SPF records: QUEUE only PASS; NOQUEUE NONE - postfix-mta

We're running a mail processing service for external customers. As a means of preventing spammers from relaying through our first hop (CentOS 6.6, Postfix 2.11.3), I want to check for the presence of an SPF record. I'm able to accomplish that with pypolicyd-spf (https://launchpad.net/pypolicyd-spf/).
The issue is that pypolicyd-spf will not reject mail from messages with MAIL FROM domains that don't have an SPF record. That is, if a spammer attempts to relay from a domain that doesn't have an SPF record, pypolicyd-spf shows:
Jan 6 22:38:54 DVR01 postfix/smtpd[31777]: connect from 118-160-214-49.dynamic.hinet.net[118.160.214.49]
Jan 6 22:38:55 DVR01 policyd-spf[31781]: None; identity=helo; client-ip=118.160.214.49; helo=144.202.242.201; envelope-from=dsobmxjdmtqlk@yam.com; receiver=brian772071@yahoo.com.tw
Jan 6 22:38:55 DVR01 policyd-spf[31781]: None; identity=mailfrom; client-ip=118.160.214.49; helo=144.202.242.201; envelope-from=dsobmxjdmtqlk@yam.com; receiver=brian772071@yahoo.com.tw
Jan 6 22:38:55 DVR01 postfix/smtpd[31777]: 89B191C03D0: client=118-160-214-49.dynamic.hinet.net[118.160.214.49]
Jan 6 22:39:00 DVR01 postfix/cleanup[31782]: 89B191C03D0: message-id=
Jan 6 22:39:00 DVR01 postfix/qmgr[31775]: 89B191C03D0: from=, size=7053, nrcpt=19 (queue active)
Jan 6 22:39:00 DVR01 postfix/smtp[31783]: 89B191C03D0: to=, relay=RLY01.DEV.MS.LOCAL[192.168.111.117]:25, delay=5.9, delays=5.9/0/0.02/0.01, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 52C4D1C04DB)
For reference, an SPF FAIL looks like this:
Jan 7 17:18:22 DVR01 postfix/smtpd[45867]: connect from unknown[221.5.48.181]
Jan 7 17:18:22 DVR01 policyd-spf[45870]: None; identity=helo; client-ip=221.5.48.181; helo=cgtisxj; envelope-from=uuuuuu@posteli.com; receiver=xulong.ping@163.com
Jan 7 17:18:22 DVR01 policyd-spf[45870]: Fail; identity=mailfrom; client-ip=221.5.48.181; helo=cgtisxj; envelope-from=uuuuuu@posteli.com; receiver=xulong.ping@163.com
Jan 7 17:18:22 DVR01 postfix/smtpd[45867]: NOQUEUE: reject: RCPT from unknown[221.5.48.181]: 550 5.7.1 : Recipient address rejected: Message rejected due to: SPF fail - not authorized. Please see http://www.openspf.net/Why?s=mfrom;id=uuuuuu@posteli.com;ip=221.5.48.181;r=xulong.ping@163.com; from= to= proto=ESMTP helo=
Effectively, I want to reject the NONE result.
Normally, this would be a bad idea; not everyone has implemented SPF records for their domains. But we're going to require it of our customers so we don't care to receive mail from domains that don't have SPF records.
So, the question: using at least some of what I have in place (I'd rather stick with CentOS and Postfix), how can I accept only "Pass; identity=mailfrom"?
Thanks,
Nathan

Can you just use DMARC? It can be configured to be SPF only, and the alignment requirement will take care of your 'identity=mailfrom' desire. Here's a Postfix implementation of the DMARC standard - http://www.trusteddomain.org/opendmarc/ .
If you can require that your customers have SPF, can't you also require them to have DMARC?
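An added example, not code from this thread and not pypolicyd-spf's own code: a minimal Postfix policy server that implements the "accept only Pass on identity=mailfrom" rule directly, returning a 550 for an SPF None result instead of letting the message through. The SPF lookup is injected as a callable so the policy logic can be exercised offline against a constructed result table; in a real deployment that callable would wrap pyspf's spf.check2(), the same library pypolicyd-spf builds on. The main.cf/master.cf lines in the docstring, the socket name private/spf-pass-only, the script path and the sample domains in FAKE_RESULTS are assumptions made for illustration.

```python
"""Postfix policy server: accept MAIL FROM only on SPF Pass, reject None.

Assumed Postfix wiring (hypothetical, not from the thread):

    main.cf
        smtpd_recipient_restrictions =
            permit_mynetworks,
            reject_unauth_destination,
            check_policy_service unix:private/spf-pass-only

    master.cf
        spf-pass-only unix - n n - 0 spawn
            user=nobody argv=/usr/bin/python3 /usr/local/bin/spf_pass_only.py
"""
import sys
from typing import Callable, Dict, Tuple

# spf_check(client_ip, sender, helo) -> (result, explanation), the shape of spf.check2()
SpfChecker = Callable[[str, str, str], Tuple[str, str]]

# Policy table. "pass" returns DUNNO rather than OK so later restrictions still run;
# "none" is rejected on purpose because this service requires its customers to publish SPF.
ACTIONS = {
    "pass": "DUNNO",
    "none": "550 5.7.1 Sender domain publishes no SPF record; SPF is required here",
    "fail": "550 5.7.1 SPF fail - not authorized",
    "softfail": "550 5.7.1 SPF softfail - not authorized",
    "neutral": "550 5.7.1 SPF neutral - not authorized",
    "permerror": "550 5.7.1 SPF record for sender domain is malformed",
    "temperror": "DEFER_IF_PERMIT 451 4.4.3 Temporary SPF lookup failure, try again later",
}


def parse_policy_request(text: str) -> Dict[str, str]:
    """Parse one policy-delegation request: name=value lines terminated by an empty line."""
    attrs: Dict[str, str] = {}
    for line in text.split("\n"):
        if line == "":
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def decide(attrs: Dict[str, str], spf_check: SpfChecker) -> str:
    """Map the request to a Postfix access action string."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    sender = attrs.get("sender", "")
    if sender == "":
        # Null reverse path (bounces/DSNs): there is no mailfrom identity to evaluate
        return "DUNNO"
    result, _explanation = spf_check(attrs.get("client_address", ""), sender, attrs.get("helo_name", ""))
    return ACTIONS.get(result.lower(), "DUNNO")


def respond(request_text: str, spf_check: SpfChecker) -> str:
    """Full response as Postfix expects it: an 'action=' line followed by a blank line."""
    return "action=" + decide(parse_policy_request(request_text), spf_check) + "\n\n"


def serve(stream_in, stream_out, spf_check: SpfChecker) -> None:
    """Read blank-line-terminated requests from Postfix and answer each one."""
    pending = []
    for line in stream_in:
        if line in ("\n", "\r\n"):
            stream_out.write(respond("".join(pending), spf_check))
            stream_out.flush()
            pending = []
        else:
            pending.append(line)


# Constructed offline stand-in for spf.check2(), keyed by sender domain.
FAKE_RESULTS = {"yam.com": "none", "posteli.com": "fail", "example.net": "pass", "slow.example": "temperror"}


def fake_spf_check(client_ip: str, sender: str, helo: str) -> Tuple[str, str]:
    domain = sender.rpartition("@")[2].lower()
    return FAKE_RESULTS.get(domain, "none"), "constructed result"


# Request modelled on the first log excerpt in the question (yam.com sender, no SPF record)
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\nprotocol_state=RCPT\n"
    "sender=dsobmxjdmtqlk@yam.com\nclient_address=118.160.214.49\n"
    "helo_name=144.202.242.201\nrecipient=brian772071@yahoo.com.tw\n\n"
)

if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--demo":
        print(respond(SAMPLE_REQUEST, fake_spf_check).strip())
    else:
        import spf  # pyspf; check2() returns (result, explanation)
        serve(sys.stdin, sys.stdout, lambda ip, s, h: spf.check2(i=ip, s=s, h=h))
```

Running it with --demo prints the 550 action for the yam.com request from the log; without arguments it speaks the policy protocol on stdin/stdout, which is what Postfix's spawn service expects. Keeping a DEFER_IF_PERMIT for temperror matters in practice: a DNS hiccup on the customer's side should not turn into a permanent bounce.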

Using an IP address (and port)

Ubuntu 18/Varnish 4.x
I'm not sure what I'm missing.
The documentation (http://manpages.ubuntu.com/manpages/xenial/en/man7/varnish-cli.7.html) seems to suggest:
...
backend.list [-p] [<backend_expression>]
List backends.
...
Backend Expression
A backend expression can be a backend name or a combination of backend name, IP address
and port in "name(IP address:port)" format.
...
However, I don't know if I'm missing something because I can't pass an IP address or port seemingly in Ubuntu 18 to list or set to auto/sick:
varnish> backend.list *www*
200
Backend name Admin Probe Last updated
xxx-www-5 probe Healthy 5/5 Fri, 22 Oct 2021 08:36:34 GMT
xxx-www-5http probe Healthy (no probe) Sat, 16 Oct 2021 18:52:41 GMT
varnish> backend.list *10.105*
200
Backend name Admin Probe Last updated
varnish>
Other relevant information:
Varnish config:
...
backend xxx-www-5 {
.host = "xxxweb05";
.port = "xxx443";
...
}
backend xxx-www-5http {
.host = "xxxweb05";
.port = "xxx80";
...
}
...
$ nslookup xxxweb05
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
Name: xxxweb05.xxx.com
Address: 10.105.xxx.xxx
I tried filtering on IP address and port myself on an Ubuntu Trusty Docker container on which I installed Varnish 4.1.
It didn't work and I only managed to filter on the backend name.
However, Varnish 4 is dead and buried. It's EOL, doesn't offer any more support and bugfixes and has some known security issues.
Please use Varnish 6: either the 6.0 LTS version or any of the new feature releases.
That being said, the more recent documentation for this feature no longer lists IP addresses or ports. See http://varnish-cache.org/docs/6.0/reference/varnish-cli.html#backend-pattern.
I guess this feature is no longer supported in recent versions and didn't seem to work well on Varnish 4 either.
My advice: install Varnish 6.0 LTS as described on https://www.varnish-software.com/developers/tutorials/installing-varnish-ubuntu/ and forget the IP/port filter for backend.list ever existed.
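Since the IP/port filter of backend.list does not work, the mapping from an address back to backend names has to come from the VCL itself. The following is an added example, not part of the answer and not Varnish code: it parses backend definitions out of a VCL file, resolves each .host through an injected resolver (a constructed lookup table here; socket.gethostbyname_ex in real use), returns the backend names whose address matches, and builds the backend.set_health commands to hand to varnishadm. The VCL fragment, hostnames and 10.105.x addresses are constructed after the question's configuration, with plain 443/80 in place of the masked port values.

```python
import re
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Constructed VCL modelled on the question's configuration (hosts and ports are placeholders)
SAMPLE_VCL = """
backend xxx-www-5 {
    .host = "xxxweb05";
    .port = "443";
    .probe = { .url = "/"; .interval = 5s; }
}
backend xxx-www-5http {
    .host = "xxxweb05";
    .port = "80";
}
backend xxx-www-6 {
    .host = "xxxweb06";
    .port = "443";
}
"""

# Constructed DNS answers standing in for socket.gethostbyname_ex(host)[2]
FAKE_DNS = {"xxxweb05": ["10.105.1.5"], "xxxweb06": ["10.105.1.6"]}

Resolver = Callable[[str], List[str]]

BACKEND_OPEN = re.compile(r"\bbackend\s+([\w.-]+)\s*\{")
FIELD = re.compile(r"\.(host|port)\s*=\s*\"([^\"]*)\"\s*;")


def parse_backends(vcl: str) -> Dict[str, Tuple[str, str]]:
    """Map backend name -> (host, port). Brace counting finds the end of each block
    even when it contains a nested .probe block; nested blocks are dropped before
    reading fields so a probe cannot shadow the backend's own .host/.port."""
    backends: Dict[str, Tuple[str, str]] = {}
    pos = 0
    while True:
        m = BACKEND_OPEN.search(vcl, pos)
        if not m:
            break
        depth, i = 1, m.end()
        while i < len(vcl) and depth:
            depth += {"{": 1, "}": -1}.get(vcl[i], 0)
            i += 1
        body = vcl[m.end():i - 1]
        top_level = re.sub(r"\{[^{}]*\}", "", body)
        fields = dict(FIELD.findall(top_level))
        backends[m.group(1)] = (fields.get("host", ""), fields.get("port", "80"))  # Varnish defaults .port to 80
        pos = i
    return backends


def fake_resolver(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


def dns_resolver(host: str) -> List[str]:
    """Live resolver for real use (not exercised offline)."""
    return socket.gethostbyname_ex(host)[2]


def addr_matches(addr: str, pattern: str) -> bool:
    """Exact address, or a prefix on an octet boundary ("10.105" matches 10.105.1.5, not 10.1050.0.1)."""
    if addr == pattern:
        return True
    prefix = pattern if pattern.endswith(".") else pattern + "."
    return addr.startswith(prefix)


def backends_matching(backends: Dict[str, Tuple[str, str]], resolve: Resolver,
                      pattern: str, port: Optional[str] = None) -> List[str]:
    """Backend names whose .host resolves to an address matching pattern (and port, if given)."""
    names = []
    for name, (host, bport) in sorted(backends.items()):
        if port is not None and port != bport:
            continue
        if any(addr_matches(addr, pattern) for addr in resolve(host)):
            names.append(name)
    return names


def set_health_commands(names: List[str], state: str = "sick") -> List[str]:
    """varnishadm CLI commands; state is one of auto, healthy, sick."""
    return [f"backend.set_health {name} {state}" for name in names]


if __name__ == "__main__":
    found = backends_matching(parse_backends(SAMPLE_VCL), fake_resolver, "10.105.1.5", "443")
    for cmd in set_health_commands(found):
        print(cmd)
```

With the live resolver the script can be pointed at the real VCL and piped into varnishadm; resolving on the Varnish host itself matters, since that is the resolver Varnish used when it loaded the VCL.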

Instances can't get any IP from the DHCP server in OPENSTACK

I have OpenStack Wallaby running in two VMs in VirtualBox with Ubuntu 20.04, controller and compute1. Everything runs without issues in a flat-type provider network except DHCP.
For example, I have a network created in the range of 192.168.8.20-192.168.8.30. I selected to have a DHCP.
The instance gets an IP and runs, but when it is running I can't get a response from the DHCP server, as if it did not exist. I mean, the port is attached to the DHCP server with the IP 192.168.8.20.
I can even connect to it running ip netns.
root@controller:/home/stack# ip netns list
qdhcp-36c8f4db-ccfc-483b-a5ff-868185dcce0f (id: 0)
When I try to ping the instance IP from the DHCP server to the instance using netns, the DHCP server did not get any response from the instance or any device in the network. The network works, because if I set up the IP manually in the instance I can get access to the gateway. But it didn't see the DHCP server, sending DHCP_DISCOVER without any response.
Address -> 192.168.8.0/24 36c8f4db-ccfc-483b-a5ff-868185dcce0f
Subnet -> 192.168.8.120,192.168.8.130 09c143c9-0225-4951-bd9c-61846b8078a1
DHCP -> 192.168.8.120 f4b2f7ba-c9e8-493d-a010-852e72f46ef7
Instance -> 192.168.8.22 53316673-b6eb-4880-866f-91b1613aa17c
The process:
root@controller:/home/stack# ps aux | grep dnsmasq
nobody 3616 0.0 0.0 12144 364 ? S 18:11 0:00 dnsmasq --no-hosts --no-resolv --pid-file=/var/lib/neutron/dhcp/36c8f4db-ccfc-483b-a5ff-868185dcce0f/pid --dhcp-hostsfile=/var/lib/neutron/dhcp/36c8f4db-ccfc-483b-a5ff-868185dcce0f/host --addn-hosts=/var/lib/neutron/dhcp/36c8f4db-ccfc-483b-a5ff-868185dcce0f/addn_hosts --dhcp-optsfile=/var/lib/neutron/dhcp/36c8f4db-ccfc-483b-a5ff-868185dcce0f/opts --dhcp-leasefile=/var/lib/neutron/dhcp/36c8f4db-ccfc-483b-a5ff-868185dcce0f/leases --dhcp-match=set:ipxe,175 --dhcp-userclass=set:ipxe6,iPXE --local-service --bind-dynamic --dhcp-range=set:subnet-09c143c9-0225-4951-bd9c-61846b8078a1,192.168.8.0,static,255.255.255.0,86400s --dhcp-option-force=option:mtu,1500 --dhcp-lease-max=256 --conf-file=/dev/null --domain=openstacklocal
root 6278 0.0 0.0 6380 2380 pts/1 S+ 18:59 0:00 grep --color=auto dnsmasq
And the log from /var/log/syslog
Nov 6 19:05:10 controller dnsmasq-dhcp[3616]: DHCPRELEASE(ns-f4b2f7ba-c9) 192.168.8.128 fa:16:3e:24:74:93
Nov 6 19:05:10 controller dnsmasq[3616]: read /var/lib/neutron/dhcp/36c8f4db-ccfc-483b-a5ff-868185dcce0f/addn_hosts - 1 addresses
Nov 6 19:05:10 controller dnsmasq-dhcp[3616]: read /var/lib/neutron/dhcp/36c8f4db-ccfc-483b-a5ff-868185dcce0f/host
Nov 6 19:05:10 controller dnsmasq-dhcp[3616]: read /var/lib/neutron/dhcp/36c8f4db-ccfc-483b-a5ff-868185dcce0f/opts
Nov 6 19:05:30 controller dnsmasq[3616]: read /var/lib/neutron/dhcp/36c8f4db-ccfc-483b-a5ff-868185dcce0f/addn_hosts - 2 addresses
Nov 6 19:05:30 controller dnsmasq-dhcp[3616]: read /var/lib/neutron/dhcp/36c8f4db-ccfc-483b-a5ff-868185dcce0f/host
Nov 6 19:05:30 controller dnsmasq-dhcp[3616]: read /var/lib/neutron/dhcp/36c8f4db-ccfc-483b-a5ff-868185dcce0f/opts
Nov 6 19:05:30 controller dnsmasq[3616]: read /var/lib/neutron/dhcp/36c8f4db-ccfc-483b-a5ff-868185dcce0f/addn_hosts - 2 addresses
Nov 6 19:05:30 controller dnsmasq-dhcp[3616]: read /var/lib/neutron/dhcp/36c8f4db-ccfc-483b-a5ff-868185dcce0f/host
Nov 6 19:05:30 controller dnsmasq-dhcp[3616]: read /var/lib/neutron/dhcp/36c8f4db-ccfc-483b-a5ff-868185dcce0f/opts
Nov 6 19:05:30 controller dnsmasq[3616]: read /var/lib/neutron/dhcp/36c8f4db-ccfc-483b-a5ff-868185dcce0f/addn_hosts - 2 addresses
Nov 6 19:05:30 controller dnsmasq-dhcp[3616]: read /var/lib/neutron/dhcp/36c8f4db-ccfc-483b-a5ff-868185dcce0f/host
Nov 6 19:05:30 controller dnsmasq-dhcp[3616]: read /var/lib/neutron/dhcp/36c8f4db-ccfc-483b-a5ff-868185dcce0f/opts
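The dnsmasq process shown above runs with --dhcp-range=...,static, which tells dnsmasq not to allocate addresses dynamically: it only answers clients whose MAC appears in the --dhcp-hostsfile that Neutron writes for the network's ports, and a DISCOVER from any other MAC gets no offer. The following is an added example, not part of the question: it pulls the range definition and the hosts-file path out of the dnsmasq command line and predicts whether a given MAC would be served. The hosts file is constructed (the question does not show it) in the mac,hostname,ip layout; the MACs and the 192.168.8.22 entry are made up. The real file under /var/lib/neutron/dhcp/36c8f4db-ccfc-483b-a5ff-868185dcce0f/host is the one to check for the instance port's MAC.

```python
import shlex
from typing import Dict, List, Optional

# Arguments from the dnsmasq command line in the question, trimmed to the ones used here
DNSMASQ_CMDLINE = (
    "dnsmasq --no-hosts --no-resolv"
    " --dhcp-hostsfile=/var/lib/neutron/dhcp/36c8f4db-ccfc-483b-a5ff-868185dcce0f/host"
    " --dhcp-range=set:subnet-09c143c9-0225-4951-bd9c-61846b8078a1,192.168.8.0,static,255.255.255.0,86400s"
    " --dhcp-lease-max=256 --bind-dynamic"
)

# Constructed hosts file (mac,hostname,ip). MACs and the .22 entry are invented for the demo.
SAMPLE_HOSTS = """\
fa:16:3e:00:00:01,host-192-168-8-120.openstacklocal,192.168.8.120
fa:16:3e:00:00:02,host-192-168-8-22.openstacklocal,192.168.8.22
"""


def parse_dnsmasq_args(cmdline: str) -> Dict[str, object]:
    """Extract every --dhcp-range and the --dhcp-hostsfile path from a dnsmasq command line."""
    ranges: List[Dict[str, Optional[str]]] = []
    hostsfile: Optional[str] = None
    for arg in shlex.split(cmdline):
        if arg.startswith("--dhcp-range="):
            parts = arg[len("--dhcp-range="):].split(",")
            tag = parts.pop(0)[len("set:"):] if parts and parts[0].startswith("set:") else None
            # IPv4 syntax: <start>,<end>|static[,<netmask>][,<lease>]; the netmask is the dotted quad
            netmask = lease = None
            for extra in parts[2:]:
                if extra.count(".") == 3:
                    netmask = extra
                else:
                    lease = extra
            ranges.append({
                "tag": tag,
                "start": parts[0],
                "end": None if parts[1] == "static" else parts[1],
                "static": parts[1] == "static",
                "netmask": netmask,
                "lease": lease,
            })
        elif arg.startswith("--dhcp-hostsfile="):
            hostsfile = arg[len("--dhcp-hostsfile="):]
    return {"ranges": ranges, "hostsfile": hostsfile}


def parse_hostsfile(text: str) -> Dict[str, str]:
    """mac -> ip from a mac,hostname,ip hosts file (the address is the last field)."""
    hosts: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(",")
        hosts[fields[0].lower()] = fields[-1]
    return hosts


def predict_offer(mac: str, cmdline: str, hosts_text: str) -> Dict[str, object]:
    """What dnsmasq does with a DISCOVER from `mac` under this configuration."""
    cfg = parse_dnsmasq_args(cmdline)
    hosts = parse_hostsfile(hosts_text)
    ip = hosts.get(mac.lower())
    if ip is not None:
        return {"served": True, "ip": ip, "reason": f"static entry in {cfg['hostsfile']}"}
    if cfg["ranges"] and all(r["static"] for r in cfg["ranges"]):
        return {"served": False, "ip": None,
                "reason": "MAC not in the hosts file and every range is 'static': no address will be offered"}
    return {"served": True, "ip": None, "reason": "MAC not in the hosts file; a dynamic range would allocate an address"}


if __name__ == "__main__":
    for mac in ("fa:16:3e:00:00:02", "fa:16:3e:de:ad:00"):
        print(mac, predict_offer(mac, DNSMASQ_CMDLINE, SAMPLE_HOSTS))
```

The second MAC in the demo is not in the hosts file, so the prediction is "no offer", which is the silent behaviour the question describes; comparing the instance port's MAC (openstack port show) against the real hosts file is the first thing to verify before looking at the data path.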

tor middle node can't connect to private tor authority server

We are a group of uni students and we're currently developing a project involving the creation of a private tor network.
So far we have created 2 server authorities successfully and we want to create a middle node to check if the consensus can be generated, but we have a problem that we cannot solve and we seem to not find any documentation about:
Nov 21 18:17:34.000 [warn] Bad v3 identity digest 'v3ident=8ExA7smGhHOiDwEttS04pkINWRh72YBMJB7XOMaF7ww' on DirAuthority line
Nov 21 18:17:34.000 [warn] Bad v3 identity digest 'v3ident=3i+SLxtN6rKnEjLVBLy23BrX9e9YrqrMKdFYSaUShGc' on DirAuthority line
those 2 lines are from the middle node's log file, and refer to the two identity servers that we have specified in the torrc file of the middle node, the mentioned file is:
UseDefaultFallbackDirs 0
DirAuthority alejandro orport=6969 v3ident=8ExA7smGhHOiDwEttS04pkINWRh72YBMJB7XOMaF7ww 172.31.22.112:9050 C71F 48D4 36BC E2BD FD74 521A F6DF F76F 1805 CF6E
DirAuthority marti orport=6969 v3ident=3i+SLxtN6rKnEjLVBLy23BrX9e9YrqrMKdFYSaUShGc 172.31.25.34:9050 23D2 7887 9F7C E57C 6ABC 60B7 6F9F F662 AF4F 5425
DirAllowPrivateAddresses 1
TestingTorNetwork 1
ExtendAllowPrivateAddresses 1
EnforceDistinctSubnets 0
AssumeReachable 1
ORPort 172.31.20.85:6969
DirPort 172.31.20.85:9050
All the elements of the tor network are inside a private network and we have tested the connectivity between the machines.
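Tor's DirAuthority parser requires the v3ident= value to be the 40-hex-digit SHA-1 digest of the authority's v3 identity key (the value on the fingerprint line of the authority_certificate that tor-gencert produces) and the trailing relay identity fingerprint to be 40 hex digits as well; "Bad v3 identity digest" is the warning it logs when the v3ident value does not decode as such a digest. The following validator is an added example, not part of the question and not Tor code: it parses DirAuthority lines the way the manual lays them out (nickname, flags, ip:dirport, fingerprint) and reports which field is malformed, so a torrc can be checked before starting the relay. VALID_EXAMPLE is constructed and its v3ident is a placeholder digest.

```python
import re
from typing import Dict, List, Optional

HEX40 = re.compile(r"^[0-9A-Fa-f]{40}$")
ADDR = re.compile(r"^\d{1,3}(\.\d{1,3}){3}:\d{1,5}$")
# Bare flags Tor's parser accepts (hs, no-hs and no-v2 are obsolete but still parsed)
BARE_FLAGS = {"bridge", "no-v2", "hs", "no-hs"}


def parse_dirauthority(line: str) -> Optional[Dict[str, object]]:
    """DirAuthority nickname [flags] ip:dirport fingerprint  ->  structured fields, or None."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "DirAuthority":
        return None
    entry: Dict[str, object] = {"nickname": tokens[1], "flags": {}, "address": None, "fingerprint": ""}
    fp_parts: List[str] = []
    for tok in tokens[2:]:
        if entry["address"] is None:
            if "=" in tok:
                key, _, value = tok.partition("=")
                entry["flags"][key] = value
            elif tok in BARE_FLAGS:
                entry["flags"][tok] = True
            elif ADDR.match(tok):
                entry["address"] = tok
            else:
                entry["flags"][tok] = "unrecognized"
        else:
            fp_parts.append(tok)  # fingerprint may be written as ten space-separated groups
    entry["fingerprint"] = "".join(fp_parts).upper()
    return entry


def check_dirauthority(line: str) -> List[str]:
    """Problems found in one DirAuthority line; an empty list means it parses cleanly."""
    entry = parse_dirauthority(line)
    if entry is None:
        return ["not a DirAuthority line"]
    problems: List[str] = []
    flags = entry["flags"]
    if entry["address"] is None:
        problems.append("missing ip:dirport")
    fp = entry["fingerprint"]
    if not HEX40.match(fp):
        problems.append(f"identity fingerprint must be 40 hex digits, got {len(fp)} chars")
    v3 = flags.get("v3ident")
    if v3 is None:
        problems.append("no v3ident= flag: this entry cannot act as a v3 directory authority")
    elif not HEX40.match(v3):
        problems.append("v3ident must be the 40-hex-digit digest from the authority certificate's "
                        f"fingerprint line; got {len(v3)} chars that are not hex")
    orport = flags.get("orport")
    if orport is not None and not orport.isdigit():
        problems.append("orport= must be numeric")
    for key, value in flags.items():
        if value == "unrecognized":
            problems.append(f"unrecognized flag '{key}'")
    return problems


def check_torrc(text: str) -> Dict[str, List[str]]:
    """Run the check over every DirAuthority line in a torrc."""
    return {line: check_dirauthority(line) for line in text.splitlines() if line.startswith("DirAuthority")}


# Constructed line in the shape Tor expects; the v3ident is a placeholder digest, not a real key
VALID_EXAMPLE = ("DirAuthority test orport=6969 v3ident=" + "A" * 40
                 + " 172.31.22.112:9050 C71F 48D4 36BC E2BD FD74 521A F6DF F76F 1805 CF6E")

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/tor/torrc"
    with open(path) as fh:
        for line, problems in check_torrc(fh.read()).items():
            print(line.split()[1], problems or "ok")
```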

NSS+PAM+TACACS+: first session fails

I have a device that I want to authorize using a TACACS+ server.
I have TACACS version: tac_plus version F4.0.4.26
I have a TACACS+ server with the following configuration:
accounting file = /var/log/tac_plus.acct
key = testing123
default authentication = file /etc/passwd
user = sf {
default service = permit
login = cleartext 1234
}
user = DEFAULT {
# login = PAM
service = ppp protocol = ip {}
}
On the device I have NSS with this config:
/etc/nsswitch.conf
passwd: files rf
group: files
shadow: files
hosts: files dns
networks: files dns
protocols: files
services: files
ethers: files
rpc: files
and pam.d with an sshd file in it:
# SERVER 1
auth required /lib/security/pam_rf.so
auth [success=done auth_err=die default=ignore] /lib/security/pam_tacplus.so server=172.18.177.162:49 secret=testing123 timeout=5
account sufficient /lib/security/pam_tacplus.so server=172.18.177.162:49 service=ppp protocol=ip timeout=5
session required /lib/security/pam_rf.so
session sufficient /lib/security/pam_tacplus.so server=172.18.177.162:49 service=ppp protocol=ip timeout=5
password required /lib/security/pam_rf.so
# PAM configuration for the Secure Shell service
# Standard Un*x authentication.
auth include common-auth
# Disallow non-root logins when /etc/nologin exists.
account required pam_nologin.so
# Standard Un*x authorization.
account include common-account
# Set the loginuid process attribute.
session required pam_loginuid.so
# Standard Un*x session setup and teardown.
session include common-session
# Standard Un*x password updating.
password include common-password
And the problem: when I connect to the device the first time via TeraTerm, I see that the entered user name was added at session start to /etc/passwd and /etc/shadow,
but the login does not succeed, and on the TACACS+ server I see in the logs:
Mon Dec 17 19:00:05 2018 [25418]: session.peerip is 172.17.236.2
Mon Dec 17 19:00:05 2018 [25418]: forked 5385
Mon Dec 17 19:00:05 2018 [5385]: connect from 172.17.236.2 [172.17.236.2]
Mon Dec 17 19:00:05 2018 [5385]: Found entry for alex in shadow file
Mon Dec 17 19:00:05 2018 [5385]: verify
IN $6$DUikjB1i$4.cM87/pWRZg2lW3gr3TZorAReVL7JlKGA/2.BRi7AAyHQHz6bBenUxGXsrpzXkVvpwp0CrtNYAGdQDYT2gaZ/
Mon Dec 17 19:00:05 2018 [5385]:
IN encrypts to $6$DUikjB1i$AM/ZEXg6UAoKGrFQOzHC6/BpkK0Rw4JSmgqAc.xJ9S/Q7n8.bT/Ks73SgLdtMUAGbLAiD9wnlYlb84YGujaPS/
Mon Dec 17 19:00:05 2018 [5385]: Password is incorrect
Mon Dec 17 19:00:05 2018 [5385]: Authenticating ACLs for user 'DEFAULT' instead of 'alex'
Mon Dec 17 19:00:05 2018 [5385]: pap-login query for 'alex' ssh from 172.17.236.2 rejected
Mon Dec 17 19:00:05 2018 [5385]: login failure: alex 172.17.236.2 (172.17.236.2) ssh
After that, if I close TeraTerm and open it again and try to connect, the connection is established successfully; after that, if I close TeraTerm and open it again, the same problem appears on every second try.
What may be the problem with it? I am going crazy already.
After digging deeper into the problem, I found out that it was my fault: I compiled my name service using g++ instead of gcc.
Because the name service uses
#include <pwd.h>
which defines the interface for functions like nss_service_getpwnam_r and others that were written in C, I therefore had to use:
extern "C" {
#include <pwd.h>
}
or compile my program using GCC. I hope that if someone faces the same problem one day this will help him/her. Good luck.

Chilkat HTTP with https

I'm currently using the Chilkat HTTP ActiveX control (version 9.3.2.0) with VB6... One of the servers where I download files from is switching over to https, but I can't get it to work... Using http it works perfectly, but when I change the URL to https it returns 0.
Here is the result of Http.LastErrorText:
ChilkatLog:
Download:
DllDate: Aug 5 2012
UnlockPrefix: **********
Username: BILL-DESKTOP:Bill
Architecture: Little Endian; 32-bit
Language: ActiveX
VerboseLogging: 0
backgroundThread: 0
url: https://nomads.ncep.noaa.gov/cgi-bin/filter_gfs_0p25.pl?file=gfs.t12z.pgrb2.0p25.f000&lev_10_m_above_ground=on&lev_2_m_above_ground=on&lev_entire_atmosphere=on&lev_entire_atmosphere_%5C%28considered_as_a_single_layer%5C%29=on&lev_mean_sea_level=on&lev_surface=on&var_APCP=on&var_PRMSL=on&var_TCDC=on&var_TMP=on&var_UGRD=on&var_VGRD=on&leftlon=0&rightlon=360&toplat=90&bottomlat=-90&dir=%2Fgfs.2018120712
toLocalPath: C:\Progra~1\PCGrADS\gfs\grib\gfs_pgrbf_000.grib2
localFileAlreadyExists: 0
QuickGetToOutput_Download:
qGet_1:
simpleHttpRequest_3:
httpMethod: GET
requestUrl: https://nomads.ncep.noaa.gov/cgi-bin/filter_gfs_0p25.pl?file=gfs.t12z.pgrb2.0p25.f000&lev_10_m_above_ground=on&lev_2_m_above_ground=on&lev_entire_atmosphere=on&lev_entire_atmosphere_%5C%28considered_as_a_single_layer%5C%29=on&lev_mean_sea_level=on&lev_surface=on&var_APCP=on&var_PRMSL=on&var_TCDC=on&var_TMP=on&var_UGRD=on&var_VGRD=on&leftlon=0&rightlon=360&toplat=90&bottomlat=-90&dir=%2Fgfs.2018120712
Connecting to web server...
httpServer: nomads.ncep.noaa.gov
port: 443
Using HTTPS.
ConnectTimeoutMs_1: 10000
calling ConnectSocket2
IPV6 enabled connect with NO heartbeat.
connectingTo: nomads.ncep.noaa.gov
dnsCacheLookup: nomads.ncep.noaa.gov
Resolving domain name (IPV4)
GetHostByNameHB_ipv4: Elapsed time: 140 millisec
myIP_1: 192.168.1.38
myPort_1: 55564
connect successful (1)
clientHelloMajorMinorVersion: 3.1
buildClientHello:
majorVersion: 3
minorVersion: 1
numRandomBytes: 32
sessionIdSize: 0
numCipherSuites: 10
numCompressionMethods: 1
--buildClientHello
TlsAlert:
level: fatal
descrip: handshake failure
--TlsAlert
Closing connection in response to fatal error.
Failed to read incoming handshake messages. (1)
Client handshake failed. (3)
Failed to connect to HTTP server.
connectElapsedMs: 640
--simpleHttpRequest_3
--qGet_1
--QuickGetToOutput_Download
bFileDeleted: 1
totalElapsedMs: 672
ContentLength: 0
Failed.
--Download
--ChilkatLog
What am I doing wrong?
Regards,
Bill
You were using an old version from 2012, which did not yet implement TLS 1.2. Chilkat has since added support for TLS 1.2 (for many years now) and the latest version should work fine.
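The log already says what failed: the client sent a ClientHello whose version on the wire was 3.1, which is TLS 1.0 (3.3 is TLS 1.2), and the server answered with a fatal handshake_failure alert. The following is an added example, not code from the question or from Chilkat: it builds a ClientHello record with the same shape as the logged one (version, 32 random bytes, empty session id, ten cipher suites, one compression method), parses the version back out of it, decodes the alert record, and includes a live probe that uses Python's ssl module to ask a server whether it still completes a handshake at a pinned TLS version. The ten cipher suite IDs are a constructed TLS 1.0-era list, and the probe needs network access so the offline demo does not call it.

```python
import os
import socket
import ssl
import struct
from typing import Dict, List, Optional, Tuple

# Protocol version as it appears on the wire (major, minor)
TLS_VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
                      40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca",
                      70: "protocol_version", 80: "internal_error"}

# Constructed list of ten RSA/DHE suites of the kind a 2012-era TLS 1.0 stack would offer
SAMPLE_SUITES = [0x002F, 0x0035, 0x000A, 0x0005, 0x0004, 0x0033, 0x0039, 0x0016, 0x0032, 0x0038]


def build_client_hello(major: int, minor: int, suites: List[int], random_bytes: Optional[bytes] = None) -> bytes:
    """TLS record (type 0x16) carrying a ClientHello: version, random, empty session id, suites, null compression."""
    if random_bytes is None:
        random_bytes = os.urandom(32)
    if len(random_bytes) != 32:
        raise ValueError("ClientHello random must be 32 bytes")
    body = bytes([major, minor]) + random_bytes + b"\x00"               # session id length 0
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                                   # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body             # handshake type 1 = ClientHello
    return b"\x16" + bytes([major, minor]) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes) -> Dict[str, object]:
    """Read the fields back; 'version' is what the log prints as clientHelloMajorMinorVersion."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = (body[0], body[1])
    sid_len = body[34]                                                    # after 2 version + 32 random bytes
    off = 35 + sid_len
    cs_len = struct.unpack("!H", body[off:off + 2])[0]
    suites = [struct.unpack("!H", body[off + 2 + i:off + 4 + i])[0] for i in range(0, cs_len, 2)]
    off += 2 + cs_len
    return {"version": version, "version_name": TLS_VERSIONS.get(version, "unknown"),
            "session_id_size": sid_len, "cipher_suites": suites, "compression_methods": body[off]}


def parse_alert(record: bytes) -> Tuple[str, str]:
    """Decode an alert record (type 0x15) into (level, description)."""
    if record[0] != 0x15 or len(record) < 7:
        raise ValueError("not an alert record")
    return ALERT_LEVELS.get(record[5], str(record[5])), ALERT_DESCRIPTIONS.get(record[6], str(record[6]))


# Constructed alert matching the log: level fatal (2), description handshake_failure (40)
SAMPLE_ALERT = b"\x15\x03\x01\x00\x02\x02\x28"


def probe_server(host: str, port: int, version: ssl.TLSVersion) -> str:
    """Live check (network required): pin the client to exactly `version` and report the outcome."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return f"handshake completed with {tls.version()}"
    except ssl.SSLError as exc:
        return f"handshake failed: {exc.reason}"


if __name__ == "__main__":
    hello = build_client_hello(3, 1, SAMPLE_SUITES)
    print(parse_client_hello(hello)["version_name"], parse_alert(SAMPLE_ALERT))
    # print(probe_server("nomads.ncep.noaa.gov", 443, ssl.TLSVersion.TLSv1))    # needs network
```

Pinning both minimum_version and maximum_version is what turns the probe into a yes/no answer per protocol version; running it once with TLSv1 and once with TLSv1_2 reproduces from a modern stack exactly the distinction the old control could not make.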
