Re: [courier-users] Whitelist filtering, including a draft patch

2013-01-25 Thread Alessandro Vesely
On Thu 24/Jan/2013 13:08:21 +0100 Sam Varshavchik wrote:
> 
> Just looking at the results of trying to meta-program the DNSBL lookup
> logic in couriertcpd, using pcre, doesn't look right to me. PCRE in
> couriertcpd would be ok, it's just all the rest of it looks overly
> complicated.

Yeah, it reminds me of Apache's mod_rewrite, somewhat.  I guess regex
programming tends to produce such kind of intricacies.

> Looking at what dnswl.org is doing, probably the best thing to do
> there is not to use BLOCK in conjunction with other DNSBLs, and just
> have a generic setting that records environment variables, and leave
> it up to a custom global mail filtering module to process all the
> lookups and figure out what to do with them.
> 
> And, looking at what dnswl.org, I have a healthy dose of skepticism
> about them, anyway.

IME, it's good for SPF:  Instead of ?all, one can end an SPF record
with ?exists:%{ir}.list.dnswl.org -all.  The latter brings much the
same gain as the former, without being overly permissive.  After all,
dnswl.org delivers a domain name, whose abuse team can be targeted.

Given what SPF is, the cost of delaying those rejections until the end
of data, so as to let the global filter handle them, seems to be
acceptable.

It would have been different if spamhausewhitelist had had a success
comparable to that of their BLs.  But the lack of participation in
this thread --except for your polite replies-- is itself a gauge of
the apathy that characterizes this subject.

-- 







































--
Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS,
MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current
with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
MVPs and experts. ON SALE this month only -- learn more at:
http://p.sf.net/sfu/learnnow-d2d
___
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users


Re: [courier-users] Whitelist filtering, including a draft patch

2013-01-24 Thread Sam Varshavchik

Alessandro Vesely writes:


Global filters, however, cannot.  My initial idea was to use ctlfile
records to pass values to --and possibly among-- filters.  It's you
who said it's simpler to use the message header (there were traces of
that argument quoted in my previous message.)


Perhaps, but this was going way over into the other direction.


Yes, that was my initial approach as well.  Lists deliver their
content as A records in the 127.0.0.0/8 range, but each list has its
own encoding.  Dnswl.org, for example, encodes the score is the last
byte, valued 0-3.  After a few attempts at defining a suitable syntax,
I realized I was reinventing regular expressions, so I turned to the
real thing.  Some decisions, e.g. SPFALLOW, ought to be made that early.

Would PCRE unduly aggravate tcpd's footprint?  And how'd you compare
its cpu cost to the time/bandwidth cost of the query itself?


If that's the case, then this is something that better to be dealt with in  
the global filter itself. The result of the DNSBL lookup would only need to  
be preserved in the headers, and a global mail filter module would have the  
necessary domain knowledge to know how to process the results.


Just looking at the results of trying to meta-program the DNSBL lookup logic  
in couriertcpd, using pcre, doesn't look right to me. PCRE in couriertcpd  
would be ok, it's just all the rest of it looks overly complicated.


Looking at what dnswl.org is doing, probably the best thing to do there is  
not to use BLOCK in conjunction with other DNSBLs, and just have a generic  
setting that records environment variables, and leave it up to a custom  
global mail filtering module to process all the lookups and figure out what  
to do with them.


And, looking at what dnswl.org, I have a healthy dose of skepticism about  
them, anyway.


pgpuq9z4b_h_k.pgp
Description: PGP signature
--
Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS,
MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current
with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
MVPs and experts. ON SALE this month only -- learn more at:
http://p.sf.net/sfu/learnnow-d2d___
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users


Re: [courier-users] Whitelist filtering, including a draft patch

2013-01-24 Thread Alessandro Vesely
On Thu 24/Jan/2013 02:00:15 +0100 Sam Varshavchik wrote:
> Alessandro Vesely writes:
> 
>>   -allow=zone[,varspec]...
>>
>> [...]
>> Now for passing the results to global filters.  In 2010 we thought of
> 
> I still think -allow is ok, but I don't see much need to do anything
> with regards to the headers. If the purpose is to allow per-recipient
> mail filtering, then environment variables set by couriertcpd should
> be accessible in rcptfilter and smtpfilter-based scripts for that
> purpose, and it's better to do it there.

