https://bugs.contribs.org/show_bug.cgi?id=10091

--- Comment #8 from Daniel B. <[email protected]> ---
(In reply to Jean-Philippe Pialasse from comment #6)
> > > helo whitelisting.
> > 
> > I'd be in favor of not adding this. Is anyone really using helo whitelisting
> > ?
> we had this integrated in former dns plugin with a patch.
> John is, at least, using it, and I


Ok. It seems a bit dangerous to me to use it, but it's a trivial patch in
qpsmtpd (just check the whitelisthelo transaction note in is_immune), and as
long as the default conf is empty, it won't have any effect, so, OK for this
part.


> > 
> > > -- whitelistsenders
> > 
> > I don't understand. The existing is_immune function already checks for the
> > whitelistsender transaction note, which should be added by the whitelist
> > plugin. If this is not working, it must be investigated, but I see no reason
> > to patch qpsmtpd yet.
> 
> this might not be working because of the karma not set with old plugin or just
> because the transaction is rejected before getting there, I will test it again
> today


karma shouldn't be involved here. The naughty plugin is. See below

> 
> 
> 
> > 
> > > 
> > > 3- see what happens, then check if we really need to:
> > > 4- patch karma, earlytalker resolvable_fromhost (alternative system
> > > exists), naughty and badmailfrom with an is_immune() in rcpt and mail
> > > stages. only if previous step was not enough
> > 
> > karma already checks is_immune in connect and data stages.
> but not at rcpt and mail stage see my calc sheet

But, as karma doesn't hook at the rcpt stage, it doesn't need to check for
immunity ;-)

> > 
> > earlytalker already checks is_immune in connect and data stages too.
> 
> but not at mail stage! This means that if it was not immune at the first
> step, it will have put a tag and will log and deny the mail even if the
> sender is whitelisted (at connect helo sender is not available, at data this
> is too late)!!


Ok, I understand the issue now. We can add an immunity check in earlytalker at
the mail stage (even if I doubt it'll be used, earlytalker should really only
trigger on real spammers)


> > 
> > So, to me, it looks like this bug is only about:
> > 
> > - Sender whitelisting not working, for some reason. We need to investigate
> > as from a quick look at the code, it should be supported
> 
> it is not working because mail is rejected before getting there.


Ok, after reading again your log, I get it. The problem exists because we use
the naughty plugin. The easiest fix is to check for immunity in the naughty
plugin, so, a simple

return DECLINED if $self->is_immune;

in /usr/share/qpsmtpd/plugins/naughty in the naughty function should fix it.

> 
> > 
> > - Helo whitelisting not working. I'm not sure if we really need this. It's
> > potentially dangerous, as very easy to impersonate. If someone uses helo
> > whitelisting, please manifest yourself to prove I'm wrong ;-)
> 
> this was present before, the reason to keep it is that currently
> whitelisthost only accepts IP. Most hosts you will find as blacklisted either
> have dynamic IP or have multiple smtp servers. So whitelisting an IP
> is useless.

IP whitelisting is not always possible, but you can also whitelist based on
sender. Helo whitelisting would only be useful when all of this is true

- Remote server would get denied by one plugin if not whitelisted (dnsbl etc.)
- Remote server is using one or several dynamic IPs
- You don't know in advance which sender domain will be used

The last point is my main concern: if you don't know the sending domain, it
seems a bit scary to whitelist the server. If you know the sending domains, you
can whitelist by using a sender regex. 

But again, if it's useful to some, we can add it, it's a simple patch, and as
long as it's not enabled by default, I'm OK with that.
