Koozali.org: home of the SME Server

Email Whitelist-Blacklist Control

Offline ReetP

Re: Email Whitelist-Blacklist Control
« Reply #15 on: November 06, 2021, 06:58:39 PM »
Can you check that the host IP starts with @?

As per the wiki page:

https://wiki.koozali.org/Email_Whitelist-Blacklist_Control#Black_Lists:_REJECT

Badmailfrom
@host or user@host


Also you can read the relevant plugin

cat /usr/share/qpsmtpd/badmailfrom


Quote
#!perl -w

=head1 NAME

check_badmailfrom - checks the badmailfrom config, with per-line reasons

=head1 DESCRIPTION

Reads the "badmailfrom" configuration like qmail-smtpd does.  From the
qmail-smtpd docs:

"Unacceptable envelope sender addresses. qmail-smtpd will reject every
recipient address for a message if the envelope sender address is
listed in badmailfrom. A line in badmailfrom may be of the form
@host, meaning every address at host."

You may include an optional message after the sender address (leave a space),
to be used when rejecting the sender.

=head1 CONFIGURATION

=head2 reject

  badmailfrom reject [ 0 | 1 | naughty ]

I<0> will not reject any connections.

I<1> will reject naughty senders.

I<connect> is the most efficient setting. It's also the default.

To reject at any other connection hook, use the I<naughty> setting and the
B<naughty> plugin.

=head1 PATTERNS

This plugin also supports regular expression matches. This allows
special patterns to be denied (e.g. FQDN-VERP, percent hack, bangs,
double ats).

Patterns are stored in the format pattern(\s+)response, where pattern
is a Perl pattern expression. Don't forget to anchor the pattern
(front ^ and back $) if you want to restrict it from matching
anywhere in the string.

 ^streamsendbouncer@.*\.mailengine1\.com$    Your right-hand side VERP doesn't fool me
 ^return.*@.*\.pidplate\.biz$                I don't want it regardless of subdomain
 ^admin.*\.ppoonn400\.com$



And here is the bit of code that does the matching.

Quote
sub is_match {
    my ($self, $from, $bad, $host) = @_;

    if ($bad =~ /[\/\^\$\*\+\!\%\?\\]/) {    # it's a regexp
        if ($from =~ /$bad/) {
            $self->log(LOGDEBUG, "badmailfrom pattern ($bad) match for $from");
            return 1;
        }
        return;
    }

    $bad = lc $bad;
    if ($bad !~ m/\@/) {
        $self->log(LOGWARN, "badmailfrom: bad config: no \@ sign in $bad");
        return;
    }
    if (substr($bad, 0, 1) eq '@') {             ############# <<<<<<<<<<< Note the @ here!!!!
        return 1 if $bad eq "\@$host";
        return;
    }
    return if $bad ne $from;
    return 1;
}


I think I did some test code for whitelists to check what was happening. When I get 5 minutes I can try and do a bit to test this as well but I think the key is adding the @ so try @1.2.3.4

...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline Fumetto

Re: Email Whitelist-Blacklist Control
« Reply #16 on: November 07, 2021, 10:21:57 PM »
I tried with "@1.2.3.4" on "qpsmtpd badhelo" and "*@1.2.3.4" on "qmail badmailfrom" and "spamassassin blacklist_from" but the email arrived anyway.

Offline TerryF

  • grumpy old man
Re: Email Whitelist-Blacklist Control
« Reply #17 on: November 08, 2021, 02:43:51 AM »
you are free to tell me to go and do something abnormal if I am asking a kindergarten question BUT, did you add *@1.2.3.4 or a real ip address?
--
qui scribit bis legit

Offline Fumetto

Re: Email Whitelist-Blacklist Control
« Reply #18 on: November 08, 2021, 02:47:57 AM »
Real...real... I'm a noob, but not at this point... ^_^
Only "@123.123.123.123", no "*".

Offline Fumetto

Re: Email Whitelist-Blacklist Control
« Reply #19 on: November 08, 2021, 03:20:43 AM »
The file to which something probably needs to be retouched is /usr/share/qpsmtpd/plugin/helo.
I notice a msg "I do not believe you are $host" under it, and this message is what I can see in the log when an email is blocked

Offline TerryF

  • grumpy old man
Re: Email Whitelist-Blacklist Control
« Reply #20 on: November 08, 2021, 03:25:46 AM »
you are free to tell me to go and do something abnormal if I am asking a kindergarten question BUT, did you add *@1.2.3.4 or a real ip address?

:-) always best to ask

Offline ReetP

Re: Email Whitelist-Blacklist Control
« Reply #21 on: November 08, 2021, 10:49:09 AM »
I can't look today but I will tomorrow - I did test all this a long while ago when fixing the whitelist.

Quote
"I do not believe you are $host"

Don't conflate things. You are going down rabbit holes here. You really need to read each plugin, see when it is used and the messages it throws.

I think this is an error from the whitelist helo plugin which is detecting a bad helo name. Not part of the blacklist check. You can affect this with the whitelisthelo setting.

Note. The blacklist IP format does not use *

If you read the code in the plugin you will see it checks for a couple of things as I have mentioned. Read the errors & grep match them to the plugin files.

The code looks for an IP indicated by an @ symbol.

This bit below.

Quote
  return 1 if $bad eq "\@$host";

So far I don't see an error.

The only thing that possibly could be modified is the better help and syntax checking in the panel, but IIRC syntax checking is tricky.

Offline ReetP

Re: Email Whitelist-Blacklist Control
« Reply #22 on: November 11, 2021, 10:41:48 AM »
OK, as per the bug once I finally remembered what is what then it was clear the wiki was in error, or misleading.

The Helo plugin is not designed to block specific IPs. It is the nature of the beast, and as per various RFCs on what you can and cannot accept in Helo information. The plugin is designed to stop miscreants abusing the Helo header, not to just block them outright.

In actual fact there is no qpsmtpd black list plugin.

Yes, it would be possible to write one, and as pointed out by Jean Philippe it should be done at the connect stage of the transaction to save wasted processing and overhead. However, that is time and effort that we are short of.

Tools like fail2ban, xtgeoip & geoip blocking will block at the firewall level so won't even get to bother qpsmtpd.

https://wiki.koozali.org/Fail2ban
https://wiki.koozali.org/GeoIP
https://wiki.koozali.org/Xt_geoip

If you have a particularly annoying door knocker you can block them outright with some examples here:

https://wiki.koozali.org/Firewall

You can open a new feature request for a blacklist plugin but not sure when we'll get to look at it.

Hope that helps and sorry for the confusion.


Offline Jean-Philippe Pialasse

  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: Email Whitelist-Blacklist Control
« Reply #23 on: November 11, 2021, 02:00:39 PM »
To be clear, the test you are doing and what you are trying to obtain are irrelevant and might lead to inconsistent results. See RFC https://datatracker.ietf.org/doc/html/rfc5321

Emails with an IP after the @ should have the IP enclosed in square brackets or they could be interpreted as domains.

Some systems tolerate the absence of brackets and some software (Horde, last time I checked) is not even able to handle the square brackets.

This is one more point to just filter IPs BEFORE getting to the SMTP daemon.
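
Added example, not part of any post above and not the plugin's own code: a stand-alone Perl harness around the matching logic of the is_match sub quoted in Reply #15, run over constructed envelope senders and badmailfrom entries. It shows that an @host entry is compared only with the host part of the envelope sender and never with the connecting client's IP, and how a bracketed RFC 5321 address literal, a leading "*" and unescaped dots in a pattern behave. The classify name, the sample addresses and the host-splitting line are assumptions made for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Matching logic adapted from the is_match sub quoted in this thread;
# logging is replaced by a returned label so the outcome is visible.
sub classify {
    my ($from, $bad, $host) = @_;
    if ($bad =~ /[\/\^\$\*\+\!\%\?\\]/) {    # entry is treated as a regexp
        # eval traps a pattern that fails to compile (e.g. a leading "*")
        my $hit = eval { $from =~ /$bad/ ? 1 : 0 };
        return 'invalid regexp' unless defined $hit;
        return $hit ? 'match (regexp)' : 'no match';
    }
    $bad = lc $bad;
    return 'bad config: no @ sign' if $bad !~ m/\@/;
    if (substr($bad, 0, 1) eq '@') {         # @host form: exact host compare
        return $bad eq "\@$host" ? 'match (host)' : 'no match';
    }
    return $bad eq $from ? 'match (address)' : 'no match';
}

# Constructed cases: [ envelope sender, connecting client IP, entry ].
# The client IP is listed only to show that the check never looks at it.
my @cases = (
    ['user@1.2.3.4',     '198.51.100.7', '@1.2.3.4'],        # bare IP as host
    ['user@[1.2.3.4]',   '198.51.100.7', '@1.2.3.4'],        # bracketed literal
    ['user@example.com', '1.2.3.4',      '@1.2.3.4'],        # IP is the client
    ['user@1.2.3.4',     '198.51.100.7', '*@1.2.3.4'],       # "*" => regexp path
    ['user@1.2.3.4',     '198.51.100.7', '1.2.3.4'],         # entry without @
    ['user@1x2y3z4',     '198.51.100.7', '^user@1.2.3.4$'],  # unescaped dots
);

for my $c (@cases) {
    my ($from, $client_ip, $bad) = @$c;
    $from = lc $from;
    # Assumption for this example: host is the text after the last @
    my ($host) = $from =~ /\@([^\@]*)$/;
    printf "%-18s from %-13s entry %-16s => %s\n",
        $from, $client_ip, $bad, classify($from, $bad, $host);
}
```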