Global filters, however, cannot.  My initial idea was to use ctlfile
records to pass values to --and possibly among-- filters.  It's you
who said it's simpler to use the message header (there were traces of
that argument quoted in my previous message.)  An advantage, in large
systems, is that it makes it possible to pass values from a boundary
MTA to an internal MTA.  In addition, using a standardized header
would allow independently developed filters, e.g. SA, to reuse that
result rather than querying the list again on their own.

Oh, I forgot to mention to add, say, "opt BOFHARGUARDATOMS=2".  That
is the number of rightmost "atoms" to be kept from config-me:  The
lower the safer.  For example, if me is host.example.com, 2 yields
example.com, and an A-R header purportedly by whatever.example.com
gets renamed.  That's a possible implementation of RFC 5451.

> And I'd rather keep it simple, and avoid the need to bring in PCRE.
> I'm not even quite sure why that's necessary. A DNSBL that offers
> multiple results should do it by returning pseudo-IP addresses, which
> couriertcpd should be able to handle.

Yes, that was my initial approach as well.  Lists deliver their
content as A records in the 127.0.0.0/8 range, but each list has its
own encoding.  Dnswl.org, for example, encodes the score is the last
byte, valued 0-3.  After a few attempts at defining a suitable syntax,
I realized I was reinventing regular expressions, so I turned to the
real thing.  Some decisions, e.g. SPFALLOW, ought to be made that early.

Would PCRE unduly aggravate tcpd's footprint?  And how'd you compare
its cpu cost to the time/bandwidth cost of the query itself?

--
Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS,
MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current
with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
MVPs and experts. ON SALE this month only -- learn more at:
http://p.sf.net/sfu/learnnow-d2d
___
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users


Re: [courier-users] Whitelist filtering, including a draft patch

2013-01-23 Thread Sam Varshavchik

Alessandro Vesely writes:


Hi Sam and All,

let me try and resume this:

  -allow=zone[,varspec]...

By example --so as to solicit comments from more people-- the change
enables to configure an additional variable in etc/esmtpd:

  WHITELISTS='-allow=swl.spamhaus.org'

The default behavior is to set an empty BLOCK= so that if one had set
BLACKLISTS='-block=...' with the same default variable, when the
former lookup succeeds, the latter lookup is preempt(i)ed, so to say.

Now for passing the results to global filters.  In 2010 we thought of


I still think -allow is ok, but I don't see much need to do anything with  
regards to the headers. If the purpose is to allow per-recipient mail  
filtering, then environment variables set by couriertcpd should be  
accessible in rcptfilter and smtpfilter-based scripts for that purpose, and  
it's better to do it there.


And I'd rather keep it simple, and avoid the need to bring in PCRE. I'm not  
even quite sure why that's necessary. A DNSBL that offers multiple results  
should to it by returning pseudo-IP addresses, which couriertcpd should be  
able to handle.





pgpyzUy7u09QI.pgp
Description: PGP signature
--
Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS,
MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current
with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
MVPs and experts. ON SALE this month only -- learn more at:
http://p.sf.net/sfu/learnnow-d2d___
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users


Re: [courier-users] Whitelist filtering, including a draft patch

2013-01-23 Thread Alessandro Vesely
Hi Sam and All,

let me try and resume this:

  -allow=zone[,varspec]...

By example --so as to solicit comments from more people-- the change
enables to configure an additional variable in etc/esmtpd:

  WHITELISTS='-allow=swl.spamhaus.org'

The default behavior is to set an empty BLOCK= so that if one had set
BLACKLISTS='-block=...' with the same default variable, when the
former lookup succeeds, the latter lookup is preempt(i)ed, so to say.

