Re: Some DNSBL questions and other spam filtering options in OpenSMTPD

2016-04-07 Thread Joerg Jung 
On Thu, Apr 07, 2016 at 04:41:57PM +0200, Michiel van Es wrote:
> > On 07 Apr 2016, at 16:37, Michiel van Es  wrote:
> >> On 07 Apr 2016, at 16:05, Joerg Jung  wrote:
> >>> On 07 Apr 2016, at 14:47, Michiel van Es  wrote:
>  On 07 Apr 2016, at 14:40, Joerg Jung  wrote:
>  
>  Ok can change the added DEBUG line right before the if statement once 
>  again to:
>  
>  log_warnx("warn: DEBUG: ar_gai_errno=%d, EAI_NODATA=%d, EAI_NONAME=%d, 
>  gai_strerror=‘%s'", ar->ar_gai_errno, EAI_NODATA, EAI_NONAME, 
>  gai_strerror(ar->ar_gai_errno));

Keep that change please.

> >> Wow… what a mess, I think this is what is happening:
> >> 
> >> - EAI_NODATA is usually -5 aka "No address associated with hostname".
> >> 
> >> - Ubuntu eglibc seems to guard EAI_NODATA behind a #ifdef _GNU_SOURCE in 
> >> netdb.h, 
> >> so you may do not have it defined at all.
> >> (- Nevertheless the error string is given with gai_strerror() anyway, no 
> >> matter that EAI_NODATA is not there.)
> >> 
> >> - in case EAI_NODATA is not defined opensmtpd-extras defines EAI_NODATA == 
> >> EAI_NONAME == -2 in configure.ac
> >> -> I think this is wrong and should be done as last resort. The better 
> >> solution should be to define _GNU_SOURCE to
> >> receive EAI_NODATA from standard netdb.h. Can you try the following please:
> >> 
> >> Add the following CFLAGS line to filter-dnsbl Makefile.am line 10: 
> >> https://github.com/OpenSMTPD/OpenSMTPD-extras/blob/master/extras/wip/filters/filter-dnsbl/Makefile.am
> >> 
> >> CFLAGS += -D_GNU_SOURCE
> >> 
> >> Rebuild everything — it’s important to clear the whole configure cache and 
> >> re-run sh bootstrap fully, so that this _GNU_SOURCE ends up in the 
> >> Makefile.
> >> 
> >> Let me know if this helps and fixes the issue.

Ok, I was wrong here. _GNU_SOURCE is already defined via
openbsd-compat/includes.h

So you can drop that Makefile addition, it's useless and too late
anyway, sorry. 
 
> did a make uninstall after adding the Makefile.am line as instructed, 
> ./bootstrap;./configure —with-filter-*;make;make install
> retested but still no go:
> 
> debug: smtp: new client on listener: 0xebd0f0
> smtp-in: New session 141e1ab081a9e56f from host pro-mail-smtp-002.bol.com 
> [185.14.169.222]
> filter: post-event event=EVENT_CONNECT filter=dnsbl
> filter: new query QUERY_CONNECT
> filter: filter_drain_query 141e1ab15e6c4024[QUERY_CONNECT=178.21.114.197 <-> 
> 185.14.169.222(pro-mail-smtp-002.bol.com),filter_session@0xeabff0[datalen=0,eom=(nil),ofile=(nil)]]
> filter: running filter filter:dnsbl[hooks=0x,flags=0x] for query 
> 141e1ab15e6c4024[QUERY_CONNECT=178.21.114.197 <-> 
> 185.14.169.222(pro-mail-smtp-002.bol.com),filter_session@0xeabff0[datalen=0,eom=(nil),ofile=(nil)]]
> filter: waiting for running query 
> 141e1ab15e6c4024[QUERY_CONNECT=178.21.114.197 <-> 
> 185.14.169.222(pro-mail-smtp-002.bol.com),filter_session@0xeabff0[datalen=0,eom=(nil),ofile=(nil)]]
> dnsbl[2010]: debug: on_connect: checking 222.169.14.185.psbl.surriel.com.
> dnsbl[2010]: warn: DEBUG: ar_gai_errno=-5, EAI_NODATA=-2, EAI_NONAME=-2, 
> gai_strerror=‘No address associated with hostname'

I fail to understand, where the EAI_NODATA=-2 comes from.  With
GNU_SOURCE defined as mentioned above it should come from netdb.h header 
with -5 instead of -2.

Can you try to remove/comment the whole #ifndef EAI_NODATA in 
openbsd-compat/defines.h line 205-213?

Hopefully, EAI_NODATA is -5 afterwards and things will start to work?

> dnsbl[2010]: warn: session 141e1ab081a9e56f: event_dispatch: REJECT address 
> ar_gai_errno=-5
> filter: imsg IMSG_FILTER_RESPONSE from procfilter 
> dnsbl[hooks=0x,flags=0x]
> filter: filter_drain_query 141e1ab15e6c4024[QUERY_CONNECT=178.21.114.197 <-> 
> 185.14.169.222(pro-mail-smtp-002.bol.com),filter_session@0xeabff0[datalen=0,eom=(nil),ofile=(nil)]]
> filter: filter_end_query 141e1ab15e6c4024[QUERY_CONNECT=178.21.114.197 <-> 
> 185.14.169.222(pro-mail-smtp-002.bol.com),filter_session@0xeabff0[datalen=0,eom=(nil),ofile=(nil)]]
> filter: query 141e1ab15e6c4024 done: status=FILTER_CLOSE code=554 
> response="5.7.1 Address in DNSBL"
> smtp-in: Failed command on session 141e1ab081a9e56f: "" => 554 5.7.1 Address 
> in DNSBL
> smtp-in: Closing session 141e1ab081a9e56f
> debug: smtp: 0xf79cb0: deleting session: done
> filter: post-event event=EVENT_DISCONNECT filter=dnsbl
> 
> > 
> >> 
> >> However as written earlier, all this is just quick-fix. Better solution 
> >> would be IMHO to NOT rely on gai errno at all.
> >> I’ll try to come up with a better fix soon.

I changed my mind and think the quick fix is the only way to go to
distinguish between different resolve errors.  But we still need to find
out where the EAI_NODATA=-2 comes from on Ubuntu. 

-- 
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to:

Re: Authentication using certificates

2016-04-07 Thread Kai Wirt 
On Wed, Apr 06, 2016 at 10:13:42AM -0500, Edgar Pettijohn wrote:
> 
> 
> Sent from my iPhone
> 
> > On Apr 6, 2016, at 4:01 AM, Kai Wirt  wrote:
> > 
> > 
> > 
> > Hi,
> > 
> > when i used sendmail i allowed my clients to relay mail if they 
> > authenticated via SMTPAUTH or if they could present a valid certificate 
> > with STARTTLS.
> > I'm trying to do the same with OpenSMTPD. I understand, that I can have two 
> > different listeners. One which accepts SMTPAUTH. And one which has 
> > tls-require verify. But from what I could tell from the man pages there is 
> > no way to have tls-require and auth as alternatives on one listener.
> > 
> > My use case is that I have clients
> 
> By client to you mean a person logging in with a mail client. Or another 
> server using you as a relay?


To be more precise i prefer authentication using client certificates. This 
works fine with most of
the mail software i use. However i have a few mobile devices which don't 
support client certificates.
For these i use SMTPAUTH. Currently i use two different listeners on two 
different ports for this.
What i would like to achieve is to have only one listener on the submission 
port and then accept
mails either if the client authenticated using SMTPAUTH _or_ if the client was 
able to present a
valid certificate.

