Posted to users@spamassassin.apache.org by "David F. Skoll" <df...@roaringpenguin.com> on 2013/10/16 19:27:38 UTC

Exchange 2013 and rejection of invalid RCPTs (was Re: one word spam (continued))

On Wed, 16 Oct 2013 09:21:46 -0800
Kevin Miller <Ke...@ci.juneau.ak.us> wrote:

> So if I'm reading this right, milters such as smf-sav or milter-ahead
> will no longer be of any use?

You are reading it correctly.  On our anti-spam service, we require
some sort of recipient validation so we don't go insane scanning
messages destined to nonexistent addresses.  SMTP call-ahead was the easiest
way to do this, but now our customers either have to let us hook into their
Active Directory or explicitly provide a list of valid recipients.

Someone did send me a hack for doing recipient verification on
Exchange 2013 which I include here for archiving purposes.  Please
note that I have not tested this.  I'm also not familiar with Exchange,
so some of the terminology means nothing to me...

Regards,

David.

==========================================================================
From: Leon Black 
To: "info@roaringpenguin.com" <in...@roaringpenguin.com>
Subject: Recipient Verification correction
Date: Sat, 7 Sep 2013 03:59:27 +0000

Hey Guys,

Just saw your info on this page
http://www.roaringpenguin.com/recipient-verification re Exchange 2013
recipient verification.

I have found the workable solution with exchange 2013 to get recipient
verification working correctly with an antispam product.

The problem is when it is a single server with CAS and Mailbox
roles. To use correct verification you need to talk to the hub
transport receive connector (mailbox role) and this rejects the
address as per normal.

This is by default on port 2525, all you need to do is enable
anonymous access on the connector and open port 2525 to the antispam
IP.  Set your product to do recipient verification on port 2525 and
deliver to port 25 and it works perfectly.

Hopefully this information can help you guys out :) We do this with a
number of our exchange 2013 single server clients and it rejects
emails correctly.

Oh! Just make sure they do not create another hub transport connector.
If there is an additional one it will cause exchange transport to stop
receiving emails after a few hours.

Re: Exchange 2013 and rejection of invalid RCPTs (was Re: one word spam (continued))

Posted by Jason Haar <Ja...@trimble.com>.
On 17/10/13 09:03, Kevin A. McGrail wrote:
> We've done similar real time checks using Sendmail but seen this
> actually bring down Exchange Servers (more like bringing it to its
> knees from a resource perspective than actually crashing it) from the
> LDAP queries associated with these types of issues.  So I agree the
> instantaneous nature is nice but we switch to the store because the
> volume we could handle with Sendmail was so much higher than what was
> effectively halting Exchange Servers.
>

We saw the same thing, so we have hourly cronjobs dumping the email
addresses out of Active Directory and push the addresses to the edge
Unix mail relays. We find Active Directory LDAP too slow and too
unreliable to rely on for a realtime service. Internally, even our
Windows IT staff do something similar: batch jobs to dump data out via
LDAP so that their actual websites and/or applications can reference
LDAP data without having to talk to what Microsoft thinks passes for an
LDAP server (eg try to figure out all the groups a user is a member of, 
in a multi-forest AD spread across 5 continents - and do it in <1sec  -
go on, I dare ya ;-)

</rant ;-)>


-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


Re: Exchange 2013 and rejection of invalid RCPTs (was Re: one word spam (continued))

Posted by "Kevin A. McGrail" <KM...@PCCC.com>.
On 10/16/2013 3:46 PM, David F. Skoll wrote:
> On Wed, 16 Oct 2013 15:41:04 -0400
> "Kevin A. McGrail" <KM...@PCCC.com> wrote:
>
>> So in the beginning for our issue, our firm implemented something
>> similar and it's documented at http://www.pccc.com/downloads/ldap/
>> thanks primarily to Brian Landers <br...@packetslave.com>  and his
>> work.  This is a nice solution that uses LDAP and queries it to build
>> an access list with sendmail.
> We use MIMEDefang and we make real-time LDAP calls in filter_recipient.
> So when a modification to Active Directory is made, it's instant... no
> need to wait for the data to be updated on the Sendmail server.
>
> The downside is that you can get a *lot* of LDAP traffic if there's
> a dictionary attack.
>
We've done similar real time checks using Sendmail but seen this 
actually bring down Exchange Servers (more like bringing it to its 
knees from a resource perspective than actually crashing it) from the 
LDAP queries associated with these types of issues.  So I agree the 
instantaneous nature is nice but we switch to the store because the 
volume we could handle with Sendmail was so much higher than what was 
effectively halting Exchange Servers.

This was back in 2007 and revolved around small companies with one 
server so it was bringing down other operations as well.  We wrote about 
it a bit on this page 
https://raptor.pccc.com/raptor.cgim?template=raptorFAST (warning 
commercial site not affiliated with project though it's where I put a 
lot of stuff I'm working on.  I'll open a ticket to add as much as we 
can.  Anyway, please ignore if you aren't interested in my day job).

Regards,
KAM


Re: Exchange 2013 and rejection of invalid RCPTs (was Re: one word spam (continued))

Posted by "David F. Skoll" <df...@roaringpenguin.com>.
On Wed, 16 Oct 2013 15:41:04 -0400
"Kevin A. McGrail" <KM...@PCCC.com> wrote:

> So in the beginning for our issue, our firm implemented something 
> similar and it's documented at http://www.pccc.com/downloads/ldap/ 
> thanks primarily to Brian Landers <br...@packetslave.com>  and his 
> work.  This is a nice solution that uses LDAP and queries it to build
> an access list with sendmail.

We use MIMEDefang and we make real-time LDAP calls in filter_recipient.
So when a modification to Active Directory is made, it's instant... no
need to wait for the data to be updated on the Sendmail server.

The downside is that you can get a *lot* of LDAP traffic if there's
a dictionary attack.

Regards,

David.

Re: Exchange 2013 and rejection of invalid RCPTs (was Re: one word spam (continued))

Posted by "Kevin A. McGrail" <KM...@PCCC.com>.
On 10/16/2013 2:27 PM, David F. Skoll wrote:
> I think this is a deliberate strategy on the part of Microsoft. I 
> think they're making Exchange so complicated and such a PITA that 
> people give up and go to the cloud, ideally to Office 365. For many 
> small companies, going to the cloud probably makes lots of sense, as 
> long as they don't mind paying extra and don't mind the NSA having 
> access to their email. :) Regards, David.

That is giant tin-hat foil worthy! LOL.  I also do not know why 
Microsoft makes it so difficult but it really started to become 
difficult a while ago.  Really long before their cloud initiative.

So in the beginning for our issue, our firm implemented something 
similar and it's documented at http://www.pccc.com/downloads/ldap/ 
thanks primarily to Brian Landers <br...@packetslave.com>  and his 
work.  This is a nice solution that uses LDAP and queries it to build an 
access list with sendmail.

However, for our proprietary stuff, we had turned that concept on its 
head and used a program to push the data to the server (we call it 
Forward and Store Technology) and support sendmail and exchange. I'll 
see if I can share more about that.

Regards,
KAM



Re: Exchange 2013 and rejection of invalid RCPTs (was Re: one word spam (continued))

Posted by Joe Acquisto-j4 <jo...@j4computers.com>.
>>>> "David F. Skoll" <df...@roaringpenguin.com> 10/16/13 2:32 PM >>>
>. . . .as long as they don't mind
>paying extra and don't mind the NSA having access to their email. :)
>
>Regards,
>
>David.

Of course you mean "easier access"  . . . ?

joe a.



Re: Exchange 2013 and rejection of invalid RCPTs (was Re: one word spam (continued))

Posted by "David F. Skoll" <df...@roaringpenguin.com>.
On Wed, 16 Oct 2013 10:52:08 -0700
Ted Mittelstaedt <te...@ipinc.net> wrote:

> Just be aware that Microsoft's "standard" is to use LDAP queries to
> the AD.

True, and we support that.  But not everyone wants to open up their LDAP
to the outside world, even to a few outside IPs.

Furthermore, if you use Office 365 (Microsoft's hosted Exchange
product) you're out of luck.  I don't believe they give you LDAP
access, at least not unless you're a very large company.

> Go big or go elsewhere.

I think this is a deliberate strategy on the part of Microsoft.  I think
they're making Exchange so complicated and such a PITA that people give
up and go to the cloud, ideally to Office 365.  For many small companies,
going to the cloud probably makes lots of sense, as long as they don't mind
paying extra and don't mind the NSA having access to their email. :)

Regards,

David.

Re: Exchange 2013 and rejection of invalid RCPTs (was Re: one word spam (continued))

Posted by "David F. Skoll" <df...@roaringpenguin.com>.
On Tue, 22 Jul 2014 13:30:13 -0800
Kevin Miller <Ke...@ci.juneau.ak.us> wrote:

> I guess catting the output of the ldap
> query onto the access table and hash it once a night would be just as
> easy.  I'll give that test.

Another option, since you're running Sendmail, is to use a milter such
as MIMEDefang and do a real-time LDAP lookup for each RCPT command.
If the overhead is not too high, this is a nice solution because
any changes to Active Directory are immediately seen by Sendmail.

Regards,

David.

RE: Exchange 2013 and rejection of invalid RCPTs (was Re: one word spam (continued))

Posted by Kevin Miller <Ke...@ci.juneau.ak.us>.
At the moment I'm using smf-sav talking to Exchange 2007.  I mentioned virtualuser because that's what Ted said he was using to good effect.  I am using the access table as well, mostly to reject mail from specific places.  I guess catting the output of the ldap query onto the access table and hash it once a night would be just as easy.  I'll give that test.

Best...

 ...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357

-----Original Message-----
From: Kevin A. McGrail [mailto:KMcGrail@PCCC.com] 
Sent: Tuesday, July 22, 2014 12:01 PM
To: Kevin Miller; users@spamassassin.apache.org
Subject: Re: Exchange 2013 and rejection of invalid RCPTs (was Re: one word spam (continued))

On 7/22/2014 3:54 PM, Kevin Miller wrote:
> Resurrecting an old thread here.  We're finally migrating to Exchange 2013, and I have a script that will extract email addresses from ldap, but when looking at the virtualuser table it seems that it's used to map one address to another.  The script puts out addresses in the following format:
>    Some_User@ci.juneau.ak.us OK
>    suser@jnuairport.com OK
>    some_user@skijuneau.com OK
>
> Easy enough to strip the "OK" out in a bash script to create the virtualuser table, but what does the virtualuser table actually look like?  The preamble in the file in /etc/mail shows:

Why are you using virtusertable and not the access table?

regards,
KAM

Re: Exchange 2013 and rejection of invalid RCPTs (was Re: one word spam (continued))

Posted by "Kevin A. McGrail" <KM...@PCCC.com>.
On 7/22/2014 3:54 PM, Kevin Miller wrote:
> Resurrecting an old thread here.  We're finally migrating to Exchange 2013, and I have a script that will extract email addresses from ldap, but when looking at the virtualuser table it seems that it's used to map one address to another.  The script puts out addresses in the following format:
>    Some_User@ci.juneau.ak.us OK
>    suser@jnuairport.com OK
>    some_user@skijuneau.com OK
>
> Easy enough to strip the "OK" out in a bash script to create the virtualuser table, but what does the virtualuser table actually look like?  The preamble in the file in /etc/mail shows:

Why are you using virtusertable and not the access table?

regards,
KAM

RE: Exchange 2013 and rejection of invalid RCPTs (was Re: one word spam (continued))

Posted by Kevin Miller <Ke...@ci.juneau.ak.us>.
Resurrecting an old thread here.  We're finally migrating to Exchange 2013, and I have a script that will extract email addresses from ldap, but when looking at the virtualuser table it seems that it's used to map one address to another.  The script puts out addresses in the following format:
  Some_User@ci.juneau.ak.us OK
  suser@jnuairport.com OK
  some_user@skijuneau.com OK

Easy enough to strip the "OK" out in a bash script to create the virtualuser table, but what does the virtualuser table actually look like?  The preamble in the file in /etc/mail shows:

# Examples:
#
#info@foo.com           foo-info
#info@bar.com           bar-info
#joe@bar.com            error:nouser No such user here
#jax@bar.com            error:D.S.N:unavailable Address invalid
#@baz.org               jane@example.net

That's clear enough, but I'm not mapping one address to another - I'm just wanting to validate the entries that are in there.  Do I just create a single column file with the output from my ldap query script and hash it?  And after that sendmail will reject anything not in there?  Do I have to tweak sendmail.mc beyond 
  FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable.db')dnl 
to achieve the desired behavior of rejecting unknown inbound emails?

I'm unclear on what "and combine them with a fixed file" means in Ted's comments below.  Pearls of wisdom greatly appreciated...

 ...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357
-----Original Message-----
From: Ted Mittelstaedt [mailto:tedm@ipinc.net] 
Sent: Wednesday, October 16, 2013 9:52 AM
To: users@spamassassin.apache.org
Subject: Re: Exchange 2013 and rejection of invalid RCPTs (was Re: one word spam (continued))


Just be aware that Microsoft's "standard" is to use LDAP queries to the AD.  Every major commercial antispam product does this and you will save yourself a lot of work later when MS changes the next version of Exchange to not support the 2525 hack.  (which they could easily do) if you do it that way.

This issue has been discussed to the death elsewhere but I guess for me I can't understand why I would have to -pay- for a milter like milter-ahead when on my prefilter Sendmail server I can simply once a day issue an ldapsearch to the domain controller the exchange server is in, then strip the results down to just the email addresses and combine them with a fixed file then replace the virtusertable.

I can run clamav, and spamassassin on the prefilter and I don't have to fool with the ldap routing in sendmail or worry about uncontrolled access to the AD server.

But I realize that's a "large company" approach to the problem  and many people still want a single-server solution.  Well wake up folks, Exchange is a "large company" product nowadays.
We still have a few customers on honeymoons with exchange 2010 all-in-ones but they have all been given notice that Microsoft has provided no future roadmap for this approach.  Go big or go elsewhere.

Ted

Re: Exchange 2013 and rejection of invalid RCPTs (was Re: one word spam (continued))

Posted by Ted Mittelstaedt <te...@ipinc.net>.
Just be aware that Microsoft's "standard" is to use LDAP queries to the
AD.  Every major commercial antispam product does this and you will
save yourself a lot of work later when MS changes the next version of
Exchange to not support the 2525 hack.  (which they could easily do)
if you do it that way.

This issue has been discussed to the death elsewhere but I guess for me
I can't understand why I would have to -pay- for a milter like 
milter-ahead when on my prefilter Sendmail server I can simply once a 
day issue an ldapsearch to the domain controller the exchange server is 
in, then strip the results down to just the email addresses and
combine them with a fixed file then replace the virtusertable.

I can run clamav, and spamassassin on the prefilter and I don't have
to fool with the ldap routing in sendmail or worry about uncontrolled
access to the AD server.

But I realize that's a "large company" approach to the problem  and
many people still want a single-server solution.  Well
wake up folks, Exchange is a "large company" product nowadays.
We still have a few customers on honeymoons with exchange 2010
all-in-ones but they have all been given notice that Microsoft
has provided no future roadmap for this approach.  Go big or go
elsewhere.

Ted
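Ted's once-a-day pipeline, written out as an added example (not code from the thread or from any of the posters): it takes an ldapsearch LDIF export, unfolds and decodes it, keeps the smtp: addresses for the domains being validated, merges a fixed file of extra addresses, and emits a sendmail access map that refuses unknown recipients at RCPT TO, using the access table rather than virtusertable as KAM suggests. Assumed, not stated on the page: the export carries the mail and proxyAddresses attributes, sendmail is built with FEATURE(`blacklist_recipients') so To: entries apply to recipients, base64 is GNU coreutils, and DOMAINS, the function names and the sample export are all constructed for this example.

```shell
# Added example, not code from the thread: Ted's once-a-day pipeline
# (ldapsearch the DC, strip to addresses, merge a fixed file, rebuild the
# map) as a script. Assumed, not stated on the page: the export is LDIF
# with 'mail'/'proxyAddresses'; the target is a sendmail access map with
# FEATURE(`blacklist_recipients') so To: entries apply at RCPT time.
DOMAINS="ci.juneau.ak.us jnuairport.com skijuneau.com"   # domains we validate

# Unfold LDIF: a line starting with a space continues the previous one.
ldif_unfold() {
    awk 'NR > 1 && /^ / { printf "%s", substr($0, 2); next }
         NR > 1 { printf "\n" } { printf "%s", $0 } END { printf "\n" }'
}
# Decode base64 attributes ("attr:: value"), which AD emits for values
# with non-ASCII characters or trailing spaces. Assumes GNU base64 -d.
ldif_decode() {
    while IFS= read -r line; do
        case $line in
        *":: "*) printf '%s: %s\n' "${line%%::*}" "$(printf '%s' "${line#*:: }" | base64 -d)" ;;
        *)       printf '%s\n' "$line" ;;
        esac
    done
}
# SMTP addresses from 'mail' and 'proxyAddresses' (smtp:/SMTP: prefixes
# only; X400 and sip entries are ignored), lower-cased and de-duplicated.
ldif_addresses() {
    ldif_unfold | ldif_decode | awk '
        tolower($1) == "mail:" { print tolower($2) }
        tolower($1) == "proxyaddresses:" && tolower(substr($2, 1, 5)) == "smtp:" {
            print tolower(substr($2, 6)) }' | LC_ALL=C sort -u
}
# Keep only addresses in DOMAINS, so a stray entry in the fixed file
# cannot turn into an OK line for a domain we do not own.
in_our_domains() {
    awk -v doms="$DOMAINS" '
        BEGIN { n = split(doms, d, " "); for (i = 1; i <= n; i++) ok[d[i]] = 1 }
        { split($1, p, "@"); if (p[2] in ok) print $1 }'
}
# Access-map text: each known address OK, then a per-domain catch-all.
# sendmail tries the full address before the bare domain, so real users
# pass and everything else is refused at RCPT TO, before any scanning.
build_access() {   # $1 = LDIF export, $2 = fixed file of extra addresses
    { ldif_addresses < "$1"; tr 'A-Z' 'a-z' < "$2"; } |
        in_our_domains | LC_ALL=C sort -u | awk '{ print "To:" $0 "\tOK" }'
    for d in $DOMAINS; do
        printf 'To:%s\tERROR:5.1.1:550 No such user here\n' "$d"
    done
}
# Constructed sample export (not real directory data) plus a fixed file.
sample_ldif() {
    cat <<'EOF'
dn: CN=Some User,OU=Staff,DC=example,DC=test
mail: Some_User@ci.juneau.ak.us
proxyAddresses: SMTP:Some_User@ci.juneau.ak.us
proxyAddresses: smtp:suser@jnuairport.com
proxyAddresses: X400:c=US;a= ;p=Example;o=Exchange;s=User;g=Some;
proxyAddresses: smtp:some_user@skijune
 au.com

dn: CN=Shared Box,OU=Resources,DC=example,DC=test
mail:: c2hhcmVkQGNpLmp1bmVhdS5hay51cw==
proxyAddresses: sip:shared@ci.juneau.ak.us
EOF
}
sample_fixed() { printf 'postmaster@ci.juneau.ak.us\nAbuse@ci.juneau.ak.us\nsomeone@elsewhere.example\n'; }
```

For a real run, feed build_access the output of `ldapsearch -LLL ... '(mail=*)' mail proxyAddresses` and hash the result with `makemap hash /etc/mail/access < /etc/mail/access`. Because the map is rebuilt from a scheduled export, a dictionary attack against the relay never generates a query to the domain controller, which is the load problem KAM and Jason describe.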