[courier-users] Looped DSNs when empty sender and broken user's forward

2008-07-03 Thread Paweł Tęcza
Hello Sam,

I would like to ask you about setting SENDER=$FROM in user's mailfilter
file when SENDER variable is empty (please see
maildir_filter_saverules() function in maildir/maildirfilter.c file):

import SENDER
if ($SENDER eq "")
{
 SENDER=$FROM
}

Unfortunately, that maildrop filter code can be dangerous for a mail
server if a user has a broken forward and receives a message from an
empty address.

Recently we had that situation in our mail system. The Courier server
couldn't deliver a message to the user's external account, so it was trying
to deliver a DSN to our user, because the maildrop filter code had set
his internal address as the return address. The DSN message wasn't
delivered either, because the user's forward didn't work, etc., etc. As a
result we had looped DSNs from MAILER-DAEMON...

I noticed it while watching the mail queue peak on our Munin graph.
Fortunately we have strong servers, so it wasn't noticeable for the rest
of our users.

So, my question is: why don't you set SENDER='[EMAIL PROTECTED]'
or SENDER='[EMAIL PROTECTED]' or something similar if SENDER
variable is empty?

In that case, if a user's forward is broken, Courier tries
to deliver a DSN message to the postmaster, not to a user with a
non-working forward. I think it's a reasonable solution, because information
about a user's broken forward is valuable for the mail system administrator.

What's your opinion?

My best regards,

Pawel



-
Sponsored by: SourceForge.net Community Choice Awards: VOTE NOW!
Studies have shown that voting for your favorite open source project,
along with a healthy diet, reduces your potential for chronic lameness
and boredom. Vote Now at http://www.sourceforge.net/community/cca08
___
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users


Re: [courier-users] Looped DSNs when empty sender and broken user's forward

2008-07-03 Thread Gordon Messmer
Double-bounces aren't usually a problem.  Courier already detects the 
situation that a message can't be delivered, and the DSN can't be 
delivered either.  Those bounces go to the postmaster.

If your postmaster account is the one bouncing mail, then I suggest you 
set up a postmaster address that doesn't use mailfilters that are prone 
to breaking.  Just create a dot-courier file in your home directory and 
specify a delivery rule that indicates a Maildir path.

alias:
postmaster: ptecza-postmaster

/home/ptecza/.courier-postmaster:
./Maildir/.Postmaster/.



Re: [courier-users] courier-authlib and courier-imap 20080629

2008-07-03 Thread niclas
> I'm happy to announce experimental support for SSL certificate-based
> authentication.

Hmm. This announcement as well as the remark in the config files always
confused me. Client-certificate-authentication has been working for me
for years (esmtpd-ssl, imapd-ssl and in ancient times pop3d-ssl as well.)

Can you explain which part of certificate-based auth is new?

n.



[courier-users] imapd 4.3.1 no data, no error

2008-07-03 Thread niclas
I updated imapd and imapd-ssl from 4.3.0 (IIRC) to 4.3.1 today, and it 
stopped working in a weird manner:

1. My client (thunderbird) behaved as if there were just no new mails in 
any folders. (SSL handshake successful.)

2. TB has index files to cache the subject lines of known mails, so I
could click on mails known to be present on the server. I was presented
an empty page.

3. I could not save any messages anymore.

I believe the IMAP server just did not reply with any data, and
therefore did not produce an error either. I did not get any error messages
in logfiles or from TB. No hints, no nothing. It was just - well, blank.

I downgraded imapd and imapd-ssl to 4.1.1. and everything is fine again.

As I used the new config file and filled in my personal settings from 
the old one, I don't think I had a problem with my configuration. I use 
SSL and REQUIREPEER, so it is quite hard to analyze problems like this 
in detail.

Is there any way I can make courier more talkative next time I have a 
problem like this? (Which is actually quite often.)

Does anybody else have problems like this? To me it looks like in every 
third or second version which makes it into debian testing something is 
broken.

n.



Re: [courier-users] Looped DSNs when empty sender and broken user's forward

2008-07-03 Thread Sam Varshavchik

Paweł Tęcza writes:

> So, my question is: why don't you set SENDER='[EMAIL PROTECTED]'
> or SENDER='[EMAIL PROTECTED]' or something similar if SENDER
> variable is empty?
>
> In that case, if a user's forward is broken, Courier tries
> to deliver a DSN message to the postmaster, not to a user with a
> non-working forward. I think it's a reasonable solution, because information
> about a user's broken forward is valuable for the mail system administrator.
>
> What's your opinion?


Yes, I think that's reasonable. The original reason for resetting the return 
address would be to be notified if forwarded mail bounces. I expected people 
to set up forwarding rules carefully, and take care not to indiscriminately 
forward all mail, rather only ones that match narrow filtering criteria.


But I suppose that's too much to expect, from people, so I guess this will 
have to change. I'll change the return address on forwarded mail to a null 
address, which will bounce to the postmaster's mailbox automatically.




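The loop discussed in this thread, as a small Python model added to this archive page (it is not Courier code and not written by any of the posters). It compares the filter behaviour quoted in the first message (empty SENDER replaced by the user's own address) with the null return address proposed in the reply; all addresses and the hop limit are constructed for the illustration.

```python
from collections import deque

# Constructed addresses for the model; none come from the thread.
USER = "user@example.test"               # local user whose filter forwards mail
FORWARD = "user@unreachable.example"     # forward target that always fails
POSTMASTER = "postmaster@example.test"

def forwarded_sender(sender, policy):
    """Return address the user's filter puts on the forwarded copy."""
    if sender:
        return sender
    # "from": filter behaviour quoted in the thread (SENDER=$FROM, the user)
    # "null": change discussed in the replies (keep the null return address)
    return USER if policy == "from" else ""

def simulate(policy, first_sender="", max_hops=20):
    """Inject one message for USER.

    Returns (dsns_generated, postmaster_copies, still_looping).
    """
    queue = deque([(first_sender, USER)])    # (envelope sender, recipient)
    dsns = postmaster = hops = 0
    while queue and hops < max_hops:
        sender, rcpt = queue.popleft()
        hops += 1
        if rcpt == USER:
            # The user's filter forwards every message to the broken target.
            queue.append((forwarded_sender(sender, policy), FORWARD))
        elif rcpt == POSTMASTER:
            postmaster += 1
        elif rcpt == FORWARD:                # delivery to the forward fails
            if sender:
                dsns += 1
                queue.append(("", sender))   # a DSN carries the null sender
            else:
                # Nobody to bounce to: the postmaster receives the report.
                queue.append(("", POSTMASTER))
        # Any other recipient is outside the model: treated as delivered.
    return dsns, postmaster, bool(queue)

if __name__ == "__main__":
    for policy in ("from", "null"):
        print(policy, simulate(policy))
```

With the "from" policy the queue never drains and the DSN count grows with the hop limit; with the "null" policy the exchange ends after a single report to the postmaster.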


Re: [courier-users] courier-authlib and courier-imap 20080629

2008-07-03 Thread Sam Varshavchik

niclas writes:

> > I'm happy to announce experimental support for SSL certificate-based
> > authentication.
>
> Hmm. This announcement as well as the remark in the config files always
> confused me. Client-certificate-authentication has been working for me
> for years (esmtpd-ssl, imapd-ssl and in ancient times pop3d-ssl as well.)
>
> Can you explain which part of certificate-based auth is new?


Well, the only thing you could've done, up to now, is force any valid 
certificate to be presented by SSL/TLS client. Essentially, allow SSL/TLS 
connections to require a valid client certificate, by setting 
TLS_VERIFYPEER=REQUIREPEER. If you have TLS_VERIFYPEER=PEER now, that 
doesn't really do anything, because the client is not required to offer a 
certificate.


I don't see what you've gotten from requiring certificates for esmtpd. If 
some mail server wanted to deliver something to your mailboxes, and tried to 
STARTTLS, since it did not have a certificate to present it'll fail. There 
was some value-added in imap or pop3's case, if you required SSL for IMAP or 
POP3 access, and you also required a client certificate.


Now, you will be able to present a client SSL certificate for authentication 
purposes. Courier will read the client's certificate's subject. If, for 
example, the client's subject has [EMAIL PROTECTED], then this 
is sufficient to establish the client's identity. The server will then 
advertise the SASL AUTH=EXTERNAL capability. The client may then issue the 
AUTH EXTERNAL command. In IMAP or POP3's case, this will log the server into 
the mailbox. In SMTP's case, the client receives relaying privileges (and 
the client's subject gets recorded in relayed messages' headers).


The client still has the option of traditional authentication, by providing 
the appropriate login and password. The client certificate is offered as an 
option. OpenSSL or GnuTLS will verify that the client's certificate is 
signed by your certificate authority, and Courier will just grab the 
certificate's subject, and use it to authorize the client.





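The difference between requiring a certificate and authenticating with one, as a Python model added to this archive page (not Courier source code, and not from the poster). Assumptions: the identity is taken from the emailAddress attribute of the subject, AUTH=EXTERNAL is also offered in PEER mode when a certificate is presented, AUTH=PLAIN stands in for password login, and the certificate dictionary has the shape returned by Python's ssl.SSLSocket.getpeercert() after the TLS library has already verified the CA signature.

```python
class HandshakeRejected(Exception):
    """TLS handshake refused because no client certificate was offered."""

def subject_field(peercert, field="emailAddress"):
    """Pull one attribute out of an already CA-verified certificate subject."""
    for rdn in peercert.get("subject", ()):
        for name, value in rdn:
            if name == field:
                return value
    return None

def session(verify_mode, peercert):
    """Return (capabilities, external_identity) for a new TLS connection.

    verify_mode mirrors the TLS_VERIFYPEER values named in the message
    (PEER, REQUIREPEER); peercert is None when the client offered nothing.
    """
    if peercert is None and verify_mode == "REQUIREPEER":
        raise HandshakeRejected("client certificate required")
    caps = ["AUTH=PLAIN"]                 # password login stays available
    identity = subject_field(peercert) if peercert else None
    if identity:
        caps.append("AUTH=EXTERNAL")      # only when the subject names a user
    return caps, identity

def authenticate(mechanism, caps, identity, login=None, password_ok=False):
    """Return the account that gets access, or None if authentication fails."""
    if mechanism == "EXTERNAL":
        # No secret is exchanged: the verified subject is the credential.
        return identity if "AUTH=EXTERNAL" in caps else None
    if mechanism == "PLAIN":
        return login if password_ok else None
    return None

# Constructed sample subject (not from the thread).
SAMPLE_CERT = {"subject": ((("commonName", "Test User"),),
                           (("emailAddress", "user@example.test"),))}

if __name__ == "__main__":
    caps, ident = session("REQUIREPEER", SAMPLE_CERT)
    print(caps, authenticate("EXTERNAL", caps, ident))
    print(session("PEER", None))          # no certificate: password login only
```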


Re: [courier-users] imapd 4.3.1 no data, no error

2008-07-03 Thread Sam Varshavchik

niclas writes:

> I updated imapd and imapd-ssl from 4.3.0 (IIRC) to 4.3.1 today, and it
> stopped working in a weird manner:
>
> 1. My client (thunderbird) behaved as if there were just no new mails in
> any folders. (SSL handshake successful.)
>
> 2. TB has index files to cache the subject lines of known mails, so I
> could click on mails known to be present on the server. I was presented
> an empty page.
>
> 3. I could not save any messages anymore.
>
> I believe the IMAP server just did not reply with any data, and
> therefore did not produce an error either. I did not get any error messages
> in logfiles or from TB. No hints, no nothing. It was just - well, blank.
>
> I downgraded imapd and imapd-ssl to 4.1.1. and everything is fine again.


Remove explicit TLS_PROTOCOL and TLS_STARTTLS_PROTOCOL settings from all 
config files. Leave them unset.



