On Friday 02 March 2007, David Brodbeck wrote:

Patrick Shanahan wrote:

...

You must just be lucky :^) I'm not getting them, not one.

I just got a big wad of them. Since they're being bounced to us and not to the list server, he probably won't be automatically unsubscribed, either.

He has his filters set up to evaluate EVERY IP in the chain, and bounces the message even though it has already been accepted by the list server months ago. -- _____________________________________ John Andersen

David Brodbeck wrote:

Patrick Shanahan wrote:

...

You must just be lucky :^) I'm not getting them, not one.

I just got a big wad of them. Since they're being bounced to us and not to the list server, he probably won't be automatically unsubscribed, either.

Funny thing. Just today, someone mentioned the list has reply set to sender, instead of list, to avoid endless loops, even though I've never seen such a thing on lists that don't set return to sender. On the other hand, this is the only list I subscribe to that does reply to sender and it's also the only list I subscribe to that gives me these bounced message notices. I received 180 tonight, though the are a frequent occurance Perhaps someone should rethink which method causes the problems and change this list to reply to the list. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

* John Andersen [03-02-07 21:22]: [...]

I'm suddenly reminded why Shorewall is a much better firewall than Suse's firewall. I cant find anywhere in yast to enter a blacklist ip.

add to /etc/sysconfig/SuSEfirewall2: FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom" edit /etc/sysconfig/scripts/SuSEfirewall2-custom as below: fw_custom_after_antispoofing() { # could also be named "before_port_splitting()" # these rules will be loaded after the anti-spoofing and icmp # handling # but before any IP protocol or TCP/UDP port allow/protection rules # will be set. # You can use this hook to allow/deny certain IP protocols or # TCP/UDP # ports before the SuSEfirewall2 generated rules are hit. ####pat added per Ulf Rasch ####X-Mailinglist: suse-linux-e ####X-Message-Number-for-archive: 251791 ####10-29-2005 iptables -I INPUT 1 -s 66.77.136.123 -j DROP iptables -I INPUT 1 -s 70.88.86.57 -j DROP The last two 'iptables .... DROP' lines were added to refuse access to 66.77.136.123 and 70.88.86.57 -- Patrick Shanahan Registered Linux User #207535 http://wahoo.no-ip.org @ http://counter.li.org HOG # US1244711 Photo Album: http://wahoo.no-ip.org/gallery2 OpenSUSE Linux http://en.opensuse.org/ -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

John Andersen wrote:

Or perhaps Martin, who has decided to run his own mail server should learn a thing or two about postfix and only reject mail based on the last hop.

Aside from spam it is one of the reasons why I reject all mail to the list address that does not origin from the listserver. His backscatter can be rejected by checking the helo: dothangizmo.gk.lan 215 rejects from that address alone (he is also subscribed to the German opensuse-de list) in about one hour.

Its odd a guy on a dhcp IP runs a mail server that rejects mail from a dhcp IP.

I started with a server on a dynamic ip as well. But I hope I wasn't as trigger-happy as Martin.

I'm suddenly reminded why Shorewall is a much better firewall than Suse's firewall. I cant find anywhere in yast to enter a blacklist ip.

I'm using ipcop as firewall. Just searched for the possibility to blacklist an ip without luck. I guess you can only do that with custom rules on the command line. Can you set up rules for outgoing traffic in Shorewall? -- Sandy List replies only please! Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Carlos E. R. wrote:

I use header-checks, it works:

Mar 3 03:07:44 nimrodel postfix/cleanup[14749]: 7C263B6EC7: reject: header From: MAILER-DAEMON@dothangizmo.gk.lan (Mail Delivery System) from localhost[127.0.0.1]; from=<> to= proto=ESMTP helo=: 5.7.1 20070303 stupid bouncer!

Okay, the header_checks work, but...

And using imap, the fetching is cancelled:

Mar 3 03:07:44 nimrodel fetchmail[18653]: (6395 body octets) (log message incomplete) Mar 3 03:07:44 nimrodel fetchmail[18653]: IMAP< ) Mar 3 03:07:44 nimrodel fetchmail[18653]: IMAP< A0008 OK FETCH complete Mar 3 03:07:44 nimrodel fetchmail[18653]: SMTP>. (EOM) Mar 3 03:07:44 nimrodel fetchmail[18653]: SMTP< 550 5.7.1 20070303 stupid bouncer! Mar 3 03:07:44 nimrodel fetchmail[18653]: SMTP error: 550 5.7.1 20070303 stupid bouncer! Mar 3 03:07:44 nimrodel fetchmail[18653]: SMTP listener refused delivery Mar 3 03:07:44 nimrodel fetchmail[18653]: SMTP> RSET Mar 3 03:07:44 nimrodel fetchmail[18653]: SMTP< 250 2.0.0 Ok Mar 3 03:07:44 nimrodel fetchmail[18653]: flushed

