Re: Asking about heartbleed
On Wed, Apr 09, 2014 at 11:01:05PM +, Viktor Dukhovni wrote:

> I'd like to 'hear' Wietse's and Victor's opinion on how could this nasty
> bug affect a TLS service like submission?

In pretty much the same way that it applies to web services.

Note that the leak can also take place from a vulnerable TLS client to a
malicious TLS server. Therefore, even if you're using Postfix TLS only
outbound, you still need to apply the fix.

SMTP TLS clients typically don't use TLS certs (I always recommend:

    # empty
    smtp_tls_cert_file =

but some clients need certs, and in any case various other sensitive data
can leak.

-- 
	Viktor.
Re: Asking about heartbleed
Quoting Viktor Dukhovni postfix-us...@dukhovni.org:

> On Wed, Apr 09, 2014 at 05:54:33PM -0400, Victoriano Giralt wrote:
>
>> I'd like to 'hear' Wietse's and Victor's opinion on how could this
>> nasty bug affect a TLS service like submission?
>
> In pretty much the same way that it applies to web services.
>
> * SSL/TLS private keys may be compromised.
> * GSSAPI SASL Kerberos keys may be compromised.
> * User passwords may be compromised.
> * SSL session keys may be compromised.
> * Recently received email messages whose (partial?) content is still
>   in memory may be compromised.
> * ...
>
> It is interesting to note that Postfix always wipes memory as it is
> released (de-allocated) back to the heap. So, one might think that
> Postfix is safe, but the plaintext buffers that Postfix reads from
> OpenSSL are allocated and deallocated by OpenSSL, not Postfix. OpenSSL
> by default uses the C library malloc/free functions without generally
> wiping memory passed to free(). So anything read from a remote client
> may be available via this attack to a different client.

But this only applies to clients connecting to the same smtpd process, no?
So an attacker is not able to get sensitive data from *any* client also
connected, but only from clients which have connected to the same smtpd
instance in the past, or global data like the private key?

I still wonder why OpenSSL does not use the memory wipe before free; is it
a performance killer or a feature?

Regards

Andreas
Re: Asking about heartbleed
On 10 Apr 2014, at 08:14, lst_ho...@kwsoft.de wrote:

> I still wonder why OpenSSL does not use the memory wipe before free, is
> it a performance killer or a feature?

I imagine the OpenSSL developers didn't think this was necessary when they
first started on the code 10-15 years ago and that institutional memory
(excuse the pun) took hold for future releases. It may well be a different
story now.
DKIM, DMARC, Original-Authentication-Results
Hi Folks,

I'm sure at least some of you have been bitten by the debacle associated
with Yahoo turning on strict DMARC enforcement (particularly any of you
who, like me, manage a list server).

Which leads to a question: Any suggestions for how to validate a DKIM
signature, and apply an Original-Authentication-Results header, at the MTA
level (specifically Postfix)? (And/or, any operational experience that
this is a viable way to address the problem.)

Thanks very much,

Miles Fidelman

-- 
In theory, there is no difference between theory and practice.
In practice, there is.   .... Yogi Berra
Re: DKIM, DMARC, Original-Authentication-Results
On 10.04.2014 12:03, Miles Fidelman wrote:

> Hi Folks,
>
> I'm sure at least some of you have been bitten by the debacle associated
> with Yahoo turning on strict DMARC enforcement (particularly any of you
> who, like me, manage a list server).

Yes, with the list server Mailman; had to upgrade to version 2.1.16 and
change configs. Perhaps see

https://sys4.de/de/blog/2013/08/11/dkim-konforme-mailinglisten/
https://sys4.de/de/blog/2013/08/11/mailman-dmarc-konform-betreiben/

Sorry, German (but images are English).

> Which leads to a question: Any suggestions for how to validate a DKIM
> signature, and apply an Original-Authentication-Results header, at the
> MTA level (specifically Postfix)? (And/or, any operational experience
> that this is a viable way to address the problem.)
>
> Thanks very much,
>
> Miles Fidelman

It's a general mail forwarding problem; SPF etc. breaks classical
forwarding as well as strict DMARC at servers which honor this. I don't
think you should/could fix this with plain Postfix only. One option maybe:
send the original mail as an attachment... or use alternate-style
forwarding via IMAP; pop3toimap from
http://code.google.com/p/imaputils/downloads/list does this.

Best Regards
Kind regards
Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München; Munich District Court: HRB 199263
Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
Re: DKIM, DMARC, Original-Authentication-Results
On 10.04.2014 12:47, Robert Schetterer wrote:

> It's a general mail forwarding problem; SPF etc. breaks classical
> forwarding as well as strict DMARC at servers which honor this. I don't
> think you should/could fix this with plain Postfix only. One option
> maybe: send the original mail as an attachment... or use alternate-style
> forwarding via IMAP; pop3toimap from
> http://code.google.com/p/imaputils/downloads/list does this.

Forgot to add: some mail providers use a forward service to solve the
problem; then the sender is like forwar...@mailforward.com, but there are
problems with this too, like different antispam settings, so I sometimes
get bounces from the forwarder *g*

Best Regards
Kind regards
Robert Schetterer
Re: Asking about heartbleed
The Heartbleed bug allows a remote attacker to read chunks of memory from a
vulnerable TLS CLIENT PROCESS (e.g., smtp(8)) or TLS SERVER PROCESS (e.g.,
smtpd(8)).

OpenSSL versions prior to 1.0.1 don't have the heartbeat feature and have
never been affected by this bug.

You can use forward secrecy to mitigate the impact of TLS server private
key compromise.

http://www.postfix.org/FORWARD_SECRECY_README.html

	Wietse
Outgoing spam problem
Hello,

We run a free accounts mail server (like gmail) and we struggle with the
outgoing spam problem. Spammers abuse our service by creating accounts and
then sending out spam. It is very easy and free to create an account and
we want it to stay that way, so blocking or removing spammers' accounts is
not a solution - they can easily create many new accounts. They use tens
of different IP addresses and send from different locations and countries,
so per-IP limits really don't work. Many of their IPs aren't listed on any
RBL at all. I feel it would be hard to filter them by message contents -
they avoid patterns by changing headers (even an encoding), message texts
or links if they add any.

How can we fight this? How do other free mail service providers block this?

Best regards

-- 
Marcin Szymonik
szymoni...@gmail.com
Re: Invoking procmail with suid root
On Thu, Apr 10, 2014 at 12:14 AM, James Cloos cl...@jhcloos.com wrote:

> AD == Arthur Dent arthurdent.lon...@gmail.com writes:
>
> AD> I don't want postfix to do anything other than deliver to procmail.
>
> Postfix works fine here for that.
>
> I use, in main.cf:
>
>     mailbox_command = /usr/bin/procmail -pt
>
> and, in .fetchmailrc:
>
>     defaults mda /usr/sbin/sendmail -i -f %F -- %T

OK. Thanks to all. A final mail from me before I check out.

The mistake I was making was that I didn't realise that fetchmail needed
an mda command for each entry (I assumed that simply having

    mda formail -s procmail

in my .fetchmailrc file somewhere would be enough). Having worked that
out, fetchmail delivers to procmail which delivers to dovecot. Happy!

I still have the problem that it has to be run as root but, as I no longer
even have postfix on my machine, this is clearly not a postfix issue and
therefore OT here.

So long and thanks for all the fish!

Mark
Re: Outgoing spam problem
On 10/04/2014 14:58, Marcin Szymonik wrote:

> We run a free accounts mail server (like gmail) and we struggle with the
> outgoing spam problem. Spammers abuse our service by creating accounts
> and then sending out spam.
>
> How can we fight this? How do other free mail service providers block
> this?

I imagine most freemail providers keep a close eye on their abuse
mailboxes, limit the amount of mail that can be sent from any account in a
period of time (and the number of recipients in a single message), and
more than likely run some sort of Bayesian (any sort of learning algo
would do) outgoing filter, as well as their incoming ones.

I'd personally stop allowing people to relay through you (unless they have
proven themselves through some arbitrary period of not sending spam), and
by default allow only sending from inside your webmail application.

That's only a place to start, imho.

Nick
Re: Outgoing spam problem
As accounts are free and you can easily create tens of them, per-account
limits don't solve the problem.

Most free mail service providers allow their users to send through SMTP
and we would prefer to do that as well.

Content-based filtering may be the way to go indeed - thank you for
pointing it out.

Many thanks

-- 
Marcin Szymonik
szymoni...@gmail.com

> I imagine most freemail providers keep a close eye on their abuse
> mailboxes, limit the amount of mail that can be sent from any account in
> a period of time (and the number of recipients in a single message), and
> more than likely run some sort of Bayesian (any sort of learning algo
> would do) outgoing filter, as well as their incoming ones.
>
> I'd personally stop allowing people to relay through you (unless they
> have proven themselves through some arbitrary period of not sending
> spam), and by default allow only sending from inside your webmail
> application.
>
> That's only a place to start, imho.
>
> Nick
Re: DKIM, DMARC, Original-Authentication-Results
On Thu, Apr 10, 2014 at 06:03:51AM -0400, Miles Fidelman wrote:

> I'm sure at least some of you have been bitten by the debacle associated
> with Yahoo turning on strict DMARC enforcement (particularly any of you
> who, like me, manage a list server).

One option is to do what the Postfix-users list does:

    * Does not attach any footers or otherwise modify the message body.
    * Does not modify (tag) the message subject.

Rather, the Postfix list only:

    * Sets a new envelope sender
    * Adds a Sender: header
    * Adds List-mumble: headers

None of these should break DKIM signatures, and so my guess is that the
Postfix-users list continues to work for yahoo.com posters.

Some people are fond of subject tags and footers, but we seem to get along
just fine without them.

-- 
	Viktor.
Re: Aliases cause policyd to miscount the number of message a user@domain sends
> On Apr 9, 2014, at 9:17 PM, Viktor Dukhovni postfix-us...@dukhovni.org wrote:
>
>> On Thu, Apr 10, 2014 at 02:38:32AM +, Rob Tanner wrote:
>>
>>> The policyd daemon is a perfect tool for setting quotas (i.e., number
>>> of messages per hour, day, etc). The problem is that we depend heavily
>>> on Postfix's extraordinary ability to do LDAP-based aliasing of
>>> groups, and when it does, each resulting message gets counted against
>>> the sender. Is there some nice trick I can do so that the
>>> check_policy_service runs only once, before the lists are exploded?
>>
>> You can run the relevant policy check from smtpd_data_restrictions
>> instead of smtpd_recipient_restrictions. The alias expansion clearly
>> takes place upstream since policyd processing in smtpd(8) precedes
>> virtual alias expansion in cleanup(8).
>
> Changed the main.cf, removing the check_policy_service parameter from
> smtpd_recipient_restrictions and moved it to smtpd_data_restrictions as
> follows:
>
>     smtpd_data_restrictions = check_policy_service inet:127.0.0.1:10031
>     smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10031
>
> The result was that policyd never saw any messages. There were no
> cbpolicyd log entries in the maillog. I put the check_policy_service
> parameter back under smtpd_recipient_restrictions and policyd
> immediately began tracking the quotas again. Something else must be
> required. I'm open to any and all suggestions.
>
> ~ Rob
>
>     smtpd_recipient_restrictions =
>         hash:/etc/postfix/protected_destinations,proxy:ldap:limittag
>         check_client_access hash:/etc/postfix/client_checks
>         check_policy_service inet:127.0.0.1:10031
>         permit_mynetworks
>         reject_unauth_destination
>         reject_invalid_hostname
>         reject_non_fqdn_recipient
>         reject_unknown_sender_domain
>         reject_unknown_recipient_domain
>         reject
>
>     smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10031

This is both too early and too late. Apply the relevant check in
smtpd_data_restrictions; however, you won't see each recipient in turn.

It may also be possible to detect multiple recipients for the same
envelope in a policy request and consolidate the counts.

-- 
	Viktor.
Re: Outgoing spam problem
On 10 Apr 2014, at 07:58 , Marcin Szymonik szymoni...@gmail.com wrote:

> Hello,
>
> We run a free accounts mail server (like gmail) and we struggle with the
> outgoing spam problem. Spammers abuse our service by creating accounts
> and then sending out spam. It is very easy and free to create an account
> and we want it to stay that way, so blocking or removing spammers'
> accounts is not a solution - they can easily create many new accounts.
> They use tens of different IP addresses and send from different
> locations and countries, so per-IP limits really don't work. Many of
> their IPs aren't listed on any RBL at all. I feel it would be hard to
> filter them by message contents - they avoid patterns by changing
> headers (even an encoding), message texts or links if they add any.
>
> How can we fight this?

Require a valid email address to send a confirmation for account sign up.
Restrict new accounts to sending email only to one destination address.
Restrict new accounts to a few dozen emails a day and restrict ALL
accounts to something like 100 a day maximum unless they request an
increase and seem legit (this requires human intervention).

The alternative is to have your system blacklisted as a spam source. Keep
in mind that many mail admins will have their own blacklists, so even if
you don't get on RBLs or get cleaned up and off RBLs, you may never get
off a particular mail-server's blacklist.

> How do other free mail service providers block this?

Some implement Captchas, but as a user I find these horribly annoying and
it often takes me 4 or 5 attempts to 'solve' them. I also don't think they
are at all effective as the botnets and spammers have networks of people
solving them for them.

-- 
If you could do a sort of relief map of sinfulness, wickedness and
all-round immorality, rather like those representations of the
gravitational field around a Black Hole, then even in Ankh-Morpork the
Shades would be represented by a shaft. In fact the Shades was remarkably
like the aforesaid well-known astrological phenomenon: it had a certain
strong attraction, no light escaped from it, and it could indeed become a
gateway to another world. The next one.
Re: DKIM, DMARC, Original-Authentication-Results
On 10 Apr 2014, at 09:08 , Viktor Dukhovni postfix-us...@dukhovni.org wrote:

> On Thu, Apr 10, 2014 at 06:03:51AM -0400, Miles Fidelman wrote:
>
>> I'm sure at least some of you have been bitten by the debacle
>> associated with Yahoo turning on strict DMARC enforcement
>> (particularly any of you who, like me, manage a list server).
>
> One option is to do what the Postfix-users list does:
>
>     * Does not attach any footers or otherwise modify the message body.
>     * Does not modify (tag) the message subject.

Which, IM(ns)HO, is what every list should not do. I actually have
procmail recipes to untag subject lines and remove footers on some lists.

That said, I thought DKIM ignored everything after the signature
delimiter, so if the lists attach the footer *properly* it shouldn't be an
issue.

-- 
Today the road all runners come/Shoulder high we bring you home. And set
you at your threshold down/Townsman of a stiller town.
Re: DKIM, DMARC, Original-Authentication-Results
On 11.04.2014 00:53, LuKreme wrote:

> On 10 Apr 2014, at 09:08 , Viktor Dukhovni postfix-us...@dukhovni.org wrote:
>
>> One option is to do what the Postfix-users list does:
>>
>>     * Does not attach any footers or otherwise modify the message body.
>>     * Does not modify (tag) the message subject.
>
> Which, IM(ns)HO, is what every list should not do. I actually have
> procmail recipes to untag subject lines and remove footers on some
> lists.
>
> That said, I thought DKIM ignored everything after the signature
> delimiter, so if the lists attach the footer *properly* it shouldn't be
> an issue

The subject also doesn't matter in case of signed messages; it is a HEADER,
and headers are added at every hop.

List footers seem to be worthless, otherwise you would not have "unsubscribe
me" mails every day on several lists.
Re: DKIM, DMARC, Original-Authentication-Results
On Fri, Apr 11, 2014 at 12:57:54AM +0200, li...@rhsoft.net wrote:

>> That said, I thought DKIM ignored everything after the signature
>> delimiter, so if the lists attach the footer *properly* it shouldn't
>> be an issue

No, the DKIM spec makes no allowance for signature delimiters. If the body
is modified beyond adding/removing whitespace (with relaxed
canonicalization) the DKIM check fails.

> The subject also doesn't matter in case of signed messages; it is a
> HEADER, and headers are added at every hop.

DKIM also signs message headers.

-- 
	Viktor.
Local network MX for newsletters and high volume mailing questions
Believe me, this is everything but spam-related. It's mostly .org and
.edu/.gov kind of mailings (non-profit), but quite a lot of them at one
time.

I've seen postfix moments like this quite a lot recently:

    Incoming: 6991
    Active: 2
    Deferred: 7897
    Bounced: 2319
    Hold: 0
    Corrupt: 0

I had to employ special output limits for delivery to the hotmail/live
mail addresses, since we suffered bounces due to hotmail/live servers not
tolerating the rate at which my postfix was sending them mail.

    smtp_destination_concurrency_limit = 4
    smtp_destination_rate_delay = 1s
    smtp_extra_recipient_limit = 10

seemed to solve that problem. Microsoft's servers stopped bouncing mail
and accepted the rate at which it got mail from our server.

But this created a new problem: other normal local users' mail got delayed
by ~30 minutes whenever postfix had to deal with sending out such
newsletters. This is not something they're happy with.

We decided to create a special MX for just the bulk mailings within our
IP block, the datacentre network we maintain. Here's where my questions
arise. The setup is as follows:

- We have many servers within the same range, 10.20.30.x (I'll use IPv4
  only for ease now); some of them have websites and/or are shared hosting
  servers that are using a SaaS home-made mailing GUI for their
  newsletters and similar high-volume recipient list mails.
- Our primary MX that needs to send out the bulk for them all is
  10.20.30.7.
- Is there a way to NOT have to tell postfix to allow the sending domain
  names, but just the server IP addresses that hold those who'd like to
  send out those mails via 10.20.30.7? I would basically like them to use
  any (valid domain's) From field they want, and postfix would have to
  allow it because the source is one of our own servers.

Below is my config; it does not want to relay mail from those local
servers and I'm not sure why. Do I really have to note down all From-field
domains as allowed, or what is the best way to accomplish this?

I have commented out a lot in this config, because I'm working on getting
it as perfect as possible for our purpose. Thanks in advance for any and
all feedback on this config; feel free to add improvements:

    [root@somemailer~]# cat /etc/postfix/main.cf
    smtpd_banner = $myhostname ESMTP $mail_name
    #relay_domains = $mydestination, somemailer.net
    #relay_recipient_maps =
    #relayhost =
    #transport_maps = hash:/etc/postfix/transport
    debug_peer_level = 2
    debugger_command =
        PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
        ddd $daemon_directory/$process_name $process_id & sleep 5
    alias_maps = hash:/etc/aliases
    sendmail_path = /usr/sbin/sendmail.postfix
    #newaliases_path = /usr/bin/newaliases.postfix
    mailq_path = /usr/bin/mailq.postfix
    setgid_group = postdrop
    html_directory = no
    manpage_directory = /usr/share/man
    readme_directory = /usr/share/doc/postfix-2.8.14/README_FILES
    inet_protocols = ipv4
    # :-/ inet_protocols = all
    inet_interfaces = 10.20.30.7, 127.0.0.1
    smtp_bind_address =
    mynetworks = 127.0.0.0/8 [::1]/128 192.168.2.0/24, 10.20.30.0/24
    smtpd_authorized_xforward_hosts = 127.0.0.0/8 [::1]/128 192.168.2.0/24 10.20.30.0/24
    smtp_send_xforward_command = yes
    mydomain = somemailer.net
    myhostname = bulk.somemailer.net
    myorigin = $myhostname
    mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, mailer.$mydomain
    recipient_delimiter = +
    # tempfailed adapted to 3 minutes:
    queue_run_delay = 180s
    minimal_backoff_time = 180s
    maximal_backoff_time = 3601s
    disable_vrfy_command = yes
    biff = no
    default_process_limit = 1000
    trigger_timeout = 1 # ?
    in_flow_delay = 1s
    smtpd_delay_reject = yes
    smtpd_sender_restrictions =
        permit_mynetworks,
        reject_non_fqdn_sender,
        reject_unknown_sender_domain,
        check_sender_access hash:/etc/postfix/sender_access,
        permit
    smtpd_data_restrictions =
        reject_multi_recipient_bounce,
        reject_unauth_pipelining,
        permit
    smtpd_client_restrictions = permit_mynetworks
    smtpd_relay_restrictions =
        permit_mynetworks,
        reject_unauth_destination,
        permit_sasl_authenticated
    smtpd_recipient_restrictions =
        reject_unauth_destination,
        reject_invalid_hostname,
        reject_non_fqdn_recipient,
        reject_unknown_recipient_domain,
        check_client_access hash:/etc/postfix/whitelist,
        reject_unauth_pipelining,
        reject_non_fqdn_sender,
        reject_unknown_sender_domain,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client hosts.rbl.zonnet.net,
        reject_rbl_client virbl.dnsbl.bit.nl,
        reject_rbl_client bl.shlink.de,
        reject_rbl_client bl.blocklist.de,
        reject_rbl_client spamguard.leadmon.net,
        reject_rbl_client mail-abuse.blacklist.jippg.org,
        permit
    default_destination_concurrency_limit = 0
    smtp_connect_timeout = 30
    smtp_destination_rate_delay = 1s
    smtp_extra_recipient_limit = 10
    smtpd_timeout = 3600s
    smtpd_proxy_timeout = 3600s
    smtpd_error_sleep_time = 2s
    smtpd_soft_error_limit = 8
    smtpd_hard_error_limit = 18
    smtpd_recipient_limit = 120
    smtpd_reject_unlisted_recipient = yes
    smtpd_reject_unlisted_sender = yes
    smtpd_reject_footer = For assistance, contact us at
Re: Outgoing spam problem
A few things you can do:

1. Many spammers can switch their IP address, but you should blacklist any
   IP that signs up for an account and spams; it will slow them down at
   least.

2. The 100 cap per day is a good idea, but I'd lower it to 5 messages a
   day, increasing the cap by a couple of messages per week. They will
   then likely have to build up time before they will waste the account,
   but this gives you time to build a login history of IPs. Block anyone
   whose IP changes often, or at least watch those accounts.

3. Block certain countries that cause the most spam, China and Russia to
   start.

4. Content filtering helps, but keep in mind most spammers are already
   tricking most common filters since they want to also trick major ISPs
   like Yahoo to accept their mail. Instead of, or in addition to, a
   standard filter, start looking for common patterns in their links and
   images, as well as headers and HTML signature.

5. Force a backup email address or phone number as part of sign up. You
   may want it to be easy to sign up, but since you can't really stop a
   dedicated spam team, your goal is to make using your system annoying
   enough to make them move on to someone else.

Just some ideas to get you thinking; expect this problem to be ongoing.
Providers like Yahoo spend millions of dollars fighting this problem;
there's no quick fix.

Sent from my iPhone

On Apr 10, 2014, at 6:49 PM, LuKreme krem...@kreme.com wrote:

> On 10 Apr 2014, at 07:58 , Marcin Szymonik szymoni...@gmail.com wrote:
>
>> How can we fight this?
>
> Require a valid email address to send a confirmation for account sign
> up. Restrict new accounts to sending email only to one destination
> address. Restrict new accounts to a few dozen emails a day and restrict
> ALL accounts to something like 100 a day maximum unless they request an
> increase and seem legit (this requires human intervention).
Re: DKIM, DMARC, Original-Authentication-Results
On 10 Apr 2014, at 17:01 , Viktor Dukhovni postfix-us...@dukhovni.org wrote:

> On Fri, Apr 11, 2014 at 12:57:54AM +0200, li...@rhsoft.net wrote:
>
>>> That said, I thought DKIM ignored everything after the signature
>>> delimiter, so if the lists attach the footer *properly* it shouldn't
>>> be an issue
>
> No, the DKIM spec makes no allowance for signature delimiters. If the
> body is modified beyond adding/removing whitespace (with relaxed
> canonicalization) the DKIM check fails.

That seems like a bug in the implementation of DKIM.

>> The subject also doesn't matter in case of signed messages; it is a
>> HEADER, and headers are added at every hop.
>
> DKIM also signs message headers.

Certain headers, not all of them.

-- 
Last night - you were unhinged. You were like some desperate, howling
demon. You frightened me. - Do it again!
Re: DKIM, DMARC, Original-Authentication-Results
On April 10, 2014 7:24:54 PM EDT, LuKreme krem...@kreme.com wrote:

> On 10 Apr 2014, at 17:01 , Viktor Dukhovni postfix-us...@dukhovni.org wrote:
>
>> On Fri, Apr 11, 2014 at 12:57:54AM +0200, li...@rhsoft.net wrote:
>>
>>>> That said, I thought DKIM ignored everything after the signature
>>>> delimiter, so if the lists attach the footer *properly* it
>>>> shouldn't be an issue
>>
>> No, the DKIM spec makes no allowance for signature delimiters. If the
>> body is modified beyond adding/removing whitespace (with relaxed
>> canonicalization) the DKIM check fails.
>
> That seems like a bug in the implementation of DKIM.

It was a deliberate design choice. The signature wouldn't mean much if
adding arbitrary text to the message didn't invalidate the signature. It
would open the protocol up to replay attacks.

There is a virtually unused L tag to embed the length of signed content
into the signature, but its use is strongly disrecommended.

>>> The subject also doesn't matter in case of signed messages; it is a
>>> HEADER, and headers are added at every hop.
>>
>> DKIM also signs message headers.
>
> Certain headers, not all of them.

Yes, but subject is generally signed (I don't recall seeing a case where
it wasn't).

Scott K
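The two points argued above (a list footer breaks the body hash while whitespace changes do not, and the l= tag lets appended text pass) can be checked directly with RFC 6376 relaxed canonicalization. This is an added example, not code from Postfix, any DKIM implementation or the list posters; the message body, footer and subject values are constructed.

```python
"""DKIM relaxed canonicalization experiment (RFC 6376, relaxed/relaxed).
Added example: not Postfix, OpenDKIM or list-poster code. The body, footer
and Subject values below are constructed for the demonstration."""
import base64
import hashlib
import re
from typing import Dict, Optional


def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 3.4.4: collapse WSP runs to one SP, strip trailing WSP, drop
    empty trailing lines, and end a non-empty body with exactly one CRLF."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    canon = b"\r\n".join(lines).rstrip(b"\r\n")
    return canon + b"\r\n" if canon else b""


def body_hash(canon: bytes, length: Optional[int] = None) -> str:
    """The bh= value: base64(SHA-256) of the canonical body, or of only its
    first `length` bytes when the signer used the l= tag."""
    data = canon if length is None else canon[:length]
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def relaxed_header(name: str, value: str) -> str:
    """RFC 6376 3.4.2: lowercase the field name, unfold, collapse WSP runs,
    and strip WSP around the value."""
    collapsed = re.sub(r"[ \t]+", " ", value.replace("\r\n", "")).strip()
    return f"{name.lower()}:{collapsed}\r\n"


# Constructed list post as the author's MTA signed it, and a constructed footer.
ORIGINAL_BODY = b"Hello list,\r\n\r\nPlease review the  patch.  \r\n\r\n-- \r\nMiles\r\n"
LIST_FOOTER = (b"\r\n_______________________________________________\r\n"
               b"Example-list mailing list (constructed footer)\r\n")


def check_modifications() -> Dict[str, bool]:
    """Compare the signer's bh= against the body as a list server might relay it."""
    canon = relaxed_body(ORIGINAL_BODY)
    bh_signed = body_hash(canon)                       # bh= written by the signer
    with_footer = relaxed_body(ORIGINAL_BODY + LIST_FOOTER)
    return {
        # Whitespace-only damage survives relaxed canonicalization.
        "extra_whitespace_ok":
            body_hash(relaxed_body(ORIGINAL_BODY.replace(b"  ", b" \t "))) == bh_signed,
        "trailing_blank_lines_ok":
            body_hash(relaxed_body(ORIGINAL_BODY + b"\r\n\r\n")) == bh_signed,
        # Any real body change, such as an appended footer, changes bh=.
        "footer_breaks_bh": body_hash(with_footer) != bh_signed,
        # With l=<len(canon)> the verifier hashes only the signed prefix, so the
        # footer, or any other appended text, passes: why l= is discouraged.
        "l_tag_ignores_footer": body_hash(with_footer, len(canon)) == bh_signed,
        # Subject: is normally among the signed headers; a list tag alters it,
        # while re-folding or extra spaces do not.
        "subject_tag_breaks_header":
            relaxed_header("Subject", "[list] Re: DKIM") != relaxed_header("Subject", "Re: DKIM"),
        "subject_refold_ok":
            relaxed_header("Subject", "Re:\r\n  DKIM,  DMARC")
            == relaxed_header("Subject", "Re: DKIM, DMARC"),
    }


if __name__ == "__main__":
    for name, ok in check_modifications().items():
        print(f"{name:28s} {ok}")
```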
Re: Asking about heartbleed
Wietse Venema wrote:

> OpenSSL versions prior to 1.0.1 don't have the heartbeat feature and
> have never been affected by this bug.

    ii  openssl  0.9.8o-4squeeze14  Secure Socket Layer (SSL) binary and related cryptographic tools

Never change a running system :D
Re: Outgoing spam problem
Limit the number of destinations (recipients) allowed in an e-mail.

Limit the number of e-mails per minute or half minute or whatever
frequency you observe as their pattern.

Put in a SPAM filter on outgoing mail and drop SPAM.

Block repeated violations from one IP. Just lock them out for a couple of
hours. That may stop them from trying to use your services.

On 10/04/2014 7:14 PM, AFCommerce wrote:

> A few things you can do:
>
> 1. Many spammers can switch their IP address, but you should blacklist
>    any IP that signs up for an account and spams; it will slow them down
>    at least.
>
> 2. The 100 cap per day is a good idea, but I'd lower it to 5 messages a
>    day, increasing the cap by a couple of messages per week.
>
> Just some ideas to get you thinking; expect this problem to be ongoing.
> Providers like Yahoo spend millions of dollars fighting this problem;
> there's no quick fix.

-- 
Ron Wheeler
President
Artifact Software Inc
email: rwhee...@artifact-software.com
skype: ronaldmwheeler
phone: 866-970-2435, ext 102
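Both the policyd alias-expansion thread (count a message once rather than once per RCPT TO, using the DATA-stage recipient_count) and the per-account send limits suggested throughout the outgoing-spam thread come down to the same Postfix policy-delegation logic. The following is an added example, not code from cbpolicyd or Postfix; the caps, the sasl_username/sender keying and the request strings are constructed, and the attribute names are those of the Postfix SMTPD_POLICY_README protocol.

```python
"""Postfix policy-delegation quota logic. Added example for the policyd
alias-expansion thread and the outgoing-spam thread; it is not cbpolicyd or
Postfix code. Caps and request strings below are constructed."""
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, Set


def parse_request(raw: str) -> Dict[str, str]:
    """One policy request: `name=value` lines terminated by an empty line."""
    attrs: Dict[str, str] = {}
    for line in raw.split("\n"):
        if line == "":
            break                       # the empty line ends the request
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def format_response(action: str) -> str:
    """Postfix expects `action=<verb and text>` followed by an empty line."""
    return f"action={action}\n\n"


class SenderQuota:
    """Sliding-window message quota per authenticated sender, counted once per
    message no matter how many times smtpd consults the policy service."""

    def __init__(self, daily_cap: int, recipient_cap: int, window: int = 86400,
                 clock: Callable[[], float] = time.time):
        self.daily_cap = daily_cap
        self.recipient_cap = recipient_cap
        self.window = window
        self.clock = clock
        self.sent: Dict[str, Deque[float]] = defaultdict(deque)  # sender -> send times
        self.seen: Set[str] = set()                               # counted instances

    def decide(self, attrs: Dict[str, str]) -> str:
        # Prefer the SASL login; fall back to the envelope sender (constructed policy).
        key = attrs.get("sasl_username") or attrs.get("sender", "")
        # recipient_count is non-zero only in the DATA and END-OF-MESSAGE states
        # and holds the number of recipients Postfix accepted for this message.
        rcpt_count = int(attrs.get("recipient_count") or 0)
        if rcpt_count > self.recipient_cap:
            return f"REJECT 5.5.3 Too many recipients ({rcpt_count} > {self.recipient_cap})"
        if attrs.get("protocol_state") not in ("DATA", "END-OF-MESSAGE"):
            return "DUNNO"   # RCPT-stage calls arrive once per recipient: do not count
        # `instance` is shared by every request for one message, so a DATA call
        # followed by an END-OF-MESSAGE call still counts as one message.
        instance = attrs.get("instance", "")
        if instance in self.seen:
            return "DUNNO"
        now = self.clock()
        times = self.sent[key]
        while times and now - times[0] >= self.window:
            times.popleft()             # expire sends that left the window
        if len(times) >= self.daily_cap:
            return f"DEFER_IF_PERMIT 4.7.1 Quota of {self.daily_cap} messages per day exceeded"
        times.append(now)
        self.seen.add(instance)
        return "DUNNO"

    def handle(self, raw: str) -> str:
        """Full request text in, full response text out."""
        return format_response(self.decide(parse_request(raw)))


def make_request(state: str, instance: str, user: str, rcpt_count: int = 0) -> str:
    """Constructed request resembling what smtpd(8) sends a policy service."""
    return (f"request=smtpd_access_policy\nprotocol_state={state}\n"
            f"sasl_username={user}\nsender={user}@example.org\n"
            f"recipient=list@example.net\nrecipient_count={rcpt_count}\n"
            f"instance={instance}\n\n")


def simulate() -> Dict[str, str]:
    """Replay one sender's day against a cap of 2 messages and 100 recipients,
    with the service listed in both recipient and data restrictions."""
    clock = [1_000_000.0]
    quota = SenderQuota(daily_cap=2, recipient_cap=100, clock=lambda: clock[0])
    out: Dict[str, str] = {}
    for n in (1, 2, 3):                 # three RCPT TO commands, same message
        out[f"rcpt{n}"] = quota.decide(parse_request(make_request("RCPT", "msg-1", "alice")))
    out["data"] = quota.decide(parse_request(make_request("DATA", "msg-1", "alice", 3)))
    out["eom"] = quota.decide(parse_request(make_request("END-OF-MESSAGE", "msg-1", "alice", 3)))
    out["msg2"] = quota.decide(parse_request(make_request("DATA", "msg-2", "alice", 1)))
    out["msg3"] = quota.decide(parse_request(make_request("DATA", "msg-3", "alice", 1)))
    clock[0] += 86400                   # a day later the window has rolled over
    out["next_day"] = quota.handle(make_request("DATA", "msg-4", "alice", 1))
    out["bulk"] = quota.decide(parse_request(make_request("DATA", "msg-5", "bob", 150)))
    out["alice_counted"] = str(len(quota.sent["alice"]))
    return out


if __name__ == "__main__":
    for step, action in simulate().items():
        print(f"{step:14s} {action!r}")
```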