Now for passing the results to global filters.  In 2010 we thought of
inventing an X-DNSWL: header just for this purpose (see below).  That
is not needed, as there exists an Authentication-Results: header
designed for exactly this purpose.  It is to be added at border MTAs
and examined by downstream filters and even MUAs.  We just need to
define what values we may need to know for DNS lists.  We certainly
need a zone, albeit we can lookup a local copy of it, for example:

  WHITELISTS='-allow=dnswl.local,'
  WHITELISTS+='_A_R_DNSWL_ZONE=list.dnswl.org,' # always set this

That varspec sets the globally known name of the list.  However, we
need to examine the value that the list returns, in order to decide if
that is a pass or a neutral response.  Regular expressions can do
that, for example:

  WHITELISTS+='/[1-3]$/,'# match only low-hi scores
  WHITELISTS+='_A_R_DNSWL_RESULT:pass,'  # set "pass" if matched
  WHITELISTS+='//,'  # match anything
  WHITELISTS+='_A_R_DNSWL_RESULT:found,' # set "found" if matched
  WHITELISTS+='_A_R_DNSWL_RESULT=fail,'  # set "fail" otherwise

In the above examples, the assignments done with ':' require that the
record is found and the last regex matched, while '=' sets the
variable unconditionally, provided that it is not set already.

Of course, regex can also capture substrings.  By providing a name to
a captured string, it is possible to compose a variable name, like so:

  WHITELISTS+='_A_R_DNSWL/(?[0-9.]*)/,'
  WHITELISTS+=\
  '_A_R_DNSWL|(?[-a-z0-9.]+)\s*(?https?://\S*)|:t'

The last line exemplifies using a delimiter different from "/", so as
to avoid backslashes.  However, parentheses and question marks create
difficulties with the shell, and it may be simpler to leave them in
the environment.  The trailing ":t" is for requiring the TXT record.

I hope that is not overly complicated.  The patch attached is a draft,
in the sense that it should clarify any detail, but I haven't even
tried to compile it, although I function-wise tested some parts of it.
 The idea is that, given the above setting, couriertcpd will set, for
127.0.0.2:

  _A_R_DNSWL_ZONE=list.dnswl.org
  _A_R_DNSWL_RESULT=found
  _A_R_DNSWL=127.0.10.0
  _A_R_DNSWL_VALUE=127.0.10.0

Submit will recognize those particular variable names and write a line
like:

  Authentication-Results: host.example.com;
dnswl=found dns.zone=list.dnswl.org policy.value=127.0.10.0

Another variable I added to submit is SPFALLOW for whitelisted
senders.  (I set my site's SPF record that way, and it works great.
However, not all those who publish -all do so, which is why I need
SPFALLOW.)

In general, if we work out the few issues that remain, -allow can
result in an interesting alternative to -access, where rbldnsd or
similar tool would play a role equivalent to bdb.

What you think?

Sam, if you give me the green light, two specific issues are whether
to modify argparse, and whether we need rfc2047_encode (it seems only
Received: uses that).  For All, the properties of the new "dnswl"
authentication method:  They will have to be eventually added to
http://www.iana.org/assignments/email-auth/email-auth.xml


On Wed 29/Sep/2010 23:56:50 +0200 Sam Varshavchik wrote:
> Alessandro Vesely writes:
>> On 28/Sep/10 23:18, Sam Varshavchik wrote:
>>> Alessandro Vesely writes:
 An alternative is to define skiplists explicitly, e.g.

 -allow=swl.spamhaus.org,ALLOW \
 -block=zen.spamhaus.org,BLOCK,"550 Reject ip=@" \
 -block=some.other.example,BLOCK2 \
 -skipif=ALLOW,BLOCK,BLOCK2

 In this case "-allow" is exactly a synonym of "-block", because it
 feels ugly to say "block" for a whitelist.
>>>
>>> This looks more reasonable. [...]
>>>
>>> -skipif looks cleaner. Also, the lookup will be skipped anyway, if its
>>> environment variable is already set, so this is backwards compatible.
>>
>> That's also my opinion.  (It would be nice to hear some other user,
>> though.)
>>
 Do we need an additional comma to specify whether the list is
 (supposed to be) IPv6 capable?
>>>
>>> I don't think it will be necessary. IPv6 addresses should
>>> automatically format an IPv6 query. An IPv6-formatted query to an IPv4
>>> list will be quietly ignored, DNSBLs already get a lot of crap
>>> queries, and they should return an NXDOMAIN by default.
>>
>> Matthias Leisi said list.dnswl.org is also planning to do IPv6, "to
>> adapt to the changing landscape of whitelisting", and
>> "implementation should start towards the end of Q1/2011 the

