552 5.2.0 Message contains bare CR and is violating 822.bis section 2.3 (in reply to end of DATA command))

Today, I spent half my day debugging an email error. I got a lot of bounces saying:

552 5.2.0 Message contains bare CR and is violating 822.bis section 2.3 (in reply to end of DATA command))

In the 20+ years I've been running mailservers, I had never heard of this error before. And Google couldn't make me much wiser either.

The mailserver generating the message was mxin5.ziggo.nl - the primary server for Dutch provider Ziggo. I could not figure out which MTA they are using, although the banner right after an EHLO looks like Sendmail. I downloaded the latest Sendmail sources, but this error message does not come from a vanilla Sendmail installation. Other software like FortiMail may be a Sendmail fork or mimic the Sendmail signatures. But of course we cannot examine their source code.

I did find some references to qmail having problems with bare LFs, but those concerned LF (line feed), not CR (carriage return). I downloaded the source of qmail and netqmail, only to find that qmail was probably not the MTA used either.

Then I tried to trace my own Postfix server to confirm that the mail really did contain a bare CR. I did not believe there was one, as I had examined the source code of the generating software. Tracing is a lot harder nowadays, since STARTTLS prevents a simple tcpdump. As an alternative, I used Postfix's header_checks to HOLD a suspected mail, and sure enough: the software generating the message included a stray CR (hex 0x0D, \r) in a small percentage of outgoing mails. The generating software used an external data source, which inserted the CR.

The bug generating the CR in the emails is years old, and the mails were always accepted by Ziggo without any problem. My best guess is that Ziggo recently upgraded their mailserver and the new version now forbids the CR.
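To find such a stray CR without a tcpdump, it helps to scan a held message for line endings that are not CRLF. The script below is an added example, not code from the post: it reports every CR not followed by LF ("bare CR") and every LF not preceded by CR ("bare LF"), and can rewrite the message so only CRLF remains. The sample message is constructed here; the CR in its Subject header mimics the value the external data source injected.

```python
# Constructed sample message: a stray CR inside the Subject header (the kind of
# defect the external data source injected) plus a bare LF on the last line.
SAMPLE_MESSAGE = (
    b"From: sender@example.com\r\n"
    b"Subject: Invoice 1234\rfor March\r\n"
    b"\r\n"
    b"Body line one\r\n"
    b"Body line two\n"
)


def find_bare_line_endings(data: bytes):
    """Return a list of (offset, line_number, kind) for every CR that is not
    immediately followed by LF ("bare CR") and every LF that is not
    immediately preceded by CR ("bare LF").  Line numbers are 1-based and
    count LFs, which is how most mail software splits lines."""
    findings = []
    line = 1
    n = len(data)
    for i in range(n):
        b = data[i]
        if b == 0x0D and (i + 1 >= n or data[i + 1] != 0x0A):
            findings.append((i, line, "bare CR"))
        elif b == 0x0A:
            if i == 0 or data[i - 1] != 0x0D:
                findings.append((i, line, "bare LF"))
            line += 1
    return findings


def strip_bare_cr(data: bytes) -> bytes:
    """Remove every bare CR and promote every bare LF to CRLF, so the result
    uses only CRLF line endings as RFC 5322 section 2.3 requires.  A bare CR
    inside a header is dropped rather than turned into a line break, because
    a line break would split the header into two invalid ones."""
    out = bytearray()
    n = len(data)
    for i in range(n):
        b = data[i]
        if b == 0x0D and (i + 1 >= n or data[i + 1] != 0x0A):
            continue                      # drop the stray CR
        if b == 0x0A and (i == 0 or data[i - 1] != 0x0D):
            out.append(0x0D)              # bare LF -> CRLF
        out.append(b)
    return bytes(out)


def describe(data: bytes):
    """Human-readable report, one entry per finding, with the offending line
    shown in repr() form so the \\r is visible."""
    lines = data.split(b"\n")
    return [
        f"line {ln} offset {off}: {kind}: {lines[ln - 1]!r}"
        for off, ln, kind in find_bare_line_endings(data)
    ]


if __name__ == "__main__":
    for entry in describe(SAMPLE_MESSAGE):
        print(entry)
    fixed = strip_bare_cr(SAMPLE_MESSAGE)
    print("after cleanup:", find_bare_line_endings(fixed))
```

Run it against a message taken out of the hold queue (for example the output of `postcat -q` on the held queue id) and the report points at the exact header or body line carrying the stray CR, which is what you need to trace the defect back to the generating software.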

© GeekLabInfo 552 5.2.0 Message contains bare CR and is violating 822.bis section 2.3 (in reply to end of DATA command)) is a post from GeekLab.info. You are free to copy materials from GeekLab.info, but you are required to link back to http://www.geeklab.info


Syslog kills Postfix performance

Last night, some script kiddie decided it would be fun to overload one of my servers by brute-forcing the FTP service. With the FTP server taking 90% of the CPU, the whole machine became slow, and the Postfix mailserver in particular experienced a huge delay.

Anyway, I just firewalled out the script kiddie and Postfix could start processing the queue. But for some reason it delivered no more than 5-10 mails a second. That would mean that processing the queue of 18,000 mails would take 30-60 minutes.

I had tried before to figure out why Postfix was so slow, without any luck; the well-known tuning pages didn't help me at all. Today I opened up /usr/bin/top and saw that the system was doing a lot of I/O. By accident I found out why: I like to have syslog write *.* to /var/log/allmessages.

This simple rule caused so much extra I/O that Postfix was slowed down by 90%. After disabling "allmessages", performance went up and the queue was processed within minutes. Makes me wonder what would happen if I...

  • disabled logging altogether, which is a bad idea as you can no longer spot abuse
  • found a way to enable a write cache - the default syslog of CentOS 5 does not support this AFAIK
  • wrote the logs to another device

Interesting...


How to use chained SSL certificates

What are chained SSL certificates?

Normal "single root" certs are certified by one single parent that clients recognise immediately. Chained certs, on the other hand, are signed by a parent which itself is signed by another parent. This effectively makes your cert a "grandchild" of the CA root. In the image attached you'll see a cert that is chained through two intermediate certs.

How to use chained SSL certificates?

Different server software requires different types of configuration. This page does not tell you how to set up SSL for your software; I'm just telling you how to use chained certs with the different programs.

Apache

Apache has quite some SSL functionality on board. I'm not going to discuss it all; I just want to point out that the directives you're looking for are:

SSLCertificateFile [path to crt file here]
SSLCertificateKeyFile [path to key file here]
SSLCACertificateFile [path to intermediate ca certs bundle here]

I downloaded the intermediate CA certs from my SSL provider: https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=AR1371. Your SSL provider has a page with their own intermediate CA certs.

PureFTPd

My PureFTPd key and cert are all located in /etc/pure-ftpd/pure-ftpd.pem. In order to make FTP clients accept the SSL cert, I performed the following steps:

  1. I downloaded the intermediate CA certs from my SSL provider: https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=AR1371. Your SSL provider has a page with their own intermediate CA certs.
  2. I combined the contents of the key, my own cert and the intermediate CA certs into /etc/postfix/ssl/smtpd.pem. I don't know if the order of the certs is important, but just to be sure I went back one parent at a time. So my file contains, from top to bottom: my private key, the certificate for my domain, thawte DV SSL CA, thawte primary root. It doesn't need the thawte primary server CA, as your client already has this one.
  3. Test it: openssl s_client -connect [your-hostname]:21 -starttls ftp

Dovecot

My Dovecot SSL key is located in /etc/pki/dovecot/private/dovecot.pem and my SSL cert is /etc/pki/dovecot/certs/dovecot.pem. In order to make email clients accept the SSL cert, I performed the following steps:

  1. I downloaded the intermediate CA certs from my SSL provider: https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=AR1371. Your SSL provider has a page with their own intermediate CA certs.
  2. I appended the contents of the intermediate CA certs to /etc/pki/dovecot/certs/dovecot.pem. I don't know if the order of the certs is important, but just to be sure I went back one parent at a time. So my file contains, from top to bottom: YourDomain.com, thawte DV SSL CA, thawte primary root. It doesn't need the thawte primary server CA, as your client already has this one.
  3. Test pop3s: openssl s_client -connect popserver:995
  4. Test imaps: openssl s_client -connect imapserver:995

Postfix

My Postfix key and cert are all located in /etc/postfix/ssl/smtpd.pem. In order to make email clients accept the SSL cert, I performed the following steps:

  1. I downloaded the intermediate CA certs from my SSL provider: https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=AR1371. Your SSL provider has a page with their own intermediate CA certs.
  2. I combined the contents of the key, my own cert and the intermediate CA certs into /etc/postfix/ssl/smtpd.pem. I don't know if the order of the certs is important, but just to be sure I went back one parent at a time. So my file contains, from top to bottom: my private key, the certificate for my domain, thawte DV SSL CA, thawte primary root. It doesn't need the thawte primary server CA, as your client already has this one.
  3. Test smtps: openssl s_client -connect [your-hostname]:465
  4. Test smtp with starttls: openssl s_client -connect [your-hostname]:25 -starttls smtp
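The order question raised in the PureFTPd, Dovecot and Postfix steps above has a definite answer: the server certificate comes first and each following certificate must be the issuer of the one before it, which is the order a TLS server sends its chain (RFC 5246 section 7.4.2). The checker below is an added example, not code from the post: it splits a combined PEM bundle, reads the subject and issuer Name of each CERTIFICATE block with a minimal DER walker, and reports whether the blocks are in server-first, issuer-next order. It does not verify signatures or expiry; `openssl s_client` remains the end-to-end test. The certificates it is tested with are constructed here (structurally valid X.509, unsigned, placeholder fields) purely so the example runs offline; point `check_chain_order` at the contents of your real smtpd.pem or dovecot.pem instead.

```python
import base64
import re

# ---------- minimal DER helpers: enough to walk an X.509 certificate ----------

def der_len(n: int) -> bytes:
    """Encode a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER tag-length-value element."""
    return bytes([tag]) + der_len(len(content)) + content


def read_tlv(buf: bytes, pos: int):
    """Decode the element at pos; return (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def subject_issuer(der: bytes):
    """Return the raw DER-encoded (subject, issuer) Names of a certificate.
    Only the TBSCertificate layout is walked; signatures are not verified."""
    _, p, _ = read_tlv(der, 0)          # Certificate ::= SEQUENCE
    _, p, _ = read_tlv(der, p)          # tbsCertificate ::= SEQUENCE
    tag, _, end = read_tlv(der, p)      # [0] version (optional) or serialNumber
    if tag == 0xA0:
        _, _, end = read_tlv(der, end)  # serialNumber
    _, _, end = read_tlv(der, end)      # signature AlgorithmIdentifier
    issuer_start = end
    _, _, end = read_tlv(der, end)      # issuer Name
    issuer = der[issuer_start:end]
    _, _, end = read_tlv(der, end)      # validity
    subject_start = end
    _, _, end = read_tlv(der, end)      # subject Name
    return der[subject_start:end], issuer


def first_attribute(name_der: bytes) -> str:
    """Value of the first attribute in a Name (the CN for the constructed certs)."""
    _, p, _ = read_tlv(name_der, 0)     # SEQUENCE OF RelativeDistinguishedName
    _, p, _ = read_tlv(name_der, p)     # SET OF AttributeTypeAndValue
    _, p, _ = read_tlv(name_der, p)     # SEQUENCE { type, value }
    _, _, end = read_tlv(name_der, p)   # type OID
    _, s, e = read_tlv(name_der, end)   # value
    return name_der[s:e].decode("utf-8", "replace")


PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)-----END \1-----", re.S)


def pem_blocks(text: str):
    """Split a PEM bundle into (label, der_bytes) pairs, in file order."""
    return [(m.group(1), base64.b64decode(m.group(2))) for m in PEM_BLOCK.finditer(text)]


def check_chain_order(bundle: str):
    """Check that the CERTIFICATE blocks are in server-first order, each one
    followed by its issuer's certificate.  Returns (ok, list of messages)."""
    certs = [subject_issuer(der) for label, der in pem_blocks(bundle) if label == "CERTIFICATE"]
    if not certs:
        return False, ["no CERTIFICATE block found"]
    msgs, ok = [], True
    for i in range(len(certs) - 1):
        subject, issuer = certs[i]
        next_subject, _ = certs[i + 1]
        if issuer == next_subject:
            msgs.append(f"cert {i + 1} ({first_attribute(subject)}) is issued by cert {i + 2}")
        else:
            ok = False
            msgs.append(f"cert {i + 2} ({first_attribute(next_subject)}) is not the issuer of "
                        f"cert {i + 1} ({first_attribute(subject)})")
    return ok, msgs


# ---------- constructed test certificates (structure only, no real keys) ----------

OID_COMMON_NAME = tlv(0x06, bytes([0x55, 0x04, 0x03]))  # id-at-commonName 2.5.4.3


def name(cn: str) -> bytes:
    return tlv(0x30, tlv(0x31, tlv(0x30, OID_COMMON_NAME + tlv(0x0C, cn.encode()))))


def fake_cert(subject_cn: str, issuer_cn: str) -> str:
    """A syntactically valid but unsigned certificate as PEM text (constructed)."""
    tbs = b"".join([
        tlv(0xA0, tlv(0x02, b"\x02")),  # [0] version v3
        tlv(0x02, b"\x01"),             # serialNumber
        tlv(0x30, b""),                 # signature algorithm (placeholder)
        name(issuer_cn),
        tlv(0x30, b""),                 # validity (placeholder)
        name(subject_cn),
        tlv(0x30, b""),                 # subjectPublicKeyInfo (placeholder)
    ])
    der = tlv(0x30, tlv(0x30, tbs) + tlv(0x30, b"") + tlv(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"


LEAF = fake_cert("mail.example.com", "Example Intermediate CA")
INTERMEDIATE = fake_cert("Example Intermediate CA", "Example Root CA")
GOOD_BUNDLE = "-----BEGIN PRIVATE KEY-----\nAA==\n-----END PRIVATE KEY-----\n" + LEAF + INTERMEDIATE
BAD_BUNDLE = INTERMEDIATE + LEAF  # intermediate first: wrong order

if __name__ == "__main__":
    for label, bundle in (("good", GOOD_BUNDLE), ("bad", BAD_BUNDLE)):
        ok, msgs = check_chain_order(bundle)
        print(label, "->", "OK" if ok else "WRONG ORDER", msgs)
```

The walker reads the standard TBSCertificate field order (version, serial, signature algorithm, issuer, validity, subject), so it works on real certificates from your provider as well as on the constructed ones; comparing the raw DER Names rather than printable strings avoids the string-encoding mismatches that make issuer/subject comparisons by text unreliable.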


Blocking .wwf attachments

Some idiotic German 'invented' a way to 'save trees': converting your attachments to .wwf format, a special .pdf format that blocks printing. While this may be a great feature to block the printing of contracts and the like if you're running a malicious company, most people simply don't want this.

So the big question is: How do I block .wwf files?

Postfix

In /etc/postfix/main.cf, uncomment or add the following line:
header_checks = pcre:/etc/postfix/header_checks

Then edit /etc/postfix/header_checks and add the following line:
/Content-Disposition: .*\.wwf"/ REJECT Please don't send .wwf files.
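The rule above only matches a Content-Disposition header whose filename is quoted and ends in .wwf", so an unquoted filename, a Content-Type name= parameter or an RFC 2231 filename*= form slips past it. The script below is an added example, not code from the post: it parses a Postfix pcre header_checks line, applies it to constructed sample headers the way Postfix does (one unfolded logical header at a time, case-insensitive by default, first matching rule wins), and compares the post's rule with a broader one. Postfix applies header_checks to the primary headers and, since mime_header_checks defaults to $header_checks, to the MIME part headers as well; the header_checks file syntax and the Python `re` module are assumed to agree for these patterns.

```python
import re

# /pattern/flags ACTION optional text  (Postfix pcre_table line shape)
RULE_RE = re.compile(r"^/((?:\\.|[^/\\])*)/([a-zA-Z]*)\s+(\S+)(?:\s+(.*))?$")


def parse_rule(line: str):
    """Parse one Postfix pcre header_checks line into (regex, action, text).
    Postfix pcre tables match case-insensitively by default; the 'i' flag
    toggles that, and 'x' enables extended (whitespace-ignoring) syntax."""
    m = RULE_RE.match(line)
    if not m:
        raise ValueError(f"not a /pattern/ ACTION rule: {line!r}")
    pattern, flags, action, text = m.groups()
    re_flags = 0 if "i" in flags else re.IGNORECASE
    if "x" in flags:
        re_flags |= re.VERBOSE
    return re.compile(pattern, re_flags), action, text or ""


def apply_rules(rules, headers):
    """Return [(header, action, text)] for each header some rule matches.
    Postfix hands header_checks one logical (unfolded) header at a time and
    stops at the first matching rule, so the sample headers are unfolded."""
    hits = []
    for header in headers:
        for regex, action, text in rules:
            if regex.search(header):
                hits.append((header, action, text))
                break
    return hits


def rejected_headers(rule_line, headers):
    """Headers that a single rule line would act on."""
    return [h for h, _, _ in apply_rules([parse_rule(rule_line)], headers)]


# The rule from the post, exactly as written in /etc/postfix/header_checks.
PAGE_RULE = r"""/Content-Disposition: .*\.wwf"/ REJECT Please don't send .wwf files."""

# Broader rule: anchored to the two attachment headers, accepts quoted,
# unquoted and RFC 2231 (filename*=) parameter forms, and also Content-Type name=.
BROADER_RULE = r"""/^Content-(Disposition|Type):.*name\*?=\s*"?[^";]*\.wwf\b/ REJECT Please don't send .wwf files."""

# Constructed sample headers, already unfolded as Postfix presents them.
SAMPLE_HEADERS = [
    'Content-Disposition: attachment; filename="save-trees.wwf"',     # quoted: both rules match
    'Content-Disposition: attachment; filename=report.wwf',           # unquoted: post's rule misses
    'Content-Type: application/pdf; name="contract.WWF"',             # only Content-Type carries the name
    "Content-Disposition: attachment; filename*=utf-8''save%20trees.wwf",  # RFC 2231 form
    'Content-Disposition: inline; filename="photo.jpg"',              # must pass
    'Subject: please print the attached .wwf"',                       # not an attachment header
]

if __name__ == "__main__":
    for label, rule in (("page rule", PAGE_RULE), ("broader rule", BROADER_RULE)):
        print(label, "rejects:")
        for header in rejected_headers(rule, SAMPLE_HEADERS):
            print("   ", header)
```

Before deploying a widened pattern, run `postmap -q - pcre:/etc/postfix/header_checks < sample-headers.txt` on headers from real mail (including ones that must pass), since a rule like this rejects the whole message on a single matching header.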

Exchange

Attachment blocking in Exchange is usually performed by a virus scanner/spam filter. You could use, for example, Trend Micro or GFI to block .wwf files.

Sendmail

Depending on your setup, you could use amavisd-new, MailScanner or procmail to block .wwf files.

qmail

To block attachments with qmail, you'll need Simscan. Simscan is a simple program that enables the qmail smtpd service to reject viruses and spam and to block attachments during the SMTP conversation, so the processing load on the email system is kept to a minimum. The project is open source and uses other open source components. It is small, very efficient and written in C.