If i am not mistaken having auth and tls-require verify enforces both. The 
solution in sendmail was,
that clients were treated as local in both cases.



> 
> > which don't have certificates and should be allowed to relay with SMTPAUTH. 
> > And I have other mailservers which use OpenSMTPD as smarthost and which 
> > have certificates. For the latter I don't like to configure credentials.
> > 
> 
> This sounds possible. You may have to get clever with tagging. 
>

This is what i currently do. The listener with tls-require verify tags with a 
keyword and i accept
mail from local (this is the smtpauth part) and mail tagged with the keyword.



Kai 

-- 
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org

Re: Some DNSBL questions and other spam filtering options in OpenSMTPD

2016-04-07 Thread Joerg Jung 

> On 07 Apr 2016, at 14:47, Michiel van Es  wrote:
> 
> 
>> On 07 Apr 2016, at 14:40, Joerg Jung  wrote:
>> 
>> 
>>> On 07 Apr 2016, at 13:13, Michiel van Es  wrote:
 On 07 Apr 2016, at 12:59, Joerg Jung  wrote:
 
 Ok... that makes sense now.
 -2 seems to be EAI_NONAME which seems to be the error code specific on 
 Ubuntu libc for NXDOMAIN replies, instead of EAI_NODATA.
 
 These error codes and related RFCs are subject to a lot of discussions.
 See here to get an idea: 
 https://sourceware.org/bugzilla/show_bug.cgi?id=15726
 Especially, note the cross references to Ubuntu bugs ...
 
 Instead of trying to fit all distribution specific changes,
 the easiest might be to change the logic here and check for the returned 
 address not being empty -- instead of errno.
 
 I'll try to come up with a proper diff to fix this, but give me some time 
 as 
 I'm very busy currently.
 
 As quick fix: you can just change the if statement to:
 if (ar->ar_gai_errno != EAI_NODATA && ar->ar_gai_errno != EAI_NONAME) {
>>> 
>>> like this? =>
>> 
>> yes.
>> 
>>> dnsbl_event_dispatch(struct asr_result *ar, void *arg)
>>> {
>>>  uint64_t *q = arg;
>>> 
>>>  if (ar->ar_addrinfo)
>>>  freeaddrinfo(ar->ar_addrinfo);
>>>  log_warnx("warn: DEBUG: ar_gai_errno=%d, EAI_NODATA=%d", 
>>> ar->ar_gai_errno, EAI_NODATA);
>>>  if (ar->ar_gai_errno != EAI_NODATA && ar->ar_gai_errno != EAI_NONAME) {
>>>  log_warnx("warn: session %016"PRIx64": event_dispatch: REJECT 
>>> address ar_gai_errno=%d", *q, ar->ar_gai_errno);
>>>  filter_api_reject_code(*q, FILTER_CLOSE, 554, "5.7.1 Address 
>>> in DNSBL");
>>>  } else
>>>  filter_api_accept(*q);
>>>  free(q);
>>> }
>>> 
 ... and it should start working as expected. Can you confirm that, please?
>>> 
>>> if above is correct, it did not work:
>>> 
>>> dnsbl[26098]: warn: DEBUG: ar_gai_errno=-5, EAI_NODATA=-2
>>> dnsbl[26098]: warn: session de57c06bd67994d3: event_dispatch: REJECT 
>>> address ar_gai_errno=-5
>>> filter: imsg IMSG_FILTER_RESPONSE from procfilter 
>>> dnsbl[hooks=0x,flags=0x]
>>> filter: filter_drain_query de57c06c3dc0ecca[QUERY_CONNECT=178.21.114.197 
>>> <-> 
>>> 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x1588030[datalen=0,eom=(nil),ofile=(nil)]]
>>> filter: filter_end_query de57c06c3dc0ecca[QUERY_CONNECT=178.21.114.197 <-> 
>>> 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x1588030[datalen=0,eom=(nil),ofile=(nil)]]
>>> filter: query de57c06c3dc0ecca done: status=FILTER_CLOSE code=554 
>>> response="5.7.1 Address in DNSBL"
>>> smtp-in: Failed command on session de57c06bd67994d3: "" => 554 5.7.1 
>>> Address in DNSBL
>>> smtp-in: Closing session de57c06bd67994d3
>>> debug: smtp: 0x1655cf0: deleting session: done
>>> filter: post-event event=EVENT_DISCONNECT filter=dnsbl
>>> ^Cinfo: queue handler exiting
>>> info: scheduler handler exiting
>>> info: ca agent exiting
>>> warn: control -> queue: pipe closed
>>> warn: lka -> queue: pipe closed
>>> strace: Process 26091 detached
>>> 
>> 
>> Ok can change the added DEBUG line right before the if statement once again 
>> to:
>> 
>> log_warnx("warn: DEBUG: ar_gai_errno=%d, EAI_NODATA=%d, EAI_NONAME=%d, 
>> gai_strerror=‘%s'", ar->ar_gai_errno, EAI_NODATA, EAI_NONAME, 
>> gai_strerror(ar->ar_gai_errno));
>> 
>> … and show me output?
> 
> debug: smtp: new client on listener: 0x1a90130
> smtp-in: New session 1dc609e7cb3551c5 from host pro-mail-smtp-001.bol.com 
> [185.14.168.222]
> filter: post-event event=EVENT_CONNECT filter=dnsbl
> filter: new query QUERY_CONNECT
> filter: filter_drain_query 1dc609e878b913e8[QUERY_CONNECT=178.21.114.197 <-> 
> 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x1a7f030[datalen=0,eom=(nil),ofile=(nil)]]
> filter: running filter filter:dnsbl[hooks=0x,flags=0x] for query 
> 1dc609e878b913e8[QUERY_CONNECT=178.21.114.197 <-> 
> 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x1a7f030[datalen=0,eom=(nil),ofile=(nil)]]
> filter: waiting for running query 
> 1dc609e878b913e8[QUERY_CONNECT=178.21.114.197 <-> 
> 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x1a7f030[datalen=0,eom=(nil),ofile=(nil)]]
> dnsbl[27129]: debug: on_connect: checking 222.168.14.185.psbl.surriel.com.
> 
> dnsbl[27129]: warn: DEBUG: ar_gai_errno=-5, EAI_NODATA=-2, EAI_NONAME=-2, 
> gai_strerror=‘No address associated with hostname'
> dnsbl[27129]: warn: session 1dc609e7cb3551c5: event_dispatch: REJECT address 
> ar_gai_errno=-5
> filter: imsg IMSG_FILTER_RESPONSE from procfilter 
> dnsbl[hooks=0x,flags=0x]
> filter: filter_drain_query 1dc609e878b913e8[QUERY_CONNECT=178.21.114.197 <-> 
> 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x1a7f030[datalen=0,eom=(nil),ofile=(nil)]]
> filter: filter_end_query

