[vchkpw] bug in 'vdominfo -n'?
I'm not sure that the following behavior is by purpose, but it makes 'vdominfo' confusing: $ vdominfo |egrep -A 4 '^domain:\ mydomain' ,- | domain: mydomain.com | uid:12345 | gid:12345 | dir:/srv/vpopmail/domains/mydomain.com | users: 1 | -- | domain: mydomain.de (alias of mydomain.com) | uid:12345 | gid:12345 | dir:/srv/vpopmail/domains/mydomain.com | users: 1 `- But if I use the '-n' option to get only domain names the result is unexpected: $ vdominfo -n |egrep '^mydomain' ,- | mydomain.com | mydomain.com `- Ok, I'm using an old version of vpopmail (5.4.10) and this issue has probably been gone. But if not, can somebody explain the different output? Regards, Lars Uhlmann !DSPAM:4c3338f532711001834612!
[vchkpw] no spam and virus scan for authenticated users
Excuse me if this question is already answered (if so just point me there). Is it possible to tell simscan skip scanning on authenticated (=relay) connections? best regards, Lars !DSPAM:4948f93d32312016118559!
[vchkpw] [chkuser] suggestions for future changes
On Tue, 22 Aug 2006 13:19:32 +0200 tonix (Antonio Nati) [EMAIL PROTECTED] wrote: I've noticed some spam sending hosts, which use e.g. localhost/ 127.0.0.1 as their sender MX. When my mailserver tries to verify the sending account via bounce check (connecting to 127.0.0.1), the rcpt to: check is ok, because chkuser accepts unknown rcpt to's from localhost. Is there a settings to get rid of that? Better would be a patch to qmail-smtpd that only accepted localhost and 127.0.0.1 as the HELO name on connections from 127.0.0.1. I don't know enough about chkuser to answer your original question. This would be one possibility but in this case the mail is already in the local queue - what we try to prevent. I think an extended chkuser patch is the better way. While chkuser already checks for an existing MX-record it could easily test the received A-Record against 127.0.0.0/8, RFC1918 or in case of a fqdn is it resolveable at all. If you send me more details on how check should be done, I could try to put in in 2.0.10 version of chkuser. My comment above was not quite correkt. I suggest to realize it this way: 1) Test for a valid MX-RR (RFC 1035, para. 3.3.9) A MX-Record must contain a host name, not an IP address. This could be a compile time option (MX_STRICT_FQDN_CHECK ;-) log rejects with meaningful messages (e.g. Sender MX (domain.tld MX=1.2.3.4) violates RFC1035, 3.3.9 2) Do an A-RR lookup with the acquired fqdn and test the resolved IP against any of the following scopes[0] (reject on match). Private Use IP addresses: 10.0.0.0 - 10.255.255.255 172.16.0.0 - 172.31.255.255 192.168.0.0 - 192.168.255.255 Autoconfiguration IP Addresses: 169.254.0.0 - 169.254.255.255 Loopback IP addresses: 127.0.0.0 - 127.255.255.255 log rejects with meaningful messages (e.g. Sender MX (fastmail.com - MX=we-dont-accept-mail.fastmail.com - A=127.0.0.1) never reachable) This could be compile time option(s) too or (what I prefer) a file loaded at runtime (e.g. $QMAIL_ROOT/control/chkuser_bad_mx_ip). The latter solution lets you add or remove ranges without recompiling (e.g. for smtpds in private LANs) Example for 'chkuser_bad_mx_ip' (I prefer the CIDR notation) ,- | # do we need comments? would be really nice ;-) | # RFC1018 | 10.0.0.0/8 | 172.16.0.0/12 | 192.168.0.0/16 | | # windows auto config range | 169.254.0.0/16 | | # loopback | 127.0.0.0/8 | | # this is my day off ;-) | 0.0.0.0/0 `- Problem: How do we handle multiple MX records? I think we only take care of the best prioritized record because this is the one nearly always used. regards Lars [0] http://www.iana.org/faqs/abuse-faq.htm#SpecialUseAddresses
[vchkpw] Re: Unable to login with POP
