Re: [Assp-test] upgrading from 2.4.4(14296) to 2.4.8(16036)
On Thu, Feb 18, 2016 at 5:01 PM, Thomas Eckardt wrote:
> - install openssl from source first

I did download openssl-1.0.1r.tar.gz and the usual .config/make/checkinstall, but I lost the binary openssl... ASSP was reporting openssl-lib updated, but was missing openssl.

I rolled back, and downloaded packages from http://archive.ubuntu.com/ubuntu/pool/main/o/openssl/ :

*libssl1.0.0_1.0.2f-2ubuntu1_amd64.deb*
*libssl-dev_1.0.2f-2ubuntu1_amd64.deb*
*libssl-doc_1.0.2f-2ubuntu1_all.deb*
*openssl_1.0.2f-2ubuntu1_amd64.deb*

and installed them with no errors. Now ASSP is not complaining anymore:

*OpenSSL 1.0.2f 1.0.2f / 0.9.8 *
*OpenSSL-lib 1.0.2f 28 Jan 2016 1.0.2f / 1.0.1h*
*Feb-19-16 10:09:36 [init] The underlying SSL library Net::SSLeay version 1.72 uses OpenSSL 1.0.2f 28 Jan 2016*

BTW, I wasn't able to upgrade libcrypto1.0.0-udeb_1.0.2f-2ubuntu1_amd64.udeb due to a libc6 dependency... is this an issue? Can I live with that?

Just asking: if I stay with 1.0.1f, will ASSP continue working flawlessly despite the version mismatch? Is this just a security concern?

thanks

--
"Madness, like small fish, runs in hosts, in vast numbers of instances."
Nobody combs my hair as well as the wind.
Re: [Assp-test] AFC Plugin, UserAttach. Encrypted zip
Ken,

I made a mistake in one of my early posts.

It works as the GUI describes it - if a single valid record for a regular attachment blocking is found in UserAttach - all level definitions are ignored for all mails. The zip: definitions are in the same file, but they do not affect the above rule.

There was a fallback function in some older code, but this was removed.

Thomas

From: K Post
To: ASSP development mailing list
Date: 19.02.2016 05:32
Subject: Re: [Assp-test] AFC Plugin, UserAttach. Encrypted zip

I'm sorry to irritate you, really I am, but I have read the GUI, over and over, and over and over. Seeing it here doesn't help. To me - very technical, English speaker, decades of experience - the GUI is not clear. Maybe if I had a better understanding of the intent of your writing / how ASSP works here I could help to re-write (just) the description for this section.

"No rule, no check" is a start for complete understanding, but the GUI also says "If the user name matches for a sender or recipient and a (in/out) regex definition is found in this file, *all level definition are overwritten* for this mail." I'm not sure if what you wrote in the email and the GUI contradict each other or not.

For an example of my confusion, if there is a good-*out* rule only for a user and no good-in, bad-in, or bad-out, does that mean that the level 1 block rules are overwritten and that user may only send the attachment types specified in good-out, but may not receive ANY attachments, or is any attachment type now accepted because there wasn't a good-in or bad-in specified for that user?

What if the receiving user has .doc allowed but the sending user has .doc blocked? From what I'm reading they're OR'ed together, but is the action to allow or block? Block the attachment if it's a .doc OR allow it if it's a .doc? Which has priority?

And last for now, given the level 1 line that I provided, shouldn't a zip containing a DLL file be removed from the email? It's not.

Thanks again.

On Thu, Feb 18, 2016 at 12:15 AM, Thomas Eckardt wrote:
> THE GUI!
> If the user name matches for a sender or recipient and a (in/out) regex
> definition is found in this file, all level definition are overwritten for
> this mail.
> good, good-out and good-in - and also - block, block-out and block-in -
> will be logical OR combined according to the mail flow.
>
> >If so, what does a blank good-in and bad-in rule do? Everything is good,
> >but everything is bad? Which wins?
>
> No rule - no check.
>
> > If I define a zip: line for a specific user but not a non-zip: line, will
> the level 1,2,3,4 blocks still be effective?
>
> yes - zip: (as written in the doc) is an extension provided by AFC.
>
> Thomas
>
> From: K Post
> To: ASSP development mailing list
> Date: 18.02.2016 01:56
> Subject: Re: [Assp-test] AFC Plugin, UserAttach. Encrypted zip
>
> Here's my pertinent settings:
>
> DoBlockExes block
> BlockExec (external) Level 2
> BlockWLExes Level 1
> BlockNPExecs Level 1
>
> BaddAttachLevel1
>
> exe-bin|url|ade|adp|asx|bas|bat|dot|dotx|xlt|xlts|bin|chm|cmd|com|cpl|crt|dbx|dll|exe|hlp|hta|htb|inf|ifs|isp|js|jse|lnk|mda|mdb|mde|mdz|mht|msc|msi|msp|mst|nch|pcd|pif|prf|ps1|reg|scf|scr|sct|shb|shs|vb|vbe|vbs|vba|wms|wsc|wsh
>
> Levels2, 3, 4 are currently blank
>
> In UserAttach I have only this:
>
> zip: allo...@ourdomain.org => good-out => *|crypt\-zip
>
> DoASSP_AFC enabled
> ASSP_AFCblockEncryptedZip is checked
>
> No matter if the documentation is clear, I find the options to be a bit
> convoluted and the way I understand it doesn't match what I see happening.
>
> Here's what's happening for me
>
> 1) No user may send or receive encrypted zip files except
> allo...@ourdomain.org [as expected]
> 2) If I didn't have the *|crypt\-zip and instead just had crypt\-zip,
> allowed@ourdomain could not send non-encrypted zip files [as expected]
> 3) files that match level 1 (but aren't zipped) are blocked for all users
> [as expected]
>
> 4) The allo...@ourdomain.org user, the one who is in the UserAttach file,
> CAN receive zip files (just not encrypted) despite what you've explained.
> I thought you said that if the line isn't fully defined, everything else
> would be a block. [*not as expected*]
> 5) all users >can< receive zip files that contain dll files as an example.
> I thought that they'd be disallowed as dll is in level 1 [*not as
> expected*]
>
> 6) I didn't test allo...@ourdomain.com and other non-zip attachments. What
> would you expect to happen?
>
> *So, let me please restate my questions, maybe more clearly?*
> Based on my settings, does it look like I'm doing something wrong? Is it
> working as expected, but I just don't understand?
>
> If there isn't a FULLY defined UserAttach line for a user and there's
> only say a good-out, are you saying that bad-out, bad-in, and good-in will be
> considered to be blank?
> If so, what does a blank good-in a
Re: [Assp-test] AFC Plugin, UserAttach. Encrypted zip
As always, I appreciate your responses, but there's no need to be patronizing. And to say that you've perfectly explained everything in the GUI is a bit silly; I wouldn't be asking if you had done a better job there, or you're just calling me an idiot. To say that you can't help if anyone is "not able to understand" what you wrote is pretty narrow minded. Assuming my competency, maybe what you wrote just needs CLEAR CLARIFICATION. *I'm hoping that my question #2 below might show you how there's room for interpretation of the GUI doc.*

Whatever the case, please know that *my goal is to obtain a better understanding, get attachment filtering done the way my users need, and hopefully help the ASSP community at the same time.* I know you're busy, bright, and the only reason that I have any hope of time for my family at the end of the day, but still, this is a place for discussion.

I think part of the problem here is translation. Maybe the German to English in your head translation covers everything, but to native English speakers it's not quite clear? Once I understand this all, I bet I can write it just as concisely but more clearly - and if you'll accept that, I'd be more than happy to have that in the GUI. If you recall, I've done this for other sections over the years for you too.

1) [asked before but not addressed] If in level 1, .dll is listed, shouldn't we expect a zip file that contains a .dll file to be rejected if the AFC plugin is enabled? I'm not seeing that behavior (nothing matching in UserAttach)

2) [example of different interpretations being possible] You've said "if there is a matching entry" in UserAttach. When you say match, do you mean just matching the sender or receiver, or do you mean matching BOTH a sender/receiver AND the direction of the rule?

Example in UserAttach:

exceptionu...@ourdomain.org => good-in => .exe

If an .exe file comes inbound, I know they can get it. Level 1 is ignored, so that means that anything else can ALSO come *inbound* (I think), but is Level 1 also ignored for OUTBOUND email? I ask this because I don't know if a "match" in userattach needs to *match both the user and the direction or just the user.*

Does only having a good-in rule for a user allow all other attachment types OUT because all levels are now ignored in either direction? If that's the case, we'd need to copy the level definitions to each line in userattach for them to be effective. Might we be able to have a variable definition in UserAttach to make maintenance easier, or a flag to include them, with userattach rules being additive for block and subtractive for allow (only if this is easy for you to implement). For an admin with a dozen exceptions, if I decide to change level1 to block some new sort of attachment, I'd need to edit 12 lines of UserAttach too (right?).

On Fri, Feb 19, 2016 at 12:15 AM, Thomas Eckardt wrote:
> >I have read the GUI, over and over, and over and over.
>
> reading is step one - think about is step two - leads in to understand,
> step three :):):)
>
> again:
>
> If there is a matching entry found in UserAttach - the entry is used and
> ALL level definitions are ignored.
>
> >From what I'm reading they're OR'ed together but is the action to
> allow or block.
>
> ASSP is a spam filter to BLOCK bad attachment. Blocking has and had the
> higher priority.
>
> This is the simple logic behind
>
> BLOCK IF
> (has blockrule and extension matches blockrule)
> or
> (has goodrule and extension not matches good rule)
>
> The used rules are 'OR' combined from the recipient and the sender, if
> both matches a rule.
>
> All these facts are perfectly technical described in the GUI! Yes the
> description is short, but it exactly points out all required facts.
>
> If anybody is not able to understand
>
> "If the user name matches for a sender or recipient and a (in/out) regex
> definition is found in this file"
> and
> "all level definition are overwritten for this mail"
> and
> "will be logical OR combined according to the mail flow"
>
> I can not help. Use the old way (level definitions).
>
> Thomas
>
> From: K Post
> To: ASSP development mailing list
> Date: 19.02.2016 05:32
> Subject: Re: [Assp-test] AFC Plugin, UserAttach. Encrypted zip
>
> I'm sorry to irritate you, really I am, but I have read the GUI, over and
> over, and over and over. Seeing it here doesn't help. To me - very
> technical, English speaker, decades of experience - the GUI is not clear.
> Maybe if I had a better understanding of the intent of your writing / how
> ASSP works here I could help to re-write (just) the description for this
> section.
>
> "No rule, no check" is a start for complete understanding, but the gui
> also says " If the user name matches for a sender or recipient and a (in/out)
> regex definition is found in this file, *all level definition are
> overwritten* for this mail." I'm not sure if what you wrote in the
> email
> and the
Re: [Assp-test] AFC Plugin, UserAttach. Encrypted zip
This is the new GUI description for UserAttach - not much changed - but more clear.

To define entries you have to use the 'file:...' option. Define one entry per line - comments are not allowed in a definition line.

The syntax of an entry is as follows:

username => good => goodAttachRegex , good-out => goodoutRegex , good-in => goodinRegex , block => blockAttachRegex , block-out => blockoutRegex , block-in => blockinRegex

username - Mail solely to or from any of these addresses. Accepts specific addresses (u...@domain.com), user parts (user) or entire domains (@domain.com) or a Group definition [GROUP]. Wildcards are supported (fribo*@domain.com).
good => goodAttachRegex - good attachment for incoming and outgoing mails
good-out => goodoutRegex - good attachment for outgoing mails
good-in => goodinRegex - good attachment for incoming mails
block => blockAttachRegex - bad attachment for incoming and outgoing mails
block-out => blockoutRegex - bad attachment for outgoing mails
block-in => blockinRegex - bad attachment for incoming mails

For example:

u...@domain.tld => good => ai|asc|bhx|dat|doc|eps|gif|htm|html|ics|jpg|jpeg|hqx|od[tsp]|pdf|ppt|rar|rpt|rtf|snp|txt|xls|zip
*@domain.tld => good => ai|asc|bhx , good-out => eps|gif , good-in => htm|html , block => pdf|ppt , block-out => rar|rpt , block-in => xls|exe\-bin

At least one of the above option must be defined in a line - a maximum of all (six) could be defined, if this makes sense.

This feature replaces the above level definitions. If at least one valid regular (not zip:...) attachment blocking rule is defined here, all level definitions are ignored for all emails!

The defined blocking rules for the sender and the first envelope recipient are combined together using an OR logic.

good, good-out and good-in - and also - block, block-out and block-in - will be logical OR combined according to the mail flow.

Notice: if a bad attachment is found on a user based attachment check, the penalty box IP address scoring is skipped.

Thomas
Re: [Assp-test] AFC Plugin, UserAttach. Encrypted zip
I added a bit. Confirm that this is correct? (see bold)

This feature replaces the above level definitions. If at least one valid regular (not zip:...) attachment blocking rule is defined here, all level definitions are ignored for all emails, *regardless of direction! This means that if, for example, only a good-out definition exists for a user, the level definitions for any email sent OR RECEIVED will be ignored. Only having a good-out defined for a user means that this user will only be able to send files matching that good-out definition, will not be able to send any other kinds of file, but will have no block-in definition, so any attachment type can be sent to that user. To have the level rules apply for a user in UserAttach, the level rule entries need to be copied into userattach for each user.*

Also, still outstanding, if .dll is blocked in level 1 and the AFC plugin is used, shouldn't a .dll within a .zip be blocked?

On Fri, Feb 19, 2016 at 9:34 AM, Thomas Eckardt wrote:
> This is the new GUI description for UserAttach - not much changed - but
> more clear.
>
> To define entries you have to use the 'file:...' option. Define one
> entry per line - comments are not allowed in a definition line.
> The syntax of an entry is as follows:
> username => good => goodAttachRegex , good-out => goodoutRegex , good-in
> => goodinRegex , block => blockAttachRegex , block-out => blockoutRegex ,
> block-in => blockinRegex
> username - Mail solely to or from any of these addresses. Accepts
> specific addresses (u...@domain.com), user parts (user) or entire domains
> (@domain.com) or a Group definition [GROUP]. Wildcards are supported
> (fribo*@domain.com).
> good => goodAttachRegex - good attachment for incoming and outgoing
> mails
> good-out => goodoutRegex - good attachment for outgoing mails
> good-in => goodinRegex - good attachment for incoming mails
> block => blockAttachRegex - bad attachment for incoming and outgoing
> mails
> block-out => blockoutRegex - bad attachment for outgoing mails
> block-in => blockinRegex - bad attachment for incoming mails
> For example:
> u...@domain.tld => good =>
> ai|asc|bhx|dat|doc|eps|gif|htm|html|ics|jpg|jpeg|hqx|od[tsp]|pdf|ppt|rar|rpt|rtf|snp|txt|xls|zip
> *@domain.tld => good => ai|asc|bhx , good-out => eps|gif , good-in =>
> htm|html , block => pdf|ppt , block-out => rar|rpt , block-in =>
> xls|exe\-bin
> At least one of the above option must be defined in a line - a maximum
> of all (six) could be defined, if this makes sense.
> This feature replaces the above level definitions. If at least one valid
> regular (not zip:...) attachment blocking rule is defined here, all level
> definitions are ignored for all emails!
> The defined blocking rules for the sender and the first envelope
> recipient are combined together using an OR logic.
> good, good-out and good-in - and also - block, block-out and block-in -
> will be logical OR combined according to the mail flow.
> Notice: if a bad attachment is found on a user based attachment check,
> the penalty box IP address scoring is skipped.
>
> Thomas
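A small Python model of the UserAttach decision rule as Thomas states it in this thread, added here as an example (it is not ASSP code; ASSP is written in Perl and may differ in detail). Assumptions: each regex must match the whole extension, case-insensitively; `zip:` lines and [GROUP] names are skipped; the addresses and the short LEVEL1 list are constructed sample values.

```python
import re
from fnmatch import fnmatchcase

RULE_KEYS = {"good", "good-in", "good-out", "block", "block-in", "block-out"}

def parse_userattach(text):
    """Return [(username, {rule_key: compiled_regex})] for regular entries."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        # zip: lines are the AFC extension and do not count as regular rules;
        # [GROUP] names are not resolved in this model.
        if not line or line.startswith(("zip:", "[")):
            continue
        user, _, rest = line.partition("=>")
        rules = {}
        for part in re.split(r"\s,\s", rest):
            key, sep, rx = part.partition("=>")
            if sep and key.strip() in RULE_KEYS and rx.strip():
                rules[key.strip()] = re.compile(rx.strip(), re.I)
        if user.strip() and rules:
            entries.append((user.strip().lower(), rules))
    return entries

def user_matches(pattern, address):
    """Match a full address, a user part, or an @domain, with * wildcards."""
    address = address.lower()
    local, _, domain = address.partition("@")
    if pattern.startswith("@"):
        return fnmatchcase("@" + domain, pattern)
    if "@" not in pattern:
        return fnmatchcase(local, pattern)
    return fnmatchcase(address, pattern)

def decide(entries, level_regex, sender, recipient, direction, ext):
    """direction is 'in' or 'out'; returns (verdict, reason)."""
    if not entries:
        # No regular UserAttach record at all: the level definitions apply.
        hit = re.fullmatch(level_regex, ext, re.I)
        return ("block", "level") if hit else ("pass", "level")
    # At least one regular record exists: levels are ignored for ALL mail.
    good, block = [], []
    for user, rules in entries:
        if user_matches(user, sender) or user_matches(user, recipient):
            for key, rx in rules.items():
                if key in ("good", "good-" + direction):
                    good.append(rx)      # OR-combined across sender/recipient
                elif key in ("block", "block-" + direction):
                    block.append(rx)
    if block and any(rx.fullmatch(ext) for rx in block):
        return ("block", "block rule matches")
    if good and not any(rx.fullmatch(ext) for rx in good):
        return ("block", "not in good rule")
    return ("pass", "user rule" if good or block else "no rule - no check")

# Constructed sample data (not taken from a real installation).
LEVEL1 = "exe|dll|scr|vbs"
USERATTACH = "\n".join([
    r"exception@example.org => good-in => exe",
    r"zip: allowed@example.org => good-out => *|crypt\-zip",
])
ENTRIES = parse_userattach(USERATTACH)

if __name__ == "__main__":
    cases = [
        ([], "ext@example.net", "bob@example.org", "in", "dll"),
        (ENTRIES, "ext@example.net", "bob@example.org", "in", "dll"),
        (ENTRIES, "ext@example.net", "exception@example.org", "in", "pdf"),
        (ENTRIES, "exception@example.org", "ext@example.net", "out", "dll"),
    ]
    for ent, snd, rcp, direction, ext in cases:
        print(len(ent), snd, rcp, direction, ext, decide(ent, LEVEL1, snd, rcp, direction, ext))
```

Under this reading, adding one good-in exception stops level 1 from blocking a .dll for every other user, which is why the level list has to be repeated as block rules once UserAttach is in use.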
[Assp-test] Opposite of Block Report
I'm getting some verbal reports of people getting spam, from some of my more difficult users (despite clear instructions on how to report them).

Question:
How difficult would it be to have either a daily or on demand report that's essentially the opposite of the block report? Show me everything for a user that was NOT blocked. That way, I could run the report, see what the person is getting and take appropriate action without searching through the logs.

Is there mass benefit for this functionality or am I the only one with these tough users? Is there a better way? I don't want to go back to the days of manually looking through the OK mail folder...
Re: [Assp-test] Opposite of Block Report
:: On Fri, 19 Feb 2016 09:59:58 -0500
::
:: K Post wrote:

> I'm getting some verbal reports of people getting spam, from some of
> my more difficult users (despite clear instructions on how to report
> them).
>
> Question:
> How difficult would it be to have either a daily or on demand report
> that's essentially the opposite of the block report? Show me

not a task for ASSP also since it should be relatively easy to parse the logs of your backend mailserver (protected by ASSP) and use those data to build your "notspam" report
Re: [Assp-test] Opposite of Block Report
> How difficult would it be to have either a daily or on demand report that's
> essentially the opposite of the block report?

On Linux or Windows using GNU grep:

grep "\] \[" maillog.txt |grep -i u...@domain.com |grep MessageOK

For blocked, one small change:

grep "\] \[" maillog.txt |grep -i u...@domain.com |grep -v MessageOK
[Assp-test] Since 16/02/2016 [Worker_1] [TLS-in] IP <...> to: ....u [SMTP Status] 451 Requested action abort, ed: local error in processing
Dear all,

Since 16 Feb I see in my ASSP logs a lot of 451s like the one in the subject.

I did a tcpdump capture of one of these events and it appears that there is no data received by the postfix behind ASSP, which seems to be the issue.

Has someone had this kind of trouble or an idea of what could be happening?

Regards,
Renaud
Re: [Assp-test] Since 16/02/2016 [Worker_1] [TLS-in] IP <...> to: ....u [SMTP Status] 451 Requested action abort, ed: local error in processing
The assp - reply

451 Requested action aborted: local error in processing

indicates, that your MTA has closed the connection or the connection to the MTA was lost.

Notice the missing 'ed:' - if this is really in the reply, the reply comes from the MTA.

Thomas