Spam on Wiki
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi all There's been a little bit of spam on the wiki of late - I reverted it and removed the spamming users. I note though that the Docuwiki version needs some updates and maybe some stronger anti-spam plugins installed. Just an FYI as I am not sure who is managing the wiki currently. Happy to help if needed. Regards James Turnbull - -- Author of: * Pro Linux System Administration (http://tinyurl.com/linuxadmin) * Pulling Strings with Puppet (http://tinyurl.com/pupbook) * Pro Nagios 2.0 (http://tinyurl.com/pronagios) * Hardening Linux (http://tinyurl.com/hardeninglinux) -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEVAwUBS147syFa/lDkFHAyAQJydQgAm2ufSGvUHzJ1L7i2f+ig8l98QPQDpH31 SyN0/A9TJmCEJesc7SfzF312DGnzrvxQdxmtBA27HW4xRI7dyWYSWI/TDzPYCozH X8bahqMV+DmSAVGqcUNmseqZPzklROJLxligkUHnswdTND1pSnWtFsfKOgtiroDo YRNub8rMR/RF/AEDfXSy79KwL5C/+R59WkP+FOAW+xxj7++nlFZU4fqyxuHsKlla +5MJ/oVJ3Eci1Frrhe/eOe+eP2PIHXOxpEyiusCNXP9nwwOEGF8fkv1WQbrQQHxf tDTRhQ5ZfZLmaHX9oQM8gVEBrMxR4wYNcWXO/WO9MkACQXaZMqM63g== =MVqV -END PGP SIGNATURE-
Re: [qpsmtpd] Still looking: tcpserver startup for qpsmtpd-prefork 0.81
J wrote: Can we get this put into the wiki? Feel free to edit the wiki. It's open to all. Regards James Turnbull -- Author of: * Pro Linux Systems Administration (http://www.amazon.com/gp/product/1430219122/) * Pulling Strings with Puppet (http://www.amazon.com/gp/product/1590599780/) * Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/) * Hardening Linux (http://www.amazon.com/gp/product/159059/)
Re: Wiki hosting
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Michael Holzt wrote: But fear not, hosting the wiki is not really much work. Spam is kept out by requiring prior account creation (this works surprisingly well). One problem it had for quite some time was that scripts looking for abusable web-contact-forms created lots of nonsense accounts, but this was mitigated by installing a captcha-plugin for user registration. So the work is mainly having an eye on it and keep it updated. While i personally dislike PHP, dokuwiki worked well so far. And of course - I'm happy to host it myself if Steve isn't able to. Regards James Turnbull - -- Author of: * Pulling Strings with Puppet (http://www.amazon.com/gp/product/1590599780/) * Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/) * Hardening Linux (http://www.amazon.com/gp/product/159059/) -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFJkAXs9hTGvAxC30ARAlUHAJwK6TKfLV8IumdwfgHzOxK2FWcPYACeIPTI Xs0jF5BUqA83cNlpkFFg7NI= =eXQX -END PGP SIGNATURE-
Re: greylisting and relaying
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Chris Garrigues wrote: I write my own greylisting plugin some time ago due to problems I had with the one included. I posted it on this list, but never got any comments on it. See http://www.trinsics.com/blog/?p=59 I've been using it on my firewalls since september with no problems at all. Chris Chris I had no comment on it but I am using it currently and am quite happy with it. Cheers James Turnbull - -- James Turnbull ([EMAIL PROTECTED]) Author of: * Pulling Strings with Puppet (http://www.amazon.com/gp/product/1590599780/) * Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/) * Hardening Linux (http://www.amazon.com/gp/product/159059/) -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFII4AR9hTGvAxC30ARAsXhAKCwd7H2fqHWETXm0nzqRTL09GN6YACeLdFw xtzCWNvqJhgxsC+J7oCqd2E= =lSO4 -END PGP SIGNATURE-
Release
Ask and Matt What's the current release status of qpsmtpd? The SVN is tagged 0.43 but the latest on the website seems to be 0.40. Time for a release and announce? Regards James -- James Turnbull ([EMAIL PROTECTED]) Author of: * Pulling Strings with Puppet (http://www.amazon.com/gp/product/1590599780/) * Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/) * Hardening Linux (http://www.amazon.com/gp/product/159059/)
qpsmtpd and mailman
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi all Does anyone use qpsmtpd with Mailman? Is there a recommended way to do recipient checking? I use check_goodrcptto currently and can obviously add the addresses for lists into its config but is there a better way or does someone have a custom plug-in for this that they would be willing to share? Thanks James Turnbull - -- James Turnbull ([EMAIL PROTECTED]) - -- Author of: - - Pulling Strings with Puppet (http://www.amazon.com/gp/product/1590599780/) - - Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/) - - Hardening Linux (http://www.amazon.com/gp/product/159059/) -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFHpaoC9hTGvAxC30ARAo1nAKCxNqYetG2xrIz4JFYTRMF0I6tY3wCgj+QB GeKwSfcGQSUbJUcTP1ksCyQ= =vU4L -END PGP SIGNATURE-
Re: qpsmtpd and mailman
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Juerd Waalboer wrote: | James Turnbull skribis 2008-02-03 22:48 (+1100): | Does anyone use qpsmtpd with Mailman? Is there a recommended way to do | recipient checking? I use check_goodrcptto currently and can obviously | add the addresses for lists into its config but is there a better way or | does someone have a custom plug-in for this that they would be willing | to share? | | If you use qmail, any level 3 or 4 solution listed in | http://search.cpan.org/~juerd/Qmail-Deliverable-1.03/lib/Qmail/Deliverable/Comparison.pod | can be used. I use Postfix rather than qmail. Regards James Turnbull - -- James Turnbull ([EMAIL PROTECTED]) - -- Author of: - - Pulling Strings with Puppet (http://www.amazon.com/gp/product/1590599780/) - - Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/) - - Hardening Linux (http://www.amazon.com/gp/product/159059/) -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFHpcb+9hTGvAxC30ARAvKPAKDBH6wS+crS1kKUbwack3I2sFu3tQCeOkoF u5FfAN84W+J5ttrF7/AZEZU= =Zy4f -END PGP SIGNATURE-
Re: queue/smtp-forward --- Does it queue when forward server is down?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Charlie Brady wrote: On Tue, 15 Jan 2008, Hanno Hecker wrote: There's no real queueing mechanism with the smtp-forward plugin, the mail will be rejected with a temporary error, which means the mail will stay in the client's queue and sent later again... well at least for most MTAs. Some are buggy that they don't get the difference between a hard failure and a temporary problem and will not retry. Really? Which? If there are any MTAs less than, say, 15 years old with such egregious behaviour, they should be shamed by public disclosure. There are quite a lot of badly coded applications that send email - they often don't handle error message well - I recently fixed a Ruby app that barfed on 4xx errors. Regards James Turnbull - -- James Turnbull ([EMAIL PROTECTED]) - -- Author of: - - Pulling Strings with Puppet (http://www.amazon.com/gp/product/1590599780/) - - Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/) - - Hardening Linux (http://www.amazon.com/gp/product/159059/) -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFHjq179hTGvAxC30ARAiIsAKC+1k3cDDPkfJx63CoHOsvl0Z7tUwCghL3r UW2Ro3H1OFAsOx9XQEVbcBg= =4xaJ -END PGP SIGNATURE-
Re: Overview of rcpt checkers
