qmail Digest 13 Sep 1999 10:00:01 -0000 Issue 758
Topics (messages 30155 through 30172):
Problems while downloading E-Mails with Outlook-Express
30155 by: Ruben van der Leij <[EMAIL PROTECTED]>
Strange open relay problem with qmail due to bad configuration.
30156 by: James Smallacombe <[EMAIL PROTECTED]>
30170 by: "Petr Novotny" <[EMAIL PROTECTED]>
30171 by: Sebastian Andersson <[EMAIL PROTECTED]>
Should qmail-103.patch be applied to ucspi-tcp?
30157 by: "John K. Chester" <[EMAIL PROTECTED]>
30160 by: Peter van Dijk <[EMAIL PROTECTED]>
Big mama ISP server
30158 by: Paul Gregg <[EMAIL PROTECTED]>
Still 533
30159 by: "Tetsu Ushijima" <[EMAIL PROTECTED]>
Strange problems...
30161 by: Dmitry Niqiforoff <[EMAIL PROTECTED]>
Outlook Groupware Functions
30162 by: Jason Haar <[EMAIL PROTECTED]>
30163 by: "Mr. Christopher F. Miller" <[EMAIL PROTECTED]>
30165 by: "D. W. Wieboldt" <[EMAIL PROTECTED]>
30167 by: Sam <[EMAIL PROTECTED]>
30168 by: Ruben van der Leij <[EMAIL PROTECTED]>
30169 by: Ruben van der Leij <[EMAIL PROTECTED]>
qmail & relay detection
30164 by: "Cris Daniluk" <[EMAIL PROTECTED]>
30166 by: "Peter Samuel" <[EMAIL PROTECTED]>
Return Receipts
30172 by: "Bongo" <[EMAIL PROTECTED]>
Administrivia:
To subscribe to the digest, e-mail:
[EMAIL PROTECTED]
To unsubscribe from the digest, e-mail:
[EMAIL PROTECTED]
To bug my human owner, e-mail:
[EMAIL PROTECTED]
To post to the list, e-mail:
[EMAIL PROTECTED]
----------------------------------------------------------------------
On Sat, Sep 11, 1999 at 07:38:12PM +0200, Cyril Bitterich wrote:
> knows what is meant, but nobody can really put it into words concisely
> ...
> Maybe I should try "learning by doing"???
>
> I would like to know why Outlook could take this for a problem. Might it
> be that the problem derives from two IP packets that divided the message
> into one ending with a dot and one starting with a dot?
The exact description of the problem is: when one packet ends with a dot,
and the next fragment starts with a dot, outlook stops reading input as
mail, and returns to command mode. The next word isn't part of normal
popserver/popclient communications, and outlook aborts with an error.
> The curious thing with the whole thing is that the above text is in
> message nr. 29 and not nr 30 as you could think from the error message.
It (incorrectly) assumes message 29 is done, and starts waiting for message
30, when it thinks an error occurred.
> And it seems that this Problem does not occur when using an ethernet
> connection but does when using a dial-up line.
You have different MTUs for dial-in and ethernet (576 and 1500).
> I know that this is not an outlook-probs list. But maybe you can help me
> in some way.
There are no solutions. You can forcefeed all incoming mail through a filter
which removes double dots. That will destroy some attachments.
You can tell people to use another mailer (all outlook express versions
suffer from this problem).
You can't download the source and fix it yourself.
If people insist on using outlook they will have no choice but to accept
this kind of thing happening once in a while.
You can sue MICROS~1.
I'm sorry if this sounds final, but you, from your side, cannot work around
a bug which makes your client's mail program stop listening. About the only
workaround is to forward the message to the client's account using pine,
mutt or the like, and hope the extra headers will shift the double dot away
from the boundary of two packets. But that's a manual workaround. If you
have 17000 clients (like I do) it's a lot of extra work.
--
Ruben
--
Eat more memory!
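To make Ruben's description concrete, here is an added example (not code from this thread, from qmail, or from any mail client) of a POP3 response reader that reassembles complete lines before interpreting anything, next to a model of a reader that judges each received segment on its own. The message, the segment sizes and both readers are constructed for the illustration; the naive reader is a model of the described failure, not a reverse-engineering of Outlook Express.

```python
"""POP3 multi-line response reading that survives arbitrary segment boundaries.

Added illustration (not code from the digest, qmail or any mail client). It
models the failure described in the thread: a client that inspects the bytes
of each received segment on their own can mistake a segment beginning with
'.' for the end-of-message terminator. RFC 1939 defines the terminator as
the complete line ".\r\n" and byte-stuffs body lines that begin with '.',
so a correct reader must reassemble lines before interpreting them.
"""

# Constructed test message: one line ends with a dot, the next begins with one.
MESSAGE = (
    b"Subject: dot test\r\n"
    b"\r\n"
    b"This line ends with a dot.\r\n"
    b".this line starts with a dot\r\n"
    b"final line\r\n"
)


def dot_stuff(body):
    """Server side (RFC 1939 section 3): prefix lines starting with '.' with an
    extra '.', then append the ".\r\n" terminator. body must end with CRLF."""
    lines = body.split(b"\r\n")
    if lines[-1] != b"":
        raise ValueError("body must end with CRLF")
    stuffed = [b"." + l if l.startswith(b".") else l for l in lines[:-1]]
    return b"\r\n".join(stuffed) + b"\r\n.\r\n"


class RobustReader:
    """Client side: buffer received bytes and act only on complete lines."""

    def __init__(self):
        self.buf = b""
        self.lines = []
        self.done = False

    def feed(self, chunk):
        self.buf += chunk
        while not self.done:
            i = self.buf.find(b"\r\n")
            if i < 0:
                break                        # wait for the rest of the line
            line, self.buf = self.buf[:i], self.buf[i + 2:]
            if line == b".":                 # the only valid terminator
                self.done = True
            else:
                if line.startswith(b"."):    # undo the byte-stuffing
                    line = line[1:]
                self.lines.append(line)
        return self.done

    def message(self):
        return b"\r\n".join(self.lines) + b"\r\n"


class NaiveReader:
    """Model of the failing client: it treats the first byte of every segment
    as the first byte of a line, so a segment that happens to start with '.'
    is taken for the terminator even when it is the middle of a line."""

    def __init__(self):
        self.data = b""
        self.done = False

    def feed(self, chunk):
        if chunk.startswith(b"."):          # wrong: segment start != line start
            self.done = True
            return True
        end = chunk.find(b"\r\n.\r\n")
        if end >= 0:                         # terminator wholly inside this segment
            self.data += chunk[:end + 2]
            self.done = True
            return True
        self.data += chunk
        return False

    def message(self):
        lines = self.data.split(b"\r\n")
        return b"\r\n".join(l[1:] if l.startswith(b"..") else l for l in lines)


def deliver(wire, size, reader_cls):
    """Feed wire bytes to a reader in fixed-size segments (a stand-in for the
    MTU-sized packets in the thread) and return what the reader believes the
    message is."""
    reader = reader_cls()
    for off in range(0, len(wire), size):
        if reader.feed(wire[off:off + size]):
            break
    return reader.message()


def failing_segment_sizes(wire, reader_cls, expected):
    """Every segment size for which the reader does not recover `expected`."""
    return [n for n in range(1, len(wire) + 1)
            if deliver(wire, n, reader_cls) != expected]


WIRE = dot_stuff(MESSAGE)

if __name__ == "__main__":
    print("robust reader fails at sizes:", failing_segment_sizes(WIRE, RobustReader, MESSAGE))
    print("naive reader fails at sizes: ", failing_segment_sizes(WIRE, NaiveReader, MESSAGE))
```

Running it shows the robust reader recovering the message for every segment size, while the naive reader fails for exactly those sizes that put a segment boundary just before a dot: the dot that ends a line, or the stuffed double dot that starts the next one. That is why the same message survives on ethernet and breaks on a dial-up link with a different MTU.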
On Sun, 12 Sep 1999, Sebastian Andersson wrote:
> I just got a nasty letter from ORBS telling me that one of my SMTP
> servers was an open relay.
>
> The host was a secondary mailserver for some of our domains and it had
> no hosts in locals and a correctly configured rcpthosts. Its virtualhosts
> was also empty and it was not configured to allow percent hack.
> Still <user%domain@[ipnumber]>, where ipnumber was the host's IP number,
> was allowed straight through.
>
> me was set to a local domain, where another server was primary and that
> server was configured to allow relaying for this server.
>
> [ipnumber] was changed to the default domain and that was in the rcpthosts
> file so it was ok. The message was forwarded to the primary smtp server for
> that domain and that server saw that the mail came from an authorized
> relayer and passed it along...
Well, yeah... This is a major hole. Plug it up by taking the host A's
ip/name out of the relay host's list of allowed relay clients. It'll
still receive email from that host, but will only deliver it locally.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 12 Sep 99, at 12:15, Sebastian Andersson wrote:
> I just got a nasty letter from ORBS telling me that one of my SMTP
> servers was an open relay.
If you told us the IP of your machine so that we could look up on
the ORBS site the exact problem, we could be more helpful.
> The host was a secondary mailserver for some of our domains and it had no
> hosts in locals and a correctly configured rcpthosts. Its virtualhosts was
> also empty and it was not configured to allow percent hack. Still
> <user%domain@[ipnumber]>, where ipnumber was the host's IP number, was
> allowed straight through.
>
> me was set to a local domain, where another server was primary and
> that server was configured to allow relaying for this server.
What I guess you describe is this: somewhere inside your
network, you have an open relay (addressable from the internet). Your
blacklisted machine is a smart host for that open relay.
You can't do anything about that problem on the border qmail. You
need to fix the smtp machine inside the network.
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.0.2 -- QDPGP 2.60
Comment: http://community.wow.net/grt/qdpgp.html
iQA/AwUBN9y6EVMwP8g7qbw/EQL3uQCeMTa9Xf79pDJVzfYYsib4DVG1vmEAoNy/
CtqTkIS+obknLwVpeAMue7oW
=16kv
-----END PGP SIGNATURE-----
--
Petr Novotny, ANTEK CS
[EMAIL PROTECTED]
http://www.antek.cz
PGP key ID: 0x3BA9BC3F
-- Don't you know there ain't no devil there's just God when he's drunk.
[Tom Waits]
On Mon, Sep 13, 1999 at 09:47:14AM +0100, Petr Novotny wrote:
> If you told us the IP of your machine so that we could look up on
> the ORBS site the exact problem, we could be more helpful.
>
I guess I didn't express myself clearly enough. The problem is fixed.
I just thought someone might be interested, since one usually thinks one
is protected when one uses qmail's rcpthosts file.
The problem was that my secondary mail server allowed third-party relaying
of this form <user%domain@[ipnumber]>, where ipnumber is my secondary mail
server's IP number and the primary mail server allows the percent hack for allowed
relayers. The reason this worked was that "me" was set to the domain
name that the server was secondary mail server for and not the hostname.
The problem could be solved in three ways:
* changing me to something that the mailhost was primary for (like its
hostname).
* Turning off the percent hack at the primary mail server.
* Not accepting the secondary mail server as an allowed relayer at the
primary mail server.
I chose the first option. The second option will be implemented
shortly when we upgrade the primary mail server.
/Sebastian
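As an added example (not qmail's code and not Sebastian's actual setup; hosts, addresses and IPs are constructed), the following model traces one RCPT TO through the two hosts and shows that each of the three fixes listed above closes the hole. The secondary follows the documented qmail-smtpd handling of a bracketed IP literal (one of the host's own addresses is replaced by control/localiphost, which defaults to control/me) and of control/rcpthosts; the primary is modelled only as the post describes it, honouring the percent hack for clients it allows to relay.

```python
"""Model of the relay chain from the post above (added example; not qmail's
code, and the hosts, addresses and IPs are constructed).

The secondary is modelled on documented qmail-smtpd behaviour: a recipient
domain written as a bracketed IP literal that is one of the host's own
addresses is replaced by control/localiphost, which defaults to control/me;
the resulting domain is then checked against control/rcpthosts (exact entry,
or a ".dom" entry matching any subdomain). The primary is modelled only as
the post describes it: it honours the percent hack for allowed relay clients.
"""

from dataclasses import dataclass, field


@dataclass
class QmailSecondary:
    name: str
    ip: str
    me: str                      # control/me; also localiphost when that file is absent
    rcpthosts: set
    locals: set = field(default_factory=set)

    def addrparse(self, rcpt):
        """qmail-smtpd addrparse(): user@[own-ip] becomes user@localiphost."""
        local, _, domain = rcpt.rpartition("@")
        if domain.startswith("[") and domain.endswith("]") and domain[1:-1] == self.ip:
            domain = self.me
        return local, domain

    def rcpthosts_ok(self, domain):
        return domain in self.rcpthosts or any(
            h.startswith(".") and domain.endswith(h) for h in self.rcpthosts)

    def handle(self, rcpt, client_ip):
        local, domain = self.addrparse(rcpt)
        if not self.rcpthosts_ok(domain):
            return "reject", rcpt                 # 553 sorry, that domain isn't in my list
        addr = f"{local}@{domain}"
        return ("local" if domain in self.locals else "forward"), addr


@dataclass
class PrimaryMTA:
    name: str
    ip: str
    locals: set
    percenthack: bool
    relayclients: set            # client IPs allowed to relay

    def handle(self, rcpt, client_ip):
        local, _, domain = rcpt.rpartition("@")
        if domain not in self.locals:
            return "reject", rcpt
        if self.percenthack and client_ip in self.relayclients and "%" in local:
            user, _, newdomain = local.rpartition("%")   # user%dom@here -> user@dom
            return "relay", f"{user}@{newdomain}"
        return "local", rcpt


def trace(secondary, primary, rcpt, client_ip):
    """Follow one RCPT TO from an outside client through both hosts."""
    path = []
    action, addr = secondary.handle(rcpt, client_ip)
    path.append((secondary.name, action, addr))
    if action == "forward":
        action, addr = primary.handle(addr, secondary.ip)
        path.append((primary.name, action, addr))
    return path


def is_open_relay(path):
    return path[-1][1] == "relay"


def scenario(fix=None):
    """Reproduce the misconfiguration, optionally with one of the three fixes
    from the post applied: "me", "percenthack" or "relayclient"."""
    secondary = QmailSecondary(name="mx2.example.com", ip="192.0.2.2",
                               me="example.com",        # the bug: me = backed-up domain
                               rcpthosts={"example.com"})
    primary = PrimaryMTA(name="mx1.example.com", ip="192.0.2.1",
                         locals={"example.com"}, percenthack=True,
                         relayclients={"192.0.2.2"})
    if fix == "me":
        secondary.me = "mx2.example.com"                 # hostname, not the domain
    elif fix == "percenthack":
        primary.percenthack = False
    elif fix == "relayclient":
        primary.relayclients = set()
    # Constructed probe: an outside client (203.0.113.9) addresses a third
    # party through the secondary's own IP literal.
    return trace(secondary, primary, "someone%third-party.example@[192.0.2.2]", "203.0.113.9")


if __name__ == "__main__":
    for fix in (None, "me", "percenthack", "relayclient"):
        print(f"fix={fix!s:12} open relay={is_open_relay(scenario(fix))} {scenario(fix)}")
```

The trace makes the interaction visible: the secondary's own rcpthosts check passes because the IP literal has already been rewritten to the backed-up domain, and the primary trusts the secondary's IP, so neither host alone sees anything wrong. Each fix breaks a different link in that chain.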
I am running qmail-1.03, and have just applied the AOL patch which I
obtained from qmail.org (file qmail-103.patch). I note that ucspi-tcp
has its own copy of dns.c (content identical to dns.c supplied with
qmail-1.03). Should the patch also be applied to ucspi-tcp? I can't
find any mention of this in the documentation.
--
---------------------------------------------------------------
John K. Chester email [EMAIL PROTECTED]
phone 212-792-2036 fax 212-253-4290
---------------------------------------------------------------
On Sun, Sep 12, 1999 at 10:19:07AM -0400, John K. Chester wrote:
> I am running qmail-1.03, and have just applied the AOL patch which I
> obtained from qmail.org (file qmail-103.patch). I note that ucspi-tcp
> has its own copy of dns.c (content identical to dns.c supplied with
> qmail-1.03). Should the patch also be applied to ucspi-tcp? I can't
> find any mention of this in the documentation.
Since tcpclient and tcpserver only do A and PTR lookups, the chance of a
DNS reply >512 bytes is much smaller than with qmail, which does MX
lookups.
But I think it should be possible, yes. It's not a bad idea anyway :)
Greetz, Peter
--
| 'He broke my heart, | Peter van Dijk |
I broke his neck' | [EMAIL PROTECTED] |
nognikz - As the sun | Hardbeat@ircnet - #cistron/#linux.nl |
http://www.nognikz.mdk.nu/ | Hardbeat@undernet - #groningen/#kinkfm/#vdh |
Ira Abramov <[EMAIL PROTECTED]> wrote:
> at 150K users, the loads on my server aren't impressive, I'm guessing
> Israeli users surf and chat more than write Emails, possibly because of
> the software limitations (very few Right-to-left clients available, fewer
> agree on the encoding of the characters)
> My bosses are quite happy with an outgoing Qmail server, so now I want to
> make all other functions work on Qmail (local delivery, virtual domains,
> pop, ETRN users moving to AUTORUN etc.)
> right now an ugly 8 meg password file with a 6 meg shadow sidekick are
> pushed around the servers with scp. I'm going to move delivery and RADIUS
> auth all to RDBMs... (anyone done this? It's really hard to find useful
> info about this online... should I patch them all to lookup CDB files, or
> lookup an SQL server maybe?)
> the main question I'd like to pose to people, because getting sun machines
> just for tests is too expensive an option here, has anyone compared the
> speed advantage or loss when moving between the following setups:
> 1. current: sendmail delivers to a local in-house agent written in C (15k
> tool) that tests for a vacation flag for a user, then delivers to a two
> level hashed spool directory (/var/spool/mail/u/s/username) mounted from a
> net appliance box after checking mail quota limits (not standard fs
> quota). a second machine serves pop with qpopper.
> 2. wanted: qmail uses qmail-users or an external lookup (of CDB or some
> SQL?) to deliver to a single-UID hash of maildirs if within quota, while
> checking for a vacation flag and executing if necessary. POP is served
> from another machine using qmail-pop3d. no dialup users have a UID or an
> entry in the /etc/passwd (YEAH!!!)
> is qmail-pop3d up to such volumes? is the 2-order growth in number of
> directories and files on the fileserver a speed damper? should I let qmail
> deliver to the existing hash and keep Qualcomm's popper poppin'?
> all suggestions and experienced tips are welcome, on-list or off it. TIA!
> Ira.
> (Oh yeah, and Russel, if you have a ready-made solution you can offer for
> a fee, send me an offer!)
Your (2) wanted isn't that difficult to do. We have a MySQL DB holding
account details of all users and our mailhub uses the ~alias/.qmail-default
to deliver all mail to a custom built program which then
a) Checks to see if the hash directory exists /u/domain.com/u/s/username
and if so delivers to the Maildir in that directory (mail would
have been sent to [EMAIL PROTECTED])
b) If not, then it performs a Mysql lookup to see if the account exists
and isn't disabled or locked. If ok then makes the directory and performs
as a) above.
c) If a and b fail then bounces the message with No such user.
checkpoppasswd currently is custom written to check the same DB (but for speed
I'm going to change it so that cron produces a cdb of the password file).
Both smtp and pop3 run on the same box and we've 7,500 users now (not one of
them involved any human intervention in setting up the account or management
of the mailhub).
As regards speed advantage: on the delivery, you should be able to use
a slightly modified version of your existing C delivery program. As such
you won't see any great speed difference, other than less memory usage
overall. On the Pop3 your checkpasswd is going to be your potential slow
problem (which is why I need to get away from direct DB querying).
Paul Gregg
--
Email pgregg at tibus.net T: +44 (0) 1232 424190 | CLUB24 INTERNET |
Technical Director F: +44 (0) 1232 424709 | Free Access |
The Internet Business Ltd W: http://www.tibus.net | www.club24.co.uk |
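Paul's steps (a) to (c) as an added example (not his program and not qmail code): a delivery agent that qmail-local can run from ~alias/.qmail-default. qmail-local passes the recipient in $RECIPIENT and the message on stdin, and reads the exit status per dot-qmail(5): 0 delivered, 100 permanent failure (bounce), 111 temporary failure (retry). The account table, the hashing layout, the MAIL_ROOT variable and the padding of short usernames are assumptions made for the illustration.

```python
"""A .qmail-default delivery agent along the lines described in the post
(added example; not the poster's program, not qmail code). qmail-local runs
the program with the recipient in $RECIPIENT and the message on stdin, and
interprets the exit status per dot-qmail(5): 0 delivered, 100 permanent
failure (bounce), 111 temporary failure (retry later). The account table,
hashing scheme and MAIL_ROOT directory below are constructed stand-ins for
the MySQL lookup and the /u/domain.com/u/s/username layout in the post.
"""

import os
import socket
import sys
import tempfile
import time
from pathlib import Path

EXIT_OK, EXIT_HARD, EXIT_SOFT = 0, 100, 111

# Constructed stand-in for the account database.
ACCOUNTS = {
    "alice@example.com": {"status": "active"},
    "bob@example.com": {"status": "locked"},
}


def safe_part(s):
    """Recipient parts come from the network: keep them out of path tricks."""
    return bool(s) and not s.startswith(".") and all(c.isalnum() or c in "._-%" for c in s)


def hash_dir(root, user, domain):
    """Two-level hash: <root>/<domain>/<first letter>/<second letter>/<user>.
    Names shorter than two characters are padded with '_' (an assumption)."""
    padded = (user + "__")[:2]
    return Path(root) / domain / padded[0] / padded[1] / user


def maildir_write(maildir, message):
    """Maildir delivery: a unique name in tmp/, fully written and synced,
    then moved into new/ so readers never see a partial file."""
    for sub in ("tmp", "new", "cur"):
        (maildir / sub).mkdir(parents=True, exist_ok=True)
    name = f"{time.time_ns()}.P{os.getpid()}.{socket.gethostname()}"
    tmp, new = maildir / "tmp" / name, maildir / "new" / name
    with open(tmp, "wb") as f:
        f.write(message)
        f.flush()
        os.fsync(f.fileno())
    os.rename(tmp, new)
    return new


def deliver(recipient, message, root, accounts=ACCOUNTS):
    """Steps (a)-(c) from the post; returns the exit status for qmail-local."""
    recipient = recipient.lower()
    user, _, domain = recipient.rpartition("@")
    if not (safe_part(user) and safe_part(domain)):
        return EXIT_HARD                          # malformed address: bounce
    maildir = hash_dir(root, user, domain) / "Maildir"
    if not maildir.is_dir():                      # (b): not yet provisioned
        account = accounts.get(recipient)
        if account is None or account["status"] != "active":
            return EXIT_HARD                      # (c): no such user, bounce
        maildir.mkdir(parents=True)
    try:
        maildir_write(maildir, message)           # (a): deliver into the Maildir
    except OSError:
        return EXIT_SOFT                          # disk trouble: let qmail retry
    return EXIT_OK


def run_demo():
    """Exercise the agent against a temporary root; returns the exit statuses."""
    root = tempfile.mkdtemp()
    msg = b"Subject: test\n\nhello\n"
    results = {
        "active": deliver("alice@example.com", msg, root),
        "active_again": deliver("Alice@Example.com", msg, root),
        "locked": deliver("bob@example.com", msg, root),
        "unknown": deliver("nobody@example.com", msg, root),
    }
    new = hash_dir(root, "alice", "example.com") / "Maildir" / "new"
    results["files_in_new"] = len(list(new.iterdir()))
    return results


if __name__ == "__main__":
    # Invocation from ~alias/.qmail-default would be: |/path/to/this-agent
    sys.exit(deliver(os.environ.get("RECIPIENT", ""), sys.stdin.buffer.read(),
                     os.environ.get("MAIL_ROOT", "/u")))
```

The exit status is the whole interface to qmail-local, which is why the distinction between 100 and 111 matters: a database outage reported as 100 would bounce mail for every valid user, while a missing account reported as 111 would keep unwanted messages in the queue for a week.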
Paul Farber writes:
> still getting my ass kicked by qmail. I've gotten it down to one file...
> if rcpthosts exists then I get the 533 (#5.7.1) not allowed message.
You should track down what's really happened:
1. Make sure you are logging tcpserver's activity.
2. From the tcpserver's log, identify the IP address from
which a relaying was attempted.
3. For the IP address identified, try out rules for tcpserver
with the tcprulescheck program. Does it say RELAYCLIENT
will be set?
> there are no log file entries, and I am running tcpserver with -v -H -R.
There should be some log messages from tcpserver. But be aware
that the log file for tcpserver is not always the same as the
one for qmail-send. With the -v option, tcpserver puts log
messages on its standard error. So the actual log file location
depends on how you start tcpserver, which you should know.
--
Tetsu Ushijima
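An added example (not ucspi-tcp code) that models step 3 of the checklist above: given a tcprules source file, which rule would tcpserver pick for a client, and does that rule set RELAYCLIENT. The lookup order follows the tcprules documentation; the rules file and client addresses are constructed, and range syntax (1.2.3.4-7) and escaped values are not modelled. The authoritative check remains running tcprulescheck against the compiled cdb with TCPREMOTEIP (and TCPREMOTEHOST) set in the environment; this model only helps to see why a particular rule matched.

```python
"""Model of how tcpserver picks a rule from a tcprules database (added
example; not ucspi-tcp code). The lookup order follows the tcprules
documentation: info@ip, info@=host, ip, =host, ip prefixes ending in a dot
from longest to shortest, =.host suffixes from longest to shortest, "=",
then the empty default; the first rule found wins, and with no rule at all
tcpserver allows the connection. The rules file is constructed; ranges and
backslash escapes in values are not modelled.
"""

RULES_TEXT = """\
# constructed tcp.smtp: RELAYCLIENT is what makes qmail-smtpd skip rcpthosts
127.:allow,RELAYCLIENT=""
192.168.0.:allow,RELAYCLIENT=""
192.168.0.13:deny
=.dialup.example.net:deny
:allow
"""


def parse_rules(text):
    """tcprules source format: address:allow|deny[,VAR="value"...]."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(":")
        action, *settings = rest.split(",")
        env = {}
        for item in settings:
            var, _, value = item.partition("=")
            env[var] = value.strip('"')
        rules[key] = (action, env)
    return rules


def lookup_keys(ip, host=None, info=None):
    """Keys in the order tcpserver tries them for one connection."""
    keys = []
    if info:
        keys.append(f"{info}@{ip}")
        if host:
            keys.append(f"{info}@={host}")
    keys.append(ip)
    if host:
        keys.append(f"={host}")
    octets = ip.split(".")
    for n in range(len(octets) - 1, 0, -1):          # 1.2.3. then 1.2. then 1.
        keys.append(".".join(octets[:n]) + ".")
    if host:
        labels = host.split(".")
        for n in range(1, len(labels)):              # =.sub.example.net, =.example.net, ...
            keys.append("=." + ".".join(labels[n:]))
        keys.append("=")
    keys.append("")
    return keys


def decide(rules, ip, host=None, info=None):
    """Return (matched_key, action, env); with no matching rule tcpserver allows."""
    for key in lookup_keys(ip, host, info):
        if key in rules:
            action, env = rules[key]
            return key, action, dict(env)
    return None, "allow", {}


def relay_allowed(rules, ip, host=None, info=None):
    """Step 3 of the checklist: would this client get RELAYCLIENT set?"""
    _, action, env = decide(rules, ip, host, info)
    return action == "allow" and "RELAYCLIENT" in env


RULES = parse_rules(RULES_TEXT)

if __name__ == "__main__":
    for ip, host in (("127.0.0.1", None), ("192.168.0.13", None),
                     ("198.51.100.7", "pool-7.dialup.example.net"), ("203.0.113.9", None)):
        print(ip, host, decide(RULES, ip, host), "relay:", relay_allowed(RULES, ip, host))
```

Two details of the order are worth keeping in mind when reading a real tcpserver log: an exact IP rule beats a prefix rule even when the prefix grants RELAYCLIENT, and hostname-based rules are only consulted when tcpserver was run with hostname lookups enabled (the -H option in the original post disables them), so a rule such as =.dialup.example.net silently never matches in that configuration.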
Hello!
I'm using QMAIL and UW-IMAP patched for mailbox format. There are complaints from
our users that they're unable to delete some messages using IMAP. They mark a message as
"deleted" in their mail agent, and when they do "folder compact" it remains undeleted
and unmarked as deleted. When I look into their homedir where the mailbox file resides,
there are some files with long names which look like temporary files (with "$" in the
filenames). When I delete them, all the problems disappear until the next such situation.
Does anybody know what can be the source of this problem? Any suggestions about how
to resolve the problem?
--
________________________________________________________
Regards, Dmitry Niqiforoff [tel. +7 8462 427427]
Kraft-S, Ltd.
Samara, Russia
On Sat, Sep 11, 1999 at 02:15:56AM +0200, Stephan Hadan wrote:
> I really don't want to use M$ Exchange to use the wanted features of
> Outlook.
Absolutely no way.
Outlook Professional is a MAPI mail client - that means it needs to talk to
a MAPI server - and the only ones available are on M$ platforms. To do
"proper" Internet-standards based Email in a company environment, there's
nothing that beats IMAP - but it's an Email protocol - not a Groupware one.
MS Outlook connected to MS Exchange server allows you to share calendars (so
you can plan meetings), share contacts lists and share messages via a Public
Folder system.
To do the same in an Internet-standards environment you'd need:
IMAP for Email
LDAP for addressbooks (although this isn't commonly used to allow users to
share personal addressbooks)
NNTP for sharing messages
- but there's NOTHING to do Calendars. That just hasn't come up.
I find that Outlook Express - which is free with Internet Explorer 4/5 - can
be used instead of Outlook Professional to do most of what Professional can
do. Its internal calendar can even be used to plan meetings with other
Outlook Express users - the only thing it doesn't allow is for the user to
view another's calendar - but that could be possible via Samba shares?
(getting out of my personal area here...).
Anyway, I manage an Exchange server here - and it's the ONLY thing I lose
sleep over. It's truly a "fair weather friend" - really good when it's going
- but if it dies - you wish you could just pick up and leave for another
job....
--
Cheers
Jason Haar
Unix/Network Specialist, Trimble NZ
Phone: +64 3 3391 377 Fax: +64 3 3391 417
Didn't I read in trade rags that HP was planning to release a
**drop in** alternative to Exchange by year end? I can't remember
if it was going to be Open Source or not.
cfm
On Mon, Sep 13, 1999 at 09:25:26AM +1200, Jason Haar wrote:
> On Sat, Sep 11, 1999 at 02:15:56AM +0200, Stephan Hadan wrote:
> > I really don't want to use M$ Exchange to use the wanted features of
> > Outlook.
>
>
> Absolutely no way.
>
> Outlook Professional is a MAPI mail client - that means it needs to talk to
> a MAPI server - and the only ones available are on M$ platforms. To do
--
Christopher F. Miller, Publisher [EMAIL PROTECTED]
MaineStreet Communications, Inc 208 Portland Road, Gray, ME 04039
1.207.657.5078 http://www.maine.com/
Database publishing, e-commerce, office/internet integration, Debian linux.
On Sun, Sep 12, 1999 at 05:06:24PM -0500, Mr. Christopher F. Miller wrote:
>
> Didn't I read in trade rags that HP was planning to release a
> **drop in** alternative to Exchange by year end? I can't remember
> if it was going to be Open Source or not.
If you are talking about OpenMail, it is already released for Linux. What
exactly it does I know not and can't spare the 200 megabytes or so to find
out. Also would not want to take down qmail to try it :-)
>
> cfm
>
> On Mon, Sep 13, 1999 at 09:25:26AM +1200, Jason Haar wrote:
> > On Sat, Sep 11, 1999 at 02:15:56AM +0200, Stephan Hadan wrote:
> > > I really don't want to use M$ Exchange to use the wanted features of
> > > Outlook.
> >
> >
> > Absolutely no way.
> >
> > Outlook Professional is a MAPI mail client - that means it needs to talk to
> > a MAPI server - and the only ones available are on M$ platforms. To do
>
> --
>
> Christopher F. Miller, Publisher [EMAIL PROTECTED]
> MaineStreet Communications, Inc 208 Portland Road, Gray, ME 04039
> 1.207.657.5078 http://www.maine.com/
> Database publishing, e-commerce, office/internet integration, Debian linux.
--
D. W. Wieboldt - - - - - - - - - - [EMAIL PROTECTED]
This computer is running Linux! - - - - http://www.debian.org
Jason Haar writes:
> To do the same in an Internet-standards environment you'd need:
>
> IMAP for Email
> LDAP for addressbooks (although this isn't commonly used to allow users to
> share personal addressbooks)
> NNTP for sharing messages
Actually, with a smart IMAP server you don't need NNTP. Smart IMAP servers
can implement shared message folders.
--
Sam
On Mon, Sep 13, 1999 at 09:25:26AM +1200, Jason Haar wrote:
> - but there's NOTHING to do Calendars. That just hasn't come up.
There's an open specification for a calendar file format, vCal, which is
used by Netscape^H^H^H^H^H^H^H^HIplanet for their calendar-thingy. For
*nix-clients there's iCal, gnomecal and korganizer, and probably more. All
that is needed is for somebody to implement some protocol to share 'open',
common calendars, and a secure way to store private calendars. I think the
authors of the above three will pick up on this in *no* time. I've been
thinking about this for a couple of days. Perhaps I will cook up a draft
vcal:// spec, and make it an RFC, if that hasn't been done already.
You can simulate something like it with a cronjob, a shared file and some
scripting magic. Have a look at above three and their docs.
--
Ruben
--
Eat more memory!
On Mon, Sep 13, 1999 at 02:54:58AM +0200, Ruben van der Leij wrote:
> vcal:// spec, and make it a RFC, if that hasn't been done allready.
Which it turns out to be.
- [ICAL] specifies a core specification of objects, data types,
properties and property parameters;
- [ITIP] specifies an interoperability protocol for scheduling
between different implementations;
- [IMIP] specifies a messaging-based protocol binding for [ITIP].
Searching on URL below will point you to the right drafts.
http://search.ietf.org:80/search/cgi-bin/BrokerQuery.pl.cgi?broker=internet-drafts&query=calendar&caseflag=on&wordflag=off&errorflag=0&maxlineflag=50&maxresultflag=1000&descflag=on&sort=by-NML&verbose=on&maxobjflag=25
Netscape is working towards these standards, they say. M$ will probably
ignore them 'till they cannot ignore the standard without losing many
customers.
--
Ruben
--
Eat more memory!
I have in the past. Since then, I try and avoid mail servers with VRFY.
-----Original Message-----
From: James J. Lippard [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 10, 1999 8:15 PM
To: [EMAIL PROTECTED]
Subject: Re: qmail & relay detection
I agree with Sam on this one. My experience supports his view. I've
never seen any systematic attempts to grab usernames via SMTP. I've seen
quite a few mailbombs with bounces, though.
Jim Lippard [EMAIL PROTECTED] http://www.discord.org/
Unsolicited bulk email charge: $500/message. Don't send me any.
PGP Fingerprint: 0C1F FE18 D311 1792 5EA8 43C8 7AD2 B485 DE75 841C
On Fri, 10 Sep 1999, Sam wrote:
> On Fri, 10 Sep 1999, Dave Sill wrote:
>
> > Sam <[EMAIL PROTECTED]> wrote:
> >
> > >[EMAIL PROTECTED] writes:
> > >
> > >> Anyhow, I realize that giving information "up front" on working
> > >> usernames on the system is probably at least a small security risk,
> > >> so I'd rather not do that,
> > >
> > >I've yet to see anyone make a cogent argument for this, instead of
> > >accepting it as a given.
> >
> > It's pretty obvious. Given two systems, one that advertises users and
> > one that doesn't, and an infinite supply of kiddie krackers doing
> > brute-force searches for accounts with easy-to-guess passwords, the
>
> It's much easier to scrape the same accounts from the web or Usenet.
>
> Furthermore, you ignored the rest of my post, which compared whatever
> minuscule benefit you get from practicing security through obscurity
> weighed against your server now being a willing accomplice in a
> denial-of-service attack. The same script kiddies are far less likely to
> select a nailed down service in order to mailbomb someone by proxy,
> instead it's much easier to shove a few thousand messages with a few
> thousand bad recipients into Qmail's queue, then sit back and watch Qmail
> unload a few million messages into the target's mailbox.
>
> > system that advertises usernames will be broken into first, on
> > average, because the crackers will waste less time trying to break
> > into nonexistent accounts.
>
> I've yet to hear of a single documented case of someone using sendmail in
> this fashion in order to crack into accounts. If a cracker wants to
> collect valid addresses to try to crack into, they're far less likely to
> start banging on port 25 which is usually logged on sendmail boxes, and be
> noticed, instead of simply harvesting the addresses off the search engines or
> Dejanews, which is virtually undetectable.
On Fri, 10 Sep 1999, James J. Lippard wrote:
> I agree with Sam on this one. My experience supports his view. I've
> never seen any systematic attempts to grab usernames via SMTP. I've seen
> quite a few mailbombs with bounces, though.
Funny you should mention this. Last week I received a request from
some folks asking me how much it would cost to modify qmail to extract
email addresses from various domains (aol, hotmail and juno). These
people were in the business of selling email addresses. I politely
told them where to go.
Regards
Peter
----------
Peter Samuel [EMAIL PROTECTED]
Technical Consultant or at present:
eServ. Pty Ltd [EMAIL PROTECTED]
Phone: +61 2 9206 3410 Fax: +61 2 9281 1301
"If you kill all your unhappy customers, you'll only have happy ones left"
I'm trying to set up qmail to handle delivery reports (return receipts,
etc.)
In "Life with Qmail" it says to see ~~qreceipt
Anyone shed some light on what "~~qreceipt" is?
Thanks.