[vchkpw] vpopmail 5.4.14 && valias
Two topics:1. Last chatter on vpopmail 5.4.14 was about a month ago with hints that it would be a few days to fix a few configure quirks. Were other issues discovered? What's expected new in 5.4.14 and what's the status of it?2. valias- migrating 3 CDB-based mail systems to one MySQL-based system for ease of management and some better services. I figure as a result of the greater quantity of users and domains, MySQL is a plus. Is there a benefit to using valias as well (keeping in mind domain.com/user/.qmail doesn't end up in the database). Is there a performance hit this is attempting to solve? I've generally used files. If I use valias instead, can I still on occasion add a maildrop line or some sort of executed command into the valias table? How easy is that to do? Can it do Maildir deliveries instead of forwards to other e-mail addresses?Thanks in advance,-M
[vchkpw] vpopmail extensions not working correctly
I am using 5.4.15 vpopmail and I've noticed that extensions aren't quite working right. If I send mail to [EMAIL PROTECTED] I get mail going to my inbox and blackberry. If I send mail to [EMAIL PROTECTED] I get mail going only to my inbox.# cat /home/vpopmail/domains/mydomain.com/.qmail-michael &[EMAIL PROTECTED] &[EMAIL PROTECTED] qmail-send logs: bytes 1329 from <[EMAIL PROTECTED]> qp 7661 uid 89 starting delivery 77: msg 374730 to local [EMAIL PROTECTED] delivery 77: success: did_0+0+1/And that's it. When I send to just 'michael', it then creates a new message to remote [EMAIL PROTECTED], as it should. but sending to michael-testing doesn't.That doesn't seem right. -M
Re: [vchkpw] vpopmail extensions not working correctly
Seemed to always work with previous versions however.and if that's the case, why does it process the forward? The problem is that it's doing one line of the .qmail-michael but not the second.-MChris Pugh <[EMAIL PROTECTED]> wrote: Er, Mike ..Wouldn't that due to the fact that ..home/vpopmail/domains/mydomain.com/.qmail-michaelandhome/vpopmail/domains/mydomain.com/.qmail-michael-testingare two *entirely separate* accounts?C. --- Michael Krieger wrote:> I am using 5.4.15 vpopmail and I've noticed that > extensions aren't quite working right. If I send> mail to [EMAIL PROTECTED] I get mail going to my> inbox and blackberry. If I send mail to> [EMAIL PROTECTED] I get mail going only> to my inbox.> > # cat> /home/vpopmail/domains/mydomain.com/.qmail-michael > &[EMAIL PROTECTED]> &[EMAIL PROTECTED] > > qmail-send logs:> bytes 1329 from qp 7661 uid> 89> starting delivery 77: msg 374730 to local> [EMAIL PROTECTED]> delivery 77: success: did_0+0+1/> > And that's it. When I send to just 'michael', it> then creates a new message to remote> [EMAIL PROTECTED], as it should. but sending> to michael-testing doesn't.> > That doesn't seem right.> -M> > __Do You Yahoo!?Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
[vchkpw] Fwd: vpopmail 5.4.15/qmailadmin 1.2.x - was: Crashes and Bugs?
Note: Crossposting this as it seems to be related to vpopmailI still had my 5.4.13 (patched with Shupp's patch to bring it somewhere in the middle of where it is now) source. I changed qmailadmin's Makefile to replace the -I and -L's for vpopmail's includes/libraries and did a 'cp config.h vpopmail_config.h' in the vpopmail-5.4.13 folder. The result? It now works perfectly again, displaying the aliases without segfaulting. It's displaying the autoresponders without segfaulting as well. However it's staticly linked with 5.4.13, which isn't ideal (and shouldn't be needed of course). No other changes have been made. I'm imagining some quirk that was introduced that is affecting qmailadmin? I have the ltrace/strace's (see some of the previous messages).PS: Sorry to everyone for debugging aloud, but hopefully it helps someone.-MMichael
Krieger <[EMAIL PROTECTED]> wrote:Seems that qsort is returning a void in the case of the aliases according to ltrace (gdb doesn't seem to be giving me much useful, so I'm sticking to strace/ltrace).837 readdir(0x807a440) = 0x807a52c 837 readdir(0x807a440) = NULL 837 closedir(0x807a440) = 0 837 qsort(0x807a240, 0, 4,
0x8062510) = 837 strcpy(0xb140, NULL 837 --- SIGSEGV (Segmentation fault) --- 837 +++ killed by SIGSEGV +++ any ideas?Michael Krieger <[EMAIL PROTECTED]> wrote: It seems to be dying as such (trying to get a backtrace, but debugging cgi's isn't exactly easy unless someone has an idea). Of course editing for the domain, but the length is the same.strace: 21422 geteuid32() = 89 21422 chdir("/home/vpopmail/domains/test1.mydomains.com") = 0 21422 open("/home/vpopmail/domains/test1.mydomains.com/.qmailadmin-limits", O_RDONLY) = -1
ENOENT (No such file or directory) 21422 open("/home/vpopmail/etc/vlimits.default", O_RDONLY) = 521422 fstat64(5, {st_mode=S_IFREG|0644, st_size=1143, ...}) = 0 21422 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4001a000 21422 read(5, "# Default limits file. This file is used for domains without a\n# .qmailadmin-limits file.\n\n# maximums for each ac count type, -1 = unlimited\nmaxpopaccounts\t\t-1\nmaxforwards\t\t-1\nmaxautoresponders\t-1\nmaxmailinglists\t\t-1\n\n# quota for ent ire domain, in megabyte"..., 4096) = 1143 21422 read(5, "", 4096) = 0 21422 close(5) = 0 21422 munmap(0x4001a000,
