[Raw Msg Headers][Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re[2]: open relay

Witaj Matti,

W Twoim liście datowanym 26 czerwca 2003 (10:08:53) można przeczytać:

MA> On Thu, Jun 26, 2003 at 09:20:59AM +0200, Robert Kurjata wrote:
>> Witaj Matti,
>> W Twoim liście datowanym 25 czerwca 2003 (19:51:37) można przeczytać:
>> MA> On Wed, Jun 25, 2003 at 07:00:40PM +0200, Robert Kurjata wrote:
>> >> Cytowanie Matti Aarnio <mea@nic.funet.fi>:
>> >> It is old. kernel 2.0.35 (1999 y.), gcc :)
>> MA> That does not matter, I did have similar box way back..
>> MA> I don't have it at hand anymore.
>> >> [Cut out a part]
>> MA> ... 
>> >> So it works, but: Zmailer is treating this as a local address and
>> >> send bounce mail back which may be abused too. He still accepts mail
>> >> (250 OK).
>> >> Shouldn't he check it differently?? eg. returning
>> >>           Relaying Denied or User Unknown
>> MA> That is generic problem in case of disjoint smtp receiver vs. routing.
>> MA> Running fully interactive testing routing could be used to solve
>> MA> the question, but it is rather heavy-handed approach.
>> I know. This one machine is rather light loaded, so it would not be
>> the problem about load. But is it possible to do it that way.

MA> It should be possible.  Lets see..    At the end of  aliases.cf  file
MA> ( $MAILSHARE/cf/aliases.cf ) I have currently following script:

MA>         --------------------------------
MA> #
MA> #  Problem below is that '$(homedirectory )' function can't quite
MA> #  be overridden in virtual-ISP mode, where "/etc/passwd" isn't
MA> #  the real account database...
MA> #

MA>         if [ -z "$ROUTEUSER_IN_ABNORMAL_UNIX" ] ; then

MA> # Ending case: If not POBOX, nor homedirectory defined, then
MA> #              fall to "error" case below.

MA>                 case "${hashomedir}x$POBOX" in
MA>                 1x)     db add expansions "$key" local
MA>                         if [ -z "$localdoesdomain" ]; then
MA>                                 domain=""
MA>                         fi
MA>                         quad=($chan "$host" "$user$plustail$domain" $attr)
MA>                         returns (($quad))
MA>                         ;;
MA>                 esac

MA>         else

MA> # Ending case: If not POBOX, then fall to "error" case below.

MA>                 case "x$POBOX" in
MA>                 x)      db add expansions "$key" local
MA>                         if [ -z "$localdoesdomain" ]; then
MA>                                 domain=""
MA>                         fi
MA>                         quad=($chan "$host" "$user$plustail$domain" $attr)
MA>                         returns (($quad))
MA>                         ;;
MA>                 esac
MA>         fi

MA>         returns (((error nosuchuser "$user$plustail$domain" $attr)))
MA> }
MA>         --------------------------------

MA> Weeding that our a bit,  not defining (or defining empty value)
MA> for ZENV variable  ROUTEUSER_IN_ABNORMAL_UNIX=   does return
MA> processed address quad, if user has a home-directory.
MA> (Also, no POBOX mechanism is used..)

MA> If user does not have a home directory, an 'error' channel result
MA> is returned.

MA> After adding that, what is also needed is activation of interactive router
MA> in the smtpserver (several places to edit), at  smtpserver.conf:

MA> a)  PARAM enable-router  (uncomment it)
MA> b)  Add characters "f" and "t" to the "style-flags" at the end
MA>     of the of the file; e.g.:
MA>           *   999  veR     -->   *  999  ftveR
MA>     there are possibly other patterns in there, too.

I will chceck it later (machine is on leased 128kbit line so it is
stressing to work during the workday :)
But looks promising .....

MA> ...
>> MA> Now did you ?  Into which blacklist ?  I do think your case was due to
>> MA> ssift/tsift  stripping double-quotes from around localpart addresses
>> MA> in  canonicalize() function.
>> There were really 2 issues. I got on the blacklist because of those
>> bounces and someone got nervous (just not reading what he got),
>> mail-abuse.org checked my host and figured out that in one test
>> the host accepted relay mail.
>> So the second issue was stripping double quotes with which you
>> succesfully helped. Now I'm trying to get off the blacklist :)
>> >> What do you think about it?
>> MA> (... presuming that really is about "forced bounces" ...)
>> MA> That whoever thought up that kind of listings should check
>> MA> their head.  All firewalled sites with frontend MTA doing
>> MA> inbound relaying without actual inside knowledge would then
>> MA> be blacklisted...  Pick any site having multiple MX servers,
>> MA> which never accepts email direct from the world, but gets
>> MA> feed from ISP's backup MX MTA.
>> We will see now. I'm trying to get off the list. Even I, still not
>> having full checking, won't pass their test #24. (But this time they
>> souldn't get mail only the bounce)

MA> I sure hope they want to see through going email, and not merely bounces,
MA> or (worse), partial results from poorly thought up tests.

We'll see :)

>> >> Robert Kurjata     mailto:rkurjata@ire.pw.edu.pl
>> -- 
>> Pozdrowienia,
>>  Robert                            mailto:rkurjata@ire.pw.edu.pl

 Robert                            mailto:rkurjata@ire.pw.edu.pl

To unsubscribe from this list: send the line "unsubscribe zmailer" in
the body of a message to majordomo@nic.funet.fi