Re: tls plugin and SSL version
Here's a chunk of code from one of my projects: A config file setting allows an admin to choose from all, high, medium, or pci.

    my $s = $ciphers eq 'all'    ? 'ALL'
          : $ciphers eq 'high'   ? 'HIGH:!SSLv2'
          : $ciphers eq 'medium' ? 'HIGH:MEDIUM:!SSLv2'
          : $ciphers eq 'pci'    ? 'DEFAULT:!ADH:!LOW:!EXP:!SSLv2:+HIGH:+MEDIUM'
          :                        'DEFAULT';

Then you set SSL_cipher_list in the call to IO::Socket::SSL::SSL_Context->new.

Matt

PS: IIRC, I pulled the high, medium, low settings out of the openssl docs.

On Jul 22, 2010, at 7:29 PM, Charlie Brady wrote:

I've seen some reports that qpsmtpd fails some PCI compliance testing because it can be accessed via SSLv2.

http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard
http://bugs.contribs.org/show_bug.cgi?id=6141

Here's a simple, and untested, patch - someone might care to do something more elaborate to allow choice of TLSv1 or SSLv3 (unfortunately IO::Socket::SSL doesn't seem to allow disable of just SSLv2).

--- qpsmtpd-0.83/plugins/tls.orig 2010-07-22 22:04:00.0 -0400 +++ qpsmtpd-0.83/plugins/tls 2010-07-22 22:09:35.0 -0400 @@ -80,6 +80,7 @@ local $^W; # this bit is very noisy... my $ssl_ctx = IO::Socket::SSL::SSL_Context-new( SSL_use_cert = 1, +SSL_version = 'TLSv1', SSL_cert_file = $self-tls_cert, SSL_key_file = $self-tls_key, SSL_ca_file = $self-tls_ca, @@ -176,6 +177,7 @@ my $tlssocket = IO::Socket::SSL-new_from_fd( fileno(STDIN), '+', SSL_use_cert = 1, +SSL_version = 'TLSv1', SSL_cert_file = $self-tls_cert, SSL_key_file = $self-tls_key, SSL_ca_file = $self-tls_ca,
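Review bot: hunk @@ -80,6 +80,7 @@ hardcodes SSL_version = 'TLSv1' into the SSL_Context->new call with no way to override it, even though the covering text itself asks for a choice between TLSv1 and SSLv3; read the value from a config entry the way tls_cert, tls_key and tls_ca already come from $self, defaulting to 'TLSv1' when unset, and record in the plugin docs and Changes that a TLSv1 pin turns away SSLv3-only clients as well as SSLv2 clients.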
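Review bot: hunk @@ -176,6 +177,7 @@ repeats the SSL_version line (and the whole SSL_use_cert/cert/key/ca block around it) from the first hunk inside the IO::Socket::SSL->new_from_fd call, so the two argument lists can now silently diverge; build the SSL options once into a hash and pass that to both calls so a protocol or cipher change happens in one place. The message says the patch is untested: before it lands, check with openssl s_client -connect host:25 -starttls smtp -ssl2 that the SSLv2 handshake is refused and with -tls1 that TLS still comes up.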
Re: [BUG] Default search path used in require_resolvable_fromhost
I've committed this as ab7c2601f0740fac1c3c117e7e5c0a5690348194. I'm not 100% sure it's a good idea, but I think it's mostly a good thing.

Charlie - It would be great if you could send patches instead of suggestions.

-R

Charlie Brady wrote:

http://bugs.contribs.org/show_bug.cgi?id=5808

Jesper Knudsen 2010-03-01 01:29:10 MST

When using the require_resolvable_fromhost plugin for qpsmtpd I noticed that mails from u...@localhost.localdomain were actually getting through this filter. I finally found out that the plugin has a bug that causes it to insert the default search path if it cannot find the domain. This means in my case that localhost.localdomain was then tried resolved as localhost.localdomain.swerts-knudsen.dk and since I have a wildcard CNAME it was resolved as my public IP. Since this plugin is only enabled for the public interface the fix is to set the dnsrch flag when creating the Net::DNS object.

In require_resolvable_fromhost:

    my $res = Net::DNS::Resolver->new( dnsrch => 0 );
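The bug report above is easier to see with the resolver's search algorithm written out. The following is an added illustration, not the require_resolvable_fromhost plugin's own code: search_candidates reproduces the three-step name expansion that Net::DNS's search() performs (a dotted name as-is, then each search-list entry appended unless the name ends in a dot, then a dotless name as-is), so you can see which names a dnsrch-enabled resolver would try for localhost.localdomain; fromhost_resolver and fromhost_resolvable then do the lookup with the search list and default domain switched off. The search list swerts-knudsen.dk is the constructed scenario from the report, and treating "has an MX or an A record" as resolvable is an assumption about the plugin rather than something the thread states.

```perl
#!/usr/bin/perl
# Added example, not the require_resolvable_fromhost plugin: shows why a
# resolver with dnsrch enabled makes a bogus sender domain look resolvable,
# and a lookup helper that never appends the search list.
use strict;
use warnings;
use Net::DNS;

# Names that Net::DNS's search() would try for $name, following the
# three-step algorithm quoted in the commit: dotted name as is, then each
# search-list entry appended unless the name ends in a dot, then a dotless
# name as is.
sub search_candidates {
    my ( $name, $searchlist, $dnsrch ) = @_;
    my @try;
    push @try, $name if index( $name, '.' ) >= 0;
    if ( $dnsrch && $name !~ /\.\z/ ) {
        push @try, "$name.$_" for @$searchlist;
    }
    push @try, $name if index( $name, '.' ) < 0;
    return @try;
}

# Resolver for sender-domain checks: no search list and no default domain,
# so "localhost.localdomain" is only ever looked up as itself.
sub fromhost_resolver {
    return Net::DNS::Resolver->new(
        dnsrch   => 0,
        defnames => 0,
        @_,    # caller may add e.g. nameservers => [...]
    );
}

# True if $domain has an MX or an A record.  Assumption: this is the
# plugin's notion of "resolvable"; adjust to match the version you run.
sub fromhost_resolvable {
    my ( $domain, $res ) = @_;
    $res ||= fromhost_resolver();
    for my $type (qw(MX A)) {
        my $pkt = $res->query( $domain, $type ) or next;
        return 1 if grep { $_->type eq $type } $pkt->answer;
    }
    return 0;
}

if ( !caller ) {
    # Constructed scenario from the bug report: a site search list whose
    # zone carries a wildcard CNAME.
    my @searchlist = ('swerts-knudsen.dk');
    my $bad        = 'localhost.localdomain';
    print "dnsrch=1 would try: ", join( ', ', search_candidates( $bad, \@searchlist, 1 ) ), "\n";
    print "dnsrch=0 would try: ", join( ', ', search_candidates( $bad, \@searchlist, 0 ) ), "\n";

    my $domain = $ARGV[0] || $bad;
    print "$domain resolvable: ", ( fromhost_resolvable($domain) ? 'yes' : 'no' ), "\n";
}
```

With dnsrch on, the second candidate is localhost.localdomain.swerts-knudsen.dk, which the wildcard answers; with dnsrch off only the literal name is tried. Note that query() never consults the search list in any case, so a plugin that calls query() (or send()) on a name with a trailing dot is safe regardless of the dnsrch setting; the explicit dnsrch => 0 guards the search() path.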
Re: rpm packaging bug - smtpd user created with shell not /bin/false
Fix committed as 9348539ed7aa03b438905f953771db14fcb4c1ea

Once again, a patch would have been great. I haven't tested this, so any RPM users, please do.

-R

Charlie Brady wrote:

http://bugs.contribs.org/show_bug.cgi?id=6025

    if ! id smtpd >/dev/null 2>&1
    then
        # need to create smtpd user.
        if perl -e 'exit ! defined(getgrnam("postdrop"))'
        then
            # if postfix is installed, we will probably use
            # queue/postfix, which will need this:
            supp="-G postdrop"
        fi
        useradd -r -m $supp smtpd
    fi

qpsmtpd needs a user smtpd, but should not create a home directory or give access to a shell.
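The scriptlet above creates the account with useradd -r -m, which makes a home directory and leaves the distribution's default login shell in place; with shadow-utils useradd the flags for the behaviour the report asks for are -M (do not create the home directory) and -s /bin/false. Since the fix is untested, here is a small audit you can run on an RPM-installed host after the scriptlet has run. It is an added example, not part of qpsmtpd's packaging: the set of shells treated as "no login" is an assumption to adjust for your distribution, and the account name defaults to smtpd.

```perl
#!/usr/bin/perl
# Added example, not part of qpsmtpd's RPM packaging: audit a service
# account for the two properties the bug report asks for, no login shell
# and no home directory of its own.
use strict;
use warnings;

# Shells that refuse interactive login.  Assumption: adjust for your
# distribution; /bin/false is what the report's subject line expects.
my %nologin = map { $_ => 1 } qw(/bin/false /sbin/nologin /usr/sbin/nologin);

# Pure check on the passwd fields, so it can be exercised on constructed
# input as well as on a real getpwnam() result.
sub account_problems {
    my (%f) = @_;    # shell => ..., dir => ...
    my @problems;
    push @problems, "login shell is " . ( defined $f{shell} ? $f{shell} : '(none)' )
        unless defined $f{shell} && $nologin{ $f{shell} };
    push @problems, "home directory $f{dir} exists"
        if defined $f{dir} && $f{dir} ne '/' && -d $f{dir};
    return @problems;
}

# Look the account up on this host and report what is wrong with it.
sub audit_account {
    my ($name) = @_;
    my ( $login, undef, undef, undef, undef, undef, undef, $dir, $shell ) = getpwnam($name);
    return ("no such account '$name'") unless defined $login;
    return account_problems( dir => $dir, shell => $shell );
}

if ( !caller ) {
    my $name     = $ARGV[0] || 'smtpd';
    my @problems = audit_account($name);
    print @problems ? "$name: " . join( '; ', @problems ) . "\n" : "$name: ok\n";
    exit( @problems ? 1 : 0 );
}
```

A non-zero exit means the scriptlet (or a hand-made account) still needs fixing; on an account created with useradd -r -M -s /bin/false $supp smtpd the script prints "smtpd: ok".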
Re: tls plugin and SSL version
Matt,

Could you integrate this kind of config into the tls plugin? That's definitely nicer than hardcoding a cipher.

Thanks!

-R

Matt Simerson wrote:

Here's a chunk of code from one of my projects: A config file setting allows an admin to choose from all, high, medium, or pci.

    my $s = $ciphers eq 'all'    ? 'ALL'
          : $ciphers eq 'high'   ? 'HIGH:!SSLv2'
          : $ciphers eq 'medium' ? 'HIGH:MEDIUM:!SSLv2'
          : $ciphers eq 'pci'    ? 'DEFAULT:!ADH:!LOW:!EXP:!SSLv2:+HIGH:+MEDIUM'
          :                        'DEFAULT';

Then you set SSL_cipher_list in the call to IO::Socket::SSL::SSL_Context->new.

Matt

PS: IIRC, I pulled the high, medium, low settings out of the openssl docs.

On Jul 22, 2010, at 7:29 PM, Charlie Brady wrote:

I've seen some reports that qpsmtpd fails some PCI compliance testing because it can be accessed via SSLv2.

http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard
http://bugs.contribs.org/show_bug.cgi?id=6141

Here's a simple, and untested, patch - someone might care to do something more elaborate to allow choice of TLSv1 or SSLv3 (unfortunately IO::Socket::SSL doesn't seem to allow disable of just SSLv2).

--- qpsmtpd-0.83/plugins/tls.orig 2010-07-22 22:04:00.0 -0400 +++ qpsmtpd-0.83/plugins/tls2010-07-22 22:09:35.0 -0400 @@ -80,6 +80,7 @@ local $^W; # this bit is very noisy... my $ssl_ctx = IO::Socket::SSL::SSL_Context-new( SSL_use_cert = 1, +SSL_version = 'TLSv1', SSL_cert_file = $self-tls_cert, SSL_key_file = $self-tls_key, SSL_ca_file = $self-tls_ca, @@ -176,6 +177,7 @@ my $tlssocket = IO::Socket::SSL-new_from_fd( fileno(STDIN), '+', SSL_use_cert = 1, +SSL_version = 'TLSv1', SSL_cert_file = $self-tls_cert, SSL_key_file = $self-tls_key, SSL_ca_file = $self-tls_ca,
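Review bot: in this quoted copy the new-file header reads +++ qpsmtpd-0.83/plugins/tls2010-07-22 22:09:35.0 -0400, with the separator between the file name and the timestamp lost, so patch(1) will look for a file called tls2010-07-22 and stop to ask which file to patch; the copy in Matt's earlier message still has the name and timestamp apart. Whoever picks this up should take the hunks from that copy, or ask for the patch as an attachment so whitespace survives the mail client.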
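What a config-driven version of the above could look like, as an added example: this is new code written for this page, not the tls plugin and not Matt's project. It keeps Matt's keyword table, lets a raw OpenSSL cipher string through unchanged (which is what the sample config/tls_ciphers file holds), and adds a protocol setting so the 'TLSv1' pin from Charlie's patch is a choice rather than a hardcoded value. The certificate and key paths are placeholders, and the 'SSLv23:!SSLv2' value assumes an IO::Socket::SSL new enough to accept '!' in SSL_version; check the module's documentation on the target host before relying on that entry.

```perl
#!/usr/bin/perl
# Added example (not the qpsmtpd tls plugin and not Matt's project code):
# map a tls_ciphers-style keyword to an OpenSSL cipher string and build an
# IO::Socket::SSL server context that will not negotiate SSLv2.
use strict;
use warnings;
use IO::Socket::SSL;

# Keyword -> cipher string, taken from the snippet in the thread.  Anything
# else is passed through unchanged so a raw OpenSSL cipher string works too.
my %cipher_profile = (
    all    => 'ALL',
    high   => 'HIGH:!SSLv2',
    medium => 'HIGH:MEDIUM:!SSLv2',
    pci    => 'DEFAULT:!ADH:!LOW:!EXP:!SSLv2:+HIGH:+MEDIUM',
);

sub cipher_string {
    my ($setting) = @_;
    return 'HIGH:!SSLv2' unless defined $setting && length $setting;    # assumed default
    my $known = $cipher_profile{ lc $setting };
    return defined $known ? $known : $setting;
}

# Protocol choice.  'TLSv1' (what the inline patch hardcodes) rejects SSLv2
# and SSLv3 clients alike.  'SSLv23:!SSLv2' keeps SSLv3 and TLSv1 and drops
# only SSLv2, but that '!' syntax is an assumption about the installed
# IO::Socket::SSL version.
my %protocol_profile = (
    tls1     => 'TLSv1',
    no_sslv2 => 'SSLv23:!SSLv2',
);

sub make_server_context {
    my (%opt) = @_;
    my $name    = $opt{protocol} || 'tls1';
    my $version = $protocol_profile{$name}
        or die "unknown protocol setting '$name'\n";
    my $ctx = IO::Socket::SSL::SSL_Context->new(
        SSL_server      => 1,
        SSL_version     => $version,
        SSL_cipher_list => cipher_string( $opt{ciphers} ),
        SSL_use_cert    => 1,
        SSL_cert_file   => $opt{cert},
        SSL_key_file    => $opt{key},
        ( $opt{ca} ? ( SSL_ca_file => $opt{ca} ) : () ),
    ) or die "cannot build SSL context: " . IO::Socket::SSL::errstr() . "\n";
    return $ctx;
}

# Driver: the 'pci' default and the cert/key paths are placeholders.
if ( !caller ) {
    my ( $ciphers, $protocol ) = ( $ARGV[0] || 'pci', $ARGV[1] || 'tls1' );
    print "cipher list : ", cipher_string($ciphers), "\n";
    print "SSL_version : ", $protocol_profile{$protocol} || '(unknown)', "\n";
    my $ctx = make_server_context(
        ciphers  => $ciphers,
        protocol => $protocol,
        cert     => '/etc/qpsmtpd/ssl/cert.pem',
        key      => '/etc/qpsmtpd/ssl/key.pem',
    );
    # The plugin's second call site would then reuse this context on the
    # already-open SMTP connection, e.g.
    #   IO::Socket::SSL->new_from_fd( fileno(STDIN), '+<',
    #       SSL_server => 1, SSL_reuse_ctx => $ctx );
    print "context built: ", ref $ctx, "\n";
}
```

Building the context fails up front, with the OpenSSL error in IO::Socket::SSL::errstr(), if the cipher string matches no suites, which is a cheaper place to catch a typo in tls_ciphers than the first client's STARTTLS. To confirm the result from outside, openssl s_client -connect host:25 -starttls smtp -ssl2 should fail to handshake while the same command with -tls1 should succeed (the -ssl2 option only exists in OpenSSL builds that still include SSLv2).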
Re: Rewritten URIBL plugin
> - Introduces support for URIBL services that may not have worked right, at least out of the box, before. Defines the subtle differences between various known URIBL services in order to maximize compatibility.

Is it worth pulling some of this config out of the code and putting it into some sort of config file?

> - Uses Net::DNS::Async to simplify the code, and also to ensure the afore-mentioned A and NS lookups will prompt new URIBL lookups in an efficient and simple manner via callbacks

Does the code still work with the async qpsmtpd cores?

> Attached also is tld_lists.pl, a companion file that needs to be dropped in lib/Qpsmtpd/ which provides the list of first, second, and third level TLDs that we care about. It's derived from our URIBL datafeed as well as

Do the owners of that data care about it being used this way? You may be violating any agreement with them. Would they be ok if this was released as an independent CPAN module? Either way, can we structure this as an API instead of just an include file?

> There are some disadvantages to this code. MIME::Parser is probably heavy in terms of resource usage compared to just scanning the message body line-by-line. This would probably not be that difficult to revert again if desired, although I think the advantages of M::P outweigh the disadvantages.

It would be cool if it was configurable (i.e. use MIME::Parser or not.)

> code, etc. At any rate, I've worked hard on this code and am thankful to Devin and the rest of the QP contributors for the starting point, so I hope that someone manages to find this useful and perhaps massage it into upstream :)

I don't have time to test or massage it, but the uribl plugin is quite important, so if someone is willing to test, benchmark, and massage, it would be cool to get a more powerful version into core.

-R
[PATCH 1/2] corrected email address
--- plugins/greylisting |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/plugins/greylisting b/plugins/greylisting index ebdec8f..7860b13 100644 --- a/plugins/greylisting +++ b/plugins/greylisting @@ -133,7 +133,7 @@ use something like File::NFSLock instead. Written by Gavin Carr ga...@openfusion.com.au. -Added p0f section mattsimer...@cpan.org (2010-05-03) +Added p0f section msimer...@cpan.org (2010-05-03) =cut -- 1.7.1.1
[PATCH 2/2] increased default TLS security setting
switched default TLS security in config/tls_ciphers from HIGH to HIGH:!SSLv2. Added note for how to set the minimum level of security necessary for PCI compliance. --- config.sample/tls_ciphers |8 +++- 1 files changed, 7 insertions(+), 1 deletions(-) diff --git a/config.sample/tls_ciphers b/config.sample/tls_ciphers index e889731..7bb0204 100644 --- a/config.sample/tls_ciphers +++ b/config.sample/tls_ciphers @@ -1,4 +1,10 @@ # Override default security using suitable string from available ciphers at # Lhttp://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS # See plugins/tls for details. -HIGH +# +# HIGH is a reasonable default that should satisfy most installations +HIGH:!SSLv2 +# +# if you have legacy clients that require less secure connections, +# consider using this less secure, but PCI compliant setting: +#DEFAULT:!ADH:!LOW:!EXP:!SSLv2:+HIGH:+MEDIUM -- 1.7.1.1
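Review bot: the comment added directly above the new value, # HIGH is a reasonable default that should satisfy most installations, still describes the old setting while the line under it is now HIGH:!SSLv2; say which of the two is meant and why the !SSLv2 exclusion is there (the PCI point from the commit message), otherwise the next reader will "simplify" it back to HIGH. While this file is being touched, the unchanged context line # Lhttp://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS carries a stray L in front of the URL that looks like a leftover from POD L<> markup and makes the link unusable as pasted.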
Re: [PATCH 1/2] corrected email address
Applied: d0c9b7cbe5ec615e2e23b91072781019ad59ee19 Matt Simerson wrote: --- plugins/greylisting |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/plugins/greylisting b/plugins/greylisting index ebdec8f..7860b13 100644 --- a/plugins/greylisting +++ b/plugins/greylisting @@ -133,7 +133,7 @@ use something like File::NFSLock instead. Written by Gavin Carr ga...@openfusion.com.au. -Added p0f section mattsimer...@cpan.org (2010-05-03) +Added p0f section msimer...@cpan.org (2010-05-03) =cut -- 1.7.1.1
Re: [PATCH 2/2] increased default TLS security setting
Applied: 3a7f46aa3e75988686ef9fcae5158fc29f6a86f6 Matt Simerson wrote: switched default TLS security in config/tls_ciphers from HIGH to HIGH:!SSLv2. Added note for how to set the minimum level of security necessary for PCI compliance. --- config.sample/tls_ciphers |8 +++- 1 files changed, 7 insertions(+), 1 deletions(-) diff --git a/config.sample/tls_ciphers b/config.sample/tls_ciphers index e889731..7bb0204 100644 --- a/config.sample/tls_ciphers +++ b/config.sample/tls_ciphers @@ -1,4 +1,10 @@ # Override default security using suitable string from available ciphers at # Lhttp://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS # See plugins/tls for details. -HIGH +# +# HIGH is a reasonable default that should satisfy most installations +HIGH:!SSLv2 +# +# if you have legacy clients that require less secure connections, +# consider using this less secure, but PCI compliant setting: +#DEFAULT:!ADH:!LOW:!EXP:!SSLv2:+HIGH:+MEDIUM -- 1.7.1.1
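Review bot: in the commented PCI string DEFAULT:!ADH:!LOW:!EXP:!SSLv2:+HIGH:+MEDIUM the trailing +HIGH:+MEDIUM does not add anything: a leading + in OpenSSL cipher-string syntax only moves already-listed matching suites to the end of the list, so after the four exclusions it merely reorders the HIGH and MEDIUM suites that are already present, which is a preference change rather than a security one. Either drop the suffix or say in the comment what ordering it is meant to produce, and note that excluding SSLv2 suites in config/tls_ciphers governs only the cipher list, so the protocol itself should still be turned off through the tls plugin's SSL_version setting.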
[PATCH] add test name to test output
--- t/plugin_tests/check_badrcptto |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/t/plugin_tests/check_badrcptto b/t/plugin_tests/check_badrcptto index 9f7b9c9..b9a986d 100644 --- a/t/plugin_tests/check_badrcptto +++ b/t/plugin_tests/check_badrcptto @@ -5,5 +5,5 @@ sub register_tests { } sub test_check_badrcptto_ok { -ok(1); +ok(1, 'badrcptto, ok'); } -- 1.7.1.1
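Review bot: ok(1, 'badrcptto, ok') still passes unconditionally, so the test exercises nothing in plugins/check_badrcptto, and the new description now promises a check that is not there. Either follow up with a test that feeds a known-bad recipient to the plugin and asserts on its return, or word the description as a placeholder so a green run is not mistaken for coverage.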
[PATCH] give badrcptto a reasonable name
renamed check_badrcptto test from foo to test_check_badrcptto_ok --- t/plugin_tests/check_badrcptto |4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/t/plugin_tests/check_badrcptto b/t/plugin_tests/check_badrcptto index d10f992..9f7b9c9 100644 --- a/t/plugin_tests/check_badrcptto +++ b/t/plugin_tests/check_badrcptto @@ -1,9 +1,9 @@ sub register_tests { my $self = shift; -$self-register_test(foo, 1); +$self-register_test(test_check_badrcptto_ok, 1); } -sub foo { +sub test_check_badrcptto_ok { ok(1); } -- 1.7.1.1
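Review bot: as shown, $self->register_test(test_check_badrcptto_ok, 1) passes the test name as a bareword; unless that is a quoting loss in the mail, write it as the string 'test_check_badrcptto_ok' so the file still compiles if the test harness ever enables strict. The rename itself is welcome: the registered name now matches the sub it points at, and the sub body is unchanged.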
Re: [PATCH] add test name to test output
Thanks, Applied: 0c4a76ffe75190a82010dca5dd7e2bd4bdbe14cb Matt Simerson wrote: --- t/plugin_tests/check_badrcptto |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/t/plugin_tests/check_badrcptto b/t/plugin_tests/check_badrcptto index 9f7b9c9..b9a986d 100644 --- a/t/plugin_tests/check_badrcptto +++ b/t/plugin_tests/check_badrcptto @@ -5,5 +5,5 @@ sub register_tests { } sub test_check_badrcptto_ok { -ok(1); +ok(1, 'badrcptto, ok'); } -- 1.7.1.1
Re: [PATCH] give badrcptto a reasonable name
Thanks, Applied! d11b87e0509e1482e6c76f203d0d9cacd581db5e Matt Simerson wrote: renamed check_badrcptto test from foo to test_check_badrcptto_ok --- t/plugin_tests/check_badrcptto |4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/t/plugin_tests/check_badrcptto b/t/plugin_tests/check_badrcptto index d10f992..9f7b9c9 100644 --- a/t/plugin_tests/check_badrcptto +++ b/t/plugin_tests/check_badrcptto @@ -1,9 +1,9 @@ sub register_tests { my $self = shift; -$self-register_test(foo, 1); +$self-register_test(test_check_badrcptto_ok, 1); } -sub foo { +sub test_check_badrcptto_ok { ok(1); } -- 1.7.1.1
[smtpd/qpsmtpd] 803a32: ignore search path in DNS lookups
Branch: refs/heads/master
Home: http://github.com/smtpd/qpsmtpd

Commit: 803a320127f372fa1b6333155da7134a8efef619
http://github.com/smtpd/qpsmtpd/commit/803a320127f372fa1b6333155da7134a8efef619
Author: Robert rsp...@pobox.com
Date: 2010-07-25 (Sun, 25 Jul 2010)

Changed paths:
  M Changes
  M plugins/require_resolvable_fromhost

Log Message:
---
ignore search path in DNS lookups

  2. If the name doesn't end in a dot then append each item in the search list to the name. This is only done if dnsrch is true.

triggered by..

From: Charlie Brady charlieb-qpsm...@budge.apana.org.au
Subject: [BUG] Default search path used in require_resolvable_fromhost
Date: Sat, 17 Jul 2010 16:24:42 -0400 (EDT)
Message-ID: pine.lnx.4.64.1007171623040.17...@e-smith.charlieb.ott.istop.com

http://bugs.contribs.org/show_bug.cgi?id=5808

Jesper Knudsen 2010-03-01 01:29:10 MST

When using the require_resolvable_fromhost plugin for qpsmtpd I noticed that mails from u...@localhost.localdomain were actually getting through this filter. I finally found out that the plugin has a bug that causes it to insert the default search path if it cannot find the domain. This means in my case that localhost.localdomain was then tried resolved as localhost.localdomain.swerts-knudsen.dk and since I have a wildcard CNAME it was resolved as my public IP. Since this plugin is only enabled for the public interface the fix is to set the dnsrch flag when creating the Net::DNS object.

In require_resolvable_fromhost:

    my $res = Net::DNS::Resolver->new( dnsrch => 0 );

Commit: 9348539ed7aa03b438905f953771db14fcb4c1ea
http://github.com/smtpd/qpsmtpd/commit/9348539ed7aa03b438905f953771db14fcb4c1ea
Author: Robert rsp...@pobox.com
Date: 2010-07-25 (Sun, 25 Jul 2010)

Changed paths:
  M packaging/rpm/qpsmtpd.spec.in

Log Message:
---
don't create homedir in RPM

based on..

From: Charlie Brady charlieb-qpsm...@budge.apana.org.au
Subject: rpm packaging bug - smtpd user created with shell not /bin/false
Date: Sat, 17 Jul 2010 18:17:49 -0400 (EDT)
Message-ID: pine.lnx.4.64.1007171816230.19...@e-smith.charlieb.ott.istop.com

http://bugs.contribs.org/show_bug.cgi?id=6025

    if ! id smtpd >/dev/null 2>&1
    then
        # need to create smtpd user.
        if perl -e 'exit ! defined(getgrnam("postdrop"))'
        then
            # if postfix is installed, we will probably use
            # queue/postfix, which will need this:
            supp="-G postdrop"
        fi
        useradd -r -m $supp smtpd
    fi

qpsmtpd needs a user smtpd, but should not create a home directory or give access to a shell.
[smtpd/qpsmtpd] d0c9b7: corrected email address
Branch: refs/heads/master
Home: http://github.com/smtpd/qpsmtpd

Commit: d0c9b7cbe5ec615e2e23b91072781019ad59ee19
http://github.com/smtpd/qpsmtpd/commit/d0c9b7cbe5ec615e2e23b91072781019ad59ee19
Author: Matt Simerson m...@tnpi.net
Date: 2010-07-25 (Sun, 25 Jul 2010)

Changed paths:
  M plugins/greylisting

Log Message:
---
corrected email address

Commit: 3a7f46aa3e75988686ef9fcae5158fc29f6a86f6
http://github.com/smtpd/qpsmtpd/commit/3a7f46aa3e75988686ef9fcae5158fc29f6a86f6
Author: Matt Simerson m...@tnpi.net
Date: 2010-07-25 (Sun, 25 Jul 2010)

Changed paths:
  M config.sample/tls_ciphers

Log Message:
---
increased default TLS security setting

switched default TLS security in config/tls_ciphers from HIGH to HIGH:!SSLv2. Added note for how to set the minimum level of security necessary for PCI compliance.

Signed-off-by: Robert rsp...@pobox.com