4096) = 0 21422 geteuid32() = 89 21422 getpid() = 21422 21422 open("/home/vpopmail/domains/test1.mydomains.com/vpasswd.cdb", O_RDONLY) = 521422 lseek(5, 8, SEEK_SET) = 8 21422 read(5, "\3\t\0\0\2\0\0\0", 8) = 8 21422 lseek(5, 2307, SEEK_SET) = 2307 21422 read(5, "\00188T}\10\0\0", 8) = 8 21422 lseek(5, 2173, SEEK_SET) = 2173 21422 read(5, "\n\0\0\0t\0\0\0", 8)
= 8 21422 read(5, "postmaster", 10) = 10 21422 read(5, "*** SNIP ***" , 116) = 116 21422 close(5) = 0 21422 open("/home/vpopmail/domains/test1.mydomains.com/.qmailadmin-limits", O_RDONLY) = -1 ENOENT (No such file or directory) 21422 open("/home/vpopmail/etc/vlimits.default", O_RDONLY) = 5 21422 fstat64(5, {st_mode=S_IFREG|0644, st_size=1143, ...}) = 0 21422 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4001a000 21422 read(5, "# Default limits file. This file is used for domains without a\n# .qmailadmin-limits file.\n\n# maximums for each account type, -1 = unlimited\nmaxpopaccounts\t\t-1\nmaxforwards\t\t-1\nmaxautoresponders\t-1\nmaxmailinglists\t\t-1\n\n# quota for entire domain, in
megabyte"..., 4096) = 1143 21422 read(5, "", 4096) = 0 21422 close(5) = 0 21422 munmap(0x4001a000, 4096) = 0 21422 chdir("/home/vpopmail/domains/test1.mydomains.com") = 0 21422 open("/home/vpopmail/domains/test1.mydomains.com/postmaster/Maildir/1141140624.qw", O_RDONLY) = 5 21422 fstat64(5, {st_mode=S_IFREG|0600, st_size=43, ...}) = 0 21422 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4001a000 21422 read(5, "ip_addr=72.59.3.44&returntext=&returnhttp=\n", 4096) = 43 21422
close(5) = 0 21422 munmap(0x4001a000, 4096) = 0 21422 time(NULL) = 1141140718 21422 open("/home/vpopmail/domains/test1.mydomains.com", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY) = 5 21422 fs
[vchkpw] qmailadmin 1.2.10 vpopmail 5.4.15 segfaults on forwards page
I've spent the past few days working on this problem for a good 8 hours a day, so figure I'll send it back to the list for some insight.This is using no valias code, so it should be using vpalias.c. I'm using standard qmail aliases.I'm getting qmailadmin segfaulting when handling forwards, most obviously is viewing the forward list even. My debugging has taken me to the final call to 'alias_line = valias_select_all_next(alias_name);' when alias_name is the final alias in the set, or when the set is empty (no aliases at all).If I make it stop running (through code hacks) valias_select_all_next one short of the number of aliases, all works well with no problems no matter what I do in qmailadmin. However, when it continues, it tends to continue but corrupt other areas, such as segfaulting on a fclose() in send_template_now() mainly. There seems to be some sort of overrun going on here but I can't seem to find it to my displeasure.Is anyone else seeing these issues? Any ideas on a solution? I'm looking to vpalias.c for solutions and have been fiddling with that code as well with no real success, as everything seems alright.qmailadmin 1.2.10 : '--enable-htmldir=/var/www' '--enable-cgibindir=/var/www/cgi-bin' '--enable-help' '--enable-cgipath=/cgi-bin/qmailadmin' '--enable-domain-autofill'\" vpopmail 5.4.15 : '--enable-qmail-ext' '--enable-auth-module=cdb' '--enable-logging=y'Debian 3.1Thanks in advance folks,-M
Re: [vchkpw] Why not disconnect after rejection/limit ?
Yes. RFC 2821 ( http://www.faqs.org/rfcs/rfc2821.html ) states as follows (note the words 'MUST NOT')3.9 Terminating Sessions and Connections An SMTP connection is terminated when the client sends a QUIT command. The server responds with a positive reply code, after which it closes the connection. An SMTP server MUST NOT intentionally close the connection except: - After receiving a QUIT command and responding with a 221 reply. - After detecting the need to shut down the SMTP service and returning a 421 response code. This response code can be issued after the server receives any command or, if necessary, asynchronously from command receipt (on the assumption that the client will receive it after the next command is issued). In particular, a server that closes connections in response to commands that are not understood is in violation of this specification. Servers are expected to be tolerant of unknown commands, issuing a 500 reply and awaiting further instructions from the client. An SMTP server which is forcibly shut down via external means SHOULD attempt to send a line containing a 421 response code to the SMTP client before exiting. The SMTP client will normally read the 421 response code after sending its next command. SMTP clients that experience a connection close, reset, or other communications failure due to circumstances not under their control (in violation of the intent of this specification but sometimes unavoidable) SHOULD, to maintain the robustness of the mail system, treat the mail transaction as if a 451 response had been received and act accordingly.Ibiltari <[EMAIL PROTECTED]> wrote: Hi,I'm trying to fine tune my mail system, and looking at howqmail-smtpd/vchkpw handle rejected mail i started thinking; whyqmail-smtp doesn't disconnect after the intrusion threshold? it keepsrejecting messages (from the spammer normally) and eating cpu and bandwhit. Perhaps there is a good reason to don't disconnect but i thinkit could be a nice feature too.any opinion about this?Ion
Re: [vchkpw] Why not disconnect after rejection/limit ?
