sendmailX renamed to MeTA1

From Claus Assmann:

Here's the latest status update:

For various reasons, the software has been renamed to MeTA1.
The mailing lists will be renamed accordingly:

domain:
	sendmailx.org	-> MeTA1.org
localparts:
	smx-developers	-> MeTA1-developers
	smx-design	-> MeTA1-design

For now, I just copy all addresses from the old lists to the new
list. If you don't want to participate any longer, please contact
me directly.

As you probably noticed, I took some time off from working on the
MTA (only fixing bugs if a problem showed up), but now I'm back and
one of my current projects is to look into integrating Arena as
scripting language (see some earlier mails about this topic).

I will send out some more information "soon" on the new list,
hopefully you will adjust your filters by then.

More information about MeTA1 and the Arena scripting language.

Προς Έλληνες (email) spammers

(Πως λέμε “Προς Κορινθίους”;)

Το να στέλνετε το κείμενό σας στον MAILER-DAEMON (παπάκι αουτγκόινγκ τελεία τεέ τελεία τζι-αρ) δεν είναι ιδιαίτερα έξυπνο. Αν πάλι έχετε αγοράσει λίστα που περιέχει τέτοιες διευθύνσεις σας πιάσανε Κώτσους πιο πολύ από ότι εσείς θέλετε να πιάσετε τους υποψήφιους πελάτες σας.

Avoiding FEATURE(`nullclient’)

From the sendmail cf/README:

nullclient	This is a special case -- it creates a configuration file
		containing nothing but support for forwarding all mail to a
		central hub via a local SMTP-based network.  The argument
		is the name of that hub.
		The only other feature that should be used in conjunction
		with this one is FEATURE(`nocanonify').  No mailers
		should be defined.  No aliasing or forwarding is done.

However, you do not have to run sendmail¹ on a server unless it is your SMTP server. Sendmail has FEATURE(`nullclient’) for that. Qmail has something similar. But there is nothing simplest than this alternative:

Enter nullmailer:

This is nullmailer, a sendmail/qmail/etc replacement MTA for hosts which relay to a fixed set of smart relays. It is designed to be simple to configure, secure, and easily extendable.

Nullmailer is very easy to configure compared to any of the well known F/OSS SMTP servers. It is not an SMTP server. It is a /usr/lib/sendmail² replacement for your servers or unix shell machines.

Installing nullmailer on a Debian system simply means:

# apt-get install nullmailer
# dpkg-reconfigure nullmailer

and you are all set³. If you are on another system the worst case senario requires that you compile it by hand. However, this is not a difficult task even for the inexpirienced SysAdmin, since the code is compact and easy to read and the directions on how to compile / install fairly simple to follow.

[1] Or postfix, or exim, or qmail
[2] Yes, there was a time that the sendmail binary lived in /usr/lib
[3] Usually this is followed by a dpkg –purge exim4-base exim4-config

configuring sendmail for your unix desktop

Mulberry, (or Thunderbird,or any other GUI email client) needs an SMTP (“outgoing”) mail server which it uses to send your emails. Normally this is set to what your ISP (or administrator) has told you to be. However, sometimes your outgoing email server maybe unavailable¹ (which is furstrating, since most people expect email to be delivered instantly, or at least leave their system² instantly). So why not run a mail queue on your own and let your desktop route your email through the outgoing email server when it becomes available again? Here is a small sendmail.mc that should work with your desktop unix machine³:

VERSIONID(`2006/08/23/00')dnl
OSTYPE(`debian')dnl
DOMAIN(`debian-mta')dnl

define(`SMART_HOST', `[outgoing.example.com]')dnl
define(`confCW_FILE', `-o /etc/mail/local-host-names')dnl
FEATURE(`use_cw_file')dnl

FEATURE(`no_default_msa')dnl
DAEMON_OPTIONS(`Name=MTA-v4, Addr=127.0.0.1, Port=smtp')dnl
DAEMON_OPTIONS(`Name=MSP-v4, Addr=127.0.0.1, Port=submission')dnl

MAILER(`local')dnl
MAILER(`smtp')dnl

LOCAL_RULE_0
# LHS is separated from RHS with tabs, not whitespaces
R$- <@ $=w . >          john.doe < @ example.com. >

LOCAL_RULE_0 makes sure that any email sent from this machine is sent as john.doe@example.com. If this is not expected behavior delete LOCAL_RULE_0 or use FEATURE(nullclient).

