On 2013-12-11 Wed 14:40 PM, Bob Beck wrote:
> If a user wants this they are free to add the IP address to alloweddomains.
> 
> Most users have absolutely no desire to accept mail directed to an IP
> address, so I don't believe this is a serious issue, other than allowing
> in spam addressed to the IP address. Users of the alloweddomains file
> want explicitly only mail addressed to whatever's in there.
> 
> I will also take the opportunity to remind you that spamd is *not* a
> mail server. It's a layer 7 deep packet inspection device for SMTP.
> :)
> 

....which can be easily inadvertently configured to trap legitimate
abuse reports from ever reaching the mail server.

It's possible that many alloweddomains users are unaware of the RFC
requirement, so would not think to add their IPs.

Maybe this could be limited to greylist a few configurable addresses,
trapping unlisted junk.


> On Wed, Dec 11, 2013 at 12:14 PM,  <[email protected]> wrote:
> >>Synopsis:      spamd traps mail to postmaster@[i.p.a.dress] when ip is not 
> >>listed in spamd.alloweddomains. RFC 1123/2142/2821 violation
> >>Category:      user
> >>Environment:
> >         System      : OpenBSD 5.4
> >         Details     : OpenBSD 5.4 (GENERIC) #37: Tue Jul 30 12:05:01 MDT 
> > 2013
> >                          
> > [email protected]:/usr/src/sys/arch/i386/compile/GENERIC
> >
> >         Architecture: OpenBSD.i386
> >         Machine     : i386
> >>Description:
> >
> > RFC 1123/2142/2821 violation
> >
> > Mail servers are required to accept mail for postmaster@[i.p.a.dress], 
> > possibly also abuse@[i.p.a.dress], maybe hostmaster@ webmaster@, usenet@, 
> > ftp@, etc, etc.
> >
> > spamd does this, EXCEPT when used with spamd.alloweddomains, AND the host's 
> > ip addresses are not explicitly added to that file. (See the 
> > 'How-To-Repeat' and 'Fix' sections below.)
> >
> > Ideally, when spamd is using alloweddomains, also automatically add all ip 
> > addresses on which it is listening.
> >
> >
> >
> > *RFC 1123*
> >
> > Section 5.4
> > "Support "postmaster" | MUST"
> > "Accept and recognize self domain literal(s) | MUST"
> >
> > Section 5.2.7
> > "A host that supports a receiver-SMTP MUST support the reserved mailbox 
> > "Postmaster"."
> >
> > Section 5.2.17
> > "An SMTP MUST accept and recognize a domain literal for any of its own IP 
> > addresses."
> >
> >
> > *RFC 2142*
> >
> > Section 1.  RATIONALE AND SCOPE
> >
> > "..requires the presence of a <POSTMASTER@domain> mailbox name on all hosts 
> > that have an SMTP server."
> >
> > Section 2.  INVARIANTS
> >
> > "For example, if an Internet service provider's domain name is COMPANY.COM, 
> > then the <[email protected]> address must be valid and supported"
> >
> > Section 4.  NETWORK OPERATIONS MAILBOX NAMES
> >
> > ABUSE@, NOC@, SECURITY@,
> >
> > Section 5.  SUPPORT MAILBOX NAMES FOR SPECIFIC INTERNET SERVICES
> >
> > POSTMASTER@, HOSTMASTER@, USENET@, NEWS@, WEBMASTER@, WWW@, UUCP@, FTP@
> >
> >
> >
> > *RFC 2821*
> >
> > Section 3.6 Domains
> >
> > "The reserved mailbox name "postmaster" may be used in a RCPT command 
> > without domain qualification (see section 4.1.1.3) and MUST be accepted if 
> > so used."
> >
> > Section 4.5.1 Minimum Implementation
> >
> > "Any system that includes an SMTP server supporting mail relaying or 
> > delivery MUST support the reserved mailbox "postmaster" as a 
> > case-insensitive local name..... SMTP systems are expected to make every 
> > reasonable effort to accept mail directed to Postmaster from any other 
> > system on the Internet."
> >
> >
> >>How-To-Repeat:
> >
> > $ hostname
> > palm.britvault.co.uk
> > $ sudo /etc/rc.d/spamd stop
> > $ sudo mv /var/db/spamd /var/db/spamd~
> > $ egrep -v '^$|^#' spamd.alloweddomains
> > britvault.co.uk
> > @hope-church-falkirk.org.uk
> > @kepax.co.uk
> > $ sudo /etc/rc.d/spamd start
> > spamd(ok)
> > Dec 11 17:51:38 palm spamd[32752]: listening for incoming connections.
> > Dec 11 17:51:38 palm spamd[12277]: got suffix britvault.co.uk
> > Dec 11 17:51:38 palm spamd[12277]: got suffix @hope-church-falkirk.org.uk
> > Dec 11 17:51:38 palm spamd[12277]: got suffix @kepax.co.uk
> >
> > $ hostname
> > oak.britvault.co.uk
> > $ host palm
> > palm.britvault.co.uk has address 78.33.153.147
> > $ echo blah | mail -s blah postmaster@[78.33.153.147]
> >
> > $ hostname
> > palm.britvault.co.uk
> > Dec 11 17:52:59 palm spamd[32752]: 78.33.153.149: connected (1/0)
> > Dec 11 17:53:10 palm spamd[12277]: Trapping 78.33.153.149 for tuple 
> > 78.33.153.149 oak.britvault.co.uk <[email protected]> 
> > <postmaster@[78.33.153.147]>
> > Dec 11 17:53:10 palm spamd[32752]: 78.33.153.149: disconnected after 11 
> > seconds.
> > Dec 11 17:53:10 palm spamd[12277]: new greytrap entry 78.33.153.149 from 
> > <[email protected]> to <postmaster@[78.33.153.147]>, helo 
> > oak.britvault.co.uk
> > $ spamdb
> > TRAPPED|78.33.153.149|1386870790
> >
> >
> >>Fix:
> > Hack: Append all of the machine's ip addresses to spamd.alloweddomains.
> >
> > This does not consider spamd's '-l[isten]' flag
> >
> > Ideally, when spamd is using alloweddomains, also automatically add all ip 
> > addresses on which it is listening.
> >
> > $ hostname
> > palm.britvault.co.uk
> > $ sudo /etc/rc.d/spamd stop
> > $ sudo mv /var/db/spamd /var/db/spamd~~
> > $ ifconfig -A | awk '/inet / { print "@["$2"]" }' >> /etc/mail/spamd.alloweddomains
> > $ sudo /etc/rc.d/spamd start
> > spamd(ok)
> > Dec 11 18:01:23 palm spamd[18637]: listening for incoming connections.
> > Dec 11 18:01:23 palm spamd[2151]: got suffix britvault.co.uk
> > Dec 11 18:01:23 palm spamd[2151]: got suffix @hope-church-falkirk.org.uk
> > Dec 11 18:01:23 palm spamd[2151]: got suffix @kepax.co.uk
> > Dec 11 18:01:23 palm spamd[2151]: got suffix @[127.0.0.1]
> > Dec 11 18:01:23 palm spamd[2151]: got suffix @[78.33.153.147]
> > Dec 11 18:01:23 palm spamd[2151]: got suffix @[192.168.186.5]
> >
> >
> > $ hostname
> > oak.britvault.co.uk
> > $ echo blah | mail -s blah postmaster@[78.33.153.147]
> >
> >
> > $ hostname
> > palm.britvault.co.uk
> > Dec 11 18:03:08 palm spamd[18637]: 78.33.153.149: connected (1/0)
> > Dec 11 18:03:19 palm spamd[2151]: new entry 78.33.153.149 from 
> > <[email protected]> to <postmaster@[78.33.153.147]>, helo 
> > oak.britvault.co.uk
> > Dec 11 18:03:19 palm spamd[18637]: 78.33.153.149: disconnected after 11 
> > seconds.
> >
> > $ spamdb
> > GREY|78.33.153.149|oak.britvault.co.uk|<[email protected]>|<postmaster@[78.33.153.147]>|1386784999|1386957799|1386957799|1|0
> >
> > Dec 11 18:08:26 palm spamd[18637]: 78.33.153.149: connected (1/0)
> > Dec 11 18:08:37 palm spamd[18637]: 78.33.153.149: disconnected after 11 
> > seconds.
> > Dec 11 18:18:26 palm spamd[18637]: 78.33.153.149: connected (1/0)
> > Dec 11 18:18:27 palm spamd[18637]: 78.33.153.149: connected (2/0)
> > Dec 11 18:18:27 palm spamd[18637]: 78.33.153.149: connected (3/0)
> > Dec 11 18:18:27 palm spamd[18637]: 78.33.153.149: connected (4/0)
> > Dec 11 18:18:27 palm spamd[18637]: 78.33.153.149: connected (5/0)
> > Dec 11 18:18:37 palm spamd[18637]: 78.33.153.149: disconnected after 11 
> > seconds.
> > Dec 11 18:18:38 palm last message repeated 4 times
> > Dec 11 18:28:26 palm spamd[18637]: 78.33.153.149: connected (1/0)
> > Dec 11 18:28:37 palm spamd[18637]: 78.33.153.149: disconnected after 11 
> > seconds.
> > Dec 11 18:29:24 palm spamd[19928]: queueing add of 78.33.153.149
> > Dec 11 18:29:24 palm spamd[19928]: whitelisting 78.33.153.149 in 
> > /var/db/spamd
> >
> > $ spamdb
> > WHITE|78.33.153.149|||1386784999|1386786517|1389896964|6|0
> >
> > Dec 11 18:38:27 palm postfix/smtpd[3495]: 3dfn2q2wMzz3tnY: 
> > client=oak.britvault.co.uk[78.33.153.149]
> > Dec 11 18:38:27 palm postfix/cleanup[18201]: 3dfn2q2wMzz3tnY: 
> > message-id=<[email protected]>
> > Dec 11 18:38:27 palm postfix/qmgr[28341]: 3dfn2q2wMzz3tnY: 
> > from=<[email protected]>, size=530, nrcpt=1 (queue active)
> > Dec 11 18:38:28 palm postfix/smtp[23878]: 3dfn2q2wMzz3tnY: 
> > to=<[email protected]>, orig_to=<postmaster@[78.33.153.147]>, 
> > relay=smtp.britvault.co.uk[192.168.186.10]:25, delay=0.93, 
> > delays=0.15/0.12/0.31/0.34, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 
> > 3dfn2r0bNLzBFP)
> > Dec 11 18:38:28 palm postfix/qmgr[28341]: 3dfn2q2wMzz3tnY: removed
> >
> >
> >
> >
> >
> > dmesg:
> > OpenBSD 5.4 (GENERIC) #37: Tue Jul 30 12:05:01 MDT 2013
> >     [email protected]:/usr/src/sys/arch/i386/compile/GENERIC
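
An added example, not part of the thread and not spamd code: a shell audit that lists the `@[ip]` suffixes missing from an alloweddomains file (the form used in the report's fix) and pulls greytrap entries addressed to postmaster@ or abuse@ out of spamd log lines. The function names, file names and sample data are constructed for illustration, and only the exact `@[ip]` line form is checked.

```shell
#!/bin/sh
# Added example, not code from the thread. All sample data is constructed
# (documentation addresses) in the formats the report shows.

# Print each "@[ip]" suffix absent from an alloweddomains file.
# $1: alloweddomains file   $2: saved `ifconfig -A` output
# Assumption: only the exact "@[ip]" line form from the report's fix counts.
missing_literals() {
    awk '/inet / { print "@[" $2 "]" }' "$2" | while read -r lit; do
        grep -v '^#' "$1" | grep -qixF -- "$lit" || printf '%s\n' "$lit"
    done
}

# Print "source-ip recipient" for greytrap entries addressed to a role
# mailbox (postmaster or abuse). $1: file of spamd syslog lines.
trapped_role_mail() {
    sed -n 's/.*new greytrap entry \([^ ]*\) from <[^>]*> to <\([^>]*\)>.*/\1 \2/p' "$1" |
        awk 'tolower($2) ~ /^(postmaster|abuse)@/'
}

# Write constructed sample inputs into directory $1.
write_samples() {
    cat > "$1/alloweddomains" <<'EOF'
# constructed sample
example.org
@[127.0.0.1]
EOF
    cat > "$1/ifconfig.out" <<'EOF'
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33192
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.0.2.25 netmask 0xffffff00 broadcast 192.0.2.255
EOF
    cat > "$1/maillog" <<'EOF'
Dec 11 17:53:10 mx spamd[100]: new greytrap entry 198.51.100.7 from <a@example.net> to <Postmaster@[192.0.2.25]>, helo a.example.net
Dec 11 17:54:02 mx spamd[100]: new greytrap entry 203.0.113.9 from <x@example.com> to <sales@[192.0.2.25]>, helo x.example.com
Dec 11 17:55:40 mx spamd[100]: new entry 198.51.100.8 from <> to <abuse@example.org>, helo b.example.net
EOF
}

d=$(mktemp -d) && write_samples "$d"
missing_literals "$d/alloweddomains" "$d/ifconfig.out"
trapped_role_mail "$d/maillog"
rm -rf "$d"
```

Any source address `trapped_role_mail` prints has been greytrapped for writing to a role mailbox, so it is a candidate for review against the RFC requirements quoted in the report.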