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Juerd Waalboer wrote: For your convenience, This would make a great addition to the Wiki - http://wiki.qpsmtpd.org regards James Turnbull - -- Author of: - - Pulling Strings with Puppet (http://www.amazon.com/gp/product/1590599780/) - - Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/) - - Hardening Linux (http://www.amazon.com/gp/product/159059/) -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFHWJQ89hTGvAxC30ARAoMSAKCx/mcS9AkFdr0mRxBkwiVs4kZc5wCglhjM xBhZo0/Cea9Qb2qXIQ+OBVk= =Yv6o -END PGP SIGNATURE-
Re: qmail license change
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Guy Hulbert wrote: On Fri, 2007-11-30 at 13:18 -0500, Matt Sergeant wrote: On 30-Nov-07, at 11:58 AM, Les Mikesell wrote: Is the license change on qmail likely to change the direction of qpsmtpd? Doubtful. Qpsmtpd wasn't written because of a dislike of the license. And there are quite a lot of us that don't run qmail at all. Personally I use qpsmtpd as it provides a powerful, central location to configure access, anti-spam and anti-virus controls. My backend is Postfix though and I don't use qmail anywhere. Regards James Turnbull - -- James Turnbull [EMAIL PROTECTED] - --- Author of Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/) Hardening Linux (http://www.amazon.com/gp/product/159059/) - --- PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x0C42DF40) -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFHUUxR9hTGvAxC30ARAuBcAJ418ZwNKgtCIYvigi07QotyKZEoywCgrwXF mWLvaOnAqZ9ob9ofQgdm6AA= =R7T/ -END PGP SIGNATURE-
Re: qmail license change
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 David Nicol wrote: I don't have any idea about Australia though. :) My understanding in Australia is that it is based on both precedence/actual use and registration. China and the EU don't recognise 'actual use' trademarks - they require registration. But since most Americans think our legal professionals ride to work on kangaroos the issue might be moot... :) Regards James Turnbull * * = not a lawyer - -- James Turnbull [EMAIL PROTECTED] - --- Author of Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/) Hardening Linux (http://www.amazon.com/gp/product/159059/) - --- PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x0C42DF40) -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFHUdS79hTGvAxC30ARAsamAKDJj91Tz1KRRAflt7Gu1KrSCLraFACfbOOx pClm8rf0Qgr5gVcqIYsshkc= =JwLT -END PGP SIGNATURE-
Re: Hi, bug report/feature request
Chris Lewis wrote: I've hacked qpsmtpd-async to support daemonization and pid locking files. Rather than dig into SVN, who should I send the modified copy to? Matt? Chris Since no one else answered the question I'd recommend logging a ticket at http://code.google.com/p/smtpd/issues/list and attaching the patch there. Cheers James Turnbull -- James Turnbull [EMAIL PROTECTED] --- Author of Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/) Hardening Linux (http://www.amazon.com/gp/product/159059/) --- PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x0C42DF40) signature.asc Description: OpenPGP digital signature
Re: authnull plugin in config.sample/plugins enables relaying?
Angelo Brigante Jr. wrote: Would it not be a good idea to remove the authnull plugin from the default install to avoid this? It's been done - Ask removed it recently - see revision #793. Regards James Turnbull -- James Turnbull [EMAIL PROTECTED] --- Author of Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/) Hardening Linux (http://www.amazon.com/gp/product/159059/) --- PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x0C42DF40) signature.asc Description: OpenPGP digital signature
Re: DKIM plugin
Matthew Harrell wrote: I was just getting ready to write a plugin to create DKIM signatures for qpsmtpd but I thought I would check and see if anyone has already done it. What I'm looking for is something that will create the proper DKIM signature on properly relayed emails before they go out. A google search didn't show anything. While it's easy enough to integrate postfix with dkimproxy it looks like it would be a bit of a pain with qmail unless I want to write a qmail-queue replacement. Matthew Both John Peacock and myself had a stab at this a while ago but I never got libdkim to compile correctly - though from memory John might have - and so I ditched the idea. You can probably find our discussions in the mailing list archives. Be good to develop a plug-in that validates and signs... Regards James Turnbull -- James Turnbull [EMAIL PROTECTED] --- Author of Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/) Hardening Linux (http://www.amazon.com/gp/product/159059/) --- PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x0C42DF40) signature.asc Description: PGP signature signature.asc Description: OpenPGP digital signature
Re: small problem regarding the File::DirCompare - Perl module
bhan wrote: Hi , My requirement is to compare two given directories.Inorder to achieve this i have used File::DirCompare perl module.And i have written the below program to get the output. Try [EMAIL PROTECTED] Regards James Turnbull -- James Turnbull [EMAIL PROTECTED] --- Author of Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/) Hardening Linux (http://www.amazon.com/gp/product/159059/) --- PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x0C42DF40)
Re: Ready for release
Robert Spier wrote: Perhaps a more formal TODO and/or a call for feature requests. Then place the TODO/requests on a dev plan - with some direction for 0.5 - 1.0? And lets _NOT_ target 1.0. It's just a number. We've got nice organic growth, no reason to ruin it. -R It was an arbitrary release number but I think it greatly helps users if some future direction is given - organic growth is good but vision also helps people to grasp where qpsmtpd is going, if anywhere ( :) ). Regards James Turnbull -- James Turnbull [EMAIL PROTECTED] --- Author of Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/) Hardening Linux (http://www.amazon.com/gp/product/159059/) --- PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x0C42DF40) signature.asc Description: OpenPGP digital signature
Re: Ready for release
Matt Sergeant wrote: I've updated the Changes file now. We should be ready to go. Ask: can you tag 0.33 and we'll do a release? We should put together a plan for the next release so that it's less ad-hoc. Perhaps a more formal TODO and/or a call for feature requests. Then place the TODO/requests on a dev plan - with some direction for 0.5 - 1.0? Not sure what suits you and Ask but I find that helps me... :) Regards James Turnbull -- James Turnbull [EMAIL PROTECTED] --- Author of Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/) Hardening Linux (http://www.amazon.com/gp/product/159059/) --- PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x0C42DF40) signature.asc Description: OpenPGP digital signature
Re: blocking smtp connections based on age of domain?
Meng Weng Wong wrote:
On Jun 5, 2007, at 9:35 AM, m. allan noah wrote:
whois seems really slow, and the 'license' on the data seems to
prohibit it, but has anyone found a way to use that info to block
mails until the domain has been around for awhile?
i guess there must be a DNSBL for that somewhere?
btw, the registrar for these is usually enom.com.
Support Intelligence pubilshes the Day Old Bread RHSBL:
http://support-intelligence.com/dob/
It is in alpha. I would be keen to hear how it does for you.
I use it with SpamAssassin and I find it quite successful.
Below is the relevant section from my local.cf file.
