Barricade MX
smtpf/2.6
|
| out1.pool1.example.com | 192.0.2.1 |
| out2.pool1.example.com | 192.0.2.2 |
| out3.pool1.example.com | 192.0.2.3 |
| out4.pool1.example.com | 192.0.2.4 |
Using the original grey-list key set, the first time the sending site connects, the receiver will record:
{ 192.0.2.3, fred@example.com, john@receiver.com }
and temporarily reject the mail. When the sending site retries, the receiver will likely see a different connecting IP address and record a new grey-list key:
{ 192.0.2.1, fred@example.com, john@receiver.com }
and temporarily reject the mail. This process can repeat itself for as many times as there are machines in the sending pool of servers, resulting in excessive mail delivery delays.
Using our optimisation, if the sender connects from IP address 192.0.2.3 which has a PTR of
out3.pool1.example.com, then the receiver would use the trimmed PTR information to record the following
grey-list key the first time the sender attempts to deliver the message:
{ pool1.example.com, fred@example.com, john@receiver.com }
and temporarily reject the message. The next time the sending site connects to the receiver, no matter from which machine within the same pool, the trimmed PTR information will match the previously cached record and result in the mail being passed through grey-listing.
The second optimisation concerns the objective of grey-listing as an anti-spam technique, which is essentially: does the remote mail server implement a retry queue? The assumption here being that spam sources do not bother with retry queues for speed. Many trivial grey-listing implementations record each and every unique { ip, sender, recipient } set, only allowing repeat visits from the same key set to passed without delay. However, once it is determined that a remote mail server implements a retry queue, new mail from the same host, but from different senders and/or to different recipients will result in additional and redundant grey-listing delays.
So in order to improve mail throughput, once a host or pool of hosts is known to implement a retry queue and if the grey-key specifies either the key set members IP or PTR, then we create a new cache record with a shortened key using only the IP or trimmed PTR information and allow all subsequent mail from that IP or trimmed PTR group to pass unhindered.
For example the first time an unknown SMTP client attempts to send a message, smtpf records:
{ pool1.example.com, fred@example.com, john@receiver.com }
When the sending site later retries to send the message, smtpf will find the above cached record and shorten that record key to be:
{ pool1.example.com }
Now when the sending site connects again in the future, smtpf will first look for the shortened key using either the SMTP client's trimmed PTR information or IP address and if it finds the record, passes the mail regardless of who the sender and recipients are, since we know that the hosts in question implement a retry mail queue. If the shortened key is not present, we look for the regular grey-list cache record and handle as before.
By default grey-key="ptr,mail,rcpt" takes advantage of both optimisations. The original grey-list method can be used by specifying grey-key="ip,mail,rcpt", though the second optimisation is still applied. To disable grey-listing specify an empty value grey-key="".
The grey-content option provides a variant on grey-listing. When an unknown key set is seen, a cache entry is created with the MD5 hash of the message content, and it is temporarily rejected. Subsequent attempts to deliver the message result in a temporary rejection until the grey-temp-fail-period has expired, at which point a MD5 hash of the message content is generated and compared with that previously saved within the cache. If the compared hashes are equal, then the message is allowed to proceed. Otherwise messages from this key set continue to be temporarily rejected until the originally message is seen once again.
The grey-content technique is effective against spamware that changes the content of their junk messages regularly in an effort to defeat Bayes analysis, distributed checksums, and/or simple pattern scanners. If the spammers do not change their text, then they will pass this test only to be caught most likely by something else like URI filtering or SpamAssassin.
The HELO argument is suppose to be a FQDN or it may be a IP-domain literal, which is technically not allowed by RFC 2821, but is a commonly accepted convention. The option rfc2821-strict-helo will reject and drop a connection, if the HELO argument is a bare unqualified name.
When reject-rfc2606 is enabled and
the SMTP client is not one of our relays nor
a RFC 3330 private LAN address, then
smtpf with reject the command and drop the connection if the HELO argument
is a reserved domain name as defined by RFC 2606
or similar such as .localdomain.
If helo-ip-mismatch is enabled and the HELO argument is an IP-domain-literal, then it must match that of the SMTP client IP address, otherwise the command is rejected and the connection dropped. RFC 3330 private LAN addresses are excluded.
