Re: Mail Server (seeking recommendations)
> >We have settled on
> >what software to use for everything but the mail server.
>
> I'm reasonably happy using the Courier-MTA suite on OpenBSD. It's had
> four reported vulnerabilities
> (http://secunia.com/product/2557/?task=advisories), three DOS and one
> remote-code-execution in a corner case (debug logging enabled).
>

This is a stupid measure.. Here's my new MTA - it's super secure trust me. It has had no reported vulnerabilities - so it must be better than everything else. Use it.

Of course I haven't yet decided if I'm going to replace sendmail with it. of course sendmail had so many vulnerabilities back when I was thin and had a mullet that this must be more secure.

--8<- Super secure MTA 8<-
#!/bin/sh
echo "stmp stream tcp nowait root /bin/sh supersecuremail" >> /etc/inetd.conf
pkill -HUP inetd
--8<
Re: Mail Server (seeking recommendations)
On Fri, Apr 13, 2007 at 09:33:00PM -0400, Steven Presser wrote:
> Hello,
> I'm working for a small company which has settled on OpenBSD as its
> server software (because the security is excellent). We have settled on
> what software to use for everything but the mail server. I'd like to
> request recommendations from the knowledgeable people of this
> list. The priorities for the mail server are:
> 1. Security
> 2. Usability (for the end user - not everyone is technically skilled,
> although the setup can be done for anyone who needs help)
> 3. Ease of setup
> 4. Scalability
> Obviously the first is by far the most important. The other three
> are more perks than anything else.

I'm going to go with the Postfix/Dovecot chorus here, which has worked very well for me, with one caveat: Dovecot doesn't like concurrent access to mailboxes. There were plans to fix this a while ago, but the sole batch of users who often use concurrent mailboxes are still unhappy about this. (Dovecot doesn't eat data or anything; it just drops the connection.)

As to spam control, greylisting works very well; spamd or postgrey will be extremely helpful.

Joachim

--
TFMotD: dump (8) - filesystem backup
Re: using spamd to block outbound spam
On Fri, Apr 13, 2007 at 10:17:51PM -0400, Paolo Supino wrote:
> Hi Bob
>
> The webapp does talk to a real mail server: on localhost (IIS6 SMTP
> service). When a spammer abuses the webapp the email is actually sent
> via the local mail server and not directly from the webapp to all the
> mail servers on the Internet. Rate limiting isn't an option because
> emails must be out the door within a very short time frame from the
> moment a set of events is triggered in the webapp.
> Right now the only way I can think of is limit the SMTP service to
> connect only to authorized remote SMTP servers that I will manage
> manually (I'm in the process of checking how often I would have to
> change the list to see if it's feasible). You wrote that I can do it
> with spamd, how?
> Another option I thought of is setting up a sendmail relay on another
> computer and let that sendmail only relay specific emails according to a
> set of criteria (that fit only valid emails).

You are going about this all wrong. First step is finding a suitable blunt instrument and getting the developers to fix it. The second step is configuring rate limiting, along the lines of '1000 mails/hour'; this will allow a large batch of e-mail to get through immediately, but stop spammers. What you're planning now is both less effective and way more work.

Joachim
Re: using spamd to block outbound spam
> You are going about this all wrong. First step is finding a suitable
> blunt instrument and getting the developers to fix it. The second step
> is configuring rate limiting, along the lines of '1000 mails/hour';
> this will allow a large batch of e-mail to get through immediately, but
> stop spammers. What you're planning now is both less effective and way
> more work.
>

exactly. spamd is not useful for this. just rate limit it. or better yet, rate limit the source connections into the web script, so one source can only make X many connections in 10 minutes or something - also easily doable with pf.

-Bob
uxterm problem
I'm using a recent snapshot. I used to be able to type in unicode characters using vim-no_x11 or even using ed(1) under uxterm. It is no longer possible. The characters I was able to type were the Turkish characters dotless i, g breve and s cedilla. I have the line "XkbLayout" "tr" in xorg.conf. I think the problem is related to uxterm.
Re: Mail Server (seeking recommendations)
On 4/14/07, Joachim Schipper <[EMAIL PROTECTED]> wrote:
On Fri, Apr 13, 2007 at 09:33:00PM -0400, Steven Presser wrote:
> Hello,
> I'm working for a small company which has settled on OpenBSD as its
> server software (because the security is excellent). We have settled on
> what software to use for everything but the mail server. I'd like to
> request recommendations from the knowledgeable people of this
> list. The priorities for the mail server are:
> 1. Security
> 2. Usability (for the end user - not everyone is technically skilled,
> although the setup can be done for anyone who needs help)
> 3. Ease of setup
> 4. Scalability
> Obviously the first is by far the most important. The other three
> are more perks than anything else.

I'm going to go with the Postfix/Dovecot chorus here, which has worked very well for me, with one caveat: Dovecot doesn't like concurrent access to mailboxes. There were plans to fix this a while ago, but the sole batch of users who often use concurrent mailboxes are still unhappy about this. (Dovecot doesn't eat data or anything; it just drops the connection.)

As to spam control, greylisting works very well; spamd or postgrey will be extremely helpful.

My operation has just the most superficial resemblance of a "company" (it's years since I earned any money out of it), but the setup I have is sendfail+spamd on one box and dovecot on another, that works far better than I've ever dreamt of.

Security: at least not much worse than the alternatives
- Only stuff in "base" + dovecot (which hasn't been laughed at too much security-wise, and it's got a security stance)

Ease of setup: Quite.
- Dovecot is in ports (v1.0.0 checked in yesterday)
- The version I believe is in 4.1 (1.0.rc22) is the one I run (from a late february snapshot) hasn't failed me at all (but see the errata at http://dovecot.org/oldnews.html)
- sendfail setup has never been easier than with the exquisite OpenBSD documentation
- ditto spamd

Scalability: I think so, but I might have fallen prey to a certain level of hype. Especially Dovecot seems to have a good track record.

I don't know much about ease of use by end users. I find it easy but I don't think I'm typical. My few users (mainly in the family) asked me to set their mail up, but I do have the users I deserve...

--
Eke Nordin, moose (a) {stacken.kth|enting|netia} (o) se
Re: using spamd to block outbound spam
Hi Kyle

1. Fixing the code is impossible :-( I already tried it, the developers keep saying that their code is sound and safe. I've shown logs and statistics to the bosses of the company that owns the webapp, but the only response I got was: "fix it" (they aren't making the connection between the webapp and the spam emails). The only thing I can do to prove my point is exploit the webapp in front of them, but I don't know how to do that.
2. I currently don't have any suitable SMTP server that I can do 2 and see 1 above about changing the code.
3. Once the OpenBSD firewall will be in place I'll probably go with setting up rate limiting via sendmail, though I'd rather not run any servers on the firewall.

TIA
Paolo

Kyle George wrote:
On Fri, 13 Apr 2007, Paolo Supino wrote:
The webapp does talk to a real mail server: on localhost (IIS6 SMTP service). When a spammer abuses the webapp the email is actually sent via the local mail server and not directly from the webapp to all the mail servers on the Internet. Rate limiting isn't an option because emails must be out the door within a very short time frame from the moment a set of events is triggered in the webapp.

You could:
1) Make them fix the code
2) Uninstall the IIS SMTP service and make them change the code to send through a trusted host that can rate limit, filter, etc.
3) http://support.microsoft.com/kb/308161, see "smart host"

(2) and (3) would let you configure an MTA to filter this mess. The best option is for them to fix their code AND use (2) or (3). It makes sense to have untrusted applications send through the network's MTA(s) and to put the machine behind pf blocking outgoing port 25. You don't want to get blacklisted. Also, code that's letting this happen likely has many other problems. I'd isolate it.
Re: using spamd to block outbound spam
* Paolo Supino <[EMAIL PROTECTED]> [2007-04-14 08:43]:
> Hi Kyle
>
> 1. Fixing the code is impossible :-( I already tried it, the developers
> keep saying that their code is sound and safe. I've shown logs and
> statistics to the bosses of the company that owns the webapp, but the
> only response I got was: "fix it" (they aren't making the connection
> between the webapp and the spam emails). The only thing I can do to
> prove my point is exploit the webapp in front of them, but I don't know
> how to do that.

Sounds like a problem best fixed by printing resumes. Problems with stupid people are not best solved by technical means.

-Bob
Re: using spamd to block outbound spam
* Paolo Supino <[EMAIL PROTECTED]> [2007-04-14 16:43]:
> 1. Fixing the code is impossible :-( I already tried it, the developers
> keep saying that their code is sound and safe. I've shown logs and
> statistics to the bosses of the company that owns the webapp, but the
> only response I got was: "fix it" (they aren't making the connection
> between the webapp and the spam emails). The only thing I can do to
> prove my point is exploit the webapp in front of them, but I don't know
> how to do that.

then you should obviously find out how to do the latter. you cannot fix this problem without fixing the buggy application.

--
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
azalia0 sound
I am running 4.1-current on a Thinkpad X60S. I have searched the @misc archives and read the FAQ, but I have yet to come across the method by which to increase the system's volume when using azalia0.

The Volume buttons on my Thinkpad X60S work. If I try to advance beyond the end of a man page, for example, it emits a VERY loud beep. After I do that, I can then hear very faint sound when playing multimedia. However, if I reboot OpenBSD, startx, and xmms .mp3, I will hear nothing. When I try to use the volume buttons, I can increase the volume of the beeping noise that occurs when you try to advance beyond the end of a man page; I can also mute the warning beep. However, I cannot increase the sound when any multimedia files are being played by xmms or mplayer.

Here is the output of mixerctl -a:

outputs.dac02.source=hdaudio
outputs.lineout.source=dac03
outputs.lineout.mute=off
outputs.lineout=125,125
outputs.lineout=85,85
outputs.lineout.dir=output
outputs.lineout.boost=off
outputs.hp.source=dac03
outputs.hp.mute=off
outputs.hp=125,125
outputs.hp.boost=off
outputs.mono.mute=off
outputs.mono=125
outputs.mic=85,85
outputs.linein.source=dac03
outputs.linein.mute=off
outputs.linein=125,125
outputs.linein=85,85
outputs.linein.dir=output
inputs.sel0b.source=dac03
inputs.beep.source=beep10
outputs.beep.mute=off
outputs.beep=119
outputs.sel11.mute=off
outputs.sel11=123,123
outputs.sel12.mute=off
outputs.sel12=123,123
outputs.sel13.mute=off
outputs.sel13=123,123
outputs.pow14.source=beep
inputs.sel15.source=mix0c
outputs.sel15.mute=off
outputs.sel15=119,119
outputs.mic2.source=dac03
outputs.mic2.mute=off
outputs.mic2=125,125
outputs.mic2=85,85
outputs.mic2.dir=input
outputs.sel1a.mute=off
outputs.sel1a=123,123
outputs.sel1b.mute=off
outputs.sel1b=123,123
outputs.sel1c.mute=off
outputs.sel1c=123,123
outputs.speaker.mute=off
outputs.speaker=123,123
outputs.sel1e.mute=off
outputs.sel1f.mute=off
inputs.usingdac=03

Because there is no outputs.master is this why I cannot adjust the volume?

Thanks for looking...

Openbsdfan.
Re: using spamd to block outbound spam
Hi Joachim

I know that right now I'm mostly going at it in the wrong way but I have to fix it quickly and without changing the infrastructure. I'm not a windows or layer 7 person but rather a layer 1 to layer 4 in my background, so I'm trying to find a solution in those layers. I work in an environment where I'm told: Fix it without spending money ...

The webapp development was outsourced thus the developers aren't local. Blunt objects aren't an option :-(

The legitimate email structure (subject and content) is pretty limited and steady. Will sendmail + procmail to filter emails be a solution?

I will try to implement rate limiting.

TIA
Paolo

Joachim Schipper wrote:
On Fri, Apr 13, 2007 at 10:17:51PM -0400, Paolo Supino wrote:
Hi Bob

The webapp does talk to a real mail server: on localhost (IIS6 SMTP service). When a spammer abuses the webapp the email is actually sent via the local mail server and not directly from the webapp to all the mail servers on the Internet. Rate limiting isn't an option because emails must be out the door within a very short time frame from the moment a set of events is triggered in the webapp.

Right now the only way I can think of is limit the SMTP service to connect only to authorized remote SMTP servers that I will manage manually (I'm in the process of checking how often I would have to change the list to see if it's feasible). You wrote that I can do it with spamd, how?

Another option I thought of is setting up a sendmail relay on another computer and let that sendmail only relay specific emails according to a set of criteria (that fit only valid emails).

You are going about this all wrong. First step is finding a suitable blunt instrument and getting the developers to fix it. The second step is configuring rate limiting, along the lines of '1000 mails/hour'; this will allow a large batch of e-mail to get through immediately, but stop spammers. What you're planning now is both less effective and way more work.

Joachim
Re: using spamd to block outbound spam
* Paolo Supino <[EMAIL PROTECTED]> [2007-04-14 17:16]:
> I know that right now I'm mostly going at it in the wrong way but I
> have to fix it quickly and without changing the infrastructure. I'm not
> a windows or layer 7 person but rather a layer 1 to layer 4 in my
> background, so I'm trying to find a solution in those layers. I work in
> an environment where I'm told: Fix it without spending money ...

I have a layer 1 solution for you: cut the cable. quick!

--
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
Re: using spamd to block outbound spam
On Sat, Apr 14, 2007 at 11:06:43AM -0400, Paolo Supino wrote:
> Hi Joachim
>
> I know that right now I'm mostly going at it in the wrong way but I
> have to fix it quickly and without changing the infrastructure. I'm not
> a windows or layer 7 person but rather a layer 1 to layer 4 in my
> background, so I'm trying to find a solution in those layers. I work in
> an environment where I'm told: Fix it without spending money ...
> The webapp development was outsourced thus the developers aren't
> local. Blunt objects aren't an option :-(
> The legitimate email structure (subject and content) is pretty
> limited and steady. Will sendmail + procmail to filter emails be a
> solution?
> I will try to implement rate limiting.

I don't do sendmail, but I'm certain it can be made to run outgoing mail through a filter of some sort. milter_regex or something similar might be a better fit than procmail, though.

Joachim

--
PotD: x11/915resolution - change resolution on available vbios modes for i8x5/9x5
Re: azalia0 sound
On 4/14/07, openbsd fan <[EMAIL PROTECTED]> wrote:
outputs.speaker=123,123
Because there is no outputs.master is this why I cannot adjust the volume?

did you try adjusting the speaker volume?
Re: using spamd to block outbound spam
Hi Henning

From the technical aspect, I agree with you. But non technical people don't see (or understand) that :-( I wish I had time to sit down and find out how to exploit the webapp. I tried to bring in a company to do penetration testing, but I was refused the budget for it.

I can't fix the problem completely, but I can put measures in place that will reduce the problem to an acceptable level.

TIA
Paolo

Henning Brauer wrote:
* Paolo Supino <[EMAIL PROTECTED]> [2007-04-14 16:43]:
1. Fixing the code is impossible :-( I already tried it, the developers keep saying that their code is sound and safe. I've shown logs and statistics to the bosses of the company that owns the webapp, but the only response I got was: "fix it" (they aren't making the connection between the webapp and the spam emails). The only thing I can do to prove my point is exploit the webapp in front of them, but I don't know how to do that.

then you should obviously find out how to do the latter. you cannot fix this problem without fixing the buggy application.
Re: using spamd to block outbound spam
* Paolo Supino <[EMAIL PROTECTED]> [2007-04-14 17:53]:
> From the technical aspect, I agree with you. But non technical people
> don't see (or understand) that :-( I wish I had time to sit down and
> find out how to exploit the webapp. I tried to bring in a company to do
> penetration testing, but I was refused the budget for it.
> I can't fix the problem completely, but I can put measures in place
> that will reduce the problem to an acceptable level.

yeah, cut the cable.

otherwise at least tell us the IP address (range) so we can all blacklist it.

really, there is no solution (or even half reasonable band-aid) that is not "fix the application"

--
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
Re: using spamd to block outbound spam
On Saturday 14 April 2007 10:06, Paolo Supino wrote:
> Hi Joachim
>
> I know that right now I'm mostly going at it in the wrong way but
> I have to fix it quickly and without changing the infrastructure. I'm
> not a windows or layer 7 person but rather a layer 1 to layer 4 in my
> background, so I'm trying to find a solution in those layers. I work
> in an environment where I'm told: Fix it without spending money ...
> The webapp development was outsourced thus the developers aren't
> local. Blunt objects aren't an option :-(
> The legitimate email structure (subject and content) is pretty
> limited and steady. Will sendmail + procmail to filter emails be a
> solution?
> I will try to implement rate limiting.

Just a thought -- is it practical for you to have a white list? For example, I am wondering whether you could have a white-list table in pf and configure your openbsd firewall to allow email to go only to addresses in that white list from your app server. That may be easier and more elegant to do with OpenBSD than limiting the smtp service to connect to authorized remote servers using TCPIP settings on Windows.

> TIA
> Paolo
>
> Joachim Schipper wrote:
> > On Fri, Apr 13, 2007 at 10:17:51PM -0400, Paolo Supino wrote:
> >> Hi Bob
> >>
> >> The webapp does talk to a real mail server: on localhost (IIS6
> >> SMTP service). When a spammer abuses the webapp the email is
> >> actually sent via the local mail server and not directly from the
> >> webapp to all the mail servers on the Internet. Rate limiting
> >> isn't an option because emails must be out the door within a very
> >> short time frame from the moment a set of events is triggered in
> >> the webapp.
> >> Right now the only way I can think of is limit the SMTP service
> >> to connect only to authorized remote SMTP servers that I will
> >> manage manually (I'm in the process of checking how often I would
> >> have to change the list to see if it's feasible). You wrote that I
> >> can do it with spamd, how?
> >> Another option I thought of is setting up a sendmail relay on
> >> another computer and let that sendmail only relay specific emails
> >> according to a set of criteria (that fit only valid emails).
> >
> > You are going about this all wrong. First step is finding a
> > suitable blunt instrument and getting the developers to fix it. The
> > second step is configuring rate limiting, along the lines of '1000
> > mails/hour'; this will allow a large batch of e-mail to get through
> > immediately, but stop spammers. What you're planning now is both
> > less effective and way more work.
> >
> > Joachim

--
Vijay Sankar
ForeTell Technologies Limited
59 Flamingo Avenue, Winnipeg, MB, Canada R3J 0X6
Phone: +1 (204) 885-9535, E-Mail: [EMAIL PROTECTED]
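
The two pf measures raised in this thread (a per-source connection-rate limit in front of the web script, and a white-list table for outbound SMTP from the app server), sketched as one pf.conf fragment. This is an added example and not part of any poster's message; the interface names, the documentation-range address, the table names, the file path and the 20-connections-per-600-seconds figure are all assumptions.

```pf
# Added example (not from the thread). Every name and number is an assumption.
ext_if = "em0"              # Internet-facing interface (hypothetical)
int_if = "em1"              # interface facing the web/app server (hypothetical)
webapp = "192.0.2.10"       # app server, documentation-range address

# Sources that exceeded the connection rate end up here.
table <abusers> persist

# Remote mail servers the app server may deliver to, one address or
# CIDR block per line. The file must exist before the ruleset loads.
table <mx_ok> persist file "/etc/pf.mx_ok"

# Drop anything from a source already flagged as abusive.
block in quick on $ext_if from <abusers>

# "X many connections in 10 minutes": here 20 completed TCP handshakes
# per 600 seconds per source address. Offenders are added to <abusers>
# and their existing states are flushed.
pass in on $ext_if proto tcp from any to $webapp port www \
    flags S/SA keep state \
    (max-src-conn-rate 20/600, overload <abusers> flush global)

# Outbound SMTP from the app server: default deny with logging, then
# allow only white-listed destinations (last matching rule wins).
# Filtering on the inside interface sees the real source address even
# when NAT is applied on $ext_if.
block in log on $int_if proto tcp from $webapp to any port smtp
pass  in     on $int_if proto tcp from $webapp to <mx_ok> port smtp \
    flags S/SA keep state

# Maintenance at run time:
#   pfctl -t mx_ok   -T add 198.51.100.25    (constructed address)
#   pfctl -t abusers -T show
#   tcpdump -n -e -ttt -i pflog0 port 25     (watch blocked deliveries)
```

pf counts connections, not messages, so this complements rather than replaces an MTA-level limit such as the '1000 mails/hour' suggested earlier in the thread.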
Re: using spamd to block outbound spam
On 4/14/07, Henning Brauer <[EMAIL PROTECTED]> wrote:
* Paolo Supino <[EMAIL PROTECTED]> [2007-04-14 16:43]:
> 1. Fixing the code is impossible :-( I already tried it, the developers
> keep saying that their code is sound and safe. I've shown logs and
> statistics to the bosses of the company that owns the webapp, but the
> only response I got was: "fix it" (they aren't making the connection
> between the webapp and the spam emails). The only thing I can do to
> prove my point is exploit the webapp in front of them, but I don't know
> how to do that.

then you should obviously find out how to do the latter. you cannot fix this problem without fixing the buggy application.

A word of caution: Don't get yourself fired in the process. Be very certain that you have written approval to "break in" when you demonstrate how the webapp can be misused by spammers.

--
Eke Nordin, moose (a) {stacken.kth|enting|netia} (o) se
Re: azalia0 sound
On Sat, Apr 14, 2007 at 10:51:24AM -0400, openbsd fan wrote:
> outputs.lineout=125,125

I have the same Card..

you have to do:

mixerctl outputs.lineout=255,255

but it won't be very loud ;-)

\s

--
GnuPG: 5755FB64

Per aspera ad astra.
Re: Routerboards (was: Re: Routerboard 532 Bounty)
On Thu, Apr 12, 2007 at 10:44:10AM -0400, Bret Lambert scribbled:
# So, a question to the list: besides soekris and WRAP boards (and the
# specific board that began the thread), what tiny, non-PC machines are
# out there and useful?

I've been in contact for some time with the folks at AR Infotek in Taiwan. They're exceedingly nice people and offer some very cool products. I'm trying to get ahold of a small pile of their 3258-245 model to use as OpenBSD+carp firewalls and routers.

The main issue with them is that they aren't a distributor of their product; they mainly sell to system integrators and the like. They do sell in small quantities for evaluation purposes, and OpenBSD has been ported to run on them.

I was (just today) sent a press release from a while back about OpenBSD on their 3xxx series machines:
http://www.arinfotek.com/news/news_d.asp?sty=2&pid=29

--
Jonathan Towne
Re: azalia0 sound
That did it! YOU ROCK!!!

On 4/14/07, Simon Effenberg <[EMAIL PROTECTED]> wrote:
>
> On Sat, Apr 14, 2007 at 10:51:24AM -0400, openbsd fan wrote:
> > outputs.lineout=125,125
>
> I have the same Card..
>
> you have to do:
>
> mixerctl outputs.lineout=255,255
>
> but it won't be very loud ;-)
>
> \s
>
> --
> GnuPG: 5755FB64
>
> Per aspera ad astra.
Re: Finding a ral(4) cardbus card
On Thu, 2007-04-12 at 19:33 -0700, Luke Eckley wrote:
> I am having a hard time finding a ral(4) cardbus card for my laptop. I
> recently bought a Hawking Tech HWC54G - which happens to be acx(4) -
> thinking I was buying a Hawking Tech HWC54GR (which is listed as
> supported by ral(4)).
>
> Searching ebay.com and pricewatch.com I am only turning up the Belkin
> card. I am a little reluctant to purchase that one since ral(4)
> states that it supports version 2 only - and dealers never seem to
> know what version they are selling and I don't want to take another
> gamble.
>

I used this site to find a vendor and chipset:

http://ralink.rapla.net

I thought it used to have more specific revision information but maybe my mind is playing tricks on me a year later. It should at least help expand your available card search.

> Does anyone know of any place that sells a ral(4) supported card?
> Where did everyone get theirs?
>

I use www.newegg.com for anything whenever possible. It's still going to be a minor gamble though.

tom

--
| tmclaugh at sdf.lonestar.org tmclaugh at FreeBSD.org |
| FreeBSD http://www.FreeBSD.org |
| BSD#http://www.mono-project.com/Mono:FreeBSD |
Re: Dynamic DNS (first setup, couple troubles)
--- Tim Judd <[EMAIL PROTECTED]> wrote:
> Thanks for ANY help from all of you excellent people out there. If
> you want a configuration file, they are available at:
> http://usemy.homeunix.org:88/dhcpd.txt
> http://usemy.homeunix.org:88/named.txt

I was seeing if anybody was checking my problem out by viewing the access log on my server, and I found named.txt to be getting error 403 -- which I should have fixed by now. If you still want to address this and want to look at my files, please try again.

thank you all!

If opportunity doesn't knock, build a door.
"I can" is a way of life.
More and Bigger is not always Better.
The road to success is always uphill.
Re: using spamd to block outbound spam
Hi Henning

I appreciate your straight and forward replies :-) but the world isn't black and white and sometimes you have to create work arounds to overcome other people's crap (well most of the time). Unfortunately cutting the cable isn't an acceptable solution (I'll get fired and someone else will come and reconnect it).

The IP range 0.0.0.0/0 to 255.255.255.255/32 should cover it ;-)

TIA
Paolo

Henning Brauer wrote:
* Paolo Supino <[EMAIL PROTECTED]> [2007-04-14 17:53]:
From the technical aspect, I agree with you. But non technical people don't see (or understand) that :-( I wish I had time to sit down and find out how to exploit the webapp. I tried to bring in a company to do penetration testing, but I was refused the budget for it. I can't fix the problem completely, but I can put measures in place that will reduce the problem to an acceptable level.

yeah, cut the cable.

otherwise at least tell us the IP address (range) so we can all blacklist it.

really, there is no solution (or even half reasonable band-aid) that is not "fix the application"
Re: Finding a ral(4) cardbus card
On 4/13/07, Luke Eckley <[EMAIL PROTECTED]> wrote:
I am having a hard time finding a ral(4) cardbus card for my laptop. I recently bought a Hawking Tech HWC54G - which happens to be acx(4) - thinking I was buying a Hawking Tech HWC54GR (which is listed as supported by ral(4)).

Try the Edimax EW-7108PCg (Ralink Rt2500 chipset). Scan (www.scan.co.uk) and Newegg are selling them.

--
ach
Re: using spamd to block outbound spam
Hi Vijay

In one of my replies I did write that I was checking what it means to manage a white list (I didn't use the term white list though) to block outgoing spam but since the new firewall isn't in place yet (and it will be a couple of weeks before I can install it) I thought of doing it in the IIS6 SMTP service (this isn't the place to discuss IIS6 SMTP configurations).

TIA
Paolo

Vijay Sankar wrote:
On Saturday 14 April 2007 10:06, Paolo Supino wrote:
Hi Joachim

I know that right now I'm mostly going at it in the wrong way but I have to fix it quickly and without changing the infrastructure. I'm not a windows or layer 7 person but rather a layer 1 to layer 4 in my background, so I'm trying to find a solution in those layers. I work in an environment where I'm told: Fix it without spending money ...

The webapp development was outsourced thus the developers aren't local. Blunt objects aren't an option :-(

The legitimate email structure (subject and content) is pretty limited and steady. Will sendmail + procmail to filter emails be a solution?

I will try to implement rate limiting.

Just a thought -- is it practical for you to have a white list? For example, I am wondering whether you could have a white-list table in pf and configure your openbsd firewall to allow email to go only to addresses in that white list from your app server. That may be easier and more elegant to do with OpenBSD than limiting the smtp service to connect to authorized remote servers using TCPIP settings on Windows.

TIA
Paolo

Joachim Schipper wrote:
On Fri, Apr 13, 2007 at 10:17:51PM -0400, Paolo Supino wrote:
Hi Bob

The webapp does talk to a real mail server: on localhost (IIS6 SMTP service). When a spammer abuses the webapp the email is actually sent via the local mail server and not directly from the webapp to all the mail servers on the Internet. Rate limiting isn't an option because emails must be out the door within a very short time frame from the moment a set of events is triggered in the webapp.

Right now the only way I can think of is limit the SMTP service to connect only to authorized remote SMTP servers that I will manage manually (I'm in the process of checking how often I would have to change the list to see if it's feasible). You wrote that I can do it with spamd, how?

Another option I thought of is setting up a sendmail relay on another computer and let that sendmail only relay specific emails according to a set of criteria (that fit only valid emails).

You are going about this all wrong. First step is finding a suitable blunt instrument and getting the developers to fix it. The second step is configuring rate limiting, along the lines of '1000 mails/hour'; this will allow a large batch of e-mail to get through immediately, but stop spammers. What you're planning now is both less effective and way more work.

Joachim
Re: Dynamic DNS (first setup, couple troubles)
On 14/04/07, Tim Judd <[EMAIL PROTECTED]> wrote:
--- Tim Judd <[EMAIL PROTECTED]> wrote:
> Thanks for ANY help from all of you excellent people out there. If
> you want a configuration file, they are available at:
> http://usemy.homeunix.org:88/dhcpd.txt
> http://usemy.homeunix.org:88/named.txt

I was seeing if anybody was checking my problem out by viewing the access log on my server, and I found named.txt to be getting error 403 -- which I should have fixed by now. If you still want to address this and want to look at my files, please try again.

thank you all!

As previous posters already noted, you need to have static leases outside of the dynamic range. Another thing is that for the dynamic updates you need to use the net/isc-dhcp port, the dhcpd in base doesn't have the required functionality. Other than that, I think it looks ok. Mind you, for LANBOX and FATMAN I think you will need to define addresses by yourself in your zone.

--
viq
Re: using spamd to block outbound spam
On Sat, Apr 14, 2007 at 05:58:52PM +0200, Henning Brauer wrote:
> * Paolo Supino <[EMAIL PROTECTED]> [2007-04-14 17:53]:
> > From the technical aspect, I agree with you. But non technical people
> > don't see (or understand) that :-( I wish I had time to sit down and
> > find out how to exploit the webapp. I tried to bring in a company to do
> > penetration testing, but I was refused the budget for it.
> > I can't fix the problem completely, but I can put measures in place
> > that will reduce the problem to an acceptable level.
>
> yeah, cut the cable.
>
> otherwise at least tell us the IP address (range) so we can all
> blacklist it.
>
> really, there is no solution (or even half reasonable band-aid) that is
> not "fix the application"

Henning brings up a good point: can't you explain to management the cost of fixing the application vs the effort of getting yourself off all the blacklists that you soon will be on?

Otherwise, try mod_security.

Joachim

--
TFMotD: top (1) - display and update information about the top CPU processes
Re: SSH/SFTP question
On Fri, Apr 13, 2007 at 09:37:14AM -0400, stuart van Zee wrote:
>
> I was under the impression that when using SFTP to transfer files they
> were automatically treated as Binary files.

i might totally be wrong, but i had the impression that sftp doesn't incorporate the 'legacy ftp' concept of 'binary' vs. 'ascii', but rather just transferred files without any regard to what they have in them.

> CRLF to terminate lines, the downloaded file would have CRLF terminating
> its lines. So I have a vendor that has replaced his FTP with SSH/SFTP.
> my code is written to expect CRLF because that is the way the files
> were when using the old FTP system to download.

have you tried scp instead of sftp? (if that is an option). sftp seems to be a bit of the bastard child of the openssh software family.

> Now, when I use SFTP
> the files just have the LF.

that seems strange. i haven't used sftp nearly as much as scp, but i don't recall either ever having modified a file on me. i tried the following test:

- made a test file (5 lines) using windows notepad, saved it to the openbsd box via a samba share.
- opened up in vi and saw that it had '^M's at the end of it, quit out.
- scp'd that file to another host on the network here
- went to the other host, verified MD5s same
- back on original host, sftp'd the file off of the remote host down to a new filename on the local host, verified MD5s the same.

so in my case, sftp'ing a file from a remote host down locally didn't incur any CRLF->LF translation. maybe you are seeing a behaviour from something else and it just seems to be because of sftp(1) ? do you know for certain that the files, as they exist on the vendor's end, do indeed still have the CRLFs in them?

> What I really need is an explanation or a pointer to where I can get an
> explanation so that I really know what I am talking about when I talk
> to this vendor (and KNOW that I know what I am talking about).

might not need to go that far. if you know/trust that they have CRLFs on their end, but when you get the files from them, they have only LFs now, just test stuff on your end with your own remote sftp/ssh server like i did above. if you have a file that you know has CRLFs, and on this one "problem" host you can pull the file down over sftp from your remote test host, and it still has the CRLFs, that would seem to imply that your local system is not responsible for the translation.

-- jared
Re: SSH/SFTP question
At 09:37 AM 4/13/07, stuart van Zee wrote:

Sorry if this belongs elsewhere but I was sure someone here would know. I was under the impression that when using SFTP to transfer files they were automatically treated as Binary files. So if the remote file uses CRLF to terminate lines, the downloaded file would have CRLF terminating its lines. So I have a vendor that has replaced his FTP with SSH/SFTP. my code is written to expect CRLF because that is the way the files were when using the old FTP system to download. Now, when I use SFTP the files just have the LF. The vendor's answer is that we need to use ASCII mode to transfer the files to get the CRLF. I didn't know that there WAS an ASCII mode in SFTP let alone that using ASCII as opposed to Binary would change the line terminators. The files in question are technically ASCII text files but shouldn't I be getting an EXACT copy of the file when I use Binary mode (assuming that I am right and that is indeed the default with SFTP)? What I really need is an explanation or a pointer to where I can get an explanation so that I really know what I am talking about when I talk to this vendor (and KNOW that I know what I am talking about).

FTP and SFTP clients will often have an option to send files as ASCII/BINARY/AUTO. This option controls how CRLF is handled when encountered in the source file. This option has nothing at all to do with the FTP/SFTP protocol itself; but is an option often included in client software.

When transfer option is ASCII (or sometimes TEXT); a translation occurs. When copying from Windows to *BSD, CRLF changes to LF. When copying from *BSD to Windows, LF changes to CRLF.

When transfer option is BINARY; no translation ever occurs.

When transfer is AUTO; behaviour is either ASCII or BINARY depending on file extension. TXT, HTM, PHP, CGI, PL might all be considered text files; client software often allows this list to be configured.

PSCP and WinSCP are two examples of windows software that support SFTP. PSCP does not convert CRLF to LF; WinSCP has a user option controlling this translation.

Based on what your vendor says; it looks like the file originally contains only LF and not CRLF; so enabling ASCII transfer should convert LF to CRLF. If your transfer software doesn't have this option, find another that does.
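The check both SFTP replies above describe, as an added example that is not part of the original posts: profile a file's line terminators and, given only the sender's checksum, tell whether the received copy is exact or differs purely by a CRLF/LF translation. The function names and the sample data are hypothetical, and SHA-256 stands in for the MD5 comparison used in the thread.

```python
import hashlib

def digest(data: bytes) -> str:
    # SHA-256 stands in for the MD5 comparison used in the thread.
    return hashlib.sha256(data).hexdigest()

def line_ending_profile(data: bytes) -> dict:
    """Count CRLF pairs, bare LFs and bare CRs in a byte string."""
    crlf = data.count(b"\r\n")
    return {"crlf": crlf,
            "lf": data.count(b"\n") - crlf,   # LF not preceded by CR
            "cr": data.count(b"\r") - crlf}   # CR not followed by LF

def to_lf(data: bytes) -> bytes:
    """Model of a text-mode transfer towards a Unix host: CRLF -> LF."""
    return data.replace(b"\r\n", b"\n")

def to_crlf(data: bytes) -> bytes:
    """Model of a text-mode transfer towards Windows: LF -> CRLF."""
    return to_lf(data).replace(b"\n", b"\r\n")

def diagnose(received: bytes, source_digest: str) -> str:
    """Relate the received bytes to the checksum the sender reports."""
    if digest(received) == source_digest:
        return "exact copy: nothing was translated in transit"
    if digest(to_crlf(received)) == source_digest:
        return "source has CRLF: something converted CRLF to LF in transit"
    if digest(to_lf(received)) == source_digest:
        return "source has LF: something converted LF to CRLF in transit"
    return "content differs beyond line endings"

# Constructed sample: a small CRLF-terminated file as the sender would hold it.
VENDOR_FILE = b"id,amount\r\n1,10.00\r\n2,12.50\r\n"

if __name__ == "__main__":
    sender_sum = digest(VENDOR_FILE)      # what the sender would report
    received = to_lf(VENDOR_FILE)         # simulate a translating client
    print(line_ending_profile(received))
    print(diagnose(received, sender_sum))
    print(diagnose(VENDOR_FILE, sender_sum))
```

Asking the sender for a checksum of the file as it sits on their server settles which side holds CRLF without either party having to trust a description of the transfer mode.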
Re: using spamd to block outbound spam
On 2007/04/14 11:37, Paolo Supino wrote:
> From the technical aspect, I agree with you. But non technical people
> don't see (or understand) that :-( I wish I had time to sit down and
> find out how to exploit the webapp.

if you don't have time to work this out, you don't have time to get yourself off all the public and in-house blacklists. reliably getting mail into places like aol and hotmail can be challenging at the best of times, even without known vulnerabilities in your mail-sending setup.

> I tried to bring in a company to do penetration testing, but I was
> refused the budget for it.

you can probably just read logs/tcpdump.
ccdconfig -g no more
as of a few days ago, ccdconfig -g doesn't work. it required the use of kvm, which is a bad thing, so this functionality was disabled (as part of some larger work). it is possible to re-add this functionality, but there are no present plans to do so.
Re: bio not working on dl380 g4 with newer ciss fw
--- Quoting Boris Golberg on 2007/04/13 at 08:07 -0500:
> Hello Kalle,
>
> BM> Two logical drives. Not sure about the firmware version, but the
> BM> "more than one logical drive" issue is in the caveats section of
> BM> ciss(4).
>
> I've asked about that caveat in ciss recently, but no one really had
> answered. Tried even to e-mail directly to [EMAIL PROTECTED] - no reply.
>
> I'm planning to get HP server myself. Could you give me some additional
> information about your configuration and problem? What model of Smart Array
> are you using? Do you have any problem with these two logical drives
> besides bioctl not working properly? Is the lack of bio support causing
> any real problem in your case?
> Sorry for trying to kind of benefit from your problem, but answers will
> be really appreciated.

I recently installed an HP DL360g5 running OpenBSD 4.1. The hardware works great (man, it's a fast machine) but there is an issue with bio and ciss. The server has a HP E200i controller card in it that does not attach to bio(4). I gave mickey@ access to the box and he supposedly figured out the issue, but then some shit happened and now he's not around.

Anyways, hope that's useful to you and maybe others. My dmesg is here: http://www.armorlogic.com/openbsd_information_server_compatibility_list.html

.joel