Milter-greylist

Rudy Eschauzier <reschauzier@...> wrote:

> 1. Introduce a new keyword, e.g 'skipdacl'
>
> 2. Only have messages that get greylisted by a racl command pass through
> the dacl stage. All globally whitelisted messages (through auth or global
> spf for example) whill skip dacl, as will auto-white listed messages.
>
> 3. Base the precedence of dacl over racl commands on the line number.

I have concerns with options 2 and 3 because they modify the way
existing setups work. skipdacl looks better to me (I disklike the name,
though, but this is not a big concern)"


-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...

Currently, the way milter-greylist processes data stage commands (dacl lines in greylist.conf) is less than optimal.

Data stage commands are commands that activate during the body stage of the milter and are useful for content scanning (e.g. Spamassasin) and message signing and verification (e.g. DomainKeys and Dkim).

Dacl commands are expensive, in that the entire message (up to maxpeek, if defined) is filtered through the milter. Racl commands, on the other hand, base their decisions on connection information only and are light on the CPU.

In the current setup, milter-greylist will process the dacl commands after the racl ones and send all messages that do not get rejected (blacklist) by a racl command through the dacl filter. Even messages that get whitelisted by a racl line, will have their contents inspected. On top of that, auto-white listed messages and messages that got globally whitelisted, such as messages from authenticated users, go through this CPU intensive task.

I have had some email exchange with Emmanuel, and we both agree there is room for improvement. It is not clear, however, how this improvement should be implemented. Here are a couple of options:

1. Introduce a new keyword, e.g 'skipdacl'. Placing this keyword in a racl line, will cause the dacl commands to be skipped if the racl line is matched.

2. Only have messages that get greylisted by a racl command pass through the dacl stage. All globally whitelisted messages (through auth or global spf for example) whill skip dacl, as will auto-white listed messages.

This is based on the premise that racl lines will only blacklist or whitelist a message if the matching rule guarantees nearly 100% certainty that the message is either ham or spam. Otherwise the result of the line will be either false positives or false negatives. Only in case of doubt, will a greylist line be matched. These are the cases that will be forwarded for further evaluation by the dacl lines.

3. Base the precedence of dacl over racl commands on the line number. Currently, the order of racl lines determines the precedence of one line over the other. The first matching line gets executed, all others skipped. By putting whitelist lines before greylist lines, we can make sure that messages of which it is certain they are ham get accepted directly, for example.

Dacl lines get processed after racl lines, even if they come first in the conf file. This is related to the order in which Sendmail invokes the milter subroutines. It is not very intuitive from a user point of view, however.
Why not have to order of the racl and dacl commands determine if a dacl stage command needs to be executed? In this case, the user can decide to put all racl lines before the dacl lines, causing the dacl stage to be skipped whenever is racl match if found. Or put racl whitelist lines first, than the dacl lines and then the racl greylist lines. This set up will make sure that messages that get whitelisted in the racl stage, do not get forwarded to the dacl stage, but racl greylisted messages do. You get the idea.

To me, option 3 seems like the most elegant one, extending the current philosophy of milter-greylist seamlessly to the dacl stage processing. Option 2 is not too bad either (and easier to implement). You may have a different opinion, though. Please let me know what you think. I a prepared to implement a solution, once we have achieved some consensus.

I understand where you are coming from, and in most cases I'd agree: backward compatibility is critical from a user point of view.

In this situation, however, I think the current dacl implementation is so immature that I'd be surprised that a lot of people are actually using it in production.

Let's see what the mailing list members have to say. How are they using the dacl commands right now, and will they be affected by any of the proposals?

Rudy.

--- In milter-greylist@yahoogroups.com, manu@... wrote:

>
> Rudy Eschauzier <reschauzier@...> wrote:
> 
> > 1. Introduce a new keyword, e.g 'skipdacl'
> >
> > 2. Only have messages that get greylisted by a racl command pass through
> > the dacl stage. All globally whitelisted messages (through auth or global
> > spf for example) whill skip dacl, as will auto-white listed messages.
> >
> > 3. Base the precedence of dacl over racl commands on the line number.
> 
> I have concerns with options 2 and 3 because they modify the way
> existing setups work. skipdacl looks better to me (I disklike the name,
> though, but this is not a big concern)"
> 
> 
> -- 
> Emmanuel Dreyfus
> http://hcpnet.free.fr/pubz
> manu@...
>

------- Original message -------
> From: Rudy Eschauzier <reschauzier@...>
> Sent: 25.10.'09,  8:54
>
> Currently, the way milter-greylist processes data stage
> commands (dacl lines in greylist.conf) is less than optimal.
>
> (...)

I like 1., dislike 2. and find 3. to be a bit counterintuitive given
how SMTP works.

