Strange behavior about applicable conditions with clamav milter

[okkez]

• https://sourceforge.net/p/milter-manager/mailman/message/32312002/
• Debian wheezy
• milter-manager 2.0.2
• clamav-milter 0.98.1+dfsg-1+deb7u3

milter-manager.local.conf:

define_applicable_condition("Restrict Recipient") do |condition|
  condition.description = "Selective SMTP Restriction to recipient list"
  condition.define_envelope_recipient_stopper do |context, recipient|
    case recipient
    when /marco@example.com/, /@ucb\.example\.com>\z/
      Milter::Logger.message("not stop: #{recipient}")
      false
    else
      Milter::Logger.message("stop: #{recipient}")
      context["not-restricted"] = "true"
      true
    end
  end

  # (1)
  #condition.define_data_stopper do |context|
  #  context["not-restricted"] == "true"
  #end
  # (2)
  #condition.define_header_stopper do |context|
  #  context["not-restricted"] == "true"
  #end
end

defined_milters.each do |name|
  case name
  when "spamass-milter", "milter-greylist"#, "clamav-milter"
  remove_milter(name)
  end
end

restrict_accounts_by_list("marco@example.com", :condition_name => "Restricted Accounts")

define_milter("clamav-milter") do |milter|
  milter.applicable_conditions = ["Restrict Recipient"]
  # (3)
  #milter.applicable_conditions = ["Restricted Accounts"]
end

(A) Enable (1) block
Expected result: Stop clamav-milter
Actual result: Do not stop clamav-milter and spent 7 seconds (reading timeout)

(B) Enable (2) block
Expected result: Stop clamav-milter
Actual result: Stop clamav-milter

(C) Enable (3) line but the avobe line is disabled
Enable bundled applicable condition "Restricted Accounts".
Expected result: Stop clamav-milter
Actual result: Do not stop clamav-milter

[kou]

Why

      Milter::Logger.message("stop: #{recipient}")
      context["not-restricted"] = "true"
      true

return true? Do you want to stop on RCPT TO?

Anyway, the following patch may fix it:

diff --git a/milter/manager/milter-manager-children.c b/milter/manager/milter-manager-children.c
index 2fc8773..1d964da 100644
--- a/milter/manager/milter-manager-children.c
+++ b/milter/manager/milter-manager-children.c
@@ -2152,7 +2152,6 @@ cb_stopped (MilterServerContext *context, gpointer user_data)
         milter_server_context_quit(context);
         break;
     case MILTER_SERVER_CONTEXT_STATE_ENVELOPE_FROM:
-    case MILTER_SERVER_CONTEXT_STATE_DATA:
         compile_reply_status(children, state, MILTER_STATUS_ACCEPT);
         cb_continue(context, user_data);
         break;
@@ -2160,6 +2159,7 @@ cb_stopped (MilterServerContext *context, gpointer user_data)
         milter_server_context_set_status(context, MILTER_STATUS_NOT_CHANGE);
         cb_continue(context, user_data);
         break;
+    case MILTER_SERVER_CONTEXT_STATE_DATA:
     case MILTER_SERVER_CONTEXT_STATE_HEADER:
     case MILTER_SERVER_CONTEXT_STATE_END_OF_HEADER:
     case MILTER_SERVER_CONTEXT_STATE_BODY:

We should test affected cases carefully before we apply the patch.

[okkez]

return true?

See bundled applicable-conditions/restrict-accounts.conf:

    condition.define_envelope_recipient_stopper do |context, recipient|
      if restricted_account_p.call(context, recipient)
        false
      else
        context["have-not-restricted-account"] = "true"
        true
      end
    end

I don't know why return true in define_envelope_recipient_stopper.

Do you want to stop on RCPT TO?

Maybe yes, see https://sourceforge.net/p/milter-manager/mailman/message/32312002/

[kou]

See bundled applicable-conditions/restrict-accounts.conf:
I don't know why return true in define_envelope_recipient_stopper.

I understand that you just did copy and paste.
I hope that you do something with understanding what you do. If you practice it, you will get more deeply and widely knowledge. :-)

OK. I'll look at restrict-accounts.conf is right or not. I'll get more deeply and widely knowledge after it.

Maybe yes, see https://sourceforge.net/p/milter-manager/mailman/message/32312002/

He doesn't use neither define_data_stopper and define_header_stopper. I think that it isn't same as your case. I wanted to know that YOU want to stop on RCPT TO.

[okkez]

Apply "Restrict Recipient" to milter-test-client

$ milter-test-client -s inet:20025 
$ sudo milter-test-server -s unix:/var/spool/postfix/milter-manager/milter-manager.sock -r macro@example.com

negotiate: version=<6>, action=<add-headers|change-body|add-envelope-recipient|delete-envelope-recipient|change-headers|quarantine|change-envelope-from|add-envelope-recipient-with-parameters|set-symbol-list>, step=<no-connect|no-helo|no-envelope-from|no-envelope-recipient|no-body|no-headers|no-end-of-header|no-reply-header|no-unknown|no-data|skip|envelope-recipient-rejected|no-reply-connect|no-reply-helo|no-reply-envelope-from|no-reply-envelope-recipient|no-reply-data|no-reply-unknown|no-reply-end-of-header|no-reply-body|header-value-with-leading-space>
connect: host=<mx.example.net>, address=<inet:50443@[192.168.123.123]>
macros:
  if_name=localhost
  daemon_name=milter-test-server
  j=mail.example.com
  if_addr=127.0.0.1
helo: <delian>
macros:
  tls_version=0
  cert_subject=cert_subject
  cipher=0
  cert_issuer=cert_issuer
  cipher_bits=0
envelope-from: <<sender@example.com>>
macros:
  mail_mailer=mail_mailer
  mail_addr=mail_addr
  i=i
  mail_host=mail_host
header: <From: <sender@example.com>>
header: <To: <macro@example.com>>
end-of-header
body: <La de da de da 1.
La de da de da 2.
La de da de da 3.
La de da de da 4.>
end-of-message
macros:
  i=message-id
finished

No RCPT and DATA, but events applied after DATA such as header and etc.