Re: [courier-users] Whitelist filtering

2010-09-30 Thread Alessandro Vesely
On 29/Sep/10 23:56, Sam Varshavchik wrote:
> Alessandro Vesely writes:
>> Renaming can be done conveniently in submit, along with
>> "Old-Return-Path" and "Old-Received-SPF".
>
> Yes, I see that. This would mean that handling of the environment
> variables from couriertcpd would need to be done in submit rather than
> courieresmtpd, and arrangements will have to be made to preserve the
> environment variables for submit.

OTOH, if those lines are placed /before/ Courier's "Received", filters 
can be smart enough to discern their origin.  (The only difficulty 
--if local filtering is enabled-- is to skip any "Received: from 
localhost", for that determination.)

> It makes no sense to have similar functionality in two places, and
> to be consisted it would have to be Old-X-DNSBL.

The "X-" prefix itself is not needed.  That naming convention has been 
dropped in the passage from RFC 822 to RFC 2822.

-- 



--
Start uncovering the many advantages of virtual appliances
and start using them to simplify application deployment and
accelerate your shift to cloud computing.
http://p.sf.net/sfu/novell-sfdev2dev
___
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users


Re: [courier-users] Whitelist filtering

2010-09-29 Thread Sam Varshavchik

Alessandro Vesely writes:


On 28/Sep/10 23:18, Sam Varshavchik wrote:

Alessandro Vesely writes:

An alternative is to define skiplists explicitly, e.g.

-allow=swl.spamhaus.org,ALLOW \
-block=zen.spamhaus.org,BLOCK,"550 Reject ip=@" \
-block=some.other.example,BLOCK2 \
-skipif=ALLOW,BLOCK,BLOCK2

In this case "-allow" is exactly a synonym of "-block", because it
feels ugly to say "block" for a whitelist.


This looks more reasonable. [...]

-skipif looks cleaner. Also, the lookup will be skipped anyway, if its
environment variable is already set, so this is backwards compatible.


That's also my opinion.  (It would be nice to hear some other user, 
though.)



Do we need an additional comma to specify whether the list is
(supposed to be) IPv6 capable?


I don't think it will be necessary. IPv6 addresses should
automatically format an IPv6 query. An IPv6-formatted query to an IPv4
list will be quietly ignored, DNSBLs already get a lot of crap
queries, and they should return an NXDOMAIN by default.


Matthias Leisi said list.dnswl.org is also planning to do IPv6, "to 
adapt to the changing landscape of whitelisting", and "implementation 
should start towards the end of Q1/2011 the latest."


In order to avoid noise, we may assume as a rule --until a counter 
example arises-- that white lists do IPv6 while black ones don't, 
however coincidental it may be.  In any case, we cannot do IPv6 
queries until they publish their syntax.  (I've found an "ugly 
example" in http://tools.ietf.org/html/rfc5782#section-2.4)


Another difference between "-block" and "-allow" may be to change the 
default variable name to something different from BLOCK, just to avoid 
rude surprises.


The logical choice, of course, would be ALLOW.

In that case, the logical default for -skipif would be "BLOCK,ALLOW". I 
think this provides meaningful defaults and minimizes the number of settings 
for the most common use cases.




This would be syntactical sugar. couriertcpd doesn't know anything
about the daemon it spawns for each connection. couriertcpd would use
this to set a private list of environment variables:

_HEADER1="Blacklist: "
_HEADER2="Whitelist: "


"" is the content of the relevant environment variable, 
including substitution of '@' with the IP number, correct?


Yes, couriertcpd already constructs the message, either from the DNSBL 
itself or by providing a stock message of its own.



courieresmtpd can read these variables from the environment, prefix
each one's contents by "X-DNSBL-" and prefix it to every received
message. It would also need to take any existing "X-DNSBL-" header in
the received message and rename it to "X-Old-DNSBL-".


Renaming can be done conveniently in submit, along with 
"Old-Return-Path" and "Old-Received-SPF".


