[qmailtoaster] Long connect times

2013-07-18 Thread Dan McAllister

Greetings all:

I am curious -- I have a brand new toaster installed (COS6, if you must 
know), and I am experiencing some rather long SMTP and even longer 
SUBMISSION connection times.

SMTP Connect times (as measured by mxtoolbox) are 7-10 seconds!
Submission Connect times (as measured on my watch) are 5-9 seconds!

Both of these are abysmal... any ideas?
(BTW: I know your knee-jerk reaction will be DNS -- but I run my own 
BIND caching-nameserver, and I've also tried running with a PowerDNS 
resolver... no significant change.)


Baffled in Florida

Dan McAllister
QMT DNS/Mirror Admin

--

PLEASE TAKE NOTE OF OUR NEW ADDRESS
===
IT4SOHO, LLC
33 - 4th Street N, Suite 211
St. Petersburg, FL 33701-3806

CALL TOLL FREE:
  877-IT4SOHO

877-484-7646 Phone
727-647-7646 Local
727-490-4394 Fax

We have support plans for QMail!


-
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com



Re: [qmailtoaster] Long connect times

2013-07-18 Thread Dan McAllister

Gilbert:

Thanks for the tip. I hadn't looked at options for resolv.conf in 
probably 10 years now!

Although I even restarted my named service, I still don't see a difference.
Nevertheless, by enabling both single-request-reopen and edns0, I have 
resolved a long-awaiting-resolution problem of some DNS servers sending 
responses my server didn't like.


Some progress still... thanks for the suggestion!

Dan


On 7/18/2013 3:37 PM, Gilbert T. Gutierrez, Jr. wrote:

Do you have the same issue with SSH login?

Add options single-request-reopen into your /etc/resolv.conf file.

Gilbert



On 7/18/2013 11:51 AM, Dan McAllister wrote:

Greetings all:

I am curious -- I have a brand new toaster installed (COS6, if you 
must know), and I am experiencing some rather long SMTP and even 
longer SUBMISSION connection times.

SMTP Connect times (as measured by mxtoolbox) are 7-10 seconds!
Submission Connect times (as measured on my watch) are 5-9 seconds!

Both of these are abysmal... any ideas?
(BTW: I know your knee-jerk reaction will be DNS -- but I run my own 
BIND caching-nameserver, and I've also tried running with a PowerDNS 
resolver... no significant change.)


Baffled in Florida

Dan McAllister
QMT DNS/Mirror Admin











Re: [qmailtoaster] Cannot create Email account for deleted email account

2013-08-04 Thread Dan McAllister
First guess is that the account was deleted in MySQL, but the folder 
still exists


Check for the existence of the folder at:
/home/vpopmail/domains/domainname/username
 - or -
/home/vpopmail/domains/0/domainname/username

If either exists, remove or rename it and try the add again.

Dan McAllister
QMT DNS/Mirror Admin


On 08/05/2013 12:02 AM, ChandranManikandan wrote:

Hi All,
I cannot create a new email account on our server using qmailadmin.
This email account was already created on my server and deleted before, as 
well as forwards. But I still cannot create it, and it shows the error "email 
account could not be created".

Anyone please help me.

--
Thanks & Best Regards,
Manikandan.C




Re: [qmailtoaster] vqadmin on centos 6.4 x64

2013-08-12 Thread Dan McAllister
The issues surrounding making the current CentOS 5 build of QMT work on 
COS6 are increasing...


Firstly, let me address a major issue: 32-bit vs. 64-bit. These are the 
20-teens folks... IMHO, 32-bit hardware is outdated. Of course, if you 
have 32-bit hardware laying around, it is perfectly reasonable to run 
QMT on it -- but I suggest you run COS5-32-bit and install a stock QMT 
-- I suspect we'll be supporting that version for many years to come!


Otherwise, if you're installing on 64-bit hardware, COS6 is the way to 
go (again -- IMHO)... but there are some significant issues to overcome. 
At my last attempt, here is what I found:


1) PHP Short Open Tags must be enabled (I have previously done it system 
wide in the /etc/php.ini file, but placing it in the apache options 
folder for just that one directory might be a better solution)


2) Our vqadmin-toaster package will not compile because some of the 
includes and headers have never been updated from upstream. As a result, 
you can either:
   a) unpack the src RPM, fix the headers (easily available from 
inter7.com), and recompile yourself, or
   b) secure a pre-built package available from the site: 
http://mirrors.qmailtoaster.com//testing/centos/6/x86_64/vqadmin-toaster-2.3.7-1.4.1.x86_64.rpm


3) You'll think you're out of the woods because everything will start up 
-- but you're not... there is a dependency I haven't tracked down yet to 
the libmysqlclient.15 library (vs. the libmysqlclient.16 that is 
current). Until that dependency can be fixed, you need to copy in an 
older version (mysql-5.0 vs. mysql-5.1). NOTE: It is sufficient to copy 
in the binaries for libmysqlclient.so.15.0.0 and 
libmysqlclient_r.so.15.0.0, and then create symbolic links from 
libmysqlclient.so.15 & libmysqlclient_r.so.15. DO NOT change the links 
for libmysqlclient.so and libmysqlclient_r.so (which point to ver 16 for 
everyone else -- again, I don't know what or why the link is to 
libmysqlclient.so.15 -- but it is, and until we finish development of 
the COS6 version, we'll have to live with this patch).


4) Again, you will think you're golden -- except that 64-bit software 
takes up more memory than 32-bit software -- well, it does when it's 
really 32-bit software PORTED to 64-bit! :-)
So your next problem will be some of your runtimes will fail because 
they'll exceed their memory limits. You will need to edit the run 
scripts located in /var/qmail/supervise/*/run.
Those that use the softlimit option should have the limit increased to 
64MB RAM (67108864 -- 64 * 1024 * 1024) -- EXCEPT that if you use SSL, 
you should increase the memory limit to 128MB (134217728 -- 128 * 1024 * 
1024). NOTE: If you allow SSL connections on your SMTP, you'll want that 
128MB option on ALL SMTP daemons, not just the ones on ports 587 and/or 465!


And now, at least as far as I have tested lately, you're finally ready 
to rock!


Go forth and EMAIL in 64-BIT CENTOS 6!!!

Best Regards,

Dan McAllister
QMT DNS/Mirror Admin
Unofficial bleeding edge QMT tester (OK, well, with the age of COS6, 
maybe it's a scabbed edge... healed but scarred edge... oh, whatever... :))





Re: [qmailtoaster] Dovecot SSL question

2013-08-19 Thread Dan McAllister
I don't think your issue is with the Courier, but rather with the folder 
structure.


By default, Outlook wants to copy Drafts and Sent Items to folders on 
the root of the IMAP directory -- only QMT places those files /inside/ 
the Inbox folder.


   So Outlook is set to put the Sent Items into /Sent, but the REAL
   location needs to be Inbox/Sent

The fix is to tell Outlook the RIGHT place to put the Sent Items -- a 
change that has to be made for each account in Outlook. (Sadly, each 
version of Outlook does this differently, but they ALL allow you to 
change this -- EXCEPT for Outlook 2013, which will find your Sent Items 
for you but will not let you override its self-selected destination. MS 
knows best -- especially when it comes to mail!)


BTW: Assuming your SMTP settings were set correctly, the message went, 
it just wasn't saved in your Sent Items folder...


I hope this helps...

Dan McAllister
QMT DNS/Mirror Admin



On 8/16/2013 1:50 AM, rich...@avits.ca wrote:

Hi all:

I am experiencing issues with Courier IMAP in that Thunderbird takes 
forever to clear saving copy to sent folder, so I am considering a 
move to Dovecot. Do I need to do anything special with my SSL cert 
after switching over? It is a signed cert setup as per the 
qmailtoaster documentation on certificates.


Thanks,
Richard


Sent from my BlackBerry 10 smartphone on the Bell network.






[qmailtoaster] SpamDyke MBL_349876.UNOFFICIAL

2013-08-21 Thread Dan McAllister

Greetings all:

I have a large mailserver that just today decided that all messages with 
attachments are infected with MBL_349876.UNOFFICIAL


I have temporarily bypassed SpamDyke processing on outbound mail, but 
would prefer to put it back in.


Has anyone else run into this? If so, how did you remove it?

Thanks,

Dan McAllister




Re: [qmailtoaster] Re: SpamDyke MBL_349876.UNOFFICIAL

2013-08-21 Thread Dan McAllister

Eric,

I have forced freshclam to reload, but it still has the same effect.

I am afraid I've never played with the clamav or simscan much in the 
past... how/where would I go to temporarily turn off clamav scanning?


Dan

On 8/21/2013 3:04 PM, Eric Shubert wrote:

On 08/21/2013 09:46 AM, Dan McAllister wrote:

Greetings all:

I have a large mailserver that just today decided that all messages with
attachments are infected with MBL_349876.UNOFFICIAL

I have temporarily bypassed SpamDyke processing on outbound mail, but
would prefer to put it back in.

Has anyone else run into this? If so, how did you remove it?

Thanks,

Dan McAllister



Yeah, others on the sanesecurity list are reporting this as well. One 
person put it in the local.ign file (to ignore it), and another chose 
to delete the pattern.


Then there was this, posted 35 minutes ago on the sane list:
quote
MBL sigs are now fixed, just had contact with them

We sincerely apologize for the trouble caused by these faulty
signatures.  An update to our system was applied this morning and,
unfortunately, it had this unwanted side effect.

The update was reverted and signatures should be fixed now.  We'll
work to determine what happened and how we can avoid problems like
this in the future.

Thank you for alerting us about this issue.
/quote

I presume that things will return to normal once freshclam does its 
thing again.








Re: [qmailtoaster] bounce back

2013-08-22 Thread Dan McAllister
This is a CLAMAV problem -- one of their vendors (MBL) released a 
pattern that essentially matches anything with a :// in it -- or any URL.

It will also almost always match any attachment with a real message.

The fix is to either wait out CLAMAV (or manually update with a 
freshclam start command); disable CLAMAV scanning (what I did 
overnight -- it's fixed today [Thurs]); or remove the pattern (beyond my 
CLAMAV config expertise).


Dan

On 8/22/2013 3:40 AM, Linux wrote:


Hi All,

I got the bounce back error every time as,

Remote host said: 554 Your email was rejected because it contains the 
MBL_349876.UNOFFICIAL virus.


Can anyone suggest me what to do?

Regards,

Vivek Patil

system admin







Re: [qmailtoaster] Email Server access is very slow

2013-08-22 Thread Dan McAllister
Assuming a stock QMail Toaster install, your problem is with those 
giant mailboxes & the default courier IMAP that the toaster comes with.
While the project as a whole will be jumping to DoveCot soon, you're 
going to need to jump the shark a bit early. Courier IMAP has many known 
issues (including corruption, not just slowness) with large mailboxes 
(over 2GB, much less 10GB!)... DoveCot has a much better reputation for 
these circumstances.


There is a WIKI article for switching to DoveCot: 
http://wiki.qmailtoaster.com/index.php/Replacing_Courier_IMAP_with_Dovecot_IMAP


I hope this helps!

Dan
IT4SOHO
(QMT DNS/Mirror Admin)

On 8/22/2013 4:24 AM, ChandranManikandan wrote:

Hi All,
I have installed CentOS 5.7 with qmailtoaster.
My HDD is 500 GB and RAM is 10 GB.
We have 60 email accounts in total.
Some accounts have mailboxes of more than 10 GB.
Every day, accessing email is very slow, both opening an email and 
switching to another folder using IMAP.
When I check with the netstat -an |grep :143|wc -l command, it shows 150, 
and it increases automatically.
Is there any spam attack on the server? If so, how do I protect it from 
spammers and hackers?

How do I get fast performance and access emails fast?
Please help me if anyone has the solution.

--
Thanks & Best Regards,
Manikandan.C






Re: [qmailtoaster] lots of failed imap attempts - fail2ban setup

2013-08-22 Thread Dan McAllister

Peter:

I personally use fail2ban in the default way and *purposefully* reset 
the bans *weekly* (and sometimes, manually more often than that).
The issue is that sometimes (albeit rarely) the person failing the login 
is a legitimate user. Also, you may be being attacked by some guy at the 
corner Starbucks -- and the next person to use that address might be a 
legit customer/user of yours.


To my mind, the idea is to block the attacker and have them move 
on... if they can attempt 20 logins a minute indefinitely, they'll 
attack until they succeed. However, if they can attempt 20 logins a DAY, 
they'll move on -- because the time to reach success becomes CENTURIES 
instead of DAYS or WEEKS.


Just my 2-cents worth...

Dan McAllister
IT4SOHO
QMT DNS/Mirror Admin

On 8/22/2013 7:58 AM, Peter Peltonen wrote:


Hi,

I've started to notice lots of failed imap attempts for nonexisting 
accounts, so I guess it would be a good idea to setup fail2ban.


There is a nice guide available in the wiki (thanks!) : 
http://wiki.qmailtoaster.com/index.php/Fail2Ban


A few questions before I try to put this in production:

In general, these instructions are still valid for the toaster, yes?

There is a note in the Wiki saying when fail2ban reload and/or 
iptables restart and/or rebooting and/or the weekly logrotate, those 
rules are gone. To prevent this two advices are given:




  * Before changes, write existing iptables rules to file

  # service iptables save

  * And after any change load the saved set of rules

  # service iptables restart

  * Tune fail2ban to write IPs to /etc/fail2ban/ip.deny



My question regarding this are:

1) How is fail2ban configured to write IPs to /etc/fail2ban/ip.deny ?

2) And would a valid approach to be to configure fail2ban init script 
and logrotate to read the banned IPs from that ip.deny and then feed 
it to iptables?


Or how are people using fail2ban handling this situation?

Best regards,
Peter
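
The throttling argument in Dan's reply above (20 attempts a minute versus 20 a day), worked through as an added example; this is not code from the thread, the wiki, or fail2ban. The parameter names mirror fail2ban's maxretry, findtime and bantime jail options, and all rates, thresholds and list sizes are constructed for illustration.

```python
"""Model how a ban threshold caps the login attempts that reach the service."""
from collections import deque

DAY = 86400  # seconds


def attempts_reaching_service(interval_s, maxretry=None, findtime_s=600,
                              bantime_s=600, duration_s=DAY):
    """Count failed logins from one source that get through in duration_s.

    The source tries once every interval_s seconds. After maxretry failures
    inside a sliding window of findtime_s seconds it is banned for bantime_s
    seconds, and attempts made during the ban never reach the service.
    maxretry=None models a server with no banning at all.
    """
    recent = deque()      # timestamps of failures still inside the window
    banned_until = 0
    delivered = 0
    for t in range(0, duration_s, interval_s):
        if t < banned_until:
            continue      # dropped by the firewall rule
        delivered += 1
        if maxretry is None:
            continue
        recent.append(t)
        while recent[0] <= t - findtime_s:
            recent.popleft()
        if len(recent) >= maxretry:
            banned_until = t + bantime_s
            recent.clear()
    return delivered


def years_to_try(candidates, per_day):
    """Years needed to work through a list of candidate passwords."""
    return candidates / per_day / 365


def scenarios():
    """Attempts per day at 20 tries a minute (one every 3 s), three setups."""
    return {
        "no banning": attempts_reaching_service(3),
        "5 failures, 10-minute ban": attempts_reaching_service(
            3, maxretry=5, findtime_s=600, bantime_s=600),
        "20 failures, ban held a day": attempts_reaching_service(
            3, maxretry=20, findtime_s=600, bantime_s=DAY),
    }


if __name__ == "__main__":
    for name, per_day in scenarios().items():
        years = years_to_try(1_000_000, per_day)  # constructed list size
        print(f"{name:30} {per_day:6} attempts/day  {years:8.2f} years")
```

Bans that stay in place until a periodic reset behave like the third row; a short ban time lets hundreds of attempts a day through even though every burst is caught.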






Re: [qmailtoaster] Re: CNAME lloup fail

2013-08-26 Thread Dan McAllister

Eric, et. al.:

My feelings about PDNS are that:
 - PDNS is as good a resolver as there is, but as a project we 
shouldn't play favorites
 - PDNS would make an excellent OPTIONAL package -- but shouldn't 
necessarily be a pdns-toaster package... I would prefer that we just 
tell people how to install it -- maybe even to the point of including 
the binary RPMs on our own mirrors... but not to the point of a custom 
package that is installed by default... too many users of other 
software (pardon me, but I actually LIKE BIND!) that would have a hard 
time every time they ran qtp-newmodel and had to exclude or remove PDNS 
because they don't use that.


Just my 2-cents worth (since Eric mentioned me by name!) :-)

Dan

On 8/26/2013 1:43 PM, Eric Shubert wrote:

I know of no disadvantages. This is the setup I recommend.

pdns-recursor might become 'stock' at some point if there are no 
objections. As Dan has pointed out, QMT doesn't actually need an 
onboard resolver, but it does need to use a resolver that works 
reliably. I think this is the simplest and most efficient (you might 
say best) solution for this requirement.


Vivek, please be sure that if you had a resolver running on your QMT 
host previously that it's at least disabled if not uninstalled. An 
example might be the caching-nameserver package (which uses bind). You 
might also look for a named service. Given that your system is running 
ok though, I expect things are all right.








Re: [qmailtoaster] Re: CNAME lloup fail

2013-08-26 Thread Dan McAllister

On 8/26/2013 3:52 PM, Eric Shubert wrote:
I'm not suggesting a QMT-specific package. (What would be the point?) 
Most of a 'stock' QMT includes packages that aren't *-toaster specific.


I don't think it should necessarily be a requirement either. Choice is 
good. As Dan has pointed out, QMT doesn't *require* an onboard resolver.


Nonetheless, QMT needs to use a resolver. I think in the case of a 
'stock' setup, it's easier to install and configure pdns-recursor 
(it's the same for everyone) than it'd be to say edit the 
/etc/resolv.conf and insert the ip addresses of appropriate DNS 
resolvers of your choice.


If someone wanted to customize their resolver by using something else, 
there should (and would) be nothing prohibiting that.


Is there a problem?


Eric...

OK -- question then... if a user has just imaged a new system and 
desires to run a QMT stock mailserver on it...
Just how would they download QMT to begin with if they had not already 
configured a resolving DNS service??


I say leave well enough alone (e.g. don't mess with their already chosen 
method of DNS resolution), but still to recommend it for optimum 
performance.


I realize that this is getting persnickety... but it's that kind of "we 
know what's best for you" arrogance that drives many users AWAY from 
Micro$oft to begin with!
Also, it would be reasonable (even suggested) that we put a check in at 
the END of the QMT install/update programs that checks DNS resolution -- 
and if it's NOT local, to recommend doing it locally -- preferably with 
the pdns-resolver package.


My QMT-CentOS6.sh script does something similar -- if the "me" control 
file's host name is not in /etc/hosts, it declines to start QMT and 
instead warns that starting it might be counter productive.


I'll climb down now... just give me a moment, as it is a very fine high 
horse I'm on just now! :-)


Dan McAllister
QMT DNS/Mirror Admin





Re: [qmailtoaster] Re: How to remove cached and buffer memory in Centos server

2013-08-27 Thread Dan McAllister
Eric is spot-on -- it is a DNS issue (usually because the DNS name you 
use [or IP address] in the SSH client command to connect, doesn't 
resolve backwards).

The easiest fix is on the server end:
 Change the default SSHD setting to NOT attempt DNS reverse lookups.
 The file is: */etc/ssh/sshd_config*
 The entry is: *UseDNS no*

Enjoy!

Dan
IT4SOHO

On 8/26/2013 11:40 PM, Eric Shubert wrote:

On 08/26/2013 08:07 PM, ChandranManikandan wrote:

Hi All,
I used this command and it shows the result below.
#free
             total       used       free     shared    buffers     cached
Mem:      10370416    9965280     405136          0     226428    8775244
-/+ buffers/cache:     963608    9406808
Swap:      4096564        104    4096460

But if I access the server via ssh, it opens slowly, even on the
local IP.


This is a name resolution problem that's fairly common with ssh. 
There's a sometimes long pause waiting for the password, because the 
ssh host is trying to find a name of some sort. When it times out, the 
password prompt is shown. I've seen this frequently, just haven't 
taken the time to fix it, so I don't recall the solution off hand.



Is there any way to clear temporary buffer and cached commands.


Those aren't what you think they are. They're for disk i/o. The kernel 
allocates and uses these areas automatically. The kernel uses what it 
can and what it needs. High cached values are a good thing, because a 
lot of disk i/o is cached.


It appears you've got way more ram on that host than you really need.



--
Thanks & Best Regards,
Manikandan.C









Re: [qmailtoaster] Re: How to remove cached and buffer memory in Centos server

2013-08-27 Thread Dan McAllister

In anticipation of the next response:
 - please execute a restart of the SSH service after you have completed 
the change below.
   NOTE: In stock COS installs, the UseDNS entry is commented out and 
has the default Yes value -- un-comment it (remove the leading # 
character) & change the Yes to a No
 - The command in COS to restart the sshd service is: *service sshd 
restart*


Dan

On 8/27/2013 9:59 AM, Dan McAllister wrote:
Eric is spot-on -- it is a DNS issue (usually because the DNS name 
you use [or IP address] in the SSH client command to connect, doesn't 
resolve backwards).

The easiest fix is on the server end:
 Change the default SSHD setting to NOT attempt DNS reverse lookups.
 The file is: */etc/ssh/sshd_config*
 The entry is: *UseDNS no*

Enjoy!

Dan
IT4SOHO






Re: [qmailtoaster] Re: How to remove cached and buffer memory in Centos server

2013-08-27 Thread Dan McAllister

On 8/27/2013 10:35 AM, Eric Shubert wrote:
I just did this, but I'm sorry to say that it didn't solve my problem 
entirely. After a few tests, it appears that every other login is 
quick, and every other login has a delay (20 seconds or so). Seems 
persistent in that regard (I did a dozen or so tests).


Perhaps a nss config issue?

Thanks.
(P.S. I'm aging here!) ;)




Eric -- I thought you were running COS5???

In COS6, there is another set of SSHd configs whose default was changed: 
*GSSAPI*


Like the reverse DNS lookup, you want to TURN OFF this feature:
Change to:
*GSSAPIAuthentication no*
 (The other GSSAPI settings don't matter much if you're not permitting 
AUTH)


To my understanding, the GSSAPI functionality is an alternative way of 
securing your connection for a password-less connection (vs. auth keys) 
that uses a Kerberos-type auth scheme... no thanks... :)


Dan
IT4SOHO
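
A check for the two sshd settings discussed in this thread (UseDNS and GSSAPIAuthentication), as an added example; it is not code from the posts or from OpenSSH. The sample config text is constructed, the UseDNS default is the one stated in the post, and the function names are hypothetical.

```python
"""Report the value sshd would use for selected keywords in sshd_config text."""

# Settings recommended in the thread.
WANTED = {"UseDNS": "no", "GSSAPIAuthentication": "no"}
# Value assumed when a keyword is absent or only present as a comment.
# UseDNS: "yes" as stated in the post; GSSAPIAuthentication: OpenSSH built-in.
DEFAULTS = {"UseDNS": "yes", "GSSAPIAuthentication": "no"}


def effective_settings(config_text, defaults=DEFAULTS):
    """Return {keyword: value} for the global section of an sshd_config.

    Rules applied: '#' lines are comments and have no effect, keywords are
    case-insensitive, the first value given for a keyword wins, and a
    Match line ends the global section.
    """
    found = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        if keyword == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        found.setdefault(keyword, value)  # first occurrence wins
    return {name: found.get(name.lower(), default)
            for name, default in defaults.items()}


def findings(config_text):
    """List the keywords whose effective value differs from WANTED."""
    current = effective_settings(config_text)
    return [name for name, want in WANTED.items()
            if current[name].lower() != want]


# Constructed sample resembling the stock state described in the posts:
# UseDNS only as a comment, GSSAPI explicitly switched on.
STOCK = """\
#UseDNS yes
#GSSAPIAuthentication no
GSSAPIAuthentication yes
"""

# Constructed sample after the edits from the thread.
FIXED = """\
UseDNS no
GSSAPIAuthentication no
"""

if __name__ == "__main__":
    print("stock:", findings(STOCK))
    print("fixed:", findings(FIXED))
```

Run it against the file contents after editing and before `service sshd restart`; a commented-out `#UseDNS no` still shows up as a finding because sshd never reads it.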




[qmailtoaster] SPF, DKIM, and now DMARC... a discussion?

2013-08-28 Thread Dan McAllister
 new (since 2012), but purports to try to tell 
mail recipients just what kind of message authentication is being used 
by the sending domain, AND to provide a user-identified method of 
reporting back issues and/or errors.

 I'm going to show my own DMARC record, then explain it below:

   v=DMARC1; p=reject; aspf=s; adkim=r;
   rua=mailto:it4s...@it4soho.com; ruf=mailto:it4s...@it4soho.com;

 Like SPF, DMARC is implemented with DNS TXT records:
   - v=DMARC1 means this is a version 1 format
   - p=reject means that the policy for failed tests should be to 
reject them (other options include quarantine & none)
   - aspf=s means I recommend using SPF in a strict mode (the 
alternative is a relaxed mode)
   - adkim=r means I recommend using DKIM in a relaxed mode (this 
is the default, so I could have not included this entry)
   - rua=mailto:it4s...@it4soho.com means that reports (non-failure 
feedback) should be sent to it4s...@it4soho.com
   - ruf=mailto:it4s...@it4soho.com means that failure reports 
(like detected SPAM) should be sent to it4s...@it4soho.com


Now QMT doesn't yet support DMARC -- but I would assume that spamdyke 
eventually will... in any case, it's the recipient that has to implement 
it, and for now I would like to receive those error reports if they're 
available!


Open to discussing this with the rest of the group -- security (and SPAM 
control) are both topics we should banter around periodically!


Ciao!

Dan McAllister
IT4SOHO
QMT DNS/Mirror Admin
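
The tag-by-tag reading of the DMARC record in the post above, as an added example that is not part of the original message or of any QMT package. The sample record is constructed with the same tags as the one in the post and a placeholder report address; the tag names and defaults follow RFC 7489, and rejecting duplicate tags is this example's own choice.

```python
"""Parse a DMARC TXT record and report its effective policy."""

POLICIES = {"none", "quarantine", "reject"}
ALIGNMENT = {"r", "s"}  # relaxed / strict
# Values a receiver assumes when the record omits the tag.
DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100"}


class DmarcError(ValueError):
    """Raised when a record cannot be used as a DMARC policy."""


def parse_dmarc(txt):
    """Return the effective policy as a dict, or raise DmarcError."""
    pairs = []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue  # a trailing ';' leaves an empty piece
        tag, sep, value = part.partition("=")
        if not sep:
            raise DmarcError(f"not a tag=value pair: {part!r}")
        pairs.append((tag.strip().lower(), value.strip()))

    # The version tag must come first and must match exactly.
    if not pairs or pairs[0] != ("v", "DMARC1"):
        raise DmarcError("record must begin with v=DMARC1")

    policy = dict(DEFAULTS)
    seen = set()
    for tag, value in pairs:
        if tag in seen:
            raise DmarcError(f"duplicate tag: {tag}")  # this example's choice
        seen.add(tag)
        policy[tag] = value

    if "p" not in seen:
        raise DmarcError("missing required p= tag")
    for tag, allowed in (("p", POLICIES), ("sp", POLICIES),
                         ("adkim", ALIGNMENT), ("aspf", ALIGNMENT)):
        if tag in policy:
            policy[tag] = policy[tag].lower()
            if policy[tag] not in allowed:
                raise DmarcError(f"bad value for {tag}: {policy[tag]!r}")
    policy.setdefault("sp", policy["p"])  # subdomains inherit p

    if not policy["pct"].isdigit() or int(policy["pct"]) > 100:
        raise DmarcError(f"bad value for pct: {policy['pct']!r}")
    policy["pct"] = int(policy["pct"])

    for tag in ("rua", "ruf"):  # comma-separated report URIs
        policy[tag] = [u.strip() for u in policy.get(tag, "").split(",")
                       if u.strip()]
    return policy


def review(policy):
    """Notes a mail admin would want before relying on the record."""
    notes = []
    if policy["p"] == "none":
        notes.append("p=none: failing mail is reported but not blocked")
    if policy["pct"] < 100:
        notes.append(f"pct={policy['pct']}: policy covers only part of the mail")
    if not policy["rua"]:
        notes.append("no rua: no aggregate reports will be received")
    return notes


# Constructed sample: same tags as the record in the post, placeholder address.
SAMPLE = ("v=DMARC1; p=reject; aspf=s; adkim=r; "
          "rua=mailto:dmarc-reports@example.com; "
          "ruf=mailto:dmarc-reports@example.com;")

if __name__ == "__main__":
    print(parse_dmarc(SAMPLE))
    print(review(parse_dmarc("v=DMARC1; p=none")))
```

A misspelled version tag or a record that does not start with `v=` is not a DMARC record at all, so the parser refuses it instead of guessing.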




Re: [qmailtoaster] Re: Mailer -daemon failure notice

2013-08-29 Thread Dan McAllister
You list several messages -- each a different reason for failure... see 
embedded below:


On 8/29/2013 12:14 AM, ChandranManikandan wrote:

Hi All,
Again I received the message below when we send email to anyone, and 
bounces with unwanted emails are showing up also.
I have to mention another thing: I am using another SMTP server as the 
outgoing server. Could any problem come from the outgoing SMTP server? 
Please help me. None of the IPs and email addresses below are ours.


Hi. This is the qmail-send program at mail.panasiagroup.net.
I tried to deliver a bounce message to this address, but the bounce 
bounced!


jk...@stsinspect.com:
User and password not set, continuing without authentication.
jk...@stsinspect.com 72.167.238.29 failed after I sent the message.
Remote host said: 552 5.2.0 H1Dm1m00r2XfecZ011DoK1 IB212 msg rejected 
as spam

Remote host determined AFTER receiving the message that the contents 
were SPAM and then rejected it. Check your reputation -- or maybe even 
try to contact postmas...@stsinspect.com to see why it thought your 
message was SPAM.


harms...@supanet.com:
User and password not set, continuing without authentication.
harms...@supanet.com 213.40.180.222 failed after I sent the message.
Remote host said: 550-This message contains a virus or other harmful 
content
550 (Sanesecurity.Spam.ldb.59.UNOFFICIAL)

The recipient mail server is using SaneSecurity (perhaps even a QMT host 
using simscan, because it uses SaneSecurity as well!) and it detected a 
virus in your message. SaneSecurity just recently had a problem with a 
virus pattern file that essentially matched any URL (any occurrence of 
:// was marked as viral)... but this is another example (as the previous 
one) where you cannot control how the recipient deals with your message. 
If they have a bad virus pattern file, there isn't much YOU can do about 
it except TRY to bring it to their attention.


--- Below this line is the original bounce.

Return-Path: 
Received: (qmail 21062 invoked for bounce); 28 Aug 2013 15:27:45 -
Date: 28 Aug 2013 15:27:45 -
From: mailer-dae...@mail.panasiagroup.net
To: ravindran.recruiter+caf_=ravi=panasiagroup@gmail.com

Subject: failure notice

Hi. This is the qmail-send program at mail.panasiagroup.net.
I'm afraid I wasn't able to deliver your message to the following 
addresses.

This is a permanent error; I've given up. Sorry it didn't work out.

ear...@familyaccess.net:
Sorry, I couldn't find a mail exchanger or IP address. (#5.4.4)

familyaccess.net is likely a local domain -- either way, using the DNS 
services you've configured, there is no familyaccess.net, or if there 
is, it has no MX record.


itcpubli...@flashmail.com:
User and password not set, continuing without authentication.
173.194.79.27 does not like recipient.
Remote host said: 550-5.1.1 The email account that you tried to reach 
does not exist. Please try
550-5.1.1 double-checking the recipient's email address for typos or
550-5.1.1 unnecessary spaces. Learn more at
550 5.1.1 http://support.google.com/mail/bin/answer.py?answer=6596 
hb3si7063498pac.65 - gsmtp
Giving up on 173.194.79.27.

Just as it says -- there is no such mailbox as itcpubli...@flashmail.com 
-- no mailbox = no delivery. BE WARNED -- repeated attempts to send mail 
to the same bad address can get you blacklisted... either publicly, 
privately, or both!


cmo...@filmgraphics.com:
User and password not set, continuing without authentication.
173.194.79.27 does not like recipient.
Remote host said: 550-5.1.1 The email account that you tried to reach 
does not exist. Please try
550-5.1.1 double-checking the recipient's email address for typos or
550-5.1.1 unnecessary spaces. Learn more at
550 5.1.1 http://support.google.com/mail/bin/answer.py?answer=6596 
bo2si6500759pbb.44 - gsmtp
Giving up on 173.194.79.27.

Just as it says -- there is no such mailbox as cmo...@filmgraphics.com 
-- no mailbox = no delivery. BE WARNED -- repeated attempts to send mail 
to the same bad address can get you blacklisted... either publicly, 
privately, or both! NOTE: THIS IS THE SECOND GMAIL HOSTED ACCOUNT THAT 
HAS FAILED -- *STRIKE TWO!*


c...@farbeduciel.com:
User and password not set, continuing without authentication.
66.39.2.47 does not like recipient.
Remote host said: 554 5.7.1 c...@farbeduciel.com: Recipient address 
rejected: Access denied
Giving up on 66.39.2.47.

Not as verbose as GMAIL's failure, but the cause is the same -- 
c...@farbeduciel.com does not appear to be a valid email address...


home...@fastwebnet.it:
User and password not set, 

Re: [qmailtoaster] Re: a dns patch maybe

2013-09-01 Thread Dan McAllister
I generally agree with Eric's responses below -- however your current 
resolv.conf doesn't JUST identify dns servers; it ALSO defines a 
default domain to search.


*IF* you install pdns-resolver (and I agree with Eric that you should), 
you should make your resolv.conf look like:


   search pps-inc.com
   nameserver 127.0.0.1

This solution will result in better performance on your mailserver, 
without placing a significant additional processing burden on the same 
server.


If you're like me, and often ssh into servers in your domain with just 
the hostname, you'll want to keep that search option in there.


Dan
IT4SOHO
QMT DNS/Mirror Admin

On 8/30/2013 6:08 PM, Eric Shubert wrote:

On 08/30/2013 01:19 PM, Jim Shupert wrote:

here are contents of /etc/resolv.conf

search pps-inc.com
nameserver 216.136.95.2
nameserver 192.168.200.226

===

the above refers to 2 other machines that are running bind dns


Right. The first is twtelecom, presumably your ISP.
The second (which would only be used if the first one had a problem) 
is running on your local network.



And that might not be the *smart move*


It's not ideal. It's not quite as efficient as it might be, plus 
you're primarily at the mercy of your ISP for correct name resolution.



I take it you think I should be running dns on my mailserver?


A resolver, yes. (NOT an authoritative DNS server though).


and the dns pkg of choice is pdns-recursor


Yes.


install w

# yum install pdns-recursor
# service named stop
# service pdns-recursor start
# chkconfig named off
# chkconfig pdns-recursor on

- all I have to have in the conf is one line -- 'localhost'?

nameserver 127.0.0.1


Correct. The dns resolving service (pdns-recursor) runs on the QMT 
host itself.


You might leave the
nameserver 216.136.95.2
line in there listed 2nd as a backup resolver, but I prefer to know if 
my localhost resolver is having an issue. Not having a backup lets me 
know rather quickly. ;)


If you feel better using a backup resolver, I would consider using
google (8.8.8.8, 4.4.4.4) or opendns (208.67.220.220, 208.67.222.222) 
as backup resolvers. They both have good reputations for reliability.



what about allow-from
http://www.thatfleminggent.com/2009/08/09/getting-a-powerdns-recursor-up-and-going-fast 



pdns-recursor will allow requests from localhost by default. If you 
want to use this server as a resolver for other hosts on your network, 
you can tailor this and your firewall appropriately.


That link is a little dated, as pdns-recursor is now in the base el5 
repo.



I am not an 'expert' with dns

Thanks for the help!


Sure. We all learn a little along the way.

Now that I'm looking at this again, I realize that you need 
*absolutely nothing* in your /etc/resolv.conf file. Linux uses itself 
by default. :)


I may just begin making a habit of installing pdns-recursor on all my 
servers and leaving /etc/resolv.conf empty. One less thing to deal with.








[qmailtoaster] DNS Best Practices for QMT

2013-09-01 Thread Dan McAllister
A lot has been written lately about DNS as it relates to QMT. As I am 
the DNS Admin for the project, I thought it worthwhile to share my thoughts.
NOTE: Although I am the DNS Admin of the project, these are _/MY/_ 
opinions, based on _/MY/_ experiences... they do NOT represent any 
official position of the QMT project.


Firstly, let's differentiate the KINDS of DNS service:
 - A _*RESOLVING*_ DNS server answers /permitted client/ requests 
to resolve ANY DNS request (like YAHOO.COM) by recursively searching for 
an appropriate authoritative DNS server for the domain requested. (A 
*RECURSIVE* DNS server is a /synonym/ to a *RESOLVING* DNS server)
 - An _*AUTHORITATIVE*_ DNS server answers /PUBLIC/ requests to 
resolve DNS for domains for which it is authoritative (e.g. its own 
domains).


Some DNS servers (like BIND 9 and later) have the ability to do both 
(securely - BIND8 could do both, but not very securely), while others 
(like PDNS) take the QMail approach and use separate programs to do each 
kind of task. FWIW, I use PDNS resolvers on some of my QMT servers, and 
BIND9 on others.


   I'm reasonably well-known for not drinking the Kool-Aid from any
   vendor or software project. Instead, I choose the right tool for
   the right use - and choosing a DNS server is one of those instances
   where one size fits all is definitely UNTRUE.

SIDE NOTE: I am far less adamant than Eric (my boss on this project!) 
that an authoritative DNS service should /not/ be on the same server as 
a QMT (or other mailserver).

IMHO, there are times when it is appropriate, and times when it is not.

In my experience (which is considerable, though I don't yet consider 
myself an expert):
- I have some high-traffic QMT servers that service high-use domains and 
use pdns-resolver (and external authoritative DNS servers)
- I have some low-traffic QMT servers where the DNS is BIND9 running as 
both recursive (for the localhost) and authoritative (for the serviced 
domains).


Again, FWIW, my personal experience is that QMT servers typically fall 
into one of 3 categories:
- _*TINY*_: One or two personal domains, where the authoritative DNS 
is usually at the domain registrar... in this case, I recommend 
pdns-resolver (because there is no need for local authoritative DNS, 
and it is MUCH easier to configure than BIND)
- _*SMALL*_: Several domains, probably not all owned by the same 
company, with advanced DNS being hosted locally as well... in this case, 
I prefer BIND9 configured with view options that limit recursive 
lookups to the LAN (if not only the localhost), and acts as the 
authoritative server for the domains being served.
- _*LARGE*_: Many domains hosted with high levels of traffic. In this 
case, I only slightly prefer BIND9 over PDNS (both only as a 
caching-only nameserver, but in my experience BIND9 is somewhat faster 
than PDNS) Then, I use a SEPARATE server for authoritative DNS! (I 
typically use BIND9 there, unless I want client-access to the DNS 
settings, in which case PDNS has a GUI frontend that's reasonable for that).


The end result from my experiences is that PDNS & BIND are /each/ good 
options, so long as you use each *appropriately*.


Dan McAllister
IT4SOHO
QMT DNS/Mirror Admin

PS: The master authoritative DNS server for QMT is BIND9 :)




Re: [qmailtoaster] Re: Squirrelmail is not working after replace courier to dovecot

2013-09-01 Thread Dan McAllister
It is /possible/ that this is a squirrelmail problem, it is MORE likely 
that a login error is an IMAP error. Even MORE likely given that's what 
you changed :).


Try to connect to your server with an IMAP client (like Thunderbird)... 
my guess is that it won't work -- you need to make Dovecot use your 
vpopmail MySQL databases, but by default it uses Linux usernames & 
passwords.


Dan McAllister

On 8/31/2013 12:36 PM, Eric Shubert wrote:

On 08/31/2013 04:43 AM, ChandranManikandan wrote:

Hi All,
I have done replace courier to dovecot through wiki and setup
squirrelmail as wiki mentioned . But when i goto open the webmail after
put username and password it's show unknown user or password are
incorrect : ERROR.

But outlook and thunderbird is working perfect.

Some roaming users want to check webmail.

Am using Dovecot 2.0 and squirrelmail 1.4.22
Please help me any one.

--
Thanks & Best Regards,
Manikandan.C


Please post contents of your /etc/squirrelmail/config_local.php file.







Re: [qmailtoaster] Avoid auto Bounce message

2013-09-05 Thread Dan McAllister

Nic,

If it was posted on the Internet, it must be true! Don't you see the ads 
where you are? :-)


Seriously, when I get errors like this I like to trace the DNS tree -- 
amazing how often I find that there are DNS traps in the wild... 
because, truth be told, you could BOTH be right! (It's amazing to me how 
much people take DNS for granted... )


For example:
 - the TLD says example.com uses NS servers 1.1.1.1 & 1.1.1.2
 - the NS service at 1.1.1.1 says that it truly is a DNS server for 
example.com, and lists 1.1.1.3 & 1.1.1.4 as other NS servers... but not 
1.1.1.2
 - the NS service at 1.1.1.2 says that it truly is a DNS server for 
example.com, and lists 1.1.1.1 as the only other NS server
 - the NS service at 1.1.1.1 says the least-cost MX record for 
example.com is 2.2.2.1
 - the NS service at 1.1.1.2 says the least-cost MX record for 
example.com is 2.2.2.1
 - the NS service at 1.1.1.3 says the least-cost MX record for 
example.com is 2.2.2.4
 - the NS service at 1.1.1.4 says the least-cost MX record for 
example.com is 2.2.2.16

 - The mailserver at 2.2.2.1 says u...@example.com is a local mailbox
 - The mailserver at 2.2.2.4 says example.com is NOT a valid local 
domain and rejects ALL messages for example.com
 - The mailserver at 2.2.2.16 says u...@example.com is NOT a valid 
user, but accepts some OTHER messages for example.com


Now this is an extreme example, but I have found situations like this 
for real -- the issue is that people migrate from server to server & 
don't clean up the configurations behind them. (In the example above, 
the 2.2.2.16 server was used years ago, so simply doesn't know 
u...@example.com, and 2.2.2.4 is just an error).


The good news is that there are tools that can help you discover these 
kinds of issues: check out _*INTODNS.COM*_.
Along with _*MXTOOLBOX.COM*_, it's just one of those tools that I 
wouldn't want to live without (as a mail admin, at least)


Dan McAllister
IT4SOHO
QMT DNS/Mirror Admin

PS: Can you see why I was chosen to be the DNS Admin for this project? :-)
On 9/5/2013 1:09 AM, Nicholas Chua wrote:

Hi,

But the specific error stated

Remote host said: 550-5.1.1 The email account that you tried to reach 
does not exist.



Regards
Nic


On 5 Sep, 2013, at 12:45 PM, ChandranManikandan kand...@gmail.com wrote:



Hi Nic,
I have checked online to validate this email address is correct.


On Thu, Sep 5, 2013 at 12:21 PM, Nicholas Chua 
nicholasc...@outlook.com wrote:


Hi,

Make sure the receiver address is correct



Regards
Nic


On 5 Sep, 2013, at 12:19 PM, ChandranManikandan
kand...@gmail.com wrote:


Hi All,
One of our user send email to their clients and other user get
below bounce message and system administrator get the same
bounce message. How to avoid this issue. This problem come very
frequently. Please help me anyone.
I mentioned below message which i got.

Sender address is: s...@xxx.net

Sender Domain is: mail..net
Bounce message below.
Hi. This is the qmail-send program at mail..net.
I tried to deliver a bounce message to this address, but the
bounce bounced!

a...@stellarsoftware.net:
User and password not set, continuing without authentication.
74.125.25.26 does not like recipient.
Remote host said: 550-5.1.1 The email account that you tried to
reach does not exist. Please try
550-5.1.1 double-checking the recipient's email address for typos or
550-5.1.1 unnecessary spaces. Learn more at
550 5.1.1
http://support.google.com/mail/bin/answer.py?answer=6596
dz4si19889772pbc.329 - gsmtp Giving up on 74.125.25.26.

aj...@rjtcompuquest.com:
User and password not set, continuing without authentication.
74.125.25.26 does not like recipient.
Remote host said: 550-5.1.1 The email account that you tried to
reach does not exist. Please try
550-5.1.1 double-checking the recipient's email address for typos or
550-5.1.1 unnecessary spaces. Learn more at
550 5.1.1
http://support.google.com/mail/bin/answer.py?answer=6596
cr3si19952184pbc.20 - gsmtp Giving up on 74.125.25.26.

a...@nihaki.com:
User and password not set, continuing without authentication.
207.5.72.155 does not like recipient.
Remote host said: 550 5.1.1 a...@nihaki.com: Recipient address rejected: User
unknown in relay recipient table Giving up on 207.5.72.155.

al...@pegasyssoft.com:
User and password not set, continuing without authentication.
198.57.229.105 does not like recipient.
Remote host said: 550 No such person at this address
Giving up on 198.57.229.105
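
The example.com walk-through in the message above (TLD delegation, per-server NS lists, per-server MX answers, per-exchanger verdicts) can be checked mechanically. The following is an added example, not part of the original thread: the data is constructed from the addresses in that walk-through, and the function names are hypothetical.

```python
"""Delegation audit over the example.com walk-through (constructed data)."""
from collections import defaultdict

# What the parent (TLD) zone delegates to.
PARENT_NS = {"1.1.1.1", "1.1.1.2"}

# server -> (NS set that server publishes, least-cost MX it returns).
# None means the message does not say what that server lists.
# Live answers would come from queries such as: dig @1.1.1.1 example.com NS
SERVER_VIEW = {
    "1.1.1.1": ({"1.1.1.1", "1.1.1.3", "1.1.1.4"}, "2.2.2.1"),
    "1.1.1.2": ({"1.1.1.1", "1.1.1.2"}, "2.2.2.1"),
    "1.1.1.3": (None, "2.2.2.4"),
    "1.1.1.4": (None, "2.2.2.16"),
}

# How each mail exchanger treats the recipient, per the message.
MAILBOX_VERDICT = {
    "2.2.2.1": "accepted",
    "2.2.2.4": "rejected: domain not local",
    "2.2.2.16": "rejected: user unknown",
}


def reachable_servers(parent_ns, server_view):
    """Every server a resolver can end up asking: the delegation plus any
    NS addresses the delegated servers hand out themselves."""
    seen, queue = [], sorted(parent_ns)
    while queue:
        srv = queue.pop(0)
        if srv in seen:
            continue
        seen.append(srv)
        ns_set = (server_view.get(srv) or (None, None))[0]
        queue.extend(sorted(ns_set or ()))
    return seen


def audit_delegation(parent_ns, server_view):
    """Return (kind, subject, detail) findings for NS and MX disagreements."""
    findings = []
    servers = reachable_servers(parent_ns, server_view)
    for srv in servers:
        if srv not in server_view:
            findings.append(("unanswered", srv, "listed as NS, no data recorded"))
            continue
        ns_set, _ = server_view[srv]
        if ns_set is not None and ns_set != parent_ns:
            findings.append(("ns-mismatch", srv,
                             f"missing={sorted(parent_ns - ns_set)} "
                             f"extra={sorted(ns_set - parent_ns)}"))
    by_mx = defaultdict(list)
    for srv in servers:
        if srv in server_view:
            by_mx[server_view[srv][1]].append(srv)
    if len(by_mx) > 1:  # servers disagree about where mail should go
        for mx in sorted(by_mx):
            findings.append(("mx-split", mx, f"returned by {by_mx[mx]}"))
    return findings


def delivery_outcomes(parent_ns, server_view, verdicts):
    """What a sender sees, depending on which name server answered the MX query."""
    return {srv: verdicts.get(server_view[srv][1], "unknown")
            for srv in reachable_servers(parent_ns, server_view)
            if srv in server_view}


if __name__ == "__main__":
    for finding in audit_delegation(PARENT_NS, SERVER_VIEW):
        print(*finding, sep=" | ")
    for srv, outcome in delivery_outcomes(PARENT_NS, SERVER_VIEW, MAILBOX_VERDICT).items():
        print(f"MX answer from {srv}: {outcome}")
```

The split outcomes are why a sender and a recipient can both be right about the same address: the result depends on which server a given resolver happened to ask.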

Re: [qmailtoaster] CNAME Lookup failed

2013-09-06 Thread Dan McAllister

Just to throw my 2-cents worth in...

If the other (receiving) domain is using an MX record value that is a 
CNAME, this error can show... in such a case, this is not a name 
resolver error, but rather a DNS error.


   It is a violation of the RFCs for the MX record value to resolve to
   anything BUT an A record.

I have recommended these sites before, but as a mail admin, checking out 
the settings of the OTHER domain when delivery problems are being 
reported is just a smart idea.


   *intodns.com* - checks a wide variety of DNS issues, including MX
   records
   *mxtoolbox.com* - has a wide variety of tests available, including
   SMTP connection tests. Many of these tests will FAIL if the MX
   record for the domain is a CNAME

Good luck to you!

Dan McAllister
IT4SOHO
QMT DNS/Mirror Admin


Re: [qmailtoaster] Re: CNAME Lookup failed

2013-09-06 Thread Dan McAllister
I can't argue with the point about replacing your resolver if it handles 
an anomaly better -- but IME, BIND handles oddities far better than PDNS.


I still say:
 - If you're a newbie, or just want it to work hands off, out of the 
box then pdns-resolver will not steer you wrong -- it's a good product!
 - If you're experienced with BIND, or want to learn DNS (or have some 
odd DNS requirements), then BIND is the definitive DNS server (and one 
of the most efficient caching-resolvers out there)


But I will add (as a final comment) that CNAME lookup failures are 
USUALLY that the CNAME points to something that doesn't resolve.


   mail.qmailtoaster.com         CNAME   mailsterver.qmailtoaster.com
   mailserver.qmailtoaster.com   IN A    1.1.1.1

See the break? (mailsterver is not mailserver)...
This will get you a CNAME lookup failure message...

Hope this helps!

Dan
IT4SOHO

On 9/6/2013 12:58 PM, Eric Shubert wrote:
A CNAME lookup failure isn't necessarily due to an MX pointing to a 
CNAME record. Or is it? This would be easy for us to check if Chandran 
had posted the domain name. Chandran, you really need to do a better 
job of providing details such as this in order for us to help you 
effectively.


Dan's suggestions are certainly appropriate. When I've identified a 
domain with misconfigured DNS (typically a problem with rDNS), I 
attempt to notify the domain's administrator (technical contact info 
can be obtained from whois). They are usually grateful.


On the other hand, if changing the resolver your QMT uses improves 
reliability by dealing effectively with some anomaly, why wouldn't you 
want to make the change, especially if the anomaly is something 
outside of your control?
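
The two conditions raised in this thread, an MX value that is a CNAME and a CNAME whose target does not resolve, can be linted from zone data before mail starts bouncing. This is an added example, not code from the thread: the zone text is constructed (the mailsterver/mailserver typo moved to a reserved test domain, plus an MX line added for the example) and the function names are hypothetical.

```python
"""Lint MX targets for CNAME use and for CNAME chains that end nowhere."""

# Constructed zone data; only the typo pattern comes from the message.
BROKEN_ZONE = """\
example.test.             IN MX    10 mail.example.test.
mail.example.test.        IN CNAME mailsterver.example.test.
mailserver.example.test.  IN A     1.1.1.1
"""


def _norm(name):
    """Compare names case-insensitively and without the trailing dot."""
    return name.rstrip(".").lower()


def parse_zone(text):
    """Parse 'owner [IN] TYPE rdata...' lines into {(owner, TYPE): [rdata, ...]}."""
    records = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop zone-file comments
        if not line:
            continue
        tokens = [t for t in line.split() if t.upper() != "IN"]
        owner, rtype, rdata = _norm(tokens[0]), tokens[1].upper(), tokens[2:]
        records.setdefault((owner, rtype), []).append(rdata)
    return records


def lint_mx(domain, records, max_hops=8):
    """Return (mx_target, finding) pairs for every MX of `domain`.

    `records` must hold everything needed to resolve the targets; names
    hosted in other zones have to be added from resolver answers first.
    """
    findings = []
    mx_rrs = records.get((_norm(domain), "MX"), [])
    for _pref, target in sorted((int(p), _norm(t)) for p, t in mx_rrs):
        name, hops, seen = target, 0, set()
        while (name, "CNAME") in records:
            if hops == 0:
                findings.append((target, "mx-target-is-cname"))
            if name in seen or hops >= max_hops:
                findings.append((target, "cname-loop"))
                break
            seen.add(name)
            name = _norm(records[(name, "CNAME")][0][0])
            hops += 1
        else:
            # Chain ended normally: the final name must have an address.
            if (name, "A") not in records and (name, "AAAA") not in records:
                findings.append((target, f"no-address:{name}"))
    return findings


if __name__ == "__main__":
    for target, finding in lint_mx("example.test", parse_zone(BROKEN_ZONE)):
        print(f"{target}: {finding}")
```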








Re: [qmailtoaster] Re: Can I disable CRAM-MD5 authentication for submission service?

2013-09-12 Thread Dan McAllister
Suggested options (not sure how to do it -- hurt my back and not 
thinking 100% this morning):


- Users are the only ones who should be using SMTP AUTH, and they should 
NOT be using port 25 when they do it... so the SMTP daemon on port 25 
should NOT ALLOW SMTP AUTH at all
- It's up to you whether you support SUBMISSION connections on port 587 
with or without SSL, but in my case I REQUIRE SSL on both ports 587 and 
465 (several mail clients will specifically look for 465 with SSL before 
even trying 587). Of course, this means that I either pay for a publicly 
signed SSL certificate, or make my users import my self-signed certificate.


Once you're connecting on ports 587 or 465 over SSL, the AUTH method is 
less important -- it's all encrypted in the SSL connection.


Just my thoughts...

Dan McAllister

On 9/10/2013 9:59 AM, Eric Shubert wrote:

On 09/10/2013 02:34 AM, Johannes Weberhofer wrote:

Dear all!

For security reasons I have disabled the storage of vpopmail's
plain-text passwords. Upon connection the qmail-server still responds 
with


250-server.test.com - Welcome to Qmail Toaster Ver. 1.03.5 SMTP Server
250-STARTTLS
250-PIPELINING
250-8BITMIME
250-SIZE 20971520
250 AUTH LOGIN PLAIN CRAM-MD5

Qmail's implementation of cram-md5 is implemented in a way, that the
plain-text password is required [1] for CRAM-MD5 authentication. My
problem is, that some clients are sending the CRAM-MD5 response, but
Qmail is not able to process it correctly. Unfortunately I have not
found a way to turn this feature off. Does someone know, how to?

Best regards,
Johannes

[1] http://en.wikipedia.org/wiki/CRAM-MD5



You're one step ahead of me, Johannes. :)

I had planned to do so by having spamdyke handle authentication. The 
current version doesn't implement this quite rightly though, but it'll 
be fixed in the soon to be released version.


In the meantime, check for qmail config options in the .spec file. 
There might be a ./configure option for turning cram-md5 off. I don't 
know off hand, but I would expect so. Either that or vpopmail. I don't 
recall off hand how qmail makes the determination of which auth 
methods are available.


Please let me know how you make out with this.
Thanks!

P.S. Just to be clear, plain-text passwords are required for any 
implementation of cram-md5, not just qmail's. That's a weakness which 
is inherent in the protocol.








Re: [qmailtoaster] Re: Can I disable CRAM-MD5 authentication for submission service?

2013-09-12 Thread Dan McAllister

Eric,

Why wouldn't it be possible to keep the plaintext password field in the 
vpopmail database, but protect it?
I would think you could compile vpopmail to keep the cleartext 
passwords, but then create an additional user in the DB (an admin 
user) and restrict rights to view that field to the admin user. (NOTE: 
You still have to have write permission to that field from the vpopmail 
user so that updates/changes can be recorded).


Just an idea...

Dan McAllister

On 9/10/2013 12:39 PM, Eric Shubert wrote:

On 09/10/2013 08:06 AM, Johannes Weberhofer wrote:


P.S. Just to be clear, plain-text passwords are required for any
implementation of cram-md5, not just qmail's. That's a weakness which
is inherent in the protocol.


The wiki page says, that some (dovecot) implementation stores an
intermediate step of HMAC, so I guess there is another way to do that, 
too.


I sit corrected. :)
http://wiki2.dovecot.org/HowTo/CRAM-MD5
Again, I don't know off hand. I suspect that it's vpopmail which needs 
the clear text for its implementation of cram-md5.


If vpopmail can be configured/changed in such a way that it uses a 
password hash instead of clear text for cram-md5, that would seem to 
be ideal. I'm not adverse to keeping cram-md5, but I think the storage 
of plain text passwords needs to go bye-bye. I know of several 
potential users we've lost due to this, and it's simply a bad practice.


I know there are some users who have expressed a preference to keep 
plain text passwords. It would be nice to have an option whereby they 
could continue this insecure practice, and I will try to provide this 
option if it doesn't take too much work. I think the 'stock' QMT 
should not be configured in this manner though, and someone else may 
need to do the development to make this possible if I can't come up 
with an easy way to accommodate it.
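
The "intermediate step of HMAC" mentioned in this thread can be shown concretely: a server can verify CRAM-MD5 responses from the two key-derived MD5 contexts alone, without keeping the cleartext. This is an added example, not vpopmail, qmail or Dovecot code; the function names are hypothetical, and the user, secret and challenge are the sample exchange from RFC 2195.

```python
"""CRAM-MD5 verification from precomputed HMAC-MD5 contexts."""
import base64
import hashlib
import hmac

MD5_BLOCK = 64  # HMAC pads or hashes the key to one MD5 block


def client_response(user, password, challenge):
    """What a mail client sends: base64("user hex(HMAC-MD5(password, challenge))")."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def derive_contexts(password):
    """Run the key-dependent half of HMAC once and keep only the MD5 states.

    The cleartext can be discarded afterwards. A real server would serialise
    the MD5 chaining state; hashlib cannot export it, so this example keeps
    the live objects in memory.
    """
    key = password.encode()
    if len(key) > MD5_BLOCK:
        key = hashlib.md5(key).digest()
    key = key.ljust(MD5_BLOCK, b"\0")
    inner = hashlib.md5(bytes(b ^ 0x36 for b in key))
    outer = hashlib.md5(bytes(b ^ 0x5C for b in key))
    return inner, outer


def verify(store, challenge, response_b64):
    """Return the authenticated user name, or None if the response is rejected."""
    try:
        decoded = base64.b64decode(response_b64, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, digest = decoded.rpartition(" ")
    if user not in store:
        return None
    inner, outer = (ctx.copy() for ctx in store[user])  # never mutate the stored state
    inner.update(challenge.encode())
    outer.update(inner.digest())
    expected = outer.hexdigest().encode()
    return user if hmac.compare_digest(expected, digest.lower().encode()) else None


# Sample exchange from RFC 2195.
RFC_CHALLENGE = "<1896.697170952@postoffice.reston.mci.net>"
RFC_USER, RFC_SECRET = "tim", "tanstaaftanstaaf"

if __name__ == "__main__":
    store = {RFC_USER: derive_contexts(RFC_SECRET)}  # no cleartext kept
    response = client_response(RFC_USER, RFC_SECRET, RFC_CHALLENGE)
    print("client sends:", response)
    print("server accepts:", verify(store, RFC_CHALLENGE, response))
```

The stored contexts are still sufficient to answer any CRAM-MD5 challenge for that user, so they need the same access restrictions as a password; what changes is that the cleartext itself can no longer be read out of the database.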








Re: [qmailtoaster] Fwd: ezmlm warning

2013-09-12 Thread Dan McAllister
Sorry about that -- I implemented DMARC for my own domain, and gmail was 
grabbing that because there was no DMARC record in qmailtoaster.com. 
Mail for the qmailtoaster.com domain doesn't go through my systems, so 
it's odd that gmail is doing that... I've queried google about it (DMARC 
is kinda new, so there are some odd implementations out there), but 
haven't heard back. In the meantime, I gave qmailtoaster.com its own 
DMARC record in the DNS and I believe that will settle the issue.


Dan McAllister
QMT DNS/Mirror Admin (NOT the mail admin! -- but now you see how 
dependent we are on DNS... again!)


On 9/10/2013 6:42 PM, Roxanne Sandesara wrote:
Looks like Gmail/Google is getting cranky about it4soho's policies or 
configuration. Is anyone else seeing these problems?


Roxie

Begin forwarded message:

*From:* qmailtoaster-list-h...@qmailtoaster.com

*Subject:* *ezmlm warning*
*Date:* September 10, 2013 4:29:04 AM EDT
*To:* roxie.sil...@gmail.com

Hi! This is the ezmlm program. I'm managing the
qmailtoaster-list@qmailtoaster.com mailing list.


I'm working for my owner, who can be reached
at qmailtoaster-list-ow...@qmailtoaster.com.



Messages to you from the qmailtoaster-list mailing list seem to
have been bouncing. I've attached a copy of the first bounce
message I received.

If this message bounces too, I will send you a probe. If the probe 
bounces,

I will remove your address from the qmailtoaster-list mailing list,
without further notice.


I've kept a list of which messages from the qmailtoaster-list mailing 
list have

bounced from your address.

Copies of these messages may be in the archive.

To retrieve a set of messages 123-145 (a maximum of 100 per request),
send an empty message to:
  qmailtoaster-list-get.123_...@qmailtoaster.com


To receive a subject and author list for the last 100 or so messages,
send an empty message to:
  qmailtoaster-list-in...@qmailtoaster.com


Here are the message numbers:

  14778
  14791

--- Enclosed is a copy of the bounce message I received.

Return-Path: 
Received: (qmail 10672 invoked for bounce); 29 Aug 2013 03:28:43 -
Date: 29 Aug 2013 03:28:43 -
From: mailer-dae...@mail.qmailtoaster.com
To: qmailtoaster-list-return-147...@qmailtoaster.com

Subject: failure notice

Hi. This is the qmail-send program at mail.qmailtoaster.com.
I'm afraid I wasn't able to deliver your message to the following 
addresses.

This is a permanent error; I've given up. Sorry it didn't work out.

roxie.sil...@gmail.com:
User and password not set, continuing without authentication.
roxie.sil...@gmail.com 
173.194.69.26 failed after I sent the message.
Remote host said: 550-5.7.1 Unauthenticated email from it4soho.com is not accepted due to domain's
550-5.7.1 DMARC policy. Please contact administrator of it4soho.com domain if
550-5.7.1 this was a legitimate mail. Please visit
550-5.7.1 http://support.google.com/mail/answer/2451690 to learn about DMARC
550 5.7.1 initiative. t9si59667bkh.168 - gsmtp









Re: [qmailtoaster] Re: how to move all failure notice message to one email address

2013-09-12 Thread Dan McAllister
Actually, I usually see this when the catchall setting is set to an 
address that doesn't exist, or forwards to an address that doesn't exist.
This also happens when, as Eric was alluding to, the failure is 
actually fake -- the message it's complaining about wasn't your message 
to begin with (thus, backscatter).


My solution is a simple one... I stop playing so nicely because I'm 
tired of being taken advantage of... that is, I set all of my domains' 
catchall setting to DELETED. Now, if you send mail to d...@it4soho.com 
instead of d...@it4soho.com... you won't know you screwed up... my mail 
server will accept the mis-addressed mail and delete it.


The reduction in SPAM when I did that was measurable! Specifically 
because people could no longer mine my mailserver for email addresses. 
They're all accepted, so miners quit trying -- everything they try 
appears to succeed, so they don't have a clue which ones actually get 
delivered.


An alternative (if you're worried about valid mis-directed mail) is to 
setup a special catchall account -- but be prepared to get a lot of mail 
in there!


I hope this helps

Dan McAllister


On 9/11/2013 12:36 PM, Eric Shubert wrote:

On 09/10/2013 08:14 PM, ChandranManikandan wrote:

Hi All,
Am getting below message from server

Hi. This is the qmail-send program at mail..net.


I tried to deliver a bounce message to this address, but the bounce 
bounced!


and shows unknown email address which is not sent email or communicate
with them earlier. but they tried to send spam and am getting bounce
message of our email address and it's receive this message randomly .

So all our users forward to me instead of they are getting this message.

So how to receive all failure notice message in single email address
only instead of receiving all our domain email account.

if possible to catch all failure notice bounce message to only one email
account.

Please help me anyone.


--
Thanks & Best Regards,
Manikandan.C


This is what's called backscatter.
http://en.wikipedia.org/wiki/Backscatter_%28email%29

Setting up SPF should help.
http://wiki.qmailtoaster.com/index.php/Spf

Dan posted a message to this list recently regarding SPF as well.







Re: [qmailtoaster] DENIED_RDNS_MISSING and DENIED_OTHER

2013-09-12 Thread Dan McAllister

Vivek:

You appear to believe that every message your server receives is 
legitimate and should be delivered... a belief that was common in the 
1980's and 1990's and resulted in SMTP (the protocol) being so very easy 
to use for SPAM. We've learned our lesson, but are stuck in backward 
compatibility hell and thus, about 80% of email hosting activities 
these days is some form of SPAM control.


If you are receiving mail from a server that has no RDNS, you are most 
likely receiving SPAM or mail from a mis-configured domain (or, in a 
small percentage of cases - mail from a domain that just changed IP 
addresses and forgot to have the RDNS entry created -- but that will be 
very rare, and it's on them to fix it! Your error message tells them what 
is wrong, so they'll have to fix it themselves!).


Effective SPAM control requires that public mail servers (that is, the 
ones that send mail from one domain to another) be on a static IP 
address and have a valid (non-generic) PTR record on that IP address. 
The RDNS_Missing message says that they didn't implement that PTR 
record, and so you rejected it...


FWIW, Google, Yahoo!, Outlook, AOL, and all of the other big mail 
providers will block those messages too!


As for the denied other message, you should look at other nearby lines 
in the log file -- there is likely another program blocking it for virus 
content or because it's in an RBL you're subscribed to, or something similar.


One final word from me on this:
 - whitelisting sending domains is something that should only be done 
when the two domains (sending and receiving) are well known to each 
other and have a legitimate reason for making sure all messages are 
received. One example I have seen is that I whitelist the local 
courthouse (clerk of the court) for my attorney clients so that legal 
service emails are not processed for SPAM content.


My thoughts, my ideas... if you like them, keep them as your own... if 
not, kindly discard them in an environmentally friendly manner! :-)


Dan McAllister




On 9/11/2013 1:12 AM, Linux wrote:


Hi All,

I have the problem with receiving the mails, when I go through SMTP 
logs I found maximum error  DENIED_RDNS_MISSING and DENIED_OTHER 


If I put the domain in adjust whitelist senders, then it solved, but 
there are lots of domain that I can't put it manually or monitor daily.


Please give me the best solution so that I can fixed that issue.

Regards,

Vivek Patil

system admin






Re: [qmailtoaster] Re: how to move all failure notice message to one email address

2013-09-12 Thread Dan McAllister
If you want to include your ISP's mail services, you'll need to know if 
your ISP even uses SPF (most do).
 - You could call them... good luck getting to talk to someone who 
knows what SMTP even stands for with most ISPs!...

 - Or, you could dig around a little

   Locally, brighthouse networks (actually roadrunner) is a major ISP
   -- but until now, I didn't know if they used SPF... how did I find out?
    - *dig txt tampabay.rr.com*
      tells me that they have a dedicated record for SPF entries:
      a._spf.rr.com
    - *dig txt a._spf.rr.com*
      tells me that all rr mail is getting sent through one of 4
      public servers

So, assuming my private mail server is at address 1.1.1.1, and assuming 
(for example) that you're a roadrunner customer, your SPF record would 
look like:


   *@ IN TXT "v=spf1 include:a._spf.rr.com ip4:1.1.1.1 ~all"*

NOTE: At least for a while, I recommend using the ~all -- once you're 
sure things are working, switch to -all.
- the ~all means you're just testing SPF... failures are soft fail 
failures, so most servers will still accept failed SPF messages on your 
domain.
- the -all says you're fully implementing SPF and failures are hard 
failures and you're asking receiving servers to reject failed messages


This'll get you started!

Dan McAllister
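
How a receiving server evaluates the record above, and what changes between ~all and -all, is shown in this added example (not part of the original message). It implements only the ip4, ip6, include and all mechanisms; the example.test domains and the contents given for a._spf.rr.com are constructed stand-ins, since the real record's contents are not on the page.

```python
"""Minimal SPF evaluation covering ip4, ip6, include and all."""
import ipaddress

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# TXT data keyed by domain, standing in for DNS lookups.
TXT = {
    # The record layout from the message, in testing and enforcing form.
    "testing.example.test": "v=spf1 include:a._spf.rr.com ip4:1.1.1.1 ~all",
    "enforcing.example.test": "v=spf1 include:a._spf.rr.com ip4:1.1.1.1 -all",
    # Constructed contents: a documentation range, not the ISP's servers.
    "a._spf.rr.com": "v=spf1 ip4:192.0.2.0/28 -all",
    # Same record with a misspelled include target (constructed).
    "typo.example.test": "v=spf1 include:a._sfp.rr.com ip4:1.1.1.1 -all",
}


def check_spf(ip, domain, txt, depth=0):
    """Return pass, fail, softfail, neutral, none or permerror.

    Terms are evaluated left to right and the first match decides.
    Unsupported mechanisms and modifiers yield permerror; `depth` is a
    simple recursion guard, not the RFC's DNS-lookup accounting.
    """
    if depth > 10:
        return "permerror"
    terms = txt.get(domain.lower(), "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return RESULT[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if addr in network:
                return RESULT[qualifier]
        elif mech == "include":
            inner = check_spf(ip, arg, txt, depth + 1)
            if inner == "pass":  # include matches only on an inner pass
                return RESULT[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"
        else:
            return "permerror"
    return "neutral"


def sweep(domain, senders, txt):
    """Check every known sending address before tightening ~all to -all."""
    return {ip: check_spf(ip, domain, txt) for ip in senders}


if __name__ == "__main__":
    senders = ["1.1.1.1", "192.0.2.5", "203.0.113.9"]
    for domain in ("testing.example.test", "enforcing.example.test", "typo.example.test"):
        print(domain, sweep(domain, senders, TXT))
```

A permerror from a misspelled include affects every message for the domain, including mail from the listed ip4 address, which is one reason to run the sweep while the record still ends in ~all.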

On 9/12/2013 1:13 AM, ChandranManikandan wrote:

Hi Eric,
Thanks for your help. I understand my problem now.
My domain is hosting with my service provider. But our email and web 
server is running in house. So they are redirect our domain to our 
server public ip.

My server spfbehaviour is 3 now  and suggest me
How to make spf for my domain. This spf need to make myself or hosting 
provider.

If i need to make myself kindly give me the default spf syntax example.
I saw the spf syntax but somehow afraid to make myself. if you give 
some example it will be helpful for me.





On Thu, Sep 12, 2013 at 12:36 AM, Eric Shubert e...@shubes.net wrote:


On 09/10/2013 08:14 PM, ChandranManikandan wrote:

Hi All,
Am getting below message from server

Hi. This is the qmail-send program at mail..net.


I tried to deliver a bounce message to this address, but the
bounce bounced!

and shows unknown email address which is not sent email or
communicate
with them earlier. but they tried to send spam and am getting
bounce
message of our email address and it's receive this message
randomly .

So all our users forward to me instead of they are getting
this message.

So how to receive all failure notice message in single email
address
only instead of receiving all our domain email account.

if possible to catch all failure notice bounce message to only
one email
account.

Please help me anyone.


--
Thanks & Best Regards,
Manikandan.C


This is what's called backscatter.
http://en.wikipedia.org/wiki/Backscatter_%28email%29

Setting up SPF should help.
http://wiki.qmailtoaster.com/index.php/Spf

Dan posted a message to this list recently regarding SPF as well.

-- 
-Eric 'shubes'







--
Thanks & Best Regards,
Manikandan.C






Re: [qmailtoaster] Re: how to move all failure notice message to one email address

2013-09-13 Thread Dan McAllister
Personally, I don't like using A records (or MX records) in my SPF 
entries -- it just makes the recipient do *another* DNS lookup... on 
MY DNS server!


When deciding what DOES GO into my SPF records, I like to do 2 things:
 - First, I specify the IP addresses (eg: ip4 entries) of my own mail 
servers -- these aren't likely to change often, as they come from MY ISP 
(or, in my case, my ISPs)
   - IMPORTANT: These are the PUBLIC IP addresses -- we're telling 
people where the valid mail servers for my domain(s) are -- and those 
ALWAYS appear as the WAN IP addresses, not the LAN IP addresses...
 - Next, I specify the SPF RECORDS (eg: include entries) of my 
secondary mail service providers (ISP Smart Hosts, SPAM filters, etc.)
  - By using the INCLUDE, I let them decide what IP addresses they're 
using for their server(s), and I won't ever be caught off-guard because 
they changed something!


But what you should NEVER do, is specify LAN addresses -- *so the 
192.168 addresses in your SPF records HAVE TO GO!* (They 
should NEVER be able to match on someone ELSE's LAN anyway... but if I 
wanted to SPOOF a local mail server into accepting my inputs as coming 
from YOUR domain, all I would have to do is setup my own mini-LAN with 
my server sitting at the same LAN address you specified... and voila! 
I'm an authorized sender for your domain!)


Just to be clear - your server at LAN IP 192.168.1.23 is NOT your 
mailserver address -- When that server connects to the Internet, it does 
so (probably with NAT) with an Internet Address (no 10/8, 172.16/12, or 
192.168/16 addresses allowed!). ONLY THE INTERNET addresses should EVER 
be advertised to outside locations.


So, if I host my own mail (with QMT on two separate servers) & my WAN IP 
addresses from my ISP are 1.1.1.1 and 1.1.1.2, then my SPF record says:

 v=spf1 ip4:1.1.1.1 ip4:1.1.1.2 ~all
This says: ALL of my mail should be coming FROM 1.1.1.1 or 1.1.1.2... 
anything else should be suspect


If I'm confident with my SPF implementation, I might change that to:
 v=spf1 ip4:1.1.1.1 ip4:1.1.1.2 -all
This says: ALL of my mail should be coming FROM 1.1.1.1 or 1.1.1.2... 
anything else should be REJECTED


On the other hand, if my email is hosted at GMAIL, then my SPF record says:
 v=spf1 include:_spf.google.com -all
This says: ALL of my mail should be coming from a GMAIL server (as 
defined by GMAIL)... anything else should be REJECTED (I trust GMAIL to 
do SPF correctly)


And finally, if I use GFI to do spam blocking for me, my SPF record 
might look like:

 v=spf1 ip4:1.1.1.1 ip4:1.1.1.2 include:smtproutes.com -all
This says: My mail might come from my server directly, or from one of 
those GFI mail servers, but if not any of those, REJECT the message as 
being false...


Hopefully this makes sense to y'all (I'm Southern -- even though this IS 
Florida!) :-)


Dan McAllister
IT4SOHO



On 9/13/2013 5:00 AM, ChandranManikandan wrote:

Hi ,

My domains spf record below.
v=spf1 a:abc.com ip4:12.12.12.12/29 a:abc123.com ip4:13.13.13.13 
a:.com ip4:192.168.1.13 a:xyz.net ip4:192.168.1.23 mx ~all


Note:
Here abc.com and ip4: 12.12.12.12/29 is our third party domain and ip 
and we are using online tool to receive emails from this domain

same abc123.com and ip

xxx.com and ip 192.168.1.13 is our another smtp 
server. we are using this server for only outgoing email.


xyz.net and ip 192.168.1.23 is my mail server and 
which we are getting this message from server.



Please let me know my spf record is correct or do i need to change 
anything.

I want to solve this issue. Please advise to create my domains spf record.


On Fri, Sep 13, 2013 at 9:26 AM, Eric Shubert e...@shubes.net wrote:


On 09/12/2013 05:35 AM, Dan McAllister wrote:

Actually, I usually see this when the catchall setting is
set to an
address that doesn't exist, or forwards to an address that
doesn't exist.
This also happens when, as Eric was alluding to, the failure is
actually fake -- the message it's complaining about wasn't
your message
to begin with (thus, backscatter).

My solution is a simple one... I stop playing so nicely
because I'm
tired of being taken advantage of... that is, I set all of my
domains
catchall setting to DELETED. Now, if you send mail to
d...@it4soho.com
instead of d...@it4soho.com... you won't know you screwed up...
my mail
server will accept the mis-addressed mail and delete it.

The reduction in SPAM when I did that was measurable! Specifically
because people could no longer mine my mailserver for email
addresses.
They're all accepted, so miners quit
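
The checks described in the SPF message above (no RFC 1918 addresses in ip4 entries, a and mx mechanisms costing the receiver extra DNS lookups, ~all versus -all), as an added example that is not part of the original thread. The function name, the finding codes and the sample records are constructed for illustration; example.org stands in for the hostname redacted in the posted record.

```python
import ipaddress
import re

# The LAN ranges named in the post: 10/8, 172.16/12 and 192.168/16.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Terms that make the receiving server perform another DNS query.
# RFC 7208 caps these at 10 per SPF evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
OTHER_TERMS = {"ip4", "ip6", "all", "exp"}

# qualifier, name, then either ":arg" / "=arg" or a bare "/cidr"
TERM_RE = re.compile(r"^([+\-~?]?)([A-Za-z][A-Za-z0-9_.-]*)(?:[:=](.*)|(/.*))?$")


def lint_spf(record):
    """Return (findings, dns_lookups) for one SPF TXT value.

    findings is a list of (code, offending_term) tuples; the codes are
    hypothetical names chosen for this example.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [("not-spf", record)], 0

    findings, lookups, terminal = [], 0, False
    for term in terms[1:]:
        m = TERM_RE.match(term)
        name = m.group(2).lower() if m else None
        if name not in LOOKUP_TERMS | OTHER_TERMS:
            # A stray token makes receivers treat the whole record as broken.
            findings.append(("unknown-term", term))
            continue
        qualifier, arg = m.group(1) or "+", m.group(3)
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "ip4":
            try:
                net = ipaddress.ip_network(arg or "", strict=False)
            except ValueError:
                findings.append(("bad-ip4", term))
                continue
            if net.version != 4:
                findings.append(("bad-ip4", term))
            elif any(net.overlaps(p) for p in PRIVATE_NETS):
                # A LAN address authorises anyone who sits at the same
                # address on the receiver's own LAN.
                findings.append(("private-ip4", term))
        elif name == "all":
            terminal = True
            if qualifier == "~":
                findings.append(("softfail-all", term))    # still in testing mode
            elif qualifier in "+?":
                findings.append(("permissive-all", term))  # restricts nothing
        elif name == "redirect":
            terminal = True

    if not terminal:
        findings.append(("no-all", record))
    if lookups > 10:
        findings.append(("too-many-lookups", str(lookups)))
    return findings, lookups


# Constructed sample modelled on the record posted in the thread.
POSTED_STYLE_RECORD = ("v=spf1 a:abc.com ip4:12.12.12.12/29 a:abc123.com "
                       "ip4:13.13.13.13 a:example.org ip4:192.168.1.13 "
                       "a:xyz.net ip4:192.168.1.23 mx ~all")

if __name__ == "__main__":
    for rec in (POSTED_STYLE_RECORD,
                "v=spf1 ip4:1.1.1.1 ip4:1.1.1.2 -all",
                "v=spf1 include:_spf.google.com -all"):
        found, n = lint_spf(rec)
        print(rec)
        print("  DNS lookups forced on the receiver:", n)
        for code, term in found:
            print("  %-15s %s" % (code, term))
```
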

Re: [qmailtoaster] Re: Can I disable CRAM-MD5 authentication for submission service?

2013-09-13 Thread Dan McAllister

On 9/13/2013 3:18 PM, Eric Shubert wrote:
I think that's the case with qmailadmin to some extent. The postmaster 
can control all accounts in the domain.


What would be the purpose of allowing the postmaster to read/delete 
people's emails?


The QMT administrator can of course grep through emails and look at 
them with less or whatever tools are available there. I would like 
to see an option where even this would not be possible. I'm not in 
favor of using the mbox format though (in case someone's wondering).


The objective here is to ensure that emails are as private as 
possible, and the user is entirely in control as much as practical.


OK, so you want to secure email messages in a Maildir (or mbox, for 
that matter) format so that even root cannot read them? Good luck with 
that! :-) (You might be able to do this with SELinux, but even then, 
root can dynamically turn off enforcement, so you're outta luck!)


The only way that *I* know of to protect data against root access is to


 drum roll



*turn off the system and destroy the hard drives.*




Otherwise, the root user can accomplish whatever s/he has the heart, 
mind, desire, and skills to accomplish on that system... which is why a 
rootkitted *nix system is such a dangerous animal! (When I did security 
consulting, I told clients who had been rooted to not even TRY to 
re-secure such a system... build a NEW system & just copy over the data.)


   Quick aside: It's also why I insist on having a /home filesystem that
   I can put ALL user accessible storage on -- and then set the NODEV &
   NOSUID flags on the mount!


Mind you -- not being *able* to access data is not the same thing as not 
being able to EASILY access that data!


Thus, when my users inquire, I tell them that:
 a) Yes, I am the root user on the mail server, so I CAN see 
EVERYTHING! But...
 b) I am not a snoop, and my privacy policy states that I WON'T 
actually read any emails or other documents that belong to them unless 
specifically authorized to do so.
They have to trust me NOT to read their mail with a mail reader, open a 
word document with a document reader, etc... while at the same time 
giving me the ability to read the file with various other programs -- 
like virus scanners, backups, and other system admin activities.


If you don't trust your system admin, move to another system (or other 
system admin!)


Dan McAllister




Re: [qmailtoaster] Re: Your reverse DNS entry contains your IP address and a country code. ##

2013-09-19 Thread Dan McAllister

A proper RDNS entry is a hostname.

Some ISPs insert dummy RDNS entries like 
a-b-c-d.provider.location.com. Actually, "some" should probably be 
"most" ISPs.


Because these are generic PTR records, they are treated as no PTR 
values by anti-SPAM settings.


The correct fix is therefore not white-listing - it is setting a proper 
PTR record -- usually SOMETHING that resolves in the other direction 
back to that same IP address.



E.g.:

   mail.qmailtoaster.com.    IN A    1.2.3.4
   4.3.2.1.in-addr.arpa.     IN PTR  mail.qmailtoaster.com.


Dan McAllister
IT4SOHO
QMT DNS/Mirror Admin



On 9/19/2013 9:08 AM, Eric Shubert wrote:

On 09/19/2013 02:10 AM, Linux wrote:

Hi All,

When my client try to send a mail to me, he received the error message,
as follows,

*MYMAILID.MYDOMAIN.in*

*mail.MYDOMAIN.in #554 Refused. Your reverse DNS entry contains your IP
address and a country code. ##***

Will it be solved if I put the client's domain name in whitelist senders?

Regards,

Vivek Patil

system admin



You generally don't want to whitelist senders. They're very easy to 
forge.


You can either comment out the reject-ip-in-cc-rdns rule, or perhaps 
whitelist the rdns name. Personally, I would whitelist the rdns name.








Re: [qmailtoaster] Compromised passwords.

2013-09-23 Thread Dan McAllister

Tony,

The vpopmail tools in /home/vpopmail/bin are your friends!

In this case, call upon the vpasswd command -- which will allow you to 
set the password on the command line (vs. challenge/response).

So write your script & reset those passwords!

Dan

On 9/22/2013 7:04 AM, Tony White wrote:

Hi folks,
  A bit of an issue here.
Is there a quick way of updating client passwords?
Is there a way of them doing it then having the script
report the update is done?
  I am not sure if it has been compromised but better
safe than sorry I think.

 All help greatly appreciated.







Re: [qmailtoaster] Re: Outgoingip / Outgoingips

2013-09-25 Thread Dan McAllister
On 9/25/2013 10:31 AM, Eric Shubert wrote:
 On 09/24/2013 10:37 AM, Nicholas Chua wrote:
 Hi,
 Have anything work with outgoingip / outgoingips

 Can any of these patches do what I want below.

 I had binded 2 IPs to eth0 and eth0:1 respectively with IP 1.1.1.1 and 
 1.1.1.2.
 I would like to send emails to abc.com domain using  IP 1.1.1.1 all 
 others with  1.1.1.2.

 Is it possible?

 Regards
 Nic
 I don't believe this is presently possible with qmail (or QMT).

 I don't see any reference to patches. I'd be glad to consider including
 one which allows this.

 Thanks.

The only way I know of doing this is with IPTables (set an outgoing rule
that specifies the outbound IP for all things SMTP).
My only concern is whether IPTables can do this with the other IP
being the same device -- have to look into that one (I know I can do it
when the devices are different hardware (eth0 vs. eth1) -- I'm just not
sure I can do it with 2 instances of eth0).

Dan McAllister
IT4SOHO




Re: [qmailtoaster] Re: Windows 8 mail client and courier-IMAP SSL woes

2013-10-04 Thread Dan McAllister
Win 8 and all of its predecessors DOES allow you to install a new 
trusted certificate.
Your issue appears to be that your MAIL program does not allow you to 
INSTALL that certificate into Win 8


I have had this problem before, and the solution is actually simple:
 a) make sure your web server is also using that same certificate 
(consider using SquirrelMail or RoundCube ONLY over SSL links anyway)
 b) browse to your secure web page with IE9 or IE10 (or, older 
versions) -- it will complain about the certificate

 c) VIEW the certificate, then add it to your system!

NOTE: One of the most common mistakes made is in the system NAME:
 - Your self-signed certificate used the hostname  of your system at 
installation. If you changed it, or if you use a different name in the 
me or default* entries, you might get an error. Also, if your mail 
client isn't using that same name to connect, you'll never get a match.
 - PERSONALLY, I called my server mail.mydomain to begin with, then 
made sure my DNS referred to my mail host by the same name 
(mail.domain), THEN made sure my clients were all connecting to 
mail.domain (which was resolved by my DNS server to the right host) -- 
and thus, the name & certificate used matched.
 - If that horse has already left the barn, just get a new self-signed 
certificate with the right name... but remember, the clients have to use 
that name to access the host or else the name won't match on the 
certificate.


OK, so once you use IE to install the certificate to your system, your 
mail clients should allow the connections without issue. (If you 
continue to have an issue, re-connect with IE to the same host name you 
configure in your mail client -- and see if there is still a problem 
with the certificate (like a name mismatch, or a date problem)... fix 
those issues, and you'll be fine!)


FWIW: I used to have all of my users connect with IE to my SquirrelMail 
FIRST -- to install the certificate AND to create the special folders 
(Sent, Trash, & Drafts) that otherwise seemed to be missing all the time.


Good Luck!

Dan McAllister
IT4SOHO


On 10/4/2013 1:57 AM, Sebastian Grewe wrote:

Hey Eric,

Should be Windows Mail - what a great name isn't it? ;)

Agreed, there are free certificates too. I am myself using a free certificate 
but by creating a proper certificate chain, a CA Root Certificate on the client 
is not required. Usually they provide instructions on their website but in 
general it's just concatenating the personal key and the intermediate cert into 
a single file.

Cheers,
Sebastian

On Oct 4, 2013, at 7:48 AM, Eric Shubert e...@shubes.net wrote:


I didn't think that Win8 included a mail client any more. Which email client 
are you using?

I concur with Sebastian.

If you'd like a free certificate, you can get one at cacert.org. Their root 
certs aren't recognized by most (any?) programs though, so you'll also need to 
install the cacert.org root certificate on every client host which will be 
accessing your server using TLS/SSL (TLS/SSL is highly recommended). This is ok 
for soho type use, but if you have more than a handful of devices/users, 
purchasing a certificate may be your best route.

Either that or use an email client which allows you to accept a certificate 
that cannot be verified, which most do afaik. It's not much of a security risk 
to do so.

--
-Eric 'shubes'

On 10/03/2013 09:55 PM, Sebastian Grewe wrote:

If you are planning to run a real server you should consider getting a valid 
SSL certificate. The ones supplied with qmailtoaster are self signed and will 
be rejected by mail clients. Most clients allow to accept self signed 
certificates, as for windows 8 I am not sure but Google might help.



Cheers,
Sebastian


On 04.10.2013, at 04:51, Kelly Cobean kcob...@vipercrazy.com wrote:

I'm trying to set up my first Windows 8 laptop and the email client won't allow 
me to set up my email because it says I need to install an SSL certificate 
because I'm using SSL for the IMAP connection.  I'm using the cert that got 
installed when I installed QMT on the server.  Anyone have any insights on how 
to make this work?




Re: [qmailtoaster] Stop the domain

2013-10-04 Thread Dan McAllister

You want to suspend outbound mail only (still receive mail?)

If so, then do what I do when an account gets hacked or infected and 
starts sending out tons of emails -- I change the password on the 
account until the user proves to me that they've fixed their system. 
(Typically, I set it to *SUSPENDED* -- but they don't know that!)


In your case, just do it for all of the users in the domain. You can 
re-permit them one by one!


Dan McAllister
IT4SOHO

On 10/4/2013 2:00 AM, Linux wrote:


Hi All,

I have 14 domain configured on qmail toaster, I need to stop temporary 
mailing from only single domain. How I can do this?


Regards,

Vivek Patil

system admin







Re: [qmailtoaster] Re: DENIED_RDNS_RESOLVE

2013-10-07 Thread Dan McAllister
OK, so those IPs DO have RDNS values that seem fine to me (point to a 
real domain without an IP address in the PTR record).
What's more, the PTR records refer to valid A records that point back to 
the same IP...


So it's pretty clear from this that your DNS resolution is failing.

1) Have you checked your own settings in /etc/resolv.conf? If that's 
pointing you somewhere else, then having PDNS-Resolver on your system is 
moot.

2) Have you checked these lookups on your own server?
*host 86.96.226.151* -- /resolves to domail1.emirates.net.ae/
*host domail1.emirates.net.ae* -- /resolves to 86.96.226.151/

That's at least a start...

Dan McAllister
IT4SOHO


On 10/5/2013 2:46 AM, Linux wrote:

10-05 10:51:58 spamdyke[5624]: DENIED_RDNS_MISSING from: sp...@anta.ae to:
om...@miceplanners.co.in origin_ip: 86.96.226.151 origin_rdns: (unknown)
auth: (unknown) encryption: (none) reason: (empty)

10-05 12:06:08 spamdyke[8920]: DENIED_RDNS_RESOLVE from: sticku...@gmail.com
to: u...@epochworld.com origin_ip: 122.161.211.239 origin_rdns:
abts-north-dynamic-239.211.161.122.airtelbroadband.in auth: (unknown)
encryption: (none) reason: (empty)

10-05 10:59:36 spamdyke[5912]: DENIED_RDNS_MISSING from: (unknown) to:
shubha...@epochworld.com origin_ip: 176.60.181.228 origin_rdns: (unknown)
auth: (unknown) encryption: (none) reason: (empty)

10-05 10:46:18 spamdyke[5460]: DENIED_RDNS_MISSING from: sp...@anta.ae to:
sand...@miceplanners.co.in origin_ip: 86.96.226.151 origin_rdns: (unknown)
auth: (unknown) encryption: (none) reason: (empty)



-Original Message-
From: Eric Shubert [mailto:e...@shubes.net]
Sent: Saturday, October 05, 2013 11:39 AM
To: qmailtoaster-list@qmailtoaster.com
Subject: [qmailtoaster] Re: DENIED_RDNS_RESOLVE

qmlog yes, but spamdyke messages are in the smtp log. spamdyke
front-ends qmail-smtpd. The spamd log contains spamassassin messages.

Anywise, the errors in my case ended up being caused by one errant
nameserver name in the domain's registration. The errant nameserver did
not have the most recent updates, so queries would sometimes succeed and
sometimes fail. It was intermittent, and the luck of the draw whether
things would work or not.

Note, I was only able to find the problem because I had the real name. I
would have never found the problem with a reference to
whateverdomain.com. When trying to do problem determination of this
sort, it's imperative to have real data.

Vivek, if you continue to have a problem with a domain and would like
assistance, please post a spamdyke rejection message or two, from the
smtp log.

Thanks.




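
The two-way lookup from the message above (PTR for the IP, then the A record for that name pointing back to the same IP), applied to spamdyke rejection lines, as an added example that is not part of the original thread. It also covers the generic "IP address in the PTR name" case from the earlier reverse-DNS message. The log lines, the fake resolver tables and the verdict names are constructed; the default resolver functions use the host's own resolver settings.

```python
import re
import socket

# Field layout of the spamdyke lines quoted in the thread.
LINE_RE = re.compile(
    r"spamdyke\[\d+\]: (?P<code>[A-Z_]+) from: (?P<sender>\S+) to: (?P<rcpt>\S+) "
    r"origin_ip: (?P<ip>\S+) origin_rdns: (?P<rdns>\S+)"
)


def parse_line(line):
    """Return the spamdyke fields of one log line as a dict, or None."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def ptr_embeds_ip(ip, name):
    """True if the four octets of ip appear in name, in either order."""
    try:
        octets = [int(o) for o in ip.split(".")]
    except ValueError:
        return False
    nums = [int(n) for n in re.findall(r"\d+", name)]
    return any(nums[i:i + 4] in (octets, octets[::-1])
               for i in range(len(nums) - 3))


def system_reverse(ip):
    """PTR lookup through the host's configured resolver."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def system_forward(name):
    """A-record lookup through the host's configured resolver."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def check_fcrdns(ip, reverse=system_reverse, forward=system_forward):
    """Forward-confirmed reverse DNS: PTR exists and resolves back to ip."""
    name = reverse(ip)
    return {
        "ptr": name,
        "confirmed": bool(name) and ip in forward(name),
        "generic": bool(name) and ptr_embeds_ip(ip, name),
    }


def triage(lines, reverse=system_reverse, forward=system_forward):
    """One row per rejected (ip, code): (ip, code, hits, verdict)."""
    seen = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["code"].startswith("DENIED_RDNS"):
            continue
        key = (rec["ip"], rec["code"])
        seen[key] = seen.get(key, 0) + 1
    report = []
    for (ip, code), hits in seen.items():
        dns = check_fcrdns(ip, reverse, forward)
        if not dns["confirmed"]:
            verdict = "sender-dns"      # the sender's PTR/A records are at fault
        elif dns["generic"]:
            verdict = "generic-ptr"     # resolves, but is an ISP placeholder name
        else:
            verdict = "local-resolver"  # sender is fine; look at resolv.conf
        report.append((ip, code, hits, verdict))
    return report


# Constructed log lines in the format shown in the thread (documentation IPs).
TAIL = " auth: (unknown) encryption: (none) reason: (empty)"
SAMPLE_LOG = [
    "10-05 10:51:58 spamdyke[5624]: DENIED_RDNS_MISSING from: a@example.org "
    "to: b@example.com origin_ip: 192.0.2.10 origin_rdns: (unknown)" + TAIL,
    "10-05 12:06:08 spamdyke[8920]: DENIED_RDNS_RESOLVE from: c@example.net "
    "to: d@example.com origin_ip: 198.51.100.7 "
    "origin_rdns: dyn-7.100.51.198.isp.example" + TAIL,
    "10-05 10:59:36 spamdyke[5912]: DENIED_RDNS_MISSING from: (unknown) "
    "to: e@example.com origin_ip: 203.0.113.5 origin_rdns: (unknown)" + TAIL,
    "10-05 10:46:18 spamdyke[5460]: DENIED_RDNS_MISSING from: a@example.org "
    "to: f@example.com origin_ip: 192.0.2.10 origin_rdns: (unknown)" + TAIL,
    "10-05 10:40:01 spamdyke[5400]: ALLOWED from: g@example.org "
    "to: b@example.com origin_ip: 192.0.2.20 origin_rdns: mx.example.org" + TAIL,
]
# Constructed stand-in for an independent resolver, so the example runs offline.
FAKE_PTR = {"192.0.2.10": "mail.example.org",
            "198.51.100.7": "dyn-7.100.51.198.isp.example"}
FAKE_A = {"mail.example.org": ["192.0.2.10"]}


def fake_reverse(ip):
    return FAKE_PTR.get(ip)


def fake_forward(name):
    return FAKE_A.get(name, [])


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG, fake_reverse, fake_forward):
        print(row)
```

Calling `triage(lines)` without the fake resolver arguments performs live lookups; running it both on the mail server and on an unrelated host shows whether the two resolvers disagree.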



Re: [qmailtoaster] Re: Simscan disappeared

2013-10-07 Thread Dan McAllister

Tom,

Your premise is not impossible, however:
 1) QMT does not self-update -- it must be done manually (this is a 
best-practice for servers in general)
 2) The way you got simscan installed to begin with was by building the 
RPM Eric pointed you to from source. This has traditionally been the way 
to distribute and use QMail because of some odd licensing that the 
original coder insisted upon. Those licensing restrictions are gone, but 
the common practice of distributing source (vs. binary) remains.
 3) When you built the source, you actually built an RPM file, which 
was then installed to place the binaries (and config files) in the 
appropriate places


So, going back to the RPM file you built during your last install/update 
is the most direct route to replacing the simscan executable.


As to how it could disappear, I would look in your log file for drive 
errors, as well as schedule an FSCK as soon as possible. The simscan 
executable is stored in a root-protected area of the filesystem. Thus, 
any disappearance has to have been root-controlled. (Do you access your 
system as root a lot?)


Good Luck!

Dan McAllister
IT4SOHO

On 10/7/2013 5:01 AM, Tom Keyser wrote:


OK. I was expecting some process was rebuilding it and crashed, 
leaving the executable missing.


I was looking for a more permanent solution than reinstalling.

On Oct 6, 2013 7:06 PM, Eric Shubert e...@shubes.net wrote:


I couldn't tell what you meant exactly.

The simplest way to recover it is probably to reinstall the rpm,
which should be in the /usr/src/qtp-upgrade/old-rpms/ directory,
provided you've been using qtp-newmodel to upgrade. Make sure you
use the latest one there, which should match the one that's installed.

# rpm -Uvh --replacefiles /usr/src/qtp-upgrade/old-rpms/simscan-toaster
(use the appropriate file)

You should probably do this with qmail stopped, then start it
after installing simscan, just to be on the safe side.

-- 
-Eric 'shubes'


On 10/06/2013 06:52 PM, Tom Keyser wrote:

No seriously Eric, simscan the executable is not in the
directory anymore.

Can it be rebuilt? Does it get rebuilt periodically?

Thanks

Tom

On Oct 6, 2013 6:48 PM, Eric Shubert e...@shubes.net wrote:

On 10/06/2013 10:55 AM, Tom Keyser wrote:

What would cause simscan to disappear?

Thanks
Tom


Simscan is invoked by way of the
QMAILQUEUE=/var/qmail/bin/simscan variable in the
/etc/tcprules.d/tcp.smtp file. If the incoming connection
matches an
entry in this file which does not have this variable set,
simscan
will not be invoked.

Remember to run service qmail cdb after making changes
to this file.

--
-Eric 'shubes'


   







Re: [qmailtoaster] Where does VQADMIN get domain list from?

2013-10-09 Thread Dan McAllister

Is there a 0 folder in /home/vpopmail/domains ???
Once you reach a certain threshold, to improve performance, vpopmail 
creates sub-folders inside of /home/vpopmail/domains... the first one 
created is 0.


Also, look in the /var/lib/mysql/vpopmail folder to see if there is 
still a remnant database file in there...


Dan McAllister
IT4SOHO

On 10/9/2013 3:32 AM, Sebastian Grewe wrote:
Have you checked the /var/qmail/control folder? Maybe it's in there 
still.


Not sure what other places it would look, might have to check the 
source if nobody has an idea :)


Cheer,
Sebastian


On Oct 9, 2013, at 6:50 AM, LHTek dennywjo...@yahoo.com wrote:


I've got a rogue entry in the domain list when I view the list of 
domains via VQADMIN. It's a domain I know was deleted sometime ago 
but there must be some remnant of it still there. The problem is I 
can't find it in the vpopmail MySql database. There also is no 
directory in ~/vpopmail/domains for this domain. I can't seem to find 
the little booger.


Where does VQADMIN keep its list of domains?

Thanks,
Denny









Re: [qmailtoaster] How to install qmailtoaster packages in centos 6.4

2013-10-09 Thread Dan McAllister
While there are a number of places to find suggestions for making things 
work in COS6, one thing I do know about them all is that they are 
focused on the 64-bit version. PROBABLY the 32-bit version would be the 
same, but I wouldn't bet on it! Make sure you give yourself plenty of 
test space to make that work!


Dan McAllister
IT4SOHO

PS: I have a script for a 64-bit install that covers nearly all of the 
changes... check the wiki, or if need be, I'll tune it up again and re-post.



On 10/9/2013 1:17 PM, Peter Peltonen wrote:


Hi,

On Wed, Oct 9, 2013 at 6:13 AM, Chandran Manikandan 
tech2m...@gmail.com wrote:


Hi All,
I would like to install centos 6.4 i386 in my new server.
How do i install qmailtoaster packages in this server.
I would able to see in wiki only centos 5  for qmailtoaster
install steps and procedure.


CentOS 6 is not officially yet supported.

If you search the list archives, you can find some messages about 
people installing it on CentOS 6 and the problems they encountered and 
some solutions as well. But beware, there will be issues that have to 
be dealt with. I would suggest running it on COS5 for now.


Regards,
Peter






Re: [qmailtoaster] I cannot see new folders in outlook email client

2013-10-22 Thread Dan McAllister
There are SIGNIFICANT and HUGE problems with Outlook 2013 and IMAP. 
Microsoft, in their INFINITE wisdom, completely re-designed the IMAP 
interface into Outlook 2013 -- among other things, IMAP data is now 
stored locally in an OST file (vs. a PST). Further, Outlook 2013 will 
decide for you what special folders are what (like Sent, Drafts, & 
Trash) -- and you have no options to change its mind.


If I had a nickel for every Outlook 2013 user who was FURIOUS with MS 
over this, I'd make Bill Gates look like a pauper!


For now, my suggestion to Outlook 2013 users is to install Outlook 2010 
and wait for SP1 (or whatever other patch MS eventually offers up). This 
can be tricky - especially if you don't already have an older Outlook 
2010 or 2007 license... but MS has been slow to acknowledge problems, 
and I don't believe they'll be any faster to fix them.


Dan


On 10/22/2013 4:18 AM, Chandran Manikandan wrote:

Hi Nic,
I have tried to subscribe and after subscribe also it's not reflect. 
then i closed outlook and reopen again still not showing.

My outlook client is 2013


On Mon, Oct 21, 2013 at 6:01 PM, Nicholas Chua 
nicholasc...@outlook.com wrote:


 I have created one new folder on Squirrelmail(webmail) but this
folder is not reflected in outlook client. I have tried to click
imap folders option in outlook it's


Most likely you need to subscribe it in outlook

regards
nic





--
*Thanks,*
*Manikandan.C*
*System Administrator*






Re: [qmailtoaster] Old Mails download again

2013-10-22 Thread Dan McAllister
On 10/22/2013 5:23 AM, Nicholas Chua wrote:

  But I did not make any type of changes in mail server or in outlook,
 and it happening with more than 10 users.

  Are you experience bandwidth issue?


 Looks to me you are experiencing bandwidth issue.

 All email clients have an anchor to mark which email has been
 downloaded/read. At the same time, auto check is often turned on
 usually by default is 10mins.
 During times when your internet(yours or the remote server) is very
 utilized or exhausted, and the email client cannot complete send &
 receive within that 10mins, it will automatically run again. Over a
 number of times, the anchor is broken and you will re-download all
 the emails left on the server.

 regards
 nic

I suspect your server re-numbered your messages, or you wrapped the
message counters. Either way, this is not an uncommon issue with POP -
and it is a design problem with POP, not a programming error.

Recommend to your users to switch to IMAP.

Dan




Re: [qmailtoaster] Re: SpamAssassin Working?

2013-11-04 Thread Dan McAllister
 135400183 to remote
   c...@mk.com
   11-01 14:20:55 delivery 10560: success:
   
User_and_password_not_set,_continuing_without_authentication./c...@mk.com_xx.xx.xx.xx_accepted_message./Remote_host_said:_250_ok:__Message_505069548_accepted/
   11-01 14:20:55 end msg 135400183

This snippet is pulled from a log file containing over 100K lines of 
messages (and the full output of my [q]mtrack query shows 30+ failed 
messages) -- but here I can see QUICKLY (and grouped together) that THIS 
message had only a temporary failure, and was delivered with only a 
7-minute delay ... a delay caused by the remote server.


My only real issue with [q]mtrack is that it is designed SOLELY for 
qmail-send logs (there is a separate tool - [qm]strack for qmail-smtpd 
logs) -- and both sometimes have perl-script errors (due to unexpected 
line formats)... which I conveniently send to /dev/null.


I have not attempted to reach the guy who wrote these (see 
http://qmail.jms1.net/scripts/) -- in part because they haven't been 
updated in SOOO long (though he did update the (C) notice to 2013 
grin) in any case, I'm afraid if I point out problems he may take 
the site (or the scripts) down... and I've only just begun to mine the 
plethora of stuff he's got on there...


Just my thoughts...

Dan McAllister
IT4SOHO
QMT Mirror/DNS Admin





[qmailtoaster] Message Tracking - sharing my favorite tools

2013-11-04 Thread Dan McAllister
OK, I included this information in a follow-up a few minutes ago and 
almost immediately got a request/suggestion to re-post so it's not lost 
in the other message history.


The issue being brought up was one of 3rd party tools that help in 
managing a QMT installation.


Erick brought up one, *qmlog*, that does a GREAT job of helping manage 
QMT log files -- especially since the standard timestamps on those qmail 
logs are in an unusual format, not easily human decipherable.  (*qmlog* 
is included in the *QTP* -- Qmail Toaster Plus -- package).


The one I was adding is called *mtrack* (and a sister, called 
*strack*)... and I mentioned that I stick a pre-fix on them in my 
systems to keep my feeble little head on straight, so to me they're 
*qmtrack* and *qmstrack*.


[q]*mtrack* groups together log entries from qmail-send (either raw, or 
output from qmlog -- I prefer the latter). [qm]*strack* does the same 
for qmail-smtpd log files.


As an example -- to make finding bad actors easier, I use qmlog, grep, 
and wc to count (every 15 minutes) how many failed attempts have 
happened today (so far)... when they reach a certain threshold, I send 
an automated email to my cell phone and run a [q]mtrack on the log files 
over the same time which shows me the same messages, but grouped by 
failed attempt.


To show you the value of this, let me show you a snippet (redacted to 
protect client data):


   11-01 14:13:17 new msg 135400183
   11-01 14:13:17 info msg 135400183: bytes 20503 from f...@m.com qp
   29365 uid 89
   11-01 14:13:17 starting delivery 10363: msg 135400183 to remote
   c...@mk.com
   11-01 14:13:41 delivery 10363: deferral:
   
Connected_to_xx.xx.xx.xx_but_sender_was_rejected./Remote_host_said:_452_4.1.0_..._temporary_failure/
   11-01 14:19:58 starting delivery 10560: msg 135400183 to remote
   c...@mk.com
   11-01 14:20:55 delivery 10560: success:
   
User_and_password_not_set,_continuing_without_authentication./c...@mk.com_xx.xx.xx.xx_accepted_message./Remote_host_said:_250_ok:__Message_505069548_accepted/
   11-01 14:20:55 end msg 135400183

This snippet is pulled from a log file containing over 100K lines of 
messages (and the full output of my [q]mtrack query shows 30+ failed 
messages) -- but here I can see QUICKLY (and grouped together) that THIS 
message had only a temporary failure, and was delivered with only a 
7-minute delay ... a delay caused by the remote server (I suspect a 
grey-listing similar to what a QMT install does!).


My only real issue with [q]mtrack and [qm]strack is that both sometimes 
have perl-script errors (due to unexpected line formats)... which I 
conveniently send to /dev/null.


I have not attempted to reach the guy who wrote these (see 
http://qmail.jms1.net/scripts/) -- in part because they haven't been 
updated in SOOO long (though he did update the (C) notice to 2013 
grin) in any case, I'm afraid if I point out problems he may take 
the site (or the scripts) down... and I've only just begun to mine the 
plethora of stuff he's got on there...


I might suggest some of these make it into the QTP package at some 
further date... or something like them without [q]mtrack, I don't 
know how many hours I'd spend tracking messages through the log files... 
since I've got a client with users who love to get us blacklisted, it 
has saved me countless hours!


Just my ideas...

Dan McAllister
IT4SOHO
QMT DNS/Mirror Admin (at least for as long as there are still mirrors)




Re: [qmailtoaster] plague caused by virus

2013-11-04 Thread Dan McAllister
On 11/4/2013 3:27 PM, Nicholas Chua wrote:
 Hi,

 I am receiving an average of 13 new virus each day. Due to these
 virus, email accounts passwords are stolen and caused massive spams
 from the server. Valuable time is wasted to delist our IP and to
 maintain a private list of a virus database which till date 100+ virus
 are still not detected by clamav.

 This server is housing about 600 users. We were not experience this
 issue since 4 months ago. Anyone out there would like to share your
 experience fighting virus?

 Thanks
 nic

Nic:

You'll need to look to your qmail-send logs to see the users who are
sending messages that are failing. For virus infected systems, you'll
see the messages going out to 20 or so addresses at a time, most of
which will be invalid.

Once you identify a hacked user, change their password & decline to give
them the new password until they can demonstrate that they've run a full
virus scan on their system.

It is because of issues like this that I keep a 15-minute timer on my
larger mail systems... every 15 minutes, I count how many failed
messages there have been so far today. When the value reaches 100, I
look into it and usually find ONE USER who is responsible for the vast
majority of them, and I immediately suspend that user as described above
(I just change the password).

The problems with your idea of resting on clamav for virus protection
includes:
1) you're assuming clamav is scanning messages from your users -- which
in a stock QMT, it is not. It only scans messages coming in on port 25
received without authentication (e.g. inbound mail, not outbound mail);
2) you're assuming virus infections are spreading as attachments --
usually they are nothing but links... which usually get opened and
infect clients because stupid, lazy users keep their mail clients set to
having a preview pane and to showing html content always... thus, they
swear they didn't OPEN the infecting message -- but their preview pane
sure did!
3) you're assuming you're being blacklisted because of SPAM or virus
contents -- usually you hit the blacklists because you send SPAM to
honeypot addresses, or you keep hitting sites over and over again with
invalid addresses (considered fishing).

So, if this started a few days ago, start by extracting the log files,
one day at a time, for the past week.
1) use qmlog to scan ALL available logs (not just the current file)
2) pipe the output of qmlog into grep and sort out all entries for the
given day (e.g. | grep ^10-31)
3) put the results into a /tmp file (I would use /
4) use the [q]mtrack program I mentioned just earlier today to examine
JUST THAT FILE, and look for messages that have multiple recipients.

I hope this points you in the right direction...

Dan
IT4SOHO
QMT DNS/Mirror Admin




Re: [qmailtoaster] Re: how to disable local delivery for one virtual domain

2013-11-06 Thread Dan McAllister

I'm johnny-come-lately on this, and Peter nearly nailed it:

1) If you remove DOMAIN-X.com from *rcpthosts*, you no longer accept 
mail for it at all -- so it probably needs to remain there (or in 
*morercpthosts*)

2) You should remove the domain from *virtualdomains*
3) If present, you must also remove the domain from *locals*
(All files located in */var/qmail/control*)

Having done the above, the QMT knows to accept mail for DOMAIN-X.com, 
but not where to deliver it (you took that out!)... so now you go into 
smtproutes and tell it where to forward the mail...


All sounds good -- except you're probably breaking your own SPF rules, 
so make sure the IP address of this server (the QMT server) is in the 
SPF record as a valid sender for the domain, even though the only place 
it will actually send TO is the Office365 server.


Good luck!

Dan McAllister
IT4SOHO
QMT Project DNS/Mirror Admin

On 11/6/2013 4:56 AM, Peter Peltonen wrote:


Hi,

On Wed, Nov 6, 2013 at 1:14 AM, Eric Shubert e...@shubes.net wrote:


On 11/05/2013 01:48 PM, Peter Peltonen wrote:

Hi,

I have a virtual domain on a toaster which mails go nowadays to
Office365 (- MX is pointing there).

I would still need to offer IMAP service for this domain, but
if an
email is sent through this toaster to that virtual domain, it
should not
be delivered locally to the toaster inbox, but it should sent to
Office365 (= treated as a message that should be sent to the
default
smtp smarthost defined in smtproutes).

How can I achieve this, do I just remove the domain from
rcpthosts?

Regards,
Peter


Wouldn't you simply add a line in smtproutes for that domain to be
sent to the Office365 server?


This did not work. What I tried in smtproutes:

myvirtualdomain.dom:office365.smtp.server.dom
:mydefaultsmtp.dom

I think the toaster does local delivery before checking the contents 
of smtproutes...


Removing the domain from rcpthosts and virtualdomains file solved the 
situation: I still can login with webmail to the old account and 
sending messages using the toaster as the smtp server delivers to 
office365 and not to the toaster.


Regards,
Peter








-- 
-Eric 'shubes'



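The lookup order behind this thread, as an added example (not code from qmail, QMT or the posters): a simplified Python model of how stock qmail consults locals and virtualdomains before smtproutes, while rcpthosts only gates unauthenticated inbound mail. The control-file contents are constructed from the names used in the thread; other-hosted.dom is a hypothetical second domain, and user@domain entries in virtualdomains are left out.

```python
# Simplified model of stock qmail's control-file lookups (added illustration,
# not qmail or QMT source). All control-file contents below are constructed.

def parse_control(text):
    """Parse 'key:value' control lines into a dict; a bare 'key' maps to ''."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        table[key.lower()] = value
    return table


def lookup(domain, table, allow_default=False):
    """Exact match first, then '.suffix' wildcards; '' is smtproutes' catch-all."""
    domain = domain.lower()
    candidates = [domain] + [domain[i:] for i, ch in enumerate(domain) if ch == "."]
    if allow_default:
        candidates.append("")
    for key in candidates:
        if key in table:
            return table[key]
    return None


def route(domain, control):
    """Return (decision, detail) for a message already queued for `domain`."""
    if domain.lower() in control["locals"]:
        return ("local", None)
    prepend = lookup(domain, control["virtualdomains"])
    if prepend:
        # Delivered on this host; smtproutes is never consulted for it.
        return ("virtual", prepend)
    relay = lookup(domain, control["smtproutes"], allow_default=True)
    return ("remote", relay if relay else "MX lookup")


def accepts_from_internet(domain, control):
    """qmail-smtpd accepts unauthenticated mail only for domains in rcpthosts."""
    return lookup(domain, control["rcpthosts"]) is not None


# State when the smtproutes line alone "did not work".
BEFORE = {
    "rcpthosts": parse_control("myvirtualdomain.dom\nother-hosted.dom\n"),
    "locals": parse_control("localhost\n"),
    "virtualdomains": parse_control(
        "myvirtualdomain.dom:myvirtualdomain.dom\nother-hosted.dom:other-hosted.dom\n"
    ),
    "smtproutes": parse_control(
        "myvirtualdomain.dom:office365.smtp.server.dom\n:mydefaultsmtp.dom\n"
    ),
}
# Domain removed from virtualdomains but kept in rcpthosts.
AFTER = dict(BEFORE, virtualdomains=parse_control("other-hosted.dom:other-hosted.dom\n"))
# Domain also removed from rcpthosts.
NO_RCPTHOSTS = dict(AFTER, rcpthosts=parse_control("other-hosted.dom\n"))

if __name__ == "__main__":
    for name, control in (("before", BEFORE), ("after", AFTER), ("no rcpthosts", NO_RCPTHOSTS)):
        print(name, route("myvirtualdomain.dom", control),
              accepts_from_internet("myvirtualdomain.dom", control))
```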



Re: [qmailtoaster] plague caused by virus

2013-11-06 Thread Dan McAllister
Sure -- happy to share... it's pretty brute force, but I don't have a 
lot of time for clean development!


Remember: I reset the name of my mtrack command to qmtrack... (Bolding 
the non-commented lines is just my way of making them stand out)


   #! /bin/bash
   # $0 (or check-failures.sh) - (should run every 15 minutes from a
   # cron job... so ensure there is no output!)
   # NOTE: If run with no arguments (e.g. from cron), the report is run
   # for TODAY
   #  if 1 argument, the report is run for the STARTING VALUE entered
   #   $0 11 would run the report for all of November
   #   $0 11-11 would run the report solely for November 11 (no matter
   #   what day today is)
   # if 2 arguments, the report is run for the MONTH and DAY provided
   #   $0 11 11 would run the report for November 11 (no matter what
   #   day today is)
   #
   # Delete old log files
   rm -f /tmp/send*
   #
   # Process Args
   if [ $# -eq 0 ] ; then
     TODAY=`/bin/date +%m-%d`
   elif [ $# -eq 1 ] ; then
     TODAY=$1
   elif [ $# -eq 2 ] ; then
     TODAY=$1-$2
   else
     echo "Usage: $0 [month] | [month] [day]" 1>&2
     exit 1
   fi
   #
   # Create nice logs for the period requested
   /usr/sbin/qmlog send | grep "^${TODAY}" > /tmp/send-${TODAY}
   # Look for failures
   /it4soho/sbin/qmtrack -p fail /tmp/send-${TODAY} > /tmp/send-${TODAY}-fail
   # Count failures
   FAILURES=`grep 'failure:' /tmp/send-${TODAY}-fail | wc -l`
   # If too many, send an email
   if [ $FAILURES -gt 100 ] ; then
     mail -s "TOO MANY MAIL SYSTEM FAILURES" u...@domain.com <<-EOL
   There have been $FAILURES failed message attempts so far today.
   Please check the server ASAP to prevent blacklistings
   EOL
   fi
   # Done.

I hope you find it useful...

Dan McAllister
IT4SOHO
QMT DNS/Mirror Admin


On 11/4/2013 9:00 PM, LHTek wrote:

Dan,

I'm curious in this script you run every 15 minutes...

Is that something you can share?

Thanks,
Denny





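An added example, not part of the original posts or of the mtrack/qmlog tools: a Python pass over qmail-send log lines that does the per-sender attribution described in this thread (count the day's failures, then find the one sender behind most of them). The sample log is constructed in the line format shown on this page, the addresses and function names are assumptions, and the envelope sender stands in for the account because qmail-send logs do not record the authenticated user.

```python
import re
from collections import defaultdict

# Constructed sample in the qmlog-style format quoted on this page.
# Message and delivery numbers are reused on purpose, as qmail does.
SAMPLE_LOG = """\
11-01 14:13:17 new msg 135400183
11-01 14:13:17 info msg 135400183: bytes 20503 from <alice@example.com> qp 29365 uid 89
11-01 14:13:17 starting delivery 10363: msg 135400183 to remote carol@example.net
11-01 14:13:41 delivery 10363: deferral: Connected_to_192.0.2.10_but_sender_was_rejected./
11-01 14:19:58 starting delivery 10560: msg 135400183 to remote carol@example.net
11-01 14:20:55 delivery 10560: success: 192.0.2.10_accepted_message./
11-01 14:20:55 end msg 135400183
11-01 15:02:01 new msg 135400201
11-01 15:02:01 info msg 135400201: bytes 1812 from <bob@example.com> qp 30111 uid 89
11-01 15:02:01 starting delivery 10601: msg 135400201 to remote a1@example.org
11-01 15:02:01 starting delivery 10602: msg 135400201 to remote a2@example.org
11-01 15:02:01 starting delivery 10603: msg 135400201 to remote a3@example.org
11-01 15:02:03 delivery 10601: failure: Remote_host_said:_550_no_such_user/
11-01 15:02:03 delivery 10602: failure: Remote_host_said:_550_no_such_user/
11-01 15:02:04 delivery 10603: success: 198.51.100.7_accepted_message./
11-01 15:02:04 end msg 135400201
11-01 15:09:30 new msg 135400183
11-01 15:09:30 info msg 135400183: bytes 900 from <bob@example.com> qp 30200 uid 89
11-01 15:09:30 starting delivery 10363: msg 135400183 to remote a4@example.org
11-01 15:09:31 delivery 10363: failure: Remote_host_said:_550_no_such_user/
11-01 15:09:31 end msg 135400183
"""

# Angle brackets around the sender are optional: the archive on this page strips them.
INFO = re.compile(r"info msg (\d+): bytes \d+ from <?([^\s>]*)>? qp ")
START = re.compile(r"starting delivery (\d+): msg (\d+) to (?:remote|local) (\S+)")
DONE = re.compile(r"delivery (\d+): (success|failure|deferral):")
END = re.compile(r"end msg (\d+)")


def summarize(lines):
    """Return {envelope sender: counters} from qmail-send log lines."""
    sender_of = {}   # msg number -> sender, valid until 'end msg' (numbers are reused)
    rcpts = {}       # msg number -> set of recipients seen for the current message
    msg_of = {}      # delivery number -> msg number, valid until the delivery finishes
    stats = defaultdict(lambda: {"messages": 0, "success": 0, "failure": 0,
                                 "deferral": 0, "max_rcpts": 0})
    for line in lines:
        m = INFO.search(line)
        if m:
            msg, sender = m.group(1), m.group(2) or "<>"   # "<>" is the null (bounce) sender
            sender_of[msg] = sender
            rcpts[msg] = set()
            stats[sender]["messages"] += 1
            continue
        m = START.search(line)
        if m:
            delivery, msg, rcpt = m.groups()
            msg_of[delivery] = msg
            rcpts.setdefault(msg, set()).add(rcpt.lower())
            sender = sender_of.get(msg)
            if sender is not None:
                s = stats[sender]
                s["max_rcpts"] = max(s["max_rcpts"], len(rcpts[msg]))
            continue
        m = DONE.search(line)
        if m:
            delivery, status = m.groups()
            sender = sender_of.get(msg_of.pop(delivery, None))
            if sender is not None:      # skip deliveries that began before this log window
                stats[sender][status] += 1
            continue
        m = END.search(line)
        if m:
            sender_of.pop(m.group(1), None)
            rcpts.pop(m.group(1), None)
    return stats


def rank_failures(stats, daily_threshold=100):
    """Total the failures and rank senders by their share of them."""
    total = sum(s["failure"] for s in stats.values())
    ranked = sorted(
        ((sender, s["failure"], round(s["failure"] / total, 2))
         for sender, s in stats.items() if s["failure"]),
        key=lambda row: (-row[1], row[0]),
    )
    return {"total_failures": total, "alert": total > daily_threshold, "ranked": ranked}


if __name__ == "__main__":
    report = rank_failures(summarize(SAMPLE_LOG.splitlines()), daily_threshold=2)
    print(report)
```

A sender with a high failure share and a large max_rcpts matches the pattern described above: messages going out to many addresses at a time, most of them invalid.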

Re: [qmailtoaster] wasn't able to deliver

2013-11-08 Thread Dan McAllister
MXLogic is McAfee's anti-spam product (like Symantec, they just 
purchased another company to enable this service for their company).


MXLogic has either labeled that particular message as SPAM, or has 
blacklisted your server IP address.
MXLogic is a ROYAL PAIN because they intentionally don't reveal what 
makes them see your message as SPAM, and they don't have any easy way of 
being de-listed either.
I have shared my experiences with several clients and told recipients 
that they will have to be the ones to get us de-listed by MXLogic, as 
they won't listen to us.
I even told one vendor that if he wanted my business, he'd either have 
to drop MXLogic or intervene on my behalf, but I wasn't going to do 
business with him if I couldn't send him emails he wound up dropping 
MXLogic.


Just my thoughts and history on the matter.

Dan McAllister
IT4SOHO
QMT DNS/Mirror Admin


On 11/8/2013 12:16 PM, Brent Gardner wrote:

On 11/08/2013 09:36 AM, Jim Shupert wrote:

No has responded.
~  and I can appreciate that this is a goofy one -- but if there is 
any wisdom / opinions out there

I would give them greedy audience.
Any thoughts would welcomed.
Has anyone else ran into this sort of thing?  what do you think?

thanks in advance.

best regards

jS



On 11/4/2013 4:25 PM, Jim Shupert wrote:

Friends,
I wonder if anyone can shed light on a non delivery that appears 
like the below snippet.


also I am told that it goes through if my client sends from another 
email account/server.
( she has a diff account through the phn company fuse.net -- 
smtp.fuse.net)



 header snip
Hi. This is the qmail-send program at myserver.pps-inc.com.
I'm afraid I wasn't able to deliver your message to the following 
addresses.

This is a permanent error; I've given up. Sorry it didn't work out.

m...@meetneighbor.com:
User and password not set, continuing without authentication.
m...@meetneighbor.com  208.65.145.2 failed after I sent the
message.
Remote host said: 554 Denied
[5d4f7725.0.3787295.00-1881.5574125.p01c12m016.mxlogic.net] (Mode: 
normal)


--- Below this line is a copy of the message.

Return-Path:m...@theppsgroup.com
Received: (qmail 30807 invoked by uid 89); 4 Nov 2013 19:26:11 -
Received: from unknown (HELO debp) (m...@theppsgroup.com@192.168.200.1)
   by myserver.pps-inc.com with ESMTPA; 4 Nov 2013 19:26:10 -
From: am...@theppsgroup.com
To: bm...@meetneighbor.com
References:e283b674-061a-47e2-a067-3322951fd...@meetneighbor.com 
In-Reply-To:

Subject: FW: checking in.
Date: Mon, 4 Nov 2013 14:26:13 -0500
Message-ID:019701ced993$b9f2a570$2dd7f050$@theppsgroup.com
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary==_NextPart_000_0198_01CED969.D11F0E70
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQJp8vS7zRQmpv47cobjJgLY96hVUpjfOq3wgAAGxqA=
Content-Language: en-us
/ header snip

I think the important part is this
m...@meetneighbor.com:
User and password not set, continuing without authentication.
m...@meetneighbor.com  208.65.145.2 failed after I sent the
message.
Remote host said: 554 Denied
[5d4f7725.0.3787295.00-1881.5574125.p01c12m016.mxlogic.net] (Mode: 
normal)


  ~~~i think this is
message-id-num.mxlogic.net


This may be a case where They [ meetneighbor.com ]
are using McAfee's mail scan service (mxlogic.net)
and that service isn't handing it back to the mail server

User and password not set, continuing without authentication.
m...@meetneighbor.com  208.65.145.2 failed after I sent the
message.

any and all things  McAfee  are garbage.


i think i know that the dom for meetNEIGHBOR.com
   is  205.186.144.85

and the assoc mail server of  208.65.145.2   is
NetRange:   208.65.144.0 - 208.65.151.255
CIDR:   208.65.144.0/21
OriginAS:
NetName:MXL1
=

1-- so I wish to know why I cannot deliver to this address.
2-- if I can do anything about it?

Thanks!

jS




Jim-

Looks like the message was rejected by the mxlogic system.  The 
mxlogic system didn't provide enough information to know why. You'll 
probably need to contact someone at meetneighbor.com to see if they 
can give you more information.



regards,

Brent Gardner





Re: [qmailtoaster] Bounce back even I am not sent mail

2013-11-12 Thread Dan McAllister
Sebastian is mostly right - what you're getting is backscatter -- see 
http://en.wikipedia.org/wiki/Backscatter_(email)


But there IS something you can do about it -- especially with 
*mail.ru*: and that is to properly configure your SPF and/or 
DomainKeys (the _former_ is far easier).
If you have a properly configured SPF entry for your domain (it goes in 
your DNS server, not necessarily your mail server), *mail.ru* (which 
is actually one of the world's largest ESPs (E-mail service providers)) 
will *reject* the message long _before_ it gets to SPAM detection.


How do I know this? Because I subscribe to *DMARC* -- a method where the 
major ESPs send me a daily report of messages received and passed, as 
well as messages rejected from my domains. (see 
http://en.wikipedia.org/wiki/DMARC) I see reports from time to 
time from mail.ru showing rejected messages, but I never see the 
backscatter!


I hope this helps...

Dan
IT4SOHO

PS: I'm writing an article for the Wiki about DMARC -- I'll provide a 
link to the list when I'm done.


On 11/12/2013 7:45 AM, Sebastian Grewe wrote:
Some Spammer uses your mail as the FROM address for Spam. Not sure if 
you can do anything against that but I doubt it.


Cheers,
Sebastian

On Nov 12, 2013, at 11:05 AM, Linux li...@ikf.co.in wrote:



Team,
I am not sending the mails on mail.ru, but I 
received the daily failure notice as the following, please guide 
someone how this happening and how to stop it.
From: mailer-dae...@email.mydomain.com

Sent: Tuesday, November 12, 2013 2:58 PM
To: u...@mydomain.com
Subject: failure notice
Hi. This is the qmail-send program at email.cqra.com.
I'm afraid I wasn't able to deliver your message to the following 
addresses.

This is a permanent error; I've given up. Sorry it didn't work out.
crew...@mail.ru:
User and password not set, continuing without authentication.
crew...@mail.ru 94.100.176.20 failed after 
I sent the message.
Remote host said: 550 spam message rejected. Please 
visit http://help.mail.ru/notspam-support/id?c=THgN9kw_8BCFD-q-SgAmAldgUqSIBUhpSiD
XWzSOyHRVDNJwsXVattOecD39RrDxaDQi3_anVQ8JbVsAALX30yc~ or  report 
details to ab...@corp.mail.ru. Error code:

F60D784C10F03F4CBEEA0F850226004AA4526057694805885BD7204A74C88E3470D20C55B65A
75B13D709ED3F1B046FDDF2234680F55A7F6. ID: 00095B6D27D3F7B5.
--- Below this line is a copy of the message.
Return-Path: u...@mydomain.com mailto:vishwa...@durocrete.com
Received: (qmail 20154 invoked by uid 89); 12 Nov 2013 09:01:27 -
Received: by simscan 1.4.0 ppid: 20137, pid: 20147, t: 0.4466s
 scanners: attach: 1.4.0 clamav: 0.97.3/m:55/d:18031
Received: from unknown (HELOmail.promhzoj.com 
http://mail.promhzoj.com/)
(u...@mydomain.com@188.187.138.103 
mailto:vishwa...@durocrete.com@188.187.138.103)
  byemail.cqra.com http://email.cqra.com/with ESMTPA; 12 Nov 2013 
09:01:27 -

Received: from [464.19.514.13] (port=76243 helo=[89.835.936.577])
bysmtp82.i.mail.ru http://smtp82.i.mail.ru/with esmtps 
(envelope-from

u...@mydomain.com mailto:vishwa...@durocrete.com)
id 1Gucxu-0002zc-aV
forcrew...@mail.ru mailto:crew...@mail.ru; Tue, 12 Nov 2013 
12:01:20 +0300

Message-ID: DSxBTlNKQYRwUSFDahOmOEwoynUXIESyiCbZXPzRpcvFswigaz@mbnruokx
Date: Tue, 12 Nov 2013 12:01:20 +0300
Reply-To: =?utf-8?B?0JDRhNCz0L7QvSDQpdCw0LvQuNC90LrQvtCy0YHQutCw?=
  =?utf-8?B?0Y8=?= u...@mydomain.com 
mailto:vishwa...@durocrete.com

From: =?utf-8?B?0JDRhNCz0L7QvSDQpdCw0LvQuNC90LrQvtCy0YHQutCw?=
  =?utf-8?B?0Y8=?= u...@mydomain.com mailto:u...@mydomain.com
To: crew571 crew...@mail.ru mailto:crew...@mail.ru
Subject: =?utf-8?B?0Jgg0LPQvtC70L7RgSDQstC10YnQtdCz0L4g0JHQsNGP?=
  =?utf-8?B?0L3QsCw=?=
MIME-Version: 1.0
Content-Type: text/plain;
  charset=utf-8;
Content-Transfer-Encoding: quoted-printable
Re: [qmailtoaster] wasn't able to deliver

2013-11-12 Thread Dan McAllister

Jim, et. al.:

Just some comments on my own set of best practices as an ESP (E-mail 
Service Provider), and my own experiences with the likes of MXLogic:


First, I keep a set of email addresses on free mail services 
(it4s...@yahoo.com, for example). I primarily use them to test in/out 
mail flow when clients complain, but in this kind of case, I have used 
them to contact otherwise blocked recipients to enlist their assistance 
in removing the block. (The difference with the likes of MXLogic is that 
you need to use this alternate address as a way to contact the person 
who is missing the email (the recipient)... You will ask THAT person 
(the one NOT receiving messages from your server) for their help in 
getting messages to them... but they can't actually help you themselves! 
To help, that person then needs to contact *their* IT department so 
that they (now the *4th* person) can contact MXLogic to help you get 
de-listed.)


Believe me, I know the pain that this is -- and there are other vendors 
who are just as much a pain in the a$$! But it is especially difficult 
because you're dependent upon so many others to do what you need them to 
do just to get someone at MXLogic to look at you!


My own tale:

   I actually _subscribed_ to one vendor's anti-spam product for one of
   my domains for a 30-day trial SOLELY so their tech support team
   would even TALK to me about getting a new mail server de-listed! 
   I'd spent more than TWO WEEKS trying to get off of their filters

   (another case of an anti-SPAM company purchased by an AV company and
   subsequently trashed by same). Once I subscribed (for the trial,
   mind you -- I never paid them a dime!) I was off their damnable list
   -- same day!

   The REASON I was on the list to begin with was that some decade or
   so ago, the IP address I was assigned was in a dynamic range... when
   my ISP purchased that IP range, they didn't know about its past, and
   I was the first mailserver to be implemented (I was, after all,
   address 6 in the range). When I contacted my ISP about this, and
   THEY tried to contact the vendor -- they too were rebuffed.

   Only when *I* became a paying client were they willing to give
   ANYONE the time of day about why they were blocking the IP address
   range... as a paying client, I got reasons and resolution in a
   matter of hours!

   I very nearly lost the account over the length of time it took to
   get that one last block removed -- and I may yet still lose it
   because the client lost some significant confidence in me over it...
   but that's another story (the moral of which is, I'll never again
   accept mail hosting without DNS hosting as part of the package!).

Another suggestion is to use multiple types of monitoring... if you're 
hosting hundreds (or even thousands) of users, you need to watch out for 
bad actors. I previously posted a short script that makes use of free 
tools to scan the QMT log files and count the number of failed message 
attempts per day.  When it exceeds an artificial threshold, I get 
notified and I can presumably do something about it -- like determine if 
one user is the majority of those failures, and if so, shut them down 
BEFORE they get us blacklisted! Another option is to subscribe to tools 
like those available at mxtoolbox.com. They're not free, but they scan 
and test things for you and only bother you if there are changes.


I hope this is useful... to SOMEONE!

Dan
IT4SOHO




On 11/11/2013 1:34 PM, Jim Shupert wrote:

I do appreciate your thoughts and history.
I have since my 1st post done some google searching -while results are 
thin...

the bottomline is :
MXLogic is a lump of crap ... but then it is from MacAfee  [ how DO 
they stay in business?)




[qmailtoaster] IMAP Connection Limit

2013-11-13 Thread Dan McAllister

Greeting Family/Team:

Question from a client that I haven't been able to answer:
 - Is there a limit to the number of simultaneous IMAP connections on a 
QMT solution?

 - If so, where is it controlled?

Thanks

Dan McAllister





Re: [qmailtoaster] Re: Blocked.

2013-11-22 Thread Dan McAllister
Not to re-invent the wheel here, but this falls into the same kind of 
thing I've been rolling out to all of my mailservers:
 - Port 25 is used to receive inbound mail ONLY. There is *no auth* 
capability on port 25 (currently enforced by /*spamdyke*/), and there 
is no relaying on port 25 (unless via /smtproutes/).
 - Users who send via port 25 can ONLY be successful (by accident) if 
they're sending to a locally hosted domain... and if that accidentally 
works, it should be because SPF somehow allowed it to work.
 - Port 587 is used by all users to send mail. Period. They MUST 
authenticate, and the use of SSL is permitted (although, you could 
choose to require it if you so desire).
 - Port 465 is used exactly like port 587 except that SSL is definitely 
required. Users are told to use 587, but some few have clients that 
choose 465 automatically.


BTW: I also REQUIRE my hosted domains to use an -all at the end of 
their SPF designation (clearly, that means I also REQUIRE SPF)... and I 
enforce SPF with a 3 in spfbehavior (and in SpamAssassin).


Among other things, this allows me to monitor/scan log files for inbound 
and outbound mail separately. While my users still get plenty of SPAM, 
these steps help alleviate the faked SPAM. If more people used SPF 
with a -all (correctly), then far LESS SPAM would be out there... but 
if more people were smarter about these things, I wouldn't be making the 
money I am helping them fix them! :-)


I'll write a Wiki article (the 2nd I'm trying to work through) to 
explain this in detail.


Dan McAllister
QMT DNS/Mirror Admin

PS: Had fun the other day when a client got a QMAIL reject when sending 
a message to one of their clients... they assumed the reject came from 
our server, but it turns out at least some of GoDaddy's mail servers are 
QMAIL, as it was a QMAIL server at secureserver.net that issued the 
REJECT :-)


Made my client feel good about my email service, knowing I was using the 
same systems as GoDaddy! :-)




On 11/21/2013 9:11 PM, Angus McIntyre wrote:

Eric Shubert wrote:

I honestly don't understand fail2ban in any detail. I wonder though, if
perhaps it's set up such that if someone's authentication fails, then it
changes iptables such that nobody can attempt to authenticate any more
(like blocking port 587 for any address). That'd be pretty bad. :(

If you get a certain number of failed authentications from a particular IP
(usually 3 or 4), it will use iptables to ban that IP from connecting to
the port in question. So 'nobody' means 'nobody at that IP', not 'nobody
in the world'.

Incidentally, when I got tired of grinders trying to guess passwords on my
toaster, I banned a bunch of Chinese class C's (banning a surprisingly
small number took care of most of the attempts I was seeing) and added a
fail2ban filter that does an insta-kill (1 attempt is enough to invoke the
rule) on anything that tries to authenticate with a username that doesn't
include a domain name. That's been pretty effective.

Angus





Re: [qmailtoaster] Re: Blocked.

2013-11-22 Thread Dan McAllister

Eric,

The default setting for SpamAssassin is to enforce SPF as directed 
(which means: soft-fail for ~ matches, hard fail for - matches, and 
ignore for ? matches).


The operative part for me (since both qmail-smtpd AND SpamAssassin are 
apparently checking SPF) is the part where I ensure that my hosted mail 
domains are using a *-all* at the end of their SPF declarations. I'm not 
really worried that we're checking SPF


The problem, in my experience, is that people set up SPF with a ~all at 
the end to test and then never go back and change it to a -all -- 
thus, they're forever just testing and thus telling mail servers 
essentially that they should be ignoring SPF after all (or, using it 
solely as part of your SPAM ranking).


I mentioned a Wiki article -- the other one I'm working on is the use of 
DMARC -- which is a facility whereby you can get reports from larger 
ISPs about how mail from your domains is being processed. You can 
choose to get aggregate reports (that is, summaries of all connections), 
or just error reports.


I have DMARC records on the qmailtoaster.com domain... and I routinely 
get error responses like the one here:


   This is a spf/dkim authentication-failure report for an email message 
received from IP 113.190.1.230 on Fri, 22 Nov 2013 12:52:47 +0800.
   Below is some detail information about this message:
 1. SPF-authenticated Identifiers: none;
 2. DKIM-authenticated Identifiers: none;
 3. DMARC Mechanism Check Result: Identifier non-aligned, DMARC mechanism 
check failures;

   For more information please check Aggregate Reports or mail to ab...@yeah.net.

The email also includes full headers for the rejected message(s) -- 
which in this case is someone trying to send out SPAM as 
*qmailtoaster-list@qmailtoaster.com* DIRECTLY from the above IP address. 
(The only legitimate source of messages from 
qmailtoaster-list@qmailtoaster.com is our mailserver @ 80.254.129.244.)


While this doesn't help me to block messages from 113.190.1.230, it DOES 
help me to know that my SPF settings are working... and if I get one of 
these messages from a legitimate source (like the proverbial 
my-marketing-company, who sends out email SPAM on my behalf [well, I 
don't think it's SPAM, only 99% of the recipients think it's SPAM!]), then 
I know I need to adjust my SPF settings to allow those messages.


No one ever said e-mail was easy -- it's only the USERS who think it's 
easy! :-)


Dan McAllister
IT4SOHO
QMT DNS/Mirror Admin


On 11/22/2013 11:49 AM, Eric Shubert wrote:

We're planning to move the stock QMT in the direction as Dan describes.

On 11/22/2013 09:01 AM, Dan McAllister wrote:

and I enforce SPF with a 3 in spfbehavior (and in SpamAssassin).


I wonder about this though. Since you're enforcing SPF, what's left 
for SpamAssassin to do regarding SPF? Some rule that will score ~all 
configs?


Just wondering.




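Added example (not part of the original posts, and not QMT, qmail or SpamAssassin code): a small offline SPF evaluator showing why the terminal qualifier discussed in the two messages above matters. The record strings and domain names are constructed; only the two IP addresses come from the post, and mechanisms that need DNS are reported rather than resolved.

```python
"""Offline SPF check limited to the ip4, ip6 and all mechanisms."""
import ipaddress

# RFC 7208 qualifiers and the result produced when their mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, value) terms."""
    fields = record.split()
    if not fields or fields[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    terms = []
    for field in fields[1:]:
        if "=" in field:
            continue  # modifier such as redirect= or exp=, not a mechanism
        qualifier = "+"  # the default when no qualifier is written
        if field[0] in QUALIFIERS:
            qualifier, field = field[0], field[1:]
        name, _, value = field.partition(":")
        terms.append((qualifier, name.lower(), value))
    return terms


def evaluate(record, client_ip):
    """Return the SPF result for client_ip, left to right, first match wins.

    A mechanism that would need a DNS lookup (a, mx, include, exists, ptr)
    ends the evaluation with 'needs-dns' instead of a guessed answer.
    """
    ip = ipaddress.ip_address(client_ip)
    for qualifier, name, value in parse_spf(record):
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            network = ipaddress.ip_network(value, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
        else:
            return "needs-dns"
    return "neutral"  # nothing matched and the record has no "all"


def terminal_policy(record):
    """Describe how the record treats senders that match nothing else."""
    labels = {
        "-": "enforcing (-all)",
        "~": "testing only (~all): receivers may merely score it",
        "?": "neutral (?all): receivers ignore it",
        "+": "open (+all): authorizes every sender",
    }
    for qualifier, name, _ in parse_spf(record):
        if name == "all":
            return labels[qualifier]
    return "no all mechanism: unmatched senders get neutral"


# Constructed records for three hypothetical hosted domains. They differ
# only in the qualifier on "all".
RECORDS = {
    "enforcing.example": "v=spf1 ip4:80.254.129.244 -all",
    "testing.example": "v=spf1 ip4:80.254.129.244 ~all",
    "neutral.example": "v=spf1 ip4:80.254.129.244 ?all",
}


def audit(records, legit_ip, forged_ip):
    """Return (domain, policy, result for legit_ip, result for forged_ip)."""
    rows = []
    for domain, record in sorted(records.items()):
        rows.append((domain, terminal_policy(record),
                     evaluate(record, legit_ip),
                     evaluate(record, forged_ip)))
    return rows


if __name__ == "__main__":
    # The mail server address and the reported source address from the post.
    for row in audit(RECORDS, "80.254.129.244", "113.190.1.230"):
        print("%-18s %-52s legit=%-5s forged=%s" % row)
```

Only the `-all` record yields a hard `fail` for the unauthorized source; with `~all` or `?all` the same connection gets `softfail` or `neutral`, which a receiver is free to accept.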



Re: [qmailtoaster] Re: Common Email signature with all mails

2013-11-25 Thread Dan McAllister

On 11/25/2013 1:11 PM, Eric Shubert wrote:
The problem has to do with electronic signatures. Any sort of signing 
that's done needs to happen after the footer is added. Having the 
server add a footer would break gpg that's implemented by the client.


There might be a suitable way to add a footer on the server for 
submitted (authenticated) messages that are otherwise unsigned, before 
adding a DKIM signature. We can certainly look into this at some 
point, but it's not a priority in my view. Of course, anyone can make 
it their own priority and write some code to do it. This is after all 
a community project.


P.S. I'd beg to differ that all enterprises implement this at the 
server, although many of them do. Many of them also run Exchange, 
which I do not recommend in most cases. ;)


P.P.S. There is also some disagreement as to the effectiveness of 
these disclaimers. Personally, I think they're rather silly (although 
IANAL). I wonder if there's ever been a case in court where a 
disclaimer had any effect.



To Eric's point:

I have a number of financial advisors and insurance agencies that seem 
to think that these signatures are a requirement (e.g.: requests to 
bind insurance cannot be made via email, etc.) However, recent legal 
opinions in several states have held that these signatures cannot be 
legally binding -- in part because they're being delivered via e-mail, 
which makes them every bit as unenforceable as the type of email 
they're warning against.


Nevertheless, the *professional organizations* still suggest that 
these disclaimers be present.


Kind of reminds me of the warning on the back of the *peanut butter* jar 
that reads: *WARNING: This product is manufactured in a plant that may 
use peanuts.*

Really?

Dan




[qmailtoaster] Re: Outlook 2013 IMAP folder rename problem - Outlook 2013 is just plain BROKEN

2013-12-02 Thread Dan McAllister
Sorry I'm so late on this one -- I took a 4-day weekend for the 
Thanksgiving holiday! :-)


I have bad news RE: _*Outlook 2013*_ and IMAP -- it's _*broken*_, and MS 
hasn't given any real signs (yet) that they're keen on fixing it.


I'm sure by now you've Google'd IMAP and Outlook 2013 -- and you have 
probably found what I did: Hundreds (thousands?) of /irate/ users who 
have found that Outlook 2013 completely re-wrote the IMAP part of the 
application, and REALLY /*REALLY*/ messed it up. Among many other 
changes, IMAP local PST files are now stored as OST files (the right 
thing to do, IMHO -- just a bad implementation, not a bad idea). Also, 
the ability to self-map the reserved folder functions (sent items, 
trash, drafts, etc) is gone. Outlook 2013 will determine for you which 
folder is the best one, and use that one... whether it is the right one 
or not, and it cannot be overridden (at least that I could find). Most 
of the problems I noted in my searches seem to stem from either these 
automated folder mappings, or synch issues. To be honest, I'm not at all 
sure why MS hasn't put the Outlook Development Team back on this issue 
-- my guess is that a week of intensive debugging and they'd find at 
least the major cause of these issues... but apparently, they have other 
priorities.


I have only a handful of clients on Outlook 2013 (fortunately, most on 
Office 365). The ones who use Outlook.com and Exchange based email are 
quite happy with it. But those who use QMT, GMail, or other IMAP based 
mail services, are FURIOUS. NOTE: If you call MS support (you paid for 
it with the Office365 subscription), and DEMAND it, they will authorize 
you to download and use Outlook 2010 as part of your Office365 
subscription. ALSO OF NOTE: I did have one client who was so irate that 
they declined the charge for the Office365 -- told their credit card 
company the software was misrepresented and charged the entire purchase 
back to MS... and they (MS) didn't contest it... speaks volumes, if you 
ask me. This particular client simply re-installed Office 2010 
Enterprise throughout, and while they WANT to be using Word, Excel, etc 
under 2013, they're mollified by the fact that Outlook actually works 
with their mail server.


_*FWIW: In your case:*_
 - If the folder was renamed in Outlook 2013, it may or may not have 
actually changed the name on the server. Use a webmail interface to check?
 - If the folder was renamed in any other client (or from the webmail 
interface), Outlook 2013 may or may not detect the change. What I have 
done successfully in the past is to _delete the OST_ file for the 
account, restart Outlook 2013, and let it completely re-synch the 
account (e.g.: re-build the OST file from scratch). A ROYAL pain, I know 
-- but it's the only method I've found yet that actually makes Outlook 
2013 get it right (at least until something else changes on the server 
that the Outlook client doesn't recognize).


I hope this helps.

Dan McAllister
IT4SOHO



On 11/28/2013 9:48 AM, Eric Shubert wrote:

On 11/28/2013 02:17 AM, Tommi Järvilehto wrote:

Have you guys seen Outlook 2013 working correctly when renaming imap
folders?

While testing I have seen it working just a couple of times. Most of the
times it just doesn't do anything.
Same problem is with both qmt courier-imap and dovecot-imap servers.
Thunderbird folder rename is working correctly with these servers.

I have also tested it with another ISP that has some version of
dovecot/postfix server and it's working correctly.



I have not seen O'13.
Have you googled the problem? I expect it's strictly imap related. 
There's likely a fix of some sort for that, perhaps a workaround 
setting or a more recent version.


Can you post your dovecot configuration?
Verify version of dovecot with the other ISP that's working?







Re: [qmailtoaster] Re: Load-balancing in SMTP route

2013-12-02 Thread Dan McAllister

Load balancing on outbound traffic is most commonly done with iptables.

See: http://blog.khax.net/2009/12/01/multi-gateway-balancing-with-iptables/
for some help...

Dan McAllister
IT4SOHO

On 11/29/2013 6:11 AM, Pak Ogah wrote:


On 10/29/2013 2:24 AM, Eric Shubert wrote:

I think Amit's talking about outbound emails here. MX records only
apply to inbound emails (from external domains).

There's no mechanism built-in that I know of which can do this.

It shouldn't be too difficult to write a script that does it though.
The script would run periodically via cron. It would simply try to
telnet to the smarthost, and if the connection fails, have it modify
your smtproutes file appropriately, and restart qmail.



have you tried HAProxy script ?
HAProxy is a load-balancing transparent proxy and it's said it can be used with
any protocol

example:

this is the config of smtproutes w/ HAProxy
gotoserverA.com:via.haproxybox.net

and on haproxybox, you list multiple smtp ip address

you can see it on
http://blog.secaserver.com/2012/02/high-availability-mysql-cluster-galera-haproxy/ 


see on haproxy section, on this blog haproxy is load-balancing mysql
connection

ps: I haven't tested it, it's just my idea









Re: [qmailtoaster] Re: Outlook 2013 IMAP folder rename problem - Outlook 2013 is just plain BROKEN

2013-12-02 Thread Dan McAllister
OUCH! That has tons of implications in all kinds of arenas -- not just 
SPAM detection and control! I'm thinking compliance and record keeping 
issues here!


I'll have to look into that some more, and warn my clients in the legal 
and medical fields!


Thanks for the input!

Dan
IT4SOHO

On 12/2/2013 11:54 AM, Eric Broch wrote:

Dan and list members,

Outlook 2013 also removes header information when copying/moving from 
the INBOX to another IMAP folder. This is not good if you're training 
a spam filter. It screwed up our DSPAM database and we had to start 
over rebuilding the database from scratch.


Eric


[qmailtoaster] SQL Server Change for QMT

2013-12-04 Thread Dan McAllister

Greetings all:

I have 2 QMT servers that need to share a SQL (user) database. I have 
tried synching them, but when the synch gets lost all hell breaks loose 
and it makes me look bad. What I'd really like to do is to allow 
(through IPTables) for the main mail server (where all inbound mail is 
delivered) to share the MySQL ports with the outbound mail server 
(accepts mail only on submission and smtps ports -- not port 25 -- and 
delivers it as necessary -- including, potentially back to the primary 
mail server -- for which there are special routing rules in smtproutes).


So, in order to do what I think I want to do, I need the smtpauth 
(qmail-auth, vpopmail auth, or whatever) to connect to an external MySQL 
database server.


How would I go about doing this?

Thanks,

Dan McAllister




Re: [qmailtoaster] SQL Server Change for QMT

2013-12-04 Thread Dan McAllister

OK, I found my own answer:
Since all I'm working with is the qmail-toaster smtp daemon, and it 
uses vpopmail for auth, I found the database connection specified in

   /home/vpopmail/etc/vpopmail.mysql

I changed the first 2 entries, so it reads instead:

   server_address|3306|vpopmail|SsEeCcRrEeTt|vpopmail

Then, I went over to the actual MySQL server and did 2 things: first, I 
enabled the MySQL ports in through the iptables firewall, then I 
permitted the remote server to query the database (but ONLY query it!)

   mysql -u root -ppassword
   grant select on vpopmail.* to 'vpopmail'@'remote_address' identified by 'SsEeCcRrEeTt';


NOTE: If you haven't previously, you should change the vpopmail default 
password AWAY from SsEeCcRrEeTt :)


That should do it!

Dan


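Added example (not from the original post, and not vpopmail or QMT code): a Python check of the two things the message above sets up, the `vpopmail.mysql` connection line and a SELECT-only grant for the remote server. The five-field layout is inferred from the line shown in the post; the addresses, the changed password and the `SHOW GRANTS` text are constructed samples, and treating lines that start with `#` as comments is an assumption.

```python
"""Audit a vpopmail.mysql line against the grants of the account it uses."""
import re

DEFAULT_PASSWORD = "SsEeCcRrEeTt"  # the stock password named in the post
FIELDS = ("host", "port", "user", "password", "database")

# Matches lines in the style printed by MySQL's SHOW GRANTS.
GRANT_RE = re.compile(
    r"GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+"
    r"'(?P<user>[^']*)'@'(?P<host>[^']*)'", re.IGNORECASE)


def parse_vpopmail_mysql(text):
    """Return one dict per connection line (host|port|user|password|db)."""
    connections = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # assumption: blank lines and '#' lines carry no data
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError("expected 5 '|'-separated fields: %r" % line)
        conf = dict(zip(FIELDS, parts))
        conf["port"] = int(conf["port"])
        connections.append(conf)
    if not connections:
        raise ValueError("no connection line found")
    return connections


def parse_grants(show_grants_output):
    """Turn SHOW GRANTS text into dicts with user, host, scope and privs."""
    grants = []
    for line in show_grants_output.splitlines():
        match = GRANT_RE.search(line)
        if not match:
            continue
        # Column-level grants such as "SELECT (col)" are not handled here.
        privs = {p.strip().upper() for p in match.group("privs").split(",")}
        grants.append({
            "user": match.group("user"),
            "host": match.group("host"),
            "scope": match.group("scope").replace("`", ""),
            "privs": privs,
        })
    return grants


def audit(conf, grants, client_host):
    """List deviations from 'SELECT only, one database, one client host'."""
    findings = []
    if conf["password"] == DEFAULT_PASSWORD:
        findings.append("default vpopmail password still in use")
    # A grant covers the client if it names that host or the '%' wildcard.
    mine = [g for g in grants
            if g["user"] == conf["user"] and g["host"] in (client_host, "%")]
    if not mine:
        findings.append("no grant found for '%s'@'%s'"
                        % (conf["user"], client_host))
    if any(g["host"] == "%" for g in mine):
        findings.append("account is usable from any host ('%')")
    for g in mine:
        extra = sorted(g["privs"] - {"SELECT", "USAGE"})
        if extra:
            findings.append("more than SELECT on %s: %s"
                            % (g["scope"], ", ".join(extra)))
        elif "SELECT" in g["privs"] and g["scope"] != conf["database"] + ".*":
            findings.append("SELECT on %s is wider than %s.*"
                            % (g["scope"], conf["database"]))
    return findings


# Constructed samples: 192.0.2.10 stands for the MySQL server and
# 192.0.2.20 for the outbound server that authenticates against it.
SAMPLE_CONF = "# constructed sample\n192.0.2.10|3306|vpopmail|SsEeCcRrEeTt|vpopmail\n"
CHANGED_CONF = "192.0.2.10|3306|vpopmail|constructed-not-default|vpopmail\n"
READ_ONLY_GRANTS = (
    "GRANT USAGE ON *.* TO 'vpopmail'@'192.0.2.20' IDENTIFIED BY PASSWORD '<hash>'\n"
    "GRANT SELECT ON `vpopmail`.* TO 'vpopmail'@'192.0.2.20'\n")
BROAD_GRANTS = (
    "GRANT USAGE ON *.* TO 'vpopmail'@'%' IDENTIFIED BY PASSWORD '<hash>'\n"
    "GRANT ALL PRIVILEGES ON `vpopmail`.* TO 'vpopmail'@'%'\n")

if __name__ == "__main__":
    conf = parse_vpopmail_mysql(SAMPLE_CONF)[0]
    for label, text in (("read-only", READ_ONLY_GRANTS), ("broad", BROAD_GRANTS)):
        print(label, audit(conf, parse_grants(text), "192.0.2.20"))
```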



Re: [qmailtoaster] Re: yum repos - beta testing, list server migration

2013-12-19 Thread Dan McAllister

Eric:

I suggest that we create a GROUP install for QMT -- that way a single 
yum command can take care of things, ala:

   yum groupinstall qmt-base
   yum groupinstall qmt-dovecot
   yum groupinstall qmt-antispam
   etc...

Dan McAllister

BTW: All of the other qmt-x groups would necessarily be dependent upon 
the qmt-base




On 12/19/2013 3:15 PM, System Admin wrote:

Update of my test  install, Centos 6.5 bare metal, not VM
*What worked for me:*
Clean install, minimal
yum update
yum install yum-priorities
rpm -ivh http://mirrors.qmailtoaster.com/testing/nodist/qmailtoaster-release-2.0-1.qt.nodist.noarch.rpm

vi /etc/yum.repos.d/qmailtoaster-centos.repo
** edit the two repo files in  testing **
*enable =1*
yum install autorespond
yum install libsrs2 libsrs2-devel libvpopmail-devel
rpm -ivh http://apt.sw.be/redhat/el6/en/x86_64/rpmforge/RPMS/libev-4.15-1.el6.rf.x86_64.rpm

groupadd vchkpw
useradd vpopmail
yum install qmail qmailadmin
yum install clamav control-panel
yum install mailadmin isoqlog libdomainkeys maildrop qmailmrtgb vqadmin ripmime squirrelmail


*What Failed:*
*dovecot*,
How I fixed dovecot:
yum install perl-JSON
ftp://ftp.pbone.net/mirror/ftp5.gwdg.de/pub/opensuse/repositories/home:/csbuild:/Perl/CentOS_CentOS-6/noarch/perl-common-sense-3.0-2.3.noarch.rpm
rpm -Uvh ftp://ftp.muug.mb.ca/mirror/fedora/epel/6/x86_64/perl-JSON-XS-2.27-2.el6.x86_64.rpm

yum install dovecot dovecot-devel dovecot-mysql

*Simscan and spamassassin both same errors*: ( not fixed )
Finished Dependency Resolution
Error: Package: spamassassin-3.3.2-0.qt.el6.x86_64 (qmailtoaster-testing)
   Requires: perl(Razor2::Client::Agent)
Error: Package: spamassassin-3.3.2-0.qt.el6.x86_64 (qmailtoaster-testing)
   Requires: perl(Mail::DomainKeys)
Error: Package: spamassassin-3.3.2-0.qt.el6.x86_64 (qmailtoaster-testing)
   Requires: perl(Mail::SPF::Query)
Error: Package: spamassassin-3.3.2-0.qt.el6.x86_64 (qmailtoaster-testing)
   Requires: perl(Net::Ident)
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest

*send-emails* ( not fixed )
Finished Dependency Resolution
Error: Package: send-emails-0.5-0.qt.el6.x86_64 (qmailtoaster-testing)
   Requires: control-panel-toaster = 0.5-0.qt.el6
Tried yum install control-panel-toaste, *no package*

*At least we are getting there : )*
*Also noted mysql-server not installed*

yum install mysql-server
/etc/init.d/mysqld start
/usr/bin/mysql_secure_installation
( set password for root )
mysqladmin create vpopmail -u root -p
login to mysql
mysql -u root -p
GRANT ALL PRIVILEGES ON vpopmail.* TO vpopmail@localhost IDENTIFIED BY 'SsEeCcRrEeTt';

flush privileges;
quit

*NTP* ( time servers )
yum install ntp
 /etc/init.d/ntpd start
ntpdate -p 8 -u 0.us.pool.ntp.org


So far that's where I am at : )
Dave M






Re: [qmailtoaster] Re: yum repos - beta testing, list server migration

2013-12-20 Thread Dan McAllister

On 12/19/2013 7:45 PM, Eric Shubert wrote:
Of course you're welcome to do an iso if you'd like. I'm not thrilled 
with the idea of an iso for QMT though.


First, there would be a large download involved that I'd like to avoid 
from our mirrors. (I trimmed 35M from clamav because I thought it was 
excessive.) Secondly, the contents of the iso become outdated rather 
quickly as distros evolve. Bottom line, it seems wasteful to me for us 
to distribute software which can easily be acquired elsewhere.


I'd like to focus our efforts more on how to best simplify QMT 
creation, while minimizing downloading. Perhaps a network-install type 
of iso with a kickstart file would be appropriate though. So I guess 
I'm not against isos entirely, only bloated ones. ;)


Plus, keep in mind that one size doesn't fit all. There will be 
several spins (to borrow Fedora terminology) that represent the 
various roles involved with a mail server. I don't imagine that isos 
will be very well suited to distributing multiple spins.


I think that Chef has great promise in this area. Sebastian has done 
some work already with Chef, and I hope we can leverage his work to 
come up with something very simple (and very slick I expect).


Sebastian?

Thanks.



As opposed to an ISO -- and since we're focussing on CentOS lately, 
might I suggest a KVM image of a base install?
Then, admins could just add the add-ons we're splitting out and go 
from there...
Obviously, it would have to be updated once or twice a year... and new 
installs would have to run an update routine of some kind...


Just a thought... as more and more of us move to KVM installs of basic 
server functions...


Dan





Re: [qmailtoaster] Re: How to update PHP higher version without affect qmailtoaster

2013-12-23 Thread Dan McAllister

OK, I see 2 topics here that I want to comment upon:

_*PHP 5.3 and COS5*_
  PHP 5.3 on COS5 is not that hard -- but the packages are named 
*php53*, not /php5/ (but you probably already knew that)
 -- NOTE: I did the update/upgrade AFTER installing QMT, and when 
packages had to be uninstalled for replacement and YUM complained, I 
just did an *rpm -e --nodeps* followed by the appropriate yum install. 
Other than the web scripts, everything went well... NOT having a no-deps 
option to YUM is its biggest flaw, IMHO -- but then again, it IS there 
with rpm, so I guess I'm just being picky (and un-UNIX -- one tool to do 
everything runs counter to the UNIX philosophy of each tool doing only 1 
thing, and doing it well). The noted break in QMT is (obviously) only 
in the web interfaces (vpopmail & squirrelmail in base QMT) -- and are 
easily fixed by patching the php.ini to allow open tags. That is the 
ONLY real issue that I am aware of in QMT and PHP53.


I know this because one of my mail servers (actually, my primary mail 
server) is still running COS5 and PHP53 (I'm planning to upgrade to COS6 
on Thursday (Boxing Day), as it is expected to be an otherwise slow day. 
:) -- That server (actually, THIS server, as it is the one this mail 
will come from) is COS 5.7 & PHP 5.3.3 and has been for a VERY LONG time 
now.


_*Virtualization*_
While poo-poohed by many, I actually like the QEMU/KVM method of 
managing VMs (I know Eric likes Proxmox VE)... but my experience with VMs 
has been excellent with Linux guests -- my only recommendation is to run 
the newer SW as the VM manager (so COS6 as VM host, then COS 5 or COS6 
-- or any other Linux -- as guest).


Where I have had performance issues was when I tried running Windoze on 
KVM -- and it turned out it was the storage and network controllers that 
were hanging me up. RHEL has a virtio driver for Windows that GREATLY 
improves the storage I/O efficiency, and switching the NIC card 
emulation to E1000 (I prefer it over the virtio) solved all of those 
issues. I now successfully routinely deploy a Windows 2012 server (for 
AD, local DNS, and DHCP only) and a Linux file server (for everything 
else) on a COS6 VM Manager (running COS6 with QEMU/KVM).


If I have any issues with QEMU/KVM it would be that the tools to BUILD a 
new VM don't offer all of the options that really exist (for example, to 
make the disk image qcow2 vs. a raw image, I have to first create it as 
a raw image, then convert it and manually change the drive type in the 
manager.)... this isn't a HUGE issue, since I keep a starter kit of 
qcow disk images on hand to kick start installs :)


Just my thoughts and experiences

Dan
QMT DNS/Mirror Admin

PS: You might note that Eric and I often disagree on tech issues -- 
personally, I think this makes our project stronger, as we challenge 
each other. I know that MY installations and procedures have been 
improved because I take the time to argue the point with Eric -- which 
makes me look at my decisions anew frequently, and re-evaluate my 
opinions often. I suspect that he has altered an opinion or two based on 
my input over the years... but that is pure speculation on my part :)







On 12/22/2013 1:27 PM, Eric Shubert wrote:

Hey Kahn,

First, I would try to avoid running anything other than the hypervisor 
on bare iron. Run everything virtualized underneath it.


Generally speaking, KVM performs better with newer kernels. Older 
kernels use 10-20% of a cpu when idle. With newer kernels, KVMs use 
0.5% cpu when idle.


I'm not sure exactly what the change is that provides this 
improvement. It appears to have happened around 3.4 in the main kernel 
versions, but it also appears that RedHat (and thus COS) has 
backported this change to their 2.6.32 version. BL, COS6 runs well as 
a KVM, but COS5 does not. I expect that both hypervisor and guests 
need to be running the improved version of the kernel to realize this 
improvement.


My virtualization platform of choice is ProxmoxVE. It provides a nice 
web interface for management, and has been very reliable for me. I've 
used versions 2.1-3.1. While PVE is debian based and uses .deb 
packages, it uses a RedHat kernel, which give it the performance gains 
mentioned.


The PVE kernel also provides OpenVZ container support, as does the web 
interface. While COS5 guests don't run so well as KVMs, they run quite 
nicely as OpenVZ containers. I won't go into the differences here, but 
running just about anything linux based as an OpenVZ container should 
work ok.


I should emphasize that the point is not that running COS5 as a KVM 
*won't* work (it will), it's just that there's some overhead involved 
that's been eliminated in more recent kernels. In fact, I've run COS5 
as KVMs in production just fine for a period of time, on as little as 
a dual-core 1.6GHz machine. It's fine so long as the horsepower's 
available to run it (which it quite commonly is, as I've found most 
servers to be 

Re: [qmailtoaster] Re: How to update PHP higher version without affect qmailtoaster

2013-12-23 Thread Dan McAllister

On 12/23/2013 11:59 AM, Eric Shubert wrote:

On 12/23/2013 08:17 AM, Dan McAllister wrote:

PS: You might note that Eric and I often disagree on tech issues --
personally, I think this makes our project stronger, as we challenge
each other. I know that MY installations and procedures have been
improved because I take the time to argue the point with Eric -- which
makes me look at my decisions anew frequently, and re-evaluate my
opinions often. I suspect that he has altered an opinion or two based on
my input over the years... but that is pure speculation on my part :)


Quite true, Dan. I agree.

In fact Dan and I probably agree much more often than not. There are 
many things we agree upon which simply go unsaid.


Thanks for your PHP comments, Dan. I suspected that this was the case, 
but had no personal experience with that so I didn't want to speculate.


Regarding virtualization, we're much closer than it might appear. PVE 
is simply a (very nice) web interface which sits atop Qemu/KVM/Openvz. 
While a good many things are covered by the web interface (you can 
create COW2 (default), Raw, or VMDK disks initially), some things must 
still be done manually (such as giving a VM direct access to a disk, 
which I do for user data). Also, PVE provides storage pools and 
clustering of sorts, which is kinda nice even though I don't typically 
use these features. I feel that PVE has allowed me to utilize Qemu/KVM 
with less of a training curve, and it continues to help my 
productivity, so I continue to use it. Bottom Line is that we're both 
using essentially the same technology for virtualization. We're simply 
using different tools for managing things.




I didn't mean to imply that we disagree ALL THE TIME -- that would 
likely make our work on QMT unbearable for one (or both) of us... But 
there are some areas where we do disagree -- and as I mentioned, /_*I 
LIKE IT*_/ when we do, because it usually means I should go back and 
look at my assumptions and/or previous decisions. (An example might be 
Eric's preference for 32-bit software <grin>)...


I'm a busy guy -- the point of which is, I don't spend a lot of time 
re-inventing or re-evaluating how I do things. When something comes up 
and I mention how I do it, and Eric bounces back with a different way, 
it makes me think again about why I'm doing it that way. Sometimes, I 
still like my way (like using 64-bit COS6 clients for my appliances), 
while other times I have made changes... sometimes to what Eric 
suggested, other times to a 3rd way -- after all, I like to say I don't 
drink the Kool-Aid, and that includes Eric's Kool-Aid as well as 
anyone else's!


For example: a vendor of mine for cloud-based backups just made a 
terrible blunder -- they called to convince me to upgrade to the next 
level of their service. Rather than just re-up, I looked at our backup 
solutions all over again... and chose a new vendor altogether! LOL - 
lesson to vendors: don't stir the pot!


One final FWIW - I'm working on a SHELL script (vs. the previous Perl) 
that will offer the opportunity to organize & search log files. I may 
have to re-write when Eric redoes the logging mechanism, but I need the 
functionality too much not to do it now. I'll publish once it's done.


Dan McAllister
QMT DNS/Mirror Admin




Re: [qmailtoaster] Suddenly shows the error message

2013-12-30 Thread Dan McAllister
The fix for PHP (and thus, vqadmin) is to enable short open tags 
(not just tags) in php.ini.
  -- background: used to be, you could open a PHP statement with <? 
-- but that syntax was hijacked by other languages, like XML -- so now 
you have to use <?php instead.


The problem for many people is that they think of this as a MAIL problem 
(more specifically, a QMail problem), when in fact, it is a WEB problem!


Thus, people often update php.ini, then restart QMail (qmailctl 
restart)... and complain that it didn't fix anything. (Does it help your 
/motorcycle/ when you get the *car* tuned up?)
INSTEAD, update your file (*/etc/php.ini* on CentOS 6) and insert (at 
the location of your choice) the line:


   short_open_tag = On

And then restart APACHE! (service httpd restart).

_*NOTE:*_ Plenty of QMail users run on hosted systems -- and in many 
cases, this prevents them from accessing /etc/php.ini... in those cases, 
you'll need to enable short open tags in an htaccess for each folder you 
need them run in.


_*FINALLY:*_ I am of the understanding that the vqadmin AND squirrelmail 
issues are both also solved by using more up-to-date versions... which 
we're getting to!
 - I'm not POSITIVE about vqadmin, but I do know for sure that 
squirrelmail fixes PHP compatibility in version 1.4.22 (the current version


Enjoy!

Dan McAllister

PS: Happy New Year!

On 12/30/2013 1:15 AM, Nicholas Chua wrote:

I didn't have time to track down the issue, all I can say is php53 broke
my installation. I also didn't like the fact that VQadmin never worked
correctly.

My Postfix installation works perfectly for my needs and so do the
administrative tools, and web based applications created for it. YUM
works without issue and hasn't broken anything yet when updating. That's
what I need.

I really like QMail and didn't want to change, but it was the prudent
thing to do.

snip

Agree that postfix is reliable. I am also running some EDM servers and
all I need is a fast light-weight MTA. So my choice is postfix with
dovecot. No antivirus and antispam. Just SPF and DKIM. Once any campaign
is done, I will just shut it down to prevent any security breach, if
there is any. With the knowledge of installing QMTs, postfix is much
easier.

With a 2mbps dedicated bandwidth, I can send 250k emails each about 10k
to my registered users within 4 hours.

But I still wouldn't want to implement postfix as an enterprise email solution.
  


regards
nic 



Re: [qmailtoaster] Pdns error: 127.0.0.1: Address already used

2014-01-03 Thread Dan McAllister


As you can see below (see bolded & font-increased lines in your output 
below), you _ARE_ running some kind of DNS service... and, as Marco 
points out, since the process is named /*dnscache*/ it is _highly 
likely_ that you have installed the DNS Caching Server from *DJBDNS*.


If all you want/need is to run a caching nameserver, it is perfectly 
fine to just keep *DJB* installed -- it is every bit as quick as 
*powerdns* (IMHO - I have no metrics to prove this).


If you insist on removing it in favor of powerdns, there isn't likely to 
have been a YUM RPM that you used to install it (at least none that I'm 
aware of - it is usually installed manually), but it is small -- VERY 
small -- so just turning it off in your startup scripts should suffice.


   cd /etc/init.d
   grep -l dnscache *
   look at result -- one of these scripts is starting the dnscache
   process
   either remove the script or try something like: chkconfig filename off
   Unfortunately, since DJBDNS is usually built and installed locally,
   the exact methods to turn it off can only be guessed at from here...

I hope this helps...

Dan McAllister
IT4SOHO

On 1/3/2014 1:20 AM, Marco Volkert wrote:

Any chance that djbdns is installed?
http://wiki.qmailtoaster.com/index.php/CentOS_5_QmailToaster_Install#DNS_Notes 
(section /Install djbdns (if you don't want bind)/)




On 03.01.2014 05:54, Linux wrote:


[root@email ~]# netstat -anp | grep 53
*tcp 0 0 127.0.0.1:53 0.0.0.0:*   LISTEN 2327/dnscache*
tcp 0 0 192.168.0.200:110   182.72.16.53:49867 TIME_WAIT   -
tcp 0 14053 192.168.0.200:993 192.168.0.1:49447   ESTABLISHED 18706/imap-login
tcp 0 200 :::192.168.0.200:22 :::115.111.32.170:53548 ESTABLISHED 18850/1
*udp 0 0 127.0.0.1:53 0.0.0.0:* 2327/dnscache*
udp 0 0 0.0.0.0:5353 0.0.0.0:*   2878/avahi-daemon:
udp 0 0 :::5353  :::* 2878/avahi-daemon:
unix 2 [ ACC ] STREAM LISTENING 6653 2209/acpid  /var/run/acpid.socket
unix 3 [ ] STREAM CONNECTED 516753 18707/imap-login
unix 3 [ ] STREAM CONNECTED 507529 17053/imap
unix 3 [ ] STREAM CONNECTED 499453 2790/anvil  /var/run/dovecot/anvil
unix 3 [ ] STREAM CONNECTED 6539 2123/dbus-daemon /var/run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 6538   2132/hcid







Re: [qmailtoaster] Q about the smtp banner

2014-01-09 Thread Dan McAllister
The QMT SMTP Banner is actually called the SMTP Greeting, and you can 
set it in your controls folder. NOTE: The config file is normally NOT 
PRESENT, so you'll have to create it:


   Filename: /var/qmail/control/smtpgreeting
   Contents example: mail.myserver.com - Welcome to MyMail Ver. 1.09
   SMTP Server

Make the domain name in the smtp greeting match the me value (also in 
your control) as well as your RDNS value... and you should be good 
to go.


Dan McAllister

On 1/9/2014 1:39 AM, L. A. wrote:

Hi.
1. Are the addresses from this test real?
I tried to check some of them and all failed, even on Google DNS.
2. It is usually better when the records in MX and reverse and the 
records used in banners and sending are equal.
Also be careful, there are different settings for the smtp banner and 
for the domain that the smtp server tells other mail servers when it 
sends a message.

So it's in the me and smtpgreeting files of the qmail installation.
3. Are the asterisks in the greeting that the toolbox shows real?
Usually this shows that you are using a Cisco PIX or ASA; disable smtp 
inspection on it, sometimes it just must be off to debug problems.

09.01.2014, 00:45, Jim Shupert jshup...@pps-inc.com:

I check a mail server with http://mxtoolbox.com/

I got the following 2  warnings

1.
 SMTP Reverse DNS Mismatch Warning - Reverse DNS does not match 
SMTP Banner

Is there a means of changing the SMTP Banner  to avoid.
I *could change the machine name  from   goober to mailhost
but I am reluctant to change my domain ( as it is known on the machine )
from  pp-inc.com   to ppgroup.com

my *hope is I can simply change a text file somewhere that is 'the 
banner'


2.
and what about this

SMTP TLS Warning - Does not support TLS.
is it possible/suggested to have qmailtoaster use TLS
are 'yall  doing that?

I am reading http://www.fehcom.de/qmail/smtptls.html


much thanks

jS


 full results from tests


Connecting to 168.88.88.222

220 
 
[892 ms]

EHLO MXTB-PWS3.mxtoolbox.com
502 unimplemented (#5.5.1) [643 ms]
MAIL FROM: supert...@mxtoolbox.com
250 ok [952 ms]
RCPT TO: t...@example.com
553 sorry, that domain isn't in my list of allowed rcpthosts (#5.5.3 - chkuser) [1752 ms]
QUIT
221 goober.pp-inc.com - Welcome to Qmail Toaster Ver. 1.3 SMTP Server [645 ms]


MXTB-PWS3v2 24896ms

--

 Test Result
SMTP Reverse DNS Mismatch Warning - Reverse DNS does not match SMTP Banner
SMTP TLS Warning - Does not support TLS.
SMTP Transaction Time 23.840 seconds - Not good! on Transaction Time
SMTP Reverse Banner Check OK - 168.88.88.222 resolves to mailhost.theppgroup.com
SMTP Connection Time 0.942 seconds - Good on Connection time
SMTP Open Relay OK - Not an open relay.






Re: [qmailtoaster] ezmlm warning

2014-01-13 Thread Dan McAllister
I received the same ezmlm warning this morning... I'll look into it with 
Eric.


Thanks for bringing it to our attention.

Dan McAllister
QMT Mirror/DNS Admin

On 1/13/2014 8:09 AM, Mike Tirpak wrote:
It seems that spamcop is stopping 162.213.42.64 and some messages from 
qmailtoaster.com are getting bounced.  Does anyone else have this 
problem or is it just me?


Thanks,
Mike




Re: [qmailtoaster] qtp.qmailtoaster.com name resolution

2014-01-15 Thread Dan McAllister
Thanks for bringing this to my attention - I am working on it with the 
provider.


I'll post to the list, as well as to Wicus directly once we have it 
resolved.


Dan McAllister
QMT DNS/Mirror Admin


On 1/15/2014 10:26 AM, Wicus Roets wrote:


*Hi,*

Is anyone else battling to resolve *qtp.qmailtoaster.com* ?

*www.qmailtoaster.com* does resolve though.

Alternatively, can anyone please advise on an IP ?

Thanks







Re: [qmailtoaster] squirrelmail time stamp issue

2014-01-23 Thread Dan McAllister

On 1/23/2014 12:21 AM, Helmut Fritz wrote:


OK, I could not find anything in the list archive and only one 
mentioned that is not exactly the same as my issue.  I have a few 
users using squirrelmail, and checked this myself.  The time stamp 
listed on incoming messages is 7 hours and 20 to 23 minutes BEHIND 
current time.


The server time and date checks out.

I am running these plugins currently:

1. delete_move_next

2. squirrelspell

3. newmail

4. autocomplete

5. compatibility

This is a VMWare VM running on ESXi if it matters.  I am not yet sure 
when this started, I have asked the user that noticed it.  This 
affects only the received time in the webmail client.  All headers 
report correct data.


Thx!

Have you checked the date/time stamps on both the ESXi server AND the 
squirrelmail host? Assuming this is the same host as the SMTP host? (If 
not, check that host as well)

If all goes well, check the date/time on the client system.

(You weren't clear on which date stamp was off, so I'm covering all 
bases here).


If it was an exact set of hours off, I'd suspect a timezone issue -- but 
20 to 23 minutes should not be attributed to a TZ setting.


Dan McAllister
IT4SOHO




Re: [qmailtoaster] of PTR smtpgreeting and spf

2014-01-31 Thread Dan McAllister

  
  
Your SMTP Greeting should NOT be an IP address. The issue is slightly
mislabeled. The PTR record (which is under the control of your ISP, NOT
your local DNS service) is apparently BLANK -- which it cannot be. The
PTR record would ideally match your SMTP header, but to get it changed,
you MUST contact your ISP.

Also, assuming your MX server (inbound mail) and outbound mail source
are the same host (they usually are for smaller companies), then your
SPF record is fine... HOWEVER, to remain compatible with older DNS and
mail systems, you should have a DUPLICATE TXT record... That is:

   theppsgroup.com. IN SPF "v=spf1 a mx -all"
   theppsgroup.com. IN TXT "v=spf1 a mx -all"

  I hope this helps.
  
  Dan McAllister
  QMT DNS/Mirror Admin
  
  On 1/31/2014 5:45 PM, Cecil Yother, Jr. wrote:


  
  
  On 01/31/2014 02:38 PM, Jim Shupert
wrote:
  
  

Friends,
I wish to solve 2 matters
  
  Who is your ISP?
  1-- 
DNS does not match SMTP
Banner 
2--
a spf record
  
  Try one of these https://www.google.com/#q=spf+record+generatorsafe=off
  If you check out a couple of them, you'll begin to see how
  they work. There is also a page with a legend telling you
  what all of the entries mean.
   
---matter 1
I am now doing DNS for a domain at my isp ( twtelecom ) that
I am doing a mailserver

domain = theppsgroup.com

mailserver - mailhost.theppsgroup.com
168.215.62.222

the above machine is named sifter.pps-inc.com
but I have edited the 
/var/qmail/control/smtpgreeting to read

mailhost.theppsgroup.com - Welcome Blah Blah

When I run http://mxtoolbox.com/
  
Domain Name:= theppsgroup.com

I get 7 warnings
1 is
Warning - Reverse DNS does not match SMTP Banner 

my PTR reads
ptr= 222.62.215.168.in-addr-arpa. 86400 IN PTR

should my smtpgreeting to
read

168.215.62.222 - Welcome Blah Blah
?

why do I still get this warning?
  



   

matter 2
indeed I have no spf 
and I would like to add a SPF  maybe a TXT

i am thinking my SPF would read
theppsgroup.com. IN SPF "v=spf1 a mx -all"

do you agree?

I am referencing the wisdom of
http://wiki.qmailtoaster.com/index.php/SPF

Thanks much

once I get that Ironed out
reckon I will try TLS

jshupert



  
  
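An added example (not code from any poster or from the QMT project) of the consistency check discussed in the two banner threads above: the host announced in the SMTP greeting is compared with the control/me value and with the PTR names for the server's address. The function names and finding labels are hypothetical, all host names and the address are constructed, and the three inputs are passed in as strings (greeting as seen on the wire, contents of /var/qmail/control/me, PTR answers) so the check runs offline.

```python
import ipaddress
import re


def norm(name):
    """Lower-case a host name and drop the trailing dot of an absolute DNS name."""
    return name.strip().rstrip(".").lower()


def banner_host(greeting_line):
    """Host announced in a '220 ...' greeting, or None if it is empty or masked."""
    m = re.match(r"^220[ -](\S+)", greeting_line.strip())
    if not m:
        return None
    token = norm(m.group(1))
    # A greeting replaced by asterisks (the case raised in the thread for
    # devices doing SMTP inspection) carries no usable host name.
    if not token or set(token) <= {"*"}:
        return None
    return token


def is_ip_literal(name):
    """True if the greeting announces an address instead of a host name."""
    try:
        ipaddress.ip_address(name.strip("[]"))
        return True
    except ValueError:
        return False


def check_identity(greeting_line, me, ptr_names):
    """Return a list of finding labels; an empty list means all three agree."""
    findings = []
    host = banner_host(greeting_line)
    ptrs = {norm(p) for p in ptr_names if p and p.strip()}

    if host is None:
        findings.append("greeting-unreadable")
    elif is_ip_literal(host):
        findings.append("greeting-is-ip")
    if not ptrs:
        findings.append("ptr-missing")        # blank PTR: only the ISP can fix it
    if host and not is_ip_literal(host):
        if ptrs and host not in ptrs:
            findings.append("greeting-ptr-mismatch")
        if norm(me) != host:
            findings.append("greeting-me-mismatch")
    return findings


if __name__ == "__main__":
    # Constructed inputs shaped like the cases in the thread.
    cases = [
        ("220 goober.example.test - Welcome to Qmail Toaster SMTP Server",
         "goober.example.test", ["mailhost.example.test"]),
        ("220 192.0.2.25 - Welcome", "mail.example.test", []),
        ("220 ********", "mail.example.test", ["mail.example.test"]),
    ]
    for greeting, me, ptrs in cases:
        print(greeting, "->", check_identity(greeting, me, ptrs) or "consistent")
```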


  



Re: [qmailtoaster] Re: Spamming via valid vpopmail account

2014-02-16 Thread Dan McAllister

Wicus' issues are not uncommon:

An attacker gains a password (through guesswork or other means) of a 
user on your system, then proceeds to spam the hell out of the world 
from your system.


Alternatively, some user gets a malware infection on their system that 
uses their mail program (usually Outlook) to spam the hell out of the 
world from your system.


So how can you head it off?

I am in the finishing stages of writing a script that, if I am not 
mistaken, will be obsoleted rather quickly.
This script is designed to look through the send log file and 
essentially build a message log for each message:

 - who it's from
 - who it's addressed to
 - results of each send
 - when it is done (final act of removing it from the queue)

The sticky wicket in this is that qmail uses the inode number of the 
message body in the queue as the tracking ID, thus the same numbers 
appear over and over. This is what breaks all other attempts to do this 
that I have encountered, and this is the biggest stumbling block that I 
can see so far.


I hope to have this completed in the coming week or 2.

How this applies is that I already have a script that attempts (albeit 
with many instances missed currently) to count the number of failed 
messages from any single user in any given day. When that number reaches 
50, I automatically change the password on the user account (thus, 
stopping their authentication) until I can investigate further.


So that will help with DETECTION -- what about deterrence?

Well, for one -- and I've talked about this before -- you can stop 
allowing users to AUTHENTICATE on port 25. Port 25 SHOULD be used SOLELY 
for inbound messages to your hosted (or relayed) domains. Thus, when you 
ran your telnet attempt and used a destination of a gmail address, your 
server should have (and did) refused the message.


The problem is that we enable authentication on port 25 because we seem 
to think we should be running the same code for submission (port 587) 
and smtp-ssl (port 465). IMHO, THOSE ports should be the OPPOSITE of 
port 25:
 - Port 25 should allow anonymous connections (non authenticated)... 
ports 587 and 465 should not
 - Port 25 should NOT accept messages for non-local domains... ports 
587 and 465 must
 - Port 25 must not require SSL or AUTH; ports 587 and 465 SHOULD (or, 
as I prefer -- allow it on 587, require it on 465).


This STOPS spammers from connecting on your port 25 interface and 
sending all kinds of messages through an authenticated work around. Of 
course, it doesn't stop the same hacker from just switching to ports 587 
or 465... but I haven't seen them use those ports YET.


Just my thoughts

Dan McAllister
IT4SOHO


Dan McAllister

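An added example (not Dan's script, which does not appear on the page) of the correlation described in the message above: it rebuilds one record per message from qmail-send log lines, treats every `new msg` as a fresh message even when the queue number has been used before, and counts failed deliveries per envelope sender per day. It assumes the log has been run through `tai64nlocal` and uses the standard qmail-send line formats; the sample lines, addresses and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: queue number 4194 is used by two different messages.
SAMPLE_LOG = """\
2014-02-16 12:33:01.100000500 new msg 4194
2014-02-16 12:33:01.100100500 info msg 4194: bytes 1820 from <alice@example.test> qp 2101 uid 89
2014-02-16 12:33:01.120000500 starting delivery 71: msg 4194 to remote bob@example.net
2014-02-16 12:33:02.300000500 delivery 71: success: 192.0.2.10_accepted_message./
2014-02-16 12:33:02.300100500 end msg 4194
2014-02-16 12:40:10.000000500 new msg 4194
2014-02-16 12:40:10.000100500 info msg 4194: bytes 900 from <mallory@example.test> qp 2150 uid 89
2014-02-16 12:40:10.010000500 starting delivery 72: msg 4194 to remote a@example.org
2014-02-16 12:40:10.020000500 starting delivery 73: msg 4194 to remote b@example.org
2014-02-16 12:40:11.000000500 delivery 72: failure: 192.0.2.20_does_not_like_recipient./
2014-02-16 12:40:11.500000500 delivery 73: failure: 192.0.2.20_does_not_like_recipient./
2014-02-16 12:40:11.500100500 bounce msg 4194 qp 2160
2014-02-16 12:40:11.500200500 end msg 4194
"""

STAMP = re.compile(r"^(\d{4}-\d{2}-\d{2}) \S+ (.*)$")
NEW = re.compile(r"^new msg (\d+)$")
INFO = re.compile(r"^info msg (\d+): bytes \d+ from <([^>]*)> qp \d+ uid \d+$")
START = re.compile(r"^starting delivery (\d+): msg (\d+) to (?:local|remote) (\S+)$")
DONE = re.compile(r"^delivery (\d+): (success|failure|deferral): (.*)$")
END = re.compile(r"^end msg (\d+)$")


def correlate(lines):
    """Return one record per message, in the order the messages entered the queue."""
    messages = []     # every message instance seen, including unfinished ones
    open_by_id = {}   # queue number -> record that currently owns that number
    in_flight = {}    # delivery number -> delivery dict waiting for its result

    def open_message(qid):
        rec = {"queue_id": qid, "sender": None, "deliveries": [], "done": False}
        messages.append(rec)
        open_by_id[qid] = rec   # replaces any stale owner of a reused number
        return rec

    for raw in lines:
        stamped = STAMP.match(raw.rstrip("\n"))
        if not stamped:
            continue
        day, text = stamped.groups()
        if (m := NEW.match(text)):
            open_message(m.group(1))
        elif (m := INFO.match(text)):
            # The log may have been rotated between 'new msg' and 'info msg'.
            rec = open_by_id.get(m.group(1)) or open_message(m.group(1))
            rec["sender"] = m.group(2) or "<>"   # empty sender is a bounce
        elif (m := START.match(text)):
            did, qid, rcpt = m.groups()
            rec = open_by_id.get(qid) or open_message(qid)
            delivery = {"to": rcpt, "result": None, "day": None}
            rec["deliveries"].append(delivery)
            in_flight[did] = delivery
        elif (m := DONE.match(text)):
            delivery = in_flight.pop(m.group(1), None)
            if delivery is not None:
                delivery["result"], delivery["day"] = m.group(2), day
        elif (m := END.match(text)):
            rec = open_by_id.pop(m.group(1), None)
            if rec is not None:
                rec["done"] = True
    return messages


def failures_by_sender(messages):
    """Count permanent delivery failures per (day, envelope sender)."""
    counts = Counter()
    for rec in messages:
        if rec["sender"] in (None, "<>"):
            continue   # unknown sender or a bounce: not attributable to a user
        for d in rec["deliveries"]:
            if d["result"] == "failure":
                counts[(d["day"], rec["sender"])] += 1
    return counts


def over_threshold(messages, threshold=50):
    """Senders whose failures on one day reach the threshold."""
    return sorted((day, sender, n)
                  for (day, sender), n in failures_by_sender(messages).items()
                  if n >= threshold)


if __name__ == "__main__":
    msgs = correlate(SAMPLE_LOG.splitlines())
    print(over_threshold(msgs, threshold=2))
```

The default threshold of 50 is the figure given in the message. The sender counted here is the envelope sender logged by qmail-send, which is not necessarily the account that authenticated.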



Re: [qmailtoaster] Re: Spamming via valid vpopmail account

2014-02-16 Thread Dan McAllister

Wicus -

On port 25 CURRENTLY:
 - If the connection is for a LOCAL address (that is: the RECIPIENT 
address is one that is local to the server), the message is accepted -- 
regardless of whether you are authenticated or not
 - If the connection is for a REMOTE address (that is: the RECIPIENT 
address is one that is NOT local to the server), the message is 
accepted ONLY IF the user is authenticated.


Again, the CORRECT use of port 25 is SOLELY for the receipt of inbound 
messages for the local server. Users (who authenticate) should be using 
ports 587 or 465 -- which, after they authenticate, will allow them to 
relay to other servers.


Now here's a kicker -- if you authenticate to the QMail SMTP server 
(with ANY credentials that work!) you can send as any user to any user. 
Once you're AUTHENTICATED, you're free to send from anyone TO anyone. 
This is because the AUTH mechanism is separate from the SMTP mechanism 
-- and to my knowledge, there is no way to fix this in QMail (maybe with 
spamdyke? I don't know).


Now, if your server accepts UNAUTHENTICATED clients, and forwards to 
domains that are NOT LOCAL to you, then you are what is referred to as 
an OPEN RELAY -- you've made a mistake that will get you blacklisted 
within 24-48 hours, for sure! :)


I hope this answers your question Wicus...

Dan
IT4SOHO

On 2/16/2014 3:07 PM, Wicus Roets wrote:

Eric,

This is where I'm confused. If qmail accepts mail for relay based on
authentication of a valid account/pw pair, how could I have sent mail via
telnet on port 25 by only supplying a valid account (without a password)?

-Original Message-
From: Eric Shubert [mailto:e...@shubes.net]
Sent: 16 February 2014 09:56 PM
To: qmailtoaster-list@qmailtoaster.com
Subject: [qmailtoaster] Re: Spamming via valid vpopmail account

On 02/16/2014 11:32 AM, Wicus Roets wrote:

That explains it quite nicely.

One more question though ;)

Quoting from http://gmane.org/post.php; -  People who do not have
valid email addresses in their From or Reply-To headers can't use
Gmane to post to mailing lists.

That's (primarily) because gmane doesn't have accounts with passwords.
It uses the From/Reply-To to verify that an address exists, when the first
message from an account is sent to the list. This is akin to adding an
account.


From my earlier mail, qmail accepts mail based only on the rcpt to:
of the header. As an interim, would inclusion of verification on the mail
from: be easier/quicker ?

I'm not sure what you mean by this. qmail accepts mail (for relay) based on
authentication (valid account/pw pair).

I don't think that verifying the mail from is always practical, but I know
that SamC is considering adding some such capability to spamdyke. I think we
should wait and see what he comes up with for that. QMT doesn't presently
use spamdyke on port 587, but it soon will. spamdyke v5.0 was just released,
and once it's deemed stable (by me), QMT will use it to handle
authentication (on port 587).

--
-Eric 'shubes'





Re: [qmailtoaster] Re: Spamming via valid vpopmail account

2014-02-16 Thread Dan McAllister
I have every intention of sharing both the message tracking system AND 
the failure detection scripts once I've completed (to a certain degree) 
debugging them.


Dan
IT4SOHO

On 2/16/2014 2:04 PM, LHTek wrote:
Could you please share your script for detecting failed messages with 
us? It sounds like a good stop-gap treatment for this insidious issue.






*From:* Dan McAllister q...@it4soho.com
*To:* qmailtoaster-list@qmailtoaster.com
*Sent:* Sunday, February 16, 2014 12:33 PM
*Subject:* Re: [qmailtoaster] Re: Spamming via valid vpopmail account

Wicus' issues are not uncommon:

An attacker gains a password (through guesswork or other means) of a
user on your system, then proceeds to spam the hell out of the world
from your system.

Alternatively, some user gets a malware infection on their system that
uses their mail program (usually Outlook) to spam the hell out of the
world from your system.

So how can you head it off?

I am in the finishing stages of writing a script that, if I am not
mistaken, will be obsoleted rather quickly.
This script is designed to look through the send log file and
essentially build a message log for each message:
  - who it's from
  - who it's addressed to
  - results of each send
  - when it is done (final act of removing it from the queue)

The sticky wicket in this is that qmail uses the inode number of the
message body in the queue as the tracking ID, thus the same numbers
appear over and over. This is what breaks all other attempts to do this
that I have encountered, and this is the biggest stumbling block that I
can see so far.

I hope to have this completed in the coming week or 2.

How this applies is that I already have a script that attempts (albeit
with many instances missed currently) to count the number of failed
messages from any single user in any given day. When that number reaches
50, I automatically change the password on the user account (thus,
stopping their authentication) until I can investigate further.

So that will help with DETECTION -- what about deterrence?

Well, for one -- and I've talked about this before -- you can stop
allowing users to AUTHENTICATE on port 25. Port 25 SHOULD be used SOLELY
for inbound messages to your hosted (or relayed) domains. Thus, when you
ran your telnet attempt and used a destination of a gmail address, your
server should have (and did) refused the message.

The problem is that we enable authentication on port 25 because we seem
to think we should be running the same code for submission (port 587)
and smtp-ssl (port 465). IMHO, THOSE ports should be the OPPOSITE of
port 25:
  - Port 25 should allow anonymous connections (non authenticated)...
ports 587 and 465 should not
  - Port 25 should NOT accept messages for non-local domains... ports
587 and 465 must
  - Port 25 must not require SSL or AUTH; ports 587 and 465 SHOULD (or,
as I prefer -- allow it on 587, require it on 465).

This STOPS spammers from connecting on your port 25 interface and
sending all kinds of messages through an authenticated work around. Of
course, it doesn't stop the same hacker from just switching to ports 587
or 465... but I haven't seen them use those ports YET.

Just my thoughts

Dan McAllister
IT4SOHO


Dan McAllister









Re: [qmailtoaster] re: hack attempts

2014-02-20 Thread Dan McAllister

On 2/20/2014 7:57 AM, Angus McIntyre wrote:

cj yother wrote:

Is anyone else experiencing a rise in attempted account access over the
past 24 hours?

Over the past week or so, I've seen very large numbers of
password-guessing attempts: other hosts trying to authenticate against
SMTP. They seem to try 'admin@', 'info@', 'support@', 'webmaster@' and, in
some cases, 'name-of-domain@name-of-domain'.

...

Angus

I have also seen a dramatic rise in redirected bounce failure messages 
(with SPAM or virus-infected attachments).


These are the messages with the reply to set to one of my client's 
email accounts, but addressed somewhere that successfully blocks it.


Since I host for so many domains, it's not uncommon for me to get a 
handful per day -- but lately, I've been getting 10x to 20x the normal flow.


The good news is that in most cases, it's SPAM blocking that's rejecting 
the message back to me (well, my server -- as the reply-to). so at least 
we're catching the SPAM. And I've now trained my Thunderbird to catch 
most of them as JUNK anyways, so it's less annoying now than back in 
January.


Angus -- would you mind sharing with the group how you implemented the 
fail2ban on your system. It should probably go into the WIKI (if it's not 
already there -- too lazy to check just now).


Along with the idea of not allowing SMTP Auth on port 25, I think we're 
making some significant strides in battening down the stock QMT 
installations.


Dan
IT4SOHO





Re: [qmailtoaster] Clamav reinstall - help please

2014-03-13 Thread Dan McAllister

On 3/13/2014 5:39 PM, Finn Buhelt wrote:

Hi.

I just issued a yum update and got clamav.x86_64-0.98.1-1.el6 from 
Epel repository installed. (I pressed 'y' not thinking).


It is on my Centos 6.5 latest and greatest qmailtoaster test 
installation (which is (was)  running just fine).


So now I'm stuck with no clamd running ( my  clamd/run and log/run 
files are gone and some other changes in locations of files) and I'm 
not able to re-install the proper clamav package from the almost 
current ;-) Centos6.5 release - what is the name of the package ? or 
what can I do to rectify the problem ?


Regards

Finn



Finn

You want to run yum to uninstall the clamav.x86_64-0.98.1-1.el6, then 
download the clamav-0.98.1-0.qt.el6.x86_64.rpm from one of the mirrors 
(e.g.: 
http://mirrors.qmailtoaster.com/testing/CentOS/6/x86_64/clamav-0.98.1-0.qt.el6.x86_64.rpm) 
and install it manually (rpm -i clamav-0.98.1-0.qt.el6.x86_64.rpm).


If there are dependencies, you can re-run RPM with a --nodeps to make it 
re-install (depends on how you installed the QMT into your COS6 
environment).


Dan McAllister





Re: [qmailtoaster] How to block unknown user with our domain name

2014-03-19 Thread Dan McAllister

One of 4 issues:
 1) they hacked your system and are sending it on your own system -- in 
which case, you need to better secure your own system, as there is 
usually no sender-check on local messages.
 2) you have no SPF record on your domain (panasiagroup.net) -- but it 
appears you DO have one, albeit a complex one -- or you are not CHECKING 
SPF (or enforcing SPF) on your local server
 3) vs. having hacked into YOUR server, the sender may have hacked into 
one of your SPF approved senders -- and thus, you allowed the mail to 
come from one of those senders
 4) a system on your own domain has been hacked (virus/worm) and since 
the message was coming from a legit local account, the message was 
allowed -- even with the from address not matching the authentication 
address.


The actual issues can be determined only by looking at the FULL HEADER 
of the message as received, and using the information there with your 
log files to determine the true source of the message.


Best of luck!

Dan McAllister
IT4SOHO

On 3/19/2014 1:10 AM, Chandran Manikandan wrote:

Dear All,
I have received one email from spammers which is not that email box in 
our domain. but they are mentioned their name with our domain name 
from sender address and destination address to me.


FYR below.

*From:* saman...@panasiagroup.net

*Sent:* Wednesday, March 19, 2014 11:23 AM
*To:* shan...@panasiagroup.net
*Subject:* Follow-up: Making Paperwork Work for You


Above mentioned email address i received from 
saman...@panasiagroup.net to shan...@panasiagroup.net.



Here saman...@panasiagroup.net email address is not in our server but 
i received like above.



Could you please any one help me to resolve this issue.



--
*Thanks,*
*Manikandan.C*
*System Administrator*






[qmailtoaster] Curious Problem -- Unauthorized Access, not enough logging info

2014-03-27 Thread Dan McAllister
OK, here's a known security issue, but now that I'm being exploited, I 
don't know how to debug.


It appears (see quoted log file entries below) that someone is logging 
in as a valid user, then sending messages with OTHER mail addresses in 
the FROM section.


In the log entry below, this is just 1 of HUNDREDS of messages that are 
now flooding my mail server. There are no .ru domains on my server, so 
the FROM section is clearly being generated AFTER a successful SMTP login.


What I can't figure is how to determine the ID being used. Surely there 
is a way to increase the logging level of authlib so I can capture EVERY 
login (not just the failed ones)... if there is, I don't know how...


Ideas??

Dan

03-27 00:08:35 new msg 81400826
03-27 00:08:35 info msg 81400826: bytes 9543 from cerenovzosim...@lenta.ru qp 17999 uid 89
03-27 00:08:35 starting delivery 964666: msg 81400826 to remote s...@21dveri.ru
03-27 00:08:35 starting delivery 964667: msg 81400826 to remote i...@sms-yandex.ru
03-27 00:08:35 starting delivery 964668: msg 81400826 to remote kris...@werewolfsurvival.com
03-27 00:08:35 starting delivery 964669: msg 81400826 to remote i...@compulog.ru
03-27 00:08:35 starting delivery 964670: msg 81400826 to remote paramo...@npo-nauka.ru
03-27 00:08:38 delivery 964670: success: User_and_password_not_set,_continuing_without_authentication./paramonov@npo-nauka.ru_193.35.98.6_accepted_message./Remote_host_said:_250_2.0.0_OK_20/C4-28032-57EC3335/
03-27 00:08:40 delivery 964669: success: User_and_password_not_set,_continuing_without_authentication./info@compulog.ru_78.24.218.162_accepted_message./Remote_host_said:_250_OK_id=1WT4QZ-000N2d-7C/
03-27 00:08:41 delivery 964666: success: User_and_password_not_set,_continuing_without_authentication./sale@21dveri.ru_188.40.59.87_accepted_message./Remote_host_said:_250_OK_id=1WT4Sg-00080u-R6/
03-27 00:08:41 delivery 964668: success: User_and_password_not_set,_continuing_without_authentication./kristal@werewolfsurvival.com_69.36.165.41_accepted_message./Remote_host_said:_250_OK_id=1WT4Q2-0007ET-C2/
03-27 00:08:50 delivery 964667: deferral: User_and_password_not_set,_continuing_without_authentication./info@sms-yandex.ru_62.213.111.109_failed_after_I_sent_the_message./Remote_host_said:_451_qq_trouble_in_home_directory_(#4.3.0)/
03-27 00:15:15 starting delivery 965119: msg 81400826 to remote i...@sms-yandex.ru
03-27 00:15:25 delivery 965119: success: User_and_password_not_set,_continuing_without_authentication./info@sms-yandex.ru_62.213.111.109_accepted_message./Remote_host_said:_250_ok_1395904509_qp_10255/
03-27 00:15:25 end msg 81400826


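A triage sketch for the qmail-send log layout quoted in the message above, added here as an example and not part of the original post or of QMT: it lists envelope senders whose domain is not hosted locally but whose messages went to remote recipients. The sample log is constructed, the function names are hypothetical, and the local domain list is assumed to be the contents of rcpthosts.

```python
import re
from collections import defaultdict

# Constructed sample in the qmail-send layout quoted in the post
# (all addresses, message numbers and timestamps are made up).
SAMPLE_LOG = """\
03-27 00:08:35 new msg 1001
03-27 00:08:35 info msg 1001: bytes 9543 from <promo@foreign.example> qp 17999 uid 89
03-27 00:08:35 starting delivery 501: msg 1001 to remote a@dest-one.example
03-27 00:08:35 starting delivery 502: msg 1001 to remote b@dest-two.example
03-27 00:08:38 delivery 501: success: accepted_message./
03-27 00:08:50 delivery 502: deferral: failed_after_I_sent_the_message./
03-27 00:09:01 new msg 1002
03-27 00:09:01 info msg 1002: bytes 2100 from <alice@client-a.example> qp 18010 uid 89
03-27 00:09:01 starting delivery 503: msg 1002 to remote bob@elsewhere.example
03-27 00:09:03 end msg 1002
03-27 00:10:00 new msg 1002
03-27 00:10:00 info msg 1002: bytes 9544 from <promo@foreign.example> qp 18050 uid 89
03-27 00:10:00 starting delivery 504: msg 1002 to remote c@dest-three.example
03-27 00:10:02 end msg 1002
03-27 00:11:00 new msg 1003
03-27 00:11:00 info msg 1003: bytes 800 from <carol@elsewhere.example> qp 18060 uid 89
03-27 00:11:00 starting delivery 505: msg 1003 to local client-a.example-alice@client-a.example
03-27 00:11:00 end msg 1003
03-27 00:12:00 new msg 1004
03-27 00:12:00 info msg 1004: bytes 1200 from <> qp 18070 uid 89
03-27 00:12:00 starting delivery 506: msg 1004 to remote promo@foreign.example
03-27 00:15:15 starting delivery 507: msg 1001 to remote b@dest-two.example
03-27 00:15:25 end msg 1001
"""

# The angle brackets around the sender are optional so that logs with
# the brackets stripped (as in the archived post) parse as well.
INFO_RE = re.compile(
    r"^(?P<ts>.*?)\s*info msg (?P<msg>\d+): bytes (?P<bytes>\d+) "
    r"from <?(?P<sender>[^>\s]*)>? qp (?P<qp>\d+) uid (?P<uid>\d+)")
START_RE = re.compile(
    r"starting delivery \d+: msg (?P<msg>\d+) to (?P<kind>local|remote) (?P<rcpt>\S+)")
END_RE = re.compile(r"end msg (?P<msg>\d+)")


def parse_send_log(lines):
    """Group qmail-send lines into one record per queued message."""
    open_msgs, done = {}, []
    for line in lines:
        m = INFO_RE.match(line)
        if m:
            open_msgs[m["msg"]] = {
                "ts": m["ts"], "sender": m["sender"].lower(),
                "bytes": int(m["bytes"]), "qp": int(m["qp"]),
                "remote": set(), "local": set()}
            continue
        m = START_RE.search(line)
        if m:
            if m["msg"] in open_msgs:
                # A set absorbs the retry of a deferred delivery.
                open_msgs[m["msg"]][m["kind"]].add(m["rcpt"].lower())
            continue
        m = END_RE.search(line)
        if m and m["msg"] in open_msgs:
            # Message numbers are reused, so the record is closed here.
            done.append(open_msgs.pop(m["msg"]))
    done.extend(open_msgs.values())  # still queued when the log ends
    return done


def relayed_with_foreign_sender(messages, local_domains):
    """Messages sent to remote recipients with a non-local envelope sender.

    Mail forwarded off-site by a local user's forward rule matches too,
    so treat the result as a list to review, not a verdict.
    """
    local = {d.lower() for d in local_domains}
    hits = []
    for rec in messages:
        _user, at, domain = rec["sender"].rpartition("@")
        if not at:  # "<>" bounces and senders without a domain
            continue
        if domain not in local and rec["remote"]:
            hits.append(rec)
    return hits


def summarize(hits):
    """Rows of (sender, messages, distinct remote rcpts, first ts, last ts)."""
    by_sender = defaultdict(list)
    for rec in hits:
        by_sender[rec["sender"]].append(rec)
    rows = []
    for sender, recs in by_sender.items():
        rcpts = set().union(*(r["remote"] for r in recs))
        stamps = sorted(r["ts"] for r in recs)
        rows.append((sender, len(recs), len(rcpts), stamps[0], stamps[-1]))
    return sorted(rows, key=lambda row: (-row[2], row[0]))


if __name__ == "__main__":
    msgs = parse_send_log(SAMPLE_LOG.splitlines())
    for row in summarize(relayed_with_foreign_sender(msgs, ["client-a.example"])):
        print("%s  msgs=%d  remote_rcpts=%d  first=%s  last=%s" % row)
```

The first and last timestamps per sender give the window in which to search the submission log for the authenticated login that queued the messages.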



Re: [qmailtoaster] Curious Problem -- Unauthorized Access, not enough logging info

2014-03-27 Thread Dan McAllister
OOPS - almost as soon as I sent this, I realized that authlib is 
authenticating IMAP connections, not SMTP


So, I'm looking in my SMTP logs (submission, actually) and was able to 
find the offending user (dumbass had a password of 123 -- another 
reason for KEEPING the plaintext passwords available, just limited access!)


Dan




Re: [qmailtoaster] Re: Curious Problem -- Unauthorized Access, not enough logging info

2014-03-27 Thread Dan McAllister
LOL - knowing the plaintext password doesn't help you prevent the 
issue... but it did let me know the level of stupidity of the user in 
question! :)


A throttle on qmail-remote (based on user) would be awesome (think: 
godaddy allows email users only 250 messages a day without a reset 
being required).


I also posted a note in the devel list -- I think we should at least TRY 
to plug the security hole wherein an authenticated user can send as anyone.


Dan

On 3/27/2014 8:22 PM, Eric Shubert wrote:

On 03/27/2014 04:59 PM, Dan McAllister wrote:

So, I'm looking in my SMTP logs (submission, actually) and was able to
find the offending user (dumbass had a password of 123 -- another
reason for KEEPING the plaintext passwords available, just limited 
access!)


I fail to see how storing passwords in plain text would've changed 
this situation at all. BottomLine, you found the offending account and 
changed the password. This is the scenario that happens regardless of 
the strength or limited knowledge of a password.


Keep in mind, in the event that a vpopmail database with clear text 
passwords is compromised, then *all* of the passwords are compromised. 
That's a possibility I think most of us would like to prohibit if 
possible.


Was fail2ban in place? That would likely have prohibited even that 
simple password from being hacked. If fail2ban is in place, then I 
would suspect that the password is not kept secure in some other 
manner (post-it note on the terminal, for example).


Anywise, glad you found the culprit. I'm still planning on putting a 
throttle on qmail-remote one of these days. I've got specs written for 
the thing. Just need some time to write the code.








Re: [qmailtoaster] How to restrict mail sending limit to perticular user

2014-04-03 Thread Dan McAllister

Assuming you require SMTP AUTH to send, you could use vmoduser -s
According to documentation, this disables SMTP AUTH -- which, if that is 
the only way to send, would disable sending.


NOTE: in a stock QMT install, this would NOT block sending with the WEB 
interfaces, as they use SMTP directly, but are allowed by tcprules.


Dan McAllister


On 4/3/2014 2:45 AM, Linux wrote:


Hi,

Please refer my subject line and guide me.

Regards,

Vivek Patil

system admin







Re: [qmailtoaster] How to investigate emails that have been silently lost (allegedly).

2014-04-23 Thread Dan McAllister
The first place I would look is the SMTP and SEND log files. (Yes, there 
is a SEND log entry for inbound messages too -- they are just sent 
locally).


If you know who they're supposed to be FROM, the SEND log will tell you 
if it was delivered... if it doesn't appear in the SEND log, check the 
SMTP log -- perhaps the receipt failed for some reason.


Dan

NOTE: I like the qmlog tool (source 
http://wiki.qmailtoaster.com/index.php/Qmlog, or the QMTPlus package).




On 4/23/2014 5:02 AM, Unai Rodriguez wrote:

Dear List,

I have not seen on my INBOX/SPAM/JUNK folders at least 3 emails in the 
last 10 days or so. It is hard to verify for me whether this is true 
so from a system standpoint where do I start to check? I've grepped so 
far:


/var/log/qmail/clamd/*
/var/log/qmail/smtp/*
/var/log/qmail/spamd/*

and I have also checked the logs on the backup MX (that runs Postfix 
-- our main runs QMT).


Nothing seemed to indicate that the emails have been rejected.

Any pointers about what would be the best place to investigate would 
be highly appreciated -- Sorry if this has been covered somewhere 
else, I was not able to find it.


Thank you so much.

With Best Wishes,
Unai Rodriguez








Re: [qmailtoaster] Centos6 VM

2014-04-23 Thread Dan McAllister

Those images might be a bit large for the mirrors.
Wouldn't be a bad idea to get the mirrors in on a torrent feed, but to 
download a 600M file from one mirror would be overtaxing that mirror IMHO.
NOTE: Not all of the mirrors have unlimited bandwidth... source files 
are small enough not to impact anyone that I'm aware of yet...


Dan McAllister
QMT Mirror/DNS Admin


On 4/23/2014 1:39 PM, Richard Whittaker wrote:

On 2014-04-23 11:17, Dave M wrote:

Might be faster so I created a torrent
https://thepiratebay.se/torrent/10026921


Would these images be something we want to push out to the mirrors?..

Regards,
Richard.
--
Alberni Valley IT Services









Re: [qmailtoaster] How to investigate emails that have been silently lost (allegedly).

2014-04-24 Thread Dan McAllister
If you have a backup MX server, check the logs on *that* system. If they 
went into that system and were not forwarded to the main system for any 
reason, the main system will not have a record of it. (If you think 
about it, that only makes sense).


Dan


On 4/23/2014 9:46 PM, Unai Rodriguez wrote:

I cannot find any traces of those emails in our system.

If our backup MX had issues forwarding to the main, will QMT show it 
on the logs? I'm guessing that there might be cases where it won't 
even show up.


Thank you so much for the replies



Re: [qmailtoaster] A rudimentary question for multi-domain hosting

2014-04-25 Thread Dan McAllister

Kelly:

Absolutely fine for mail.example.com (DNS and PTR agree) to serve as 
mail server for multiple domains.


Only real issues arise when you want to use SSL -- either pay out the 
nose for a generic cert, or have all domains connect to your 
mail.example.com server and buy just the one certificate (the latter is 
what I do).


Whatever you decide to put into /var/qmail/control/me, just make sure 
it's valid.

 - say you put mailhost.example22.com in there
 - First, make sure that mailhost.example22.com resolves to that host's 
IP address (either directly or via NAT) [ for example: 10.10.10.10 ]
 - Second, contact your ISP and make sure the PTR record for your IP [ 
10.10.10.10 ] resolves to mailhost.example22.com


When you think you're done, check out intodns.com and mxtoolbox.com -- 
both sites can help you resolve DNS issues that may affect your server.


Finally: IMPORTANT! Your QMT server does not have to be a DNS server too 
-- but it SHOULD resolve (recurse) queries itself. Not only do you gain 
efficiency for local resolution, but you also gain the presence of 
locally cached entries that will make your QMT much more efficient!


Good Luck!

Dan

PS: I host a mailserver (one of 5 these days) with over 200 domains! So, 
yes this works and is perfectly normal!



On 4/25/2014 5:29 PM, Kelly Cobean wrote:

Hi all,
   I run mail for 5 or 6 domains on my server.  I have a few questions 
regarding multi-domain hosting


1. What is the appropriate entry for the /var/qmail/control/me file 
which I believe controls how qmail identifies itself for SMTP HELO/EHLO.


2. What should the PTR record for my IP indicate?  Should it match the 
hostname listed in /var/qmail/control/me?


3. Is it normal for a server that identifies itself as 
mail.example.com to send mail for, say fr...@test.com.


In other words, Is this an appropriate conversation?

220 READY
EHLO mail.example.com
OK
MAIL FROM: fr...@test.com
OK
RECEIPT TO: b...@sample.net


Is the mail server for sample.net going to care that a server which 
identifies itself as being mail.example.com is sending mail for 
fr...@test.com?  I would imagine this is very common, but is this also 
not what spam often looks like?


Thanks.

Kelly








Re: [qmailtoaster] Re: A rudimentary question for multi-domain hosting

2014-04-28 Thread Dan McAllister

On 4/25/2014 6:08 PM, Eric Shubert wrote:

On 04/25/2014 02:58 PM, Dan McAllister wrote:

Whatever you decide to put into /var/qmail/control/me, just make sure
it's valid.
  - say you put mailhost.example22.com in there
  - First, make sure that mailhost.example22.com resolves to that host's
IP address (either directly or via NAT) [ for example: 10.10.10.10 ]
  - Second, contact your ISP and make sure the PTR record for your IP [
10.10.10.10 ] resolves to mailhost.example22.com


Isn't 10.x a bad example here (given those are private addresses)? 
Shouldn't these all be public addresses we're talking about? Of course 
QMT can be behind a NATing router, but all IPs involved should refer 
to the public IP address which the router forwards to QMT.


No?


You would prefer 1.2.3.4?

If someone was confused as to whether the IP address used in the example 
was a WAN or LAN address, I think their ISP would straighten that out.


But point taken that public IPs shouldn't be represented in examples 
with RFC1918 addresses.


I consider myself properly chastised.

Dan
;)




Re: [qmailtoaster] Re: libev

2014-04-28 Thread Dan McAllister

On 4/28/2014 1:02 PM, DNK wrote:

On Apr 28, 2014, at 9:52 AM, Eric Shubert e...@shubes.net wrote:


On 04/27/2014 04:54 PM, DNK wrote:

Hi all, I am giving a go at installing the new toaster packages following:

https://github.com/QMailToaster/qmailtoaster-util/blob/master/README.install

Now the initial bootstrap is failing out on the libev dependency (for 
vpopmail.x86_64). Are we supposed to add in rpm forge or something? No mention 
on that wiki page… I just want to follow the supported source for this package.

Thanks.

Dustin

Is your QMT on a lan? The firewall script needs a little development to detect 
whether it's on a lan or not. It presently blocks all traffic from private 
addresses. Could that be your problem?

--
-Eric ‘shubes'


It is on a LAN, however I had temporarily disabled iptables to just do the 
setup. I was going to go back and review the firewall after as I noticed I lost 
connectivity.

Dustin


LIBEV indeed comes from RPMFORGE
However, the scripts should have added RPMFORGE to your yum configs.
However, if you lost Internet connectivity, you'll get that error 
because you can't connect to RPMFORGE to get the missing deps.


Dan





Re: [qmailtoaster] stripped attachments

2014-04-28 Thread Dan McAllister

Eric:

Any chance the recipient who is not getting the attachments is on 
Exchange 2010 or Exchange 2013?


I ask because both of these versions of Exchange will silently strip 
in-line attachments. Thus, depending upon how the attachment was 
inserted, Exchange may be the culprit.


Dan



On 4/28/2014 12:59 PM, Eric Broch wrote:


Hello list,

I've got an issue with attachments being stripped from emails. I don't 
think this is a QMT problem, but I'm trying here to cover all bases. 
Please bear with me.


Here's the scenario:

Remote senders transmit email to local recipients on our QMT host with 
PDF and DWG files attached. I've tracked these emails in the SMTP log 
through the Send log where I see the email delivered with size 
consistent with attachment present. I also see the emails with the 
questionable attachments scanned in the Clamd log. I've contacted the 
DSPAM users list where I've been told that DSPAM doesn't strip 
anything from email.


I've discussed this with the client and they insist that their email 
client antivirus (AVAST) logs all questionable attachments before 
'doing' anything with them.


As stated earlier, I don't believe that the QMT host is the problem, 
but being at my wits end, I wanted to submit this issue to this user's 
list in hopes of gaining insight. Any help or suggestions would be 
appreciated.


Eric







Re: [qmailtoaster] Re: MX configuration for anti-spam

2014-04-28 Thread Dan McAllister
OK, I'm johnny-come-lately to this discussion, but let me add my 2-cents 
worth in here:


FIRST: Users who want to switch mail providers or mail server 
technologies -- but have no changes on the client end are *dreaming*. 
I tell my clients that I can minimize the changes, but the more I 
minimize the changes, the higher the cost. (It's kinda like buying a new 
car and expecting the dealer to move all the crap from your old car into 
the new one, including copying the radio station presets and getting all 
the trash located in just the same spots -- even though the new car has 
XM radio and a glove box, while the old one did not.)


Converting from one mail server type to another can be tricky, and 
should be done with great care. Some of the gotchas:
 - When you've switched from one MX server to another, some remote SMTP 
servers may still try to attach to the old server
   RESOLUTION: Create a forward (or smtproute) on the old server to 
force delivery of new messages to the new server
 - When you're migrating IMAP folders, there can be different 
limitations (some IMAP servers allow a space as the first or last 
character in an IMAP folder, others do not. Some allow special 
characters, others do not... and so on)
   RESOLUTION: Provide a method to allow users to copy their own 
folders from the old server to the new (alternatively, you can do it -- 
but then you're increasing your workload unnecessarily... or else charge 
for it).


There are plenty more, but those are the ones that quickly jump to mind.

Dan


On 4/28/2014 1:15 PM, Tonix - Antonio Nati wrote:

On 28/04/2014 18:12, Eric Shubert wrote:

On 04/27/2014 01:38 PM, Hasan Akgöz wrote:

Hi Eric,
The first time I heard you specify the subject. I think this method is
not a good idea. becuse If you mess around with MX records, you deserve
to have lost mails and angry co-workers/customer etc... :).


Are you suggesting that there are legit servers that can't handle 
such a configuration?



Before I quitted my email service (I migrated to a colleague which 
manages a lot more accounts than me), I was considering to use this 
way to capture spam on my servers.


Only problem I see this high priority MX may be active only if another 
low level MX is active, otherwise it will classify everything as SPAM, 
and a simple reboot of main MX may be troublesome.


So, the main problem is to keep this spam MX up only when lower 
priority MX are up.


Tonino





Try ASSP ( Anti-Spam SMTP Proxy Server ).


I've looked at ASSP in the past. I don't see a point in having both 
ASSP and spamdyke. If someone can sell me on ASSP over spamdyke, I'd 
be happy to look at it again.


Is anyone out there using ASSP with QMT?


And DNSBL,SURBL,SBL,RBL (zen.spamhaus.org and spamcop.org).


I presently use:
dns-blacklist-entry=b.barracudacentral.org
dns-blacklist-entry=zen.spamhaus.org

I dropped spamcop due to problems they've had with FPs.

Thanks Hasan.










[qmailtoaster] A rudimentary question for multi-domain hosting

2014-04-28 Thread Dan McAllister

Kelly:

While Eric's reply is clear about the fact that the MX record has to use 
an A record reference (vs CNAME), I think the answer you need here is 
simply that the A-record has to point to the correct IP address. What 
name you put in the MX record is of little import, so long as it 
references an A record that points to the correct IP address.


===

By way of examples (for other users):
Say my mail host is at 10.0.0.2, behind a NAT router with WAN IP address 
1.2.3.4 (apologies to Google for using their IP in my example).
 - my mail host listens on ALL the standard ports (25, 80, 110, 143, 
443, 465, 587, 993, 995) for web and mail hosting (all forwarded 
through my router).
 - my mail host uses a name of mail.qmthosting.com (that's one of MY 
OWN hosting domains, so no worries about using it here)
 - my clients each have their own domains (for grins, we'll use 
a.com, b.com, c.com, etc)
 - in general, my clients' DNS servers (whether hosted by me or not), 
with entries for their domains that look like:

    @     IN MX 10 mail
    mail  IN A     1.2.3.4

Thus, to the outside world, they have an MX server at mail.a.com, 
which resolves to 1.2.3.4. (Their domain name, their A record, my IP 
address).


Now, where the SPAM detection for IP addressing starts is when an 
outside mail server connects:
 - sendingdomain.com wants to send to u...@a.com, detects the MX 
record is mail.a.com, which resolves (by A-record) to 1.2.3.4
 - sendingdomain.com connects to 1.2.3.4 on port 25 and gets an EHLO 
response that the name of the server is mail.qmthosting.com
 - sendingdomain.com then does a DNS query for mail.qmthosting.com 
and gets an IP of 1.2.3.4 -- so far, so good
 - sendingdomain.com next does a DNS query for 1.2.3.4 (actually, 
4.3.2.1.in-addr.arpa) and gets a PTR value of mail.qmthosting.com -- 
bingo! a match!
 - sendingdomain.com continues sending the message (presumably to a 
domain in the rcpthosts file)...


The trouble comes when you want to connect your clients...
 - for webmail, I simply create an entry for each domain 
(https://mail.a.com, etc) that redirects to the real ssl page 
https://mail.qmthosting.com. That way the SSL certificate (which only 
has the name mail.qmthosting.com in it) works. (I do not allow webmail 
access except through https).


 - for IMAP mail, there are 3 options:
a) connect to mail.a.com on port 143 and use IMAP with no 
security (BAD IDEA -- I only allow this on one host, and only because 
the client INSISTS upon it)
b) connect to mail.a.com on port 993 and use IMAP over SSL -- 
clients will have varying degrees of difficulty as the SSL Cert won't 
match the host name
c) connect to mail.qmthosting.com on port 993 and use IMAP 
over SSL with my trusted SSL certificate (names match, so no errors, 
and no worries!)
   NOTE: Most clients choose option C -- in large part because I tell 
them to :)


 - The same general idea goes for POP access, only on ports 110 and 995.

SMTP access is a little more tricky... it is a BEST PRACTICE to disallow 
SMTP-AUTH on port 25 (because it can be abused -- I'm not sure how, but 
all the major anti-virus and anti-spam companies tell me so, and I'm not 
of a need to determine exactly why -- I have bigger fish to fry!). Since 
this is the only un-authenticated access to the system, this port's SMTP 
service is plugged into SPAMDYKE -- which has been told to NOT allow 
SMTP-AUTH. But that is OK, because we're talking about CLIENT access to 
an SMTP server here:
 - I allow SMTP-AUTH with or without SSL on port 587 (if you choose to 
enable SSL, remember that the certificate is for the site 
mail.qmthosting.com)
 - I allow SMTP-AUTH only with SSL on port 465 (again, remember that 
the certificate is for the hostname mail.qmthosting.com).


So, clients can configure their SMTP access as being on port 587 using 
mail.a.com, or port 465 using SSL and the host name mail.qmthosting.com.


I really need to post some of this on the WIKI ... sigh when I'm less 
overworked :)


Dan






On 4/25/2014 7:41 PM, Kelly Cobean wrote:

Sorry about the hijack Eric.  Won't do that again.  One last question.  Should 
the MX records for the other domains indicate the hostname that is in the me 
file or should they be a record for a host in their own domain that maps to my 
server ip?  Ie should I have 5 domains all with identical MX entries?

Sent from my iPhone






Re: [qmailtoaster] Re: A rudimentary question for multi-domain hosting

2014-04-28 Thread Dan McAllister

On 4/28/2014 2:46 PM, Eric Shubert wrote:

Nice write-up, Dan. I'd like to make a few additional points, inline.

On 04/28/2014 10:55 AM, Dan McAllister wrote:

Kelly:

While Eric's reply is clear about the fact that the MX record has to use
an A record reference (vs CNAME), I think the answer you need here is
simply that the A-record has to point to the correct IP address. What
name you put in the MX record is of little import, so long as it
references an A record that points to the correct IP address.

===

By way of examples (for other users):
Say my mail host is at 10.0.0.2, behind a NAT router with WAN IP address
*1.2.3.4* (apologies to Google for using their IP in my example).
  - my mail host listens on ALL the standard ports (25, 80, 110, 143,
443, 465, 587, 993,  995) for web and mail hosting (all forwarded
through my router).
  - my mail host uses a name of *mail.qmthosting.com* (that's one of MY
OWN hosting domains, so no worries about using it here)
  - my clients each have their own domains (for grins, we'll use
*a.com*, *b.com*, *c.com*, etc)
  - in general, my clients DNS servers (whether hosted by me or not,
with entries for their domains that look like:
    @ IN MX 10 mail
    mail IN A 1.2.3.4

Thus, to the outside world, they have an MX server at *mail.a.com*,
which resolves to *1.2.3.4*. (Their domain name, their A record, my IP
address).

Now, where the SPAM detection for IP addressing starts is when an
outside mail server connects:
  - sendingdomain.com wants to send to *u...@a.com*  detects the MX
record is *mail.a.com*, which resolves (by A-record) to *1.2.3.4*
  - sendingdomain.com connects to *1.2.3.4* on port 25 and gets an *EHLO*
response that the name of the server is *mail.qmthosting.com*
  - sendingdomain.com then does a DNS query for *mail.qmthosting.com*
and gets an IP of *1.2.3.4* -- so far, so good
  - sendingdomain.com next does a DNS query for 1.2.3.4 (actually,
*4.3.2.1.in-addr.arpa*) and gets a PTR value of *mail.qmthosting.com* --
bingo! a match!


This is equivalent to the reject-missing-rdns spamdyke rule. However, 
whether these names match or not is irrelevant. Matching *might* 
affect treatment of spam, but not matching must not affect whether 
mail is accepted or not. Matching is certainly better, but I've yet to 
see an example of it being required.


In addition, the name given in the rDNS/PTR record *must* resolve to 
*some* IP address in order to be deliverable to many servers. This is 
equivalent to the reject-unresolvable-rdns spamdyke rule. Again, the 
IP address doesn't need to match anything. The name simply needs to be 
resolvable.

The match of the EHLO provided name and the PTR record (name) is 
something that is becoming more and more important in SPAM fighting (see 
FCrDNS on Google, or 
http://en.wikipedia.org/wiki/Forward-confirmed_reverse_DNS) -- the issue 
isn't so much as all out blocking, but SPAM labeling (or SPAM rejection 
eventually).


NOTE: There does NOT have to be a relation or a match of the EHLO 
provided host/domain name and the TO/FROM address -- the attempt to 
validate with FCrDNS is an attempt to validate that the mail server 
itself is legit. As-in, it is operating on static IPs that are 
controlled by the same domain as they are advertising they are from 
it's not a strong check -- which is why there are seldom smtp rejects 
due to a failure -- but let them mismatch and watch your SPAM labeled 
mail jump at the likes of gmail and yahoo! (FWIW: it's the domain names 
that have to match, not so much the host names -- so having an EHLO 
announce as mail.qmthosting.com and the PTR resolve to 
generalserver.qmthosting.com won't matter -- so long as both 
mail.qmthosting.com and generalserver.qmthosting.com both point to 
1.2.3.4 -- the same IP address that we connected to).



  - sendingdomain.com continues sending the message (presumably to a
domain in the rcpthosts file)...

The trouble comes when you want to connect your */clients/*...
  - for *webmail*, I simply create an entry for each domain
(*https://mail.a.com*, etc) that redirects to the real ssl page
*https://mail.qmthosting.com*. That way the SSL certificate (which only
has the name mail.qmthosting.com in it) works. (I do not allow webmail
access except through https).

  - for IMAP mail, there are 3 options:
 a) connect to *mail.a.com* on port *143* and use *IMAP* with /_no
security_/ (BAD IDEA -- I only allow this on one host, and only because
the client INSISTS upon it)
 b) connect to *mail.a.com* on port *993* and use *IMAP over SSL* --
clients will have /varying degrees of difficulty/ as the SSL Cert won't
match the host name
 c) connect to *mail.qmthosting.com* on port *993* and use *IMAP
over SSL* with my _*trusted SSL certificate*_ (names match, so no errors,
and no worries!)
NOTE: Most clients choose option C -- in large part because I tell
them to :)


I hate to point this out, but there are other options. ;)
TLS (aka StartTLS
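
The rDNS checks discussed in the two messages above (missing rDNS, unresolvable rDNS, forward-confirmed rDNS, and the EHLO name's domain), as an added example that is not part of the original posts. The DNS data is constructed and held in dictionaries so the check runs offline; `check_connection`, `base_domain` and every name other than the thread's 1.2.3.4, mail.qmthosting.com, generalserver.qmthosting.com and mail.a.com are assumptions of this sketch. Failures of the last three checks are only flagged, following the thread's point that they affect spam labeling rather than acceptance.

```python
import ipaddress
from dataclasses import dataclass

# Constructed DNS data. 1.2.3.4, mail.qmthosting.com, generalserver.qmthosting.com
# and mail.a.com come from the thread; every other name and address is invented.
A_RECORDS = {
    "mail.qmthosting.com": {"1.2.3.4"},
    "generalserver.qmthosting.com": {"1.2.3.4"},
    "mail.a.com": {"1.2.3.4"},
    "mx.spoofed.example": {"203.0.113.9"},
}
PTR_RECORDS = {  # keyed by the reverse-lookup query name
    "4.3.2.1.in-addr.arpa": ["mail.qmthosting.com"],
    "10.2.0.192.in-addr.arpa": ["ghost.nowhere.example"],  # name has no A record
    "20.2.0.192.in-addr.arpa": ["mx.spoofed.example"],     # A record points elsewhere
}


@dataclass(frozen=True)
class Verdict:
    action: str  # "accept", "flag" (score as likely spam) or "reject"
    reason: str


def base_domain(name):
    """Last two labels of a host name (simplification: no Public Suffix List)."""
    return ".".join(name.rstrip(".").lower().split(".")[-2:])


def check_connection(ip, ehlo_name, a_records=A_RECORDS, ptr_records=PTR_RECORDS):
    """Apply the thread's rDNS checks to one inbound SMTP connection."""
    # 1.2.3.4 is looked up as 4.3.2.1.in-addr.arpa
    query = ipaddress.ip_address(ip).reverse_pointer
    ptr_names = [n.rstrip(".").lower() for n in ptr_records.get(query, [])]
    if not ptr_names:
        return Verdict("reject", "missing-rdns")        # cf. reject-missing-rdns
    resolvable = [n for n in ptr_names if a_records.get(n)]
    if not resolvable:
        return Verdict("reject", "unresolvable-rdns")   # cf. reject-unresolvable-rdns
    # Forward confirmation: some PTR name must resolve back to the client IP.
    confirmed = [n for n in resolvable if ip in a_records[n]]
    if not confirmed:
        return Verdict("flag", "fcrdns-mismatch")
    ehlo = ehlo_name.rstrip(".").lower()
    if ip not in a_records.get(ehlo, set()):
        return Verdict("flag", "ehlo-not-this-host")
    # Host names may differ; the domain of the EHLO name and the PTR must agree.
    if base_domain(ehlo) not in {base_domain(n) for n in confirmed}:
        return Verdict("flag", "ehlo-domain-differs-from-ptr")
    return Verdict("accept", "fcrdns-ok")


def demo():
    """Run the thread's scenarios plus three constructed failure cases."""
    other_ptr = {"4.3.2.1.in-addr.arpa": ["generalserver.qmthosting.com"]}
    return {
        "PTR equals EHLO name": check_connection("1.2.3.4", "mail.qmthosting.com"),
        "PTR is another host in the same domain": check_connection(
            "1.2.3.4", "mail.qmthosting.com", ptr_records=other_ptr),
        "server announces a client domain": check_connection("1.2.3.4", "mail.a.com"),
        "no PTR at all": check_connection("198.51.100.5", "mail.qmthosting.com"),
        "PTR name does not resolve": check_connection("192.0.2.10", "ghost.nowhere.example"),
        "PTR resolves to another IP": check_connection("192.0.2.20", "mx.spoofed.example"),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:42} {verdict.action:7} {verdict.reason}")
```

The third scenario is the multi-domain case from the thread: a server that announced itself as mail.a.com while its PTR says mail.qmthosting.com passes forward confirmation but is flagged on the domain comparison.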

Re: [qmailtoaster] Re: SSL

2014-05-02 Thread Dan McAllister

Gentlemen:

I may be able to offer a reason for the mysql reference:
 - the softlimit program is applied to the smtp instance -- which 
includes the child processes of spamdyke, vpopmail, etc.

 - the same will be true for the other SSL-enabled processes.

I have found that I almost universally have to adjust the softlimit 
variables when I enable SSL. (and FWIW, I use 128 MB -- same as Hassan 
recommended :))


Dan McAllister


On 5/2/2014 1:39 PM, Dave M wrote:

Hi Eric, I thought that was weird too
Output of dovecot -n:
# 2.2.7: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-431.11.2.el6.x86_64 x86_64 CentOS release 6.5 (Final)
auth_cache_size = 32 M
auth_mechanisms = plain login digest-md5 cram-md5
first_valid_gid = 89
first_valid_uid = 89
log_path = /var/log/dovecot.log
login_greeting = Dovecot toaster ready.
mail_plugins =  quota
namespace {
 inbox = yes
 location =
 prefix =
 separator = .
 type = private
}
passdb {
 args = cache_key=%u webmail=127.0.0.1
 driver = vpopmail
}
plugin {
 quota = maildir:ignore=Trash
 quota_rule = ?:storage=0
}
protocols = imap pop3
ssl_cert = /etc/ssl/certs/dovecot.pem
ssl_cipher_list = ALL:!LOW:!SSLv2
ssl_dh_parameters_length = 2048
ssl_key = /etc/ssl/private/dovecot.pem
userdb {
 args = cache_key=%u quota_template=quota_rule=*:backend=%q
 driver = vpopmail
}
protocol imap {
 imap_client_workarounds = delay-newmail
 mail_plugins =  quota imap_quota
}
protocol pop3 {
 pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
 pop3_fast_size_lookups = yes
 pop3_lock_session = yes
}

Dave M



-Original Message-
From: Eric Shubert
Sent: Friday, May 02, 2014 11:02 AM
To: qmailtoaster-list@qmailtoaster.com
Subject: [qmailtoaster] Re: SSL

On 05/01/2014 08:09 AM, Dave M wrote:

tail -f /var/log/dovecot.log
May 01 08:54:49 auth-worker: Error: Attempting to rebuild connection to
SQL server
May 01 08:54:49 auth-worker: Error: vmysql: connection rebuild failed:
Table 'vpopmail.users' doesn't exist
May 01 08:54:49 auth-worker: Error: vmysql: sql error[3]: Table
'vpopmail.users' doesn't exist
May 01 08:54:49 auth-worker: Error: Attempting to rebuild connection to
SQL server
May 01 08:54:49 auth-worker: Error: vmysql: connection rebuild failed:
Table 'vpopmail.users' doesn't exist

**Missing Table  concerned me ** Is there a mysql problem here?


Dovecot should not be configured to use mysql. It uses vpopmail
instead, which does the mysql accessing.

FWIW, I have no instances of mysql in my dovecot.log.

What's your dovecot configuration?
# doveconf -n







Re: [qmailtoaster] How to avoid this kind of emails

2014-05-05 Thread Dan McAllister

On 5/4/2014 11:36 PM, Chandran Manikandan wrote:

Dear All,
I have received such emails like below as generated from my domain and 
sent to my domain. How to avoid this kind of emails. It's generated 
from my domain name but it does not have this email account in my 
domain.


*From:* panasiagroup@panasiagroup.net [mailto:panasiagroup@panasiagroup.net]

*Sent:* Friday, 2 May, 2014 3:54 PM
*Subject:* Financial Management ICV Information Session


--
*Thanks,*
*Manikandan.C*
*System Administrator*


OK, two possibilities here:
 a) the emails are coming from an external server (see log files or the 
message header) -- in which case, implementing SPF would seem to be 
sufficient to repair; or
 b) the emails are coming from an internal source (in which case, SPF 
will not help). How could they be coming from inside your server?
 Once a user is authenticated to the SMTP server (qmail-smtp or 
spamdyke), the system will take messages from virtually ANY user address 
-- including addresses that are not local and/or are not valid.


   User A connects on port 587, authenticates as us...@domain.com
   User A delivers a message with a FROM label of: presid...@usa.gov
   (or some other bullshit address) and TO labels for 100 of your
   nearest and closest friends
   QMail queues them up and sends them -- even though usa.gov might not
   even exist, much less be serviced by your server

While initially this may be seen as a flaw, Eric has correctly pointed 
out that this feature also helps QMT function as a smart-host.


Look in your SMTP/Submission logs for instances where the login 
name/domain don't match the FROM address...


Dan McAllister
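
The log review suggested in the message above (authenticated login that does not match the FROM address, plus the external-server case where an unauthenticated sender uses a local domain), as an added example that is not part of the original post. The line layout is an assumption modelled on spamdyke's one-line delivery summaries, and the sample lines, domains and addresses are constructed; adjust `LINE_RE` to the fields your own SMTP/submission logs carry.

```python
import re
from collections import Counter, namedtuple

# Assumed log layout (modelled on spamdyke summary lines); not taken from the thread.
LINE_RE = re.compile(
    r"spamdyke\[\d+\]: (?P<result>[A-Z_]+) from: (?P<sender>\S+) to: (?P<rcpt>\S+)"
    r" origin_ip: (?P<ip>\S+) origin_rdns: (?P<rdns>\S+) auth: (?P<auth>\S+)"
)
Finding = namedtuple("Finding", "kind auth sender rcpt ip")

# Constructed sample: hypothetical domains, documentation IP ranges.
SAMPLE_LOG = """\
@400000005367a00100000000 spamdyke[2101]: ALLOWED from: alice@domain.example to: bob@partner.example origin_ip: 198.51.100.23 origin_rdns: (unknown) auth: alice@domain.example encryption: TLS reason: 250_ok
@400000005367a00200000000 spamdyke[2102]: ALLOWED from: ceo@elsewhere.example to: x1@victim.example origin_ip: 198.51.100.77 origin_rdns: (unknown) auth: carol@domain.example encryption: TLS reason: 250_ok
@400000005367a00300000000 spamdyke[2103]: ALLOWED from: ceo@elsewhere.example to: x2@victim.example origin_ip: 198.51.100.77 origin_rdns: (unknown) auth: carol@domain.example encryption: TLS reason: 250_ok
@400000005367a00400000000 spamdyke[2104]: ALLOWED from: nosuchuser@domain.example to: staff@domain.example origin_ip: 203.0.113.50 origin_rdns: mx.sender.example auth: (unknown) encryption: (none) reason: 250_ok
@400000005367a00500000000 spamdyke[2105]: ALLOWED from: news@partner.example to: alice@domain.example origin_ip: 203.0.113.60 origin_rdns: mx.partner.example auth: (unknown) encryption: TLS reason: 250_ok
@400000005367a00600000000 spamdyke[2106]: ALLOWED from: sales@domain.example to: bob@partner.example origin_ip: 198.51.100.24 origin_rdns: (unknown) auth: dave@domain.example encryption: TLS reason: 250_ok
@400000005367a00700000000 spamdyke[2107]: DENIED_RBL_MATCH from: x@y.example to: alice@domain.example origin_ip: 203.0.113.99 origin_rdns: (unknown) auth: (unknown) encryption: (none) reason: rbl
"""


def domain_of(address):
    """Domain part of an address, lower-cased ('' if there is no '@')."""
    return address.rpartition("@")[2].lower() if "@" in address else ""


def classify(line, local_domains):
    """Return a Finding for an accepted message whose sender looks forged, else None."""
    m = LINE_RE.search(line)
    if not m or m["result"] != "ALLOWED":
        return None  # unparsable, or rejected before delivery
    sender, auth = m["sender"].lower(), m["auth"].lower()
    if auth == "(unknown)":
        # Case (a) in the message: outside server using one of our domains.
        if domain_of(sender) in local_domains:
            return Finding("unauthenticated-local-sender", auth, sender, m["rcpt"], m["ip"])
        return None  # ordinary inbound mail
    if sender == auth:
        return None
    # Case (b): authenticated user sending as somebody else.
    if domain_of(sender) == domain_of(auth):
        kind = "same-domain-mismatch"   # may be a legitimate alias; review, don't block
    else:
        kind = "foreign-domain-sender"  # login for one domain, FROM in another
    return Finding(kind, auth, sender, m["rcpt"], m["ip"])


def scan(lines, local_domains):
    """Classify every line and keep only the findings."""
    hits = (classify(line, local_domains) for line in lines)
    return [h for h in hits if h is not None]


def summarize(findings):
    """Count findings per (login, kind) so a compromised account stands out."""
    return Counter((f.auth, f.kind) for f in findings)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines(), {"domain.example"})
    for (auth, kind), count in summarize(found).most_common():
        print(f"{count:3}  {kind:30} login={auth}")
```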




Re: [qmailtoaster] building another one to replace my old one

2014-05-08 Thread Dan McAllister

Ok, a few points to update my official opinions :  wink

 a) the QMT project now has ISOs available with a COS6 32-bit build and 
QMT already installed (I think -- if not a full ISO, then a KVM ISO :))
 b) COS 6 is the _/LAST/_ RHEL-based product that will support 32-bit 
builds (long rumored, now confirmed): RHEL7rc is out, and it is 64-bit 
only (kernel-wise, anyway -- there are some 32-bit libraries for 
compatibility)
 b1) Personally, I think that is a mistake (the 64-bit only 
decision), as I am in agreement with Eric Shubert that 32-bit KVM 
clients are smaller & faster
 b2) I lost the election for King and Emperor of all Linux, so my 
opinion doesn't matter that much :) RHEL and COS will go on without me :(
 c) One final correction: the latest COS5 is either 10 or 11 (I saw a 
5.10 ISO on a mirror, but have been told in another forum that there is 
a 5.11). Regardless, the preferred CentOS 5 build is the latest - I 
see no value in building off of 5.8 (or 5.9 for that matter).


So, all of that said, I will weigh in here and say that I recommend 
Eric's CentOS 6 build for new systems. 32 or 64 bit, there are new 
features and new supported add-ons that I think are worth it.


I just re-built one of my backup mail servers, and ran Eric's install 
scripts flawlessly.


THANKS FOR ALL THE GREAT WORK, ERIC!

Dan McAllister
QMT DNS/Mirror Admin
(and official pain-in-the-project-part)

On 5/8/2014 1:03 PM, Jim Shupert wrote:

Friends,
I have happily been running Qmailtoaster for years.
I wish to build a new one - new hardware current os etc etc

I see on the website a suggestion for centos 5.8
http://wiki.qmailtoaster.com/index.php/Main_Page#Installation
CentOS 5, i386 & x86_64

but I have seen ( i think ) talk on mailing list centos 6

so what distro is suggested?
and should i follow 
http://wiki.qmailtoaster.com/index.php/CentOS_5_QmailToaster_Install



also I think my hardware is going to be 32 bit  -- i seem to recall 
Dan McA saying  if 32 bit then stick with centos 5.6 


could I go with 32 bit hardware and centos 5.8 ?

also also
I very much wish to be able to do a 'better' job of controlling spam 
than i do currently

I want spamassassin ( i have that currently ) but also spamdyke & fail2ban
and any other magic wand  or practices that will allow me to stop / 
reduce that darn spam.


thanks

js






[qmailtoaster] Quick Question - IMAP (Courier)

2014-05-13 Thread Dan McAllister

Greetings all

Exactly where is it that we set the 40 connection limit for courier IMAP?

I've got an older server that runs over 250 domains and for some reason 
the TCPserver log is saying we're using 40 out of 40 connections. (I 
need this to be more like 200!)


Thanks

Dan McAllister




Re: [qmailtoaster] Quick Question - IMAP (Courier)

2014-05-14 Thread Dan McAllister

Kelly:

I found that value as well (perhaps I should have explained what I had 
done already tried)... but even after upping that value to 80, I still 
see log entries saying tcpserver is limiting the number to 40. (The 
value at /var/qmail/supervise/imap4/env/MAXDAEMONS (which is built in 
the /var/qmail/supervise/imap4/run script) is properly set to 80 -- but 
the tcpserver entry line in the /var/log/qmail/imap4/current continues 
to say the max is 40.


Thanks for any other advice -- this is impacting my customers!

Dan



On 5/13/2014 5:27 PM, Kelly Cobean wrote:

/etc/courier/imapd has this default value



##NAME: MAXDAEMONS:0
#
#  Maximum number of IMAP servers started
#

MAXDAEMONS=40

##NAME: MAXPERIP:0
#
#  Maximum number of connections to accept from the same IP address

MAXPERIP=4










Re: [qmailtoaster] Quick Question - IMAP (Courier)

2014-05-15 Thread Dan McAllister
Thanks Abel -- adding the -c option in the command line worked like a 
charm :)


Now I'm regularly seeing my IMAP status as 40/200 45/200 etc. And my 
clients are happy in that they aren't seeing spotty IMAP performance any 
more!


Dan



On 5/14/2014 11:48 AM, a...@globalgate.com.ar wrote:

Hello Dan,

I tried this  in /var/qmail/supervise/imap4/run script:

...
/usr/bin/tcpserver -v -R -H -l  $HOSTNAME -c 80 0 143 \


# svc -t /var/qmail/supervise/imap4

and thereafter:

# tail -f /var/log/qmail/imap4/current

@400053738ede19e18aac tcpserver: status: 0/80
@400053738edf1e2041e4 tcpserver: status: 0/80
@400053738f1b02ca8fbc tcpserver: status: 1/80

It seems to work, independently of
/var/qmail/supervise/imap4/env/MAXDAEMONS

Maybe it helps

regards


--

Abel Lucano 

GlobalGate
Ingeniería
http://www.globalgate.com.ar
Viamonte 723 5to of 22
Tel (Buenos Aires):  (011) 5218 4242/44 FAX:  (011) 5218 4245
Tel (Córdoba):   (0351) 571 0351
Tel (Corrientes):(0379) 464 0042

Intl: Tel: +54 11 5218 4242
  Fax: +54 11 5218 4245




Re: [qmailtoaster] to catch all or no

2014-05-19 Thread Dan McAllister

Jim,

Exactly why do you want/need a catchall account at all?   Albeit, while 
that is far better than having a REJECT rule for badly addressed 
messages, it also creates an ongoing headache of someone having to scan 
through tons of messages that you KNOW are most likely SPAM.


First, some background -- you can do 3 things with badly addressed mail 
messages in QMail:

 - reject them
 - send them to a catchall account
 - delete them

Personally, all of my servers have a DELETE rule for badly addressed 
messages. I just drop them and forget about it.


First, most new admins want to use a REJECT option -- tell users they 
got a bad email address. This is the WORST option, however! Because of 
address phishing, you will get many times more SPAM than otherwise if 
you send REJECT messages. Why?  Spammers will send 100,000 messages to 
your server addressed to a...@domain.com, a...@domain.com a...@domain.com... 
and so forth (usually, it is actually a dictionary/name attack more than 
a brute-force attack, but you get the idea). Their goal is to send you 
100,000 emails and get only 99,998 bounce messages -- and voila! They 
have 2 good email addresses they can add to their list of proven good 
addresses that they sell to other spammers.


Just having a domain that is searchable that way will increase your 
SPAM attacks many-fold! So accept EVERYTHING (they'll stop phishing when 
they realize you NEVER reject a message due to a bad address!)


That leaves 2 options:
 - keep the bad messages, or
 - just silently delete them

In my book, I delete them. If you WANT to read through hundreds (or 
thousands) of messages that are nearly always SPAM, that's your 
business... but there are other ways to determine that a badly addressed 
message was attempted -- like that the recipient never got it!


===

One last tidbit for security: A lot of us are essentially lazy when it 
comes to accounts for email. Consider this: if your email address is 
your login ID, then a hacker only needs to know your password to break 
in! Consider instead, giving each user a separate mailbox name and 
e-mail address:
  a...@gunsnroses.com is just the email address... it actually is an 
alias (forward in QMT) for the mailbox axyl...@gunsnroses.com. Axyl 
needs to know the mailbox name when he sets up his mail clients (or uses 
webmail), but other than that, everyone uses axyl@ as the email address. 
When an attacker wants to break into the mail server for 
gunsnroses.com, they can use the name a...@gunsnroses.com until the cows 
come back from the moon -- but it'll never work, because that isn't a 
valid account.


FWIW: for my corporate accounts, I create a mailbox name (I won't 
disclose the formula), and then forwards for the actual user in the form 
of: fi...@domain.com, fl...@domain.com, f.l...@domain.com, 
firstl...@domain.com,  first.l...@domain.com (although first@ is 
sometimes omitted)... then the user can tell their 
friends/coworkers/associates any of the aliases that they prefer... and 
while all work, none are the login name for the user (nor the mailbox name).


Just food for thought.

Dan McAllister


On 5/19/2014 9:15 AM, Jim Shupert wrote:

Friends,

1st let me say that i have asked this forum for advice on my battle 
with spam and I can say that I am enjoying success from the wisdom.

thank you.

a related matter.

I [ the postmaster ] personally get a lot of spam because I am the 
catch all account.
this means I get spam for ' people who do not exist - this is 2 
categories.
1- accounts that did exist in the past but no longer. ie billiebob 
left - so no billie...@mydom.com anymore

2- accounts that have never existed . ie unic...@mydom.com

as you might suspect these are largely spam.

My q - what is a suggested means of doing this?
my thoughts are
1. an account is made named d...@mydom.com as catch all and assign it a 
quota of 5 MB

2 make s...@mydom.com the catch all.
or
3. no change - meaning leave it so it goes to my mailbox as catch all.

thanks






Re: [qmailtoaster] Re: to catch all or no

2014-05-20 Thread Dan McAllister
 be 
reasonably certain I'm talking to the real server, as we're expecting to 
trade TCP messages back and forth
 - a bounce is a new message sent back to the person purporting to be 
the sender. I have NO FAITH in the sender's self-reported address, so I 
refuse to use it in ANY automated fashion - including, and especially, 
bounce messages.


===
These are just my thoughts -- but after being an ESP (Email Service 
Provider) for more than 15 years now, I'm pretty strong in my opinions! 
Not that they haven't changed... they have! I used to have a single 
catchall account for ALL of my domains, and I used to have a paid 
staffer whose job was to cull through those emails to see if any could 
be forwarded to their legitimate recipients. What a naive little nave I 
was back then! :^)


I don't represent that I'm right & you're wrong -- I am only 
describing what I do, and attempting to explain why... I'm a firm 
believer in the free market (of ideas AND of money), and firmly believe 
that the Internet would have FAILED if people hadn't bent, poked, 
prodded, and occasionally broken things over the years in the name of 
improvements!


Dan McAllister
IT4SOHO

Anyone else remember ROT13 as a way to encode NSFW content?
Abj vf gur orfg gvzr! :)

On 5/19/2014 5:05 PM, Tonix - Antonio Nati wrote:
Strange, I have an opposite opinion on the most of catch-all and 
delete usage I'm reading here in this thread.


Personally, and as provider of email business, I consider catch-all 
account useful only when you have a new domain, and customer does not 
know which mailboxes were running. So you set up a catchall account 
and start creating all necessary accounts, and stop catch-all when the 
most of accounts are created.


About deleting all email for not existing users, I consider it a bad 
service to customers, as they have legitimate raports with business 
partners, and if someone writes to the wrong address it is correct and 
ethical to report them back that address is wrong, so they can use 
another way to contact the recipient, instead of waiting for never 
coming reply messages.
More, the abuse of deletion and missing respect for RFC forces users 
to ask always for delivery and read receipt, incrementing the volume 
of useless emails.


About signing headers with authenticating sender address, is a must 
because it makes senders responsible for what they are sending, and 
the most of our business customers wants their domain to be used only 
for legitimate emails,


Of course other opinions may be based on different needs, but I think 
respect of RFC should always be at first place, otherwise people will 
look soon for other stable and reliable message delivery methods.


Something I think often about: as email providers, we should look like 
real postmen: we cannot read (intentionally I mean), lose, damage 
others emails. Virus and SPAM must be fought, and apart real viruses 
and real spam all the remaining MUST be delivered. Any not valid 
damage or loss could be legally pursued.



Regards,

Tonino


On 19/05/2014 21:10, Eric Shubert wrote:

On 05/19/2014 08:06 AM, Jim Shupert wrote:

How might one do - have a DELETE rule for badly addressed messages. I
just drop them and forget about it?

is it as easy as:  Set catchall email deletedfrom admin
in truth ... i thought you HAD to have a catch all account -- yes - i
would rather not.

thanks


Personally, I use a catchall account for my domain, and I don't get 
very much spam there at all. I do use a few tools for 
mitigating this.


1) the badmailto file can specify addresses with a regex. So for 
example, if your domain accounts don't contain numbers or whatever 
special characters, or your accounts always follow a certain pattern, 
you can write badmailto rules to reject these attempts. I used to get 
a lot of spam with numbers in the account name, and eliminated them 
with a few badmailto rules. This file can also be used to reject 
messages to defunct accounts.


2) use spamdyke to blacklist local domains. This seems counter 
intuitive, but so long as legit users always authenticate and only 
send email via your server, this works nicely.


That being said, I can see where some domains would want to simply 
delete these messages. While deleting messages goes against the RFCs, 
doing so certainly appears to be a best practice. Some rules, while 
well intended, have unintended consequences. I think this is one such 
rule.



also that strategy of :  giving each user a separate mailbox name and
e-mail address 
yes , that is interesting -- I can see how that would work
unfortunately in my current situation folks already have the
configuration  that we have.
but maybe for a new bunch of folks a new domain


This is a most excellent method of managing user accounts. I've 
considered doing this, but haven't actually implemented it yet. Along 
these lines, I've also considered modifying the header record qmail 
adds so that the authentication account isn't listed

Re: [qmailtoaster] Roundcube Survey

2014-05-28 Thread Dan McAllister

On 5/27/2014 10:28 PM, Eric Shubert wrote:
For those using Roundcube, please be so gracious as to answer a couple 
questions.


Do you use it with nginx? (I expect mostly no answers)

If not, have you used nginx for anything else?

Thank you for your participation. I'm contemplating adding Roundcube 
to the 'stock' QMT. It's been long overdue.



No, I don't use RC with nginx (don't use nginx for anything else either).

Lastly, I think RC would be an excellent addition to QMT -- I run it in 
tandem with SquirrelMail on all of my servers.


Dan McAllister
QMT DNS/Mirror Admin




[qmailtoaster] Log issues

2014-07-17 Thread Dan McAllister
OK, so I'm probably going to need to be re-schooled on qmail queues 
again, but here's my problem:
 -- my send log (/var/log/qmail/send/current) is filling up with queue 
errors, like:


   @400053c7d1fc328dcf84 warning: trouble opening remote/5/411567;
   will try again later
   @400053c7d1fc328deadc warning: trouble opening remote/19/418274;
   will try again later
   @400053c7d1fc328e024c warning: trouble opening remote/16/410796;
   will try again later
   @400053c7d1fc328e1da4 warning: trouble opening remote/11/411412;
   will try again later

There are far more lines than this, but my log file is so full of them 
I'm considering filtering them :)


qmailctl queue says there is nothing in any queue
qfixq says there are no issues with my queues (they're empty at 11PM -- 
shockingly?)


Any ideas?

Dan McAllister
