[Mimedefang] md_check_against_smtp_server
Hello, I am using our external mail box to ask our internal server for valid users. I have mimedefang doing this now, I am just unsure on how I tell mimedefang to reject or tempfail invalid users. I am using the stock filter from the man page. Any examples would be very useful. sub filter_recipient { my($recip, $sender, $ip, $host, $first, $helo, $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_; return md_check_against_smtp_server($sender, $recip, "external","internal"); } I can see the entries in the log asking the internal server for valid users and it responding back if they are unknown. Gord ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
[Mimedefang] md_check_against_smtp_server
Hi I'm trying to use md_check_against_smtp_server to check the email recipient against valid users on another mail server. The problem I have is that invalid recipients cause the incoming email to continually bounce between my two mail servers. Valid recipients work fine! Any clues as to what I've missed/got wrong? I have this in sendmail.mc on the other mail server. Could this be the cause? define(`SMART_HOST',`mail.maidment.com.au') mimedefang-filter snippet and email sample follow: #*** sub filter_recipient ($) { my($recip, $sender, $ip, $host, $first, $helo, $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_; return md_check_against_smtp_server($sender, $recip, "mail.maidment.com.au", "video.maidment.com.au"); } >Date: Mon, 2 Aug 2004 15:15:07 +1000 >>From: Mail Delivery Subsystem <[EMAIL PROTECTED]> >>To: <[EMAIL PROTECTED]> >>Subject: Returned mail: see transcript for details >>Auto-Submitted: auto-generated (failure) >>X-Spam-Score: -0.074 () BAYES_01,IS_A_BOUNCE,L_hR_NOREPLY,MY_BOUNDARY3,MY_MTPARENS >>X-Scanned-By: MIMEDefang 2.42 >>X-Scanned-By: MIMEDefang 2.45 >> >>The original message was received at Mon, 2 Aug 2004 15:13:33 +1000 >from mail.maidment.com.au [192.168.2.2] >> >> - The following addresses had permanent fatal errors - >><[EMAIL PROTECTED]> >>(reason: 554 5.4.6 Too many hops) >>(expanded from: <[EMAIL PROTECTED]>) >> >> - Transcript of session follows - >>554 5.4.6 Too many hops 26 (25 max): from <[EMAIL PROTECTED]> via localhost, to <[EMAIL PROTECTED]> >>Reporting-MTA: dns; video.maidment.com.au >>Arrival-Date: Mon, 2 Aug 2004 15:13:33 +1000 >> >>Final-Recipient: RFC822; [EMAIL PROTECTED] >>X-Actual-Recipient: RFC822; [EMAIL PROTECTED] >>Action: failed >>Status: 5.4.6 >>Diagnostic-Code: SMTP; 554 5.4.6 Too many hops >>Last-Attempt-Date: Mon, 2 Aug 2004 15:15:07 +1000 >>Return-Path: <[EMAIL PROTECTED]> >>Received: from mail.maidment.com.au (mail.maidment.com.au [192.168.2.2]) >> by video.maidment.com.au (8.13.0/8.13.0) with ESMTP id i725DXwF032594 >> for <[EMAIL PROTECTED]>; Mon, 2 Aug 2004 15:13:33 +1000 >>Received: from video.maidment.com.au (video.maidment.com.au [192.168.2.5]) >> by mail.maidment.com.au (8.13.0/8.13.0) with ESMTP id i725DRBR013005 >> for <[EMAIL PROTECTED]>; Mon, 2 Aug 2004 15:13:27 +1000 >>Received: from mail.maidment.com.au (mail.maidment.com.au [192.168.2.2]) >> by video.maidment.com.au (8.13.0/8.13.0) with ESMTP id i725DV5U032585 >> for <[EMAIL PROTECTED]>; Mon, 2 Aug 2004 15:13:31 +1000 etc... ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
[Mimedefang] md_check_against_smtp_server
md_check_against_smtp_server($sender, $rcpt_addr, $MyFilterHostName, $rcpt_host);aid: $msg. So I have started to use md_check and it's sort of working. It appears to be checking the internal server and getting the right results, the problem, large problem, is the system appears to be bouncing after the fact, vs return action_bounce, where my front end server would tell the connecting host, to go fly a kite, not a valid user. I don't want to accept and bounce, that is the point of this option, but that's what it's doing. Or it's in fact not working correctly, however my unix front ending a 2003 server, would not show user unknowns in the mail log, that the exchange server would only know about if it was not doing the checks. So I have to believe that my unix host is making the call to the internal server and getting the OK (it then sends) or user unknown and it starts it's little bounce process, instead of rejecting during the smtp session.. What's going on? How Is this suppose to work, I need upon a "user unknown", to action_bounce, not REJECT (which appears to be an accept and bounce and that is unacceptable. Any idea what I'm doing wrong, is there a way to change the behaviour? Thanks Tory Using Larry Schumacher's example. sub filter_initialize { require DB_File; use Fcntl; tie %relaydomains, "DB_File", "/etc/mail/mailertable.db", O_RDONLY; } sub filter_recipient { my($recip, $sender, $ip, $host, $first, $helo, $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_; ($user,$domain) = split /\@/, $recip; if( $relaydomains{$domain} =~ /^smtp:\[(.+)\]/){ return md_check_against_smtp_server($sender, $recip, "mymailhost", $1); } else { return ("CONTINUE", "OK"); } } ___ Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
[Mimedefang] md_check_against_smtp_server
If the host you're checking against, in md_check_against_smtp_server(), is using a Greet_Pause, how long will md_check_against_smtp_server wait()? Does it wait for as long as it needs to? does it timeout in less than 30 seconds? Some other timeout value? Can I set the timeout? ___ Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
[Mimedefang] md_check_against_smtp_server
I'd like to thank everyone who replied to my recent query regarding md_check_against_smtp_server. The end result is now working beautfifully and inspired by the replies I am looking into caching the lookup results. I'd like to wish everyone here seasons felicitations. All the best for 2015 ! Regards jON ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
[Mimedefang] md_check_against_smtp_server question
I believe md_check_against_smtp_server will TEMPFAIL if the server trying to be queried cannot be reached. Since I am implementing this on the Backup MX, I NEED it to queue if it can't be reached. I was thinking that one parameter could be added to allow for this and I've worked up the following code for comment: http://www.peregrinehw.com/downloads/MIMEDefang/contrib/md_check_disable_tempfail_patch --- mimedefang.pl.inWed Mar 24 22:47:58 2004 +++ mimedefang.pl.KAM Thu Apr 1 11:21:35 2004 @@ -6227,7 +6227,7 @@ # HELO / MAIL FROM: / RCPT TO: / QUIT sequence #*** sub md_check_against_smtp_server () { -my($sender, $recip, $helo, $server) = @_; +my($sender, $recip, $helo, $server, $notempfail) = @_; my($code, $text, $dsn, $retval); # Add angle-brackets if needed @@ -6243,8 +6243,14 @@ PeerPort => 'smtp(25)', Proto=> 'tcp', Timeout => 15); + if (!defined($sock)) { - return ('TEMPFAIL', "Could not connect to other SMTP server: $!"); +if ($notempfail) { +#tempfail disabled - continue regardless +return ('CONTINUE', "Accepting Message: TEMPFAIL Disabled & could not connect to other SMTP server: $!", 250, "2.1.5"); +} else { +return ('TEMPFAIL', "Could not connect to other SMTP server: $!"); +} } ($retval, $code, $dsn, $text) = get_smtp_return_code($sock); regards, KAM ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server
Since I do secondary for some domains, I wanted to check if those servers are up and otherwise accept the mail for queuing. I'll probably add a hash to make things easier rather than a REALLY long # of if loops. sub filter_recipient { my($recip, $sender, $ip, $host, $first, $helo, $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_; my($answer, $explanation); if ($recip =~ /luselaw.com/i) { ($answer, $explanation) = md_check_against_smtp_server($sender, $recip, "intel1.peregrinehw.com", "mail.luselaw.com"); if ($answer eq 'TEMPFAIL') { $answer = 'CONTINUE'; } return ($answer, $explanation); } if ($recip =~ /mmri.com/i) { ($answer, $explanation) = md_check_against_smtp_server($sender, $recip, "intel1.peregrinehw.com", "mail.mmri.com"); if ($answer eq 'TEMPFAIL') { $answer = 'CONTINUE'; } return ($answer, $explanation); } ... etc ... return ('CONTINUE', "ok"); } - Original Message - From: <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Wednesday, May 19, 2004 12:35 PM Subject: [Mimedefang] md_check_against_smtp_server > Hello, > > I am using our external mail box to ask our internal server for valid > users. I have mimedefang doing this now, I am just unsure on how I tell > mimedefang to reject or tempfail invalid users. I am using the stock > filter from the man page. Any examples would be very useful. > > sub filter_recipient > { > my($recip, $sender, $ip, $host, $first, $helo, > $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_; > return md_check_against_smtp_server($sender, $recip, > "external","internal"); > } > > I can see the entries in the log asking the internal server for valid > users and it responding back if they are unknown. > > Gord > > > ___ > Visit http://www.mimedefang.org and http://www.canit.ca > MIMEDefang mailing list > [EMAIL PROTECTED] > http://lists.roaringpenguin.com/mailman/listinfo/mimedefang > ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server
On Mon, Aug 02, 2004 at 05:41:19PM +1000, Bill Maidment wrote: > I'm trying to use md_check_against_smtp_server to check the email > recipient against valid users on another mail server. > > The problem I have is that invalid recipients cause the incoming email > to continually bounce between my two mail servers. Valid recipients work > fine! > > Any clues as to what I've missed/got wrong? Wild guess: have you enabled filter_recipient processing by running mimedefang with the "-t" option? (or by specifying MX_RECIPIENT_CHECK="yes" in the appropriate startup script). > I have this in sendmail.mc on the other mail server. Could this be the > cause? > > define(`SMART_HOST',`mail.maidment.com.au') That is only one of the causes, probably. You can use a smarthost, however. > mimedefang-filter snippet and email sample follow: > > #*** > > > sub filter_recipient ($) { > my($recip, $sender, $ip, $host, $first, $helo, > $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_; > return md_check_against_smtp_server($sender, $recip, > "mail.maidment.com.au", > "video.maidment.com.au"); > } You are testing here against the recipient given by the external relay. I noticed in the headers below that you are actually forwarding to [EMAIL PROTECTED] You might want to make the same translation before checking, by adding: $recip =~ s/\@(mail\.)?maidment\.com\.au/[EMAIL PROTECTED]/i; ... or something similar. > >> - The following addresses had permanent fatal errors - > >><[EMAIL PROTECTED]> > >>(reason: 554 5.4.6 Too many hops) > >>(expanded from: <[EMAIL PROTECTED]>) > >> > >> - Transcript of session follows - > >>554 5.4.6 Too many hops 26 (25 max): from > > <[EMAIL PROTECTED]> via localhost, > to <[EMAIL PROTECTED]> > > >>Reporting-MTA: dns; video.maidment.com.au > >>Arrival-Date: Mon, 2 Aug 2004 15:13:33 +1000 > >> > >>Final-Recipient: RFC822; [EMAIL PROTECTED] > >>X-Actual-Recipient: RFC822; [EMAIL PROTECTED] > >>Action: failed > >>Status: 5.4.6 > >>Diagnostic-Code: SMTP; 554 5.4.6 Too many hops > >>Last-Attempt-Date: Mon, 2 Aug 2004 15:15:07 +1000 > >>Return-Path: <[EMAIL PROTECTED]> > >>Received: from mail.maidment.com.au (mail.maidment.com.au [192.168.2.2]) > >>by video.maidment.com.au (8.13.0/8.13.0) with ESMTP id i725DXwF032594 > >>for <[EMAIL PROTECTED]>; Mon, 2 Aug 2004 15:13:33 +1000 > >>Received: from video.maidment.com.au (video.maidment.com.au > [192.168.2.5]) > >>by mail.maidment.com.au (8.13.0/8.13.0) with ESMTP id i725DRBR013005 > >>for <[EMAIL PROTECTED]>; Mon, 2 Aug 2004 15:13:27 +1000 > >>Received: from mail.maidment.com.au (mail.maidment.com.au [192.168.2.2]) > >>by video.maidment.com.au (8.13.0/8.13.0) with ESMTP id i725DV5U032585 > >>for <[EMAIL PROTECTED]>; Mon, 2 Aug 2004 15:13:31 +1000 Apparently you are rewriting to [EMAIL PROTECTED] If this works for known users, then maybe you added those users to something like virtusertable? If so, maybe you forgot to add the catch-all entry at the end of virtusertable, saying: @[192.168.2.5] error:"5.1.1" No such user -- #!perl -wpl # mmfppfmpmmpp mmpffm <[EMAIL PROTECTED]> $p=3-2*/[^\W\dmpf_]/i;s.[a-z]{$p}.vec($f=join('',$p-1?chr(sub{$_[0]*9+$_[1]*3+ $_[2]}->(map{/p|f/i+/f/i}split//,$&)+97):qw(m p f)[map{((ord$&)%32-1)/$_%3}(9, 3,1)]),5,1)='`'lt$&;$f.eig;# Jan-Pieter Cornet ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server
Jan Pieter Cornet wrote: On Mon, Aug 02, 2004 at 05:41:19PM +1000, Bill Maidment wrote: I'm trying to use md_check_against_smtp_server to check the email recipient against valid users on another mail server. Wild guess: have you enabled filter_recipient processing by running mimedefang with the "-t" option? (or by specifying MX_RECIPIENT_CHECK="yes" in the appropriate startup script). MX_RECIPIENT_CHECK="yes" is set You are testing here against the recipient given by the external relay. I noticed in the headers below that you are actually forwarding to [EMAIL PROTECTED] You might want to make the same translation before checking, by adding: $recip =~ s/\@(mail\.)?maidment\.com\.au/[EMAIL PROTECTED]/i; I didn't deliberately rename to [192.168.2.5], maybe something to do with SRS or something I did in sendmail that I've forgotten about. But that was part of the problem. Apparently you are rewriting to [EMAIL PROTECTED] If this works for known users, then maybe you added those users to something like virtusertable? If so, maybe you forgot to add the catch-all entry at the end of virtusertable, saying: @[192.168.2.5] error:"5.1.1" No such user Yep. This was the biggy. I didn't move my /etc/mail/access rules from the external server to the internal server, so there was no catch-all. Many thanks for your help. Cheers Bill ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server
Jan Pieter Cornet wrote: You are testing here against the recipient given by the external relay. I noticed in the headers below that you are actually forwarding to [EMAIL PROTECTED] You might want to make the same translation before checking, by adding: $recip =~ s/\@(mail\.)?maidment\.com\.au/[EMAIL PROTECTED]/i; ... or something similar. - The following addresses had permanent fatal errors - <[EMAIL PROTECTED]> (reason: 554 5.4.6 Too many hops) (expanded from: <[EMAIL PROTECTED]>) This turned out to be bug in sendmail-8.13.0 (fixed in 8.13.1) ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server
