Article: 543
From: Anthony Howe
Date: 2005-05-03 11:00:59 -0400
Subject: Re: Problem compiling libsnert & milter-sender on SuSE

Mike wrote:
> BTW: the reason I wanted to compile it on SuSE 9.3 (while having a
> working binary compiled under SuSE 9.2), is that I made some
> additions to the HELO checks. I do not accept HELOs which are
> identical to a domain for which mail is received. At the moment this
> is a statement for each domain in milter-sender.c. This could better
> be put into a .db file, but I have no experience doing that, so
> changing the code directly and compile it is easier! ;-)

I trust you are also using the HeloClaimsUs test which does a basic form 
of this. This test could also be more effectively done using sendmail 
rule sets. Ideally, for milter-sender to do this properly, it needs to know 
the contents of class w from sendmail, but classes are not communicated to 
milters. So the milter could read from /etc/mail/local-host-names, but 
there might be other members of class w declared in sendmail.mc.

So a sendmail rule set would be best I think. If you had looked in the 
milter-sender/contrib/cookbook.mc file you would have found this rule set:

# Sendmail rules for a "claims to be us" test.
# 	http://www.cs.niu.edu/~rickert/cf/bad-ehlo.html
# Client software is often broken.  We don't want to reject
# our own users client connections.  Therefore we attempt
# to allow our users to pass the checks.  Otherwise, block
# sites with a HELO/EHLO hostname that is unqualified, or
# is one of our own names
# Note that I had to add "" to class $=R, so that
# local client software would bypass these tests.  I also
# added "[]" to class $=w, so that the localhost
# IP would count as one of our IPs.

R$*			$:$1 $| <$&{auth_authen}>	Get auth info
# Bypass the test for users who have authenticated.
R$* $| <$+>		$:$1				skip if auth
R$* $| <$*>		$:$1 $| <$&{client_addr}>[$&s]	Get connection info
# Bypass for local clients -- IP address starts with $=R
R$* $| <$=R $*>[$*]	$:$1				skip if local client
# Bypass a "sendmail -bs" session, which uses 0 for client ip address
R$* $| <0>[$*]	$:$1				skip if sendmail -bs
# Reject our IP - assumes "[ip]" is in class $=w
R$* $| <$*> $=w	$#error $@5.7.1 $:"550 bogus HELO name used: " $&s
# Reject our hostname
R$* $| <$*> [$=w]	$#error $@5.7.1 $:"550 bogus HELO name used: " $&s
# Pass anything else with a "." in the domain parameter
R$* $| <$*> [$+.$+]	$:$1				qualified domain ok
# Reject if there was no "." or only an initial or final "."
R$* $| <$*> [$*]	$#error $@5.7.1 $:"550 bogus HELO name used: " $&s
# fall through to any other local rules.

I recommend you copy this from the cookbook.mc file in order to get all 
the correct tabs.

Anthony C Howe                                 +33 6 11 89 73 78
http://www.snert.com/       ICQ: 7116561         AIM: Sir Wumpus

in the mist of night / by the silent sea / a siren calls - Anthony
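
Added example (not part of the original message and not code from milter-sender or cookbook.mc): a small Python model of the decision order the rule set above describes, useful for checking which HELO arguments a given class w / class R would accept or reject. The class contents, addresses, and the names CLASS_W, CLASS_R, Session and check_helo are constructed for illustration; it follows the rule comments and does not reproduce sendmail's tokenization.

```python
from dataclasses import dataclass

# Constructed site data standing in for sendmail's classes:
# class w = our host names plus our bracketed IPs, class R = relay prefixes.
CLASS_W = {"example.org", "mail.example.org", "[192.0.2.25]", "[127.0.0.1]"}
CLASS_R = ("127", "10.1")


@dataclass
class Session:
    helo: str              # argument the client gave to HELO/EHLO
    client_addr: str       # connecting IP; "0" for a "sendmail -bs" session
    auth_authen: str = ""  # SMTP AUTH identity, empty if not authenticated


def has_inner_dot(name):
    # Models the "[$+.$+]" pattern: a "." with something on both sides.
    return any(c == "." and 0 < i < len(name) - 1 for i, c in enumerate(name))


def is_local_client(addr):
    # Models "IP address starts with $=R", matching on whole octets only.
    return any(addr == p or addr.startswith(p + ".") for p in CLASS_R)


def check_helo(s):
    """Return (accepted, reason), testing in the same order as the rules."""
    helo = s.helo.lower()  # host names compare case-insensitively
    if s.auth_authen:
        return True, "skip if auth"
    if is_local_client(s.client_addr):
        return True, "skip if local client"
    if s.client_addr == "0":
        return True, "skip if sendmail -bs"
    if helo in CLASS_W:    # our own name, or our own "[ip]"
        return False, "550 bogus HELO name used: " + s.helo
    if has_inner_dot(helo):
        return True, "qualified domain ok"
    return False, "550 bogus HELO name used: " + s.helo


if __name__ == "__main__":
    samples = [  # constructed sessions
        Session("example.org", "203.0.113.7"),
        Session("example.org", "203.0.113.7", auth_authen="mike"),
        Session("laptop", "10.1.4.2"),
        Session("laptop", "203.0.113.7"),
        Session("mx.example.net", "203.0.113.7"),
    ]
    for s in samples:
        print(s.helo, s.client_addr, check_helo(s))
```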

