Koozali.org: home of the SME Server
Obsolete Releases => SME Server 7.x => Topic started by: chris burnat on October 20, 2006, 01:31:14 PM
-
Is there a way to defeat this security feature? I have a couple of instances where mail is not being accepted from MS mail servers:
203.47.55.nnn failed after I sent the message.
> Remote host said: 552 Mail with no Date header not accepted here
The problem is, I have no way of convincing the owners of these (non-compliant) servers to rectify the problem on their end, and I/we need to receive their messages.
-
You either need to disable the "check_basicheaders" plugin for qpsmtpd, or enable the "whitelist_soft" plugin and create /var/service/qpsmtpd/config/whitelisthosts containing the IP address of the misbehaving mail server.
to disable "check_basicheaders":
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins
cd /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins/
echo "#check_basicheaders disabled by custom template" > 17check_basicheaders
signal-event email-update
to add a white-listed host:
config setprop qpsmtpd RequireResolvableFromHost yes
pico /var/service/qpsmtpd/config/whitelisthosts
(add the IP addresses you want to whitelist, one per line)
signal-event email-update
(Turning on "RequireResolvableFromHost" enables the "whitelist_soft" plugin. Also, there's no default template for "whitelisthosts" so your changes shouldn't disappear by themselves. Ultimately, this should probably be templated and should use the configuration database...)
More on "whitelist_soft": http://www.openfusion.com.au/labs/qpsmtpd/whitelist_soft
(Note: these recommendations have not been tested or verified)
-
Is there a way to defeat this security feature?
Search the bug tracker and you will find a workaround documented.
-
Is there a way to defeat this security feature?
Search the bug tracker and you will find a workaround documented.
And here is the Bug in case you can't find it ;)
http://bugs.contribs.org/show_bug.cgi?id=492
-
Thank you all for guidance. I am a little hesitant disabling check_basicheaders altogether - not sure what the impact will be on spams... Does anyone have an idea on this score? Perhaps allowing specific hosts may be prudent given the increase in spams lately.. Regards, chris.
-
I have tried the method mmccarn suggested, and it does not appear to help. Any other suggestions?
ps I also mentioned this in the bug-tracker
Bob
-
I have tried the method mmccarn suggested, and it does not appear to help. Any other suggestions?
See my comment above - there is a workaround documented in the bug tracker.
-
It turns out that "check_basicheaders" doesn't pay any attention to any whitelisting mechanism, so my "whitelist_soft" suggestion won't work unless the "check_basicheaders" plugin is modified...
-
It turns out that "check_basicheaders" doesn't pay any attention to any whitelisting mechanism,
Many thanks for passing this information. I was just about to try it.... Rgds, chris.
-
I got this reply to a post on the qpsmtpd news list:
>
> Is it possible to modify check_basicheaders to ignore email from
> whitelisted sources? I'd like to use the plugin, but with the ability
> to whitelist some systems that send automated emails that otherwise fail.
>
> Is it enough to add
> # Always allow relayclients and whitelisted hosts/senders
> return DECLINED if $self->qp->connection->relay_client();
> return DECLINED if $self->qp->connection->notes('whitelisthost');
> return DECLINED if $transaction->notes('whitelistsender');
>
> somewhere in the existing plugin?
Yes, right after this :
sub hook_data_post {
my ($self, $transaction) = @_;
Sydney.
Theoretically, then, you could create and use a customized version of check_basicheaders to pay attention to white-listed senders or hosts by:
pico -w /usr/share/qpsmtpd/plugins/check_basicheaders_wl
#!/usr/bin/perl

=head1 NAME

check_basicheaders - Make sure both From and Date headers are present, and
do optional range checking on the Date header

=head1 DESCRIPTION

Rejects messages that do not have a From or Date header or are completely
empty.

Can also reject messages where the date in the Date header is more than
some number of the days in the past or future.

=head1 CONFIGURATION

Takes one optional parameter, the number of days in the future or past
beyond which to reject messages. (The default is to not reject messages
based on the date.)

=head1 AUTHOR

Written by Jim Winstead Jr.

=head1 LICENSE

Released to the public domain, 26 March 2004.

=cut

use Date::Parse qw(str2time);

sub register {
    my ($self, $qp, @args) = @_;

    if (@args > 0) {
        $self->{_days} = $args[0];
        $self->log(LOGWARN, "WARNING: Ignoring additional arguments.") if (@args > 1);
    }
}

sub hook_data_post {
    my ($self, $transaction) = @_;

    # Always allow relayclients and whitelisted hosts/senders
    return DECLINED if $self->qp->connection->relay_client();
    return DECLINED if $self->qp->connection->notes('whitelisthost');
    return DECLINED if $transaction->notes('whitelistsender');

    return (DENY, "You have to send some data first")
        if $transaction->body_size == 0;

    return (DENY, "Mail with no From header not accepted here")
        unless $transaction->header->get('From');

    my $date = $transaction->header->get('Date');

    return (DENY, "Mail with no Date header not accepted here")
        unless $date;

    return (DECLINED) unless defined $self->{_days};

    my $ts = str2time($date);

    return (DECLINED) unless $ts;

    return (DENY, "The Date in the header was too far in the past")
        if $ts < time - ($self->{_days}*24*3600);

    return (DENY, "The Date in the header was too far in the future")
        if $ts > time + ($self->{_days}*24*3600);

    return (DECLINED);
}
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins
cd /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins
pico -w 17check_basicheaders
{
    $OUT = "check_basicheaders_wl";
    # Note: You can't specify a maximum offset of 0 days, but that's fair
    my $days = $smtpd{MaximumDateOffset} || '';
    $OUT .= " $days" if ($days);
}
signal-event email-update
Note: I don't know PERL and have neither tried nor tested any of this.
To undo these changes, simply delete the two files created:
rm -f /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins/17check_basicheaders
rm -f /usr/share/qpsmtpd/plugins/check_basicheaders_wl
signal-event email-update
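An offline model of the decision order in the customized plugin above, added here as an illustration and not part of the original post or of qpsmtpd. The function name `basicheaders_verdict` and the sample messages are constructed; Python's `email` date parser stands in for `Date::Parse`, and an empty string stands in for `body_size == 0`.

```python
"""Model of the whitelist-aware check_basicheaders decision (illustrative)."""
import time
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed samples: the first has "Date:" only in the body, not the headers.
NO_DATE = "From: reports@example.com\nSubject: nightly\n\nDate: in the body only\n"
WITH_DATE = ("From: reports@example.com\n"
             "Date: Fri, 20 Oct 2006 13:31:14 +0000\n"
             "Subject: nightly\n\nbody\n")


def basicheaders_verdict(raw, days=None, relay_client=False,
                         whitelisthost=False, whitelistsender=False, now=None):
    """Return (verdict, reason), testing in the same order as the plugin."""
    # Exemptions run first, so exempt mail is never header-checked at all.
    if relay_client or whitelisthost or whitelistsender:
        return ("DECLINED", "exempt: relay client or whitelisted")
    if not raw:  # assumption: empty input models body_size == 0
        return ("DENY", "You have to send some data first")
    msg = message_from_string(raw)
    if not msg.get("From"):
        return ("DENY", "Mail with no From header not accepted here")
    date = msg.get("Date")
    if not date:
        return ("DENY", "Mail with no Date header not accepted here")
    if days is None:
        return ("DECLINED", "headers present, no range check configured")
    try:
        ts = parsedate_to_datetime(date).timestamp()
    except (TypeError, ValueError):
        # The plugin also lets an unparseable Date through (str2time fails).
        return ("DECLINED", "Date present but unparseable")
    now = time.time() if now is None else now
    window = days * 24 * 3600
    if ts < now - window:
        return ("DENY", "The Date in the header was too far in the past")
    if ts > now + window:
        return ("DENY", "The Date in the header was too far in the future")
    return ("DECLINED", "Date within range")


if __name__ == "__main__":
    print(basicheaders_verdict(NO_DATE))
    print(basicheaders_verdict(NO_DATE, whitelisthost=True))
    print(basicheaders_verdict(WITH_DATE, days=7))
```

The second call shows the trade-off raised earlier in the thread: a whitelisted host skips the From check, the Date check and the date-range check together, not just the one that was failing.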
-
This doesn't seem to work anymore with the latest release of 7.1
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins/
cd /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins/
touch 17check_basicheaders
How do you disable check_basicheaders, specifically for internal network clients?
Regards
Dale
-
OK, I figured it out after reading up on the changes in Bug report.
Because there are now separate settings for local and external, the 17check_basicheaders file has to be moved to
/etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local/
and then signal-event email-update
recap :
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local
cd /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local
touch 17check_basicheaders
signal-event email-update