From owner-freebsd-isp@FreeBSD.ORG Thu Jun 29 05:35:40 2006
From: Francisco Reyes <lists@stringsutils.com>
To: Brian Candler
Cc: FreeBSD ISP <freebsd-isp@freebsd.org>
Date: Thu, 29 Jun 2006 01:35:32 -0400
Subject: Re: NFS automounting. Stable for mail servers?
References: <20060620141528.GA5731@uk.tiscali.com> <20060620204633.GA6813@uk.tiscali.com>
List-Id: Internet Services Providers

Brian Candler writes:
> And this doesn't happen with soft mounts (-o soft) ?

Soft mounts did not help. FreeBSD 6.X clients do not handle it well at all when the server goes away for any reason. I was able to confirm this with 6 different machines in different "stable" status of 6.0 and 6.1. Clients in 5.X are able to at least "umount -f" the volume, plus they don't freeze.

Also the nfsd in 6.X seems to be less stable too.

From owner-freebsd-isp@FreeBSD.ORG Thu Jun 29 17:20:44 2006
From: "Michael W. Oliver" <michael@gargantuan.com>
To: isp@freebsd.org
Date: Thu, 29 Jun 2006 13:20:40 -0400
Subject: email filtering with GPG
Message-ID: <20060629172040.GC78932@gargantuan.com>
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"

Hi list,

I have a question about a particular MTA, not FreeBSD specifically, but since you are a bunch of service provider folk I figured I would ask.

Here is my situation. I am using Postfix as my MTA, and would like to drastically cut the amount of email that my users see. I am already doing blacklist filtering and lots of other stuff in "smtpd_recipient_restrictions" in main.cf, but it isn't enough. What I would like to do is kill any email that doesn't have a valid PGP/GPG signature, but I am not sure that Postfix is the right place to do this.

Right now, all mail is delivered to ~/Maildir for each user by maildrop, and they pick up their mail via IMAPS (Dovecot). At first I was thinking about some sort of filter for Postfix that would check for a signature and then reject the message if the signature check failed. However, the more I think about it, the more I am inclined to use maildrop's xfilter mechanism to do the signature checking to keep the load off of Postfix. The reality is that I am not sure, which is why I am asking you.

Am I crazy? Can you think of better ways to do strict signature checking in this environment, either with Postfix, maildrop, or something else I am not currently using?

I thank you for your time and consideration.

-- 
Mike Oliver, KI4OFU
[see complete headers for contact information]

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (FreeBSD)

iD8DBQFEpAvosWv7q8X6o8kRAkK6AJsFut/m7IxBcnHJU2p+tR04ZBP4sQCeM2WI
y+95GZIxTcPO53C4fhZLA5w=
=HuFY
-----END PGP SIGNATURE-----

From owner-freebsd-isp@FreeBSD.ORG Thu Jun 29 17:26:17 2006
From: Ow Mun Heng <ow.mun.heng@wdc.com>
To: "Michael W. Oliver"
Cc: isp@freebsd.org
Date: Thu, 29 Jun 2006 10:24:17 -0700
Subject: Re: email filtering with GPG
Message-Id: <1151601857.14510.5.camel@neuromancer.home.net>
In-Reply-To: <20060629172040.GC78932@gargantuan.com>
References: <20060629172040.GC78932@gargantuan.com>

On Thu, 2006-06-29 at 13:20 -0400, Michael W. Oliver wrote:
> What I would like to do is kill any email that doesn't have a valid
> PGP/GPG signature,

May I just ask, why are you doing such things? It seems like overkill.

From owner-freebsd-isp@FreeBSD.ORG Thu Jun 29 17:33:00 2006
From: "Michael W. Oliver" <michael@gargantuan.com>
To: Ow Mun Heng
Cc: isp@freebsd.org
Date: Thu, 29 Jun 2006 13:32:52 -0400
Subject: Re: email filtering with GPG
Message-ID: <20060629173252.GD78932@gargantuan.com>
In-Reply-To: <1151601857.14510.5.camel@neuromancer.home.net>
References: <20060629172040.GC78932@gargantuan.com> <1151601857.14510.5.camel@neuromancer.home.net>
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"

On 2006-06-29T10:24:17-0700, Ow Mun Heng wrote:
> On Thu, 2006-06-29 at 13:20 -0400, Michael W. Oliver wrote:
>
>> What I would like to do is kill any email that doesn't have a valid
>> PGP/GPG signature,
>
> May I just ask, why are you doing such things? It's seems like overkill.
>

Because I am fed up with SPAM of all kinds, and so are my clients. They have agreed to this plan, and I am excited to bring this to them.

The more I think about this, the more certain I am that maildrop is the right place. A user can manage their own .mailfilter configuration to allow email from whomever they want, but there will still be a GPG signature xfilter before the final drop to ~/Maildir.

Sorry if I wasted anyone's time with this thread, I am feeling good about using maildrop's xfilter now... unless I hear something different.

Thanks.

-- 
Mike Oliver, KI4OFU
[see complete headers for contact information]

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (FreeBSD)

iD8DBQFEpA7EsWv7q8X6o8kRAl1GAJ9Mt6aUBE/JAsYZQTS+ovZrZMcYzwCdGmsK
ovyESVnwIFwGCqxbrqxcmBw=
=zZOq
-----END PGP SIGNATURE-----

From owner-freebsd-isp@FreeBSD.ORG Fri Jun 30 17:51:57 2006
From: Brian Candler <b.candler@pobox.com>
To: "Michael W. Oliver"
Cc: Ow Mun Heng, isp@freebsd.org
Date: Fri, 30 Jun 2006 18:51:52 +0100
Subject: Re: email filtering with GPG
Message-ID: <20060630175152.GA9623@uk.tiscali.com>
In-Reply-To: <20060629173252.GD78932@gargantuan.com>
References: <20060629172040.GC78932@gargantuan.com> <1151601857.14510.5.camel@neuromancer.home.net> <20060629173252.GD78932@gargantuan.com>

On Thu, Jun 29, 2006 at 01:32:52PM -0400, Michael W. Oliver wrote:
> The more I think about this, the more certain I am that maildrop is the
> right place. A user can manage their own .mailfilter configuration to
> allow email from whomever they want, but there will still be a GPG
> signature xfilter before the final drop to ~/Maildir.
>
> Sorry if I wasted anyone's time with this thread, I am feeling good
> about using maildrop's xfilter now... unless I hear something different.

The advantage of doing it in the MTA is that you can respond to the incoming mail with a 5xx response and properly reject it. If you do this after receiving the mail, either you will blackhole the message (i.e. neither the sender nor the recipient will know that a mail has gone missing), or you will have to create and send a bounce message, which will be collateral spam if the incoming mail is a spam with a forged return address.

I don't know if Postfix can filter at this point, but Exim certainly can.

Another strategy to consider, if all the mail servers are under your control, is to require SMTP with TLS and valid certificates, and reject all non-TLS mail. Your GPG approach would be better if the clients are sending outbound mail through random ISP smarthosts; but I'd argue that clients should be using *your* mailservers as smarthosts, using the message submission service (port 587) and SMTP AUTH to enter mails into the system. With each of the mailservers talking SMTP-TLS to each other, you have a closed and secure mail network, but also the option of adding certain other authorised sources of mail in the future if you wish.

Regards,

Brian.
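The per-user signature gate Michael describes, written out as an added example for this thread (my code, not anything posted by Michael, Brian, or shipped with Postfix, maildrop or GnuPG). It reads one message on stdin, splits a PGP/MIME (RFC 3156) message into the signed part and its detached signature, verifies with gpg against a dedicated allow-list keyring, and returns an exit status maildrop can act on. It also takes Brian's point about post-acceptance filtering: a message that fails the check is quarantined into a folder rather than discarded or bounced, and a message that could not be checked because gpg itself failed gets EX_TEMPFAIL so the MTA defers it instead of losing it. The keyring path, the script path and the .mailfilter lines in the trailing comment are assumptions of this example; the comment describes the maildrop backtick operator as I read maildropfilter(7), so check it against your version.

```python
#!/usr/bin/env python3
"""pgp_gate.py: gate one delivered message on a PGP/MIME (RFC 3156) signature.

Exit 0: detached PGP/MIME signature verifies against the allow-list keyring.
Exit 1: unsigned, malformed, or signature does not verify.
Exit 75 (EX_TEMPFAIL): gpg could not be run; caller should defer, not drop.
GATE_KEYRING and the .mailfilter lines at the end are assumptions of this
example, not anything from the thread.
"""
import email
import email.policy
import os
import shutil
import subprocess
import sys
import tempfile

EX_OK, EX_FAIL, EX_TEMPFAIL = 0, 1, 75
# Hypothetical keyring holding only the public keys whose mail is accepted.
GATE_KEYRING = os.environ.get("GATE_KEYRING", "/usr/local/etc/pgp-gate/pubring.kbx")


def split_pgp_mime(raw: bytes):
    """Return (signed_part, detached_signature) for a PGP/MIME message, or None
    if it is not a two-part multipart/signed with protocol
    "application/pgp-signature".  The signed part is cut from the raw bytes
    (after CRLF canonicalisation) rather than re-serialised by the email
    package: the signature covers the exact bytes, MIME headers included."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    proto = msg.get_param("protocol")
    boundary = msg.get_boundary()
    if (msg.get_content_type() != "multipart/signed" or not isinstance(proto, str)
            or proto.lower() != "application/pgp-signature" or not boundary):
        return None
    # RFC 3156 mandates canonical CRLF line endings; accept LF input as well.
    canon = raw.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    # The CRLF before each "--boundary" belongs to the boundary (RFC 2046), so
    # splitting on it yields every part without that trailing CRLF.
    chunks = canon.split(b"\r\n--" + boundary.encode())
    if len(chunks) != 4 or not chunks[3].startswith(b"--"):
        return None  # want exactly: preamble, signed part, signature, closing
    parts = []
    for chunk in chunks[1:3]:
        rest, sep, body = chunk.partition(b"\r\n")
        if rest.strip() or not sep:  # the boundary line must end right there
            return None
        parts.append(body)
    signed_part, sig_part = parts
    sig_msg = email.message_from_bytes(sig_part, policy=email.policy.default)
    if sig_msg.get_content_type() != "application/pgp-signature":
        return None
    return signed_part, sig_msg.get_payload(decode=True)


def verify_with_gpg(signed_part: bytes, signature: bytes, keyring: str = GATE_KEYRING):
    """True only if gpg reports GOODSIG and VALIDSIG against `keyring`; False if
    the signature is bad, unknown, expired or revoked; None if gpg could not
    be run (a temporary failure, never to be read as "verified")."""
    gpg = shutil.which("gpg2") or shutil.which("gpg")
    if gpg is None:
        return None
    with tempfile.TemporaryDirectory() as tmp:
        data_path, sig_path = os.path.join(tmp, "part"), os.path.join(tmp, "part.asc")
        with open(data_path, "wb") as f:
            f.write(signed_part)
        with open(sig_path, "wb") as f:
            f.write(signature)
        cmd = [gpg, "--batch", "--no-tty", "--no-default-keyring", "--keyring", keyring,
               "--status-fd", "1", "--verify", sig_path, data_path]
        try:
            run = subprocess.run(cmd, capture_output=True, timeout=20)
        except (OSError, subprocess.TimeoutExpired):
            return None
    tags = {line.split()[1] for line in run.stdout.decode("utf-8", "replace").splitlines()
            if line.startswith("[GNUPG:] ") and len(line.split()) > 1}
    bad = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}
    # Web-of-trust is not consulted: presence in the allow-list keyring *is*
    # the authorisation, so the gate must never be pointed at a user's keyring.
    return run.returncode == 0 and {"GOODSIG", "VALIDSIG"} <= tags and not (tags & bad)


def gate(raw: bytes, verifier=verify_with_gpg) -> int:
    """Exit status for one message; `verifier` is injectable for testing."""
    parts = split_pgp_mime(raw)
    if parts is None:
        return EX_FAIL
    verdict = verifier(*parts)
    if verdict is None:
        return EX_TEMPFAIL
    return EX_OK if verdict else EX_FAIL


# Called from ~/.mailfilter (maildrop syntax as I read maildropfilter(7): the
# backtick operator pipes the message to the command and sets $RETURNCODE):
#   `/usr/local/bin/pgp_gate.py`
#   if ($RETURNCODE == 75)
#   {
#       EXITCODE=75          # defer at the MTA; do not lose the message
#       exit
#   }
#   if ($RETURNCODE != 0)
#   {
#       to "$HOME/Maildir/.Unsigned/"   # quarantine, not /dev/null, no bounce
#   }
if __name__ == "__main__":
    sys.exit(gate(sys.stdin.buffer.read()))
```

Two design points. First, the gate cuts the signed part out of the original bytes instead of letting the email package rebuild it, because a rebuilt part can differ in header folding or encoding from what the sender signed and would then fail verification for honest mail. Second, every failure mode maps to a distinct exit status: a missing or bad signature is a policy decision (quarantine), while a broken gpg installation is an operational one (defer), which is what keeps the filter from turning into the blackhole Brian warns about.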