It is slow, though.

what happens after you reject the mail? Where does it go to? If everything works fetchmail should bounce the message back to the sender. In other words: rejecting with fetchmail probably makes you a backscatter source. The mail has already been accepted by you (precisely, the provider accepted the mail for you). So you should only reject mails when you receive them directly via smtp. After the mail has been accepted you can only discard or tag and deliver it. The reason why you did not become a backscatter source in this case is the empty sender address <>, so the mail could not be bounced (again) and was discarded anyway. Still, I suggest you use the action DISCARD instead of REJECT. If the next mail you want to reject with such a header_check is NOT the empty sender address <>, you WILL become a backscatter source with REJECT. -- Sandy List replies only please! Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Anders Norrbring wrote:

Sandy Drobic skrev:

...

Carlos E. R. wrote:

...

I use header-checks, it works:

Mar 3 03:07:44 nimrodel postfix/cleanup[14749]: 7C263B6EC7: reject: header From: MAILER-DAEMON@dothangizmo.gk.lan (Mail Delivery System) from localhost[127.0.0.1]; from=<> to= proto=ESMTP helo=: 5.7.1 20070303 stupid bouncer!

Okay, the header_checks work, but...

Wouldn't it be much easier to simply go to Martin's house and cut off his incoming mains supply cable?

Unfortunately not. If my research was accurate, he's located in Germany/Bavaria, so he's not in easy reach for me. Otherwiese I might even consider this as viable! (^-^) He might not even be a member of the list, since he is not sending to the listserver. I haven't seen a post from him in my archive either. -- Sandy List replies only please! Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Carlos E. R. wrote:

The Saturday 2007-03-03 at 13:54 +0100, Sandy Drobic wrote:

...

He might not even be a member of the list, since he is not sending to the listserver. I haven't seen a post from him in my archive either.

Probably because he thought he was not receiving list mail... X-)

Could it be... could it be that someone subscribes, perhaps in a business, he goes somewhere else, leaving the subscription, then someone voids the address, mail accumulates, the postmaster sees it, and thinks of rejecting it "then", after some months have accumulated?

Not likely. The mails all came from a dynamic ip, so it's very unlikely that this is a regular server (German T-Com is disconnecting every 24h AND issuing different ip addresses every time on reconnect): p549B18A2.dip0.t-ipconnect.de 84.155.24.162 The usual time email is kept in the queue until it is discarded as undeliverable is only a few days (Postfix has a default of 5 days). No, it is likely an experiment gone bad. Otherwise the mails wouldn't have come in such a batch all at once. If I see any more of the crap I could try to get him on the phone, if the phonebook entry is valid. -- Sandy List replies only please! Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Carlos E. R. wrote:

So we had:

Received: from lists4.suse.de (lists4.suse.de [195.135.221.135]) by mailin.webmailer.de (8.13.7/8.13.7) with ESMTP id l01C0UMi005945 for ; Mon, 1 Jan 2007 13:00:31 +0100 (MET)

So mail arrived at the box on January, but he fetched it Yesterday:

Received: from post.strato.de [192.67.198.2] by dothangizmo.gk.lan with POP3 (fetchmail-6.3.2) for <4suse%growngizmo.de@localhost> (single-drop); Sat, 03 Mar 2007 01:42:57 +0100 (CET)

I guess he is one of those guys that like to forward mails back and forth, and he kind of forgot to poll that account as well, until he had a backlog of thousands of mails.

<4suse@growngizmo.de> (expanded from <4suse%growngizmo.de@localhost>): host mailin.rzone.de[81.169.145.100] said: 550 5.0.0 Dial-Up IP address rejected (in reply to RCPT TO command)

Maybe his postfix tried to send to "4suse@growngizmo.de", instead of taking it locally, as was intended. He is "growngizmo.de" (I think), but his mail is handled by mailin.rzone.de, which refused his client being dynamic... so finally, postfix, not knowing how to send to "4suse@growngizmo.de" bounces back to us.

Does it sound reasonable?

That could be, though the real question is why anything he polled with fetchmail was bouncing back at all. I don't like fetchmail and don't use it, but AFAIK you can set it up not to bounce anything and instead redirect it to a postmaster account. -- Sandy List replies only please! Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The Sunday 2007-03-04 at 01:42 +0100, Sandy Drobic wrote:

...

Maybe his postfix tried to send to "4suse@growngizmo.de", instead of taking it locally, as was intended. He is "growngizmo.de" (I think), but his mail is handled by mailin.rzone.de, which refused his client being dynamic... so finally, postfix, not knowing how to send to "4suse@growngizmo.de" bounces back to us.

Does it sound reasonable?

That could be, though the real question is why anything he polled with fetchmail was bouncing back at all. I don't like fetchmail and don't use it, but AFAIK you can set it up not to bounce anything and instead redirect it to a postmaster account.

