New spam filters

Written at lunch time in English

Last night I upgraded the mail transport software to Postfix 2.1.1 and added a couple of new filtering rules from Jim Seymour’s list of ideas.

I now require that mail with freemail sender addresses arrive from freemail peer addresses (e.g. mail from “foo@yahoo.com” is only accepted from a *.yahoo.com peer). This has already blocked lots of mail from e.g. *.netikka.fi and *.surfer.at from machines that HELO with things like “msn.com” and use *@yahoo.com sender addresses.

I also added a check for bad MX records. I’m now blocking domains with MX records pointing to any private or reserved networks (i.e. that cannot be used for public connectivity):

    0.0.0.0/8       REJECT Domain MX in broadcast network
    10.0.0.0/8      REJECT Domain MX in RFC-1918 private network
    127.0.0.0/8     REJECT Domain MX in loopback network
    169.254.0.0/16  REJECT Domain MX in link local network
    172.16.0.0/12   REJECT Domain MX in RFC-1918 private network
    192.0.2.0/24    REJECT Domain MX in TEST-NET network
    192.168.0.0/16  REJECT Domain MX in RFC-1918 private network
    224.0.0.0/4     REJECT Domain MX in class D multicast network
    240.0.0.0/5     REJECT Domain MX in class E reserved network
    248.0.0.0/5     REJECT Domain MX in IANA reserved network

I thought I’d see results from this rule right away, but nothing yet…

Update (6/4/2004): It looks like not that many spammers are using “bad” IPs for their MX hosts. However, there are a few hits, and this prevents unnecessary bounces to the local postmaster, so I’m certainly keeping these rules.

Yikes, rdist is broken

Written late in the evening in English

Christos implemented statvfs on NetBSD (see his proposal when he was planning the work). I just upgraded to 2.0F and found out that rdist6 (a.k.a. freerdist, whatever you wanna call it) no longer compiles, as it expects to use statfs instead.

I use rdist6 to distribute centrally mastered files around on my systems, so I was too impatient to wait for an “official” fix, so I patched something together in pkgsrc to make rdist6 work again.

Will SPF stop spam?

Written at lunch time in English

I’ve been looking at new spam prevention options with Postfix 2.1.1 and one of the most interesting features is SMTP Access Policy Delegation or “the policy daemon.” It seems an excellent framework — instead of having to constantly modify the MTA you can just hook up another external policy server. Current implementations of policy servers include greylisting and support for SPF.

While reading about SPF I decided to go ahead and add SPF records for a number of domains I run. I could do this because I’m not a travelling salesman and the domains I selected don’t have users that would suffer from the forwarding problem.

In general, though, it seems a bit tricky to define working SPF records for any complex domains with remote or mobile users. Maybe in a couple of years when everyone has an IMAP server with SSL or TLS support, and all MTAs have SRS support…
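The policy delegation exchange mentioned in this post, as an added Python example that is not code from the post or from Postfix: the MTA sends name=value attributes ended by an empty line, and the policy server answers with a single action= line followed by an empty line. The decision shown is the freemail sender/peer rule from the “New spam filters” post; the domain list, function names and sample requests are assumptions, and the post does not say the rule was implemented this way.

```python
# Assumed list: the post names only yahoo.com as an example.
FREEMAIL_DOMAINS = {"yahoo.com"}

def parse_request(text):
    """Parse one policy request: name=value lines, terminated by an empty line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

def decide(attrs):
    """Return a Postfix access action; DUNNO hands the decision to later restrictions."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    sender_domain = attrs.get("sender", "").rpartition("@")[2].lower()
    # client_name is "unknown" when the peer has no verified reverse DNS name.
    client = attrs.get("client_name", "").lower().rstrip(".")
    if sender_domain not in FREEMAIL_DOMAINS:
        return "DUNNO"  # also covers the empty envelope sender used by bounces
    # Match on a label boundary so "notyahoo.com" does not pass as "yahoo.com".
    if client == sender_domain or client.endswith("." + sender_domain):
        return "DUNNO"
    return f"REJECT Mail from {sender_domain} must come from a {sender_domain} host"

def respond(request_text):
    """Build the reply Postfix expects: one action line plus an empty line."""
    return "action=" + decide(parse_request(request_text)) + "\n\n"

# Constructed sample requests (attribute names as sent by Postfix smtpd).
SAMPLE_BAD = (
    "request=smtpd_access_policy\nprotocol_state=RCPT\nhelo_name=msn.com\n"
    "sender=foo@yahoo.com\nrecipient=user@example.org\n"
    "client_address=192.0.2.10\nclient_name=dsl-10.example.net\n\n"
)
SAMPLE_GOOD = SAMPLE_BAD.replace("dsl-10.example.net", "mta5.mail.yahoo.com")

if __name__ == "__main__":
    print(respond(SAMPLE_BAD), end="")
    print(respond(SAMPLE_GOOD), end="")
```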

WordPress character set fixes

Written at evening time in English

PHP (or possibly Apache itself) inserts a default charset= field in the Content-Type: header. This can cause problems with the syndication feeds, if you are not using the exact same character set on your blog. In my case the character set I use on this site is iso-8859-15 while the default that shows up is iso-8859-1.

I modified wp-rss2.php to return the character set specified in the WordPress options, and then went through other files to apply the same change. You can download the full patch that should apply cleanly to WordPress 1.2.

More style?

Written late at night in English

I have wanted to experiment with different layouts and fonts on my site. I have a “beta” site on my LAN for experimenting, but it doesn’t have all the different parts of the site available. I had already heard of alternate style sheets, and since all this experimenting was mainly within the CSS code, that’s what I added.

Firefox (and Mozilla) allow selecting the style, but I was surprised to discover that they would not remember the selection from page to page. Reading the spec I realize this is considered “correct” behaviour (as far as the spec is concerned). But just how long is anyone going to keep re-selecting the style over and over? Not me…

A quick Google search on alternate style sheets provided a link to A List Apart with the solution. Working With Alternate Style Sheets is an excellent article complete with the necessary JavaScript code.

Now you can click on the Sans-Serif and Serif links at the bottom of the page to select a different font-set for viewing these pages, and the selection will be remembered throughout the site.

Easier publishing

Written late in the evening in English

Writing HTML is not exactly easy — all those angle brackets require lots of shift key pressing, and reformatting text from inside one set of tags to outside means working around these or those tags constantly. On the other hand, writing regular plain text email is rather easy. ASCII enhancements to highlight text have been around for ages, and with almost 20 years of writing messages they are practically automatic to my fingers.

With WordPress and other blog tools I’ve looked into different markup systems. I’ve really taken a liking to Markdown, as it is very close to how I write in email. As an added bonus, I can basically take any email and put it on my web server, and it turns into an HTML document almost without any work. And I can still email it as plain text!

Since the framework of this site is written in PHP I installed a PHP version of Markdown. Then I hunted around for a PHP version of SmartyPants for a couple of minutes before realizing I should just look at the WordPress code right under my nose… (Look in the functions-formatting.php file in the distribution.)

To tie it all together, I enhanced my page wrapper to handle .txt files in addition to the .html files it was already processing to add the “look-and-feel” of the site.

Postfix canonical rewriting

Written in the wee hours in English

The first revision of my Postfix configuration files was committed in RCS on February 19, 2001. By March 25th I had implemented a patch to allow me to use Postfix even on the central mail server. The patch allowed disabling canonical rewriting for the SMTP envelope recipient.

Traditionally the GW systems have supported the use of external mail redirection services (e.g. IKI ry and Pobox), and I did not want to discontinue this just because I switched the MTA. I think it is great that we can have mail headers correctly reflect the preferred mail address for all of our users, regardless of how the mail enters our system. This is really just a “per-user configurable masquerading” of addresses. Doing it in the MTA avoids the need to modify all software to support configurable mail addresses (and the need to separately configure the address all over the place).

However, maintaining a private patch can take quite a bit of time, so I submitted my patch for inclusion in the official Postfix distribution. Unfortunately Wietse rejected it, but he encouraged me to model it after the masquerading classes. I’m hoping he will accept the new patch. I must admit, this approach is much nicer, allowing canonical maps to be enabled or disabled for any of envelope sender, envelope recipient, sender headers or recipient headers individually.

But I need to wait a couple of weeks to make sure the new implementation works without problems in production first. Brave souls out there can download the patch and try it out. Please let me know if you are using this feature, and how it works for you.

Provided that no problems surface, this feature should be part of the Postfix package in pkgsrc as well as in the NetBSD base system as they are upgraded to Postfix 2.1.1 or later.

WordPress formatting filters

Written at lunch time in English

I think WordPress needs dedicated filters to be applied on content and excerpt immediately when they are retrieved from the database, to be used by formatting filters such as Markdown.

I like Markdown, but I was having problems with how WordPress does not pass the complete article to it when the “more tag” is used, and when forming RSS descriptions. Markdown uses shorthand link tags that would normally be resolved with references placed at the end of the document. With the truncation, links were not being resolved, and what’s worse, Markdown notation was left in the resulting display.

I created a patch that fixes the problem for my current articles. However, I think multipage entries would still have this problem, so this patch is not sufficient. Also, I’m not sure if I’m causing undesirable side-effects by moving the the_excerpt filter further up in the code.

Before I start working on the filters to be applied on database retrieval, I’m waiting to hear back from WordPress developers about the approach, to avoid wasted work.

»
Trying to catch up on my packages, I recompiled the new version of pine since its latest security fix (not in pine itself, but the PGP scripts that come with it). The compilation failed with the old versions of the imap-uw and pico libraries, so I bumped the minimum required versions of both to the current versions in pkgsrc. If you have installed a binary pine package recently, you may want to recompile to avoid any strange behaviour (or core dumps).
»
Jukka Salmi had filed PR/25623 regarding a build failure of sudo with Kerberos (Heimdal). This turned out to be a quick fix, fortunately.