Announce: QSP - Qmail Spamkiller Project
Hello,

Spamkiller engine for QMAIL with SHA authentication and more

I would like to announce my QSP - a new approach to blocking SPAM with SHA authentication, special support for mailing lists, individual templates and so on.

It's a very modular system that comes with a rich API to make your own extensions. I wrote these modules and libraries for Python because I am really angry about spam, and it's time to stop it with some intelligent and new ways and without the usage of online blacklists and so on.

Detailed project information: www.x-itec.de/QSP
Source and download available at the beginning of 09/2001.
Tested with more than 90.000 mails at the moment.

Status: Development. SHA authentication is complete, working on the next module for mailing lists.

If you want to read more about this interesting project, see my project page. If you want to test it just for fun, send me a mail *ggg to [EMAIL PROTECTED] - if the system is enabled, you will get an authorization request. Otherwise there is a bug again -((

The project is free for download in 09/2001 and comes with source and documentation. Python required.

--
Boris Köster [MCSE, CNA]
void SurfTo ( http://www.x-itec.de ){ thanks(0);exit(0); }
Maintainer of the FreeBSD IPSEC-MiniHowTo
Maintainer of QSP - QMail Spamkiller Project
Re[2]: Oops,I guess Sendmail wasn't secure after all...
Hello Russell,

Saturday, June 02, 2001, 5:38:43 AM, you wrote:

RN Boris writes:
RN I really can't hear the qmail is the most secure bla bla anymore,
RN really.

RN Why? It's true.

Yes it is true, and qmail is great, but it would be better to make better documentation for qmail, and to offer bundles with a single makefile. My English is not very good, sorry. I mean qmail has better arguments than security only.

Why does no one make a package with all you need to download and install? Here is a suggestion:

- qmail
- the tcpserver
- something good for pop before smtp
- vpopmail
- good tools for blocking spam, blocking mails from open relays, and so on
- and other additions from other people I do not know

There should be one file to download and the makefile should do nearly everything necessary. I should not spend days to understand the different modules as a newbie, it takes too much time.

RN At the moment I am evaluating qmail, and there
RN are some things I am missing from sendmail.

RN Like what?

See above, a better installation, better documentation. I have written in my linux/unixbook a chapter about the installation and configuration of qmail in a production environment, covering all necessary topics (German language), but it's too much for the stressed administrator. Strange argument, I know. I am a user only in this case.

Putting a lot of snippets together for one package is not a bad idea and would give a boost to qmail (I think).

--
Boris
Re[2]: Oops,I guess Sendmail wasn't secure after all...
Hello List,

Saturday, June 02, 2001, 7:24:56 AM, you wrote:

I like sendmail, it's slow - yes, but it is powerful and these silly bugs are fixed fast. It's just some C-Code, everyone knows this.

LM Yeah, it is only a few hundred thousand lines of code, and you should have
LM looked through it for bugs or exploits before you compiled it, right? It

Well, this is a strange argument, sorry. There is no product without any errors, maybe a hello world program. If you write it in C++, it's a design problem if you use a try..catch.. within the main clause or not, for example.

There are a lot of security bugs everywhere in a lot of programs, most of them are non-critical to critical, and some fanatic people are screaming about some really silly problems.

Software engineering is a living process. Bugs are normal, they are reported and then fixed. That's all, there are some more important things in life than "I am the master, I have found a (silly) bug".

People are screaming if they find a bug, they are the masters, but it's just a bug, and after the bug is fixed, the problem is over.

If you find 100 bugs in sendmail, they are fixed after reporting them. The game is over, the problem is solved. The admin updates, and that's all. The day continues.

Bugs are +just bugs+ and they are fixed after reporting them.

--
Boris
Re[2]: Oops,I guess Sendmail wasn't secure after all...
Hello List,

Saturday, June 02, 2001, 7:24:56 AM, you wrote:

LM If you bought (OK, got for free) a car, and it exploded, leaving you
LM burned, then you waited a week to get a new car mailed to you, then you

The car is not exploding, someone comes and looks at your car. He is searching and searching and searching until he finds a silly bug like the fuel meter shows something wrong. This could be a security risk, but in fact the man has been driving the car for years without a problem. After some months he updates the car (new version) and that's all.

--
Boris
Re[4]: Oops,I guess Sendmail wasn't secure after all...
Hello Johan,

JA Not quite. More like someone inspects your free car and finds a button
JA that can make it explode. Maybe he pushes the button, maybe not. Maybe he
JA pushes the button on someone else's car. Are you willing to take that
JA risk? I can imagine two situations where that would be the case: either

Well, there is no button with a text like "press me here" -) for the public.

If we are talking about the security of a product, we have several things to take a look at.

Internal security (a mailserver-only solution, mailserver+webserver, n mailservers, persons who access the mail queue as root).

External security. Buffer overflows, chroot problems, jail problems, password problems.

Design specific topics: what is secure, what is not secure, what can be implemented, what is not secure.

As root I can read all the messages in clear text, sendmail or qmail - a security risk? An attack on privacy? Or just a design problem? Or is it not a design problem, it's just normal?

Security is relative.

--
Boris
Re: Oops,I guess Sendmail wasn't secure after all...
Hello Dave,

DS Anyone want to take bets on whether qmail has unsafe signal handlers?
DS -Dave

I really can't hear the qmail is the most secure bla bla anymore, really.

I like sendmail, it's slow - yes, but it is powerful and these silly bugs are fixed fast. It's just some C-Code, everyone knows this.

At the moment I am evaluating qmail, and there are some things I am missing from sendmail.

When I was using sendmail on my FreeBSD server, it was never hacked, very strange, ugh?

--
Boris
Re[2]: How to Queue only mail
Hello Tim,

Tuesday, April 10, 2001, 7:18:36 AM, you wrote:

Yes, that's what I mean. I was thinking that qmail is delivering to both mx servers at the same time for backup reasons -) *ggg

Need some sleep -)

Bo
Re[2]: How to Queue only mail
Hello Tim,

Tuesday, April 10, 2001, 12:16:31 AM, you wrote:

TL On Mon, Apr 09, 2001 at 02:33:45AM -0600, Kashan Sadiq wrote:

If there are two servers running qmail on both of them. One is primary and the second is backup mail server which is for use of Queueing only. Now how would the mails on secondary mail server transfer to primary mail server and then stores in user accounts automatically.

TL 1. Make sure you have MX records in DNS for both servers.
TL 2. On the backup mail server, put the domain names you will accept
TL    mail for in the .../qmail/control/rcpthosts file.
TL 3. Make sure those domain names are /not/ in .../qmail/control/locals or
TL    .../qmail/control/virtualdomains.

TL That's it. The secondary will accept mail, queue it, and send it to the
TL primary automatically. It's up to the primary to deliver the mail.

TL Tim

The topic "backup mailserver" is very interesting. The external SMTP Server delivers automatically to ALL MX Servers of a domain? It would be interesting to know.

--
Boris
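
Steps 2 and 3 from the quoted reply can be verified mechanically on the backup host. The following shell check is an added example, not part of the thread or of qmail itself; the function names and the constructed sample directory are assumptions, and it additionally flags a missing rcpthosts file, which makes qmail-smtpd accept mail for any domain.

```shell
#!/bin/sh
# listed DOMAIN: succeed if DOMAIN, or a ".suffix" wildcard covering it,
# is among the entries on stdin (one per line, case-insensitive).
listed() {
    entries=$(tr 'A-Z' 'a-z')
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    printf '%s\n' "$entries" | grep -qxF -- "$name" && return 0
    while :; do
        case $name in
            *.*) name=${name#*.} ;;
            *)   return 1 ;;
        esac
        printf '%s\n' "$entries" | grep -qxF -- ".$name" && return 0
    done
}

# check_backup_mx DOMAIN CONTROL_DIR: one finding per line, status 0 if clean.
check_backup_mx() {
    dom=$1; ctl=$2; rc=0
    if [ ! -f "$ctl/rcpthosts" ]; then
        echo "OPEN RELAY: $ctl/rcpthosts missing, any domain is accepted"
        rc=1
    elif ! listed "$dom" < "$ctl/rcpthosts"; then
        echo "MISSING: $dom not in rcpthosts, mail for it is refused"
        rc=1
    fi
    loc=$ctl/locals
    [ -f "$loc" ] || loc=$ctl/me     # qmail-send falls back to control/me
    if [ -f "$loc" ] && grep -qixF -- "$dom" "$loc"; then
        echo "CONFLICT: $dom is local here ($loc), backup would deliver it"
        rc=1
    fi
    # virtualdomains lines are "domain:prepend"; ".domain" is a wildcard
    if [ -f "$ctl/virtualdomains" ] &&
       cut -d: -f1 "$ctl/virtualdomains" | listed "$dom"; then
        echo "CONFLICT: $dom matches virtualdomains, backup would deliver it"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $dom is queued for the primary MX"
    return "$rc"
}

# Constructed sample control directory (not real data).
make_sample_ctl() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' example.org .example.net > "$tmp/rcpthosts"
    printf '%s\n' backup.example.org example.com > "$tmp/locals"
    printf '%s\n' '.example.net:alice' > "$tmp/virtualdomains"
    echo "$tmp"
}

sample=$(make_sample_ctl)
for host in example.org example.com mx.example.net; do
    check_backup_mx "$host" "$sample"
done
rm -rf "$sample"
```

On a real host the second argument would be the control directory the thread abbreviates as .../qmail/control.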
Re[2]: From sendmail to qmail
Hello Frank,

Sunday, April 08, 2001, 3:23:36 PM, you wrote:

Is there an option for qmail? I only found some ugly patches/scripts/workarounds?

FT There are patches that do this. If they are ugly, I don't know.

Ugly is the wrong word. I do not like to use patches and tools, this increases network documentation and costs a lot of time.

At the moment of writing, I have learned a lot about qmail and it's really interesting, but there are still things to solve for me. At the moment, qmail runs very well. Now I have to do some testing with smtp auth. I want to let in mails to rcpthosts, and if the mail is not for these domains, an authorisation is required. I hope that this feature is possible.

- dns-check: done with tcpserver
- badmailfrom: done
- smtp redirect: done
- smtp auth: todo
- virtual domains: todo
- rbl/orbs: done with tcpserver/rblsmtpd... but I am not sure about the orbs patch, use or not to use -(

--
Boris
poplock with qmail problem
Hello,

I post this problem to the list, maybe another person had the same problem?

I have installed poplock 204 on my machine. I followed all the steps in the INSTALL file as follows:

inetd.conf (added log..authpre.. from poplock)

    pop3 stream tcp nowait root /var/qmail/bin/qmail-popup bastion.localhost /usr/sbin/logpopauth-pre /usr/local/bin/checkpassword /usr/bin/logpopauth-post /var/qmail/bin/qmail-pop3d Maildir

startserver.bat (added relaylock)

    QMAILDUID=`id -u qmaild`
    NOFILESGID=`id -g qmaild`
    /usr/local/bin/tcpserver -p -v -x /var/qmail/tcp.smtp.cdb \
      -u "$QMAILDUID" -g "$NOFILESGID" 0 smtp \
      /usr/sbin/relaylock /usr/local/bin/rblsmtpd \
      -r blackholes.mail-abuse.org \
      -r dialups.mail-abuse.org \
      -r 'relays.mail-abuse.org: Ihr Mailserver steht auf einer Blackliste, Zustellung nicht möglich, siehe URL:http://www.mail-abuse.org/cgi-bin/nph-rss?%IP%' \
      /var/qmail/bin/qmail-smtpd 2>&1

---

Changed syslog.conf to read from pipe, later checked to read from var/log/maillog, no success.

Normally I would assume that if I check mail from 192.168.0.1 that

    bastion# /usr/bin/showallowed
    ipaddr (and netmask)    access window expires
    127.0.0.1               never

would show an additional line for 192.168.0.1, but there is no way.

I really did everything possible to my knowledge, now I really need help. Hints, tips and so on welcome. Flamings, silly "read the dox" are going to /dev/NULL.

    bastion# uname -a
    FreeBSD bastion.localhost 4.2-STABLE FreeBSD 4.2-STABLE #1: Tue Feb 13 01:57:37 GMT 2001 [EMAIL PROTECTED]:/usr/src/sys/compile/bk3 i386

--
Boris
Re[4]: From sendmail to qmail
Hello Frank,

Saturday, April 07, 2001, 12:07:18 AM, you wrote:

FT Boris [EMAIL PROTECTED] writes:

FT This looks like a mixture of tcpserver's access rules and the badmailfrom
FT control file of qmail.

OK, I have understood, interesting.

There are some things I have problems with. At first, IP/DNS checking of the sender. In sendmail, I just enter this:

    define(`_IP_LOOKUP_',1)dnl
    define(`_DNSVALID_',1)dnl

That's all to check for valid ip/dns of the sender. Is there an option for qmail? I only found some ugly patches/scripts/workarounds?

To protect me against spammers, in sendmail I just set up these options:

    FEATURE(dnsbl,`rbl.maps.vix.com',`Rejected - see http://www.mail-abuse.org/rbl/')dnl
    FEATURE(dnsbl,`dul.mail-abuse.org',`Dialup - see http://www.mail-abuse.org/dul/')dnl
    FEATURE(dnsbl,`relays.mail-abuse.org',`Open relay - see http://www.mail-abuse.org/rss/')dnl
    FEATURE(dnsbl,`input.orbs.org',`Open relay - see http://www.orbs.org/')dnl

I have not found any options in qmail for similar things.

Any comments are welcome to help me out with qmail - but I don't want to install thousands of patches, scripts and tools. It would be great to read some useful suggestions for a fast and restorable way.

Thanks for your (hopefully) comments.

--
Boris
Re[5]: From sendmail to qmail
Hello Boris,

Saturday, April 07, 2001, 5:46:31 PM, you wrote:

B To protect me against spammers, in sendmail I just set up these options:

B FEATURE(dnsbl,`rbl.maps.vix.com',`Rejected - see http://www.mail-abuse.org/rbl/')dnl
B FEATURE(dnsbl,`dul.mail-abuse.org',`Dialup - see http://www.mail-abuse.org/dul/')dnl
B FEATURE(dnsbl,`relays.mail-abuse.org',`Open relay - see http://www.mail-abuse.org/rss/')dnl
B FEATURE(dnsbl,`input.orbs.org',`Open relay - see http://www.orbs.org/')dnl

Just for the archive, I found a way for the rbl checking now. It seems that I need this package

http://cr.yp.to/ucspi-tcp.html

and to install a ruleset first for valid IPs to the "tcpserver". After that I can try something like this

    tcpserver -p -v -x/etc/tcp.smtp.cdb -u1007 -g1007 0 25 \
      rblsmtpd qmail-smtpd 2>&1

described in this howto:

http://www.summersault.com/chris/techno/qmail/qmail-antispam.html

I am not only waiting for answers - if I find the answer by myself, I post it of course for the archives for other qmail newbies like me.

The only problem left is the dns checking thingy.

--
Boris [MCSE, CNA]
X-ITEC : Consulting * Programming * Net-Security * Crypto-Research
[PRIVATE ADDRESS:] Boris Köster eMail [EMAIL PROTECTED] http://www.x-itec.de
Grne 33-57368 Lennestadt Germany Tel: +49 (0)2721 989400
101 PERFECTION - SECURITY - STABILITY - FUNCTIONALITY
Everything I am writing is (c) by Boris Köster and may not be rewritten or distributed in any way without my permission.
From sendmail to qmail
Greetings.

I am writing a small book about Linux/FreeBSD since 1999 (just for fun, maybe it will be released some day, maybe not, who knows).

Currently I try to find out the advantages of qmail. It took me some time to get it working, but I am very surprised about the speed. I have changed my production server in realtime from sendmail to qmail. It was not easy, but I have done it. And I was not required to delete sendmail.

There are some things I need to know about qmail to complete my work on this chapter.

* First, I need to know is there a similar way to stop spammers as in sendmail with /etc/access. This is a very important feature to me. I don't want to use procmail or similar for such a feature, is there an option for it?

* Is there a way to forward all outgoing mails to a specific SMTP?

* Are there somewhere detailed instructions about implementing RBL/ORBS?

* I have read some solution about SMTP AUTH and I need to know what the people outside are using to stop spammers and to authenticate users before they are allowed to send e-mails. What are the currently most used solutions? I have found some, but I would like to know what is used in real environments.

It would be great to get detailed information, because it's not very easy to find all necessary information.

Thanks for your time.

--
Boris [MCSE, CNA]
Re[2]: From sendmail to qmail
Hello Brett,

Friday, April 06, 2001, 7:05:27 PM, you wrote:

BR Believe it or not, all the answers to your questions can be found at
BR http://www.qmail.org/top.html !

hmm, ok.

h
Re[2]: From sendmail to qmail
Hello Charles,

thank you for your answer, that will help me a lot.

CC Boris [EMAIL PROTECTED] wrote:

* First, I need to know is there a similar way to stop spammers as in sendmail with /etc/access.

CC Many people on this list will not be familiar with the detailed workings of
CC sendmail; in general, we run qmail because (among other reasons) we don't want
CC to have to learn sendmail's byzantine configuration. Please explain how
CC this works with sendmail; then we can tell you if there's a qmail equivalent.

OK, I will show you an example. I think it's very important to understand both MTAs to decide what's really better in what situation, but this is another story.

Here is an example of the access file.

    192.168.0 RELAY
    127.0.0.1 RELAY
    From:[EMAIL PROTECTED] 550 Spam denied
    From:[EMAIL PROTECTED] 550 SPAM F*CK YOU SH*T SPAMMER
    From:[EMAIL PROTECTED] 550 SPAMMER BUY YOURSELF
    From:[EMAIL PROTECTED] 550 LOAN YOURSELF, SPAMMER
    From:[EMAIL PROTECTED] 550 F*** YOU SPAMMER
    oo.net 550 SPMMMEE

It looks as if this file is similar to the rcpthosts (?) file on qmail, but it's not the same. I relay incoming mails from my 192.168.0 class C network as well as localhost mails. But if there is a mail coming from "from:..." the mail will be rejected, and if there is a hostname only, the complete host is denied to send us any mails.

This file has nothing to do with outgoing mails. I use this file to set up a mini-light spamfilter and to set up general relaying rules. Fetchmail delivers the mail to sendmail (at the moment to qmail, hahah) so the relaying is allowed.

I think it's very easy to set up and very easy to handle. Is there a qmail thingy to do the same?

* Is there a way to forward all outgoing mails to a specific SMTP?

CC Yes, smtproutes. It's trivial. `man qmail-remote` for details.

Aha, very interesting to know.

* Are there somewhere detailed instructions about implementing RBL/ORBS?

CC Yes, in many places, including djb's site and www.qmail.org.

OK. Thanks.

* I have read some solution about SMTP AUTH and I need to know what the people outside are using to stop spammers and to authenticate users before they are allowed to send e-mails. What are the currently most used solutions?

CC There are SMTP-AUTH patches for qmail. Two other techniques widely employed
CC include selective relaying by IP address, and SMTP-after-POP3/SMTP-after-IMAP.

CC Charles

There is a perl module somewhere I have seen on the qmail page, I think I will try this first.

Thanks for your answers, they helped me a lot. The next step is to find out how virtual users are working (users without system accounts). After that I think I have completed this part.

Qmail is nice, but sendmail is not bad at all, I was using sendmail a long time without any problems. Sometimes I think the qmail people think that sendmail is an enemy to qmail, but I can't understand this.

--
Boris
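
The access file shown in this message splits, as noted elsewhere in the thread, into tcpserver access rules plus qmail's badmailfrom control file. The following shell/awk translation is an added example, not code from the thread or from qmail; the function names and the constructed sample entries are assumptions, and the custom 550 texts are dropped because badmailfrom rejections use a fixed reply.

```shell
#!/bin/sh
# access_to_qmail ACCESS_FILE OUT_DIR
# Writes OUT_DIR/tcp.smtp (tcprules source) and OUT_DIR/badmailfrom and
# prints every entry it cannot translate as "UNHANDLED: ...".
access_to_qmail() {
    rules=$2/tcp.smtp; bad=$2/badmailfrom
    : > "$rules"; : > "$bad"
    awk -v rules="$rules" -v bad="$bad" '
    NF < 2 || $1 ~ /^#/ { next }
    {
        act  = toupper($2)
        deny = (act == "REJECT" || act ~ /^5[0-9][0-9]$/)
        if (tolower($1) ~ /^from:/) {          # envelope sender entry
            addr = substr($1, 6)
            if (deny) { print (addr ~ /@/ ? addr : "@" addr) >> bad }
            else      { print "UNHANDLED: " $0 }
        } else if ($1 ~ /^[0-9.]+$/) {         # IP address or prefix
            ip = $1
            if (split(ip, oct, ".") < 4) ip = ip "."   # tcprules prefix form
            if (act == "RELAY") { print ip ":allow,RELAYCLIENT=\"\"" >> rules }
            else if (deny)      { print ip ":deny" >> rules }
            else                { print "UNHANDLED: " $0 }
        } else if (deny) {                     # bare domain: host and sender
            dom = tolower($1)
            print "=" dom ":deny" >> rules     # matched on the reverse-DNS name,
            print "=." dom ":deny" >> rules    # so keep tcpserver -p as in the thread
            print "@" dom >> bad
        } else {
            print "UNHANDLED: " $0             # domain RELAY is an rcpthosts decision
        }
    }
    END { print ":allow" >> rules }
    ' "$1"
}

# Constructed sample entries in the style of the access file above.
sample_access() {
    printf '%s\n' \
        '192.168.0 RELAY' \
        '127.0.0.1 RELAY' \
        'From:offers@spam.example 550 Spam denied' \
        'bulk.example 550 No thanks' \
        'partner.example RELAY'
}

work=$(mktemp -d)
sample_access > "$work/access"
access_to_qmail "$work/access" "$work"
cat "$work/tcp.smtp" "$work/badmailfrom"
rm -rf "$work"
```

The generated tcp.smtp still has to be compiled with tcprules into the cdb file that tcpserver reads through -x.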
Re: qmail under NAT
Make sure you either handle identd or *reject* port 113 connects on the outside IP, or outside mail will take a long time.

Things are starting to work (like pieces of TEST.deliver and TEST.receive), but they are ^really^ slow. Even local tests in TEST.deliver. It takes about 5-10 minutes before mail arrives in /var/spool/mail. Can you suggest remedies?

Also, what do you mean by "handle" ident -- where can I read about problems between identd and qmail? I would like to keep identd, since most IRC servers want it.

Thanks for your help,
Boris
qmail under NAT
Hi,

I would like to run qmail behind NAT. The local machine is called 'galois', with ip number 192.168.1.6. The router is locally called 'euler', and globally is accessible by 'hypervolume.com'.

I have set up port forwarding (port 25) from euler to galois. I have ^not^ declared an MX -- do I need it if I have only one real IP address?

Also, what do I put in controls/me? 'galois' or 'hypervolume.com'?

What else am I missing to get this working?

Thank you,
Boris
unsubscribe
Hi, I want to stop subscribing to this mailing list. Thanks, Boris
qmail unsubscribe
Re: check HOST in dot-qmail
Check the ip-chains howto to disable access from the outside to the SMTP port.

--Bobby

Patrick Berry wrote:

I've set up an alias to allow mail to be sent to all the people in our office. I would like to protect this alias from the 'outside'...

Would there be any problems with just doing a simple check ala

    if [ $HOST != freestyleinteractive.com ]
      go away
    else
      everything is cool and go ahead and deliver
    fi

Is there something bad that could happen that I might be overlooking in my approach? Would it be best to execute an external shell script from the dot-qmail file and check the return value of that script and then decide what to do?

Pat
--
Freestyle Interactive | http://www.freestyleinteractive.com | 415.778.0610