Bill Maidment wrote: Jan Pieter Cornet wrote: You are testing here against the recipient given by the external relay. I noticed in the headers below that you are actually forwarding to [EMAIL PROTECTED] You might want to make the same translation before checking, by adding: $recip =~ s/\@(mail\.)?maidment\.com\.au/[EMAIL PROTECTED]/i; ... or something similar. - The following addresses had permanent fatal errors - <[EMAIL PROTECTED]> (reason: 554 5.4.6 Too many hops) (expanded from: <[EMAIL PROTECTED]>) This turned out to be bug in sendmail-8.13.0 (fixed in 8.13.1) Replying to myself. No it wasn't!!! I was confusing mail logs with mail headers. The apparent forwarding is from the define(`MAIL_HUB', `[192.168.2.5]') statement in sendmail.mc ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server
Bill Maidment wrote: Hi I'm trying to use md_check_against_smtp_server to check the email recipient against valid users on another mail server. The problem I have is that invalid recipients cause the incoming email to continually bounce between my two mail servers. Valid recipients work fine! OK. I've finally found the last problem. I had, for some strange reason, set LUSER_RELAY in the sendmail.mc on the internal server, to point to the external server. Once that was removed, and I added the renaming host line as previously suggested, all was well. Thanks everyone for all the assistance. Cheers Bill ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server
Tory Blue wrote: > I don't want to accept and bounce, that is the point of this option, but > that's what it's doing. Or it's in fact not working correctly, however my > unix front ending a 2003 server, would not show user unknowns in the mail > log, that the exchange server would only know about if it was not doing the > checks. You need to do some Deep Black Magic to get Microsoft Ex-pain-ge 2003 to reject at RCPT TO: time: http://kbase.vircom.com/Kbase32/print.asp?id=1188&Lang=1 > So I have to believe that my unix host is making the call to the internal > server and getting the OK (it then sends) or user unknown and it starts it's > little bounce process, instead of rejecting during the smtp session.. Exactly. It's fixable with Exchange 2003, but not any earlier version. -- David. ___ Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
RE: [Mimedefang] md_check_against_smtp_server
Behalf Of David F. Skoll Tory Blue wrote: > I don't want to accept and bounce, that is the point of this option, but > that's what it's doing. Or it's in fact not working correctly, however my > unix front ending a 2003 server, would not show user unknowns in the mail > log, that the exchange server would only know about if it was not doing the > checks. You need to do some Deep Black Magic to get Microsoft Ex-pain-ge 2003 to reject at RCPT TO: time: http://kbase.vircom.com/Kbase32/print.asp?id=1188&Lang=1 > So I have to believe that my unix host is making the call to the internal > server and getting the OK (it then sends) or user unknown and it starts it's > little bounce process, instead of rejecting during the smtp session.. Exactly. It's fixable with Exchange 2003, but not any earlier version. Yep 2003 allows this and that's why I was able to start using it. the exchange server returns 550 5.1.1 User unknown So it's working and it's giving the proper insight into my Senmail/Mimedefang system, but mimedefang is not bouncing during the smtp commection, it's bouncing after the fact. So not sure what is going on, Tory ___ Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
RE: [Mimedefang] md_check_against_smtp_server
an example Jun 3 14:29:14 gateway1 sendmail[28109]: j53LTDqI028109: from=<[EMAIL PROTECTED]>, size=43172, class=0, nrcpts=1, msgid=<[EMAIL PROTECTED]>, bodytype=8BITMIME, proto=ESMTP, daemon=MTA, relay=bmailrly05f.starwave.com [199.181.134.25] Jun 3 14:29:16 gateway1 mimedefang.pl[27125]: MDLOG,j53LTDqI028109,mail_in,,,<[EMAIL PROTECTED]>,<[EMAIL PROTECTED]>,D on't miss our Fun in the Sun event in Anaheim, CA! Jun 3 14:29:16 gateway1 sendmail[28109]: j53LTDqI028109: Milter add: header: X-Scanned-By: MIMEDefang 2.44 Jun 3 14:29:16 gateway1 sendmail[28113]: j53LTDqI028109: to=<[EMAIL PROTECTED]>, delay=00:00:03, xdelay=00:00:00, mailer=smtp, pri=163172, relay=maui.responsys.com. [10.5.2.20], dsn=5.1.1, stat=User unknown Jun 3 14:29:16 gateway1 sendmail[28113]: j53LTDqI028109: j53LTGqI028113: DSN: User unknown Jun 3 14:29:17 gateway1 sendmail[28113]: j53LTGqI028113: to=<[EMAIL PROTECTED]>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=74448, relay=bmailrly07f.starwave.com. [199.181.134.27], dsn=2.0.0, stat=Sent ( <[EMAIL PROTECTED]> Queued mail for delivery) It checked ,got a user unknown and then is now bouncing after the fact.. Need it to action_bounce.. Tell the connecting server invalid user during the smtp connection Tory ___ Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
RE: [Mimedefang] md_check_against_smtp_server
Tory Blue wrote: > It checked ,got a user unknown and then is now bouncing after the > fact.. Need it to action_bounce.. Tell the connecting server invalid > user during the smtp connection > > Tory 1) Are you sure your mailertable holds the right data (tie a hash and DataDumper it) 2) Are you sure your md_check_against_smtp_server is being called (put a logging line inside the if statement) 3) Are you sure your Exchange is sending the 5xx code for invalid users (telnet to it manually and verify) -- Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902 Hispanic Business Inc./HireDiversity.com Software Engineer perl -e"map{y/a-z/l-za-k/;print}shift" "Jjhi pcdiwtg Ptga wprztg," ___ Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
RE: [Mimedefang] md_check_against_smtp_server
I didn't have MX_RECIPIENT turned on, now I do, same results. Yes I get the 5.x.x results back from the exchange server Yes my mailertable is correct, I have even reverted to the most basic md_check_against_smtp_server config and still seeing a resulting bounce message being created and sent. I will put a logging statement in and see Thanks -Tory 1) Are you sure your mailertable holds the right data (tie a hash and DataDumper it) 2) Are you sure your md_check_against_smtp_server is being called (put a logging line inside the if statement) 3) Are you sure your Exchange is sending the 5xx code for invalid users (telnet to it manually and verify) -- Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902 Hispanic Business Inc./HireDiversity.com Software Engineer perl -e"map{y/a-z/l-za-k/;print}shift" "Jjhi pcdiwtg Ptga wprztg," ___ Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang ___ Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server
On Oct 24, 7:56am, Tory Blue wrote: } } md_check_against_smtp_server($sender, $rcpt_addr, $MyFilterHostName, } $rcpt_host);aid: $msg. } } So I have started to use md_check and it's sort of working. It appears to be } checking the internal server and getting the right results, the problem, } large problem, is the system appears to be bouncing after the fact, vs } return action_bounce, where my front end server would tell the connecting } host, to go fly a kite, not a valid user. } } I don't want to accept and bounce, that is the point of this option, but } that's what it's doing. Or it's in fact not working correctly, however my } unix front ending a 2003 server, would not show user unknowns in the mail } log, that the exchange server would only know about if it was not doing the } checks. } } So I have to believe that my unix host is making the call to the internal } server and getting the OK (it then sends) or user unknown and it starts it's } little bounce process, instead of rejecting during the smtp session.. } } What's going on? How Is this suppose to work, I need upon a "user unknown", } to action_bounce, not REJECT (which appears to be an accept and bounce and } that is unacceptable. } } Any idea what I'm doing wrong, is there a way to change the behaviour? There are several problems with your filter (see below). } Using Larry Schumacher's example. } } sub filter_initialize { } } require DB_File; } use Fcntl; } tie %relaydomains, "DB_File", "/etc/mail/mailertable.db", O_RDONLY; } } } } sub filter_recipient { } } my($recip, $sender, $ip, $host, $first, $helo, $rcpt_mailer, $rcpt_host, } $rcpt_addr) = @_; } } ($user,$domain) = split /\@/, $recip; This is not the proper way to parse $recip. First, if an SMTP client is following the RFCs then it will send the command, RCTP To:<[EMAIL PROTECTED]> Sendmail passes everything after the ':' to a milter. In this case, the milter is MIMEDefang, which in turn passes it to you. Using your parsing, $domain will end up containing "domain>" (notice the '>' on the end), which, of course, won't match anything in your mailertable. The second issue is that according to the DNS RFCs domain names are case insensitive. This means that if somebody were to send mail to Responsys.com the mail would reach you but your lookup would fail. The proper way to parse $recip looks more like this (somebody else may be able to optimize it a bit more, but this works; my mimedefang-filter is my first Perl project): $recip =~ tr/<>//d; $user = $recip; $user =~ s/(^.*)[EMAIL PROTECTED]/$1/; $domain = lc $recip; $domain =~ s/.*\@(.*$)/$1/; $fulladdr = $user . '@' . $domain; Also, you may want to create log entries so that you can see exactly what is happening, i.e.: md_syslog("debug", $QueueID . ", filter_recipient: \$user is $user and \$domain is $domain"); } if( $relaydomains{$domain} =~ /^smtp:\[(.+)\]/){ } return md_check_against_smtp_server($sender, $recip, "mymailhost", $1); You may want to put the results of md_check_against_smtp_server() into a variable so that you can log it and then do a return $variable. } } else { Possibly add another log entry here: md_syslog("debug", $QueueID . ", filter_recipient: recipient not checked"); } return ("CONTINUE", "OK"); } } } } } BTW, about the log entries you sent in another message. The entry showing your Exchange server rejecting the user isn't from when your mimedefang_filter used md_check_against_smtp_server(), but rather from when sendmail attempted to forward the message after accepting it. At that point, sendmail had no choice but to generate a bounce message. }-- End of excerpt from Tory Blue ___ Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server
John Rudd wrote: > > If the host you're checking against, in md_check_against_smtp_server(), > is using a Greet_Pause, how long will md_check_against_smtp_server > wait()? Forever. But if you're using md_check_against_smtp_server, then you really ought to set greet_pause to zero for connections from the MIMEDefang machine, or you're just shooting yourself in the foot. Regards, David. ___ Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server
On Sep 21, 2005, at 2:31 PM, David F. Skoll wrote: John Rudd wrote: If the host you're checking against, in md_check_against_smtp_server(), is using a Greet_Pause, how long will md_check_against_smtp_server wait()? Forever. But if you're using md_check_against_smtp_server, then you really ought to set greet_pause to zero for connections from the MIMEDefang machine, or you're just shooting yourself in the foot. Yeah, internally I don't have a greet_pause. I was just thinking about whether or not to do sender verification, sort of like verizon's call-back, with the same functionality ... for various reasons I wont, but it occurred to me that this would be impacted by the other side doing a greet_pause. ___ Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
[Mimedefang] md_check_against_smtp_server question
I try to avoid bounce messages by using md_check_against_smtp_server function. When I tested I got smtp failure code 5.x.x for all "unkown user" messages, which is a good sign, but bounce messages still got generated on my mimedefang_server. How do I discard these "unkown user" messages? Here's the filter code I use: sub filter_recipient { my($recip, $sender, $ip, $host, $first, $helo, $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_; my $relay = undef; $relay = "internal_server" if ($recip =~ m/[EMAIL PROTECTED]/i); if ($relay) { return md_check_against_smtp_server($sender, $recip, "mimedefang_server", $relay); } return('CONTINUE', "OK"); # accept recipient if dont find relay } from Mimedefang slide: md_check_against_smtp_server runs the first bit of an SMTP conversation to see if a local user exists on another mail server. If you're running MIMEDefang on a gateway, you can reject messages at the gateway instead of being responsible for generating a bounce message ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server
2014-12-30 23:53 GMT+01:00 Jon Rowlan : > I'd like to thank everyone who replied to my recent query regarding > md_check_against_smtp_server. > > The end result is now working beautfifully and inspired by the replies I > am looking into caching the lookup results. I use a Redis database for that. It's quite efficient. Joris sub filter_recipient() { my($recipient, $sender, $ip, $host, $first, $helo, $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_; $recipient =~ s/[<>]//g; if($RelayAddr =~ /^127|^192|^172/) { return ("CONTINUE", "OK"); } #XXX: redis connection fail not handled my $redis = Redis->new(); my $key = $redis->get("$recipient"); if($key eq "OK") { $redis->quit; return ("CONTINUE", "OK"); } elsif($key eq "WRONG") { $redis->quit; return ("REJECT", "User unknown"); } else { my ($status, $message) = md_check_against_smtp_server($sender, $recipient, "blaba", "X",25); if($status eq "CONTINUE") { $redis->set("$recipient","OK"); $redis->expire("$recipient", 432000); } if($status eq "REJECT") { $redis->set("$recipient","WRONG"); $redis->expire("$recipient", 432000); } if($status eq "TEMPFAIL") { $status = "CONTINUE"; $message = "OK"; } $redis->quit; return ($status, $message); } } > > I'd like to wish everyone here seasons felicitations. > > All the best for 2015 ! > > Regards > > jON > > ___ > NOTE: If there is a disclaimer or other legal boilerplate in the above > message, it is NULL AND VOID. You may ignore it. > > Visit http://www.mimedefang.org and http://www.roaringpenguin.com > MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com > http://lists.roaringpenguin.com/mailman/listinfo/mimedefang ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server
