Re: [Mimedefang] KAM for MIMEDefang Leadership Role

2019-10-21 Thread alan premselaar


On 10/22/2019 07:19, Dianne Skoll wrote:
> On 10/21/19 5:51 PM, Kevin A. McGrail wrote:
>> Good Evening everyone,
>> My name is Kevin A. McGrail.  I've been a long-time user of MIMEDefang
>> and I'd like to put myself forward to take the mantle of leadership from
>> DFS now that she has moved on to other work.  I don't envision it will
>> be as amazing as under Dianne's leadership but I look to continue
>> maintaining MD for the public good.
> I would love to see MIMEDefang continue as an actively-developed
> open-source project.  I know Kevin and think he'd be an excellent
> person to lead the project, whether it continues under the MIMEDefang
> name or changes to a new name.
>
> I'm not in a position to support this project for the next 18 months or
> so, unfortunately, other than to provide a vote of confidence for Kevin.

I haven't been very active with MIMEDefang in recent years, but I have
been using it for over 15 years now.
Kevin has provided useful assistance on this list as well as
contributing to the code as well for at least as long as I've been using it.

For what it's worth, he gets my vote as well.

Alan
___
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID.  You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


Re: [Mimedefang] Logwatch stopped gleaning as much useful (MdF) info following FC5 upgrade

2006-12-24 Thread alan premselaar



Philip Prindeville wrote:
 I used to get some useful Logwatch info when I was
 running FC3:
...snip...

 Then I upgraded the OS to FC5 (but kept everything else
 the same), and now I hardly get anything useful at all:
 
...snip...

 
 So...  Anyone know what might have changed to stop logwatch from
 gathering as much useful information?  Did one of the log formats
 change in either Sendmail or MdF that might cause it to not be
 grepped out properly by logwatch?
 
 Of course, that wouldn't have stopped Logwatch from gathering the
 useful summary information that it used to about top relays,
 volumes handled, etc.
 
 Thanks,
 
 -Philip

I ran into issues like this as well and dug into the logwatch configs, etc.

I'm pretty sure that along with the FC3 -> FC5 upgrade you upgraded
logwatch (from RPM) correct?  that's what happened to me and I found
that by default the latest logwatch ignores Milter: changed (or
something like that) lines now.

HTH

Alan


Re: [Mimedefang] My semi-cached version of md_check_against_smtp_server

2006-12-08 Thread alan premselaar

Yizhar Hurwitz wrote:
 HI.


 Here is my cached implementation of md_check_against_smtp_server.

 I publish it here for other to look at, and for tips on improving it.



[...snip...]


 sub filter_recipient
 {
     my ($recip, $sender, $ip, $host, $first, $helo, $rcpt_mailer, $rcpt_host,
         $rcpt_addr) = @_;
     if ($CheckRecipientEnable and ($rcpt_mailer ne 'local')) {
         if ($vrc_ram{$recip}) {
             # In-memory cache hit: accept without asking the server again.
             return ('CONTINUE', 'OK');
         }
         else {
             ### Check if $rcpt_host is in mailertable by looking for square brackets []:
             if ($rcpt_host =~ /^\[(.*)\]$/) {
                 my ($stat, $msg, $code) = md_check_against_smtp_server($sender, $recip,
                     $HostName, $1);
                 if ($stat eq 'CONTINUE') {
                     $vrc_ram{$recip} = 1;
                     # Record the positive result on disk with a timestamp.
                     tie (%vrc_disk, 'SDBM_File', $vrc_filename, O_RDWR, 0666) or die
                         "Cannot tie $vrc_filename for write, $!";
                     $vrc_disk{$recip} = time;
                     untie (%vrc_disk);
                 }
                 return ($stat, $msg, $code);
             }
         }
     }
     return ('CONTINUE', 'OK');
 }


 Comments are welcome.


 Yizhar Hurwitz.


Yizhar,

 I have some comments that hopefully you'll find useful.

This is kind of a cool idea in that if the primary server used to check
against isn't available you can still reject users that are unknown.
There are a couple problems with your current code that I can see.

Firstly, I would probably check_against_smtp_server before checking the
cache, because you don't have any housecleaning code to handle the case
where an account was deleted within the 30 days of the last cache store.
 This could cause your system to potentially accept mail for an unknown
user and thus have to generate an NDS and defeat the entire purpose of
this feature.  What I propose is:

1. check against the smtp server. if you get a tempfail, check your
cache, otherwise use the pass/fail results from
md_check_against_smtp_server()

2. if md_check_against_smtp_server() fails (i.e. the account does not
exist), remove the account from your cache for house cleaning.  that way
if the primary server is unreachable, you won't accept mail for an
ultimately undeliverable user because it was left in your cache.


Secondly, I'm assuming that you just haven't gotten around to writing
the code to check the mailertable for the relay host. however, it
doesn't appear that you have a contingency plan for if the host does not
appear in the mailertable. (i.e. what if all or some of the forwarding
is handled by the virtusertable? what if it's aliases?)

you may want to consider an assignable override variable as well so that
way an administrator could give it a fixed value should they choose and
still keep the code fairly portable.

also, there is no guarantee that even if the hostname is configured in
the mailertable that it will be enclosed in square brackets [] ... as
the absence of the brackets just tells sendmail to actually do a DNS
lookup on the hostname whereas the brackets tell it NOT to do the lookup.

Alan
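
An added example, not part of the original posts and not MIMEDefang code: the ordering proposed in the reply above (ask the SMTP server first, fall back to the cache only on a tempfail, purge the cache entry on a reject) as stand-alone Perl. verify_recipient, %cache, $MAX_AGE and the stub server are hypothetical names; in a real filter the code reference would wrap md_check_against_smtp_server() and the hash would be the tied SDBM file.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical names throughout; the 30-day lifetime is the one mentioned
# in the thread. %cache maps recipient => time of last positive answer.
my $MAX_AGE = 30 * 24 * 60 * 60;
my %cache;

# $check is a code ref returning ($status, $message), with $status one of
# CONTINUE, REJECT or TEMPFAIL, like md_check_against_smtp_server().
sub verify_recipient {
    my ($recip, $check, $now) = @_;
    $now = time unless defined $now;
    my ($stat, $msg) = $check->($recip);

    if ($stat eq 'CONTINUE') {          # server vouches for the address
        $cache{$recip} = $now;
        return ('CONTINUE', 'OK');
    }
    if ($stat eq 'REJECT') {            # authoritative "no": purge stale entry
        delete $cache{$recip};
        return ('REJECT', $msg);
    }
    # TEMPFAIL: server unreachable, so the cache is the only evidence left.
    my $seen = $cache{$recip};
    if (defined $seen && $now - $seen <= $MAX_AGE) {
        return ('CONTINUE', 'OK (cached)');
    }
    delete $cache{$recip};              # expired or never seen
    return ('TEMPFAIL', $msg);
}

# --- Constructed scenario: a stub primary server that can be switched off ---
my %mailbox = ('<alice@example.com>' => 1, '<bob@example.com>' => 1);
my $primary_up = 1;
my $stub = sub {
    my ($recip) = @_;
    return ('TEMPFAIL', 'primary unreachable') unless $primary_up;
    return $mailbox{$recip} ? ('CONTINUE', 'OK')
                            : ('REJECT', 'User unknown');
};

my $day = 24 * 60 * 60;
my $t   = 1_000_000;                    # arbitrary start time

sub step {
    my ($label, $recip, $when) = @_;
    my ($stat, $msg) = verify_recipient($recip, $stub, $when);
    printf "%-28s %-22s => %s (%s)\n", $label, $recip, $stat, $msg;
    return $stat;
}

step('primary up',                  '<alice@example.com>', $t);
step('primary up',                  '<bob@example.com>',   $t);

delete $mailbox{'<bob@example.com>'};   # bob's account is removed
step('primary up, bob deleted',     '<bob@example.com>',   $t + $day);

$primary_up = 0;                        # outage begins
step('primary down, alice cached',  '<alice@example.com>', $t + 2 * $day);
step('primary down, bob purged',    '<bob@example.com>',   $t + 2 * $day);
step('primary down, never seen',    '<carol@example.com>', $t + 2 * $day);
step('primary down, entry expired', '<alice@example.com>', $t + 40 * $day);
```

During the outage only alice is accepted from the cache; bob was purged by the earlier reject, so a deleted account is tempfailed rather than accepted and bounced later.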


Re: [Mimedefang] spamassassin config files - I'm confused

2006-12-06 Thread alan premselaar

Delahunty, Mark wrote:
 When I run spamassassin manually it seems to behave differently from when
 MIMEdefang runs it.
...snip...
 
 I've attached my local.cf, init.pre and the full output from spamassassin
 --lint -debug
 
 What am I missing/doing wrong/breaking?
 
 Thanks for any suggestions
 
 Mark Delahunty
 UCC Computer Centre
 Cork
 Ireland

Mark,

 basically, MIMEDefang doesn't allow Spamassassin to actually modify the
message at all.  Also, the network tests are determined by the
$SALocalTestsOnly (i think, i'd have to check the code to be sure)
value.  if this is 0 then it will run network tests and you'll see
things like *_SPAMCOP, etc. in your tests.

you should probably take another glance at the MIMEDefang documentation
for specifics.

hope this helps.

Alan


Re: [Mimedefang] Spamassassin detailed score in message header

2006-11-29 Thread Alan Premselaar

Tim Boyer wrote:
 action_change_header("X-Spam-Score", "$hits ($score) $names");
 
 works great, and gives me the total score.  It would be great, however, if I
 could get more detail, e.g.,
 
 X-Spam-Score: 8.152 () AWL,BAYES_99 (5.38),DCC_CHECK
 (2.10),DNS_FROM_RFC_ABUSE (0.32),DNS_FROM_RFC_POST (0.22),FORGED_RCVD_HELO
 (1.23),UNDISC_RECIPS (0.01)
 
 Is there an easy way to do this?  Or could someone point me to where it's
 spelled out in excruciating detail in the docs and I missed it completely?
 
 Thanks much,
 

Tim,

 for what it's worth, I have a couple of pretty simple patches to
SpamAssassin that will produce test score results as above minus the
space between the name and the open parenthesis.

the patches require one additional configuration setting in your
sa-mimedefang.cf to basically turn on the option to have scores output
in that manner.

the only downside is that every time I update SpamAssassin I have to
re-patch it.

If you're interested, contact me off-list and I'll send them.

Alan


Re: [Mimedefang] What services need to be started?

2006-11-21 Thread Alan Premselaar

megaspaz wrote:
...snip...
 
 I'm only really interested in mimedefang for the antivirus integration, so
 setting up mimedefang to process only emails with suspicious attachments
 and letting spamassassin process everything else would be fine, but it
 seems that having all services running is grossly inefficient as
 spamassassin would be processing emails that would already possibly be
 processed by mimedefang.
 
 Thanks for your consideration in this request and for any insight.
 
 Vincent Jong
 --If there's anything more important than my ego around, I want it
 caught and shot now...

Vincent,

 If you're only interested in using MIMEDefang for anti-virus then you
would still need to have spamd running as you're calling spamc from
somewhere as you were previously and spamc requires spamd to be running.


HOWEVER, using MD for only anti-virus seems like a lot of overkill when
you could probably use a different milter for the anti-virus (like
clamav-milter, etc)

if you're interested in a site-wide anti-spam solution ( calling spamc
from cron? ) then you may want to use MD configured with anti-virus AND
spamassassin calls.  If you know perl, MD is a great tool for taking
control of your mail server filtering and protection.

So, when it's said that spamd isn't required with MD, it's specifically
referring to standard MD install which includes calls into the
SpamAssassin API (Mail::SpamAssassin) which have nothing to do with
spamd at all.

hope this helps.

Alan


[Mimedefang] Re: netset: cannot include w.x.y.z as it has already been included

2006-11-08 Thread Alan Premselaar

Matt Kettler wrote:
 Gilles Hamel wrote:
 Hello,

 We are running v3.1.5 with mimedefang.
 Here is our setup :

  our own MTA with spamassassin ---/-- MTA at our ISP, our MX is HERE 
 w.x.y.z / INTERNET

 In the local.cf file we have :
 trusted_networks w.x.y.z # Our MX

 Every time mimedefang spawn a child, we get this warning in log file.
 If we remove the trusted_networks parameter, the warning vanishes.

 Can you explain the reason of this warning ?

 Thank you

   
 Is there a duplicate setting in some other config file, ie: sa-mimedefang.cf?
 


I've just done a new install of mimedefang 2.58 with spamassassin 3.17
and have confirmed that there are no duplicate settings in any of the
config files in /etc/mail/spamassassin.

also /etc/mail/sa-mimedefang.cf is a symbolic link to
/etc/mail/spamassassin/sa-mimedefang.cf for forwards compatibility.


the error happens once each for every network included in either
trusted_networks or internal_networks.

as an example in sa-mimedefang.cf:

trusted_networks 1.1.1.1/32 2.2.2.2/32
internal_networks 127.0.0.1/32 3.3.3.0/24

the errors in my log files are:

mimedefang-multiplexor[PID]: Slave 1 stderr: netset: cannot include 1.1.1.1/32 as it has already been included
mimedefang-multiplexor[PID]: Slave 1 stderr: netset: cannot include 2.2.2.2/32 as it has already been included
mimedefang-multiplexor[PID]: Slave 1 stderr: netset: cannot include 127.0.0.1/32 as it has already been included
mimedefang-multiplexor[PID]: Slave 1 stderr: netset: cannot include 3.3.3.0/24 as it has already been included

This doesn't appear to be causing any problems, however.

cross-posting to mimedefang list as well.

Alan


Re: [Mimedefang] Rejecting forged senders - comments?

2006-09-20 Thread alan premselaar

Cormack, Ken wrote:
 I'd like to see if anyone has any comments on an idea to block spam from
 forged senders who claim my domain in the sender address.  I'm assuming
 something like this could (or should?) be done for both the SMTP MAIL
 FROM: and the From: in the header.
 
 If my domains are @domain1, @domain2, and @domain3, and the IPs that I
 EXPECT to relay me mail with my domains in the SMTP FROM line are accounted
 for, would anyone expect problems with something like the following?
 
 Let's say I have this function, to accommodate my known IPs...
 
 sub Relayed_FromME() {
     if ($RelayAddr eq "127.0.0.1" || $RelayAddr eq "1.2.3.4" || $RelayAddr
         =~ /10.0.0/) {
         return 1;
     }
     return 0;
 }
 
 
 ...And that I put this in filter_sender()...
 
 # If not relayed from an IP address that I EXPECT
 # my domains to be relaying from...
 if (!Relayed_FromME()) {
     if ($sender =~ /@([^>]+)/) {
         my $domain = $1;
         # ...yet the claimed domain in the sender's
         # SMTP address is one of mine...
         if ($domain =~ /domain1/i
             || $domain =~ /domain2/i
             || $domain =~ /domain3/i) {
             # log it...
             md_syslog 'info', "$QueueID: Forged_Sender_SMTP: Sender SMTP address claims to be from $domain, but $ip not an expected source for $domain senders.";
             # and reject it...
             # (double quotes so that $domain and $ip are interpolated)
             return ('REJECT', "Sender SMTP address claims to be from $domain, but $ip not an expected source for $domain senders.");
         }
     }
 }
 
 Does anyone see any problems?
 
 Ken


Ken,

  If you use this machine for both incoming and outgoing mail *AND* you
have any remote users then you'll likely start rejecting mail from those
remote users.  It might be more prudent (if possible) to implement SMTP
AUTH checks in conjunction with these checks. (i.e. if the user claims
to be from your domain but isn't authenticated, reject)

Also, you'll want to escape the @ in your tests to avoid any unexpected
results.

you should probably make your relay test look like $RelayAddr =~
/^10\.0\.0/ as well (to anchor it to the beginning of the line) just to
make sure it doesn't match on some funky relay address (although it
shouldn't).

you may also want to put in some SPF tests in your filter and set up SPF
records for your domains (if possible).  That may make it a little
easier to administrate in the future.


other than that, i don't see anything jumping out at me.

HTH

Alan
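
An added example, not from the original posts and not MIMEDefang code: the checks discussed above as stand-alone Perl, with the relay test done as an exact host or CIDR match, the domain test as an exact lookup, and the SMTP AUTH exception suggested in the reply. The .example domain names, the 10.0.0.0/24 reading of "10.0.0", the function names and the $authenticated flag are assumptions; how a filter learns that a session used SMTP AUTH is outside this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed values: the thread only gives "domain1..3", 127.0.0.1, 1.2.3.4
# and "10.0.0"; the .example names and the /24 are assumptions.
my %MY_DOMAINS  = map { $_ => 1 } qw(domain1.example domain2.example domain3.example);
my @RELAY_HOSTS = qw(127.0.0.1 1.2.3.4);
my @RELAY_NETS  = qw(10.0.0.0/24);

# Strict dotted-quad parser; returns undef for anything else.
sub ip_to_int {
    my ($ip) = @_;
    return unless defined $ip
        && $ip =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
    my @o = ($1, $2, $3, $4);
    return if grep { $_ > 255 } @o;
    return ($o[0] << 24) | ($o[1] << 16) | ($o[2] << 8) | $o[3];
}

sub in_cidr {
    my ($ip, $cidr) = @_;
    my ($net, $bits) = split m{/}, $cidr;
    my $ip_n  = ip_to_int($ip);
    my $net_n = ip_to_int($net);
    return 0 unless defined $ip_n && defined $net_n;
    my $mask = $bits == 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
    return (($ip_n & $mask) == ($net_n & $mask)) ? 1 : 0;
}

sub relayed_from_me {
    my ($relay) = @_;
    return 1 if grep { $relay eq $_ } @RELAY_HOSTS;
    return 1 if grep { in_cidr($relay, $_) } @RELAY_NETS;
    return 0;
}

# Domain part of an envelope sender such as <user@domain>; undef for <>.
sub sender_domain {
    my ($sender) = @_;
    return unless defined $sender && $sender =~ /\@([^\@>\s]+)>?\s*$/;
    return lc $1;
}

sub check_sender {
    my ($sender, $relay, $authenticated) = @_;
    # Known relays and authenticated remote users may use our domains.
    return ('CONTINUE', 'OK') if relayed_from_me($relay) || $authenticated;
    my $domain = sender_domain($sender);
    return ('CONTINUE', 'OK') unless defined $domain && $MY_DOMAINS{$domain};
    return ('REJECT',
        "Sender claims $domain, but $relay is not an expected source for $domain");
}

# Constructed test traffic: [sender, relay address, authenticated?]
my @cases = (
    ['<bob@domain1.example>',      '10.0.0.7',     0],  # internal relay
    ['<bob@domain1.example>',      '210.0.0.7',    0],  # /10.0.0/ would trust this
    ['<bob@domain1.example>',      '198.51.100.9', 1],  # remote user with SMTP AUTH
    ['<bob@DOMAIN2.example>',      '198.51.100.9', 0],  # forged, mixed case
    ['<x@notdomain1.example.net>', '198.51.100.9', 0],  # /domain1/i would claim this
    ['<>',                         '198.51.100.9', 0],  # null sender (bounce)
);

for my $c (@cases) {
    my ($sender, $relay, $auth) = @$c;
    my ($stat) = check_sender($sender, $relay, $auth);
    my $d      = sender_domain($sender) // '';
    # What the unanchored patterns from the original post would have decided.
    my $loose_ip  = ($relay =~ /10.0.0/) ? 'trusted' : 'untrusted';
    my $loose_dom = ($d =~ /domain1|domain2|domain3/i) ? 'mine' : 'other';
    printf "%-28s %-13s auth=%d => %-8s (loose patterns: %s, %s)\n",
        $sender, $relay, $auth, $stat, $loose_ip, $loose_dom;
}
```

The second and fifth cases are where the strict and loose checks disagree: 210.0.0.7 is trusted by the unanchored pattern, and notdomain1.example.net is treated as a local domain by the substring match.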




Re: Fwd: Re: [Mimedefang] Should I try to do MIMEDefang with Mailscanner forbackup MX

2006-06-23 Thread alan premselaar

Steve,

Steve Campbell wrote:
...snip...


 Why don't you just use sendmail to throw them away? As others already
 pointed that out, you could provision your primary access database(s) to
 the secondary (or make the secondary use the primary's access.db over a
 TCP socket) and have sendmail do the rejecting without bothering
 MIMEDefang.
 
 I'm getting the feeling that I am not using sendmail properly with regards to
 mail accounts. Right now, whenever I need a new mail account, I just create a
 new user on the box. Imap and pop accounts are then available when needed. I
 don't add anything to the access files for users. For now, I just use the access
 files for spam, blocking IPs, and the like.

You're using sendmail properly.  My setup is nearly identical to yours
(only my primary MX is the primary MX for *ALL* my domains, and my
secondary MX is the secondary MX for *ALL* my domains, that's the only
difference)


 
 You could deliver the primary's access database to the secondary somehow 
 (via scp/rsync, ftp, etc. like in every 5 minutes or so, or just when 
 your primary access database gets updated, e.g. when you add a new 
 mailbox) and merge both access files before building the access.db. Thus 
 the secondary MX will always have all the information needed to reject 
 mail coming to non-existing recipients for both of your domains.
 
 My paragraph above sort of explains why this won't work, since my access file
 doesn't contain much. I'll look and see what it has, though, and maybe I can do
 something with it.

Distributed access lists, while providing an independent means of
rejecting unknown users even if the primary MX is unavailable, are more
of an administrative burden.  Plus, if whatever system that provides the
list of valid users for you to distribute to your secondary MX is
unavailable, your access list will be out of sync and you could
potentially accept messages for no longer valid users and somewhere down
the road end up generating a DSN.

 
 If your backup MX is unable to reject unknown recipients when the 
 primary is unreachable, it would need either to accept and queue 
 everything and then relay that to the primary, or to tempfail 
 everything. The first could result in a lot of junk and useless bounces 
 clogging the queues, the second would be equivalent to not having a 
 secondary at all.
 
 Agreed, and the former is what it does at the present time.

if your MX servers are decent hardware, and regularly monitored /
maintained, your primary MX shouldn't be offline much (if at all) and
this shouldn't really be a big issue.

 
 I kept wondering why everyone kept saying I didn't need MD, and now I see why.
 I'll have to rethink my entire access scheme. At the moment, all mailboxes for a
 domain are on the primary MX. If mail goes to the backup MX, it gets relayed,
 but only because I relay the entire domain to the where the mailboxes are (the
 primary MX for the domain).
 
 It all used to be so simple.

It's still pretty simple.  The reason people are telling you you don't
need MD is because you apparently JUST want to reject unknown users on
your secondary MX.

of course, if you wanted to implement AV and SA scanning into your MD
filter, it makes sense to use it to do all of that, instead of using MD
to only check recipients against the primary MX and then using other
milters, etc to do the other functions.  especially since you can do so
much more with MD that could reduce (even more) the amount of mail
that's being processed by your AV scanner and SA (like bogus HELO
checks, greylisting, etc).

Also, since your primary MX is the secondary MX for *SOME* of your
domains, and your secondary MX is the primary MX for *SOME* of your
domains, you essentially make this process more difficult.  so you'd
either need to manage nearline access/virtual domain lists carefully
enough to know which is on which machine, or you'll need to write an MD
filter that'll check against the proper primary MX machine based on
which domain the mail is coming in for.

then you'll have to take into consideration what happens if one mail
comes in for users in two overlapping domains? (i.e. one domain's
primary MX is the other domain's secondary MX)

you could potentially use MD's stream_by_domain() functions, but then
that'll basically nullify your ability to 5xx reject mail and force you
to generate DSNs for even unknown users (which kind of defeats your
purpose and everyone else's arguments about rejecting mail)


I would say that if you want to keep your (real) user accounts on two
separate servers for certain domains, then your ideal setup would be to
make each of those servers the primary MX for those domains respectively
and then install one or more additional servers as backup MX for all
domains.  since a backup MX isn't intended to be used for much traffic,
and only intended to queue mail if the primary MX is down, you should
have problem using an 

Re: [Mimedefang] Should I try to do MIMEDefang with Mailscanner forbackup MX

2006-06-23 Thread alan premselaar

Atanas wrote:
...snip...

 
 I primarily deal with non-standard sendmail setups hosting virtual
 domains (e.g. multiple mailboxes and multiple domains per single user)
 via local delivery agent (LDA) like procmail and maildrop, where
 sendmail acts as a middleman between the sender and the LDA.
 
 For your standard sendmail setup (i.e. one mailbox per user and no LDA)
 on your primary MX you don't really need that list in your access.db.
 Sendmail already knows how to deal with non-deliverable messages and
 effectively rejects them before entering the queue.

Just to clarify, if the destination mailbox is local, then at least with
sendmail an LDA (Local Delivery Agent) is required.  I'm not familiar
with other MTA software so I don't know if the LDA functionality is
built-in to the MTA itself or not, but with sendmail a separate LDA is
required. By default the LDA is procmail.

 
   1. Sender => Primary MTA -> Mailbox
 
 On your secondary MX however, the situation is quite similar to my
 virtual domain setup. Here's what your delivery chain looks like:
 
   2. Sender => Secondary MTA => Primary MTA -> Mailbox
 
 and here's mine:
 
   3. Sender => Primary MTA => LDA -> Mailbox
 
 In both cases (#2 and #3) there's one middleman - your secondary MTA or
 my primary MTA. I have also longer delivery chain with two middlemen in
 case mail comes in through my secondary:
 
   4. Sender => Secondary MTA => Primary MTA => LDA -> Mailbox
 
 In all of the above scenarios, leaving at least one middleman with no
 clue about the destination end point what's valid and what not, creates
 a gap which depending on the mail volume (or a dictionary attack for
 instance) could quickly get filled with useless junk floating around.

both sets of examples are identical, only in one set you've explicitly
mentioned the LDA and in the first set the LDA is implied.

If your middleman is sendmail, then your explanation above is
incorrect.  sendmail needs to know the delivery path before it can
process the message for delivery. which means that sendmail knows if the
email address is valid or not.  if the email address is *NOT LOCAL*,
sendmail may not know the deliverability of the address, but it knows if
it's valid.

so, for instance, sendmail when receiving a message for [EMAIL PROTECTED]
first has to determine if it is to accept mail for domain.tld.  if it
doesn't accept mail for domain.tld, it has to determine which MX host
DOES accept mail for domain.tld and whether or not it is allowed to
relay the mail.

if sendmail *DOES* accept mail for domain.tld, then it checks to see if
[EMAIL PROTECTED] is local to this machine. if it is then it checks to see
if there are restrictions to sending to [EMAIL PROTECTED] (often with
access database or virtualuser database, etc) part of these checks are
to see if this user actually exists on this host.  this is part of
sendmails validation of deliverability.

once it is determined to be locally deliverable, the message is then
passed to the LDA for actual delivery.



I wanted to make these points clear because it seems that Steve may not
be fully knowledgeable of the mail transport/delivery process and what
you've explained could potentially be *really confusing*.

Alan


Re: [Mimedefang] Should I try to do MIMEDefang with Mailscanner for backup MX

2006-06-20 Thread Alan Premselaar

Steve,

Steve Campbell wrote:

[snip]


 a) MIMEDefang does things like relay checks, sender checks, and 
 recipient checks that MailScanner doesn't do.
 
 This is where I want to remove the backup MX senders.

This type of scenario has been debated in a number of different mail
related lists over time.  One thing you need to consider is that, it is
perfectly reasonable for legitimate mailers to hit your secondary MX
server even if your primary MX server is running. This could be related
to temporary failures on your primary MX causing the sending server to
retry your secondary MX, or it could be cached information about which
MX server to connect to.  Because of this, you need to be really careful
about blocking mail coming into your secondary server.

 
 b) MailScanner does bulk AV and AS checks, instead of one at a time 
 checks (which may lead to a net gain in efficiency).
 
 I would leave the MS/SA functions as they are. They would still do the AV and AS
 checks, but probably have less emails to check as MD has deleted the spammers'
 attempt around the primary MX. Although both servers are primary and secondary
 MX servers, they are deleting at the MTA, so both have less process cycles due
 to reduced MS/SA emails to check.
 

if your only means of reducing the load of your AV/SA scanning is based
on the point of the connection, you may find that the effort to
implement this doesn't provide quite the impact that you hope for or expect.

[snip]

 
 The real problem I saw is that I can't find online man pages for
 mimedefang-filter, and most stuff I saw dealt with the md_check_smtp_*, or
 something like that, for checking if a user is a valid recipient on a server.
 Sorry, I'm at home now and don't have my notes in front of me.
 

in my setup, I have a machine that hosts multiple domains (MX1) and a
backup MX (MX2) for those multiple domains.  not as complicated a setup
as yours, but on a basic level I have MX2 use md_check_smtp_server
against MX1 to validate users and reject on invalid users right off.  I
also have duplicate spamassassin and AV software installations on each
of the MX servers, sharing a mysql database hosted on a third machine
(spamassassin).

in this situation, if MX1 is offline, the mail coming into MX2 is still
checked for viruses and run thru SA.  if it passes those phases, it's
queued for delivery to MX1 when it becomes available.  if not, it's
rejected as appropriate.

this ensures that legitimate connections to MX2 (even if MX1 is
available) aren't rejected, and worst case scenario is that while MX1 is
offline and unable to validate users, some mail for unknown users may be
queued and sent to MX1 when it's available, and then rejected causing
MX2 to generate a DSN.  as this happens so infrequently, I feel it's a
reasonable compromise.

 One for, one against.
 
 I have just started playing with milters, so I like something that is
 configurable, more so than those that are fairly single-purposed.

MIMEDefang is an extremely powerful tool that gives you a broad range of
possibilities for mail filtering.  The downside is that you need to know
at least the very basics of Perl in order for it to be configurable to
your tastes.  (and obviously the more you know about Perl, the better
you can tweak it to your tastes)

I definitely recommend that you learn Perl, as doing so would allow you
to easily do what you're looking to do with MIMEDefang.

HTH

Alan


Re: [Mimedefang] Warning: unable to close filehandle LOGF properly.

2006-06-07 Thread Alan Premselaar



Tory Blue wrote:
 Did a search and a few people see this but no answers.
 
 Did I miss something running Mime 2.44/clamav/sendmail 8.13 on a Linux box
 
 mimedefang-multiplexor[15477]: Slave 1 stderr: Warning: unable to close
 filehandle LOGF properly. 
 
 Thanks
 Tory


Just to kind of raise this issue again... I've googled and haven't found
any definitive information (yet) ...

I just upgraded to SA 3.1.3 and just now started seeing this problem
(i.e. i wasn't having this problem up to SA version 3.1.0)

I'm running mimedefang 2.53 (embedded perl), SA 3.1.3, Perl 5.8.0,
RedHat 9.0

I'll note that I also just started getting the WARNING: Something in
your Perl filter appears to have opened a file descriptor outside of any
function... message.  I haven't changed my filter at all, and i'm not
making any database calls.  All other file handling routines should be
w/in functions (i.e. reading headers file, etc)

any ideas?

alan


Re: [Mimedefang] Warning: unable to close filehandle LOGF properly.

2006-06-07 Thread Alan Premselaar



Alan Premselaar wrote:

 
 Just to kind of raise this issue again... I've googled and haven't found
 any definitive information (yet) ...
 
 I just upgraded to SA 3.1.3 and just now started seeing this problem
 (i.e. i wasn't having this problem up to SA version 3.1.0)
 
 I'm running mimedefang 2.53 (embedded perl), SA 3.1.3, Perl 5.8.0,
 RedHat 9.0
 
 I'll note that I also just started getting the WARNING: Something in
 your Perl filter appears to have opened a file descriptor outside of any
 function... message.  I haven't changed my filter at all, and i'm not
 making any database calls.  All other file handling routines should be
 w/in functions (i.e. reading headers file, etc)
 
 any ideas?
 
 alan

AND to reply to myself... I probably shouldn't be working on this while
i'm sick.

anyways, as it turns out, I installed SA 3.1.2 from CPAN as 3.1.3
apparently hasn't propagated to CPAN yet.


also, i'm running sendmail 8.13.6

alan


Re: [Mimedefang] DNS and MX records

2006-05-11 Thread Alan Premselaar

Les Mikesell wrote:
..snip..

 
 The place this is likely to be a problem is where you have
 virtual web servers with names in lots of domains pointing
 to the same box and you do want to accept mail for some
 of those names.  Note that CNAMES take all the associated
 data for the related A records, so if you have an MX for
 the real A record, the CNAME'd names get it as well, and
 if you don't, mailers will follow the CNAME to the related
 A record.  

This last part doesn't make a lot of sense, considering it's not legal
to use a CNAME entry as an argument for your MX record.

of course, while an interesting topic none-the-less, none of this is
directly relevant to MIMEDefang.  Just thought I'd be the one to say it. ;)

Alan


Re: [Mimedefang] DNS and MX records

2006-05-10 Thread Alan Premselaar



Kris Deugau wrote:
 netguy wrote:
 Recently I updated DNS for a few domains.  My registrar gives the
 option of assigning an IP addy for domain.tld without having an alias:
 mail.domain.tld  Ok, says I, lets give it a go.  Bam!  Slam, Spam
 started invading my privacy.  This leads me to believe either:
1. Mail ( spam ) in this case is being sent to domain names without
 doing MX lookups.
 
 Yep.  Spamware will certainly blindly open a connection to port 25 on
 domain.tld, rather than sorting through MX records.  Personally, I
 think it's better to have that A record in place, spam notwithstanding.
 


If I'm not mistaken, even properly configured MTAs will revert to the A
record of a domain if there are no MX records available. (although I
haven't done any real research to back up this statement recently so I
could be completely off base)

Alan


Re: [Mimedefang] exempt user problem

2006-05-02 Thread alan premselaar

Luke Worthy wrote:
 Sorry about my previous post, I now realize that we need to keep some
 other features of this filter (it keeps a copy of everyone's email as
 well as the exemption thinggy).
 
 So below is my original post, and the listing of the filter code.
 
 To: mimedefang@lists.roaringpenguin.com
 
 Recently I have started with a new company, and they have deployed
 MIMEDefang on a few different sites, with a custom filter, that has
 exemption lists.  Unfortunately the custom exemption list only works
 sometimes.  IANAPP (I Am Not A Perl Programmer), and would really like
 some help on either how to fix this current filter.
 
 Here are the logs from me sending a Movie.wmv to an exempt user.
 
 May  1 12:05:45 mail sendmail[20621]: k412XBf0020621:
 from=[EMAIL PROTECTED], size=3898524, class=0, nrcpts=1,
 msgid=[EMAIL PROTECTED], proto=ESMTP, daemon=MTA,
 relay=cpe-61-9-140-241.vic.bigpond.net.au [61.9.140.241]
 May  1 12:05:45 mail mimedefang.pl[9050]: MDLOG,k412XBf0020621,exempt
 user,,0,[EMAIL PROTECTED],[EMAIL PROTECTED],testing
 May  1 12:05:45 mail mimedefang.pl[9050]: MDLOG,k412XBf0020621,exempt
 user,,0,[EMAIL PROTECTED],[EMAIL PROTECTED],testing
 May  1 12:05:45 mail mimedefang.pl[9050]:
 MDLOG,k412XBf0020621,bad_filename,Movie.wmv,video/x-ms-wmv,[EMAIL 
 PROTECTED],[EMAIL PROTECTED],testing
 
 May  1 12:05:45 mail mimedefang.pl[9050]:
 MDLOG,k412XBf0020621,mail_in,,,[EMAIL PROTECTED],[EMAIL PROTECTED],testing
 
 May  1 12:05:45 mail mimedefang.pl[9050]: filter: k412XBf0020621:
 append_text_boilerplate=1 drop_with_warning=1
 May  1 12:05:45 mail sendmail[20642]: k412XBf0020621:
 to=[EMAIL PROTECTED], delay=00:02:33, xdelay=00:00:00,
 mailer=local, pri=61316, dsn=2.0.0, stat=Sent
 
 
 It kinda looks like it's going through twice.
 
 Luke
 
(filter snipped)

Luke,

 After looking at your filter I can tell you what's going on.

firstly, it looks like it's going through twice because you're using
stream_by_domain / stream_by_recipient functions which actually
re-insert the message on either a per-domain or per-recipient basis (as
appropriate)  so that is normal.

secondly, the reason that you're getting inconsistent results from this
is because you're trying to save exemption state information in a global
variable.  This won't work because the way MIMEDefang works, different
slaves may process different parts of the same message.  you should read
the man pages for MIMEDefang and pay particular attention to the section
that covers SAVING STATE INFORMATION.

hope this helps.

Alan
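The state problem described in the reply above, as an added example that is neither Luke's filter (which was snipped) nor code from the MIMEDefang distribution: the exemption decision is recomputed in filter_begin from @Recipients instead of being carried in a global set by an earlier callback. The exempt address, %EXEMPT, is_exempt() and the blocked-extension list are assumptions; the harness at the bottom stubs action_drop_with_warning so the logic can be run outside MIMEDefang.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# @Recipients is filled in by mimedefang.pl before filter_begin is called;
# it is declared here so the fragment also compiles on its own.
our @Recipients;
our $ExemptMessage;

# Hypothetical exemption list (constructed address).
my %EXEMPT = map { lc($_) => 1 } qw(video-team@example.com);

sub is_exempt {
    my ($addr) = @_;
    $addr =~ s/^\s*<//;     # envelope addresses usually arrive as <user@domain>
    $addr =~ s/>\s*$//;
    return exists $EXEMPT{ lc $addr } ? 1 : 0;
}

# Pattern that gives inconsistent results: the flag is set in one callback
# group and read in another. filter_recipient and filter may run in different
# slaves, and a slave keeps its globals from whatever message it saw last.
#
#   sub filter_recipient {
#       my ($recipient) = @_;
#       $ExemptMessage = 1 if is_exempt($recipient);
#       return ('CONTINUE', 'ok');
#   }

# filter_begin, filter and filter_end run in the same slave for one message,
# so a flag assigned unconditionally here is safe to read in filter().
sub filter_begin {
    my @not_exempt = grep { !is_exempt($_) } @Recipients;
    $ExemptMessage = (@Recipients && !@not_exempt) ? 1 : 0;
    return;
}

sub filter {
    my ($entity, $fname, $ext, $type) = @_;
    return if $ExemptMessage;            # every recipient is on the list
    if (defined $ext && $ext =~ /^\.(?:wmv|exe|scr)$/i) {   # assumed policy
        return action_drop_with_warning("Attachment $fname removed by policy.");
    }
    return;
}

# Stand-alone harness, skipped when mimedefang.pl loads this file.
# It simulates one slave handling two messages in a row.
unless (caller) {
    no warnings qw(once redefine);
    my @dropped;
    *action_drop_with_warning = sub { push @dropped, $_[0]; return 1 };

    @Recipients = ('<video-team@example.com>');      # constructed
    filter_begin();
    filter(undef, 'Movie.wmv', '.wmv', 'video/x-ms-wmv');

    @Recipients = ('<someone.else@example.com>');    # constructed
    filter_begin();
    filter(undef, 'Movie.wmv', '.wmv', 'video/x-ms-wmv');

    printf "parts dropped: %d\n", scalar @dropped;
}
```

When the filter also calls stream_by_recipient, each re-injected copy carries a single recipient, so the all-recipients test above becomes a per-recipient decision.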


Re: [Mimedefang] Filter not working (properly)

2006-04-13 Thread Alan Premselaar



Ashley M. Kirchner wrote:
 
Anyone have any idea why this piece of my mimedefang filter suddenly
 quit working?
 
    if ($FoundVirus) {
        md_graphdefang_log('virus', $VirusName, $RelayAddr);
        md_syslog('warning', "Discarding because of virus $VirusName");
        $QuarantineDir = '/var/spool/MD-Quarantine/virus';
        action_quarantine_entire_message("Message quarantined because of virus: $VirusName.");
        $QuarantineDir = '/var/spool/MD-Quarantine';
        return action_discard();
    }
 
It's logging the virus message just fine, and I get the quarantined
 e-mails as well, and clamav is also reporting the virus as it should in
 its log file, but MD is not saving the data in
 /var/spool/MD-Quarantine/virus anymore, it just stopped.  Any ideas as
 to why?  The last two items that got updated were clamav (0.88.1) and
 sendmail (8.13.6).  Haven't touched MD just yet, though it also needs an
 update.
 

Ashley,

  here are the obvious questions:

have the permissions on the directory changed at all?
do you have any files in /var/spool/MD-Quarantine? (as opposed to
/var/spool/MD-Quarantine/virus)

I'm not sure why you set $QuarantineDir twice, and theoretically it
shouldn't have any impact, but maybe somehow it is and it's writing the
files in the wrong place. (really reaching here)

I'm assuming you've restarted sendmail and MIMEDefang as well during the
upgrade process for sendmail but, just in case you haven't, you should.

I would be tempted to question the clamav upgrade as a number of people
have apparently been having problems with 0.88.1 (although I haven't had
any at all), but it appears that it's returning the virus name properly
so unlikely to be the cause.

that pretty much leaves sendmail ... if you downgrade back to 8.13.5 (or
whichever version you were using previously) does it work again?

alan


Re: [Mimedefang] MD 2.51/clamav .88.1 failure

2006-04-10 Thread Alan Premselaar

Richard J. Kieran wrote:
 On Friday, 4/7, I updated clamav from version .88 to .88.1. When I did so, 
 virus scanning broke. Maillog was filled with entries like:
 Apr  7 15:49:23 hoover mimedefang.pl[66764]: Problem running virus scanner: 
 code=999, category=cannot-execute, action=tempfail 
 Apr  7 15:49:23 hoover sm-mta[67374]: k37JnNo4067374: Milter: data, 
 reject=451 4.3.0 Problem running virus-scanner
 Apr  7 15:49:23 hoover sm-mta[67374]: k37JnNo4067374: to=[EMAIL PROTECTED], 
 delay=00:00:00, pri=145673, stat=Problem running virus-scanner
 
 The clamd.log showed no problems. It seemed to be happy as a, well, clam. I'm 
 running MD version 2.51 on FreeBSD 5.4. 
 
 I was able to fix it by re-installing clamav .88
 Has anyone else seen this problem? Do I need to update MD? Any other thoughts?
 Richard

Richard,

 There's been some conversation on the clamav list about problems with
the config files since upgrading to 0.88.1 (even not associated with
mimedefang).

you should check your clamav config files to make sure you don't have
more than one space between the directive and the value, specifically in
relation to the LocalSocket directive.

apparently while the following works:

LocalSocket /tmp/name/of/socket/file

the following is broken in 0.88.1:

LocalSocket  /tmp/name/of/socket/file    (notice the extra space?)

So far on the clamav users list there's no talk about a patch or a fix
for this problem other than to check your config files for extraneous
spaces.

hope this helps.

Alan


Re: [Mimedefang] sa-mimedefang.cf

2006-03-03 Thread Alan Premselaar

[EMAIL PROTECTED] wrote:
 Mickey Hill wrote:
 On Thu, 2006-03-02 at 11:12 -0500, webmaster wrote:
 Well, sa-mimedefang.cf doesn't exist. Where can I obtain it and what
 does it say?
 I believe it's in /etc/mail now.
 
 I concur.  Although I softlink my /etc/mail/sa-mimedefang.cf to 
 /etc/mail/spamassassin/local.cf
 


So, to more directly answer the OPs question, /etc/mail/sa-mimedefang.cf
 should be whatever the contents of your local.cf file normally are,
although configured for your mimedefang installation.

I also, like Matthew, have a symlink of /etc/mail/sa-mimedefang.cf ->
/etc/mail/spamassassin/local.cf  which should be all you need to do.

I think primarily this was done to prevent mimedefang from clobbering
the SA local.cf file and keeping things separated for easy
administration (i could be wrong). one thing it does do is make it easy
to identify what config files are necessary for the mimedefang installation.

HTH

alan


Re: [Mimedefang] MIMEDefang and mailman

2006-02-21 Thread Alan Premselaar



Daniel O'Connor wrote:

[snip]

 Hmm but mail that is destined to pass through mailman is handled by 
 MIMEDefang 
 first - I want to tell MD to treat all mail to my lists as for the mailman 
 user (ie use the mailman user's Bayes DB).
 
 I don't mind if I have to put something like..
 if ($to eq 'list1' || $to eq 'list2') {
   $user = 'mailman';
 }
 


Daniel,

  I'm using mailman as well. If memory serves, I had to allocate a
separate virtual domain specifically for the mailman lists in order for
mailman to handle them properly.

Assuming you're using the same type of configuration, you may want to
look at stream_by_domain to process different domains with different
parameters. I don't personally use stream_by_domain or
stream_by_recipient so I can't help you with specifics related to these,
but hopefully this will point you in the right direction.

Alan


Re: [Mimedefang] OT: Disclaimer Madness

2006-02-14 Thread Alan Premselaar

ya, if you gather all the disclaimers and then send them to the
originating companies all at once, can you cause a disclaimer paradox
and thus the universe to explode?

Dave Williss wrote:
 I hope you sent a copy of the combined disclaimers to them. :-)
 
 - Original Message - From: Charles [EMAIL PROTECTED]
 To: mimedefang@lists.roaringpenguin.com
 Sent: Tuesday, February 14, 2006 6:38 AM
 Subject: Re: [Mimedefang] OT: Disclaimer Madness
 
 
 David F. Skoll wrote:
 We should be grateful if you would also notify the IT Operations
 Manager at City  Guilds of the e-mail, then delete it and destroy any
 copies of it. To contact the IT Operations Manager, please email
 [EMAIL PROTECTED]

 I love this one.  We *should* be grateful.  D'Oh!

 I wonder if a boilerplate like this would be an effective method for
 seeding a honeypot address??  H.

 Charles


Re: [Mimedefang] poor performence from SA

2006-01-12 Thread Alan Premselaar

[EMAIL PROTECTED] wrote:
[snip]
 
 I have upgraded to SA 3.1 but i get strange actions...
 I think that the SA is now checked before mimedefang filters and skips
 other
 filters...(but i'm not 100% sure about that? how can check?)
 

Did you install spamass-milter during your 3.1 install?

 I stop about 1000 spam mail per day and get about 3000 legit mail per
 day (some
 of it SPAM!!)

are you saying that you block about 1000 spam per day and receive 3000
per day, some of which is spam?

by definition legit mail != SPAM.

 I noticed another very annoying problem that I posted before but could NOT
 resolved it here...which is GOOD email with spam score less then 5
 end-up in
 spamdrop instead of delivered to user mailbox!

what are you using to move the mail to your spamdrop? are you
quarantining the mail in mimedefang? are you pre-sorting to a different
folder using something like procmail? are you just discarding the mail?

we're a little short of useful information here.

 and checking the headers it says:
 [quote]
 X-Spam-Status: No, score=3.1 required=5.0 tests=DATE_IN_FUTURE_96_XX,
MSGID_FROM_MTA_ID autolearn=no version=3.0.3
 [end quote]
 this was from the spamdrop mailbox!! why is it there is the spam-status
 is NO
 ???

for one thing, this still shows it was scanned with version 3.0.3. are
you sure that you properly upgraded to 3.1? make sure that any
pre-existing 3.0.3 installation has been successfully removed.

most importantly, for anyone to provide you any assistance, you'll need
to provide more details about how you have it all installed.

hope this helps (even just a little)

alan


Re: [Mimedefang] disclamer only for out going mails.

2005-12-20 Thread alan premselaar

Joseph Brennan wrote:
...snip...


 No, since I have not been asked to do such a thing.  The question
 just got me started thinking about how difficult it is to define
 what outgoing mail is.  I didn't even mention the situation we
 have here, and also at many universities, that the company has
 many email servers, so that some mail outbound from the main
 system is actually internal mail by some definition.

I require all my users to use SMTP AUTH to send mail from our mail
server, even from the internal network.  So I use the
SendmailMacros{auth_authen} (i think) to check to see if SMTP AUTH has
been used to determine if mail is outgoing  ... it seems to be fairly
simple, but granted, not every place can enforce an SMTP AUTH policy.

alan


Re: [Mimedefang] Error message:Problem running virus scanner: code=2

2005-12-06 Thread Alan Premselaar

[EMAIL PROTECTED] wrote:
 Mathew,
 
 Sorry for not answering your exact question...BUT
 
 What you should certainly do is upgrade mimedefang to latest 2.54 and SA
 3.0.3 and clamAV 0.87
 

Actually, SA 3.0.3 is still susceptible to a remote exploitable DoS
attack, if anything upgrade to 3.0.4 (or the recent 3.0.5 release if you
want to stick with the 3.0.x series or you can go to version 3.1.x)


likewise, ClamAV 0.87 is also vulnerable to a remote exploit and 0.87.1
is recommended.

alan


Re: [Mimedefang] Creating live graph for monitoring the mail systems

2005-12-01 Thread Alan Premselaar

Mathew Thomas wrote:
 Hi
 
 I use some Perl script to analyse the syslog which produces a lot of
 information like total mail, no. inbound/outbound mail, no. of spam, no.
 of mail with viruses, dropped mail, etc daily via a cron job. I would
 like to use the data to produce some graph for live monitoring the mail
 gateways via web. I can run the script every half an hour or 15 min and
 produce the necessary data.
 
 I don't know how to go ahead with it. Please reply. Thanks in advance
 for the help
 
 Mathew

Mathew,

  You can do all of that with Graphdefang, which should be in the
contrib directory of MIMEDefang.  I haven't checked to see if it's still
included, but it used to be.

not sure if this is exactly what you want, since it won't use your
script, but it should produce semi-real-time-graph-monitoring.

HTH

Alan


Re: [Mimedefang] Suggestions please ... ;)

2005-11-10 Thread alan premselaar

Garry Glendown wrote:
Oh how easy life would be if customers just bought services and stopped 
complaining about missing features ... ;)


OK, here we go ... after some advice from the list, I installed MD to 
add special filtering capabilities to a customer mailserver. So far so 
good ... working as originally intended. I.e., filtering mails with a 
certain maximum size, filtering with a maximum number of recipients, etc 
...


I tried to clarify the exact handling and now got the request to have 
the filters modifiable based on the recipient/sender of the mail (at the 
customer's site). So, while the default might state that only 
attachments at 2MB are permitted, [EMAIL PROTECTED] is allowed to send 
or receive 5MB attachments, whereas [EMAIL PROTECTED] is supposed to 
receive msgs even if the number of recipient is greater than the default 
50.


Now - how would you folks handle this? Problem is the former mailserver 
(Tobit David) had such features ...


And, can MD handle this split logic, i.e. can I duplicate the mail, 
deliver it to certain recipients, whereas I quarantine it to the rest 
(in case of multiple recipients)?

Gary,

 I don't personally use the feature so I'm not going to be able to give 
you much details, but it sounds like stream_by_recipient() might be what 
you're looking for.  check man mimedefang-filter for more details.


you'll probably also want to look at filter_sender and or 
filter_recipient to handle the recipient count logic and the file size 
logic.


hope this helps

alan


Re: [Mimedefang] (no subject)

2005-09-26 Thread alan premselaar

[EMAIL PROTECTED] wrote:

I'm confused...
I got a mailbox call spamdrop, where all spam detected by Mimedefang-SA is
quarantined.
Some of the emails subject is altered to contain:'*SPAM*', some
'[SPAM]', and some are not changed???!!!???

I still have the problem of honest spam endup in spamdrop mailbox and 
NOT marked

as spam by mimedefang headers?!?!

Meni

...snip...

Meni,

  are you also calling Spamassassin/spamc via procmail by any chance?

alan


Re: [Mimedefang] Rejecting some recipients

2005-09-15 Thread alan premselaar

Jeff Grossman wrote:
[snip]


Sorry for the run on message before.  I have MIMEDefang set up with the
md_check_against_smtp_server setting.  So, it checks my server first to see
if the address is valid or not.  So, do you think it is still a problem with
just putting the addresses I want to reject in the access database?  The
reason I would prefer that method is because the list of rejections is much
smaller than the accept list, and the reject list does not change like the
accept list does.

[snip]

Jeff,

 if you have sendmail configured to use virtusertables, then you could 
put something like this in the virtusertables file:


[EMAIL PROTECTED]   error: nouser No such user here

you'll have to check the docs for what the values of the error: 
directive are for virtusertables, but that will probably do what you 
want it to do.


alan


Re: [Mimedefang] exiting the filter before any processing

2005-09-05 Thread alan premselaar

Rolf wrote:

hello

I've tried so many combinations and none work.  Feeling a bit silly.

Where can I put in mimedefang-filter a statement so that the filter 
exits before any processing happens based on $RelayAddr ??


I've tried a simple: return if ($RelayAddr eq 'ip address');  in various 
parts of the filter but none make any difference. Do I need such a 
statement in each of the subroutines?


What am I missing and/or misunderstanding?


Rolf,

 I think you want to put something like this in filter_relay:

    if ($RelayAddr eq 'ip address') {
        return('ACCEPT_AND_NO_MORE_FILTERING', 'ok');
    }


and you'll also need to make sure you're calling mimedefang with relay 
checking turned on.


You should check the man pages for how to do this specifically as I 
don't remember off the top of my head.


HTH

alan


Re: [Mimedefang] Checking origin of sender

2005-09-02 Thread alan premselaar

Ian Mitchell wrote:
...snip...


HELO junkmail.com
MAIL FROM: [EMAIL PROTECTED]
RCPT TO: [EMAIL PROTECTED]
DATA
From: [EMAIL PROTECTED] [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
...



Why would this make it past your SPAM filter? Unless you're doing 
something like whitelisting your domain (which is a bad idea in general) 
it should still be scanned.


Especially since in your example you have:
MAIL FROM: [EMAIL PROTECTED]
From: [EMAIL PROTECTED] [EMAIL PROTECTED]

which means that as far as the MTA is concerned, the mail came from 
[EMAIL PROTECTED] ..




Now what's the advantage of the above? It appears to come from the
receiver thus allowing it to be filtered on appropriately. Now as long as
the email doesn't break too many of the literally thousands of other
rules, it will make it through and appear to be legitimate (at least on the
side of the server).



actually, it will only appear to be legitimate on the side of the 
client.  assuming the client displays the [EMAIL PROTECTED] 
part of the FROM: value as the sender (which a lot of clients do)


this is more of a social engineering issue, except that it's not really 
since the system is working exactly as it's been designed to.



No email from my domain either in the plain text name portion or the
actual sender email address should originate outside my domain's SPF
record. Any suggestions for hunting and destroying these emails?



In this case, if you want to avoid your end users being confused by this 
type of email, I would suggest that you check the comment portions (in 
quotes) and the email portion (in <>) of the From: to see if the comment 
contains your domain name, and if so if it matches the domain from the <>.


if it doesn't match, markup the Subject or add a tag to the From: 
comment to make it obvious that it wasn't originated from your network.


HTH

alan
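
The check suggested in the reply above, as an added example (not code from the thread or from MIMEDefang): it splits a From: value into display name and address and reports a mismatch when the name mentions the protected domain but the address lies elsewhere. The domain example.org, all helper names and the sample headers are constructed assumptions.

```perl
#!/usr/bin/perl
# Added example: flag From: headers whose display name claims our domain
# while the real address is somewhere else.
use strict;
use warnings;

my $OUR_DOMAIN = 'example.org';   # assumption: the domain being protected

# Split a From: value into (display name, address).
sub split_from {
    my ($from) = @_;
    $from =~ s/^\s+|\s+$//g;
    if ($from =~ /^(.*?)\s*<([^<>]*)>$/) {        # Name <addr> or "Name" <addr>
        my ($name, $addr) = ($1, $2);
        $name =~ s/^"(.*)"$/$1/;                  # drop surrounding quotes
        $name =~ s/\\(.)/$1/g;                    # undo backslash quoting
        return ($name, lc $addr);
    }
    if ($from =~ /^(\S+\@\S+)\s*\((.*)\)$/) {     # addr (Name)
        return ($2, lc $1);
    }
    return ('', lc $from);                        # bare address
}

# Domain part of an address, lower-cased, without a trailing dot.
sub domain_of {
    my ($addr) = @_;
    return $addr =~ /\@([^\@\s]+?)\.?$/ ? lc($1) : '';
}

# True when $domain is our domain or one of its subdomains.
sub in_domain {
    my ($domain, $ours) = @_;
    return $domain eq lc($ours) || $domain =~ /\.\Q$ours\E$/i;
}

# True when the display name mentions our domain, bare or inside an
# address, but not as part of a longer name such as notexample.org or
# example.org.evil.test.
sub name_claims_domain {
    my ($name, $ours) = @_;
    return $name =~ m{
        (?:^|[^A-Za-z0-9.-])            # not glued to a longer label
        (?:[A-Za-z0-9-]+\.)*            # optional subdomain labels
        \Q$ours\E
        (?![A-Za-z0-9-]|\.[A-Za-z0-9])  # and not continued by more labels
    }xi ? 1 : 0;
}

# Returns (verdict, detail); verdict is 'ok' or 'mismatch'.
sub check_from {
    my ($from, $ours) = @_;
    my ($name, $addr) = split_from($from);
    my $addr_domain   = domain_of($addr);
    return ('ok', 'display name does not mention our domain')
        unless name_claims_domain($name, $ours);
    return ('ok', 'address is in our domain')
        if in_domain($addr_domain, $ours);
    return ('mismatch', "name claims $ours, address is in $addr_domain");
}

# Constructed sample headers, not taken from the thread.
my @samples = (
    '"ceo@example.org" <bulk@junkmail.test>',
    'ceo@example.org <bulk@junkmail.test>',
    '"Alice (example.org helpdesk)" <alice@mail.example.org>',
    '"Bob at notexample.org" <bob@elsewhere.test>',
    'carol@example.org',
);
for my $from (@samples) {
    my ($verdict, $detail) = check_from($from, $OUR_DOMAIN);
    my $tag = $verdict eq 'mismatch' ? '[EXTERNAL SENDER] ' : '';
    printf "%-58s %s%s\n", $from, $tag, $detail;
}
```

Inside a filter, the 'mismatch' verdict is the point at which the Subject or From: comment would be marked up as the reply describes.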


Re: [Mimedefang] Mimedefang, spamassassin and /etc/mail/spamassassin

2005-08-17 Thread Alan Premselaar

Rudy Attias wrote:

Hey all,

I'm quite new with this configuration but I seem to get the hang of it.
I'm running a mail relay (no local account) that forwards to an Exchange
2003 server in the LAN. The relay is running sendmail and mimedefang
that scans using spamassassin and clamav. I have 2 main problems, both of
them are related to the way that mimedefang functions with
spamassassin.
First problem, which is partly solved, is the bayes processing with
spamassassin; in order to enable it I first added to
/etc/mail/spamassassin/local.cf the following lines, which had no
effect:
#Enable bayes

   auto_learn 1
   use_bayes 1
   bayes_path  /var/spool/MIMEDefang/bayes
   bayes_file_mode 0666
trying to put the same lines to the /etc/mail/sa-mimedafang.cf created
the files required in the directory /var/spool/MIMEDefang/bayes,
bayes_toks and bayes_seen (is it all the files that need to be
created?). 


With later versions of MIMEDefang, it looks for 
/etc/mail/sa-mimedefang.cf instead of 
/etc/mail/spamassassin/sa-mimedefang.cf ... I've just created a symlink 
during my upgrade process and that works fine. (you could also make a 
symlink to /etc/mail/spamassassin/local.cf if you so chose)





I do not have local accounts so I'm not sure how bayes makes the
learning?


you should consult the SA documentation and/or mailing list for 
specifics of how the autolearn function works.



How can I check the count of learned messages, if I'm not mistaken
bayes will start filtering only after about 200 auto learned messages? 
Please feel free to correct me and enlighten me.


you are correct, Bayes will not kick in until you have at least 200 ham 
*AND* 200 spam learned.  you can check using the commandline by running 
the following command:


sa-learn --dump magic



Second problem is that I want to add some custom rules to spamassassin
by adding some file (e.g. newrules.cf) to /etc/mail/spamassassin but I
have no indication that mimedefang reads those, on the contrary it seems
that when I added the bayes configuration to local.cf in that directory
it didn't affect the spamassassin that is run from mimedefang.
appending to sa-mimedafang.cf is the only option? If not how do I check
or see in the logs that it actually loaded those files?



if i remember correctly, MD needs the primary config file (in this case 
/etc/mail/sa-mimedefang.cf) to pass to the SA API when initializing the 
modules.  once this is done, any config directory directives (and 
defaults) are in place.  So you can put anyfile.cf in 
/etc/mail/spamassassin and it will be used.



HTH

alan


Re: [Mimedefang] Spam with more than one recipient - reject or not?

2005-08-17 Thread Alan Premselaar

Michal Jankowski wrote:

There are two users - user A and user B. User A wants to receive
everything, user B wants to have all spam mail rejected (with
action_bounce, so in case of a false positive the sender is notified).

There comes a mail addressed to both A and B. What should mimedefang
do?

1. Bounce
   Pro: B doesn't get unwanted spam
        Sender is notified
   Con: It's not delivered to A

2. Deliver to A only
   Pro: B doesn't get unwanted spam
        A gets everything
   Con: The sender thinks they both received it

3. Deliver to A and B
   Pro: A gets everything
        No problem with false positives
   Con: B gets unwanted spam

4. ?

Any ideas?


Michal,

It seems to me like the 'most ideal' option would be 1. I say this 
because if someone sent mail to A & B that got scored high enough to be 
bounced but it wasn't actually spam, then at least the sender is 
notified that it got rejected by the filters and they can fix the mail 
and send again.


2 would be my second option if A didn't accept the fact that if the mail 
scored high enough to be bounced that the likelihood of it being spam 
outweighed the likelihood of it being a FP. The problem is that if it is 
a FP in scenario 2, nobody knows and thus the problem can't be fixed.


3 would be the 'safest' option in the fact that no mail is being 
rejected or discarded, but it's certainly not an ideal installation.  It 
would bring up the "why do we even have a spam filter anyways?" question 
from B quite often I would think.


I personally do global rejection if the mail scores above a certain 
score, otherwise I add spam headers and pass it on to the user to do 
with as they please (i sort mine into a spam folder).


To date I've had 0 complaints about it and nobody has contacted me 
saying "my mail got rejected, why?" (that doesn't necessarily mean that 
someone hasn't thought that but just not known how to get ahold of me, 
however)


so, that being said, i'd choose door #1.

Alan


Re: [Mimedefang] RE: Filtering on sender, recipient, and subject at the same time

2005-07-18 Thread alan premselaar

Craig Green wrote:
...snip...

Note that since you're in filter_end, the HEADERS file *is* available, 
so you can just parse that if you'd prefer.  There was nothing wrong 
with your initial logic; it's just that parsing the file on disk is 
slower *and* it takes more code than using the MIME entity.  However, if 
it works, it works.  ;-)


Although if the spool directory is configured on a tmpfs (ramdisk) as 
has been recommended for quite some time now, then reading a file on 
disk is no longer an issue, as the disk itself is in RAM.


(I do, however, agree that using the MIME Tools code is much cleaner to 
look at.)


Alan


Re: [Mimedefang] Blatent spam getting X-Spam-Score: 0 ()

2005-07-08 Thread alan premselaar

Bill Curtis wrote:

So any idea why these aren't getting any scores at all?


Bill,

  If it were I, I'd put some debugging md_syslog calls in.  right after 
you receive the results from the sa check and then also right before you 
write those values to the header.


chances are somewhere in between, the variables you're using to populate 
the header are either nulled out or becoming undefined.


find out for sure with debugging.

alan




Re: [Mimedefang] ClamAV's Worm/Trojan/Joke/W97M classifications

2005-07-01 Thread alan premselaar

Chris Gauch wrote:

Alan wrote:



One of the reasons I use 550 rejects for viruses is that I also scan
outgoing mail... so if by some chance one of my users gets infected with
a virus (regardless of the fact that we have desktop antivirus software
installed on all our machines as well as ClamAV on the MX server) and it
tries to send out using our mail gateway, the mail gateway will reject
that mail with a 550 and throw an error back to the client machine.

if the virus is in an attachment that they're legitimately trying to
send, they'll get an error message and then they'll undoubtedly come
crying to the helpdesk which will then kick them and tell them to run
the latest antivirus software/signatures.




While it certainly makes sense to reject viruses when scanning outgoing mail
from your own network, it's best to make sure that virus attachment is
removed prior to rejecting and generating the bounce.  We also used to do
the same thing (rejecting viruses) when it came to outbound mail from our
own mail server (which is completely separate from our MD/ClamAV (CanIt-PRO)
gateway cluster), where we run a commercial AV scanner.  In at least a dozen
or so situations early last year, we were basically rejecting viruses from
client PCs, but the ignorant users (who WERE NOT infected prior to receiving
the bounce), would open the attachments in the bounce and infect their PCs,
spreading the virus like wild fire. Let me explain... 


I'm not generating bounces... i'm merely 550 rejecting ... which is fine 
in my situation because it's the SMTP outgoing gateway machine that is 
rejecting the content coming directly from the client machine. (which is 
on our local network) ... so, what happens is, the user (on said client 
machine) writes email, attaches a file, hits send, gets a popup window 
that says "ERROR 550 YOUR MESSAGE CONTAINS A VIRUS" and doesn't go 
beyond that point until they either a) figure it out themselves and run 
their anti-virus scanner or (more likely) b) contact our helpdesk and 
admit that they don't know enough to really be allowed to touch a 
computer even indirectly connected to the internet.  then our help desk 
eradicates the virus or tells the user they're SOL.


no bounces (aka DSN or NDN) involved.

we have instituted a "no MS internet software" policy, but it doesn't 
necessarily mean that someone's not going to open OE or IE out of habit 
or just cuz they think they know what they're doing.


Also, one point that has been glazed over in this entire thread is that 
email is not the only way for these machines to be infected with 
viruses, and the user doesn't even have to be a complete moron to become 
infected any longer. Especially with exploits in which all you have to 
do is open the wrong URL, without knowing it or any indication on the 
site itself, just that one little act can infect your machine. nothing 
to do with mail.


right or wrong, i don't think either solution really adds any more to 
the problem, nor does it really remove anything from the problem. I 
think what these solutions do is change the way the problem is perceived 
by the people that are directly affected by the implementation of these 
solutions.



if AV scanners were absolutely, without a doubt 100% reliable, that 
would be a different story.  if there were NO OTHER WAYS to contract 
these viruses, it would be a different story.  if there weren't other 
legitimate causes for DSNs, NDN, or what have you, then the argument 
would hold more weight.


As it stands, obviously, my solution isn't appropriate for everyone, but 
it is most appropriate for me. my solution is rejection (not bouncing). 
my solution can have some adverse effects on other people as a result of 
someone else's malicious software, true. so does yours. just in a 
different way.


I take the stand (as others on the list also have) that I am not, and 
can not be responsible for everyone I come into contact with either 
directly or indirectly.  As much as I would like to help everyone, i'm 
neither qualified, nor is it entirely appropriate.  At a certain point, 
people need to take responsibility for themselves.  That includes being 
responsible for what they do and/or do not tolerate, how they deal with 
those things that they find they are unable to tolerate, and how to 
alter their environment so that they can protect themselves from those 
things they are unable to tolerate.


The argument that i've seen here has been two-in-one.  the first is that 
discarding is better than rejecting.  for some, that is true and 
appropriate.  the second, parallel argument is that the reason to 
discard is because people other than [insert admin/implementing 
authority/etc. here] are unable to accept or even understand 
responsibility for themselves and that we (the mail admin community) 
must accept responsibility for them and every other netizen instead of 
educating them as necessary for them to accept responsibility.  This is 
the role of an enabler 

Re: [Mimedefang] Timeouts when filter-sender is employed

2005-06-15 Thread alan premselaar

Dirk the Daring wrote:
...snip...



> ##
> sub filter_sender {
>     my($sender, $hostip, $hostname, $helo) = @_;
>
>     # Can't be psicorps.org unless it's one of our IP's.
>     if ($helo =~ /(^|\.)psicorps\.org$/i) {
>         if ($hostip ne "127.0.0.1" and $hostip ne "209.170.141.XXX" and
>             $hostip ne "209.170.141.XXX" and $hostip ne "209.170.141.103") and

the ")" before the "and" in the above line is probably 
what's causing your problem. (non-matching parens) 

>             $hostip ne "209.170.141.XXX" and $hostip ne "209.170.141.XXX") {
>             syslog('info', "MIMEDefang rejected a connection where Host $hostip said HELO $helo");
>             return(0, "Connection Rejected: $hostip is not authorized to use $helo for identification");

I'm sure it's been recommended that instead of returning 0 or 1 etc, you 
should return 'CONTINUE' or 'REJECT' etc. it shouldn't cause filter 
failures however.

>         }
>     }
>     return (1, "OK");
> }
> ##



when in doubt, running mimedefang.pl -test on your filter will show you 
most problems with your filter before running it live.


perl -c should show you any serious compilation errors

HTH

Alan
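
A version of the HELO check with balanced parentheses, as an added example rather than the poster's filter: the allowed addresses live in a hash, the sub returns the 'REJECT' / 'CONTINUE' strings recommended in the reply, and the client-supplied HELO text is made printable before it is logged or echoed. The 192.0.2.x addresses are placeholders standing in for the ones elided in the post, and md_syslog and printable are defined here only so the block runs outside MIMEDefang.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Stub so this block runs on its own. A real mimedefang-filter gets
# md_syslog() from mimedefang.pl; leave this definition out there.
sub md_syslog {
    my ($level, $msg) = @_;
    print STDERR "[$level] $msg\n";
}

# HELO names that only our own hosts may use (domain taken from the thread).
my $OUR_HELO_RE = qr/(?:^|\.)psicorps\.org\.?$/i;

# Assumption: 192.0.2.x are placeholders for the addresses elided in the post.
my %OUR_IPS = map { $_ => 1 } qw(127.0.0.1 192.0.2.10 192.0.2.11 192.0.2.12);

# Keep client-supplied text printable and short before it reaches
# the log or the SMTP reply (hypothetical helper).
sub printable {
    my ($s) = @_;
    $s = '' unless defined $s;
    $s =~ s/[^\x21-\x7e]/?/g;
    return substr($s, 0, 64);
}

sub filter_sender {
    my ($sender, $hostip, $hostname, $helo) = @_;
    $helo   = '' unless defined $helo;
    $hostip = '' unless defined $hostip;

    # One condition, one pair of parentheses: the HELO claims our name
    # and the connecting address is not on our list.
    if ($helo =~ $OUR_HELO_RE && !$OUR_IPS{$hostip}) {
        my $shown = printable($helo);
        md_syslog('info', "rejected: host $hostip said HELO $shown");
        return ('REJECT',
                "Connection rejected: $hostip is not authorized to use $shown for identification");
    }
    return ('CONTINUE', 'ok');
}

# Constructed test connections: [relay IP, HELO argument]
for my $c (['192.0.2.10',  'mail.psicorps.org'],
           ['203.0.113.7', 'psicorps.org'],
           ['203.0.113.7', 'PSICORPS.ORG.'],
           ['203.0.113.7', 'notpsicorps.org'],
           ['203.0.113.7', 'mail.example.net']) {
    my ($code, $msg) = filter_sender('<x@example.net>', $c->[0], 'unknown', $c->[1]);
    print "$c->[0] HELO $c->[1] => $code\n";
}
```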


Re: [Mimedefang] Start order for sendmail, MD and Clam

2005-06-07 Thread alan premselaar

Dirk the Daring wrote:

   Is there a particular order in which I should start sendmail, MD and
Clam? That is, are there any dependencies, or reason that one should be
running before the other (seems that sendmail will gripe about a missing
socket if MD is not running, so I start MD first, but what about Clam?)

Sendmail v8.13.4
MIMEDefang v2.51
Clam v0.85


Dirk,

 I start mine in the order of:

CLAMD
MIMEDefang
Sendmail

considering the logic that MIMEDefang makes calls that may require 
CLAMAV's resources (in this case clamd), and sendmail makes calls that 
may require MIMEDefang's resources, it seemed appropriate to ensure that 
those resources available before any chance of them being called.


subsequently, i shut them down in reverse order.

HTH

Alan


Re: [Mimedefang] 4.7.1 sendmail error

2005-05-20 Thread alan premselaar
Greg Schlut wrote:
Still bringing back that error.  Spamassassin was not scanning the files 
and I did increase the delay.  Any other ideas?  I may try upgrading 
mimedefang this weekend, and see if that solves it, but it really does 
look like a timeout issue.

Thanks for the help.
--Greg

Greg,
 are you using embedded Perl?  do you still get the error if you run 
without embedded Perl?

I've seen situations where while running in embedded Perl mode, the 
filter would time out trying to scan with SA, but in non-embedded Perl 
mode it would either work or fail with an error message. (it's been 
awhile, i don't remember the specifics off the top of my head)

I've also experienced odd time outs when I experienced hard disk 
problems on my MySQL server in which the disk would go into an endless 
loop while doing a seek and not time out or return an error. This 
wreaked all sorts of havoc on my mail server.

anyways, just some things to try in order to narrow down the cause of 
the problem.

hope this helps.
alan
___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


Re: [Mimedefang] Sober virus highlights problem

2005-05-19 Thread alan premselaar
David F. Skoll wrote:
...snip...

Interesting idea.  I wonder how easy it would be to maintain local
signatures for Clam, just to catch this kind of thing?  I'll have
to investigate.

I've never personally done it, but from following the conversations on 
the clamav users list, it seems like it's *REALLY* easy to do.

something along the lines of using the sigtool to generate your own 
signature database and putting that in the database directory.

(obviously this is a highly oversimplified, mostly uneducated explanation)
alan


Re: [Mimedefang] [possibly off-topic] ALL TRUSTED SA Problem

2005-05-18 Thread alan premselaar
Kevin A. McGrail wrote:
I am trying to assist with a problem where emails coming through an
anti-spam gateway are getting scored with ALL_TRUSTED.  I don't see a reason
why they should be.  I've looked at the SA Source code but still at a loss
and I'm worried it's something in the mimedefang filter.
Here's the headers from an email received by a user on an outlook client and
I've obscured the data to protect the innocent.  Any thoughts?
Microsoft Mail Internet Headers Version 2.0
Received: from fees.acompany.com ([192.168.216.48]) by
vaexchange.acompany.com with Microsoft SMTPSVC(6.0.3790.0);
 Wed, 18 May 2005 05:29:48 -0400
Received: from spam.acompany.com ([192.168.216.222]) by fees.acompany.com
with Microsoft SMTPSVC(6.0.3790.211);
 Wed, 18 May 2005 05:29:47 -0400
Received: from sndr132.beta-ca.mxsvrbsminc.net
(sndr132.beta-ca.mxsvrbsminc.net [72.5.1.132])
by spam.acompany.com (8.12.11/8.12.11) with ESMTP id
j4I9VSCr009059
for [EMAIL PROTECTED]; Wed, 18 May 2005 05:31:29 -0400
Received: by sndr132.beta-ca.mxsvrbsminc.net id hhc3p806574u for
[EMAIL PROTECTED]; Wed, 18 May 2005 02:14:52 -0700 (envelope-from
[EMAIL PROTECTED])
Received: from localhost by BSMgateway.2558621
(ver.3.3.100)
with ESMTP id mid72236008.msg
for [EMAIL PROTECTED]; Wed, 18 May 2005 02:14:52 -0700
...snip...

Kevin,
 This is definitely an issue with SpamAssassin. You should set your 
trusted_network and internal_network settings for SpamAssassin 
appropriately.  SA will do its best to try to figure this out on its 
own, however, especially in the case where your mail gateway server is 
on a private space IP address, it's not always able to do this.

It's been cautioned numerous times that correcting these settings is the 
most appropriate way to solve the problem, as other tests may be 
partially dependent on the trust path to function properly.

If you have your trusted_networks and internal_networks set properly, 
then just set the score for ALL_TRUSTED to 0 for now.

There are some known bugs related to the ALL_TRUSTED rules and code, you 
should scan SA's bugzilla for them to determine if you're seeing 
symptoms of a bug or not.

Hope this helps.
Alan


Re: [Mimedefang] Incorrect required_hits setting

2005-05-14 Thread alan premselaar
Richard J. Kieran wrote:
Thanks for the thoughts. 
The required_hits setting is in sa-mimedefang.cf only. SpamAssassin figures it out and MIMEDefang doesn't. hmmm...
I restarted MIMEDefang every time I made a change to the setting. No change.
The same .cf files work on the old server.
Definitely weird. I suppose I could bump up all my scores by 25%.

Richard,
  Older versions of MIMEDefang looked for sa-mimedefang.cf in 
/etc/mail/spamassassin.  2.51 looks for it in /etc/mail.

probably what is happening is that you don't have a 
/etc/mail/sa-mimedefang.cf file and thus it's using default values.

I've put a symlink in /etc/mail/sa-mimedefang.cf -> 
/etc/mail/spamassassin/sa-mimedefang.cf and that solved this issue for me.

of course all of this is covered in the changelogs
HTH
alan


Re: [Mimedefang] SMTP

2005-05-10 Thread Alan Premselaar
Christopher Roberts wrote:
Ben wrote:
You literally telnet on P:25 to their SMTP server and type 
the commands by hand. 
If you still get the error - something is wrong on their end.

You live and learn! I have tried doing this for
mailgate01.barclays.co.uk and mailgate02.barclays.co.uk and 90% of the
time both immediately fail with:
   421 4.0.0 mailgate02.barclays.co.uk Server error
So the error is at their end... ?
But, I did manage to connect successfully a few times, and got as far
as:
   RCPT TO: MY [EMAIL PROTECTED]

Christopher,
 I'd telnet to their server on port 25 and do the following:
EHLO your.mailserver.hostname
(you should get a string of 250- response messages)
MAIL FROM: [EMAIL PROTECTED]
(you should see another 250- response, if you get an error here, their 
mail server doesn't like something about your email address. more than 
likely your domain. more than likely your domain doesn't resolve properly)
RCPT TO: the.email.address.you'[EMAIL PROTECTED]

if at this point it returns a 421 error, the problem is definitely on 
their side, and it appears to be a problem with the recipient.

if you get another 250- response then type:
DATA
(you should get a 354- response, type in anything and then follow it by 
a single . on its own line)

if HERE you get the error, then it could be related to anti-virus or 
anti-spam software configuration on their end, or other general 
configuration problems on their end.  It could be related to sender or 
recipient depending on how their mail server is configured.

Whereon I get domain invalid response. But I haven't seen any such
failures in the logs, so I suspect that it generally doesn't get this
far... Unless I don't have the log level set correctly - is there a
recommended level for debugging? Currently:
   define(`confLOG_LEVEL', `8')dnl
   define(`confMILTER_LOG_LEVEL', `8')dnl

for debugging you might want to crank it up to 14

hope this helps
alan


Re: [Mimedefang] Tiny Text

2005-05-10 Thread alan premselaar
-ray wrote:
[snip]
No, but I have seen 2.5 points before. :)  Silly question, where would i 
put a new rule like that?  I'm already changing some scores in 
/etc/mail/mimedefang/sa-mimedefang.cf, but not sure where to add a new 
rule.

ray

Ray,
 you should be able to create a file in /etc/mail/spamassassin (or 
where your spamassassin local rules directory is set to) called 
tiny_text.cf (or really anything.cf will work) with your rules and 
scores in them.

otherwise, if you're not comfortable with that or don't know where the 
spamassassin local rules directory is set to, you can just add them to 
the sa-mimedefang.cf file

HTH
alan


Re: [Mimedefang] canonicalize_email error

2005-05-09 Thread Alan Premselaar
Jan Pieter Cornet wrote:
[snip]
sub canonicalize_email ($) {
   my ($email) = @_;
   $email =~ s/^<//;
   $email =~ s/>$//;
   return lc($email);
}
basically all it does is remove any < or > from the email and return it 
in lowercase.

Actually, looking at this code again (with a clear mind) all it does is 
remove a preceding < and a trailing >

if i'm not mistaken, i yanked the code from DFS's Verisign SiteFinder 
checking code that circulated the list awhile back.

Have you considered
RCPT To: aL\ien+foo@mail.12inch.com.
which your mailer could accept as valid and deliver to you (Except
that in your case, you're not accepting mail to the hostname of
your MX, which is good, but in some cases that or something similar
might be configured).

I very specifically do not accept mail for the hostname of my MX server 
(unless it's generated locally) as I don't *ever* use it. (and it's 
prone to changes at any given point in time) ... my experience has been 
that any mail (not locally generated) to [EMAIL PROTECTED] is 100% SPAM.

even if ' aL\ien+foo@mail.12inch.com.' gets passed to sendmail having 
passed thru my filters, if sendmail knows to strip the plussed content 
and handle the \i as an 'i' then it'll still get delivered, but 
SpamAssassin / CLAMAV / etc will still be run on the message.

and [EMAIL PROTECTED] should be rejected.
(I'll have to re-read thru my filter to double check all of this... I've 
pretty much got it in 'set and forget' mode for awhile)

I've got a somewhat monstrous routine that will actually rewrite this
to a canonicalized email address, and it does a loose RFC2821 compliance
check too (somewhat less monstrous than the last chapter of mastering
regular expressions, though).

I wouldn't mind seeing the code if you're planning to share it, although 
I probably won't spend a lot of time/resources implementing it on my 
personal server(s) just yet.

[snip]
alan
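
A fuller canonicalizer for the kind of recipient discussed above, as an added example (it is not Jan's routine, which the thread does not show, and not DFS's code): it strips one enclosing pair of angle brackets, undoes backslash quoting, drops a trailing dot on the domain and can remove +detail. Lower-casing the whole address follows the sub quoted above; the name canonicalize_rcpt, the strip_detail option and every test input except the address from the thread are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Returns the canonical form, or undef when the address cannot be used.
# Option: strip_detail => 1 removes "+detail" from the local part.
sub canonicalize_rcpt {
    my ($email, %opt) = @_;
    return undef unless defined $email;

    $email =~ s/^\s+|\s+$//g;                  # surrounding whitespace
    $email =~ s/^<(.*)>$/$1/s;                 # one enclosing <...> pair only

    # Split at the last @ so an escaped @ stays in the local part.
    my ($local, $domain) =
        $email =~ /^(.*)\@([^\@]*)$/s ? ($1, $2) : ($email, '');

    $local  =~ s/\\(.)/$1/gs;                  # quoted-pair: \i means i
    $local  =~ s/\+.*$//s if $opt{strip_detail};
    $domain =~ s/\.$//;                        # trailing root dot

    # Refuse empty local parts and anything carrying control characters,
    # so the result is safe to use as a lookup key or in a log line.
    return undef if $local eq '';
    return undef if "$local$domain" =~ /[\x00-\x1f\x7f]/;

    return lc($domain eq '' ? $local : "$local\@$domain");
}

# Constructed inputs; the second is the recipient quoted in the thread.
my @tests = (
    '<User@Example.ORG>',
    ' aL\ien+foo@mail.12inch.com.',
    '<postmaster>',
    "<user\n\@example.org>",
    '<>',
);
for my $t (@tests) {
    my $plain = canonicalize_rcpt($t);
    my $nodet = canonicalize_rcpt($t, strip_detail => 1);
    # Show non-printable bytes as \xNN so the table stays readable.
    (my $shown = $t) =~ s/([^\x20-\x7e])/sprintf('\\x%02x', ord $1)/ge;
    printf "%-32s -> %-28s | %s\n", $shown,
        defined $plain ? $plain : '(rejected)',
        defined $nodet ? $nodet : '(rejected)';
}
```

With strip_detail set, the address from the thread comes out as alien@mail.12inch.com; without it the +foo part is kept.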


Re: [Mimedefang] Using Stream_by_recipient

2005-05-06 Thread alan premselaar
Mack wrote:
When i stream by recipient, the email gets discarded and resent to each 
recipient as expected, however the new email doesn't pass through mimedefang 
(specifically filter begin/part/end). This results in not being virus chk/spam 
chk/boilerplated.
It just seems to get sent directly from the queue and not pass back through mimedefang. 

I've tried all sorts, but have not been able to resolve this one.
Somebody must know what i'm doing wrong lol
TIA
Mack

Mack,
 I don't personally use stream_by_recipient, but if I'm not mistaken, 
when the mail gets requeued, it's queued from localhost.

Make sure that you're not skipping checks based on mail originating from 
localhost, as that would pretty much result in the behavior you're seeing.

also, sharing your filter (or at least the relevant parts) may help to 
provide more specific advice.

HTH
alan


Re: [Mimedefang] canonicalize_email error

2005-05-04 Thread alan premselaar
Tim Boyer wrote:
I tried putting in one of the subroutines that David presented at the
Lisa '03 session.  It's got the line
   $recipient = canonicalize_email($recipient);
in filter_recipient.
But when I run it, I get this in the logs:
...snip...
Have I typed it wrong?  Spelled it wrong?

Tim,
 You need to actually define a subroutine called canonicalize_email 
in the filter as well.

mine looks like:
sub canonicalize_email ($) {
    my ($email) = @_;
    $email =~ s/^<//;
    $email =~ s/>$//;
    return lc($email);
}
basically all it does is remove any < or > from the email and return it 
in lowercase.

hope this helps.
alan


Re: [Mimedefang] Foreign Character Sets.

2005-04-18 Thread alan premselaar
Keith Patton wrote:
Yes sendmail accepts it, then it passes it to netscape and it rejects
it.. Funny thing is that sometimes it works, others it doesn't. I have
noticed that nearly all the bounces I have seen have the content in a
foreign character set (Chinese or Korean)...  That is why I asked my
question: could the foreign char set cause problems for MD?

I receive email with the iso-2022-jp and utf-8 character sets without 
any problems.

of course I'm using sendmail 8.13.3 & mimedefang 2.51, non-relay.
previously I had an exchange server that I was relaying for, running 
older versions of sendmail and mimedefang.  I didn't have any problems 
with those either.

Perhaps it's a configuration issue with iplanet?
alan
___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


Re: [Mimedefang] Compliance

2005-04-15 Thread Alan Premselaar
Josh Kelley wrote:
alan premselaar wrote:
I'd be interested in at least looking at it.  Currently I'm using 
procmail for local delivery and its Quota handling is kludgey at best.
I'd really like to get something working within MD.  Since the method 
Jan uses calls the perl module for Quota directly, I don't think 
setting setuid on the quota application will make any difference 
(although I haven't looked at the Quota module code either)

Here you go.  A brief explanation:  we're only really interested in 
checking quotas for students, since faculty/staff don't have quotas.  
Students use their student IDs for their usernames, with 
firstname.lastname set up as an email alias, so we have to check 
aliases.  We test for numeric usernames to see if the account is a 
student (instead of testing something sensible like the account's gid - 
I don't know what I was thinking).  Rather than checking current space 
usage against the message size, as Jan did, we just check to see if the 
user has already exceeded their soft quota and has exceeded their grace 
period (i.e., grace is 'none').  This means that the occasional 
over-the-quota bounce still gets generated (for messages that exceed the 
hard limit before the grace period expires, or for messages so big that 
they exceed the hard limit for users currently below the soft limit).  
This hasn't usually been a problem, but sometime I'll go back and add 
Jan's enhancements - thanks, Jan, for posting your code.
...snip...

Josh,
thanks.  I took some of your code and Jan's code and hacked it all 
together.  I thought about putting in the alias checking as well except 
that a) I use more than one alias database with sendmail and b) 99% of 
my aliases map to more than one user so it's not likely that 
'[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED]' is going to map to a UID to do 
quota checking against.  Even if i traversed the list of real users in 
the alias, i'm still in a single recipient stage, so if one real_user in 
the alias is over quota, it would cause the message to be rejected for 
the alias, which I don't really want to do.

the code's only been written against and tested on RHEL ES3.0 linux.
anyways, I figured I'd share my code:
use Quota;   # provides Quota::getqcarg()

$MAILDIR = "/path/to/mail/directories";
$_QUOTA_CMD = "/path/to/setuid/quota/command";

sub filter_recipient {
    my ($to,$from,$ip,$name,$first,$helo,$rcpt_mailer,$rcpt_host,$rcpt_addr) = @_;
    my $local = ($rcpt_mailer eq 'local');

    # only look up quota for locally delivered recipients
    my @qrval = ('CONTINUE', "ok");
    @qrval = check_quota_info($rcpt_addr) if ($local);
    return(@qrval) if ( $local && lc($qrval[0]) ne 'continue');

    # my greylisting code goes here

    # if this was the only testing done in filter_recipient you
    # could easily just do this:
    #
    # return(check_quota_info($rcpt_addr)) if ($rcpt_mailer eq 'local');
    #
    # and be done with it.
    return('CONTINUE', "ok");
}

sub check_quota_info {
    my ($to) = @_;
    my $uid = getpwnam($to);
    return('CONTINUE', "ok") if (!$uid);  # possible alias
    my $dev = Quota::getqcarg($MAILDIR);
    my ($bc,$bs,$bh,$bt,$fc,$fs,$fh,$ft) = Quota_query($dev,$uid);
    return('CONTINUE', "ok") if ((!defined $bh) || ($bh == 0));

    ## if usage >= limit then perm-fail
    return('REJECT', "Quota exceeded.", '552', '5.2.2') if ($bc >= $bh);

    ## fetch sendmail macros from commands file
    read_commands_file() || return('TEMPFAIL', "Internal error.");
    my $mailsize;
    if (defined $SendmailMacros{msg_size}) {
        ## round up to the next 4k block
        $mailsize = int(($SendmailMacros{msg_size} + 4095) / 4096) + 4;
    } else {
        $mailsize = 4;
    }

    ## if the mail is larger than remaining space, tempfail
    return('TEMPFAIL', "Quota exceeded, try again later", '452', '4.2.2')
        if ($bc + $mailsize > $bh);

    ## else accept
    return('CONTINUE', "ok");
}

sub Quota_query {
    my ($device,$uid) = @_;
    my @retval = ();
    # run the setuid quota helper and keep the line for our device
    my ($mailquota) = grep { /^\s+$device/ } split(/\n/, `$_QUOTA_CMD $uid`);
    # return if user has no defined quotas
    return(@retval) if (!defined $mailquota
        || $mailquota =~ /^Disk quotas .{1,30}: none/);
    $mailquota =~ s/^\s+//;
    @retval = split(/\s{1,6}/, $mailquota);
    shift @retval;  # remove device name from list
    # strip out '*' characters
    foreach my $val (@retval) {
        $val =~ s/\*//g;
    }
    my ($homedir) = (getpwuid($uid))[7];
    # pretend there's no hard limit for user if .forward file exists
    $retval[2] = 0 if (-f "$homedir/.forward");
    return(@retval);
}
I still have the procmail quota kludge setup, so i figure even if some 
stuff sneaks past this code it'll still get a bounce with mailbox full 
status, but this should help nearly eliminate unnecessary bounce 
messages. (which i think is a good idea)

thanks again,
alan
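
A hardened take on the helper call and output parsing from the post above, added here as an example and not the poster's code: the setuid helper is run without a shell, its output is parsed with an anchored pattern, and missing data fails open. The device name, the 1024-byte block size and the sample output are assumptions; the helper path is the post's placeholder.

```perl
#!/usr/bin/perl
# Added example, not the poster's code. The helper path, device name, block
# size and sample output are assumptions made for illustration.
use strict;
use warnings;

my $QUOTA_CMD   = '/path/to/setuid/quota/command';  # placeholder from the post
my $BLOCK_BYTES = 1024;   # assumed unit of the "blocks" column; check your tool

# Run the setuid helper without a shell. The list form of a piped open passes
# $uid as one argv element, and the uid is checked to be numeric first.
sub run_quota {
    my ($uid) = @_;
    return unless defined $uid && $uid =~ /\A\d+\z/;
    local %ENV = (PATH => '/usr/bin:/bin');   # fixed environment for the helper
    open(my $fh, '-|', $QUOTA_CMD, $uid) or return;
    my @lines = <$fh>;
    close($fh);
    return @lines;
}

# Find the line for $device and pull out usage, soft limit and hard limit.
# A trailing '*' on the usage column marks a user over the soft limit.
sub parse_quota {
    my ($device, @lines) = @_;
    for my $line (@lines) {
        next unless $line =~ /^\s*\Q$device\E\s+(\d+)(\*?)\s+(\d+)\s+(\d+)/;
        return { used => $1, over_soft => length($2) ? 1 : 0,
                 soft => $3, hard => $4 };
    }
    return;   # no line for this device: no quota information
}

# Map quota state and message size to a filter_recipient return list.
# Missing data fails open (CONTINUE) so that a broken helper does not reject
# mail; local delivery still enforces the quota afterwards.
sub quota_decision {
    my ($q, $msg_bytes) = @_;
    return ('CONTINUE', 'ok') if !$q || $q->{hard} == 0;
    return ('REJECT', 'Quota exceeded.', '552', '5.2.2')
        if $q->{used} >= $q->{hard};
    # round the message up to whole blocks and add 4 blocks of slack
    my $need = int((($msg_bytes || 0) + $BLOCK_BYTES - 1) / $BLOCK_BYTES) + 4;
    return ('TEMPFAIL', 'Quota exceeded, try again later', '452', '4.2.2')
        if $q->{used} + $need > $q->{hard};
    return ('CONTINUE', 'ok');
}

# Constructed sample of helper output (not captured from a real system).
my @sample = (
    "Disk quotas for user jdoe (uid 1001): \n",
    "     Filesystem  blocks   quota   limit   grace   files   quota   limit   grace\n",
    "      /dev/sda3   9990*    8000   10000   6days     120       0       0\n",
);

# With a uid argument the real helper is called; without one the sample is used.
my @lines = @ARGV ? run_quota($ARGV[0]) : @sample;
my $q = parse_quota('/dev/sda3', @lines);
for my $size (512, 20_000, 0) {
    my @r = quota_decision($q, $size);
    print "$size bytes: @r\n";
}
```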

Re: [Mimedefang] Compliance

2005-04-12 Thread Alan Premselaar
Jan Pieter Cornet wrote:
We're not using it for any compliance testing (mainly because
we're an ISP), but we do use it for other things:
- rejecting on quota exceeded earlier than sendmail detects it
How are you checking quota?  Sounds interesting.

Using the perl interface to quotactl, the Quota module. The big
advantage of this is that we are able to reject at the SMTP level,
based on quota, instead of having mail.local detect the out of
quota condition, and then bounce it. This saves us on average
about 4 or 5 bounces per second (with peaks to more than 10/sec
during some spam runs).
[snip]
On what system do you have this implemented? (linux? kernel?)
I'm playing around with an implementation on RedHat ES 3.0 and the 
problem I'm running into is that MIMEDefang runs as the defang user, 
Quota::query is only allowed to get quota information for other users if 
run as the superuser.

did you run into these kind of issues? do you have a work around?
Thanks for sharing your code/logic and any assistance.
Alan


Re: [Mimedefang] Compliance

2005-04-12 Thread alan premselaar
Jan Pieter Cornet wrote:
[snip]
You probably have direct attached storage on the linux box? Apparently
that makes a difference. As a workaround, you could either run the
mimedefang slaves as root (not recommended) or run a specialised quota
daemon, as root, that can perform the quota queries for you.
ahh, yeah, internal storage ...
the man page for quotactl states that Q_GETQUOTA is privileged which 
makes me believe that (at least for local storage) it would apply to the 
libraries.

i'll try with the quota daemon... thanks
alan


Re: [Mimedefang] Compliance

2005-04-12 Thread alan premselaar
Josh Kelley wrote:
[snip]
We use a setuid copy of /usr/bin/quota to do quota checking on our Red 
Hat server.  (We use a copy rather than making /usr/bin/quota setuid 
since any updates to the quota package would reset the setuid bit.)  
It's probably not the most efficient setup, but I thought that it would 
be simpler than a quota daemon.

I can post my code if anyone's interested, although it's not as fancy as 
Jan's.  For example, we don't do any checking on ESMTP SIZE=, we just 
bounce for people who have exceeded their quota and exceeded their grace 
period.

Josh,
 I'd be interested in at least looking at it.  Currently I'm using 
procmail for local delivery and its Quota handling is kludgey at best.
I'd really like to get something working within MD.  Since the method 
Jan uses calls the perl module for Quota directly, I don't think setting 
setuid on the quota application will make any difference (although I 
haven't looked at the Quota module code either)

Thanks,
alan


Re: [Mimedefang] Compliance

2005-04-07 Thread alan premselaar
Jan Pieter Cornet wrote:
...snip...
Anyway, I consider it a feature :) It makes users more likely to clean
up their act, instead of inadvertently using your system as a rain barrel.
are you using stream_by_recipient to do this? or are you rejecting the 
mail for every recipient if just one of the recipients is over quota?

alan


Re: [Mimedefang] configuring mimedefang

2005-04-06 Thread alan premselaar
Speedy Sweedy wrote:
 
 Ok, based on what you guys are saying in here, I am now only scanning 
 with mimedefang and using it to call clamav.  I've tested my install 
 with the resource from testvirus.org and it catches everything just fine.
 
 How do I get mimedefang to test for spam now?  I have spamassassin 
 installed and mimedefang detected it when i ran ./configure.  The file 
 sa-mimedefang.cf is also in my mail directory, yet it does not call 
 spamassassin.  What am I missing?

You might be missing the documentation.

All kidding aside. you'll need to look thru the
/etc/mail/mimedefang-filter file to see how you have it configured to
call SpamAssassin.

by default I don't think it even writes anything to the syslog unless a
message scores above a certain score. You should put some debugging
calls in to confirm that it's working and then remove them once you're
comfortable with it.

the mimedefang documentation is your friend.

alan


Re: [Mimedefang] Integrating SPF...

2005-03-29 Thread Alan Premselaar
John Von Essen wrote:
[snip]
I am looking into SPF plugin for SA now. Does anyone know how it handles 
domains with no SPF record? I would assume that if no SPF exists, then 
forgeries are not penalized for that domain. Just need to make sure 
before I turn this plugin ON in production.

basically SA handles SPF in the following way (from my experience):
if SPF is nonexistent, no SPF rules fire
if SPF is existent and softfails, an SPF_SOFTFAIL rule fires with very 
few points
if SPF is existent and hardfails, an SPF_HARDFAIL rule fires with 
slightly more points
if SPF is existent and passes, an SPF_PASS rule fires with fairly low 
negative points

overall, the SPF scoring is low enough to have *very minimal* impact and 
is not designed to be used for rejection based on SPF.

One other thing (feel free to email me off list), what is the difference 
between Sender ID and using SPF records? Or are they the same thing 
I like SPF, I like the fact that you control it within your own domain 
via your DNS server. When I hear Microsoft talk about Sender ID I get 
nervous, I envision some type of paid subscription to be listed on some 
central repository that Microsoft controls!
I haven't been following the progress of Sender ID, so I can't offer you 
any information about it. sorry.

HTH
alan


[Mimedefang] interesting problem with SQL backend

2005-03-24 Thread alan premselaar
Today I had an interesting situation.
This is more of an FYI in case anyone else has run into similar 
problems. (cross-posted to MIMEDefang list as well)

I use SpamAssassin with MIMEDefang.
I got notified by one of my users that they were unable to send mail 
suddenly.  after checking the logs I determined that MIMEDefang was 
timing out and returning errors.  the cause for this was very unclear 
(which is why i'm sharing my findings with all of you)...

After digging around (and some assistance from David Skoll on the 
MIMEDefang list) I was able to determine that the problem was caused by 
SpamAssassin not being able to connect to the database server where the 
bayes database is stored. (using MySQL on a remote host)

this caused all sorts of weirdness for no apparently good reason and 
was initially very confusing to diagnose.

The symptoms were:
* mimedefang started to return busy timeout errors.
* when restarting MIMEDefang (with embedded perl enabled) the 
multiplexor wouldn't complete loading and mimedefang wouldn't create the 
socket, causing sendmail to spit out file 
/path/to/mimedefang/socket/file unsafe errors.
* turning off embedded perl would allow mimedefang to start and create 
the socket, but then would spawn multiple instances of mimedefang.pl 
which just hung.
* mimedefang.pl -test and/or mimedefang.pl -features would hang 
indefinitely with no output.

the workaround:
  after determining the problem to be the connection to the SQL server, 
simply setting use_bayes 0 in sa-mimedefang.cf and restarting 
mimedefang resolved the problem. however, this obviously didn't utilize 
the bayes facilities.

the questions:
 I understand that the SQL code for SA is still 'experimental'.  is 
there any way currently to set a forced timeout to connect to the SQL 
server?

is this something I should open a BZ ticket about?
being that I'm definitely not an SQL guru, does anyone have any 
suggestions for configuring a high-availability MySQL server 
configuration that could failover to a backup server should the primary 
one become incapacitated by a low-level hard drive failure?

Currently I have 1 MySQL database server with the bayes databases on it 
(among other databases) and my primary and secondary mail servers both 
make connections to it to check the bayes database.

This may be somewhat specific to the MIMEDefang implementation, but I 
suspect that there is a possibility that this type of behavior could 
have negative impact in other types of SA implementations as well.
again, this is mostly an FYI, but any suggestions are welcome.

Thanks,
Alan


Re: [Mimedefang] Re: mimedefang error mimedefang.sock unsafe??

2005-03-23 Thread alan premselaar
James Ebright wrote:
As far as directories go.. the x bit simply means you can get a directory
listing if you have privileges. For files it turns on execute allowing the
file to be run as a program. I do not believe that should affect the operation
of MimeDefang in any way as MD does not need the x bit on the directory as it
already knows what the files are called and it only needs read write on the
sockets. 

For some reason you are not getting the mimedefang.sock created. I would
double check your config files and make sure you don't have MD trying to create
it elsewhere. You might also want to double check your /var/spool file system
and make sure its not an underlying issue like bad inode, out of space, out of
inodes, etc.
Jim
I just encountered this same problem on a system that has been running 
flawlessly until today.

I was seeing a bunch of
Mar 24 09:44:04 mail mimedefang-multiplexor[21236]: Killing busy slave 
17 (pid 10445): Busy timeout
Mar 24 09:44:04 mail mimedefang[21249]: Error from multiplexor: ERR 
Filter timed out - system may be overloaded (consider increasing busy 
timeout)

and
Mar 24 09:44:24 mail mimedefang[21249]: mfconnect: No free slaves
errors in my mail log.
after trying to restart sendmail and mimedefang I was getting the 
/var/spool/MIMEDefang/mimedefang.sock unsafe! error message and after 
doing some research realized that the file is not being created.

my /var/spool/MIMEDefang directory is a 2GB tmpfs with proper 
permissions and the mimedefang-multiplexor.sock file is properly being 
created.

I'm a little perplexed at this moment as to what could cause it to fail 
seemingly suddenly.

any insight would be extremely useful.
alan


Re: [Mimedefang] Re: mimedefang error mimedefang.sock unsafe??

2005-03-23 Thread alan premselaar
alan premselaar wrote:
[...snip...]
I just encountered this same problem on a system that has been running 
flawlessly until today.

I was seeing a bunch of
Mar 24 09:44:04 mail mimedefang-multiplexor[21236]: Killing busy slave 
17 (pid 10445): Busy timeout
Mar 24 09:44:04 mail mimedefang[21249]: Error from multiplexor: ERR 
Filter timed out - system may be overloaded (consider increasing busy 
timeout)

and
Mar 24 09:44:24 mail mimedefang[21249]: mfconnect: No free slaves
errors in my mail log.
...snip...
any insight would be extremely useful.
alan

So, to reply to my own post, I've been toying around and determined that 
Embedded Perl appears to be the culprit.

I turned off embedded perl and mimedefang.sock is being created properly.
It occurred to me that a friend of mine was having some other issues 
where mimedefang wouldn't start properly with embedded perl turned on 
and kept hanging on the call to SpamAssassin.

I'm running mimedefang 2.49 with Perl 5.8.5 on RedHat EL 3.0 update 4 
along with sendmail 8.13.3

is this a bug?
for the time being I'll upgrade to mimedefang 2.51 and see if that 
changes anything.

also, just for kicks I rebooted the machine (which I know i shouldn't 
have had to do, but i figured if i was having weird memory issues a 
reboot might clear them up) and that had 0 effect on the situation.

Alan


Re: [Mimedefang] Re: mimedefang error mimedefang.sock unsafe??

2005-03-23 Thread alan premselaar
David F. Skoll wrote:
alan premselaar wrote:
So, to reply to my own post, I've been toying around and determined 
that Embedded Perl appears to be the culprit.

That kind of makes sense.  If the multiplexor is very slow to
initialize, mimedefang waits a bit before entering the main loop.
The code looks like this:
[...snip...]
So if the multiplexor is whacked, it can take up to 50*3 seconds, or
a minute and a half for the mimedefang.sock to be created.
This is probably excessive. :-)  I'm thinking 15 iterations around
a loop with a sleep(1) in it is probably better.
Regards,
David.
David,
 the multiplexor appears to be alive however. (as far as I can tell) 
... the socket is created and it's in the process list.  do you have any 
idea what might cause it to be so slow (somewhat suddenly) ?

I also noticed that mimedefang.pl -features hangs as well. I've narrowed 
this down to *something* in my filter.  Although I haven't figured out 
what yet, and nothing in the filter has changed during the period of 
time where everything was working as expected and it stopped working.

I'm stumped.
Alan


Re: [Mimedefang] Re: mimedefang error mimedefang.sock unsafe??

2005-03-23 Thread alan premselaar
David F. Skoll wrote:
alan premselaar wrote:
So, to reply to my own post, I've been toying around and determined 
that Embedded Perl appears to be the culprit.

...snip...
something's *really* hosed.  I copied the mimedefang-filter.example 
file, and just changed the email addresses of the admin and daemon and 
i'm getting the same results.

the problem is the mimedefang.pl -test just hangs...
so, even if i get mimedefang to create the mimedefang.sock file sendmail 
just spawns a bunch of slave mimedefang.pl calls that all hang.

everything was working (untouched) until this morning (JST)
mimedefang.pl -features also just hangs...
any ideas?
alan


Re: [Mimedefang] This mail's for you... NOT!

2005-03-04 Thread alan premselaar
[EMAIL PROTECTED] wrote:
David F. Skoll wrote:
Most of the spam messages that I receive are addresses to
non-existing users... Mailing list I guess...  Can I setup a way to
accept mail for only a list of e-mail addresses?
Yes, there are a number of ways to do this.  Search the list archives
for md_check_against_smtp_server

Alas Exchange tends to accept EVERYTHING and send rejects later.  With later versions of Exchange there's a registry hack to get it to behave properly.

At one point I was using sendmail / mimedefang / etc in front of an 
exchange server (and have since gotten rid of the exchange server 
thankfully) ... at that time I used some sendmail rules to do LDAP 
lookups into the active directory to determine deliverability of mail 
and reject if undeliverable.

We were using Exchange 2000 which didn't have the registry setting.
as far as outgoing mail was concerned, the exchange server was on a 
local subnet (192.168.0.x) and I had the sendmail machine multi-homed.
I just added the IP of the Exchange server into the access database with 
RELAY  and used a mailertable to route incoming mail to the exchange server.

while we were using the exchange server, it worked pretty nicely.
alan


Re: [Mimedefang] Anyone using File::Scan?

2005-02-16 Thread alan premselaar
David F. Skoll wrote:
Hi,
Does anyone use File::Scan with MIMEDefang?  It seems to cause a lot
of problems with false positives.
For the next release, I'm considering removing the auto-detection
of File::Scan.  In other words, if you want File::Scan, you'll have to
specifically ask for it in your filter.
Any objections to this change?
Regards,
David.
I used to use File::Scan on the office mail servers but I got complaints 
 about false positives.  I've since switched to ClamAV.

I still use a combination of File::Scan and ClamAV on my personal mail 
server (where I can be more strict about what types of files are 
accepted as attachments).

I think the change would be good, because up until now, if File::Scan is 
installed, it's used.  I could see a case where it may be installed but 
not desired to be used.

alan


Re: [Mimedefang] Perl help: quarantine and bounce criteria

2005-01-24 Thread alan premselaar
Kenneth Porter wrote:
I've got the following function for bouncing spam/viri in my office 
server. This gets invoked whenever the filter would bounce or discard, 
such as when the spam score is over 10.

If the mail was addressed to a legitimate local mailbox (other than info 
or hostmaster) I want to quarantine instead of drop, but I'm still 
getting quarantines for a single local recipient of info or hostmaster, 
so I've got a bug in that expression I need help with.

sub action_discard_bounce ($) {
   my($message) = @_;
   # don't quarantine if all recipients are @sewingwitch.com
   my $non_sewingwitch =  grep !/[EMAIL PROTECTED]/i, @Recipients;
   # check for only recipient being
   # hostmaster or info (almost certain spam so don't quarantine)
   if ( $non_sewingwitch &&
        ( (scalar @Recipients != 1) ||
          ($Recipients[0] !~ /^(info|hostmaster)[EMAIL PROTECTED]/) )) {
       action_quarantine_entire_message("action_discard_bounce $message");
   }
   if (MTA_is_domain_MX($MyDomain,$RelayAddr)) {
       # don't pester mx backup
       return action_discard();
   } else {
       return action_bounce($message);
   }
}
Kenneth,
  I think something similar has recently come up on the list.  what's 
the actual value of $Recipients[0]?  if it's '[EMAIL PROTECTED]' (no 
quotes) then it won't match, and it'll call 
action_quarantine_entire_message.  (because you're testing for with !~)

hope this helps
alan


Re: [Mimedefang] Need help with filter

2004-12-15 Thread alan premselaar
Ronald Vazquez NLM wrote:
 Hello list:
 
 I have the following code as part of my:
...snip...

 
   my %trustedSubnets = (
 ^^
    # Loopback
    '127.0.0.1'   => '255.255.255.255',
 
    # Home Network
    '192.168.1.0'  => '0.255.255.255',
};
^^^  - this should be );

also I think you also want to replace the => with , above. (my code uses
commas, i'm not sure if the => will work as well or not off the top of
my head)

everything else looked ok to me.

hope this helps

alan

Re: [Mimedefang] Mimedefang - japanese emails

2004-12-11 Thread alan premselaar
Marco Supino wrote:
Hi,
I am running mimedefang (2.48) on solaris, through the milter, and have 
problem with scanning japanese emails, it seems mimedefang strips the 
japanese mime parts,

I don't know where to start in order for this not to happen, and i am 
still new to mimedefang, any help is appreciated.

Marco.
Marco,
  I've been using MIMEDefang (on linux) with japanese emails for a few 
years at least without any specific problems.

can you provide more specific details of the problem? (and possibly 
attach a copy of your filter)

alan


Re: [Mimedefang] Need help with virus notifications

2004-12-10 Thread alan premselaar
Ronald Vazquez NLM wrote:
 Hello:
 
 I have been tasked with configuring MIMEDefang to allow a virus to come in 
 thru the first instance, tag it with X-RrestrictedAttachment to allow our 
 virus scanner to process it.  The idea is that once Trend Micro drops the 
 attachment, we can scan the body with the second instance of MD and drop the 
 virus notification.
 
 Why?  There are some extensions that even though they are stripped, we do 
 notify our users of the action so they can take appropriate action.  This 
 means that we only want to stop notifications for uncleanable attachments.
 
 Does anybody know a better way to accomplish this?  The goal is to avoid 
 notifying our users of every virus-infected email we drop while still 
 notifying them about a VBA file they were waiting for.
 
 Thanks in advance,
 Ronald Vazquez
Ronald,

  It seems to me that because of the nature of most of today's viruses,
you don't want to send any notifications if they tested positive.  Since
often the sender is forged, it's generally a bad idea to notify the
sender.  Since it's a virus, it's not usually something expected by the
recipient anyways, so the notification only adds noise to the end-user's
mailbox.

in the case of a VBA file that gets quarantined or rejected, etc.  that
could be caught with the bad_filename routines (not necessarily a virus)
and you could choose to make notifications separate for those than your
virus handling.  Although I would still caution that rejected
bad_filenames will also hit potential virus attachments and still cause
noise down the line.

As a matter of policy, I reject (550 SMTP reject) any virus infected or
bad_filename emails.  if there's a legitimate user at the other end,
they'll get notification of the failure.  if there isn't, the noise
should be minimal.

hope this is helpful

alan

Re: [Mimedefang] MD 2.48 , SA 3.0001 CHARSET_FARAWAY_HEADERS

2004-11-16 Thread alan premselaar
Paul Murphy wrote:
 Alan,
 
 Check that you are running "spamassassin -D -p
 /etc/mail/spamassassin/sa-mimedefang.cf" or whatever to make sure that MD and
 your manual check are using the same config.  If this is the issue, then
 carefully compare the default SA config with the MD version, and the
 difference should indicate the problem.
 
 Best Wishes,
 
Paul,

  I've only got the sa-mimedefang.cf file in /etc/mail/spamassassin and
i double-checked the debug information from spamassassin -D to confirm
that it was using the same config file.

I appreciate the response however.

alan

Re: [Mimedefang] MD 2.48 , SA 3.0001 CHARSET_FARAWAY_HEADERS

2004-11-16 Thread alan premselaar
Aleksandar Milivojevic wrote:
...snip...
Starting with MD 2.46 (or 2.47?) location of sa-mimedefang.cf was moved 
from /etc/mail/spamassassin to /etc/mail.  Try moving the file, or 
making symbolic link, and see if that is going to make any difference.

sweeet. that was it.  not sure why i missed that, but i did.
thanks for your help
alan


[Mimedefang] MD 2.48 , SA 3.0001 CHARSET_FARAWAY_HEADERS

2004-11-15 Thread alan premselaar
I'm having an interesting problem.
I have:
MD 2.48
SA 3.0x (happens with 3.00 and 3.01)
perl 5.8.5 & 5.6.1 (happens on two separate systems)
RedHat ES 3.0 & RedHat 7.2
when mail passes through MIMEDefang and calls SpamAssassin, even though 
I've got ok_locales and ok_languages set to en ja (to also accept 
japanese mail) mail that comes in with a subject in ISO-2022-JP encoding 
is triggering the CHARSET_FARAWAY_HEADER (and sometimes the 
GAPPY_SUBJECT) rules.  If I run the same mail thru spamassassin -D it 
doesn't trigger these rules.

the Bayes database hasn't been fully trained yet so there's no Bayes 
scoring taking place.

I have MD 2.45 and SA 3.00 running on a RH 9 machine elsewhere with the 
same settings (with regards to language) but not experiencing the same 
problem. (although bayes has been trained on that system)

being unable to duplicate the problem with spamassassin -D makes me 
curious if there is some sort of setting or problem related to language 
handling that i'm missing with the latest version of MIMEDefang.

any help/information is greatly appreciated.
Thanks,
alan


Re: [Mimedefang] Frustration...

2004-11-04 Thread alan premselaar
Lisa,
Lisa Casey wrote:
Hi Folks,
...snip...
I'd also like to drop, bounce, whatever mail that has certain words in the
subject, such as rolex, penis, viagra, etc.
I know I can do the above with MIMEDefang/Spamassassin, but I'll be darned
if I can figure out how. And the more I try to figure it out, it seems, the
more confused I am getting.
You should look at the /etc/mail/mimedefang-filter file (assuming your 
sendmail config directory is /etc/mail, it may be different on your 
system).  hopefully you are familiar with Perl.

Also, I'm not sure how I'm supposed to feed it spam. I have Sendmail/Qpopper
and most of my users pick up their mail using Outlook Express. I understand
I can't just forward spam to a spam mailbox and run sa-learn on that as the
forwarding will not get the original headers.
you could add code in your mimedefang-filter to copy mail scoring (x) 
points to a spam catch-all, although being an ISP you may have privacy 
issue concerns.
There has to be a easy way to learn to use this and get it to do what I want
but I can't really figure it out. Surely there are some other ISP's on these
lists who might be willing to tell me  how they use it.
for your situation, the commercially available CanIT (or CanIT-PRO) may 
be more appropriate. Have you considered it?

alan


Re: [Mimedefang] Re: VERY Newbie Question

2004-10-31 Thread alan premselaar
Jeff Rife wrote:
On 30 Oct 2004 at 0:16, David F. Skoll wrote:

...and the RFC pretty clearly says that an IP address should *never* be
used as the argument to HELO, so that rule *should* reject all e-mail.
Umm... reread his code.

...snip...
Jeff,
  I think what David was trying to point out is that with his code, 
unless the IP is 127.0.0.1 or *IT MATCHES $helo*, the mail will be rejected.

:)
alan


Re: [Mimedefang] Installed Modules

2004-10-28 Thread alan premselaar
Trevor Dodds wrote:
Hi,
 
Can someone please tell me the command that will display all the modules
mimedefang 
is using.  
 
Thanks
Trevor
Trevor,
 I believe what you're looking for is mimedefang.pl -features
alan
___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


Re: [Mimedefang] Spamassassin not using SURBL

2004-10-12 Thread alan premselaar
Kris Deugau wrote:
alan premselaar wrote:
I just recently installed a system with MD 2.45 and SA 3. and
while doing some testing to see if the network tests were running, I
determined that the -C option to spamassassin does not work as
expected.
the man pages are a little hazy about the description,

Hmm.  Seems clear enough to me:
-C path, --configpath=path, --config-file=path
Use the specified path for locating the distributed configuration
files. Ignore the default directories (usually /usr/share/spamassassin
or similar).
you're right, now that I look at them again (and not in the middle of 
the night... it must have been my head that was hazey)  although i still 
contend that --config-file= is a little mis-leading.  I seem to 
remember there actually being an option to specify the config *file* to 
load, not just the directory.  of course i could be hazey here too :)

alan


Re: [Mimedefang] Spamassassin not using SURBL

2004-10-07 Thread alan premselaar
[EMAIL PROTECTED] wrote:
> Graham Dunn wrote:
>> What options are required when running spamassassin from the command
>> line to get the same behaviour as you would see when run in
>> mimedefang?
>
> Other than using -C
> /usr/local/etc/mimedefang/spamassassin/sa-mimedefang.cf
>
> Also should run as the defang user
> su -c spamassassin -C /usr... defang

I just recently installed a system with MD 2.45 and SA 3. and while
doing some testing to see if the network tests were running, I
determined that the -C option to spamassassin does not work as expected.

the man pages are a little hazy about the description, but when i ran
(as defang user)

    spamassassin -D -C /etc/mail/sa-mimedefang.cf

it didn't pick up *ANY* of the default rules located in
/usr/share/spamassassin.  instead it reported the working rule DIRECTORY
was /etc/mail/sa-mimedefang.cf

I haven't had the time (since) to check out bugzilla for SA and see if
this has already been reported, so i haven't filed a bug report yet.

interestingly enough, spamassassin -D (as defang user) picks up my
sa-mimedefang.cf (mostly because in the upgrade from 2.39 to 2.45 I left
sa-mimedefang.cf in /etc/mail/spamassassin and just made
/etc/mail/sa-mimedefang.cf a symlink to it) and it picks up the
/usr/share/spamassassin/*.cf files so everything is hunky-dory.

i tinkered with it so much, i forget what I did to make it start working
the way i expected it to.  I did make sure that all my module
requirements were up to date.  I also ran spamassassin --lint to make
sure I fixed any problems in my .cf files that crept in from the
previous version of SA.

anyways, hope this is useful information.
alan


Re: [Mimedefang] mimedefang-2.45 and dual opteron

2004-09-30 Thread alan premselaar

Bill Maidment wrote:
> I've had mimedefang-2.45 spamassassin-3.0.0 clamav-0.80rc2 running for
> about a week OK on a dual opteron. Then yesterday a friendly bz2 file
> came in as an attachment and clamav threw a fit. I upgraded to
> clamav-0.80rc3 and still had the same problem, so I went back to
> clamav-0.75.1 which handled the bz2 file OK on i386 machine. That's when
> mimedefang stopped working.
>
> I've gone through a myriad of software combinations and just cannot get
> mimedefang to work again. I can't even get the original problem to occur
> again. sendmail/mimedefang just stops on receiving an email as below.
>
> Sep 30 22:51:52 mail mimedefang-multiplexor[2396]: Starting slave 1 (pid
> 2479) (2 running): Bringing slaves up to minSlaves (2)
> Sep 30 22:53:44 mail sendmail[3205]: i8UCrgoP003205:
> from=[EMAIL PROTECTED], size=1244,
> class=0, nrcpts=1, msgid=[EMAIL PROTECTED],
> proto=ESMTP, daemon=MTA, relay=video.maidment.com.au [192.168.2.5]

Bill,
  I've been installing a new machine with MD 2.45, SA 3.0 and clamav
0.75.1 and it was working fine until I added some greylisting code. then
it did the same thing.

it turns out that for some reason it was choking on my use strict;
line.  more specifically it was complaining (during debugging) about
calls to nonexistent subroutines main::sub_routine_name which
actually did exist.

I must have beat my head against the wall for 2 hours debugging this.
I reverted to a previous version of the filter and it started working
again as expected, so i stepped thru changes, etc and finally once I
removed the use strict; line with all my code changes, everything
started to work. (i still need to figure out why that was happening)

anyways, the point (i think) is... check the little things and make sure
you don't have something really little and really obvious taunting you
and causing you problems.

in my case, it would get as far as you show in your log and then the slave
would timeout and die and tempfail.

anyways, probably not much help, but thought i'd share.
alan


Re: [Mimedefang] OFF TOPIC - Need a product to block spyware

2004-09-30 Thread alan premselaar

Johann wrote:
[snip]
> http://fedora.redhat.com/download/
> It is the only thing that will get rid of all the malware you have now,
> including Windows 2000. :-)

a good pair of wire cutters will prevent spyware too.


Re: [Mimedefang] Deadline for SPF records

2004-08-11 Thread alan premselaar

Ben Kamen wrote:
...snip...
> But seriously, it's so easy to set up StartTLS on the client side...

you know, you would think that... but, as an example, Microsoft
Entourage (part of Office 2000) for OS X doesn't support STARTTLS, only 
SSMTP. sure you can use SMTP AUTH, but you'd have to configure your mail 
server to support STARTTLS and SSMTP as well.

as an ISP, you can't be platform biased either. you have to take into 
account every possible mail client that anyone using your servers may 
attempt to use. like it or not.

granted, *I* don't like it... and I pretty much force all my users (of 
my personal domain's mail server) to use SMTP AUTH/STARTTLS, but I only 
have about 14 users, and they don't pay for the service so they know 
it's my way or the highway. (heh) ...

anyways, I've been thru the i want it as secure as possible without 
being too restrictive for what platform/mail client my users choose to 
use thing.  much easier said than implemented.

alan


Re: [Mimedefang] MIMEDefang not scanning for Spam??

2004-08-03 Thread alan premselaar
Sven Schuster wrote:
...snip...

> This rule usually does work, even when I reinject this mail (as present
> in the users mbox) into sendmail (port 25). I also don't have any
> rules to skip spam scanning for certain senders or recipients or the
> like.
> Any idea what's going wrong here??

are you using the mimedefang-filter that's included with MIMEDefang?
what's the size of the email?
chances are that the email is larger than 102400 bytes then SpamAssassin 
checks will be skipped.

hope this helps
alan


Re: [Mimedefang] Sendmail 8.10 and MIMEDefang

2004-08-02 Thread alan premselaar

Kenneth Chan wrote:
> Hi,
> I have a raq4 with sendmail 8.10.  Which is the most recent version that will work
> with sendmail 8.10?  Is there an archive of previous versions available for download?
> Thanks
> Ken.

Kenneth,
 If I'm not mistaken (and this is off the top of my head after a long 
day at work) then sendmail 8.10 doesn't support MILTER which is required 
to run MIMEDefang.  also, apparently some versions of sendmail 8.11 have 
 some MILTER related bugs and it's recommended to use at least sendmail 
8.12 with MIMEDefang.

anyone else on the list can correct me if i'm wrong (please).
hope this helps,
alan


Re: [Mimedefang] Relaying denied

2004-07-22 Thread alan premselaar
Les Mikesell wrote:
> On Thu, 2004-07-22 at 10:24, Vivek Kumar wrote:
>> Yes its gorave not gorav (typo error). I was trying to send it to lists
>> related to mail as I was not getting proper answer for that.
>> Sorry for any inconvenience.
> [snip]
>   Note that by doing this
> you lose the ability to check valid user names as the relay
> server accepts messages.  There has been some recent discussion
> on the list about how to validate via smtp to the delivery
> host.

If forwarding to an MS Exchange server, md_check_against_smtp_server()
won't work as exchange will always accept recipients and then send out
separate user not found emails after the fact.  since this is the case,
you'll want to look into using either LDAP lookups to validate users or
use some scripts to export your valid AD users into a local user table
on the mail gateway.  Both solutions have been discussed on this list.

hope this helps
alan


Re: [Mimedefang] Reversing the process

2004-07-22 Thread alan premselaar
Ashley M. Kirchner wrote:
>    Not that I really want to do this, but I have a mail server right now
> on which I want to remove MIMEDefang all together, and just leave
> sendmail running.  The folks on that machine actually WANT all their
> spam and viruses, so...who the hell am I to tell them no.  So, how do I
> go about reversing the install, and remove MD (which has SA also tied
> into it)?

Ashley,
  It seems like you could just remove any reference to mimedefang in 
the milter definition section of your sendmail.mc and rebuild your 
sendmail.cf file and you should be golden.

alan


Re: [Mimedefang] Globals

2004-07-13 Thread alan premselaar

Rich West wrote:
> Thanks to all of those that responded.
> Based upon all of the ideas, I came up with the following code to do the
> trick.
>
> -Rich
> sub filter_begin () {
> ...
>    %lists = get_lists();
> ...snip...
>   open (LISTS, "/var/mailman/bin/list_lists -b|")
> or die "Could not execute '/var/mailman/bin/list_lists -b'.\n";

my only suggestion is that you do not call die in your filter. it could
cause strange things to happen.  you're better off returning a null hash 
if the open fails.

alan


Re: [Mimedefang] Still outbound messages are getting blocked by s pamassassin

2004-07-09 Thread alan premselaar

[EMAIL PROTECTED] wrote:
>> From: Jim McCullars [mailto:[EMAIL PROTECTED]
>> On Fri, 9 Jul 2004, Vivek Kumar wrote:
>>
>>> Hi Matthew,
>>> I tried both the following syntax you suggested but I got
>>> compilation error.
>>
>>   How about just:
>>   if ($hostip =~ /^191\.0\.(?:0|1)/) {
>>    return(ACCEPT_AND_NO_MORE_FILTERING,OK)
>>   }
>
> That would also match 191.0.12.38, for example.
> This might work though:
> if ($hostip =~ /^(?:191\.0\.(?:0|1)|127\.0\.0)\./) {
>  return(ACCEPT_AND_NO_MORE_FILTERING,OK)
> }

I use a subroutine that allows me to be creative and/or easily expand my 
list of machines/networks that can send email unfiltered. The code had 
been posted to the list awhile back so i'm not going to take credit for 
writing it. I obviously modified it for my own use.

I personally don't use ACCEPT_AND_NO_MORE_FILTERING because I still 
force virus scans of outgoing mail, but i use these tests to bypass the 
SpamAssassin tests as necessary.

hope this helps,
alan
code follows:
-
use Socket;

sub valid_local_network {
    my ($hostip) = @_;
    my $addr           = '';
    my $network_string = '';
    my $mask_string    = '';
    # network address => netmask
    my %exempt_subnets = (
        '127.0.0.0',   '255.0.0.0',
        '192.168.0.0', '255.255.255.0',
        '192.168.1.0', '255.255.255.0',
    );
    $addr = inet_aton $hostip;
    while ( ($network_string, $mask_string) = each %exempt_subnets ) {
        my $network = inet_aton $network_string;
        my $mask    = inet_aton $mask_string;
        # bitwise AND of the packed address and mask gives the network part
        if ( ($addr & $mask) eq $network ) {
            return 1;
        }
    }
    return 0;
}

then in filter_relay you could have:

sub filter_relay ($$$) {
    my ($hostip, $hostname, $helo) = @_;
    if (valid_local_network($hostip)) {
        return('ACCEPT_AND_NO_MORE_FILTERING', "It's from us.");
    }
    # ... other relay tests here
    return('CONTINUE', "");
}
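
The netmask comparison from the message above, generalized to CIDR notation with strict input validation, as an added example (not code from this thread). The names parse_ipv4, compile_cidr and is_exempt_relay and the contents of @EXEMPT_CIDRS are assumptions made for illustration; 191.0.0.0/23 is the 191.0.0.x and 191.0.1.x range the quoted regexes were written for.

```perl
#!/usr/bin/perl
# Added example, not code from the thread. All names here are hypothetical.
use strict;
use warnings;

# Constructed exempt list: loopback plus 191.0.0.0/23, i.e. the 191.0.0.x and
# 191.0.1.x hosts the regexes quoted in the thread were written for.
my @EXEMPT_CIDRS = ('127.0.0.0/8', '191.0.0.0/23');

# Strict dotted-quad parser. Socket::inet_aton() also accepts host names and
# resolves them, so a relay test should not hand it unvalidated input.
sub parse_ipv4 {
    my ($text) = @_;
    return unless defined $text;
    my $octet  = qr/(0|[1-9]\d{0,2})/;            # no leading zeros
    my @octets = $text =~ /\A$octet\.$octet\.$octet\.$octet\z/ or return;
    return if grep { $_ > 255 } @octets;
    return pack('C4', @octets);                   # same 4-byte form inet_aton gives
}

# Turn "a.b.c.d/len" into a packed network and mask; undef for malformed entries.
sub compile_cidr {
    my ($cidr) = @_;
    my ($net_text, $bits) = $cidr =~ m{\A([^/]+)/(\d{1,2})\z} or return;
    return if $bits > 32;
    my $net = parse_ipv4($net_text);
    return unless defined $net;
    my $mask = pack('N', $bits ? (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF : 0);
    return if ($net & $mask) ne $net;             # host bits set: probably a typo
    return { net => $net, mask => $mask };
}

my @COMPILED;
for my $cidr (@EXEMPT_CIDRS) {
    my $entry = compile_cidr($cidr);
    if ($entry) { push @COMPILED, $entry }
    else        { warn "ignoring malformed exempt entry '$cidr'\n" }   # warn, not die
}

# 1 if the relay address lies in an exempt network, 0 otherwise (including
# anything that is not a well-formed IPv4 address).
sub is_exempt_relay {
    my ($hostip) = @_;
    my $addr = parse_ipv4($hostip);
    return 0 unless defined $addr;
    for my $entry (@COMPILED) {
        return 1 if ($addr & $entry->{mask}) eq $entry->{net};
    }
    return 0;
}

# Constructed inputs, compared with the first pattern quoted in the thread.
my $thread_regex = qr/^191\.0\.(?:0|1)/;
for my $ip (qw(191.0.0.7 191.0.1.200 191.0.12.38 191.0.100.1 127.0.0.1 localhost)) {
    printf "%-12s regex=%-3s netmask=%s\n", $ip,
        ($ip =~ $thread_regex ? 'yes' : 'no'),
        (is_exempt_relay($ip)  ? 'yes' : 'no');
}
```

The two columns differ for 191.0.12.38 and 191.0.100.1, which the unanchored pattern accepts and the mask comparison does not.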


Re: [Mimedefang] white listing $senders

2004-07-07 Thread alan premselaar
Jeffrey Goldberg wrote:
[snip...]
> To mimedefang-filter I've added the following two functions
> sub filter_sender {
>   my ($sender, $ip, $hostname, $helo) = @_;
>   return('ACCEPT_AND_NO_MORE_FILTERING', "Sender whitelisted")
>    if is_whitelisted($sender, $ip);
>   return ('CONTINUE', "ok");
> }
> sub is_whitelisted {
>   my ($sender, $ip) = @_;
>   my ($whitelistfile) = '/var/spool/MIMEDefang/whitelist.txt' ;
>   return true if ($ip =~ /^192\.168/ );
>   if(open (WHITELIST,  $whitelistfile )) {
>      @whitelist = <WHITELIST> ;
>      return true if grep { /\b$sender$/i } @whitelist ;
>   }
>   return false;
> }

[snip...]
> I have a couple of questions.
> (1) Other than my forgetting to chomp are there other errors in the code
> that people notice.

One thing I noticed is that you are storing your file in
/var/spool/MIMEDefang.  if you have your system configured as
recommended with /var/spool/MIMEDefang being on a tmpfs or RAMdisk, then
you'll obviously need to have some sort of external way to make sure
this information isn't hosed if you lose power or reboot the machine (etc.)

also, although the file handle should be closed once the script exits,
it's usually good practice (in my opinion) to close your file handles
when you're done with them.

so, in sub is_whitelisted, just before you return you may want to
close(WHITELIST);

if you're only going to whitelist based on senders who publish SPF, you
should (if you haven't already) look into using Mail::SPF::Query.  if
your intention is to whitelist any sender who's publishing SPF records,
then you could probably save yourself a lot of trouble by just
whitelisting based on the results of Mail::SPF::Query as opposed to
keeping a local flat-file.  otherwise you could use the results of
Mail::SPF::Query in conjunction with your flat-file read to determine if
the mail should be scanned or not.

> (2) Will the whitelist file be opened anew with every incoming mail? or
> will it only be opened when the multiplexor starts a slave?

the way you have it configured here, every time filter_sender is called
your whitelist file will be opened.

> (3) If the answer to (2) is every time is there something I can to fix
> that while still keeping the whitelist in an external file?

you may want to consider using embedded perl.  then you could setup your
filehandles in filter_initialize and just reference them as appropriate
in filter_sender.

> (4) I'm using bayes autolearn for spamassassin, if I by-pass spamassassin
> with this whitelisting am I depriving the autolearn system with
> important information?

obviously, any information you don't pass thru the bayes autolearn
facility is depriving it from information. whether or not it's important
information is dependent on the contents of the mail and your auto-learn
criteria.

> I also have a few policy questions.
>  (4) What I'm doing will exempt whitelisted mail not only from defanging,
>  bad extension checks and SpamAssassin, but also from virus scanning.
>  Is that stupid?  Note that at the site in question almost all (but
>  not all) email users are on Linux.  Of the few MS-Windows users,
>  almost everyone (but not everyone) is using a Mozilla based MUA.
>  (But I know that there is at least one Outhouse user still, and
>  that is not going to change).

Firstly,  I personally am a little uneasy with setting up whitelisting
facilities based on fields that could potentially be exploited or
forged. You may want to keep that in mind when setting up your
whitelisting.  I prefer to do my sender whitelisting (per se) based on
SMTP AUTH.  My mail server doesn't have any local senders (i.e. from
the box itself) and is located in a co-lo so there's no local network to
authenticate against.  since all of my users are remote (and world-wide)
the only useful way for me to determine if scanning should be done is by
checking SMTP AUTH.

My policy decisions are such that I scan every piece of mail thru my
server for viruses.  even outgoing mail that has been SMTP AUTH'd.  the
overhead is minimal and it only takes ONE virus mail to cause a problem
so, if you even only have 1 machine that could possibly send a virus,
you're better off scanning than not (in my opinion).

I do, however, skip spam scanning from my authenticated users as i know
my users don't send spam. YMMV

hope this is useful information.
alan
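
One way to act on the points raised in the reply above (chomp the lines, close the handle, do not reopen the file for every message), as an added example that is not code from the thread. The sub names, the file format (one address per line, # for comments) and the sample addresses are assumptions; in a filter, load_whitelist would be called from filter_initialize and refresh_whitelist from filter_sender.

```perl
#!/usr/bin/perl
# Added example, not code from the thread. All sub and variable names are hypothetical.
use strict;
use warnings;
use File::Temp qw(tempfile);

my %WHITELIST;              # lower-cased address => 1
my $WHITELIST_MTIME = 0;    # mtime of the file the hash was built from

# Build the hash from the file. On failure keep the previous list and return 0;
# a filter should log and carry on rather than die.
sub load_whitelist {
    my ($path) = @_;
    my $fh;
    unless (open($fh, '<', $path)) {
        warn "whitelist $path not readable: $!\n";
        return 0;
    }
    my %fresh;
    while (my $line = <$fh>) {
        chomp $line;
        next if $line =~ /^\s*#/ || $line !~ /\S/;   # skip comments and blank lines
        $line =~ s/^\s+|\s+$//g;
        $fresh{ lc $line } = 1;
    }
    my $mtime = (stat $fh)[9] || 0;
    close($fh);
    %WHITELIST       = %fresh;
    $WHITELIST_MTIME = $mtime;
    return 1;
}

# Reload only when the file has changed, so a long-lived slave does not reopen
# and reparse the list for every message.
sub refresh_whitelist {
    my ($path) = @_;
    my $mtime = (stat $path)[9];
    unless (defined $mtime) {
        warn "whitelist $path missing, keeping the list already loaded\n";
        return 0;
    }
    return 1 if $mtime == $WHITELIST_MTIME;
    return load_whitelist($path);
}

# Strip angle brackets if the envelope sender arrives wrapped in them.
sub normalize_sender {
    my ($sender) = @_;
    return '' unless defined $sender;
    $sender =~ s/^\s*<?//;
    $sender =~ s/>?\s*$//;
    return lc $sender;
}

# Exact, case-insensitive lookup. The sender is untrusted input and is never
# interpolated into a pattern. Returns 1 or 0, not the barewords true/false,
# which without "use strict" are both non-empty (true) strings.
sub is_whitelisted {
    my ($sender) = @_;
    my $addr = normalize_sender($sender);
    return 0 unless length $addr;             # the null sender <> never matches
    return exists $WHITELIST{$addr} ? 1 : 0;
}

# Constructed sample list, written to a temporary file so this runs offline.
my ($tmp_fh, $tmp_path) = tempfile(UNLINK => 1);
print {$tmp_fh} "# constructed entries\nAlice\@Example.ORG\n  list-owner\@lists.example.net  \n\n";
close($tmp_fh);

refresh_whitelist($tmp_path);
for my $sender ('<alice@example.org>', '<LIST-OWNER@lists.example.net>',
                '<owner@lists.example.net>', '<>') {
    printf "%-32s %s\n", $sender, is_whitelisted($sender) ? 'whitelisted' : 'filtered';
}
printf "missing file keeps old list: %s\n",
    (!refresh_whitelist("$tmp_path.absent") && is_whitelisted('<alice@example.org>')) ? 'yes' : 'no';
```

Following the policy described in the reply, a match here would be used to skip only the SpamAssassin checks, with virus scanning left on for every message.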


Re: [Mimedefang] file descriptor scope and embedded perl

2004-07-05 Thread alan premselaar

Chris Masters wrote:
> Hi All,
> Since upgrading to the latest MIMEDefang today I have
> bad file descriptor errors - I assume this is an
> embedded perl scope issue.
> So, I currently do the following:
> 1) I do *not* use filter_initialise
> 2) The file descriptor are global and are declared
> *outside* of any function.
> 3) valid connections are made using a 'connection test
> function' within functions called within the 3 main
> filter functions.
> 4) file descriptors are closed in filter_cleanup
> I take it that I shouldn't be doing 2?
> Can/Should I declare *slave* globals in
> filter_initialise?
> Thanks for your help,
> Chris

Chris,
  The documentation for mimedefang-filter specifically states that if
you're using Embedded Perl, you *MUST* use filter_initialize to
initialize variables (such as file descriptors) that need to be seen
across slaves.

with embedded perl, the (outside of any subroutine) global variables are
only initialized once on initial startup, and not on a per-slave basis.

check the mimedefang-filter man pages for more specific information.
hope this helps.
alan


Re: [Mimedefang] block based on outgoing recipient

2004-07-05 Thread alan premselaar

Lucas Albers wrote:
> Would this item; in filter_end exclude all further mail filtering, on mail
> going from localhost to this a particular recipient?
> #in filter_end.
>  if ($recipient =~ /[EMAIL PROTECTED]/) {
> exit;
> }
> Does not appear to be working...

Lucas,
  if you just want to bypass all filtering for mail originating on your
localhost and being sent to a specific recipient, wouldn't using
filter_recipient be more appropriate?

I haven't used it personally, but the pseudo-code could look something like:

sub filter_recipient {
    if (localhost) {
        if ($recipient =~ /[EMAIL PROTECTED]/) {
            return ('ACCEPT_AND_NO_MORE_FILTERING', "ok");
        }
    }
}

** this is pseudocode, it's not meant to run as-is. also, I couldn't
remember the return code off the top of my head, so be sure to
double-check it for accuracy

hope this helps,
alan


Re: [Mimedefang] Mimedefang/Spamassassin/bayesian

2004-02-17 Thread alan premselaar
On 2/17/04 9:31 PM, "Paul Murphy" [EMAIL PROTECTED] wrote:

...snip...
> debug: bayes: 29638 tie-ing to DB file R/O /var/spool/spamassassin/bayes_toks
> debug: bayes: 29638 tie-ing to DB file R/O /var/spool/spamassassin/bayes_seen
> debug: bayes: found bayes db version 2
> debug: bayes: Not available for scanning, only 0 spam(s) in Bayes DB < 200
> debug: bayes: 29638 untie-ing
> debug: bayes: 29638 untie-ing db_toks
> debug: bayes: 29638 untie-ing db_seen
>
> Since we get about 600 incoming messages per day of which around 50 are scored
> 10+, and 20 scored between 5 and 10, I'd expect to see this number be non-zero
> by now

the bayes learning process takes into account the score of the email without
network and whitelist/blacklist scores added.  So, that means that if the
email scored say a 5 or 6 with network tests, but the actual non-network
score is say a 2 or a 3 then it may not be learned automatically (keeping in
mind these figures aren't necessarily accurate, just being used as an
example) ... I recommend checking the docs for SpamAssassin for specifics
about how the bayes learning works.

> The relevant parts of my sa-mimedefang.cf are:
>
> use_bayes 1
> auto_learn 1
> bayes_path /var/spool/spamassassin/bayes
> bayes_file_mode 0666
>
> The bayes stuff looks like this:
>
> localhost:/var/spool/spamassassin# ls -al
> total 24
> drwxr-xr-x    2 root     root         4096 Feb 17 12:29 .
> drwxr-xr-x   14 root     root         4096 Jan 19 17:30 ..
> -rw-rw-rw-    1 defang   root         4096 Jan 19 18:36 bayes_seen
> -rw-rw-rw-    1 defang   root        20480 Jan 19 18:36 bayes_toks
>
> What's missing?

try running sa-learn --dump magic to show you relevant information regarding
the bayes database.

hope this helps

alan

Re: [Mimedefang] Problem running clamd but not clamscan

2004-01-28 Thread alan premselaar
On 1/29/04 1:44 AM, "Ole Craig" [EMAIL PROTECTED] wrote:

> On 01/28/04 at 08:32, 'twas brillig and Scott Harris scrobe:
> Subject: RE: [Mimedefang] Problem running clamd but not clamscan
>
> Scott, et al -
> I had similar issues with clamd versus clamscan (see
> lists.roaringpenguin.com/pipermail/mimedefang/2003-December/018671.html)
> but nobody else seemed to (or at least, nobody responded) and
> I gave up due to lack of time. (Figuring, "I've got a
> solution that works for my current mail load, why fsck with it...")
>
> Ole
> --
>
> I'm tempted to take the same route, except for the fact that
> I noticed the filter time has gone up dramatically:
>
> Scott -
> The problem I had seemed to be that MD wasn't actually talking
> to clamd. (Do you catch the EICAR text file with clamd enabled?) It
> would make sense that MD processed significantly faster if it's not
> incurring the virusscan overhead at all. Maybe we could have someone
> with a working MD-clamd setup try your speed test and report the
> difference in MD time between clamav and clamd...
>
> Ole

Ole,

  I was having the opposite problem.  well, kind of.  I originally
configured my filter to use CLAMAV instead of CLAMD (mostly because the
filter fails and then discards mail if clamd isn't accessible via the
socket), and although it was catching the virus, it wasn't returning any
name into $VirusName.  I configured CLAMD and changed the filter to use
CLAMD and now it's working properly (and returning a value into $VirusName)

I'm not sure how to get the filter times into the syslog like that however,
i'd be willing to help in anyway I can.

alan

[Mimedefang] clamav and $VirusName variable

2004-01-27 Thread alan premselaar
Hi,

 I recently installed clamav 0.65 on my machine (in conjunction with
File::Scan) and I've noticed that occasionally clamav is returning that it's
found a virus, but $VirusName is empty.

any ideas as to why this might be happening? or where to look for this?

i'm pretty sure it's running properly on another machine (where i'm not
using File::Scan) but i can't find any differences in how i'm calling it in
my filter.

thanks in advance,

alan

[Mimedefang] filter timing out

2004-01-20 Thread alan premselaar
I'm sure this has been covered before, but i couldn't find it in the
archives (could just be i'm tired) ...

anyways, lately i've been seeing A LOT of 4.7.1 failures in my log file.
I've got my MIMEDefang spool dir on a tmpfs, and i haven't made any changes
to my filter recently.

Jan 20 17:43:52 uchuu sendmail[16529]: i0K8gKEB016529:
to=[EMAIL PROTECTED], delay=00:01:31, pri=32001, stat=Please try again
later
Jan 20 17:43:52 uchuu mimedefang-multiplexor: Reap: Killed slave 5 (pid
16240) exited due to SIGTERM/SIGKILL as expected.
Jan 20 17:43:52 uchuu mimedefang-multiplexor: Slave 5 resource usage:
req=15, scans=5, user=88.460, sys=0.680, nswap=0, majflt=760, minflt=13997,
maxrss=0, bi=0, bo=0

the machine isn't a powerhouse, but it should still be enough to handle mail
for this domain.. (i don't receive a lot of mail, and i have maybe 12 users)

it's a PII 400Mhz with 384MB of RAM running Redhat 7.3

it doesn't appear to be running out of slaves.  Any known issues with
spamassassin and/or network tests that I might be missing?  (i stopped
subscribing to the SA talk list because there was just too much traffic
daily and I couldn't get thru it all)

anyways, as always, any help is appreciated.

alan