# HG changeset patch # User Heiko Schlittermann (JUMPER) # Date 1426717401 -3600 # Node ID ac1700753eea6bc9564de7f84bfb0937114066ab # Parent f5fb56d00192a2176f89e5c1633dfe873c825f8c Angepasst für CLT 2015 in Chemnitz diff -r f5fb56d00192 -r ac1700753eea .hgsubstate --- a/.hgsubstate Wed Mar 18 12:01:27 2015 +0100 +++ b/.hgsubstate Wed Mar 18 23:23:21 2015 +0100 @@ -1,2 +1,2 @@ 04b3ed996d32a360a3f680391d4b265ea3b9e7dc emig -947cbd7e455c104678e33af49ada30e3f9fb47a3 smart-config +d62e15c7bccfba7b76945c69a5007ef65c25d5ea smart-config diff -r f5fb56d00192 -r ac1700753eea clt2015.tex --- a/clt2015.tex Wed Mar 18 12:01:27 2015 +0100 +++ b/clt2015.tex Wed Mar 18 23:23:21 2015 +0100 @@ -6,9 +6,10 @@ %\usetheme{Dresden} \usepackage{lmodern} \title[Exim]{Exim - MTA-Framework oder MTA?} -\subtitle{Mailserver-Konferenz Berlin 2014} +\subtitle{Chemnitzer Linuxtage 2015} \author[H. Schlittermann]{Heiko Schlittermann} \institute{schlittermann - internet \& unix support, Dresden} + \date{21.\,März\ 2015} \newcommand{\BS}{$\backslash$} \newcommand{\B}{$\hookleftarrow$} diff -r f5fb56d00192 -r ac1700753eea frames/acl.tex --- a/frames/acl.tex Wed Mar 18 12:01:27 2015 +0100 +++ b/frames/acl.tex Wed Mar 18 23:23:21 2015 +0100 @@ -14,11 +14,11 @@ \pause Die Zuordnung der SMTP-Phasen zu den ACL-Blöcken ist frei. \begin{verbatim} - acl_smtp_connect = … - … - acl_smtp_rcpt = acl_check_rcpt - acl_smtp_data = … - … + acl_smtp_connect = … + … + acl_smtp_rcpt = acl_check_rcpt + acl_smtp_data = … + … \end{verbatim} \end{frame} 
@@ -31,23 +31,25 @@ \subsection{Features} \begin{frame}[<+->][fragile]{Access Control Lists}{Features} -\begin{itemize} - \item Zugriff auf alles, was an Information verfügbar ist - \item Ratelimit mit beliebigen Keys - \item Überprüfung von Adressen \verb+verify = recipient+ - \item Callout zur Überprüfung \verb+verify = recipient/callout=use_sender,defer_ok+ - \item DNS-Blacklists \verb+dnslists = sbl.spamhaus.org+ - \item Authentifizierte Verbindung \verb+authenticated = *+ - \item Verschlüsselte Verbindung \verb+encrypted = *+ - \item Content-Scan \verb+malware = *+, \verb+spam = …+ - \item Header-Syntax \verb+verify = header_syntax+ - \item Reverse-DNS \verb+verify = reverse_host_lookup+ - \item Generische Bedingung \verb+condition =+ + Zugriff auf \textbf{alles}, was an Information verfügbar ist, u.a.: + \begin{itemize} + \item Ratelimit mit beliebigen Keys: \verb+ratelimit = 10/2h/$sender_host_address+ + \item Überprüfung von Adressen (Routing): \verb+verify = recipient+ + \item Überprüfung von Adressen (Callout): \verb+verify = recipient/callout=use_sender,defer_ok+ + \item DNS-Blacklists: \verb+dnslists = sbl.spamhaus.org+ + \item Authentifizierte Verbindung: \verb+authenticated = *+ + \item Verschlüsselte Verbindung: \verb+encrypted = *+ + \item Content-Scan: \verb+malware = *+, \verb+spam = …+ + \item Header-Syntax: \verb+verify = header_syntax+ + \item Header-Absender: \verb+verify = header_sender+ + \item SSL: \verb+verify = certificate+ + \item Reverse-DNS: \verb+verify = reverse_host_lookup+ + \item Generische Bedingung: \verb+condition = …+ \end{itemize} \end{frame} -\subsection{Beispiel} +\subsection{Beispiel ACL} \begin{frame}[<+->][fragile]{Access Control Lists}{Beispiel} \begin{block}{Aufgabe} @@ -62,7 +64,8 @@ acl_check_rcpt: … \pause - defer !acl = same_domain + defer message = multiple recipients with same domain only + !acl = same_domain accept \pause same_domain: diff -r f5fb56d00192 -r ac1700753eea frames/anatomie.tex 
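Review bot: The new bullet `SSL: \verb+verify = certificate+` mislabels what the condition tests: in Exim, `verify = certificate` is true only when the session is encrypted and the *client* presented a certificate that was verified against tls_verify_certificates (the server requests one only for hosts in tls_verify_hosts/tls_try_verify_hosts), so it is a client-certificate check, not a TLS check — TLS presence is the `encrypted = *` bullet, which in turn says nothing about any certificate having been validated. Suggest `\item TLS-Clientzertifikat (verifiziert): \verb+verify = certificate+`. The callout bullet would also benefit from a caveat on the slide: `callout=use_sender` makes the probe use the real envelope sender and `defer_ok` accepts the address when the remote MX merely tempfails, so the check is best-effort and every RCPT can trigger outbound SMTP to third-party hosts; a comment such as `% Callout: Last auf fremden MX, Cache-Expiry beachten` next to that line would help whoever presents this.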
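Review bot: The new defer message `multiple recipients with same domain only` is hard to parse for the remote operator who sees the 451, and it does not match the captured session in out/acl2 of this same changeset, which shows `451 multiple recipient with same domain only` under an ACL named acl_check_recipient while the slide calls it acl_check_rcpt — so the demo output was evidently not regenerated from the configuration on the slide. Suggest `defer message = all recipients of one message must share a domain` and re-capturing out/acl1 and out/acl2 from exactly this config. The bodies of acl_check_rcpt and same_domain continue outside the hunk.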
--- a/frames/anatomie.tex Wed Mar 18 12:01:27 2015 +0100 +++ b/frames/anatomie.tex Wed Mar 18 23:23:21 2015 +0100 @@ -3,8 +3,8 @@ \begin{frame}[<+->]{Arbeitsweise und Anatomie}{Überblick} \begin{itemize} \item Binary ist ein ca 1\,MB großer Universalklumpen - \item Einfache Struktur der operativen Daten - 2 Files je - Message, Spool in 16 Verzeichnissen + \item Einfache Struktur der operativen Daten - 2 Text-Files je + Message + ggf. 1 Messagelog, Spoolhierarchie in 16 Verzeichnissen \item Keine aufwändigen IPC - nichts, außer fork(2) oder exec(3) \item Wenig gemeinsam genutzte Daten - nur „Hint“-Files \item Ohoh - setuid 0! @@ -19,7 +19,8 @@ \item Empfang \begin{description} \item[authenticators] Eventuell SMTP-Authentifizierung - \item[acl] mit Ratelimit, Blacklists, Adressüberprüfungen, Contentscan + \item[acl] mit Ratelimit, Blacklists, Adressüberprüfungen, + Inhaltsüberprüfung \end{description} \item Start des Sendeprozesses \begin{description} diff -r f5fb56d00192 -r ac1700753eea frames/emig.tex --- a/frames/emig.tex Wed Mar 18 12:01:27 2015 +0100 +++ b/frames/emig.tex Wed Mar 18 23:23:21 2015 +0100 @@ -1,14 +1,14 @@ \subsection{EmiG} -\begin{frame}[<+->][fragile]{Beispiel}{Emig} +\begin{frame}[<+->][fragile]{Beispiel: DANE für Arme}{Emig} \begin{block}{Aufgabenstellung} -Es existiere ein JSON-File, in dem je MX-Host die +Es existiere ein JSON-File (\verb=mxinfra.json=), in dem je MX-Host die SSL-Zertifikatsinformation liegt. Nun soll Exim, wenn er sich mit einem dieser Hosts verbindet, prüfen, ob das korrekte Zertifikat präsentiert wird. \end{block} \begin{block}{Lösung} \begin{itemize} - \item Perl-Script generiert aus dem mxinfra.json-File eine Ordnerstruktur + \item Perl-Script generiert aus dem mxinfra-File eine Ordnerstruktur mit Zertifikaten \verb=emig.d/certs/= \item Transport prüft das Zertifikat zum aktuellen Ziel-Host \verbatiminput{conf/emig-transport.conf} diff -r f5fb56d00192 -r ac1700753eea frames/exim.tex 
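Review bot: The "DANE für Arme" slide never states what the transport does when the presented certificate does not match the pinned one — defer and keep the message queued, or fall back to unverified TLS or plaintext — and that decision is the whole security property of the scheme, since an attacker who can make the match fail could otherwise steer delivery down the weaker path. Suggest a third `\item` under Lösung naming the behaviour, e.g. `\item Bei Mismatch: Zustellung wird verzögert (defer), kein Fallback`; the transport definition is pulled in from conf/emig-transport.conf, outside this diff, so I cannot confirm which it currently is. Because mxinfra.json is the trust root here, one sentence on where it comes from and how it is updated belongs on the slide, and since out/exim-bV.tt in this changeset shows the demo binary built with Experimental_DANE, a short contrast with DNSSEC-backed DANE (hosts_try_dane/hosts_require_dane on the smtp transport, if I recall the 4.85 option names correctly) would be natural.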
--- a/frames/exim.tex Wed Mar 18 12:01:27 2015 +0100 +++ b/frames/exim.tex Wed Mar 18 23:23:21 2015 +0100 @@ -4,12 +4,13 @@ \begin{frame}[<+->][fragile]{Exim}{Entwicklung} \begin{itemize} \item \textbf{Ex}perimental \textbf{I}nternet \textbf{M}ailer - \item seit 1995 Phil Hazel, seit ca. 2007 ca. 5…8 Aktive Entwickler + \item seit 1995 Phil Hazel, seit ca. 2007 ca. 5…8 aktive Entwickler \item klassisch Unix: traditionelle Konfiguration und traditionelles Prozess-Management - \item aktuell stabil 4.82 von Oktober 2013 - \item Releases ca. 1x Jahr - \item 7.12.2010 - großes Sicherheitsproblem - \item ca. 40\% der erreichbaren MTA sind Exim + \item aktuell stabil 4.85 von Januar 2015 + \item Releases ca. 1…2x Jahr + \item !! 12/2010 - großes Sicherheitsproblem für $\le$ 4.72, seit 2010 + ca. 10 CVEs + \item keine genauen Zahlen über Verbreitung \end{itemize} \end{frame} diff -r f5fb56d00192 -r ac1700753eea frames/konfiguration.tex --- a/frames/konfiguration.tex Wed Mar 18 12:01:27 2015 +0100 +++ b/frames/konfiguration.tex Wed Mar 18 23:23:21 2015 +0100 @@ -19,7 +19,7 @@ \begin{frame}[<+->][fragile]{Konfiguration}{Struktur} Strukturiertes Konfigurationsfile mit mehreren Abschnitten, teilweise miteinander verlinkt (Router referenziert Tranports, globaler Teil -referenziert ACL) +referenziert ACL, ACL nutzt Router) \pause \begin{small} \begin{verbatim} @@ -32,7 +32,7 @@ \end{small} \pause \begin{description} - \item[global] knapp 240 allgemeine Direktiven + \item[(global)] etwa 250 allgemeine Direktiven \item[acl] Access Control Lists für SMTP \item[routers] Routing-Regeln (genutzt auch von ACL) \item[transports] Transport-Mechanismen @@ -47,8 +47,7 @@ \begin{frame}[fragile]{Konfiguration}{Syntax} \begin{block}{Macros, Kommentar, lange Zeilen} \begin{verbatim} - # Super! - CF = /etc/exim4/ + # Kommentar sind Zeichen für schlechte Konfiguration :) USER_BASE = ou=users,BASE BASE = dc=example,dc=com received_header_text = Received: ${if def:sender_rcvhost \ 
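Review bot: The bullet `!! 12/2010 - großes Sicherheitsproblem für $\le$ 4.72` folds two different issues into one version bound: as far as I recall, the December 2010 incident was a remotely exploitable heap overflow in string_vformat() affecting Exim before 4.70 (CVE-2010-4344), whereas the `\le 4.72` bound belongs to the local root escalation through an alternate configuration file supplied by the exim user (CVE-2010-4345, closed in 4.73 by restricting -C/-D). Naming both makes the `seit 2010 ca. 10 CVEs` figure checkable and ties in with the `Ohoh - setuid 0!` bullet on the anatomy slide. Suggest `\item !! 12/2010 - Remote Code Execution ($<$ 4.70, CVE-2010-4344) + lokale Rechteausweitung ($\le$ 4.72, CVE-2010-4345); seit 2010 ca. 10 CVEs`.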
@@ -82,10 +81,10 @@ \begin{description} \item[Variablen] \verb=$local_part=, \verb=${local_part}= \item[Operatoren] \verb=${md5:$local_part}=, \verb=${uc:$domain}= -\item[Manipulation] \verb=${sg{$local_part}{.laus}{XXX}}= +\item[Funktionen] \verb=${sg{$local_part}{.laus}{XXX}}= \item[Bedingungen] \verb=${if eq{$local_part}{x}{~/mbox}{~/.mail}}= -\item[Key-Lookup] \verb=${lookup{$local_part}lsearch{/etc/aliases}}= -\item[Query-Lookup] \verb+${lookup dnsdb{mx=example.com}}+ +\item[Lookup (Key)] \verb=${lookup{$local_part}lsearch{/etc/aliases}}= +\item[Lookup (Query)] \verb=${lookup psql{SELECT …}}= \end{description} \end{frame} @@ -99,10 +98,12 @@ ${perl{}[{}…]} \end{verbatim} \pause -\begin{block}{Greylisting} +\begin{block}{Beispiel: Greylisting} \begin{verbatim} + # source: http://schlittermann.de/doc/grey GREYKEY = $sender_address/$local_part@$domain - perl_startup = do '/etc/exim4/exim-exigrey.pl' + # sub unseen() from perl script + perl_startup = do '/etc/exim4/exim-exigrey.pm' acl_smtp_rcpt = acl_check_rcpt … begin acl diff -r f5fb56d00192 -r ac1700753eea frames/routing.tex --- a/frames/routing.tex Wed Mar 18 12:01:27 2015 +0100 +++ b/frames/routing.tex Wed Mar 18 23:23:21 2015 +0100 @@ -16,7 +16,7 @@ \end{description} \item Routerblock \begin{verbatim} - dnslookup: + remote: driver = dnslookup domains = ! +local_domains transport = remote_smtp @@ -27,7 +27,7 @@ \begin{frame}[<+->][fragile]{Routing}{Treiber} Treiber legt das Verhalten des Routers fest, alle Treiber -sind parametrisierbar (ca. 40 allgemeine Optionen, dnslookup ca 15 +sind parametrisierbar (ca. 40 allgemeine Optionen, \textsl{dnslookup} ca. 15 spezifische Optionen) \begin{description} \item[dnslookup] Klassiker - MX, A/AAAA diff -r f5fb56d00192 -r ac1700753eea frames/smart.tex --- a/frames/smart.tex Wed Mar 18 12:01:27 2015 +0100 +++ b/frames/smart.tex Wed Mar 18 23:23:21 2015 +0100 
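Review bot: The new `Lookup (Query)` example `${lookup psql{SELECT …}}` names a lookup type Exim does not have — the PostgreSQL lookup is `pgsql`, as the -bV output later in this changeset lists it. It is also the one example on this slide where untrusted input (`$local_part`, `$sender_address`, …) would typically be interpolated into a query, and nothing hints that Exim does not quote for you: such variables must be wrapped in `${quote_pgsql:…}` (likewise `${quote_mysql:…}`, `${quote_ldap:…}`), otherwise a remote sender controls the SQL. Suggest showing the safe form, `\item[Lookup (Query)] \verb=${lookup pgsql{SELECT … WHERE user='${quote_pgsql:$local_part}'}}=`.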
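Review bot: `perl_startup = do '/etc/exim4/exim-exigrey.pm'` fails silently if the file is missing, unreadable or does not compile — Perl's `do FILE` returns undef and sets `$@`/`$!` instead of dying — so the problem only surfaces later as "Undefined subroutine &main::unseen" when the ACL expands `${perl{unseen}}`, i.e. during RCPT handling rather than at interpreter start. For the slide, `perl_startup = require '/etc/exim4/exim-exigrey.pm'` fails fast (provided the file ends with a true value, which a .pm conventionally does); and since this code runs inside the Exim process, possibly with elevated privileges depending on when the interpreter is started, a comment that the file must be root-owned and not writable by the exim user is worth adding. The verbatim block continues past the end of the hunk.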
@@ -1,6 +1,6 @@ \subsection{Viele Smarthosts} -\begin{frame}[<+->][fragile]{Beispiel}{Smarthost - Vorversuche} +\begin{frame}[<+->][fragile]{Beispiel: Source based Routing}{Viele Smarthosts - Vorversuche} \begin{block}{Aufgabe} Wir haben mehrere Smarthosts und müssen je nach Sender-Adresse über einen anderen Smarthost versenden. @@ -16,14 +16,14 @@ smtp.km21.com km433221 zecrit\pause > $\{sg\{smtp.km21.com km433221 zecrit\}\{\BS\BS{}s+\}\{\BS{}t\}\} smtp.km21.com km433221 secrit\pause - > $\{extract\{1\}\{\BS{}t\}\{smtp.km21.com km433221 secrit\}\} + > $\{extract\{1\}\{\BS{}t\}\{smtp.km21.com km433221 zecrit\}\} smtp.km21.com\pause \pause \end{alltt} \end{block} \end{frame} -\begin{frame}[<+->][fragile]{Beispiel}{Viele Smarthosts - Config} +\begin{frame}[<+->][fragile]{Beispiel}{Viele Smarthosts - Macros} Das kann jetzt schön in Macros verpackt werden, damit es übersichtlich wird: \begin{verbatim} @@ -36,7 +36,7 @@ \end{verbatim} \end{frame} -\begin{frame}[<+->][fragile]{Beispiel}{Viele Smarthosts - Config 2} +\begin{frame}[<+->][fragile]{Beispiel}{Viele Smarthosts - Routers + Transports} \begin{small} \begin{verbatim} begin routers @@ -69,8 +69,8 @@ Das Routing können wir wieder relativ einfach testen: \pause \begin{alltt} -$ exim -f hans@example.com -t nobody@discworld.com -nobody@discworld.com +$ exim -f hans@example.com -t nobody@nowhere +nobody@nowhere router = smarthosts, transport = smtpa host mx.freenet.de [2001:748:100:40::8:112] port=25 host mx.freenet.de [195.4.92.212] port=25 diff -r f5fb56d00192 -r ac1700753eea out/acl1 --- a/out/acl1 Wed Mar 18 12:01:27 2015 +0100 +++ b/out/acl1 Wed Mar 18 23:23:21 2015 +0100 
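Review bot: The correction of the extract line leaves the walk-through internally inconsistent: the sg output two lines above still reads `smtp.km21.com km433221 secrit`, yet `sg` with `\s+` → `\t` only rewrites whitespace, so its output must be `…zecrit` too — and that output is exactly what the corrected extract line now consumes. Change the context line to `smtp.km21.com km433221 zecrit\pause` so the three steps chain.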
@@ -1,30 +1,32 @@ $ swaks --pipe 'exim -bh 8.8.8.8' -f … -t info@example.org,office@example.org -q rcpt -<- <- **** SMTP testing session as if from host 8.8.8.8 -<- **** but without any ident (RFC 1413) callback. <- **** This is not for real! -<- -<- 220 jumper.Speedport_W_724V_Typ_A_05011602_00_001 ESMTP Exim 4.80 Sun, 11 May 2014 14:55:35 +0200 - -> EHLO jumper.schlittermann.de -<- 250-jumper.Speedport_W_724V_Typ_A_05011602_00_001 Hello jumper.schlittermann.de [8.8.8.8] -<- 250-SIZE 52428800 -<- 250-8BITMIME -<- 250-PIPELINING -<- 250 HELP - -> MAIL FROM: -<- 250 OK +… -> RCPT TO: ->>> using ACL "acl_check_rcpt" ->>> processing "require" ->>> check domains = +local_domains ->>> example.org in "example.com : example.org"? yes (matched "example.org") ->>> example.org in "+local_domains"? yes (matched "+local_domains") ->>> check verify = recipient +>>> using ACL "acl_check_recipient" +>>> processing "defer" +>>> check !acl = same_domain +>>> using ACL "same_domain" +>>> processing "accept" +>>> check condition = ${if !def:acl_m_domain} +>>> = true +>>> check set acl_m_domain = $domain +>>> = example.org +>>> accept: condition test succeeded in ACL "same_domain" … ->>> accept: condition test succeeded in ACL "acl_check_rcpt" <- 250 Accepted -> RCPT TO: +>>> using ACL "acl_check_recipient" +>>> processing "defer" +>>> check !acl = same_domain +>>> using ACL "same_domain" +>>> processing "accept" +>>> check condition = ${if !def:acl_m_domain} +>>> = +>>> accept: condition test failed in ACL "same_domain" +>>> processing "accept" +>>> check domains = $acl_m_domain +>>> example.org in "example.org"? yes (matched "example.org") +>>> accept: condition test succeeded in ACL "same_domain" … <- 250 Accepted - -> QUIT -<- 221 jumper.Speedport_W_724V_Typ_A_05011602_00_001 closing connection diff -r f5fb56d00192 -r ac1700753eea out/acl2 --- a/out/acl2 Wed Mar 18 12:01:27 2015 +0100 +++ b/out/acl2 Wed Mar 18 23:23:21 2015 +0100 
@@ -1,21 +1,33 @@ $ swaks --pipe 'exim -bh 8.8.8.8' -f … -t info@example.org,office@example.org -q rcpt -<- <- **** SMTP testing session as if from host 8.8.8.8 -<- **** but without any ident (RFC 1413) callback. <- **** This is not for real! -<- -<- 220 jumper.Speedport_W_724V_Typ_A_05011602_00_001 ESMTP Exim 4.80 Sun, 11 May 2014 15:16:37 +0200 - -> EHLO jumper.schlittermann.de -<- 250-jumper.Speedport_W_724V_Typ_A_05011602_00_001 Hello jumper.schlittermann.de [8.8.8.8] -<- 250-SIZE 52428800 -<- 250-8BITMIME -<- 250-PIPELINING -<- 250 HELP - -> MAIL FROM: -<- 250 OK +… -> RCPT TO: +>>> using ACL "acl_check_recipient" +>>> processing "defer" +>>> check !acl = same_domain +>>> using ACL "same_domain" +>>> processing "accept" +>>> check condition = ${if !def:acl_m_domain} +>>> = true +>>> check set acl_m_domain = $domain +>>> = example.org +>>> accept: condition test succeeded in ACL "same_domain" +… <- 250 Accepted -> RCPT TO: -<** 451 multiple recipients for differend domains - -> QUIT -<- 221 jumper.Speedport_W_724V_Typ_A_05011602_00_001 closing connection +>>> using ACL "acl_check_recipient" +>>> processing "defer" +>>> using ACL "same_domain" +>>> check condition = ${if !def:acl_m_domain} +>>> = +>>> accept: condition test failed in ACL "same_domain" +>>> processing "accept" +>>> check domains = $acl_m_domain +>>> example.com in "example.org"? no (end of list) +>>> accept: condition test failed in ACL "same_domain" +>>> processing "deny" +>>> deny: condition test succeeded in ACL "same_domain" +>>> defer: condition test succeeded in ACL "acl_check_recipient" +… +<** 451 multiple recipient with same domain only diff -r f5fb56d00192 -r ac1700753eea out/exim-bV.tt --- a/out/exim-bV.tt Wed Mar 18 12:01:27 2015 +0100 +++ b/out/exim-bV.tt Wed Mar 18 23:23:21 2015 +0100 
@@ -1,14 +1,19 @@ -Exim version 4.80 #2 built 02-Jan-2013 18:59:17 -Copyright (c) University of Cambridge, 1995 - 2012 -(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2012 -Berkeley DB: Berkeley DB 5.1.29: (October 25, 2011) -Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc GnuTLS move_frozen_messages \B - Content_Scanning DKIM Old_Demime -Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm \B - dbmjz dbmnz dnsdb dsearch ldap ldapdn ldapm mysql nis nis0 passwd pgsql sqlite -Authenticators: cram_md5 cyrus_sasl dovecot plaintext spa -Routers: accept dnslookup ipliteral iplookup manualroute queryprogram redirect +Exim version 4.85_RC1-53-a466d09-XX #21 built 18-Mar-2015 15:36:46 +Copyright (c) University of Cambridge, 1995 - 2014 +(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2014 +Berkeley DB: Berkeley DB 5.3.28: (September 9, 2013) +Support for: crypteq iconv() IPv6 OpenSSL Content_Scanning + DKIM Old_Demime + PRDR OCSP Experimental_DANE Experimental_Event +Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch + cdb dbm dbmjz dbmnz dnsdb dsearch + ldap ldapdn ldapm + nis nis0 nisplus passwd + pgsql +Authenticators: cram_md5 dovecot plaintext spa +Routers: accept dnslookup ipliteral manualroute queryprogram redirect Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp Fixed never_users: 0 Size of off_t: 8 -Configuration file is /etc/exim4/exim4.conf +Configuration file is /usr/local/exim/etc/exim.conf +