Re: [SAtalk] Whitelist using LDAP server

2003-06-16 Thread Tony Earnshaw
Simon Byrnand wrote:

> Huh? Of course Sendmail can refuse mail for non-existent user accounts. :)
>
> This happens automatically for the primary domain name the server is
> configured with, but if you're doing multiple virtual domains using the
> virtusertable file then you need a wildcard entry per domain that looks
> like:
>
> @domain.com error:nouser User unknown
>
> Which makes sure all addresses at that domain that don't have explicit
> virtusertable entries are rejected, rather than trying to fall through
> to local accounts of the same name.

Another of those mailing lists where you learn a lot of unexpected 
things along the way. I'd never have dreamed I'd be pushed painlessly 
into learning the ins and outs of Sendmail by Simon and David.

Tony

--
Tony Earnshaw
Working to get a life

http://j-walk.com/blog/docs/conference.htm
http://www.billy.demon.nl
Mail: [EMAIL PROTECTED]


---
This SF.NET email is sponsored by: eBay
Great deals on office technology -- on eBay now! Click here:
http://adfarm.mediaplex.com/ad/ck/711-11697-6916-5
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk


Re: [SAtalk] Whitelist using LDAP server

2003-06-16 Thread Colin Dean
John Lederer wrote:

> I am extremely interested.
>
> We use Rolodap, an LDAP contacts directory. Automatically whitelisting
> email from anyone in that would let us lower the threshold for spam
> generally.
>
> If you can post your code somewhere where I could link to it, I would
> make sure that Rolodap users generally knew of its availability.

No problem.  I've made my modifications available at:

  http://www.colinetrix.co.uk/resources/

Give it a try, and let me know how you get on.

Regards,

Colin



Re: [SAtalk] Whitelist using LDAP server

2003-06-15 Thread Tony Earnshaw
Colin Dean wrote:

> Sorry, in trying to be brief in my original posting, I probably wasn't
> clear enough.

All you had to do is to explain why.

> Before using SA, we'd set up a regular cron job to send the relevant
> data from MySQL into an OpenLDAP directory so that we could then use
> this easily as a shared address book from mail clients like Mozilla
> Mail, e.g. to autocomplete addresses when composing.  Works well.

So the ldap directory is internal.

> To avoid exposing our SMTP server to the outside world, we actually
> pick up all incoming mail from our ISP relay using fetchmail in
> multi-drop mode, and then pump it into our internal SMTP server
> (sendmail).

Ah. Does this make any difference to putting your MTA in a 
proxy-forwarding DMZ? Don't know what provision Sendmail has for 
defeating dictionary attacks and suchlike, but both Postfix 2.0 and Exim 
4.20 can completely defeat them, so using Fetchmail isn't necessary. 
Also, both can be configured to refuse mail for non-existent user 
accounts. Which I don't believe Sendmail can. I don't know much about 
the innards of Fetchmail.

The Fetchmail alternative wouldn't work for large orgs, or those which 
demand instant e-mail.

> So, I could have constructed a whitelist_from list of 600 email
> addresses, put that in SA's config file, and arrange somehow to keep
> them in step, but that didn't seem very elegant.  So I figured it
> might be better if I got SA to check the from addresses of incoming
> mail directly against our LDAP server.  The latter basically contains
> a schema of inetOrgPerson objects whose mail attribute is the email
> address of the external contact.  Maybe I could have done the checks
> directly against MySQL, but I figured querying the LDAP server might
> be more lightweight.

ldap is a bottomless magic box.

> My modifications to SA allow this LDAP-based whitelist-checking to
> be performed immediately after the usual whitelist_from and
> whitelist_from_rcvd processing, enabled in a minimal case by two
> extra config lines, e.g.
>
>   whitelist_ldap_url  ldap://localhost:389
>   whitelist_ldap_base_dn  dc=example,dc=com

I don't know Sendmail at all, but as I said, both SA-Exim 4.20/3.0 and 
Postfix 2.0 could be configured to whitelist your ldap users without 
altering any SA code. SA-Exim would do that with inclusion in the 
exception rule, Postfix with a custom transport.

> but with a few additional config options to allow specifying Bind DN
> and password, and to cater for ldaps:// server CA cert checking.
> I've also put in an additional filter option, so e.g. if the LDAP
> entries were flagged with some other attribute saying whether a given
> address should be whitelisted or not, that would be easily accommodated.

Both Exim 4 and Postfix 2.0 ldap routers/alias maps (respectively) could 
be configured to do this. A problem I have with Postfix at the moment, 
is getting it to use ldaps or starttls for ldap at all, though Exim can 
do that easily. Both can be configured to use CA certs for whatever they 
*can* do with tls (e.g. smtp starttls for Postfix 2.0)

> My LDAP config options are in the spirit of those used by Mozilla Mail.

Yea!

> Maybe this isn't a common problem, and there may well be other ways of
> solving it, but we're happy now!

My only worry would be at the developers feeling they would have to 
modify SA code to do such a thing. As I pointed out, I have no idea how 
Sendmail works; for that matter Qmail or Smail neither. Maybe code 
changes would be necessary for the latter two.

Best,

Tony

--
Tony Earnshaw
- Deyr fé, deyr frendr
deyr sjálfr 'it sama
- ek veit ein aldrigi deyr
- dómr um dauðan hvern.
From Hávamál - what gods have said

http://j-walk.com/blog/docs/conference.htm
http://www.billy.demon.nl
Mail: [EMAIL PROTECTED]


RE: [SAtalk] Whitelist using LDAP server

2003-06-15 Thread David Luyer
> Also, both can be configured to refuse mail for non-existent user
> accounts. Which I don't believe Sendmail can.

Of course it can.  sendmail can do anything.  Never believe anyone
who tells you there's something sendmail can't do.

It does it by default if it's the final delivery host, if it's not
then either use an existing set of rules to do rewrites or write
your own. 

Example (from a backup MX for many domains):

KPIuserdb btree /etc/pidata/piuserdb
KMIRAuserdb btree /etc/pidata/mirauserdb
KZIPuserdb btree /etc/zipdata/zipuserdb
F{PIdomains} /etc/pidata/pidomains
F{MIRAdomains} /etc/pidata/miradomains
F{ZIPdomains} /etc/zipdata/zipdomains

LOCAL_RULE_0
R$+@$={PIdomains}.$*  $: @P$(PIuserdb $1:maildrop$)$3
R$+@$={MIRAdomains}.$*$: @M$(MIRAuserdb [EMAIL PROTECTED]:maildrop$)$3
R$+@$={ZIPdomains}.$* $: @Z$(ZIPuserdb $1:maildrop$)$2$3
R@P[EMAIL PROTECTED]$*  $#esmtp $@ $2 $: $1@pacific.net.au.$3
R@M[EMAIL PROTECTED]@$+$*   $#esmtp $@ $3 $: $1@$2.$4
R@Z[EMAIL PROTECTED]$+$*  $#esmtp $@ $2 $: $1@$3.$4
R@$-$+:maildrop$*   $#error $: 553 User unknown to database

In this example:

  for domains in /etc/pidata/pidomains, /etc/pidata/piuserdb contains:
user:maildrop [EMAIL PROTECTED]
  and the domain 'pacific.net.au' is appended for delivery

  for domains in /etc/pidata/miradomains, /etc/pidata/mirauserdb contains:
[EMAIL PROTECTED]:maildrop [EMAIL PROTECTED]@realmailhost

  for domains in /etc/zipdata/zipdomains, /etc/zipdata/zipuserdb contains:
user:maildrop [EMAIL PROTECTED]
  and the original domain is preserved for delivery

...and users not in the database, but in any of the domain lists,
are flat out refused.  Solves the problem of backup MXs accepting email
that the primaries have bounced, only to queue it up for days as it can't
bounce to the (spam) sender.

(and yes, the above could all have been done as per 'MIRAuserdb', it's
just that each data source has its own export method and transport)
 
> I don't know Sendmail at all, but as I said, both SA-Exim 4.20/3.0 and
> Postfix 2.0 could be configured to whitelist your ldap users without
> altering any SA code. SA-Exim would do that with inclusion in the
> exception rule, Postfix with a custom transport.

It's always possible, the question is whether it's worth the complexity
when you could just do it in SA.  After all, SA has a whitelist feature,
I don't see a good reason it shouldn't support LDAP in it just because
you could do it at another layer - you could do the whole whitelist
feature at another layer if you wanted to, but it's still there.

David.



Re: [SAtalk] Whitelist using LDAP server

2003-06-15 Thread Tony Earnshaw
David Luyer wrote:

> Of course it can.  sendmail can do anything.  Never believe anyone
> who tells you there's something sendmail can't do.

Well, well, well.

> It does it by default if it's the final delivery host,

Good. So now I know that.

> > I don't know Sendmail at all, but as I said, both SA-Exim 4.20/3.0 and
> > Postfix 2.0 could be configured to whitelist your ldap users without
> > altering any SA code. SA-Exim would do that with inclusion in the
> > exception rule, Postfix with a custom transport.
>
> It's always possible, the question is whether it's worth the complexity
> when you could just do it in SA.
>
> After all, SA has a whitelist feature,
> I don't see a good reason it shouldn't support LDAP in it just because
> you could do it at another layer

I'll do a trade with you (swap you this for that). You tell me how 
you'd whitelist a given ldap alias list with Sendmail, and I'll tell you 
how I'd do it with SA-Exim 4.20/3.0 and with Postfix 2.0.12 (dunno yet, 
cos I never tried, but it has to be possible.) The people who'll benefit 
are the developers, who would then know that they wouldn't have to 
change any code to do it. Mind you, there's still Qmail and Smail left - 
those people would have to do the same.

After all:

> sendmail can do anything.  Never believe anyone
> who tells you there's something sendmail can't do.

Best,

Tony

--
Tony Earnshaw
- Deyr fé, deyr frendr
deyr sjálfr 'it sama
- ek veit ein aldrigi deyr
- dómr um dauðan hvern.
From Hávamál - what gods have said

http://j-walk.com/blog/docs/conference.htm
http://www.billy.demon.nl
Mail: [EMAIL PROTECTED]


Re: [SAtalk] Whitelist using LDAP server

2003-06-15 Thread David Luyer
On Sun, Jun 15, 2003 at 05:44:40PM +0200, Tony Earnshaw wrote:
> I'll do a trade with you (swap you this for that). You tell me how
> you'd whitelist a given ldap alias list with Sendmail, and I'll tell you
> how I'd do it with SA-Exim 4.20/3.0 and with Postfix 2.0.12 (dunno yet,
> cos I never tried, but it has to be possible.)

Depends how your sendmail is routing via spamassassin.

Milter?  MailScanner?  procmail?  Is there an external routing host
or are you just filtering everything on the local host?

If you want something which works across _all_ designs you'd have to
do something like this:

HFrom: $CheckWhitelist
HX-Whitelist: $RejectIncomingWhitelist
HX-Whitelist: $(WhitelistLevel)

SCheckWhitelist
... set WhitelistLevel based on an LDAP map class, 0 if no match ...

SRejectIncomingWhitelist
R$* $#error 553 X-Whitelist must not be set on incoming mail

Then in SA, based on the whitelist header, subtract from the score.

> The people who'll benefit
> are the developers, who would then know that they wouldn't have to
> change any code to do it. Mind you, there's still Qmail and Smail left -
> those people would have to do the same.

Just because you *can* do it in the MTA doesn't mean it *belongs* in
the MTA.

David.
-- 
David Luyer Phone:   +61 3 9674 7525
Network Development ManagerP A C I F I CFax: +61 3 9698 4825
Pacific Internet (Australia)  I N T E R N E T   Mobile:  +61 4  BYTE
http://www.pacific.net.au/  NASDAQ:  PCNTF


Re: [SAtalk] Whitelist using LDAP server

2003-06-15 Thread Simon Byrnand
At 11:30 15/06/03 +0200, Tony Earnshaw wrote:

> Ah. Does this make any difference to putting your MTA in a
> proxy-forwarding DMZ? Don't know what provision
> Sendmail has for defeating dictionary attacks and suchlike, but both
> Postfix 2.0 and Exim 4.20 can completely
> defeat them, so using Fetchmail isn't necessary. Also, both can be
> configured to refuse mail for non-existent
> user accounts. Which I don't believe Sendmail can.

Huh? Of course Sendmail can refuse mail for non-existent user accounts. :)

This happens automatically for the primary domain name the server is 
configured with, but if you're doing multiple virtual domains using the 
virtusertable file then you need a wildcard entry per domain that looks like:

@domain.com error:nouser User unknown

Which makes sure all addresses at that domain that don't have explicit
virtusertable entries are rejected, rather than trying to fall through to
local accounts of the same name.


> The Fetchmail alternative wouldn't work for large orgs, or those which
> demand instant e-mail.

Fetchmail just isn't a good route to follow anyway, the problem with mail 
bagging a whole domain using one pop account is that for many kinds of 
mail its impossible for fetchmail to know who the recipient was, so at the 
least you end up with that mail going to the postmaster who then has to 
manually forward it to the right person, (if they can figure out who that 
is) or if you're unlucky and you have fetchmail configured wrong, it can 
end up resending the mail and causing a mail loop, with mailing lists etc, 
much like the POP3 connector for MS Exchange does :/

Regards,
Simon


Re: [SAtalk] Whitelist using LDAP server

2003-06-14 Thread Tony Earnshaw
Colin Dean wrote:

> Using SpamAssassin, I want to whitelist every email address in the
> LDAP directory address book our mail clients (Mozilla and Netscape)
> use, without having a separate whitelist_from hard-wired into the
> SpamAssassin config file.
>
> So I've hacked some changes to SpamAssassin 2.55 so it can query the
> LDAP server to do this (using Perl-LDAP 0.28).  Might have performance
> implications if used with spamd on high-throughput mail server, but it
> works fine for me (not using spamd).  Tested with OpenLDAP 1.2 and 2.0
> servers on Red Hat Linux.
>
> If anybody else is interested, and this hasn't been done already, I can
> post my changes ...

I suppose it might be of interest to others if you told the list what 
users your ldap director[y|ies] contain(s). As well as your policy.

Like I don't want mail from my local users (100% Openldap 2.1.19 based) 
scanned, so both with my Postfix 2.0.x and SA-Exim 4.20/3.0 MTAs, I 
configure them such, that they don't scan mails from ldap-based local 
users. This is my policy and this is in fact what I do. I don't need to 
change any SA code at all to do it. If I only wanted certain local 
groups to be accepted, I could do that my way too.

So, suppose you explain why you have to. A good reason, for example, 
would be that you don't want external ldap users (Netscape, Bigfoot, you 
name it) to be vetted for spam. That wouldn't work with my method.

Best,

Tony

--
Tony Earnshaw
- Deyr fé, deyr frendr
deyr sjálfr 'it sama
- ek veit ein aldrigi deyr
- dómr um dauðan hvern.
From Hávamál - what gods have said

http://j-walk.com/blog/docs/conference.htm
http://www.billy.demon.nl
Mail: [EMAIL PROTECTED]


Re: [SAtalk] Whitelist using LDAP server

2003-06-14 Thread Colin Dean
Tony Earnshaw wrote:

> I suppose it might be of interest to others if you told the list what
> users your ldap director[y|ies] contain(s). As well as your policy.
>
> Like I don't want mail from my local users (100% Openldap 2.1.19 based)
> scanned, so both with my Postfix 2.0.x and SA-Exim 4.20/3.0 MTAs, I
> configure them such, that they don't scan mails from ldap-based local
> users. This is my policy and this is in fact what I do. I don't need to
> change any SA code at all to do it. If I only wanted certain local
> groups to be accepted, I could do that my way too.
>
> So, suppose you explain why you have to. A good reason, for example,
> would be that you don't want external ldap users (Netscape, Bigfoot, you
> name it) to be vetted for spam. That wouldn't work with my method.

Sorry, in trying to be brief in my original posting, I probably wasn't
clear enough.

We're a small organisation, and most of the email we receive is from
external addresses.  We have a Contacts Database in MySQL with a PHP
web front end, in which we keep details of names, addresses, phone
numbers, email addresses, etc, of external contacts.  There's about
600 external email addresses in it, from a variety of different
organisations.  The login database of our own internal users is held
in NIS, and not directly relevant to this discussion.

Before using SA, we'd set up a regular cron job to send the relevant
data from MySQL into an OpenLDAP directory so that we could then use
this easily as a shared address book from mail clients like Mozilla
Mail, e.g. to autocomplete addresses when composing.  Works well.

Having installed SA to rid us of unsolicited spam from people we'd
never heard of, we wanted a way of ensuring that we didn't miss
email from external people we do know as a result of SA possibly
classifying it as spam.  We're working on the basis that people we
know are trusted to send us only non-spam.

To avoid exposing our SMTP server to the outside world, we actually
pick up all incoming mail from our ISP relay using fetchmail in
multi-drop mode, and then pump it into our internal SMTP server
(sendmail).  Mail is then delivered for each internal user via
procmail (which is where we've plugged in SA) and picked up by the
user in Mozilla Mail using movemail.

So, I could have constructed a whitelist_from list of 600 email
addresses, put that in SA's config file, and arrange somehow to keep
them in step, but that didn't seem very elegant.  So I figured it
might be better if I got SA to check the from addresses of incoming
mail directly against our LDAP server.  The latter basically contains
a schema of inetOrgPerson objects whose mail attribute is the email
address of the external contact.  Maybe I could have done the checks
directly against MySQL, but I figured querying the LDAP server might
be more lightweight.

My modifications to SA allow this LDAP-based whitelist-checking to
be performed immediately after the usual whitelist_from and
whitelist_from_rcvd processing, enabled in a minimal case by two
extra config lines, e.g.

  whitelist_ldap_url  ldap://localhost:389
  whitelist_ldap_base_dn  dc=example,dc=com

but with a few additional config options to allow specifying Bind DN
and password, and to cater for ldaps:// server CA cert checking.
I've also put in an additional filter option, so e.g. if the LDAP
entries were flagged with some other attribute saying whether a given
address should be whitelisted or not, that would be easily accommodated.
My LDAP config options are in the spirit of those used by Mozilla Mail.

Maybe this isn't a common problem, and there may well be other ways of
solving it, but we're happy now!
Regards,

Colin



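Two mechanisms are described in this thread: Colin's lookup of the From: address against inetOrgPerson entries by their mail attribute, with an optional filter attribute deciding whether a matching entry counts, and David's proposal (in his reply to Tony, further up the page) to carry the whitelist verdict in an X-Whitelist header that must be rejected when it arrives on inbound mail. The following is an added example written for this page; it is not Colin's SpamAssassin patch, nor SpamAssassin or sendmail code. It models both mechanisms in plain Python with an in-memory dictionary standing in for the LDAP search result, so it runs offline. The attribute name whitelistAllowed, the sample addresses, the header value format and the -100 score are assumptions made for the example.

```python
"""Model of an LDAP-backed sender whitelist with an internal verdict header.

Added example, not SpamAssassin's or Colin Dean's code. The DIRECTORY dict
stands in for the entries an LDAP search such as
(&(objectClass=inetOrgPerson)(mail=<addr>)) would return, and the
'whitelistAllowed' attribute is a made-up name for Colin's "additional
filter option".
"""
from __future__ import annotations

import email
from email.message import Message
from email.utils import parseaddr

# Constructed stand-in for the directory: keys are lower-cased 'mail' values.
DIRECTORY = {
    "alice@partner.example": {"cn": "Alice", "whitelistAllowed": "TRUE"},
    "bob@vendor.example": {"cn": "Bob", "whitelistAllowed": "FALSE"},
    "carol@other.example": {"cn": "Carol"},  # flag attribute absent
}

WHITELIST_HEADER = "X-Whitelist"
WHITELIST_SCORE = -100.0  # assumed value; SA's USER_IN_WHITELIST is also large and negative


def lookup_sender(from_header: str, directory=DIRECTORY, require_flag=True):
    """Return the directory entry matching the addr-spec in From:, or None.

    Only the addr-spec is compared: the display name is free text chosen by
    the sender. Matching is case-insensitive, as LDAP 'mail' matching is.
    With require_flag the entry must also carry whitelistAllowed=TRUE.
    """
    _, addr = parseaddr(from_header or "")
    if not addr or "@" not in addr:
        return None
    entry = directory.get(addr.lower())
    if entry is None:
        return None
    if require_flag and entry.get("whitelistAllowed", "FALSE").upper() != "TRUE":
        return None
    return entry


def check_inbound(raw: bytes, directory=DIRECTORY) -> tuple[str, Message]:
    """Decide the whitelist disposition for one message crossing the trust boundary.

    Returns (disposition, message):
      'reject'      - X-Whitelist was already present (forgery attempt)
      'whitelisted' - From: matched a flagged entry; header added internally
      'none'        - no match; header guaranteed absent
    """
    msg = email.message_from_bytes(raw)
    # David's rule: the header is internal state, so its presence on inbound
    # mail is an error to reject, not a value to overwrite.
    if msg.get_all(WHITELIST_HEADER):
        return "reject", msg
    entry = lookup_sender(msg.get("From", ""), directory)
    if entry is not None:
        msg[WHITELIST_HEADER] = f"ldap cn={entry['cn']}"
        return "whitelisted", msg
    return "none", msg


def score_adjustment(msg: Message) -> float:
    """What the scorer subtracts for a message that passed check_inbound."""
    return WHITELIST_SCORE if msg.get(WHITELIST_HEADER) else 0.0


# Constructed sample messages exercising the match, flag and forgery cases.
SAMPLES = {
    "known_sender": b'From: "Alice" <Alice@Partner.example>\r\nSubject: hi\r\n\r\nbody\r\n',
    "flag_false": b"From: bob@vendor.example\r\nSubject: hi\r\n\r\nbody\r\n",
    "flag_absent": b"From: carol@other.example\r\nSubject: hi\r\n\r\nbody\r\n",
    "display_name_spoof": b'From: "alice@partner.example" <mallory@evil.example>\r\n\r\nbody\r\n',
    "header_injection": b"From: mallory@evil.example\r\nX-Whitelist: ldap cn=Alice\r\n\r\nbody\r\n",
}


def run_samples(directory=DIRECTORY) -> dict[str, str]:
    """Disposition for every constructed sample, keyed by sample name."""
    return {name: check_inbound(raw, directory)[0] for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, disposition in run_samples().items():
        print(f"{name:20s} -> {disposition}")
```

The display_name_spoof case is the reason the lookup uses only the addr-spec: a directory match on a forgeable From: line is the whole basis of this kind of whitelist, which is why SpamAssassin also offers whitelist_from_rcvd, keyed on the relay that handed the mail over. The header_injection case is David's point made concrete: if the verdict travels in a header, the boundary where external mail enters must refuse or strip that header before any internal step sets it.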


Re: [SAtalk] Whitelist using LDAP server

2003-06-14 Thread John Lederer
I am extremely interested.

We use Rolodap, an LDAP contacts directory. Automatically whitelisting
email from anyone in that would let us lower the threshold for spam
generally.

If you can post your code somewhere where I could link to it, I would 
make sure that Rolodap users generally knew of its availability.

Regards,
John Lederer
Colin Dean wrote:

> Hi,
>
> Using SpamAssassin, I want to whitelist every email address in the
> LDAP directory address book our mail clients (Mozilla and Netscape)
> use, without having a separate whitelist_from hard-wired into the
> SpamAssassin config file.
>
> So I've hacked some changes to SpamAssassin 2.55 so it can query the
> LDAP server to do this (using Perl-LDAP 0.28).  Might have performance
> implications if used with spamd on high-throughput mail server, but it
> works fine for me (not using spamd).  Tested with OpenLDAP 1.2 and 2.0
> servers on Red Hat Linux.
>
> If anybody else is interested, and this hasn't been done already, I can
> post my changes ...
>
> Colin


