Re: qmail enhancements

2000-11-22 Thread Robert Varga



On Tue, 21 Nov 2000, Johan Van Gompel wrote:

> (1) check if a FQDN exists for the sender's IP (if not: no go);

If tcpserver has the -h option then it looks up the FQDN and puts it in
TCPREMOTEHOST. If you use the -p option as well, then it even verifies it, and
unsets TCPREMOTEHOST if it cannot be matched (no A or CNAME to the FQDN
matches the remote ip-literal). You can write a wrapper before
qmail-smtpd, which calls qmail-smtpd if TCPREMOTEHOST is set, or echoes
the error message of your selection and terminates. It will do the trick, I
think.

> (2) allow POP3 access via SSL only;

Use stunnel (see my post in the stunnel list regarding this).

> (3) extract any mail attachment and check it for various things;
> (viruses, unallowed extensions, etc.)

See the amavis website regarding this.

> (4) support delivery to same users at different domains;

Virtual domain feature in qmail.

> (5) allow only a more rigid form of authentication;
> (e.g. POP-before-SMTP)


See www.qmail.org for a solution solving this (there are at least two
solutions there), or the vpopmail package regarding this.

Regards,

Robert Varga
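The wrapper Robert describes, written out as an added example; it is not code from the thread, from qmail or from ucspi-tcp. It relies on tcpserver being started with -h and -p, so that TCPREMOTEHOST is set only when the peer's PTR name resolves back to the peer address; the script name, the 554 reply text and the convention of passing the real server as the wrapper's arguments are choices made here.

```shell
#!/bin/sh
# smtpd-wrapper: run under tcpserver in front of qmail-smtpd.
# Added example; not from the thread, qmail or ucspi-tcp.
# Assumed invocation (hostname verification needs both -h and -p):
#   tcpserver -v -R -h -p 0 smtp /usr/local/bin/smtpd-wrapper /var/qmail/bin/qmail-smtpd
# With -p, tcpserver leaves TCPREMOTEHOST set only when the PTR name
# resolves back to the peer address, so "is it set" is the whole check.

# Exit 0 if tcpserver gave us a verified remote host name, 1 otherwise.
remote_has_fqdn() {
    [ -n "${TCPREMOTEHOST:-}" ]
}

# The SMTP reply sent instead of the normal greeting when the check fails.
# The wording is a choice made here; SMTP allows a server to open the
# session with a 554 reply to refuse service before the client speaks.
reject_line() {
    printf '554 %s no verified reverse DNS for %s\r\n' \
        "${TCPLOCALHOST:-localhost}" "${TCPREMOTEIP:-unknown}"
}

# Hand the connection to the real server (given as "$@") or refuse it.
main() {
    if remote_has_fqdn; then
        exec "$@"
    fi
    reject_line
    exit 1
}

# Dispatch only when a server command line was given, so the file can
# also be sourced to exercise the functions without touching a socket.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Two caveats before putting this in front of a real MX: every connection now costs a PTR lookup plus the forward lookup -p adds, and a DNS timeout looks exactly like a missing PTR, so a transient resolver problem turns into a permanent 554 for the sender; replying 4xx instead lets such a host retry. Legitimate but sloppily configured senders with no reverse DNS are refused outright, which is what the original question asked for.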




Re: qmail enhancements

2000-11-21 Thread Sean Reifschneider

On Tue, Nov 21, 2000 at 11:25:36PM +0100, Johan Van Gompel wrote:
> A year and a half ago I built a Linux/qmail server to replace an aging
> Windows NT 3.51/Microsoft Mail system. This system has been working

Excellent.  We've had a number of clients asking us to help them migrate
from NT to Linux, and they've been happy with the results.  If NT works
for you, great.  If not, there's a nice alternative you should look at.
Spend the NT licensing money on a nice Athlon 1GHz upgrade.  ;-)

> (2) allow POP3 access via SSL only;

sslwrap works well for that.

> (3) extract any mail attachment and check it for various things;
> (viruses, unallowed extensions, etc.)

Amavis (with some studly caps thing).  Check freshmeat.net...

> (4) support delivery to same users at different domains;

?  [EMAIL PROTECTED] and [EMAIL PROTECTED] are different users?
http://www.inter7.com/vpopmail/ works well for this.  Also
doesn't require system accounts for virtual domain users.

> (5) allow only a more rigid form of authentication;
> (e.g. POP-before-SMTP)

http://www.em.ca/~bruceg/relay-ctrl/

Very easy install if you use the qmail+patches RPMs from the same site.

Sean
-- 
 Money is the root of all evil!  Man needs roots...
Sean Reifschneider, Inimitably Superfluous [EMAIL PROTECTED]
tummy.com - Linux Consulting since 1995. Qmail, KRUD, Firewalls, Python



Re: qmail enhancements

2000-11-21 Thread Bruce Guenter

On Tue, Nov 21, 2000 at 11:25:36PM +0100, Johan Van Gompel wrote:
> Qmail will be the first proverbial victim. The now a year and a half old
> 'ye standard qmail build' will have to be replaced by something more enhanced.

Why?  Is it broken?

> (1) check if a FQDN exists for the sender's IP (if not: no go);

Are you talking about doing a lookup on the sender domain name?  Not
much point to doing that since the vast majority of spam uses legitimate
but faked sender addresses.

> (2) allow POP3 access via SSL only;

Use a SSL wrapper.

> (3) extract any mail attachment and check it for various things;
> (viruses, unallowed extensions, etc.)

We use a fairly simple scanner that rejects anything with an attachment
that would be executable by Windoze -- exe, VBScript, etc.  It's worked
great for us.  There are some tools for doing this at
http://em.ca/~bruceg/qmail-qfilter/

> (4) support delivery to same users at different domains;

<plug>http://www.vmailmgr.org/</plug>

> (5) allow only a more rigid form of authentication;
> (e.g. POP-before-SMTP)

<plug>http://em.ca/~bruceg/relay-ctrl/</plug>

> Are there any patches that I should really consider?

Depends what your target environment is.  If you aren't handling
hundreds of thousands of messages a day, most if not all of the "big"
patches are irrelevant (big-todo, big-concurrency).  If you're running
on Linux, you'll want to link against a library that provides
synchronous directory operations (like http://em.ca/~bruceg/syncdir/) or
else you lose reliability.  Everything else should wait until you know
you need it.
-- 
Bruce Guenter [EMAIL PROTECTED]   http://em.ca/~bruceg/

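An added example of the kind of scanner Bruce describes; it is neither his scanner nor code from qmail-qfilter. It reads the message on stdin, pulls the name= and filename= parameters out of MIME Content-Type and Content-Disposition headers, and rejects the message when any declared attachment carries an extension Windows would execute. The filter contract it assumes (copy stdin to stdout to pass the message on, exit 31 to reject it permanently, any other non-zero exit treated as a temporary failure) is qmail-qfilter's as I recall it and should be checked against its README; the extension list, the script name and the --filter argument are choices made here.

```shell
#!/bin/sh
# attachment-filter: reject mail carrying Windows-executable attachments.
# Added example, not from the thread or from qmail-qfilter.
# Assumed use: a QMAILQUEUE wrapper runs
#   qmail-qfilter /usr/local/bin/attachment-filter --filter
# Extensions blocked by name (lower case); a choice made here.
BLOCKED='exe com bat cmd pif scr vbs vbe js jse wsf wsh lnk'

# Print every name= / filename= value found in Content-Type and
# Content-Disposition headers of the message on stdin, one per line.
attachment_names() {
    awk '
        # Leading whitespace marks a folded continuation of the last header.
        /^[ \t]/ { if (hdr != "") hdr = hdr " " $0; next }
        { flush(); hdr = $0 }
        END { flush() }
        function flush(    l, s) {
            if (hdr == "") return
            l = tolower(hdr)
            if (l ~ /^content-(type|disposition):/) {
                # A value may be quoted; "filename" matches before "name".
                while (match(l, /(file)?name[ \t]*=[ \t]*"?[^";]+/)) {
                    s = substr(hdr, RSTART, RLENGTH)
                    sub(/^[^=]*=[ \t]*"?/, "", s)
                    print s
                    l = substr(l, RSTART + RLENGTH)
                    hdr = substr(hdr, RSTART + RLENGTH)
                }
            }
            hdr = ""
        }'
}

# Lower-cased extension of a file name, empty when it has none.
extension_of() {
    printf '%s\n' "$1" |
        awk -F. 'NF > 1 { e = tolower($NF); sub(/[ \t]+$/, "", e); print e }'
}

# Return 0 if the message on stdin declares no blocked attachment,
# 1 otherwise (the first offending name goes to stderr).
scan_message() {
    names=$(attachment_names)
    while IFS= read -r name; do
        ext=$(extension_of "$name")
        for b in $BLOCKED; do
            if [ "$ext" = "$b" ]; then
                printf 'blocked attachment: %s\n' "$name" >&2
                return 1
            fi
        done
    done <<EOF
$names
EOF
    return 0
}

# Filter entry point under the assumed qmail-qfilter contract; 71 is
# qmail-queue's temporary-failure code, used when we cannot spool.
main() {
    tmp=$(mktemp /tmp/attfilter.XXXXXX) || exit 71
    trap 'rm -f "$tmp"' EXIT
    cat > "$tmp" || exit 71
    if scan_message < "$tmp"; then
        cat "$tmp"
        exit 0
    fi
    exit 31
}

# Only act as a filter when asked; sourcing the file just defines functions.
case "${1:-}" in
    --filter) main ;;
esac
```

What this does and does not catch: it trusts the declared file name, so it blocks exactly what Bruce's "anything that would be executable by Windoze" rule blocks and nothing more. RFC 2047/2231-encoded file names are not decoded, nothing is extracted from archives, and the content itself is not inspected, so a renamed or zipped executable passes; that is the gap a content scanner such as amavis is meant to close.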