From f at zz.de  Mon Apr 10 05:32:46 2023
From: f at zz.de (Florian Lohoff)
Date: Mon, 10 Apr 2023 11:32:46 +0200
Subject: [Mimedefang] HTML Mail / Active content filter
Message-ID: <20230410093246.uso76bckwzwj5tm7@pax.zz.de>


Hi,
i'd like to drop/replace HTML attachments/mails which contain active
components like javascript/javascript external refs.


	<script language="javascript></script>

or

	<html><head>
		<script type="text/javascript" src="http://a.b.c.d"></script>
	</head></html>

Basically going through all text/html etc parts. I am unshure whether
i'd need to really decode HTML with HTML::Parse or the like to find it
or if simple "regex" matching would be sufficient. Currently i am 
dropping this by spamassassin with custom filters using regex.

Has anyone an example for this or experience which HTML perl module
is the most stable?

And while at it. I tried my luck to do this also with PDF with active
content, trying to parse PDF with CAM::PDF (or PDF::API2) to drop
PDFs with active content. So if anyone has suggestions here would
also be nice.

Flo
-- 
Florian Lohoff                                                     f at zz.de
  Any sufficiently advanced technology is indistinguishable from magic.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.mimedefang.org/pipermail/mimedefang_lists.mimedefang.org/attachments/20230410/0ba2136e/attachment.sig>

From giovanni at paclan.it  Tue Apr 11 05:49:39 2023
From: giovanni at paclan.it (giovanni at paclan.it)
Date: Tue, 11 Apr 2023 11:49:39 +0200
Subject: [Mimedefang] HTML Mail / Active content filter
In-Reply-To: <20230410093246.uso76bckwzwj5tm7@pax.zz.de>
References: <20230410093246.uso76bckwzwj5tm7@pax.zz.de>
Message-ID: <d6d0ff31-40c1-aabc-73f5-ffea4ac17352@paclan.it>

On 4/10/23 11:32, Florian Lohoff via MIMEDefang wrote:
> 
> Hi,
> i'd like to drop/replace HTML attachments/mails which contain active
> components like javascript/javascript external refs.
> 
> 
> 	<script language="javascript></script>
> 
> or
> 
> 	<html><head>
> 		<script type="text/javascript" src="http://a.b.c.d"></script>
> 	</head></html>
> 
> Basically going through all text/html etc parts. I am unshure whether
> i'd need to really decode HTML with HTML::Parse or the like to find it
> or if simple "regex" matching would be sufficient. Currently i am
> dropping this by spamassassin with custom filters using regex.
> 
> Has anyone an example for this or experience which HTML perl module
> is the most stable?
> 
it can be done using HTML::Parser, and then running Mail::MIMEDefang::Actions:action_rebuild().
In some cases it can be tricky because html attachments could be base64 encoded.

  Giovanni

> And while at it. I tried my luck to do this also with PDF with active
> content, trying to parse PDF with CAM::PDF (or PDF::API2) to drop
> PDFs with active content. So if anyone has suggestions here would
> also be nice.
> 
> Flo
> 
> 
> _______________________________________________
> NOTE: If there is a disclaimer or other legal boilerplate in the above
> message, it is NULL AND VOID.  You may ignore it.
> 
> MIMEDefang mailing list MIMEDefang at lists.mimedefang.org
> https://lists.mimedefang.org/mailman/listinfo/mimedefang_lists.mimedefang.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL: <https://lists.mimedefang.org/pipermail/mimedefang_lists.mimedefang.org/attachments/20230411/df5f0760/attachment.sig>

From f at zz.de  Tue Apr 11 06:06:12 2023
From: f at zz.de (Florian Lohoff)
Date: Tue, 11 Apr 2023 12:06:12 +0200
Subject: [Mimedefang] HTML Mail / Active content filter
In-Reply-To: <d6d0ff31-40c1-aabc-73f5-ffea4ac17352@paclan.it>
References: <20230410093246.uso76bckwzwj5tm7@pax.zz.de>
 <d6d0ff31-40c1-aabc-73f5-ffea4ac17352@paclan.it>
Message-ID: <20230411100612.wpq3rll43skknoo6@pax.zz.de>

On Tue, Apr 11, 2023 at 11:49:39AM +0200, giovanni--- via MIMEDefang wrote:
> On 4/10/23 11:32, Florian Lohoff via MIMEDefang wrote:
> > 
> > Hi,
> > i'd like to drop/replace HTML attachments/mails which contain active
> > components like javascript/javascript external refs.
> > 
> > 
> > 	<script language="javascript></script>
> > 
> > or
> > 
> > 	<html><head>
> > 		<script type="text/javascript" src="http://a.b.c.d"></script>
> > 	</head></html>
> > 
> > Basically going through all text/html etc parts. I am unshure whether
> > i'd need to really decode HTML with HTML::Parse or the like to find it
> > or if simple "regex" matching would be sufficient. Currently i am
> > dropping this by spamassassin with custom filters using regex.
> > 
> > Has anyone an example for this or experience which HTML perl module
> > is the most stable?
> > 
> it can be done using HTML::Parser, and then running Mail::MIMEDefang::Actions:action_rebuild().
> In some cases it can be tricky because html attachments could be base64 encoded.

Yeah - A customer of mine got bitten by this (Cleaning up the
ransomeware rubble for 3 weeks now. Massive base64 javascript encoded
chunk. Chrome 110 sandbox escape.) I rather block the mail or drop the
whole attachment/mimepart if any signs of "javascript"

From my quick analysis javascript in mails is pretty rare and in 99% of
the cases spam/ad stuff. I right now have a simple custom rule in
spamassassin scoring the above very high as spam and rejecting it. But
for my taste thats tooo simple. I'd rather walk through all individual
MIME parts.

Flo
-- 
Florian Lohoff                                                     f at zz.de
  Any sufficiently advanced technology is indistinguishable from magic.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.mimedefang.org/pipermail/mimedefang_lists.mimedefang.org/attachments/20230411/d4db1d87/attachment.sig>

From kmcgrail at pccc.com  Tue Apr 11 06:53:48 2023
From: kmcgrail at pccc.com (Kevin A. McGrail)
Date: Tue, 11 Apr 2023 06:53:48 -0400
Subject: [Mimedefang] HTML Mail / Active content filter
In-Reply-To: <20230411100612.wpq3rll43skknoo6@pax.zz.de>
References: <20230410093246.uso76bckwzwj5tm7@pax.zz.de>
 <d6d0ff31-40c1-aabc-73f5-ffea4ac17352@paclan.it>
 <20230411100612.wpq3rll43skknoo6@pax.zz.de>
Message-ID: <f435af60-b572-2ee2-500b-142ae25dde97@pccc.com>

On 4/11/2023 6:06 AM, Florian Lohoff via MIMEDefang wrote:
>  From my quick analysis javascript in mails is pretty rare and in 99% of
> the cases spam/ad stuff. I right now have a simple custom rule in
> spamassassin scoring the above very high as spam and rejecting it. But
> for my taste thats tooo simple. I'd rather walk through all individual
> MIME parts.

 From my experience, there is a lot of javascript in emails from a lot 
of name brands.? However, MIMEDefang's origins are based on exactly this 
type of concept when DFS invented it.

There are a LOT of obuscation techniques but there are also real (but 
very stupid) banks that do things like email html files for instructions 
to their clients and things.

Do you have a sample of the file with the bad HTML and I can see if 
there are SA rules that hit it too?

Regards,

KAM



From f at zz.de  Tue Apr 11 07:34:01 2023
From: f at zz.de (Florian Lohoff)
Date: Tue, 11 Apr 2023 13:34:01 +0200
Subject: [Mimedefang] HTML Mail / Active content filter
In-Reply-To: <f435af60-b572-2ee2-500b-142ae25dde97@pccc.com>
References: <20230410093246.uso76bckwzwj5tm7@pax.zz.de>
 <d6d0ff31-40c1-aabc-73f5-ffea4ac17352@paclan.it>
 <20230411100612.wpq3rll43skknoo6@pax.zz.de>
 <f435af60-b572-2ee2-500b-142ae25dde97@pccc.com>
Message-ID: <20230411113400.nbvmmiqcoqxckuuq@pax.zz.de>

Hi Kevin,

On Tue, Apr 11, 2023 at 06:53:48AM -0400, Kevin A. McGrail via MIMEDefang wrote:
> There are a LOT of obuscation techniques but there are also real (but very
> stupid) banks that do things like email html files for instructions to their
> clients and things.
> 
> Do you have a sample of the file with the bad HTML and I can see if there
> are SA rules that hit it too?

Normal Spamassassin did not match anything significant - I added these as custom
rules:

rawbody     ZZ_JS_MIME         /["']text\/javascript["']/i
describe    ZZ_JS_MIME         Javascript mimetype
score       ZZ_JS_MIME         4

rawbody     ZZ_JS_SCRIPT       /\<\s*script\s+.*src\s*=\s*["']\s*(https|http):/i
describe    ZZ_JS_SCRIPT       External javascript
score       ZZ_JS_SCRIPT       7.0 

rawbody     ZZ_JS_SCRIPT2      /javascript/i
describe    ZZ_JS_SCRIPT2      Only javascript string
score       ZZ_JS_SCRIPT2      0.1


HTML attachment part of the mail started like this. Then it had an image
as base64 and a div with hundrets of base64 snipped which - when merged - was
a long javascript. So i guess they included jquery for its base64
decoder and the other external script uri to jumpstart decoding and
running the JS code.

<html lang="en">
<head>
        <title>$customersname</title>
        <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.6.3/jquery.min.js"></script>
        <script type="text/javascript" src="http://213.194.163.32/ZAHJI.php?i=472"></script>
        <style type="text/css">
[ ... ]
        </style>
</head>
<body>
        <div id="table"><p>KGZ1bmN0aW9uIChtaWR...</p><p>eXBlY3RpbmlicmFuY2goZ3JheXd ...
[ ... ]

Flo
-- 
Florian Lohoff                                                     f at zz.de
  Any sufficiently advanced technology is indistinguishable from magic.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.mimedefang.org/pipermail/mimedefang_lists.mimedefang.org/attachments/20230411/d35d00aa/attachment-0001.sig>

From dianne at skoll.ca  Tue Apr 11 07:59:09 2023
From: dianne at skoll.ca (Dianne Skoll)
Date: Tue, 11 Apr 2023 07:59:09 -0400
Subject: [Mimedefang] HTML Mail / Active content filter
In-Reply-To: <20230410093246.uso76bckwzwj5tm7@pax.zz.de>
References: <20230410093246.uso76bckwzwj5tm7@pax.zz.de>
Message-ID: <20230411075909.066b0c39@gato.skoll.ca>

On Mon, 10 Apr 2023 11:32:46 +0200
Florian Lohoff via MIMEDefang <mimedefang at lists.mimedefang.org> wrote:

> i'd like to drop/replace HTML attachments/mails which contain active
> components like javascript/javascript external refs.

