Re: pre-queue spam check
On Wed, Apr 08, 2015 at 04:10:22PM +0200, Joerg Jung wrote: The longer I think about it (while looking at the existing filter code), the more I come to the conclusion that I just should sit down tonight and write this missing SA filter. Based on the existing filters in -extras and the code from http://www.benzedrine.ch/milter-spamd.html a SA filter should be straightforward to implement. So, unfortunately I had not much time tonight, hence I started with a rather simple filter as finger exercise: a pause on connect, wait some seconds before the initial 220. Idea borrowed from Sendmails greet_pause feature [1] which I think is worthwhile to keep (some) spammers away. Diff below attached, slightly tested in a local filter chain setup. I do not have a github account on purpose, so no pull request from me. Feel free to commit the patch. I will see if I find some time by the end of the week to write the missing SpamAssassin and ClamAV filter. Thanks, Regards, Joerg [1] http://www.deer-run.com/~hal/sysadmin/greet_pause.html diff --git a/extras/filters/Makefile b/extras/filters/Makefile index c62a112..2b7698b 100644 --- a/extras/filters/Makefile +++ b/extras/filters/Makefile @@ -4,6 +4,7 @@ SUBDIR += filter-dkim-signer SUBDIR += filter-dnsbl #SUBDIR+= filter-lua SUBDIR += filter-monkey +SUBDIR += filter-pause SUBDIR += filter-perl SUBDIR += filter-python SUBDIR += filter-stub diff --git a/extras/filters/filter-pause/Makefile b/extras/filters/filter-pause/Makefile new file mode 100644 index 000..658cdb2 --- /dev/null +++ b/extras/filters/filter-pause/Makefile @@ -0,0 +1,4 @@ +PROG= filter-pause +SRCS= filter_pause.c + +.include bsd.prog.mk diff --git a/extras/filters/filter-pause/filter_pause.c b/extras/filters/filter-pause/filter_pause.c new file mode 100644 index 000..7f8a3f0 --- /dev/null +++ b/extras/filters/filter-pause/filter_pause.c 
@@ -0,0 +1,78 @@ +/* $OpenBSD$ */ + +/* + * Copyright (c) 2015 Joerg Jung j...@openbsd.org + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED AS IS AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include sys/types.h + +#include inttypes.h +#include stdio.h +#include unistd.h + +#include smtpd-defines.h +#include smtpd-api.h +#include log.h + +static unsigned int pause_seconds = 5; + +static int +pause_on_connect(uint64_t id, struct filter_connect *conn) +{ + unsigned int r; + + log_debug(debug: filter-pause: sleeping %u, pause_seconds); + + if ((r = sleep(pause_seconds)) != 0) + log_warnx(filter-pause: wakeup %u seconds too early, r); + + return filter_api_accept(id); +} + +int +main(int argc, char **argv) +{ + int ch; + const char *errstr, *s = NULL; + log_init(-1); + + while ((ch = getopt(argc, argv, s:)) != -1) { + switch (ch) { + case 's': + s = optarg; + break; + default: + log_warnx(warn: filter-pause: bad option); + return (1); + /* NOTREACHED */ + } + } + argc -= optind; + argv += optind; + + if (s) { /* RFC 5321 4.5.3.2 Initial 220 Message: 5 Minutes */ + pause_seconds = strtonum(s, 1, 300, errstr); + if (errstr) + fatalx(filter-pause: seconds option is %s: %s, errstr, s); + } + + log_debug(debug: filter-pause: starting...); + + filter_api_on_connect(pause_on_connect); + filter_api_loop(); + log_debug(debug: filter-pause: 
exiting); + + return (1); +} -- You received this mail because you are subscribed to misc@opensmtpd.org To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
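Review bot: In pause_on_connect() in filter_pause.c, sleep(pause_seconds) runs synchronously inside the connect callback that filter_api_loop() dispatches, so while it sleeps this process cannot service any other session. Every connect that arrives during a pause waits behind it, and with the permitted maximum of 300 seconds a handful of simultaneous connects would stall the filter for many minutes. Suggest arming a per-session timer keyed on id and calling filter_api_accept(id) from the timer handler instead of sleeping in the callback. The -s option and its 1 to 300 range are also documented only by the RFC 5321 comment in main(); a usage message or man page entry would help.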
Re: Slight correction on Does anyone else have an issue establishing a starttls to this host.
On Wed, 08 Apr 2015 13:27:48 -0700 Seth wrote:

Do you have a test email address we can try sending something to which
uses that server?

Sent privately

Also, whether this hangs

  /usr/bin/openssl s_client -connect mx5.demon.co.uk:25 -starttls smtp -CAfile /etc/ssl/cert.pem

Starttls.info gives it a crappy score BTW

Protocol
  Supports SSLV2. More info.
  Supports SSLV3.

That probably explains a lot and makes me feel better too, Thanks
Re: pre-queue spam check
On Wed, Apr 08, 2015 at 11:44:04AM +0200, Joerg Jung wrote:
> Hi,

Hi,

[...]

> I know about clamsmtp, spampd etc. which check/tag *after* queuing.
> But since I prefer not to annoy my users with quarantine
> (web-interfaces), ***SPAM*** subjects, spam folders, or similar things
> I want to ask: Is there any chance to filter/check for spam *before*
> queueing with opensmtpd?

Well, one way would be to put spampd in front of OpenSMTPD and have it
process all mail before passing it to the MTA.

> Side note: It looks like some lawyers say, once it is queued one is
> not allowed to delete (silently).

Yes, the goal of opensmtpd is to take all necessary steps to ensure that
mails don't get lost so once in queue, it HAS to be delivered somewhere,
or a mailer daemon has to be generated.

> With my old milter setup (spam) mail is blocked by sendmail if
> spamassassin/clamav says so and *not* queued.

Well, you could write a filter to reject the message if the body contains
a header set by spamassassin/clamav and achieve the same.

> I do not need to stick with spamassassin, switching to dspam,
> mailscanner, rspamd, whatever would be okay, as long as I find an easy
> way to scan before queueing.
>
> In fact I played with dspam as it does not rely on additional daemons
> like clamsmtp and spampd and can speak LMTP directly with opensmtpd
> (while also calling clamav on its own). Thus this would really simplify
> the setup. But for the queueing I need something like:
>
>   accept from any for domain domains virtual users no queue relay via lmtp://127.0.0.1:2525
>
> while returning the error code of LMTP session back to sender... I
> guess this is not possible?
>
> Side question: it is not possible to relay via LMTP to local unix
> domain socket instead of IP socket, right? e.g.:
>
>   ... relay via lmtp:///var/dspam/dspam.sock

only when using deliver to lmtp (see man smtpd.conf)

> I know about opensmtpd-extras and have seen the filters, but these are
> not yet enabled and ready for production, right?
>
> Writing my own filter to check spam (similar as milter does) seems to
> be possible and I think I have the C skills to handle this. But since
> this is a production server I need something stable, e.g. can not
> rewrite the filter every n months to adjust the needs for the (not yet
> enabled) unstable API.

true

> I also know about spamd, but that is not really an option for now as
> the server speaks v6 and STARTTLS, moreover I have legacy users which
> AUTH on port 25 as well. This does not play well with spamd. I also
> scan outgoing mails, as I really do not trust the users.
>
> Any hints and insights are welcome, maybe someone has a similar setup?

I don't ;-)

-- 
Gilles Chehade
https://www.poolp.org @poolpOrg
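One way to implement the header check suggested in the reply above, as an added example that is not part of the original mail and not OpenSMTPD code. It assumes the scanner placed in front adds SpamAssassin's X-Spam-Flag: YES header; the function names, the verdict enum, the reply texts and the sample messages are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

enum verdict { V_ACCEPT, V_REJECT };	/* hypothetical names */

/* Constructed samples: scanner-tagged spam, and ham that only quotes the tag. */
static const char spam_msg[] =
    "Received: from mx.example.org\r\n"
    "Subject: cheap pills\r\n"
    "x-spam-flag:  yes\r\n"
    "\r\nbuy now\r\n";
static const char ham_msg[] =
    "Subject: why was my mail tagged\n"
    " X-Spam-Flag: YES\n"		/* folded Subject continuation */
    "X-Spam-Flag: NO\n"
    "\nX-Spam-Flag: YES\n";		/* body text, not a header */

/*
 * Scan only the header block (everything before the first empty line) for
 * "X-Spam-Flag: YES". The name is matched case-insensitively at column 0,
 * so folded continuation lines and look-alike body text are ignored.
 */
enum verdict spam_flag_verdict(const char *msg)
{
	static const char name[] = "X-Spam-Flag:";
	const size_t nlen = sizeof(name) - 1;
	const char *p = msg, *v, *end, *val;

	while (*p != '\0') {
		end = p + strcspn(p, "\n");	/* end of this line */
		v = (end > p && end[-1] == '\r') ? end - 1 : end; /* CRLF or LF */
		if (v == p)			/* blank line: headers are over */
			break;
		if ((size_t)(v - p) >= nlen && strncasecmp(p, name, nlen) == 0) {
			val = p + nlen;
			while (val < v && (*val == ' ' || *val == '\t'))
				val++;
			if (v - val >= 3 && strncasecmp(val, "YES", 3) == 0 &&
			    (val + 3 == v || isspace((unsigned char)val[3])))
				return V_REJECT;
		}
		p = (*end == '\n') ? end + 1 : end;
	}
	return V_ACCEPT;
}

/* Reply a pre-queue filter would give the sending client (example texts). */
const char *smtp_reply(enum verdict v)
{
	return v == V_REJECT ? "550 5.7.1 Message rejected as spam" : "250 2.0.0 Ok";
}

int main(void)
{
	printf("spam sample: %s\n", smtp_reply(spam_flag_verdict(spam_msg)));
	printf("ham sample:  %s\n", smtp_reply(spam_flag_verdict(ham_msg)));
	return 0;
}
```

Returning the 550 during the SMTP session is what keeps the message out of the queue, so the sender gets the rejection instead of the message being dropped later.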
pre-queue spam check
Hi,

I'm in the middle of migrating a rather large existing openbsd setup
with sendmail+milter, spamassassin, clamav, and dovecot as well as
virtual users to a similar opensmtpd setup.

Now I am stuck a bit with the spam/virus checking.

I know about clamsmtp, spampd etc. which check/tag *after* queuing.
But since I prefer not to annoy my users with quarantine
(web-interfaces), ***SPAM*** subjects, spam folders, or similar things
I want to ask: Is there any chance to filter/check for spam *before*
queueing with opensmtpd?

Side note: It looks like some lawyers say, once it is queued one is not
allowed to delete (silently).

With my old milter setup (spam) mail is blocked by sendmail if
spamassassin/clamav says so and *not* queued.

I do not need to stick with spamassassin, switching to dspam,
mailscanner, rspamd, whatever would be okay, as long as I find an easy
way to scan before queueing.

In fact I played with dspam as it does not rely on additional daemons
like clamsmtp and spampd and can speak LMTP directly with opensmtpd
(while also calling clamav on its own). Thus this would really simplify
the setup. But for the queueing I need something like:

  accept from any for domain domains virtual users no queue relay via lmtp://127.0.0.1:2525

while returning the error code of LMTP session back to sender... I guess
this is not possible?

Side question: it is not possible to relay via LMTP to local unix domain
socket instead of IP socket, right? e.g.:

  ... relay via lmtp:///var/dspam/dspam.sock

I know about opensmtpd-extras and have seen the filters, but these are
not yet enabled and ready for production, right?

Writing my own filter to check spam (similar as milter does) seems to be
possible and I think I have the C skills to handle this. But since this
is a production server I need something stable, e.g. can not rewrite the
filter every n months to adjust the needs for the (not yet enabled)
unstable API.

I also know about spamd, but that is not really an option for now as the
server speaks v6 and STARTTLS, moreover I have legacy users which AUTH
on port 25 as well. This does not play well with spamd. I also scan
outgoing mails, as I really do not trust the users.

Any hints and insights are welcome, maybe someone has a similar setup?

Thanks,
Regards,
Joerg
Re: OpenSMTPd Headache
On Tue, Apr 07, 2015 at 07:38:51PM +0200, Antoine Michard wrote:
> Hi all,
>
> I'm Antoine, from France and I try to be good in sysadmin on FreeBSD
>
> Since yesterday, I try to configure my fresh OpenSMTPd daemon :)
> New server, new configuration (lastest use Postfix + MySQL)
>
> First, OpenSMTPd (and email almost) is not very easy to understand,
> and every app have their headache style...
>
> So, just for beginning, I've try successfully to make a local relay,
> here my config:
>
> cat /usr/local/etc/mail/aliases
> root:m...@myotherdomain.com
> admin:m...@myotherdomain.com
> icinga:m...@myotherdomain.com
>
> #cat /usr/local/etc/mail/smtpd.conf
> listen on lo0
> listen on bge0 hostname mx.mydomain.net
> table aliases file:/usr/local/etc/mail/aliases
> accept from any for domain mydomain.net alias aliases deliver to maildir
> accept for local alias aliases deliver to maildir
> accept for any relay
>
> Everything work fine, except all email from shell will send with my
> own user (me). With root, with other user, with icinga user except for
> cron (root user).
>
> This is from root:
>
> # echo test | mail -v -s OpenSMTPd Test ad...@mydomain.net
> 220 mydomain.net ESMTP OpenSMTPD
> EHLO localhost
> 250-mydomain.net Hello localhost [local], pleased to meet you
> 250-8BITMIME
> 250-ENHANCEDSTATUSCODES
> 250-SIZE 36700160
> 250 HELP
> MAIL FROM:m...@mydomain.net
> 250 2.0.0: Ok
> RCPT TO:ad...@mydomain.net
> 250 2.1.5 Destination address valid: Recipient ok
> DATA
> 354 Enter mail, end with . on a line by itself
> .
> 250 2.0.0: d29a31ef Message accepted for delivery
> QUIT
> 221 2.0.0: Bye
>
> From Icinga user:
>
> # su -m icinga
> % echo test | mail -v -s OpenSMTPd Test ad...@mydomain.net
> 220 mydomain.net ESMTP OpenSMTPD
> EHLO localhost
> 250-mydomain.net Hello localhost [local], pleased to meet you
> 250-8BITMIME
> 250-ENHANCEDSTATUSCODES
> 250-SIZE 36700160
> 250 HELP
> MAIL FROM:m...@mydomain.net
> 250 2.0.0: Ok
> RCPT TO:ad...@mydomain.netr
> 250 2.1.5 Destination address valid: Recipient ok
> DATA
> 354 Enter mail, end with . on a line by itself
> .
> 250 2.0.0: 308fd296 Message accepted for delivery
> QUIT
> 221 2.0.0: Bye
>
> I receive correctly the email to my alias mail ( m...@myotherdomain.com )
> but with wrong email ( m...@mydomain.net instead of root or icinga)
>
> And I really, really don't know why !! My personal nightmare...
> I search on Google, on FreeBSD Handbook, on OpenSMTPd manual, etc...
> I search how mail choose user to use for mailfrom. I found nothing !!! :'(
>
> Icinga daemon alert me with my own email :-/
> And for no reason (it is not the purpose of this mail), but php mailer
> don't work :-/
>
> I found just one thing, how define default domain
> ( /usr/local/etc/mail/mailname )
> Since, every mail will send with @mydomain.net instead of localhost.
> Great, I made it !
>
> Can you help me to resolve this mystery ??? :)
> Because later, I would like to make ssl/tls smtp, with auth and
> Dovecot/lmp and if I can't resolve this... I think I can't resolve all
> mystery will be come...

Can you open a bug report on https://github.com/OpenSMTPD/OpenSMTPD ?

Make sure to mention which version of OpenSMTPD you are using.

There is no mystery, a bug was introduced, then fixed, but since I don't
know which version you are running, I don't know if you are running with
this bug or if you found a new one.

-- 
Gilles Chehade
https://www.poolp.org @poolpOrg
Re: OpenSMTPd Headache
For your information:

# smtpd -vd
debug: init ssl-tree
info: OpenSMTPD 5.4.4p1 starting

I will make a bug report on GitHub soon

Thx for help

2015-04-08 10:12 GMT+02:00 Gilles Chehade gil...@poolp.org:
> On Tue, Apr 07, 2015 at 07:38:51PM +0200, Antoine Michard wrote:
>> Hi all,
>>
>> I'm Antoine, from France and I try to be good in sysadmin on FreeBSD
>>
>> Since yesterday, I try to configure my fresh OpenSMTPd daemon :)
>> New server, new configuration (lastest use Postfix + MySQL)
>>
>> First, OpenSMTPd (and email almost) is not very easy to understand,
>> and every app have their headache style...
>>
>> So, just for beginning, I've try successfully to make a local relay,
>> here my config:
>>
>> cat /usr/local/etc/mail/aliases
>> root:m...@myotherdomain.com
>> admin:m...@myotherdomain.com
>> icinga:m...@myotherdomain.com
>>
>> #cat /usr/local/etc/mail/smtpd.conf
>> listen on lo0
>> listen on bge0 hostname mx.mydomain.net
>> table aliases file:/usr/local/etc/mail/aliases
>> accept from any for domain mydomain.net alias aliases deliver to maildir
>> accept for local alias aliases deliver to maildir
>> accept for any relay
>>
>> Everything work fine, except all email from shell will send with my
>> own user (me). With root, with other user, with icinga user except for
>> cron (root user).
>>
>> This is from root:
>>
>> # echo test | mail -v -s OpenSMTPd Test ad...@mydomain.net
>> 220 mydomain.net ESMTP OpenSMTPD
>> EHLO localhost
>> 250-mydomain.net Hello localhost [local], pleased to meet you
>> 250-8BITMIME
>> 250-ENHANCEDSTATUSCODES
>> 250-SIZE 36700160
>> 250 HELP
>> MAIL FROM:m...@mydomain.net
>> 250 2.0.0: Ok
>> RCPT TO:ad...@mydomain.net
>> 250 2.1.5 Destination address valid: Recipient ok
>> DATA
>> 354 Enter mail, end with . on a line by itself
>> .
>> 250 2.0.0: d29a31ef Message accepted for delivery
>> QUIT
>> 221 2.0.0: Bye
>>
>> From Icinga user:
>>
>> # su -m icinga
>> % echo test | mail -v -s OpenSMTPd Test ad...@mydomain.net
>> 220 mydomain.net ESMTP OpenSMTPD
>> EHLO localhost
>> 250-mydomain.net Hello localhost [local], pleased to meet you
>> 250-8BITMIME
>> 250-ENHANCEDSTATUSCODES
>> 250-SIZE 36700160
>> 250 HELP
>> MAIL FROM:m...@mydomain.net
>> 250 2.0.0: Ok
>> RCPT TO:ad...@mydomain.netr
>> 250 2.1.5 Destination address valid: Recipient ok
>> DATA
>> 354 Enter mail, end with . on a line by itself
>> .
>> 250 2.0.0: 308fd296 Message accepted for delivery
>> QUIT
>> 221 2.0.0: Bye
>>
>> I receive correctly the email to my alias mail ( m...@myotherdomain.com )
>> but with wrong email ( m...@mydomain.net instead of root or icinga)
>>
>> And I really, really don't know why !! My personal nightmare...
>> I search on Google, on FreeBSD Handbook, on OpenSMTPd manual, etc...
>> I search how mail choose user to use for mailfrom. I found nothing !!! :'(
>>
>> Icinga daemon alert me with my own email :-/
>> And for no reason (it is not the purpose of this mail), but php mailer
>> don't work :-/
>>
>> I found just one thing, how define default domain
>> ( /usr/local/etc/mail/mailname )
>> Since, every mail will send with @mydomain.net instead of localhost.
>> Great, I made it !
>>
>> Can you help me to resolve this mystery ??? :)
>> Because later, I would like to make ssl/tls smtp, with auth and
>> Dovecot/lmp and if I can't resolve this... I think I can't resolve all
>> mystery will be come...
>
> Can you open a bug report on https://github.com/OpenSMTPD/OpenSMTPD ?
>
> Make sure to mention which version of OpenSMTPD you are using.
>
> There is no mystery, a bug was introduced, then fixed, but since I don't
> know which version you are running, I don't know if you are running with
> this bug or if you found a new one.
>
> --
> Gilles Chehade
> https://www.poolp.org @poolpOrg

-- 
Antoine Michard
Slight correction on Does anyone else have an issue establishing a starttls to this host.
http://marc.info/?l=openbsd-misc&m=142842356024311&w=2

When I looked at the actual traffic it appeared that it gets one step
further and the connection actually stops at OpenSMTPD sending a client
hello via STARTTLS with no further response from the other side.

If someone can say it happens to them too but not to any/many other
hosts then I'd be glad to chalk it down to a bad implementation on their
side?

I haven't found any others like this yet.
Re: Slight correction on Does anyone else have an issue establishing a starttls to this host.
On Wed, 08 Apr 2015 12:16:49 -0700, Kevin Chadwick m8il1i...@gmail.com wrote:
> http://marc.info/?l=openbsd-misc&m=142842356024311&w=2
>
> When I looked at the actual traffic it appeared that it gets one step
> further and the connection actually stops at OpenSMTPD sending a client
> hello via STARTTLS with no further response from the other side.
>
> If someone can say it happens to them too but not to any/many other
> hosts then I'd be glad to chalk it down to a bad implementation on
> their side?
>
> I haven't found any others like this yet.

Do you have a test email address we can try sending something to which
uses that server?

Starttls.info gives it a crappy score BTW

https://starttls.info/check/mx5.demon.co.uk

Does your mail server support STARTTLS? If you care about privacy, it
should. Read more in the blog.

Results for: mx5.demon.co.uk

Mail server        Result
mx5.demon.co.uk    Grade: E (31.6%)

Certificate
  The certificate is not valid for the server's hostname.
  There are validity issues for the certificate. Certificates are seldom
  verified for SMTP servers, so this doesn't mean that STARTTLS won't be
  used. Generally speaking it's a bad practice not to have a valid
  certificate, and an even worse practice not to verify them. Any
  attempted encrypted communication is left all but wide open to
  Man-in-the-Middle attacks.

Protocol
  Supports SSLV2. More info.
  Supports SSLV3.
  Supports TLSV1.

Key exchange
  Anonymous Diffie-Hellman is accepted. This is susceptible to
  Man-in-the-Middle attacks.
  Key size is 2048 bits; that's good.

Cipher
  Weakest accepted cipher: 0.
  Strongest accepted cipher: 256.

Click the score for details.