Re: Permission fixup (was RE: [Mimedefang] Quarantine management - anyone else working on this?)
--- David F. Skoll [EMAIL PROTECTED] wrote:
> On Fri, 2 Apr 2004, Paul Murphy wrote:
>
>     system("chmod -R g+rwX $dir");

Perl has its own embedded chmod function. The system call to the shell should be avoided if at all possible, since it does slow things down.

You'd have to write more code since perl's chmod function doesn't give you the option to recursively descend through the directory structure. But I'll bet the Perl Cookbook by Christiansen and Torkington has some code you could appropriate.

=== Al

___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] Quarantine management - anyone else working on this?
On Mon, 12 Apr 2004 09:12:01 -0500 Mike Campbell [EMAIL PROTECTED] wrote:
> When trying to use the new v1.2 quarantine management files there seem to be some syntax errors. I was getting errors in my apache error_log file and when I run 'perl -c quarantine.pl' I get the following errors:
>
> Now none of these prevent the script from running but every time I access the file from the web browser I get similar errors in the error_log file.
> --
> Mike Campbell

Whilst I probably can't really help much, I will just say that I copied and pasted both the files directly from the mail message to the files via ssh onto my mail server. The only thing I did was change the mailing addresses to appropriate ones to my network, adjusted the mail server names as required, and that was that (other than make the files executable of course).

Worked right from the word go for me after I adjusted mimedefang to quarantine to a separate directory... maybe you missed copying a bracket or edited too much perhaps?

Just a thought...

HTH
Pete
RE: [Mimedefang] Quarantine management - anyone else working on this?
Mike,

> When trying to use the new v1.2 quarantine management files there seem to be some syntax errors. I was getting errors in my apache error_log file and when I run 'perl -c quarantine.pl' I get the following errors

I can confirm the warning messages appear on my system as well when run with perl -c, so have corrected them in version 1.3, which is attached.

Best Wishes,
Paul.
__
Paul Murphy
Head of Informatics
Ionix Pharmaceuticals Ltd
418 Science Park, Cambridge, CB4 0PA
Tel. 01223 433741
Fax. 01223 433788
___
DISCLAIMER: This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to which they are addressed. If you have received this email in error please contact the sender or the Ionix IT Helpdesk on +44 (0) 1223 433741
___
quarantine.pl
Description: quarantine.pl
[Mimedefang] Quarantine management - anyone else working on this?
When trying to use the new v1.2 quarantine management files there seem to be some syntax errors. I was getting errors in my apache error_log file and when I run 'perl -c quarantine.pl' I get the following errors:

    [Mon Apr 12 09:11:01 2004] quarantine.pl: Parentheses missing around my list at quarantine.pl line 491.
    [Mon Apr 12 09:11:01 2004] quarantine.pl: Useless use of a variable in void context at quarantine.pl line 491.
    [Mon Apr 12 09:11:01 2004] quarantine.pl: Parentheses missing around my list at quarantine.pl line 529.
    [Mon Apr 12 09:11:01 2004] quarantine.pl: Useless use of private variable in void context at quarantine.pl line 529.
    [Mon Apr 12 09:11:01 2004] quarantine.pl: Name main::group used only once: possible typo at quarantine.pl line 45.

Now none of these prevent the script from running but every time I access the file from the web browser I get similar errors in the error_log file.

--
Mike Campbell
Re: [Mimedefang] Quarantine management - anyone else working on this?
On Mon, 05 Apr 2004 14:20:58 +0100 Paul Murphy [EMAIL PROTECTED] wrote:
> Pete,
>
> Excellent, thanks for the update. If you find any problems with the system, or have any requests for additional features, let me know - I've started a list, and will implement some/all of them eventually. All I would count out at the moment is displaying the decoded attachments, as this is likely to cause security issues, as you'd expect.
>
> Updating the display program to limit the size of the ENTIRE_MESSAGE section is high on my list...
>
> Best Wishes,
> Paul.

No worries Paul. The only thing I can imagine doing at the moment would be to reduce the font size so more fits on the screen, and maybe adding a return link so that after you empty the quarantine, it's a bit easier to return to the main quarantine page. Other than that, it seems to do what I need it to.

Security issues aren't a problem here as it's a home mail server, so there's only 5 email accounts, all of which I'm sort of in control of.

Thanks again Paul,
Pete
RE: [Mimedefang] Quarantine management - anyone else working on this?
Peter,

> I've also had to do some very specific permission changes as the UNIX socket files are also placed into this directory, and changing the perm's on them gives the old unsafe socket error with sendmail.

Yes, that's why I have a completely separate quarantine folder, plus on a busy server where you are quarantining a lot of large messages, in theory the quarantine could fill the disk and kill the mail system.

> When clicking the quarantine folder link, I get this error:
>
>     Unable to open directory /var/spool/MIMEDefang/qdir-2004-02-24-17.20.39-001 at /usr/lib/cgi-bin/quar_display.pl line 110.
>
> The permissions on all the qdir folders are:
>
>     dr--rwx---    2 defang   www-data     4096 Apr  3 11:46 qdir-2004-04-03-11.46.08-001

Odd - this should work if the web user is in the www-data group. The best way to resolve this sort of thing is to use su from root to become the web user, and try to browse the qdir folders. When you have the permissions set correctly, the script will work.

Given that the main quarantine list is OK, the folders must already be accessible, as the main list opens the sender, recipient and headers files from each folder, as well as the entity header files and the message files which say why it was quarantined.

Best Wishes,
Paul.
__
Paul Murphy
Head of Informatics
Ionix Pharmaceuticals Ltd
418 Science Park, Cambridge, CB4 0PA
Tel. 01223 433741
Fax. 01223 433788
Re: [Mimedefang] Quarantine management - anyone else working on this?
On Mon, 05 Apr 2004 10:53:32 +0100 Paul Murphy [EMAIL PROTECTED] wrote:
> Peter,
>
> Yes, that's why I have a completely separate quarantine folder, plus on a busy server where you are quarantining a lot of large messages, in theory the quarantine could fill the disk and kill the mail system.
>
> Odd - this should work if the web user is in the www-data group. The best way to resolve this sort of thing is to use su from root to become the web user, and try to browse the qdir folders. When you have the permissions set correctly, the script will work.
>
> Given that the main quarantine list is OK, the folders must already be accessible, as the main list opens the sender, recipient and headers files from each folder, as well as the entity header files and the message files which say why it was quarantined.
>
> Best Wishes,
> Paul.

Thanks for your reply Paul, much appreciated. You hit the nail right on the head with su'ing as www-data. Believe it or not, I never realised you could su as a system user like that! Every day I learn how much I don't know about Linux...

I su'd as www-data and get permission denied just trying to get into any of the qdir directories within /var/spool/MIMEDefang, so this explains the problem. Rather than try to fix this in its current location and risk screwing up anything, I'll now look into moving my quarantine directory to another location. I did consider this when I initially looked at your scripts, but thought it should be possible right where they are, but I was wrong (again).

I believe the reason I initially got any results at all from quarantine.pl was that I think I looked at that while I was unknowingly receiving unsafe socket errors by making the /var/spool/MIMEDefang directory world writeable. I think it was only after I fixed this that I actually tried entering into the qdir's themselves, and therefore got the error.

Thanks again for that, and hopefully the only response you'll hear next is it's all working in a new directory :-)

Pete
Re: [Mimedefang] Quarantine management - anyone else working on this?
On Mon, 05 Apr 2004 10:53:32 +0100 Paul Murphy [EMAIL PROTECTED] wrote:
> Peter,
>
> Yes, that's why I have a completely separate quarantine folder, plus on a busy server where you are quarantining a lot of large messages, in theory the quarantine could fill the disk and kill the mail system.
>
> Best Wishes,
> Paul.

Hi again Paul,

Just letting you know that you're a legend, it's now all sorted and I can manage my quarantine (now in /var/spool/MD-Quarantine) successfully.

Thanks again for the scripts and your help.

Pete
RE: [Mimedefang] Quarantine management - anyone else working on this?
Pete,

Excellent, thanks for the update. If you find any problems with the system, or have any requests for additional features, let me know - I've started a list, and will implement some/all of them eventually. All I would count out at the moment is displaying the decoded attachments, as this is likely to cause security issues, as you'd expect.

Updating the display program to limit the size of the ENTIRE_MESSAGE section is high on my list...

Best Wishes,
Paul.
__
Paul Murphy
Head of Informatics
Ionix Pharmaceuticals Ltd
418 Science Park, Cambridge, CB4 0PA
Tel. 01223 433741
Fax. 01223 433788

-Original Message-
From: Peter A. Cole [mailto:[EMAIL PROTECTED]
Sent: 05 April 2004 14:00
To: [EMAIL PROTECTED]
Subject: Re: [Mimedefang] Quarantine management - anyone else working on this?

On Mon, 05 Apr 2004 10:53:32 +0100 Paul Murphy [EMAIL PROTECTED] wrote:
> Peter,
>
> Yes, that's why I have a completely separate quarantine folder, plus on a busy server where you are quarantining a lot of large messages, in theory the quarantine could fill the disk and kill the mail system.
>
> Best Wishes,
> Paul.

Hi again Paul,

Just letting you know that you're a legend, it's now all sorted and I can manage my quarantine (now in /var/spool/MD-Quarantine) successfully.

Thanks again for the scripts and your help.

Pete
RE: [Mimedefang] Quarantine management - anyone else working on this?
Looking for a copy of the scripts this thread speaks of, perhaps I can help work out some of the required features... this seems like a viable project to get going. I need to write my own package to manage quarantined attachments and/or emails, and figured rather than try re-inventing the wheel, I could perhaps help improve upon what's already out there.

--
Nathan Vidican
[EMAIL PROTECTED]
Innovative Product Sales
http://www.InnovativeProductSales.com/
RE: [Mimedefang] Quarantine management - anyone else working on this?
Nathan,

See http://lists.roaringpenguin.com/pipermail/mimedefang/2004-April/021509.html

Best Wishes,
Paul.
__
Paul Murphy
Head of Informatics
Ionix Pharmaceuticals Ltd
418 Science Park, Cambridge, CB4 0PA
Tel. 01223 433741
Fax. 01223 433788
RE: [Mimedefang] Quarantine management - anyone else working on this?
OK, here's my code (attached) as it stands at the moment, with some instructions and comments below.

Status
======

This is very much ALPHA code - if you read the source, you'll see that it uses a horrible mix of Perl CGI calls and raw HTML, which is not good style. However, it works, and I'll have time later to carry out some plastic surgery to make it look better. Use it at your own risk - there is no warranty.

Installation
============

Drop the two files into your CGI bin, making sure that they are executable, and owned by the user you run your webserver as, so that they can be executed. Ensure that they cannot be modified by anyone else.

Configure your webserver to include an appropriate CGI handler for Perl code, if it doesn't already have one. On Apache, this should be something like:

    AddHandler cgi-script .cgi .sh .pl

You must also edit the main quarantine.pl script as indicated, so that it uses the correct inbound and outbound e-mail servers - the assumption is that the server running MIMEDefang is a gateway system, which forwards incoming mail to another server, and which optionally forwards outbound mail to a smart host for onward delivery. If your system is an end-node which does direct outbound delivery, set both the local and remote SMTP servers to localhost, and ensure that your mimedefang-filter has a way to skip checks on mail from the local system, otherwise you will re-examine and re-quarantine released messages.

Permissions
===========

MIMEDefang creates its quarantine folders as the defang user (or whatever user you've configured MIMEDefang to run as), which means that your webserver user probably has no access to the quarantine folders. This has to be sorted out before the scripts will work. There are three approaches:

A. Make all of your programs run as the same unprivileged user, such as defang or nobody. While this will work, it can possibly open up all of the systems to compromise if one has a security issue.

B. Patch the MIMEDefang code to force all quarantine folders to be created with full group access (mode 770), and to set the group to something which the web server is a member of, so that full access is granted. This works OK, but has to be re-done every time a new version of MIMEDefang is installed, and is not guaranteed to be future proof.

C. Have a cron job which runs every minute (or whatever interval you prefer) which changes the permissions appropriately. I use this method, running

    chmod -R g+rwx /var/spool/MD-Quarantine

If the permissions are incorrect, the main script will display a warning that it cannot access the folder. Note that if a message has been quarantined after the last run of the cron job, you will not be able to view it until the next cron run has completed.

Functionality
=============

This code is intended to perform five main tasks:

A. Display a summary of the messages which have been quarantined so that the queue can be managed
B. Release messages for delivery if they have been quarantined in error
C. Delete messages which have been quarantined correctly
D. Re-direct messages to IT Support addresses for further inspection or action
E. Allow viewing of the message details wherever possible.

The main display presents a table of messages which are being held in quarantine. These are displayed in date order. The table shows the sender, recipients, subject, the filename of quarantined parts, and the reason for a message being quarantined. Sorting of messages by other field headings is not supported at this time.

When viewing a message, the display program will show a navigation header which lists the files which can be viewed in the quarantine folder. Binary files (from quarantined parts) are not displayed. When an entire message has been quarantined, this can be viewed, but you should be wary of large messages as this could cause difficulties when the file is sent to the browser.

All fields which could contain HTML code are displayed using the XMP formatting tag, which prevents interpretation of the contents as HTML - this tag is supported by most browsers but is described as obsolete, which is a shame since the suggested replacement is PRE, which most browsers treat in the same way as FONT or B, i.e. they change the formatting, but embedded HTML tags are still interpreted. Think of a message which has something nasty in it, either as javascript or something like an image which has a remote CGI script as its source. Since you want to look at the source, we have to stop the HTML being interpreted.

Security
========

These scripts make no effort to authenticate the user who runs them - this is not the job of the script, since the web server is more than capable of doing this for you using any or all of the following:

basic/digest/certificate authentication
SSL
.htaccess files
httpd.conf directives to restrict access by
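
Added example, not part of Paul's message or his scripts: entity-escaping the untrusted text before it goes inside PRE shows the source without relying on the obsolete XMP element, and it also covers content that itself contains a closing </xmp> tag. The function names, the 64 KB display cap and the sample message are assumptions made for this illustration.

```perl
#!/usr/bin/perl
# Added illustration (not from quarantine.pl): render an untrusted header
# or message body as inert text inside <pre>, with a size cap.
use strict;
use warnings;

my %ENTITY = (
    '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
    '"' => '&quot;', "'" => '&#39;',
);

# Replace every character that HTML treats as markup with its entity.
sub escape_html {
    my ($text) = @_;
    $text =~ s/([&<>"'])/$ENTITY{$1}/g;
    return $text;
}

# Return an HTML fragment that displays $raw verbatim.
# $max is a hypothetical display cap in bytes (default 64 KB), so that a
# large ENTIRE_MESSAGE is cut off before it is sent to the browser.
sub render_field {
    my ($raw, $max) = @_;
    $max = 65536 unless defined $max;
    my $truncated = length($raw) > $max;
    $raw = substr($raw, 0, $max) if $truncated;
    # Control characters other than tab, LF and CR are shown as '?'.
    $raw =~ s/[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/?/g;
    my $html = '<pre>' . escape_html($raw) . '</pre>';
    $html .= "\n<p>[display truncated at $max bytes]</p>" if $truncated;
    return $html;
}

# Constructed sample message text (not taken from a real quarantine).
my $sample = join "\n",
    'Subject: constructed sample',
    '',
    '<b>bold</b> <img src="http://example.invalid/x.cgi">',
    'a line that would end an XMP wrapper early: </xmp><i>markup</i>';

print render_field($sample), "\n";        # whole sample, fully escaped
print render_field($sample, 40), "\n";    # same sample with a 40-byte cap
```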
Permission fixup (was RE: [Mimedefang] Quarantine management - anyone else working on this?)
On Fri, 2 Apr 2004, Paul Murphy wrote:
> B. Patch the MIMEDefang code to force all quarantine folders to be created with full group access (mode 770), and to set the group to something which the web server is a member of, so that full access is granted.

There's another option, (D): Add this to filter_end:

    if ($QuarantineCount > 0 || $EntireMessageQuarantined) {
        my $dir = get_quarantine_dir();
        system("chmod -R g+rwX $dir");
    }

Regards,
David.
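
Added example, not code from David, Al or the MIMEDefang distribution: option (D) done with Perl's own chmod and File::Find, as Al's reply in this thread suggests, so that no shell is started and the directory name is never interpolated into a command line. The function name fixup_group_perms and the temporary test tree are assumptions; get_quarantine_dir, $QuarantineCount and $EntireMessageQuarantined are the names used in David's snippet.

```perl
#!/usr/bin/perl
# Added illustration: the equivalent of "chmod -R g+rwX DIR" without a shell.
use strict;
use warnings;
use File::Find;
use File::Temp 'tempdir';
use Fcntl ':mode';

# Walk $top and add group read/write everywhere, plus group execute on
# directories and on files that already have an execute bit (the meaning
# of the capital X). Symlinks are skipped, never followed.
# Returns the number of entries whose mode was changed.
sub fixup_group_perms {
    my ($top) = @_;
    my $changed = 0;
    find({
        no_chdir => 1,
        wanted   => sub {
            my $path = $File::Find::name;
            my @st = lstat($path) or return;
            return if S_ISLNK($st[2]);
            my $mode = S_IMODE($st[2]);
            my $new  = $mode | S_IRGRP | S_IWGRP;
            $new |= S_IXGRP
                if S_ISDIR($st[2]) || ($mode & (S_IXUSR | S_IXGRP | S_IXOTH));
            return if $new == $mode;
            if (chmod($new, $path)) { $changed++ }
            else                    { warn "chmod $path: $!\n" }
        },
    }, $top);
    return $changed;
}

# In mimedefang-filter the call would sit in filter_end, in place of the
# system() line:
#     fixup_group_perms(get_quarantine_dir())
#         if $QuarantineCount > 0 || $EntireMessageQuarantined;

# Stand-alone run on a constructed temporary tree.
my $top  = tempdir(CLEANUP => 1);
my $qdir = "$top/qdir-constructed";
mkdir $qdir, 0700 or die "mkdir: $!";
open my $fh, '>', "$qdir/HEADERS" or die "open: $!";
close $fh;
chmod 0600, "$qdir/HEADERS";

my $n = fixup_group_perms($top);
print "changed $n entries\n";
printf "%04o %s\n", S_IMODE((lstat($_))[2]), $_ for $qdir, "$qdir/HEADERS";
```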
RE: Permission fixup (was RE: [Mimedefang] Quarantine management - anyone else working on this?)
> There's another option, (D): Add this to filter_end:
>
>     if ($QuarantineCount > 0 || $EntireMessageQuarantined) {
>         my $dir = get_quarantine_dir();
>         system("chmod -R g+rwX $dir");
>     }

Excellent, thanks David!

Best Wishes,
Paul.
__
Paul Murphy
Head of Informatics
Ionix Pharmaceuticals Ltd
418 Science Park, Cambridge, CB4 0PA
Tel. 01223 433741
Fax. 01223 433788
Re: [Mimedefang] Quarantine management - anyone else working on this?
On Fri, 02 Apr 2004 12:52:46 +0100 Paul Murphy [EMAIL PROTECTED] wrote:
> OK, here's my code (attached) as it stands at the moment, with some instructions and comments below.

Hi Paul, thanks for the code!!

After getting around my lack of knowledge with cgi scripts in apache, I've got it going. I'd always wondered how I should go about cleaning up the quarantine directory...

The only thing I had to do (other than the mail server names and associated email addresses as you specified) was to change the quarantine directory to /var/spool/MIMEDefang as the Debian Sarge packages change these from the defaults. I've also had to do some very specific permission changes as the UNIX socket files are also placed into this directory, and changing the perm's on them gives the old unsafe socket error with sendmail.

I do have one problem, and I've tried my darndest not to bother you with the query, but I'm stuck. When clicking the quarantine folder link, I get this error:

    Unable to open directory /var/spool/MIMEDefang/qdir-2004-02-24-17.20.39-001 at /usr/lib/cgi-bin/quar_display.pl line 110.

The permissions on all the qdir folders are:

    dr--rwx---    2 defang   www-data     4096 Apr  3 11:46 qdir-2004-04-03-11.46.08-001

Please tell me if I'm doing something stupid, and if you don't have time to look at this, I'll certainly understand as this has been done off your own bat and you're doing your best just to do us all a favour :-)

Thanks again Paul,
Pete
[Mimedefang] Quarantine management - anyone else working on this?
Hi,

I've been working on a CGI program to assist with managing the quarantine folders, which is now working but nowhere near ready for public inspection.

The system consists of two Perl CGI scripts - one to display the message details for all quarantined messages (and to approve/delete them) and the other to inspect the quarantined message, and a cron job to sort out the permissions on the qdirs so that the CGI scripts can read the files.

Before I invest too much time in this, is there anything else out there to assist with this task?

Best Wishes,
Paul.
__
Paul Murphy
Head of Informatics
Ionix Pharmaceuticals Ltd
418 Science Park, Cambridge, CB4 0PA
Tel. 01223 433741
Fax. 01223 433788
RE: [Mimedefang] Quarantine management - anyone else working on
EOF
---

The qdirhelper script:

    rm -r -f "$1"

The qdirhelper script needs to be listed in sudoers:

    apache ALL= NOPASSWD:/usr/local/bin/qdirhelper

I think that does it. Let me know if there are any questions. Be aware that I use the digest feature of this list, so I might not answer right away.

Troy Carpenter
[EMAIL PROTECTED]

-Original Message-
Date: Thu, 1 Apr 2004 11:31:59 +0100
From: Paul Murphy [EMAIL PROTECTED]
Subject: [Mimedefang] Quarantine management - anyone else working on this?
To: [EMAIL PROTECTED]
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain; charset=us-ascii

Hi,

I've been working on a CGI program to assist with managing the quarantine folders, which is now working but nowhere near ready for public inspection.

The system consists of two Perl CGI scripts - one to display the message details for all quarantined messages (and to approve/delete them) and the other to inspect the quarantined message, and a cron job to sort out the permissions on the qdirs so that the CGI scripts can read the files.

Before I invest too much time in this, is there anything else out there to assist with this task?

Best Wishes,
Paul.
__
Paul Murphy
Head of Informatics
Ionix Pharmaceuticals Ltd
418 Science Park, Cambridge, CB4 0PA
Tel. 01223 433741
Fax. 01223 433788
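
Added example, not Troy's script: because the sudoers entry lets the web server user run qdirhelper as root with any argument, the helper is the place to check that the argument really names a quarantine directory before anything is deleted. This is a Perl rewrite written for illustration; the quarantine root (the /var/spool/MD-Quarantine path mentioned earlier in the thread), the function name validated_qdir and the no-argument self-check are assumptions, and the name pattern follows the qdir-2004-04-03-11.46.08-001 form quoted above.

```perl
#!/usr/bin/perl
# Added illustration: a qdirhelper that removes only qdir-* directories
# located directly under one fixed quarantine root.
use strict;
use warnings;
use Cwd 'realpath';
use File::Path 'remove_tree';
use File::Temp 'tempdir';

my $QROOT = '/var/spool/MD-Quarantine';   # assumed quarantine root

# Return the canonical path when $arg names a real directory
# "$root/qdir-YYYY-MM-DD-HH.MM.SS-NNN"; return nothing otherwise.
sub validated_qdir {
    my ($root, $arg) = @_;
    return unless defined $arg;
    $arg =~ s{\A\Q$root\E/}{};            # accept "root/name" or bare "name"
    return unless $arg =~ /\A(qdir-\d{4}-\d\d-\d\d-\d\d\.\d\d\.\d\d-\d{3})\z/;
    my $name = $1;
    my $path = "$root/$name";
    return if -l $path;                   # a symlink is never accepted
    return unless -d $path;
    my ($real, $real_root) = (realpath($path), realpath($root));
    return unless defined $real && defined $real_root;
    return unless $real eq "$real_root/$name";
    return $real;
}

if (@ARGV) {
    # Normal use: one argument, as passed by the CGI script through sudo.
    my $dir = validated_qdir($QROOT, $ARGV[0])
        or die "qdirhelper: refusing to remove '$ARGV[0]'\n";
    remove_tree($dir, { safe => 1, error => \my $err });
    exit(@$err ? 1 : 0);
}

# No argument: run the check against a constructed temporary root.
my $tmp  = tempdir(CLEANUP => 1);
my $good = 'qdir-2004-04-03-11.46.08-001';
mkdir "$tmp/$good" or die "mkdir: $!";
for my $arg ($good, "$tmp/$good", 'qdir-2004-04-03-11.46.08-999',
             "$good/..", '../etc', '-rf', '') {
    printf "%-50s %s\n", "'$arg'",
        validated_qdir($tmp, $arg) ? 'accept' : 'refuse';
}
```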