Jeremy Kister <[EMAIL PROTECTED]> wrote: On 3/3/2006 10:28 AM, Michael Krieger wrote:>An SMTP server MUST NOT intentionally close the connection except:>- After receiving a QUIT command and responding with a 221 reply.> - After detecting the need to shut down the SMTP service and returning a 421 response code. This response code can be issued after the server receives any command or, if necessary, asynchronously from command receipt (on the assumption that the client will receive it after the next command is issued).Not to turn this into a RFC contest on the wrong mailing list, but we must be interpreting that differently --my qmail-1.03.isp.patch will close a connection after a defined number of errors. I claim RFC 2821 #3.9 compatibility, because before closing the connection, I send a 400 error. I have the 'need' to close the connection, because I no longer want to hear from this abuser, and he is automatically entered into tcp.smtp.cdb for rejection.I'm not saying that you shouldn't do that. All I'm saying is that the RFC states that you should not intentionally kill the SMTP connection unless 1. the client sends a quit and you ack it with a 221. 2. the SMTP __service__ needs to shut down. Note that the second one is not you wanting to shut down the connection, but rather the service restarting for example.Now what you choose to do is up to you. In practice, the remote mailer in real-world situations will assume a disconnection beyond both of your control and try again in a wee bit, so it's deemed okay by some. That doesn't make it right by the standard, but then again, these are 'Requests For Comments' as a way to set an agreed upon standard. You can religiously follow them or veer from them, but it's safe to assume that they represent what most people are doing with their systems and how it's "supposed" to work.So is there a reason not to do it? Yes the RFC suggests that this shouldn't happen if you can help it and have another way to do it. Is there a reason to do it? You cite bandwidth and CPU usage, as well as generally hostile Internet behaviour. So throw a coin and see what is more important to you.I'd argue that you may find it more beneficial to add a qmail-smtpd.c code hack to keep a count of rcpt commands and issue a 5xx reply when there's a good number, placing this code before chkuser so that it eats up next to no CPU usage. In terms of bandwidth, it's probably minimal. There are already patches for tarpitting and having a max rcpts, so it should be easy to modify to increment on failed rcpts and avoid the overhead of a vpopmail lookup, favouring a simple if failed > 10, err_pissoff(). That'll reuduce any CPU overhead and the bandwidth will be minimal.Then of course block for future connections if you wish (but I'd argue again that odds are it's some automated hacked Spam bot on an innocent system that picked up your domain randomly or from a list and will never come back after a few minutes anyway.) We've tried keeping blacklists for a while, but they tend to block real people too, who we will never see the attack from again. Temporary blocks are okay, but in most cases, you'll never see the abusive system again.So anyway- RFC says one thing, but you do as you wish. That's always the case on the Internet. -M
Re: [vchkpw] Transfering vpopmail domains
Rick Macdougall wrote:> devnull wrote:>> I've tryed to modify by hand the passwd and the>> passwd.cdb files changing the path but it dont>> work any suggestion?> You'll need to modify the /var/qmail/users/assign> file as well as the vpasswd files.devnull-Your solution of using vadduser in a script worksbecause it is properly updating the cdb file.vpopmail will use the cdb file if they are available,and if not, generate from the vpasswd file. It soundslike you edited vpasswd, and modified the cdb file (whichdefinately won't work, as the index will be off in thelength changes). If you just edit vpasswd, on the nextadd/delete user, it will undo your change, because it willread in the cdb file and write out vpasswd and vpasswd.cdb.The solution? rm ~vpopmail/domains/*/vpasswd.cdb. Modify~vpopmail/domains/*/vpasswd with the proper paths. Alsomodify ~vpopmail/domains/*/.qmail-default to properly pointto the new vdelivermail location, and make sure the maildirfor default delivery if not bounce-no-mailbox has the newpath. Also update ~vpopmail/domains/*/.qmail-* to havethe proper aliases (if you have them to maildirs from oldvpopmail versions) and point to the proper location for ezmlmand autorespond if that changed. Finally edit ~vpopmail/domains/*/*/.qmailto make sure the maildir delivery lines are all pointing tothe right location.I'm not sure how chkuser will mix into this (it may want thecdb files), so if the cdb files don't regenerate for you, justrun vmoduser on each postmaster user toggling a flag (then putit back), such as the no_imap flag. That should regenerate thecdb properly from vpasswd text file.-M
Re: [vchkpw] Re: what's this 'vpopmailctl' stuff? (Was: [vchkpw] 552 message too large error)
Potential answer to the parent question below. Now, re vpopmailctl:vpopmailctl is a script provided by some distros, that ultimately is more like a qmailctl but not for each component. All it does is run svc for these pop3 and pop3ds. It really sholdn't be named vpopmailctl, but so be it. stop -- stops mail service (pop3 connections refused) start -- starts mail service (pop3 connection accepted) pause -- temporarily stops pop3 service cont -- continues paused pop3 service stat -- displays status of pop3 service restart -- stops and restarts pop3d Databytes is not used by qmail-send or anything other than qmail-smtpd. It should take effect on all future SMTP connections.If it doesn't, then you probably have DATABYTES= set in your tcp.smtp file, or maybe in the run script of qmail-smtpd. According to the man pages "If the environment variable DATABYTES is set, it overrides databytes."Also check the softlimit memory limit, though that doesn't seem to be your issue, but any change in databytes should then make sure the memory limit is high enough.-MJeremy Kitchen <[EMAIL PROTECTED]> wrote: On Wednesday 08 March 2006 03:13, Michele Virgilio wrote:> > Did you reload qmail after changing the databytes value?>> Yes, i did a #qmailctl restart and a #vpopmailctl restart without success,> then a full reboot, but the error is still there :(forgive my ignorance, but I don't understand where people are getting this 'vpopmailctl restart' idea at.vpopmail is a set of 'one shot' programs, there are no long running processes. What does this magical 'vpopmailctl' script even do?-Jeremy-- Jeremy Kitchen ++ [EMAIL PROTECTED]In the beginning was The Word and The Word was Content-type: text/plain -- The Word of Bob.
