
smtp-policy.src syntax caveat


This morning I had a nasty surprise which was probably due to my own 
stupidity... however, less stupid people might as well be advised...

The syntax of the smtp-policy.src file requires that every tag defined have 
some content... even if the content is merely a blank comment.

That is, if, for instance, "_rbl0" is used on the right-hand side of a policy 
definition somewhere, then the definition for "_rbl0" MUST NOT be blank; 
that is, a line like this:
is invalid and will bring you headaches (see below).

If you don't want any RBL to be checked (and don't want to edit every rule 
that includes the _rbl0 tag on the right-hand side), edit the _rbl0 tag 
definition like this:
_rbl0  #
or, better yet:
_rbl0  # if you erase this comment, you'll regret it :-)

For the (not so) funny details: this morning I noticed that external 
connections to our server were established, but the 220 banner wasn't being 
issued (at least not in a reasonable time). Connections from our private 
network were working just fine.

Checking the logs I saw a lot of protocol timeouts (20 minutes), and saw the 
RBL checks. As I know that many RBLs (especially osirusoft) are suffering 
DoS attacks, I (correctly) supposed the delays had to do with that, so I 
decided that I'd eliminate RBL checking altogether.

I edited smtp-policy.src and modified the line that read
_rbl0  rcpt-dns-rbl    relays.osirusoft.com
with plain

(now I guess I should have put "_rbl0  rcpt-dns-rbl").

I ran policy-builder.sh, but the DNS checks kept appearing in the logs... I 
restarted smtpserver to no avail.

Later I noticed that smtp-policy.db was older than smtp-policy.dat and that I 
had a newer smtp-policy-new.db...

I stupidly copied smtp-policy-new.db over smtp-policy.db and the RBL checks 
(and the timeouts) disappeared altogether...

Further investigating what had happened, I noted that in fact the "makedb" 
near the end of policy-builder.sh hung, dumping core... my old RedHat 6.1 box 
shell didn't report that (testing on newer RH7.x did scream to stderr that a 
command inside the shell script dumped core).

I couldn't understand exactly what happened... running strace didn't help me 
much... but at that moment I noticed that the smtp-policy-new.db that I had 
manually put in production was probably corrupted... I could confirm that 
when I was able to manually send a message from an outside IP to a 
non-configured domain through my server... I had created an open relay in my 
own server for about half an hour!!!!!!

At that same time I was making tests on a non-production server and noticed 
that the comment trick was working OK, so I added the comment, re-built the 
policy database and everything went fine...

Post analysis showed that the server was not abused (not even teased) during 
that time.

Anyway, it might be good to add a comment in the smtp-policy.src file (maybe 
at the top, when explaining the syntax) like:
#| Don't be as stupid as Mariano and _do_ put something on the right-hand
#| side when defining a _tag


Mariano Absatz
El Baby
To err is human. To moo, bovine.
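The two checks that would have caught the failure described in this post, as an added example that is neither part of the post nor of ZMailer itself: a lint over smtp-policy.src that rejects any tag with nothing on its right-hand side before policy-builder.sh is run, and a freshness test that fails when the built .db is older than the .src (which is what makedb's silent core dump left behind). The tag-line format is assumed from the post only (first field starting with "_", anything after it, even a lone "#", counts as content); the sample policy files and the RBL host name in them are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post or of ZMailer: a pre-build
# lint for smtp-policy.src plus a freshness check for the built database.
# Assumptions (taken from the post, not from ZMailer documentation): a tag
# definition is a line whose first field starts with "_", and anything
# after that field, even a lone "#", counts as content.

# check_policy_src FILE
# Prints "LINENO: TAG" for every tag definition with an empty right-hand
# side; returns 1 if any were found, 0 if the file is clean.
check_policy_src() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }               # comments and blank lines
        $1 ~ /^_/ && NF == 1     { print NR ": " $1; bad = 1 }
        END                      { exit (bad ? 1 : 0) }
    ' "$1"
}

# db_is_fresh SRC DB
# Returns 0 only when DB exists and is newer than SRC. The post found
# smtp-policy.db older than its source because the build step had died
# without the shell noticing; this is the check that would have caught it.
db_is_fresh() {
    [ -f "$2" ] && [ "$2" -nt "$1" ]
}

# Constructed sample: the bad edit from the post (an _rbl0 line with nothing
# after the tag) next to a normal rule and the "#" workaround.
BAD_SRC=$(mktemp)
cat > "$BAD_SRC" <<'EOF'
# constructed sample policy source
_rbl0
_rbl1  rcpt-dns-rbl    rbl.example.invalid
_rbl2  #
EOF

# Constructed clean sample: every tag has something on the right-hand side.
OK_SRC=$(mktemp)
cat > "$OK_SRC" <<'EOF'
_rbl0  #
_rbl1  rcpt-dns-rbl    rbl.example.invalid
EOF

# Usage: run the lint before the build and refuse to build when it fails.
if check_policy_src "$BAD_SRC"; then
    echo "$BAD_SRC: OK"
else
    echo "$BAD_SRC: empty tag definitions found, not building" >&2
fi
```

Wiring `check_policy_src` in front of the build, and `db_is_fresh smtp-policy.src smtp-policy.db` after it, turns the two silent failures in the post (an empty definition accepted by the editor, a core dump swallowed by the shell) into a non-zero exit that stops the policy from going into production.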

To unsubscribe from this list: send the line "unsubscribe zmailer" in
the body of a message to majordomo@nic.funet.fi