Re: Some DNSBL questions and other spam filtering options in OpenSMTPD

2016-04-07 Thread Michiel van Es 

> On 07 Apr 2016, at 14:40, Joerg Jung  wrote:
> 
> 
>> On 07 Apr 2016, at 13:13, Michiel van Es  wrote:
>>> On 07 Apr 2016, at 12:59, Joerg Jung  wrote:
>>> 
>>> Ok... that makes sense now.
>>> -2 seems to be EAI_NONAME which seems to be the error code specific on 
>>> Ubuntu libc for NXDOMAIN replies, instead of EAI_NODATA.
>>> 
>>> These error codes and related RFCs are subject to a lot of discussions.
>>> See here to get an idea: 
>>> https://sourceware.org/bugzilla/show_bug.cgi?id=15726
>>> Especially, note the cross references to Ubuntu bugs ...
>>> 
>>> Instead of trying to fit all distribution specific changes,
>>> the easiest might be to change the logic here and check for the returned 
>>> address not being empty -- instead of errno.
>>> 
>>> I'll try to come up with a proper diff to fix this, but give me some time 
>>> as 
>>> I'm very busy currently.
>>> 
>>> As quick fix: you can just change the if statement to:
>>> if (ar->ar_gai_errno != EAI_NODATA && ar->ar_gai_errno != EAI_NONAME) {
>> 
>> like this? =>
> 
> yes.
> 
>> dnsbl_event_dispatch(struct asr_result *ar, void *arg)
>> {
>>   uint64_t *q = arg;
>> 
>>   if (ar->ar_addrinfo)
>>   freeaddrinfo(ar->ar_addrinfo);
>>   log_warnx("warn: DEBUG: ar_gai_errno=%d, EAI_NODATA=%d", 
>> ar->ar_gai_errno, EAI_NODATA);
>>   if (ar->ar_gai_errno != EAI_NODATA && ar->ar_gai_errno != EAI_NONAME) {
>>   log_warnx("warn: session %016"PRIx64": event_dispatch: REJECT 
>> address ar_gai_errno=%d", *q, ar->ar_gai_errno);
>>   filter_api_reject_code(*q, FILTER_CLOSE, 554, "5.7.1 Address 
>> in DNSBL");
>>   } else
>>   filter_api_accept(*q);
>>   free(q);
>> }
>> 
>>> ... and it should start working as expected. Can you confirm that, please?
>> 
>> if above is correct, it did not work:
>> 
>> dnsbl[26098]: warn: DEBUG: ar_gai_errno=-5, EAI_NODATA=-2
>> dnsbl[26098]: warn: session de57c06bd67994d3: event_dispatch: REJECT address 
>> ar_gai_errno=-5
>> filter: imsg IMSG_FILTER_RESPONSE from procfilter 
>> dnsbl[hooks=0x,flags=0x]
>> filter: filter_drain_query de57c06c3dc0ecca[QUERY_CONNECT=178.21.114.197 <-> 
>> 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x1588030[datalen=0,eom=(nil),ofile=(nil)]]
>> filter: filter_end_query de57c06c3dc0ecca[QUERY_CONNECT=178.21.114.197 <-> 
>> 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x1588030[datalen=0,eom=(nil),ofile=(nil)]]
>> filter: query de57c06c3dc0ecca done: status=FILTER_CLOSE code=554 
>> response="5.7.1 Address in DNSBL"
>> smtp-in: Failed command on session de57c06bd67994d3: "" => 554 5.7.1 Address 
>> in DNSBL
>> smtp-in: Closing session de57c06bd67994d3
>> debug: smtp: 0x1655cf0: deleting session: done
>> filter: post-event event=EVENT_DISCONNECT filter=dnsbl
>> ^Cinfo: queue handler exiting
>> info: scheduler handler exiting
>> info: ca agent exiting
>> warn: control -> queue: pipe closed
>> warn: lka -> queue: pipe closed
>> strace: Process 26091 detached
>> 
> 
> Ok can change the added DEBUG line right before the if statement once again 
> to:
> 
> log_warnx("warn: DEBUG: ar_gai_errno=%d, EAI_NODATA=%d, EAI_NONAME=%d, 
> gai_strerror=‘%s'", ar->ar_gai_errno, EAI_NODATA, EAI_NONAME, 
> gai_strerror(ar->ar_gai_errno));
> 
> … and show me output?

debug: smtp: new client on listener: 0x1a90130
smtp-in: New session 1dc609e7cb3551c5 from host pro-mail-smtp-001.bol.com 
[185.14.168.222]
filter: post-event event=EVENT_CONNECT filter=dnsbl
filter: new query QUERY_CONNECT
filter: filter_drain_query 1dc609e878b913e8[QUERY_CONNECT=178.21.114.197 <-> 
185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x1a7f030[datalen=0,eom=(nil),ofile=(nil)]]
filter: running filter filter:dnsbl[hooks=0x,flags=0x] for query 
1dc609e878b913e8[QUERY_CONNECT=178.21.114.197 <-> 
185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x1a7f030[datalen=0,eom=(nil),ofile=(nil)]]
filter: waiting for running query 1dc609e878b913e8[QUERY_CONNECT=178.21.114.197 
<-> 
185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x1a7f030[datalen=0,eom=(nil),ofile=(nil)]]
dnsbl[27129]: debug: on_connect: checking 222.168.14.185.psbl.surriel.com.

dnsbl[27129]: warn: DEBUG: ar_gai_errno=-5, EAI_NODATA=-2, EAI_NONAME=-2, 
gai_strerror=‘No address associated with hostname'
dnsbl[27129]: warn: session 1dc609e7cb3551c5: event_dispatch: REJECT address 
ar_gai_errno=-5
filter: imsg IMSG_FILTER_RESPONSE from procfilter 
dnsbl[hooks=0x,flags=0x]
filter: filter_drain_query 1dc609e878b913e8[QUERY_CONNECT=178.21.114.197 <-> 
185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x1a7f030[datalen=0,eom=(nil),ofile=(nil)]]
filter: filter_end_query 1dc609e878b913e8[QUERY_CONNECT=178.21.114.197 <-> 
185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x1a7f030[datalen=0,eom=(nil),ofile=(nil)]]
filter: query 1dc609e878b913e8 done: status=FILTER_CLOSE code=554

Re: Some DNSBL questions and other spam filtering options in OpenSMTPD

2016-04-07 Thread Joerg Jung 

> On 07 Apr 2016, at 13:13, Michiel van Es  wrote:
>> On 07 Apr 2016, at 12:59, Joerg Jung  wrote:
>> 
>> Ok... that makes sense now.
>> -2 seems to be EAI_NONAME which seems to be the error code specific on 
>> Ubuntu libc for NXDOMAIN replies, instead of EAI_NODATA.
>> 
>> These error codes and related RFCs are subject to a lot of discussions.
>> See here to get an idea: 
>> https://sourceware.org/bugzilla/show_bug.cgi?id=15726
>> Especially, note the cross references to Ubuntu bugs ...
>> 
>> Instead of trying to fit all distribution specific changes,
>> the easiest might be to change the logic here and check for the returned 
>> address not being empty -- instead of errno.
>> 
>> I'll try to come up with a proper diff to fix this, but give me some time as 
>> I'm very busy currently.
>> 
>> As quick fix: you can just change the if statement to:
>> if (ar->ar_gai_errno != EAI_NODATA && ar->ar_gai_errno != EAI_NONAME) {
> 
> like this? =>

yes.