On 1/2/2015 6:29 AM, joris dedieu wrote: 2014-12-30 23:53 GMT+01:00 Jon Rowlan : I'd like to thank everyone who replied to my recent query regarding md_check_against_smtp_server. The end result is now working beautfifully and inspired by the replies I am looking into caching the lookup results. I use a Redis database for that. It's quite efficient. Joris Thanks Joris, We refined your caching and added more debugging and error checking so we thought we would post back to the list in like and kind. Best, KAM #Thanks to Joris Dedieu for inspiration and example code for this function sub cached_md_smtp_check { my ($sender, $recipient, $helo, $server, $port) = @_; my ($redis, $key, $status, $message, $redis_server, $redis_password, $start_time, $end_time, $status_message); md_syslog("warning", "DEBUG: Edge Test - Checking Recipient $recipient with cached_md_smtp_check"); # IN ORDER TO MAKE SURE WE DON'T GET STUCK, RUN IN AN EVAL SO WE CAN TIME OUT THAN md_check_against_smtp_server ($status, $message) = eval { # SET TIMEOUT FUNCTION $SIG{ALRM} = sub { md_syslog("warning", "DEBUG: Edge Test - Timing Out"); die "timeout" }; # NB: \n required # SET TIMEOUT TO 15 SECONDS alarm 15; $redis_server = "XXX:6379"; $redis_password = "YYY"; $recipient =~ s/[<>]//g; # ATTEMPT CONNECTION TO REDIS SERVER eval { $redis = Redis->new(server => $redis_server, password => $redis_password); }; # IF THERE IS AN ERROR WHEN TRYING TO CONNECT TO REDIS, JUST USE A REGULAR CALL if ($@) { # WARN THAT REDIS ISN'T WORKING md_syslog("warning", "WARNING: Edge Test - Redis Failed, calling md_check_against_smtp_server. Error: $@"); # RESET ALARM BEFORE RETURNING alarm 0; return md_check_against_smtp_server($sender, $recipient, $helo, $server, $port); } else { md_syslog("warning", "DEBUG: Edge Test - Redis connection success, checking for cached value for $recipient"); $key = $redis->get("$recipient"); # PARSE RESPONSE FROM REDIS IF IT IS SET if ($key ne '' and $key =~ /(.*):(.*)/) { $status = $1; $message = $2; if (uc($status) eq "CONTINUE" or uc($status) eq "REJECT") { md_syslog("warning", "DEBUG: Edge Test - Returning cached value from Redis Status: '$status' Message: '$message' Recipient: $recipient"); $redis->quit; # RESET ALARM BEFORE RETURNING alarm 0; return ($status, $message); } else { $redis->quit; md_syslog("warning", "WARNING: Edge Test - Cached value in Redis returned an incorrect value for $recipient. Calling md_check_against_smtp_server"); # RESET ALARM BEFORE RETURNING alarm 0; return md_check_against_smtp_server($sender, $recipient, $helo, $server, $port); } } else { md_syslog("warning", "DEBUG: Edge Test - Response for $recipient Not Cached, calling md_check_against_smtp_server"); ($status, $message) = md_check_against_smtp_server($sender, $recipient, $helo, $server, $port); # IF NOT TEMPFAIL, SAVE RESPONSE IN REDIS WITH APPROPRIATE EXPIRATION if(uc($status) eq "CONTINUE") { $redis->set($recipient,"$status:$message"); # GOOD RESPONSE, CACHE FOR 5 DAYS $redis->expire("$recipient", 432000); } elsif(uc($status) eq "REJECT") { $redis->set($recipient,"$status:$message"); # BAD RESPONSE, CACHE FOR 1 DAY $redis->expire("$recipient", 86400); } elsif (uc($status) eq "TEMPFAIL") { # IF THE RESPONSE IS TEMPORARY FAIL, DON'T CACHE THE RESULT alarm 0; return ($status, $message); } $redis->quit; # RESET ALARM BEFORE RETURNING alarm 0; return ($status, $message); } } }; if ($@) { # FUNCTION TIMED OUT, FOR NOW, JUST SEND CONTINUE, LATER WE WILL NEED TO CALL THE md_check_against_smtp_server FUNCTION if ($@ =~ /timeout/) { md_syslog("warning", "DEBUG: Edge Test - Redis Eval timed out, sending CONTINUE, OK"); return ("CONTINUE", "OK"); } else { # FAILURE DID NOT COME FROM TIMEOUT, WARN AND DIE md_syslog("warning", "DEBUG: Edge Test - Redis Eval failed for reasons other than timeout $@, calling die"); die; } } else { # NO TIMEOUT, RETURN VALUES SET return ($status, $message); } } ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
[Mimedefang] md_check_against_smtp_server() REJECTing everyone
Apologies if this has been covered already. I can't get md_check_against_smtp_server to return "OK" for a valid user Here's the relevant bit from mimedefang-filter sub filter_recipient { my ($recipient, $sender, $ip, $hostname, $first, $helo) = @_; my $thishost = "mail7.MYDOMAIN.EDU" ; ## This host (or anything that resolves?) if ( $recipient =~ /[EMAIL PROTECTED]>?$/i ) { logv("Checking for user $recipient on SMTP server student RECIP:$recipient FIRST:$first SENDER:$sender RELAY:$ip/$hostname HELO:$helo") ; my @rec_chk = md_check_against_smtp_server($sender, $recip, $thishost, "student.MYDOMAIN.EDU") ; open (rec_log, ">>/tmp/rec_log"); print rec_log join(":",@_), "\n", join(":", @rec_chk), "\n\n"; close (rec_log); } else { logv("Not Checking for user $recipient on SMTP server RECIP:$recipient FIRST:$first SENDER:$sender RELAY:$ip/$hostname HELO:$helo") ; } ### Every user, whether valid or nonexistent gets "User address required:553:5.0.0" Here's an example entry from /tmp/rec_log <[EMAIL PROTECTED]>:<[EMAIL PROTECTED]>:64.4.49.20:bay14- f20.bay14.hotmail.com:<[EMAIL PROTECTED]>:hotmai l.com:esmtp:student.MYDOMAIN.EDU.:[EMAIL PROTECTED] REJECT:<>... User address required:553:5.0.0 But L.REALUSER gets a "Recipient ok" in SMTP to the mailbox server: [EMAIL PROTECTED] root]# telnet student 25 Trying 143.239.1.13... Connected to student. Escape character is '^]'. 220 student.ucc.ie ESMTP Sendmail 8.12.8/8.12.8; Thu, 4 Mar 2004 22:53:35 GMT helo mail7 250 student.ucc.ie Hello mail0.ucc.ie [143.239.1.30], pleased to meet you mail from: [EMAIL PROTECTED] 250 2.1.0 [EMAIL PROTECTED] Sender ok rcpt to: [EMAIL PROTECTED] 250 2.1.5 [EMAIL PROTECTED] Recipient ok rcpt to: l.realuser 250 2.1.5 [EMAIL PROTECTED] Recipient ok quit 221 2.0.0 student.MYDOMAIN.EDU closing connection Connection closed by foreign host. Any ideas? Is there a way to debug md_check_against_smtp_server? TIA Mark Delahunty UCC Computer Centre Cork Ireland ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server question
On Thu, 1 Apr 2004, Kevin A. McGrail wrote: > be queried cannot be reached. Since I am implementing this on the Backup > MX, I NEED it to queue if it can't be reached. > I was thinking that one parameter could be added to allow for this and I've > worked up the following code for comment: You don't need to hack the function. Just do this in filter_recipient: sub filter_recipient { my($recipient, $sender, $rest) = @_; my($answer, $explanation) = md_check_against_smtp_server($sender, $recip, "helo", 'server'); # Convert TEMPFAIL to CONTINUE $answer = 'CONTINUE' if ($answer eq 'TEMPFAIL'); return ($answer, $explanation); } Regards, David. ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server question
Thanks, that'll work! KAM > You don't need to hack the function. Just do this in filter_recipient: > # Convert TEMPFAIL to CONTINUE > $answer = 'CONTINUE' if ($answer eq 'TEMPFAIL'); > return ($answer, $explanation); ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
[Mimedefang] md_check_against_smtp_server and backscatter
Hi, Has anyone use the md_check_against_smtp_server to check if the recipients are valid and if not, discard the message so as to not cause back scatter? I am currently using this in filter_recipient: return md_check_against_smtp_server($sender, $recip, "nexus.pointone.com", "prd07smse001.pointone.com"); Regards Kayne ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
[Mimedefang] md_check_against_smtp_server and md_graphdefang_log
I'm trying to piece together a filter that logs and blocks traffic that is unnecessary. I can't get md_graphdefang_log to put in an entry for items that are refused because of 'User unknown' responses. As you can tell from my code snip below, I am not a programmer. I am adding a few lines above, and a few lines below where I put my code for reference. Blocking and logging is working for the DNSBL. Blocking and logging are not working for the check against smtp server, but it is sending a bounce back and not trying to deliver to internal server. Mimedefang version is 2.70.1 Any help would be greatly appreciated. -Bill Curtis # IMPORTANT NOTE: YOU MUST CALL send_quarantine_notifications() AFTER # ANY PARTS HAVE BEEN QUARANTINED. SO IF YOU MODIFY THIS FILTER TO # QUARANTINE SPAM, REWORK THE LOGIC TO CALL send_quarantine_notifications() # AT THE END!!! my($result); # yea, I know that the DNSBL is more effecient in sendmail, but I want to know how many blocked for what user by blacklist. if ($result = (relay_is_blacklisted($RelayAddr, "zen.spamhaus.org"))) { md_graphdefang_log('spamhaus', $hits, $RelayAddr); return action_bounce("reject: mail from ($RelayHostname || $RelayAddr) rejected due to http://www.spamhaus.org/zen";); # the reject works, but graphdefang log shows the Subject instead of Relay address action_discard(); } elsif ($result = (relay_is_blacklisted($RelayAddr, "bl.spamcop.net"))) { md_graphdefang_log('spamcop', $hits, $RelayAddr); return action_bounce("reject: mail from ($RelayHostname || $RelayAddr) rejected due to http://bl.spamcop.net/";); # the reject works, but graphdefang log shows the Subject instead of Relay address action_discard(); } sub filter_recipient { my($recip, $sender, $ip, $host, $first, $helo, $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_; md_check_against_smtp_server($sender, $recip, "", ""); md_graphdefang_log('notuser', $recip, $sender); # graphdefang log doesn't log entry as 'notuser', eventually logs it as spam, or mail_in depending on score because of code that follows. return action_discard(); } # Drop anything with a score over 6 (*works) if ($hits > 6) { md_graphdefang_log('spamdrop', $hits, $RelayAddr); action_discard(); } # No sense doing any extra work return if message_rejected(); # Spam checks if SpamAssassin is installed if ($Features{"SpamAssassin"}) { if (-s "./INPUTMSG" < 100*1024) { ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server() REJECTing everyone
On Fri, 5 Mar 2004, Delahunty, Mark wrote: > REJECT:<>... User address required:553:5.0.0 What do the log files on the internal server reveal? Try doing a tcpdump to capture the traffic. -- David. ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server() REJECTing everyone
On Fri, 5 Mar 2004, Delahunty, Mark wrote: >my @rec_chk = md_check_against_smtp_server($sender, $recip, > $thishost, "student.MYDOMAIN.EDU") ; I think you need to change $recip to $recipient. HTH... Jim McCullars University of Alabama in Huntsville ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server() REJECTing everyone
"Delahunty, Mark" wrote: > .ucc.ie [143.239.1.30], reject=553 5.0.0 <>... User address required ^^^ Quite aside from the problem you're asking about, it looks like the internal server is a little misconfigured... -kgd -- "Sendmail administration is not black magic. There are legitimate technical reasons why it requires the sacrificing of a live chicken." - Unknown ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server() REJECTing everyone
On Fri, 5 Mar 2004, Kris Deugau wrote: > "Delahunty, Mark" wrote: > > .ucc.ie [143.239.1.30], reject=553 5.0.0 <>... User address required > ^^^ > Quite aside from the problem you're asking about, it looks like the > internal server is a little misconfigured... That is the standard sendmail reply when a MTA does a command like this: RCPT TO: <> which is what his typo would have caused MD to send to the server it was checking against. Jim McCullars University of Alabama in Huntsville ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server() REJECTing everyone
Jim McCullars wrote: >That is the standard sendmail reply when a MTA does a command like > this: > > RCPT TO: <> Gahh.. Thought that was referring to the sender, not the recipient. Must be time for a weekend. -kgd -- "Sendmail administration is not black magic. There are legitimate technical reasons why it requires the sacrificing of a live chicken." - Unknown ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
[Mimedefang] md_check_against_smtp_server not IPv6 proof?
Hi all I just noticed that md_check_against_smtp_server seams to be failing checking an IPv6 only destination server. (Not sure if $ip contains only IPv4 but in other routines the IPv6 address is correctly returned...) Also on Servers which are reachable through IPv6 and IPv4 I noticed that md_check_against_smtp_server does a IPv4 connection for testing the recipient and then sendmail sends the email itself via IPv6. This could lead to strange problems in case there are different virutal mailservers on those different IP-Addresses. Is this going to be fixed in future releases? -Benoit- -- SPAM SPAM SPAM SPAM / Hormel's new miracle meat in a can Tastes fine, saves time. / If you want something grand, / Ask for SPAM! - Hormel's 1937 jingle for SPAM ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
RE: [Mimedefang] md_check_against_smtp_server - Got it
I think I was being a jackarse. A) I didn't have MX_RECIPIENT_CHECK enabled in my /etc/sysconfig/mimedefang file and due to this I have a bunch of questionable attempts at my milter code. enabling MX_RECIPIENT and using the simple example, works fine. Now that I have it working, I can go and start customizing, since I'm in a known good state. Thanks all. Larry Starr's version: WORKS "" - should be the name of the machine that you are relaying for i.e. "internalserver.mydomain.com" The RE for setting $relay should be your mail domain "mydom.com" should, of course be your domain "\bmydomain\.com\b" "myfqdn" should be the name of the server running mimedefang i.e "mail.mydomain.com" Hope this helps someone. sub filter_recipient { my($recip, $sender, $ip, $host, $first, $helo, $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_; my $relay = undef; $relay = "" if ($recip =~ /\bmydom\.com\b/); if ($relay) { return md_check_against_smtp_server($sender, $recip, "myfqdn", $relay); } return('CONTINUE', "OK"); # accept recipient if dont find relay } ___ Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
[Mimedefang] md_check_against_smtp_server and down server?
