Phil Pennock wrote:
>
> On 2001-07-13 at 12:03 +0930, Jason Pearce gifted us with:
> > Hope someone has a similar system out there or can suggest a way around
> > the problem.
>
> Perhaps if you show us the Director and Transport corresponding to the
> log entry?
************************
*** Firewall Machine ***
************************
######################################################################
# TRANSPORTS CONFIGURATION #
######################################################################
# ORDER DOES NOT MATTER #
# Only one appropriate transport is called for each delivery. #
######################################################################
# This transport is used for local delivery to user mailboxes. On debian
# systems group mail is used so we can write to the /var/spool/mail
# directory. (The alternative, which most other unixes use, is to
deliver
# as the user's own group, into a sticky-bitted directory)
local_delivery:
driver = appendfile
group = mail
mode = 0660
mode_fail_narrower = false
# envelope_to_add = true
file = /var/spool/mail/${local_part}
# This transport is used for handling pipe addresses generated by
# alias or .forward files. If the pipe generates any standard output,
# it is returned to the sender of the message as a delivery error. Set
# return_fail_output instead if you want this to happen only when the
# pipe fails to complete normally.
address_pipe:
driver = pipe
return_output
# This transport is used for handling file addresses generated by alias
# or .forward files.
address_file:
driver = appendfile
# This transport is used for handling file addresses generated by alias
# or .forward files if the path ends in "/", which causes it to be
treated
# as a directory name rather than a file name. Each message is then
delivered
# to a unique file in the directory. If instead you want all such
deliveries to
# be in the "maildir" format that is used by some other mail software,
# uncomment the final option below. If this is done, the directory
specified
# in the .forward or alias file is the base maildir directory.
#
# Should you want to be able to specify either maildir or non-maildir
# directory-style deliveries, then you must set up yet another
transport,
# called address_directory2. This is used if the path ends in "//" so
should
# be the one used for maildir, as the double slash suggests another
level
# of directory. In the absence of address_directory2, paths ending in //
# are passed to address_directory.
address_directory:
driver = appendfile
no_from_hack
prefix = ""
suffix = ""
# maildir_format
# This transport is used for handling autoreplies generated by the
filtering
# option of the forwardfile director.
address_reply:
driver = autoreply
# This transport is used for procmail
procmail_pipe:
driver = pipe
command = "/usr/bin/procmail -d ${local_part}"
return_path_add
delivery_date_add
envelope_to_add
check_string = "From "
escape_string = ">From "
user = $local_part
group = mail
# This transport is used for delivering messages over SMTP connections.
remote_smtp:
driver = smtp
# Remove Received: headers from the message headers to eliminate the
# internal delivery chain and keep our internal net anonymous
headers_remove = Received
end
######################################################################
# DIRECTORS CONFIGURATION #
# Specifies how local addresses are handled #
######################################################################
# ORDER DOES MATTER #
# A local address is passed to each in turn until it is accepted. #
######################################################################
# This allows local delivery to be forced, avoiding alias files and
# forwarding.
real_local:
prefix = real-
driver = localuser
transport = local_delivery
# This director handles aliasing using a traditional /etc/aliases file.
# If any of your aliases expand to pipes or files, you will need to set
# up a user and a group for these deliveries to run under. You can do
# this by uncommenting the "user" option below (changing the user name
# as appropriate) and adding a "group" option if necessary.
system_aliases:
driver = aliasfile
file_transport = address_file
pipe_transport = address_pipe
file = /etc/aliases
search_type = lsearch
# user = list
# Uncomment the above line if you are running smartlist
# This director runs procmail for users who have a .procmailrc file
procmail:
driver = localuser
transport = procmail_pipe
require_files =
${local_part}:+${home}:+${home}/.procmailrc:+/usr/bin/procmail
no_verify
# This director handles forwarding using traditional .forward files.
# It also allows mail filtering when a forward file starts with the
# string "# Exim filter": to disable filtering, uncomment the "filter"
# option. The check_ancestor option means that if the forward file
# generates an address that is an ancestor of the current one, the
# current one gets passed on instead. This covers the case where A is
# aliased to B and B has a .forward file pointing to A.
# For standard debian setup of one group per user, it is
acceptable---normal
# even---for .forward to be group writable. If you have everyone in one
# group, you should comment out the "modemask" line. Without it, the
exim
# default of 022 will apply, which is probably what you want.
userforward:
driver = forwardfile
file_transport = address_file
pipe_transport = address_pipe
reply_transport = address_reply
no_verify
check_ancestor
file = .forward
modemask = 002
filter
# This director matches local user mailboxes.
localuser:
driver = localuser
transport = local_delivery
end
?