> dnsbl_event_dispatch(struct asr_result *ar, void *arg)
> {
>uint64_t *q = arg;
> 
>if (ar->ar_addrinfo)
>freeaddrinfo(ar->ar_addrinfo);
>log_warnx("warn: DEBUG: ar_gai_errno=%d, EAI_NODATA=%d", 
> ar->ar_gai_errno, EAI_NODATA);
>if (ar->ar_gai_errno != EAI_NODATA && ar->ar_gai_errno != EAI_NONAME) {
>log_warnx("warn: session %016"PRIx64": event_dispatch: REJECT 
> address ar_gai_errno=%d", *q, ar->ar_gai_errno);
>filter_api_reject_code(*q, FILTER_CLOSE, 554, "5.7.1 Address 
> in DNSBL");
>} else
>filter_api_accept(*q);
>free(q);
> }
> 
>> ... and it should start working as expected. Can you confirm that, please?
> 
> if above is correct, it did not work:
> 
> dnsbl[26098]: warn: DEBUG: ar_gai_errno=-5, EAI_NODATA=-2
> dnsbl[26098]: warn: session de57c06bd67994d3: event_dispatch: REJECT address 
> ar_gai_errno=-5
> filter: imsg IMSG_FILTER_RESPONSE from procfilter 
> dnsbl[hooks=0x,flags=0x]
> filter: filter_drain_query de57c06c3dc0ecca[QUERY_CONNECT=178.21.114.197 <-> 
> 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x1588030[datalen=0,eom=(nil),ofile=(nil)]]
> filter: filter_end_query de57c06c3dc0ecca[QUERY_CONNECT=178.21.114.197 <-> 
> 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x1588030[datalen=0,eom=(nil),ofile=(nil)]]
> filter: query de57c06c3dc0ecca done: status=FILTER_CLOSE code=554 
> response="5.7.1 Address in DNSBL"
> smtp-in: Failed command on session de57c06bd67994d3: "" => 554 5.7.1 Address 
> in DNSBL
> smtp-in: Closing session de57c06bd67994d3
> debug: smtp: 0x1655cf0: deleting session: done
> filter: post-event event=EVENT_DISCONNECT filter=dnsbl
> ^Cinfo: queue handler exiting
> info: scheduler handler exiting
> info: ca agent exiting
> warn: control -> queue: pipe closed
> warn: lka -> queue: pipe closed
> strace: Process 26091 detached
> 

Ok can change the added DEBUG line right before the if statement once again to:

log_warnx("warn: DEBUG: ar_gai_errno=%d, EAI_NODATA=%d, EAI_NONAME=%d, 
gai_strerror=‘%s'", ar->ar_gai_errno, EAI_NODATA, EAI_NONAME, 
gai_strerror(ar->ar_gai_errno));

… and show me output?



--
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org

Re: Some DNSBL questions and other spam filtering options in OpenSMTPD

2016-04-07 Thread Michiel van Es 

> On 07 Apr 2016, at 12:59, Joerg Jung  wrote:
> 
> 
>> Am 07.04.2016 um 11:51 schrieb Michiel van Es :
>> 
>> oops, forgot to reply-all (and miss m...@opesmtpd.org), send again ->
>> 
>>> On 07 Apr 2016, at 11:30, Joerg Jung  wrote:
>>> 
>>> 
> On 07 Apr 2016, at 10:17, Michiel van Es  wrote:
> 
> 
> On 07 Apr 2016, at 10:02, Joerg Jung  wrote:
> 
> 
>>> On 07 Apr 2016, at 08:47, Michiel van Es  wrote:
>>> On 07 Apr 2016, at 08:41, Joerg Jung  wrote:
>>> 
> What asr version have you installed? Recent one?
> 
> You can also do a tcpdump please, to see what 
> exactly  goes over the wire (and comes back)?
> 
> Also please temporarily disable all other filters, to 
> rule-out chain problems.
 
 I installed libasr, opensmtpd and OpenSMTPD-Extras from github to 
 ensure the latest version.
 
 I use the following config to only use dnsbl:
 
 filter dnsbl dnsbl "-h" "psbl.surriel.com"
 filter filter-clamav clamav
 filter all chain dnsbl
 filter sub chain filter-clamav
 pki server.pragmasec.nl key 
 "/etc/letsencrypt/archive/server.pragmasec.nl/privkey1.pem"
 pki server.pragmasec.nl certificate 
 "/etc/letsencrypt/archive/server.pragmasec.nl/fullchain1.pem"
 listen on lo
 listen on ens3 port 25 filter all hostname server.pragmasec.nl tls pki 
 server.pragmasec.nl
 listen on ens3 port 587 filter sub hostname server.pragmasec.nl 
 tls-require pki server.pragmasec.nl auth mask-source
 expire 7d
 table vdomains "/usr/local/etc/vdomains"
 table vusers "/usr/local/etc/vusers"
 accept from any for domain  virtual  deliver to mda 
 "/usr/lib/dovecot/dovecot-lda -f %{sender} -a %{rcpt}"
 accept from local for any relay
 
 tcpdump of any traffic to psbl.surriel.org: (this seems useless as the 
 traffic is only dns and goes to the forwarders via my dnsmasq local 
 cache)
 tcpdump -i any | grep ’74.92.59.67'
 
 *nothing*
 
 the error with strace and running with smtpd -d -v -T filter:
 
 epoll_wait(3, debug: smtp: new client on listener: 0x79d0c0
 smtp-in: New session 71768b23cba98cf7 from host 
 pro-mail-smtp-001.bol.com [185.14.168.222]
 filter: post-event event=EVENT_CONNECT filter=dnsbl
 filter: new query QUERY_CONNECT
 filter: filter_drain_query 
 71768b247df9084f[QUERY_CONNECT=178.21.114.197 <-> 
 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x795bc0[datalen=0,eom=(nil),ofile=(nil)]]
 filter: running filter filter:dnsbl[hooks=0x,flags=0x] for 
 query 71768b247df9084f[QUERY_CONNECT=178.21.114.197 <-> 
 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x795bc0[datalen=0,eom=(nil),ofile=(nil)]]
 filter: waiting for running query 
 71768b247df9084f[QUERY_CONNECT=178.21.114.197 <-> 
 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x795bc0[datalen=0,eom=(nil),ofile=(nil)]]
 dnsbl[22353]: debug: on_connect: checking 
 222.168.14.185.psbl.surriel.com.
 dnsbl[22353]: warn: session 71768b23cba98cf7: event_dispatch: REJECT 
 address
 filter: imsg IMSG_FILTER_RESPONSE from procfilter 
 dnsbl[hooks=0x,flags=0x]
 filter: filter_drain_query 
 71768b247df9084f[QUERY_CONNECT=178.21.114.197 <-> 
 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x795bc0[datalen=0,eom=(nil),ofile=(nil)]]
 filter: filter_end_query 71768b247df9084f[QUERY_CONNECT=178.21.114.197 
 <-> 
 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x795bc0[datalen=0,eom=(nil),ofile=(nil)]]
 filter: query 71768b247df9084f done: status=FILTER_CLOSE code=554 
 response="5.7.1 Address in DNSBL"
 smtp-in: Failed command on session 71768b23cba98cf7: "" => 554 5.7.1 
 Address in DNSBL
 smtp-in: Closing session 71768b23cba98cf7
 debug: smtp: 0x859c80: deleting session: done
 filter: post-event event=EVENT_DISCONNECT filter=dnsbl
 
 dnsmasq logging:
 
 Apr  7 07:48:41 server dnsmasq[6018]: query[A] 
 222.168.14.185.psbl.surriel.com from 127.0.0.1
 Apr  7 07:48:41 server dnsmasq[6018]: forwarded 
 222.168.14.185.psbl.surriel.com to 95.85.9.86
 Apr  7 07:48:41 server dnsmasq[6018]: reply 
 222.168.14.185.psbl.surriel.com is NXDOMAIN
 
 any more pointers what could go wrong?
>>> 
>>> To me, this really looks like a bug/problem in libasr now (Ubuntu 
>>> specific).

