Re: tls plugin and SSL version

2010-07-25 Thread Matt Simerson

Here's a chunk of code from one of my projects:

A config file setting allows an admin to choose from: all, high, medium, or 
pci. 

my $s = $ciphers eq 'all'    ? 'ALL'
      : $ciphers eq 'high'   ? 'HIGH:!SSLv2'
      : $ciphers eq 'medium' ? 'HIGH:MEDIUM:!SSLv2'
      : $ciphers eq 'pci'    ? 'DEFAULT:!ADH:!LOW:!EXP:!SSLv2:+HIGH:+MEDIUM'
      :                        'DEFAULT';

Then you set SSL_cipher_list in the call to IO::Socket::SSL::SSL_Context->new. 

Matt

PS: IIRC, I pulled the high, medium, low settings out of the openssl docs. 

On Jul 22, 2010, at 7:29 PM, Charlie Brady wrote:

 
 I've seen some reports that qpsmtpd fails some PCI compliance testing 
 because it can be accessed via SSLv2.
 
 http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard
 
 http://bugs.contribs.org/show_bug.cgi?id=6141
 
 Here's a simple, and untested, patch - someone might care to do something 
 more elaborate to allow a choice of TLSv1 or SSLv3 (unfortunately 
 IO::Socket::SSL doesn't seem to allow disabling just SSLv2).
 
 --- qpsmtpd-0.83/plugins/tls.orig 2010-07-22 22:04:00.0 -0400
 +++ qpsmtpd-0.83/plugins/tls  2010-07-22 22:09:35.0 -0400
 @@ -80,6 +80,7 @@
 local $^W; # this bit is very noisy...
 my $ssl_ctx = IO::Socket::SSL::SSL_Context-new(
 SSL_use_cert = 1,
 +SSL_version = 'TLSv1',
 SSL_cert_file = $self-tls_cert,
 SSL_key_file = $self-tls_key,
 SSL_ca_file = $self-tls_ca,
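Review bot: `SSL_version => 'TLSv1'` pins the SSL_Context to one protocol version instead of only removing SSLv2, which is the finding the cover note is addressing; as the note itself says, this leaves no way to offer SSLv3 and TLSv1 together, so SSLv3-only clients will now fail the handshake. An SSL_cipher_list that excludes the SSLv2 suites, as in the HIGH:!SSLv2 string earlier in this thread, clears the SSLv2 finding without that pin; if the version is to be fixed, read it from a config entry rather than hardcoding it here, and since the patch is marked untested, verify with a client forced to each version before and after the change.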
 @@ -176,6 +177,7 @@
 my $tlssocket = IO::Socket::SSL-new_from_fd(
 fileno(STDIN), '+',
 SSL_use_cert = 1,
 +SSL_version = 'TLSv1',
 SSL_cert_file = $self-tls_cert,
 SSL_key_file = $self-tls_key,
 SSL_ca_file = $self-tls_ca,
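Review bot: this is the second hand-edited copy of the same option list, once in IO::Socket::SSL::SSL_Context->new and once in IO::Socket::SSL->new_from_fd; build the options once (a %ssl_args hash filled from config) and pass it to both calls, so that the SSL_version and cipher settings cannot be changed on one path and missed on the other.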
 
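As an added example (my own code, not qpsmtpd's or Matt's): the keyword-to-cipher-string mapping above, plus a startup check that asks OpenSSL whether the resulting string selects any cipher suite, producing one option list for both IO::Socket::SSL constructors in plugins/tls. Net::SSLeay being installed and the %cfg keys (ciphers, cert, key, ca) are assumptions.

```perl
use strict;
use warnings;
use Net::SSLeay;   # assumption: Net::SSLeay (the library under IO::Socket::SSL) is installed

# Keyword sets from this thread; any other value passes through as a literal
# OpenSSL cipher string, which is how config/tls_ciphers is read today.
my %CIPHER_SETS = (
    all    => 'ALL',
    high   => 'HIGH:!SSLv2',
    medium => 'HIGH:MEDIUM:!SSLv2',
    pci    => 'DEFAULT:!ADH:!LOW:!EXP:!SSLv2:+HIGH:+MEDIUM',
);

sub cipher_list_for {
    my ($setting) = @_;
    $setting = '' unless defined $setting;
    $setting =~ s/^\s+|\s+$//g;          # config lines tend to carry trailing blanks
    return 'DEFAULT' if $setting eq '';
    return exists $CIPHER_SETS{ lc $setting } ? $CIPHER_SETS{ lc $setting } : $setting;
}

# SSL_CTX_set_cipher_list returns 0 when the string selects no usable suite,
# so a bad value fails when the plugin loads instead of on the first STARTTLS.
sub cipher_list_is_valid {
    my ($list) = @_;
    Net::SSLeay::SSLeay_add_ssl_algorithms();
    my $ctx = Net::SSLeay::CTX_new() or return 0;
    my $ok  = Net::SSLeay::CTX_set_cipher_list($ctx, $list);
    Net::SSLeay::CTX_free($ctx);
    return $ok ? 1 : 0;
}

# One option list for both SSL_Context->new and new_from_fd, so the cipher
# setting cannot be changed at one call site and forgotten at the other.
sub ssl_options {
    my (%cfg) = @_;                      # ciphers keyword plus cert/key/ca paths (assumed keys)
    my $list = cipher_list_for($cfg{ciphers});
    die "tls: OpenSSL rejected cipher list '$list'\n" unless cipher_list_is_valid($list);
    return (
        SSL_use_cert    => 1,
        SSL_cipher_list => $list,
        SSL_cert_file   => $cfg{cert},
        SSL_key_file    => $cfg{key},
        SSL_ca_file     => $cfg{ca},
    );
}

# '!ALL' is a constructed value that selects nothing, to show the check firing.
for my $kw (qw(all high medium pci), '!ALL') {
    my $list = cipher_list_for($kw);
    printf "%-8s -> %-48s %s\n", $kw, $list, cipher_list_is_valid($list) ? 'accepted' : 'REJECTED';
}
```

The cipher string governs suites only; which protocol versions the listener offers is a separate SSL_version decision, as Charlie's patch shows.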



Re: [BUG] Default search path used in require_resolvable_fromhost

2010-07-25 Thread Robert Spier

I've committed this as ab7c2601f0740fac1c3c117e7e5c0a5690348194.

I'm not 100% sure it's a good idea, but I think it's mostly a good
thing.

Charlie - It would be great if you could send patches instead of
suggestions.

-R


Charlie Brady wrote:
 
 
 http://bugs.contribs.org/show_bug.cgi?id=5808
 
  Jesper Knudsen  2010-03-01 01:29:10 MST 
 
 When using the require_resolvable_fromhost plugin for qpsmtpd I noticed 
 that mails from u...@localhost.localdomain were actually getting through 
 this filter. I finally found out that the plugin has a bug that causes it 
 to insert the default search path if it cannot find the domain. This means in 
 my case that localhost.localdomain was then looked up as 
 localhost.localdomain.swerts-knudsen.dk and, since I have a wildcard CNAME, 
 was resolved as my public IP.
 
 Since this plugin is only enabled for the public interface, the fix is to set 
 the dnsrch flag when creating the Net::DNS object.
 
 In require_resolvable_fromhost:
 my $res = Net::DNS::Resolver->new(
     dnsrch => 0,
 );
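An added example (my own code, not the plugin's) modelling what Net::DNS::Resolver's search() tries for the sender domain from the report, first with the resolver as the plugin built it and then with dnsrch => 0; the search list swerts-knudsen.dk is constructed from the report, and Net::DNS being installed is assumed.

```perl
use strict;
use warnings;
use Net::DNS;   # assumption: Net::DNS is installed

# The search() expansion quoted in the commit: a dotted name is tried as is;
# unless it ends in a dot, each search list entry is appended, but only when
# dnsrch is true; a dotless name is then tried as is.
sub names_tried {
    my ($name, $searchlist, $dnsrch) = @_;
    my @tries;
    push @tries, $name if $name =~ /\./;
    if ($dnsrch && $name !~ /\.$/) {
        push @tries, "$name.$_" for @$searchlist;
    }
    push @tries, $name if $name !~ /\./;
    return @tries;
}

# The resolver as the plugin built it (dnsrch defaults to 1) and as fixed.
sub make_resolver {
    my ($fixed) = @_;
    return Net::DNS::Resolver->new(
        searchlist => ['swerts-knudsen.dk'],   # constructed from the report's example
        $fixed ? (dnsrch => 0) : (),
    );
}

# Names this resolver would try, taken from its own searchlist/dnsrch settings.
sub tries_for {
    my ($res, $name) = @_;
    return names_tried($name, [ $res->searchlist ], $res->dnsrch);
}

for my $fixed (0, 1) {
    my $res = make_resolver($fixed);
    printf "dnsrch=%d: %s\n", $res->dnsrch,
        join(', ', tries_for($res, 'localhost.localdomain'));
}
```

With a wildcard record under the search domain the appended candidate answers, which is how the localhost.localdomain sender passed the check; with dnsrch => 0 only the literal name is tried.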


Re: rpm packaging bug - smtpd user created with shell not /bin/false

2010-07-25 Thread Robert Spier

Fix committed as 9348539ed7aa03b438905f953771db14fcb4c1ea

Once again, a patch would have been great.

I haven't tested this, so any RPM users, please do.

-R

Charlie Brady wrote:
 
 
 http://bugs.contribs.org/show_bug.cgi?id=6025
 
 if ! id smtpd >/dev/null 2>&1
 then
     # need to create smtpd user.
     if perl -e 'exit ! defined(getgrnam(postdrop))'
     then
         # if postfix is installed, we will probably use
         # queue/postfix, which will need this:
         supp="-G postdrop"
     fi
     useradd -r -m $supp smtpd
 fi
 
 qpsmtpd needs a user smtpd, but should not create a home directory or 
 give access to a shell.
 
 


Re: tls plugin and SSL version

2010-07-25 Thread Robert Spier

Matt,

  Could you integrate this kind of config into the tls plugin?  That's
  definitely nicer than hardcoding a cipher.

  Thanks!

-R

Matt Simerson wrote:
 
 
 Here's a chunk of code from one of my projects:
 
 A config file setting allows an admin to choose from: all, high, medium, or 
 pci. 
 
 my $s = $ciphers eq 'all'    ? 'ALL'
       : $ciphers eq 'high'   ? 'HIGH:!SSLv2'
       : $ciphers eq 'medium' ? 'HIGH:MEDIUM:!SSLv2'
       : $ciphers eq 'pci'    ? 'DEFAULT:!ADH:!LOW:!EXP:!SSLv2:+HIGH:+MEDIUM'
       :                        'DEFAULT';
 
 Then you set SSL_cipher_list in the call to 
 IO::Socket::SSL::SSL_Context->new. 
 
 Matt
 
 PS: IIRC, I pulled the high, medium, low settings out of the openssl docs. 
 
 On Jul 22, 2010, at 7:29 PM, Charlie Brady wrote:
 
  
  I've seen some reports that qpsmtpd fails some PCI compliance testing 
  because it can be accessed via SSLv2.
  
  http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard
  
  http://bugs.contribs.org/show_bug.cgi?id=6141
  
  Here's a simple, and untested, patch - someone might care to do something 
  more elaborate to allow a choice of TLSv1 or SSLv3 (unfortunately 
  IO::Socket::SSL doesn't seem to allow disabling just SSLv2).
  
  --- qpsmtpd-0.83/plugins/tls.orig   2010-07-22 22:04:00.0 -0400
  +++ qpsmtpd-0.83/plugins/tls2010-07-22 22:09:35.0 -0400
  @@ -80,6 +80,7 @@
  local $^W; # this bit is very noisy...
  my $ssl_ctx = IO::Socket::SSL::SSL_Context-new(
  SSL_use_cert = 1,
  +SSL_version = 'TLSv1',
  SSL_cert_file = $self-tls_cert,
  SSL_key_file = $self-tls_key,
  SSL_ca_file = $self-tls_ca,
  @@ -176,6 +177,7 @@
  my $tlssocket = IO::Socket::SSL-new_from_fd(
  fileno(STDIN), '+',
  SSL_use_cert = 1,
  +SSL_version = 'TLSv1',
  SSL_cert_file = $self-tls_cert,
  SSL_key_file = $self-tls_key,
  SSL_ca_file = $self-tls_ca,
  
 


Re: Rewritten URIBL plugin

2010-07-25 Thread Robert Spier

 - Introduces support for URIBL services that may not have worked right, at
 least out of the box, before.  Defines the subtle differences between
 various known URIBL services in order to maximize compatibility. 

Is it worth pulling some of this config out of the code and putting it
into some sort of config file?  

 - Uses Net::DNS::Async to simplify the code, and also to ensure the
 aforementioned A and NS lookups will prompt new URIBL lookups in an
 efficient and simple manner via callbacks

Does the code still work with the async qpsmtpd cores?


 Attached also is tld_lists.pl, a companion file that needs to be dropped
 in lib/Qpsmtpd/ which provides the list of first, second, and third level
 TLDs that we care about.  It's derived from our URIBL datafeed as well as

Do the owners of that data care about it being used this way?  You may
be violating any agreement with them.  Would they be ok if this was
released as an independent CPAN module? Either way, can we
structure this as an API instead of just an include file?

 There are some disadvantages to this code.  MIME::Parser is probably heavy
 in terms of resource usage compared to just scanning the message body
 line-by-line.  This would probably not be that difficult to revert again
 if desired, although I think the advantages of M::P outweigh the
 disadvantages.  

It would be cool if it was configurable (i.e. use MIME::Parser or not.)

 code, etc.  At any rate, I've worked hard on this code and am thankful to
 Devin and the rest of the QP contributors for the starting point, so I
 hope that someone manages to find this useful and perhaps massage it into
 upstream :)

I don't have time to test or massage it, but the uribl plugin is quite
important, so if someone is willing to test, benchmark, and massage,
it would be cool to get a more powerful version into core.

-R


[PATCH 1/2] corrected email address

2010-07-25 Thread Matt Simerson
---
 plugins/greylisting |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/plugins/greylisting b/plugins/greylisting
index ebdec8f..7860b13 100644
--- a/plugins/greylisting
+++ b/plugins/greylisting
@@ -133,7 +133,7 @@ use something like File::NFSLock instead.
 
 Written by Gavin Carr ga...@openfusion.com.au.
 
-Added p0f section mattsimer...@cpan.org (2010-05-03)
+Added p0f section msimer...@cpan.org (2010-05-03)
 
 =cut
 
-- 
1.7.1.1



[PATCH 2/2] increased default TLS security setting

2010-07-25 Thread Matt Simerson
switched default TLS security in config/tls_ciphers from HIGH to HIGH:!SSLv2. 
Added note for how to set the minimum level of security necessary for PCI 
compliance.
---
 config.sample/tls_ciphers |8 +++-
 1 files changed, 7 insertions(+), 1 deletions(-)

diff --git a/config.sample/tls_ciphers b/config.sample/tls_ciphers
index e889731..7bb0204 100644
--- a/config.sample/tls_ciphers
+++ b/config.sample/tls_ciphers
@@ -1,4 +1,10 @@
 # Override default security using suitable string from available ciphers at 
 # Lhttp://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS
 # See plugins/tls for details.
-HIGH
+#
+# HIGH is a reasonable default that should satisfy most installations
+HIGH:!SSLv2
+#
+# if you have legacy clients that require less secure connections,
+# consider using this less secure, but PCI compliant setting:
+#DEFAULT:!ADH:!LOW:!EXP:!SSLv2:+HIGH:+MEDIUM
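Review bot: the new comment reads 'HIGH is a reasonable default' but the value that follows it is HIGH:!SSLv2; align the comment with the value. Two things are worth a line in this file as well: a cipher string restricts cipher suites only, the protocol versions the listener offers are governed by SSL_version in plugins/tls, so an SSLv2 scan finding needs both checked; and in the PCI line '+HIGH:+MEDIUM' does not add suites, '+' moves the matching ones to the end of the preference list, so check the effective order with `openssl ciphers -v 'DEFAULT:!ADH:!LOW:!EXP:!SSLv2:+HIGH:+MEDIUM'` before recommending it.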
-- 
1.7.1.1



Re: [PATCH 1/2] corrected email address

2010-07-25 Thread Robert Spier

Applied: d0c9b7cbe5ec615e2e23b91072781019ad59ee19


Matt Simerson wrote:
 
 ---
  plugins/greylisting |2 +-
  1 files changed, 1 insertions(+), 1 deletions(-)
 
 diff --git a/plugins/greylisting b/plugins/greylisting
 index ebdec8f..7860b13 100644
 --- a/plugins/greylisting
 +++ b/plugins/greylisting
 @@ -133,7 +133,7 @@ use something like File::NFSLock instead.
  
  Written by Gavin Carr ga...@openfusion.com.au.
  
 -Added p0f section mattsimer...@cpan.org (2010-05-03)
 +Added p0f section msimer...@cpan.org (2010-05-03)
  
  =cut
  
 -- 
 1.7.1.1
 


Re: [PATCH 2/2] increased default TLS security setting

2010-07-25 Thread Robert Spier

Applied: 3a7f46aa3e75988686ef9fcae5158fc29f6a86f6


Matt Simerson wrote:
 
 switched default TLS security in config/tls_ciphers from HIGH to HIGH:!SSLv2. 
 Added note for how to set the minimum level of security necessary for PCI 
 compliance.
 ---
  config.sample/tls_ciphers |8 +++-
  1 files changed, 7 insertions(+), 1 deletions(-)
 
 diff --git a/config.sample/tls_ciphers b/config.sample/tls_ciphers
 index e889731..7bb0204 100644
 --- a/config.sample/tls_ciphers
 +++ b/config.sample/tls_ciphers
 @@ -1,4 +1,10 @@
  # Override default security using suitable string from available ciphers at 
  # Lhttp://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS
  # See plugins/tls for details.
 -HIGH
 +#
 +# HIGH is a reasonable default that should satisfy most installations
 +HIGH:!SSLv2
 +#
 +# if you have legacy clients that require less secure connections,
 +# consider using this less secure, but PCI compliant setting:
 +#DEFAULT:!ADH:!LOW:!EXP:!SSLv2:+HIGH:+MEDIUM
 -- 
 1.7.1.1
 


[PATCH] add test name to test output

2010-07-25 Thread Matt Simerson
---
 t/plugin_tests/check_badrcptto |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/t/plugin_tests/check_badrcptto b/t/plugin_tests/check_badrcptto
index 9f7b9c9..b9a986d 100644
--- a/t/plugin_tests/check_badrcptto
+++ b/t/plugin_tests/check_badrcptto
@@ -5,5 +5,5 @@ sub register_tests {
 }
 
 sub test_check_badrcptto_ok {
-ok(1);
+ok(1, 'badrcptto, ok');
 }
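Review bot: 'badrcptto, ok' labels the test after the file rather than after what is asserted, and the assertion is still ok(1); word the description for the behaviour being claimed (a recipient not listed in badrcptto is accepted) so that once the body gets a real check the test output already says what failed.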
-- 
1.7.1.1



[PATCH] give badrcptto a reasonable name

2010-07-25 Thread Matt Simerson
renamed check_badrcptto test from foo to test_check_badrcptto_ok
---
 t/plugin_tests/check_badrcptto |4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/t/plugin_tests/check_badrcptto b/t/plugin_tests/check_badrcptto
index d10f992..9f7b9c9 100644
--- a/t/plugin_tests/check_badrcptto
+++ b/t/plugin_tests/check_badrcptto
@@ -1,9 +1,9 @@
 
 sub register_tests {
 my $self = shift;
-$self-register_test(foo, 1);
+$self-register_test(test_check_badrcptto_ok, 1);
 }
 
-sub foo {
+sub test_check_badrcptto_ok {
 ok(1);
 }
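Review bot: the rename promises a check that check_badrcptto accepts a good recipient, but the body is still ok(1), which passes whatever the plugin does; a follow-up should call the plugin's rcpt hook with a recipient that is not in badrcptto and assert on the returned code, with a second test covering a listed recipient being rejected, otherwise the new name is misleading.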
-- 
1.7.1.1



Re: [PATCH] add test name to test output

2010-07-25 Thread Robert Spier

Thanks, Applied: 0c4a76ffe75190a82010dca5dd7e2bd4bdbe14cb

Matt Simerson wrote:
 
 ---
  t/plugin_tests/check_badrcptto |2 +-
  1 files changed, 1 insertions(+), 1 deletions(-)
 
 diff --git a/t/plugin_tests/check_badrcptto b/t/plugin_tests/check_badrcptto
 index 9f7b9c9..b9a986d 100644
 --- a/t/plugin_tests/check_badrcptto
 +++ b/t/plugin_tests/check_badrcptto
 @@ -5,5 +5,5 @@ sub register_tests {
  }
  
  sub test_check_badrcptto_ok {
 -ok(1);
 +ok(1, 'badrcptto, ok');
  }
 -- 
 1.7.1.1
 


Re: [PATCH] give badrcptto a reasonable name

2010-07-25 Thread Robert Spier

Thanks, Applied!

d11b87e0509e1482e6c76f203d0d9cacd581db5e

Matt Simerson wrote:
 
 renamed check_badrcptto test from foo to test_check_badrcptto_ok
 ---
  t/plugin_tests/check_badrcptto |4 ++--
  1 files changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/t/plugin_tests/check_badrcptto b/t/plugin_tests/check_badrcptto
 index d10f992..9f7b9c9 100644
 --- a/t/plugin_tests/check_badrcptto
 +++ b/t/plugin_tests/check_badrcptto
 @@ -1,9 +1,9 @@
  
  sub register_tests {
  my $self = shift;
 -$self-register_test(foo, 1);
 +$self-register_test(test_check_badrcptto_ok, 1);
  }
  
 -sub foo {
 +sub test_check_badrcptto_ok {
  ok(1);
  }
 -- 
 1.7.1.1
 


[smtpd/qpsmtpd] 803a32: ignore search path in DNS lookups

2010-07-25 Thread noreply
Branch: refs/heads/master
Home:   http://github.com/smtpd/qpsmtpd

Commit: 803a320127f372fa1b6333155da7134a8efef619

http://github.com/smtpd/qpsmtpd/commit/803a320127f372fa1b6333155da7134a8efef619
Author: Robert rsp...@pobox.com
Date:   2010-07-25 (Sun, 25 Jul 2010)

Changed paths:
  M Changes
  M plugins/require_resolvable_fromhost

Log Message:
---
ignore search path in DNS lookups

   2.  If the name doesn't end in a dot then append each item in the search 
list to the name.
   This is only done if dnsrch is true.

triggered by..

From: Charlie Brady charlieb-qpsm...@budge.apana.org.au
Subject: [BUG] Default search path used in require_resolvable_fromhost
Date: Sat, 17 Jul 2010 16:24:42 -0400 (EDT)
Message-ID:
 pine.lnx.4.64.1007171623040.17...@e-smith.charlieb.ott.istop.com

http://bugs.contribs.org/show_bug.cgi?id=5808

 Jesper Knudsen  2010-03-01 01:29:10 MST

When using the require_resolvable_fromhost plugin for qpsmtpd I noticed
that mails from u...@localhost.localdomain were actually getting through
this filter. I finally found out that the plugin has a bug that causes it
to insert the default search path if it cannot find the domain. This means in
my case that localhost.localdomain was then looked up as
localhost.localdomain.swerts-knudsen.dk and, since I have a wildcard CNAME,
was resolved as my public IP.

Since this plugin is only enabled for the public interface, the fix is to set
the dnsrch flag when creating the Net::DNS object.

In require_resolvable_fromhost:
my $res = Net::DNS::Resolver->new(
    dnsrch => 0,
);


Commit: 9348539ed7aa03b438905f953771db14fcb4c1ea

http://github.com/smtpd/qpsmtpd/commit/9348539ed7aa03b438905f953771db14fcb4c1ea
Author: Robert rsp...@pobox.com
Date:   2010-07-25 (Sun, 25 Jul 2010)

Changed paths:
  M packaging/rpm/qpsmtpd.spec.in

Log Message:
---
don't create homedir in RPM

based on..

From: Charlie Brady charlieb-qpsm...@budge.apana.org.au
Subject: rpm packaging bug - smtpd user created with shell not /bin/false
Date: Sat, 17 Jul 2010 18:17:49 -0400 (EDT)
Message-ID:
 pine.lnx.4.64.1007171816230.19...@e-smith.charlieb.ott.istop.com

http://bugs.contribs.org/show_bug.cgi?id=6025

if ! id smtpd >/dev/null 2>&1
then
    # need to create smtpd user.
    if perl -e 'exit ! defined(getgrnam(postdrop))'
    then
        # if postfix is installed, we will probably use
        # queue/postfix, which will need this:
        supp="-G postdrop"
    fi
    useradd -r -m $supp smtpd
fi

qpsmtpd needs a user smtpd, but should not create a home directory or
give access to a shell.




[smtpd/qpsmtpd] d0c9b7: corrected email address

2010-07-25 Thread noreply
Branch: refs/heads/master
Home:   http://github.com/smtpd/qpsmtpd

Commit: d0c9b7cbe5ec615e2e23b91072781019ad59ee19

http://github.com/smtpd/qpsmtpd/commit/d0c9b7cbe5ec615e2e23b91072781019ad59ee19
Author: Matt Simerson m...@tnpi.net
Date:   2010-07-25 (Sun, 25 Jul 2010)

Changed paths:
  M plugins/greylisting

Log Message:
---
corrected email address


Commit: 3a7f46aa3e75988686ef9fcae5158fc29f6a86f6

http://github.com/smtpd/qpsmtpd/commit/3a7f46aa3e75988686ef9fcae5158fc29f6a86f6
Author: Matt Simerson m...@tnpi.net
Date:   2010-07-25 (Sun, 25 Jul 2010)

Changed paths:
  M config.sample/tls_ciphers

Log Message:
---
increased default TLS security setting

switched default TLS security in config/tls_ciphers from HIGH to HIGH:!SSLv2. 
Added note for how to set the minimum level of security necessary for PCI 
compliance.

Signed-off-by: Robert rsp...@pobox.com