From stuart at bmsi.com  Wed May 25 10:33:31 2005
From: stuart at bmsi.com (Stuart D. Gathman)
Date: Wed, 25 May 2005 10:33:31 -0400 (EDT)
Subject: [Pymilter] You are correct, it is a bug (rejecting non-SRS)
In-Reply-To: <20050429131857.DE2588D8002@2.revivim.org.il>
Message-ID: <Pine.LNX.4.44.0505251029390.12973-100000@bmsred.bmsi.com>

On Fri, 29 Apr 2005, Alex Savguira wrote:

> You need to turn on rejecting non-SRS.
> 
> [srs]
> config=/etc/mail/pysrs.cfg
> # allow a grace period, then turn this on reject_spoofed = 1
> 
> 
> I did... And I do the pysrs as well.. It works as I said, when the fake DSN
> contains any headers (at least subject:)... The point is that you can send a
> fake DSN with no headers (no subject, nothing), that is: <<mail from: rcpt
> to: data Buy viagra fashion...>>> It is limited, and your excellent milter
> will divert most of the fake DSN's, but it is still possible to get through,
> if the fake DSN (see the telnet dialog from my previous mail) does not
> transmit any mail headers... It is quite obvious since you check for the fake
> not srs-signed DSN in the headers parser routine...

I am sorry I was not paying full attention before.  You are absolutely
correct.  The 'data_allowed' flag is checked in the header callback,
and sending no headers avoids it.  That is certainly a bug.  The check
should be duplicated in eoh.  (We want to reject as soon as possible.)
If it is not obvious how to duplicate the check (beginning with 
if not self.data_allowed), then I can send you my current code.

-- 
	      Stuart D. Gathman <stuart at bmsi.com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.




From stuart at bmsi.com  Thu May 26 15:49:05 2005
From: stuart at bmsi.com (Stuart D. Gathman)
Date: Thu, 26 May 2005 15:49:05 -0400 (EDT)
Subject: [Pymilter] pymilter registered at sourceforge
Message-ID: <Pine.LNX.4.44.0505261538270.25311-100000@bmsred.bmsi.com>

Several people have asked me to move pymilter to sourceforge where they
can access the latest CVS code without waiting for me to post a new
release.  I have taken the plunge, and registered 'pymilter'.  The license
is still GPL - which is I think optimal for this project.  Commercial
ventures using it tend to be service oriented (e.g. used internally at
ISPs to filter mail) - so there is no need for LGPL.  We certainly don't 
need any more closed source mail manglers.

I am new to sourceforge, so it will be a learning curve figuring out how 
to set up stuff, load existing source (can you load history?), etc.
Meanwhile, the old web page is still available.

-- 
	      Stuart D. Gathman <stuart at bmsi.com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.



From stuart at bmsi.com  Tue May 31 17:51:21 2005
From: stuart at bmsi.com (Stuart D. Gathman)
Date: Tue, 31 May 2005 17:51:21 -0400 (EDT)
Subject: [Pymilter] Sourceforge
Message-ID: <Pine.LNX.4.44.0505311749300.2567-100000@bmsred.bmsi.com>

I've moved the project to sourceforge, at least the CVS and releases.   
Now you can get bleeding edge stuff without waiting for a release, and 
submit bug reports and support requests.

-- 
	      Stuart D. Gathman <stuart at bmsi.com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.