How do I reach the dev team or security?

Vernon Schryver vjs@calcite.rhyolite.com
Tue Jan 3 15:39:31 UTC 2006


> From: Benu <flash@benu.widge.org>

> 1. Is greylisting (servers, clients) only available in sendmail 
> configurations?

no, greylisting also works with dccifd.

>If the answer is no, then I can not understand why dbclean complaints and dies 
> when I enable greylisting client in dcc_conf when starting the dccifd daemon.

With what complaint does dbclean die?

> 2. This is a new install. When I issue: cdcc ID it returns 1, the ids file 
> have different values for DCC Server and Greylist. Is this correct?

That is probably correct, because you would probably be using the public
DCC servers with the anonymous client-ID 1, but a real client-ID with
the local dccd process that maintains your private greylist database.

>Attempts to change the ID that cdcc reports to the DCC ID in the ids file with 
> "reload ids" complaints with something similar to needs su.

The command `cdcc "reload ids"` has nothing to do with the changing the
contents of the /var/dcc/ids or /var/dcc/maps file.  That command
merely tells dccd to read and so reload the /var/dcc/ids file immediately
instead of waiting for dccd to notice automatically that the file has changed.

The operation used by `cdcc` to tell the server to check its /var/dcc/ids
file must be authenticated by the server using an ID and a password
found in the server's /var/dcc/ids file.  You must provide the ID and
the password either by using the commands `cdcc "id X; password secret"`
or just `cdcc "id X"`.  The latter looks for the password for X in the
local /var/dcc/ids file.  Because it contains passwords, /var/dcc/ids
is private.

>                                                             When the cdcc 
> "reload ids" is issued I am superuser. I attribute this as an ops problem not 
> knowing correct syntax.  Nevertheless, which ID is cdcc reporting?

Now that you mention it, I see that a bug has crept in.  The error message
should read

    cdcc -> reload ids
    "reload IDs" is a privileged operation;
       use the "id server-ID" command
       and either "passwd secret" or `su` to read passwords from /var/dcc/ids

> 3. When the combo amavis+clamav+SA+DCC+postfix is employed, at what point 
> during the scanning, will amavis call dccifd? When dccproc was configured I 
> would see calls to dccproc in the mail logs, now I do not see calls to dccifd 
> in the logs. I know that DCC is working because I see its logs.

I know very little and nothing useful about amavis, and about the same about
clamav.  

It would be best to run dccifd as a postfix before-queue filter and let 
dccifd spam mail during the SMTP transaction.
Second best is to run dccifd as a postfix before-queue filter but only
adding X-DCC header lines that SpamAssassin would check for the
string "bulk" or thresholds in the counts.  Both of these tactics would
give the mail message to dccifd during the SMTP transaction and so
permit the use of greylisting.
However, you are probably trying to use the default configuration in
which SpamAssassin talks to dccproc or dccifd.  This generally does
not allow the use of greylisting for various reasons.  One is that
SpamAssassin is usually invoked after the end of the SMTP transaction.
Greylisting must be done during the SMTP transaction, and embargoed
mail must be rejected with a 4yz SMTP status code.


Vernon Schryver    vjs@rhyolite.com



More information about the DCC mailing list

Contact vjs@rhyolite.com by mail or use the form.