                 Petar Bogdanovic

Petar Bogdanovic wrote:
 > ------- Original message -------
 > > From: Rudy Eschauzier <reschauzier@...>
 > > Sent: 25.10.'09,  8:54
 > > 
 > > Currently, the way milter-greylist processes data stage
 > > commands (dacl lines in greylist.conf) is less than optimal.
 > > 
 > > (...)
 > 
 > I like 1., dislike 2. and find 3. to be a bit counterintuitive given
 > how SMTP works.

I also prefer 1.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Handelsregister: Registergericht Muenchen, HRA 74606,  Gesch\ufffdftsfuehrung:
secnetix Verwaltungsgesellsch. mbH, Handelsregister: Registergericht M\ufffdn-
chen, HRB 125758,  Gesch\ufffdftsf\ufffdhrer: Maik Bachmann, Olaf Erb, Ralf Gebhart

FreeBSD-Dienstleistungen, -Produkte und mehr:  http://www.secnetix.de/bsd

Python is executable pseudocode.  Perl is executable line noise.

On Oct 25, 2009, at 8:23 AM, manu@... wrote:
> Rudy Eschauzier <reschauzier@...> wrote:
>
> > 1. Introduce a new keyword, e.g 'skipdacl'
> >
> > 2. Only have messages that get greylisted by a racl command pass  
> through
> > the dacl stage. All globally whitelisted messages (through auth or  
> global
> > spf for example) whill skip dacl, as will auto-white listed  
> messages.
> >
> > 3. Base the precedence of dacl over racl commands on the line  
> number.
>
> I have concerns with options 2 and 3 because they modify the way
> existing setups work. skipdacl looks better to me (I disklike the  
> name,
> though, but this is not a big concern)"
>
I'm for option 3, or an way that gets that functionality to mix racls  
& dacls, since I think it adds more flexibility, at least for the dkim  
& body case as I see it.

Today, or at least then I tested this, racls will greylist all mails  
(then using racl greylist default) unless they are whitelisted by the  
configuration. When having the philosophy "whitelist all known or  
trusted sources, give penalty to known spam sources, and greylist the  
rest", the dacl with the rules for checking for example dkim, will  
become more or less useless. So, in order to do whitelisting of dkim,  
I have to skip the racl stage (racl whitelist default). And then I  
loose the major benefit of using greylisting, which of course I don't  
want to.

Mixing racl and dacl will be more CPU intensive than doing them in the  
current order, but I think it adds more flexibility if it's possible  
to be able to do whitelisting (or greylisting and perhaps even  
blacklisting) on both RCPT and DATA before falling back on the default.

As an example, I would like to be able to do something similar to this.
(where the acls are parsed in linear order)

racl whitelist list "my network"
racl whitelist list "awl admin recipients"
racl whitelist list "broken mta"
dacl whitelist dkim pass
dacl whitelist body /^-----BEGIN PGP.*MESSAGE-----$/
racl greylist sm_macro "maybe_forged" delay 1h autowhite 3d
racl greylist dnsrbl "SPAMHAUS" delay 24h autowhite 3d
dacl greylist dkim fail delay 1h autowhite 3d
*acl greylist default delay 30m autowhite 30d

*I think "racl greylist default" would be misleading in this  
configuration case. Correct me if I'm wrong here, but I also believe  
that the way "racl greylist default delay ... autowhite ..." works,  
wasn't possible to configure with dacl (see it as another suggestion  
for enhancement :-)).

Regards,
/P

Fredrik Pettai <pettai@...> wrote:

> an way that gets that functionality to mix racls   & dacls

An idea about this:

We have something called properties, that can be fetched from a LDAP
directory or a web service. I use it for have LDAP-stored, per-recipient
filtering settings. It does somthing like this:

ldapcheck "senderpref" "ldapi:///o=home?userBlackList?one?mail=%f" clear
racl whitelist ldapcheck "senderpref"
racl blacklist $userBlackList "%f" msg "you're in recipient's blacklist"

the ldapcheck statement is just the LDAP source configuration.
The first racl cause $userBlackList to be populated as the list of
recipients blakclisted by the user, as stored in the LDAP directory.
There is a syntax horror here, as this "whitelist" will not stop ACL
evaluation. It should really be changed as racl continue ldapcheck
"senderpref", but  this is another story.

Now, we could extend this so that any ACL would be able to set a
property. Something like this:

racl continue from friend@... set($skipdacl,"TRUE")
dacl whitelist $skipdact "TRUE"

And here we get a really powerful solution, where racl can store a lot
of information to be used to make a décision at DATA stage.

If we go that way, we need to introduce the continue action, and I'm in
favor or renaming whitelist/blacklist in accept/tempfail/reject. 

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...

