From: Thomas E. <Tho...@th...> - 2018-01-31 07:52:28

>Q: Is it safe to clear ldaplistdb?

yes

>Q: What is the best way to do it?

GUI, database tools ??

>Q: Shouldn't such entries get deleted automatically?

Is the entry wrong? Does the age matter anyway?

>On forceLDAPcrossCheck, ASSP does not use VRFY, although it is available:

set 'VRFYLog' to diagnostic

>HELP
>502 5.5.2 Error: command not recognized

A mail server that does not support the HELP command. Does this make sense?

>Anyway, when Postfix answers to VRFY with
>252 2.0.0 bla...@we...

The replies are checked against '$vrfyOKRE'. The default value is

$vrfyOKRE = qr/^25[01]$/;

so - 252 will not match - means it is not OK - means invalid address/domain

>On forceLDAPcrossCheck, ASSP does not use VRFY, although it is available:

"RCPT TO" is used as failover, if VRFY is not announced or rejected by the MTA

>Same, of course, when using "RCPT TO" - Postfix has to accept any
>address that looks valid - not just local addresses.

And why do you use postfix to validate your local mail addresses, if it is unable to validate them?

>:2018/01/29 12:01:22 [Worker_10000] Info: localdomains was changed -
>removed the now not matching temporary local domain entry '@web.de' from
>ldaplistdb

ldapcrosscheck removes such entries of "temporary local domain"

>Q: What is "temporary local domain"?
>Q: How does a domain get listed as "temporary local"?

ASSP got OK from postfix for a ...@web.de address - @web.de is then added to local domains temporary - it is not in the list of localdomains but valid

Check your setting of 'LDAPFail'!

AGAIN:

If your postfix is unable to validate local addresses as valid and all other addresses as invalid locals - DO NOT use it to verify local mail addresses for assp!

Thomas

From: "Zrin Ziborski" <zri...@zi...>
To: ass...@li...
Date: 31.01.2018 00:17
Subject: Re: [Assp-test] UnknownLocalSender / SpoofedSender for non-local domain

Q: Is it safe to clear ldaplistdb?
Q: What is the best way to do it?
I see very old entries, like
ti...@zi...|::|[2016-11-22,13:03:12] VRFY
Q: Shouldn't such entries get deleted automatically?

Settings:
DoVRFY: on
ldaplistdb: DB:
LDAPcrossCheckInterval: 24
MaxLDAPlistDays: 30
VRFYforceRCPTTO: <empty>

On forceLDAPcrossCheck, ASSP does not use VRFY, although it is available:
...
220 mx1.safemail.at ESMTP Postfix
EHLO mx1.safemail.at
250-mx1.safemail.at
250-PIPELINING
250-SIZE 31457280
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
HELP
502 5.5.2 Error: command not recognized
MAIL FROM:<pos...@mx...>
250 2.1.0 Ok
RCPT TO:<lin...@zi...>
250 2.1.5 Ok
QUIT
221 2.0.0 Bye
...

Anyway, when Postfix answers to VRFY with
252 2.0.0 bla...@we...
it means "I don't know whether the address is valid" and perhaps "it doesn't look invalid"
ASSP should not assume that the address is local!

Same, of course, when using "RCPT TO" - Postfix has to accept any address that looks valid - not just local addresses.

Checking the logs, I've found this (and similar entries, some with domains containing line breaks in the name (!?!)):
:2018/01/29 12:01:22 [Worker_10000] Info: localdomains was changed - removed the now not matching temporary local domain entry '@web.de' from ldaplistdb

Q: What is "temporary local domain"?
Q: How does a domain get listed as "temporary local"?

Thank you,
best regards,
Zrin Ziborski

On 30.01.2018 at 11:13, Thomas Eckardt wrote:
>>252 2.0.0 bla...@we...
>
> This is the wrong answer from your postfix. If assp sees this reply, it
> will cache 'web.de' as local domain for a while. Because, if
> bla...@we... is valid, web.de must be a local domain.
>
> Thomas
>
>
> From: "Zrin Ziborski" <zri...@zi...>
> To: ass...@li...
> Date: 30.01.2018 10:43
> Subject: Re: [Assp-test] UnknownLocalSender / SpoofedSender for
> non-local domain
> ------------------------------------------------------------------------
>
> Did check that - there was no "web.de" anywhere to find.
>
> Is it safe to empty the ldaplistdb?
>
> Is it normal that some entries in it contain line breaks?
> Example:
> @ziborski.net|::|[2018-01-30,06:24:27]
> @ziborski.net
> |::|[2018-01-30,08:03:05] VRFY
> @ziborski.net>
> |::|[2018-01-30,06:24:27]
>
> I've checked all of those:
> https://assp.my.net:55555/edit?file=DB-ldaplistdb&note=1
> https://assp.my.net:55555/edit?file=DB-LDAPShowDB&note=8
> (I guess it's the very same content)
> ./database/ldaplist
> ./ldaplist
> ./mysql/dbbackup/ldaplist*
>
> Couldn't find "web.de" there.
>
> Several weeks ago I did have a route (transport setting in postfix) for
> outgoing e-mails to web.de through another server, but that shouldn't
> touch local domains (?)
>
> BTW, when manually testing VRFY on the internal port for ASSP->Postfix I
> get following:
>
> 220 mx1.safemail.at ESMTP Postfix
> EHLO localhost
> 250-mx1.safemail.at
> 250-PIPELINING
> 250-SIZE 31457280
> 250-VRFY
> 250-ETRN
> 250-AUTH PLAIN LOGIN
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
> VRFY postmaster
> 252 2.0.0 postmaster
> VRFY pos...@sa...
> 252 2.0.0 pos...@sa...
> VRFY pos...@go...
> 252 2.0.0 pos...@go...
> VRFY pos...@we...
> 252 2.0.0 pos...@we...
> VRFY blahblah
> 550 5.1.1 <blahblah>: Recipient address rejected: User unknown in local
> recipient table
> VRFY bla...@we...
> 252 2.0.0 bla...@we...
> QUIT
> 221 2.0.0 Bye
>
>
> Thank you,
> best regards,
> Zrin
>
>
> On 30.01.2018 at 09:18, Thomas Eckardt wrote:
>> check the content of 'ldaplistdb' and remove all nolocal domain entries.
>>
>> eg.
>> @web.de
>>
>> Thomas
>>
>>
>> From: "Zrin Ziborski" <zri...@zi...>
>> To: "ASSP development mailing list" <ass...@li...>
>> Date: 29.01.2018 16:24
>> Subject: [Assp-test] UnknownLocalSender / SpoofedSender for non-local
>> domain
>> ------------------------------------------------------------------------
>>
>> ASSP version 2.5.5(17223)
>>
>> Hello all,
>>
>> I've noticed [UnknownLocalSender] and [SpoofedSender] in the log for an
>> external incoming e-mail that has non-local from address:
>>
>> 2018/01/03 20:47:08 08828-29715 [Worker_1] [TLS-in] 212.227.15.4
>> <xx...@we...> info: found message size announcement: 9.62 kByte
>> 2018/01/03 20:47:08 08828-29715 [Worker_1] [TLS-in] [UnknownLocalSender]
>> 212.227.15.4 <xx...@we...> [monitoring] (Invalid Local Sender
>> 'xx...@we...')
>> 2018/01/03 20:47:08 08828-29715 [Worker_1] [TLS-in] [SpoofedSender]
>> 212.227.15.4 <xx...@we...> [scoring] (No Spoofing Allowed
>> 'xx...@we...' in 'mailfrom')
>> 2018/01/03 20:47:08 08828-29715 [Worker_1] [TLS-in] 212.227.15.4
>> <xx...@we...> Message-Score: added 37 (slValencePB) for No Spoofing
>> Allowed 'xx...@we...' in 'mailfrom', total score for this message is
>> now 37
>> 2018/01/03 20:47:09 08828-29715 [Worker_1] [TLS-in] 212.227.15.4
>> <xx...@we...> to: rr...@de... info: remove IP-score from
>> 212.227.15.4 - this mail passed the SPF check
>> 2018/01/03 20:47:09 08828-29715 [Worker_1] [TLS-in] 212.227.15.4
>> <xx...@we...> to: rr...@de... Message-Score: added -5
>> (spfpValencePB) for SPF pass, total score for this message is now 32
>>
>> Settings:
>>
>> LocalAddresses_Flat: <empty>
>> localDomains: file:files/localdomains.txt
>> DoVRFY: on
>>
>> files/localdomains.txt does NOT contain "web.de".
>>
>> LDAP is not used there.
>>
>> What can cause this behavior?
>> What can I do to debug that?
>>
>> Thank you in advance,
>> Zrin
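
An added example (not part of the thread and not ASSP's code): this Python sketch classifies the replies in a captured VRFY / RCPT TO session using the `^25[01]$` pattern quoted above, and lists the probes for non-local addresses that the backend did not clearly reject. The transcript, the `local.example` / `remote.example` names and all function names are constructed for illustration.

```python
import re

# Default acceptance pattern quoted in the thread: only 250 and 251 count as OK.
VRFY_OK_RE = re.compile(r"^25[01]$")

# Constructed transcript for illustration; hosts and addresses are placeholders.
TRANSCRIPT = """\
VRFY postmaster@local.example
252 2.0.0 postmaster@local.example
VRFY nobody@remote.example
252 2.0.0 nobody@remote.example
VRFY blahblah
550 5.1.1 <blahblah>: Recipient address rejected: User unknown
RCPT TO:<nobody@remote.example>
250 2.1.5 Ok
"""

def parse_probes(text):
    """Pair each VRFY / RCPT TO command with the code of its final reply line."""
    probes, pending = [], None
    for line in text.splitlines():
        cmd = re.match(r"(?i)^(VRFY|RCPT TO):?\s*<?([^<>\s]+)>?\s*$", line)
        reply = re.match(r"^(\d{3})(-| |$)", line)
        if cmd:
            pending = (cmd.group(1).upper(), cmd.group(2))
        elif reply and pending and reply.group(2) != "-":  # "250-" lines continue
            probes.append(pending + (reply.group(1),))
            pending = None
    return probes

def classify(code):
    if VRFY_OK_RE.match(code):
        return "ok"          # treated as a valid address
    if code == "252":
        return "undecided"   # RFC 5321: cannot VRFY, but will attempt delivery
    return "rejected" if code.startswith("5") else "tempfail"

def audit(probes, local_domains):
    """Return probes for non-local addresses that were not clearly rejected."""
    findings = []
    for method, addr, code in probes:
        domain = addr.rpartition("@")[2].lower() if "@" in addr else None
        verdict = classify(code)
        if domain and domain not in local_domains and verdict != "rejected":
            findings.append((method, addr, code, verdict))
    return findings

if __name__ == "__main__":
    for finding in audit(parse_probes(TRANSCRIPT), {"local.example"}):
        print("backend did not reject non-local address:", finding)
```

An "ok" finding for a non-local address is the condition under which, per the reply above, the domain is added as a temporary local domain.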