[vchkpw] bug in 'vdominfo -n'?

2010-07-06 Thread Lars Uhlmann 
I'm not sure that the following behavior is by purpose, but it makes
'vdominfo' confusing:

$ vdominfo |egrep -A 4 '^domain:\ mydomain'
,-
| domain: mydomain.com
| uid:12345
| gid:12345
| dir:/srv/vpopmail/domains/mydomain.com
| users:  1
| --
| domain: mydomain.de (alias of mydomain.com)
| uid:12345
| gid:12345
| dir:/srv/vpopmail/domains/mydomain.com
| users:  1
`-

But if I use the '-n' option to get only domain names the result is
unexpected:

$ vdominfo -n |egrep '^mydomain'
,-
| mydomain.com
| mydomain.com
`-

Ok, I'm using an old version of vpopmail (5.4.10) and this issue has
probably been gone. But if not, can somebody explain the different
output?

Regards,
Lars Uhlmann

!DSPAM:4c3338f532711001834612!

[vchkpw] no spam and virus scan for authenticated users

2008-12-17 Thread Lars Uhlmann 
Excuse me if this question is already answered (if so just point me
there). Is it possible to tell simscan skip scanning on authenticated
(=relay) connections?

best regards,
Lars

!DSPAM:4948f93d32312016118559!

[vchkpw] [chkuser] suggestions for future changes

2006-09-20 Thread Lars Uhlmann 
On Tue, 22 Aug 2006 13:19:32 +0200 tonix (Antonio Nati) [EMAIL PROTECTED] 
wrote:

 I've noticed some spam sending hosts, which use e.g.
 localhost/ 127.0.0.1
 as their sender MX. When my mailserver tries to verify the
 sending account via bounce check (connecting to 127.0.0.1),
 the rcpt to: check is ok, because chkuser accepts unknown
 rcpt to's from localhost. Is there a settings to get rid of
 that?
   
Better would be a patch to qmail-smtpd that only accepted
localhost and 127.0.0.1 as the HELO name on connections from
127.0.0.1.  I don't know enough about chkuser to answer your
original question.
  
  This would be one possibility but in this case the mail is already
  in the local queue - what we try to prevent. I think an extended
  chkuser patch is the better way. While chkuser already checks for
  an existing MX-record it could easily test the received A-Record
  against 127.0.0.0/8, RFC1918 or in case of a fqdn is it resolveable
  at all.
  
  If you send me more details on how check should be done, I could try
  to put in in 2.0.10 version of chkuser.

My comment above was not quite correkt. I suggest to realize it this
way:

1) Test for a valid MX-RR (RFC 1035, para. 3.3.9)

   A MX-Record must contain a host name, not an IP address.

   This could be a compile time option (MX_STRICT_FQDN_CHECK ;-)
   log rejects with meaningful messages
   (e.g. Sender MX (domain.tld MX=1.2.3.4) violates RFC1035, 3.3.9

2) Do an A-RR lookup with the acquired fqdn and test the resolved IP
   against any of the following scopes[0] (reject on match).

   Private Use IP addresses:

10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255

   Autoconfiguration IP Addresses:

169.254.0.0 - 169.254.255.255

   Loopback IP addresses:

127.0.0.0 - 127.255.255.255

   log rejects with meaningful messages
   (e.g. Sender MX (fastmail.com - MX=we-dont-accept-mail.fastmail.com - 
A=127.0.0.1) never reachable)

   This could be compile time option(s) too or (what I prefer) a file
   loaded at runtime (e.g. $QMAIL_ROOT/control/chkuser_bad_mx_ip). The
   latter solution lets you add or remove ranges without recompiling
   (e.g. for smtpds in private LANs)

   Example for 'chkuser_bad_mx_ip' (I prefer the CIDR notation)
   ,-
   | # do we need comments? would be really nice ;-)
   | # RFC1018
   | 10.0.0.0/8
   | 172.16.0.0/12
   | 192.168.0.0/16
   | 
   | # windows auto config range
   | 169.254.0.0/16
   | 
   | # loopback
   | 127.0.0.0/8
   | 
   | # this is my day off ;-)
   | 0.0.0.0/0
   `-


Problem: How do we handle multiple MX records? I think we only take care
of the best prioritized record because this is the one nearly always
used.

regards
 Lars

[0] http://www.iana.org/faqs/abuse-faq.htm#SpecialUseAddresses

[vchkpw] Re: Unable to login with POP

2006-09-20 Thread Lars Uhlmann 
On Wed, 20 Sep 2006 12:55:05 +0300, Cantemir wrote:

 [html chunk]

My brain lacks of a HTML parser. If you expect fast help please provide
your question/informations in a suitable way. The common and preferred
content type is and stays 'text/plain'.

