[Mimedefang] Authenticated Users Filter modification (especially for POP BEFORE AUTH users) for SA & Blacklist issue
Kevin A. McGrail
kmcgrail at pccc.com
Thu May 20 12:59:42 EDT 2004
> Problem? AIUI, filter_initialize is called only once in the
> life of a slave, and DB_File doesn't check the timestamp of the
> on-disk DB when you use the contents of the hash. If a slave takes
> half an hour to process its allotted number of messages, then
> $popauthdb will be a half-hour out of date by the time the last
> message is processed, unless you are calling opendb_read before every
> check (in which case, why bother calling it in filter_init?) This
> means that someone potentially has to wait some non-trivial amount of
> time after checking mail to be sure of sending it without some risk of
> incurring the SA penalties you are trying to avoid. Maybe not a big
> deal, but probably not what you wanted.
I am convinced you are correct. I re-read the man page and I think your
interpretation is correct. My filter_initialize is wrong and I need to read
the database before each check. Luckily, it's a pretty lightweight database
for 99.9% of the installs.
An updated solution is documented here:
http://www.peregrinehw.com/downloads/MIMEDefang/contrib/POP_before_SMTP_modification
> So you're setting $popauth in filter_end() and using it in
> filter() ? Or is "your filter" above intended to refer loosely to the
> entire thing, with the understanding that you're calling SA from
> filter_end() also? Because mimedefang-filter(5) says:
Your filter is a reference to the entire subfilter. I use the variable just
in filter_end().
> # the DB used for popauth relay authentication
> # MUST BE READABLE BY THE DEFANG USER (try
> # "chgrp defang /etc/mail/access.db")
> $popauthdbfile = "/etc/mail/access.db";
I think this part should be moved into filter_initialize for fear of
oddities that the embedded perl filter puts in place. Not 100% certain
though but it is what I did.
> sub popauthget ($) {
>   # read sendmail's access.db and look for ip RELAY
>   my ($ip) = @_;
>   my $popauthdb = &opendb_read($popauthdbfile);
>   # capture the result first so the handle is closed on every path
>   my $relay = (defined $popauthdb->{$ip} && $popauthdb->{$ip} =~ /RELAY/);
>   &closedb($popauthdb);
>   return $relay ? "popauth" : 0;
> }
Thanks for the code example. I just open and close on my simple loop in
filter_end, but it was a good idea to tie this into the forged/invalid HELO
check and make it a function.
Regards,
KAM
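
The point settled in this message (re-read the map before each check rather than once in filter_initialize), as an added example that is not code from the thread: it calls DB_File directly instead of the thread's opendb_read/closedb helpers, anchors the RELAY match more tightly than the quoted code, and the names map_put and relay_allowed, the temporary map file and the 192.0.2.x addresses are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example: per-message lookup against a Berkeley DB hash map.
use strict;
use warnings;
use DB_File;
use Fcntl qw(O_RDONLY O_RDWR O_CREAT);
use File::Temp qw(tempdir);

# Constructed sample map standing in for /etc/mail/access.db.
my $dir  = tempdir(CLEANUP => 1);
my $file = "$dir/access.db";

# Hypothetical helper: plays the role of whatever maintains the map
# (the POP-before-SMTP daemon or makemap). Not part of the original post.
sub map_put {
    my ($key, $value) = @_;
    tie(my %db, 'DB_File', $file, O_RDWR | O_CREAT, 0640, $DB_HASH)
        or die "cannot write $file: $!";
    $db{$key} = $value;
    untie %db;    # flush the change to disk
}

# Hypothetical name. Opens the map read-only on every call, so each
# message is judged against the current on-disk contents, and releases
# the handle on every path.
sub relay_allowed {
    my ($ip) = @_;
    tie(my %db, 'DB_File', $file, O_RDONLY, 0, $DB_HASH)
        or return 0;    # unreadable map: treat the client as not authenticated
    my $value = $db{$ip};
    untie %db;
    # Assumption: only a value that starts with RELAY counts as POP-authenticated.
    return (defined $value && $value =~ /^RELAY\b/) ? 1 : 0;
}

map_put('192.0.2.10', 'RELAY');
printf "%-34s %d\n", '192.0.2.10 already in map:', relay_allowed('192.0.2.10');
printf "%-34s %d\n", '192.0.2.25 before checking mail:', relay_allowed('192.0.2.25');

# The client checks mail while the same long-lived slave is still running.
map_put('192.0.2.25', 'RELAY');
printf "%-34s %d\n", '192.0.2.25 after checking mail:', relay_allowed('192.0.2.25');

# An entry that stops being RELAY is honoured on the next message too.
map_put('192.0.2.10', 'REJECT');
printf "%-34s %d\n", '192.0.2.10 after change to REJECT:', relay_allowed('192.0.2.10');
```

Returning 0 when the map cannot be opened means the message is simply treated as unauthenticated and goes through the normal SpamAssassin and blacklist checks.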