Re: [vchkpw] SMTP_VRFY supported?

2007-05-21 Thread Joshua Megerman

> Hello,
>
> I'm trying to use a mail filter appliance with a qmail/vpopmail (gentoo)
> install and am running into an issue with the filter generating excessive
> email accounts due to the way qmail handles invalid email addresses.
>
> I'm familiar with the chkuser 2 patch and have tried it with little
> success.  I am using TLS on my system and the chkuser patch works
> exactly one time then begins rejecting even valid addresses.  The vendor
> that makes the filter suggested using SMTP_VRFY but I'm unable to find a
> way to implement this in qmail/vpopmail.
>
> Can anyone here point me in the right direction?
>
Sounds like there's something funky going on with the chkuser patch for
you - do you have the same problem when not using TLS?  I'm not a chkuser
expert, but have you double-checked your chkuser settings?

Qmail implements SMTP_VRFY, but it doesn't actually do anything.  DJB
(rightly, IMHO) decided that it didn't make sense to let people constantly
hammer your system with VRFY commands to determine who was or wasn't a
valid user, and so (per the RFC) qmail's VRFY implementation responds with
a message that indicates a non-answer (252 send some mail, i'll try my
best) and doesn't actually indicate whether the address is valid or not. 
Chkuser can result in giving the same information, as it will reject
non-valid users, but this at least forces spammers to try to send mail,
and get rejections (and possibly dropped altogether) rather than just
scanning a qmail SMTP server...

Josh
-- 
Joshua Megerman
SJGames MIB #5273 - OGRE AI Testing Division
You can't win; You can't break even; You can't even quit the game.
  - Layman's translation of the Laws of Thermodynamics
[EMAIL PROTECTED]



Re: [vchkpw] SMTP_VRFY supported?

2007-05-21 Thread Matt Kane

Quoting Joshua Megerman <[EMAIL PROTECTED]>:

Sounds like there's something funky going on with the chkuser patch for
you - do you have the same problem when not using TLS?  I'm not a chkuser
expert, but have you double-checked your chkuser settings?



The only extra setting I'm using is the CHKUSER_ENABLE_UIDGID.  From  
what I've read on the Interazioni site this option will cause issues  
with TLS.  I enabled this because qmail-smtpd was unable to run vchkpw  
without it enabled.  I assume this is because of users/group  
permission but even with the qmail & vpopmail user in the same group  
vchkpw didn't run.



Qmail implements SMTP_VRFY, but it doesn't actually do anything.  DJB
(rightly, IMHO) decided that it didn't make sense to let people constantly
hammer your system with VRFY commands to determine who was or wasn't a
valid user, and so (per the RFC) qmail's VRFY implementation responds with
a message that indicates a non-answer (252 send some mail, i'll try my
best) and doesn't actually indicate whether the address is valid or not.
Chkuser can result in giving the same information, as it will reject
non-valid users, but this at least forces spammers to try to send mail,
and get rejections (and possibly dropped altogether) rather than just
scanning a qmail SMTP server...



This makes sense but doesn't chkuser essentially do the same thing  
SMTP_VRFY would do?


Matt


This message was sent using IMP, the Internet Messaging Program.



Re: [vchkpw] SMTP_VRFY supported?

2007-05-21 Thread Joshua Megerman

> Quoting Joshua Megerman <[EMAIL PROTECTED]>:
>> Sounds like there's something funky going on with the chkuser patch for
>> you - do you have the same problem when not using TLS?  I'm not a
>> chkuser
>> expert, but have you double-checked your chkuser settings?
>>
>
> The only extra setting I'm using is the CHKUSER_ENABLE_UIDGID.  From
> what I've read on the Interazioni site this option will cause issues
> with TLS.  I enabled this because qmail-smtpd was unable to run vchkpw
> without it enabled.  I assume this is because of users/group
> permission but even with the qmail & vpopmail user in the same group
> vchkpw didn't run.
>
I don't have it enabled, and I have no problems running qmail-smtpd as
vpopmail:vchkpw using tcpserver flags (-u vpopmail -g vchkpw).  Which TLS
patch set are you using?

>> Qmail implements SMTP_VRFY, but it doesn't actually do anything.  DJB
>> (rightly, IMHO) decided that it didn't make sense to let people
>> constantly
>> hammer your system with VRFY commands to determine who was or wasn't a
>> valid user, and so (per the RFC) qmail's VRFY implementation responds
>> with
>> a message that indicates a non-answer (252 send some mail, i'll try my
>> best) and doesn't actually indicate whether the address is valid or not.
>> Chkuser can result in giving the same information, as it will reject
>> non-valid users, but this at least forces spammers to try to send mail,
>> and get rejections (and possibly dropped altogether) rather than just
>> scanning a qmail SMTP server...
>>
>
> This makes sense but doesn't chkuser essentially do the same thing
> SMTP_VRFY would do?
>
Yes and no.  The VRFY command is outside of sending mail - a rogue client
could connect to the SMTP server, and after issuing a HELO/EHLO greeting,
just run repeated VRFY commands to see if a user is valid or not.  Chkuser
operates in the RCPT phase of the conversation, so a client has to start
with a MAIL FROM command, which can be checked, and then each RCPT command
can either be accepted or rejected - and chkuser can also be configured to
reject ALL users after a certain number of invalid ones, preventing spam
to real users if fake ones are also sent.  It's a fine line, but it can
make a difference.

Josh
-- 
Joshua Megerman
SJGames MIB #5273 - OGRE AI Testing Division
You can't win; You can't break even; You can't even quit the game.
  - Layman's translation of the Laws of Thermodynamics
[EMAIL PROTECTED]
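The two exchanges Josh contrasts above (a VRFY that only ever gets qmail's 252 non-answer, versus RCPT TO which chkuser checks and, past a configured number of bad recipients, refuses outright) played out in an added Python model. This is example code written for this page, not qmail or chkuser source: the "252 send some mail, i'll try my best", "250 ok", "503 MAIL first (#5.5.1)" and "502 unimplemented (#5.5.1)" strings are qmail-smtpd's own, while the mailbox table, the candidate list, the limit of three bad recipients and the wording of the chkuser-style 511/571 replies are constructed assumptions.

```python
"""Model of a qmail-smtpd session with chkuser-style RCPT checking.

Example code added to illustrate the thread; not qmail or chkuser source.
Reply strings marked "qmail" are qmail-smtpd's own; everything else
(mailbox table, candidates, limit of three, 511/571 wording) is assumed.
"""

# Constructed stand-in for the vpopmail user database (assumption).
MAILBOXES = {"alice@example.com", "bob@example.com"}


def _strip_brackets(s):
    s = s.strip()
    return s[1:-1] if s.startswith("<") and s.endswith(">") else s


class SmtpdModel:
    """One SMTP session.  VRFY is a non-answer whatever is asked; RCPT is
    only reachable after MAIL FROM, is looked up in the mailbox table, and
    once wrong_rcpt_limit bad recipients have been seen every RCPT is refused."""

    def __init__(self, mailboxes=MAILBOXES, wrong_rcpt_limit=3):
        self.mailboxes = mailboxes
        self.wrong_rcpt_limit = wrong_rcpt_limit
        self.mail_from = None
        self.wrong_rcpts = 0
        self.blocked = False
        self.transcript = ["S: 220 mail.example.com ESMTP"]

    def _reply(self, line, reply):
        self.transcript += ["C: " + line, "S: " + reply]
        return reply

    def handle(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.mail_from = None
            return self._reply(line, "250 mail.example.com")
        if verb == "VRFY":
            # qmail: identical reply for existing and missing users.
            return self._reply(line, "252 send some mail, i'll try my best")
        if verb == "MAIL":
            self.mail_from = _strip_brackets(arg.partition(":")[2])
            return self._reply(line, "250 ok")  # qmail
        if verb == "RCPT":
            if self.mail_from is None:
                return self._reply(line, "503 MAIL first (#5.5.1)")  # qmail
            if self.blocked:
                # Modelled after chkuser's wrong-recipient limit (assumed wording).
                return self._reply(line, "571 sorry, too many invalid recipients (#5.7.1 - chkuser)")
            rcpt = _strip_brackets(arg.partition(":")[2]).lower()
            if rcpt in self.mailboxes:
                return self._reply(line, "250 ok")  # qmail
            self.wrong_rcpts += 1
            if self.wrong_rcpts >= self.wrong_rcpt_limit:
                self.blocked = True
            return self._reply(line, "511 sorry, no mailbox here by that name (#5.1.1 - chkuser)")
        if verb == "QUIT":
            return self._reply(line, "221 mail.example.com")
        return self._reply(line, "502 unimplemented (#5.5.1)")  # qmail


def probe_vrfy(server, candidates):
    """Reply code per candidate when a client only issues VRFY after EHLO."""
    server.handle("EHLO probe.example.net")
    return {c: server.handle("VRFY " + c)[:3] for c in candidates}


def probe_rcpt(server, candidates, sender="probe@example.net"):
    """Reply code per candidate via MAIL FROM + RCPT TO, the path chkuser sees."""
    server.handle("EHLO probe.example.net")
    server.handle("MAIL FROM:<%s>" % sender)
    return {c: server.handle("RCPT TO:<%s>" % c)[:3] for c in candidates}


def confirmed_valid(results):
    """Addresses a client may treat as existing: only a 250 says so."""
    return {addr for addr, code in results.items() if code == "250"}


CANDIDATES = ["alice@example.com", "carol@example.com", "bob@example.com",
              "dave@example.com", "erin@example.com", "frank@example.com"]

if __name__ == "__main__":
    for name, probe in (("VRFY", probe_vrfy), ("RCPT", probe_rcpt)):
        server = SmtpdModel()
        found = confirmed_valid(probe(server, CANDIDATES))
        print("\n".join(server.transcript))
        print("%s probe confirmed: %s\n" % (name, sorted(found) or "nothing"))
```

Running it prints both transcripts side by side: the VRFY probe learns nothing about any of the six names, while the RCPT probe confirms alice and bob, gets 511 for carol, dave and erin, and is then cut off with 571 before it can ask about frank. That cut-off, plus the MAIL FROM the client had to supply first (which can itself be checked and logged), is the "fine line" Josh refers to.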



Re: [vchkpw] SMTP_VRFY supported?

2007-05-22 Thread Matt Kane

Quoting Joshua Megerman <[EMAIL PROTECTED]>:

I don't have it enabled, and I have no problems running qmail-smtpd as
vpopmail:vchkpw using tcpserver flags (-u vpopmail -g vchkpw).  Which TLS
patch set are you using?



I am using the Gentoo ebuild and I have read all the negative  
information regarding the state of the ebuild but as I am new to  
Gentoo and qmail I thought it would be a good route for me.  As such,  
I'm not too sure how to answer the TLS patch question.


I do believe I've run my issue down to a permissions problem.  When I  
run qmail-smtpd as the vpopmail user & group chkuser works but TLS  
does not.  The opposite happens when it is run as the qmail user.  I  
have edited /etc/group and added qmaild to the vpopmail group and  
vpopmail to the qmaild group (qmail-smtpd was set to run as  
${QMAILDUID} by default) but that did not fix the problem.


The issue I'm experiencing is compounded by the fact that I'm running  
qmail-smtpd with chkuser on port 2525 so as not to affect users on the  
standard port.  I have been thus far unable to make logging of the  
second service work so I can't tell what file(s) are being permission  
restricted.


If anyone has any suggestions as to what file permissions I could  
check out, I'm all ears.  Thanks again for all your help Josh.


Matt


This message was sent using IMP, the Internet Messaging Program.



Re: [vchkpw] SMTP_VRFY supported?

2007-05-22 Thread Jens Ott - intergenia AG

Matt Kane wrote:
> Quoting Joshua Megerman <[EMAIL PROTECTED]>:
>> I don't have it enabled, and I have no problems running qmail-smtpd as
>> vpopmail:vchkpw using tcpserver flags (-u vpopmail -g vchkpw).  Which TLS
>> patch set are you using?
>>
> 
> I am using the Gentoo ebuild and I have read all the negative
> information regarding the state of the ebuild but as I am new to Gentoo
> and qmail I thought it would be a good route for me.  As such, I'm not
> too sure how to answer the TLS patch question.
> 
> I do believe I've run my issue down to a permissions problem.  When I
> run qmail-smtpd as the vpopmail user & group chkuser works but TLS does
> not.  The opposite happens when it is run as the qmail user.  I have
> edited /etc/group and added qmaild to the vpopmail group and vpopmail to
> the qmaild group (qmail-smtpd was set to run as ${QMAILDUID} by default)
> but that did not fix the problem.
> 
> The issue I'm experiencing is compounded by the fact that I'm running
> qmail-smtpd with chkuser on port 2525 so as not to affect users on the
> standard port.  I have been thus far unable to make logging of the
> second service work so I can't tell what file(s) are being permission
> restricted.

If you're running the default setup in Gentoo:

mkdir /service/$YOURSERVICENAME/log

and create a file
/service/$YOURSERVICENAME/log/run

with the following contents
---- SNIP ----
#!/bin/sh
# Gentoo Startup script for qmail's SMTP daemon (logging)
# $Header:
# /home/cvsroot/gentoo-x86/net-mail/qmail/files/run-qmailsmtpdlog,v 1.1
# 2003/11/30 11:32:06 robbat2 Exp $
SERVICE=smtp
source /var/qmail/bin/qmail-config-system && \
exec /usr/bin/setuidgid qmaill /usr/bin/multilog \
${LOG_OPTS} ${LOG_DEST}2
---- SNAP ----

make it executable (chmod +x) and you'll have your log in
/var/log/qmail/qmail-smtpd2/current



> 
> If anyone has any suggestions as to what file permissions I could check
> out, I'm all ears.  Thanks again for all your help Josh.

Maybe try "chmod g+s /var/vpopmail/bin/vchkpw"

> 
> Matt
> 
> 
> This message was sent using IMP, the Internet Messaging Program.



--
Jens Ott
Head of Operations

intergenia Webhosting AG
Daimlerstr. 9-11
50354 Hürth

Tel. : +49 2233 612 503
Fax  : +49 2233 612 513
Mail : [EMAIL PROTECTED]
GPG-Fingerprint: D190 09C6 FCDF D0B4 3A44  FB6E 440E C024 7E27 ACCF

http://www.intergenia.de

Executive board:
Andreas Niehaus - Frank Gross - Jochen Berger - Oliver Drifthaus
Dr. Stephan Göbel - Thomas Strohe

Chairman of the supervisory board: Claudius Schmalschläger

Court of registration: HRB Köln 58428 - VAT ID: DE216740823
Bank details: Sparkasse Waldkirchen
Bank code: 740 512 30 - Account no.: 919 85 65


Re: [vchkpw] SMTP_VRFY supported?

2007-05-22 Thread Matt Kane

Jens & Josh,

Thanks a ton for all your help.  I pieced together everything and was 
able to make TLS & chkuser happy by doing the following:


running qmail-smtpd as the vpopmail user
changing ownership of /var/qmail/control/servercert.pem to 
qmaild.vpopmail (440)

compiled chkuser2 patch without the uid/gid switching

My logging issues were due to not having generated the cdb files in 
/etc/tcprules.d (tcp.qmail-smtp.cdb); once I created these files the 
logging started working right away.  Looks like everything else was 
simply a permissions problem.  This was a lot harder to figure out 
without logging.  Once I got logging working correctly the problem made 
itself obvious.


Thanks again for all your help.

Matt
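The permissions puzzle that ran through this thread (run as vpopmail and chkuser works but TLS does not; run as qmaild and the reverse; adding each user to the other's group did not help; the fix was to run as vpopmail and chown servercert.pem to qmaild:vpopmail mode 440) comes down to how Unix picks exactly one of the owner, group or other bit sets for a process. The added Python below works that decision through for the thread's two files and two service identities. It is example code written for this page, not part of the thread or of qmail/vpopmail: the uid and gid numbers, the group names and the "before" ownership of servercert.pem are constructed assumptions; the "after" state is the one Matt reports; root is deliberately not special-cased.

```python
"""Who can read or execute the files qmail-smtpd needs, decided the way the
kernel does: owner bits if the uid owns the file, else group bits if the
file's gid is one of the process's gids, else the other bits.

Example code added for this thread, not part of it.  Account table, gids
and the "before" ownership of servercert.pem are constructed assumptions;
the "after" state is the one reported in the thread.  Root is not modelled.
"""
import stat
from collections import namedtuple

# Constructed account table (assumption): user -> (uid, primary group).
USERS = {"qmaild": (7791, "qmail"), "vpopmail": (89, "vpopmail")}
GROUPS = {"qmail": 2108, "vpopmail": 89, "vchkpw": 90}

Principal = namedtuple("Principal", "uid gids")
FileMeta = namedtuple("FileMeta", "owner group mode")

_BITS = {
    "owner": {"r": stat.S_IRUSR, "w": stat.S_IWUSR, "x": stat.S_IXUSR},
    "group": {"r": stat.S_IRGRP, "w": stat.S_IWGRP, "x": stat.S_IXGRP},
    "other": {"r": stat.S_IROTH, "w": stat.S_IWOTH, "x": stat.S_IXOTH},
}


def principal(user, extra_groups=()):
    """Process identity: uid plus primary and any supplementary gids."""
    uid, primary = USERS[user]
    return Principal(uid, frozenset(GROUPS[g] for g in (primary,) + tuple(extra_groups)))


def file_meta(owner, group, mode):
    return FileMeta(USERS[owner][0], GROUPS[group], mode)


def may(p, f, want):
    """Unix class selection: exactly one bit set applies, and a more
    permissive later class never rescues a restrictive earlier one (a file
    owner with 0o040 cannot read the file even though its group can)."""
    if p.uid == f.owner:
        cls = "owner"
    elif f.group in p.gids:
        cls = "group"
    else:
        cls = "other"
    return bool(f.mode & _BITS[cls][want])


def audit(run_as, cert, vchkpw):
    """The checks the thread ends up needing for one service identity:
    can it read the TLS cert, can it run vchkpw, and is vchkpw setgid
    (the chmod g+s route suggested above)."""
    return {
        "tls_cert_readable": may(run_as, cert, "r"),
        "vchkpw_executable": may(run_as, vchkpw, "x"),
        "vchkpw_setgid": bool(vchkpw.mode & stat.S_ISGID),
    }


# Before (assumption): cert readable by qmaild and group qmail only; vchkpw 0750.
BEFORE_CERT = file_meta("qmaild", "qmail", 0o640)
VCHKPW = file_meta("vpopmail", "vchkpw", 0o750)
# After the reported fix: chown qmaild:vpopmail, chmod 440.
AFTER_CERT = file_meta("qmaild", "vpopmail", 0o440)

if __name__ == "__main__":
    for who in ("qmaild", "vpopmail"):
        print(who, "before:", audit(principal(who), BEFORE_CERT, VCHKPW))
        print(who, "after: ", audit(principal(who), AFTER_CERT, VCHKPW))
    # Supplementary group membership only helps when it is the file's group.
    print("vpopmail +qmail group, before:",
          may(principal("vpopmail", ("qmail",)), BEFORE_CERT, "r"))
```

With the "before" layout the two identities fail in opposite directions, exactly as observed: vpopmail falls through to the other bits of the cert (none), qmaild falls through to the other bits of vchkpw (none). Putting the cert in group vpopmail with mode 440 lets qmaild read it through the owner bits and vpopmail through the group bits, which is why the single chown fixed both halves. The audit only reports the setgid bit on vchkpw rather than recommending it; whether that route or run-as-vpopmail is right depends on the rest of the install.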