Yes, I see that. This would mean that handling of the environment variables 
from couriertcpd would need to be done in submit rather than courieresmtpd, 
and arrangements will have to be made to preserve the environment variables 
for submit. It makes no sense to have similar functionality in two places, 
and to be consisted it would have to be Old-X-DNSBL.




pgpGR9kU6aBcS.pgp
Description: PGP signature
--
Start uncovering the many advantages of virtual appliances
and start using them to simplify application deployment and
accelerate your shift to cloud computing.
http://p.sf.net/sfu/novell-sfdev2dev___
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users


Re: [courier-users] Whitelist filtering

2010-09-29 Thread Alessandro Vesely
On 28/Sep/10 23:18, Sam Varshavchik wrote:
> Alessandro Vesely writes:
>> An alternative is to define skiplists explicitly, e.g.
>>
>> -allow=swl.spamhaus.org,ALLOW \
>> -block=zen.spamhaus.org,BLOCK,"550 Reject ip=@" \
>> -block=some.other.example,BLOCK2 \
>> -skipif=ALLOW,BLOCK,BLOCK2
>>
>> In this case "-allow" is exactly a synonym of "-block", because it
>> feels ugly to say "block" for a whitelist.
>
> This looks more reasonable. [...]
>
> -skipif looks cleaner. Also, the lookup will be skipped anyway, if its
> environment variable is already set, so this is backwards compatible.

That's also my opinion.  (It would be nice to hear some other user, 
though.)

>> Do we need an additional comma to specify whether the list is
>> (supposed to be) IPv6 capable?
>
> I don't think it will be necessary. IPv6 addresses should
> automatically format an IPv6 query. An IPv6-formatted query to an IPv4
> list will be quietly ignored, DNSBLs already get a lot of crap
> queries, and they should return an NXDOMAIN by default.

Matthias Leisi said list.dnswl.org is also planning to do IPv6, "to 
adapt to the changing landscape of whitelisting", and "implementation 
should start towards the end of Q1/2011 the latest."

In order to avoid noise, we may assume as a rule --until a counter 
example arises-- that white lists do IPv6 while black ones don't, 
however coincidental it may be.  In any case, we cannot do IPv6 
queries until they publish their syntax.  (I've found an "ugly 
example" in http://tools.ietf.org/html/rfc5782#section-2.4)

Another difference between "-block" and "-allow" may be to change the 
default variable name to something different from BLOCK, just to avoid 
rude surprises.

 2.
>>>
>>> I think that the best way is to record this metadata into an
>>> additional header, than the filter can check. Thinking it over in my
>>> ahead, I think this would be the easiest approach, and all the change
>>> can be bundled in courieresmtpd, so that the command line sendmail
>>> injection point, or the shared codepath between the two, does not need
>>> to be overengineered for that.
>>
>> At first glance courieresmtpd doesn't seem to delve into
>> distinguishing header from body.
>
> It doesn't. It only needs to write new headers to submit before it
> sends the original message body.

Ah, I hadn't thought about that.  That way, it will correctly place 
the new fields on the top (right after Courier's "Received", IIRC).

> It will need to mask off any existing headers with the same name,
> though. This is fairly easy and does not require complicated
> parsing.

Agreed, using a prefix makes it clear.

> I think that similar to -skipif, you can specify variable name/header
> name pairs by a new option:
>
> -header BLOCK,Blacklist \
> -header ALLOW,Whitelist
>
> This would be syntactical sugar. couriertcpd doesn't know anything
> about the daemon it spawns for each connection. couriertcpd would use
> this to set a private list of environment variables:
>
> _HEADER1="Blacklist: "
> _HEADER2="Whitelist: "

"" is the content of the relevant environment variable, 
including substitution of '@' with the IP number, correct?

> The environment variables would be named _HEADERn, beginning at 1.
>
> courieresmtpd can read these variables from the environment, prefix
> each one's contents by "X-DNSBL-" and prefix it to every received
> message. It would also need to take any existing "X-DNSBL-" header in
> the received message and rename it to "X-Old-DNSBL-".

Renaming can be done conveniently in submit, along with 
"Old-Return-Path" and "Old-Received-SPF".

