Re: [vchkpw] dot qmail processing
On Jun 9, 2004, at 5:46 PM, Paul Oehler wrote:
> Out of curiosity, is this a documented feature? I don't remember ever reading this anywhere.

It's in the qmail docs.

man dot-qmail

It isn't in there explicitly, but it says that lines starting with # are ignored, and that qmail-local will only process .qmail files that aren't empty.

--
Tom Collins - [EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/ Vpopmail: http://vpopmail.sf.net/
Info on the Sniffter hand-held Network Tester: http://sniffter.com/
Re: [vchkpw] problems after upgrading vpopmail 5.2.2 to vpopmail 5.4.0
On Jun 9, 2004, at 4:12 PM, Mario Vazquez wrote:
> I got a patch for horde-passwd to enable crypt-md5
> http://article.gmane.org/gmane.comp.horde.sork/1114/ match=passwd+vpopmail

If it links to libvpopmail, you need to recompile it after installing vpopmail 5.4.0.

If it still doesn't work, post a bug report on vpopmail.sf.net, and (hopefully) one of the developers will find time to look into it.

--
Tom Collins - [EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/ Vpopmail: http://vpopmail.sf.net/
Info on the Sniffter hand-held Network Tester: http://sniffter.com/
Re: [vchkpw] Problem with bounce-no-mailbox
Is that domain unique in your system, or do you have other domains (working fine)?

What did you change in the last times? Install a new version of vpopmail? Change system user for that domain? Move from cdb to MySQL?

Tonino

At 10/06/2004 10/06/2004 +0100, you wrote:
> Hi
>
> I'm having a problem with Vpopmail 5.4.1 on Redhat. I don't think it has been happening until recently.
>
> In a nutshell, for domains that have .qmail-default set as
>
>     | /home/vpopmail/bin/vdelivermail '' bounce-no-mailbox
>
> *all* email to that domain is bouncing with
>
>     550 sorry, no mailbox here by that name (#5.1.1 - chkusr)
>
> If I change the .qmail-default to read
>
>     | /home/vpopmail/bin/vdelivermail '' /home/vpopmail/domains/vegasforums.com/postmaster
>
> mail is delivered without error
>
> Any suggestions gratefully received.
>
> --
> Cheers
> Alastair
> --^--^--

[EMAIL PROTECTED]
Interazioni di Antonio Nati
http://www.interazioni.it
[EMAIL PROTECTED]
[vchkpw] Possible enhancements to help protect qmail server resources against spam processing
I'd like to run some features by you. If you think they're good, you might want to include it as part of an optimized openfilter solution.

Layer 1

A problem that I (and others?) have with rblsmtpd is that it's too coarse. It either rejects mail or lets it through. I would much rather kung-fu finesse the whole process by allowing non-blacklisted mail to go through quickly and pass suspected spam into a separate purgatory queue (the slow road from china).

I implemented a simple improvement to rblsmtpd.c that adds a -s (soft) option. It takes an additional argument for what you'd like to set QMAILQUEUE to instead of using the default bin/qmail-queue. I might, for example, compile /var/qmail/bin/qmail-queue2 to use /var/qmail/queue2 instead of /var/qmail/queue as its mail queue. A separate program might look through this purgatory queue in a slow serialized manner and pass more scrutiny on whether to deliver and/or bounce the messages in that queue or not (or use spamassassin, etc.). In the meantime, mail from servers not listed in the RBLs passes quickly to the recipients.

To some degree it has some advantages similar to the OpenBSD+pf+RBL efforts to preserve CPU processing for normal mail and redirect processing from RBL-listed servers to alternate processing, especially if end-user processing is expensive (like procmail or perl-based filters like spamassassin). The advantage to implementing it this way is that you don't need to install an extra OpenBSD box and learn pf.

Here's an example of using Qmail-Scanner to bypass normal processing if (and only if) it comes from a suspected spam server...

    rblsmtpd -s/var/qmail/bin/qmail-scanner-queue.pl -rlocalrbl.mydomain.com -rbl.spamcop.net -rdnsbl.sorbs.net -rsbl-xbl.spamhaus.org /var/qmail/bin/qmail-smtpd

... though, my idea of a purgatory queue (/var/qmail/bin/qmail-queue2) might be a better approach toward protecting inbound mail servers.

Prerequisite: QMAILQUEUE patch.

Layer 2

A problem that I have with the Layer 2 chk-user method is that spammers are not only sending spam, but they are also harvesting addresses by checking for bounces after trying every user combination against a domain. Once they find an address that doesn't bounce, it's marked as a lucrative address in their mailing lists (assuming all other addresses bounced).

I prefer not to bounce any mis-addressed mail to help protect my users from being found. As a policy, all user domains get a catch-all postmaster account installed. Handing out passwords for the postmaster account is part of the installation process, and the policy is that all mail in the postmaster mailboxes is deleted after 14 days. If someone thinks a message was missed, they can retrieve it. Otherwise, misdirected mail just doesn't get seen, nor bounced. It also helps prevent spammers from using my domains as bounce-relays where mailing to an unknown mailing address makes my server bounce messages to real envelope-from addresses.

Bounced messages for forwarded accounts

Something else I need to help protect delivery is a way to rewrite the sender envelope address to use my mail server instead of the original address. This will become important later as people implement SPF to ensure that forwarded mail is received by SPF-enforcing servers. I'd like to use [EMAIL PROTECTED] as the return address on forwarded mail. This will ensure that if mail forwarding breaks, mail is rejected to a place where a customer domain representative can do something with it if they catch the problem within two weeks. Scripts can be rewritten to redeliver bounced mail for a user after their forwarding alias is fixed.

I've had enough run-ins with being blacklisted for forwarded spam that wasn't my responsibility that I need something to help me detect the fact that mail is bouncing for a forwarded user. I haven't figured out implementation details yet, though.

AOL message tagging

In addition to the above, the AOL whitelist bounce policy makes me want to implement message tagging and tracking that lets me know which abuse-reported messages are attached to which forwarding accounts. I might add a word to the Subject line, for example:

    Subject: original subject line [fwd: [EMAIL PROTECTED]

that would come back to me in an AOL abuse report. I could then correspond the id to a forwarder to figure out who is mis-reporting spam. I'd have a mapping of addresses to IDs. Seeing the tag, they might not quickly tag a message as This is spam if they knew that doing it often enough would cause me to kill their forwarding to protect the AOL-integrity of my servers. I think a modification to qmail-remote or vdelivermail on my primary inbound mail server is probably the best way to implement this. What do you think?

Local spam RBL generation

When a spammer wants to send spam to users on your server, they usually send several messages (perhaps even hundreds) of the same messages or send to many
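
The Layer 1 proposal above (divert mail from RBL-listed hosts to a different QMAILQUEUE instead of rejecting it) can be sketched as follows. This is an added example, not the poster's rblsmtpd.c change: the function names, the injected resolver and the sample IP addresses are assumptions, while the zone names and queue paths are the ones quoted in the message.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

#define NORMAL_QUEUE "/var/qmail/bin/qmail-queue"   /* qmail default */
#define SOFT_QUEUE   "/var/qmail/bin/qmail-queue2"  /* purgatory queue from the post */

/* RBL zones taken from the rblsmtpd command line in the post. */
static const char *const ZONES[] = {
    "bl.spamcop.net", "dnsbl.sorbs.net", "sbl-xbl.spamhaus.org"
};

/* Resolver callback (assumption, injected so the example runs offline):
 * 1 = listed, 0 = not listed, -1 = lookup failed or timed out. */
typedef int (*rbl_lookup_fn)(const char *name);

/* Build the DNSBL query name d.c.b.a.zone for IPv4 address a.b.c.d.
 * Returns 0 on success, -1 for a non-IPv4 address or a too-small buffer. */
int rbl_query_name(const char *ip, const char *zone, char *out, size_t outlen)
{
    struct in_addr addr;
    const unsigned char *o = (const unsigned char *)&addr.s_addr;
    if (inet_pton(AF_INET, ip, &addr) != 1)
        return -1;
    /* s_addr is in network byte order, so o[0] is the first octet. */
    int n = snprintf(out, outlen, "%u.%u.%u.%u.%s", o[3], o[2], o[1], o[0], zone);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Pick the program to export as QMAILQUEUE before exec'ing qmail-smtpd.
 * A listing diverts the message, never rejects it; lookup failures and
 * unparsable addresses fail open to the normal queue. */
const char *choose_queue(const char *ip, const char *const *zones, size_t nzones,
                         rbl_lookup_fn lookup)
{
    char name[256];
    for (size_t i = 0; i < nzones; i++) {
        if (rbl_query_name(ip, zones[i], name, sizeof name) != 0)
            return NORMAL_QUEUE;
        if (lookup(name) == 1)
            return SOFT_QUEUE;
    }
    return NORMAL_QUEUE;
}

/* Constructed resolver: 192.0.2.10 is "listed" in bl.spamcop.net, and any
 * query for an address ending in .99 simulates a DNS timeout. */
static int demo_lookup(const char *name)
{
    if (strncmp(name, "99.", 3) == 0) return -1;
    return strcmp(name, "10.2.0.192.bl.spamcop.net") == 0;
}

const char *demo_queue_for(const char *ip)
{
    return choose_queue(ip, ZONES, sizeof ZONES / sizeof ZONES[0], demo_lookup);
}

int main(void)
{
    printf("%s\n%s\n", demo_queue_for("192.0.2.10"), demo_queue_for("198.51.100.7"));
    return 0;
}
```

A DNS timeout sends the message down the normal path here, so an unreachable RBL never delays or diverts legitimate mail; a stricter site could treat `-1` as listed instead.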
Re: [vchkpw] Problem with bounce-no-mailbox
Hi Antonio

That domain is in the system, as I said, when I change bounce-no-mailbox to 'catchall to postmaster' there is no problem at all.

I have many domains running without a problem, but it is all 4 that are using bounce-no-mailbox that are having all mail rejected with 5.1.1

Nothing has changed on the system recently, and I am only aware that this problem existed in the last 4 or 5 days

I am using mysql to store the vpopmail information. I am also using qmail-scanner to run f-prot and spamassassin on mail

I'd rather not have to reinstall vpopmail unless this is a known issue with version 5.4.1, and I am not aware that it is

Cheers
Alastair

tonix (Antonio Nati) said:
> Is that domain unique in your system, or do you have other domains (working fine)?
>
> What did you change in the last times? Install a new version of vpopmail? Change system user for that domain? Move from cdb to MySQL?
>
> Tonino
>
> At 10/06/2004 10/06/2004 +0100, you wrote:
> > Hi
> >
> > I'm having a problem with Vpopmail 5.4.1 on Redhat. I don't think it has been happening until recently.
> >
> > In a nutshell, for domains that have .qmail-default set as
> >
> >     | /home/vpopmail/bin/vdelivermail '' bounce-no-mailbox
> >
> > *all* email to that domain is bouncing with
> >
> >     550 sorry, no mailbox here by that name (#5.1.1 - chkusr)
> >
> > If I change the .qmail-default to read
> >
> >     | /home/vpopmail/bin/vdelivermail '' /home/vpopmail/domains/vegasforums.com/postmaster
> >
> > mail is delivered without error
> >
> > Any suggestions gratefully received.
> >
> > --
> > Cheers
> > Alastair
> > --^--^--
>
> [EMAIL PROTECTED]
> Interazioni di Antonio Nati
> http://www.interazioni.it
> [EMAIL PROTECTED]
Re: [vchkpw] SMTP Authenticated user is able to anyone in rcpthosts
On Wed, 2004-06-09 at 00:13, Devendra Singh wrote:
> At 08/06/04 11:41 (), Tom Collins wrote:
> > On Jun 7, 2004, at 9:28 PM, Devendra Singh wrote:
> > > I would like to re-frame my Subject: SMTP Authenticated user is able to impersonate anyone in rcpthosts.
> >
> > You could re-frame it even more. Authenticated SMTP users can use any FROM address and submit mail for any host.
> >
> > Some clients may have multiple from addresses going through a single authenticated session. Limiting them to the address they authenticated as may be too strict. Including it in the Received header is probably a more useful option.
>
> Dear Tom,
>
> Thanks, that you understood. (Sorry, the issue is not related to Vpopmail, but may be of interest to most).
>
> Including the authenticated ID in the Received header is good, but still it would not be able to stop the menace of Spamming from your own users (who is going to monitor the logs of mails sent by users). Also, in the days of virus outbreak and users having password saved in their outlook express, the feature can be saviour.
>
> BTW, Shouguan Lin had pointed to a link http://night.rdslink.ro/dudu/qmail/ with features
>
> o Added my own patch, that checks whether the 'mail from' value is different from the username used for SMTP AUTH, thus preventing source address spoofing. Useful for ISP's that only relay mails from authenticated users.
> o The 'mail from' verification is now configurable through a knob defined in /var/qmail/control/spoofcheck or in the environment variable $SPOOFCHECK
>
> But, this is part of unified patch which is difficult situation for me. It's my request to Dr Erwin Hoffmann through this list that if he adds the feature into his authentication patch which is also included into the Vpopmail contrib, we all would get benefited.

This is problematic for ISP customers whose ISPs block outbound port 25, therefore forcing relaying through their servers, but who also have a vanity domain or similar provided by a third party. ISPs would then be disallowing any form of sending mail with that From: field, which is pretty bogus.

Many of these so-called anti-spam measures are approaching throwing not just the baby out with the bathwater, but the entire tub. Why don't I reiterate the question Jeremy Kitchen so accurately asked, What problem are you solving?. Forged From fields serve a legitimate purpose, just like doing the same in the To field can (think BCC mailing lists with Undisclosed Recipients in the To). Yes, spammers abuse this, as do virus writers.

I definitely recommend this functionality be made optional, hard to turn on, and as unadvertised as possible. Those few people who know they'd benefit and not suffer can then find it, and those people who think they'd benefit but wouldn't realize the consequences wouldn't clobber their users.

Nick Harring
Webley Systems
Re: [vchkpw] Problem with bounce-no-mailbox
Did you make any change of this kind?

Did you recompile qmail after updating vpopmail? You should link the new vpopmail library.

Did you make the following changes?

From www.interazioni.it/qmail:

Note on vpopmail 5.3.25 and following

Starting from version 5.3.25, vpopmail has dismissed the function vget_real_domain(). The function making the work of vget_real_domain() is already existing within chkusr, so the lines related to vget_real_domain() may be commented out, without losing any functionality.

Just delete or comment out these lines in red:

    /* Check if domain is a real domain */
    if (!stralloc_0 (&domain)) die_nomem();
    vget_real_domain(domain.s, domain.a);
    domain.len = strlen (domain.s);
    if (domain.len > (domain.a - 1)) die_nomem();
    /* Let's get domain's real path */

Ciao,

Tonino

At 10/06/2004 10/06/2004 +0100, you wrote:
> Hi Antonio
>
> That domain is in the system, as I said, when I change bounce-no-mailbox to 'catchall to postmaster' there is no problem at all.
>
> I have many domains running without a problem, but it is all 4 that are using bounce-no-mailbox that are having all mail rejected with 5.1.1
>
> Nothing has changed on the system recently, and I am only aware that this problem existed in the last 4 or 5 days
>
> I am using mysql to store the vpopmail information. I am also using qmail-scanner to run f-prot and spamassassin on mail
>
> I'd rather not have to reinstall vpopmail unless this is a known issue with version 5.4.1, and I am not aware that it is
>
> Cheers
> Alastair
>
> tonix (Antonio Nati) said:
> > Is that domain unique in your system, or do you have other domains (working fine)?
> >
> > What did you change in the last times? Install a new version of vpopmail? Change system user for that domain? Move from cdb to MySQL?
> >
> > Tonino
> >
> > At 10/06/2004 10/06/2004 +0100, you wrote:
> > > Hi
> > >
> > > I'm having a problem with Vpopmail 5.4.1 on Redhat. I don't think it has been happening until recently.
> > >
> > > In a nutshell, for domains that have .qmail-default set as
> > >
> > >     | /home/vpopmail/bin/vdelivermail '' bounce-no-mailbox
> > >
> > > *all* email to that domain is bouncing with
> > >
> > >     550 sorry, no mailbox here by that name (#5.1.1 - chkusr)
> > >
> > > If I change the .qmail-default to read
> > >
> > >     | /home/vpopmail/bin/vdelivermail '' /home/vpopmail/domains/vegasforums.com/postmaster
> > >
> > > mail is delivered without error
> > >
> > > Any suggestions gratefully received.
> > >
> > > --
> > > Cheers
> > > Alastair
> > > --^--^--
> >
> > [EMAIL PROTECTED]
> > Interazioni di Antonio Nati
> > http://www.interazioni.it
> > [EMAIL PROTECTED]

[EMAIL PROTECTED]
Interazioni di Antonio Nati
http://www.interazioni.it
[EMAIL PROTECTED]
[vchkpw] Can't get rid of authmysql!
I've installed and reinstalled courier-imap/vqadmin, and I keep getting the mysql auth errors. How do I get rid of them?

I'm running FreeBSD 4.9 RELEASE and have installed courier-imap and vqadmin using the ports collection.

    portinstall -m -DWITH_CRAM -DWITH_VPOPMAIL -DWITH_FAM -DWITH_TRASHQUOTA courier-imap

locate authmysql gives me nothing, i.e. there is no such file.

    portinstall vqadmin

Both ports compile fine. And here comes the error:

    [EMAIL PROTECTED] ~ # /usr/local/vpopmail/bin/vadddomain example.com password
    vmysql: sql error[c]: MySQL server has gone away
    vmysql: sql error[b]: MySQL server has gone away
    vmysql: sql error[3]: MySQL server has gone away
    vmysql: sql error[c]: MySQL server has gone away
    vmysql: sql error[c]: MySQL server has gone away
    vmysql: sql error[b]: MySQL server has gone away
    vmysql: sql error[3]: MySQL server has gone away
    vmysql: sql error[2]: MySQL server has gone away
    Failed while attempting to add user to auth backend
    Error: (vadduser) no auth connection

--
Regards, Charles.
Re: [vchkpw] Can't get rid of authmysql!
Accidentally sent the message ...

/usr/local/etc/courier-imap/authdaemonrc

    authmodulelist=authpam authcustom authcram authuserdb authvchkpw

/usr/local/etc/courier-imap/imapd

    AUTHMODULES=authdaemon

courier-imap v2.2.1
vqadmin v2.3.5

--
Regards, Charles.
[vchkpw] vpopmail-bin (vpopmail package for Debian linux)
Hi

Does anyone have experience with the vpopmail-bin package for Debian?

I have installed it, but clearopensmtp seems to cause heavy CPU load, and I don't know why. Further, I can't get mysql support to work with the libvpopmail-mysql package.

Maybe a bit off topic, but if someone uses these packages I would like to know how you get mysql support and clearopensmtp to work properly.

Thanks.

/Lars
Re: [vchkpw] vpopmail-bin (vpopmail package for Debian linux)
Lars E. D. Jensen wrote:
> Hi
>
> Does anyone have experience with the vpopmail-bin package for Debian?
>
> I have installed it, but clearopensmtp seems to cause heavy CPU load, and I don't know why. Further, I can't get mysql support to work with the libvpopmail-mysql package.
>
> Maybe a bit off topic, but if someone uses these packages I would like to know how you get mysql support and clearopensmtp to work properly.
>
> Thanks.
>
> /Lars

I tried it and dropped it. Just install from source, so you know what is happening and everything is installed in the right places.
Re: [vchkpw] SMTP Authenticated user is able to anyone in rcpthosts
At 10/06/04 19:11 (), you wrote:
> On Wed, 2004-06-09 at 00:13, Devendra Singh wrote:
> > At 08/06/04 11:41 (), Tom Collins wrote:
> > > On Jun 7, 2004, at 9:28 PM, Devendra Singh wrote:
> > > > I would like to re-frame my Subject: SMTP Authenticated user is able to impersonate anyone in rcpthosts.
> > >
> > > You could re-frame it even more. Authenticated SMTP users can use any FROM address and submit mail for any host.
> > >
> > > Some clients may have multiple from addresses going through a single authenticated session. Limiting them to the address they authenticated as may be too strict. Including it in the Received header is probably a more useful option.
> >
> > Dear Tom,
> >
> > Thanks, that you understood. (Sorry, the issue is not related to Vpopmail, but may be of interest to most).
> >
> > Including the authenticated ID in the Received header is good, but still it would not be able to stop the menace of Spamming from your own users (who is going to monitor the logs of mails sent by users). Also, in the days of virus outbreak and users having password saved in their outlook express, the feature can be saviour.
> >
> > BTW, Shouguan Lin had pointed to a link http://night.rdslink.ro/dudu/qmail/ with features
> >
> > o Added my own patch, that checks whether the 'mail from' value is different from the username used for SMTP AUTH, thus preventing source address spoofing. Useful for ISP's that only relay mails from authenticated users.
> > o The 'mail from' verification is now configurable through a knob defined in /var/qmail/control/spoofcheck or in the environment variable $SPOOFCHECK
> >
> > But, this is part of unified patch which is difficult situation for me. It's my request to Dr Erwin Hoffmann through this list that if he adds the feature into his authentication patch which is also included into the Vpopmail contrib, we all would get benefited.
>
> This is problematic for ISP customers whose ISPs block outbound port 25, therefore forcing relaying through their servers, but who also have a vanity domain or similar provided by a third party. ISPs would then be disallowing any form of sending mail with that From: field, which is pretty bogus.
>
> Many of these so-called anti-spam measures are approaching throwing not just the baby out with the bathwater, but the entire tub. Why don't I reiterate the question Jeremy Kitchen so accurately asked, What problem are you solving?. Forged From fields serve a legitimate purpose, just like doing the same in the To field can (think BCC mailing lists with Undisclosed Recipients in the To). Yes, spammers abuse this, as do virus writers.
>
> I definitely recommend this functionality be made optional, hard to turn on, and as unadvertised as possible. Those few people who know they'd benefit and not suffer can then find it, and those people who think they'd benefit but wouldn't realize the consequences wouldn't clobber their users.
>
> Nick Harring
> Webley Systems

Any AntiSpamming measure onto SMTP Authenticated mail sending has to be optional like all other such means.

Devendra Singh
__
Devendra Singh
IndiaMART InterMESH Limited
(Global Gateway to Indian Market Place)
B-1, Sector 8, Noida, UP - 201301, India
EPABX : +91-120-2424945, +91-120-3094634, +91-9810646342
Fax: +91-120-2424943
http://www.indiamart.com
http://www.indiangiftsportal.com
http://www.indiantravelportal.com
__
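
The 'mail from' check and its $SPOOFCHECK knob discussed in this thread, combined with the objection that one login may legitimately send from several addresses, as an added example. It is not code from the patch linked above or from the SMTP AUTH patch; the struct, the function names, the knob semantics and the per-login address list are assumptions made here.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX) */

enum verdict { ACCEPT, REJECT_SPOOF };

/* One authenticated login and the envelope senders it may use.
 * The `extra` list is an assumption added here to cover clients with
 * several From addresses; the patch described in the thread has no such list. */
struct auth_identity {
    const char *login;          /* SMTP AUTH username, e.g. user@domain */
    const char *const *extra;   /* other permitted MAIL FROM addresses */
    size_t nextra;
};

/* The knob: $SPOOFCHECK wins over control/spoofcheck when both are set.
 * That precedence, and "unset, empty or 0 means off", are assumptions. */
int spoofcheck_enabled(const char *env_value, const char *control_value)
{
    const char *v = env_value ? env_value : control_value;
    return v != NULL && v[0] != '\0' && strcmp(v, "0") != 0;
}

/* Compare the envelope sender with the authenticated identity.
 * id == NULL means the session did not authenticate; relaying for such
 * sessions is decided elsewhere (rcpthosts), so nothing is checked here.
 * Addresses are compared case-insensitively (assumption: the user
 * database stores them in lower case). */
enum verdict check_mail_from(const struct auth_identity *id,
                             const char *mail_from, int enabled)
{
    size_t i;

    if (!enabled || id == NULL)
        return ACCEPT;
    if (mail_from[0] == '\0')            /* null sender <>: bounces, receipts */
        return ACCEPT;
    if (strcasecmp(mail_from, id->login) == 0)
        return ACCEPT;
    for (i = 0; i < id->nextra; i++)
        if (strcasecmp(mail_from, id->extra[i]) == 0)
            return ACCEPT;
    return REJECT_SPOOF;
}

int main(void)
{
    /* Constructed sample data. */
    static const char *const extra[] = { "sales@vanity.example" };
    const struct auth_identity alice = { "alice@example.com", extra, 1 };
    const char *senders[] = { "alice@example.com", "sales@vanity.example",
                              "bob@example.com", "" };
    int on = spoofcheck_enabled("1", NULL);
    size_t i;

    for (i = 0; i < sizeof senders / sizeof senders[0]; i++)
        printf("MAIL FROM:<%s> -> %s\n", senders[i],
               check_mail_from(&alice, senders[i], on) == ACCEPT
                   ? "accept" : "reject");
    return 0;
}
```

With the knob off, every sender is accepted and the authenticated ID recorded in the Received header remains the only trace of who submitted the message.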
[vchkpw] Anyone using 5.5.x in production?
Can anyone report on performance of the MySQL and/or Postgres backends in 5.5.0 or later on a production machine?

I made some significant changes related to building SQL queries which should make them more secure. I also fixed some outstanding bugs in Postgres code and consolidated some code in MySQL and Postgres.

I'd like to be sure that the new code works before I push it into the 5.4 series.

--
Tom Collins - [EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/ Vpopmail: http://vpopmail.sf.net/
Info on the Sniffter hand-held Network Tester: http://sniffter.com/