As I read it, fetchmail did it right, but it does a translation: | Received: from post.strato.de [192.67.198.2] | by dothangizmo.gk.lan with POP3 (fetchmail-6.3.2) | for <4suse%growngizmo.de@localhost> (single-drop); Sat, 03 Mar 2007 01:42:57 +0100 (CET) | Probably because it is configured to translate the "remote" username (ie, martin.koch.4suse@growngizmo.de) to a local name of "4suse%growngizmo.de @localhost". Maybe it is a multidrop. So far, so good. Or maybe not so good, the local user is not well defined. The next step, is to put that into the local folder, by postfix. But postfix expands "4suse%growngizmo.de@localhost" into "4suse@growngizmo.de" (I have no idea why, I don't know how he has it configured). Next, postfix thinks that the destination of that email is not local (the "localhost" past has been lost), so postfix tries to send it to "growngizmo.de". And mail to "growngizmo.de" happens to be handled by "mailin.rzone.de". It is this "growngizmo.de", aka "mailin.rzone.de" who rejects the email for coming from a dynamic address. It is not the combination of fetchmail/postfix who is responsible for the rejection. It is his own ISP who is doing the rejection: <4suse@growngizmo.de> (expanded from <4suse%growngizmo.de@localhost>): host mailin.rzone.de[81.169.145.100] said: 550 5.0.0 Dial-Up IP address rejected (in reply to RCPT TO command) What happens now is that our "friend's" postfix now have a rejected email... so it sends it back... to us. The error is in fetchmail not translating to the correct local user name. Plus, if it is a multidrop, I don't think you can handle it with procmail directly. But the fault is not fetchmail nor postfix: it is our friend's fault for not doing checks and configuring properly his setup. - -- Cheers, Carlos E. R. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Made with pgp4pine 1.76 iD8DBQFF6ie+tTMYHG2NR9URAoUOAJ4nOstIqgYbqo6Ae+ggmcVMvsK9sQCfdsN0 GBidHu8okP24RayPnQPVRmo= =03tQ -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The Sunday 2007-03-04 at 11:10 +0100, Sandy Drobic wrote:

Carlos E. R. wrote:

...

So far, so good. Or maybe not so good, the local user is not well defined.

The next step, is to put that into the local folder, by postfix. But postfix expands "4suse%growngizmo.de@localhost" into "4suse@growngizmo.de" (I have no idea why, I don't know how he has it configured).

Next, postfix thinks that the destination of that email is not local (the "localhost" past has been lost), so postfix tries to send it to "growngizmo.de".

And that is most likely the problem. If Postfix doesn't know which domains are local it is trying to relay the mail.

Yep, but probably caused by a bad name translation by fetchmail, or misconfiguration of same.

...

And mail to "growngizmo.de" happens to be handled by "mailin.rzone.de".

It is this "growngizmo.de", aka "mailin.rzone.de" who rejects the email for coming from a dynamic address. It is not the combination of fetchmail/postfix who is responsible for the rejection. It is his own ISP who is doing the rejection:

He probably didn't configure smtp auth for the client part of Postfix, so Postfix tries to submit the mail directly to the responsible mailserver.

Right. It is curious, though, because it is his ISP, I think.

...

<4suse@growngizmo.de> (expanded from <4suse%growngizmo.de@localhost>): host mailin.rzone.de[81.169.145.100] said: 550 5.0.0 Dial-Up IP address rejected (in reply to RCPT TO command)

What happens now is that our "friend's" postfix now have a rejected email... so it sends it back... to us.

Correct. In my case he tries to send it to me.

554 5.7.1 : Recipient address rejected: Access denied; from=<> to= proto=ESMTP helo= (total: 45) 45 p549B18A2.dip0.t-ipconnect.de 554 5.7.1 : Recipient address rejected: Access denied; from=<> to= proto=ESMTP helo= (total: 170) 170 p549B18A2.dip0.t-ipconnect.de

Well, I think that first he tries to send to "him", and failing, tries to bounce to you, which also fails. Hold on, if it fails, you don't have those emails, do you? You must have the rejections in your logs, but not the emails themselves.

...

The error is in fetchmail not translating to the correct local user name. Plus, if it is a multidrop, I don't think you can handle it with procmail directly.

But the fault is not fetchmail nor postfix: it is our friend's fault for not doing checks and configuring properly his setup.

The usual diagnosis: the problem is sitting in front of the keyboard.

Right :-) - -- Cheers, Carlos E. R. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Made with pgp4pine 1.76 iD8DBQFF6shKtTMYHG2NR9URAoTmAJ9mqK06E0vwvED4++0pTxTddaDWKQCdHqgd qXrV6pdWssq2hqpEcrRlZEk= =yuUr -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The Sunday 2007-03-04 at 15:14 +0100, Sandy Drobic wrote:

...

It is curious, though, because it is his ISP, I think.