> A global mail filter could then look for "X-DNSBL-" headers.

This looks fine to me.  The name will have to be confirmed in the 
filter's config file anyway.

For a nit, the "B" in "X-DNSBL-" is wrong.  RFC 5782 uses "DNSxL", but 
such term doesn't seem to be widely used outside the ASRG.

>> A more generic approach could be to dump the whole environment to
>> the ctlfile, in submit, just before closing it and only if filters
>> are enabled, prepending, say, COMCTLFILE_ENVVAR before each line.
>> This would also work for a bunch of corner cases, e.g. a filter
>> wondering whether an authsmtp message came in via the MSA port. This
>> may result in a size increase of around 1300 bytes, at mines; some
>> known variables (PATH, SHELL, SHLVL, PWD, _) may be omitted.
>
> The environment is sanitized before submit gets invoked.

Yup, that's why it may be cool to dump it.  Nevertheless, bash adds 
some variables for its own use.  I collected the parenthesized name 
list above from /proc//environ.

>>> I do not understand what the problem is. Wildcard DNS entries will
>>> work fine. You just put a wildcard record for the /64. End of story.
>>
>> IMHO, even assuming that such granularity is not too coarse, the
>> remaining 64 bits still provide for a too huge address space for the
>> whack-a-mole game.
>
> An ISP allocates a /64 for each customer. A /64 is a reasonable
> starting

Re: [courier-users] Whitelist filtering

2010-09-28 Thread Sam Varshavchik

Alessandro Vesely writes:

Hm... one possibility is to modify the "-block" syntax by appending a 
list of environment variables that prevent the lookup.  E.g.


   -block=zen.spamhaus.org,BLOCK,"550 Reject ip=@",ALLOW,ALLOW2 \
   -allow=swl.spamhaus.org,ALLOW

where "-allow" has the same syntax of "-block", but new entries are 
pushed onto the head of the list rather than appended to its tail.


An alternative is to define skiplists explicitly, e.g.

   -allow=swl.spamhaus.org,ALLOW \
   -block=zen.spamhaus.org,BLOCK,"550 Reject ip=@" \
   -block=some.other.example,BLOCK2 \
   -skipif=ALLOW,BLOCK,BLOCK2

In this case "-allow" is exactly a synonym of "-block", because it 
feels ugly to say "block" for a whitelist.


This looks more reasonable. Appending environment variables after the 
message string won't work very well. In some case the message string is not 
specified, and the one returned from DNS gets used. Furthermore, an explicit 
message string cannot contain commas. Quotes get parsed by the shell, the 
whole option setting is parsed as a single string, and there are plenty of 
message strings out there on the order of "550 Go away, and see 
http://whatever";. Banning a comma in the message strings will break many 
people.


-skipif looks cleaner. Also, the lookup will be skipped anyway, if its 
environment variable is already set, so this is backwards compatible.


service starting in 2011".  Do we need an additional comma to specify 
whether the list is (supposed to be) IPv6 capable?


I don't think it will be necessary. IPv6 addresses should automatically 
format an IPv6 query. An IPv6-formatted query to an IPv4 list will be 
quietly ignored, DNSBLs already get a lot of crap queries, and they should 
return an NXDOMAIN by default.





2. A mechanism to pass (some of) these variables to global filters.
(Values /from/ global filters can be set via header fields, but
variable-passing can also be devised to work both ways.)


I think that the best way is to record this metadata into an
additional header, than the filter can check. Thinking it over in my
ahead, I think this would be the easiest approach, and all the change
can be bundled in courieresmtpd, so that the command line sendmail
injection point, or the shared codepath between the two, does not need
to be overengineered for that.


At first glance courieresmtpd doesn't seem to delve into 
distinguishing header from body.


It doesn't. It only needs to write new headers to submit before it sends the 
original message body. It will need to mask off any existing headers with 
the same name, though. This is fairly easy and does not require complicated 
parsing.


 At any rate, yes, adding to the 
header may work for this specific case.  The additional field, say


   X-Whitelisted-By: swl.spamhaus.org

will remain attached to the message, and thus might also be used by 
client software to avoid discarding important messages.  However, this 
header field has to be guarded against cheats already present in the 
original message.  If the field name is specified on the command line, 
e.g. as


   -allow=swl.spamhaus.org,ALLOW,"X-Whitelisted-By: swl.spamhaus.org"

checking for cheats may become quite cumbersome.


