Re: qmail enhancements

2000-11-22 Thread Robert Varga



On Tue, 21 Nov 2000, Johan Van Gompel wrote:

> (1) check if a FQDN exists for the sender's IP (if not: no go);

If tcpserver has the -h option then it looks up FQDN and puts it in
TCPREMOTEHOST. If you use -p option as well, then it even verifies it, and
unsets TCPREMOTEHOST if it cannot be matched (no A or CNAME to the FQDN
matches the remote ip-literal). You can write a wrapper before
qmail-smtpd, which calls qmail-smtpd if TCPREMOTEHOST is set, or echoes
the error message of your selection and terminates. It will do the trick I
think.

> (2) allow POP3 access via SSL only;

Use stunnel (see my post in the stunnel list regarding this).

> (3) extract any mail attachment and check it for various things;
> (viruses, unallowed extensions, etc.)

See the amavis website regarding this.

> (4) support delivery to same users at different domains;

Virtual domain feature in qmail.

> (5) allow only a more rigid form of authentication;
> (e.g. POP-before-SMTP)


See www.qmail.org for a solution solving this (there are at least two
solutions there), or the vpopmail package regarding this.

Regards,

Robert Varga
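
The wrapper described in the message above, as an added example that is not part of the original post. The name rdns-gate, the install path, the reply text and the RDNS_REPLY_CODE knob are assumptions; TCPREMOTEHOST, TCPREMOTEIP and RELAYCLIENT are the usual tcpserver/qmail environment variables.

```shell
#!/bin/sh
# rdns-gate (hypothetical name): sits between tcpserver and qmail-smtpd, e.g.
#   tcpserver -h -p ... 0 smtp /usr/local/bin/rdns-gate /var/qmail/bin/qmail-smtpd
# With -h -p, tcpserver leaves TCPREMOTEHOST unset unless the looked-up
# host name resolves back to the client's IP.

# Print "accept" or "reject" for the current connection environment.
rdns_decide() {
    # RELAYCLIENT is set (often to an empty string) by the tcpserver rules
    # for trusted clients; let those through even without reverse DNS.
    if [ -n "${RELAYCLIENT+set}" ]; then
        echo accept
    elif [ -n "${TCPREMOTEHOST:-}" ]; then
        echo accept
    else
        echo reject
    fi
}

# Print the SMTP reply sent in place of qmail-smtpd's greeting.
# Defaults to 451 (temporary) because a DNS timeout also leaves
# TCPREMOTEHOST unset; RDNS_REPLY_CODE=554 (assumed knob) makes it permanent.
rdns_reply() {
    printf '%s no verified reverse DNS for [%s]\r\n' \
        "${RDNS_REPLY_CODE:-451}" "${TCPREMOTEIP:-unknown}"
}

# Hand the connection to the real SMTP daemon, or refuse and terminate.
rdns_gate() {
    if [ "$(rdns_decide)" = accept ]; then
        exec "$@"
    fi
    # stderr ends up in tcpserver's log
    echo "rdns-gate: rejected ${TCPREMOTEIP:-unknown}" >&2
    rdns_reply
    exit 0
}

# Only act when given a program to run, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
    rdns_gate "$@"
fi
```
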




Re: qmail enhancements

2000-11-21 Thread Bruce Guenter

On Tue, Nov 21, 2000 at 11:25:36PM +0100, Johan Van Gompel wrote:
> Qmail will be the first proverbial victim. The now a year and a half old
> 'ye standard qmail build' will have to be replaced by something more
> enhanced.

Why?  Is it broken?

> (1) check if a FQDN exists for the sender's IP (if not: no go);

Are you talking about doing a lookup on the sender domain name?  Not
much point to doing that since the vast majority of spam uses legitimate
but faked sender addresses.

> (2) allow POP3 access via SSL only;

Use an SSL wrapper.

> (3) extract any mail attachment and check it for various things;
> (viruses, unallowed extensions, etc.)

We use a fairly simple scanner that rejects anything with an attachment
that would be executable by Windoze -- exe, VBScript, etc.  It's worked
great for us.  There are some tools for doing this at
http://em.ca/~bruceg/qmail-qfilter/

> (4) support delivery to same users at different domains;

 http://www.vmailmgr.org/ 

> (5) allow only a more rigid form of authentication;
> (e.g. POP-before-SMTP)

 http://em.ca/~bruceg/relay-ctrl/ 

> Are there any patches that I should really consider?

Depends what your target environment is.  If you aren't handling
hundreds of thousands of messages a day, most if not all of the "big"
patches are irrelevant (big-todo, big-concurrency).  If you're running
on Linux, you'll want to link against a library that provides
synchronous directory operations (like http://em.ca/~bruceg/syncdir/) or
else you lose reliability.  Everything else should wait until you know
you need it.
-- 
Bruce Guenter <[EMAIL PROTECTED]>   http://em.ca/~bruceg/



Re: qmail enhancements

2000-11-21 Thread Sean Reifschneider

On Tue, Nov 21, 2000 at 11:25:36PM +0100, Johan Van Gompel wrote:
>A year and a half ago I built a Linux/qmail server to replace an aging
>Windows NT 3.51/Microsoft Mail system. This system has been working

Excellent.  We've had a number of clients asking us to help them migrate
from NT to Linux, and they've been happy with the results.  If NT works
for you, great.  If not, there's a nice alternative you should look at.
Spend the NT licensing money on a nice Athlon 1GHz upgrade.  ;-)

>(2) allow POP3 access via SSL only;

sslwrap works well for that.

>(3) extract any mail attachment and check it for various things;
>(viruses, unallowed extensions, etc.)

Amavis (with some studly caps thing).  Check freshmeat.net...

>(4) support delivery to same users at different domains;

?  [EMAIL PROTECTED] and [EMAIL PROTECTED] are different users?
http://www.inter7.com/vpopmail/ works well for this.  Also
doesn't require system accounts for virtual domain users.

>(5) allow only a more rigid form of authentication;
>(e.g. POP-before-SMTP)

http://www.em.ca/~bruceg/relay-ctrl/

Very easy install if you use the qmail+patches RPMs from the same site.

Sean
-- 
 Money is the root of all evil!  Man needs roots...
Sean Reifschneider, Inimitably Superfluous <[EMAIL PROTECTED]>
tummy.com - Linux Consulting since 1995. Qmail, KRUD, Firewalls, Python



qmail enhancements

2000-11-21 Thread Johan Van Gompel

A year and a half ago I built a Linux/qmail server to replace an aging
Windows NT 3.51/Microsoft Mail system. This system has been working
flawlessly since its inception. However, after a while management wanted
to have a web site, so I installed Apache. Then they wanted Internet
access for their employees so I installed Squid. I was even forced to
install Samba when the original mail storage server died on us. Needless
to say, I am now looking into separating a couple of things.

Qmail will be the first proverbial victim. The now a year and a half old
'ye standard qmail build' will have to be replaced by something more
enhanced. Among things, it should:

(1) check if a FQDN exists for the sender's IP (if not: no go);
(2) allow POP3 access via SSL only;
(3) extract any mail attachment and check it for various things;
(viruses, unallowed extensions, etc.)
(4) support delivery to same users at different domains;
(5) allow only a more rigid form of authentication;
(e.g. POP-before-SMTP)

For (2) I guess any standard SSL wrapper will do and virtualdomains should
take care of (4) after some trial and error. I have no idea about (1) and
(5) though. Regarding (3) I've seen qmail-scanner mentioned several times.
I've downloaded the Life with Qmail page and will be devouring it shortly.

Are there any patches that I should really consider? Any other things or
specifics that I might be missing? Pitfalls I should really look out for?

--
Johan Van Gompel