Re: Some DNSBL questions and other spam filtering options in OpenSMTPD

2016-04-07 Thread Michiel van Es 
oops, forgot to reply-all (and miss m...@opesmtpd.org), send again ->

> On 07 Apr 2016, at 11:30, Joerg Jung  wrote:
> 
> 
>> On 07 Apr 2016, at 10:17, Michiel van Es  wrote:
>> 
>>> 
>>> On 07 Apr 2016, at 10:02, Joerg Jung  wrote:
>>> 
>>> 
 On 07 Apr 2016, at 08:47, Michiel van Es  wrote:
> On 07 Apr 2016, at 08:41, Joerg Jung  wrote:
> 
>>> What asr version have you installed? Recent one?
>>> 
>>> You can also do a tcpdump please, to see what 
>>> exactly  goes over the wire (and comes back)?
>>> 
>>> Also please temporarily disable all other filters, to 
>>> rule-out chain problems.
>> 
>> I installed libasr, opensmtpd and OpenSMTPD-Extras from github to ensure 
>> the latest version.
>> 
>> I use the following config to only use dnsbl:
>> 
>> filter dnsbl dnsbl "-h" "psbl.surriel.com"
>> filter filter-clamav clamav
>> filter all chain dnsbl
>> filter sub chain filter-clamav
>> pki server.pragmasec.nl key 
>> "/etc/letsencrypt/archive/server.pragmasec.nl/privkey1.pem"
>> pki server.pragmasec.nl certificate 
>> "/etc/letsencrypt/archive/server.pragmasec.nl/fullchain1.pem"
>> listen on lo
>> listen on ens3 port 25 filter all hostname server.pragmasec.nl tls pki 
>> server.pragmasec.nl
>> listen on ens3 port 587 filter sub hostname server.pragmasec.nl 
>> tls-require pki server.pragmasec.nl auth mask-source
>> expire 7d
>> table vdomains "/usr/local/etc/vdomains"
>> table vusers "/usr/local/etc/vusers"
>> accept from any for domain  virtual  deliver to mda 
>> "/usr/lib/dovecot/dovecot-lda -f %{sender} -a %{rcpt}"
>> accept from local for any relay
>> 
>> tcpdump of any traffic to psbl.surriel.org: (this seems useless as the 
>> traffic is only dns and goes to the forwarders via my dnsmasq local 
>> cache)
>> tcpdump -i any | grep ’74.92.59.67'
>> 
>> *nothing*
>> 
>> the error with strace and running with smtpd -d -v -T filter:
>> 
>> epoll_wait(3, debug: smtp: new client on listener: 0x79d0c0
>> smtp-in: New session 71768b23cba98cf7 from host 
>> pro-mail-smtp-001.bol.com [185.14.168.222]
>> filter: post-event event=EVENT_CONNECT filter=dnsbl
>> filter: new query QUERY_CONNECT
>> filter: filter_drain_query 71768b247df9084f[QUERY_CONNECT=178.21.114.197 
>> <-> 
>> 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x795bc0[datalen=0,eom=(nil),ofile=(nil)]]
>> filter: running filter filter:dnsbl[hooks=0x,flags=0x] for 
>> query 71768b247df9084f[QUERY_CONNECT=178.21.114.197 <-> 
>> 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x795bc0[datalen=0,eom=(nil),ofile=(nil)]]
>> filter: waiting for running query 
>> 71768b247df9084f[QUERY_CONNECT=178.21.114.197 <-> 
>> 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x795bc0[datalen=0,eom=(nil),ofile=(nil)]]
>> dnsbl[22353]: debug: on_connect: checking 
>> 222.168.14.185.psbl.surriel.com.
>> dnsbl[22353]: warn: session 71768b23cba98cf7: event_dispatch: REJECT 
>> address
>> filter: imsg IMSG_FILTER_RESPONSE from procfilter 
>> dnsbl[hooks=0x,flags=0x]
>> filter: filter_drain_query 71768b247df9084f[QUERY_CONNECT=178.21.114.197 
>> <-> 
>> 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x795bc0[datalen=0,eom=(nil),ofile=(nil)]]
>> filter: filter_end_query 71768b247df9084f[QUERY_CONNECT=178.21.114.197 
>> <-> 
>> 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x795bc0[datalen=0,eom=(nil),ofile=(nil)]]
>> filter: query 71768b247df9084f done: status=FILTER_CLOSE code=554 
>> response="5.7.1 Address in DNSBL"
>> smtp-in: Failed command on session 71768b23cba98cf7: "" => 554 5.7.1 
>> Address in DNSBL
>> smtp-in: Closing session 71768b23cba98cf7
>> debug: smtp: 0x859c80: deleting session: done
>> filter: post-event event=EVENT_DISCONNECT filter=dnsbl
>> 
>> dnsmasq logging:
>> 
>> Apr  7 07:48:41 server dnsmasq[6018]: query[A] 
>> 222.168.14.185.psbl.surriel.com from 127.0.0.1
>> Apr  7 07:48:41 server dnsmasq[6018]: forwarded 
>> 222.168.14.185.psbl.surriel.com to 95.85.9.86
>> Apr  7 07:48:41 server dnsmasq[6018]: reply 
>> 222.168.14.185.psbl.surriel.com is NXDOMAIN
>> 
>> any more pointers what could go wrong?
> 
> To me, this really looks like a bug/problem in libasr now (Ubuntu 
> specific).  
 
 The libasr is from github (I tried 14.04 and 16.04) but can try a 
 different distro to check if others also have this issue?
>>> 
>>> Others, e.g. FreeBSD and OpenBSD and some Linux (Debian/Alpine?) are known 
>>> to work.
>>> For example, I use filter-dnsbl in production on OpenBSD.
>> 
>> Hmm Ubuntu should be a derivative from Debian but I

Re: Some DNSBL questions and other spam filtering options in OpenSMTPD

2016-04-07 Thread Joerg Jung 

> On 07 Apr 2016, at 10:17, Michiel van Es  wrote:
> 
>> 
>> On 07 Apr 2016, at 10:02, Joerg Jung  wrote:
>> 
>> 
>>> On 07 Apr 2016, at 08:47, Michiel van Es  wrote:
 On 07 Apr 2016, at 08:41, Joerg Jung  wrote:
 