I think that similar to -skipif, you can specify variable name/header name 
pairs by a new option:


 -header BLOCK,Blacklist \
 -header ALLOW,Whitelist

This would be syntactical sugar. couriertcpd doesn't know anything about the 
daemon it spawns for each connection. couriertcpd would use this to 
set a private list of environment variables:


_HEADER1="Blacklist: "
_HEADER2="Whitelist: "

The environment variables would be named _HEADERn, beginning at 1.

courieresmtpd can read these variables from the environment, prefix each 
one's contents by "X-DNSBL-" and prefix it to every received message. It 
would also need to take any existing "X-DNSBL-" header in the received 
message and rename it to "X-Old-DNSBL-".


A global mail filter could then look for "X-DNSBL-" headers.

A more generic approach could be to dump the whole environment to the 
ctlfile, in submit, just before closing it and only if filters are 
enabled, prepending, say, COMCTLFILE_ENVVAR before each line.  This 
would also work for a bunch of corner cases, e.g. a filter wondering 
whether an authsmtp message came in via the MSA port.  This may result 
in a size increase of around 1300 bytes, at mines; some known 
variables (PATH, SHELL, SHLVL, PWD, _) may be omitted.


The environment is sanitized before submit gets invoked.


I do not understand what the problem is. Wildcard DNS entries will
work fine. You just put a wildcard record for the /64. End of story.


IMHO, even assuming that such granularity is not too coarse, the 
remaining 64 bits still provide for a too huge address space for the 
whack-a-mole game.


An ISP allocates a /64 for each customer. A /64 is a reasonable starting 
point.





pgpAE4cOYEskn.pgp
Description: PGP sign

Re: [courier-users] Whitelist filtering

2010-09-28 Thread Alessandro Vesely
On 28/Sep/10 00:00, Sam Varshavchik wrote:
> Alessandro Vesely writes:
>> I think we may additionally need two things:
>>
>> 1. A mechanism to skip performing some lookups in case some other
>> ones already succeeded. Currently, only if a given variable is
>> already set, the corresponding lookup is skipped.
>
> This seems trivial. The lookup can also be skipped if some other
> variable is also already set. The whitelists can be arranged to be
> looked up first, followed by blacklists.

You mean "can be arranged" by properly setting the configuration file? 
  Blocklists are currently checked respecting the order they have been 
defined.

> The real challenge here is to come up with a sane syntax to specify
> all of this.

Hm... one possibility is to modify the "-block" syntax by appending a 
list of environment variables that prevent the lookup.  E.g.

   -block=zen.spamhaus.org,BLOCK,"550 Reject ip=@",ALLOW,ALLOW2 \
   -allow=swl.spamhaus.org,ALLOW

where "-allow" has the same syntax of "-block", but new entries are 
pushed onto the head of the list rather than appended to its tail.

An alternative is to define skiplists explicitly, e.g.

   -allow=swl.spamhaus.org,ALLOW \
   -block=zen.spamhaus.org,BLOCK,"550 Reject ip=@" \
   -block=some.other.example,BLOCK2 \
   -skipif=ALLOW,BLOCK,BLOCK2

In this case "-allow" is exactly a synonym of "-block", because it 
feels ugly to say "block" for a whitelist.

In the future, the SWL may have IPv6 capabilities --according to their 
techfaq, "IPv6 handling is not yet active.  Spamhaus estimates IPv6 
service starting in 2011".  Do we need an additional comma to specify 
whether the list is (supposed to be) IPv6 capable?

>> 2. A mechanism to pass (some of) these variables to global filters.
>> (Values /from/ global filters can be set via header fields, but
>> variable-passing can also be devised to work both ways.)
>
> I think that the best way is to record this metadata into an
> additional header, than the filter can check. Thinking it over in my
> ahead, I think this would be the easiest approach, and all the change
> can be bundled in courieresmtpd, so that the command line sendmail
> injection point, or the shared codepath between the two, does not need
> to be overengineered for that.

