
Re: open relay



On Thu, Jun 26, 2003 at 09:20:59AM +0200, Robert Kurjata wrote:
> Hello Matti,
> In your message dated 25 June 2003 (19:51:37) one can read:
> MA> On Wed, Jun 25, 2003 at 07:00:40PM +0200, Robert Kurjata wrote:
> >> Quoting Matti Aarnio <mea@nic.funet.fi>:
> >> It is old. kernel 2.0.35 (1999 y.), gcc 2.7.2.1 :)
> 
> MA> That does not matter, I did have similar box way back..
> MA> I don't have it at hand anymore.
> 
> >> [Cut out a part]
> MA> ... 
> >> So it works, but: Zmailer is treating this as a local address and
> >> send bounce mail back which may be abused too. He still accepts mail
> >> (250 OK).
> >> Shouldn't he check it differently?? eg. returning
> >>           Relaying Denied or User Unknown
> 
> MA> That is generic problem in case of disjoint smtp receiver vs. routing.
> MA> Running fully interactive testing routing could be used to solve
> MA> the question, but it is rather heavy-handed approach.
> 
> I know. This one machine is rather lightly loaded, so it would not be
> the problem about load. But is it possible to do it that way?

It should be possible.  Let's see..    At the end of  aliases.cf  file
( $MAILSHARE/cf/aliases.cf ) I currently have the following script:

        --------------------------------
#
#  Problem below is that '$(homedirectory )' function can't quite
#  be overridden in virtual-ISP mode, where "/etc/passwd" isn't
#  the real account database...
#

	if [ -z "$ROUTEUSER_IN_ABNORMAL_UNIX" ] ; then

# Ending case: If not POBOX, nor homedirectory defined, then
#              fall to "error" case below.

		case "${hashomedir}x$POBOX" in
		1x)	db add expansions "$key" local
			if [ -z "$localdoesdomain" ]; then
				domain=""
			fi
			quad=($chan "$host" "$user$plustail$domain" $attr)
			returns (($quad))
			;;
		esac

	else

# Ending case: If not POBOX, then fall to "error" case below.

		case "x$POBOX" in
		x)	db add expansions "$key" local
			if [ -z "$localdoesdomain" ]; then
				domain=""
			fi
			quad=($chan "$host" "$user$plustail$domain" $attr)
			returns (($quad))
			;;
		esac
	fi

	returns (((error nosuchuser "$user$plustail$domain" $attr)))
}
        --------------------------------


Weeding that out a bit,  not defining (or defining empty value)
for ZENV variable  ROUTEUSER_IN_ABNORMAL_UNIX=   does return
processed address quad, if user has a home-directory.
(Also, no POBOX mechanism is used..)

If user does not have a home directory, an 'error' channel result
is returned.

After adding that, what is also needed is activation of interactive router
in the smtpserver (several places to edit), at  smtpserver.conf:

a)  PARAM enable-router  (uncomment it)
b)  Add characters "f" and "t" to the "style-flags" at the end
    of the file; e.g.:
          *   999  veR     -->   *  999  ftveR
    there are possibly other patterns in there, too.

...
> MA> Now did you ?  Into which blacklist ?  I do think your case was due to
> MA> ssift/tsift  stripping double-quotes from around localpart addresses
> MA> in  canonicalize() function.
> 
> There were really 2 issues. I got on the blacklist because of those
> bounces and someone got nervous (just not reading what he got),
> mail-abuse.org checked my host and figured out that in one test
> the host accepted relay mail.
> So the second issue was stripping double quotes with which you
> successfully helped. Now I'm trying to get off the blacklist :)
> 
> >> What do you think about it?
> 
> MA> (... presuming that really is about "forced bounces" ...)
> 
> MA> That whoever thought up that kind of listings should check
> MA> their head.  All firewalled sites with frontend MTA doing
> MA> inbound relaying without actual inside knowledge would then
> MA> be blacklisted...  Pick any site having multiple MX servers,
> MA> which never accepts email direct from the world, but gets
> MA> feed from ISP's backup MX MTA.
> 
> We will see now. I'm trying to get off the list. Even I, still not
> having full checking, won't pass their test #24. (But this time they
> shouldn't get mail only the bounce)

I sure hope they want to see through going email, and not merely bounces,
or (worse), partial results from poorly thought up tests.

> >> Robert Kurjata     mailto:rkurjata@ire.pw.edu.pl
> -- 
> Regards,
>  Robert                            mailto:rkurjata@ire.pw.edu.pl

-- 
/Matti Aarnio	<mea@nic.funet.fi>
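
Added example (not part of the original message, and not ZMailer code): a small Python model of the behaviour discussed in this thread, contrasting a receiver that accepts first and bounces later with one that consults the router at RCPT time. The domain, the user table, the function names and the 550 reply codes are assumptions made for illustration.

```python
# Added illustration, not ZMailer code. All names and data are constructed.
LOCAL_DOMAINS = {"example.org"}          # assumed: domains delivered locally
HOME_DIRS = {"robert": "/home/robert"}   # assumed stand-in for the home-directory lookup


def route(rcpt):
    """Router verdict for a local-domain address: ('local', user) or ('error', 'nosuchuser')."""
    user = rcpt.rpartition("@")[0].lower()
    if user in HOME_DIRS:                # has a home directory -> local delivery
        return ("local", user)
    return ("error", "nosuchuser")       # no home directory -> error channel


def rcpt_to(rcpt, interactive_router):
    """SMTP reply to RCPT TO; reply codes are assumed, per RFC 5321 conventions."""
    domain = rcpt.rpartition("@")[2].lower()
    if domain not in LOCAL_DOMAINS:      # relay policy, independent of the router
        return (550, "Relaying Denied")
    if interactive_router and route(rcpt)[0] == "error":
        return (550, "User Unknown")     # rejected while the sender is still connected
    return (250, "OK")


def handle(mail_from, rcpt, interactive_router):
    """Return (smtp_reply, bounce_recipient) for one message."""
    reply = rcpt_to(rcpt, interactive_router)
    if reply[0] != 250:
        return reply, None               # refused in-session: nothing queued, no bounce
    # Accepted: routing runs later from the queue; a failure bounces to the
    # envelope sender, which in spam is usually forged.
    bounce_to = mail_from if route(rcpt)[0] == "error" else None
    return reply, bounce_to


if __name__ == "__main__":
    for router_on in (False, True):
        print(router_on, handle("forged@victim.example", "nobody@example.org", router_on))
```

With the router check off, the unknown local address is accepted and the later bounce goes to the forged envelope sender; with it on, the same message is refused in-session and no bounce is generated.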