Re: [courier-users] Corrupted Pythonfilter greylist_NotPassed database
Gordon Messmer pisze: Paweł Tęcza wrote: Paweł Tęcza pisze: What Python module for PostgreSQL support do you use? ... Gordon uses python-pgsql module by Cristian Gafton. You can download it from following URL: http://people.rpath.com/~gafton/pgsql/ Sorry to leave you hanging like that, Paweł. You're correct about the python module, also available here: http://pypi.python.org/pypi/python-pgsql/ Hi Gordon, Thanks a lot for the reply! It's good to know you read my posts :) At some point in the future, I'll probably add support for the psycopg2 module, used by Zope and Django for PostgreSQL support. PostgreSQL is a terrific DB, but it could seriously use a well supported standard Python module. Yuck. Fortunately Debian has good package with psycopg2, so I don't need to debianize it :) Let me know if you run into issues with SQL support. I still consider it experimental. It was implemented to enable SMTP server clustering, but I haven't used it anywhere in production. OK, I'll write here about noticed problems. I'm going to put it into action soon. Have a nice day, P. -- SF.Net email is Sponsored by MIX09, March 18-20, 2009 in Las Vegas, Nevada. The future of the web can't happen without you. Join us at MIX09 to help pave the way to the Next Web now. Learn more and register at http://ad.doubleclick.net/clk;208669438;13503038;i?http://2009.visitmix.com/ ___ courier-users mailing list courier-users@lists.sourceforge.net Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
Re: [courier-users] Corrupted Pythonfilter greylist_NotPassed database
Paweł Tęcza pisze: Gordon Messmer pisze: At some point in the future, I'll probably add support for the psycopg2 module, used by Zope and Django for PostgreSQL support. PostgreSQL is a terrific DB, but it could seriously use a well supported standard Python module. Yuck. Fortunately Debian has good package with psycopg2, so I don't need to debianize it :) Hello again, Is it very hard to add support for the psycopg2 module right now? I wrote that I want to debianize real python-pgsql module at Debian Python mailing list [1]. I heard in response that I could try to use psycopg2 module instead of python-pgsql. I did it, but unfortunately it seems that these modules haven't compatible API. Let me know if you run into issues with SQL support. I still consider it experimental. It was implemented to enable SMTP server clustering, but I haven't used it anywhere in production. OK, I'll write here about noticed problems. I'm going to put it into action soon. I'm running your Pythonfilter on one of our front-ends. It's working about 0.5h and haven't seen any issues :) pythonfilter= select count(*) from greylist_notpassed; count --- 57 (1 row) pythonfilter= select count(*) from greylist_passed; count --- 2 (1 row) Cheers, P. [1] http://lists.debian.org/debian-python/2008/12/msg00016.html -- SF.Net email is Sponsored by MIX09, March 18-20, 2009 in Las Vegas, Nevada. The future of the web can't happen without you. Join us at MIX09 to help pave the way to the Next Web now. Learn more and register at http://ad.doubleclick.net/clk;208669438;13503038;i?http://2009.visitmix.com/ ___ courier-users mailing list courier-users@lists.sourceforge.net Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
[courier-users] courier-authlib 0.62.0 released
Download: http://www.courier-mta.org/download.php#authlib This release adds support for additional hash functions, and an update to the Postgres driver that removes potentional SQL injection vulnerabilities in some circumstances. * authpgsqllib.c: Use PQescapeStringConn() instead of removing all apostrophes from query parameters. This fixes a potential SQL injection vulnerability if the Postgres database uses a non-Latin locale. * Added support for {SSHA}-encrypted passwords. Based on a patch by Zou bin z...@bisp.com. * Added support for {SHA512} hash function. pgp85klwhfXZS.pgp Description: PGP signature -- SF.Net email is Sponsored by MIX09, March 18-20, 2009 in Las Vegas, Nevada. The future of the web can't happen without you. Join us at MIX09 to help pave the way to the Next Web now. Learn more and register at http://ad.doubleclick.net/clk;208669438;13503038;i?http://2009.visitmix.com/___ courier-users mailing list courier-users@lists.sourceforge.net Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
Re: [courier-users] Backscatter black-listing causing problems for legitimate users
