[prev in list] [next in list] [prev in thread] [next in thread]
List: listar-support
Subject: [ESupp] Old problems - Solved?
From: W B Hacker <wbh () conducive ! org>
Date: 2006-09-24 22:37:35
Message-ID: 451708AF.9040705 () conducive ! org
[Download RAW message or body]
A while back, there was a thread on Ecartis being unable to send with qmail.
Having just worked through a similar issue with Exim, there seems to be a
generic problem, one to whch I have a workaround, but still seek a more elegant
solution.
Meanwhile, while fine-tuning a fix and documentation:
Background:
- Ecartis gets its MTA-agnosticism by emulating a peer MTA over (usually)
localhost, performing the same connect, HELO/EHLO, etc. handshakes, as would any
other MTA when submitting traffic. It does not use the 'mail', 'sendmail' etc.
executables.
That was all well and good in times gone by when any 'entity' on-box could make
essentially unrestricted use of the MTA w/o being considered a relay attempt.
No more!
As a result of spam that ID's as, and HELO's as, the target victim's own box,
not to mention PHP, formmail, and other rude on-box and cgi script hacks and
carelessness, the 'modern' MTA may - or may not - still allow use of the 'mail',
'sendmail' (emulated), or exim <options> scripts, but more commonly with each
passing month has several settings to prevent local-residents, or their hacked
emulations, from utilizing the MTA, *especially* for transit to off-box
destinations.
Symptoms:
So long as I had Ecartis 'aimed' at 'localhost', all I could see was:
~/exim/mainlog: the message arriving from the external test box, being
handed-off to the correct router/transport set I have set up for it in Exim [1],
reporting delivery completion.
~/ecartis/ecartis.log: all expected settings being loaded, message file being
created and torn down in the spool, but not a peep about smtp success, failure,
or sidegodlin'ism, module unload, and normal exit.
Per Exim, the message went into the exim pipe command, but was never
re-submitted for outbound (remote_smtp) delivery, and none of the daemons
bitched about that (except me!)
Once Ecartis was 'aimed' at the smtp entrance with a fqdn, eyes popped open:
~/exim/mainlog showed the messages of ecartis HELO'ing as (one of) ourselves in
an acl that drops the connection when that happens.
~/ecartis/ecartis.log showed the steps and responses of the smtp progression,
displaying the rude error messages Exim sends to fools who think they are us,
showed retry activity, then wait-forever (Exim had dropped the other end - but
WTH - we are inside the IP stack, not really over the wire...)
The BFBI fix (so far):
- going ahead and using a fqdn for Ecartis MTA 'target', but 'exempting' it from
acl checks within Exim that would interfere with it.
*Note* that having Exim listen on 'localhost', adding OR removing the fqdn
Ecartis was 'HELOing' as to Exim's 'relay_from_hosts' and/or 'local_domains' did
not solve the problem. As similar stps had not for the qmail user....
The 'elegant' fix:
As the smtp sequence is already coded-in, why not do this:
- add (restore?) the 'smtp-port' variable so as to allow pointing Ecartis at
both an off-box MTA by fqdn/IP, AND to the submission port of same.
- provide for a username & password so Ecartis can authenticate.
Optionally provide for Ecartis to use TLS to auth and submit.
The 'silver lining' in this fix, is that it not only insures the ability to work
as a trusted submitter to the 'local' MTA, preserving and enhancing
MTA-agnosticism, but it should permit use of *any* MTA that permits passing the
traffic via the subscribed account.
With some other minor tweaking, this could further reduce the need of
sysadmin/mailadmin help to install aliases, etc. [2]
More after I have had some sleep.... [3]
Bill Hacker
[1] tested both with the 'traditional' ~/etc/aliases pipe entries and
~/ecartis/lists structure, AND with a modified version of a virtual-domain set
of Exim customizations published here:
http://www.aagh.net/files/ecartis.txt
..by Thomas Hurst <freaky@aagh.net>
Where 'modified' vs his approach, will accomodate BOTH ordinary accounts AND
lists for the same virtual domain sets. Or not. (PostgreSQL controlled).
[2] Ultimately, our settings will be DB-resident, so rights to the DB may be
totally unrelated to shell accounts, etc. - even set on a differnt box, then
exported.
[3] Lest I forget, the snippet of exim code on the current Ecartis docs is a an
obsolete, and now harmful, example of a 'director' left over from Exim 3.X days.
Badly needs removing. Will try to re-write that section.
--
Ecartis Support Mailing List <ecartis-support@ecartis.org>
To unsubscribe:
<mailto:ecartis-support-request@ecartis.org?Subject=unsubscribe>
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic