RE: [qmailtoaster] Re: Disable CHKUSER

2010-11-12 Thread Michael Colvin
 
> 
> On 11/12/2010 12:38 PM, Michael Colvin wrote:
> > OK…  So, I’ve got some clients that send mails out to affiliates of
> > theirs via rather large distribution lists. When at least one, maybe
> > more, of those addresses are bad, they get the “Sorry, can’t find a
> > valid MX for rcpt domain” bounce that, basically is bouncing the whole
> > message, so even the valid recipients don’t get the e-mail.
> >
> > I’ve searched the archives, particularly:
> > http://www.mail-archive.com/qmailtoaster-list%40qmailtoaster.com/msg27066.html,
> > and haven’t really found anything that helps…Unless I’m doing something
> > wrong…
> >
> > I’ve tried removing the references to CHKUSER_RCPT_MX in tcp.smtp, then
> > issued qmailctl cdb, same issue. I tried setting CHKUSER_RCPT_MX=””, and
> > CHKUSER_RCPT-MX=”0”… Nothing. Tried setting
> > CHKUSER_STARTING_VARIABLE=”NONE”…No change.
> >
> > I’ve read where the default CHKUSER config is to have these commented
> > out, but it appears that this isn’t the QMT default, per the linked
> > thread above.
> >
> > How do I go about commenting these out in CHKUSER’s config, and then
> > “Rebuild” QMT? I installed from the CentOS 5 ISO.
> >
> > I simply don’t want to check the MX for any e-mail on these particular
> > servers…I’d rather the client get bounces for those e-mails, so they can
> > clean up their lists.
> >
> >
> 
> http://wiki.qmailtoaster.com/index.php/Chkuser
> ;)
> 
> --
> -Eric 'shubes'
> 


Thanks Eric...Not sure how I missed that...I know I dug around on the Wiki
during my searches...

Tossing my .02 into the earlier thread that I linked to, I would agree with
your comment that these settings should be something that are "Enabled" in
tcp.smtp...  That would be more "User" friendly.  

Another item for Jake's already full "to-do" list.  :-)

Thanks again, I'll give that a try and see if it resolves my issue...Looks
like it will.


Michael J. Colvin
NorCal Internet Services
www.norcalisp.com


-
Qmailtoaster is sponsored by Vickers Consulting Group 
(www.vickersconsulting.com)
Vickers Consulting Group offers Qmailtoaster support and installations.
  If you need professional help with your setup, contact them today!
-
 Please visit qmailtoaster.com for the latest news, updates, and packages.

  To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
 For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com




[qmailtoaster] Re: Disable CHKUSER

2010-11-12 Thread Eric Shubert

On 11/12/2010 12:38 PM, Michael Colvin wrote:

OK…  So, I’ve got some clients that send mails out to affiliates of
theirs via rather large distribution lists. When at least one, maybe
more, of those addresses are bad, they get the “Sorry, can’t find a
valid MX for rcpt domain” bounce that, basically is bouncing the whole
message, so even the valid recipients don’t get the e-mail.

I’ve searched the archives, particularly:
http://www.mail-archive.com/qmailtoaster-list%40qmailtoaster.com/msg27066.html,
and haven’t really found anything that helps…Unless I’m doing something
wrong…

I’ve tried removing the references to CHKUSER_RCPT_MX in tcp.smtp, then
issued qmailctl cdb, same issue. I tried setting CHKUSER_RCPT_MX=””, and
CHKUSER_RCPT-MX=”0”… Nothing. Tried setting
CHKUSER_STARTING_VARIABLE=”NONE”…No change.

I’ve read where the default CHKUSER config is to have these commented
out, but it appears that this isn’t the QMT default, per the linked
thread above.

How do I go about commenting these out in CHKUSER’s config, and then
“Rebuild” QMT? I installed from the CentOS 5 ISO.

I simply don’t want to check the MX for any e-mail on these particular
servers…I’d rather the client get bounces for those e-mails, so they can
clean up their lists.

Michael J. Colvin
NorCal Internet Services
www.norcalisp.com
(916) 864-



http://wiki.qmailtoaster.com/index.php/Chkuser
;)

--
-Eric 'shubes'






[qmailtoaster] QMT Use Stats

2010-11-12 Thread Eric Shubert

FWIW, here's an interesting link:
http://www.securityspace.com/s_survey/data/man.200910/mxsurvey.html
That data is a year old.

Summarizing the last few years for QMT:
Year   Servers  Percent
11/09  1844     .20
02/09  1642     .20
02/08  1583     .17
02/07  1174     .13
11/06  1028     .11

So from 11/06 - 11/09, QMT has averaged growth of about 25% per year.
Not great market penetration (yet), but respectable growth.

--
-Eric 'shubes'






RE: [qmailtoaster] Re: Bounce mail

2010-11-12 Thread bax bax


Thanks for the help. I have uninstalled perl

rpm -e --allmatches --nodeps perl

and reinstalled it; it seems to work.


> To: qmailtoaster-list@qmailtoaster.com
> From: e...@shubes.net
> Date: Thu, 11 Nov 2010 10:01:05 -0700
> Subject: [qmailtoaster] Re: Bounce mail
> 
> I don't know why that code is being invoked.
> 
> Have you installed any perl modules using CPAN? If so, using rpm 
> packages instead might fix things up. Please read through recent thread 
> on list with subject "Clamav update trouble" for instructions on how to 
> get rid of CPAN modules and install perl modules using rpm packages.
> 
> -- 
> -Eric 'shubes'
> 
> On 11/11/2010 09:23 AM, bax bax wrote:
> > yes disabled.
> >
> >
> >
> >
> >  > To: qmailtoaster-list@qmailtoaster.com
> >  > From: e...@shubes.net
> >  > Date: Thu, 11 Nov 2010 09:06:09 -0700
> >  > Subject: [qmailtoaster] Re: Bounce mail
> >  >
> >  > That part of the code is doing IPv6 lookups. I don't know why.
> >  > Have you disabled IPv6?
> >  >
> >  > On 11/10/2010 05:38 PM, bax bax wrote:
> >  > > No now I recive two mail the bounced one and the second
> >  > >
> >  > >
> >  > > subject:Cron  env LANG=C /usr/bin/mrtg
> >  > > /usr/share/toaster/mrtg/qmailmrtg.cfg 2>&1 > /dev/null
> >  > >
> >  > > Subroutine main::AF_INET6 redefined at
> > /usr/lib/perl5/5.8.8/Exporter.pm line 65.
> >  > > at /usr/bin/mrtg line 97
> >  > >
> >  > >
> >  > >
> >  > > > To: qmailtoaster-list@qmailtoaster.com
> >  > > > From: e...@shubes.net
> >  > > > Date: Wed, 10 Nov 2010 16:42:02 -0700
> >  > > > Subject: [qmailtoaster] Re: Bounce mail
> >  > > >
> >  > > > It looks as though some IPv6 modules are coming into play. I
> > would try
> >  > > > disabling IPv6 and see if that fixes things up. In
> >  > > > /etc/sysconfig/network file:
> >  > > > NETWORKING_IPV6=no
> >  > > > (unless of course you're actually *using* IPv6, which I'm guessing
> >  > > > you're not)
> >  > > > You'll need to restart networking (or reboot) after making this
> > change.
> >  > > >
> >  > > > This really is just a guess. Hard to say what's really going on w/out
> >  > > > looking at the code.
> >  > > >
> >  > > > Did you fix the problem with cron email delivery?
> >  > > >
> >  > > > --
> >  > > > -Eric 'shubes'
> >  > > >
> >  > > > On 11/10/2010 03:59 PM, bax bax wrote:
> >  > > > > Thanks Eric but problem still here
> >  > > > >
> >  > > > > #qtp-whatami
> >  > > > > qtp-whatami v0.3.7 Wed Nov 10 23:58:41 CET 2010
> >  > > > > DISTRO=CentOS
> >  > > > > OSVER=5.5
> >  > > > > QTARCH=x86_64
> >  > > > > QTKERN=2.6.18-194.17.4.el5
> >  > > > > BUILD_DIST=cnt5064
> >  > > > > BUILD_DIR=/usr/src/redhat
> >  > > > > This machine's OS is supported and has been tested
> >  > > > >
> >  > > > >
> >  > > > >
> >  > > > > > To: qmailtoaster-list@qmailtoaster.com
> >  > > > > > From: e...@shubes.net
> >  > > > > > Date: Wed, 10 Nov 2010 10:55:28 -0700
> >  > > > > > Subject: [qmailtoaster] Re: Bounce mail
> >  > > > > >
> >  > > > > > On 11/07/2010 07:28 PM, bax bax wrote:
> >  > > > > > > Good morning I have update my qmailtoaster but now every 4-5
> >  > > > > minutes I get =
> >  > > > > > > this message, can I fix this?
> >  > > > > > > Thanks for you help
> >  > > > > > >
> >  > > > > > > Hi. This is the qmail-send program at server2.x.org.
> >  > > > > > > I tried to deliver a bounce message to this address, but
> > the bounce
> >  > > > > bounc=
> >  > > > > > > ed!
> >  > > > > > >
> >  > > > > > > :
> >  > > > > > > Sorry, I wasn't able to establish an SMTP connection.
> > (#4.4.1)
> >  > > > > > > I'm not going to try again; this message has been in the
> > queue too
> >  > > > > long.
> >  > > > > > >
> >  > > > > > > --- Below this line is the original bounce.
> >  > > > > > >
> >  > > > > > > Return-Path:<>
> >  > > > > > > Received: (qmail 23910 invoked for bounce); 6 Nov 2010 22:10:03
> >  > > -
> >  > > > > > > Date: 6 Nov 2010 22:10:03 -
> >  > > > > > > From: mailer-dae...@server2.x.org
> >  > > > > > > To: anonym...@localdomain.com
> >  > > > > > > Subject: failure notice
> >  > > > > > >
> >  > > > > > > Hi. This is the qmail-send program at server2.xx.org.
> >  > > > > > > I'm afraid I wasn't able to deliver your message to the
> > following
> >  > > > > addresses=
> >  > > > > > > .
> >  > > > > > > This is a permanent error; I've given up. Sorry it didn't
> >  > > work out.
> >  > > > > > >
> >  > > > > > > :
> >  > > > > > > Sorry, I wasn't able to establish an SMTP connection.
> > (#4.4.1)
> >  > > > > > > I'm not going to try again; this message has been in the
> > queue
> >  > > > > too long.
> >  > > > > > >
> >  > > > > > > --- Below this line is a copy of the message.
> >  > > > > > >
> >  > > > > > > Return-Path:
> >  > > > > > > Received: (qmail 10832 invoked by uid 0); 5 Nov 2010 21:10:02
> >  > > -
> >  > > > > > > Date: 5 Nov 2010 21:10:01 -
> >  > > > > > > Message-ID:<20101105211001.10784.qm...@server2..org>
> >  > > > > > > From: r...@loc

RE: [qmailtoaster] iptables firewall issue

2010-11-12 Thread Helmut Fritz
 
i used cmt-iso-1.4.1 to install.  i am actually not sure if the firewall is
enabled in that version or not.
 
yes, i tend to update my systems with yum if i hear about a security or
application issue or every 6 months or so.
 
i do use webmin to manage a large portion of my systems and that is how i
implemented my firewall (went from behind a firewall appliance to direct on
the internet).
 
Helmut

  _  

From: Martin Waschbuesch [mailto:mar...@waschbuesch.de] 
Sent: Friday, November 12, 2010 12:23 PM
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] iptables firewall issue


Hi Helmut,
 
I wonder if it has something to do with the way that CentOS was installed:
The ISO starts out with the firewall being disabled and in addition to the
configuration options that the firewall.sh script adds, I am not sure what
method is used to enable the service to run at startup (though it is as easy
as using 'service iptables start' to start it once and using 'chkconfig
iptables on' to enable it to run on startup).
My iptables config had been installed during initial setup and though that
is just a hunch, I believe that there may be a difference between having the
system installed with the firewall enabled and enabling it afterwards
(though that should not be the case?).
Also, the latest ISO is not using the latest CentOS - did you do any yum
update stuff to bring it up to date? If so, did you have those problems
before and after or just after the update?
I am sure we'll get to the bottom of this eventually. I never used the ISO
and I never had firewall trouble (other than when I configured it the wrong
way ;-) myself).
Steve, did you use the ISO or install using the wiki instructions?
 
I am sort of hoping you used the ISO so that we might have something to
focus our research on!
 
Martin
From: Helmut Fritz   
Sent: Friday, November 12, 2010 6:55 PM
To: qmailtoaster-list@qmailtoaster.com 
Subject: RE: [qmailtoaster] iptables firewall issue
 
i have the same issue with mine, and the -restore command was in my
rc.local.  i have attached my anaconda-ks.cfg.  i installed from QMT.iso,
not sure if that matters.  maybe this helps.
 
Helmut
 
  _  

From: Martin Waschbuesch [mailto:mar...@waschbuesch.de] 
Sent: Friday, November 12, 2010 9:21 AM
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] iptables firewall issue


Hi Scott,
 
Perhaps if you still have the install kickstart file for the CentOS
installation in /root/anaconda-ks.cfg we could compare the settings?
If it is running CentOS that is...
 
Martin
 
From: Scott Hughes   
Sent: Friday, November 12, 2010 3:44 PM
To: qmailtoaster-list@qmailtoaster.com 
Subject: Re: [qmailtoaster] iptables firewall issue
 
Martin,

The problem turned out to be in the rc.local file. It was loading the basic
QMT firewall settings instead of firewall setting in the iptables file.
Once I commented out that line in the rc.local file, it worked perfect
(survived the reboot process).

I have two QMT boxes that had the same issue. I still have figured out why
it is set up this way.  There is no point in running the firewall.sh script
if it is just going to be ignored the next time the system reboots.

Scott


2010/11/11 Martin Waschbuesch 


Hi Scott,
 
The important file for iptables which will be loaded at startup is in  
/etc/sysconfig/iptables
 
It is basically the same information you have in the firewall script, but in
a slightly different syntax. Perhaps you need to check if that file is on
the system and has valid content?
 
It should look something like this:
 
# Generated by iptables-save v1.3.5 on Thu Sep  9 17:00:22 2010
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [12:1444]
-A INPUT -i eth0 -f -j DROP
-A INPUT -s 127.0.0.0/255.0.0.0 -i ! lo -j DROP
-A INPUT -s 10.0.0.0/255.0.0.0 -i ! lo -j DROP
-A INPUT -s 172.16.0.0/255.240.0.0 -i ! lo -j DROP
-A INPUT -s 192.168.0.0/255.255.0.0 -i ! lo -j DROP
-A INPUT -s 224.0.0.0/240.0.0.0 -i ! lo -j DROP
-A INPUT -s 240.0.0.0/240.0.0.0 -i ! lo -j DROP
-A INPUT -s 0.0.0.0/255.0.0.0 -i ! lo -j DROP
-A INPUT -s 255.255.255.255 -i ! lo -j DROP
-A INPUT -s 169.254.0.0/255.255.0.0 -i ! lo -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp --dport 143 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 587 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -

Re: [qmailtoaster] iptables firewall issue

2010-11-12 Thread Martin Waschbuesch
Hi Helmut,

I wonder if it has something to do with the way that CentOS was installed: The 
ISO starts out with the firewall being disabled and in addition to the 
configuration options that the firewall.sh script adds, I am not sure what 
method is used to enable the service to run at startup (though it is as easy as 
using ‘service iptables start’ to start it once and using ‘chkconfig iptables 
on’ to enable it to run on startup).
My iptables config had been installed during initial setup and though that is 
just a hunch, I believe that there may be a difference between having the 
system installed with the firewall enabled and enabling it afterwards (though 
that should not be the case?).
Also, the latest ISO is not using the latest CentOS – did you do any yum update 
stuff to bring it up to date? If so, did you have those problems before and 
after or just after the update?
I am sure we’ll get to the bottom of this eventually. I never used the ISO and 
I never had firewall trouble (other than when I configured it the wrong way  
myself).
Steve, did you use the ISO or install using the wiki instructions?

I am sort of hoping you used the ISO so that we might have something to focus 
our research on!

Martin
From: Helmut Fritz 
Sent: Friday, November 12, 2010 6:55 PM
To: qmailtoaster-list@qmailtoaster.com 
Subject: RE: [qmailtoaster] iptables firewall issue

i have the same issue with mine, and the -restore command was in my rc.local.  
i have attached my anaconda-ks.cfg.  i installed from QMT.iso, not sure if that 
matters.  maybe this helps.

Helmut



From: Martin Waschbuesch [mailto:mar...@waschbuesch.de] 
Sent: Friday, November 12, 2010 9:21 AM
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] iptables firewall issue


Hi Scott,

Perhaps if you still have the install kickstart file for the CentOS 
installation in /root/anaconda-ks.cfg we could compare the settings?
If it is running CentOS that is...

Martin

From: Scott Hughes 
Sent: Friday, November 12, 2010 3:44 PM
To: qmailtoaster-list@qmailtoaster.com 
Subject: Re: [qmailtoaster] iptables firewall issue

Martin,

The problem turned out to be in the rc.local file. It was loading the basic QMT 
firewall settings instead of firewall setting in the iptables file.  Once I 
commented out that line in the rc.local file, it worked perfect (survived the 
reboot process).

I have two QMT boxes that had the same issue. I still have figured out why it 
is set up this way.  There is no point in running the firewall.sh script if it 
is just going to be ignored the next time the system reboots.

Scott


2010/11/11 Martin Waschbuesch 

  Hi Scott,

  The important file for iptables which will be loaded at startup is in  
  /etc/sysconfig/iptables

  It is basically the same information you have in the firewall script, but in 
a slightly different syntax. Perhaps you need to check if that file is on the 
system and has valid content?

  It should look something like this:

  # Generated by iptables-save v1.3.5 on Thu Sep  9 17:00:22 2010
  *filter
  :INPUT DROP [0:0]
  :FORWARD DROP [0:0]
  :OUTPUT DROP [12:1444]
  -A INPUT -i eth0 -f -j DROP
  -A INPUT -s 127.0.0.0/255.0.0.0 -i ! lo -j DROP
  -A INPUT -s 10.0.0.0/255.0.0.0 -i ! lo -j DROP
  -A INPUT -s 172.16.0.0/255.240.0.0 -i ! lo -j DROP
  -A INPUT -s 192.168.0.0/255.255.0.0 -i ! lo -j DROP
  -A INPUT -s 224.0.0.0/240.0.0.0 -i ! lo -j DROP
  -A INPUT -s 240.0.0.0/240.0.0.0 -i ! lo -j DROP
  -A INPUT -s 0.0.0.0/255.0.0.0 -i ! lo -j DROP
  -A INPUT -s 255.255.255.255 -i ! lo -j DROP
  -A INPUT -s 169.254.0.0/255.255.0.0 -i ! lo -j DROP
  -A INPUT -i lo -j ACCEPT
  -A INPUT -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
  -A INPUT -p tcp -m tcp --dport 25 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
  -A INPUT -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
  -A INPUT -p tcp -m tcp --dport 110 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
  -A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
  -A INPUT -p tcp -m tcp --dport 143 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
  -A INPUT -p tcp -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
  -A INPUT -p tcp -m tcp --dport 587 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
  -A INPUT -p tcp -m tcp --dport 993 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
  -A INPUT -p tcp -m tcp --dport 995 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
  -A INPUT -p tcp -m tcp --dport 5667 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
  -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  -A INPUT -p icmp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
  -A INPUT -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
  -A OUTPUT -o lo -j ACCEPT
  -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
  -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
  -A OUTPUT -p icmp -m state --state NEW,RELATED,ESTABL

[qmailtoaster] Disable CHKUSER

2010-11-12 Thread Michael Colvin
OK.  So, I've got some clients that send mails out to affiliates of theirs
via rather large distribution lists.  When at least one, maybe more, of
those addresses are bad, they get the "Sorry, can't find a valid MX for rcpt
domain" bounce that, basically is bouncing the whole message, so even the
valid recipients don't get the e-mail.

 

I've searched the archives, particularly:
http://www.mail-archive.com/qmailtoaster-list%40qmailtoaster.com/msg27066.html,
and haven't really found anything that helps...Unless I'm doing something
wrong...

 

I've tried removing the references to CHKUSER_RCPT_MX in tcp.smtp, then
issued qmailctl cdb, same issue.  I tried setting CHKUSER_RCPT_MX="", and
CHKUSER_RCPT-MX="0".  Nothing.  Tried setting
CHKUSER_STARTING_VARIABLE="NONE"...No change.

 

I've read where the default CHKUSER config is to have these commented out,
but it appears that this isn't the QMT default, per the linked thread above.

 

How do I go about commenting these out in CHKUSER's config, and then
"Rebuild" QMT?  I installed from the CentOS 5 ISO.

 

I simply don't want to check the MX for any e-mail on these particular
servers...I'd rather the client get bounces for those e-mails, so they can
clean up their lists.

 

 

Michael J. Colvin

NorCal Internet Services

  www.norcalisp.com

(916) 864-

 



 


RE: [qmailtoaster] iptables firewall issue

2010-11-12 Thread Helmut Fritz
i have the same issue with mine, and the -restore command was in my
rc.local.  i have attached my anaconda-ks.cfg.  i installed from QMT.iso,
not sure if that matters.  maybe this helps.
 
Helmut

  _  

From: Martin Waschbuesch [mailto:mar...@waschbuesch.de] 
Sent: Friday, November 12, 2010 9:21 AM
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] iptables firewall issue


Hi Scott,
 
Perhaps if you still have the install kickstart file for the CentOS
installation in /root/anaconda-ks.cfg we could compare the settings?
If it is running CentOS that is...
 
Martin
 
From: Scott Hughes   
Sent: Friday, November 12, 2010 3:44 PM
To: qmailtoaster-list@qmailtoaster.com 
Subject: Re: [qmailtoaster] iptables firewall issue
 
Martin,

The problem turned out to be in the rc.local file. It was loading the basic
QMT firewall settings instead of firewall setting in the iptables file.
Once I commented out that line in the rc.local file, it worked perfect
(survived the reboot process).

I have two QMT boxes that had the same issue. I still have figured out why
it is set up this way.  There is no point in running the firewall.sh script
if it is just going to be ignored the next time the system reboots.

Scott


2010/11/11 Martin Waschbuesch 


Hi Scott,
 
The important file for iptables which will be loaded at startup is in  
/etc/sysconfig/iptables
 
It is basically the same information you have in the firewall script, but in
a slightly different syntax. Perhaps you need to check if that file is on
the system and has valid content?
 
It should look something like this:
 
# Generated by iptables-save v1.3.5 on Thu Sep  9 17:00:22 2010
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [12:1444]
-A INPUT -i eth0 -f -j DROP
-A INPUT -s 127.0.0.0/255.0.0.0 -i ! lo -j DROP
-A INPUT -s 10.0.0.0/255.0.0.0 -i ! lo -j DROP
-A INPUT -s 172.16.0.0/255.240.0.0 -i ! lo -j DROP
-A INPUT -s 192.168.0.0/255.255.0.0 -i ! lo -j DROP
-A INPUT -s 224.0.0.0/240.0.0.0 -i ! lo -j DROP
-A INPUT -s 240.0.0.0/240.0.0.0 -i ! lo -j DROP
-A INPUT -s 0.0.0.0/255.0.0.0 -i ! lo -j DROP
-A INPUT -s 255.255.255.255 -i ! lo -j DROP
-A INPUT -s 169.254.0.0/255.255.0.0 -i ! lo -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp --dport 143 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 587 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5667 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Thu Sep  9 17:00:22 2010
 
From: Scott Hughes   
Sent: Thursday, November 11, 2010 5:40 PM
To: qmailtoaster-list@qmailtoaster.com 
Subject: [qmailtoaster] iptables firewall issue
 
All, 
 
I continue to have strange firewall issues.  The iptables firewall is acting
normal EXCEPT when the system gets restarted.  Then it is like it goes back
to some default setting and I have to log into the console and manually run the
firewall.sh script.  The script automatically saves the settings with
'service iptables save' and I have run this manually as well. Still having
the same issue.
 
Anyone out there have any ideas that might save my firewall settings through
restarts/reboots?
 
Thanks,
Scott
 

 


anaconda-ks.cfg
Description: Binary data


Re: [qmailtoaster] iptables firewall issue

2010-11-12 Thread Martin Waschbuesch
Hi Scott,

Perhaps if you still have the install kickstart file for the CentOS 
installation in /root/anaconda-ks.cfg we could compare the settings?
If it is running CentOS that is...

Martin

From: Scott Hughes 
Sent: Friday, November 12, 2010 3:44 PM
To: qmailtoaster-list@qmailtoaster.com 
Subject: Re: [qmailtoaster] iptables firewall issue

Martin,

The problem turned out to be in the rc.local file. It was loading the basic QMT 
firewall settings instead of firewall setting in the iptables file.  Once I 
commented out that line in the rc.local file, it worked perfect (survived the 
reboot process).

I have two QMT boxes that had the same issue. I still have figured out why it 
is set up this way.  There is no point in running the firewall.sh script if it 
is just going to be ignored the next time the system reboots.

Scott


2010/11/11 Martin Waschbuesch 

  Hi Scott,

  The important file for iptables which will be loaded at startup is in  
  /etc/sysconfig/iptables

  It is basically the same information you have in the firewall script, but in 
a slightly different syntax. Perhaps you need to check if that file is on the 
system and has valid content?

  It should look something like this:

  # Generated by iptables-save v1.3.5 on Thu Sep  9 17:00:22 2010
  *filter
  :INPUT DROP [0:0]
  :FORWARD DROP [0:0]
  :OUTPUT DROP [12:1444]
  -A INPUT -i eth0 -f -j DROP
  -A INPUT -s 127.0.0.0/255.0.0.0 -i ! lo -j DROP
  -A INPUT -s 10.0.0.0/255.0.0.0 -i ! lo -j DROP
  -A INPUT -s 172.16.0.0/255.240.0.0 -i ! lo -j DROP
  -A INPUT -s 192.168.0.0/255.255.0.0 -i ! lo -j DROP
  -A INPUT -s 224.0.0.0/240.0.0.0 -i ! lo -j DROP
  -A INPUT -s 240.0.0.0/240.0.0.0 -i ! lo -j DROP
  -A INPUT -s 0.0.0.0/255.0.0.0 -i ! lo -j DROP
  -A INPUT -s 255.255.255.255 -i ! lo -j DROP
  -A INPUT -s 169.254.0.0/255.255.0.0 -i ! lo -j DROP
  -A INPUT -i lo -j ACCEPT
  -A INPUT -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
  -A INPUT -p tcp -m tcp --dport 25 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
  -A INPUT -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
  -A INPUT -p tcp -m tcp --dport 110 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
  -A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
  -A INPUT -p tcp -m tcp --dport 143 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
  -A INPUT -p tcp -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
  -A INPUT -p tcp -m tcp --dport 587 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
  -A INPUT -p tcp -m tcp --dport 993 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
  -A INPUT -p tcp -m tcp --dport 995 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
  -A INPUT -p tcp -m tcp --dport 5667 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
  -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  -A INPUT -p icmp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
  -A INPUT -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
  -A OUTPUT -o lo -j ACCEPT
  -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
  -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
  -A OUTPUT -p icmp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
  COMMIT
  # Completed on Thu Sep  9 17:00:22 2010

  From: Scott Hughes 
  Sent: Thursday, November 11, 2010 5:40 PM
  To: qmailtoaster-list@qmailtoaster.com 
  Subject: [qmailtoaster] iptables firewall issue

  All, 

  I continue to have strange firewall issues.  The iptables firewall is acting 
normal EXCEPT when the system gets restarted.  Then it is like it goes back to 
some default setting and I have to log into the console and manually run the 
firewall.sh script.  The script automatically saves the settings with 'service 
iptables save' and I have run this manually as well. Still having the same 
issue.

  Anyone out there have any ideas that might save my firewall settings through 
restarts/reboots?

  Thanks,
  Scott
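
The two checks this thread converges on (is something in rc.local loading rules at boot, and does the saved /etc/sysconfig/iptables file have valid content), as an added example that is not part of any poster's message. The function names, the sample files and the two patterns searched for in rc.local are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; every sample file here is constructed, modelled on the thread.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Constructed rc.local with one commented-out and one active rule loader.
# /etc/firewall.basic is a hypothetical path.
cat > "$SAMPLE_DIR/rc.local" <<'EOF'
#!/bin/sh
touch /var/lock/subsys/local
#/sbin/iptables-restore < /etc/sysconfig/iptables.old
/sbin/iptables-restore < /etc/firewall.basic
EOF

# Constructed saved-rules file in iptables-save format (shortened rule set).
cat > "$SAMPLE_DIR/iptables" <<'EOF'
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -s 10.0.0.0/255.0.0.0 -i ! lo -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 587 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
EOF
# The same file cut off before COMMIT, as a truncated save would look.
grep -v '^COMMIT' "$SAMPLE_DIR/iptables" > "$SAMPLE_DIR/iptables.truncated"

# Print uncommented lines of an rc.local-style file that load firewall rules.
# Returns non-zero when there are none.
find_boot_overrides() {
    grep -nE 'iptables-restore|firewall\.sh' "$1" | grep -vE '^[0-9]+:[[:space:]]*#'
}

# Structural check of a saved rules file: it must exist, contain a *filter
# table, and close every table with COMMIT. Prints the filter chain policies
# and returns non-zero if a problem was found.
check_saved_rules() {
    [ -s "$1" ] || { echo "PROBLEM: $1 is missing or empty"; return 1; }
    awk '
        $1 ~ /^#/ || NF == 0 { next }                 # comments and blank lines
        $1 ~ /^\*/     { table = substr($1, 2); in_table = 1; seen[table] = 1; next }
        $1 ~ /^:/      { if (table == "filter") policy[substr($1, 2)] = $2; next }
        $1 == "COMMIT" { in_table = 0; next }
        $1 == "-A"     { if (!in_table) stray++; next }
        END {
            if (!("filter" in seen)) { print "PROBLEM: no *filter table"; bad = 1 }
            if (in_table) { print "PROBLEM: table " table " has no COMMIT (file truncated?)"; bad = 1 }
            if (stray)    { print "PROBLEM: " stray " rule(s) outside any table"; bad = 1 }
            n = split("INPUT FORWARD OUTPUT", chains, " ")
            for (i = 1; i <= n; i++)
                if (chains[i] in policy) print "policy " chains[i] "=" policy[chains[i]]
            exit (bad ? 1 : 0)
        }
    ' "$1"
}

# List the TCP destination ports that the INPUT chain accepts, for comparison
# with the ports the firewall script is expected to open.
accepted_tcp_ports() {
    awk '
        $1 == "-A" && $2 == "INPUT" {
            proto = port = target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-p")      proto  = $(i + 1)
                if ($i == "--dport") port   = $(i + 1)
                if ($i == "-j")      target = $(i + 1)
            }
            if (proto == "tcp" && port != "" && target == "ACCEPT") {
                out = out sep port; sep = " "
            }
        }
        END { print out }
    ' "$1"
}

echo "rc.local lines that load firewall rules:"
find_boot_overrides "$SAMPLE_DIR/rc.local" || echo "  none"
echo "saved rules file:"
check_saved_rules "$SAMPLE_DIR/iptables" || echo "  saved rules need attention"
echo "accepted inbound TCP ports: $(accepted_tcp_ports "$SAMPLE_DIR/iptables")"
```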



[qmailtoaster] Re: Black list problem

2010-11-12 Thread Eric Shubert


On 11/12/2010 05:27 AM, carlos...@tmdigital.es wrote:

hi,
some days ago, began to arrive from the  NJABL blacklist mails and try
remove my ip but not work , mails returned to me with the same error.
what can i do?



Hi. This is the qmail-send program at qmail.tmgranada.es.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<**...@*.***>:
User and password not set, continuing without authentication.
**.**.**.** does not like recipient.
Remote host said: 550 Email blocked by NJABL - to unblock see
http://www.example.com/
Giving up on **.**.**.**.

--- Below this line is a copy of the message.
-


Have you followed the procedure(s) at http://www.njabl.org/, in 
particular http://www.njabl.org/remove.html ?


Is your server an open relay? What's in your /etc/tcprules.d/tcp.smtp file?

If you've done all you can do to get removed to no avail, then I would 
contact the recipient domain administrator and have them either 
whitelist your server, or get them to quit using njabl.


FWIW, I have no experience with that RBL. Anyone else?

--
-Eric 'shubes'






Re: [qmailtoaster] iptables firewall issue

2010-11-12 Thread Scott Hughes
Martin,

The problem turned out to be in the rc.local file. It was loading the basic
QMT firewall settings instead of the firewall settings in the iptables file.
Once I commented out that line in the rc.local file, it worked perfect
(survived the reboot process).

I have two QMT boxes that had the same issue. I still have figured out why
it is set up this way.  There is no point in running the firewall.sh script
if it is just going to be ignored the next time the system reboots.

Scott


2010/11/11 Martin Waschbuesch 

>   Hi Scott,
>
> The important file for iptables which will be loaded at startup is in
> /etc/sysconfig/iptables
>
> It is basically the same information you have in the firewall script, but
> in a slightly different syntax. Perhaps you need to check if that file is on
> the system and has valid content?
>
> It should look something like this:
>
> # Generated by iptables-save v1.3.5 on Thu Sep  9 17:00:22 2010
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT DROP [12:1444]
> -A INPUT -i eth0 -f -j DROP
> -A INPUT -s 127.0.0.0/255.0.0.0 -i ! lo -j DROP
> -A INPUT -s 10.0.0.0/255.0.0.0 -i ! lo -j DROP
> -A INPUT -s 172.16.0.0/255.240.0.0 -i ! lo -j DROP
> -A INPUT -s 192.168.0.0/255.255.0.0 -i ! lo -j DROP
> -A INPUT -s 224.0.0.0/240.0.0.0 -i ! lo -j DROP
> -A INPUT -s 240.0.0.0/240.0.0.0 -i ! lo -j DROP
> -A INPUT -s 0.0.0.0/255.0.0.0 -i ! lo -j DROP
> -A INPUT -s 255.255.255.255 -i ! lo -j DROP
> -A INPUT -s 169.254.0.0/255.255.0.0 -i ! lo -j DROP
> -A INPUT -i lo -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 25 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 110 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
> -A INPUT -p tcp -m tcp --dport 143 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 587 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 993 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 995 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 5667 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p icmp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
> -A OUTPUT -o lo -j ACCEPT
> -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
> -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
> -A OUTPUT -p icmp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
> COMMIT
> # Completed on Thu Sep  9 17:00:22 2010
>
>  *From:* Scott Hughes 
> *Sent:* Thursday, November 11, 2010 5:40 PM
> *To:* qmailtoaster-list@qmailtoaster.com
> *Subject:* [qmailtoaster] iptables firewall issue
>
> All,
>
> I continue to have strange firewall issues.  The iptables firewall is
> acting normal EXCEPT when the system gets restarted.  Then it is like it
> goes back to some default setting and I have to log into the console and
> manually run the firewall.sh script.  The script automatically saves the
> settings with 'service iptables save' and I have run this manually as well.
> Still having the same issue.
>
> Anyone out there have any ideas that might save my firewall settings through
> restarts/reboots?
>
> Thanks,
> Scott
>
>
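
The failure described in this thread (a boot script loading a different ruleset than the one saved in /etc/sysconfig/iptables) can be checked for with a short script. This is an added example, not part of the original messages or of the QMT scripts; the file contents and the script name basic-firewall.sh are constructed, and on a real host the live dump would come from `iptables-save`.

```shell
#!/bin/sh
# Added example. File contents below are constructed; on a real host point the
# functions at the rc.local file and /etc/sysconfig/iptables named in the thread.

# Uncommented lines in a boot script that touch iptables or a firewall script.
boot_overrides() {
    grep -nE 'iptables|firewall' "$1" | grep -vE '^[0-9]+:[[:space:]]*#' || true
}

# Strip comments and packet/byte counters so two iptables-save dumps compare cleanly.
normalize_rules() {
    grep -v '^#' "$1" | sed -E 's/ \[[0-9]+:[0-9]+]$//; s/[[:space:]]+$//'
}

# Exit 0 when the saved ruleset and a live dump match, 1 (printing a diff) otherwise.
ruleset_drift() {
    a=$(mktemp); b=$(mktemp); rc=0
    normalize_rules "$1" > "$a"; normalize_rules "$2" > "$b"
    diff "$a" "$b" || rc=$?
    rm -f "$a" "$b"
    return "$rc"
}

# TCP ports that the INPUT chain in a dump accepts, as one sorted line.
accepted_tcp_ports() {
    awk '$1=="-A" && $2=="INPUT" && $NF=="ACCEPT" {
        for (i=3; i<NF; i++) if ($i=="--dport") print $(i+1) }' "$1" |
        sort -n | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample files standing in for rc.local, the saved rules and a live dump.
demo=$(mktemp -d)
printf '%s\n' '#!/bin/sh' 'touch /var/lock/subsys/local' \
    '# /opt/old/firewall.sh' 'sh /root/basic-firewall.sh' > "$demo/rc.local"
printf '%s\n' '# Generated by iptables-save' '*filter' ':INPUT DROP [0:0]' \
    '-A INPUT -i lo -j ACCEPT' \
    '-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT' \
    '-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT' 'COMMIT' > "$demo/saved"
# Live dump after a reboot where rc.local replaced the rules: port 22 is missing.
grep -v 'dport 22' "$demo/saved" | sed 's/\[0:0]/[41:3120]/' > "$demo/live"

boot_overrides "$demo/rc.local"
ruleset_drift "$demo/saved" "$demo/live" || echo "running rules differ from saved file"
echo "saved file accepts tcp: $(accepted_tcp_ports "$demo/saved")"
```

Any line printed by `boot_overrides` is a candidate for the kind of override found here, and a non-zero exit from `ruleset_drift` after a reboot shows that the saved file was not what ended up loaded.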


[qmailtoaster] Black list problem

2010-11-12 Thread carlos-tm
Hi,
Some days ago, mails began to arrive from the NJABL blacklist. I tried to
remove my IP but it did not work; mails are returned to me with the same error.
What can I do?



Hi. This is the qmail-send program at qmail.tmgranada.es.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<**...@*.***>:
User and password not set, continuing without authentication.
**.**.**.** does not like recipient.
Remote host said: 550 Email blocked by NJABL - to unblock see
http://www.example.com/
Giving up on **.**.**.**.

--- Below this line is a copy of the message.

Return-Path: 
Received: (qmail 9392 invoked by uid 89); 12 Nov 2010 12:04:23 -
Received: from unknown (HELO correo.tmgranada.es) (127.0.0.1)
  by qmail.tmgranada.es with SMTP; 12 Nov 2010 12:04:23 -
Received: from **.**.**.*
(SquirrelMail authenticated user sopo...@tmgranada.es)
by correo.tmgranada.es with HTTP;
Fri, 12 Nov 2010 13:04:23 +0100 (CET)
Message-ID: <48215.**.**.**.*.1289563463.squir...@correo.tmgranada.es>
Date: Fri, 12 Nov 2010 13:04:23 +0100 (CET)
Subject: comprobacion cuenta correo
From: sopo...@tmgranada.es
To: *...@.**
User-Agent: SquirrelMail/1.4.9a
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal







[qmailtoaster] Re: POP3 Authentication on CentOS 5.5 64Bit

2010-11-12 Thread Eric Shubert

TTBOMK the plan is presently to jump to vpopmail 5.5 with QMTv2.

Going to 5.4.32 from 5.4.17 would be nice. It involves a database 
change, which qtp-convert is already able to handle.


I believe that Jake's too busy to take this on. If someone would like to 
update the spec file and package an SRPM, I expect that Jake would 
entertain putting it up on the site if/when people have tested it out.


Anyone care to take this on?

--
-Eric 'shubes'

On 11/11/2010 08:17 PM, Kevin Qiu wrote:

  Hello,

I found the last vpopmail version is 5.4.32. The QMT version is 5.4.17.

Could the QMT upgrade the vpopmail to last version?


Kevin

On 2010/11/12 10:11, Kevin Qiu wrote:

Hello Mario,

I had same problem when I use QMT on 64bit Linux.

Is it the last vpopmail include QMT? Or I need download the src
vpopmail package from inter7.com?

By the way, If I need more RAM, is 4GB RAM OK?


Kevin



On 2010/10/17 4:50, Mario wrote:

Hello,

Problem fixed. Probably it was/is because of vchkpw.
I've downloaded and compiled the latest vpopmail from
http://www.inter7.com/index.php?page=vpopmail

and issue got fixed.

Thank you Eric.



Saturday, October 16, 2010, 10:46:40 PM, you wrote:


Hello Eric,
Saturday, October 16, 2010, 10:32:14 PM, you wrote:

On 10/16/2010 12:20 PM, Mario wrote:

Hello all,

I've POP3 authentication issues with qmail toaster on centos 5.5 .
The error the pop3 client receives it's:

The response is: /home/vpopmail/bin/vchkpw: error while loading
shared libraries: libcrypt.so.1: failed to map segment from shared
object: Cannot allocate memory -ERR authorization failed

I've tried increasing the softlimit for pop3 but error persists.

Any clues ?

Thanks


-


What'd you increase it to? How much memory do you have?
# free
64Bit machines definitely need more. I thought Jake had fixed this.
Perhaps the memory increase doesn't happen on 5.5?



# more /var/qmail/supervise/pop3/run|grep soft
exec /usr/bin/softlimit -m 4000 \



# free -m
             total       used       free     shared    buffers     cached
Mem:          5956       5743        213          0        229       4627
-/+ buffers/cache:        886       5070
Swap:         7961         15       7945



I guess it should be sufficient ram allocated.
Thanks,
Mario











Re: [qmailtoaster] Re: Doubles

2010-11-12 Thread Digital Instruments

Aha, ok! :)

On 11/11/2010 18:15, Eric Shubert wrote:

(You might try searching a bit before posting here next time)