#DOB - from
http://mail-archives.apache.org/mod_mbox/spamassassin-users/200704.mbox/browser
header __RCVD_IN_DOB
eval:check_rbl('dob','dob.sibl.support-intelligence.net.', '255')
describe __RCVD_IN_DOB Received via relay in new domain (Day Old Bread)
tflags __RCVD_IN_DOBnet
score __RCVD_IN_DOB 0
header RCVD_IN_DOB eval:check_rbl_sub('dob','127.0.0.2')
describe RCVD_IN_DOBReceived via relay in new domain (Day Old Bread)
tflags RCVD_IN_DOB net
score RCVD_IN_DOB 1.667
header DNS_FROM_DOB
eval:check_rbl_envfrom('dob','dob.sibl.support-intelligence.net.')
describe DNS_FROM_DOB Sender from new domain (Day Old Bread)
tflags DNS_FROM_DOB net
score DNS_FROM_DOB 1.334
urirhssub URIBL_RHS_DOB dob.sibl.support-intelligence.net A 127.0.0.2
body URIBL_RHS_DOB eval:check_uridnsbl('URIBL_RHS_DOB')
describe URIBL_RHS_DOB Contains an URI of a new domain (Day Old Bread)
tflags URIBL_RHS_DOBnet
score URIBL_RHS_DOB 2.75
Regards
James Turnbull
--
James Turnbull [EMAIL PROTECTED]
---
Author of Pro Nagios 2.0
(http://www.amazon.com/gp/product/1590596099/)
Hardening Linux
(http://www.amazon.com/gp/product/159059/)
---
PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x0C42DF40)
signature.asc
Description: OpenPGP digital signature
Release (Re: How to configure stunnel Ver. 4)
John Peacock wrote: The trunk version of qpsmtpd handles multiple ports (well, the forkserver code does anyway) for a while now, including SMTPS. You can either run trunk (I do and it tastes great!) or wait until the next official release... Give me an 'R'! Give me an 'E'! Give me an 'A'! etc, etc What does that spell? Release! :) Regards James signature.asc Description: OpenPGP digital signature
Re: Apache::Qpsmtpd
Joe Schaefer wrote: It's also a bit dated. At its peak apache.org was pulling in around 2.4 M messages per day, distributed between a primary/secondary mx config. The primary typically carries at least twice the load of the secondary, and is a dual 2.80GHz Xeon dell box equipped with 3GB ram. Typical CPU load was around 1. Disk performance doesn't seem to be a significant factor in how the machine performs, even tho we run spamassassin directly on the mx. Nowadays we only do about 750K / day - yes, spam volume is down by more than 50% at apache. Way to go qpsmtpd! Thanks - I'll update the Wiki with the more detailed information. Is there any more detail that might interest people - qpsmtpd's use at apache.org is an excellent tangible example of how powerful qpsmtpd is? Regards James Turnbull -- James Turnbull [EMAIL PROTECTED] --- Author of Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/) Hardening Linux (http://www.amazon.com/gp/product/159059/) --- PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x0C42DF40) signature.asc Description: OpenPGP digital signature
Re: plugins page links are broken
Ask Bjørn Hansen wrote:
On May 23, 2007, at 9:40 AM, JT Moree wrote:
http://wiki.qpsmtpd.org/plugins
The links to some (most?) plugins from this page are not working. well
more precisely the svn that is linked to is not working. For example,
http://svn.perl.org/viewcvs/qpsmtpd/trunk/plugins/check_badmailfrom
That's odd.
Like this
http://svn.perl.org/viewcvs/qpsmtpd/trunk/plugins/check_badmailfrom?view=markuprev=HEAD
it works ...
Someone has disabled the CheckoutView view option in ViewVC. It needs
to be re-enabled.
SECURITY INFORMATION
ViewVC provides a feature which allows version controlled content to
be served to web browsers just like static web server content. So, if
you have a directory full of interrelated HTML files that is housed in
your version control repository, ViewVC can serve those files as HTML.
You'll see in your web browser what you'd see if the files were part
of your website, with working references to stylesheets and images and
links to other pages.
It is important to realize, however, that as useful as that feature
is, there is some risk security-wise in its use. Essentially, anyone
with commit access to the CVS or Subversion repositories served by
ViewVC has the ability to affect site content. If a discontented or
ignorant user commits malicious HTML to a version controlled file
(perhaps just by way of documenting examples of such), that malicious
HTML is effectively published and live on your ViewVC instance.
Visitors viewing those versioned controlled documents get the
malicious code, too, which might not be what the original author
intended.
If you wish to disable ViewVC's checkout view which implements this
feature, you can do so by editing lib/viewvc.py, and modifying the
function view_checkout() like so, adding the lines indicated:
def view_checkout(request):
raise debug.ViewVCException('Checkout view is disabled',
'403 Forbidden')
path, rev = _orig_path(request)
fp, revision = request.repos.openfile(path, rev)
Regards
James Turnbull
--
James Turnbull [EMAIL PROTECTED]
---
Author of Pro Nagios 2.0
(http://www.amazon.com/gp/product/1590596099/)
Hardening Linux
(http://www.amazon.com/gp/product/159059/)
---
PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x0C42DF40)
signature.asc
Description: OpenPGP digital signature
Re: plugins page links are broken
Ask Bjørn Hansen wrote: On May 23, 2007, at 5:24 PM, James Turnbull wrote: Someone has disabled the CheckoutView view option in ViewVC. It needs to be re-enabled. Easier to just use the raw svn url then: http://svn.perl.org/qpsmtpd/trunk/plugins/check_badmailfrom Can someone update the wiki to use that URL and/or http://svn.perl.org/viewcvs/qpsmtpd/trunk/plugins/check_badmailfrom?view=markuprev=HEAD Updated the page to use the raw svn URL for all plug-ins referenced that way. Regards James Turnbull -- James Turnbull [EMAIL PROTECTED] --- Author of Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/) Hardening Linux (http://www.amazon.com/gp/product/159059/) --- PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x0C42DF40) signature.asc Description: OpenPGP digital signature
Re: issue notifications
Ask Bjørn Hansen wrote: Hi everyone, Should I just make the Google Code issue notifications go to this list? (New ones, changes etc). Or should we make a qpsmtpd-dev list for this stuff? (the cvs-qpsmtpd name is a little dumb anyway...) - ask I think a qpsmtpd-dev group is a good idea - with the commits and the notifications going into it. Regards James Turnbull
Re: New plugin to filter bounces of for mails I did not sent WasFilter bounce mails with forged domains
Werner Fleck wrote: Yes, you're right and I wanted to do this at first. But after reading some time about the plug-in template and the documented namespace standard I still have no clue how to do this. So I decided to post the plugin to the newsgroup instead of doing nothing and keeping it for myself. Added - http://wiki.qpsmtpd.org/plugins:spam:bounce_rcpt_regexp Regards James Turnbull -- James Turnbull [EMAIL PROTECTED] --- Author of Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/) Hardening Linux (http://www.amazon.com/gp/product/159059/) --- PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x0C42DF40)
Re: New plugin to filter bounces of for mails I did not sent Was Filter bounce mails with forged domains
Werner The best place for the plug-in is to add it to the Wiki - http://wiki.qpsmtpd.org/plugins#adding_your_plug-ins_to_the_wiki Regards James Turnbull -- James Turnbull [EMAIL PROTECTED] --- Author of Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/) Hardening Linux (http://www.amazon.com/gp/product/159059/) --- PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x0C42DF40)
New release?
