RE: Secure IMAP server

2001-01-29 Thread Greg Owen

 The writers of Courier are a pedantic bunch.  They reject 
 mail with 8-bit info in the headers and will not send mail
 to places with "improperly configured MX records".

Next thing you know, they'll be refusing to speak with SMTP clients
that send bare linefeeds.

-- 
    gowen -- Greg Owen -- [EMAIL PROTECTED]
  SoftLock.com is now DigitalGoods!



RE: Hi

2001-01-29 Thread Greg Owen

 Hi, I would like to use maildir instead of mailbox, but now there's a
 problem, does imap support maildir? What is the best imap 
 daemon which works with maildir?

Courier supports Maildir (and maildir only).
http://www.courier-mta.org and look for the "standalone IMAP package." 

There are patches to make UW-Imap use Maildir (at www.qmail.org?)
but UW-Imap expressly does not support Maildir themselves.

-- 
    gowen -- Greg Owen -- [EMAIL PROTECTED]
  SoftLock.com is now DigitalGoods!
 



RE: Hi

2001-01-29 Thread Greg Owen

Brett Randall wrote:
 On Mon, 29 Jan 2001, [EMAIL PROTECTED] wrote:
  Hi, I would like to use maildir instead of mailbox, but now there's a
  problem, does imap support maildir? What is the best imap daemon
  which works with maildir?
 
 Read the FAQ and the docs that come with qmail. There's a 
 start for you.

Better yet, don't listen to Brett, who doesn't appear to know what
the hell he's talking about, and who appears to post only so he can be
abusive.


-- 
gowen -- Greg Owen -- [EMAIL PROTECTED]
  SoftLock.com is now DigitalGoods!




RE: Secure IMAP server

2001-01-29 Thread Greg Owen


 I don't know what their definition of 'improperly configured MX
 records' is.

I was also curious, so I took a quick scan through the sources.  It
appears that this means MX records pointing to recursive CNAME records.
This is not apparently configurable.

Courier also apparently allows you to block mail with bad return
addresses, presumably meaning no A or MX.  This is configurable via config
file.

-- 
gowen -- Greg Owen -- [EMAIL PROTECTED]
  SoftLock.com is now DigitalGoods!
 



RE: Fw: Cron root@ns1 run-parts --report /etc/cron.daily

2001-01-25 Thread Greg Owen

 I keep receiving this message but I don't know what's wrong with it
...
  /etc/cron.daily/cfengine:

 Call Allaire tech support.

cfengine is cfengine (http://www.iu.hioslo.no/cfengine/), not
Allaire ColdFusion.

And neither of these products has anything to do with qmail.  Please
ask in a more appropriate place.

-- 
gowen -- Greg Owen -- [EMAIL PROTECTED]
  SoftLock.com is now DigitalGoods!
 



RE: Subtle qmail bug? (was Re: Handling an MX record of 0.0.0.0 or 127.0.0.1)

2001-01-25 Thread Greg Owen


 Well I guess that this one is definitely eligible for the 
 "qmail security challenge".
 
 http://web.infoave.net/~dsill/qmail-challenge.html

I don't think so.  The challenge says:

"Bugs that qualify for the prize, subject to the other conditions
 outlined in these rules, must be one of the following: 
- Remote exploits that give login access. 
- Local or remote exploits that grant root privileges. 
- Local or remote exploits that grant read or write access to a
  file the user can't normally access because of UNIX access controls
  (owner/group/mode). 
- Local or remote exploits that cause any of the long-lived qmail
  processes (currently: qmail-send, qmail-rspawn, qmail-lspawn, or
  qmail-clean) to terminate."

This attack merely causes messages to loop a bit before bouncing.
This barely even qualifies as a DOS attack.

Note also that at http://cr.yp.to/qmail/guarantee.html:

"I also specifically disallowed denial-of-service attacks: they are present
in every MTA, widely documented, and very hard to fix without a massive
overhaul of several major protocols"


-- 
gowen -- Greg Owen -- [EMAIL PROTECTED]
  SoftLock.com is now DigitalGoods!
 



RE: Subtle qmail bug? (was Re: Handling an MX record of 0.0.0.0 or 127.0.0.1)

2001-01-25 Thread Greg Owen


 Well failure to recognize that 0.0.0.0 is yourself is not 
 quite DNS related exploit. It is a bug.

I'll buy that, but it isn't a security hole.  You did note the word
"security" between "qmail" and "challenge," yes?  It's in the titlebar, the
large words at the top of the page, and the first paragraph.

 I like these rules that say "yeah we are setting up a 
 challenge, but there is no way that you could ever win it"...

It wasn't a bug hunt, it was a security challenge.  The rules listed
are reasonable, if you keep that in mind. 
 
 If you ask me, qmail is far from bug free...

Okay, but how many of those bugs can be exploited to breach
security? (NOTE: a DOS is not a security breach.)  Please, go find one,
there is still a $500 prize available.

 - this sort of "attack" is in use and causing problems with site that
 selected qmail as their MTA

This sort of "attack" causes little more trouble than
double-bounces.  Frankly, we've discussed DOS scenarios with qmail that make
this look like a piece of wet popcorn.  Note that qmail's integral mail loop
detection stops this attack quickly.
 
 So saying "it does not fit our challenge because you need to 
 use DNS to perform the attack" is like saying "well qmail is
 perfectly safe if you don't use it in the real world"... Good 
 PR move guys, and a cheap one too!

Nobody said that.  We said it wasn't a security breach, it was a
DOS, and an extremely limited DOS at that.  If you don't understand the
difference, go read some more.

Let's read that line again:

"bugs are specifically disqualified:
Exploits that involve corrupting DNS data, breaking TCP/IP, breaking NFS, or
denying service (except for the case above). "

You apparently stopped at the first comma.  Try going all the way to
the period.

 Well my answer to this is "don't use qmail"

Given your logic, you should stop using computers.  I've noticed
bugs at all levels, from the BIOS and CPU on up.  But then you wouldn't get
to go trolling, now would you?

-- 
gowen -- Greg Owen -- [EMAIL PROTECTED]
  SoftLock.com is now DigitalGoods! 



RE: Microsoft Down???

2001-01-24 Thread Greg Owen

 Can anyone ping (or otherwise connect to www.microsoft.com ???)
 
 I can't get that or any other microsoft site to respond...   ???

Their DNS is being fscked.  These links surfaced on the djbdns list:

http://www.wirednews.com/news/business/0,1367,41387,00.html
http://computerworld.com/cwi/story/0%2C1199%2CNAV47_STO56817_NLTam%2C00.html

-- 
gowen -- Greg Owen -- [EMAIL PROTECTED]
  SoftLock.com is now DigitalGoods!
 



RE: Secondary MX

2001-01-23 Thread Greg Owen

 Does qmail use the default queuelife and backoff algorithm 
 for delivering mail to a primary MX when it is acting as
 secondary? Or does it do something special?

It uses the default queuelifetime and backoff.

Note that having a concurrencyremote higher than the primary MX is
willing to handle can result in undue delays, because it'll start backing
off when the Primary says "No more!".  If concurrencyremote is less than the
Primary will stop at, then it will run smoother.

-- 
    gowen -- Greg Owen -- [EMAIL PROTECTED]
  SoftLock.com is now DigitalGoods!
 



RE: Qmail and Syslogd?

2001-01-18 Thread Greg Owen

 In light of my recent delivery issues, I was curious as to 
 whether syslogd may have anything to do with it? During a
 mail run of our mailing lists syslogd is hitting 90%
 processor usage or more and staying there. 

Syslogd is death to a medium- to high-volume qmail server.  I've
seen the same thing happen.   Switch to multilog.

-- 
gowen -- Greg Owen -- [EMAIL PROTECTED]
  SoftLock.com is now DigitalGoods!
 



RE: A firestorm of protest?

2001-01-15 Thread Greg Owen


 If Dan was putting out daily versions of qmail, sure.  But we've
 had qmail-1.03 for several years now.

Isn't that really the root of the problem?  They aren't patches,
they're features.  But for whatever reasons, the main sources are never
updated to reflect greater capabilities.

(Which probably means that someday, someone will come out with a
secure open-source MTA that accepts and rewards coders by integrating
patches, and qmail will slip into history.)

-- 
gowen -- Greg Owen -- [EMAIL PROTECTED]
  SoftLock.com is now DigitalGoods!



RE: Hotmail

2001-01-13 Thread Greg Owen

 It would be nice if anyone could answer my questions instead 
 of giving a nice paragraph on win2k

Looking back at your original question:

 Anyone in the world can send to me however when I send to
 hotmail.com it won't accept any smtp connection.

There is a total lack of useful information for us to use to help
you with.  The following information would help us help you:

What do the logs say?  Show a complete delivery attempt of one
message to hotmail, from the "begin" line to the "end" line.  Also show us a
successful delivery somewhere.  Feel free to X out the usernames, but leave
the domain information in place.

What is your mail server's IP address?  As someone has already
suggested, you may be blacklisted inadvertently or because of a previous
owner of that IP.  (This would probably also show up in the aforementioned
log).

What are the contents of your /var/qmail/control/smtproutes file?

-- 
    gowen -- Greg Owen -- [EMAIL PROTECTED]
  SoftLock.com is now DigitalGoods!
 




RE: problem in delivering mails locally...

2001-01-12 Thread Greg Owen

 I have configured qmail server and trying to
 connect to my main branch to get mails , but this is
 happening without any problem. Only thing after
 getting mails to the qmail server I am getting error
 message while delivering to each user:
 
 deferral: CNAME_lookup_failed_temporarily._(#4.4.3)
 
 my host name is: vasu.domain.com
 my main branch host name is: email.domain.com
 domain name is: domain.com

Is your domain really in DNS, or are you putting it in the hosts
file?

qmail doesn't refer to the hosts file ever, only to DNS.  

-- 
gowen -- Greg Owen -- [EMAIL PROTECTED]
  SoftLock.com is now DigitalGoods!
 



RE: Dot in email adress

2001-01-09 Thread Greg Owen

 qmail replaces dots with colons before delivery. Rename the file as
 .qmail-ar:rubin and it should work as expected.
 (Is this in the man pages? I couldn't find it during a quick search)

man dot-qmail:

] WARNING: For security, qmail-local replaces  any  dots  in
]   ext  with  colons  before checking .qmail-ext
-- 
gowen -- Greg Owen -- [EMAIL PROTECTED]
  SoftLock.com is now DigitalGoods!
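
The dot-to-colon rule quoted from the man page above, as an added example (not part of the original post and not qmail's own code): a simplified Python model of how an address extension becomes the list of .qmail file names that are tried. The lowercasing and the "-default" fallback order follow dot-qmail(5); the home directory, the sample extensions and the containment check are constructed, and reading "for security" as protection against ".." path components is an assumption.

```python
import posixpath


def sanitize_ext(ext):
    """Lowercase the extension and turn every dot into a colon."""
    return ext.lower().replace(".", ":")


def candidate_files(ext, sanitize=True):
    """File names tried, in order, for user-ext@host (simplified model).

    sanitize=False shows what the names would look like WITHOUT the
    dot replacement, purely for comparison.
    """
    safe = sanitize_ext(ext) if sanitize else ext
    if not safe:
        return [".qmail"]
    names = [".qmail-" + safe]
    # Walk backwards over the extension; after every hyphen try "<prefix>default".
    for i in range(len(safe), 0, -1):
        if safe[i - 1] == "-":
            names.append(".qmail-" + safe[:i] + "default")
    names.append(".qmail-default")
    return names


def stays_in_home(home, name):
    """True if home/name still resolves to a path inside home."""
    full = posixpath.normpath(posixpath.join(home, name))
    return full.startswith(home.rstrip("/") + "/")


HOME = "/home/alice"                 # constructed home directory
HOSTILE_EXT = "x/../../tmp/evil"     # constructed extension with ".." components

if __name__ == "__main__":
    # The case from the post: mail for user-ar.rubin looks for .qmail-ar:rubin
    print(candidate_files("ar.rubin"))
    print(candidate_files("List-Owner.Test"))
    for sanitize in (False, True):
        name = candidate_files(HOSTILE_EXT, sanitize=sanitize)[0]
        print(sanitize, name, stays_in_home(HOME, name))
```

With the replacement in place no candidate name can contain a ".." component, so the lookup cannot climb out of the user's home directory.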
 
 



RE: control/mailroutes (was: QMTP autoreply tester)

2001-01-07 Thread Greg Owen

Andy Bradford said: 
 Thus said Ricardo Cerqueira on Sun, 07 Jan 2001 01:50:16 GMT:
  Personally, I'd rather have one file for SMTP, and another 
  for QMTP. Does anyone else here agree with me?
 
 This seems more logical to me as it allows finer control
 over the entire system.

It also seems to me that one of the design traits of qmail is
simplicity of config files - I can't find the reference, but I thought
somewhere DJB said that having to parse complex config files is a cause of
problems.  Parsing two files, one for SMTP and one for QMTP, seems more in
line with that philosophy than having one file that must be parsed for
meaning rather than just correctness.

Just my .02.

-- 
gowen -- Greg Owen -- [EMAIL PROTECTED]
  SoftLock.com is now DigitalGoods!




RE: List archives.

2001-01-07 Thread Greg Owen

 Where may I find them, (if they exist)?   

There are three archives linked to in the second paragraph at
http://www.qmail.org/top.html.  At least one is searchable.

-- 
gowen -- Greg Owen -- [EMAIL PROTECTED]
  SoftLock.com is now DigitalGoods!
 



RE: repost: smtp forwarding among two servers...pl help

2001-01-06 Thread Greg Owen

 Sometimes one is not connected to the net  sometimes the 
 other is not. We want that each of the offline servers
 should forward its mail to the server connected to the net.
 Preferably this should be automated but even a minor
 configuration change that can be scripted is acceptable.
 
 Does anybody have a suggestion how this can be implemented.

To make your qmail box forward all mail to the sendmail relay, put
the line ':sendmailrelay.example.com' into /var/qmail/config/smtproutes.
You shouldn't need to restart anything; the next qmail-remote process to
start should read it in.

To make your sendmail box forward all mail to the qmail relay,
adjust the DS, DR, and possibly DH settings in sendmail.cf and restart
sendmail.

To make this happen automatically, have whatever process is going
onto or off of the net (pppd? pump? dhcp?) run a script upon changes.
You'll probably need that script to somehow rsh to the other box because
both will need to be modified.  Also, what happens when they're both
offline?  Do they forward mail back and forth until your LAN is saturated?

This is a non-trivial task, and one that is beyond this list.
Frankly, I'm not sure I'd even bother trying, because you'll probably always
have it 90% complete and 10% broken, and I've coded some pretty ugly hacks
in my day.

Not knowing what shoes you're in, I'd look into a different
solution, perhaps straightening out your connectivity, or making it so that
one of the boxes can route out to the internet by itself or using the other
as a gateway.

-- 
gowen -- Greg Owen -- [EMAIL PROTECTED]
  SoftLock.com is now DigitalGoods!
 



RE: repost: smtp forwarding among two servers...pl help

2001-01-06 Thread Greg Owen

  A minute ago, I (Greg Owen) said:
   To make your sendmail box forward all mail to the qmail relay,
 adjust the DS, DR, and possibly DH settings in sendmail.cf and
 restart sendmail.

Two other caveats:

1) The proper arrangement of these settings to achieve a simple
desired result, and the frustration thereof, is one of the big reasons I
switched to qmail.

2) For proper advice on the sendmail configuration, see a sendmail
list or newsgroup.  Most of us are here because we gave up on that bloody
pit of doom, despair, and desperation.


-- 
gowen -- Greg Owen -- [EMAIL PROTECTED]
  SoftLock.com is now DigitalGoods!
 



RE: IS TIME_WAIT has somethings to do with qmail?

2001-01-04 Thread Greg Owen

 I have a lot of TIME_WAIT (TCP/IP) on my mail server. And
 this grows with time, I think that it will crash my server.
 
 I'm asking if this has no relation with qmail?

TIME_WAIT means that a connection has been closed but the server is hanging
around for a little bit to clear up any packets that belong to that
connection. 

Look at the TIME_WAIT lines:

Proto Recv-Q Send-Q Local Address     Foreign Address   State
tcp        0      0 192.168.1.2:25    10.10.0.3:1070    TIME_WAIT

If 'Local Address' has :25 after it, then yes, it was a mail
connection that is waiting to be cleaned up.  If it has a different port,
then it is a different type of connection.

Seeing some of these is not necessarily an indication of a problem.
Seeing a large number of these may indicate a problem. 

-- 
gowen -- Greg Owen -- [EMAIL PROTECTED]
  SoftLock.com is now DigitalGoods!
 



RE: Local users can clog qmail local queue

2001-01-03 Thread Greg Owen

 Has this been a problem for anyone in practice?  It appears to
 constitute a security problem that a single local user can shut down
 all local mail delivery indefinitely.

In theory, you are correct, although this is a Denial-Of-Service
attack rather than a strict security breach.

In practice, a local user has many other avenues of attack similar
to this, and for all of them the fix is quite simply to throw the user off
the system.  If you run a system with users you worry about, you can (IIRC)
use /var/qmail/users/assign to disallow them from using their .qmail file.

Consider instead a user who puts a stupid filter in his .qmail that
will execute commands listed in an email with COMMAND as the subject line.
NOW you have a real security hole.

-- 
gowen -- Greg Owen -- [EMAIL PROTECTED]
  SoftLock.com is now DigitalGoods!



RE: Local users can clog qmail local queue

2001-01-03 Thread Greg Owen

 ...which is why .qmail commands are executed as the user, 
 instead of as root or as one of the qmail users.  Assuming
 you don't have any other local holes, the worst that user
 can do is machine gun himself in the foot, and he
 doesn't need qmail to do that!

...you should always assume you have local holes.  Even if you
don't, allowing random remote people to get commands executed as local users
is a problem - how about '/bin/mail [EMAIL PROTECTED]  /etc/passwd'?  Even
if there's a shadow file, that'll list usernames to guess passwords on.

But, more to the point, check out
http://cr.yp.to/qmail/guarantee.html:

"Of course, ``security hole in qmail'' does not include problems outside of
qmail: for example, NFS security problems, TCP/IP security problems, DNS
security problems, bugs in scripts run from .forward files, and operating
system bugs generally. It's silly to blame a problem on qmail if the system
was already vulnerable before qmail was installed! I also specifically
disallowed denial-of-service attacks: they are present in every MTA, widely
documented, and very hard to fix without a massive overhaul of several major
protocols. (UNIX does offer some tools to prevent local denial-of-service
attacks; see my resource exhaustion page for more information.)"

-- 
    gowen -- Greg Owen -- [EMAIL PROTECTED]
  SoftLock.com is now DigitalGoods!



RE: thoughts for future qmail

2001-01-03 Thread Greg Owen

 David Benfell [mailto:[EMAIL PROTECTED]] wrote:
 On Tue, Jan 02, 2001 at 10:12:43PM -0500, Russell Nelson wrote:
  You also need to have an MX record with priority 12801 
  pointing to the host running qmtp.  Right now, you only have 
  parts-unknown.org.  1D IN MX 0 mx.parts-unknown.org.
  
 Ouch.  Now I venture off topic for the qmail list (hence the
 cross-post) because I use djbdns without understanding it.  How does
 one set mx priorities with djbdns?

Use the 4th field of the MX record data line ("dist") as described
at http://cr.yp.to/djbdns/tinydns-data.html:

] @fqdn:ip:x:dist:ttl:timestamp
]
] Mail exchanger for fqdn. tinydns-data creates an MX
] record showing x.mx.fqdn as a mail exchanger for fqdn
] at distance dist, and an A record showing ip as the 
] IP address of x.mx.fqdn. You may omit dist; the default
] distance is 0. 

-- 
    gowen -- Greg Owen -- [EMAIL PROTECTED]
  SoftLock.com is now DigitalGoods!
 




RE: smtproutes

2001-01-03 Thread Greg Owen

 I have a redhat 7  \ qmail installation. I want to use this
 as a smtp frontend to send all messages to our exchange
 server. I have set smtproutes to smtp:exchange. When I send
 a message it gets delivered locally to me

Make sure that the domain you are sending mail to is not listed in
locals or virtualdomains, only rcpthosts and smtproutes.

-- 
gowen -- Greg Owen -- [EMAIL PROTECTED]
  SoftLock.com is now DigitalGoods!
 



RE: Qmail and MX records

2001-01-02 Thread Greg Owen

 We all know that secondary MX systems tend to know much less about the
 domain than the primary does. Consequently a secondary MX *is* likely
 to accept such mail, but largely because it has no clue about what the
 ultimate destination thinks.

What do you care?  In this case, if the mail had dumped off to
secondary, it would have either gotten there or bounced sooner than
'queuelifetime' and not wasted his server's time for a week.  The error
involved suggested that retrying the same exact thing remained likely to
fail, that sounds like a good reason to back off to secondary.

In either case, the receiving party gets what they deserve - either
they get their mail through their secondary, which is why they properly set
one up, or it bounces, which is what they get for improperly setting it up. 

Some people run well-configured secondaries for good reasons.  The
fact that other clowns can't get it right isn't a reason for dropping their
use.  Heck, if we stopped using things because people misconfigured them, we
wouldn't be using qmail.

-- 
gowen -- Greg Owen -- [EMAIL PROTECTED]
  SoftLock.com is now DigitalGoods!
 





RE: Qmail and MX records

2001-01-01 Thread Greg Owen

 I have this problem that when Qmail tried to deliver a 
 message and have this
 error:
 
 Connected to 152.x.x.x but greeting failed.
 Remote host said: 521 VHAISHEXCI.x.x.gov access denied
 I'm not going to try again; this message has been in the 
 queue too long.
 
...
 
 I expected Qmail to then attempt delivery to the next 
 priority MX. It doesn't and eventually sends me a message

Qmail only backs off to the next MX if it is unable to reach the
first MX.  In this case, it reached the first MX, started a conversation
with the SMTP server there, and was told to bugger off.

I don't agree with qmail's handling of this case, but it is arguably
fully legal.  I think the standard response here runs "If their mail server
isn't willing to accept email, why is it responding to port 25?"

-- 
    gowen -- Greg Owen -- [EMAIL PROTECTED]
  SoftLock.com is now DigitalGoods!
 



RE: domain alias question

2000-12-29 Thread Greg Owen

 But when I reply, it changes things to [EMAIL PROTECTED]  how do i 
 get qmail to keep the aliased domain in the address?

To do this on a server-wide basis, see defaulthost and defaultdomain
in 'man qmail-inject'.  I generally set both of these to the domain name to
get the desired functionality.

To do this on a per-user basis, see QMAILHOST and MAILHOST in 'man
qmail-inject'.

-- 
gowen -- Greg Owen -- [EMAIL PROTECTED]
  SoftLock.com is now DigitalGoods!
 



RE: newbie question. please recommend solution

2000-12-23 Thread Greg Owen


 Here is the thing: I DO NOT have a domain YET. SO in my 
 /etc/hosts file, I added swaru as my machine name. Since I'm 
 not part of any network (it's a system at which is soon going 
 to be a web/mail server), I named my machine swaru (swami + guru :-).

I don't know anything about vmailmgr, but I do know that qmail never
uses the hosts file, only DNS.  Never ever.  Not on a bet.  Not if you ask
nicely.  Not even if you're listed on Santa's "Nice" list.

You might want to set up a "private" DNS server that pretends you
have a domain for the purposes of setting up and testing mail services.

-- 
    gowen -- Greg Owen -- [EMAIL PROTECTED]



RE: [OT] do you know this MTA(not qmail) error msg?

2000-12-15 Thread Greg Owen

 553 mail2.dacas.com.ar. config error: mail loops back to me (MX
 problem?)
 554 [EMAIL PROTECTED]... Local configuration error

That is Sendmail.  I forget how exactly you cause that error, but it
isn't hard to do, and yes, it is their configuration that needs fixing.

-- 
gowen -- Greg Owen -- [EMAIL PROTECTED]
  SoftLock.com is now DigitalGoods!



RE: Loop protection

2000-12-14 Thread Greg Owen

 What kind of loop protection does qmail have? By that, I 
 mean, if I have a user that forwards his email to another
 account on another system, which forwards back to his
 original mailbox, how does qmail handle this case?

qmail inserts a "Delivered-To: " line into the header on each
delivery, and will notice any loop that way, even if the loop is between
multiple hosts.

This is mentioned in BLURB3 in the distribution and in the
'qmail-local' man page.

-- 
    gowen -- Greg Owen -- [EMAIL PROTECTED]
  SoftLock.com is now DigitalGoods!
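
The Delivered-To check described above, as an added example (not part of the original post and not qmail's own code): a small Python model in which every local delivery stamps the message with a Delivered-To line and refuses a message that already carries its own. The addresses, the forwarding table and the sample message are constructed; matching the line by exact string comparison is a simplification.

```python
def header_lines(raw):
    """Header lines of a raw message: everything before the first blank line."""
    return raw.split("\n\n", 1)[0].split("\n")


def local_delivery(raw, recipient):
    """Stamp the message for `recipient`, or return None if it is looping.

    Only the header is searched, so a look-alike line in the body
    cannot trigger (or be used to fake) a loop bounce.
    """
    marker = "Delivered-To: " + recipient
    if marker in header_lines(raw):
        return None
    return marker + "\n" + raw


def follow(raw, first, forwards, max_hops=20):
    """Deliver to `first`, then keep following .qmail-style forwards.

    `forwards` maps an address to the address it forwards to; addresses
    not in the map keep the mail in a mailbox. Returns the event list.
    """
    events, rcpt = [], first
    for _ in range(max_hops):
        stamped = local_delivery(raw, rcpt)
        if stamped is None:
            events.append(("bounce-loop", rcpt))
            return events
        raw = stamped
        nxt = forwards.get(rcpt)
        if nxt is None:
            events.append(("mailbox", rcpt))
            return events
        events.append(("forward", rcpt))
        rcpt = nxt
    events.append(("hop-limit", rcpt))
    return events


# Constructed message; note the look-alike line in the body.
MESSAGE = (
    "From: sender@example.org\n"
    "Subject: test\n"
    "\n"
    "Delivered-To: joe@a.example\n"
    "body text\n"
)

# Constructed forwarding tables: a two-host loop and a three-host loop.
TWO_HOST_LOOP = {"joe@a.example": "joe@b.example",
                 "joe@b.example": "joe@a.example"}
THREE_HOST_LOOP = {"joe@a.example": "joe@b.example",
                   "joe@b.example": "joe@c.example",
                   "joe@c.example": "joe@a.example"}

if __name__ == "__main__":
    for table in (TWO_HOST_LOOP, THREE_HOST_LOOP, {"joe@a.example": "joe@b.example"}):
        print(follow(MESSAGE, "joe@a.example", table))
```

The loop is caught the first time the message returns to an address that has already stamped it, however many hosts sit in between.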
 



RE: Looking for way to delete all mail sent to a non-existent mailbox

2000-12-14 Thread Greg Owen

 What's the best way to simply have *all* mail for a 
 particular mailbox go to /dev/null? I created a 
 .qmail-{mailbox} file and simply left it blank -
 hoping that would do it. Is that an appropriate,
 effective measure?

No; in the case of a zero-sized .qmail file, the "defaultdelivery"
instructions will be followed (see 'man dot-qmail').

What you want is a .qmail file containing a single line with a
comment in it, so that the file is non-empty but contains no delivery
instructions.  All mail to that user will be silently discarded.

-- 
    gowen -- Greg Owen -- [EMAIL PROTECTED]
  SoftLock.com is now DigitalGoods!



RE: Concurrent access to one mailbox via IMAP?

2000-12-14 Thread Greg Owen

 All this IMAP talk raises another question I have - which do 
 most of you use?  [An open ended question that could generate
 a flurry of responses! ;]

I don't now, but when I used IMAP, I preferred Cyrus IMAP.  It has a
reasonably clean design that throws away /bin/mail compatibility to
concentrate on handling IMAP optimally.

-- 
gowen -- Greg Owen -- [EMAIL PROTECTED]
  SoftLock.com is now DigitalGoods!
 



RE: Qmail source files - developer version

2000-12-12 Thread Greg Owen

  Felix von Leitner [mailto:[EMAIL PROTECTED]] said:
 Thus spake Alex Kramarov ([EMAIL PROTECTED]):
  I want to write an addon to qmail, so it could forward mail
  to another server before it hits the queue, split to several
  copies, one for each recipient domain. I think many could 
  benefit from this feature, in terms of bandwidth conservation.
 
 This feature can (and should) be implemented externally, i.e. without
 editing the qmail sources at all.
 
 Just take the qmail-smtpd sources and write a new smtpd.

Whoa, whoa, let's not get too excited here.  Before you go
rewriting, you should read FAQ 8.2:

] 8.2. How do I keep a copy of all incoming and outgoing mail messages?
] 
] Answer: Set QUEUE_EXTRA to "Tlog\0" and QUEUE_EXTRALEN to 5 in extra.h.
] Recompile qmail. Put ./msg-log into ~alias/.qmail-log.

Using this to forward copies however you want is left as a
straightforward exercise for the reader.  'man dot-qmail' will be helpful.  

-- 
    gowen -- Greg Owen -- [EMAIL PROTECTED]
  SoftLock.com is now DigitalGoods!



RE: It's been a while...

2000-12-07 Thread Greg Owen

 a control/smtproutes file containing ":my mail server's IP" on the
 firewall.

Actually, that would forward ALL mail - for your domain, or being
sent out from your domain! - to the internal server.  You want
"mydomain.com:my mail server's IP" in smtproutes on the firewall.

 As for the control/rcpthosts file, does it suffice to put
 "mydomain.com:my mail server's IP" or do I need a list of 
 machine names, ie: "mail.mydomain.com:my mail server's IP",
 etc...

You're confusing smtproutes syntax and rcpthosts syntax here.  On
the firewall, you want "mydomain.com" in the rcpthosts file.  If you also
intend to accept mail for hosts in your domain (i.e., mail.mydomain.com),
you can put them in one by one or wildcard them with ".mydomain.com".  Make
sure MX records exist in global DNS pointing to firewall.mydomain.com for
any hosts or domains you want it to relay.

  Then, what's needed
 in control/locals, control/me and control/virtualdomains (I have no
 virtual domain), only the firewall's hostname (except for 
 virtualdomains)?

control/locals should be empty; you are forwarding mail.  If you
want mail for firewall.mydomain.com to stay on the firewall instead of being
forwarded, you can put that there (and make sure firewall.mydomain.com or
.mydomain.com is in rcpthosts).

control/me should be the firewall's hostname.

control/virtualdomains can be deleted.

 On my mail server itself, all I do is create 
 control/smtproutes and put it
 the following; ":my firewall's IP" ?

Yes.  Also add "mydomain.com" to rcpthosts and locals (and, again,
any hosts or wildcards you also want to accept mail for).
 
 I am using both tcpserver and tcprules on the firewall 
 already. The rule was to relay from any host inside to
 the mail server. It still needs to relay... but what
 should be in there exactly now ? Like I started by
 saying, it's been a while...

That can stay as is, unless you want to tighten the rules so
outgoing mail can only come from the internal mail server.  As long as the
internal mail server is allowed to relay in the existing rules, you're fine.

-- 
gowen -- Greg Owen -- [EMAIL PROTECTED]
  SoftLock.com is now DigitalGoods!
 



RE: Quality of this List

2000-12-06 Thread Greg Owen

 And I have found clear attempts to make as difficult as 
 possible for newbies to learn more.

I'm curious if you'd post what you consider a clear attempt to make
it difficult to learn.  

-- 
gowen -- Greg Owen -- [EMAIL PROTECTED]
  SoftLock.com is now DigitalGoods!
 



RE: Quality of this List

2000-12-06 Thread Greg Owen

From: asantos [mailto:[EMAIL PROTECTED]]
 From: Greg Owen [EMAIL PROTECTED]
  I'm curious if you'd post what you consider a clear attempt to make
 it difficult to learn.
 
 I'm not a policeman for the list. Check the archives.

I didn't consider that you might count abusive posts under that
category, which I now realize is what you mean.  I read your statement as
implying that people posted misinformation with the intent of misleading
newbies, or something like that, which I certainly haven't seen.

I personally don't think abusive posts make it hard to learn.
Ignore them, and pay attention to the ones that ask for more information or
tell you which FM to R.  

 Now, what I would like to understand is why did people pick 
 on this issue, instead of the wider points that I mentioned
 in my post

] 1) Dan's anti-packaging policy

No argument.

] 2) Increasing dependency in other packages

No argument.

] 3) Newbie bashing on the main support list

Sometimes deserved.  Sometimes not.  Chaff in the wind, grasshopper.

] 4) Badly disguised maneuvers to create a qmail maintainers guild or two

The point I raised a question about.

] 5) Proliferation of patches

See #1.  See agreement with #1.

-- 
gowen -- Greg Owen -- [EMAIL PROTECTED]
  SoftLock.com is now DigitalGoods!




RE: This is my limit???

2000-12-05 Thread Greg Owen

 Now if I sent from any machine in the Lan message to 
 e.g: [EMAIL PROTECTED] which must be received on the
 "local" machine, the mail box is always empty.
 But message sent to [EMAIL PROTECTED] reach his Maildir
 on "local" machine.

What do the logs say about the mail to [EMAIL PROTECTED]?

Also, consider posting the output of qmail-showctl instead of
obfuscating it for us.

-- 
    gowen -- Greg Owen -- [EMAIL PROTECTED]
  SoftLock.com is now DigitalGoods!




RE: Where is Dave Sill??

2000-12-04 Thread Greg Owen

 I'm asking if anyone using  "Life with qmail" find the
 following error:
 
 "supervise:fatal:unable to start qmail-smptd/run:
  exec format error". 

Make sure that the qmail-smtpd/run file doesn't have DOS-style CR/LF
pairs.  The 'file' command should tell you if it does.  If it does, fix it -
see http://kb.indiana.edu/data/acux.html for various ways to convert.

-- 
    gowen -- Greg Owen -- [EMAIL PROTECTED]
  SoftLock.com is now DigitalGoods!
 



RE: Where is Dave Sill??

2000-12-04 Thread Greg Owen

 I believe some Unixes use the string "#! /" as a magic string for
 interpreted executables and ignore "#!/". Your mileage may vary.

I suspect you're right but can't remember which *ix is picky that
way.  Anyone, anyone?

For all *ixes I've used, however, " #!" will not work because those
magic characters must be the first two bytes in the file.  That's the part
that's important to get right.

-- 
gowen -- Greg Owen -- [EMAIL PROTECTED]
  SoftLock.com is now DigitalGoods!
 
 



RE: This is my limit???

2000-12-04 Thread Greg Owen

 For a week I've been trying to configure two
 mail server based on qmail. One as Relay (in my DMZ) and
 the second in my LAN. A scheme is better:
 RouteurSwitch-DMZ --(Relay is here)
   |
   |
   Firewall
 |
 |
   LAN (local mail server)

Let's assume we have relay.example.com in the DMZ and
mail.example.com on the LAN.

External DNS records should have an MX record listing
relay.example.com as the mail exchanger for example.com.

relay.example.com should allow relay by mail.example.com, but not
from anyone else (see http://www.palomine.net/qmail/relaying.html and
http://www.palomine.net/qmail/selectiverelay.html).

relay.example.com should have the following files set as follows:

rcpthosts:
example.com
"I accept mail for example.com"

smtproutes:
example.com:mail.example.com
"I forward all mail for example.com to mail.example.com"

mail.example.com should have the following:

rcpthosts: 
example.com
"I accept mail for example.com"

locals:
example.com
"Mail for example.com is delivered locally"

smtproutes:
:relay.example.com
"Everything not delivered locally is forwarded to relay.example.com 
 for relay"

-- 
gowen -- Greg Owen -- [EMAIL PROTECTED]
  SoftLock.com is now DigitalGoods!



RE: Outbound Hostname

2000-12-04 Thread Greg Owen

 On Mon, Dec 04, 2000 at 08:03:47PM +, Peter Woods wrote:
  I am having some difficulty getting qmail to send
  outbound email with the CNAME of the system rather
  than the actual hostname.  I have modified me
  and defaulthost files in /var/qmail/control to
  include the CNAME of the system.  The hostname
  is only referenced in the rcpthosts file.  Any
  hints where I might proceed to get this fixed?
 
 I recommend that MTAs identify themselves with their canonical
 hostnames instead of aliases.
 
 That said, man qmail-control, look at helohost.

'helohost' defaults to 'me', so I don't think that's the problem.

I'm not sure how to parse the original email, but I think the
problem is in the mail headers, not the envelope, in which case the MTA is
probably at fault.

-- 
gowen -- Greg Owen -- [EMAIL PROTECTED]
  SoftLock.com is now DigitalGoods!
 




RE: ReiserFS

2000-12-03 Thread Greg Owen

 What has qmail to do with the underlying file system? This 
 is hidden by the OS of course.

qmail relies heavily on proper operation of the underlying
filesystem to be truly reliable.  Not much except BSD meets qmail's
definition of "proper."  Ext2 and reiserfs are discussed thoroughly in the
archives.

-- 
    gowen -- Greg Owen -- [EMAIL PROTECTED]
 



RE: Forwarding

2000-12-01 Thread Greg Owen


 How do I forward all mail received by a user to a user on a 
 different host.
 I have looked at the forward command but this does not seem 
 to do the trick.
 Could someone point me in the direction of some documentation 
 on the forward command if this is the correct one. 

Read 'man dot-qmail', specifically the part that begins:

]   (3)  A forward line begins with an ampersand:
]
] [EMAIL PROTECTED]



-- 
gowen -- Greg Owen -- [EMAIL PROTECTED]
 



RE: HELL, STOP IT (was: Re: List Courtesy (was Newbie question))

2000-11-30 Thread Greg Owen

 Isn't it funny, how *some* people that live in a country and a culture
   - that killed thousands of black people
   - that killed thousands of red indians
   - that killed thousands of people with the atomic bomb
   - that killed thousands of people in Vietnam

You forgot the hundreds of thousands of Iraqis, both in the war and
after, whom we're still trodding under the boots of our puppet apparatus,
the so called "United Nations."

-- 
    gowen -- Greg Owen -- [EMAIL PROTECTED]
 



RE: List Courtesy (was Newbie question)

2000-11-29 Thread Greg Owen

 How exactly is my MUA broken?

It isn't, the user is broken.  The user incorrectly decided that
everyone would just love to see the full text of the original message
(perhaps in case they inexplicably missed it the first time!), and that it
needed no marking to make it clear to readers that it isn't new material.

-- 
gowen -- Greg Owen -- [EMAIL PROTECTED]
 



RE: Long Local Delivery Delays

2000-11-13 Thread Greg Owen

 The delay seems to occur from when mx0 accepts the message to when mx0
 writes it to the user's Maildir. My guess would be that the 
 queue is not being processed fast enough.

Have you checked the trigger?

http://web.infoave.net/~dsill/lwq.html#trigger

Sounds like a classic case of a bad trigger.

-- 
gowen -- Greg Owen -- [EMAIL PROTECTED]
 



RE: How maybe times qmail will retry send the bounce email?

2000-11-09 Thread Greg Owen

 If a email bounced back, how often the qmail will try to send 
 it again?
 try how many times?

"Bounce" implies permanent error from the remote end or inability to
connect to the remote within the appropriate time.  No mail system (except,
um, Outlook) retries bounced mail.  However, for temporary errors:

See queuelifetime in 'man qmail-send'
See "Does qmail back off from dead hosts?" in the FAQ.

 and how long the qmail will give up?

See queuelifetime in 'man qmail-send'

 If qmail give up, how it process the bounced email? delete it 
 from queue
 and forward it to Mail-daemon@localhost?

Bounces are returned to the sender.  If the bounce bounces, it'll
end up in the local postmaster account.

 Can we control  the retry interval

No - you don't really want to, anyway.

 and the longest waiting time?

Yes - see queuelifetime in 'man qmail-send'

 Is it possible qmail forget a mail in the queue?

Unlikely.

 if so, how can we dump it out?

If you want to force it to bounce before the queuelifetime is up,
see the following tip from www.qmail.org/top.html:

"Frederik Vermeulen says: If you don't want a specific undeliverable mail to
sit in the queue any longer, you can make it reach the queuelifetime by
running touch -d '1 week ago' on its queue/info file. It will then be
bounced after one more delivery attempt."

-- 
gowen -- Greg Owen -- [EMAIL PROTECTED]
 



RE: Some emails in my queue delayed more than 2 weeks, help?

2000-11-08 Thread Greg Owen

 I am newbie of qmail, but I noticed some emails in my qmail 
 server queue have been there more than 2 weeks.

Mail that cannot be delivered will be retried for
/var/qmail/control/queuelifetime seconds, which defaults to one week (604800
seconds).  After that, it will bounce.  (man qmail-send)

 I found some useful tools to check the delayed email in the queue from
 the qmail homepage,  but I have no idea how I can force qmail deliver
 them right away or backup and delete them from queue.

If the mail has been delayed, then most likely the destination host
is not responding, and therefore forcing the queue will not cause it to be
delivered.

In order to see why mail isn't getting delivered, look at the logs.
Get the queue id using qmail-qread:

# qmail-qread
5 Nov 2000 00:32:30 GMT  #716722  2940  
remote  [EMAIL PROTECTED]

In this case, 716722.  Now grep to get the last delivery attempt:

# grep 716722 /var/log/maillog | tail -1
Nov  8 04:32:31 zephyr qmail: 973675951.152330 starting delivery 46683: msg
716722 to remote [EMAIL PROTECTED]

Now grep for the details of that delivery attempt:

# grep 46683 /var/log/maillog
Nov  8 04:32:31 zephyr qmail: 973675951.152330 starting delivery 46683: msg
716722 to remote [EMAIL PROTECTED]
Nov  8 04:33:31 zephyr qmail: 973676011.198378 delivery 46683: deferral:
Sorry,_I_wasn't_able_to_establish_an_SMTP_connection._(#4.4.1)/

so, the mail server for thegamblingreport.com isn't responding.
Now, you could look it up to figure out what the IP is (209.67.50.203), and
telnet to port 25, and verify by hand that it isn't responding... but it
isn't really worth the trouble.

Having said all that, to force the queue to retry, send a kill -HUP
to the qmail-send process (this is in the FAQ, I forget the number).


-- 
gowen -- Greg Owen -- [EMAIL PROTECTED]
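
The grep steps in the message above, done as one pass over the log (an added example, not part of the original post). The sample log lines are constructed, the addresses are placeholders, and the function names are hypothetical. Matching on the "msg N" and "delivery N" fields keeps a bare number inside a timestamp from being mistaken for the queue id.

```python
import re

START = re.compile(r"starting delivery (\d+): msg (\d+) to (remote|local) (\S+)")
RESULT = re.compile(r"delivery (\d+): (success|failure|deferral): (.*)$")

# Constructed sample log. The last two lines carry 716722 and 46683 inside
# their timestamps, which a plain 'grep 716722 | tail -1' would pick up.
SAMPLE_LOG = """\
Nov  7 20:32:30 zephyr qmail: 973647150.101010 starting delivery 46102: msg 716722 to remote user@example.net
Nov  7 20:33:30 zephyr qmail: 973647210.202020 delivery 46102: deferral: Sorry,_I_wasn't_able_to_establish_an_SMTP_connection._(#4.4.1)/
Nov  8 04:32:31 zephyr qmail: 973675951.152330 starting delivery 46683: msg 716722 to remote user@example.net
Nov  8 04:33:31 zephyr qmail: 973676011.198378 delivery 46683: deferral: Sorry,_I_wasn't_able_to_establish_an_SMTP_connection._(#4.4.1)/
Nov  8 04:40:02 zephyr qmail: 973676402.716722 starting delivery 46690: msg 716800 to local bob@example.net
Nov  8 04:40:02 zephyr qmail: 973676402.746683 delivery 46690: success: did_1+0+0/
"""


def decode_reason(text):
    # qmail-send logs spaces as '_' and line breaks as '/'; decoding is lossy
    # because a literal '_' or '/' in the text cannot be told apart.
    return text.replace("_", " ").replace("/", "\n").strip()


def trace_message(lines, msg_id):
    """Return every delivery attempt logged for queue id msg_id, oldest first."""
    open_attempts = {}   # delivery number -> record still waiting for a result
    history = []
    for line in lines:
        m = START.search(line)
        if m:
            delivery, msg, channel, rcpt = m.groups()
            if int(msg) == msg_id:
                rec = {"delivery": int(delivery), "channel": channel,
                       "recipient": rcpt, "status": None, "reason": None}
                open_attempts[delivery] = rec
                history.append(rec)
            else:
                # Delivery numbers restart when qmail-send restarts, so a
                # number can come back attached to a different message.
                open_attempts.pop(delivery, None)
            continue
        m = RESULT.search(line)
        if m and m.group(1) in open_attempts:
            rec = open_attempts.pop(m.group(1))
            rec["status"] = m.group(2)
            rec["reason"] = decode_reason(m.group(3))
    return history


if __name__ == "__main__":
    for attempt in trace_message(SAMPLE_LOG.splitlines(), 716722):
        print(attempt)
```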
 



RE: (Fwd) ezmlm response

2000-11-03 Thread Greg Owen

  220 
 0*
 *2*2000 **02**0*00
  EHLO buick.978.org
  500 Syntax error, command " buick.978.org" unrecognized
  QUIT
  221 ehub1.sherwin.com SMTP Service closing transmission channel
  
 This looks like what the Cisco PIX firewall does.

Yes, that is a Cisco PIX firewall.

To turn off this "feature" just add the command "no fixup protocol
smtp 25" to the configuration on the PIX.

-- 
gowen -- Greg Owen -- [EMAIL PROTECTED]
 



RE: Force Queue run

2000-11-03 Thread Greg Owen

 I was wondering if there was a way to force a queue run with 
 qmail. 

Find the qmail-send process and send it a kill -ALRM.  See the FAQ
entry at:

http://cr.yp.to/qmail/faq/admin.html#queuerun

-- 
gowen -- Greg Owen -- [EMAIL PROTECTED]
 



RE: Can I run multiple qmail-smptd on one install

2000-11-02 Thread Greg Owen

 My immediate idea for a solution was to run a second qmail-smtpd on
 another port that Earthlink is not blocking. My question is, can I run
 multiple instances of qmail-smtpd concurrently on different ports
 through supervise and tcpserver,

Yes.  Merely invoke tcpserver twice, with different port arguments.

 or do I need to do something weird to
 make this work?

Nope.

-- 
gowen -- Greg Owen -- [EMAIL PROTECTED]
 



RE: Problem in getting forwarded mails

2000-11-02 Thread Greg Owen

 
 Here the part of the logfile

Which machine is this logfile from?  The forwarding host, or the
final destination?  And which machine is 212.185.23.250?  

 Nov  2 23:53:47 mail qmail: 973205627.559026 delivery 7: success: 
 212.185.23.250_accepted_message./Remote_host_said:_250_OK./ 

If 212.185.23.250 is the final destination, what do the logs on that
machine say?  It accepted the message, so the responsibility for the message
is no longer that of the machine whose logs you posted.

-- 
gowen -- Greg Owen -- [EMAIL PROTECTED]



RE: plusdomain

2000-10-13 Thread Greg Owen

 Can anyone tell me what the 'plusdomain' control file is used for?
 Can't find anything in the docs...thanks.

For any control file, read 'man qmail-control,' which has a table
listing which man page describes which control file.  All control files have
an entry like the following from 'man qmail-inject:'

   plusdomain
Plus  domain name.  Default: me, if that is supplied;
otherwise the literal name plusdomain, which is probably
not what you want.  qmail-inject adds this name
to any host name that ends with a plus sign, including
defaulthost if defaulthost ends with a plus sign.
If a host name does not have dots  but  ends  with  a
plus sign, qmail-inject uses plusdomain, not defaultdomain.

The QMAILPLUSDOMAIN  environment  variable  overrides
plusdomain.

-- 
gowen -- Greg Owen -- [EMAIL PROTECTED]
 

 



RE: A bug or am I being daft?

2000-10-13 Thread Greg Owen

 Doesn't the case change violate RFC821 or 822?

In short, no; they govern the transmission of email between systems,
not the policies of the final delivery step.

For mind-numbing detail, search the archives.

-- 
gowen -- Greg Owen -- [EMAIL PROTECTED]
 





RE: dash addresses failing

2000-09-28 Thread Greg Owen

 A test to [EMAIL PROTECTED] completes properly.
 
 A test to [EMAIL PROTECTED],
... 
 fails, and I don't understand what I'm missing.

Does the file ~lists/.qmail-jobs exist? 

If not, how about ~alias/.qmail-lists-jobs?

If not, that's probably the problem.  Read the dot-qmail man page
section titled:

EXTENSION ADDRESSES
   In  the  qmail  system, you control all local addresses of
   the form  user-anything,  as  well  as  the  address  user
   itself,  where  user  is  your  account name.  Delivery to
   user-anything   is   controlled   by   the   file
   homedir/.qmail-anything.   (These  rules may be changed by the
   system administrator; see qmail-users(5).)

-- 
gowen -- Greg Owen -- [EMAIL PROTECTED]
 



RE: Are we acting as an open relay?

2000-09-19 Thread Greg Owen

 I am new to qmail but I have read the "Qmail newbie's guide 
 to relaying" and I thought when I sent from  a remote email
 address to a remote email address I should have received a
 553 domain not in allowed rcpthosts message. None of the
 mail I was trying to deliver has appeared in the
 remote accounts I was using.

That is not correct - the newbies guide to relaying tells you how to
configure your mail server to accept mail from anyone, to anyone, as long as
the connection is from a trusted address.  The list of trusted addresses is
in the /etc/tcp.smtp file (compiled into tcp.smtp.cdb and referenced in the
tcpserver command line).

Following those instructions, if you test from your own box and your
tcp.smtp file allows that box to relay, then the test will work.  The real
test is what happens when mail is sent from an outside address, one not
owned by you or your users.

 I am concerned that we may be acting as an open relay. How 
 can I check/fix this?

You can use an automated relay tester, but beware that qmail appears
not to pass the "[EMAIL PROTECTED]" test (and the test usually says
"This is not conclusive unless you actually got mail").  There's a test at
http://www.abuse.net/relay.html.

If you have an external account, you can try to test from there,
manually.

-- 
gowen -- Greg Owen -- [EMAIL PROTECTED]
 



RE: abuse.net results...was 'RE: Are we acting as an open relay?'

2000-09-19 Thread Greg Owen

  You can use an automated relay tester, but beware that 
  qmail appears not to pass the "[EMAIL PROTECTED]"
  test (and the test usually says "This is not conclusive
  unless you actually got mail").  

 It appears that my Qmail setup allows relaying when % is 
 between username and domain. Why would that happen?
 
I apologize, I don't seem to have worded that correctly.

"qmail appears not to pass the mail%target... test, BUT IT DOES
PASS; that particular subtest is a false positive for qmail"

So, failing that one test is a false positive; ignore it and
consider yourself safe.

-- 
gowen -- Greg Owen -- [EMAIL PROTECTED]



RE: Questions...

2000-09-11 Thread Greg Owen

 On Mon, Sep 11, 2000 at 09:36:07AM -0700, James Stevens wrote:
  2. Is there any way to view what's actually in queue as opposed to just
  seeing numbers.. My boss likes being able to actually see the queue
  like in the old Sendmail.
 
 qmHandle from the qmail home page (you did look there, didn't 
 you?) does just that. 

Also plain old qmail-qread in the distribution.

-- 
gowen -- Greg Owen -- [EMAIL PROTECTED]
 



RE: Routing qmail through a gateway

2000-08-22 Thread Greg Owen

 I'm trying to make a internal qmail server route through a gateway
 running sendmail.  I've added :[192.168.1.1] to
 /var/qmail/control/smtproutes which is the inside ip address of the
 gateway running sendmail.
 
 When I send mail to the qmail server, I get the following error,
 
 deferral: Connected_to_192.168.1.1_but_connection_died._(#4.4.2)/

What happens when you connect from the qmail box to the gateway
using telnet to port 25?  Do you get a greeting from the SMTP host?  Can you
manually enter an SMTP transaction?

-- 
gowen -- Greg Owen -- [EMAIL PROTECTED]
 
 



RE: CHANGING INETD

2000-08-21 Thread Greg Owen

 Anyway, while on this thread it has occurred to me to ask 
 why put qmail in either inetd or tcpserver?  Why not run
 it as a daemon?  

1) If it ran as its own daemon, it would require root privileges to
bind to port 25.  When it is spawned by tcpserver, the amount of code
requiring root privileges is smaller, and therefore less of a security risk.

This is a security feature.

2) One could argue that daemons require much more care for cleaning
up memory use and buffer use, so that a) information isn't leaked between
two users and b) memory leaks don't impact the system.  Note that the Apache
daemons are discarded over time to avoid these dangers.  By spawning one
process per message, this is not an issue.

(One might argue that djb's code is small and tight enough to trust.
One might also argue that good design is still good design even if you trust
the coder).

-- 
gowen -- Greg Owen -- [EMAIL PROTECTED] 



RE: Error: Deferred: Connection refused

2000-08-17 Thread Greg Owen

 I have a problem with qmail. A mail sent through the 
 qmail-smtp to a local user is delivered properly, but
 when I send the same mail through another smtp server
 I get this error message:
 
- The following addresses had permanent fatal errors -
 [EMAIL PROTECTED]
 
- Transcript of session follows -
 [EMAIL PROTECTED]... Deferred: Connection refused by mydomain.com.

First, let me repeat what I heard you say, to make sure we're on the
same page.  You have qmail running on 'mydomain.com' (whatever that resolves
to.)  When logged into 'mydomain.com', you can send mail to another user
just fine.  When other machines try to deliver mail to 'mydomain.com',
however, they get the above error.

This implies that qmail-smtpd is not running and/or not listening
correctly on port 25.  The "Connection refused" message usually means
exactly that.

You can test this theory by typing 'telnet mydomain.com 25' and
seeing if the connection is accepted or rejected.

If the connection is truly rejected, then find out why.  Is
qmail-smtpd running (ps -auxwww | grep qmail-smtpd)?  If so, is it listening
to port 25 (look at the tcpserver command line, use 'lsof', or possibly
'netstat')?

-- 
    gowen -- Greg Owen -- [EMAIL PROTECTED] 



RE: auth/identd?

2000-08-17 Thread Greg Owen

 Is it wise to run auth/identd on an email gateway?

If you do run it, then you don't have to worry about delays or time
penalties when doing mail transactions with other servers that do ident
lookups.

If you don't run it, that is one less service you have to worry
about the security of (read, the possibility of buffer overflows).

As Peter said, forcibly rejecting connections rather than dropping
packets is preferred if you don't run it.  Different firewalls make this
easier or harder.

I personally consider it easier to run it than to spend time
worrying about the interactions with mail servers that prefer to use it.
But you may want to look for a "fake" identd that is stripped down for
security purposes; freshmeat lists a few different identd implementations.

-- 
    gowen -- Greg Owen -- [EMAIL PROTECTED] 



RE: Newbie help: qmail as a relay gateway

2000-08-04 Thread Greg Owen


Install qmail as described in INSTALL.

For each domain you want to receive mail for:

1) Put that domain name in /var/qmail/control/rcpthosts

2) Put domain.com:[w.x.y.z] in /var/qmail/control/smtproutes, where w.x.y.z
is the IP address of your internal exchange server.

3) Make sure that none of these domains are listed in
/var/qmail/control/locals, or the mail will not make it to Exchange.

4) If you will also send mail from the bastion host directly, modify
defaultdomain and defaulthost to your taste (man qmail-control will tell you
where to find more info on them).

These steps will set up inbound relay for your domains; the internet
sends mail to qmail, and qmail forwards it all to Exchange.

To allow Exchange to relay out through the machine,  follow the
selective relaying instructions at
http://www.palomine.net/qmail/selectiverelay.html.

-- 
gowen -- Greg Owen -- [EMAIL PROTECTED] 
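
A consistency check for the gateway control files described in steps 1 to 3 above (an added example, not part of the original post and not qmail code). The function names and sample file contents are hypothetical. The route lookup follows the smtproutes matching order: exact host, then each ".suffix" wildcard, then the empty default entry. A missing rcpthosts file is reported because qmail-smtpd then accepts mail for any domain.

```python
import os


def control_lines(text):
    """Entries of a control file: blank lines and '#' lines are skipped."""
    if text is None:
        return None
    return [ln.strip().lower() for ln in text.splitlines()
            if ln.strip() and not ln.startswith("#")]


def parse_smtproutes(text):
    """Map each 'domain:relay' line to its relay; '' is the default route."""
    routes = {}
    for ln in control_lines(text) or []:
        domain, sep, relay = ln.partition(":")
        if sep:
            routes[domain] = relay
    return routes


def route_for(domain, routes):
    """Exact match first, then '.suffix' wildcards, then the default route."""
    for i in range(len(domain) + 1):
        if i == 0 or i == len(domain) or domain[i] == ".":
            if domain[i:] in routes:
                return routes[domain[i:]]
    return None


def audit_gateway(rcpthosts, locals_, smtproutes):
    """Return findings for a relay-only gateway; each argument is file text or None."""
    accepted = control_lines(rcpthosts)
    if accepted is None:
        return ["rcpthosts missing: qmail-smtpd accepts mail for any domain (open relay)"]
    local = set(control_lines(locals_) or [])
    routes = parse_smtproutes(smtproutes)
    findings = []
    for domain in accepted:
        if domain in local:
            findings.append(domain + ": also in locals, so the gateway delivers it "
                            "locally instead of forwarding")
        if route_for(domain, routes) is None:
            findings.append(domain + ": no smtproutes entry, so delivery falls back "
                            "to a DNS MX lookup")
    return findings


def read_or_none(control_dir, name):
    path = os.path.join(control_dir, name)
    if not os.path.exists(path):
        return None
    with open(path) as fh:
        return fh.read()


def audit_control_dir(control_dir="/var/qmail/control"):
    return audit_gateway(*(read_or_none(control_dir, n)
                           for n in ("rcpthosts", "locals", "smtproutes")))


# Constructed sample: example.com is wrongly listed in locals and
# example.org has no route to the internal server.
SAMPLE_RCPTHOSTS = "example.com\nexample.org\n"
SAMPLE_LOCALS = "example.com\n"
SAMPLE_SMTPROUTES = "example.com:[192.168.1.2]\n"

if __name__ == "__main__":
    for finding in audit_gateway(SAMPLE_RCPTHOSTS, SAMPLE_LOCALS, SAMPLE_SMTPROUTES):
        print(finding)
```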



RE: trouble

2000-08-04 Thread Greg Owen

 Everything's fine but the smtp server takes a long time
 to initialize..like when I telnet to port 25 on my
 localhost...the 220 host.domain.com ESMTP appears but
 after a long time.
 
 Has anybody experienced such a problem and was able to
 solve this...

Your tcpserver invocation is probably trying to get IDENT info,
which is the default.  This times out after 26 seconds or so.  Put '-R' into
your tcpserver command line and the lag goes away, or open up port 113 on
the firewall to allow IDENT traffic to freely flow.

From http://cr.yp.to/ucspi-tcp/tcpserver.html:

-r: (Default.) Attempt to obtain $TCPREMOTEINFO from the remote host. 
-R: Do not attempt to obtain $TCPREMOTEINFO from the remote host. To avoid
loops, you must use this option for servers on TCP ports 53 and 113. 

-- 
gowen -- Greg Owen -- [EMAIL PROTECTED] 




RE: qmail - cyrus

2000-08-03 Thread Greg Owen


 does anyone know or has working the connection
 from qmail to IMAP-daemon Cyrus?
 
 I am experimenting with these two, but qmail
 does not deliver mail to cyrus.
 
 I want to use qmail as MTA and cyrus as IMAP-daemon
 for all users.

Are you using the deliver program that comes with Cyrus?  (You have
to).

Have you wrapped it or modified its permissions? (You need to).

Read the following archive messages, give it a try, and if you're
still having problems come back with some details about what you're trying,
where it is failing, and what log messages result.

http://www.ornl.gov/its/archives/mailing-lists/qmail/2000/03/msg01173.html
http://www.ornl.gov/its/archives/mailing-lists/qmail/2000/02/msg00561.html

-- 
gowen -- Greg Owen -- [EMAIL PROTECTED] 



RE: Problems with qmail startup on OpenBSD 2.7/Intel

2000-08-03 Thread Greg Owen

 When (as root), I try to start qmail with 
 
   /var/qmail/etc/qmail.rc start
 
 this is the output I see:
 
   Starting qmail: svscan.
   # supervise: fatal: unable to start log/run: exec format error
   supervise: fatal: unable to start log/run: exec format error

Very likely, one or more of your log/run executable files
(/var/qmail/supervise/qmail-send/log/run, for example) is in DOS format.
You can check this by typing 'file filename' or 'vi filename' and see if it
says it is DOS text (and type ':q!' to get out of vi afterwards).  Convert
them to DOS (see http://kb.indiana.edu/data/acux.html for some ways to
convert) and you should be fine.


-- 
gowen -- Greg Owen -- [EMAIL PROTECTED] 
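
A check for the two causes named in these posts, DOS CR/LF line endings and a "#!" that is not in the first two bytes of the file, run over every run script under a supervise tree (an added example, not part of the original posts). The sample tree is constructed and the function names are hypothetical. It goes slightly beyond the posts by also reporting a UTF-8 byte order mark, which displaces the "#!" in the same way as a leading space.

```python
import os
import tempfile

UTF8_BOM = b"\xef\xbb\xbf"

# Constructed sample tree; the layout follows the supervise paths named above.
SAMPLES = {
    "qmail-send/run": b"#!/bin/sh\nexec /var/qmail/rc\n",
    "qmail-send/log/run": b" #!/bin/sh\nexec multilog t /var/log/qmail\n",
    "qmail-smtpd/run": b"#!/bin/sh\r\nexec tcpserver 0 smtp /var/qmail/bin/qmail-smtpd\r\n",
}


def check_run_script(data):
    """Return reasons the kernel may refuse to exec a script starting with these bytes."""
    problems = []
    if not data.startswith(b"#!"):
        if data.startswith(UTF8_BOM):
            problems.append("UTF-8 byte order mark before '#!'")
        elif data.lstrip().startswith(b"#!"):
            problems.append("whitespace before '#!' (the magic must be the first two bytes)")
        else:
            problems.append("no '#!' interpreter line")
    first_line, _, rest = data.partition(b"\n")
    if first_line.endswith(b"\r"):
        # The interpreter path the kernel reads then ends in a carriage return.
        problems.append("CR at end of interpreter line (DOS line endings)")
    elif b"\r\n" in rest:
        problems.append("CR/LF line endings after the first line")
    return problems


def scan_service_tree(root):
    """Check every file named 'run' below root; return {relative path: problems}."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        if "run" in files:
            path = os.path.join(dirpath, "run")
            with open(path, "rb") as fh:
                problems = check_run_script(fh.read(4096))
            if problems:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = problems
    return findings


def demo():
    """Write the constructed samples to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, data in SAMPLES.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return scan_service_tree(root)


if __name__ == "__main__":
    for path, problems in sorted(demo().items()):
        print(path, "->", "; ".join(problems))
```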




RE: incorrect date..

2000-07-28 Thread Greg Owen

 I'm getting the wrong date in my headers
 
 Received: (qmail 18083 invoked from network); 27 Jul 2000 
 23:57:48 -
 
 my time zone should be +1000, 

qmail intentionally uses GMT (-) for Received headers, but will
correctly use your time zone for the Date: header, which is what end users
see.

The rationale behind this is that the Received headers are used to
debug mail paths, and mail paths often involve machines from different time
zones.  If everybody used GMT for Received headers, debugging mail paths
would be much easier.  When I worked for a Xerox subsidiary, mail
originating in GMT would go to a bastion host in PST that would forward mail
back to my EST location, and trying to figure out why mail was slow
sometimes was a pain in the neck.  (plus two, minus three- or is that minus
two, plus three?)

There is a patch on the qmail.org site to modify this behavior, but
think twice about why you're doing it, and what you use Received: headers
for.

-- 
gowen -- Greg Owen -- [EMAIL PROTECTED] 



RE: mail server location question

2000-07-27 Thread Greg Owen

 OK, I think I have my firewall masquerading the firewall 
 external IP port 25 to the qmail box internal IP port 25
 
 I'm getting connection rejects, when I try to telnet to
 port 25 on the firewall. This should redirect me to port
 25 on the qmail box, right?

If your firewall is set up right, it should.  Does your qmail box
accept connections on port 25 at all?  While logged into your qmail box,
type 'telnet localhost 25'.  If you get connection refused, then you aren't
running qmail-smtpd properly.  If your connection is accepted and you get
the SMTP banner, then test the firewall's port 25 again.  If the first
succeeds and the second fails, then the firewall is probably not configured
correctly.

 I'm not sure that it's the qmail box that's causing the 
 problem, but is there anything I need to do to allow smtp
 connections from the internet?

Not on the connection level.  Once you get port 25 responding to the
outside world, you may need to tweak your configuration as far as rcpthosts
and relaying goes, but first let's get plain old connectivity going.

-- 
gowen -- Greg Owen -- [EMAIL PROTECTED] 



RE: How to set qmail to forward all email to mail hub

2000-07-25 Thread Greg Owen


 What is the best way to set up qmail to handle mails from web 
 forms and CGIs and send it to a mail hub for processing i.e a 
 qmail install that does not do any mail processing even for 
 locals but send all mail to another qmail server. 

Put ":mailhub.domain.com" into /var/qmail/control/smtproutes.

Alternately, you can use qmqp, but that's non-portable.

 I would want all mail sent to mail hub masqueraded to remove host name
 i.e [EMAIL PROTECTED]   to look  [EMAIL PROTECTED]

Put "domain.com" into /var/qmail/control/defaultdomain and
/var/qmail/control/defaulthost.

-- 
    gowen -- Greg Owen -- [EMAIL PROTECTED] 



RE: mail server location question

2000-07-25 Thread Greg Owen

 I want to rely on the dns MX records on the firewall to route 
 mail to the qmail server, which is on an internal LAN, with a non 
 Internet routable 192.168.1 address.
 
 Will this work?, or, do I need to have the qmail server 
 addressable from the internet directly?

In order for this to work, your MX records will have to point to the
publicly routable address of the firewall, and the firewall will have to
redirect incoming port 25 to port 25 of the internal qmail mail server
address.

In other words, if your firewall has an external address of 1.2.3.4,
an internal address of 192.168.1.1, and your qmail server has 192.168.1.2,
then your firewall must forward inbound traffic to 1.2.3.4:25 to
192.168.1.2:25.  Your MX records will point to 1.2.3.4.

But, yes, it works without any problems that I've ever seen.

-- 
gowen -- Greg Owen -- [EMAIL PROTECTED] 



RE: orbs.org accuses qmail of mailbomb relaying!

2000-07-24 Thread Greg Owen

 Greg Owen writes:
  Yup.  If you have one qmail box forwarding to a second qmail box
   which is the mail store, you get this amplification.
 
 No, you don't get any amplification.  You only get amplification if
 you can get someone else's machine to expend resources that you
 didn't.

Yes, there is amplification.  It does work, I have tested it, what
follows is a description of how it works.


Given a qmail box which relays mail to one other box (qmail,
exchange, sendmail, whatever), a malicious user can generate N messages of
size X (N * X) with the use of (N * sizeof(rcpt to)) + X.  Note that
sizeof(rcpt to) is minuscule compared to the possible values for X.

Let's say you own qmail box mx10.example.com, and mx10.example.com
relays to mx5.example.com as the final mail store.  It has no knowledge of
users; it just forwards as defined by MX records or smtproutes.  Let's also
say I am at dialup06.msn.com, and that I'm pissed at heaven.af.mil.

If I (at dialup06.msn.com) connect to mx10.example.com, I can use a
MAIL FROM that points to [EMAIL PROTECTED]:

MAIL FROM: [EMAIL PROTECTED]

I can then enter 100 RCPT TOs, all pointing to invalid users for the
valid domain example.com, which MX10 accepts mail for:

RCPT TO: [EMAIL PROTECTED]
RCPT TO: [EMAIL PROTECTED]
...
RCPT TO: [EMAIL PROTECTED]

This costs me 100 * 28 bytes, or under 3k.

Now I send a 1 megabyte DATA segment.

The total cost to me, on my dialup line, is 1 meg + 3k.

mx10.example.com then sends that message to mx5.example.com, but
instead of aggregating the RCPT TOs, it sends it 100 times, with one RCPT TO
per message.  Presumably mx10 and mx5 are connected by LAN not WAN, so this
is not a problem for the example.com network.

But upon reaching mx5.example.com, each one of these messages
bounces because u001 through u100 do not exist at example.com.  Example.com
then sends 100 bounce messages, EACH CONTAINING A 1 MEG ATTACHMENT, to
[EMAIL PROTECTED]  This imposes a 100 megabyte traffic hit on the
relatively lower bandwidth WAN lines of example.com and heaven.af.mil.
Therefore, I have amplified my force from 1meg + 3k to over 100 meg.  Note
that this scales at the cost of 28 bytes per 1 meg of amplified force, and
that the amount of force amplified (the 1 meg) is also able to scale up (a 5
meg file, for example, is tedious but possible from a dialup line).

If both example.com and heaven.af.mil have a T1 line, then this
attack DOSes both of them equally (at little cost to lil ole me @ msn.com).
If example.com has a T3 compared to heaven.af.mil's T1, or if I can find
more than one bounce-relay victim (example1.com, example2.com, etc.) then I
can hit heaven.af.mil hard enough to saturate its T1 link.  (Forget
downloading the MAPS list; go to qmail.org and then probe the list of "large
internet sites using qmail" to see which ones have more than one mail hop.
How do you probe?  Send an email to a made up address and study the
Received: headers of the bounce.)


The point that the original ORBS quote apparently tried to make is
that other MTAs (like sendmail), which would forward the message once with
the 100 RCPT TO lines and bounce it once with 100 "User [EMAIL PROTECTED]
not known", only add the slight overhead of the bounce text, and are
therefore not effective in this type of attack.  I don't play with sendmail
any more, and can neither confirm nor deny this understanding.

-- 
    gowen -- Greg Owen -- [EMAIL PROTECTED]
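
For an operator of the relay host in this scenario, a log check that flags messages combining a large body with a wide recipient fan-out, using the N * X worst case from the message above (an added example, not part of the original thread). It assumes qmail-send's "new msg", "info msg", "starting delivery" and "end msg" log lines; the thresholds, host names and sample lines are constructed for illustration.

```python
import re

NEW = re.compile(r"\bnew msg (\d+)")
INFO = re.compile(r"\binfo msg (\d+): bytes (\d+) from <([^>]*)>")
START = re.compile(r"\bstarting delivery \d+: msg (\d+) to (?:remote|local) (\S+)")
END = re.compile(r"\bend msg (\d+)")


def fanout_report(lines, min_rcpts=20, min_bounce_bytes=10 * 2**20):
    """Flag messages whose size times recipient count reaches the thresholds."""
    live, done = {}, []
    for line in lines:
        m = NEW.search(line)
        if m:
            key = m.group(1)
            if key in live:              # queue number reused without an 'end msg'
                done.append(live.pop(key))
            live[key] = {"msg": int(key), "bytes": 0, "sender": None, "rcpts": set()}
            continue
        m = INFO.search(line)
        if m and m.group(1) in live:
            live[m.group(1)].update(bytes=int(m.group(2)), sender=m.group(3))
            continue
        m = START.search(line)
        if m and m.group(1) in live:
            # A set, so retries of a deferred delivery are counted once.
            live[m.group(1)]["rcpts"].add(m.group(2).lower())
            continue
        m = END.search(line)
        if m and m.group(1) in live:
            done.append(live.pop(m.group(1)))
    done.extend(live.values())

    report = []
    for rec in done:
        if rec["sender"] == "":
            continue                     # a bounce: its own bounce goes to the postmaster
        worst = rec["bytes"] * len(rec["rcpts"])   # N * X if every recipient bounces
        if len(rec["rcpts"]) >= min_rcpts and worst >= min_bounce_bytes:
            report.append({"msg": rec["msg"], "sender": rec["sender"],
                           "bytes": rec["bytes"], "recipients": len(rec["rcpts"]),
                           "worst_case_bounce_bytes": worst})
    return report


def constructed_log():
    """Constructed relay log: one 1 MB message to 100 recipients, one ordinary message."""
    ts = "Nov  8 04:32:31 mx10 qmail: 973675951.000000 "
    lines = [ts + "new msg 100",
             ts + "info msg 100: bytes 1048576 from <someone@victim.example> qp 4011 uid 71"]
    for n in range(1, 101):
        lines.append(ts + "starting delivery %d: msg 100 to remote u%03d@example.com" % (n, n))
    lines += [ts + "end msg 100",
              ts + "new msg 100",        # the same queue number, reused later
              ts + "info msg 100: bytes 2940 from <alice@example.net> qp 4090 uid 71",
              ts + "starting delivery 101: msg 100 to remote bob@example.com",
              ts + "end msg 100"]
    return lines


if __name__ == "__main__":
    for row in fanout_report(constructed_log()):
        print(row)
```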




RE: orbs.org accuses qmail of mailbomb relaying!

2000-07-24 Thread Greg Owen

 In the main, though, you've laid out yet another argument
 against secondary MX.

If so, it's the first anti-secondary-MX argument I've seen that
didn't boil down to "incompetent machine administration causes problems,"
which is true with or without multiple MX - it's just easier for mistakes to
happen with more machines involved.

But even if you got rid of secondary MXs, there's another scenario
this attacks, one which most basic firewall design courses and books
recommend: using a mail relay as a bastion host in the DMZ to disallow
direct access from the Internet to the mail store.

For example, people running Exchange or Notes (and many do, for
various good or bad reasons) may not want that box directly on the Internet,
open to SYN flooding, DOS attacks, and buffer overflow attempts.  qmail
makes the perfect intermediate relay - high performance, high security, high
reliability.  If the bastion host is attacked, internal mail isn't directly
affected, which is a good thing.

Let me try this argument instead: Between two networkographically
close mail hosts owned by a single entity (Secondary and primary MX, or
bastion relay and mail store), the high bandwidth and low latency of the LAN
connection means that the SMTP latency issue is diminished.  Between such
hosts, then, using multiple RCPTs with a single DATA may be faster than
qmail's default behavior, which is tuned for the high-latency Internet
environment.  Therefore, having the ability to modify qmail's behavior on a
host-by-host basis (much as smtproutes affects mail routing) might be
useful.  It would also close this DOS capability.

-- 
    gowen -- Greg Owen -- [EMAIL PROTECTED]



RE: orbs.org accuses qmail of mailbomb relaying!

2000-07-21 Thread Greg Owen

 sounds like you used the patch that controls relaying by the 
 from address??

No, ORBS is talking about a different thing.

If I want to mailbomb foo.com, and bar.com is running qmail, then I
can connect to bar.com's mail and say:

mail from: [EMAIL PROTECTED]   (not me, my victim)
rcpt to: [EMAIL PROTECTED]  (presumed not to exist, will bounce)
rcpt to: [EMAIL PROTECTED]  (same)
...   (and so on)
rcpt to: [EMAIL PROTECTED]  (same)
data
Subject: ha ha ha

Enjoy this DOS
.
quit

And qmail will send 26 individual bounce messages, one for each
nonexistent recipient at bar.com, back to our victim at foo.com.

I think ORBS is worrying too much, but that's just me.

-- 
gowen -- Greg Owen -- [EMAIL PROTECTED]




RE: orbs.org accuses qmail of mailbomb relaying!

2000-07-21 Thread Greg Owen


   And qmail will send 26 individual bounce messages, one for each
  nonexistent recipient at bar.com, back to our victim at foo.com.
 
 Where did you get this nonsense from? Please go ahead and test; 
 qmail will return only ONE bounce message specifying all 26 
 addresses. (I have tried, just now. Why haven't you?)

I did test, and it IS true with qmail forwarding in to an internal
mail store from the DMZ.  I did not test where the qmail box is the final
delivery box, relay or no, because I'm not set up for that here.  If it'll
make you happy, though...

clickety click

Yup.  If you have one qmail box forwarding to a second qmail box
which is the mail store, you get this amplification.

 The only way for this attack to work is to talk to qmail on a 
 secondary MX (and have primary MX generate 26 distinct 
 bounces), but then the effect of the mailbomb is probably 
 diminished by the (allegedly) poor line between secondary and 
 primary (why would you care about secondary, otherwise?).

Lots of other reasons.

1) Many sites will have a relay machine in the DMZ which talks with
Internet hosts, and an internal mail store that only talks to the relay
machine.  It's a pretty standard firewall layout.  It improves security and
performance.

2) Some sites will have 1+n mail relays in the DMZ, so that a hard
drive failure won't knock mail out, and so that maintenance and upgrades are
non-disruptive.

3) Some sites have multiple high-bandwidth lines, and will have mail
relays at various sites.  Think co-lo.  If you're paying through the nose to
have your web servers at a hardened high-availability installation, why
wouldn't you throw a secondary or tertiary MX out there for redundancy?  In
such a case, the bandwidth on your secondary is BETTER than on your primary.

This attack doesn't work if you have a single mail server which is
your mail store and your primary internet SMTP conduit.  I'd run something
like that at home, but not at work.  Of course, I'm a little funny when it
comes to redundancy; I prefer having it over not having it.
 
   I think ORBS is worrying too much, but that's just me.
 
 Yeah, sure. I mean, there is lot of other DoSes possible. Why 
 would you care about too-many-emails? Is your computer really 
 secured against any DoS possible (including DDoS), except 
 mailbombing?

The big thing with this DOS is the multiplication.  If you enter 100
bogus recipients at a total traffic of 1k, and enter one data component
equaling 1 meg, then at the cost of 1meg+1k you have created an attack
equaling 100 meg of data.  DOS attacks in general usually focus more on
"many tiny packets," because they're harder to block.  This attack creates
fewer, but larger, packets, and from fewer sources - which makes it easier to
block, which makes it less useful as a DOS, which is why I think ORBS is
worrying too much.

-- 
    gowen -- Greg Owen -- [EMAIL PROTECTED]



RE: orbs.org accuses qmail of mailbomb relaying!

2000-07-21 Thread Greg Owen

 oh, I get it..  I agree that they're probably worrying too 
 much, but how should qmail prevent this?  does sendmail
 handle it differently?

If N recipients at a site are getting the same exact message, you
enter multiple RCPT TO lines and one DATA entry.  If N recipients at a site
are getting N different messages, you use RSET to reuse the existing SMTP
connection (something I've never fully trusted the PC-mail-store vendors to
get right, quite frankly).  Sendmail defaults to doing the former, but not
the latter, if I recall (and I don't, 'cause I haven't screwed with sendmail
for years, so don't get on my case if I'm wrong.)

Qmail gets better performance by opening multiple connections in
parallel.  ORBS thinks that this is too greedy of an algorithm.  Presumably
they'd rather save the bandwidth for more useful business traffic like
Napster or Quake.  I find it hard to see how someone working at an
organization dedicated to protecting the mail infrastructure can say
something like "treating smtp as low priority data."

-- 
    gowen -- Greg Owen -- [EMAIL PROTECTED]



RE: routing a qmail setup

2000-07-19 Thread Greg Owen

   - I've got 2 qmail servers, one co-located and one 
 internal to my company, with dial-up connection.
   - Both think they are *.scim.net MX
   - Upon dial-up connection, the internal server uses fetchmail to
 download mail for local users and I send an ALRM signal to 
 qmail-send. 
... 
   what I want it to do is:
   - route all the 'remote' mail to the online server.
   - the remote server should RELAY those mail, but ... 
 only from me (don't really want to be an open relay). But
 hey! I'm on a dial-up acc - dynamic ip ... 
 
   I really think it *should* be possible to 'route' all my traffic
 through the co-located server, but can I keep it from being an open
 relay? 

On internal.scim.net, your smtproutes should contain the following:

:external.scim.net

That way, all domains not local will be forwarded to
external.scim.net for relay.  external.scim.net must allow selective
relaying; if you're using tcpserver, then add the IP address of
internal.scim.net followed by ':allow,RELAYCLIENT=""' into /etc/tcp.smtp and
type 'tcprules /etc/tcp.smtp.cdb /tmp/tcp.tmp < /etc/tcp.smtp'  (This is
paraphrasing Michael Samuel's detailed "How to selective relay" instructions
at http://qmail-docs.surfdirect.com.au/docs/qmail-antirelay.html, which
seems to be not responding right now.)


-- 
    gowen -- Greg Owen -- [EMAIL PROTECTED]



RE: routing a qmail setup

2000-07-19 Thread Greg Owen

   but I have a dynamic IP address! [because of the 
 dial-up connection].

Oops, missed that part.

I'm making wild guesses now, but you could script something to use
the POP-before-SMTP patch, or you could just write a password protected web
script on the external server that updates the tcp.smtp rules automatically,
and which is automatically run when your dialup comes up.

-- 
gowen -- Greg Owen -- [EMAIL PROTECTED]




RE: secondary mail server

2000-07-19 Thread Greg Owen

 a quick question. what parameter controls the relay duration ( you
 mentioned "a week" ), and how can we change it. thank you

/var/qmail/control/queuelifetime

man qmail-control

I'm shamelessly cribbing from Petr's post that came all of 4 hours
ago.

-- 
    gowen -- Greg Owen -- [EMAIL PROTECTED]




RE: Diff between Supervise Tcpserver?

2000-06-28 Thread Greg Owen


 Hi guys. This is probably a simple question but I can't
 find an obvious answer anywhere. As far as I can tell,
 there are three ways to run Qmail: Inetd (yuck), tcpserver
 (regular), and supervisor (??).

Inetd and tcpserver are programs designed to accept traffic on a
port and start a given program in response to that traffic.

supervise is designed to start a program, restart it if it fails
unexpectedly, and provide an easy way to pass signals to the program.

So, you would use supervise to start tcpserver which starts
qmail-smtpd, and if tcpserver died supervise would restart it for you.

Given the reliability of qmail and related tools, I've always
wondered why supervise came about ;.  You can use it or not, as you prefer.

--
  gowen -- Greg Owen -- [EMAIL PROTECTED]



RE: Diff between Supervise Tcpserver?

2000-06-28 Thread Greg Owen

 One other thing now. I want to use multilog to log on 
 machines not running supervise, because we just want
 simple set up and I want to be able to parse the log
 files through either qmailanalog or qmail-mrtg (any 
 recommendations here?). Is this easy to do?

Sure, just replace 'splogger' in your qmail-start invocation
(/var/qmail/rc in the INSTALL directions) with the appropriate 'multilog'
line.  qmailanalog won't correctly handle the new timestamps that the newest
multilog uses, but there are ways to work around that - I've attached two
relevant messages.

-- 
gowen -- Greg Owen -- [EMAIL PROTECTED]




Ken Jones writes:
  
  Does anyone have a patch to qmailanalog to read
  the new multilog time format?

There's two (2) patches to create a program which accepts multilog
time format (tai64n) and rewrites it into fractional seconds (taifrac)
format.  They're listed on www.qmail.org.

-- 
-russ nelson [EMAIL PROTECTED]  http://russnelson.com
Crynwr sells support for free software  | PGPok | "Ask not what your country
521 Pleasant Valley Rd. | +1 315 268 1925 voice | can force other people to
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   | do for you..."  -Perry M.




Not using the patches from www.qmail.org, but this works for me

Script to convert to a format qmailanalog likes

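#!/usr/bin/perl
# Convert multilog tai64n timestamps ("@" + 24 hex digits) to the
# fractional-seconds form that qmailanalog expects.

while (<>) {
  # Skip "@" and the leading hex digit, then capture 15 hex digits of
  # seconds and 8 hex digits of nanoseconds.
  if (my($s,$t,$rest)=/^\@.(\w{15})(\w{8})(.*)/) {
    $s = hex($s);
    # Zero-pad the nanoseconds to 9 digits so the fraction is correct,
    # then drop the trailing 500.
    $t = sprintf("%09d", hex($t)); $t =~ s/500$//;
    $_ = "$s.$t$rest\n";
  }
} continue {
  print;
}
exit 0;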

Script to process the logs and mail to me

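#!/bin/sh
PATH=/usr/local/qmailanalog/bin:/var/qmail/bin:/bin:/usr/bin
# Note: $$-based names in /tmp are predictable; umask 077 keeps the
# files private, and mktemp(1) would also avoid name guessing.
QMAILLOG="/tmp/q.$$"
QMAILTMP="/tmp/r.$$"
umask 077
# Collect the rotated logs, then append the current one.
cat /var/log/qmail/@* > $QMAILTMP
cat /var/log/qmail/current >> $QMAILTMP
# matchup writes still-pending deliveries to descriptor 5; discard them.
cat $QMAILTMP | tai64n2time | matchup > $QMAILLOG 5>/dev/null

DATE=`date +'%a %d %b'`
(echo "To: [EMAIL PROTECTED]"
echo "From: [EMAIL PROTECTED]"
echo "Subject: Qmail daily report $DATE"
echo ""
zoverall < $QMAILLOG) | qmail-inject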

rm -f $QMAILLOG
rm -f $QMAILTMP

-Original Message-
From: kbo [mailto:kbo]On Behalf Of Ken Jones
Sent: Wednesday, June 07, 2000 3:29 PM
To: [EMAIL PROTECTED]
Subject: qmailanalog and multilog


Does anyone have a patch to qmailanalog to read
the new multilog time format?

Ken Jones
inter7




RE: qmail loses my users

2000-06-28 Thread Greg Owen

 Periodically, and I haven't been able to narrow this down to any
 specific event, qmail overwrites my ~/users/assign file, and rebuilds
 the cdb.

Checked all your cron entries?

 I also find a huge mail log 'cause qmail tries to deliver a copy of
 every message to a non-existent [EMAIL PROTECTED]

http://web.infoave.net/~dsill/lwq.html#queue_extra will explain why it's
trying to log a copy.  If you find what alias it is using to log to ('log'
in the example, 'msglog' for you, perhaps) you can drop those messages by
creating /var/qmail/alias/.qmail-name (where name is 'log', 'msglog', or
whatever your system was compiled to use) and putting a single '#' in the
file.

In the long term, if you don't want logging, you may want to
recompile without QUEUE_EXTRA.  The extra deliveries show up in the logs
even if you drop the mail using '#' in the .qmail file.

-- 
gowen -- Greg Owen -- [EMAIL PROTECTED]





RE: Qmail performance issue...

2000-06-28 Thread Greg Owen

We are currently using qmail 1.03 on a Sun E450 running 
 Solaris 8. We are having a problem with mail taking a very
 long time to be delivered locally (sometimes in excess of
 6 or 8 hours).

Check your trigger:

http://web.infoave.net/~dsill/lwq.html#trigger

-- 
gowen -- Greg Owen -- [EMAIL PROTECTED]



RE: Mail queueing in relay host.

2000-06-26 Thread Greg Owen

   We have two computers with one acting as a relay
 host(abc.valid.net connected to the internet) and the other, 
 on the local network(xyz.local.net),  for storing mails. 
 abc.valid.net is just for forwarding mails to and from the
 local mail machine(xyz.local.net).  The problem I face is
 that if the internet link is down then the mails sent
 bounces back immediately and does not queue up in the abc.valid.net.
 
   I have setup the control/smtproutes file which has the following
 entry:
 
   :[ip address of the ISP MX]

What error message do the logs say on the bounces, and in the log
files?

One possible explanation is that the ISP mail server isn't willing
to relay mail for you, and is bouncing the messages as relay attempts.  

Unless there's a particular reason you want to relay through the
ISP, you might want to have abc.valid.net just send the mail out directly to
the intended recipients.

-- 
gowen -- Greg Owen -- [EMAIL PROTECTED]




RE: relaying questions.

2000-06-26 Thread Greg Owen

 Now, my problem is related to relaying .  I have read "The
 qmail newbie's quide to relaying" which comes with life with
 qmail as a URL.  It states that "qmail's rcpthosts file, which
 gets its name from the RCPT TO command, determines whether the
 recipient will be accepted; it will be accepted if and only if
 the domain of the address given in the RCPT TO command is
 listed in rcpthosts." 

This only affects SMTP relaying.  When you inject mail into the
queue via a local process, that does not involve SMTP relaying.  So if your
web programs call /usr/lib/sendmail (the qmail version) or
/var/qmail/bin/qmail-inject, then there are no relaying controls; that is a
local user sending mail, and that local user is allowed to send out to
anyone.

 I need to put their domain in my rcphosts file before sending
 them a password.  Is this correct ?? if yes, how to overcome
 this problem??  Any suggestion is helpful.!!! 

No, this is not correct.  For local users/programs sending mail, the
rcpthosts file doesn't come into play.

If your local user agent is injecting the mail using SMTP, or if you
have a series of web servers using a single mail hub for sending mail, then
you need to add them to the list of hosts allowed to relay.  This is covered
in section 3.2.3 of Life With Qmail.


--
  gowen -- Greg Owen -- [EMAIL PROTECTED]



RE: Sender rejected

2000-06-23 Thread Greg Owen

 In /var/qmail/control/defaultdomain I have powerup.com.au;  
...
 How do I stop qmail from adding the user to the machine name 
 and confusing some (not all) ISPs?

Put powerup.com.au in /var/qmail/control/defaulthost as well as
defaultdomain.

-- 
gowen -- Greg Owen -- [EMAIL PROTECTED]




RE: server load problem

2000-06-07 Thread Greg Owen

 I found out from top that mysqld is taking most of the
 cpu utilization. Now how to customize it? 

That's a better question for a MySQL list.  The problem can fall
into one of three categories:

1) MySQL itself has a bug which is being exercised and which needs fixing
2) Your company's code is inefficiently using MySQL and should be optimized
3) MySQL is fine, your code is fine, you just need more server for 24000
users

You'll need to find a MySQL resource that can help you with those
questions.  This list isn't it.

 Server is hanging up and it won't respond to ctrl-alt-del 

I would definitely raise that on a MySQL list.  I have never seen a
server with MySQL hit that failure mode, but my MySQL server experience was
with much smaller installations.  There are probably MySQL diagnostics and
logs which can help you figure out why things are getting that bad.

--
  gowen -- Greg Owen -- [EMAIL PROTECTED]



RE: Forwarding a Mail to other Mailserver

2000-06-02 Thread Greg Owen

 I want qmail to send and receive mail. The mail which
 qmail would receive should get forwarded to my existing 
 domino server. How do I do this without setting up all
 the users or groups which I set on Domino server.

Let's say that for domain foo.com you want your qmail relay
(qmail.foo.com) to forward all mail to your Domino server (domino.foo.com).

On qmail.foo.com, put 'foo.com' in rcpthosts and
'foo.com:domino.foo.com' in smtproutes.  Make sure that 'foo.com' is not in
locals or virtualdomains on qmail.foo.com.

This will mean that qmail.foo.com accepts mail for foo.com
(rcpthosts) and that all mail for foo.com is forwarded to domino.foo.com
(smtproutes).

Once you've set the qmail box up and tested it, modify your DNS so
that your MX records point to qmail.foo.com instead of domino.foo.com.

-- 
gowen -- Greg Owen -- [EMAIL PROTECTED]

 



RE: qmail-smtp problem

2000-05-30 Thread Greg Owen

 Have a strange problem with qmail-smtpd.. when i use pine
 to send a mail from my mailserver..it stands for a long
 time waiting before it sends the mail, same when i telnet
 to port 25 from the mailserver to the mailserver...it takes
 a while before the "220 hostname ESMTP" comes up..

 But if i send or telnet from another host it goes right away...

 Anyone have a pointer what might be wrong?

You are probably starting qmail-smtpd using tcpserver, and the
default "-r" option is causing it to attempt to connect to the ident server
on the host you are connecting from.  Unless you specify "-R" in your
tcpserver command line, it will do this, and then will wait for 26 seconds
if there is no ident server answering the call.  (You can read all about
this in the tcpserver man page).

You can fix this by turning off the TCPREMOTEINFO (ident) checks, or
by running ident on your mailserver.

--
  gowen -- Greg Owen -- [EMAIL PROTECTED]




RE: How to set up Qmail as a front-end (relaying) server?

2000-05-24 Thread Greg Owen

 It will accept all the smtp mail in the name of another
 server (which is behind a firewall). I think this is about
 /etc/tcp.smtp and control/smtproutes files. I've set them
 as following;
  
 /etc/tcp.smtp
 
 127.:allow,RELAYCLIENT=""

For those hosts which are allowed to use this machine as an outbound
relay, add them to this file.  Based on what you say below, it looks like
you have two internal mail servers, so you add these two lines:

10.21.200.200:allow,RELAYCLIENT=""
10.21.200.201:allow,RELAYCLIENT=""

There is documentation for this format at
http://cr.yp.to/ucspi-tcp/tcprules.html.  Once you've modified the file, run
tcprules like this:

tcprules /etc/tcp.smtp.cdb /tmp/tcp.smtp.tmp < /etc/tcp.smtp

And then just make sure your tcpserver invocation of qmail-smtpd has
'-x /etc/tcp.smtp.cdb' in it.

You say tcpwrappers above, and I'm giving instructions for tcpserver
which is part of ucspi.  If you meant tcpserver/ucspi, then this is okay; if
not, you'll need to find the right way to do the equivalent with
tcpwrappers.  All you're doing is setting the RELAYCLIENT environment
variable for the invocation of each qmail-smtpd process.  And if you're
using tcpwrappers, you don't care about tcp.smtp but rather hosts.allow.

 control/smtproutes
 
 mycompany.com:10.21.200.200
 my2ndcomp.com:10.21.200.201
 

You'll probably want to quote those domain literals, like such:

mycompany.com:[10.21.200.200]

I'm not completely sure that's necessary, but I think it is.

--
  gowen -- Greg Owen -- [EMAIL PROTECTED]
 



RE: How to set up Qmail as a front-end (relaying) server?

2000-05-24 Thread Greg Owen


 Actually, here Qmail is supposed to be an inbound relay. The 
 servers behind the firewall sends out smtps directly. So in
 this case too, will the tcp.smtp be like below you said?

No - if you're only relaying inbound, then you don't need to modify
tcp.smtp at all.  That file only affects mail to domains not listed in
rcpthosts (and we presume you have mydomain.com and my2ndcomp.com in
rcpthosts and smtproutes).
 
 I thought the same way before too, but I've this notation in another
 server's file. And afterall, according to log files, it does 
 connect to that server without specifying []s.

In that case you should be all set.  Are you experiencing problems
with this working, or were you just getting a sanity check on your
configuration?

If you are experiencing problems, what problems do you have?  Is
there any log activity associated with the attempts?  And if you're
experiencing problems, please let us know the real domain names involved and
the hostname for the relay so we can check your DNS setup.

-- 
gowen -- Greg Owen -- [EMAIL PROTECTED]



RE: How to set up Qmail as a front-end (relaying) server?

2000-05-24 Thread Greg Owen

 Yeah, when I try to send an email to a user (which has a 
 mailbox on the internal server but does not have one on
 the Qmail) qmail refuses to pass that mail to my internal
 server. 

You know, if we knew what error messages or log messages accompany
this "refusal," we'd probably be able to help you.  But until then, we're
all shooting in the dark.

 It's going to be a real hard work for me to do if Qmail
 requires me to open a mailbox for every user on the internal
 server even though the mere thing it will do is to forward 
 the messages.

It doesn't require that.  Your configuration is broken.  But you've
provided absolutely minimal information about your config, and absolutely
nothing from your logs, so we can't help you yet.

-- 
    gowen -- Greg Owen -- [EMAIL PROTECTED]




RE: How to set up Qmail as a front-end (relaying) server?

2000-05-24 Thread Greg Owen

 Ok, here's my setup;
...
 control/smtproutes
 control/rcpthosts
 control/me

What's in control/locals?

 info msg 128846: bytes 196 from [EMAIL PROTECTED] qp 2949 uid 503
 starting delivery 842: msg 128846 to local [EMAIL PROTECTED]
 status: local 1/10 remote 0/20
 delivery 842: failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/

This message indicates that the mail relay thinks that it accepts
mail for ihlas.com.tr (presumably that's either mycompany.com or
my2ndcomp.com) locally, and it doesn't even look at smtproutes.

-- 
gowen -- Greg Owen -- [EMAIL PROTECTED]




RE: How to set up Qmail as a front-end (relaying) server?

2000-05-24 Thread Greg Owen

   This message indicates that the mail relay thinks that 
 it accepts mail for ihlas.com.tr (presumably that's either
 mycompany.com or my2ndcomp.com) locally, and it doesn't even
 look at smtproutes.

Sorry, brain outsped fingers; I meant:

This message indicates that the mail relay thinks that it accepts
mail for mycompany.com locally, and it doesn't even look at smtproutes.

-- 
gowen -- Greg Owen -- [EMAIL PROTECTED]





RE: How to set up Qmail as a front-end (relaying) server?

2000-05-24 Thread Greg Owen

   Ok, here's my setup;
  ...
   control/smtproutes
   control/rcpthosts
   control/me
  
  What's in control/locals?
 controls/locals
 
 mx1.mycompany.com
 mycompany.com
 mx1.mycompany.com
 

There's your problem.  Remove mycompany.com from locals, because it
isn't local.

-- 
gowen -- Greg Owen -- [EMAIL PROTECTED]
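
The locals/smtproutes conflict diagnosed in this thread can be checked mechanically before a relay goes live. The Python below is an added example, not part of the original posts or of qmail; the function names and finding codes are made up here, and the rcpthosts contents are constructed because the thread does not show them.

```python
"""Added example: consistency check for qmail control files on a relay host."""


def control_lines(text):
    """Entries of a control file: one per line, blanks and '#' lines skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip().lower()
        if line and not line.startswith("#"):
            entries.append(line)
    return entries


def accepted_by_rcpthosts(domain, rcpthosts):
    """True if rcpthosts lists the domain, or a '.suffix' wildcard covering it."""
    if domain in rcpthosts:
        return True
    labels = domain.split(".")
    return any("." + ".".join(labels[i:]) in rcpthosts
               for i in range(1, len(labels)))


def check_relay_config(locals_txt, rcpthosts_txt, smtproutes_txt,
                       virtualdomains_txt=""):
    """Return a list of (code, name, message) findings for a forwarding relay."""
    local = control_lines(locals_txt)
    rcpthosts = set(control_lines(rcpthosts_txt))
    # virtualdomains entries look like "domain:prepend"; keep the left side.
    virtual = {e.partition(":")[0] for e in control_lines(virtualdomains_txt)}
    findings = []

    for name in sorted({d for d in local if local.count(d) > 1}):
        findings.append(("duplicate-local", name,
                         "listed more than once in locals"))

    for entry in control_lines(smtproutes_txt):
        domain, sep, _relay = entry.partition(":")
        if not sep:
            findings.append(("malformed-route", entry, "expected domain:relay"))
            continue
        if domain == "":
            continue  # default route for all non-local mail, nothing to compare
        if domain in local or domain in virtual:
            # Local delivery wins, so the route is never consulted and mail
            # for users without a local mailbox fails with #5.1.1.
            findings.append(("shadowed", domain,
                             "in locals/virtualdomains, smtproutes is ignored"))
        if not accepted_by_rcpthosts(domain, rcpthosts):
            findings.append(("not-accepted", domain,
                             "routed but missing from rcpthosts"))
    return findings


# Constructed sample: locals and smtproutes as quoted in the thread,
# rcpthosts as the replies presume it to be.
SAMPLE_LOCALS = "mx1.mycompany.com\nmycompany.com\nmx1.mycompany.com\n"
SAMPLE_RCPTHOSTS = "mycompany.com\nmy2ndcomp.com\n"
SAMPLE_SMTPROUTES = ("mycompany.com:10.21.200.200\n"
                     "my2ndcomp.com:10.21.200.201\n")

if __name__ == "__main__":
    for code, name, message in check_relay_config(
            SAMPLE_LOCALS, SAMPLE_RCPTHOSTS, SAMPLE_SMTPROUTES):
        print("%-16s %-20s %s" % (code, name, message))
```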




RE: Strange delays

2000-05-23 Thread Greg Owen

 It seems that messages end up in the following state for 
 about 30 minutes time.
 
 FreeBSD-4.0-Release$ ./qmail/bin/qmail-qstat 
 messages in queue: 5
 messages in queue but not yet preprocessed: 5
 
 But if i pull the trigger with:
...
 The mail gets delivered right away.
 
 What have i missed? Is this a bug or feature?

Your trigger permissions have probably gotten munged.  Check and fix
them as described in Dave Sill's "Life With Qmail":

http://web.infoave.net/~dsill/lwq.html#trigger


-- 
    gowen -- Greg Owen -- [EMAIL PROTECTED]



RE: mail between 2 host in one domain

2000-05-18 Thread Greg Owen


 but if i send mail from head.paic.com to alpha.paic.com, 
 error occur with a message below:
 
 +
 May 18 10:51:00 localhost qmail: 958618260.602667 starting 
 delivery 24: msg 4820 1 to remote [EMAIL PROTECTED]
 May 18 10:51:00 localhost qmail: 958618260.602729 status: 
 local 0/10 remote 1/20
 May 18 10:51:00 localhost qmail: 958618260.609898 delivery 
 24: failure: Sorry._Although_I'm_listed_as_a_best-
 preference_MX_or_A_for_that_host,it_isn't_in_my_
 control/locals_file,_so_I_don't_treat_it_as_local._(#5.4.6)/
 

It looks like you're sending to [EMAIL PROTECTED], not
[EMAIL PROTECTED], but don't have alpha.paic.com in locals on alpha (if you did,
that would mean mail for [EMAIL PROTECTED] is delivered locally on the
machine alpha).

The right fix is to test by sending to [EMAIL PROTECTED]  If your MX
records are correctly configured and you have "paic.com" in rcpthosts on
alpha, then alpha will accept the mail and attempt to deliver it to the
best-preference MX for paic.com (presumably head.paic.com).

It's probably possible to redirect mail for alpha.paic.com to
paic.com (smtproutes; I don't know if it'll redirect to the domain or just
to head.paic.com) but probably not necessary.  In normal operation, you
shouldn't get people mailing to the actual host, assuming all your clients
are correctly configured to send mail as "@paic.com".

-- 
    gowen -- Greg Owen -- [EMAIL PROTECTED]




RE: Slow Mail Delivery

2000-05-18 Thread Greg Owen

 I recently was running low on disk space on the my var
 partition.  To solve the problem, I moved all of the
 contents over to another partition on the same drive
 that had more space on it (usr).  After moving everything
 over I made it so that var wouldn't mount on its own
 partition and then started up in single user mode and
 built a link to the subdirectory on the usr partition.
 /var --> /usr/rootvar.

 Why would this be slowing things down?
 
 I takes from 5 to 10 minutes to deliver a local email. 
 It never used to.

http://web.infoave.net/~dsill/lwq.html#trigger

--
  gowen -- Greg Owen -- [EMAIL PROTECTED]



RE: Share queue between servers and other questions.

2000-05-15 Thread Greg Owen

I'm on the list, no need to Cc me.

Michael Boman wrote:
 What I want is to be able to share the queue between n+2 
 servers on each location 

Qmail's design specifically precludes putting the queue on a network
filesystem, so you can't share it that way.  One alternative is to set up
something like N+1 host PCs connected to a SCSI disk array that allows
multiple hosts, and to somehow configure all but one of the hosts as a
failover.  Perhaps even a NAS technology like GFS
(http://www.globalfilesystem.org/) would work (but not definitely).
However, I've never heard of anyone doing so, so you'd be forging into new
ground.  Note that in particular, you'd have to have the 2nd to Nth servers
lying dormant until the 1st server is believed to be dead, because multiple
instances of qmail can't be processing one queue at the same time.

No mail system I know of supports this kind of setup by design, and
I'm not sure it is easily possible under any of them.  There's a reason for
that.  It isn't worth the trouble.  Most people who are concerned about
reliability and losing mail run N+1 independent servers, put the mail queue
on RAID, and if one machine dies try to manually recover the mail on their
second server.

Your problem seems to be that you don't have local resources that
can administer these machines if something goes wrong.  If that's your
problem, what you should do is buy a server with serious redundancy.  Compaq
(among others, I'm sure) makes servers with redundant power, disk, memory,
and CPU.  You're safe from pretty much anything except a fried motherboard.
You can go a lot further with seriously redundant server hardware than you
will with some homegrown shared server approach, especially where it looks
like load is not your reason for multiple servers.  Then just make sure you
get notified when a power supply dies so you can get a new one out while the
second is still working.

 as well as be able to split a single domain's mailstorage
 so each users doesn't need to download his/hers email from
 the other end of the world.

One way is to break down users into subdomains for delivery.  I.e.,
given the email domain "bigdomain.com," with a primary MX server physically
located in Singapore, and users in Singapore, Tokyo, and Hong Kong:

You would need to set up forwarding on a user-by-user basis.  User
joe lives in Singapore? Then [EMAIL PROTECTED] should be forwarded to
[EMAIL PROTECTED], and delivered locally there.  User jane lives
in Tokyo? [EMAIL PROTECTED]  User josh lives in Hong Kong?
[EMAIL PROTECTED]  As long as their mail clients correctly send
as "[EMAIL PROTECTED]," the illusion of a single domain is retained.  You
may or may not have to do some header rewriting on final delivery so that
they don't end up including [EMAIL PROTECTED] in their "Reply
to..." mail messages.

This is not a hard problem, it just doesn't have an elegant
solution.  If you need to do it that badly, then you can justify the added
busy work.

-- 
gowen -- Greg Owen -- [EMAIL PROTECTED]



RE: Share queue between servers and other questions.

2000-05-12 Thread Greg Owen

 I _need_

What is need, compared to the path?

 Share queue between 
...
 several servers (at least 4 servers) on 
 different sites can process the queue.

I'm heavily editing here, but are you REALLY saying you want a queue
shared between different sites which:

 spread all over the world, and the connection to the HQ is not
 always acceptable when it comes to speed and quality (not because HQ 
 is in a bad place, but that the branches don't have that high-speed
 and good lines to the 'net).

So your sites are:

1) separated by great distance, which rules out any SAN or NAS

2) Connected by questionable data links, which may suffer from low
performance or occasional downtime.

So, because of the distance, you'll need to use a networked
filesystem like NFS, AFS, etc.  But networked filesystems are designed for
LAN environments where performance is reasonable and link downtime is rare.
If you attempt to share your queue (or your mail store) like this, you are
guaranteeing that performance and reliability will suffer.

 Please help me with a solution to this problem else I'll end 
 up installing sendmail sometime next week.

You don't want a solution to your problem, you want an
implementation for your solution.  But your proposed solution is suboptimal
to say the least.

Why don't you state the problem instead?

-- 
gowen -- Greg Owen -- [EMAIL PROTECTED]
 



RE: What does this mean? unable to parse

2000-05-11 Thread Greg Owen

 tcprules: fatal: unable to parse this line: 127.:allow,RELAYCLIENT=""
 /usr/local/sbin/qmail cdb

Have you checked to see if this file is using DOS style CR/LF line
termination?


-- 
    gowen -- Greg Owen -- [EMAIL PROTECTED]
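
The CR/LF question above, and the tcp.smtp relay rules discussed earlier in these threads, can both be checked before running tcprules. The Python below is an added example, not code from the posts or from ucspi-tcp; the function names, finding codes and the min_octets threshold are assumptions of this example, and the sample rules are constructed.

```python
"""Added example: lint a tcp.smtp rules file before compiling it with tcprules."""


def parse_rule(line):
    """Split 'address:allow,VAR="value"' into (address, action, env).

    Raises ValueError when the line does not have that shape.
    """
    address, sep, rest = line.partition(":")
    if not sep:
        raise ValueError("no ':' separator")
    for action in ("allow", "deny"):
        if rest.startswith(action):
            rest = rest[len(action):]
            break
    else:
        raise ValueError("instruction must start with allow or deny")
    env = {}
    while rest:
        if rest[0] != ",":
            raise ValueError("unexpected text %r" % rest)
        name, eq, tail = rest[1:].partition("=")
        if not eq or not tail:
            raise ValueError("variable without a quoted value")
        quote, tail = tail[0], tail[1:]      # value is delimited by this char
        value, endq, rest = tail.partition(quote)
        if not endq:
            raise ValueError("unterminated value")
        env[name] = value
    return address, action, env


def lint_tcp_smtp(data, min_octets=2):
    """Check raw file bytes; return a list of (line_number, code, detail).

    min_octets is this example's policy: a RELAYCLIENT grant on a network
    prefix with fewer octets than this (other than 127.) is reported.
    """
    findings = []
    for number, raw in enumerate(data.split(b"\n"), 1):
        line = raw.decode("ascii", "replace")
        if line.endswith("\r"):
            findings.append((number, "crlf",
                             "DOS line ending, convert the file to LF"))
            line = line[:-1]
        line = line.rstrip(" \t")
        if not line or line.startswith("#"):
            continue
        try:
            address, action, env = parse_rule(line)
        except ValueError as err:
            findings.append((number, "parse", str(err)))
            continue
        if action != "allow" or "RELAYCLIENT" not in env:
            continue
        if address == "":
            # Default rule: every client that matches nothing else may relay.
            findings.append((number, "open-relay",
                             "default rule sets RELAYCLIENT"))
        elif (address.endswith(".") and not address.startswith("127.")
              and address.count(".") < min_octets):
            findings.append((number, "wide-relay",
                             "RELAYCLIENT granted to prefix " + address))
    return findings


# Constructed sample: line 1 carries a CR/LF ending, lines 3 and 4 grant
# relaying far more widely than the per-host rule on line 2.
SAMPLE = (b'127.:allow,RELAYCLIENT=""\r\n'
          b'10.21.200.200:allow,RELAYCLIENT=""\n'
          b'10.:allow,RELAYCLIENT=""\n'
          b':allow,RELAYCLIENT=""\n'
          b':allow\n')

if __name__ == "__main__":
    for number, code, detail in lint_tcp_smtp(SAMPLE):
        print("line %d: %s: %s" % (number, code, detail))
```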




RE: qmail-send problem

2000-05-10 Thread Greg Owen

 # [EMAIL PROTECTED]:
...
 # Sorry. Although I'm listed as a best-preference MX or A 
 for that host,
 # it isn't in my control/locals file, so I don't treat it 
 as local. (#5.4.6)
...
 In my control/locals is localhost and mail.some-domain.com

This is all pretty clear.

You don't have some-domain.com in locals.  Perhaps you are operating
under the assumption that since the MX for some-domain.com points to
mail.some-domain.com, then all you need in locals is mail.some-domain.com.
That is an incorrect assumption.

-- 
gowen -- Greg Owen -- [EMAIL PROTECTED]



