[Mimedefang] MIMEDefang 2.72 is Released

kd6lvw at yahoo.com kd6lvw at yahoo.com
Wed Oct 19 17:46:08 EDT 2011


--- On Wed, 10/19/11, Philip Prindeville <philipp_subx at redfish-solutions.com> wrote:
> On 9/26/11 3:59 AM, David F. Skoll wrote:
> > On Sun, 25 Sep 2011 23:27:39 -0700
> > Philip Prindeville <philipp_subx at redfish-solutions.com> wrote:
> >> It's been 2.5 years that we've been talking about how this feature
> >> needs to be implemented. Actually, it might be 3 already. I've lost
> >> track.
> > 
> >> Is it ever going to happen?
> > 
> > Probably not, since no-one else has asked for it.  And I would rather
> > spend time on features lots of people want or features that
> > customers are paying for.
> 
> One other note: I've dealt with ISPs that are less than
> diligent in pursuing SPAM (or SMTP DoS attack) complaints,
> and one of the requirements that they often call out as an
> obstacle to any investigation is a need to have the *source*
> port, source address, *destination port*, destination
> address (presumably because of SNATing) before they will
> investigate. One could argue it should be their
> responsibility to log such mappings, but that's a moot
> point: you can't make them do the right thing.
> 
> Why make it easier for them to bury their head in the sand?
> 
> We generate logs that look like:
> 
> Oct 19 14:11:05 mail mimedefang.pl[13275]: relay: [218.95.114.71] 218.95.114.71:3049 => 66.232.79.143:25
> Oct 19 14:11:05 mail mimedefang.pl[13275]: filter_relay rejected host 218.95.114.71 ([218.95.114.71])
> Oct 19 14:11:05 mail sendmail[13302]: p9JKB5vT013302: Milter: connect: host=71.114.95.218.broad.ja.jx.dynamic.163data.com.cn, addr=218.95.114.71, rejecting commands
> 
> and they absolutely can't hide behind any allegation of us
> failing to provide complete and concise logs.
> 
> (We run service on ports 25, 465, and 587 by the way and
> regularly see DoS attacks on all 3 ports.)

Then log it in the MTA if MD doesn't support it.

Here's the SIMPLE logging statement I use with sendmail:

SLocal_check_relay
R$*             $: $(log "Connection: "$&{if_addr}" ("$&{if_name}") "$&{daemon_port}" <- "$&{client_addr}" "$&{client_port}" C:"$&{client_connections}" R:"$&{client_rate} $) $1

As noted, I log also the interface name (since I have SMTP virtual hosting), connection count, and rate info too.  The client's name gets checked by another rule which occurs later, so it shows up a couple of lines following in my logs.  Therefore, I felt it was unnecessary.

Note:  check_relay runs before there's a queue ID generated, so all these messages will start with a literal "NOQUEUE: Connection: " string.
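
An added example, not part of the original post or of MIMEDefang or sendmail: a small parser that pulls the source address, source port, destination address and destination port out of both log formats discussed in this thread, so the tuple can be pasted into an abuse report. The "NOQUEUE: Connection:" layout is an assumption derived from the rule above, the second and third sample lines are constructed, and the function names are hypothetical.

```python
import re

# Sample input. Line 1 is the "relay:" line quoted in the thread; lines 2 and 3
# are constructed. The NOQUEUE layout is assumed from the Local_check_relay rule.
SAMPLE = [
    "Oct 19 14:11:05 mail mimedefang.pl[13275]: relay: [218.95.114.71] "
    "218.95.114.71:3049 => 66.232.79.143:25",
    "Oct 19 14:11:06 mail sendmail[13302]: NOQUEUE: Connection: 192.0.2.10 "
    "(mx1.example.net) 587 <- 198.51.100.7 40112 C:3 R:12",
    "Oct 19 14:11:07 mail sendmail[13302]: p9JKB5vT013302: Milter: connect: "
    "host=x.example.org, addr=198.51.100.7, rejecting commands",
]

# Syslog timestamp and host name, shared by both formats.
STAMP = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ "
PATTERNS = [
    # MIMEDefang-side line: name src:sport => dst:dport
    re.compile(STAMP + r"mimedefang\.pl\[\d+\]: relay: \S+ "
               r"(?P<src>\S+):(?P<sport>\d+) => (?P<dst>\S+):(?P<dport>\d+)$"),
    # sendmail-side line: if_addr (if_name) daemon_port <- client_addr client_port
    re.compile(STAMP + r"sendmail\[\d+\]: NOQUEUE: Connection: (?P<dst>\S+) "
               r"\([^)]*\) (?P<dport>\d+) <- (?P<src>\S+) (?P<sport>\d+) "
               r"C:\d+ R:\d+$"),
]

def parse_line(line):
    """Return timestamp plus connection 4-tuple, or None for any other line."""
    for pat in PATTERNS:
        m = pat.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
            return rec
    return None

def report(lines, offender):
    """One abuse-report row per logged connection from the given source address."""
    rows = []
    for rec in filter(None, map(parse_line, lines)):
        if rec["src"] == offender:
            rows.append("{ts} {src}:{sport} -> {dst}:{dport}".format(**rec))
    return rows

if __name__ == "__main__":
    for row in report(SAMPLE, "218.95.114.71"):
        print(row)
```

Syslog timestamps in this format carry no year or time zone, so add both by hand when sending the rows to another party.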