Just a quick question, a quick search didnt render any hits. In the situation as described on: http://www.mimedefang.org/kwiki/index.cgi?RelayCheckAddresses What happens during this check if the remote smtp server is down? Would it tempfail the message or outright bounce? If it tempfails, its an easy solution to a previously complicated ldap export and reformat. Im trying to determine if I should query our internal mail server for actual valid addresses live if this can tempfail, or just use a file based db and export out the address via ldap. Kayne ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server and backscatter
Kayne Kruse wrote: > Has anyone use the md_check_against_smtp_server to check if the > recipients are valid and if not, discard the message so as to not cause > back scatter? Yes; we use it all the time, as do many (most?) of our CanIt customers. Our hosted CanIt service uses it too. Regards, David. ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server and backscatter
On Tue, 2009-07-28 at 16:07 -0400, David F. Skoll wrote: > Kayne Kruse wrote: > > > Has anyone use the md_check_against_smtp_server to check if the > > recipients are valid and if not, discard the message so as to not cause > > back scatter? Would throwing away users not valid as recipients cause more bad than good? ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server and backscatter
>> Has anyone use the md_check_against_smtp_server to check if the >> recipients are valid and if not, discard the message so as to not >> cause back scatter? >Would throwing away users not valid as recipients cause more bad than good? Yes - return a 5xx message instead, so the sender knows that the address doesn't exist. Worst case is they ignore it and keep spamming addresses which will never work, while the best case is they tune their lists and the load on your server may go down. In cases where a legitimate sender has got the address wrong, it is better to tell them than to silently drop the message, especially as some mail clients keep a Frequent Contacts list which will then offer to use the wrong address in future (bad addresses get dropped from the list if a bounce is received). I keep a running record of good/bad recipients for each sending IP, and automatically firewall systems which have sent to more bad recipients than good recipients if they've sent more than 10 messages. Real e-mail is unlikely to be this bad, although the problem with idiot-proofing your system is that idiots are very imaginative. Paul. ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server and backscatter
--- On Tue, 7/28/09, Kayne Kruse wrote: > Has anyone use the md_check_against_smtp_server to check if the > recipients are valid and if not, discard the message so as to not cause > back scatter? I check recipients for validity directly in sendmail and reject at the SMTP level so a DSN will never be generated in the first place. MimeDefang isn't a replacement for sendmail's rules, but an addition for things that can't be done in the rulesets. With all possible checks done during the SMTP transaction, only forwarding problems will cause DSNs. Since those DSNs will go only to senders which are not forged (because SPF and DomainKeys are checked), didn't send spam, and didn't send a virus, the DSN will never be backscatter. DSNs sent to sending mailboxes that are NOT protected by an anti-forgery method are also NOT backscatter - because the mailbox owner, by not protecting his mailbox and thus letting anyone (including spammers) use it as a sender identity, is not receiving an unsolicited response (DSN or otherwise). ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server and backscatter
on 7-28-2009 2:27 PM Kayne Kruse spake the following: > On Tue, 2009-07-28 at 16:07 -0400, David F. Skoll wrote: >> Kayne Kruse wrote: >> >>> Has anyone use the md_check_against_smtp_server to check if the >>> recipients are valid and if not, discard the message so as to not cause >>> back scatter? > > Would throwing away users not valid as recipients cause more bad than > good? > > If the message has no valid recipient, why is it bad to reject it? If you get junk mail at home addressed to someone that doesn't exist, do you read it? signature.asc Description: OpenPGP digital signature ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server and backscatter
Kayne Kruse wrote: > Would throwing away users not valid as recipients cause more bad than > good? Yes. That's a terrible thing to do. Suppose someone sends you something important, but makes a typo in your e-mail address... Regards, David. ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
--- On Fri, 3/22/13, James Curtis wrote: > I'm trying to piece together a filter > that logs and blocks traffic that is unnecessary. I > can't get md_graphdefang_log to put in an entry for items > that are refused because of 'User unknown' responses. The problem is that when Sendmail has already determined an error has occurred based on its rulesets, the corresponding milter function is NOT called - thus there will be no such log entry for the above error unless your MD filter code determines that the user is unknown, not sendmail. I don't know whether other MTAs (e.g. postfix) that have the milter interface behave similarly. This means that the only things that MD will get to log are things that passed the MTA's checks. In part, this makes sense in that there's no reason to call the milter if the MTA has already determined an error. ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
> Date: Fri, 22 Mar 2013 18:56:44 -0700 > > --- On Fri, 3/22/13, James Curtis wrote: > > I'm trying to piece together a filter > > that logs and blocks traffic that is unnecessary. I > > can't get md_graphdefang_log to put in an entry for items > > that are refused because of 'User unknown' responses. > > The problem is that when Sendmail has already determined an error has > occurred based on its rulesets, the corresponding milter >function is NOT > called - thus there will be no such log entry for the above error unless your > MD filter code determines that the user >is unknown, not sendmail. I don't have any sendmail configuration that checks for bad users. If I take out the "md_check_against_smtp_server($sender, $recip, "mail.hml.com", "192.168.1.10");" it doesn't block any unknown users. -Bill ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
--- On Fri, 3/22/13, James Curtis wrote: > I don't have any sendmail configuration that checks for bad users. If you're using the default provided rulesets, you do have a configuration that checks for bad users. ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
> Date: Fri, 22 Mar 2013 21:49:31 -0700 > From: kd6lvw > --- On Fri, 3/22/13, James Curtis wrote: > > I don't have any sendmail configuration that checks for bad users. > > If you're using the default provided rulesets, you do have a configuration > that checks for bad users. I guess I should have mentioned, my mimedefang server is just a filter. It filters, then forwards to an internal server. Bill ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
Am 23.03.2013 05:49, schrieb kd6...@yahoo.com: > --- On Fri, 3/22/13, James Curtis wrote: >> I don't have any sendmail configuration that checks for bad users. > > If you're using the default provided rulesets, you do have a configuration > that checks for bad users. Sendmail default rulesets only check for bad _local_ users. The OP was inquiring about SMTP call-ahead. Sendmail does not have a default ruleset for that. -- Tilman Schmidt Phoenix Software GmbH Bonn, Germany signature.asc Description: OpenPGP digital signature ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
Am 23.03.2013 01:43, schrieb James Curtis: > # yea, I know that the DNSBL is more effecient in sendmail, but I want to > know how many blocked for what user by blacklist. > if ($result = (relay_is_blacklisted($RelayAddr, "zen.spamhaus.org"))) { > md_graphdefang_log('spamhaus', $hits, $RelayAddr); > return action_bounce("reject: mail from ($RelayHostname || > $RelayAddr) rejected due to http://www.spamhaus.org/zen";); > # the reject works, but graphdefang log shows the Subject instead of > Relay address That's strange. Please show an example log entry. > sub filter_recipient >{ >my($recip, $sender, $ip, $host, $first, $helo, $rcpt_mailer, > $rcpt_host, $rcpt_addr) = @_; >md_check_against_smtp_server($sender, $recip, " serverexternal DNS name>", ""); > md_graphdefang_log('notuser', $recip, $sender); > # graphdefang log doesn't log entry as 'notuser', eventually logs it as > spam, or mail_in depending on score because of code that follows. > return action_discard(); >} This cannot work. You call md_check_against_smtp_server but never check the result. md_graphdefang_log and action_discard are called unconditionally. If this code was what your MIMEdefang actually runs, all messages would be logged with 'notuser' and discarded. So there must be something else wrong. Perhaps your MIMEdefang is not using the filter script you think it does. Perhaps filter_recipient is redefined later. Perhaps it's a simple copy/paste error or your sanitizing. HTH T. -- Tilman Schmidt Phoenix Software GmbH Bonn, Germany signature.asc Description: OpenPGP digital signature ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
On Fri, 22 Mar 2013 21:49:31 -0700 (PDT) kd6...@yahoo.com wrote: > If you're using the default provided rulesets, you do have a > configuration that checks for bad users. He's using Sendmail as a relay. No local users. -- David. ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
Am 23.03.2013 01:43, schrieb James Curtis: >> # yea, I know that the DNSBL is more effecient in sendmail, but I want to >> know how many blocked for what user by blacklist. >> if ($result = (relay_is_blacklisted($RelayAddr, "zen.spamhaus.org"))) { >> md_graphdefang_log('spamhaus', $hits, $RelayAddr); >> return action_bounce("reject: mail from ($RelayHostname || $RelayAddr) >> rejected due to http://www.spamhaus.org/zen";); >> # the reject works, but graphdefang log shows the Subject instead of Relay >> address >That's strange. Please show an example log entry. Sample log entry Mar 24 09:39:05 monitor mimedefang.pl[15805]: MDLOG,r2ODcuhx026963,spamcop,,217.29.152.157,,,Huge 79%25 discount for luvme_mwah13 Mar 24 09:44:06 monitor mimedefang.pl[15805]: MDLOG,r2ODhv3a027039,spamhaus,,31.16.181.217,,,Huge 83%25 discount for sandseatravel Mar 22 18:46:23 monitor mimedefang.pl[29141]: MDLOG,r2MMkKhj002512,mail_in,2.344,88.43.32.209,,,hope Mar 22 20:11:52 monitor mimedefang.pl[29141]: MDLOG,r2N0Bolt004255,mail_in,0.939,23.19.31.184,,,Relieve Your Tax Debt Today Mar 22 18:46:23 monitor mimedefang.pl[29141]: MDLOG,r2MMkKhj002512,mail_in,2.344,88.43.32.209,,,hope Mar 24 02:01:01 monitor mimedefang.pl[15805]: MDLOG,r2O610nv008049,spam,17.521,118.179.250.162,,,Huge 70%25 discount for ack_serpents >> sub filter_recipient >> { >> my($recip, $sender, $ip, $host, $first, $helo, $rcpt_mailer, $rcpt_host, >> $rcpt_addr) = @_; >> md_check_against_smtp_server($sender, $recip, "> name>", ""); >> md_graphdefang_log('notuser', $recip, $sender); >> # graphdefang log doesn't log entry as 'notuser', eventually logs it as >> spam, or mail_in depending on score because of code that >follows. >> return action_discard(); >> } >This cannot work. You call md_check_against_smtp_server but never >check the result. md_graphdefang_log and action_discard are called >unconditionally. If this code was what your MIMEdefang actually >runs, all messages would be logged with 'notuser' and discarded. >So there must be something else wrong. >Perhaps your MIMEdefang is not using the filter script you think >it does. Perhaps filter_recipient is redefined later. Perhaps it's >a simple copy/paste error or your sanitizing. I guess I need a mimedefang-filter and Perl for dummies book. Is there a place I can find such a document? It seems to be working, but not when I would like. I have gotten by with code snips from other configs, but adding functionality for features that aren't as documented as other features. How do I know what outputs a command will produce when called so I can base an if rule against it? I just now realized that the unknown user reports are because I had to enable the recipient filter on the internal server, so that explains why the bounces are going out. But I really want it to check before sending so it doesn't accept, instead of bounce. Bill ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
--- On Sun, 3/24/13, James Curtis wrote: > >> # yea, I know that the DNSBL is more effecient in > sendmail, but I want to know how many blocked for what user > by blacklist. > >> if ($result = (relay_is_blacklisted($RelayAddr, "zen.spamhaus.org"))) { > >> md_graphdefang_log('spamhaus', $hits, $RelayAddr); ... > >> # the reject works, but graphdefang log shows the > Subject instead of Relay address Is the variable $hits empty at this point? That would explain why the subject (which is the field which follows the relay address) is being read instead of the address. The empty field may cause an omitted comma. ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
Am 24.03.2013 15:28, schrieb James Curtis: >>> md_graphdefang_log('spamhaus', $hits, $RelayAddr); [...] >>> # the reject works, but graphdefang log shows the Subject instead of Relay >>> address [...] > Mar 24 09:44:06 monitor mimedefang.pl[15805]: > MDLOG,r2ODhv3a027039,spamhaus,,31.16.181.217,,,Huge > 83%25 discount for sandseatravel You are reading this wrong. Quoting the manpage for mimedefang-filter: md_graphdefang_log($event, $v1, $v2) Logs an event with up to two optional additional parameters. The log message has a specific format useful for graphing tools; the message looks like this: MDLOG,msgid,event,v1,v2,sender,recipient,subj So your log entry contains: - the fixed string MDLOG, -- just as promised by the manpage - msgid = r2ODhv3a027039, -- a plausible message ID - event = spamhaus, -- as you specified - v1 = empty, -- unsurprisingly, as you passed $hits which is never set in your filter - v2 = 31.16.181.217, -- a plausible relay IP address - sender = , - recipient = , - subj = Huge 83%25 discount for sandseatravel -- all quite plausible To me that looks like everything's working fine. > I guess I need a mimedefang-filter and Perl for dummies book. > Is there a place I can find such a document? I seem to remember a book "Perl for Dummies" actually exists. The best approximation to "mimedefang-filter for Dummies" is probably this mailinglist. :-) > How do I know what outputs a command will produce when called so I can base > an if rule against it? The mimedefang-filter manpage would be the canonical source for that. > I just now realized that the unknown user reports are because I had to enable > the recipient filter on the internal server, so that explains why the bounces > are going out. Yes, that makes more sense. > But I really want it to check before sending so it doesn't accept, instead of > bounce. Sure, that's the way it can and should be done. Bounces are to be avoided whenever possible. I'm doing something similar on a mail server serving several domains, some local and some relayed. My filter_recipient just contains, for each relayed domain: if ($recipient =~ /[@.]relayeddoma\.in>?$/i) { return md_check_against_smtp_server($sender, $recipient, $helo, 'mail.relayeddoma.in'); } ie. it just passes on the result of md_check_against_smtp_server without even looking at it. This works for me because (a) md_check_against_smtp_server's return value is designed to be a valid return value for filter_recipient, and (b) I don't need to do any further checks or actions on relayed mails in filter_recipient after md_check_against_smtp_server. If do you need to do more in filter_recipient after md_check_against_smtp_server has returned "OK" you'll have to assign its result to a variable and check it with appropriate if statements. But I'd recommend against that. SpamAssassin and virus checking belong in filter_end, and additional logging doesn't add anything useful IMHO. So if you relay *all* mails to , your filter_recipient could in fact be as simple as: sub filter_recipient { my($recip, $sender, $ip, $host, $first, $helo, $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_; return md_check_against_smtp_server($sender, $recip, "", ""); } HTH T. -- Tilman Schmidt Phoenix Software GmbH Bonn, Germany signature.asc Description: OpenPGP digital signature ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