Thanks for your feedback. You are describing exactly what I was running into with the dacl commands in the current greylist, and why I think it needs a major overhaul.

Basing precedence on the config order is intuitive to most users (except maybe for SMTP and milter die-hards) and it elegantly extends the milter-greylist philosophy. No additional keywords needed.

I'd be very interested to hear more feedback from users that are using dacl statements in their current setup, or have tried using them in the past but have given up.

Thanks,
Rudy.


--- In milter-greylist@yahoogroups.com, Fredrik Pettai <pettai@...> wrote:

> rest", the dacl with the rules for checking for example dkim, will
> become more or less useless. So, in order to do whitelisting of

> Mixing racl and dacl will be more CPU intensive than doing them in the  
> current order, but I think it adds more flexibility if it's possible  
> to be able to do whitelisting (or greylisting and perhaps even  
> blacklisting) on both RCPT and DATA before falling back on the default.
> 
> As an example, I would like to be able to do something similar to this.
> (where the acls are parsed in linear order)
> 
> racl whitelist list "my network"
> racl whitelist list "awl admin recipients"
> racl whitelist list "broken mta"
> dacl whitelist dkim pass
> dacl whitelist body /^-----BEGIN PGP.*MESSAGE-----$/
> racl greylist sm_macro "maybe_forged" delay 1h autowhite 3d
> racl greylist dnsrbl "SPAMHAUS" delay 24h autowhite 3d
> dacl greylist dkim fail delay 1h autowhite 3d
> *acl greylist default delay 30m autowhite 30d
> 
> *I think "racl greylist default" would be misleading in this  
> configuration case. Correct me if I'm wrong here, but I also believe  
> that the way "racl greylist default delay ... autowhite ..." works,  
> wasn't possible to configure with dacl (see it as another suggestion  
> for enhancement :-)).
> 
> Regards,
> /P
>

I prefer 1, although I have only used dacl in testing, not in  
production.


-- 
Charles Dostale
System Admin - Silver Oaks Communications
http://www.silveroaks.com/
824 17th Street, Moline  IL  61265

For my interest, what have you been using the dacls for? Interfacing w/ spamd, DKIM check or something else?

Thanks,
Rudy.

--- In milter-greylist@yahoogroups.com, chasd <chasd@...> wrote:

>
> I prefer 1, although I have only used dacl in testing, not in  
> production.
> 
> 
> -- 
> Charles Dostale
> System Admin - Silver Oaks Communications
> http://www.silveroaks.com/
> 824 17th Street, Moline  IL  61265
>

On Tue, Nov 03, 2009 at 12:56:15PM -0000, reschauzier wrote:
> For my interest, what have you been using the dacls for? Interfacing w/ spamd, DKIM check or something else?

I use it as a cheap content filter, using the base64 encoded win32 
executable header. 

-- 
Emmanuel Dreyfus
manu@...

> For my interest, what have you been using the dacls for?  
> Interfacing w/ spamd, DKIM check or something else?

To see if applying virus or spam filtering would be worthwhile at  
that mail processing point.
I hadn't realized that one of the reasons the delivery times  
increased so much was because _every_ message was being processed. It  
makes sense now. The performance issue was why I didn't move forward  
toward implementation, I just did testing. With finer-grained control  
of dacl processing, I'd revisit my tests.


-- 
Charles Dostale
System Admin - Silver Oaks Communications
http://www.silveroaks.com/
824 17th Street, Moline  IL  61265

Thanks for the info. It confirms what I found: the current milter-greylist will work for spam and virus filtering (albeit with a significant performance hit, as you mention).

The milter does not work, on the other hand, for message authentication systems such as DomainKeys and DKIM.

The reason is that the dacl can override a racl whitelist, but not a racl greylist or blacklist.

A simple conf file like

racl greylist default
dacl whitelist dkim pass

will not function as expected (allow all dkim authenticated messages, greylist all others), as will an even simpler file like

dacl whitelist dkim pass

The racl will greylist by default, and a dacl whitelist will not override a racl greylist (if it sounds confusing, that's because it is; it took me couple of hours sorting through the source to figure this out)

Is there anyone that can prove me wrong and has a working DKIM/DK setup with milter-greylist?

Thanks,
Rudy.


--- In milter-greylist@yahoogroups.com, chasd <chasd@...> wrote:

>
> > For my interest, what have you been using the dacls for?  
> > Interfacing w/ spamd, DKIM check or something else?
> 
> To see if applying virus or spam filtering would be worthwhile at  
> that mail processing point.
> I hadn't realized that one of the reasons the delivery times  
> increased so much was because _every_ message was being processed. It  
> makes sense now. The performance issue was why I didn't move forward  
> toward implementation, I just did testing. With finer-grained control  
> of dacl processing, I'd revisit my tests.
> 
> 
> -- 
> Charles Dostale
> System Admin - Silver Oaks Communications
> http://www.silveroaks.com/
> 824 17th Street, Moline  IL  61265
>

reschauzier <reschauzier@...> wrote:

> The milter does not work, on the other hand, for message authentication
> systems such as DomainKeys and DKIM. reason is that the dacl can
> override a racl whitelist, but not a racl greylist or blacklist.