Doesn't matter, without smtp auth he will be rejected because of dynamic ip.

Some times not: some isps simply check the IP; if it belongs to their network, you can post. Some do not check dynamic addresses per se: I know, I use one of those and I can usually post. Unfortunately, some dump the email without rejecting it: ie, the email is accepted, then deleted. That's very inconsiderate. And yes, the users there complain of not receiving many emails they should receive... No wonder normal people consider email as unreliable... and some ignore emails and claim they never got them!

...

Well, I think that first he tries to send to "him", and failing, tries to bounce to you, which also fails. Hold on, if it fails, you don't have those emails, do you? You must have the rejections in your logs, but not the emails themselves.

No, I don't have those emails, the excerpt above is taken from the daily pflogsumm report.

Ah, I see. Then you couldn't see the received headers I used for my analysis. :-} - -- Cheers, Carlos E. R. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Made with pgp4pine 1.76 iD8DBQFF63SCtTMYHG2NR9URApMoAJ4olLA7kyAdVFqsbCaHPTfA0lppswCgjkjU ut+24SjZXEkQnBQie/mKPaM= =ZFRU -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Carlos E. R. wrote:

...

Still, I suggest you use the action DISCARD instead of REJECT. If the next mail you want to reject with such a header_check is NOT the empty sender address <>, you WILL become a backscatter source with REJECT.

You are right. Well, in any case, my backscatter would have "nimrodel.valinor" as the source, so it serves them right if they do accept it! ;-P

Grin! What would I give, if I could just implement strict RFC compliance checks on our company server, for example "reject_unknown_helo_hostname". I see a lot of regular servers announcing themselves as "mail.intranet" or "exchange.local" and the like.

Probably my subconscious mind chooses "reject" as a way of punishing them... Ok, ok, I'll start reviewing my config O:-)

I feel for you, man! I always get this warm fuzzy feeling when I see the reject rate on my server spike. (^-^) Recently I had a few thousand rejects when a spammer decided to use "localhost" as HELO. Sometimes I really wonder if the evolution theory is valid. -- Sandy List replies only please! Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Carlos E. R. wrote:

...

I see a lot of regular servers announcing themselves as "mail.intranet" or "exchange.local" and the like.

Well, what I'm bothered is receiving email from my ISP boxes with false envelope from.I don't understand why they don't check it. My postfix doesn't accept it, so fetchmail leaves it there - but it doesn't delete them either: a dns failure can be temporary, so mail is not rejected finally, but given a "try later". That's how it should be, but... it means I have to go and delete them manually from the boxes. I might be better off by accepting them and letting spamassassin take care of those...

Policy decision. In our company I also use "reject_unknown_sender_domain", but I doubt that I would use it on an ISP mailserver. The best case would be to offer several classes of anti-spam measures and let the customer decide which one to choose. -- Sandy List replies only please! Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Carlos E. R. wrote:

The Sunday 2007-03-04 at 10:49 +0100, Sandy Drobic wrote:

...

Carlos E. R. wrote:

...

...

...

I see a lot of regular servers announcing themselves as "mail.intranet" or "exchange.local" and the like. Well, what I'm bothered is receiving email from my ISP boxes with false envelope from.I don't understand why they don't check it. My postfix doesn't accept it, so fetchmail leaves it there - but it doesn't delete them either: a dns failure can be temporary, so mail is not rejected finally, but given a "try later". That's how it should be, but... it means I have to go and delete them manually from the boxes. I might be better off by accepting them and letting spamassassin take care of those... Policy decision. In our company I also use "reject_unknown_sender_domain", but I doubt that I would use it on an ISP mailserver. The best case would be to offer several classes of anti-spam measures and let the customer decide which one to choose.

Why not on an ISP? Resources? I'm curious... if you convince me, I'll stop being mad at them ;-)

I'll definitely won't try to persuade you not to be mad any longer. (^-°) The more people are mad the likelier it is that someday the situation may change. The reason is very pragmatic and comes in three parts. - It's mostly the number of idiots that can't configure servers and yet they are tasked with that very job. Often they have so many different jobs to do that they simply don't have the time and energy to set up a system as it should be done. - the number of idiots that don't care why the mail is rejected, they simply want the mail and complain afterwards that they receive too many spams. - the time you have to manage your server and fight spam. On my private server here at home I very seldom see any spam at all, because I can hand-tailor the restrictions to fit my needs. I think in the last 15 month I only had about 5 spams in my inbox, three of them I sent to an unrestricted address to test if the spam configuration was still working. (^-^) The number of idiots that try to sent crap to my server is very low, I can set up a manual whitelist for these guys, provided I am interested in their mails at all. On our company mailserver I have a completely different situation. I don't know anymore, who is communicating with who, we have contacts all around the world, yes also to Taiwan, China, South Corea, Chile, South Africa, you name it. I also was very suprised to see that from one server I had only received spam so far (an Italian ISP server), suddenly there seemed to be a valid mail. Still, the volume is low enough for me to monitor the log excerpt fairly closely, and most of the time our mailserver is just idling. In spite of that I must adhere to the management order that said: "accept all mails we are interested in, reject spam as second priority". That is why I can't reject some spam. Even measures like greylisting and blacklists are used selectively, not on all clients. As a big company or an ISP you have very little time to manage your server compared to the mail volume you receive. The server is not idling along any more, it is instead sometimes taxed to the physical limit. So you do not track the log very closely, instead you monitor the overall situation, set up policies that are the best compromise for the demands of many customers/users and set up things as automated as possible. The number of clueless people/admins you have to deal with is daunting, so you are acting pragmatic with the situation and don't try to change it.

