Re: sieve sending vacation message from vm...@ns1.domain.tld

2016-10-13 Thread Bill Shirley

I use dovecot-lda for delivery where the parms are:
-d ${user}@${domain} -a {recipient} -f ${sender} -m ${extension}

Perhaps they may work for /usr/libexec/dovecot/deliver

[0:root@elmo webmaster]$ rpm -q dovecot
dovecot-2.2.22-1.fc22.x86_64

Bill

On 10/12/2016 10:56 AM, Wietse Venema wrote:

Matthew Broadhead:

[vacation messages sent by DOVECOT have vmail as the sender]


I read somewhere it might have something to do with a line in master.cf
dovecot   unix  -   n   n   -   -   pipe
  flags=DRhu user=vmail:mail argv=/usr/libexec/dovecot/deliver -d ${recipient}

Maybe a question for the Dovecot list? After all the message is sent
by DOVECOT.

Wietse




Re: how to proper use content_filter

2016-10-13 Thread Wietse Venema
Paweł Grzesik:
> I think I can do the same in Ruby using IO.popen like:
> 
>   IO.popen(["/usr/sbin/sendmail", "-G", "-i", my_str], "w") do |pipe|
> 
> as I see in this case I don't even need to use my_str with \" \".
> 
> But I'm still confused about -f option in master.cf, and characters "--"
> between ${sender} and ${recipient}.
> Why is that?

Specify 

popen(["/usr/sbin/sendmail", "-G", "-i", "-f", sender, "--", my_str], "w")

The -- is needed to close a different security hole.

If you don't know about these bugs that go back to 1996 and earlier,
then please don't write code that handles network data.

Wietse


Re: how to proper use content_filter

2016-10-13 Thread Paweł Grzesik
I think I can do the same in Ruby using IO.popen like:

  IO.popen(["/usr/sbin/sendmail", "-G", "-i", my_str], "w") do |pipe|

as I see in this case I don't even need to use my_str with \" \".

But I'm still confused about -f option in master.cf, and characters "--"
between ${sender} and ${recipient}.
Why is that?

Thanks,
Pawel

2016-10-13 21:24 GMT+01:00 Wietse Venema :

> Paweł Grzesik:
> > Good point. I changed it to:
> >
> > IO.popen("/usr/sbin/sendmail -G -i \"#{my_str}\"", "w") do |pipe|
> >
> > So now it should be secure (same as using $@ instead of $*).
> > Am I right? or I'm still missing something?
>
> Sorry, that is still a shell command line. You need an API that
> passes a vector of arguments, not a command line.
>
> Such as Python's
>
> os.popen(["/usr/sbin/sendmail", "-G", "-i", ...], "w").
>
> This bug is actually very old. An early publication is at
> https://www.cert.org/historical/advisories/CA-1996-06.cfm
>
> Wietse
>


Re: how to proper use content_filter

2016-10-13 Thread Wietse Venema
Paweł Grzesik:
> Good point. I changed it to:
> 
> IO.popen("/usr/sbin/sendmail -G -i \"#{my_str}\"", "w") do |pipe|
> 
> So now it should be secure (same as using $@ instead of $*).
> Am I right? or I'm still missing something?

Sorry, that is still a shell command line. You need an API that
passes a vector of arguments, not a command line.

Such as Python's

os.popen(["/usr/sbin/sendmail", "-G", "-i", ...], "w").

This bug is actually very old. An early publication is at 
https://www.cert.org/historical/advisories/CA-1996-06.cfm

Wietse


Re: how to proper use content_filter

2016-10-13 Thread Paweł Grzesik
Good point. I changed it to:

IO.popen("/usr/sbin/sendmail -G -i \"#{my_str}\"", "w") do |pipe|

So now it should be secure (same as using $@ instead of $*).
Am I right? or I'm still missing something?

Thanks,
Pawel

2016-10-13 11:50 GMT+01:00 Wietse Venema :

> Paweł Grzesik:
> > IO.popen("/usr/sbin/sendmail -G -i #{my_str}", "w") do |pipe|
>
> And there you have a giant security hole. What happens if an email
> address contains shell special characters? You specify flags=Rq in
> the pipe daemon command, but that quotes email addresses according
> to RFC822, not to make them resistant against shell command injection.
>
> (Note that the shell script example in FILTER_README does not
> have this issue because that does not re-parse its arguments).
>
> Wietse
>


Re: how to proper use content_filter

2016-10-13 Thread Wietse Venema
Paweł Grzesik:
> IO.popen("/usr/sbin/sendmail -G -i #{my_str}", "w") do |pipe|

And there you have a giant security hole. What happens if an email
address contains shell special characters? You specify flags=Rq in
the pipe daemon command, but that quotes email addresses according
to RFC822, not to make them resistant against shell command injection.

(Note that the shell script example in FILTER_README does not
have this issue because that does not re-parse its arguments).

Wietse


how to proper use content_filter

2016-10-13 Thread Paweł Grzesik
Hi All,

I'm trying to understand how content_filter works. According to the
documentation I can create a simple script and use content_filter to send
an e-mail to it.

That's my config of master.cf:

proxy     unix  -   n   n   -   10  pipe
   flags=Rq user=filter null_sender=
   argv=/usr/local/bin/proxy -f ${sender} ${recipient}

smtp  inet  n   -   n   -   -   smtpd
  -o content_filter=proxy:dummy

So that's exactly the same as an example from the doc.

And now, my script is:

IO.popen("/usr/sbin/sendmail -G -i #{my_str}", "w") do |pipe|
  pipe.puts @mail_content
  pipe.close_write
end

Where my_str is a string of all arguments (sender and recipients):

ARGV.each { |recipient| my_str.concat("#{recipient} ") }

which is basically:
"-f sender@mymail user1@mymail user2@mymail"

The point of using it that way is because I noticed that bcc e-mail is on
that list and in the same way it's not in the mail headers. So I'm sending
that list of all recipients to the sendmail so I can put an e-mail again to
the queue without changing anything (and not losing bcc).

It works fine but when I change it to the Golang and I did mostly the same:

func sendMail(recipients string, maildata []byte) int {
  cmd := exec.Command("/usr/sbin/sendmail", "-G", "-i", recipients)
  pipe, err := cmd.StdinPipe()

  if err != nil {
    log.Fatal(err)
  }

  if err = cmd.Start(); err != nil {
    log.Fatal(err)
  }

  fmt.Fprintf(pipe, "%s", maildata)
  err = pipe.Close()

  if err != nil {
    log.Fatal(err)
  }
  return 0
}

So exactly like in Ruby I'm executing sendmail:
  /usr/sbin/sendmail -G -i (recipients from postfix ARGS)

but that does not work, on the logs I have:
  warning: -f option specified malformed sender: ...
and
  fatal: Recipient addresses must be specified on the command line or via
the -t option

I'm not really sure why is that. Why it works in Ruby and not in Go? I'm
calling it in exactly the same way and I have the same output on the
console. How I should handle it?

Can someone give me some hint?

Thanks,
Pawel
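Added example (not code from any of the posts above): a Ruby filter re-injection that follows the advice in the replies, passing sendmail one array element per argument, with `-f` separate from the sender and `--` before the recipients. The function names and the sample addresses are constructed for illustration. The same rule bears on the Go version, where exec.Command hands the whole `recipients` string to sendmail as a single argument.

```ruby
require "rbconfig"

SENDMAIL = "/usr/sbin/sendmail"

# Split the filter's ARGV as master.cf passes it:
#   -f ${sender} [--] ${recipient} ...
def parse_filter_args(argv)
  raise ArgumentError, "expected -f <sender>" unless argv[0] == "-f" && argv.size >= 2
  sender = argv[1]
  rest = argv.drop(2)
  rest = rest.drop(1) if rest.first == "--"
  raise ArgumentError, "no recipients" if rest.empty?
  [sender, rest]
end

# One array element per argument: no shell ever parses the addresses.
# "--" ends option parsing, so a recipient that begins with "-" stays a
# recipient instead of being read as a sendmail option.
def sendmail_argv(sender, recipients)
  [SENDMAIL, "-G", "-i", "-f", sender, "--", *recipients]
end

# Re-inject the message. IO.popen with an Array execs the program directly.
def reinject(sender, recipients, mail_content)
  IO.popen(sendmail_argv(sender, recipients), "w") { |pipe| pipe.write(mail_content) }
  $?.success?
end

# Demonstration helper (not part of a filter): run a harmless child through
# the same Array form and return the argument list it actually received.
def argv_seen_by_child(args)
  probe = [RbConfig.ruby, "-e", 'print ARGV.join("\0")', "--", *args]
  IO.popen(probe, &:read).split("\0")
end

if __FILE__ == $PROGRAM_NAME
  # Constructed input: addresses with shell metacharacters and a leading "-".
  sender, rcpts = parse_filter_args(
    ["-f", "sender@mymail", "--", "user1@mymail", "a;b c@mymail", "-bogus@mymail"])
  # Each address reaches the child as exactly one unmodified argument.
  p argv_seen_by_child(sendmail_argv(sender, rcpts).drop(1))
end
```

In a real filter, `reinject` would be called with the result of `parse_filter_args(ARGV)` and the message read from standard input.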


Re: so many warnings, are these spams?

2016-10-13 Thread Benny Pedersen

On 2016-10-13 08:30, vod vos wrote:


Oct 12 14:38:50 postfix/smtpd[1877]: warning: hostname
4d1q192.urbanchipps.net does not resolve to address 104.200.137.192:
Name or service not known



are these spams, how can I do? thanks.


no, it's more just a badly configured mailserver that has not performed
fully qualified dns reverse name for that ip


basic:

host 
dig 

does not match same ip vs ptr

and you can't do anything to it


so many warnings, are these spams?

2016-10-13 Thread vod vos
Hello guys,



when I cat /var/log/mail.log | grep warn

It shows



Oct 12 14:20:55 postfix/smtpd[2431]: warning: hostname 
static-bbs-74-184-3-210-on-nets.com does not resolve to address 210.3.184.74: 
Name or service not known

Oct 12 14:38:50 postfix/smtpd[1877]: warning: hostname 4d1q192.urbanchipps.net 
does not resolve to address 104.200.137.192: Name or service not known



and many many of such logs.



are these spams, how can I do? thanks.


sincerely yours