Menu
▾
▴
Re: [Assp-test] UnknownLocalSender / SpoofedSender for non-local domain
|
From: Zrin Z. <zri...@zi...> - 2018-01-30 23:16:45
|
Q: Is it safe to clear ldaplistdb? Q: What is the best way to do it? I see very old entries, like ti...@zi...|::|[2016-11-22,13:03:12] VRFY Q: Shouldn't such entries get deleted automatically? Settings: DoVRFY: on ldaplistdb: DB: LDAPcrossCheckInterval: 24 MaxLDAPlistDays: 30 VRFYforceRCPTTO: <empty> On forceLDAPcrossCheck, ASSP does not use VRFY, although it is available: ... 220 mx1.safemail.at ESMTP Postfix EHLO mx1.safemail.at 250-mx1.safemail.at 250-PIPELINING 250-SIZE 31457280 250-VRFY 250-ETRN 250-AUTH PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN HELP 502 5.5.2 Error: command not recognized MAIL FROM:<pos...@mx...> 250 2.1.0 Ok RCPT TO:<lin...@zi...> 250 2.1.5 Ok QUIT 221 2.0.0 Bye ... Anyway, when Postfix answers to VRFY with 252 2.0.0 bla...@we... it means "I don't know whether the address is valid" and perhaps "it doesn't look invalid" ASSP should not assume that the address is local! Same, of course, when using "RCPT TO" - Postfix has to accept any address that looks valid - not just local addresses. Checking the logs, I've found this (and similar entries, some with domains containing line breaks in the name (!?!)): :2018/01/29 12:01:22 [Worker_10000] Info: localdomains was changed - removed the now not matching temporary local domain entry '@web.de' from ldaplistdb Q: What is "temporary local domain"? Q: How does a domain get listed as "temporary local"? Thank you, best regards, Zrin Ziborski Am 30.01.2018 um 11:13 schrieb Thomas Eckardt: >>252 2.0.0 bla...@we... > > This is the wrong answer from your postfix. If assp sees this reply, it > will cache 'web.de' as local domain for a while. Because, if > bla...@we... valid, web.de must be a local domain. > > Thomas > > > > > > Von: "Zrin Ziborski" <zri...@zi...> > An: ass...@li... > Datum: 30.01.2018 10:43 > Betreff: Re: [Assp-test] UnknownLocalSender / SpoofedSender for > non-local domain > ------------------------------------------------------------------------ > > > > Did check that - there was no "web.de" anywhere to find. > > Is it safe to empty the ldaplistdb? > > Is it normal that some entries in it contain line breaks? > Example: > @ziborski.net|::|[2018-01-30,06:24:27] > @ziborski.net > |::|[2018-01-30,08:03:05] VRFY > @ziborski.net> > |::|[2018-01-30,06:24:27] > > I've checked all of those: > https://assp.my.net:55555/edit?file=DB-ldaplistdb¬e=1 > https://assp.my.net:55555/edit?file=DB-LDAPShowDB¬e=8 > (I guess it's the very same content) > ./database/ldaplist > ./ldaplist > ./mysql/dbbackup/ldaplist* > > Couldn't find "web.de" there. > > Several weeks ago I did have a route (transport setting in postfix) for > outgoing e-mails to web.de through another server, but that shouldnt > touch local domains (?) > > BTW, when manually testung VRFY on the internal port for ASSP->Postfix I > get following: > > 220 mx1.safemail.at ESMTP Postfix > EHLO localhost > 250-mx1.safemail.at > 250-PIPELINING > 250-SIZE 31457280 > 250-VRFY > 250-ETRN > 250-AUTH PLAIN LOGIN > 250-ENHANCEDSTATUSCODES > 250-8BITMIME > 250 DSN > VRFY postmaster > 252 2.0.0 postmaster > VRFY pos...@sa... > 252 2.0.0 pos...@sa... > VRFY pos...@go... > 252 2.0.0 pos...@go... > VRFY pos...@we... > 252 2.0.0 pos...@we... > VRFY blahblah > 550 5.1.1 <blahblah>: Recipient address rejected: User unknown in local > recipient table > VRFY bla...@we... > 252 2.0.0 bla...@we... > QUIT > 221 2.0.0 Bye > > > Thank you, > best regards, > Zrin > > > Am 30.01.2018 um 09:18 schrieb Thomas Eckardt: >> check the content of 'ldaplistdb' and remove all nolocal domain entries. >> >> eg. >> @web.de >> >> Thomas >> >> >> >> >> Von: "Zrin Ziborski" <zri...@zi...> >> An: "ASSP development mailing list" <ass...@li...> >> Datum: 29.01.2018 16:24 >> Betreff: [Assp-test] UnknownLocalSender / SpoofedSender for non-local >> domain >> ------------------------------------------------------------------------ >> >> >> >> ASSP version 2.5.5(17223) >> >> Helo all, >> >> I've noticed [UnknownLocalSender] and [SpoofedSender] in the log for an >> external incoming e-mail that has non-local from address: >> >> 2018/01/03 20:47:08 08828-29715 [Worker_1] [TLS-in] 212.227.15.4 >> <xx...@we...> info: found message size announcement: 9.62 kByte >> 2018/01/03 20:47:08 08828-29715 [Worker_1] [TLS-in] [UnknownLocalSender] >> 212.227.15.4 <xx...@we...> [monitoring] (Invalid Local Sender >> 'xx...@we...') >> 2018/01/03 20:47:08 08828-29715 [Worker_1] [TLS-in] [SpoofedSender] >> 212.227.15.4 <xx...@we...> [scoring] (No Spoofing Allowed >> 'xx...@we...' in 'mailfrom') >> 2018/01/03 20:47:08 08828-29715 [Worker_1] [TLS-in] 212.227.15.4 >> <xx...@we...> Message-Score: added 37 (slValencePB) for No Spoofing >> Allowed 'xx...@we...' in 'mailfrom', total score for this message is >> now 37 >> 2018/01/03 20:47:09 08828-29715 [Worker_1] [TLS-in] 212.227.15.4 >> <xx...@we...> to: rr...@de... info: remove IP-score from >> 212.227.15.4 - this mail passed the SPF check >> 2018/01/03 20:47:09 08828-29715 [Worker_1] [TLS-in] 212.227.15.4 >> <xx...@we...> to: rr...@de... Message-Score: added -5 >> (spfpValencePB) for SPF pass, total score for this message is now 32 >> >> Settings: >> >> LocalAddresses_Flat: <empty> >> localDomains: file:files/localdomains.txt > <file://files/localdomains.txt><file://files/localdomains.txt> >> DoVRFY: on >> >> files/localdomains.txt does NOT contain "web.de". >> >> LDAP is not used there. >> >> What can cause this behavior? >> What can I do to debug that? >> >> Thank you in advance, >> Zrin |
