Re: ldirector and custom smtp regexes

To: " users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: ldirector and custom smtp regexes
From: Todd Lyons <tlyons@xxxxxxxxxx>
Date: Thu, 14 Oct 2004 11:40:55 -0700
Horms wanted us to know:

>> I'm using ldirectord to monitor several services (80, 25, 110, and 143).
>> These services are load balanced all from the same director using
>> LVS-DR.  This is all working properly.

And is still working properly.  I'm in the middle of trying to get
heartbeat working with it so that I can have a backup load balancer.
I'm working through those problems, the biggest of which is that load
balancer 1 does not see the udp broadcasts coming from load balancer 2
and vice versa.  So they both assume the other is dead and both try to
go active.  I'm working through that right now.

>> In my sendmail logs, I'm getting this:
>> Jul 13 10:11:23 smtp1 sm-mta[24653]: i6DHBNXo024653:
>> [] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
>> Jul 13 10:11:28 smtp1 sm-mta[24656]: i6DHBShO024656:
>> [] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
>> Jul 13 10:11:33 smtp1 sm-mta[24659]: i6DHBXRd024659:
>> [] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

In the short term, I am ignoring it in syslog :-)  Relevant lines:

source src { unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); };
filter f_mail { facility(mail); };
filter f_monitoring { not match("(did not issue)|("); };
destination mail { file("/var/log/maillog"); };
log { source(src); filter(f_mail); filter(f_monitoring); destination(mail); };

>> I want to script the connection, such as:
>> send:   expn root
>> expect: .*rootuser@xxxxxxxxxxxxxxxxxxx*
>> send:   quit

This was a case very specific to my needs because it verified both that
the application was running and that basic authentication (i.e. LDAP) was
functional as well.  I would hesitate to assume that expn or vrfy would
be enabled by default on any other smtp server since that can be used as
an attack vector for anything ranging from email address cultivation to
raw DDoS attacks.

>> I added this to the config file:
>> virtual =
>>        real => gate 10
>>        checktype = negotiate
>>        scheduler = wrr
>>        request = "expn root"
>>        receive = "rootuser@xxxxxxxxxxxxxxxxxx"
>> I restarted ldirectord and 'tcpdump -n -p -X port 25' shows that it's
>> still only connecting, doing a 'ehlo localhost.localdomain' and then
>> 'quit'.  How come it is not doing my specified commands?  I'm probably
>> misunderstanding the man pages.
>Not at all.

Thank you for the reply.

>I just checked the code and the smtp check does not actually do
>anything beyond connecting and sending ehlo. In a nutshell it ignores
>the request and receive lines altogether. Clearly there is room
>for improvement here. However it is not immediately clear what
>should be permitted in a request. Do you have some thoughts on this?

1) Continue to always do the EHLO, because if you omit that and skip
straight to whatever send string is defined, the smtp server will
generate a complaint about no HELO or EHLO.
2) I would use the full hostname instead of localhost.localdomain.
3) I would allow the user to completely define the request and receive
commands as indicated above, subject to bounds/length checking.
4) I hesitate to ask for ldirector to be "SMTP aware" with any specific
limitations on "what should be permitted", other than length.  A sample
setting and sample exchange (below) illustrates how I would utilize it
and could be a stepping stone for making it work with other protocols as
well (specifically thinking IMAP).  I think a more useful request would
be the ability to specify more than one send sequence and correspondingly
more than one recv sequence.  That complicates things though, both in
configuration and executing that configuration on the backend.  It may
end up being less useful (because it's only for a very few specific
cases and more options to confuse the user).

Here is a sample send/recv SMTP exchange where the EHLO and QUIT are
hard coded.
  request="EXPN root"

[todd@tlyons ~]$ telnet 25
Connected to (
Escape character is '^]'.
220 ESMTP Sendmail 8.12.11/8.12.11; Thu, 14 Oct 2004 09:49:42 
EHLO Hello [], pleased to meet 
250 HELP
EXPN root
250 2.1.5 <rootmailbox@xxxxxxxxxx>
221 2.0.0 closing connection
Connection closed by foreign host.
[todd@tlyons ~]$ 

Here is a sample send/recv IMAP exchange where the "a2 logout" is hard
  request="a1 login cannonball@xxxxxxxxxxxxxx XxXxXxXxXxXxXxX"
  receive="OK LOGIN Ok"

[todd@tlyons ~]$ telnet 143
Connected to (
Escape character is '^]'.
* STARTTLS] Courier-IMAP ready. Copyright 1998-2004 Double Precision,
* Inc.  See COPYING for distribution information.
a1 login cannonball@xxxxxxxxxxxxxx XxXxXxXxXxXxXxX
a2 logout
* BYE Courier-IMAP server shutting down
a2 OK LOGOUT completed
Connection closed by foreign host.
[todd@tlyons ~]$ 

Regards...              Todd
OS X: We've been fighting the "It's a mac" syndrome with upper management
for  years  now.  Lately  we've  taken  to  just  referring  to  new  mac 
installations  as  "Unix"  installations  when  presenting proposals  and 
updates.  For some reason, they have no problem with that.          -- /.
Linux kernel 2.6.3-16mdkenterprise   2 users,  load average: 0.00, 0.01, 0.00
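The check Todd sketches above (EHLO and QUIT hard coded, a user-supplied request/receive pair in between, bounded only by length) as an added example; this is not ldirectord's own code and not code from the thread. The fully qualified HELO name, the 512-byte command limit (the RFC 5321 line limit) and the reply-line cap are assumptions, and the scripted peer replays constructed replies modelled on the sendmail exchange in the message so the check can be exercised offline.

```python
import re
import socket

# Assumed bounds: RFC 5321 command line limit (incl. CRLF) and a cap on
# reply lines so a misbehaving real server cannot hang the health check.
MAX_COMMAND_LEN = 512
MAX_REPLY_LINES = 50


class CheckFailed(Exception):
    """Raised when the exchange cannot be completed (treat as 'real server down')."""


def read_reply(rfile):
    """Read one SMTP reply; 'NNN-' lines are continuations of a multi-line reply."""
    lines = []
    for _ in range(MAX_REPLY_LINES):
        line = rfile.readline()
        if not line:
            raise CheckFailed("connection closed by server")
        line = line.rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            break
    else:
        raise CheckFailed("reply exceeded MAX_REPLY_LINES")
    return lines[0][:3], "\n".join(lines)


def send_command(wfile, cmd):
    """Only length and single-line-ness are enforced, as point 4 suggests."""
    if not cmd.strip() or "\r" in cmd or "\n" in cmd or len(cmd) + 2 > MAX_COMMAND_LEN:
        raise CheckFailed(f"refusing empty, multi-line or oversized command: {cmd[:20]!r}")
    wfile.write(cmd + "\r\n")
    wfile.flush()


def smtp_negotiate(rfile, wfile, helo_name, request=None, receive=None):
    """EHLO and QUIT are fixed; `request` is sent verbatim and its reply must
    match the `receive` regex.  Returns True when the real server passes."""
    code, _ = read_reply(rfile)
    if code != "220":
        raise CheckFailed(f"unexpected greeting code {code}")
    send_command(wfile, f"EHLO {helo_name}")
    code, _ = read_reply(rfile)
    if code != "250":
        raise CheckFailed(f"EHLO rejected with {code}")
    passed = True
    if request is not None:
        send_command(wfile, request)
        _, text = read_reply(rfile)
        if receive is not None and re.search(receive, text) is None:
            passed = False
    send_command(wfile, "QUIT")
    try:
        read_reply(rfile)          # some servers close before the 221 arrives
    except CheckFailed:
        pass
    return passed


def check_host(host, port=25, helo_name=None, request=None, receive=None, timeout=5):
    """Run the check against a real server (hypothetical helper for the director)."""
    helo_name = helo_name or socket.getfqdn()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("r", encoding="ascii", errors="replace", newline="") as rf, \
             sock.makefile("w", encoding="ascii", newline="") as wf:
            return smtp_negotiate(rf, wf, helo_name, request, receive)


class ScriptedPeer:
    """Constructed stand-in for a socket's read/write files; replies are modelled
    on the sendmail transcript in the message, with redacted values filled in."""
    REPLIES = {
        "EHLO": "250-smtp1.example.com Hello [192.0.2.10], pleased to meet you\r\n250 HELP\r\n",
        "EXPN": "250 2.1.5 <rootmailbox@example.com>\r\n",
        "VRFY": "252 2.5.2 Cannot VRFY user; try RCPT to attempt delivery\r\n",
        "QUIT": "221 2.0.0 smtp1.example.com closing connection\r\n",
    }

    def __init__(self):
        self.sent = []
        self._pending = "220 smtp1.example.com ESMTP Sendmail 8.12.11/8.12.11; ready\r\n"

    def write(self, data):
        self.sent.append(data)
        verb = (data.split() or ["?"])[0].upper()
        self._pending += self.REPLIES.get(verb, "500 5.5.1 Command unrecognized\r\n")

    def flush(self):
        pass

    def readline(self):
        line, sep, self._pending = self._pending.partition("\n")
        return line + sep


if __name__ == "__main__":
    peer = ScriptedPeer()
    print(smtp_negotiate(peer, peer, "lb1.example.com", "EXPN root", r"rootmailbox@"))
```

`check_host("10.0.0.5", request="EXPN root", receive=r"rootmailbox@")` is the shape the director would call; the scripted peer exists only so the negotiation logic can be run and asserted on without a live MTA. Note that a request whose reply does not match returns False (real server up but misbehaving), while a closed connection or a rejected EHLO raises, so the caller can distinguish the two.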