Adi Narayana | 18 May 2013 05:20

problem in messaging server 7 patch 28

Hello,

I applied messaging server 7 patch 28 on one of my production servers. Oracle Communications Messaging Server 7u5-28.21(7.0.5.28.0) 64bit (built Apr 8 2013).

After applying the patch I am not able to send mails to the lists mentioned in alias file.

If I revert the patch to older version i.e. patch 27, I can send mail to the list mentioned in alias file.

I have many mailing lists mentioned in the alias file. Is there any workaround to this problem?

Regards,

Adi Narayana

Derek Diget | 16 May 2013 18:46

spamfilterX_string_action sieve filter memberof LDAP lookup


I thought that I have seen this before, but I can't find it now. :)

I would like to have a spamfilterX_string_action filter that can 
determine if a user is a member of a certain class/group.

For example ClamAV is integrated via libclamav as a 
sourcespamfilterXoptin on the enqueuing channel, we want all mail to be 
scanned, but certain accounts/addresses to accept messages that contain 
malware like our "report-a-suspect" message address.  So we basically 
have two "virus" classes of service.  First, let us call it 
"RECIPIENT_IS_VIRUS_OPT_IN" is the normal (99.999% of users) where a 
message is scanned and rejected (refused) if it tests positive.  Clean 
messages get a header added with $U and passed on.  The second class, 
let's call it "RECIPIENT_IS_VIRUS_OPT_OUT" is where a message is scanned, 
accepted, header added with $U and passed on.  (Note that opt-in or 
opt-out deals more with the action after a message is scanned, not that 
the user is opt'd-out or -in _for_ scanning.  All messages are to be 
scanned, so a per-user LDAP_OPTINX attribute and LDAP_SPARE_X within 
ORIG_MAIL_ACCESS doesn't really do what we want....well unless someone 
says otherwise. :)

So I have something like the following:

require ["envelope","editheader","refuse"];
if envelope :memberof "to" RECIPIENT_IS_VIRUS_OPT_IN {
   addheader "WMU-Virus-Test" "$U";
   if header :contains "WMU-Virus-Test" "True" {
     refuse "Message rejected because it contained malware";
   }
}
elsif envelope :memberof "to" RECIPIENT_IS_VIRUS_OPT_OUT {
   addheader "WMU-Virus-Test" "$U";
}

What ways can I determine if a recipient is a member of one of the 
classes?  Do I have to use extlist or is something else available to 
check if the recipient is a member of RECIPIENT_IS_VIRUS_OPT_IN or 
RECIPIENT_IS_VIRUS_OPT_OUT?  From an LDAP attribute side it would be 
nice to be able to use an attribute on an entry to show if the recipient 
is a member of which class.

I understand I have more work to do, like dealing with multi-recipient 
messages, but right now I am trying to figure out if I can make an if 
clause evaluate some LDAP attribute value or some other data point 
regarding the recipient.  I know I could probably hard code the couple 
of "opt-out" addresses, but don't want to push the 
spamfilter2_string_action length limit.  Also we might extend this to 
our anti-spam side with letting users set their "reject" threshold.  In 
that case we could have 4-10 different classes.

Thanks.

-- 
***********************************************************************
Derek Diget                            Office of Information Technology
Western Michigan University - Kalamazoo  Michigan  USA - www.wmich.edu/
***********************************************************************

Steve Arnold | 2 May 2013 07:40

Hosting the "Info-iMS" mailing list

Old friends:

Info-iMS@... was set up in March, 2002, to provide a stable place 
to discuss the succession of products descended from the iPlanet 
Messaging Server.  There are currently over 350 subscribers and 100 
Mbytes of archives from the last eleven years.

However, I am further narrowing my Internet footprint in retirement, and
specifically, will no longer operate Arnold.com, so I'd like to find a
new place for the list.  It's quite basic, really.  Anyone with a list 
manager could do it.  However, it would still need a coordinator to
assist folks in managing subscriptions and culling bad addresses.  The 
new list owner can either populate the list from the current 
subscriptions (recommended) or require new subscriptions.  I've managed 
to keep the list clean over the years by deleting bad addresses.

There is also the question of the archives.  These are in 115 plain text 
files in message digest format, one file for each month.  This is not as 
unreasonable as it seems, as the list has always permitted only plain 
text body parts.  If folks find these to be useful, they could be stored 
for anonymous FTP.

Arnold.com will be transferred no later than June 19.  In the meantime,
you may see forward and return addresses in my other domain, Arnold.US. 
When the domain is transferred the list will no longer be accessible, 
but I'll retain the subscriptions and archives for a few months in case 
there is late interest.  Contact me directly to arrange the transfer if 
you're interested.  Thank you!

Regards,
Steve Arnold, Fitchburg Alder, District 4, Seat 7
2530 Targhee Street, Fitchburg, Wisconsin  53711-5491
Telephone +1 608 278 7700 · Facsimile +1 608 278 7701
Steve.Arnold@... · http://www.Arnold.US

Sylvain.Cousineau | 1 May 2013 16:04

AUTO: Unavailable


I will be away from 11/13/2012 to 01/31/2014.

I am no longer an employee of Vidéotron.

Please contact Ross Beaudoin.


Note: this is an automatic reply to your message "Re:
[Info-iMS] MTA fix MIME structure?" sent on 05/01/2013 9:15:47.

This is the only notification you will receive while this person is
away.


Jesse Thompson | 9 Apr 2013 21:12

MTA fix MIME structure?

We've got an odd situation where our MTA (allegedly) is modifying the 
MIME structure of some incorrectly structured messages.  Or maybe it's 
the milter doing it?  Or maybe

Any comments regarding the appropriateness of the MTA/milter fixing 
incorrectly structured MIME messages in transit?

spamfilter1_library=...libmilter.so
spamfilter1_config_file=...milter.opt
spamfilter1_string_action=data:,$M
spamfilter1_optional=0
spamfilter1_final=2

MTA version is 7u4-26.01

milter is PureMessage 5.  As far as I can tell from the logs, 
PureMessage did not intentionally modify the message (strip a virus 
part, or whatever).

Here is the message as received (modified form) by the recipient:

<snip headers>
MIME-version: 1.0
Content-type: multipart/alternative;
  boundary="Boundary_(ID_UgfE+cHbb0j1JWMh6bZdTg)"; charset=utf-8
<snip headers>

--=======G88546249933746096=
Content-Type: text/plain; charset"us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

Your email client doesn't support HTML emails. Either change the
configuration of your email client to display HTML messages, or
change the email format to plain text in FormSmarts settings.
--=======G88546249933746096=
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/html; charset"utf-8"

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
<snip lots of html>

--=======G88546249933746096=--

--Boundary_(ID_UgfE+cHbb0j1JWMh6bZdTg)--

Here is what the sending party (FormSmarts) said:

"
The inconsistency in message part boundaries mentioned by the wisc.edu 
administrator is indeed the main reason why the message appears blank 
(besides this, the HTML body was altered and rendered invalid). This is 
the outcome of the mail transfer agent (MTA), Oracle Communications 
Messaging Server on wmstore3pvt.pri.doit.wisc.edu changing the boundary 
in the Content-Type header.

The original boundary "=======G88546249933746096=" was changed to 
"Boundary_(ID_UgfE+cHbb0j1JWMh6bZdTg".

The MTA broke the original message boundary and HTML body by attempting 
to decode non-encoded data. It subsequently replaced the original 
boundary in the header, failing to do so within the message body.

As per MIME 1.0 standards, the main body of multipart messages cannot be 
encoded (unlike individual parts) to prevent issues that would arise 
with multiple levels of encodings. So the MTA shouldn't attempt to 
decode messages. FormSmarts doesn't encode data at the message level, 
however due to a bug in the email library we use to generate messages, 
our software will add an encoding header, suggesting it does encode data 
at the message level.

The bug in the messaging library was first reported in 2008 and the fix 
still hasn't yet made it to the production version of the library 
because it is basically harmless (besides being a violation of the 
standards).

A well-known and honored principle in Internet software is to "be liberal 
in what you accept, and conservative in what you send" (Postel's Law).

Accordingly, most MTAs will simply ignore the bogus encoding 
declaration. Oracle Communications Messaging Server fails by breaking 
the message, not even bothering backtracking once it has become clear 
that the message wasn't encoded in the first place since decoding leads 
to an empty-looking message.
"
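
A check an operator could run on a delivered message to confirm the mismatch reported in this post, as an added example that is not part of the original thread. The sample is constructed from the excerpt above, with the snipped headers and HTML replaced by placeholders; the function name and the From address are hypothetical.

```python
from collections import Counter
from email.parser import HeaderParser

# Constructed sample: the excerpt from the post, with the snipped headers
# and HTML replaced by short placeholders.
SAMPLE = (
    "From: forms@example.invalid\n"
    "MIME-version: 1.0\n"
    "Content-type: multipart/alternative;\n"
    '  boundary="Boundary_(ID_UgfE+cHbb0j1JWMh6bZdTg)"; charset=utf-8\n'
    "\n"
    "--=======G88546249933746096=\n"
    "Content-Type: text/plain\n"
    "\n"
    "Your email client doesn't support HTML emails.\n"
    "--=======G88546249933746096=\n"
    "Content-Type: text/html\n"
    "\n"
    "<p>placeholder body</p>\n"
    "\n"
    "--=======G88546249933746096=--\n"
    "\n"
    "--Boundary_(ID_UgfE+cHbb0j1JWMh6bZdTg)--\n"
)


def audit_boundaries(raw):
    """Compare the boundary declared in Content-Type with the delimiter
    lines that actually occur in the body of a raw message."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    declared = HeaderParser().parsestr(head + "\n").get_boundary()
    if declared is None:  # not multipart, nothing to compare
        return {"declared": None, "opens": 0, "closes": 0,
                "foreign": [], "consistent": True}
    # Every "--token" line is a delimiter candidate; "-- " signature
    # separators have an empty token and are skipped.
    tokens = [line.rstrip()[2:] for line in body.split("\n")
              if line.startswith("--") and line[2:].strip()]
    opens = tokens.count(declared)
    closes = tokens.count(declared + "--")
    others = Counter(t for t in tokens
                     if t not in (declared, declared + "--"))
    # A token seen both as "--t" and "--t--" is a boundary that a
    # different Content-Type header must once have declared.
    foreign = sorted(t for t in others if t + "--" in others)
    return {"declared": declared, "opens": opens, "closes": closes,
            "foreign": foreign,
            "consistent": opens > 0 and closes > 0 and not foreign}


if __name__ == "__main__":
    print(audit_boundaries(SAMPLE))
```

A result with `opens` of 0 and a non-empty `foreign` list means the header was rewritten after the body was generated, which is the condition that makes the message render blank.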

Peter Kaldis | 18 Mar 2013 17:45

Netapp data stores

Hi everyone, just trying to do some due diligence. Our environment consists of messaging servers running a
mix of 7u4-20.01, and 6.3-16.01, and NetApp filers for actual mailbox data storage. The current filers
have OS v 7.X, but we are looking to upgrade to some faster heads. The new NetApp filer heads come with NetApp
OS v 8.X. Oracle support says that they don't qualify filers with the messaging server, so they cannot tell
me if there are any issues with this newer NetApp OS release. If any of you folks might already be using this
combo in your own environment, I'd appreciate hearing about your experiences. 

Thanks!

	-Peter Kaldis

Jesse Thompson | 5 Mar 2013 18:09

reprocess channel - how to not inherit transactionlimit?

It appears that the reprocess channel inherits the transactionlimit 
setting from the original inbound channel.

So, when it has a large queue it's processing, it can't actually finish 
processing all of the messages.

Setting transactionlimit on the channel definition does not seem to 
override this behavior.  Am I missing something?

Oracle Communications Messaging Server 7u4-27.01(7.0.4.27.0) 64bit 
(built Aug 30 2012)

Jesse

Capitan Holy Hippie | 25 Feb 2013 23:43

Sieve vacation message size limit

I have a user who wants to send a very large vacation reply message.  'Very Large' as in, about 10k bytes.

It appears that the message gets truncated at 8k bytes.  Exactly 8192 bytes.

Is there a way to change the message size limit?

Alan

------------------------------------------------------------
Capitan Holy Hippie
Commander, Commune Ship LaPaz NCC170126-L

Derek Diget | 15 Feb 2013 08:11

STARTTLS encryption ciphers and logging


7u4 Solaris 10 SPARC with SUNWtls patch 125358-15

Sorry for the long post...I had tried some stuff before starting this 
message and then kept trying things as I wrote this post. :(  It 
probably should be a blog post if I had one....

I am looking at the Certificate Based Authentication for Messaging 
Server web page at

<https://wikis.oracle.com/display/CommSuite/Certificate+Based+Authentication+for+Messaging+Server> 
since it seems to be the place where a good deal of the NSS (SSL/TLS)
stuff is documented.

In looking at the Messaging Transfer Agent (MTA) SSL-related Channel 
Keywords section I am wondering if there is a way to log the SSL/TLS 
negotiation (especially the cipher suites offered with the SSL/TLS 
CLIENT_HELLO) for either an in-bound message to a slave debug or an 
out-bound message to a master debug file?  Or, anywhere for that matter. 
Reason that I am asking is we have a site (hosting company so the 
destination domains we are sending to are unknown ahead of time) that 
our out-bound connection to them hangs after we give them STARTTLS.  (I 
know about, what I think is called, the transport information in 
mail.log and/or connection log.)

I have gotten an interesting answer back from the hosting company's 
tier-1 support (via one of their clients/customers who host their domain 
- web/mail with them) and the support reply said they upgraded their 
minimum cipher suites on their email gateways for PCI reasons.  (Does 
anyone else see the humor in their response?  I about fell out of my 
chair when I read the forwarded email.)

These messages are going out tcp_local and it has maytls on it.  (Just 
noticed that the imta.cnf Channel Keywords table on this wiki page is 
missing maytls and musttls entries.)

I have started to test with openssl's s_client command to see what I can 
glean about what cipher suites they now support.  If you have any 
suggestions there please let me know. ---- scratch that, I just saw and 
played with <msgsvr_base>/lib/sslconnect.  When connecting to other 
sites, "sslconnect -v -r mail.example.org 25" shows me the enabled 
SSL/TLS cipher suites and STARTTLS just fine, but to this site I get

S: 220-host289.example.com ESMTP Exim 4.80 #2 Thu, 14 Feb 2013 17:29:33 -0700
Unknown protocol

When I telnet to port 25 and give the EHLO, they are replying with a 
multi-line 220 response.  Just did the same to an AOL MX (with multi-line 
220 response) and sslconnect gave the same error.  Did I find an issue 
with sslconnect and multi-line 220 responses?  Guess I am back to 
openssl s_client.  I found and modified a bash script that runs openssl 
s_client through a loop using a different cipher against the remote MTA 
and found that the remote site seems to only support RC4-SHA (which I 
think maps to SSL_RSA_WITH_RC4_128_SHA in NSS cipher suite terms).

In the wiki page under the SSL/TLS Best Practices section it lists 
ssladjustciphersuites, but I see via configutil -H that at least for the 
MTA it is local.ssladjustciphersuites.  (Note setting it and rebuilding 
the config didn't do anything for sslconnect - somewhat as expected 
since it has an -a argument.  Just mentioning for documentation 
purposes. :)  Does anyone know of a place that shows the different 
cipher "family" names for the NSS libraries?  Does it even support them? 
(See the openssl ciphers(1SSL) man page.)  I have found "-RC4", 
"WEAK+DES", "ALL" but "HIGH" and "MEDIUM" which are used by openssl 
don't seem to be recognized by sslconnect.  What about the equivalent of 
@STRENGTH or @SPEED to sort the ciphers?

Just found NSS's ssltap (in /usr/sfw/bin/ssltap on Solaris 10) and with 
that you can easily see what the client is offering for its 
cipher-suites.  When running sslconnect (default ciphers) against our 
SUBMISSION server sslconnect seems to be only offering the following:

cipher_suites[4] = {
     (0x00ff) TLS_EMPTY_RENEGOTIATION_INFO_SCSV
     (0x0004) SSL3/RSA/RC4-128/MD5
     (0xfeff) SSL3/RSA-FIPS/3DESEDE-CBC/SHA
     (0x000a) SSL3/RSA/3DES192EDE-CBC/SHA
}

I can then do a sslconnect -a ALL and I get a whole bunch more :) with 
the ONE cipher the remote site supports now listed.

Tomorrow I will start to play with ssltap and different settings for 
local.ssladjustciphersuites.  Anyone have suggestions on what would be 
a good "value" for local.ssladjustciphersuites?  Does 
local.ssladjustciphersuites apply to both tcp_smtp_server and 
smtp_client?  Would you want the cipher suites to be different?  What 
about being different between SUBMISSION with musttls and relaying with 
maytls?

Thanks for reading this far! :)

-- 
***********************************************************************
Derek Diget                            Office of Information Technology
Western Michigan University - Kalamazoo  Michigan  USA - www.wmich.edu/
***********************************************************************
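
The comparison this post works toward, as an added example that is not part of the original thread: parse the ssltap ClientHello dump quoted above and intersect it with what the remote gateway accepts. It assumes the peer accepts only RC4-SHA (code point 0x0005), as the post's s_client loop found, and that the MTA's outbound client offers the same default set as sslconnect; the function names are hypothetical.

```python
import re

# Code points for the suites named in this thread (IANA registry, plus
# NSS's private 0xfeff value).
SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",  # OpenSSL name: RC4-SHA
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
    0xFEFF: "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA",
}
SIGNALLING = {0x00FF}  # SCSV is a flag to the server, never negotiated

# The ClientHello dump quoted in the post (sslconnect, default ciphers).
DEFAULT_OFFER = """\
cipher_suites[4] = {
     (0x00ff) TLS_EMPTY_RENEGOTIATION_INFO_SCSV
     (0x0004) SSL3/RSA/RC4-128/MD5
     (0xfeff) SSL3/RSA-FIPS/3DESEDE-CBC/SHA
     (0x000a) SSL3/RSA/3DES192EDE-CBC/SHA
}
"""

_BLOCK = re.compile(r"cipher_suites\[(\d+)\]\s*=\s*\{(.*?)\}", re.S)
_ENTRY = re.compile(r"\(0x([0-9a-fA-F]{4})\)\s+(\S+)")


def offered_suites(ssltap_text):
    """Return the code points listed in the first cipher_suites block."""
    m = _BLOCK.search(ssltap_text)
    if m is None:
        raise ValueError("no cipher_suites block found")
    codes = [int(code, 16) for code, _label in _ENTRY.findall(m.group(2))]
    if len(codes) != int(m.group(1)):  # declared count vs. parsed entries
        raise ValueError("cipher_suites block is truncated")
    return codes


def common_suites(ssltap_text, peer_accepts):
    """Suites the client offers that the peer also accepts, in client order."""
    accepted = set(peer_accepts)
    return [c for c in offered_suites(ssltap_text)
            if c not in SIGNALLING and c in accepted]


def describe(codes):
    return [SUITES.get(c, "unknown(0x%04x)" % c) for c in codes]


if __name__ == "__main__":
    print(describe(offered_suites(DEFAULT_OFFER)))
    print(common_suites(DEFAULT_OFFER, [0x0005]))
```

An empty result from `common_suites` means the handshake has nothing to agree on, so the client's offer has to be widened (the post does this with `sslconnect -a ALL`) before STARTTLS to that peer can succeed.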

Rolf E. Sonneveld | 14 Jan 2013 22:34

Two copies of one message, adding headerline

Hi, all,

running:

Oracle Communications Messaging Server 7u4-24.01(7.0.4.24.0) 64bit (built Nov 17 2011)
libimta.so 7u4-24.01 64bit (built 10:55:13, Nov 17 2011)
Using /usr/appl/comms/messaging/config/imta.cnf (compiled)
Linux hostname 2.6.18-194.3.1.el5 #1 SMP Sun May 2 04:17:42 EDT 2010 x86_64 x86_64 x86_64 GNU/Linux

Suppose the system running iMS receives Internet mail from an intermediate system, which is located in a
DMZ-like environment. This intermediate system cannot be changed, it is not managed by my customer, but
by a 3rd party. The iMS system hosts two domains, domainA.example.com and domainB.example.com. One
address within domainB.example.com: address@... resolves to two addresses on two different hosts within
the intra network: address@... and address@... LDAP schema 2 is used; both domains are defined as
associatedDomain in LDAP. The address@... address is currently implemented as an LDAP entry with a
mailForwardingAddress attribute with two values. I also have experimented with the setup of a group with
two mgrpRfc822MailMembers.

I need to add one headerline 'X-Timestamp:' to mail that is sent to address@..., and the X-Timestamp:
line in both copies (for address@... and for address@...) the requirement is, that both timestamp lines
must always be identical. Furthermore: mail that comes from Internet for domainA.example.com should not
get this headerline. So far so good: a sieve source filter on the inbound channel adding this header line
works OK: looking at the detailed debug/log file I see only one place where the sieve filter is consulted
so only one header line is added, before the message is being split for the two destination addresses.
Q: is this conclusion correct?

However, there's one more requirement: if I change the setup for domainB.example.com (for example adding
a sieve filter) then there may be no impact on domainA.example.com. Every change in the filter (including
first deployment of it) would mean there is a (possibly small) impact on both mail to domainA.example.com
and domainB.example.com and the owner of domainA.example.com may veto the change for domainB.example.com.

I have tried to solve this by creating two outbound channels for system1.example.com and
system2.example.com, using a Sieve filter. This works OK, except for the fact that there's most of the
time a small difference in timestamp (a few hundredths of a second difference) which may cause one copy to
have a timestamp of one second earlier or later than the other. So timestamps can differ like:

01-Jan-1970 12:34:56 and 01-Jan-1970 12:34:57 (difference in seconds) but once in a while:
01-Jan-1970 12:34:59 and 01-Jan-1970 12:35:00 (difference in minutes and seconds) but sporadically:
01-Jan-1970 12:59:59 and 01-Jan-1970 13:00:00 (difference in hours, minutes and seconds) and even:
01-Jan-1970 23:59:59 and 02-Jan-1970 00:00:00 (difference in days, hours, minutes and seconds) et cetera

The customer wants to have always identical timestamps in both copies of the message. Is it possible to
achieve this and what would be the setup to implement this?

/rolf

Jesse Thompson | 26 Dec 2012 20:52

metermaid state replication

I seem to recall that metermaid does/will support state replication 
across multiple servers.  I can't find any information about that.  My 
goal would be so that clients who are being throttled or greylisted by 
metermaid on one MTA would get the appropriate handling when the 
subsequent attempts go to another MTA.

Jesse

