Re: virtualdomains vs. VERP and Delivered-To
>Executive summary: qmail breaks VERP under certain circumstances.

Revised executive summary: qmail's VERP works fine, but some people are more than a little unclear on the way virtual domains work.

>Let H be a host running qmail, A and B users at H, and V a virtual domain
>redirected to B@H. Let X@V, i.e. B-X@H, be forwarded to some other, maybe
>remote, address, say K@L. Now, let's assume A uses
>
> QMAILINJECT=r qmail-inject X@V
>
>to send a "VERPed" message M to X@V. M is forwarded to K@L. Now, let's
>assume the delivery to K@L fails and the message is bounced back to A.
>Well, it should be bounced to A-X=V@M, shouldn't it?

Well, actually, it should be bounced to A-X=V@H, and that's exactly where it goes since that's the address that VERP creates. (I presume M was a typo for H there.)

> ...
>Unfortunately, the return address in the scenario described above is
>
> A-B-X=V@M

No, it's not. Qmail rewrites target virtual domain addresses at the time they're delivered, and virtual domain handling doesn't rewrite return addresses at all, ever.

>... A *completely untested* patch is here:

Too bad you didn't test it, you could have avoided wasting a lot of time.

I misunderstood what you were arguing last time. The only time you might have to consult control/virtualdomains to handle a VERP is if the domain sending the VERP'ed mail is itself a virtual domain.

I happen to have a bunch of mailing lists in virtual domains, and they have bounce handlers. I can assure you from experience that all addresses on the mailing lists are handled the same, and it makes no difference whatsoever if an address to which VERP mail is sent is local, remote, virtual, or anything else.

-- 
John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869
[EMAIL PROTECTED], Village Trustee and Sewer Commissioner, http://iecc.com/johnl,
Member, Provisional board, Coalition Against Unsolicited Commercial E-mail
Re: virtualdomains vs. VERP and Delivered-To
>> Is it really that overwhelmingly difficult to have whatever configures
>> your bounce handler look in /var/qmail/control/virtualdomains to see
>> what prefix to strip off the local part of the VERP address? I
>> suspect either of us could do it in about four lines of perl.
>
>You can turn the question upside-down:
>
>Is it really that overwhelmingly difficult to add or change about four
>lines of C and make qmail behave in a sane way and eliminate the need to
>add such a twisted piece of code to every program using VERP on this
>planet?

Difficult? Of course not, if you want to change that, you have the source. But just because it's easy doesn't mean it's not a good idea.

>If I (DJB) want to keep my program (qmail) as small and clean as possible
>to avoid bugs etc., I should not force other people to make their programs
>bloated, should I?

Of course. That's why it works the way it does.

The Delivered-To: contents is actually $RECIPIENT which is $LOCAL@$HOST. When qmail delivers a message, it finds the longest prefix of $LOCAL in the "users" database and uses that to set the user/group IDs and home directory for the delivery. Then the rest of $LOCAL is the extension and is used to pick the appropriate .qmail file and is available as $EXT and so forth. This is what happens regardless of whether the message was originally addressed to a local domain or a virtual one. If it was to a virtual domain, there was a preprocessing step that put the virtual domain's prefix on the front of $LOCAL, but delivery code doesn't have to worry about that.

In the particular case where a program run from .qmail does VERP bounce processing, it has to de-prefix $LOCAL, but for other purposes, $LOCAL shows the address that the message is delivered to and that's what delivery scripts need.

Now let's look at your plan. If a message is addressed to a virtual domain, qmail looks it up, finds the prefix and does, um, something with it. Does it change $LOCAL? Or does it concoct $REALLYLOCAL or the like? Do .qmail scripts see the unprefixed $LOCAL or the prefixed one? Since $LOCAL no longer is the actual delivery address for virtual domains, to work reliably scripts that deliver mail that might have been sent to a virtual domain have to look at $HOST and do one thing if it's a local domain and another if it's virtual. Sounds pretty bloated to me, particularly since there are generally far more deliveries to virtual addresses, which want the prefixed address, than VERP bounces, which don't.

Like I said:

> It's true, qmail doesn't work the way you might first have guessed it
> does. That doesn't mean it's wrong.
Re: virtualdomains vs. VERP and Delivered-To
>There is no way for the mailing list software to get from
>`[EMAIL PROTECTED]' to
>`[EMAIL PROTECTED]' without having knowledge of virtualdomains.
>That's not an acceptable solution.

Is it really that overwhelmingly difficult to have whatever configures your bounce handler look in /var/qmail/control/virtualdomains to see what prefix to strip off the local part of the VERP address? I suspect either of us could do it in about four lines of perl.

It's true, qmail doesn't work the way you might first have guessed it does. That doesn't mean it's wrong.
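The prefix lookup that the reply above calls "four lines of perl", together with the $LOCAL/$HOST split the other two replies on this page describe, written out as an added Python example (not code from this thread, from qmail, or from any list manager). It assumes a domain:prefix virtualdomains file (user@domain entries and qmail-send's exact precedence rules are not modelled), a VERP return address of the form list-return-USER=DOMAIN, and constructed sample data.

```python
"""Recover the bouncing subscriber address from a VERP bounce that was
delivered through a qmail virtual domain.

Added example; not code from qmail or from the posts. A program run
from .qmail sees the delivered address as $LOCAL and $HOST ($RECIPIENT
is $LOCAL@$HOST). When $HOST is a virtual domain, qmail has already put
"prefix-" from control/virtualdomains on the front of $LOCAL, so a VERP
bounce handler has to take it off again before decoding the extension.
"""
import os

# Constructed sample of /var/qmail/control/virtualdomains: one
# "domain:prefix" entry per line; a leading dot matches subdomains.
SAMPLE_VIRTUALDOMAINS = """\
# mailing lists live in a virtual domain owned by user "listowner"
lists.example.com:listowner
.customer.example:cust
"""


def parse_virtualdomains(text):
    """Return [(domain, prefix), ...] in file order, skipping comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        domain, _, prefix = line.partition(":")
        entries.append((domain.lower(), prefix))
    return entries


def virtual_prefix(host, entries):
    """Prefix qmail prepended to $LOCAL for mail to host, or None when
    host is not virtual. An exact domain entry wins over a leading-dot
    wildcard (assumption: user@domain entries are not handled here)."""
    host = host.lower()
    wildcard = None
    for domain, prefix in entries:
        if domain == host:
            return prefix
        if domain.startswith(".") and host.endswith(domain) and wildcard is None:
            wildcard = prefix
    return wildcard


def strip_virtual_prefix(local, host, entries):
    """Undo the virtualdomains rewrite: "prefix-rest" becomes "rest"."""
    prefix = virtual_prefix(host, entries)
    if prefix is None:
        return local
    marker = prefix + "-"
    if local.startswith(marker):
        return local[len(marker):]
    return local  # not an address qmail would have produced; leave it


def verp_bounced_recipient(local, host, list_return, entries):
    """For a bounce delivered to list_return-USER=DOMAIN (VERP), return
    USER@DOMAIN; None if this is not a VERP bounce for the list. The
    result is the same whether host is a local or a virtual domain."""
    ext = strip_virtual_prefix(local, host, entries)
    marker = list_return + "-"
    if not ext.startswith(marker):
        return None
    # The last "=" stands for the "@" VERP replaced; domains have no "=".
    user, sep, domain = ext[len(marker):].rpartition("=")
    if not sep or not user or not domain:
        return None
    return user + "@" + domain


if __name__ == "__main__":
    # Bounce handler usage: qmail-local supplies LOCAL and HOST.
    entries = parse_virtualdomains(SAMPLE_VIRTUALDOMAINS)
    local = os.environ.get("LOCAL", "listowner-mylist-return-bob=remote.example")
    host = os.environ.get("HOST", "lists.example.com")
    print(verp_bounced_recipient(local, host, "mylist-return", entries))
```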
Re: rblsmtpd and mail-abuse.org's DNS servers
>2) Did you actually pay MAPS for use of their mail-abuse.org
>servers? They started charging on August 1st so you are
>not going to have much luck using them to block spam if you
>aren't paying them.

Have you looked at the price list? The price for individual users is $0. If you want to keep using the RBL, RSS, and DUL, they want a written agreement from you, but if you can't afford to pay, they don't demand money.
rblsmtpd and rblplus?
Has anyone modified rblsmtpd to work with MAPS' rbl-plus? It's a merged RBL, RSS, and DUL with the particular list(s) an address is on being determined by bits in the low part.

The changes I'd want to rblsmtpd would be 1) tell which bits to pay attention to and which not to, since I reject RBL and RSS mail, but send DUL mail into a spam trap, and 2) provide default TXT messages to use depending on which bits are set.

It's not all that hard to do, but I'd rather not do it if someone else already has. I see nothing about rbl-plus in the archives yet.
Blank lines in .qmail files
I've been reading through the source code of qmail-local to be sure I'm telling the truth about what it does in the qmail book. I see that if the first line of a .qmail file is blank, qmail-local dies with a temporary failure code. Other blank lines are ignored, but there's a specific test and a failure message "Uh-oh: first line of .qmail file is blank. (#4.2.1)"

Anyone know why? It's documented in the man page, but even for DJB code, it seems awfully arbitrary.
Re: rss spam filtering problems
>Bruno> This should be in the archives. The RSS people dropped the
>Bruno> text records, because of problems with the DNS server they
>Bruno> use has handling the large number of text records. For a
>Bruno> short time there was a mirror, but they started charging
>Bruno> and the person doing the mirroring had to stop his service.

relays.mail-abuse.org has seven mirror servers, one of which I run. It works fine and was most recently updated about two minutes ago.

You should be running tcpserver something like this:

    exec tcpserver -u120 -g105 -v -p \
        -x/var/qmail/rules/smtprules.cdb 0 smtp \
        /usr/local/bin/rblsmtpd -b -rblackholes.mail-abuse.org. \
        -r'relays.mail-abuse.org.:Open relay problem - see <http://www.mail-abuse.org/cgi-bin/nph-rss?%IP%>' \
        -rmail.services.net \
        /var/qmail/bin/qmail-smtpd 2>&1
Re: Using qmail-queue
>So is there any way of having the email address of the user being emailed in
>the To: field without using qmail-inject for every message?

Using plain qmail, no, it tries very hard not to mutate messages as they pass through.

For a similar application I wrote a little perl module called qspam to send out lots of customized messages. It passes each message directly to qmail-remote, and only if that fails passes it to qmail-queue to retry. It runs many qmail-remote processes in parallel, and on any half-decent list rarely has to queue a message so it pumps out mail about as fast as qmail itself does. For me it does a pretty decent job of sending out messages to an 18,000 address list I have.

It uses files in /tmp rather than pipes because that makes the code a lot simpler and it seems to me that files in a ramdisk /tmp should be about as fast as pipes.

You can find it at http://wx.iecc.com/Qspam.pm
Re: Dynamic allow of relay
>I think you misread what I wrote...we're using cyrus, not courier ;-(

I rolled my own smtp after pop/imap setup. It's really easy. There's a 94 line daemon written in perl (running under supervise, of course) that makes a named pipe and then reads lines from it in the form "IP 22.33.44.55" that tell it when someone's logged in, and updates the cdb file that the smtp tcpserver uses to control relay.

I use courier and rather than try to stuff a shim into the authentication, I just hacked the code into courier's pop and imap login routines, adding three lines to each to open the named pipe, write out the IP that just logged in, and close the pipe. I haven't looked at the code, but it's unlikely that it'd be difficult to make a similar change to Cyrus.

If you want the daemon, you're welcome to it. It also handles a file of fixed relay addresses for hosts on the local network and ages relays out after about an hour.
Re: forwarding msgs analyzing subject text
Russ' solution would certainly work, but this is exactly the sort of thing that procmail is intended for. A procmailrc to do this would look like this:

    :0 c
    * Subject:.*xxx
    ! user2 user3 user4

    :0 c
    * Subject:.*yyy
    ! user5 user6 user7

(Recent versions of procmail play better with qmail, in particular they can deliver directly to both mboxes and maildirs.)

> > It's possible? How?
> >
>cat >~user1/.qmail <<EOF
>./Mailbox
>|condredirect user234 sh -c '822field Subject | grep -q xxx'
>|condredirect user567 sh -c '822field Subject | grep -q yyy'
>EOF
>
>cat >~alias/.qmail-user234 <<EOF
>&user2
>&user3
>&user4
>EOF
>
>cat >~alias/.qmail-user567 <<EOF
>&user5
>&user6
>&user7
>EOF
Re: Lotsa messages from perl with qmail-remote
>> I whipped up a little message blasting module in perl:
>>
>> http://wx.iecc.com/Qspam.pm
>>
>> It's only 136 lines.
>
>This looks way cool. Thanks, John!
>
>One question: it doesn't look like qspam_send() removes the mail file once
>it has been sent (or queued, if the attempt failed). I am looking at using
>Qspam in a sort of mail merge program; will I need to unlink() the mail file
>myself?

I fiddled it a little more last night so when a delivery is done it tells the callback routine that's called when a delivery is done whether the delivery worked or not. If you don't use failure info to update the address list (either immediately or when you pass some threshold of bounces), it really would be spamware.

The callback routine does have to delete the file with the message. The reason I did it that way is that at some point I want to see whether it's faster to rewrite existing temp files than to unlink and create a new one, in which case the callback would just push the temp file on a list of available ones to reuse. Or the temp file might be a named pipe fed by another program or something.
Re: Lotsa messages from perl with qmail-remote
>> What I was interested in was using perl to drive qmail-remote, not a
>> discussion of poll vs select, although that would be handy.

I whipped up a little message blasting module in perl:

http://wx.iecc.com/Qspam.pm

It's only 136 lines. You tell it how many subprocesses you want it to manage, then call its sending routine repeatedly with envelope to and from and a file containing the message. For each message, it calls qmail-remote, then if that didn't work qmail-queue, using as many subprocesses as you told it to use.

Rather than mess around with vast tangles of pipes and selects, it uses temp files and tracks subprocesses by pid. In the typical case that /tmp is a RAM filesystem, I suspect that the performance will be about the same, and the code is a lot simpler.
Lotsa messages with qmail-remote?
I have a spam-like application that will be sending out thousands of customized single-recipient messages. (It's spam-like because it says "you wrote to us about on ", but unlike spam, they really did write and I have the saved messages to prove it.)

Rather than dumping them all into qmail-inject or qmail-queue which would cause constipation unless I install the big-todo patch which is a pain, I was thinking of calling qmail-remote directly, then qmail-queue if qmail-remote didn't work, with a bunch of remotes going at once. The addresses come out of a database and the customization is trivial, so I was planning to write it in perl. (The main bottleneck is the network delays for qmail-remote.)

But before I do, has someone already written this?

Regards,
John Levine, [EMAIL PROTECTED], Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://iecc.com/johnl, Sewer Commissioner
Finger for PGP key, f'print = 3A 5B D0 3F D9 A0 6A A4 2D AC 1E 9E A6 36 A3 47
Re: Filter incoming messages for one particular user
>> Let's say I have a user "[EMAIL PROTECTED]", whose home directory is
>> /home/mailuser. I want to set things up so that mailuser only accepts
>> messages from one particular e-mail address. In other words, if the sender
>> is any other address besides [EMAIL PROTECTED], mailuser will silently
>> throw the message away. If the message is from [EMAIL PROTECTED], it
>> completes the instructions in mailuser's .qmail file (which right now
>> forwards to three other addresses).

It's very easy. Put this as the first line in the .qmail file:

    | case "$SENDER" in [EMAIL PROTECTED]) exit 0 ;; *) exit 99 ;; esac

The exit 99 tells qmail to skip the rest of the .qmail file.
Re: Is qmail "best reserved for mailing list server purposes only"?
>One last note on this thread. While rereading the FAQ, I came across this
>which indicates qmail has brakes to keep from generating denial of service
>attacks.
>
>http://cr.yp.to/qmail/faq/efficiency.html
>
>Does qmail back off from dead hosts?
>Answer: Yes. qmail has three backoff features: ...

Qmail backs off very well, but doesn't work all that well with sendmail under heavy load. The problem is that sendmail keeps accepting connections even when it doesn't have enough system resources to accept mail, and tends to thrash to death. (Qmail systems usually use tcpserver which enforces a maximum number of simultaneous connections rejecting any beyond that limit.) But since sendmail doesn't reject connections, qmail can't tell that the recipient system isn't responding.

Sendmail users tend to assume that anything sendmail does must be right, and anything different must be wrong, so they often blame qmail for opening "too many" connections. In reality, the connections could just as easily come from any other mail system, of course.
Re: qmail-pop3d bug
>Putting the linecount in there makes more sense. Some MUAs might be happy
>about that, and it still allows easy calculation of wiresize (add
>number of lines to physical size). More info, less bytes :)
>
>> Optimally the wire-size is calculated when the mail is written to
>> Maildir/tmp/ and then applied as an "info" flag when the file is moved
>> to Maildir/new/.
>
>Yes. Mind the performance penalty tho.

Not a bad idea. The performance penalty would be tiny, reading buffers that are about to be written out won't cause an extra page fault.

>> A possible complication with this approach is that my reading of
>> Maildir infers that "info" can only be set when the file moves from
>> Maildir/new/ to Maildir/cur/.
>
>That's what the spec says, indeed. A delivery process is not supposed
>to know anything, so :info is not needed in new/.

Gee, we find that even Dan isn't infallible. In retrospect, there's all sorts of hints that the delivery process could leave.
qmail-pop3d bug
The usual mailbox vs. maildir war has flared up on inet-access, and points out a bug in qmail-pop3d. When you do a LIST command, it gives you the size of each message. Pop3d just reports the file sizes, while it's clear from the RFC that it's supposed to report the wire size of each message, i.e., the size using cr/lf as a line terminator, so the sizes it reports are too small.

I gather nobody's ever reported this as a bug, and I expect that the only thing that uses the size is the "don't download bigger than size X" option for which it's close enough, but it's still wrong.

I use courier-imap, and its POP daemon does get the sizes right, presumably by reading the files and adding the number of \n characters.
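An added Python example (not qmail-pop3d or courier code) of the size computation the two qmail-pop3d posts above discuss: the on-disk size qmail-pop3d reports beside the CRLF wire size that LIST should report, run over a constructed sample message.

```python
"""Maildir message size as qmail-pop3d reports it versus the wire size
an RFC 1939 LIST reply is supposed to carry.

Added example; not code from qmail-pop3d or courier. Maildir files end
lines with a bare "\n" while POP3 sends "\r\n", so the wire size is the
file size plus one byte for every bare LF (a line that is already CRLF
terminated is not counted twice). Dot-stuffing during RETR is not part
of the LIST size and is ignored here.
"""

# Constructed sample message as it would sit in Maildir/new/.
SAMPLE_MESSAGE = (
    b"Return-Path: <sender@example.net>\n"
    b"From: sender@example.net\n"
    b"To: user@example.com\n"
    b"Subject: wire size test\n"
    b"\n"
    b"first line\n"
    b"second line\n"
)


def file_size(message):
    """What qmail-pop3d reports: the on-disk byte count."""
    return len(message)


def wire_size(message):
    """Octets RETR would actually send: every bare LF becomes CRLF."""
    bare_lf = 0
    for i, byte in enumerate(message):
        if byte == 0x0A and (i == 0 or message[i - 1] != 0x0D):
            bare_lf += 1
    return len(message) + bare_lf


def list_response(messages):
    """Build a POP3 LIST reply using the wire size for each message."""
    lines = ["+OK %d messages" % len(messages)]
    for n, message in enumerate(messages, start=1):
        lines.append("%d %d" % (n, wire_size(message)))
    lines.append(".")
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    print("file size:", file_size(SAMPLE_MESSAGE))
    print("wire size:", wire_size(SAMPLE_MESSAGE))
    print(list_response([SAMPLE_MESSAGE]), end="")
```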
Peculiar results with multilog
I just switched my qmail setup (one of them at least) to daemontools, qmail, two tcpservers for smtp, one for qmqp. It works great, except for one teensy thing.

I have the same run command for all the log files:

    exec setuidgid qmaill \
    multilog t s400 ./logfiles '-*' '+*status:*' =logfiles/status

(except for the log size after the t, which I fiddle so each one rotates its logs about equally often.)

The logger for qmail puts the status in logfiles/status. The loggers for the tcpservers don't, although they make the main logfiles (current, rotating to @whatever) correctly. It just creates a zero length status file. The status lines logged from tcpserver look like this:

    @40003aa13cff07eb6d7c tcpserver: status: 2/40

so it sure looks to me like they should be stored in logfiles/status. Any suggestions what's wrong?
Re: orbs and qmail
>I made a check of the server and all was well but
>when I checked it from the facility at
>abuse.net I found it was reporting an open relay.

Sigh. He must be referring to the place that says in large ugly blinking letters:

THIS MAY OR MAY NOT MEAN THAT IT'S AN OPEN RELAY. If it is really an open relay, the test message will be delivered to you. If you do not receive the test message in your e-mail in the next few hours, it IS NOT an open relay.

I wish there were some way I could make this stuff more idiot resistant, but some idiots can resist anything.

Regards,
John Levine, [EMAIL PROTECTED], http://www.abuse.net, Trumansburg NY
abuse.net postmaster
Re: Re: Mass Mailout Performance Tips
>It takes approximately 6 hours for the script to complete, each
>message invokes a separate qmail-inject process as the mails are
>customised with the persons name / details etc. The concurrency only
>seems to hit about 30- 40 while the script is still pumping messages
>into qmail-inject.

I would definitely call qmail-remote directly, then fall back to qmail-queue if the qmail-remote fails. Since you know that each message has a single recipient and you can assume that all the recipients are remote, you can skip all of the overhead of queueing and dequeueing all message that get delivered on the first try. (Even if a few of them are local, they'll still get delivered by looping back to the local SMTP daemon.)

The interface to qmail-remote is pretty simple; I've driven it from a 68 line perl script, although it'd take a few extra lines to manage a pool of qmail-remotes to keep up the concurrency you'd want for an application like this. I believe that Russ Nelson has done this sort of thing in the past with great success.
Re: Open relay test.
>*duh* - telnetting into the world from our mail server is prohibited by
>the firewall hehe.
>mail-abuse.org accepts mail from me via that server tho (relay reports).

You're welcome to use my experimental tester at http://www.abuse.net/relay.html. It's more or less the same tests that the MAPS RSS uses, and is pretty similar to but less aggressive than ORBS. It also does the user%dom1@dom2 test, because that's a famous relay hole in a lot of sendmail systems.

If you have qmail, the tester will note that it accepted the message, then say in large ugly blinking letters that your system is only an open relay if it actually forwards the message back. If you're a registered abuse.net user, it can assign you a temporary abuse.net forwarding address so you can test your own server using an address not in your own domain.

(Friendly hint: if you ignore the ugly blinking message and send me mail anyway saying that the tester claimed that your system is an open relay because it accepted the test message, I'll write back and call you a moron.)
Re: Rejecting mail from outside for a specific user
>! I would need to somehow check the IP address of the remote host
>! sending the mail, and the To: address to the mail, and I am not
>! sure where in the qmail process these two pieces of information
>! are readily available.

At delivery time, the target address is in $RECIPIENT, the incoming IP address in one of the Received: headers near the beginning of the message.

>10.:allow,INTERNAL="yes"
>
>|bouncesaying "You can't send to this address" [ -z "$INTERNAL" ]
>
>I haven't tested the above, but that's the basic gist of it.

You should have tested it, since it doesn't work. Tcpserver hands its environment variables to smtpd, but bouncesaying is called much later in the process from a different program that doesn't inherit the environment variables.

What I'd do is to put the restricted addresses into .qmail files that look like this:

    | check-local-origin
    &user1
    &list2
    ...

And I'd write a little perl script called check-local-origin that reads its input until it finds a "Received: from" header, checks the IP in that header to see if it's a local one, and returns 0 if it's OK, otherwise prints "Restricted internal list, go away\n" and returns 100. I use something like that to keep people from spoofing mail into the lists that majordomo controls here.
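The check-local-origin idea above, as an added Python example (the post's own script is perl and is not reproduced here). It assumes the trusted networks listed in LOCAL_NETWORKS, a Received: header in the "from NAME (IP)" shape qmail-smtpd writes, and constructed sample messages; it is the program a .qmail line "| check-local-origin" would run.

```python
"""check-local-origin: refuse mail for a restricted address unless the
connection that delivered it came from a local network.

Added example for this thread, not the perl script the post mentions.
Run from the first line of a .qmail file; it reads the message on stdin
and exits 0 to let the remaining .qmail lines run, or prints a reason
and exits 100 so qmail bounces the message. Only the topmost
"Received: from" header is consulted, because that one was written by
the local qmail-smtpd; every Received: header below it came from the
sender and can say anything. Assumption: the networks in LOCAL_NETWORKS
are the ones allowed to post.
"""
import ipaddress
import re
import sys

# Constructed: networks whose hosts may send to the restricted address.
LOCAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("192.168.1.0/24")]

# qmail-smtpd writes "Received: from NAME (IP)" or "from unknown (HELO x) (IP)";
# the IP may be prefixed by "ident@" inside the parentheses.
RECEIVED_IP = re.compile(
    r"^received:\s+from\s.*?\((?:[^()\s]*@)?(\d{1,3}(?:\.\d{1,3}){3})\)", re.I)

# Constructed sample messages. Mail from an inside desk, relayed once:
INTERNAL_MSG = (
    "Received: from unknown (HELO desk.example.com) (10.4.2.7)\n"
    "  by mail.example.com with SMTP; 3 Mar 2001 12:00:00 -0000\n"
    "Received: from elsewhere (192.0.2.9)\n"
    "  by desk.example.com with SMTP; 3 Mar 2001 11:59:00 -0000\n"
    "From: alice@example.com\n"
    "To: staff-list@example.com\n"
    "\n"
    "body\n"
)
# Same mail delivered from outside:
EXTERNAL_MSG = INTERNAL_MSG.replace("(10.4.2.7)", "(198.51.100.5)")
# Outside sender who pasted a fake internal Received: header under ours:
FORGED_MSG = (
    "Received: from unknown (HELO desk.example.com) (198.51.100.5)\n"
    "  by mail.example.com with SMTP; 3 Mar 2001 12:00:00 -0000\n"
    "Received: from desk.example.com (10.4.2.7)\n"
    "  by desk.example.com with SMTP; 3 Mar 2001 11:59:00 -0000\n"
    "From: alice@example.com\n"
    "To: staff-list@example.com\n"
    "\n"
    "body\n"
)


def unfold_headers(message):
    """Return the header block as a list of unfolded header lines."""
    headers = []
    for line in message.splitlines():
        if line == "":
            break                       # blank line ends the headers
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += " " + line.strip()
        else:
            headers.append(line)
    return headers


def origin_ip(message):
    """IP in the topmost Received: from header, or None if absent."""
    for header in unfold_headers(message):
        if header.lower().startswith("received:"):
            match = RECEIVED_IP.search(header)
            return match.group(1) if match else None
    return None


def is_local_origin(message):
    ip = origin_ip(message)
    if ip is None:
        return False                    # no usable header: treat as outside
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in LOCAL_NETWORKS)


def check(message):
    """Exit status for qmail: 0 = continue the .qmail file, 100 = bounce."""
    return 0 if is_local_origin(message) else 100


if __name__ == "__main__":
    status = check(sys.stdin.read())
    if status != 0:
        print("Restricted internal list, go away")
    sys.exit(status)
```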
Re: Data in Excel to Vpopmail
Another possibility is to install the MySQL ODBC driver which works quite well and use that to upload the data directly from Excel into MySQL.

>Export to CSV format, then you can import them into MySQL with very
>little difficulty (LOAD DATA ... see MySQL manual). If you're not using
>MySQL authentication, sorry.
>
>> I have a big table in MS Excel with the login and pass, how can I
>> import all the users from VPOPMAIL? I hope you can help me
Re: remote load management, was orbs.org nonsense
>If, however, you admit that it causes problems for sendmail installations, and
>you admit that a lot of sites use sendmail, then you'll probably agree that
>defining "good netizen" would include "limiting outgoing connections to a
>particular MX" ... to some reasonable number (heck, you can detect what the
>foreign MTA is when you connect usually ... )

I've been thinking for quite a while of some sort of hack to qmail to do remote load management, the idea being that we want to open almost but not quite enough connections to each remote system to make the remote fall over. Possibilities for guessing the appropriate limit per remote might include:

- sniff the SMTP banner for known lame MTAs
- measure the round trip time, for the response to HELO, stop connecting when it becomes "too much", either an absolute limit or N times more than it used to be
- pay more attention to "421 come back later" type messages
Re: How do I stop this spam test from failing?
>I have been put on the RSS and ORBS list because this test keeps failing:
>
> >>> MAIL FROM:

No, you haven't. I wrote the original tester that MAPS uses, and I can assure you that you only get listed if your system actually sends the spam back to MAPS.
Suggestion for mailing list manager?
I'm moving my lists to a new server, and I figure this is as good a time as any to look for something better than Majordomo 1.94. Here's what I want:

-- automatic VERP bounce processing
-- plain and digest lists
-- multiple lists in multiple virtual domains
-- plays nicely with qmail
-- does something reasonable with MIME, e.g., strip multipart/alternative down to plain text
-- web interface, at least enough so that the subscription confirmation can have a "click to confirm"

Majordomo gives me all but the last two (I hacked in the VERP stuff myself)

Possible candidates I've looked at:

* Majordomo 2: looks swell but is in perpetual alpha, dunno about VERP
* Sympa: needs NLS library that I don't have on BSDI, unknown VERP support, needs work to do virtual domains
* ezmlm: no digests, no web, no MIME
* SmartList: no digests, no web, no MIME
* GNU Mailman: looks superswell, but I'd rather not have to learn python

Any suggestions?
Re: Does someone knows what is this about?
>There exists sites which do not have a nice block of IP addresses
>which describe all of their valid mail relay users. For such sites,
>tarpitting is a much better solution than relay blocking. MIT is one
>of them (many of its mail relay users are customers of random outside
>ISPs),

The amount of spam I get from MIT tells me that whatever tarpitting they think they're doing doesn't work. Pop-before-SMTP and SMTP AUTH both work and are widely implemented, as do various IP-in-IP tunnels. It's sheer pigheadedness that makes MIT refuse to run mail systems the way that responsible admins do.
Re: DRAFT RFD - comp.mail.qmail - Comments Sought
>I agree with you in general, Russ. The only benefit I can see to
>comp.mail.qmail is that there is also a comp.mail.sendmail.

I suppose it might work with a two-way gateway between the newsgroup and this list, and registration to post as it is now. I've been doing that for [EMAIL PROTECTED] for a while and it works reasonably well. But I do agree that other than the moderately greater visibility on usenet, there's not much benefit to be gained.

In years past, the volume of traffic on a usenet group would swamp any plausible mail server. Now, with almost free computrons and fast mail software like qmail, that's much less of an issue.
Re: A Good Book On Qmail
>> Qmail & ezmlm is now getting so popular that someone has to get their
>> arse in gear and get a book to print. The Idea is a certain winner so
>> com'on O'reilly, Que, or Sam's if your listening in get your finger out
>> guys where drowning out here.
>
>I don't believe that publisher interest is the hold-up.

If Russ and I got our butts in gear and wrote the book, Tim O'Reilly would be overjoyed to publish it. (Tim and I discussed this just last week.) I hope we can get it written this summer, which would make the book come out sometime near the end of the year.
Re: How to apply a patch and conserve Bruce G's structure?
>(The reason for this is that all machines that accept mail with more than
>one @ or % get their port 25 locked from the outside world by campus
>network administration...)

It'd probably be easier to figure out which host they do their lame mail testing from, and tell tcpserver to reject connections from it.

-- John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869 [EMAIL PROTECTED], Village Trustee and Sewer Commissioner, http://iecc.com/johnl, Member, Provisional board, Coalition Against Unsolicited Commercial E-mail
Pummelling limiting, again
An acquaintance of mine who has a religious devotion to sendmail tells me that the next version of sendmail will have a swell new feature. As we all know, one of the aspects of sendmail that makes it so exciting to use is that it will accept an unlimited number of simultaneous inbound connections, causing thrashing and other disasters. So their solution is to let you set a limit on the number of simultaneous connections from a single host and reject mail (not connections) if there are more than that.

Surely it is a coincidence that this misfeature will reject entirely legitimate mailing list traffic from qmail, while being ineffective at limiting overloads if there's just a lot of traffic overall.

So in the spirit of playing nice with other kids, even when the other kids deserve to be stomped into the mud, I'm wondering again about how hard it would be to do some global per MX connection limiting. Sendmail isn't the only MTA with this problem, of course.

My thought would be to keep some estimate of server load based on the time from the connection attempt to the banner, or maybe the response to the HELO, and throttle connections to a host when it got significantly slower than it used to be. The idea is to set up almost but not quite enough connections to each remote host to make it fall over. Anyone experimented with this?

Considering that qmail already keeps a retry time for MX'es that don't answer, I'd think it'd be a relatively straightforward extension to that.

Regards, John Levine, [EMAIL PROTECTED], Primary Perpetrator of "The Internet for Dummies", Information Superhighwayman wanna-be, http://iecc.com/johnl, Sewer Commissioner Finger for PGP key, f'print = 3A 5B D0 3F D9 A0 6A A4 2D AC 1E 9E A6 36 A3 47
Re: qmail book
>I know that a qmail book is in the works for some time in 2000, and it has
>fallen off of O'Reilly's production schedule...any update on this? Any idea
>when it's coming out? I think I'll be the first in line for it when it
>comes!

Russ and I expect to get back to work on it this summer. I have one book in the queue ahead of it which is mostly done.

-- John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869 [EMAIL PROTECTED], Village Trustee and Sewer Commissioner, http://iecc.com/johnl, Member, Provisional board, Coalition Against Unsolicited Commercial E-mail
Re: Qmail's sendmail does not obey $MAILUSER, $MAILHOST etc.
>fetchmail handles the translation with no problems. For outgoing mail, I
>want to use the MAILUSER and MAILHOST environment variables so that replies
>go to my university email address. This works fine if I send messages via
>qmail-inject, but my MUA (pine) invokes sendmail.
...
>It looks like qmail's sendmail does not obey the MAILUSER and MAILHOST
>variables in the same way as qmail-inject. Is there any way to change the
>user name which appears in my messages when using sendmail?

The "sendmail" program is just a wrapper around qmail-inject, and does indeed look at those variables. But it only looks at them if there isn't already a From: line, and pine is a helpful program that puts a From: line in messages it writes.

In your pinerc file, personal-name sets the name in parens, and user-domain is analogous to MAILHOST. I can't see any way to change the user name, it doesn't look at USER or LOGNAME.

-- John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869 [EMAIL PROTECTED], Village Trustee and Sewer Commissioner, http://iecc.com/johnl, Member, Provisional board, Coalition Against Unsolicited Commercial E-mail
Re: how do you use a deferral host in qmail?
> I'd like slow mail, deferred or whatever on a host that's dedicated
> to retrying and not getting new mail.

You may want to try a custom hack. I've heard that some high volume sites call qmail-remote directly from the application that generates the mail, then hand off messages that get soft failures. Often it's enough just to hand them off to normal qmail, but I'd think it'd be just as easy to pass them to another host using qmqp, using qmail-qmqpc rather than qmail-queue.

-- John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869 [EMAIL PROTECTED], Village Trustee and Sewer Commissioner, http://iecc.com/johnl, Member, Provisional board, Coalition Against Unsolicited Commercial E-mail
Re: "Date: Mon, 20 Mar 2000 17:33:11 zTo:" header
>BMarts is fairly evil. They insert whatever sender address the sender
>specifies in the SMTP envelope of the mail. They do nothing to verify
>that it is a valid address. This means that bounces (and they create lots
>of those) come to the local postmaster. (this is all past experience)

Aw, come on. That makes them approximately as evil as every single copy of Eudora, Pegasus, Netscape, Outlook Express, PC Pine, and other POP mail clients, all of which let you configure any old unverified sender address(es) you want. I certainly agree that online greeting cards can be treacly, but they're no worse than any other over-the-transom e-mail.

>They also don't read/respond to complaints sent to postmaster. It is too
>bad, they could easily fix the bounce problem.

That hasn't been my experience. They've bent over backward to try to be responsible, were the first (and as far as I know the only) greeting card site to put trace info in the message header including the IP address that made the card. They don't let you send a card to multiple addresses, unlike many other sites, and will on request block all outgoing mail to your domain.

Regards, John Levine, [EMAIL PROTECTED], Primary Perpetrator of "The Internet for Dummies", Information Superhighwayman wanna-be, http://iecc.com/johnl, Sewer Commissioner Finger for PGP key, f'print = 3A 5B D0 3F D9 A0 6A A4 2D AC 1E 9E A6 36 A3 47

Claimer: I was their expert witness in a suit against Microsoft, so I've actually talked to the people involved.
Re: Ineffective anti spamming
>> Yes, ORBS catches a ton of spam. It also labels a lot of email that
>> I'd like to see, as spam.
>
>But that wasn't what ORBS is about. ORBS stands for Open Relay Blocking
>System, and it does exactly that. It blocks open relays.

That's simply untrue. ORBS lists vast numbers of IPs of either networks that have blocked ORBS because he won't stop spamming them, and of systems run by people he dislikes. My servers, which have never been open relays, have been in and out of ORBS over the years. The entire network ranges of above.net and Roadrunner, both rather large providers who have blocked ORBS' probes out of exasperation, are listed as "open" in ORBS.

I do agree that the three MAPS lists block a lot of spam with few false positives. Claimer: I helped build the MAPS RSS.

This isn't the place to have the ORBS argument yet again. The usual venue is the SPAM-L list.

-- John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869 [EMAIL PROTECTED], Village Trustee and Sewer Commissioner, http://iecc.com/johnl, Member, Provisional board, Coalition Against Unsolicited Commercial E-mail
Re: mail-abuse.org test fail at step 6
In article <[EMAIL PROTECTED]> you write:
> I'm new to qmail so I guess I'll put some stupid question but please help
>me... I put qmail last days on one of my servers and I make the test from
>mail-abuse.org...
>
>What I have to do to pass the test ?
><<< 250 ok
>RCPT TO:<[EMAIL PROTECTED]>

Nothing. If you get that far with your qmail setup, it's OK. Someday I'll fiddle the test to notice what MTA it's testing and skip the ones likely to give false alarms.

Regards, John Levine, [EMAIL PROTECTED], http://www.abuse.net, Trumansburg NY abuse.net postmaster
Re: q-mail relay responses (revisited)
In article <006d01bf5579$81bfd5e0$[EMAIL PROTECTED]> you write:
>There are a variety of sites on the internet that will perform such a relay
>probe for you. It's important to consider the possibility that the probe
>script at some of these sites may not be perfect and the dialog echoed back
>to your browser (or telnet session) may not be complete.

Yup. Roadrunner's running a modified version of the script I wrote for the MAPS RSS and the abuse.net tester. It's spoofed by qmail, since some of the relay tests are accepted by the SMTP daemon and bounced later, only the tester can't tell that at SMTP time. My script is full of warnings like "the system MAY or MAY NOT be an open relay, depending on whether it mails the message back to you or bounces it." But people ignore the warnings and panic. Sigh.

When I have a chance, I plan to make it look at the SMTP banner, and if it recognizes a particular MTA, reorder the tests to put the most useful ones first and warn about the ones that may be spoofed.

>> >>> MAIL FROM:
>> <<< 250 ok
>> >>> RCPT TO:<[EMAIL PROTECTED]@[24.131.161.83]>
>> <<< 250 ok
>> >>> DATA
>> <<< 354 go ahead
>> >>> (message body)
>> <<< 250 ok 945363799 qp 29925

-- John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869 [EMAIL PROTECTED], Village Trustee and Sewer Commissioner, http://iecc.com/johnl, Member, Provisional board, Coalition Against Unsolicited Commercial E-mail
Re: Is there an update on the qmail book
>Has anyone heard about the release date of the O'Reilly qmail book?

Trust me, when Russ and I actually get around to writing it, this list will be the first to know.

-- John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869 [EMAIL PROTECTED], Village Trustee and Sewer Commissioner, http://iecc.com/johnl, Member, Provisional board, Coalition Against Unsolicited Commercial E-mail
Re: How to get your qmail server into ORBS
> | forward "$LOCAL"@bigbang.af.mil
> I will think of a better fix in a couple of days, hints are
> welcome. My first urge was to just have it bounce everything with a
> % in it,

First answer: so long as you're not relaying spam, there's no reason to worry about being in ORBS since almost nobody uses it. Alan listed me for spite a couple of times, the amount of mail that bounced as a result was infinitesimal, two messages out of many thousands, other than to my anti-spam fanatic pals on my spamtools list.

Second answer: tell your friends who run sendmail to fix their config to turn off the percent hack, since it's a security hole there whether or not the mail is relayed from your host. The fixes are well known, see www.sendmail.org for links.

Third answer: if your sendmail manager isn't up to the task of managing sendmail (most aren't), it's really easy to add a little bit to your .qmail to bounce mail with addresses that are likely to provoke sendmail bugs: (put this on one line, of course; the bracket pattern has to stay unquoted so the shell treats it as a glob rather than a literal string)

| case "$LOCAL" in *[%\"@]*) bouncesaying 'Go away,' ;; *) forward "$LOCAL"@bigbang.af.mil ;; esac

-- John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869 [EMAIL PROTECTED], Village Trustee and Sewer Commissioner, http://iecc.com/johnl, Member, Provisional board, Coalition Against Unsolicited Commercial E-mail
Re: Mail abuse in syslog
>> Someone at mail-abuse.org came up with the idea of creating a list
>> to enable ISP's to "blacklist" their pools of dialups.
> Um, no. ISPs aren't expected to report this themselves. And the
> idea came about because they noticed more and more spam coming from
> dial-up IPs.

Actually, most of the IPs in the DUL were contributed by the ISPs themselves.

> And at least on my system, it blocks far more spam than anything
> else I use, AND blocks far fewer legitimate connections than RBL or
> ORBS have.

I'd agree. I block connections from systems in the RBL or MAPS RSS (the non-insane service like ORBS) but I use a modified version of rblsmtpd that I call "detour" that routes DUL mail into my spam traps. I can confirm that far more than 99% of it is spam, and that the annual amount of legit mail that arrives here directly from dialups can be counted on my fingers.

If anyone wants the detour program, just ask. It looks up the incoming IP in an RBL-ish domain, and sets RELAYCLIENT to a string from the command line if the IP matches.

-- John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869 [EMAIL PROTECTED], Village Trustee and Sewer Commissioner, http://iecc.com/johnl, Member, Provisional board, Coalition Against Unsolicited Commercial E-mail
Re: smtproutes and MX aliases
>Anyway, AOL would like all their email to go to
>partner.aol.com instead of the usual aol.com. The problem with setting it
>up in smtproutes like
>
>aol.com:partner.aol.com
>
>is that partner.aol.com has only MX records and no A records so it bounces.

I'm confused. Is the mail supposed to go to [EMAIL PROTECTED] rather than [EMAIL PROTECTED], or are you just supposed to route the mail through the partner MXes but leave the RCPT TO addresses unchanged?

In the latter case, unless you plan to send a truly stupendous amount of mail, I'd just pick one of the partner MXes and put that in SMTProutes. In the former case, you put aol.com in your local virtualdomains file and write a little .qmail-default that remails everything to "$[EMAIL PROTECTED]".

Regards, John Levine, [EMAIL PROTECTED], Primary Perpetrator of "The Internet for Dummies", Information Superhighwayman wanna-be, http://iecc.com/johnl, Sewer Commissioner Finger for PGP key, f'print = 3A 5B D0 3F D9 A0 6A A4 2D AC 1E 9E A6 36 A3 47

PS: Can we all do that to get around AOL's filters, too?
Re: Mail relaying with QMail
>> >>> RCPT TO:<"relaytest%abuse.net">
>> <<< 250 ok
>
>> Relay test result
>> Uh oh, host appeared to accept a message for relay.
>
>The percent sign does not have any special meaning to qmail in
>this case. The address given is an address without a host-part,
>like e.g. a plain "root" is. In most cases qmail will later
>determine that a user with the name "relaytest%abuse.net" does not
>exist locally and bounce the message. It is doing nothing wrong.
>
>Abuse.net is concluding too rashly.

Abuse.net is concluding nothing, other than that it wishes that people would read the sentence following the one he quoted. It says:

The host may reject this message internally; if it is really an open relay, the test message will be delivered to you.

I know how qmail works, I use it myself. At some point I will try to make the relay tester reorder the tests based on what MTA it appears to be testing. I will probably put in some more bright blinking messages like THIS DOES NOT PROVE WHETHER THIS HOST IS A RELAY OR NOT but from experience I know that nobody will read them and they'll complain that I'm misdiagnosing them anyway.

-- John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869 [EMAIL PROTECTED], Village Trustee and Sewer Commissioner, http://iecc.com/johnl, Member, Provisional board, Coalition Against Unsolicited Commercial E-mail
Re: How to forward unrecognised mail to another host?
>3. In the .qmail-default put something to re-send all mail to the ms-mail
>host, eg:
>
>| redeliver msmail.eoc.org.uk
>
>Where "redeliver" is a program that opens an SMTP session to the specified
>host, and writes out the message being read from stdin.
>
>Step 3. is where I'm stuck.
>
>Does such a program exist? Or is there a better/different way to do this?

If the volume of mail isn't too large, dump the mail into a maildir, e.g.

$ cat .qmail-default
/var/mail/eoc-mail/

and then use serialsmtp to push the mail out to the Windows box. Serialsmtp is fast but sends only one message at a time; if it can keep up with the volume that's probably the best way to go since it'll avoid swamping the NT box.

If that's not adequate, I'd run two copies of qmail (which as has been noted is not as messy as it sounds), one for the inbound and sorting, the other for outbound to the various NT boxes. The inbound copy of qmail should be set up with virtual domains to catch the domains you want to sort, the outbound copy with no virtual domains and perhaps smtproutes for any domains that don't have MX records that point where you want them to.

-- John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869 [EMAIL PROTECTED], Village Trustee and Sewer Commissioner, http://iecc.com/johnl, Member, Provisional board, Coalition Against Unsolicited Commercial E-mail
Re: How is spam relaying done?
>I know that removing rcpthosts is a very very bad thing because it opens
>the door for spammers to use your server to spam, but I haven't heard HOW
>a spammer *finds* such a server to begin with. If one removes rcpthosts,
>what are the chances that anyone will find this out? How does any spammer
>get such information?

Spammers scan IP ranges looking for open relays. Since there are so many of them (tens of thousands at last count) the chances that they'll stumble on yours is low but definitely not zero.

If your host sends out mail, it will almost certainly be robo-probed by some of the recipient systems. That's pretty rude, but they do it anyway.

-- John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869 [EMAIL PROTECTED], Village Trustee and Sewer Commissioner, http://iecc.com/johnl, Member, Provisional board, Coalition Against Unsolicited Commercial E-mail
Re: HELP - qmail server and apache server on separated boxes
>How to configure qmail to handle following scenario:
>Apache server is running on separate box with numbers of virtual hosts.
>How to convince qmail server to service virtual hosts mail ?
>So far when both www and qmail were on the same box mail worked perfectly.
>Could you help me ?

You need to add an MX record for each domain pointing to the box that's handling the mail.

-- John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869 [EMAIL PROTECTED], Village Trustee and Sewer Commissioner, http://iecc.com/johnl, Member, Provisional board, Coalition Against Unsolicited Commercial E-mail
Re: Concurrencyremote for a specific host
>> However, should you choose to attempt a band-aid for a key remote site,
>> the approach would be to install a second qmail with a lower
>> concurrencyremote and redirect messages for the swamped site from the
>> primary qmail to the secondary.
>
>Or use serialmail. This limits the concurrency to one and you'll have
>to trigger serialmail from time to time, but it is easier I think to
>install serialmail for a few band-aided sites than to have qmail
>installations multiplying.

Actually, you can run multiple instances of serialmail out of the same maildir, so if you want up to four deliveries, do something like this in your trigger script

if [ there are messages to send ]
then
    for i in 1 2 3 4
    do
        maildirsmtp blah blag ... &
    done
    wait    # for all those serialmails to be done
fi

-- John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869 [EMAIL PROTECTED], Village Trustee and Sewer Commissioner, http://iecc.com/johnl, Member, Provisional board, Coalition Against Unsolicited Commercial E-mail
Re: Qmail book
>Qmail
> John R. Levine Russell Nelson Tim O'Reilly (Editor)
> ...
>Pub. Date: September 1999
> So, John and Russell are you guys to get over to Amazon and start
> autographing copies for us hungry qmailers next month? ;-)

Hadn't planned on it. On the other hand, if anyone can get a copy of this book, please send it to me ASAP so we can plagiarize it rather than finish writing it ourselves. (Well, gee, it worked for Shakespeare in those time-travel SF stories.)

-- John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869 [EMAIL PROTECTED], Village Trustee and Sewer Commissioner, http://iecc.com/johnl, Member, Provisional board, Coalition Against Unsolicited Commercial E-mail
detour program
Here are some diffs. Copy antirbl.c to detour.c before running these. Regards, John Levine, [EMAIL PROTECTED], Primary Perpetrator of "The Internet for Dummies", Information Superhighwayman wanna-be, http://iecc.com/johnl, Sewer Commissioner Finger for PGP key, f'print = 3A 5B D0 3F D9 A0 6A A4 2D AC 1E 9E A6 36 A3 47 ---detour diffs--- *** detour.c.oldTue Aug 25 11:58:22 1998 --- detour.cSun Oct 3 15:20:42 1999 *** *** 8,17 void usage() { ! strerr_die1x(100,"antirbl: usage: antirbl domain program [ arg ... ]"); } char *domain; struct ip_address ip; void check() --- 8,18 void usage() { ! strerr_die1x(100,"detour: usage: detour domain relayclient program [ arg ... ]"); } char *domain; + char *relayclient; struct ip_address ip; void check() *** *** 19,27 char *x; int numenv; char **newenv; int i; ! if (env_get("RBLSMTPD")) return; x = env_get("TCPREMOTEIP"); if (!x) return; --- 20,29 char *x; int numenv; char **newenv; + char *newclient; int i; ! if (env_get("RELAYCLIENT")) return; x = env_get("TCPREMOTEIP"); if (!x) return; *** *** 43,50 for (numenv = 0;environ[numenv];++numenv) ; newenv = (char **) alloc((numenv + 2) * sizeof(char *)); if (!newenv) return; for (i = 0;i < numenv;++i) newenv[i] = environ[i]; ! newenv[numenv++] = "RBLSMTPD="; newenv[numenv] = 0; environ = newenv; } --- 45,56 for (numenv = 0;environ[numenv];++numenv) ; newenv = (char **) alloc((numenv + 2) * sizeof(char *)); if (!newenv) return; + newclient = alloc(str_len(relayclient)+13); + if (!newclient) return; + byte_copy(newclient, 12, "RELAYCLIENT="); + byte_copy(newclient+12, 1+str_len(relayclient), relayclient); for (i = 0;i < numenv;++i) newenv[i] = environ[i]; ! newenv[numenv++] = newclient; newenv[numenv] = 0; environ = newenv; } *** *** 55,63 { if (!argv[1]) usage(); if (!argv[2]) usage(); domain = argv[1]; check(); ! execvp(argv[2],argv + 2); ! 
strerr_die4sys(111,"antirbl: fatal: ","unable to run ",argv[2],": "); } --- 61,71 { if (!argv[1]) usage(); if (!argv[2]) usage(); + if (!argv[3]) usage(); domain = argv[1]; + relayclient = argv[2]; check(); ! execvp(argv[3],argv + 3); ! strerr_die4sys(111,"detour: fatal: ","unable to run ",argv[3],": "); } *** Makefile.oldMon Oct 4 10:39:25 1999 --- MakefileSun Oct 3 15:19:47 1999 *** *** 88,93 --- 88,110 compile chmod 755 compile + ## JRL + detour: \ + load detour.o ip.o strerr.a substdio.a alloc.a error.a env.a str.a \ + fs.a dns.lib socket.lib + ./load detour ip.o strerr.a substdio.a alloc.a error.a \ + env.a str.a fs.a `cat dns.lib` `cat socket.lib` + + #detour.0: \ + #detour.8 + # nroff -man detour.8 > detour.0 + + detour.o: \ + compile detour.c alloc.h strerr.h fmt.h str.h ip.h env.h + ./compile detour.c + + + dns.lib: \ tryrsolv.c compile load socket.lib ( ( ./compile tryrsolv.c && ./load tryrsolv \ *** *** 210,216 ./compile open_trunc.c prog: \ ! rblsmtpd antirbl rblsmtpd: \ load rblsmtpd.o txt.o commands.o ip.o getopt.a strerr.a substdio.a \ --- 227,233 ./compile open_trunc.c prog: \ ! rblsmtpd antirbl detour rblsmtpd: \ load rblsmtpd.o txt.o commands.o ip.o getopt.a strerr.a substdio.a \
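Review bot: in the check() hunk (the block that allocates newclient), an allocation failure makes check() return silently, so a listed host is then handed to the program with no RELAYCLIENT set and is treated exactly like an unlisted one; since the whole point of detour is to route listed hosts elsewhere, consider failing with a temporary error (strerr_die1x(111, ...)) instead of falling through, and note that on the newclient failure path the already allocated newenv is simply abandoned. The size arithmetic itself is right: 12 bytes of "RELAYCLIENT=" plus str_len(relayclient) plus the NUL that the 1+str_len(relayclient) copy brings along.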
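Review bot: in the main() hunk, "if (!argv[2]) usage();" only checks that a second argument is present, so "detour domain '' program" passes and check() then exports an empty RELAYCLIENT=, which qmail-smtpd treats the same as any other set value; that would quietly turn every listed host into an ordinary relay client with nothing appended, so add "if (!*argv[2]) usage();" (or a clearer message) beside the existing checks.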
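Review bot: in the first Makefile hunk the detour.0/detour.8 rule is commented out and no detour.8 is added, so the usage string is the only documentation of the new relayclient argument; either ship a short detour.8 (saying that the string is exported as RELAYCLIENT only when the connecting IP is listed and RELAYCLIENT is not already set) and uncomment the rule, or drop the dead rule rather than leave it in the build.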
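Review bot: in the prog: hunk only the build target is extended; if the package's install/setup targets list rblsmtpd and antirbl explicitly in the same way, detour needs adding there too, otherwise a default build produces the binary but never installs it.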
new "detour" program for RBL use
I have made a mutant version of antirbl called "detour" for people who'd like to accept mail from hosts on an RBL-ish list, but treat it specially. Syntax:

detour domain relayclientstring program ...

The domain is the RBL-ish domain, e.g., dialups.mail-abuse.org, and the relayclientstring is stuck into RELAYCLIENT in the environment if the domain's in that RBL-ish domain and RELAYCLIENT isn't already set. I use it to send stuff from dialups into a spam trap which looks up the IP and if it's a domain it knows, fires off a complaint.

The program is mutated from antirbl with about six lines of new code. If anyone's interested, I can put it up on the web.

Regards, John Levine, [EMAIL PROTECTED], Primary Perpetrator of "The Internet for Dummies", Information Superhighwayman wanna-be, http://iecc.com/johnl, Sewer Commissioner Finger for PGP key, f'print = 3A 5B D0 3F D9 A0 6A A4 2D AC 1E 9E A6 36 A3 47
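As an added illustration of the decision detour makes (this is not John's detour.c from the diff posted earlier), here is a stand-alone C model with the DNS lookup passed in as a function so it runs offline. The DNSBL query-name layout (reversed octets in front of the list domain), the list domain dialups.example.invalid and the listed addresses are assumptions made up for the example.

```c
/* Added example (not John Levine's detour.c): a stand-alone model of the
 * decision detour makes for one SMTP connection.  The DNS lookup is passed
 * in as a function so the code runs offline; the query-name layout
 * (reversed octets in front of the list domain) is the usual DNSBL form
 * and is assumed here, not taken from the post. */
#include <stdio.h>
#include <string.h>

/* Strict dotted-quad parser: exactly four decimal octets, no signs,
 * no leading or trailing junk.  Returns 0 on success, -1 otherwise. */
static int parse_ipv4(const char *s, unsigned o[4])
{
    for (int i = 0; i < 4; i++) {
        unsigned v = 0;
        int digits = 0;
        while (*s >= '0' && *s <= '9') {
            v = v * 10 + (unsigned)(*s - '0');
            if (v > 255 || ++digits > 3)
                return -1;
            s++;
        }
        if (digits == 0)
            return -1;
        o[i] = v;
        if (i < 3) {
            if (*s != '.')
                return -1;
            s++;
        }
    }
    return *s == '\0' ? 0 : -1;
}

/* Build the name to look up for ip a.b.c.d in an RBL-ish domain:
 * "d.c.b.a.<domain>".  Returns 0 on success, -1 on a bad address or
 * when the result does not fit in out. */
int dnsbl_query_name(const char *ip, const char *domain, char *out, size_t outlen)
{
    unsigned o[4];
    if (parse_ipv4(ip, o) != 0)
        return -1;
    int n = snprintf(out, outlen, "%u.%u.%u.%u.%s", o[3], o[2], o[1], o[0], domain);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Convenience for checks: 1 if the query name built for ip equals expect. */
int query_name_equals(const char *ip, const char *domain, const char *expect)
{
    char buf[256];
    if (dnsbl_query_name(ip, domain, buf, sizeof buf) != 0)
        return 0;
    return strcmp(buf, expect) == 0;
}

/* What detour exports as RELAYCLIENT for this connection, or NULL to leave
 * the environment alone.
 *   existing    - RELAYCLIENT already in the environment (NULL if unset);
 *                 a value set earlier, e.g. by tcpserver rules, wins.
 *   relayclient - the string from detour's command line.
 *   listed      - the lookup: nonzero if qname exists in the list domain.
 * An empty relayclient is refused: qmail-smtpd keys off RELAYCLIENT being
 * set at all, so exporting "" would make the host a plain relay client
 * instead of a detoured one. */
const char *detour_decide(const char *existing, const char *ip, const char *domain,
                          const char *relayclient, int (*listed)(const char *qname))
{
    char qname[256];
    if (existing)
        return NULL;
    if (!relayclient || !*relayclient)
        return NULL;
    if (!ip || dnsbl_query_name(ip, domain, qname, sizeof qname) != 0)
        return NULL;
    return listed(qname) ? relayclient : NULL;
}

/* Constructed stand-in for the DNS lookup: two "listed" dialup addresses
 * under a made-up list domain.  The real program resolves the name. */
int constructed_listed(const char *qname)
{
    static const char *const names[] = {
        "10.2.0.192.dialups.example.invalid",
        "20.2.0.192.dialups.example.invalid",
    };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        if (strcmp(qname, names[i]) == 0)
            return 1;
    return 0;
}

int main(void)
{
    const char *domain = "dialups.example.invalid";   /* constructed */
    const char *ips[] = { "192.0.2.10", "192.0.2.20", "198.51.100.7", "192.0.2.300" };
    for (size_t i = 0; i < sizeof ips / sizeof ips[0]; i++) {
        const char *v = detour_decide(NULL, ips[i], domain, "-dul", constructed_listed);
        printf("%-14s -> %s\n", ips[i], v ? v : "(environment unchanged)");
    }
    return 0;
}
```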
Re: Recording the envelope-from in Received: line
In article <[EMAIL PROTECTED]> you write:
>With sendmail and Postfix (or so I've heard) it is possible to record the
>envelope-from address in the Received: line. This is deemed useful by my
>colleagues for tracing mails through broken e-mail gateways.

qmail puts that in Delivered-To:

Looks to me like you get a Delivered-To: each time the envelope changes, so that should give you the trace info you need.

-- John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869 [EMAIL PROTECTED], Village Trustee and Sewer Commissioner, http://iecc.com/johnl, Member, Provisional board, Coalition Against Unsolicited Commercial E-mail
SMTP AUTH ?
Has anyone tried to add SMTP AUTH to the qmail SMTP daemon? I hear from an extremely reliable source that sendmail 8.10 will have it, so it seems like for better or worse this will be the way that people solve the roaming user problem.

Regards, John Levine, [EMAIL PROTECTED], Primary Perpetrator of "The Internet for Dummies", Information Superhighwayman wanna-be, http://iecc.com/johnl, Sewer Commissioner Finger for PGP key, f'print = 3A 5B D0 3F D9 A0 6A A4 2D AC 1E 9E A6 36 A3 47
Re: testing for an open relay
>OK Tried that (http://maps.vix.com/tsi/ar-test.html) and I failed the
>very last test.

Nope, qmail gives a misleading response. It accepts the message and then bounces it, since it checks only the domain at SMTP time.

>> http://maps.vix.com/tsi/ar-test.html

It's based on one I wrote. For the original, which can actually send a little test mail, try http://www.abuse.net/relay.html. I've been meaning to make it smarter and look at the SMTP banner, see if it recognizes the MTA, and if so skip tests that won't give useful results.

-- John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869 [EMAIL PROTECTED], Village Trustee and Sewer Commissioner, http://iecc.com/johnl, Member, Provisional board, Coalition Against Unsolicited Commercial E-mail
Re: Mail.com blacklisting
>http://maps.vix.com/tsi/new-rlytest.cgi?ADDR=iq-ss5.iquest.net

I wrote that relay tester. It does indeed give false positives for qmail. It mostly looks for sendmail holes, since that's where most of the holes are. One of the things on my list of things to do is to make it look at the banner and if it recognizes the MTA, skip tests that are likely to give false positives.

See http://www.abuse.net/relay.html for the full version that can actually send test messages.

-- John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869 [EMAIL PROTECTED], Village Trustee and Sewer Commissioner, http://iecc.com/johnl, Member, Provisional board, Coalition Against Unsolicited Commercial E-mail
Re: ISP Needs Qmail for *thousands* of third-level (foo.bar.com) domains!
>We need to accept incoming mail for thousands of third-level domains (e.g.
>foo.bar.com). Then we need to forward all mail for each third-level domain
>to an email address specified by the third-level domain's owner.
>
>Ideas?

Go ahead and do it. There are two or three config files that will bloat up with thousands of domains. One is the "virtualdomains" file that lists the mapping from domain to address, but that's only read once by qmail-send and held in an internal form, so that's not likely to be a performance problem. The SMTP daemon reads the list of domains to accept from rcpthosts and morercpthosts, but you compile the latter into a CDB file so that shouldn't be a problem, either.

One way to handle the forwarding addresses would be to make fake addresses in users/assign, but I'd suggest mapping them all through a single virtual user, e.g. in virtualdomains:

floob.org:virtual-floob.org

Then make a .qmail-alias-default that uses fastforward to look up the actual address. (Remember that dots turn into colons when it looks up the address.) CDB is designed so that lookups take constant time regardless of the size of the database, so at first glance I don't see any reason this shouldn't work for thousands of virtual domains.

>Hmmm. Considering another option, what about a cool Web interface enabling
>the domain's owner to access email sent to their domain (e.g. foo.bar.com),
>with Qmail on the backend?

Sounds like a swell idea, shouldn't be very hard to adapt from one of the existing web mail packages.

-- John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869 [EMAIL PROTECTED], Village Trustee and Sewer Commissioner, http://iecc.com/johnl, Member, Provisional board, Coalition Against Unsolicited Commercial E-mail
Re: I've been doing some relay testing.
>I just got this little note from our ISP saying that qmail is allowing this
>backdoor relay method through. Instead of relaying (which I don't want), it
>tries to deliver the message to our internal server. This isn't so good. I'd
>like to refuse outright anything like this, so how would I go about doing
>so?

That's not ORBS, it's the relay tester at mail-abuse.com, home of the RBL. Tell your ISP that there's a reason I made it say "The host may reject this message internally, however" because qmail and some other MTAs accept anything with a valid domain after the at-sign and sort out the mailbox part later.

When I have a chance, I'm planning to do some pattern matching on the responses to figure out what MTA the target system is using and skip tests that are likely to give false positives.

Incidentally, the full version of that tester lives at http://www.abuse.net/relay.html and if you're a registered abuse.net user, it will send a test message for you so you can see whether it actually relays or not. Don't get cute, everything's logged and rate-limited.

Regards, John Levine, [EMAIL PROTECTED], Primary Perpetrator of "The Internet for Dummies", Information Superhighwayman wanna-be, http://iecc.com/johnl, Sewer Commissioner Finger for PGP key, f'print = 3A 5B D0 3F D9 A0 6A A4 2D AC 1E 9E A6 36 A3 47

>-Original Message-
>From: Tom J [mailto:[EMAIL PROTECTED]]
>Sent: Thursday, August 19, 1999 11:32 AM
>To: Ben Kosse
>Subject: Re: Follow up on Relay testing
>
>
>FROM TOM JONES
>
>>>> RSET
><<< 250 flushed
>>>> MAIL FROM:
><<< 250 ok
>>>> RCPT TO:<[EMAIL PROTECTED]>
><<< 250 ok
>
>
>Uh oh, host appeared to accept a message for relay.
>The host may reject this message internally, however

-- John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869 [EMAIL PROTECTED], Village Trustee and Sewer Commissioner, http://iecc.com/johnl, Member, Provisional board, Coalition Against Unsolicited Commercial E-mail
Re: ORBS and other relay blockers
>> ORBS probes come from a single IP address so it's easy just to block
>> them with tcpserver rules. While you're at it, you might as well
>> block some of the other SMTP relay scanners:
>
>Before you do, you should make sure blocking them isn't going to get
>you put on their lists.

Unless you do something else to annoy them, you won't. It hardly matters, when I was in ORBS the amount of mail that bounced was infinitesimal. The only blocking system that's widely used is the RBL.

>Also if you don't mind the occasional small amount of traffic, having
>ORBS or one of the others tell you that your mail server is open, is
>better than being abused by spammers when they find it.

My mail server isn't open, and when someone starts rattling each of the 100 virtual IPs on the machine and sending 18 probe messages per IP, it gets really old really fast.

Regards, John Levine, [EMAIL PROTECTED], Primary Perpetrator of "The Internet for Dummies", Information Superhighwayman wanna-be, http://iecc.com/johnl, Sewer Commissioner Finger for PGP key, f'print = 3A 5B D0 3F D9 A0 6A A4 2D AC 1E 9E A6 36 A3 47
ORBS and other relay blockers
>>This being the case, how does one _prevent_ a mail server which
>>is running qmail to be _not_ included in the orbs database?

It's true that ORBS generally lists only hosts that actually return relay spam, but it's not invariably true -- he listed some of my addresses for a while because he was mad at me.

ORBS probes come from a single IP address so it's easy just to block them with tcpserver rules. While you're at it, you might as well block some of the other SMTP relay scanners:

# ORBS
202.36.148.5:deny
# null.dk
194.192.207.9:deny
# IMRSS
199.0.22.2:deny

-- John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869 [EMAIL PROTECTED], Village Trustee and Sewer Commissioner, http://iecc.com/johnl, Member, Provisional board, Coalition Against Unsolicited Commercial E-mail
Weird tcpserver DNS failure problem
I am running tcpserver to run qmail-smtpd. I have patches applied to let me use rules based on reverse DNS as well as IP range (yes, I know that's insecure) although they don't seem to be the problem here. I also have a small tarpitting patch to qmail-smtpd.c, but it's not active for the site in question.

This site can't deliver mail to me:

Aug 17 15:02:30 xuxa qmail-smtpd: MAIL FROM MX (temporary) check failed ([EMAIL PROTECTED]) -> ([EMAIL PROTECTED]) [193.164.172.32] (HELO hydrogen.electronic-vending.net)

When I do a lookup, it doesn't have an MX but its forward A record and reverse PTR appear to be fine. I've restarted BIND, qmail-send, and tcpserver, doesn't make any difference. Any ideas?

Regards,
John Levine, [EMAIL PROTECTED], Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://iecc.com/johnl, Sewer Commissioner
Finger for PGP key, f'print = 3A 5B D0 3F D9 A0 6A A4 2D AC 1E 9E A6 36 A3 47
Re: bare line feeds
>>Bare LFs are now categorically prohibited by 822bis. They were never
>>handled correctly by sendmail. The client's behavior is inexcusable.
>
>I guess not having access to 822bis, I'll have to ask for clarification.

It's at http://www.ietf.org/internet-drafts/draft-ietf-drums-msg-fmt-07.txt

>Are bare LF's themselves prohibited? Or is it the treating of bare
>LF's as line terminators that is prohibited?

It says:

- CR and LF MUST only occur together as CRLF; they MUST NOT appear independently in the body.

>What about in 8BITMIME messages? No bare LF's allowed at all?

822bis says that it doesn't define MIME, but RFC 2045 which does says:

2.8. 8bit Data

"8bit data" refers to data that is all represented as relatively short lines with 998 octets or less between CRLF line separation sequences [RFC-821]), but octets with decimal values greater than 127 may be used. As with "7bit data" CR and LF octets only occur as part of CRLF line separation sequences and no NULs are allowed.

Regards,
John Levine, [EMAIL PROTECTED], Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://iecc.com/johnl, Sewer Commissioner
Finger for PGP key, f'print = 3A 5B D0 3F D9 A0 6A A4 2D AC 1E 9E A6 36 A3 47
Re: bare line feeds
>>Bare LFs are now categorically prohibited by 822bis. They were never
>>handled correctly by sendmail. The client's behavior is inexcusable.
>
>I guess not having access to 822bis, I'll have to ask for clarification.

Everyone has access to it. It's at http://www.ietf.org/internet-drafts/draft-ietf-drums-msg-fmt-07.txt

>Are bare LF's themselves prohibited? Or is it the treating of bare
>LF's as line terminators that is prohibited?

It says:

- CR and LF MUST only occur together as CRLF; they MUST NOT appear independently in the body.

>What about in 8BITMIME messages? No bare LF's allowed at all?

822bis says that it doesn't define MIME, but RFC 2045 which does says:

2.8. 8bit Data

"8bit data" refers to data that is all represented as relatively short lines with 998 octets or less between CRLF line separation sequences [RFC-821]), but octets with decimal values greater than 127 may be used. As with "7bit data" CR and LF octets only occur as part of CRLF line separation sequences and no NULs are allowed.

Regards,
John Levine, [EMAIL PROTECTED], Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://iecc.com/johnl, Sewer Commissioner
Finger for PGP key, f'print = 3A 5B D0 3F D9 A0 6A A4 2D AC 1E 9E A6 36 A3 47
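The rules quoted in the two "bare line feeds" replies above reduce to a small octet-level check, shown here as an added example (not code from the posts): CR and LF only as CRLF, at most 998 octets between CRLF separators, no NUL, and anything above 127 allowed. It deliberately works on raw bytes, since this is a transport-level property of the message and decoding it first would hide exactly the octets being checked. The sample bodies are constructed.

```python
"""
Line-discipline checker for the 822bis / RFC 2045 "8bit data" rules quoted
above. Added example, not from the original posts; samples are constructed.
"""

MAX_LINE_OCTETS = 998  # RFC 2045 limit for 7bit and 8bit data


def check_line_discipline(body: bytes):
    """Return [(line_number, problem), ...]; an empty list means the body is clean."""
    problems = []
    line_no = 1
    line_len = 0          # octets on the current line, CRLF excluded
    i, n = 0, len(body)
    while i < n:
        b = body[i]
        if b == 0x0D:
            if i + 1 < n and body[i + 1] == 0x0A:          # proper CRLF terminator
                if line_len > MAX_LINE_OCTETS:
                    problems.append((line_no, "line exceeds 998 octets"))
                line_no += 1
                line_len = 0
                i += 2
                continue
            problems.append((line_no, "bare CR"))           # CR not followed by LF
        elif b == 0x0A:
            problems.append((line_no, "bare LF"))           # LF not preceded by CR
            line_no += 1                                    # still counts as a break for reporting
            line_len = 0
            i += 1
            continue
        elif b == 0x00:
            problems.append((line_no, "NUL octet"))
        line_len += 1                                        # octets > 127 are fine in 8bit data
        i += 1
    if line_len > MAX_LINE_OCTETS:                           # unterminated last line
        problems.append((line_no, "line exceeds 998 octets"))
    return problems


def is_valid_8bit_data(body: bytes) -> bool:
    return not check_line_discipline(body)


if __name__ == "__main__":
    # Constructed samples: a clean message, then one whose header line ends in a bare LF.
    for sample in (b"Subject: test\r\n\r\ncaf\xc3\xa9\r\n", b"Subject: test\n\r\nbody\r\n"):
        print(sample, check_line_discipline(sample))
```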
Re: $HOME must be owned by user?
>You don't necessarily need those rights. Maybe a maildir is used that
>is owned by the user, or something like '|/usr/cyrus/bin/deliver $USER'.

Those are perfectly reasonable ways to deliver mail. If you don't want users to be able to change their delivery rules, make a users/assign that doesn't list those users, and create ~alias/.qmail-whoever files with the delivery rules you want to use.

-- 
John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869
[EMAIL PROTECTED], Village Trustee and Sewer Commissioner, http://iecc.com/johnl,
Member, Provisional board, Coalition Against Unsolicited Commercial E-mail
Re: Internet draft for VERP
>My problem with it is the same problem I've always had: the
>responsibility should be on the client smtp, not the server. How can
>the client smtp know the server will encode the VERP correctly?

Because it uses ESMTP option negotiation to find out if the server supports that.

>It would be better to send as many "return paths" as recipient
>addresses, but only one message. This might end up looking like:
>MAIL FROM/RCPT TO:<[EMAIL PROTECTED]>

Can you suggest an application where that would be useful? I use VERP all the time and I can't ever recall a situation where the default form of VERP wasn't entirely adequate. Adding features because someone might want them for some unknown purpose leads to bloatware.

-- 
John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869
[EMAIL PROTECTED], Village Trustee and Sewer Commissioner, http://iecc.com/johnl,
Member, Provisional board, Coalition Against Unsolicited Commercial E-mail
Re: cyclog, was *sigh* performance issues again. Please help!
>We also saw a lot of our performance problems disappear when we moved
>from syslog to cyclog

What do you do about daily or weekly log summaries? I still haven't come up with a good way to do that with cyclog.

-- 
John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869
[EMAIL PROTECTED], Village Trustee and Sewer Commissioner, http://iecc.com/johnl,
Member, Provisional board, Coalition Against Unsolicited Commercial E-mail
Re: Can qmail feed multiple users from one POP3 Mailbox
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
>
>would end up in the same mailbox at the ISP-. The only difference noted, is
>in the mail header, where the 'to:' field reflects the difference.

Sorry, you lose, since plenty of legit mail doesn't have the recipient's address in the To: line. (Mailing lists are the prime example.) If there's something in the Received: headers that lets you tell the difference, you could probably hack up fetchmail to do what you want.

-- 
John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869
[EMAIL PROTECTED], Village Trustee and Sewer Commissioner, http://iecc.com/johnl,
Member, Provisional board, Coalition Against Unsolicited Commercial E-mail
Internet draft for VERP
Gee, someone admits that VERP is a good idea.

This draft needs a lot of work. It has gratuitous language about the extra bandwidth that VERP requires, and hex encodes characters for no reason I can understand. But I suppose the idea of allowing the VERP expansion on another machine is OK.

Regards,
John Levine, [EMAIL PROTECTED], Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://iecc.com/johnl, Sewer Commissioner
Finger for PGP key, f'print = 3A 5B D0 3F D9 A0 6A A4 2D AC 1E 9E A6 36 A3 47

-- Forwarded message --
Date: Wed, 28 Jul 1999 07:05:36 -0400
From: [EMAIL PROTECTED]
To: IETF-Announce: ;
Subject: I-D ACTION:draft-varshavchik-verp-smtpext-01.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.

Title : Variable Envelope Return Path SMTP Extension
Author(s) : S. Varshavchik
Filename: draft-varshavchik-verp-smtpext-01.txt
Pages : 11
Date: 27-Jul-99

This document describes an extension to the SMTP service [1], called Variable Envelope Return Path (VERP). The VERP extension implements a way of automatically identifying undeliverable mail recipients, even when non-delivery reports originate from mail systems that do not implement delivery status notifications as specified in [2] and [3].

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-varshavchik-verp-smtpext-01.txt

Internet-Drafts are also available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-varshavchik-verp-smtpext-01.txt".

A list of Internet-Drafts directories can be found in http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt

Internet-Drafts can also be obtained by e-mail.

Send a message to: [EMAIL PROTECTED]
In the body type: "FILE /internet-drafts/draft-varshavchik-verp-smtpext-01.txt".
NOTE: The mail server at ietf.org can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e. documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages. Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft.
Re: [.qmail-default] trying to start another program if vdeliver fails
> Now, I'd like to use also another program (findmail, output = email
> address), that would try to deliver the mails _only_ if vdeliver
> doesn't find a defined user.

>|/usr/local/bin/vdeliver
>|if T=`./.findmail.pl`; then forward $T; else echo "Sorry, no mailbox here by that
>name (#5.1.1)."; exit 100; fi
> ...
>but it doesn't work correctly (it always forwards 2 mails :
>one normal, and the other one error).

The answer's lurking in qmail-command. An exit code of 0 means go on to the next line in .qmail. An exit code of 100 means send a bounce message. An exit code of 111 means stop and retry this later. But an exit code of 99 means to stop processing the .qmail file. So what you want is this:

>| if /usr/local/bin/vdeliver; then exit 99; else exit 0; fi
>|if T="`./.findmail.pl`"; then forward "$T"; else bouncesaying "Sorry, no mailbox
>here by that name (#5.1.1)."; fi

The except program doesn't do what you want, since it won't exit 99. But bouncesaying works for the final bounce. I'd also put in a few more " " to make your script more spoof-resistant against hostile addresses.

-- 
John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869
[EMAIL PROTECTED], Village Trustee and Sewer Commissioner, http://iecc.com/johnl,
Member, Provisional board, Coalition Against Unsolicited Commercial E-mail
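The double delivery in the question and the exit-99 fix in the answer come straight from the exit-code rules above. The following added example (not qmail's code and not from the post) simulates how qmail-local walks the "|command" lines of a .qmail file under those rules, so the "before" and "after" files can be compared. The three .qmail files and their commands are constructed stand-ins: each "delivery" only echoes a DELIVERED: marker and nothing is actually delivered or forwarded; "false" stands in for vdeliver declining an unknown user, and "exit 100" for bouncesaying. Any other nonzero exit code is treated as a temporary failure, which simplifies qmail-command(8).

```python
"""
Simulate qmail-local's handling of "|command" lines in a .qmail file:
exit 0 = go on to the next line, 99 = stop, delivery done, 100 = bounce,
111 = stop and retry later. Added example, not qmail's code.
"""
import subprocess

# The asker's layout: vdeliver exits 0 after delivering, so qmail-local runs
# the next line too and the message is handled twice.
DOT_QMAIL_BEFORE = """\
|echo DELIVERED:vdeliver; exit 0
|echo DELIVERED:forward; exit 0
"""

# The fix from the post: exit 99 once vdeliver has delivered, so qmail-local
# stops; exit 0 only when vdeliver declines, so the fallback line runs.
DOT_QMAIL_AFTER = """\
|if echo DELIVERED:vdeliver; then exit 99; else exit 0; fi
|echo DELIVERED:forward; exit 0
"""

# Same layout for an unknown user: vdeliver declines ("false" stands in for
# it) and the fallback bounces, as bouncesaying would (exit 100).
DOT_QMAIL_UNKNOWN = """\
|if false; then exit 99; else exit 0; fi
|echo 'Sorry, no mailbox here by that name (#5.1.1).'; exit 100
"""


def run_dot_qmail(dot_qmail: str, message: bytes = b"Subject: test\n\nhello\n"):
    """Return (status, deliveries): status is 'delivered', 'bounce' or 'defer'."""
    deliveries = []
    for line in dot_qmail.splitlines():
        if not line.startswith("|"):
            continue                            # only command lines are modelled
        proc = subprocess.run(["sh", "-c", line[1:]], input=message,
                              capture_output=True)
        for out in proc.stdout.decode(errors="replace").splitlines():
            if out.startswith("DELIVERED:"):
                deliveries.append(out.split(":", 1)[1])
        rc = proc.returncode
        if rc == 0:
            continue                            # success: carry on with the next line
        if rc == 99:
            return "delivered", deliveries      # success: stop processing .qmail
        if rc == 100:
            return "bounce", deliveries         # hard error: bounce the message
        return "defer", deliveries              # 111 (or anything else): try later
    return "delivered", deliveries              # every line ran and succeeded


if __name__ == "__main__":
    for name, f in (("before", DOT_QMAIL_BEFORE), ("after", DOT_QMAIL_AFTER),
                    ("unknown", DOT_QMAIL_UNKNOWN)):
        print(name, run_dot_qmail(f))
```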
Re: Automatic administration of a lots of aliases -> looking for the best way
>I'm currently writing a mail-alias system "à la" iname.com (but just for
>a few domains), and I am asking myself which is the best way to do it.
...
>Isn't it possible to let qmail look in a file looking like
>this : ?
>-
>user1 [EMAIL PROTECTED]
>user2 [EMAIL PROTECTED]
>...

Sure. There are a couple of ways to do this. If you know you'll just be forwarding the mail without inspecting or changing it, deliver all of the mail for a domain like this:

~MAILDOMAIN/.qmail-default would contain:

| forward `lookup-address MAILDOMAIN "$DEFAULT"`

You provide a little lookup-address program that takes the virtual domain and address as arguments and writes the forwarding address to its stdout. Qmail will do the rest and forward it along.

If you want to do something fancier, deliver your mail to a program and have it remail it. That's what I do for abuse.net. For example:

~MAILDOMAIN/.qmail-default would contain:

| deliver-virtual-mail MAILDOMAIN "$DEFAULT"

Now the program deliver-virtual-mail gets the domain and username as arguments and can read the incoming mail as the standard input. It calls qmail-queue to remail the message. Here's the skeleton of a perl script to remail stuff with a tag at the bottom. A real version would do some logging and error checking.

# remailer
$vdomain = shift; $vuser = shift;          # command line arguments
$realaddress = &lookup($vdomain, $vuser);  # consult database or something (lookup is yours to write)
# run qmail-queue to remail the message, use envelope from of virtual
# user because we remailed it
open(MAIL, "|-") || exec ("/var/qmail/bin/qmail-inject", "-a", "-f$vuser\@$vdomain", $realaddress);
while(<>) {                                # pass through message
    print MAIL $_;
}
# add tag at the end
print MAIL "--\nForwarded by the Most Excellent Mail Forwarding Service.\n";
close(MAIL);
exit 0;

-- 
John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869
[EMAIL PROTECTED], Village Trustee and Sewer Commissioner, http://iecc.com/johnl,
Member, Provisional board, Coalition Against Unsolicited Commercial E-mail
Re: Messages reinjected to this mailing list
>Is there a way of doing on-demand SMTP without an IP for the client
>machine? (Ie., the client is IP masqueraded, and uses a private
>network IP-ETRN requires an IP.)

Russ Nelson has some great hacks around serialmail. One of the best uses a dummy POP mailbox, and every time there's a successful login on that POP mailbox, fires up serialmail to send all of the spooled mail to the IP that's POP-ing. It was about three lines of code.

If your client dials in using PPP to a Unix box, it's usually easy to start serialmail from the PPP startup script, again to whatever IP they're connected on, so the mail gets delivered each time they call in.

-- 
John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869
[EMAIL PROTECTED], Village Trustee and Sewer Commissioner, http://iecc.com/johnl,
Member, Provisional board, Coalition Against Unsolicited Commercial E-mail
Re: RRSS, was LOTS of Orbs hits
> But how is this different from Vixie RBL, except for the openness check?

RBL listings are entered manually, after live people review them, which takes a long time. RRSS runs automatically so listings are entered in real time.

> Or are you saying that if a site does spam but turns out not to be open it
> doesn't get listed?

RRSS is a list of spam relays. It doesn't try to be a list of spammers. If spam comes from a system that's not a relay, it might be an evil spam factory, or it might be a legitimate ISP who happens to have a hit-and-run spammer. No automated system can distinguish those.

Regards,
John Levine, [EMAIL PROTECTED], Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://iecc.com/johnl, Sewer Commissioner
Finger for PGP key, f'print = 3A 5B D0 3F D9 A0 6A A4 2D AC 1E 9E A6 36 A3 47
Re: rblsmtp with many RBLs
>MAPS="rbl.maps.vix.com mr-out.imrss.org relay.orbs.org relays.radparker.com"
>I hope I did not forget any RBL I could have used ;-)

You should use dul.maps.vix.com which lists dialup ports that shouldn't be sending direct mail. Imrss has problems similar to ORBS, bad attitude on the part of the guy who runs it.

-- 
John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869
[EMAIL PROTECTED], Village Trustee and Sewer Commissioner, http://iecc.com/johnl,
Member, Provisional board, Coalition Against Unsolicited Commercial E-mail
Re: RRSS, was LOTS of Orbs hits
>>I've heard good things about RRSS (http://relays.radparker.com/>) and
>>the person running it certainly seems to be much calmer and more
>>professional about it.
>
>I saw this site mentioned on the Tidbits Talk list about a week ago. I
>took a look, and I didn't see anything very useful. It looked to me like a
>Vixie RBL clone, only listing sites that had already spammed. I rarely get
>RBL hits, and would guess that RRSS hits would be equally as rare.

On the contrary, I get scads of delivery attempts from hosts in RRSS. RRSS is like ORBS in that when an IP is nominated, it sends a relay test and adds the host immediately if the relay test succeeds. This can take as little as a minute or two. Many sites, including mine, have spam trap addresses set up to automatically send nominations to RRSS whenever spam arrives from an unknown address, meaning that a new relay is typically listed within a few minutes of starting a spam run.

>The usefulness of ORBS to me has always been that they do list sites that
>have never spammed but are open to abuse.

That's part of the problem -- the vast majority of hosts in ORBS have never relayed any spam and never will, and I hope we agree that the goal is not to block legitimate non-spam mail. RRSS lists actual open spam relays, and gets them in promptly.

-- 
John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869
[EMAIL PROTECTED], Village Trustee and Sewer Commissioner, http://iecc.com/johnl,
Member, Provisional board, Coalition Against Unsolicited Commercial E-mail
Re: Why 2 tcpserver processes?
>This is an unpatched version of tcpserver from the latest ucspi-0.84 and you
>are correct. The tcpserver instances do go change to (in my case) sh
>instances when the reverse lookups have completed. My goof and sorry for
>the confusion!

Aha. I bet if you adjust the shell script so the last thing is "exec qmail-smtpd" rather than just "qmail-smtpd", you'll find that a lot of extra processes go away.

>Dave and John, do you both run tcpserver with the -H option set?

Nope. I do all of the lookups. In fact, I use the patches that let me filter on the looked up domain names as well as IP addresses so I can route some mail for, uh, special scrutiny.

-- 
John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869
[EMAIL PROTECTED], Village Trustee and Sewer Commissioner, http://iecc.com/johnl,
Member, Provisional board, Coalition Against Unsolicited Commercial E-mail
Re: Why 2 tcpserver processes?
>On a moderately busy (50 messages/minute for ~16 hours per day), there is
>a tcpserver process spawned for every incoming connection attempt. I
>usually have 35-40 of these present on the system in addition to the one
>started by supervise. Each of these authenticates the IP address the
>connection is coming from and then spawns qmail-smtpd. The tcpserver
>process does NOT exit until the qmail-smtpd is finished.

I don't know what tcpserver you're running, but it's not the one that's part of ucspi-0.84. It has a single master tcpserver process. It forks each time it accepts a connection, then the child process runs the rules and either exec's qmail-smtpd or exits. The child should show up as tcpserver only for as long as it takes to do the authentication, then it changes to qmail-smtpd.

This should be easy enough to verify -- look at the parent PIDs of the qmail-smtpd processes and observe that they're all children of the master tcpserver. Or read the source code. It's quite short.

If you have a lot of tcpserver child processes lying around, that suggests you have a DNS problem and they're stalling and timing out on some of the lookups.

-- 
John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869
[EMAIL PROTECTED], Village Trustee and Sewer Commissioner, http://iecc.com/johnl,
Member, Provisional board, Coalition Against Unsolicited Commercial E-mail
Re: Random Qmail Questions
>As for running an IMAP daemon, I honestly don't see why you would want to
>do that either. You can choose pop or imap, but running both only allows
>you to service a market where people prefer IMAP over POP, which is rare.

Pine users are a notable IMAP market. Pine believes deeply, devoutly, in IMAP. I'm planning to bring up an IMAP server here partly for Pine, partly so I can check my mail from Eudora on my laptop and see all of the mailboxes into which procmail has sorted my mail and stay in sync with Pine when I get home.

>The pop daemon that DJB wrote for maildir works beautifully, is simple,
>fast, secure, and what more can you ask for?

IMAP does a lot more than POP. I agree that the IMAP people at Washington have a very bad attitude toward qmail and maildirs, though.

-- 
John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869
[EMAIL PROTECTED], Village Trustee and Sewer Commissioner, http://iecc.com/johnl,
Member, Provisional board, Coalition Against Unsolicited Commercial E-mail
Re: Random Qmail Questions
>aliased to pinq so that everything will work. I notice that when a user
>starts pine, it automatically creates a Mailbox instead of using the
>Maildir. Does maildir2mbox do this automatically, or do I have something
>set up wrong?

Pine only groks mailboxes, so maildir2mbox moves the messages from a maildir to an mbox for Pine's benefit. In the longer run, consider running an IMAP server that handles maildirs.

>Second Question: I can't seem to send mail to root. Every time I try, a
>message ends up in the logs stating:

That's a feature, qmail doesn't want to run as root which it would have to do. Use ~alias/.qmail-root to send root's mail somewhere else.

>Also, I get the same error message when I send mail to a certain
>user, but it waits a second and delivers the mail to that user anyway.
>Weird..

Hmmn. Beats me. Usual voodoo suggestions regarding protections of the maildir and the user's home directory.

>unreliable, and basically worthless. Yet, I don't see any mention of what
>one is supposed to use instead. What is the preferred MUA for DJ Bernstein
>dittoheads? Is there a mailer with native Maildir support?

People say nice things about mutt. The rest of us make do with worthless unreliable MUAs.

>Fourth Question: Last question I promise. While looking through the docs,
>I've seen lots of recommendations to switch over to various programs,
>programs to replace things such as syslog and inet. I've noticed that all
>of these replacement programs seem to be in the beta stage. How reliable
>are they currently?

More reliable than the things they replace. Dan's definition of beta is along the lines of "not known to be bug-free" rather than the more popular "runs well enough that maybe the users will debug it for us." Like most bits of qmail, tcpserver is really nice once you believe that it really is fast and nail down its typical three-mile long command line.

-- 
John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869
[EMAIL PROTECTED], Village Trustee and Sewer Commissioner, http://iecc.com/johnl,
Member, Provisional board, Coalition Against Unsolicited Commercial E-mail
Re: prevent double sends with aliases
>Actually, I was just asking why couldn't qmail suppress dupes on local
>addresses.

The real reason is because it's the wrong tool. If you use procmail to deliver your mail, it's a two-line recipe to check for duplicate message ID's and discard the duplicates. That's what I do, it's much more effective than what sendmail does and it doesn't glop up the internals of the mail system.

-- 
John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869
[EMAIL PROTECTED], Village Trustee and Sewer Commissioner, http://iecc.com/johnl,
Member, Provisional board, Coalition Against Unsolicited Commercial E-mail
Re: dot-qmail
>I need a virtual domain to support more than one user using pop3d:
>[EMAIL PROTECTED]
>[EMAIL PROTECTED]
>
>My idea is to create one line in the virtualdomains file:
>abc.com:bob
>
>Then in bob's directory create .qmail-joe and in it add:
>/home/joe/Maildir/
>
>Joe's Maildir is setup and he has a .qmail file pointing to ./Maildir/
>although I don't think this is necessary.

Your problem is almost certainly that bob doesn't have write permission in joe's Maildir. Fortunately, he doesn't need it. Rather than trying to write in someone else's files, just forward the message to joe so qmail will deliver mail to joe normally. That is, in ~bob/.qmail-joe put:

&joe

-- 
John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869
[EMAIL PROTECTED], Village Trustee and Sewer Commissioner, http://iecc.com/johnl,
Member, Provisional board, Coalition Against Unsolicited Commercial E-mail
Re: QMail Book
>I asked someone at the O'Reilly booth last week at Spring Internet World in
>Los Angeles, the street date she gave me was I believe 1 Sep 99.

Uh, oh. Hey, Russ, we have to write faster.

-- 
John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869
[EMAIL PROTECTED], Village Trustee and Sewer Commissioner, http://iecc.com/johnl,
Member, Provisional board, Coalition Against Unsolicited Commercial E-mail
helping qmail vs. lame MTAs
>>Actually, if you are unfortunate enough to have a list of addresses sorted
>>by the right side of the @, qmail can be a big loser here.
...
>somedomain is poorly configured. Should qmail assume all sites are
>poorly configured? Should properly configured sites suffer because
>some sites are poorly run?

This is a topic I've been thinking about for a while. I want my MTA to open as many connections to a remote site as the remote can handle. If we're lucky, the remote is well configured and will reject connections to tell us that it's busy, but as we all know, most MTAs tend to accept them all and fall over.

Since qmail already keeps a retry interval for each remote IP it tries to contact, how hard would it be also to keep some estimate of the remote load, perhaps the time from accepting the connection to sending the initial banner? Then it could limit the number of simultaneous connections to slow hosts, for some definition of slow.

On a site with a lot of outgoing mail, I'd think this could improve overall outgoing mail throughput, since it prevents qmail from doing a DOS on itself by opening all of its outgoing connections to hosts that are terminally slow. Instead, it favors deliveries to hosts that can accept mail quickly and gets them out of the queue.

Yeah, none of this should be necessary, but there are a lot of features in a robust MTA that wouldn't be necessary if the rest of the world were better behaved.

-- 
John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869
[EMAIL PROTECTED], Village Trustee and Sewer Commissioner, http://iecc.com/johnl,
Member, Provisional board, Coalition Against Unsolicited Commercial E-mail
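The scheduling idea in the post, sketched as an added example (not qmail's code; qmail 1.03 only has the global control/concurrencyremote limit): remember how long each remote host takes to send its SMTP banner, call a host slow once the smoothed delay crosses a threshold, and cap concurrent deliveries to slow hosts so the remaining slots stay available for hosts that accept mail quickly. The smoothing factor, thresholds and sample timings are constructed.

```python
"""
Per-host delivery scheduler that limits concurrency to slow remotes.
Added example, not qmail's code; parameters and timings are constructed.
"""


class RemoteScheduler:
    def __init__(self, max_total=20, slow_threshold=5.0, slow_cap=2, alpha=0.3):
        self.max_total = max_total            # like control/concurrencyremote
        self.slow_threshold = slow_threshold  # smoothed seconds-to-banner that counts as slow
        self.slow_cap = slow_cap              # concurrent deliveries allowed to a slow host
        self.alpha = alpha                    # EWMA weight of the newest sample
        self.banner_ewma = {}                 # host -> smoothed banner delay (seconds)
        self.active = {}                      # host -> deliveries in flight

    def in_flight(self):
        return sum(self.active.values())

    def limit_for(self, host):
        """Concurrency cap for host: the global limit unless it is known to be slow."""
        est = self.banner_ewma.get(host)
        if est is not None and est >= self.slow_threshold:
            return self.slow_cap
        return self.max_total

    def try_start(self, host):
        """Claim a delivery slot for host; False means leave the message queued for now."""
        if self.in_flight() >= self.max_total:
            return False
        if self.active.get(host, 0) >= self.limit_for(host):
            return False
        self.active[host] = self.active.get(host, 0) + 1
        return True

    def finish(self, host, banner_seconds):
        """Release the slot and fold the observed banner delay into the estimate."""
        self.active[host] -= 1
        prev = self.banner_ewma.get(host)
        if prev is None:
            self.banner_ewma[host] = banner_seconds
        else:
            self.banner_ewma[host] = prev + self.alpha * (banner_seconds - prev)


if __name__ == "__main__":
    # Constructed run: one stalled host, one fast host, four slots in total.
    s = RemoteScheduler(max_total=4, slow_threshold=5.0, slow_cap=1)
    s.try_start("slow.example"); s.finish("slow.example", 30.0)
    print("slow host cap:", s.limit_for("slow.example"), "fast host cap:", s.limit_for("fast.example"))
```

The point the post makes is visible in the numbers: once a host has shown a 30-second banner delay, at most one delivery at a time goes to it, so a queue full of mail for that host can no longer consume all four slots.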
Re: non-resolving domain name patch
>>Has anyone written a patch for Qmail 1.0.3 to reject mail if envelope sender
>>domain can't be resolved?
>
>Funny you should ask, not 15 minutes ago I upgraded to 1.0.3 using
>such a patch. You want the patches from Jonathan Bradshaw mentioned
>on www.qmail.org.

I've been using them, and they work pretty well. One bug I've found is that it doesn't properly handle domains with a trailing dot. That is, this is rejected:

MAIL FROM:<[EMAIL PROTECTED]>

It looks easy enough to fix, but before I patch the patch, has anyone already done it?

-- 
John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869
[EMAIL PROTECTED], Village Trustee and Sewer Commissioner, http://iecc.com/johnl,
Member, Provisional board, Coalition Against Unsolicited Commercial E-mail
Re: Qmail, Majordomo, and virtual domains
Jeez, you go away on a trip for a few days, and someone asks one of the few questions to which you have an answer.

I run qmail 1.03 and majordomo 1.94 on two servers. One server (this one) has majordomo lists in its native domain iecc.com and also four virtual domains, three of which live here (as in, this is the MX for the domain) and one of which doesn't. The other server runs lists in three virtual domains. The lists are secure, in that unlike typical sendmail setups, knowing the true name of the outgoing list doesn't let you spoof a message onto the list. I use VERP to automatically take people off lists when there are a lot of bounces.

The domains are logically separate, if you write to [EMAIL PROTECTED] you only get the lists that are @abuse.net, and you can have lists with the same name in each domain. (Each domain in fact has a separate bounces list.) All of the domains also have other addresses not handled by majordomo.

My approach is different from Russ' in that I use a whole lot of .qmail files, as many as eight .qmail files per list or 12 if there's also a digest, but since all of the files are generated mechanically by a script, they don't cause me any trouble. The reason there's so many files is that I have a user majordom that owns all of the majordomo software and lists, and the lists all have aliases like majordom-domain-list-out and majordom-domain-list-out-owner-default so that qmail runs the software as majordom automatically.

If this sounds interesting, let me know and I'll pack up my scripts. There's a perl script to handle the bounces, and a shell script that creates the lists and makes the .qmail files.

-- 
John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869
[EMAIL PROTECTED], Village Trustee and Sewer Commissioner, http://iecc.com/johnl,
Member, Provisional board, Coalition Against Unsolicited Commercial E-mail
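The bounce handling the post describes (VERP on the outgoing side, a script that drops subscribers after repeated bounces) looks like this as an added example. It is not the author's perl script. It relies on qmail's VERP form, prefix-user=domain@host (the subscriber's "@" becomes "="), and on the Delivered-To: header qmail-local adds, which is how the bounce handler learns which VERP address a bounce came back to. The list name, host, threshold and sample bounce messages are constructed.

```python
"""
VERP encode/decode and a bounce counter for a mailing list.
Added example, not the author's code; all sample data is constructed.
"""


def encode_verp(bounce_local: str, host: str, subscriber: str) -> str:
    """Envelope sender to use when sending to one subscriber."""
    user, _, domain = subscriber.rpartition("@")
    return f"{bounce_local}-{user}={domain}@{host}"


def decode_verp(rcpt: str, bounce_local: str, host: str):
    """Subscriber encoded in a bounce's recipient address, or None if it isn't one of ours."""
    local, _, rcpt_host = rcpt.rpartition("@")
    prefix = bounce_local + "-"
    if rcpt_host.lower() != host.lower() or not local.startswith(prefix):
        return None
    # A domain can't contain "=", so split at the last one: a "=" inside the
    # subscriber's local part survives the round trip.
    user, sep, domain = local[len(prefix):].rpartition("=")
    if not sep or not user or not domain:
        return None
    return f"{user}@{domain}"


def delivered_to(message: str):
    """First Delivered-To: header value of a message, or None."""
    for line in message.splitlines():
        if not line.strip():
            break                                   # end of the header block
        name, _, value = line.partition(":")
        if name.strip().lower() == "delivered-to":
            return value.strip()
    return None


class BounceTracker:
    """Count bounces per subscriber and report who has reached the threshold."""

    def __init__(self, bounce_local: str, host: str, threshold: int = 3):
        self.bounce_local, self.host, self.threshold = bounce_local, host, threshold
        self.counts = {}

    def record(self, bounce_message: str):
        """Feed one bounce; return the subscriber it concerns, or None."""
        rcpt = delivered_to(bounce_message)
        sub = decode_verp(rcpt, self.bounce_local, self.host) if rcpt else None
        if sub:
            self.counts[sub] = self.counts.get(sub, 0) + 1
        return sub

    def to_remove(self):
        return sorted(s for s, n in self.counts.items() if n >= self.threshold)


# Constructed bounces: three for bob, one for alice, one that is not a VERP bounce.
SAMPLE_BOUNCES = (
    ["Delivered-To: mylist-bounces-bob=example.org@iecc.com\nSubject: failure notice\n\nbody\n"] * 3
    + ["Delivered-To: mylist-bounces-alice=example.net@iecc.com\n\nbody\n",
       "Delivered-To: mylist-bounces@iecc.com\n\nnot a VERP bounce\n"]
)


def run_sample():
    tracker = BounceTracker("mylist-bounces", "iecc.com", threshold=3)
    seen = [tracker.record(m) for m in SAMPLE_BOUNCES]
    return seen, tracker.to_remove()


if __name__ == "__main__":
    print(encode_verp("mylist-bounces", "iecc.com", "bob@example.org"))
    print(run_sample())
```

Because the subscriber is recovered from the envelope and not from the bounce body, this works against remote MTAs that send free-form failure notices instead of standard DSNs, which is the whole reason for VERP.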
Re: Email addresses with .'s in
> All agreed, but I still don't understand Russell saying 'slashes
> were useful to allow subdirectories'.

Slashes in individual user names are indeed not very useful, but they can be quite handy for virtual domains. You might put a line in control/virtualdomains like this:

blather.com:virtual-blather/m-

so that the mail for [EMAIL PROTECTED] is controlled by ~virtual/.qmail-blather/m-fred, putting each domain's qmail files in a separate subdirectory.

-- 
John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869
[EMAIL PROTECTED], Village Trustee and Sewer Commissioner, http://iecc.com/johnl,
Member, Provisional board, Coalition Against Unsolicited Commercial E-mail
Re: two questions about set-up
> > Question two. Can someone suggest a way that I can get qmail to do
> > tarpitting, or at least point me to a good wrapper to do tarpitting??
>
> John Levine has such a thing. He's deep in the throes of finishing a
> book, and I don't know if he kibos, so I'll CC: him just to get his
> attention.

I have a small patch that sticks sleeps in front of each read call in qmail-smtpd. It's not a real tarpit, but it does slow spammers down. It's controlled by a TARPIT environment variable that I set in hosts.allow. Will package it up and send it along.

Regards,
John Levine, [EMAIL PROTECTED], Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://iecc.com/johnl, Sewer Commissioner
Finger for PGP key, f'print = 3A 5B D0 3F D9 A0 6A A4 2D AC 1E 9E A6 36 A3 47
Re: Three solutions for spam
>It was quite standard at each company to send email direct through
>dialup, w/valid return address of company email, to save phone costs
>and company bandwidth.
>
>Are you suggesting there is something wrong with this?

Yes, in today's environment, you'll lose a lot of mail. Dialup filtering is already here. ISPs all over the place do it.

I can think of a couple of sensible approaches for travelling users:

* Relay the mail host of the ISP you're dialed into. That's what I do.

* Set up a tunnel back to headquarters (easy now that there's a standard albeit not very secure tunnel package provided with Windows) and be a host on your home network.

-- 
John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869
[EMAIL PROTECTED], Village Trustee and Sewer Commissioner, http://iecc.com/johnl,
Member, Provisional board, Coalition Against Unsolicited Commercial E-mail
Re: various smtp name filtering hacks
>Why not break the smtpd into two parts, the way qmail's pop3d
>separates auth from mail access. The first part handles everything
>before DATA, and this can be as simple as a shell or perl script.

Doesn't break up very nicely, since it's quite common to do multiple mail messages in one transaction with a RSET (which I know isn't really necessary) after each one.

This seems to be a reasonable place to use an exit routine. That is, each time you get a RCPT TO address, optionally fork and run a program specified in a control file or environment variable. The program might get the MAIL FROM as the first argument, RCPT TO as second argument, and inherits the TCP environment variables from smtpd. The program can do any processing it wants and returns 0 if the recipient should be added to the list, 1 for don't add, 2 for don't add and don't say anything because the program's already written an error message, and maybe 100 for croak instantly. This lets people implement any funky smtp filtering they want without cluttering smtpd with patches.

I gather Dan doesn't think much of this idea, but I don't see what's wrong with it. Certainly exit routines have been around for a long time and are a well-proven extension mechanism. It's sort of the inverse of the way that "except" and "bouncesaying" work. Yeah, it could screw up the SMTP dialog, but patches can screw it up worse.

-- 
John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869
[EMAIL PROTECTED], Village Trustee and Sewer Commissioner, http://iecc.com/johnl,
Member, Provisional board, Coalition Against Unsolicited Commercial E-mail
Re: wanted: patch to reject mail if envelope sender isn't valid domain
>Has anyone written a patch for Qmail 1.0.3 to reject mail if envelope sender
>domain can't be resolved?

Funny you should ask, not 15 minutes ago I upgraded to 1.0.3 using such a patch. You want the patches from Jonathan Bradshaw mentioned on www.qmail.org. The patches do some other stuff as well, most of which is useful, notably logging when qmail-smtpd rejects a mail attempt due to relay or other rules. It also supports a cdb for a large badmailfrom database if you want to try and get into spam filtering by MAIL FROM address. (I don't, I just want the domain validation.)

When you test this, note that the rejection actually comes after the RCPT TO, because he makes a special case of postmaster@ and abuse@ and accepts mail to those even from bogus sender domains.

--
John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869
[EMAIL PROTECTED], Village Trustee and Sewer Commissioner, http://iecc.com/johnl,
Member, Provisional board, Coalition Against Unsolicited Commercial E-mail
Re: qmail II request
>> Since I started this thread I can tell you without question what it's about
>> and [EMAIL PROTECTED] isn't any part of it. I want to reject mail being
>> sent to certain valid usernames, such as my database. I'd also like to bounce
>> some mail to nonvalid usernames without accepting and bouncing afterward since
>> they only double bounce anyway.

Me too. As people pointed out, I meant RCPT TO not MAIL TO.

>To do this, then it requires qmail-smtpd to know everything that qmail-send
>does. It requires a major rethink and rewriting of the qmail system.

Interesting theory, but hard to believe. All I want is a place to put a list of addresses that won't be accepted as RCPT TO arguments even if the domain is otherwise acceptable. Note that there's no new linkage here to anything other than perhaps a file in which the names are listed.

>If you are in control of the local delivery then you already can control
>who sends mail to your database. Why can't you use procmail?

As has been noted many times, rejecting mail at the SMTP level saves processing and makes it more likely that the sender will notice that it was rejected.

I'll dig up the patch that does this and try it out. Given that the badmailfrom code already exists, it shouldn't be very big.

--
John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869
[EMAIL PROTECTED], Village Trustee and Sewer Commissioner, http://iecc.com/johnl,
Member, Provisional board, Coalition Against Unsolicited Commercial E-mail
Re: qmail II request
>What you want is:
>/var/qmail/control/badmailheaderto
>which really doesn't buy you anything.

What I would like, and I believe what he's asking for, is /var/qmail/control/badmailto which would list specific addresses in otherwise acceptable domains to which all mail should bounce instantly. They'd match against the "MAIL TO:" command, not anything in the body.

I have a fistful of 100% spam-only addresses in my domains that were scraped ages ago, never were valid, and get spammed every day. I currently receive the spam and complain back to the IP sender, but it would be easier to bounce them directly.

--
John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869
[EMAIL PROTECTED], Village Trustee and Sewer Commissioner, http://iecc.com/johnl,
Member, Provisional board, Coalition Against Unsolicited Commercial E-mail
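The RCPT TO exit routine proposed in the "various smtp name filtering hacks" message above (MAIL FROM and RCPT TO as arguments, exit codes 0/1/2/100) together with the badmailto control file asked for here, as one added example that is neither qmail's code nor from these posts: a hypothetical POSIX sh hook that checks the sender against a badmailfrom-style list (including qmail's "@domain" entries) and the recipient against a proposed badmailto list, exempting postmaster@ and abuse@ the way the 1.0.3 sender-domain patch mentioned earlier does. The control file names, the 553 reply text and the sample list contents are assumptions.

```shell
#!/bin/sh
# Hypothetical "RCPT TO exit routine" for qmail-smtpd, invoked once per
# recipient as:  rcpt-check MAIL-FROM RCPT-TO
# Exit codes follow the proposal: 0 add the recipient, 1 don't add,
# 2 don't add and the error line has already been printed, 100 croak.
# badmailfrom is qmail's real control file; badmailto is the proposed one.
BADMAILFROM=${BADMAILFROM:-/var/qmail/control/badmailfrom}
BADMAILTO=${BADMAILTO:-/var/qmail/control/badmailto}

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# listed ADDRESS FILE: true if FILE has a line equal to ADDRESS or to
# "@domain" of ADDRESS, the matching rule qmail-smtpd uses for badmailfrom.
listed() {
  addr=$(lower "$1")
  [ -r "$2" ] || return 1                 # no file means an empty list
  grep -qixF -- "$addr" "$2" && return 0
  case $addr in
    *@*) grep -qixF -- "@${addr#*@}" "$2" ;;
    *)   return 1 ;;
  esac
}

rcpt_check() {
  [ $# -eq 2 ] || return 100              # wrong arguments: croak instantly
  sender=$1 rcpt=$2
  case $(lower "${rcpt%%@*}") in
    postmaster|abuse) return 0 ;;         # always reachable, whoever sends
  esac
  # Sender-based block: let smtpd print its usual "sorry" response.
  listed "$sender" "$BADMAILFROM" && return 1
  # Recipient-based block: print our own response, tell smtpd it's done.
  if listed "$rcpt" "$BADMAILTO"; then
    printf '553 sorry, mail to %s is not accepted here (#5.7.1)\r\n' "$rcpt"
    return 2
  fi
  return 0
}

# Constructed control files so the script runs stand-alone.
BADMAILFROM=$(mktemp); BADMAILTO=$(mktemp)
trap 'rm -f "$BADMAILFROM" "$BADMAILTO"' EXIT
printf '%s\n' '@spam.example' 'bulk@lists.example' > "$BADMAILFROM"
printf '%s\n' 'oldlist@example.org' 'webmaster@example.org' > "$BADMAILTO"

show() { rc=0; rcpt_check "$@" || rc=$?; echo "$1 -> $2: rc=$rc"; }
show joe@spam.example john@example.org      # rc=1 (sender domain listed)
show joe@spam.example abuse@example.org     # rc=0 (abuse@ exempt)
show ann@good.example OldList@example.org   # rc=2 (recipient listed)
```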
Re: spambait?
>Have any of you seen the spam prevention system Brightmail uses. I found
>it well thought-out, and is quite similar to what you folks are talking
>about. If you have not looked at it, I would recommend it, as it
>may give this development some ideas.

Nope. Brightmail uses live geeks 24/7 who look at digested mail from spamtraps and manually update filters. It's incredibly labor intensive.

The closest automated thing is the MAPS RSS which lists open relays that send spam. Many spam traps (including mine) autoforward stuff for testing and listing. To prevent spoofing, people who the manager knows get passwords to put in the submissions that let them bypass his manual scrutiny. It works pretty well, blocks a lot of spam for me.

--
John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869
[EMAIL PROTECTED], Village Trustee and Sewer Commissioner, http://iecc.com/johnl,
Member, Provisional board, Coalition Against Unsolicited Commercial E-mail
Re: bug in Qmail re virtualdomains
[ On mail to virtual domains, the local part of an address is rewritten but the domain isn't ]

>Now, the RECIPIENT environment variable is set to
>"[EMAIL PROTECTED]". Here is where the problem lies, RECIPIENT
>does not contain the actual recipient of the message, but some other
>address. This other address is not equivalent because it will not be handled
>in the same way by the qmail system, and may end up in a different mailbox
>than [EMAIL PROTECTED], the actual recipient.

No, that's how it's supposed to work, but like much of qmail, it could be documented a lot better.

On any mail received in a .qmail file, you know that the local part is relative to the local domain. Why? Because if it weren't, you wouldn't have gotten it. On the other hand, the domain isn't rewritten because that's how you tell whether the mail was really sent to westegg.com (the virtual domain), or to w1.drh.net (the local domain). Knowing whether it came in via a virtual domain is important when you have private domains in virtualdomains but not in rcpthosts for the benefit of local users. (I have a mail to news gateway set up that way, for example.)

A counter question is why rewrite the address at all, if we're going to leave the domain alone anyway. I believe (having limited vision into Dan's thought processes) that the reasoning is that if the mail originated locally, it could have been sent either to the virtual address [EMAIL PROTECTED] or directly to morgan-testforward, and he wanted the .qmail scripts to work consistently either way. I agree this last bit is debatable, but at least it's not gratuitous.

As to ezmlm working, I dunno, I'm a troglodyte, I still run majordomo albeit with many fully virtualized virtual domains. Maybe someone else can report on ezmlm+virtualdomain experience.

--
John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869
[EMAIL PROTECTED], Village Trustee and Sewer Commissioner, http://iecc.com/johnl,
Member, Provisional board, Coalition Against Unsolicited Commercial E-mail
Re: Queueing remote deliveries at specific intervals (ala sendmail-q)?
>Ok, this sounds good. Now I have a way to flush the queue at specific
>intervals, but how do I stop qmail(-rspawn I guess) from trying to deliver
>at all? I'm in a dial-on-demand system, and I don't want the mailer-daemon
>to trigger a dialup except when I tell it to.

Really, you want the serialmail package, since you don't really want to deliver on a clock, you want to deliver when you're connected, which may be based on a clock or may not.

Tell qmail to deliver all of the outgoing mail into a maildir by putting a catchall entry into virtualdomains. Then when you're dialed up, start maildirsmtp to pump out the messages, typically by running it at the end of the "ppp up" script. This is exactly the sort of application that maildirsmtp is intended for, and it works quite well.

--
John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869
[EMAIL PROTECTED], Village Trustee and Sewer Commissioner, http://iecc.com/johnl,
Member, Provisional board, Coalition Against Unsolicited Commercial E-mail
Re: replacing .qmail-* with cdb?
>Is it possible to use a cdb in place of a large number of .qmail-*
>files?

Sure. That's what Dan's fastforward program does. Run it from a .qmail-default file, usually ~alias/.qmail-default.

--
John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869
[EMAIL PROTECTED], Village Trustee and Sewer Commissioner, http://iecc.com/johnl,
Member, Provisional board, Coalition Against Unsolicited Commercial E-mail
Frustrating sort of security issue with virtual domains
I've always liked the way that qmail separated rcpthosts from locals and virtualdomains, so that you can have private virtual domains for your local and LAN users not visible to the outside. This lets me have, say, a fax gateway where I set up, say, fax.example.org in virtualdomains but not in rcpthosts, so my users and I can send messages to 13115552368@fax and it sends it along to the fax modem, without opening it up to the entire world. It's a private relay.

Except that there's a glaring loophole: that address is mapped to a non-virtual address something like [EMAIL PROTECTED], which means that if you let the world send mail to your local domain, anyone who can guess the mapping of virtuals can send to any virtual address.

I can plug the loophole by having the fax gateway code look at the first couple of Received: headers to see where a message came from, but in effect I'm reimplementing the relay protection that tcpserver already has, which can get hairy and unpleasant when you have pop-before-smtp and other complex rules about who gets RELAYHOST and who doesn't.

Or I could move everything out of the local domain, make everything a virtual domain and empty out locals. That surely is not the right solution.

Am I missing something, or is there no straightforward way to implement a private virtual domain in qmail?

Regards,
John Levine, [EMAIL PROTECTED], Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://iecc.com/johnl, Sewer Commissioner
Finger for PGP key, f'print = 3A 5B D0 3F D9 A0 6A A4 2D AC 1E 9E A6 36 A3 47