[Mimedefang] Authenticated Users Filter modification (especially for POP BEFORE AUTH users) for SA & Blacklist issue

Kevin A. McGrail kmcgrail at pccc.com
Thu May 20 12:59:42 EDT 2004


> Problem? AIUI, filter_initialize is called only once in the
> life of a slave, and DB_File doesn't check the timestamp of the
> on-disk DB when you use the contents of the hash. If a slave takes
> half an hour to process its allotted number of messages, then
> $popauthdb will be a half-hour out of date by the time the last
> message is processed, unless you are calling opendb_read before every
> check (in which case, why bother calling it in filter_init?) This
> means that someone potentially has to wait some non-trivial amount of
> time after checking mail to be sure of sending it without some risk of
> incurring the SA penalties you are trying to avoid. Maybe not a big
> deal, but probably not what you wanted.

I am convinced you are correct.  I re-read the man page and I think your
interpretation is correct.  My filter_initialize is wrong and I need to read
the database before each check.  Luckily, it's a pretty lightweight database
for 99.9% of the installs.

An updated solution is documented here
http://www.peregrinehw.com/downloads/MIMEDefang/contrib/POP_before_SMTP_modification

> So you're setting $popauth in filter_end() and using it in
> filter() ? Or is "your filter" above intended to refer loosely to the
> entire thing, with the understanding that you're calling SA from
> filter_end() also? Because mimedefang-filter(5) says:

Your filter is a reference to the entire subfilter.  I use the variable just
in filter_end().

>   # the DB used for popauth relay authentication
>   # MUST BE READABLE BY THE DEFANG USER (try
>   # "chgrp defang /etc/mail/access.db")
>   $popauthdbfile = "/etc/mail/access.db";

I think this part should be moved into filter_initialize for fear of
oddities that the embedded perl filter puts in place.  Not 100% certain,
though, but it is what I did.

>   sub popauthget ($) {
>     # read sendmail's access.db and look for an ip RELAY entry
>     my ($ip) = @_;
>     my $popauthdb = &opendb_read($popauthdbfile);
>     my $entry = $popauthdb->{$ip};
>     # close the DB on every path, not only when the entry matches
>     &closedb($popauthdb);
>     if (defined $entry && $entry =~ /RELAY/) {
>       return "popauth";
>     }
>     return 0;
>   }

Thanks for the code example.  I just open and close on my simple loop in
filter_end, but it was a good idea to tie this into the forged/invalid HELO
check and make it a function.

Regards,
KAM
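As an added example (not code from this post, from the quoted reply, or from MIMEDefang itself), here is the per-check approach the thread settles on, written as stand-alone Perl: the DB_File hash is tied fresh on every call, so a slave that lives for many messages never consults a stale snapshot, and it is untied on every return path. It assumes access.db keys are bare client IPs mapping to `RELAY`, as in the quoted snippet, and uses DB_File directly in place of the poster's `opendb_read`/`closedb` helpers; the temporary database, the `192.0.2.x` addresses and the `popauthget($ip, $dbfile)` signature are constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example, not from the mailing-list post: re-read sendmail's
# access.db on every check so a long-lived MIMEDefang slave never uses
# a stale copy of the POP-before-SMTP authorisation list.
use strict;
use warnings;
use DB_File;
use Fcntl qw(O_RDONLY O_RDWR O_CREAT);
use File::Temp qw(tempdir);

# Default path; the file must be readable by the MIMEDefang user.
# The reply suggests setting this in filter_initialize.
my $popauthdbfile = "/etc/mail/access.db";

# Return "popauth" when $ip has a RELAY entry in the DB, otherwise 0.
# $dbfile is an assumed optional override so the function can be
# exercised against a throwaway database.
sub popauthget {
    my ($ip, $dbfile) = @_;
    $dbfile = $popauthdbfile unless defined $dbfile;

    # Tie a fresh hash on each call: DB_File does not notice on-disk
    # updates made after the tie, so a single tie in filter_initialize
    # goes stale as the POP daemon adds and expires entries.
    my %db;
    tie(%db, 'DB_File', $dbfile, O_RDONLY, 0644, $DB_HASH)
        or return 0;   # unreadable DB: treat as not authenticated rather than die in the filter

    # Assumption: keys are bare IPs, as in the quoted snippet.
    my $entry = $db{$ip};
    untie %db;         # always release the DB, whichever way we return

    return (defined $entry && $entry =~ /RELAY/) ? "popauth" : 0;
}

# Constructed demonstration: build a throwaway access.db-style file with
# one RELAY entry and query it instead of touching /etc/mail/access.db.
my $dir    = tempdir(CLEANUP => 1);
my $dbfile = "$dir/access.db";
{
    my %seed;
    tie(%seed, 'DB_File', $dbfile, O_RDWR | O_CREAT, 0644, $DB_HASH)
        or die "cannot create $dbfile: $!";
    $seed{'192.0.2.10'} = 'RELAY';   # constructed sample entry
    untie %seed;
}

print "192.0.2.10 -> ", popauthget('192.0.2.10', $dbfile), "\n";
print "192.0.2.11 -> ", popauthget('192.0.2.11', $dbfile), "\n";

# In a real filter this would be called from filter_end with MIMEDefang's
# $RelayAddr, and the SpamAssassin / HELO checks skipped when it returns
# "popauth":
#   my $popauth = popauthget($RelayAddr);
```

Opening the database per message costs one small file open and hash lookup, which matches the reply's observation that the DB is lightweight for nearly all installs; the `or return 0` on the tie keeps a missing or unreadable access.db from killing the slave, at the price of treating such mail as unauthenticated.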
