AW: [suse-security] Per user config for SpamAssassin with amavisd-new and cyrus-imapd
Hello David,

I don't want to give wrong info to you :-( I use SpamAssassin 2.55 and my rbl_check's are stored in "20_head_tests.cf"

    gate:/usr/share/spamassassin # grep check_rbl *
    20_head_tests.cf:#header RCVD_IN_OSIRUSOFT_COM rbleval:check_rbl('osirusoft', 'relays.osirusoft.com.')
    20_head_tests.cf:#header X_OSIRU_OPEN_RELAY rbleval:check_rbl_results_for('osirusoft', '127.0.0.2')
    20_head_tests.cf:#header X_OSIRU_DUL rbleval:check_rbl_results_for('osirusoft', '127.0.0.3')
    20_head_tests.cf:#header X_OSIRU_SPAM_SRC rbleval:check_rbl_results_for('osirusoft', '127.0.0.4')
    20_head_tests.cf:#header X_OSIRU_SPAMWARE_SITE rbleval:check_rbl_results_for('osirusoft', '127.0.0.6')
    20_head_tests.cf:#header X_OSIRU_DUL_FH rbleval:check_rbl('osirusoft-dul-firsthop', 'relays.osirusoft.com.')
    20_head_tests.cf:# the new first arg for check_rbl() indicates what type of check it is;
    20_head_tests.cf:header RCVD_IN_RELAYS_ORDB_ORG rbleval:check_rbl('relay', 'relays.ordb.org.')
    20_head_tests.cf:header RCVD_IN_SBL rbleval:check_rbl('relay', 'sbl.spamhaus.org.')
    20_head_tests.cf:#header RCVD_IN_ORBS rbleval:check_rbl('relay', 'orbs.dorkslayers.com.')
    20_head_tests.cf:header RCVD_IN_OPM rbleval:check_rbl('relay', 'opm.blitzed.org.')
    20_head_tests.cf:#header RCVD_IN_DSBL rbleval:check_rbl('relay', 'list.dsbl.org.')
    20_head_tests.cf:#header RCVD_IN_MULTIHOP_DSBL rbleval:check_rbl('multihop', 'multihop.dsbl.org.')
    20_head_tests.cf:#header RCVD_IN_UNCONFIRMED_DSBL rbleval:check_rbl('relay', 'unconfirmed.dsbl.org.')
    20_head_tests.cf:#header RCVD_IN_RFCI rbleval:check_rbl('rfci', 'ipwhois.rfc-ignorant.org.')
    20_head_tests.cf:header HABEAS_HIL rbleval:check_rbl('hil', 'hil.habeas.com.')
    20_head_tests.cf:header RCVD_IN_BONDEDSENDER rbleval:check_rbl('relay', 'query.bondedsender.org.')
    20_head_tests.cf:#header RCVD_IN_BL_SPAMCOP_NET rbleval:check_rbl('spamcop', 'bl.spamcop.net.')
    20_head_tests.cf:#header RCVD_IN_RBL rbleval:check_rbl('rbl', 'blackholes.mail-abuse.org.')
    20_head_tests.cf:#header RCVD_IN_RSS rbleval:check_rbl('relay', 'relays.mail-abuse.org.')
    20_head_tests.cf:#header RCVD_IN_DUL rbleval:check_rbl('dialup', 'dialups.mail-abuse.org.')
    20_head_tests.cf:#header RCVD_IN_DUL_FH rbleval:check_rbl('dialup-firsthop', 'dialups.mail-abuse.org.')
    20_head_tests.cf:header RCVD_IN_NJABL rbleval:check_rbl('njabl', 'dnsbl.njabl.org.')
    20_head_tests.cf:header X_NJABL_OPEN_PROXY rbleval:check_rbl_results_for('njabl', '127.0.0.2')
    20_head_tests.cf:header X_NJABL_DIALUP rbleval:check_rbl_results_for('njabl', '127.0.0.3')

CU Robert

-----Original Message-----
From: David Huecking [mailto:d.huecking@gmx.net]
Sent: Sunday, 28 March 2004 01:04
To: suse-security@suse.com
Subject: Re: [suse-security] Per user config for SpamAssassin with amavisd-new and cyrus-imapd

Hi Robert,

first thanks for your hint, but I think that SpamAssassin when run from amavisd-new doesn't get its configuration out of the local.cf file, but from the $sa_* entries in the amavisd.conf. There I found an entry:

    $sa_local_tests_only = 1;

Now I set this to 0, so non-local tests will be performed(?) and I will see what will happen with realtime blacklisting which I think are non-local tests.

BTW I found the check_rbl string in 20_dnsbl_tests.cf and not in 20_head_tests.cf. 8-)

Anyway I'm looking for a possibility of Bayes filtering if possible with white- and black-listing per user with my setup. Maybe I will try to integrate dspam (Homepage: http://www.nuclearelephant.com/projects/dspam/ ; German article: http://www.pro-linux.de/news/2004/6620.html) into postfix. But as I'm no postfix configuration hero I will need some time (for reading the Postfix book I ordered...). ;->

On Saturday, 27 March 2004 16:17, Rasp, Robert wrote:
I use spamassassin with qmail and I don't use a per-user-config. The first few weeks it worked very good but then the spamlevel began to increase. Now I enabled RBL-Check. By default RBL is disabled in local.cf. This works very good but you have to look for servers that are offline or very slow. I simply tested all the servers in "/usr/share/spamassassin/20_head_tests.cf" (grep "check_rbl" 20_head_tests.cf). You can use nslookup for that. I disabled every slow server with '#'.....
-- Eat, sleep and go running, David Huecking. Encrypted eMail welcome! GnuPG/ PGP-Key: 0x57809216. Fingerprint: 3DF2 CBE0 DFAA 4164 02C2 4E2A E005 8DF7 5780 9216 -- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
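The check Robert describes (test every zone named in a check_rbl line and comment out the slow or dead ones), as an added example that is not part of the original thread. The sample rules are constructed from the grep output above; the 2-second "slow" threshold and the function names are assumptions.

```python
import re
import socket
import time

# Constructed sample in the style of the 20_head_tests.cf lines quoted above.
SAMPLE_CF = """\
#header RCVD_IN_OSIRUSOFT_COM rbleval:check_rbl('osirusoft', 'relays.osirusoft.com.')
header RCVD_IN_RELAYS_ORDB_ORG rbleval:check_rbl('relay', 'relays.ordb.org.')
header RCVD_IN_SBL rbleval:check_rbl('relay', 'sbl.spamhaus.org.')
# the new first arg for check_rbl() indicates what type of check it is;
header X_NJABL_DIALUP rbleval:check_rbl_results_for('njabl', '127.0.0.3')
"""

# Matches only check_rbl('set', 'zone') rules, enabled or commented out.
RULE = re.compile(
    r"^\s*(?P<off>#\s*)?header\s+(?P<name>\S+)\s+"
    r"rbleval:check_rbl\('(?P<set>[^']+)',\s*'(?P<zone>[^']+)'\)")


def parse_rbl_rules(text):
    """Return (rule_name, zone, enabled) for every check_rbl() header rule."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line)
        if m:  # check_rbl_results_for() lines and plain comments do not match
            rules.append((m["name"], m["zone"].rstrip("."), m["off"] is None))
    return rules


def probe_name(zone, test_ip="127.0.0.2"):
    """Query name for a DNSBL: reversed octets + zone. RFC 5782 requires
    IPv4 lists to publish 127.0.0.2 as a test entry."""
    return ".".join(reversed(test_ip.split("."))) + "." + zone + "."


def probe(zone, resolve=socket.gethostbyname, slow_after=2.0):
    """Classify a zone as 'ok', 'slow' or 'dead' from one timed lookup."""
    start = time.monotonic()
    try:
        resolve(probe_name(zone))
    except OSError:  # NXDOMAIN, SERVFAIL or resolver timeout
        return "dead"
    return "slow" if time.monotonic() - start > slow_after else "ok"


def disable_rules(text, bad_zones):
    """Prefix '#' to enabled check_rbl rules whose zone is in bad_zones."""
    out = []
    for line in text.splitlines():
        m = RULE.match(line)
        if m and m["off"] is None and m["zone"].rstrip(".") in bad_zones:
            line = "#" + line
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    bad = set()
    for name, zone, enabled in parse_rbl_rules(SAMPLE_CF):
        if enabled:
            state = probe(zone)
            print(f"{name:28} {zone:22} {state}")
            if state != "ok":
                bad.add(zone)
    print(disable_rules(SAMPLE_CF, bad), end="")
```

Run directly it performs real DNS lookups through the system resolver; pass a different `resolve` callable to `probe()` to test without network access.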
Hello Robert,

no doubt and no problem! I use SpamAssassin 2.63 and there it is the file 20_dnsbl_tests.cf. Your hint to run these blacklisting-tests is good so far. Now even some mails in this style:

    Content-Type: text/plain;
    <!-- clamorous ammonia epicycle detent savvy bucharest keypunch lamb boyce methuselah author ephesian annapolis fuel stray edna render passivate painstaking constraint balustrade tell annals deluge aps venison amongst emmett petroleum virginia smokestack copenhagen tor acid !-->

and then continuing with a "Content-Type: text/html" section are tagged as spam! :-) Before all of these mails "came through". So thanks again!

On Sunday, 28 March 2004 14:59, Rasp, Robert wrote:
Hello David,
I don't want to give wrong info to you :-( I use SpamAssassin 2.55 and my rbl_check's are stored in "20_head_tests.cf"
gate:/usr/share/spamassassin # grep check_rbl * 20_head_tests.cf:#header RCVD_IN_OSIRUSOFT_COM rbleval:check_rbl('osirusoft', 'relays.osirusoft.com.') [...]
-- Eat, sleep and go running, David Huecking. Encrypted eMail welcome! GnuPG/ PGP-Key: 0x57809216. Fingerprint: 3DF2 CBE0 DFAA 4164 02C2 4E2A E005 8DF7 5780 9216
--- "Rasp, Robert" <Rob@killrob.de> wrote:
Hello David,
I don't want to give wrong info to you :-( I use SpamAssassin 2.55 and my rbl_check's are stored in "20_head_tests.cf"
just an OT question -- is there any reason the SpamAssassin on SuSE (8.2) is so far behind what is available from the developer, which is version 2.63? the previous update posted on the SuSE FTP server for 2.55, was it wholistic enough with new heuristic detection(s) for what 2.63 can now do..?.. also, same goes for Squid, Exim e.t.c. could someone point me to a guide or FAQ or some info that mentions SuSE's upgrade/update policy to their *very nice* RPM's for popular (and not so popular) software distributions out there..?..

Regards, Mark.
* Mark Tinka; <aknit444@yahoo.com> on 29 Mar, 2004 wrote:
--- "Rasp, Robert" <Rob@killrob.de> wrote: also, same goes for Squid, Exim e.t.c. could someone point me to a guide or FAQ or some info that mentions SuSE's upgrade/update policy to their *very nice* RPM's for popular (and not so popular) software distributions out there..?..
This should give you an idea http://susefaq.sourceforge.net/faq/software.html -- Togan Muftuoglu | Unofficial SuSE FAQ Maintainer | Please reply to the list; http://susefaq.sf.net | Please don't put me in TO/CC. Nisi defectum, haud refiecendum
The Monday 2004-03-29 at 07:18 -0800, Mark Tinka wrote:
just an OT question -- is there any reason the SpamAssassin on SuSE (8.2) is so far behind what is available from the developer, which is version 2.63?
I installed 2.63 with my suse 8.2, it is not difficult. I understand the policy is not to do version updates of packages, only security patches, in order not to break dependencies. However, it could be argued whether following that policy with SpamAssassin compromises security - my opinion is that it does, therefore, I upgraded it myself. -- Cheers, Carlos Robinson
just an OT question -- is there any reason the SpamAssassin on SuSE (8.2) is so far behind what is available from the developer, which is version 2.63?
I installed 2.63 with my suse 8.2, it is not difficult. I understand the policy is not to do version updates of packages, only security patches, in order not to break dependencies.
However, it could be argued whether following that policy with SpamAssassin compromises security - my opinion is that it does, therefore, I upgraded it myself.
I didn't find any answers for that thread here, so I found my own information about:

a) amavisd-new is able to work together with spamassassin, but does not allow user defined rules.
b) postfix & amavisd on 8.2 work fine together and spamassassin can be included via procmail.

I installed spamassassin from www.spamassassin.org (not the one shipped with SuSE, because it's newer).

Here you get a config: http://www.yrex.com/spam/spamconfig.php
=> activate razor-agents, deactivate rbl-lookups (this is time-consuming)

For Postfix set up own rbl_check and procmail as local delivery

/etc/postfix/main.cf:

    mailbox_command = /usr/bin/procmail -a "$EXTENSION" /etc/procmailrc
    smtpd_sender_restrictions = hash:/etc/postfix/access, reject_unknown_sender_domain
    smtpd_client_restrictions = reject_rbl_client relays.ordb.org

You may add:

    mime_header_checks = regexp:/etc/postfix/mime_header_check
    body_checks = regexp:/etc/postfix/body_checks

And put basic regexp syntax, to filter before spamassassin (to prevent it from overload!).

I installed razor agents http://razor.sourceforge.net/ and the needed perl modules from razor-sdk with:

    perl -MCPAN -e shell;
    install <Module>
    quit

For each user you want to activate razor-agents with reporting:

    su <user>
    razor-admin -create
    razor-admin -register

The installation is described in each package. Read README and INSTALL.

Here is my /etc/procmailrc:

    # I don't use spamd/spamc, instead I use the perl-script!
    :0fw: spamassassin.lock
    * < 256000
    | /usr/bin/spamassassin

    # I added spambox to /etc/skel, is needed for any user, maybe you write a small script (like I did) to copy it in all user's dirs.
    # Spam >15% to spambox 1
    :0:
    * ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
    spambox/almost-certainly-spam

    # Mails with > 1% spam go to spambox 2 for analysing
    :0:
    * ^X-Spam-Status: Yes
    spambox/probably-spam

    # Work around procmail bug: any output on stderr will cause the "F" in "From"
    # to be dropped. This will re-add it.
    :0
    * ^^rom[ ]
    {
      LOG="*** Dropped F off From_ header! Fixing up. "

      :0 fhw
      | sed -e '1s/^/F/'
    }

    # Errorhandling
    # (the assignment sits in a { } block; a bare line here would be read as a mailbox name)
    :0e
    {
      EXITCODE=$?
    }

Have a lot of fun
Philippe
I was trying to install SUSE from FTP server, everything went well until the package configuration, I got: "ERROR: No proposal" and something like: "no package configuration on media, media error?" I have a HTTP proxy and I think it is related, did anyone get the same problem? Any solution?
I was trying to install SUSE from FTP server, everything went well until the package configuration, I got: "ERROR: No proposal" and something like: "no package configuration on media, media error?" I have a HTTP proxy and I think it is related, did anyone get the same problem? Any solution?
The Tuesday 2004-03-30 at 15:42 +0200, Stephane wrote:
I was trying to install SUSE from FTP server, everything went well until the package configuration, I got: "ERROR: No proposal" and something like: "no package configuration on media, media error?"
Er.... 1) You hijacked a thread. 2) Even if you change the subject in the next email, still you hijack (again!) a thread. 3) That's a question not too well suited to a security list, IMO. You will probably get more answers in suse-linux-e, for example. 4) Known problem: search the sdb. -- Cheers, Carlos Robinson
--- "Carlos E. R." <robin1.listas@tiscali.es> wrote:
The Monday 2004-03-29 at 07:18 -0800, Mark Tinka wrote:
just an OT question -- is there any reason the SpamAssassin on SuSE (8.2) is so far behind what is available from the developer, which is version 2.63?
I installed 2.63 with my suse 8.2, it is not difficult. I understand the policy is not to do version updates of packages, only security patches, in order not to break dependencies.
this is understandable...
However, it could be argued whether following that policy with SpamAssassin compromises security - my opinion is that it does, therefore, I upgraded it myself.
i would have thought just as much, perhaps... there r some packages whose efficacy depends on how 'late' they r.. anti-virus servers, anti-spam servers, whois web interfaces with the latest TLD's out there, e.t.c. my thinking is that wouldn't a distro have a policy for such packages..?.. u could as well simply use the .spec file to build a patched rpm of your source package, but maybe SuSE could have another idea.. :)..
-- Cheers, Carlos Robinson
Regards, Mark.
I am running a single Internet-facing application server on SLES 8 for AMD64. We have the SuSE firewall configuration enabled and all appears protected well when we do nmap scans.

We need to add an additional IP address to provide an additional SSL certificate on a different Apache2 virtual host.

Two questions:

1) Does this affect our firewall configuration? I could not find any references in the configuration pages to this.

2) Should I use the ip-alias facility for doing this? I found mention on one post that since kernel 2.4 this facility has been superseded by features in the firewall. Not sure how, nor could I find any hints.

Thank you - Richard
On Mar 30, Richard Mixon (qwest) <rnmixon@qwest.net> wrote:

We need to add an additional IP address to provide an additional SSL certificate on a different Apache2 virtual host.

2) Should I use the ip-alias facility for doing this? I found mention on one post that since kernel 2.4 this facility has been superseded by features in the firewall. Not sure how, nor could I find any hints.

I can only answer your second question. To add more than one IP address to a SuSE box, edit /etc/sysconfig/network/ifcfg-eth0 and modify it to look like this:

    IPADDR_A='1.2.3.244'
    NETMASK_A='255.255.255.224'
    IPADDR_B='1.2.3.245'
    NETMASK_B='255.255.255.224'

Although I believe that the NETMASK could probably even be left alone, and you just have IPADDR_A, IPADDR_B, etc. instead of the original IP_ADDR.

Markus

PS: Richard, your linebreaks are missing. Probably because outlook is just broken sh*t ...

--
__________________           /"\
Markus Gaugusch              \ /    ASCII Ribbon Campaign
markus(at)gaugusch.at         X     Against HTML Mail
                             / \
Markus,

Thank you for the reply, however it does not appear to work for me. I issued an SuSEconfig and then did " rcnetwork restart -o type=eth". The contents of my ifcfg-eth1 (eth0 is not used) and output of ifconfig are below.

BTW: I did not realize that my email client should wrap outgoing text. I had been taught to let the receiving client format it according to user preferences. If this really causes my posts to be hard to read, then obviously I should change it. Yes, I am using Outlook, but soon will be on a new Mac with OS X, which is at least a little better than Windoze:)

Thank you - Richard

    bighost:/etc/sysconfig/network # cat ifcfg-eth1
    BOOTPROTO='static'
    BROADCAST='140.96.50.63'
    IPADDR_A='140.96.50.58'
    NETMASK_A='255.255.255.248'
    IPADDR_B='140.96.50.59'
    NETMASK_B='255.255.255.248'
    NETWORK='140.96.50.56'
    REMOTE_IPADDR=''
    STARTMODE='onboot'
    UNIQUE='kN0E.naPqmzBs9CA'
    WIRELESS='no'
    bighost:/etc/sysconfig/network # ifconfig
    eth1      Link encap:Ethernet  HWaddr 00:E0:81:52:78:01
              inet addr:140.96.50.58  Bcast:140.96.50.63  Mask:255.255.255.248
              inet6 addr: fe80::2e0:81ff:fe52:7801/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:1683 errors:0 dropped:0 overruns:0 frame:0
              TX packets:754 errors:0 dropped:0 overruns:0 carrier:0
              collisions:1 txqueuelen:100
              RX bytes:153050 (149.4 Kb)  TX bytes:768902 (750.8 Kb)
              Interrupt:25 Memory:fc9f0000-fca00000

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:1572955 errors:0 dropped:0 overruns:0 frame:0
              TX packets:1572955 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:1697136795 (1618.5 Mb)  TX bytes:1697136795 (1618.5 Mb)

    bighost:/etc/sysconfig/network #

-----Original Message-----
From: Markus Gaugusch [mailto:markus@gaugusch.at]
Sent: Tuesday, March 30, 2004 10:13 AM
To: SuSE-Security
Subject: Re: [suse-security] Adding and additional IP address, does it affect SuSE firewall?

On Mar 30, Richard Mixon (qwest) <rnmixon@qwest.net> wrote:

We need to add an additional IP address to provide an additional SSL certificate on a different Apache2 virtual host.

2) Should I use the ip-alias facility for doing this? I found mention on one post that since kernel 2.4 this facility has been superseded by features in the firewall. Not sure how, nor could I find any hints.

I can only answer your second question. To add more than one IP address to a SuSE box, edit /etc/sysconfig/network/ifcfg-eth0 and modify it to look like this:

    IPADDR_A='1.2.3.244'
    NETMASK_A='255.255.255.224'
    IPADDR_B='1.2.3.245'
    NETMASK_B='255.255.255.224'

Although I believe that the NETMASK could probably even be left alone, and you just have IPADDR_A, IPADDR_B, etc. instead of the original IP_ADDR.

Markus

PS: Richard, your linebreaks are missing. Probably because outlook is just broken sh*t ...

--
__________________           /"\
Markus Gaugusch              \ /    ASCII Ribbon Campaign
markus(at)gaugusch.at         X     Against HTML Mail
                             / \
On Tue, Mar 30, 2004 at 12:16:20PM -0700, Richard Mixon (qwest) wrote:
Thank you for the reply, however it does not appear to work for me. I issued an SuSEconfig and then did " rcnetwork restart -o type=eth". The contents of my ifcfg-eth1 (eth0 is not used) and output of ifconfig are below.

I apologize for jumping into the thread. It did work for you, you just mixed different tools, that's why you were not able to see the results. ifcfg-eth1 file is processed by ip command, so if you run

    /sbin/ip addr show

after restarting the network, you should see your aliases. If you want to see aliases in ifconfig, then you have to add LABEL entries to your ifcfg-eth1 file. Syntax should be similar to all others,

    LABEL_A=":0"
    LABEL_B=":1"

HTH,
-Kastus
Kastus/all, thank you - yes indeed the addresses were there. Also the LABEL_A/B syntax has made them visible in the ifconfig command.

Thanks much - Richard

-----Original Message-----
From: Kastus [mailto:NOSPAM@tprfct.net]
Sent: Tuesday, March 30, 2004 12:56 PM
To: SuSE-Security
Subject: Re: [suse-security] Adding and additional IP address, does it affect SuSE firewall?

On Tue, Mar 30, 2004 at 12:16:20PM -0700, Richard Mixon (qwest) wrote:

Thank you for the reply, however it does not appear to work for me. I issued an SuSEconfig and then did " rcnetwork restart -o type=eth". The contents of my ifcfg-eth1 (eth0 is not used) and output of ifconfig are below.

I apologize for jumping into the thread. It did work for you, you just mixed different tools, that's why you were not able to see the results. ifcfg-eth1 file is processed by ip command, so if you run

    /sbin/ip addr show

after restarting the network, you should see your aliases. If you want to see aliases in ifconfig, then you have to add LABEL entries to your ifcfg-eth1 file. Syntax should be similar to all others,

    LABEL_A=":0"
    LABEL_B=":1"

HTH,
-Kastus
The Tuesday 2004-03-30 at 06:31 -0800, Mark Tinka wrote:
my thinking is that wouldn't a distro have a policy for such packages..?.. u could as well simply use the .spec file to build a patched rpm of your source package, but maybe SuSE could have another idea.. :)..
Some packages do get non official updates in the people or project ftp subdirs. I don't know if that is the case. -- Cheers, Carlos Robinson