So far, I have never received a good email from a bad sender domain, all of them are spam.

In my whitelist I already have a few dozen broken sites. Sometimes they see that they have problems and change their configuration with other broken settings so fast I can't keep up and their mail is rejected permanently. My situation is a mixed case, the mail volume is low, but I have a lot of other tasks at work, so I can't spend that much time on the mailserver. Add to that the consideration that I don't want to create such a convoluted setup that nobody else has a hope to understand. We are already at the point that I have rather created a VMWare double than try to explain to a not-linux-savvy collegue, how the mail system works and how to debug it. In case of trouble with the primary mailserver he can just change to the VMWare setup and let me solve the problem when I am present again. -- Sandy List replies only please! Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

David Brodbeck wrote:

Sandy Drobic wrote:

...

I see a lot of regular servers announcing themselves as "mail.intranet" or "exchange.local" and the like.

MS Exchange servers are a common offender here, often saying HELO with their WIndows domain name. Unfortunately in a lot of business applications rejecting all mail from Exchange servers isn't acceptable, so HELO checks are of limited use. ;)

I wouldn't say that, helo checks are rejecting a lot of crap in our company, and they use very little resources, too. Everyone has to see for himself, what checks make more trouble by rejecting wanted mail than spam. -- Sandy List replies only please! Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

On Monday 05 March 2007, Hans du Plooy wrote:

On Sat, 2007-03-03 at 12:23 +0100, Sandy Drobic wrote:

...

I'm using ipcop as firewall. Just searched for the possibility to blacklist an ip without luck. I guess you can only do that with custom rules on the command line.

Drop them in /etc/rc.d/rc.firewall.local

Hans

Such a file does not exist, and rc.d is only a link to init.d since forever in Suse. -- _____________________________________ John Andersen

On Sat, 03 Mar, 2007 at 12:23:10 +0100, Sandy Drobic wrote: <snip>

Can you set up rules for outgoing traffic in Shorewall?

Certainly, and quite easily too. I'll refrain from quoting documentation (too much) and instead you try to give a short high-vantagepoint view: Shorewall uses the concept of 'zones'. Nothing works without them, but you can basically make as many as you want. Interfaces are associated with a zone, and traffic can be allowed/dropped/rejected/nat'ed/proxyarp'ed/etc'ed between zones in more or less any fashion you can think of. Usually a 'single-interface' installation would have just two zones; 'net' and 'fw'. A typical two-interface 'router' setup would have three zones; net, fw and lan. Basically you define a set of policies, and then set up exceptions in the 'rules' file, which has a pretty simple and (to me at least) intuitive layout: <quote> # Example: You want to accept SSH connections to your firewall only # from internet IP addresses 130.252.100.69 and # 130.252.100.70 # # #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL # # PORT PORT(S) DEST # ACCEPT net:130.252.100.69,130.252.100.70 $FW tcp 22 </quote> So to permanently drop specific 'outgoing' traffic it would be something like; DROP lan net tcp 1863 -in /etc/shorewall/rules, followed by shorewall restart As such Shorewall is 'just' a bunch of shell-scripts which parse the config-files to 'compile' iptables statements. This means that it will run on just about anything, even if it may take a while to complete on 'skinny' hardware. In order to alleviate this, Shorewall now includes a 'just read the config and output the iptables statements to a file' option. This way you can have Shorewall create the actual configuration. The created file can then be reused on subsequent boots, where it will just be executed without any parsing at all. I'm by no means an iptables authority, and I'll probably never become one either. This doesn't mean that I don't sometimes want or need firewall configurations more complex than what SuSEfirewall (f.x.) has to offer. What is *does* mean, however, is that the need to add custom iptables rules to some local firewall file invariably makes me shake my head and wonder: "What's the point of having something like SuSEfirewall, if it *still* means that I have to write 'raw' iptables?" Personally I wish SuSE would just drop SuSEfirewall, and include Shorewall instead. I don't expect it to happen anytime soon though, so I recently went ahead and repackaged the rpm to match the SuSE environment. Since I'm no rpm expert either I'm not going to 'publish' said rpms, as they probably contain packaging errors. Still, if someone wants to check them out, contact me privately. /Jon -- YMMV -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

On Wed, 7 Mar 2007, John Andersen wrote:

On Tuesday 06 March 2007, Jon Clausen wrote:

...