Sam Varshavchik wrote: K.R. (Randy) Lewis writes: Examining the logfiles on the smarthost ... where the un-authenticated smtp mail first arrives, I see instances where some bogus / spam / spoof crap has come in, and the server does not forward it to the user's account on the real mta. That's the good part. Define "does not forward". Explain exactly what mechanism you employ to reject unwanted mail. Yes, apologies about that. On the front-end 'smarthost' (ahead of courier) we are using OpenBSD's 'spamd' spam deferral daemon via 'pf' (packet filter). It's somewhat astounding to watch the 1,000's of bogus attempts to send mail into our servers through this system. Almost all (I mean 99% +) of the trapped smtp attempts are from what seem to be compromised machines. They just never come back for a legitimate 2nd attempt to send a message since they don't do a retry after they 'Temporary Failure' thrown by 'spamd' when it GREYLISTs such machines. Anyway, that part works great, and certainly lowers the load on the courier smarthost relay. On the other hand, if he sending system is a legitimate / properly configured estmp host - and knows all the rules - and complies - and retries a message after the GREYLIST hold off period imposed by 'spamd'; it will get relayed to the user account host(s) via the submission port (587) protected on each side by OpenBSD's 'pf' from outside intrusion. This too works great. However, that user will wind up in the 'LIST' and subsequent emails for him will get bounced with the good old "556 Address unavailable." And, he is in the blaclklist for at least the 2 hours spec'd in the docs. That means that the mechanism you've implemented involves filtering mail after it is already accepted for delivery to the recipient, and, if rejected by your mail filter, the message gets bounced. Since the message could not be delivered to the recipient, the recipient address gets put on the suppression list. Everything works on intended. This is not considered a proper way to filter mail. The correct way to implement mail filtering is to reject unwanted mail instead of accepting it and bouncing it after the fact. Courier has several different APIs by which incoming mail can be inspected or filtered before Courier accepts mail from the remote mail server, and, if unwanted, Courier then refuses to accept the message from the remote server. Just what exact combination of backscatter settings in 'couried' and in 'bofh' (as explained in the docs.) do folks use to minimize these false blacklisting of real users? If your mail filtering is implemented ex-post-facto, no combination of settings will work correctly, and you must turn it off completely. OK, I read and re-read you comments (above), then re-visited what I'm doing on the user accounts host(s) machines. Yes, I have been filtering via a long-standing 'maildroprc' file that has served quite well, especially BEFORE we went exclusively with the really 'smart' smarthost relay system combination of OpenBSD +'spamd' + courier relay. I can now see that some of the filter rules I had in place were possibly causing a non 'ZERO' exit code due to delivery refusal into a users Maildir. Because (now) most of the offenders are being fended off on the front-end system BEFORE being relayed to the user account hosts, I have decided to remove the maildroprc processing on the end user host(s) from the equation. The only thing 'maildrop' that's happening is running message deliveries through 'spamprobe' (via $HOME/.mailfilter) and deciding which user sub-maildir gets the message. A message will go into either 'Maildir/new' or 'Maildir/.spam/new' based on its score - but it WILL get delivered. There is no non-ZERO exit code that can find its way back upstream. Hopefully this change from the previous configuration will settle things out for my trusted users. Thanks for your great work. Randy -- SF.Net email is Sponsored by MIX09, March 18-20, 2009 in Las Vegas, Nevada. The future of the web can't happen without you. Join us at MIX09 to help pave the way to the Next Web now. Learn more and register at http://ad.doubleclick.net/clk;208669438;13503038;i?http://2009.visitmix.com/ ___ courier-users mailing list courier-users@lists.sourceforge.net Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users -- begin:vcard fn:K. Randy Lewis n:Lewis;K. Randy org:RTMX Networking, LLC adr;dom:;;PO Box 1030;Hillsborough;NC;27278 email;internet:ra...@rtmx.net title:Save Gas -- Telecommute with RTMX ! tel;work:919 644 7869 tel;fax:919 724 4439 x-mozilla-html:TRUE url:http://www.rtmx.net version:2.1 end:vcard -- SF.Net email is Sponsored by MIX09,
[courier-users] courier-pythonfilter - dialback module got me CBL blacklisted
