Re: [Mimedefang] utf-8 issue?

2020-01-30 Thread Benoit Panizzon
Hi

> What does all this talk about spam and anti virus stuff have to do with the
> program remind?

Sorry, if this seemed off-topic.

MIMEDefang makes heavy use of MIME::Tools to unpack MIME
Parts and extract files and filenames.

So I supposed the problem described could have the same issue as the
one I encountered and could be fixed within the affected
mimedefang-filter with the code snippet I supplied.

Kind regards

-Benoît Panizzon-
-- 
I m p r o W a r e   A G-Leiter Commerce Kunden
__

Zurlindenstrasse 29 Tel  +41 61 826 93 00
CH-4133 PrattelnFax  +41 61 826 93 01
Schweiz Web  http://www.imp.ch
__

___
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID.  You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


Re: [Mimedefang] utf-8 issue?

2020-01-30 Thread Benoit Panizzon
Hi

I suppose I came across a very similar issue while building a spamtrap
which extracts attachments with MIME::Parser and feeds them down the
throat of clamav.

It more or less boils down to how Perl treats UTF-8 strings in file
functions and how POSIX systems don't care about the encoding of filenames.

What I found out to work by trial and error, still not sure why:

use utf8;
use open ':std', ':encoding(UTF-8)';

[...]

my $filename = $part->head->recommended_filename;

# Three-argument open, so the mode cannot be influenced by the filename.
open(SPAMFILE, '>', "$spamdir/$filename") or die "Cannot write $spamdir/$filename: $!";
print SPAMFILE $attachment;
close(SPAMFILE);

if (utf8::is_utf8($filename)) {
    print "Filename IS UTF8, encode Filename for AV\n";
    utf8::encode($filename); # This encodes UTF-8 Perl strings to a binary string.
}

# Now umlauts and similar characters in the filename do not cause the file not to be found.
my ($path,$found) = $av->scan_path("$spamdir/$filename");

Kind regards

-Benoît Panizzon-
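
Added example, not part of the original post or of MIMEDefang: one way to write the attachment and hand the scanner the same name, assuming the name arrives as a decoded Perl character string. It goes beyond the post by also reducing the header-supplied name to a single path component; fs_name, save_attachment and the sample filenames are made up for illustration.

```perl
#!/usr/bin/perl
# Added example: store a mail attachment under a name taken from a MIME header.
use strict;
use warnings;
use utf8;                          # this source file contains a non-ASCII literal
use Encode qw(encode);
use File::Temp qw(tempdir);

# Reduce a header-supplied filename to one path component and return it as
# UTF-8 *bytes*, so every later consumer (open, -e, an XS scanner binding)
# sees exactly the same name.
sub fs_name {
    my ($name) = @_;
    $name = '' unless defined $name;
    $name =~ s{^.*[/\\]}{}s;           # keep only what follows the last / or \
    $name =~ s/[\x00-\x1f\x7f]/_/g;    # control characters, including NUL and newline
    $name = 'unnamed' if $name eq '' || $name =~ /^\.+$/;   # "", ".", ".."
    return encode('UTF-8', $name);
}

# Write $data (a byte string) below $dir and return the byte path really used.
sub save_attachment {
    my ($dir, $raw_name, $data) = @_;
    my $path = "$dir/" . fs_name($raw_name);
    open(my $fh, '>:raw', $path) or die "cannot write $path: $!";
    print {$fh} $data;
    close($fh) or die "cannot close $path: $!";
    return $path;
}

binmode(STDOUT, ':encoding(UTF-8)');
my $spamdir = tempdir(CLEANUP => 1);   # stands in for the spamtrap directory

# Constructed filenames: an umlaut, a traversal attempt, a bare "..".
for my $raw ("Rechnung_März.pdf", "../../etc/cron.d/evil", "..") {
    my $path   = save_attachment($spamdir, $raw, "constructed attachment body\n");
    my $inside = index($path, "$spamdir/") == 0 && $path !~ m{/\.\./};
    printf "%-24s stored=%s inside_dir=%s\n", $raw,
        (-e $path ? 'yes' : 'no'), ($inside ? 'yes' : 'no');
    # $path is what would be passed on to the scanner, unchanged.
}
```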


Re: [Mimedefang] No such file or directory at /usr/share/perl5/MIME/Parser.pm line 627

2019-12-24 Thread Benoit Panizzon
Hi Gang

De-Installed MIME-Tools and MIMEDefang. Re-Installed. => Fixed.

Kind regards

-Benoît Panizzon-


[Mimedefang] No such file or directory at /usr/share/perl5/MIME/Parser.pm line 627

2019-12-24 Thread Benoit Panizzon
Hi Gang

Happy X-mas to all.

Yesterday I updated one MIMEDefang machine because of actual security
fixes with SpamAssassin. Those packages were updated:

libsasl2-2 libsasl2-modules libsasl2-modules-db sa-compile sasl2-bin
spamassassin spamc

They don't seem to be related to perl in any way.

Since then, the MIMEDefang workers fail because MIME::Parser throws an
error on:

my $headstr = '';
open(my $outfh, '>:scalar', \$headstr) or die $!;
$hdr_rdr->read_chunk($in, $outfh, 0, 1);
close $outfh;

I checked the obvious things like full disk, /var/spool/MIMEDefang,
permission issue, but I am at a loss.

Has anyone encountered this problem and could point me to the right
direction?

Kind regards

-Benoît Panizzon-


[Mimedefang] Passing on added Header from SpamAssassin to MIMEDefang

2019-04-12 Thread Benoit Panizzon
Dear List

I have started using the ASN SpamAssassin Plugin to penalize emails
originating from certain known spam operation ASN with great success
(especially for the actual sextortion email wave).

Now I reckoned it would be nice to also have the X-SPAM-ASN Header which
is added by SpamAssassin to be passed on to MIMEDefang so it is added
to the original message, just to be able to see with one glance, from
which ASN it originated in case of spam which slips through.

I know SpamAssassin operates on a copy of the message, so it is normally
not possible to keep headers added by SpamAssassin.

But, is there a way to still achieve this, which I am missing?

Kind regards

-Benoît Panizzon-


Re: [Mimedefang] Doing SRS Rewriting with Postfix (do not look up recipients starting with SRS)

2019-01-07 Thread Benoit Panizzon
Hi Benny

> > This causes Postfix to accept all emails which match this local mailbox
> > regexp and make it believe to deliver them to /dev/null, which never
> > happens as we will extract the real recipient from the SRS header with
> > MIMEDefang.  
> 
> how does this prevent accept and bounce ?
> how does it protect to not lose emails ?
> why is this not the same as catch-all domain ?
> 
> one day i begin to understand mimedefang, it takes time

Well we have a very complex set-up.

One of the goals:

* Minimize Backscatter (excessive backscatter could get your services
  blacklisted)

I suppose you know, how SPF works and that therefore you cannot forward
an email to a destination and leave the original sender intact. This is
also bound to cause your server to generate backscatter in case the
email cannot be delivered to the destination.

So SRS is used to rewrite and sign the envelope sender. If a reply (a
bounce in most cases) is getting back to this SRS signed sender, the
signature is verified to make sure it is legitimate and not somebody
trying to just relay emails over your server.

But still, this causes backscatter if your server (or the remote server)
bounces emails which cannot be delivered. So how do we minimize the
problem? SRS only encodes the original sender, not the forwarding
mailbox.

We encode the local recipient, which forwarded the email, into the SRS
sender. So if we get a bounce back, we can decode this and get both
pieces of information:

* Original Sender (to which we want to return the bounce)
* Local Recipient with defunct forwarding.

This allows us to count the bounces generated by a local recipient with
a defunct forwarding.

Of course, there are always reasons, why an email, even forwarded, does
not reach the destination (server down etc). So we have to allow for a
certain amount of bounces per day. But if a threshold is reached, we
just stop accepting email for the local recipient and issue a message
like "550 Forwarding Disabled because of bounces from far server".

This prevents DDOS like attacks where the sender address is the email
address of a victim, the destination is purposefully an address which
generates delayed bounces, and the goal is to flood that victim's
mailbox with those bounces (SPF cannot help in such a case and yes, we
had such cases).

So hopefully you understand what we are doing to try to fix design
issues of the aging SMTP protocol :-)

Kind regards

-Benoît Panizzon-


Re: [Mimedefang] Doing SRS Rewriting with Postfix (do not look up recipients starting with SRS)

2019-01-04 Thread Benoit Panizzon
Hi List

Ok, after some more google and trial and error, I figured it out.

So let's put the solution here so google can index it if somebody else
looks for it.

If you use the verify functions to do a call ahead destination
verification for relayed domains, you need to

smtpd_recipient_restrictions =
    [...]
    check_recipient_access regexp:/etc/postfix/noverify
    reject_unverified_recipient

/etc/postfix/noverify
  /^SRS.*/ OK

For local mailboxes you need something similar:

virtual_mailbox_maps = mysql:(whatever you use to query local mailboxes)
    regexp:/etc/postfix/dummy-recipients.regexp

/etc/postfix/dummy-recipients.regexp
  /^SRS.*/ /dev/null

This causes Postfix to accept all emails which match this local mailbox
regexp and make it believe to deliver them to /dev/null, which never
happens as we will extract the real recipient from the SRS header with
MIMEDefang.

Kind regards

-Benoît Panizzon-


Re: [Mimedefang] MIMEDefang

2018-11-08 Thread Benoit Panizzon
Hi Kris

Yes, using an ip socket circumvents the permission maze of file based
sockets :-)

> Plugging ClamAV into MIMEDefang tends to hit the same permissions maze, 
> along with a light dose of "where did Clam actually put the socket?", 
> since I think MD looks in the "wrong" place by default.  This has 
> probably been fixed in newer packages.

Aye! Having ClamAV / SpamAssassin / MIMEDefang all running under the
same user, their directories and logfiles (also mind
logrotate / syslog configs) belonging to that user etc. fixed the issue
for us, with the new issue that upgrading those packages usually reverts
the 'user' fix and we have to fix it again. But that's life as a
Sysadmin :-)

Kind regards

-Benoît Panizzon-


Re: [Mimedefang] MIMEDefang

2018-11-05 Thread Benoit Panizzon
Hi Allan

I'm trying to give you a little bit of help.

I'm looking at an ubuntu system, but I hope it's quite identical to
Debian.

/etc/default/mimedefang

Make sure MIMEDefang is listening to an inet socket, maybe better on
localhost, if you don't run your MIMEDefang on a dedicated filter
machine.

SOCKET=inet:3

Then in the postfix main.cf, specify that socket as smtpd_milter:

smtpd_milters = inet:filter-machine.local:3

That's basically it.

Kind regards

-Benoît Panizzon-


[Mimedefang] Localized SpamAssassin report template?

2018-10-11 Thread Benoit Panizzon
Hi List

Well, probably a bit off-list here, but I'm still trying my luck.

Has anyone managed to find a way to have language specific report
templates in spamassassin?

Being in Switzerland, we have several national languages and we have
customers who would like to get such messages in their language.

We can pull the language of the customer from our email account
database within MIMEDefang, but then, how do we get localized messages
FROM SpamAssassin? How could I define the same template (or even rule
descriptions) in multiple languages in a SpamAssassin Config file?

Kind regards

-Benoît Panizzon-


Re: [Mimedefang] Postfix: How to run the milter BEFORE reject_unverified_recipient

2018-02-20 Thread Benoit Panizzon
Hi Wietse

> Not possible. The Milter protocol implements the 'change sender'
> feature AFTER the entire message is received. That is long
> after the MAIL FROM and RCPT TO commands.

Ok, so if you activate reject_unverified_recipient it's not possible to
tell postfix not to call this function for local recipients, which
would anyway be rejected.

I did some further digging and found a posting of another user having
the problem, that he used reject_unverified_recipient but wanted to be
able to queue mails for a specific domain that is relayed through his
server in case the destination server is down.

Yes, sounds similar to my problem. He used check_recipient_access with
a hash map listing all recipients he wanted to queue.

This information and a google query if I could replace a hash map with
a regexp map later I had a working solution for my SRS problem:

smtpd_recipient_restrictions =
    reject_unknown_sender_domain
    reject_unknown_recipient_domain
    check_recipient_access regexp:/etc/postfix/noverify
    reject_unverified_recipient

And in /etc/postfix/noverify

/^SRS\d{1}.*/  OK

Now I just have to check that I didn't open an unauthenticated relay
door.

Kind regards

-Benoît Panizzon-


[Mimedefang] Postfix: How to run the milter BEFORE reject_unverified_recipient

2018-02-20 Thread Benoit Panizzon
Dear Lists (sorry for the xpost).

I have a milter which performs SRS Signing in case of forwarded emails
and SRS Verification of bounces.

This worked quite well, until we configured our mail platform to also
relay emails for other domains and thus activated
reject_unverified_recipient to perform smtp forward recipient checking.

http://www.postfix.org/ADDRESS_VERIFICATION_README.html

Well unfortunately reject_unverified_recipient is checking the
recipient BEFORE it is passed through the milter, where check_recipient
would extract the real recipient from a valid signed SRS address.

So every recipient SRS signed bounced recipient is being rejected by
reject_unverified_recipient.

So is there any way to configure postfix to either run the milter
BEFORE reject_unverified_recipient or to not run
reject_unverified_recipient for the transports
address_verify_local_transport or address_verify_virtual_transport but
only for address_verify_relay_transport?

Kind regards

-Benoît Panizzon-


Re: [Mimedefang] filter for header line

2017-09-06 Thread Benoit Panizzon
Hi

> I am curious. Why not just add a rule
> to /etc/mail/spamassassin/local.cf to match the desired header. Are
> you not using SpamAssassin?

There is a lot of other helpful stuff you can do with mimedefang.
Just a few ideas:

* Rewrite sender in an SRS compatible way.
* Handle forwarding in an SPF compatible way and detect loops.
* Throttle emails to prevent sending too much spam in case a user got
  himself phished
* Detect phished accounts (many different IPs per hour logging in).
* Compute MD5 or SHA1 Hashes of attachments and compare to Malware
  database (not so useful anymore with polymorphic malware which
  generates a different checksum on every specimen)

and so on.

And maybe you want to recognize if an email already passed a mailserver
under your control. So you check for the value of a specific header and
if not present, you add that header, which contains for example a MD5
sum of the MSGID signed with a password you know to prevent others
injecting such emails to your system.

-- 
-Benoît Panizzon-
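
Added example, not the poster's code: the "has this mail already passed my server" header described above, using HMAC-SHA256 from Digest::SHA instead of an MD5 sum combined with a password. The header name X-Example-Passed, the secret and the sample headers are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example: mark mail that already passed our own server with a keyed token.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

my $HEADER = 'X-Example-Passed';          # hypothetical header name
my $SECRET = 'constructed-demo-secret';   # assumption: loaded from a protected file in practice

# Keyed digest over the Message-ID; without $SECRET it cannot be recomputed.
sub token_for {
    my ($msgid) = @_;
    return hmac_sha256_hex($msgid, $SECRET);   # arguments: (data, key)
}

# Compare two tokens without stopping at the first differing character.
sub same_token {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

# $headers: array ref of unfolded "Name: value" lines.
# Returns ('passed') for a valid token, ('new', $header_line_to_add) otherwise,
# or ('no-msgid') when there is nothing to sign.
sub classify {
    my ($headers) = @_;
    my ($msgid, @tokens);
    for my $line (@$headers) {
        if    ($line =~ /^Message-ID:\s*(\S+)/i)               { $msgid //= $1 }
        elsif ($line =~ /^\Q$HEADER\E:\s*([0-9a-f]{64})\s*$/i) { push @tokens, lc $1 }
    }
    return ('no-msgid') unless defined $msgid;
    my $want = token_for($msgid);
    return ('passed') if grep { same_token($_, $want) } @tokens;
    # Any existing copy of the header is forged or stale here: a filter would
    # remove it before adding the fresh one.
    return ('new', "$HEADER: $want");
}

# Constructed sample messages (headers only).
my $id = '<20170906.constructed@mail.example>';
my @samples = (
    [ 'first pass'   => [ "Message-ID: $id", 'Subject: test' ] ],
    [ 'second pass'  => [ "Message-ID: $id", "$HEADER: " . token_for($id) ] ],
    [ 'forged token' => [ "Message-ID: $id", "$HEADER: " . ('0' x 64) ] ],
);
for my $sample (@samples) {
    my ($label, $headers) = @$sample;
    my ($verdict, $add) = classify($headers);
    print "$label: $verdict", (defined $add ? " (add \"$add\")" : ''), "\n";
}
```

The token only covers the Message-ID, as in the scheme described in the post, so it stays valid for any message that reuses that Message-ID.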


Re: [Mimedefang] filter for header line

2017-09-05 Thread Benoit Panizzon
Dear Hans

> I am looking for a possibility to filter for an existing header line. 
> I found a lot of examples where $Subject, $Sender and others can be
> used. But I need the possibility to find a certain header line, for
> example  X-Someinfo: Can someone point me to some examples. 
> I was searching at Google but obviously with the wrong keywords. 

I fear you have to do this the hard way by reading the HEADERS file
from the spool directory:

in filter_end, because this is the place where you get the content...

if (open(HDRCHECK, "<./HEADERS")) {
    while (<HDRCHECK>) {
        # Capture the value of the X-Someinfo header
        if ($_ =~ /^X-Someinfo:[\t ]+(.*)/) {
            $SomeinfoValue = $1;
        }
    }
    close(HDRCHECK);
}

-Benoît Panizzon-


Re: [Mimedefang] Mimedefang-Problem

2016-12-08 Thread Benoit Panizzon
Hi Sauraj

> I have been using mimedefang for long time with sendmail as the MTA
> but when I try to change the MTA to postfix and use mimedefang it
> seems to be not working. Could you please help me with this.

We use MIMEDefang with Postfix. Could you please be a bit more specific
about the problem? Maybe I could help.

-Benoît Panizzon-


Re: [Mimedefang] Connecting Clamd via inet socket?

2016-12-05 Thread Benoit Panizzon
Hi all

Thank you for the comments. I wrote that email a bit in a hurry, because
we have an 'old' installation which uses MIMEDefang where we cannot
update clamd (and the OS base) anymore. Clamd keeps crashing with new
definition files.

So as a quick fix I got clamd on our new filter installation listening
to an inet socket and failed to have this connected from MIMEDefang on
the old one trying to set $clamdsock = "inet:clamdhost:port" or similar.

After sending the email I read up on what I could find on the topic.

Yes, the problem is that MIMEDefang passes the path to be scanned to
the clamd socket, so the file needs to be local on the machine running
clamd.

Of course it would not be too difficult to add: ClamAV::Client to
mimedefang-filter and then use the scan_stream method which, as I
understand, would use the INSTREAM command to pass the content to be
scanned to clamd.

I'm not sure yet, if INSTREAM takes care of unpacking zip payloads and
similar. I have not tested and probably will not have the time to do so.

I guess I'll have to put a higher priority on moving the remaining
customers from our 'old' infrastructure to the new one.

-Benoît Panizzon-
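
Added example, not code from the post or from MIMEDefang: the clamd INSTREAM exchange mentioned above, written directly against the socket with core Perl modules rather than ClamAV::Client. CLAMD_HOST, CLAMD_PORT, the function names and the sample payload are assumptions; without CLAMD_HOST the script only prints the frames it would send.

```perl
#!/usr/bin/perl
# Added example: stream attachment bytes to a remote clamd with INSTREAM.
use strict;
use warnings;
use IO::Socket::INET;

# Byte sequence of one INSTREAM session:
#   "zINSTREAM\0", then chunks of <4-byte big-endian length><data>,
#   then a zero-length chunk that ends the stream.
# $data must be a byte string (file content read with binmode).
sub instream_frames {
    my ($data, $chunk_size) = @_;
    $chunk_size ||= 8192;
    my @frames = ("zINSTREAM\0");
    for (my $off = 0; $off < length($data); $off += $chunk_size) {
        my $part = substr($data, $off, $chunk_size);
        push @frames, pack('N', length($part)) . $part;
    }
    push @frames, pack('N', 0);
    return @frames;
}

# Send $data to clamd and return its NUL-terminated reply without the NUL.
# clamd's TCP socket has no authentication, so it should only be reachable
# from the filter hosts.
sub scan_bytes {
    my ($host, $port, $data) = @_;
    my $sock = IO::Socket::INET->new(
        PeerAddr => $host, PeerPort => $port, Proto => 'tcp', Timeout => 10,
    ) or die "cannot connect to clamd at $host:$port: $@\n";
    binmode($sock);
    local $SIG{PIPE} = 'IGNORE';   # clamd closes early when its stream size limit is hit
    print {$sock} $_ for instream_frames($data);
    local $/ = "\0";
    my $reply = <$sock>;
    close($sock);
    die "clamd closed the connection without a reply\n" unless defined $reply;
    chomp($reply);
    return $reply;
}

# Map a reply to a decision; anything unexpected counts as an error,
# so the caller can tempfail instead of delivering unscanned mail.
sub verdict {
    my ($reply) = @_;
    return 'clean'        if $reply eq 'stream: OK';
    return "infected: $1" if $reply =~ /^stream: (.+) FOUND$/;
    return "error: $reply";
}

# Constructed payload; 87 bytes split into 32-byte chunks for display.
my $payload = "constructed attachment bytes\n" x 3;
for my $frame (instream_frames($payload, 32)) {
    printf "%3d bytes, starts with hex %s\n",
        length($frame), unpack('H*', substr($frame, 0, 12));
}

# Constructed replies, to show the mapping.
print verdict($_), "\n"
    for 'stream: OK', 'stream: Example.Signature FOUND',
        'INSTREAM size limit exceeded. ERROR';

if ($ENV{CLAMD_HOST}) {
    print verdict(scan_bytes($ENV{CLAMD_HOST}, $ENV{CLAMD_PORT} || 3310, $payload)), "\n";
}
```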


[Mimedefang] Connecting Clamd via inet socket?

2016-12-02 Thread Benoit Panizzon
Hi all

Does anyone know, if it's possible to use

ClamdSock = "host:port";

in MIMEDefang?

I found very old posts stating, that clamd can only scan local files,
thus has to be called on the machine the file resides.

Is this still the case, or can the content to be scanned be streamed via
inet socket to a clamd host?

-Benoît Panizzon-


Re: [Mimedefang] filter_bad_filename based on recipient

2016-09-19 Thread Benoit Panizzon
Hi

> is it possible to define $bad_exts in sub filter_bad_filename based on
> domain name? I'd like to filter ".docm"-attachments, but not globally
> for all domains on that server, just for my private domain. Seems to
> be that $recipient is not known in sub filter_bad_filename?

Sure it is. You have to store the recipient domain into a file in the
working directory first. I use 'storable' to do this.

Beware, you have an array of recipients when sub filter{} is called.

So if you have different settings per domain, you have to make sure you
only accept one domain per connection.

You can use this error code within filter recipient to reject recipients
in other domains:

return ('TEMPFAIL', "We only accept one domains at the time, please resend this domain separately", 452, '4.5.3');

452 4.5.3 is the code for 'too many recipients' causing most mailservers
out there in the wild (well all of which I know of) to immediately open a
new connection and resubmit the email to the remaining recipients
causing only little delays.


sub filter {
    my($entity, $fname, $ext, $type) = @_;
    my $vars=&load_vars();

    [...]

    if (filter_bad_filename($entity)) {
        md_graphdefang_log('bad_filename', $fname, $type);
        &update_stats($vars->{rec_domain},'bad_filename',$vars->{imp_rcpt_count}-1);
        action_bounce("Unsafe attachment / Verdaechtiger Anhang (exe in zip oder bekannter Anhang mit Malware");
        return;
    }

    [...]

}

sub filter_bad_filename  {
    my($entity) = @_;
    my($bad_exts, $re, $suspicious_exts);
    my $vars=&load_vars();

    $bad_exts = '';
    $suspicious_exts = '(zip|exe|ini|ocx|com|msi|scr|sys|vb|vbe|vbs|cab|arj|rar|z7|bat|doc|docx|xls|xlsx)';

    # Per-domain list of banned extensions, loaded from the database
    if (defined($vars->{imp_mxgate})) {
        my $query = "select extension from forbidden_file_extensions join relay_domains on relay_domains.id=forbidden_file_extensions.relay_domain_id where domain=?";
        my $sth = $dbh->prepare($query);
        $sth->execute($vars->{rec_domain});
        if ($sth->rows > 0) {
            my @badextlist;
            while (my $badextref = $sth->fetchrow_hashref()) {
                push(@badextlist,$badextref->{'extension'});
            }
            $bad_exts = '(' . join ('|',@badextlist) . ')';
            md_syslog('warning',"DEBUG: Loaded banned extensions for MX-Gate " . $vars->{rec_domain} . ": $bad_exts");
        }
    }

    $re = '\.' . $bad_exts . '\.*$';

    if (re_match($entity, $re)) {
        md_syslog('warning',"Attached file banned by MX-Gate settings");
        return 1;
    }

    # And if you like you can compute MD5 hashes of suspicious files and compare
    # them to a database with information about an ongoing outbreak or a DNS Based
    # MD5 Blacklist:
    # Yes I know Diane will tell me that the filename could potentially not
    # be correctly found with "Content-Disposition.filename" but it works in most
    # cases.

    $re = '\.' . $suspicious_exts . '\.*$';
    if (re_match($entity, $re)) {
        my $bh = $entity->bodyhandle();
        my $head = $entity->head;
        my $filename = $head->mime_attr("Content-Disposition.filename");
        $filename = decode_mimewords($filename);
        if (defined($bh)) {
            my $path = $bh->path();
            if (defined($path)) {
                my $fsize = (stat $path)[7];
                open(FILE, $path) or return 0;
                binmode(FILE);
                my $dnsdigest = Digest::MD5->new->addfile(*FILE)->hexdigest;
                md_syslog('warning',"Suspicious File:$filename Size:$fsize WDir:$path MD5:$dnsdigest");
                close(FILE);
#               my $res = Net::DNS::Resolver->new;
#               my $dnsquery = $res->search("$dnsdigest.banned. DISCONTINUED .");
#               if (defined($dnsquery)) {
#                   foreach my $rr ( $dnsquery->answer ) {
#                       next unless $rr->type eq "A";
#                       md_syslog('warning',"Suspicious File: $path MD5 atthash blacklist hit");
#                       return 1;
#                   }
#               } else {
#                   if ( !$res->errorstring =~ /NXDOMAIN/ ) {
#                       md_syslog('error',"MD5 atthash BLACKLIST DNS ERROR: " . $res->errorstring);
#                   }
#               }
            }
        }
    }


    # And of course you want to look into ZIP Files:

    # Look inside ZIP files
    $re = '\.' . $suspicious_exts . '\.*$';
    if (re_match($entity, '\.zip$') and
        $Features{"Archive::Zip"}) {
        my $bh = $entity->bodyhandle();
        if (defined($bh)) {
            my $path = $bh->path();
            if (defined($path)) {
                md_syslog('warning',"Looking for executable file in zip file $path");
                $b

Re: [Mimedefang] MIMEDefang DOS with UTF-32?

2016-06-06 Thread Benoit Panizzon
Hello

I just found a description of the problem.

It has been fixed in libencode >= 2.77

https://github.com/dankogai/p5-encode/commit/27682d02f7ac0669043faeb419dd5a104eecfb73

-Benoît Panizzon-


[Mimedefang] MIMEDefang DOS with UTF-32?

2016-06-05 Thread Benoit Panizzon
Hi all

This morning, all our mimedefang instances started to repeatedly
crash:

UTF-32:Unrecognised BOM 4900
at /usr/lib/perl/5.18/Encode/MIME/Header.pm line 81.

The emails all originate from the same sender. It's probably not an
attack but a Massmailer sending some strange kind of UTF-32 Emails.

Anyone a hint, how to solve the problem?

Kind regards

-Benoît Panizzon-


Re: [Mimedefang] SRS with mimedefang

2016-06-02 Thread Benoit Panizzon
Hi Marcus

> is there a way to implement SRS using mimedefang? GMX set SPF to
> "-all" and forwarded mails to gmx accounts get blocked.

Sure...

Just some Code Fragments:

use Mail::SRS;

sub filter_recipient {
[...]
    my $srs = Mail::SRS->new(
        Secret => $srskey,
        MaxAge => 30,
        HashLength => 4,
        HashMin => 4,
    );
[...]

Get and Process SRS Signed bounces with something like:

    if ($user =~ m/(.*)\+bounce-(SRS.*)/) {
        $user = $1;
        my @recipientstoadd;
        $vars->{imp_bounce_user} = $1;
        $vars->{imp_bounce_domain} = $domain;
        $vars->{imp_bounce} = $2;
        # Verify the SRS signature and recover the original sender
        my $srsreturn = eval { $srs->reverse($2 . '@' . $domain); };
        if ($@) {
            if ($SendmailMacros{'mail_mailer'} eq 'smtp') {
                md_syslog('warning',"SRS FAILED $1 $2 $domain");
                return ('REJECT',"SRS Signatur ungueltig / SRS Signature invalid",571,'5.7.1');
            } else {
                # DEBUGGING, how can this happen?
                md_syslog('warning',"DEBUG: SRS FAILED NOT SMTP $1 $2 $domain");
                $vars->{imp_special} =  "SRS-FAIL: ";
                md_syslog('warning',"DEBUG: BOUNCE SRS FAIL id ". $2 .", Not forwarding recipient " . $user . "\@" . $domain);
                push(@recipientstoadd,"$user\@$domain");
                $vars->{delete_recipient} = $originalrecipient;
            }
        } else {
            md_syslog('warning',"SRS REWRITE SUCCESS <$1\@$2> $domain => <$srsreturn>");
            md_syslog('warning',"BOUNCE id ". $2 .", Not forwarding recipient <" . $user . "\@" . $domain . ">. But returning to <$srsreturn>");
            push(@recipientstoadd,"$user\@$domain");
            push(@recipientstoadd,$srsreturn);
            $vars->{add_recipient} = \@recipientstoadd;
            $vars->{delete_recipient} = $originalrecipient;
        }
        $vars->{add_recipient} = \@recipientstoadd;
        &store_vars($vars);
    }

Here is the part about actually forwarding the email, altering the sender.

if (($sender ne '') and ($sender ne 'UNKNOWN') and ($SendmailMacros{'mail_mailer'} eq 'smtp')) {
    $vars->{imp_originalsender}=$sender;
    my ($ruser,$rdomain) = split('@',$recipient);
    my $srssender = $srs->forward($sender,$recipient);
    $ruser = "$user+bounce-$srssender";
    $vars->{change_sender} = $ruser;
    md_syslog('warning',"FORWARDING > Push Sender change FROM " . $sender . " TO " . $ruser . " this is done later. <");
    $vars->{imp_forwarded}=1;
    if ($ref->{'keepFwdCopy'} eq 0) {
        md_syslog('warning',"Push Recipient to be deleted later " . $originalrecipient);
        $vars->{delete_recipient} = $originalrecipient;
    }
    my @recipientstoadd;
    while (my $aliasref = $forwards->fetchrow_hashref()) {
        md_syslog('warning',"Push Recipient to be added later: <" . $aliasref->{'destEMailAddr'} . ">");

        push(@recipientstoadd,$aliasref->{'destEMailAddr'});
        @recipientstoadd = &recurse_forwards($aliasref->{'destEMailAddr'},0,@recipientstoadd);
    }
    $vars->{add_recipient}=\@recipientstoadd;
    &store_vars($vars);
} else {
    md_syslog('warning',"DOH! Sender: <$sender> Recipient: <$recipient> Mailer: $SendmailMacros{'mail_mailer'} - Unencapsulated, unsigned BOUNCE. Not from us! No SRS, just forward this crap and forget it!");

[...] do some more stuff...

This is our special version of doing SRS. It encodes the address of the mailbox 
which forwards the email as sender, so we can process and count the bounces and 
disable email forwarding to specific recipients if we count too many bounces.

But it gives you an idea.

And yes, you can only change sender and recipient in filter_begin and later:

if (defined($vars->{change_sender})) {
  md_syslog('warning',"Change Sender: <$vars->{change_sender}>");
  change_sender($vars->{change_sender});
}
if (defined($vars->{delete_recipient})) {
  md_syslog('warning',"Delete Recipient: <$vars->{delete_recipient}>");
  delete_recipient($vars->{delete_recipient});
}
if (defined($vars->{add_recipient})) {
  my $recipientstoadd = $vars->{add_recipient};
  my %seen;
  @$recipientstoadd = grep { ! $seen{ $_ }++ }

Re: [Mimedefang] Fwd: syncing sent item from pop3 account to webmail sent folder

2015-11-30 Thread Benoit Panizzon
Hi Indunil

> Is there a way to sync sent item from pop3 account to webmail sent
> folder ?

A POP3 Server does not know about folders and does not know any status
of an email. So it does not know what a 'sent' item is. There is just
an INBOX containing email messages, if you want to call it that way.

All other things, like flagging an email read or sent, or getting
the emails from a POP3 server and storing them locally in a folder on your
computer, are handled by the email client locally on your computer.

Of course IMAP does know about folders and can flag emails as being
read or replied to etc.
With IMAP your email client manages the emails stored on the IMAP
Server. So all your various clients have the same 'view' of the emails
on the Server.

> Can mimedefang  do it? or is there any 3 rd party software that can
> sync pop3 sent  folder to Webmail Sent Folder?

If you want to copy the content of the POP3 INBOX on Server A to a IMAP
Folder on Server B, you could probably easily write such a script with
perl.

MIMEDefang is a Milter (Mail Filter) intended to be used by an MTA
like sendmail or postfix. It does not know about POP3 or IMAP Protocols.
 
> what about procmail ?

sendmail, postfix and probably other MTAs can hand over a received email
to procmail, which then, for example, files it into a specific folder on
your local mailserver. But procmail also won't fetch mails from a POP3
server.

'fetchmail' could download emails from a POP3 or IMAP Server. But
afaik 'fetchmail' cannot upload emails to an IMAP folder.

-Benoît Panizzon-


Re: [Mimedefang] limit Recipients for auth user

2015-11-27 Thread Benoit Panizzon
Hi Roman

At the start of your mimedefang-filter, where the 'use' statements are,
add the Perl Storable Module. (You need to have the storable
perl module installed for this to work).

require Storable;

You probably have sub filter_initialize {} and sub filter_cleanup {}
somewhere in your code. Just add those two subs there:

sub store_vars {
 my($vars) = @_;
 Storable::store($vars, 'vars.db');
}

sub load_vars {
 my $vars = {};
 if(-f 'vars.db') {
 $vars = Storable::retrieve('vars.db');
 }
 return $vars;
}

Then replace your filter_recipient with this very basic one:

sub filter_recipient {
  my ($recipient, $sender, $ip, $hostname, $first, $helo, $rcpt_mailer,
  $rcpt_host, $rcpt_addr) = @_;
  read_commands_file();
  my $vars=&load_vars();

  if(!defined($vars->{imp_rcpt_count})) {
    $vars->{imp_rcpt_count}=1;
  }

  md_syslog('warning',"COUNTING: Auth-By: " .
  $SendmailMacros{auth_authen} ." Recipient $recipient is number: " .
  $vars->{imp_rcpt_count});

  $vars->{imp_rcpt_count}++;
  &store_vars($vars);
  return ('CONTINUE', "ok");
};

But this is basically just useful if you want to act differently when
you reached a specific number of recipients, like limiting the number
of emails sent by a user during a certain time. If you just want to
know how many recipients the email goes to, you can use the size of
the array @Recipients in filter_begin, filter or filter_end.

-Benoît Panizzon-


Re: [Mimedefang] limit Recipients for auth user

2015-11-27 Thread Benoit Panizzon
Hi Roman

> Are you sure that you forgot notthing from your code??
> 
> Because i try and it don't work :-(

It was not working code. It was just a quick copy-paste from parts of
my code.

-Benoît Panizzon-


Re: [Mimedefang] limit Recipients for auth user

2015-11-27 Thread Benoit Panizzon
Hi Roman

> I need to limit the Recipients from to, cc bcc  for auth user in the
> filter_recipient procedure .is this possible? Realy great it
> would be, to get the count for each to, cc, bcc in the part between

Sure it is. From the viewpoint of the SMTP Transfer, rcpt to: does not
distinguish between to, cc or bcc. All are just recipients.

[...]
require Storable;
[...]

sub store_vars {
 my($vars) = @_;
 Storable::store($vars, 'vars.db');
}

sub load_vars {
 my $vars = {};
 if(-f 'vars.db') {
 $vars = Storable::retrieve('vars.db');
 }
 return $vars;
}

sub filter_recipient {
  my ($recipient, $sender, $ip, $hostname, $first, $helo, $rcpt_mailer,
      $rcpt_host, $rcpt_addr) = @_;
  read_commands_file();
  my $vars=&load_vars();
  my($s_user,$s_domain) = split(/\@/,$SendmailMacros{auth_authen});
  my $anonymous=0;
  $anonymous = 1 if ($SendmailMacros{auth_authen} eq '');
  if(!defined($vars->{imp_rcpt_count})) {
    $vars->{imp_rcpt_count}=1;
  }

[...]

  if ($vars->{imp_rcpt_count} > 10) {
    $vars->{imp_rcpt_count}++;
    &store_vars($vars);
    return ('TEMPFAIL', "Too many recipients: " .
      $vars->{imp_rcpt_count}, 452, '4.5.3');
  }
  $vars->{imp_rcpt_count}++;
  &store_vars($vars);
  return ('CONTINUE', "ok");
};
  

I also store the count in a database for the last hour. So I can limit
the number of recipients per hour per authenticated user, and per IP
per hour for non-authenticated users. For the latter of course the
number is much smaller and they are being tempfailed with: "Please use
SMTP Authentication to send emails to more recipeints".

The vars.db is being stored in the MIMEDefang spool dir of the email
being processed. So it's not getting mixed up with other emails.
MIMEDefang removes the spool directory after processing, so vars.db is
not left behind.

-Benoît Panizzon-


Re: [Mimedefang] limit Recipients for auth user

2015-11-27 Thread Benoit Panizzon
Hi Roman

> my $recipient_to_count = ??;
> my $recipient_cc_count = ??;
> my $recipient_bcc_count = ??;

I just re-read your email. I guess you want to distinguish the
different types of recipient (to,cc and bcc).

No, unfortunately this is not possible in filter_recipient as this
processes the rcpt to: commands from the MTA.

It would somehow unreliably be possible in filter or filter_end when
you get the message body. But you should not find BCC: Lines in the
body. Or the email client used to send that email is just broken and
discloses the BCC recipients.

So never trust the content of the email body regarding recipients.

Hmm, I should try adding this recipient to my email bodies :-)

To: ';drop database email;' 

-Benoît Panizzon-


Re: [Mimedefang] How to parse pdf files or pass them to spamassassin

2015-05-31 Thread Benoit Panizzon
Hi

> Perhaps we have not seen any of these attacks because the messages
> fail our SPF checks:

In our case it did not fail. The From: Header was set to DHL, but not the
envelope sender.

Mit freundlichen Grüssen

Benoit Panizzon


Re: [Mimedefang] How to parse pdf files or pass them to spamassassin

2015-05-29 Thread Benoit Panizzon
Hi Dianne

That also was my second thought.

But I notice that the way the link is embedded in the PDF prevents it from
being extracted by pdftotext.

Output by pdftotext

===
Sehr geehrte Kunden,
die Warensendung mit der Nummer 184982474614 wurde an das Transportunternehmen 
übergeben. Die
Auslieferung erfolgt voraussichtlich am 26.05.2015.
http://nolp.dhl.de/nextt-online-public/set_identcodes.do?lang=de&idc=184982474614.
 (ZIP Format)
Viele Grüße
Ihre DHL
===

And three more 'blank' pages of white on white garbage text, they know they
want to trick bayes filters...

Looking at the PDF code:

<< /Type /Annot
/Subtype /Link
/A 11 0 R
/Border [0 0 0]
/H /I
/Rect [ 209.6477 692.8435 281.6477 704.7235 ]
>>
endobj
11 0 obj
<< /Type /Action
/S /URI
/URI (http://MALWARE_URL)
>>
endobj

I'm not fluent in PDF, but I suppose, that is a box put on top of the link 
with action to open that URI.

I'll have a look at the PDF Info Plug-in as mentioned by Kevin. (thank you 
Kevin)

Mit freundlichen Grüssen

Benoit Panizzon
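
The question raised in this thread, whether a link's real target matches the URL shown in the PDF text, can be approximated at document level. The following Perl sketch is an added example, not code from the original posts: it pulls /URI action targets out of uncompressed PDF objects and reports those whose host never appears in the extracted text layer. The sub names, the sample PDF fragment and the example.com / example.net hosts are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Return every /URI action target found in uncompressed PDF objects.
# Literal strings "(...)" may contain nested parentheses and backslash
# escapes; hex strings "<...>" are decoded. Octal and control escapes are
# not decoded, and objects inside compressed object streams are not seen.
sub pdf_uri_actions {
    my ($pdf) = @_;
    my @uris;
    my $len = length $pdf;
    # "/S /URI" (the action subtype) is skipped: no string follows it.
    while ($pdf =~ m{/URI\s*(?=[(<])}g) {
        my $pos = pos($pdf);
        if (substr($pdf, $pos, 1) eq '<') {
            next if substr($pdf, $pos, 2) eq '<<';    # a dictionary
            if (substr($pdf, $pos) =~ /\A<([0-9A-Fa-f\s]*)>/) {
                (my $hex = $1) =~ s/\s+//g;
                $hex .= '0' if length($hex) % 2;      # odd length: pad
                push @uris, pack('H*', $hex);
            }
            next;
        }
        my ($depth, $out, $i) = (1, '', $pos + 1);
        while ($i < $len && $depth > 0) {
            my $c = substr($pdf, $i++, 1);
            if    ($c eq '\\') { $out .= substr($pdf, $i++, 1) }
            elsif ($c eq '(')  { $depth++; $out .= $c }
            elsif ($c eq ')')  { $depth--; $out .= $c if $depth > 0 }
            else               { $out .= $c }
        }
        push @uris, $out if $depth == 0;              # skip unterminated
    }
    return @uris;
}

# Host part of an http(s) URL, lower-cased. A "user@" prefix is skipped so
# that http://shown.example@other.example/ resolves to other.example.
sub url_host {
    my ($url) = @_;
    return $url =~ m{\Ahttps?://(?:[^/\@\s]*\@)?([^/:?#\s]+)}i ? lc $1 : undef;
}

# Set of hosts that appear as plain URLs in the text layer
# (for example the output of pdftotext).
sub visible_hosts {
    my ($text) = @_;
    my %hosts;
    while ($text =~ m{(https?://[^\s<>"']+)}gi) {
        my $host = url_host($1);
        $hosts{$host} = 1 if defined $host;
    }
    return \%hosts;
}

# Link targets whose host is not shown anywhere in the text layer.
sub mismatched_links {
    my ($pdf_bytes, $text_layer) = @_;
    my $shown = visible_hosts($text_layer);
    my @suspicious;
    for my $uri (pdf_uri_actions($pdf_bytes)) {
        my $host = url_host($uri);
        next unless defined $host;                    # mailto: and similar
        push @suspicious, $uri unless $shown->{$host};
    }
    return @suspicious;
}

# Constructed sample, shaped like the object dump quoted in the message.
my $pdf = <<'PDF';
10 0 obj
<< /Type /Annot
/Subtype /Link
/A 11 0 R
/Rect [ 209.6477 692.8435 281.6477 704.7235 ]
>>
endobj
11 0 obj
<< /Type /Action
/S /URI
/URI (http://files.example.net/get\(1\).zip)
>>
endobj
PDF
my $text = "Track your parcel at http://tracking.example.com/status?id=123.\n";

for my $uri (mismatched_links($pdf, $text)) {
    print "link target not shown in text layer: $uri\n";
}
```

Link objects stored in compressed object streams are invisible to this byte scan, so an empty result is not a clean verdict. A reported mismatch is best used as a scoring signal, and the extracted targets can also be checked against URI blacklists.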


[Mimedefang] How to parse pdf files or pass them to spamassassin

2015-05-29 Thread Benoit Panizzon
Hello

Lately we have come across a new trick that is being used to try to infect 
email recipients with trojans.

A simple email is being sent, looking like it's coming from DHL or similar,
about the tracking code for a parcel.

There is one PDF attachment.

The attachment has an official looking letter header from DHL and contains
instructions how to track the parcel via DHL website. There is a clickable
link in that PDF that points to the tracking service of the DHL Website.

But... The real link behind that link points to a website, from which a
drive-by infection is being tried and also offers a ZIP file containing an
EXE file with a trojan to download.

By not sending the exe within a zip (which is easily blocked in the 
bad_filenames part of MIMEDefang) and not using the Link in a HTML email, the 
attacker is getting his emails past our MIMEDefang / SpamAssassin / Clamd 
installation.

So my idea to catch such emails would be:

=> Extract text from PDF and pass it to spamassassin to match blacklisted 
URI's within the PDF.

=> Is there a way to check if the displayed URL matches the Link URL behind it 
within a PDF File?

Has anyone already found such a solution?

Mit freundlichen Grüssen

Benoit Panizzon


Re: [Mimedefang] Telling Mailer to disconnect

2014-08-14 Thread Benoit Panizzon
> SMTP error code 421 = "Abort connection."

Aehm, you were right. I was not aware that this specific code causes the mailer 
to disconnect...

Thank you!

421 4.2.1 Bitte SMTP-AUTHENTICATION aktivieren. Zu viele Empfaenger/Stunde: 25 > 20
Connection closed by foreign host.

Mit freundlichen Grüssen

Benoit Panizzon


Re: [Mimedefang] Telling Mailer to disconnect

2014-08-14 Thread Benoit Panizzon
On Thursday, 14 August 2014, 10.03:03 you wrote:
> SMTP error code 421 = "Abort connection."

Nope, during the RCPT TO: phase this is a temporary error of just this 
recipient. The other (even future recipients) could be valid, so the milter is 
getting the remaining recipients until the 'max recipients' limit of the 
mailer is reached. But the mailer then also only rejects the additional 
recipients with a 'too many recipients' tempfail.
Well, postfix at some point disconnects with 'too many errors' but that limit
is even higher.

The problem with those abusers is that they try to send emails to thousands of
recipients causing some load on the database that I would like to avoid.

What I would like to do is disconnect the client connection during 
filter_recipient. I fear this is not possible.

Of course, if $SendmailMacros{auth_authen} points to a phished account that 
got 'blocked' in the past, I can reject the connection during filter_sender.

But still this leaves the problem of the recently blocked account. I see bots
opening one connection and then keeping that connection open while trying to
spam. As they got detected during the filter_recipient phase, they cannot send
emails as I reject every recipient. No matter if I use TEMPFAIL or REJECT they
keep trying to send until they disconnect. Next connection they are blocked
earlier, in filter_sender.
Not all connections get permanently blocked (triggered by simultaneous logins
from many different IPs or different geoIP locations). If only one IP is
involved I only rate limit the recipients and put up a nagios warning so a
human can determine if this is a bot sending spam or a customer who got the
splendid idea to use our infrastructure as smarthost for his mailing tool. But
still in such a case I would like to disconnect our customer instead of
processing every recipient his tool is trying to send emails to.

Benoit Panizzon


[Mimedefang] Telling Mailer to disconnect

2014-08-14 Thread Benoit Panizzon
Hello

I have implemented some anti-phishing and rate limiting via MIMEDefang.

Some of this is done during filter_recipient. This is called for each 
recipient.
So if it's clear that the connection being processed is abusive, I would like 
to tell the mailer to disconnect that connection, instead of having to reject 
every single recipient (every single call of filter_recipient) to save some 
processing load.

Does anyone know how to do this?

Kind regards

Benoit Panizzon


Re: [Mimedefang] Access to sendmail marco client_addr

2014-05-05 Thread Benoit Panizzon
Well, after some more RTFM and stumbling over a thread about documentation 
issues with global variables:
http://lists.roaringpenguin.com/pipermail/mimedefang/2010-May/035763.html

I note that $RelayAddr is available in filter_begin but read_commands_file
is not.

Benoit Panizzon


[Mimedefang] Access to sendmail marco client_addr

2014-05-05 Thread Benoit Panizzon
Hello

We use MIMEdefang in conjunction with postfix.

Postfix does not set a macro if_addr. According to the Postfix Milter 
documentation, all milters should use client_addr instead.

According to the MIMEDefang documentation, read_commands_file would populate 
if_addr but does not populate client_addr.

Is there a way to tell MIMEDefang to also pull client_addr?

Or could someone tell me a better solution for that situation?

We keep a history of the users which authenticated via smtp during the last
hour and look at how many ip addresses are involved. If the number of
different ip addresses is over a threshold, we disable the user because of
suspected phished password.

Now we also have users using our webmail. The webmail uses the user's
credentials for smtp auth, but comes from one specific IP address. We don't
notice if a botnet starts abusing our webmail. But the webmail adds an extra
header telling the IP of the HTTP client.

I would like to do something like this in filter_begin:

read_commands_file;
if ($SendmailMacros{client_addr} eq $webmailip) {
open(./HEADERS);
look for the IP that sent that email via HTTP;
insert into LoginHistory (tstamp, auth_user, HTTP_ip);
}

So how can I access the client_ip from within filter_begin?

Mit freundlichen Grüssen

Benoit Panizzon
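
The hourly recipient limit from the "limit Recipients for auth user" reply and the distinct-IP check for phished accounts described in this message can be combined in one decision routine. The following Perl sketch is an added example, not the author's filter: it keeps the history in memory instead of a database, and the sub names, addresses and thresholds are constructed for illustration (only the anonymous limit of 20 mirrors the "25 > 20" reply quoted on this page).

```perl
#!/usr/bin/perl
use strict;
use warnings;

my $WINDOW        = 3600;           # seconds of history kept
my $MAX_RCPT_AUTH = 200;            # recipients/hour, authenticated user
my $MAX_RCPT_ANON = 20;             # recipients/hour, unauthenticated IP
my $MAX_IPS       = 3;              # distinct source IPs/hour per account
my $WEBMAIL_IP    = '192.0.2.10';   # constructed webmail host address

my (%rcpt_hist, %ip_hist, %disabled);

# Drop [time, ...] entries that fell out of the window.
sub prune {
    my ($list, $now) = @_;
    @$list = grep { $_->[0] > $now - $WINDOW } @$list;
    return;
}

# One call per RCPT TO. Returns a list shaped like the filter_recipient
# results shown on this page: (action, message, code, dsn).
sub check_recipient {
    my (%ev) = @_;                  # keys: t, auth, ip, http_ip
    my $auth = defined $ev{auth} ? $ev{auth} : '';

    if ($auth ne '') {
        return ('REJECT', 'Account disabled', 550, '5.7.1') if $disabled{$auth};
        # Webmail always connects from one address, so count the browser
        # address that the webmail reports in its extra header instead.
        my $src = ($ev{ip} eq $WEBMAIL_IP && $ev{http_ip}) ? $ev{http_ip} : $ev{ip};
        my $seen = $ip_hist{$auth} ||= [];
        prune($seen, $ev{t});
        push @$seen, [ $ev{t}, $src ];
        my %distinct = map { ($_->[1] => 1) } @$seen;
        my $n_ips = keys %distinct;
        if ($n_ips > $MAX_IPS) {
            $disabled{$auth} = $ev{t};   # stays set until a human clears it
            return ('TEMPFAIL', "Account suspended: $n_ips source addresses in one hour", 421, '4.2.1');
        }
    }

    my ($key, $max) = $auth ne '' ? ("user:$auth", $MAX_RCPT_AUTH)
                                  : ("ip:$ev{ip}", $MAX_RCPT_ANON);
    my $hits = $rcpt_hist{$key} ||= [];
    prune($hits, $ev{t});
    push @$hits, [ $ev{t} ];        # refused attempts are counted as well
    my $n = @$hits;
    if ($n > $max) {
        my $hint = $auth eq '' ? 'Please use SMTP authentication. ' : '';
        # 421 is used because, per the thread, it makes the mailer disconnect.
        return ('TEMPFAIL', "${hint}Too many recipients/hour: $n > $max", 421, '4.2.1');
    }
    return ('CONTINUE', 'ok');
}

# Constructed events: an unauthenticated sender with 22 recipients, an
# account used from 4 addresses, and a webmail account used from 4 browsers.
my @events;
push @events, +{ t => 1000 + $_, auth => '', ip => '198.51.100.7' } for 1 .. 22;
push @events, +{ t => 2000 + 10 * $_, auth => 'carol', ip => "203.0.113.$_" } for 1 .. 4;
push @events, +{ t => 3000 + $_, auth => 'dave', ip => $WEBMAIL_IP,
                 http_ip => "198.51.100.2$_" } for 1 .. 4;
push @events, +{ t => 3100, auth => 'carol', ip => '203.0.113.1' };

for my $ev (@events) {
    my ($action, $msg, $code, $dsn) = check_recipient(%$ev);
    next if $action eq 'CONTINUE';
    printf "t=%d %-9s %-13s -> %s %s %s %s\n", $ev->{t},
        ($ev->{auth} || 'anonymous'), $ev->{ip}, $action, $code, $dsn, $msg;
}
```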


Re: [Mimedefang] add_recipient inconsistent results on postfix

2014-01-02 Thread Benoit Panizzon
Hi David

> > Hmm, maybe you pointed me to the problem. Very strange, that this
> > sometimes work even if it's not supposed to work. Well I guess I
> > could store all changes via Storable and then pull them in
> > filter_begin.
> 
> Yes, you will need to do that.  Let me know if that fixes it.

Yes, that was the cause. After putting the sender / recipient changes into 
filter_begin they work reliably as expected.

Thanks for your help.

Benoit Panizzon


Re: [Mimedefang] add_recipient inconsistent results on postfix

2013-12-30 Thread Benoit Panizzon
Hi David

> Where are you calling action_add_recipient?  It can only be called
> from filter_begin or later.  Could you post your filter (or a suitably
> anonymized version)?

Hmm, maybe you pointed me to the problem. Very strange, that this sometimes
works even if it's not supposed to work. Well I guess I could store all changes
via Storable and then pull them in filter_begin.

I call it from filter_recipient. Well the code is not secret. Here are the
parts I believe are relevant. We store some variables in a file (to count the
number of recipients and check if we already had to forward a recipient or if
the spam settings are different per recipient etc) in the spool directory as we
don't know which MIMEDefang process is getting which calls.

sub store_vars {
 my($vars) = @_;
 Storable::store($vars, 'vars.db');
}

sub load_vars {
 my $vars = {};
 if(-f 'vars.db') {
 $vars = Storable::retrieve('vars.db');
 }
 return $vars;
}

sub filter_recipient {
  my ($recipient, $sender, $ip, $hostname, $first, $helo, $rcpt_mailer,
      $rcpt_host, $rcpt_addr) = @_;
  read_commands_file();
  md_syslog('warning',"DEBUG: Filter Recipient $recipient starting");
  my $vars=&load_vars();

[...]
  my $sth = $dbh->prepare("SELECT id,spamaction,spampoint,virusaction,homeserver,keepFwdCopy,FwdBounceCount,FwdActive,disabled from user where userid = ". $dbh->quote($user) ." and domain = ". $dbh->quote($domain));
  $sth->execute();
  my $forwards = $dbh->prepare("SELECT destEMailAddr from alias where srcEMailAddr = ". $dbh->quote($recipient));
  $forwards->execute();
  md_syslog('warning',"DEBUG: FORWARDS: ". $forwards->rows);
[...]
  if (($ref->{'FwdActive'} eq 1) && ($forwards->rows gt 0) && (!(defined($vars->{imp_bounce})))) {
    md_syslog('warning',"DEBUG: We have to forward this email, let's do it");
[...]
    my ($ruser,$rdomain) = split('@',$recipient);
    my $srssender = $srs->forward($sender,$recipient);
    $ruser = "$user+bounce-$srssender";
    # Sender and recipient changes are made directly in filter_recipient here
    change_sender($ruser);
    md_syslog('warning',"DEBUG: FORWARDING > CHANGING SENDER FROM " . $sender . " TO " . $ruser . " <");
    if ($ref->{'keepFwdCopy'} eq 0) {
      md_syslog('warning',"DEBUG: Deleting Recipient " . $originalrecipient);
      delete_recipient($originalrecipient);
    }
    while (my $aliasref = $forwards->fetchrow_hashref()) {
      md_syslog('warning',"DEBUG: Adding Recipient " . $aliasref->{'destEMailAddr'});
      add_recipient($aliasref->{'destEMailAddr'});
    }
[...]
}


Mit freundlichen Grüssen

Benoit Panizzon


Re: [Mimedefang] add_recipient inconsistent results on postfix

2013-12-30 Thread Benoit Panizzon
Hi David

> I'm not familiar with Postfix, but this does sound like a Postfix bug.
> I would post on a Postfix list because I think most of the people on this
> list are Sendmail users...

Thank you for your reply. Via Postfix list I found someone who could tell me 
how to enable the milter debugging output of the 'cleanup' daemon. That's the 
one doing the whole rewriting stuff in postfix.

This shows that sometimes, there are just no recipient changes submitted by 
the milter.

So I have started sniffing the inet socket connection between the milter and
postfix.
It's pretty binary, but after a while I figured out what the header changes
look like and those seem to confirm that MIMEDefang is not sending those
changes to postfix.

That's pretty weird now, because I have added an md_syslog instruction before 
those recipient changes dumping what is being changed so I know they are being 
run.
The changes that occur in the body, like adding the line that MIMEDefang has 
scanned that email, are always run, even if the recipient changes have not 
been run.

MIMEDefang 2.73 in use here.

Is there anything known which could cause that issue I'm observing?

Kind regards

Benoit Panizzon


[Mimedefang] add_recipient inconsistent results on postfix

2013-12-23 Thread Benoit Panizzon
Hello

We moved from sendmail to postfix (unfortunately, but my admin colleagues
wanted it that way).

We use MIMEDefang to do some sender / recipient rewriting, mainly to implement 
email forwarding in a SRS compatible way.

Now I have found a situation, where add_recipient apparently fails, but I'm 
not yet able to tell why.

We got a local user, ben...@ambonet.ch

Now that user is forwarding his emails to:

te...@example.com
te...@example.com
te...@example.com

MIMEDefang does this:

compute SRS sender
change_sender($srs-sender)
delete_recipient(ben...@ambonet.ch)
add_recipient(te...@example.com)
add_recipient(te...@example.com)
add_recipient(te...@example.com)

This works, the sender is rewritten, the email is received by all three
recipients.

Now that user wants to still have a copy delivered to his inbox:

MIMEDefang does this:

compute SRS sender
change_sender($srs-sender)
add_recipient(te...@example.com)
add_recipient(te...@example.com)
add_recipient(te...@example.com)

The only difference is that I don't delete the recipient.

Now my MIMEDefang debug output show, that all the parts changing sender and 
recipients are run.
But postfix then ignores those changes and delivers the email only via lmtp 
and only to ben...@ambonet.ch. The sender is not rewritten.

I did also try:

compute SRS sender
change_sender($srs-sender)
delete_recipient(ben...@ambonet.ch)
add_recipient(ben...@ambonet.ch)
add_recipient(te...@example.com)
add_recipient(te...@example.com)
add_recipient(te...@example.com)

Same result, only local delivery.

Does anyone have a hint where to look for the cause of that problem?
Or is there some postfix restrictions, that sender/recipients only can be 
rewritten if after that rewrite none of the recipients are local.

Postfix 2.10.2 in use.

Btw, is there a way to tell postfix what to do in case a milter fails? No hits 
with Google

Kind regards

Benoit Panizzon


Re: [Mimedefang] How to change envelope sender?

2013-05-06 Thread Benoit Panizzon
> > Backscatter for the most part is not a problem because it has a simple
> > solution:  Message source authentication, with varying implementations
> > and degrees of success - SPF, DKIM, MTX, PGP-signatures, etc.
> 
> Various degrees of failure would be a better description

Ack!

It's good that there are attempts to solve the problem.

SPF is fine so far, as the sender can decide how to block. But there are 
problems with forwardings if you don't use SRS.
SRS is not yet built in MTA products as afaik it's not RFCed yet.
For Sendmail there is an ugly socketmap solution.
For Postfix you would need a milter or similar.
Qmail has a pretty solution, but Qmail itself is imho just broken.
Exim, I don't know.

DKIM. Yeah, clever idea to sign the headers so the recipient can check the
email was not altered and reject it if there is no signature (which you need to
do if you want to reject emails with forged from address) or those headers were
altered.
But: There are Mailinglists, like this very MIMEDefang List. Guess what,
Subject and Reply-To Headers are signed, but they are altered by mailman. If a
DKIM Signed email is sent over the Mimedefang Mailinglist and I would enable
DKIM on my MTA, I would reject such emails. So DKIM really is a NoGo!

PGP is fine. But how would you filter spam with PGP unless everyone is using 
PGP Signatures? And that is never going to happen, so you still have to accept 
unsigned emails, including spam.

MTX? I will have to look up what that is.

Well until now I don't know any solution that works flawlessly. SMTP was just 
designed with a couple of flaws and we have to work around the one kind or the 
other and try not to break too much.

Mit freundlichen Grüssen

Benoit Panizzon


Re: [Mimedefang] How to change envelope sender?

2013-05-06 Thread Benoit Panizzon
> > I do consider backscatter the more serious problem.
> 
> I strongly disagree. Notifying the sender of delivery problems is an
> essential and nonnegotiable element of E-mail. IOW dropping a mail without
> notifying the server is Bad. Full stop.

I fully agree that dropping an email without notification to anyone is bad. But 
that is not what I intend.
I intend to notify the owner of the address being forwarded to another 
address.

Example:

Sender: b...@aol.example.com
Recipient: al...@bluewin.example.com
   (being forwarded to e...@gmx.example.com)

So Bob is sending an email to Alice.

Alice has forwarded her Mailbox to Emma, but that Mailbox is full.
I do rewrite the envelope sender of Bob's Email to al...@bluewin.example.com

If the subsequent forwarding to Emma fails, Alice is getting that bounce and 
not Bob (who could be a spammer and using a forged sender address).

As Alice set up that forwarding, it is her responsibility to make sure that 
forwarding is working.

Another advantage: Alice does not disclose to Bob that her email address is 
being forwarded.
Another advantage: If aol.example.com is protected by SPF, I don't run into a 
problem. (SRS is not defined by an RFC yet as I understood).

> Backscatter OTOH is a nuisance, which should be minimized of course, but
> cannot be completely avoided. Blacklisting because of backscatter would be
> a Bad Idea (TM) which I thankfully never encountered so far, but if
> someone did that it would certainly be their own fault if they blocked
> legitimate mail as a result. In my experience, misguided measures like
> that tend to get lifted very quickly if senders and (intended) recipients
> of blocked mails are informed in no unclear words who's responsible for
> the communication failure.

Well, there are such blacklists I can tell you as a tech at an ISP.

Still that does not solve the problem of spam being sent via your 
infrastructure as result of phished email accounts etc. You need some kind of 
rate limiting to detect unusual behaviour from users, or unusual logins with 
the same credentials from many different IP addresses, a functional abuse desk 
etc, but you can not fully prevent some spam being sent over your 
infrastructure.
We had even the case where one single email was sent over our infrastructure 
to a 'special' spamcop.net spamtrap causing immediate blacklisting of our main 
outbound server. And spamcop.net is widely used.

Kind regards

Benoit Panizzon
-- 
I m p r o W a r e   A G-
__

Zurlindenstrasse 29 Tel  +41 61 826 93 07
CH-4133 PrattelnFax  +41 61 826 93 02
Schweiz Web  http://www.imp.ch
__


Re: [Mimedefang] How to change envelope sender?

2013-05-02 Thread Benoit Panizzon
> Sooo,,, How does the real sender of the email ever find out that he
> sent to a broken address?

Well, what's worse?

- Backscatter? (and getting your server in blacklists because of that).
- Sender not knowing his email was not forwarded (but the one forwarding his 
address can check upon that).

I do consider backscatter the more serious problem.

Kind regards

Benoit Panizzon
-- 
I m p r o W a r e   A G-
__

Zurlindenstrasse 29 Tel  +41 61 826 93 07
CH-4133 PrattelnFax  +41 61 826 93 02
Schweiz Web  http://www.imp.ch
__


Re: [Mimedefang] How to change envelope sender?

2013-05-02 Thread Benoit Panizzon
Hi Joseph

> To my knowledge the recipients are the addresses given in RCPT, not the
> resolved addresses after aliasing and forwarding. So how do you detect that
> the user forwards? Does sendmail provide the resolved address, or do you
> have to mimic what sendmail would do?

Actually we use Postfix in this project and the local recipients and forwarding 
information is in a database. So I can access that information easily from 
within MIMEDefang.

> > So let's change the sender to the address of the address of the local
> > recipient who wants to have his emails forwarded somewhere else. So he
> > get's  the blame/bounce if his forward does not work.
> 
> I would expect that to loop, since the local recipient forwards to the
> address that is not accepting mail. How do you avoid that?

I'm aware of that :-)
I'll probably add some kind of loop detection header or use some other logic 
to detect loops or bounces which would loop (eg match empty sender). But one 
problem at a time please :-)

Benoit Panizzon
-- 
I m p r o W a r e   A G-
__

Zurlindenstrasse 29 Tel  +41 61 826 93 07
CH-4133 PrattelnFax  +41 61 826 93 02
Schweiz Web  http://www.imp.ch
__


[Mimedefang] How to change envelope sender?

2013-05-02 Thread Benoit Panizzon
Yo

Goal: Minimize Backscatter.

Problem: Customers do forward their email address to some other addresses 
which have a full quota or some other problem.

Solution:
Do this whole Aliasing and Forward-Address handling with MIMEDefang. As the 
local email address doing the forward is known to be good (or not, but then we 
don't accept the email so won't create any backscatter) we know we can drop 
further errors happening while forwarding there.

In filter_recipient we check if the recipient is being forwarded to some other 
Destination. We can use md_check_against_smtp_server to see if the recipient 
exists. But we don't know yet if the quota is full or similar. We only know 
this when we queued and sent the actual email, but then we need to generate a 
bounce if this fails.
So let's change the sender to the address of the local 
recipient who wants to have his emails forwarded somewhere else. So he gets 
the blame/bounce if his forward does not work.

Now I miss some kind of command to do that within MIMEDefang. $sender is read 
only I assume.

The complicated way would be to re-send / discard the email. Is there another 
solution?
This could also be used to implement proper SRS (which we actually don't need 
anymore if we use the forwarder's address as sender).

Benoit Panizzon
-- 
I m p r o W a r e   A G-
__

Zurlindenstrasse 29 Tel  +41 61 826 93 07
CH-4133 PrattelnFax  +41 61 826 93 02
Schweiz Web  http://www.imp.ch
__


Re: [Mimedefang] How to count recipients in filter_recipient

2013-04-16 Thread Benoit Panizzon
Hi Dale

> In this case, we merely
>   main::delete_recipient($recipient_A);
> then
>   main::action_accept()
> for the rest of the recipients.

This is what we don't want to do. Imagine it is a false positive.
The mail logs of the sender, and maybe even an MDN message, confirm the email 
has been received by the server. So that email just disappears. This is what 
we want to avoid.

> You cant tempfail individual recipients once you peek at the message
> and see that it is spam.  By the time you see the message, you've already
> accepted the recipients.

Yes, but I know what spam action (reject or accept) the individual recipient 
has. So I can first handle all the recipients who want to reject spam and 
tempfail all the others, and then vice versa. I do not need to know if the 
email will be handled as spam at that point. I just make sure that if it will 
be handled as spam, I only have recipients that want spam rejected.

> Different mimedefang-milter processes might handle the same message.
> One milter process could handle the relay while a different one handles
> the sender.  In fact, different processes could handle different recipients
> of the same message.  This makes persistent variables like $rcpt_count
> difficult to implement.

After some more Googling I think I found a solution.
For each smtp session, MIMEDefang uses a different spool directory and CWD's 
to that directory.
So I am now writing the recipient and spam settings to a file in the actual 
CWD and on each recipient I can get the count and what kind of recipients I 
accept from that file.

Kind regards

Benoit Panizzon
-- 
I m p r o W a r e   A G-
__

Zurlindenstrasse 29 Tel  +41 61 826 93 07
CH-4133 PrattelnFax  +41 61 826 93 02
Schweiz Web  http://www.imp.ch
__
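
One way to implement the spool-directory state file described in this message, as an added example (not code from the thread or from MIMEDefang itself). The file name, the settings table and the demo addresses are constructed assumptions; getspamsettings is a stand-in for the poster's own lookup.

```perl
use strict;
use warnings;

# Hypothetical file name; relative, so it lands in the per-message spool dir (the CWD).
my $STATE = 'rcpt-policy.state';

# Constructed stand-in for the per-recipient lookup the post calls getspamsettings().
my %SETTINGS = ('a@example.com' => 'NO FILTERING', 'b@example.com' => 'REJECT SPAM');
sub getspamsettings {
    (my $addr = lc shift) =~ s/^<|>$//g;    # addresses may arrive wrapped in <>
    return $SETTINGS{$addr} // 'REJECT SPAM';
}

# Returns (number of recipients accepted so far, spam setting of the first one).
sub read_state {
    open(my $fh, '<', $STATE) or return (0, undef);    # no file: nobody accepted yet
    my $line = <$fh> // '';
    close($fh);
    chomp $line;
    my ($count, $rule) = split /\t/, $line, 2;
    return (0, undef) unless defined $rule && $count =~ /^\d+$/;
    return ($count, $rule);
}

sub write_state {
    my ($count, $rule) = @_;
    open(my $fh, '>', $STATE) or die "cannot write $STATE: $!";
    print {$fh} "$count\t$rule\n";
    close($fh) or die "cannot close $STATE: $!";
}

sub filter_sender {
    unlink $STATE;    # new envelope: drop any state left by an earlier MAIL FROM
    return ('CONTINUE', 'ok');
}

sub filter_recipient {
    my ($recipient) = @_;
    my $rule = getspamsettings($recipient);
    my ($count, $first_rule) = read_state();
    return ('TEMPFAIL', 'Too many Recipients') if $count >= 50;
    return ('TEMPFAIL', 'Different Spam Setting, please resend separately')
        if defined $first_rule && $first_rule ne $rule;
    write_state($count + 1, $rule);    # only accepted recipients are counted
    return ('CONTINUE', 'ok');
}

# Demo with constructed addresses; skipped when the file is loaded as a filter.
unless (caller) {
    require File::Temp;
    my $dir = File::Temp::tempdir(CLEANUP => 1);
    chdir $dir or die "chdir $dir: $!";
    filter_sender('<sender@example.net>');
    for my $rcpt (qw(<b@example.com> <c@example.com> <a@example.com>)) {
        my ($code, $msg) = filter_recipient($rcpt);
        print "$rcpt => $code ($msg)\n";
    }
    chdir '/';    # leave the temp dir so cleanup can remove it
}
```

Because the state lives in a file rather than in a Perl variable, it does not matter which filter process handles each RCPT TO of the message.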


[Mimedefang] How to count recipients in filter_recipient

2013-04-16 Thread Benoit Panizzon
Hello

The situation:

Recipients have different SpamAssassin Settings:

Recipient A => "NO FILTERING";
Recipient B => "REJECT SPAM";

Now an email arrives
mail from:
rcpt to:
rcpt to:

Now if this is an email that will be handled as spam, we have the problem 
that Recipient A does want to receive that email and Recipient B wants us to 
reject it during SMTP Handshake.

We could:
Accept the Email and deliver it only to Recipient A.

Problem: If it was a false positive, that sender does not know it was not 
delivered to Recipient B. His Maillog will tell him it was successfully 
delivered. => NoGo.

We could:
Reject that email: Recipient A will complain that we filtered the email even 
though his settings tell us not to do so. => NoGo.

Solution:
We only accept those recipients which have identical anti-spam settings and 
tempfail the others, forcing the sending MTA to resend them in a separate 
session. So we can then handle that session according to the user's settings.

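# $rcpt_count and $filterrule are plain globals: they only hold their values
# while all callbacks of a session run in the same filter process.
sub filter_sender {
  $rcpt_count = 0;
  return ('CONTINUE', "ok");
}

sub filter_recipient {
  my ($recipient) = @_;
  $rcpt_count++;
  if ($rcpt_count == 1) {
    # The first recipient defines the spam setting the others must match
    $filterrule = &getspamsettings($recipient);
  } else {
    return ('TEMPFAIL', "Too many Recipients") if ($rcpt_count > 50);
    # Settings are strings, so compare with ne rather than !=
    return ('TEMPFAIL', "Different Spam Setting, please resend separately")
      if ($filterrule ne &getspamsettings($recipient));
  }
  return ('CONTINUE', "ok");
}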

Well, this is the basic idea. Please ignore the syntax errors :-), I just 
started with the $rcpt_count in my code. Unfortunately filter_sender and 
filter_recipient calls are carried to different filter processes. So the 
counter is not reset.

Is there a way to define some sort of over-global variable that is consistent 
for one SMTP session between all of the mimedefang processes?

Kind regards

Benoit Panizzon
-- 
I m p r o W a r e   A G-
__

Zurlindenstrasse 29 Tel  +41 61 826 93 07
CH-4133 PrattelnFax  +41 61 826 93 02
Schweiz Web  http://www.imp.ch
__


Re: [Mimedefang] Relay: Reject emails after receiving DATA negative result code from destination host?

2006-10-19 Thread Benoit Panizzon
On Wednesday, 18 October 2006 14:58, David F. Skoll wrote:
> Benoit Panizzon wrote:
> > Is there a way to delay the 200 Queued message until I get the
> > return code to 'DATA' from HOST B to pass this code to HOST A?
>
> Yes.  You need to run your Sendmail in "interactive" delivery mode.
> This may have other (undesired) side-effects, though.  Check the
> Sendmail documentation.

Hi David

This sounds very promising. I did try turning it on, but still haven't figured 
out in which filter part (where exactly in mimedefang-filter) I then can 
react to the 'data' result.

Regards

Benoit Panizzon
-- 
I m p r o W a r e   A G-System Services
__

Zurlindenstrasse 29 Tel  +41 61 826 93 00
CH-4133 PrattelnFax  +41 61 826 93 01
Schweiz Web  http://www.imp.ch
__


[Mimedefang] Relay: Reject emails after receiving DATA negative result code from destination host?

2006-10-18 Thread Benoit Panizzon
Hi all

I use MIMEDefang as a Relay in front of other mailservers.

I do a md_check_against_smtp_server to check if the sender/recipient pair is 
valid. So I can reject emails to invalid recipients directly without need to 
bounce them.

Now I have come across the situation where I have a server which also does 
some basic filtering and rejects emails after the 'DATA' part. At the moment 
I have to send a bounce for those emails which, in case of unrecognized spam, 
is sent to the fake address.

Example:

HOST A => MIMEDefang => HOST B

** HOST A Connects to MIMEDefang.
<= mail from:<[EMAIL PROTECTED]>
=> 200 OK
<= rcpt to:<[EMAIL PROTECTED]>
** check_recipient md_check_against_smtp_server connecting to HOST B
=> 200 OK
<= DATA
=> 200 OK send your DATA
<= da...ta (including attachement)
** MIMEDefang does not find anything bad and return 200 QUEUED to HOST A
=> 550 EXE Files not accepted on HOST B
** MIMEDefang has to bounce as it already accepted the mail from HOST A

Is there a way to delay the 200 Queued message until I get the return code to 
'DATA' from HOST B to pass this code to HOST A?

Regards

Benoit Panizzon
-- 
I m p r o W a r e   A G-System Services
__

Zurlindenstrasse 29 Tel  +41 61 826 93 00
CH-4133 PrattelnFax  +41 61 826 93 01
Schweiz Web  http://www.imp.ch
__




[Mimedefang] md_check_against_smtp_server not IPv6 proof?

2005-03-22 Thread Benoit Panizzon
Hi all

I just noticed that md_check_against_smtp_server seems to fail when checking 
an IPv6 only destination server.

(Not sure if $ip contains only IPv4 but in other routines the IPv6 address is 
correctly returned...)

Also on Servers which are reachable through IPv6 and IPv4 I noticed that 
md_check_against_smtp_server does an IPv4 connection for testing the recipient 
and then sendmail sends the email itself via IPv6. This could lead to strange 
problems in case there are different virtual mailservers on those different 
IP-Addresses.

Is this going to be fixed in future releases?

-Benoit-
-- 
SPAM SPAM SPAM SPAM / Hormel's new miracle meat in a can
Tastes fine, saves time. / If you want something grand, / Ask for SPAM!
  - Hormel's 1937 jingle for SPAM
___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


[Mimedefang] Multiple socket types?

2005-03-22 Thread Benoit Panizzon
Hi all

I have a centralized MIMEDefang Machine which is connected by socket.

Is there a way to listen to multiple sockets?

SOCKET=inet:,inet6:

-Benoit-
-- 
SPAM SPAM SPAM SPAM / Hormel's new miracle meat in a can
Tastes fine, saves time. / If you want something grand, / Ask for SPAM!
  - Hormel's 1937 jingle for SPAM


Re: [Mimedefang] Problem with md_graphdefang_log_enable('mail', '0');

2004-12-01 Thread Benoit Panizzon
Hi all

Problem is solved...

I got puzzled by the fact that sendmail logs each recipient when mimedefang 
finds a virus, but there's only one MDLOG line per connection now.

Regards
-Benoit-


[Mimedefang] Problem with md_graphdefang_log_enable('mail', '0');

2004-12-01 Thread Benoit Panizzon
Hi all

mimedefang 2.43 running here.

As I understand the Man-Page, this should create only one log entry per 
message received.

md_graphdefang_log_enable('mail', 0);

is the second way I did try this.

Nevertheless, I still get one entry per recipient while scanning the email for 
viruses, which somehow looks very good in the stats, but is not what I 
want :-)

Any way to solve that issue?

Regards
-- 
Benoît Panizzon, <[EMAIL PROTECTED]>

ImproWare AG, UNIXSP & ISP Phone: +41 61 826 93 00
Zurlindenstrasse 29Fax:   +41 61 826 93 01
CH-4133 Pratteln   Net:   http://www.imp.ch/