On Sun, 24 Mar 2013 10:28:16 -0400 James Curtis wrote: > I guess I need a mimedefang-filter and Perl for dummies book. There are plenty of pretty good "Intro to Perl" books; check the O'Reilly site. As for intro to MIMEDefang, you could have a look at slides from a talk I gave (a long time ago): http://www.mimedefang.org/static/mimedefang-lisa04.pdf The slides are somewhat dated, but mostly still relevant. Regards, David. ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
> > I guess I need a mimedefang-filter and Perl for dummies book. > > There are plenty of pretty good "Intro to Perl" books; check the O'Reilly > site. As for intro to MIMEDefang, you could have a look at slides from a > talk I gave (a long time ago): > > http://www.mimedefang.org/static/mimedefang-lisa04.pdf I read through that before going to the list. Page 86 seems to be the relevant page, but without sample code in context I'm still lost. I did read through the mimedefang.pl file enough to find: #*** # %PROCEDURE: md_check_against_smtp_server # %ARGUMENTS: # sender -- sender e-mail address # recip -- recipient e-mail address # helo -- string to put in "HELO" command # server -- SMTP server to try. # port -- optional: Port to connect on (defaults to 25) # %RETURNS: # ('CONTINUE', "OK") if recipient is OK # ('TEMPFAIL', "err") if temporary failure # ('REJECT', "err") if recipient is not OK. # %DESCRIPTION: # Verifies a recipient against another SMTP server by issuing a # HELO / MAIL FROM: / RCPT TO: / QUIT sequence #*** AND this ($retval, $code, $dsn, $text) = get_smtp_return_code($sock, $recip, $server); if ($retval ne 'CONTINUE') { $sock->print("QUIT\r\n"); $sock->flush(); # Swallow return value get_smtp_return_code($sock, $recip, $server); $sock->close(); return ($retval, $text, $code, $dsn); } My rookie brain seems to think that it is returning the value to $retval But I can't figure out why this doesn't put an entry into the mdlog, either notauser, or unsure, even if the other variables are incorrect. sub filter_recipient { my($recip, $sender, $ip, $host, $first, $helo, $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_; md_check_against_smtp_server($sender, $recip, "localhost", "192.168.1.10"); if ($retval eq "REJECT") { md_graphdefang_log('notauser', $recip, $sender); # return action_discard(); }else{ md_graphdefang_log('unsure', $retval, $code); } } I verified that I was running mimedefang.pl with the -t option (listed as requirement for filter_recipient) [root@monitor ~]# ps ax |grep mimedefang 27993 ? S 0:00 /usr/bin/mimedefang-multiplexor -t -p /var/spool/MIMEDefang/mimedefang-multiplexor.pid -m 2 -x 10 -y 0 -U defang -b 600 -l -s /var/spool/MIMEDefang/mimedefang-multiplexor.sock Any additional help? -Bill ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
On Mon, 25 Mar 2013 13:30:31 -0400 James Curtis wrote: > md_check_against_smtp_server($sender, $recip, "localhost", "192.168.1.10"); You are throwing away the return values from that function. You need to assign them to some local variables like this: my ($retval, $code, $dsn, $text) = md_check_against_smtp_server($sender, $recip, "localhost", "192.168.1.10"); Regards, David. ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
Date: Mon, 25 Mar 2013 13:05:16 +0100 (From: t.schm...@phoenixsoftware.de) >So if you relay *all* mails to , >your filter_recipient could in fact be as simple as: >sub filter_recipient >{ >my($recip, $sender, $ip, $host, $first, $helo, $rcpt_mailer, >$rcpt_host, $rcpt_addr) = @_; >return md_check_against_smtp_server($sender, $recip, >"", ""); >} OK, so I tried this simple strip of code, just to get it to reject unknown users without logging. It still doesn't seem to be working. Should it be in a separate section of the code, it's own section of code. I have tried adding it to filter_begin, filter_end, and as it's own section of code directly after the } after all of the filter_begin. Could location be part of the equation that I'm missing? -Bill ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
--- On Mon, 3/25/13, James Curtis wrote: > I did read through the mimedefang.pl file enough to find: ... > AND this > ($retval, $code, $dsn, $text) = get_smtp_return_code($sock, $recip, $server); > if ($retval ne 'CONTINUE') { > $sock->print("QUIT\r\n"); > $sock->flush(); # Swallow return value > get_smtp_return_code($sock, $recip, $server); > $sock->close(); > return ($retval, $text, $code, $dsn); > } Poor coding (for today; perhaps OK in 2004). Although this will issue a QUIT when an error is returned, it does NOT do so when the transaction succeeds to the point where 'DATA' is normally issued. There are at least two blacklisting DNSBLs that track systems that track callbacks and the failure to issue QUIT. This is a good way to get listed and therefore banned. ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
On Mon, 2013-03-25 at 13:53 -0700, kd6...@yahoo.com wrote: > Although this will issue a QUIT when an error is returned, it does NOT > do so when the transaction succeeds to the point where 'DATA' is > normally issued. I'm not seeing that. I have MIMEDefang 2.71-2build1 on Ubuntu Precise. I see code to issue a QUIT unconditionally after the RCPT TO command. -- Richard signature.asc Description: This is a digitally signed message part ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
On Mon, 25 Mar 2013, David F. Skoll wrote: >On Mon, 25 Mar 2013 13:30:31 -0400 >James Curtis wrote: > >> md_check_against_smtp_server($sender, $recip, "localhost", "192.168.1.10"); > >You are throwing away the return values from that function. You need >to assign them to some local variables like this: > >my ($retval, $code, $dsn, $text) = md_check_against_smtp_server($sender, >$recip, "localhost", "192.168.1.10"); Shouldn't that be: my ($retval, $text, $code, $dsn) = md_check_against_smtp_server($sender, $recip, "localhost", "192.168.1.10"); I assume that you intent to use meaningfull variable names. Regards, Kees Theunissen. -- Kees Theunissen, System and network manager, Tel: +31 (0)30 6096724 Dutch Institute For Fundamental Energy Research (DIFFER) e-mail address: c.j.theunis...@differ.nl postal address: PO Box 1207, 3430 BE Nieuwegein, NL visitors address: Edisonbaan 14, 3439 MN Nieuwegein, NL ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
Am 25.03.2013 20:54, schrieb James Curtis: >> your filter_recipient could in fact be as simple as: >> sub filter_recipient >> { >> my($recip, $sender, $ip, $host, $first, $helo, $rcpt_mailer, >> $rcpt_host, $rcpt_addr) = @_; >> return md_check_against_smtp_server($sender, $recip, >> "", ""); >> } > > OK, so I tried this simple strip of code, just to get it to reject unknown > users without logging. It still doesn't seem to be working. That doesn't match what I am observing. With my very similar setup I get log entries for all rejections. So whatever it is that rejects unknown users in your setup, I'm pretty sure it isn't that filter_recipient function. What exactly do you mean by "reject unknown users without logging", anyway? What happens when a server attempts to deliver a mail message for an unknown user? What response does the sending server get? What does your server log? Nothing at all? That would be very odd. In my experience, Sendmail always logs at least the connection attempt. Please show an actual log excerpt. > Should it be in a separate section of the code, it's own section of code. I > have tried adding it to filter_begin, filter_end, and as it's own section of > code directly after the } after all of the filter_begin. filter_recipient is a filter function of its own. It should not be stuffed inside one of the other filter functions. One other thing I forgot: MIMEdefang must actually be told that you want it to run a filter_recipient function, by starting it with the -t option. If you don't give that option it'll just ignore any filter_recipient function you might have in your filter script. Bit me more than once, that one. > Could location be part of the equation that I'm missing? Well, of course where you place code makes all the difference. In programming, where you place a piece of code determines when it is run. If you are unsure how all of this hangs together, perhaps it would be best to post your mimedefang-filter script in its entirety so knowledgeable people can have a look at it. HTH T. signature.asc Description: OpenPGP digital signature ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
*Date: Mon, 25 Mar 2013 23:43:15 +0100 From: t.schmidt >>> your filter_recipient could in fact be as simple as: >>> sub filter_recipient >>> { >>> my($recip, $sender, $ip, $host, $first, $helo, $rcpt_mailer, >>> $rcpt_host, $rcpt_addr) = @_; >>> return md_check_against_smtp_server($sender, $recip, >>> "", ""); >>> } >> >> OK, so I tried this simple strip of code, just to get it to reject unknown >> users without logging. It still doesn't seem to be>>working. >That doesn't match what I am observing. With my very similar >setup I get log entries for all rejections. So whatever it is >that rejects unknown users in your setup, I'm pretty sure it >isn't that filter_recipient function. >What exactly do you mean by "reject unknown users without >logging", anyway? What happens when a server attempts to >deliver a mail message for an unknown user? What response >does the sending server get? What does your server log? >Nothing at all? That would be very odd. In my experience, >Sendmail always logs at least the connection attempt. >Please show an actual log excerpt. I get the normal sendmail logs, but since my filter is a relay, it doesn't know what users exist, so it accepts the email, and then has to send a bounce message. when I said reject without logging, I meant md_graphdefang_log > >One other thing I forgot: MIMEdefang must actually be told >that you want it to run a filter_recipient function, by >starting it with the -t option. If you don't give that option >it'll just ignore any filter_recipient function you might >have in your filter script. Bit me more than once, that one. > I modified the mimedefang init script as follows is this correct for what you meant? (previously the -t wasn't there): daemon $PROGDIR/$prog-multiplexor -t -p /var/spool/MIMEDefang/$prog-multiplexor.pid\ ps ax |grep mimedefang reports this: 32559 ?S 0:00 /usr/bin/mimedefang-multiplexor -t -p /var/spool/MIMEDefang/mimedefang-multiplexor.pid -m 2 -x 10 -y 0 -U defang -b 600 -l -s /var/spool/MIMEDefang/mimedefang-multiplexor.sock 32560 ?S 0:12 /usr/bin/perl /usr/bin/mimedefang.pl -server 32575 ?Sl 0:00 /usr/bin/mimedefang -P /var/spool/MIMEDefang/mimedefang.pid -m /var/spool/MIMEDefang/mimedefang-multiplexor.sock -R -1 -U defang -q -p /var/spool/MIMEDefang/mimedefang.sock 32588 ?S 0:00 /usr/bin/perl /usr/bin/mimedefang.pl -server >> Could location be part of the equation that I'm missing? >Well, of course where you place code makes all the difference. >In programming, where you place a piece of code determines >when it is run. >If you are unsure how all of this hangs together, perhaps it >would be best to post your mimedefang-filter script in its >entirety so knowledgeable people can have a look at it. Is this forum a good place to post in entirety, or somewhere else? It really is simple mods to the stock mimedefang-filter. ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
On Mon, 2013-03-25 at 17:00 -0700, kd6...@yahoo.com wrote: > This is what I saw: > > if ($retval ne 'CONTINUE') { > > $sock->print("QUIT\r\n"); > > Looks pretty conditional to me. If the return value is the continue literal, > no quit is issued. I've now pulled mimedefang.pl.in from the 2.73 tarball off the website. Here's the function from HELO onwards: $sock->print("HELO $helo\r\n"); $sock->flush(); ($retval, $code, $dsn, $text) = get_smtp_return_code($sock, $recip, $server); if ($retval ne 'CONTINUE') { $sock->print("QUIT\r\n"); $sock->flush(); # Swallow return value get_smtp_return_code($sock, $recip, $server); $sock->close(); return ($retval, $text, $code, $dsn); } $sock->print("MAIL FROM:$sender\r\n"); $sock->flush(); ($retval, $code, $dsn, $text) = get_smtp_return_code($sock, $recip, $server); if ($retval ne 'CONTINUE') { $sock->print("QUIT\r\n"); $sock->flush(); # Swallow return value get_smtp_return_code($sock, $recip, $server); $sock->close(); return ($retval, $text, $code, $dsn); } $sock->print("RCPT TO:$recip\r\n"); $sock->flush(); ($retval, $code, $dsn, $text) = get_smtp_return_code($sock, $recip, $server); $sock->print("QUIT\r\n"); $sock->flush(); # Swallow return value get_smtp_return_code($sock, $recip, $server); $sock->close(); return ($retval, $text, $code, $dsn); Here, in the last chunk, is the unconditional QUIT. The other, conditional, QUIT commands handle error cases. If the whitespace was like this instead, it'd be easier to see: $sock->print("RCPT TO:$recip\r\n"); $sock->flush(); ($retval, $code, $dsn, $text) = get_smtp_return_code($sock, $recip, $server); $sock->print("QUIT\r\n"); ... -- Richard signature.asc Description: This is a digitally signed message part ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
On Mon, 25 Mar 2013 13:53:34 -0700 (PDT) kd6...@yahoo.com wrote: > Although this will issue a QUIT when an error is returned, it does > NOT do so when the transaction succeeds to the point where 'DATA' is > normally issued. There are at least two blacklisting DNSBLs that > track systems that track callbacks and the failure to issue QUIT. > This is a good way to get listed and therefore banned. Two comments: 1) Read the MIMEDefang source, not the purported source as published by a poster on this list. 2) md_check_against_smtp_server is intended to be used against servers you control. If you want to blacklist your own MIMEDefang relay... *shrug* -- David. ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
--- On Mon, 3/25/13, David F. Skoll wrote: > On Mon, 25 Mar 2013 13:53:34 -0700 (PDT) kd6...@yahoo.com wrote: > > Although this will issue a QUIT when an error is returned, it does > > NOT do so when the transaction succeeds to the point where 'DATA' is > > normally issued. There are at least two blacklisting DNSBLs that > > track systems that track callbacks and the failure to issue QUIT. > > This is a good way to get listed and therefore banned. > > Two comments: > > 1) Read the MIMEDefang source, not the purported source as published > by a poster on this list. I was responding directly to what was posted to the list, which has the defect. > 2) md_check_against_smtp_server is intended to be used against servers > you control. If you want to blacklist your own MIMEDefang relay... That may have been your intent for adding the function, but it can easily be abused to perform callbacks to random servers, especially when used to test the sender's address for validity as a return address. If it were to be limited to servers under one's control and enforced as such, the routine would have to obtain the recipient's MX-RRset internally and test all higher priority MTAs; thus it would not need the remote host address parameter. It would determine which host in the MX-RRset it is running on based on the macro variables passed in via the milter interface. ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
> Date: Mon, 25 Mar 2013 20:35:53 -0700 > From: kd6...@yahoo.com > I was responding directly to what was posted to the list, which has the > defect. > The original post was a cut/paste from my /usr/bin/mimedefang.pl file (version 2.70-1) > > > 2) md_check_against_smtp_server is intended to be used against servers > > you control. If you want to blacklist your own MIMEDefang relay... > > That may have been your intent for adding the function, but it can easily be > abused to perform callbacks to random servers, especially when used to test > the sender's address for validity as a return address. If it were to be > limited to servers under one's control and enforced as such, the routine > would have to obtain the recipient's MX-RRset internally and test all higher > priority MTAs; thus it would not need the remote host address parameter. It > would determine which host in the MX-RRset it is running on based on the > macro variables passed in via the milter interface. > ___ >From what I have read of the documentation (man mimedefang-filter, Rejecting >Unknown Users Early section), the md_check_against_smtp_server is meant to >verify that the email address someone is sending to actually exists on the >server they are trying to send to (through the filter server that is running >mimedefang). To the best of my knowledge it doesn't check the sender to make >sure that the sender exists on the domain that the sending email address. > FILTERING BY RECIPIENT You can define a function called filter_recipient in your filter. This lets you reject messages to certain recipients, rather than waiting until the whole message has been sent. Note that for this check to take place, you must use the -t flag with mimedefang. > Can someone verify that modifying the /etc/rc.d/init.d/mimedefang script daemon $PROGDIR/$prog-multiplexor -p /var/spool/MIMEDefang/$prog-multiplexor.pid -t \ OR daemon $PROGDIR/$prog-multiplexor -t -p /var/spool/MIMEDefang/$prog-multiplexor.pid \ OR am I misunderstanding what it means to run it with the -t option. I think this may be why my md_check_against_smtp_server doesn't appear to be working. -Bill Curtis ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
