Re: pfsasl - A perl script to remove messages from queues, based on sasl_username

  • list@...
    Message 1 of 5 , May 3, 2013
      On 2013-05-02 23:02, Nick Bright wrote:
      > On 5/2/2013 10:53 PM, Nick Bright wrote:
      >> Greetings,
      >>
      >> After having a problem with a lot of mail being queued by a
      >> compromised end user's mailbox, I was unable to find a script able to
      >> remove messages from the queue based on the sasl_username.
      >>
      >> The pfdel script is very handy for removing things when the from/to
      >> addresses are stable, but in this case the attacker had set random
      >> from addresses.
      >>
      >> So, I used the original pfdel script and modified it into the
      >> attached pfsasl script. I'm a novice with perl, so there may be some
      >> optimizations possible - but it does work properly.
      >>
      >> I hope somebody finds this useful :)
      >>
      > Well, I feel a little silly. I posted the wrong version of the file!
      > Correct version attached. My apologies!
      >
      > The differences are renaming $email_addr to $sasl_user for clarity,
      > and the regex on line 41 was made tighter.

      Very nice, we tend to see the same behavior in our compromised SASL
      users so this will come in handy. Thanks!

      To keep the sharing train rolling, I attached a queue monitoring script
      which we use with our SNMP monitoring system to alert when the mail
      queue exceeds a certain number of messages.
      We run CentOS, and configure SNMP with the following entry in
      /etc/snmp/snmpd.conf:

      "exec postqueuemon /usr/bin/sudo /path/to/scripts/mon_queue.sh"

      If it's the first custom SNMP entry your OID should be
      1.3.6.1.4.1.2021.8.1.101.1, and now you can poll this OID for your
      current mail queue size from whatever SNMP monitoring software you're
      using. Hope this is helpful as well!
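Neither attachment from this thread survives on the page (the pfsasl script and the mon_queue.sh queue monitor), so the following is an added example written for this thread, not either poster's code. It is a small POSIX shell library that does both jobs on the same parsed queue listing: count queued messages from `postqueue -p` output (the number a `snmpd.conf` exec entry would expose), and list the queue IDs whose envelope carries a given SASL username, ready for `postsuper -d -`. It assumes the standard `postqueue -p`/`mailq` layout (queue ID in the first column with a trailing `*` for active or `!` for held messages, size in the second column) and that `postcat -q <id>` prints the envelope record `named_attribute: sasl_username=<user>`. The sample queue listing, the envelope excerpts and the function names are constructed for the example; on a real Postfix host the envelopes come from `postcat -q` by setting POSTCAT_CMD.

```shell
#!/bin/sh
# Constructed sample of `postqueue -p` output (same layout as mailq); not
# captured from a real server. Two messages were submitted by the same
# authenticated user with random envelope senders, one is on hold (!).
SAMPLE_QUEUE='-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
A1B2C3D4E5*    4096 Fri May  3 12:00:00  random1@example.net
                                         victim@example.org

F6A7B8C9D0     2048 Fri May  3 12:01:00  random2@example.net
                                         other@example.org

0F1E2D3C4B!    1024 Fri May  3 12:02:00  owner@example.com
                                         friend@example.org

-- 7 Kbytes in 3 Requests.'

# Print one queue ID per line from postqueue -p output on stdin.
# A queue-ID line has an alphanumeric ID (short hex or long form) in the
# first field, optionally suffixed with '*' (active) or '!' (hold), and a
# numeric size in the second field; header, recipient and trailer lines
# and "Mail queue is empty" all fail that test.
queue_ids() {
    awk '$1 ~ /^[0-9A-Za-z]+[*!]?$/ && $2 ~ /^[0-9]+$/ {
             sub(/[*!]$/, "", $1); print $1
         }'
}

# Number of queued messages: this is the single value an snmpd exec entry
# would publish (e.g. `postqueue -p | queue_count` from mon_queue.sh).
queue_count() {
    queue_ids | wc -l | tr -d ' '
}

# Constructed `postcat -q` envelope excerpts for the sample IDs (hypothetical
# helper standing in for postcat; real output has many more records).
envelope_for() {
    case "$1" in
        A1B2C3D4E5) printf '%s\n' '*** ENVELOPE RECORDS A1B2C3D4E5 ***' \
            'sender: random1@example.net' \
            'named_attribute: sasl_username=alice@example.com' ;;
        F6A7B8C9D0) printf '%s\n' '*** ENVELOPE RECORDS F6A7B8C9D0 ***' \
            'sender: random2@example.net' \
            'named_attribute: sasl_username=alice@example.com' ;;
        0F1E2D3C4B) printf '%s\n' '*** ENVELOPE RECORDS 0F1E2D3C4B ***' \
            'sender: owner@example.com' \
            'named_attribute: sasl_username=bob@example.com' ;;
    esac
}

# Command that dumps a queue file's envelope. Set POSTCAT_CMD="postcat -q"
# on a Postfix host; the default is the constructed data above.
POSTCAT_CMD="${POSTCAT_CMD:-envelope_for}"

# Extract the sasl_username value from postcat envelope output on stdin
# (empty output if the message was not submitted by a SASL-authenticated client).
sasl_user_of() {
    awk -F'sasl_username=' '/^named_attribute: sasl_username=/ { print $2; exit }'
}

# Print the queue IDs (from postqueue -p output on stdin) whose envelope was
# submitted by the given SASL username. Matching on the sasl_username record
# rather than the sender works even when the sender address is randomised.
# Feed the result to `postsuper -d -` to delete those messages.
ids_for_sasl_user() {
    user="$1"
    queue_ids | while IFS= read -r id; do
        if [ "$($POSTCAT_CMD "$id" | sasl_user_of)" = "$user" ]; then
            printf '%s\n' "$id"
        fi
    done
}

# Stand-alone run on the constructed sample.
printf '%s\n' "$SAMPLE_QUEUE" | queue_count
printf '%s\n' "$SAMPLE_QUEUE" | ids_for_sasl_user alice@example.com
```

For the SNMP use, the exec entry only needs the count on the first output line, which is what `queue_count` prints; the same `queue_ids` parser then feeds the SASL filter, so the listing is parsed in one place.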
    • Viktor Dukhovni
      Message 2 of 5 , May 3, 2013
        On Fri, May 03, 2013 at 12:07:56PM -0500, list@... wrote:

        > Very nice, we tend to see the same behavior in our compromised SASL
        > users so this will come in handy. Thanks!

        It is best to not let compromised accounts dominate the queue in the first
        place. Consider a policy service that rate limits by SASL username.

        > To keep the sharing train rolling, I attached a queue monitoring
        > script which we use with our SNMP monitoring system to alert when
        > the mail queue exceeds a certain number of messages.

        Have you looked at:

        http://www.postfix.org/QSHAPE_README.html

        By the way, the attachment was all NUL bytes.

        --
        Viktor.
      • Axel Luttgens
        Message 3 of 5 , May 4, 2013
          On 3 May 2013 at 19:48, Viktor Dukhovni wrote:

          > [...]
          > Have you looked at:
          >
          > http://www.postfix.org/QSHAPE_README.html

          Hello Viktor,

          I always wondered: qshape seems to be in fact a perl script (qshape.pl), and this doesn't seem to be stated in the docs.

          Is that auxiliary/qshape/qshape.pl script the "qshape(1) program" mentioned in the above document?

          TIA,
          Axel