Another interesting HELO test is helo-claims-us where the connected client is neither one of our relays nor a RFC 3330 private LAN address, yet specifies a HELO argument that claims to be from a domain we are responsible for, in which case the command is rejected and the connection dropped.
Finally if uri-bl-helo is enabled and uri-bl and/or uri-dns-bl are specified, then the HELO argument is tested against one or more URI black lists, rejecting the command and dropping the connection if true.
When specifying an IPv6 address with a port number, the address
must appear within square brackets, [ and ], for example
"[2001:DB8::1234]:25". Using an IPv4 address within the square
brackets is also supported, eg. "[192.0.2.1]:25", in addition to
the traditional IPv4 dot-colon notation, eg. "192.0.2.1:25".
Probably the most important set of RFC documents pertain to how mail travels using SMTP (RFC 2821) and the structure of mail messages (RFC 2822).
RFC 2821 documents several limits that SMTP servers must be able to support
and that messages must not exceed, such as the maximum length of the parts that appear before
(rfc2821-local-length) and after
(rfc2821-domain-length) the at-sign
(@) of an mail address, and the maximum length of
a message line (rfc2821-line-length) can be.
When enabled, these length related options will reject mail addresses or messages
that exceed the documented limits.
While exceeding these lengths are often a sign of spam or mail born viruses, there are also some legitimate, yet badly written mail software throughout the Internet, that also exceed them. Therefore the above length controls should be used with caution as they could result in legitimate mail being rejected.
SMTP is a protocol that has a well defined grammar and syntax, particularly for specifying mail addresses as arguments to the MAIL FROM: and RCPT TO: commands. When rfc2821-angle-brackets is enabled, then mail addresses that don't adhere to this syntax are rejected.
Sendmail is a very popular MTA, that uses a
plus-sign (+) in the local part
before the at-sign (@) to delimit the mail box name from a folder or tag
attributed by the mail box user. When
rfc2821-literal-plus
is disabled, then any plus-detail appearing in a mail
address is removed before performing various
access-map or
route-map lookups. When enabled, the entire
local-part is used unmodified.
The option rfc2821-strict-helo enforces the requirement that the HELO argument be a FQDN, ie. has two or more labels or is an IP-domain-literal. Anything else would be rejected.
The end of the DATA state and message transfer is suppose to be denoted by a CRLF-DOT-CRLF sequence, ie. a line consisting only of a single period. Enabling rfc2821-strict-dot option enforces this, since accepting other newline dot combinations could inadvertently terminate the message transfer early and subsequent unknown command errors. When disabled, other newline combinations are accepted, such as LF-DOT-LF, CRLF-DOT-LF, and LF-DOT-CRLF. Unfortunately, while typically a sign of spam software, there are some badly written mail applications that are careless in their handling of newlines and the final dot.
Mail messages, in particular the headers, are not suppose to contain unencoded 8-bit data, since how those values are interpreted when scanned can vary based on regional language and they can cause legacy mail systems to fail. With rfc2822-7bit-headers set, if the message headers are not 7-bit ASCII printable, then the message is rejected.
There are several domains, as described by RFC
2606, reserved for documentation and special local uses.
They are the top level domains .test, .example, .invalid, .localhost, and the second level domain .example using any
TLD.
These domains should never appear in domain names from the public Internet. If
rfc2606-special-domains is enabled,
then various tests are applied at different stages to the SMTP client name, HELO argument,
sender and recipients. The appearance of a reserved domain will cause a rejection, unless the
SMTP client is from the LAN or a relay. While not part of RFC 2606,
.localdomain and .local are also included in the restricted list.
chroot jail if run-jailed is set.
Once initialised, the smtpf process drops root privileges and becomes
the user and group specified by run-user and run-group respectively.
The run-open-file-limit is used to specify the maximum number of open files for the smtpf process. When approximately half this number is reached, smtpf will start to refuse SMTP connections on the assumption that each SMTP client needs at least two file descriptors in order to process the session.
server-min-threads sets the lower bound on the number of server threads to keep in circulation. server-new-threads specifies the number of new servers threads to create when there a no available server threads to handle new connections. The smtp-accept-timeout option specifies how long a server thread will wait for a new connection before it times out and is possibly terminated.
A reputation service will return a score between 0 and 100. If you want to reject a message with a low score, then set the siq-score-reject threshold to something between 0 and 99 (-1 to disable). Scores less than or equal to this threshold are rejected.
Similarly the siq-score-tag can be set to the value below which the message's Subject header would be prefixed with the siq-subject-tag.
It is possible to use both siq-score-reject and siq-score-tag so that clearly dubious message sources are rejected, while messages sources with a less definitive score would only be tagged as suspect and continue to be delivered. A SIQ-Report header containing a summary of any SIQ result is always added.
When an SMTP client connects, it is supposed to wait for the SMTP 220 response and welcome message. Some spam software will often assume that the ESMTP pipelining is used and simply blast out one or more message transactions, ignoring any responses from the server. One or more GreetPause: tags, which specify a delay in milliseconds, can be added to the access-map. If the client sends any data before this delay expires, then the connection will be dropped.
An SMTP client that successfully connects is sent a 220 status code along with the SMTP server host name and a welcome message. smtp-welcome-file can be used to supply a custom welcome message and it is the file path to a file containing one or more lines of text. The 220 status code will be automatically prepended to each line. It is recommended that this message be two or more lines as this has been found to foil some spam software that fail to handle multiline responses. If an empty string is given, a hard coded default is used.
The CommandPause: tag used in the access-map is similar in principal to GreetPause:. It specifies the number of milliseconds to pause before processing a SMTP command. If more input arrives before the delay passes then the command is rejected and the connection dropped. If a CommandPause: lookup returns a value of zero (0), then smtpf will allow RFC 2920 SMTP Pipelining after a successful EHLO command.
It is possible to drop a client connection after a certain number of unsuccessful SMTP commands with smtp-drop-after.
The smtp-drop-unknown can be used to reject and drop a connection that issues an unknown SMTP command. This option should be used with care, because it has been seen that Cisco Pix firewalls with SMTP filtering enabled, will for some silly reason obfuscate an EHLO command and thus trigger this test. Use with caution.
smtpf provides a very simple form of tar pitting when smtp-reject-delay is set. For any negative SMTP responses, exponentially delay sending the responses to the client. After several temporary failures or rejects, the client connection will timeout and be dropped. Particularly interesting in combating dictionary harvesting attacks.
The smtp-connect-timeout in seconds is used when smtpf attempts to make a connection to a FORWARD: host. While the smtp-command-timeout in seconds controls how long smtpf will wait for the next client command or server response. Finally the smtp-data-line-timeout in seconds controls how long to wait for the next message line from the client. If a client takes too long, the connection will be dropped.
The smtp-enable-esmtp option when disabled causes some badly written spam software that fails to fall-back to regular SMTP to disconnect or become out-of-sync (see the ehlo-no-helo counter). Regular mail software is unaffected and falls-back correctly. Other spam software will send an EHLO and when the command is rejected, send a HELO, but using a different host/domain argument to the EHLO that was previously sent; smtpf will reject and drop these connections (see the helo-schizophrenic counter).
savdid installed and chose to scan message content as it passes through smtpf, then
specify the host:port of the savdid server with the
savdid-socket option.
Make sure that the savdid process owner, if running as something other than root,
must be a member of the same group that smtpf is running as,
else it will not be able to read any message files; see
run-group.
When the savdid-socket is specified, all messages will be virus scanned, no exceptions possible. Those servers that use MailScanner may prefer to skip virus scanning in smtpf.
Also check the default settings for savdid-timeout option.
If a virus is found, then the default setting of savdid-policy
is to reject the message, other choices being to discard the message or take no action (ignoring a virus infected
message is a bad idea). If there is an I/O error between smtpf and savdid, probably caused by
savdid being restarted, then the message is temporarily rejected and a legitimate SMTP client will retry
later retry sending the message.
Also be sure to check the default settings for spamd-timeout and spamd-max-size options.