************************
*** Internal Machine ***
************************
# This transport is used for local delivery to user mailboxes. On debian
# systems group mail is used so we can write to the /var/spool/mail
# directory. (The alternative, which most other unixes use, is to
deliver
# as the user's own group, into a sticky-bitted directory)
local_delivery:
driver = appendfile
group = mail
mode = 0660
mode_fail_narrower = false
# envelope_to_add = true
file = /var/spool/mail/${local_part}
# This transport is used for handling pipe addresses generated by alias
# or .forward files. It has a conventional name, since it is not
actually
# mentioned elsewhere in this configuration file. (A different name
*can*
# be specified via the "address_pipe_transport" option if you really
want
# to.) If the pipe generates any standard output, it is returned to the
sender
# of the message as a delivery error. Set return_fail_output instead if
you
# want this to happen only when the pipe fails to complete normally.
address_pipe:
driver = pipe
return_output
# This transport is used for handling file addresses generated by alias
# or .forward files. It has a conventional name, since it is not
actually
# mentioned elsewhere in this configuration file.
address_file:
driver = appendfile
# This transport is used for handling file addresses generated by alias
# or .forward files if the path ends in "/", which causes it to be
treated
# as a directory name rather than a file name. Each message is then
delivered
# to a unique file in the directory. If instead you want all such
deliveries to
# be in the "maildir" format that is used by some other mail software,
# uncomment the final option below. If this is done, the directory
specified
# in the .forward or alias file is the base maildir directory.
#
# Should you want to be able to specify either maildir or non-maildir
# directory-style deliveries, then you must set up yet another
transport,
# called address_directory2. This is used if the path ends in "//" so
should
# be the one used for maildir, as the double slash suggests another
level
# of directory. In the absence of address_directory2, paths ending in //
# are passed to address_directory.
address_directory:
driver = appendfile
no_from_hack
prefix = ""
suffix = ""
# maildir_format
# This transport is used for handling autoreplies generated by the
filtering
# option of the forwardfile director. It has a conventional name, since
it
# is not actually mentioned elsewhere in this configuration file.
address_reply:
driver = autoreply
# This transport is used for delivering messages over SMTP connections.
remote_smtp:
driver = smtp
end
######################################################################
# DIRECTORS CONFIGURATION #
# Specifies how local addresses are handled #
######################################################################
# ORDER DOES MATTER #
# A local address is passed to each in turn until it is accepted. #
######################################################################
# This allows local delivery to be forced, avoiding alias files and
# forwarding.
real_local:
prefix = real-
driver = localuser
transport = local_delivery
# This director handles aliasing using a traditional /etc/aliases file.
# If any of your aliases expand to pipes or files, you will need to set
# up a user and a group for these deliveries to run under. You can do
# this by uncommenting the "user" option below (changing the user name
# as appropriate) and adding a "group" option if necessary.
system_aliases:
driver = aliasfile
file_transport = address_file
pipe_transport = address_pipe
file = /etc/aliases
search_type = lsearch
# user = listserv
# Uncomment the above line if you are running smartlist
#
# Majordomo list handler
#
majordomo_aliases:
driver = aliasfile
file = /usr/lib/majordomo-1.94.5/lists/lists.aliases
pipe_transport = address_pipe
search_type = lsearch
user = majordomo
group = majordomo
# This director handles forwarding using traditional .forward files.
# It also allows mail filtering when a forward file starts with the
# string "# Exim filter": to disable filtering, uncomment the "filter"
# option. The check_ancestor option means that if the forward file
# generates an address that is an ancestor of the current one, the
# current one gets passed on instead. This covers the case where A is
# aliased to B and B has a .forward file pointing to A.
# For standard debian setup of one group per user, it is
acceptable---normal
# even---for .forward to be group writable. If you have everyone in one
# group, you should comment out the "modemask" line. Without it, the
exim
# default of 022 will apply, which is probably what you want.
userforward:
driver = forwardfile
file_transport = address_file
pipe_transport = address_pipe
reply_transport = address_reply
no_verify
check_ancestor
file = .forward
modemask = 002
filter
# This director matches local user mailboxes.
localuser:
driver = localuser
transport = local_delivery
userunknown:
driver = smartuser
new_address = info
end
>
> > Here is the log off of the firewall
> [attempted reconstruction of b0rked wrapped entries:]
> 2001-07-13 11:13:27 15KrzL-00089J-00
> <= jason.pearce@???
> H=gemini.keyworks.com.au [10.1.1.6]
> P=esmtp S=1036
> id=3B4E5372.B092BD95@???
> 2001-07-13 11:13:27 15KrzL-00089J-00
> => info <majordomo@???>
> D=local_user T=local_delivery
> 2001-07-13 11:13:27 15KrzL-00089J-00 Completed
>
> So, this "local_delivery" Transport, what format does it store the mail
> in? "mbox"? "maildir"? What POP3 server are you using?
>
/usr/sbin/ipop3d version 7.64
> Making several wild assumptions, to something which might be right for
> you, I'd guess that if you add these lines to the local_delivery
> transport:
> envelope_to_add
> return_path_add
> then these will make it unmolested to fetchmail, which will then see
> them and use those extra headers for constructing the envelope when
> talking to the SMTP server on your internal box.
>
I had envelope_to_add and I tried return_path_add with no luck
> This is as much as I can say on the information which you've given.
> --
> To a first approximation, security is always at odds with convenience. Security
> is the business of denying access, so it can't help make things less convenient.
> To improve security without materially compromising convenience requires
> fundamental breakthroughs. -- Crispin Cowan
--
Jason Pearce
Engineering Manager Phone : +61 8 82720137
Keyworks Technologies Pty Ltd Mobile: +61 408 360 760
10 Greenhill Road Fax : +61 8 82720138
Wayville SA 5034 Email : jason.pearce@???
Australia WWW : http://www.keyworks.com.au
