E-mail signatures working again

Early yesterday, I detected that our outgoing BATV signatures weren't correctly being verified upon being returned to us, and some Exim debugging confirmed that:

13:06:15 15374 prvscheck: received hash is b745ee
13:06:15 15374 prvscheck:      own hash is b745ee
13:06:15 15374 prvscheck: signature expired, $pvrs_result unset

Unfortunately I had to disable BATV until that was fixed.

Tom Kistner quickly found the error, which as I'd supposed was a miscalculation in the date. He writes:

Not your fault. An off-by-one error in the expiry date calculation. This happens every
1000 days only. Next occurrence would be early in 2011.

which is great, because I don't have to hurry to apply the patch. ;-)

And without the patch? Today everything works as expected:

07:45:37 32621 prvscheck: received hash is 5f859e
07:45:37 32621 prvscheck:      own hash is 5f859e
07:45:37 32621 prvscheck: success, $pvrs_result set to 1

Now tell me: do you get that kind of support with your multi-million Euro/Dollar enterprise agreement from your whiz-bang company? No. You don't. That kind of support, you get only with Open Source.

Bounce Address Tag Validation

E-mail administrators (real ones) make sure e-mail messages are accepted by a mail exchanger only if their intended recipients really exist. If a recipient doesn't exist, the Mail Transfer Agent (MTA) should inform the sending MTA during the SMTP transaction and refuse to accept the message.

There are thousands of incorrectly configured MTAs on the Internet that accept a message first and only then find out that it is undeliverable. They then create a Non-Delivery Report (NDR) that is sent to the envelope sender of the original message.

Now consider a spammer who sends out millions of messages with a faked sender address. Consider further, that the faked address is your address (e.g. you@example.net). Who, would you say, is going to get all the Non-Delivery Reports sent to her mailbox? Right: you.

A method to overcome this is for you to modify outgoing envelope addresses, giving them some sort of random value that expires over time. Doing so means that a legitimate NDR can be delivered within, say, a week, but no longer after that (the address expires and if it is used, your e-mail server just refuses to accept the bounce).

All this is called Bounce Address Tag Validation (BATV). In simple terms, what it does is to transform your envelope sender (you@example.net) to something like prvs=you/0192884@example.net. Note the tag after the slash, generally an SHA hash of a date and a magic key you define. When a legitimate bounce returns, your mail server converts that back to you@example.net if, and only if, the key and the date can be decoded.
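The tagging and checking described above, as an added sketch that is not Exim's code or the author's configuration. It uses the address layout shown in this post; the field sizes (one key digit, a three-digit expiry day modulo 1000, six hex digits of HMAC-SHA1) and the names `sign`, `verify` and `SECRET` are assumptions of the example, which also handles the day counter wrapping at 1000.

```python
import hashlib
import hmac
import re

SECRET = b"constructed-demo-secret"  # constructed: the "magic key you define"
LIFETIME_DAYS = 7                    # accept bounces for about a week
# Assumed layout: prvs=<local>/<K><DDD><HHHHHH>@<domain>
_PRVS = re.compile(r"prvs=(.+)/([0-9])([0-9]{3})([0-9a-f]{6})@([^@]+)")


def _tag(stamp, address, secret):
    """First six hex digits of HMAC-SHA1 over key digit, day stamp, address."""
    return hmac.new(secret, (stamp + address).encode(), hashlib.sha1).hexdigest()[:6]


def sign(address, today, secret=SECRET, key_num=0):
    """Tag an envelope sender; `today` is the day number (days since epoch)."""
    local, domain = address.rsplit("@", 1)
    # Only three digits of the expiry day travel with the address.
    stamp = f"{key_num}{(today + LIFETIME_DAYS) % 1000:03d}"
    return f"prvs={local}/{stamp}{_tag(stamp, address, secret)}@{domain}"


def verify(tagged, today, secret=SECRET):
    """Return the original address, or None if untagged, forged or expired."""
    m = _PRVS.fullmatch(tagged)
    if m is None:
        return None  # not a tagged address: a bounce to it is not ours
    local, key_num, day, received, domain = m.groups()
    address = f"{local}@{domain}"
    own = _tag(key_num + day, address, secret)
    if not hmac.compare_digest(own, received):
        return None  # hash mismatch: tag was not produced with our secret
    # Days left until expiry, taken modulo 1000 so that a tag issued just
    # before the counter wraps (day ..996 -> stamp 003) still validates.
    remaining = (int(day) - today) % 1000
    return address if remaining <= LIFETIME_DAYS else None
```

Because only three digits of the day travel with the address, a tag in this sketch becomes acceptable again 1000 days later unless the secret has been rotated in the meantime.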

I've postponed implementing BATV for far too long; work-load was such that I just didn't get around to doing it. Because of a huge load of backscatter we've been getting, I've implemented BATV on our Exim gateways. It isn't difficult to do, and this will give you a good idea of what to do. One comment however: depending on your setup, you'll want to place the batv_redirect router as high up as possible in your Exim routers list, to ensure that routers have a translated version of the recipient's e-mail address.

And how well does it work? Well, in our environment, we caught over 2000 fake bounces in the first few hours. Pretty good, I'd say. :-)

Every three or four years

Every three or four years, depending on how a company writes off its hardware, you have machines to replace. Now, replacing a box with a few cables on it isn't hard: you rip the old cords out of the wall and throw the lot on the dump. After that, you place the new boxes in your data centre and plug in all the cords in their respective sockets.

But that isn't quite all there is to it, is it?

You then install a base operating system. If you are lucky, nothing much has changed and you load backup tapes (or whatever media you've used) and restore from that. If you aren't so lucky (as happened to me), the machine you are replacing wasn't quite, shall we call it, up to date?

In that case, it is more or less a start from scratch kind of operation. Software has changed, you decide to use a different IMAP server, the MTA configuration needs tweaking, Apache's authentication modules have changed (for the, it must be, trillionth and a half time), etc., etc., etc.

Oh, well, I'm all done.

Well: not quite. There is still half a load of utilities and stuff that need recompiling (new version of GCC, you know), but I should be getting there soon.

I hope. :-)

Skyline

Do you like this skyline?

Actually it is a graph of mail server usage… :-)

Top utilities in 2007

My candidates for top notch utilities in 2007:

  • Exim and OpenLDAP remain high on the list of enterprise utilities; they are both unbeatable.

  • VMware continues to be a daily lifesaver.

  • I've probably spent more time with a text editor in the last six months than in the last several years. All the more reason to appreciate vi.

  • 2007 marks the year in which I got to know LaTeX, the document preparation system. An incredible tool.

  • RedHat has the best Linux server distribution, and CentOS makes it available free of charge.

One thing I experienced several times this year is what lousy tools Windows has on board; I commiserate with all who have to fight with or against Windows, and I hope 2008 brings you a real operating system. :-)

Philip Hazel takes his leave

Philip Hazel, the man behind the Exim MTA, takes his leave:

Just so you all know: this is my last day at work before retiring. I am
about to unsubscribe from the exim-users list. However, I will stay on
the exim-dev list for the moment and I am continuing to maintain PCRE.

It's been fun interacting with all you over the years!

It is a shame to see him go. He created one of the best documented and best functioning programs that exist.

The German federal government bounces badly

The federal government has problems with mail?

If the recipient doesn't exist or the content is unwanted, the server can simply refuse to accept the message and then doesn't need to send an NDR to an address of doubtful authenticity. That, however, doesn't seem to be so easy to implement.

So where is the problem? Do they need some decent consulting? ;-)

This is cute, too:

While the mail servers of cducsu-fraktion.de seem to swallow everything, those for spdfraktion.de don't accept misaddressed mail in the first place. The same goes for bundestag.de.

So there were already two different mail types at work there…

Searching the Exim manuals

Based on a query on the Exim users mailing list, I've slapped together a small OpenSearch plugin for Firefox (it might work with IE7; I don't care).

You are welcome to use it.