Re: [vchkpw] IMAP connections fail after undetermined period.
Check your connection limits to the MySQL server. Seems to occasionally happen when a flood of smtp connections or pop connections opens up a lot of MySQL backends. Essentially it means that it tried to run its database queries and the server isn't there and has broken or didn't accept the connection.-M james cooke <[EMAIL PROTECTED]> wrote: Hello,After a few hours of running - I haven't narrowed it down to a certain time, it seems to vary - IMAP connections fail with: dovecot: Mar 08 16:29:59 Error: auth(default): vmysql: sql error[3]: MySQL server has gone awaySetup is FreeBSD 5.4, qmail 1.03, vpopmail 5.4.13, dovecot 1.0, mysql 5.0.18.I thought the issue was with the imap server, but it occurred with courier-imap also.Auth with pop3 continues to work, and if I reset dovecot then imap begins to work again temporarily, as it did with courier-imap.I'm assuming this might be some sort of MySQL version or connection timeout issue, but I'm at a loss on where to go from here, I'm fairly new to this area in general, any feedback would be very welcome.Thanks, James Cooke
RE: [vchkpw] FW: chkuser 2.0 doesn't appear to be working
I should ask- Is the domain set the 'bounce-no-mailbox' or do you have a catch all account? If you have a catch-all account, checkuser disables itself (as all recipients are valid). Disable the catch-all account if any and then see if it works.-M"tonix (Antonio Nati)" <[EMAIL PROTECTED]> wrote:>[EMAIL PROTECTED] qmail-1.03]# ./qmail-smtpd>220 mail.leeevans.org ESMTP>mail from [EMAIL PROTECTED]>250 ok>rcpt to:[EMAIL PROTECTED]>250 ok>quit
RE: [vchkpw] FW: chkuser 2.0 doesn't appear to be working
#ifndef TLSThis means that it will only run chkuser if you didn't compile it with TLS support, which you might have done. If TLS is defined, I don't see chkuser being included in the executable. You need the chkuser calls in the TLS/SSL section as well.This is not an if structure as it would be in regular code. This is a compiler direction, that tells it to completely ignore those parts at COMPILE TIME. Meaning, that those parts may never get included... ever... in the executable.Of course I'm making an assumption that TLS is defined :)-M Lee Evans <[EMAIL PROTECTED]> wrote: > You could post here (or send me) the routine where chkuser is > called (both for sender and recipients), just to see what to change.I have attached snippets from qmail-smtpd.c showing the send &
rcpt routinesand chkuser code I hope this is what you meant. > [Is chkuser.h included in a valid point within qmail-smtpd.c?]I have:#include "fd.h"#include "dns.h"#include "spf.h"/*chkuser*/#include "chkuser.h"ThanksLeevoid smtp_mail(arg) char *arg;{ int r; rcptcounter = 0 ; if (!addrparse(arg)) { err_syntax(); return; } /*chkuser*/ if (chkuser_sender (&addr) != CHKUSER_OK) { return; } /*chkuser end*/ flagbarf = bmfcheck(); switch(mfcheck()) {case DNS_HARD: err_hmf(); return;case DNS_SOFT: err_smf(); return;case DNS_MEM: die_nomem(); } flagbarfspf = 0; if (spfbehavior && !relayclient) {switch (r = spfcheck()){ case SPF_OK: env_put2("SPFRESULT","pass"); break; case SPF_NONE: env_put2("SPFRESULT","none"); break; case SPF_UNKNOWN: env_put2("SPFRESULT","unknown");
break; case SPF_NEUTRAL: env_put2("SPFRESULT","neutral"); break; case SPF_SOFTFAIL: env_put2("SPFRESULT","softfail"); break; case SPF_FAIL: env_put2("SPFRESULT","fail"); break; case SPF_ERROR: env_put2("SPFRESULT","error"); break;}switch (r){ case SPF_NOMEM:die_nomem(); case SPF_ERROR:if (spfbehavior < 2) break ;out ("451 SPF lookup failure (#4.3.0)\r\n");return; case SPF_NONE: case SPF_UNKNOWN:if (spfbehavior < 6) break ; case SPF_NEUTRAL:if (spfbehavior < 5) break ; case SPF_SOFTFAIL:if (spfbehavior < 4) break ; case SPF_FAIL:if (spfbehavior < 3) break ;if (!spfexplanation(&spfbarfmsg)) die_nomem();if (!stralloc_0(&spfbarfmsg)) die_nomem();flagbarfspf = 1;} } else
env_unset("SPFRESULT"); seenmail = 1; if (!stralloc_copys(&rcptto,"")) die_nomem(); if (!stralloc_copys(&mailfrom,addr.s)) die_nomem(); if (!stralloc_0(&mailfrom)) die_nomem(); out("250 ok\r\n");}void smtp_rcpt(arg) char *arg; { rcptcounter++; if (!seenmail) { err_wantmail(); return; } if (checkrcptcount() == 1) { err_syntax(); return; } if (!addrparse(arg)) { err_syntax(); return; } if (flagbarf) { err_bmf(); return; } if (flagbarfspf) { err_spf(); return; } if (relayclient) {--addr.len;if (!stralloc_cats(&addr,relayclient)) die_nomem();if (!stralloc_0(&addr)) die_nomem(); } else#ifndef TLSif (!addrallowed()) { err_nogateway(); return; }/*chkuser*/switch (chkuser_realrcpt (&mailfrom, &addr)) {case CHKUSER_KO: return; break;case CHKUSER_RELAYING: --addr.len; if