--- On Mon, 3/25/13, James Curtis wrote: > From what I have read of the documentation (man > mimedefang-filter, Rejecting Unknown Users Early section), > the md_check_against_smtp_server is meant to verify that the > email address someone is sending to actually exists on the > server they are trying to send to (through the filter server > that is running mimedefang). To the best of my > knowledge it doesn't check the sender to make sure that the > sender exists on the domain that the sending email > address. Exchange the sender and recipient mailboxes (for the recipient(s), pick one if more than one) and it can be used to perform a callback which is abusive, intended or not. ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
On Tue, 26 Mar 2013, James Curtis wrote: >FILTERING BY RECIPIENT > You can define a function called filter_recipient in your filter. > This lets you reject messages to certain recipients, rather than > waiting until the whole message has been sent. Note that for this > check to take place, you must use the -t flag with mimedefang. >> >Can someone verify that modifying the /etc/rc.d/init.d/mimedefang script >daemon $PROGDIR/$prog-multiplexor -p > /var/spool/MIMEDefang/$prog-multiplexor.pid -t \ >OR >daemon $PROGDIR/$prog-multiplexor -t -p > /var/spool/MIMEDefang/$prog-multiplexor.pid \ >OR >am I misunderstanding what it means to run it with the -t option. > >I think this may be why my md_check_against_smtp_server doesn't appear to be >working. If you want to start "mimedefang" with the "-t" flag then you better put "-t" in the command that starts "mimedefang" rather than in the command that starts "mimedefang-multiplexor". But normally you don't need to modify the /etc/rc.d/init.d/mimedefang script. The startup script reads a configuration file and will start the daemons depending on the contents of that configuration file. File names and locations of startup scripts and config files might vary among OS-es/distributions/versions. On a Debian Linux Squeeze system the config file is located in /etc/default/mimedefang. In that file I have: # "yes" turns on the multiplexor recipient checking function # MX_RECIPIENT_CHECK=no MX_RECIPIENT_CHECK=yes Regards, Kees Theunissen. -- Kees Theunissen, System and network manager, Tel: +31 (0)30 6096724 Dutch Institute For Fundamental Energy Research (DIFFER) e-mail address: c.j.theunis...@differ.nl postal address: PO Box 1207, 3430 BE Nieuwegein, NL visitors address: Edisonbaan 14, 3439 MN Nieuwegein, NL ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
Am 26.03.2013 um 04:35 schrieb kd6...@yahoo.com: > If it were to be limited to servers under one's control and enforced as > such, the routine would have to obtain the recipient's MX-RRset internally > and test all higher priority MTAs; thus it would not need the remote host > address parameter. It would determine which host in the MX-RRset it is > running on based on the macro variables passed in via the milter interface. That would exclude a lot of useful and legitimate applications. Hint: Not every mail server has an MX RR pointing to it. ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Mon, 25 Mar 2013, kd6...@yahoo.com wrote: 2) md_check_against_smtp_server is intended to be used against servers you control. If you want to blacklist your own MIMEDefang relay... That may have been your intent for adding the function, but it can easily be abused to perform callbacks to random servers, especially when well, there is Net::SMTP, which can be abused, too, the same way. However, pointing out the intention puts the burden of abuse that code onto the user. used to test the sender's address for validity as a return address. If it were to be limited to servers under one's control and enforced as such, the routine would have to obtain the recipient's MX-RRset internally and test all higher priority MTAs; thus it would not need the remote host address parameter. It would determine which host in the MX-RRset it is running on based on the macro variables passed in via the milter interface. I don't agree, using the MX is necessary for external addresses, but for internal ones, esp. if the server does not relay many domains, which are managed by others, one usually knows the correct _internal_ maildrop host, which has probably no MX at all. At least one saves the DNS requests. The use of MX records would make it much more easier to use the function for external addresses. Actually, the man page could stress the fact more, that external hosts will not like using the function against them maybe blacklist the server, because this is considered address harvesting. Regards, - -- Steffen Kaiser -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) iQEVAwUBUVFTn58mjdm1m0FfAQLgWAf/fWYrtmFoj7armpAry8prZLRtkipFfMFM t57TiSuAgFIuX3M/HV8IIfs/pf929nf9u27efiy792uFqYmwqKRZrRxVCo96pesi VS7qZC+UzSClWKsi7EQ6RUqTzg1Mj27pjqCxaUmjOn3bMdOJjeGx0YlQuJcd9BOC pb49mdgo3s/u2bnEOMuYDRhSZpdwOU0vBFrzaQxcvdiDfIDrF+dlXJpmAlRoOn/d VKDPTka3ub+nSulb+T4C2VYYe1rpIMivcU2dgG4typHEFB+Uu+VEsPvEO6zuQp1F 7jxeRdDisQg6iP4R/O8YiqM9sjrE9QsFK8LZisrpr8vkf4nfe+zgOg== =jD3F -END PGP SIGNATURE-___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
Am 26.03.2013 05:25, schrieb James Curtis: > From what I have read of the documentation (man mimedefang-filter, Rejecting > Unknown Users Early section), the md_check_against_smtp_server is meant to > verify that the email address someone is sending to actually exists on the > server they are trying to send to (through the filter server that is running > mimedefang). To the best of my knowledge it doesn't check the sender to make > sure that the sender exists on the domain that the sending email address. md_check_against_smtp_server is a generic function for testing whether a given mail server will accept a given mail address. If you pass it the recipient address and destination server, it will test that the destination server is prepared to accept mail for that recipient address. This is the intended use. But you can just as well pass it the sender address and sending server, and it will dutifully check whether the sending server would accept mail to the sender address, no matter how inadvisable such a test would be. > FILTERING BY RECIPIENT >You can define a function called filter_recipient in your filter. > This lets you reject messages to certain recipients, rather than waiting > until the whole message >has been sent. Note that for this check to take place, you must use > the -t flag with mimedefang. >> > Can someone verify that modifying the /etc/rc.d/init.d/mimedefang script > daemon $PROGDIR/$prog-multiplexor -p > /var/spool/MIMEDefang/$prog-multiplexor.pid -t \ > OR > daemon $PROGDIR/$prog-multiplexor -t -p > /var/spool/MIMEDefang/$prog-multiplexor.pid \ > OR > am I misunderstanding what it means to run it with the -t option. Normally you shouldn't need to modify the init script directly. Most versions read a configuration file where you can adjust common settings such as this. The location of that configuration file varies for operating systems (you don't seem to have mentioned yours yet) and, in the case of Linux, distributions. In my case (CentOS) the configuration file is /etc/sysconfig/mimedefang, containing, among others, these lines: # If "yes", turn on the multiplexor recipient checking function MX_RECIPIENT_CHECK=yes HTH T. -- Tilman Schmidt Phoenix Software GmbH Bonn, Germany signature.asc Description: OpenPGP digital signature ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
Date: Tue, 26 Mar 2013 10:21:42 From: t.schmidt >In my case (CentOS) the configuration file is >/etc/sysconfig/mimedefang, containing, among others, these lines: > ># If "yes", turn on the multiplexor recipient checking function >MX_RECIPIENT_CHECK=yes I do use CentOS and I have modified the line as suggested. Now my MIMEDefang server is blocking unknown recipients. Thanks everyone for getting me to this point. Now just one more thing. I want to md_graphdefang_log if it is an unknown user. Here is what I have put together based on the other entries in this post. I'm sure I'm missing something because it doesn't work. Please advise for this last piece of the puzzle. Obviously I wouldn't log all valid, its for testing purposes, what am I missing? --code sub filter_recipient { my ($retval, $code, $dsn, $text) = md_check_against_smtp_server($sender, $recip, "localhost", "192.168.1.10"); # my($recip, $sender, $ip, $host, $first, $helo, $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_; # return md_check_against_smtp_server($sender, $recip, "mail.hml.com", "192.168.1.10"); if ($retval eq "Reject") { md_graphdefang_log('notauser', $recip, $sender); }else{ md_graphdefang_log('valid', $retval, $code); } } --code--- Thanks everyone for the help so far -Bill ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
> From: jameswcurtis Date: Tue, 26 Mar 2013 06:23:30 -0400 > >In my case (CentOS) the configuration file is > >/etc/sysconfig/mimedefang, containing, among others, these lines: > > > ># If "yes", turn on the multiplexor recipient checking function > >MX_RECIPIENT_CHECK=yes > I do use CentOS and I have modified the line as suggested. Now my MIMEDefang > server is blocking unknown recipients. > Thanks everyone for getting me to this point. > Now just one more thing. I want to md_graphdefang_log if it is an unknown > user. Here is what I have put together > based on the other entries in this post. I'm sure I'm missing something > because it doesn't work. Please advise for this > last piece of the puzzle. Obviously I wouldn't log all valid, its for testing > purposes, what am I missing? > --code > sub filter_recipient > { > my ($retval, $code, $dsn, $text) = md_check_against_smtp_server($sender, > $recip, "localhost", "192.168.1.10"); > # my($recip, $sender, $ip, $host, $first, $helo, $rcpt_mailer, $rcpt_host, > $rcpt_addr) = @_; > # return md_check_against_smtp_server($sender, $recip, "mail.hml.com", > "192.168.1.10"); > if ($retval eq "Reject") { > md_graphdefang_log('notauser', $recip, $sender); > }else{ > md_graphdefang_log('valid', $retval, $code); > } > } > --code--- Actually the code above blocks all email with a 5.7.1 ? response, but I think you can see what I want to accomplish. -Bill ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
Am 26.03.2013 11:23, schrieb James Curtis: > Now just one more thing. I want to md_graphdefang_log if it is an unknown > user. Here is what I have put together > based on the other entries in this post. I'm sure I'm missing something > because it doesn't work. Please advise for this > last piece of the puzzle. Obviously I wouldn't log all valid, its for > testing purposes, what am I missing? > --code > sub filter_recipient > { > my ($retval, $code, $dsn, $text) = md_check_against_smtp_server($sender, > $recip, "localhost", "192.168.1.10"); > # my($recip, $sender, $ip, $host, $first, $helo, $rcpt_mailer, > $rcpt_host, $rcpt_addr) = @_; This line is needed and should be the very first line of the subroutine. Don't comment it out, and don't insert anything before it. Just change the "return" in the line below into "my ($retval, $code, $dsn, $text) = ". > # return md_check_against_smtp_server($sender, $recip, "mail.hml.com", > "192.168.1.10"); > if ($retval eq "Reject") { According to the manpage $retval will be "REJECT", not "Reject" in the reject case, so you should compare against the string in all capitals. > md_graphdefang_log('notauser', $recip, $sender); > }else{ > md_graphdefang_log('valid', $retval, $code); > } Here you are missing a return statement to pass the result of md_check_against_smtp_server to the caller of filter_recipient. Ie. insert return ($retval, $code); before the closing brace. > } > --code--- HTH T. -- Tilman Schmidt Phoenix Software GmbH Bonn, Germany signature.asc Description: OpenPGP digital signature ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
Am 25.03.2013 23:08, schrieb Kees Theunissen: > On Mon, 25 Mar 2013, David F. Skoll wrote: >> >> my ($retval, $code, $dsn, $text) = md_check_against_smtp_server($sender, >> $recip, "localhost", "192.168.1.10"); > > Shouldn't that be: > my ($retval, $text, $code, $dsn) = md_check_against_smtp_server($sender, > $recip, "localhost", "192.168.1.10"); Why four variables? My man mimedefang-filter says: The return value is always a two-element array. If the RCPT TO: command succeeds, the return value is ("CONTINUE", "OK"). If the RCPT fails with a permanent failure, the return value is ("REJECT", $msg), where $msg is the message from the SMTP server. Any temporary failures, connec- tion errors, etc. result in a return value of ("TEMPFAIL", $msg). -- Tilman Schmidt Phoenix Software GmbH Bonn, Germany signature.asc Description: OpenPGP digital signature ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
--- On Tue, 3/26/13, Steffen Kaiser wrote: > I wrote: > > used to test the sender's address for validity as a > return address. If it were to be limited to servers > under one's control and enforced as such, the routine would > have to obtain the recipient's MX-RRset internally and test > all higher priority MTAs; thus it would not need the remote > host address parameter. It would determine which host > in the MX-RRset it is running on based on the macro > variables passed in via the milter interface. > > I don't agree, using the MX is necessary for external > addresses, but for internal ones, esp. if the server does > not relay many domains, which are managed by others, one > usually knows the correct _internal_ maildrop host, which > has probably no MX at all. At least one saves the DNS > requests. You may not agree but that is what the function is for per the author. I agree that there are better ways (e.g. LDAP database) to do this than to fake an SMTP transaction, aborting just before the DATA phase. When I first saw this function years ago, I thought that its purpose was to make callbacks to the sender's mailbox to test reverse deliverability, not to exclusively test the primary MX's acceptability of the message from a secondary. ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
--- On Tue, 3/26/13, Tilman Schmidt wrote: > Am 26.03.2013 um 04:35 schrieb kd6...@yahoo.com: > > If it were to be limited to servers under one's > control and enforced as such, the routine would have to > obtain the recipient's MX-RRset internally and test all > higher priority MTAs; thus it would not need the remote host > address parameter. It would determine which host in > the MX-RRset it is running on based on the macro variables > passed in via the milter interface. > > That would exclude a lot of useful and legitimate > applications. Hint: Not every mail server has an MX RR > pointing to it. 1) I don't consider sender callbacks useful. Such is abuse. 2) If this is to be used by secondary MXs to test the primary, there will be MX records present in the DNS for that domain/hostname label. In the case where there is a single incoming mail server (thus no MX record and the address record(s) are used to contact the host directly), just what other server would be tested? 3) Forwarding services shouldn't be randomly probing the ultimate destinations. They should simply attempt to deliver directly. Without entering the data phase, there's no guarantee that the message would be delivered (cf. content spam filters), and thus a bounce DSN (not SMTP rejection) would be generated anyway. Where there are multiple forwarders in a chain and they all attempt to test, one may get timeouts at the first forwarder before others further down the line respond back to their predecessors, thus not yielding a useful conclusion (i.e. tempfails). ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
