Aleksandar Milivojevic
2005-Mar-13 06:11 UTC
[Centos] mimedefang & milter-greylist packages
I mentioned mimedefang a couple of days ago. If anybody needs it, it can be found at:

http://www.milivojevic.org/linux/rhel4/

For mimedefang, there are a couple of dependencies on packages from Dag's repository:

perl-MIME-tools
perl-IO-stringy
perl-MailTools

I'd recommend adding these too:

perl-File-Scan
perl-Archive-Zip
perl-Net-DNS

To hook in ClamAV (RPMs can be found in Dag's repo), add something like this to the global section of the mimedefang-filter file:

#***********************************************************************
# Define AntiVirus used.
#***********************************************************************
$Features{'Virus:CLAMD'} = 1;
$ClamdSock = "/var/run/clamav/clamd.sock";

Note that to use it this way, the default ClamAV config needs to be changed to allow using Unix domain sockets. Also, the clamav user must be added to the defang group (so that clamd can scan files owned by the defang user&group).

--
Aleksandar Milivojevic <amilivojevic@pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7
that link is broken :-(

Aleksandar Milivojevic wrote:
> I mentioned mimedefang couple of days ago. If anybody needs it, can be found at:
>
> http://www.milivojevic.org/linux/rhel4/
>
> For mimedefang, there are couple of dependencies on packages from Dag's repository:
>
> perl-MIME-tools
> perl-IO-stringy
> perl-MailTools
>
> I'd recommend adding these too:
>
> perl-File-Scan
> perl-Archive-Zip
> perl-Net-DNS
>
> To hook ClamAV (RPMs can be found in Dag's repo), add something like this to
> global section of mimedefang-filter file:
>
> #***********************************************************************
> # Define AntiVirus used.
> #***********************************************************************
> $Features{'Virus:CLAMD'} = 1;
> $ClamdSock = "/var/run/clamav/clamd.sock";
>
> Note that to use it this way, default ClamAV config needs to be changed to allow
> using Unix domain sockets. Also, clamav user must be added to defang group (so
> that clamd can scan files owned by defang user&group).
Aleksandar Milivojevic
2005-Mar-14 00:13 UTC
[Centos] mimedefang & milter-greylist packages
Quoting Peter Farrow <peter@farrows.org>
Date: Sun, 13 Mar 2005 13:08:20

> Aleksandar Milivojevic wrote:
>
>> I mentioned mimedefang couple of days ago. If anybody needs it, can be
>> found at:
>>
>> http://www.milivojevic.org/linux/rhel4/
>
> that link is broken

Oops, my error. I've placed it in the wrong directory. It is fixed now, and this time I actually checked that the link works ;-)

--
Aleksandar Milivojevic <amilivojevic@pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7
On Sun, 2005-03-13 at 00:11 -0600, Aleksandar Milivojevic wrote:
> I mentioned mimedefang couple of days ago. If anybody needs it, can be found at:
>
> http://www.milivojevic.org/linux/rhel4/
>
> For mimedefang, there are couple of dependencies on packages from Dag's repository:
>
> perl-MIME-tools
> perl-IO-stringy
> perl-MailTools
>
> I'd recommend adding these too:
>
> perl-File-Scan
> perl-Archive-Zip
> perl-Net-DNS
>
> To hook ClamAV (RPMs can be found in Dag's repo), add something like this to
> global section of mimedefang-filter file:
>
> #***********************************************************************
> # Define AntiVirus used.
> #***********************************************************************
> $Features{'Virus:CLAMD'} = 1;
> $ClamdSock = "/var/run/clamav/clamd.sock";
>
> Note that to use it this way, default ClamAV config needs to be changed to allow
> using Unix domain sockets. Also, clamav user must be added to defang group (so
> that clamd can scan files owned by defang user&group).
----
once again, you are ahead of me (hardly surprising) but I just put up a new mail server online this weekend and was going to start with this - and voilà, here you are and timely...

But I am using Postfix (you need to switch MTAs ;-) so the milter-greylist ain't gonna work. But mime-defang is kind of handy; I was going to go the amavis route but this seems much better.

Thanks

Craig
On Sun, 2005-03-13 at 21:39, Craig White wrote:
> But I am using Postfix (you need to switch MTAs ;-)

Hardly - at least not until other mailers support a milter-like interface that lets scanners run concurrently under different user ids.

--
Les Mikesell
les@futuresource.com
On Mon, 2005-03-14 at 00:49 -0600, Les Mikesell wrote:
> On Sun, 2005-03-13 at 21:39, Craig White wrote:
>
>> But I am using Postfix (you need to switch MTAs ;-)
>
> Hardly - at least not until other mailers support a milter-like
> interface that lets scanners run concurrently under different
> user ids.
----
yeah - I do like sendmail miltering

I also like postfix too - perhaps a little more than sendmail - especially when I've got more than one domain.

I had to resort to 'MailScanner' as mime-defang is really a sendmail add-on

Craig
On Mon, 2005-03-14 at 01:24, Craig White wrote:
>>> But I am using Postfix (you need to switch MTAs ;-)
>>
>> Hardly - at least not until other mailers support a milter-like
>> interface that lets scanners run concurrently under different
>> user ids.
> ----
> yeah - I do like sendmail miltering
>
> I also like postfix too - perhaps a little more than sendmail -
> especially when I've got more than one domain.

I never understood why all the mailers that make a big deal out of being more secure than sendmail by splitting the jobs and using separate uids for their processes left out the part you really need, which is a hook to scan content before accepting at the smtp level.

--
Les Mikesell
les@futuresource.com
Aleksandar Milivojevic
2005-Mar-14 17:08 UTC
[Centos] mimedefang & milter-greylist packages
Les Mikesell wrote:
> I never understood why all the mailers that make a big deal out
> of being more secure than sendmail by splitting the jobs and using
> separate uids for their processes left out the part you really need,
> which is a hook to scan content before accepting at the smtp level.

Actually, it is not sendmail's fault that it runs as root. You can have sendmail running as a non-priv user too. If you don't need to support kludges such as .forward files, it is easier to configure. If you need to support kludges such as .forward files, then it is a harder (but not impossible) task. If you noticed that /var/spool/mail files are historically owned by group mail, mode 660, well, they were set up that way so that the MTA and LDA do not need to be running as root.

Of course, sendmail running as a non-priv user will not have some functionality that aliases and dot forward files provide; however, IMO, this is something you can live without (or implement in a different way). And really, most of the stuff you lose by not running the MTA as root isn't something that the MTA should be doing in the first place. That's why we made the separation into MTA and LDA.

A Sendmail/Cyrus combination, where .forward files are usually not present, and equivalent functionality is handled by the LDA (using Sieve), should be relatively simple to configure that way. This is because in Cyrus, the idea of providing the users with the functionality of .forward files was implemented the right way. And really, sendmail (as MTA) shouldn't be concerned with local users or mailboxes. It should only perform the task of transporting the email (for which no root privileges are needed, apart from binding to port 25 at startup time).

--
Aleksandar Milivojevic <amilivojevic@pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7
On Mon, Mar 14, 2005 at 09:43:43AM -0600, Les Mikesell wrote:
>
> I never understood why all the mailers that make a big deal out
> of being more secure than sendmail by splitting the jobs and using
> separate uids for their processes left out the part you really need,
> which is a hook to scan content before accepting at the smtp level.

I didn't follow this thread but I do think postfix supports filtering at the time you want. You can do body/header checks at smtp time and you can hook in stuff like virus scanners both after and before queueing.

Cheers,
--
Henk van Lingen, Systems & Network Administrator          (o-  -+
Dept. of Computer Science, Utrecht University.            /\   |
phone: +31-30-2535278                                    v_/_
http://henk.vanlingen.net/     http://www.tuxtown.net/netiquette/
On Tue, 2005-03-15 at 02:40, Henk van Lingen wrote:
> On Mon, Mar 14, 2005 at 09:43:43AM -0600, Les Mikesell wrote:
>>
>> I never understood why all the mailers that make a big deal out
>> of being more secure than sendmail by splitting the jobs and using
>> separate uids for their processes left out the part you really need,
>> which is a hook to scan content before accepting at the smtp level.
>
> I didn't follow this thread but I do think postfix supports filtering
> at the time you want. You can do body/headers checks at smtp time and
> you can hook in stuff like virusscanners both after and before queueing.

To be useful, it needs to be done before the SMTP accept is done - that is, concurrent with the conversation, and preferably running under a different uid than anything else.

--
Les Mikesell
les@futuresource.com
On Tue, Mar 15, 2005 at 09:36:58AM -0600, Les Mikesell wrote:
>>
>> I didn't follow this thread but I do think postfix supports filtering
>> at the time you want. You can do body/headers checks at smtp time and
>> you can hook in stuff like virusscanners both after and before queueing.
>
> To be useful, it needs to be done before the SMTP accept is done -
> that is, concurrent with the conversation, and preferably running
> under a different uid than anything else.

Yes, and I state you can do that with postfix: (what is 'useful'?)

http://www.postfix.org/documentation.html

Whether it is wise is another thing. I do virus scanning after smtp-accept, to prevent load surprises. As long as you don't join those idiots that bounce virus errors...

Cheers,
--
Henk van Lingen, Systems & Network Administrator          (o-  -+
Dept. of Computer Science, Utrecht University.            /\   |
phone: +31-30-2535278                                    v_/_
http://henk.vanlingen.net/     http://www.tuxtown.net/netiquette/
Aleksandar Milivojevic
2005-Mar-15 17:22 UTC
[Centos] mimedefang & milter-greylist packages
Henk van Lingen wrote:
> Whether it is wise is another thing. I do virusscanning after smtp-accept,
> to prevent load surprises. As long as you don't join those idiots that
> bounce virus errors...

What exactly do you mean by "bouncing virus errors":

- accepting the virus, and then generating a bounce (with virus included)?
- accepting the virus, and then generating a bounce (no virus included)?
- generating a 5xx error after DATA and dot?
- not accepting notifications from AV about detected viruses?
- something else?

IMO, the cleanest way to deal with viruses is generating a 5xx after 'dot on the line by itself' on the SMTP level. You tell the other side you are not accepting the email. You do not generate a bounce (the other side might). Most viruses use their own SMTP engine, so there's no bounce generated when delivery fails.

If there is a bounce generated by somebody in the middle, the virus had to get the faked address from somewhere (the infected user's addressbook in 99.999% of cases). So there will be a virus flying to the faked sender anyhow. You are not protecting anybody from infection by preventing bounce generation. Moreover, the faked sender is likely to know who the real sender was (he was in his addressbook, to start with), and upon seeing the bounce can warn him that he is infected. Or he can forward the bounce to the ISP's abuse address, and they'll do the right thing.

Also, if the virus is of the type that might trigger bounce generation, there will be some bounces generated anyhow. Basically, for every address in the infected user's addressbook that doesn't exist anymore. The average user has a nice collection of those too.

I don't believe in the "let's hide the problem" philosophy. Hopefully, that doesn't put me in your "idiots" category ;-)

--
Aleksandar Milivojevic <amilivojevic@pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7
On Tue, Mar 15, 2005 at 11:23:15AM -0600, Aleksandar Milivojevic wrote:
> Henk van Lingen wrote:
>> Whether it is wise is another thing. I do virusscanning after
>> smtp-accept,
>> to prevent load surprises. As long as you don't join those idiots that
>> bounce virus errors...

I didn't intend an MTA-war or whatever, just had to correct some fud about postfix :-) Having said that,

> What do you exactly mean by "bouncing virus errors":
> - accepting virus, and then generating bounce (with virus included)?
> - accepting virus, and then generating bounce (no virus included)?
> - generating 5xx error after DATA and dot?
> - not accepting notifications from AV about detected viruses?
> - something else?

I meant sending stuff to fake senders. Which however applies more to spam stuff, but of course viruses are also used for spamming today.

Anyway: I agree that you can 5xx a virus after the single dot. But not at any time later. Personally, I don't do it because of said performance risks for larger sites. So I drop them silently; after all, false positives are not a serious issue with virus scanning (ClamAV in my case).

> IMO, the cleanest way to deal with viruses is generating 5xx after 'dot
> on the line by itself' on SMTP level. You tell the other side you are
> not accepting the email. You do not generate bounce (the other side
> might). Most viruses use their own SMTP engine, so there's no bounce
> generated when delivery fails.

Fine with me.

> If there is a bounce generated by somebody in the middle, the virus had
> to get faked address from somewhere (infected user's addressbook in
> 99.999% cases). So there will be a virus flying to faked sender anyhow.
> You are not protecting anybody from infection by preventing bounce
> generation. Moreover, faked sender is likely to know who real sender
> was (he was in his addressbook, to start with), and upon seeing the
> bounce can warn him that he is infected. Or he can forward the bounce
> to ISP's abuse address, and they'll do the right thing.

Maybe faked senders mostly don't understand a bit of bounce messages.

> I don't believe in "let's hide the problem" philosophy. Hopefully, that
> doesn't put me in your "idiots" category ;-)

No. But "let's make the problem bigger" also doesn't help. I just reject RBL etc. stuff, I tag spam as such and I drop viruses. Do what you like, as long as you don't send stuff back to people who didn't send something in the first place.

Cheers,
--
Henk van Lingen, Systems & Network Administrator          (o-  -+
Dept. of Computer Science, Utrecht University.            /\   |
phone: +31-30-2535278                                    v_/_
http://henk.vanlingen.net/     http://www.tuxtown.net/netiquette/
On Tue, 2005-03-15 at 10:05, Henk van Lingen wrote:
> On Tue, Mar 15, 2005 at 09:36:58AM -0600, Les Mikesell wrote:
>>>
>>> I didn't follow this thread but I do think postfix supports filtering
>>> at the time you want. You can do body/headers checks at smtp time and
>>> you can hook in stuff like virusscanners both after and before queueing.
>>
>> To be useful, it needs to be done before the SMTP accept is done -
>> that is, concurrent with the conversation, and preferably running
>> under a different uid than anything else.
>
> Yes, and I state you can do that with postfix: (what is 'useful'?)

Useful is being able to run MimeDefang. It splits out attachments and runs your choice of spam and virus tests with a small piece of perl code controlling the actions. It is a long-running program that sendmail uses through the milter interface, and it in turn can use daemon-mode scanners like clamd through a socket interface without starting new processes.

> http://www.postfix.org/documentation.html
> Whether it is wise is another thing. I do virusscanning after smtp-accept,
> to prevent load surprises.

I don't see anything in there about being able to chat over a socket with concurrently running scanning programs. If you have to start and initialize your scanners for every message with a pipe-to-program interface, it is not surprising that you have load problems.

> As long as you don't join those idiots that
> bounce virus errors...

I silently drop known viruses since virtually all of them for the last few years have forged the sending address, but I reject spam that scores very high values with a 5xx and a moderately polite message to allow the sender to reword and resend if the scanner happens to be wrong.

--
Les Mikesell
les@futuresource.com
On Tue, Mar 15, 2005 at 05:49:55PM -0600, Les Mikesell wrote:
>
> I don't see anything in there about being able to chat over a socket
> with concurrently running scanning programs. If you have to start and
> initialize your scanners for every message with a pipe-to-program
> interface it is not surprising that you have load problems.

Yes, I know. I use clamd for this. Implemented with 'clamsmtp' running on an extra postfix interface as documented on:

http://www.postfix.org/FILTER_README.html#advanced_filter

You can also plug in Amavisd-new there, but I don't need that as I only use ClamAV, and not a bunch of scanners in a row. You can also use clamd before the 'dot on a single line'. The performance questions I meant are these:

http://www.postfix.org/SMTPD_PROXY_README.html#pros_cons

>> As long as you don't join those idiots that
>> bounce virus errors...
>
> I silently drop known viruses since virtually all of them for the last
> few years have forged the sending address,

Great, I do the same. (However, some may think this is 'hiding the problem' :-)). BTW: if you just drop, why do you care about before or after smtp-time?

Cheers,

PS: Lots of viruses don't reach my virus scanner as I reject (5xx) mail with (exe|com|vbs|... etc) attachments. Done via header/body checks, i.e. before the 'dot on a single line'.

--
Henk van Lingen, Systems & Network Administrator          (o-  -+
Dept. of Computer Science, Utrecht University.            /\   |
phone: +31-30-2535278                                    v_/_
http://henk.vanlingen.net/     http://www.tuxtown.net/netiquette/
On Wed, 2005-03-16 at 04:17, Henk van Lingen wrote:
>>
>> I silently drop known viruses since virtually all of them for the last
>> few years have forged the sending address,
>
> Great, I do the same. (However, some may think this is 'hiding the
> problem' :-)). BTW: if you just drop, why do you care about before
> or after smtp-time?

I used to reject them with 5xx SMTP errors, which would normally cause them to be dropped anyway when sent directly by a virus-infected box. However, now some send through relays, and those would be obligated by the rejection to construct and return a bounce message. I'm in favor of hiding problems - especially from people who can't solve them...

For spam, though, I want the option of a 5xx reject after the scan. You really don't want to have to construct your own bounces and let them clog the outbound queue for those. Also, temp-failing messages with a 4xx response at a certain spam-score threshold from previously unknown senders on the first attempt is probably the best defense against spam right now. I just haven't had time to set it up to do that yet.

The http://www.mimedefang.org/ site and mailing list cover a lot of the load issues and the scale that some places are handling with it.

--
Les Mikesell
les@futuresource.com
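As an added illustration of the end-of-DATA policies argued over in this thread (not code from the thread, MimeDefang or Postfix): a 5xx after the terminating dot instead of a bounce, rejecting exe/com/vbs attachments before the dot as in Henk's PS, a polite 5xx for very high spam scores, and a 4xx temp-fail for unknown senders as Les describes. The spam score is assumed to come from an external scanner and is passed in as a number; the thresholds and sample messages are constructed.

```python
from email import message_from_bytes, policy

# Extensions Henk names as rejected by header/body checks (his list is longer).
FORBIDDEN_EXTS = {"exe", "com", "vbs"}
SPAM_REJECT = 15.0    # constructed threshold: 5xx with a polite reason
SPAM_TEMPFAIL = 5.0   # constructed threshold: 4xx for first-time senders


def forbidden_attachments(raw, forbidden=FORBIDDEN_EXTS):
    """Return attachment filenames whose final extension is on the list.

    get_filename() checks Content-Disposition first and falls back to the
    Content-Type name= parameter, so a double extension such as
    report.txt.EXE is still caught, case-insensitively.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name and "." in name and name.rsplit(".", 1)[1].lower() in forbidden:
            hits.append(name)
    return hits


def end_of_data_response(raw, spam_score=0.0, sender_seen_before=True):
    """Pick the reply sent after the terminating '.' of DATA.

    Refusing here hands the verdict back inside the SMTP conversation, so
    this host never has to build a bounce to a possibly forged sender.
    """
    hits = forbidden_attachments(raw)
    if hits:
        return f"550 5.7.1 Attachment type not accepted: {hits[0]}"
    if spam_score >= SPAM_REJECT:
        return "550 5.7.1 Message looks like spam; reword and resend if this is wrong"
    if spam_score >= SPAM_TEMPFAIL and not sender_seen_before:
        return "450 4.7.1 Greylisted; please try again later"
    return "250 2.0.0 Ok: queued"


def _sample(filename, ctype="application/octet-stream"):
    """Build a constructed two-part message carrying one attachment."""
    text = (
        "From: someone@example.net\r\nTo: user@example.com\r\n"
        "Subject: your document\r\nMIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
        "--b1\r\nContent-Type: text/plain\r\n\r\nPlease see attached.\r\n"
        f'--b1\r\nContent-Type: {ctype}; name="{filename}"\r\n'
        f'Content-Disposition: attachment; filename="{filename}"\r\n'
        "Content-Transfer-Encoding: base64\r\n\r\nY29uc3RydWN0ZWQ=\r\n--b1--\r\n"
    )
    return text.encode("ascii")


SAMPLE_EXE = _sample("report.txt.EXE")                 # constructed: blocked type
SAMPLE_PDF = _sample("report.pdf", "application/pdf")  # constructed: allowed type
```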