Hi all I've just been reviewing the last bunch of SVN changes. Is it perhaps time for another release? Or is there a TODO list outstanding? Regards James Turnbull signature.asc Description: OpenPGP digital signature
Re: Could someone help me to write a PLUGIN FOR E-MAIL TO SMS!
On Wednesday, 11 April 2007 7:03 pm, Dilshan Perera wrote: The 160 characters will be immediately forwarded to a smsc (sms client) to forward it to the receiver, and then look in to the next 160 characters. The main idea is that not to keep any archive but to forward the requested no. of sms's and discard the mail after forwarding it to his mail box. How is it forwarded? Regards James Turnbull -- James Turnbull [EMAIL PROTECTED]
Re: Rejecting indentified spam / virus mails instead of bouncing
Jorn Argelo wrote: Yes I was aware that qpsmtpd is ment to replace the former SMTP daemon. Unfortunately, this is not possible in my current situation and we have to use it as a postfix content filter. Moving qtsmtpd to the front of the mail flow would mean I have to rebuild quite a lot, which I would prefer not to. Then I wouldn't use qpsmtpd for this - I'd look at something like amavisd-new (http://www.ijs.si/software/amavisd/). Regards James Turnbull -- James Turnbull [EMAIL PROTECTED] --- Author of Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/) Hardening Linux (http://www.amazon.com/gp/product/159059/) --- PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x0C42DF40)
Re: spf
Lucas -LandM- wrote: First of all, congratulations for your software. It´s great. We use it in a large numbers of servers and with different backends: primarly qmail, and exim. We need more information about spf. We configure spf, but we don´t understand the message in the header: Received-SPF: pass (landm.net: local policy) I suppose SPF check the sender domain, not my domain, isn´t it? We want to accept all messages and put more info in the header. Try here first: http://www.openspf.org/ Regards James Turnbull -- James Turnbull [EMAIL PROTECTED] --- Author of Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/) Hardening Linux (http://www.amazon.com/gp/product/159059/) --- PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x0C42DF40)
Re: Using auth_imap ?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 John Peacock wrote: I sent Peter a tarball; I wonder if we could configure SVN::Notify::SnapShot on the repository, so that we are always able to produce a tarball for people. Of course, it would also be good for people to add files to MANIFEST when they add them to the repository... ;-) +1 Regards James Turnbull -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.6 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGBHSQ9hTGvAxC30ARAnN8AJ9+A7jadoEaibmxxXU0cvJk3jk6+ACeOolQ rCEoRPrMUe6YspQzN9S47HQ= =KiIp -END PGP SIGNATURE-
Re: Using auth_imap ?
Peter Eisch wrote: I'm trying to use auth_imap against 0.31. In the hook I'm only getting values passed for $self, $transaction and $mechanism (login). The rest of the values are empty. At what point did Auth get mature or are there any known issues? Peter What auth_imap are you using? The one from the Wiki? Regards James Turnbull -- James Turnbull [EMAIL PROTECTED] --- Author of Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/) Hardening Linux (http://www.amazon.com/gp/product/159059/) --- PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x0C42DF40) signature.asc Description: OpenPGP digital signature
Re: Using auth_imap ?
Peter Eisch wrote: Yes, the one straight off the wiki. I did strip back out the SSL bits (which I'll try to make an option once I get this working) but it is otherwise the wiki plugin. Yes I have been meaning to make that an option but tuits are limited. I don't have any issues using auth_imap with 0.33 so something in 0.31 is obviously different. You could try the previous version of the plug-in - http://wiw.org/~chris/auth_imap. Regards James Turnbull -- James Turnbull [EMAIL PROTECTED] --- Author of Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/) Hardening Linux (http://www.amazon.com/gp/product/159059/) --- PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x0C42DF40) signature.asc Description: OpenPGP digital signature
Re: Dumb plugin question
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Matt Sergeant wrote: Is there a simple rcpt plugin to check against the qmail aliases directory and the qmail virtualdomains file? Um - this has trickled a memory somewhere - perhaps a variation on the check_delivery plug-in (http://www.redhotpenguin.com/check_delivery)? Or there was a post a while ago with a very simple plug-in for checking the alias directory: http://www.nntp.perl.org/group/perl.qpsmtpd/2004/09/msg2063.html Regards James Turnbull - -- James Turnbull [EMAIL PROTECTED] - --- Author of Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/) Hardening Linux (http://www.amazon.com/gp/product/159059/) - --- PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x0C42DF40) -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.6 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFF9O3R9hTGvAxC30ARAiehAKCpWqXbpHNYHGHeuMApzIvYvbvgLgCgzc/V sw6IB+VoGsGsXJBFNriABLM= =p8Rm -END PGP SIGNATURE-
Re: wiki issues inregards to fetching plugins
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 It is a bit of a annoyance for getting something in the distfiles and I would like to avoid it. I have been thinking of just mirroring them on my site till the situation chances. This issue has been around for a while. There is the contrib section of the package that plug-ins can be added to. But how about a Sourceforge project for user-created qpsmtpd plug-ins? I'd be happy to set one up - and grant appropriate SVN access to all who wanted to contribute. I'd also be happy to migrate existing plug-ins from their disparate locations to Sourceforge. I think whatever happens there needs to be some central collection point for plug-ins - rather than the 7-8 locations (including the Wiki) that there are now. Regards James Turnbull - -- James Turnbull [EMAIL PROTECTED] - --- Author of Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/) Hardening Linux (http://www.amazon.com/gp/product/159059/) - --- PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x0C42DF40) -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.6 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFF8zL89hTGvAxC30ARAuMLAKCFxkj7zv7eCmP26T0efhvoGLF1VQCg0han BPuF/Jt3Xj2i8syiCCRW5wo= =RiV+ -END PGP SIGNATURE-
Re: Wherefore patches and plugins
On Fri, 23 Feb 2007 09:44:26 +1100, Gavin Carr [EMAIL PROTECTED] wrote: - what's the current procedure for submitting patches to the core? Discuss and submit via the mailing list, or discuss on list and submit via the bug tracker, or something else? IMHO I think a notice to the list and logging in the code/bug tracker seems like the best idea. - what's the current thinking on gathering third-party plugins? CPAN? The wiki? svn/contrib? I'd still like to see an SVN repo for plug-ins or something similar but until then we've made some changes to the Wiki to make it a little easier to add plug-ins in some order. It's not complete by a long shot but it's partially there. We've also consolidated as many of the external plug-in sites we can find and listed them into the Wiki. If anyone knows of others please feel free to update the Wiki with them. Regards James Turnbull
Re: better relay handling?
