smtp-policy.src syntax caveat
Hi,
this morning I had a nasty surprise which was probably due to my own
stupidity... however, less stupid people might as well be advised...
The syntax of the smtp-policy.src file requires that every tag defined have
some content... even if the content is merely a blank comment.
That is, if, for instance, "_rbl0" is used in the right hand side of a policy
definition somewhere, then, the definition for "_rbl0" MUST NOT be blank,
that is, a line like this:
_rbl0
is invalid and will bring you headaches (see below).
If you don't want any rbl to be checked (and don't want to edit every rule
that includes the _rbl0 tag on the right hand side), edit the _rbl0 tag
definition like this:
_rbl0 #
or, better yet:
_rbl0 # if you erase this comment, you'll regret it :-)
For the (not so) funny details: this morning I noticed that external
connections to our server were established, but the 220 banner wasn't being
issued (at least not in a reasonable time). Connections from our private
network were working just fine.
Checking the logs I saw a lot of protocol timeouts (20 minutes), and saw the
rbl checks. As I know that many RBL's (especially osirusoft) are suffering
DoS attacks, I (correctly) supposed the delays had to do with that, so I
decided that I'd eliminate RBL checking altogether.
I edited smtp-policy.src and modified the line that read
_rbl0 rcpt-dns-rbl relays.osirusoft.com
with plain
_rbl0
(now I guess I should have put "_rbl0 rcpt-dns-rbl").
I ran policy-builder.sh, but the DNS checks kept appearing in the logs... I
restarted smtpserver to no avail.
Later I noticed that smtp-policy.db was older than smtp-policy.dat and that I
had a newer smtp-policy-new.db...
I stupidly copied smtp-policy-new.db over smtp-policy.db and the RBL checks
(and the timeouts) disappeared altogether...
Further investigating what had happened, I noted that in fact, the "makedb"
near the end of policy-builder.sh hung, dumping core... my old RedHat 6.1 box's
shell didn't report that (testing on newer RH7.x did scream to stderr that a
command inside the shell script dumped core).
I couldn't understand exactly what happened... running strace didn't help me
much... but at that moment I noticed that the smtp-policy-new.db that I had
manually put in production was probably corrupted... I could confirm that
when I was able to manually send a message from an outside IP to a
non-configured domain through my server... I had created an open relay in my
own server for about half an hour!!!!!!
At that same time I was making tests on a non-production server and noticed
that the comment trick was working OK, so I added the comment, re-built the
policy database and everything went fine...
Post analysis showed that the server was not abused (not even teased) during
that time.
Anyway, it might be good to add a comment in the smtp-policy.src file (maybe
at the top, when explaining the syntax) like:
#| Don't be as stupid as Mariano and _do_ put something on the right hand
#| side when defining a _tag
Regards.
--
Mariano Absatz
El Baby
----------------------------------------------------------
To err is human. To moo, bovine.
-
To unsubscribe from this list: send the line "unsubscribe zmailer" in
the body of a message to majordomo@nic.funet.fi
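The check the post asks for, as an added example that is not part of the original post or of ZMailer itself: a small linter that is run over smtp-policy.src before policy-builder.sh and flags any `_tag` defined with nothing on its right-hand side, plus a helper that applies the comment workaround from the post. Assumptions (not confirmed by the post): a line whose first token begins with `_` defines a tag, a `#` later on the line starts a comment, tags are referenced by naming them on the right-hand side of other entries, and the sample policy below is constructed for the example rather than taken from a real installation.

```python
"""Lint a ZMailer-style smtp-policy.src for tag definitions with an empty
right-hand side (the mistake described in the post above).

Added example, not code from the post or from ZMailer. Assumptions: a line
whose first token begins with "_" defines a tag; a "#" later on a line
begins a comment; tags are referenced by name on other right-hand sides.
"""

import re

# Constructed sample policy (not a real ZMailer file). "_rbl0" is defined
# with nothing on its right-hand side and then referenced by two entries.
SAMPLE_POLICY = """\
# smtp-policy.src (constructed sample)
_rbl0
_bulk_mail       = _rbl0 rcpt-dns-rbl relays.mail-abuse.org
_full_rights     = _rbl0 relaycustomer + relaytarget + senderokwithdns -
.                = _bulk_mail relaycustomer - relaytarget - senderokwithdns +
[0.0.0.0]/0      = _bulk_mail relaycustomer - relaytarget - senderokwithdns +
127.0.0.1        = _full_rights
"""

TAG_RE = re.compile(r"^_[A-Za-z0-9_]+$")


def _entries(text):
    """Yield (line_number, key, rhs) for every non-blank, non-comment line.
    rhs is kept raw, including inline comments: the post's point is that
    "_rbl0 #" is accepted while a bare "_rbl0" is not."""
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split(None, 1)
        yield lineno, parts[0], (parts[1] if len(parts) > 1 else "")


def _referenced_tags(rhs):
    """Tags named on a right-hand side, ignoring an inline comment."""
    code = rhs.split("#", 1)[0]
    return [tok for tok in code.split() if TAG_RE.match(tok)]


def lint_policy(text):
    """Return human-readable findings; an empty list means nothing found."""
    definitions = {}  # tag -> (lineno, rhs)
    references = {}   # tag -> [lineno, ...]
    for lineno, key, rhs in _entries(text):
        if TAG_RE.match(key):
            definitions[key] = (lineno, rhs)
        for tag in _referenced_tags(rhs):
            references.setdefault(tag, []).append(lineno)

    findings = []
    for tag, (lineno, rhs) in sorted(definitions.items(), key=lambda kv: kv[1][0]):
        if rhs.strip() == "":
            where = ", ".join(str(n) for n in references.get(tag, [])) or "nowhere"
            findings.append(
                f"line {lineno}: tag {tag} has an empty right-hand side "
                f"(referenced on line(s) {where}); add at least a comment"
            )
    for tag, linenos in sorted(references.items()):
        if tag not in definitions:
            findings.append(f"line {linenos[0]}: tag {tag} is referenced but never defined")
    return findings


def fix_empty_tags(text, filler="# intentionally empty; do not remove this comment"):
    """Apply the post's workaround: give every bare tag definition a comment
    as its right-hand side so the definition is no longer blank."""
    out = []
    for line in text.splitlines():
        stripped = line.strip()
        out.append(f"{stripped} {filler}" if TAG_RE.match(stripped) else line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY) or ["no findings"]:
        print(finding)
```

Run it before policy-builder.sh and refuse to rebuild the database while it reports anything; the whole point of the post is that makedb failing silently is what left the old database in place and a hand-copied one corrupt.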