previous settings were reasonable for a well trained dspam. After starting with a fresh dspam, the settings were not optimal for the amount of naive that a default dspam is.
skip earlytalker checks for positive senders
limit negative karma senders to 1 concurrent connection (hosts_allow)
added karma::hook_pre_connection, to make hosts_allow change possible
added karma score to log entries
if p0f cannot connect, provide a more descriptive error message. Particularly useful for a p0f plugin developer that runs both p0f v2 and v3 at the same time.
immunity check was disabled by default, as it wasn't a good policy. OTOH, a naughty check is a sensible default, as we can skip processing on messages we already decided to reject.
process_backticks now writes the entire message (headers + body) to a temp file and had dspam read that. Previously, dspam only read the body. With the new "process, then train on error" method, dspam didn't have access to the DSPAM signature (in the headers).
replaced open2 with open3. Same results. Works part of the time, but not consistent, and I haven't been able to figure out why.
dspam transaction note is now a hashref (was a string)
parsing of dspam response via substring (was regexp)
rather than deferring until RCPT. This greatly improves efficiency, since most connections will get marked naughty much sooner, having run fewer tests.
consolidate the two data_post methods into one (more linear, simpler)
more informative log message
add new headers to top of headers (not bottom (consistent MTA behavior))
helo - validate a HELO message delivered from a connecting host.
Includes the following tests:
is_in_badhelo
invalid_localhost
is_plain_ip
is_address_literal [N.N.N.N]
is_forged_literal
is_not_fqdn
no_forward_dns
no_reverse_dns
no_matching_dns
in apr_*_handler subs, return DECLINED when connection is not available to read (like during tests)
added 23 tests
deprecate action argument
'action log' did nothing, better logging controls available with loglevel
'action deny' -> reject 1
'action denysoft' => reject 1 reject_type temp
POD
use head2 for config options (instead of over, item, back)
added loglevel section
updated for replacement of action with reject options
consolidated POD at top of file
added example options to reject_type POD head
added an example loglevel entry
consolidated DENY[SOFT|DISCONNECT] logic into get_reject_type
added tests for get_reject_type
the previous DK commit moved the 'use Mail::DomainKeys::*' stuff into an eval. The right idea, but tests still fail because I forgot to remove the bare 'use' lines.
added POD description of spfquery note
changed spf_deny -> reject (and offered 4 more options, see POD for reject)
backwards compatible with old config settings
replicates qmail-smtpd SPF patch behavior
improved logging (again)
uses a stringy eval 'use Mail::SPF' in the register sub. If missing, warn and log the error, and don't register any hooks. This is much nicer error than the current, "*** Remote host closed connection unexpectedly." broken mail server that results from enabling the SPF plugin without Mail::SPF installed.
background: I noticed I was deferring valid emails with the SPF plugin at 'spf_deny 1', and without changing the code, there wasn't a way to change how ~all records were handled. This provides that flexibility.
instead of a positional arguments, used named arguments (backwards compatible)
added a couple log message prefixes
removed some trailing whitespace
updated POD
minor changes to facilitate testing
improved error reporting of several failures
added p0f v2 compatibility to p0f v3 results: in addition to all the newer values, also report the old ones too.
These 3 auth plugins all have a data store they fetch the reference
password or hash from. They then match the attemped password or hash
against the reference. This consolidates the latter portion (validating
the password/hash) into Auth.pm.
* less duplicated code in the plugins.
* Pass validation consistently handled for these 3 plugins.
* less work to create new auth plugins
Also caches the CRAM-MD5 ticket. It could also cache user/pass info if
this was desirable.
fixed the vestiges of old plugin name 'denysoft_greylisting'
added ability to bypass greylisting based on geoip
deprecated 'mode [denysoft | testonly | off]
off wasn't useful
testonly & denysoft replaced by reject [ 0 | 1 ]
renamed DB from denysoft_greylist to greylist.dbm. Will use existing/legacy DB if present.
added DB pruning feature. Automatically prune the DB when qpsmtpd registers the plugin. Perhaps this should be a config option to enable?
added DB upgrade feature. Convert dotted quad IP addresses in DB to integers. Makes greylisting IPv6 compatible, since DB records are colon delimited.
exempt TLS connections from greylisting. The vast majority (perhaps all) of the SMTP clients that request encryption to my server are legit. We could add a config option for this, but this plugin already has a multitude of config options.