On Tue, 26 Mar 2013 11:33:33 -0700 (PDT) kd6...@yahoo.com wrote: > 3) Forwarding services shouldn't be randomly probing the ultimate > destinations. I disagree strongly (assuming we remove the noise word "randomly") Attempting to deliver to nonexistent recipients is by far the most common cause of backscatter, and doing an SMTP call-forward on the ultimate destination is a simple and cheap way to avoid this. Your point about post-DATA rejection is valid, but this makes up a very small percentage of backscatter. -- David. ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
--- On Tue, 3/26/13, James Curtis wrote: > sub filter_recipient > { > my ($retval, $code, $dsn, $text) = > md_check_against_smtp_server($sender, $recip, "localhost", "192.168.1.10"); > # my($recip, $sender, $ip, $host, $first, $helo, $rcpt_mailer, > $rcpt_host, $rcpt_addr) = @_; > # return > md_check_against_smtp_server($sender, $recip, "mail.hml.com", "192.168.1.10"); > if ($retval eq "Reject") { > md_graphdefang_log('notauser', $recip, $sender); > }else{ > md_graphdefang_log('valid', $retval, $code); > } > } How does that prove that the rejection was for the unknown recipient mailbox? One needs to inspect the actual rejection code to determine this; not merely that a rejection occurred. The sending address could have been blacklisted. Extended codes: 5.1.1 - No such destination mailbox. 5.1.3 - Bad destination mailbox syntax (should have been checked by the current relay MTA but wasn't) 5.1.4 - Destination mailbox ambiguous (matches multiple possibilities) 5.2.1 - Destination mailbox (valid but) disabled 5.2.2 - Destination mailbox full (also may be tempfailed) 5.2.3 - Message too big (if the SIZE parameter is used with MAIL FROM) 5.3.1 - Mail system full (usually disk storage full) 5.3.4 - Message too big (systemwide limit, as opposed to a per user limit) and these which have nothing to do with the recipient: 5.1.7 - Bad sending mailbox syntax 5.1.8 - Bad sending mailbox's system address 5.7.1 - Spam or other similar refusal (mailboxes otherwise valid) etc Only the first two indicate a "no valid user," but all of these (and probably others) can occur during such a test. Can you 100% guarantee that these other error reasons will never occur between your primary and secondaries? I don't think so ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
On Tue, Mar 26, 2013 at 1:20 PM, wrote: > > You may not agree but that is what the function is for per the author. > I agree that there are better ways (e.g. LDAP database) to do this than to > fake an SMTP transaction, aborting just before the DATA phase. When I first > saw this function years ago, I thought that its purpose was to make callbacks > to the sender's mailbox to test reverse deliverability, not to exclusively > test the primary MX's acceptability of the message from a secondary. It's not necessarily between a primary and secondary with public MX's. I found it very useful when the public MX's for a domain do not host the actual users but instead relay through a private firewall to a hidden internal delivery host. However the inbound spam rate eventually made it impractical - and I started maintaining virtusers tables with a default reject rule on the MX hosts that sendmail can process very quickly. -- Les Mikesell lesmikes...@gmail.com ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
--- On Tue, 3/26/13, David F. Skoll wrote: > Attempting to deliver to nonexistent recipients is by far the most > common cause of backscatter, and doing an SMTP call-forward on the > ultimate destination is a simple and cheap way to avoid this. Point noted, but your response seems to assume (or at least I infer) that no other measures to prevent backscatter are implemented. At the point that this remote check can be performed, one has already passed the point where an SPF check (and other similar methods) has occurred (or can), and if failed, has probably been rejected during the SMTP transaction thus meaning that this remote check will not be performed. In my opinion, a message with other than an SPF fail is a candidate for a DSN, although I always reject during the SMTP transaction when possible. If a domain or hostname manager has not chosen to protect his message source with SPF, that's his problem - because he's effectively saying that he doesn't care about receiving backscatter (or with SPF softfail, wants it), or is too ignorant on how to properly run a mail server and needs a lesson. I note that DKIM, PGP, and other message validators aren't available at this point. Those require entering the DATA phase. ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
Am Di, 26.03.2013, 19:33, kd6...@yahoo.com schrieb: > On Tue, 3/26/13, Tilman Schmidt wrote: >> Am 26.03.2013 um 04:35 schrieb kd6...@yahoo.com: >> > If it were to be limited to servers under one's >> control and enforced as such, the routine would have to >> obtain the recipient's MX-RRset internally and test all >> higher priority MTAs; thus it would not need the remote host >> address parameter. It would determine which host in >> the MX-RRset it is running on based on the macro variables >> passed in via the milter interface. >> >> That would exclude a lot of useful and legitimate >> applications. Hint: Not every mail server has an MX RR >> pointing to it. > > 1) I don't consider sender callbacks useful. Nor do I. That's not what I was talking about. > 2) If this is to be used by secondary MXs to test the primary, there will > be MX records present in the DNS for that domain/hostname label. Neither is this. > 3) Forwarding services shouldn't be randomly probing the ultimate > destinations. I agree. Such things should be done systematically, not randomly. :-) Alright, I'll spell it out for you. Here's the scenario: - You have a so-called groupware server on your internal network, let's say Microsoft Exchange or Lotus Notes. - Quite sensibly you do not want to expose the SMTP port of that server directly to the Internet. - So you put a *nix relay server in your DMZ which accepts mail from the outside and forwards it to your groupware server. - The internal server does not appear in the public DNS at all. - The relay server has a mailertable entry pointing to the groupware server. - The relay server runs MIMEdefang to do all sorts of checks on incoming mail before accepting responsibility for forwarding it. - One of these checks should be whether the recipient address actually exists. - The easiest and most reliable way for that is to ask the groupware server. - The easiest way for that is SMTP call-ahead aka md_check_against_smtp_server. Now I'm sure you'll find a nit to pick with that approach, but to me it's quite sensible and time proven, and it would not work if md_check_against_smtp_server insisted in checking only against servers with published MX RRs. ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
On Tue, 26 Mar 2013 13:45:31 -0700 (PDT) kd6...@yahoo.com wrote: > --- On Tue, 3/26/13, David F. Skoll wrote: > > Attempting to deliver to nonexistent recipients is by far the most > > common cause of backscatter, and doing an SMTP call-forward on the > > ultimate destination is a simple and cheap way to avoid this. > Point noted, but your response seems to assume (or at least I infer) > that no other measures to prevent backscatter are implemented. At > the point that this remote check can be performed, one has already > passed the point where an SPF check (and other similar methods) has > occurred (or can), and if failed, has probably been rejected during > the SMTP transaction thus meaning that this remote check will not be > performed. SPF is completely useless in the following sense: Rejecting mail because of SPF "fail" will absolutely cause valid mail to be rejected. You (and I) may say "Tough luck for domains that publish broken SPF records", but for some reason our customers don't see it that way. Because it is not practical to reject messages because of SPF fail, you have no choice but to guard against backscatter. And while an LDAP or other form of directory lookup is the superior approach, real-world constraints often limit you to using an SMTP call-forward. > In my opinion, a message with other than an SPF fail is a candidate > for a DSN, although I always reject during the SMTP transaction when > possible. If a domain or hostname manager has not chosen to protect > his message source with SPF, that's his problem - because he's > effectively saying that he doesn't care about receiving backscatter > (or with SPF softfail, wants it), or is too ignorant on how to > properly run a mail server and needs a lesson. That may well be your opinion, but that's because you don't have paying customers who rely on you to relay their mail. It's very easy to be cavalier with your own email; not so easy with tens of thousands of end-users. Regards, David. ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
Am Di, 26.03.2013, 19:33, kd6...@yahoo.com schrieb: > On Tue, 3/26/13, Tilman Schmidt wrote: >> Am 26.03.2013 um 04:35 schrieb kd6...@yahoo.com: >>> If it were to be limited to servers under one's >> control and enforced as such, the routine would have to >> obtain the recipient's MX-RRset internally and test all >> higher priority MTAs; thus it would not need the remote host >> address parameter. It would determine which host in >> the MX-RRset it is running on based on the macro variables >> passed in via the milter interface. >> >> That would exclude a lot of useful and legitimate >> applications. Hint: Not every mail server has an MX RR >> pointing to it. > > 1) I don't consider sender callbacks useful. Nor do I. That's not what I was talking about. > 2) If this is to be used by secondary MXs to test the primary, there will > be MX records present in the DNS for that domain/hostname label. Neither is this. > 3) Forwarding services shouldn't be randomly probing the ultimate > destinations. I agree. Such things should be done systematically, not randomly. :-) Alright, I'll spell it out for you. Here's the scenario: - You have a so-called groupware server on your internal network, let's say Microsoft Exchange or Lotus Notes. - Quite sensibly you do not want to expose the SMTP port of that server directly to the Internet. - So you put a *nix relay server in your DMZ which accepts mail from the outside and forwards it to your groupware server. - The internal server does not appear in the public DNS at all. - The relay server has a mailertable entry pointing to the groupware server. - The relay server runs MIMEdefang to do all sorts of checks on incoming mail before accepting responsibility for forwarding it. - One of these checks should be whether the recipient address actually exists. - The easiest and most reliable way for that is to ask the groupware server. - The easiest way for that is SMTP call-ahead aka md_check_against_smtp_server. Now I'm sure you'll find a nit to pick with that approach, but to me it's quite sensible and time proven, and it would not work if md_check_against_smtp_server insisted in checking only against servers with published MX RRs. ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
--- On Tue, 3/26/13, t...@phoenixsoftware.de wrote: > ... > - The easiest way for that is SMTP call-ahead aka > md_check_against_smtp_server. A much better way is to access the user database directly. That's what LDAP is for, but it can be done with other database types too. With properly set up LDAP servers, one may even choose to make a subset of the information available to sending servers so they can check before even attempting to connect to yours. SQL-based servers could also be used, but they're much less common and not as standardized. Several MTA programs (e.g. sendmail) have had LDAP query ability built in for more than a decade. Technically within SMTP, the proper way for a secondary to check with a primary for valid users would not be by faking a mail transaction but by using the VRFY or EXPN commands (which may be restricted to only the secondaries to prevent outside abuse). VRFY is simpler - it returns a validity indicator. EXPN will tell the querying server if it will be forwarded again (in which case it could substitute the recipient address with the one returned by the query and if going off-site, completely bypass the need to send it to the primary in the first place). ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
--- On Tue, 3/26/13, David F. Skoll wrote: > ... [snipped] > > SPF is completely useless in the following sense: Rejecting mail because > of SPF "fail" will absolutely cause valid mail to be rejected. You (and I) > may say "Tough luck for domains that publish broken SPF records", but for > some reason our customers don't see it that way. Broken SPF records do not generate a "fail" response. They generate an "error" response (one of two types). Either way, you seem to be saying that LEGITIMATE errors should not be sent back, and I must disagree with such. Only DSN errors from spoofing should be suppressed. I do say "tough luck" for otherwise valid mail rejected by an SPF fail. If the administrator tells my server that the mail is not authorized (when it actually is valid), how is that my server's problem? My server was told the mail is bogus so it was refused. Not my problem. > Because it is not practical to reject messages because of SPF fail, I regularly reject SPF failure messages directly at the SMTP "MAIL FROM" stage. Per my own logs, it was clear that all such attempts were clearly spoofed mail (e.g. country of origin didn't match location of domain used, etc.,...). > you have no choice but to guard against backscatter. And while an > LDAP or other form of directory lookup is the superior approach, > real-world constraints often limit you to using an SMTP call-forward. As I deny all mail that fails security checks (SPF, DKIM, PGP, virus, spam, etc.) during the SMTP transaction, I guard against backscatter just fine by never accepting responsibility for the bad mail in the first place via rejection during SMTP. > > In my opinion, a message with other than an SPF fail is a candidate > > for a DSN, although I always reject during the SMTP transaction when > > possible. If a domain or hostname manager has not chosen to protect > > his message source with SPF, that's his problem - because he's > > effectively saying that he doesn't care about receiving backscatter > > (or with SPF softfail, wants it), or is too ignorant on how to > > properly run a mail server and needs a lesson. > > That may well be your opinion, but that's because you don't have > paying customers who rely on you to relay their mail. It's very easy > to be cavalier with your own email; not so easy with tens of thousands > of end-users. I pay for my own mail by use of the bandwidth I pay for, and I have users other than just me in my domains. They don't participate here. "Being liberal in what one accepts" means getting spammed. I find that legitimate mail generally follows all the rules and formats and gets through just fine. A standard is an ENFORCED set of specifications and if I choose to enforce it more tightly than others, too bad for them when they don't comply. ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
Am 26.03.2013 19:53, schrieb kd6...@yahoo.com: > Extended codes: > 5.1.1 - No such destination mailbox. > 5.1.3 - Bad destination mailbox syntax (should have been checked by the > current relay MTA but wasn't) > 5.1.4 - Destination mailbox ambiguous (matches multiple possibilities) > 5.2.1 - Destination mailbox (valid but) disabled > 5.2.2 - Destination mailbox full (also may be tempfailed) > 5.2.3 - Message too big (if the SIZE parameter is used with MAIL FROM) > 5.3.1 - Mail system full (usually disk storage full) > 5.3.4 - Message too big (systemwide limit, as opposed to a per user limit) > > and these which have nothing to do with the recipient: > 5.1.7 - Bad sending mailbox syntax > 5.1.8 - Bad sending mailbox's system address > 5.7.1 - Spam or other similar refusal (mailboxes otherwise valid) > etc > > Only the first two indicate a "no valid user," but all of these (and probably > others) can occur during such a test. Can you 100% guarantee that these > other error reasons will never occur between your primary and secondaries? I > don't think so Welcome to real life, where there are no 100% guarantees, ever. In fact, there isn't even a 100% guarantee that a mailserver will return an extended code at all, let alone one that correspond to the actual reason for the rejection. signature.asc Description: OpenPGP digital signature ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