>> What asr version have you installed? Recent one?
>> 
>> You can also do a tcpdump please, to see what 
>> exactly  goes over the wire (and comes back)?
>> 
>> Also please temporarily disable all other filters, to 
>> rule-out chain problems.
> 
> I installed libasr, opensmtpd and OpenSMTPD-Extras from github to ensure 
> the latest version.
> 
> I use the following config to only use dnsbl:
> 
> filter dnsbl dnsbl "-h" "psbl.surriel.com"
> filter filter-clamav clamav
> filter all chain dnsbl
> filter sub chain filter-clamav
> pki server.pragmasec.nl key 
> "/etc/letsencrypt/archive/server.pragmasec.nl/privkey1.pem"
> pki server.pragmasec.nl certificate 
> "/etc/letsencrypt/archive/server.pragmasec.nl/fullchain1.pem"
> listen on lo
> listen on ens3 port 25 filter all hostname server.pragmasec.nl tls pki 
> server.pragmasec.nl
> listen on ens3 port 587 filter sub hostname server.pragmasec.nl 
> tls-require pki server.pragmasec.nl auth mask-source
> expire 7d
> table vdomains "/usr/local/etc/vdomains"
> table vusers "/usr/local/etc/vusers"
> accept from any for domain  virtual  deliver to mda 
> "/usr/lib/dovecot/dovecot-lda -f %{sender} -a %{rcpt}"
> accept from local for any relay
> 
> tcpdump of any traffic to psbl.surriel.org: (this seems useless as the 
> traffic is only dns and goes to the forwarders via my dnsmasq local cache)
> tcpdump -i any | grep ’74.92.59.67'
> 
> *nothing*
> 
> the error with strace and running with smtpd -d -v -T filter:
> 
> epoll_wait(3, debug: smtp: new client on listener: 0x79d0c0
> smtp-in: New session 71768b23cba98cf7 from host pro-mail-smtp-001.bol.com 
> [185.14.168.222]
> filter: post-event event=EVENT_CONNECT filter=dnsbl
> filter: new query QUERY_CONNECT
> filter: filter_drain_query 71768b247df9084f[QUERY_CONNECT=178.21.114.197 
> <-> 
> 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x795bc0[datalen=0,eom=(nil),ofile=(nil)]]
> filter: running filter filter:dnsbl[hooks=0x,flags=0x] for 
> query 71768b247df9084f[QUERY_CONNECT=178.21.114.197 <-> 
> 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x795bc0[datalen=0,eom=(nil),ofile=(nil)]]
> filter: waiting for running query 
> 71768b247df9084f[QUERY_CONNECT=178.21.114.197 <-> 
> 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x795bc0[datalen=0,eom=(nil),ofile=(nil)]]
> dnsbl[22353]: debug: on_connect: checking 222.168.14.185.psbl.surriel.com.
> dnsbl[22353]: warn: session 71768b23cba98cf7: event_dispatch: REJECT 
> address
> filter: imsg IMSG_FILTER_RESPONSE from procfilter 
> dnsbl[hooks=0x,flags=0x]
> filter: filter_drain_query 71768b247df9084f[QUERY_CONNECT=178.21.114.197 
> <-> 
> 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x795bc0[datalen=0,eom=(nil),ofile=(nil)]]
> filter: filter_end_query 71768b247df9084f[QUERY_CONNECT=178.21.114.197 
> <-> 
> 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x795bc0[datalen=0,eom=(nil),ofile=(nil)]]
> filter: query 71768b247df9084f done: status=FILTER_CLOSE code=554 
> response="5.7.1 Address in DNSBL"
> smtp-in: Failed command on session 71768b23cba98cf7: "" => 554 5.7.1 
> Address in DNSBL
> smtp-in: Closing session 71768b23cba98cf7
> debug: smtp: 0x859c80: deleting session: done
> filter: post-event event=EVENT_DISCONNECT filter=dnsbl
> 
> dnsmasq logging:
> 
> Apr  7 07:48:41 server dnsmasq[6018]: query[A] 
> 222.168.14.185.psbl.surriel.com from 127.0.0.1
> Apr  7 07:48:41 server dnsmasq[6018]: forwarded 
> 222.168.14.185.psbl.surriel.com to 95.85.9.86
> Apr  7 07:48:41 server dnsmasq[6018]: reply 
> 222.168.14.185.psbl.surriel.com is NXDOMAIN
> 
> any more pointers what could go wrong?
 
 To me, this really looks like a bug/problem in libasr now (Ubuntu 
 specific).  
>>> 
>>> The libasr is from github (I tried 14.04 and 16.04) but can try a different 
>>> distro to check if others also have this issue?
>> 
>> Others, e.g. FreeBSD and OpenBSD and some Linux (Debian/Alpine?) are known 
>> to work.
>> For example, I use filter-dnsbl in production on OpenBSD.
> 
> Hmm Ubuntu should be a derivative from Debian but I can also try that oner 
> later on.
> BSD’s are not an option yet because of docker I am using for some containers 
> (I do see the FreeBSD docker option, might try that later ;) )
> 
>> 
 Despite the NXDOMAIN reply, this condition seems to become true for

Re: Some DNSBL questions and other spam filtering options in OpenSMTPD

2016-04-07 Thread Joerg Jung 

> On 07 Apr 2016, at 08:47, Michiel van Es  wrote:
>> On 07 Apr 2016, at 08:41, Joerg Jung  wrote:
>> 
 What asr version have you installed? Recent one?
 
 You can also do a tcpdump please, to see what 
 exactly  goes over the wire (and comes back)?
 
 Also please temporarily disable all other filters, to 
 rule-out chain problems.
>>> 
>>> I installed libasr, opensmtpd and OpenSMTPD-Extras from github to ensure 
>>> the latest version.
>>> 
>>> I use the following config to only use dnsbl:
>>> 
>>> filter dnsbl dnsbl "-h" "psbl.surriel.com"
>>> filter filter-clamav clamav
>>> filter all chain dnsbl
>>> filter sub chain filter-clamav
>>> pki server.pragmasec.nl key 
>>> "/etc/letsencrypt/archive/server.pragmasec.nl/privkey1.pem"
>>> pki server.pragmasec.nl certificate 
>>> "/etc/letsencrypt/archive/server.pragmasec.nl/fullchain1.pem"
>>> listen on lo
>>> listen on ens3 port 25 filter all hostname server.pragmasec.nl tls pki 
>>> server.pragmasec.nl
>>> listen on ens3 port 587 filter sub hostname server.pragmasec.nl tls-require 
>>> pki server.pragmasec.nl auth mask-source
>>> expire 7d
>>> table vdomains "/usr/local/etc/vdomains"
>>> table vusers "/usr/local/etc/vusers"
>>> accept from any for domain  virtual  deliver to mda 
>>> "/usr/lib/dovecot/dovecot-lda -f %{sender} -a %{rcpt}"
>>> accept from local for any relay
>>> 
>>> tcpdump of any traffic to psbl.surriel.org: (this seems useless as the 
>>> traffic is only dns and goes to the forwarders via my dnsmasq local cache)
>>> tcpdump -i any | grep ’74.92.59.67'
>>> 
>>> *nothing*
>>> 
>>> the error with strace and running with smtpd -d -v -T filter:
>>> 
>>> epoll_wait(3, debug: smtp: new client on listener: 0x79d0c0
>>> smtp-in: New session 71768b23cba98cf7 from host pro-mail-smtp-001.bol.com 
>>> [185.14.168.222]
>>> filter: post-event event=EVENT_CONNECT filter=dnsbl
>>> filter: new query QUERY_CONNECT
>>> filter: filter_drain_query 71768b247df9084f[QUERY_CONNECT=178.21.114.197 
>>> <-> 
>>> 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x795bc0[datalen=0,eom=(nil),ofile=(nil)]]
>>> filter: running filter filter:dnsbl[hooks=0x,flags=0x] for 
>>> query 71768b247df9084f[QUERY_CONNECT=178.21.114.197 <-> 
>>> 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x795bc0[datalen=0,eom=(nil),ofile=(nil)]]
>>> filter: waiting for running query 
>>> 71768b247df9084f[QUERY_CONNECT=178.21.114.197 <-> 
>>> 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x795bc0[datalen=0,eom=(nil),ofile=(nil)]]
>>> dnsbl[22353]: debug: on_connect: checking 222.168.14.185.psbl.surriel.com.
>>> dnsbl[22353]: warn: session 71768b23cba98cf7: event_dispatch: REJECT address
>>> filter: imsg IMSG_FILTER_RESPONSE from procfilter 
>>> dnsbl[hooks=0x,flags=0x]
>>> filter: filter_drain_query 71768b247df9084f[QUERY_CONNECT=178.21.114.197 
>>> <-> 
>>> 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x795bc0[datalen=0,eom=(nil),ofile=(nil)]]
>>> filter: filter_end_query 71768b247df9084f[QUERY_CONNECT=178.21.114.197 <-> 
>>> 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x795bc0[datalen=0,eom=(nil),ofile=(nil)]]
>>> filter: query 71768b247df9084f done: status=FILTER_CLOSE code=554 
>>> response="5.7.1 Address in DNSBL"
>>> smtp-in: Failed command on session 71768b23cba98cf7: "" => 554 5.7.1 
>>> Address in DNSBL
>>> smtp-in: Closing session 71768b23cba98cf7
>>> debug: smtp: 0x859c80: deleting session: done
>>> filter: post-event event=EVENT_DISCONNECT filter=dnsbl
>>> 
>>> dnsmasq logging:
>>> 
>>> Apr  7 07:48:41 server dnsmasq[6018]: query[A] 
>>> 222.168.14.185.psbl.surriel.com from 127.0.0.1
>>> Apr  7 07:48:41 server dnsmasq[6018]: forwarded 
>>> 222.168.14.185.psbl.surriel.com to 95.85.9.86
>>> Apr  7 07:48:41 server dnsmasq[6018]: reply 222.168.14.185.psbl.surriel.com 
>>> is NXDOMAIN
>>> 
>>> any more pointers what could go wrong?
>> 
>> To me, this really looks like a bug/problem in libasr now (Ubuntu specific). 
>>  
> 
> The libasr is from github (I tried 14.04 and 16.04) but can try a different 
> distro to check if others also have this issue?