(!stralloc_cats(&addr,relayclient)) die_nomem(); if (!stralloc_0(&addr)) die_nomem(); break;}/*end chkuser*/#elseif (!addrallowed()) { if (ssl) { STACK_OF(X509_NAME) *sk;X509 *peercert;stralloc tlsclients = {0};struct constmap maptlsclients;int r;SSL_set_verify(ssl, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE, verify_cb);if ((sk = SSL_load_client_CA_file("control/clientca.pem")) == NULL) { err_nogateway(); return; }SSL_set_client_CA_list(ssl, sk); if((control_readfile(&tlsclients,"control/tlsclients",0) != 1) || !constmap_init(&maptlsclients,tlsclients.s,tlsclients.len,0)) { err_nogateway(); return; }SSL_renegotiate(ssl);SSL_do_handshake(ssl);ssl->state = SSL_ST_ACCEPT;
SSL_do_handshake(ssl);if ((r = SSL_get_verify_result(ssl)) != X509_V_OK) {out("553 no valid cert for gatewaying: "); out(X509_verify_cert_error_string(r)); out(" (#5.7.1)\r\n"); return; }if (peercert = SSL_get_peer_certificate(ssl)) {char emailAddress[256]; X509_NAME_get_text_by_NID(X509_get_subject_name( SSL_get_peer_certificate(ssl)), NID_pkcs9_emailAddress, emailAddress, 256); if (!stralloc_copys(&clientcert, emailAddress)) die_nomem(); if (!constmap(&maptlsclients,clientcert.s,clientcert.len)){ err_nogwcert(); return; } relayclient = ""; } else { err_nogwcert(); return; } } else { err_nogateway(); return; } }#endif if (!stralloc_cats(&rcptto,"T")) die_n
[vchkpw] Transition from pop-before-smtp
I've got a much older mail system running vpopmail/qmail that was created some time ago. We have been encouraging new settings on users for some time, including using their full e-mail address instead of just the username to authenticate, as well as enabling smtp authentication.As with any transition, it's a slow process that nobody seems to care much about until it stops working.The vipmap situation (default domains) was easy, as I document below incase it helps anyone. The SMTP authentication I seem to be having a bit more trouble with. Of course many users don't use our smtp servers at all and instead use their ISPs. Yet vpopmail opens POP for everyone. What I want to know is to have a log entry (probably the from address) every time a user: - is allowed to relay through our mail server (so has RELAYCLIENT set) - did not authenticate (so TCPREMOTEINFO does not have their username) -
sends to an e-mail address not in rcpthosts (so relays)Any ideas how we'd implement that? Are any existing contributions useful here?To find people who are using vipmap and not specifying their domain (with a % or @), we implemented the following code in vpopmail.c's parse_email() function instead of just vset_default_domain(). FILE *; and if ( (domain == NULL) || (strlen(domain)<1) ) { vset_default_domain(domain); = fopen("/tmp/legacyipalias", "a"); fprintf(,"[EMAIL PROTECTED]", user, domain, get_remote_ip()); fclose(); = NULL; } else { // not needed since it'll just return, but just in case vset_default_domain(domain); }
Re: [vchkpw] Virtual SMTP Greeting?
Just ignore it. In a world where machines could do only one thing due to a lack of power, machines greeted with their own name, which was where you want to deliver to. These days, where hundreds of domains can operate on one machine, this greeting just allows you to identify the server. It is not required, nor does it matter. this should NOT affect your Spam score, especially considering this is on your SMTP server, which is when you are receiving mail and not sending it.-MJeremy Oddo <[EMAIL PROTECTED]> wrote: Hi All--Sorry if this has been brought up in the past...I've beenoff the list for a couple years.Lately, our mail has had trouble getting to Yahoo, Hotmail,and a smaller ISP. Sometimes the mail ends up in the spamfolders so I know our mail is getting to their box. Ichecked the big blacklist sites and we are not listed. Ithen ran our domain through the test athttp://www.dnsreport.com/. Everything came up clean exceptfor two things:1. No SPF record (which I've fixed)2. Mail server host name in greetingBecause I'm using Vpopmail with virtual domains, my mailserver address doesn't match my host address name in theSMTP greeting.Does anyone know how to fix this? Is there even a fix for it?Thanks for the help.
