Question for WV? [Fwd: Re: [dkim-milter-beta] dkim-filter 2.4.0.Beta* failing with protocol error]

From: Tony Earnshaw (tonnihetnet.nl)
Date: Tue Nov 13 2007 - 11:56:35 CST


Sorry, Wietse, to bother you with the attached.

But as my original message states, "Whilst 2.3.2 does an ok job, all (?)
versions of 2.4.0 are" failing.

What can I offer of Postfix milter details?

1511 [root:tru.leerlingen] /etc/postfix # postconf -n | grep milter

Nothing.

1512 [root:tru.leerlingen] /etc/postfix # postconf | grep milter
milter_command_timeout = 30s
milter_connect_macros = j {daemon_name} v
milter_connect_timeout = 30s
milter_content_timeout = 300s
milter_data_macros = i
milter_default_action = tempfail
milter_end_of_data_macros = i
milter_helo_macros = {tls_version} {cipher} {cipher_bits} {cert_subject} {cert_issuer}
milter_macro_daemon_name = $myhostname
milter_macro_v = $mail_name $mail_version
milter_mail_macros = i {auth_type} {auth_authen} {auth_author} {mail_addr}
milter_protocol = 2
milter_rcpt_macros = i {rcpt_addr}
milter_unknown_command_macros =
non_smtpd_milters =
smtpd_milters =

1516 [root:tru.leerlingen] /etc/postfix # grep '^[^#]' master.cf

smtp inet n - n - 100 smtpd
     -o smtp_send_xforward_command=yes
     -o smtpd_proxy_filter=10024
     -o smtpd_proxy_timeout=200s
     -o smtp_use_tls=no
     -o smtp_skip_quit_response=no
     -o receive_override_options=no_header_body_checks
     -o smtp_destination_concurrency_limit=100
     -o disable_mime_output_conversion=yes
:10025 inet n - n - 100 smtpd
     -o content_filter=lmtp:[127.0.0.1]:24
     -o lmtp_send_xforward_command=yes
     -o lmtp_destination_concurrency_limit=5
     -o smtpd_client_restrictions=
     -o smtpd_helo_restrictions=
     -o smtpd_sender_restrictions=
     -o smtpd_error_sleep_time=0
     -o smtpd_recipient_restrictions=permit_mynetworks,reject
     -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
     -o disable_mime_output_conversion=yes
:10026 inet n - n - 100 smtpd
     -o content_filter=
     -o smtpd_client_restrictions=
     -o smtpd_helo_restrictions=
     -o smtpd_sender_restrictions=
     -o smtpd_error_sleep_time=0
     -o smtpd_recipient_restrictions=permit_mynetworks,reject
     -o receive_override_options=no_unknown_recipient_checks
     -o smtpd_milters=inet:localhost:10004
     -o milter_default_action=accept
     -o milter_macro_daemon_name=ORIGINATING
     -o disable_mime_output_conversion=yes
smtps inet n - n - 1000 smtpd
     -o smtpd_tls_wrappermode=yes
     -o smtpd_sender_restrictions=permit_sasl_authenticated,reject
     -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
     -o smtpd_proxy_filter=10024
     -o smtpd_proxy_timeout=200s
     -o smtp_use_tls=no
     -o smtp_skip_quit_response=no
     -o smtpd_client_connection_count_limit=0
     -o smtpd_destination_concurrency_limit=100
     -o disable_mime_output_conversion=yes
plainsmtp unix n - n - 500 smtp
     -o smtp_use_tls=no

submission inet n - n - 500 smtpd
     -o smtpd_enforce_tls=yes
     -o smtpd_sasl_auth_enable=yes
     -o smtp_host_lookup=dns
     -o smtpd_proxy_filter=10024
     -o smtpd_proxy_timeout=200s
     -o smtp_use_tls=no
     -o disable_mime_output_conversion=yes
smtp unix - - n - 500 smtp
     -o smtp_data_done_timeout=1200
     -o smtp_discard_ehlo_keywords=silent-discard,8bitmime
     -o disable_mime_output_conversion=yes
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
     -o header_checks=pcre:/etc/postfix/maps/header_checks.pcre
     -o body_checks=pcre:/etc/postfix/maps/body_checks.pcre
qmgr fifo n - n 300 1 qmgr
tlsmgr unix - - n 300 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
relay unix n - n - - smtp
     -o smtp_helo_timeout=5
     -o smtp_connect_timeout=5
showq unix n - n - - showq
error unix - - n - - error
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - 5 lmtp
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
discard unix - - n - - discard
retry unix - - n - - error
maildrop unix - n n - - pipe
     flags=DRhu user=vmail
     argv=/usr/bin/maildrop -w 80 -d ${user} ${sender} ${recipient} ${extension} ${user}
wachtwoord unix - n n - - pipe
     user=filter
     flags=Rq argv=/usr/local/bin/wachtwoord -f ${sender} -- ${recipient}
mailman unix - n n - - pipe
     flags=FR user=mailman:mailman
     argv=/usr/local/mailman/postfix-to-mailman.py ${nexthop} ${user}

Best.

--Tonni

--
Tony Earnshaw
Email: tonni at hetnet dot nl

attached mail follows:


Murray S. Kucherawy wrote, on 13-11-2007 18:17:

> On Tue, 13 Nov 2007, Tony Earnshaw wrote:
>> Whilst 2.3.2 does an ok job, all (?) versions of 2.4.0 are giving "Nov
>> 13 11:06:02 tru dkim-filter[12998]: Sendmail DKIM Filter:
>> st_optionneg[-1240769648]: xxfi_negotiate returned 1 (protocol
>> options=0x17f, actions=0x3f)" in the dkim-filter log.
>
> Someone expert at the Postfix milter implementation will have to help us
> out here.
>
> mlfi_negotiate() is the dkim-filter side of what libmilter is referring to
> as "xxfi_negotiate". I'll return 1 (SMFIS_REJECT) from that function if
> the MTA doesn't offer dkim-filter all of the actions it requires, namely
> SMFIF_ADDHDRS (the ability to add headers), SMFIF_CHGHDRS (the ability to
> change/remove headers) and SMFIF_SETSYMLIST (the ability to request
> specific macros/symbols from the MTA). Perhaps one of these is not being
> offered by Postfix. In that case, I might be able to make the latter two
> optional depending on configuration, but it really does need at least
> SMFIF_ADDHDRS (but I'm pretty sure Postfix has that already).
>
> The log entry you cited indicates "0x17f" for options. That's all of the
> following:
>
> SMFIF_SETSYMLIST 0x100
> SMFIF_CHGFROM 0x040
> SMFIF_QUARANTINE 0x020
> SMFIF_CHGHDRS 0x010
> SMFIF_DELRCPT 0x008
> SMFIF_ADDRCPT 0x004
> SMFIF_CHGBODY 0x002
> SMFIF_ADDHDRS 0x001
>
> ...which obviously contains the set mlfi_negotiate() wants, so I'm pretty
> sure we get past that step.
>
> The actions it offers, 0x3f, means:
>
> SMFIP_NOHDRS 0x20
> SMFIP_NOBODY 0x10
> SMFIP_NORCPT 0x08
> SMFIP_NOMAIL 0x04
> SMFIP_NOHELO 0x02
> SMFIP_NOCONNECT 0x01
>
> mlfi_negotiate() has a larger set of options that it wants, but it settles
> for the intersection of what it wants and what it's offered. There's no
> error in the fact that Postfix isn't giving it everything.
>
> I'll also return SMFIS_REJECT from there if in my attempt to build the
> macro list I want, the list of macros overflows available buffer space, or
> the request for the macro list from the MTA returns an error. Based on
> what you've pasted, this is more likely the cause (though the "why?" part
> isn't evident).
>
> If you want to take a crack at it yourself, load up dkim-filter inside gdb
> and set a breakpoint at mlfi_negotiate(). When a connection arrives and
> trips that breakpoint, print the value of f0. Then step forward until you
> see it "return SMFIS_REJECT;" from someplace and note which line number it
> was. Those two things together will give me some hints about what to do
> or suggest next.

Thanks Murray; before attacking this with gdb, I'll post this on the
Postfix list, in the hope that WV or NJ can identify this. If not, I'm
"from the ground off" with 2.4.0 again, as Dutch people write.

Hope one of them can, I'll post back.

Best,

--Tonni

--
Tony Earnshaw
Email: tonni at hetnet dot nl
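
Added example, not part of the original thread and not dkim-filter or libmilter code: a small C decoder for the two masks in the quoted log line, using only the flag values listed in the forwarded message, plus the required-action check that message describes. The names decode(), missing_required() and REQUIRED_ACTIONS are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Flag values exactly as listed in the quoted message (not taken from mfapi.h). */
struct flag { unsigned long bit; const char *name; };

static const struct flag ACTIONS[] = {
    {0x100, "SMFIF_SETSYMLIST"}, {0x040, "SMFIF_CHGFROM"},
    {0x020, "SMFIF_QUARANTINE"}, {0x010, "SMFIF_CHGHDRS"},
    {0x008, "SMFIF_DELRCPT"},    {0x004, "SMFIF_ADDRCPT"},
    {0x002, "SMFIF_CHGBODY"},    {0x001, "SMFIF_ADDHDRS"},
};
static const struct flag STEPS[] = {
    {0x20, "SMFIP_NOHDRS"}, {0x10, "SMFIP_NOBODY"}, {0x08, "SMFIP_NORCPT"},
    {0x04, "SMFIP_NOMAIL"}, {0x02, "SMFIP_NOHELO"}, {0x01, "SMFIP_NOCONNECT"},
};
#define COUNT(t) (sizeof(t) / sizeof((t)[0]))

/* The three actions the message says the filter requires:
 * SMFIF_ADDHDRS, SMFIF_CHGHDRS and SMFIF_SETSYMLIST. */
#define REQUIRED_ACTIONS (0x001UL | 0x010UL | 0x100UL)

/* Write the name of every set bit to out, '|'-separated.
 * Returns the bits that the table does not name (0 if fully decoded). */
unsigned long decode(unsigned long mask, const struct flag *t, size_t n,
                     char *out, size_t outlen)
{
    out[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        if (!(mask & t[i].bit)) continue;
        size_t used = strlen(out);
        snprintf(out + used, outlen - used, "%s%s", used ? "|" : "", t[i].name);
        mask &= ~t[i].bit;
    }
    return mask;
}

/* Non-zero result: required actions that were not offered. */
unsigned long missing_required(unsigned long offered)
{
    return REQUIRED_ACTIONS & ~offered;
}

int main(void)
{
    char buf[256];
    unsigned long rest = decode(0x17f, ACTIONS, COUNT(ACTIONS), buf, sizeof buf);
    printf("0x17f = %s (unnamed bits 0x%lx)\n", buf, rest);
    rest = decode(0x3f, STEPS, COUNT(STEPS), buf, sizeof buf);
    printf("0x3f  = %s (unnamed bits 0x%lx)\n", buf, rest);
    printf("missing required actions: 0x%lx\n", missing_required(0x17f));
    return 0;
}
```

A zero from missing_required() for the logged value matches the message's reading that the required-action check is passed, which leaves the macro-list paths it mentions as the remaining candidates.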