[1] Unavailable does not mean neccessarily down. It may mean that some kind of rate-limiting is in place.
[2] Where system for such users is only their MUA (Mail User Agent).
[3] The example is Debian/Ubuntu-centric, but can be adapted to any system that runs sendmail

Mulberry is back!

Κάποτε ήταν ο μόνος λόγος για να χρησιμοποιώ Windows:

Hi folks,
Finally, after much effort, I have regained the rights to Mulberry and am making it available for free as of today. See:

<http://www.mulberrymail.com>

Some things to note:

1) It is free to anyone – no registration codes needed.

2) A new v4.0.5 version is available on the website. This simply removes the registration requirement and updates copyright notices etc.

3) There is no formal support for the product as there was before. Instead ‘community’ support via mailing lists and other resources will be used. I will make a best effort to respond in a timely fashion to issues, but see note (4) below.

4) This effort is purely a personal one on my part – all the work I do on this is being done in my (limited) spare time.

5) It is free but not open source. That’s an issue that we can discuss moving forward…

6) Also, major new features/revisions etc are out of the question right now (though I have a few pet projects that were being worked on before and which I will likely continue). Fixes to existing problems will be done as time allows. Hopefully if we find a way of dealing with issue (5) that may change – but that’s really going to depend on the level of interest from people willing to commit their own time to this as opposed to one of the other open source equivalents.

Hopefully those of you still using Mulberry and hoping to continue to do so for a while at least will find this good news.

—
Cyrus Daboo

Ίσως ο καλύτερος IMAP client που υπάρχει.-

grwhitelist.tee.gr

Αυτοί οι Ολλανδοί ISP είναι ωραίοι τύποι. Όχι μόνο έχουν φτιάξει μια ωραία DNSBL για να κόβουν μηχανές μολυσμένες με ιούς, αλλά έχουν φτιάξει και μια ακόμα καλύτερη whitelist για να διευκολύνουν την επικοινωνία ανάμεσα στους servers τους. Είναι η NL-whitelist.

Με την υποστήριξη του εργοδότη μου κατάφερα να υλοποιήσω μια αντίστοιχη λίστα η οποία είναι προσβάσιμη σαν grwhitelist.tee.gr. Έτσι μπορεί κάποιος να έχει υλοποιήσει φίλτρα για το antispam / antivirus control του που να χρησιμοποιούν είτε greylisting, είτε κάποια DNSBL και ταυτόχρονα να μην επιβαρύνει τους χρήστες του με καθυστέρηση του εισερχόμενου ηλεκτρονικού ταχυδρομείου από αποστολείς που χρησιμοποιούν Ελληνικούς ISP. Η χρήση της είναι αποδοτική γιατί η πλειονότητα των χρηστών ενός Ελληνικού ISP θα στείλει email σε άλλο Ελληνικό site. Παρόλο που το Ελληνικό (και το από “ελληνικά” IP εκκινώμενο) spam γνωρίζει σημαντική άνθηση, παρατηρώ πως χρησιμοποιώντας την grwhitelist.tee.gr σαν εξαίρεση από το greylisting[*] δεν υπάρχουν παράπονα για καθυστέρηση στην παράδοση του ηλεκτρονικού ταχυδρομείου σε συνδιασμό με ελάχιστα αυξημένο αριθμό false positives.