When scanning message content with spamd, the default
spamd-command is to simply CHECK
and report the score and a yes/no answer. The other commands possible are
SYMBOLS, REPORT, and REPORT_IFSPAM, which provide more
detailed logging if the verbose spamd flag is set.
As of smtpf 2.0 it is now possible to tag the Subject: header with a custom
prefix given by spamd-subject-tag.
The Subject: tag is applied when the score returned by SpamAssassin is greater than or equal to
the required_score defined in the SpamAssassin configuration and less than
the value given by spamd-score-reject.
In addition
X-Spam-Flag,
X-Spam-Status,
X-Spam-Level, and
X-Spam-Report headers may be added depending on the result.
The X-Spam-Report varies depending on the
spamd-command applied.
Some sending sites include X-Spam-Flag: YES
and/or X-Spam-Status headers that indicate that they already
thought the message was spam. In such case when the X-Spam-Status
score exceeds our spamd-score-reject,
we reject the message. Or if there is only a X-Spam-Flag
header that states YES (regardless of case), then we reject the
message. Otherwise we discard previous X-Spam-* headers and content
filtering proceeds as per usual.
It is possible to specify a specific SpamAssassin configuration file to use through the use of spamd: tag. If the message is addressed to a single recipient, then a Spamd:mail lookup is done. If the message is for more than one recipient, all of whom are within the same domain, then a Spamd:domain lookup is done. Otherwise the Spamd: default configuration is used. The right hand side must be a user name or address to pass to spamd. It can be a pattern list. If the special user name OK is used, then the message is not processed by spamd.
Many mail systems have no SPF record or have syntax errors, so when there is no SPF pass result from the SPF check, the spf-best-guess-txt option can perform a second SPF using the supplied string (for example "v=spf1 a/24 mx/24 ptr") to see if that would yield a pass result. Otherwise the result of the first SPF check is retained.
The enhanced grey-listing and client-is-mx options will take the SPF results into account. When spf-received-spf-headers is set, then Received-SPF headers detailing the results will be added to a message's headers.
CLIENTS, SENDERS, RECIPIENTS, and MESSAGES.
The percentages are computed by dividing a counter by the counter of the category it appears in.
Note that multiple statistics counters can be incremented during the lifetime of the SMTP connection.
By default the stats-map is disabled. When enabling statistics, the SQLite database is the recommended format. Also note that it becomes the responsibility of the statistics gathering software to age and remove old statistics from the stats-map as it will grow over time.
The stats-map consists of key-value pairs where the key is given by a string of digits indicating the current hour according to "YYYYMMDDHH". The value is a space separated list of hex values. The special key "fields:$VERSION", where $VERSION is the smtpf version number. The fields key is used to obtain the field names and the order they are saved in, since this can change between versions of smtpf.
It is possible to observe the raw statistics while smtpf is running. See the SMTP STAT extension.
By enabling uri-sub-domains it is possible to check sub-domains against all the URI black lists servers specified by uri-bl and/or uri-dns-bl. Note though that most URI black lists currently only list the top level domains, therefore enabling this option will generate more DNS traffic with little result.
Sometimes spammers will use the same domain that appears in their spam content for the their host name or as the domain that appears in either the HELO or MAIL FROM: arguments and so it is sometimes possible to catch spam early in the SMTP transaction. By enabling uri-bl-ptr, uri-bl-helo, or uri-bl-mail options the SMTP client host name, HELO argument, or MAIL FROM: arguments repectively are checked against the URI black list services given by uri-bl and/or uri-dns-bl.
Some messages, be them spam or HTML formatted news letters for example, will include a lot of URI throughout. The uri-max-test option will limit the number of unique URI domains that are checked in order to avoid possible denial of service situations from looking up too many URI, while the uri-max-limit counts how many URI are present and if over a given threshold a message would be rejected.
Some spam messages intentionally add broken or circular web page links. By specifying a uri-links-policy other than none, each web link will be tested using an HTTP HEAD request to see if a link is broken or generates a circular loop of HTTP redirects. If true the selected policy is applied. The http-timeout option specifies how long to wait in seconds before giving up testing a link.
verbose='error,info' is typically sufficient.
Note too that the logging level can be adjusted at runtime without having to restart
the server. See the SMTP VERB extension.
- TOP -