Re: Customize log messages?

2016-12-04 Thread Wietse Venema
@ lbutlr:
> On 12/4/16 8:17 AM, Wietse Venema wrote:
> > @ lbutlr:
> >> On 12/3/16 2:57 PM, Wietse Venema wrote:
> >>> Proof of concept:
> >>>
> >>>   MAIL FROM<"<script type='text/javascript'>alert('xss');</script>"@example.com>
> >>
> >> That results in "501 5.5.4 Syntax: MAIL FROM:"
> >
> > OK, so insert the missing ':'
> >
> > MAIL FROM:"<script type='text/javascript'>alert('xss');</script>"@example.com>
> > 250 2.1.0 Ok
> 
> Fair enough. But the script strips out < and > (and [] and ,), so I'm 
> still not seeing an issue.
> 
> bzgrep "$MATCHPAT" $LOGF | grep -i reject | egrep 'from=<[^>]+>' | grep -v "Protocol error" | grep -v "$EXCLUDE" | sort -u | sed 's/from=<//' | tr -d '>,[]:' | grep -v rejected
> 
> I guess the sed only strips the enclosing <, so spurious opening 
> brackets could be left behind, but the tr -d will take out all the 
> closing >'s. I've added '<' to the tr list just in case, so no <> from 
> the log file will remain.

Good. I think that we have now agreement that some logfile content
is under control by untrusted users.

Wietse


Re: Let's Encrypt + Postfix TLS + iOS Mail

2016-12-04 Thread Dusan Obradovic
If the fullchain.pem file is the result of the acme client cert-bot, this file 
includes Let's Encrypt intermediate certificate and your server certificate.

smtpd_tls_cert_file = /path/to/fullchain.pem
smtpd_tls_key_file = /path/to/privkey.pem

> On Nov 15, 2016, at 03:08, Steve Jenkins  wrote:
> 
> I've had TLS working great on my Postfix servers for years, and I recently 
> tried switching one of my boxes to a Let's Encrypt certificate. A Gmail test 
> account using TLS on port 587 works fine, but the iOS mail client complains 
> about the certificate being untrusted. Further digging shows it doesn't like 
> the CA.
> 
> I added the fullchain.pem file to the '/etc/postfix/ssl/cacert.pem' I use for 
> 'smtpd_tls_CAfile' but that doesn't fix anything.
> 
> Has anyone been able to get an iOS mail client to use a Postfix SMTP server 
> with TLS?
> 
> Here are my current (working) TLS-related entries in main.cf:
> 
> # postconf -n | grep tls
> smtp_tls_CAfile = $smtpd_tls_CAfile
> smtp_tls_loglevel = 1
> smtp_tls_security_level = may
> smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
> smtpd_tls_auth_only = yes
> smtpd_tls_cert_file = /etc/pki/tls/certs/example.com.crt
> smtpd_tls_key_file = /etc/pki/tls/private/example.com.key
> smtpd_tls_loglevel = 1
> smtpd_tls_received_header = yes
> smtpd_tls_security_level = may
> 
> It breaks (on iOS) if I change the smtpd_tls_cert_file and smtpd_tls_key_file 
> to the Let's Encrypt cert and key.
> 
> Thanks,
> 
> SteveJ



Re: Customize log messages?

2016-12-04 Thread

On 12/4/16 8:17 AM, Wietse Venema wrote:
> @ lbutlr:
>> On 12/3/16 2:57 PM, Wietse Venema wrote:
>>> Proof of concept:
>>>
>>>   MAIL FROM<"<script type='text/javascript'>alert('xss');</script>"@example.com>
>>
>> That results in "501 5.5.4 Syntax: MAIL FROM:"
>
> OK, so insert the missing ':'
>
> MAIL FROM:"<script type='text/javascript'>alert('xss');</script>"@example.com>
> 250 2.1.0 Ok

Fair enough. But the script strips out < and > (and [] and ,), so I'm 
still not seeing an issue.

bzgrep "$MATCHPAT" $LOGF | grep -i reject | egrep 'from=<[^>]+>' | grep -v "Protocol error" | grep -v "$EXCLUDE" | sort -u | sed 's/from=<//' | tr -d '>,[]:' | grep -v rejected

I guess the sed only strips the enclosing <, so spurious opening 
brackets could be left behind, but the tr -d will take out all the 
closing >'s. I've added '<' to the tr list just in case, so no <> from 
the log file will remain.




Re: Customize log messages?

2016-12-04 Thread Wietse Venema
@ lbutlr:
> On 12/3/16 2:57 PM, Wietse Venema wrote:
> > Proof of concept:
> >
> >   MAIL FROM<"<script type='text/javascript'>alert('xss');</script>"@example.com>
> 
> That results in "501 5.5.4 Syntax: MAIL FROM:"

OK, so insert the missing ':'

MAIL FROM:"<script type='text/javascript'>alert('xss');</script>"@example.com>
250 2.1.0 Ok

Instead of an alert, a real attacker would provide more nefarious
code.  This code runs without the user even having to click a link.

Wietse
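lbutlr's pipeline above strips `<`, `>`, `[`, `]`, `,` and `:` from the sender field, and Wietse's point in this and the earlier reply is that the sender field is chosen by the remote client. As an added example (not code from the thread), this Python extracts the from=<...> field of a constructed Postfix reject line and HTML-escapes it before rendering, so nothing from the log is discarded yet none of it can become markup; the sample log line and the function names are assumptions.

```python
import html
import re

# Constructed sample reject line (not taken from the thread); the sender is the
# thread's proof-of-concept address, which the remote SMTP client fully controls.
SAMPLE_LOG = (
    "Dec  4 08:17:01 mx postfix/smtpd[2345]: NOQUEUE: reject: RCPT from "
    "unknown[192.0.2.10]: 554 5.7.1 <user@example.net>: Relay access denied; "
    "from=<\"<script type='text/javascript'>alert('xss');</script>\"@example.com> "
    "to=<user@example.net> proto=ESMTP helo=<unknown>"
)

# Postfix logs the envelope sender as from=<...> immediately followed by " to=<".
# Matching up to that delimiter keeps a '>' inside a quoted local part, which the
# egrep 'from=<[^>]+>' in the thread's pipeline would cut short.
FROM_RE = re.compile(r"from=<(.*)> to=<")


def extract_sender(line):
    """Return the raw envelope sender from a reject line, or None if absent."""
    m = FROM_RE.search(line)
    return m.group(1) if m else None


def strip_brackets(addr):
    """The thread's approach (tr -d '<>,[]:'): characters are removed, so the
    address recorded for analysis no longer matches what was actually sent."""
    return addr.translate(str.maketrans("", "", "<>,[]:"))


def html_safe(addr):
    """Escape for HTML text or a quoted attribute; the original text is preserved
    and '<', '>', '&', '"' and "'" can no longer open markup."""
    return html.escape(addr, quote=True)


def render_row(line):
    """One HTML table row for a reject line; the log-derived field is escaped."""
    sender = extract_sender(line)
    if sender is None:
        return None
    return "<tr><td>%s</td></tr>" % html_safe(sender)


if __name__ == "__main__":
    raw = extract_sender(SAMPLE_LOG)
    print("raw:      ", raw)
    print("stripped: ", strip_brackets(raw))
    print("escaped:  ", html_safe(raw))
```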




Re: Customize log messages?

2016-12-04 Thread Benning, Markus

On 2016-12-02 15:10, Michael Munger wrote:
> This is a great idea. This is a spam filter that is integrated into a
> CRM system, so I needed to parse and dump the information so it could
> be sucked up later.
> 
> Here's what I ultimately created. It still needs some work (mainly
> because it re-reads the whole file every time, and I should use
> timestamps and a half-interval search algorithm to find the
> last-processed time stamp. I am relying on log rotate to make it
> not-too-terribly-big).
> 
> https://github.com/mjmunger/postfix-log-parser


Maybe you want to take a look at my saftpresse project:

https://github.com/benningm/saftpresse

It's an event pipe/log analyzer.
It's modular and the Postfix plugin is based on refactored
code of the pflogsumm script:

https://github.com/benningm/saftpresse/blob/master/lib/Log/Saftpresse/Plugin/Postfix.pm

It has a syslog and systemd-journald input and could output to 
elasticsearch.

It may be easier to query an elasticsearch index than parsing logs.
Or you just click together some reports with kibana.
I remember that somewhere there was a plugin or PDF generator for it.

 Markus
--
https://markusbenning.de/