Of course: if a RCPT stage ACL reject the message for all recipients,
there is no DATA stage ACL.

If you want to use DKIM, you will have to whitelist the sender's domain
at RCPT stage ACL:

racl whitelist from /@foo\.com$/
dacl whitelist from /@foo\.com$/ dkim pass
dacl blacklist from /@foo\.com$/ msg "foo.com must use DKIM"

Of course it you do that with multiple domains, a list will be usefull.
Or even better, a DNSRBL of domains using DKIM.

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...

In the course of testing a modification to improve the handling of dacl statements, I noticed the strangest thing. It looks like there is a bug in dkimcheck.c that will prevent dkim from working.

Note this piece of code from the function dkimcheck_error():

  106 		break;
  107 	}
  108 
  109 	if (priv->priv_dkim != DKIM_STAT_OK) {
  110 		(void)dkim_free(priv->priv_dkim);
  111 		priv->priv_dkim = NULL;
  112 	}
  113 
  114 	return retval;
  115 }

Line 109 checks the pointer priv->priv_dkim against an integer value. Since DKIM_STAT_OK equals 0, every time the pointer is not NULL, it will be reset. This is exactly what happens as a message goes through the SMTP stages in milter-greylist. As a result, no message is ever checked for dkim.

The correct code should be:

  109 	if (priv->priv_dkimstat != DKIM_STAT_OK) {

With this change the dkim checking seems to work properly.

Does this really mean no-one was ever able to run a successful DKIM check? Or am I overlooking something?

I uploaded a patch to improve the dacl handling and fix the dkim bug. The patch ('mg-4.3.5_to_mg-4.3.5-dacl.patch') can be found here:

http://tech.groups.yahoo.com/group/milter-greylist/files/

(Sorry, Yahoo does not allow direct links). The file patches against the latest CVS check-out.

The modification will base the precedence of racl and dacl lines on the order in which they appear in the conf file.

As an example, a conf file like

dacl whitelist dkim pass
racl greylist default

will whitelist a sender if it passes dkim, and default to greylisting if not.

The modifications to the code turned out to be quite simple; all of the necessary hooks were already in there. The logic as the message passes through the milter stages is as follows:

1. The connecting host and sender are processed in the rcpt stage of the SMTP connection and checked for matches against racl statements

2. If a racl matches, the milter checks to see if there are any dacl statements before the matching racl statement. If so, the result of the racl match is stored and the message proceeds to the data and body stage of the SMPT connection.

If there are no dacl statements before the matching racl line, no data stage processing is needed and the racl result is processed immediately in the rcpt stage (saving CPU).

3. If there are dacl lines before the matching racl line, the milter will continue to the data and body stages of the SMPT connection. It will process the dacl commands up to the matching racl line. In case of a match, the dacl result will be processed; no match means the racl results will be restored.

Although the processing logic may sound complicated, the result is very intuitive and greatly increases performance by not passing messages through the dacl stage when not needed.

Take this example:

racl whitelist spf pass
dacl whitelist dkim pass
racl greylist default

If a sender matches the spf clause, the message is accepted immediately and does not pass through the data stage.

The line based dacl precedence will also work for black listing based on content scanning:

racl whitelist spf
dacl whitelist dkim pass
dacl blacklist spamd
racl greylist default

In this case, all messages that match spf or dkim will be whitelisted, whereas any other messages which are flagged by Spamassasin will be rejected. All other messages will be greylisted.

Please go ahead and try the patch. I am very interested to hear your feedback. By turning on 'verbose' in the conf file, the program will clearly log its racl/dacl decisions. The logic should become quite obvious after a couple of messages.

On 11/5/09 5:33 AM, manu@... wrote:
>
> If you want to use DKIM, you will have to whitelist the sender's domain
> at RCPT stage ACL:
>
> racl whitelist from /@foo\.com$/
> dacl whitelist from /@foo\.com$/ dkim pass
> dacl blacklist from /@foo\.com$/ msg "foo.com must use DKIM"

Yes, I thought of doing that for Gmail/googlemail. In my opinion, that's 
a more elegant way of accepting mail for Gmail's multiple "floating" 
relays. Greylisted mails tends to be resent by another (or several 
other) IPs. (Of course, if you already use lazyaw its usually not a 
problem).

But maintaining a list for others that use DKIM is too much manual 
labour for being worth it, at least for my taste.

Re,
/P