[Pymilter] Possible to use a milter for reverse SRS?
Mark Himsley
mark+pymilter at mdsh.com
Mon Feb 11 17:26:16 EST 2019
Hi Stuart,

Mel pointed me at this email thread because on another list I asked
whether anyone could help me doing exactly the same thing.

Having read the whole thread I'm still somewhat confused, so please
excuse me if I ask really basic questions...

On 25/01/2019 15:49, stuart at gathman.org (Stuart D. Gathman) wrote:
> On Fri, 25 Jan 2019, Melanie Dymond Harper wrote:
>
>> I'm in the process of testing an SRS setup -- we need to be able to
>> forward email for some customers from domains managed here to their own
>> email accounts. We have srsmilter working the way it ought to for
>> outbound mail, so far so good; is it possible to configure it to handle
>> returned (bounced) mail to SRS-encoded addresses as well? The
>
> Oh my. That was a very misleading thing for me to do. srsmilter.py is
> a proof of concept for using the (at the time) new chgfrom milter API.
> Notice that it can't handle multiple recipients well due to the
> nature of the environment chgfrom is called from.
>
> The SRS I use in production uses pysrs.py (a socket map) in conjunction
> with the pysrs.m4 feature for sendmail.cf for outgoing mail.

Basics:

* I'm running the packaged Sendmail on Ubuntu 18.04.

* I have the packaged spfmilter.py running and I'm using it with this
  in sendmail.mc.

    INPUT_MAIL_FILTER(`pyspffilter',
    `S=local:/var/run/spf-milter-python/spfmiltersock, F=T,
    T=C:4m;S:4m;R:8m;E:10m')

* I have srsmilter.py from the package pysrs-bin 1.0.3-1 running and
  I'm using it with this in sendmail.mc,

    INPUT_MAIL_FILTER(`pysrsfilter',
    `S=local:/var/run/srs-milter-python/srsmiltersock, F=T,
    T=C:5m;S:20s;R:5m;E:5m')

  I can see forward SRS is happening, but I think it's not the right
  solution for multiple recipients (I want an alias in /etc/mail/aliases
  to forward to multiple recipients).

* I have pysrs.py from the package pysrs-bin 1.0.3-1 running - but
  it's not being used by anything yet.
  I know I'd need to use the pysrs.m4 HACK to use the pysrs.py socket.

So, my questions:

Does pysrs.py replace pysrsfilter? In a later email you have a
sendmail.mc fragment which includes both, so I'm somewhat confused.

> Incoming SRS is handled off stage, in my case by the milter package.

What do you mean by 'SRS is handled off stage'?

Thanks in advance.

> It is really rather mean of me. srsmilter, even if chgfrom doesn't
> handle multiple recipients well, should at least provide a basic
> implementation of incoming SRS!
>
> So, the thing to do is extract the basics from bms.py in the milter
> package, and add them to srsmilter.py. Invoking chgfrom should be
> configurable, as it is limited, so that pysrs.py can be used instead
> for outgoing SRS with sendmail. And srsmilter would then provide
> simple processing of SRS bounces for either case.
>
> Note that pysrs.m4 also handles reverse by simply unwrapping SRS
> bounces. Invalid SRS bounces are then rejected as 'unknown user'.
>
> Handling SRS bounces in a milter simply lets you do more accurate
> errors, e.g. bms.py responds to an invalid SRS bounce like this:
>
>     if not (self.internal_connection or self.trusted_relay):
>       if srsre.match(oldaddr):
>         self.log("REJECT: srs spoofed:",oldaddr)
>         self.setreply('550','5.7.1','Invalid SRS signature')
>         return Milter.REJECT
>
> Which is more informative than "unknown user".
>
> So, outgoing SRS can be handled via CF and a socket map in pysrs.py,
> or via chgfrom milter API in srsmilter.py.
>
> Incoming SRS can be handled via CF and a socket map in pysrs.py with
> an "invalid user" response. Or, in the future - I think I can get
> something to test by Jan 29 - by srsmilter.py issuing an SRS specific
> rejection. It is only a few lines - they just need to be the right
> lines.
>
> In bms.py, I made srs_reject_spoofed a config boolean, thinking that
> I might want to give deliberately ambiguous errors to spammers. But
> it has turned out that spammers don't really do anything with that kind
> of response, and being helpful to mail admins is more important.
--
Mark Himsley
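
Added example, not part of the original message and not code from pysrs, srsmilter.py or bms.py: a self-contained sketch of the incoming-SRS decision described in the quoted text, where a valid SRS0 bounce recipient is unwrapped and a forged one gets an SRS-specific 550 instead of "unknown user". The tag and timestamp layout are simplified and not wire-compatible with pysrs; SECRET, FWD_DOMAIN, MAX_AGE_DAYS, the function names and the "expired" reply text are assumptions.

```python
import base64, hashlib, hmac, re, time

SECRET = b"constructed-demo-secret"  # constructed value, not a real key
FWD_DOMAIN = "forwarder.example"     # hypothetical forwarding domain
MAX_AGE_DAYS = 21                    # assumed validity window for bounces
B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
SRS0_RE = re.compile(r"^SRS0=([^=]+)=([^=]+)=([^=]+)=(.+)@([^@]+)$", re.I)

def _tag(ts, host, user):
    # Short HMAC over the fields an attacker would need to alter.
    mac = hmac.new(SECRET, digestmod=hashlib.sha1)
    for part in (ts, host, user):
        mac.update(part.lower().encode())
    return base64.b64encode(mac.digest()).decode()[:4]

def _day(now):
    return int((time.time() if now is None else now) // 86400)

def srs_forward(sender, now=None):
    """Outgoing side: wrap the original envelope sender."""
    user, host = sender.rsplit("@", 1)
    d = _day(now) % 1024
    ts = B32[d >> 5] + B32[d & 31]
    return "SRS0=%s=%s=%s=%s@%s" % (_tag(ts, host, user), ts, host, user, FWD_DOMAIN)

def check_bounce_rcpt(rcpt, now=None):
    """Incoming side: decide what to do with one envelope recipient."""
    m = SRS0_RE.match(rcpt)
    if not m or m.group(5).lower() != FWD_DOMAIN:
        return ("CONTINUE", rcpt)  # not an SRS address of ours
    tag, ts, host, user = m.group(1, 2, 3, 4)
    if not hmac.compare_digest(tag.encode(), _tag(ts, host, user).encode()):
        # Same reply the quoted bms.py fragment sends.
        return ("REJECT", ("550", "5.7.1", "Invalid SRS signature"))
    then = B32.index(ts[0].upper()) * 32 + B32.index(ts[1].upper())
    if (_day(now) - then) % 1024 > MAX_AGE_DAYS:
        return ("REJECT", ("550", "5.7.1", "SRS timestamp expired"))  # assumed text
    return ("REWRITE", "%s@%s" % (user, host))
```

In a milter, the REJECT tuple would be passed to setreply() before returning Milter.REJECT, as in the quoted fragment.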