On Wed, 20 Sep 2006 12:55:05 +0300, Cantemir wrote: [html chunk] My brain lacks of a HTML parser. If you expect fast help please provide your question/informations in a suitable way. The common and preferred content type is and stays 'text/plain'. /usr/lib/mysql/libmysqlclient.so.14: no version information available Sounds like the installed mysql library isn't the same vpopmail is compiled with. Did you build vpopmail on another host with a different version of mysql? What prints: # ls -ld /usr/lib/mysql/libmysqlclient.so.14 HTH Lars
Re: [vchkpw] QMail Forward
/var/control/smtproutes or /var/qmail/control/smtproutes If »qmail« is installed under '/var/qmail' then it is '/var/qmail/control/smtproutes'. The file 'smtproutes' may not exist so just create it. For a description on how to set routes see the man page of qmail-remote(8). HTH Lars
Re: [vchkpw] chkuser + localhost as sender MX
On Wed, 16 Aug 2006 09:07:28 -0700 Tom Collins [EMAIL PROTECTED] wrote: I've noticed some spam sending hosts, which use e.g. localhost/ 127.0.0.1 as their sender MX. When my mailserver tries to verify the sending account via bounce check (connecting to 127.0.0.1), the rcpt to: check is ok, because chkuser accepts unknown rcpt to's from localhost. Is there a settings to get rid of that? Better would be a patch to qmail-smtpd that only accepted localhost and 127.0.0.1 as the HELO name on connections from 127.0.0.1. I don't know enough about chkuser to answer your original question. This would be one possibility but in this case the mail is already in the local queue - what we try to prevent. I think an extended chkuser patch is the better way. While chkuser already checks for an existing MX-record it could easily test the received A-Record against 127.0.0.0/8, RFC1918 or in case of a fqdn is it resolveable at all. regards, Lars Uhlmann
[vchkpw] [vpopmail] handle 'postmaster' as non existing user (reject mails)
We only need this mailbox for »qmailadmin« to log in. Is it possible to treat this account as non existing? I've tried a domain-global '.qmail-postmaster' (... bounce-no-mailbox) and a '.qmail' (same content) inside the folder 'postmaster' but nothing worked. regards Lars
[vchkpw] Re: [vpopmail] handle 'postmaster' as non existing user (reject mails)
On Tue, 09 May 2006 10:47:30 -0400, Michael Krieger wrote: I'd point you to the RFCs that state that the postmaster must exist and should accept mail, but since you're asking, you probably don't really mind. You're right but I think RFC822 should be worked over. Problems with UBE and SPAM were 1982 not even theoretically existing. I'd like it better this way: I have several domains with the same MX RR(s). The domain the MX host(s) belong to has a case insensitiv 'postmaster' mailbox. It is filtered for SPAM/Viruses (rejected with a meaningful message) and checked once a day. Most if not all problems the appropriate clause in RFC822 is defined for are technical by nature. For all other concerns this account can help too. regards Lars
[vchkpw] Re: [vpopmail] handle 'postmaster' as non existing user (reject mails)
On Tue, 09 May 2006 17:18:15 +0200, tonix (Antonio Nati) wrote: Now I'd imagine the main frontline you'd want to investigate is chkuser.c if you use it. By line 567, it's got a user and domain split. Under case 10, it actually does the user check, so just have it test the user for 'postmaster' and return a failed 'user does not exist'. It could be more easy to set the BOUNCE_FLAG on for each postmaster, and message will be rejected. That's it! Shame on me. ;) $ vmoduser -v ,- | version: 5.4.10 | vmoduser: usage: [options] email_addr or domain (for each user in domain) | ... | the following options are bit flags in the gid int field ... | ... | -b ( bounce all mail ) | ... `- It was too easy to find out. ;) regards Lars
