Re: [vchkpw] which files truly determine "relay" into a qmail server

2007-01-19 Thread Michael Krieger

Q: ONLY the content of the 'rcpthosts' and 'morercpthosts' (and any 
special cases in tcp.smtp) defines which domains' incoming mail will be 
accepted by SMTPd.  True or False?

FALSE: The contents of rcpthosts and morercpthosts define which domains mail is 
accepted by SMTP for [that part is right]; however, this is ONLY IF RELAYCLIENT 
is not set.  If RELAYCLIENT is set, either by an SMTP authentication patch, via 
the tcp.smtp file, or the environment of tcpserver, this file is completely 
ignored and everything is accepted.  If your 'special cases in tcp.smtp' meant 
that, then my answer is true.

Q: Domains that appear in 'locals' or 'virtualdomains' (for presumed 
delivery on the local box) but DO NOT appear in 
rcpthosts/morercpthosts/tcp.smtp (and have no smtphosts controls) CANNOT 
receive mail directly under normal circumstances.  True or False?

FALSE: rcpthosts/morercpthosts is a qmail-smtpd file.  locals/virtualdomains is 
for qmail-send.  The sendmail program wrapper, qmail-inject, and qmail-queue 
also allow mail into the queue (through local means) and will use these files 
to direct the mail once it is in the queue.  If your server doesn't use the 
sendmail wrapper/qmail-queue/qmail-inject [such as for cron, local web server, 
local users], and never uses forwards as described in the next sentence, then 
SMTP is the only entry point.  Another entry point is dot-qmail files and other 
settings that may forward mail once it is in the queue, injecting a new 
message.  While qmail-smtpd may not accept mail for the destination of a 
forward, a forward will re-enter the queue since it's not going through 
qmail-smtpd, and the virtualdomains and locals files will be used to direct the 
mail.

In summary, domains that appear in locals/virtualdomains but do not 
appear in rcpthosts/etc. have a VERY high probability of being 
misconfigured - with a likely root cause of improper/incomplete deletion 
of a domain from the system.  True or False?  (speculative answer, I 
understand)



FALSE: Assuming of course these weren't added manually, configuration settings 
for alias domains weren't lost in an upgrade or something weird like that, 
these domains are unlikely to cause many problems ... --- unless they are 
domains you actually send mail to --- ...  That being the key.  If hotmail.com 
is in the locals file, you won't be able to get mail to hotmail at all, as it 
will treat it as local.  Remember, some things are added to rcpthosts depending 
on the value used in the config of qmail itself (the final command you run to 
set up the control files with qmail).  If you added something strange there, or 
if it auto-detected something that could be incorrect or misconfigured, then 
you will likely have some extra things around.

The best practice is to clean up the control files and /var/qmail/users/assign 
to reflect your configuration in any case.  In general, I don't see why you're 
asking if it's a problem, rather than just fixing your control files anyway?

-M
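To make the first answer concrete, here is an added shell example (not from the thread, qmail or vpopmail) that emulates the RCPT TO decision: a tcprules-style longest-prefix lookup of the client IP in tcp.smtp, the RELAYCLIENT override, and only then the rcpthosts/morercpthosts check, plus a check for the catch-all rule that turns the box into an open relay. The tcp.smtp and rcpthosts contents are constructed; the real tcp.smtp must be compiled with tcprules into the .cdb that tcpserver -x reads. Wildcard ".domain" entries in rcpthosts are not expanded here, only exact matches.

```shell
#!/bin/sh
# Added example (not from the thread, qmail or vpopmail): emulate the RCPT TO
# decision of qmail-smtpd running under tcpserver -x. Save as rcpt_decision.sh.
# All data below is constructed for the demonstration.

# Hypothetical tcp.smtp in tcprules syntax: "addressprefix:instruction[,VAR=value]".
# The last line, with an empty address part, is the catch-all rule.
TCP_SMTP='127.:allow,RELAYCLIENT=""
192.168.1.:allow,RELAYCLIENT=""
10.0.0.5:deny
:allow'

# Hypothetical rcpthosts + morercpthosts, one domain per line. Exact matches
# only: qmail also honours ".example.net" wildcard entries, which this toy ignores.
RCPTHOSTS='example.com
example.net'

# "192.168.1.7" -> "192.168.1."   "192.168.1." -> "192.168."   "192." -> "" (catch-all)
shorten() {
  k=${1%.}
  case $k in
    *.*) printf '%s.\n' "${k%.*}" ;;
    *)   printf '\n' ;;
  esac
}

# tcprules lookup order: the exact IP, then ever shorter dotted prefixes, then "".
# Prints the instruction part of the first matching rule; returns 1 if none matches.
tcp_rule_for() {
  key=$1
  while :; do
    body=$(printf '%s\n' "$TCP_SMTP" |
      awk -F: -v k="$key" '($1 "") == (k "") { print substr($0, length($1) + 2); exit }')
    if [ -n "$body" ]; then printf '%s\n' "$body"; return 0; fi
    [ -z "$key" ] && return 1
    key=$(shorten "$key")
  done
}

# qmail-smtpd lowercases the recipient domain before consulting rcpthosts.
in_rcpthosts() {
  d=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  printf '%s\n' "$RCPTHOSTS" | grep -qxF -- "$d"
}

# Prints one of: deny-connection, accept-relay, accept-rcpthosts, reject-553.
# A rule that sets RELAYCLIENT (to anything, even "") bypasses rcpthosts entirely;
# qmail-smtpd then appends the RELAYCLIENT value to each recipient address.
rcpt_decision() {
  ip=$1; domain=$2
  rule=$(tcp_rule_for "$ip") || rule=allow   # no rule matched: plain allow, no RELAYCLIENT
  case $rule in
    deny*)          printf 'deny-connection\n'; return 0 ;;
    *RELAYCLIENT=*) printf 'accept-relay\n';    return 0 ;;
  esac
  if in_rcpthosts "$domain"; then printf 'accept-rcpthosts\n'; else printf 'reject-553\n'; fi
}

# Open-relay check: a rule with an empty address part that sets RELAYCLIENT
# grants relay rights to every client. Prints the offending rules from $1.
open_relay_rules() {
  printf '%s\n' "$1" | awk -F: '$1 == "" && $0 ~ /RELAYCLIENT=/'
}

if [ "${0##*/}" = rcpt_decision.sh ]; then
  for pair in 192.168.1.7/hotmail.com 203.0.113.9/hotmail.com \
              203.0.113.9/EXAMPLE.COM 10.0.0.5/example.com; do
    printf '%-26s %s\n' "$pair" "$(rcpt_decision "${pair%/*}" "${pair#*/}")"
  done
  printf 'open relay rules in a bad tcp.smtp: '
  open_relay_rules ':allow,RELAYCLIENT=""'
fi
```

The lookup order is the point: once the client's prefix hits a RELAYCLIENT rule, rcpthosts is never consulted, which is why a ":allow,RELAYCLIENT" catch-all is an open relay no matter how carefully rcpthosts is trimmed.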



Re: [vchkpw] which files truly determine "relay" into a qmail server

2007-01-18 Thread Michael Krieger
locals:
Domains that the server should deliver as local rather than sending off to 
other people.  When you send mail to your own domain, it knows to not deliver 
it to the MX of that domain by its presence in the locals file

rcpthosts / morercpthosts:
Domains that the SMTP daemon should receive mail for (allow) without the 
presence of RELAYCLIENT as set in tcp.smtp or by SMTP authentication.  Domains 
in here will always be accepted, and domains not in here will be rejected 
unless relaying is allowed.  morercpthosts is just a continuation, with your 
most popular domains to be in rcpthosts, just for speed of lookup.  In modern 
fast systems, it doesn't matter.

virtualdomains:
A list of the prepended strings by domains, allowing the system to prepend 
an identifier based on the domain in question.  This converts [EMAIL PROTECTED] 
to [EMAIL PROTECTED] for later processing.

smtproutes:
A list of domains and their artificial MX server to send mail to.  Domains 
in here should also be in rcpthosts, but not treated as local.  Use this if you 
are delivering mail to another MX for select domains, or if you have a 
smarthost.


For domains that your mail server will accept mail from the Internet, see `cat 
rcpthosts morercpthosts`.

-M

- Original Message 
From: Dave Richardson <[EMAIL PROTECTED]>
To: vchkpw@inter7.com
Sent: Thursday, January 18, 2007 10:39:27 AM
Subject: [vchkpw] which files truly determine "relay" into a qmail server

I've been asked to admin an old, jumbled install of qmail/vpopmail (many 
are local users, many are vpopmail users with .cdb).  I'm having a brain 
cramp because the install has domains splattered all over the following 
files:

/var/qmail/control:
locals
rcpthosts
morercpthosts
virtualdomains

My exercise is to identify ONLY those domains that the server will 
actually accept delivery for from the Internet so that we can start 
pruning away the domains that seem to be lingering with no 
customers/accounts/purpose/etc. 

My intention/belief was that ONLY 'rcpthosts' and 'morercpthosts' govern 
which domains the server will accept delivery/relay for from the 
outside.  Thus, I felt that if I built a master list from these two 
files, any other domains I might find are automatically "unused".

However this install has a number of domains that are aliases in the 
'locals' file to a single local account and the domains only seem to 
appear in 'locals'.

Does 'locals' (or 'virtualdomains') in any way influence the relay 
decision to accept incoming mail?  Or am I right that ONLY 'rcpthosts' 
and 'morercpthosts' define the permitted domains.

Sorry for the long explanation, validation/help is much appreciated!
Dave.
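The definitions in the reply above and the locals-versus-rcpthosts answer earlier in the thread both come down to one cross-check, so here is an added shell script (not from the thread or from qmail) that does it: it reads the control files, applies the leading-dot wildcard rule, and reports domains that are delivered locally but unreachable from SMTP, domains qmail-smtpd accepts but qmail-send cannot route (a loop if this host is their MX), and smtproutes entries missing from rcpthosts. The sample control directory it builds is constructed; point it at /var/qmail/control for a real audit. qmail-smtpd reads morercpthosts through morercpthosts.cdb, so after editing the text file run qmail-newmrh.

```shell
#!/bin/sh
# Added example (not from the thread or qmail): cross-check the control files
# the two posts above describe. Save as control_audit.sh and run
#   sh control_audit.sh /var/qmail/control
# Without an argument it audits a constructed sample directory.

# Domain part of every entry of one control file, lowercased, one per line:
#   locals, rcpthosts, morercpthosts : one domain per line (".dom" = wildcard)
#   virtualdomains, smtproutes       : "key:value"; key may be user@domain, .dom or empty
keys_of() {
  [ -f "$1" ] || return 0
  sed -e 's/[[:space:]]//g' -e 's/:.*//' -e 's/^.*@//' "$1" | grep -v '^$' | tr 'A-Z' 'a-z' | sort -u
}

# 0 if DOMAIN ($2) is matched by the newline-separated set in $1, honouring
# leading-dot wildcards (".example.com" covers mail.example.com, not example.com).
covered() {
  printf '%s\n' "$1" | awk -v d="$2" '
    $0 == d { hit = 1; exit }
    substr($0, 1, 1) == "." && length(d) > length($0) &&
      substr(d, length(d) - length($0) + 1) == $0 { hit = 1; exit }
    END { exit !hit }'
}

# Findings, one per line, "kind domain":
#   local-only   in locals/virtualdomains but not in rcpthosts/morercpthosts:
#                reachable only by local injection or forwards, never from SMTP
#   unrouted     in rcpthosts but in none of locals/virtualdomains/smtproutes:
#                qmail-smtpd accepts it, qmail-send hands it to qmail-remote,
#                and if this host is the domain's MX the message loops back
#   unrelayable  in smtproutes but not in rcpthosts: outside senders cannot
#                hand mail for it to this host
audit_control() {
  dir=$1
  accepted=$( { keys_of "$dir/rcpthosts"; keys_of "$dir/morercpthosts"; } | sort -u)
  delivered=$( { keys_of "$dir/locals"; keys_of "$dir/virtualdomains"; } | sort -u)
  routed=$(keys_of "$dir/smtproutes")
  for d in $delivered; do
    covered "$accepted" "$d" || printf 'local-only %s\n' "$d"
  done
  for d in $accepted; do
    case $d in .*) continue ;; esac            # a wildcard entry is not one domain
    covered "$delivered" "$d" || covered "$routed" "$d" || printf 'unrouted %s\n' "$d"
  done
  for d in $routed; do
    covered "$accepted" "$d" || printf 'unrelayable %s\n' "$d"
  done
}

# Constructed sample control directory (hypothetical domains) for the demo.
make_sample_control() {
  mkdir -p "$1"
  printf 'mail.example\nexample.com\nold-customer.example\n' > "$1/locals"
  printf 'example.net:vpop-example.net\n.wild.example:vpop-wild\n' > "$1/virtualdomains"
  printf 'example.com\nexample.net\n.wild.example\nLOOPS.example\n' > "$1/rcpthosts"
  printf 'mail.example\n' > "$1/morercpthosts"
  printf 'relayed.example:mx.partner.example\n:smarthost.example\n' > "$1/smtproutes"
}

if [ "${0##*/}" = control_audit.sh ]; then
  if [ -n "$1" ]; then
    audit_control "$1"
  else
    sample=$(mktemp -d) && make_sample_control "$sample" && audit_control "$sample"
  fi
fi
```

On the sample data it prints "local-only old-customer.example", "unrouted loops.example" and "unrelayable relayed.example". A "local-only" hit is exactly the situation Dave describes: the domain is not dead, it is simply unreachable from the Internet, so check for forwards and local injectors before deleting it.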






Re: [vchkpw] Rethinking qmail : was Re: [vchkpw] how use chkuser on "dmz"

2007-01-11 Thread Michael Krieger
Look at QMAIL-SPP ( http://qmail-spp.sourceforge.net/ ).
It provides a plugin for vpopmail and gets away from this patching situation.  
The idea is great, the implementation is good.
A mix of this and the existing patches you may have is probably the best way to 
go.

In the end, you make a perl script or something on the RCPT command that: 
 a. matches a line with the domain of the RCPT command in the smtproutes file 
(making sure it has access to read it)
 b. if it exists, then opens a socket connection and begins connecting
 c. returns an accept, reject, or defer based on the output of the program- 
also possibly adds headers accordingly.

The plugin infrastructure is really key.  It's not as fast due to performance 
hits of launching these plugins, but it still makes it faster than many 
applications.

It makes adding plugins as easy as adding a line to the text file.  Think about 
even just a sleep() command in a shell file could be easily implemented.

qmail has been around for a long time and hence has a series of feature additions 
upon feature additions.  But remember, these patches aren't fixing problems 
with qmail.  There are very few actual PROBLEMS with qmail, and they're 
relatively minor and things that softlimit and equivalent fix.  People add 
patches because they want features.  Because there is no active development by 
the creator these have to be added themselves.  You add the features you want 
in your qmail installation.  Others have differing opinions as to what should 
be added.

If you want to attach simple perl/shell/C scripts to SMTP conversations, 
install qmail-spp.

Qmail doesn't have a need to change.  It's still doing the task it was intended 
to very well.  If another product suits your needs better, by all means go to 
it, but that doesn't mean qmail is bad.  Also, patches allow you to add those 
features that others have wanted.  In the old days, you had to program them 
yourself :)

-M

- Original Message 
From: tonix (Antonio Nati) <[EMAIL PROTECTED]>
To: vchkpw@inter7.com
Sent: Thursday, January 11, 2007 6:31:40 AM
Subject: [vchkpw] Rethinking qmail : was Re: [vchkpw] how use chkuser on "dmz"


I'm thinking to extend chkuser, and add an SMTP fake delivery for 
checking recipients' existence on end systems (i.e. when domains are 
external and use me as proxy SMTP).

But I'm really tired of fighting with qmail. Bernstein's programming is 
academic and heavy to use, the license is criminal. Programming with 
patches over patches is painful. There is no fun in putting new features 
on this old and overestimated product. You have to run several 
chained programs just to make an SMTP acceptance...

I feel it is time to migrate to another product, or is there anyone 
available to start a new project, that would rewrite qmail little by 
little, and free all of us from this criminal license?

Project should start with a "programmed way" to add new features and 
patch, then making a decent "configure", then starting to write new 
libraries and then substituting the old code, until we have a free 
mail system. Of course vpopmail would be a library integrated in this 
new product.

I have thrown the first stone.

Tonino

At 00.25 11/01/2007, you wrote:
>Hello all,
>
>I have this setup: mail coming to a relay server located in the DMZ, and
>this server is relaying x domains to the internal LAN mail server.
>I'm receiving lots of unwanted mails for nonexistent addresses.
>
>How can I handle it?  chkuser is working fine when the domains are on the
>server, but how can I "check" user existence on a remote server?
>FYI: rsync of passwd.cdb is OK, but how to check against aliases?
>
>Please, I need some pointers where to look, if it is possible to do it
>with chkuser or another way (qmail-ldap).
>
>Thank you
>
>Peter M.







[vchkpw] Simscan 'trap' addresses

2006-10-17 Thread Michael Krieger
Recently I've moved from adding some spammed addresses into badmailto, but am 
realizing that's a bit of a waste, as these same users usually turn around and 
Spam the recipients that are accepted.

This got me thinking: doing a bit of this at the SMTP level and including the 
Spam scanner could be a neat idea.  Picture this:

 1. mail comes in matching a CDB file of recipients (regex of course, to allow 
for some patterns with asterisks in the middle or so on)
 2. Simscan identifies one of the one or many recipients to be a Spamtrap 
e-mail address, and now knows this mail is likely Spam.
 3. Simscan calls sa-learn with a high probability (of course as simscan, which 
saves any permissions issues)... so sa-learn --spam (either -L or non- --- 
non-locally may be nice since it is a Spam trap)
 4. Simscan rejects the mail with a big 'piss off' style message... of course 
turned to something more standard: a 5xx response with a 'service unavailable' 
or something undescriptive.

With the amount of mail I see going to [EMAIL PROTECTED], [EMAIL PROTECTED], 
etc. that gets CCd to me, that'd be nice.  Or maybe if folks worry about doing 
that, we could just store it in a maildir, but I'd say a trap hit is pretty 
good to mark as Spam, and not deliver to any of the other recipients.

Thoughts?  Seems like an easy one to implement and a really good one to have.

-M

Re: [vchkpw] weird, disturbing error

2006-08-05 Thread Michael Krieger
I'd be hesitant to rsync /usr/lib if it's bad enough to cause crashing errors 
like that.  I'd be more interested in seeing you configure/recompile vpopmail 
with the existing headers/libraries in order to fix your problem rather than 
change your system and everything that depends on it.

-M

Paul Theodoropoulos <[EMAIL PROTECTED]> wrote:

At 12:19 PM 8/4/2006, Paul Theodoropoulos wrote:
>At 11:59 AM 8/4/2006, you wrote:
>>i knew i would leave out critical information - darnit. i'm using mysql 
>>auth backend. so cdb files aren't used.
>
>i'm wondering though now - i merely rsynced the mysql hierarchy over to 
>the new server. perhaps doing a mysqldump and restore is what's called for.

found the problem. there were some very small differences in the libraries 
between the two servers (likely due to the new server being a brand new 
install of solaris 9, while the 'old' server is merely at a recent solaris 
patch release of 9). i rsynced /usr/lib, and all is well now. likely something 
specifically to do with the md5 hash libraries.

whew!

Paul Theodoropoulos
http://www.anastrophe.com

Re: [vchkpw] weird, disturbing error

2006-08-04 Thread Michael Krieger
Paul Theodoropoulos <[EMAIL PROTECTED]> wrote:

> pass theirpass
> -ERR aack, child crashed
>
> urk. so, on a hunch, on the new server i ran 'vpasswd theirpass' - exact 
> same password. and after doing that, it worked fine.

    cd ~vpopmail/domains
    rm ~vpopmail/domains/*/vpasswd.cdb
    for i in *; do
        echo "$i"
        vmoduser -x [EMAIL PROTECTED]
    done

Maybe something with your CDB files is a bit strange, but it sounds like a 
rebuild did the trick.  So rebuild away.  If the cdb files don't exist, it'll 
do it from the text file.  Note that in the time between removing the cdb files 
and creating them, who knows what'd happen to mail, so down the SMTP server 
first.

-M

Re: [vchkpw] How can I have my mail server checked whether helo address of sender mail servers has fully-qualified domain name or not ?

2006-07-21 Thread Michael Krieger
Why would you want to?  First look at the RFC822 statement below.  Also, 
though, look at RFC 1123, stating:

"  The HELO receiver MAY verify that the HELO parameter really
   corresponds to the IP address of the sender.  However, the
   receiver MUST NOT refuse to accept a message, even if the
   sender's HELO command fails verification."

I get a mix of valid and invalid HELOs, as well as many mail clients, such as 
Outlook/Thunderbird/etc. just sending the Windows computer name.

- This command is used to identify the sender-SMTP to the
  receiver-SMTP.  The argument field contains the host name of
  the sender-SMTP.

  The receiver-SMTP identifies itself to the sender-SMTP in
  the connection greeting reply, and in the response to this
  command.

  This command and an OK reply to it confirm that both the
  sender-SMTP and the receiver-SMTP are in the initial state,
  that is, there is no transaction in progress and all state
  tables and buffers are cleared.

-M

Bulent Guclu <[EMAIL PROTECTED]> wrote:

> Hello
>
> I use vpopmail 5.4.  I want my qmail server to check whether the HELO 
> address of sender SMTP servers who send mails to my mail server is a 
> fully-qualified domain name or not.  How can I do that: as a tcp.smtp file, 
> or qmail-smtpd file, or another method?
>
> Thanks

Re: [vchkpw] That domain isn't in my list of allowed rcpthosts

2006-07-13 Thread Michael Krieger
tcpserver uses one CDB file - that being a compiled database in CDB format with 
the keys (domains) and their values.  Whichever file is in your -x parameter 
for tcpserver is the one that is used.  The other is not used at all by your 
SMTP server.

Given that, vpopmail has a neat feature of POP-before-SMTP which adds IPs of 
authenticated users into a file called 'open-smtp', often in the ~vpopmail/etc 
folder.  After writing to this file, it then wants to put the list of IPs into 
your CDB file.  It includes the original CDB, and generates and appends the 
lines as it places them into the CDB file.

This is where "--enable-tcpserver-file=PATH   File where tcpserver -x relay 
information is stored /home/vpopmail/etc/tcp.smtp." comes in in vpopmail 
configuration.  vpopmail takes in this file, appends the lines it would from 
open-smtp, and then outputs a cdb file, if --enable-roaming-users is enabled.  
That CDB file is exactly what you entered when you configured vpopmail, with 
the addition of .cdb.

So to recap:
 - tcpserver uses what you specify on the -x parameter
 - vpopmail takes etc/open-smtp, combines it with the value of 
enable-tcpserver-file
 - vpopmail outputs enable-tcpserver-file's value + '.cdb' onto the end of it
 - IN THEORY, and for a properly working roaming users setup, tcpserver's -x 
parameter should point to enable-tcpserver-file's value + '.cdb'.

If you don't use roaming users, put the tcpserver's -x file wherever you want, 
and that'll be what will be used, as vpopmail does not affect it.

-M

uro jotne <[EMAIL PROTECTED]> wrote:

> I had to put the 196.168.2 (the LAN) in /etc/tcp.smtp. However, I still have 
> 172.16.0 (DMZ, where the mail server is) in /home/vpopmail/etc/tcp.smtp. Now 
> it works, but I would sleep better if I understood how vpopmail uses the two 
> files /etc/tcp.smtp and /home/vpopmail/etc/tcp.smtp. I mistakenly thought 
> that /home/vpopmail/etc/tcp.smtp overruled /etc/tcp.smtp, but apparently it 
> doesn't. I would be thankful if somebody in the know would care to explain 
> how the two files are related.
>
> Best regards.

Re: [vchkpw] concurrency

2006-07-08 Thread Michael Krieger
[EMAIL PROTECTED] wrote:

> As for (1), SQL database and CDB have their own mechanism to serialize the 
> concurrent access, so we will not worry about it.

Well SQL has its own locking, be it table or row level, that will prevent a 
single domain from being updated at the same time.  For example, an update and 
a delete will either update and then delete, or delete and then fail on an 
update.  Either way, it does the right thing.

> As for (2), there may be a chance of conflict in theory, because vpop 
> commands do not implement the mechanism to avoid the concurrent access.
> But, in the real world, it is the rare case that the same folder is 
> created/deleted at the same time.

When would you create a user and delete them at the exact same time?  Either 
the user exists or doesn't.  Whatever state you end up in is probably sane, and 
odds are you won't do multiple actions as each depends on the opposite state.

> So, we need not to worry about the concurrent usage of vpop commands.
> Is my understanding correct?

A big question is what harm can you cause?  Concurrency can always lead to 
unpredictability, unless you lock the whole process.  Even then, you could 
issue a command that negates the command before it (as a whole).  Worst case 
updating a password for an e-mail address fails because the e-mail address is 
deleted... so it probably doesn't matter what the password is.  Worst case you 
are updating a domain and it gets deleted, so again, who cares about the 
update - and occurring in the other order is fine too.

Vpopmail will prevent corruption of your data, by using locking if needed (or 
depend on locking of a DB system).  It will lock .qmail files when it writes 
them.  Everything else shouldn't really matter.  Maildir if it doesn't exist 
will be created, but you shouldn't get to that state.

In a database, concurrency has issues.  The textbook example is subtracting 
from an account balance, where if two programs update the balance at the same 
time (through two transactions), then they can cause problems (currbal=100, 
currbal-50, currbal-10 -=- possible outcomes are 90, 50, or 40).  In this case, 
multiple updates to the same datum are uncommon, and any irregularity is still 
something the user wanted.

-M

[vchkpw] Simscan Crucial matching bug

2006-07-08 Thread Michael Krieger
So an interesting bug in simscan I noticed when at a client's today.  She said 
that she was getting tons of Spam - a good 20 times what she should rightfully 
get.  All obvious Spam as well.  Looking in the headers, it's not being scanned 
by spamc, despite the domain being in simcontrol.

The answer?  They were sending mail to [EMAIL PROTECTED].  Sending mail to 
[EMAIL PROTECTED] works as expected, but not in all caps.  I'm assuming this 
matching is case sensitive, and since qmail and, as far as I know, the RFCs for 
mail don't distinguish case, shouldn't that mean that simscan doesn't either?

At present, varying case of the domain can disable virus and spam scanning.  In 
theory that could be used to infect PCs whose users believe that they are safe 
(though I'm not overly concerned about the security implications as much as the 
effective working of this).

I haven't looked in detail at the code, but will gladly do so first thing next 
week, unless someone else knows the easy fix.  I'm guessing we just need to 
convert the string to lowercase at the top of per_domain_email_lookup() [and 
possibly per_domain_lookup() if we don't lowercase the parameter].  Possibly 
even just set it in set_per_domain?

Haven't looked at the bigger picture as I mentioned, but wanted to point that 
one out.  Will investigate and post.  Probably a very easy fix.

-M
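The failure mode in the post, shown as an added shell example (not simscan's code) with the vulnerable lookup beside the hardened one. The simcontrol-style table is constructed and its "key:settings" format is an assumption; simscan's real per_domain_email_lookup() and per_domain_lookup() are not shown here. The point is the lookup: a remote client chooses the case of the RCPT TO domain, so matching it verbatim lets the client pick the default policy instead of the domain's.

```shell
#!/bin/sh
# Added example (not simscan's code): the case-sensitivity trap from the post,
# shown as a vulnerable lookup beside a hardened one. Save as simcontrol_case.sh.
# Constructed simcontrol-style table; format assumed: "key:settings" where key
# is a domain, a full address, or empty for the default.
SIMCONTROL=':clam=yes,spam=no
client.example:clam=yes,spam=yes
ceo@client.example:clam=yes,spam=yes,spam_hits=5'

# Most specific entry wins: full address, then domain, then the default ("" key).
# $1 = recipient address, $2 = yes to fold case before matching.
policy_for() {
  addr=$1
  [ "$2" = yes ] && addr=$(printf '%s' "$addr" | tr 'A-Z' 'a-z')
  domain=${addr#*@}
  for key in "$addr" "$domain" ""; do
    hit=$(printf '%s\n' "$SIMCONTROL" |
      awk -F: -v k="$key" '($1 "") == (k "") { print substr($0, length($1) + 2); exit }')
    if [ -n "$hit" ]; then printf '%s\n' "$hit"; return 0; fi
  done
  return 1
}

# Vulnerable: matches the recipient exactly as the remote client typed it, so
# user@CLIENT.EXAMPLE misses the per-domain entry and gets the default policy.
policy_case_sensitive() { policy_for "$1" no; }

# Hardened: domain names are case-insensitive in SMTP, and qmail-local folds
# the local part too, so fold the whole address before looking it up.
policy_hardened() { policy_for "$1" yes; }

# 0 if the policy chosen by MODE ($2: vulnerable|hardened) runs the spam scan.
spam_scanned() {
  if [ "$2" = hardened ]; then p=$(policy_hardened "$1"); else p=$(policy_case_sensitive "$1"); fi
  case ",$p," in *,spam=yes,*) return 0 ;; *) return 1 ;; esac
}

if [ "${0##*/}" = simcontrol_case.sh ]; then
  for a in user@client.example user@CLIENT.EXAMPLE CEO@Client.Example; do
    printf '%-22s vulnerable: %-30s hardened: %s\n' "$a" \
      "$(policy_case_sensitive "$a")" "$(policy_hardened "$a")"
  done
fi
```

Folding once at the entry point (the equivalent of the top of per_domain_email_lookup() that the post suggests) is the whole fix; folding in only one of the two lookup paths leaves the other bypassable.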

Re: [vchkpw] concurrency

2006-07-05 Thread Michael Krieger
In theory, there's always potential, particularly when dealing with files on 
disk.  One program could in theory do one thing and not another.

The MySQL database should deal with its own concurrency.  The CDB database has 
.vpasswd.lock files when updating the password files.

You probably don't have to worry about corrupting anything, but in theory one 
could get system time and do something unexpected on the other, particularly 
in deleting and creating folders.  That's usually not that important.  Odds are 
that's never going to happen, that you do two opposite actions on the same 
[EMAIL PROTECTED] at the same time.

Odds are, you won't cause any harm.

-M

Jeremy Kitchen <[EMAIL PROTECTED]> wrote:

> On Wednesday 05 July 2006 11:39, [EMAIL PROTECTED] wrote:
> > Hello,
> >
> > Can we run the commands in:
> > /home/vpopmail/bin
> > concurrently?
> > For instance, can someone run
> >   vadduser [EMAIL PROTECTED] password_foo
> > at the time when someone else runs:
> >   vadduser [EMAIL PROTECTED] password_bar
> > ?
>
> depends on what they do.
>
> If they will modify the same files, you shouldn't.  Otherwise, sure.
>
> For example, you can run vadddomain and vadduser (with a different domain) at 
> the same time, but you shouldn't run two vaddusers on the same domain at the 
> same time, etc.  There's locking involved that prevents them from stepping on 
> each other, but I don't know if they will just see the file as locked and 
> bomb out, or wait for the lock to clear, etc.
>
> -Jeremy
>
> -- 
> Jeremy Kitchen ++ [EMAIL PROTECTED]
> http://www.pirate-party.us/ -- defend your rights

Re: [vchkpw] Misc Bugfixes- update, cleanup

2006-06-29 Thread Michael Krieger
Tom Collins <[EMAIL PROTECTED]> wrote:

> One question related to the vpalias.c fix.  Why is mydir static?  It's always 
> set to NULL before that function exits.  Wouldn't making it not static and 
> initializing it to NULL make more sense?

mydir was static in vpopmail-5.4.16, so I didn't set that.  Looking at it now, 
I'm not really sure why.  By the same token, I'm not sure if it's worth 
changing.  Possibly to ensure that mydir is closed on any second iteration in 
case it hits one of those returns?

-M

Re: [vchkpw] double_free_or_corruption

2006-06-05 Thread Michael Krieger
Upgrade to 5.4.16 and add the patch I posted earlier today to fix some 
outstanding bugs (one additional crash on no aliases, and then a CDB fix).  A 
lot of bugs were fixed in 5.4.15 that are probably causing issues in many 
vpopmail functions.  Getting support for old versions will be a challenge for 
you I'm sure.  It should be a drop-in replacement in the toaster with the new 
version.

-M

Pablo Povarchik <[EMAIL PROTECTED]> wrote:

Hello

We are having this on a couple of servers:

@4000448365ad3882b29c delivery 11617:
 deferral:lseek_errno=29/mail_is_looping/***_glibc_detected_***_/home/vpopmail/bin/vdelivermail:_double_free_or_corruption_(fasttop):_0x089080c0_***/===_Backtrace:_=//lib/libc.so.6[0x9c4124]//lib/libc.so.6(__libc_free+0x77)[0x9c465f]//home/vpopmail/bin/vdelivermail[0x8049bd4]//home/vpopmail/bin/vdelivermail[0x8048c2b]/===_Memory_map:_/00111000-00114000_rwxp_00111000_00:00_0_/00943000-0095d000_r-xp__08:03_1081379/lib/ld-2.3.5.so/0095d000-0095e000_r-xp_00019000_08:03_1081379/lib/ld-2.3.5.so/0095e000-0095f000_rwxp_0001a000_08:03_1081379/lib/ld-2.3.5.so/00961000-00a84000_r-xp__08:03_1081407/lib/libc-2.3.5.so/00a84000-00a86000_r-xp_00123000_08:03_1081407/lib/libc-2.3.5.so/00a86000-00a88000_rwxp_00125000_08:03_1081407/lib/libc-2.3.5.so/00a88000-00a8a000_rwxp_00a88000_00:00_0_/00ae3000-00ae8000_r-xp__08:03_1082423/lib/libcrypt-2.3.5.so/00ae8000-00ae90
00_r-xp_4000_08:03_1082423/lib/libcrypt-2.3.5.so/00ae9000-00aea000_rwxp_5000_08:03_1082423/lib/libcrypt-2.3.5.so/00aea000-00b11000_rwxp_00aea000_00:00_0_/00c2-00c29000_r-xp__08:03_1081456/lib/libgcc_s-4.0.2-20051126.so.1/00c29000-00c2a000_rwxp_9000_08:03_1081456/lib/libgcc_s-4.0.2-20051126.so.1/00c97000-00c98000_r-xp_00c97000_00:00_0__[vdso]/00d1a000-00d2c000_r-xp__08:03_1081410/lib/libnsl-2.3.5.so/00d2c000-00d2d000_r-xp_00011000_08:03_1081410/lib/libnsl-2.3.5.so/00d2d000-00d2e000_rwxp_00012000_08:03_1081410/lib/libnsl-2.3.5.so/00d2e000-00d3_rwxp_00d2e000_00:00_0_/08048000-08054000_r-xp__08:03_44204044___/home/vpopmail/bin/vdelivermail/08054000-08055000_rwxp_c000_08:03_44204044___/home/vpopmail/bin/vdelivermail/08055000-0805c000_rwxp_08055000_00:00_0_/08908000-08929000_rwxp_08908000_00:00_0__[heap]/b7e0-b7e21000_rwxp_b7e0_00
:00_0_/b7e21000-b7f0_---p_b7e21000_00:00_0_/bff3f000-bff55000_rwxp_bff3f000_00:00_0__[stack]/Aack,_child_crashed._(#4.3.0)/

Fedora 4
glibc-2.3.5-10.3 (updating does not solve)
Linux servername 2.6.15-1.1831_FC4smp #1 SMP Tue Feb 7 13:48:31 EST 2006 i686 i686 i386 GNU/Linux
netqmail
vpopmail 5.4.13
shupp toaster mainly

It happens here on forwards with vdelivermail:

[EMAIL PROTECTED] [/home/vpopmail/domains/maildomain.com]# cat .qmail-default
| /home/vpopmail/bin/vdelivermail '' [EMAIL PROTECTED]
[EMAIL PROTECTED] [/home/vpopmail/domains/maildomain.com]#

names munged of course

Any help will be very appreciated, we are stuck here

Thanks!

-- 
Pablo Povarchik - FuturaHost.Com
CEO
Managed hosting services, the core of our work
+- Web Hosting - Dedicated Servers - Colocation (AS39317) --+
| [EMAIL PROTECTED] - http://www.futurahost.com/ - (+39) 0461 592710
| Special! Get a Full Cabinet + 10Mbps full burst for only EUR 1,099 per month
| in our London (UK) facilities. Availability also in Fremont CA, USA.
+---+

[vchkpw] Misc Bugfixes- update, cleanup

2006-06-05 Thread Michael Krieger
Hey folks,

I've submitted a few bugfixes against 5.4.16 to fix:
 - a crash when there are no names and one is using the cdb module - 
qmailadmin can cause this one as well as the command line programs
 - a series of lockfile permissions fixes when using the locking to...
  1. comply with the man pages': "mode MUST be specified when O_CREAT is in the 
flags, and is ignored otherwise", which suggests that mode should be specified 
in those cases, and
  2. prevent lock files from (on my base Debian system) being created with 000 
and then failing on all future attempts after the first one to obtain a lock on 
the file, as a result of a lack of permission.

I advise seeing if you have any ~vpopmail/domain/*/.vpasswd.lock files and 
removing them if they do not have at least some permission.

These seem to clear up all of the issues I've noticed with vpopmail-5.4.16 at 
this time [fortunately that big bugfix last release helped as well].

Think we may be ready for 5.4.17 soon?  I want to make sure these get in there.

-M

Attachment: vpopmail-5.4.16-20060605.bugfixes.gz


RE: [vchkpw] Unwanted Local Delivery

2006-05-20 Thread Michael Krieger
Why would you want to do MX lookups on every incoming connection?

If you _REALLY_ want to, look at the mfcheck patch for qmail-smtpd.  While this 
does it for the MAIL FROM, you could enhance it to check for each RCPT, as well 
as look up MX.  Remember that if no MX exists, you should look up the A record 
for the domain name itself.  You will also need to follow any MX record and 
convert it to an IP.  Also keep in mind that your DNS servers may cache for 
double your TTL on the domains you host, so this won't help you much for quick 
changes - just long term effects.

Since it doesn't do any quick changes due to caching on your internal DNS 
systems, you might as well run a script every day (or more often or less often) 
to just do lookups of domains in your rcpthosts and notify you if any of the 
IPs aren't in your subnet, or if you use the same MX for all of them, you can 
get away with just looking up the MX [knowing that you have MXs, you can skip 
the other lookups and followup lookups mentioned above].

Who said anything about switching off local delivery?  How would that help 
you?  You could do the lookups and then create a report of unmatching MX 
records and send it to your e-mail.

I'd ___HIGHLY___ discourage, if not downright call you names, if you were to 
automate the removal of these domains (vdeldomain) or any sort of automatic 
disabling.  Realize that DNS isn't perfect.  Network connectivity isn't 
perfect.  Domains are left to expire and then renewed after a few days.  Users 
may transition to another ISP and DNS caches may point to your server for days 
if not weeks.  One may change a setting by accident.

In any case, in all of these cases, you don't want to delete the mail, 
settings, users/forwards/lists, or prevent any delivery of mail.  You'll have a 
lot more pissed off clients if you do that.

Just run a script daily to notify you of domains that don't have you listed as 
their MX (keeping in mind grepping out things like localhost or the shortname 
of your server, or being aware of any subdomains and how that can affect 
things) but are in your rcpthosts.  Use this e-mail to contact users and make 
educated decisions as to what actions to take, including potentially sending 
the user their mail, or encouraging them to login to a webmail system to get it 
before you delete it.

Cheers
-M

Andy BIERLAIR <[EMAIL PROTECTED]> wrote:

> So you say that there is no option to simply switch off local delivery and 
> treat everything as coming from the outside? I guess I have to live with 
> that :)
>
> How would I do the script based idea below realtime based? I mean, each time 
> an email is sent from the smtp.
>
> Thanks,
> Andy
>
> From: Ingo Claro [mailto:[EMAIL PROTECTED]
> Sent: Friday, May 19, 2006 18:12
> To: vchkpw@inter7.com
> Subject: Re: [vchkpw] Unwanted Local Delivery
>
> to get only the domains that don't match you should do:
>
>     host -t MX $i | egrep "mail1.thiscouldbeme.com|mail2.thiscouldbemetoo.com" > /dev/null 2>&1 || echo $i
>
> regards,
>
> Ingo Claro F.
> Gerente de Operaciones
> [EMAIL PROTECTED]
> (+56-2) 43 00 155
> Certificado ISO 9001:2000
>
> Michael Krieger escribió:
>
>     for i in `cat /var/qmail/control/{more,}rcpthosts`; do
>         host -t MX $i | egrep "mail1.thiscouldbeme.com|mail2.thiscouldbemetoo.com" 2>&1 || echo $i
>     done
>
> Done - will echo everything that does not include your expression in its MX 
> record.  If it has no matches, grep exits 1 and will trigger the echo.  If it 
> matches at least one, then you're set.  You can make more complex expressions 
> or do more tests if you'd like.
>
> -M
>
> Tom Collins <[EMAIL PROTECTED]> wrote:
>
> > On May 19, 2006, at 12:46 AM, Andy BIERLAIR wrote:
> > > How can I force vpopmail/qmail to deliver it to the right MX instead 
> > > of to a local zombie domain?
> >
> > You can't.
> >
> > You possibly need to write an auditing program that goes through the 
> > domains in your rcpthosts and morercpthosts and makes a list of domains 
> > that don't list you as an MX.
> >
> > -- 
> > Tom Collins - [EMAIL PROTECTED]
> > QmailAdmin: http://qmailadmin.sf.net/
> > Vpopmail: http://vpopmail.sf.net/

Re: [vchkpw] Unwanted Local Delivery

2006-05-19 Thread Michael Krieger
    for i in `cat /var/qmail/control/{more,}rcpthosts`; do
        host -t MX $i | egrep "mail1.thiscouldbeme.com|mail2.thiscouldbemetoo.com" 2>&1 || echo $i
    done

Done - will echo everything that does not include your expression in its MX 
record.  If it has no matches, grep exits 1 and will trigger the echo.  If it 
matches at least one, then you're set.  You can make more complex expressions 
or do more tests if you'd like.

-M

Tom Collins <[EMAIL PROTECTED]> wrote:

> On May 19, 2006, at 12:46 AM, Andy BIERLAIR wrote:
> > How can I force vpopmail/qmail to deliver it to the right MX instead 
> > of to a local zombie domain?
>
> You can't.
>
> You possibly need to write an auditing program that goes through the 
> domains in your rcpthosts and morercpthosts and makes a list of domains 
> that don't list you as an MX.
>
> -- 
> Tom Collins  -  [EMAIL PROTECTED]
> QmailAdmin: http://qmailadmin.sf.net/  Vpopmail: http://vpopmail.sf.net/
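The one-liner in this post and the caveats in the longer reply above it (no-MX domains fall back to the A record, skip localhost and your short name, skip wildcard entries, report but never delete) fit in one small script, added here as an example that is not from the thread. The MX names in OUR_MX and the short names in OUR_SHORT are assumptions to edit; the resolver is a hook so that the demo runs offline on constructed `host -t MX` output, and a real run sets MX_LOOKUP='host -t MX'.

```shell
#!/bin/sh
# Added example (not from the thread): the rcpthosts MX audit from the two posts
# above, extended as they suggest. It only reports. Save as mx_audit.sh.

OUR_MX='mail1.thiscouldbeme.com mail2.thiscouldbemetoo.com'  # our MX names (assumed)
OUR_SHORT='localhost mail'                                   # names to skip in rcpthosts

# Resolver hook. For real use: MX_LOOKUP='host -t MX'. The default is a constructed
# fake that returns `host -t MX` style output so the demo runs offline.
fake_host_mx() {
  case $1 in
    example.com)  printf 'example.com mail is handled by 10 mail1.thiscouldbeme.com.\n'
                  printf 'example.com mail is handled by 20 mx.backup.example.\n' ;;
    gone.example) printf 'gone.example mail is handled by 10 mx.otherisp.example.\n' ;;
    nomx.example) printf 'nomx.example has no MX record\n' ;;
    *)            printf 'Host %s not found: 3(NXDOMAIN)\n' "$1" ;;
  esac
}
MX_LOOKUP=${MX_LOOKUP:-fake_host_mx}

# `host -t MX` output -> "priority host" per MX, trailing dot removed.
parse_mx() {
  awk '/mail is handled by/ { h = $NF; sub(/\.$/, "", h); print $(NF - 1), h }'
}

# Verdict for one domain: ok | foreign <first foreign MX> | no-mx | nxdomain.
# One MX naming us is enough (a backup MX elsewhere is normal). "no-mx" means
# the A record decides, as the post notes, so check that one by hand.
classify_domain() {
  out=$($MX_LOOKUP "$1" 2>&1) || :           # host exits non-zero on NXDOMAIN
  mx=$(printf '%s\n' "$out" | parse_mx)
  if [ -z "$mx" ]; then
    case $out in *NXDOMAIN*|*"not found"*) printf 'nxdomain\n' ;; *) printf 'no-mx\n' ;; esac
    return 0
  fi
  printf '%s\n' "$mx" | awk -v ours="$OUR_MX" '
    BEGIN { n = split(ours, a, " "); for (i = 1; i <= n; i++) mine[tolower(a[i])] = 1 }
    (tolower($2) in mine) { ok = 1 }
    !ok && first == "" { first = $2 }
    END { if (ok) print "ok"; else print "foreign " first }'
}

# Reads domains (one per line) on stdin, prints "verdict domain". Skips blank
# lines, ".wildcard" entries and the short names in OUR_SHORT.
audit_rcpthosts() {
  while IFS= read -r d; do
    [ -z "$d" ] && continue
    case $d in .*) continue ;; esac
    for s in $OUR_SHORT; do [ "$d" = "$s" ] && continue 2; done
    printf '%s %s\n' "$(classify_domain "$d")" "$d"
  done
}

if [ "${0##*/}" = mx_audit.sh ]; then
  # Real run:  MX_LOOKUP='host -t MX' sh mx_audit.sh < /var/qmail/control/rcpthosts
  if [ -t 0 ]; then
    printf 'example.com\ngone.example\nnomx.example\nlocalhost\n' | audit_rcpthosts
  else
    audit_rcpthosts
  fi
fi
```

Run it from cron and mail yourself the "foreign" and "nxdomain" lines; as the longer reply says, an expired-and-renewed domain or a stale cache produces the same output as a real migration, so the decision to delete stays with a human.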

[vchkpw] dot-qmail ordering

2006-05-13 Thread Michael Krieger
Hi Folks,

I've been browsing the qmailadmin/vpopmail code and see that there's no effort to enforce order in dot-qmail files. Adding lines to a dot-qmail file is just an append to the end of the file it seems, with valias_insert and so on [at least in vpalias it is for the files/cdb backend].

I'm looking to add some additional features that depend on order. The main one is a script I've written that checks for existing Spam headers, and should they not exist, checks the mail through SpamAssassin's spamc and exits 99 to stop processing the dot-qmail file, or exits cleanly.

The reasoning for this is that I want Maildir deliveries first, delivering properly to the user in question. I then want to run my |ifnotspam command. If it exits 99 (yes it's definitely Spam), I don't want to forward the mail, and don't want to autorespond to it. Yes I realize this isn't perfect and may have the occasional bit of real mail not forwarded. Even more important is the autoresponding, as I find users who set vacation messages can often have hundreds of e-mails per day, many of which are Spam.

Some users have spam scanning with Simscan, but others don't and don't want it. At the same time, I don't want to forward or autorespond (with the mail attached) to mail that, if SA thinks it is Spam, so will other major providers.

Now the reasoning isn't too bad, but it depends on the following:

1. vpopmail sorting .qmail and .qmail-* files after it writes them -OR- vpopmail inserting lines in the right place as opposed to appending
2. qmailadmin having a 'add before remote' option that will, if autorespond/forward is set, add a customized line to the dot-qmail file in the right place [using the abilities above] of properly ordering dot-qmail files.

Obviously both would need to take into account extra things like keeping maildrop and any custom commands above the |ifnotspam command.

Now the second part I don't see as too difficult, as it could check using the valias_* functions to see if the command already exists, and if not add it [as well as remove it in the case of removing a forward/autoresponder, just to clean up]. This would just be adding an extra valias_insert call with a fixed define.

It's the ability to add in a proper order that I'm curious about. Anyone already tried it? Should I give the code a good hacking? See anything else I could affect in doing this?

I think it's a really valuable feature, and should be easy enough to implement.

-=-=-=-=-

As a side note, in qmailadmin's autorespond.c, shouldn't these be in the opposite order to prevent any temporary failures after closing the .qmail file without the message file existing yet?

  * Make the autoresponder .qmail file
  * Make the autoresponder message file

-M
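Added example, not vpopmail or qmailadmin code: the ordering rule the post asks for, written as a function that inserts a line into an in-memory .qmail file at the right place instead of appending it. qmail-local runs the lines of a .qmail file top to bottom and a program line that exits 99 stops processing of the lines below it, so deliveries that must always happen go first, the |ifnotspam gate goes after them, and forwards and autoresponders go last. Lines are classified from their qmail syntax; the program names "ifnotspam" and "autorespond" are matched by path component and the paths used in the demo are assumptions.

```c
#include <string.h>

#define MAXLINES 32
#define MAXLEN   256

/* Class of a .qmail line, in the order lines should run:
 *   0  Maildir ("./Maildir/", "/path/to/Maildir/") or mbox delivery
 *   1  any other program line: maildrop, custom commands
 *   2  the |ifnotspam gate (exit 99 stops everything below it)
 *   3  autoresponders and forwards ("&addr" or a bare address)
 *  -1  comment or blank: left where it is
 * Program names are matched by path component; the paths are assumptions. */
int dotqmail_class(const char *line)
{
    if (line[0] == '#' || line[0] == '\0')
        return -1;
    if (line[0] == '|') {
        if (strstr(line, "/ifnotspam") != NULL)   return 2;
        if (strstr(line, "/autorespond") != NULL) return 3;
        return 1;
    }
    if (line[0] == '.' || line[0] == '/')
        return 0;
    return 3;
}

/* Insert `newline` after the last existing line whose class is <= its
 * own (so lines of equal class keep their relative order) instead of
 * appending. Returns the index it landed at, or -1 if lines[] is full. */
int dotqmail_insert(char lines[][MAXLEN], int *n, const char *newline)
{
    int cls = dotqmail_class(newline);
    int pos = *n;                                  /* comments/blank: append */
    if (*n >= MAXLINES)
        return -1;
    if (cls >= 0) {
        pos = 0;
        for (int i = 0; i < *n; i++) {
            int c = dotqmail_class(lines[i]);
            if (c >= 0 && c <= cls)
                pos = i + 1;
        }
    }
    for (int i = *n; i > pos; i--)
        strcpy(lines[i], lines[i - 1]);
    strncpy(lines[pos], newline, MAXLEN - 1);
    lines[pos][MAXLEN - 1] = '\0';
    (*n)++;
    return pos;
}

/* The situation from the post: qmailadmin has already appended a forward
 * and an autoresponder, and the gate is added afterwards. Returns the
 * index the gate ends up at (expected 1: right after the Maildir delivery),
 * or -1 if the file did not come out as Maildir, gate, forward, autoresponder. */
int dotqmail_demo(void)
{
    char lines[MAXLINES][MAXLEN];
    int n = 0, gate;
    dotqmail_insert(lines, &n, "./Maildir/");
    dotqmail_insert(lines, &n, "&someone@example.org");
    dotqmail_insert(lines, &n, "| /usr/bin/autorespond 10000 5 ./vacation.msg");
    gate = dotqmail_insert(lines, &n, "|/usr/local/bin/ifnotspam");
    if (n != 4 || dotqmail_class(lines[0]) != 0 || dotqmail_class(lines[2]) != 3
        || strstr(lines[3], "autorespond") == NULL)
        return -1;
    return gate;
}
```

The same classification can be used to re-sort a whole file after vpopmail writes it (stable sort on dotqmail_class), which is the first of the two options listed in the post.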

Re: [vchkpw] restrict users

2006-05-12 Thread Michael Krieger
Remember- they can set the header To/From to be whatever they want, unless you want to scan the whole message. You can with reasonable ease probably get this going with the envelope from/to.

This would probably be a custom job.

How I'd approach it:

- use the REQUIREAUTH patch (note that it no longer works with smtpauth and so on, but it's three lines so if you change the variable names around you'll be good to go) on a submission port
- add some code to the mail_rcpt() command if requireauth is true and the requireauth test succeeds [it would be tested at mail_from if requireauth is set, so just check if requireauth is set in the rcpt command], to read one of the vpopmail USER_# flags and if it's set, compare the @mydomain.com in the envelope from with the @authenticateddomain.com in RELAYCLIENT, failing on the mail from otherwise. If you're not wanting to only have them send to their own domain, just test for the few domains you want in sequence.

A hack I know, but should be able to implement it in just a few minutes.

-M

Cristi Tauber <[EMAIL PROTECTED]> wrote:

hello,

i have qmail + vpopmail installed. is there a way to restrict some users of one domain (i have many domains spread on 4 email servers in different locations) to send mail only to some specific domains (the ones in our company) not to the whole world? remember that i want only some users of one domain to be restricted and some of the same domain to be able to send mail without restrictions. and is there a way to have a copy of all sent emails of a certain user? (qmail does this but i have to recompile it, and it is not only for one user but for all traffic)

thanks
cristi

---
This message and its contents have been scanned and certified for transmission as being free from malicious code by <>. This message may contain confidential, privileged or other legally protected information. It is intended for the addressee(s) only. If you are not the addressee, or someone the addressee authorized to receive this message, you are prohibited from copying, distributing or otherwise using it. Please notify the sender and return it. Thank you.
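Added example, not a qmail-smtpd patch: the policy check the reply sketches for the RCPT stage, as a standalone function so the rules can be tested before being wired into mail_rcpt(). Inputs are the authenticated user (the reply proposes reading the authenticated domain out of RELAYCLIENT; here it is passed in explicitly), the envelope MAIL FROM and RCPT TO, the per-user "restricted" flag standing in for one of the vpopmail USER_# flags, and the list of company domains a restricted user may write to. Header From:/To: are deliberately not consulted, for the reason the reply gives: the sender controls them. Domains compare case-insensitively and an address without an '@' is refused. The allow-list is constructed.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>

enum rcpt_verdict {
    RCPT_OK = 0,
    RCPT_NOT_AUTH,          /* no SMTP AUTH user: refuse on a submission port */
    RCPT_BAD_ADDR,          /* envelope address without a domain part */
    RCPT_SENDER_MISMATCH,   /* restricted user claiming a foreign envelope sender */
    RCPT_DEST_NOT_ALLOWED   /* restricted user writing outside the company */
};

/* Domain part of addr (after the last '@'), lower-cased into out.
 * Returns 0 when there is no '@', the domain is empty, or it does not fit. */
int addr_domain(const char *addr, char *out, size_t outlen)
{
    const char *at = strrchr(addr, '@');
    size_t i;
    if (at == NULL || at[1] == '\0' || strlen(at + 1) >= outlen)
        return 0;
    for (i = 0; at[1 + i] != '\0'; i++)
        out[i] = (char)tolower((unsigned char)at[1 + i]);
    out[i] = '\0';
    return 1;
}

/* Decide one RCPT. `allowed` is a NULL-terminated list of domains a
 * restricted user may send to; unrestricted users relay as usual. */
enum rcpt_verdict rcpt_allowed(const char *auth_user, const char *mail_from,
                               const char *rcpt_to, int restricted,
                               const char *const allowed[])
{
    char authdom[256], fromdom[256], todom[256];

    if (auth_user == NULL || auth_user[0] == '\0')
        return RCPT_NOT_AUTH;
    if (!addr_domain(auth_user, authdom, sizeof authdom) ||
        !addr_domain(mail_from, fromdom, sizeof fromdom) ||
        !addr_domain(rcpt_to, todom, sizeof todom))
        return RCPT_BAD_ADDR;
    if (!restricted)
        return RCPT_OK;
    /* a restricted user may only use an envelope sender in their own domain */
    if (strcmp(fromdom, authdom) != 0)
        return RCPT_SENDER_MISMATCH;
    for (int i = 0; allowed[i] != NULL; i++)
        if (strcasecmp(todom, allowed[i]) == 0)
            return RCPT_OK;
    return RCPT_DEST_NOT_ALLOWED;
}

/* Constructed allow-list: the company's own domains. */
const char *const COMPANY_DOMAINS[] = { "example.com", "partner.example", NULL };
```

Because vchkpw authenticates with the full address (user@domain), the authenticated domain is always available to the check; a null sender (MAIL FROM:<>) comes out as RCPT_BAD_ADDR here, which is the conservative choice for a submission port where real users never send bounces.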

[vchkpw] qmailmrtg7 simscan patch update.

2006-05-10 Thread Michael Krieger
An update on the qmailmrtg7 simscan patch.

Remove the following (line 280)

    } else if ((tmpstr1 = strstr(TmpBuf, ":RELAYCLIENT:"))!=NULL) {
        // just log message
        ++tclean;

as this is logging outgoing messages and hence making the numbers look lower than they are.

The new patch should first check for rejection, then for tagging, otherwise for clean, since spam scanning doesn't run when relayclient is set.

-M

Re: [vchkpw] Vpopmail With Only One Domain and POP Logins

2006-05-09 Thread Michael Krieger
You're looking for vipmap and the --enable-ip-alias-domain configure option:

  # --enable-ip-alias-domains
  #   Enable mapping of default domain via reverse ip lookup table.

See README.ipaliasdomains for more information in the vpopm ail distribution.

You want to add a record (vipmap -h for details) for your primary domain name to your IP address that they'll use to connect (or for each IP address) on your server.

-M

Ken Schweigert <[EMAIL PROTECTED]> wrote:

I'm migrating a client's mail server to a qmail+vpopmail setup following the directions at http://www.shupp.org/toaster . They had a qmail+system-level-account setup before.

My question: since this is the only domain that will be on the box, is there a way to allow the users to login as just their login name as opposed to complete email address? This would make the migration tons easier since I wouldn't have to go to every user's machine (over a hundred) and walk them through changing the client settings. If they could still be able to login as 'sallysue' instead of '[EMAIL PROTECTED]' there wouldn't need to be any changes on their end.

Thanks!
-ken schweigert

Re: [vchkpw] Crash in qmailadmin 1.2.10/vpopmail 5.4.16 adding first forward

2006-05-09 Thread Michael Krieger
Ken- a segfault patch against 5.4.16 is attached.

Since mydir is static (and hence survives the function call), if max_names is null (which happens if there are no aliases on the domain), then mydir has been closed, but mydir is not set to NULL. Hence when it does a second iteration of the function as qmailadmin will, it will segfault since it's not null, yet is closed.

See attached.

I also attached my patch from earlier regarding forcing at least read/write permissions on the lock file, as I'm finding qmailadmin is creating them with no permissions (likely relating to a umask or something Debian related, so it's always best to force the permissions of the lock file).

-M

Michael Krieger <[EMAIL PROTECTED]> wrote:

Seems there's a crash in qmailadmin/vpopmail still when adding only the first forward in a domain. The second works fine, but deleting the first and recreating it even shows an internal server error.

I'll have another look at the source, but I think there's still some bugs left to squash.

-M

vpalias.segfault.crash.20060509.patch.gz
Description: 3308966721-vpalias.segfault.crash.20060509.patch.gz


vpopmail-5.4.16-lockperm.patch.gz
Description: 3462119702-vpopmail-5.4.16-lockperm.patch.gz
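Added example, not the attached vpopmail patch (which is a .gz attachment and not reproduced on this page): the pattern behind the crash described above. A directory handle kept in a static so that it survives between calls has to be reset to NULL when it is closed; otherwise the next call sees a non-NULL pointer, assumes the stream is still open, and readdir() or closedir() on a freed DIR* crashes. next_name() walks a directory one entry per call, returns NULL at the end (or when the directory is empty or cannot be opened) and always leaves the static NULL once the stream is closed, so calling it again simply starts a fresh run. demo_empty_twice() reproduces the reported case, an empty alias directory iterated twice in a row; the temp-directory name is an assumption of the example.

```c
#include <dirent.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

static DIR *mydir = NULL;   /* survives between calls, like the static in vpalias */

/* Returns the next entry name (skipping "." and "..") or NULL at the end.
 * Safe to call again after an exhausted run: the static is never left
 * pointing at a closed stream. */
const char *next_name(const char *path)
{
    struct dirent *ent;

    if (mydir == NULL) {
        mydir = opendir(path);
        if (mydir == NULL)
            return NULL;                /* nothing open, so nothing to close */
    }
    while ((ent = readdir(mydir)) != NULL) {
        if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
            continue;
        return ent->d_name;
    }
    /* End of directory: close AND reset. Resetting is the step the crash lacked. */
    closedir(mydir);
    mydir = NULL;
    return NULL;
}

/* Count the entries in `path` by running the iterator to exhaustion.
 * Calling this twice in a row is the double invocation qmailadmin makes. */
int count_names(const char *path)
{
    int n = 0;
    while (next_name(path) != NULL)
        n++;
    return n;
}

/* The reported case: a directory with no entries (no aliases) iterated
 * twice. Returns the sum of both counts (expected 0), or -1 if the temp
 * directory could not be created. Without the reset, the second run would
 * call readdir() on a closed stream. */
int demo_empty_twice(void)
{
    char dir[] = "/tmp/vpaliasXXXXXX";   /* assumed writable location */
    int total;
    if (mkdtemp(dir) == NULL)
        return -1;
    total = count_names(dir) + count_names(dir);
    rmdir(dir);
    return total;
}
```

The same rule applies to any static FILE* or fd kept across calls: whoever closes it owns the job of invalidating the handle, because the next caller has no other way to tell "open" from "dangling".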


[vchkpw] Crash in qmailadmin 1.2.10/vpopmail 5.4.16 adding first forward

2006-05-09 Thread Michael Krieger
Seems there's a crash in qmailadmin/vpopmail still when adding only the first forward in a domain. The second works fine, but deleting the first and recreating it even shows an internal server error.

I'll have another look at the source, but I think there's still some bugs left to squash.

-M

Re: [vchkpw] Corrupt return-path help? [OT]

2006-05-09 Thread Michael Krieger
Have the same thing with a message with a CTRL-Z in the from/reply-to line. It's fine as a local delivery, but since forwards even within the same domain go in as &[EMAIL PROTECTED] then it gets called with qmail-inject.

> From: "Eva Andrews" <)^Z>
> X-Mailer: The Bat! (v2.00.9) Business
> Reply-To: "Eva Andrews" <)^Z>

  qmail-inject:_fatal:_unable_to_parse_this_line:/From:_"Eva_Andrews"_<)_>/user_does_not_exist,_but_will_deliver_to_/home/vpopmail/domains/domain.ca/bob//system_error/

I don't think this is directly linked to the previous malformed e-mail that had no Return-Path but instead had Return-Path: Received, as this has a ^Z in the mail from whereas the e-mail before seemed to have normal characters... unless it's all-round the use of qmail-inject as Jeremy suggests.

-M

Re: [vchkpw] [vpopmail] handle 'postmaster' as non existing user (reject mails)

2006-05-09 Thread Michael Krieger
Ken Jones <[EMAIL PROTECTED]> wrote:
> I've been thinking of setting up all new domains this way. Nobody really reads postmaster email.

I do see the occasional person who does, but it's rare. I like the 'set the bounce flag' idea suggested in this thread. Postmaster should have the bounce message flag set, so that it's not even accepted by chkuser at the smtp level, as opposed to accepting the mail and then bouncing it.

The code in chkuser is:

  if (user_passwd->pw_gid & BOUNCE_MAIL)

so it seems to take it into account.

Personally I wouldn't worry about running vdelivermail. If it's set with a bounce_mail flag as in chkuser (which I'd guess most people use) then it'll never run vdelivermail anyway, and any locally inserted mail would have the extra vdelivermail execution- but that'll be rare if ever.

-M

Re: [vchkpw] [vpopmail] handle 'postmaster' as non existing user (reject mails)

2006-05-09 Thread Michael Krieger
Easiest thing to do is add a .qmail file in the postmaster directory stating '|/bin/true delete' to scrap the message [just sets it as deleted by default].

Now I'd imagine the main frontline you'd want to investigate is chkuser.c if you use it. By line 567, it's got a user and domain split. Under case 10, it actually does the user check, so just have it test the user for 'postmaster' and return a failed 'user does not exist'.

I'd point you to the RFCs that state that the postmaster must exist and should accept mail, but since you're asking, you probably don't really mind.

-M

Lars Uhlmann <[EMAIL PROTECTED]> wrote:

We only need this mailbox for 'qmailadmin' to log in. Is it possible to treat this account as non existing? I've tried a domain-global '.qmail-postmaster' (... bounce-no-mailbox) and a '.qmail' (same content) inside the folder 'postmaster' but nothing worked.

regards
  Lars

Re: [vchkpw] Corrupt return-path help? [OT]

2006-05-08 Thread Michael Krieger
5.4.15- the one that was current beyond a couple days ago.

-M

Tom Collins <[EMAIL PROTECTED]> wrote:

On May 8, 2006, at 12:08 PM, Michael Krieger wrote:
> Is this a bug in vdelivermail? The message into vdelivermail seems to have a valid return-path, and coming out of vdelivermail into qmail-inject appears to blank the line but not remove it: Return-Path: Received: from keit

What version of vpopmail? vdelivermail went through huge changes in 5.4.11.

--
Tom Collins - [EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/  Vpopmail: http://vpopmail.sf.net/

Re: [vchkpw] vpopmail 5.4.16 locking issue?

2006-05-08 Thread Michael Krieger
Permissions is the answer. .vpasswd.lock is being created 000 by vpopmail.

I made a patch to add the mode to it. Since it's being created by vpopmail, it should be 600. It seems it's not only qmailadmin that is doing this, but also vadduser for example is making a 000 lock file.

Patch attached,

-M

Michael Krieger <[EMAIL PROTECTED]> wrote:

Seem to be having an issue since vpopmail 5.4.16 and qmailadmin 1.2.10.

The first operation tends to work alright, such as creating a user, deleting a user, or so on, however the second fails. Even changing a password fails.

If I delete the .vpasswd.lock file everything goes through... for one more usage.

I scanned through vcdb.c and didn't see anything, and I'm looking through vpopmail.c now. Any ideas on this one?

-M

vpopmail-5.4.16-lockperm.patch.gz
Description: 3462119702-vpopmail-5.4.16-lockperm.patch.gz
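Added example, not the attached lockperm patch (a .gz attachment, not reproduced on this page): creating a lock file with an explicit, forced mode. A 000 lock file is what you get when the mode argument to open(O_CREAT) is left out or is 0, or when the process umask strips the bits; the fix described in the thread is to pass a mode and then force it, and fchmod() is the call that does that because it is not subject to umask. create_lock() does both and returns the descriptor, lock_mode() reports what ended up on disk, and demo_lock_mode() reproduces the report under a hostile umask. Only the owner (the vpopmail user) needs access, hence 0600. The temp-directory name is an assumption of the example.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

#define LOCK_MODE 0600

/* Create `path` exclusively (fails if it already exists, as a lock must),
 * with mode 0600 regardless of umask. Returns the fd or -1. */
int create_lock(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, LOCK_MODE);
    if (fd < 0)
        return -1;
    /* umask may have removed bits from LOCK_MODE at creation; fchmod ignores it */
    if (fchmod(fd, LOCK_MODE) < 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    return fd;
}

/* Permission bits of `path`, or -1 if it does not exist. */
int lock_mode(const char *path)
{
    struct stat st;
    if (stat(path, &st) < 0)
        return -1;
    return (int)(st.st_mode & 07777);
}

/* Reproduce the report: create a lock in a fresh temp dir under umask
 * 0777 (which would leave a plain open() with 000) and return the mode
 * actually on disk (expected 0600). Returns -1 if setup failed and -2 if
 * a second create_lock() on the same path wrongly succeeded. */
int demo_lock_mode(void)
{
    char dir[] = "/tmp/vpasswdlockXXXXXX";   /* assumed writable location */
    char path[64];
    mode_t old;
    int fd, second, mode;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(path, sizeof path, "%s/.vpasswd.lock", dir);
    old = umask(0777);
    fd = create_lock(path);
    second = create_lock(path);              /* must fail: lock already held */
    umask(old);
    mode = fd < 0 ? -1 : lock_mode(path);
    if (fd >= 0)
        close(fd);
    unlink(path);
    rmdir(dir);
    if (second >= 0) {
        close(second);
        return -2;
    }
    return mode;
}
```

O_EXCL is what makes the file usable as a lock at all: two processes racing to create it cannot both succeed, which is also why a stale 000 lock left behind blocks every later operation until it is removed, exactly the "works once" symptom in the original report.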


[vchkpw] vpopmail 5.4.16 locking issue?

2006-05-08 Thread Michael Krieger
Seem to be having an issue since vpopmail 5.4.16 and qmailadmin 1.2.10.

The first operation tends to work alright, such as creating a user, deleting a user, or so on, however the second fails. Even changing a password fails.

If I delete the .vpasswd.lock file everything goes through... for one more usage.

I scanned through vcdb.c and didn't see anything, and I'm looking through vpopmail.c now. Any ideas on this one?

-M

Re: [vchkpw] Corrupt return-path help? [OT]

2006-05-08 Thread Michael Krieger
The message comes in properly (or so it seems) and into qmail-local and then vdelivermail. It reads a .qmail file that says &[EMAIL PROTECTED] and has a second line with the maildir. The first one [the inject] is failing, which vdelivermail is supposed to be handling.

Is this a bug in vdelivermail? The message into vdelivermail seems to have a valid return-path, and coming out of vdelivermail into qmail-inject appears to blank the line but not remove it:

  Return-Path: Received: from keit

-M

Michael Krieger <[EMAIL PROTECTED]> wrote:

Somewhat off-topic, but I'm imagining that somewhere in the mix is where this is all beginning.

This is an example of a [junk but unscanned] message [slightly edited for the actual e-mail addresses, though mostly should be the same] that was received. You'll notice the Return-Path: fails to have any data or a newline after it, being prepended to a received line that already exists.

I then get this in my qmail log file:

  qmail-inject:_fatal:_unable_to_parse_this_line:/Return-Path:_Received:_...

when it tries to forward the mail based on a .qmail file.

So my question is where would this be allowed into the system? Shouldn't qmail-smtpd (and simscan) be adding a proper return path based on the senders' from address when it passes it along for the initial delivery?

  Received: (qmail 27397 invoked by uid 89); 8 May 2006 13:12:31 -0400
  Received: by simscan 1.2.0 ppid: 27387, pid: 27395, t: 0.0977s scanners: clamav: 0.88.2/m:38/d:1448
  DomainKey-Status: no signature
  Received: from unknown (HELO 211.57.43.201) (211.57.43.201)
    by suede.mydomain.com with SMTP; 8 May 2006 13:12:28 -0400
  Received-SPF: neutral (suede.mydomain.com: 211.57.43.201 is neither permitted nor denied by SPF record at _spf.google.com)
  Return-Path: Received: from keith.lloyd.com (keith.lloyd.com [158.222.0.2]) by mailgate.yorkinternet.net with ESMTP; May, 08 2006 12:03:14 PM -0300
  Received: from mail.bellsouth.com (mail.bellsouth.com [139.76.165.130]) by mail.landg.com with smtp; May, 08 2006 10:54:17 AM -0300
  From: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
  To: [EMAIL PROTECTED]
  Subject: Atuh stock is on the move !!! Could double in a week qqkl
  Sender: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
  Mime-Version: 1.0
  Content-Type: text/html; charset="iso-8859-1"
  Date: Mon, 8 May 2006 12:12:27 -0500
  X-Mailer: Microsoft Outlook Build 10.0.2616

Any help is appreciated,

-M

Re: [vchkpw] Corrupt return-path help? [OT]

2006-05-08 Thread Michael Krieger
Sorry- I meant shouldn't this be added by qmail-local on delivery. I guess I am trying to figure out why it isn't properly adding it.

-M

Michael Krieger <[EMAIL PROTECTED]> wrote:

Somewhat off-topic, but I'm imagining that somewhere in the mix is where this is all beginning.

This is an example of a [junk but unscanned] message [slightly edited for the actual e-mail addresses, though mostly should be the same] that was received. You'll notice the Return-Path: fails to have any data or a newline after it, being prepended to a received line that already exists.

I then get this in my qmail log file:

  qmail-inject:_fatal:_unable_to_parse_this_line:/Return-Path:_Received:_...

when it tries to forward the mail based on a .qmail file.

So my question is where would this be allowed into the system? Shouldn't qmail-smtpd (and simscan) be adding a proper return path based on the senders' from address when it passes it along for the initial delivery?

  Received: (qmail 27397 invoked by uid 89); 8 May 2006 13:12:31 -0400
  Received: by simscan 1.2.0 ppid: 27387, pid: 27395, t: 0.0977s scanners: clamav: 0.88.2/m:38/d:1448
  DomainKey-Status: no signature
  Received: from unknown (HELO 211.57.43.201) (211.57.43.201)
    by suede.mydomain.com with SMTP; 8 May 2006 13:12:28 -0400
  Received-SPF: neutral (suede.mydomain.com: 211.57.43.201 is neither permitted nor denied by SPF record at _spf.google.com)
  Return-Path: Received: from keith.lloyd.com (keith.lloyd.com [158.222.0.2]) by mailgate.yorkinternet.net with ESMTP; May, 08 2006 12:03:14 PM -0300
  Received: from mail.bellsouth.com (mail.bellsouth.com [139.76.165.130]) by mail.landg.com with smtp; May, 08 2006 10:54:17 AM -0300
  From: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
  To: [EMAIL PROTECTED]
  Subject: Atuh stock is on the move !!! Could double in a week qqkl
  Sender: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
  Mime-Version: 1.0
  Content-Type: text/html; charset="iso-8859-1"
  Date: Mon, 8 May 2006 12:12:27 -0500
  X-Mailer: Microsoft Outlook Build 10.0.2616

Any help is appreciated,

-M

[vchkpw] Corrupt return-path help? [OT]

2006-05-08 Thread Michael Krieger
Somewhat off-topic, but I'm imagining that somewhere in the mix is where this is all beginning.

This is an example of a [junk but unscanned] message [slightly edited for the actual e-mail addresses, though mostly should be the same] that was received. You'll notice the Return-Path: fails to have any data or a newline after it, being prepended to a received line that already exists.

I then get this in my qmail log file:

  qmail-inject:_fatal:_unable_to_parse_this_line:/Return-Path:_Received:_...

when it tries to forward the mail based on a .qmail file.

So my question is where would this be allowed into the system? Shouldn't qmail-smtpd (and simscan) be adding a proper return path based on the senders' from address when it passes it along for the initial delivery?

  Received: (qmail 27397 invoked by uid 89); 8 May 2006 13:12:31 -0400
  Received: by simscan 1.2.0 ppid: 27387, pid: 27395, t: 0.0977s scanners: clamav: 0.88.2/m:38/d:1448
  DomainKey-Status: no signature
  Received: from unknown (HELO 211.57.43.201) (211.57.43.201)
    by suede.mydomain.com with SMTP; 8 May 2006 13:12:28 -0400
  Received-SPF: neutral (suede.mydomain.com: 211.57.43.201 is neither permitted nor denied by SPF record at _spf.google.com)
  Return-Path: Received: from keith.lloyd.com (keith.lloyd.com [158.222.0.2]) by mailgate.yorkinternet.net with ESMTP; May, 08 2006 12:03:14 PM -0300
  Received: from mail.bellsouth.com (mail.bellsouth.com [139.76.165.130]) by mail.landg.com with smtp; May, 08 2006 10:54:17 AM -0300
  From: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
  To: [EMAIL PROTECTED]
  Subject: Atuh stock is on the move !!! Could double in a week qqkl
  Sender: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
  Mime-Version: 1.0
  Content-Type: text/html; charset="iso-8859-1"
  Date: Mon, 8 May 2006 12:12:27 -0500
  X-Mailer: Microsoft Outlook Build 10.0.2616

Any help is appreciated,

-M

[vchkpw] problem overriding qmailadmin limits at authentication?

2006-05-07 Thread Michael Krieger
Interesting problem..

qmailadmin-limits is my default that has disable_imap set for the domain. Naturally that should make new accounts have that limit.

Sadly though, I want some people to use imap. So I clear the flags (-x) with vmoduser, but the disable_imap still holds true, rejecting the login.

I don't recall it working that way before. Is this something new?

-M

Re: [vchkpw] Best way to receive mail on TWO servers

2006-05-03 Thread Michael Krieger
Yes. Set up a new copy of qmail in a different folder other than /var/qmail [or your current location] (see conf-*), as otherwise you can't have two running on the same machine, unless they point to the same queue and all.

Bring up tcpserver for the second installation on a different port- if you care to take over a valid but lesser used port, try 26.

Then add an smtproute (man qmail-remote for details) for :localhost:26 [do check the syntax] to route all mail to that smtp server.

Of course, if you lose the mail, you still lose the mail. I'd advise delivering to a maildir locally and maybe using some of the many tools to send a mail queue from a maildir to a relay instead, leaving a copy of the mail for safekeeping.

-M

Jeremy Oddo <[EMAIL PROTECTED]> wrote:

Does anyone have suggestions for sending all incoming mail to two servers?

I have a vpopmail server in place. I want to replace it with an upgraded server. I want both to receive mail for a bit so I can test the new server. I only have one external IP address. Is there a way to tell the first server to send the incoming mail over to the new server?

Thanks.

Re: [vchkpw] Force Auth from all but localhost

2006-04-14 Thread Michael Krieger
You'd want something like http://www.netable.com/~dburkes/qmail-smtpd-requireauth/dist/qmail-smtpd-requireauth-0.30.tar.gz to do it. Note that this patch is against old/different versions of the auth patch, so you'll have to just use it as a guide and do it by hand. In specific, and if I recall correctly, authd is renamed and you have to move a define for requireauth up a bit higher in the file. If you need a hand with that let me know. Then add REQUIREAUTH="" to your tcp.smtp file.

You _DO NOT_ want to have this on port 25 for the default connection if you're receiving mail from others. It is useful for port 587 or some other submission port where you don't want non-authenticated mail to come through, so that you don't have to worry about Spam on these ports, and always know you have a user [useful for domainkeys for example to make sure that the auth user is always set].

  localhost:allow
  my.class.c.:allow
  :allow,REQUIREAUTH=""

-M

Sascha Ebach <[EMAIL PROTECTED]> wrote:

Hi,

how can I enforce that everybody (except localhost) has to authenticate via smtp auth. The way I have it configured now is that all that are not in rcpthosts have to authenticate, but all that are in rcpthosts can be sent email without auth. How can I change that?

Thank you.

--
Sascha Ebach   Digitale Wertschöpfung
Hugo-Junkers-Str. 26   50739 Köln
Tel: 0221 / 5994393
Fax: 0221 / 5994394
mailto:[EMAIL PROTECTED]
Web: http://www.digitale-wertschoepfung.de
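Added example, not ucspi-tcp code: how tcpserver picks a tcp.smtp rule for a connecting address and which environment variables that rule hands to qmail-smtpd, so a rule set like the one above can be checked before it is compiled and put live. With hostname lookups off (tcpserver -H, as recommended elsewhere in this thread) there are no =host rules, and the lookup order is the exact IP first, then IP prefixes ending in a dot from longest to shortest ("1.2.3.", "1.2.", "1."), then the empty default; the first match wins. RELAYCLIENT is the variable that makes qmail-smtpd ignore rcpthosts, and REQUIREAUTH is the one the patch above adds. Only the textual rule file is modelled, not the cdb tcprules builds from it; the rule set is constructed.

```c
#include <stdio.h>
#include <string.h>

struct tcp_decision {
    int allow;           /* 1 allow, 0 deny */
    int relayclient;     /* RELAYCLIENT set: rcpthosts ignored, relaying on */
    int requireauth;     /* REQUIREAUTH set: unauthenticated MAIL refused */
    char rule[128];      /* address pattern of the rule that matched */
};

/* Apply the rule line "addr:allow|deny[,VAR="v",...]" if addr == want. */
static int rule_applies(const char *line, const char *want, struct tcp_decision *d)
{
    const char *colon = strchr(line, ':');
    size_t alen;
    if (colon == NULL)
        return 0;
    alen = (size_t)(colon - line);
    if (alen != strlen(want) || strncmp(line, want, alen) != 0)
        return 0;
    d->allow = strncmp(colon + 1, "allow", 5) == 0;
    d->relayclient = strstr(colon + 1, ",RELAYCLIENT=") != NULL;
    d->requireauth = strstr(colon + 1, ",REQUIREAUTH=") != NULL;
    snprintf(d->rule, sizeof d->rule, "%.*s", (int)alen, line);
    return 1;
}

/* Scan the newline-separated rule text for an address exactly equal to want. */
static int find_rule(const char *rules, const char *want, struct tcp_decision *d)
{
    const char *line = rules;
    while (*line != '\0') {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char one[256];
        if (len < sizeof one) {
            memcpy(one, line, len);
            one[len] = '\0';
            if (one[0] != '#' && rule_applies(one, want, d))
                return 1;
        }
        line = nl ? nl + 1 : line + len;
    }
    return 0;
}

/* Resolve ip the way tcpserver does with -H (no hostname rules):
 * exact IP, then "a.b.c.", "a.b.", "a.", then the default "". */
int tcprules_lookup(const char *rules, const char *ip, struct tcp_decision *d)
{
    char want[64];
    size_t k;
    memset(d, 0, sizeof *d);
    if (strlen(ip) >= sizeof want)
        return 0;
    strcpy(want, ip);
    for (;;) {
        if (find_rule(rules, want, d))
            return 1;
        if (want[0] == '\0')
            return 0;                              /* default tried: no match */
        k = strlen(want);
        if (want[k - 1] == '.')
            k--;                                   /* drop the dot of the prefix just tried */
        while (k > 0 && want[k - 1] != '.')
            k--;                                   /* back up to the previous dot */
        want[k] = '\0';
    }
}

/* Bitmask form for quick checks: 1 matched, 2 allow, 4 RELAYCLIENT, 8 REQUIREAUTH. */
int tcprules_flags(const char *rules, const char *ip)
{
    struct tcp_decision d;
    if (!tcprules_lookup(rules, ip, &d))
        return 0;
    return 1 | (d.allow ? 2 : 0) | (d.relayclient ? 4 : 0) | (d.requireauth ? 8 : 0);
}

/* Constructed tcp.smtp in the shape of the one above: loopback may relay,
 * one office range is plain allow with one host denied, and everyone
 * else is accepted only if they authenticate. */
const char SAMPLE_RULES[] =
    "127.:allow,RELAYCLIENT=\"\"\n"
    "192.0.2.:allow\n"
    "192.0.2.99:deny\n"
    ":allow,REQUIREAUTH=\"\"\n";
```

The two things worth checking with it are the ones that bite in practice: a specific-IP deny inside an allowed prefix really does win (192.0.2.99 above), and the only rule that sets RELAYCLIENT is one you meant to, because any address reaching such a rule skips rcpthosts entirely.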

Re: [vchkpw] rblsmtpd with vchkpw

2006-04-04 Thread Michael Krieger
Use a scoring based RBL check. rblsmtpd denies all connections existing in RBLs. You could modify it to do a scoring algorithm if you wanted, finding only the popular entries. SpamAssassin (with simscan) will do what you want, adding a score based on the credibility and error rates of each RBL. So something in one RBL will have a higher Spam score (and combined with other features may throw it over the edge), but something in three RBLs will be enough to reject the message.

You could of course just find RBLs that don't block your customers or have good removal rules.

-M

Fernando Milovich <[EMAIL PROTECTED]> wrote:

I mean bypass RBL if the client is authenticated. But it seems to be not possible.

This problem is because our customers use ISP connections like ADSL and Dial Up and these connections are blocked by CBL at spamhaus.org

I think I'll have to change the RBL checker.

Thanks so much.

- Original Message -
From: "John Simpson"
To:
Sent: Monday, April 03, 2006 7:18 PM
Subject: Re: [vchkpw] rblsmtpd with vchkpw
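Added example, not rblsmtpd or SpamAssassin code: the scoring idea from the reply above as a small function. Each list gets a weight reflecting how far you trust it, and a connection is rejected only when the total crosses a threshold, so a single listing on a list that sweeps up whole ADSL and dial-up ranges (the CBL case in the question) is not enough on its own while concurrent listings are. It also shows the query name a DNSBL lookup actually sends (octets reversed, zone appended) and the bypass asked about: authenticated clients, which have RELAYCLIENT set, are never checked. DNS is replaced by a constructed table of listed query names so the code runs offline; the zone names and weights are illustrative assumptions.

```c
#include <stdio.h>
#include <string.h>

struct rbl { const char *zone; double weight; };

/* Weights are illustrative; tune them to each list's false-positive rate. */
static const struct rbl RBLS[] = {
    { "zen.spamhaus.example", 3.0 },
    { "bl.spamcop.example",   2.0 },
    { "dyn.dnsbl.example",    1.5 },   /* dynamic-range list: not enough on its own */
};
static const double REJECT_AT = 4.0;

/* Constructed stand-in for DNS: the query names that would get an answer. */
static const char *const LISTED[] = {
    "5.100.51.198.dyn.dnsbl.example",
    "77.100.51.198.dyn.dnsbl.example",
    "77.100.51.198.bl.spamcop.example",
    "77.100.51.198.zen.spamhaus.example",
    "9.113.0.203.zen.spamhaus.example",
    "9.113.0.203.bl.spamcop.example",
    NULL,
};

/* Build the DNSBL query name for a dotted-quad IP: octets reversed, zone
 * appended ("198.51.100.5" + "zen..." -> "5.100.51.198.zen..."). Returns 0
 * (and an empty string) if ip is not a valid IPv4 address. */
int rbl_query_name(const char *ip, const char *zone, char *out, size_t outlen)
{
    unsigned a, b, c, d;
    char extra;
    int n;
    if (outlen == 0)
        return 0;
    out[0] = '\0';
    if (sscanf(ip, "%3u.%3u.%3u.%3u%c", &a, &b, &c, &d, &extra) != 4 ||
        a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    n = snprintf(out, outlen, "%u.%u.%u.%u.%s", d, c, b, a, zone);
    return n > 0 && (size_t)n < outlen;
}

/* Stand-in for the DNS lookup: is the query name in the constructed table? */
int rbl_listed(const char *ip, const char *zone)
{
    char q[256];
    if (!rbl_query_name(ip, zone, q, sizeof q))
        return 0;
    for (int i = 0; LISTED[i] != NULL; i++)
        if (strcmp(LISTED[i], q) == 0)
            return 1;
    return 0;
}

/* Sum of the weights of every list that carries ip. */
double rbl_score(const char *ip)
{
    double s = 0.0;
    for (size_t i = 0; i < sizeof RBLS / sizeof RBLS[0]; i++)
        if (rbl_listed(ip, RBLS[i].zone))
            s += RBLS[i].weight;
    return s;
}

/* 1 = refuse at SMTP time, 0 = let it through (content scanning can still
 * tag it). Authenticated clients (RELAYCLIENT set by SMTP AUTH) skip the
 * check entirely, which is the bypass the question asked for. */
int rbl_reject(const char *ip, int relayclient)
{
    if (relayclient)
        return 0;
    return rbl_score(ip) >= REJECT_AT;
}
```

In production the lookup in rbl_listed() becomes a DNS A query for the name rbl_query_name() builds, and the decision is made before the client is told 220 so that a rejected connection costs no message transfer.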

Re: [vchkpw] Re: 5.4.15 onchange patch

2006-03-28 Thread Michael Krieger
> It is indeed possible to use wrappers as you do, but this adds overhead to every invocation of [insert program here] which I'd rather avoid.

How much overhead do you think executing a shell script and an internal call to test implements? How often do you think IMAP connections are made? Think of all the calls that already wrap around shells. Think of how many exec calls (or their variants in this case) are made to run tcpserver, authentication programs, bincimap-up, and bincimapd? Why not modify bincimap or bincimap-up to do the same thing on invocation and provide the patch to the bincimap folks instead- a likely better way to do things.

Just don't get caught up in the hype as to how much faster c programs are- when the shell is probably kept in memory, and the stat calls used by test are cached, this isn't a huge performance hit- especially for a connection like imap that is more persistent.

I run about 10K+ users on bincimap through this linkwrapper and generally see almost no load... I know that's vague, but I've never benchmarked the use with or without a simple shell script.

> It's incredibly easy to add or modify functionality to qpsmtpd because of the plugin hooks that are built-in.

I'd suggest that:

1. qpsmtpd lacks many plugins and doesn't seem to have a lot of support in the community, along with the various plugin methods to qmail-smtpd. I'm sure there's a good chunk of overhead in there as well, not to mention difficulties like plugin ordering, etc.
2. vpopmail manages qmail users and delivers mail. I'm wary of making it even more of a kitchen sink to start adding plugins and management functions that would likely be used by a small number. It's still changing considerably between major releases.

> Anyway, I've solved the IMAPdir issue a different way (see separate post).

Saw it- thumbs up. Glad you solved your issue.

-M

Re: [vchkpw] Patch to create IMAPdir

2006-03-28 Thread Michael Krieger
Did you see my post last night about the same issue and wrapping a shell script and exec call around bincimap? It means you don't have to deal with this problem for pop/smtp uses, but only imap.

Why modify vpopmail to do something specific to another program?

-M

Robin Bowes <[EMAIL PROTECTED]> wrote:

Hi all,

After struggling for some time to get skeldir functionality to work, I've given up for now.

The primary reason for wanting skeldirs was so that new accounts could be created with IMAPdir support for use with bincimap.

The following patch modifies vpopmail to create an IMAPdir directory. It also modifies r_chown to work correctly with symlinks (required since IMAPdir contains a symlink IMAPdir/INBOX -> ../Maildir/)

R.

--- vpopmail-5.4.15/vpopmail.c 
 2006-01-17 11:30:52.0 -0800+++ vpopmail-5.4.15-IMAPdir/vpopmail.c  2006-03-27 11:30:50.0 -0800@@ -1298,11 +1298,16 @@   while((mydirent=readdir(mydir))!=NULL){ if ( strncmp(mydirent->d_name,".", 2)!=0 &&  strncmp(mydirent->d_name,"..", 3)!=0 ) {-  stat( mydirent->d_name, &statbuf);-  if ( S_ISDIR(statbuf.st_mode) ) {-r_chown( mydirent->d_name, owner, group);+  lstat( mydirent->d_name, &statbuf);+  // don't recurse into symlinks - just chown symlink to owner:group+  if ( S_ISLNK(statbuf.st_mode) ) {+lchown(mydirent->d_name,owner,group);   } else {-chown(mydirent->d_name,owner,group);+if ( S_ISDIR(statbuf.st_mode) ) {+  r_chown( mydirent->d_name, owner, group);+} else {+  chown(mydirent->d_name,owner,group);+}   } }   }@@ -2115,7
 +2120,7 @@  struct vqpasswd *mypw;  char calling_dir[MAX_BUFF];  char domain_dir[MAX_BUFF];- const char *dirnames[] = {"Maildir", "Maildir/new", "Maildir/cur",+ const char *dirnames[] = {"Maildir", "IMAPdir", "Maildir/new","Maildir/cur","Maildir/tmp"};  int i;@@ -2175,6 +2180,16 @@ }   }+  // Add the symlink IMAPdir/INBOX -> ../Maildir/+  if (symlink("../Maildir/", "IMAPdir/INBOX") == -1) {+fprintf(stderr, "make_user_dir: failed to symlink %s\n","IMAPdir/INBOX");+/* back out of changes made above */+chdir("..");+vdelfiles(username);+chdir(calling_dir);+return(NULL);+  }+   /* set permissions on the user's dir */   r_chown(".", uid, gid);
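Review bot: the return value of lstat() in the r_chown hunk is still unchecked, as stat()'s was before; if lstat fails (entry removed between readdir and lstat, or a permission problem) statbuf still holds the previous entry's mode and the code may recurse into, or lchown, the wrong kind of entry. Test it before the S_ISLNK/S_ISDIR checks, for example `if (lstat(mydirent->d_name, &statbuf) != 0) continue;`, or report the error. The move from stat() to lstat() plus lchown() is otherwise the right fix: stat() follows the link, so the old code would have recursed through IMAPdir/INBOX into ../Maildir and chowned that tree a second time.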
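Review bot: adding "IMAPdir" to dirnames creates the directory for every new user on every installation, whether or not bincimap is in use; consider guarding it (and the symlink in the later hunk) with a configure option or a control file so that servers running other IMAP daemons do not grow an unused directory in each account, and document the new directory alongside the skeldir notes since it changes what a freshly created account looks like.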
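Review bot: in the symlink hunk, a symlink() failure with EEXIST is treated like any other failure, so re-running make_user_dir on a directory that already has IMAPdir/INBOX (a partially completed earlier run, or a skeldir that already ships the link) backs out and removes the whole user directory via vdelfiles(username). Check `errno == EEXIST` and carry on in that case. The fprintf also omits strerror(errno), which is the one piece of information needed to tell EEXIST, EACCES and EPERM apart when the failure is only visible as a create error in qmailadmin or vqadmin.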

RE: [vchkpw] Re: 5.4.15 onchange patch

2006-03-27 Thread Michael Krieger
> The reason I mention this is that I'm having a bugger of a job getting my code that implements skel dirs to work with vqadmin - it works fine from the command line (as root) but I get a permission denied error when executing from vqadmin.

Have you thought at all about just wrapping your qmail programs executed from tcpserver and doing it at run-time instead of account creation?

Example that I use for creating an IMAP folder structure for use with bincimap:

  #!/bin/sh
  # /var/qmail/bin/linkwrapper
  # run from the user's home directory (vchkpw chdir's there before exec)
  test -d IMAPdir || mkdir IMAPdir
  test -e IMAPdir/INBOX || ln -sf ../Maildir IMAPdir/INBOX
  exec "$@"

Then in my service run file, I have

  tcpserver  \
     /home/vpopmail/bin/vchkpw \
     /var/qmail/bin/linkwrapper \
     /var/qmail/bin/bincimapd

I don't see why you couldn't do the same with your pop daemon or smtp daemon to do some basic parameters (and maybe extend it to keep additional information).

Something to consider. On a run of qmail-smtpd, test the timestamp of a file to the cdb file and rebuild if needed.

-M

Re: [vchkpw] qmail-inject deferrals

2006-03-24 Thread Michael Krieger
Jeremy Kister <[EMAIL PROTECTED]> wrote:
> I'm using qmail and vpopmail in a rather large environment. I've always got several hundred messages in my queues because of unparsable header fields.
>
> delivery 50391: deferral: qmail-inject:_fatal:_unable_to_parse_this_line:/Return-Path:_Received:_from_wctc.net.airstream.mail8.psmtp.com_(wctc.net.airstream.mail8.psmtp.com_[63.240.161.100])_by_mx1.extreme-hosting.net_with_smtp;_mrt,_24_2006_3:13:50_-0100/system_error/
>
> I do not want to fixup broken messages with new-inject, and because qmail-inject is giving a fatal error, vdelivermail should also.

It should be noted that this is saying that the header is invalid. Note return-path is blank, and fails to contain a newline. I'd fix the problem- being whatever is accepting this mail message into your queue in the first place.

We sometimes get these when people try to inject into php scripts by making a from address contain newlines and the programmer is an idiot and doesn't check this. In theory, qmail-smtpd should turn down the message when it comes in. So I guess the question is where is it coming from?

I wouldn't 'fix' this header, as it's malformed to start with.

-M
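Added example, not qmail or vpopmail code: the check qmail-inject is in effect applying when it defers with "unable to parse this line", covering both shapes reported in these threads (the "Corrupt return-path" messages above and this one). In each case the header was broken before the message reached the .qmail forward: a "Return-Path:" with no value and no newline, so the following "Received:" line was glued onto it, and a From:/Reply-To: whose angle-addr contains a control character (^Z). The checker walks the header block of a message, joining folded continuation lines, and returns the 1-based number of the first unparseable header, or 0 when all of them parse; the samples are constructed from the headers quoted in the thread with addresses left out. It assumes LF line endings as qmail stores them.

```c
#include <string.h>
#include <strings.h>

enum { HDR_OK = 0, HDR_NOFIELD, HDR_CTRL, HDR_BAD_RETURN_PATH };

/* Check one unfolded header line of len bytes (no trailing newline). */
int check_header_line(const char *line, size_t len)
{
    const char *colon, *p;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)line[i];
        if (c != '\t' && (c < 0x20 || c == 0x7f))
            return HDR_CTRL;                       /* the ^Z (0x1a) case */
    }
    colon = memchr(line, ':', len);
    if (colon == NULL || colon == line)
        return HDR_NOFIELD;                        /* not "Field: value" */
    for (p = line; p < colon; p++)
        if (*p <= ' ' || *p > '~')
            return HDR_NOFIELD;                    /* space or garbage in the field name */
    if (len >= 12 && strncasecmp(line, "Return-Path:", 12) == 0) {
        const char *v = line + 12, *end = line + len;
        while (v < end && (*v == ' ' || *v == '\t')) v++;
        while (end > v && (end[-1] == ' ' || end[-1] == '\t')) end--;
        /* must be "<>" or "<addr>"; "Return-Path: Received: ..." is neither */
        if (end - v < 2 || v[0] != '<' || end[-1] != '>')
            return HDR_BAD_RETURN_PATH;
    }
    return HDR_OK;
}

/* Walk the header block of msg (up to the first empty line), joining
 * folded continuation lines. Returns 0 if every header parses, else the
 * 1-based number of the first bad header, with its code in *why. */
int check_headers(const char *msg, int *why)
{
    char buf[2048];
    size_t blen = 0;
    int hdr = 0;
    const char *p = msg;

    for (;;) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        int cont = len > 0 && (p[0] == ' ' || p[0] == '\t');
        if (!cont || blen == 0) {                  /* previous header is complete */
            if (blen > 0) {
                int r = check_header_line(buf, blen);
                if (r != HDR_OK) { *why = r; return hdr; }
                blen = 0;
            }
            if (len == 0)
                break;                             /* blank line: end of headers */
            hdr++;
        }
        if (blen + len < sizeof buf) { memcpy(buf + blen, p, len); blen += len; }
        p = nl ? nl + 1 : p + len;
    }
    *why = HDR_OK;
    return 0;
}

/* Single-value wrappers for quick checks. */
int first_bad_header(const char *msg) { int why; return check_headers(msg, &why); }
int first_bad_reason(const char *msg) { int why; check_headers(msg, &why); return why; }

/* Constructed from the headers quoted in the thread (addresses elided). */
const char SAMPLE_GLUED[] =
    "Received: (qmail 27397 invoked by uid 89); 8 May 2006 13:12:31 -0400\n"
    "Received: from unknown (HELO 211.57.43.201) (211.57.43.201)\n"
    "  by suede.mydomain.com with SMTP; 8 May 2006 13:12:28 -0400\n"
    "Return-Path: Received: from keith.lloyd.com (keith.lloyd.com [158.222.0.2])\n"
    "Subject: Atuh stock is on the move !!!\n"
    "\n"
    "body\n";
const char SAMPLE_CTRL[] =
    "Return-Path: <sender@example.net>\n"
    "From: \"Eva Andrews\" <)\x1a>\n"
    "Subject: hello\n"
    "\n";
const char SAMPLE_GOOD[] =
    "Return-Path: <>\n"
    "Received: from a.example (a.example [192.0.2.1])\n"
    "\tby b.example with SMTP; 8 May 2006 13:12:28 -0400\n"
    "From: Bob <bob@example.org>\n"
    "\n";
```

Run at the point where mail enters the queue (a submission wrapper, or the PHP mail() path the reply blames) this rejects the message before it is accepted, which is the fix the reply argues for; applied in vdelivermail it only tells you which message to drop instead of deferring it forever.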

Re: [vchkpw] relay, smtp after pop

2006-03-24 Thread Michael Krieger
> no, no cdb rebuilding at all. this is with the patches to do so of course. my vpopmail tcp.smtp.cdb file hasn't been touched in just over three years.

Good to know- thanks for the correction.

> of course, i have lots more mysql transactions going on all the time, but have had no performance problems associated with it.

I suppose so, but benchmarks are all specific to any setup as well. Didn't know there were patches to do this (to qmail-smtpd or to tcpserver)? I guess the big question is why add that dependency? Why have all that database activity and connection requirement when you could just pass a password along... But then you can see from previous messages that I promote the smtp-auth these days

-M

Re: [vchkpw] relay, smtp after pop

2006-03-24 Thread Michael Krieger
> unless you're doing it in mysql. which works dandy.

You sure about that?

The MySQL open relay database would speed up the cleanup of old entries and the updates making that pretty quick, but ultimately it needs to make that a cdb file that sets relayclient for tcpserver to execute qmail-smtpd doesn't it? Still building a CDB file regularly.

-M

Re: [vchkpw] relay, smtp after pop

2006-03-24 Thread Michael Krieger
To correct myself...

> Each future POP authentication will update the expire time of the open-smtp entry and rebuild the CDB file again.

I don't believe it actually rebuilds the CDB file here, but it does update the open-smtp file with the new timestamp for the expiry. In any case, any change to the IP list and it updates the CDB file. So for every pop authentication you have a CDB rebuild, versus a CDB read. And adjust list line per above.

CDB is great for mail, because it needs to be updated only when an account is added or password is changed. It's made for reading, and a lot of reading, as well as updating without causing issues. Fast lookups. As that database gets big and filled with IPs, rebuilding it can begin to slow down.

-M

Re: [vchkpw] relay, smtp after pop

2006-03-24 Thread Michael Krieger
> I have my clients use port 587 whenever possible, because I use RBLs on port 25 that block some dynamic address ranges.
> Is there a better practice for this?

I'd also recommend turning off hostname lookups and identd lookups in tcpserver's command line.

You may want to look at the REQUIREAUTH patch (I had to modify it slightly to make it work with newer smtpauth versions) as well, making sure that only smtp authentication can be used on port 587. While spammers don't submit mail to 587 to date, who knows when that may start. Plus, it lets me ensure that nobody is using the pop-before-smtp on port 587. When we have them on the phone and are changing settings, might as well check 'enable authentication'.

Some discussion is here about using SSL instead ('requires a secure connection'), but that's up to you. Some versions of outlook confuse users with 'use secure password authentication SPA' which works with exchange servers... Every time I told someone to turn on SSL, SPA was turned on and it didn't authenticate properly.

-M

Re: [vchkpw] relay, smtp after pop

2006-03-24 Thread Michael Krieger
> i don't use smtp auth, so i wouldn't know. i thought you were claiming that most providers these days are doing smtp auth.

I was stating that most mail CLIENTS (Outlook, Thunderbird, etc) tend to prefer any mangled authentication method in favour of sending a password in clear text, based on my observations. Even better, many (especially newer ones) tend to use challenge/response algorithms for SMTP-Auth for example, which ensure one-time use, and prevent creating an open relay if the connection is viewed.

Now, I'd also argue (unrelated to my previous e-mail) that more and more ISPs are turning to SMTP Authentication and blocking port 25. This number is growing, but based on the customers who contact us, there seems to be more regions with this upcoming issue. Mainly this is to prevent worms from sending mail on their own (port 25 blocking).

The SMTP Authentication is more popular because mail no longer comes from an IP, but instead comes from an e-mail address. With pop before smtp, you know that 123.123.123.123 has a virus or is relaying Spam through your server, or is producing a lot of bounces, whose settings can be easily obtained and used via MAPI. With smtp authentication, you see in the headers that the user is [EMAIL PROTECTED]@123.123.123.123 and that's on mail that goes out, Spam reports that come back, etc. It associates the connection with a username in addition to an IP, which is really what matters.

> it's reliable

Except when it's done in the wrong order, which some mail clients do... or if a user's IP changes.

> , it's simple, it's low overhead

You sure about that? Every successful POP/IMAP authentication will do a CDB lookup for the IP address, and if not found will add it to the open-smtp file, expire old entries, and then rebuild the CDB file. CDB is fast to read, but building it, while not very slow, isn't super-quick. Each future POP authentication will update the expire time of the open-smtp entry and rebuild the CDB file again. So for every pop authentication you have a CDB rebuild, versus a CDB read. [note to see the benefit of not updating it, you'd need to phase it out and then disable the feature or it'll happen anyway].

> . if someone believes their email is important enough that someone would want to sniff the line to get it, then they should be using PGP or some other means of making the actual content secure.

It's deceptive and lying to the user really to use SSL and think it's secure. While your [not you, but the gp] mail server may have the TLS patch and SSL ports, others may not. So you encrypt your super-secret message thinking it's going from your computer to the end encrypted... but it's not. It's encrypted to your mail relay. Then it's decrypted and put onto disk in CLEAR TEXT. At which point it's then sent to another mail server... which could be encrypted or not. In the end, the plain text insecure file sits on a final mail server, and then is picked up by the user, likely unencrypted and stored unencrypted on a workstation that's probably not secure.

In any case, the point is that no matter how you look at it, SSL from the client to mail relay or client to POP server is one part of the process, and creates a false sense of security.

> in my opinion, of course.

Naturally... Of course most of what I say is my opinion on the matter. I'm sure there are many schools of thought, but we've transitioned mostly from POP-before-smtp. It's difficult, and has been YEARS in the works to detect and transition users (similarly difficult was moving from ip aliased domains to using [EMAIL PROTECTED] authentication). The end result is that it's easier to track down and follow mail when it needs to happen.

-M

Re: [vchkpw] relay, smtp after pop

2006-03-24 Thread Michael Krieger
I know that it was broken on one of our mail servers a few years ago (where it advertised it but then didn't authenticate properly) and we got <10% of users properly authenticating and >90% of them not (these are if I recall correctly and are of course rough numbers). The general observation I find is that most mail clients use as much of the protocol as they know.

So no claim/fact that's enough to go by, but pop RECORDIO on your pop or smtp server, and tail -F (capital to follow the file name itself) the current file and see how many of your authentications are mangled, be it by challenge-response or that are short and plain text. There may be more recognizable sections to look at.

-M

Paul Theodoropoulos <[EMAIL PROTECTED]> wrote:

At 10:48 AM 3/24/2006, Michael Krieger wrote:
> Keeping in mind most SMTP uses CRAM-MD5 or some equivalent these
> days with some portion of challenge/response from the server for
> authentication details... this of course happens automatically.

do you have a source for the claim of 'most'? just curious.

Paul Theodoropoulos
http://www.anastrophe.com
http://www.smileglobal.com
http://www.forumgarden.com

Re: [vchkpw] relay, smtp after pop

2006-03-24 Thread Michael Krieger
Keeping in mind most SMTP uses CRAM-MD5 or some equivalent these days with some portion of challenge/response from the server for authentication details... this of course happens automatically.

Some e-mail clients will go kicking and screaming on self-signed certificates, particularly in a virtualhosting environment where the common name needs to be a wildcard (*) for users to access the mail server under their own domains.

I love the paranoia around sniffing that many parties with an invested interest have encouraged. In the end, your data transmits with some encryption on passwords from your PC, through a private network of your ISP who has tens if not hundreds of thousands of clients, then onto MCI/Verizon and other key players in core bandwidth into some datacenter. Nobody of which has any care what your e-mail looks like. Don't get me wrong, I'm all for encryption, but on services like e-mail it seems a bit excessive in favour of a challenge/response authentication.

Besides- these days odds are your PC will be infected and e-mail read on there rather than over the wire where it passes by your ISP aggregated with tons of other traffic at a few hundred Mbit/s.

Just my 2c. Both are solutions to the problem, but 587 is more to avoid port 25 blocking by many ISPs as well as to run a SMTP service without ident/hostname lookups to ensure a speedier connection for mail senders, while keeping this on the ports that other mail servers send to.

-M

Jeremy Kitchen <[EMAIL PROTECTED]> wrote:

On Friday 24 March 2006 10:31, Michael Krieger wrote:
> SMTP Authentication seems to be the norm these days, and I'd encourage it.
> Now if only M$ would make it the default or easier than going into
> advanced settings when adding an account (and also the port 587 option).

why use port 587? the 'use secure connection' is right there, and if you're doing any passing of authentication tokens across the wire, you should be encrypting it.

that's just my two cents.

-Jeremy

-- 
Jeremy Kitchen ++ [EMAIL PROTECTED]

In the beginning was The Word and The Word was Content-type: text/plain -- The Word of Bob.

Re: [vchkpw] relay, smtp after pop

2006-03-24 Thread Michael Krieger
SMTP Authentication seems to be the norm these days, and I'd encourage it. Now if only M$ would make it the default or easier than going into advanced settings when adding an account (and also the port 587 option).

-M

Jeremy Kitchen <[EMAIL PROTECTED]> wrote:

On Friday 24 March 2006 09:52, Jeremy Kitchen wrote:
> If it doesn't, just tell your users to make sure if they see it happen to
> hit send/receive and try again.  Or switch to an smtp auth based solution
> if it's that big of a problem.

wow, I can't believe I didn't mention this before:

a third option is to have them stop using that pile of doo known as outlook.

now to find my coffee...

-Jeremy

-- 
Jeremy Kitchen ++ [EMAIL PROTECTED]

In the beginning was The Word and The Word was Content-type: text/plain -- The Word of Bob.

Re: [vchkpw] Virtual SMTP Greeting?

2006-03-24 Thread Michael Krieger
Just ignore it. In a world where machines could do only one thing due to a lack of power, machines greeted with their own name, which was where you want to deliver to. These days, where hundreds of domains can operate on one machine, this greeting just allows you to identify the server. It is not required, nor does it matter. This should NOT affect your Spam score, especially considering this is on your SMTP server, which is when you are receiving mail and not sending it.

-M

Jeremy Oddo <[EMAIL PROTECTED]> wrote:

Hi All--

Sorry if this has been brought up in the past... I've been off the list for a couple years.

Lately, our mail has had trouble getting to Yahoo, Hotmail, and a smaller ISP. Sometimes the mail ends up in the spam folders so I know our mail is getting to their box. I checked the big blacklist sites and we are not listed. I then ran our domain through the test at http://www.dnsreport.com/. Everything came up clean except for two things:

1. No SPF record (which I've fixed)
2. Mail server host name in greeting

Because I'm using Vpopmail with virtual domains, my mail server address doesn't match my host address name in the SMTP greeting.

Does anyone know how to fix this? Is there even a fix for it?

Thanks for the help.

[vchkpw] Transition from pop-before-smtp

2006-03-14 Thread Michael Krieger
I've got a much older mail system running vpopmail/qmail that was created some time ago. We have been encouraging new settings on users for some time, including using their full e-mail address instead of just the username to authenticate, as well as enabling smtp authentication.

As with any transition, it's a slow process that nobody seems to care much about until it stops working.

The vipmap situation (default domains) was easy, as I document below in case it helps anyone. The SMTP authentication I seem to be having a bit more trouble with. Of course many users don't use our smtp servers at all and instead use their ISPs. Yet vpopmail opens POP for everyone. What I want to know is to have a log entry (probably the from address) every time a user:

   - is allowed to relay through our mail server (so has RELAYCLIENT set)
   - did not authenticate (so TCPREMOTEINFO does not have their username)
   - sends to an e-mail address not in rcpthosts (so relays)

Any ideas how we'd implement that? Are any existing contributions useful here?

To find people who are using vipmap and not specifying their domain (with a % or @), we implemented the following code in vpopmail.c's parse_email() function instead of just vset_default_domain().

    FILE *legacy_fp;   /* placeholder name: the variable name was lost in the archive */

and

    if ( (domain == NULL) || (strlen(domain)<1) ) {
        /* no domain given: fall back to the default (ip-alias) domain */
        vset_default_domain(domain);
        /* record who still relies on the legacy default domain, and from where */
        legacy_fp = fopen("/tmp/legacyipalias", "a");
        if (legacy_fp != NULL) {
            /* format string was obfuscated by the list archiver; original not recoverable */
            fprintf(legacy_fp, "[EMAIL PROTECTED]", user, domain, get_remote_ip());
            fclose(legacy_fp);
        }
        legacy_fp = NULL;
    } else {
        // not needed since it'll just return, but just in case
        vset_default_domain(domain);
    }

RE: [vchkpw] FW: chkuser 2.0 doesn't appear to be working

2006-03-09 Thread Michael Krieger
> #ifndef TLS

This means that it will only run chkuser if you didn't compile it with TLS support, which you might have done. If TLS is defined, I don't see chkuser being included in the executable. You need the chkuser calls in the TLS/SSL section as well.

This is not an if structure as it would be in regular code. This is a compiler direction, that tells it to completely ignore those parts at COMPILE TIME. Meaning, that those parts may never get included... ever... in the executable.

Of course I'm making an assumption that TLS is defined :)

-M

Lee Evans <[EMAIL PROTECTED]> wrote:

> You could post here (or send me) the routine where chkuser is
> called (both for sender and recipients), just to see what to change.

I have attached snippets from qmail-smtpd.c showing the send & rcpt routines and chkuser code. I hope this is what you meant.

> [Is chkuser.h included in a valid point within qmail-smtpd.c?]

I have:

#include "fd.h"
#include "dns.h"
#include "spf.h"
/*chkuser*/
#include "chkuser.h"

Thanks
Lee

void smtp_mail(arg) char *arg;
{
  int r;
  rcptcounter = 0 ;
  if (!addrparse(arg)) { err_syntax(); return; }
  /*chkuser*/
  if (chkuser_sender (&addr) != CHKUSER_OK) { return; }
  /*chkuser end*/
  flagbarf = bmfcheck();
  switch(mfcheck()) {
    case DNS_HARD: err_hmf(); return;
    case DNS_SOFT: err_smf(); return;
    case DNS_MEM: die_nomem();
  }
  flagbarfspf = 0;
  if (spfbehavior && !relayclient)
  {
    switch (r = spfcheck())
    {
      case SPF_OK: env_put2("SPFRESULT","pass"); break;
      case SPF_NONE: env_put2("SPFRESULT","none"); break;
      case SPF_UNKNOWN: env_put2("SPFRESULT","unknown"); break;
      case SPF_NEUTRAL: env_put2("SPFRESULT","neutral"); break;
      case SPF_SOFTFAIL: env_put2("SPFRESULT","softfail"); break;
      case SPF_FAIL: env_put2("SPFRESULT","fail"); break;
      case SPF_ERROR: env_put2("SPFRESULT","error"); break;
    }
    switch (r)
    {
      case SPF_NOMEM:
        die_nomem();
      case SPF_ERROR:
        if (spfbehavior < 2) break ;
        out ("451 SPF lookup failure (#4.3.0)\r\n");
        return;
      case SPF_NONE:
      case SPF_UNKNOWN:
        if (spfbehavior < 6) break ;
      case SPF_NEUTRAL:
        if (spfbehavior < 5) break ;
      case SPF_SOFTFAIL:
        if (spfbehavior < 4) break ;
      case SPF_FAIL:
        if (spfbehavior < 3) break ;
        if (!spfexplanation(&spfbarfmsg)) die_nomem();
        if (!stralloc_0(&spfbarfmsg)) die_nomem();
        flagbarfspf = 1;
    }
  }
  else
    env_unset("SPFRESULT");
  seenmail = 1;
  if (!stralloc_copys(&rcptto,"")) die_nomem();
  if (!stralloc_copys(&mailfrom,addr.s)) die_nomem();
  if (!stralloc_0(&mailfrom)) die_nomem();
  out("250 ok\r\n");
}

void smtp_rcpt(arg) char *arg; {
  rcptcounter++;
  if (!seenmail) { err_wantmail(); return; }
  if (checkrcptcount() == 1) { err_syntax(); return; }
  if (!addrparse(arg)) { err_syntax(); return; }
  if (flagbarf) { err_bmf(); return; }
  if (flagbarfspf) { err_spf(); return; }
  if (relayclient) {
    --addr.len;
    if (!stralloc_cats(&addr,relayclient)) die_nomem();
    if (!stralloc_0(&addr)) die_nomem();
  }
  else
#ifndef TLS
    if (!addrallowed()) { err_nogateway(); return; }
  /*chkuser*/
  switch (chkuser_realrcpt (&mailfrom, &addr)) {
    case CHKUSER_KO:
      return;
      break;
    case CHKUSER_RELAYING:
      --addr.len;
      if (!stralloc_cats(&addr,relayclient)) die_nomem();
      if (!stralloc_0(&addr)) die_nomem();
      break;
  }
  /*end chkuser*/
#else
    if (!addrallowed()) {
      if (ssl)
      {
        STACK_OF(X509_NAME) *sk;
        X509 *peercert;
        stralloc tlsclients = {0};
        struct constmap maptlsclients;
        int r;
        SSL_set_verify(ssl,
                       SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE,
                       verify_cb);
        if ((sk = SSL_load_client_CA_file("control/clientca.pem")) == NULL)
          { err_nogateway(); return; }
        SSL_set_client_CA_list(ssl, sk);
        if((control_readfile(&tlsclients,"control/tlsclients",0) != 1) ||
           !constmap_init(&maptlsclients,tlsclients.s,tlsclients.len,0))
          { err_nogateway(); return; }
        SSL_renegotiate(ssl);
        SSL_do_handshake(ssl);
        ssl->state = SSL_ST_ACCEPT;
        SSL_do_handshake(ssl);
        if ((r = SSL_get_verify_result(ssl)) != X509_V_OK) {
          out("553 no valid cert for gatewaying: ");
          out(X509_verify_cert_error_string(r));
          out(" (#5.7.1)\r\n");
          return;
        }
        if (peercert = SSL_get_peer_certificate(ssl)) {
          char emailAddress[256];
          X509_NAME_get_text_by_NID(X509_get_subject_name( SSL_get_peer_certificate(ssl)),
                                    NID_pkcs9_emailAddress, emailAddress, 256);
          if (!stralloc_copys(&clientcert, emailAddress)) die_nomem();
          if (!constmap(&maptlsclients,clientcert.s,clientcert.len))
            { err_nogwcert(); return; }
          relayclient = "";
        }
        else { err_nogwcert(); return; }
      }
      else { err_nogateway(); return; }
    }
#endif
  if (!stralloc_cats(&rcptto,"T")) die_n

RE: [vchkpw] FW: chkuser 2.0 doesn't appear to be working

2006-03-09 Thread Michael Krieger
I should ask- Is the domain set the 'bounce-no-mailbox' or do you have a catch all account? If you have a catch-all account, checkuser disables itself (as all recipients are valid). Disable the catch-all account if any and then see if it works.

-M

"tonix (Antonio Nati)" <[EMAIL PROTECTED]> wrote:

> [EMAIL PROTECTED] qmail-1.03]# ./qmail-smtpd
> 220 mail.leeevans.org ESMTP
> mail from [EMAIL PROTECTED]
> 250 ok
> rcpt to:[EMAIL PROTECTED]
> 250 ok
> quit

Re: [vchkpw] IMAP connections fail after undetermined period.

2006-03-08 Thread Michael Krieger
Check your connection limits to the MySQL server. Seems to occasionally happen when a flood of smtp connections or pop connections opens up a lot of MySQL backends. Essentially it means that it tried to run its database queries and the server isn't there and has broken or didn't accept the connection.

-M

james cooke <[EMAIL PROTECTED]> wrote:

Hello,

After a few hours of running - I haven't narrowed it down to a certain time, it seems to vary - IMAP connections fail with:

  dovecot: Mar 08 16:29:59 Error: auth(default): vmysql: sql error[3]: MySQL server has gone away

Setup is FreeBSD 5.4, qmail 1.03, vpopmail 5.4.13, dovecot 1.0, mysql 5.0.18.

I thought the issue was with the imap server, but it occurred with courier-imap also. Auth with pop3 continues to work, and if I reset dovecot then imap begins to work again temporarily, as it did with courier-imap.

I'm assuming this might be some sort of MySQL version or connection timeout issue, but I'm at a loss on where to go from here, I'm fairly new to this area in general, any feedback would be very welcome.

Thanks,
James Cooke

Re: [vchkpw] Re: what's this 'vpopmailctl' stuff? (Was: [vchkpw] 552 message too large error)

2006-03-08 Thread Michael Krieger
Potential answer to the parent question below. Now, re vpopmailctl:

vpopmailctl is a script provided by some distros, that ultimately is more like a qmailctl but not for each component. All it does is run svc for these pop3 and pop3ds. It really shouldn't be named vpopmailctl, but so be it.

   stop    -- stops mail service (pop3 connections refused)
   start   -- starts mail service (pop3 connection accepted)
   pause   -- temporarily stops pop3 service
   cont    -- continues paused pop3 service
   stat    -- displays status of pop3 service
   restart -- stops and restarts pop3d

Databytes is not used by qmail-send or anything other than qmail-smtpd. It should take effect on all future SMTP connections.

If it doesn't, then you probably have DATABYTES= set in your tcp.smtp file, or maybe in the run script of qmail-smtpd. According to the man pages "If the environment variable DATABYTES is set, it overrides databytes."

Also check the softlimit memory limit, though that doesn't seem to be your issue, but any change in databytes should then make sure the memory limit is high enough.

-M

Jeremy Kitchen <[EMAIL PROTECTED]> wrote:

On Wednesday 08 March 2006 03:13, Michele Virgilio wrote:
> > Did you reload qmail after changing the databytes value?
>
> Yes, i did a #qmailctl restart and a #vpopmailctl restart without success,
> then a full reboot, but the error is still there :(

forgive my ignorance, but I don't understand where people are getting this 'vpopmailctl restart' idea at.

vpopmail is a set of 'one shot' programs, there are no long running processes. What does this magical 'vpopmailctl' script even do?

-Jeremy

-- 
Jeremy Kitchen ++ [EMAIL PROTECTED]

In the beginning was The Word and The Word was Content-type: text/plain -- The Word of Bob.

Re: [vchkpw] Transfering vpopmail domains

2006-03-04 Thread Michael Krieger
Rick Macdougall wrote:
> devnull wrote:
>> I've tried to modify by hand the passwd and the
>> passwd.cdb files changing the path but it don't
>> work any suggestion?
> You'll need to modify the /var/qmail/users/assign
> file as well as the vpasswd files.

devnull-

Your solution of using vadduser in a script works because it is properly updating the cdb file. vpopmail will use the cdb file if they are available, and if not, generate from the vpasswd file. It sounds like you edited vpasswd, and modified the cdb file (which definitely won't work, as the index will be off in the length changes). If you just edit vpasswd, on the next add/delete user, it will undo your change, because it will read in the cdb file and write out vpasswd and vpasswd.cdb.

The solution? rm ~vpopmail/domains/*/vpasswd.cdb. Modify ~vpopmail/domains/*/vpasswd with the proper paths. Also modify ~vpopmail/domains/*/.qmail-default to properly point to the new vdelivermail location, and make sure the maildir for default delivery if not bounce-no-mailbox has the new path. Also update ~vpopmail/domains/*/.qmail-* to have the proper aliases (if you have them to maildirs from old vpopmail versions) and point to the proper location for ezmlm and autorespond if that changed. Finally edit ~vpopmail/domains/*/*/.qmail to make sure the maildir delivery lines are all pointing to the right location.

I'm not sure how chkuser will mix into this (it may want the cdb files), so if the cdb files don't regenerate for you, just run vmoduser on each postmaster user toggling a flag (then put it back), such as the no_imap flag. That should regenerate the cdb properly from vpasswd text file.

-M

Re: [vchkpw] Why not disconnect after rejection/limit ?

2006-03-04 Thread Michael Krieger
Jeremy Kister <[EMAIL PROTECTED]> wrote:

On 3/3/2006 10:28 AM, Michael Krieger wrote:
> An SMTP server MUST NOT intentionally close the connection except:
> - After receiving a QUIT command and responding with a 221 reply.
> - After detecting the need to shut down the SMTP service and returning a 421 response code. This response code can be issued after the server receives any command or, if necessary, asynchronously from command receipt (on the assumption that the client will receive it after the next command is issued).

Not to turn this into a RFC contest on the wrong mailing list, but we must be interpreting that differently -- my qmail-1.03.isp.patch will close a connection after a defined number of errors. I claim RFC 2821 #3.9 compatibility, because before closing the connection, I send a 400 error. I have the 'need' to close the connection, because I no longer want to hear from this abuser, and he is automatically entered into tcp.smtp.cdb for rejection.

I'm not saying that you shouldn't do that. All I'm saying is that the RFC states that you should not intentionally kill the SMTP connection unless
   1. the client sends a quit and you ack it with a 221.
   2. the SMTP __service__ needs to shut down.

Note that the second one is not you wanting to shut down the connection, but rather the service restarting for example.

Now what you choose to do is up to you. In practice, the remote mailer in real-world situations will assume a disconnection beyond both of your control and try again in a wee bit, so it's deemed okay by some. That doesn't make it right by the standard, but then again, these are 'Requests For Comments' as a way to set an agreed upon standard. You can religiously follow them or veer from them, but it's safe to assume that they represent what most people are doing with their systems and how it's "supposed" to work.

So is there a reason not to do it? Yes the RFC suggests that this shouldn't happen if you can help it and have another way to do it. Is there a reason to do it? You cite bandwidth and CPU usage, as well as generally hostile Internet behaviour. So throw a coin and see what is more important to you.

I'd argue that you may find it more beneficial to add a qmail-smtpd.c code hack to keep a count of rcpt commands and issue a 5xx reply when there's a good number, placing this code before chkuser so that it eats up next to no CPU usage. In terms of bandwidth, it's probably minimal. There are already patches for tarpitting and having a max rcpts, so it should be easy to modify to increment on failed rcpts and avoid the overhead of a vpopmail lookup, favouring a simple if failed > 10, err_pissoff(). That'll reduce any CPU overhead and the bandwidth will be minimal.

Then of course block for future connections if you wish (but I'd argue again that odds are it's some automated hacked Spam bot on an innocent system that picked up your domain randomly or from a list and will never come back after a few minutes anyway.) We've tried keeping blacklists for a while, but they tend to block real people too, who we will never see the attack from again. Temporary blocks are okay, but in most cases, you'll never see the abusive system again.

So anyway- RFC says one thing, but you do as you wish. That's always the case on the Internet.

-M

Re: [vchkpw] Why not disconnect after rejection/limit ?

2006-03-03 Thread Michael Krieger
Yes. RFC 2821 ( http://www.faqs.org/rfcs/rfc2821.html ) states as follows (note the words 'MUST NOT'):

3.9 Terminating Sessions and Connections

An SMTP connection is terminated when the client sends a QUIT command. The server responds with a positive reply code, after which it closes the connection.

An SMTP server MUST NOT intentionally close the connection except:
   - After receiving a QUIT command and responding with a 221 reply.
   - After detecting the need to shut down the SMTP service and returning a 421 response code. This response code can be issued after the server receives any command or, if necessary, asynchronously from command receipt (on the assumption that the client will receive it after the next command is issued).

In particular, a server that closes connections in response to commands that are not understood is in violation of this specification. Servers are expected to be tolerant of unknown commands, issuing a 500 reply and awaiting further instructions from the client.

An SMTP server which is forcibly shut down via external means SHOULD attempt to send a line containing a 421 response code to the SMTP client before exiting. The SMTP client will normally read the 421 response code after sending its next command.

SMTP clients that experience a connection close, reset, or other communications failure due to circumstances not under their control (in violation of the intent of this specification but sometimes unavoidable) SHOULD, to maintain the robustness of the mail system, treat the mail transaction as if a 451 response had been received and act accordingly.

Ibiltari <[EMAIL PROTECTED]> wrote:

Hi,

I'm trying to fine tune my mail system, and looking at how qmail-smtpd/vchkpw handle rejected mail i started thinking; why qmail-smtp doesn't disconnect after the intrusion threshold? it keeps rejecting messages (from the spammer normally) and eating cpu and bandwidth. Perhaps there is a good reason not to disconnect but i think it could be a nice feature too.

any opinion about this?

Ion

[vchkpw] qmailadmin 1.2.10 vpopmail 5.4.15 segfaults on forwards page

2006-03-03 Thread Michael Krieger
I've spent the past few days working on this problem for a good 8 hours a day, so figure I'll send it back to the list for some insight.

This is using no valias code, so it should be using vpalias.c. I'm using standard qmail aliases.

I'm getting qmailadmin segfaulting when handling forwards, most obviously is viewing the forward list even. My debugging has taken me to the final call to 'alias_line = valias_select_all_next(alias_name);' when alias_name is the final alias in the set, or when the set is empty (no aliases at all).

If I make it stop running (through code hacks) valias_select_all_next one short of the number of aliases, all works well with no problems no matter what I do in qmailadmin. However, when it continues, it tends to continue but corrupt other areas, such as segfaulting on a fclose() in send_template_now() mainly. There seems to be some sort of overrun going on here but I can't seem to find it to my displeasure.

Is anyone else seeing these issues? Any ideas on a solution? I'm looking to vpalias.c for solutions and have been fiddling with that code as well with no real success, as everything seems alright.

qmailadmin 1.2.10 : '--enable-htmldir=/var/www' '--enable-cgibindir=/var/www/cgi-bin' '--enable-help' '--enable-cgipath=/cgi-bin/qmailadmin' '--enable-domain-autofill'
vpopmail 5.4.15 : '--enable-qmail-ext' '--enable-auth-module=cdb' '--enable-logging=y'
Debian 3.1

Thanks in advance folks,

-M

[vchkpw] Fwd: vpopmail 5.4.15/qmailadmin 1.2.x - was: Crashes and Bugs?

2006-02-28 Thread Michael Krieger
Note: Crossposting this as it seems to be related to vpopmail

I still had my 5.4.13 (patched with Shupp's patch to bring it somewhere in the middle of where it is now) source. I changed qmailadmin's Makefile to replace the -I and -L's for vpopmail's includes/libraries and did a 'cp config.h vpopmail_config.h' in the vpopmail-5.4.13 folder.

The result? It now works perfectly again, displaying the aliases without segfaulting. It's displaying the autoresponders without segfaulting as well. However it's statically linked with 5.4.13, which isn't ideal (and shouldn't be needed of course). No other changes have been made.

I'm imagining some quirk that was introduced that is affecting qmailadmin? I have the ltrace/strace's (see some of the previous messages).

PS: Sorry to everyone for debugging aloud, but hopefully it helps someone.

-M

Michael Krieger <[EMAIL PROTECTED]> wrote:

Seems that qsort is returning a void in the case of the aliases according to ltrace (gdb doesn't seem to be giving me much useful, so I'm sticking to strace/ltrace).

837 readdir(0x807a440)    = 0x807a52c
837 readdir(0x807a440)    = NULL
837 closedir(0x807a440)   = 0
837 qsort(0x807a240, 0, 4, 0x8062510)    =
837 strcpy(0xb140, NULL
837 --- SIGSEGV (Segmentation fault) ---
837 +++ killed by SIGSEGV +++

any ideas?

Michael Krieger <[EMAIL PROTECTED]> wrote:

It seems to be dying as such (trying to get a backtrace, but debugging cgi's isn't exactly easy unless someone has an idea). Of course editing for the domain, but the length is the same.

strace:

21422 geteuid32()    = 89
21422 chdir("/home/vpopmail/domains/test1.mydomains.com") = 0
21422 open("/home/vpopmail/domains/test1.mydomains.com/.qmailadmin-limits", O_RDONLY) = -1 ENOENT (No such file or directory)
21422 open("/home/vpopmail/etc/vlimits.default", O_RDONLY) = 5
21422 fstat64(5, {st_mode=S_IFREG|0644, st_size=1143, ...}) = 0
21422 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4001a000
21422 read(5, "# Default limits file.  This file is used for domains without a\n# .qmailadmin-limits file.\n\n# maximums for each account type, -1 = unlimited\nmaxpopaccounts\t\t-1\nmaxforwards\t\t-1\nmaxautoresponders\t-1\nmaxmailinglists\t\t-1\n\n# quota for entire domain, in megabyte"..., 4096) = 1143
21422 read(5, "", 4096) = 0
21422 close(5)   = 0
21422 munmap(0x4001a000, 4096)  = 0
21422 geteuid32()    = 89
21422 getpid()   = 21422
21422 open("/home/vpopmail/domains/test1.mydomains.com/vpasswd.cdb", O_RDONLY) = 5
21422 lseek(5, 8, SEEK_SET) = 8
21422 read(5, "\3\t\0\0\2\0\0\0", 8)    = 8
21422 lseek(5, 2307, SEEK_SET)  = 2307
21422 read(5, "\00188T}\10\0\0", 8) = 8
21422 lseek(5, 2173, SEEK_SET)  = 2173
21422 read(5, "\n\0\0\0t\0\0\0", 8) = 8
21422 read(5, "postmaster", 10) = 10
21422 read(5, "*** SNIP ***", 116) = 116
21422 close(5)   = 0
21422 open("/home/vpopmail/domains/test1.mydomains.com/.qmailadmin-limits", O_RDONLY) = -1 ENOENT (No such file or directory)
21422 open("/home/vpopmail/etc/vlimits.default", O_RDONLY) = 5
21422 fstat64(5, {st_mode=S_IFREG|0644, st_size=1143, ...}) = 0
21422 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4001a000
21422 read(5, "# Default limits file.  This file is used for domains without a\n# .qmailadmin-limits file.\n\n# maximums for each account type, -1 = unlimited\nmaxpopaccounts\t\t-1\nmaxforwards\t\t-1\nmaxautoresponders\t-1\nmaxmailinglists\t\t-1\n\n# quota for entire domain, in megabyte"..., 4096) = 1143
21422 read(5, "", 4096) = 0
21422 close(5)   = 0
21422 munmap(0x4001a000, 4096)  = 0
21422 chdir("/home/vpopmail/domains/test1.mydomains.com") = 0
21422 open("/home/vpopmail/domains/test1.mydomains.com/postmaster/Maildir/1141140624.qw", O_RDONLY) = 5
21422 fstat64(5, {st_mode=S_IFREG|0600, st_size=43, ...}) = 0
21422 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4001a000
21422 read(5, "ip_addr=72.59.3.44&returntext=&returnhttp=\n", 4096) = 43
21422 close(5)   = 0
21422 munmap(0x4001a000, 4096)  = 0
21422 time(NULL)     = 1141140718
21422 open("/home/vpopmail/domains/test1.mydomains.com", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY) = 5
21422 fs

Re: [vchkpw] vpopmail extensions not working correctly

2006-02-28 Thread Michael Krieger
Seemed to always work with previous versions however.

And if that's the case, why does it process the forward? The problem is that it's doing one line of the .qmail-michael but not the second.

-M

Chris Pugh <[EMAIL PROTECTED]> wrote:

Er, Mike ..

Wouldn't that be due to the fact that ..

home/vpopmail/domains/mydomain.com/.qmail-michael
and
home/vpopmail/domains/mydomain.com/.qmail-michael-testing

are two *entirely separate* accounts?

C.

--- Michael Krieger wrote:

> I am using 5.4.15 vpopmail and I've noticed that
> extensions aren't quite working right.  If I send
> mail to [EMAIL PROTECTED] I get mail going to my
> inbox and blackberry.  If I send mail to
> [EMAIL PROTECTED] I get mail going only
> to my inbox.
>
>   # cat /home/vpopmail/domains/mydomain.com/.qmail-michael
>   &[EMAIL PROTECTED]
>   &[EMAIL PROTECTED]
>
>   qmail-send logs:
>   bytes 1329 from qp 7661 uid 89
>   starting delivery 77: msg 374730 to local [EMAIL PROTECTED]
>   delivery 77: success: did_0+0+1/
>
> And that's it.  When I send to just 'michael', it
> then creates a new message to remote
> [EMAIL PROTECTED], as it should.  But sending
> to michael-testing doesn't.
>
> That doesn't seem right.
> -M
 

[vchkpw] vpopmail extensions not working correctly

2006-02-27 Thread Michael Krieger
I am using 5.4.15 vpopmail and I've noticed that extensions aren't quite working right. If I send mail to [EMAIL PROTECTED] I get mail going to my inbox and blackberry. If I send mail to [EMAIL PROTECTED] I get mail going only to my inbox.

  # cat /home/vpopmail/domains/mydomain.com/.qmail-michael
  &[EMAIL PROTECTED]
  &[EMAIL PROTECTED]

qmail-send logs:

  bytes 1329 from <[EMAIL PROTECTED]> qp 7661 uid 89
  starting delivery 77: msg 374730 to local [EMAIL PROTECTED]
  delivery 77: success: did_0+0+1/

And that's it. When I send to just 'michael', it then creates a new message to remote [EMAIL PROTECTED], as it should. But sending to michael-testing doesn't.

That doesn't seem right.

-M
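The behaviour reported above follows from how qmail-local chooses a dot-qmail file for an address with an extension, as documented in dot-qmail(5): for ext "michael-testing" it tries .qmail-michael-testing, then .qmail-michael-default, then .qmail-default, and never reads .qmail-michael. The following is an added illustration written for this archive, not code from vpopmail or the poster; it models that lookup order over a constructed domain directory built in a temporary folder, with a .qmail-default that pipes to a placeholder vdelivermail path. What vdelivermail itself does afterwards with a user-ext address is outside this model.

```python
"""Model of qmail-local's dot-qmail lookup order (dot-qmail(5)).

Added example; the domain directory and its files are constructed here
and are not taken from the mailing-list post.
"""
import tempfile
from pathlib import Path


def dot_qmail_candidates(ext):
    """Files qmail-local consults for extension `ext`, in order.

    Dots in the extension become colons and it is lowercased before the
    lookup.  An empty extension means the bare user: only .qmail is read
    and .qmail-default is NOT consulted.
    """
    ext = ext.lower().replace(".", ":")
    if ext == "":
        return [".qmail"]
    parts = ext.split("-")
    names = [".qmail-" + ext]
    # Drop trailing dash-separated pieces one at a time, replacing them
    # with "default": a-b-c -> a-b-default -> a-default.
    for i in range(len(parts) - 1, 0, -1):
        names.append(".qmail-" + "-".join(parts[:i]) + "-default")
    names.append(".qmail-default")
    return names


def classify(instruction):
    """Map one dot-qmail line to the kind of delivery it requests."""
    if instruction.startswith("&"):
        return ("forward", instruction[1:])
    if instruction.startswith("|"):
        return ("program", instruction[1:].strip())
    if instruction.startswith("/") or instruction.startswith("."):
        kind = "maildir" if instruction.endswith("/") else "mbox"
        return (kind, instruction)
    # dot-qmail also accepts a bare local address as a forward.
    return ("forward", instruction)


def resolve(domain_dir, ext):
    """Return (chosen file, [delivery instructions]) or None if no file matches."""
    for name in dot_qmail_candidates(ext):
        path = Path(domain_dir) / name
        if path.exists():
            lines = [l.strip() for l in path.read_text().splitlines()]
            return name, [classify(l) for l in lines if l and not l.startswith("#")]
    return None


def demo():
    """Constructed domain directory reproducing the situation in the post."""
    with tempfile.TemporaryDirectory() as d:
        dom = Path(d)
        # Two forwards for "michael" (constructed addresses).
        (dom / ".qmail-michael").write_text(
            "&michael-inbox@example.invalid\n&michael-phone@example.invalid\n")
        # Catch-all the way a vpopmail domain is usually set up; the
        # program path is a placeholder, not verified against any install.
        (dom / ".qmail-default").write_text(
            "| /home/vpopmail/bin/vdelivermail '' bounce-no-mailbox\n")
        return {
            "michael": resolve(dom, "michael"),
            "michael-testing": resolve(dom, "michael-testing"),
        }


if __name__ == "__main__":
    for ext, result in demo().items():
        print(ext, "->", result)
```

Running it shows "michael" resolved through .qmail-michael with two forward deliveries, while "michael-testing" falls through to .qmail-default with a single program delivery, which is consistent with the one `did_0+0+1/` delivery in the quoted qmail-send log.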

[vchkpw] vpopmail 5.4.14 && valias

2006-02-16 Thread Michael Krieger
Two topics:

1. Last chatter on vpopmail 5.4.14 was about a month ago with hints that it would be a few days to fix a few configure quirks. Were other issues discovered? What's expected new in 5.4.14 and what's the status of it?

2. valias - migrating 3 CDB-based mail systems to one MySQL-based system for ease of management and some better services. I figure as a result of the greater quantity of users and domains, MySQL is a plus. Is there a benefit to using valias as well (keeping in mind domain.com/user/.qmail doesn't end up in the database)? Is there a performance hit this is attempting to solve? I've generally used files. If I use valias instead, can I still on occasion add a maildrop line or some sort of executed command into the valias table? How easy is that to do? Can it do Maildir deliveries instead of forwards to other e-mail addresses?

Thanks in advance,

-M