[Mimedefang] Access to sendmail macro client_addr
Hello

We use MIMEdefang in conjunction with Postfix. Postfix does not set a macro if_addr. According to the Postfix Milter documentation, all milters should use client_addr instead. According to the MIMEDefang documentation, read_commands_file would populate if_addr but does not populate client_addr.

Is there a way to tell MIMEDefang to also pull client_addr? Or could someone tell me a better solution for that situation?

We keep a history of the users which authenticated via SMTP during the last hour and look at how many IP addresses are involved. If the number of different IP addresses is over a threshold, we disable the user because of a suspected phished password.

Now we also have users using our webmail. The webmail uses the user's credentials for SMTP auth, but comes from one specific IP address. We don't notice if a botnet starts abusing our webmail. But the webmail adds an extra header telling the IP of the HTTP client.

I would like to do something like this in filter_begin:

    read_commands_file;
    if ($SendmailMacros{client_addr} eq $webmailip) {
        open(./HEADERS);
        look for the IP that sent that email via HTTP;
        insert into LoginHistory (tstamp, auth_user, HTTP_ip);
    }

So how can I access the client_ip from within filter_begin?

Kind regards

Benoit Panizzon
ImproWare AG

NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] Access to sendmail macro client_addr
Well, after some more RTFM and stumbling over a thread about documentation issues with global variables:

http://lists.roaringpenguin.com/pipermail/mimedefang/2010-May/035763.html

I constate that $RelayAddr is available in filter_begin but read_commands_file is not.

Benoit Panizzon
ImproWare AG
Re: [Mimedefang] Access to sendmail macro client_addr
On 2014-5-5 13:07, Benoit Panizzon wrote:
> Well, after some more RTFM and stumbling over a thread about documentation issues with global variables:
> http://lists.roaringpenguin.com/pipermail/mimedefang/2010-May/035763.html
> I constate that $RelayAddr is available in filter_begin but read_commands_file is not.

read_commands_file() isn't necessary in filter_begin; it is implicitly called and all global variables and all sendmail macros are available already.

In fact, $RelayAddr is always available, you don't need to call read_commands_file at all (and it contains the value that is in sendmail macro ${client_addr}).

-- 
Jan-Pieter Cornet
Re: [Mimedefang] Access to sendmail macro client_addr
I did the same thing here, for exactly the same reasons. Here are my notes about which filter function I ended up using:

    #
    # If the current connection is using auth, determine if that user has
    # sent from too many different IPs recently.
    #
    # This has to be done in filter_sender because:
    #
    # * In filter_relay() (the obvious choice), no access to SendmailMacros
    # * filter_begin() is called too late(!) after the message is accepted
    # * filter_recipient() is potentially called multiple times
    #

We've found that this approach works and is valuable, although it has been tricky to determine what a safe number of IPs is to allow. In particular, smartphones roaming around the city tend to look like they are connecting from many IPs. We eventually changed the comparison to consider the number of /24 subnets the IPs were from, which helped. (I.e. 172.14.89.2, 172.14.89.12, and 172.14.89.119 all count as being from a single subnet.) Of course it lowers the chance of catching someone who is exploiting a small server farm to send spam, but in practical use it seems to be working OK.

Oh, and for webmail, we're applying the same logic to something that watches the webmail's logfiles.

Thanks,
Mark

-- 
Mark Costlow
Southwest Cyberport
Re: [Mimedefang] Get the name of the AV scanning engine used
I have been trawling through mimedefang.pl and I can see where it enumerates the AV engines list. But I would like to be able to identify the actual engine used that detected the virus. I can't see that it's in the $Scanner object that is used to actually run the scan.

Can anyone guide me please? Is this even possible, or does MD discard the name of the engine?

I have just discovered that I do not actually have clamscan on my server, I have only got clamdscan, and that would appear to mean that clamd is being used. Features also tells me it is:

    Archive::Zip       : yes
    HTML::Parser       : yes
    Net::DNS           : yes
    Path:CONFDIR       : yes (/etc)
    Path:QUARANTINEDIR : yes (/var/spool/MIMEDefang)
    Path:SENDMAIL      : yes (/usr/sbin/sendmail)
    Path:SPOOLDIR      : yes (/var/spool/MIMEDefang)
    Virus:CLAMD        : yes (/usr/sbin/clamd)

But I would really like to know the name of the scan engine from MD so that I can stamp my email with the engine used to detect a virus.

I'd really appreciate it if someone could help me with this posting, please.

Thanks all,
jON
Re: [Mimedefang] md_syslog not working Mimedefang 2.71
> On Mon, 28 Apr 2014, Jon Rowlan wrote:
>> Clamdscan works fine at the command line, it's just that I am struggling to get the clam scan of any kind working via the socket.
>
> Did you configure MIMEdefang somehow to use that socket? This is my /etc/mail/mimedefang.pl.conf on a Debian server:
>
> --- 8< ---
> # Mimedefang configuration file
> # This file is a perl file which gets 'require'd from mimedefang
> # You can set the virus-scanner paths etc.
> # See mimedefang.pl
>
> $Features{'Path:QUARANTINEDIR'} = '/var/spool/MD-Quarantine';
> $Features{'Virus:CLAMAV'} = '/usr/bin/clamscan';
> $Features{'Virus:CLAMD'} = 1;
> $ClamdSock = '/var/run/clamav/clamd.ctl';
>
> # DO NOT delete the next line, or Perl will complain.
> 1;
> --- 8< ---
>
> Debian modified /usr/bin/mimedefang.pl to 'require' this file.

I have just discovered that I do not have clamscan on my server, but clamdscan appears to work from the command line. So I think that means that I have a correctly configured daemonised clam install and clamdscan will be using the socket, I presume?

Thanks Kees,
jON
Re: [Mimedefang] Access to sendmail macro client_addr
On Mon, 2014-05-05 at 11:03 -0600, Mark Costlow wrote:
> We've found that this approach works and is valuable, although it has been tricky to determine what a safe number of IPs is to allow. In particular, smartphones roaming around the city tend to look like they are connecting from many IPs. We eventually changed the comparison to consider the number of /24 subnets the IPs were from, which helped. (I.e. 172.14.89.2, 172.14.89.12, and 172.14.89.119 all count as being from a single subnet.)

Thanks to both you and the OP for sharing this interesting idea. I'll definitely keep this in mind. Here's a bit on a technique we've used:

To quarantine phished accounts, we've implemented something that tracks the number of new recipients a given sender sends mail to. If that exceeds a limit over the last (i.e. rolling window of) 72 hours, then we lock out the account.

This works remarkably well. I don't think we've ended up on a block list since, and there have been very few false positives. We've hit a few people sending to 200 recipients from Outlook. We've been able to address that by moving them to a mailing list system, which I think is the right answer for that anyway.

-- 
Richard
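The two heuristics described in the thread (Mark's count of distinct /24 subnets an authenticated user logged in from during the last hour, and Richard's count of recipients a sender mailed over a rolling 72-hour window), as an added example that is not code from any poster or from MIMEDefang itself: this is the policy logic a filter_sender hook would call, written in Python with an in-memory store. The class name AbuseTracker, the default thresholds, treating "new recipients" as distinct recipients within the window, and /64 aggregation for IPv6 are assumptions.

```python
import ipaddress
from collections import defaultdict


class AbuseTracker:
    """Per-user rolling-window counters for the two heuristics in the thread.
    Events live in memory here (constructed example); a real deployment would
    persist them in a shared table like the LoginHistory one the OP mentions."""

    def __init__(self, login_window=3600, subnet_limit=3,
                 rcpt_window=72 * 3600, rcpt_limit=200):
        self.login_window, self.subnet_limit = login_window, subnet_limit
        self.rcpt_window, self.rcpt_limit = rcpt_window, rcpt_limit
        self.logins = defaultdict(list)      # user -> [(tstamp, ip)]
        self.recipients = defaultdict(list)  # user -> [(tstamp, recipient)]

    @staticmethod
    def subnet(ip):
        """Aggregate an address to its /24 (IPv4) or /64 (IPv6, assumed) so a
        roaming phone hopping between nearby addresses counts as one place."""
        addr = ipaddress.ip_address(ip)
        plen = 24 if addr.version == 4 else 64
        return ipaddress.ip_network(f"{addr}/{plen}", strict=False)

    @staticmethod
    def _prune(events, now, window):
        # Drop everything older than the rolling window, in place.
        events[:] = [(t, v) for t, v in events if now - t < window]

    def record_login(self, user, ip, now):
        """Record an SMTP AUTH login from ip at time now (epoch seconds).
        Returns True when the user has logged in from more distinct subnets
        than subnet_limit within login_window (suspected phished password)."""
        events = self.logins[user]
        events.append((now, ip))
        self._prune(events, now, self.login_window)
        subnets = {self.subnet(addr) for _, addr in events}
        return len(subnets) > self.subnet_limit

    def record_recipient(self, user, rcpt, now):
        """Record one envelope recipient sent by user. Returns True when the
        number of distinct recipients within rcpt_window exceeds rcpt_limit."""
        events = self.recipients[user]
        events.append((now, rcpt.lower()))
        self._prune(events, now, self.rcpt_window)
        return len({r for _, r in events}) > self.rcpt_limit
```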