refactored much of the greylisting method into discreet subs
added 30 tests
added additional DEBUG level logging for p0f matches
POD changes:
replaced over, item N, back, with head2 (better formatted output)
better describe the current behavior of the plugin (some past behaviors no longer exist)
added TRIPLET section with example
added loglevel section
had single positional argument for loglevel,
switched to named args which inherits the more flexible loglevel
shortened logging line
before: connection_time: Connection time from 66.118.151.187: 3.046 sec.
after: connection_time: 3.046 s.
removed auth method from return calls in all auth plugins. The caller knows the mechanism already. In the code, the difference looks like this:
before:
or return (DENY, "authcvm/$method");
after:
or return (DENY, "authcvm");
Added debug level log entries in auth_vpopmaild
Conflicts:
plugins/auth/auth_vpopmail_sql
expanded POD
cleaned up stray EOL spaces
added lots of logging, with standardized [ pass | fail | skip ] prefixes
added reject_type option
use split for parsing dspam headers
use SA note instead of parsing headers
added reject = agree option
store & fetch dspam results in a note
refactored into small subs with unit tests.
parse SA header with split instead of regexp (more reliable)
store SA results in a 'spamassassin' transaction note
add strict and warnings pragma
renamed reject_threshold -> reject (backwards compatible)
added relayclient skip option and POD. Skips SA processing when relayclient is set
added MULTIPLE RECIPIENT BEHAVIOR topic to POD
unit tests for new methods are in t/auth.t
added PLAIN and LOGIN tests in auth_flat_file
Most tests are disabled unless an interactive terminal is detected and $ENV{QPSMTPD_DEVELOPER} is set.
backwards compatible with previous warn_only option.
added additional logging
refactored out a couple new subs.
minor changes: added strictures, warnings, moved 'use' statements to top of code
so log entries look like this:
86553 (connect) ident::geoip: US, United States
86553 (connect) ident::p0f: Windows 7 or 8
86553 (connect) check_earlytalker: remote host said nothing spontaneous, proceeding
instead of this:
86553 ident::geoip: (connect): US, United States
86553 ident::p0f: (connect) Windows 7 or 8
86553 check_earlytalker: (connect): remote host said nothing spontaneous, proceeding
Conflicts:
plugins/logging/warn
With a DENYSOFT (450) the sender will keep trying to deliver the e-mail.
It makes no sense.
This commit also makes it compatible again with the plugin from before commit:
02912 [rewrote sender_permitted_from]
on files in plugins dir:
fixed a number of POD errors
formatted some # comments into POD
removed bare 1; (these are plugins, not perl modules)
most instances of this were copy/pasted from a previous plugin that had it
removed instances of # vim ts=N ...
they weren't consistent, many didn't match .perltidyrc
on modules that failed perl -c tests, added 'use Qpsmtpd::Constants;'
Conflicts:
plugins/async/check_earlytalker
plugins/async/dns_whitelist_soft
plugins/async/dnsbl
plugins/async/queue/smtp-forward
plugins/async/require_resolvable_fromhost
plugins/async/rhsbl
plugins/async/uribl
plugins/auth/auth_checkpassword
plugins/auth/auth_cvm_unix_local
plugins/auth/auth_flat_file
plugins/auth/auth_ldap_bind
plugins/auth/auth_vpopmail
plugins/auth/auth_vpopmail_sql
plugins/auth/authdeny
plugins/check_badmailfromto
plugins/check_badrcptto_patterns
plugins/check_bogus_bounce
plugins/check_earlytalker
plugins/check_norelay
plugins/check_spamhelo
plugins/connection_time
plugins/dns_whitelist_soft
plugins/dnsbl
plugins/domainkeys
plugins/greylisting
plugins/hosts_allow
plugins/http_config
plugins/logging/adaptive
plugins/logging/apache
plugins/logging/connection_id
plugins/logging/transaction_id
plugins/logging/warn
plugins/milter
plugins/queue/exim-bsmtp
plugins/queue/maildir
plugins/queue/postfix-queue
plugins/queue/smtp-forward
plugins/quit_fortune
plugins/random_error
plugins/rcpt_map
plugins/rcpt_regexp
plugins/relay_only
plugins/require_resolvable_fromhost
plugins/rhsbl
plugins/sender_permitted_from
plugins/spamassassin
plugins/tls
plugins/tls_cert
plugins/uribl
plugins/virus/aveclient
plugins/virus/bitdefender
plugins/virus/clamav
plugins/virus/clamdscan
plugins/virus/hbedv
plugins/virus/kavscanner
plugins/virus/klez_filter
plugins/virus/sophie
plugins/virus/uvscan
Apparently the format of vpopmaild responses has been expanded and the responses
are conditional.
