[Esa-l]Special handling of local mail [was: Help with hybris getting thru filters]

Tommy Lindqvist lindqt at space.se
Fri Jun 8 02:35:14 PDT 2001


Actually, this may not work in all cases.. 

If you are using a proxy-based firewall like TIS or Gauntlet,
the firewall puts its own Received header on the mail before it reaches
your mailserver.

Otherwise this Received would have worked very well. ( Maybe an if-then-else
construct would do the job.. )


This is how it looks for us.  We have

Internet ---> Gauntlet FW ---> Mailserver
                                   v
                                 Filter

Received: from outsidefw.space.se (insidefw [10.112.XXX.XXX])
	by mailserver.space.se (8.8.8+Sun/8.8.8) with ESMTP id EAA07292
	for <tommy.lindqvist at space.se>; Fri, 8 Jun 2001 04:11:12 +0200 (MET DST)
Received: by outsidefw.space.se; id EAA21693; Fri, 8 Jun 2001 04:11:11
+0200 (MET DST)
Received: from vhost.spconnect.com(204.96.XXX.XXX) by insidefw.space.se via
smap (V5.5)
	id xma021684; Fri, 8 Jun 01 04:10:41 +0200
Received: from merlin.spconnect.com (localhost [127.0.0.1])
	by merlin.spconnect.com (Postfix) with ESMTP
	id 9AFD1C0D4; Thu,  7 Jun 2001 19:10:08 -0700 (PDT)
Delivered-To: esa-l at spconnect.com
Received: from gypsy.impsec.org (evt-pm3-1-p161.wolfenet.com
  [206.159.XXX.XXX]) by merlin.spconnect.com (Postfix) with SMTP id
  2208FC065 for <esa-l at spconnect.com>; Thu,  7 Jun 2001 19:08:32 -0700
  (PDT)
Received: from localhost (IDENT:jhardin at localhost [127.0.0.1]) by
  gypsy.impsec.org (8.9.3/8.8.8) with ESMTP id TAA11050 for
  <esa-l at spconnect.com>; Thu, 7 Jun 2001 19:05:16 -0700

At 19:05 2001-06-07 -0700, John D. Hardin wrote:
>On Thu, 7 Jun 2001, Rick Thompson wrote:
>
>> Ok....I follow this logic.  So I need to have a special case
>> MANGLE_EXTENSIONS, just for internal mail, and let all mail be
>> filtered.  I don't have a problem filtering internal mail, but I
>> don't want to mangle extensions on M$ Office files (yeah I know
>> its prob a bad idea).  Everything else would be the same as
>> external mail.  But I don't want to let these spoofed headers/no
>> header messages slip thru either.
>
>Exactly correct.
>
>> So the question is what do I key the special case from if I can't
>> use messageid or sender?
>
>Well, let's take a look at your internal mail system...
> 
>> Typical Internal mail header:
>> 
>> Return-Path: <ssunderman at motleypc.com>
>> Received: from ssunderman (ssunderman.motleypc.com [192.168.1.26])
>> 	by prometheus.motleypc.com (8.11.0/8.11.0/SuSE Linux 8.11.0-0.4) with SMTP
>> id f56KmOZ05956
>> 	for <rthompson at motleypc.com>; Wed, 6 Jun 2001 16:48:24 -0400
>> From: "Steve Sunderman" <ssunderman at motleypc.com>
>> To: "Rick Thompson" <rthompson at motleypc.com>
>> Subject: RE: Ellis Hall Millwork
>> Date: Wed, 6 Jun 2001 16:56:13 -0400
>> Message-ID: <NCBBJKBNCJNJBOCLCDEICEPHCPAA.ssunderman at motleypc.com>
>
>I would suggest something like the following:
>
>SECURITY_STRIP_MSTNEF=Y
>
>:0
>* ^Received: from [a-z0-9\.]+ \([a-z0-9\.]+\.motleypc\.com \[192\.168\.1\.[0-9]+\]\) by prometheus\.motleypc\.com
>{
>   MANGLE_EXTENSIONS='looser list'
>   SECURITY_STRIP_MSTNEF=
>   etc...
>}
>
>Looking for your domain name and IP address as the source of the
>message in a Received header should positively identify the message as
>being locally originated. In order for this to be forged someone
>would pretty much have to do it by hand.
>
>--
> John Hardin KA7OHZ   ICQ#15735746   http://www.wolfenet.com/~jhardin/
> jhardin at wolfenet.com      pgpk -a finger://gonzo.wolfenet.com/jhardin
>  768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76 
> 1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
>-----------------------------------------------------------------------
>  An entitlement beneficiary is a person or special interest group
>  who didn't earn your money, but demands the right to take your
>  money because they *want* it.
>                                  -- John McKay, _The Welfare State:
>                                     No Mercy for the Middle Class_
>-----------------------------------------------------------------------
>   1244 days until the Presidential Election
>_______________________________________________
>E-mail Security Announce list mailing list
>E-mail Security Announce list at spconnect.com
>http://www.spconnect.com/mailman/listinfo/esa-l
>
--
Systems Manager      |\      _,,,---,,_      Saab Ericsson Space AB
Postmaster          /,`.-'`'    -.  ;-;;,_   tommy.lindqvist at space.se
                   |,4-  ) )-,_. ,\ (  `'-'  +46 (0)31 735 4391
***************   '---''(_/--'  `-'_)
Tommy Lindqvist
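As an added illustration of the two cases discussed in this thread (this is not code from the list, the sanitizer, or either poster): a small Python classifier that reads the topmost Received header, treats a LAN source as locally originated, and, following Tommy's point, treats a hop that came in through the proxy firewall's inside interface as external even though its address is on the LAN. The hostnames, network, and sample messages are constructed assumptions modelled on the headers quoted above.

```python
import email
import ipaddress
import re

# Constructed assumptions: the LAN the "local mail" rule should cover, and the
# names the proxy firewall's inside interface shows up as in Received headers.
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")
FIREWALL_HOSTS = {"insidefw", "insidefw.example.net"}

# sendmail-style "from <helo> (<reverse-name> [<ip>]) by <relay>" clause;
# folding whitespace is collapsed before matching so wrapped headers work.
RECEIVED_RE = re.compile(
    r"from\s+(\S+)\s+\((\S+)\s+\[([\d.]+)\]\)\s+by\s+(\S+)", re.IGNORECASE)

def parse_received(value):
    """Return (helo, reverse_name, ip, relay) from one Received header, or None."""
    m = RECEIVED_RE.search(" ".join(value.split()))   # unfold first
    return m.groups() if m else None

def classify_origin(raw_message):
    """'internal' only when the last hop came straight from a LAN host that is
    not the firewall; anything else (no trace header, unparsable clause,
    non-LAN address, or a hop via the firewall) is 'external'."""
    msg = email.message_from_string(raw_message)
    hops = msg.get_all("Received") or []
    parsed = parse_received(hops[0]) if hops else None
    if parsed is None:
        return "external"                  # nothing trustworthy to key on
    helo, rname, ip, _relay = parsed
    try:
        if ipaddress.ip_address(ip) not in INTERNAL_NET:
            return "external"
    except ValueError:
        return "external"                  # malformed address literal
    if rname.lower() in FIREWALL_HOSTS or helo.lower() in FIREWALL_HOSTS:
        return "external"                  # relayed in by the proxy firewall
    return "internal"

# Constructed samples: a LAN-originated message and one relayed via smap.
LOCAL_MSG = """Received: from ssunderman (ssunderman.example.net [192.168.1.26])
\tby prometheus.example.net (8.11.0/8.11.0) with SMTP id f56KmOZ05956
\tfor <rthompson@example.net>; Wed, 6 Jun 2001 16:48:24 -0400
Subject: internal test

body
"""
FIREWALL_MSG = """Received: from outsidefw.example.net (insidefw [192.168.1.1])
\tby mailserver.example.net (8.8.8+Sun/8.8.8) with ESMTP id EAA07292
\tfor <tommy@example.net>; Fri, 8 Jun 2001 04:11:12 +0200 (MET DST)
Received: from vhost.example.org(203.0.113.5) by insidefw.example.net via smap
\tid xma021684; Fri, 8 Jun 01 04:10:41 +0200
Subject: external test

body
"""
```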