[vchkpw] [chkusr] valid Sender-MX
The Sender-MX-Check needs some enhancements. ;) Spammers mostly use RFC1918-adresses or unresolveable names as MX-RR, e.g.: @ IN MX $PRI 127.0.0.1 @ IN MX $PRI has.no.a-record. @ IN MX $PRI has.rfc1918.a-record. latest examples (all of the domains below are only used to deliver SPAM): $ dig MX radiocompa.com ,- | ;; ANSWER SECTION: | radiocompa.com. 86289 IN MX 0 127.0.1.51. `- or: $ dig MX fflowershop.com ,- | ;; ANSWER SECTION: | fflowershop.com.3600IN MX 10 localhost.fabulous.com. `- $ dig A localhost.fabulous.com @ns1.darkbluesea.com ,- | ;; ANSWER SECTION: | localhost.fabulous.com. 3600IN A127.0.0.1 `- If I had the time and better C skills, I would add the tests myself but... ;) regards, Lars
[vchkpw] Re: vadddomain error
On Mon, 10 Apr 2006 16:05:37 +0800, Oliver A. Rojo wrote: Hi! im trying to add a domain with numbers say 123domain.com. It says: vpgsql: error creating table '123domain_com': ERROR: syntax error at or near 1 at character 14 I'm not really familiar with postgresql but iirc table names must start with a letter or an underscore. HTH Lars
Re: [vchkpw] OT, but abuse related
On Tue, 27 Sep 2005 09:52:39 -0700 Clayton Weise [EMAIL PROTECTED] wrote: I know this is way off topic, but there are a lot of really smart people on this list so I'm hoping to get some ideas here. I've got a web server that has some kind of formmail-esque script that is being horribly abused but I can't find it. The server (shut down qmail-send on it for now) is spewing out messages by the hundreds, if not thousands, and I can't seem to center down on which site has the offending script. Again, it's pretty off topic but I'm just looking for some help here... please. To get the path of the script whose sending mail you could do this: Write a wrapper for qmail-inject. From within the wrapper you'll find the path of the caller script in the environment variable $PWD (assuming bourne[again]shell) here is a wrapper example: ,-[ qmail-inject.wrapper ] | #! /bin/bash | | ORIG_INJECT=/var/qmail/bin/qmail-inject.djb_original | RETURN_PATH=[EMAIL PROTECTED] | TMPFILE=`tempfile` | DATETIME=`date +%d.%m.%Y %H:%M:%S` | | # send desired information to myself | # first the mail header | echo From: [EMAIL PROTECTED] $TMPFILE | echo To: [EMAIL PROTECTED] $TMPFILE | echo -ne Subject: [$DATETIME] something meaningful\n\n $TMPFILE | | # now the message body | echo -e PWD: $PWD\n $TMPFILE | echo -e \n- original e-mail below -\n $TMPFILE | | # save the original message for our mail and pass ist on to the real qmail-inject | tee -a $TMPFILE | $ORIG-INJECT -f$RETURN_PATH | | # send the log mail | $ORIG-INJECT $TMPFILE | rm -f $TMPFILE | | # local logging | /usr/bin/logger -p mail.info -t qmail-wrapper command line parameters: $* `- Don't forget to change the symbolic link /usr/sbin/sendmail (normally linked to $QMAILDIR/bin/sendmail) to $QMAILDIR/bin/qmail-inject. If the link stays unchanged and the script uses /usr/bin/sendmail »qmail-inject« is invoked by $QMAILDIR/bin/sendmail and therefore $PWD will be equal to $QMAILDIR/bin. HTH Lars
[vchkpw] [chkuser] qutoacheck with catchall accounts
Hi, i'm using netqmail 1.05 with qmail-toaster-0.7.2.patch.bz2. This works great but I have a little problem with 'chkuser': A recipient is only checked if the domain has bouncing enabled. Is it possible to check an users quota if the domain has a catch-all account? Or with other words, can I compile 'chkuser' with CHKUSER_ALWAYS_ON but have mails with unknown local parts delivered to the target from.qmail-default instead of rejecting them? TIA Lars Uhlmann