Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
On 25.03.2013 19:51, David F. Skoll wrote:

> my ($retval, $code, $dsn, $text) = md_check_against_smtp_server($sender, $recip, "localhost", "192.168.1.10");

Why four result elements? The manpage says md_check_against_smtp_server returns only two.

Thanks,
Tilman

___
NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it.
Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
On Wed, 03 Apr 2013 19:26:08 +0200 Tilman Schmidt t.schm...@phoenixsoftware.de wrote:

> Why four result elements? The manpage says md_check_against_smtp_server returns only two.

Ah... the man page is wrong. I will fix it.

Regards,

David.
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
On 27.03.2013 01:43, James Curtis wrote:

> I made the modification to /etc/sysconfig/mimedefang (still not sure why this is referred to as 'running with the -t option')
>
>     MX_RECIPIENT_CHECK=yes

That sysconfig setting tells the init script to start MIMEDefang with the -t option. "Running with the -t option" is low-level speak, "running with MX_RECIPIENT_CHECK enabled" would be the corresponding high-level expression.

> ---Code---
> sub filter_recipient {
>     my($recip, $sender, $ip, $host, $first, $helo, $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_;
>     return md_check_against_smtp_server($sender, $recip, "localhost", "192.168.1.10");
> }
> ---Code---
>
> I now get the following response before the data phase that rejects the user!
>
>     550 5.1.1 t...@testdomain.com... User unknown
>
> Yea! It's working

Good.

> I tried changing the code as suggested below:
>
> ---Code---
> sub filter_recipient {
>     my ($retval, $code, $dsn, $text) = md_check_against_smtp_server($sender, $recip, "localhost", "192.168.1.10");
>     # if ($retval eq "Reject") {
>     #     md_graphdefang_log('notauser', $recip, $sender);
>     #     return action_discard
>     # }
>     # else {
>     #     md_graphdefang_log('valid', $retval, $code);
>     # }
> }
> ---Code---

I told you not to remove the first line

    my($recip, $sender, ...) = @_;

Without that line, the $sender and $recip variables will not be set, so your md_check_against_smtp_server call will try to check an empty address.

I also told you to compare $retval to "REJECT" in all capitals in your if statement because that's what md_check_against_smtp_server will return. As it stands, the comparison will never be true so the else branch will always be run.

And finally I told you to insert a return statement before the closing brace. The code above will return an empty result, which the caller doesn't expect.

Btw, "return action_discard" is not appropriate in filter_recipient either. It should be something like "return('REJECT', 'You lose!');".

> Having tried with the remarked statement and having it fail, I remarked it back to just the recommended line and it still fails all email addresses, whether valid or not valid, with this response:
>
>     501 5.5.4 Invalid Address

And quite rightly so. The empty address is indeed invalid as a recipient. :-)

In sum, try something like this: (Sorry for the line wraps.)

---Code---
sub filter_recipient {
    my($recip, $sender, $ip, $host, $first, $helo, $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_;
    my($retval, $code, $dsn, $text) = md_check_against_smtp_server($sender, $recip, "localhost", "192.168.1.10");
    if ($retval eq "REJECT") {
        md_graphdefang_log('notauser', $recip, $sender);
        return ('REJECT', 'go away');
    } else {
        md_graphdefang_log('valid', $retval, $code);
        return ('CONTINUE', 'ok');
    }
}
---Code---

HTH
T.

-- 
Tilman Schmidt
Phoenix Software GmbH
Bonn, Germany
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
> Date: Wed, 27 Mar 2013 12:19:30 schm...@phoenixsoftware.de
>
> I told you not to remove the first line
>
>     my($recip, $sender, ...) = @_;
>
> Without that line, the $sender and $recip variables will not be set, so your md_check_against_smtp_server call will try to check an empty address.
>
> I also told you to compare $retval to "REJECT" in all capitals in your if statement because that's what md_check_against_smtp_server will return. As it stands, the comparison will never be true so the else branch will always be run.
>
> And finally I told you to insert a return statement before the closing brace. The code above will return an empty result, which the caller doesn't expect.
>
> Btw, "return action_discard" is not appropriate in filter_recipient either. It should be something like "return('REJECT', 'You lose!');".
>
>> Having tried with the remarked statement and having it fail, I remarked it back to just the recommended line and it still fails all email addresses, whether valid or not valid, with this response:
>>
>>     501 5.5.4 Invalid Address
>
> And quite rightly so. The empty address is indeed invalid as a recipient. :-)
>
> In sum, try something like this: (Sorry for the line wraps.)
>
> ---Code---
> sub filter_recipient {
>     (redacted for brevity)
>     ...
>     }
> }
> ---Code---

Thanks for the thorough explanation. I had spent some time looking at the mimedefang.pl script (specifically the interaction between md_check_against_smtp_server and watching how it calls get_smtp_return_code) and I was getting close.

I put in the code as you provided, but it still doesn't log anything (either valid or notauser) into the md_graphdefang_log. However I did find this in my /var/log/maillog

    Mar 27 09:59:40 monitor mimedefang.pl[23405]: md_graphdefang_log called outside of message context

-Bill
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
On 3/27/2013 10:05 AM, James Curtis wrote:

> However I did find this in my /var/log/maillog
>
>     Mar 27 09:59:40 monitor mimedefang.pl[23405]: md_graphdefang_log called outside of message context

# man mimedefang-filter
[...]
    md_graphdefang_log($event, $v1, $v2)
[...]
        Note that md_graphdefang_log should not be used in filter_relay, filter_sender or filter_recipient. The global variables it relies on are not valid in that context.
[...]

I work around this in my filters by making a my_graphdefang_log() that doesn't access the variables that aren't yet defined in the above contexts.
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
27 Mar 2013 10:59:45 -0400 -mattg

> Note that md_graphdefang_log should not be used in filter_relay, filter_sender or filter_recipient. The global variables it relies on are not valid in that context.
> [...]

This has been a very long thread to say, "You can't get there from here" :-)

> I work around this in my filters by making a my_graphdefang_log() that doesn't access the variables that aren't yet defined in the above contexts.

I am glad that I have been able to get the md_check_against_smtp_server added to remove the backscatter. I am really glad that I've learned some context for Perl (some concepts from BASIC apply, but that's about it). Can't imagine the amount of errors I'll incur when creating a new sub-routine for my_graphdefang_log(), but it will be a fun time. I'm assuming that I start with the code from md_graphdefang_log and remove the variables.

Cheers, (can you hear the sound of my O'Reilly Perl for Beginners book opening?)

Thanks for all the help and consideration during this process from all involved.

-Bill Curtis
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
On 27.03.2013 15:59, Matt Garretson wrote:

> # man mimedefang-filter
> [...]
>     md_graphdefang_log($event, $v1, $v2)
> [...]
>         Note that md_graphdefang_log should not be used in filter_relay, filter_sender or filter_recipient. The global variables it relies on are not valid in that context.
> [...]

OMG *blush*

Although I checked the manpage several times in the course of this thread I never noticed that paragraph. Well, you live and learn.

Thanks, Matt, for pointing that out.

-- 
Tilman Schmidt
Phoenix Software GmbH
Bonn, Germany
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
On Wed, 2013-03-27 at 19:45 +0100, Tilman Schmidt wrote:

> On 27.03.2013 15:59, Matt Garretson wrote:
>
>> Note that md_graphdefang_log should not be used in filter_relay, filter_sender or filter_recipient. The global variables it relies on are not valid in that context.
>> [...]
>
> Although I checked the manpage several times in the course of this thread I never noticed that paragraph. Well, you live and learn.

This is a silly restriction that I wish was lifted. Yes, the subject will be blank if you call it earlier, but that's unavoidable.

I don't actually use graphdefang, though. So that may be coloring my thinking. In my filter, I have code that does more-or-less the same thing but without this restriction. It works great.

-- 
Richard
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
27 Mar 2013 14:11:08 -0500

> Although I checked the manpage several times in the course of this thread I never noticed that paragraph. Well, you live and learn.

Hindsight is 20/20. I found this thread from 2008, indicating the same issue, and possible resolution.

http://lists.roaringpenguin.com/pipermail/mimedefang/2008-September/034277.html

Thanks again for all the help.
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
On 3/27/2013 12:41 PM, James Curtis wrote:

> Can't imagine the amount of errors I'll incur when creating a new sub-routine for my_graphdefang_log(), but it will be a fun time. I'm assuming that I start with the code from md_graphdefang_log and remove the variables.

Precisely. I'd suggest adding the new function to your filter instead of modifying mimedefang.pl. Also, note this excerpt from the mimedefang.pl man page:

    TESTING FILTERS
        You are strongly recommended to test your filter before installing it in /etc/mail/mimedefang-filter. To test the filter, save it in a file (e.g. test-filter) and run this command:

            mimedefang.pl -f test-filter -test

        This tests the filter for syntactic correctness. If it passes, you can install it as a production filter. (Note that the test tests only for correct Perl syntax; it doesn't make sure your filter does something sensible.)

As a simple example, you could start with something like this, which is basically a stripped-down md_graphdefang_log():

    sub my_graphdefang_log($;$$) {
        return unless defined($GraphDefangSyslogFacility);

        my $event = shift;
        my $value1 = shift;
        my $value2 = shift;

        $value1 = "" unless defined($value1);
        $value2 = "" unless defined($value2);

        # Make values safe for graphdefang
        $event = percent_encode_for_graphdefang($event);
        $value1 = percent_encode_for_graphdefang($value1);
        $value2 = percent_encode_for_graphdefang($value2);

        md_syslog("$GraphDefangSyslogFacility|info", "MYLOG,_NOMSGID_," .
                  "$event,$value1,$value2,_NOSENDER_,_NORECIP_,_NOSUBJ_");
    }

That should work from filter_relay() onwards. It's up to you what you want to log, as long as you don't try to access any variables that are not defined in the current state of the milter.
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
--- On Mon, 3/25/13, James Curtis jameswcur...@hotmail.com wrote:

> From what I have read of the documentation (man mimedefang-filter, "Rejecting Unknown Users Early" section), the md_check_against_smtp_server is meant to verify that the email address someone is sending to actually exists on the server they are trying to send to (through the filter server that is running mimedefang). To the best of my knowledge it doesn't check the sender to make sure that the sender exists on the domain of the sending email address.

Exchange the sender and recipient mailboxes (for the recipient(s), pick one if more than one) and it can be used to perform a callback, which is abusive, intended or not.
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
On Tue, 26 Mar 2013, James Curtis wrote:

> FILTERING BY RECIPIENT
>     You can define a function called filter_recipient in your filter. This lets you reject messages to certain recipients, rather than waiting until the whole message has been sent. Note that for this check to take place, you must use the -t flag with mimedefang.
>
> Can someone verify that modifying the /etc/rc.d/init.d/mimedefang script
>
>     daemon $PROGDIR/$prog-multiplexor -p /var/spool/MIMEDefang/$prog-multiplexor.pid -t \
>
> OR
>
>     daemon $PROGDIR/$prog-multiplexor -t -p /var/spool/MIMEDefang/$prog-multiplexor.pid \
>
> OR am I misunderstanding what it means to run it with the -t option. I think this may be why my md_check_against_smtp_server doesn't appear to be working.

If you want to start mimedefang with the -t flag then you better put -t in the command that starts mimedefang rather than in the command that starts mimedefang-multiplexor.

But normally you don't need to modify the /etc/rc.d/init.d/mimedefang script. The startup script reads a configuration file and will start the daemons depending on the contents of that configuration file. File names and locations of startup scripts and config files might vary among OS-es/distributions/versions. On a Debian Linux Squeeze system the config file is located in /etc/default/mimedefang. In that file I have:

    # "yes" turns on the multiplexor recipient checking function
    # MX_RECIPIENT_CHECK=no
    MX_RECIPIENT_CHECK=yes

Regards,

Kees Theunissen.

-- 
Kees Theunissen, System and network manager, Tel: +31 (0)30 6096724
Dutch Institute For Fundamental Energy Research (DIFFER)
e-mail address: c.j.theunis...@differ.nl
postal address: PO Box 1207, 3430 BE Nieuwegein, NL
visitors address: Edisonbaan 14, 3439 MN Nieuwegein, NL
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
On 26.03.2013 at 04:35, kd6...@yahoo.com wrote:

> If it were to be limited to servers under one's control and enforced as such, the routine would have to obtain the recipient's MX-RRset internally and test all higher priority MTAs; thus it would not need the remote host address parameter. It would determine which host in the MX-RRset it is running on based on the macro variables passed in via the milter interface.

That would exclude a lot of useful and legitimate applications. Hint: Not every mail server has an MX RR pointing to it.
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
On Mon, 25 Mar 2013, kd6...@yahoo.com wrote:

>> 2) md_check_against_smtp_server is intended to be used against servers you control. If you want to blacklist your own MIMEDefang relay...
>
> That may have been your intent for adding the function, but it can easily be abused to perform callbacks to random servers, especially when

Well, there is Net::SMTP, which can be abused, too, the same way. However, pointing out the intention puts the burden of abusing that code onto the user.

> used to test the sender's address for validity as a return address.
>
> If it were to be limited to servers under one's control and enforced as such, the routine would have to obtain the recipient's MX-RRset internally and test all higher priority MTAs; thus it would not need the remote host address parameter. It would determine which host in the MX-RRset it is running on based on the macro variables passed in via the milter interface.

I don't agree. Using the MX is necessary for external addresses, but for internal ones, esp. if the server does not relay many domains which are managed by others, one usually knows the correct _internal_ maildrop host, which has probably no MX at all. At least one saves the DNS requests.

The use of MX records would make it much easier to use the function for external addresses. Actually, the man page could stress the fact more that external hosts will not like using the function against them and may blacklist the server, because this is considered address harvesting.

Regards,

-- 
Steffen Kaiser
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
On 26.03.2013 05:25, James Curtis wrote:

> From what I have read of the documentation (man mimedefang-filter, "Rejecting Unknown Users Early" section), the md_check_against_smtp_server is meant to verify that the email address someone is sending to actually exists on the server they are trying to send to (through the filter server that is running mimedefang). To the best of my knowledge it doesn't check the sender to make sure that the sender exists on the domain of the sending email address.

md_check_against_smtp_server is a generic function for testing whether a given mail server will accept a given mail address. If you pass it the recipient address and destination server, it will test that the destination server is prepared to accept mail for that recipient address. This is the intended use. But you can just as well pass it the sender address and sending server, and it will dutifully check whether the sending server would accept mail to the sender address, no matter how inadvisable such a test would be.

> FILTERING BY RECIPIENT
>     You can define a function called filter_recipient in your filter. This lets you reject messages to certain recipients, rather than waiting until the whole message has been sent. Note that for this check to take place, you must use the -t flag with mimedefang.
>
> Can someone verify that modifying the /etc/rc.d/init.d/mimedefang script
>
>     daemon $PROGDIR/$prog-multiplexor -p /var/spool/MIMEDefang/$prog-multiplexor.pid -t \
>
> OR
>
>     daemon $PROGDIR/$prog-multiplexor -t -p /var/spool/MIMEDefang/$prog-multiplexor.pid \
>
> OR am I misunderstanding what it means to run it with the -t option.

Normally you shouldn't need to modify the init script directly. Most versions read a configuration file where you can adjust common settings such as this. The location of that configuration file varies for operating systems (you don't seem to have mentioned yours yet) and, in the case of Linux, distributions.

In my case (CentOS) the configuration file is /etc/sysconfig/mimedefang, containing, among others, these lines:

    # If "yes", turn on the multiplexor recipient checking function
    MX_RECIPIENT_CHECK=yes

HTH
T.

-- 
Tilman Schmidt
Phoenix Software GmbH
Bonn, Germany
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
From: jameswcurtis
Date: Tue, 26 Mar 2013 06:23:30 -0400

> In my case (CentOS) the configuration file is /etc/sysconfig/mimedefang, containing, among others, these lines:
>
>     # If "yes", turn on the multiplexor recipient checking function
>     MX_RECIPIENT_CHECK=yes

I do use CentOS and I have modified the line as suggested. Now my MIMEDefang server is blocking unknown recipients. Thanks everyone for getting me to this point.

Now just one more thing. I want to md_graphdefang_log if it is an unknown user. Here is what I have put together based on the other entries in this post. I'm sure I'm missing something because it doesn't work. Please advise for this last piece of the puzzle. Obviously I wouldn't log all "valid", it's for testing purposes. What am I missing?

---code---
sub filter_recipient {
    my ($retval, $code, $dsn, $text) = md_check_against_smtp_server($sender, $recip, "localhost", "192.168.1.10");
    # my($recip, $sender, $ip, $host, $first, $helo, $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_;
    # return md_check_against_smtp_server($sender, $recip, "mail.hml.com", "192.168.1.10");
    if ($retval eq "Reject") {
        md_graphdefang_log('notauser', $recip, $sender);
    } else {
        md_graphdefang_log('valid', $retval, $code);
    }
}
---code---

Actually the code above blocks all email with a 5.7.1 ? response, but I think you can see what I want to accomplish.

-Bill
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
On 26.03.2013 11:23, James Curtis wrote:

> Now just one more thing. I want to md_graphdefang_log if it is an unknown user. Here is what I have put together based on the other entries in this post. I'm sure I'm missing something because it doesn't work. Please advise for this last piece of the puzzle. Obviously I wouldn't log all "valid", it's for testing purposes. What am I missing?
>
> ---code---
> sub filter_recipient {
>     my ($retval, $code, $dsn, $text) = md_check_against_smtp_server($sender, $recip, "localhost", "192.168.1.10");
>     # my($recip, $sender, $ip, $host, $first, $helo, $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_;

This line is needed and should be the very first line of the subroutine. Don't comment it out, and don't insert anything before it. Just change the "return" in the line below into "my ($retval, $code, $dsn, $text) =".

>     # return md_check_against_smtp_server($sender, $recip, "mail.hml.com", "192.168.1.10");
>     if ($retval eq "Reject") {

According to the manpage $retval will be "REJECT", not "Reject", in the reject case, so you should compare against the string in all capitals.

>         md_graphdefang_log('notauser', $recip, $sender);
>     } else {
>         md_graphdefang_log('valid', $retval, $code);
>     }

Here you are missing a return statement to pass the result of md_check_against_smtp_server to the caller of filter_recipient. I.e. insert

    return ($retval, $code);

before the closing brace.

> }
> ---code---

HTH
T.

-- 
Tilman Schmidt
Phoenix Software GmbH
Bonn, Germany
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
On 25.03.2013 23:08, Kees Theunissen wrote:

> On Mon, 25 Mar 2013, David F. Skoll wrote:
>
>> my ($retval, $code, $dsn, $text) = md_check_against_smtp_server($sender, $recip, "localhost", "192.168.1.10");
>
> Shouldn't that be:
>
>     my ($retval, $text, $code, $dsn) = md_check_against_smtp_server($sender, $recip, "localhost", "192.168.1.10");

Why four variables? My "man mimedefang-filter" says:

    The return value is always a two-element array. If the RCPT TO: command succeeds, the return value is ("CONTINUE", "OK"). If the RCPT fails with a permanent failure, the return value is ("REJECT", $msg), where $msg is the message from the SMTP server. Any temporary failures, connection errors, etc. result in a return value of ("TEMPFAIL", $msg).

-- 
Tilman Schmidt
Phoenix Software GmbH
Bonn, Germany
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
--- On Tue, 3/26/13, Steffen Kaiser skmimedef...@smail.inf.fh-bonn-rhein-sieg.de wrote:

I wrote:

>> used to test the sender's address for validity as a return address.
>>
>> If it were to be limited to servers under one's control and enforced as such, the routine would have to obtain the recipient's MX-RRset internally and test all higher priority MTAs; thus it would not need the remote host address parameter. It would determine which host in the MX-RRset it is running on based on the macro variables passed in via the milter interface.

> I don't agree. Using the MX is necessary for external addresses, but for internal ones, esp. if the server does not relay many domains which are managed by others, one usually knows the correct _internal_ maildrop host, which has probably no MX at all. At least one saves the DNS requests.

You may not agree but that is what the function is for per the author. I agree that there are better ways (e.g. LDAP database) to do this than to fake an SMTP transaction, aborting just before the DATA phase. When I first saw this function years ago, I thought that its purpose was to make callbacks to the sender's mailbox to test reverse deliverability, not to exclusively test the primary MX's acceptability of the message from a secondary.
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
--- On Tue, 3/26/13, Tilman Schmidt t.schm...@phoenixsoftware.de wrote:

> On 26.03.2013 at 04:35, kd6...@yahoo.com wrote:
>
>> If it were to be limited to servers under one's control and enforced as such, the routine would have to obtain the recipient's MX-RRset internally and test all higher priority MTAs; thus it would not need the remote host address parameter. It would determine which host in the MX-RRset it is running on based on the macro variables passed in via the milter interface.
>
> That would exclude a lot of useful and legitimate applications. Hint: Not every mail server has an MX RR pointing to it.

1) I don't consider sender callbacks useful. Such is abuse.

2) If this is to be used by secondary MXs to test the primary, there will be MX records present in the DNS for that domain/hostname label. In the case where there is a single incoming mail server (thus no MX record, and the address record(s) are used to contact the host directly), just what other server would be tested?

3) Forwarding services shouldn't be randomly probing the ultimate destinations. They should simply attempt to deliver directly. Without entering the data phase, there's no guarantee that the message would be delivered (cf. content spam filters), and thus a bounce DSN (not SMTP rejection) would be generated anyway. Where there are multiple forwarders in a chain and they all attempt to test, one may get timeouts at the first forwarder before others further down the line respond back to their predecessors, thus not yielding a useful conclusion (i.e. tempfails).
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
On Tue, 26 Mar 2013 11:33:33 -0700 (PDT) kd6...@yahoo.com wrote:

> 3) Forwarding services shouldn't be randomly probing the ultimate destinations.

I disagree strongly (assuming we remove the noise word "randomly"). Attempting to deliver to nonexistent recipients is by far the most common cause of backscatter, and doing an SMTP call-forward on the ultimate destination is a simple and cheap way to avoid this.

Your point about post-DATA rejection is valid, but this makes up a very small percentage of backscatter.

-- 
David.
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
--- On Tue, 3/26/13, James Curtis jameswcur...@hotmail.com wrote:
> sub filter_recipient {
>     my ($retval, $code, $dsn, $text) = md_check_against_smtp_server($sender, $recip, "localhost", "192.168.1.10");
>     # my($recip, $sender, $ip, $host, $first, $helo, $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_;
>     # return md_check_against_smtp_server($sender, $recip, "mail.hml.com", "192.168.1.10");
>     if ($retval eq "Reject") {
>         md_graphdefang_log('notauser', $recip, $sender);
>     } else {
>         md_graphdefang_log('valid', $retval, $code);
>     }
> }

How does that prove that the rejection was for the unknown recipient mailbox? One needs to inspect the actual rejection code to determine this; not merely that a rejection occurred. The sending address could have been blacklisted.

Extended codes:
5.1.1 - No such destination mailbox.
5.1.3 - Bad destination mailbox syntax (should have been checked by the current relay MTA but wasn't)
5.1.4 - Destination mailbox ambiguous (matches multiple possibilities)
5.2.1 - Destination mailbox (valid but) disabled
5.2.2 - Destination mailbox full (also may be tempfailed)
5.2.3 - Message too big (if the SIZE parameter is used with MAIL FROM)
5.3.1 - Mail system full (usually disk storage full)
5.3.4 - Message too big (systemwide limit, as opposed to a per user limit)

and these which have nothing to do with the recipient:
5.1.7 - Bad sending mailbox syntax
5.1.8 - Bad sending mailbox's system address
5.7.1 - Spam or other similar refusal (mailboxes otherwise valid)
etc.

Only the first two indicate "no valid user", but all of these (and probably others) can occur during such a test. Can you 100% guarantee that these other error reasons will never occur between your primary and secondaries? I don't think so.
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
On Tue, Mar 26, 2013 at 1:20 PM, kd6...@yahoo.com wrote:
> You may not agree but that is what the function is for per the author. I agree that there are better ways (e.g. LDAP database) to do this than to fake an SMTP transaction, aborting just before the DATA phase. When I first saw this function years ago, I thought that its purpose was to make callbacks to the sender's mailbox to test reverse deliverability, not to exclusively test the primary MX's acceptability of the message from a secondary.

It's not necessarily between a primary and secondary with public MX's. I found it very useful when the public MX's for a domain do not host the actual users but instead relay through a private firewall to a hidden internal delivery host. However the inbound spam rate eventually made it impractical - and I started maintaining virtusers tables with a default reject rule on the MX hosts that sendmail can process very quickly.

-- 
Les Mikesell
lesmikes...@gmail.com
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
--- On Tue, 3/26/13, David F. Skoll d...@roaringpenguin.com wrote:
> Attempting to deliver to nonexistent recipients is by far the most common cause of backscatter, and doing an SMTP call-forward on the ultimate destination is a simple and cheap way to avoid this.

Point noted, but your response seems to assume (or at least I infer) that no other measures to prevent backscatter are implemented. At the point that this remote check can be performed, one has already passed the point where an SPF check (and other similar methods) has occurred (or can), and if failed, has probably been rejected during the SMTP transaction thus meaning that this remote check will not be performed.

In my opinion, a message with other than an SPF fail is a candidate for a DSN, although I always reject during the SMTP transaction when possible. If a domain or hostname manager has not chosen to protect his message source with SPF, that's his problem - because he's effectively saying that he doesn't care about receiving backscatter (or with SPF softfail, wants it), or is too ignorant on how to properly run a mail server and needs a lesson.

I note that DKIM, PGP, and other message validators aren't available at this point. Those require entering the DATA phase.
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
On Tue, 26.03.2013, 19:33, kd6...@yahoo.com wrote:
> On Tue, 3/26/13, Tilman Schmidt t.schm...@phoenixsoftware.de wrote:
>> On 26.03.2013 at 04:35, kd6...@yahoo.com wrote:
>>> If it were to be limited to servers under one's control and enforced as such, the routine would have to obtain the recipient's MX-RRset internally and test all higher priority MTAs; thus it would not need the remote host address parameter. It would determine which host in the MX-RRset it is running on based on the macro variables passed in via the milter interface.
>> That would exclude a lot of useful and legitimate applications. Hint: Not every mail server has an MX RR pointing to it.
> 1) I don't consider sender callbacks useful.

Nor do I. That's not what I was talking about.

> 2) If this is to be used by secondary MXs to test the primary, there will be MX records present in the DNS for that domain/hostname label.

Neither is this.

> 3) Forwarding services shouldn't be randomly probing the ultimate destinations.

I agree. Such things should be done systematically, not randomly. :-)

Alright, I'll spell it out for you. Here's the scenario:
- You have a so-called groupware server on your internal network, let's say Microsoft Exchange or Lotus Notes.
- Quite sensibly you do not want to expose the SMTP port of that server directly to the Internet.
- So you put a *nix relay server in your DMZ which accepts mail from the outside and forwards it to your groupware server.
- The internal server does not appear in the public DNS at all.
- The relay server has a mailertable entry pointing to the groupware server.
- The relay server runs MIMEdefang to do all sorts of checks on incoming mail before accepting responsibility for forwarding it.
- One of these checks should be whether the recipient address actually exists.
- The easiest and most reliable way for that is to ask the groupware server.
- The easiest way for that is SMTP call-ahead aka md_check_against_smtp_server.

Now I'm sure you'll find a nit to pick with that approach, but to me it's quite sensible and time proven, and it would not work if md_check_against_smtp_server insisted on checking only against servers with published MX RRs.
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
On Tue, 26 Mar 2013 13:45:31 -0700 (PDT) kd6...@yahoo.com wrote:
> --- On Tue, 3/26/13, David F. Skoll d...@roaringpenguin.com wrote:
>> Attempting to deliver to nonexistent recipients is by far the most common cause of backscatter, and doing an SMTP call-forward on the ultimate destination is a simple and cheap way to avoid this.
> Point noted, but your response seems to assume (or at least I infer) that no other measures to prevent backscatter are implemented. At the point that this remote check can be performed, one has already passed the point where an SPF check (and other similar methods) has occurred (or can), and if failed, has probably been rejected during the SMTP transaction thus meaning that this remote check will not be performed.

SPF is completely useless in the following sense: Rejecting mail because of SPF fail will absolutely cause valid mail to be rejected. You (and I) may say "Tough luck for domains that publish broken SPF records", but for some reason our customers don't see it that way.

Because it is not practical to reject messages because of SPF fail, you have no choice but to guard against backscatter. And while an LDAP or other form of directory lookup is the superior approach, real-world constraints often limit you to using an SMTP call-forward.

> In my opinion, a message with other than an SPF fail is a candidate for a DSN, although I always reject during the SMTP transaction when possible. If a domain or hostname manager has not chosen to protect his message source with SPF, that's his problem - because he's effectively saying that he doesn't care about receiving backscatter (or with SPF softfail, wants it), or is too ignorant on how to properly run a mail server and needs a lesson.

That may well be your opinion, but that's because you don't have paying customers who rely on you to relay their mail. It's very easy to be cavalier with your own email; not so easy with tens of thousands of end-users.

Regards,

David.
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
--- On Tue, 3/26/13, t...@phoenixsoftware.de t...@phoenixsoftware.de wrote:
> ...
> - The easiest way for that is SMTP call-ahead aka md_check_against_smtp_server.

A much better way is to access the user database directly. That's what LDAP is for, but it can be done with other database types too. With properly set up LDAP servers, one may even choose to make a subset of the information available to sending servers so they can check before even attempting to connect to yours. SQL-based servers could also be used, but they're much less common and not as standardized. Several MTA programs (e.g. sendmail) have had LDAP query ability built in for more than a decade.

Technically within SMTP, the proper way for a secondary to check with a primary for valid users would not be by faking a mail transaction but by using the VRFY or EXPN commands (which may be restricted to only the secondaries to prevent outside abuse). VRFY is simpler - it returns a validity indicator. EXPN will tell the querying server if it will be forwarded again (in which case it could substitute the recipient address with the one returned by the query and if going off-site, completely bypass the need to send it to the primary in the first place).
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
--- On Tue, 3/26/13, David F. Skoll d...@roaringpenguin.com wrote:
> ... [snipped]
> SPF is completely useless in the following sense: Rejecting mail because of SPF fail will absolutely cause valid mail to be rejected. You (and I) may say "Tough luck for domains that publish broken SPF records", but for some reason our customers don't see it that way.

Broken SPF records do not generate a fail response. They generate an error response (one of two types). Either way, you seem to be saying that LEGITIMATE errors should not be sent back, and I must disagree with such. Only DSN errors from spoofing should be suppressed.

I do say tough luck for otherwise valid mail rejected by an SPF fail. If the administrator tells my server that the mail is not authorized (when it actually is valid), how is that my server's problem? My server was told the mail is bogus so it was refused. Not my problem.

> Because it is not practical to reject messages because of SPF fail,

I regularly reject SPF failure messages directly at the SMTP MAIL FROM stage. Per my own logs, it was clear that all such attempts were clearly spoofed mail (e.g. country of origin didn't match location of domain used, etc.,...).

> you have no choice but to guard against backscatter. And while an LDAP or other form of directory lookup is the superior approach, real-world constraints often limit you to using an SMTP call-forward.

As I deny all mail that fails security checks (SPF, DKIM, PGP, virus, spam, etc.) during the SMTP transaction, I guard against backscatter just fine by never accepting responsibility for the bad mail in the first place via rejection during SMTP.

>> In my opinion, a message with other than an SPF fail is a candidate for a DSN, although I always reject during the SMTP transaction when possible. If a domain or hostname manager has not chosen to protect his message source with SPF, that's his problem - because he's effectively saying that he doesn't care about receiving backscatter (or with SPF softfail, wants it), or is too ignorant on how to properly run a mail server and needs a lesson.
> That may well be your opinion, but that's because you don't have paying customers who rely on you to relay their mail. It's very easy to be cavalier with your own email; not so easy with tens of thousands of end-users.

I pay for my own mail by use of the bandwidth I pay for, and I have users other than just me in my domains. They don't participate here. Being liberal in what one accepts means getting spammed. I find that legitimate mail generally follows all the rules and formats and gets through just fine. A standard is an ENFORCED set of specifications and if I choose to enforce it more tightly than others, too bad for them when they don't comply.
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
On 26.03.2013 at 19:53, kd6...@yahoo.com wrote:
> Extended codes:
> 5.1.1 - No such destination mailbox.
> 5.1.3 - Bad destination mailbox syntax (should have been checked by the current relay MTA but wasn't)
> 5.1.4 - Destination mailbox ambiguous (matches multiple possibilities)
> 5.2.1 - Destination mailbox (valid but) disabled
> 5.2.2 - Destination mailbox full (also may be tempfailed)
> 5.2.3 - Message too big (if the SIZE parameter is used with MAIL FROM)
> 5.3.1 - Mail system full (usually disk storage full)
> 5.3.4 - Message too big (systemwide limit, as opposed to a per user limit)
>
> and these which have nothing to do with the recipient:
> 5.1.7 - Bad sending mailbox syntax
> 5.1.8 - Bad sending mailbox's system address
> 5.7.1 - Spam or other similar refusal (mailboxes otherwise valid)
> etc.
>
> Only the first two indicate "no valid user", but all of these (and probably others) can occur during such a test. Can you 100% guarantee that these other error reasons will never occur between your primary and secondaries? I don't think so.

Welcome to real life, where there are no 100% guarantees, ever. In fact, there isn't even a 100% guarantee that a mailserver will return an extended code at all, let alone one that corresponds to the actual reason for the rejection.
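The two cautions in this exchange (a rejection is only evidence of an unknown mailbox if it came back to RCPT TO with a 5.1.1 enhanced status code, and a server may send no enhanced code at all) are easy to lose in a filter that only checks whether a rejection happened. The Python below is an added example, not MIMEDefang's md_check_against_smtp_server and not code posted by anyone on this thread. It runs the same HELO / MAIL FROM / RCPT TO / QUIT sequence against an in-memory stand-in for the far-end MTA (ScriptedServer, with every reply, host name and address constructed for the demo), maps the reply class to the CONTINUE / TEMPFAIL / REJECT verdict a recipient filter returns, and additionally records which command drew the decisive reply, so that a 5.1.8 or 5.7.1 at MAIL FROM is never counted as an unknown user. It goes a little beyond the thread by joining multi-line replies and by reporting a missing enhanced code as "unspecified" rather than guessing.

```python
"""SMTP call-ahead (HELO / MAIL FROM / RCPT TO / QUIT, never DATA). Added example, not
MIMEDefang's md_check_against_smtp_server; ScriptedServer and its replies are constructed."""
import re
from dataclasses import dataclass
from typing import Optional
# RFC 3463 codes about the recipient mailbox itself (the subset listed in the thread).
RECIPIENT_CODES = {"5.1.1", "5.1.3", "5.1.4", "5.2.1", "5.2.2", "5.2.3"}
# "550 5.1.1 User unknown", "550 User unknown" (no enhanced code), "250-continued".
_REPLY_RE = re.compile(r"^(?P<code>\d{3})(?P<sep>[ -])"
                       r"(?:(?P<dsn>\d\.\d{1,3}\.\d{1,3})(?:\s+|$))?(?P<text>.*)$")

@dataclass
class Reply:
    code: int
    dsn: Optional[str]   # enhanced status code; None when the server sent none
    text: str

@dataclass
class Verdict:
    retval: str          # CONTINUE / TEMPFAIL / REJECT, what a recipient filter returns
    code: int
    dsn: Optional[str]
    text: str
    stage: str           # command that drew the decisive reply: BANNER, HELO, MAIL or RCPT

class ScriptedServer:
    """In-memory stand-in for the far-end MTA: RCPT replies come from a table keyed by
    address, unknown addresses get 550 5.1.1, and QUIT re-arms the greeting."""
    GREETING = "220 mail.example.internal ESMTP"       # constructed host name

    def __init__(self, rcpt_replies, mail_reply="250 2.1.0 Sender ok"):
        self.rcpt_replies, self.mail_reply = rcpt_replies, mail_reply
        self._pending = [self.GREETING]

    def readline(self) -> str:
        return self._pending.pop(0)

    def write(self, line: str) -> None:
        verb, _, arg = line.partition(" ")
        if verb == "HELO":
            self._pending.append("250 mail.example.internal")
        elif verb == "MAIL":
            self._pending.append(self.mail_reply)
        elif verb == "RCPT":
            addr = arg[len("TO:"):].strip("<>")
            self._pending.append(self.rcpt_replies.get(addr, "550 5.1.1 User unknown"))
        elif verb == "QUIT":
            self._pending += ["221 2.0.0 Bye", self.GREETING]

def read_reply(server) -> Reply:
    """Read one reply, joining 'NNN-' continuation lines (RFC 5321 section 4.2.1)."""
    parts = []
    while True:
        m = _REPLY_RE.match(server.readline())
        if m is None:
            raise ValueError("malformed SMTP reply")
        parts.append(m)
        if m.group("sep") == " ":
            break
    last = parts[-1]     # RFC 2034: an enhanced code, when present, is repeated on every line
    return Reply(int(last.group("code")), last.group("dsn"), " ".join(p.group("text") for p in parts))

def classify(code: int) -> str:
    if 200 <= code < 300:
        return "CONTINUE"
    if 500 <= code < 600:
        return "REJECT"
    return "TEMPFAIL"    # 4xx and anything odd: a guess is never grounds for a 5xx

def call_ahead(sender: str, recip: str, helo: str, server) -> Verdict:
    """Stop at the first non-2xx reply and record which command drew it."""
    steps = [("HELO", f"HELO {helo}"), ("MAIL", f"MAIL FROM:<{sender}>"),
             ("RCPT", f"RCPT TO:<{recip}>")]
    stage = "BANNER"
    try:
        reply = read_reply(server)
        for next_stage, cmd in steps:
            if reply.code // 100 != 2:
                break
            stage = next_stage
            server.write(cmd)
            reply = read_reply(server)
        server.write("QUIT")
        read_reply(server)           # swallow the 221
    except ValueError as err:
        return Verdict("TEMPFAIL", 0, None, str(err), stage)
    return Verdict(classify(reply.code), reply.code, reply.dsn, reply.text, stage)

def reject_reason(v: Verdict) -> Optional[str]:
    """What a REJECT is evidence of: only 5.1.1 at RCPT says the mailbox does not exist."""
    if v.retval != "REJECT":
        return None
    if v.stage != "RCPT":
        return "sender-or-policy"    # refused before the recipient was even named
    if v.dsn is None:
        return "unspecified"         # no enhanced code, so the reason is unknown
    if v.dsn == "5.1.1":
        return "unknown-user"
    if v.dsn in RECIPIENT_CODES:
        return "recipient-other"     # exists but disabled, full, ...
    return "sender-or-policy"        # 5.1.7, 5.1.8, 5.7.1 and the like
```

Against a real next hop, ScriptedServer would be replaced by an object whose readline() and write() go over a socket (with CRLF stripped and appended respectively); the rest is unchanged. The point of the stage field is the one kd6 makes: log "notauser" only when reject_reason() says "unknown-user", pass every other verdict straight back to the MTA, and treat a 5xx without an enhanced code as a rejection of unknown cause rather than as proof the mailbox is gone.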
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
On 26.03.2013 at 23:24, kd6...@yahoo.com wrote:
> --- On Tue, 3/26/13, t...@phoenixsoftware.de t...@phoenixsoftware.de wrote:
>> ...
>> - The easiest way for that is SMTP call-ahead aka md_check_against_smtp_server.
> A much better way is to access the user database directly. That's what LDAP is for, but it can be done with other database types too.

Sure, in a perfect world that would be the way to go. Unfortunately, real life tends to get in the way of such theoretically better solutions. You did notice my mentioning of the 'M' and 'N' words, I trust? (Microsoft and Notes, that is.)

> With properly set up LDAP servers, one may even choose to make a subset of the information available to sending servers so they can check before even attempting to connect to yours.

I'll try to remember your advice should I ever come across a properly set up LDAP server.

> Several MTA programs (e.g. sendmail) have had LDAP query ability built in for more than a decade.

Ever tried to make that work against a Microsoft Exchange or Lotus Notes server? I did, and ruefully returned to SMTP call-ahead.

> Technically within SMTP, the proper way for a secondary to check with a primary for valid users would not be by faking a mail transaction but by using the VRFY or EXPN commands

Technically, yes. But again, reality gets in the way of technically proper solutions and forces you to make do with actually working ones instead.
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
--- On Tue, 3/26/13, Tilman Schmidt t.schm...@phoenixsoftware.de wrote:
> ...
> In fact, there isn't even a 100% guarantee that a mailserver will return an extended code at all, let alone one that corresponds to the actual reason for the rejection.

Exactly. So how does the OP conclude that the error was "no such user" as the recipient when in truth, he doesn't know? Big problem.
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
So I'm still trying to get md_check_against_smtp_server working with md_graphdefang_log.

=
I made the modification to /etc/sysconfig/mimedefang (still not sure why this is referred to as 'running with the -t option')
MX_RECIPIENT_CHECK=yes
=

I made the following additions to /etc/mail/mimedefang-filter (after the filter_begin subroutine completes, before filter)

-Code
sub filter_recipient {
    my($recip, $sender, $ip, $host, $first, $helo, $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_;
    return md_check_against_smtp_server($sender, $recip, "localhost", "192.168.1.10");
}
Code-

I now get the following response before the data phase that rejects the user!
550 5.1.1 t...@testdomain.com... User unknown
- Yea! It's working

I am trying to get a log entry for all emails that are getting rejected because managers like metrics. I tried changing the code as suggested below:

--Code-
sub filter_recipient {
    my ($retval, $code, $dsn, $text) = md_check_against_smtp_server($sender, $recip, "localhost", "192.168.1.10");
    # if ($retval eq "Reject") {
    #     md_graphdefang_log('notauser', $recip, $sender);
    #     return action_discard
    # }
    # else {
    #     md_graphdefang_log('valid', $retval, $code);
    # }
}
-Code--

Having tried with the remarked statement and having it fail, I remarked it back to just the recommended line and it still fails all email addresses, whether valid or not valid, with this response:
501 5.5.4 Invalid Address

Thanks for all the info, the pros and cons. Most of them I knew, I'll probably be looking for info on how to get MIMEDefang to work with SPF later.

-Bill
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
On Tue, 26 Mar 2013 15:24:17 -0700 (PDT) kd6...@yahoo.com wrote:
> --- On Tue, 3/26/13, t...@phoenixsoftware.de t...@phoenixsoftware.de
>> - The easiest way for that is SMTP call-ahead aka md_check_against_smtp_server.
> A much better way is to access the user database directly.

Yes, but that may not be possible for policy reasons. Our spam-filtering service filters mail for a number of clients who (obviously) are willing to open up TCP/25 for us, but are far more reluctant to expose their LDAP directory to us.

[...]

> Technically within SMTP, the proper way for a secondary to check with a primary for valid users would not be by faking a mail transaction but by using the VRFY or EXPN commands (which may be restricted to only the secondaries to prevent outside abuse).

Almost all SMTP servers are configured not to support VRFY or EXPN.

Regards,

David.
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
On Tue, 26 Mar 2013 15:42:42 -0700 (PDT) kd6...@yahoo.com wrote:
>> SPF is completely useless in the following sense: Rejecting mail because of SPF fail will absolutely cause valid mail to be rejected. You (and I) may say "Tough luck for domains that publish broken SPF records", but for some reason our customers don't see it that way.
> Broken SPF records do not generate a fail response.

You misunderstand. I mean that an SPF record is broken if it specifies fail for a valid sending host.

> I do say tough luck for otherwise valid mail rejected by an SPF fail.

You do not have to explain yourself to tens of thousands of customers, correct? In our anti-spam software and service, we recently implemented a policy decision that ignores sender and domain whitelists on SPF fail or softfail. We've had endless complaints about this! We're not even blocking such mail; we're just *not* allowing it to be whitelisted, and still people complained. (So we made it possible to turn off the policy.)

[...]

> I pay for my own mail by use of the bandwidth I pay for, and I have users other than just me in my domains.

Do they pay you to provide service? In principle, I agree with your approach, but it's doomed to failure in the real world. The real world is a mess and sticking to strict, pristine principles of email delivery quickly means you'll have no paying customers.

Regards,

David.
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
On Tue, Mar 26, 2013 at 9:02 PM, David F. Skoll d...@roaringpenguin.com wrote:
> Do they pay you to provide service? In principle, I agree with your approach, but it's doomed to failure in the real world. The real world is a mess and sticking to strict, pristine principles of email delivery quickly means you'll have no paying customers.

Besides which, real spammers are much more likely to take the trouble to set up SPF properly than an ordinary person who just wants to send you a message that you'd want to see.

-- 
Les Mikesell
lesmikes...@gmail.com
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
On 24.03.2013 at 15:28, James Curtis wrote:
> md_graphdefang_log('spamhaus', $hits, $RelayAddr);
[...]
> # the reject works, but graphdefang log shows the Subject instead of Relay address
[...]
> Mar 24 09:44:06 monitor mimedefang.pl[15805]: MDLOG,r2ODhv3a027039,spamhaus,,31.16.181.217,c20195935f81d7e31...@reass.co.uk,sandseatra...@mydomain.com,Huge 83%25 discount for sandseatravel

You are reading this wrong. Quoting the manpage for mimedefang-filter:

    md_graphdefang_log($event, $v1, $v2)
        Logs an event with up to two optional additional parameters. The log message has a specific format useful for graphing tools; the message looks like this:

            MDLOG,msgid,event,v1,v2,sender,recipient,subj

So your log entry contains:
- the fixed string MDLOG, -- just as promised by the manpage
- msgid = r2ODhv3a027039, -- a plausible message ID
- event = spamhaus, -- as you specified
- v1 = empty, -- unsurprisingly, as you passed $hits which is never set in your filter
- v2 = 31.16.181.217, -- a plausible relay IP address
- sender = c20195935f81d7e31...@reass.co.uk,
- recipient = sandseatra...@mydomain.com,
- subj = Huge 83%25 discount for sandseatravel -- all quite plausible

To me that looks like everything's working fine.

> I guess I need a mimedefang-filter and Perl for dummies book. Is there a place I can find such a document?

I seem to remember a book "Perl for Dummies" actually exists. The best approximation to "mimedefang-filter for Dummies" is probably this mailinglist. :-)

> How do I know what outputs a command will produce when called so I can base an if rule against it?

The mimedefang-filter manpage would be the canonical source for that.

> I just now realized that the unknown user reports are because I had to enable the recipient filter on the internal server, so that explains why the bounces are going out.

Yes, that makes more sense.

> But I really want it to check before sending so it doesn't accept, instead of bounce.

Sure, that's the way it can and should be done. Bounces are to be avoided whenever possible.

I'm doing something similar on a mail server serving several domains, some local and some relayed. My filter_recipient just contains, for each relayed domain:

    if ($recipient =~ /[@.]relayeddoma\.in>?$/i) {
        return md_check_against_smtp_server($sender, $recipient, $helo, 'mail.relayeddoma.in');
    }

ie. it just passes on the result of md_check_against_smtp_server without even looking at it. This works for me because (a) md_check_against_smtp_server's return value is designed to be a valid return value for filter_recipient, and (b) I don't need to do any further checks or actions on relayed mails in filter_recipient after md_check_against_smtp_server.

If you do need to do more in filter_recipient after md_check_against_smtp_server has returned OK you'll have to assign its result to a variable and check it with appropriate if statements. But I'd recommend against that. SpamAssassin and virus checking belong in filter_end, and additional logging doesn't add anything useful IMHO.

So if you relay *all* mails to internal private address, your filter_recipient could in fact be as simple as:

    sub filter_recipient {
        my($recip, $sender, $ip, $host, $first, $helo, $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_;
        return md_check_against_smtp_server($sender, $recip, "<filter server external DNS name>", "<internal private address>");
    }

HTH
T.

-- 
Tilman Schmidt
Phoenix Software GmbH
Bonn, Germany
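Given the MDLOG layout quoted above, the per-rejection metrics James asked for can be pulled from syslog after the fact instead of from extra logging inside filter_recipient. The Python below is an added example and not part of MIMEDefang: it picks MDLOG records out of constructed syslog lines, counts events, and lists the recipients behind a given event (for instance the unknown addresses a spammer keeps retrying). Two things are assumptions of ours: that the line carries the usual `mimedefang.pl[pid]:` syslog tag, and that field values are %XX-escaped, which the "83%25" in the real entry suggests for "%" and which must also apply to "," for the record to stay parseable; the queue IDs, hosts and addresses in the sample are made up.

```python
"""Per-event metrics from md_graphdefang_log output. Added example, not part of
MIMEDefang. Record layout per the mimedefang-filter manpage:
MDLOG,msgid,event,v1,v2,sender,recipient,subj. Sample lines are constructed, and the
%XX escaping of '%' and ',' inside fields is an assumption drawn from '83%25'."""
import re
from collections import Counter
from typing import Dict, Iterable, Optional

MDLOG_FIELDS = ("msgid", "event", "v1", "v2", "sender", "recipient", "subject")

# Assumed syslog tag; only the MDLOG record after it matters.
_RECORD_RE = re.compile(r"mimedefang\.pl\[\d+\]: MDLOG,(?P<rec>.*)$")
_ESCAPE_RE = re.compile(r"%([0-9A-Fa-f]{2})")

# Constructed sample: one DNSBL hit, two call-ahead rejections logged as 'notauser',
# and one unrelated sendmail line that must be ignored.
SAMPLE_LOG = [
    "Mar 24 09:44:06 relay mimedefang.pl[15805]: MDLOG,r2ODi4Ab012345,spamhaus,,192.0.2.45,bulk@example.org,sales@example.com,Huge 83%25 discount",
    "Mar 24 09:45:10 relay mimedefang.pl[15805]: MDLOG,r2ODj9Cd012401,notauser,nobody@example.com,postmaster@example.net,postmaster@example.net,nobody@example.com,Re: invoice%2C overdue",
    "Mar 24 09:46:00 relay mimedefang.pl[15805]: MDLOG,r2ODk0Ef012450,notauser,ghost@example.com,bob@example.net,bob@example.net,ghost@example.com,hello",
    "Mar 24 09:46:30 relay sendmail[27990]: r2ODkUGh012460: from=<carol@example.net>, size=1234, class=0",
]


def unescape(field: str) -> str:
    """Undo the %XX escaping md_graphdefang_log is assumed to apply to '%' and ','."""
    return _ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), field)


def parse_mdlog(line: str) -> Optional[Dict[str, str]]:
    """Return the MDLOG record as a dict, or None for lines that are not MDLOG."""
    m = _RECORD_RE.search(line)
    if m is None:
        return None
    parts = m.group("rec").split(",")
    if len(parts) != len(MDLOG_FIELDS):
        return None   # with commas escaped, a record always has exactly seven fields
    return {name: unescape(value) for name, value in zip(MDLOG_FIELDS, parts)}


def event_counts(lines: Iterable[str]) -> Counter:
    """How often each event fired: the numbers managers ask for."""
    return Counter(rec["event"] for rec in map(parse_mdlog, lines) if rec)


def recipients_by_event(lines: Iterable[str], event: str) -> Counter:
    """Which recipients a given event hit, e.g. the unknown addresses being retried."""
    return Counter(rec["recipient"] for rec in map(parse_mdlog, lines)
                   if rec and rec["event"] == event)


if __name__ == "__main__":
    for event, n in event_counts(SAMPLE_LOG).most_common():
        print(f"{event:12s} {n}")
    print(recipients_by_event(SAMPLE_LOG, "notauser"))
```

Feed it the real file with `event_counts(open("/var/log/maillog"))`; because every field is decoded only after the split, a subject containing a comma or a percent sign cannot shift the columns.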
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
On Sun, 24 Mar 2013 10:28:16 -0400 James Curtis jameswcur...@hotmail.com wrote:
> I guess I need a mimedefang-filter and Perl for dummies book.

There are plenty of pretty good Intro to Perl books; check the O'Reilly site. As for intro to MIMEDefang, you could have a look at slides from a talk I gave (a long time ago):

http://www.mimedefang.org/static/mimedefang-lisa04.pdf

The slides are somewhat dated, but mostly still relevant.

Regards,

David.
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
>> I guess I need a mimedefang-filter and Perl for dummies book.
>
> There are plenty of pretty good "Intro to Perl" books; check the O'Reilly site.
>
> As for intro to MIMEDefang, you could have a look at slides from a talk I gave (a long time ago): http://www.mimedefang.org/static/mimedefang-lisa04.pdf

I read through that before going to the list. Page 86 seems to be the relevant page, but without sample code in context I'm still lost.

I did read through the mimedefang.pl file enough to find:

    #***
    # %PROCEDURE: md_check_against_smtp_server
    # %ARGUMENTS:
    #  sender -- sender e-mail address
    #  recip -- recipient e-mail address
    #  helo -- string to put in HELO command
    #  server -- SMTP server to try.
    #  port -- optional: Port to connect on (defaults to 25)
    # %RETURNS:
    #  ('CONTINUE', "OK") if recipient is OK
    #  ('TEMPFAIL', "err") if temporary failure
    #  ('REJECT', "err") if recipient is not OK.
    # %DESCRIPTION:
    #  Verifies a recipient against another SMTP server by issuing a
    #  HELO / MAIL FROM: / RCPT TO: / QUIT sequence
    #***

AND this:

    ($retval, $code, $dsn, $text) = get_smtp_return_code($sock, $recip, $server);
    if ($retval ne 'CONTINUE') {
        $sock->print("QUIT\r\n");
        $sock->flush();
        # Swallow return value
        get_smtp_return_code($sock, $recip, $server);
        $sock->close();
        return ($retval, $text, $code, $dsn);
    }

My rookie brain seems to think that it is returning the value to $retval. But I can't figure out why this doesn't put an entry into the mdlog, either notauser or unsure, even if the other variables are incorrect.

    sub filter_recipient {
        my($recip, $sender, $ip, $host, $first, $helo, $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_;
        md_check_against_smtp_server($sender, $recip, "localhost", "192.168.1.10");
        if ($retval eq "REJECT") {
            md_graphdefang_log('notauser', $recip, $sender);
            # return action_discard();
        } else {
            md_graphdefang_log('unsure', $retval, $code);
        }
    }

I verified that I was running mimedefang.pl with the -t option (listed as requirement for filter_recipient):

    [root@monitor ~]# ps ax |grep mimedefang
    27993 ?        S      0:00 /usr/bin/mimedefang-multiplexor -t -p /var/spool/MIMEDefang/mimedefang-multiplexor.pid -m 2 -x 10 -y 0 -U defang -b 600 -l -s /var/spool/MIMEDefang/mimedefang-multiplexor.sock

Any additional help?

-Bill
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
On Mon, 25 Mar 2013 13:30:31 -0400 James Curtis jameswcur...@hotmail.com wrote:

>     md_check_against_smtp_server($sender, $recip, "localhost", "192.168.1.10");

You are throwing away the return values from that function. You need to assign them to some local variables like this:

    my ($retval, $code, $dsn, $text) = md_check_against_smtp_server($sender, $recip, "localhost", "192.168.1.10");

Regards,

David.
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
Date: Mon, 25 Mar 2013 13:05:16 +0100 (From: t.schm...@phoenixsoftware.de)

> So if you relay *all* mails to "internal private address", your filter_recipient could in fact be as simple as:
>
>     sub filter_recipient {
>         my($recip, $sender, $ip, $host, $first, $helo, $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_;
>         return md_check_against_smtp_server($sender, $recip, "filter server's external DNS name", "internal private address");
>     }

OK, so I tried this simple strip of code, just to get it to reject unknown users without logging. It still doesn't seem to be working.

Should it be in a separate section of the code, its own section of code? I have tried adding it to filter_begin, filter_end, and as its own section of code directly after the } after all of the filter_begin. Could location be part of the equation that I'm missing?

-Bill
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
--- On Mon, 3/25/13, James Curtis jameswcur...@hotmail.com wrote:

> I did read through the mimedefang.pl file enough to find:
> ...
> AND this:
>
>     ($retval, $code, $dsn, $text) = get_smtp_return_code($sock, $recip, $server);
>     if ($retval ne 'CONTINUE') {
>         $sock->print("QUIT\r\n");
>         $sock->flush();
>         # Swallow return value
>         get_smtp_return_code($sock, $recip, $server);
>         $sock->close();
>         return ($retval, $text, $code, $dsn);
>     }

Poor coding (for today; perhaps OK in 2004). Although this will issue a QUIT when an error is returned, it does NOT do so when the transaction succeeds to the point where 'DATA' is normally issued.

There are at least two blacklisting DNSBLs that track systems that track callbacks and the failure to issue QUIT. This is a good way to get listed and therefore banned.
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
On Mon, 2013-03-25 at 13:53 -0700, kd6...@yahoo.com wrote:

> Although this will issue a QUIT when an error is returned, it does NOT do so when the transaction succeeds to the point where 'DATA' is normally issued.

I'm not seeing that. I have MIMEDefang 2.71-2build1 on Ubuntu Precise. I see code to issue a QUIT unconditionally after the RCPT TO command.

-- 
Richard
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
On Mon, 25 Mar 2013, David F. Skoll wrote:

> On Mon, 25 Mar 2013 13:30:31 -0400 James Curtis jameswcur...@hotmail.com wrote:
>
>>     md_check_against_smtp_server($sender, $recip, "localhost", "192.168.1.10");
>
> You are throwing away the return values from that function. You need to assign them to some local variables like this:
>
>     my ($retval, $code, $dsn, $text) = md_check_against_smtp_server($sender, $recip, "localhost", "192.168.1.10");

Shouldn't that be:

    my ($retval, $text, $code, $dsn) = md_check_against_smtp_server($sender, $recip, "localhost", "192.168.1.10");

I assume that you intend to use meaningful variable names.

Regards,

Kees Theunissen.

-- 
Kees Theunissen, System and network manager, Tel: +31 (0)30 6096724
Dutch Institute For Fundamental Energy Research (DIFFER)
e-mail address: c.j.theunis...@differ.nl
postal address: PO Box 1207, 3430 BE Nieuwegein, NL
visitors address: Edisonbaan 14, 3439 MN Nieuwegein, NL
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
Am 25.03.2013 20:54, schrieb James Curtis:

>> your filter_recipient could in fact be as simple as:
>>
>>     sub filter_recipient {
>>         my($recip, $sender, $ip, $host, $first, $helo, $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_;
>>         return md_check_against_smtp_server($sender, $recip, "filter server's external DNS name", "internal private address");
>>     }
>
> OK, so I tried this simple strip of code, just to get it to reject unknown users without logging. It still doesn't seem to be working.

That doesn't match what I am observing. With my very similar setup I get log entries for all rejections. So whatever it is that rejects unknown users in your setup, I'm pretty sure it isn't that filter_recipient function.

What exactly do you mean by "reject unknown users without logging", anyway? What happens when a server attempts to deliver a mail message for an unknown user? What response does the sending server get? What does your server log? Nothing at all? That would be very odd. In my experience, Sendmail always logs at least the connection attempt. Please show an actual log excerpt.

> Should it be in a separate section of the code, its own section of code? I have tried adding it to filter_begin, filter_end, and as its own section of code directly after the } after all of the filter_begin.

filter_recipient is a filter function of its own. It should not be stuffed inside one of the other filter functions.

One other thing I forgot: MIMEdefang must actually be told that you want it to run a filter_recipient function, by starting it with the -t option. If you don't give that option it'll just ignore any filter_recipient function you might have in your filter script. Bit me more than once, that one.

> Could location be part of the equation that I'm missing?

Well, of course where you place code makes all the difference. In programming, where you place a piece of code determines when it is run.

If you are unsure how all of this hangs together, perhaps it would be best to post your mimedefang-filter script in its entirety so knowledgeable people can have a look at it.

HTH
T.
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
Date: Mon, 25 Mar 2013 23:43:15 +0100
From: t.schmidt

>>> your filter_recipient could in fact be as simple as:
>>>
>>>     sub filter_recipient {
>>>         my($recip, $sender, $ip, $host, $first, $helo, $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_;
>>>         return md_check_against_smtp_server($sender, $recip, "filter server's external DNS name", "internal private address");
>>>     }
>>
>> OK, so I tried this simple strip of code, just to get it to reject unknown users without logging. It still doesn't seem to be working.
>
> That doesn't match what I am observing. With my very similar setup I get log entries for all rejections. So whatever it is that rejects unknown users in your setup, I'm pretty sure it isn't that filter_recipient function.
>
> What exactly do you mean by "reject unknown users without logging", anyway? What happens when a server attempts to deliver a mail message for an unknown user? What response does the sending server get? What does your server log? Nothing at all? That would be very odd. In my experience, Sendmail always logs at least the connection attempt. Please show an actual log excerpt.

I get the normal sendmail logs, but since my filter is a relay, it doesn't know what users exist, so it accepts the email, and then has to send a bounce message. When I said "reject without logging", I meant md_graphdefang_log.

> One other thing I forgot: MIMEdefang must actually be told that you want it to run a filter_recipient function, by starting it with the -t option. If you don't give that option it'll just ignore any filter_recipient function you might have in your filter script. Bit me more than once, that one.

I modified the mimedefang init script as follows. Is this correct for what you meant? (Previously the -t wasn't there.)

    daemon $PROGDIR/$prog-multiplexor -t -p /var/spool/MIMEDefang/$prog-multiplexor.pid \

ps ax |grep mimedefang reports this:

    32559 ?        S      0:00 /usr/bin/mimedefang-multiplexor -t -p /var/spool/MIMEDefang/mimedefang-multiplexor.pid -m 2 -x 10 -y 0 -U defang -b 600 -l -s /var/spool/MIMEDefang/mimedefang-multiplexor.sock
    32560 ?        S      0:12 /usr/bin/perl /usr/bin/mimedefang.pl -server
    32575 ?        Sl     0:00 /usr/bin/mimedefang -P /var/spool/MIMEDefang/mimedefang.pid -m /var/spool/MIMEDefang/mimedefang-multiplexor.sock -R -1 -U defang -q -p /var/spool/MIMEDefang/mimedefang.sock
    32588 ?        S      0:00 /usr/bin/perl /usr/bin/mimedefang.pl -server

>> Could location be part of the equation that I'm missing?
>
> Well, of course where you place code makes all the difference. In programming, where you place a piece of code determines when it is run.
>
> If you are unsure how all of this hangs together, perhaps it would be best to post your mimedefang-filter script in its entirety so knowledgeable people can have a look at it.

Is this forum a good place to post in entirety, or somewhere else? It really is simple mods to the stock mimedefang-filter.
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
On Mon, 2013-03-25 at 17:00 -0700, kd6...@yahoo.com wrote:

> This is what I saw:
>
>     if ($retval ne 'CONTINUE') {
>         $sock->print("QUIT\r\n");
>
> Looks pretty conditional to me. If the return value is the continue literal, no quit is issued.

I've now pulled mimedefang.pl.in from the 2.73 tarball off the website. Here's the function from HELO onwards:

    $sock->print("HELO $helo\r\n");
    $sock->flush();
    ($retval, $code, $dsn, $text) = get_smtp_return_code($sock, $recip, $server);
    if ($retval ne 'CONTINUE') {
        $sock->print("QUIT\r\n");
        $sock->flush();
        # Swallow return value
        get_smtp_return_code($sock, $recip, $server);
        $sock->close();
        return ($retval, $text, $code, $dsn);
    }
    $sock->print("MAIL FROM:<$sender>\r\n");
    $sock->flush();
    ($retval, $code, $dsn, $text) = get_smtp_return_code($sock, $recip, $server);
    if ($retval ne 'CONTINUE') {
        $sock->print("QUIT\r\n");
        $sock->flush();
        # Swallow return value
        get_smtp_return_code($sock, $recip, $server);
        $sock->close();
        return ($retval, $text, $code, $dsn);
    }
    $sock->print("RCPT TO:<$recip>\r\n");
    $sock->flush();
    ($retval, $code, $dsn, $text) = get_smtp_return_code($sock, $recip, $server);
    $sock->print("QUIT\r\n");
    $sock->flush();
    # Swallow return value
    get_smtp_return_code($sock, $recip, $server);
    $sock->close();
    return ($retval, $text, $code, $dsn);

Here, in the last chunk, is the unconditional QUIT. The other, conditional, QUIT commands handle error cases. If the whitespace was like this instead, it'd be easier to see:

    $sock->print("RCPT TO:<$recip>\r\n");
    $sock->flush();
    ($retval, $code, $dsn, $text) = get_smtp_return_code($sock, $recip, $server);

    $sock->print("QUIT\r\n");
    ...

-- 
Richard
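An added example, not MIMEDefang's own code: the same HELO / MAIL FROM / RCPT TO / QUIT sequence written so that QUIT is issued on every exit path, including the success path kd6lvw was worried about, and run against a scripted in-memory stand-in for the internal server so the behaviour can be checked offline. FakeSmtp, read_reply, call_ahead and the canned replies are all constructed for this example; the return list follows the ($retval, $text, $code, $dsn) order of the mimedefang.pl excerpt.

```perl
use strict;
use warnings;

package FakeSmtp;
# Stand-in for the socket: answers each command from a script of canned
# replies and records everything the client sent, so a test can confirm
# that QUIT really was issued. Constructed for this example only.
sub new {
    my ($class, %replies) = @_;
    my $self = bless { replies => \%replies, sent => [], queue => [], open => 1 }, $class;
    push @{ $self->{queue} }, split /(?<=\n)/, $replies{GREETING};   # 220 banner
    return $self;
}
sub print {
    my ($self, $line) = @_;
    push @{ $self->{sent} }, $line;
    my ($verb) = $line =~ /^(\w+)/;
    my $reply = $self->{replies}{ uc($verb // '') } // "502 5.5.1 Command not implemented\r\n";
    push @{ $self->{queue} }, split /(?<=\n)/, $reply;   # one queue entry per reply line
    return 1;
}
sub flush   { 1 }
sub getline { shift @{ $_[0]{queue} } }
sub close   { $_[0]{open} = 0; 1 }
sub sent_quit { scalar grep { /^QUIT\r\n$/ } @{ $_[0]{sent} } }

package main;

# Read one SMTP reply, following "250-" continuation lines until the
# "250 " final line, and classify it the way get_smtp_return_code does.
sub read_reply {
    my ($sock) = @_;
    my ($code, $dsn, $text);
    while (defined(my $line = $sock->getline)) {
        $line =~ s/\r?\n$//;
        my ($c, $sep, $rest) = $line =~ /^(\d{3})([ -])(.*)$/
            or return ('TEMPFAIL', "Unparseable reply: $line", '451', '4.3.0');
        ($code, $text) = ($c, $rest);
        last if $sep eq ' ';       # space after the code ends the reply
    }
    return ('TEMPFAIL', 'Connection closed', '451', '4.4.1') unless defined $code;
    # Split off an enhanced status code (e.g. "5.1.1 User unknown") if present.
    if ($text =~ /^([245]\.\d{1,3}\.\d{1,3})\s*(.*)$/) { ($dsn, $text) = ($1, $2) }
    $dsn //= $code =~ /^2/ ? '2.0.0' : $code =~ /^4/ ? '4.0.0' : '5.0.0';
    my $retval = $code =~ /^2/ ? 'CONTINUE' : $code =~ /^4/ ? 'TEMPFAIL' : 'REJECT';
    return ($retval, $text, $code, $dsn);
}

# Send QUIT, swallow the 221, close. Every path through call_ahead ends here.
sub finish {
    my ($sock, @result) = @_;
    $sock->print("QUIT\r\n");
    $sock->flush();
    read_reply($sock);
    $sock->close();
    return @result;
}

# The call-ahead proper: stop at the first non-2xx reply, but always QUIT.
sub call_ahead {
    my ($sock, $sender, $recip, $helo) = @_;
    my @r = read_reply($sock);                     # server banner
    return finish($sock, @r) if $r[0] ne 'CONTINUE';
    for my $cmd ("HELO $helo", "MAIL FROM:<$sender>", "RCPT TO:<$recip>") {
        $sock->print("$cmd\r\n");
        $sock->flush();
        @r = read_reply($sock);
        last if $r[0] ne 'CONTINUE';
    }
    return finish($sock, @r);
}

# Constructed scripts: a server that knows the recipient and one that does not.
my %known = (
    GREETING => "220 mail.int.example ESMTP\r\n",
    HELO     => "250-mail.int.example\r\n250 SIZE 10240000\r\n",   # multi-line reply
    MAIL     => "250 2.1.0 Ok\r\n",
    RCPT     => "250 2.1.5 Ok\r\n",
    QUIT     => "221 2.0.0 Bye\r\n",
);
my %unknown = (%known, RCPT => "550 5.1.1 <nobody\@example.org>: User unknown\r\n");

for my $script (\%known, \%unknown) {
    my $srv = FakeSmtp->new(%$script);
    my ($retval, $text, $code, $dsn) =
        call_ahead($srv, 'sender@example.net', 'nobody@example.org', 'filter.example.net');
    printf "%-8s %s %s %-40s quit_sent=%d\n", $retval, $code, $dsn, $text, $srv->sent_quit;
}
```

Swapping FakeSmtp for an IO::Socket::INET handle gives the real thing, since only print, flush, getline and close are used.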
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
On Mon, 25 Mar 2013 13:53:34 -0700 (PDT) kd6...@yahoo.com wrote:

> Although this will issue a QUIT when an error is returned, it does NOT do so when the transaction succeeds to the point where 'DATA' is normally issued.
>
> There are at least two blacklisting DNSBLs that track systems that track callbacks and the failure to issue QUIT. This is a good way to get listed and therefore banned.

Two comments:

1) Read the MIMEDefang source, not the purported source as published by a poster on this list.

2) md_check_against_smtp_server is intended to be used against servers you control. If you want to blacklist your own MIMEDefang relay... *shrug*

-- 
David.
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
--- On Mon, 3/25/13, David F. Skoll d...@roaringpenguin.com wrote:

> On Mon, 25 Mar 2013 13:53:34 -0700 (PDT) kd6...@yahoo.com wrote:
>
>> Although this will issue a QUIT when an error is returned, it does NOT do so when the transaction succeeds to the point where 'DATA' is normally issued.
>>
>> There are at least two blacklisting DNSBLs that track systems that track callbacks and the failure to issue QUIT. This is a good way to get listed and therefore banned.
>
> Two comments:
>
> 1) Read the MIMEDefang source, not the purported source as published by a poster on this list.

I was responding directly to what was posted to the list, which has the defect.

> 2) md_check_against_smtp_server is intended to be used against servers you control. If you want to blacklist your own MIMEDefang relay...

That may have been your intent for adding the function, but it can easily be abused to perform callbacks to random servers, especially when used to test the sender's address for validity as a return address.

If it were to be limited to servers under one's control and enforced as such, the routine would have to obtain the recipient's MX-RRset internally and test all higher priority MTAs; thus it would not need the remote host address parameter. It would determine which host in the MX-RRset it is running on based on the macro variables passed in via the milter interface.
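As an added example that pulls the corrections in this thread together (not code from any poster or from the MIMEDefang project): a filter_recipient that only calls ahead for domains this relay is actually responsible for, which keeps the check pointed at servers you control as David intends; captures the four return values in the ($retval, $text, $code, $dsn) order Kees pointed out; compares against the all-capitals REJECT; logs via md_graphdefang_log; and returns a list filter_recipient accepts. It assumes the filter API as used on this page (md_check_against_smtp_server, md_graphdefang_log, the filter_recipient argument list) and a mimedefang-multiplexor started with -t; the %CALLAHEAD table and $HELO_NAME are constructed placeholders.

```perl
# Goes into mimedefang-filter. Added example, not the project's own code.
use strict;
use warnings;

# Domains this relay accepts mail for, and the internal host that knows their
# users. Anything not listed is refused here instead of being probed somewhere.
# Placeholder values; replace with your own.
my %CALLAHEAD = (
    'mydomain.com' => '192.168.1.10',
    'example.org'  => 'mail.int.example.org',
);

# Name this relay announces in the HELO of the call-ahead. Placeholder.
my $HELO_NAME = 'filter.example.com';

sub filter_recipient {
    my ($recip, $sender, $ip, $host, $first, $helo,
        $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_;

    # The address may arrive as <user@domain>; strip the brackets only for
    # the domain lookup and pass $recip through to the call-ahead unchanged.
    (my $addr = $recip) =~ s/^<(.*)>$/$1/;
    my ($domain) = $addr =~ /\@([^@]+)$/;
    $domain = lc($domain // '');

    my $server = $CALLAHEAD{$domain};
    unless (defined $server) {
        md_graphdefang_log('norelay', $recip, $sender);
        return ('REJECT', 'Relay access denied', '554', '5.7.1');
    }

    # Assign the result; the source returns ($retval, $text, $code, $dsn).
    my ($retval, $text, $code, $dsn) =
        md_check_against_smtp_server($sender, $recip, $HELO_NAME, $server);

    # Compare against the literal the function returns, in capitals.
    if ($retval eq 'REJECT') {
        md_graphdefang_log('notauser', $recip, $sender);
    } elsif ($retval eq 'TEMPFAIL') {
        md_graphdefang_log('callahead_tempfail', $recip, $server);
    }
    # CONTINUE is not logged here: filter_end's mail_in / spam entries
    # already cover accepted recipients.

    # The internal server's verdict is already a valid filter_recipient
    # return value, so hand it straight back to the MTA (no bounce later).
    return ($retval, $text, $code, $dsn);
}
```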
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
Date: Mon, 25 Mar 2013 20:35:53 -0700
From: kd6...@yahoo.com

> I was responding directly to what was posted to the list, which has the defect.

The original post was a cut/paste from my /usr/bin/mimedefang.pl file (version 2.70-1).

>> 2) md_check_against_smtp_server is intended to be used against servers you control. If you want to blacklist your own MIMEDefang relay...
>
> That may have been your intent for adding the function, but it can easily be abused to perform callbacks to random servers, especially when used to test the sender's address for validity as a return address.
>
> If it were to be limited to servers under one's control and enforced as such, the routine would have to obtain the recipient's MX-RRset internally and test all higher priority MTAs; thus it would not need the remote host address parameter. It would determine which host in the MX-RRset it is running on based on the macro variables passed in via the milter interface.

From what I have read of the documentation (man mimedefang-filter, "Rejecting Unknown Users Early" section), md_check_against_smtp_server is meant to verify that the email address someone is sending to actually exists on the server they are trying to send to (through the filter server that is running mimedefang). To the best of my knowledge it doesn't check the sender to make sure that the sender exists on the domain of the sending email address.

    FILTERING BY RECIPIENT
        You can define a function called filter_recipient in your filter. This lets
        you reject messages to certain recipients, rather than waiting until the whole
        message has been sent. Note that for this check to take place, you must use
        the -t flag with mimedefang.

Can someone verify that modifying the /etc/rc.d/init.d/mimedefang script to

    daemon $PROGDIR/$prog-multiplexor -p /var/spool/MIMEDefang/$prog-multiplexor.pid -t \

OR

    daemon $PROGDIR/$prog-multiplexor -t -p /var/spool/MIMEDefang/$prog-multiplexor.pid \

is what is meant, OR am I misunderstanding what it means to run it with the -t option? I think this may be why my md_check_against_smtp_server doesn't appear to be working.

-Bill Curtis
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
> Am 23.03.2013 01:43, schrieb James Curtis:
>
>>     # yea, I know that the DNSBL is more efficient in sendmail, but I want to know how many blocked for what user by blacklist.
>>     if ($result = (relay_is_blacklisted($RelayAddr, "zen.spamhaus.org"))) {
>>         md_graphdefang_log('spamhaus', $hits, $RelayAddr);
>>         return action_bounce("reject: mail from " . ($RelayHostname || $RelayAddr) . " rejected due to http://www.spamhaus.org/zen");
>>         # the reject works, but graphdefang log shows the Subject instead of Relay address
>>     }
>
> That's strange. Please show an example log entry.

Sample log entries:

email from address listed on spamcop to an invalid user

    Mar 24 09:39:05 monitor mimedefang.pl[15805]: MDLOG,r2ODcuhx026963,spamcop,,217.29.152.157,b281eb9a10bb86...@bouncehere.com,luvme_mwa...@mydomain.com,Huge 79%25 discount for luvme_mwah13

email from address listed on spamhaus to an invalid user

    Mar 24 09:44:06 monitor mimedefang.pl[15805]: MDLOG,r2ODhv3a027039,spamhaus,,31.16.181.217,c20195935f81d7e31...@reass.co.uk,sandseatra...@mydomain.com,Huge 83%25 discount for sandseatravel

Invalid user with low spam score

    Mar 22 18:46:23 monitor mimedefang.pl[29141]: MDLOG,r2MMkKhj002512,mail_in,2.344,88.43.32.209,thedix...@pathwaysunlimited.com,alice...@mydomain.com,hope

valid user with low spam score

    Mar 22 20:11:52 monitor mimedefang.pl[29141]: MDLOG,r2N0Bolt004255,mail_in,0.939,23.19.31.184,langly.thomp...@gointohere.com,us...@mydomain.com,Relieve Your Tax Debt Today

Invalid user with low spam score

    Mar 22 18:46:23 monitor mimedefang.pl[29141]: MDLOG,r2MMkKhj002512,mail_in,2.344,88.43.32.209,thedix...@pathwaysunlimited.com,alice...@mydomain.com,hope

invalid user with high spam score

    Mar 24 02:01:01 monitor mimedefang.pl[15805]: MDLOG,r2O610nv008049,spam,17.521,118.179.250.162,ops_invo...@adp.com,ack_serpe...@mydomain.com,Huge 70%25 discount for ack_serpents

>>     sub filter_recipient {
>>         my($recip, $sender, $ip, $host, $first, $helo, $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_;
>>         md_check_against_smtp_server($sender, $recip, "filter server's external DNS name", "internal private address");
>>         md_graphdefang_log('notuser', $recip, $sender);
>>         # graphdefang log doesn't log entry as 'notuser', eventually logs it as spam, or mail_in depending on score because of code that follows.
>>         return action_discard();
>>     }
>
> This cannot work. You call md_check_against_smtp_server but never check the result. md_graphdefang_log and action_discard are called unconditionally. If this code was what your MIMEdefang actually runs, all messages would be logged with 'notuser' and discarded.
>
> So there must be something else wrong. Perhaps your MIMEdefang is not using the filter script you think it does. Perhaps filter_recipient is redefined later. Perhaps it's a simple copy/paste error or your sanitizing.

I guess I need a mimedefang-filter and Perl for dummies book. Is there a place I can find such a document? It seems to be working, but not when I would like. I have gotten by with code snips from other configs, but adding functionality for features that aren't as documented as other features. How do I know what outputs a command will produce when called so I can base an if rule against it?

I just now realized that the unknown user reports are because I had to enable the recipient filter on the internal server, so that explains why the bounces are going out. But I really want it to check before sending so it doesn't accept, instead of bounce.

Bill
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
--- On Sun, 3/24/13, James Curtis jameswcur...@hotmail.com wrote:

>     # yea, I know that the DNSBL is more efficient in sendmail, but I want to know how many blocked for what user by blacklist.
>     if ($result = (relay_is_blacklisted($RelayAddr, "zen.spamhaus.org"))) {
>         md_graphdefang_log('spamhaus', $hits, $RelayAddr);
> ...
>         # the reject works, but graphdefang log shows the Subject instead of Relay address

Is the variable $hits empty at this point? That would explain why the subject (which is the field which follows the relay address) is being read instead of the address. The empty field may cause an omitted comma.
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
Date: Fri, 22 Mar 2013 21:49:31 -0700
From: kd6lvw

> --- On Fri, 3/22/13, James Curtis jameswcur...@hotmail.com wrote:
>
>> I don't have any sendmail configuration that checks for bad users.
>
> If you're using the default provided rulesets, you do have a configuration that checks for bad users.

I guess I should have mentioned, my mimedefang server is just a filter. It filters, then forwards to an internal server.

Bill
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
Am 23.03.2013 05:49, schrieb kd6...@yahoo.com:

> --- On Fri, 3/22/13, James Curtis jameswcur...@hotmail.com wrote:
>
>> I don't have any sendmail configuration that checks for bad users.
>
> If you're using the default provided rulesets, you do have a configuration that checks for bad users.

Sendmail default rulesets only check for bad _local_ users. The OP was inquiring about SMTP call-ahead. Sendmail does not have a default ruleset for that.

-- 
Tilman Schmidt
Phoenix Software GmbH
Bonn, Germany
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
Am 23.03.2013 01:43, schrieb James Curtis:

>     # yea, I know that the DNSBL is more efficient in sendmail, but I want to know how many blocked for what user by blacklist.
>     if ($result = (relay_is_blacklisted($RelayAddr, "zen.spamhaus.org"))) {
>         md_graphdefang_log('spamhaus', $hits, $RelayAddr);
>         return action_bounce("reject: mail from " . ($RelayHostname || $RelayAddr) . " rejected due to http://www.spamhaus.org/zen");
>         # the reject works, but graphdefang log shows the Subject instead of Relay address
>     }

That's strange. Please show an example log entry.

>     sub filter_recipient {
>         my($recip, $sender, $ip, $host, $first, $helo, $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_;
>         md_check_against_smtp_server($sender, $recip, "filter server's external DNS name", "internal private address");
>         md_graphdefang_log('notuser', $recip, $sender);
>         # graphdefang log doesn't log entry as 'notuser', eventually logs it as spam, or mail_in depending on score because of code that follows.
>         return action_discard();
>     }

This cannot work. You call md_check_against_smtp_server but never check the result. md_graphdefang_log and action_discard are called unconditionally. If this code was what your MIMEdefang actually runs, all messages would be logged with 'notuser' and discarded.

So there must be something else wrong. Perhaps your MIMEdefang is not using the filter script you think it does. Perhaps filter_recipient is redefined later. Perhaps it's a simple copy/paste error or your sanitizing.

HTH
T.

-- 
Tilman Schmidt
Phoenix Software GmbH
Bonn, Germany
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
On Fri, 22 Mar 2013 21:49:31 -0700 (PDT) kd6...@yahoo.com wrote:

> If you're using the default provided rulesets, you do have a configuration that checks for bad users.

He's using Sendmail as a relay. No local users.

-- 
David.
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
--- On Fri, 3/22/13, James Curtis jameswcur...@hotmail.com wrote:

> I'm trying to piece together a filter that logs and blocks traffic that is unnecessary. I can't get md_graphdefang_log to put in an entry for items that are refused because of 'User unknown' responses.

The problem is that when Sendmail has already determined an error has occurred based on its rulesets, the corresponding milter function is NOT called - thus there will be no such log entry for the above error unless your MD filter code determines that the user is unknown, not sendmail. I don't know whether other MTAs (e.g. postfix) that have the milter interface behave similarly.

This means that the only things that MD will get to log are things that passed the MTA's checks. In part, this makes sense in that there's no reason to call the milter if the MTA has already determined an error.
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
Date: Fri, 22 Mar 2013 18:56:44 -0700

> --- On Fri, 3/22/13, James Curtis jameswcur...@hotmail.com wrote:
>
>> I'm trying to piece together a filter that logs and blocks traffic that is unnecessary. I can't get md_graphdefang_log to put in an entry for items that are refused because of 'User unknown' responses.
>
> The problem is that when Sendmail has already determined an error has occurred based on its rulesets, the corresponding milter function is NOT called - thus there will be no such log entry for the above error unless your MD filter code determines that the user is unknown, not sendmail.

I don't have any sendmail configuration that checks for bad users. If I take out the

    md_check_against_smtp_server($sender, $recip, "mail.hml.com", "192.168.1.10");

it doesn't block any unknown users.

-Bill
Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log
--- On Fri, 3/22/13, James Curtis jameswcur...@hotmail.com wrote:

> I don't have any sendmail configuration that checks for bad users.

If you're using the default provided rulesets, you do have a configuration that checks for bad users.