Others, e.g. FreeBSD and OpenBSD and some Linux (Debian/Alpine?) are known to 
work.
For example, I use filter-dnsbl in production on OpenBSD.

>> Despite the NXDOMAIN reply, this condition seems to become true for you:
>> https://github.com/OpenSMTPD/OpenSMTPD-extras/blob/master/extras/wip/filters/filter-dnsbl/filter_dnsbl.c#L44
>> 
>> The question is why does it become true und what is the value of: 
>> ar->ar_gai_errno (and why has it this value).
>> Can you add/print the value to the log line please? For example:
>> log_warnx("warn: session %016"PRIx64": event_dispatch: REJECT address 
>> ar_gai_errno=%d", *q, ar->ar_gai_errno);
> 
> where do I need to add it? in which file? to 
> /extras/wip/filters/filter-dnsbl/filter_dnsbl.c and recompile the 
> OpenSMTPD-Extras?

Yes, the log_warnx() from line 45

Re: Some DNSBL questions and other spam filtering options in OpenSMTPD

2016-04-07 Thread Michiel van Es 

> On 07 Apr 2016, at 08:41, Joerg Jung  wrote:
> 
> 
>> On 07 Apr 2016, at 07:54, Michiel van Es  wrote:
>>> On 07 Apr 2016, at 01:19, Joerg Jung  wrote:
>>> 
>>> Nope, but you can try adding some more debug
>>> logs in the filter source.
> 
> I fear we need to take this route now, I hope you are ready ;)

hehe I am :)
If you give me some pointers ;)

> 
>>> What asr version have you installed? Recent one?
>>> 
>>> You can also do a tcpdump please, to see what 
>>> exactly  goes over the wire (and comes back)?
>>> 
>>> Also please temporarily disable all other filters, to 
>>> rule-out chain problems.
>> 
>> I installed libasr, opensmtpd and OpenSMTPD-Extras from github to ensure the 
>> latest version.
>> 
>> I use the following config to only use dnsbl:
>> 
>> filter dnsbl dnsbl "-h" "psbl.surriel.com"
>> filter filter-clamav clamav
>> filter all chain dnsbl
>> filter sub chain filter-clamav
>> pki server.pragmasec.nl key 
>> "/etc/letsencrypt/archive/server.pragmasec.nl/privkey1.pem"
>> pki server.pragmasec.nl certificate 
>> "/etc/letsencrypt/archive/server.pragmasec.nl/fullchain1.pem"
>> listen on lo
>> listen on ens3 port 25 filter all hostname server.pragmasec.nl tls pki 
>> server.pragmasec.nl
>> listen on ens3 port 587 filter sub hostname server.pragmasec.nl tls-require 
>> pki server.pragmasec.nl auth mask-source
>> expire 7d
>> table vdomains "/usr/local/etc/vdomains"
>> table vusers "/usr/local/etc/vusers"
>> accept from any for domain  virtual  deliver to mda 
>> "/usr/lib/dovecot/dovecot-lda -f %{sender} -a %{rcpt}"
>> accept from local for any relay
>> 
>> tcpdump of any traffic to psbl.surriel.org: (this seems useless as the 
>> traffic is only dns and goes to the forwarders via my dnsmasq local cache)
>> tcpdump -i any | grep ’74.92.59.67'
>> 
>> *nothing*
>> 
>> the error with strace and running with smtpd -d -v -T filter:
>> 
>> epoll_wait(3, debug: smtp: new client on listener: 0x79d0c0
>> smtp-in: New session 71768b23cba98cf7 from host pro-mail-smtp-001.bol.com 
>> [185.14.168.222]
>> filter: post-event event=EVENT_CONNECT filter=dnsbl
>> filter: new query QUERY_CONNECT
>> filter: filter_drain_query 71768b247df9084f[QUERY_CONNECT=178.21.114.197 <-> 
>> 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x795bc0[datalen=0,eom=(nil),ofile=(nil)]]
>> filter: running filter filter:dnsbl[hooks=0x,flags=0x] for query 
>> 71768b247df9084f[QUERY_CONNECT=178.21.114.197 <-> 
>> 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x795bc0[datalen=0,eom=(nil),ofile=(nil)]]
>> filter: waiting for running query 
>> 71768b247df9084f[QUERY_CONNECT=178.21.114.197 <-> 
>> 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x795bc0[datalen=0,eom=(nil),ofile=(nil)]]
>> dnsbl[22353]: debug: on_connect: checking 222.168.14.185.psbl.surriel.com.
>> dnsbl[22353]: warn: session 71768b23cba98cf7: event_dispatch: REJECT address
>> filter: imsg IMSG_FILTER_RESPONSE from procfilter 
>> dnsbl[hooks=0x,flags=0x]
>> filter: filter_drain_query 71768b247df9084f[QUERY_CONNECT=178.21.114.197 <-> 
>> 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x795bc0[datalen=0,eom=(nil),ofile=(nil)]]
>> filter: filter_end_query 71768b247df9084f[QUERY_CONNECT=178.21.114.197 <-> 
>> 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x795bc0[datalen=0,eom=(nil),ofile=(nil)]]
>> filter: query 71768b247df9084f done: status=FILTER_CLOSE code=554 
>> response="5.7.1 Address in DNSBL"
>> smtp-in: Failed command on session 71768b23cba98cf7: "" => 554 5.7.1 Address 
>> in DNSBL
>> smtp-in: Closing session 71768b23cba98cf7
>> debug: smtp: 0x859c80: deleting session: done
>> filter: post-event event=EVENT_DISCONNECT filter=dnsbl
>> 
>> dnsmasq logging:
>> 
>> Apr  7 07:48:41 server dnsmasq[6018]: query[A] 
>> 222.168.14.185.psbl.surriel.com from 127.0.0.1
>> Apr  7 07:48:41 server dnsmasq[6018]: forwarded 
>> 222.168.14.185.psbl.surriel.com to 95.85.9.86
>> Apr  7 07:48:41 server dnsmasq[6018]: reply 222.168.14.185.psbl.surriel.com 
>> is NXDOMAIN
>> 
>> any more pointers what could go wrong?
> 
> To me, this really looks like a bug/problem in libasr now (Ubuntu specific).  

