Re: filter bug?
On 02/01/20 11:08, Reio Remma wrote:
> Hello!
>
> The token|session id in v0.4 of the filter protocol were swapped to the
> more sensible session id|token order in v0.5.
>
> I believe the docs are still being worked on and will apply to the v0.5
> protocol.

Thought I was going crazy. I was reading docs for .5 and testing on a system
running .4 so as usual the fault lies with myself.

Thanks!

Edgar

> For example filter-rspamd was recently updated to work with both versions,
> switching the argument order as needed.
>
> Good luck,
> Reio
>
> On 01.02.2020 4:18, Edgar Pettijohn wrote:
>> Not sure if it's a documentation bug or not, but smtpd-filters.7 states
>> the following:
>>
>> For all phases, excepted "data-line", the responses must follow the same
>> construct, a message type "filter-result", followed by the unique session
>> id, the opaque token, a decision and optional decision-specific
>> parameters:
>>
>> filter-result|7641df9771b4ed00|1ef1c203cc576e5d|proceed
>> filter-result|7641df9771b4ed00|1ef1c203cc576e5d|reject|550 nope
>>
>> For my filter I had to send:
>>
>> filter-result|$token|$sid|proceed
>>
>> It also shows the following for connect:
>>
>> connect: rdns fcrdns src dest
>> This request is emitted after connection, before the banner is displayed.
>>
>> I'm only seeing 9 fields though and expected 11.
>>
>> mail$ uname -a
>> OpenBSD mail.pettijohn-web.com 6.6 GENERIC#4 amd64
>>
>> # Not thoroughly tested, but if you want to use it pretend there is the ISC
>> # license here.
Re: filter bug?
Hello!

The token|session id in v0.4 of the filter protocol were swapped to the more
sensible session id|token order in v0.5.

I believe the docs are still being worked on and will apply to the v0.5
protocol.

For example filter-rspamd was recently updated to work with both versions,
switching the argument order as needed.

Good luck,
Reio

On 01.02.2020 4:18, Edgar Pettijohn wrote:
> Not sure if it's a documentation bug or not, but smtpd-filters.7 states
> the following:
>
> For all phases, excepted "data-line", the responses must follow the same
> construct, a message type "filter-result", followed by the unique session
> id, the opaque token, a decision and optional decision-specific
> parameters:
>
> filter-result|7641df9771b4ed00|1ef1c203cc576e5d|proceed
> filter-result|7641df9771b4ed00|1ef1c203cc576e5d|reject|550 nope
>
> For my filter I had to send:
>
> filter-result|$token|$sid|proceed
>
> It also shows the following for connect:
>
> connect: rdns fcrdns src dest
> This request is emitted after connection, before the banner is displayed.
>
> I'm only seeing 9 fields though and expected 11.
>
> mail$ uname -a
> OpenBSD mail.pettijohn-web.com 6.6 GENERIC#4 amd64
>
> # Not thoroughly tested, but if you want to use it pretend there is the ISC
> # license here.
filter bug?
Not sure if it's a documentation bug or not, but smtpd-filters.7 states the
following:

For all phases, excepted "data-line", the responses must follow the same
construct, a message type "filter-result", followed by the unique session id,
the opaque token, a decision and optional decision-specific parameters:

filter-result|7641df9771b4ed00|1ef1c203cc576e5d|proceed
filter-result|7641df9771b4ed00|1ef1c203cc576e5d|reject|550 nope

For my filter I had to send:

filter-result|$token|$sid|proceed

It also shows the following for connect:

connect: rdns fcrdns src dest
This request is emitted after connection, before the banner is displayed.

I'm only seeing 9 fields though and expected 11.

mail$ uname -a
OpenBSD mail.pettijohn-web.com 6.6 GENERIC#4 amd64

# Not thoroughly tested, but if you want to use it pretend there is the ISC
# license here.

#!/usr/bin/awk -f

# Log through logger's stdin so the shell never parses the message
# (it can carry the client-supplied AUTH username).
function logit(msg) {
	print msg | "logger -p mail.info"
	close("logger -p mail.info")
}

function die(msg) {
	print msg | "logger -p mail.err -s"
	close("logger -p mail.err -s")
	exit 1
}

BEGIN {
	ARGC = 0
	FS = "|"
	OFS = FS
	version = 0.4
	allowed = 3	# failed logins before an address is banned
	logit("filter-authban: starting...")
}

# Handshake: subscribe to the events we need, then signal readiness.
"config|ready" == $0 {
	print "register|report|smtp-in|link-connect"
	print "register|report|smtp-in|link-disconnect"
	print "register|report|smtp-in|link-auth"
	print "register|filter|smtp-in|connect"
	print "register|ready"
	fflush()	# smtpd waits for this; do not leave it in the stdio buffer
	next
}

# Remember the source (addr:port) of every session.
"link-connect" == $5 {
	if (NF < 10)
		die("invalid input for link-connect")
	if ($2 != version)
		die("version mismatch")
	sid = $6
	src = $9
	state[sid] = src
}

# Count failed logins per address; state[] holds both sid -> source
# and addr -> failure count.
"link-auth" == $5 {
	if (NF < 8)
		die("invalid input for link-auth")
	if ($2 != version)
		die("version mismatch")
	sid = $6
	user = $7
	result = $8
	if (state[sid]) {
		split(state[sid], ip, ":")
		addr = ip[1]
		if (result == "fail") {
			logit("auth failure for " user " from " addr)
			state[addr] += 1
		}
		if (state[addr] >= allowed)
			banned[addr] = 1
	}
}

"link-disconnect" == $5 {
	if (NF < 6)
		die("invalid input for link-disconnect")
	if ($2 != version)
		die("version mismatch")
	sid = $6
	delete state[sid]
}

# Answer the connect phase; v0.4 wants token before session id.
"connect" == $5 {
	if ($2 != version)
		die("version mismatch")
	sid = $6
	token = $7
	src = $9
	if (banned[src]) {
		logit("rejecting connection from: " src)
		print "filter-result|" token "|" sid "|reject|550 go away"
	} else {
		print "filter-result|" token "|" sid "|proceed"
	}
	fflush()	# the session is held until smtpd reads the decision
}

END {
	logit("filter-authban: stopping...")
}

Thanks,
Edgar
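The version switch Reio describes for filter-rspamd, sketched as an added awk example (not code from the thread or from filter-rspamd): the reply order is chosen from the version field of each request, and an unknown version stops the filter instead of guessing. Reading the session id from $6 and the token from $7 follows Edgar's script; that v0.5 requests keep those positions is an assumption.

```awk
#!/usr/bin/awk -f
# Added example: a pass-through connect filter that answers in the id order
# the announced protocol version expects.
# Assumption: requests carry the session id in $6 and the token in $7 in
# both v0.4 and v0.5 (taken from the script posted in this thread).

# Build a filter-result line for the given protocol version.
# Returns "" for a version this filter does not know how to answer.
function result(version, sid, token, decision,    ids) {
	if (version == "0.4")
		ids = token "|" sid	# v0.4: token, then session id
	else if (version == "0.5")
		ids = sid "|" token	# v0.5: session id, then token
	else
		return ""
	return "filter-result|" ids "|" decision
}

BEGIN { FS = "|" }

"config|ready" == $0 {
	print "register|filter|smtp-in|connect"
	print "register|ready"
	fflush()
	next
}

"filter" == $1 && "connect" == $5 {
	if (NF < 7) {
		print "short connect line: " $0 > "/dev/stderr"
		exit 1
	}
	line = result($2, $6, $7, "proceed")
	if (line == "") {
		# Fail closed: a swapped id pair would never match a pending request.
		print "unsupported filter protocol: " $2 > "/dev/stderr"
		exit 1
	}
	print line
	fflush()
}
```

To try it offline, feed it a constructed line such as `filter|0.5|1580529600.000000|smtp-in|connect|aaaaaaaaaaaaaaaa|bbbbbbbbbbbbbbbb|mail.example.org|pass|192.0.2.10:33174|192.0.2.1:25` on stdin and change the second field to `0.4` to see the two ids trade places.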