 /usr/lib/mysql/libmysqlclient.so.14: no version information available

Sounds like the installed mysql library isn't the same vpopmail is
compiled with. Did you build vpopmail on another host with a different
version of mysql?

What prints:

# ls -ld /usr/lib/mysql/libmysqlclient.so.14

HTH
Lars

Re: [vchkpw] QMail Forward

2006-08-17 Thread Lars Uhlmann 
 /var/control/smtproutes
 or
 /var/qmail/control/smtproutes

If »qmail« is installed under '/var/qmail' then it is
'/var/qmail/control/smtproutes'. The file 'smtproutes' may not exist so
just create it. For a description on how to set routes see the man page
of qmail-remote(8).

HTH
Lars

Re: [vchkpw] chkuser + localhost as sender MX

2006-08-16 Thread Lars Uhlmann 
On Wed, 16 Aug 2006 09:07:28 -0700 Tom Collins [EMAIL PROTECTED] wrote:

  I've noticed some spam sending hosts, which use e.g. localhost/ 
  127.0.0.1
  as their sender MX. When my mailserver tries to verify the sending
  account via bounce check (connecting to 127.0.0.1), the rcpt to:
  check is ok, because chkuser accepts unknown rcpt to's from
  localhost. Is there a settings to get rid of that?
 
 Better would be a patch to qmail-smtpd that only accepted localhost  
 and 127.0.0.1 as the HELO name on connections from 127.0.0.1.  I  
 don't know enough about chkuser to answer your original question.

This would be one possibility but in this case the mail is already in
the local queue - what we try to prevent. I think an extended chkuser
patch is the better way. While chkuser already checks for an existing
MX-record it could easily test the received A-Record against
127.0.0.0/8, RFC1918 or in case of a fqdn is it resolveable at all.

regards,
Lars Uhlmann

[vchkpw] [vpopmail] handle 'postmaster' as non existing user (reject mails)

2006-05-09 Thread Lars Uhlmann 
We only need this mailbox for »qmailadmin« to log in. Is it possible to
treat this account as non existing? I've tried a domain-global
'.qmail-postmaster' (... bounce-no-mailbox) and a '.qmail' (same content)
inside the folder 'postmaster' but nothing worked.

regards
   Lars

[vchkpw] Re: [vpopmail] handle 'postmaster' as non existing user (reject mails)

2006-05-09 Thread Lars Uhlmann 
On Tue, 09 May 2006 10:47:30 -0400, Michael Krieger wrote:

 I'd point you to the RFCs that state that the postmaster must exist and
 should accept mail, but since you're asking, you probably don't really
 mind.

You're right but I think RFC822 should be worked over. Problems with UBE
and SPAM were 1982 not even theoretically existing.

I'd like it better this way:
I have several domains with the same MX RR(s). The domain the MX host(s)
belong to has a case insensitiv 'postmaster' mailbox. It is filtered for
SPAM/Viruses (rejected with a meaningful message) and checked once a day.
Most if not all problems the appropriate clause in RFC822 is defined for
are technical by nature. For all other concerns this account can help too.

regards
  Lars

[vchkpw] Re: [vpopmail] handle 'postmaster' as non existing user (reject mails)

2006-05-09 Thread Lars Uhlmann 
On Tue, 09 May 2006 17:18:15 +0200, tonix (Antonio Nati) wrote:

Now I'd imagine the main frontline you'd want to investigate is 
chkuser.c if you use it.  By line 567, it's got a user and domain 
split.  Under case 10, it actually does the user check, so just have 
it test the user for 'postmaster' and return a failed 'user does not exist'.
 
 It could be more easy to set the BOUNCE_FLAG on for each postmaster, 
 and message will be rejected.

