[Esd-l] security_notify_sender

Jason Noble sysadmin at polezero.com
Thu Feb 7 06:08:00 PST 2002


On 2002.02.06 14:34 Joe Steele wrote:
> On Wednesday, February 06, 2002 1:35 PM, Jason Noble wrote:
> > > As far as failure of 'SECURITY_NOTIFY_SENDER', sender notification is
> > > skipped if the following pattern fails to match:
> > > * !  ^FROM_DAEMON
> >
> > Is this something I caused to happen? or is it a problem with the mail
> > sanitizer?
> 
> Sorry for not being very clear.  As 'man procmailrc' says,
> 'FROM_DAEMON' is shorthand for a lengthy pattern that is intended to
> match messages sent from daemons/servers/etc.  You can see the full
> expansion of the pattern down below.
> 
> >
> > >
> > > Your debug log showed the above pattern match failed, so notification
> > > of sender did not occur.  The failure shows up as:
> > >
> > > procmail: No match on !
> > > "(^(Mailing-List:|Precedence:.*(junk|bulk|list)|To:
> > > Multiple recipients of
> > > |(((Resent-)?(From|Sender)|X-Envelope-From):|>?From
> > > 
> )([^>]*[^(.%@a-z0-9])?(Post(ma?(st(e?r)?|n)|office)|(send)?Mail(er)?|daemon|m(mdf|ajordomo)|n?uucp|LIST(SERV|proc)|NETSERV|o(wner|ps)|r(e(quest|sponse)|oot)|b(ounce|bs\.smtp)|echo|mirror|s(erv(ices?|er)|mtp(error)?|ystem)|A(dmin(istrator)?|MMGR|utoanswer))(([^).!:a-z0-9][-_a-z0-9]*)?[%@>
> > >
> > > ][^<)]*(\(.*\).*)?)?$([^>]|$)))"
> > >
> >
> 
> Now, if you cross your eyes and squint, you will see that somewhere
> in the above pattern that it says:
> 
> ! "From: root"
> 
> (honestly, it really does).  I suspect you were testing your
> sanitizer setup with a test message from root to yourself.  The
> sanitizer will not 'notify sender' if the sender is root or any other
> daemon that matches the expanded 'FROM_DAEMON' pattern.  Try testing
> it again with a test message sent from a normal user and see if it
> works.
> 
> --Joe
> 

OK, I can't seem to figure out what I'm doing wrong.
I'm not sending from root, I'm using an account that's not even from our 
company.
I get the "SECURITY WARNING" from the "Procmail Security daemon" and in 
this message it too says that the ^From is really root.
Now I think this problem is being caused by sendmail. Most likely my 
sendmail.cf is not correct, but I really don't have enough experience to 
see where my error is.


REPORT: Trapped poisoned executable "testing.exe"
REPORT: Not a document, or already poisoned by filename. Not scanned for
macros.
STATUS: Message quarantined in /var/spool/mail/quarantine, not delivered to
recipient.

Headers from message:

> From root  Thu Feb  7 08:55:49 2002
> Return-Path: <nobleja at fuse.net>
> Received: from mta02.fuse.net (mx2.fuse.net [216.68.1.120])
>       by mail.polezero.com (8.11.6/8.11.3) with ESMTP id g17Dtgp01429
>       for <nobleja at polezero.com>; Thu, 7 Feb 2002 08:55:42 -0500
> Received: from there ([216.68.181.90]) by mta02.fuse.net
>           (InterMail vM.5.01.03.01 201-253-122-118-101-20010319) with 
> SMTP
>           id <20020207135535.PSNX14376.mta02.fuse.net at there>
>           for <nobleja at polezero.com>; Thu, 7 Feb 2002 08:55:35 -0500
> From: Jason Noble <nobleja at fuse.net>
> To: nobleja at polezero.com
> Subject: testing
> Date: Tue, 5 Feb 2002 08:18:52 -0500
> X-Mailer: KMail [version 1.3.1]
> MIME-Version: 1.0
> X-Security: MIME headers sanitized on mail.polezero.com
>       See http://www.impsec.org/email-tools/sanitizer-intro.html
>       for details. $Revision: 1.133 $Date: 2002-01-05 17:09:21-08 
> Content-Type: Multipart/Mixed;
>   boundary="------------Boundary-00=_GBA294V3KR1VSAJ97G8K"
> Message-Id: <20020207135535.PSNX14376.mta02.fuse.net at there>
> 
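
An added diagnostic, not part of the original thread and not the sanitizer's own code: it runs the FROM_DAEMON expansion quoted in the log above over the header lines of the quarantined message to show which line trips the `* ! ^FROM_DAEMON` condition. Assumptions: the whitespace lost where the archive wrapped the pattern is a space (or space/tab inside the character class), and Python's `re` with case-insensitive matching stands in for procmail's regex engine.

```python
import re

# FROM_DAEMON as quoted in the procmail log above. Assumption: each place the
# archive wrapped the pattern held a space (space/tab in the character class).
FROM_DAEMON = re.compile(
    r"(^(Mailing-List:|Precedence:.*(junk|bulk|list)|To: Multiple recipients of "
    r"|(((Resent-)?(From|Sender)|X-Envelope-From):|>?From )"
    r"([^>]*[^(.%@a-z0-9])?"
    r"(Post(ma?(st(e?r)?|n)|office)|(send)?Mail(er)?|daemon|m(mdf|ajordomo)"
    r"|n?uucp|LIST(SERV|proc)|NETSERV|o(wner|ps)|r(e(quest|sponse)|oot)"
    r"|b(ounce|bs\.smtp)|echo|mirror|s(erv(ices?|er)|mtp(error)?|ystem)"
    r"|A(dmin(istrator)?|MMGR|utoanswer))"
    r"(([^).!:a-z0-9][-_a-z0-9]*)?[%@> \t][^<)]*(\(.*\).*)?)?$([^>]|$)))",
    re.I,  # procmail conditions are case-insensitive by default
)

# Header lines copied from the quarantined message above (the archive's
# " at " address obfuscation is kept as shown).
QUARANTINED = """\
From root  Thu Feb  7 08:55:49 2002
Return-Path: <nobleja at fuse.net>
From: Jason Noble <nobleja at fuse.net>
To: nobleja at polezero.com
Subject: testing
X-Mailer: KMail [version 1.3.1]
"""

# Constructed variant: the same headers with the real sender on the
# envelope "From " line instead of root.
FIXED = QUARANTINED.replace("From root ", "From nobleja at fuse.net ", 1)


def daemon_lines(headers):
    """Return the header lines that the FROM_DAEMON pattern matches."""
    return [line for line in headers.splitlines() if FROM_DAEMON.match(line)]


def would_notify(headers):
    """Notification is attempted only when '* ! ^FROM_DAEMON' holds."""
    return not daemon_lines(headers)


if __name__ == "__main__":
    for name, hdrs in (("quarantined", QUARANTINED), ("constructed", FIXED)):
        print(name, "notify sender:", would_notify(hdrs), daemon_lines(hdrs))
```

Only the envelope `From root` line matches; the `From:` header with the real sender does not, so the notification step is skipped because of the envelope line alone.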


