[xmail] another batch of source comments
Thanks for the reply on my first mail. Here's a few more notes.

SMAILUtils.cpp
The function USmlExtractToAddress() is not used at all.

SMTPSvr.cpp
In the function SMTPFilterMessage() a fflush() is performed before the fclose(). I think this is unnecessary as fclose() implies a fflush() according to the manpage:

  The fclose() function will flush the stream pointed to by fp (writing any buffered output data using fflush(3)) and close the underlying file descriptor.

SvrUtils.cpp
The declaration of SvrAllocConfig() is lacking the pszProfilePath parameter.

SMTPSvr.cpp
The default value for DefaultSmtpPerms differs between the source (MR) and the example configuration (MRVZ).

___
xmail mailing list
xmail@xmailserver.org
http://xmailserver.org/mailman/listinfo/xmail
[xmail] Multiple from inside mail headers
Hello guys,

This is not really XMail specific but I am a bit confused there and I need help from experts.

Here is the problem, I am using a filter that works with SPF, everything is working fine except one thing. Sometimes forged froms pass through the filter because the filter is getting the return-path instead of a faked from, see this example:

Return-Path: munitio...@soulofthejedi.net
Delivered-To: r...@fullmetalpacket.com
Received: from dsldevice.lan ([92.18.93.37]:49281) by mail with [XMail 1.26 ESMTP Server] id SA34818 for r...@fullmetalpacket.com from munitio...@soulofthejedi.net; Wed, 14 Oct 2009 11:50:35 -0400
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on spamshield.fullmetalpacket.com
X-Spam-Status: No, score=-87.3 required=9.0 tests=BAYES_50,HTML_MESSAGE, MIME_QP_LONG_LINE,NO_RELAYS,SPAMMY_XMAILER,TVD_RCVD_IP,TVD_RCVD_IP4, URIBL_BLACK,USER_IN_WHITELIST,XMAILER_MIMEOLE_OL_91287 autolearn=no version=3.2.4
Received: from 92.18.93.37 by soulofthejedi.net; Wed, 14 Oct 2009 16:40:46 +
Message-ID: 000d01ca4ce4$b2b7b9c0$6400a...@munitionb9
From: notificati...@fullmetalpacket.com notificati...@fullmetalpacket.com
To: r...@fullmetalpacket.com
Subject: The settings for the r...@fullmetalpacket.com mailbox were changed
Date: Wed, 14 Oct 2009 16:40:46 +
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary==_NextPart_000_0007_01CA4CE4.B2B7B9C0
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4807.2300
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.2300

This guy is sending email like this with links to spread his malware.

My filter is analyzing
Return-Path: munitio...@soulofthejedi.net
instead of
From: notificati...@fullmetalpacket.com notificati...@fullmetalpacket.com

Is there any way to analyze the faked from?

Thanks
-fred
Re: [xmail] Multiple from inside mail headers
Hello Fred,

As this is a filter, the choice made to use 'return-path' in place of 'from' is filter specific, not related to xmail.

To help you we need to know more about this filter, how it works, parameters, ...

Self-written filter or found on the net? Do you have source code for this filter (or can we get it somewhere)?

Francis
Re: [xmail] Multiple from inside mail headers
Hi Francis,

Thanks for your reply.

This is a self-written script that gets the following arguments from filter.post-data.tab:

    !aex /mailsrv/MailRoot/filters/spfcheck/spfcheck.php @@FROM @@CRCPT @@REMOTEADDR @@FILE

The @@FROM is the actual variable that is checked by this linux command (from within a PHP script):

    // Envelope values come from the remote SMTP client, so quote each one for the shell.
    exec("spfquery --name " . escapeshellarg($this->_spfServer)
        . " -sender=" . escapeshellarg($this->_from)
        . " -ip=" . escapeshellarg($this->_remoteAddress)
        . " -helo=" . escapeshellarg($this->_helo), $output, $return);

$this->_from == @@FROM

Spfquery returns a digit as the return code, which is what I use for either dropping the email or letting it go through.

Thanks
-fred
Re: [xmail] Multiple from inside mail headers
On Wed, 14 Oct 2009, fred wrote:

> Hello guys,
>
> This is not really XMail specific but I am a bit confused there and I need help from experts.
>
> Here is the problem, I am using a filter that works with SPF, everything is working fine except one thing. Sometimes forged froms pass through the filter because the filter is getting the return-path instead of a faked from, see this example:

OK guys, XMail is an MTA and could care less of the envelope From: header. Wherever you see FROM inside XMail, that's the return-path (that is, the address passed in the 'MAIL FROM:...' SMTP transaction).

- Davide
Re: [xmail] another batch of source comments
On Wed, 14 Oct 2009, Oliver Stöneberg wrote:

> Thanks for the reply on my first mail. Here's a few more notes.
>
> SMAILUtils.cpp
> The function USmlExtractToAddress() is not used at all.

Right, but it stays.

> SMTPSvr.cpp
> In the function SMTPFilterMessage() a fflush() is performed before the fclose(). I think this is unnecessary as fclose() implies a fflush() according to the manpage:
>
>   The fclose() function will flush the stream pointed to by fp (writing any buffered output data using fflush(3)) and close the underlying file descriptor.

I know that, but I don't remember ATM why I split the two operations. I changed it now, and hopefully there was no real reason behind.

> SvrUtils.cpp
> The declaration of SvrAllocConfig() is lacking the pszProfilePath parameter.

Fixed. As you might have noticed, I'm working through the XMail code to gradually drop all the static pre-declarations (when possible).

> SMTPSvr.cpp
> The default value for DefaultSmtpPerms differs between the source (MR) and the example configuration (MRVZ).

MRVZ it is.

- Davide
Re: [xmail] Multiple from inside mail headers
I understand Davide, I knew this wasn't XMail's fault, I only wanted to find a solution to prevent these types of forged froms.

I will have to add code into my script to parse the message header and look for the From: line, compare this from with the one in the SMTP transaction, if they are different do something.

What do you guys think?

-fred
Re: [xmail] Multiple from inside mail headers
On Wed, 14 Oct 2009, fred wrote:

> I understand Davide, I knew this wasn't XMail's fault, I only wanted to find a solution to prevent these types of forged froms.
>
> I will have to add code into my script to parse the message header and look for the From: line, compare this from with the one in the SMTP transaction, if they are different do something.
>
> What do you guys think?

Can work, but you need a post-data filter for it.

- Davide
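The comparison fred describes, shown as an added example that is not code from the thread or from XMail: it checks the envelope sender a post-data filter receives as @@FROM against the From: header of the message. It is written in Python rather than the PHP of fred's script; `check_from`, `domain_of`, the verdict names and the sample message are hypothetical, and it assumes the filter has already read the message text from the file passed as @@FILE.

```python
from email import message_from_string
from email.utils import getaddresses

def domain_of(addr):
    """Lower-cased domain part of an address, or '' if it has none."""
    return addr.rpartition("@")[2].lower().rstrip(".") if "@" in addr else ""

def check_from(envelope_from, raw_message, local_domains):
    """Compare the SMTP envelope sender with the message's From: header.

    Returns 'missing-from', 'ambiguous-from' (several From: headers, or
    zero/several addresses in one), 'null-sender', 'local-spoof',
    'mismatch' or 'aligned'.
    """
    headers = message_from_string(raw_message).get_all("From", [])
    if not headers:
        return "missing-from"
    # getaddresses() separates display names from the actual addresses.
    addrs = [addr for _, addr in getaddresses(headers) if addr]
    if len(headers) > 1 or len(addrs) != 1:
        return "ambiguous-from"
    env_dom = domain_of(envelope_from.strip("<> "))
    hdr_dom = domain_of(addrs[0])
    if not env_dom:
        return "null-sender"  # bounce (MAIL FROM:<>), nothing to compare
    if hdr_dom in local_domains and env_dom not in local_domains:
        return "local-spoof"  # header claims our domain, envelope does not
    return "aligned" if hdr_dom == env_dom else "mismatch"

# Constructed sample modelled on the forged message quoted in the thread;
# all addresses and domains are placeholders.
FORGED = (
    "Return-Path: <sender@spammer.example>\r\n"
    'From: "notifications@example.com" <notifications@example.com>\r\n'
    "To: user@example.com\r\n"
    "Subject: The settings for your mailbox were changed\r\n"
    "\r\n"
    "Click the link to confirm.\r\n"
)

if __name__ == "__main__":
    print(check_from("sender@spammer.example", FORGED, {"example.com"}))
```

Mailing lists and forwarders legitimately deliver mail whose envelope sender and From: header differ, so 'mismatch' alone is a weak signal; 'local-spoof' is the case that matches the forged message in this thread.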
Re: [xmail] another batch of source comments
> On Wed, 14 Oct 2009, Oliver Stöneberg wrote:
>
> > Thanks for the reply on my first mail. Here's a few more notes.
> >
> > SMAILUtils.cpp
> > The function USmlExtractToAddress() is not used at all.
>
> Right, but it stays.

Like the others just FYI.

> > SMTPSvr.cpp
> > In the function SMTPFilterMessage() a fflush() is performed before the fclose(). I think this is unnecessary as fclose() implies a fflush() according to the manpage:
> >
> >   The fclose() function will flush the stream pointed to by fp (writing any buffered output data using fflush(3)) and close the underlying file descriptor.
>
> I know that, but I don't remember ATM why I split the two operations. I changed it now, and hopefully there was no real reason behind.

Maybe a faulty implementation on some distribution out there. I have read about some nasty fsync() bugs, so nothing is out of the question.

Any ETA on the first 1.27pre version?