Re: Connection notes and TLS (was: Re: Creating global DB connection)

2008-05-22 Thread Charlie Brady


On Wed, 21 May 2008, Hanno Hecker wrote:

> On Wed, 21 May 2008 10:39:37 -0400 (EDT)
> Charlie Brady <[EMAIL PROTECTED]> wrote:
> > On Wed, 21 May 2008, Hanno Hecker wrote:
> > > - if you use the tls plugin, all connection notes are lost after the
> > >  TLS setup is complete
> >
> > Why? Isn't that a bug in the tls plugin? When TLS is negotiated, the
> > transaction notes should be cleared (then TLS status added), but the
> > connection notes should still be valid - it's the same connection still.
> Yes and no :) IMO at least some of the notes are still valid, but see
> this thread:
>  http://www.nntp.perl.org/group/perl.qpsmtpd/2006/08/msg5371.html


I don't see anything in the thread which identifies which notes might and 
might not be valid post-starttls.


John Peacock says:


I think that sounds appropriate, as TLS essentially starts a new
connection.


It's a required part of the RFC, see RFC-2487 Section 5.2:


Upon completion of the TLS handshake, ... [t]he server MUST discard any
knowledge obtained from the client...


I don't dispute what the RFC says, but I don't see that all connection 
notes are "knowledge obtained from the client". Some is knowledge obtained 
from the TCP connection.


I think we can even take "any knowledge obtained from the client must be 
discarded", with a grain of salt in our case. If the spammer says 
something pre-tls which makes it very obvious to us that he is a spammer, 
do we forget that information once tls is negotiated? Ditto for "reset" - 
do we allow a spammer to try again with a clear slate by sending "reset"? 
I don't think so.


No, we just need to clear our SMTP transaction state machine, helo 
hostname and envelope address lists when TLS is negotiated. That should be 
sufficient for RFC protocol compliance.
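
One way to model the split argued for above, as an added example that is not from the thread or from qpsmtpd's code: the `Model::Session` class, its field names and the sample values are all hypothetical. SMTP-layer state (HELO name, envelope, transaction notes) is reset when TLS completes, while connection notes such as a DNSBL result or a shared database handle are kept.

```perl
# Stand-alone model for illustration; these are not qpsmtpd's classes.
use strict;
use warnings;

package Model::Session;

sub new {
    my ($class, %args) = @_;
    my $self = bless {
        remote_ip  => $args{remote_ip},  # from the TCP socket, not the client
        conn_notes => {},                # facts about the connection itself
        tls        => 0,
    }, $class;
    return $self->reset_smtp_state;
}

# Everything the client asserted at the SMTP layer lives here.
sub reset_smtp_state {
    my ($self) = @_;
    $self->{helo}      = undef;
    $self->{mail_from} = undef;
    $self->{rcpt_to}   = [];
    $self->{txn_notes} = {};
    return $self;
}

# Getter/setter for connection-scoped notes.
sub conn_note {
    my ($self, $key, @val) = @_;
    $self->{conn_notes}{$key} = $val[0] if @val;
    return $self->{conn_notes}{$key};
}

# Called once the TLS handshake has completed.
sub starttls_done {
    my ($self) = @_;
    $self->reset_smtp_state;    # client has to send EHLO again
    $self->{tls} = 1;           # connection notes are left untouched
    return $self;
}

package main;
my $s = Model::Session->new(remote_ip => '192.0.2.10');  # constructed sample
$s->conn_note(dnsbl => 'listed');                   # derived from the peer address
$s->conn_note(db => { dsn => 'DBI:mysql:qpsmtp' }); # stand-in for a DBI handle
$s->{helo} = 'mail.example.test';                   # client-supplied, pre-TLS
push @{ $s->{rcpt_to} }, 'user@example.test';
$s->starttls_done;
printf "tls=%d helo=%s rcpts=%d dnsbl=%s db=%s\n", $s->{tls}, $s->{helo} // '(cleared)',
    scalar @{ $s->{rcpt_to} }, $s->conn_note('dnsbl'), $s->conn_note('db')->{dsn};
```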


Re: Connection notes and TLS (was: Re: Creating global DB connection)

2008-05-22 Thread Charlie Brady


On Wed, 21 May 2008, Hanno Hecker wrote:

> On Wed, 21 May 2008 10:39:37 -0400 (EDT)
> Charlie Brady <[EMAIL PROTECTED]> wrote:
> > On Wed, 21 May 2008, Hanno Hecker wrote:
> > > - if you use the tls plugin, all connection notes are lost after the
> > >  TLS setup is complete
> >
> > Why? Isn't that a bug in the tls plugin? When TLS is negotiated, the
> > transaction notes should be cleared (then TLS status added), but the
> > connection notes should still be valid - it's the same connection still.
> Yes and no :) IMO at least some of the notes are still valid, but see
> this thread:
>  http://www.nntp.perl.org/group/perl.qpsmtpd/2006/08/msg5371.html
> Keeping notes across the TLS setup is a simple patch, but I won't
> commit it until all agree that we want to keep all notes

What connection notes might exist at starttls which shouldn't be kept? I'd 
say that if there are any, they should be transaction notes and not 
connection notes (e.g. helo host is SMTP transaction metadata, not TCP 
connection metadata).

> (but: why
> do we need connection->clone() then? ;-))

I didn't say that we did need it :-)

> Another approach would be to add a "starttls-post" hook and let all
> plugins set the connection notes they need/want again in there (think
> of dnsbl, which will not block clients if they start with TLS,
> currently).

I don't see any need for another approach. It seems straightforward to me 
that the connection exists from when it is created to when it is broken, 
and any connection notes should apply to the connection, and not to the 
data stream which passes over the connection. Plugins should be able to 
add and query notes about the connection, and the connection notes should 
not be discarded until the connection goes away.

> ... and to add some more new hooks:
> http://ankh-morp.org/~vetinari/tmp/new_command.diff is what I'm
> currently working on (The hardest part of this patch is still to do: the
> AUTH* commands): any plugin can add new hooks / commands. Adding a
> starttls-post hook in there would be easy.
>
> Hanno



Connection notes and TLS (was: Re: Creating global DB connection)

2008-05-21 Thread Hanno Hecker
On Wed, 21 May 2008 10:39:37 -0400 (EDT)
Charlie Brady <[EMAIL PROTECTED]> wrote:
> On Wed, 21 May 2008, Hanno Hecker wrote:
> > - if you use the tls plugin, all connection notes are lost after the
> >  TLS setup is complete
> 
> Why? Isn't that a bug in the tls plugin? When TLS is negotiated, the 
> transaction notes should be cleared (then TLS status added), but the 
> connection notes should still be valid - it's the same connection still.
Yes and no :) IMO at least some of the notes are still valid, but see
this thread:
  http://www.nntp.perl.org/group/perl.qpsmtpd/2006/08/msg5371.html
Keeping notes across the TLS setup is a simple patch, but I won't
commit it until all agree that we want to keep all notes (but: why
do we need connection->clone() then? ;-))

Another approach would be to add a "starttls-post" hook and let all
plugins set the connection notes they need/want again in there (think
of dnsbl, which will not block clients if they start with TLS,
currently).

... and to add some more new hooks:
http://ankh-morp.org/~vetinari/tmp/new_command.diff is what I'm
currently working on (The hardest part of this patch is still to do: the
AUTH* commands): any plugin can add new hooks / commands. Adding a
starttls-post hook in there would be easy. 

Hanno


Re: Creating global DB connection

2008-05-21 Thread Charlie Brady


On Wed, 21 May 2008, Hanno Hecker wrote:


> On Tue, 20 May 2008 17:18:50 -0400
> Matt Sergeant <[EMAIL PROTECTED]> wrote:
>
> > On 20-May-08, at 12:33 PM, Nighthawk wrote:
> >
> > > Hi,
> > > I am trying to write a plugin that does DB lookup and want to use the
> > > same db connection in more than 1 plugin.
> > > Somewhere I read that we can save DB connection in qp->config(). But
> > > it is not working in my case.
> >
> > Store it in $qp->connection->notes() in the same way you've done
> > ->config.
> Two small notes:
> - if you use the tls plugin, all connection notes are lost after the
>  TLS setup is complete


Why? Isn't that a bug in the tls plugin? When TLS is negotiated, the 
transaction notes should be cleared (then TLS status added), but the 
connection notes should still be valid - it's the same connection still.




Re: Creating global DB connection

2008-05-21 Thread Ernesto

Nighthawk wrote on 20.05.2008 18:33:

> I am trying to write a plugin that does DB lookup and want to use the same
> db connection in more than 1 plugin.
> Somewhere I read that we can save DB connection in qp->config(). But it
> is not working in my case.


Please have a look at my db/suite
http://dienstleistung-kultur.de/qpsmtpd/
for a concrete implementation of a DBI connection stored in
$qp->connection->notes()

(MEMO to self: check this out with the TLS-problem...)

On
http://dienstleistung-kultur.de/qpsmtpd/db_common.shtml#inheritance
you'll find a skeleton for an own plugin inheriting from db/common,
which provides all the database handling stuff.

Just say in /etc/qpsmtpd/plugins

db/base
db/your_plugin

and in db/your_plugin you can easily access your database defined in
/etc/qpsmtpd/db_base via the methods provided by db/common.

See also the discussion at
http://www.nntp.perl.org/group/perl.qpsmtpd/2007/08/msg7144.html

Ernesto






Re: Creating global DB connection

2008-05-21 Thread Jose Luis Martinez

Hanno Hecker wrote:

> - if you use the tls plugin, all connection notes are lost after the
>   TLS setup is complete (we should add a hook here, so we can re-run
>   stuff done in the hook_connect)
>
>   [note to self: add this to the docs/plugins.pod]


If you use TLS plugin and connect with DBD::mysql from within another 
plugin, set SIG{'PIPE'} to do what qpsmtpd expects it to do. Maybe this 
should be in the docs too (as a note).


More info in:
http://www.nntp.perl.org/group/perl.qpsmtpd/2008/04/msg7949.html

Jose Luis Martinez
[EMAIL PROTECTED]
CAPSiDE


Re: Creating global DB connection

2008-05-20 Thread Hanno Hecker
On Tue, 20 May 2008 17:18:50 -0400
Matt Sergeant <[EMAIL PROTECTED]> wrote:

> On 20-May-08, at 12:33 PM, Nighthawk wrote:
> 
> > Hi,
> > I am trying to write a plugin that does DB lookup and want to use the
> > same db connection in more than 1 plugin.
> > Somewhere I read that we can save DB connection in qp->config(). But
> > it is not working in my case.
>
> Store it in $qp->connection->notes() in the same way you've done
> ->config.
Two small notes: 
- if you use the tls plugin, all connection notes are lost after the
  TLS setup is complete (we should add a hook here, so we can re-run 
  stuff done in the hook_connect)
  [note to self: add this to the docs/plugins.pod]
- don't open the connection in hook_pre_connect (even if this works for
  text notes in -async and -forkserver) you will run into trouble...

What about adding a post-fork hook for -prefork? We could open a db
connection there and just pass the open fh from $self->{_db_fh} to
a connection note.

Hanno




Re: Creating global DB connection

2008-05-20 Thread Matt Sergeant

On 20-May-08, at 12:33 PM, Nighthawk wrote:


> Hi,
> I am trying to write a plugin that does DB lookup and want to use the
> same db connection in more than 1 plugin.
> Somewhere I read that we can save DB connection in qp->config(). But
> it is not working in my case.

Store it in $qp->connection->notes() in the same way you've done
->config.


Creating global DB connection

2008-05-20 Thread Nighthawk

Hi,
I am trying to write a plugin that does DB lookup and want to use the same db 
connection in more than 1 plugin.
Somewhere I read that we can save DB connection in qp->config(). But it is 
not working in my case.


Here is what I did:

##
#create db connection
1. my $db_data = DBI->connect('DBI:mysql:qpsmtp', 'db_qpsmtpd', '');

2. $self->qp->config('db_data_conn', $db_data);
3. $db_data =  $self->qp->config('db_data_conn');
###

$db_data is null at this point. I guess it is not the right way to use 
qp->config().


If I skip lines 2 and 3 then db query works, but what I am trying to do here 
is save the db conn for further use in another plugin. Maybe it is not the 
right way to do it.


Can someone please tell what I am missing here.

thanks :)