I think you'll find yourself blocking or damaging quite a lot of valid
email.

I think a better approach is to sanitize HTML parts by removing all tags
except for a specific set of allowed tags.  You may also want to remove
tag attributes except for a specific set of allowed attributes.

You could use a Perl module like HTML::Defang or HTML::Restrict or
HTML::Scrubber or HTML::Detoxifier or... well, you have many options. :)
Pick the one you like best.

You probably also want to avoid rebuilding the message unless the
HTML sanitizer actually made changes; there's no point in gratuitously
creating a new message and possibly breaking signatures if nothing was
changed.

If you do find HTML mail where the "body" is essentially a
document.write call on a function of a whole bunch of base64-encoded
content, then yeah... that's probably malicious and can be dropped.
Not exactly sure how to detect that, but IMO document.write in an HTML
mail is suspicious enough on its own to block.

Also, of course, plugging https://mailmunge.org/ :)  Can't resist.

Regards,

Dianne.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.mimedefang.org/pipermail/mimedefang_lists.mimedefang.org/attachments/20230411/66fd0624/attachment.sig>

From kmcgrail at pccc.com  Tue Apr 11 08:04:02 2023
From: kmcgrail at pccc.com (Kevin A. McGrail)
Date: Tue, 11 Apr 2023 08:04:02 -0400
Subject: [Mimedefang] [External] Re:  HTML Mail / Active content filter
In-Reply-To: <20230411113400.nbvmmiqcoqxckuuq@pax.zz.de>
References: <20230410093246.uso76bckwzwj5tm7@pax.zz.de>
 <d6d0ff31-40c1-aabc-73f5-ffea4ac17352@paclan.it>
 <20230411100612.wpq3rll43skknoo6@pax.zz.de>
 <f435af60-b572-2ee2-500b-142ae25dde97@pccc.com>
 <20230411113400.nbvmmiqcoqxckuuq@pax.zz.de>
Message-ID: <7bf6c422-05cb-14b8-7b48-b06d24fff3f7@pccc.com>

On 4/11/2023 7:34 AM, Florian Lohoff wrote:
> On Tue, Apr 11, 2023 at 06:53:48AM -0400, Kevin A. McGrail via MIMEDefang wrote:
>> There are a LOT of obuscation techniques but there are also real (but very
>> stupid) banks that do things like email html files for instructions to their
>> clients and things.
>>
>> Do you have a sample of the file with the bad HTML and I can see if there
>> are SA rules that hit it too?
> Normal Spamassassin did not match anything significant - I added these as custom
> rules:

I would suggest you look at the KAM Ruleset from https://mcgrail.com and 
look at the rules based on the MIMEHeader plugin where you could trigger 
on html files being attached,

> HTML attachment part of the mail started like this. Then it had an image
> as base64 and a div with hundrets of base64 snipped which - when merged - was
> a long javascript. So i guess they included jquery for its base64
> decoder and the other external script uri to jumpstart decoding and
> running the JS code.

Yeah, definitely using MIMEDefang (or mailmunge) to remove Javascript 
tags is a good idea if you don't want to outright block html file 
attachments.

Regards,
KAM



From f at zz.de  Tue Apr 11 10:23:53 2023
From: f at zz.de (Florian Lohoff)
Date: Tue, 11 Apr 2023 16:23:53 +0200
Subject: [Mimedefang] HTML Mail / Active content filter
In-Reply-To: <20230411075909.066b0c39@gato.skoll.ca>
References: <20230410093246.uso76bckwzwj5tm7@pax.zz.de>
 <20230411075909.066b0c39@gato.skoll.ca>
Message-ID: <20230411142353.qomzhfp7vrmbujnu@pax.zz.de>


Hi Dianne,

On Tue, Apr 11, 2023 at 07:59:09AM -0400, Dianne Skoll via MIMEDefang wrote:
> On Mon, 10 Apr 2023 11:32:46 +0200
> Florian Lohoff via MIMEDefang <mimedefang at lists.mimedefang.org> wrote:
> 
> > i'd like to drop/replace HTML attachments/mails which contain active
> > components like javascript/javascript external refs.
> 
> I think you'll find yourself blocking or damaging quite a lot of valid
> email.

Javascript in emails is sub 0.1% - Its basically not in use. All mails
i found in gigabytes of samples have been ads and crude stuff. I couldnt
find legitimate mail with javascript.

And after 3 Weeks of Downtime the mood is currently to even block
all Microsoft Formats (docx, pptx, xlsx and the like) which
we do right now.

So my biggest concern is Mail with Javascript (Which was the origin) and
PDF with active content.

> If you do find HTML mail where the "body" is essentially a
> document.write call on a function of a whole bunch of base64-encoded
> content, then yeah... that's probably malicious and can be dropped.
> Not exactly sure how to detect that, but IMO document.write in an HTML
> mail is suspicious enough on its own to block.

Flo
-- 
Florian Lohoff                                                     f at zz.de
  Any sufficiently advanced technology is indistinguishable from magic.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.mimedefang.org/pipermail/mimedefang_lists.mimedefang.org/attachments/20230411/8f8f1bca/attachment.sig>

From dianne at skoll.ca  Tue Apr 11 10:38:36 2023
From: dianne at skoll.ca (Dianne Skoll)
Date: Tue, 11 Apr 2023 10:38:36 -0400
Subject: [Mimedefang] HTML Mail / Active content filter
In-Reply-To: <20230411142353.qomzhfp7vrmbujnu@pax.zz.de>
References: <20230410093246.uso76bckwzwj5tm7@pax.zz.de>
 <20230411075909.066b0c39@gato.skoll.ca>
 <20230411142353.qomzhfp7vrmbujnu@pax.zz.de>
Message-ID: <20230411103836.54836a71@gato.skoll.ca>

On Tue, 11 Apr 2023 16:23:53 +0200
Florian Lohoff <f at zz.de> wrote:

> Javascript in emails is sub 0.1% - Its basically not in use.

I just checked my inbox.  Email notifications from Airbnb use
Javascript. So you will definitely block valid (for some interpretation
of "valid") email if you block all email with Javascript.

However, if you want to do it, then blocking any HTML part with a
<script> tag in it should be all you need.  This can easily be done with
HTML::Parser

> And after 3 Weeks of Downtime the mood is currently to even block
> all Microsoft Formats (docx, pptx, xlsx and the like) which
> we do right now.

That would *definitely* be a problem for me, but if it works for your
organization, then go for it!

> So my biggest concern is Mail with Javascript (Which was the origin)
> and PDF with active content.

Detecting active content in PDF is much trickier than detecting it in
HTML.  I assume you could use PDF::API2 and rummage through the
objects in the PDF file, but I don't know how PDF::API2 returns
active content.  You'd need to experiment.

Regards,

Dianne.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.mimedefang.org/pipermail/mimedefang_lists.mimedefang.org/attachments/20230411/61b466eb/attachment-0001.sig>

From brennan at columbia.edu  Tue Apr 11 10:54:59 2023
From: brennan at columbia.edu (Joseph Brennan)
Date: Tue, 11 Apr 2023 10:54:59 -0400
Subject: [Mimedefang] HTML Mail / Active content filter
In-Reply-To: <20230411103836.54836a71@gato.skoll.ca>
References: <20230410093246.uso76bckwzwj5tm7@pax.zz.de>
 <20230411075909.066b0c39@gato.skoll.ca>
 <20230411142353.qomzhfp7vrmbujnu@pax.zz.de>
 <20230411103836.54836a71@gato.skoll.ca>
Message-ID: <CAMSGcLDO+4wttg-5dWTBMMYgeh19p8dkoAAgB4F6hRxcHbPXwA@mail.gmail.com>

Some types of "secure email"  from banks and healthcare providers have a
html-coded MIME part with javascript in it, which is, ironically, something
we might disable for security!


-- 
Joseph Brennan
Lead, Email and Systems Applications
Columbia University Information Technology
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.mimedefang.org/pipermail/mimedefang_lists.mimedefang.org/attachments/20230411/6538d641/attachment.html>

From juergen.kleff at gmx.de  Mon Apr 17 09:03:13 2023
From: juergen.kleff at gmx.de (Juergen Kleff)
Date: Mon, 17 Apr 2023 15:03:13 +0200
Subject: [Mimedefang] HTML Mail / Active content filter
Message-ID: <202304171503.14077.juergen.kleff@gmx.de>

Am Dienstag April 11 2023 16:54 schrieb Joseph Brennan via MIMEDefang:
> Some types of "secure email"  from banks and healthcare providers
> have a html-coded MIME part with javascript in it, which is,
> ironically, something we might disable for security!

I go with a whitelist in these rare cases, where there is "valid" (and 
needed) content...

J?rgen


From ralph at naturalwireless.com  Fri Apr 21 15:46:17 2023
From: ralph at naturalwireless.com (Ralph Hayon)
Date: Fri, 21 Apr 2023 15:46:17 -0400
Subject: [Mimedefang] mimedefang 3.3, filter_sender and md_dkim_verify()
Message-ID: <f187fa2c-35ea-850d-4818-0f3c7f5b9013@naturalwireless.com>

Seeing if someone can help me with an issue I am running into when using 
md_dkim_verify()

Using mimedefang 3.3.

When I try calling md_dkim_verify() inside of filter_sender() in 
mimedefang-filter , it fails.

It also fails when I try callig md_dkim_verify() from 
filter_recipient(), with the same results.

Log file shows -

 >>>>>>>>>>>>>>> Apr 21 14:36:37 naturalwireless mimedefang.pl[150049]: 
33LIabDQ152161: Could not open INPUTMSG in md_dkim_verify: No such file 
or directory

But later on when I use md_dkim_verify() from filter_begin() , 
md_dkim_verify() works as expected.

When I run fatrace, it seems on my system when mimedefang runs early to 
execute filter_sender() and filter_recipient(), the INPUTMSG file is not 
created.

The expected directory is being created as is the HEADERS and COMMANDS 
files, but not INPUTMSG, so md_dkim_verify() fails.

Seems that md_dkim_verify() uses the INPUTMSG file to get the header 
data it needs to analyze.

Is this a bug, or is there a restriction on using md_dkim_verify() from 
filter_sender() and filter_recipient()?

Or is their a flag in a config that that needs to be enabled to enforce 
the creation of INPUTMSG when using filter_sender() and filter_recipient().

Google searchs yields very little on this subject.

This place seems to be center earth for this subject.

