Announce: QSP - Qmail Spamkiller Project

2001-08-14 Thread Boris Köster

Hello,

Spamkiller engine for QMAIL with SHA authentication and more


I would like to announce my QSP - a new approach in blocking SPAM with
SHA authentication, special support for mailinglists, individual
templates and so on. It's a very modular system that comes with a rich
API to make your own extensions.

I wrote these modules and libraries for Python because I am really angry
about spam and it's time to stop this with some intelligent and new ways
and without the usage of online-blacklists and so on.

Detailed project information: www.x-itec.de/QSP

Source and Download available at the beginning of 09/2001

Tested with more than 90.000 mails at the moment.
Status: Development, SHA authentication is complete, working on the
next module for mailinglists.

If you want to read more about this interesting project, see my
project page. If you want to test it just for fun, send me a mail *ggg
to [EMAIL PROTECTED] - if the system is enabled, you will get an
authorization request. Otherwise there is a bug again -((

The project is free for download in 09/2001 and comes with source and
documentation. Python required.


--
Boris Köster [MCSE, CNA]
void SurfTo ( http://www.x-itec.de ){ thanks(0);exit(0); }

Maintainer of the FreeBSD IPSEC-MiniHowTo
Maintainer of QSP - QMail Spamkiller Project





Re[2]: Oops,I guess Sendmail wasn't secure after all...

2001-06-02 Thread Boris

Hello Russell,

Saturday, June 02, 2001, 5:38:43 AM, you wrote:

RN Boris writes:
RN   I really can't hear the qmail is the most secure bla bla anymore,
RN   really.

RN Why?  It's true.

Yes it is true, and qmail is great, but it would be better to make
better documentation for qmail, and to offer bundles with a single
makefile.

My English is not very good, sorry.

I mean qmail has better arguments than security only.

Why does no one make a package with all you need to download and
install? Here is a suggestion:

- qmail
- the tcpserver
- something good for pop before smtp
- vpopmail
- good tools for blocking spam, blocking mails from open relays, and
so on
- and other additions from other people I do not know

There should be one file to download and the makefile should do nearly
everything necessary. I should not spend days to understand the
different modules as a newbie, it takes too much time.

RN   At the moment I am evaluating qmail, and there
RN   are some things I am missing from sendmail.

RN Like what?

See above, a better installation, better documentation. I have written
in my Linux/Unix book a chapter about the installation and
configuration of qmail in a production environment, covering all
necessary topics (German language) but it's too much for the stressed administrator.

Strange argument, I know. I am a user only in this case.

Putting a lot of snippets together for one package is not a bad idea
and would give a boost to qmail (I think).


--
Boris





Re[2]: Oops,I guess Sendmail wasn't secure after all...

2001-06-02 Thread Boris

Hello List,

Saturday, June 02, 2001, 7:24:56 AM, you wrote:

 I like sendmail, it's slow - yes, but it is powerful and these silly
 bugs are fixed fast. It's just some C-Code, everyone knows this.

LM Yeah, it is only a few hundred thousand lines of code, and you should have
LM looked through it for bugs or exploits before you compiled it, right?  It

Well, this is a strange argument, sorry.

There is no product without any errors, maybe a hello world program.
If you write it in C++, it's a design problem if you use a try..catch..
within the main clause or not, for example.

There are a lot of security bugs everywhere in a lot of programs, most of them are
non-critical to critical, and some fanatic people are screaming about some really
silly problems.

Software engineering is a living process. Bugs are normal, they are
reported and then fixed. That's all, there are some more important
things in life than "I am the master, I have found a (silly) bug".

People are screaming if they have found a bug, they are the masters,
but it's just a bug, and after the bug is fixed, the problem is over.

If you find 100 bugs in sendmail, they are fixed after
reporting them. The game is over, the problem is solved. The admin
updates, and that's all. The day continues.

Bugs are +just bugs+ and they are fixed after reporting them.


--
Boris





Re[2]: Oops,I guess Sendmail wasn't secure after all...

2001-06-02 Thread Boris

Hello List,

Saturday, June 02, 2001, 7:24:56 AM, you wrote:


LM If you bought (OK, got for free) a car, and it exploded, leaving you
LM burned, then you waited a week to get a new car mailed to you, then you

The car is not exploding, someone comes and looks at your car. He is
searching and searching and searching until he finds a silly bug like
the fuel meter shows something wrong, this could be a security risk
but in fact the man is driving the car for years without a problem. Some
month he updates the car (new version) and that's all.


--
Boris





Re[4]: Oops,I guess Sendmail wasn't secure after all...

2001-06-02 Thread Boris

Hello Johan,


JA Not quite. More like someone inspects your free car and finds a button
JA that can make it explode. Maybe he pushes the button, maybe not. Maybe he
JA pushes the button on someone else's car. Are you willing to take that
JA risk? I can imagine two situations where that would be the case: either

Well, there is no button with a text like press me here -) for
the public.

If we are talking about the security of a product, we have several
things to take a look at. Internal security (a mailserver-only
solution, mailserver+webserver, n mailservers, persons who access the
mail queue as root). External security. Buffer overflows, chroot
problems, jail problems, password problems. Design specific topics,
what is secure, what is not secure, what can be implemented, what is
not secure.

As root I can read all the messages in clear text, sendmail or qmail -
a security risk? An attack to privacy? Or just a design problem?
Or is it not a design problem, it's just normal?

Security is relative.


--
Boris





Re: Oops,I guess Sendmail wasn't secure after all...

2001-06-01 Thread Boris

Hello Dave,

DS Anyone want to take bets on whether qmail has unsafe signal handlers?

DS -Dave

I really can't hear the qmail is the most secure bla bla anymore,
really.

I like sendmail, it's slow - yes, but it is powerful and these silly
bugs are fixed fast. It's just some C-Code, everyone knows this.

At the moment I am evaluating qmail, and there
are some things I am missing from sendmail.

When I was using sendmail on my FreeBSD Server, it has never been
hacked, very strange ugh?



--
Boris





Re[2]: Hoew to Queue only mail

2001-04-10 Thread Boris

Hello Tim,

Tuesday, April 10, 2001, 7:18:36 AM, you wrote:

Yes, that's what I mean. I was thinking that qmail is delivering to
both mx servers at the same time for backup reasons -) *ggg

Need some sleep -)

Bo





Re[2]: Hoew to Queue only mail

2001-04-09 Thread Boris

Hello Tim,

Tuesday, April 10, 2001, 12:16:31 AM, you wrote:

TL On Mon, Apr 09, 2001 at 02:33:45AM -0600, Kashan Sadiq wrote:
 There are two servers, both running qmail. One is
 primary and the second is a backup mail server which is used for queueing
 only. Now how would the mail on the secondary mail server be transferred to the primary
 mail server and then stored in user accounts automatically?

TL 1. Make sure you have MX records in DNS for both servers.

TL 2. On the backup mail server, put the domain names you will accept
TL mail for in the .../qmail/control/rcpthosts file.
TL 3. Make sure those domain names are /not/ in .../qmail/control/locals or
TL .../qmail/control/virtualdomains.

TL That's it. The secondary will accept mail, queue it, and send it to the
TL primary automatically. It's up to the primary to deliver the mail.

TL Tim


The topic "backup mailserver" is very interesting. The external SMTP
Server delivers automatically to ALL MX Servers of a domain? It would
be interesting to know.


--
Boris
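
The three control-file conditions Tim lists for the backup server can be checked mechanically. This is an added example, not part of the original posts; the function names and the control directory argument are assumptions. Only exact entries are compared; leading-dot wildcard lines are not expanded.

```shell
#!/bin/sh
# Added example, not from the thread. Checks the three control files Tim lists
# for a queue-only backup MX. Usage: check_backup_mx DOMAIN CONTROLDIR
# (CONTROLDIR is an assumption, typically /var/qmail/control).

# in_list FILE NAME: true if NAME is a whole line of FILE (case-insensitive)
in_list() {
    [ -f "$1" ] && grep -qixF -- "$2" "$1"
}

# in_virtualdomains FILE NAME: entries have the form "domain:prepend"
in_virtualdomains() {
    [ -f "$1" ] || return 1
    awk -F: -v d="$2" 'tolower($1) == tolower(d) { hit = 1 } END { exit !hit }' "$1"
}

check_backup_mx() {
    domain=$1
    ctl=$2
    rc=0
    if [ ! -f "$ctl/rcpthosts" ]; then
        # without rcpthosts qmail-smtpd accepts mail for every domain
        echo "rcpthosts is missing: this host would relay for anyone"
        rc=1
    elif ! in_list "$ctl/rcpthosts" "$domain"; then
        echo "$domain: not in rcpthosts, the backup will refuse its mail"
        rc=1
    fi
    if in_list "$ctl/locals" "$domain"; then
        echo "$domain: in locals, mail would be delivered on the backup"
        rc=1
    fi
    if in_virtualdomains "$ctl/virtualdomains" "$domain"; then
        echo "$domain: in virtualdomains, mail would be delivered on the backup"
        rc=1
    fi
    return $rc
}
```

A zero return means the backup will accept the domain, queue it and forward it to the better-preference MX instead of delivering it locally.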





Re[2]: From sendmail to qmail

2001-04-08 Thread Boris

Hello Frank,

Sunday, April 08, 2001, 3:23:36 PM, you wrote:



 Is there an option for qmail? I only found some ugly
 patches/scripts/workarounds?

FT There are patches that do this. If they are ugly, I don't know.

Ugly is the wrong word. I do not like to use patches and tools, this
increases network documentation and costs a lot of time. At the moment
of writing, I have learned a lot about qmail and it's really
interesting, but there are still things to solve for me.

At the moment, qmail runs very well. Now I have to do some
testing with smtp auth. I want to let in mails to rcpthosts and if
the mail is not for these domains, an authorisation is required. I
hope that this feature is possible.

- dns-check: done with tcpserver
- badmailfrom: done
- smtp redirect: done

- smtp auth: todo
- virtual domains: todo
- rbl/orbs: done with tcpserver/rblsmtpd... but I am not sure about the orbs patch, use or not to use -(

--
Boris





poplock with qmail problem

2001-04-08 Thread Boris

Hello

I post this problem to the list; maybe another person had the same
problem?

I have installed poplock 204 on my machine. I followed all the steps
in the INSTALL file as follows:


inetd.conf (added log..authpre.. from poplock)

pop3 stream tcp nowait root /var/qmail/bin/qmail-popup bastion.localhost /usr/sbin/logpopauth-pre /usr/local/bin/checkpassword /usr/bin/logpopauth-post /var/qmail/bin/qmail-pop3d Maildir


startserver.bat (added relaylock)

QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
/usr/local/bin/tcpserver -p -v -x /var/qmail/tcp.smtp.cdb \
-u "$QMAILDUID" -g "$NOFILESGID" 0 smtp \
/usr/sbin/relaylock /usr/local/bin/rblsmtpd \
-r blackholes.mail-abuse.org \
-r dialups.mail-abuse.org \
-r 'relays.mail-abuse.org: Ihr Mailserver steht auf einer Blackliste, Zustellung nicht möglich, siehe URL:http://www.mail-abuse.org/cgi-bin/nph-rss?%IP%' \
/var/qmail/bin/qmail-smtpd 2>&1


---

changed syslog.conf to read from pipe, later checked to read from
var/log/maillog, no success.


Normally I would assume that if I check mail from 192.168.0.1 that


bastion# /usr/bin/showallowed
ipaddr (and netmask)  access window expires
  
127.0.0.1 never


would show an additional line for 192.168.0.1

but there is no way.


I really did everything possible to my knowledge, now I really need help.

Hints, tips and so on welcome.

Flamings, silly "read the dox" are going to /dev/NULL.


bastion# uname -a
FreeBSD bastion.localhost 4.2-STABLE FreeBSD 4.2-STABLE #1: Tue Feb 13 01:57:37 GMT 2001 [EMAIL PROTECTED]:/usr/src/sys/compile/bk3  i386


--
Boris





Re[4]: From sendmail to qmail

2001-04-07 Thread Boris

Hello Frank,

Saturday, April 07, 2001, 12:07:18 AM, you wrote:

FT Boris [EMAIL PROTECTED] writes:


FT This looks like a mixture of tcpserver's access rules and the badmailfrom
FT control file of qmail.

OK, I have understood, interesting.

There are some things I have problems with. At first, IP/DNS Checking
of the sender.

In sendmail, I just enter this:

define(`_IP_LOOKUP_',1)dnl
define(`_DNSVALID_',1)dnl

That's all to check for valid ip/dns of the sender.

Is there an option for qmail? I only found some ugly
patches/scripts/workarounds?

To protect me against spammers, in sendmail I just set up these options:

FEATURE(dnsbl,`rbl.maps.vix.com',`Rejected - see  http://www.mail-abuse.org/rbl/')dnl
FEATURE(dnsbl,`dul.mail-abuse.org',`Dialup - see http://www.mail-abuse.org/dul/')dnl
FEATURE(dnsbl,`relays.mail-abuse.org',`Open relay - see http://www.mail-abuse.org/rss/')dnl
FEATURE(dnsbl,`input.orbs.org',`Open relay - see http://www.orbs.org/')dnl


I have not found any options in qmail for similar things.

Any comments are welcome to help me out with qmail - but I don't want
to install thousands of patches, scripts and tools.

It would be great to read some useful suggestions for a fast and
restorable way.

Thanks for your (hopefully) comments.

--
Boris





Re[5]: From sendmail to qmail

2001-04-07 Thread Boris

Hello Boris,

Saturday, April 07, 2001, 5:46:31 PM, you wrote:



B To protect me against spammers, in sendmail I just set up these options:

B FEATURE(dnsbl,`rbl.maps.vix.com',`Rejected - see  http://www.mail-abuse.org/rbl/')dnl
B FEATURE(dnsbl,`dul.mail-abuse.org',`Dialup - see http://www.mail-abuse.org/dul/')dnl
B FEATURE(dnsbl,`relays.mail-abuse.org',`Open relay - see http://www.mail-abuse.org/rss/')dnl
B FEATURE(dnsbl,`input.orbs.org',`Open relay - see http://www.orbs.org/')dnl

Just for the archive, I found a way for the rbl checking now.

It seems that I need this package http://cr.yp.to/ucspi-tcp.html
and to install a ruleset first for valid IPs to the "tcpserver". After that I can try
something like this

tcpserver -p -v -x/etc/tcp.smtp.cdb -u1007 -g1007 0 25 \
rblsmtpd qmail-smtpd 2>&1

described in this howto: 
http://www.summersault.com/chris/techno/qmail/qmail-antispam.html


I am not only waiting for answers - if I find the answer by myself, I
post it of course for the archives, for other qmail newbies like me.

The only problem left is the dns checking thingy.

--
Boris [MCSE, CNA]
X-ITEC : Consulting * Programming * Net-Security * Crypto-Research
[PRIVATE ADDRESS:]
Boris Köster eMail [EMAIL PROTECTED] http://www.x-itec.de
Grne 33-57368 Lennestadt Germany Tel: +49 (0)2721 989400
101  PERFECTION - SECURITY - STABILITY - FUNCTIONALITY

Everything I am writing is (c) by Boris Köster and may not be
rewritten or distributed in any way without my permission.





From sendmail to qmail

2001-04-06 Thread Boris


Greetings.

I have been writing a small book about Linux/FreeBSD since 1999 (just for
fun, maybe it will be released someday, maybe not, who knows).

Currently I am trying to find out the advantages of qmail. It took me some
time to get it working, but I am very surprised about the speed. I
have changed my production server in realtime from sendmail to qmail.
It was not easy, but I have done it. And I was not required to delete
sendmail.

There are some things I need to know about qmail to complete my work on
this chapter.

* First, I need to know whether there is a similar way to stop spammers as in
sendmail with /etc/access. This is a very important feature to me. I
don't want to use procmail or similar for such a feature, is there an
option for it?

* Is there a way to forward all outgoing mails to a specific SMTP?

* Are there somewhere detailed instructions about implementing
RBL/ORBS?

* I have read some solutions about SMTP AUTH and I need to know what
the people outside are using to stop spammers and to authenticate
users before they are allowed to send e-mails. What are the currently
most used solutions? I have found some, but I would like to know what
is used in real environments.

Detailed information would be great, because it's not very easy
to find all the necessary information.

Thanks for your time.

--
Boris [MCSE, CNA]





Re[2]: From sendmail to qmail

2001-04-06 Thread Boris

Hello Brett,

Friday, April 06, 2001, 7:05:27 PM, you wrote:

BR Believe it or not, all the answers to your questions can be found at
BR http://www.qmail.org/top.html !

hmm, ok. h





Re[2]: From sendmail to qmail

2001-04-06 Thread Boris

Hello Charles,

thank you for your answer, that will help me a lot.

CC Boris [EMAIL PROTECTED] wrote:
 

 * First, I need to know whether there is a similar way to stop spammers as in
 sendmail with /etc/access.

CC Many people on this list will not be familiar with the detailed workings of
CC sendmail; in general, we run qmail because (among other reasons) we don't want
CC to have to learn sendmail's byzantine configuration.  Please explain how 
CC this works with sendmail; then we can tell you if there's a qmail equivalent.

OK, I will show you an example. I think it's very important to
understand both MTAs to decide what's really better in what situation
but this is another story.

Here is an example of the access file.

192.168.0 RELAY
127.0.0.1 RELAY
From:[EMAIL PROTECTED]   550 Spam denied
From:[EMAIL PROTECTED] 550 SPAM F*CK YOU SH*T SPAMMER
From:[EMAIL PROTECTED] 550 SPAMMER BUY YOURSELF
From:[EMAIL PROTECTED] 550 LOAN YOURSELF, SPAMMER
From:[EMAIL PROTECTED] 550 F*** YOU SPAMMER
oo.net  550 SPMMMEE

It looks as if this file is similar to the rcpthosts (?) file on
qmail, but it's not the same. I relay incoming mails from my 192.168.0
class C network as well as localhost mails.

But if a mail is coming from "from:..." the mail will be
rejected, and if there is a hostname only, the complete host is denied
to send us any mails.

This file has nothing to do with outgoing mails.

I use this file to set up a mini-light spamfilter and to set up general
relaying rules. Fetchmail delivers the mail to sendmail (at the moment
to qmail, hahah) so the relaying is allowed. I think it's very easy to
set up and very easy to handle.

Is there a qmail thingy to do the same?


 * Is there a way to forward all outgoing mails to a specific SMTP?

CC Yes, smtproutes.  It's trivial.  `man qmail-remote` for details.

Aha, very interesting to know.

 * Are there somewhere detailed instructions about implementing
 RBL/ORBS?

CC Yes, in many places, including djb's site and www.qmail.org.

Ok. Thanks.

 * I have read some solutions about SMTP AUTH and I need to know what
 the people outside are using to stop spammers and to authenticate
 users before they are allowed to send e-mails. What are the currently
 most used solutions?

CC There are SMTP-AUTH patches for qmail.  Two other techniques widely employed
CC include selective relaying by IP address, and SMTP-after-POP3/SMTP-after-IMAP.

CC Charles

There is a perl module somewhere I have seen on the qmail page I think
I will try this first.

Thanks for your answers, they helped me a lot. The next step is to find
out how virtual users work (users without system accounts).

After that I think I have completed this part.

Qmail is nice, but sendmail is not bad at all; I was using sendmail a
long time without any problems.

Sometimes I think the qmail-people think that sendmail is an enemy to
qmail, but I can't understand this.


--
Boris
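
An access file of the shape quoted in this message splits into the two qmail-side inputs named elsewhere in the thread, tcpserver's access rules and the badmailfrom control file. The script below is an added example, not part of the original posts: the sample entries and function names are constructed, and treating a bare domain as a sender-domain block is an approximation of the sendmail behaviour described above.

```shell
#!/bin/sh
# Added example, not from the thread. All entries in sample_access are constructed.
# Splits a sendmail-style access file (read on stdin) into the two qmail-side
# inputs named in the thread: tcpserver rules and control/badmailfrom.

# Constructed sample in the shape of the access file quoted above.
sample_access() {
    cat <<'EOF'
192.168.0                   RELAY
127.0.0.1                   RELAY
From:bulk@spam.example      550 Spam denied
offers.example              550 No thanks
EOF
}

# RELAY entries keyed by IP address become tcprules lines that set RELAYCLIENT.
access_to_tcprules() {
    awk '$2 == "RELAY" && $1 ~ /^[0-9.]+$/ {
        ip = $1
        # tcprules treats a partial address as a prefix only if it ends in a dot
        if (split(ip, part, ".") < 4 && ip !~ /\.$/) ip = ip "."
        printf "%s:allow,RELAYCLIENT=\"\"\n", ip
    }
    # everyone else may connect, but only for domains listed in rcpthosts
    END { print ":allow" }'
}

# 5xx/REJECT entries become badmailfrom lines: full address, or @domain.
access_to_badmailfrom() {
    awk '$2 ~ /^(5[0-9][0-9]|REJECT)$/ {
        key = $1
        if (tolower(key) ~ /^from:/) { sub(/^[^:]*:/, "", key); print key }
        else if (key !~ /^[0-9.]+$/) print "@" key
    }'
}
```

The first output is compiled with tcprules into the cdb that tcpserver reads with -x, the second goes into control/badmailfrom. The per-entry reply text of the access file has no counterpart; qmail-smtpd answers with its own message.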





Re: qmail under NAT

2001-02-02 Thread Boris Krivulin

 Make sure you either handle identd or *reject* port 113 connects on
 the outside IP, or outside mail will take a long time.

Things are starting to work (like pieces of TEST.deliver and TEST.receive), but they are
^really^ slow. Even local tests in TEST.deliver. It takes about 5-10 minutes before mail
arrives in /var/spool/mail. Can you suggest remedies? Also, what do you mean by "handle"
ident -- where can I read about problems between identd and qmail? I would like to keep
identd, since most IRC servers want it.

Thanks for your help, 
Boris




qmail under NAT

2001-02-01 Thread Boris Krivulin

Hi,

I would like to run qmail behind NAT.  The local machine is called 'galois',
with ip number 192.168.1.6.   The router is locally called 'euler', and
globally is accessible by 'hypervolume.com'.  

I have set up port forwarding (port 25) from euler to galois. I have ^not^
declared an MX -- do I need it if I have only one real IP address?

Also, what do I put in controls/me? 'galois' or 'hypervolume.com'?
What else am I missing to get this working?

Thank you,
Boris









unsubscried

2000-11-23 Thread boris

Hi

I want to unsubscribe from this mailing list

thanks

Boris




qmail unsubscried

2000-11-23 Thread boris






Re: check HOST in dot-qmail

1999-12-14 Thread Boris Atanassov

Check the ip-chains howto to disable access from the outside to the SMTP port.
--Bobby

Patrick Berry wrote:

 I've set up an alias to allow mail to be sent to all the people in our
 office.  I would like to protect this alias from the 'outside'...

 Would there be any problems with just doing a simple check ala
 if [ $HOST != freestyleinteractive.com ]
 go away
 else
 everything is cool and go ahead and deliver
 fi

 Is there something bad that could happen that I might be overlooking in my
 approach?  Would it be best to execute an external shell script from the
 dot-qmail file and check the return value of that script and then decide
 what to do?

 Pat
 --
 Freestyle Interactive | http://www.freestyleinteractive.com | 415.778.0610
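
An external script called from the dot-qmail file, as asked about above, could look like the following. This is an added example, not part of the original posts. Because qmail-local sets $HOST to the domain of the recipient address, the script compares $SENDER instead; the envelope sender is supplied by the sending client, so this filters rather than authenticates. The script path and example.com are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Called from the alias's .qmail file, e.g.
#   |/usr/local/bin/office-only      (hypothetical path)
#   &alice@example.com
# qmail-local runs each command line with the envelope in the environment:
#   SENDER = envelope sender, HOST = domain part of the *recipient* address.
# Exit codes understood by qmail-local: 0 = go on to the next line,
# 100 = permanent failure (bounce), 111 = temporary failure (retry later).

ALLOWED_DOMAIN=${ALLOWED_DOMAIN:-example.com}   # assumption: the office domain

# sender_allowed ADDRESS: true when ADDRESS ends in @ALLOWED_DOMAIN
sender_allowed() {
    addr=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$addr" in
        ?*@"$ALLOWED_DOMAIN") return 0 ;;
        *) return 1 ;;
    esac
}

# gate ADDRESS: returns the exit code the .qmail command line should end with
gate() {
    if sender_allowed "$1"; then
        return 0
    fi
    # text printed before a 100 exit is passed back as the failure report
    echo "Sorry, this list only accepts mail from $ALLOWED_DOMAIN senders."
    return 100
}

# Run as a delivery program only when qmail-local has set SENDER.
if [ -n "${SENDER+set}" ]; then
    gate "$SENDER"
    exit $?
fi
```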