--- a/Makefile Sun May 11 10:55:34 2014 +0200
+++ b/Makefile Sun May 11 15:38:32 2014 +0200
@@ -6,6 +6,7 @@
CONF = $(wildcard conf/*.conf)
FRAMES = $(wildcard frames/*tex)
IMAGES = $(notdir $(DIA:.dia=.pdf))
+OUT = $(wildcard out/*)
.PHONY: clean
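Review bot: `OUT = $(wildcard out/*)` is recursively assigned, so the glob is re-run every time `$(OUT)` is expanded; `OUT := $(wildcard out/*)` evaluates it once. The new line follows the existing `CONF`/`FRAMES` definitions, so it is only worth switching if those are changed to `:=` as well. Either way the list is fixed when the Makefile is read, so a transcript written into out/ during the same run only becomes a prerequisite on the next invocation.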
@@ -14,7 +15,7 @@
rubber -d --clean mk2014.tex
-rm -f *.vrb $(IMAGES)
-mk2014.pdf: mk2014.tex $(IMAGES) $(FRAMES) $(TT) $(CONF)
+mk2014.pdf: mk2014.tex $(IMAGES) $(FRAMES) $(TT) $(CONF) $(OUT)
%.pdf: %.tex
rubber -f -d $<
--- a/conf/acl.conf Sun May 11 10:55:34 2014 +0200
+++ b/conf/acl.conf Sun May 11 15:38:32 2014 +0200
@@ -7,9 +7,12 @@
accept domains = +local_domains
local_parts = postmaster
- ….
+ …
require message = relaying denied
domains = +local_domains
+
+ require message = unknown recipient
+ verify = recipient/callout=use_sender,defer_ok
…
accept
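Review bot: The new `verify = recipient/callout=use_sender,defer_ok` line treats a callout that ends in a temporary error as a successful verification, so while the callout target is unreachable the `unknown recipient` check is effectively not enforced and such messages may be accepted and bounced later. That is a legitimate availability trade-off, but since this file is shown verbatim on the slides the intent deserves a comment, e.g. `# defer_ok: a callout that cannot complete counts as verified (availability over strictness)`. The enclosing ACL begins outside the hunk.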
--- a/frames/acl.tex Sun May 11 10:55:34 2014 +0200
+++ b/frames/acl.tex Sun May 11 15:38:32 2014 +0200
@@ -23,8 +23,9 @@
\end{frame}
\begin{frame}[fragile]{Access Control Lists}{Konfiguration}
-\tiny
+\begin{small}
\verbatiminput{conf/acl.conf}
+\end{small}
\end{frame}
\subsection{Features}
@@ -44,3 +45,48 @@
\item Generische Bedingung \verb+condition =+
\end{itemize}
\end{frame}
+
+
+\subsection{Beispiel}
+
+\begin{frame}[<+->][fragile]{Access Control Lists}{Beispiel}
+\begin{block}{Aufgabe}
+Alle Empfänger müssen der selben Domain angehören (z.B. weil wir
+domainspezifische Spam-Policies haben)
+\end{block}
+\begin{block}{Lösung}
+\begin{small}
+\begin{alltt}
+begin acl
+
+ acl_check_rcpt:
+ …
+\pause
+ defer !acl = same_domain
+ accept
+\pause
+ same_domain:
+ accept condition = $\{if !def:acl_m_domain\}
+ set acl_m_domain = $domain
+
+ accept domains = $acl_m_domains
+
+ deny
+\end{alltt}
+\end{small}
+\end{block}
+\end{frame}
+
+
+\begin{frame}[<+->][fragile]{Access Control Lists}{Test 1}
+\begin{scriptsize}
+\verbatiminput{out/acl1}
+\end{scriptsize}
+\end{frame}
+
+\begin{frame}[<+->][fragile]{Access Control Lists}{Test 2}
+\begin{scriptsize}
+\verbatiminput{out/acl2}
+\end{scriptsize}
+\pause
+\end{frame}
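Review bot: In the Lösung block the variable written by `set acl_m_domain = $domain` is read back as `$acl_m_domains` on the `accept domains =` line; unless the plural is intentional, that second name would expand to an unset (empty) variable, the `accept` would never match and every further recipient would fall through to `deny`. The line should presumably read `accept domains = $acl_m_domain`. Because the example is typed by hand inside alltt rather than included from the tested configuration, the Test 2 transcript cannot confirm which spelling was actually run.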
--- a/frames/logging.tex Sun May 11 10:55:34 2014 +0200
+++ b/frames/logging.tex Sun May 11 15:38:32 2014 +0200
@@ -1,30 +1,34 @@
\section{Logging}
-\begin{frame}[fragile]{Logging}
+\begin{frame}[<+->][fragile]{Logging}
Sicherheit heißt auch Logging. Auskunft über das Verarbeiten der
-Nachricht. Gesteuert wird u.a. über \verb=log_selector=, \verb=log_write=,
+Nachricht. Gesteuert wird über \verb=log_selector=, \verb=log_write=,
\verb=debug_print=.
+\pause
+Kein Logging bedeutet Fehler 4xx!
+\pause
\begin{description}
-\item[mainlog] alle relevanten Transaktionen, dokumentiertes,
- maschinenlesbares Format
+\item[mainlog] alle relevanten Transaktionen, \emph{dokumentiertes}
+ menschen- und maschinenlesbares Format
\item[rejectlog] Details zu abgewiesenen Nachrichten
\item[paniclog] Konfigurationsfehler, schwere Probleme
-\item[messagelog] Transaktionen zu einer spezifischen Nachricht
\item[syslog] Fallback, wenn nicht mal mehr paniclog geht
+\item[messagelog] Transaktionen zu einer spezifischen Nachricht bis
+ zur „completion“
\end{description}
\scriptsize
\begin{alltt}
-\input{msglog.tt}
+\input{out/msglog.tt}
\end{alltt}
\end{frame}
\begin{frame}[fragile]{Logging}{mainlog}
\scriptsize
-\verbatiminput{mainlog.tt}
+\verbatiminput{out/mainlog.tt}
\end{frame}
\begin{frame}[fragile]{Logging}{rejectlog}
\scriptsize
-\verbatiminput{rejectlog.tt}
+\verbatiminput{out/rejectlog.tt}
\end{frame}
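Review bot: The two `\verbatiminput{out/...}` lines now read files that carry `\B` markers (out/mainlog.tt and out/rejectlog.tt in this commit), and verbatim input prints those markers literally rather than expanding them; only `out/msglog.tt`, pulled in with `\input` inside `alltt`, gets macro expansion. Assuming `\B` is a line-continuation macro defined in the preamble, the mainlog and rejectlog frames should use the same form, `\begin{alltt}`, `\input{out/mainlog.tt}`, `\end{alltt}` (likewise for rejectlog). Before switching, check that those files contain no `{`, `}` or other `\` sequences that alltt would interpret.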
--- a/mainlog.tt Sun May 11 10:55:34 2014 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,23 +0,0 @@
-14:13:04 1Wi0ie-0005e8-Q7 <= wwwrun@emarsys.net H=mx.net.schlittermann.de [84.19.194.2] I=[84.19.194.3]:587
- P=esmtps X=TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128
- S=51433 id=0.1.B1.FAE.1CF69EDB12C0806.0@pmta40192.emarsys.net
-14:13:05 1Wi0ie-0005e8-Q7 => raabe@example.com
- F=<wwwrun@emarsys.net>
- R=domain_forward T=smtp
- H=mail.example.com [71.81.118.92] X=TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128
- C="250 OK id=1Wi0if-0008Kc-Et"
- QT=1s DT=1s
-14:13:05 1Wi0ia-0005dq-Ha => cwinkler@example.org F=<agent@ukrs939471.pur3.net>
- R=domain_forward T=smtp
- H=diw.vpn.schlittermann.de [10.10.10.18] X=TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128
- C="250 OK id=1Wi0ig-00035h-Iq" QT=7s DT=7s
-14:13:05 1Wi0ie-0005e8-Q7 Completed QT=1s
-14:13:07 1Wi0ia-0005dq-Ha Completed QT=7s
-14:13:07 1Wi0ih-0005ew-Lw <= agent@ukrs394971.pur3.net H=mx.net.schlittermann.de [84.19.194.2] I=[84.19.194.3]:587
- P=esmtps X=TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128
- S=17836 id=0.0.C9.E5D.1CF69EDAA039062.0@mta20135.pur3.net
-14:13:13 1Wi0ih-0005ew-Lw => info@diw-bau.de F=<agent@ukrs394971.pur3.net>
- R=domain_forward T=smtp
- H=diw.vpn.schlittermann.de [10.10.10.18] X=TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128
- C="250 OK id=1Wi0in-00035n-Ht" QT=6s DT=6s
-14:13:13 1Wi0ih-0005ew-Lw Completed QT=6s
--- a/msglog.tt Sun May 11 10:55:34 2014 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,8 +0,0 @@
-$ exim -Mvl 1Whwqz-00019E-Hg
-2014-05-07 10:05:25 Received from a.bohl@example.com H=mout.foobar.com
- (wotan.wgnd.lokal) [12.8.252.26]
- I=[84.19.194.3]:587 P=esmtps X=TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128
- S=3995 id=5369E8CA.1030704@foobar.com T="Monte Timaro"
-2014-05-07 10:06:28 gmail.de [173.194.70.18] Connection timed out
-…
-2014-05-07 10:09:38 hans@gmail.de R=dnslookup T=smtp defer (110): Connection timed out
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/out/acl1 Sun May 11 15:38:32 2014 +0200
@@ -0,0 +1,30 @@
+$ swaks --pipe 'exim -bh 8.8.8.8' -f … -t info@example.org,office@example.org -q rcpt
+<-
+<- **** SMTP testing session as if from host 8.8.8.8
+<- **** but without any ident (RFC 1413) callback.
+<- **** This is not for real!
+<-
+<- 220 jumper.Speedport_W_724V_Typ_A_05011602_00_001 ESMTP Exim 4.80 Sun, 11 May 2014 14:55:35 +0200
+ -> EHLO jumper.schlittermann.de
+<- 250-jumper.Speedport_W_724V_Typ_A_05011602_00_001 Hello jumper.schlittermann.de [8.8.8.8]
+<- 250-SIZE 52428800
+<- 250-8BITMIME
+<- 250-PIPELINING
+<- 250 HELP
+ -> MAIL FROM:<hs@schlittermann.de>
+<- 250 OK
+ -> RCPT TO:<info@example.org>
+>>> using ACL "acl_check_rcpt"
+>>> processing "require"
+>>> check domains = +local_domains
+>>> example.org in "example.com : example.org"? yes (matched "example.org")
+>>> example.org in "+local_domains"? yes (matched "+local_domains")
+>>> check verify = recipient
+…
+>>> accept: condition test succeeded in ACL "acl_check_rcpt"
+<- 250 Accepted
+ -> RCPT TO:<office@example.org>
+…
+<- 250 Accepted
+ -> QUIT
+<- 221 jumper.Speedport_W_724V_Typ_A_05011602_00_001 closing connection
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/out/acl2 Sun May 11 15:38:32 2014 +0200
@@ -0,0 +1,21 @@
+$ swaks --pipe 'exim -bh 8.8.8.8' -f … -t info@example.org,office@example.org -q rcpt
+<-
+<- **** SMTP testing session as if from host 8.8.8.8
+<- **** but without any ident (RFC 1413) callback.
+<- **** This is not for real!
+<-
+<- 220 jumper.Speedport_W_724V_Typ_A_05011602_00_001 ESMTP Exim 4.80 Sun, 11 May 2014 15:16:37 +0200
+ -> EHLO jumper.schlittermann.de
+<- 250-jumper.Speedport_W_724V_Typ_A_05011602_00_001 Hello jumper.schlittermann.de [8.8.8.8]
+<- 250-SIZE 52428800
+<- 250-8BITMIME
+<- 250-PIPELINING
+<- 250 HELP
+ -> MAIL FROM:<hs@schlittermann.de>
+<- 250 OK
+ -> RCPT TO:<info@example.org>
+<- 250 Accepted
+ -> RCPT TO:<office@example.com>
+<** 451 multiple recipients for differend domains
+ -> QUIT
+<- 221 jumper.Speedport_W_724V_Typ_A_05011602_00_001 closing connection
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/out/mainlog.tt Sun May 11 15:38:32 2014 +0200
@@ -0,0 +1,24 @@
+14:13:04 1Wi0ie-0005e8-Q7 <= wwwrun@emarsys.net H=mx.net.schlittermann.de [84.19.194.2]\B
+ I=[84.19.194.3]:587\B
+ P=esmtps X=TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128\B
+ S=51433 id=0.1.B1.FAE.1CF69EDB12C0806.0@pmta40192.emarsys.net
+14:13:05 1Wi0ie-0005e8-Q7 => raabe@example.com\B
+ F=<wwwrun@emarsys.net>\B
+ R=domain_forward T=smtp\B
+ H=mail.example.com [71.81.118.92] X=TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128\B
+ C="250 OK id=1Wi0if-0008Kc-Et"\B
+ QT=1s DT=1s
+14:13:05 1Wi0ia-0005dq-Ha => cwinkler@example.org F=<agent@ukrs939471.pur3.net>\B
+ R=domain_forward T=smtp\B
+ H=diw.vpn.schlittermann.de [10.10.10.18] X=TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128
+ C="250 OK id=1Wi0ig-00035h-Iq" QT=7s DT=7s
+14:13:05 1Wi0ie-0005e8-Q7 Completed QT=1s
+14:13:07 1Wi0ia-0005dq-Ha Completed QT=7s
+14:13:07 1Wi0ih-0005ew-Lw <= agent@ukrs394971.pur3.net H=mx.net.schlittermann.de [84.19.194.2] I=[84.19.194.3]:587\B
+ P=esmtps X=TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128\B
+ S=17836 id=0.0.C9.E5D.1CF69EDAA039062.0@mta20135.pur3.net
+14:13:13 1Wi0ih-0005ew-Lw => info@diw-bau.de F=<agent@ukrs394971.pur3.net>
+ R=domain_forward T=smtp\B
+ H=diw.vpn.schlittermann.de [10.10.10.18] X=TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128\B
+ C="250 OK id=1Wi0in-00035n-Ht" QT=6s DT=6s
+14:13:13 1Wi0ih-0005ew-Lw Completed QT=6s
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/out/msglog.tt Sun May 11 15:38:32 2014 +0200
@@ -0,0 +1,8 @@
+$ exim -Mvl 1Whwqz-00019E-Hg
+2014-05-07 10:05:25 Received from a.bohl@example.com H=mout.foobar.com\B
+ (wotan.wgnd.lokal) [12.8.252.26]\B
+ I=[84.19.194.3]:587 P=esmtps X=TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128\B
+ S=3995 id=5369E8CA.1030704@foobar.com T="Monte Timaro"
+2014-05-07 10:06:28 gmail.de [173.194.70.18] Connection timed out
+…
+2014-05-07 10:09:38 hans@gmail.de R=dnslookup T=smtp defer (110): Connection timed out
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/out/rejectlog.tt Sun May 11 15:38:32 2014 +0200
@@ -0,0 +1,26 @@
+06:30:13 1WhtSh-0004KX-Ta H=(ete4g.com) [174.36.30.154] I=[84.19.194.2]:25\B
+ F=<ete39@ete4g.com> rejected after DATA: spam 9
+Envelope-from: <ete39@ete4g.com>
+Envelope-to: <info@example-dresden.de>
+P Received: from [174.36.30.154] (helo=ete4g.com)
+ by mx.net.schlittermann.de with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256)
+ (Exim 4.80)
+ (envelope-from <ete39@ete4g.com>)
+ id 1WhtSh-0004KX-Ta
+ for info@example-dresden.de; Wed, 07 May 2014 06:28:08 +0200
+P Received: from [58.61.157.29] (port=55782 helo=WIN-5JAQ6OH8L0P)
+ by spoon.arvixe.com with esmtpa (Exim 4.80.1)
+ (envelope-from <ete39@ete4g.com>)
+ id 1WhtSa-0002vh-7B
+ for info@example-dresden.de; Tue, 06 May 2014 21:28:01 -0700
+ Disposition-Notification-To: winni@ttm-group.com.cn
+ MIME-Version: 1.0
+F From: winni <winni@ttm-group.com.cn>
+S Sender: ete39@ete4g.com
+T To: info@example-dresden.de
+R Reply-To: winni@ttm-group.com.cn
+ Date: 7 May 2014 12:27:48 +0800
+ Subject: Fw: cooperation for plastic and Metal parts
+ Content-Type: text/html; charset=utf-8
+ Content-Transfer-Encoding: base64
+
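Review bot: The recipient side of this excerpt is anonymized (example-dresden.de), but the sender, Reply-To and Disposition-Notification-To addresses and both source IP addresses are kept as captured, and since the deck is built from this file they will appear on the published slide. If that is not intended, replace them with placeholder values in the same way as the recipient. The sender addresses in out/mainlog.tt and out/msglog.tt are in the same position.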
--- a/rejectlog.tt Sun May 11 10:55:34 2014 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,26 +0,0 @@
-06:30:13 1WhtSh-0004KX-Ta H=(ete4g.com) [174.36.30.154] I=[84.19.194.2]:25
- F=<ete39@ete4g.com> rejected after DATA: spam 9
-Envelope-from: <ete39@ete4g.com>
-Envelope-to: <info@example-dresden.de>
-P Received: from [174.36.30.154] (helo=ete4g.com)
- by mx.net.schlittermann.de with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256)
- (Exim 4.80)
- (envelope-from <ete39@ete4g.com>)
- id 1WhtSh-0004KX-Ta
- for info@example-dresden.de; Wed, 07 May 2014 06:28:08 +0200
-P Received: from [58.61.157.29] (port=55782 helo=WIN-5JAQ6OH8L0P)
- by spoon.arvixe.com with esmtpa (Exim 4.80.1)
- (envelope-from <ete39@ete4g.com>)
- id 1WhtSa-0002vh-7B
- for info@example-dresden.de; Tue, 06 May 2014 21:28:01 -0700
- Disposition-Notification-To: winni@ttm-group.com.cn
- MIME-Version: 1.0
-F From: winni <winni@ttm-group.com.cn>
-S Sender: ete39@ete4g.com
-T To: info@example-dresden.de
-R Reply-To: winni@ttm-group.com.cn
- Date: 7 May 2014 12:27:48 +0800
- Subject: Fw: cooperation for plastic and Metal parts
- Content-Type: text/html; charset=utf-8
- Content-Transfer-Encoding: base64
-