On Wed, 21 Feb 2007 08:21:51 +0100, Jens Weibler [EMAIL PROTECTED] wrote: My wish would be: I can configure inside the plugins-config which plugins where used normally and which are used while relaying. +1 on this. Also different plug-in runs for incoming mail on different ports or if AUTH is successful (submission port mail for example). I know there is a Wiki-entry that touches on this but it's a pretty manual and not overly elegant implementation of dual qpsmtpd instances (individually tweaking most plug-ins to do this is also possible but again - not overly elegant). Regards James Turnbull
Re: Feature: add custom notes to received-header
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Isn't TLS shown as Received: ... with ESMTPS, as in the patch which Michael Toren contributed recently after I asked for SMTPA: http://beta.nntp.perl.org/group/perl.qpsmtpd/2007/01/msg6065.html though unfortunately the list archives don't include attachments :-( Did it make it into svn yet ? I confess I've not had time to try the SMTPA bit of it out as I said I would. Will install it later on and check. It made it in - r703 of the 0.3x branch. Regards James Turnbull - -- James Turnbull [EMAIL PROTECTED] - --- Author of Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/) Hardening Linux (http://www.amazon.com/gp/product/159059/) - --- PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x0C42DF40) -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.6 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFFw7pn9hTGvAxC30ARAoV5AJ97enKQd1Sf63u9ZvbTYImolk280ACgwNH+ yfQz4vOvwb8KMIeI2L3GMKQ= =c7CV -END PGP SIGNATURE-
Re: s41t storm
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 I third that. +1 Regards James Turnbull - -- James Turnbull [EMAIL PROTECTED] - --- Author of Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/) Hardening Linux (http://www.amazon.com/gp/product/159059/) - --- PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x0C42DF40) -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.6 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFFw7y09hTGvAxC30ARArLGAKDRlmCpo5GqYQnwdPo0HqVM0fERbwCfbtVg ana7YjBCo9QfF7W2Wq/5jwI= =S8Py -END PGP SIGNATURE-
Re: s41t storm
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Matt Sergeant wrote: The qpsmtpd-async script exists in branches/0.3x, but the Danga::Client stuff does not (that's only in trunk). If I switch lib to trunk/ then I get failures because Qpsmtpd::DSN doesn't exist in trunk (that's only on the 0.3x branch). Did you forget to merges something??? Looks that way. Fixed now - sorry :-) The qpsmtpd-async only allows binding to one port/address unlike forkserver. Might be worth updating it to support the same options (where relevant) as forkserver. Cheers James Turnbull - -- James Turnbull [EMAIL PROTECTED] - --- Author of Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/) Hardening Linux (http://www.amazon.com/gp/product/159059/) - --- PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x0C42DF40) -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.6 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFFxByN9hTGvAxC30ARArBVAJ9aipOuVdhrUuPB3JNEA7kKWZuarACfTcaJ m0ONwbZm1Pc45HmM70i1g84= =NTXO -END PGP SIGNATURE-
Re: auth_smtpd plugin without TLS
John Peacock wrote: But when I try to use auth_smtpd plugin, the users connaot get validation because TLS. (I think this is the cause). Where did you get the auth_smtpd plugin from (it's not part of the main distro)? Shouldn't you ask James Turnbull (the author of record on the plugin per the WIKI) first? A quick look at the plugin confirms that it uses Net::SMTP::TLS, so your suspicions are probably justified. Perhaps you can just replace that with Net::SMTP??? That'd be the quickest fix. I had been meaning to update it to only use TLS if configured to but my initial thought (admittedly very brief thought) was that the vast majority of people would use AUTH only in conjunction with TLS. All add this functionality to my rather long TODO list. Regards James -- James Turnbull [EMAIL PROTECTED] --- Author of Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/) Hardening Linux (http://www.amazon.com/gp/product/159059/) --- PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x0C42DF40) signature.asc Description: OpenPGP digital signature
Re: How to get started with qpsmtpd?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Michael Holzt wrote: I have no knowledge about xinetd, but i guess there is a generic way in xinetd to tell it the port. Don't you have any other services in xinetd and can lookup how its done there? 4. Well, xinetd seems to be out of favor anyway, and this link http://wiki.qpsmtpd.org/inetd?DokuWiki=9f8ba8fcd90e3c53f6a715c256a51775do=revisions shows that there used to be an xinetd page in the wiki, but it was moved two weeks ago by jamtur01, and since then it has vanished. The last revision of the page can be seen here: http://wiki.qpsmtpd.org/deploy:inetd?rev=1168341647 See http://wiki.qpsmtpd.org/deploy:start I talks about x(inetd) and links to the patch provided to fix it at 0.32. Linked off the main page start page. Regards James Turnbull - -- James Turnbull [EMAIL PROTECTED] - --- Author of Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/) Hardening Linux (http://www.amazon.com/gp/product/159059/) - --- PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x0C42DF40) -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.6 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFFtkUx9hTGvAxC30ARAl8KAJ4tyb8nmgdu5RONPPEVPmbmHsjRpACgkd07 4xbLSUA6BP0F4uRImw0lPcQ= =tMvD -END PGP SIGNATURE-
xinetd page (Re: How to get started with qpsmtpd?)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 James Turnbull wrote: See http://wiki.qpsmtpd.org/deploy:start I talks about x(inetd) and links to the patch provided to fix it at 0.32. Linked off the main page start page. Sorry should wait for coffee to boil and get consumed before replying: What I meant to add was that the xinetd page got rolled into the deployment options summary - it seemed unnecessary to have a page dedicated to x(inetd) alone - the content of the page was changed to mention Peter's patch. I'll update the http://wiki.qpsmtpd.org/deploy:start page with the results of the current discussion. Regards James Turnbull - -- James Turnbull [EMAIL PROTECTED] - --- Author of Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/) Hardening Linux (http://www.amazon.com/gp/product/159059/) - --- PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x0C42DF40) -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.6 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFFtkt79hTGvAxC30ARAkB8AJ9LApncHNcmLKCqW3UzO22S86HhDwCgkM9G UdMyAIoeiEIAoo7ttetkM9o= =aP5e -END PGP SIGNATURE-
Re: xinetd page (Re: How to get started with qpsmtpd?)