That's it! Shame on me. ;)

$ vmoduser -v
,-
| version: 5.4.10
| vmoduser: usage: [options] email_addr or domain (for each user in domain)
| ...
| the following options are bit flags in the gid int field ...
| ...
|  -b ( bounce all mail )
| ...
`-

It was too easy to find out. ;)

regards
  Lars

[vchkpw] [chkusr] valid Sender-MX

2006-04-28 Thread Lars Uhlmann 
The Sender-MX-Check needs some enhancements. ;)
Spammers mostly use RFC1918-adresses or unresolveable names as MX-RR, e.g.:

@  IN  MX  $PRI   127.0.0.1
@  IN  MX  $PRI   has.no.a-record.
@  IN  MX  $PRI   has.rfc1918.a-record.

latest examples (all of the domains below are only used to deliver SPAM):

$ dig MX radiocompa.com
,-
| ;; ANSWER SECTION:
| radiocompa.com. 86289   IN   MX   0 127.0.1.51.
`-

or:

$ dig MX fflowershop.com 
,-
| ;; ANSWER SECTION:
| fflowershop.com.3600IN   MX   10 localhost.fabulous.com.
`-
$ dig A localhost.fabulous.com @ns1.darkbluesea.com
,-
| ;; ANSWER SECTION:
| localhost.fabulous.com. 3600IN   A127.0.0.1
`-

If I had the time and better C skills, I  would add the tests myself but... ;)

regards,
  Lars

[vchkpw] Re: vadddomain error

2006-04-28 Thread Lars Uhlmann 
On Mon, 10 Apr 2006 16:05:37 +0800, Oliver A. Rojo wrote:

 Hi! im trying to add a domain with numbers say 123domain.com. It says:
 
 vpgsql: error creating table '123domain_com': ERROR:  syntax error at or 
 near 1 at character 14

I'm not really familiar with postgresql but iirc table names must start
with a letter or an underscore.

HTH
Lars

Re: [vchkpw] OT, but abuse related

2005-09-27 Thread Lars Uhlmann 
On Tue, 27 Sep 2005 09:52:39 -0700
Clayton Weise [EMAIL PROTECTED] wrote:

 I know this is way off topic, but there are a lot of really smart
 people on this list so I'm hoping to get some ideas here.  I've got a
 web server that has some kind of formmail-esque script that is being
 horribly abused but I can't find it.  The server (shut down qmail-send
 on it for now) is spewing out messages by the hundreds, if not
 thousands, and I can't seem to center down on which site has the
 offending script.  Again, it's pretty off topic but I'm just looking
 for some help here... please.

To get the path of the script whose sending mail you could do this:

Write a wrapper for qmail-inject. From within the wrapper you'll find
the path of the caller script in the environment variable $PWD (assuming
bourne[again]shell)

here is a wrapper example:

,-[ qmail-inject.wrapper ]
| #! /bin/bash
| 
| ORIG_INJECT=/var/qmail/bin/qmail-inject.djb_original
| RETURN_PATH=[EMAIL PROTECTED]
| TMPFILE=`tempfile`
| DATETIME=`date +%d.%m.%Y %H:%M:%S`
| 
| # send desired information to myself
| # first the mail header
| echo From: [EMAIL PROTECTED] $TMPFILE
| echo To: [EMAIL PROTECTED] $TMPFILE
| echo -ne Subject: [$DATETIME] something meaningful\n\n $TMPFILE
| 
| # now the message body
| echo -e PWD: $PWD\n $TMPFILE
| echo -e \n- original e-mail below -\n $TMPFILE
|
| # save the original message for our mail and pass ist on to the real 
qmail-inject
| tee -a $TMPFILE | $ORIG-INJECT -f$RETURN_PATH
|
| # send the log mail
| $ORIG-INJECT  $TMPFILE
| rm -f $TMPFILE
| 
| # local logging
| /usr/bin/logger -p mail.info -t qmail-wrapper command line parameters: $*
`-

Don't forget to change the symbolic link /usr/sbin/sendmail (normally
linked to $QMAILDIR/bin/sendmail) to $QMAILDIR/bin/qmail-inject. If
the link stays unchanged and the script uses /usr/bin/sendmail 
»qmail-inject« is invoked by $QMAILDIR/bin/sendmail and therefore $PWD
will be equal to $QMAILDIR/bin.

HTH
Lars

[vchkpw] [chkuser] qutoacheck with catchall accounts

2005-05-22 Thread Lars Uhlmann 
Hi,

i'm using netqmail 1.05 with qmail-toaster-0.7.2.patch.bz2. This works
great but I have a little problem with 'chkuser':
A recipient is only checked if the domain has bouncing enabled. Is it
possible to check an users quota if the domain has a catch-all account?
Or with other words, can I compile 'chkuser' with CHKUSER_ALWAYS_ON but
have mails with unknown local parts delivered to the target
from.qmail-default instead of rejecting them?

TIA
Lars Uhlmann