https://bugs.contribs.org/show_bug.cgi?id=10091
--- Comment #6 from Jean-Philippe Pialasse <[email protected]> ---
(In reply to Daniel B. from comment #5)
> (In reply to Jean-Philippe Pialasse from comment #2)
> > so what I plan to do :
> > 1-change to whitelist plugin
>
> Makes sense if they are almost the same, as whitelist is the upstream one.
>
> >
> > 2- patch lib/Qpsmtpd/Plugin.pm is_immune to add the other whitelist not
> > already used...
> > -- whitelisthelo (will not be done upstream :
> > https://github.com/smtpd/qpsmtpd/issues/226) alternatively we could drop the
> > helo whitelisting.
>
> I'd be in favor of not adding this. Is anyone really using helo whitelisting?
we had this integrated in former dns plugin with a patch.
John is, at least, using it, and I
>
> > -- whitelistsenders
>
> I don't understand. The existing is_immune function already checks for the
> whitelistsender transaction note, which should be added by the whitelist
> plugin. If this is not working, it must be investigated, but I see no reason
> to patch qpsmtpd yet.
this might not be working because of the karma not set with old plugin or just
because the transaction is rejected before getting there, I will test it again
today
>
> >
> > 3- see what happens, then check if we really need to:
> > 4- patch karma, earlytalker resolvable_fromhost (alternative system exist),
> > naughty and badmailfrom with a is_immune() in rcpt and mail stages. only if
> > previous step was not enough
>
> karma already checks is_immune in connect and data stages.
but not at rcpt and mail stage see my calc sheet
>
> earlytalker already checks is_immune in connect and data stages too.
but not at mail stage! This means that if it was not immune at the first step,
it will have put a tag and will log and deny the mail even if the sender is
whitelisted (at connect helo sender is not available, at data this is too late)!!
>
> resolvable_fromhost already checks is_immune at the mail stage (the only
> stage hooked)
my bad, I missed this one.
>
> naughty is not checking is_immune. But this is because naughty is
> particular. It's not doing any check by itself, it's just a helper to defer
> rejection at a later stage. All the plugins which are setting the naughty
> transaction note already honor is_immune I think, so it shouldn't be a
> problem
ok with that
>
> badmailfrom already checks is_immune at the mail stage (the only stage
> hooked)
indeed, missed this one too.
>
> So, to me, it looks like this bug is only about:
>
> - Sender whitelisting not working, for some reason. We need to investigate
> as from a quick look at the code, it should be supported
it is not working because mail is rejected before getting there. also because
>
> - Helo whitelisting not working. I'm not sure if we really need this. It's
> potentially dangerous, as very easy to impersonate. If someone uses helo
> whitelisting, please manifest yourself to prove I'm wrong ;-)
this was present before, the reason to keep it is that currently whitelisthost
only accepts IP. Most hosts you will find as blacklisted either have a dynamic IP
or have multiple SMTP servers. So whitelisting an IP is useless.
as to paraphrase an intervention on the qpsmtpd bug tracker: yes it could be,
but you could too for senders, and still it is there. Also to impersonate the
few servers you have in your whitelist is a very hard guess, and means you are a
precise target.
if you find it not useful for you, just avoid using it, anyway it will need
this contrib to enable it, but needs the core to be updated to work.