Hans Salvisberg wrote: James Turnbull wrote: What I meant to add was that the xinetd page got rolled into the deployment options summary - it seemed unnecessary to have a page dedicated to x(inetd) alone - the content of the page was changed to mention Peter's patch. I'll update the http://wiki.qpsmtpd.org/deploy:start page with the results of the current discussion. I felt some pieces were missing, that's why I kept digging for the old page. I've added some comments to the page reflecting today's discussions. BTW, in many places there's talk about the RPM, but for the uninitiated it's difficult to find the RPMs -- Peter doesn't even have a link on his home page! As they seem to be considered another somewhat official distribution option, it would be helpful to have a link from http://smtpd.develooper.com/get.html I'll go through the Wiki and link references to the RPM. BTW2, in your very interesting book (I've barely scratched the surface) you advocate obfuscating the MTA banner and version. qpsmtpd's SMTP dialog is pretty cute if not downright frivolous. What's your stand here? Well. My opinion on this varies depending on the MTA. It's a minor advantage to obfuscate the MTA and version but sometimes every edge counts. I wrote a couple of tools several years ago to scan MTAs and return banners and sort by types and versions. The idea being to find vulnerable servers - this is especially true of Sendmail installations. In my experience a lot of attackers use similar methods to 'sweep' up vulnerable hosts. If they can't determine if you're vulnerable they just might pass you by. Of course, if they are specifically targeting you they'll just try every possible attack technique on your ports. Ultimately, it's a minor change and a minor advantage but I felt it was worth covering. I've not done it to my qpsmtpd installations but it's on the list somewhere. :) Regards James Turnbull -- James Turnbull [EMAIL PROTECTED] --- Author of Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/) Hardening Linux (http://www.amazon.com/gp/product/159059/) --- PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x0C42DF40) signature.asc Description: OpenPGP digital signature
Re: Per user configs with the Spamassassin plugin?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Peter J. Holzer wrote: I am quite sure that at the time I noticed it it was documented behaviour (since it obviously did work with spamc despite what I read in the docs I assumed that spamc sent an explicit TELL command, but I didn't check that). I can't find it now in the docs, but I notice that it does work with Spamassassin 3.1.4 on a Debian box, but doesn't with Spamassassin 3.1.3 on a Redhat box. Maybe there's something wrong with the Spamassassin installation on the Redhat box. I've used spamd with Bayes and autolearning on RHEL 3/4 and Fedora Core 4/5/6 since version 3.1.0 of SpamAssassin I think (currently 3.1.4 on RHEL4 and Fedora Core 6) with no issues. I had a poke through the doco and couldn't find mention of any issues. Regards James Turnbull - -- James Turnbull [EMAIL PROTECTED] - --- Author of Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/) Hardening Linux (http://www.amazon.com/gp/product/159059/) - --- PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x0C42DF40) -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.6 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFFqW/P9hTGvAxC30ARAmKNAJ9ubBoI3XzM42+D0cUiPiONUzFelgCdGF7s ohtdJNj8wZ9EOPYCdXBXU6E= =4AeA -END PGP SIGNATURE-
Changes to the Wiki
All I've undertaken some changes to the Wiki: 1. I've migrated the original pages into a new namespace structure, which can be seen at http://wiki.qpsmtpd.org/wiki:naming_std. This isn't complete and needs further work - especially in the installation, deployment and configuration namespaces. Most of the issue there is gaps in the documentation that make the structure incomplete. I will work toward adding some of these missing pieces and I'd welcome help in doing so. I've started with adding some of the Plug-in API documentation from the distribution itself into the Wiki. 2. I've left the plugins page (http://wiki.qpsmtpd.org/plugins) intact and in its current position due to the page's external links. I've checked Google and this (and the start page) seem to be pretty much the only pages referenced in external links. Hence I'll leave it there going forward (unless someone else has other plans for the page) and restructure it to make it more readable and easier to navigate. This will probably involve creating a summary page with links to sub-categories of plug-ins - authentication, logging, anti-spam, etc, etc. This does raise the issue of where plug-ins should live. The situation of some plug-ins on external websites, some in SVN and some in the Wiki would seem to be highly inefficient. 3. I've left the front page largely intact also. I intend (again unless someone else jumps in) to greatly simplify and clean it up the page. With this in mind one of the things I've noticed about 'catchy' projects/wikis is a graphic or symbol of some kind. Does anyone have one for qpsmtpd and/or is interested in creating one? Comments/criticism/gasps of horror naturally most welcome. Regards James Turnbull -- James Turnbull [EMAIL PROTECTED] --- Author of Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/) Hardening Linux (http://www.amazon.com/gp/product/159059/) --- PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x0C42DF40) signature.asc Description: OpenPGP digital signature
Re: Wiki Outage, Upgrade, new Templates, editable Sidebar
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 The backlink problem is still there ... same message. I'll send a proper bug report to the docuwiki guys ... but if I find out how to fix it I'll let you know. I already logged a bug: http://bugs.splitbrain.org/?do=detailsid=1038 Regards James Turnbull - -- James Turnbull [EMAIL PROTECTED] - --- Author of Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/) Hardening Linux (http://www.amazon.com/gp/product/159059/) - --- PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x0C42DF40) -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.6 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFForVU9hTGvAxC30ARAqZPAKCvBCQOKcpsNjpj2n+wEGcIrxWR7ACfbjQe //HAGGabiX63gEpCSalLGkk= =d+4w -END PGP SIGNATURE-
Re: Wiki Outage, Upgrade, new Templates, editable Sidebar
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 James Turnbull wrote: The backlink problem is still there ... same message. I'll send a proper bug report to the docuwiki guys ... but if I find out how to fix it I'll let you know. I already logged a bug: http://bugs.splitbrain.org/?do=detailsid=1038 Blast - sorry - wrong link: http://bugs.splitbrain.org/?do=detailsid=1040 Regards James Turnbull - -- James Turnbull [EMAIL PROTECTED] - --- Author of Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/) Hardening Linux (http://www.amazon.com/gp/product/159059/) - --- PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x0C42DF40) -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.6 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFForYF9hTGvAxC30ARAk6AAJ9uyoDqlEBI0btotThfgUyOdF/feQCghm8J Ob2NqJyhNQpn0R1YdwYvn0I= =fyiR -END PGP SIGNATURE-
Proposed Wiki Namespace structure
All I've given some thought to a proposed Wiki namespace structure. A structure will allow us to better present the Wiki home page and allow structured growth of the documentation. The proposed namespaces are: Namespace: Description: api Pages about the Plug-in API (likely to expand) authPages about authentication configuration Pages about configuration and conf files deployment Pages about deployment types deployment:apache Pages about using qpsmtpd with Apache deployment:forkserver Pages about using qpsmtpd with the forkserver faq FAQ section installationPages about installing qpmstpd plugins Pages about plug-ins plugins:authPages about auth plug-ins plugins:logggingPages about logging plug-ins plugins:queue Pages about queue plug-ins plugins:virus Pages about anti-virus plug-ins resources Pages about additional qpsmtpd resources resources:articles Links to articles and news mentions resources:howtosLinks to howtos resources:plugins Links to other plug-ins wikiDefault wiki help pages users Registered users pages This is an initial cut and will probably expand with input and further review of the current wiki contents. Comment welcomed. Regards James Turnbull -- James Turnbull [EMAIL PROTECTED] --- Author of Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/) Hardening Linux (http://www.amazon.com/gp/product/159059/) --- PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x0C42DF40) signature.asc Description: OpenPGP digital signature
Re: any need for qmail-smtpd after qpsmtpd install?
Charlie Brady wrote: On Fri, 5 Jan 2007, [EMAIL PROTECTED] wrote: Now, i don't have any proof either, but calling /usr/sbin/sendmail is the standard way and this is certainly done by cron. I have qpsmtpd listening on *:25, and i haven't seen any local generated mail going through qpsmtpd. sendmail when used on the command line sends mail via qpsmtpd. I believe that to be a false (i.e. incorrect) statement. I don't know of any sendmail which injects mail into the local queue via SMTP. It's certainly not the case with the sendmail provided by qmail. Neither do I - Postfix for example drops mail from sendmail into the maildrop queue - not into the SMTP daemon. Unless you replaced sendmail with some other mechanism your sendmail binary should deposit mail into your MTA's local mail queue. Regards James Turnbull -- James Turnbull [EMAIL PROTECTED] --- Author of Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/) Hardening Linux (http://www.amazon.com/gp/product/159059/) --- PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x0C42DF40) signature.asc Description: OpenPGP digital signature
Re: any need for qmail-smtpd after qpsmtpd install?
Guy Hulbert wrote: sendmail when used on the command line sends mail via qpsmtpd. That is not what he said. He is referring to sending mail via /usr/sbin/sendmail on the command line but he did not say via port 25. You've snipped the part which he replied to where I was guessing that it might be the case based on my memory of the behaviour of the qmail package I installed ... but there were initially some weird problems due to permissions also. Sorry - he actually said 'sends mail via qpsmtpd' and referred to having qpsmtpd listen on port 25. Since qpsmtpd doesn't have a local mail queue and only listens on a network port then by default the implication is via an SMTP daemon. There *are* clients which use 'sendmail -bs' (for example, this behaviour by pine and some others is documented on cr.yp.to/qmail). There are also examples in mailing lists using 'sendmail -f', which you can find easily via google. Agreed. But it's not typical to see these used for general mail submission. Unless you replaced sendmail with some other mechanism your sendmail binary should deposit mail into your MTA's local mail queue. Yes it should. But your sendmail binary is often a sym-link to something else unless you are running sendmail and unless you check what it really does, you can't be sure. From my brief review the (replacement) binaries provided by the Sendmail, Postfix, Exim, and qmail MTAs all default to local mail queue submission. You have to manually override to get other behaviour. And whilst perhaps sym-linked in a few different places - on Red Hat, SuSE, Mandriva, Gentoo and the two BSD variants I have running - the sendmail binary seems to be designed to mimic default Sendmail configuration/behaviour. Regards James Turnbull -- James Turnbull [EMAIL PROTECTED] --- Author of Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/) Hardening Linux (http://www.amazon.com/gp/product/159059/) --- PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x0C42DF40) signature.asc Description: OpenPGP digital signature
Re: Future of the wiki in 2007?
Michael Holzt wrote: As some of you might or might now know, i'm the holder of the qpsmtpd.org domain and also host the qpsmtpd wiki on wiki.qpsmtpd.org. Now while the wiki still seems to be a good idea, i've noticed that there have been next to no contributions to it lately. This is a bit of a shame, as qpsmtpd lacks good documentation and i hoped the wiki would solve that problem in a collaborating way. I hope to add to the Wiki this year (I've done a little editing on a page or two). I think it's worth keeping. IMHO It needs a bit of re-organisation - which I volunteer to do some of - and I believe someone else also volunteered to do some edits. I think if we can find a better structure for the content it should be more accessible and easier to update/maintain/expand. the page which is easily confused with a real navigation). So if one has better suggestions (i would also like to get rid of the security nightmare also known as php), i would like to hear about it. My preference is TWiki - stable, powerful, extensible and Perl rather than PHP. Regards James Turnbull -- James Turnbull [EMAIL PROTECTED] --- Author of Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/) Hardening Linux (http://www.amazon.com/gp/product/159059/) --- PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x0C42DF40) signature.asc Description: OpenPGP digital signature
Re: Future of the wiki in 2007?
Johan Almqvist wrote: 1) a vBulleting-webboard, and 2) rsync so that all those that want to can have their set of plugins in use (check with the configfile, and only rsync the active ones) shared with the world. I don't feel either of these will be a good replacement for the current wiki. I agree that placing the plugin repository in the wiki wasn't the best idea (I just couldn't think of a better way of doing it at the time). Yes - the plug-ins in the wiki model is a little cumbersome - though sometimes useful if I want to peek at some code. Perhaps a SVN repo and have people submit a simple application to get check-in rights (much like Twiki do with their plug-ins) is an idea? You can link each plug-in in the Wiki to an SVN browser. However even if there was a separate plugin repository and a vBulletin, I'd still want the wiki to direct all the forum (and list) RTFM's to... Agreed. Regards James Turnbull -- James Turnbull [EMAIL PROTECTED] --- Author of Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/) Hardening Linux (http://www.amazon.com/gp/product/159059/) --- PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x0C42DF40) signature.asc Description: OpenPGP digital signature
Re: Future of the wiki in 2007?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Guy Hulbert wrote: I don't think this is inconsistent with what I said. You have now confirmed your decision to not host the wiki if it must be twiki and if that is the case then I am willing to try to pick it up. I will keep your opinions in mind while I evaluate it. At the very least - notwithstanding what Wiki software is chosen - we do need a test environment. Particularly to make any sweeping structure changes. It's always easier to sin in dev/test than potentially mess up the prod instance. :) If we can get a test environment up and running with the existing content I'd be happy to mock up a proposed new structure for comment. Regards James Turnbull - -- James Turnbull [EMAIL PROTECTED] - --- Author of Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/) Hardening Linux (http://www.amazon.com/gp/product/159059/) - --- PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x0C42DF40) -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.6 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFFnWyp9hTGvAxC30ARAuVpAKCxocAZQmGrTS71suchqVTVHw2MJACeI9nc 7RkiebLUNCJk+ziGUnRQ06Y= =7GX7 -END PGP SIGNATURE-
Re: qpsmtpd and DIGEST-MD5
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 John Peacock wrote: Yeah, not having any simple way to test it makes it kind of hard to implement... ;-) My initial testing has been done using swaks with Authen::Digest::MD5. Mostly seems to work. Why? Is there any evidence that CRAM-MD5 is insecure when used for ESMTP AUTH? Just because TBird wants to support DIGEST-MD5, doesn't mean we should leap to supporting it immediately. AFAIK, the following quote from: No evidence it's insecure. It is not so much insecurity as the potential for increased security that has perked my interest. In practice [CRAM-MD5 is] the only allowed and supported SASL-mechanism for ESMTPA without Transport Layer Security (TLS). We'd run it within TLS (as we do CRAM-MD5 now). But if I can also quote the RFC: Also, compared to CRAM-MD5, DIGEST-MD5 prevents chosen plaintext attacks, and permits the use of third party authentication servers, mutual authentication, and optimized reauthentication if a client has recently authenticated to a server. Reading through RFC-2831, it is clear that DIGEST-MD5 has a much more complicated implementation than CRAM-MD5, but it still requires the password be maintained in cleartext on the server side AFAICT. Agreed - hence my email - I started hacking something and then decided to ask before I duplicated what looks to be a painful road. The password is encoded but yes essentially plaintext. The server security doesn't bother me so much - locked down fairly tight. It's the transaction that does. Particularly in our SSO environment where that password might exist for multiple applications of varying risk levels. If it's not feasible (and it looks fairly tricky) and no one else has an interest I'll not devote too many tuits to it. I have plenty of other projects to undertake. But thought I'd ask the question. Regards James Turnbull - -- James Turnbull [EMAIL PROTECTED] - --- Author of Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/) Hardening Linux (http://www.amazon.com/gp/product/159059/) - --- PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x0C42DF40) -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.6 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFFmoZw9hTGvAxC30ARAvdtAJ9G6zQoZLc60uIAOBDPcHmZck6NTACfUOwy ghALa2qfpaXKS2t2q5+3wgs= =g3qf -END PGP SIGNATURE-
Re: qpsmtpd and DIGEST-MD5
John Peacock wrote:
There is an interesting hack in Dovecot that I was thinking of copying
for Qpsmtpd: a pasword scheme definition that includes the local (to
the server) encryption used. For example, {CRYPT}password would mean
that the plaintext password passed in (while TLS was in force) would be
crypt()'d and then compared with what is in the user database (ex.), see
http://wiki.dovecot.org/Authentication
for details.
This allows the plaintext password to be passed from the client inside a
TLS wrapper, and yet be encrypted on disk at all times. This is far
more secure than any of the challenge methods, which require storing the
plaintext password on the server...
Yes - I use Dovecot SASL on a couple of systems with back-end password
databases that contain encrypted password hashes created using dovecotpw.
I use Postfix - Dovecot SASL - Password-file on a mail relay host for
example. In its simplest form the password file looks something like:
james:{HMAC-MD5}6c431bcaeab7basdfgq4534tdfbvsdfgdaa2ba23357c7
But from memory you can also specify additional fields to be retrieved.
It's a good idea for a potential feature - though you do need to also
distribute some way for people to securely hash their passwords.
Regards
James Turnbull
--
James Turnbull [EMAIL PROTECTED]
---
Author of Pro Nagios 2.0
(http://www.amazon.com/gp/product/1590596099/)
Hardening Linux
(http://www.amazon.com/gp/product/159059/)
---
PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x0C42DF40)
signature.asc
Description: OpenPGP digital signature
qpsmtpd and DIGEST-MD5
Hi (and Happy New Year) I had a look at Qpsmtpd::Auth and note DIGEST-MD5 authentication isn't available (I presume because of the tiny number of clients who support it). However, Thunderbird is apparently going to get DIGEST-MD5 authentication working. If they do we'd like to enable it for roving users. So my question - has anyone added DIGEST-MD5 support to qpsmtpd? It looks relatively easy to add another elseif to Auth.pm but I confess the DIGEST-MD5 syntax - is realm used?, qop etc etc has always confused me. Thanks in advance, James Turnbull -- James Turnbull [EMAIL PROTECTED] --- Author of Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/) Hardening Linux (http://www.amazon.com/gp/product/159059/) --- PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x0C42DF40) signature.asc Description: OpenPGP digital signature
Re: DKIM plugin
John Peacock wrote: the Makefile. There are also some Windows-only macros that need replacing. It's a complete bodge, if you ask me. Maybe I'll get something running tomorrow... John I am just contemplating starting work on this again (even have hopes of doing a DKIM signing plug-in also). Did you get any further with this? I lodged a bug with the libdkim people but got no response. Regards James Turnbull -- James Turnbull [EMAIL PROTECTED] --- Author of Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/) Hardening Linux (http://www.amazon.com/gp/product/159059/) --- PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x0C42DF40) signature.asc Description: OpenPGP digital signature
Re: Apache - Qpsmtpd - TLS
Ed McLain wrote: and I get this in the apache error log: TLS failed: Could not create SSL socket: at /home/smtpd/qpsmtpd//plugins/tls line 98. I had similar problems and got an error message in the main Apache error_log of: [Sat Oct 07 09:40:45 2006] [error] Could not create SSL context: Permission denied at /home/smtpd/plugins/tls line 79.\n No idea if it's related and haven't had a chance to debug. Anyone know where Apache creates the SSL context? Regards James Turnbull P.S. Also drop the last / on your PerlSetVar QpsmtpdDir statement - that's what's causing the // in the error line. -- James Turnbull [EMAIL PROTECTED] --- Author of Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/) Hardening Linux (http://www.amazon.com/gp/product/159059/) --- PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x0C42DF40) signature.asc Description: OpenPGP digital signature
Re: Apache - Qpsmtpd - TLS
James Turnbull wrote: I had similar problems and got an error message in the main Apache error_log of: [Sat Oct 07 09:40:45 2006] [error] Could not create SSL context: Permission denied at /home/smtpd/plugins/tls line 79.\n I fixed this issue - SSL debug revealed it was permissions on the keys - which is odd because the keys were owned by the smtpd user that Apache::Qpsmtpd is running as, which also has read permissions to the files. I had to also add group read permissions to get this to work. Not sure why those permissions would be needed. Regards James Turnbull -- James Turnbull [EMAIL PROTECTED] --- Author of Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/) Hardening Linux (http://www.amazon.com/gp/product/159059/) --- PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x0C42DF40) signature.asc Description: OpenPGP digital signature
Re: Pollserver Branches
John Peacock wrote: I think we should bang out a real Makefile.PL/Build.PL (instead of just check this out where you like). I'd rather get what changes have happened in branches/0.3x since March 2006 into production in more places. I also have hopes to get all of the dangling bits that I want to work on (specifically rationalizing ESMTP extensions like AUTH) before we try to go gold on 1.0. Can I also suggest (and I fear I am short more than a few tuits myself so it might only be a suggestion rather than actual help) that one thing the Makefile.PL clears up is the location of the configuration files and the plug-ins. Or that the code is adjusted internally to do so. There doesn't seem to be a consistent approach in the mainline or the plug-ins to finding these locations. This makes packaging qpsmtpd difficult. Regards James Turnbull -- James Turnbull [EMAIL PROTECTED] --- Author of Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/) Hardening Linux (http://www.amazon.com/gp/product/159059/) --- PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x0C42DF40) signature.asc Description: OpenPGP digital signature
Pollserver Branches
Hi Just wondering what the plans were for the pollserver - will the unstable branch be merged into the 0.3x branch (or vice versa)? Regards James Turnbull -- James Turnbull [EMAIL PROTECTED] --- Author of Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/) Hardening Linux (http://www.amazon.com/gp/product/159059/) --- PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x0C42DF40) signature.asc Description: OpenPGP digital signature
DKIM plugin
Hi all, Does anyone know of a DKIM plugin? I found the DomainKeys plugin and am wondering if anyone has developed one for DKIM also? Thanks James Turnbull -- James Turnbull [EMAIL PROTECTED] --- Author of Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/) Hardening Linux (http://www.amazon.com/gp/product/159059/) --- PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x0C42DF40)
Re: DKIM plugin
John Peacock wrote: I was starting to work on one, but I can't get the libdkim distro to compile with a modern GCC (I sent them an e-mail, but never heard back after the initial ACK). It's hard to write a plugin if you cannot generate a suitably signed message. I also have a [natural] bias that I won't spend [that much] time on something that I'm not willing/able to run myself. Yes - just discovered that little compilation problem. I'll raise it with them and see if I get a response. Thanks James Turnbull