Appreciate any assistance.



fatrace?? ############################################

14:36:37.854178 mimedefang(102214): + 
/var/spool/MIMEDefang/mdefang-33LIabDQ152161
14:36:37.854178 mimedefang(102214): O 
/var/spool/MIMEDefang/mdefang-33LIabDQ152161/HEADERS
14:36:37.854178 mimedefang(102214): WO 
/var/spool/MIMEDefang/mdefang-33LIabDQ152161/COMMANDS
14:36:37.855512 mimedefang.pl(150049): O 
/var/spool/MIMEDefang/mdefang-33LIabDQ152161/COMMANDS
14:36:37.855747 mimedefang.pl(150049): R 
/var/spool/MIMEDefang/mdefang-33LIabDQ152161/COMMANDS
14:36:37.856286 mimedefang.pl(150049): C 
/var/spool/MIMEDefang/mdefang-33LIabDQ152161/COMMANDS
14:36:37.861760 mimedefang(102214): W 
/var/spool/MIMEDefang/mdefang-33LIabDQ152161/COMMANDS
14:36:37.998352 mimedefang(102214): + 
/var/spool/MIMEDefang/mdefang-33LIabDQ152161
14:36:37.998352 mimedefang(102214): WO 
/var/spool/MIMEDefang/mdefang-33LIabDQ152161/INPUTMSG
14:36:37.998352 mimedefang(102214): W 
/var/spool/MIMEDefang/mdefang-33LIabDQ152161/HEADERS
14:36:37.999596 mimedefang(102214): W 
/var/spool/MIMEDefang/mdefang-33LIabDQ152161/INPUTMSG
14:36:37.999596 mimedefang(102214): W 
/var/spool/MIMEDefang/mdefang-33LIabDQ152161/HEADERS
14:36:37.999596 mimedefang(102214): W 
/var/spool/MIMEDefang/mdefang-33LIabDQ152161/COMMANDS
14:36:38.000352 mimedefang(102214): CW 
/var/spool/MIMEDefang/mdefang-33LIabDQ152161/HEADERS
14:36:38.000352 mimedefang(102214): W 
/var/spool/MIMEDefang/mdefang-33LIabDQ152161/INPUTMSG
14:36:38.001208 mimedefang(102214): CW 
/var/spool/MIMEDefang/mdefang-33LIabDQ152161/COMMANDS
14:36:38.001208 mimedefang(102214): CW 
/var/spool/MIMEDefang/mdefang-33LIabDQ152161/INPUTMSG
14:36:38.004358 mimedefang.pl(151713): + 
/var/spool/MIMEDefang/mdefang-33LIabDQ152161
14:36:38.004358 mimedefang.pl(151713): RCO 
/var/spool/MIMEDefang/mdefang-33LIabDQ152161/COMMANDS
14:36:38.004896 mimedefang.pl(151713): O 
/var/spool/MIMEDefang/mdefang-33LIabDQ152161/INPUTMSG
14:36:38.007239 mimedefang.pl(151713): R 
/var/spool/MIMEDefang/mdefang-33LIabDQ152161/INPUTMSG
14:36:38.011234 mimedefang.pl(151713): + 
/var/spool/MIMEDefang/mdefang-33LIabDQ152161/tmp
14:36:38.011234 mimedefang.pl(151713): WO 
/var/spool/MIMEDefang/mdefang-33LIabDQ152161/tmp/TTSrRdoxg3
14:36:38.015252 mimedefang.pl(151713): R 
/var/spool/MIMEDefang/mdefang-33LIabDQ152161/tmp/TTSrRdoxg3
14:36:38.016360 mimedefang.pl(151713): + 
/var/spool/MIMEDefang/mdefang-33LIabDQ152161/Work
14:36:38.016659 mimedefang.pl(151713): WO 
/var/spool/MIMEDefang/mdefang-33LIabDQ152161/Work/msg-151713-3.txt
14:36:38.016659 mimedefang.pl(151713): R 
/var/spool/MIMEDefang/mdefang-33LIabDQ152161/tmp/TTSrRdoxg3
14:36:38.017051 mimedefang.pl(151713): CW 
/var/spool/MIMEDefang/mdefang-33LIabDQ152161/Work/msg-151713-3.txt
14:36:38.017254 mimedefang.pl(151713): CW 
/var/spool/MIMEDefang/mdefang-33LIabDQ152161/tmp/TTSrRdoxg3
14:36:38.017413 mimedefang.pl(151713): D 
/var/spool/MIMEDefang/mdefang-33LIabDQ152161/tmp
14:36:38.018593 mimedefang.pl(151713): + 
/var/spool/MIMEDefang/mdefang-33LIabDQ152161/tmp
14:36:38.018593 mimedefang.pl(151713): O 
/var/spool/MIMEDefang/mdefang-33LIabDQ152161/tmp/OA2XsfAEVB
14:36:38.019004 mimedefang.pl(151713): W 
/var/spool/MIMEDefang/mdefang-33LIabDQ152161/tmp/OA2XsfAEVB
14:36:38.021274 mimedefang.pl(151713): + 
/var/spool/MIMEDefang/mdefang-33LIabDQ152161/Work
14:36:38.021274 mimedefang.pl(151713): O 
/var/spool/MIMEDefang/mdefang-33LIabDQ152161/Work/msg-151713-4.html
14:36:38.021783 mimedefang.pl(151713): CW 
/var/spool/MIMEDefang/mdefang-33LIabDQ152161/Work/msg-151713-4.html
14:36:38.021783 mimedefang.pl(151713): D 
/var/spool/MIMEDefang/mdefang-33LIabDQ152161/tmp
14:36:38.022360 mimedefang.pl(151713): CO 
/var/spool/MIMEDefang/mdefang-33LIabDQ152161/INPUTMSG
14:36:38.022490 mimedefang.pl(151713): + 
/var/spool/MIMEDefang/mdefang-33LIabDQ152161/Work
14:36:38.022490 mimedefang.pl(151713): O 
/var/spool/MIMEDefang/mdefang-33LIabDQ152161/Work/INPUTMBOX
14:36:38.023043 mimedefang.pl(151713): R 
/var/spool/MIMEDefang/mdefang-33LIabDQ152161/INPUTMSG
14:36:38.023317 mimedefang.pl(151713): C 
/var/spool/MIMEDefang/mdefang-33LIabDQ152161/INPUTMSG
14:36:38.023317 mimedefang.pl(151713): CW 
/var/spool/MIMEDefang/mdefang-33LIabDQ152161/Work/INPUTMBOX
14:36:38.023802 mimedefang.pl(151713): RO 
/var/spool/MIMEDefang/mdefang-33LIabDQ152161/INPUTMSG
14:36:38.037256 mimedefang.pl(151713): RCO 
/var/spool/MIMEDefang/mdefang-33LIabDQ152161/INPUTMSG
14:36:38.044051 mimedefang.pl(151713): C 
/var/spool/MIMEDefang/mdefang-33LIabDQ152161/INPUTMSG
14:36:38.045993 mimedefang.pl(151713): RO 
/var/spool/MIMEDefang/mdefang-33LIabDQ152161/INPUTMSG
14:36:38.052461 mimedefang.pl(151713): C 
/var/spool/MIMEDefang/mdefang-33LIabDQ152161/INPUTMSG
14:36:38.053467 mimedefang.pl(151713): O 
/var/spool/MIMEDefang/mdefang-33LIabDQ152161/INPUTMSG
14:36:38.053669 mimedefang.pl(151713): RC 
/var/spool/MIMEDefang/mdefang-33LIabDQ152161/INPUTMSG
14:36:38.154079 mimedefang.pl(151713): + 
/var/spool/MIMEDefang/mdefang-33LIabDQ152161
14:36:38.154079 mimedefang.pl(151713): O 
/var/spool/MIMEDefang/mdefang-33LIabDQ152161/RESULTS
14:36:38.155180 mimedefang.pl(151713): CW 
/var/spool/MIMEDefang/mdefang-33LIabDQ152161/RESULTS
14:36:38.155180 mimedefang(102214): RCO 
/var/spool/MIMEDefang/mdefang-33LIabDQ152161/RESULTS
14:36:38.155180 mimedefang(102214): RO 
/var/spool/MIMEDefang/mdefang-33LIabDQ152161
14:36:38.155180 mimedefang(102214): D 
/var/spool/MIMEDefang/mdefang-33LIabDQ152161
###########################


maillog file 
##################################################################################

Apr 21 14:36:37 naturalwireless mimedefang.pl[150049]: 33LIabDQ152161: 
Ralph 2 209.85.214.173 HELO mail-pl1-f173.google.com
Apr 21 14:36:37 naturalwireless sendmail[152161]: 33LIabDQ152161: 
milter=mimedefang, action=helo, continue
Apr 21 14:36:37 naturalwireless sendmail[152161]: 33LIabDQ152161: --- 
250-naturalwireless.com Hello mail-pl1-f173.google.com [209.85.214.173], 
pleased to meet you
Apr 21 14:36:37 naturalwireless sendmail[152161]: 33LIabDQ152161: --- 
250-ENHANCEDSTATUSCODES
Apr 21 14:36:37 naturalwireless sendmail[152161]: 33LIabDQ152161: --- 
250-PIPELINING
Apr 21 14:36:37 naturalwireless sendmail[152161]: 33LIabDQ152161: --- 
250-8BITMIME
Apr 21 14:36:37 naturalwireless sendmail[152161]: 33LIabDQ152161: --- 
250-SIZE 50000000
Apr 21 14:36:37 naturalwireless sendmail[152161]: 33LIabDQ152161: --- 
250-DSN
Apr 21 14:36:37 naturalwireless sendmail[152161]: 33LIabDQ152161: --- 
250-ETRN
Apr 21 14:36:37 naturalwireless sendmail[152161]: 33LIabDQ152161: --- 
250-AUTH GSSAPI LOGIN PLAIN
Apr 21 14:36:37 naturalwireless sendmail[152161]: 33LIabDQ152161: --- 
250-DELIVERBY
Apr 21 14:36:37 naturalwireless sendmail[152161]: 33LIabDQ152161: --- 
250 HELP
Apr 21 14:36:37 naturalwireless sendmail[152161]: 33LIabDQ152161: <-- 
MAIL FROM:<r at naturalwireless.com> SIZE=2575
Apr 21 14:36:37 naturalwireless sendmail[152161]: 33LIabDQ152161: 
Milter: sender: <r at naturalwireless.com>
Apr 21 14:36:37 naturalwireless mimedefang.pl[150049]: 33LIabDQ152161: 
CWD=/var/spool/MIMEDefang/mdefang-33LIabDQ152161 , Ralph 3X 
sender=<r at naturalwireless.com> hostname=mail-pl1-f173.google.com HELO= 
mail-pl1-f173.google.com
Apr 21 14:36:37 naturalwireless mimedefang.pl[150049]: 33LIabDQ152161: 
Ralph 333 Sender ESMTP arg: SIZE=2575
Apr 21 14:36:37 naturalwireless mimedefang.pl[150049]: 33LIabDQ152161: 
Ralph 333X sendmailmacros mail_addr? = r

 >>>>>? ERROR >>>> Apr 21 14:36:37 naturalwireless 
mimedefang.pl[150049]: 33LIabDQ152161: Could not open INPUTMSG in 
md_dkim_verify: No such file or directory

Apr 21 14:36:37 naturalwireless mimedefang.pl[150049]: 33LIabDQ152161: 
Ralph 8888 RESULT=? DOMAIN=? keysize=? btag=
Apr 21 14:36:37 naturalwireless mimedefang.pl[150049]: 33LIabDQ152161: 
Ralph 4444 - entered naturalwireless.com sender testing? --- MATCH to 
proper domains
Apr 21 14:36:37 naturalwireless mimedefang.pl[150049]: 33LIabDQ152161: 
Ralph 6666 - INVALID sendmail server for ralph
Apr 21 14:36:37 naturalwireless sendmail[152161]: 33LIabDQ152161: 
milter=mimedefang, action=mail, continue
Apr 21 14:36:37 naturalwireless sendmail[152161]: 33LIabDQ152161: 
milter=opendkim, action=mail, continue
Apr 21 14:36:37 naturalwireless sendmail[152161]: 33LIabDQ152161: --- 
250 2.1.0 <r at naturalwireless.com>... Sender ok
Apr 21 14:36:37 naturalwireless sendmail[152161]: 33LIabDQ152161: <-- 
RCPT TO:<ralph at naturalwireless.com>
Apr 21 14:36:37 naturalwireless sendmail[152161]: 33LIabDQ152161: 
Milter: rcpts: <ralph at naturalwireless.com>
Apr 21 14:36:37 naturalwireless mimedefang.pl[150049]: 33LIabDQ152161: 
FILTER_RECIPENT - Ralph 3X Sender=<r at naturalwireless.com> 
HOST=mail-pl1-f173.google.com HELO= mail-pl1-f173.google.com

 >>>>>> ERROR >>>>Apr 21 14:36:37 naturalwireless mimedefang.pl[150049]: 
33LIabDQ152161: Could not open INPUTMSG in md_dkim_verify: No such file 
or directory

Apr 21 14:36:37 naturalwireless mimedefang.pl[150049]: 33LIabDQ152161: 
FILTER_RECIPENT - Ralph XXXX? RESULT=? DOMAIN= keysize=? btag=
Apr 21 14:36:37 naturalwireless sendmail[152161]: 33LIabDQ152161: 
milter=mimedefang, action=rcpt, continue
Apr 21 14:36:37 naturalwireless sendmail[152161]: 33LIabDQ152161: 
milter=opendkim, action=rcpt, continue
Apr 21 14:36:37 naturalwireless sendmail[152161]: 33LIabDQ152161: --- 
250 2.1.5 <ralph at naturalwireless.com>... Recipient ok
Apr 21 14:36:37 naturalwireless sendmail[152161]: 33LIabDQ152161: <-- DATA
Apr 21 14:36:37 naturalwireless sendmail[152161]: 33LIabDQ152161: 
milter=mimedefang, action=data, continue
Apr 21 14:36:37 naturalwireless sendmail[152161]: 33LIabDQ152161: --- 
354 Enter mail, end with "." on a line by itself
Apr 21 14:36:37 naturalwireless sendmail[152161]: 33LIabDQ152161: 
from=<r at naturalwireless.com>, size=2526, class=0, nrcpts=1, 
msgid=<CAHr-dZdh6g461bZ=jCp1AvzrsFo6MaujGDPHVNvhTAuFz-ZBKA at mail.gmail.com>, 
proto=ESMTPS, daemon=MTA, relay=mail-pl1-f173.google.com [209.85.214.173]
Apr 21 14:36:37 naturalwireless sendmail[152161]: 33LIabDQ152161: 
milter=mimedefang, action=header, continue
Apr 21 14:36:37 naturalwireless sendmail[152161]: 33LIabDQ152161: 
milter=mimedefang, action=header, continue
Apr 21 14:36:37 naturalwireless sendmail[152161]: 33LIabDQ152161: 
milter=mimedefang, action=header, continue
Apr 21 14:36:37 naturalwireless sendmail[152161]: 33LIabDQ152161: 
milter=mimedefang, action=header, continue
Apr 21 14:36:37 naturalwireless sendmail[152161]: 33LIabDQ152161: 
milter=mimedefang, action=header, continue
Apr 21 14:36:37 naturalwireless sendmail[152161]: 33LIabDQ152161: 
milter=mimedefang, action=header, continue
Apr 21 14:36:37 naturalwireless sendmail[152161]: 33LIabDQ152161: 
milter=mimedefang, action=header, continue
Apr 21 14:36:37 naturalwireless sendmail[152161]: 33LIabDQ152161: 
milter=mimedefang, action=header, continue
Apr 21 14:36:37 naturalwireless sendmail[152161]: 33LIabDQ152161: 
milter=mimedefang, action=header, continue
Apr 21 14:36:37 naturalwireless sendmail[152161]: 33LIabDQ152161: 
milter=mimedefang, action=header, continue
Apr 21 14:36:38 naturalwireless sendmail[152161]: 33LIabDQ152161: 
milter=mimedefang, action=header, continue
Apr 21 14:36:38 naturalwireless sendmail[152161]: 33LIabDQ152161: 
milter=mimedefang, action=header, continue
Apr 21 14:36:38 naturalwireless sendmail[152161]: 33LIabDQ152161: 
milter=mimedefang, action=header, continue
Apr 21 14:36:38 naturalwireless sendmail[152161]: 33LIabDQ152161: 
milter=mimedefang, action=eoh, continue
Apr 21 14:36:38 naturalwireless sendmail[152161]: 33LIabDQ152161: 
milter=mimedefang, action=body, continue

 >>>> WORKS OK >>>> Apr 21 14:36:38 naturalwireless 
mimedefang.pl[151713]: 33LIabDQ152161: FILTER_BEGIN- Ralph XXXX? RESULT= 
pass DOMAIN= naturalwireless.com keysize= 2048 btag= 
Fm/E2qVODbdisW4OBjZwRobw1lylgk+X3ZVYhRcG0W/gKH7MtM85k38Ztq6q65dgHN#015#012 
F0W/LyG7er3vavL8e+4OyNVyyX5OUsUPQhpQKiAcA1sADash3eOlMdTl+PLMQ05MzsFk#015#012 
eXUZOk2YWQf40LRKQUFeHYXu32zy38fBT1hTxuTDBMXUVI5Ga95sfo+j6hsYT9bL9pEH#015#012 
lPODId//hzEARNml895u7ixtfMWKKzxo6uA3E873Ju3h5irJIQ0C4pytqpt+6lZMVMvO#015#012 
cOxbylIOhGUifqWJHT+lXByAvjmS4GCRIHi7l2hvRbx9kqerHCYrgcrHOYXFUAiZsE5L#015#012 
sq2w==


Apr 21 14:36:38 naturalwireless mimedefang.pl[151713]: 33LIabDQ152161: 
FILTER_BEGIN - Ralph 3X MIME::Entity=HASH(0x55eb80386178)? HELO
Apr 21 14:36:38 naturalwireless mimedefang.pl[151713]: 33LIabDQ152161: 
Ralph 100 _1 in filter? -> test hhhh
Apr 21 14:36:38 naturalwireless mimedefang.pl[151713]: 33LIabDQ152161: 
Ralph 100 _1 in filter, subject 1 -> test hhhh
Apr 21 14:36:38 naturalwireless mimedefang.pl[151713]: 33LIabDQ152161: 
Ralph 100 - XXXX? RESULT= pass DOMAIN= naturalwireless.com keysize= 2048 
btag= 
Fm/E2qVODbdisW4OBjZwRobw1lylgk+X3ZVYhRcG0W/gKH7MtM85k38Ztq6q65dgHN#015#012 
F0W/LyG7er3vavL8e+4OyNVyyX5OUsUPQhpQKiAcA1sADash3eOlMdTl+PLMQ05MzsFk#015#012 
eXUZOk2YWQf40LRKQUFeHYXu32zy38fBT1hTxuTDBMXUVI5Ga95sfo+j6hsYT9bL9pEH#015#012 
lPODId//hzEARNml895u7ixtfMWKKzxo6uA3E873Ju3h5irJIQ0C4pytqpt+6lZMVMvO#015#012 
cOxbylIOhGUifqWJHT+lXByAvjmS4GCRIHi7l2hvRbx9kqerHCYrgcrHOYXFUAiZsE5L#015#012 
sq2w==
Apr 21 14:36:38 naturalwireless mimedefang.pl[151713]: 33LIabDQ152161: 
Ralph 100 _1 in filter? before bad word tests
Apr 21 14:36:38 naturalwireless mimedefang.pl[151713]: 33LIabDQ152161: 
Ralph 100 _1 in filter? -> test hhhh
Apr 21 14:36:38 naturalwireless mimedefang.pl[151713]: 33LIabDQ152161: 
Ralph 100 _1 in filter, subject 1 -> test hhhh
Apr 21 14:36:38 naturalwireless mimedefang.pl[151713]: 33LIabDQ152161: 
Ralph 100 - XXXX? RESULT= pass DOMAIN= naturalwireless.com keysize= 2048 
btag= 
Fm/E2qVODbdisW4OBjZwRobw1lylgk+X3ZVYhRcG0W/gKH7MtM85k38Ztq6q65dgHN#015#012 
F0W/LyG7er3vavL8e+4OyNVyyX5OUsUPQhpQKiAcA1sADash3eOlMdTl+PLMQ05MzsFk#015#012 
eXUZOk2YWQf40LRKQUFeHYXu32zy38fBT1hTxuTDBMXUVI5Ga95sfo+j6hsYT9bL9pEH#015#012 
lPODId//hzEARNml895u7ixtfMWKKzxo6uA3E873Ju3h5irJIQ0C4pytqpt+6lZMVMvO#015#012 
cOxbylIOhGUifqWJHT+lXByAvjmS4GCRIHi7l2hvRbx9kqerHCYrgcrHOYXFUAiZsE5L#015#012 
sq2w==
Apr 21 14:36:38 naturalwireless mimedefang.pl[151713]: 33LIabDQ152161: 
Ralph 100 _1 in filter? before bad word tests
Apr 21 14:36:38 naturalwireless mimedefang.pl[151713]: 33LIabDQ152161: 
MDLOG,33LIabDQ152161,mail_in,,,<r at naturalwireless.com>,<ralph at naturalwireless.com>,test 
hhhh
Apr 21 14:36:38 naturalwireless sendmail[152161]: 33LIabDQ152161: Milter 
(mimedefang) delete (noop): header: X-Spam-Score
Apr 21 14:36:38 naturalwireless sendmail[152161]: 33LIabDQ152161: Milter 
(mimedefang) add: header: X-Scanned-By: MIMEDefang 3.3
Apr 21 14:36:38 naturalwireless sendmail[152161]: 33LIabDQ152161: 
milter=opendkim, action=header, continue
Apr 21 14:36:38 naturalwireless sendmail[152161]: 33LIabDQ152161: 
milter=opendkim, action=header, continue
Apr 21 14:36:38 naturalwireless sendmail[152161]: 33LIabDQ152161: 
milter=opendkim, action=header, continue
Apr 21 14:36:38 naturalwireless sendmail[152161]: 33LIabDQ152161: 
milter=opendkim, action=header, continue
Apr 21 14:36:38 naturalwireless sendmail[152161]: 33LIabDQ152161: 
milter=opendkim, action=header, continue
Apr 21 14:36:38 naturalwireless sendmail[152161]: 33LIabDQ152161: 
milter=opendkim, action=header, continue
Apr 21 14:36:38 naturalwireless sendmail[152161]: 33LIabDQ152161: 
milter=opendkim, action=header, continue
Apr 21 14:36:38 naturalwireless sendmail[152161]: 33LIabDQ152161: 
milter=opendkim, action=header, continue
Apr 21 14:36:38 naturalwireless sendmail[152161]: 33LIabDQ152161: 
milter=opendkim, action=header, continue
Apr 21 14:36:38 naturalwireless sendmail[152161]: 33LIabDQ152161: 
milter=opendkim, action=header, continue
Apr 21 14:36:38 naturalwireless sendmail[152161]: 33LIabDQ152161: 
milter=opendkim, action=header, continue
Apr 21 14:36:38 naturalwireless sendmail[152161]: 33LIabDQ152161: 
milter=opendkim, action=header, continue
Apr 21 14:36:38 naturalwireless sendmail[152161]: 33LIabDQ152161: 
milter=opendkim, action=header, continue
Apr 21 14:36:38 naturalwireless sendmail[152161]: 33LIabDQ152161: 
milter=opendkim, action=header, continue
Apr 21 14:36:38 naturalwireless opendkim[102705]: 33LIabDQ152161: 
mail-pl1-f173.google.com [209.85.214.173] not internal
Apr 21 14:36:38 naturalwireless opendkim[102705]: 33LIabDQ152161: not 
authenticated
Apr 21 14:36:38 naturalwireless sendmail[152161]: 33LIabDQ152161: 
milter=opendkim, action=eoh, continue
Apr 21 14:36:38 naturalwireless sendmail[152161]: 33LIabDQ152161: 
milter=opendkim, action=body, continue
Apr 21 14:36:38 naturalwireless opendkim[102705]: 33LIabDQ152161: DKIM 
verification successful
Apr 21 14:36:38 naturalwireless sendmail[152161]: 33LIabDQ152161: Milter 
(opendkim) insert (1): header: Authentication-Results: 
naturalwireless.com;\n\tdkim=pass (2048-bit key, unprotected) 
header.d=naturalwireless.com header.i=@naturalwireless.com 
header.a=rsa-sha256 header.s=naturalwireless header.b=Fm/E2qVO
Apr 21 14:36:38 naturalwireless sendmail[152161]: 33LIabDQ152161: Milter 
(opendkim) insert (1): header: DKIM-Filter:? OpenDKIM Filter v2.11.0 
naturalwireless.com 33LIabDQ152161
Apr 21 14:36:38 naturalwireless sendmail[152161]: 33LIabDQ152161: Milter 
accept: message
Apr 21 14:36:38 naturalwireless sendmail[152161]: 33LIabDQ152161: --- 
250 2.0.0 33LIabDQ152161 Message accepted for delivery
Apr 21 14:36:38 naturalwireless sendmail[152164]: 33LIabDQ152161: 
forward <ralph at naturalwireless.com> => \\ralph
Apr 21 14:36:38 naturalwireless sendmail[152164]: 33LIabDQ152161: 
forward <ralph at naturalwireless.com> => ralph_iphone at naturalwireless.com
Apr 21 14:36:42 naturalwireless sendmail[152164]: 33LIabDQ152161: 
to=\\ralph, ctladdr=<r at naturalwireless.com> (1002/1002), delay=00:00:05, 
xdelay=00:00:04, mailer=local, pri=63123, dsn=2.0.0, stat=Sent
Apr 21 14:36:46 naturalwireless sendmail[152164]: 33LIabDQ152161: 
to=ralph_iphone at naturalwireless.com, ctladdr=<r at naturalwireless.com> 
(1002/1002), delay=00:00:09, xdelay=00:00:04, mailer=local, pri=63123, 
dsn=2.0.0, stat=Sent
Apr 21 14:36:46 naturalwireless sendmail[152164]: 33LIabDQ152161: done; 
delay=00:00:09, ntries=1


-- 
***************************************
Ralph Hayon
Natural Wireless

60 Saddle River Ave, Unit B
South Hackensack, New Jersey 07606

email: 	ralph at naturalwireless.com
www:	naturalwireless.com

office: 201-438-2865 x 403
fax:	201-438-1803
cell: 	201-315-7397

        Natural Wireless
An Ultra Internet Service Provider
***************************************



From dianne at skoll.ca  Fri Apr 21 16:25:19 2023
From: dianne at skoll.ca (Dianne Skoll)
Date: Fri, 21 Apr 2023 16:25:19 -0400
Subject: [Mimedefang] mimedefang 3.3, filter_sender and md_dkim_verify()
In-Reply-To: <f187fa2c-35ea-850d-4818-0f3c7f5b9013@naturalwireless.com>
References: <f187fa2c-35ea-850d-4818-0f3c7f5b9013@naturalwireless.com>
Message-ID: <20230421162519.0fe65ace@gato.skoll.ca>

On Fri, 21 Apr 2023 15:46:17 -0400
Ralph Hayon via MIMEDefang <mimedefang at lists.mimedefang.org> wrote:

> When I try calling md_dkim_verify() inside of filter_sender() in 
> mimedefang-filter , it fails.

> It also fails when I try callig md_dkim_verify() from 
> filter_recipient(), with the same results.

You can't do DKIM tests until you have a message body.  So the earliest
you can do that is filter_begin()

Regards,

Dianne.


From ralph at naturalwireless.com  Fri Apr 21 16:41:43 2023
From: ralph at naturalwireless.com (Ralph Hayon)
Date: Fri, 21 Apr 2023 16:41:43 -0400
Subject: [Mimedefang] mimedefang 3.3, filter_sender and md_dkim_verify()
In-Reply-To: <20230421162519.0fe65ace@gato.skoll.ca>
References: <f187fa2c-35ea-850d-4818-0f3c7f5b9013@naturalwireless.com>
 <20230421162519.0fe65ace@gato.skoll.ca>
Message-ID: <fad5412b-22a6-16d6-451f-ee49035a96ae@naturalwireless.com>

Hi Dianne,

Ok, I could not find any documentation that states this. This was my 
guess based on my observations.

I am trying to easily get the domain extracted by DKIM to validate the 
sender's email domain.

I want to have a system that confirms that emails to my employees from 
other employees are valid and not faked.

Any suggestions how I can easily extract the arguments provided to 
filter_sender() in a filter function after filter_begin() so that I can 
use DKIM tests to assist with this?

Thank you for the information!

Thanks.

Ralph

On 4/21/2023 4:25 PM, Dianne Skoll via MIMEDefang wrote:
> On Fri, 21 Apr 2023 15:46:17 -0400
> Ralph Hayon via MIMEDefang <mimedefang at lists.mimedefang.org> wrote:
>
>> When I try calling md_dkim_verify() inside of filter_sender() in
>> mimedefang-filter , it fails.
>> It also fails when I try callig md_dkim_verify() from
>> filter_recipient(), with the same results.
> You can't do DKIM tests until you have a message body.  So the earliest
> you can do that is filter_begin()
>
> Regards,
>
> Dianne.
>
> _______________________________________________
> NOTE: If there is a disclaimer or other legal boilerplate in the above
> message, it is NULL AND VOID.  You may ignore it.
>
> MIMEDefang mailing list MIMEDefang at lists.mimedefang.org
> https://lists.mimedefang.org/mailman/listinfo/mimedefang_lists.mimedefang.org


-- 
***************************************
Ralph Hayon
Natural Wireless

60 Saddle River Ave, Unit B
South Hackensack, New Jersey 07606

email: 	ralph at naturalwireless.com
www:	naturalwireless.com

office: 201-438-2865 x 403
fax:	201-438-1803
cell: 	201-315-7397

        Natural Wireless
An Ultra Internet Service Provider
***************************************



From dianne at skoll.ca  Fri Apr 21 16:45:13 2023
From: dianne at skoll.ca (Dianne Skoll)
Date: Fri, 21 Apr 2023 16:45:13 -0400
Subject: [Mimedefang] mimedefang 3.3, filter_sender and md_dkim_verify()
In-Reply-To: <fad5412b-22a6-16d6-451f-ee49035a96ae@naturalwireless.com>
References: <f187fa2c-35ea-850d-4818-0f3c7f5b9013@naturalwireless.com>
 <20230421162519.0fe65ace@gato.skoll.ca>
 <fad5412b-22a6-16d6-451f-ee49035a96ae@naturalwireless.com>
Message-ID: <20230421164513.1e875520@gato.skoll.ca>

On Fri, 21 Apr 2023 16:41:43 -0400
Ralph Hayon <ralph at naturalwireless.com> wrote:

> Any suggestions how I can easily extract the arguments provided to 
> filter_sender() in a filter function after filter_begin() so that I
> can use DKIM tests to assist with this?

They should be in some global variables such as $Sender and
@Recipients.

If you are just beginning your MIMEDefang journey, I recommend
https://mailmunge.org/ instead, which is a fork with (IMO) a superior
Perl API.  In Mailmunge, everything is stored in a context object
$ctx, which is consistent across all callbacks.

Regards,

Dianne.


From ralph at naturalwireless.com  Fri Apr 21 16:55:10 2023
From: ralph at naturalwireless.com (Ralph Hayon)
Date: Fri, 21 Apr 2023 16:55:10 -0400
Subject: [Mimedefang] mimedefang 3.3, filter_sender and md_dkim_verify()
In-Reply-To: <20230421164513.1e875520@gato.skoll.ca>
References: <f187fa2c-35ea-850d-4818-0f3c7f5b9013@naturalwireless.com>
 <20230421162519.0fe65ace@gato.skoll.ca>
 <fad5412b-22a6-16d6-451f-ee49035a96ae@naturalwireless.com>
 <20230421164513.1e875520@gato.skoll.ca>
Message-ID: <347a32b3-015d-9fb8-174f-52d77a2ed080@naturalwireless.com>

To confirm, with mailmunge, md_dkim_verify() should properly work with 
filter_sender() since mailmunge is consistent for all callbacks.

Is this a correct assumption?

Thanks.

Ralph

On 4/21/2023 4:45 PM, Dianne Skoll via MIMEDefang wrote:
> On Fri, 21 Apr 2023 16:41:43 -0400
> Ralph Hayon <ralph at naturalwireless.com> wrote:
>
>> Any suggestions how I can easily extract the arguments provided to
>> filter_sender() in a filter function after filter_begin() so that I
>> can use DKIM tests to assist with this?
> They should be in some global variables such as $Sender and
> @Recipients.
>
> If you are just beginning your MIMEDefang journey, I recommend
> https://mailmunge.org/ instead, which is a fork with (IMO) a superior
> Perl API.  In Mailmunge, everything is stored in a context object
> $ctx, which is consistent across all callbacks.
>
> Regards,
>
> Dianne.
>
> _______________________________________________
> NOTE: If there is a disclaimer or other legal boilerplate in the above
> message, it is NULL AND VOID.  You may ignore it.
>
> MIMEDefang mailing list MIMEDefang at lists.mimedefang.org
> https://lists.mimedefang.org/mailman/listinfo/mimedefang_lists.mimedefang.org


-- 
***************************************
Ralph Hayon
Natural Wireless

60 Saddle River Ave, Unit B
South Hackensack, New Jersey 07606

email: 	ralph at naturalwireless.com
www:	naturalwireless.com

office: 201-438-2865 x 403
fax:	201-438-1803
cell: 	201-315-7397

        Natural Wireless
An Ultra Internet Service Provider
***************************************



From dianne at skoll.ca  Fri Apr 21 16:56:54 2023
From: dianne at skoll.ca (Dianne Skoll)
Date: Fri, 21 Apr 2023 16:56:54 -0400
Subject: [Mimedefang] mimedefang 3.3, filter_sender and md_dkim_verify()
In-Reply-To: <347a32b3-015d-9fb8-174f-52d77a2ed080@naturalwireless.com>
References: <f187fa2c-35ea-850d-4818-0f3c7f5b9013@naturalwireless.com>
 <20230421162519.0fe65ace@gato.skoll.ca>
 <fad5412b-22a6-16d6-451f-ee49035a96ae@naturalwireless.com>
 <20230421164513.1e875520@gato.skoll.ca>
 <347a32b3-015d-9fb8-174f-52d77a2ed080@naturalwireless.com>
Message-ID: <20230421165654.77404486@gato.skoll.ca>

On Fri, 21 Apr 2023 16:55:10 -0400
Ralph Hayon <ralph at naturalwireless.com> wrote:

> To confirm, with mailmunge, md_dkim_verify() should properly work
> with filter_sender() since mailmunge is consistent for all callbacks.

No.  You can't do any DKIM-checking until you have the message body and
that can't happen until filter_begin at the earliest.

However, the way you get the sender is $ctx->sender in filter_sender,
filter_recipient, and filter_begin... the accessor is consistent across
all the callbacks.

Regards,

Dianne.


From ralph at naturalwireless.com  Fri Apr 21 17:47:59 2023
From: ralph at naturalwireless.com (Ralph Hayon)
Date: Fri, 21 Apr 2023 17:47:59 -0400
Subject: [Mimedefang] mimedefang 3.3, filter_sender and md_dkim_verify()
In-Reply-To: <20230421165654.77404486@gato.skoll.ca>
References: <f187fa2c-35ea-850d-4818-0f3c7f5b9013@naturalwireless.com>
 <20230421162519.0fe65ace@gato.skoll.ca>
 <fad5412b-22a6-16d6-451f-ee49035a96ae@naturalwireless.com>
 <20230421164513.1e875520@gato.skoll.ca>
 <347a32b3-015d-9fb8-174f-52d77a2ed080@naturalwireless.com>
 <20230421165654.77404486@gato.skoll.ca>
Message-ID: <1156b4be-7dcc-e655-98f1-d34ed160ee87@naturalwireless.com>

Ok, thanks.

If that is the case, how can I do the same with mimedefang ?

Is there a way to easily extract the select fields I need from INPUTMSG 
(sender, host, etc) after filter_begin()?

Thanks.

Ralph

On 4/21/2023 4:56 PM, Dianne Skoll via MIMEDefang wrote:
> On Fri, 21 Apr 2023 16:55:10 -0400
> Ralph Hayon <ralph at naturalwireless.com> wrote:
>
>> To confirm, with mailmunge, md_dkim_verify() should properly work
>> with filter_sender() since mailmunge is consistent for all callbacks.
> No.  You can't do any DKIM-checking until you have the message body and
> that can't happen until filter_begin at the earliest.
>
> However, the way you get the sender is $ctx->sender in filter_sender,
> filter_recipient, and filter_begin... the accessor is consistent across
> all the callbacks.
>
> Regards,
>
> Dianne.
>
> _______________________________________________
> NOTE: If there is a disclaimer or other legal boilerplate in the above
> message, it is NULL AND VOID.  You may ignore it.
>
> MIMEDefang mailing list MIMEDefang at lists.mimedefang.org
> https://lists.mimedefang.org/mailman/listinfo/mimedefang_lists.mimedefang.org


-- 
***************************************
Ralph Hayon
Natural Wireless

60 Saddle River Ave, Unit B
South Hackensack, New Jersey 07606

email: 	ralph at naturalwireless.com
www:	naturalwireless.com

office: 201-438-2865 x 403
fax:	201-438-1803
cell: 	201-315-7397

        Natural Wireless
An Ultra Internet Service Provider
***************************************



From mdlist-20140424 at billmail.scconsult.com  Fri Apr 21 17:59:33 2023
From: mdlist-20140424 at billmail.scconsult.com (Bill Cole)
Date: Fri, 21 Apr 2023 17:59:33 -0400
Subject: [Mimedefang] mimedefang 3.3, filter_sender and md_dkim_verify()
In-Reply-To: <fad5412b-22a6-16d6-451f-ee49035a96ae@naturalwireless.com>
References: <f187fa2c-35ea-850d-4818-0f3c7f5b9013@naturalwireless.com>
 <20230421162519.0fe65ace@gato.skoll.ca>
 <fad5412b-22a6-16d6-451f-ee49035a96ae@naturalwireless.com>
Message-ID: <C6EA776A-FBCF-476E-8C42-4B813E3C5AB0@billmail.scconsult.com>

On 2023-04-21 at 16:41:43 UTC-0400 (Fri, 21 Apr 2023 16:41:43 -0400)
Ralph Hayon via MIMEDefang <mimedefang at lists.mimedefang.org>
is rumored to have said:

> Hi Dianne,
>
> Ok, I could not find any documentation that states this. This was my 
> guess based on my observations.

The filter_* functions are called at the analogous stages in the SMTP 
transaction, so they only have the information known to the server at 
each stage.

> I am trying to easily get the domain extracted by DKIM to validate the 
> sender's email domain.

Until filter() you do not have ANY message headers or data, so you 
cannot validate DKIM until then. It is also worth noting that if you 
want to use DKIM with DMARC, you need to examine the address in the From 
header, NOT the envelope sender, which is what MD puts in the $Sender 
global. To get the From header address, you need to extract it from the 
$entity object that MD passes to the filter() subroutine.

> I want to have a system that confirms that emails to my employees from 
> other employees are valid and not faked.

If you are calling SpamAssassin 4.0 from MIMEDefang, you can use the 
existing rules and welcomelist/blocklist features in SA to do this, no 
coding needed. You would just add something like this to your local.cf:

    welcomelist_from_auth   *@example.com

    describe _FROM_EXAMPLE  From header has example.com domain
    header   _FROM_EXAMPLE  From ~= /\bexample.com\b/
    meta     FORGED_FROM_EXAMPLE   _FROM_EXAMPLE && !DKIM_VALID_AU
    score    FORGED_FROM_EXAMPLE   6

You could do the work in filter() or filter_end() yourself, if you don't 
want to use SA.

> Any suggestions how I can easily extract the arguments provided to 
> filter_sender() in a filter function after filter_begin() so that I 
> can use DKIM tests to assist with this?

The globals documented in the mimedefang-filter man page are accessible 
from filter() as is the MIME::Entity object $entity which holds the 
message. You could also access the HEADERS file directly to find the 
 From header.


>
> Thank you for the information!
>
> Thanks.
>
> Ralph
>
> On 4/21/2023 4:25 PM, Dianne Skoll via MIMEDefang wrote:
>> On Fri, 21 Apr 2023 15:46:17 -0400
>> Ralph Hayon via MIMEDefang <mimedefang at lists.mimedefang.org> wrote:
>>
>>> When I try calling md_dkim_verify() inside of filter_sender() in
>>> mimedefang-filter , it fails.
>>> It also fails when I try callig md_dkim_verify() from
>>> filter_recipient(), with the same results.
>> You can't do DKIM tests until you have a message body.  So the 
>> earliest
>> you can do that is filter_begin()
>>
>> Regards,
>>
>> Dianne.
>>
>> _______________________________________________
>> NOTE: If there is a disclaimer or other legal boilerplate in the 
>> above
>> message, it is NULL AND VOID.  You may ignore it.
>>
>> MIMEDefang mailing list MIMEDefang at lists.mimedefang.org
>> https://lists.mimedefang.org/mailman/listinfo/mimedefang_lists.mimedefang.org
>
>
> -- 
> ***************************************
> Ralph Hayon
> Natural Wireless
>
> 60 Saddle River Ave, Unit B
> South Hackensack, New Jersey 07606
>
> email: 	ralph at naturalwireless.com
> www:	naturalwireless.com
>
> office: 201-438-2865 x 403
> fax:	201-438-1803
> cell: 	201-315-7397
>
>        Natural Wireless
> An Ultra Internet Service Provider
> ***************************************
>
>
> _______________________________________________
> NOTE: If there is a disclaimer or other legal boilerplate in the above
> message, it is NULL AND VOID.  You may ignore it.
>
> MIMEDefang mailing list MIMEDefang at lists.mimedefang.org
> https://lists.mimedefang.org/mailman/listinfo/mimedefang_lists.mimedefang.org


-- 
Bill Cole
bill at scconsult.com or billcole at apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


From mdlist-20140424 at billmail.scconsult.com  Fri Apr 21 18:13:08 2023
From: mdlist-20140424 at billmail.scconsult.com (Bill Cole)
Date: Fri, 21 Apr 2023 18:13:08 -0400
Subject: [Mimedefang] mimedefang 3.3, filter_sender and md_dkim_verify()
In-Reply-To: <1156b4be-7dcc-e655-98f1-d34ed160ee87@naturalwireless.com>
References: <f187fa2c-35ea-850d-4818-0f3c7f5b9013@naturalwireless.com>
 <20230421162519.0fe65ace@gato.skoll.ca>
 <fad5412b-22a6-16d6-451f-ee49035a96ae@naturalwireless.com>
 <20230421164513.1e875520@gato.skoll.ca>
 <347a32b3-015d-9fb8-174f-52d77a2ed080@naturalwireless.com>
 <20230421165654.77404486@gato.skoll.ca>
 <1156b4be-7dcc-e655-98f1-d34ed160ee87@naturalwireless.com>
Message-ID: <0AD04F3F-A8C6-4619-A817-AAFCA4B9EDF4@billmail.scconsult.com>

On 2023-04-21 at 17:47:59 UTC-0400 (Fri, 21 Apr 2023 17:47:59 -0400)
Ralph Hayon via MIMEDefang <mimedefang at lists.mimedefang.org>
is rumored to have said:

> Ok, thanks.
>
> If that is the case, how can I do the same with mimedefang ?
>
> Is there a way to easily extract the select fields I need from 
> INPUTMSG (sender, host, etc) after filter_begin()?

