Re: [Mimedefang] [External] Re: A rose by any other name... Renaming MIMEDefang. What's your idea for a name?

2019-12-10 Thread Richard Laager
On 12/10/19 11:22 AM, Mark Costlow wrote:
> I realize I'm too late, but I'm just going to throw this out:
> 
>   Maildefang

I thought I had suggested that too. It's a good option and keeps the
"MD" abbreviation and e.g. the defang user, so it's nice for
compatibility. I do question if it's different enough for trademark reasons.

-- 
Richard
___
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID.  You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


Re: [Mimedefang] A rose by any other name... Renaming MIMEDefang. What's your idea for a name?

2019-12-09 Thread Richard Laager
On 12/9/19 5:16 PM, Jobst Schmalenbach wrote:
> Why not use a descriptive name what it actually does?
> That way people who do not know about it will immediately understand.
> 
> It observes/checks/looks at the Mime of mail messages and then
> deletes/cans/removes a dangerous part

That description is a bit too specific to the default filter.

PerlMilter would clarify exactly what it does, but might be too generic.

-- 
Richard


[Mimedefang] REVISED: postfix/mimedefang socket

2018-07-23 Thread Richard Laager
I have attached updated systemd service files, with the PID file
directly in /run, which I have tested with 2.84. This change also
requires specifying a lock file in $SPOOLDIR.

If you prefer a diff rather than new files, I also attached a diff
against 2.84.

This includes and builds upon my last changes:

On 12/09/2017 05:45 PM, Richard Laager wrote:
> I ran into a problem with my systemd units for MIMEDefang. There is a
> race condition between mimedefang-multiplexor creating the socket and
> mimedefang trying to access it. If the multiplexor doesn't create the
> socket in time, mimedefang fails on startup.
> 
> This is happening because Type=simple services are assumed to be running
> immediately. This is documented in systemd.service(5), which says, "In
> this mode, if the process offers functionality to other processes on the
> system, its communication channels should be installed before the daemon
> is started up (e.g. sockets set up by systemd, via socket activation),
> as systemd will immediately proceed starting follow-up units."
> 
> I have attached updated versions to correct this. These change to
> Type=forking and drop the -D flag. With the change to Type=forking, I
> have also brought back pid files. Since systemd requires the pid file
> path to be hardcoded (as the argument to PIDFile), I put it in /run
> rather than the $SPOOLDIR (which the administrator can change).

This part no longer applies, as of MIMEDefang 2.83, because it writes
the PID files as root:

> It can't
> be directly in /run, as the daemon writes the pidfile after dropping
> privileges, so we have to create a /run/mimedefang subdirectory owned by
> $MX_USER. This requires some indirection, as $MX_USER can also be
> customized by the administrator. I only create this directory for
> mimedefang-multiplexor.service (and not mimedefang.service), as
> mimedefang.service is already ordered after mimedefang-multiplexor.service.
-- 
Richard


[Unit]
Description=MIMEDefang E-mail Filter
Documentation=man:mimedefang(8)
Before=multi-user.target
Before=postfix.service
Before=sendmail.service
After=remote-fs.target
After=systemd-journald-dev-log.socket
BindsTo=mimedefang-multiplexor.service
After=mimedefang-multiplexor.service
PropagatesReloadTo=mimedefang-multiplexor.service

[Service]
Type=forking
PIDFile=/run/mimedefang.pid
Restart=on-failure
TimeoutStopSec=30s
# LC_ALL=C may not be necessary for mimedefang, but it is for
# mimedefang-multiplexor, so upstream prefers it here also to be consistent.
Environment=LC_ALL=C MX_SOCKET=/var/spool/MIMEDefang/mimedefang-multiplexor.sock MX_USER=defang SPOOLDIR=/var/spool/MIMEDefang SOCKET=/var/spool/MIMEDefang/mimedefang.sock
EnvironmentFile=-/etc/default/mimedefang
ExecStartPre=/bin/rm -f $SOCKET
ExecStart=/bin/sh -c 'exec /usr/bin/mimedefang \
`[ -n "$LOOPBACK_RESERVED_CONNECTIONS" ] && echo "-R $LOOPBACK_RESERVED_CONNECTIONS"` \
-m $MX_SOCKET \
-z $SPOOLDIR \
-o $SPOOLDIR/mimedefang.lock \
`[ -n "$MX_USER" ] && echo "-U $MX_USER"` \
`[ -n "$SYSLOG_FACILITY" ] && echo "-S $SYSLOG_FACILITY"` \
`[ "$MX_RELAY_CHECK" = "yes" ] && echo "-r"` \
`[ "$MX_HELO_CHECK" = "yes" ] && echo "-H"` \
`[ "$MX_SENDER_CHECK" = "yes" ] && echo "-s"` \
`[ "$MX_RECIPIENT_CHECK" = "yes" ] && echo "-t"` \
`[ "$KEEP_FAILED_DIRECTORIES" = "yes" ] && echo "-k"` \
`[ "$MD_EXTRA" != "" ] && echo $MD_EXTRA` \
`[ "$MD_SKIP_BAD_RCPTS" = "yes" ] && echo "-N"` \
"`[ -n "$X_SCANNED_BY" ] && \
  ( [ "$X_SCANNED_BY" = "-" ] && \
echo "-X" || echo "-x$X_SCANNED_BY" )`" \
`[ "$MD_ALLOW_GROUP_ACCESS" = "yes" ] && echo "-G"` \
`[ "$ALLOW_NEW_CONNECTIONS_TO_QUEUE" = "yes" ] && echo "-q"` \
-p $SOCKET -P /run/mimedefang.pid'
ExecStopPost=/bin/rm -f $SOCKET
# Make this service eligible for a reload, so we can propagate it to
# mimedefang-multiplexor.service.
ExecReload=/bin/true

[Install]
WantedBy=multi-user.target

[Unit]
Description=MIMEDefang E-mail Filter (Multiplexor)
Documentation=man:mimedefang-multiplexor(8)
After=remote-fs.target
After=systemd-journald-dev-log.socket
PartOf=mimedefang.service

[Service]
Type=forking
PIDFile=/run/mimedefang-multiplexor.pid
Restart=on-failure
TimeoutStopSec=30s
KillMode=mixed
# Locale should be set to "C" for generating valid date headers
Environment=LC_ALL=C MX_BUSY=600 MX_LOG=yes MX_MAXIMUM=10 MX_MINIMUM=2 MX_SOCKET=/var/spool/MIM

Re: [Mimedefang] DKIM and boilerplate conflict

2018-02-23 Thread Richard Laager
On 02/22/2018 09:16 PM, Randy Candy wrote:
>     my $signature = $dkim->signature()->as_string();
>     $signature =~ s/^DKIM-Signature:\s+//i;
>     action_add_header('DKIM-Signature', $signature);

On a related note... I just implemented DKIM signing a few days ago, and I
got broken messages until I stripped the CRs from the signature. See the
third line below:

my $signature = $dkim->signature()->as_string();
$signature =~ s/^DKIM-Signature:\s+//i;
$signature =~ s/\015//g;
action_add_header('DKIM-Signature', $signature);

-- 
Richard


Re: [Mimedefang] REVISED: postfix/mimedefang socket

2017-12-09 Thread Richard Laager
I ran into a problem with my systemd units for MIMEDefang. There is a
race condition between mimedefang-multiplexor creating the socket and
mimedefang trying to access it. If the multiplexor doesn't create the
socket in time, mimedefang fails on startup.

This is happening because Type=simple services are assumed to be running
immediately. This is documented in systemd.service(5), which says, "In
this mode, if the process offers functionality to other processes on the
system, its communication channels should be installed before the daemon
is started up (e.g. sockets set up by systemd, via socket activation),
as systemd will immediately proceed starting follow-up units."

I have attached updated versions to correct this. These change to
Type=forking and drop the -D flag. With the change to Type=forking, I
have also brought back pid files. Since systemd requires the pid file
path to be hardcoded (as the argument to PIDFile), I put it in /run
rather than the $SPOOLDIR (which the administrator can change). It can't
be directly in /run, as the daemon writes the pidfile after dropping
privileges, so we have to create a /run/mimedefang subdirectory owned by
$MX_USER. This requires some indirection, as $MX_USER can also be
customized by the administrator. I only create this directory for
mimedefang-multiplexor.service (and not mimedefang.service), as
mimedefang.service is already ordered after mimedefang-multiplexor.service.

Long term, the ideal answer is to use systemd's socket activation. This
would allow the services to startup in parallel. Another alternative
would be to use Type=notify. Either requires changes to the mimedefang C
code.

-- 
Richard

[Unit]
Description=MIMEDefang E-mail Filter
Documentation=man:mimedefang(8)
Before=multi-user.target
Before=postfix.service
Before=sendmail.service
After=remote-fs.target
After=systemd-journald-dev-log.socket
BindsTo=mimedefang-multiplexor.service
After=mimedefang-multiplexor.service
PropagatesReloadTo=mimedefang-multiplexor.service

[Service]
Type=forking
PIDFile=/run/mimedefang/mimedefang.pid
Restart=on-failure
TimeoutStopSec=30s
# LC_ALL=C may not be necessary for mimedefang, but it is for
# mimedefang-multiplexor, so upstream prefers it here also to be consistent.
Environment=LC_ALL=C MX_SOCKET=/var/spool/MIMEDefang/mimedefang-multiplexor.sock MX_USER=defang SOCKET=/var/spool/MIMEDefang/mimedefang.sock
EnvironmentFile=-/etc/default/mimedefang
ExecStartPre=/bin/rm -f $SOCKET
ExecStart=/bin/sh -c 'exec /usr/bin/mimedefang \
`[ -n "$LOOPBACK_RESERVED_CONNECTIONS" ] && echo "-R $LOOPBACK_RESERVED_CONNECTIONS"` \
-m $MX_SOCKET \
`[ -n "$SPOOLDIR" ] && echo "-z $SPOOLDIR"` \
`[ -n "$MX_USER" ] && echo "-U $MX_USER"` \
`[ -n "$SYSLOG_FACILITY" ] && echo "-S $SYSLOG_FACILITY"` \
`[ "$MX_RELAY_CHECK" = "yes" ] && echo "-r"` \
`[ "$MX_HELO_CHECK" = "yes" ] && echo "-H"` \
`[ "$MX_SENDER_CHECK" = "yes" ] && echo "-s"` \
`[ "$MX_RECIPIENT_CHECK" = "yes" ] && echo "-t"` \
`[ "$KEEP_FAILED_DIRECTORIES" = "yes" ] && echo "-k"` \
`[ "$MD_EXTRA" != "" ] && echo $MD_EXTRA` \
`[ "$MD_SKIP_BAD_RCPTS" = "yes" ] && echo "-N"` \
"`[ -n "$X_SCANNED_BY" ] && \
  ( [ "$X_SCANNED_BY" = "-" ] && \
echo "-X" || echo "-x$X_SCANNED_BY" )`" \
`[ "$MD_ALLOW_GROUP_ACCESS" = "yes" ] && echo "-G"` \
`[ "$ALLOW_NEW_CONNECTIONS_TO_QUEUE" = "yes" ] && echo "-q"` \
-p $SOCKET -P /run/mimedefang/mimedefang.pid'
ExecStopPost=/bin/rm -f $SOCKET
# Make this service eligible for a reload, so we can propagate it to
# mimedefang-multiplexor.service.
ExecReload=/bin/true

[Install]
WantedBy=multi-user.target

[Unit]
Description=MIMEDefang E-mail Filter (Multiplexor)
Documentation=man:mimedefang-multiplexor(8)
After=remote-fs.target
After=systemd-journald-dev-log.socket
PartOf=mimedefang.service

[Service]
Type=forking
PIDFile=/run/mimedefang/mimedefang-multiplexor.pid
Restart=on-failure
TimeoutStopSec=30s
KillMode=mixed
# Locale should be set to "C" for generating valid date headers
Environment=LC_ALL=C MX_BUSY=600 MX_LOG=yes MX_MAXIMUM=10 MX_MINIMUM=2 MX_SOCKET=/var/spool/MIMEDefang/mimedefang-multiplexor.sock MX_USER=defang
EnvironmentFile=-/etc/default/mimedefang
ExecStartPre=/bin/rm -f $MX_SOCKET
ExecStartPre=/bin/sh -c '/usr/bin/install -d \
`[ -n "$MX_USER" ] && echo "-o $MX_USER"` \
/run/mimedefang'
ExecStart=/bin/sh -c 'HOME=${SPOOLDIR:=/var/spool/MIMEDefang} \
exec /usr/bin/mimedefang-multiplexor \
`[ "$MX_EMBED_PERL" = "yes" ] && echo "-E"` \
`[ -n "$SPOOLDIR" ] && echo "-z $SPOOLDIR"` \
`[ -n "$FILTER" ] && echo "-f $FILTER"` \
`[ -n "$SYSLOG_FACILITY" ] && echo "-S $SYSLOG_FACILITY"` \
`[ -n "$SUBFILTER" ] && echo "-F $SUBFILTER"` \
`[ -n "$MX_MINIMUM" ] && echo "-m $MX_MINIMUM"` \
`[ -n "$MX_MAXIMUM" ] && echo "-x $MX_MAXIMUM"` \
`[ -n "$MX_MAP_SOCKET" ] && echo "-N $MX_MAP_SOCKET"` \
`[ -n "$MX_LOG_SLAVE_STATUS_INTERVAL" ] && echo "-L $MX_LOG_SLAVE_STATUS_INTERVAL"`

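The startup race described in the message above (a unit ordered After= a Type=simple service can start before that service has created its socket) can be checked for mechanically. The following is an added example, not part of the original post or of MIMEDefang's packaging; the function names are hypothetical and the sample units are constructed, cut-down copies of the two units in this thread.

```sh
#!/bin/sh
# Added example: flag After= orderings that point at a Type=simple service.
# systemd treats such a service as started as soon as it is forked, so a
# dependent unit may run before the provider's socket exists.
# Limitation: reads only the *.service files in one directory (no drop-ins).

# unit_type FILE: print the Type= of a service unit. systemd defaults to
# "simple" when ExecStart= is set and no Type= is given.
unit_type() {
    awk -F= '
        /^\[/ { in_service = ($0 == "[Service]") }
        in_service && $1 == "Type" { type = $2 }
        END { print (type == "" ? "simple" : type) }
    ' "$1"
}

# unit_after FILE: print every unit named in an After= line, one per line.
unit_after() {
    awk '
        /^\[/ { in_unit = ($0 == "[Unit]") }
        in_unit && /^After=/ {
            sub(/^After=/, "")
            n = split($0, names, /[ \t]+/)
            for (i = 1; i <= n; i++) if (names[i] != "") print names[i]
        }
    ' "$1"
}

# find_simple_races DIR: print "dependent -> provider" for each service in
# DIR that is ordered After= a Type=simple service that is also in DIR.
find_simple_races() {
    dir=$1
    for unit in "$dir"/*.service; do
        [ -f "$unit" ] || continue
        for dep in $(unit_after "$unit"); do
            case $dep in *.service) ;; *) continue ;; esac
            [ -f "$dir/$dep" ] || continue
            if [ "$(unit_type "$dir/$dep")" = "simple" ]; then
                echo "$(basename "$unit") -> $dep"
            fi
        done
    done
}

# write_sample_units DIR TYPE: constructed sample input. Writes cut-down
# copies of the two units from this thread with Type= set to TYPE.
write_sample_units() {
    cat > "$1/mimedefang-multiplexor.service" <<EOF
[Unit]
Description=MIMEDefang E-mail Filter (Multiplexor)
After=remote-fs.target
PartOf=mimedefang.service

[Service]
Type=$2
ExecStart=/usr/bin/mimedefang-multiplexor -s /var/spool/MIMEDefang/mimedefang-multiplexor.sock
EOF
    cat > "$1/mimedefang.service" <<EOF
[Unit]
Description=MIMEDefang E-mail Filter
BindsTo=mimedefang-multiplexor.service
After=mimedefang-multiplexor.service

[Service]
Type=$2
ExecStart=/usr/bin/mimedefang -m /var/spool/MIMEDefang/mimedefang-multiplexor.sock
EOF
}

# Demo: sh check-units.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    write_sample_units "$tmp" simple
    find_simple_races "$tmp"
    rm -rf "$tmp"
fi
```
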
Re: [Mimedefang] Error with mimedefang + clamd

2017-11-24 Thread Richard Laager
Does your system have apparmor or SELinux that could be blocking access
separately from filesystem permissions?

-- 
Richard


Re: [Mimedefang] REVISED: postfix/mimedefang socket

2017-10-04 Thread Richard Laager
On 09/28/2017 11:11 PM, Richard Laager wrote:
> I have attached fully split, native, Type=simple (not forking) unit
> files, which I have tested on Ubuntu 16.04.

I have submitted the slightly updated versions to Debian:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877663

Dianne, you may want to ship these (or similar) upstream, but that's
obviously up to you. It doesn't make any difference to me personally,
since I use the downstream packaging.

-- 
Richard


Re: [Mimedefang] Reload doesnt work

2017-10-03 Thread Richard Laager
On 10/03/2017 02:18 AM, Bill Cole wrote:
> This is platform-specific. If your platform uses systemd, the command
> "systemctl reload mimedefang"  doesn't reload the mimedefang-filter

"systemctl reload mimedefang" should reload the filter by way of
/etc/init.d/mimedefang, but maybe that's not set up on your system. My
version of systemd-sysv-generator (Ubuntu 16.04) sets:
ExecReload=/etc/init.d/mimedefang reload

Alternatively, if you use the native systemd unit files I posted a few
days ago (or the slightly updated versions attached here), reload
definitely works correctly.

> it only reloads the systemd definition of the mimedefang service

This is definitely not true. To reload the service definitions, you use
"systemctl daemon-reload".

-- 
Richard

[Unit]
Description=MIMEDefang E-mail Filter
Documentation=man:mimedefang(8)
Before=multi-user.target
Before=postfix.service
Before=sendmail.service
After=remote-fs.target
After=systemd-journald-dev-log.socket
BindsTo=mimedefang-multiplexor.service
After=mimedefang-multiplexor.service
PropagatesReloadTo=mimedefang-multiplexor.service

[Service]
Type=simple
Restart=on-failure
TimeoutStopSec=30s
# LC_ALL=C may not be necessary for mimedefang, but it is for
# mimedefang-multiplexor, so upstream prefers it here also to be consistent.
Environment=LC_ALL=C MX_SOCKET=/var/spool/MIMEDefang/mimedefang-multiplexor.sock MX_USER=defang SOCKET=/var/spool/MIMEDefang/mimedefang.sock
EnvironmentFile=-/etc/default/mimedefang
ExecStartPre=/bin/rm -f $SOCKET
ExecStart=/bin/sh -c 'exec /usr/bin/mimedefang -D \
`[ -n "$LOOPBACK_RESERVED_CONNECTIONS" ] && echo "-R $LOOPBACK_RESERVED_CONNECTIONS"` \
-m $MX_SOCKET \
`[ -n "$SPOOLDIR" ] && echo "-z $SPOOLDIR"` \
`[ -n "$MX_USER" ] && echo "-U $MX_USER"` \
`[ -n "$SYSLOG_FACILITY" ] && echo "-S $SYSLOG_FACILITY"` \
`[ "$MX_RELAY_CHECK" = "yes" ] && echo "-r"` \
`[ "$MX_HELO_CHECK" = "yes" ] && echo "-H"` \
`[ "$MX_SENDER_CHECK" = "yes" ] && echo "-s"` \
`[ "$MX_RECIPIENT_CHECK" = "yes" ] && echo "-t"` \
`[ "$KEEP_FAILED_DIRECTORIES" = "yes" ] && echo "-k"` \
`[ "$MD_EXTRA" != "" ] && echo $MD_EXTRA` \
`[ "$MD_SKIP_BAD_RCPTS" = "yes" ] && echo "-N"` \
"`[ -n "$X_SCANNED_BY" ] && \
  ( [ "$X_SCANNED_BY" = "-" ] && \
echo "-X" || echo "-x$X_SCANNED_BY" )`" \
`[ "$MD_ALLOW_GROUP_ACCESS" = "yes" ] && echo "-G"` \
`[ "$ALLOW_NEW_CONNECTIONS_TO_QUEUE" = "yes" ] && echo "-q"` \
-p $SOCKET'
ExecStopPost=/bin/rm -f $SOCKET
# Make this service eligible for a reload, so we can propagate it to
# mimedefang-multiplexor.service.
ExecReload=/bin/true

[Install]
WantedBy=multi-user.target

[Unit]
Description=MIMEDefang E-mail Filter (Multiplexor)
Documentation=man:mimedefang-multiplexor(8)
After=remote-fs.target
After=systemd-journald-dev-log.socket
PartOf=mimedefang.service

[Service]
Type=simple
Restart=on-failure
TimeoutStopSec=30s
KillMode=mixed
# Locale should be set to "C" for generating valid date headers
Environment=LC_ALL=C MX_BUSY=600 MX_LOG=yes MX_MAXIMUM=10 MX_MINIMUM=2 MX_SOCKET=/var/spool/MIMEDefang/mimedefang-multiplexor.sock MX_USER=defang
EnvironmentFile=-/etc/default/mimedefang
# This can be removed with MIMEDefang 2.82:
SuccessExitStatus=1
ExecStart=/bin/sh -c 'HOME=${SPOOLDIR:=/var/spool/MIMEDefang} \
exec /usr/bin/mimedefang-multiplexor -D \
`[ "$MX_EMBED_PERL" = "yes" ] && echo "-E"` \
`[ -n "$SPOOLDIR" ] && echo "-z $SPOOLDIR"` \
`[ -n "$FILTER" ] && echo "-f $FILTER"` \
`[ -n "$SYSLOG_FACILITY" ] && echo "-S $SYSLOG_FACILITY"` \
`[ -n "$SUBFILTER" ] && echo "-F $SUBFILTER"` \
`[ -n "$MX_MINIMUM" ] && echo "-m $MX_MINIMUM"` \
`[ -n "$MX_MAXIMUM" ] && echo "-x $MX_MAXIMUM"` \
`[ -n "$MX_MAP_SOCKET" ] && echo "-N $MX_MAP_SOCKET"` \
`[ -n "$MX_LOG_SLAVE_STATUS_INTERVAL" ] && echo "-L $MX_LOG_SLAVE_STATUS_INTERVAL"` \
`[ -n "$MX_USER" ] && echo "-U $MX_USER"` \
`[ -n "$MX_IDLE" ] && echo "-i $MX_IDLE"` \
`[ -n "$MX_BUSY" ] && echo "-b $MX_BUSY"` \
`[ -n "$MX_REQUESTS" ] && echo "-r $MX_REQUESTS"` \
`[ -n "$MX_SLAVE_DELAY" ] && echo "-w $MX_SLAVE_DELAY"` \
`[ -n "$MX_MIN_SLAVE_DELAY" ] && echo "-W $MX_MIN_SLAVE_DELAY"` \
`[ -n "$MX_MAX_RSS" ] && echo "-R $MX_MAX_RSS"` \
`[ -n "$MX_MAX_AS" ] && echo "-M $MX_MAX_AS"` \
`[ "$MX_LOG" = "yes" ] && echo "-l"` \
`[ "$MX_STATS" = "yes" ] && echo "-t /var/log/mimedefang/stats"` \
`[ "$MX_STATS" = "yes" -a "$MX_FLUSH_STATS" = "yes" ] && echo "-u"` \
`[ "$MX_STATS_SYSLOG" = "yes" ] && echo "-T"` \
`[ "$MD_ALLOW_GROUP_ACCESS" = "yes" ] && echo "-G"` \
`[ "$MX_STATUS_UPDATES" = "yes" ] && echo "-Z"` \
`[ -n "$MX_QUEUE_SIZE" ] && echo "-q $MX_QUEUE_SIZE"` \
`[ -n "$MX_QUEUE_TIMEOUT" ] && echo "-Q $MX_QUEUE_TIMEOUT"` \
`[ -n "$MX_NOTIFIER" ] && echo "-O $MX_NOTIFIER"` \
`[ -n "$MX_RECIPOK_PERDOMAIN_LIMIT" ] && echo "-y $MX_RECIPOK_PERDOMAIN_LIMIT"` \
-s $MX_SOCKET'
ExecStartPre=/bin/rm -f $MX_SOCKET

Re: [Mimedefang] REVISED: postfix/mimedefang socket

2017-09-28 Thread Richard Laager
I have attached fully split, native, Type=simple (not forking) unit
files, which I have tested on Ubuntu 16.04.

They honor the settings in /etc/default/mimedefang. This includes the
MX_USER setting (i.e. systemd does not directly control the service user).

They are configured such that if you do start/stop/reload/restart the
mimedefang service (as before), the actions propagate to
mimedefang-multiplexor appropriately.

Some questions (for Dianne?):

1) Is it necessary to rm $SOCKET and $MX_SOCKET *before starting*?

2) Is it necessary to rm $SOCKET and $MX_SOCKET *after stopping*?

3) The init script (at least on Ubuntu) says, '# Locale should be set to
"C" for generating valid date headers'. I see a strftime() in
mimedefang-multiplexor.c. Plus, the Perl code inherits from the
multiplexor, so I can understand this. Is setting LC_ALL=C necessary for
the mimedefang process too, or just mimedefang-multiplexor?

4) The mimedefang-multiplexor process exits with status 1 on SIGTERM. I
am absolutely sure (because I'm doing it by hand for testing) that I am
only sending a SIGTERM, and only to the main mimedefang-multiplexor
process (not the children). It logs 'Received SIGTERM: Stopping slaves
and terminating' and then reaps the slaves as expected; there are no
errors in the log. Is that exit status expected?

I have built the unit files assuming the following answers:
1) Yes.
2) Yes.
3) Not necessary for mimedefang, only mimedefang-multiplexor.
4) "Yes", as this happens (whether expected or not).

-- 
Richard

[Unit]
Description=MIMEDefang E-mail Filter
Documentation=man:mimedefang(8)
Before=multi-user.target
Before=postfix.service
Before=sendmail.service
After=remote-fs.target
After=systemd-journald-dev-log.socket
BindsTo=mimedefang-multiplexor.service
After=mimedefang-multiplexor.service
PropagatesReloadTo=mimedefang-multiplexor.service

[Service]
Type=simple
Restart=on-failure
TimeoutStopSec=30s
Environment=MX_SOCKET=/var/spool/MIMEDefang/mimedefang-multiplexor.sock MX_USER=defang SOCKET=/var/spool/MIMEDefang/mimedefang.sock
EnvironmentFile=-/etc/default/mimedefang
ExecStartPre=/bin/rm -f $SOCKET
ExecStart=/bin/sh -c 'exec /usr/bin/mimedefang -D \
`[ -n "$LOOPBACK_RESERVED_CONNECTIONS" ] && echo "-R $LOOPBACK_RESERVED_CONNECTIONS"` \
-m $MX_SOCKET \
`[ -n "$SPOOLDIR" ] && echo "-z $SPOOLDIR"` \
`[ -n "$MX_USER" ] && echo "-U $MX_USER"` \
`[ -n "$SYSLOG_FACILITY" ] && echo "-S $SYSLOG_FACILITY"` \
`[ "$MX_RELAY_CHECK" = "yes" ] && echo "-r"` \
`[ "$MX_HELO_CHECK" = "yes" ] && echo "-H"` \
`[ "$MX_SENDER_CHECK" = "yes" ] && echo "-s"` \
`[ "$MX_RECIPIENT_CHECK" = "yes" ] && echo "-t"` \
`[ "$KEEP_FAILED_DIRECTORIES" = "yes" ] && echo "-k"` \
`[ "$MD_EXTRA" != "" ] && echo $MD_EXTRA` \
`[ "$MD_SKIP_BAD_RCPTS" = "yes" ] && echo "-N"` \
"`[ -n "$X_SCANNED_BY" ] && \
  ( [ "$X_SCANNED_BY" = "-" ] && \
echo "-X" || echo "-x$X_SCANNED_BY" )`" \
`[ "$MD_ALLOW_GROUP_ACCESS" = "yes" ] && echo "-G"` \
`[ "$ALLOW_NEW_CONNECTIONS_TO_QUEUE" = "yes" ] && echo "-q"` \
-p $SOCKET'
ExecStopPost=/bin/rm -f $SOCKET
# Make this service eligible for a reload, so we can propagate it to
# mimedefang-multiplexor.service.
ExecReload=/bin/true

[Install]
WantedBy=multi-user.target

[Unit]
Description=MIMEDefang E-mail Filter (Multiplexor)
Documentation=man:mimedefang-multiplexor(8)
After=remote-fs.target
After=systemd-journald-dev-log.socket
PartOf=mimedefang.service

[Service]
Type=simple
Restart=on-failure
TimeoutStopSec=30s
KillMode=mixed
# Locale should be set to "C" for generating valid date headers
Environment=LC_ALL=C MX_BUSY=600 MX_LOG=yes MX_MAXIMUM=10 MX_MINIMUM=2 MX_SOCKET=/var/spool/MIMEDefang/mimedefang-multiplexor.sock MX_USER=defang
EnvironmentFile=-/etc/default/mimedefang
SuccessExitStatus=1
ExecStart=/bin/sh -c 'HOME=${SPOOLDIR:=/var/spool/MIMEDefang} \
exec /usr/bin/mimedefang-multiplexor -D \
`[ "$MX_EMBED_PERL" = "yes" ] && echo "-E"` \
`[ -n "$SPOOLDIR" ] && echo "-z $SPOOLDIR"` \
`[ -n "$FILTER" ] && echo "-f $FILTER"` \
`[ -n "$SYSLOG_FACILITY" ] && echo "-S $SYSLOG_FACILITY"` \
`[ -n "$SUBFILTER" ] && echo "-F $SUBFILTER"` \
`[ -n "$MX_MINIMUM" ] && echo "-m $MX_MINIMUM"` \
`[ -n "$MX_MAXIMUM" ] && echo "-x $MX_MAXIMUM"` \
`[ -n "$MX_MAP_SOCKET" ] && echo "-N $MX_MAP_SOCKET"` \
`[ -n "$MX_LOG_SLAVE_STATUS_INTERVAL" ] && echo "-L $MX_LOG_SLAVE_STATUS_INTERVAL"` \
`[ -n "$MX_USER" ] && echo "-U $MX_USER"` \
`[ -n "$MX_IDLE" ] && echo "-i $MX_IDLE"` \
`[ -n "$MX_BUSY" ] && echo "-b $MX_BUSY"` \
`[ -n "$MX_REQUESTS" ] && echo "-r $MX_REQUESTS"` \
`[ -n "$MX_SLAVE_DELAY" ] && echo "-w $MX_SLAVE_DELAY"` \
`[ -n "$MX_MIN_SLAVE_DELAY" ] && echo "-W $MX_MIN_SLAVE_DELAY"` \
`[ -n "$MX_MAX_RSS" ] && echo "-R $MX_MAX_RSS"` \
`[ -n "$MX_MAX_AS" ] && echo "-M $MX_MAX_AS"` \
`[ "$MX_LOG" = "yes" ] && echo "-l"` \
`[ "$MX_STATS" = "yes" ] && echo "-t 

Re: [Mimedefang] REVISED: postfix/mimedefang socket

2017-09-28 Thread Richard Laager
For those of you that don't use systemd, you can just ignore this. None
of this affects the SysV init scripts in any way.

Here's a first run at the diff from the generated unit to a manual unit
to fix the issue. The relevant change is making ExecStop use "stop wait"
instead of just "stop".

The init script (at least on my system, which is Ubuntu 16.04) does not
do a "wait" on stop, but only on restart. That arguably seems fine in
the SysV world.

The other changes I made in the [Service] section weren't required for
this particular problem, but seem like things we'd want.

This fixes the problem for me.

I think a more correct solution for systemd is to make this two units,
one for mimedefang and one for mimedefang-multiplexor. I'm going to work
on that next, before submitting anything to Debian.

--- /run/systemd/generator.late/mimedefang.service  2017-09-16 
01:25:06.77200 -0500
+++ /lib/systemd/system/mimedefang.service  2017-09-28 18:41:38.651481894 
-0500
@@ -1,10 +1,5 @@
-# Automatically generated by systemd-sysv-generator
-
 [Unit]
-Documentation=man:systemd-sysv-generator(8)
-SourcePath=/etc/init.d/mimedefang
-Before=multi-user.target
-Before=multi-user.target
+Documentation=man:mimedefang(8)
 Before=multi-user.target
 Before=graphical.target
 Before=shutdown.target
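
Review bot: The `Before=multi-user.target`, `Before=graphical.target` and `Before=shutdown.target` lines kept as context in [Unit] are carried over from the systemd-sysv-generator output and are worth pruning now that the unit is hand-maintained. `Before=shutdown.target` is already implied by a service's default dependencies, and only the duplicated `Before=multi-user.target` lines are dropped here. It is also worth confirming that the installed file has an [Install] section, since none is visible in this diff and the generated unit did not need one.
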
@@ -14,12 +9,11 @@
 
 [Service]
 Type=forking
-Restart=no
+Restart=on-failure
 TimeoutSec=5min
-IgnoreSIGPIPE=no
-KillMode=process
+KillMode=control-group
 GuessMainPID=no
 RemainAfterExit=yes
 ExecStart=/etc/init.d/mimedefang start
-ExecStop=/etc/init.d/mimedefang stop
+ExecStop=/etc/init.d/mimedefang stop wait
 ExecReload=/etc/init.d/mimedefang reload
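
Review bot: `Restart=on-failure` in [Service] is unlikely to take effect while the `GuessMainPID=no` and `RemainAfterExit=yes` context lines stay. With `Type=forking`, no `PIDFile=` in the section as shown and no guessed main PID, systemd has no daemon process to watch, and `RemainAfterExit=yes` keeps the unit active even after every process has exited. Either add a `PIDFile=` and drop those two lines, or keep `Restart=no` until the unit is split into native services. Separately, `TimeoutSec=5min` also bounds `ExecStop`, so a hung `stop wait` can hold up shutdown for five minutes.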


-- 
Richard


Re: [Mimedefang] REVISED: postfix/mimedefang socket

2017-09-25 Thread Richard Laager
On 09/25/2017 12:14 AM, Bill Cole wrote:
> A service definition in a unit file has an ExecStart definition
> and maybe an ExecStop definition

ExecStop must not return until the service has actually stopped:
https://www.freedesktop.org/software/systemd/man/systemd.service.html#ExecStop=

There are a couple ways to address this. As discussed, the init script
can be changed to always wait on stop. Then the automatic mapping in
systemd should Just Work.

Otherwise, as discussed, we need to create a unit file.

For a temporary measure, if one is willing to depend on the SysV init
script, it should be possible to do something simple like:
ExecStop=/etc/init.d/mimedefang stop ; /etc/init.d/mimedefang wait

The fully native approach would be to include (either directly, or in a
small helper script) the wait loop (but not the status nor the killing
bits, as systemd handles those things).

Unless someone beats me to it, I'll whip up a systemd unit file in the
next few days, test it, and submit a patch to Debian.

-- 
Richard


Re: [Mimedefang] REVISED: postfix/mimedefang socket

2017-09-22 Thread Richard Laager
On 09/22/2017 12:47 PM, Michael Fox wrote:
> Option 3:  Use unix socket in Postfix chroot jail

This looks to be what I do. I'm running Postfix and MIMEDefang on
Ubuntu, both from packages. Postfix runs as the postfix user, and
there's a defang group. I run Postfix in a chroot.

These appear to be the relevant parts of my install script:

adduser --quiet postfix defang

install -d -o defang -g defang -m 750 \
    /var/spool/postfix/var/spool/MIMEDefang

chown -R defang:defang \
    /var/lib/MIMEDefang \
    /var/spool/MIMEDefang \
    /var/spool/postfix/var/spool/MIMEDefang

sed -i 's|^\(# \)\?\(SOCKET\)=.*|\2=/var/spool/postfix/var/spool/MIMEDefang/mimedefang.sock|' \
    /etc/default/mimedefang

I believe we have some sort of trouble if one of the daemons is
restarted, but not the other, or if it's done in the wrong order or
something. I don't have a lot of specifics off the top of my head. In
practice, we hardly ever restart one or the other. It's usually either
stopping both (and starting MIMEDefang first, to give slaves a chance to
spin up), or rebooting the server.

I hope this helps. If you have specific questions, I'll try to dig into
my config if I can. I'm currently out of the office, though.

-- 
Richard

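To confirm that a host actually ended up in the state the install steps in the message above aim for, the layout can be audited after the fact. This is an added example, not Richard's script and not part of MIMEDefang; it assumes GNU stat (as on Ubuntu), and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: audit the chroot socket layout created by the install steps.

# socket_setting FILE: effective SOCKET= value in a defaults file
# (the last uncommented assignment wins, as it would when sourced).
socket_setting() {
    sed -n 's/^SOCKET=//p' "$1" | tail -n 1
}

# check_dir DIR OWNER GROUP MODE: succeed only if DIR is a real directory
# (not a symlink) with exactly that owner, group and octal mode.
check_dir() {
    if [ -L "$1" ] || [ ! -d "$1" ]; then
        echo "FAIL $1: not a plain directory"; return 1
    fi
    actual=$(stat -c '%U %G %a' "$1") || return 1
    if [ "$actual" != "$2 $3 $4" ]; then
        echo "FAIL $1: is '$actual', expected '$2 $3 $4'"; return 1
    fi
    echo "ok   $1 ($actual)"
}

# in_group USER GROUP: succeed if USER is a member of GROUP.
in_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -Fqx -- "$2"
}

# audit_chroot_socket DEFAULTS CHROOT OWNER GROUP MTA_USER
# Prints one line per check and returns 0 only if every check passes.
audit_chroot_socket() {
    defaults=$1 chroot=$2 owner=$3 group=$4 mta=$5
    rc=0
    sock=$(socket_setting "$defaults")
    case $sock in
        "$chroot"/*) echo "ok   SOCKET=$sock is inside $chroot" ;;
        *) echo "FAIL SOCKET='$sock' is not under $chroot"; rc=1 ;;
    esac
    # Mode 750: the filter user owns the directory, group members (the MTA)
    # may enter it, and everyone else is locked out.
    check_dir "$(dirname "$sock")" "$owner" "$group" 750 || rc=1
    if in_group "$mta" "$group"; then
        echo "ok   $mta is in group $group"
    else
        echo "FAIL $mta is not in group $group"; rc=1
    fi
    return $rc
}

# Values taken from the post; run as: sh audit.sh --run
if [ "${1:-}" = "--run" ]; then
    audit_chroot_socket /etc/default/mimedefang /var/spool/postfix \
        defang defang postfix
fi
```
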

Re: [Mimedefang] Message-ID

2017-09-14 Thread Richard Laager
On 09/14/2017 07:44 PM, Joseph Brennan wrote:
> So, back to where we started. What will be in that generated Message-ID?

See mimedefang.pl:

sub gen_msgid_header {
    my ($ss, $mm, $hh, $mday, $mon, $year, $wday, $yday, $isdst) =
        localtime(time);

    # Generate a "random" message ID that looks
    # similar to sendmail's for SpamAssassin comparing
    # Received / MessageID QueueID
    return sprintf("Message-ID: <%04d%02d%02d%02d%02d.%s\@%s>\n",
        $year + 1900,
        $mon  + 1,
        $mday,
        $hh,
        $mm,
        ($QueueID eq 'NOQUEUE' ? rand() : $QueueID),
        get_host_name()
    );
}

> Would my mail host's name, the one that received the message, be in it?

Yes:

sub get_host_name {
    # Use cached value if we have it
    return $PrivateMyHostName if defined($PrivateMyHostName);

    # Otherwise execute "hostname"
    $PrivateMyHostName = hostname;

    $PrivateMyHostName = "localhost" unless defined($PrivateMyHostName);

    # Now make it FQDN
    my($fqdn) = gethostbyname($PrivateMyHostName);
    $PrivateMyHostName = $fqdn if (defined $fqdn) and length($fqdn) >
        length($PrivateMyHostName);

    return $PrivateMyHostName;
}

-- 
Richard


Re: [Mimedefang] Message-ID

2017-09-11 Thread Richard Laager
On 09/11/2017 03:30 PM, Dianne Skoll wrote:
> On Mon, 11 Sep 2017 16:26:38 -0400
> Joseph Brennan  wrote:
> 
>> When a message comes in with no Message-ID header, and MD passes it to
>> SpamAssassin, what is in the Message-ID that SA sees?
> 
> Nothing at all.  There's no Message-ID header in the message that gets passed
> to SpamAssassin.

Are you sure?

spam_assassin_mail() calls gen_msgid_header().

-- 
Richard


Re: [Mimedefang] [postfix] $QueueId not defined

2017-05-25 Thread Richard Laager
Make sure you have this set in your Postfix configuration:
smtpd_delay_open_until_valid_rcpt = no

-- 
Richard


Re: [Mimedefang] Get recipients

2017-04-12 Thread Richard Laager
On 04/12/2017 04:12 AM, Stagiair 2. Cisa wrote:
> Could this be the result of using an EFA-server?  
> (https://efa-project.org/about/)
> It uses postfix instead of sendmail.  

I use postfix.

The first argument to filter_recipient() is the recipient. The same
value is also put into the first element of @Recipients.

Add these three lines, exactly, to filter_recipient():

sub filter_recipient()
{
    my $a = $_[0];
    my $b = $Recipients[0];
    md_syslog('info', "a = $a ; b = $b");
}

See what that outputs. My output looks like this:
a =  ; b = 

If you get something like that, then whatever code you wrote to look at
@Recipients is wrong. Start with the working code and you should be able
to figure it out.

If that exact code outputs:
a = ; b =
then the recipient value really is the empty string, and I have no idea why.

-- 
Richard


Re: [Mimedefang] Get recipients

2017-04-11 Thread Richard Laager
On 04/11/2017 10:09 AM, Stagiair 2. Cisa wrote:
> I've checked on capitals and this was fine. It looked like a non-existing or 
> empty array.
> 
> After some testing I've found out the array actually really exists and I can 
> access it.
> The only problem is that the values (the different recipients addresses) are 
> empty in the array.
> 
> When I send to 3 recipients, it actually sees that there are 3 recipients but 
> instead of giving me the addresses it returns an empty string.
> So I think the array is like
>   @Recipients = ("", "", "");
> 
> Same for 2 recipients, it sees there are 2 but returns empty strings.
>   @Recipients = ("", "");
> 
> I tried using foreach to get the recipients out of the array.
> I've also tried using #Recipients[i], but no success either.

Please keep your replies on-list, not just to me individually.

I don't know why you'd be seeing that. I use @Recipients extensively in
my filter and it works fine.

I'd probably try sticking some syslog calls in mimedefang.pl (the actual
mimedefang code) where it sets @Recipients. Then trace from there.

-- 
Richard


Re: [Mimedefang] Get recipients

2017-04-07 Thread Richard Laager
On 04/07/2017 03:25 AM, Stagiair 2. Cisa wrote:
> I've tried getting the recipients out of the @recipients array but it seems 
> to be empty.

Note the first letter is capitalized. It's @Recipients, not @recipients.

> Should I call it on a specific time or in a specific function?

It is available at filter_begin() through filter_end() time, with all of
the recipients. From `man mimedefang-filter`, "In filter_recipient, it
is set to the single recipient currently under consideration."

-- 
Richard


Re: [Mimedefang] Anti-spam breakthrough from Roaring Penguin

2017-04-07 Thread Richard Laager
On 04/07/2017 08:59 AM, Dianne Skoll wrote:
> The part about reaching into Dovecot
> to move the message is slightly worrying; it implies that the scanning
> process has significant privileges.

It could be limited. For the simplest example, assume the same
machine... The defang user could have a sudo rule that allows it to call
one particular script as the vmail/dovecot user. That script would take
arguments of the account (email address) and a Message-ID. It would move
the message with that ID from Junk (and only Junk) to Inbox. In this
way, defang wouldn't have arbitrary access to IMAP mailboxes.

> An enhancement would be to automatically train messages in Junk as spam
> if they've been there for at least 5 days.

We were doing something like that for a while. When a message was
expired (deleted) from Junk, we would train it as spam. In our case,
that was 14 days.

We were doing global (not per-user) Bayesian filtering, so it was a mess
accuracy-wise and we quit Bayesian filtering entirely.

-- 
Richard
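
The restricted helper described in the message above, as an added example that is not part of the original message or of MIMEDefang. The script path, the doveadm path, the sudoers rule and the folder names INBOX and Junk are assumptions; the point is that the source and destination are fixed and both arguments are validated before doveadm runs.

```perl
#!/usr/bin/perl
# Hypothetical helper /usr/local/sbin/md-unjunk, reachable only through a
# sudoers rule such as (constructed):
#   defang ALL=(vmail) NOPASSWD: /usr/local/sbin/md-unjunk
# and invoked by the filter as:
#   sudo -u vmail /usr/local/sbin/md-unjunk user@example.com '<id@host>'
use strict;
use warnings;

my $DOVEADM = '/usr/bin/doveadm';   # assumption: absolute path, never from PATH

# Returns the argv to execute, or dies. Nothing the caller passes can change
# the source folder, the destination folder or the doveadm subcommand.
sub build_command {
    my ($account, $msgid) = @_;

    die "bad account\n"
        unless defined $account
        && $account =~ /\A[A-Za-z0-9][A-Za-z0-9._+-]{0,63}\@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+\z/;

    # Printable ASCII without spaces or angle brackets, wrapped in <>.
    # doveadm's HEADER key is a substring match, so keeping the brackets
    # stops a short ID from matching inside a longer one.
    die "bad message-id\n"
        unless defined $msgid
        && $msgid =~ /\A<[\x21-\x3b\x3d\x3f-\x7e]{1,250}>\z/;

    return ($DOVEADM, 'move', '-u', $account, 'INBOX',
            'mailbox', 'Junk', 'HEADER', 'Message-ID', $msgid);
}

unless (caller) {
    if (@ARGV == 2) {
        my @cmd = build_command(@ARGV);
        # List form of exec: no shell ever sees the arguments.
        exec { $cmd[0] } @cmd or die "exec $cmd[0]: $!\n";
    }

    # No arguments: show the validation on constructed inputs.
    my @cases = (
        [ 'user@example.com', '<20170407.1234@mail.example.net>' ],
        [ '-A',               '<20170407.1234@mail.example.net>' ],
        [ 'user@example.com', '<x> mailbox INBOX' ],
    );
    for my $case (@cases) {
        my @cmd = eval { build_command(@$case) };
        print @cmd ? "ok:       @cmd\n" : "rejected: @$case ($@)" =~ s/\n\)/)\n/r;
    }
}
1;
```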


Re: [Mimedefang] Anti-spam breakthrough from Roaring Penguin

2017-04-05 Thread Richard Laager
On 04/05/2017 04:20 AM, Jan-Pieter Cornet wrote:
> Funny thing is, this method of both accepting AND rejecting

Speaking of both accepting and rejecting...

On a serious note, I wonder if anyone has built this:

if (greylisting says to tempfail)
{
    # add a header, such that this message will be delivered to the
    # user's Junk folder

    resend_message();

    # store some data so we can find the message later

    action_tempfail();
}
else
{
    if (we accepted this message before)
    {
        # reach out to Dovecot, move the message from Junk to Inbox
        # (possibly if and only if it is still unread)

        action_discard();
    }
}

This pseudo-code assumes stream_by_recipient() or enhancements for users
with different filtering preferences. This also requires greylisting to
happen at DATA, not RCPT.


We would accept the message (but deliver it to the Junk folder) while
reporting a tempfail to the sender. If the sender retries correctly, we
move the message from Junk into Inbox.

This means my Inbox gets all the advantages of greylisting. I also get
every message delivered immediately; if I need a "password reset" email
or something from a new sender on the phone, I can look in my Junk folder.

-- 
Richard





Re: [Mimedefang] Get recipients

2017-03-20 Thread Richard Laager
On 03/20/2017 10:52 AM, Stagiair 2. Cisa wrote:
> Now coming to the point: I always had a fixed value for the email address
> to test my functions but now I want to get the email address(es) from
> the incoming mails.

Look at the @Recipients array.

Obviously, a single message may have multiple recipients, so you need to
deal with that accordingly. For example, if you have one recipient who
wants the attachment replaced and one who does not, what do you do? The
details of how you want to handle that depend on the situation. If you
want to honor both, you will need to do something involving resending
the message--see resend_message(). See also stream_by_recipient().

See `man mimedefang-filter` for more details.

-- 
Richard


Re: [Mimedefang] action_drop_with_warning with recipient depending message

2017-01-06 Thread Richard Laager
You have to understand that MIMEDefang is operating on one message. It
may have multiple recipients, but anything you do happens to that message.

If you want different per-recipient behavior for the same message,
somewhere along the line you need to resend the message. You can do this
up-front all the time with stream_by_recipient() or you can do it as
needed with resend_message().

-- 
Richard


Re: [Mimedefang] Block internal messages

2016-12-26 Thread Richard Laager
On 12/26/2016 03:35 PM, Marcelo Machado wrote:
> I am new to Mimedefang and I would like to know if it is possible to
> block internal messages, (from my domain to my domain) if the number
> of recipients is greater than 10.

Anything is possible if you write the custom Perl code required. What
you have described wouldn't be too terribly hard. No, that's not an
offer to write it. Look at the @Recipients array. In there, you can
determine if some recipients are local, and how many. The $Sender
variable is how you'd determine if the sender is local.

-- 
Richard


Re: [Mimedefang] Sender Address Verification

2016-12-09 Thread Richard Laager
On 11/23/2016 12:22 PM, Richard Laager wrote:
> On 11/22/2016 12:55 PM, Bill Cole wrote:
>> the SAV rule was never decisive in a correct SA 'spam' determination
> 
> Thanks for sharing. This is good information.
> 
> I've made a note to re-evaluate my SAV rules after the holiday. I have
> some test harnesses to determine whether an individual rule "made a
> difference" in the outcome of the spam decision.

I looked at 6 full days of my results. About 3.7% of the messages that
make it to SpamAssassin scoring (RBLs, attachment extension checks, and
ClamAV are earlier) were blocked *only* because of sender address
verification. That is, they were over the threshold with SAV, but under
the threshold without SAV.

-- 
Richard


Re: [Mimedefang] Sender Address Verification

2016-11-23 Thread Richard Laager
On 11/22/2016 12:55 PM, Bill Cole wrote:
> the SAV rule was never decisive in a correct SA 'spam' determination

Thanks for sharing. This is good information.

I've made a note to re-evaluate my SAV rules after the holiday. I have
some test harnesses to determine whether an individual rule "made a
difference" in the outcome of the spam decision. If it turns out it's
useless for me, I can rip out my SAV code, which is a win regardless of
one's viewpoint on whether it is abusive.

-- 
Richard


Re: [Mimedefang] Sender Address Verification

2016-11-23 Thread Richard Laager
We have been doing sender address verification for years.

Looking through the code...

We use custom MIMEDefang code around DNS::Resolver and
md_check_against_smtp_server(). We wrap the md check in a block and use
alarm() to timeout, as MD's timeout doesn't always work (e.g. if the
server is intentionally or unintentionally tarpitting where TCP responds
quickly but SMTP is slow). We do our callback from the NULL sender
address. We do not perform the check if the sender to us is the NULL sender.

If we get a TEMPFAIL result, but the message matches /gr[ae]ylist/i, we
treat the address as valid.

We exempt *.bounces.google.com because they fail verification and we
don't want the score increase from it. We special-case *@charter.net, as
they (at least at one time) reject the NULL sender completely! We accept
MXes that point to CNAMEs, even though that is an RFC violation.

We cache invalid results for 1 hour and valid results for 7 days. We add
1.5 points for a tempfail and 3 points for a reject. None of these
values were exhaustively optimized.

-- 
Richard
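
The scoring, greylist handling, caching and alarm() timeout described in the message above, as an added example that is not Richard's code. `sav_points()` and the injected `$probe` callback are hypothetical names; in a filter the callback would wrap md_check_against_smtp_server() called with the null sender. Scoring a timeout as a tempfail and caching tempfails for the one-hour "invalid" lifetime are assumptions the message does not state.

```perl
#!/usr/bin/perl
use strict;
use warnings;

my %TTL    = (valid => 7 * 86400, invalid => 3600);   # cache lifetimes from the message
my %POINTS = (CONTINUE => 0, TEMPFAIL => 1.5, REJECT => 3);
my $EXEMPT = qr/\.bounces\.google\.com>?$/i;           # *.bounces.google.com
my %cache;                                             # in-memory for the example

# $probe is a code ref returning ($result, $text) in the style of
# md_check_against_smtp_server(): CONTINUE, TEMPFAIL or REJECT plus the
# server's reply text.
sub sav_points {
    my ($sender, $probe, $now, $timeout) = @_;

    return 0 if $sender eq '' || $sender eq '<>';   # no callback for the null sender
    return 0 if $sender =~ $EXEMPT;

    my $key = lc $sender;
    my $hit = $cache{$key};
    return $hit->{points} if $hit && $hit->{expires} > $now;

    # Own alarm() around the probe: a tarpit can answer TCP quickly and then
    # stall in SMTP. Assumption: a timeout is scored like a tempfail.
    my ($result, $text) = ('TEMPFAIL', 'callback timed out');
    eval {
        local $SIG{ALRM} = sub { die "timeout\n" };
        alarm $timeout;
        ($result, $text) = $probe->($sender);
        alarm 0;
        1;
    } or do { alarm 0; die $@ unless $@ eq "timeout\n" };

    # A greylisting tempfail is treated as a valid address.
    $result = 'CONTINUE'
        if $result eq 'TEMPFAIL' && ($text // '') =~ /gr[ae]ylist/i;

    my $points = $POINTS{$result} // 0;
    $cache{$key} = {
        points  => $points,
        expires => $now + ($points ? $TTL{invalid} : $TTL{valid}),
    };
    return $points;
}

# Stand-alone run with constructed senders and constructed server replies.
unless (caller) {
    my $now   = time;
    my %probe = (
        '<ok@example.net>'     => sub { ('CONTINUE', '250 2.1.5 Ok') },
        '<grey@example.net>'   => sub { ('TEMPFAIL', '451 4.7.1 Greylisted, try later') },
        '<gone@example.net>'   => sub { ('REJECT',   '550 5.1.1 User unknown') },
        '<tarpit@example.net>' => sub { sleep 5; ('CONTINUE', '250 Ok') },
        '<>'                   => sub { die "never probed\n" },
    );
    for my $sender (sort keys %probe) {
        printf "%-24s %.1f\n", $sender, sav_points($sender, $probe{$sender}, $now, 1);
    }
    # One minute later the reject is answered from the cache, not the probe.
    printf "%-24s %.1f (cached)\n", '<gone@example.net>',
        sav_points('<gone@example.net>', sub { die "never probed\n" }, $now + 60, 1);
}
1;
```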


Re: [Mimedefang] conditionally add boilerplate in message with more than one recipient

2016-09-22 Thread Richard Laager
On 09/22/2016 11:54 AM, Vieri Di Paola wrote:
>> From: "Richard Laager" <rlaa...@wiktel.com>
>>> It's a typo, I presume? In my example, u...@domain.com wants the 
>>> boilerplate and u...@domain.org doesn't. So I guess you meant "resend to 
>>> u...@domain.com, 
>>> delete_recipient(u...@domain.org) and add boilerplate", right?
>>
>> No, I don't think so? If ORG does NOT WANT boilerplate, then you resend
>> to ORG and delete ORG, as resending sends the original, unmodified, no
>> boilerplate message. Then you add boilerplate for the remaining
>> recipient, which is COM, who WANTS the boilerplate.
> 
> OK, got it. However, I want all the filtering stuff in the filter*() 
> functions to be applied to the "resent" message to ORG, except the 
> boilerplate. I guess it's not possible because resend_message resends the 
> ORIGINAL message and won't be processed.

When the message is resent, you'll see it again in another run of the
filter. That's your opportunity to do what you need for the ORG
recipient. Craft your filter very carefully in light of this!

-- 
Richard


Re: [Mimedefang] conditionally add boilerplate in message with more than one recipient

2016-09-22 Thread Richard Laager
On 09/21/2016 05:13 PM, Vieri Di Paola wrote:
>> From: "Richard Laager" <rlaa...@wiktel.com>
>> So in your case, you would resend to u...@domain.org,
>> delete_recipient(u...@domain.org), and then add the boilerplate.
> 
> It's a typo, I presume? In my example, u...@domain.com wants the boilerplate 
> and u...@domain.org doesn't. So I guess you meant "resend to u...@domain.com, 
> delete_recipient(u...@domain.org) and add boilerplate", right?

No, I don't think so? If ORG does NOT WANT boilerplate, then you resend
to ORG and delete ORG, as resending sends the original, unmodified, no
boilerplate message. Then you add boilerplate for the remaining
recipient, which is COM, who WANTS the boilerplate.

-- 
Richard


Re: [Mimedefang] conditionally add boilerplate in message with more than one recipient

2016-09-21 Thread Richard Laager
On 09/21/2016 09:09 AM, Vieri Di Paola wrote:
>> You can stream_by_recipient() so MIMEDefang resends the message for each
>> recipient. In this way, your filter code can handle recipients
>> differently. Note the warnings in the mimedefang-filter man page, though.
> 
> The man page isn't too extensive on this. At a first glance it seems that 
> calling stream_by_recipient in filter_begin does not trigger the code in 
> filter_end, for instance. So if  stream_by_recipient is true then only 
> filter() is run?

I don't use stream_by_recipient() and never have. Here's my
understanding, though... If stream_by_recipient() returns false, there
was only one user, so stream_by_recipient() did nothing and the filter
runs as normal. If there are multiple recipients, then
stream_by_recipient() resends the original message to each recipient
individually, and your filter should terminate. You'll then see the new
messages in separate invocations of your filter.

>> Alternatively, you can do all the work yourself, and only selectively
>> resend when necessary. This is what I do (not for boilerplate insertion,
>> but other things).
> 
> How do you do that?
> Do you use resend_message()? (but that resends immediately the ORIGINAL 
> message)

Until a few weeks ago, yes. We were adding a header in some cases. So
what we did was: if everyone wants the header, add it, and we're done.
If some recipients want the header and some don't, resend the (original)
message to those who *don't*, remove them with delete_recipient(), and
add the header.

So in your case, you would resend to u...@domain.org,
delete_recipient(u...@domain.org), and then add the boilerplate.

We're now doing more extensive modifications, so I have re-implemented
resend_message() with my own code to modify the message as appropriate.

-- 
Richard
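
The selective-resend approach from the message above, as an added example that is not part of the original message and not Richard's filter. `wants_boilerplate()`, the boilerplate text and the example.com/example.org addresses are hypothetical; `resend_message()`, `delete_recipient()`, `append_text_boilerplate()` and `md_syslog()` are the mimedefang-filter functions, stubbed only when the file is run on its own.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# In a real filter, @Recipients and the action functions come from
# mimedefang.pl. The stubs are installed only when this file is run on its
# own, and just record what the filter asked for.
our (@Recipients, @Trace);
unless (defined &resend_message) {
    *resend_message          = sub { push @Trace, "resend original to @_"; 1 };
    *delete_recipient        = sub { push @Trace, "drop $_[0] from this copy"; 1 };
    *append_text_boilerplate = sub { push @Trace, "append boilerplate"; 1 };
    *md_syslog               = sub { push @Trace, "syslog($_[0]): $_[1]"; 1 };
}

my $BOILERPLATE = "This message was scanned by the mail gateway.";   # constructed text

# Hypothetical policy lookup: here, only example.com asked for the boilerplate.
sub wants_boilerplate {
    my ($rcpt) = @_;
    (my $addr = lc $rcpt) =~ s/^<|>$//g;
    return $addr =~ /\@example\.com$/ ? 1 : 0;
}

sub filter_end {
    my ($entity) = @_;

    my @want    = grep {  wants_boilerplate($_) } @Recipients;
    my @opt_out = grep { !wants_boilerplate($_) } @Recipients;

    # Nobody wants it. This is also the case for the resent copy when it
    # comes back through the filter, so there is no resend loop.
    return unless @want;

    if (@opt_out) {
        # resend_message() sends the ORIGINAL message, so it is used for the
        # recipients who do NOT want the modification.
        unless (resend_message(@opt_out)) {
            md_syslog('warning', 'resend failed; delivering unmodified to all');
            return;
        }
        # delete_recipient() needs the address exactly as it appears in
        # @Recipients, angle brackets included.
        delete_recipient($_) for @opt_out;
    }

    # Only the recipients who asked for it are left on this copy.
    append_text_boilerplate($entity, $BOILERPLATE, 0);
    return;
}

# Stand-alone run with a constructed two-recipient message.
unless (caller) {
    @Recipients = ('<user@example.org>', '<user@example.com>');
    filter_end(undef);
    print "$_\n" for @Trace;
}
1;
```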


Re: [Mimedefang] conditionally add boilerplate in message with more than one recipient

2016-09-21 Thread Richard Laager
On 09/21/2016 07:16 AM, Vieri Di Paola wrote:
> Suppose I have an email that's being sent To: u...@domain.org, 
> u...@domain.com.
> 
> @Recipients will hold both addresses.
> I'd like mimedefang to add a boilerplate only for the message being sent to 
> u...@domain.com.
> 
> Is that possible?
> If so, how?

You can stream_by_recipient() so MIMEDefang resends the message for each
recipient. In this way, your filter code can handle recipients
differently. Note the warnings in the mimedefang-filter man page, though.

Alternatively, you can do all the work yourself, and only selectively
resend when necessary. This is what I do (not for boilerplate insertion,
but other things).

-- 
Richard


Re: [Mimedefang] clamav-unofficial-sigs and pyzor

2016-09-19 Thread Richard Laager
On 09/19/2016 01:48 AM, Marcus Schopen wrote:
> Did you activate all signatures
> or just e.g. sanesecurity sigs? I read activating all signatures turns
> clamav into an evil memory monster, while only activating sanesecurity
> sigs catches most and doesn't need that much resources.

I don't adjust the defaults. I don't use anything that requires signing
up. I just looked into those, but they're for non-commercial use, which
is why they require a sign-up.

> What about pyzor or razor integration? Do they help or just burn
> performance?

I think I tried Pyzor a long time ago and found it worthless, but I have
no idea what it's like now.

We have Razor enabled. Historically, that's been very effective, though
I haven't actually double-checked recently.

-- 
Richard


Re: [Mimedefang] clamav-unofficial-sigs and pyzor

2016-09-19 Thread Richard Laager
On 09/19/2016 12:46 AM, Marcus Schopen wrote:
> may be a little bit off topic, but is there any experience with the
> efficiency of pyzor and clamav-unofficial-sigs

We use clamav-unofficial-sigs. If clamd triggers, it's a hard fail for
us, regardless of whether it was a virus or spam rule. We do
differentiate them for logging and SMTP rejection messages.

I can't say how much spam would have been blocked anyway by later
processing (e.g. SpamAssassin), but we have very few (but non-zero over
the years) false positives. And in our filter, whitelisting does not
bypass this test; maybe it should, but that's the current setup.

-- 
Richard


Re: [Mimedefang] reread mimedefang after sa-update

2016-09-14 Thread Richard Laager
On 09/14/2016 11:12 AM, Marcus Schopen wrote:
> On Wednesday, 14.09.2016, at 11:51 -0400, Dianne Skoll wrote:
>> On Wed, 14 Sep 2016 17:46:07 +0200
>> Marcus Schopen  wrote:
>>
>>> Sep 14 17:39:55 scansrv mimedefang-multiplexor[24029]: Cannot destroy
>>> and recreate a Perl interpreter safely on this platform.  Filter rules
>>> will NOT be reread.
>>
>> Huh!  That is very weird.  I don't get anything like that on Debian Jessie.
> 
> Hmmm, I get this error on Ubuntu 12.04 LTS too, mimedefang 2.71, perl
> 5.14.2.
> 
>> If you get that message, then you'll need to do restart instead of reread.
> 
> Okay, but this might harm a mail which is in process. Any ideas how to
> fix above error?

I'm digging into it right now. The problem seems to be that Perl outputs
-lpthread as a required LDFLAG, but gcc needs -pthread (with no "l"), or
else it fails linking to the symbol pthread_setspecific.

Since the SAFE_EMBED_PERL configure test then fails to compile,
MIMEDefang thinks it can't do a reread on this platform.

-- 
Richard


Re: [Mimedefang] Sendmail SOCKETMAP

2016-04-27 Thread Richard Laager

I don't use either feature.

On 04/27/2016 02:20 PM, Dianne Skoll wrote:

> I most likely won't delete the features.  It's the curse of software
> development... published APIs must live forever. :(


If killing the features is the right move, just call it MIMEDefang 3. 
Seriously! Don't be afraid of bumping the major version.


--
Richard


Re: [Mimedefang] Permissions on /varspool/MIMEDefang

2016-02-10 Thread Richard Laager

On 02/10/2016 11:01 PM, Bill Maidment wrote:

> Hi
> After your most recent release I have had problems with the permissions on
> /var/spool/MIMEDefang being reset to 0750 after a reboot.
> I need the permission to be 0770 to allow for clamd scanner to use the
> directory.
> I eventually discovered this line in /usr/lib/tmpfiles.d/mimedefang.conf
> z /var/spool/MD-Quarantine 0750 defang defang - -


`grep -r tmpfiles.d mimedefang-2.78` returns nothing for me. Are you 
sure this isn't coming from your distro's package of MIMEDefang?


Also, /var/spool/MIMEDefang and /var/spool/MD-Quarantine aren't the same 
thing.


And in any event, why would clamd need to write to /var/spool/MIMEDefang?

--
Richard


Re: [Mimedefang] Any way to get MD to accept a Postfix queue ID at RCPT time?

2015-04-28 Thread Richard Laager

On 04/28/2015 02:53 PM, Dianne Skoll wrote:

> Actually, this is a more thought-through patch.  I don't use Postfix, but
> if any Postfix users would care to give this a try, I'd appreciate it.


I can confirm this patch, plus smtpd_delay_open_until_valid_rcpt = no 
result in $MsgID having a real value (rather than NOQUEUE) in 
filter_recipient().


--
Richard


Re: [Mimedefang] Fwd: Re: clamav vs clamd vs clamscan

2014-10-14 Thread Richard Laager
I think you should make sure mimedefang is actually being started with
the -G option. Like, look at output from `ps`. Also, stick a sleep(60)
in the filter or something to slow it down. That way, you can catch the
Work directories live and see what their permissions look like. If the
directory is 700 instead of 750 (or similar) or the files are 600
instead of 640, then mimedefang's umask is the issue. Otherwise, as was
noted, maybe clamd isn't picking up the group membership somehow.

-- 
Richard




Re: [Mimedefang] Fwd: Re: clamav vs clamd vs clamscan

2014-10-13 Thread Richard Laager
On Mon, 2014-10-13 at 17:00 -0500, Cliff Hayes wrote:
> Did what you said and I can't touch a new temp file in
> /var/spool/MIMEDefang ... permission denied ... but clamd appears to be
> running as clamav

Your tests below should be expected to fail. mimedefang.pid is not
group-readable. And the directory is not group-writable.

Try reading mimedefang-multiplexor.pid which is group-readable:
su -s /bin/bash clamav
cd /var/spool/MIMEDefang
cat mimedefang-multiplexor.pid

> su -s /bin/bash clamav
> bash-4.1$ cd /var/spool/MIMEDefang
> bash-4.1$ ls -l
> total 8
> -rw-r----- 1 defang defang 5 Oct 13 16:50 mimedefang-multiplexor.pid
> srwxrwx--- 1 defang defang 0 Oct 13 16:50 mimedefang-multiplexor.sock
> -rw------- 1 defang defang 5 Oct 13 16:50 mimedefang.pid
> srwxrwx--- 1 defang defang 0 Oct 13 16:50 mimedefang.sock
> bash-4.1$ vi mimedefang.pid
> bash-4.1$ touch temp
> touch: cannot touch `temp': Permission denied

-- 
Richard




Re: [Mimedefang] Fwd: Re: clamav vs clamd vs clamscan

2014-10-12 Thread Richard Laager
On Sun, 2014-10-12 at 14:18 -0500, Cliff Hayes wrote:
> I tried your idea.
> I updated the following in clamd.conf:
> LocalSocket /var/run/clamav/clamd.socket
> PidFile /var/run/clamav/clamd.pid
> User clamav
>
> Now I get this error when starting clamd:
> ERROR: Can't open/parse the config file /usr/local/etc/clamd.conf
> I am starting as root as instructed in clamd.conf
> I have gotten that error before ... it usually means there is a user
> issue.  When I go back to running as root it knows to look in /etc/ for
> clamd.conf

I have no idea why your clamd is looking in /usr/local/etc instead
of /etc.

-- 
Richard




Re: [Mimedefang] Fwd: Re: clamav vs clamd vs clamscan

2014-10-10 Thread Richard Laager
If you still have problems, make sure you run MIMEDefang with the -G
option. If your MIMEDefang is packaged like mine, set
MD_ALLOW_GROUP_ACCESS=yes in /etc/default/mimedefang.

This causes MIMEDefang to use a umask that allows group readability.

-- 
Richard




Re: [Mimedefang] Relayed emails can't be filter!

2014-06-13 Thread Richard Laager
On Fri, 2014-06-13 at 14:35 +0700, Cương Bùi wrote:
> submit.mc has this line (ubuntu distro default). I've commented out it.

Don't comment it out. You want that line.

-- 
Richard



Re: [Mimedefang] Access to sendmail marco client_addr

2014-05-05 Thread Richard Laager
On Mon, 2014-05-05 at 11:03 -0600, Mark Costlow wrote:
> We've found that this approach works and is valuable, although it has
> been tricky to determine what a safe number of IPs is to allow.  In
> particular, smartphones roaming around the city tend to look like they
> are connecting from many IPs.  We eventually changed the comparison to
> consider the number of /24 subnets the IPs were from, which helped.
> (I.e. 172.14.89.2, 172.14.89.12, and 172.14.89.119, all
> count as being from a single subnet).

Thanks to both you and the OP for sharing this interesting idea. I'll
definitely keep this in mind. Here's a bit on a technique we've used:

To quarantine phished accounts, we've implemented something that tracks
the number of new recipients a given sender sends mail to. If that
exceeds a limit over the last (i.e. rolling window of) 72 hours, then
we lock out the account.

This works remarkably well. I don't think we've ended up on a block list
since, and there have been very few false positives. We've hit a few
people sending to 200 recipients from Outlook. We've been able to
address that by moving them to a mailing list system, which I think is
the right answer for that anyway.

-- 
Richard
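
The new-recipient tracking described in the message above, as an added example that is not Richard's implementation. The limit of 100, the in-memory storage and the function names are assumptions; the 72-hour rolling window is from the message, and "new" is taken to mean a recipient this sender has never mailed before.

```perl
#!/usr/bin/perl
use strict;
use warnings;

my $WINDOW = 72 * 3600;   # rolling window from the message above
my $LIMIT  = 100;         # assumption: the message does not give the real limit

# sender => { recipient => epoch time this sender first mailed them }
# In-memory for the example; MIMEDefang runs several worker processes, so a
# real filter needs a shared store (a database or key-value server).
my (%first_seen, %locked_at);

sub normalize {
    my ($addr) = @_;
    $addr =~ s/^<|>$//g;
    return lc $addr;
}

# Record one message and return how many recipients became "new" for this
# sender within the window. Locks the sender once the count exceeds $LIMIT.
sub note_message {
    my ($sender, $rcpts, $now) = @_;
    $sender = normalize($sender);

    my $seen = $first_seen{$sender} //= {};
    $seen->{ normalize($_) } //= $now for @$rcpts;   # keep the FIRST contact time

    # Established correspondents have an old first-contact time and drop out
    # of the count; only addresses first mailed inside the window remain.
    my $new = grep { $now - $_ < $WINDOW } values %$seen;

    $locked_at{$sender} //= $now if $new > $LIMIT;
    return $new;
}

sub is_locked { return exists $locked_at{ normalize($_[0]) } ? 1 : 0 }

# Stand-alone run on constructed traffic. In a filter, note_message() would be
# fed $Sender and @Recipients for local senders, and is_locked() consulted
# before accepting further mail from that account.
unless (caller) {
    my $t0 = 1_700_000_000;   # constructed timestamps

    # Ordinary user: the same five correspondents, once a day for five days.
    my @usual = map { "friend$_\@example.net" } 1 .. 5;
    my $count;
    $count = note_message('<alice@example.com>', \@usual, $t0 + $_ * 86400) for 0 .. 4;
    printf "alice: %3d new in window, locked=%d\n",
        $count, is_locked('alice@example.com');

    # Phished account: three bursts of 40 never-seen addresses in three hours.
    for my $burst (0 .. 2) {
        my @targets = map { 'rcpt' . ($burst * 40 + $_) . '@example.org' } 1 .. 40;
        $count = note_message('<bob@example.com>', \@targets, $t0 + $burst * 3600);
        printf "bob:   %3d new in window, locked=%d\n",
            $count, is_locked('bob@example.com');
    }
}
1;
```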




Re: [Mimedefang] )What AV scanners do you use? (was Re: Any Sophie users out there?

2014-03-20 Thread Richard Laager
On Thu, 2014-03-20 at 15:04 -0400, David F. Skoll wrote:
> Post-Cisco, ClamAV seems to have greatly declined in usefulness.
> It catches hardly anything anymore... anyone else experiencing this?

Are you using clamav-unofficial-signatures? We are.

I have no idea how much we should be catching. But here's a dump of what
we're doing, in case it's helpful to anyone. If I'm doing something
stupid or not doing something smart, I welcome feedback.

We outright reject files with these extensions:
my $bad_exts = '(ade|adp|app|asd|bas|bat|chm|cmd|com|cpl|crt|exe|fxp|'
             . 'hlp|hta|hto|inf|ini|ins|isp|jse?|lib|lnk|mde|mim|msc|msp|mst|ocx|pcd|'
             . 'pif|prg|scr|sct|shb|shs|sys|vb|vbe|vbs|vxd|wmd|wms|wsc|wsf|wsh|\{[^\}]+\})';
my $bad_filename_regex = '\.' . $bad_exts . '\.*$';

We outright reject encrypted zip files.

We ignore official or unofficial signatures with virus names that
match: /^(AAPL|Application|PUA|SPR)\./

We handle the phishing and spam signatures differently, and exempt mail
going to our helpdesk or a variety of phishing-reporting addresses (at
banks, etc.):

/^(
    (email)?(abuse|fraud|phish(ing)?|(report_)?spam|spoof)\@.*
  | .*\@(abuse\.net|spam\.spamcop\.net)
  | aollegal\@aol\.com
  | askvisa(usa)?\@visa\.com
  | enforcement\@sec\.gov
  | fraud_help\@usbank\.com
  | mail-spoof\@cc\.yahoo-inc\.com
  | phishing-report\@us-cert\.gov
  | reports\@habeas\.com
  | stop-spoofing\@amazon\.com
  | reportphish\@wellsfargo\.com
)$/x

I'm skeptical that reporting phishing scams to major banks actually does
any good, but some of our customers want to be able to do so. We ignore
the Heuristics.Phishing.Email.SpoofedDomain test because of false
positives. Maybe we could score it, but we don't currently.

Viruses from the Internet are silently discarded to avoid generating
backscatter. Viruses from our customers are rejected (so they get an
error in their mail client if there's a false positive). Phishing/spam
mail detected by clamav is rejected on the spot; unlike SpamAssassin, we
apply this regardless of user settings and whitelisting does not apply.
In other words, the false positive rate is very, very low.

The encrypted zip and filename extensions are separate error messages
from each other and separate from spam and virus messages. We
special-case .lnk blocking with an error message that says they should
mail the file itself, not the shortcut to it.

-- 
Richard
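
The policy described in the message above, written as two decision routines; this is an added example, not the poster's filter. The patterns are copied from the post, while case-insensitive filename matching, the "Phish"/"Spam" naming test, the all-recipients exemption rule, the sample names and the function names are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Patterns copied from the post.
my $bad_exts = '(ade|adp|app|asd|bas|bat|chm|cmd|com|cpl|crt|exe|fxp|'
    . 'hlp|hta|hto|inf|ini|ins|isp|jse?|lib|lnk|mde|mim|msc|msp|mst|ocx|pcd|'
    . 'pif|prg|scr|sct|shb|shs|sys|vb|vbe|vbs|vxd|wmd|wms|wsc|wsf|wsh|'
    . '\{[^\}]+\})';
my $bad_filename_regex = '\.' . $bad_exts . '\.*$';
my $ignored_sig = qr/^(AAPL|Application|PUA|SPR)\./;
my $report_rcpt = qr/^(
      (email)?(abuse|fraud|phish(ing)?|(report_)?spam|spoof)\@.*
    | .*\@(abuse\.net|spam\.spamcop\.net)
    | aollegal\@aol\.com | askvisa(usa)?\@visa\.com
    | enforcement\@sec\.gov | fraud_help\@usbank\.com
    | mail-spoof\@cc\.yahoo-inc\.com | phishing-report\@us-cert\.gov
    | reports\@habeas\.com | stop-spoofing\@amazon\.com
    | reportphish\@wellsfargo\.com
)$/x;

# Attachment filename check: returns 'ok', 'reject-lnk' or 'reject-ext'.
# The two reject values stand for the separate error messages in the post.
# Matching with /i is an assumption of this example.
sub filename_verdict {
    my ($name) = @_;
    return 'ok' unless defined $name && $name =~ /$bad_filename_regex/i;
    # $1 holds the extension matched by the group in $bad_exts.
    return lc($1) eq 'lnk' ? 'reject-lnk' : 'reject-ext';
}

# Scanner hit: returns 'ignore', 'accept', 'reject' or 'discard'.
sub scan_verdict {
    my ($sig, $from_customer, @rcpts) = @_;

    # Signature classes the post says are ignored.
    return 'ignore' if $sig =~ $ignored_sig;
    return 'ignore' if $sig eq 'Heuristics.Phishing.Email.SpoofedDomain';

    # Assumption: phishing and spam signatures carry "Phish", "Phishing"
    # or "Spam" as one dot-separated component of the name.
    if ($sig =~ /(?:^|\.)(?:Phish(?:ing)?|Spam)(?:\.|$)/i) {
        # Assumption: the exemption applies only if every recipient is a
        # reporting address.
        my @not_exempt = grep { lc($_) !~ $report_rcpt } @rcpts;
        return (@rcpts && !@not_exempt) ? 'accept' : 'reject';
    }

    # Anything else is treated as a virus: reject for customers so they see
    # the error, discard for Internet senders to avoid backscatter.
    return $from_customer ? 'reject' : 'discard';
}

# Constructed sample inputs, not taken from real mail.
for my $f ('invoice.pdf', 'Invoice.PDF.exe', 'photo.jpg.scr...',
           'Quarterly Report.lnk', 'notes.{CONSTRUCTED-CLSID}') {
    printf "%-28s %s\n", $f, filename_verdict($f);
}

my @cases = (
    # signature name (constructed), from customer?, recipients
    ['PUA.Example.Packer-1',                    0, 'user@example.com'],
    ['Heuristics.Phishing.Email.SpoofedDomain', 0, 'user@example.com'],
    ['Example.Phishing.Bank-2.UNOFFICIAL',      0, 'user@example.com'],
    ['Example.Phishing.Bank-2.UNOFFICIAL',      1, 'phishing-report@us-cert.gov'],
    ['Example.Trojan.Dropper-3',                0, 'user@example.com'],
    ['Example.Trojan.Dropper-3',                1, 'user@example.com'],
);
for my $c (@cases) {
    my ($sig, $cust, @rcpts) = @$c;
    printf "%-42s customer=%d -> %s\n",
        $sig, $cust, scan_verdict($sig, $cust, @rcpts);
}
```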




Re: [Mimedefang] Perl DBI problem stops mimedefang from loading?

2013-12-06 Thread Richard Laager
On Fri, 2013-12-06 at 07:44 -0500, Scott Galambos wrote:
> I was using these on an older 32 bit single processor 
> server without a problem for years.  I'm now trying to migrate to a 64 
> bit SMP server and I can't specify these max values without it failing 
> with the following error.

64 bits > 32 bits. Every pointer is larger, so applications take more
memory. We had a similar issue (not with DBI, but with the max memory
settings all of a sudden being too small) when we upgraded our
MIMEDefang systems from 32 to 64 bits.

Retest to find new appropriate values for your 64 bit systems.

-- 
Richard




[Mimedefang] Debugging MIME Parsing Errors

2013-10-14 Thread Richard Laager
We have a user who is forwarding a Delta airlines email. They've
forwarded it several times for testing. Sometimes it gets bounced with
the "Message contained too many MIME parts." message, while other times
it goes through.

I have $MaxMIMEParts set to 100.

I've looked at the code and it seems to me that when parsing fails, it
is *assumed* to be due to having too many parts. Unless parse() returns
undef for too many parts and something else that's false for other
parser failures? But if that's the case, why the check that
$MaxMIMEParts > 0? So I'm not sure if this is really because of too many
MIME parts or not.

Here's the MIMEDefang code I'm referring to:

push_status_tag("Parsing Message");
$entity = $parser->parse(\*FILE);
pop_status_tag();
close FILE;

if (!defined($entity) && $MaxMIMEParts > 0) {
    # Message is too complex; bounce it
    action_bounce("Message contained too many MIME parts.  We do not accept such complicated messages.");
    signal_unchanged();
    signal_complete();
    return;
}

if (!$entity) {
    fatal("$MsgID: Couldn't parse MIME in $file: $!");
    signal_complete();
    return -1;
}

What's the best way to debug this? It seems like I need to keep a copy
of the raw message from a time when it failed. Would
KEEP_FAILED_DIRECTORIES=yes apply here, or is this not a case of the
filter failing (since the filter didn't actually crash)?

-- 
Richard




Re: [Mimedefang] How to change envelope sender?

2013-05-07 Thread Richard Laager
How are you getting on the Spamcop block list?

Are you doing any outbound filtering?

-- 
Richard




[Mimedefang] md_check_against_smtp_server() returned an empty response

2013-03-27 Thread Richard Laager
This is unrelated to the other thread.

I'm troubleshooting an issue where md_check_against_smtp_server()
intermittently hangs for 5 minutes. It's *always* 300 seconds exactly
(ignoring sub-second precision).

The error is always the "returned an empty response" from
get_smtp_return_code().

I'm using this function for doing callbacks against the sender's
address. I look up the MX records using Net::DNS. Before you hate me too
much, I cache positive responses for 7 days and negative responses for 1
hour. The delays discussed above are around the actual
md_check_against_smtp_server() call and *nothing else*. To get this far,
I had to instrument my filter with logging before and after every
non-trivial block of code.

Does anyone have any idea why the 15 second IO::Socket::INET timeout
isn't applying in these cases?

Thanks,
Richard




Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log

2013-03-27 Thread Richard Laager
On Wed, 2013-03-27 at 19:45 +0100, Tilman Schmidt wrote:
> On 27.03.2013 15:59, Matt Garretson wrote:
>> Note that md_graphdefang_log should not be used in filter_relay,
>> filter_sender or filter_recipient.  The global variables it relies
>> on are not valid in that context.
>> [...]
> 
> Although I checked the manpage several times in the course of this
> thread I never noticed that paragraph. Well, you live and learn.

This is a silly restriction that I wish was lifted. Yes, the subject
will be blank if you call it earlier, but that's unavoidable. I don't
actually use graphdefang, though. So that may be coloring my thinking.

In my filter, I have code that does more-or-less the same thing but
without this restriction. It works great.

-- 
Richard



Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log

2013-03-25 Thread Richard Laager
On Mon, 2013-03-25 at 13:53 -0700, kd6...@yahoo.com wrote:
> Although this will issue a QUIT when an error is returned, it does NOT
> do so when the transaction succeeds to the point where 'DATA' is
> normally issued.

I'm not seeing that. I have MIMEDefang 2.71-2build1 on Ubuntu Precise. I
see code to issue a QUIT unconditionally after the RCPT TO command.

-- 
Richard




Re: [Mimedefang] md_check_against_smtp_server and md_graphdefang_log

2013-03-25 Thread Richard Laager
On Mon, 2013-03-25 at 17:00 -0700, kd6...@yahoo.com wrote:
> This is what I saw:
>   if ($retval ne 'CONTINUE') {
>   $sock->print("QUIT\r\n");
> 
> Looks pretty conditional to me.  If the return value is the continue literal, 
> no quit is issued.

I've now pulled mimedefang.pl.in from the 2.73 tarball off the website.
Here's the function from HELO onwards:

$sock->print("HELO $helo\r\n");
$sock->flush();

($retval, $code, $dsn, $text) = get_smtp_return_code($sock, $recip, $server);
if ($retval ne 'CONTINUE') {
    $sock->print("QUIT\r\n");
    $sock->flush();
    # Swallow return value
    get_smtp_return_code($sock, $recip, $server);
    $sock->close();
    return ($retval, $text, $code, $dsn);
}

$sock->print("MAIL FROM:$sender\r\n");
$sock->flush();

($retval, $code, $dsn, $text) = get_smtp_return_code($sock, $recip, $server);
if ($retval ne 'CONTINUE') {
    $sock->print("QUIT\r\n");
    $sock->flush();
    # Swallow return value
    get_smtp_return_code($sock, $recip, $server);
    $sock->close();
    return ($retval, $text, $code, $dsn);
}

$sock->print("RCPT TO:$recip\r\n");
$sock->flush();

($retval, $code, $dsn, $text) = get_smtp_return_code($sock, $recip, $server);
$sock->print("QUIT\r\n");
$sock->flush();
# Swallow return value
get_smtp_return_code($sock, $recip, $server);
$sock->close();
return ($retval, $text, $code, $dsn);

Here, in the last chunk, is the unconditional QUIT. The other,
conditional, QUIT commands handle error cases. If the whitespace was
like this instead, it'd be easier to see:

$sock->print("RCPT TO:$recip\r\n");
$sock->flush();
($retval, $code, $dsn, $text) = get_smtp_return_code($sock, $recip, $server);

$sock->print("QUIT\r\n");
...

-- 
Richard




Re: [Mimedefang] Email injection and the android 'email' app

2013-03-05 Thread Richard Laager
On Tue, 2013-03-05 at 17:59 -0500, David F. Skoll wrote:
> There's no way you should break your setup to comply with a brain-dead
> Android app.

As a result of this thread, we discussed and tested this in-house (on
just one phone). I believe we did get a notification that the message
didn't send, so that's good. However, the fact that we had to switch it
into airplane mode to be able to delete from the outbox was very
annoying.

That aside, is Android behaving any differently than Thunderbird, or
many other mail clients? Getting a 5xx status code from the outgoing
mail server seems to pop up a dialog and then leave the message in the
outbox on the ones we tested.

This leads to inconsistent behavior between local and remote
destinations. It's arguably good for local destinations, as you can fix
the address typo before sending (thus avoiding breakage when people hit
Reply to All, for example). But I don't think it'd be reasonable for the
outgoing mail server to check the remote addresses at the RCPT TO stage
so that it could (attempt to) provide the consistent behavior of
(nearly) always rejecting at RCPT TO. So if you want consistency,
accepting all recipients for authenticated senders (and then later
generating bounces) seems to be the only option.

-- 
Richard




Re: [Mimedefang] Like action_replace_with_url(), but not quite

2012-08-30 Thread Richard Laager
On Thu, 2012-08-30 at 13:39 -0600, Philip Prindeville wrote:
> I can't use stream_by_recipient() because I don't know which
> attachments need to be removed until I hit filter() and not
> filter_begin().

I don't use the function, but I think the point of stream_by_recipient()
is to ensure that @Recipients only has one address. (It does this by
resending the message locally.) If you do that, you can munge things
directly in filter(), as you never have a case of some recipients
getting the attachments and some not.

However, if this isn't efficient enough for you, you might just want to
save state in filter() and do the streaming in filter_end if and only if
you have recipients that need different handling.

-- 
Richard




Re: [Mimedefang] [OT?] Random Word Spam

2012-02-08 Thread Richard Laager
On Wed, 2012-02-08 at 10:03 +0100, Juergen Kleff wrote:
> Do you use greylisting?

Yes.

> Do the mails indeed come from real mailservers or do they come from 
> compromised dial-in computers?

Real mail servers

> Feeding the mails to spamassassin's bayes database could perhaps help, in 
> spite of the random words. But you should keep an eye on it for the risk of 
> false positives.
> 
> Everything in the headers is different? Nothing common in them?

As far as I could tell, nothing was common. They were incredibly
minimal. The X-Mailer field was full of random (real mail client)
values.

-- 
Richard



[Mimedefang] [OT?] Random Word Spam

2012-02-07 Thread Richard Laager
We've got a customer who is receiving 1 message per second! that
consists solely of random English words stuck together (both subject and
body). This has been happening for 24-36 hours.

As far as I can see, it's coming from hijacked accounts all over the
place (hundreds or thousands of servers) with varying sender addresses.

Is anyone else seeing this sort of thing?

Any idea how I might combat this?

I'd love to bulk submit these messages and report them back to the
admins of the compromised servers, if that might do some good.

-- 
Richard




Re: [Mimedefang] mimedefang+postfix on debian lenny

2009-11-10 Thread Richard Laager
On Tue, 2009-11-10 at 13:00 -0500, David F. Skoll wrote:
> ADNET Ghislain wrote:
> 
> > strange, reinstalling postfix does not remove sendmail completely..
> > anyway it seems to work that way
> 
> Please file a bug with the Debian mimedefang maintainer.  Installing
> MIMEDefang should never force the removal of Postfix.

(I'm not the package maintainer, nor affiliated with him.)

The mimedefang package [1] in Debian, regardless of which version of
Debian you're running, doesn't depend on sendmail, it only recommends
it. Thus, you should be able to have it installed without sendmail.

Is MIMEDefang useful in any way without either sendmail or postfix
installed? It seems to me that the package should say: Depends:
sendmail | postfix.

Richard

[1] http://packages.debian.org/search?keywords=mimedefang




Re: [Mimedefang] mimedefang+postfix on debian lenny

2009-11-10 Thread Richard Laager
On Tue, 2009-11-10 at 13:35 -0500, David F. Skoll wrote:
> I think that's a bug.  It should be suggests, because AFAIK apt-get
> now pulls in recommends packages unless you tell it otherwise.

As an aside, I was never a fan of this change, as it seems to lead to
exactly this.

> There are at least two good reasons to want to run MIMEDefang on a machine
> that isn't also running Sendmail, so the Debian policy should change.

One of those is that you'd want to use Postfix, Recommends: sendmail |
postfix (or even Depends, from my last email) should address that one.

What's the other use?

Is it to run watch-mimedefang? If that's the case, maybe that should
just be split out into a separate package. I see there's already an open
bug suggesting that.

Richard




Re: [Mimedefang] mimedefang+postfix on debian lenny

2009-11-10 Thread Richard Laager
On Tue, 2009-11-10 at 22:30 +0100, ADNET Ghislain wrote:
> i will try to contact him. I run also in another issue. Postfix runs as 
> the user postfix and i do not found any way to configure mimedefang to 
> have a socket that let the postfix user to communicate with it.  Is 
> there any parameters i missed for this ?  adding some sleep 10; chmod 
> 770 and chgrp postfix to the socket seems...weird to me :)

Does this solve the problem:
sudo adduser postfix defang

Richard




Re: [Mimedefang] Greylisting post-data (was Re: [PATCH] filter_data implementation)

2009-05-29 Thread Richard Laager
On Thu, 2009-05-28 at 13:17 -0700, - wrote:
> Then again, I kill messages that have improperly formatted Received:
> header lines.  (Those that claim with *smtp*(wildcarded) must
> conform to 5321 instead of the looser syntax in 5322 and as such, they
> must have from and by clauses that are domain names (or address
> literals).  If they don't, I reject them as malformed spam.

Would you be willing to share this code?

Thanks,
Richard



Re: [Mimedefang] PGP encyption of outging email

2009-05-07 Thread Richard Laager
On Thu, 2009-05-07 at 09:17 +0100, Paul Murphy wrote:
> Steffan wrote:
> 
> > I wonder why you don't want to encrypt/sign in the MUA. It is more 
> > flexible and, well, works most of the time.
> 
> Because users are incapable of getting it right, and the time they forget to
> encrypt the message may also be the time they send company B's confidential
> data to company A.

You might want to consider checking that the message is encrypted and
rejecting if it is not. That's probably WAY simpler and has the
side-effect of educating users on your policy.

Richard




Re: [Mimedefang] Rejecting Cyrillic

2009-04-16 Thread Richard Laager
On Wed, 2009-03-25 at 12:46 -0700, Kenneth Porter wrote:
> I've noticed a lot of spam lately in codepage Windows-1251 (Cyrillic). I'd 
> like to reject it with a "Cyrillic not understood; please resubmit as 
> Unicode". Is there a canonical MIMEDefang idiom for doing that?

I wanted to do largely the same thing and finally found the time to
write it. I was concerned only with Cyrillic subjects as the indicator
of spam. I put the code below in filter_end(), except for the use
statements, which I put at the top with the others. In my filter, I
added points to the SpamAssassin score, but you could call
action_bounce() if you wanted.

I don't know if it's strictly necessary to call decode with "us-ascii".
I did it because I was concerned about Perl's internal handling of bytes
vs. characters.

Any feedback on this code would be greatly appreciated.

Richard



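use Encode;
use MIME::Words;

# Only look at subjects that contain a MIME encoded-word (=?charset?enc?text?=).
if ($Subject =~ m/=\?.+\?.+\?.+\?=/)
{
    my $decoded_subject = "";
    foreach my $pair (MIME::Words::decode_mimewords($Subject))
    {
        # Each pair is [raw bytes, charset]; the charset is unset for plain text.
        if (defined($pair->[1]) && $pair->[1] ne "")
        {
            # decode() dies on a charset that Encode does not know, so
            # guard it; a word that cannot be decoded is skipped.
            my $part = eval { decode($pair->[1], $pair->[0]) };
            $decoded_subject .= $part if defined($part);
        }
        else
        {
            $decoded_subject .= decode("us-ascii", $pair->[0]);
        }
    }

    if ($decoded_subject =~ m/\p{Cyrillic}/)
    {
        # DO SOMETHING HERE: REJECT, ETC.
    }
}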




Re: [Mimedefang] Greylisting netmask

2007-02-03 Thread Richard Laager
On Sat, 2007-02-03 at 21:48 -0500, Jeff Rife wrote:
> Of course, I do use a whitelist for the 
> well-known large providers (Yahoo, AOL, MSN, etc.).

Would you be willing to share this whitelist?

Richard





Re: [Mimedefang] regex filter unwanted words

2007-01-23 Thread Richard Laager
On Tue, 2007-01-23 at 08:51 -0500, [EMAIL PROTECTED] wrote:
> John Rudd wrote on 01/22/2007 06:17:48 PM:
> 
> > As many as you can fit.  But I would be very careful about it.  Plus, I 
> > would make sure to use \b around the words, so that you're not getting 
> > sub-string matches.  For example:
> > 
> > \bsex\b  will match "sex" but not match "Wesex".
> 
> I can't second this strongly enough!  I had a very *IRATE* user 
> complaining about not receiving email from his boss.  Turns out he had 
> created a rule in his mail client to block a certain four letter word and 
> forgot about it.  The problem started when he added his title "Programmer 
> Analyst" to his signature block and he stopped getting replies to his 
> messages.

The best one I ever ran into went like this: A user calls in to complain
that large attachments are being blocked. Smaller attachments work, but
at some unknown point when the messages become too big, they are
blocked. We eventually narrowed it down to a filter on "sex" (as well as
some others for 4-letter words) anywhere in the message body. My theory
was that as messages with attachments got larger and larger, the
probability of them containing "sex" in the base-64 encoded data
approached one. We disabled that filter rule, and everything worked
great again.

Richard
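
A rough estimate of the effect described in the message above, added here as an illustration and not part of the original post. Assumptions: the rule matches the three-letter word case-insensitively anywhere in the raw body, the base64 characters of the attachment behave as independent uniform draws from the 64-symbol alphabet, and line breaks in the encoding are ignored.

Each of the three positions must hold one of 2 letters (upper or lower case) out of 64 symbols, so a given position starts a match with probability

$$p = \left(\tfrac{2}{64}\right)^{3} = 2^{-15} = \tfrac{1}{32768}.$$

An attachment of $B$ bytes encodes to $n = 4\lceil B/3 \rceil$ characters with $n-2$ possible starting positions, so

$$P(\text{at least one match}) \approx 1 - (1-p)^{\,n-2} \approx 1 - e^{-(n-2)/32768}.$$

For $B = 10{,}000$ bytes, $n = 13{,}336$ and $P \approx 1 - e^{-0.41} \approx 0.33$. For $B = 100{,}000$ bytes, $n = 133{,}336$ and $P \approx 1 - e^{-4.07} \approx 0.98$. For $B = 1{,}000{,}000$ bytes, $n = 1{,}333{,}336$ and $P \approx 1 - e^{-40.7}$, which is indistinguishable from 1. This matches the report: small attachments usually pass, and past a few hundred kilobytes nearly every attachment trips the rule.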




Re: [Mimedefang] MIMEDefang 2.59-BETA-2 is Available

2007-01-18 Thread Richard Laager
On Fri, 2007-01-19 at 11:21 +1000, Bill Maidment wrote:
> 2. Entering the ssh passwords for multiple servers is a bit confusing. I work 
> around it
> by starting only one server initially and then adding the others one by one.

Use public key authentication and the ssh-agent.

Richard





Re: [Mimedefang] Overcoming RPM stupidity

2006-12-19 Thread Richard Laager
On Sun, 2006-12-17 at 20:46 -0500, Jeff Rife wrote:
> In the Fedora 6 RPM for MIMEDefang, mimedefang.pl was created using no 
> Features at all.  For most of them, this isn't a big deal, as I can 
> put $Features{'whatever'} = 1 in mimedefang-filter and it works.
> 
> But, this isn't true for Unix::Syslog (or at least I haven't found a 
> way to overcome it).

I've been following the rest of this thread, but seriously, the subject
captures the problem. The Fedora 6 MIMEDefang RPM has a bug. Report it
to the Fedora people to get a fixed RPM. If you need a faster solution,
fix the RPM yourself and install that, then send them the patch.

Any workarounds in the filter are going to be hacky. I think David's on
the right track trying to have MIMEDefang detect them at run-time, but
unless and until that happens, fixing the RPM is the right course of
action here.

Richard





[Mimedefang] OT: RBL checking in Sendmail

2006-12-15 Thread Richard Laager
Currently, we check a couple of RBLs right away in filter_sender(). I've
been thinking that it'd be nice to move those checks from MIMEDefang
into Sendmail, for the following two reasons:

1) If the message ends up being blocked, we avoid a milter call and all
of MIMEDefang's setup overhead.

2) If the message is not blocked, we save some time by having a Sendmail
child waiting on the DNS query instead of a MIMEDefang child. The amount
of time here may be so small as to be irrelevant, though.

I know I could just use the dnsbl rule in my sendmail.mc, but this has
some problems. First, we need to exclude local and authenticated senders
from the RBL tests. Excluding local senders saves useless lookups and
excluding authenticated senders is necessary because users roaming on
other networks may get an IP that was previously being abused.

The only easy way I've found to do this so far is to turn on Sendmail's
delay_checks. However, I think this will cause the following issues:

1. Milter calls are not delayed, so Sendmail will call MIMEDefang (i.e.
for filter_sender) *BEFORE* the RBL checks, completely defeating the
point.

2. Even if I were to re-arrange my filter and make MIMEDefang not call
filter_sender, I think I'd run into a situation where the RBL tests
would be called multiple times, once for each RCPT. I may be wrong,
though.

Ideally, I just want to call the RBL from Sendmail at the MAIL command
stage, before milters are called. Does anyone know how to do that? It
seems I need to add something to do the call from Local_check_mail if
and only if the sender is not local or authenticated.

Thanks,
Richard





Re: [Mimedefang] URIBL/SURBL support

2006-11-27 Thread Richard Laager
On Tue, 2006-11-21 at 10:13 -0500, Joseph Brennan wrote:
> 
> --On Monday, November 20, 2006 12:56 -0800 Kelsey Cummings 
> [EMAIL PROTECTED] wrote:
> 
> > Has anyone written up generic URIBL or SURBL specific support for MD
> > outside of using SpamAssassin?  Mind sharing?
> 
> 
> First you have to parse the URL out of text.  That's fun.  This
> works most of the time for plain text parts.

I use SpamAssassin's URL parsing for this. It's possible to do that
without running the SpamAssassin tests. While complex, this makes a huge
difference in terms of CPU power required.

However, why not just run the SURBL stuff via SpamAssassin?

Richard





Re: [Mimedefang] sendmail and filter_helo interaction

2006-11-09 Thread Richard Laager
On Thu, 2006-11-09 at 23:06 -0500, Dirk the Daring wrote:
>   # Check #3
>   # HELO should not contain localhost

How effective is this for you? Do you run into false positives?

>   # Check #4
>   # If the HELO is an FQDN, the index and rindex of "." will not be the same
>   # This catches the spammer using domain.tld (which will slip
>   #   by Check #2)

I check that the HELO must have a ".", but I haven't gone any further
than that. Does this work well for you? Any false positives?

Richard





RE: [Mimedefang] MIMEDefang 2.57 is Released

2006-06-25 Thread Richard Laager
On Sun, 2006-06-25 at 11:04 -0700, Gary Funck wrote:
> gcc -ansi -pedantic-errors -Wall -Werror t.c
> 
> t.c: In function 'main':
> t.c:8: error: ISO C90 forbids mixed declarations and code

Here -Wdeclaration-after-statement is useful. It's not supported by all
versions of GCC, so it might not be a bad idea to check for it in
a ./configure. (It's been so long since I've build MIMEDefang by hand, I
don't even remember if it uses autoconf.)

Richard





Re: [Mimedefang] MIMEDefang 2.57 is Released

2006-06-20 Thread Richard Laager
On Tue, 2006-06-20 at 10:48 -0400, David F. Skoll wrote:
> The main change from 2.56 is a new scheduling algorithm that tries
> to reuse the same set of slaves for a given command.  That is, it
> will do its best to run all filter_relays on one set of slaves,
> filter_senders on another, etc.

Does this mean it'd be a good idea to initialize SpamAssassin at the
first use, rather than in filter_initialize()?

It seems like if a bunch of slaves are going to end up processing only
filter_sender or filter_relay, then initializing SpamAssassin in
filter_initialize() is a waste of memory (given previously mentioned
facts about reference counting, Perl, and copy-on-write).

Richard




Re: [Mimedefang] milter smorgas board

2006-05-01 Thread Richard Laager
On Mon, 2006-05-01 at 10:29 -0700, Gary Funck wrote:
> http://www.snertsoft.com/solutions.php
>
> Above, a list of milters, many of them open source, some not.
> Thought it might be useful for ideas of add-ons/improvements
> to MdF.

Here's one I thought interesting:

http://www.snertsoft.com/sendmail/milter-7bit/

This Sendmail mail filter will tag or reject email with invalid message
content transfer encodings as given by RFC 2045. For example a message
that is declared to use MIME 7-bit encoding, but contains an 8-bit
octet, NUL byte, and/or unpaired CR or LF characters, would be
considered invalid and tagged/rejected. Variations of these checks are
performed for MIME parts with 8-bit or binary encodings.

-

MIMEDefang already does the NUL and CR/LF checks as suspicious
character checks. But, I'm wondering if the 8-bit check would be
useful.


Here's another:

http://www.snertsoft.com/sendmail/milter-date/

This Sendmail mail filter verifies the conformance of the date-time
strings found in the Received:, Resent-Date:, and Date: headers with
respect to RFC 2822 section 3.3 Date and Time Specification. The milter
also checks that the date-time strings in the previously mentioned
headers have coherent relationships between themselves and the current
mail hop. Mail can be tagged, rejected, or discarded accordingly, if the
date-time strings have invalid syntax, semantics, or are incoherent.

-

How much of this does SpamAssassin do?


Richard


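The transfer-encoding check quoted in the message above (8-bit octets, NUL bytes and unpaired CR or LF in a part declared 7bit, with the relaxed variants for 8bit and binary), as an added Perl example that is not code from milter-7bit or MIMEDefang. The sub name cte_violations and all sample bodies are constructed, and the input is assumed to be the raw, undecoded octets of one MIME part.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Check raw (undecoded) body octets against the declared
# Content-Transfer-Encoding. Returns a list of violations; empty means clean.
sub cte_violations {
    my ($declared, $octets) = @_;
    my $cte = lc $declared;
    my @bad;

    # base64 and quoted-printable bodies must themselves be 7bit on the wire.
    $cte = '7bit' if $cte eq 'base64' or $cte eq 'quoted-printable';
    return @bad if $cte eq 'binary';          # any octet sequence is allowed
    return ("unrecognised encoding '$declared'")
        unless $cte eq '7bit' or $cte eq '8bit';

    # These apply to both 7bit and 8bit data.
    push @bad, 'NUL byte' if $octets =~ /\x00/;
    push @bad, 'bare CR'  if $octets =~ /\r(?!\n)/;
    push @bad, 'bare LF'  if $octets =~ /(?<!\r)\n/;

    # Only 7bit data forbids octets with the high bit set.
    push @bad, '8-bit octet in 7bit data'
        if $cte eq '7bit' and $octets =~ /[\x80-\xFF]/;
    return @bad;
}

# Constructed samples: [declared encoding, raw body octets, description].
my @samples = (
    ['7bit',   "plain ASCII text\r\n",   'clean 7bit body'],
    ['7bit',   "caf\xE9 au lait\r\n",    'Latin-1 octet in 7bit body'],
    ['8bit',   "caf\xE9 au lait\r\n",    'same octets declared 8bit'],
    ['7bit',   "line one\nline two\r\n", 'LF without CR'],
    ['8bit',   "abc\x00def\r\n",         'embedded NUL'],
    ['binary', "\x00\xFF\r",             'binary part'],
);

for my $s (@samples) {
    my ($declared, $octets, $what) = @$s;
    my @bad = cte_violations($declared, $octets);
    printf "%-28s %-7s %s\n", $what, $declared, @bad ? join(', ', @bad) : 'ok';
}
```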


Re: [Mimedefang] milter smorgas board

2006-05-01 Thread Richard Laager
On Mon, 2006-05-01 at 14:12 -0400, Jeff Rife wrote:
> The milter-sender description reminded me...
...
> Does anybody have any experiences with this sort of callback check?

We use it, including a database cache to lighten the load.

Since we do reject on it, I can't say how efficient it is compared to
other tests. From a quick log search, I see this test rejects about
38,000 messages per week, after things like RBLs and HELO checks (which
block about 15,74,000 messages per week.)

In general, my philosophy is that anything which can prevent a
SpamAssassin run is good. Running SA on a message is very CPU intensive
and involves lots of network queries as well.

Richard




Re: [Mimedefang] Image validator/OCR SA plugin

2006-04-14 Thread Richard Laager
On Fri, 2006-04-14 at 18:42 +0200, Martin Blapp wrote:
> Anyone interested should keep an eye on it - it really helps
> with the image only spam we get today. But probably the spammers
> will soon change their tricks to different images which are more
> difficult to read :-(

Interesting... What's the performance like with this? How many messages
do you scan per day with it?

Richard




Re: [Mimedefang] New to MIMEDEFANG

2006-03-28 Thread Richard Laager
On Wed, 2006-03-29 at 10:19 +0530, R.Linga Reddy wrote:
> I am new to MIMEDEFANG, I am planning to install on FEDORA CORE 3 or
> CORE 4, will it support, and is there any problem,

It'll work fine. I run it on Fedora Core 4. The only piece of advice
that comes to mind immediately is to make sure you change your locale so
it's not a UTF-8 locale or SpamAssassin will be incredibly slow.

Richard




Re: [Mimedefang] Mimedefang 2.56 and SA 3.1.1 - Idle slaves

2006-03-15 Thread Richard Laager
On Wed, 2006-03-15 at 14:28 -0500, David F. Skoll wrote:
> (Oh, and by the way:  If any SpamAssassin developers are on the list, could
> you please fire whoever wrote this in Dns.pm:
>
> package Mail::SpamAssassin::Dns;
> 1;
> package Mail::SpamAssassin::PerMsgStatus;
>
> Thanks!)

Has this been filed in SpamAssassin's Bugzilla?

Richard




Re: [Mimedefang] OT: Don't let this happen to you

2006-02-21 Thread Richard Laager
On Thu, 2006-02-16 at 11:50 -0800, Atanas wrote:
> a sendmail log monitoring script that shuts down web sites
> immediately (notifying both parties - the web site owner and the shared
> server administrator) in case a web site starts sending suspicious
> amounts of outgoing emails for a given period of time.
[ snipped ]
> I'm running
> it through a modified version of mod_fastcgi that forks dynamic
> PHP-fastcgi workers on demand and runs them with the privileges of the
> script owner.

Are either of these available online -- especially the modified
mod_fastcgi?

Thanks,
Richard



Re: [Mimedefang] Double From: lines in email

2006-02-21 Thread Richard Laager
On Tue, 2006-02-21 at 11:08 +0100, Sleeuwenhoek J. wrote:
> This doesn't stop emails with double From: headers from forging internal
> email addresses. Does anyone know of a method to stop this from happening.
> Currently I'm preventing this with a custom spamassassin rule, but I like to
> log this with MD.

Open the HEADERS file and run over all the lines. It's one header per
line, guaranteed (so you don't need to handle the wrapping yourself). If
you find a From: header, do your filtering.

This makes me think... Are double From: headers a good indicator of
spam?

Richard


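The approach described in the message above (read the HEADERS file line by line, one header per line, and act on every From: header found), as an added Perl example that is not code from the thread or from MIMEDefang. The sub names, the sample header file and the %internal domain list are constructed; in a filter the path passed in would be the HEADERS file itself.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempfile);

# Collect the value of every From: header in a HEADERS-style file
# (one complete header per line, so no unfolding is needed).
sub from_headers {
    my ($path) = @_;
    open(my $fh, '<', $path) or die "cannot open $path: $!";
    my @values;
    while (my $line = <$fh>) {
        chomp $line;
        # Header names are case-insensitive; allow whitespace before the colon.
        push @values, $1 if $line =~ /^From\s*:\s*(.*)$/i;
    }
    close($fh);
    return @values;
}

# Extract the domain of each user@domain token in a header value.
# Simplified on purpose: this is not a full RFC 2822 address parser.
sub address_domains {
    my ($value) = @_;
    return map { lc($_) } $value =~ /[^\s<>\@,;"]+\@([A-Za-z0-9.-]+)/g;
}

# Constructed sample: two From: headers, the second claiming an internal domain.
my ($tmp, $path) = tempfile(UNLINK => 1);
print {$tmp} <<'END';
Received: from mail.example.net (mail.example.net [192.0.2.25])
From: "Someone" <someone@example.net>
To: user@internal.example
Subject: constructed test message
FROM: "Boss" <boss@internal.example>
END
close($tmp);

my %internal = ('internal.example' => 1);   # hypothetical list of local domains

my @from = from_headers($path);
printf "From: headers found: %d\n", scalar @from;
if (@from > 1) {
    print "multiple From: headers\n";
    for my $value (@from) {
        for my $domain (address_domains($value)) {
            print "  claims internal domain: $domain\n" if $internal{$domain};
        }
    }
}
```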


RE: [Mimedefang] Anyone noticing...

2006-01-17 Thread Richard Laager
On Tue, 2006-01-17 at 17:30 +, Paul Murphy wrote:
> For more background, search the mailing list archives for "Blocking spam
> senders using IPTables?".

Before I spend a lot of time searching... Did you post the script, or
just notes on the idea?

Thanks,
Richard




Re: [Mimedefang] Patch to mimedefang...

2006-01-13 Thread Richard Laager
On Fri, 2006-01-13 at 15:54 -0700, Philip Prindeville wrote:
> I'd like to propose the following patch, as a prequel to the
> posting of an amended mimedefang-filter on the Wiki...

If your changes are only going on the Wiki, then adding a Requires to
the mimedefang package is incorrect.

Richard




Re: [Mimedefang] Patch for Clam 0.88

2006-01-11 Thread Richard Laager
On Wed, 2006-01-11 at 12:36 -0500, David F. Skoll wrote:
> So I found my way out of the twisty passages.  The following patch
> appears to fix ClamAV 0.88 so it works properly on deflate64-compressed
> ZIP files, if you have UNIX unzip installed.

Cool! Have you submitted this to the ClamAV folks?

Richard




Re: [Mimedefang] Please review: new Spamc feature

2005-10-25 Thread Richard Laager
On Tue, 2005-10-25 at 11:01 -0700, [EMAIL PROTECTED] wrote:
> I do all sorts of things w/ MIMEDefang besides spam-scan,
> and while the MIMEDefang threads are doing all these things,
> that SpamAssassin module is sitting there idle, but taking
> up space.

Use the embedded Perl feature of MIMEDefang and use compile_now() from
SpamAssassin. That way, the SpamAssassin initialization is done once.
fork() on Linux (and Unix in general, I believe) is very lightweight.
The SpamAssassin stuff in memory will be shared by all the threads.

I do this, and ... unless I'm very confused ;) ... it saves TONS of
memory.

Richard




Re: [Mimedefang] Adding footers or signatures to all outgoing email

2005-07-08 Thread Richard Laager
On Fri, 2005-07-08 at 22:03 -0400, Lisa Casey wrote:
> I'm also open to ideas about drawbacks to this idea (i.e., why I shouldn't
> do it!).

It's obnoxious.

Also, as e-mails are replied to and forwarded, they acquire many copies
of the message.

Richard Laager




Re: [Mimedefang] PING - PONG support for mimedefang socket

2005-04-13 Thread Richard Laager
On Wed, 2005-04-13 at 16:26 +0200, Martin Blapp wrote:
> What about this little nice patch :-) ?

What is PING/PONG support useful for?

Richard Laager




Re: [Mimedefang] use strict

2005-04-13 Thread Richard Laager
On Wed, 2005-04-13 at 16:29 -0700, John Nemeth wrote:
>  I was thinking of sticking 'use strict;' in my filter in order to
> make sure that it is written cleanly and is less likely to have bugs (I
> realise that 'use strict;' is not a panacea).  Is this likely to cause
> any problems with mimedefang.pl?

Nope. I have use strict and use warnings in my filter.

-- 
Richard Laager [EMAIL PROTECTED]
Wikstrom Telecom Internet




[Mimedefang] resend_message fails

2005-04-06 Thread Richard Laager
resend_message has been failing lately in my filter, it seems. I get the
following error message:

sendmail non-zero exit status in resend_message: 16384

Any thoughts on what this might be?

-- 
Richard Laager [EMAIL PROTECTED]
Wikstrom Telecom Internet



Re: [Mimedefang] resend_message fails

2005-04-06 Thread Richard Laager
On Wed, 2005-04-06 at 13:47 -0400, David F. Skoll wrote:
> Could it be that you're trying to re-mail to an address that begins
> with - so Sendmail is misinterpreting it as a command-line
> option?  If so, I will get you a fix.

I highly doubt it, given the information I know.

Can you suggest a way that I could log what command MIMEDefang is
running so I could check the syntax?

-- 
Richard Laager [EMAIL PROTECTED]
Wikstrom Telecom Internet



Re: [Mimedefang] OT: New Sendmail spam block

2005-03-25 Thread Richard Laager
On Fri, 2005-03-25 at 16:42 -0600, Les Mikesell wrote:
> On Thu, 2005-03-24 at 18:34, Richard Laager wrote:
>
> > If he's blocking because the domain you're sending *doesn't resolve to
> > the IP address of your machine*, he's broken. You *might* also be
> > broken.
>
> Or you might be multi-homed and not changing your name to match
> the interface for each conversation.

Or you might be behind a NAT or PAT device. That's why I said "might."

-- 
Richard Laager [EMAIL PROTECTED]
Wikstrom Telecom Internet



Re: [Mimedefang] OT: New Sendmail spam block

2005-03-24 Thread Richard Laager
On Thu, 2005-03-24 at 16:46 -0500, James Ebright wrote:
> The only issue with that is all of the broken/misconfigured MTAs out there
> M$ exchange servers OFTEN send:
>
> EXCHANGE.servernetbiosname.local as their HELO

That's acceptable damage. We have manual whitelisting and automatic
whitelisting in place to mitigate this. Also, under the example you've
provided, I'd only be adding SpamAssassin points, not blocking outright.
This helps limit the problem, especially since users set their own spam
filtering level.

I've only heard of a couple cases where messages are eventually being
rejected by SpamAssassin because of the 5 points I add for failing this
test. After contacting the administrators, this usually gets fixed
immediately.

> MS outlook express PCs often send their NETBIOS names as the HELO

I don't perform these checks for local machines or clients who have SMTP
authenticated. MUAs do a lot of stupid things, so I have a lot of
exceptions for local users.

-- 
Richard Laager [EMAIL PROTECTED]
Wikstrom Telecom Internet



Re: [Mimedefang] OT: New Sendmail spam block

2005-03-24 Thread Richard Laager
On Thu, 2005-03-24 at 16:17 -0600, Ben Kamen wrote:
> The person I've been having the problems with is quoting RFC821, but
> forgetting he's breaking RFC1123 which is the amendment to 821.

What are you sending as your HELO argument? Here are some sample forms:

foo
foo.example.com (which doesn't resolve)
foo123.example.com (which doesn't match the reverse DNS of the server)

If it's anything but the last form, he's not breaking the letter of the
RFCs. You could argue that it's violating the "be liberal in what you
accept" philosophy but that's no worse than you violating the "be
conservative in what you send" philosophy. How much that philosophy
applies in today's hostile Internet (especially with regard to e-mail)
is a question for another day.

-- 
Richard Laager [EMAIL PROTECTED]
Wikstrom Telecom Internet



Re: [Mimedefang] OT: New Sendmail spam block

2005-03-24 Thread Richard Laager
On Thu, 2005-03-24 at 16:47 -0600, Ben Kamen wrote:
> It's a norton anti-virus gateway sitting behind a firewall. Right now, it just
> hands out its hostname to the server it's talking to.

If the server is handing out its hostname, then it's fine. You just need
to set a proper hostname (fully-qualified and one that exists in DNS).

Also, FYI, Norton anti-virus gateways need to be sandwiched between two
regular servers. They can not handle MUAs or Internet MTAs on either
side. This is one of the major reasons we switched off our Norton
filtering solution a couple years ago.

> I pointed out to him that it does indeed break RFC1123... we'll see how it
> goes from there.

If he's blocking because the domain you're sending *isn't fully
qualified*, he's fine. You're broken.

If he's blocking because the domain you're sending *doesn't resolve*,
he's fine. You're broken.

If he's blocking because the domain you're sending *doesn't resolve to
the IP address of your machine*, he's broken. You *might* also be
broken.

-- 
Richard Laager [EMAIL PROTECTED]
Wikstrom Telecom Internet



RE: [Mimedefang] Scary... Filtering on the outbound.

2005-02-21 Thread Richard Laager
On Mon, 2005-02-21 at 13:33 -0500, David F. Skoll wrote:
> Actually, I see that as a huge issue.  If the key is ever compromised,
> then every piece of e-mail you've ever sent out is vulnerable to
> decryption.  That makes the MIMEDefang machine a very tempting target.

This can be mitigated by creating several encryption subkeys up front.
(This would be done on a secure, unconnected machine.) Each key would be
valid for a specific chunk of time. Then, only install the first on the
server.

Near the expiration date, add the second subkey. A little while after
the expiration date, remove the first. Repeat this as the subkeys
expire. In this way, a compromise would only affect the messages from
one chunk of time (or two in the worst-case scenario when it's
compromised during the overlap around the expiration date). This does
assume that you catch the compromise in a timely fashion. If you wanted
to be absolutely sure about that, you could switch the mail server
functions over to a freshly installed and patched machine every time you
switched subkeys.

The messages could be archived in encrypted form. Assuming you use the
commercial version of PGP, the secret sharing stuff could be used to
ensure that the archived messages could only be read when authorized by
the appropriate person(s). If you're using GnuPG or something else, then
secret sharing isn't really available, but there are other ways of
accomplishing much the same thing.

Richard Laager





Re: [Mimedefang] add boilerplate not working as expected

2004-10-02 Thread Richard Laager
On Sat, 2004-10-02 at 16:35, J.D. Bronson wrote:
>  if ($RelayAddr =~ /^192\.168\.1/ or /^127\.0\.0\.1/) {

Try this instead:
if ($RelayAddr =~ /^192\.168\.1/ or $RelayAddr eq "127.0.0.1") {

The error is that "or" binds two conditional statements. In your
example, it was seeing this as:

statement 1: $RelayAddr =~ /^192\.168\.1/
OR
statement 2: /^127\.0\.0\.1/

Richard





RE: [Mimedefang] roaringpenguin.com is listed in rfc-ignorant

2004-09-28 Thread Richard Laager
On Tue, 2004-09-28 at 20:00, David F. Skoll wrote:
> I defy anyone to show me an RFC that says an SMTP implementation
> MUST accept mail from <> to [EMAIL PROTECTED]

From my e-mails to the admin of rfc-ignorant.org, I believe the stance
is that postmaster (case-insensitive with or without the domain) must
accept mail from anyone. The basis cited for this is RFC 2821,
specifically section 4.5.1:

   SMTP systems are expected to make every reasonable effort to accept
   mail directed to Postmaster from any other system on the Internet.
   In extreme cases --such as to contain a denial of service attack or
   other breach of security-- an SMTP server may block mail directed to
   Postmaster.  However, such arrangements SHOULD be narrowly tailored
   so as to avoid blocking messages which are not part of such attacks.

I said DSNs were the *most common* (emphasis added here so the quote
below makes sense) usage of the null sender and I speculated that you
(David) did not send mail from postmaster, and thus had no reason to
expect DSNs for that address. I imagine you put the block in place to
stop bounces from joe jobs. The rfc-ignorant.org admin said:

   most common != only.

Richard Laager





RE: [Mimedefang] Deadline for SPF records

2004-08-10 Thread Richard Laager
 

> Put a price tag on that. If you are selling a product, how many
> dollars worth of orders are you willing to discard because the
> potential customer sent a request for information through a
> public access point instead of their own ISP?

If a potential customer sends you a message through a public access
point and their domain has SPF enabled and doesn't list that access
point as a valid relay, is that your fault? No, it's their
administrator's fault for setting up restrictive SPF without properly
configuring their employee's/user's laptops.

Example:

Let's say that I work for a hypothetical ACME Widgets, Inc. My e-mail
address is [EMAIL PROTECTED] A potential customer,
[EMAIL PROTECTED], tries to send me an e-mail message from his laptop
using a public access point in his hotel. The network he's on is not
listed as an allowed relay for example.com, according to their SPF
record. My administrator (at acmewidgets.com) is honoring SPF
records. What happens?

If the people at example.com have set up their SPF record to say that
mail from unlisted networks should be bounced, the message will be
bounced. If they've said it should be subject to additional checks,
but not outright rejected, it will be accepted and the SpamAssassin
score increased. The behavior is exactly per their setup.

Richard Laager
Wikstrom Telecom Internet



RE: [Mimedefang] Deadline for SPF records

2004-08-09 Thread Richard Laager
 

> Can't
> someone still forge the user name as long as the domain
> name is correct for the originating IP address or will that
> take yet another change in all MTA's to enforce before this
> one is very useful?

Let's say that the SPF record for futuresource.com says that the
allowed relay is mail.futuresource.com. This means that mail coming
from mail.futuresource.com (as the relay) is legitimate and that all
other mail is likely to be forged. Now, why would
mail.futuresource.com allow someone to spoof the envelope sender from
its own domain? For example, my mail server has been configured to
check all envelope sender addresses which are from local domains.
Therefore, I can't send a message with an envelope sender of
[EMAIL PROTECTED] If SPF was widely adopted, these two
measures would effectively stop forgery of all wiktel.com addresses.

On the other hand, if you simply want to be able to tell if a given
address is valid, that's easy enough to check. Simply connect back to
the MX records for the sending domain and do: MAIL FROM:<> RCPT
TO:<[EMAIL PROTECTED]> Code for this has been posted on the list
before. This allows you to drop completely invalid addresses.

Richard Laager
Wikstrom Telecom Internet



RE: [Mimedefang] Using Mail::GPG in filter to examine PGPattachmentsand messagebody

2004-07-06 Thread Richard Laager
 

> Any ideas on my implementation problem?

I don't have any ideas on the Perl MIME issues. I know more about the
MIMEDefang API and PGP encryption in general than the details of the
Perl MIME stuff.

Richard Laager



RE: [Mimedefang] Using Mail::GPG in filter to examine PGP attachments and messagebody

2004-07-05 Thread Richard Laager
 

> $pass="PASS";
> my $gpg = Mail::GPG->new(default_key_id => '4B771017',
>                          default_passphrase => $pass,
>                          debug => 1,
>                          gnupg_hash_init => { armor   => 1,
>                                               batch   => 1,
>                                               homedir => '/home/defang' } );

Are you really sure you want to do this? The whole point of
end-to-end encryption is to protect from attacks along the way. If
you have the private key and passphrase available on the mail server,
it becomes a single point of failure that would break the encryption
on all of the messages, past and future.

I would recommend that you simply check that the message was
encrypted to the corporate key. Don't actually decrypt it. This does
mean that someone could edit the PGP data to make it look like the
message was encrypted to the corporate key when it wasn't. If this
happens, what is lost? The original recipient can still read the
message, you simply can't decrypt it later with the corporate key.
This may or may not be a problem in your situation.

By the way, E3AA17BD actually looks more like the corporate key (by
its name and the fact that it can revoke your key). For either key,
you've got one subkey set up -- size 2048, never expires. Especially
for a long-life corporate key, you should set up multiple encryption
subkeys with expiration dates. That way, the compromise of one subkey
will only compromise messages that were encrypted to that subkey.


Richard Laager



RE: [Mimedefang] MIMEDefang embedded perl stability issues

2004-06-25 Thread Richard Laager
 

> Add:
>
> use strict;
>
> to your mimedefang filter and the problem will stop after you
> have fixed all the error messages.

This is not true in all cases. This is the same problem I'm having. I
can't do a reread. I've been using use strict in my filter as long
as I remember.

David, I still haven't gotten around to running the gdb commands you
suggested in the other thread a few days back. I hope to get to that
soon if I have time.

Richard Laager



RE: [Mimedefang] MXCommand: read: Connection reset by peer

2004-06-22 Thread Richard Laager
 

> Are you constrained by memory?  What OS are you running?

Fedora Core 1 (Linux 2.4.22-1.2188.nptlsmp kernel)
Dual Pentium III 1.2 GHz
2.5 GB memory, 1 GB swap

/var/spool/MIMEDefang is on a 1.3 GB tmpfs partition.

I'm currently using about 1.7 GB of physical memory and no swap.

I'm running the embedded perl interpreter with 50 slaves set as the
MX_MINIMUM. I have MX_MAXIMUM set to 110. (By the way, what do you
think of these values?)

Richard Laager
Wikstrom Telecom Internet



RE: [Mimedefang] MXCommand: read: Connection reset by peer

2004-06-22 Thread Richard Laager
 

> They seem reasonable for your hardware configuration.  So for some
> reason, the multiplexor is dying?  This is really hard to pin down.
> I think you'll need to attach gdb to the multiplexor and wait for
> it to die.  Do this:

I think I found the problem. I had a script that would force a filter
reread. Doing a reread seems to kill the multiplexor. I've fixed
the problem by changing the script to do a full restart of
MIMEDefang. I know what you've said about the Perl internals, so this
is probably as good as it gets. Is there any fix for the reread
problems? I'm running version 2.43.

Richard Laager
Wikstrom Telecom Internet



RE: [Mimedefang] surbl

2004-04-12 Thread Richard Laager
 

> It looks interesting, but I'm wondering if anyone else has tried
> this with MIMEDefang?  Will it work with MIMEDefang calling
> SpamAssassin by way of its modules?

It depends what you mean by tried this with MIMEDefang. So, I'll
respond out of order. In response to your second question, if
SpamAssassin supports something by itself, MIMEDefang calling
SpamAssassin will utilize such a filtering technique.

On a related note, this thought of a URI blacklist is an idea I've
had (and shared with others) for a while. We'll see the same problem
as we did for Bayesian filtering... Spammers will start including
bogus URIs to avoid the filtering (or as a joe job). This is not to
say it's useless, just as Bayesian filtering is still useful.

URI filtering can be quite handy. I recently implemented code that
would check a message for URIs and then run those URIs through our
pornography filtering database. I called SpamAssassin to do the
actual URI parsing and I did the porn checks from within our
MIMEDefang filter. In this way, I was able to leverage the
SpamAssassin code and avoid reinventing the wheel. Because of the way
I coded, we only run full SpamAssassin checks if the customer wants
full spam filtering. If the customer only wants porn filtering, we
only need to run the URI parsing portion of the SpamAssassin code,
greatly saving CPU power. (If the customer wants neither, we do pass
the mail through unscanned.) So, it's possible to do URI filtering by
itself if desired.

There's no way a spammer can get around this sort of filtering by
padding a message with extra URIs since in this case a single case of
a URI is enough to trip the test. (Contrast this with approaches that
would check the percentage of bad URIs. I'm not sure if this SURBL
stuff does that or not.) And, the URIs aren't going into a database
based off messages, so there is no danger of joe jobs.

Richard Laager
Wikstrom Telecom Internet


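The contrast drawn in the message above, between a test that trips on a single listed URI and one that checks the percentage of bad URIs, as an added example that is not part of the original post and is not the poster's filter code. The blocklist contents, function names, and the regex-based URI extraction (standing in for SpamAssassin's URI parsing) are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed stand-in for a category database (hypothetical hosts).
BLOCKED_HOSTS = {"blocked.example", "adult.example.net"}

URI_RE = re.compile(r"""https?://[^\s<>"')]+""", re.IGNORECASE)

def extract_hosts(body):
    """Return the lower-cased host of every http(s) URI found in the body."""
    hosts = []
    for uri in URI_RE.findall(body):
        try:
            host = urlsplit(uri.rstrip(".,;:!?")).hostname
        except ValueError:  # malformed authority, e.g. a broken IPv6 literal
            continue
        if host:
            hosts.append(host.rstrip("."))
    return hosts

def is_listed(host, blocked=BLOCKED_HOSTS):
    """True if the host or any parent domain is listed (label match, not substring)."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))

def any_hit(body):
    """Single-hit policy: one listed URI is enough to trip the test."""
    return any(is_listed(h) for h in extract_hosts(body))

def ratio_hit(body, threshold=0.5):
    """Percentage policy: trips only if the share of listed URIs reaches threshold."""
    hosts = extract_hosts(body)
    if not hosts:
        return False
    return sum(is_listed(h) for h in hosts) / len(hosts) >= threshold

# Constructed sample messages.
PLAIN = "Visit http://www.blocked.example/offer today"
PADDED = PLAIN + "".join(f"\nhttp://filler{i}.example.org/" for i in range(9))
CLEAN = "Minutes are at https://intranet.example.org/minutes.html"

if __name__ == "__main__":
    for name, msg in (("plain", PLAIN), ("padded", PADDED), ("clean", CLEAN)):
        print(f"{name:7} any_hit={any_hit(msg)} ratio_hit={ratio_hit(msg)}")
```

The padded message still trips `any_hit` while falling under the `ratio_hit` threshold, which is the property the message relies on.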