Ακόμα χειρότερα σκεφτείτε να μπει (παλαιότερα έχει συμβεί) κάποιος ISP με 100+Κ χρήστες σε μια DNSBL (π.χ. bl.spamcop.net, dsbl, spews, κοκ) και να μη μπορεί να στείλει τα email των χρηστών του σε άλλο αντίστοιχου μεγέθους Ελληνικό ISP που χρησιμοποιεί τη συγκεκριμένη DNSBL. Τουλάχιστον με την ύπαρξη και χρήση ενός nation-wide whitelist μπορεί να εξασφαλίσει την επικοινωνία μεταξύ των εγχώριων ISP (ακόμα και για το χρονικό διάστημα που θα απαιτηθεί για να γίνει το delisting). Φυσικά και υπάρχουν τρόποι να γίνει αυτό και “on a peer to peer basis”, YMMV.

Για την ώρα η grwhitelist.tee.gr περιέχει τους outgoing SMTP servers των μεγαλύτερων Ελληνικών ISP και μερικών Πανεπιστημίων.

[*] Χρησιμοποιώ το graymilter του Jeff Poskanzer από το http://www.acme.com/ . Είναι τόσο καλογραμμένο που το να γράψεις και να συντηρήσεις patch είναι πολύ εύκολο. Περισσότερα σε επόμενο post.

bogusmx.rfc-ignorant.org

RFCI publishes a number of usefull lists that can be used to effectively filter incoming email. One of the most usefull is bogusmx.rfc-ignorant.org which essentialy is a DNSBL that contains domain names with bogus MX servers (like localhost, 0.0.0.0 and so on):

” If any publicly listed MX record for domain contains a hostname which points to bogus IP address space, such as those documented in RFC 3330, or if the domain contains an MX RR that points to an IP address, in violation of RFC 1035 or if the domain has MX RRs which point to hostnames which themselves do not have an associated A record (including MXs which return an NXDOMAIN, or which are CNAMEs)”.

If you are a sendmail user,the trouble with bogusmx.rfc-ignorant.org is that you cannot use it with FEATURE(dnsbl). So you may need to write your own sendmail ruleset. Like this:

LOCAL_CONFIG
# Normally these should not be defined, since Kdnsbl does exactly what
# Kbmx_check does, and Kmacro does what Kbmx_macro does.
Kbmx_check dns -R A -a.FOUND -T.TMP
Kbmx_macro macro

LOCAL_RULESETS
SLocal_check_mail
R$*			$: $>canonify $1
R$* < @ $+ . > $*	$1 < @ $2 > $3
R$* < @ $+ > $*		$: $2
R$*			$: $(bmx_macro {Bmx} $@ $1 $) $1
# The next line is broken in two for readability
R$*			$: $(bmx_check $&{Bmx}.bogusmx.rfc-ignorant.org. $: $1.NOTFOUND $)
# The next line is broken in two for readability
R$* . FOUND		$#error $@ 5.7.1 $: Mail from $&{Bmx} refused.It is listed in bogusmx.rfc-ignorant.org.

You can grab the above sendmail code fragment from here. Always be careful if copy-pasting because sendmail uses tabs and not spaces to distinguish between LHS and RHS.

An alternative on how to use domain based blacklist zones is shown by RFCI here (and also has pointers for mail servers other than sendmail).

virbl.tee.gr

Actually my previous post, together with me using virbl.dnsbl.bit.nl made me think how one can share such data between many email servers under the same administrative domain. Well the answer is fairly easy:

Publish them using rbldnsd. Rbldnsd reads text files, so all you have to do is dump the B-Tree data to a text file of type ip4tset (read rbldnsd(8)):

makemap -u btree /var/cache/local/virbl/virbl.db | awk '{print $1}'

Then instruct sendmail / postfix / whatever email server you are using to use the zone you publish with rbldnsd as a DNSBL.

At this time we have a rate of blocking ~3500 connections daily from infected machines with no complaints by any user (ours or remote).

You may use virbl.tee.gr at your own risk. Machines are listed in and delisted from it automatically. Any machine that gets listed is delisted within an hour. Sending viral email to our mail servers results in relisting it. It’s governing policy is described at http://www.postmaster.tee.gr/ in Greek.

