
Mailing List Archive: SpamAssassin: users

use passwd file to control senders

 

 



brennerop at msn

Nov 12, 2009, 10:58 AM

Post #1 of 16 (1313 views)
Permalink
use passwd file to control senders

Hi, I've been searching all over the net, yet I can't find a solution for the
problem I have. Let me explain it to you: Over the past months, our internal
mail server has encountered some unknown senders and we want to control them
by validating the users that are in the passwd file. Can it be done? I'm
using SpamAssassin 3.2.3, milter-limit and sendmail, and everything else has
run smoothly so far. Hope you can help ASAP.

Thanks in advance,
Brennero Pardo

--
View this message in context: http://old.nabble.com/use-passwd-file-to-control-senders-tp26324411p26324411.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.


evan at espphotography

Nov 12, 2009, 11:03 AM

Post #2 of 16 (1273 views)
Permalink
Re: use passwd file to control senders [In reply to]

At 10:58 AM 11/12/2009, neroxyr wrote:

>Hi, I've been searching all over the net, yet I can't find a solution for the
>problem I have. Let me explain it to you: Over the past months, our internal
>mail server has encountered some unknown senders and we want to control them
>by validating the users that are in the passwd file. Can it be done? I'm
>using SpamAssassin 3.2.3, milter-limit and sendmail, and everything else has
>run smoothly so far. Hope you can help ASAP.

You may want to try asking on a sendmail mailing list. This has
nothing to do with Spamassassin.


hoogendyk at bio

Nov 12, 2009, 11:21 AM

Post #3 of 16 (1269 views)
Permalink
Re: use passwd file to control senders [In reply to]

Evan Platt wrote:
> At 10:58 AM 11/12/2009, neroxyr wrote:
>
>> Hi, I've been searching all over the net, yet I can't find a solution for the
>> problem I have. Let me explain it to you: Over the past months, our internal
>> mail server has encountered some unknown senders and we want to control them
>> by validating the users that are in the passwd file. Can it be done? I'm
>> using SpamAssassin 3.2.3, milter-limit and sendmail, and everything else has
>> run smoothly so far. Hope you can help ASAP.
>
> You may want to try asking on a sendmail mailing list. This has
> nothing to do with Spamassassin.

However, yes, it can be done. You want to make sure you are not an open
relay, and you want your own users to have to authenticate to send mail
out. Typically, TLS or SSL over port 587 (submission port) rather than
port 25. Get details from the sendmail mailing list or from online
documentation for sendmail.


--
---------------

Chris Hoogendyk

-
O__ ---- Systems Administrator
c/ /'_ --- Biology & Geology Departments
(*) \(*) -- 140 Morrill Science Center
~~~~~~~~~~ - University of Massachusetts, Amherst

<hoogendyk [at] bio>

---------------

Erdös 4


antispam at khopis

Nov 12, 2009, 3:07 PM

Post #4 of 16 (1265 views)
Permalink
Re: use passwd file to control senders [In reply to]

Neroxyr started:
>>> our internal mail server has encountered some unknown senders
>>> and we want to control them by validating the users that are in
>>> the passwd file

Chris Hoogendyk wrote:
> make sure you are not an open relay, and you want your own users to
> have to authenticate to send mail out. Typically, TLS or SSL over
> port 587 (submission port) rather than port 25.

Neroxyr may have been asking something else. Is this regarding mail
*received* from unknown senders? Do you want to check for forged
senders? Do you want to check for invalid recipients?

Forgery can be mitigated with SPF* and/or DKIM while invalid
recipients have no easy solution. A plugin could conceivably check
against a passwd file (and aliases, virtual users, ...) to catch
invalid users at the local domain(s) that appear in the message
headers, but I don't know of such a thing.


Note - I'd love to see a reversed whitelist_from_spf, matching an
address with the SPF failure rules, perhaps like:

blacklist_from_spf_fail *@my-domain.example.net
blacklist_from_spf_softfail *@my-other-domain.example.com # inclusive

Currently, the softfail version can be done (I think?) through:

# Assumes the scores USER_IN_BLACKLIST + USER_IN_SPF_WHITELIST = 0
# (the default is 100 + -100 = 0)
ifplugin Mail::SpamAssassin::Plugin::SPF
blacklist_from *@my-domain.example.net
whitelist_from_spf *@my-domain.example.net
endif

Notable problem: if for some reason the SPF plugin is loaded but
doesn't fire (which happens for me all the time), this has BIG problems.

Uglier but safer implementation:

ifplugin Mail::SpamAssassin::Plugin::SPF
  # Dots escaped so the pattern matches only the literal domain
  header   __LOCAL_SPF_BL     From:addr =~ /\@my-domain\.example\.net$/i
  meta     BLACKLIST_FROM_SPF __LOCAL_SPF_BL && (SPF_FAIL || SPF_HELO_FAIL)
  describe BLACKLIST_FROM_SPF From: address is in the SPF blacklist
  tflags   BLACKLIST_FROM_SPF userconf noautolearn
  score    BLACKLIST_FROM_SPF 100
endif


martin at gregorie

Nov 12, 2009, 4:19 PM

Post #5 of 16 (1263 views)
Permalink
Re: use passwd file to control senders [In reply to]

On Thu, 2009-11-12 at 18:07 -0500, Adam Katz wrote:
> Neroxyr may have been asking something else. Is this regarding mail
> *received* from unknown senders? Do you want to check for forged
> senders? Do you want to check for invalid recipients?
>
> Forgery can be mitigated with SPF* and/or DKIM while invalid
> recipients has no easy solution. A plugin could conceivably check
> against a passwd file (and aliases, virtual users, ...) to catch for
> invalid users at the local domain(s) that appear in the message
> headers, but I don't know of such a thing.
>
Do we know the OP is using sendmail?

Postfix checks local recipients against /etc/passwd and /etc/aliases by
default. It can also be configured to apply the same checks to local
senders, though the default is not to check.

I'd hope that other MTAs have the same capabilities.


Martin


evan at espphotography

Nov 12, 2009, 4:24 PM

Post #6 of 16 (1254 views)
Permalink
Re: use passwd file to control senders [In reply to]

At 04:19 PM 11/12/2009, you wrote:
>Do we know the OP is using sendmail?

The OP seems to have just disappeared (nabble...) but from their post:

"using SpamAssassin 3.2.3, milter-limit and sendmail"


antispam at khopis

Nov 12, 2009, 4:32 PM

Post #7 of 16 (1256 views)
Permalink
Re: use passwd file to control senders [In reply to]

Martin Gregorie wrote:
> Do we know the OP is using sendmail?

Yes. Here's a quote:
>> I'm using SpamAssassin 3.2.3, milter-limit and sendmail

> Postfix checks local recipients against /etc/passwd and /etc/aliases by
> default. It can also be configured to apply the same checks to local
> senders, though the default is not to check.
>
> I'd hope that other MTAs have the same capabilities.

That's not what I was talking about. Obviously if an MTA can't find
the recipient, it won't deliver. I'm talking about the *other*
recipients, e.g.

To: Foo Bar <foo [at] example>
Cc: Foo Baz <fbaz [at] example>

If user foo exists but user fbaz does not, you should expect that an
MTA will reject fbaz but deliver that same message to foo. I'm
talking about a way to cause SpamAssassin (or something else,
whatever) to note the fact that a *different* recipient, fbaz, doesn't
exist, and to read it from the headers rather than the envelope
recipients (the way an MTA does).


terry at cnysupport

Nov 13, 2009, 9:00 AM

Post #8 of 16 (1236 views)
Permalink
Re: use passwd file to control senders [In reply to]

Adam Katz wrote:
> Martin Gregorie wrote:
>
>> Do we know the OP is using sendmail?
>>
>
> Yes. Here's a quote:
>
>>> I'm using SpamAssassin 3.2.3, milter-limit and sendmail
>>>
>
>
>> Postfix checks local recipients against /etc/passwd and /etc/aliases by
>> default. It can also be configured to apply the same checks to local
>> senders, though the default is not to check.
>>
>> I'd hope that other MTAs have the same capabilities.
>>
>
> That's not what I was talking about. Obviously if an MTA can't find
> the recipient, it won't deliver. I'm talking about the *other*
> recipients, e.g.
>
> To: Foo Bar <foo [at] example>
> Cc: Foo Baz <fbaz [at] example>
>
> If user foo exists but user fbaz does not, you should expect that an
> MTA will reject fbaz but deliver that same message to foo. I'm
> talking about a way to cause SpamAssassin (or something else,
> whatever) to note the fact that a *different* recipient, fbaz, doesn't
> exist, and to read it from the headers rather than the envelope
> recipients (the way an MTA does).
>
If your MTA is configured properly, SA will never see a message for a
non-existent recipient.

What are you trying to do?

Terry


kremels at kreme

Nov 13, 2009, 9:12 AM

Post #9 of 16 (1237 views)
Permalink
Re: use passwd file to control senders [In reply to]

On 13-Nov-2009, at 10:00, Terry Carmen wrote:

>> To: Foo Bar <foo [at] example>
>> Cc: Foo Baz <fbaz [at] example>
>>
>> If user foo exists but user fbaz does not, you should expect that an
>> MTA will reject fbaz but deliver that same message to foo. I'm
>> talking about a way to cause SpamAssassin (or something else,
>> whatever) to note the fact that a *different* recipient, fbaz, doesn't
>> exist, and to read it from the headers rather than the envelope
>> recipients (the way an MTA does).
>>
> If your MTA is configured properly, SA will never see a message for a non-existent recipient.
>
> What are you trying to do?

He is trying to get SA to score the mail for foo [at] example higher because the user fbaz [at] example does not exist.


--
I have a love child who sends me hate mail


jhardin at impsec

Nov 13, 2009, 9:15 AM

Post #10 of 16 (1235 views)
Permalink
Re: use passwd file to control senders [In reply to]

On Fri, 13 Nov 2009, Terry Carmen wrote:

> Adam Katz wrote:
>> Martin Gregorie wrote:
>>
>> > Do we know the OP is using sendmail?
>>
>> Yes. Here's a quote:
>>
>> > > I'm using SpamAssassin 3.2.3, milter-limit and sendmail
>>
>> > Postfix checks local recipients

Folks, we're losing sight of the OP's request. Re-read the subject line,
and this quote from the OP:

neroxyr <brennerop [at] msn> wrote:
> Over the past months, our internal mail server has encountered some
> unknown _senders_ and we want to control them by validating the users
> that are in the passwd file

{emphasis mine}

The suggestion to use SMTP AUTH should mostly cover it. To be totally
sure, the MTA should also be configured to not accept un-authenticated
SMTP at all.

Is there a way to configure sendmail to also validate both the envelope
sender and message From: header against the local passwd file?

Side note: this MTA would not be suitable for _inbound_ mail, obviously.

If this thread is morphing into a discussion of _recipient_ verification,
please change the subject or start a new thread.

/nanny off

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin [at] impsec FALaholic #11174 pgpk -a jhardin [at] impsec
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
USMC Rules of Gunfighting #7: In ten years nobody will remember the
details of caliber, stance, or tactics. They will only remember who
lived.
-----------------------------------------------------------------------
35 days since President Obama won the Nobel "Not George W. Bush" prize


terry at cnysupport

Nov 13, 2009, 9:33 AM

Post #11 of 16 (1235 views)
Permalink
Re: use passwd file to control senders [In reply to]

LuKreme wrote:
>>> If user foo exists but user fbaz does not, you should expect that an
>>> MTA will reject fbaz but deliver that same message to foo. I'm
>>> talking about a way to cause SpamAssassin (or something else,
>>> whatever) to note the fact that a *different* recipient, fbaz, doesn't
>>> exist, and to read it from the headers rather than the envelope
>>> recipients (the way an MTA does).
>>>
>>>
>> If your MTA is configured properly, SA will never see a message for a non-existent recipient.
>>
>> What are you trying to do?
>>
>
> He is trying to get SA to score the mail for foo [at] example higher because the user fbaz [at] example does not exist.
>
That's a nice idea!

One option (definitely a hack) would be to get SA to pull the
message_id, then scan the maillog for rejected recipients.


Terry


dbfunk at engineering

Nov 13, 2009, 11:58 AM

Post #12 of 16 (1236 views)
Permalink
Re: use passwd file to control senders [In reply to]

On Fri, 13 Nov 2009, John Hardin wrote:

> Is there a way to configure sendmail to also validate both the envelope
> sender and message From: header against the local passwd file?

Checking the envelope sender (for local domain addresses) against the
local passwd file is straightforward. Checking the From: header is
do-able but would require writing custom rules. (there is a mechanism
for crafting explicit per-header rules.)

For either check you need to provide a broader scope to allow things
such as aliases (which usually aren't in your passwd file). Normally
you only do the local passwd file check at actual delivery time.

--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
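
[Added example, not part of any post in this thread.] The check discussed above (local-domain addresses in the From:, To: and Cc: headers validated against the passwd file, widened to include aliases) can be sketched as a stand-alone Python script; it is neither a SpamAssassin plugin nor sendmail configuration. All function names, the sample passwd/aliases text, the domain and the message are constructed for illustration.

```python
import email
from email.utils import getaddresses

# Constructed sample data, not taken from the thread.
PASSWD = """root:x:0:0:root:/root:/bin/sh
foo:x:1001:1001:Foo Bar:/home/foo:/bin/sh
"""
ALIASES = """# constructed aliases(5) sample
postmaster: root
sales: foo,
    root
"""
LOCAL_DOMAINS = {"example.net"}
MSG = """From: Forged <nosuchuser@example.net>
To: Foo Bar <foo@example.net>
Cc: Foo Baz <fbaz@example.net>, sales@example.net, other@example.org
Subject: constructed sample

body
"""

def passwd_users(text):
    """Login names: first colon-separated field of each passwd(5) line."""
    return {line.split(":", 1)[0].lower() for line in text.splitlines()
            if line.strip() and not line.startswith("#")}

def alias_names(text):
    """Left-hand sides of aliases(5) entries; skips comments and
    continuation lines (those starting with whitespace)."""
    names = set()
    for line in text.splitlines():
        if not line.strip() or line[0] in "# \t" or ":" not in line:
            continue
        names.add(line.split(":", 1)[0].strip().lower())
    return names

def unknown_local(raw_msg, headers, known, domains=LOCAL_DOMAINS):
    """Addresses in the given headers that claim a local domain but whose
    local part is neither a passwd user nor an alias."""
    msg = email.message_from_string(raw_msg)
    values = [v for h in headers for v in msg.get_all(h, [])]
    bad = []
    for _name, addr in getaddresses(values):
        local, _, domain = addr.rpartition("@")
        if domain.lower() in domains and local.lower() not in known:
            bad.append(addr.lower())
    return bad

KNOWN = passwd_users(PASSWD) | alias_names(ALIASES)

if __name__ == "__main__":
    print("forged From:", unknown_local(MSG, ["From"], KNOWN))
    print("unknown To/Cc:", unknown_local(MSG, ["To", "Cc"], KNOWN))
```

Addresses at non-local domains are ignored, so the check only flags mail that claims a local identity that does not exist.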


jhardin at impsec

Nov 13, 2009, 12:08 PM

Post #13 of 16 (1243 views)
Permalink
Re: use passwd file to control senders [In reply to]

On Fri, 13 Nov 2009, David B Funk wrote:

> On Fri, 13 Nov 2009, John Hardin wrote:
>
>> Is there a way to configure sendmail to also validate both the envelope
>> sender and message From: header against the local passwd file?
>
> Checking the envelope sender (for local domain addresses) against the
> local passwd file is straightforward.

Got a URI for instructions? (for the OP's benefit)

> Checking the From: header is do-able but would require writing custom
> rules. (there is a mechanism for crafting explicit per-header rules.)
>
> For either check you need to provide a broader scope to allow things
> such as aliases (which usually aren't in your passwd file). Normally you
> only do the local passwd file check at actual delivery time.

I don't think you'd worry about aliases checking the _sender_ address.

We are getting into "ask on the sendmail list" territory now.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin [at] impsec FALaholic #11174 pgpk -a jhardin [at] impsec
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
It is not the business of government to make men virtuous or
religious, or to preserve the fool from the consequences of his own
folly. -- Henry George
-----------------------------------------------------------------------
35 days since President Obama won the Nobel "Not George W. Bush" prize


martin at gregorie

Nov 13, 2009, 12:22 PM

Post #14 of 16 (1232 views)
Permalink
Re: use passwd file to control senders [In reply to]

On Fri, 2009-11-13 at 13:58 -0600, David B Funk wrote:
> On Fri, 13 Nov 2009, John Hardin wrote:
>
> > Is there a way to configure sendmail to also validate both the envelope
> > sender and message From: header against the local passwd file?
>
> Checking the envelope sender (for local domain addresses) against the
> local passwd file is straightforward. Checking the From: header is
> do-able but would require writing custom rules. (there is a mechanism
> for crafting explicit per-header rules.)
>
> For either check you need to provide a broader scope to allow things
> such as aliases (which usually aren't in your passwd file). Normally
> you only do the local passwd file check at actual delivery time.
>
Or switch to Postfix, which has a built-in ability to check local
senders against the password and aliases files.

However, the docs don't say whether it's checking the envelope sender
and/or the From: header.


Martin


lists-general at cappella

Nov 13, 2009, 2:10 PM

Post #15 of 16 (1234 views)
Permalink
Re: use passwd file to control senders [In reply to]

FYI:

On 11/13/2009 12:22 PM, Martin Gregorie wrote:

> However, the docs don't say whether it's checking the envelope sender
> and/or the From: header.
>

man 5 access:

DESCRIPTION
This document describes access control on remote SMTP client
information: host names, network addresses, and envelope sender
or recipient addresses;                         ^^^^^^^^
...
it is implemented by the Postfix SMTP server. See
header_checks(5) or body_checks(5) for access control on the
content of email messages.
--

Mike


brennerop at msn

Nov 14, 2009, 8:10 AM

Post #16 of 16 (1188 views)
Permalink
Re: use passwd file to control senders [In reply to]

Adam Katz-10 wrote:
>
> Neroxyr may have been asking something else. Is this regarding mail
> *received* from unknown senders? Do you want to check for forged
> senders? Do you want to check for invalid recipients?
>

Mails received are not the problem. I want to check for forged senders that
are not created by us, so that those may be considered as spam, if that's
the case. I'll try the methods you described and let you know if I encounter
some kind of problem. Thanks for the help you're giving me. I'll post the
results ASAP.
