# HG changeset patch # User Heiko Schlittermann (JUMPER) # Date 1399815512 -7200 # Node ID 823b583c7f723c3091ec5a6be9be0f04ba31723b # Parent a5163d6645bf8129ed02d62c53acf0bba0764aaa [snapshot] diff -r a5163d6645bf -r 823b583c7f72 Makefile --- a/Makefile Sun May 11 10:55:34 2014 +0200 +++ b/Makefile Sun May 11 15:38:32 2014 +0200 @@ -6,6 +6,7 @@ CONF = $(wildcard conf/*.conf) FRAMES = $(wildcard frames/*tex) IMAGES = $(notdir $(DIA:.dia=.pdf)) +OUT = $(wildcard out/*) .PHONY: clean @@ -14,7 +15,7 @@ rubber -d --clean mk2014.tex -rm -f *.vrb $(IMAGES) -mk2014.pdf: mk2014.tex $(IMAGES) $(FRAMES) $(TT) $(CONF) +mk2014.pdf: mk2014.tex $(IMAGES) $(FRAMES) $(TT) $(CONF) $(OUT) %.pdf: %.tex rubber -f -d $< diff -r a5163d6645bf -r 823b583c7f72 conf/acl.conf --- a/conf/acl.conf Sun May 11 10:55:34 2014 +0200 +++ b/conf/acl.conf Sun May 11 15:38:32 2014 +0200 @@ -7,9 +7,12 @@ accept domains = +local_domains local_parts = postmaster - …. + … require message = relaying denied domains = +local_domains + + require message = unknown recipient + verify = recipient/callout=use_sender,defer_ok … accept diff -r a5163d6645bf -r 823b583c7f72 frames/acl.tex --- a/frames/acl.tex Sun May 11 10:55:34 2014 +0200 +++ b/frames/acl.tex Sun May 11 15:38:32 2014 +0200 @@ -23,8 +23,9 @@ \end{frame} \begin{frame}[fragile]{Access Control Lists}{Konfiguration} -\tiny +\begin{small} \verbatiminput{conf/acl.conf} +\end{small} \end{frame} \subsection{Features} 
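Review bot: The new prerequisite list for `mk2014.pdf` adds `$(OUT)` but still carries `$(TT)`, and since this same commit moves every `*.tt` sample into `out/`, `$(TT)` (defined above the hunk, so I cannot see its pattern) presumably expands to nothing now and is dead text for the next reader; either drop it or redefine it to point at `out/`. `OUT = $(wildcard out/*)` matches the file's `=` convention, but globbing a whole directory also picks up editor backups and stray files and re-triggers the PDF build on them, so `OUT := $(wildcard out/*.tt) $(wildcard out/acl*)` or an explicit list keeps the dependency honest and evaluates the glob once. The `clean` rule correctly leaves `out/` untouched, which is consistent with these being hand-captured inputs rather than build products; a one-line comment above `OUT` saying so would prevent someone from adding them to `clean` later.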
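Review bot: `verify = recipient/callout=use_sender,defer_ok` fails open: when the callout to the backend cannot complete (host down, timeout), `defer_ok` treats the recipient as verified, so exactly when the backend is unreachable this MX accepts mail for unknown local parts and later bounces it — backscatter; if that is intended the slide should say so, otherwise drop `defer_ok` and let the RCPT get a 4xx so the sending MTA retries. Because every Internet RCPT for a `+local_domains` address now triggers an outbound SMTP session carrying the real envelope sender, a remote client can drive a callout storm against the backend and enumerate valid addresses from the 250/550 answers; a `ratelimit` condition ahead of this statement (and relying on the callout cache and default timeouts) bounds both. `use_sender` also discloses the actual sender to the backend and, as far as I recall the Exim spec, restricts caching of the callout result, so that trade-off belongs in the slide text next to this line. The ACL this statement belongs to starts above the hunk.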
@@ -44,3 +45,48 @@ \item Generische Bedingung \verb+condition =+ \end{itemize} \end{frame} + + +\subsection{Beispiel} + +\begin{frame}[<+->][fragile]{Access Control Lists}{Beispiel} +\begin{block}{Aufgabe} +Alle Empfänger müssen der selben Domain angehören (z.B. weil wir +domainspezifische Spam-Policies haben) +\end{block} +\begin{block}{Lösung} +\begin{small} +\begin{alltt} +begin acl + + acl_check_rcpt: + … +\pause + defer !acl = same_domain + accept +\pause + same_domain: + accept condition = $\{if !def:acl_m_domain\} + set acl_m_domain = $domain + + accept domains = $acl_m_domains + + deny +\end{alltt} +\end{small} +\end{block} +\end{frame} + + +\begin{frame}[<+->][fragile]{Access Control Lists}{Test 1} +\begin{scriptsize} +\verbatiminput{out/acl1} +\end{scriptsize} +\end{frame} + +\begin{frame}[<+->][fragile]{Access Control Lists}{Test 2} +\begin{scriptsize} +\verbatiminput{out/acl2} +\end{scriptsize} +\pause +\end{frame} diff -r a5163d6645bf -r 823b583c7f72 frames/logging.tex --- a/frames/logging.tex Sun May 11 10:55:34 2014 +0200 +++ b/frames/logging.tex Sun May 11 15:38:32 2014 +0200 
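Review bot: In the `same_domain` ACL the second statement reads `accept domains = $acl_m_domains`, but the variable set one line earlier is `acl_m_domain`; an unset `acl_m_*` variable expands to the empty string in Exim, so the domain list would be empty, every second recipient would fall through to `deny`, and the caller's `defer !acl = same_domain` would 4xx even same-domain recipients — the line should read `accept domains = $acl_m_domain`. The `defer` carries no `message =`, so clients get Exim's generic 451 text, whereas the capture in out/acl2 shows a custom one (`451 multiple recipients for differend domains`), which suggests the slide and the tested configuration differ; adding `message = multiple recipients for different domains` to the slide closes that gap and fixes the typo the capture shows. The example also relies on `acl_m_domain` being reset between messages on the same connection, which is what keeps the first-domain latch from leaking into the next message; a short note on the slide about when `acl_m_*` values are cleared would make that explicit.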
@@ -1,30 +1,34 @@ \section{Logging} -\begin{frame}[fragile]{Logging} +\begin{frame}[<+->][fragile]{Logging} Sicherheit heißt auch Logging. Auskunft über das Verarbeiten der -Nachricht. Gesteuert wird u.a. über \verb=log_selector=, \verb=log_write=, +Nachricht. Gesteuert wird über \verb=log_selector=, \verb=log_write=, \verb=debug_print=. +\pause +Kein Logging bedeutet Fehler 4xx! +\pause \begin{description} -\item[mainlog] alle relevanten Transaktionen, dokumentiertes, - maschinenlesbares Format +\item[mainlog] alle relevanten Transaktionen, \emph{dokumentiertes} + menschen- und maschinenlesbares Format \item[rejectlog] Details zu abgewiesenen Nachrichten \item[paniclog] Konfigurationsfehler, schwere Probleme -\item[messagelog] Transaktionen zu einer spezifischen Nachricht \item[syslog] Fallback, wenn nicht mal mehr paniclog geht +\item[messagelog] Transaktionen zu einer spezifischen Nachricht bis + zur „completion“ \end{description} \scriptsize \begin{alltt} -\input{msglog.tt} +\input{out/msglog.tt} \end{alltt} \end{frame} \begin{frame}[fragile]{Logging}{mainlog} \scriptsize -\verbatiminput{mainlog.tt} +\verbatiminput{out/mainlog.tt} \end{frame} \begin{frame}[fragile]{Logging}{rejectlog} \scriptsize -\verbatiminput{rejectlog.tt} +\verbatiminput{out/rejectlog.tt} \end{frame} diff -r a5163d6645bf -r 823b583c7f72 mainlog.tt --- a/mainlog.tt Sun May 11 10:55:34 2014 +0200 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
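Review bot: `\verbatiminput{out/mainlog.tt}` and `\verbatiminput{out/rejectlog.tt}` will typeset the `\B` markers that the new `out/*.tt` files contain literally, since verbatim input performs no macro expansion, whereas `\input{out/msglog.tt}` inside `alltt` will expand `\B` as a command; unless a preprocessing step strips the markers (nothing in this patch shows one), the mainlog and rejectlog frames will display stray `\B` text. Either route all three files through the same `alltt` + `\input` path or keep the markers out of the verbatim ones. The frame also asserts `Kein Logging bedeutet Fehler 4xx!` with no explanation; a half-sentence on what makes Exim answer 4xx when it cannot write its log would let the audience verify the claim.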
@@ -1,23 +0,0 @@ -14:13:04 1Wi0ie-0005e8-Q7 <= wwwrun@emarsys.net H=mx.net.schlittermann.de [84.19.194.2] I=[84.19.194.3]:587 - P=esmtps X=TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128 - S=51433 id=0.1.B1.FAE.1CF69EDB12C0806.0@pmta40192.emarsys.net -14:13:05 1Wi0ie-0005e8-Q7 => raabe@example.com - F= - R=domain_forward T=smtp - H=mail.example.com [71.81.118.92] X=TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128 - C="250 OK id=1Wi0if-0008Kc-Et" - QT=1s DT=1s -14:13:05 1Wi0ia-0005dq-Ha => cwinkler@example.org F= - R=domain_forward T=smtp - H=diw.vpn.schlittermann.de [10.10.10.18] X=TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128 - C="250 OK id=1Wi0ig-00035h-Iq" QT=7s DT=7s -14:13:05 1Wi0ie-0005e8-Q7 Completed QT=1s -14:13:07 1Wi0ia-0005dq-Ha Completed QT=7s -14:13:07 1Wi0ih-0005ew-Lw <= agent@ukrs394971.pur3.net H=mx.net.schlittermann.de [84.19.194.2] I=[84.19.194.3]:587 - P=esmtps X=TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128 - S=17836 id=0.0.C9.E5D.1CF69EDAA039062.0@mta20135.pur3.net -14:13:13 1Wi0ih-0005ew-Lw => info@diw-bau.de F= - R=domain_forward T=smtp - H=diw.vpn.schlittermann.de [10.10.10.18] X=TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128 - C="250 OK id=1Wi0in-00035n-Ht" QT=6s DT=6s -14:13:13 1Wi0ih-0005ew-Lw Completed QT=6s diff -r a5163d6645bf -r 823b583c7f72 msglog.tt --- a/msglog.tt Sun May 11 10:55:34 2014 +0200 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,8 +0,0 @@ -$ exim -Mvl 1Whwqz-00019E-Hg -2014-05-07 10:05:25 Received from a.bohl@example.com H=mout.foobar.com - (wotan.wgnd.lokal) [12.8.252.26] - I=[84.19.194.3]:587 P=esmtps X=TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128 - S=3995 id=5369E8CA.1030704@foobar.com T="Monte Timaro" -2014-05-07 10:06:28 gmail.de [173.194.70.18] Connection timed out -… -2014-05-07 10:09:38 hans@gmail.de R=dnslookup T=smtp defer (110): Connection timed out diff -r a5163d6645bf -r 823b583c7f72 out/acl1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/out/acl1 Sun May 11 15:38:32 2014 +0200 
@@ -0,0 +1,30 @@ +$ swaks --pipe 'exim -bh 8.8.8.8' -f … -t info@example.org,office@example.org -q rcpt +<- +<- **** SMTP testing session as if from host 8.8.8.8 +<- **** but without any ident (RFC 1413) callback. +<- **** This is not for real! +<- +<- 220 jumper.Speedport_W_724V_Typ_A_05011602_00_001 ESMTP Exim 4.80 Sun, 11 May 2014 14:55:35 +0200 + -> EHLO jumper.schlittermann.de +<- 250-jumper.Speedport_W_724V_Typ_A_05011602_00_001 Hello jumper.schlittermann.de [8.8.8.8] +<- 250-SIZE 52428800 +<- 250-8BITMIME +<- 250-PIPELINING +<- 250 HELP + -> MAIL FROM: +<- 250 OK + -> RCPT TO: +>>> using ACL "acl_check_rcpt" +>>> processing "require" +>>> check domains = +local_domains +>>> example.org in "example.com : example.org"? yes (matched "example.org") +>>> example.org in "+local_domains"? yes (matched "+local_domains") +>>> check verify = recipient +… +>>> accept: condition test succeeded in ACL "acl_check_rcpt" +<- 250 Accepted + -> RCPT TO: +… +<- 250 Accepted + -> QUIT +<- 221 jumper.Speedport_W_724V_Typ_A_05011602_00_001 closing connection diff -r a5163d6645bf -r 823b583c7f72 out/acl2 --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/out/acl2 Sun May 11 15:38:32 2014 +0200 
@@ -0,0 +1,21 @@ +$ swaks --pipe 'exim -bh 8.8.8.8' -f … -t info@example.org,office@example.org -q rcpt +<- +<- **** SMTP testing session as if from host 8.8.8.8 +<- **** but without any ident (RFC 1413) callback. +<- **** This is not for real! +<- +<- 220 jumper.Speedport_W_724V_Typ_A_05011602_00_001 ESMTP Exim 4.80 Sun, 11 May 2014 15:16:37 +0200 + -> EHLO jumper.schlittermann.de +<- 250-jumper.Speedport_W_724V_Typ_A_05011602_00_001 Hello jumper.schlittermann.de [8.8.8.8] +<- 250-SIZE 52428800 +<- 250-8BITMIME +<- 250-PIPELINING +<- 250 HELP + -> MAIL FROM: +<- 250 OK + -> RCPT TO: +<- 250 Accepted + -> RCPT TO: +<** 451 multiple recipients for differend domains + -> QUIT +<- 221 jumper.Speedport_W_724V_Typ_A_05011602_00_001 closing connection diff -r a5163d6645bf -r 823b583c7f72 out/mainlog.tt --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/out/mainlog.tt Sun May 11 15:38:32 2014 +0200 
@@ -0,0 +1,24 @@ +14:13:04 1Wi0ie-0005e8-Q7 <= wwwrun@emarsys.net H=mx.net.schlittermann.de [84.19.194.2]\B + I=[84.19.194.3]:587\B + P=esmtps X=TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128\B + S=51433 id=0.1.B1.FAE.1CF69EDB12C0806.0@pmta40192.emarsys.net +14:13:05 1Wi0ie-0005e8-Q7 => raabe@example.com\B + F=\B + R=domain_forward T=smtp\B + H=mail.example.com [71.81.118.92] X=TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128\B + C="250 OK id=1Wi0if-0008Kc-Et"\B + QT=1s DT=1s +14:13:05 1Wi0ia-0005dq-Ha => cwinkler@example.org F=\B + R=domain_forward T=smtp\B + H=diw.vpn.schlittermann.de [10.10.10.18] X=TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128 + C="250 OK id=1Wi0ig-00035h-Iq" QT=7s DT=7s +14:13:05 1Wi0ie-0005e8-Q7 Completed QT=1s +14:13:07 1Wi0ia-0005dq-Ha Completed QT=7s +14:13:07 1Wi0ih-0005ew-Lw <= agent@ukrs394971.pur3.net H=mx.net.schlittermann.de [84.19.194.2] I=[84.19.194.3]:587\B + P=esmtps X=TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128\B + S=17836 id=0.0.C9.E5D.1CF69EDAA039062.0@mta20135.pur3.net +14:13:13 1Wi0ih-0005ew-Lw => info@diw-bau.de F= + R=domain_forward T=smtp\B + H=diw.vpn.schlittermann.de [10.10.10.18] X=TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128\B + C="250 OK id=1Wi0in-00035n-Ht" QT=6s DT=6s +14:13:13 1Wi0ih-0005ew-Lw Completed QT=6s diff -r a5163d6645bf -r 823b583c7f72 out/msglog.tt --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/out/msglog.tt Sun May 11 15:38:32 2014 +0200 @@ -0,0 +1,8 @@ +$ exim -Mvl 1Whwqz-00019E-Hg +2014-05-07 10:05:25 Received from a.bohl@example.com H=mout.foobar.com\B + (wotan.wgnd.lokal) [12.8.252.26]\B + I=[84.19.194.3]:587 P=esmtps X=TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128\B + S=3995 id=5369E8CA.1030704@foobar.com T="Monte Timaro" +2014-05-07 10:06:28 gmail.de [173.194.70.18] Connection timed out +… +2014-05-07 10:09:38 hans@gmail.de R=dnslookup T=smtp defer (110): Connection timed out diff -r a5163d6645bf -r 823b583c7f72 out/rejectlog.tt --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/out/rejectlog.tt Sun May 11 15:38:32 2014 +0200 
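Review bot: The mainlog sample is only half anonymized: `raabe@example.com` and `cwinkler@example.org` are masked, but `info@diw-bau.de`, `wwwrun@emarsys.net`, `agent@ukrs394971.pur3.net`, the MX addresses `84.19.194.2/3` and the internal VPN host `diw.vpn.schlittermann.de [10.10.10.18]` are not; if these are real, the deck publishes a customer address together with an internal hostname and RFC 1918 topology, so mask them consistently (example.* domains, documentation ranges such as 192.0.2.0/24) before it is shared. The `\B` continuation markers are also uneven — the `H=diw.vpn…` line of the second delivery and the `info@diw-bau.de F=` line lack them while the parallel lines above carry them — which only matters if `\B` drives the rendering, but is worth aligning so the frame breaks consistently. Whether anything consumes `\B` before the file reaches `\verbatiminput` is not visible in this hunk.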
@@ -0,0 +1,26 @@ +06:30:13 1WhtSh-0004KX-Ta H=(ete4g.com) [174.36.30.154] I=[84.19.194.2]:25\B + F= rejected after DATA: spam 9 +Envelope-from: +Envelope-to: +P Received: from [174.36.30.154] (helo=ete4g.com) + by mx.net.schlittermann.de with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256) + (Exim 4.80) + (envelope-from ) + id 1WhtSh-0004KX-Ta + for info@example-dresden.de; Wed, 07 May 2014 06:28:08 +0200 +P Received: from [58.61.157.29] (port=55782 helo=WIN-5JAQ6OH8L0P) + by spoon.arvixe.com with esmtpa (Exim 4.80.1) + (envelope-from ) + id 1WhtSa-0002vh-7B + for info@example-dresden.de; Tue, 06 May 2014 21:28:01 -0700 + Disposition-Notification-To: winni@ttm-group.com.cn + MIME-Version: 1.0 +F From: winni +S Sender: ete39@ete4g.com +T To: info@example-dresden.de +R Reply-To: winni@ttm-group.com.cn + Date: 7 May 2014 12:27:48 +0800 + Subject: Fw: cooperation for plastic and Metal parts + Content-Type: text/html; charset=utf-8 + Content-Transfer-Encoding: base64 + diff -r a5163d6645bf -r 823b583c7f72 rejectlog.tt --- a/rejectlog.tt Sun May 11 10:55:34 2014 +0200 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,26 +0,0 @@ -06:30:13 1WhtSh-0004KX-Ta H=(ete4g.com) [174.36.30.154] I=[84.19.194.2]:25 - F= rejected after DATA: spam 9 -Envelope-from: -Envelope-to: -P Received: from [174.36.30.154] (helo=ete4g.com) - by mx.net.schlittermann.de with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256) - (Exim 4.80) - (envelope-from ) - id 1WhtSh-0004KX-Ta - for info@example-dresden.de; Wed, 07 May 2014 06:28:08 +0200 -P Received: from [58.61.157.29] (port=55782 helo=WIN-5JAQ6OH8L0P) - by spoon.arvixe.com with esmtpa (Exim 4.80.1) - (envelope-from ) - id 1WhtSa-0002vh-7B - for info@example-dresden.de; Tue, 06 May 2014 21:28:01 -0700 - Disposition-Notification-To: winni@ttm-group.com.cn - MIME-Version: 1.0 -F 
From: winni -S Sender: ete39@ete4g.com -T To: info@example-dresden.de -R Reply-To: winni@ttm-group.com.cn - Date: 7 May 2014 12:27:48 +0800 - Subject: Fw: cooperation for plastic and Metal parts - Content-Type: text/html; charset=utf-8 - Content-Transfer-Encoding: base64 -