At first glance courieresmtpd doesn't seem to delve into 
distinguishing header from body.  At any rate, yes, adding to the 
header may work for this specific case.  The additional field, say

   X-Whitelisted-By: swl.spamhaus.org

will remain attached to the message, and thus might also be used by 
client software to avoid discarding important messages.  However, this 
header field has to be guarded against cheats already present in the 
original message.  If the field name is specified on the command line, 
e.g. as

   -allow=swl.spamhaus.org,ALLOW,"X-Whitelisted-By: swl.spamhaus.org"

checking for cheats may become quite cumbersome.

A more generic approach could be to dump the whole environment to the 
ctlfile, in submit, just before closing it and only if filters are 
enabled, prepending, say, COMCTLFILE_ENVVAR before each line.  This 
would also work for a bunch of corner cases, e.g. a filter wondering 
whether an authsmtp message came in via the MSA port.  This may result 
in a size increase of around 1300 bytes, at mines; some known 
variables (PATH, SHELL, SHLVL, PWD, _) may be omitted.


> I do not understand what the problem is. Wildcard DNS entries will
> work fine. You just put a wildcard record for the /64. End of story.

IMHO, even assuming that such granularity is not too coarse, the 
remaining 64 bits still provide for a too huge address space for the 
whack-a-mole game.  But then you're right that someone may still run 
an IPv6 DNSBL, and it seems wise to plan a syntax that would allow to 
use it.

> *.00.00.27.0c.03.05.01.20.blacklist.example.com TXT "Whatever"
>
> This presumes that, for consistency, hex is used at the octet-level
> granularity for IPv6. Decimal can be used equally well.

Probably that's the kind of decisions Spamhaus still has to make, 
since they have not given an IPv6 query example yet.


-- 



--
Start uncovering the many advantages of virtual appliances
and start using them to simplify application deployment and
accelerate your shift to cloud computing.
http://p.sf.net/sfu/novell-sfdev2dev
___
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users


Re: [courier-users] Whitelist filtering

2010-09-27 Thread Sam Varshavchik

Alessandro Vesely writes:


I think we may additionally need two things:

1. A mechanism to skip performing some lookups in case some other ones 
already succeeded.  Currently, only if a given variable is already 
set, the corresponding lookup is skipped.


This seems trivial. The lookup can also be skipped if some other variable is 
also already set. The whitelists can be arranged to be looked up first, 
followed by blacklists.


The real challenge here is to come up with a sane syntax to specify all of 
this.


2. A mechanism to pass (some of) these variables to global filters. 
(Values /from/ global filters can be set via header fields, but 
variable-passing can also be devised to work both ways.)


I think that the best way is to record this metadata into an additional 
header, than the filter can check. Thinking it over in my ahead, I think 
this would be the easiest approach, and all the change can be bundled in 
courieresmtpd, so that the command line sendmail injection point, or the 
shared codepath between the two, does not need to be overengineered for 
that.


Spamhaus have announced their whitelist as the dawn of a new era.  In 
facts, the IPv4 is on the ropes and DNSBL technology cannot go to IPv6 
as-is. (Let me quote just one phrase from John Levine, 26 Aug 2009:


   At one address per millisecond, it would take 500 million years to
   run through a /64.
  http://www.ietf.org/mail-archive/web/asrg/current/msg15743.html)


I do not understand what the problem is. Wildcard DNS entries will work 
fine. You just put a wildcard record for the /64. End of story.


Let's blacklist j.root-servers.net:

j.root-servers.net. 401788  IN  2001:503:c27::2:30

Expanding this gives 2001:0503:0c27:/64. I can't think of any reason why 
this cannot be recorded as


*.00.00.27.0c.03.05.01.20.blacklist.example.com TXT "Whatever"

This presumes that, for consistency, hex is used at the octet-level 
granularity for IPv6. Decimal can be used equally well.


I see no reason why this won't work.





pgpJY4gKWHAhO.pgp
Description: PGP signature
--
Start uncovering the many advantages of virtual appliances
and start using them to simplify application deployment and
accelerate your shift to cloud computing.
http://p.sf.net/sfu/novell-sfdev2dev___
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users