* Replaced the 'sometimes works' eq comparison with a regexp that always works.
* added tests for all 3 vpopmail plugins
* added cram-md5 auth support to auth_vpopmaild.
The mail hook sets a transaction note 'temp_resolver_failed', but the
rcpt hook queried a connection note of the same name (which didn't
exist, of course).
Now it queries the transaction note.
Check recipients from a postfix style map. The valid return codes are of course
qpsmtpd constants. By storing the addresses in a %hash, this is much faster
for fixed addresses than using the rcpt_regexp plugin just with fixed strings.
This plugin handles only one domain per plugin instance. Use the :N suffix for
the plugin if you need several domains mapped.
The current postfix-queue plugin allows the administrator to set a
single path to a local postfix cleanup socket file from the plugin
'command line'. This adds a 'cleanup_sockets' configuration directive
that can contain a list of paths as well as host/port combinations
pointing to postfix cleanup services, which will be tried in the order
that they appear. Not yet tested.
2. If the name doesn't end in a dot then append each item in the search list to the name.
This is only done if dnsrch is true.
triggered by..
From: Charlie Brady <charlieb-qpsmtpd@budge.apana.org.au>
Subject: [BUG] Default search path used in require_resolvable_fromhost
Date: Sat, 17 Jul 2010 16:24:42 -0400 (EDT)
Message-ID:
<Pine.LNX.4.64.1007171623040.17109@e-smith.charlieb.ott.istop.com>
http://bugs.contribs.org/show_bug.cgi?id=5808
Jesper Knudsen 2010-03-01 01:29:10 MST
When using the require_resolvable_fromhost plugin for qpsmtpd I noticed
that mails from user@localhost.localdomain was actually getting through
this filter. I finally found out that the plugin has a bug that causes it
to insert default search path if it cannot find the domain. This means in
my case that localhost.localdomain was then tried resolved as
localhost.localdomain.swerts-knudsen.dk and since I have a wilcard CNAME
was resolved as my public IP.
Since this plugin is only enabled for public interface the fix is to set
the "dnsrch" flag when creating the Net::DNS object.
In require_resolvable_fromhost:
my $res = Net::DNS::Resolver->new (
dnsrch => 0
);
(updated patch against rspier/qpsmtpd)
The p0f plugin defaulted to binding to TCPLOCALIP, which doesn't work
when the mail server is running behind a firewall with a private IP. If
the local_ip option is set in the config file, it overrides TCPLOCALIP.
Added POD documentation for local_ip option and p0f general usage
Signed-off-by: Robert <rspier@pobox.com>
(patch remade against latest rspier/qpsmtpd)
added remote_port, local_ip, local_port, and local_host to $qp->connection, as the p0f plugin relies on it.
added notes to TcpServer.pm and the p0f plugin noting the dependence, and the lack of support for models other than tcpserver.
Signed-off-by: Robert <rspier@pobox.com>
rewrote the plugin using Mail::SPF, which is the replacement for Mail::SPF::Query (by the same author). The two plugins are mutually exclusive and SpamAssassin expects to have Mail::SPF available.
Signed-off-by: Robert <rspier@pobox.com>
added auth_vpopmail plugin, using the perl-vpopmail module
added VPOPMAIL auth methods description to docs/authentication
added SEE ALSO section to each module, noting the VPOPMAIL description
Signed-off-by: Robert <rspier@pobox.com>
updates to auth_vpopmail_sql module
- moved vpopmail database parameters into config files
- added LIMITATIONS section to POD, noting no support for alias domains
- renamed sub from authsql (too generic) to auth_vmysql
Signed-off-by: Robert <rspier@pobox.com>
The current status file, in git, has the following entry:
-plugin to reject mails from <> if it has multiple recipients.
I hereby submit my plugin to handle this case for possible inclusion,
under the same terms as the current qpsmtpd release.
The plugin is available here:
http://www.steve.org.uk/Software/qpsmtpd/check_bogus_bounce/
Please find patch against git head below, adding the file and removing
the TODO line from the status file.
Signed-off-by: Robert <rspier@pobox.com>