Hi people. This is for those who use the courier-pythonfilter dialback module to verify the sender. Two days ago I have activated it and today I got blacklisted into the CBL DNS blacklist (http://cbl.abuseat.org/) This is apparently because of the way the dialback module connects to the DNS MX rr of the sender to verify if it can accept responses. Dialback module uses the smtp helo() method without parameters, so the remote smtp server see HELO localhost.localdomain in my case. 154 (code, reply) = smtpi.helo() To fix the problem it should be ok to use a valid FQDN, something like: 154 (code, reply) = smtpi.helo(mail.foo.bar) Should be nice if dialback passes the content of the file courier/etc/me to the helo() method to try to avoid such problems. # dialback.py _SNIPPET_ 153 try: 154 (code, reply) = smtpi.helo() 155 if code // 100 != 2: 156 # Save the error message. If no other servers are available, 157 # inform the sender, but don't save the sender as bad. 158 filterReply = '421 %s rejected the HELO command' % MX[1] 159 smtpi.close() 160 continue 161 except: Ciao, Dino Ciuffetti. REplat offre il nuovo servizio Ricerca Personale per le Agenzie Aderenti consultabile direttamente dall'area riservata e dal portale, alla voce Lavora con Noi. -- SF.Net email is Sponsored by MIX09, March 18-20, 2009 in Las Vegas, Nevada. The future of the web can't happen without you. Join us at MIX09 to help pave the way to the Next Web now. Learn more and register at http://ad.doubleclick.net/clk;208669438;13503038;i?http://2009.visitmix.com/ ___ courier-users mailing list courier-users@lists.sourceforge.net Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
Re: [courier-users] courier-pythonfilter - dialback module got me CBL blacklisted
Dino Ciuffetti wrote: Two days ago I have activated it and today I got blacklisted into the CBL DNS blacklist (http://cbl.abuseat.org/) This is apparently because of the way the dialback module connects to the DNS MX rr of the sender to verify if it can accept responses. Dialback module uses the smtp helo() method without parameters, so the remote smtp server see HELO localhost.localdomain in my case. To be fair, the pythonfilter didn't get you blacklisted any more than your failure to set your hostname did. The python smtplib.SMTP.helo() method uses the local host's FQDN when it isn't given one as an argument. Should be nice if dialback passes the content of the file courier/etc/me to the helo() method to try to avoid such problems. I'll try to add support for Courier's esmtphelo file. -- SF.Net email is Sponsored by MIX09, March 18-20, 2009 in Las Vegas, Nevada. The future of the web can't happen without you. Join us at MIX09 to help pave the way to the Next Web now. Learn more and register at http://ad.doubleclick.net/clk;208669438;13503038;i?http://2009.visitmix.com/ ___ courier-users mailing list courier-users@lists.sourceforge.net Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
Re: [courier-users] Corrupted Pythonfilter greylist_NotPassed database
Paweł Tęcza wrote: Is it very hard to add support for the psycopg2 module right now? Probably not. I haven't checked on which variant of the DB-API it supports. Changes from the existing pgsql support will be very minor. At worst, the connect() function will take a different format argument, and the select queries will use a different character to indicate parameter replacement. -- SF.Net email is Sponsored by MIX09, March 18-20, 2009 in Las Vegas, Nevada. The future of the web can't happen without you. Join us at MIX09 to help pave the way to the Next Web now. Learn more and register at http://ad.doubleclick.net/clk;208669438;13503038;i?http://2009.visitmix.com/ ___ courier-users mailing list courier-users@lists.sourceforge.net Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
Re: [courier-users] Backscatter black-listing causing problems for legitimate users
K.R. (Randy) Lewis writes: I can now see that some of the filter rules I had in place were possibly causing a non 'ZERO' exit code due to delivery refusal into a users Maildir. Because (now) most of the offenders are being fended off on the front-end system BEFORE being relayed to the user account hosts, I have decided to remove the maildroprc processing on the end user host(s) from the equation. The only thing 'maildrop' that's happening is running message deliveries through 'spamprobe' (via $HOME/.mailfilter) and deciding which user sub-maildir gets the message. A message will go into either 'Maildir/new' or 'Maildir/.spam/new' based on its score - but it WILL get delivered. There is no non-ZERO exit code that can find its way back upstream. Hopefully this change from the previous configuration will settle things out for my trusted users. This should prevent your problem from happening again. pgpRjDhOujVoo.pgp Description: PGP signature -- SF.Net email is Sponsored by MIX09, March 18-20, 2009 in Las Vegas, Nevada. The future of the web can't happen without you. Join us at MIX09 to help pave the way to the Next Web now. Learn more and register at http://ad.doubleclick.net/clk;208669438;13503038;i?http://2009.visitmix.com/___ courier-users mailing list courier-users@lists.sourceforge.net Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users