See the section  "GLOBAL VARIABLES SET BY MIMEDEFANG.PL" in the man page 
for mimedefang-filter.

The filter_begin() function (as well as later functions) is passed a 
MIME::Entity object as an argument. See "perldoc MIME::Entity" and 
"perldoc MIME::Head" for details of how to extract the whole header 
block and specific header values.

If you are more comfortable working directly with text, you also have 
access to the INPUTMSG and HEADERS files in the mimedefang working 
directory.


>
> Thanks.
>
> Ralph
>
> On 4/21/2023 4:56 PM, Dianne Skoll via MIMEDefang wrote:
>> On Fri, 21 Apr 2023 16:55:10 -0400
>> Ralph Hayon <ralph at naturalwireless.com> wrote:
>>
>>> To confirm, with mailmunge, md_dkim_verify() should properly work
>>> with filter_sender() since mailmunge is consistent for all 
>>> callbacks.
>> No.  You can't do any DKIM-checking until you have the message body 
>> and
>> that can't happen until filter_begin at the earliest.
>>
>> However, the way you get the sender is $ctx->sender in filter_sender,
>> filter_recipient, and filter_begin... the accessor is consistent 
>> across
>> all the callbacks.
>>
>> Regards,
>>
>> Dianne.
>>
>> _______________________________________________
>> NOTE: If there is a disclaimer or other legal boilerplate in the 
>> above
>> message, it is NULL AND VOID.  You may ignore it.
>>
>> MIMEDefang mailing list MIMEDefang at lists.mimedefang.org
>> https://lists.mimedefang.org/mailman/listinfo/mimedefang_lists.mimedefang.org
>
>
> -- 
> ***************************************
> Ralph Hayon
> Natural Wireless
>
> 60 Saddle River Ave, Unit B
> South Hackensack, New Jersey 07606
>
> email: 	ralph at naturalwireless.com
> www:	naturalwireless.com
>
> office: 201-438-2865 x 403
> fax:	201-438-1803
> cell: 	201-315-7397
>
>        Natural Wireless
> An Ultra Internet Service Provider
> ***************************************
>
>
> _______________________________________________
> NOTE: If there is a disclaimer or other legal boilerplate in the above
> message, it is NULL AND VOID.  You may ignore it.
>
> MIMEDefang mailing list MIMEDefang at lists.mimedefang.org
> https://lists.mimedefang.org/mailman/listinfo/mimedefang_lists.mimedefang.org


-- 
Bill Cole
bill at scconsult.com or billcole at apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


From ralph at naturalwireless.com  Fri Apr 21 18:26:13 2023
From: ralph at naturalwireless.com (Ralph Hayon)
Date: Fri, 21 Apr 2023 18:26:13 -0400
Subject: [Mimedefang] mimedefang 3.3, filter_sender and md_dkim_verify()
In-Reply-To: <C6EA776A-FBCF-476E-8C42-4B813E3C5AB0@billmail.scconsult.com>
References: <f187fa2c-35ea-850d-4818-0f3c7f5b9013@naturalwireless.com>
 <20230421162519.0fe65ace@gato.skoll.ca>
 <fad5412b-22a6-16d6-451f-ee49035a96ae@naturalwireless.com>
 <C6EA776A-FBCF-476E-8C42-4B813E3C5AB0@billmail.scconsult.com>
Message-ID: <9c3e28b5-3cfb-c093-f836-9526d80aba2e@naturalwireless.com>

OK, now I understand why no INPUTMSG for filter_sender(), it is testing 
early before all of the message has come in. Got it.

For your SpamAssassin example, what I really want is to extract from 
DKIM is the Domain in the signature which will be unique to my company 
(we are using gmail business and setup a company domain).

I am getting messages that have a DKIM, but a spoofed sender at 
@example.com. To prevent too many false positives on just rejecting 
invalid DKIMs, I want to extract the domain from the DKIM to check it 
against specific domains I know only come from me.

I had a situation where an employee got tricked with a fake email that 
they though came from another company employee.

I don't even want these to come in as SPAM. We had that email marked and 
that person just walked past that.

Thanks.,

Ralph


On 4/21/2023 5:59 PM, Bill Cole via MIMEDefang wrote:
> On 2023-04-21 at 16:41:43 UTC-0400 (Fri, 21 Apr 2023 16:41:43 -0400)
> Ralph Hayon via MIMEDefang <mimedefang at lists.mimedefang.org>
> is rumored to have said:
>
>> Hi Dianne,
>>
>> Ok, I could not find any documentation that states this. This was my 
>> guess based on my observations.
>
> The filter_* functions are called at the analogous stages in the SMTP 
> transaction, so they only have the information known to the server at 
> each stage.
>
>> I am trying to easily get the domain extracted by DKIM to validate 
>> the sender's email domain.
>
> Until filter() you do not have ANY message headers or data, so you 
> cannot validate DKIM until then. It is also worth noting that if you 
> want to use DKIM with DMARC, you need to examine the address in the 
> From header, NOT the envelope sender, which is what MD puts in the 
> $Sender global. To get the From header address, you need to extract it 
> from the $entity object that MD passes to the filter() subroutine.
>
>> I want to have a system that confirms that emails to my employees 
>> from other employees are valid and not faked.
>
> If you are calling SpamAssassin 4.0 from MIMEDefang, you can use the 
> existing rules and welcomelist/blocklist features in SA to do this, no 
> coding needed. You would just add something like this to your local.cf:
>
> ?? welcomelist_from_auth?? *@example.com
>
> ?? describe _FROM_EXAMPLE? From header has example.com domain
> ?? header?? _FROM_EXAMPLE? From ~= /\bexample.com\b/
> ?? meta???? FORGED_FROM_EXAMPLE?? _FROM_EXAMPLE && !DKIM_VALID_AU
> ?? score??? FORGED_FROM_EXAMPLE?? 6
>
> You could do the work in filter() or filter_end() yourself, if you 
> don't want to use SA.
>
>> Any suggestions how I can easily extract the arguments provided to 
>> filter_sender() in a filter function after filter_begin() so that I 
>> can use DKIM tests to assist with this?
>
> The globals documented in the mimedefang-filter man page are 
> accessible from filter() as is the MIME::Entity object $entity which 
> holds the message. You could also access the HEADERS file directly to 
> find the From header.
>
>
>>
>> Thank you for the information!
>>
>> Thanks.
>>
>> Ralph
>>
>> On 4/21/2023 4:25 PM, Dianne Skoll via MIMEDefang wrote:
>>> On Fri, 21 Apr 2023 15:46:17 -0400
>>> Ralph Hayon via MIMEDefang <mimedefang at lists.mimedefang.org> wrote:
>>>
>>>> When I try calling md_dkim_verify() inside of filter_sender() in
>>>> mimedefang-filter , it fails.
>>>> It also fails when I try callig md_dkim_verify() from
>>>> filter_recipient(), with the same results.
>>> You can't do DKIM tests until you have a message body.? So the earliest
>>> you can do that is filter_begin()
>>>
>>> Regards,
>>>
>>> Dianne.
>>>
>>> _______________________________________________
>>> NOTE: If there is a disclaimer or other legal boilerplate in the above
>>> message, it is NULL AND VOID.? You may ignore it.
>>>
>>> MIMEDefang mailing list MIMEDefang at lists.mimedefang.org
>>> https://lists.mimedefang.org/mailman/listinfo/mimedefang_lists.mimedefang.org 
>>>
>>
>>
>> -- 
>> ***************************************
>> Ralph Hayon
>> Natural Wireless
>>
>> 60 Saddle River Ave, Unit B
>> South Hackensack, New Jersey 07606
>>
>> email:???? ralph at naturalwireless.com
>> www:??? naturalwireless.com
>>
>> office: 201-438-2865 x 403
>> fax:??? 201-438-1803
>> cell:???? 201-315-7397
>>
>> ?????? Natural Wireless
>> An Ultra Internet Service Provider
>> ***************************************
>>
>>
>> _______________________________________________
>> NOTE: If there is a disclaimer or other legal boilerplate in the above
>> message, it is NULL AND VOID.? You may ignore it.
>>
>> MIMEDefang mailing list MIMEDefang at lists.mimedefang.org
>> https://lists.mimedefang.org/mailman/listinfo/mimedefang_lists.mimedefang.org 
>>
>
>

-- 
***************************************
Ralph Hayon
Natural Wireless

60 Saddle River Ave, Unit B
South Hackensack, New Jersey 07606

email: 	ralph at naturalwireless.com
www:	naturalwireless.com

office: 201-438-2865 x 403
fax:	201-438-1803
cell: 	201-315-7397

        Natural Wireless
An Ultra Internet Service Provider
***************************************



From ralph at naturalwireless.com  Fri Apr 21 18:47:57 2023
From: ralph at naturalwireless.com (Ralph Hayon)
Date: Fri, 21 Apr 2023 18:47:57 -0400
Subject: [Mimedefang] mimedefang 3.3, filter_sender and md_dkim_verify()
In-Reply-To: <0AD04F3F-A8C6-4619-A817-AAFCA4B9EDF4@billmail.scconsult.com>
References: <f187fa2c-35ea-850d-4818-0f3c7f5b9013@naturalwireless.com>
 <20230421162519.0fe65ace@gato.skoll.ca>
 <fad5412b-22a6-16d6-451f-ee49035a96ae@naturalwireless.com>
 <20230421164513.1e875520@gato.skoll.ca>
 <347a32b3-015d-9fb8-174f-52d77a2ed080@naturalwireless.com>
 <20230421165654.77404486@gato.skoll.ca>
 <1156b4be-7dcc-e655-98f1-d34ed160ee87@naturalwireless.com>
 <0AD04F3F-A8C6-4619-A817-AAFCA4B9EDF4@billmail.scconsult.com>
Message-ID: <c625cabc-a892-3e93-246d-21526c2e8bc6@naturalwireless.com>

Hi Bill,

Very good suggestions. I will play with this.

Thanks.