Re: [vchkpw] relay, smtp after pop
SMTP Authentication seems to be the norm these days, and I'd encourage it. Now if only M$ would make it the default or easier than going into advanced settings when adding an account (and also the port 587 option).-M Jeremy Kitchen <[EMAIL PROTECTED]> wrote: On Friday 24 March 2006 09:52, Jeremy Kitchen wrote:> If it doesn't, just tell your users to make sure if they see it happen to> hit send/receive and try again. Or switch to an smtp auth based solution> if it's that big of a problem.wow, I can't believe I didn't mention this before:a third option is to have them stop using that pile of doo known as outlook.now to find my coffe...-Jeremy-- Jeremy Kitchen ++ [EMAIL PROTECTED]In the beginning was The Word and The Word was Content-type: text/plain -- The Word of Bob.
Re: [vchkpw] relay, smtp after pop
Keeping in mind most SMTP uses CRAM-MD5 or some equivalent these days with some portion of challenge/response from the server for authentication details... this of course happens automatically.Some e-mail clients will go kicking and screaming on self-signed certificates, particularly in a virtualhosting environment where the common name needs to be a wildcard (*) for users to access the mail server under their own domains.I love the paranoia around sniffing that many parties with an invested interest have encouraged. In the end, your data transmits with some encryption on passwords from your PC, through a private network of your ISP who has tens if not hundreds of thousands of clients, then onto MCI/Verizon and other key players in core bandwidth into some datacenter. Nobody of which has any care what your e-mail looks like. Don't get me wrong, I'm all for encryption, but on services like e-mail it seems a bit excessive in favour of a challenge/response authentication. Besides- these days odds are your PC will be infected and e-mail read on there rather than over the wire where it passes by your ISP aggregated with tons of other traffic at a few hundred Mbit/s. Just my 2c. Both are solutions to the problem, but 587 is more to avoid port 25 blocking by many ISPs as well as to run a SMTP service without ident/hostname lookups to ensure a speedier connection for mail senders, while keeping this on the ports that other mail servers send to.-MJeremy Kitchen <[EMAIL PROTECTED]> wrote: On Friday 24 March 2006 10:31, Michael Krieger wrote:> SMTP Authentication seems to be the norm these days, and I'd encourage it.> Now if only M$ would make it the default or easier than going into> advanced settings when adding an account (and also the port 587 option).why use port 587? the 'use secure connection' is right there, and if you're doing any passing of authentication tokens across the wire, you should be encrypting it.that's just my two cents.-Jeremy-- Jeremy Kitchen ++ [EMAIL PROTECTED]In the beginning was The Word and The Word was Content-type: text/plain -- The Word of Bob.
Re: [vchkpw] relay, smtp after pop
I know that it was broken on one of our mail servers a few years ago (where it advertised it but then didn't authenticate properly) and we got <10% of users properly authenticating and >90% of them not (these are if I recall correctly and are of course rough numbers. The general observation I find is that most mail clients use as much of the protocol as they know.So no claim/fact that's enough to go by, but pop RECORDIO on your pop or smtp server, and tail -F (capital to follow the file name itself) the current file and see how many of your authentications are mangled, be it by challenge-response or that are short and plain text. There may be more recognizable sections to look at.-MPaul Theodoropoulos <[EMAIL PROTECTED]> wrote: At 10:48 AM 3/24/2006, Michael Krieger wrote:>Keeping in mind most SMTP uses CRAM-MD5 or some equivalent these >days with some portion of challenge/response from the server for >authentication details... this of course happens automatically.do you have a source for the claim of 'most'? just curious.Paul Theodoropouloshttp://www.anastrophe.comhttp://www.smileglobal.comhttp://www.forumgarden.com
Re: [vchkpw] relay, smtp after pop
i don't use smtp auth, so i wouldn't know. i thought you were claiming that most providers these days are doing smtp auth. I was stating that most mail CLIENTS (Outlook, Thunderbird, etc) tend to prefer any mangled authentication method in favour of sending a password in clear text, based on my observations. Even better, many (especially newer ones) tend to use challenge/response algorithms for SMTP-Auth for example, which ensure one-time use, and prevent creating an open relay if the connection is viewed.Now, I'd also argue (unrelated to my previous e-mail) that more and more ISPs are turning to SMTP Authentication and blocking port 25. This number is growing, but based on the customers who contact us, there seems to be more regions with this upcoming issue. Mainly this is to prevent worms from sending mail on their own (port 25 blocking).The SMTP Authentication is more popular because mail no longer comes from an IP, but instead comes from an e-mail address. With pop before smtp, you know that 123.123.123.123 has a virus or is relaying Spam through your server, or is producing a lot of bounces, who's settings can be easily obtained and used via MAPI. With smtp authentication, you see in the headers that the user is [EMAIL PROTECTED]@123.123.123.123 and that's on mail that goes out, Spam reports that comes back, etc. It associates the connection with a username in addition to an IP, which is really what matters. it's reliableExcept when it's done in the wrong order, which some mail clients do... or if a users' IP changes. , it's simple, it's low overheadYou sure about that? Every successful POP/IMAP authentication will do a CDB lookup for the IP address, and if not found will add it to the open-smtp file, expire old entries, and then rebuild the CDB file. CDB is fast to read, but building it, while not very slow, isn't super-quick. Each future