Am 26.03.2013 23:24, schrieb kd6...@yahoo.com: > --- On Tue, 3/26/13, t...@phoenixsoftware.de wrote: >> ... >> - The easiest way for that is SMTP call-ahead aka >> md_check_against_smtp_server. > > A much better way is to access the user database directly. That's what LDAP > is for, but it can be done with other database types too. Sure, in a perfect world that would be the way to go. Unfortunately, real life tends to get into the way of such theoretically better solutions. You did notice my mentioning of the 'M' and 'N' words, I trust? ("Microsoft" and "Notes", that is.) > With properly set up LDAP servers, one may even choose to make a subset of > the information available to sending servers so they can check before even > attempting to connect to yours. I'll try to remember your advice should I ever come across a properly set up LDAP server. > Several MTA programs (e.g. sendmail) have had LDAP query ability built in for > more than a decade. Ever tried to make that work against a Microsoft Exchange or Lotus Notes server? I did, and ruefully returned to SMTP call-ahead. > Technically within SMTP, the proper way for a secondary to check with a > primary for valid users would not be by faking a mail transaction but by > using the VRFY or EXPN commands Technically, yes. But again, reality gets in the way of technically proper solutions and forces you to make do with actually working ones instead. signature.asc Description: OpenPGP digital signature ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
--- On Tue, 3/26/13, Tilman Schmidt wrote: > ... > In fact, there isn't even a 100% guarantee that a mailserver > will return an extended code at all, let alone one that > correspond to the actual reason for the rejection. Exactly. So how does the OP conclude that the error was "no such user" as the recipient when in truth, he doesn't know? Big problem. ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
So I'm still trying to get md_check_against_smtp_server working with md_graphdefang_log. = I made the modification to /etc/sysconfig/mimedefang (still not sure why this is referred to as 'running with the -t option') MX_RECIPIENT_CHECK=yes = I made the following additions to /etc/mail/mimedefang-filter (after filter_begin subrouting completes, before filter) -Code sub filter_recipient { my($recip, $sender, $ip, $host, $first, $helo, $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_; return md_check_against_smtp_server($sender, $recip, "localhost", "192.168.1.10"); } Code- I now get the following response before the data phase that rejects the user! 550 5.1.1 t...@testdomain.com... User unknown - Yea! It's working I am trying to get a log entry for all emails that are getting rejected because managers like metrics. I tried changing the code as suggested below: --Code- sub filter_recipient { my ($retval, $code, $dsn, $text) = md_check_against_smtp_server($sender, $recip, "localhost", "192.168.1.10"); # if ($retval eq "Reject") { # md_graphdefang_log('notauser', $recip, $sender); # return action_discard #} #else{ # md_graphdefang_log('valid', $retval, $code); # } } -Code-- Having tried with the remarked statement and having it fail, I remarked it back to just ther ecommended line and it still fails all email address', whether valid or not valid with this response: 501 5.5.4 Invalid Address Thaks for all the info, the pros and cons. Most of them I knew, I'll probably be looking for info on how to get MIMEDefang to work with SPF later. -Bill ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
On Tue, 26 Mar 2013 15:24:17 -0700 (PDT) kd6...@yahoo.com wrote: > --- On Tue, 3/26/13, t...@phoenixsoftware.de > > - The easiest way for that is SMTP call-ahead aka > > md_check_against_smtp_server. > A much better way is to access the user database directly. Yes, but that may not be possible for policy reasons. Our spam-filtering service filters mail for a number of clients who (obviously) are willing to open up TCP/25 for us, but are far more reluctant to expose their LDAP directory to us. [...] > Technically within SMTP, the proper way for a secondary to check with > a primary for valid users would not be by faking a mail transaction > but by using the VRFY or EXPN commands (which may be restricted to > only the secondaries to prevent outside abuse). Almost all SMTP servers are configured not to support VRFY or EXPN. Regards, David. ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
On Tue, 26 Mar 2013 15:42:42 -0700 (PDT) kd6...@yahoo.com wrote: > > SPF is completely useless in the following sense: Rejecting mail > > because of SPF "fail" will absolutely cause valid mail to be > > rejected. You (and I) may say "Tough luck for domains that publish > > broken SPF records", but for some reason our customers don't see it > > that way. > Broken SPF records do not generate a "fail" response. You misunderstand. I mean that an SPF record is "broken" if it specifies "fail" for a valid sending host. > I do say "tough luck" for otherwise valid mail rejected by an SPF > fail. You do not have to explain yourself to tens of thousands of customers, correct? In our anti-spam software and service, we recently implemented a policy decision that ignores sender and domain whitelists on SPF "fail" or "softfail". We've had endless complaints about this! We're not even blocking such mail; we're just *not* allowing it to be whitelisted, and still people complained. (So we made it possible to turn off the policy.) [...] > I pay for my own mail by use of the bandwidth I pay for, and I have > users other than just me in my domains. Do they pay you to provide service? In principle, I agree with your approach, but it's doomed to failure in the real world. The real world is a mess and sticking to strict, pristine principles of email delivery quickly means you'll have no paying customers. Regards, David. ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
On Tue, Mar 26, 2013 at 9:02 PM, David F. Skoll wrote: > > Do they pay you to provide service? In principle, I agree with your > approach, but it's doomed to failure in the real world. The real > world is a mess and sticking to strict, pristine principles of email > delivery quickly means you'll have no paying customers. Besides which, real spammers are much more likely to take the trouble to set up SPF properly than an ordinary person who just wants to send you a message that you'd want to see. -- Les Mikesell lesmikes...@gmail.com ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
Am 27.03.2013 01:43, schrieb James Curtis: > I made the modification to /etc/sysconfig/mimedefang (still not sure why this > is referred to as 'running with the -t option') > MX_RECIPIENT_CHECK=yes That sysconfig setting tells the init script to start MIMEdefang with the -t option. "Running with the -t option" is low-level speak, "running with MX_RECIPIENT_CHECK enabled" would be the corresponding high-level expression. > -Code > sub filter_recipient > { > my($recip, $sender, $ip, $host, $first, $helo, $rcpt_mailer, $rcpt_host, > $rcpt_addr) = @_; > return md_check_against_smtp_server($sender, $recip, "localhost", > "192.168.1.10"); > } > Code- > > I now get the following response before the data phase that rejects the user! > 550 5.1.1 t...@testdomain.com... User unknown > - > Yea! It's working Good. > I tried changing the code as suggested below: > --Code- > sub filter_recipient > { > my ($retval, $code, $dsn, $text) = md_check_against_smtp_server($sender, > $recip, "localhost", "192.168.1.10"); > # if ($retval eq "Reject") { > # md_graphdefang_log('notauser', $recip, $sender); > # return action_discard > #} > #else{ > # md_graphdefang_log('valid', $retval, $code); > # } > } > -Code-- I told you not to remove the first line my($recip, $sender, ...) = @_; Without that line, the $sender and $recip variables will not be set, so your md_check_against_smtp_server call will try to check an empty address. I also told you to compare $retval to "REJECT" in all capitals in your if statement because that's what md_check_against_smtp_server will return. As it stands, the comparison will never be true so the else branch will always be run. And finally I told you to insert a return statement before the closing brace. The code above will return an empty result, which the caller doesn't expect. Btw, "return action_discard" is not appropriate in filter_recipient either. It should be something like "return('REJECT', 'You lose!');". > Having tried with the remarked statement and having it fail, I remarked it > back to just ther ecommended line and it still fails all email address', > whether valid or not valid with this response: > 501 5.5.4 Invalid Address And quite rightly so. The empty address is indeed invalid as a recipient. :-) In sum, try something like this: (Sorry for the line wraps.) -Code sub filter_recipient { my($recip, $sender, $ip, $host, $first, $helo, $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_; my($retval, $code, $dsn, $text) = md_check_against_smtp_server($sender, $recip, "localhost", "192.168.1.10"); if ($retval eq "REJECT") { md_graphdefang_log('notauser', $recip, $sender); return ('REJECT', 'go away'); } else { md_graphdefang_log('valid', $retval, $code); return ('CONTINUE', 'ok'); } } Code- HTH T. -- Tilman Schmidt Phoenix Software GmbH Bonn, Germany signature.asc Description: OpenPGP digital signature ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
>Date: Wed, 27 Mar 2013 12:19:30 schm...@phoenixsoftware.de >I told you not to remove the first line >my($recip, $sender, ...) = @_; >Without that line, the $sender and $recip variables will not be set, >so your md_check_against_smtp_server call will try to check an empty >address. >I also told you to compare $retval to "REJECT" in all capitals in >your if statement because that's what md_check_against_smtp_server >will return. As it stands, the comparison will never be true so >the else branch will always be run. >And finally I told you to insert a return statement before the >closing brace. The code above will return an empty result, which >the caller doesn't expect. >Btw, "return action_discard" is not appropriate in filter_recipient >either. It should be something like "return('REJECT', 'You lose!');". >> Having tried with the remarked statement and having it fail, I remarked it >> back to just ther >ecommended line and it still fails all email address', >> whether valid or not valid with this response: >> 501 5.5.4 Invalid Address >And quite rightly so. The empty address is indeed invalid as a >recipient. :-) >In sum, try something like this: (Sorry for the line wraps.) >-Code >sub filter_recipient >{ (redacted for brevity) ... >} >} >Code- Thanks for the thorough explanation. I had spent some time looking at the mimedefang.pl script (specifically the interaction between md_check_against_smtp_server and watching how it calls get_smtp_return_code) and I was getting close. . I put in the code as you provided, but it still doesn't log anything (either valid or notauser) into the md_graphdefang_log. However I did find this in my /var/log/maillog Mar 27 09:59:40 monitor mimedefang.pl[23405]: md_graphdefang_log called outside of message context -Bill ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
On 3/27/2013 10:05 AM, James Curtis wrote: > However I did find this in my /var/log/maillog > Mar 27 09:59:40 monitor mimedefang.pl[23405]: md_graphdefang_log called > outside of message context # man mimedefang-filter [...] md_graphdefang_log($event, $v1, $v2) [...] Note that md_graphdefang_log should not be used in filter_relay, filter_sender or filter_recipient. The global variables it relies on are not valid in that context. [...] I work around this in my filters by making a my_graphdefang_log() that doesn't access the variables that aren't yet defined in the above contexts. ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
27 Mar 2013 10:59:45 -0400 -mattg > Note that md_graphdefang_log should not be used in filter_relay, > filter_sender or filter_recipient. The global variables it relies > on are not valid in that context. > [...] This has been a very long thread to say, "You can't get there from here" :-) > > I work around this in my filters by making a my_graphdefang_log() that > doesn't access the variables that aren't yet defined in the above contexts. > I am glad that I have been able to get the md_check_against_smtp_server added to remove the backscatter. I am really glad that I've learned some context for Perl (some concepts from BASIC apply, but that's about it). Can't imagine the amount of errors I'll incur when creating a new sub-routine for my_graphdefang_log(), but it will be a fun time. I'm assuming that I start with the code from md_graphdefang_log and remove the variables. Cheers, (can you hear the sound of my O'Reily Perl for Beginners book opening?) Thanks for all the help and consideration during this process from all involved. -Bill Curtis ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
Am 27.03.2013 15:59, schrieb Matt Garretson: > # man mimedefang-filter > [...] >md_graphdefang_log($event, $v1, $v2) > [...] > > Note that md_graphdefang_log should not be used in filter_relay, > filter_sender or filter_recipient. The global variables it relies > on are not valid in that context. > [...] OMG *blush* Although I checked the manpage several times in the course of this thread I never noticed that paragraph. Well, you live and learn. Thanks, Matt, for pointing that out. -- Tilman Schmidt Phoenix Software GmbH Bonn, Germany signature.asc Description: OpenPGP digital signature ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
On Wed, 2013-03-27 at 19:45 +0100, Tilman Schmidt wrote: > Am 27.03.2013 15:59, schrieb Matt Garretson: > > Note that md_graphdefang_log should not be used in filter_relay, > > filter_sender or filter_recipient. The global variables it relies > > on are not valid in that context. > > [...] > > Although I checked the manpage several times in the course of this > thread I never noticed that paragraph. Well, you live and learn. This is a silly restriction that I wish was lifted. Yes, the subject will be blank if you call it earlier, but that's unavoidable. I don't actually use graphdefang, though. So that may be coloring my thinking. In my filter, I have code that does more-or-less the same thing but without this restriction. It works great. -- Richard ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
27 Mar 2013 14:11:08 -0500 > > Although I checked the manpage several times in the course of this > > thread I never noticed that paragraph. Well, you live and learn. > Hindsight is 20/20, I found this thread from 2008, indicating the same issue, and possible resolution. http://lists.roaringpenguin.com/pipermail/mimedefang/2008-September/034277.html Thanks again for all the help. ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
On 3/27/2013 12:41 PM, James Curtis wrote: > Can't imagine the amount of errors I'll incur when creating a new > sub-routine for my_graphdefang_log(), but it will be a fun time. I'm > assuming that I start with the code from md_graphdefang_log and > remove the variables. Precisely. I'd suggest adding the new function to your filter instead of modifying mimedefang.pl . Also, note this excerpt from the mimedefang.pl man page: TESTING FILTERS You are strongly recommended to test your filter before installing it in /etc/mail/mimedefang-filter. To test the filter, save it in a file (e.g. test-filter) and run this command: mimedefang.pl -f test-filter -test This tests the filter for syntactic correctness. If it passes, you can install it as a production filter. (Note that the test tests only for correct Perl syntax; it doesn’t make sure your filter does something sensible.) As a simple example, you could start with something like this, which is basically a stripped-down md_graphdefang_log(): sub my_graphdefang_log($;$$) { return unless defined($GraphDefangSyslogFacility); my $event = shift; my $value1 = shift; my $value2 = shift; $value1 = "" unless defined($value1); $value2 = "" unless defined($value2); # Make values safe for graphdefang $event = percent_encode_for_graphdefang($event); $value1 = percent_encode_for_graphdefang($value1); $value2 = percent_encode_for_graphdefang($value2); md_syslog("$GraphDefangSyslogFacility|info","MYLOG,_NOMSGID_," . "$event,$value1,$value2,_NOSENDER_,_NORECIP_,_NOSUBJ_"); } That should work from filter_relay() onwards. It's up to you what you want to log, as long as you don't try to access any variables that are not defined in the current state of the milter. ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang