[xmail] Re: Lockdown xMail
-Message d'origine- De: [EMAIL PROTECTED] A: xmail@xmailserver.org Date: 24/04/08 05:21 Objet: [xmail] Re: Lockdown xMail Dear Francis - Effectively, it seems the MailAuth feature does not take into account the 'WhiteList' parameter in the smtp.ipprop.tab file. But should it be the case as the smtp.ipprop.tab Whitelist is supposed to be used to change ip checks ? Davide is the one who suggested the smtp.ipprop.tab option to me as I did not really use this tab before. As programs are more and more complex when adding features, it is frequent to miss/forget some 'old' internal implementations details :) I originally tried adding entries to smtprelay.tab which did not work either. For now, Hal, I think you could use your firewall to block any 'external' attempts to go to you Postini dedicated xmail server ip and ports ;) The problem is that I use xMail as part of my ISP service therefore customers are using xMail as their outbound eMail MTA on Port 25 from all over the place on the net therefore it is not possible to block the port. Even if I could use my firewall to block access; Postini does not have a feature to change the forwarding IP Port for the Relay nor any kind of Authorization that I know of. Can you add another IP to your xmail server ? If so, add it to xmail inbound cmd line parameters, then for this ip add a rule in your firewall to block any traffic except postini server. (If postini is on the same server as xmail, you could add 127.0.0.1 to xmail inbound, then ask postini to send to ip 127.0.0.1. No firewall rules at all needed then.) IMOO another smtp.ipprop.tab parameter like MailAuth=0 should be created (to not change/mix 'ip checks' rules) IMOO I think of this as a Relay function so I think the smtprelay.tab is the place for the information. The docs define the purpose is to allow hosts or networks to use the server as relay. Yes it could be an alternative placement for this parameter for 'relay'. But, adding it also to ipprop could allow to accept specific clients without auth but with relay not allowed. MailAuth=0 in smtp.relay : accept this ip to relay without auth MailAuth=0 in smtp.ipprop : accept this ip without auth for local delivery only So the two implementations could be nice :) Agains the docs say using SmtpConfig-IP makes authentication require[d] to send mail to the server. Please note that by setting this value everything requires authentication, even for sending to local domains, and this is probably not what you want. However, I'm not sure why SmtpConfig-IP is locked down so hard? The problem is not in SmtpConfig-IP rules if you can use specific rules to 'open the door a little', the problem is that actually 'open the door a little' is missing in xmail (some MailAuth=0 in some places) :) (Notice that using some other ip and/or ports, and some firewall rules, you can do the job.) Maybe, another way to think about this is that a parameter needs to be added to SmtpConfig-IP to determine if the smtp.ipprop.tab or smtprelay.tab should override the MailAuth. For example: SmtpConfig-64.74.149.27,25 MailAuth ipprop SmtpConfig-64.74.149.27,25 MailAuth relay IMOO not enough secure, as the flags here will be valid for all the entries in the corresponding files. Using MailAuth=0 in the 'good' places (ipprop and relay) seems to be better. Any further suggestions Francis? I just can't believe that as popular as Postini has become that I'm the first one trying to get xMail integrate with it! Anyone done this before? Seems xmail users prefer alternative solutions :) (and many exist) Personnaly I use xmail with blacklists, then glst filter, then xmail with av filters. Simple to implement, and more than 95% spams and viruses down at first and second stage without 'big' filtering mecanisms/products/gaz machines :) Davide what is our next step? I could really use a patched version of xMail to test. Thanks, Hal Dell ePodWorks.net, Inc. Managing Partner - To unsubscribe from this list: send the line unsubscribe xmail in the body of a message to [EMAIL PROTECTED] For general help: send the line help in the body of a message to [EMAIL PROTECTED]
[xmail] Re: XMailServer 1.25 Memory Footprint
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On= Behalf Of Davide Libenzi Sent: 21 April 2008 21:54 To: xmail@xmailserver.org Subject: [xmail] Re: XMailServer 1.25 Memory Footprint On Mon, 21 Apr 2008, Vinny Wadding wrote: Hi guys, I have just installed XMail 1.25 and am not seeing some odd behaviour from it. It has taken me a while to try and track down what is happening, but here it is from what I can find. The new server is put live and works extremely well.After several hours, I get alerts saying that the system memory is exhausted.The memory footprint of XMail stays consistent at about 85mb - the rest of the system memory is all allocated to Buffers and Cache. There is virtually no swap space used, but a higher than expected load average on the system. I have taken the server offline so there is no traffic running to it. On a reboot the memory is released, but as soon XMail is restarted the Cache and Buffers climb back up and use all the memory again. That would eliminate an external influence on the server, and suggest something that is already on the XMail queue. I wiped all frozen spool from the server and restarted again. Same as above, the server released the memory but as soon as XMail started it started to grab all free memory for Cache and Buffers. This would suggest something that XMail is still trying to process? I trawled the spool queue and found several mails that appeared to be stuck. It would appear that XMail would repeatedly try and process these, it would not as I could see spool files being created and removed as it goes thorough the motions. I have downloaded the spool queues and had a look through them offline, it would appear that the mails that are causing an issue on this server are coming from badly set up domains. I ran these domains through dnsstuff to see how they were set up= .. One of the domains was set up with no MX record and no A records. Even when manually submitting test mail for this domain, it would be accepted and then causes XMail to overreact. The rest of the domains I saw on the spool queue had minor anomalies, but when submitting manual mails via telnet for these domains it did not seem to cause the same reaction as the domain with no zone information. Obviously wiping the spool queue and rebuilding it from the source example resolves the issue and the behaviour returns to normal. Is this a known behaviour or feature in 1.25? Has anyone else seen this happening? Is there any way of being able to stop this behaviour? I don't think so. The eat all the server's memory feature will not come out till 1.26 :) Which OS is that? Why don't you post one of your telnet transactions that are creating problems? Talking about some domains and some emails is a bit vague, since it does not allow anyone to replicate your box results. This is my XMail BTW: VSZ RSS 18676 5184 - Davide Damn, I was hoping I had missed an option in server.tab. ;-) I only mentioned the memory usage above to clarify that I didn't look like = it I was any leak in XMail itself. Obviously, this is a new server and at = the moment only test traffic is running though it before it goes fully live= .. When that happens the memory usage will, no doubt, go up accordingly. The server it is running on is a Fedora8 X64 Server, with 4gb of memory. I= have two perl filters running. A pre-smtp spf filter and an inbound/outb= ound virus scan. The telnet sessions to the server were just standard ones - no errors were = reported at all. The address I was seeing mails coming from and even when I submitted them d= irectly were: [EMAIL PROTECTED] The mails were being sent to an account that does not exist on my server, s= o would the process of trying to send the NDR have caused a loop given that= their dns seemed to be corrupt at the time? I have checked the domain again and it looks like they have fixed what ever= issues there were having. I have the reports from DNSstuff, I can send them direct to people or send = to the list (not sure if I can mass mail attachments to people) if people a= re interested in the errors from their domain. I didn't mention the emails or domains specifically before, as it seemed ba= d etiquette to just post it onto a forum and saying I was getting bad mails= from them. Registered in England and Wales. Registration Number: 3472519. Registered Office: 1 The Green, Richmond, Surrey, TW9 1PL, United Kingdom This e-mail and any attachment may contain confidential and privileged mate= rial intended for the addressee only. If you are not the addressee, you are= notified that no part of the e-mail or any attachment may be disclosed, co= pied or distributed, and that any other action related to this e-mail or at= tachment is strictly prohibited, and may be unlawful. If you have received this e-mail by error, please notify the sender immedia= tely by return
[xmail] Re: multiple smtprelay servers for custdomains and 5xx er rors
On Tue, 22 Apr 2008, CLEMENT Francis wrote: Seems there was some post about this. The BIG figure is when the final domain have multiple mx servers. Suppose the final domain have two mx and one is misconfigured and return a 5xx. So if xmail tries first the 'bad' server, what to do next ? On a atomic try/retry cycle, you have two choices : 1 - don't try others mx and send back an NDR to the sender 2 - Try the others reminding MX for this try/retry cycle, and send back an NDR ONLY AND ONLY IF all mx return a 5xx, else schedule a normal retry cycle (that will retry on each mx). I think option 2 is better :) Could Davide tell us how xmail handles the 5xx with multiple mx ? As far as smtprelay goes, a failure (of whatever type), means try the next server in the list. - Davide - To unsubscribe from this list: send the line unsubscribe xmail in the body of a message to [EMAIL PROTECTED] For general help: send the line help in the body of a message to [EMAIL PROTECTED]
[xmail] Re: Lockdown xMail
On Tue, 22 Apr 2008, Hal Dell wrote: Dear Clement Francis / Davide - First at all xmail doc for smtp.ipprop.tab syntax says : Address selection mask are formed by an IP address (network) plus the number of valid bits inside the network mask [...snip...] 96.227.65.4/32WhiteList=1 Yes, I was wondering if the parser would just assume that without the slash it figure out that was were referencing a single node. Well, I made the above change and it still does NOT work; in other words I still get the 551 Server use forbidden error message. OK, I lied to you. Actually, I forgot about mailauth no being clear by ipprop. Note for self: Add an smtp.iprop.tab option to release the MailAuth constraint. - Davide - To unsubscribe from this list: send the line unsubscribe xmail in the body of a message to [EMAIL PROTECTED] For general help: send the line help in the body of a message to [EMAIL PROTECTED]
[xmail] Re: XMailServer 1.25 Memory Footprint
On Thu, 24 Apr 2008, Vinny Wadding wrote: Damn, I was hoping I had missed an option in server.tab. ;-) I only mentioned the memory usage above to clarify that I didn't look like = it I was any leak in XMail itself. Obviously, this is a new server and at = the moment only test traffic is running though it before it goes fully live= .. When that happens the memory usage will, no doubt, go up accordingly. The server it is running on is a Fedora8 X64 Server, with 4gb of memory. I= have two perl filters running. A pre-smtp spf filter and an inbound/outb= ound virus scan. I assume you did verify that it was actually XMail using the memory, and not the filters (especially the AV one)? - Davide - To unsubscribe from this list: send the line unsubscribe xmail in the body of a message to [EMAIL PROTECTED] For general help: send the line help in the body of a message to [EMAIL PROTECTED]
[xmail] Re: Lockdown xMail
Dear Davide - OK, I lied to you. Actually, I forgot about mailauth no being clear by ipprop. Note for self: Add an smtp.iprop.tab option to release the MailAuth constraint. Thanks for getting to the bottom of this. Any chance I could get a test binary for Windows that I could use to make sure everything works. Otherwise, it could be a long wait for my customers who need spam filtering from postini yesterday because they are getting burried in SPAM. Any assistance would be appriectiated before the next release. Thanks, Hal Dell Managing Partner ePodWorks.net, Inc. - To unsubscribe from this list: send the line unsubscribe xmail in the body of a message to [EMAIL PROTECTED] For general help: send the line help in the body of a message to [EMAIL PROTECTED]
[xmail] Re: XMailServer 1.25 Memory Footprint
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On= Behalf Of Davide Libenzi Sent: 24 April 2008 16:20 To: xmail@xmailserver.org Subject: [xmail] Re: XMailServer 1.25 Memory Footprint On Thu, 24 Apr 2008, Vinny Wadding wrote: Damn, I was hoping I had missed an option in server.tab. ;-) I only mentioned the memory usage above to clarify that I didn't look lik= e =3D it I was any leak in XMail itself. Obviously, this is a new server and a= t =3D the moment only test traffic is running though it before it goes fully li= ve=3D .. When that happens the memory usage will, no doubt, go up accordingly. The server it is running on is a Fedora8 X64 Server, with 4gb of memory. = I=3D have two perl filters running. A pre-smtp spf filter and an inbound/ou= tb=3D ound virus scan. I assume you did verify that it was actually XMail using the memory, and not the filters (especially the AV one)? - Davide - Absolutely... It seemed to make no difference if the filters were running o= r not. I tried it both ways around. Results were the same when submittin= g mails for that domain - the buffers/cache would immediately start increas= ing where as the memory that xmail was using did not significantly change. It ok when submitting mails for any other domain. Which is why I suspected= it might be something to do with this domains setup at the time. *shrugs* It was the only thing that seemed to make sense. Registered in England and Wales. Registration Number: 3472519. Registered Office: 1 The Green, Richmond, Surrey, TW9 1PL, United Kingdom This e-mail and any attachment may contain confidential and privileged mate= rial intended for the addressee only. If you are not the addressee, you are= notified that no part of the e-mail or any attachment may be disclosed, co= pied or distributed, and that any other action related to this e-mail or at= tachment is strictly prohibited, and may be unlawful. If you have received this e-mail by error, please notify the sender immedia= tely by return e-mail, and delete this message. QSoft Consulting Ltd., its = subsidiaries and/or its employees shall not be liable for the incorrect or = incomplete transmission of this e-mail or any attachments, or responsible f= or any delay in receipt. Any opinions expressed in this message are those o= f the author only and do not necessarily represent the views of QSoft Consu= lting Ltd. - To unsubscribe from this list: send the line unsubscribe xmail in the body of a message to [EMAIL PROTECTED] For general help: send the line help in the body of a message to [EMAIL PROTECTED]
[xmail] Re: Lockdown xMail
If you need a quick temporary solution to your spam problems you should look into putting an Untangle server ( www.untangle.com ) in transparent mode between your mail server and the outside world. It's free and can be set to block most spam. Transparent mode is just as it sounds, you don't have to give it the IP address of your server and change your servers IP address and do relaying. It does get an IP address, but it's unrelated to your server and is just for management of the Untangle box and quarantine access if you use that feature. It does use a combination of black lists and spam signatures, so if any of your customers are connecting from black listed IP address that could be a problem unless you want to whitelist any problem addresses. Bill -- From: Hal Dell[SMTP:[EMAIL PROTECTED] Dear Davide - OK, I lied to you. Actually, I forgot about mailauth no being clear by ipprop. Note for self: Add an smtp.iprop.tab option to release the MailAuth constraint. Thanks for getting to the bottom of this. Any chance I could get a test binary for Windows that I could use to make sure everything works. Otherwise, it could be a long wait for my customers who need spam filtering from postini yesterday because they are getting burried in SPAM. Any assistance would be appriectiated before the next release. Thanks, Hal Dell Managing Partner ePodWorks.net, Inc. - To unsubscribe from this list: send the line unsubscribe xmail in the body of a message to [EMAIL PROTECTED] For general help: send the line help in the body of a message to [EMAIL PROTECTED] - To unsubscribe from this list: send the line unsubscribe xmail in the body of a message to [EMAIL PROTECTED] For general help: send the line help in the body of a message to [EMAIL PROTECTED]
[xmail] Re: multiple smtprelay servers for custdomains and 5xx er rors
On Tue, 22 Apr 2008, CLEMENT Francis wrote: Seems there was some post about this. The BIG figure is when the final domain have multiple mx servers. Suppose the final domain have two mx and one is misconfigured and return a 5xx. So if xmail tries first the 'bad' server, what to do next ? On a atomic try/retry cycle, you have two choices : 1 - don't try others mx and send back an NDR to the sender 2 - Try the others reminding MX for this try/retry cycle, and send back an NDR ONLY AND ONLY IF all mx return a 5xx, else schedule a normal retry cycle (that will retry on each mx). I think option 2 is better :) Could Davide tell us how xmail handles the 5xx with multiple mx ? As far as smtprelay goes, a failure (of whatever type), means try the next server in the list. That's why I wrote a mail, because it makes no sense to continue in the case of a permanent error. Is there a way to configure XMail with multiple domains and stop when you get a permanent error? - To unsubscribe from this list: send the line unsubscribe xmail in the body of a message to [EMAIL PROTECTED] For general help: send the line help in the body of a message to [EMAIL PROTECTED]
[xmail] Re: XMailServer 1.25 Memory Footprint
On 24 Apr 2008 at 14:46, Vinny Wadding wrote: Damn, I was hoping I had missed an option in server.tab. ;-) I only mentioned the memory usage above to clarify that I didn't look like = it I was any leak in XMail itself. Obviously, this is a new server and at = the moment only test traffic is running though it before it goes fully live= .. When that happens the memory usage will, no doubt, go up accordingly. The server it is running on is a Fedora8 X64 Server, with 4gb of memory. I= have two perl filters running. A pre-smtp spf filter and an inbound/outb= ound virus scan. The telnet sessions to the server were just standard ones - no errors were = reported at all. Only a home user but several domains and host for a few friends. I've had issues indirectly from XMail and filters eating up memory but in first case it was too many instances of perl and most recently my AV filter causing load by false alarming on a particular message then due to same problem catching each warning email sent. First problem was resolved by limiting number of scripts running at same time to just two (above four caused a rapidly increasing load to 100%cpu when my batch of a dozen test emails hit the server). Second problem back in January wasn't investigated and I disabled AV scan, cleaned out the 30k+ emails in the queue and forgot about it. Later I cloned then reconfigured same setup onto another server but for another domain and had exact same problem when AV enabled. After clearing spool and update of AV the problem hasn't reappeared on either system. It may have been a corrupted AV update in first place. Another possibility is a race when scanning and AV update coincide so I modified both update and filter to minimise this (my perl skill is not good enough to eliminate rather than minimise). David - To unsubscribe from this list: send the line unsubscribe xmail in the body of a message to [EMAIL PROTECTED] For general help: send the line help in the body of a message to [EMAIL PROTECTED]
[xmail] Re: Lockdown xMail
Another possibility, as I said, is to use : - xmail CustMapList (I use spamhaust.org very good) - Davide glst for xmail (excluding auth users with eax setting in smtp-in filter) - some av filter for xmail With this solution, you stop more than 90% spams/viruses (for me it's actually more than 99% !) without complex setup, and all handled by xmail. Francis -Message d'origine- De: [EMAIL PROTECTED] A: 'xmail@xmailserver.org' Date: 24/04/08 18:07 Objet: [xmail] Re: Lockdown xMail If you need a quick temporary solution to your spam problems you should look into putting an Untangle server ( www.untangle.com ) in transparent mode between your mail server and the outside world. It's free and can be set to block most spam. Transparent mode is just as it sounds, you don't have to give it the IP address of your server and change your servers IP address and do relaying. It does get an IP address, but it's unrelated to your server and is just for management of the Untangle box and quarantine access if you use that feature. It does use a combination of black lists and spam signatures, so if any of your customers are connecting from black listed IP address that could be a problem unless you want to whitelist any problem addresses. Bill -- From: Hal Dell[SMTP:[EMAIL PROTECTED] Dear Davide - OK, I lied to you. Actually, I forgot about mailauth no being clear by ipprop. Note for self: Add an smtp.iprop.tab option to release the MailAuth constraint. Thanks for getting to the bottom of this. Any chance I could get a test binary for Windows that I could use to make sure everything works. Otherwise, it could be a long wait for my customers who need spam filtering from postini yesterday because they are getting burried in SPAM. Any assistance would be appriectiated before the next release. Thanks, Hal Dell Managing Partner ePodWorks.net, Inc. - To unsubscribe from this list: send the line unsubscribe xmail in the body of a message to [EMAIL PROTECTED] For general help: send the line help in the body of a message to [EMAIL PROTECTED] - To unsubscribe from this list: send the line unsubscribe xmail in the body of a message to [EMAIL PROTECTED] For general help: send the line help in the body of a message to [EMAIL PROTECTED] - To unsubscribe from this list: send the line unsubscribe xmail in the body of a message to [EMAIL PROTECTED] For general help: send the line help in the body of a message to [EMAIL PROTECTED]
[xmail] Re: Lockdown xMail
Cool :) Thanks Davide ! Francis -Message d'origine- De: [EMAIL PROTECTED] A: xmail@xmailserver.org Date: 24/04/08 17:17 Objet: [xmail] Re: Lockdown xMail On Tue, 22 Apr 2008, Hal Dell wrote: Dear Clement Francis / Davide - First at all xmail doc for smtp.ipprop.tab syntax says : Address selection mask are formed by an IP address (network) plus the number of valid bits inside the network mask [...snip...] 96.227.65.4/32WhiteList=1 Yes, I was wondering if the parser would just assume that without the slash it figure out that was were referencing a single node. Well, I made the above change and it still does NOT work; in other words I still get the 551 Server use forbidden error message. OK, I lied to you. Actually, I forgot about mailauth no being clear by ipprop. Note for self: Add an smtp.iprop.tab option to release the MailAuth constraint. - Davide - To unsubscribe from this list: send the line unsubscribe xmail in the body of a message to [EMAIL PROTECTED] For general help: send the line help in the body of a message to [EMAIL PROTECTED]