I'm by no means an iptables authority, and I'll probably never become one either.

But Tom Eastep (Shorewall author) is. The guy is a wizard, and really knows his stuff. I've been using shorewall for years on Suse and now also on Kubuntu.

What ever you do READ the QUICK START GUIDES. It will save so much time.

Every site I maintain does egress filtering with Shorewall. Especially for port 25.

Could I get a sample of some of your configs? My main problem is as such. I have SuSEfirewall working but complains from yast I would like to look at shorewall, but I have not gotten configs correct. I have a Class C network and all machine I want visiable to the world are one it. I also have part of an other Class C that I share with others. So I have a machine with three network cards as my router/firewall. Here is a diagram that shows network. Most machines have two NIC's public and private. Internet Internet | | | X.X.X.X Partial Class C | Download Dynamic IP | Y.Y.Y.Y Full Class C |__ | | | System System | | shared shared | DHCP IP | storage storage | --------- --------- --------- --------- | | | | | | | | | |---+ | | | | | | | 1 | |P | 2 | | 3 | | 4 | | | |B | | | | | | | | | | | | | | | | | |I | | | | | | --------- |P --------- --------- --------- | | | | | | --------- | | | | | HUB/ |-----------------+----------------+---- | | Switch| | | | | | --------- | | | | | | | Other Systems | 192.168.x.x | | Unix/Linux | | | | & MS Machines | | MS Masquarded ---------- --------- --------- --------- | HUB/ |-+ | | | | | | | Switch | | | | | | | | ---------- | | 5 | | 6 | | 7 |... +----| | | | | | | | | | | | | | --------- --------- --------- +--------|---------------|---------------| -- Boyd Gerber ZENEZ 1042 East Fort Union #135, Midvale Utah 84047 -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Tue, 06 Mar 2007, by jon@ymmv.dk:

Personally I wish SuSE would just drop SuSEfirewall, and include Shorewall instead. I don't expect it to happen anytime soon though, so I recently went ahead and repackaged the rpm to match the SuSE environment.

Since I'm no rpm expert either I'm not going to 'publish' said rpms, as they probably contain packaging errors. Still, if someone wants to check them out, contact me privately.

Very late, but nevertheless: the rpms on the shorewall.net site integrate perfectly in SUSE afaik, no need to make them yourself. http://shorewall.de/pub/shorewall/3.4/shorewall-3.4.0/shorewall-3.4.0-1.noar... Theo -- Theo v. Werkhoven Registered Linux user# 99872 http://counter.li.org ICBM 52 13 26N , 4 29 47E. + ICQ: 277217131 SUSE 10.2 + Jabber: muadib@jabber.xs4all.nl Kernel 2.6.18 + See headers for PGP/GPG info. Claimer: any email I receive will become my property. Disclaimers do not apply. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

On Monday 12 March 2007, John Andersen wrote:

I conure.

concur Damn spell checkers.... -- _____________________________________ John Andersen

On Monday 12 March 2007 19:21, John Andersen wrote:

On Monday 12 March 2007, Theo v. Werkhoven wrote:

...

Tue, 06 Mar 2007, by jon@ymmv.dk:

...

Personally I wish SuSE would just drop SuSEfirewall, and include Shorewall instead. I don't expect it to happen anytime soon though, so I recently went ahead and repackaged the rpm to match the SuSE environment.

Since I'm no rpm expert either I'm not going to 'publish' said rpms, as they probably contain packaging errors. Still, if someone wants to check them out, contact me privately.

Very late, but nevertheless: the rpms on the shorewall.net site integrate perfectly in SUSE afaik, no need to make them yourself. <http://shorewall.de/pub/shorewall/3.4/shorewall-3.4.0/shorewall-3.4.0-1. noarch.rpm>

I conure. The shorewall rpms work fine, and even the init script works great.

Suse would be better off spending the time they spend on Suse Firewall on a yast interface for configuring shorewall. As it stands you actually have to have "advanced skills" like reading a web page and actually typing with fingers applied to keyboard !!! into a text file in order to get shorewall up. Oh The Horror of it all!!!

You can install webmin and you will have a graphical interface for configuring Shorewall. Mike -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

On Monday 12 March 2007 21:18, John Andersen wrote:

On Monday 12 March 2007, Mike Noble wrote:

...

...

Suse would be better off spending the time they spend on Suse Firewall on a yast interface for configuring shorewall.  As it stands you actually have to have "advanced skills" like reading a web page and actually typing with fingers applied to keyboard !!! into a text file in order to get shorewall up.  Oh The Horror of it all!!!

You can install webmin and you will have a graphical interface for configuring Shorewall.

