Re: IMAP Servers

2005-01-12 Thread Mark Bucciarelli
On Wednesday 12 January 2005 18:34, Eric Jennings wrote:

> We've experienced some issues with courier-imapd and Mail.app,
> specifically where certain IMAP sub-Maildir mailboxes wouldn't display
> within Mail.app.  The mailboxes work great within Thunderbird.
>
> It's been infrequent enough where we haven't really done a thorough
> investigation.  If anybody else has had similar issues, and knows of a
> fix, please share!

If you don't have fam set up to automatically notify clients of new mail, 
Mail.app will poll to look for new messages.  It makes a separate IMAP 
connection for each folder [1].  So check your IMAPDAEMONS setting 
in /etc/courier/imapd (100 was recommended for 25 clients).

Another factor is the max # of authdaemons.  I'm pretty sure each IMAP 
connection generates an authentication request.  If the clients 
obsessively check for new mail, you may need to increase the number of 
authdaemons you allow courier to start up.

Regards,

Mark

[1] http://staff.washington.edu/oren/weblog/archives/70.html




Re: [OT] Debian package differences from upstream

2005-01-05 Thread Mark Bucciarelli
On Wednesday 05 January 2005 08:58, Marcin Owsiany wrote:
> On Wed, Jan 05, 2005 at 08:40:21AM -0500, Mark Bucciarelli wrote:
> > On my Woody box, courier-mta logs pop transactions with the tag
> > "courierpop3login:".  The logs of other courier users (freebsd, gentoo
> > for example) have the string "pop3d:"
>
> As far as I remember, this string is set in the init.d script...

From the diff, I see the courier-pop init script was rewritten for Debian. 
The custom version of the script starts courierpop3login directly instead of 
pop3d, and syslog tags log entries accordingly.

Got it, thanks!

Regards,

Mark



[OT] Debian package differences from upstream

2005-01-05 Thread Mark Bucciarelli
[ Is debian-mentors the proper list for this type of packaging question? ]

On my Woody box, courier-mta logs pop transactions with the tag 
"courierpop3login:".  The logs of other courier users (freebsd, gentoo for 
example) have the string "pop3d:"

It has been suggested that this is a change the Debian packager made.

How can I verify this?

I've done apt-get source and poked around a bit but could not tell where 
the Debian patches made to upstream live.

Regards,

Mark


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: Courier-IMAPs / POP3s login question

2005-01-04 Thread Mark Bucciarelli
On Tuesday 04 January 2005 08:55, Emmanuel Lacour wrote:

> As I understand, he want to authenticate users with ssl certs

Courier can do SASL_PLAIN auth for imap and pop auth. 

See /etc/courier/imapd and /etc/courier/pop3d.

Regards,

Mark





Re: Courier-IMAPs / POP3s login question

2005-01-04 Thread Mark Bucciarelli
On Tuesday 04 January 2005 03:53, Jens Zahner wrote:
> martin f krafft wrote:
> > Beyond the documentation and the comments in the files in
> > /etc/courier, you mean?
>
> I couldn't find any helpful information about ssl cert based auth
> neither in the files nor in the documentation, and google couldn't help
> me either.

Did you try this?

# apt-get install courier-imap-ssl
# man mkimapdcert
# cat /etc/courier/imapd.cnf

If so, try the courier-users mailing list or #courier on freenode.

Regards,

Mark





Re: EHLO/HELO [was blacklists]

2004-12-10 Thread Mark Bucciarelli
On Friday 10 December 2004 09:36, Mark Bucciarelli wrote:

> (1) If SPF HELO checking is on and lookup matches connecting IP
>  --> PASS
[..]
> Otherwise, return 517 HELO $hostname does not match $remote-ip

Sorry to reply to myself, but this sequence is more complicated if SPF 
checking is turned on and the SPF lookup fails.  You can choose to 
softfail (417) or hardfail (517).  I wanted to set the record straight.

Regards,

Mark




Re: EHLO/HELO [was blacklists]

2004-12-10 Thread Mark Bucciarelli
[CC'ing Bill Taroli who has been helping me with this on courier-user]

On Friday 10 December 2004 07:08, Russell Coker wrote:
> On Friday 10 December 2004 00:39, Mark Bucciarelli
> <[EMAIL PROTECTED]>
>
> wrote:
> > I've recently turned on EHLO/HELO validation and am encouraged by how
> > effective it is.  With RBLs (spamcop and dnsbl) and SpamAssassin 3,
> > only 88% of spam was stopped.  So far, it's 100%.  (This is a _very_
> > small
>
> What exactly do you mean by EHLO/HELO validation?

The courier man page just says "verify the hostname provided in the ESMTP 
EHLO/HELO statement."

From reading the code, here's what it does:

(0) If the connecting IP address is in the checkhelo whitelist
 --> PASS

(1) If SPF HELO checking is on and the lookup matches the connecting IP
 --> PASS

(2) If the HELO host name is a numeric IP and it matches the connecting IP
 --> PASS

(3) Look up MX records for the HELO hostname.  If one matches the connecting IP
 --> PASS

(4) Look up A records for the hostname.  If one matches the connecting IP
 --> PASS

Otherwise, return 517 HELO $hostname does not match $remote-ip

If there is an RFC1035_MX_HARDERR or RFC1035_MX_BADDNS when looking up the 
MX record, return a 517.

If the MX or A DNS lookup fails, return a 417.

> In my postfix configuration I have:
> smtpd_helo_restrictions = permit_mynetworks, 
> reject_non_fqdn_hostname, reject_unknown_sender_domain
>
> I tried out "reject_unknown_hostname" but had to turn it off, too many
> machines had unknown hostnames.

I find it interesting that postfix defaults the response code to 450 
instead of a 5XX for this failure.  This is along the lines that I have 
been thinking.

> For example a zone foo.com has a SMTP server named postfix1 and puts
> postfix1.foo.com in the EHLO command but has an external DNS entry of
> smtp.foo.com.  Such a zone is moderately well configured and there are
> too many such zones to block them all.  The other helo restrictions get
> enough non-spam traffic.
>
> Using reject_unknown_hostname would get close to blocking 100% of spam,
> but that's because it would block huge amounts of non-spam email.

So I guess the questions are:

(1) Given a log entry (hostname and connecting IP) of an EHLO reject, can I 
reliably figure out if the host was valid?

(2) Can I do this quickly enough that my whitelist will be updated before 
their MTA stops retrying and customers start complaining?

(3) Will the whitelist stabilize enough over time to make this worth it?

(4) Would it be possible to build a secure data pool where a group of 
like-minded and trusted admins could share whitelisted connecting IPs?

Regards,

Mark
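The five-step sequence Mark read out of the source, written up as running code.  This is an added example, not Courier's code or anything posted to the list: the DNS table, the whitelist, the two exception classes and the optional SPF hook are constructed here so it runs offline, and "lookup fails" in steps (3) and (4) is taken to mean a temporary resolver failure (SERVFAIL or timeout), which is this example's reading of the post.

```python
"""Decision sequence of Courier's EHLO/HELO check as described in the post,
implemented against an in-memory DNS table so it runs offline.

Added example, not Courier's code.  The DNS data, the whitelist, the SPF hook
and the two exception classes are constructed for the demonstration.
"""
import ipaddress


class DnsTempFail(Exception):
    """Temporary lookup failure (SERVFAIL / timeout): the post's 417 case."""


class DnsHardError(Exception):
    """Hard MX lookup error: the post's RFC1035_MX_HARDERR / RFC1035_MX_BADDNS case."""


# Constructed zone data (documentation prefixes only, not real hosts).
DNS = {
    "example.net":       {"MX": ["mail.example.net"], "A": ["192.0.2.1"]},
    "mail.example.net":  {"A": ["192.0.2.10"]},
    "relay.example.org": {"A": ["198.51.100.5"]},
}
TEMP_FAIL = {"flaky.example.com"}        # names whose lookups time out
MX_HARD_ERR = {"broken-mx.example.com"}  # names whose MX lookup returns a hard error


def lookup(name, rtype):
    """Return the records of type rtype for name, or raise like a resolver would."""
    if name in TEMP_FAIL:
        raise DnsTempFail(name)
    if rtype == "MX" and name in MX_HARD_ERR:
        raise DnsHardError(name)
    return DNS.get(name, {}).get(rtype, [])


def normalize_ip(text):
    """Canonical string form; unwraps IPv4-mapped IPv6 (::ffff:a.b.c.d) as Courier logs it."""
    ip = ipaddress.ip_address(text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return str(ip)


def check_helo(helo, remote_ip, whitelist=frozenset(), spf_helo_pass=None):
    """Apply steps (0)-(4) from the post in order.

    Returns ("PASS", reason) or (code, reason) with code 417 (temporary, the
    sender should retry) or 517 (permanent).  spf_helo_pass is an optional
    callable(helo, ip) -> bool standing in for the SPF HELO check; None means
    SPF HELO checking is turned off.
    """
    remote_ip = normalize_ip(remote_ip)

    # (0) connecting address is in the checkhelo whitelist
    if remote_ip in whitelist:
        return "PASS", "connecting IP is whitelisted"

    # (1) SPF HELO checking is on and the lookup matches the connecting IP
    if spf_helo_pass is not None and spf_helo_pass(helo, remote_ip):
        return "PASS", "SPF HELO record matches connecting IP"

    # (2) HELO is a numeric address literal equal to the connecting IP
    try:
        if ipaddress.ip_address(helo.strip("[]")) == ipaddress.ip_address(remote_ip):
            return "PASS", "address literal matches connecting IP"
    except ValueError:
        pass  # not a literal: fall through to the DNS steps

    try:
        # (3) an MX host of the HELO name resolves to the connecting IP
        for mx in lookup(helo, "MX"):
            if remote_ip in lookup(mx, "A"):
                return "PASS", f"MX host {mx} resolves to connecting IP"
        # (4) an A record of the HELO name is the connecting IP
        if remote_ip in lookup(helo, "A"):
            return "PASS", "A record matches connecting IP"
    except DnsHardError as err:
        return 517, f"hard DNS error looking up MX for {err}"
    except DnsTempFail as err:
        return 417, f"temporary DNS failure looking up {err}; try again later"

    return 517, f"HELO {helo} does not match {remote_ip}"


if __name__ == "__main__":
    for helo, ip in [("example.net", "192.0.2.10"), ("[198.51.100.5]", "198.51.100.5"),
                     ("relay.example.org", "203.0.113.7"), ("flaky.example.com", "203.0.113.7")]:
        print(helo, ip, "->", check_helo(helo, ip))
```

The temporary/permanent split is the part worth keeping straight: a 417 tells a real MTA to queue and retry, a 517 makes it bounce, so a resolver hiccup on your side should never produce the 5xx.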



EHLO/HELO [was blacklists]

2004-12-09 Thread Mark Bucciarelli
On Tuesday 07 December 2004 17:55, Michael Loftis wrote:
> --On Wednesday, December 08, 2004 08:47 +1100 Craig Sanders
>
> <[EMAIL PROTECTED]> wrote:
> >> Now I reject by 554 code...  should I change to 4xx?
> >
> > if it suits your needs.  i wouldn't.
>
> I have to agree with that statement.  For us it suits our needs very
> well. I don't mind handling the extra retry traffic if it means
> legitimate mail on a 'grey/pink' host is just temporarily rejected or
> delayed while they clean up, in fact this is far more desirable for us.
>  Complaints of 'lost' mail went up when we were using permanent fatal
> codes as an experiment. Yes legitimate hosts get blacklisted, but
> legitimate hosts will retry, and if they don't, well, it's their problem,
> not ours.  We're telling them 454 listed on spamcop see URL of whatever
> (I'm obviously paraphrasing)

I've been following this thread with great interest.

I'm wondering if the same 4XX technique could apply to EHLO/HELO 
checks--with automatic whitelisting thrown in.

If spammers never retry, couldn't you watch the logs and when you see a 
retry, add that IP to EHLO/HELO whitelist?  (And generate a report so you 
can check up on this later.)  Folks on the courier-user list have reported 
that the EHLO/HELO whitelist becomes quite stable after a while.

I've recently turned on EHLO/HELO validation and am encouraged by how 
effective it is.  With RBLs (spamcop and dnsbl) and SpamAssassin 3, only 
88% of spam was stopped.  So far, it's 100%.  (This is a _very_ small 
sample--one email account for one day, but the change is dramatic from my 
perspective.)

And what's to stop spammers from starting to retry?  Does it double their 
cost of doing business?  If I then require a second retry, does it triple 
their cost?

If I want to hack the courier backport package to force an invalid EHLO to 
get a 4XX instead of the hardcoded 517, are these the correct steps (taken 
from Debian Quick Reference, Ch. 3):

apt-get source courier
dpkg-source -x courier.dsc
cd courier-0.47
... edit source
dpkg-buildpackage -rfakeroot -us -uc
su -c "dpkg -i courier-mta.deb"

Is that correct?

How do I change the newly-built package name, and what do I change it to so 
apt-get update/upgrade will find a new release uploaded to backports.org?

Regards,

Mark
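The retry-driven whitelisting idea in this post, and questions (1) and (2) from the 2004-12-10 follow-up (can a retry be spotted in the log reliably and quickly enough?), as an added example that is not Courier's code or anything the list produced.  The log lines are constructed in the approximate shape of courieresmtpd syslog entries, with the 517 already changed to the proposed 417; the minimum retry gap and the requirement that the retrying host keep the same HELO name are this example's own heuristics, chosen so that an immediate reconnect burst is not mistaken for a queued retry.

```python
"""Turn EHLO/HELO 417 rejects into whitelist candidates by watching for queue retries.

Added example, not Courier's code.  The log lines are constructed in the shape of
courieresmtpd syslog entries (approximate, not captured from a real server); the
retry-gap and consistent-HELO rules are this example's own heuristics.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: four hosts rejected with a 417 over one morning.
SAMPLE_LOG = """\
Dec 10 09:01:12 mx courieresmtpd: error,relay=::ffff:203.0.113.7,from=<alice@example.com>,to=<bob@example.net>: 417 HELO mail.example.com does not match 203.0.113.7
Dec 10 09:02:00 mx courieresmtpd: error,relay=::ffff:198.51.100.22,from=<promo@example.org>,to=<bob@example.net>: 417 HELO www.example.org does not match 198.51.100.22
Dec 10 09:05:00 mx courieresmtpd: error,relay=::ffff:192.0.2.200,from=<x@example.net>,to=<bob@example.net>: 417 HELO a.example.net does not match 192.0.2.200
Dec 10 09:06:00 mx courieresmtpd: error,relay=::ffff:203.0.113.50,from=<y@example.com>,to=<bob@example.net>: 417 HELO fast.example.com does not match 203.0.113.50
Dec 10 09:06:03 mx courieresmtpd: error,relay=::ffff:203.0.113.50,from=<y@example.com>,to=<bob@example.net>: 417 HELO fast.example.com does not match 203.0.113.50
Dec 10 09:31:40 mx courieresmtpd: error,relay=::ffff:203.0.113.7,from=<alice@example.com>,to=<bob@example.net>: 417 HELO mail.example.com does not match 203.0.113.7
Dec 10 09:40:00 mx courieresmtpd: error,relay=::ffff:192.0.2.200,from=<z@example.net>,to=<bob@example.net>: 417 HELO b.example.net does not match 192.0.2.200
"""

# syslog timestamp, host, then the courieresmtpd error line; relay may be IPv4-mapped IPv6
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ courieresmtpd: "
    r"error,relay=(?:::ffff:)?(?P<ip>[0-9.]+),.*: 417 HELO (?P<helo>\S+) does not match"
)


def parse_rejects(log_text, year=2004):
    """Extract (timestamp, connecting IP, HELO name) from every 417 HELO reject line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a HELO reject: ignore
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["helo"].lower()))
    return events


def whitelist_candidates(events, min_gap_seconds=60):
    """Return (sorted whitelist, report) from reject events.

    An IP qualifies when it was rejected at least twice, always with the same HELO
    name, and at least min_gap_seconds apart (a queue retry, not a reconnect burst).
    Every IP seen gets a report line so the decision can be reviewed later.
    """
    by_ip = defaultdict(list)
    for ts, ip, helo in sorted(events):
        by_ip[ip].append((ts, helo))
    whitelist, report = [], {}
    for ip, hits in by_ip.items():
        helos = sorted({helo for _, helo in hits})
        if len(helos) > 1:
            report[ip] = "inconsistent HELO names: " + ", ".join(helos)
            continue
        if len(hits) < 2:
            report[ip] = "single reject, no retry seen yet"
            continue
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        if max(gaps) < min_gap_seconds:
            report[ip] = f"{len(hits)} rejects within {max(gaps):.0f}s: reconnect burst, not a queue retry"
            continue
        whitelist.append(ip)
        report[ip] = f"retried after {max(gaps):.0f}s with HELO {helos[0]}: whitelisted"
    return sorted(whitelist), report


if __name__ == "__main__":
    wl, rep = whitelist_candidates(parse_rejects(SAMPLE_LOG))
    print("whitelist:", wl)
    for ip, why in sorted(rep.items()):
        print(f"{ip:16} {why}")
```

Run over a live log this only produces candidates; writing them into the checkhelo whitelist, and how fast that file is re-read, is the part Mark's question (2) is really about, and the report dictionary is the audit trail he asks for.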





Re: authentication with courier-authdaemon 0.37.3 on Woody

2004-11-22 Thread Mark Bucciarelli
On Monday 22 November 2004 15:04, Robert Cates wrote:
> Sorry,
>
> I gotta take something back...  I just checked again, closer, and I'm
> not able to collect my mail either, using POP.  I however do not get any
> kind of connection error, and the log file shows:
>
> Nov 22 20:56:13 lion courierpop3login: Connection,
> ip=[:::192.168.1.13] Nov 22 20:56:13 lion courierpop3login: LOGIN,
> user=robcat,
> ip=[:::192.168.1.13]
> Nov 22 20:56:13 lion courierpop3login: LOGOUT, user=robcat,
> ip=[:::192.168.1.13], top=0, retr=0
>
> any ideas?

maybe pop3d has the wrong idea about the user's home directory?

regards,

mark





Re: exim4 and maildrop

2004-11-16 Thread Mark Bucciarelli
On Tuesday 16 November 2004 10:06, [EMAIL PROTECTED] wrote:

> DEFAULT=/var/spool/courier/user/$LOGNAME/Maildir
> $HOME=/var/spool/courier/user/$LOGNAME
^^^
This dollar sign looks wrong.

> MAILBOX=$HOME/Maildir
> $INCLUDE=$MAILBOX

Try it without the dollar sign prefixes; that is, 

DEFAULT=/var/spool/courier/user/$LOGNAME/Maildir
HOME=/var/spool/courier/user/$LOGNAME
MAILBOX=$HOME/Maildir
INCLUDE=$MAILBOX

If that doesn't work, I'm sure someone over at courier-users or on #courier 
can help you.  I only have experience using all the courier tools 
together.

Regards,

Mark





Re: exim4 and maildrop

2004-11-15 Thread Mark Bucciarelli
On Monday 15 November 2004 17:15, [EMAIL PROTECTED] wrote:

> so really, this is 2 problems in one: one is the .mailfilter file isn't
> read, and that log snippet which no sense.

Seems like the same problem--maildrop is not given the correct home dir. 

Put some logging in /etc/courier/maildroprc and output your environment 
variables.

Regards,

Mark





Re: exim or postfix

2004-11-11 Thread Mark Bucciarelli
On Thursday 11 November 2004 17:04, Craig Sanders wrote:

>   22256 Bad HELO

wow.





Re: exim or postfix

2004-11-11 Thread Mark Bucciarelli
On Saturday 06 November 2004 22:19, Rodney Richison wrote:
> Are most of you using exim or postfix?  Just curious.  I've never tried
> exim.

neither.  courier-mta.  just starting to have some production experience, 
and so far i like it quite a bit.

i chose it because it has everything integrated: pop3, esmtp, pop3-ssl, 
esmtp-ssl, esmtp-msa, imap, webmail, and mailing list mgr, etc.  Plus it's 
GPL'd.

so far, the only thing i haven't been able to do is set up a per-user 
preference for rejecting email based on the other server's HELO response.  
but i'm not going to do that anyway--too much work to maintain the good 
domains (load balancers), plus it violates an RFC.

regards,

mark





Re: Limiting User Commands

2004-11-05 Thread Mark Bucciarelli
On Friday 05 November 2004 16:19, Stephen Le wrote:

> I don't think sudo is appropriate for what I'm trying to do. I'd like
> users to have limited shell access; I'm not trying to give them access
> to special commands. Besides, telling users to prefix every command
> they run with 'sudo' would be awkward and cumbersome.

google vserver for one option.





Re: Restoring /etc

2004-10-29 Thread Mark Bucciarelli
On Saturday 07 August 2004 01:33, Donovan Baarda wrote:
> G'day,
>
> - Original Message -
> From: "Mark Bucciarelli" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Saturday, August 07, 2004 12:17 AM
> Subject: Restoring /etc
>
> > I screwed up my /etc directory bigtime.  I wanted to put it under CVS
> > to maintain a history, but didn't realize that CVS does not honor
> > symbolic links.  Of course, I didn't backup before rm -rf /etc; cvs co
> > etc.  Doh!
>
> I use PRCS, and there are debs. PRCS keeps everything, including empty
> directories. Its proper branch/merge/rename etc support means I keep
> all my machines in the one project as separate branches, and I can merge
> changes across between them painlessly. It has some limitations, like no
> network transport (I use rsync instead), but it is ideal for something
> like this; simple, easy to use, reliable, and nothing more.

thanks, that works great.  logcheck doesn't like CVS crud.





Re: distributing SSH keys in a cluster environment

2004-10-29 Thread Mark Bucciarelli
On Friday 29 October 2004 16:39, martin f krafft wrote:
> also sprach Mark Bucciarelli <[EMAIL PROTECTED]> [2004.10.29.1920 +0200]:
> > what about some kind of cheap usb storage for each machine?
>
> Then I could just take the USB stick, put it onto my laptop, and
> subvert the NFS home directories.

use superglue.  ;)





Re: distributing SSH keys in a cluster environment

2004-10-29 Thread Mark Bucciarelli
On Friday 29 October 2004 13:03, Martin F Krafft wrote:
> So these are the four possible ways I can think of, and not a single
> one is satisfactory.

i'm a wizard-wannabe, but i'll reply anyway.

what about some kind of cheap usb storage for each machine?





Re: Mount options for Optimizing ext2/ext3 performance with Maildir's

2004-10-18 Thread Mark Bucciarelli
On Monday 18 October 2004 16:15, Ian Forbes wrote:

> What mount options give the best performance, "noatime" "data=journal" ?

The fellow that runs KDE's news site recently did some investigation of 
speed / disk usage for Zope's object database vs. ext3.  He figured the 
hierarchical nature of the article and comment history could be 
represented by a file system pretty easily, so was curious how ext3 would 
fare compared to ZODB.

There were some useful comments about optimizing ext3 posted in response to 
his original post.  Some things that were mentioned:

- use htree
- use 2.6 orlov (?)
- mount with data=writeback
- mount with commit=

The blog post and comments are here: 
http://navindra.blogspot.com/2004/10/kde-dot-news-ext3s-miserable-failure.html

His blog entry seems to support the contention that if you want expert 
feedback about a tool, just say it sucks.  ;)

Regards,

Mark





Re: ssh and root logins

2004-08-10 Thread Mark Bucciarelli
On Tuesday 10 August 2004 10:52, Dale E Martin wrote:

> Anyways, I would like to disable password logins for root on several of
> my boxes but allow root to come in from known IPs and with known ssh
> keys.  Is there a way to disable password logins for root in sshd_config
> or root/.ssh/config, while leaving password logins intact for regular
> users?

Would it work to disable all ssh password logins and only allow logins with 
the proper private key?  

I find this most secure--no more worries about password cracks (I just have 
to worry about the physical security of the USB key on my keychain).

Regards,

Mark





Restoring /etc

2004-08-06 Thread Mark Bucciarelli
I screwed up my /etc directory bigtime.  I wanted to put it under CVS to 
maintain a history, but didn't realize that CVS does not honor symbolic 
links.  Of course, I didn't backup before rm -rf /etc; cvs co etc.  Doh!

I have another Debian stable box and I tried recreating the rc.? and 
alternatives directories based on this working box, but when I rebooted, 
the network interface didn't come up.  So I missed something.

Is there some clever way I can recreate the /etc dir?  (A dpkg-reconfigure 
trick?)  Or can I just copy the symbolic links from the working box over 
to the non-working box?

Regards,

Mark
 who has a habit of learning things the hard way ...





Re: Which Spam Block List to use for a network?

2004-06-24 Thread Mark Bucciarelli
On Thursday 24 June 2004 10:09, Kilian Krause wrote:
> Hi Mark,
>
> > For most cases, it doesn't cost anything to implement SPF now.  And if
> > you do it, and tell two friends, and they tell two friends ...
>
> well, this may be correct. However i miss the config snippet to drop
> into exim4 in spf.pobox.com. So how do i make my MTA verify SPF?
> (setting up the DNS is easy enough, but i also want to check the others,
> wouldn't i? *g*)

http://spf.pobox.com/downloads.html




Re: Which Spam Block List to use for a network?

2004-06-24 Thread Mark Bucciarelli
On Wednesday 23 June 2004 20:51, Craig Sanders wrote:

> most ISPs (and mail service providers like yahoo and hotmail), for
> instance, will never have SPF records in their DNS.  they may use SPF
> checking on their own MX servers, but they won't have the records in
> their DNS.

Looks like you can use SPF with Hotmail since February.

"February 26th 2004: The latest version of Mail::SPF::Query will parse 
Caller-ID records! SPF-enabled MTAs can now read Hotmail and 
Microsoft.com's records and translate them into SPF format." [1]

Q: Do all hotmail accounts have Caller-ID records?

Regards,

Mark

[1] http://spf.pobox.com/




Re: Which Spam Block List to use for a network?

2004-06-24 Thread Mark Bucciarelli
On Thursday 24 June 2004 08:17, Kilian Krause wrote:
> Hi Mark,
>
> Am Do, den 24.06.2004 schrieb Mark Bucciarelli um 14:06:
> > I'm pretty sure this is incorrect.  SPF checks the MAIL-FROM: header,
> > not From:, so I think this case should work fine ...
>
> so you mean this will also cut down the secondary spam through
> mailinglists (which have a proper SPF most probably). 

No.  I meant that I send my domain mail through my ISP's SMTP server and I 
can set up my domain's DNS txt record so this works with SPF.

[BTW, debian.org does not have an SPF entry.]

> How is that MTA 
> gonna see within the MAIL FROM whom this was forwarded for?
> I mean, the general issue (for me) is not the spam i receive directly
> through my primary host, but those that's forwarding email-addresses,
> which have a whitelisted mx host re-sending me the spam they accepted

It's the other server's responsibility, not yours.  I guess you have the 
option not to whitelist them, since they send you spam.

Regards,

Mark




Re: Which Spam Block List to use for a network?

2004-06-24 Thread Mark Bucciarelli
On Thursday 24 June 2004 08:48, Leonardo Boselli wrote:
> On Thu, 24 Jun 2004, Mark Bucciarelli wrote:
> > > > I'm pretty sure this is incorrect.  SPF checks the MAIL-FROM:
> > > > header, not From:, so I think this case should work fine ...
> > >
> > > are you sure ? i never see such header !
> >
> > Yes.  See http://spf.pobox.com/faq.html
>
> that is mail from: not mail-from:
> how can i see it as a recipient ? I do not trust other systems for
> filtering !
> After all, there is no problem in giving a fake address as "mail from"
> so you on the end should test if the alleged from is conformant with the
> originating host, and you are again in trouble if someone sends a message
> from another domain .

Somewhere along the mail trail, the spammer forged the MAIL FROM header and 
sent an email from a server not associated with the forged domain.  That's 
where SPF can work.  Once that email is accepted by the receiving server, 
the game is over.

For most cases, it doesn't cost anything to implement SPF now.  And if you 
do it, and tell two friends, and they tell two friends ...

There are only two significant problems that I know of with SPF:

(1) "traditional UNIX .forward files and /etc/aliases files" [1] don't 
change the return-path address in the envelope.

(2) greeting card sites and "e-mail me this news article" sites use your 
email address in the envelope as well as the From: header.

For (1), you can use remailing instead.  For (2), you have to ask the site 
to change their policy.  Newer sites may already work (for example, Orkut 
doesn't have this problem).


[1] Linux Journal, May 2004, p. 53

Regards,

Mark
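What the receiving server actually evaluates, and why problem (1) bites forwarders, as an added example that is not code from spf.pobox.com, Mail::SPF::Query or anyone on the list: a minimal SPF evaluator for the ip4, a, mx, include and all mechanisms over a constructed DNS table.  The domains example.com, isp.example and forwarder.example and their policies are invented here; CIDR suffixes on a/mx, ptr, exists and redirect are left out.

```python
"""Minimal SPF evaluation over the SMTP envelope sender, against an in-memory DNS table.

Added example, not the code of spf.pobox.com or Mail::SPF::Query.  The domains,
addresses and policies below are constructed; only the ip4, a, mx, include and all
mechanisms are implemented (no CIDR suffixes on a/mx, no ptr, exists or redirect).
"""
import ipaddress

# Constructed zone data for three unrelated parties (documentation names, not real hosts):
#   example.com        the user's own domain; its policy admits the ISP relay via include
#   isp.example        the ISP whose outgoing SMTP server the user is forced to use
#   forwarder.example  a host whose .forward resends mail with the envelope unchanged
DNS = {
    "example.com":       {"TXT": ["v=spf1 mx include:isp.example -all"], "MX": ["mx.example.com"]},
    "mx.example.com":    {"A": ["192.0.2.25"]},
    "isp.example":       {"TXT": ["v=spf1 ip4:198.51.100.0/24 -all"]},
    "forwarder.example": {"TXT": ["v=spf1 a -all"], "A": ["203.0.113.9"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def records(name, rtype):
    return DNS.get(name.lower(), {}).get(rtype, [])


def ip_matches_a(name, ip):
    """True when one of name's A records is the connecting address."""
    return any(ipaddress.ip_address(a) == ip for a in records(name, "A"))


def check_host(ip, domain, depth=0):
    """Evaluate domain's SPF policy for connecting address ip.

    Returns pass, fail, softfail, neutral, none (no policy published) or permerror.
    """
    if depth > 10:
        return "permerror"  # include loop or absurd nesting
    policies = [t for t in records(domain, "TXT") if t.lower().startswith("v=spf1 ")]
    if not policies:
        return "none"
    if len(policies) > 1:
        return "permerror"
    for term in policies[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            hit = True
        elif mech == "ip4":
            hit = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            hit = ip_matches_a(arg or domain, ip)
        elif mech == "mx":
            hit = any(ip_matches_a(mx, ip) for mx in records(arg or domain, "MX"))
        elif mech == "include":
            # include matches only when the included policy itself yields pass
            hit = check_host(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"  # mechanism this example does not implement
        if hit:
            return QUALIFIERS[qualifier]
    return "neutral"  # policy exhausted without a match (no explicit all)


def spf_for_envelope(mail_from, connecting_ip):
    """SPF is evaluated on the envelope MAIL FROM domain; the From: header is never consulted."""
    domain = mail_from.rsplit("@", 1)[-1]
    return check_host(ipaddress.ip_address(connecting_ip), domain)


if __name__ == "__main__":
    # user sends through the ISP relay: the domain owner listed the ISP, so this passes
    print(spf_for_envelope("mark@example.com", "198.51.100.77"))
    # .forward resends the same envelope from the forwarder: problem (1) from the post
    print(spf_for_envelope("mark@example.com", "203.0.113.9"))
    # remailing rewrites the envelope to the forwarder's own domain, so it passes again
    print(spf_for_envelope("mark@forwarder.example", "203.0.113.9"))
```

The three calls in the demo are the three cases argued over in this thread: mail relayed through an ISP passes as long as the domain owner includes the ISP's policy, a plain .forward fails because the envelope still names a domain that never authorized the forwarder's address, and remailing (rewriting MAIL FROM to the forwarder's own domain) restores a pass.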





Re: Which Spam Block List to use for a network?

2004-06-24 Thread Mark Bucciarelli
On Thursday 24 June 2004 08:23, Leonardo Boselli wrote:
> On Thu, 24 Jun 2004, Mark Bucciarelli wrote:
> > On Wednesday 23 June 2004 21:58, Jason Lim wrote:
> > > This also applies to most hosting companies. If your ISP prevents
> > > outgoing SMTP (port 25) to other mail servers and you are forced to
> > > use your ISP's mail servers, then the "mail server" is not going to
> > > match that of your hosting account or domain name. Thus SPF fails
> > > again in this case.
> >
> > I'm pretty sure this is incorrect.  SPF checks the MAIL-FROM: header,
> > not From:, so I think this case should work fine ...
>
> are you sure ? i never see such header !

Yes.  See http://spf.pobox.com/faq.html

Regards,

Mark




Re: Which Spam Block List to use for a network?

2004-06-24 Thread Mark Bucciarelli
On Wednesday 23 June 2004 21:58, Jason Lim wrote:

> This also applies to most hosting companies. If your ISP prevents
> outgoing SMTP (port 25) to other mail servers and you are forced to use
> your ISP's mail servers, then the "mail server" is not going to match
> that of your hosting account or domain name. Thus SPF fails again in
> this case.

I'm pretty sure this is incorrect.  SPF checks the MAIL-FROM: header, not 
From:, so I think this case should work fine ...

Regards,

Mark




Re: Which Spam Block List to use for a network?

2004-06-24 Thread Mark Bucciarelli
On Wednesday 23 June 2004 20:51, Craig Sanders wrote:
> On Wed, Jun 23, 2004 at 12:05:57PM -0300, Yves Junqueira wrote:
> > SPF is a proposed standard.
> > http://www.ietf.org/internet-drafts/draft-mengwong-spf-00.txt
> > Even Microsoft seemed to drop its CallerID proposal in favor of SPF.
> > Check spf.pobox.com

> SPF isn't a very effective tool for blocking spam or viruses.  it is a
> tool for preventing some kinds of forgery.  it is useful where the owner
> of a domain can strictly define which hosts are allowed to send mail
> claiming to be from their domain.  it is not useful otherwise.

I sense an implication that this is some small percentage of total non-spam 
email.  Doesn't this cover a _huge_ percentage of valid email?  Who does 
this rule out other than power users with an MTA on their laptop or 
people using greeting card sites?

Also, according to Meng Weng's Linux Journal article, SPF makes provisions 
for power users with their own MTA on dynamic IPs (even if Russell 
doesn't  ;).  In addition, if you are a power user that uses forward 
files, if you switch to remailing SPF will also work.  These require using 
advanced SPF: the "exists" and "include" mechanisms.

> most ISPs (and mail service providers like yahoo and hotmail), for
> instance, will never have SPF records in their DNS.  they may use SPF
> checking on their own MX servers, but they won't have the records in
> their DNS.  their users have legitimate needs to send mail using their
> address from any arbitrary location, which is exactly what SPF works to
> prevent.

Why do you say never?  If it's good enough for aol and google, why not 
hotmail and yahoo?  According to spf.pobox.com, Microsoft has endorsed SPF 
as a standard.

Regards,

Mark




Re: Which Spam Block List to use for a network?

2004-06-24 Thread Mark Bucciarelli
On Wednesday 23 June 2004 20:51, Craig Sanders wrote:

> most ISPs (and mail service providers like yahoo and hotmail), for
> instance, will never have SPF records in their DNS.  they may use SPF
> checking on their own MX servers, but they won't have the records in
> their DNS.

Looks like you can use SPF with Hotmail since February.

"February 26th 2004: The latest version of Mail::SPF::Query will parse 
Caller-ID records! SPF-enabled MTAs can now read Hotmail and 
Microsoft.com's records and translate them into SPF format." [1]

Q: Do all hotmail accounts have Caller-ID records?

Regards,

Mark

[1] http://spf.pobox.com/


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: Which Spam Block List to use for a network?

2004-06-24 Thread Mark Bucciarelli
On Thursday 24 June 2004 08:48, Leonardo Boselli wrote:
> On Thu, 24 Jun 2004, Mark Bucciarelli wrote:
> > > > I'm pretty sure this is incorrect.  SPF checks the MAIL-FROM:
> > > > header, not From:, so I think this case should work fine ...
> > >
> > > are you sure ? i never see such header !
> >
> > Yes.  See http://spf.pobox.com/faq.html
>
> that is mail from: not mail-from:
> how can i see it as a recipient ? I do not trust other systems for
> filtering !
> After all, there is no problem in giving a fake address as "mail from"
> so you on the end should test if the alleged from is conformat with the
> originatin host, and yopu are agin in teroble is someone send a message
> from another domain .

Somewhere along the mail trail, the spammer forged the MAIL FROM header and 
sent an email from a server not associated with the forged domain.  That's 
where SPF can work.  Once that email is accepted by the receiving server, 
the game is over.

For most cases, it doesn't cost anything to implement SPF now.  And if you 
do it, and tell two friends, and they tell two friends ...

There are only two significant problem that I know of with SPF:

(1) "traditional UNIX .forward files and /etc/aliases files" [1] don't 
change the return-path address in the envelop.

(2) greeting card sites and "e-mail me this news article" sites use your 
email address in the envelop as well as the From: header.

For (1), you can use remailing instead.  For (2), you have to ask the site 
to change their policy.  Newer sites may already work (for example, Orkut 
doesn't have this problem).


[1] Linux Journal, May 2004, p. 53

Regards,

Mark


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: Which Spam Block List to use for a network?

2004-06-24 Thread Mark Bucciarelli
On Thursday 24 June 2004 08:17, Kilian Krause wrote:
> Hi Mark,
>
> Am Do, den 24.06.2004 schrieb Mark Bucciarelli um 14:06:
> > I'm pretty sure this is incorrect.  SPF checks the MAIL-FROM: header,
> > not From:, so I think this case should work fine ...
>
> so you mean this will also cut down the secondary spam through
> mailinglists (which have a proper SPF most probably). 

No.  I meant that I send my domain mail through my ISP's SMTP server and I 
can setup my domain's DNS txt record so this works with SPF.

[BTW, debian.org does not have an SPF entry.]

> How is that MTA 
> gonna see within the MAIL FROM whom this was forwarded for?
> I mean, the general issue (for me) is not the spam i receive directly
> through my primary host, but those that's forwarding email-addresses,
> which have a whitelisted mx host re-sending me the spam they accepted

It's the other server's responsibility, not yours.  I guess you have the 
option not to whitelist them, since they send you spam.

Regards,

Mark


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: Which Spam Block List to use for a network?

2004-06-24 Thread Mark Bucciarelli
On Thursday 24 June 2004 08:23, Leonardo Boselli wrote:
> On Thu, 24 Jun 2004, Mark Bucciarelli wrote:
> > On Wednesday 23 June 2004 21:58, Jason Lim wrote:
> > > This also applies to most hosting companies. If your ISP prevents
> > > outgoing SMTP (port 25) to other mail servers and you are forced to
> > > use your ISP's mail servers, then the "mail server" is not going to
> > > match that of your hosting account or domain name. Thus SPF fails
> > > again in this case.
> >
> > I'm pretty sure this is incorrect.  SPF checks the MAIL-FROM: header,
> > not From:, so I think this case should work fine ...
>
> are you sure ? i never see such header !

Yes.  See http://spf.pobox.com/faq.html

Regards,

Mark


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: Which Spam Block List to use for a network?

2004-06-24 Thread Mark Bucciarelli
On Wednesday 23 June 2004 21:58, Jason Lim wrote:

> This also applies to most hosting companies. If your ISP prevents
> outgoing SMTP (port 25) to other mail servers and you are forced to use
> your ISP's mail servers, then the "mail server" is not going to match
> that of your hosting account or domain name. Thus SPF fails again in
> this case.

I'm pretty sure this is incorrect.  SPF checks the MAIL-FROM: header, not 
From:, so I think this case should work fine ...

Regards,

Mark


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: Which Spam Block List to use for a network?

2004-06-24 Thread Mark Bucciarelli
On Wednesday 23 June 2004 20:51, Craig Sanders wrote:
> On Wed, Jun 23, 2004 at 12:05:57PM -0300, Yves Junqueira wrote:
> > SPF is a proposed standard.
> > http://www.ietf.org/internet-drafts/draft-mengwong-spf-00.txt
> > Even Microsoft seemed to drops its CallerID proposal in favor of SPF.
> > Check spf.pobox.com

> SPF isn't a very effective tool for blocking spam or viruses.  It is a
> tool for preventing some kinds of forgery.  It is useful where the owner
> of a domain can strictly define which hosts are allowed to send mail
> claiming to be from their domain.  It is not useful otherwise.

I sense an implication that this is some small percentage of total non-spam 
email.  Doesn't this cover a _huge_ percentage of valid email?  Who does 
this rule out other than power users with an MTA on their laptop or 
people using greeting card sites?

Also, according to Meng Weng's Linux Journal article, SPF makes provisions 
for power users with their own MTA on dynamic IPs (even if Russel 
doesn't ;).  In addition, if you are a power user who uses forward 
files, SPF will also work if you switch to remailing.  These require using 
advanced SPF: the "exists" and "include" mechanisms.

> Most ISPs (and mail service providers like Yahoo and Hotmail), for
> instance, will never have SPF records in their DNS.  They may use SPF
> checking on their own MX servers, but they won't have the records in
> their DNS.  Their users have legitimate needs to send mail using their
> address from any arbitrary location, which is exactly what SPF works to
> prevent.

Why do you say never?  If it's good enough for AOL and Google, why not 
Hotmail and Yahoo?  According to spf.pobox.com, Microsoft has endorsed SPF 
as a standard.

Regards,

Mark


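As an added illustration of the point argued across the three SPF posts above (example code written for this page, not anything from the thread or from the SPF project): the check is keyed on the SMTP envelope sender, MAIL FROM, and never looks at the From: header in the message body; and the "include" and "exists" mechanisms are what let a hosting domain authorise its users' ISP relay and registered dynamic-IP hosts. DNS is replaced by a constructed in-memory table with invented records, the domains and addresses are documentation values, the captured SMTP session is constructed, and the scenario assumes the hosting domain's owner has chosen to include the ISP's record.

```python
"""Offline SPF check keyed on the SMTP envelope sender (MAIL FROM).

Added example, not code from the thread.  DNS is replaced by the
constructed table below; domains and addresses are documentation
values (RFC 2606 / RFC 5737) and the records are invented.
"""
import ipaddress
import re

# Constructed stand-in for DNS.  example.com delegates to its ISP via
# "include"; the ISP's record authorises its own relays by ip4 and
# registered dynamic-IP users via "exists" (the %{i} macro expands to
# the connecting IP).
FAKE_DNS = {
    "TXT": {
        "example.com": "v=spf1 ip4:192.0.2.0/24 include:isp.example -all",
        "isp.example": "v=spf1 ip4:198.51.100.0/24 exists:%{i}.dyn.isp.example -all",
    },
    "A": {
        # one registered dynamic-IP power user (constructed entry)
        "203.0.113.7.dyn.isp.example": "127.0.0.2",
    },
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def envelope_sender(session_lines):
    """Pull the MAIL FROM address out of a captured SMTP session.
    SPF uses this envelope address; the From: header inside DATA is ignored."""
    for line in session_lines:
        if line.upper().startswith("MAIL FROM:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("session has no MAIL FROM")


def sender_domain(mail_from):
    """Domain part of a MAIL FROM address such as <alice@example.com>."""
    m = re.fullmatch(r"<?([^<>@\s]*)@([^<>@\s]+)>?", mail_from.strip())
    if not m:
        raise ValueError("bad MAIL FROM: %r" % mail_from)
    return m.group(2).lower()


def check_host(ip, domain, depth=0):
    """Evaluate domain's SPF record for the connecting IP.  Subset of
    RFC 7208: the ip4, include, exists and all mechanisms only."""
    if depth > 10:  # guard against include loops in the record data
        return "permerror"
    record = FAKE_DNS["TXT"].get(domain)
    if record is None or record.split()[0] != "v=spf1":
        return "none"
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # include matches only when the included domain's record passes
            matched = check_host(ip, arg, depth + 1) == "pass"
        elif name == "exists":
            target = arg.replace("%{i}", str(ip))
            matched = target in FAKE_DNS["A"]
        else:
            return "permerror"  # mechanism not implemented in this example
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # no mechanism matched


def check_spf(client_ip, mail_from):
    """SPF result for one SMTP transaction."""
    return check_host(ipaddress.ip_address(client_ip), sender_domain(mail_from))


# Constructed session: the ISP's relay (198.51.100.5) submits mail whose
# envelope sender is the hosting-account address, while the From: header
# carries a different domain.  Only MAIL FROM feeds the check.
SESSION = [
    "HELO relay.isp.example",
    "MAIL FROM:<alice@example.com>",
    "RCPT TO:<bob@example.net>",
    "DATA",
    "From: Alice <alice@personal.example>",
    "Subject: hello",
    "",
    "body text",
    ".",
]

if __name__ == "__main__":
    sender = envelope_sender(SESSION)
    print(sender, check_spf("198.51.100.5", sender))   # pass, via include
    print(sender, check_spf("203.0.113.7", sender))    # pass, via exists
    print(sender, check_spf("203.0.113.99", sender))   # fail, hits -all
```

The three calls at the bottom walk the cases from the thread: the ISP relay is authorised through `include`, a registered dynamic-IP host through `exists`, and an unknown host falls through to `-all`. A real receiver would resolve TXT and A records over DNS and honour the RFC 7208 lookup limits; the constructed table stands in for that here.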



Re: Logcheck Keyword Files

2004-06-08 Thread Mark Bucciarelli
On Tuesday 08 June 2004 12:31, Steve Kemp wrote:
> On Tue, Jun 08, 2004 at 12:24:26PM -0400, Mark Bucciarelli wrote:
> > I like logcheck because it is simple.  But it's not packaged for
> > Debian, so maybe no-one here uses it.  If not, what tool do you
> > recommend for intrusion detection?
>
>   Logcheck is a good tool, and can be modified easily.
>
>   It *is* packaged for Debian as you can see from this link:
>
>   http://packages.debian.org/logcheck

That's great, thanks.

Do you just use the stock filter files that come with the package?

Regards,

Mark




Logcheck Keyword Files

2004-06-08 Thread Mark Bucciarelli
I'm thinking about using the logcheck [1] program for intrusion detection, 
and was wondering if anyone here uses it.  If so, have you modified the 
keyword filter files?

I like logcheck because it is simple.  But it's not packaged for Debian, so 
maybe no-one here uses it.  If not, what tool do you recommend for 
intrusion detection?

Regards,

Mark

[1] http://www.smittyware.com/contrib/psionic.php






Re: Partitioning a Web Server

2003-04-03 Thread Mark Bucciarelli
On Wednesday 02 April 2003 10:58 pm, junkyjunk.com wrote:

> 50 domains with web and mail should run you probably around 500
> megs on a busy mail day. 

Hmmm, from the two responses I got, it sounds like we could run many more 
sites on this box.  100?  200?  If disk space and bandwidth are no 
problem, are file handles the next constraint we would hit?

mark







Partitioning a Web Server

2003-04-02 Thread Mark Bucciarelli
I'm going to be setting up a web server this Friday, and I'm trying to 
work out how to partition the disk.  The plan is to use apache 
mod_v_host to serve up to 50 domains and will also be an email 
server.  PHP + MySQL also.  It's expected that most of the domains 
will be small fry, probably most of the usage (disk + bandwidth) will 
be the email.

First, the box is a 60G 10,000 RPM disk PIII 750MHz, 512MB RAM.  Does 
this sound reasonable?

I have a couple things I need to decide: (1) what partitions to define 
and (2) what sizes to make them.  

For example, one document I read suggested creating a separate 
partition for /var/spool/mail and /var/lib.  I'm a bit nervous that 
if I guess wrong then I'll be screwed when the partition fills up.  
I'm not going to mess around with LVM.

So, what's a good rule of thumb for how much space to save for emails, 
for, say, 50 domains, each with say five addresses?  Ball park, say 
+/- 1G.

Is it better to break up /var into different partitions or leave it 
all as one?

Thanks for any pointers!

Mark