[xmail] Re: multiple smtprelay servers for custdomains and 5x x er rors
-Message d'origine- De: [EMAIL PROTECTED] A: 'xmail@xmailserver.org' Date: 24/04/08 17:04 Objet: [xmail] Re: multiple smtprelay servers for custdomains and 5xx er rors On Tue, 22 Apr 2008, CLEMENT Francis wrote: Seems there was some post about this. The BIG figure is when the final domain have multiple mx servers. Suppose the final domain have two mx and one is misconfigured and return a 5xx. So if xmail tries first the 'bad' server, what to do next ? On a atomic try/retry cycle, you have two choices : 1 - don't try others mx and send back an NDR to the sender 2 - Try the others reminding MX for this try/retry cycle, and send back an NDR ONLY AND ONLY IF all mx return a 5xx, else schedule a normal retry cycle (that will retry on each mx). I think option 2 is better :) Could Davide tell us how xmail handles the 5xx with multiple mx ? As far as smtprelay goes, a failure (of whatever type), means try the next server in the list. - Davide Ok, but what does xmail when all the servers in the smtprelay list return a 5xx code ? Retry later ? Same think 'retry later' when, in normal delivery (no smtprelay use) all the mx servers for the destination domain return a 5xx errors ? If yes, 'retry later', IMOO, it's not the good action to take as all reject with a fatal error. So, as xmail works now, if all return a 5xx, xmail will wait until all retries are done on all relays/mx before sending a ndr ? IMOO, in theses cases (all smtpgateways/mx return a 5xx) xmail should stop processing the mail and return an ndr to the sender. No ? (I will read rfc 2821 again to try to find the options availables on 5xx and multiple relays/mx cases in an unique retry cycle) Francis - To unsubscribe from this list: send the line unsubscribe xmail in the body of a message to [EMAIL PROTECTED] For general help: send the line help in the body of a message to [EMAIL PROTECTED] - To unsubscribe from this list: send the line unsubscribe xmail in the body of a message to [EMAIL PROTECTED] For general help: send the line help in the body of a message to [EMAIL PROTECTED]
[xmail] Re: multiple smtprelay servers for custdomains and 5x x er rors
After re-read rfc2821 I find this : 4.2.5 Reply Codes After DATA and the Subsequent CRLF.CRLF snip to last paragraph When an SMTP server returns a permanent error status (5yz) code after the DATA command is completely with CRLF.CRLF, it MUST NOT make any subsequent attempt to deliver the message. As with temporary error status codes, the SMTP client retains responsibility for the message, but SHOULD not again attempt delivery to the same server without user review and intervention of the message. It seems that the smtp client (xmail here when sending to smtp gateways or mx servers), when receiving a 5xx code SHOULD NOT again attempt to the same server. So Davide is right, xmail can try the other gateways/mx available in the list. But with the possible case (Oliver case here) that all the gateways/mxs return a 5xx error the smtp client have no more options to send the mail (because it SHOULD not again attempt delivery to the same server). So the smtp client (xmail here) have to send an ndr to ask/alert the sender what to do next (to comply with without user review and intervention of the message) :) Francis - To unsubscribe from this list: send the line unsubscribe xmail in the body of a message to [EMAIL PROTECTED] For general help: send the line help in the body of a message to [EMAIL PROTECTED]
[xmail] Re: Lockdown xMail
xmail CustMapList (I use spamhaust.org very good) Davide glst for xmail (excluding auth users with eax setting in smtp-in filter) some av filter for xmail I used spamhaus.org at my Firewall and filter out 8-10K eMails per hour during the day and the SPAM keeps coming. Greylisting is not working as well as it used to... Verizon, Hotmail and Yahoo Mail seem to not re-send correctly when Graylisting is ON. I previously posted about this Finally, my Firewall eliminates all of if not most of the Virus and such... The right solution is to simply get xMail to work with Postini. Thanks, Hal Dell Managing Partner ePodWorks.net, Inc. - To unsubscribe from this list: send the line unsubscribe xmail in the body of a message to [EMAIL PROTECTED] For general help: send the line help in the body of a message to [EMAIL PROTECTED]