No, my tongue was lodged firmly in my cheek Mike. I prefer the text file approach. Webmin is pretty limited in the options it provides.

-- _____________________________________ John Andersen

I agree the text editing is much better, but somepeople like to have a GUI.............. Mike -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

John Andersen escribió:

...

...

Since I'm no rpm expert either I'm not going to 'publish' said rpms, as they probably contain packaging errors. Still, if someone wants to check them out, contact me privately.

I can create those rpms, in fact I should ;P

Suse would be better off spending the time they spend on Suse Firewall on a yast interface for configuring shorewall. As it stands you actually have to have "advanced skills" like reading a web page and actually typing with fingers applied to keyboard !!! into a text file in order to get shorewall up. Oh The Horror of it all!!!

It aint a trivial task, it can get quite complicated, just take my word on it ;)

On Friday 02 March 2007, Joe Morris (NTM) wrote:

Without a moderator, and the volume of this list, I think it would be a nightmare.  The first or second time my mailbox filled up with the endless messages

This instance wasn't just any bounces, it was over two months worth of my own posts, only my posts. The first was posted 1/1/07 the last was posted just today. How he hell he saved up two months and processed it all at once with a miss-configured postfix is beyond me. I get the occasional bounce and vacation message from posting on suse lists but this is the first time I've seen a bounce fest like this, so I don't think we can blame it on list configuration (yet again). Its Mr Glötzl-Koch's fault and no body elses. -- _____________________________________ John Andersen

On Sat, 3 Mar 2007, Joe Morris (NTM) wrote:

John Andersen wrote:

...

On Friday 02 March 2007, Joe Morris (NTM) wrote:

...

Without a moderator, and the volume of this list, I think it would be a nightmare. The first or second time my mailbox filled up with the endless messages This instance wasn't just any bounces, it was over two months worth of my own posts, only my posts. The first was posted 1/1/07 the last was posted just today.

I get the occasional bounce and vacation message from posting on suse lists but this is the first time I've seen a bounce fest like this, so I don't think we can blame it on list configuration (yet again). Its Mr Glötzl-Koch's fault and no body elses.

My point was IF the policy was different, and that was a normal happening, i.e. someone's vacation or auto responder sent to the list, which sent back to them, which returned the message to the list, etc., or at least as common here someone just getting started and having their mail server mis configured and bouncing to the list INSTEAD of the current policy of replies being sent to the sender, then it would be enough trouble for me to learn somewhere else. I have learned much over the 7 years or so I have been here, but it has not always been easy to wade through. We have all got those bounces if we have posted over the years, and I am just reiterating I agree with the present policy, and IF there was a change, THEN the first time it filled my mailbox with bounces may be enough to send me packing (I probably would wait til the second, we all make mistakes. Especially since with Linux you have the power to change things, I can be optimistic.).

One list I am on sent over 200 email in an hour because of the vacation auto responder loop. Finally a sys opt noticed it and removed his account but the damage was already done. That is why I really like the way this list is configured. That list has had it happen many times. One other list has done the same. I have never seen the mail loop problem with a list configured like this. -- Boyd Gerber ZENEZ 1042 East Fort Union #135, Midvale Utah 84047 -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Carlos E. R. wrote:

The Friday 2007-03-02 at 18:55 -0900, John Andersen wrote:

...

I get the occasional bounce and vacation message from posting on suse lists but this is the first time I've seen a bounce fest like this,

No, I have seen a few. Usually they are slower and come in batches over several days. This one dumped everything on one go! He is still at it, I got two more this morning (rejected).

On my server they were all tried within about one hour. I guess he was trying to import the list archive of the last two month and was bitten by a bad antispam configuration or something like that. If you receive them with delay it is probably a delay on your mailserver. -- Sandy List replies only please! Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

On Saturday 03 March 2007, Carlos E. R. wrote:

Ough. But importing the archive (in mbox format) doesn't involve sending them... hold on, perhaps... an antispam measure in procmail?

No, if you look at the headers in the encapsulated bounce notices you see this: Received: from post.strato.de [192.67.198.2] by dothangizmo.gk.lan with POP3 (fetchmail-6.3.2) So he had the list subscribed to an email account at post.strato.de and then he decided to use the standard Suse setup to pop that with fetchmail directly into the postfix input stream rather than routing his fetchmail thru procmail -(suse: please fix that, its a crazy way to do it). -- _____________________________________ John Andersen

On Saturday 03 March 2007, Carlos E. R. wrote:

And it wouldn't bounce back if he had left it alone, it doesn't check for dynamic ip addresses.

It does if you select the options to use some of the black-hole lists. I suspect thatt is what he did. But that shouldn't be done on fetchmail. Fetchmail input should go direct to procmail rather than come in as if it was a direct connection. After all, he knows already who this mail is destined for, by virtue of who's fetchmail account he is popping. It should go direct to the MDA, not thru the MTA. -- _____________________________________ John Andersen -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

On Sunday 04 March 2007, Scott Leighton wrote:

On Saturday 03 March 2007 12:32 pm, John Andersen wrote:

...