Without applicable conditions:

negotiate: version=<6>, action=<add-headers|change-body|add-envelope-recipient|delete-envelope-recipient|change-headers|quarantine|change-envelope-from|add-envelope-recipient-with-parameters|set-symbol-list>, step=<no-connect|no-helo|no-envelope-from|no-envelope-recipient|no-body|no-headers|no-end-of-header|no-reply-header|no-unknown|no-data|skip|envelope-recipient-rejected|no-reply-connect|no-reply-helo|no-reply-envelope-from|no-reply-envelope-recipient|no-reply-data|no-reply-unknown|no-reply-end-of-header|no-reply-body|header-value-with-leading-space>
connect: host=<mx.example.net>, address=<inet:50443@[192.168.123.123]>
macros:
  if_name=localhost
  daemon_name=milter-test-server
  j=mail.example.com
  if_addr=127.0.0.1
helo: <delian>
macros:
  tls_version=0
  cert_subject=cert_subject
  cipher=0
  cert_issuer=cert_issuer
  cipher_bits=0
envelope-from: <<sender@example.com>>
macros:
  mail_mailer=mail_mailer
  mail_addr=mail_addr
  i=i
  mail_host=mail_host
envelope-recipient: <<macro@example.com>>
macros:
  rcpt_addr=<macro@example.com>
  rcpt_mailer=rcpt_mailer
  rcpt_host=rcpt_host
data
header: <From: <sender@example.com>>
header: <To: <macro@example.com>>
end-of-header
body: <La de da de da 1.
La de da de da 2.
La de da de da 3.
La de da de da 4.>
end-of-message
macros:
  i=message-id
finished

[okkez]

Hmm...

May 14 01:55:52 packer-debian-7 postfix/smtpd[3552]: connect from localhost[127.0.0.1]
May 14 01:55:52 packer-debian-7 milter-manager[3416]: stop: <bob@example.com>
May 14 01:55:52 packer-debian-7 milter-manager[3416]: before: 
May 14 01:55:52 packer-debian-7 milter-manager[3416]: after: true
May 14 01:55:52 packer-debian-7 postfix/smtpd[3552]: 064C714001D: client=localhost[127.0.0.1]
May 14 01:55:52 packer-debian-7 postfix/cleanup[3559]: 064C714001D: message-id=<287cc599bd38f5ed1e96b37c951b2dac29778d1876c801d40b4db31f6b80ccb2@mail.example.com>
May 14 01:55:52 packer-debian-7 milter-manager[3416]: [statistics] [milter][header][add](16): <x-hoge>=<value>: milter-test-client
May 14 01:55:52 packer-debian-7 milter-manager[3416]: [statistics] [session][header][add](15): <x-hoge>=<value>
May 14 01:55:52 packer-debian-7 postfix/qmgr[2888]: 064C714001D: from=<null@example.com>, size=748, nrcpt=1 (queue active)
May 14 01:55:52 packer-debian-7 postfix/smtpd[3552]: disconnect from localhost[127.0.0.1]
May 14 01:55:52 packer-debian-7 milter-manager[3416]: [statistics] [session][end][end-of-message][pass][0.059241](15)
May 14 01:55:52 packer-debian-7 milter-manager[3416]: [statistics] [milter][end][end-of-message][stop][0.00646](16): milter-test-client
May 14 01:55:52 packer-debian-7 milter-manager[3416]: [statistics] [sessions][finished] 8(+1) 0
May 14 01:55:52 packer-debian-7 postfix/local[3560]: 064C714001D: to=<bob@example.com>, relay=local, delay=0.07, delays=0.05/0.01/0/0, dsn=2.0.0, status=sent (delivered to file: /dev/null)
May 14 01:55:52 packer-debian-7 postfix/qmgr[2888]: 064C714001D: removed

Added x-hoge header. Why?

[okkez]

I have tried patch in #39 (comment)
It fixes this issue.

[okkez]

Inverted change in a939f22.
@kou, Do you remember deail for this change.

[kou]

Here are bug reports for the problem fixed by a939f22. Do they help you?

https://twitter.com/kshiono/status/23619089243054080

またまた別件ですが、rubyでmilterを書いていて、どうもdataメソッドが呼ばれるタイミングがおかしい気がします。

https://twitter.com/kshiono/status/23619769819205632

SMTPでDATAが送信されたタイミングで呼ばれると思っていたのですが、ログ等でタイミングを確認すると本文を全て送り終わった後（end_of_messageと同じタイミング？）で呼ばれてしまってます。

https://twitter.com/kshiono/status/23620165203664897

envelope_recipientも試してみたら、こっちはちゃんとRCPTのタイミングで呼ばれてるようです。

https://twitter.com/kshiono/status/23621482491944960

ちなみに、これはUbuntu 10.04, Postfix 2.7.0の環境で試してます。

[okkez]

Thanks!!
It is very helpful information.

It works well.