An interesting observation I have made is that (infected) machines that target one set of mail servers do not necessarily target another set (eg. your servers) within the hour. So instead of using virbl.tee.gr (if you find it a good idea) it might suit you better to implement a similar scheme for your servers.

MIMEDefang and virii

OK so you use MIMEDefang together with ClamAV[*] to check incoming messages for viral content. But given the fact that an infected machine will bomb you with many many messages, why should you check every message sent for a given time window? This is what I came up with:

The default mimedefang-filter(5) has the following check which discards viral messages:

if ($FoundVirus) {
  md_graphdefang_log('virus', $VirusName, $RelayAddr);
  md_syslog('warning', "Discarding because of virus $VirusName");
  return action_discard();
}

Changing it to:

if ($FoundVirus) {
  # OK log $RelayAddr
  # If you are on a Debian-like system you have to put
  # use DB_File in /etc/mail/mimedefang.pl.conf
  # otherwise you have to put it somewhere in mimedefang-filter
  my %vbl;
  my $now;
  tie %vbl, 'DB_File', "/var/cache/local/virbl/virbl.db", O_CREAT|O_RDWR, 0644, $DB_BTREE or die;
  $now = time;
  $vbl{$RelayAddr} = $now;
  untie %vbl;
  md_graphdefang_log('virus', $VirusName, $RelayAddr);
  md_syslog('warning', "Discarding because of virus $VirusName");
  return action_discard();
}

logs $RelayAddr (the IP address of the infected machine) together with a timestamp in a BerkeleyDB B-Tree. In our example this is /var/cache/local/virbl/virbl.db. You have to make this file writeable by the user that runs MIMEDefang on your system. And now using the following sendmail.mc code one can block this IP address prior to inspecting the message content:

LOCAL_CONFIG
# .db is appended by sendmail automagically
Kvirbl btree -a.FOUND /var/cache/local/virbl/virbl

LOCAL_RULESETS
# Always remember:  In sendmail the LHS and the RHS of the sendmail.mc/.cf is 
# separated with tabs and not spaces.  So do not copy-paste this fragment,
# type it.
SLocal_check_relay
R$*                     $: $&{client_addr}
R$*                     $: $(virbl $1 $: $1.NOTFOUND $)
# The next line broken in two for readability
R$* . FOUND             $#error $@ 5.7.1 $: You have sent us mail containing
           a virus and are blocked from our systems for an hour.

So now you need an expiration proccess. How long shall these IP addresses remain in your database? I keep them for one hour. It seems to be a reasonable default. A simple expiry script is the following perl snippet:

#!/usr/bin/perl
use DB_File;
$db = shift or die;
$threshold = shift or die;
tie %d, 'DB_File', $db, O_RDONLY, 0644, $DB_BTREE;
$now = time;
foreach $i (keys %d) {
        $diff = $now - $d{$i};
        if ($diff > $threshold) {
                delete $d{$i};
        }
}
untie %d;

You can run this script from cron every ten minutes or so. I’ve written my expiry program in C and run it every two minutes. If you also want to do this, you have to remember that the perl snippet on mimedefang-filter that logs $RelayAddr and the timestamp stores the timestamp as a string and not as an integer.

[*] There exist many HOWTOs on how to setup MIMEDefang to work with ClamAV. Just use Google.

secsup.org

Due to a customer having being stuck with a virus I found out this today:

http://www.secsup.org/complaints/

So I added these lines in our outgoing mail servers' sendmail.mc (for the future):

#Remember that sendmail distinguishes between LHS and RHS with TABS not spaces
LOCAL_CONFIG
F{MCI_DOMAINS} -o /etc/mail/mci-domains

LOCAL_RULESETS
SLocal_check_rcpt
R$*         $: $>canonify $1
R$- < @ $={MCI_DOMAINS} . > $*       $#error $@ 5.1.3 $: "Cannot send mail there.  See http://www.secsup.org/complaints/"

with /etc/mail/mci-domains containing:

mcimail.com
internetmci.com
networkmci.com
internetmci.net
networkmci.net