So he had the list subscribed to an email account at post.strato.de and then he decided to use the standard Suse setup to pop that with fetchmail directly into the postfix input stream rather than routing his fetchmail thru procmail -(suse: please fix that, its a crazy way to do it).

Isn't the reason for feeding the incoming mail to postfix so that amavis/spamassasin/clamav etc get a shot at the mail?

procmail can do that as well -- _____________________________________ John Andersen

On Saturday 03 March 2007, Sandy Drobic wrote:

If you receive them with delay it is probably a delay on your mailserver.

In my case it was hammer in postfix limiting his connection rate. -- _____________________________________ John Andersen

On Saturday 03 March 2007, Sandy Drobic wrote:

John Andersen wrote:

...

On Saturday 03 March 2007, Sandy Drobic wrote:

...

If you receive them with delay it is probably a delay on your mailserver.

In my case it was hammer in postfix limiting his connection rate.

Hammer? Or do you mean anvil? In any case, I never saw more than a few connections at the same time. Anvil should only limit concurrent connections if more than a few concurrent connections are opened.

The default for $smtpd_client_connection_count_limit is 50 (half the default process limit of 100). What did you set it to?

-- Sandy

List replies only please! Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com

Oh yeah, DUH, it was one of those blacksmith tools... ;-) But, you've misread the job of anvil. It will also RATE limit the number of connections per unit of time. Quoting the Postfix release notes: The new anvil server maintains the connection statistics, and logs the maximum connection count and connection rate per client every anvil_status_update_time seconds (10 minutes), or when it terminates (when there is no work to be done, or when "postfix reload" was issued). Once you have an idea what the numbers look like, you can clamp down the limits for your system. The relevant main.cf configuration parameters are: smtpd_client- connection_count_limit for the number of simultaneous connections per client, and smtpd_client_connection_rate_limit for the number of successive connections per unit time and client. The time unit is specified with the anvil_rate_time_unit parameter, and is one minute by default. -- _____________________________________ John Andersen

On Saturday 03 March 2007, Sandy Drobic wrote:

Quote from the Postfix site:

IMPORTANT: These limits are designed to protect the smtpd(8) server against flagrant abuse. Do not use these limits to regulate legitimate traffic: mail will suffer grotesque delays if you do so.

These tools are on by default in Suse. The admonitions of the postfix site are for large ISPs or big companies. Mine is a small machine serving me alone and I see no reason to make spammer's life easier. I have these set to all the defaults, i.e. one connection per minute per remote client. -- _____________________________________ John Andersen -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The Sunday 2007-03-04 at 11:00 +0100, Sandy Drobic wrote:

These are definitely not Postfix default. I'll have to check with a recent Suse 10.2 if such defaults have been set.

I don't have anvil enabled, I didn't even know it existed. [...] Mmm, it seems I do: cer@nimrodel:~> grep -i anvil /etc/postfix/* /etc/postfix/master.cf:anvil unix - - n - 1 anvil So I do have it... Where is it configured? I'm looking at the man page, but... ... I don't see how to know what it is doing. The man says: | To register a new connection send the following request to the | anvil(8) server: | | request=connect | ident=string But no clue how to send strings to the anvil server. There must be a simple way to know what it is doing. I don't see where is its configuration file, there is no "anvil.cf", and I don't have anything in main.cf... or do I? Right, I do, the defaults: nimrodel:~ # postconf | grep anvil anvil_rate_time_unit = 60s anvil_status_update_time = 600s Grumblffff.... - -- Cheers, Carlos E. R. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Made with pgp4pine 1.76 iD8DBQFF6st6tTMYHG2NR9URAp3LAJ9QfTPXdVhWHZAwok/ZHxaL/lMjxgCdFfy3 y45hFx9ChZu4V1IomNVJAuE= =itc0 -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Joe Morris (NTM) wrote:

James Knott wrote:

...

Funny thing. Just today, someone mentioned the list has reply set to sender, instead of list, to avoid endless loops, even though I've never seen such a thing on lists that don't set return to sender.

I wonder, is there a difference in the users of those lists (i.e. more technically proficient), or in the volume on those lists? I can hardly imagine anyone subscribing to 5 or 10 lists with the volume of this list, don't see how they would have time left for anything else. But, the other lists I have signed up to over the years were more specialized and more highly technical, and probably moderated, and thus may reveal the reason there were no loops. I have seen mail loops, fortunately between one user's auto responder responding to an auto responder, which had an end when his mailbox reached his maximum limit. I see the potential here.

While I don't have a comparison of message quantities, I also subscribe to the OpenOffice list. While there are certainly some technically proficient members there, the majority are not. That list is fairly busy. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org