The libasr is from github (I tried 14.04 and 16.04) but can try a different 
distro to check if others also have this issue?

> Despite the NXDOMAIN reply, this condition seems to become true for you:
> https://github.com/OpenSMTPD/OpenSMTPD-extras/blob/master/extras/wip/filters/filter-dnsbl/filter_dnsbl.c#L44
> 
> The question is why does it become true und what is the value of: 
> ar->ar_gai_errno (and why has it this value).
> Can you add/print the value to the log line please? For example:
> log_warnx("warn: session %016"PRIx64": event_dispatch: REJECT address 
> ar_gai_errno=%d", *q, ar->ar_gai_errno);

where do I need to add it? in which file? to 
/extras/wip/filters/filter-dnsbl/filter_dnsbl.c and recompile the 
OpenSMTPD-Extras?


> 
> You may also want to

Re: Some DNSBL questions and other spam filtering options in OpenSMTPD

2016-04-07 Thread Joerg Jung 

> On 07 Apr 2016, at 07:54, Michiel van Es  wrote:
>> On 07 Apr 2016, at 01:19, Joerg Jung  wrote:
>> 
>> Nope, but you can try adding some more debug
>> logs in the filter source.

I fear we need to take this route now, I hope you are ready ;)

>> What asr version have you installed? Recent one?
>> 
>> You can also do a tcpdump please, to see what 
>> exactly  goes over the wire (and comes back)?
>> 
>> Also please temporarily disable all other filters, to 
>> rule-out chain problems.
> 
> I installed libasr, opensmtpd and OpenSMTPD-Extras from github to ensure the 
> latest version.
> 
> I use the following config to only use dnsbl:
> 
> filter dnsbl dnsbl "-h" "psbl.surriel.com"
> filter filter-clamav clamav
> filter all chain dnsbl
> filter sub chain filter-clamav
> pki server.pragmasec.nl key 
> "/etc/letsencrypt/archive/server.pragmasec.nl/privkey1.pem"
> pki server.pragmasec.nl certificate 
> "/etc/letsencrypt/archive/server.pragmasec.nl/fullchain1.pem"
> listen on lo
> listen on ens3 port 25 filter all hostname server.pragmasec.nl tls pki 
> server.pragmasec.nl
> listen on ens3 port 587 filter sub hostname server.pragmasec.nl tls-require 
> pki server.pragmasec.nl auth mask-source
> expire 7d
> table vdomains "/usr/local/etc/vdomains"
> table vusers "/usr/local/etc/vusers"
> accept from any for domain  virtual  deliver to mda 
> "/usr/lib/dovecot/dovecot-lda -f %{sender} -a %{rcpt}"
> accept from local for any relay
> 
> tcpdump of any traffic to psbl.surriel.org: (this seems useless as the 
> traffic is only dns and goes to the forwarders via my dnsmasq local cache)
> tcpdump -i any | grep ’74.92.59.67'
> 
> *nothing*
> 
> the error with strace and running with smtpd -d -v -T filter:
> 
> epoll_wait(3, debug: smtp: new client on listener: 0x79d0c0
> smtp-in: New session 71768b23cba98cf7 from host pro-mail-smtp-001.bol.com 
> [185.14.168.222]
> filter: post-event event=EVENT_CONNECT filter=dnsbl
> filter: new query QUERY_CONNECT
> filter: filter_drain_query 71768b247df9084f[QUERY_CONNECT=178.21.114.197 <-> 
> 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x795bc0[datalen=0,eom=(nil),ofile=(nil)]]
> filter: running filter filter:dnsbl[hooks=0x,flags=0x] for query 
> 71768b247df9084f[QUERY_CONNECT=178.21.114.197 <-> 
> 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x795bc0[datalen=0,eom=(nil),ofile=(nil)]]
> filter: waiting for running query 
> 71768b247df9084f[QUERY_CONNECT=178.21.114.197 <-> 
> 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x795bc0[datalen=0,eom=(nil),ofile=(nil)]]
> dnsbl[22353]: debug: on_connect: checking 222.168.14.185.psbl.surriel.com.
> dnsbl[22353]: warn: session 71768b23cba98cf7: event_dispatch: REJECT address
> filter: imsg IMSG_FILTER_RESPONSE from procfilter 
> dnsbl[hooks=0x,flags=0x]
> filter: filter_drain_query 71768b247df9084f[QUERY_CONNECT=178.21.114.197 <-> 
> 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x795bc0[datalen=0,eom=(nil),ofile=(nil)]]
> filter: filter_end_query 71768b247df9084f[QUERY_CONNECT=178.21.114.197 <-> 
> 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x795bc0[datalen=0,eom=(nil),ofile=(nil)]]
> filter: query 71768b247df9084f done: status=FILTER_CLOSE code=554 
> response="5.7.1 Address in DNSBL"
> smtp-in: Failed command on session 71768b23cba98cf7: "" => 554 5.7.1 Address 
> in DNSBL
> smtp-in: Closing session 71768b23cba98cf7
> debug: smtp: 0x859c80: deleting session: done
> filter: post-event event=EVENT_DISCONNECT filter=dnsbl
> 
> dnsmasq logging:
> 
> Apr  7 07:48:41 server dnsmasq[6018]: query[A] 
> 222.168.14.185.psbl.surriel.com from 127.0.0.1
> Apr  7 07:48:41 server dnsmasq[6018]: forwarded 
> 222.168.14.185.psbl.surriel.com to 95.85.9.86
> Apr  7 07:48:41 server dnsmasq[6018]: reply 222.168.14.185.psbl.surriel.com 
> is NXDOMAIN
> 
> any more pointers what could go wrong?

To me, this really looks like a bug/problem in libasr now (Ubuntu specific).  
Despite the NXDOMAIN reply, this condition seems to become true for you:
https://github.com/OpenSMTPD/OpenSMTPD-extras/blob/master/extras/wip/filters/filter-dnsbl/filter_dnsbl.c#L44

The question is why does it become true und what is the value of: 
ar->ar_gai_errno (and why has it this value).
Can you add/print the value to the log line please? For example:
log_warnx("warn: session %016"PRIx64": event_dispatch: REJECT address 
ar_gai_errno=%d", *q, ar->ar_gai_errno);

You may also want to print further members of struct asr_result to see what is 
going on.
 
--
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org