POP authentication will update the expire time of the open-smtp entry and rebuild the CDB file again. So for every pop authentication you have a CDB rebuild, versus a CDB read. [note to see the benefit of not updating it, you'd need to phase it out and then disable the feature or it'll happen anyway]. . if someone believes their email is important enough that someone would want to sniff the line to get it, then they should be using PGP or some other means of making the actual content secure.It's deceptive and lying to the user really to use SSL and think it's secure. While your [not you, but the gp] mail server may have the TLS patch and SSL ports, others may not. So you encrypt your super-secret message thinking it's going from your computer to the end encrypted... but it's not. It's encrypted to your mail relay. Then it's decrypted and put onto disk in CLEAR TEXT. At which point it's then sent to another mail server... which could be encrypted or not. In the end, the plain text insecure file sits on a final mail server, and then is picked up by the user, likely unencrypted and stored unencrypted on a workstation that's probably not secure.In any case, the point is that no matter how you look at it, SSL from the client to mail relay or client to POP server is one part of the process, and creates a false sense of security. in my opinion, of course.Naturally... Of course most of what I say is my opinion on the matter. I'm sure there are many schools of thought, but we've transitioned mostly from POP-before-smtp. It's difficult, and has been YEARS in the works to detect and transition users (similarly difficult was moving from ip aliased domains to using [EMAIL PROTECTED] authentication). The end result is that it's easier to track down and follow mail when it needs to happen.-M
Re: [vchkpw] relay, smtp after pop
I have my clients use port 587 whenever possible, because I use RBLs on port 25 that block some dynamic address ranges.Is there a better practice for this?I'd also recommend turning of hostname lookups and identd lookups in tcpserver's command line.You may want to look at the REQUIREAUTH patch (I had to modify it slightly to make it work with newer smtpauth versions) as well, making sure that only smtp authentication can be used on port 587. While spammers don't submit mail to 587 to date, who knows when that may start. Plus, it lets me ensure that nobody is using the pop-before-smtp on port 587. When we have them on the phone and are changing settings, might as well check 'enable authentication'Some discussion is here about using SSL instead ('requires a secure connection'), but that's up to
you. Some versions of outlook confuse users with 'use secure password authentication SPA' which works with exchange servers... Every time I told soemone to turn on SSL, SPA was turned on and it didn't authenticate properly.-M
Re: [vchkpw] relay, smtp after pop
To correct myself... Each future POP authentication will update the expire time of the open-smtp entry and rebuild the CDB file again.I don't believe it actually rebuilds the CDB file here, but it does update the open-smtp file with the new timestamp for the expiry. In any case, any change to the IP list and it updates the CDB file. So for every pop authentication you have a CDB rebuild, versus a CDB read. And adjust list line per above.CDB is great for mail, because it needs to be updated only when an account is added or password is changed. It's made for reading, and a lot of reading, as well as updating without causing issues. Fast lookups. As that database gets big and filled with IPs, rebuilding it can begin to slow down.-M
Re: [vchkpw] relay, smtp after pop
unless you're doing it in mysql. which works dandy.You sure about that?the MySQL open relay database would speed up the cleanup of old entries and the updates making that pretty quick, but ultimately it needs to make that a cdb file that sets relayclient for tcpserver to execute qmail-smtpd doesn't it? Still building a CDB file regularly. -M
Re: [vchkpw] relay, smtp after pop
no, no cdb rebuilding at all. this is with the patches to do so of course. my vpopmail tcp.smtp.cdb file hasn't been touched in just over three years. Good to know- thanks for the correction.of course, i have lots more mysql transactions going on all the time, but have had no performance problems associated with it. I suppose so, but benchmarks are all specific to any setup as well. Didn't know there were patches to do this (to qmail-smtpd or to tcpserver)? I guess the big question is why add that dependency? Why have all that database activity and connection requirement when you could just pass a password along... But then you can see from previous messages that I promote the smtp-auth these days-M
Re: [vchkpw] qmail-inject deferrals
Jeremy Kister <[EMAIL PROTECTED]> wrote: I'm using qmail and vpopmail in a rather large environment. I've always got several hundred messages in my queues because of unparsable header fields.delivery 50391: deferral: qmail-inject:_fatal:_unable_to_parse_this_line:/Return-Path:_Received:_from_wctc.net.airstream.mail8.psmtp.com_(wctc.net.airstream.mail8.psmtp.com_[63.240.161.100])_by_mx1.extreme-hosting.net_with_smtp;_mrt,_24_2006_3:13:50_-0100/system_error/I do not want to fixup broken messages with new-inject, and I because qmail-inject is giving a fatal error, vdelivermail should also.It should be noted that this is saying that the header is invalid. Note return-path is blank, and fails to contain a newline. I'd fix the problem- being whatever is accepting this mail message into your queue in the first place.We sometimes get these when people try to inject into php scripts by making a from address contain newlines and the programmer is an idiot and doesn't check this. In theory, qmail-smtpd should turn down the message when it comes in. So I guess the question is where is it coming from?I wouldn't 'fix' this header, as it's malformed to start with.-M
RE: [vchkpw] Re: 5.4.15 onchange patch
