>>> Quota, policies, limits set with the webui interface are effectively
>>> applied on usual port:25 smtpd mails, but users connected on ports 587
>>> and 465 using TLS seem to bypass the cbpolicyd rules.
>>> It looks a lot like this recent thread:
>>>
>>> http://lists.policyd.org/pipermail/users/2011-January/003238.html
>>>
>>> so I tried to apply the same recipe, without being successful...
>>>
>>> Should I also tweak the master.cf config file?
>>> Thanks a lot for any hint.
>> Can you enable full debugging and paste?
>>
>> Regards
>> Nigel
>>
> Hello Nigel,
>
> here is a sample of /var/log/cbpolicyd.log
>
> [2011/01/31-15:22:06 - 16105] [CORE] NOTICE: Process Backgrounded
> [2011/01/31-15:22:06 - 16105] [CBPOLICYD] NOTICE: Policyd v2 / Cluebringer - v2.0.10
> [2011/01/31-15:22:06 - 16105] [CBPOLICYD] NOTICE: Initializing system modules.
> [2011/01/31-15:22:06 - 16105] [CBPOLICYD] NOTICE: System modules initialized.
> [2011/01/31-15:22:06 - 16105] [CBPOLICYD] NOTICE: Module load started...
> [2011/01/31-15:22:06 - 16105] [CORE] NOTICE: => AccessControl: enabled
> [2011/01/31-15:22:06 - 16105] [CORE] NOTICE: => CheckHelo: enabled
> [2011/01/31-15:22:06 - 16105] [CORE] NOTICE: => CheckSPF: enabled
> [2011/01/31-15:22:06 - 16105] [CORE] NOTICE: => Greylisting: enabled
> [2011/01/31-15:22:06 - 16105] [CORE] NOTICE: => Quotas: enabled
> [2011/01/31-15:22:06 - 16105] [CORE] NOTICE: => Protocol(Postfix): enabled
> [2011/01/31-15:22:06 - 16105] [CORE] NOTICE: => Protocol(Bizanga): enabled
> [2011/01/31-15:22:06 - 16105] [CBPOLICYD] NOTICE: Module load done.
> [2011/01/31-15:22:06 - 16105] [CBPOLICYD] DEBUG: Opening syslog, destination = 'unix', facility = 'mail'.
> [2011/01/31-15:22:06 - 16105] [CORE] NOTICE: 2011/01/31-15:22:06 cbp (type Net::Server::PreFork) starting! pid(16105)
> [2011/01/31-15:22:06 - 16105] [CORE] NOTICE: Using default listen value of 128
> [2011/01/31-15:22:06 - 16105] [CORE] NOTICE: Binding to TCP port 10031 on host *
> [2011/01/31-15:22:06 - 16105] [CORE] WARNING: Group Not Defined. Defaulting to EGID '0 0 1 2 3 4 6 10'
> [2011/01/31-15:22:06 - 16105] [CORE] WARNING: User Not Defined. Defaulting to EUID '0'
> [2011/01/31-15:22:06 - 16105] [CORE] INFO: Setting up serialization via flock
> [2011/01/31-15:22:06 - 16105] [CORE] INFO: Beginning prefork (4 processes)
> [2011/01/31-15:22:06 - 16105] [CORE] INFO: Starting "4" children
> [2011/01/31-15:22:06 - 16108] [CORE] DEBUG: Child Preforked (16108)
> [2011/01/31-15:22:06 - 16108] [CBPOLICYD] DEBUG: Starting up caching engine
> [2011/01/31-15:22:06 - 16109] [CORE] DEBUG: Child Preforked (16109)
> [2011/01/31-15:22:06 - 16109] [CBPOLICYD] DEBUG: Starting up caching engine
> [2011/01/31-15:22:06 - 16110] [CORE] DEBUG: Child Preforked (16110)
> [2011/01/31-15:22:06 - 16110] [CBPOLICYD] DEBUG: Starting up caching engine
> [2011/01/31-15:22:06 - 16105] [CORE] DEBUG: Parent ready for children.
> [2011/01/31-15:22:06 - 16111] [CORE] DEBUG: Child Preforked (16111)
> [2011/01/31-15:22:06 - 16111] [CBPOLICYD] DEBUG: Starting up caching engine
> [2011/01/31-15:22:34 - 16105] [CORE] INFO: Starting "1" children
> [2011/01/31-15:22:34 - 16108] [CORE] INFO: 2011/01/31-15:22:34 CONNECT TCP Peer: "127.0.0.1:35905" Local: "127.0.0.1:10031"
> [2011/01/31-15:22:34 - 16146] [CORE] DEBUG: Child Preforked (16146)
> [2011/01/31-15:22:34 - 16146] [CBPOLICYD] DEBUG: Starting up caching engine
> [2011/01/31-15:22:35 - 16109] [CORE] INFO: 2011/01/31-15:22:35 CONNECT TCP Peer: "127.0.0.1:35906" Local: "127.0.0.1:10031"
> [2011/01/31-15:23:05 - 16105] [CORE] INFO: Killing "1" children
> [2011/01/31-15:23:05 - 16146] [CBPOLICYD] DEBUG: Shutting down caching engine (16146)
> [2011/01/31-15:23:35 - 16105] [CORE] INFO: Starting "1" children
> [2011/01/31-15:23:35 - 16110] [CORE] INFO: 2011/01/31-15:23:35 CONNECT TCP Peer: "127.0.0.1:41388" Local: "127.0.0.1:10031"
> [2011/01/31-15:23:35 - 16247] [CORE] DEBUG: Child Preforked (16247)
> [2011/01/31-15:23:35 - 16247] [CBPOLICYD] DEBUG: Starting up caching engine
> [2011/01/31-15:23:36 - 16111] [CORE] INFO: 2011/01/31-15:23:36 CONNECT TCP Peer: "127.0.0.1:41390" Local: "127.0.0.1:10031"
>
> [same message repeated 10 times]
>
> [2011/01/31-15:25:15 - 16105] [CORE] INFO: Killing "1" children
> [2011/01/31-15:25:15 - 16111] [CBPOLICYD] DEBUG: Shutting down caching engine (16111)
> [2011/01/31-15:25:51 - 16109] [CORE] INFO: 2011/01/31-15:25:51 CONNECT TCP Peer: "127.0.0.1:41512" Local: "127.0.0.1:10031"
> [2011/01/31-15:25:51 - 16105] [CORE] INFO: Starting "1" children
>
> [above messages repeated]
>
> [2011/01/31-15:28:35 - 16247] [CBPOLICYD] ERROR: Protocol data validation error, required parameter 'sender' was not found or invalid format
> [2011/01/31-15:28:36 - 16789] [CORE] INFO: 2011/01/31-15:28:36 CONNECT TCP Peer: "127.0.0.1:41977" Local: "127.0.0.1:10031"
>
>
>
> and here are a few lines of postfix log concerning policyd, (the rest
> of the logs looks the same), only connections on port:25, messages sent
> through port 587 or 465 are ignored:
>
> Jan 31 15:29:30 nilus cbpolicyd[16537]: module=Quotas, mode=update, host=193.49.225.82, helo=mx02.univ-lille1.fr, [email protected], [email protected], reason=quota_update, policy=6, quota=3, limit=4, track=Sender:[email protected], counter=MessageCount, quota=1/30 (3.3%)
> Jan 31 15:31:10 nilus cbpolicyd[16537]: module=Quotas, mode=update, host=193.49.225.19, helo=smtp01.univ-lille1.fr, [email protected], [email protected], reason=quota_update, policy=6, quota=3, limit=4, track=Sender:[email protected], counter=MessageCount, quota=1/30 (3.3%)
>
>
> for instance this message I've just sent :
>
> Jan 31 16:06:42 nilus postfix/smtpd[19518]: SSL_accept:SSLv3 read finished A
> Jan 31 16:06:42 nilus postfix/smtpd[19518]: SSL_accept:SSLv3 write change cipher spec A
> Jan 31 16:06:42 nilus postfix/smtpd[19518]: SSL_accept:SSLv3 write finished A
> Jan 31 16:06:42 nilus postfix/smtpd[19518]: SSL_accept:SSLv3 flush data
> Jan 31 16:06:42 nilus postfix/smtpd[19518]: TLS connection established from tretus.univ-lille1.fr[134.206.80.237]: TLSv1 with cipher AES256-SHA (256/256 bits)
> Jan 31 16:06:42 nilus postfix/smtpd[19518]: 4DC8E981EA: client=tretus.univ-lille1.fr[134.206.80.237], sasl_method=PLAIN, sasl_username=xxxx
> Jan 31 16:06:42 nilus postfix/cleanup[19519]: 4DC8E981EA: message-id=<[email protected]>
>
> is not intercepted by the policy service.

It's not a matter of policyd intercepting mail, it's a matter of Postfix
making a policy request to policyd.

Could you paste your postfix config again?

Regards
Nigel

> Does sasl_username have something to do with this issue?
>
> I grabbed the Book Of Postfix, but still have no clue...
>
> Many thanks for your help
>
> regards,
>
> sebastien
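
To check from the logs whether Postfix made a policy request for a given message, the smtpd and cbpolicyd lines quoted in the thread can be correlated by client IP and time. The script below is an added example, not part of the original thread or of Policyd. The first smtpd line and its queue ID are constructed, the cbpolicyd line is abridged, and it assumes every policy request leaves at least one cbpolicyd syslog line carrying `host=`.

```python
import re
from datetime import datetime, timedelta

# Sample modelled on the log formats quoted in the thread. The first smtpd
# line (queue ID 2B7F1981E0) is constructed; the cbpolicyd line is abridged.
SAMPLE_LOG = """\
Jan 31 15:29:30 nilus postfix/smtpd[19400]: 2B7F1981E0: client=mx02.univ-lille1.fr[193.49.225.82]
Jan 31 15:29:30 nilus cbpolicyd[16537]: module=Quotas, mode=update, host=193.49.225.82, helo=mx02.univ-lille1.fr, reason=quota_update, policy=6
Jan 31 16:06:42 nilus postfix/smtpd[19518]: TLS connection established from tretus.univ-lille1.fr[134.206.80.237]: TLSv1 with cipher AES256-SHA (256/256 bits)
Jan 31 16:06:42 nilus postfix/smtpd[19518]: 4DC8E981EA: client=tretus.univ-lille1.fr[134.206.80.237], sasl_method=PLAIN, sasl_username=xxxx
"""

# smtpd line that opens a queue file: timestamp, queue ID, client IP, optional SASL user
SMTPD = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ postfix/smtpd\[\d+\]: "
                   r"([0-9A-F]+): client=\S+?\[([^\]]+)\](?:.*sasl_username=(\S+))?")
# any cbpolicyd module line: timestamp and the client IP it was asked about
POLICY = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ cbpolicyd\[\d+\]: .*?\bhost=([^,\s]+)")


def find_unchecked(log_text, window=timedelta(seconds=30), year=2011):
    """Return accepted messages with no cbpolicyd line for the same client IP
    within `window` of acceptance (heuristic; syslog carries no year)."""
    def ts(stamp):
        return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

    accepted, checked = [], []
    for line in log_text.splitlines():
        if m := SMTPD.match(line):
            accepted.append((ts(m[1]), m[2], m[3], m[4]))
        elif m := POLICY.match(line):
            checked.append((ts(m[1]), m[2]))
    return [
        {"queue_id": qid, "client_ip": ip, "sasl_username": user}
        for when, qid, ip, user in accepted
        if not any(cip == ip and abs(cwhen - when) <= window
                   for cwhen, cip in checked)
    ]


if __name__ == "__main__":
    for msg in find_unchecked(SAMPLE_LOG):
        print("no policy request seen for", msg)
```

A non-empty `sasl_username` on a flagged message points at the authenticated submission path rather than port 25 relay traffic.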
