Re: [Mimedefang] Re: VERY Newbie Question

2004-10-29 Thread Jeff Rife
On 30 Oct 2004 at 0:16, David F. Skoll wrote:

> > ...and the RFC pretty clearly says that an IP address should *never* be
> > used as the argument to HELO, so that rule *should* reject all e-mail.
> 
> Umm... reread his code.

Maybe you should?

This is his test:
  if ($ip ne $helo)

$ip is *always* of the form ###.###.###.###.

$helo can *never* be of that form *if* the connecting machine follows 
the RFC...it must be either foobar.domain.tld or [###.###.###.###].

So, if everybody followed RFC, that test can never be true, thus it 
will reject all mail.

As you said, it will only reject *almost* all e-mail, because a few 
machines don't follow RFC.


--
Jeff Rife|  Sam: What d'ya say to a beer, Normie? 
SPAM bait:   |  
[EMAIL PROTECTED] | Norm: Hi, sailor...new in town? 
[EMAIL PROTECTED] |  


___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


RE: [Mimedefang] VERY Newbie Question

2004-10-29 Thread Alexander Dalloz
On Sat, 30.10.2004 at 5:29, Kevin A. McGrail wrote:

> > To speak freely, a 
> > mail server administrator who does not setup his server 
> > properly, means the server hostname / IP fits both the 
> > forward and reverse DNS entries, is responsible himself if 
> > his wrong setup leads to rejected mails. 
> 
> I disagree whole-heartedly with this statement.  Virtual hosters and
> companies with multiple corporate entities using one mail server is just one
> of the very legitimate reasons for this.  I would also put forth that the
> concept of any security methodology based on reverse DNS seems highly
> antiquated.

Sorry, I did not vote for rejecting based on a missing reverse DNS
entry. No RFC states that such an entry is required for an MTA. But I
really see no reason why the forward DNS entry and the hostname of a
constant, legitimate mail server should differ.

> KAM

Back to the HELO check in filter_sender: to be less restrictive you can
check whether the HELO says to be the recipient host's name/IP.

Alexander


-- 
Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13
Fedora GNU/Linux Core 2 (Tettnang) kernel 2.6.8-1.521smp 
Serendipity 06:07:29 up 10 days, 2:47, load average: 0.15, 0.31, 0.81 
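
Added example, not part of the original posts or of the MIMEDefang distribution: a standalone Perl sketch of the less restrictive HELO check suggested above (reject only when the HELO claims to be the receiving host), shown next to the `$ip ne $helo` test discussed in this thread. The values in %LOCAL, the helper names helo_form and check_helo, and all sample connections are assumptions constructed for illustration; it also goes slightly beyond the thread by matching the local domain on a label boundary.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed identity of the receiving gateway (hypothetical values).
my %LOCAL = (
    domain => 'mydomain.com',        # placeholder domain used in the thread
    names  => ['mx1.example.net'],   # assumed extra host name of the gateway
    ips    => ['192.0.2.25'],        # assumed gateway address (documentation range)
);

my $OCTET = qr/(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)/;

# Classify the syntactic form of a HELO argument.
sub helo_form {
    my ($helo) = @_;
    return 'address-literal' if $helo =~ /^\[$OCTET(?:\.$OCTET){3}\]\z/;
    return 'bare-ip'         if $helo =~ /^$OCTET(?:\.$OCTET){3}\z/;
    return 'fqdn'
        if $helo =~ /^(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}\.?\z/i;
    return 'other';
}

# Return a MIMEDefang-style (action, message) pair.
# Rejects only when the client presents OUR name, domain or address.
sub check_helo {
    my ($ip, $helo) = @_;
    return ('CONTINUE', 'ok') if $ip eq '127.0.0.1';

    my $form = helo_form($helo);
    (my $bare = lc $helo) =~ s/^\[(.*)\]\z/$1/;   # "[1.2.3.4]" -> "1.2.3.4"
    $bare =~ s/\.\z//;                            # drop a trailing root dot

    my $claims_us = 0;
    if ($form eq 'fqdn') {
        my $dom = lc $LOCAL{domain};
        # Match the domain itself or a subdomain, not "notmydomain.com".
        $claims_us = 1 if $bare eq $dom || $bare =~ /\.\Q$dom\E\z/;
        $claims_us = 1 if grep { $bare eq lc $_ } @{ $LOCAL{names} };
    }
    elsif ($form eq 'address-literal' || $form eq 'bare-ip') {
        $claims_us = 1 if grep { $bare eq $_ } @{ $LOCAL{ips} };
    }

    return ('REJECT', 'HELO claims to be this host') if $claims_us;
    return ('CONTINUE', 'ok');
}

# Constructed sample connections: [connecting IP, HELO argument].
my @samples = (
    ['198.51.100.7', 'mail.example.org'],
    ['198.51.100.7', '[198.51.100.7]'],
    ['198.51.100.7', '198.51.100.7'],
    ['203.0.113.9',  'mydomain.com'],
    ['203.0.113.9',  'notmydomain.com'],
    ['203.0.113.9',  '192.0.2.25'],
    ['203.0.113.9',  '[192.0.2.25]'],
);

printf "%-18s %-16s %-11s %s\n", 'HELO', 'form', 'ip ne helo', 'check_helo';
for my $s (@samples) {
    my ($ip, $helo) = @$s;
    my $naive = $ip ne $helo ? 'REJECT' : 'CONTINUE';   # the test from the thread
    my ($action) = check_helo($ip, $helo);
    printf "%-18s %-16s %-11s %s\n", $helo, helo_form($helo), $naive, $action;
}
```

In a real filter the body of check_helo would sit inside filter_sender, which receives $ip and $helo as shown elsewhere in this thread.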



Re: [Mimedefang] X-Scanned-By: MIMEDefang 2.48 on 127.0.0.1

2004-10-29 Thread David F. Skoll
On Fri, 29 Oct 2004, Mike Atkinson wrote:

> 2 of them are adding an X-Scanned-By header with 127.0.0.1 showing as
> the IP in the header while the other 2 are showing the correct IP that
> the message was received on.

Do the two that think they're 127.0.0.1 have proper host names that resolve
to a real IP address?

The algorithm that adds the IP address works like this:

1) If the Sendmail macro ${if_addr} is not 127.0.0.1, use that.

2) Otherwise, use whatever gethostbyname(gethostname()) returns as the
   machine's IP address.

--
David


Re: [Mimedefang] Re: VERY Newbie Question

2004-10-29 Thread David F. Skoll
On Fri, 29 Oct 2004, Jeff Rife wrote:

> On 29 Oct 2004 at 15:01, David F. Skoll wrote:
>
> > > elsif ($ip ne $helo){
> > > return ('REJECT', "You are not who you say you are.")
> > > }
> >
> > That will reject 99.999% of all your e-mail.  Most machines use the
> > machine name in HELO, not an IP address, so...

> ...and the RFC pretty clearly says that an IP address should *never* be
> used as the argument to HELO, so that rule *should* reject all e-mail.

Umm... reread his code.

Regards,

David.


RE: [Mimedefang] VERY Newbie Question

2004-10-29 Thread Kevin A. McGrail
> To speak freely, a 
> mail server administrator who does not setup his server 
> properly, means the server hostname / IP fits both the 
> forward and reverse DNS entries, is responsible himself if 
> his wrong setup leads to rejected mails. 

I disagree whole-heartedly with this statement.  Virtual hosters and
companies with multiple corporate entities using one mail server is just one
of the very legitimate reasons for this.  I would also put forth that the
concept of any security methodology based on reverse DNS seems highly
antiquated.

But, I also believe firmly that not penalizing legitimate email should be
significantly more important than SPAM proliferation as much as I hate SPAM.
False Positives are 100x worse than SPAM.

Regards,
KAM



Re: [Mimedefang] VERY Newbie Question

2004-10-29 Thread Alexander Dalloz
On Fri, 29.10.2004 at 18:10, Yang Xiao wrote:

> Won't this check generate a lot of false positives if the sending host
> has a hostname that's different from its public DNS name? I have had
> several mailhosts like this in places I've worked before, it's not
> because we are lazy or careless, but because it's very hard to change
> the hostname for various reasons.

I see only spam attempts being rejected. To speak freely, a mail server
administrator who does not setup his server properly, means the server
hostname / IP fits both the forward and reverse DNS entries, is
responsible himself if his wrong setup leads to rejected mails. In times
where SPF and other methods to reduce spam delivery I feel it is a
central job to take care a mail server can't be mistreated as a
suspicious machine.

> But as to my problem, I just want to stop anybody from sending to the
> mail gateway as local domain users because it's an incoming spam filter
> mail host. I guess I would just need to check for MAIL FROM header
> somewhere? But where should I implement this check in MIMEdefang? and
> do you see any scenario that it will break anything?

From your more recent posting I see you are on the right way. You will
have to think which parameter combinations ($sender, $recipient, $helo,
$ip, ...) do fulfill requirements for a scenario you want to block by
rejecting the mail. filter_recipient in the mimedefang-filter would be a
proper place to do so. See "man 5 mimedefang-filter". It is an example
for a very good man page and has examples. You can find a lot of other
code when going through this list's archive. 

> Yang

Alexander


-- 
Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13
Fedora GNU/Linux Core 2 (Tettnang) kernel 2.6.8-1.521smp 
Serendipity 04:31:57 up 10 days, 1:11, load average: 0.38, 0.45, 0.44 




Re: [Mimedefang] Re: VERY Newbie Question

2004-10-29 Thread Jeff Rife
On 29 Oct 2004 at 15:01, David F. Skoll wrote:

> > elsif ($ip ne $helo){
> > return ('REJECT', "You are not who you say you are.")
> > }
> 
> That will reject 99.999% of all your e-mail.  Most machines use the
> machine name in HELO, not an IP address, so...

...and the RFC pretty clearly says that an IP address should *never* be 
used as the argument to HELO, so that rule *should* reject all e-mail.




--
Jeff Rife|  
SPAM bait:   | http://www.nabs.net/Cartoons/Dilbert/Evaluation.jpg 
[EMAIL PROTECTED] |  
[EMAIL PROTECTED] |  




Re: [Mimedefang] filter_relay

2004-10-29 Thread David F. Skoll
On Fri, 29 Oct 2004, David Hiebert wrote:

> I was more concerned with the first problem/question though.  No matter
> how I format the return('REJECT'), the $msg isn't passed to sendmail.

That's odd; it works for me.  Are you going by Sendmail logs, or actually
telnetting in on port 25 to simulate an SMTP session?  (The logs are
unreliable; try modifying your filter for test purposes to refuse mail from
a host you control, and simulate an SMTP session.)

Regards,

David.


Re: [Mimedefang] filter_relay

2004-10-29 Thread David Hiebert

On Fri, 29 Oct 2004, David F. Skoll wrote:

> Date: Fri, 29 Oct 2004 21:41:44 -0400 (EDT)
> From: David F. Skoll <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Re: [Mimedefang] filter_relay
>
> On Fri, 29 Oct 2004, David Hiebert wrote:
>
> > My second question/problem is the 3 commented out lines.  The man page for
> > mimedefang-filter indicates that if an IP has no reverse dns, then
> > $hostname is a duplicate of $hostip.  This then should make a real quick
> > and easy check for no reverse, however the if statement (when not
> > commented) never seems to be true.
>
> My mistake, the man page is wrong.  If $hostip is 1.2.3.4 and has no
> reverse DNS lookup, then $hostname is [1.2.3.4].  That is:
>
>   if ($hostname eq "[$hostip]") {
>   # You have no reverse DNS
>   }
>
> However, I question the wisdom of rejecting mail from machines with no
> reverse DNS.  I'm not convinced it will block bad mail more often than
> good.
>
> --
> David.


David,
I appreciate your response, and agree with your opinion in part.  I
believe that it will block some legitimate mail, however larger ISP's are
already blocking based on this rule, which essentially forces smaller
ISP's with poorly configured DNS to get their act together.

I was more concerned with the first problem/question though.  No matter
how I format the return('REJECT'), the $msg isn't passed to sendmail.
Also, upon further testing, the $smtp_dsn, and $code are not passed
either, however the $delay is being passed.  Any ideas, or any more
information that I can provide to assist?



David Hiebert
Keyway Internet Services
909-933-3699



Re: [Mimedefang] filter_relay

2004-10-29 Thread David F. Skoll
On Fri, 29 Oct 2004, David Hiebert wrote:

> My second question/problem is the 3 commented out lines.  The man page for
> mimedefang-filter indicates that if an IP has no reverse dns, then
> $hostname is a duplicate of $hostip.  This then should make a real quick
> and easy check for no reverse, however the if statement (when not
> commented) never seems to be true.

My mistake, the man page is wrong.  If $hostip is 1.2.3.4 and has no
reverse DNS lookup, then $hostname is [1.2.3.4].  That is:

  if ($hostname eq "[$hostip]") {
      # You have no reverse DNS
  }

However, I question the wisdom of rejecting mail from machines with no
reverse DNS.  I'm not convinced it will block bad mail more often than
good.

--
David.


[Mimedefang] filter_relay

2004-10-29 Thread David Hiebert
I am attempting to reject mail for ip's with no reverse DNS (not
mismatched forward/reverse.)  The below filter_relay works, however it is
not passing the $msg for return(REJECT) to sendmail (or maybe sendmail
isn't picking it up?)  The maillog reports: "sm-mta[82794]:
i9U00cCx082794: Milter: connect: host=[216.117.199.248],
addr=216.117.199.248, rejecting commands" for IP's without reverse, and
successfully sends with reverse.

My second question/problem is the 3 commented out lines.  The man page for
mimedefang-filter indicates that if an IP has no reverse dns, then
$hostname is a duplicate of $hostip.  This then should make a real quick
and easy check for no reverse, however the if statement (when not
commented) never seems to be true.


use Net::DNS;

sub filter_relay {
    my ($hostip, $hostname) = @_;
    my $res   = Net::DNS::Resolver->new;
    my $query = $res->search($hostip);   # an IP argument is looked up as a PTR query

    #if ($hostip eq $hostname) {
    #return ('TEMPFAIL',"Please fix your reverse DNS before sending us mail.");
    #}

    if ($query) {
        $query->answer;
    }

    my $response = $res->errorstring;

    if ($response eq 'NXDOMAIN') {
        # The DSN is quoted: a bare 5.7.1 is parsed by Perl as a v-string.
        return ('REJECT', "Please fix your reverse DNS before sending us mail.", 550, "5.7.1", 1);
    }

    return ('CONTINUE', "ok");
}





David Hiebert
Keyway Internet Services
909-933-3699


[Mimedefang] X-Scanned-By: MIMEDefang 2.48 on 127.0.0.1

2004-10-29 Thread Mike Atkinson
I've got 4 FreeBSD boxes running MIMEDefang.  All of them have multiple 
IP's assigned.

2 of them are adding an X-Scanned-By header with 127.0.0.1 showing as 
the IP in the header while the other 2 are showing the correct IP that 
the message was received on.

This is definitely not something to lose sleep over but does anyone 
have some thoughts on what might be causing this or how to find the cause?

--
 Mike Atkinson - [EMAIL PROTECTED]


Re: [Mimedefang] Easy way to scan for List-Id's

2004-10-29 Thread Ben Kamen
Thanks to all for the help.. I've had my head buried in:
RF schematics/Pcb's
HighSpeed Digital schematics/pcb's
Analog op-amp stuff...
Ugh.
My brain is fried.
What's my name again?
;)


Re: [Mimedefang] Easy way to scan for List-Id's

2004-10-29 Thread Kenneth Porter
--On Friday, October 29, 2004 2:48 PM -0500 Aleksandar Milivojevic 
<[EMAIL PROTECTED]> wrote:

> Funny thing is, I'd wish none of the lists put [list] in Subject.  I'm
> sorting lists in separate IMAP folders on the server, so it is kind of
> redundant and just wastes the space on the Subject line  ;-)

Same here, but one of my list users wants it because he reads mail from a 
dumb web client. And, alas, mailman lacks the option to make the 
"subject_prefix" a per-subscriber customization.


Re: [Mimedefang] Easy way to scan for List-Id's

2004-10-29 Thread Kenneth Porter
--On Friday, October 29, 2004 2:15 PM -0500 Ben Kamen 
<[EMAIL PROTECTED]> wrote:

> Since I'm on a couple of lists and wish they'd put [list] in the subject
> line (and don't) is there an easy way to do this via MimeDefang? (this
> way, every place I look at my mail doesn't have to have duplicate mail
> filter setups.. it would just be done on the server..)
>
> Most of the lists use the header "List-Id:"

Seems like that would be a job for procmail. Moreover, you can use procmail 
to centralize your filtering.

I didn't want to have to reload filters every time I changed mail clients 
or every time I looked at mail from a new location. So I set up IMAP 
(Dovecot on Fedora, originally UW-IMAP on Red Hat), and set up procmail 
filters to do all the filtering that I used to run on all my mail clients.

Here's a typical procmail "recipe":

  :0 :
  * ^List-Id:.*MIMEDefang
  mail/Lists/Mail/MIMEDefang

The first line is a rule-start marker and a set of rule flags, in this case 
meaning lock the destination mailbox. The second line is the filter 
expression. The third is the destination for messages matching the 
expression, relative to the home directory.

Whenever I join a new list I just copy this sequence and edit to match the 
new list.


Re: [Mimedefang] Easy way to scan for List-Id's

2004-10-29 Thread David F. Skoll
On Fri, 29 Oct 2004, Aleksandar Milivojevic wrote:

> > Most of the lists use the header "List-Id:"

> Funny thing is, I'd wish none of the lists put [list] in Subject.  I'm
> sorting lists in separate IMAP folders on the server, so it is kind of
> redundant and just wastes the space on the Subject line  ;-)

Well, MIMEDefang can fix that! :-)

my $new_subj = $Subject;
$new_subj =~ s/^\[.*\]\s+//;
action_change_header("Subject", $new_subj) if $new_subj ne $Subject;

For Ben's case, you want to pull out the List-ID: header and call
action_change_header("Subject", "[$listname] $Subject");

--
David.


Re: [Mimedefang] Easy way to scan for List-Id's

2004-10-29 Thread Aleksandar Milivojevic
Ben Kamen wrote:
> Since I'm on a couple of lists and wish they'd put [list] in the subject 
> line (and don't) is there an easy way to do this via MimeDefang? (this 
> way, every place I look at my mail doesn't have to have duplicate mail 
> filter setups.. it would just be done on the server..)
>
> Most of the lists use the header "List-Id:"

Funny thing is, I'd wish none of the lists put [list] in Subject.  I'm 
sorting lists in separate IMAP folders on the server, so it is kind of 
redundant and just wastes the space on the Subject line  ;-)

Anyhow, if you are using IMAP, it might be easier to just use procmail 
or sieve (depending on IMAP server you use) to sort mailing lists into 
separate folders.  That way, from wherever you look at your mail, you get 
same view of it, and you manage filtering at single spot (the mail 
server itself).

If you still want to add tags to Subject, you can do it in MIMEDefang. 
You can change Subject line in filter_end.  Use 
$entity->head->get("List-Id") to check for headers, and if found rewrite 
Subject line to contain appropriate tag.  You might want to remove tag 
from emails that you send out in order not to pollute mailing lists that 
I'm subscribed to ;-).  And you'll need to handle 'Re: ' and similar 
prefixes, and make sure you don't add tag if it is already there.

BTW, wanted to send to you directly instead of mailing list (original 
reply didn't have MIMEDefang part), but you completely blocked off my ISP 
(GT).  Actually, after that guy from US who blocked entire ".ca" domain 
because of spam, you are the first one who bounced my mail back, eh ;-)

--
Aleksandar Milivojevic <[EMAIL PROTECTED]>Pollard Banknote Limited
Systems Administrator   1499 Buffalo Place
Tel: (204) 474-2323 ext 276 Winnipeg, MB  R3T 1L7
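
Added example, not part of the original post or of the MIMEDefang distribution: a standalone Perl sketch of the Subject tagging described above, covering the cases the post lists ('Re: ' and similar prefixes, a tag that is already present, removing the tag again). The helper names list_tag, tag_subject and untag_subject and the sample headers are assumptions constructed for illustration; the tag is reduced to a short set of safe characters so that nothing from an untrusted List-Id value is copied verbatim into another header.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Turn a List-Id header value into a short, safe subject tag.
# RFC 2919 form: optional phrase, then <list-label.namespace>.
sub list_tag {
    my ($list_id) = @_;
    return unless defined $list_id;
    $list_id =~ s/\s+/ /g;                  # unfold, collapse whitespace

    my $id;
    if    ($list_id =~ /<([^<>\s]+)>\s*\z/)  { $id = $1 }
    elsif ($list_id =~ /^\s*([\w.-]+)\s*\z/) { $id = $1 }   # bare id, no brackets
    else                                     { return }

    my ($label) = split /\./, $id;          # first label names the list
    $label = '' unless defined $label;
    $label =~ s/[^A-Za-z0-9_-]//g;          # keep only safe characters
    return unless length $label;
    return lc substr($label, 0, 32);        # bounded length
}

# Insert "[tag]" after any reply/forward prefixes, unless already present.
sub tag_subject {
    my ($subject, $tag) = @_;
    $subject = '' unless defined $subject;
    $subject =~ s/\s+/ /g;
    $subject =~ s/^ | \z//g;
    return $subject unless defined $tag;
    return $subject if $subject =~ /\[\Q$tag\E\]/i;   # tag already there

    my $prefix = '';
    if ($subject =~ s/^((?:(?:re|fwd?|aw)\s*:\s*)+)//i) {
        ($prefix = $1) =~ s/\s*:\s*/: /g;             # normalise "Re:Fwd:" spacing
    }
    return $prefix . "[$tag] " . $subject;
}

# Remove the tag again, e.g. from mail that is sent out to the list.
sub untag_subject {
    my ($subject, $tag) = @_;
    $subject =~ s/\[\Q$tag\E\]\s*//gi;
    return $subject;
}

# Constructed samples: [List-Id value, Subject].
my @samples = (
    ['Example list <example-users.lists.example.org>', "Easy way to scan"],
    ['Example list <example-users.lists.example.org>', "Re: Easy way to scan"],
    ['Example list <example-users.lists.example.org>', "RE:Fwd: Easy way to scan"],
    ['Example list <example-users.lists.example.org>', "Re: [Example-Users] Easy way"],
    ["Folded phrase\r\n <we!rd[list].example.net>",     "Odd characters in the id"],
    [undef,                                             "No List-Id header at all"],
);

for my $s (@samples) {
    my ($list_id, $subject) = @$s;
    my $tag = list_tag($list_id);
    my $new = tag_subject($subject, $tag);
    printf "%-30s -> %s\n", $subject, $new;
    # In filter_end the header value would come from
    # $entity->head->get("List-Id"), and the change would be applied with
    # action_change_header("Subject", $new) if $new ne $subject;
}

print untag_subject("Re: [example-users] Easy way to scan", "example-users"), "\n";
```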


[Mimedefang] Easy way to scan for List-Id's

2004-10-29 Thread Ben Kamen
Since I'm on a couple of lists and wish they'd put [list] in the subject line 
(and don't) is there an easy way to do this via MimeDefang? (this way, every 
place I look at my mail doesn't have to have duplicate mail filter setups.. it 
would just be done on the server..)

Most of the lists use the header "List-Id:"
Just wondering,
 -Ben


Re: [Mimedefang] Adding virus scanning after MIMEDefang installation

2004-10-29 Thread Kenneth Porter
--On Friday, October 29, 2004 1:27 PM -0500 Aleksandar Milivojevic 
<[EMAIL PROTECTED]> wrote:

> I'm not sure if you are going to need to reinstall MIMEDefang.

Nope. I install MD by RPM and the RPM is built to disable all virus 
scanners. One then selectively enables them in mimedefang-filter by setting 
a feature variable. My mimedefang-filter contains this:

  # manually override compile-time features, clamd is installed
  $Features{'Virus:CLAMD'} = 1;
  $ClamdSock  = "/var/run/clamav/clamd.sock";

The rest of your instructions match my understanding. I make clamav and 
defang members of each others' group.


Re: [Mimedefang] Re: VERY Newbie Question

2004-10-29 Thread David F. Skoll
On Fri, 29 Oct 2004, Yang Xiao wrote:

> sub filter_sender {
> my ($sender, $ip, $hostname, $helo) = @_;
> return('CONTINUE', "OK") if ($ip eq "127.0.0.1");
> if ($helo =~ /mydomain\.com$/i) {
> return ('REJECT', "We Don't Like Spammers, Go Away!!!.");
> }

That's a good rule.

> elsif ($ip ne $helo){
> return ('REJECT', "You are not who you say you are.")
> }

That will reject 99.999% of all your e-mail.  Most machines use the
machine name in HELO, not an IP address, so...

--
David.


[Mimedefang] Killing slaves after max number of requests is processed

2004-10-29 Thread Aleksandar Milivojevic
While I was running MIMEDefang 2.46, I've noticed in logs that if max 
requests per slave is set to 500, that slaves do not exit normally, and 
must be killed with SIGTERM ten seconds later.  This was happening every 
time slave gets to 500 requests and is instructed to exit.

After I decreased it to 100 (and upgraded to 2.47), all seems to work 
normal.  Mimedefang-multiplexor doesn't need to send SIGTERM to the 
slave anymore.  I don't see anything in changelog mentioning this, so I 
guess what helped was lowering max requests to 100.  10 seconds for the 
slave to exit seems reasonable, so I haven't attempted to experiment 
with that.

Anybody else seeing this?
--
Aleksandar Milivojevic <[EMAIL PROTECTED]>Pollard Banknote Limited
Systems Administrator   1499 Buffalo Place
Tel: (204) 474-2323 ext 276 Winnipeg, MB  R3T 1L7


Re: [Mimedefang] Re: VERY Newbie Question

2004-10-29 Thread Yang Xiao
OK, this is what I have come up with so far.
1. Check for anybody claims to be from mydomain.com in the HELO Line
2. Check for RCPT TO anyone in mydomain.com
3. $helo doesn't match $ip

#***
# %PROCEDURE: filter_sender
# %DESCRIPTION:
#  Check whether HELO claims to be from internal domain and reverse DNS
#   lookup doesn't check
#***
sub filter_sender {
    my ($sender, $ip, $hostname, $helo) = @_;
    return('CONTINUE', "OK") if ($ip eq "127.0.0.1");
    if ($helo =~ /mydomain\.com$/i) {
        return ('REJECT', "We Don't Like Spammers, Go Away!!!.");
    }
    elsif ($ip ne $helo){
        return ('REJECT', "You are not who you say you are.")
    }
    else {
        return ('CONTINUE',"OK");
    }
}

#***
# %PROCEDURE: filter_recipient
# %DESCRIPTION:
#  Check whether MAIL FROM claims to be from internal domain
#***
sub filter_recipient {
    my ($recipient, $sender, $ip, $hostname, $first, $helo,
        $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_;
    if ($sender =~ /[EMAIL PROTECTED]>?$/i) {
        return ('REJECT', "Service Not Available.");
    }
    return ('CONTINUE',"ok");
}


I'm just concerned about the reverse dns lookup would reject too many
legit emails.


Many Thanks,

Yang


Re: [Mimedefang] Adding virus scanning after MIMEDefang installation

2004-10-29 Thread Aleksandar Milivojevic
Mark Osbourne wrote:
> From what I can tell, it looks like I probably need to update
> /usr/bin/mimedefang.pl and change $Features{'Virus:CLAMD'} so that it is
> set to 1 and make sure that the clamd process is running as the defang
> user and writing its socket in /var/spool/MIMEDefang/clamd.sock.

I'm not sure if you are going to need to reinstall MIMEDefang.
However, documentation for MIMEDefang is proposing some not needed 
changes for it to interoperate with ClamAV.  I don't know why.

All clamd needs is read access to the file that it is supposed to scan. 
 That can be done by adding user clamav (that clamd is running under) 
to group defang (/var/spool/MIMEDefang is owned and readable by group 
defang, if not then make it that way).

Also you don't need to change ClamAV socket.  Actually, you can't 
because /var/spool/MIMEDefang will not be writable for clamd.  You can 
leave it at its default value (/var/run/clamav/clamd.sock) and use 
$ClamdSock variable in mimedefang-filter to point MIMEDefang to the 
right place.

That way you will achieve:
- two daemon processes (MIMEDefang and ClamAV) will be separated, which 
is nice from security point of view

- you run ClamAV in more or less default mode, which makes it easier to 
maintain

- makes it possible to use clamd from other applications 
(/var/spool/MIMEDefang is not world accessible, /var/run/clamav is world 
accessible)

IMHO, this is better and much cleaner configuration than the one 
proposed by MIMEDefang documentation.

--
Aleksandar Milivojevic <[EMAIL PROTECTED]>Pollard Banknote Limited
Systems Administrator   1499 Buffalo Place
Tel: (204) 474-2323 ext 276 Winnipeg, MB  R3T 1L7


Re: [Mimedefang] /etc/sysconfig/mimedefang option questions

2004-10-29 Thread Jeff Rife
On 29 Oct 2004 at 13:03, Rich West wrote:

> In the /etc/sysconfig/mimedefang file, there are the following options:
> 
> # If "yes", turn on the multiplexor relay checking function
> # MX_RELAY_CHECK=yes

Calls "filter_relay" in mimedefang-filter, if it exists.

> # If "yes", turn on the multiplexor sender checking function
> # MX_SENDER_CHECK=yes

Calls "filter_sender" in mimedefang-filter, if it exists.

> # If "yes", turn on the multiplexor recipient checking function
> # MX_RECIPIENT_CHECK=yes

Calls "filter_recipient" in mimedefang-filter, if it exists.


--
Jeff Rife| "Grab a shovel...I'm only one skull 
SPAM bait:   |  short of a Mouseketeer reunion." 
[EMAIL PROTECTED] |  
[EMAIL PROTECTED] | -- Bender, "Futurama" 




Re: [Mimedefang] filter_bad_name and virus check

2004-10-29 Thread Davide Vaghetti
Davide Vaghetti wrote:
| Do someone know how to the antivirus check before filter_bad_filename() ?
|
the original question was "Do someone know how to execute the antivirus
check before filter_bad_filename() ?"
sorry for the typo
bye
- --
Davide Vaghetti
University of Pisa NOC - Centro SerRA


[Mimedefang] /etc/sysconfig/mimedefang option questions

2004-10-29 Thread Rich West
In the /etc/sysconfig/mimedefang file, there are the following options:

# If "yes", turn on the multiplexor relay checking function
# MX_RELAY_CHECK=yes

# If "yes", turn on the multiplexor sender checking function
# MX_SENDER_CHECK=yes

# If "yes", turn on the multiplexor recipient checking function
# MX_RECIPIENT_CHECK=yes

What *exactly* do each of these do?
I enabled them even though I am doing sender and recipient checks 
(rudimentary) within mimedefang-filter, but I'm curious to know if I 
just enabled something that was going to potentially block valid email.

Additionally, by enabling the MX_RELAY_CHECK, I've gotten a few syslog 
broadcasts:
Message from [EMAIL PROTECTED] at Fri Oct 29 12:55:19 2004 ...
myhost perl: Host 211.228.227.141 claims to be my.numeric.ip.addr

I did set the syslog facility to "mail", and it does mention that I need 
to set "Also set $SyslogFacility in your filter", but where in the 
filter should that be set?

-Rich


Re: [Mimedefang] Pounded by spam

2004-10-29 Thread Rich West

While I know it can be easy to simply block the host, I was wondering 
if there was some way to avoid the problem all together by 
potentially identifying hosts attempting to overload the server 
(Denial Of Service) by throttling down the amount of allowed inbound 
connections (from external sources) from a single host.

Yes.  Sendmail >=8.13.0 has several nice options.
FEATURE(`ratecontrol',`nodelay',`terminate')dnl
FEATURE(`conncontrol')dnl
define(`confCONNECTION_RATE_WINDOW_SIZE',`60')dnl

I was looking at those, in addition to the FEATURE(`greet_pause', )..
The documentation on sendmail.org's site regarding greet_pause was just 
a step above non-existent.  I didn't check the others (ratecontrol and 
conncontrol).. Looking in to them now.

I am the SysAdmin for an ISP here in Billings.  I am unafraid of using 
these controls and they have really helped our situation.  I limit 25 
Connections/sec period.  I also limit 3 connections from any one 
external host/min.

Just out of curiosity, how, exactly, are you limiting the connections 
per second and connections from external hosts/domains?

I occasionally get the "25" connections and deferring at that rate in 
my logs, but not enough to worry me and we handle ~200,000 emails a 
day.  Adjust your connection/defer times accordingly to your normal load.

Have fun and knock them dead at the gate.

Thanks!
-Rich


[Mimedefang] Adding virus scanning after MIMEDefang installation

2004-10-29 Thread Mark Osbourne
At the time I installed MIMEDefang, I wasn't allowed to integrate virus
scanning into the setup since ClamAV wasn't approved software yet (long
story there, lawyers, etc).

Now that I've been given the go ahead to use ClamAV, I've built it for
the mailserver and have it installed (in /usr/local/bin).  Now I need to
let MIMEDefang know it can use ClamAV, but would prefer to not have to
rebuild/re-install MIMEDefang just to make that happen, unless that is
the only safe way to do it.

Has anyone else done this sort of setup?  If so, could I get some
pointers on where to look?

From what I can tell, it looks like I probably need to update
/usr/bin/mimedefang.pl and change $Features{'Virus:CLAMD'} so that it is
set to 1 and make sure that the clamd process is running as the defang
user and writing its socket in /var/spool/MIMEDefang/clamd.sock.

Anything else I have missed?

Thanks in advance for any help.

Mark.


[Mimedefang] Sender Verification (was Re: VERY Newbie Question)

2004-10-29 Thread Matthew.van.Eerde
Kelson wrote:
> Ian Mitchell wrote:
>> Then I would wonder if something along the lines of SPF
>> (spf.pobox.com) would work. I know this method was recently
>> criticized for Microsoft's licensing methods and such forth.
> 
> You're thinking of SenderID, which is a combination of SPF with
> Microsoft's own proposals.  SPF itself isn't license/patent/etc.
> encumbered, but Microsoft's sections are.  (Though reportedly less so
> than they were originally.  Something to research when I have time...)

SPF works by itself just fine.  SenderID is a specialization of SPF.
Also worth a look is Yahoo's DomainKeys idea.

These are compatible.  GMail, for example, sends all of its email from SPF-verifiable 
hosts, using DomainKeys-signed headers.

Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com Software Engineer
perl -e"map{y/a-z/l-za-k/;print}shift" "Jjhi pcdiwtg Ptga wprztg,"



Re: [Mimedefang] Re: VERY Newbie Question

2004-10-29 Thread Jason Gurtz
On 10/29/2004 11:13, Ian Mitchell wrote:

> Then I would wonder if something along the lines of SPF (spf.pobox.com)
> would work. I know this method was recently criticized for Microsoft's
> licensing methods and such forth.

Having followed that debacle for a while...  SPF has nothing to do with
the  technical and IPR criticisms of Microsoft's SenderID.  In a nutshell,
the criticisms are directed specifically against the SenderID technical
method of validating the PRA (more or less the From: header inside the
message) and also the incompatibility of a patent license that covers this
PRA checking with licenses like the gpl which demand that users retain the
same development rights as the developers.  There are also technical
concerns with how PRA checking gets along with envelope MAIL FROM checking.

Note that SPF, which validates with the envelope MAIL FROM header, has
its own technical problems, mostly with mail forwarding services which
intentionally spoof it.

> [...] I would be hesitant to
> suggest this type of functionality be included in MimeDefang, at least
> until a much better industry following took place, besides, it's probably
> better suited in SpamAssassin instead,

Yep, it's already in SA 3.x and I find that SA works real nice in tandem
with MIMEDefang :)  In my case, I just reject anything (after DATA, oh
well) that outright fails the SPF check (sending domain has "-all" in
their DNS record).  Note that I have no concerns at my site with the SPF
forwarding issues.

For now, I give a slight score advantage in Spamassassin for everything
that has SPF and passes.  That will likely change at some point  :)


Re: [Mimedefang] VERY Newbie Question

2004-10-29 Thread Yang Xiao
On Fri, 29 Oct 2004 17:42:36 +0200, Alexander Dalloz
<[EMAIL PROTECTED]> wrote:
> On Fri, 29.10.2004, Yang Xiao wrote at 15:54:
> 
> > Hi,
> > I found out that the filter_sender() function will be enabled if I
> > turn the MX_SENDER_CHECK option on. I was just wondering where should
> > I put it and how to use it.
> 
> For you as a Fedora user it has to be activated in
> /etc/sysconfig/mimedefang.
> 
> > I got to read the man pages more carefully.
> > As for the usefulness of the code sample, I think it at least gets rid
> > of half of the problem, and spammers can still forge the MAIL FROM
> > header if he uses a legit HELO. So the problem is, how do you check
> > the MAIL FROM header then?
> 
> Both HELO and MAIL FROM can be easily forged. The question is, what do
> you want to prohibit? Often a combination of tests is needed to properly
> detect spamming attempts and to not reject valid senders.
> 
> One test which stops quite some guys at the front door is the following:
> 
> #***
> # %PROCEDURE: filter_relay
> # %DESCRIPTION:
> #  Check whether helo fits with hosts IP address.
> #***
> sub filter_relay () {
>     my ($ip, $name, $helo, $RelayAddr) = @_;
>     # Check if IP correlates to given HELO.
>     # Only a HELO that is a bare dotted quad is compared with the relay IP;
>     # the dots are escaped so they match a literal "." only.
>     if (($helo =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/) &&
>         ($ip ne $helo)) {
>         md_syslog('warning', "Header forgery attempt: $ip claims to be $helo");
>         return ('REJECT', "Header forgery attempt, $ip claims to be $helo");
>     }
>     return ('CONTINUE', "ok");
> }
> 
> > Yang
> 
> Alexander
> 

Alex,
Good to see you here.
Won't this check generate a lot of false positives if the sending host
has a hostname that's different from its public DNS name? I have had
several mailhosts like this in places I've worked before, it's not
because we are lazy or careless, but because it's very hard to change
the hostname for various reasons.
But as to my problem, I just want to stop anybody from sending to the
mail gateway as local domain users because it's an incoming spam filter
mail host. I guess I would just need to check for MAIL FROM header
somewhere? But where should I implement this check in MIMEDefang? And
do you see any scenario that it will break anything?

Thanks,
Yang


Re: [Mimedefang] VERY Newbie Question

2004-10-29 Thread Alexander Dalloz
On Fri, 29.10.2004, David F. Skoll wrote at 18:04:

> > sub filter_relay () {
> > my ($ip, $name, $helo, $RelayAddr) = @_;

> Note that recent versions of MIMEDefang don't pass $helo in filter_relay;
> you need to do HELO checks in filter_sender.

> David.

Oops, yes my fault! I am still running MimeDefang 2.42 on that host with
this filter_relay code. Same can be done in filter_sender. IIRC the
change came with release 2.43.

Thanks David for your attention :) Could be a trap for a MimeDefang
starter with a current version.

Alexander


-- 
Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13
Fedora GNU/Linux Core 2 (Tettnang) kernel 2.6.8-1.521smp 
Serendipity 18:35:14 up 9 days, 15:14, load average: 0.00, 0.21, 0.26 



Re: [Mimedefang] Re: VERY Newbie Question

2004-10-29 Thread Kelson
Ian Mitchell wrote:
> Then I would wonder if something along the lines of SPF (spf.pobox.com)
> would work. I know this method was recently criticized for Microsoft's
> licensing methods and such forth.

You're thinking of SenderID, which is a combination of SPF with
Microsoft's own proposals.  SPF itself isn't license/patent/etc.
encumbered, but Microsoft's sections are.  (Though reportedly less so
than they were originally.  Something to research when I have time...)

--
Kelson Vibber
SpeedGate Communications 


Re: [Mimedefang] VERY Newbie Question

2004-10-29 Thread David F. Skoll
On Fri, 29 Oct 2004, Alexander Dalloz wrote:

> sub filter_relay () {
> my ($ip, $name, $helo, $RelayAddr) = @_;

Note that recent versions of MIMEDefang don't pass $helo in filter_relay;
you need to do HELO checks in filter_sender.

--
David.
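As an added example (not code posted by anyone in this thread, nor MIMEDefang's own): the HELO test moved into filter_sender, where the note above says recent versions need it, and generalized beyond the thread's snippet to bracketed address literals, HELO names claiming a local domain, and the local-domain MAIL FROM check asked about elsewhere in the thread. @LOCAL_DOMAINS, @TRUSTED_NETS and the helper names are assumptions; the md_syslog stand-in exists only so the file runs outside MIMEDefang.

```perl
use strict;
use warnings;

# Assumed site values (hypothetical, adjust for your gateway).
my @LOCAL_DOMAINS = ('example.com');            # domains this gateway accepts mail for
my @TRUSTED_NETS  = ('127.0.0.1', '192.0.2.');  # exact IPs, or prefixes ending in "."

# Stand-in logger so the file also runs outside MIMEDefang.
*md_syslog = sub { print STDERR "[$_[0]] $_[1]\n" } unless defined &md_syslog;

sub is_trusted_relay {
    my ($ip) = @_;
    for my $net (@TRUSTED_NETS) {
        return 1 if $ip eq $net || ($net =~ /\.$/ && index($ip, $net) == 0);
    }
    return 0;
}

sub is_local_domain {
    my ($name) = @_;
    ($name = lc $name) =~ s/\.$//;
    for my $d (@LOCAL_DOMAINS) {
        return 1 if $name eq $d || $name =~ /\.\Q$d\E$/;
    }
    return 0;
}

# Replace anything outside printable ASCII before it reaches the log or the SMTP reply.
sub printable {
    my ($s) = @_;
    $s = '' unless defined $s;
    $s =~ s/[^\x21-\x7e]/?/g;
    return $s;
}

# Domain part of the envelope sender; '' for the null sender <>.
sub sender_domain {
    my ($sender) = @_;
    (my $addr = lc printable($sender)) =~ s/^<|>$//g;
    return $addr =~ /\@([^@]+)$/ ? $1 : '';
}

# Returns a reason string if the HELO argument is inconsistent, else undef.
sub helo_problem {
    my ($ip, $helo) = @_;
    # Dotted quad, with or without the brackets of an address literal.
    if ($helo =~ /^\[?(\d{1,3}(?:\.\d{1,3}){3})\]?$/) {
        return undef if $1 eq $ip;
        return "$ip claims to be $1";
    }
    return "$ip claims to be local host $helo" if is_local_domain($helo);
    return undef;
}

sub filter_sender {
    my ($sender, $ip, $hostname, $helo) = @_;
    return ('CONTINUE', 'ok') if is_trusted_relay($ip);

    my $why    = helo_problem($ip, printable($helo));
    my $domain = sender_domain($sender);
    $why = "$ip sends as local domain $domain"
        if !defined $why && is_local_domain($domain);
    if (defined $why) {
        md_syslog('warning', "Header forgery attempt: $why");
        return ('REJECT', "Header forgery attempt: $why");
    }
    return ('CONTINUE', 'ok');
}

# Constructed sample connections: [MAIL FROM, relay IP, relay name, HELO].
unless (caller) {
    for my $c (['<a@example.net>',    '203.0.113.9', 'mx.example.net',   'mx.example.net'],
               ['<a@example.net>',    '203.0.113.9', 'unknown',          '198.51.100.7'],
               ['<a@example.net>',    '203.0.113.9', 'unknown',          '[203.0.113.9]'],
               ['<a@example.net>',    '203.0.113.9', 'unknown',          'mail.example.com'],
               ['<boss@example.com>', '203.0.113.9', 'unknown',          'mx.example.net'],
               ['<boss@example.com>', '192.0.2.10',  'desk.example.com', 'desk.example.com']) {
        my ($code, $msg) = filter_sender(@$c);
        print "HELO $c->[3], MAIL FROM $c->[0], relay $c->[1]: $code ($msg)\n";
    }
}
```

Forwarding services that keep the original envelope sender, as mentioned elsewhere in the thread, will trip the MAIL FROM rule for local addresses unless their hosts are listed in @TRUSTED_NETS.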


Re: [Mimedefang] VERY Newbie Question

2004-10-29 Thread Alexander Dalloz
On Fri, 29.10.2004, Yang Xiao wrote at 15:54:

> Hi,
> I found out that the filter_sender() function will be enabled if I
> turn the MX_SENDER_CHECK option on. I was just wondering where should
> I put it and how to use it.

For you as a Fedora user it has to be activated in
/etc/sysconfig/mimedefang.

> I got to read the man pages more carefully.
> As for the usefulness of the code sample, I think it at least gets rid
> of half of the problem, and spammers can still forge the MAIL FROM
> header if he uses a legit HELO. So the problem is, how do you check
> the MAIL FROM header then?

Both HELO and MAIL FROM can be easily forged. The question is, what do
you want to prohibit? Often a combination of tests is needed to properly
detect spamming attempts and to not reject valid senders.

One test which stops quite some guys at the front door is the following:

#***
# %PROCEDURE: filter_relay
# %DESCRIPTION:
#  Check whether helo fits with hosts IP address.
#***
sub filter_relay () {
    my ($ip, $name, $helo, $RelayAddr) = @_;
    # Check if IP correlates to given HELO.
    # Only a HELO that is a bare dotted quad is compared with the relay IP;
    # the dots are escaped so they match a literal "." only.
    if (($helo =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/) &&
        ($ip ne $helo)) {
        md_syslog('warning', "Header forgery attempt: $ip claims to be $helo");
        return ('REJECT', "Header forgery attempt, $ip claims to be $helo");
    }
    return ('CONTINUE', "ok");
}

> Yang

Alexander


-- 
Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13
Fedora GNU/Linux Core 2 (Tettnang) kernel 2.6.8-1.521smp 
Serendipity 17:34:56 up 9 days, 14:14, load average: 0.02, 0.06, 0.09 



[Mimedefang] Re: VERY Newbie Question

2004-10-29 Thread Ian Mitchell


Then I would wonder if something along the lines of SPF (spf.pobox.com)
would work. I know this method was recently criticized for Microsoft's
licensing methods and such forth. And while its adoption or lack thereof
might not allow it to be fully effective (catching people who spoof
yahoo) if your domain is participating in it, then you can definitely deny
emails inbound to your domain that are spoofed. I would be hesitant to
suggest this type of functionality be included in MimeDefang, at least
until a much better industry following took place, besides, it's probably
better suited in SpamAssassin instead, and the Apache crew will have to
accept the terms before that will happen. In the mean time, a google
search can find several instances of milters designed to handle the
protocol. Nice thing is it will allow you to catch spoofed messages from
any domain, not just your own (barring that domain chooses to
participate).



> That is correct, but I don't think that is what the meaning of the code
> snippet is
> This piece of code is to reject mail that comes from someone
> impersonating your domain,
> that is an external source saying it is internal.
>
> I use almost the same setup here...
>
> --
>
> Paul Pries




Re: [Mimedefang] VERY Newbie Question

2004-10-29 Thread Yang Xiao
On Fri, 29 Oct 2004 15:33:32 +0200, Paul Pries
<[EMAIL PROTECTED]> wrote:
> Ian Mitchell wrote:
> 
> >>Ok, for something like this, a sample function on the FAQ site that
> >>filters HELO line
> >>
> >>How do I integrate this into the filter file ?
> >>
> >>
> >
> >I'm not sure that I would. Sendmail has the capability to limit
> >connections based on where the IPs come from (outside of the HELO which
> >can be spoofed). You can limit based on relaying (access_db) or you can
> >actually limit based on connections (tcp_wrappers). There are actually many
> >different ways that this can be accomplished without the need for using
> >expensive resources by having mimedefang catch it. Think of it this way,
> >if you have your mimedefang process scanning for it, then the child
> >processes for your mimedefang/spamassassin/virus scanner could potentially
> >all be called for a connection you're just going to drop anyways (depending on
> >how you put together your filter) when sendmail could easily make a call
> >to tcpd and determine it's not legitimate and kill it right away. Not a
> >problem with only a few connections, but what happens if you get hit by a
> >spam bot that is attempting hundreds or thousands or more connections
> >close together from all different IPs?
> >
> >
> That is correct, but I don't think that is what the meaning of the code
> snippet is
> This piece of code is to reject mail that comes from someone
> impersonating your domain,
> that is an external source saying it is internal.
> 
> I use almost the same setup here...
> 
> --
> 
> Paul Pries
> 

Hi,
I found out that the filter_sender() function will be enabled if I
turn the MX_SENDER_CHECK option on. I was just wondering where should
I put it and how to use it.
I got to read the man pages more carefully.
As for the usefulness of the code sample, I think it at least gets rid
of half of the problem, and spammers can still forge the MAIL FROM
header if he uses a legit HELO. So the problem is, how do you check
the MAIL FROM header then?

Many Thanks,

Yang


[Mimedefang] filter_bad_name and virus check

2004-10-29 Thread Davide Vaghetti
Does someone know how to do the antivirus check before filter_bad_filename()?
thanks in advance
P.S.
maybe this question was made before, but I'm new to this mailing-list
and from the searches I made I cannot find anything related.
--
Davide Vaghetti
University of Pisa NOC - Centro SerRA


[Mimedefang] MIMEDefang 2.48 is available

2004-10-29 Thread David F. Skoll
Hi,

MIMEDefang 2.48 is at http://www.mimedefang.org/node.php?id=1

This one finally fixes the silly bugs from 2.46 and 2.47.  Honest!

Changelog to 2.45 follows.

Regards,

David.

2004-10-29  David F. Skoll  <[EMAIL PROTECTED]>

* Version 2.48 RELEASED

* Fix dumb bugs introduced in 2.46 and 2.47 related to
slave status reports.

* embperl.c: Detect if user opens file descriptors inside his/her
filter.  If so, log a loud and nasty warning that such code should
be moved to filter_initialize.

2004-10-28  David F. Skoll  <[EMAIL PROTECTED]>

* Version 2.47 RELEASED

* Move slave "status reports" onto their own file descriptor.
If you want the status reports, you must invoke mimedefang-multiplexor
with the "-Z" flag.  In the sample init scripts, set
MX_STATUS_UDPATES=yes

2004-10-28  David F. Skoll  <[EMAIL PROTECTED]>

* Version 2.46 RELEASED

* mimedefang-multiplexor.c: Added mechanism for slaves to send
back "status reports" to the multiplexor.  The command
"md-mx-ctrl slaves" now shows the current status of busy slaves
(eg, "Running SpamAssassin", "recipok <[EMAIL PROTECTED]>", etc.)

* redhat/mimedefang-init.in: Unconditionally execute "ulimit -s 2048"
before invoking mimedefang.

2004-10-28 Bill Maidment <[EMAIL PROTECTED]>

* Added support for Command "csav" anti-virus.

2004-10-27  David F. Skoll  <[EMAIL PROTECTED]>

* Version 2.46-BETA-2 released.

* mimedefang.c: Print and log an error if we can't determine our
own IP address.

* mimedefang.pl.in: append_html_boilerplate and append_text_boilerplate
refuse to tamper with S/MIME messages.  They won't descend into
multipart/signed or multipart/encrypted parts.  Similarly for
remove_redundant_html_parts.

* mimedefang.pl.in: Split-and-rebuild algorithm is greatly improved.
In particular:  In filter_end, the $entity->head correctly contains
all message headers.  And we try to avoid creating useless
multipart containers -- if we would end up with a multipart/mixed
or multipart/alternative with only one sub-part, we "pop" the sub-part
up to the top level.

2004-10-26  David F. Skoll  <[EMAIL PROTECTED]>

* Version 2.46-BETA-1 released.

* mimedefang-filter.5.in: Corrected an error in one of the examples

* mimedefang.c: Add IP address of scanning host to X-Scanned-By:
header.

* SECURITY FIX: mimedefang.c: Tempfail message if RESULTS file
doesn't terminate with 'F' line.  (Detects disk-full condition.)

* mimedefang.pl.in (rebuild_entity): Add a Content-Type: header
if MIME part lacks one.  Some marginal e-mail software chokes on
a part with a missing content-type header.

* mimedefang.pl.in: flatten_mime removed.  Support for
$Stupidity{"flatten"} removed.  *** NOTE INCOMPATIBILITY ***

* action_add_part revamped completely; we try to preserve original
multipart type of message.  action_add_part now simply keeps a list
of parts to be added.  At the end:

a) If original message was multipart/mixed, we simply add
the part.

b) Otherwise, we make a new multipart/mixed container, put
original message as the first part of this new container, and
then add part to the multipart/mixed container.

*** NOTE INCOMPATIBILITY ***

* Proper multipart type passed to filter_end.

* All mimedefang.pl-generated messages have an
Auto-Submitted: auto-generated header.

* mimedefang.pl.in: Return codes of I/O operations are checked; we
die if any fail.  This is a security fix.

* mimedefang.pl.in (interpret_trend_code): Treat any code from
1 to 9 as indicative of a virus, upon recommendation of Stephane Lentz.

* mimedefang.pl.in (spam_assassin_init): Add a
LOCAL_RULES_DIR => @CONFDIR@/spamassassin argument to SpamAssassin
constructor.





Re: [Mimedefang] VERY Newbie Question

2004-10-29 Thread Paul Pries
Ian Mitchell wrote:

>>Ok, for something like this, a sample function on the FAQ site that
>>filters HELO line
>>
>>How do I integrate this into the filter file ?
>
>I'm not sure that I would. Sendmail has the capability to limit
>connections based on where the IPs come from (outside of the HELO which
>can be spoofed). You can limit based on relaying (access_db) or you can
>actually limit based on connections (tcp_wrappers). There are actually many
>different ways that this can be accomplished without the need for using
>expensive resources by having mimedefang catch it. Think of it this way,
>if you have your mimedefang process scanning for it, then the child
>processes for your mimedefang/spamassassin/virus scanner could potentially
>all be called for a connection you're just going to drop anyways (depending on
>how you put together your filter) when sendmail could easily make a call
>to tcpd and determine it's not legitimate and kill it right away. Not a
>problem with only a few connections, but what happens if you get hit by a
>spam bot that is attempting hundreds or thousands or more connections
>close together from all different IPs?

That is correct, but I don't think that is what the meaning of the code
snippet is. This piece of code is to reject mail that comes from someone
impersonating your domain, that is an external source saying it is internal.

I use almost the same setup here...
--
Paul Pries



Re: [Mimedefang] VERY Newbie Question

2004-10-29 Thread Ian Mitchell
> Ok, for something like this, a sample function on the FAQ site that
> filters HELO line
>
> How do I integrate this into the filter file ?

I'm not sure that I would. Sendmail has the capability to limit
connections based on where the IPs come from (outside of the HELO which
can be spoofed). You can limit based on relaying (access_db) or you can
actually limit based on connections (tcp_wrappers). There are actually many
different ways that this can be accomplished without the need for using
expensive resources by having mimedefang catch it. Think of it this way,
if you have your mimedefang process scanning for it, then the child
processes for your mimedefang/spamassassin/virus scanner could potentially
all be called for a connection you're just going to drop anyways (depending on
how you put together your filter) when sendmail could easily make a call
to tcpd and determine it's not legitimate and kill it right away. Not a
problem with only a few connections, but what happens if you get hit by a
spam bot that is attempting hundreds or thousands or more connections
close together from all different IPs?




Re: [Mimedefang] Milter (mimedefang): to error state

2004-10-29 Thread Alex S Moore
On Thu, 2004-10-28 at 12:53 +0200, Stefaan Van Hoornick wrote:
> Hello,
> 
> I receive following error:
> 
> Oct 28 12:51:44 mail sendmail[659]: [ID 801593 mail.error] i9SApiO659: Milter 
> (mimedefang): local socket name /var/spool/MIMEDefang/mimedefang.sock unsafe
> Oct 28 12:51:44 mail sendmail[659]: [ID 801593 mail.info] i9SApiO659: Milter 
> (mimedefang): to error state

Sendmail does like the permissions on /var/spool/MIMEDefang.  Change the
permissions to 0700 or 0755 and make sure that the MD user owns the
directory.  Group and/or world writable does not work without turning
off a feature of sendmail (which is not recommended).

Alex



[Mimedefang] SURBL - MIMEDefang 2.47

2004-10-29 Thread Trevor Dodds
Hi,

I've upgraded to MIMEDefang 2.47. I modified mimedefang.pl
and changed $SALocalTestsOnly = 0; and skip_rbl_checks 0.
SURBL is still not working; I had 2.45 previously and it worked
fine.  Are there any other changes that need to be made in 2.47?

Thanks
Trevor
