Re: Customize log messages?
@ lbutlr:
> On 12/4/16 8:17 AM, Wietse Venema wrote:
> > @ lbutlr:
> >> On 12/3/16 2:57 PM, Wietse Venema wrote:
> >>> Proof of concept:
> >>>
> >>> MAIL FROM<"<script
> >>> type='text/javascript'>alert('xss');</script>"@example.com>
> >>
> >> That results in "501 5.5.4 Syntax: MAIL FROM:"
> >
> > OK, so insert the missing ':'
> >
> > MAIL FROM:<"<script
> > type='text/javascript'>alert('xss');</script>"@example.com>
> > 250 2.1.0 Ok
>
> Fair enough. But the script strips out < and > (and [] and ,), so I'm
> still not seeing an issue.
>
> bzgrep "$MATCHPAT" $LOGF | grep -i reject | egrep 'from=<[^>]+>' | grep -v "Protocol error" | grep -v "$EXCLUDE" | sort -u | sed 's/from=<//' | tr -d '>,[]:' | grep -v rejected
>
> I guess the sed only strips the enclosing <, so spurious opening
> brackets could be left behind, but the tr -d will take out all the
> closing >'s. I've added '<' to the tr list just in case, so no <> from
> the log file will remain.

Good. I think that we have now agreement that some logfile content
is under control by untrusted users.

	Wietse
Re: Let's Encrypt + Postfix TLS + iOS Mail
If the fullchain.pem file is the result of the ACME client certbot, this file includes the Let's Encrypt intermediate certificate and your server certificate.

smtpd_tls_cert_file = /path/to/fullchain.pem
smtpd_tls_key_file = /path/to/privkey.pem

> On Nov 15, 2016, at 03:08, Steve Jenkins wrote:
>
> I've had TLS working great on my Postfix servers for years, and I recently
> tried switching one of my boxes to a Let's Encrypt certificate. A Gmail test
> account using TLS on port 587 works fine, but the iOS mail client complains
> about the certificate being untrusted. Further digging shows it doesn't like
> the CA.
>
> I added the fullchain.pem file to the '/etc/postfix/ssl/cacert.pem' I use for
> 'smtpd_tls_CAfile' but that doesn't fix anything.
>
> Has anyone been able to get an iOS mail client to use a Postfix SMTP server
> with TLS?
>
> Here are my current (working) TLS-related entries in main.cf:
>
> # postconf -n | grep tls
> smtp_tls_CAfile = $smtpd_tls_CAfile
> smtp_tls_loglevel = 1
> smtp_tls_security_level = may
> smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
> smtpd_tls_auth_only = yes
> smtpd_tls_cert_file = /etc/pki/tls/certs/example.com.crt
> smtpd_tls_key_file = /etc/pki/tls/private/example.com.key
> smtpd_tls_loglevel = 1
> smtpd_tls_received_header = yes
> smtpd_tls_security_level = may
>
> It breaks (on iOS) if I change the smtpd_tls_cert_file and smtpd_tls_key_file
> to the Let's Encrypt cert and key.
>
> Thanks,
>
> SteveJ
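Added example, not part of the reply above or of anything Steve or Postfix ship: a small Python check that confirms the fix took, i.e. that the server now actually sends the intermediate certificate after the leaf. It assumes you capture the output of `openssl s_client -connect mx.example.com:587 -starttls smtp -showcerts </dev/null` and feed it on stdin; the two embedded outputs are constructed stand-ins in OpenSSL 1.x formatting with placeholder certificate bodies, one for a server configured with fullchain.pem and one that sends the leaf only (the symptom in the thread, with cert.pem in smtpd_tls_cert_file).

```python
import re
import sys

# Constructed stand-ins for `openssl s_client -connect mx:587 -starttls smtp
# -showcerts` output in OpenSSL 1.x formatting. The base64 bodies are
# placeholders, not real certificates.
FULLCHAIN_OUTPUT = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=mail.example.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
MIIF...placeholder...
-----END CERTIFICATE-----
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
-----BEGIN CERTIFICATE-----
MIIE...placeholder...
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=mail.example.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
"""

LEAF_ONLY_OUTPUT = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=mail.example.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
MIIF...placeholder...
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=mail.example.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
"""

# " 0 s:<subject>" and "   i:<issuer>" lines; both the old slash-separated and
# the newer comma-separated DN styles are kept verbatim as strings.
SUBJECT_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")
ISSUER_RE = re.compile(r"^\s+i:(.*)$")


def parse_chain(s_client_output):
    """Return [(depth, subject, issuer), ...] from the 'Certificate chain' block."""
    chain = []
    pending = None  # (depth, subject) waiting for its i: line
    for line in s_client_output.splitlines():
        m = SUBJECT_RE.match(line)
        if m:
            pending = (int(m.group(1)), m.group(2).strip())
            continue
        m = ISSUER_RE.match(line)
        if m and pending is not None:
            chain.append((pending[0], pending[1], m.group(1).strip()))
            pending = None
    return chain


def check_chain(chain):
    """Return (ok, reason).

    ok is True when each certificate after the leaf is the issuer of the one
    before it, so a client only needs the root in its trust store. A lone leaf
    that is not self-signed means the server left out the intermediate and the
    client would have to fetch it on its own, which is what breaks here.
    """
    if not chain:
        return False, "no 'Certificate chain' block found in the s_client output"
    for (_, _, issuer), (_, next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            return False, f"chain break: issuer {issuer!r} is not the next certificate"
    _, subject, issuer = chain[-1]
    if len(chain) == 1 and subject != issuer:
        return False, (f"server sent only the leaf {subject!r}; its issuer {issuer!r} "
                       "is missing, point smtpd_tls_cert_file at fullchain.pem")
    return True, f"{len(chain)} certificate(s) sent, chain links up to {issuer!r}"


if __name__ == "__main__":
    # openssl s_client -connect mx.example.com:587 -starttls smtp -showcerts </dev/null | python3 check_chain.py
    data = sys.stdin.read() if not sys.stdin.isatty() else LEAF_ONLY_OUTPUT
    ok, reason = check_chain(parse_chain(data))
    print(("OK: " if ok else "PROBLEM: ") + reason)
    sys.exit(0 if ok else 1)
```

The root is deliberately not required in the server's chain; it lives in the client's trust store, and what the thread's fix adds is the intermediate in between. Run it with a terminal on stdin and it evaluates the embedded leaf-only sample so you can see the failure message.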
Re: Customize log messages?
On 12/4/16 8:17 AM, Wietse Venema wrote:
> @ lbutlr:
>> On 12/3/16 2:57 PM, Wietse Venema wrote:
>>> Proof of concept:
>>>
>>> MAIL FROM<"<script
>>> type='text/javascript'>alert('xss');</script>"@example.com>
>>
>> That results in "501 5.5.4 Syntax: MAIL FROM:"
>
> OK, so insert the missing ':'
>
> MAIL FROM:<"<script type='text/javascript'>alert('xss');</script>"@example.com>
> 250 2.1.0 Ok

Fair enough. But the script strips out < and > (and [] and ,), so I'm
still not seeing an issue.

bzgrep "$MATCHPAT" $LOGF | grep -i reject | egrep 'from=<[^>]+>' | grep -v "Protocol error" | grep -v "$EXCLUDE" | sort -u | sed 's/from=<//' | tr -d '>,[]:' | grep -v rejected

I guess the sed only strips the enclosing <, so spurious opening
brackets could be left behind, but the tr -d will take out all the
closing >'s. I've added '<' to the tr list just in case, so no <> from
the log file will remain.
Re: Customize log messages?
@ lbutlr:
> On 12/3/16 2:57 PM, Wietse Venema wrote:
> > Proof of concept:
> >
> > MAIL FROM<"<script
> > type='text/javascript'>alert('xss');</script>"@example.com>
>
> That results in "501 5.5.4 Syntax: MAIL FROM:"

OK, so insert the missing ':'

MAIL FROM:<"<script type='text/javascript'>alert('xss');</script>"@example.com>
250 2.1.0 Ok

Instead of an alert, a real attacker would provide more nefarious code.
This code runs without the user even having to click a link.

	Wietse
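Added example, my own rather than anything lbutlr, Wietse or Postfix posted: the extraction step of the thread's pipeline redone in Python so the two points above can be seen on sample input. Postfix logs the envelope sender verbatim inside from=<...>, and a quoted local part may itself contain '<' and '>', so `egrep 'from=<[^>]+>'` cuts the proof-of-concept address off at the first '>'; the parser below honours the RFC 5321 quoted-string instead. It then shows the thread's deny-list (tr -d '<>,[]:') beside HTML escaping at the point of output, which is what protects the CRM page. The log lines are constructed to look like Postfix smtpd reject entries and are not real data; the $MATCHPAT/$EXCLUDE filters of the original pipeline are left out.

```python
import html
import re

# Constructed sample lines in the shape of Postfix smtpd reject entries; not
# real log data. Line 2 carries the thread's proof-of-concept sender, line 3 a
# quoted local part with stray brackets, line 4 is not a reject line at all.
SAMPLE_LOG = """\
Dec  4 08:17:01 mx1 postfix/smtpd[2314]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 4.7.1 Client host rejected: cannot find your hostname, [192.0.2.10]; from=<bob@example.net> to=<alice@example.com> proto=ESMTP helo=<mail.example.net>
Dec  4 08:17:02 mx1 postfix/smtpd[2314]: NOQUEUE: reject: RCPT from unknown[192.0.2.11]: 554 5.7.1 <alice@example.com>: Recipient address rejected: Access denied; from=<"<script type='text/javascript'>alert('xss');</script>"@example.com> to=<alice@example.com> proto=ESMTP helo=<evil.example>
Dec  4 08:17:03 mx1 postfix/smtpd[2314]: NOQUEUE: reject: RCPT from unknown[192.0.2.12]: 454 4.7.1 <alice@example.com>: Relay access denied; from=<"needs >quoting< here"@example.org> to=<alice@example.com> proto=ESMTP helo=<x>
Dec  4 08:17:04 mx1 postfix/smtpd[2314]: improper command pipelining after EHLO from unknown[192.0.2.13]: QUIT
"""

NAIVE_FROM = re.compile(r"from=<([^>]+)>")


def naive_from_address(line):
    """What egrep 'from=<[^>]+>' sees: it stops at the first '>', quoted or not."""
    m = NAIVE_FROM.search(line)
    return m.group(1) if m else None


def extract_from_address(line):
    """Return the full sender from a Postfix from=<...> field, or None.

    A quoted local part ("..."@domain) may contain '<' and '>'; inside the
    quotes a backslash escapes the next character and only an unescaped '"'
    ends the string. The domain part cannot contain '>', so the first '>'
    after the local part closes the field.
    """
    marker = "from=<"
    start = line.find(marker)
    if start < 0:
        return None
    i = start + len(marker)
    n = len(line)
    if i < n and line[i] == '"':
        i += 1
        while i < n and line[i] != '"':
            if line[i] == "\\":
                i += 1
            i += 1
        i += 1  # past the closing quote (or past the end if unterminated)
    end = line.find(">", i)
    if end < 0:
        return None
    return line[start + len(marker):end]


def reject_senders(log_text):
    """Unique senders from reject lines, first-seen order (grep -i reject | grep -v 'Protocol error')."""
    seen = []
    for line in log_text.splitlines():
        if "reject:" not in line or "Protocol error" in line:
            continue
        addr = extract_from_address(line)
        if addr is not None and addr not in seen:
            seen.append(addr)
    return seen


def strip_unsafe_chars(addr):
    """The thread's deny-list, tr -d '<>,[]:'. Quotes and apostrophes survive."""
    return addr.translate({ord(c): None for c in "<>,[]:"})


def html_cell(addr):
    """Escape for an HTML text node or quoted attribute value at output time."""
    return html.escape(addr, quote=True)


if __name__ == "__main__":
    for addr in reject_senders(SAMPLE_LOG):
        print(html_cell(addr))
```

Stripping six characters leaves `"script type='text/javascript'alert('xss');/script"@example.com`, harmless in a text node but still carrying quote characters that matter once the CRM drops the value into an attribute; escaping is tied to the output context, not to a guess about which characters an attacker needs.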
Re: Customize log messages?
On 2016-12-02 15:10, Michael Munger wrote:
> This is a great idea. This is a spam filter that is integrated into a CRM
> system, so I needed to parse and dump the information so it could be sucked
> up later. Here's what I ultimately created. It still needs some work (mainly
> because it re-reads the whole file every time, and I should use timestamps
> and a half-interval search algorithm to find the last-processed time stamp.
> I am relying on log rotate to make it not-too-terribly-big).
>
> https://github.com/mjmunger/postfix-log-parser

Maybe you want to take a look at my saftpresse project:

https://github.com/benningm/saftpresse

It's an event pipe/log analyzer. It's modular and the Postfix plugin is based on refactored code of the pflogsum script:

https://github.com/benningm/saftpresse/blob/master/lib/Log/Saftpresse/Plugin/Postfix.pm

It has a syslog and systemd-journald input and could output to elasticsearch. It may be easier to query an elasticsearch index than parsing logs. Or you just click together some reports with kibana. I remember that somewhere there was a plugin or PDF generator for it.

Markus

-- 
https://markusbenning.de/