Mailing List CGatePro@mail.stalker.com Message #100965
From: Nicolas Hatier <nicolas.hatier@niversoft.com>
Subject: Re: authBackupChecker2.pl helper timeout
Date: Tue, 26 Oct 2010 18:30:22 -0400
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
The filter can either tell CGP "no, I don't know this user", "yes, I know this user, it's on the server <IP>", or "duh, something bad happened".

In all cases, when the target domain can't be contacted or gives a 4xx error, the filter already returns "yes, I know this user, it's on the server <last tried IP>", and this answer is NOT cached. So I think it already does what you need.

Nicolas


On 2010-10-26 17:12, John Souvestre wrote:

Hi Nicolas.


I don’t quite understand everything that you and Dmitry are saying, but I can say this:  If the filter is unable to contact the other mail server to see if the user exists, or if it gets anything other than a clear “no, the user doesn’t exist”, then the filter needs to treat the user as if they do exist.


I think that this covers all of the possibilities, like the other server being offline, etc.


Thanks,


John

John Souvestre - New Orleans LA


From: CommuniGate Pro Discussions [mailto:CGatePro@mail.stalker.com] On Behalf Of Nicolas Hatier
Sent: Tuesday, October 26, 2010 3:47 PM
To: CommuniGate Pro Discussions
Subject: Re: authBackupChecker2.pl helper timeout


Thanks for the explanation.

So John, with this answer, I'm not sure what you want the filter to do if your "reject" option is not set. As the filter does not create accounts, it can only answer ROUTED, ERROR and FAILURE.

Nicolas

On 2010-10-26 15:49, Technical Support wrote:

Hello,

On 2010-10-26 23:16, Nicolas Hatier wrote:

On 2010-10-26 14:36, John Souvestre wrote:

Hi Nicholas.

Sounds great! Two suggestions.

1) Make it an option to reject if the domain isn’t listed in the
database. We do some forwarding automatically, using the CGP option
which checks DNS. Also, some we forward for don’t allow verifications
or they rate limit them so much that we won’t get replies.

This external authenticator is one meant to process "unknown names", and
can issue four different answers:
OK: means "try again with your own tables".
ROUTED <address>: means "send it to that address instead", the address
having the form "user%domain@host_ip.port.via".
ERROR: means "Rejected, I don't know what to do with that domain". CGP
passes it to the next authenticator or processes it as an unknown name.
FAILURE: means "Temporary internal error"; a 4xx SMTP error is sent back by
CGP.

I'm not exactly sure what the difference in CGP processing between the
OK and ERROR responses is, but currently my filter never issues OK answers.


OK may be used if the helper creates the named object, so now it can be routed locally. This idea is used for migration: a mail or login request comes in for an account that does not exist, so the external helper is tried - that in turn verifies that the account exists on the old server, creates the account and starts a background process of copying mail from that old server. If the helper answers OK, the server now repeats the routing process again, but this time finds the account.


I never tested this, but I would think that if some domains are set to
be forwarded by their DNS MX entry, the external authenticator would
never be hit, but I can be wrong.


2) Allow setting the caching time separately for “found” and “not
found”. In the latter case I would use a short value (10 min?) to
avoid rejecting mail for a new user account.

Makes sense.

Nicolas


Regards,

John

John Souvestre - New Orleans LA

From: CommuniGate Pro Discussions [mailto:CGatePro@mail.stalker.com] On Behalf Of Nicolas Hatier
Sent: Tuesday, October 26, 2010 12:14 PM
To: CommuniGate Pro Discussions
Subject: Re: authBackupChecker2.pl helper timeout

Ok, here's a summary.

The current version takes a domain list from the sqlite database; this
is the list of domains that have to be relayed, including IPs, port and
the desired order if there are many IPs for one domain. There is also a
domain alias table to avoid repeating entries.

The filter obviously works as an external authenticator. When it
receives a request, it first rejects anything which is not [MAIL],
doesn't have a fully qualified email address, or for which the domain
part does not match an entry in the alias or the domain table. CGP
then processes the things the filter rejected normally, either passing
them to another authenticator or using its own routing table.

The filter then retrieves the connection data for this domain,
including a previously opened socket if any (the filter caches
connections for as long as it can). It checks its account_cache
database for the presence of a previous positive or negative result
that is not yet expired (default: 24 hours), to avoid querying the
target server for things it already knows. If found, it returns the
answer to CGP, whether or not this is a known account.

If nothing is found in the cache or the entries are expired, the filter
tries an SMTP connection, reusing the previous connection if any, and
issues a simple MAIL FROM <>, RCPT TO: target email, to see if the
target server would accept the email. This should work with most SMTP
servers, provided it is configured to give an immediate valid answer
to this query to your relay server. This is of course not intended to
relay mail to servers not under your (at least indirect) control.

The filter finally caches the information and returns the final answer
to CGP.

This should probably match most of the functions present in the other
authBackupChecker filters.

There are a few command line switches, to clear the account cache on
startup, to be more verbose, and to set the cache expiry delay.

The domain list setup, however, has to be done by hand using an sqlite
tool. The filter is started to create the database, and the
administrator then connects to it using an sqlite command line tool or
another such as the SQLite Manager extension for Firefox to populate
the domain and domain_alias tables, which are pretty self-explanatory.

I'm not sure exactly if this is enough or if a better domain list
management tool has to be created, be it from a config file or
something else.

A trial license will be available. The filter is stable and reliable,
mostly ready for production use after a few final tests, and is
available for the 10 OS/platform combinations we usually support -
Linux (32/64), FreeBSD (32/64), Solaris (386/sparc), OSX (Intel/PPC)
and Windows (XP and up, 32/64). The *nix platform support requires
glibc 2.5 and up.

What remains to be done is some documentation, in fact a more verbose
version of what's described here...

Regards
Nicolas Hatier


On 2010-10-26 10:37, John Souvestre wrote:

Hello Nicolas.

Fantastic! I’m certainly interested.

John

John Souvestre - New Orleans LA


--

Nicolas Hatier, ing. <nicolas.hatier@niversoft.com>
Niversoft idées logicielles - http://www.niversoft.com
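The thread describes the decision logic of the helper in prose: reject anything that is not a fully qualified [MAIL] name in the domain or alias table (ERROR, so CGP falls through to its own routing), answer from the account cache when an unexpired positive or negative result exists, otherwise probe the target hosts with an SMTP RCPT TO check, and, when the target cannot be contacted or answers 4xx, answer ROUTED to the last tried host without caching. The following Python is an added, constructed model of that logic, not the authBackupChecker2.pl code or any Niversoft code. It assumes: the SMTP probe is an injected function returning the RCPT TO reply code (or None if the host is unreachable), separate "found" and "not found" expiry times as John suggested (the filter described in the thread has a single 24-hour default), a 4xx reply ends probing at that host, and the ROUTED address is built exactly in the "user%domain@host_ip.port.via" form quoted above. The domain table, alias table and all addresses are constructed sample data.

```python
"""Constructed model of the [MAIL] external-authenticator logic discussed in the
thread (ROUTED / ERROR / FAILURE answers with a positive/negative result cache).
Not the real authBackupChecker2.pl; names, tables and timings are assumptions."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Stand-ins for the sqlite "domain" and "domain_alias" tables (constructed data):
# canonical domain -> ordered list of (host_ip, port); alias -> canonical domain.
DOMAINS = {"example.org": [("192.0.2.10", 25), ("192.0.2.11", 25)]}
DOMAIN_ALIASES = {"mail.example.org": "example.org"}

# Separate expiry for positive and negative results (John's suggestion).
FOUND_TTL = 24 * 3600
NOT_FOUND_TTL = 10 * 60

# Probe signature: (host, port, rcpt_address) -> SMTP reply code to RCPT TO,
# or None if the host could not be contacted at all.
Probe = Callable[[str, int, str], Optional[int]]


@dataclass
class CacheEntry:
    answer: str
    expires: float


class ManualClock:
    """Settable clock so cache expiry can be exercised offline."""
    def __init__(self, t: float = 0.0) -> None:
        self.t = t

    def __call__(self) -> float:
        return self.t


def routed_address(local: str, domain: str, host: str, port: int) -> str:
    # Address form quoted in the thread: user%domain@host_ip.port.via
    return f"{local}%{domain}@{host}.{port}.via"


def make_table_probe(table: Dict[str, int], down=frozenset()) -> Probe:
    """Constructed offline probe: table maps rcpt address -> reply code
    (unlisted addresses get 550); hosts in `down` are unreachable."""
    def probe(host: str, port: int, rcpt: str) -> Optional[int]:
        if host in down:
            return None
        return table.get(rcpt, 550)
    return probe


class AuthBackupChecker:
    def __init__(self, probe: Probe, clock: Callable[[], float] = time.time) -> None:
        self.probe = probe
        self.clock = clock
        self.cache: Dict[str, CacheEntry] = {}

    def _remember(self, key: str, answer: str, ttl: int) -> None:
        self.cache[key] = CacheEntry(answer, self.clock() + ttl)

    def handle(self, request: str) -> str:
        # 1. Only "[MAIL] user@domain" for a relayed domain is handled; ERROR hands
        #    the name back to CGP's next authenticator or its own routing table.
        parts = request.split(None, 1)
        if len(parts) != 2 or parts[0] != "[MAIL]":
            return "ERROR"
        local, sep, domain = parts[1].strip().partition("@")
        if not sep or not local or "@" in domain or "." not in domain:
            return "ERROR"
        domain = domain.lower()
        hosts = DOMAINS.get(DOMAIN_ALIASES.get(domain, domain))
        if not hosts:
            return "ERROR"
        key = f"{local}@{domain}"

        # 2. An unexpired cached result, positive or negative, is returned as is.
        entry = self.cache.get(key)
        if entry is not None and entry.expires > self.clock():
            return entry.answer

        # 3. Probe the hosts in the configured order.
        last_tried = hosts[-1]
        for host, port in hosts:
            last_tried = (host, port)
            try:
                code = self.probe(host, port, key)
            except Exception:
                return "FAILURE"        # internal error: CGP replies 4xx itself
            if code is None:
                continue                # unreachable: try the next host
            if 200 <= code < 300:
                answer = "ROUTED " + routed_address(local, domain, host, port)
                self._remember(key, answer, FOUND_TTL)
                return answer
            if 500 <= code < 600:
                self._remember(key, "ERROR", NOT_FOUND_TTL)
                return "ERROR"
            break                       # 4xx: no definitive answer (assumption)

        # 4. Nothing definitive (all hosts down, or 4xx): accept the name and route
        #    to the last host tried, without caching, so a wobbly target never
        #    turns into a cached reject.
        host, port = last_tried
        return "ROUTED " + routed_address(local, domain, host, port)


if __name__ == "__main__":
    checker = AuthBackupChecker(make_table_probe({"alice@example.org": 250}))
    print(checker.handle("[MAIL] alice@example.org"))   # ROUTED alice%example.org@192.0.2.10.25.via
    print(checker.handle("[MAIL] nobody@example.org"))  # ERROR (cached for NOT_FOUND_TTL)
```

The two things worth checking in such a helper are exactly the ones the thread debates: that a 4xx or an unreachable host yields an uncached ROUTED answer (so a new account is never rejected because of one bad probe), and that a cached negative answer expires on the shorter timer while a cached positive one survives for the full 24 hours.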
