Re: [qmailtoaster] Re: SMTP attack
Nice, that's great! :)

Just a little question: I don't get this HOST (I've also read the wiki but it's not clear) can you do an example, please?

Thanks,
Cheers!

On 05/03/2011 23:26, Sergio M wrote:
> Eric Shubert wrote:
>> Timing is good on this. :)
>> http://wiki.qmailtoaster.com/index.php?title=Fail2Ban&action=edit
>> Have at it. I've added a link to this page under the Configuration- Security section. It's a start (albeit not much of one).
>
> Hey guys, I created a basic article, but have trouble with formatting. Can anyone take a look at it?
> this is how I meant it to look ;-)
>
> == '''Basic fail2ban installation and setup''' ==
> fail2ban homepage: http://www.fail2ban.org. Please check [0] and [1] for more details.
>
> == 1. Installation. ==
> Enable the EPEL repos [1] and then 'yum install fail2ban'
>
> == 2. Setup: ==
> To work with Qmail/vpopmail, a filter and jail should be defined.
>
> '''a.''' # mcedit /etc/fail2ban/filter.d/vpopmail-fail.conf
>  [Definition]
>  #Looks for failed password logins to SMTP
>  failregex = vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>
>  ignoreregex =
>
> '''b.''' # mcedit /etc/fail2ban/jail.conf (add this)
>  [vpopmail-fail]
>  enabled = true
>  filter = vpopmail-fail
>  action = iptables[name=SMTP, port=smtp, protocol=tcp]
>  logpath = /var/log/maillog
>  maxretry = 1
>  bantime = 604800
>  findtime = 3600
>
> '''c. Test the filter file:'''
>  # fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/vpopmail-fail.conf
> Returns something like this, with n matches for the regex or 0 if no matches:
>  Failregex
>  |- Regular expressions:
>  |  [1] vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>
>  |
>  `- Number of matches:
>     [1] 123 match(es)
>
> '''d. Reload config:'''
>  # fail2ban-client stop/start
>
> '''e. Check the status of a jail:'''
>  # fail2ban-client status vpopmail-fail
>  Status for the jail: vpopmail-fail
>  |- filter
>  |  |- File list: /var/log/maillog
>  |  |- Currently failed: 7
>  |  `- Total failed: 225
>  `- action
>     |- Currently banned: 109
>     |  `- IP list: 200.207.49.13 84.79.73.123 187.35.209.243 (...) 187.6.106.201 187.63.80.134 187.52.195.234 187.4.200.17
>     `- Total banned: 109
>
> '''NOTE:''' Once it starts running and the logs have matching strings, it will create iptables rules dropping that IP. But... when fail2ban reload and/or iptables restart and/or rebooting and/or the weekly logrotate, those rules are gone. bye bye! So... what to do?
> - Before changes, do a '# service iptables save' and it will write them to a file, and after any change do '# service iptables restart' to make it load the saved set of rules;
> - Tune fail2ban to write IPs to /etc/fail2ban/ip.deny [3].
>
> == 3. A little basic admin stuff ==
> '''a. Check banned IPs:'''
> - by fail2ban: # fail2ban-client status vpopmail-fail
> - current iptables rules: # iptables -L -nv
> - To see IPs that fail2ban is saving for the next reload: # cat /etc/fail2ban/ip.deny
>
> '''b. How to unblock an IP:'''
> 1) Delete it from the current iptables rules: # iptables -D fail2ban-SMTP -s 11.22.33.44 -j DROP
> 2) remove it from /etc/fail2ban/ip.deny (maybe listed several times).
> 3) remove it from /etc/sysconfig/iptables (maybe listed several times).
>
> == 4. References: ==
> [0] http://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg30514.html
> [1] http://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg30551.html
> [2] http://fedoraproject.org/wiki/EPEL/FAQ#howtouse
> [3] http://n8wood.wordpress.com/2009/06/22/fail2ban-permanent-ssh-bans/

- Qmailtoaster is sponsored by Vickers Consulting Group (www.vickersconsulting.com) Vickers Consulting Group offers Qmailtoaster support and installations. If you need professional help with your setup, contact them today!
- Please visit qmailtoaster.com for the latest news, updates, and packages.
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
Re: [qmailtoaster] Re: SMTP attack
HOST is an alias for a regular expression to find the ip address. Which is defined in the code.

Succes,
Peter.

> Nice, that's great! :)
>
> Just a little question: I don't get this HOST (I've also read the wiki but it's not clear) can you do an example, please?
>
> Thanks,
> Cheers!
Re: BLS: Re: [qmailtoaster] Help me, my qmail can send but cant receive anything, urgent
okay, let's discuss it off the list using bahasa Indonesia to prevent miscommunication

then if we solve the problem, I'll put the summary here

On 08-Mar-11 13:13, I.Y. Andi Aji Kristian wrote:
> Yes, hi to you too Pak Ogah, I am Indonesian as well, I am located in Solo. As it happens, I have several problems with my QmailToaster. Would you be willing to help with the solution?
>
> Thank you,
> Regards
>
> 2011/3/7 Pak Ogah pako...@pala.bo-tak.info
>> Hello Ibanez, how are you?
>>
>> from your domain, it seems you are Indonesian? would you like to discuss with me in bahasa to prevent miscommunication?
>>
>> can we see the folder permission on your domain?
>> ls -ail /home/vpopmail/domains/mutugading.com
>>
>> On 05-Mar-11 0:44, iba...@aplussolution.co.id wrote:
>>> I use centos includes qmailtoaster 5.5, I got it from buying your cd CentQMT5,
>>>
>>> regards,
>>> Ibanez
>>>
>>> -Original Message-
>>> From: Jake Vickers
>>> Sent: 04/03/2011 8:58:10 PM
>>> Subject: Re: [qmailtoaster] Help me, my qmail can send but cant receive anything, urgent
>>>
>>>> On 03/04/2011 07:05 AM, I.Y. Andi Aji Kristian wrote:
>>>>> Hello, my qmailtoaster can send but can't receive anything. I got this error:
>>>>>
>>>>> @40004d70d495340321d4 info msg 6835665: bytes 256284 from emgitekexpo...@mutugading.ntt.net.id qp 14912 uid 89
>>>>> @40004d70d4953438e38c starting delivery 18: msg 6835665 to local ajeyben...@mutugading.com
>>>>> @40004d70d4953438ef44 status: local 1/10 remote 0/60
>>>>> @40004d70d4953438f714 starting delivery 19: msg 6835665 to local p...@mutugading.com
>>>>> @40004d70d4953438fafc status: local 2/10 remote 0/60
>>>>> @40004d70d495343902cc starting delivery 20: msg 6835665 to local r...@mutugading.com
>>>>> @40004d70d49534390a9c status: local 3/10 remote 0/60
>>>>> @40004d70d49534390e84 starting delivery 21: msg 6835665 to local sw...@mutugading.com
>>>>> @40004d70d4953439414c status: local 4/10 remote 0/60
>>>>> @40004d70d495347df33c delivery 18: failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/
>>>>> @40004d70d495347dfef4 status: local 3/10 remote 0/60
>>>>> @40004d70d495347e02dc delivery 19: failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/
>>>>> @40004d70d495347e0aac status: local 2/10 remote 0/60
>>>>> @40004d70d495348c4734 delivery 20: failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/
>>>>> @40004d70d495348c4f04 status: local 1/10 remote 0/60
>>>>> @40004d70d495348c56d4 delivery 21: failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/
>>>>> @40004d70d495348c5ea4 status: local 0/10 remote 0/60
>>>>> @40004d70d49535694184 bounce msg 6835665 qp 14921
>>>>
>>>> the log indicates that your system thinks the address does not exist. Did you do the full install and give the correct permissions on the database? Are the permissions correct on the directory?
Re: [qmailtoaster] Re: SMTP attack
Hi.

HOST matches either the Ip address or the hostname

Cheers
Finn

On 08-03-2011 09:04, Digital Instruments wrote:
> Nice, that's great! :)
>
> Just a little question: I don't get this HOST (I've also read the wiki but it's not clear) can you do an example, please?
>
> Thanks,
> Cheers!
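An added example, not part of the thread and not fail2ban's own code, illustrating the two replies about HOST: it swaps the tag (which fail2ban filter files write as `<HOST>`) for a named capture group, then applies the article's maxretry/findtime/bantime to constructed maillog lines. The `HOST_GROUP` pattern, the function names and the sample log format are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Filter and jail values from the article quoted in this thread; <HOST> is
# the tag as fail2ban filter files write it.
FAILREGEX = r"vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>"
MAXRETRY = 1
FINDTIME = 3600      # seconds
BANTIME = 604800     # seconds, one week

# Assumption: simplified stand-in for the pattern fail2ban substitutes for
# <HOST>. It captures an IPv4 address or a hostname in a group named "host".
HOST_GROUP = r"(?P<host>[\w\-.]+)"

# Constructed maillog lines (format assumed, not copied from the thread).
SAMPLE_LOG = """\
Mar  8 09:00:01 mail vpopmail[4101]: vchkpw-smtp: password fail (pass: 'abc123') info@example.com:203.0.113.5
Mar  8 09:00:07 mail vpopmail[4102]: vchkpw-smtp: (PLAIN) login success bob@example.com:198.51.100.20
Mar  8 09:10:30 mail vpopmail[4110]: vchkpw-smtp: password fail (pass: 'letmein') sales@example.com:198.51.100.77
Mar  8 09:40:00 mail vpopmail[4150]: vchkpw-smtp: password fail (pass: 'qwerty') sales@example.com:198.51.100.77
Mar  8 11:30:00 mail vpopmail[4200]: vchkpw-smtp: password fail (pass: '111111') sales@example.com:198.51.100.77
Mar  8 11:31:00 mail vpopmail[4201]: vchkpw-pop3: password fail (pass: 'x') info@example.com:192.0.2.9
"""


def compile_failregex(failregex):
    """Swap the <HOST> tag for the capturing group and compile the result."""
    if "<HOST>" not in failregex:
        # Without the tag the filter could match lines but never learn
        # which address to ban.
        raise ValueError("failregex contains no <HOST> tag")
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))


def parse_time(line, year=2011):
    """Seconds since 1 January of `year`; syslog lines carry no year."""
    stamp = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
    return int((stamp - datetime(year, 1, 1)).total_seconds())


def find_failures(log_text, failregex=FAILREGEX):
    """Return [(seconds, host), ...] for every line the filter matches."""
    pattern = compile_failregex(failregex)
    hits = []
    for line in log_text.splitlines():
        match = pattern.search(line)
        if match:
            hits.append((parse_time(line), match.group("host")))
    return hits


def simulate_jail(log_text, maxretry=MAXRETRY, findtime=FINDTIME,
                  bantime=BANTIME):
    """Return [(host, ban_start, ban_end), ...] in the order bans happen."""
    recent = defaultdict(list)   # host -> failure times inside the window
    banned_until = {}            # host -> second at which the ban expires
    bans = []
    for when, host in find_failures(log_text):
        if banned_until.get(host, -1) > when:
            continue             # already dropped by the firewall
        window = [t for t in recent[host] if when - t <= findtime]
        window.append(when)
        recent[host] = window
        if len(window) >= maxretry:
            banned_until[host] = when + bantime
            bans.append((host, when, when + bantime))
            recent[host] = []
    return bans


if __name__ == "__main__":
    for host, start, end in simulate_jail(SAMPLE_LOG):
        print(f"ban {host} for {end - start} seconds")
```

With the article's maxretry = 1, a single failed SMTP login bans the address for a week; the `vchkpw-pop3` line is ignored because the failregex names `vchkpw-smtp`.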
Re: [qmailtoaster] Re: SMTP attack
On 07-Mar-11 21:49, Eric Shubert wrote:
> Great job, Pak. Thanks, Toma.
>
> Pak, will you get this incorporated into the wiki? TIA.

Ok Eric, it's done

but since I just copy-pasted it as is and re-formatted it, I didn't know what that fail2ban means (I haven't tried it either)

but, I saw something weird. So I would like to ask Sergio, Toma and others who understand fail2ban

@Sergio, you created a filter named /etc/fail2ban/filter.d/vpopmail-fail.conf but the regex is searching for
  vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>
and how come in the action you are blocking the smtp port rather than the pop3 port
  action = iptables[name=SMTP, port=smtp, protocol=tcp]

@Toma, I have changed
  logpath = /your/path/to/pop3/logs
into
  logpath = /var/log/maillog
because that is the log where I can find error vpopmail user not found on qmt system

btw I have changed
  action = shorewall
into
  action = iptables[name=SMTP, port=smtp, protocol=tcp]
and the question is also the same, why did you block the smtp port for an error in the pop3 log

I think we need to standardize fail2ban rules for QMT
Re: [qmailtoaster] Re: BLS: Re: Help me, my qmail can send but cant receive anything, urgent
All fixed now, I recreated the domain with qcontrol and no problem,

Thanks eric

Regards,
Ibanez

2011/3/5 Eric Shubert e...@shubes.net
> On 03/04/2011 10:44 AM, iba...@aplussolution.co.id wrote:
> Yes, i create domain with vqmail, but i create user with qcontrol
>
> -Original Message-
> From: Eric Shubert
> Sent: 04/03/2011 8:54:42 PM
> Subject: [qmailtoaster] Re: Help me, my qmail can send but cant receive anything, urgent
>
> Let me guess (since you haven't provided much information to go on). You used vqadmin to create the domain. Right or wrong?
>
> vqadmin has a problem with creating domains, which might be your problem. Please delete users and domain(s), then use qcontrol (or CLI and /home/vpopmail/bin/ commands) to create domain(s) and users. Do NOT use vqadmin to update anything. It's ok for inquiries though.
>
> --
> -Eric 'shubes'

--
Regards,
Ibanez Yusuf Andi Aji Kristian
PT. A-Plus Solution Pratama
Jl. Bhayangkara No 78 Surakarta
Re: [qmailtoaster] Re: SMTP attack
On 3/8/2011 11:18 AM, Pak Ogah wrote:
> Ok Eric, it's done
>
> but since I just copy-pasted it as is and re-formatted it, I didn't know what that fail2ban means (I haven't tried it either)
>
> but, I saw something weird. So I would like to ask Sergio, Toma and others who understand fail2ban
>
> @Sergio, you created a filter named /etc/fail2ban/filter.d/vpopmail-fail.conf but the regex is searching for
>   vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>
> and how come in the action you are blocking the smtp port rather than the pop3 port
>   action = iptables[name=SMTP, port=smtp, protocol=tcp]
>
> @Toma, I have changed
>   logpath = /your/path/to/pop3/logs
> into
>   logpath = /var/log/maillog
> because that is the log where I can find error vpopmail user not found on qmt system
>
> btw I have changed
>   action = shorewall
> into
>   action = iptables[name=SMTP, port=smtp, protocol=tcp]
> and the question is also the same, why did you block the smtp port for an error in the pop3 log
>
> I think we need to standardize fail2ban rules for QMT

Hello,

If your system has shorewall as its firewall management solution, we get the 'action' statement from /etc/fail2ban/jail.conf

---
[qmail-pop3]
enabled = true
filter = qmail-pop3
action = shorewall
         sendmail[name=Qmail Pop3 user fail, dest=y...@yourdomain.com]
logpath = /path/to/logfile
maxretry = 3
bantime = 600
---

now action refers to files from /etc/fail2ban/action.d: shorewall.conf (as shorewall from the action line above) and sendmail.conf (as sendmail from the action line above), where we have:

shorewall.conf
---
[Definition]
actionstart =
actionstop =
actioncheck =
# <ip> is replaced by fail2ban with the address the filter captured
actionban = shorewall drop <ip>
actionunban = shorewall allow <ip>
---

and sendmail.conf
---
[Definition]
actionstart = printf %%b "Subject: [Fail2Ban] <name>: started
              From: Fail2Ban <<sender>>
              To: <dest>\n
              Hi,\n
              The jail <name> has been started successfully.\n
              Regards,\n
              Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
actionstop = printf %%b "Subject: [Fail2Ban] <name>: stopped
             From: Fail2Ban <<sender>>
             To: <dest>\n
             Hi,\n
             The jail <name> has been stopped.\n
             Regards,\n
             Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
actioncheck =
actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip>
            From: Fail2Ban <<sender>>
            To: <dest>\n
            Hi,\n
            The IP <ip> has just been banned by Fail2Ban after
            <failures> attempts against <name>.\n
            Regards,\n
            Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
actionunban = printf %%b "Subject: [Fail2Ban] <name>: unbanned <ip>
              From: Fail2Ban <<sender>>
              To: <dest>\n
              Hi,\n
              The IP <ip> has just been unbanned by Fail2Ban
              Regards,\n
              Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>

[Init]
name = default
dest = root
sender = fail2ban
---

when used with shorewall the HOST is passed to shorewall as shorewall drop <ip> and the ip will be dropped (there is no use of port or protocol)

I never used the iptables action on fail2ban, sorry, I have to do some tests...
[qmailtoaster] Address level routing
Hi all,

Is it possible to route email which is coming into a particular address onto another server?

I.e. I have two qmail servers, one of which is the mx server for blueshoes.com; the other is also set up to receive blueshoes.com but is NOT an mx server. This second server is configured for complai...@blueshoes.com.

I would like the mx server to accept all email for its known addresses (not complaints), and to route the complaints email onto the second server for handling.

The reason I want to use routing for this is that there is a requirement for this on several of my domains and the config 'feels' like it should be simple.

Thanks in advance,
Fin
[qmailtoaster] Re: Address level routing
On 03/08/2011 09:05 AM, Edward Finlayson wrote:
> Hi all,
>
> Is it possible to route email which is coming into a particular address onto another server?
>
> I.e. I have two qmail servers, one of which is the mx server for blueshoes.com; the other is also set up to receive blueshoes.com but is NOT an mx server. This second server is configured for complai...@blueshoes.com.
>
> I would like the mx server to accept all email for its known addresses (not complaints), and to route the complaints email onto the second server for handling.
>
> The reason I want to use routing for this is that there is a requirement for this on several of my domains and the config 'feels' like it should be simple.
>
> Thanks in advance,
> Fin

I think you can do this, provided that the domain on the 2nd server is different. It can be a subdomain of blueshoes.com, such as suede.blueshoes.com, which can be set up as an alias domain for blueshoes on the 2nd server.

Once you have the 2nd domain set up (as an alias or primary domain - doesn't matter) on the 2nd server, you can use smtproutes to send everything for the 2nd domain over to the 2nd server, without needing an MX for the 2nd domain.

Then you can create a forward for complai...@blueshoes.com, sending it to complai...@suede.blueshoes.com. Be sure you don't have the suede.blueshoes.com domain defined on the primary server, or smtproutes won't kick in because local delivery will be attempted. smtproutes is only used for remote (non-local) delivery.

That should get it there. If you have any further questions about this, don't hesitate to ask.

--
-Eric 'shubes'
[qmailtoaster] Re: SMTP TLS flaw
On 03/07/2011 11:24 PM, Eric Broch wrote:
> On 3/7/2011 3:09 PM, Eric Shubert wrote:
>> Would someone like to test to see if QMT's implementation of SMTP/TLS is susceptible to this flaw?
>> http://marc.info/?l=postfix-users&m=129952854117623&w=2
>>
>> This has been discussed on the dovecot list recently, and Timo reports that dovecot does not have this problem.
>
> Eric S,
>
> Here's the output. It may not look good.
>
> [root@poweredgeT1052 apps]# ./openssl s_client -quiet -starttls smtp -connect localhost:25
> 250 AUTH LOGIN PLAIN CRAM-MD5
> 250 flushed
>
> Eric B.

EricB and has done some further testing as well, and it appears that both spamdyke and qmail-smtpd suffer from this ailment.

Is there anyone here with any C savvy? If you do and you'd like to have a stab at this, please chime in.

I'm going to post this on the spamdyke list, and see what Sam has to say about it. I expect he'll be getting it fixed fairly quickly.

--
-Eric 'shubes'
Re: [qmailtoaster] Re: SMTP TLS flaw
On 3/8/2011 10:43 AM, Eric Shubert wrote:
> EricB and has done some further testing as well, and it appears that both spamdyke and qmail-smtpd suffer from this ailment.
>
> Is there anyone here with any C savvy? If you do and you'd like to have a stab at this, please chime in.
>
> I'm going to post this on the spamdyke list, and see what Sam has to say about it. I expect he'll be getting it fixed fairly quickly.

Eric S.,

Depends on your spamdyke configuration settings, but if it's 'stock' (tls-level=smtp), then it is.

Is the setting 'tls-level=smtp' supposed to be in /etc/spamdyke/spamdyke.conf ??? It wasn't on my server. I added it with the same results.

Eric B.
[qmailtoaster] Re: SMTP TLS flaw
On 03/08/2011 11:33 AM, Eric Broch wrote:
> Eric S.,
>
> Depends on your spamdyke configuration settings, but if it's 'stock' (tls-level=smtp), then it is.
>
> Is the setting 'tls-level=smtp' supposed to be in /etc/spamdyke/spamdyke.conf ??? It wasn't on my server. I added it with the same results.
>
> Eric B.

It's in the present qtp-install-spamdyke script. You must've upgraded to v4.x between 8/08 and 11/09, when I added the TLS parameters to spamdyke's config.

Which spamdyke version are you running? You really should have the latest (4.0.10). qtp-install-spamdyke will upgrade your existing version. To have it create new configuration files, remove your existing spamdyke binary file before running the script (and rename/backup your configuration directory). You'll need to do that with qmail stopped.

--
-Eric 'shubes'
Re: [qmailtoaster] Re: simscan not scanning
Thanks Eric, that did the trick.

But how do I get it to actually delete spam instead of just marking it? My simcontrol file looks like this:

:clam=yes,spam=yes,spam_hits=5,attach=.mp3:.src:.bat:.pif

But spam with scores higher than 5 is still coming in and being marked spam.

--
Kind regards,
Dieter Febel

-Original Message-
From: Eric Shubert e...@shubes.net
Reply-to: qmailtoaster-list@qmailtoaster.com
To: qmailtoaster-list@qmailtoaster.com
Subject: [qmailtoaster] Re: simscan not scanning
Date: Fri, 04 Mar 2011 06:34:22 -0700

> On 03/04/2011 01:10 AM, Dieter Febel wrote:
>> Hi all,
>>
>> I have a problem with simscan not scanning, there are no entries in /var/log/qmail/smtp/current for simscan.
>>
>> My qmailctl stat shows:
>>
>> authlib: up (pid 4067) 1294 seconds
>> clamd: up (pid 4050) 1294 seconds
>> imap4: up (pid 4058) 1294 seconds
>> imap4-ssl: up (pid 4092) 1294 seconds
>> pop3: up (pid 4074) 1294 seconds
>> pop3-ssl: up (pid 4055) 1294 seconds
>> send: up (pid 4052) 1294 seconds
>> smtp: up (pid 4070) 1294 seconds
>> spamd: up (pid 4051) 1294 seconds
>> submission: up (pid 4069) 1294 seconds
>> authlib/log: up (pid 4068) 1294 seconds
>> clamd/log: up (pid 4077) 1294 seconds
>> imap4/log: up (pid 4054) 1294 seconds
>> imap4-ssl/log: up (pid 4071) 1294 seconds
>> pop3/log: up (pid 4072) 1294 seconds
>> pop3-ssl/log: up (pid 4076) 1294 seconds
>> send/log: up (pid 4056) 1294 seconds
>> smtp/log: up (pid 4073) 1294 seconds
>> spamd/log: up (pid 4053) 1294 seconds
>> submission/log: up (pid 4075) 1294 seconds
>>
>> My /etc/tcprules.d/tcp.smtp
>>
>> 27.:allow,RELAYCLIENT=,DKSIGN=/var/qmail/control/domainkeys/%/private,RBLSMTPD=,NOP0FCHECK=1
>> :allow,BADMIMETYPE=,BADLOADERTYPE=M,CHKUSER_RCPTLIMIT=50,CHKUSER_WRONGRCPTLIMIT=10,QMAILQUEUE=/var/qmail/bin/simscan,DKSIGN=/var/qmail/control/domainkeys/%/private,NOP0FCHECK=1
>>
>> Could someone please help.
>>
>> --
>> Kind regards,
>> Dieter Febel
>
> What's in your /var/qmail/control/simcontrol file?
>
> Have you done
> # qmailctl cdb
> after changing it?
[qmailtoaster] Re: simscan not scanning
Please show an example from your smtp log.

--
-Eric 'shubes'

On 03/08/2011 12:34 PM, Dieter Febel wrote:
> Thanks Eric, that did the trick.
>
> But how do I get it to actually delete spam instead of just marking it? My simcontrol file looks like this:
>
>     :clam=yes,spam=yes,spam_hits=5,attach=.mp3:.src:.bat:.pif
>
> But spam with scores higher than 5 is still coming in and being marked spam.
>
> --
> Kind regards,
> Dieter Febel
>
> -----Original Message-----
> From: Eric Shubert e...@shubes.net
> Reply-to: qmailtoaster-list@qmailtoaster.com
> To: qmailtoaster-list@qmailtoaster.com
> Subject: [qmailtoaster] Re: simscan not scanning
> Date: Fri, 04 Mar 2011 06:34:22 -0700
>
> On 03/04/2011 01:10 AM, Dieter Febel wrote:
>> Hi all,
>>
>> I have a problem with simscan not scanning, there are no entries in /var/log/qmail/smtp/current for simscan.
>>
>> My qmailctl stat shows:
>>
>>     authlib: up (pid 4067) 1294 seconds
>>     clamd: up (pid 4050) 1294 seconds
>>     imap4: up (pid 4058) 1294 seconds
>>     imap4-ssl: up (pid 4092) 1294 seconds
>>     pop3: up (pid 4074) 1294 seconds
>>     pop3-ssl: up (pid 4055) 1294 seconds
>>     send: up (pid 4052) 1294 seconds
>>     smtp: up (pid 4070) 1294 seconds
>>     spamd: up (pid 4051) 1294 seconds
>>     submission: up (pid 4069) 1294 seconds
>>     authlib/log: up (pid 4068) 1294 seconds
>>     clamd/log: up (pid 4077) 1294 seconds
>>     imap4/log: up (pid 4054) 1294 seconds
>>     imap4-ssl/log: up (pid 4071) 1294 seconds
>>     pop3/log: up (pid 4072) 1294 seconds
>>     pop3-ssl/log: up (pid 4076) 1294 seconds
>>     send/log: up (pid 4056) 1294 seconds
>>     smtp/log: up (pid 4073) 1294 seconds
>>     spamd/log: up (pid 4053) 1294 seconds
>>     submission/log: up (pid 4075) 1294 seconds
>>
>> My /etc/tcprules.d/tcp.smtp
>>
>>     27.:allow,RELAYCLIENT=,DKSIGN=/var/qmail/control/domainkeys/%/private,RBLSMTPD=,NOP0FCHECK=1
>>     :allow,BADMIMETYPE=,BADLOADERTYPE=M,CHKUSER_RCPTLIMIT=50,CHKUSER_WRONGRCPTLIMIT=10,QMAILQUEUE=/var/qmail/bin/simscan,DKSIGN=/var/qmail/control/domainkeys/%/private,NOP0FCHECK=1
>>
>> Could someone please help.
>>
>> --
>> Kind regards,
>> Dieter Febel
>
> What's in your /var/qmail/control/simcontrol file?
>
> Have you done
> # qmailctl cdb
> after changing it?

Qmailtoaster is sponsored by Vickers Consulting Group (www.vickersconsulting.com)
Vickers Consulting Group offers Qmailtoaster support and installations.
If you need professional help with your setup, contact them today!
Please visit qmailtoaster.com for the latest news, updates, and packages.
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
Re: [qmailtoaster] Re: SMTP TLS flaw
On 3/8/2011 11:51 AM, Eric Shubert wrote:
> On 03/08/2011 11:33 AM, Eric Broch wrote:
>> On 3/8/2011 10:43 AM, Eric Shubert wrote:
>>> On 03/07/2011 11:24 PM, Eric Broch wrote:
>>>> On 3/7/2011 3:09 PM, Eric Shubert wrote:
>>>>> Would someone like to test to see if QMT's implementation of SMTP/TLS is susceptible to this flaw?
>>>>> http://marc.info/?l=postfix-users&m=129952854117623&w=2
>>>>>
>>>>> This has been discussed on the dovecot list recently, and Timo reports that dovecot does not have this problem.
>>>>
>>>> Eric S,
>>>>
>>>> Here's the output. It may not look good.
>>>>
>>>> [root@poweredgeT1052 apps]# ./openssl s_client -quiet -starttls smtp -connect localhost:25
>>>> 250 AUTH LOGIN PLAIN CRAM-MD5
>>>> 250 flushed
>>>>
>>>> Eric B.
>>>
>>> EricB and has done some further testing as well, and it appears that both spamdyke and qmail-smtpd suffer from this ailment.
>>>
>>> Is there anyone here with any C savvy? If you do and you'd like to have a stab at this, please chime in.
>>>
>>> I'm going to post this on the spamdyke list, and see what Sam has to say about it. I expect he'll be getting it fixed fairly quickly.
>>
>> Eric S.,
>>
>> Depends on your spamdyke configuration settings, but if it's 'stock' (tls-level=smtp), then it is.
>>
>> Is the setting 'tls-level=smtp' supposed to be in /etc/spamdyke/spamdyke.conf ??? It wasn't on my server. I added it with the same results.
>>
>> Eric B.
>
> It's in the present qtp-install-spamdyke script. You must've upgraded to v4.x between 8/08 and 11/09, when I added the TLS parameters to spamdyke's config.
>
> Which spamdyke version are you running? You really should have the latest (4.0.10). qtp-install-spamdyke will upgrade your existing version. To have it create new configuration files, remove your existing spamdyke binary file before running the script (and rename/backup your configuration directory). You'll need to do that with qmail stopped.

OK, I removed the spamdyke binary, renamed the spamdyke directory, and reinstalled spamdyke. It made no difference; the error was the same.

Eric
[qmailtoaster] Re: SMTP TLS flaw
On 03/08/2011 12:49 PM, Eric Broch wrote:
> On 3/8/2011 11:51 AM, Eric Shubert wrote:
>> On 03/08/2011 11:33 AM, Eric Broch wrote:
>>> On 3/8/2011 10:43 AM, Eric Shubert wrote:
>>>> On 03/07/2011 11:24 PM, Eric Broch wrote:
>>>>> On 3/7/2011 3:09 PM, Eric Shubert wrote:
>>>>>> Would someone like to test to see if QMT's implementation of SMTP/TLS is susceptible to this flaw?
>>>>>> http://marc.info/?l=postfix-users&m=129952854117623&w=2
>>>>>>
>>>>>> This has been discussed on the dovecot list recently, and Timo reports that dovecot does not have this problem.
>>>>>
>>>>> Eric S,
>>>>>
>>>>> Here's the output. It may not look good.
>>>>>
>>>>> [root@poweredgeT1052 apps]# ./openssl s_client -quiet -starttls smtp -connect localhost:25
>>>>> 250 AUTH LOGIN PLAIN CRAM-MD5
>>>>> 250 flushed
>>>>>
>>>>> Eric B.
>>>>
>>>> EricB and has done some further testing as well, and it appears that both spamdyke and qmail-smtpd suffer from this ailment.
>>>>
>>>> Is there anyone here with any C savvy? If you do and you'd like to have a stab at this, please chime in.
>>>>
>>>> I'm going to post this on the spamdyke list, and see what Sam has to say about it. I expect he'll be getting it fixed fairly quickly.
>>>
>>> Eric S.,
>>>
>>> Depends on your spamdyke configuration settings, but if it's 'stock' (tls-level=smtp), then it is.
>>>
>>> Is the setting 'tls-level=smtp' supposed to be in /etc/spamdyke/spamdyke.conf ??? It wasn't on my server. I added it with the same results.
>>>
>>> Eric B.
>>
>> It's in the present qtp-install-spamdyke script. You must've upgraded to v4.x between 8/08 and 11/09, when I added the TLS parameters to spamdyke's config.
>>
>> Which spamdyke version are you running? You really should have the latest (4.0.10). qtp-install-spamdyke will upgrade your existing version. To have it create new configuration files, remove your existing spamdyke binary file before running the script (and rename/backup your configuration directory). You'll need to do that with qmail stopped.
>
> OK, I removed the spamdyke binary, renamed the spamdyke directory, and reinstalled spamdyke. It made no difference; the error was the same.
>
> Eric

Good (that it's the same, not that it's there to begin with). I've posted to the spamdyke list, so we'll see what Sam has to say.

--
-Eric 'shubes'
Re: Re: [qmailtoaster] Re: SMTP attack
Pak Ogah wrote:
> On 07-Mar-11 21:49, Eric Shubert wrote:
>> Great job, Pak. Thanks, Toma.
>>
>> Pak, will you get this incorporated into the wiki? TIA.
>
> Ok Eric, it's done but since I just copy-paste as is and re-formatting, I didn't know what that fail2ban meaning (I haven't tried it also) but, I saw something weird. So I would like to ask Sergio, Toma and others who understand fail2ban
>
> @Sergio, you create a filter named /etc/fail2ban/filter.d/vpopmail-fail.conf but the regex is searching for
>
>     vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>
>
> and how come on action you blocking smtp port rather than pop3 port
>
>     action = iptables[name=SMTP, port=smtp, protocol=tcp]
>
> @Toma, I have changed
>
>     logpath = /your/path/to/pop3/logs
>
> into
>
>     logpath = /var/log/maillog
>
> because that is the log where I can find error vpopmail user not found on qmt system
>
> btw I have changed
>
>     action = shorewall
>
> into
>
>     action = iptables[name=SMTP, port=smtp, protocol=tcp]
>
> and the question also same, why did you block smtp port for error in pop3 log
>
> I think we need standardize fail2ban rules for QMT

Hi Pak,

I created the filter to block IPs that try to log into the SMTP, guessing passwords. That's why I use a regex that searches for 'password fail' and blocks SMTP and not POP3.

I think there's a standard fail2ban filter that blocks POP3 logins, but could not make it work.

Regards,
Sergio

PS: Thanks for the formatting BTW!
Re: [qmailtoaster] Re: simscan not scanning
Hi Eric,

    CHKUSER accepted rcpt: from henry.jill...@gmail.com:: remote mail.dosco.de:unknown:217.6.150.34 rcpt sa...@sagateway.com : found existing recipient
    policy_check: remote henry.jill...@gmail.com - local sa...@sagateway.com (UNAUTHENTICATED SENDER)
    spamdyke[32707]: ALLOWED from: henry.jill...@gmail.com to: sa...@sagateway.com origin_ip: 217.6.150.34 origin_rdns: mail.dosco.de auth: (unknown) encryption: (none)
    simscan:[32762]:CLEAN (0.10/6.00):0.8747s:SPAM(16.5) business/medical/consumer mailing lists:217.6.150.34:henry.jill...@gmail.com:sa...@sagateway.com

--
Kind regards,
Dieter Febel
SA-Gateway
Tel: 086 110 2062
Fax: 086 650 1026
url: http://www.sagateway.com

-----Original Message-----
From: Eric Shubert e...@shubes.net
Reply-to: qmailtoaster-list@qmailtoaster.com
To: qmailtoaster-list@qmailtoaster.com
Subject: [qmailtoaster] Re: simscan not scanning
Date: Tue, 08 Mar 2011 12:49:30 -0700

Please show an example from your smtp log.
[qmailtoaster] Re: simscan not scanning
Please post contents of /etc/mail/spamassassin/local.cf

On 03/08/2011 01:26 PM, Dieter Febel wrote:
> Hi Eric,
>
>     CHKUSER accepted rcpt: from henry.jill...@gmail.com:: remote mail.dosco.de:unknown:217.6.150.34 rcpt sa...@sagateway.com : found existing recipient
>     policy_check: remote henry.jill...@gmail.com - local sa...@sagateway.com (UNAUTHENTICATED SENDER)
>     spamdyke[32707]: ALLOWED from: henry.jill...@gmail.com to: sa...@sagateway.com origin_ip: 217.6.150.34 origin_rdns: mail.dosco.de auth: (unknown) encryption: (none)
>     simscan:[32762]:CLEAN (0.10/6.00):0.8747s:SPAM(16.5) business/medical/consumer mailing lists:217.6.150.34:henry.jill...@gmail.com:sa...@sagateway.com
>
> --
> Kind regards,
> Dieter Febel
> SA-Gateway
> Tel: 086 110 2062
> Fax: 086 650 1026
> url: http://www.sagateway.com
>
> -----Original Message-----
> From: Eric Shubert e...@shubes.net
> Reply-to: qmailtoaster-list@qmailtoaster.com
> To: qmailtoaster-list@qmailtoaster.com
> Subject: [qmailtoaster] Re: simscan not scanning
> Date: Tue, 08 Mar 2011 12:49:30 -0700
>
> Please show an example from your smtp log.

--
-Eric 'shubes'
Re: [qmailtoaster] Re: SMTP TLS flaw
On 3/8/2011 10:43 AM, Eric Shubert wrote:
> On 03/07/2011 11:24 PM, Eric Broch wrote:
>> On 3/7/2011 3:09 PM, Eric Shubert wrote:
>>> Would someone like to test to see if QMT's implementation of SMTP/TLS is susceptible to this flaw?
>>> http://marc.info/?l=postfix-users&m=129952854117623&w=2
>>>
>>> This has been discussed on the dovecot list recently, and Timo reports that dovecot does not have this problem.
>>
>> Eric S,
>>
>> Here's the output. It may not look good.
>>
>> [root@poweredgeT1052 apps]# ./openssl s_client -quiet -starttls smtp -connect localhost:25
>> 250 AUTH LOGIN PLAIN CRAM-MD5
>> 250 flushed
>>
>> Eric B.
>
> EricB and has done some further testing as well, and it appears that both spamdyke and qmail-smtpd suffer from this ailment.
>
> Is there anyone here with any C savvy? If you do and you'd like to have a stab at this, please chime in.
>
> I'm going to post this on the spamdyke list, and see what Sam has to say about it. I expect he'll be getting it fixed fairly quickly.

I wrote a 'C++' program to test this issue but the output was different than it was when testing with the openssl package. I'm not sure what would be wrong with my program, if anything (I'm open to suggestions). Anyway, here's the output from my 'C++' program for both scenarios and the program below.

Build/Run

    g++ -o test test.cpp
    ./test (server ip) (port)

STARTTLS

    220 poweredgeT105.whitehorsetc.com - Welcome to Qmail Toaster Ver. 1.3 SMTP Server ESMTP
    ehlo
    250-poweredgeT105.whitehorsetc.com - Welcome to Qmail Toaster Ver. 1.3 SMTP Server
    250-STARTTLS
    250-PIPELINING
    250-8BITMIME
    250-SIZE 20971520
    250 AUTH LOGIN PLAIN CRAM-MD5
    STARTTLS
    220 Proceed.

STARTTLS/RSET

    220 poweredgeT105.whitehorsetc.com - Welcome to Qmail Toaster Ver. 1.3 SMTP Server ESMTP
    ehlo
    250-poweredgeT105.whitehorsetc.com - Welcome to Qmail Toaster Ver. 1.3 SMTP Server
    250-STARTTLS
    250-PIPELINING
    250-8BITMIME
    250-SIZE 20971520
    250 AUTH LOGIN PLAIN CRAM-MD5
    STARTTLS
    RSET
    220 Proceed.

    // test.cpp
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <netdb.h>
    #include <unistd.h>
    #include <arpa/inet.h>
    #include <iostream>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <errno.h>
    #include <fcntl.h>

    #define buflen 512

    signed int portno = 25;
    char hostname[] = "mail.whitehorsetc.com";
    char buf[buflen];

    int main(int argc, char * argv[])
    {
        int sd = socket(AF_INET, SOCK_STREAM, 0); /* init socket descriptor */
        struct sockaddr_in sin;
        struct hostent * host;
        char buf[buflen];

        memset(&sin, 0, sizeof(sin));
        sin.sin_family = AF_INET;
        if (argc == 3) {
            printf("Proceeding with 2 arguments %s/%s\n", argv[1], argv[2]);
            host = gethostbyname(argv[1]);
            signed int myport = (signed int)atoi(argv[2]);
            sin.sin_port = htons(myport);
        } else {
            printf("Proceeding with no arguments %s/%d\n", hostname, portno);
            host = gethostbyname(hostname);
            sin.sin_port = htons(portno);
        }
        if (host == NULL) { /* name lookup failed */
            fprintf(stderr, "cannot resolve host\n");
            exit(1);
        }
        memcpy(&sin.sin_addr.s_addr, host->h_addr, host->h_length);
        if (connect(sd, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
            perror("connecting");
            exit(1);
        }
        /*
        ** Wait after connection before reading from socket
        */
        sleep(1);
        /*
        ** Read from socket and send to terminal so client/server
        ** interaction can be seen
        */
        int len = buflen+1;
        memset(buf,'\0',buflen);
        len = read(sd,buf,buflen);
        write(1,buf,len);
        /*
        ** Send 'ehlo' to smtp server and send to terminal so client/server
        ** interaction can be seen
        */
        memset(buf,'\0',buflen);
        strcpy(buf,"ehlo\r\n");
        write(1,buf,strlen(buf));
        len = write(sd,buf,strlen(buf));
        memset(buf,'\0',buflen);
        /*
        ** Wait for reply
        */
        sleep(1);
        /*
        ** Read result of 'ehlo' and send to terminal so client/server
        ** interaction can be seen
        */
        len = read(sd,buf,buflen);
        write(1,buf,len);
        /*
        ** Send 'starttls' with/without 'rset' and send to terminal so client/server
        ** interaction can be seen
        */
        memset(buf,'\0',buflen);
        //len = sprintf(buf,"STARTTLS%c%c",'\r','\n');
        len = sprintf(buf,"STARTTLS%c%cRSET%c%c",'\r','\n','\r','\n');
        len = write(sd,buf,len);
        write(1,buf,len);
        memset(buf,'\0',buflen);
        /*
        ** Wait for reply
        */
        sleep(1);
        /*
        ** Read response for 'starttls' and send to terminal so client/server
        ** interaction can be seen
        */
        len = read(sd,buf,buflen);
        write(1,buf,len);
        len = read(sd,buf,buflen);
        write(1,buf,len);
        /*
        ** Close socket
        */
        sleep(5);
        close(sd);
    }
[qmailtoaster] Re: SMTP TLS flaw
I think your program's fine. I don't think the other tests with openssl really showed the bug. I think this does.

Now, can you run your program against port 587 as well as 25?

P.S. Spamdyke Sam replied to my post. While he doesn't think this is necessarily a vulnerability (and I tend to agree with him), it does appear to be an RFC violation, and he'll be looking into fixing spamdyke.

--
-Eric 'shubes'

On 03/08/2011 01:50 PM, Eric Broch wrote:
> I wrote a 'C++' program to test this issue but the output was different than it was when testing with the openssl package. I'm not sure what would be wrong with my program, if anything (I'm open to suggestions). Anyway, here's the output from my 'C++' program for both scenarios and the program below.
>
> Build/Run
>
>     g++ -o test test.cpp
>     ./test (server ip) (port)
>
> STARTTLS
>
>     220 poweredgeT105.whitehorsetc.com - Welcome to Qmail Toaster Ver. 1.3 SMTP Server ESMTP
>     ehlo
>     250-poweredgeT105.whitehorsetc.com - Welcome to Qmail Toaster Ver. 1.3 SMTP Server
>     250-STARTTLS
>     250-PIPELINING
>     250-8BITMIME
>     250-SIZE 20971520
>     250 AUTH LOGIN PLAIN CRAM-MD5
>     STARTTLS
>     220 Proceed.
>
> STARTTLS/RSET
>
>     220 poweredgeT105.whitehorsetc.com - Welcome to Qmail Toaster Ver. 1.3 SMTP Server ESMTP
>     ehlo
>     250-poweredgeT105.whitehorsetc.com - Welcome to Qmail Toaster Ver. 1.3 SMTP Server
>     250-STARTTLS
>     250-PIPELINING
>     250-8BITMIME
>     250-SIZE 20971520
>     250 AUTH LOGIN PLAIN CRAM-MD5
>     STARTTLS
>     RSET
>     220 Proceed.
Re: [qmailtoaster] Re: SMTP TLS flaw
On 3/8/2011 10:43 AM, Eric Shubert wrote:
> On 03/07/2011 11:24 PM, Eric Broch wrote:
>> On 3/7/2011 3:09 PM, Eric Shubert wrote:
>>> Would someone like to test to see if QMT's implementation of SMTP/TLS is susceptible to this flaw?
>>> http://marc.info/?l=postfix-users&m=129952854117623&w=2
>>>
>>> This has been discussed on the dovecot list recently, and Timo reports that dovecot does not have this problem.
>>
>> Eric S,
>>
>> Here's the output. It may not look good.
>>
>> [root@poweredgeT1052 apps]# ./openssl s_client -quiet -starttls smtp -connect localhost:25
>> 250 AUTH LOGIN PLAIN CRAM-MD5
>> 250 flushed
>>
>> Eric B.
>
> EricB and has done some further testing as well, and it appears that both spamdyke and qmail-smtpd suffer from this ailment.
>
> Is there anyone here with any C savvy? If you do and you'd like to have a stab at this, please chime in.
>
> I'm going to post this on the spamdyke list, and see what Sam has to say about it. I expect he'll be getting it fixed fairly quickly.

I also tried another 'trick' to test this issue. I opened two putty sessions to my server. In one session I merely opened a file (vi test) and typed STARTTLS on the first line, hit enter (\r\n), then typed RSET and hit enter (\r\n) again. I copied this file's contents into the buffer (highlight and mouse left click) in the manner of 'Putty' (I used notepad to create this entry also). In the second session I entered 'telnet localhost 25' at the prompt and after receiving the server welcome pasted my buffer from the first session (or notepad) into the second putty session's smtp conversation. Here's the output:

    [root@poweredgeT105 ~]# telnet mail.whitehorsetc.com 25
    Trying 192.168.9.2...
    Connected to mail.whitehorsetc.com (192.168.9.2).
    Escape character is '^]'.
    220 poweredgeT105.whitehorsetc.com - Welcome to Qmail Toaster Ver. 1.3 SMTP Server ESMTP
    STARTTLS
    RSET
    220 Proceed.

If anyone sees flaws in this procedure, let me know.
Re: [qmailtoaster] Re: SMTP TLS flaw
On 3/8/2011 2:23 PM, Eric Shubert wrote:
> I think your program's fine. I don't think the other tests with openssl really showed the bug. I think this does.
>
> Now, can you run your program against port 587 as well as 25?
>
> P.S. Spamdyke Sam replied to my post. While he doesn't think this is necessarily a vulnerability (and I tend to agree with him), it does appear to be an RFC violation, and he'll be looking into fixing spamdyke.

    [root@poweredgeT1052 exp]# ./test 192.168.9.6 587
    Proceeding with 2 arguments 192.168.9.6/587
    220 poweredgeT105.whitehorsetc.com - Welcome to Qmail Toaster Ver. 1.3 SMTP Server ESMTP
    ehlo
    250-poweredgeT105.whitehorsetc.com - Welcome to Qmail Toaster Ver. 1.3 SMTP Server
    250-STARTTLS
    250-PIPELINING
    250-8BITMIME
    250-SIZE 20971520
    250 AUTH LOGIN PLAIN CRAM-MD5
    STARTTLS
    RSET
    220 ready for tls
[qmailtoaster] Re: SMTP TLS flaw
On 03/08/2011 02:36 PM, Eric Broch wrote:
> On 3/8/2011 10:43 AM, Eric Shubert wrote:
>> On 03/07/2011 11:24 PM, Eric Broch wrote:
>>> On 3/7/2011 3:09 PM, Eric Shubert wrote:
>>>> Would someone like to test to see if QMT's implementation of SMTP/TLS is susceptible to this flaw?
>>>> http://marc.info/?l=postfix-users&m=129952854117623&w=2
>>>>
>>>> This has been discussed on the dovecot list recently, and Timo reports that dovecot does not have this problem.
>>>
>>> Eric S,
>>>
>>> Here's the output. It may not look good.
>>>
>>> [root@poweredgeT1052 apps]# ./openssl s_client -quiet -starttls smtp -connect localhost:25
>>> 250 AUTH LOGIN PLAIN CRAM-MD5
>>> 250 flushed
>>>
>>> Eric B.
>>
>> EricB and has done some further testing as well, and it appears that both spamdyke and qmail-smtpd suffer from this ailment.
>>
>> Is there anyone here with any C savvy? If you do and you'd like to have a stab at this, please chime in.
>>
>> I'm going to post this on the spamdyke list, and see what Sam has to say about it. I expect he'll be getting it fixed fairly quickly.
>
> I also tried another 'trick' to test this issue. I opened two putty sessions to my server. In one session I merely opened a file (vi test) and typed STARTTLS on the first line, hit enter (\r\n), then typed RSET and hit enter (\r\n) again. I copied this file's contents into the buffer (highlight and mouse left click) in the manner of 'Putty' (I used notepad to create this entry also). In the second session I entered 'telnet localhost 25' at the prompt and after receiving the server welcome pasted my buffer from the first session (or notepad) into the second putty session's smtp conversation. Here's the output:
>
>     [root@poweredgeT105 ~]# telnet mail.whitehorsetc.com 25
>     Trying 192.168.9.2...
>     Connected to mail.whitehorsetc.com (192.168.9.2).
>     Escape character is '^]'.
>     220 poweredgeT105.whitehorsetc.com - Welcome to Qmail Toaster Ver. 1.3 SMTP Server ESMTP
>     STARTTLS
>     RSET
>     220 Proceed.
>
> If anyone sees flaws in this procedure, let me know.

I think this is fine.

Now, since you know a little C++, would you care to delve into qmail-smtpd, with the 2 patches used in QMT, and figure out how to clear the buffer after TLS has started, so the RSET doesn't come through?

Let's take this over to the devel list to work it out.

--
-Eric 'shubes'
Re: [qmailtoaster] Re: SMTP TLS flaw
On 3/8/2011 3:14 PM, Eric Shubert wrote:
> On 03/08/2011 02:36 PM, Eric Broch wrote:
>> On 3/8/2011 10:43 AM, Eric Shubert wrote:
>>> On 03/07/2011 11:24 PM, Eric Broch wrote:
>>>> On 3/7/2011 3:09 PM, Eric Shubert wrote:
>>>>> Would someone like to test to see if QMT's implementation of SMTP/TLS is susceptible to this flaw?
>>>>> http://marc.info/?l=postfix-users&m=129952854117623&w=2
>>>>>
>>>>> This has been discussed on the dovecot list recently, and Timo reports that dovecot does not have this problem.
>>>>
>>>> Eric S,
>>>>
>>>> Here's the output. It may not look good.
>>>>
>>>> [root@poweredgeT1052 apps]# ./openssl s_client -quiet -starttls smtp -connect localhost:25
>>>> 250 AUTH LOGIN PLAIN CRAM-MD5
>>>> 250 flushed
>>>>
>>>> Eric B.
>>>
>>> EricB and has done some further testing as well, and it appears that both spamdyke and qmail-smtpd suffer from this ailment.
>>>
>>> Is there anyone here with any C savvy? If you do and you'd like to have a stab at this, please chime in.
>>>
>>> I'm going to post this on the spamdyke list, and see what Sam has to say about it. I expect he'll be getting it fixed fairly quickly.
>>
>> I also tried another 'trick' to test this issue. I opened two putty sessions to my server. In one session I merely opened a file (vi test) and typed STARTTLS on the first line, hit enter (\r\n), then typed RSET and hit enter (\r\n) again. I copied this file's contents into the buffer (highlight and mouse left click) in the manner of 'Putty' (I used notepad to create this entry also). In the second session I entered 'telnet localhost 25' at the prompt and after receiving the server welcome pasted my buffer from the first session (or notepad) into the second putty session's smtp conversation. Here's the output:
>>
>>     [root@poweredgeT105 ~]# telnet mail.whitehorsetc.com 25
>>     Trying 192.168.9.2...
>>     Connected to mail.whitehorsetc.com (192.168.9.2).
>>     Escape character is '^]'.
>>     220 poweredgeT105.whitehorsetc.com - Welcome to Qmail Toaster Ver. 1.3 SMTP Server ESMTP
>>     STARTTLS
>>     RSET
>>     220 Proceed.
>>
>> If anyone sees flaws in this procedure, let me know.
>
> I think this is fine.
>
> Now, since you know a little C++, would you care to delve into qmail-smtpd, with the 2 patches used in QMT, and figure out how to clear the buffer after TLS has started, so the RSET doesn't come through?
>
> Let's take this over to the devel list to work it out.

Sounds good.
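The fix Eric Shubert asks for in this thread (clearing the input buffer once TLS starts, so the pipelined RSET is not processed) can be shown in a small C model. This is an added example, not qmail-smtpd or spamdyke code: the session struct, the function names and the stricter REJECT_PIPELINED policy are assumptions made for illustration, the TLS handshake is simulated, and the input is a constructed byte string shaped like the one test.cpp sends.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define BUF_MAX 512

/* Hypothetical policies for what STARTTLS does with already-buffered input. */
enum starttls_policy { KEEP_BUFFER, DISCARD_BUFFER, REJECT_PIPELINED };

/* Hypothetical session: one buffered reader used before and after TLS. */
struct session {
    char   inbuf[BUF_MAX];
    size_t inlen;       /* bytes received in plaintext but not yet parsed */
    int    tls_active;  /* set once the (simulated) handshake completes */
};

/* Simulates one plaintext read() from the socket into the input buffer. */
static void feed(struct session *s, const char *bytes)
{
    size_t n = strlen(bytes);
    if (n > BUF_MAX - s->inlen)
        n = BUF_MAX - s->inlen;
    memcpy(s->inbuf + s->inlen, bytes, n);
    s->inlen += n;
}

/* Pops one CRLF-terminated line into out; returns 1 on success, 0 if none. */
static int next_line(struct session *s, char *out, size_t outsz)
{
    for (size_t i = 0; i + 1 < s->inlen; i++) {
        if (s->inbuf[i] == '\r' && s->inbuf[i + 1] == '\n') {
            size_t n = i < outsz - 1 ? i : outsz - 1;
            memcpy(out, s->inbuf, n);
            out[n] = '\0';
            memmove(s->inbuf, s->inbuf + i + 2, s->inlen - (i + 2));
            s->inlen -= i + 2;
            return 1;
        }
    }
    return 0;
}

/* Handles STARTTLS. Returns 0 to continue, -1 to drop the connection. */
static int start_tls(struct session *s, enum starttls_policy policy)
{
    /* Stricter option: a client that sent more data before seeing the
     * 220 reply has pipelined across the TLS boundary; refuse it. */
    if (policy == REJECT_PIPELINED && s->inlen > 0)
        return -1;
    /* "220 Proceed." would be written here and the handshake would run
     * on the socket. Anything still in inbuf arrived unprotected. */
    if (policy == DISCARD_BUFFER)
        s->inlen = 0;   /* the buffer clear asked for in the thread */
    s->tls_active = 1;
    return 0;
}

/* Runs the command loop over bytes that arrived in ONE plaintext read.
 * Returns how many commands were executed after TLS became active even
 * though they were received in plaintext, or -1 if the session was dropped. */
int plaintext_cmds_run_under_tls(const char *wire, enum starttls_policy policy)
{
    struct session s;
    char line[BUF_MAX];
    int leaked = 0;

    memset(&s, 0, sizeof s);
    feed(&s, wire);
    while (next_line(&s, line, sizeof line)) {
        if (s.tls_active) {
            leaked++;   /* e.g. RSET treated as if it came over TLS */
        } else if (strcasecmp(line, "STARTTLS") == 0) {
            if (start_tls(&s, policy) < 0)
                return -1;
        }
        /* other plaintext commands (EHLO ...) are legitimate before TLS */
    }
    return leaked;
}

int main(void)
{
    /* Constructed input: STARTTLS and RSET in the same write, as in test.cpp. */
    const char *wire = "EHLO client.example\r\nSTARTTLS\r\nRSET\r\n";

    printf("keep buffer:      %d\n", plaintext_cmds_run_under_tls(wire, KEEP_BUFFER));
    printf("discard buffer:   %d\n", plaintext_cmds_run_under_tls(wire, DISCARD_BUFFER));
    printf("reject pipelined: %d\n", plaintext_cmds_run_under_tls(wire, REJECT_PIPELINED));
    return 0;
}
```

With the buffer kept, the RSET that arrived before the handshake is counted as executed inside the TLS phase; with either of the other two policies it never runs.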
Re: [qmailtoaster] Re: simscan not scanning
/etc/mail/spamassassin/local.cf

    # These values can be overridden by editing ~/.spamassassin/user_prefs.cf
    # (see spamassassin(1) for details)

    # These should be safe assumptions and allow for simple visual sifting
    # without risking lost emails.

    ok_locales all
    skip_rbl_checks 1
    required_score 5
    report_safe 0
    rewrite_header Subject ***SPAM***
    use_pyzor 1
    use_auto_whitelist 1
    use_bayes 1
    use_bayes_rules 1
    bayes_auto_learn 1

--
Kind regards,
Dieter Febel
SA-Gateway
Tel: 086 110 2062
Fax: 086 650 1026
url: http://www.sagateway.com

-----Original Message-----
From: Eric Shubert e...@shubes.net
Reply-to: qmailtoaster-list@qmailtoaster.com
To: qmailtoaster-list@qmailtoaster.com
Subject: [qmailtoaster] Re: simscan not scanning
Date: Tue, 08 Mar 2011 13:30:40 -0700

/etc/mail/spamassassin/local.cf
Re: [qmailtoaster] Re: SMTP attack
okay thank you for your explanation

On 08-Mar-11 19:43, Toma Bogdan wrote:
> Hello,
>
> If your system have shorewall as firewall solution management we get 'action' statement from /etc/fail2ban/jail.conf
>
> ---
>     [qmail-pop3]
>     enabled = true
>     filter = qmail-pop3
>     action = shorewall
>              sendmail[name=Qmail Pop3 user fail, dest=y...@yourdomain.com]
>     logpath = /path/to/logfile
>     maxretry = 3
>     bantime = 600
> ---
>
> now action refer to a file from /etc/fail2ban/action.d
> shorewall.conf ( as shorewall from action line above ) and
> sendmail.conf ( as sendmail from action line above )
>
> where we have:
>
> shorewall.conf
> ---
>     [Definition]
>     actionstart =
>     actionstop =
>     actioncheck =
>     actionban = shorewall drop <ip>
>     actionunban = shorewall allow <ip>
> ---
>
> and sendmail.conf
> ---
>     [Definition]
>     actionstart = printf %%b "Subject: [Fail2Ban] <name>: started
>                   From: Fail2Ban <<sender>>
>                   To: <dest>\n
>                   Hi,\n
>                   The jail <name> has been started successfully.\n
>                   Regards,\n
>                   Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
>     actionstop = printf %%b "Subject: [Fail2Ban] <name>: stopped
>                  From: Fail2Ban <<sender>>
>                  To: <dest>\n
>                  Hi,\n
>                  The jail <name> has been stopped.\n
>                  Regards,\n
>                  Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
>     actioncheck =
>     actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip>
>                 From: Fail2Ban <<sender>>
>                 To: <dest>\n
>                 Hi,\n
>                 The IP <ip> has just been banned by Fail2Ban after
>                 <failures> attempts against <name>.\n
>                 Regards,\n
>                 Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
>     actionunban = printf %%b "Subject: [Fail2Ban] <name>: unbanned <ip>
>                   From: Fail2Ban <<sender>>
>                   To: <dest>\n
>                   Hi,\n
>                   The IP <ip> has just been unbanned by Fail2Ban
>                   Regards,\n
>                   Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>