On 31.01.2011 14:54, Nigel Kukard wrote:
> Hi,
>
> [snip]
>> Quota, policies, limits set with the webui interface are effectively
>> applied on usual port:25 smtpd mails, but users connected on ports 587
>> and 465 using TLS seem to bypass the cbpolicyd rules.
>> It looks a lot like this recent thread:
>>
>> http://lists.policyd.org/pipermail/users/2011-January/003238.html
>>
>> so I tried to apply the same recipe, without being successful...
>>
>> Should I also tweak the master.cf config file?
>> Thanks a lot for any hint.
>
> Can you enable full debugging and paste?
>
> Regards
> Nigel
>

Hello Nigel,

here is a sample of /var/log/cbpolicyd.log

[2011/01/31-15:22:06 - 16105] [CORE] NOTICE: Process Backgrounded
[2011/01/31-15:22:06 - 16105] [CBPOLICYD] NOTICE: Policyd v2 / Cluebringer - v2.0.10
[2011/01/31-15:22:06 - 16105] [CBPOLICYD] NOTICE: Initializing system modules.
[2011/01/31-15:22:06 - 16105] [CBPOLICYD] NOTICE: System modules initialized.
[2011/01/31-15:22:06 - 16105] [CBPOLICYD] NOTICE: Module load started...
[2011/01/31-15:22:06 - 16105] [CORE] NOTICE: => AccessControl: enabled
[2011/01/31-15:22:06 - 16105] [CORE] NOTICE: => CheckHelo: enabled
[2011/01/31-15:22:06 - 16105] [CORE] NOTICE: => CheckSPF: enabled
[2011/01/31-15:22:06 - 16105] [CORE] NOTICE: => Greylisting: enabled
[2011/01/31-15:22:06 - 16105] [CORE] NOTICE: => Quotas: enabled
[2011/01/31-15:22:06 - 16105] [CORE] NOTICE: => Protocol(Postfix): enabled
[2011/01/31-15:22:06 - 16105] [CORE] NOTICE: => Protocol(Bizanga): enabled
[2011/01/31-15:22:06 - 16105] [CBPOLICYD] NOTICE: Module load done.
[2011/01/31-15:22:06 - 16105] [CBPOLICYD] DEBUG: Opening syslog, destination = 'unix', facility = 'mail'.
[2011/01/31-15:22:06 - 16105] [CORE] NOTICE: 2011/01/31-15:22:06 cbp (type Net::Server::PreFork) starting! pid(16105)
[2011/01/31-15:22:06 - 16105] [CORE] NOTICE: Using default listen value of 128
[2011/01/31-15:22:06 - 16105] [CORE] NOTICE: Binding to TCP port 10031 on host *
[2011/01/31-15:22:06 - 16105] [CORE] WARNING: Group Not Defined. Defaulting to EGID '0 0 1 2 3 4 6 10'
[2011/01/31-15:22:06 - 16105] [CORE] WARNING: User Not Defined. Defaulting to EUID '0'
[2011/01/31-15:22:06 - 16105] [CORE] INFO: Setting up serialization via flock
[2011/01/31-15:22:06 - 16105] [CORE] INFO: Beginning prefork (4 processes)
[2011/01/31-15:22:06 - 16105] [CORE] INFO: Starting "4" children
[2011/01/31-15:22:06 - 16108] [CORE] DEBUG: Child Preforked (16108)
[2011/01/31-15:22:06 - 16108] [CBPOLICYD] DEBUG: Starting up caching engine
[2011/01/31-15:22:06 - 16109] [CORE] DEBUG: Child Preforked (16109)
[2011/01/31-15:22:06 - 16109] [CBPOLICYD] DEBUG: Starting up caching engine
[2011/01/31-15:22:06 - 16110] [CORE] DEBUG: Child Preforked (16110)
[2011/01/31-15:22:06 - 16110] [CBPOLICYD] DEBUG: Starting up caching engine
[2011/01/31-15:22:06 - 16105] [CORE] DEBUG: Parent ready for children.
[2011/01/31-15:22:06 - 16111] [CORE] DEBUG: Child Preforked (16111)
[2011/01/31-15:22:06 - 16111] [CBPOLICYD] DEBUG: Starting up caching engine
[2011/01/31-15:22:34 - 16105] [CORE] INFO: Starting "1" children
[2011/01/31-15:22:34 - 16108] [CORE] INFO: 2011/01/31-15:22:34 CONNECT TCP Peer: "127.0.0.1:35905" Local: "127.0.0.1:10031"
[2011/01/31-15:22:34 - 16146] [CORE] DEBUG: Child Preforked (16146)
[2011/01/31-15:22:34 - 16146] [CBPOLICYD] DEBUG: Starting up caching engine
[2011/01/31-15:22:35 - 16109] [CORE] INFO: 2011/01/31-15:22:35 CONNECT TCP Peer: "127.0.0.1:35906" Local: "127.0.0.1:10031"
[2011/01/31-15:23:05 - 16105] [CORE] INFO: Killing "1" children
[2011/01/31-15:23:05 - 16146] [CBPOLICYD] DEBUG: Shutting down caching engine (16146)
[2011/01/31-15:23:35 - 16105] [CORE] INFO: Starting "1" children
[2011/01/31-15:23:35 - 16110] [CORE] INFO: 2011/01/31-15:23:35 CONNECT TCP Peer: "127.0.0.1:41388" Local: "127.0.0.1:10031"
[2011/01/31-15:23:35 - 16247] [CORE] DEBUG: Child Preforked (16247)
[2011/01/31-15:23:35 - 16247] [CBPOLICYD] DEBUG: Starting up caching engine
[2011/01/31-15:23:36 - 16111] [CORE] INFO: 2011/01/31-15:23:36 CONNECT TCP Peer: "127.0.0.1:41390" Local: "127.0.0.1:10031"
[same message repeated 10 times]
[2011/01/31-15:25:15 - 16105] [CORE] INFO: Killing "1" children
[2011/01/31-15:25:15 - 16111] [CBPOLICYD] DEBUG: Shutting down caching engine (16111)
[2011/01/31-15:25:51 - 16109] [CORE] INFO: 2011/01/31-15:25:51 CONNECT TCP Peer: "127.0.0.1:41512" Local: "127.0.0.1:10031"
[2011/01/31-15:25:51 - 16105] [CORE] INFO: Starting "1" children
[above messages repeated]
[2011/01/31-15:28:35 - 16247] [CBPOLICYD] ERROR: Protocol data validation error, required parameter 'sender' was not found or invalid format
[2011/01/31-15:28:36 - 16789] [CORE] INFO: 2011/01/31-15:28:36 CONNECT TCP Peer: "127.0.0.1:41977" Local: "127.0.0.1:10031"

and here are a few lines of postfix log concerning policyd (the rest of the logs look the same), only connections on port:25, messages sent through port 587 or 465 are ignored:

Jan 31 15:29:30 nilus cbpolicyd[16537]: module=Quotas, mode=update, host=193.49.225.82, helo=mx02.univ-lille1.fr, [email protected], [email protected], reason=quota_update, policy=6, quota=3, limit=4, track=Sender:[email protected], counter=MessageCount, quota=1/30 (3.3%)
Jan 31 15:31:10 nilus cbpolicyd[16537]: module=Quotas, mode=update, host=193.49.225.19, helo=smtp01.univ-lille1.fr, [email protected], [email protected], reason=quota_update, policy=6, quota=3, limit=4, track=Sender:[email protected], counter=MessageCount, quota=1/30 (3.3%)

for instance this message I've just sent:

Jan 31 16:06:42 nilus postfix/smtpd[19518]: SSL_accept:SSLv3 read finished A
Jan 31 16:06:42 nilus postfix/smtpd[19518]: SSL_accept:SSLv3 write change cipher spec A
Jan 31 16:06:42 nilus postfix/smtpd[19518]: SSL_accept:SSLv3 write finished A
Jan 31 16:06:42 nilus postfix/smtpd[19518]: SSL_accept:SSLv3 flush data
Jan 31 16:06:42 nilus postfix/smtpd[19518]: TLS connection established from tretus.univ-lille1.fr[134.206.80.237]: TLSv1 with cipher AES256-SHA (256/256 bits)
Jan 31 16:06:42 nilus postfix/smtpd[19518]: 4DC8E981EA: client=tretus.univ-lille1.fr[134.206.80.237], sasl_method=PLAIN, sasl_username=xxxx
Jan 31 16:06:42 nilus postfix/cleanup[19519]: 4DC8E981EA: message-id=<[email protected]>

is not intercepted by the policy service.

Does sasl_username have something to do with this issue?
I grabbed the Book Of Postfix, but still have no clue...

Many thanks for your help

regards,
sebastien
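
Added example, not part of the original message and not code from the policyd project: a way to confirm from the mail log which accepted messages never produced a cbpolicyd decision, as described above for the submission ports. The function name and the sample lines are constructed for illustration, and matching on client IP alone is a simplifying assumption (a host that uses both port 25 and 587 would need a time window as well).

```python
import re

# Constructed sample (not from the original message); field layout follows the
# log lines quoted above, trimmed to the fields this check reads.
SAMPLE_LOG = """\
Jan 31 15:29:29 mx postfix/smtpd[19001]: 0A1B2C3D4E: client=mx02.example.org[192.0.2.10]
Jan 31 15:29:30 mx cbpolicyd[16537]: module=Quotas, mode=update, host=192.0.2.10, helo=mx02.example.org, reason=quota_update, policy=6
Jan 31 16:06:42 mx postfix/smtpd[19518]: 5F6A7B8C9D: client=laptop.example.org[198.51.100.7], sasl_method=PLAIN, sasl_username=alice
Jan 31 16:06:42 mx postfix/cleanup[19519]: 5F6A7B8C9D: message-id=<constructed-1@example.org>
Jan 31 16:10:03 mx postfix/smtpd[19530]: 6E7F8A9B0C: client=desk.example.org[198.51.100.8], sasl_method=PLAIN, sasl_username=bob
Jan 31 16:10:03 mx cbpolicyd[16537]: module=Quotas, mode=update, host=198.51.100.8, helo=desk.example.org, reason=quota_update, policy=6
"""

# A cbpolicyd decision line: any module, keyed on the host= field.
POLICY_RE = re.compile(r"cbpolicyd\[\d+\]: module=\w+,.*?\bhost=([0-9A-Fa-f.:]+)")
# A postfix smtpd "message accepted" line: queue ID, client name[ip], optional SASL user.
SMTPD_RE = re.compile(
    r"postfix/smtpd\[\d+\]: ([0-9A-F]+): client=(\S+?)\[([0-9A-Fa-f.:]+)\]"
    r"(?:.*?sasl_username=([^,\s]+))?"
)

def unchecked_messages(log_text):
    """Return accepted messages whose client IP never appears in a cbpolicyd line."""
    policy_hosts = set()
    accepted = []
    for line in log_text.splitlines():
        m = POLICY_RE.search(line)
        if m:
            policy_hosts.add(m.group(1))
            continue
        m = SMTPD_RE.search(line)
        if m:
            queue_id, name, ip, user = m.groups()
            accepted.append({"queue_id": queue_id, "client": name,
                             "ip": ip, "sasl_username": user})
    # Second pass so that policy lines logged after the smtpd line still count.
    return [msg for msg in accepted if msg["ip"] not in policy_hosts]

if __name__ == "__main__":
    for msg in unchecked_messages(SAMPLE_LOG):
        print("no policy decision logged for", msg)
```

Run against the real mail log, a result dominated by entries that carry a sasl_username points at the authenticated submission path as the one that is not consulting the policy daemon.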
