Re: Question about OpenSMTPD and Debian package and filters/spam filtering
> On 21 Aug 2019, at 13:58, Gilles Chehade wrote:
>
> On Wed, Aug 21, 2019 at 12:50:10PM +0200, Michiel van Es wrote:
>> Hi!
>>
>
> Hi,
>
>> I am running a small VPS with 1 GB memory with Debian 10 amd64 with
>> OpenSMTPD (6.0.3) for private email and am looking what my best options are
>> to limit spam.
>> I know there are some filters from Joerg
>> (https://www.mail-archive.com/misc@opensmtpd.org/msg04402.html) but am not
>> sure if these will work with my version of OpenSMTPD (I get a syntax error
>> when trying the old filter syntax).
>>
>> I can also relay everything to Amavisd/SpamAssassin but then email won't
>> get blocked at the SMTP level, also ASSP or Rspamd is an option but they are
>> pretty resource intensive and will eat all my VPS memory ;)
>>
>> What would be my best option?
>>
>
> 6.0.3 is a fairly old version and there aren't many options available.
>
> if you're forced to stick with that version, which suffers from at least
> one denial of service as far as I know, your best option is to relay via
> something like SpamPD so it can interface with SpamAssassin, but this is
> not going to operate at SMTP level, it will happen at delivery time.

That’s interesting since Debian has a good track record of back porting security fixes in their stable packages.
I will ask the maintainer if he applied the patch or upgraded the package to latest version.
For now I use spampd which works fine for bayesian spam detection.

>
> there will be no way of blocking at SMTP level before next release 6.6.0
> that is going to happen in a few weeks, during October, so any option is
> going to be post delivery: either as a custom MDA, or as a relay via for
> some smtp proxy that will reinject in smtpd like the dkimproxy stuff.

I will wait for 6.6.0 ;)

>
> your best option would really be to build from source 6.4.2: it will not
> block at SMTP level but will provide mechanisms to ease interfacing with
> spamassassin or rspamd for post-SMTP handling.
>
> if you're not too easily scared, running the development version is good
> too because it's very close to release now, very stable and will not get
> much changes until October as I'm busy busy these days ;-)

Might give that a try, thanks :)

>
>> I like to do some DNSBL and SpamAssassin checks if possible.
>>
>> My config if that is to any use to give some insights:
>>
>> pki server.pragmasec.nl certificate
>> "/etc/letsencrypt/live/pragmasec.nl/fullchain.pem"
>> pki server.pragmasec.nl key "/etc/letsencrypt/live/pragmasec.nl/privkey.pem"
>> listen on localhost
>> listen on eth0 port 25 tls pki server.pragmasec.nl hostname
>> server.pragmasec.nl auth-optional
>> listen on eth0 port 587 tls-require pki server.pragmasec.nl hostname
>> server.pragmasec.nl auth
>> table vdomains file:/etc/mail/domains
>> table vusers file:/etc/mail/vusers
>> expire 7d
>> limit mta inet4
>> accept from any for domain virtual deliver to mda
>> "/usr/lib/dovecot/dovecot-lda -f %{sender} -a %{rcpt}"
>> accept from local for any relay
>>
>> Cheers,
>>
>> Michiel
>>
>
> --
> Gilles Chehade @poolpOrg
>
> https://www.poolp.org patreon: https://www.patreon.com/gilles
Question about OpenSMTPD and Debian package and filters/spam filtering
Hi!

I am running a small VPS with 1 GB memory with Debian 10 amd64 with OpenSMTPD (6.0.3) for private email and am looking what my best options are to limit spam.
I know there are some filters from Joerg (https://www.mail-archive.com/misc@opensmtpd.org/msg04402.html) but am not sure if these will work with my version of OpenSMTPD (I get a syntax error when trying the old filter syntax).

I can also relay everything to Amavisd/SpamAssassin but then email won’t get blocked at the SMTP level, also ASSP or Rspamd is an option but they are pretty resource intensive and will eat all my VPS memory ;)

What would be my best option?

I like to do some DNSBL and SpamAssassin checks if possible.

My config if that is to any use to give some insights:

pki server.pragmasec.nl certificate "/etc/letsencrypt/live/pragmasec.nl/fullchain.pem"
pki server.pragmasec.nl key "/etc/letsencrypt/live/pragmasec.nl/privkey.pem"
listen on localhost
listen on eth0 port 25 tls pki server.pragmasec.nl hostname server.pragmasec.nl auth-optional
listen on eth0 port 587 tls-require pki server.pragmasec.nl hostname server.pragmasec.nl auth
table vdomains file:/etc/mail/domains
table vusers file:/etc/mail/vusers
expire 7d
limit mta inet4
accept from any for domain virtual deliver to mda "/usr/lib/dovecot/dovecot-lda -f %{sender} -a %{rcpt}"
accept from local for any relay

Cheers,

Michiel
question about procmail and delimiter
Hi,

I am using OpenSMTPD (6.0.2) on Debian Stretch and want to pass the delimiter values via procmail to dovecot sieve.

My smtpd.conf:

pki server.pragmasec.nl certificate "/etc/letsencrypt/live/pragmasec.nl/fullchain.pem"
pki server.pragmasec.nl key "/etc/letsencrypt/live/pragmasec.nl/privkey.pem"
listen on localhost
listen on ens3 port 25 tls pki server.pragmasec.nl hostname server.pragmasec.nl auth-optional
listen on ens3 port 587 tls-require pki server.pragmasec.nl hostname server.pragmasec.nl auth-optional
table vdomains file:/usr/local/etc/vdomains
table vusers file:/usr/local/etc/vusers
expire 7d
limit mta inet4
accept from any for domain virtual deliver to mda "/usr/bin/procmail -f -"
accept from local for any relay

My .procmailrc:

SHELL=/usr/local/bin/bash
VERBOSE=yes
DELIVER=/usr/lib/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT"
#DELIVER=/usr/local/libexec/dovecot/dovecot-lda -f %{sender} -a %{rcpt}
LOGFILE=/var/log/procmail.log
DEFAULT=$HOME/Maildir/
ORGMAIL=$HOME/Maildir/
#DROPPRIVS=yes
DEBUG=YES

#
### virus scanning
#
:0fw
| /usr/local/procmail2virustotal/checkvirus.py

:0
* ^X-Virus-Flag: YES
$DEFAULT/.Virus/new

:0 w
| $DELIVER

:0
$DEFAULT

The thing is, when I am using postfix and use '/usr/bin/procmail -p' it proxies the username+det...@domain.com nicely to procmail which then delivers it to dovecot sieve and it finally filters the delimiter nicely.

If I change to OpenSMTPD and use the same procmail command the detail is cut off by OpenSMTPD:

procmail: Assigning "DEFAULT=/home/mve/Maildir/"
procmail: Assigning "ORGMAIL=/home/mve/Maildir/"
procmail: Assigning "DEBUG=YES"
procmail: Executing "/usr/local/procmail2virustotal/checkvirus.py"
procmail: [12334] Mon Aug 28 11:47:43 2017
procmail: No match on "^X-Virus-Flag: YES"
procmail: Executing "/usr/lib/dovecot/dovecot-lda"
procmail: Assigning "LASTFOLDER=/usr/lib/dovecot/dovecot-lda"
procmail: Notified comsat: "mve@:/usr/lib/dovecot/dovecot-lda"
Subject: sd
Folder: /usr/lib/dovecot/dovecot-lda

Notice the comsat line where mve@ is passed and not mve+detail@ to dovecot sieve.

My question: what kind of command do I have to use in smtpd.conf to pass these values to procmail?

I’ve got it working with dovecot-lda directly by using:

deliver to mda "/usr/local/libexec/dovecot/dovecot-lda -f %{sender} -a %{rcpt}"

but when changing this to

deliver to mda "/usr/bin/procmail -f %{sender} -a %{rcpt}"

it does not work. Also tried the -p option and -f - but all options seem not to pass the user+detail@ to procmail when using OpenSMTPD.

Not saying this is because of OpenSMTPD and mostly my own config error but I am just trying to figure out if someone got it working with procmail preserving the user+detail@ with procmail.

Thanks for any help.

regards,

Michiel

--
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
question about CentOS 7 and OpenSMTPD-Extras
Hello,

I am trying to replace my Postfix + Amavisd-new setup with OpenSMTPD with the OpenSMTPD-Extras setup.

I have 2 questions:

- I don’t see the clamav, spam assassin, etc. filters anymore, are they now default installed? If not how do I install them?
- When trying to compile the OpenSMTPD-Extras git repo on my CentOS 7 64 bit machine I get:

../../../api/rfc2822.c: In function ‘rfc2822_header_callback’:
../../../api/rfc2822.c:221:45: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
  if (strlcpy(buffer, header, sizeof buffer) >= sizeof buffer)
                                             ^
../../../api/rfc2822.c: In function ‘rfc2822_missing_header_callback’:
../../../api/rfc2822.c:249:45: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
  if (strlcpy(buffer, header, sizeof buffer) >= sizeof buffer)
                                             ^
make[4]: *** [../../../api/rfc2822.o] Error 1
make[4]: Leaving directory `/usr/local/OpenSMTPD-extras/extras/filters/filter-stub'
make[3]: *** [all-recursive] Error 1
make[3]: Leaving directory `/usr/local/OpenSMTPD-extras/extras/filters'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/usr/local/OpenSMTPD-extras/extras'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/usr/local/OpenSMTPD-extras'
make: *** [all] Error 2

How can I fix this?

Thanks for the help.

Cheers,

Michiel
Re: Some DNSBL questions and other spam filtering options in OpenSMTPD
> On 08 Apr 2016, at 17:08, Joerg Jung <m...@umaxx.net> wrote:
>
>> On 08.04.2016 at 16:56, Michiel van Es <m...@pragmasec.nl> wrote:
>>
>>> On Fri, Apr 08, 2016 at 04:29:55PM +0200, Michiel van Es wrote:
>>> On Fri, Apr 08, 2016 at 03:44:16PM +0200, Joerg Jung wrote:
>>>
>>>> For now I’m out of ideas how to solve the EAI_NODATA -5 vs -2 problem and
>>>> where it exactly comes from.
>>>> I need to install Ubuntu myself to figure out. Maybe I find some time on
>>>> Weekend to do so.
>>>>
>>>> As hacky-whacky-workaround-bad-idea-but-quick-hack you can add the
>>>> following in line 43:
>>>>
>>>> #define MY_EAI_NODATA -5
>>>>
>>>> and then use it one line later like this:
>>>>
>>>> if (ar->ar_gai_errno != EAI_NODATA && ar->ar_gai_errno != EAI_NONAME &&
>>>> ar->ar_gai_errno != MY_EAI_NODATA) {
>>>
>>> Sorry, I lost track of to add this which file, which file should be
>>> altered? :)
>> Added the entries to filter_dnsbl.c and recompiled.
>>>
>>>> …
>>>>
>>>> This should really make the filter work for you, but is a very ugly hack.
>>>>
>>>> You opened a bug report already anyways, I will try to resolve this with a
>>>> good solution.
>>>
>>> Ok, I will use the ugly hack for now to stop the spam mess and git pull the
>>> new change later on and recompile.
>> Ok, I am now getting:
>>
>> Apr 8 16:54:57 server filter-dnsbl-surriel[17901]: warn: DEBUG:
>> ar_gai_errno=-5, EAI_NODATA=-2, EAI_NONAME=-2, gai_strerror=‘No address
>> associated with hostname'
>> Apr 8 16:54:57 server filter-dnsbl-spamhaus[17900]: warn: DEBUG:
>> ar_gai_errno=-5, EAI_NODATA=-2, EAI_NONAME=-2, gai_strerror=‘No address
>> associated with hostname'
>>
>> This is correct?
>
> Yes, and the mail goes through now, right!?

Yes.

>
> You can of course remove the additional DEBUG
> log right before the if statement now, this was
> just for me to see the error number(s)

I will remove it later.

I do get also the following:

Apr 8 17:58:55 server smtpd[17896]: smtp-in: New session 7dc7202ec8c95247 from host 218.241.238.141 [218.241.238.141]
Apr 8 17:59:01 server filter-dnsbl-surriel[17901]: warn: DEBUG: ar_gai_errno=0, EAI_NODATA=-2, EAI_NONAME=-2, gai_strerror=‘Unknown error'
Apr 8 17:59:01 server filter-dnsbl-surriel[17901]: warn: session 7dc7202ec8c95247: event_dispatch: REJECT address ar_gai_errno=0
Apr 8 17:59:01 server smtpd[17896]: smtp-in: Failed command on session 7dc7202ec8c95247: "" => 554 5.7.1 Address in DNSBL

and

Apr 8 17:41:27 server filter-dnsbl-spamhaus[17900]: warn: DEBUG: ar_gai_errno=0, EAI_NODATA=-2, EAI_NONAME=-2, gai_strerror=‘Unknown error'
Apr 8 17:41:27 server filter-dnsbl-spamhaus[17900]: warn: session 7dc7202ac46f75ad: event_dispatch: REJECT address ar_gai_errno=0
Apr 8 17:41:27 server smtpd[17896]: smtp-in: Failed command on session 7dc7202ac46f75ad: "" => 554 5.7.1 Address in DNSBL
Apr 8 17:41:27 server smtpd[17896]: smtp-in: Closing session 7dc7202ac46f75ad

I would expect something like: hit or true instead of Unknown error.
These mails are blocked but I am wondering if it is correct and that just the error message is just not so ‘correct’.
I can confirm that the ip’s are listed in either psbl.surriel.com or zen.spamhaus.org so I think everything goes by the book :)

Thanks for your help and let me/us know when you officially fixed it (I will check my github issue of course).

Cheers,

Michiel
Re: Some DNSBL questions and other spam filtering options in OpenSMTPD
On Fri, Apr 08, 2016 at 04:29:55PM +0200, Michiel van Es wrote:
> On Fri, Apr 08, 2016 at 03:44:16PM +0200, Joerg Jung wrote:
> > >
> > > but got the same error:
> > >
> > > debug: smtp: new client on listener: 0x1bc3110
> > > smtp-in: New session e7ba7643bb567563 from host pro-mail-smtp-001.bol.com
> > > [185.14.168.222]
> > > filter: post-event event=EVENT_CONNECT filter=dnsbl
> > > filter: new query QUERY_CONNECT
> > > filter: filter_drain_query e7ba7644f7858c96[QUERY_CONNECT=178.21.114.197
> > > <->
> > > 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x1bb2010[datalen=0,eom=(nil),ofile=(nil)]]
> > > filter: running filter filter:dnsbl[hooks=0x,flags=0x] for
> > > query e7ba7644f7858c96[QUERY_CONNECT=178.21.114.197 <->
> > > 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x1bb2010[datalen=0,eom=(nil),ofile=(nil)]]
> > > filter: waiting for running query
> > > e7ba7644f7858c96[QUERY_CONNECT=178.21.114.197 <->
> > > 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x1bb2010[datalen=0,eom=(nil),ofile=(nil)]]
> > > dnsbl[8693]: debug: on_connect: checking 222.168.14.185.psbl.surriel.com.
> > > dnsbl[8693]: warn: DEBUG: ar_gai_errno=-5, EAI_NODATA=-2, EAI_NONAME=-2,
> > > gai_strerror=‘No address associated with hostname’
> >
> > For now I’m out of ideas how to solve the EAI_NODATA -5 vs -2 problem and
> > where it exactly comes from.
> > I need to install Ubuntu myself to figure out. Maybe I find some time on
> > Weekend to do so.
> >
> > As hacky-whacky-workaround-bad-idea-but-quick-hack you can add the
> > following in line 43:
> >
> > #define MY_EAI_NODATA -5
> >
> > and then use it one line later like this:
> >
> > if (ar->ar_gai_errno != EAI_NODATA && ar->ar_gai_errno != EAI_NONAME &&
> > ar->ar_gai_errno != MY_EAI_NODATA) {
>
> Sorry, I lost track of to add this which file, which file should be altered?
> :)

Added the entries to filter_dnsbl.c and recompiled.

>
> > …
> >
> > This should really make the filter work for you, but is a very ugly hack.
> >
> > You opened a bug report already anyways, I will try to resolve this with a
> > good solution.
> >
>
> Ok, I will use the ugly hack for now to stop the spam mess and git pull the
> new change later on and recompile.

Ok, I am now getting:

Apr 8 16:54:57 server filter-dnsbl-surriel[17901]: warn: DEBUG: ar_gai_errno=-5, EAI_NODATA=-2, EAI_NONAME=-2, gai_strerror=‘No address associated with hostname'
Apr 8 16:54:57 server filter-dnsbl-spamhaus[17900]: warn: DEBUG: ar_gai_errno=-5, EAI_NODATA=-2, EAI_NONAME=-2, gai_strerror=‘No address associated with hostname'

This is correct?
Re: Some DNSBL questions and other spam filtering options in OpenSMTPD
On Fri, Apr 08, 2016 at 03:44:16PM +0200, Joerg Jung wrote:
> >
> > but got the same error:
> >
> > debug: smtp: new client on listener: 0x1bc3110
> > smtp-in: New session e7ba7643bb567563 from host pro-mail-smtp-001.bol.com
> > [185.14.168.222]
> > filter: post-event event=EVENT_CONNECT filter=dnsbl
> > filter: new query QUERY_CONNECT
> > filter: filter_drain_query e7ba7644f7858c96[QUERY_CONNECT=178.21.114.197
> > <->
> > 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x1bb2010[datalen=0,eom=(nil),ofile=(nil)]]
> > filter: running filter filter:dnsbl[hooks=0x,flags=0x] for
> > query e7ba7644f7858c96[QUERY_CONNECT=178.21.114.197 <->
> > 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x1bb2010[datalen=0,eom=(nil),ofile=(nil)]]
> > filter: waiting for running query
> > e7ba7644f7858c96[QUERY_CONNECT=178.21.114.197 <->
> > 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x1bb2010[datalen=0,eom=(nil),ofile=(nil)]]
> > dnsbl[8693]: debug: on_connect: checking 222.168.14.185.psbl.surriel.com.
> > dnsbl[8693]: warn: DEBUG: ar_gai_errno=-5, EAI_NODATA=-2, EAI_NONAME=-2,
> > gai_strerror=‘No address associated with hostname’
>
> For now I’m out of ideas how to solve the EAI_NODATA -5 vs -2 problem and
> where it exactly comes from.
> I need to install Ubuntu myself to figure out. Maybe I find some time on
> Weekend to do so.
>
> As hacky-whacky-workaround-bad-idea-but-quick-hack you can add the following
> in line 43:
>
> #define MY_EAI_NODATA -5
>
> and then use it one line later like this:
>
> if (ar->ar_gai_errno != EAI_NODATA && ar->ar_gai_errno != EAI_NONAME &&
> ar->ar_gai_errno != MY_EAI_NODATA) {

Sorry, I lost track of to add this which file, which file should be altered? :)

> …
>
> This should really make the filter work for you, but is a very ugly hack.
>
> You opened a bug report already anyways, I will try to resolve this with a
> good solution.
>

Ok, I will use the ugly hack for now to stop the spam mess and git pull the new change later on and recompile.
Re: Some DNSBL questions and other spam filtering options in OpenSMTPD
> On 07 Apr 2016, at 14:40, Joerg Jung <m...@umaxx.net> wrote:
>
>> On 07 Apr 2016, at 13:13, Michiel van Es <m...@pragmasec.nl> wrote:
>>> On 07 Apr 2016, at 12:59, Joerg Jung <m...@umaxx.net> wrote:
>>>
>>> Ok... that makes sense now.
>>> -2 seems to be EAI_NONAME which seems to be the error code specific on
>>> Ubuntu libc for NXDOMAIN replies, instead of EAI_NODATA.
>>>
>>> These error codes and related RFCs are subject to a lot of discussions.
>>> See here to get an idea:
>>> https://sourceware.org/bugzilla/show_bug.cgi?id=15726
>>> Especially, note the cross references to Ubuntu bugs ...
>>>
>>> Instead of trying to fit all distribution specific changes,
>>> the easiest might be to change the logic here and check for the returned
>>> address not being empty -- instead of errno.
>>>
>>> I'll try to come up with a proper diff to fix this, but give me some time
>>> as
>>> I'm very busy currently.
>>>
>>> As quick fix: you can just change the if statement to:
>>> if (ar->ar_gai_errno != EAI_NODATA && ar->ar_gai_errno != EAI_NONAME) {
>>
>> like this? =>
>
> yes.
>
>> dnsbl_event_dispatch(struct asr_result *ar, void *arg)
>> {
>>     uint64_t *q = arg;
>>
>>     if (ar->ar_addrinfo)
>>         freeaddrinfo(ar->ar_addrinfo);
>>     log_warnx("warn: DEBUG: ar_gai_errno=%d, EAI_NODATA=%d", ar->ar_gai_errno, EAI_NODATA);
>>     if (ar->ar_gai_errno != EAI_NODATA && ar->ar_gai_errno != EAI_NONAME) {
>>         log_warnx("warn: session %016"PRIx64": event_dispatch: REJECT address ar_gai_errno=%d", *q, ar->ar_gai_errno);
>>         filter_api_reject_code(*q, FILTER_CLOSE, 554, "5.7.1 Address in DNSBL");
>>     } else
>>         filter_api_accept(*q);
>>     free(q);
>> }
>>
>>> ... and it should start working as expected. Can you confirm that, please?
>>
>> if above is correct, it did not work:
>>
>> dnsbl[26098]: warn: DEBUG: ar_gai_errno=-5, EAI_NODATA=-2
>> dnsbl[26098]: warn: session de57c06bd67994d3: event_dispatch: REJECT address
>> ar_gai_errno=-5
>> filter: imsg IMSG_FILTER_RESPONSE from procfilter
>> dnsbl[hooks=0x,flags=0x]
>> filter: filter_drain_query de57c06c3dc0ecca[QUERY_CONNECT=178.21.114.197 <->
>> 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x1588030[datalen=0,eom=(nil),ofile=(nil)]]
>> filter: filter_end_query de57c06c3dc0ecca[QUERY_CONNECT=178.21.114.197 <->
>> 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x1588030[datalen=0,eom=(nil),ofile=(nil)]]
>> filter: query de57c06c3dc0ecca done: status=FILTER_CLOSE code=554
>> response="5.7.1 Address in DNSBL"
>> smtp-in: Failed command on session de57c06bd67994d3: "" => 554 5.7.1 Address
>> in DNSBL
>> smtp-in: Closing session de57c06bd67994d3
>> debug: smtp: 0x1655cf0: deleting session: done
>> filter: post-event event=EVENT_DISCONNECT filter=dnsbl
>> ^Cinfo: queue handler exiting
>> info: scheduler handler exiting
>> info: ca agent exiting
>> warn: control -> queue: pipe closed
>> warn: lka -> queue: pipe closed
>> strace: Process 26091 detached
>>
>
> Ok can change the added DEBUG line right before the if statement once again
> to:
>
> log_warnx("warn: DEBUG: ar_gai_errno=%d, EAI_NODATA=%d, EAI_NONAME=%d,
> gai_strerror=‘%s'", ar->ar_gai_errno, EAI_NODATA, EAI_NONAME,
> gai_strerror(ar->ar_gai_errno));
>
> … and show me output?

debug: smtp: new client on listener: 0x1a90130
smtp-in: New session 1dc609e7cb3551c5 from host pro-mail-smtp-001.bol.com [185.14.168.222]
filter: post-event event=EVENT_CONNECT filter=dnsbl
filter: new query QUERY_CONNECT
filter: filter_drain_query 1dc609e878b913e8[QUERY_CONNECT=178.21.114.197 <-> 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x1a7f030[datalen=0,eom=(nil),ofile=(nil)]]
filter: running filter filter:dnsbl[hooks=0x,flags=0x] for query 1dc609e878b913e8[QUERY_CONNECT=178.21.114.197 <-> 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x1a7f030[datalen=0,eom=(nil),ofile=(nil)]]
filter: waiting for running query 1dc609e878b913e8[QUERY_CONNECT=178.21.114.197 <-> 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x1a7f030[datalen=0,eom=(nil),ofile=(nil)]]
dnsbl[27129]: debug: on_connect: checking 222.168.14.185.psbl.surriel.com.
dnsbl[27129]: warn: DEBUG: a
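
The suggestion quoted in the message above (decide on whether an address came back rather than on the errno value), as an added example that is not part of the thread and not filter-dnsbl's own code. The function names are hypothetical, and the 127.0.0.0/8 check (the RFC 5782 convention for DNSBL answers) goes beyond what the thread discusses.

```c
/* Added example, not filter-dnsbl's code; all function names are hypothetical. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L	/* getaddrinfo(), inet_pton() */
#endif
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>

enum dnsbl_verdict { DNSBL_NOT_LISTED, DNSBL_LISTED, DNSBL_LOOKUP_FAILED };

/* Build "d.c.b.a.<zone>." from dotted quad "a.b.c.d"; 0 on success, -1 on error. */
int
dnsbl_query_name(const char *ip, const char *zone, char *buf, size_t len)
{
	struct in_addr in;
	const unsigned char *o = (const unsigned char *)&in.s_addr;
	int n;

	if (inet_pton(AF_INET, ip, &in) != 1)
		return -1;
	/* s_addr is in network byte order, so o[0] is the first octet */
	n = snprintf(buf, len, "%u.%u.%u.%u.%s.", (unsigned)o[3], (unsigned)o[2],
	    (unsigned)o[1], (unsigned)o[0], zone);
	return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/*
 * Only a successful lookup that returned an A record in 127.0.0.0/8 counts
 * as a listing. Error codes never produce a rejection, so it does not matter
 * whether the libc reports "no such name" as -2, -5 or something else.
 */
enum dnsbl_verdict
dnsbl_classify(int gai_errno, const struct addrinfo *res)
{
	const struct addrinfo *ai;
	const struct sockaddr_in *sin;

	if (gai_errno == 0) {
		for (ai = res; ai != NULL; ai = ai->ai_next) {
			if (ai->ai_family != AF_INET || ai->ai_addr == NULL)
				continue;
			sin = (const struct sockaddr_in *)ai->ai_addr;
			if ((ntohl(sin->sin_addr.s_addr) >> 24) == 127)
				return DNSBL_LISTED;
		}
		/* success without a 127/8 answer, e.g. a resolver rewriting NXDOMAIN */
		return DNSBL_LOOKUP_FAILED;
	}
	if (gai_errno == EAI_NONAME)
		return DNSBL_NOT_LISTED;
#ifdef EAI_NODATA	/* not visible under every feature-test macro setting */
	if (gai_errno == EAI_NODATA)
		return DNSBL_NOT_LISTED;
#endif
	return DNSBL_LOOKUP_FAILED;	/* timeout, SERVFAIL, unknown code: accept and log */
}

/* 1 only when the address is positively listed; every failure mode accepts. */
int
dnsbl_should_reject(int gai_errno, const struct addrinfo *res)
{
	return dnsbl_classify(gai_errno, res) == DNSBL_LISTED;
}

/* Live lookup: classify before freeing the result list. */
enum dnsbl_verdict
dnsbl_check(const char *ip, const char *zone)
{
	struct addrinfo hints, *res = NULL;
	enum dnsbl_verdict v;
	char name[256];
	int e;

	if (dnsbl_query_name(ip, zone, name, sizeof name) != 0)
		return DNSBL_LOOKUP_FAILED;
	memset(&hints, 0, sizeof hints);
	hints.ai_family = AF_INET;
	hints.ai_socktype = SOCK_STREAM;
	e = getaddrinfo(name, NULL, &hints, &res);
	v = dnsbl_classify(e, res);
	if (res != NULL)
		freeaddrinfo(res);
	return v;
}

int
main(int argc, char **argv)
{
	static const char *label[] = { "not listed", "listed", "lookup failed" };

	if (argc != 3) {
		fprintf(stderr, "usage: %s ipv4-address dnsbl-zone\n", argv[0]);
		return 2;
	}
	printf("%s in %s: %s\n", argv[1], argv[2], label[dnsbl_check(argv[1], argv[2])]);
	return 0;
}
```

Only DNSBL_LISTED maps to the 554 rejection seen in the logs; both other verdicts accept the connection, so an unexpected error number can delay detection of spam but cannot block legitimate mail.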
Re: Some DNSBL questions and other spam filtering options in OpenSMTPD
> On 07 Apr 2016, at 12:59, Joerg Jung <m...@umaxx.net> wrote:
>
>> On 07.04.2016 at 11:51, Michiel van Es <m...@pragmasec.nl> wrote:
>>
>> oops, forgot to reply-all (and miss m...@opesmtpd.org), send again ->
>>
>>> On 07 Apr 2016, at 11:30, Joerg Jung <m...@umaxx.net> wrote:
>>>
>>>>> On 07 Apr 2016, at 10:17, Michiel van Es <m...@pragmasec.nl> wrote:
>>>>>
>>>>> On 07 Apr 2016, at 10:02, Joerg Jung <m...@umaxx.net> wrote:
>>>>>
>>>>>>> On 07 Apr 2016, at 08:47, Michiel van Es <m...@pragmasec.nl> wrote:
>>>>>>> On 07 Apr 2016, at 08:41, Joerg Jung <m...@umaxx.net> wrote:
>>>>>>>
>>>>>>>>> What asr version have you installed? Recent one?
>>>>>>>>>
>>>>>>>>> You can also do a tcpdump please, to see what
>>>>>>>>> exactly goes over the wire (and comes back)?
>>>>>>>>>
>>>>>>>>> Also please temporarily disable all other filters, to
>>>>>>>>> rule-out chain problems.
>>>>>>>>
>>>>>>>> I installed libasr, opensmtpd and OpenSMTPD-Extras from github to
>>>>>>>> ensure the latest version.
>>>>>>>>
>>>>>>>> I use the following config to only use dnsbl:
>>>>>>>>
>>>>>>>> filter dnsbl dnsbl "-h" "psbl.surriel.com"
>>>>>>>> filter filter-clamav clamav
>>>>>>>> filter all chain dnsbl
>>>>>>>> filter sub chain filter-clamav
>>>>>>>> pki server.pragmasec.nl key
>>>>>>>> "/etc/letsencrypt/archive/server.pragmasec.nl/privkey1.pem"
>>>>>>>> pki server.pragmasec.nl certificate
>>>>>>>> "/etc/letsencrypt/archive/server.pragmasec.nl/fullchain1.pem"
>>>>>>>> listen on lo
>>>>>>>> listen on ens3 port 25 filter all hostname server.pragmasec.nl tls pki
>>>>>>>> server.pragmasec.nl
>>>>>>>> listen on ens3 port 587 filter sub hostname server.pragmasec.nl
>>>>>>>> tls-require pki server.pragmasec.nl auth mask-source
>>>>>>>> expire 7d
>>>>>>>> table vdomains "/usr/local/etc/vdomains"
>>>>>>>> table vusers "/usr/local/etc/vusers"
>>>>>>>> accept from any for domain virtual deliver to mda
>>>>>>>> "/usr/lib/dovecot/dovecot-lda -f %{sender} -a %{rcpt}"
>>>>>>>> accept from local for any relay
>>>>>>>>
>>>>>>>> tcpdump of any traffic to psbl.surriel.org: (this seems useless as the
>>>>>>>> traffic is only dns and goes to the forwarders via my dnsmasq local
>>>>>>>> cache)
>>>>>>>> tcpdump -i any | grep '74.92.59.67'
>>>>>>>>
>>>>>>>> *nothing*
>>>>>>>>
>>>>>>>> the error with strace and running with smtpd -d -v -T filter:
>>>>>>>>
>>>>>>>> epoll_wait(3, debug: smtp: new client on listener: 0x79d0c0
>>>>>>>> smtp-in: New session 71768b23cba98cf7 from host
>>>>>>>> pro-mail-smtp-001.bol.com [185.14.168.222]
>>>>>>>> filter: post-event event=EVENT_CONNECT filter=dnsbl
>>>>>>>> filter: new query QUERY_CONNECT
>>>>>>>> filter: filter_drain_query
>>>>>>>> 71768b247df9084f[QUERY_CONNECT=178.21.114.197 <->
>>>>>>>> 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x795bc0[datalen=0,eom=(nil),ofile=(nil)]]
>>>>>>>> filter: running filter filter:dnsbl[hooks=0x,flags=0x] for
>>>>>>>> query 71768b247df9084f[QUERY_CONNECT=178.21.114.197 <->
>>>>>>>> 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x795bc0[datalen=0,eom=(nil),ofile=(nil)]]
>>>>>>>> filter: waiting for running query
>>>>>>>> 71768b247df9084f[QUERY_CONNECT=178.21.114.197 <->
>>>>>>>> 185.14.168.222(pro-mail-sm
Re: Some DNSBL questions and other spam filtering options in OpenSMTPD
oops, forgot to reply-all (and miss m...@opesmtpd.org), send again ->

> On 07 Apr 2016, at 11:30, Joerg Jung <m...@umaxx.net> wrote:
>
>> On 07 Apr 2016, at 10:17, Michiel van Es <m...@pragmasec.nl> wrote:
>>
>>> On 07 Apr 2016, at 10:02, Joerg Jung <m...@umaxx.net> wrote:
>>>
>>>> On 07 Apr 2016, at 08:47, Michiel van Es <m...@pragmasec.nl> wrote:
>>>>> On 07 Apr 2016, at 08:41, Joerg Jung <m...@umaxx.net> wrote:
>>>>>
>>>>>>> What asr version have you installed? Recent one?
>>>>>>>
>>>>>>> You can also do a tcpdump please, to see what
>>>>>>> exactly goes over the wire (and comes back)?
>>>>>>>
>>>>>>> Also please temporarily disable all other filters, to
>>>>>>> rule-out chain problems.
>>>>>>
>>>>>> I installed libasr, opensmtpd and OpenSMTPD-Extras from github to ensure
>>>>>> the latest version.
>>>>>>
>>>>>> I use the following config to only use dnsbl:
>>>>>>
>>>>>> filter dnsbl dnsbl "-h" "psbl.surriel.com"
>>>>>> filter filter-clamav clamav
>>>>>> filter all chain dnsbl
>>>>>> filter sub chain filter-clamav
>>>>>> pki server.pragmasec.nl key
>>>>>> "/etc/letsencrypt/archive/server.pragmasec.nl/privkey1.pem"
>>>>>> pki server.pragmasec.nl certificate
>>>>>> "/etc/letsencrypt/archive/server.pragmasec.nl/fullchain1.pem"
>>>>>> listen on lo
>>>>>> listen on ens3 port 25 filter all hostname server.pragmasec.nl tls pki
>>>>>> server.pragmasec.nl
>>>>>> listen on ens3 port 587 filter sub hostname server.pragmasec.nl
>>>>>> tls-require pki server.pragmasec.nl auth mask-source
>>>>>> expire 7d
>>>>>> table vdomains "/usr/local/etc/vdomains"
>>>>>> table vusers "/usr/local/etc/vusers"
>>>>>> accept from any for domain virtual deliver to mda
>>>>>> "/usr/lib/dovecot/dovecot-lda -f %{sender} -a %{rcpt}"
>>>>>> accept from local for any relay
>>>>>>
>>>>>> tcpdump of any traffic to psbl.surriel.org: (this seems useless as the
>>>>>> traffic is only dns and goes to the forwarders via my dnsmasq local
>>>>>> cache)
>>>>>> tcpdump -i any | grep '74.92.59.67'
>>>>>>
>>>>>> *nothing*
>>>>>>
>>>>>> the error with strace and running with smtpd -d -v -T filter:
>>>>>>
>>>>>> epoll_wait(3, debug: smtp: new client on listener: 0x79d0c0
>>>>>> smtp-in: New session 71768b23cba98cf7 from host
>>>>>> pro-mail-smtp-001.bol.com [185.14.168.222]
>>>>>> filter: post-event event=EVENT_CONNECT filter=dnsbl
>>>>>> filter: new query QUERY_CONNECT
>>>>>> filter: filter_drain_query 71768b247df9084f[QUERY_CONNECT=178.21.114.197
>>>>>> <->
>>>>>> 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x795bc0[datalen=0,eom=(nil),ofile=(nil)]]
>>>>>> filter: running filter filter:dnsbl[hooks=0x,flags=0x] for
>>>>>> query 71768b247df9084f[QUERY_CONNECT=178.21.114.197 <->
>>>>>> 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x795bc0[datalen=0,eom=(nil),ofile=(nil)]]
>>>>>> filter: waiting for running query
>>>>>> 71768b247df9084f[QUERY_CONNECT=178.21.114.197 <->
>>>>>> 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x795bc0[datalen=0,eom=(nil),ofile=(nil)]]
>>>>>> dnsbl[22353]: debug: on_connect: checking
>>>>>> 222.168.14.185.psbl.surriel.com.
>>>>>> dnsbl[22353]: warn: session 71768b23cba98cf7: event_dispatch: REJECT
>>>>>> address
>>>>>> filter: imsg IMSG_FILTER_RESPONSE from procfilter
>>>>>> dnsbl[hooks=0x,flags=0x]
>>>>>> filter: filter_drain_query 71768b247df9084f[QUERY_CONNECT=178.21.114.197
>>>>>> <->
>>>>>> 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x795bc0[datalen=0,eom=(nil),ofile=(nil)]]
>>>>>> filter: f
Re: Some DNSBL questions and other spam filtering options in OpenSMTPD
> On 07 Apr 2016, at 08:41, Joerg Jung <m...@umaxx.net> wrote:
>
>> On 07 Apr 2016, at 07:54, Michiel van Es <m...@pragmasec.nl> wrote:
>>> On 07 Apr 2016, at 01:19, Joerg Jung <m...@umaxx.net> wrote:
>>>
>>> Nope, but you can try adding some more debug
>>> logs in the filter source.
>
> I fear we need to take this route now, I hope you are ready ;)

hehe I am :) If you give me some pointers ;)

>>> What asr version have you installed? Recent one?
>>>
>>> You can also do a tcpdump please, to see what
>>> exactly goes over the wire (and comes back)?
>>>
>>> Also please temporarily disable all other filters, to
>>> rule-out chain problems.
>>
>> I installed libasr, opensmtpd and OpenSMTPD-Extras from github to ensure the
>> latest version.
>>
>> I use the following config to only use dnsbl:
>>
>> filter dnsbl dnsbl "-h" "psbl.surriel.com"
>> filter filter-clamav clamav
>> filter all chain dnsbl
>> filter sub chain filter-clamav
>> pki server.pragmasec.nl key "/etc/letsencrypt/archive/server.pragmasec.nl/privkey1.pem"
>> pki server.pragmasec.nl certificate "/etc/letsencrypt/archive/server.pragmasec.nl/fullchain1.pem"
>> listen on lo
>> listen on ens3 port 25 filter all hostname server.pragmasec.nl tls pki server.pragmasec.nl
>> listen on ens3 port 587 filter sub hostname server.pragmasec.nl tls-require pki server.pragmasec.nl auth mask-source
>> expire 7d
>> table vdomains "/usr/local/etc/vdomains"
>> table vusers "/usr/local/etc/vusers"
>> accept from any for domain virtual deliver to mda "/usr/lib/dovecot/dovecot-lda -f %{sender} -a %{rcpt}"
>> accept from local for any relay
>>
>> tcpdump of any traffic to psbl.surriel.org: (this seems useless as the
>> traffic is only dns and goes to the forwarders via my dnsmasq local cache)
>> tcpdump -i any | grep '74.92.59.67'
>>
>> *nothing*
>>
>> the error with strace and running with smtpd -d -v -T filter:
>>
>> epoll_wait(3, debug: smtp: new client on listener: 0x79d0c0
>> smtp-in: New session 71768b23cba98cf7 from host pro-mail-smtp-001.bol.com [185.14.168.222]
>> filter: post-event event=EVENT_CONNECT filter=dnsbl
>> filter: new query QUERY_CONNECT
>> filter: filter_drain_query 71768b247df9084f[QUERY_CONNECT=178.21.114.197 <-> 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x795bc0[datalen=0,eom=(nil),ofile=(nil)]]
>> filter: running filter filter:dnsbl[hooks=0x,flags=0x] for query 71768b247df9084f[QUERY_CONNECT=178.21.114.197 <-> 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x795bc0[datalen=0,eom=(nil),ofile=(nil)]]
>> filter: waiting for running query 71768b247df9084f[QUERY_CONNECT=178.21.114.197 <-> 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x795bc0[datalen=0,eom=(nil),ofile=(nil)]]
>> dnsbl[22353]: debug: on_connect: checking 222.168.14.185.psbl.surriel.com.
>> dnsbl[22353]: warn: session 71768b23cba98cf7: event_dispatch: REJECT address
>> filter: imsg IMSG_FILTER_RESPONSE from procfilter dnsbl[hooks=0x,flags=0x]
>> filter: filter_drain_query 71768b247df9084f[QUERY_CONNECT=178.21.114.197 <-> 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x795bc0[datalen=0,eom=(nil),ofile=(nil)]]
>> filter: filter_end_query 71768b247df9084f[QUERY_CONNECT=178.21.114.197 <-> 185.14.168.222(pro-mail-smtp-001.bol.com),filter_session@0x795bc0[datalen=0,eom=(nil),ofile=(nil)]]
>> filter: query 71768b247df9084f done: status=FILTER_CLOSE code=554 response="5.7.1 Address in DNSBL"
>> smtp-in: Failed command on session 71768b23cba98cf7: "" => 554 5.7.1 Address in DNSBL
>> smtp-in: Closing session 71768b23cba98cf7
>> debug: smtp: 0x859c80: deleting session: done
>> filter: post-event event=EVENT_DISCONNECT filter=dnsbl
>>
>> dnsmasq logging:
>>
>> Apr 7 07:48:41 server dnsmasq[6018]: query[A] 222.168.14.185.psbl.surriel.com from 127.0.0.1
>> Apr 7 07:48:41 server dnsmasq[6018]: forwarded 222.168.14.185.psbl.surriel.com to 95.85.9.86
>> Apr 7 07:48:41 server dnsmasq[6018]: reply 222.168.14.185.psbl.surriel.com is NXDOMAIN
>>
>> any more pointers what could go wrong?
>
> To me, this really looks like a bug/problem in libasr now (Ubuntu specific).

The libasr is from github (I tried 14.04 and 16.04) but can try
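The trace in the message above shows the filter rejecting a peer while dnsmasq logged NXDOMAIN for the very name the filter checked. The following Python sketch is an added example, not code from the thread or from OpenSMTPD-Extras: it builds the DNSBL query name, classifies a resolver answer under the usual DNSBL convention, and cross-checks filter log lines against dnsmasq reply lines to flag rejects the resolver does not support. The function names are hypothetical, and the log excerpts combine lines quoted in the thread with constructed ones (marked in the comments).

```python
import ipaddress
import re

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_query_name(ip, zone):
    """Build the name a DNSBL client looks up: reversed IPv4 octets + zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        # Per the thread, filter-dnsbl performs no lookup for IPv6 peers.
        raise ValueError("IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone.strip(".")

def classify_answer(rcode, a_records=()):
    """Usual DNSBL convention: NXDOMAIN = not listed, A in 127.0.0.0/8 = listed.
    Anything else (SERVFAIL, timeout, unexpected address) is an error,
    which a filter should not treat as a listing."""
    if rcode == "NXDOMAIN":
        return "not-listed"
    if rcode == "NOERROR" and a_records:
        if all(ipaddress.ip_address(a) in LOOPBACK for a in a_records):
            return "listed"
    return "error"

FILTER_PID = re.compile(r"^(\S+\[\d+\]): ")
CHECKING = re.compile(r"on_connect: checking (\S+?)\.?$")
REJECT = re.compile(r"warn: session ([0-9a-f]+): event_dispatch: REJECT address")
DNSMASQ_REPLY = re.compile(r"dnsmasq\[\d+\]: reply (\S+) is (\S+)")

def resolver_verdicts(resolver_lines):
    """Map each name dnsmasq answered to listed / not-listed / error."""
    verdicts = {}
    for line in resolver_lines:
        m = DNSMASQ_REPLY.search(line)
        if not m:
            continue
        name, value = m.group(1).rstrip("."), m.group(2)
        try:
            rcode = "NXDOMAIN" if value == "NXDOMAIN" else "NOERROR"
            verdicts[name] = classify_answer(rcode, [] if rcode == "NXDOMAIN" else [value])
        except ValueError:  # e.g. a CNAME or NODATA marker instead of an address
            verdicts[name] = "error"
    return verdicts

def find_contradictions(filter_lines, resolver_lines):
    """Return (session, query name, resolver verdict) for every filter REJECT
    whose lookup the resolver did not answer with a listing."""
    verdicts = resolver_verdicts(resolver_lines)
    last_checked = {}  # filter process -> name it most recently checked
    findings = []
    for raw in filter_lines:
        line = raw.rstrip()
        pid = FILTER_PID.match(line)
        if not pid:
            continue
        checked = CHECKING.search(line)
        if checked:
            last_checked[pid.group(1)] = checked.group(1)
            continue
        rejected = REJECT.search(line)
        if rejected and pid.group(1) in last_checked:
            name = last_checked.pop(pid.group(1))
            verdict = verdicts.get(name, "unknown")
            if verdict != "listed":
                findings.append((rejected.group(1), name, verdict))
    return findings

# First three lines are from the thread; the last two are constructed and use
# 127.0.0.2, the conventional DNSBL test entry, as a peer that really is listed.
FILTER_LOG = """\
smtp-in: New session 71768b23cba98cf7 from host pro-mail-smtp-001.bol.com [185.14.168.222]
dnsbl[22353]: debug: on_connect: checking 222.168.14.185.psbl.surriel.com.
dnsbl[22353]: warn: session 71768b23cba98cf7: event_dispatch: REJECT address
dnsbl[22353]: debug: on_connect: checking 2.0.0.127.psbl.surriel.com.
dnsbl[22353]: warn: session 00000000000000aa: event_dispatch: REJECT address
""".splitlines()

# First line is from the thread; the second is constructed.
RESOLVER_LOG = """\
Apr 7 07:48:41 server dnsmasq[6018]: reply 222.168.14.185.psbl.surriel.com is NXDOMAIN
Apr 7 07:49:02 server dnsmasq[6018]: reply 2.0.0.127.psbl.surriel.com is 127.0.0.2
""".splitlines()

if __name__ == "__main__":
    for session, name, verdict in find_contradictions(FILTER_LOG, RESOLVER_LOG):
        print(f"session {session}: rejected, but resolver says {verdict} for {name}")
```

A non-empty result points at the filter or its resolver library rather than at the blocklist, which is the direction Joerg takes in his reply.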
Re: Some DNSBL questions and other spam filtering options in OpenSMTPD
> On 06 Apr 2016, at 16:58, Michiel van Es <m...@pragmasec.nl> wrote:
>
>> On 06 Apr 2016, at 13:52, Michiel van Es <m...@pragmasec.nl> wrote:
>>
>>> On 06 Apr 2016, at 13:38, Joerg Jung <m...@umaxx.net> wrote:
>>>
>>>> On 06.04.2016 at 13:08, Michiel van Es <m...@pragmasec.nl> wrote:
>>>>
>>>> Hello,
>>>>
>>>> I also posted this as an issue to the OpenSMTPD github repo but somebody
>>>> told me that the mailing list would be more accurate to post this question
>>>> to (I will remove the github issue if preferred).
>>>>
>>>> it seems whenever I use filter-dnsbl with several hostnames, the lookups
>>>> always fail.
>>>> I tried using ipv6 lookups (although this is something opensmtpd does
>>>> right?) and have the latest version of the master branch of
>>>> OpenSMTPD-Extras (where this ipv4/ipv6 problem was solved with an earlier
>>>> similar issue?).
>>>
>>> All v6 addresses are just accepted by filter-dnsbl.
>>> There is no lookup happening for v6 addresses
>>> (just not implemented).
>>
>> ok, then I won’t use IPv6 for now :)
>>
>>>> The error I get is:
>>>> smtp-in: New session 81cf3e1a4d9ef916 from host pro-mail-smtp-001.bol.com [185.14.168.222]
>>>> filter-pause[1337]: debug: on_connect: sleeping 5
>>>> filter-dnsbl-spamhaus[1336]: debug: on_connect: checking 222.168.14.185.zen.spamhaus.org.
>>>> filter-dnsbl-spamhaus[1336]: warn: session 81cf3e1a4d9ef916: event_dispatch: REJECT address
>>>> smtp-in: Failed command on session 81cf3e1a4d9ef916: "" => 554 5.7.1 Address in DNSBL
>>>> smtp-in: Closing session 81cf3e1a4d9ef916
>>>> debug: smtp: 0x24460a0: deleting session: done
>>>
>>> This looks legit.
>>> Have you tried to lookup/verify the IP manually
>>> at the time this happened, was it listed?
>>
>> No and I know this ip (it's the MX for my company and they/we do checks via
>> Nagios on most DNSBL’s)
>> A lookup shows:
>>
>> 185.14.168.222 is not listed in the SBL
>> 185.14.168.222 is not listed in the PBL
>> 185.14.168.222 is not listed in the XBL
>>
>> or PTR
>>
>> 222.168.14.185.zen.spamhaus.org is not listed in the DBL
>>
>> I tried this config with the Google DNS servers and using a caching
>> localhost dns (with forwarders to OpenNIC servers) - no difference
>
> Also tried with some more debugging and now tried the default SORBS dnsbl,
> the result (with strace and smtpctl trace all):
>
> r_session@0x1fc28a0[datalen=0,eom=(nil),ofile=(nil)]]
> mproc: pony -> filter-proc : 100 IMSG_CTL_FAIL
> filter: waiting for running query 511e5d1fe40dcd9c[QUERY_CONNECT=178.21.114.197 <-> 185.14.169.222(pro-mail-smtp-002.bol.com),filter_session@0x1fc28a0[datalen=0,eom=(nil),ofile=(nil)]]
> filter-pause[9835]: debug: on_connect: sleeping 5
> filter: imsg IMSG_FILTER_RESPONSE from procfilter filter-pause[hooks=0x,flags=0x]
> filter: filter_drain_query 511e5d1fe40dcd9c[QUERY_CONNECT=178.21.114.197 <-> 185.14.169.222(pro-mail-smtp-002.bol.com),filter_session@0x1fc28a0[datalen=0,eom=(nil),ofile=(nil)]]
> filter: running filter filter:filter-regex[hooks=0x,flags=0x] for query 511e5d1fe40dcd9c[QUERY_CONNECT=178.21.114.197 <-> 185.14.169.222(pro-mail-smtp-002.bol.com),filter_session@0x1fc28a0[datalen=0,eom=(nil),ofile=(nil)]]
> mproc: pony -> filter-proc : 100 IMSG_CTL_FAIL
> filter: waiting for running query 511e5d1fe40dcd9c[QUERY_CONNECT=178.21.114.197 <-> 185.14.169.222(pro-mail-smtp-002.bol.com),filter_session@0x1fc28a0[datalen=0,eom=(nil),ofile=(nil)]]
> filter: imsg IMSG_FILTER_RESPONSE from procfilter filter-regex[hooks=0x,flags=0x]
> filter: filter_drain_query 511e5d1fe40dcd9c[QUERY_CONNECT=178.21.114.197 <-> 185.14.169.222(pro-mail-smtp-002.bol.com),filter_session@0x1fc28a0[datalen=0,eom=(nil),ofile=(nil)]]
> filter: running filter filter:filter-dnsbl-sorbs[hooks=0x,flags=0x] for query 511e5d1fe40dcd9c[QUERY_CONNECT=178.21.114.197 <-> 185.14.169.222(pro-mail-smtp-002.bol.com),filter_session@0x1fc28a0[datalen=0,eom=(nil),ofile=(nil)]]
> mproc: pony -> filter-proc : 100 IMSG_CTL_FAIL
> filter: waiting for running query 511e5d1fe40dcd9c[QUERY_CONNECT=178.21.114.197 <-> 185.14.169.222(pro-mail-smtp-002.bol.com),filter_session@0x1fc28a0[datalen=0,eom=(nil
Re: Some DNSBL questions and other spam filtering options in OpenSMTPD
> On 06 Apr 2016, at 13:52, Michiel van Es <m...@pragmasec.nl> wrote:
>
>> On 06 Apr 2016, at 13:38, Joerg Jung <m...@umaxx.net> wrote:
>>
>>> On 06.04.2016 at 13:08, Michiel van Es <m...@pragmasec.nl> wrote:
>>>
>>> Hello,
>>>
>>> I also posted this as an issue to the OpenSMTPD github repo but somebody
>>> told me that the mailing list would be more accurate to post this question
>>> to (I will remove the github issue if preferred).
>>>
>>> it seems whenever I use filter-dnsbl with several hostnames, the lookups
>>> always fail.
>>> I tried using ipv6 lookups (although this is something opensmtpd does
>>> right?) and have the latest version of the master branch of
>>> OpenSMTPD-Extras (where this ipv4/ipv6 problem was solved with an earlier
>>> similar issue?).
>>
>> All v6 addresses are just accepted by filter-dnsbl.
>> There is no lookup happening for v6 addresses
>> (just not implemented).
>
> ok, then I won’t use IPv6 for now :)
>
>>> The error I get is:
>>> smtp-in: New session 81cf3e1a4d9ef916 from host pro-mail-smtp-001.bol.com [185.14.168.222]
>>> filter-pause[1337]: debug: on_connect: sleeping 5
>>> filter-dnsbl-spamhaus[1336]: debug: on_connect: checking 222.168.14.185.zen.spamhaus.org.
>>> filter-dnsbl-spamhaus[1336]: warn: session 81cf3e1a4d9ef916: event_dispatch: REJECT address
>>> smtp-in: Failed command on session 81cf3e1a4d9ef916: "" => 554 5.7.1 Address in DNSBL
>>> smtp-in: Closing session 81cf3e1a4d9ef916
>>> debug: smtp: 0x24460a0: deleting session: done
>>
>> This looks legit.
>> Have you tried to lookup/verify the IP manually
>> at the time this happened, was it listed?
>
> No and I know this ip (it's the MX for my company and they/we do checks via
> Nagios on most DNSBL’s)
> A lookup shows:
>
> 185.14.168.222 is not listed in the SBL
> 185.14.168.222 is not listed in the PBL
> 185.14.168.222 is not listed in the XBL
>
> or PTR
>
> 222.168.14.185.zen.spamhaus.org is not listed in the DBL
>
> I tried this config with the Google DNS servers and using a caching localhost
> dns (with forwarders to OpenNIC servers) - no difference

Also tried with some more debugging and now tried the default SORBS dnsbl, the result (with strace and smtpctl trace all):

    r_session@0x1fc28a0[datalen=0,eom=(nil),ofile=(nil)]]
    mproc: pony -> filter-proc : 100 IMSG_CTL_FAIL
    filter: waiting for running query 511e5d1fe40dcd9c[QUERY_CONNECT=178.21.114.197 <-> 185.14.169.222(pro-mail-smtp-002.bol.com),filter_session@0x1fc28a0[datalen=0,eom=(nil),ofile=(nil)]]
    filter-pause[9835]: debug: on_connect: sleeping 5
    filter: imsg IMSG_FILTER_RESPONSE from procfilter filter-pause[hooks=0x,flags=0x]
    filter: filter_drain_query 511e5d1fe40dcd9c[QUERY_CONNECT=178.21.114.197 <-> 185.14.169.222(pro-mail-smtp-002.bol.com),filter_session@0x1fc28a0[datalen=0,eom=(nil),ofile=(nil)]]
    filter: running filter filter:filter-regex[hooks=0x,flags=0x] for query 511e5d1fe40dcd9c[QUERY_CONNECT=178.21.114.197 <-> 185.14.169.222(pro-mail-smtp-002.bol.com),filter_session@0x1fc28a0[datalen=0,eom=(nil),ofile=(nil)]]
    mproc: pony -> filter-proc : 100 IMSG_CTL_FAIL
    filter: waiting for running query 511e5d1fe40dcd9c[QUERY_CONNECT=178.21.114.197 <-> 185.14.169.222(pro-mail-smtp-002.bol.com),filter_session@0x1fc28a0[datalen=0,eom=(nil),ofile=(nil)]]
    filter: imsg IMSG_FILTER_RESPONSE from procfilter filter-regex[hooks=0x,flags=0x]
    filter: filter_drain_query 511e5d1fe40dcd9c[QUERY_CONNECT=178.21.114.197 <-> 185.14.169.222(pro-mail-smtp-002.bol.com),filter_session@0x1fc28a0[datalen=0,eom=(nil),ofile=(nil)]]
    filter: running filter filter:filter-dnsbl-sorbs[hooks=0x,flags=0x] for query 511e5d1fe40dcd9c[QUERY_CONNECT=178.21.114.197 <-> 185.14.169.222(pro-mail-smtp-002.bol.com),filter_session@0x1fc28a0[datalen=0,eom=(nil),ofile=(nil)]]
    mproc: pony -> filter-proc : 100 IMSG_CTL_FAIL
    filter: waiting for running query 511e5d1fe40dcd9c[QUERY_CONNECT=178.21.114.197 <-> 185.14.169.222(pro-mail-smtp-002.bol.com),filter_session@0x1fc28a0[datalen=0,eom=(nil),ofile=(nil)]]
    filter-dnsbl-sorbs[9834]: debug: on_connect: checking 222.169.14.185.dnsbl.sorbs.net.
    filter-dnsbl-sorbs[9834]: warn: session 511e5d1ea5ee10d1: event_dispatch: REJECT address
    filter: imsg IMSG_FILTER_RESPONSE from procfilter filter-dnsbl-sorbs[hooks=0x,flags=0x]
    filter: filter_drain_query 511e5d1fe40dcd9c[QUERY_CONNECT=178.21.114.197 <-> 185.14.169.222(pro-mail-smtp-002.bol.com),filter_session@0x1fc28a0[datalen=0,eom=(nil),ofile=(nil)]]
    filter: filter_end
Re: Some DNSBL questions and other spam filtering options in OpenSMTPD
> On 06 Apr 2016, at 13:38, Joerg Jung <m...@umaxx.net> wrote:
>
>> On 06.04.2016 at 13:08, Michiel van Es <m...@pragmasec.nl> wrote:
>>
>> Hello,
>>
>> I also posted this as an issue to the OpenSMTPD github repo but somebody
>> told me that the mailing list would be more accurate to post this question to
>> (I will remove the github issue if preferred).
>>
>> it seems whenever I use filter-dnsbl with several hostnames, the lookups
>> always fail.
>> I tried using ipv6 lookups (although this is something opensmtpd does
>> right?) and have the latest version of the master branch of OpenSMTPD-Extras
>> (where this ipv4/ipv6 problem was solved with an earlier similar issue?).
>
> All v6 addresses are just accepted by filter-dnsbl.
> There is no lookup happening for v6 addresses
> (just not implemented).

ok, then I won’t use IPv6 for now :)

>> The error I get is:
>> smtp-in: New session 81cf3e1a4d9ef916 from host pro-mail-smtp-001.bol.com [185.14.168.222]
>> filter-pause[1337]: debug: on_connect: sleeping 5
>> filter-dnsbl-spamhaus[1336]: debug: on_connect: checking 222.168.14.185.zen.spamhaus.org.
>> filter-dnsbl-spamhaus[1336]: warn: session 81cf3e1a4d9ef916: event_dispatch: REJECT address
>> smtp-in: Failed command on session 81cf3e1a4d9ef916: "" => 554 5.7.1 Address in DNSBL
>> smtp-in: Closing session 81cf3e1a4d9ef916
>> debug: smtp: 0x24460a0: deleting session: done
>
> This looks legit.
> Have you tried to lookup/verify the IP manually
> at the time this happened, was it listed?

No and I know this ip (it's the MX for my company and they/we do checks via Nagios on most DNSBL’s)
A lookup shows:

    185.14.168.222 is not listed in the SBL
    185.14.168.222 is not listed in the PBL
    185.14.168.222 is not listed in the XBL

or PTR

    222.168.14.185.zen.spamhaus.org is not listed in the DBL

I tried this config with the Google DNS servers and using a caching localhost dns (with forwarders to OpenNIC servers) - no difference

>> My (snippet of relevant) config is:
>>
>> # filters
>> filter filter-pause pause
>> filter filter-regex regex
>> #filter filter-dnsbl-sorbs dnsbl
>> #filter filter-dnsbl-surriel dnsbl "-dv" "-h psbl.surriel.com"
>> #filter filter-dnsbl-spamhaus dnsbl "-h" "zen.spamhaus.org"
>> filter filter-spamassassin spamassassin "-s accept"
>> filter filter-clamav clamav
>> #filter all chain filter-pause filter-regex filter-dnsbl-surriel filter-dnsbl-spamhaus filter-spamassassin filter-clamav
>> filter all chain filter-pause filter-regex filter-spamassassin filter-clamav
>> #filter all chain filter-pause filter-regex filter-dnsbl-spamhaus filter-spamassassin filter-clamav
>> filter sub chain filter-pause filter-spamassassin filter-clamav
>> # pki/ssl/certs
>> pki server.pragmasec.nl key "/etc/letsencrypt/archive/server.pragmasec.nl/privkey1.pem"
>> pki server.pragmasec.nl certificate "/etc/letsencrypt/archive/server.pragmasec.nl/fullchain1.pem"
>> # listen
>> listen on lo
>> listen on eth0 port 25 filter all hostname server.pragmasec.nl tls pki server.pragmasec.nl
>> listen on eth0 port 587 filter sub hostname server.pragmasec.nl tls-require pki server.pragmasec.nl auth mask-source
>> # queue expiry
>> expire 7d
>> # virtual domains and users
>> table vdomains "/usr/local/etc/vdomains"
>> table vusers "/usr/local/etc/vusers"
>> # our accepted relays
>> accept from any for domain virtual deliver to mda "/usr/lib/dovecot/dovecot-lda -f %{sender} -a %{rcpt}"
>> accept from local for any relay
>>
>> Using Ubuntu 14.04.3 LTS with git branch of opensmtpd (OpenSMTPD 5.9.1p1)
>>
>> What can I do to troubleshoot or further investigate this?
>
> Validate manually with a listed and non-listed IP.
> Try to rule-out local resolving problems.

It seems everything is listed through the filter rule..even using Gmail or other big mail servers.

>> Are there any other spam filters that I can use or might be handy to follow
>> RFCs? for example I do use some HELO checks but I think there might be more
>> than the ones I have:
>>
>> # reject helo with leading or trailing dot, and without dots (non-FQDN)
>> # skipping address literals
>> helo ! ^\[
>> helo ^\.
>> helo \.$
>> helo ^[^\.]*$
>
> In general OpenSMTPD is RFC conform.
> This helo check is just an additional hard restriction.
>
> There are other restrictions possible like enforcing
> line lengths or forcing valid reverse lookups, but
> these might not help but likely break legit mails.

Hmm then I keep it as is, thanks for the feedback!

>> Michiel
>> --
>> You received this mail because you are subscribed to misc@opensmtpd.org
>> To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
Some DNSBL questions and other spam filtering options in OpenSMTPD
Hello,

I also posted this as an issue to the OpenSMTPD github repo but somebody told me that the mailing list would be more accurate to post this question to (I will remove the github issue if preferred).

it seems whenever I use filter-dnsbl with several hostnames, the lookups always fail.
I tried using ipv6 lookups (although this is something opensmtpd does right?) and have the latest version of the master branch of OpenSMTPD-Extras (where this ipv4/ipv6 problem was solved with an earlier similar issue?).

The error I get is:

    smtp-in: New session 81cf3e1a4d9ef916 from host pro-mail-smtp-001.bol.com [185.14.168.222]
    filter-pause[1337]: debug: on_connect: sleeping 5
    filter-dnsbl-spamhaus[1336]: debug: on_connect: checking 222.168.14.185.zen.spamhaus.org.
    filter-dnsbl-spamhaus[1336]: warn: session 81cf3e1a4d9ef916: event_dispatch: REJECT address
    smtp-in: Failed command on session 81cf3e1a4d9ef916: "" => 554 5.7.1 Address in DNSBL
    smtp-in: Closing session 81cf3e1a4d9ef916
    debug: smtp: 0x24460a0: deleting session: done

My (snippet of relevant) config is:

    # filters
    filter filter-pause pause
    filter filter-regex regex
    #filter filter-dnsbl-sorbs dnsbl
    #filter filter-dnsbl-surriel dnsbl "-dv" "-h psbl.surriel.com"
    #filter filter-dnsbl-spamhaus dnsbl "-h" "zen.spamhaus.org"
    filter filter-spamassassin spamassassin "-s accept"
    filter filter-clamav clamav
    #filter all chain filter-pause filter-regex filter-dnsbl-surriel filter-dnsbl-spamhaus filter-spamassassin filter-clamav
    filter all chain filter-pause filter-regex filter-spamassassin filter-clamav
    #filter all chain filter-pause filter-regex filter-dnsbl-spamhaus filter-spamassassin filter-clamav
    filter sub chain filter-pause filter-spamassassin filter-clamav
    # pki/ssl/certs
    pki server.pragmasec.nl key "/etc/letsencrypt/archive/server.pragmasec.nl/privkey1.pem"
    pki server.pragmasec.nl certificate "/etc/letsencrypt/archive/server.pragmasec.nl/fullchain1.pem"
    # listen
    listen on lo
    listen on eth0 port 25 filter all hostname server.pragmasec.nl tls pki server.pragmasec.nl
    listen on eth0 port 587 filter sub hostname server.pragmasec.nl tls-require pki server.pragmasec.nl auth mask-source
    # queue expiry
    expire 7d
    # virtual domains and users
    table vdomains "/usr/local/etc/vdomains"
    table vusers "/usr/local/etc/vusers"
    # our accepted relays
    accept from any for domain virtual deliver to mda "/usr/lib/dovecot/dovecot-lda -f %{sender} -a %{rcpt}"
    accept from local for any relay

Using Ubuntu 14.04.3 LTS with git branch of opensmtpd (OpenSMTPD 5.9.1p1)

What can I do to troubleshoot or further investigate this?

Are there any other spam filters that I can use or might be handy to follow RFCs? for example I do use some HELO checks but I think there might be more than the ones I have:

    # reject helo with leading or trailing dot, and without dots (non-FQDN)
    # skipping address literals
    helo ! ^\[
    helo ^\.
    helo \.$
    helo ^[^\.]*$

Michiel
Re: Filtering spam with spamassassin
On 01/10/2014 06:37 PM, Martin Kropfinger wrote:
> Hi there!

Hi!

> I have my OpenSMTPd running and use deliver to lmtp to use dovecot's lmtp for putting the mails into the maildir. Now I'd like to add some spam-filtering-ability. I thought about using spamassassin, but could not find any documentation for this combination. Is it possible to use spamassassin in conjunction with OpenSMTPd and dovecot without the use of Amavis?

There are multiple ways:
One simple and flexible way is to use the MDA procmail and forward all mail for every user or per user to procmail and call spamassassin/clamav from the procmail config.
I also created something using clamsmtpd and clam without using procmail, see this thread:
https://www.mail-archive.com/misc@opensmtpd.org/msg00420.html

> Thank you!
> Martin

Michiel
Re: Opensmtpd official Fedora/RHEL packages
On 01/05/2014 11:16 AM, Denis Fateyev wrote:
> Hello everyone,

Hi Denis,

> Glad to announce that the `opensmtpd` package is recently available in the official Fedora repository, and in EPEL repository for RedHat Enterprise Linux, as well.
> https://apps.fedoraproject.org/packages/opensmtpd
>
> All Fedora/RHEL users are encouraged to test packages and leave feedback.

I get an error with Postfix installed:

    Transaction Check Error:
      file /usr/share/man/man8/smtpd.8.gz from install of opensmtpd-5.4.1p1-1.el6.x86_64 conflicts with file from package postfix-2:2.6.6-2.2.el6_1.x86_64

Is this package installed with the pam auth package so I can use it for submission?

> ---
> wbr, Denis.

Cheers,

Michiel
Re: Opensmtpd official Fedora/RHEL packages
Hi Denis,

How do I force an install with yum?
I am only aware of the rpm commands like --nodeps etc but not the yum equivalent.

Regards,

Michiel

On 01/09/2014 02:44 PM, Denis Fateyev wrote:
> Thanks for the report, will be fixed soon. This man-file was missed from 'alternatives' indeed.
> Meanwhile you can do force install, or skip it during installation - non-critical since involves a single man-page only.
>
> As for pam, the package is built with pam support, and comes with a pam-file which complies system requirements. I haven't checked it with submission, so you can try and report.
>
> ---
> wbr, Denis.
>
> On Thu, Jan 9, 2014 at 6:40 PM, Michiel van Es m...@protegam.nl wrote:
>>> Glad to announce that the `opensmtpd` package is recently available in the official Fedora repository, and in EPEL repository for RedHat Enterprise Linux, as well.
>>> https://apps.fedoraproject.org/packages/opensmtpd
>>>
>>> All Fedora/RHEL users are encouraged to test packages and leave feedback.
>>
>> I get an error with Postfix installed:
>>
>> Transaction Check Error:
>>   file /usr/share/man/man8/smtpd.8.gz from install of opensmtpd-5.4.1p1-1.el6.x86_64 conflicts with file from package postfix-2:2.6.6-2.2.el6_1.x86_64
>>
>> Is this package installed with the pam auth package so I can use it for submission?
>>
>> Cheers,
>>
>> Michiel
Re: question about OpenSMTP and Clam
On Tue, October 22, 2013 3:41 pm, Gilles Chehade wrote:
> On Tue, Oct 22, 2013 at 01:53:55PM -, Michiel van Es wrote:
>> Hello,
>
> Ohai,
>
>> I am using OpenSMTPD 5.3.3p1 portable release on Ubuntu 64 bit.
>> I am trying to set up Clamav with OpenSMTPD following:
>> https://poolp.org/0x765d/OpenSMTPD:-LDAP-support-selectable-source--DKIM-and-Goodies
>> But I am stuck with my own setup.
>>
>> The setup is as follows:
>> [...]
>>
>> Now all mail is caught by the 'accept from any for domain vdomains virtual vusers deliver to mda procmail -f -' rule.
>
> Yup, since we perform first match, then if a mail comes for a domain part of your vdomains table, it will necessarily match that rule.
>
>> How can I ensure that all incoming and TLS+AUTH smtp sessions are setup via the proxy (smtp://127.0.0.1:10026 = ClamSMTP) ?
>
> Wouldn't the following do the job ?
>
> accept for local alias aliases deliver to mda procmail -f -
> accept tagged CLAM from any for domain vdomains virtual vusers deliver to mda procmail -f -
> accept tagged CLAM for any relay
> accept for any relay via smtp://127.0.0.1:10026

The config would be like this then right?

    listen on lo
    listen on eth0 tls certificate mail.pragmasec.nl auth-optional hostname mail.pragmasec.nl
    listen on eth0 port 587 tls certificate mail.pragmasec.nl auth hostname mail.pragmasec.nl
    expire 7d
    table vdomains /usr/local/etc/vdomains
    table vusers /usr/local/etc/users
    table aliases db:/usr/local/etc/aliases.db
    # the works
    listen on lo port 10025 tag CLAM
    accept for local alias aliases deliver to mda procmail -f -
    accept tagged CLAM from any for domain vdomains virtual vusers deliver to mda procmail -f -
    accept tagged CLAM for any relay
    accept for any relay via smtp://127.0.0.1:10026

I get the following message:

    debug: session_start_ssl: switching to SSL
    smtp-in: Started TLS on session ef04b129: version=TLSv1/SSLv3, cipher=AES128-SHA, bits=128
    smtp-in: Client certificate verification succeeded on session ef04b129
    smtp-in: Failed command on session ef04b129: RCPT TO:m...@pragmasec.nl = 550 Invalid recipient
    smtp-in: Closing session ef04b129
    debug: smtp: 0x1874310: deleting session: done

Somehow the vusers lookup goes wrong and my config is not working.
Do you know what I might be missing?

Regards,

Michiel

> --
> Gilles Chehade
> https://www.poolp.org @poolpOrg
Re: question about OpenSMTP and Clam
On Wed, October 23, 2013 7:47 am, Michiel van Es wrote:
> On Wed, October 23, 2013 7:42 am, Michiel van Es wrote:
>> On Tue, October 22, 2013 3:41 pm, Gilles Chehade wrote:
>>> On Tue, Oct 22, 2013 at 01:53:55PM -, Michiel van Es wrote:
>>>> Hello,
>>>
>>> Ohai,
>>>
>>>> I am using OpenSMTPD 5.3.3p1 portable release on Ubuntu 64 bit.
>>>> I am trying to set up Clamav with OpenSMTPD following:
>>>> https://poolp.org/0x765d/OpenSMTPD:-LDAP-support-selectable-source--DKIM-and-Goodies
>>>> But I am stuck with my own setup.
>>>>
>>>> The setup is as follows:
>>>> [...]
>>>>
>>>> Now all mail is caught by the 'accept from any for domain vdomains virtual vusers deliver to mda procmail -f -' rule.
>>>
>>> Yup, since we perform first match, then if a mail comes for a domain part of your vdomains table, it will necessarily match that rule.
>>>
>>>> How can I ensure that all incoming and TLS+AUTH smtp sessions are setup via the proxy (smtp://127.0.0.1:10026 = ClamSMTP) ?
>>>
>>> Wouldn't the following do the job ?
>>>
>>> accept for local alias aliases deliver to mda procmail -f -
>>> accept tagged CLAM from any for domain vdomains virtual vusers deliver to mda procmail -f -
>>> accept tagged CLAM for any relay
>>> accept for any relay via smtp://127.0.0.1:10026
>>
>> The config would be like this then right?
>>
>> listen on lo
>> listen on eth0 tls certificate mail.pragmasec.nl auth-optional hostname mail.pragmasec.nl
>> listen on eth0 port 587 tls certificate mail.pragmasec.nl auth hostname mail.pragmasec.nl
>> expire 7d
>> table vdomains /usr/local/etc/vdomains
>> table vusers /usr/local/etc/users
>> table aliases db:/usr/local/etc/aliases.db
>> # the works
>> listen on lo port 10025 tag CLAM
>> accept for local alias aliases deliver to mda procmail -f -
>> accept tagged CLAM from any for domain vdomains virtual vusers deliver to mda procmail -f -
>> accept tagged CLAM for any relay
>> accept for any relay via smtp://127.0.0.1:10026
>>
>> I get the following message:
>>
>> debug: session_start_ssl: switching to SSL
>> smtp-in: Started TLS on session ef04b129: version=TLSv1/SSLv3, cipher=AES128-SHA, bits=128
>> smtp-in: Client certificate verification succeeded on session ef04b129
>> smtp-in: Failed command on session ef04b129: RCPT TO:** = 550 Invalid recipient
>> smtp-in: Closing session ef04b129
>> debug: smtp: 0x1874310: deleting session: done

is it possible that clamsmtp (a clam proxy for smtp - mostly used by Postfix) is not working accepting the connection?
I see it should be possible with clamav when reading http://comments.gmane.org/gmane.mail.opensmtpd.general/279 but I am interested if this statement is really true and if so with which setup?
Clamav directly? Clamsmtp or clamav-milter or such?
Clamsmtp would be the most obvious as it uses an input and output address to pass all the mails through.
Any tips would be much appreciated :)

>> Somehow the vusers lookup goes wrong and my config is not working.
>> Do you know what I might be missing?
>>
>> Regards,
>>
>> Michiel
>>
>>> --
>>> Gilles Chehade
>>> https://www.poolp.org @poolpOrg
Re: question about OpenSMTP and Clam
On Wed, October 23, 2013 12:50 pm, Gilles Chehade wrote:
> On Wed, Oct 23, 2013 at 07:42:41AM -, Michiel van Es wrote:
>> The config would be like this then right?
>>
>> listen on lo
>> listen on eth0 tls certificate mail.pragmasec.nl auth-optional hostname mail.pragmasec.nl
>> listen on eth0 port 587 tls certificate mail.pragmasec.nl auth hostname mail.pragmasec.nl
>> expire 7d
>> table vdomains /usr/local/etc/vdomains
>> table vusers /usr/local/etc/users
>> table aliases db:/usr/local/etc/aliases.db
>> # the works
>> listen on lo port 10025 tag CLAM
>> accept for local alias aliases deliver to mda procmail -f -
>> accept tagged CLAM from any for domain vdomains virtual vusers deliver to mda procmail -f -
>> accept tagged CLAM for any relay
>> accept for any relay via smtp://127.0.0.1:10026
>
> If you're accepting mail from the outside, then the last should be:
>
> accept from any for any relay via smtp://127.0.0.1:10026

This makes a lot of sense! Doh!

>> I get the following message:
>>
>> debug: session_start_ssl: switching to SSL
>> smtp-in: Started TLS on session ef04b129: version=TLSv1/SSLv3, cipher=AES128-SHA, bits=128
>> smtp-in: Client certificate verification succeeded on session ef04b129
>> smtp-in: Failed command on session ef04b129: RCPT TO:m...@pragmasec.nl = 550 Invalid recipient
>> smtp-in: Closing session ef04b129
>> debug: smtp: 0x1874310: deleting session: done
>>
>> Somehow the vusers lookup goes wrong and my config is not working.
>> Do you know what I might be missing?
>
> Can you run 'smtpd -dv -T lookup -T expand -T rules' and provide output log as you reproduce the issue ?

It works with the proposed from any for any rule!
Thanks a lot!

Michiel

> --
> Gilles Chehade
> https://www.poolp.org @poolpOrg
Re: question about OpenSMTP and Clam
On Wed, October 23, 2013 12:56 pm, Gilles Chehade wrote:
> On Wed, Oct 23, 2013 at 12:17:06PM -, Michiel van Es wrote:
>> is it possible that clamsmtp (a clam proxy for smtp - mostly used by Postfix) is not working accepting the connection?
>> I see it should be possible with clamav when reading http://comments.gmane.org/gmane.mail.opensmtpd.general/279 but I am interested if this statement is really true and if so with which setup?
>
> Yup, Eric and I made the testing together so we know for sure it works.
>
>> Clamav directly? Clamsmtp or clamav-milter or such?
>> Clamsmtp would be the most obvious as it uses an input and output address to pass all the mails through.
>> Any tips would be much appreciated :)
>
> I'm not a Clamav user and we did the testing about over 6 months ago, so I can't recall the exact components that were used.
>
> Basically, there's a Clamav component that knows how to speak smtp and that will forward back the mail to a configured smtp server after analysis. We used that and it was as simple to setup as dkim-proxy, we used the exact same config.

I have it working.
For people who want to use this:

1) install clamsmtp - it is a clam smtp proxy which accepts incoming and then outgoing connections (putting a message back in the queue)
2) use something similar as setup - adjust to your own needs:

    table vdomains /usr/local/etc/vdomains
    table vusers /usr/local/etc/users
    listen on lo port 10025 tag CLAM
    accept tagged CLAM from any for domain vdomains virtual vusers deliver to mda procmail -f -
    accept tagged CLAM for any relay
    accept from any for any relay via smtp://127.0.0.1:10026

Works like a charm!
Thanks to Gilles! :)

Michiel

> --
> Gilles Chehade
> https://www.poolp.org @poolpOrg
Re: question about OpenSMTP and Clam
On Wed, October 23, 2013 1:48 pm, Gilles Chehade wrote:
> On Wed, Oct 23, 2013 at 01:40:40PM -, Michiel van Es wrote:
>> On Wed, October 23, 2013 1:12 pm, Gilles Chehade wrote:
>>> On Wed, Oct 23, 2013 at 01:03:32PM -, Michiel van Es wrote:
>>>> I have it working.
>>>> For people who want to use this:
>>>>
>>>> 1) install clamsmtp - it is a clam smtp proxy which accepts incoming and then outgoing connections (putting a message back in the queue)
>>>> 2) use something similar as setup - adjust to your own needs:
>>>>
>>>> table vdomains /usr/local/etc/vdomains
>>>> table vusers /usr/local/etc/users
>>>> listen on lo port 10025 tag CLAM
>>>> accept tagged CLAM from any for domain vdomains virtual vusers deliver to mda procmail -f -
>>>> accept tagged CLAM for any relay
>>>> accept from any for any relay via smtp://127.0.0.1:10026
>>>
>>> The above is working but as an open-relay, you will want to adjust the ruleset, something along the lines of:
>>>
>>> listen on lo port 10025 tag CLAM_IN
>>> listen on lo port 10027 tag CLAM_OUT
>>> accept tagged CLAM_IN for domain vdomains virtual vusers deliver to mda procmail -f -
>>> accept tagged CLAM_OUT for any relay
>>> accept from local for any relay via smtp://127.0.0.1:10026 # will reinject in CLAM_IN
>>> accept from any for any relay via smtp://127.0.0.1:10028 # will reinject in CLAM_OUT
>>>
>>> There may be better/other ways, that's just from the top of my head
>>
>> Hmm I see the open relay problem with my setup as default everything matches the relay option which is not a vuser/vdomain.
>> But I don't get the route any more :(
>>
>> OpenSMTPD listens on 10025 and 10027
>> clamsmtpd listens on 10026
>
> In the example above you'd have clamsmtpd listen on two different ports, one for scanning incoming mails and one for scanning outgoing mails.
>
> ie:
>
> internet - smtpd - clamsmtpd:10026 - smtpd:10025 (CLAM_IN)
> internal - smtpd - clamsmtpd:10028 - smtpd:10027 (CLAM_OUT)
>
> and so the relay rule would only match for internal connections whereas the mails coming from internet only match the accept rules for your local domains
>
>> So my config would look like this?
>>
>> listen on lo
>> listen on eth0 tls certificate mail.pragmasec.nl auth-optional hostname mail.pragmasec.nl
>> listen on eth0 port 587 tls certificate mail.pragmasec.nl auth hostname mail.pragmasec.nl
>> expire 7d
>> table vdomains /usr/local/etc/vdomains
>> table vusers /usr/local/etc/users
>> listen on lo port 10025 tag CLAM_IN
>> listen on lo port 10027 tag CLAM_OUT
>> accept tagged CLAM_IN for domain vdomains virtual vusers deliver to mda procmail -f -
>> accept tagged CLAM_OUT for any relay
>> accept from local for any relay via smtp://127.0.0.1:10026 # will reinject in CLAM_IN
>> accept from any for any relay via smtp://127.0.0.1:10028 # will reinject in CLAM_OUT
>>
>> It still is an open relay.
>> but I don't understand what it will do if does not match the above rules? it will go to CLAM OUT ? and opensmtpd rejects it? (I have to change 10028 to 10027 then).
>
> When no rule is matched, envelope is rejected.
>
> The best way to understand is to run with -T rules as it will display the rule that matched an envelope, this way you can test with local mails and mails from the public interface

I will test it with the -t rules option

>> Sorry for all the questions and thanks for all the help! :)
>
> NP, also I suspect you're not the only one willing to use ClamAV given how many times I received private mails on that topic ;-)

Hehe..well I hope I can contribute something (not an open relay :( ;) )

> --
> Gilles Chehade
> https://www.poolp.org @poolpOrg
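The open-relay question in this exchange comes down to first-match rule evaluation plus reinjection through clamsmtpd. The Python model below is an added example, not code from the thread or from OpenSMTPD: it walks an envelope through a ruleset and the proxy hops, so a ruleset can be checked for the open-relay case before it goes live. It assumes what the thread states (first match wins, no match means reject, and the port comments in the quoted ruleset) plus three assumptions of its own: an omitted `from` means local, a rule without `tagged` matches any tag, and mail reinjected by clamsmtpd arrives on loopback carrying that listener's tag. `TWO_PORT_SPLIT` is a hypothetical variant that follows the internet/internal flow Gilles describes, and `example.org` is a constructed stand-in for the vdomains table.

```python
from collections import namedtuple

# tag=None: the rule has no "tagged" clause and matches any envelope tag (assumption).
# source: "local" (assumed default when "from" is omitted) or "any".
# dest: "any" or "vdomains".  via: clamsmtpd port for "relay via", else None.
Rule = namedtuple("Rule", "tag source dest action via")
Envelope = namedtuple("Envelope", "local tag rcpt_domain")

VDOMAINS = {"example.org"}  # constructed stand-in for the vdomains table

def matches(rule, env):
    """True if this rule accepts the envelope."""
    if rule.tag is not None and rule.tag != env.tag:
        return False
    if rule.source == "local" and not env.local:
        return False
    return rule.dest == "any" or env.rcpt_domain in VDOMAINS

def route(rules, proxies, env, max_hops=4):
    """Follow an envelope through smtpd and the clamsmtpd hops.
    Returns (outcome, matched rule numbers); outcome is one of
    'deliver', 'relay', 'reject' (no rule matched) or 'loop'."""
    path = []
    for _ in range(max_hops):
        hit = next((i for i, r in enumerate(rules) if matches(r, env)), None)
        if hit is None:
            return "reject", path
        path.append(hit + 1)
        rule = rules[hit]
        if rule.via is None:
            return rule.action, path
        # clamsmtpd hands the mail back on loopback, tagged by that listener.
        env = Envelope(True, proxies[rule.via], env.rcpt_domain)
    return "loop", path

def is_open_relay(rules, proxies):
    """An outside client sending to an outside domain must not end in 'relay'."""
    outsider = Envelope(local=False, tag=None, rcpt_domain="elsewhere.example")
    return route(rules, proxies, outsider)[0] == "relay"

# Michiel's first working setup: one clamsmtpd on 10026, reinjecting as CLAM.
SINGLE_PROXY = [
    Rule("CLAM", "any", "vdomains", "deliver", None),
    Rule("CLAM", "local", "any", "relay", None),
    Rule(None, "any", "any", "relay", 10026),
]
SINGLE_PROXY_MAP = {10026: "CLAM"}

# The two-port ruleset exactly as quoted in the thread, ports per its comments.
TWO_PORT_AS_QUOTED = [
    Rule("CLAM_IN", "local", "vdomains", "deliver", None),
    Rule("CLAM_OUT", "local", "any", "relay", None),
    Rule(None, "local", "any", "relay", 10026),
    Rule(None, "any", "any", "relay", 10028),
]

# Hypothetical variant: outside mail may only reach clamsmtpd for our own domains.
TWO_PORT_SPLIT = [
    Rule("CLAM_IN", "local", "vdomains", "deliver", None),
    Rule("CLAM_OUT", "local", "any", "relay", None),
    Rule(None, "any", "vdomains", "relay", 10026),
    Rule(None, "local", "any", "relay", 10028),
]
TWO_PORT_MAP = {10026: "CLAM_IN", 10028: "CLAM_OUT"}

if __name__ == "__main__":
    for name, rules, proxies in [
        ("single proxy", SINGLE_PROXY, SINGLE_PROXY_MAP),
        ("two ports, as quoted", TWO_PORT_AS_QUOTED, TWO_PORT_MAP),
        ("two ports, split", TWO_PORT_SPLIT, TWO_PORT_MAP),
    ]:
        print(f"{name}: open relay = {is_open_relay(rules, proxies)}")
```

On a real server the same check is the one Gilles recommends: run smtpd with `-T rules` and send test mail from both a local and a public address to see which rule each envelope matches.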