 [Worker_2] 178.32.201.69
>  Message-Score: added 150 (fiphValencePB) for
> Suspicious HELO - contains IP: '171-32-201-69.ovh.net', total score
> for this message is now 150
> Dec-05-14 10:33:26 [Worker_2] sen...@domain.com,recipi...@mydomain.com
> matches sen...@domain.com,recipi...@mydomain.com in whiteListedDomain
> Dec-05-14 10:33:26 72006-2995428 [Worker_2] 178.32.201.69
>  [scoring] (Suspicious HELO - contains IP:
> '172-32-201-69.ovh.net')
> Dec-05-14 10:33:26 72006-2995428 [Worker_2] [MessageLimit]
> 172.32.201.69  to: recipi...@mydomain.com [spam
> found] (MessageScore 150, limit 50) [Kolejny test];
>
> DoIPinHelo catches also whitelisted in both cases:
> 1) whitelisted as sen...@domain.com
> 2) whitelisted as sen...@domain.com => recipi...@mydomain.com
> (personal whitelist)
>
> There is a bug somewhere in the code:
>
> sub IPinHeloOK_Run {
> ...
> return 1 if $DoFakedWL && &Whitelist($this->{mailfrom});
>
>
> this code does not work at all and even if it would it does not pass
> $this{rcpt} to function Whitelist (so personal whitelist would not
> work).
>
> when I've changed this to
> return 1 if $this->{whitelisted}  && $DoFakedWL;
>
> whitelisting did work but not for personal whitelists.
>
>
>
> another bug is that sub validHeloOK_Run uses old whitelisting method
> without handling for personal whitelists:
> return 1 if $this->{whitelisted}  && !$DoHeloWL;



Re: [Assp-test] [bug] DoIPinHelo catches also whitelisted

2014-12-11 Thread krz...@gmail.com
There is such whitelisting bug when using DoInvalidFormatHelo. I did
use it to recreate DoIPinHelo functionality and disabled DoIPinHelo,
so I managed to work around this bug for now.

2014-12-11 6:58 GMT+01:00 krz...@gmail.com :
> DoFakedWL = 1
>
> Dec-05-14 10:33:26 72006-2995428 [Worker_2] 178.32.201.69
>  info: found message size announcement: 1.59 kByte
> Dec-05-14 10:33:26 72006-2995428 [Worker_2] 178.32.201.69
>  Message-Score: added 150 (fiphValencePB) for
> Suspicious HELO - contains IP: '171-32-201-69.ovh.net', total score
> for this message is now 150
> Dec-05-14 10:33:26 [Worker_2] sen...@domain.com,recipi...@mydomain.com
> matches sen...@domain.com,recipi...@mydomain.com in whiteListedDomain
> Dec-05-14 10:33:26 72006-2995428 [Worker_2] 178.32.201.69
>  [scoring] (Suspicious HELO - contains IP:
> '172-32-201-69.ovh.net')
> Dec-05-14 10:33:26 72006-2995428 [Worker_2] [MessageLimit]
> 172.32.201.69  to: recipi...@mydomain.com [spam
> found] (MessageScore 150, limit 50) [Kolejny test];
>
> DoIPinHelo catches also whitelisted in both cases:
> 1) whitelisted as sen...@domain.com
> 2) whitelisted as sen...@domain.com => recipi...@mydomain.com
> (personal whitelist)
>
> There is a bug somewhere in the code:
>
> sub IPinHeloOK_Run {
> ...
> return 1 if $DoFakedWL && &Whitelist($this->{mailfrom});
>
>
> this code does not work at all and even if it would it does not pass
> $this{rcpt} to function Whitelist (so personal whitelist would not
> work).
>
> when I've changed this to
> return 1 if $this->{whitelisted}  && $DoFakedWL;
>
> whitelisting did work but not for personal whitelists.
>
>
>
> another bug is that sub validHeloOK_Run uses old whitelisting method
> without handling for personal whitelists:
> return 1 if $this->{whitelisted}  && !$DoHeloWL;
