From: Lars N. <Lar...@mc...> - 2009-06-24 15:21:49

On Wednesday 24 June 2009 10:48:39 Lars Nordin wrote:
> On Tuesday 23 June 2009 18:16:24 SM wrote:
> > Did you start batv-filter with -m MSP-v4?
>
> Thanks for the reply.
>
> I just tried adding what you suggested but it did not work.
>
> FYI, here is the full argument list of how batv-filter is running:
> /usr/bin/batv-filter -u batv-filter -P /var/run/batv-filter/batv-filter.pid
> -p /var/run/batv-filter/batv-filter.sock -l -S -k /etc/mail/batv.key -m
> MSP-v4

Answering my own question here, I ended up creating /etc/mail/batv.localhosts (Ubuntu scheme) for the "-i" arg for batv-filter. I put the IP network of my PC where I'm running Thunderbird from.

Now messages sent from my PC thru sendmail are BATV signed.

From: SM <sm...@re...> - 2009-06-24 15:15:12

At 07:48 24-06-2009, Lars Nordin wrote:
>On Tuesday 23 June 2009 18:16:24 SM wrote:
>I just tried adding what you suggested but it did not work.
>
>FYI, here is the full argument list of how batv-filter is running:
>/usr/bin/batv-filter -u batv-filter -P
>/var/run/batv-filter/batv-filter.pid -p
>/var/run/batv-filter/batv-filter.sock -l -S -k /etc/mail/batv.key -m MSP-v4

Can you post the mail log extract of the message submission?

Regards,
-sm

From: Lars N. <Lar...@mc...> - 2009-06-24 14:49:37

On Tuesday 23 June 2009 18:16:24 SM wrote:
>
> Did you start batv-filter with -m MSP-v4?

Thanks for the reply.

I just tried adding what you suggested but it did not work.

FYI, here is the full argument list of how batv-filter is running:
/usr/bin/batv-filter -u batv-filter -P /var/run/batv-filter/batv-filter.pid -p /var/run/batv-filter/batv-filter.sock -l -S -k /etc/mail/batv.key -m MSP-v4

From: SM <sm...@re...> - 2009-06-23 22:17:01

At 11:56 23-06-2009, Lars Nordin wrote:
>I am having problems with BATV milter and sendmail not signing relayed mail.
>There is something that I have not configured correctly and it is probably with
>sendmail.
>
>Here is what I am running:
>- Sendmail Version 8.14.3
>- BATV milter v0.5.0 (I compiled myself)
>- Ubuntu Linux v9.04
>
>I can send mail via login (i.e. mailx) and the messages are signed but when I
>send messages thru submission (port 587), those messages are not signed.

Did you start batv-filter with -m MSP-v4?

Regards,
-sm

From: Lars N. <Lar...@mc...> - 2009-06-23 18:57:10

I am having problems with BATV milter and sendmail not signing relayed mail. There is something that I have not configured correctly and it is probably with sendmail.

Here is what I am running:
- Sendmail Version 8.14.3
- BATV milter v0.5.0 (I compiled myself)
- Ubuntu Linux v9.04

I can send mail via login (i.e. mailx) and the messages are signed but when I send messages thru submission (port 587), those messages are not signed.

Any help would be appreciated - it has been quite a while since I have administered sendmail.

Here is my sendmail.mc file:

define(`_USE_ETC_MAIL_')dnl
include(`/usr/share/sendmail/cf/m4/cf.m4')dnl
VERSIONID(`$Id: sendmail.mc, v 8.14.3-6 2008-12-06 22:15:17 cowboy Exp $')
OSTYPE(`debian')dnl
DOMAIN(`debian-mta')dnl
undefine(`confHOST_STATUS_DIRECTORY')dnl #DAEMON_HOSTSTATS=
FEATURE(`no_default_msa')dnl
DAEMON_OPTIONS(`Family=inet, Name=MTA-v4, Port=smtp')dnl
DAEMON_OPTIONS(`Family=inet, Name=MSP-v4, Port=submission, M=Ea')dnl
define(`confPRIVACY_FLAGS',dnl
`needmailhelo,needexpnhelo,needvrfyhelo,restrictqrun,restrictexpand,nobodyreturn,authwarnings')dnl
define(`confCONNECTION_RATE_THROTTLE', `15')dnl
define(`confCONNECTION_RATE_WINDOW_SIZE',`10m')dnl
FEATURE(`use_cw_file')dnl
FEATURE(`access_db', , `skip')dnl
FEATURE(`greet_pause', `1000')dnl 1 seconds
FEATURE(`delay_checks', `friend', `n')dnl
define(`confBAD_RCPT_THROTTLE',`3')dnl
FEATURE(`conncontrol', `nodelay', `terminate')dnl
FEATURE(`ratecontrol', `nodelay', `terminate')dnl
include(`/etc/mail/m4/dialup.m4')dnl
include(`/etc/mail/m4/provider.m4')dnl
include(`/etc/mail/tls/starttls.m4')dnl
define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_OPTIONS', `A p y')dnl
INPUT_MAIL_FILTER(`batv-filter', `S=/var/run/batv-filter/batv-filter.sock')
FEATURE(`always_add_domain')dnl
MASQUERADE_AS(`sendmail1.lars.ctqa.net')dnl
FEATURE(`allmasquerade')dnl
FEATURE(`masquerade_envelope')dnl
MAILER_DEFINITIONS
MAILER(`local')dnl
MAILER(`smtp')dnl

From: Hirohisa Y. <um...@gm...> - 2009-06-03 23:57:00

Hi,

I'm new here. A few things.

1. I got the same warning as we experienced in dkim-filter:

cc -O -I. -I../../include -I/usr/include -DWITHOUT_SMSTRING -D_THREAD_SAFE -DXP_MT -c batv-filter.c
batv-filter.c: In function 'main':
batv-filter.c:3467: warning: comparison is always true due to limited range of data type
batv-filter.c:3467: warning: comparison is always true due to limited range of data type

2. There might be some people who do not want to use sm_strl*() while their OS already has them. I attach a patch for them.

Btw, is there any ongoing work for standardizing BATV now? draft-levine-smtp-batv looks to be expired.

Regards,
--
Hirohisa Yamaguchi
um...@gm...

From: SM <sm...@re...> - 2008-02-28 21:01:49

Hi Todd,
At 12:29 28-02-2008, Todd Lyons wrote:
>I applied the patch. It builds and it runs, but I get timeouts when
>sendmail is talking to the milter.

Apply the attached patch.

>Almost the whole patch was just whitespace changes except for two parts.

Sorry about that; it was a quick fix.

>The first part was just a s/strlcpy/sm_strlcpy/, so that makes perfect
>sense. But this part uses a different variable. Is that right?
>
> >@@ -958,8 +958,8 @@ > > buf[1] = sig[1]; > > buf[2] = sig[2]; > > buf[3] = sig[3]; > >- strlcat(buf, orcpt, sizeof buf); > >- strlcat(buf, key, sizeof buf); > >+ sm_strlcat(buf, orcpt, sizeof buf); > >+ sm_strlcat(buf, key, sizeof buf);

We are doing s/strlcat/sm_strlcat/ here.

Regards,
-sm

From: Todd L. <tl...@iv...> - 2008-02-28 20:29:28

On Thu, Feb 28, 2008 at 10:57:08AM -0800, SM wrote:
>> batv-filter.o: In function `mlfi_envrcpt':
>> batv-filter.c:(.text+0x1557): undefined reference to `strlcpy'
> That's not needed. Replace strlcpy in the source with sm_strlcpy and
> strlcat with sm_strlcat or apply the attached patch.

I applied the patch. It builds and it runs, but I get timeouts when sendmail is talking to the milter.

sendmail.mc:
INPUT_MAIL_FILTER(`batv',`S=inet:10038@localhost, F= T=C:1m;S:60s;R:2m')

/usr/bin/batv-filter -l -h -p inet:10038 -P /var/run/batv-milter.pid -a /etc/mail/batv-allow -i /etc/mail/batv-sign-ips -k /etc/mail/domainkeys/test.pem -n -d mrball.net

Results in this:
Feb 28 12:16:16 mail sm-mta[9869]: m1SKG4Cq009869: Milter (batv): timeout before data read, where=body
Feb 28 12:16:16 mail sm-mta[9869]: m1SKG4Cq009869: Milter (batv): to error state
Feb 28 12:16:16 mail sm-mta[9869]: m1SKG4Cq009869: Milter: data, reject=451 4.3.2 Please try again later
Feb 28 12:16:16 mail sm-mta[9869]: m1SKG4Cq009869: to=<to...@mr...>, delay=0 0:00:11, pri=35220, stat=Please try again later

Almost the whole patch was just whitespace changes except for two parts. The first part was just a s/strlcpy/sm_strlcpy/, so that makes perfect sense. But this part uses a different variable. Is that right?

>@@ -958,8 +958,8 @@ > buf[1] = sig[1]; > buf[2] = sig[2]; > buf[3] = sig[3]; >- strlcat(buf, orcpt, sizeof buf); >- strlcat(buf, key, sizeof buf); >+ sm_strlcat(buf, orcpt, sizeof buf); >+ sm_strlcat(buf, key, sizeof buf); > > SHA1_Init(&sha1); > SHA1_Update(&sha1, buf, strlen(buf));

Thanks for the very quick patch, BTW!
--
Regards... Todd
We should not be building surveillance technology into standards. Law enforcement was not supposed to be easy. Where it is easy, it's called a police state. -- Jeff Schiller on NANOG
Linux kernel 2.6.22-14-generic load average: 0.00, 0.01, 0.00

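Review bot: The two sm_strlcat() calls that append orcpt and then key to buf ignore their return values, so a long orcpt can leave key truncated or dropped entirely, and SHA1_Update(&sha1, buf, strlen(buf)) then hashes input that no longer contains the full secret. Check each call for truncation against sizeof buf and fail the signature computation when it occurs, or pass orcpt and key to SHA1_Update() separately so the fixed-size buffer is not involved.
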
From: SM <sm...@re...> - 2008-02-28 20:04:04

Hi Murray,
At 11:46 28-02-2008, Murray S. Kucherawy wrote:
>libsm is not part of the batv distribution yet, so those symbols will also
>be unresolved.

strcpy and strcat could be replaced with the g_ variant meanwhile as a workaround.

Regards,
-sm

From: Murray S. K. <ms...@se...> - 2008-02-28 19:57:50

On Thu, 28 Feb 2008, Todd Lyons wrote:
> WDYT?

Someone opened a bug against batv-milter earlier this week about the same issue. The solution for dk-milter and dkim-milter was to include libsm from the open source sendmail distribution which has our own implementations of those functions (i.e. sm_strlcpy() and sm_strlcat()).

I'm inclined to do that for batv-milter as well since that seems to be the simplest and most universal solution.

From: Murray S. K. <ms...@se...> - 2008-02-28 19:46:21

On Thu, 28 Feb 2008, SM wrote:
> That's not needed. Replace strlcpy in the source with sm_strlcpy and
> strlcat with sm_strlcat or apply the attached patch.

libsm is not part of the batv distribution yet, so those symbols will also be unresolved.

From: SM <sm...@re...> - 2008-02-28 18:58:10

Hi Todd,
At 09:29 28-02-2008, Todd Lyons wrote:
>Hi Murray, while reading a post in NANOG, I stumbled across Sendmail's
>milter implementation of batv, so I downloaded and tried to build it, but
>I get this:

[snip]

>batv-filter.o: In function `mlfi_envrcpt':
>batv-filter.c:(.text+0x1557): undefined reference to `strlcpy'

>In reading some mailing list posts, it seems like the GNU libc
>maintainers won't put them in libc as shown in:
> http://en.wikipedia.org/wiki/Strlcpy
> http://sources.redhat.com/ml/libc-alpha/2000-08/msg00053.html
> http://sources.redhat.com/ml/libc-alpha/2002-01/msg00001.html
>
>What solutions do I have for getting this to work on my Linux machines?
>I see an inference that on GNU systems it should be provided by glib and
>are named g_strlcpy and g_strlcat. It does appear to be that way on my
>system:

That's not needed. Replace strlcpy in the source with sm_strlcpy and strlcat with sm_strlcat or apply the attached patch.

Regards,
-sm

From: Todd L. <tl...@iv...> - 2008-02-28 17:29:49

Hi Murray, while reading a post in NANOG, I stumbled across Sendmail's milter implementation of batv, so I downloaded and tried to build it, but I get this:

make[1]: Entering directory `/root/src/batv-milter-0.2.0/obj.Linux.2.6.22-gentoo-r8.i686/batv-filter'
cc -O2 -I. -I../../include -UNIS -DSTARTTLS -D_REENTRANT -DXP_MT -c -o batv-filter.o batv-filter.c
cc -o batv-filter -lpthread batv-filter.o -lmilter -ldb -lresolv -lcrypt -lnsl -ldl -lssl -lcrypto -lssl -lcrypto
batv-filter.o: In function `mlfi_envrcpt':
batv-filter.c:(.text+0x1557): undefined reference to `strlcpy'
batv-filter.c:(.text+0x17ca): undefined reference to `strlcpy'
batv-filter.c:(.text+0x19cc): undefined reference to `strlcat'
batv-filter.c:(.text+0x19e6): undefined reference to `strlcat'
batv-filter.o: In function `mlfi_envfrom':
batv-filter.c:(.text+0x2109): undefined reference to `strlcat'
batv-filter.c:(.text+0x2130): undefined reference to `strlcat'
collect2: ld returned 1 exit status
make[1]: *** [batv-filter] Error 1
make[1]: Leaving directory `/root/src/batv-milter-0.2.0/obj.Linux.2.6.22-gentoo-r8.i686/batv-filter'
make: *** [all] Error 2

In reading some mailing list posts, it seems like the GNU libc maintainers won't put them in libc as shown in:
 http://en.wikipedia.org/wiki/Strlcpy
 http://sources.redhat.com/ml/libc-alpha/2000-08/msg00053.html
 http://sources.redhat.com/ml/libc-alpha/2002-01/msg00001.html

What solutions do I have for getting this to work on my Linux machines? I see an inference that on GNU systems it should be provided by glib and are named g_strlcpy and g_strlcat. It does appear to be that way on my system:

mail batv-milter-0.2.0 # nm -D /usr/lib/libglib-2.0.so | grep strlc
0004e320 T g_strlcat
0004df20 T g_strlcpy

And from /usr/include/glib-2.0/glib/gstrfuncs.h:

gsize g_strlcpy (gchar *dest, const gchar *src, gsize dest_size);
gsize g_strlcat (gchar *dest, const gchar *src, gsize dest_size);

So for a linux box which doesn't have strl* provided either manually by downloading the source from ftp.openbsd.org or specifically by a patched GNU libc, then it could set some #DEFINE. And that setting could make it read in a header that wraps g_strl* around strl*. (I guess the biggest issue here is _what_ to do to actually detect that the OS needs to use one or the other.)

WDYT?
--
Regards... Todd
The greatest shortcoming of the human race is our inability to understand the exponential function. --Albert Bartlett, physicist
Linux kernel 2.6.22-14-generic load average: 0.12, 0.11, 0.09

From: Murray S. K. <ms...@se...> - 2007-08-29 22:50:55

On Wed, 29 Aug 2007, Andy Fiddaman wrote:
> if (sigexpire < SIGLIFETIME && daynum >= 1000 - SIGLIFETIME)
>         daynum -= 1000;
> if (daynum > sigexpire)
>         /* expired */

Ah yes, that's simpler. I'd forgotten that I was using signed quantities there rather than unsigned ones.

Nicely done! I'll put a new version out soon.

From: Andy F. <ba...@fi...> - 2007-08-29 22:18:35

On Wed, 29 Aug 2007, Murray S. Kucherawy wrote:
; The attached patch fixes that and one other problem related to processing the
; "-i" list. I'll post v0.2.0 soon unless you find issues with these.

Just a query about the expiry check..

It's currently:

daynum = (now / 86400) % 1000;
if (!(sigexpire > daynum ||
      (daynum <= 1000 && sigexpire > daynum + 1000)))

but (daynum <= 1000) is always true and (sigexpire > daynum + 1000) is always false, so it doesn't appear to handle the wraparound case properly.

How about something like the following?

if (sigexpire < SIGLIFETIME && daynum >= 1000 - SIGLIFETIME)
        daynum -= 1000;
if (daynum > sigexpire)
        /* expired */

Andy

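The wraparound case raised in this message, worked through as an added example (not code from batv-filter or from any poster): it runs the quoted check and the proposed replacement against a signature whose DDD wraps past 999. SIGLIFETIME = 7, the function names and the sample day number are assumptions made for illustration.

```c
#include <stdio.h>
#include <time.h>

#define SIGLIFETIME 7	/* assumed lifetime in days; the thread gives no value */

/* Signing side as corrected in the thread: (now / 86400 + lifetime) % 1000 */
static int batv_expiry_day(time_t now)
{
	return (int) ((now / 86400 + SIGLIFETIME) % 1000);
}

/* The check quoted in the message; its second clause can never be true. */
static int expired_quoted(int sigexpire, int daynum)
{
	return !(sigexpire > daynum ||
	         (daynum <= 1000 && sigexpire > daynum + 1000));
}

/* The proposed check: when the expiry day has wrapped past 999 and today
   has not, move today into the negative range before comparing. */
static int expired_proposed(int sigexpire, int daynum)
{
	if (sigexpire < SIGLIFETIME && daynum >= 1000 - SIGLIFETIME)
		daynum -= 1000;
	return daynum > sigexpire;
}

int main(void)
{
	/* Constructed input: day 13998 since 1970, so the expiry day wraps. */
	time_t signed_at = (time_t) 13998 * 86400;
	int ddd = batv_expiry_day(signed_at);
	long day;

	printf("DDD=%03d\n", ddd);
	for (day = 13998; day <= 14006; day++) {
		int daynum = (int) (day % 1000);
		printf("day %03d quoted=%d proposed=%d\n", daynum,
		       expired_quoted(ddd, daynum), expired_proposed(ddd, daynum));
	}
	return 0;
}
```

The three-digit day number still aliases every 1000 days, so neither check can distinguish a fresh signature from one issued a multiple of 1000 days earlier.
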
From: Murray S. K. <ms...@se...> - 2007-08-29 17:56:08

On Thu, 23 Aug 2007, Andy Fiddaman wrote:
> so based on this I would expect the days in the inserted key to be based
> on:
> (now / 86400) % 1000 + KEY_LIFETIME

Actually it should be:

(now / 86400 + KEY_LIFETIME) % 1000

...but basically you're right.

The attached patch fixes that and one other problem related to processing the "-i" list. I'll post v0.2.0 soon unless you find issues with these.

From: SM <sm...@re...> - 2007-08-28 19:18:00

Hi Andy,
At 07:39 23-08-2007, Andy Fiddaman wrote:
>I've been looking at the batv milter implementation along with the
>draft-levine-batv-03 specification and I've got a question about how the
>key lifetime is implemented in the milter.
>
>In the draft, the three digit day number (DDD) is defined as
> ; ... low three digits of
> ; the number of days since 1970
> ; when the address will expire
>
>so based on this I would expect the days in the inserted key to be based
>on:
> (now / 86400) % 1000 + KEY_LIFETIME
>
>and the validator would then just compare DDD against the current day.
>
>The milter currently implements this in reverse - DDD is populated
>as the current day and the validation component checks that DDD < current
>day + KEY_LIFETIME.
>
>I appreciate that if the same implementation is used for both signing and
>verifying then the end result is the same but is my reading of the
>standard correct or is the milter correct as implemented?

DDD is expiry day. We have expiry if DDD < (days from 1970 % 1000)

The source code does:

(void) time(&now);
daynum = (now / 86400) % 1000;
if (!(sigdaynum + SIGLIFETIME > daynum ||
      (daynum <= 1000 && sigdaynum + SIGLIFETIME > daynum + 1000)))
{

I don't see why we have SIGLIFETIME in there as we only need that when computing the expiry days for signing.

Regards,
-sm

From: Andy F. <ba...@fi...> - 2007-08-23 14:39:53

I've been looking at the batv milter implementation along with the draft-levine-batv-03 specification and I've got a question about how the key lifetime is implemented in the milter.

In the draft, the three digit day number (DDD) is defined as
 ; ... low three digits of
 ; the number of days since 1970
 ; when the address will expire

so based on this I would expect the days in the inserted key to be based on:
 (now / 86400) % 1000 + KEY_LIFETIME

and the validator would then just compare DDD against the current day.

The milter currently implements this in reverse - DDD is populated as the current day and the validation component checks that DDD < current day + KEY_LIFETIME.

I appreciate that if the same implementation is used for both signing and verifying then the end result is the same but is my reading of the standard correct or is the milter correct as implemented?

Thanks,
Andy