Re: [Mimedefang] KAM for MIMEDefang Leadership Role
On 10/22/2019 07:19, Dianne Skoll wrote:
> On 10/21/19 5:51 PM, Kevin A. McGrail wrote:
>> Good Evening everyone,
>> My name is Kevin A. McGrail. I've been a long-time user of MIMEDefang
>> and I'd like to put myself forward to take the mantle of leadership from
>> DFS now that she has moved on to other work. I don't envision it will
>> be as amazing as under Dianne's leadership but I look to continue
>> maintaining MD for the public good.
> I would love to see MIMEDefang continue as an actively-developed
> open-source project. I know Kevin and think he'd be an excellent
> person to lead the project, whether it continues under the MIMEDefang
> name or changes to a new name.
>
> I'm not in a position to support this project for the next 18 months or
> so, unfortunately, other than to provide a vote of confidence for Kevin.

I haven't been very active with MIMEDefang in recent years, but I have been using it for over 15 years now. Kevin has provided useful assistance on this list as well as contributing to the code as well for at least as long as I've been using it. For what it's worth, he gets my vote as well.

Alan

___
NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it.
Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] Logwatch stopped gleaning as much useful (MdF) info following FC5 upgrade
Philip Prindeville wrote:
> I used to get some useful Logwatch info when I was running FC3:
> ...snip...
> Then I upgraded the OS to FC5 (but kept everything else the same), and now I hardly get anything useful at all:
> ...snip...
> So... Anyone know what might have changed to stop logwatch from gathering as much useful information? Did one of the log formats change in either Sendmail or MdF that might cause it to not be grepped out properly by logwatch? Of course, that wouldn't have stopped Logwatch from gathering the useful summary information that it used to about top relays, volumes handled, etc.
>
> Thanks,
> -Philip

I ran into issues like this as well and dug into the logwatch configs, etc. I'm pretty sure that along with the FC3 - FC5 upgrade you upgraded logwatch (from RPM), correct? That's what happened to me, and I found that by default the latest logwatch ignores Milter: changed (or something like that) lines now.

HTH

Alan
Re: [Mimedefang] My semi-cached version of md_check_against_smtp_server
Yizhar Hurwitz wrote:
> HI.
> Here is my cached implementation of md_check_against_smtp_server. I publish it here for other to look at, and for tips on improving it.
> [...snip...]
> sub filter_recipient {
>     my($recip, $sender, $ip, $host, $first, $helo, $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_;
>     if ($CheckRecipientEnable and ($rcpt_mailer ne 'local')) {
>         if ($vrc_ram{$recip}) {
>             return ('CONTINUE', 'OK');
>         } else {
>             ### Check if $rcpt_host is in mailertable by looking for square brackets []:
>             if ($rcpt_host =~ /^\[(.*)\]$/) {
>                 my ($stat,$msg,$code) = md_check_against_smtp_server($sender, $recip, $HostName, $1);
>                 if ($stat eq 'CONTINUE') {
>                     $vrc_ram{$recip} = 1;
>                     tie (%vrc_disk, 'SDBM_File', $vrc_filename, O_RDWR, 0666) or die "Cannot tie $vrc_file for write, $!";
>                     $vrc_disk{$recip} = time;
>                     untie (%vrc_disk);
>                 }
>                 return ($stat, $msg, $code);
>             }
>         }
>     }
>     return ('CONTINUE', 'OK');
> }
> Comments are welcome.
> Yizhar Hurwitz.

Yizhar,

I have some comments that hopefully you'll find useful.

This is kind of a cool idea in that if the primary server used to check against isn't available you can still reject users that are unknown.

There are a couple problems with your current code that I can see.

Firstly, I would probably check_against_smtp_server before checking the cache, because you don't have any housecleaning code to handle the case where an account was deleted within the 30 days of the last cache store. This could cause your system to potentially accept mail for an unknown user and thus have to generate an NDS and defeat the entire purpose of this feature.

What I propose is:

1. check against the smtp server. if you get a tempfail, check your cache, otherwise use the pass/fail results from md_check_against_smtp_server()
2. if md_check_against_smtp_server() fails (i.e. the account does not exist), remove the account from your cache for house cleaning.

that way if the primary server is unreachable, you won't accept mail for an ultimately undeliverable user because it was left in your cache.

Secondly, I'm assuming that you just haven't gotten around to writing the code to check the mailertable for the relay host. however, it doesn't appear that you have a contingency plan for if the host does not appear in the mailertable. (i.e. what if all or some of the forwarding is handled by the virtusertable? what if it's aliases?) you may want to consider an assignable override variable as well so that way an administrator could give it a fixed value should they choose and still keep the code fairly portable.

also, there is no guarantee that even if the hostname is configured in the mailertable that it will be enclosed in square brackets [] ... as, the absence of the brackets just tells sendmail to actually do a DNS lookup on the hostname whereas the brackets tell it NOT to do the lookup.

Alan
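
The lookup order proposed in the reply above (ask the SMTP server first, fall back to the cache only on a tempfail, drop the cache entry on a reject), as an added example that is not code from the original posts or from MIMEDefang. The checker is passed in as a code reference so the logic runs stand-alone; in a filter it would wrap md_check_against_smtp_server(). The names check_recipient_cached, %cache and $CACHE_TTL, the in-memory hash standing in for the SDBM file, and the sample addresses are assumptions.

```perl
#!/usr/bin/perl
# Added example: server-first recipient check with the cache used only as a
# fallback. Hypothetical names throughout; not MIMEDefang's own code.
use strict;
use warnings;

my $CACHE_TTL = 30 * 24 * 60 * 60;   # 30 days, the lifetime mentioned in the thread
my %cache;                           # recipient => time last confirmed
                                     # (in-memory stand-in for the SDBM file)

# $check is a code ref returning ($stat, $msg, $code) in the same style as
# md_check_against_smtp_server(): 'CONTINUE', 'REJECT' or 'TEMPFAIL'.
sub check_recipient_cached {
    my ($recip, $check, $now) = @_;
    $now = time unless defined $now;
    my $key = lc $recip;

    my ($stat, $msg, $code) = $check->($recip);

    if ($stat eq 'CONTINUE') {
        $cache{$key} = $now;         # confirmed by the real server: refresh
        return ($stat, $msg, $code);
    }
    if ($stat eq 'REJECT') {
        delete $cache{$key};         # house cleaning: account no longer exists
        return ($stat, $msg, $code);
    }

    # TEMPFAIL (or anything unexpected): the server could not answer,
    # so this is the only case in which the cache is consulted.
    my $seen = $cache{$key};
    if (defined $seen && $now - $seen <= $CACHE_TTL) {
        return ('CONTINUE', 'OK (cached)');
    }
    delete $cache{$key} if defined $seen;   # entry older than the TTL
    return ($stat, $msg, $code);            # pass the tempfail through
}

# --- constructed demonstration ---------------------------------------------
my %mailboxes = ('alice@example.com' => 1);   # what the primary knows
my $server_up = 1;

# Stand-in for the SMTP probe against the primary server.
my $fake_server = sub {
    my ($recip) = @_;
    return ('TEMPFAIL', 'primary unreachable', 451) unless $server_up;
    return $mailboxes{lc $recip}
        ? ('CONTINUE', 'OK')
        : ('REJECT', 'User unknown', 550);
};

sub show {
    my ($label, $recip) = @_;
    my ($stat, $msg) = check_recipient_cached($recip, $fake_server);
    printf "%-30s %-18s => %-8s %s\n", $label, $recip, $stat, $msg;
}

show('primary up, valid user',      'alice@example.com');
show('primary up, unknown user',    'bob@example.com');

$server_up = 0;
show('primary down, cached user',   'alice@example.com');
show('primary down, never seen',    'carol@example.com');

$server_up = 1;
delete $mailboxes{'alice@example.com'};       # account removed on the primary
show('primary up, account deleted', 'alice@example.com');

$server_up = 0;
show('primary down again',          'alice@example.com');
```

The last two calls show the house-cleaning step: once the primary has rejected the address, a later outage no longer lets it through on the strength of a stale cache entry.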
Re: [Mimedefang] spamassassin config files - I'm confused
Delahunty, Mark wrote:
> When I run spamassassin manually it seems to behave differently from when MIMEdefang runs it.
> ...snip...
> I've attached my local.cf, init.pre and the full output from spamassassin --lint -debug
> What am I missing/doing wrong/breaking?
> Thanks for any suggestions
> Mark Delahunty
> UCC Computer Centre
> Cork
> Ireland

Mark,

basically, MIMEDefang doesn't allow Spamassassin to actually modify the message at all. Also, the network tests are determined by the $SALocalTestsOnly (i think, i'd have to check the code to be sure) value. if this is 0 then it will run network tests and you'll see things like *_SPAMCOP, etc. in your tests.

you should probably take another glance at the MIMEDefang documentation for specifics.

hope this helps.

Alan
Re: [Mimedefang] Spamassassin detailed score in message header
Tim Boyer wrote:
> action_change_header("X-Spam-Score", "$hits ($score) $names");
> works great, and gives me the total score. It would be great, however, if I could get more detail, e.g.,
> X-Spam-Score: 8.152 () AWL,BAYES_99 (5.38),DCC_CHECK (2.10),DNS_FROM_RFC_ABUSE (0.32),DNS_FROM_RFC_POST (0.22),FORGED_RCVD_HELO (1.23),UNDISC_RECIPS (0.01)
> Is there an easy way to do this? Or could someone point me to where it's spelled out in excruciating detail in the docs and I missed it completely?
> Thanks much,

Tim,

for what it's worth, I have a couple of pretty simple patches to SpamAssassin that will produce test score results as above minus the space between the name and the open parenthesis. the patches require one additional configuration setting in your sa-mimedefang.cf to basically turn on the option to have scores output in that manner.

the only downside is that every time I update SpamAssassin I have to re-patch it.

If you're interested, contact me off-list and I'll send them.

Alan
Re: [Mimedefang] What services need to be started?
megaspaz wrote:
> ...snip...
> I'm only really interested in mimedefang for the antivirus integration, so setting up mimedefang to process only emails with suspicious attachments and letting spamassassin process everything else would be fine, but it seems that having all services running is grossly inefficient as spamassassin would be processing emails that would already possibly be processed by mimedefang.
> Thanks for your consideration in this request and for any insight.
> Vincent Jong
> --If there's anything more important than my ego around, I want it caught and shot now...

Vincent,

If you're only interested in using MIMEDefang for anti-virus then you would still need to have spamd running as you're calling spamc from somewhere as you were previously and spamc requires spamd to be running.

HOWEVER, using MD for only anti-virus seems like a lot of overkill when you could probably use a different milter for the anti-virus (like clamav-milter, etc)

if you're interested in a site-wide anti-spam solution ( calling spamc from cron? ) then you may want to use MD configured with anti-virus AND spamassassin calls. If you know perl, MD is a great tool for taking control of your mail server filtering and protection.

So, when it's said that spamd isn't required with MD, it's specifically referring to standard MD install which includes calls into the SpamAssassin API (Mail::SpamAssassin) which have nothing to do with spamd at all.

hope this helps.

Alan
[Mimedefang] Re: netset: cannot include w.x.y.z as it has already been included
Matt Kettler wrote:
> Gilles Hamel wrote:
>> Hello,
>> We are running v3.1.5 with mimedefang. Here is our setup :
>> our own MTA with spamassassin ---/-- MTA at our ISP, our MX is HERE w.x.y.z / INTERNET
>> In the local.cf file we have :
>> trusted_networks w.x.y.z # Our MX
>> Every time mimedefang spawn a child, we get this warning in log file. If we remove the trusted_networks parameter, the warning vanishes. Can you explain the reason of this warning ?
>> Thank you
> Is there a duplicate setting in some other config file, ie: sa-mimedfang.cf?

I've just done a new install of mimedefang 2.58 with spamassassin 3.17 and have confirmed that there are no duplicate settings in any of the config files in /etc/mail/spamassassin.

also /etc/mail/sa-mimedefang.cf is a symbolic link to /etc/mail/spamassassin/sa-mimedefang.cf for forwards compatibility.

the error happens once each for every network included in either trusted_networks or internal_networks.

as an example in sa-mimedefang.cf:

trusted_networks 1.1.1.1/32 2.2.2.2/32
internal_networks 127.0.0.1/32 3.3.3.0/24

the error in my log files are:

mimedefang-multiplexor[PID]: Slave 1 stderr: netset: cannot include 1.1.1.1/32 as it has already been included
mimedefang-multiplexor[PID]: Slave 1 stderr: netset: cannot include 2.2.2.2/32 as it has already been included
mimedefang-multiplexor[PID]: Slave 1 stderr: netset: cannot include 127.0.0.1/32 as it has already been included
mimedefang-multiplexor[PID]: Slave 1 stderr: netset: cannot include 3.3.3.0/24 as it has already been included

This doesn't appear to be causing any problems, however.

cross-posting to mimedefang list as well.

Alan
Re: [Mimedefang] Rejecting forged senders - comments?
Cormack, Ken wrote:
> I'd like to see if anyone has any comments on an idea to block spam from forged senders who claim my domain in the sender address. I'm assuming something like this could (or should?) be done for both the SMTP MAIL FROM: and the From: in the header.
>
> If my domains are @domain1, @domain2, and @domain3, and the IPs that I EXPECT to relay me mail with my domains in the SMTP FROM line are accounted for, would anyone expect problems with something like the following?
>
> Let's say I have this function, to accommodate my known IPs...
>
> sub Relayed_FromME() {
>     if ($RelayAddr eq "127.0.0.1" ||
>         $RelayAddr eq "1.2.3.4" ||
>         $RelayAddr =~ /10.0.0/) {
>         return 1;
>     }
>     return 0;
> }
>
> ...And that I put this in filter_sender()...
>
> # If not relayed from an IP address that I EXPECT
> # my domains to be relaying from...
> if (!Relayed_FromME()) {
>     if ($sender =~ /@([^>]+)/) {
>         my $domain = $1;
>         # ...yet the claimed domain in the sender's
>         # SMTP address is one of mine...
>         if ($domain =~ /domain1/i || $domain =~ /domain2/i || $domain =~ /domain3/i) {
>             # log it...
>             md_syslog 'info', "$QueueID: Forged_Sender_SMTP: Sender SMTP address claims to be from $domain, but $ip not an expected source for $domain senders.";
>             # and reject it...
>             return ('REJECT', "Sender SMTP address claims to be from $domain, but $ip not an expected source for $domain senders.");
>         }
>     }
> }
>
> Does anyone see any problems?
> Ken

Ken,

If you use this machine for both incoming and outgoing mail *AND* you have any remote users then you'll likely start rejecting mail from those remote users. It might be more prudent (if possible) to implement SMTP AUTH checks in conjunction with these checks. (i.e. if the user claims to be from your domain but isn't authenticated, reject)

Also, you'll want to escape the @ in your tests to avoid any unexpected results. you should probably make your relay test look like $RelayAddr =~ /^10\.0\.0/ as well (to anchor it to the beginning of the line) just to make sure it doesn't match on some funky relay address (although it shouldn't).

you may also want to put in some SPF tests in your filter and setup SPF records for your domains (if possible). That may make it a little easier to administrate in the future.

other than that, i don't see anything jumping out at me.

HTH

Alan
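
The three points in the reply above (an anchored relay match, an escaped @ when extracting the sender domain, and an exception for authenticated remote users), as an added example that is not code from the original posts. It goes slightly further than the thread by comparing the sender domain exactly instead of by substring; is_forged_local_sender, the $authenticated flag and the sample domains and addresses are assumptions, and how a filter learns that the session used SMTP AUTH is left to the caller.

```perl
#!/usr/bin/perl
# Added example (hypothetical names, constructed sample data).
use strict;
use warnings;

# Domains this server is responsible for (placeholders).
my %MY_DOMAINS = map { $_ => 1 }
    qw(domain1.example domain2.example domain3.example);

# Relays that are expected to send mail carrying our own domains.
# Dots are escaped and the pattern is anchored at both ends.
sub relayed_from_me {
    my ($relay) = @_;
    return 1 if $relay eq '127.0.0.1' || $relay eq '1.2.3.4';
    return 1 if $relay =~ /^10\.0\.0\.\d{1,3}$/;
    return 0;
}

# The unanchored test as posted in the thread, kept only for comparison.
sub relayed_from_me_loose {
    my ($relay) = @_;
    return ($relay eq '127.0.0.1' || $relay eq '1.2.3.4'
            || $relay =~ /10.0.0/) ? 1 : 0;
}

# Domain part of an envelope sender such as <user@domain1.example>.
sub sender_domain {
    my ($sender) = @_;
    return unless defined $sender;
    return lc $1 if $sender =~ /\@([^>\s]+)/;   # @ escaped explicitly
    return;                                      # null sender <> has no domain
}

# True when the envelope sender claims one of our domains but the session
# is neither authenticated nor coming from an expected relay.
sub is_forged_local_sender {
    my ($sender, $relay, $authenticated) = @_;
    return 0 if $authenticated;           # remote users who logged in
    return 0 if relayed_from_me($relay);  # our own outbound hosts
    my $domain = sender_domain($sender);
    return 0 unless defined $domain;
    return $MY_DOMAINS{$domain} ? 1 : 0;  # exact match, not a substring
}

# Constructed sample sessions: [sender, relay address, authenticated?]
my @samples = (
    ['<user@domain1.example>',        '10.0.0.25',   0],
    ['<user@domain1.example>',        '203.0.113.7', 0],
    ['<user@domain1.example>',        '203.0.113.7', 1],
    ['<user@notdomain1.example.org>', '203.0.113.7', 0],
    ['<user@domain2.example>',        '110.0.0.9',   0],
    ['<>',                            '203.0.113.7', 0],
);

for my $s (@samples) {
    my ($sender, $relay, $auth) = @$s;
    printf "%-32s %-12s auth=%d verdict=%-6s loose_relay_match=%d\n",
        $sender, $relay, $auth,
        is_forged_local_sender($sender, $relay, $auth) ? 'REJECT' : 'accept',
        relayed_from_me_loose($relay);
}
```

The loose_relay_match column shows which relay addresses the posted pattern would have treated as internal, next to the verdict from the anchored version.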
Re: Fwd: Re: [Mimedefang] Should I try to do MIMEDefang with Mailscanner for backup MX
Steve,

Steve Campbell wrote:
> ...snip...
>> Why don't you just use sendmail to throw them away? As others already pointed that out, you could provision your primary access database(s) to the secondary (or make the secondary use the primary's access.db over a TCP socket) and have sendmail do the rejecting without bothering MIMEDefang.
> I'm getting the feeling that I am not using sendmail properly with regards to mail accounts. Right now, whenever I need a new mail account, I just create a new user on the box. Imap and pop accounts are then available when needed. I don't add anything to the access files for users. For now, I just use the access files for spam, blocking IPs, and the like.

You're using sendmail properly. My setup is nearly identical to yours (only my primary MX is the primary MX for *ALL* my domains, and my secondary MX is the secondary MX for *ALL* my domains, that's the only difference)

>> You could deliver the primary's access database to the secondary somehow (via scp/rsync, ftp, etc. like in every 5 minutes or so, or just when your primary access database gets updated, e.g. when you add a new mailbox) and merge both access files before building the access.db. Thus the secondary MX will always have all the information needed to reject mail coming to non-existing recipients for both of your domains.
> My paragraph above sort of explains why this won't work, since my access file doesn't contain much. I'll look and see what it has, though, and maybe I can do something with it.

Distributed access lists, while providing an independent means of rejecting unknown users even if the primary MX is unavailable, is more of an administrative burden. Plus, if whatever system that provides the list of valid users for you to distribute to your secondary MX is unavailable, your access list will be out of sync and you could potentially accept messages for no longer valid users and somewhere down the road end up generating a DSN.

>> If your backup MX is unable to reject unknown recipients when the primary is unreachable, it would need either to accept and queue everything and then relay that to the primary, or to tempfail everything. The first could result in a lot of junk and useless bounces clogging the queues, the second would be equivalent to not having a secondary at all.
> Agreed, and the former is what it does at the present time.

if your MX servers are decent hardware, and regularly monitored / maintained, your primary MX shouldn't be offline much (if at all) and this shouldn't really be a big issue.

> I kept wondering why everyone kept saying I didn't need MD, and now I see why. I'll have to rethink my entire access scheme. At the moment, all mailboxes for a domain are on the primary MX. If mail goes to the backup MX, it gets relayed, but only because I relay the entire domain to where the mailboxes are (the primary MX for the domain). It all used to be so simple.

It's still pretty simple. The reason people are telling you you don't need MD is because you apparently JUST want to reject unknown users on your secondary MX.

of course, if you wanted to implement AV and SA scanning into your MD filter, it makes sense to use it to do all of that, instead of using MD to only check recipients against the primary MX and then using other milters, etc to do the other functions. especially since you can do so much more with MD that could reduce (even more) the amount of mail that's being processed by your AV scanner and SA (like bogus HELO checks, greylisting, etc).

Also, since your primary MX is the secondary MX for *SOME* of your domains, and your secondary MX is the primary MX for *SOME* of your domains, you essentially make this process more difficult. so you'd either need to manage nearline access/virtual domain lists carefully enough to know which is on which machine, or you'll need to write an MD filter that'll check against the proper primary MX machine based on which domain the mail is coming in for. then you'll have to take into consideration what happens if one mail comes in for users in two overlapping domains? (i.e. one domain's primary MX is the other domain's secondary MX) you could potentially use MD's stream_by_domain() functions, but then that'll basically nullify your ability to 5xx reject mail and force you to generate DSNs for even unknown users (which kind of defeats your purpose and everyone else's arguments about rejecting mail)

I would say that if you want to keep your (real) user accounts on two separate servers for certain domains, then your ideal setup would be to make each of those servers the primary MX for those domains respectively and then install one or more additional servers as backup MX for all domains. since a backup MX isn't intended to be used for much traffic, and only intended to queue mail if the primary MX is down, you should have problem using an
Re: [Mimedefang] Should I try to do MIMEDefang with Mailscanner for backup MX
Atanas wrote:
> ...snip...
> I primarily deal with non-standard sendmail setups hosting virtual domains (e.g. multiple mailboxes and multiple domains per single user) via local delivery agent (LDA) like procmail and maildrop, where sendmail acts as a middleman between the sender and the LDA.
>
> For your standard sendmail setup (i.e. one mailbox per user and no LDA) on your primary MX you don't really need that list in your access.db. Sendmail already knows how to deal with non-deliverable messages and effectively rejects them before entering the queue.

Just to clarify, if the destination mailbox is local, then at least with sendmail an LDA (Local Delivery Agent) is required. I'm not familiar with other MTA software so I don't know if the LDA functionality is built-in to the MTA itself or not, but with sendmail a separate LDA is required. By default the LDA is procmail.

> 1. Sender => Primary MTA -> Mailbox
>
> On your secondary MX however, the situation is quite similar to my virtual domain setup. Here's what your delivery chain looks like:
>
> 2. Sender => Secondary MTA => Primary MTA -> Mailbox
>
> and here's mine:
>
> 3. Sender => Primary MTA => LDA -> Mailbox
>
> In both cases (#2 and #3) there's one middleman - your secondary MTA or my primary MTA. I have also longer delivery chain with two middlemen in case mail comes in through my secondary:
>
> 4. Sender => Secondary MTA => Primary MTA => LDA -> Mailbox
>
> In all of the above scenarios, leaving at least one middleman with no clue about the destination end point what's valid and what not, creates a gap which depending on the mail volume (or a dictionary attack for instance) could quickly get filled with useless junk floating around.

both sets of examples are identical, only in one set you've explicitly mentioned the LDA and in the first set the LDA is implied.

If your middleman is sendmail, then your explanation above is incorrect. sendmail needs to know the delivery path before it can process the message for delivery. which means that sendmail knows if the email address is valid or not. if the email address is *NOT LOCAL*, sendmail may not know the deliverability of the address, but it knows if it's valid.

so, for instance, sendmail when receiving a message for [EMAIL PROTECTED] first has to determine if it is to accept mail for domain.tld. if it doesn't accept mail for domain.tld, it has to determine which MX host DOES accept mail for domain.tld and whether or not it is allowed to relay the mail.

if sendmail *DOES* accept mail for domain.tld, then it checks to see if [EMAIL PROTECTED] is local to this machine. if it is then it checks to see if there are restrictions to sending to [EMAIL PROTECTED] (often with access database or virtualuser database, etc) part of these checks are to see if this user actually exists on this host. this is part of sendmails validation of deliverability. once it is determined to be locally deliverable, the message is then passed to the LDA for actual delivery.

I wanted to make these points clear because it seems that Steve may not be fully knowledgeable of the mail transport/delivery process and what you've explained could potentially be *really confusing*.

Alan
Re: [Mimedefang] Should I try to do MIMEDefang with Mailscanner for backup MX
Steve,

Steve Campbell wrote:
> [snip]
> a) MIMEDefang does things like relay checks, sender checks, and recipient checks that MailScanner doesn't do.
> This is where I want to remove the backup MX senders.

This type of scenario has been debated in a number of different mail related lists over time. One thing you need to consider is that, it is perfectly reasonable for legitimate mailers to hit your secondary MX server even if your primary MX server is running. This could be related to temporary failures on your primary MX causing the sending server to retry your secondary MX, or it could be cached information about which MX server to connect to.

Because of this, you need to be really careful about blocking mail coming into your secondary server.

> b) MailScanner does bulk AV and AS checks, instead of one at a time checks (which may lead to a net gain in efficiency).
> I would leave the MS/SA functions as they are. They would still do the AV and AS checks, but probably have less emails to check as MD has deleted the spammers' attempt around the primary MX. Although both servers are primary and secondary MX servers, they are deleting at the MTA, so both have less process cycles due to reduced MS/SA emails to check.

if your only means of reducing the load of your AV/SA scanning is based on the point of the connection, you may find that the effort to implement this doesn't provide quite the impact that you hope for or expect.

> [snip]
> The real problem I saw is that I can't find online man pages for mimedefang-filter, and most stuff I saw dealt with the md_check_smtp_*, or something like that, for checking if a user is a valid recipient on a server. Sorry, I'm at home now and don't have my notes in front of me.

in my setup, I have a machine that hosts multiple domains (MX1) and a backup MX (MX2) for those multiple domains. not as complicated a setup as yours, but on a basic level I have MX2 use md_check_smtp_server against MX1 to validate users and reject on invalid users right off.

I also have duplicate spamassassin and AV software installations on each of the MX servers, sharing a mysql database hosted on a third machine (spamassassin). in this situation, if MX1 is offline, the mail coming into MX2 is still checked for viruses and run thru SA. if it passes those phases, it's queued for delivery to MX1 when it becomes available. if not, it's rejected as appropriate.

this ensures that legitimate connections to MX2 (even if MX1 is available) aren't rejected, and worst case scenario is that while MX1 is offline and unable to validate users, some mail for unknown users may be queued and sent to MX1 when it's available, and then rejected causing MX2 to generate a DSN. as this happens so infrequently, I feel it's a reasonable compromise.

> One for, one against. I have just started playing with milters, so I like something that is configurable, more so than those that are fairly single-purposed.

MIMEDefang is an extremely powerful tool that gives you a broad range of possibilities for mail filtering. The downside is that you need to know at least the very basics of Perl in order for it to be configurable to your tastes. (and obviously the more you know about Perl, the better you can tweak it to your tastes)

I definitely recommend that you learn Perl, as doing so would allow you to easily do what you're looking to do with MIMEDefang.

HTH

Alan
Re: [Mimedefang] Warning: unable to close filehandle LOGF properly.
Tory Blue wrote: Did a search and a few people see this but no answers. Did I miss something running Mime 2.44/clamav/sendmail 8.13 on a Linux box

mimedefang-multiplexor[15477]: Slave 1 stderr: Warning: unable to close filehandle LOGF properly.

Thanks Tory

Just to kind of raise this issue again... I've googled and haven't found any definitive information (yet) ... I just upgraded to SA 3.1.3 and just now started seeing this problem (i.e. i wasn't having this problem up to SA version 3.1.0) I'm running mimedefang 2.53 (embedded perl), SA 3.1.3, Perl 5.8.0, RedHat 9.0 I'll note that I also just started getting the WARNING: Something in your Perl filter appears to have opened a file descriptor outside of any function... message. I haven't changed my filter at all, and i'm not making any database calls. All other file handling routines should be w/in functions (i.e. reading headers file, etc)

any ideas? alan
Re: [Mimedefang] Warning: unable to close filehandle LOGF properly.
Alan Premselaar wrote: Just to kind of raise this issue again... I've googled and haven't found any definitive information (yet) ... I just upgraded to SA 3.1.3 and just now started seeing this problem (i.e. i wasn't having this problem up to SA version 3.1.0) I'm running mimedefang 2.53 (embedded perl), SA 3.1.3, Perl 5.8.0, RedHat 9.0 I'll note that I also just started getting the WARNING: Something in your Perl filter appears to have opened a file descriptor outside of any function... message. I haven't changed my filter at all, and i'm not making any database calls. All other file handling routines should be w/in functions (i.e. reading headers file, etc) any ideas? alan

AND to reply to myself... I probably shouldn't be working on this while i'm sick. anyways, as it turns out, I installed SA 3.1.2 from CPAN as 3.1.3 apparently hasn't propagated to CPAN yet. also, i'm running sendmail 8.13.6

alan
Re: [Mimedefang] DNS and MX records
Les Mikesell wrote: ..snip.. The place this is likely to be a problem is where you have virtual web servers with names in lots of domains pointing to the same box and you do want to accept mail for some of those names. Note that CNAMES take all the associated data for the related A records, so if you have an MX for the real A record, the CNAME'd names get it as well, and if you don't, mailers will follow the CNAME to the related A record.

This last part doesn't make a lot of sense, considering it's not legal to use a CNAME entry as an argument for your MX record. of course, while an interesting topic nonetheless, none of this is directly relevant to MIMEDefang. Just thought I'd be the one to say it. ;)

Alan
Re: [Mimedefang] DNS and MX records
Kris Deugau wrote: netguy wrote: Recently I updated DNS for a few domains. My registrar gives the option of assigning an IP addy for domain.tld without having an alias: mail.domain.tld Ok, says I, let's give it a go. Bam! Slam, Spam started invading my privacy. This leads me to believe either: 1. Mail ( spam ) in this case is being sent to domain names without doing MX lookups.

Yep. Spamware will certainly blindly open a connection to port 25 on domain.tld, rather than sorting through MX records. Personally, I think it's better to have that A record in place, spam notwithstanding.

If I'm not mistaken, even properly configured MTAs will revert to the A record of a domain if there are no MX records available. (although I haven't done any real research to back up this statement recently so I could be completely off base)

Alan
Re: [Mimedefang] exempt user problem
Luke Worthy wrote: Sorry about my previous post, I now realize that we need to keep some other features of this filter (it keeps a copy of everyone's email as well as the exemption thinggy). So below is my original post, and the listing of the filter code.

To: mimedefang@lists.roaringpenguin.com

Recently I have started with a new company, and they have deployed MIMEDefang on a few different sites, with a custom filter, that has exemption lists. Unfortunately the custom exemption list only works sometimes. IANAPP (I Am Not A Perl Programmer), and would really like some help on either how to fix this current filter. Here are the logs from me sending a Movie.wmv to an exempt user.

May 1 12:05:45 mail sendmail[20621]: k412XBf0020621: from=[EMAIL PROTECTED], size=3898524, class=0, nrcpts=1, msgid=[EMAIL PROTECTED], proto=ESMTP, daemon=MTA, relay=cpe-61-9-140-241.vic.bigpond.net.au [61.9.140.241]
May 1 12:05:45 mail mimedefang.pl[9050]: MDLOG,k412XBf0020621,exempt user,,0,[EMAIL PROTECTED],[EMAIL PROTECTED],testing
May 1 12:05:45 mail mimedefang.pl[9050]: MDLOG,k412XBf0020621,exempt user,,0,[EMAIL PROTECTED],[EMAIL PROTECTED],testing
May 1 12:05:45 mail mimedefang.pl[9050]: MDLOG,k412XBf0020621,bad_filename,Movie.wmv,video/x-ms-wmv,[EMAIL PROTECTED],[EMAIL PROTECTED],testing
May 1 12:05:45 mail mimedefang.pl[9050]: MDLOG,k412XBf0020621,mail_in,,,[EMAIL PROTECTED],[EMAIL PROTECTED],testing
May 1 12:05:45 mail mimedefang.pl[9050]: filter: k412XBf0020621: append_text_boilerplate=1 drop_with_warning=1
May 1 12:05:45 mail sendmail[20642]: k412XBf0020621: to=[EMAIL PROTECTED], delay=00:02:33, xdelay=00:00:00, mailer=local, pri=61316, dsn=2.0.0, stat=Sent

It kinda looks like it's going through twice. Luke (filter snipped)

Luke, After looking at your filter I can tell you what's going on.

firstly, it looks like it's going through twice because you're using stream_by_domain / stream_by_recipient functions which actually re-insert the message on either a per-domain or per-recipient basis (as appropriate) so that is normal.

secondly, the reason that you're getting inconsistent results from this is because you're trying to save exemption state information in a global variable. This won't work because the way MIMEDefang works, different slaves may process different parts of the same message. you should read the man pages for MIMEDefang and pay particular attention to the section that covers SAVING STATE INFORMATION.

hope this helps. Alan
Re: [Mimedefang] Filter not working (properly)
Ashley M. Kirchner wrote: Anyone have any idea why this piece of my mimedefang filter suddenly quit working?

    if ($FoundVirus) {
        md_graphdefang_log('virus', $VirusName, $RelayAddr);
        md_syslog('warning', "Discarding because of virus $VirusName");
        $QuarantineDir = '/var/spool/MD-Quarantine/virus';
        action_quarantine_entire_message("Message quarantined because of virus: $VirusName.");
        $QuarantineDir = '/var/spool/MD-Quarantine';
        return action_discard();
    }

It's logging the virus message just fine, and I get the quarantined e-mails as well, and clamav is also reporting the virus as it should in its log file, but MD is not saving the data in /var/spool/MD-Quarantine/virus anymore, it just stopped. Any ideas as to why? The last two items that got updated were clamav (0.88.1) and sendmail (8.13.6). Haven't touched MD just yet, though it also needs an update.

Ashley, here are the obvious questions: have the permissions on the directory changed at all? do you have any files in /var/spool/MD-Quarantine? (as opposed to /var/spool/MD-Quarantine/virus) I'm not sure why you set $QuarantineDir twice, and theoretically it shouldn't have any impact, but maybe somehow it is and it's writing the files in the wrong place. (really reaching here)

I'm assuming you've restarted sendmail and MIMEDefang as well during the upgrade process for sendmail but, just in case you haven't, you should. I would be tempted to question the clamav upgrade as a number of people have apparently been having problems with 0.88.1 (although I haven't had any at all), but it appears that it's returning the virus name properly so unlikely to be the cause. that pretty much leaves sendmail ... if you downgrade back to 8.13.5 (or whichever version you were using previously) does it work again?

alan
Re: [Mimedefang] MD 2.51/clamav .88.1 failure
Richard J. Kieran wrote: On Friday, 4/7, I updated clamav from version .88 to .88.1. When I did so, virus scanning broke. Maillog was filled with entries like:

Apr 7 15:49:23 hoover mimedefang.pl[66764]: Problem running virus scanner: code=999, category=cannot-execute, action=tempfail
Apr 7 15:49:23 hoover sm-mta[67374]: k37JnNo4067374: Milter: data, reject=451 4.3.0 Problem running virus-scanner
Apr 7 15:49:23 hoover sm-mta[67374]: k37JnNo4067374: to=[EMAIL PROTECTED], delay=00:00:00, pri=145673, stat=Problem running virus-scanner

The clamd.log showed no problems. It seemed to be happy as a, well, clam. I'm running MD version 2.51 on FreeBSD 5.4. I was able to fix it by re-installing clamav .88 Has anyone else seen this problem? Do I need to update MD? Any other thoughts? Richard

Richard, There's been some conversation on the clamav list about problems with the config files since upgrading to 0.88.1 (even not associated with mimedefang). you should check your clamav config files to make sure you don't have more than one space between the directive and the value, specifically in relation to the LocalSocket directive. apparently while the following works:

    LocalSocket /tmp/name/of/socket/file

the following is broken in 0.88.1:

    LocalSocket  /tmp/name/of/socket/file

(notice the extra space?) So far on the clamav users list there's no talk about a patch or a fix for this problem other than to check your config files for extraneous spaces.

hope this helps. Alan
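The config check suggested in the reply above, as an added example that is not part of the original post: it reports every directive separated from its value by more than one whitespace character and writes a normalized copy. The sample config is constructed, and the function names are hypothetical.

```python
import re

# "Directive<whitespace>value"; comment lines and bare keyword directives
# (no value) do not match and are left alone.
DIRECTIVE = re.compile(
    r'^(?P<indent>\s*)(?P<key>[A-Za-z][A-Za-z0-9]*)'
    r'(?P<sep>[ \t]+)(?P<value>\S.*?)(?P<trail>\s*)$'
)

# Constructed sample, not taken from a real deployment.
SAMPLE = "\n".join([
    "# constructed clamd.conf sample",
    "LogFile /var/log/clamd.log",
    "LogSyslog",
    "LocalSocket  /tmp/name/of/socket/file",   # two spaces: the reported failure
    "MaxThreads 10",
    "DatabaseDirectory   /var/lib/clamav",     # three spaces
]) + "\n"


def lint_clamd_conf(text):
    """Return (line_number, directive, separator_length) for each directive
    whose separator is longer than one character."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = DIRECTIVE.match(raw)
        if m and len(m["sep"]) > 1:
            findings.append((lineno, m["key"], len(m["sep"])))
    return findings


def normalize(text):
    """Rewrite every 'directive value' line with exactly one space between
    the two; indentation and trailing whitespace on those lines are dropped.
    All other lines are copied through unchanged."""
    out = []
    for raw in text.splitlines():
        m = DIRECTIVE.match(raw)
        out.append(f"{m['key']} {m['value']}" if m else raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for lineno, key, width in lint_clamd_conf(SAMPLE):
        print(f"line {lineno}: {key} is followed by {width} whitespace characters")
    print(normalize(SAMPLE), end="")
```
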
Re: [Mimedefang] sa-mimedefang.cf
[EMAIL PROTECTED] wrote: Mickey Hill wrote: On Thu, 2006-03-02 at 11:12 -0500, webmaster wrote: Well, sa-mimedefang.cf doesn't exist. Where can I obtain it and what does it say?

I believe it's in /etc/mail now.

I concur. Although I softlink my /etc/mail/sa-mimedefang.cf to /etc/mail/spamassassin/local.cf

So, to more directly answer the OP's question, /etc/mail/sa-mimedefang.cf should be whatever the contents of your local.cf file normally are, although configured for your mimedefang installation. I also, like Matthew, have a symlink of /etc/mail/sa-mimedefang.cf -> /etc/mail/spamassassin/local.cf which should be all you need to do. I think primarily this was done to prevent mimedefang from clobbering the SA local.cf file and keeping things separated for easy administration (i could be wrong). one thing it does do is make it easy to identify what config files are necessary for the mimedefang installation.

HTH alan
Re: [Mimedefang] MIMEDefang and mailman
Daniel O'Connor wrote: [snip] Hmm but mail that is destined to pass through mailman is handled by MIMEDefang first - I want to tell MD to treat all mail to my lists as for the mailman user (ie use the mailman user's Bayes DB). I don't mind if I have to put something like..

    if ($to eq 'list1' || $to eq 'list2') { $user = 'mailman'; }

Daniel, I'm using mailman as well. If memory serves, I had to allocate a separate virtual domain specifically for the mailman lists in order for mailman to handle them properly. Assuming you're using the same type of configuration, you may want to look at stream_by_domain to process different domains with different parameters. I don't personally use stream_by_domain or stream_by_recipient so I can't help you with specifics related to these, but hopefully this will point you in the right direction.

Alan
Re: [Mimedefang] OT: Disclaimer Madness
ya, if you gather all the disclaimers and then send them to the originating companies all at once, can you cause a disclaimer paradox and thus the universe to explode?

Dave Williss wrote: I hope you sent a copy of the combined disclaimers to them. :-)

- Original Message - From: Charles [EMAIL PROTECTED] To: mimedefang@lists.roaringpenguin.com Sent: Tuesday, February 14, 2006 6:38 AM Subject: Re: [Mimedefang] OT: Disclaimer Madness

David F. Skoll wrote: We should be grateful if you would also notify the IT Operations Manager at City Guilds of the e-mail, then delete it and destroy any copies of it. To contact the IT Operations Manager, please email [EMAIL PROTECTED]

I love this one. We *should* be grateful. D'Oh!

I wonder if a boilerplate like this would be an effective method for seeding a honeypot address?? H. Charles
Re: [Mimedefang] poor performence from SA
[EMAIL PROTECTED] wrote: [snip] I have upgraded to SA 3.1 but i get strange actions... I think that the SA is now checked before mimedefang filters and skips other filters...(but i'm not 100% sure about that? how can check?)

Did you install spamass-milter during your 3.1 install?

I stop about 1000 spam mail per day and get about 3000 legit mail per day (some of it SPAM!!)

are you saying that you block about 1000 spam per day and receive 3000 per day, some of which is spam? by definition legit mail != SPAM.

I noticed another very annoying problem that I posted before but could NOT resolved it here...which is GOOD email with spam score less than 5 end-up in spamdrop instead of delivered to user mailbox!

what are you using to move the mail to your spamdrop? are you quarantining the mail in mimedefang? are you pre-sorting to a different folder using something like procmail? are you just discarding the mail? we're a little short of useful information here.

and checking the headers it says: [quote]

X-Spam-Status: No, score=3.1 required=5.0 tests=DATE_IN_FUTURE_96_XX, MSGID_FROM_MTA_ID autolearn=no version=3.0.3

[end quote] this was from the spamdrop mailbox!! why is it there is the spam-status is NO ???

for one thing, this still shows it was scanned with version 3.0.3. are you sure that you properly upgraded to 3.1? make sure that any pre-existing 3.0.3 installation has been successfully removed. most importantly, for anyone to provide you any assistance, you'll need to provide more details about how you have it all installed.

hope this helps (even just a little) alan
Re: [Mimedefang] disclamer only for out going mails.
Joseph Brennan wrote: ...snip... No, since I have not been asked to do such a thing. The question just got me started thinking about how difficult it is to define what outgoing mail is. I didn't even mention the situation we have here, and also at many universities, that the company has many email servers, so that some mail outbound from the main system is actually internal mail by some definition.

I require all my users to use SMTP AUTH to send mail from our mail server, even from the internal network. So I use the SendmailMacros{auth_authen} (i think) to check to see if SMTP AUTH has been used to determine if mail is outgoing ... it seems to be fairly simple, but granted, not every place can enforce an SMTP AUTH policy.

alan
Re: [Mimedefang] Error message:Problem running virus scanner: code=2
[EMAIL PROTECTED] wrote: Mathew, Sorry for not answering your exact question...BUT What should certainly do is upgrade mimedefang to latest 2.54 and SA 3.0.3 and clamAV 0.87

Actually, SA 3.0.3 is still susceptible to a remote exploitable DoS attack, if anything upgrade to 3.0.4 (or the recent 3.0.5 release if you want to stick with the 3.0.x series or you can go to version 3.1.x) likewise, ClamAV 0.87 is also vulnerable to a remote exploit and 0.87.1 is recommended.

alan
Re: [Mimedefang] Creating live graph for monitoring the mail systems
Mathew Thomas wrote: Hi I use some Perl script to analyse the syslog which produces a lot of information like total mail, no. inbound/outbound mail, no. of spam, no. of mail with viruses, dropped mail, etc daily via a cron job. I would like to use the data to produce some graph for live monitoring the mail gateways via web. I can run the script every half an hour or 15 min and produce the necessary data. I don't know how to go ahead with it. Please reply. Thanks in advance for the help Mathew

Mathew, You can do all of that with Graphdefang, which should be in the contrib directory of MIMEDefang. I haven't checked to see if it's still included, but it used to be. not sure if this is exactly what you want, since it won't use your script, but it should produce semi-real-time-graph-monitoring.

HTH Alan
Re: [Mimedefang] Suggestions please ... ;)
Garry Glendown wrote: Oh how easy life would be if customers just bought services and stopped complaining about missing features ... ;) OK, here we go ... after some advice from the list, I installed MD to add special filtering capabilities to a customer mailserver. So far so good ... working as originally intended. I.e., filtering mails with a certain maximum size, filtering with a maximum number of recipients, etc ... I tried to clarify the exact handling and now got the request to have the filters modifiable based on the recipient/sender of the mail (at the customer's site). So, while the default might state that only attachments at 2MB are permitted, [EMAIL PROTECTED] is allowed to send or receive 5MB attachments, whereas [EMAIL PROTECTED] is supposed to receive msgs even if the number of recipient is greater than the default 50. Now - how would you folks handle this? Problem is the former mailserver (Tobit David) had such features ... And, can MD handle this split logic, i.e. can I duplicate the mail, deliver it to certain recipients, whereas I quarantine it to the rest (in case of multiple recipients)?

Garry, I don't personally use the feature so I'm not going to be able to give you much details, but it sounds like stream_by_recipient() might be what you're looking for. check man mimedefang-filter for more details. you'll probably also want to look at filter_sender and or filter_recipient to handle the recipient count logic and the file size logic.

hope this helps alan
Re: [Mimedefang] (no subject)
[EMAIL PROTECTED] wrote: I'm confused... I got a mailbox call spamdrop, where all spam detected by Mimedefang-SA is quarantined. Some of the emails subject is altered to contain:'*SPAM*', some '[SPAM]', and some are not changed???!!!??? I still have the problem of honest spam end up in spamdrop mailbox and NOT marked as spam by mimedefang headers?!?! Meni ...snip...

Meni, are you also calling Spamassassin/spamc via procmail by any chance?

alan
Re: [Mimedefang] Rejecting some recipients
Jeff Grossman wrote: [snip] Sorry for the run on message before. I have MIMEDefang set up with the md_check_against_smtp_server setting. So, it checks my server first to see if the address is valid or not. So, do you think it is still a problem with just putting the addresses I want to reject in the access database? The reason I would prefer that method is because the list of rejections is much smaller than the accept list, and the reject list does not change like the accept list does. [snip]

Jeff, if you have sendmail configured to use virtusertables, then you could put something like this in the virtusertables file:

    [EMAIL PROTECTED] error: nouser No such user here

you'll have to check the docs for what the values of the error: directive are for virtusertables, but that will probably do what you want it to do.

alan
Re: [Mimedefang] exiting the filter before any processing
Rolf wrote: hello I've tried so many combinations and none work. Feeling a bit silly. Where can I put in mimedefang-filter a statement so that the filter exits before any processing happens based on $RelayAddr ?? I've tried a simple:

    return if ($RelayAddr eq "ip address");

in various parts of the filter but none make any difference. Do I need such a statement in each of the subroutines? What am I missing and/or misunderstanding?

Rolf, I think you want to put something like this in filter_relay:

    if ($RelayAddr eq 'ip address') {
        return('ACCEPT_AND_NO_MORE_FILTERING', 'ok');
    }

and you'll also need to make sure you're calling mimedefang with relay checking turned on. You should check the man pages for how to do this specifically as I don't remember off the top of my head.

HTH alan
Re: [Mimedefang] Checking origin of sender
Ian Mitchell wrote: ...snip...

    HELO junkmail.com
    MAIL FROM: [EMAIL PROTECTED]
    RCPT TO: [EMAIL PROTECTED]
    DATA
    From: [EMAIL PROTECTED] [EMAIL PROTECTED]
    To: [EMAIL PROTECTED] [EMAIL PROTECTED]
    ...

Why would this make it past your SPAM filter? Unless you're doing something like whitelisting your domain (which is a bad idea in general) it should still be scanned. Especially since in your example you have: MAIL FROM: [EMAIL PROTECTED] From: [EMAIL PROTECTED] [EMAIL PROTECTED] which means that as far as the MTA is concerned, the mail came from [EMAIL PROTECTED] ..

Now what's the advantage of the above? It appears to come from the receiver thus allowing it to be filtered on appropriately. Now as long as the email doesn't break too many of the literally thousands of other rules, it will make it through and appear to be legitimate (at least on the side of the server).

actually, it will only appear to be legitimate on the side of the client. assuming the client displays the [EMAIL PROTECTED] part of the FROM: value as the sender (which a lot of clients do) this is more of a social engineering issue, except that it's not really since the system is working exactly as it's been designed to.

No email from my domain either in the plain text name portion or the actual sender email address should originate outside my domain's SPF record. Any suggestions for hunting and destroying these emails?

In this case, if you want to avoid your end users being confused by this type of email, I would suggest that you check the comment portions (in quotes) and the email portion (in <>) of the From: to see if the comment contains your domain name, and if so if it matches the domain from the <>. if it doesn't match, markup the Subject or add a tag to the From: comment to make it obvious that it wasn't originated from your network.

HTH alan
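The From: comparison suggested in the reply above, as an added stand-alone example that is not part of the original post and not MIMEDefang code: it splits a From: value into its display-name and address parts, and tags the Subject when the display name names a local domain but the address does not belong to one. `LOCAL_DOMAINS`, `TAG`, the function names and the sample headers are assumptions constructed for illustration.

```python
import re

LOCAL_DOMAINS = {"example.com"}   # assumption: the domains this site receives mail for
TAG = "[EXTERNAL]"                # assumption: marker added for the end user

ANGLE_FORM = re.compile(r'^\s*(?P<name>.*?)\s*<(?P<addr>[^<>]*)>\s*$', re.S)
PAREN_FORM = re.compile(r'^\s*(?P<addr>\S+)\s*\((?P<name>.*)\)\s*$', re.S)
DOMAIN_IN_TEXT = re.compile(r'((?:[a-z0-9-]+\.)+[a-z]{2,})', re.I)


def split_from(value):
    """Return (display_name, address) for 'Name <addr>', 'addr (Name)'
    or a bare address."""
    m = ANGLE_FORM.match(value) or PAREN_FORM.match(value)
    if not m:
        return "", value.strip()
    return m.group("name").strip().strip('"').strip(), m.group("addr").strip()


def is_local(domain):
    """True for a local domain or any subdomain of one."""
    domain = domain.lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in LOCAL_DOMAINS)


def from_mismatch(from_value):
    """True when the display name mentions a local domain while the address
    between the angle brackets is not in a local domain."""
    name, addr = split_from(from_value)
    addr_domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    names_local = any(is_local(m.group(1)) for m in DOMAIN_IN_TEXT.finditer(name))
    return names_local and not is_local(addr_domain)


def tag_subject(subject, from_value):
    """Prefix the Subject once when the From: header fails the comparison."""
    if from_mismatch(from_value) and not subject.startswith(TAG):
        return f"{TAG} {subject}"
    return subject


# Constructed sample headers (From:, Subject:), not taken from real mail.
SAMPLES = [
    ('"ceo@example.com" <bulk@junkmail.example.net>', "Invoice"),
    ('"Alice Example" <alice@example.com>', "Lunch"),
    ('"alice@example.com" <alice@mail.example.com>', "Minutes"),
    ('bulk@junkmail.example.net (example.com billing)', "Payment due"),
    ('"Bob at partner.example.org" <bob@partner.example.org>', "Quote"),
]


def review(samples=SAMPLES):
    """Return the Subject each sample would be delivered with."""
    return [tag_subject(subject, frm) for frm, subject in samples]


if __name__ == "__main__":
    for line in review():
        print(line)
```

In a MIMEDefang filter the same comparison would run in filter_end, with the Subject rewritten through action_change_header.
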
Re: [Mimedefang] Mimedefang, spamassassin and /etc/mail/spamassassin
Rudy Attias wrote: Hey all, I'm quite new with this configuration but I seem to get the hang of it. I'm running a mail relay(no local account) that forward to an exchange 2003 server in the lan. The relay is running sendmail and mimedefang that scan using spamassassin and clamav. I have 2 main problems, both of them are related about the way that mimedefang function with spamassassin. First problem that is partly solved is the bayes processing with spamassassin, in order to enable it I have added first to the /etc/mail/spamassassin/local.cf the following lines which made no effects:

    #Enable bayes
    auto_learn 1
    use_bayes 1
    bayes_path /var/spool/MIMEDefang/bayes
    bayes_file_mode 0666

trying to put the same lines to the /etc/mail/sa-mimedefang.cf created the files required in the directory /var/spool/MIMEDefang/bayes, bayes_toks and bayes_seen (is it all the files that need to be created?).

With later versions of MIMEDefang, it looks for /etc/mail/sa-mimedefang.cf instead of /etc/mail/spamassassin/sa-mimedefang.cf ... I've just created a symlink during my upgrade process and that works fine. (you could also make a symlink to /etc/mail/spamassassin/local.cf if you so chose)

I do not have local accounts so I'm not sure how bayes makes the learning?

you should consult the SA documentation and/or mailing list for specifics of how the autolearn function works.

How can I check the count of learned messages, if I'm not mistaken bayes will start filtering only after about 200 auto learned messages? Please feel free to correct me and enlighten me.

you are correct, Bayes will not kick in until you have at least 200 ham *AND* 200 spam learned. you can check using the commandline by running the following command:

    sa-learn --dump magic

Second problem is that I want to add some custom rules to spamassassin by adding some file (e.g newrules.cf) to /etc/mail/spamassassin but I have no indication that mimedefang read those, on the contrary it seems that when I added the bayes configuration to local.cf in that directory it didn't affect the spamassassin that is run from mimedefang. appending to sa-mimedefang.cf is the only option? If not how do I check or see in the logs that it actually loaded those files?

if i remember correctly, MD needs the primary config file (in this case /etc/mail/sa-mimedefang.cf) to pass to the SA API when initializing the modules. once this is done, any config directory directives (and defaults) are in place. So you can put anyfile.cf in /etc/mail/spamassassin and it will be used.

HTH alan
Re: [Mimedefang] Spam with more than one recipient - reject or not?
Michal Jankowski wrote:

> There are two users - user A and user B. User A wants to receive everything, user B wants to have all spam mail rejected (with action_bounce, so in case of a false positive the sender is notified). There comes a mail addressed to both A and B. What should mimedefang do?
>
> 1. Bounce
>    Pro: B doesn't get unwanted spam
>         Sender is notified
>    Con: It's not delivered to A
> 2. Deliver to A only
>    Pro: B doesn't get unwanted spam
>         A gets everything
>    Con: The sender thinks they both received it
> 3. Deliver to A and B
>    Pro: A gets everything
>         No problem with false positives
>    Con: B gets unwanted spam
> 4. ?
>
> Any ideas?

Michal,

It seems to me like the 'most ideal' option would be 1. I say this because if someone sent mail to A and B that got scored high enough to be bounced but it wasn't actually spam, then at least the sender is notified that it got rejected by the filters and they can fix the mail and send again.

2 would be my second option if A didn't accept the fact that if the mail scored high enough to be bounced that the likelihood of it being spam outweighed the likelihood of it being a FP. The problem is that if it is a FP in scenario 2, nobody knows and thus the problem can't be fixed.

3 would be the 'safest' option in the fact that no mail is being rejected or discarded, but it's certainly not an ideal installation. It would bring up the "why do we even have a spam filter anyways?" question from B quite often I would think.

I personally do global rejection if the mail scores above a certain score, otherwise I add spam headers and pass it on to the user to do with as they please (i sort mine into a spam folder). To date I've had 0 complaints about it and nobody has contacted me saying "my mail got rejected, why?" (that doesn't necessarily mean that someone hasn't thought that but just not known how to get ahold of me, however)

so, that being said, i'd choose door #1.
Alan
Re: [Mimedefang] RE: Filtering on sender, recipient, and subject at the same time
Craig Green wrote:

> ...snip...
> Note that since you're in filter_end, the HEADERS file *is* available, so you can just parse that if you'd prefer. There was nothing wrong with your initial logic; it's just that parsing the file on disk is slower *and* it takes more code than using the MIME entity. However, if it works, it works. ;-)

Although if the spool directory is configured on a tmpfs (ramdisk) as has been recommended for quite some time now, then reading a file on disk is no longer an issue, as the disk itself is in RAM. (I do, however, agree that using the MIME Tools code is much cleaner to look at.)

Alan
Re: [Mimedefang] Blatent spam getting X-Spam-Score: 0 ()
Bill Curtis wrote:

> So any idea why these aren't getting any scores at all?

Bill,

If it were I, I'd put some debugging md_syslog calls in, right after you receive the results from the sa check and then also right before you write those values to the header. chances are somewhere in between, the variables you're using to populate the header are either nulled out or becoming undefined. find out for sure with debugging.

alan
Re: [Mimedefang] ClamAV's Worm/Trojan/Joke/W97M classifications
Chris Gauch wrote:

> Alan wrote:
>> One of the reasons I use 550 rejects for viruses is that I also scan outgoing mail... so if by some chance one of my users gets infected with a virus (regardless of the fact that we have desktop antivirus software installed on all our machines as well as ClamAV on the MX server) and it tries to send out using our mail gateway, the mail gateway will reject that mail with a 550 and throw an error back to the client machine. if the virus is in an attachment that they're legitimately trying to send, they'll get an error message and then they'll undoubtedly come crying to the helpdesk which will then kick them and tell them to run the latest antivirus software/signatures.
>
> While it certainly makes sense to reject viruses when scanning outgoing mail from your own network, it's best to make sure that virus attachment is removed prior to rejecting and generating the bounce. We also used to do the same thing (rejecting viruses) when it came to outbound mail from our own mail server (which is completely separate from our MD/ClamAV (CanIt-PRO) gateway cluster), where we run a commercial AV scanner. In at least a dozen or so situations early last year, we were basically rejecting viruses from client PCs, but the ignorant users (who WERE NOT infected prior to receiving the bounce), would open the attachments in the bounce and infect their PCs, spreading the virus like wild fire.

Let me explain... I'm not generating bounces... i'm merely 550 rejecting ... which is fine in my situation because it's the SMTP outgoing gateway machine that is rejecting the content coming directly from the client machine. (which is on our local network) ...

so, what happens is, the user (on said client machine) writes email, attaches a file, hits send, gets a popup window that says "ERROR 550 YOUR MESSAGE CONTAINS A VIRUS" and doesn't go beyond that point until they either a) figure it out themselves and run their anti-virus scanner or (more likely) b) contact our helpdesk and admit that they don't know enough to really be allowed to touch a computer even indirectly connected to the internet. then our help desk eradicates the virus or tells the user they're SOL. no bounces (aka DSN or NDN) involved.

we have instituted a no MS internet software policy, but it doesn't necessarily mean that someone's not going to open OE or IE out of habit or just cuz they think they know what they're doing.

Also, one point that has been glazed over in this entire thread is that email is not the only way for these machines to be infected with viruses, and the user doesn't even have to be a complete moron to become infected any longer. Especially with exploits in which all you have to do is open the wrong URL, without knowing it or any indication on the site itself, just that one little act can infect your machine. nothing to do with mail.

right or wrong, i don't think either solution really adds any more to the problem, nor does it really remove anything from the problem. I think what these solutions do is change the way the problem is perceived by the people that are directly affected by the implementation of these solutions.

if AV scanners were absolutely, without a doubt 100% reliable, that would be a different story. if there were NO OTHER WAYS to contract these viruses, it would be a different story. if there weren't other legitimate causes for DSNs, NDN, or what have you, then the argument would hold more weight.

As it stands, obviously, my solution isn't appropriate for everyone, but it is most appropriate for me. my solution is rejection (not bouncing). my solution can have some adverse effects on other people as a result of someone else's malicious software, true. so does yours. just in a different way.

I take the stand (as others on the list also have) that I am not, and can not be responsible for everyone I come into contact with either directly or indirectly. As much as I would like to help everyone, i'm neither qualified, nor is it entirely appropriate. At a certain point, people need to take responsibility for themselves. That includes being responsible for what they do and/or do not tolerate, how they deal with those things that they find they are unable to tolerate, and how to alter their environment so that they can protect themselves from those things they are unable to tolerate.

The argument that i've seen here has been two-in-one. the first is that discarding is better than rejecting. for some, that is true and appropriate. the second, parallel argument is that the reason to discard is because people other than [insert admin/implementing authority/etc. here] are unable to accept or even understand responsibility for themselves and that we (the mail admin community) must accept responsibility for them and every other netizen instead of educating them as necessary for them to accept responsibility. This is the role of an enabler
Re: [Mimedefang] Timeouts when filter-sender is employed
Dirk the Daring wrote:

> ...snip...
> ##
> sub filter_sender {
>     my($sender, $hostip, $hostname, $helo) = @_;
>     # Can't be psicorps.org unless it's one of our IP's.
>     if ($helo =~ /(^|\.)psicorps\.org$/i) {
>         if ($hostip ne "127.0.0.1" and $hostip ne "209.170.141.XXX" and $hostip ne "209.170.141.XXX" and $hostip ne "209.170.141.103") and

the ) before the "and" in the above line is probably what's causing your problem. (non-matching parens)

>             $hostip ne "209.170.141.XXX" and $hostip ne "209.170.141.XXX") {
>             syslog('info', "MIMEDefang rejected a connection where Host $hostip said HELO $helo");
>             return(0, "Connection Rejected: $hostip is not authorized to use $helo for identification");

I'm sure it's been recommended that instead of returning 0 or 1 etc, you should return 'CONTINUE' or 'REJECT' etc. it shouldn't cause filter failures however.

>         }
>     }
>     return (1, "OK");
> }
> ##

when in doubt, running mimedefang.pl -test on your filter will show you most problems with your filter before running it live. perl -c should show you any serious compilation errors

HTH Alan
Re: [Mimedefang] Start order for sendmail, MD and Clam
Dirk the Daring wrote:

> Is there a particular order in which I should start sendmail, MD and Clam? That is, are there any dependencies, or reason that one should be running before the other (seems that sendmail will gripe about a missing socket if MD is not running, so I start MD first, but what about Clam?)
>
> Sendmail v8.13.4
> MIMEDefang v2.51
> Clam v0.85

Dirk,

I start mine in the order of:

CLAMD
MIMEDefang
Sendmail

considering the logic that MIMEDefang makes calls that may require CLAMAV's resources (in this case clamd), and sendmail makes calls that may require MIMEDefang's resources, it seemed appropriate to ensure that those resources are available before any chance of them being called. subsequently, i shut them down in reverse order.

HTH Alan
Re: [Mimedefang] 4.7.1 sendmail error
Greg Schlut wrote:

> Still bringing back that error. Spamassassin was not scanning the files and I did increase the delay. Any other ideas? I may try upgrading mimedefang this weekend, and see if that solves it, but it really does look like a timeout issue. Thanks for the help. --Greg

Greg,

are you using embedded Perl? do you still get the error if you run without embedded Perl? I've seen situations where while running in embedded Perl mode, the filter would time out trying to scan with SA, but in non-embedded Perl mode it would either work or fail with an error message. (it's been awhile, i don't remember the specifics off the top of my head)

I've also experienced odd time outs when I experienced hard disk problems on my MySQL server in which the disk would go into an endless loop while doing a seek and not time out or return an error. This wreaked all sorts of havoc on my mail server.

anyways, just some things to try in order to narrow down the cause of the problem. hope this helps.

alan
Re: [Mimedefang] Sober virus highlights problem
David F. Skoll wrote:

> ...snip...
> Interesting idea. I wonder how easy it would be to maintain local signatures for Clam, just to catch this kind of thing? I'll have to investigate.

I've never personally done it, but from following the conversations on the clamav users list, it seems like it's *REALLY* easy to do. something along the lines of using the sigtool to generate your own signature database and putting that in the database directory. (obviously this is a highly oversimplified, mostly uneducated explanation)

alan
Re: [Mimedefang] [possibly off-topic] ALL TRUSTED SA Problem
Kevin A. McGrail wrote:

> I am trying to assist with a problem where emails coming through an anti-spam gateway are getting scored with ALL_TRUSTED. I don't see a reason why they should be. I've looked at the SA Source code but still at a loss and I'm worried it's something in the mimedefang filter. Here's the headers from an email received by a user on an outlook client and I've obscured the data to protect the innocent. Any thoughts?
>
> Microsoft Mail Internet Headers Version 2.0
> Received: from fees.acompany.com ([192.168.216.48]) by vaexchange.acompany.com with Microsoft SMTPSVC(6.0.3790.0); Wed, 18 May 2005 05:29:48 -0400
> Received: from spam.acompany.com ([192.168.216.222]) by fees.acompany.com with Microsoft SMTPSVC(6.0.3790.211); Wed, 18 May 2005 05:29:47 -0400
> Received: from sndr132.beta-ca.mxsvrbsminc.net (sndr132.beta-ca.mxsvrbsminc.net [72.5.1.132]) by spam.acompany.com (8.12.11/8.12.11) with ESMTP id j4I9VSCr009059 for [EMAIL PROTECTED]; Wed, 18 May 2005 05:31:29 -0400
> Received: by sndr132.beta-ca.mxsvrbsminc.net id hhc3p806574u for [EMAIL PROTECTED]; Wed, 18 May 2005 02:14:52 -0700 (envelope-from [EMAIL PROTECTED])
> Received: from localhost by BSMgateway.2558621 (ver.3.3.100) with ESMTP id mid72236008.msg for [EMAIL PROTECTED]; Wed, 18 May 2005 02:14:52 -0700
> ...snip...

Kevin,

This is definitely an issue with SpamAssassin. You should set your trusted_network and internal_network settings for SpamAssassin appropriately. SA will do its best to try to figure this out on its own, however, especially in the case where your mail gateway server is on a private space IP address, it's not always able to do this.

It's been cautioned numerous times that correcting these settings is the most appropriate way to solve the problem, as other tests may be partially dependent on the trust path to function properly.

If you have your trusted_networks and internal_networks set properly, then just set the score to ALL_TRUSTED to 0 for now. There are some known bugs related to the ALL_TRUSTED rules and code, you should scan SA's bugzilla for them to determine if you're seeing symptoms of a bug or not.

Hope this helps.

Alan
Re: [Mimedefang] Incorrect required_hits setting
Richard J. Kieran wrote:

> Thanks for the thoughts. The required_hits setting is in sa-mimedefang.cf only. SpamAssassin figures it out and MIMEDefang doesn't. hmmm... I restarted MIMEDefang every time I made a change to the setting. No change. The same .cf files work on the old server. Definitely weird. I suppose I could bump up all my scores by 25%.

Richard,

Older versions of MIMEDefang looked for sa-mimedefang.cf in /etc/mail/spamassassin. 2.51 looks for it in /etc/mail. probably what is happening is that you don't have a /etc/mail/sa-mimedefang.cf file and thus it's using default values.

I've put a symlink in /etc/mail/sa-mimedefang.cf -> /etc/mail/spamassassin/sa-mimedefang.cf and that solved this issue for me. of course all of this is covered in the changelogs

HTH alan
Re: [Mimedefang] SMTP
Christopher Roberts wrote:

> Ben wrote:
>> You literally telnet on P:25 to their SMTP server and type the commands by hand. If you still get the error - something is wrong on their end.
>
> You live and learn! I have tried doing this for mailgate01.barclays.co.uk and mailgate02.barclays.co.uk and 90% of the time both immediately fail with:
>
> 421 4.0.0 mailgate02.barclays.co.uk Server error
>
> So the error is at their end... ? But, I did manage to connect successfully a few times, and got as far as:
>
> RCPT TO: MY [EMAIL PROTECTED]

Christopher,

I'd telnet to their server on port 25 and do the following:

EHLO your.mailserver.hostname
(you should get a string of 250- response messages)

MAIL FROM: [EMAIL PROTECTED]
(you should see another 250- response, if you get an error here, their mail server doesn't like something about your email address. more than likely your domain. more than likely your domain doesn't resolve properly)

RCPT TO: the.email.address.you'[EMAIL PROTECTED]
if at this point it returns a 421 error, the problem is definitely on their side, and it appears to be a problem with the recipient. if you get another 250- response then type:

DATA
(you should get a 354- response, type in anything and then follow it by a single . on its own line)

if HERE you get the error, then it could be related to anti-virus or anti-spam software configuration on their end, or other general configuration problems on their end. It could be related to sender or recipient depending on how their mail server is configured.

> Whereon I get domain invalid response. But I haven't seen any such failures in the logs, so I suspect that it generally doesn't get this far... Unless I don't have the log level set correctly - is there a recommended level for debugging? Currently:
>
> define(`confLOG_LEVEL', `8')dnl
> define(`confMILTER_LOG_LEVEL', `8')dnl

for debugging you might want to crank it up to 14

hope this helps

alan
Re: [Mimedefang] Tiny Text
-ray wrote:

> [snip]
> No, but I have seen 2.5 points before. :) Silly question, where would i put a new rule like that? I'm already changing some scores in /etc/mail/mimedefang/sa-mimedefang.cf, but not sure where to add a new rule.
> ray

Ray,

you should be able to create a file in /etc/mail/spamassassin (or where your spamassassin local rules directory is set to) called tiny_text.cf (or really anything.cf will work) with your rules and scores in them.

otherwise, if you're not comfortable with that or don't know where the spamassassin local rules directory is set to, you can just add them to the sa-mimedefang.cf file

HTH alan
Re: [Mimedefang] canonicalize_email error
Jan Pieter Cornet wrote:

> [snip]
>     sub canonicalize_email ($) {
>         my ($email) = @_;
>         $email =~ s/^<//;
>         $email =~ s/>$//;
>         return lc($email);
>     }
> basically all it does is remove any < or > from the email and return it in lowercase.

Actually, looking at this code again (with a clear mind) all it does is remove a preceding < and a trailing > if i'm not mistaken, i yanked the code from DFS's Verisign SiteFinder checking code that circulated the list awhile back.

> Have you considered RCPT To: aL\ien+foo@mail.12inch.com. which your mailer could accept as valid and deliver to you (Except that in your case, you're not accepting mail to the hostname of your MX, which is good, but in some cases that or something similar might be configured).

I very specifically do not accept mail for the hostname of my MX server (unless it's generated locally) as I don't *ever* use it. (and it's prone to changes at any given point in time) ... my experience has been that any mail (not locally generated) to [EMAIL PROTECTED] is 100% SPAM.

even if ' aL\ien+foo@mail.12inch.com.' gets passed to sendmail having passed thru my filters, if sendmail knows to strip the plussed content and handle the \i as an 'i' then it'll still get delivered, but SpamAssassin / CLAMAV / etc will still be run on the message. and [EMAIL PROTECTED] should be rejected. (I'll have to re-read thru my filter to double check all of this... I've pretty much got it in 'set and forget' mode for awhile)

> I've got a somewhat monstrous routine that will actually rewrite this to a canonicalized email address, and it does a loose RFC2821 compliance check too (somewhat less monstrous than the last chapter of mastering regular expressions, though).

I wouldn't mind seeing the code if you're planning to share it, although I probably won't spend a lot of time/resources implementing it on my personal server(s) just yet.
[snip] alan
Re: [Mimedefang] Using Stream_by_recipient
Mack wrote:

> When i stream by recipient, the email gets discarded and resent to each recipient as expected, however the new email doesn't pass through mimedefang (specifically filter begin/part/end). This results in not being virus chk/spam chk/boilerplated. It just seems to get sent directly from the queue and not pass back through mimedefang. I've tried all sorts, but have not been able to resolve this one. Somebody must know what i'm doing wrong lol
> TIA Mack

Mack,

I don't personally use stream_by_recipient, but if I'm not mistaken, when the mail gets requeued, it's queued from localhost. Make sure that you're not skipping checks based on mail originating from localhost, as that would pretty much result in the behavior you're seeing.

also, sharing your filter (or at least the relevant parts) may help to provide more specific advice.

HTH alan
Re: [Mimedefang] canonicalize_email error
Tim Boyer wrote:

> I tried putting in one of the subroutines that David presented at the Lisa '03 session. It's got the line
>
>     $recipient = canonicalize_email($recipient);
>
> in filter_recipient. But when I run it, I get this in the logs:
> ...snip...
> Have I typed it wrong? Spelled it wrong?

Tim,

You need to actually define a subroutine called canonicalize_email in the filter as well. mine looks like:

    sub canonicalize_email ($) {
        my ($email) = @_;
        $email =~ s/^<//;
        $email =~ s/>$//;
        return lc($email);
    }

basically all it does is remove any < or > from the email and return it in lowercase.

hope this helps.

alan
Re: [Mimedefang] Foreign Character Sets.
Keith Patton wrote:

> Yes sendmail accepts it, then it passes it to netscape and it rejects it.. Funny thing is that sometimes it works, other times it doesn't. I have noticed that nearly all the bounces I have seen have the content in a foreign character set (Chinese or Korean)... That is why I asked my question: could the foreign char set cause problems for MD?

I receive email with the iso-2022-jp and utf-8 character sets without any problems. of course I'm using sendmail 8.13.3 mimedefang 2.51, non-relay. previously I had an exchange server that I was relaying for, running older versions of sendmail and mimedefang. I didn't have any problems with those either. Perhaps it's a configuration issue with iplanet?

alan
Re: [Mimedefang] Compliance
Josh Kelley wrote:

> alan premselaar wrote:
>> I'd be interested in at least looking at it. Currently I'm using procmail for local delivery and its Quota handling is kludgey at best. I'd really like to get something working within MD. Since the method Jan uses calls the perl module for Quota directly, I don't think setting setuid on the quota application will make any difference (although I haven't looked at the Quota module code either)
>
> Here you go. A brief explanation: we're only really interested in checking quotas for students, since faculty/staff don't have quotas. Students use their student IDs for their usernames, with firstname.lastname set up as an email alias, so we have to check aliases. We test for numeric usernames to see if the account is a student (instead of testing something sensible like the account's gid - I don't know what I was thinking). Rather than checking current space usage against the message size, as Jan did, we just check to see if the user has already exceeded their soft quota and has exceeded their grace period (i.e., grace is 'none'). This means that the occasional over-the-quota bounce still gets generated (for messages that exceed the hard limit before the grace period expires, or for messages so big that they exceed the hard limit for users currently below the soft limit). This hasn't usually been a problem, but sometime I'll go back and add Jan's enhancements - thanks, Jan, for posting your code.
> ...snip...

Josh,

thanks. I took some of your code and Jan's code and hacked it all together. I thought about putting in the alias checking as well except that a) I use more than one alias database with sendmail and b) 99% of my aliases map to more than one user so it's not likely that '[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED]' is going to map to a UID to do quota checking against. Even if i traversed the list of real users in the alias, i'm still in a single recipient stage, so if one real_user in the alias is over quota, it would cause the message to be rejected for the alias, which I don't really want to do.

the code's only been written against and tested on RHEL ES3.0 linux. anyways, I figured I'd share my code:

    use Quota;    # CPAN Quota module, provides Quota::getqcarg

    $MAILDIR = "/path/to/mail/directories";
    $_QUOTA_CMD = "/path/to/setuid/quota/command";

    sub filter_recipient {
        my ($to,$from,$ip,$name,$first,$helo,$rcpt_mailer,$rcpt_host,$rcpt_addr) = @_;
        my $local = ($rcpt_mailer eq 'local');
        # only locally delivered recipients have a quota to check
        my @qrval = $local ? check_quota_info($rcpt_addr) : ();
        return(@qrval) if ($local && lc($qrval[0]) ne 'continue');

        # my greylisting code goes here

        # if this was the only testing done in filter_recipient you
        # could easily just do this:
        #
        # return(check_quota_info($rcpt_addr)) if ($rcpt_mailer eq 'local');
        #
        # and be done with it.
        return('CONTINUE',"ok");
    }

    sub check_quota_info {
        my ($to) = @_;
        my $uid = getpwnam($to);
        return('CONTINUE',"ok") if (!$uid); # possible alias

        my $dev = Quota::getqcarg($MAILDIR);
        my ($bc,$bs,$bh,$bt,$fc,$fs,$fh,$ft) = Quota_query($dev,$uid);
        return('CONTINUE',"ok") if ((!defined $bh) || ($bh == 0));

        ## if usage >= limit then perm-fail
        return('REJECT',"Quota exceeded.",'552','5.2.2') if ($bc >= $bh);

        ## fetch sendmail macros from commands file
        read_commands_file() || return('TEMPFAIL',"Internal error.");

        my $mailsize;
        if (defined $SendmailMacros{msg_size}) {
            ## round up to the next 4k block
            $mailsize = int(($SendmailMacros{msg_size} + 4095) / 4096) + 4;
        } else {
            $mailsize = 4;
        }

        ## if the mail is larger than remaining space, tempfail
        return('TEMPFAIL',"Quota exceeded, try again later",'452','4.2.2') if ($bc + $mailsize > $bh);

        ## else accept
        return('CONTINUE',"ok");
    }

    sub Quota_query {
        my ($device,$uid) = @_;
        my @retval = ();
        # pick the line for our device out of the setuid quota command's output
        my ($mailquota) = grep { /^\s+\Q$device\E/ } split('\n', `$_QUOTA_CMD $uid`);

        # return if user has no defined quotas
        return(@retval) if (!defined $mailquota || $mailquota =~ /^Disk quotas .{1,30}: none/);

        $mailquota =~ s/^\s+//;
        @retval = split('\s{1,6}',$mailquota);
        shift @retval; # remove device name from list

        # strip out '*' characters
        foreach my $val (@retval) { $val =~ s/\*//g; }

        my ($homedir) = (getpwuid($uid))[7];
        # pretend there's no hard limit for user if .forward file exists
        $retval[2] = 0 if (-f "$homedir/.forward");
        return(@retval);
    }

I still have the procmail quota kludge setup, so i figure even if some stuff sneaks past this code it'll still get a bounce with mailbox full status, but this should help nearly eliminate unnecessary bounce messages. (which i think is a good idea)

thanks again, alan
Re: [Mimedefang] Compliance
Jan Pieter Cornet wrote:

> We're not using it for any compliance testing (mainly because we're an ISP), but we do use it for other things:
> - rejecting on quota exceeded earlier than sendmail detects it
>
> How are you checking quota? Sounds interesting.
>
> Using the perl interface to quotactl, the Quota module. The big advantage of this is that we are able to reject at the SMTP level, based on quota, instead of having mail.local detect the out of quota condition, and then bounce it. This saves us on average about 4 or 5 bounces per second (with peaks to more than 10/sec during some spam runs).
> [snip]

On what system do you have this implemented? (linux? kernel?) I'm playing around with an implementation on RedHat ES 3.0 and the problem I'm running into is that MIMEDefang runs as the defang user, Quota::query is only allowed to get quota information for other users if run as the superuser.

did you run into these kind of issues? do you have a work around?

Thanks for sharing your code/logic and any assistance.

Alan
Re: [Mimedefang] Compliance
Jan Pieter Cornet wrote:

> [snip]
> You probably have direct attached storage on the linux box? Apparently that makes a difference. As a workaround, you could either run the mimedefang slaves as root (not recommended) or run a specialised quota daemon, as root, that can perform the quota queries for you.

ahh, yeah, internal storage ... the man page for quotactl states that Q_GETQUOTA is privileged which makes me believe that (at least for local storage) it would apply to the libraries. i'll try with the quota daemon...

thanks alan
Re: [Mimedefang] Compliance
Josh Kelley wrote:

> [snip]
> We use a setuid copy of /usr/bin/quota to do quota checking on our Red Hat server. (We use a copy rather than making /usr/bin/quota setuid since any updates to the quota package would reset the setuid bit.) It's probably not the most efficient setup, but I thought that it would be simpler than a quota daemon. I can post my code if anyone's interested, although it's not as fancy as Jan's. For example, we don't do any checking on ESMTP SIZE=, we just bounce for people who have exceeded their quota and exceeded their grace period.

Josh,

I'd be interested in at least looking at it. Currently I'm using procmail for local delivery and its Quota handling is kludgey at best. I'd really like to get something working within MD.

Since the method Jan uses calls the perl module for Quota directly, I don't think setting setuid on the quota application will make any difference (although I haven't looked at the Quota module code either)

Thanks, alan
Re: [Mimedefang] Compliance
Jan Pieter Cornet wrote: ...snip... Anyway, I consider it a feature :) It makes users more likely to clean up their act, instead of inadvertently using your system as a rain barrel. are you using stream_by_recipient to do this? or are you rejecting the mail for every recipient if just one of the recipients is over quota? alan
Re: [Mimedefang] configuring mimedefang
Speedy Sweedy wrote: Ok, based on what you guys are saying in here, I am now only scanning with mimedefang and using it to call clamav. I've tested my install with the resource from testvirus.org and it catches everything just fine. How do I get mimedefang to test for spam now? I have spamassassin installed and mimedefang detected it when i ran ./configure. The file sa-mimedefang.cf is also in my mail directory, yet it does not call spamassassin. What am I missing? You might be missing the documentation. All kidding aside. you'll need to look thru the /etc/mail/mimedefang-filter file to see how you have it configured to call SpamAssassin. by default I don't think it even writes anything to the syslog unless a message scores above a certain score. You should put some debugging calls in to confirm that it's working and then remove them once you're comfortable with it. the mimedefang documentation is your friend. alan
Re: [Mimedefang] Integrating SPF...
John Von Essen wrote: [snip] I am looking into SPF plugin for SA now. Does anyone know how it handles domains with no SPF record? I would assume that if no SPF exists, then forgeries are not penalized for that domain. Just need to make sure before I turn this plugin ON in production. basically SA handles SPF in the following way (from my experience):
if SPF is nonexistent, no SPF rules fire
if SPF is existent and softfails, an SPF_SOFTFAIL rule fires with very few points
if SPF is existent and hardfails, an SPF_HARDFAIL rule fires with slightly more points
if SPF is existent and passes, an SPF_PASS rule fires with fairly low negative points
overall, the SPF scoring is low enough to have *very minimal* impact and is not designed to be used for rejection based on SPF. One other thing (feel free to email me off list), what is the difference between Sender ID and using SPF records? Or are they the same thing I like SPF, I like the fact that you control it within your own domain via your DNS server. When I hear Microsoft talk about Sender ID I get nervous, I envision some type of paid subscription to be listed on some central repository that Microsoft controls! I haven't been following the progress of Sender ID, so I can't offer you any information about it. sorry. HTH alan
[Mimedefang] interesting problem with SQL backend
Today I had an interesting situation. This is more of an FYI in case anyone else has run into similar problems. (cross-posted to MIMEDefang list as well) I use SpamAssassin with MIMEDefang. I got notified by one of my users that they were unable to send mail suddenly. after checking the logs I determined that MIMEDefang was timing out and returning errors. the cause for this was very unclear (which is why i'm sharing my findings with all of you)... After digging around (and some assistance from David Skoll on the MIMEDefang list) I was able to determine that the problem was caused by SpamAssassin not being able to connect to the database server where the bayes database is stored. (using MySQL on a remote host) this caused all sorts of weirdness for no apparently good reason and was initially very confusing to diagnose.
The symptoms were:
* mimedefang started to return busy timeout errors.
* when restarting MIMEDefang (with embedded perl enabled) the multiplexor wouldn't complete loading and mimedefang wouldn't create the socket, causing sendmail to spit out file /path/to/mimedefang/socket/file unsafe errors.
* turning off embedded perl would allow mimedefang to start and create the socket, but then would spawn multiple instances of mimedefang.pl which just hung.
* mimedefang.pl -test and/or mimedefang.pl -features would hang indefinitely with no output.
the workaround: after determining the problem to be the connection to the SQL server, simply setting use_bayes 0 in sa-mimedefang.cf and restarting mimedefang resolved the problem. however, this obviously didn't utilize the bayes facilities.
the questions: I understand that the SQL code for SA is still 'experimental'. is there any way currently to set a forced timeout to connect to the SQL server? is this something I should open a BZ ticket about? being that I'm definitely not an SQL guru, does anyone have any suggestions for configuring a high-availability MySQL server configuration that could failover to a backup server should the primary one become incapacitated by a low-level hard drive failure? Currently I have 1 MySQL database server with the bayes databases on it (among other databases) and my primary and secondary mail servers both make connections to it to check the bayes database. This may be somewhat specific to the MIMEDefang implementation, but I suspect that there is a possibility that this type of behavior could have negative impact in other types of SA implementations as well. again, this is mostly an FYI, but any suggestions are welcome. Thanks, Alan
Re: [Mimedefang] Re: mimedefang error mimedefang.sock unsafe??
James Ebright wrote: As far as directories go.. the x bit simply means you can get a directory listing if you have privileges. For files it turns on execute allowing the file to be run as a program. I do not believe that should affect the operation of MimeDefang in any way as MD does not need the x bit on the directory as it already knows what the files are called and it only needs read write on the sockets. For some reason you are not getting the mimedefang.sock created. I would double check your config files and make sure you don't have MD trying to create it elsewhere. You might also want to double check your /var/spool file system and make sure its not an underlying issue like bad inode, out of space, out of inodes, etc. Jim I just encountered this same problem on a system that has been running flawlessly until today. I was seeing a bunch of
Mar 24 09:44:04 mail mimedefang-multiplexor[21236]: Killing busy slave 17 (pid 10445): Busy timeout
Mar 24 09:44:04 mail mimedefang[21249]: Error from multiplexor: ERR Filter timed out - system may be overloaded (consider increasing busy timeout)
and
Mar 24 09:44:24 mail mimedefang[21249]: mfconnect: No free slaves
errors in my mail log. after trying to restart sendmail and mimedefang I was getting the /var/spool/MIMEDefang/mimedefang.sock unsafe! error message and after doing some research realized that the file is not being created. my /var/spool/MIMEDefang directory is a 2GB tmpfs with proper permissions and the mimedefang-multiplexor.sock file is properly being created. I'm a little perplexed at this moment as to what could cause it to fail seemingly suddenly. any insight would be extremely useful. alan
Re: [Mimedefang] Re: mimedefang error mimedefang.sock unsafe??
alan premselaar wrote: [...snip...] I just encountered this same problem on a system that has been running flawlessly until today. I was seeing a bunch of
Mar 24 09:44:04 mail mimedefang-multiplexor[21236]: Killing busy slave 17 (pid 10445): Busy timeout
Mar 24 09:44:04 mail mimedefang[21249]: Error from multiplexor: ERR Filter timed out - system may be overloaded (consider increasing busy timeout)
and
Mar 24 09:44:24 mail mimedefang[21249]: mfconnect: No free slaves
errors in my mail log. ...snip... any insight would be extremely useful. alan So, to reply to my own post, I've been toying around and determined that Embedded Perl appears to be the culprit. I turned off embedded perl and mimedefang.sock is being created properly. It occurred to me that a friend of mine was having some other issues where mimedefang wouldn't start properly with embedded perl turned on and kept hanging on the call to SpamAssassin. I'm running mimedefang 2.49 with Perl 5.8.5 on RedHat EL 3.0 update 4 along with sendmail 8.13.3 is this a bug? for the time being I'll upgrade to mimedefang 2.51 and see if that changes anything. also, just for kicks I rebooted the machine (which I know i shouldn't have had to do, but i figured if i was having weird memory issues a reboot might clear them up) and that had 0 effect on the situation. Alan
Re: [Mimedefang] Re: mimedefang error mimedefang.sock unsafe??
David F. Skoll wrote: alan premselaar wrote: So, to reply to my own post, I've been toying around and determined that Embedded Perl appears to be the culprit. That kind of makes sense. If the multiplexor is very slow to initialize, mimedefang waits a bit before entering the main loop. The code looks like this: [...snip...] So if the multiplexor is whacked, it can take up to 50*3 seconds, or a minute and a half for the mimedefang.sock to be created. This is probably excessive. :-) I'm thinking 15 iterations around a loop with a sleep(1) in it is probably better. Regards, David. David, the multiplexor appears to be alive however. (as far as I can tell) ... the socket is created and it's in the process list. do you have any idea what might cause it to be so slow (somewhat suddenly) ? I also noticed that mimedefang.pl -features hangs as well. I've narrowed this down to *something* in my filter. Although I haven't figured out what yet, and nothing in the filter has changed during the period of time where everything was working as expected and it stopped working. I'm stumped. Alan
Re: [Mimedefang] Re: mimedefang error mimedefang.sock unsafe??
David F. Skoll wrote: alan premselaar wrote: So, to reply to my own post, I've been toying around and determined that Embedded Perl appears to be the culprit. ...snip... something's *really* hosed. I copied the mimedefang-filter.example file, and just changed the email addresses of the admin and daemon and i'm getting the same results. the problem is the mimedefang.pl -test just hangs... so, even if i get mimedefang to create the mimedefang.sock file sendmail just spawns a bunch of slave mimedefang.pl calls that all hang. everything was working (untouched) until this morning (JST) mimedefang.pl -features also just hangs... any ideas? alan
Re: [Mimedefang] This mail's for you... NOT!
[EMAIL PROTECTED] wrote: David F. Skoll wrote: Most of the spam messages that I receive are addresses to non-existing users... Mailing list I guess... Can I setup a way to accept mail for only a list of e-mail addresses? Yes, there are a number of ways to do this. Search the list archives for md_check_against_smtp_server Alas Exchange tends to accept EVERYTHING and send rejects later. With later versions of Exchange there's a registry hack to get it to behave properly. At one point I was using sendmail / mimedefang / etc in front of an exchange server (and have since gotten rid of the exchange server thankfully) ... at that time I used some sendmail rules to do LDAP lookups into the active directory to determine deliverability of mail and reject if undeliverable. We were using Exchange 2000 which didn't have the registry setting. as far as outgoing mail was concerned, the exchange server was on a local subnet (192.168.0.x) and I had the sendmail machine multi-homed. I just added the IP of the Exchange server into the access database with RELAY and used a mailertable to route incoming mail to the exchange server. while we were using the exchange server, it worked pretty nicely. alan
Re: [Mimedefang] Anyone using File::Scan?
David F. Skoll wrote: Hi, Does anyone use File::Scan with MIMEDefang? It seems to cause a lot of problems with false positives. For the next release, I'm considering removing the auto-detection of File::Scan. In other words, if you want File::Scan, you'll have to specifically ask for it in your filter. Any objections to this change? Regards, David. I used to use File::Scan on the office mail servers but I got complaints about false positives. I've since switched to ClamAV. I still use a combination of File::Scan and ClamAV on my personal mail server (where I can be more strict about what types of files are accepted as attachments). I think the change would be good, because up until now, if File::Scan is installed, it's used. I could see a case where it may be installed but not desired to be used. alan
Re: [Mimedefang] Perl help: quarantine and bounce criteria
Kenneth Porter wrote: I've got the following function for bouncing spam/viri in my office server. This gets invoked whenever the filter would bounce or discard, such as when the spam score is over 10. If the mail was addressed to a legitimate local mailbox (other than info or hostmaster) I want to quarantine instead of drop, but I'm still getting quarantines for a single local recipient of info or hostmaster, so I've got a bug in that expression I need help with.

    sub action_discard_bounce ($) {
        my($message) = @_;
        # don't quarantine if all recipients are @sewingwitch.com
        my $non_sewingwitch = grep !/[EMAIL PROTECTED]/i, @Recipients;
        # check for only recipient being
        # hostmaster or info (almost certain spam so don't quarantine)
        if ( $non_sewingwitch ( (scalar @Recipients != 1) || ($Recipients[0] !~ /^(info|hostmaster)[EMAIL PROTECTED]/) )) {
            action_quarantine_entire_message( action_discard_bounce $message);
        }
        if (MTA_is_domain_MX($MyDomain,$RelayAddr)) {
            # don't pester mx backup
            return action_discard();
        } else {
            return action_bounce($message);
        }
    }

Kenneth, I think something similar has recently come up on the list. what's the actual value of $Recipients[0]? if it's '[EMAIL PROTECTED]' (no quotes) then it won't match, and it'll call action_quarantine_entire_message. (because you're testing for with !~) hope this helps alan
Re: [Mimedefang] Need help with filter
Ronald Vazquez NLM wrote: Hello list: I have the following code as part of my: ...snip...

    my %trustedSubnets = (
    ^^
    # Loopback
    '127.0.0.1' = '255.255.255.255',
    # Home Network
    '192.168.1.0' = '0.255.255.255',
    };
    ^^^ - this should be );

also I think you also want to replace the = with , above. (my code uses commas, i'm not sure if the = will work as well or not off the top of my head) everything else looked ok to me. hope this helps alan
Re: [Mimedefang] Mimedefang - japanese emails
Marco Supino wrote: Hi, I am running mimedefang (2.48) on solaris, through the milter, and have problem with scanning japanese emails, it seems mimedefang strips the japanese mime parts, I don't know where to start in order for this not to happen, and i am still new to mimedefang, any help is appreciated. Marco. Marco, I've been using MIMEDefang (on linux) with japanese emails for a few years at least without any specific problems. can you provide more specific details of the problem? (and possibly attach a copy of your filter) alan
Re: [Mimedefang] Need help with virus notifications
Ronald Vazquez NLM wrote: Hello: I have been tasked with configuring MIMEDefang to allow a virus to come in thru the first instance, tag it with X-RrestrictedAttachment to allow our virus scanner to process it. The idea is that once Trend Micro drops the attachment, we can scan the body with the second instance of MD and drop the virus notification. Why? There are some extensions that even though they are stripped, we do notify our users of the action so they can take appropriate action. This means that we only want to stop notifications for uncleanable attachments. Does anybody know a better way to accomplish this? The goal is to avoid notifying our users of every virus-infected email we drop while still notifying them about a VBA file they were waiting for. Thanks in advance, Ronald Vazquez Ronald, It seems to me that because of the nature of most of today's viruses, you don't want to send any notifications if they tested positive. Since often the sender is forged, it's generally a bad idea to notify the sender. Since it's a virus, it's not usually something expected by the recipient anyways, so the notification only adds noise to the end-user's mailbox. in the case of a VBA file that gets quarantined or rejected, etc. that could be caught with the bad_filename routines (not necessarily a virus) and you could choose to make notifications separate for those than your virus handling. Although I would still caution that rejected bad_filenames will also hit potential virus attachments and still cause noise down the line. As a matter of policy, I reject (550 SMTP reject) any virus infected or bad_filename emails. if there's a legitimate user at the other end, they'll get notification of the failure. if there isn't, the noise should be minimal. hope this is helpful alan
Re: [Mimedefang] MD 2.48 , SA 3.0001 CHARSET_FARAWAY_HEADERS
Paul Murphy wrote: Alan, Check that you are running "spamassassin -D -p /etc/mail/spamassassin/sa-mimedefang.cf" or whatever to make sure that MD and your manual check are using the same config. If this is the issue, then carefully compare the default SA config with the MD version, and the difference should indicate the problem. Best Wishes, Paul, I've only got the sa-mimedefang.cf file in /etc/mail/spamassassin and i double-checked the debug information from spamassassin -D to confirm that it was using the same config file. I appreciate the response however. alan
Re: [Mimedefang] MD 2.48 , SA 3.0001 CHARSET_FARAWAY_HEADERS
Aleksandar Milivojevic wrote: ...snip... Starting with MD 2.46 (or 2.47?) location of sa-mimedefang.cf was moved from /etc/mail/spamassassin to /etc/mail. Try moving the file, or making symbolic link, and see if that is going to make any difference. sweeet. that was it. not sure why i missed that, but i did. thanks for your help alan
[Mimedefang] MD 2.48 , SA 3.0001 CHARSET_FARAWAY_HEADERS
I'm having an interesting problem. I have: MD 2.48 SA 3.0x (happens with 3.00 and 3.01) perl 5.8.5 5.6.1 (happens on two separate systems) RedHat ES 3.0 RedHat 7.2 when mail passes through MIMEDefang and calls SpamAssassin, even though I've got ok_locales and ok_languages set to en ja (to also accept japanese mail) mail that comes in with a subject in ISO-2022-JP encoding is triggering the CHARSET_FARAWAY_HEADER (and sometimes the GAPPY_SUBJECT) rules. If I run the same mail thru spamassassin -D it doesn't trigger these rules. the Bayes database hasn't been fully trained yet so there's no Bayes scoring taking place. I have MD 2.45 and SA 3.00 running on a RH 9 machine elsewhere with the same settings (with regards to language) but not experiencing the same problem. (although bayes has been trained on that system) being unable to duplicate the problem with spamassassin -D makes me curious if there is some sort of setting or problem related to language handling that i'm missing with the latest version of MIMEDefang. any help/information is greatly appreciated. Thanks, alan
Re: [Mimedefang] Frustration...
Lisa, Lisa Casey wrote: Hi Folks, ...snip... I'd also like to drop, bounce, whatever mail that has certain words in the subject, such as rolex, penis, viagra, etc. I know I can do the above with MIMEDefang/Spamassassin, but I'll be darned if I can figure out how. And the more I try to figure it out, it seems, the more confused I am getting. You should look at the /etc/mail/mimedefang-filter file (assuming your sendmail config directory is /etc/mail, it may be different on your system). hopefully you are familiar with Perl. Also, I'm not sure how I'm supposed to feed it spam. I have Sendmail/Qpopper and most of my users pick up their mail using Outlook Express. I understand I can't just forward spam to a spam mailbox and run sa-learn on that as the forwarding will not get the original headers. you could add code in your mimedefang-filter to copy mail scoring (x) points to a spam catch-all, although being an ISP you may have privacy issue concerns. There has to be an easy way to learn to use this and get it to do what I want but I can't really figure it out. Surely there are some other ISP's on these lists who might be willing to tell me how they use it. for your situation, the commercially available CanIT (or CanIT-PRO) may be more appropriate. Have you considered it? alan
Re: [Mimedefang] Re: VERY Newbie Question
Jeff Rife wrote: On 30 Oct 2004 at 0:16, David F. Skoll wrote: ...and the RFC pretty clearly says that an IP address should *never* be used as the argument to HELO, so that rule *should* reject all e-mail. Umm... reread his code. ...snip... Jeff, I think what David was trying to point out is that with his code, unless the IP is 127.0.0.1 or *IT MATCHES $helo*, the mail will be rejected. :) alan
Re: [Mimedefang] Installed Modules
Trevor Dodds wrote: Hi, Can someone please tell me the command that will display all the modules mimedefang is using. Thanks Trevor Trevor, I believe what you're looking for is mimedefang.pl -features alan
Re: [Mimedefang] Spamassassin not using SURBL
Kris Deugau wrote: alan premselaar wrote: I just recently installed a system with MD 2.45 and SA 3. and while doing some testing to see if the network tests were running, I determined that the -C option to spamassassin does not work as expected. the man pages are a little hazy about the description, Hmm. Seems clear enough to me: -C path, --configpath=path, --config-file=path Use the specified path for locating the distributed configuration files. Ignore the default directories (usually /usr/share/spamassassin or similar). you're right, now that I look at them again (and not in the middle of the night... it must have been my head that was hazy) although i still contend that --config-file= is a little misleading. I seem to remember there actually being an option to specify the config *file* to load, not just the directory. of course i could be hazy here too :) alan
Re: [Mimedefang] Spamassassin not using SURBL
[EMAIL PROTECTED] wrote: Graham Dunn wrote: What options are required when running spamassassin from the command line to get the same behaviour as you would see when run in mimedefang? Other than using -C /usr/local/etc/mimedefang/spamassassin/sa-mimedefang.cf Also should run as the defang user su -c spamassassin -C /usr... defang I just recently installed a system with MD 2.45 and SA 3. and while doing some testing to see if the network tests were running, I determined that the -C option to spamassassin does not work as expected. the man pages are a little hazy about the description, but when i ran (as defang user) spamassassin -D -C /etc/mail/sa-mimedefang.cf it didn't pick up *ANY* of the default rules located in /usr/share/spamassassin. instead it reported the working rule DIRECTORY was /etc/mail/sa-mimedefang.cf I haven't had the time (since) to check out bugzilla for SA and see if this has already been reported, so i haven't filed a bug report yet. interestingly enough, spamassassin -D (as defang user) picks up my sa-mimedefang.cf (mostly because in the upgrade from 2.39 to 2.45 I left sa-mimedefang.cf in /etc/mail/spamassassin and just made /etc/mail/sa-mimedefang.cf a symlink to it) and it picks up the /usr/share/spamassassin/*.cf files so everything is hunky-dory. i tinkered with it so much, i forget what I did to make it start working the way i expected it to. I did make sure that all my module requirements were up to date. I also ran spamassassin --lint to make sure I fixed any problems in my .cf files that creeped in from the previous version of SA. anyways, hope this is useful information. alan
Re: [Mimedefang] mimedefang-2.45 and dual opteron
Bill Maidment wrote: I've had mimedefang-2.45 spamassassin-3.0.0 clamav-0.80rc2 running for about a week OK on a dual opteron. Then yesterday a friendly bz2 file came in as an attachment and clamav threw a fit. I upgraded to clamav-0.80rc3 and still had the same problem, so I went back to clamav-0.75.1 which handled the bz2 file OK on i386 machine. That's when mimedefang stopped working. I've gone through a myriad of software combinations and just cannot get mimedefang to work again. I can't even get the original problem to occur again. sendmail/mimedefang just stops on receiving an email as below.
Sep 30 22:51:52 mail mimedefang-multiplexor[2396]: Starting slave 1 (pid 2479) (2 running): Bringing slaves up to minSlaves (2)
Sep 30 22:53:44 mail sendmail[3205]: i8UCrgoP003205: from=[EMAIL PROTECTED], size=1244, class=0, nrcpts=1, msgid=[EMAIL PROTECTED], proto=ESMTP, daemon=MTA, relay=video.maidment.com.au [192.168.2.5]
Bill, I've been installing a new machine with MD 2.45, SA 3.0 and clamav 0.75.1 and it was working fine until I added some greylisting code. then it did the same thing. it turns out that for some reason it was choking on my use strict; line. more specifically it was complaining (during debugging) about calls to non-existent subroutines main::sub_routine_name which actually did exist. I must have beat my head against the wall for 2 hours debugging this. I reverted to a previous version of the filter and it started working again as expected, so i stepped thru changes, etc and finally once I removed the use strict; line with all my code changes, everything started to work. (i still need to figure out why that was happening) anyways, the point (i think) is... check the little things and make sure you don't have something really little and really obvious taunting you and causing you problems. in my case, it was get as far as you show in your log and then the slave would timeout and die and tempfail. anyways, probably not much help, but thought i'd share. alan
Re: [Mimedefang] OFF TOPIC - Need a product to block spyware
Johann wrote: [snip] http://fedora.redhat.com/download/ It is the only thing that will get rid of all the malware you have now, including Windows 2000. :-) a good pair of wire cutters will prevent spyware too.
Re: [Mimedefang] Deadline for SPF records
Ben Kamen wrote: ...snip... But seriously, it's so easy to set up StartTLS on the client side... you know, you would think that... but, as an example, Microsoft Entourage (part of Office 2000) for OS X doesn't support STARTTLS, only SSMTP. sure you can use SMTP AUTH, but you'd have to configure your mail server to support STARTTLS and SSMTP as well. as an ISP, you can't be platform biased either. you have to take into account every possible mail client that anyone using your servers may attempt to use. like it or not. granted, *I* don't like it... and I pretty much force all my users (of my personal domain's mail server) to use SMTP AUTH/STARTTLS, but I only have about 14 users, and they don't pay for the service so they know it's my way or the highway. (heh) ... anyways, I've been thru the i want it as secure as possible without being too restrictive for what platform/mail client my users choose to use thing. much easier said than implemented. alan
Re: [Mimedefang] MIMEDefang not scanning for Spam??
Sven Schuster wrote: ...snip... This rule usually does work, even when I reinject this mail (as present in the users mbox) into sendmail (port 25). I also don't have any rules to skip spam scanning for certain senders or recipients or the like. Any idea what's going wrong here?? are you using the mimedefang-filter that's included with MIMEDefang? what's the size of the email? chances are that the email is larger than 102400 bytes then SpamAssassin checks will be skipped. hope this helps alan
Re: [Mimedefang] Sendmail 8.10 and MIMEDefang
Kenneth Chan wrote: Hi, I have a raq4 with sendmail 8.10. Which is the most recent version that will work with sendmail 8.10? Is there an archive of previous versions available for download? Thanks Ken.

Kenneth, If I'm not mistaken (and this is off the top of my head after a long day at work) then sendmail 8.10 doesn't support MILTER which is required to run MIMEDefang. also, apparently some versions of sendmail 8.11 have some MILTER related bugs and it's recommended to use at least sendmail 8.12 with MIMEDefang.

anyone else on the list can correct me if i'm wrong (please).

hope this helps,

alan
Re: [Mimedefang] Relaying denied
Les Mikesell wrote: On Thu, 2004-07-22 at 10:24, Vivek Kumar wrote: Yes its gorave not gorav (typo error). I was trying to send it to lists related to mail as I was not getting proper answer for that. Sorry for any inconvenience. [snip]

Note that by doing this you lose the ability to check valid user names as the relay server accepts messages. There has been some recent discussion on the list about how to validate via smtp to the delivery host.

If forwarding to an MS Exchange server, md_check_against_smtp_server() won't work as exchange will always accept recipients and then send out separate user not found emails after the fact. since this is the case, you'll want to look into using either LDAP lookups to validate users or use some scripts to export your valid AD users into a local user table on the mail gateway. Both solutions have been discussed on this list.

hope this helps

alan
Re: [Mimedefang] Reversing the process
Ashley M. Kirchner wrote: Not that I really want to do this, but I have a mail server right now on which I want to remove MIMEDefang altogether, and just leave sendmail running. The folks on that machine actually WANT all their spam and viruses, so...who the hell am I to tell them no. So, how do I go about reversing the install, and remove MD (which has SA also tied into it)?

Ashley, It seems like you could just remove any reference to mimedefang in the milter definition section of your sendmail.mc and rebuild your sendmail.cf file and you should be golden.

alan
Re: [Mimedefang] Globals
Rich West wrote: Thanks to all of those that responded. Based upon all of the ideas, I came up with the following code to do the trick. -Rich

    sub filter_begin () {
        ...
        %lists = get_lists();
    ...snip...
        open (LISTS, "/var/mailman/bin/list_lists -b|") or die "Could not execute '/var/mailman/bin/list_lists -b'.\n";

my only suggestion is that you do not call die in your filter. it could cause strange things to happen. you're better off returning a null hash if the open fails.

alan
Re: [Mimedefang] Still outbound messages are getting blocked by s pamassassin
[EMAIL PROTECTED] wrote: From: Jim McCullars [mailto:[EMAIL PROTECTED] On Fri, 9 Jul 2004, Vivek Kumar wrote: Hi Matthew, I tried both the following syntax you suggested but I got compilation error.

How about just:

    if ($hostip =~ /^191\.0\.(?:0|1)/) { return("ACCEPT_AND_NO_MORE_FILTERING","OK") }

That would also match 191.0.12.38, for example. This might work though:

    if ($hostip =~ /^(?:191\.0\.(?:0|1)|127\.0\.0)\./) { return("ACCEPT_AND_NO_MORE_FILTERING","OK") }

I use a subroutine that allows me to be creative and/or easily expand my list of machines/networks that can send email unfiltered. The code had been posted to the list awhile back so i'm not going to take credit for writing it. I obviously modified it for my own use. I personally don't use ACCEPT_AND_NO_MORE_FILTERING because I still force virus scans of outgoing mail, but i use these tests to bypass the SpamAssassin tests as necessary.

hope this helps,

alan

code follows:

    use Socket;

    # Return 1 if $hostip falls inside one of the exempt subnets, else 0.
    sub valid_local_network {
        my ($hostip) = @_;
        my $addr = '';
        my $network_string = '';
        my $mask_string = '';
        # network address => netmask
        my %exempt_subnets = (
            '127.0.0.0',   '255.0.0.0',
            '192.168.0.0', '255.255.255.0',
            '192.168.1.0', '255.255.255.0',
        );
        $addr = inet_aton $hostip;
        # inet_aton returns undef for anything that is not a usable IPv4 address
        return 0 unless defined $addr;
        while ( ($network_string, $mask_string) = each %exempt_subnets ) {
            my $network = inet_aton $network_string;
            my $mask = inet_aton $mask_string;
            # bitwise AND of the packed address and mask gives the network part
            if ( ($addr & $mask) eq $network ) {
                return 1;
            }
        }
        return 0;
    }

then in filter_relay you could have:

    sub filter_relay ($$$) {
        my ($hostip, $hostname, $helo) = @_;
        if (valid_local_network($hostip)) {
            return ('ACCEPT_AND_NO_MORE_FILTERING', "It's from us.");
        }
        # ... other relay tests here
        return ('CONTINUE', "");
    }
Re: [Mimedefang] white listing $senders
Jeffrey Goldberg wrote: [snip...] To mimedefang-filter I've added the following two functions

    sub filter_sender {
        my ($sender, $ip, $hostname, $helo) = @_;
        return ('ACCEPT_AND_NO_MORE_FILTERING', "Sender whitelisted")
            if is_whitelisted($sender, $ip);
        return ('CONTINUE', "ok");
    }

    sub is_whitelisted {
        my ($sender, $ip) = @_;
        my ($whitelistfile) = '/var/spool/MIMEDefang/whitelist.txt';
        # return 1/0: the strings "true" and "false" are both true in Perl
        return 1 if ($ip =~ /^192\.168/);
        if (open (WHITELIST, $whitelistfile)) {
            my @whitelist = <WHITELIST>;
            # \Q...\E so the sender is matched literally, not as a pattern
            return 1 if grep { /\b\Q$sender\E$/i } @whitelist;
        }
        return 0;
    }

[snip...] I have a couple of questions. (1) Other than my forgetting to chomp are there other errors in the code that people notice.

One thing I noticed is that you are storing your file in /var/spool/MIMEDefang. if you have your system configured as recommended with /var/spool/MIMEDefang being on a tmpfs or RAMdisk, then you'll obviously need to have some sort of external way to make sure this information isn't hosed if you lose power or reboot the machine (etc.)

also, although the file handle should be closed once the script exits, it's usually good practice (in my opinion) to close your file handles when you're done with them. so, in sub is_whitelisted, just before you return you may want to close(WHITELIST);

if you're only going to whitelist based on senders who publish SPF, you should (if you haven't already) look into using Mail::SPF::Query. if your intention is to whitelist any sender who's publishing SPF records, then you could probably save yourself a lot of trouble by just whitelisting based on the results of Mail::SPF::Query as opposed to keeping a local flat-file. otherwise you could use the results of Mail::SPF::Query in conjunction with your flat-file read to determine if the mail should be scanned or not.

(2) Will the whitelist file be opened anew with every incoming mail? or will it only be opened when the multiplexor starts a slave?

the way you have it configured here, every time filter_sender is called your whitelist file will be opened.

(3) If the answer to (2) is every time is there something I can to fix that while still keeping the whitelist in an external file?

you may want to consider using embedded perl. then you could set up your filehandles in filter_initialize and just reference them as appropriate in filter_sender.

(4) I'm using bayes autolearn for spamassassin, if I by-pass spamassassin with this whitelisting am I depriving the autolearn system with important information?

obviously, any information you don't pass thru the bayes autolearn facility is depriving it of information. whether or not it's important information is dependent on the contents of the mail and your auto-learn criteria.

I also have a few policy questions. (4) What I'm doing will exempt whitelisted mail not only from defanging, bad extension checks and SpamAssassin, but also from virus scanning. Is that stupid? Note that at the site in question almost all (but not all) email users are on Linux. Of the few MS-Windows users, almost everyone (but not everyone) is using a Mozilla based MUA. (But I know that there is at least one Outhouse user still, and that is not going to change).

Firstly, I personally am a little uneasy with setting up whitelisting facilities based on fields that could potentially be exploited or forged. You may want to keep that in mind when setting up your whitelisting. I prefer to do my sender whitelisting (per se) based on SMTP AUTH. My mail server doesn't have any local senders (i.e. from the box itself) and is located in a co-lo so there's no local network to authenticate against. since all of my users are remote (and world-wide) the only useful way for me to determine if scanning should be done is by checking SMTP AUTH.

My policy decisions are such that I scan every piece of mail thru my server for viruses. even outgoing mail that has been SMTP AUTH'd. the overhead is minimal and it only takes ONE virus mail to cause a problem so, if you even only have 1 machine that could possibly send a virus, you're better off scanning than not (in my opinion). I do, however, skip spam scanning from my authenticated users as i know my users don't send spam. YMMV

hope this is useful information.

alan
Re: [Mimedefang] file descriptor scope and embedded perl
Chris Masters wrote: Hi All, Since upgrading to the latest MIMEDefang today I have bad file descriptor errors - I assume this is an embedded perl scope issue. So, I currently do the following:

1) I do *not* use filter_initialise
2) The file descriptors are global and are declared *outside* of any function.
3) valid connections are made using a 'connection test function' within functions called within the 3 main filter functions.
4) file descriptors are closed in filter_cleanup

I take it that I shouldn't be doing 2? Can/Should I declare *slave* globals in filter_initialise? Thanks for your help, Chris

Chris, The documentation for mimedefang-filter specifically states that if you're using Embedded Perl, you *MUST* use filter_initialize to initialize variables (such as file descriptors) that need to be seen across slaves. with embedded perl, the (outside of any subroutine) global variables are only initialized once on initial startup, and not on a per-slave basis. check the mimedefang-filter man pages for more specific information.

hope this helps.

alan
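The advice given in the "Globals", "white listing $senders" and embedded-Perl threads above (do not die inside the filter, close file handles, set up per-slave state in filter_initialize), combined in one sketch. This is an added example, not code from any poster or from the MIMEDefang distribution; the path /etc/mail/md-whitelist.txt, the helper load_whitelist and the one-address-per-line file format are assumptions, and the last section is a constructed self-test that runs outside MIMEDefang.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed location, kept outside /var/spool/MIMEDefang so a tmpfs wipe
# or reboot does not lose it.
our $WHITELIST_FILE = '/etc/mail/md-whitelist.txt';
my %whitelist;    # per-slave cache, filled by filter_initialize

# Hypothetical helper: read one address per line, skipping blank lines
# and '#' comments. On failure it returns an empty hash instead of
# calling die() inside the filter.
sub load_whitelist {
    my ($path) = @_;
    my %seen;
    open(my $fh, '<', $path) or do {
        warn "whitelist $path unreadable: $!\n";   # md_syslog in a real filter
        return %seen;
    };
    while (my $line = <$fh>) {
        chomp $line;
        $line =~ s/^\s+|\s+$//g;
        next if $line eq '' or $line =~ /^#/;
        $seen{lc $line} = 1;
    }
    close($fh);
    return %seen;
}

# With embedded Perl, per-slave state is set up here, not at file scope.
sub filter_initialize {
    %whitelist = load_whitelist($WHITELIST_FILE);
}

sub filter_sender {
    my ($sender, $ip, $hostname, $helo) = @_;
    # Strip the angle brackets the envelope sender normally carries.
    (my $addr = lc $sender) =~ s/^<|>$//g;
    # Exact hash lookup: the sender is never interpolated into a pattern.
    return ('ACCEPT_AND_NO_MORE_FILTERING', 'Sender whitelisted')
        if exists $whitelist{$addr};
    return ('CONTINUE', 'ok');
}

# --- constructed self-test; skipped when loaded as a filter file ---
unless (caller) {
    require File::Temp;
    my ($tmp, $name) = File::Temp::tempfile(UNLINK => 1);
    print {$tmp} "# constructed sample\nAlice\@Example.org\n\nbob\@example.net \n";
    close($tmp);
    $WHITELIST_FILE = $name;
    filter_initialize();
    for my $s ('<alice@example.org>', '<.*>', '<mallory@example.com>') {
        my ($code) = filter_sender($s, '192.0.2.10', 'host.example', 'helo');
        print "$s -> $code\n";
    }
}
```

The envelope sender remains a forgeable field, as the whitelisting reply above points out, so a lookup like this fits skipping spam checks better than skipping virus scans.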
Re: [Mimedefang] block based on outgoing recipient
Lucas Albers wrote: Would this item; in filter_end exclude all further mail filtering, on mail going from localhost to this a particular recipient?

    #in filter_end.
    if ($recipient =~ /[EMAIL PROTECTED]/) { exit; }

Does not appear to be working...

Lucas, if you just want to bypass all filtering for mail originating on your localhost and being sent to a specific recipient, wouldn't using filter_recipient be more appropriate? I haven't used it personally, but the pseudo-code could look something like:

    sub filter_recipient {
        if (localhost) {
            if ($recipient =~ /[EMAIL PROTECTED]/) {
                return ('ACCEPT_AND_NO_MORE_FILTERING', "ok");
            }
        }
        # everything else goes through the normal checks
        return ('CONTINUE', "ok");
    }

** this is pseudocode, it's not meant to run as-is. also, I couldn't remember the return code off the top of my head, so be sure to double-check it for accuracy

hope this helps,

alan
Re: [Mimedefang] Mimedefang/Spamassassin/bayesian
On 2/17/04 9:31 PM, "Paul Murphy" [EMAIL PROTECTED] wrote:

...snip...

    debug: bayes: 29638 tie-ing to DB file R/O /var/spool/spamassassin/bayes_toks
    debug: bayes: 29638 tie-ing to DB file R/O /var/spool/spamassassin/bayes_seen
    debug: bayes: found bayes db version 2
    debug: bayes: Not available for scanning, only 0 spam(s) in Bayes DB < 200
    debug: bayes: 29638 untie-ing
    debug: bayes: 29638 untie-ing db_toks
    debug: bayes: 29638 untie-ing db_seen

Since we get about 600 incoming messages per day of which around 50 are scored 10+, and 20 scored between 5 and 10, I'd expect to see this number be non-zero by now

the bayes learning process takes into account the score of the email without network and whitelist/blacklist scores added. So, that means that if the email scored say a 5 or 6 with network tests, but the actual non-network score is say a 2 or a 3 then it may not be learned automatically (keeping in mind these figures aren't necessarily accurate, just being used as an example) ... I recommend checking the docs for SpamAssassin for specifics about how the bayes learning works.

The relevant parts of my sa-mimedefang.cf are:

    use_bayes 1
    auto_learn 1
    bayes_path /var/spool/spamassassin/bayes
    bayes_file_mode 0666

The bayes stuff looks like this:

    localhost:/var/spool/spamassassin# ls -al
    total 24
    drwxr-xr-x2 root root 4096 Feb 17 12:29 .
    drwxr-xr-x 14 root root 4096 Jan 19 17:30 ..
    -rw-rw-rw-1 defang root 4096 Jan 19 18:36 bayes_seen
    -rw-rw-rw-1 defang root20480 Jan 19 18:36 bayes_toks

What's missing?

try running sa-learn --dump magic to show you relevant information regarding the bayes database.

hope this helps

alan
Re: [Mimedefang] Problem running clamd but not clamscan
On 1/29/04 1:44 AM, "Ole Craig" [EMAIL PROTECTED] wrote:

On 01/28/04 at 08:32, 'twas brillig and Scott Harris scrobe: Subject: RE: [Mimedefang] Problem running clamd but not clamscan

Scott, et al - I had similar issues with clamd versus clamscan (see lists.roaringpenguin.com/pipermail/mimedefang/2003-December/018671.html) but nobody else seemed to (or at least, nobody responded) and I gave up due to lack of time. (Figuring, "I've got a solution that works for my current mail load, why fsck with it...") Ole --

I'm tempted to take the same route, except for the fact that I noticed the filter time has gone up dramatically:

Scott - The problem I had seemed to be that MD wasn't actually talking to clamd. (Do you catch the EICAR text file with clamd enabled?) It would make sense that MD processed significantly faster if it's not incurring the virusscan overhead at all. Maybe we could have someone with a working MD-clamd setup try your speed test and report the difference in MD time between clamav and clamd... Ole

Ole,

I was having the opposite problem. well, kind of. I originally configured my filter to use CLAMAV instead of CLAMD (mostly because the filter fails and then discards mail if clamd isn't accessible via the socket), and although it was catching the virus, it wasn't returning any name into $VirusName. I configured CLAMD and changed the filter to use CLAMD and now it's working properly (and returning a value into $VirusName)

I'm not sure how to get the filter times into the syslog like that however, i'd be willing to help in any way I can.

alan
[Mimedefang] clamav and $VirusName variable
Hi,

I recently installed clamav 0.65 on my machine (in conjunction with File::Scan) and I've noticed that occasionally clamav is returning that it's found a virus, but $VirusName is empty.

any ideas as to why this might be happening? or where to look for this?

i'm pretty sure it's running properly on another machine (where i'm not using File::Scan) but i can't find any differences in how i'm calling it in my filter.

thanks in advance,

alan
[Mimedefang] filter timing out
I'm sure this has been covered before, but i couldn't find it in the archives (could just be i'm tired) ...

anyways, lately i've been seeing A LOT of 4.7.1 failures in my log file. I've got my MIMEDefang spool dir on a tmpfs, and i haven't made any changes to my filter recently.

    Jan 20 17:43:52 uchuu sendmail[16529]: i0K8gKEB016529: to=[EMAIL PROTECTED], delay=00:01:31, pri=32001, stat=Please try again later
    Jan 20 17:43:52 uchuu mimedefang-multiplexor: Reap: Killed slave 5 (pid 16240) exited due to SIGTERM/SIGKILL as expected.
    Jan 20 17:43:52 uchuu mimedefang-multiplexor: Slave 5 resource usage: req=15, scans=5, user=88.460, sys=0.680, nswap=0, majflt=760, minflt=13997, maxrss=0, bi=0, bo=0

the machine isn't a powerhouse, but it should still be enough to handle mail for this domain.. (i don't receive a lot of mail, and i have maybe 12 users)

it's a PII 400Mhz with 384MB of RAM running Redhat 7.3

it doesn't appear to be running out of slaves. Any known issues with spamassassin and/or network tests that I might be missing? (i stopped subscribing to the SA talk list because there was just too much traffic daily and I couldn't get thru it all)

anyways, as always, any help is appreciated.

alan