Ralph

On 4/21/2023 6:13 PM, Bill Cole via MIMEDefang wrote:
> On 2023-04-21 at 17:47:59 UTC-0400 (Fri, 21 Apr 2023 17:47:59 -0400)
> Ralph Hayon via MIMEDefang <mimedefang at lists.mimedefang.org>
> is rumored to have said:
>
>> Ok, thanks.
>>
>> If that is the case, how can I do the same with mimedefang ?
>>
>> Is there a way to easily extract the select fields I need from 
>> INPUTMSG (sender, host, etc) after filter_begin()?
>
> See the section? "GLOBAL VARIABLES SET BY MIMEDEFANG.PL" in the man 
> page for mimedefang-filter.
>
> The filter_begin() function (as well as later functions) is passed a 
> MIME::Entity object as an argument. See "perldoc MIME::Entity" and 
> "perldoc MIME::Head" for details of how to extract the whole header 
> block and specific header values.
>
> If you are more comfortable working directly with text, you also have 
> access to the INPUTMSG and HEADERS files in the mimedefang working 
> directory.
>
>
>>
>> Thanks.
>>
>> Ralph
>>
>> On 4/21/2023 4:56 PM, Dianne Skoll via MIMEDefang wrote:
>>> On Fri, 21 Apr 2023 16:55:10 -0400
>>> Ralph Hayon <ralph at naturalwireless.com> wrote:
>>>
>>>> To confirm, with mailmunge, md_dkim_verify() should properly work
>>>> with filter_sender() since mailmunge is consistent for all callbacks.
>>> No.? You can't do any DKIM-checking until you have the message body and
>>> that can't happen until filter_begin at the earliest.
>>>
>>> However, the way you get the sender is $ctx->sender in filter_sender,
>>> filter_recipient, and filter_begin... the accessor is consistent across
>>> all the callbacks.
>>>
>>> Regards,
>>>
>>> Dianne.
>>>
>>> _______________________________________________
>>> NOTE: If there is a disclaimer or other legal boilerplate in the above
>>> message, it is NULL AND VOID.? You may ignore it.
>>>
>>> MIMEDefang mailing list MIMEDefang at lists.mimedefang.org
>>> https://lists.mimedefang.org/mailman/listinfo/mimedefang_lists.mimedefang.org 
>>>
>>
>>
>> -- 
>> ***************************************
>> Ralph Hayon
>> Natural Wireless
>>
>> 60 Saddle River Ave, Unit B
>> South Hackensack, New Jersey 07606
>>
>> email:???? ralph at naturalwireless.com
>> www:??? naturalwireless.com
>>
>> office: 201-438-2865 x 403
>> fax:??? 201-438-1803
>> cell:???? 201-315-7397
>>
>> ?????? Natural Wireless
>> An Ultra Internet Service Provider
>> ***************************************
>>
>>
>> _______________________________________________
>> NOTE: If there is a disclaimer or other legal boilerplate in the above
>> message, it is NULL AND VOID.? You may ignore it.
>>
>> MIMEDefang mailing list MIMEDefang at lists.mimedefang.org
>> https://lists.mimedefang.org/mailman/listinfo/mimedefang_lists.mimedefang.org 
>>
>
>

-- 
***************************************
Ralph Hayon
Natural Wireless

60 Saddle River Ave, Unit B
South Hackensack, New Jersey 07606

email: 	ralph at naturalwireless.com
www:	naturalwireless.com

office: 201-438-2865 x 403
fax:	201-438-1803
cell: 	201-315-7397

        Natural Wireless
An Ultra Internet Service Provider
***************************************



From ralph at naturalwireless.com  Sat Apr 22 15:14:50 2023
From: ralph at naturalwireless.com (Ralph Hayon)
Date: Sat, 22 Apr 2023 15:14:50 -0400
Subject: [Mimedefang] mimedefang 3.3, filter_sender and md_dkim_verify()
In-Reply-To: <0AD04F3F-A8C6-4619-A817-AAFCA4B9EDF4@billmail.scconsult.com>
References: <f187fa2c-35ea-850d-4818-0f3c7f5b9013@naturalwireless.com>
 <20230421162519.0fe65ace@gato.skoll.ca>
 <fad5412b-22a6-16d6-451f-ee49035a96ae@naturalwireless.com>
 <20230421164513.1e875520@gato.skoll.ca>
 <347a32b3-015d-9fb8-174f-52d77a2ed080@naturalwireless.com>
 <20230421165654.77404486@gato.skoll.ca>
 <1156b4be-7dcc-e655-98f1-d34ed160ee87@naturalwireless.com>
 <0AD04F3F-A8C6-4619-A817-AAFCA4B9EDF4@billmail.scconsult.com>
Message-ID: <ff64af2d-7a21-f15a-6103-875699b3fe8e@naturalwireless.com>

Got it. What I needed was set as Global variables - $Sender and 
$RelayHostname

This gave me what I needed for my test.

Thank you for the assistance!

Ralph

On 4/21/2023 6:13 PM, Bill Cole via MIMEDefang wrote:
> On 2023-04-21 at 17:47:59 UTC-0400 (Fri, 21 Apr 2023 17:47:59 -0400)
> Ralph Hayon via MIMEDefang <mimedefang at lists.mimedefang.org>
> is rumored to have said:
>
>> Ok, thanks.
>>
>> If that is the case, how can I do the same with mimedefang ?
>>
>> Is there a way to easily extract the select fields I need from 
>> INPUTMSG (sender, host, etc) after filter_begin()?
>
> See the section? "GLOBAL VARIABLES SET BY MIMEDEFANG.PL" in the man 
> page for mimedefang-filter.
>
> The filter_begin() function (as well as later functions) is passed a 
> MIME::Entity object as an argument. See "perldoc MIME::Entity" and 
> "perldoc MIME::Head" for details of how to extract the whole header 
> block and specific header values.
>
> If you are more comfortable working directly with text, you also have 
> access to the INPUTMSG and HEADERS files in the mimedefang working 
> directory.
>
>
>>
>> Thanks.
>>
>> Ralph
>>
>> On 4/21/2023 4:56 PM, Dianne Skoll via MIMEDefang wrote:
>>> On Fri, 21 Apr 2023 16:55:10 -0400
>>> Ralph Hayon <ralph at naturalwireless.com> wrote:
>>>
>>>> To confirm, with mailmunge, md_dkim_verify() should properly work
>>>> with filter_sender() since mailmunge is consistent for all callbacks.
>>> No.? You can't do any DKIM-checking until you have the message body and
>>> that can't happen until filter_begin at the earliest.
>>>
>>> However, the way you get the sender is $ctx->sender in filter_sender,
>>> filter_recipient, and filter_begin... the accessor is consistent across
>>> all the callbacks.
>>>
>>> Regards,
>>>
>>> Dianne.
>>>
>>> _______________________________________________
>>> NOTE: If there is a disclaimer or other legal boilerplate in the above
>>> message, it is NULL AND VOID.? You may ignore it.
>>>
>>> MIMEDefang mailing list MIMEDefang at lists.mimedefang.org
>>> https://lists.mimedefang.org/mailman/listinfo/mimedefang_lists.mimedefang.org 
>>>
>>
>>
>> -- 
>> ***************************************
>> Ralph Hayon
>> Natural Wireless
>>
>> 60 Saddle River Ave, Unit B
>> South Hackensack, New Jersey 07606
>>
>> email:???? ralph at naturalwireless.com
>> www:??? naturalwireless.com
>>
>> office: 201-438-2865 x 403
>> fax:??? 201-438-1803
>> cell:???? 201-315-7397
>>
>> ?????? Natural Wireless
>> An Ultra Internet Service Provider
>> ***************************************
>>
>>
>> _______________________________________________
>> NOTE: If there is a disclaimer or other legal boilerplate in the above
>> message, it is NULL AND VOID.? You may ignore it.
>>
>> MIMEDefang mailing list MIMEDefang at lists.mimedefang.org
>> https://lists.mimedefang.org/mailman/listinfo/mimedefang_lists.mimedefang.org 
>>
>
>

-- 
***************************************
Ralph Hayon
Natural Wireless

60 Saddle River Ave, Unit B
South Hackensack, New Jersey 07606

email: 	ralph at naturalwireless.com
www:	naturalwireless.com

office: 201-438-2865 x 403
fax:	201-438-1803
cell: 	201-315-7397

        Natural Wireless
An Ultra Internet Service Provider
***************************************



From rlaager at wiktel.com  Sat Apr 22 17:51:13 2023
From: rlaager at wiktel.com (Richard Laager)
Date: Sat, 22 Apr 2023 16:51:13 -0500
Subject: [Mimedefang] mimedefang 3.3, filter_sender and md_dkim_verify()
In-Reply-To: <ff64af2d-7a21-f15a-6103-875699b3fe8e@naturalwireless.com>
References: <f187fa2c-35ea-850d-4818-0f3c7f5b9013@naturalwireless.com>
 <20230421162519.0fe65ace@gato.skoll.ca>
 <fad5412b-22a6-16d6-451f-ee49035a96ae@naturalwireless.com>
 <20230421164513.1e875520@gato.skoll.ca>
 <347a32b3-015d-9fb8-174f-52d77a2ed080@naturalwireless.com>
 <20230421165654.77404486@gato.skoll.ca>
 <1156b4be-7dcc-e655-98f1-d34ed160ee87@naturalwireless.com>
 <0AD04F3F-A8C6-4619-A817-AAFCA4B9EDF4@billmail.scconsult.com>
 <ff64af2d-7a21-f15a-6103-875699b3fe8e@naturalwireless.com>
Message-ID: <a99eef50-1c2f-6da2-58f9-76dd87fce48c@wiktel.com>

On 4/22/23 14:14, Ralph Hayon via MIMEDefang wrote:
> Got it. What I needed was set as Global variables - $Sender and 
> $RelayHostname 

As was already mentioned: $Sender is the envelope sender (from SMTP 
time), not the From: header address. DKIM uses the From: header

So keep that in mind.

For anti-spoofing purposes, you may want to check if either is in your 
domain. But keep in mind if any of your legitimate mail flows 
(especially automated messages) use mismatched addresses for any reason.

Also, keep in mind outbound mail, if it flows through the same filter. 
It won't be DKIM signed. You'll want to check that they authenticated 
(and if you're being strict, that they authenticated as that address).

-- 
Richard
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.mimedefang.org/pipermail/mimedefang_lists.mimedefang.org/attachments/20230422/a9520426/attachment.html>

From giovanni at paclan.it  Tue Apr 25 18:29:45 2023
From: giovanni at paclan.it (Giovanni Bechis)
Date: Wed, 26 Apr 2023 00:29:45 +0200
Subject: [Mimedefang] MIMEDefang 3.4 released
Message-ID: <ZEhUWU8NErqaEbP5@bigio.paclan.it>

Hi everyone,
a new release is available at https://mimedefang.org/download
* UTF-8 and Authentication-Results headers support has been improved.
* A email_is_blacklisted sub has been added to be able to check an email
address against an hashbl rbl.
* A new mimedefang-release(8) tool has been developed in order to easily
release emails from quarantine.

Thanks to all people involved.
  Best Regards
    Giovanni
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.mimedefang.org/pipermail/mimedefang_lists.mimedefang.org/attachments/20230426/a5077b24/attachment.sig>