The reason I mention this is that I'm having a bugger of a job getting my code that implements skel dirs to work with vqadmin - it works fine from the command line (as root) but I get a permission denied error when executing from vqadmin.Have you thought at all about just wrapping your qmail programs executed from tcpserver and doing it at run-time instead of account creation?Example that I use for creating an IMAP folder structure for use with bincimap # /var/qmail/bin/linkwrapper # #!/bin/sh test -d IMAPdir || mkdir IMAPdir test -e IMAPdir/INBOX || ln -sf ../Maildir IMAPdir/INBOX exec $@Then in my service run file, I have tcpserver \ /home/vpopmail/bin/vchkpw \ /var/qmail/bin/linkwrapper \ /var/qmail/bin/bincimapdI don't see why you couldn't do the same with your pop daemon or smtp daemon to do some basic parameters (and maybe extend it to keep additional information).Something to consider. On a run of qmail-smtpd, test the timestamp of a file to the cdb file and rebuild if needed.-M
Re: [vchkpw] Patch to create IMAPdir
Did you see my post last night about the same issue and wrapping a shell script and exec call around bincimap? It means you don't have to deal with this problem for pop/smtp uses, but only imap.Why modify vpopmail to do something specific to another program?-MRobin Bowes <[EMAIL PROTECTED]> wrote: Hi all,After struggling for sometime to get skeldir functionality to work, I'vegiven up for now.The primary reason for wanting skeldirs was so that new accounts couldbe created with IMAPdir support for use with bincimap.The following patch modifies vpopmail to create an IMAPdir directory.It also modifies r_chown to work correctly with symlinks (required sinceIMAPdir contains a symlink IMAPdir/INBOX -> ../Maildir/)R.--- vpopmail-5.4.15/vpopmail.c
2006-01-17 11:30:52.0 -0800+++ vpopmail-5.4.15-IMAPdir/vpopmail.c 2006-03-27 11:30:50.0 -0800@@ -1298,11 +1298,16 @@ while((mydirent=readdir(mydir))!=NULL){ if ( strncmp(mydirent->d_name,".", 2)!=0 && strncmp(mydirent->d_name,"..", 3)!=0 ) {- stat( mydirent->d_name, &statbuf);- if ( S_ISDIR(statbuf.st_mode) ) {-r_chown( mydirent->d_name, owner, group);+ lstat( mydirent->d_name, &statbuf);+ // don't recurse into symlinks - just chown symlink to owner:group+ if ( S_ISLNK(statbuf.st_mode) ) {+lchown(mydirent->d_name,owner,group); } else {-chown(mydirent->d_name,owner,group);+if ( S_ISDIR(statbuf.st_mode) ) {+ r_chown( mydirent->d_name, owner, group);+} else {+ chown(mydirent->d_name,owner,group);+} } } }@@ -2115,7
+2120,7 @@ struct vqpasswd *mypw; char calling_dir[MAX_BUFF]; char domain_dir[MAX_BUFF];- const char *dirnames[] = {"Maildir", "Maildir/new", "Maildir/cur",+ const char *dirnames[] = {"Maildir", "IMAPdir", "Maildir/new","Maildir/cur","Maildir/tmp"}; int i;@@ -2175,6 +2180,16 @@ } }+ // Add the symlink IMAPdir/INBOX -> ../Maildir/+ if (symlink("../Maildir/", "IMAPdir/INBOX") == -1) {+fprintf(stderr, "make_user_dir: failed to symlink %s\n","IMAPdir/INBOX");+/* back out of changes made above */+chdir("..");+vdelfiles(username);+chdir(calling_dir);+return(NULL);+ }+ /* set permissions on the user's dir */ r_chown(".", uid, gid);
Re: [vchkpw] Re: 5.4.15 onchange patch
It is indeed possible to use wrappers as you do, but this adds overheadto every invocation of [insert progran here] which I'd rather avoid. How much overhead do you think executing a shell script and an internal call to test implements? How often do you think IMAP connections are made? Think of all the calls that already wrap around shells. Think of how many exec calls (or their variiants in this case) are made to run tcpserver, authentication programs, bincimap-up, and bincimapd? Why not modify bincimap or bincimap-up to do the same thing on invocation and provide the patch to the bincimap folks instead- a likely better way to do things.Just don't get caught up in the hype as to how much faster c programs are- when the shell is probably kept in memory, and the stat calls used by test are cached, this isn't a huge performance hit- especially for a connection like imap that is more persistant.I run about 10K+ users on bincimap through this linkwrapper and generally see almost no load... I know that's vague, but I've never benchmarked the use with or without a simple shell script.It's incredibly easy to add or modify functionality to qpsmtpdbecause of the plugin hooks that are built-in. I'd suggest that: 1. qpsmtpd lacks many plugins and doesn't seem to have a lot of support in the community, along with the various plugin methods to qmail-smtpd. I'm sure there's a good chunk of overhead in there as well, not to mention difficulties like plugin ordering, etc. 2. vpopmail manages qmail users and delivers mail. I'm weary of making it even more of a kitchen sink to start adding plugins and management functions that would likely be used by a small number. It's still changing considerably between major releases.Anyway, I've solved the IMAPdir issue a different way (see separate post). Saw it- thumbs up. Glad you solved your issue.-M
Re: [vchkpw] rblsmtpd with vchkpw
Use a scoring based RBL check. rblsmtpd denies all connections existing in RBLs You could modify it to do a scoring algorithm if you wanted, finding only the popular entries. SpamAssassin (with simscan) will do what you want, adding a score based on the credibility and error rates of each RBL. So something in one RBL will have a higher Spam score (and combined with other features may throw it over the edge), but something in three RBLs will be enough to reject the message.You could of course just find RBLs that don't block your customers or have good removal rules.-M Fernando Milovich <[EMAIL PROTECTED]> wrote: I mean bypass RBL is the client is authenticated. But it seems to be no possibly.This problem is because our customers use ISP connections like ADSL and Dial Up and these connections are blocked by CBL at spamhaus.orgI think i´ll have to change the RBL checker.Thanks so much.- Original Message - From: "John Simpson" To: Sent: Monday, April 03, 2006 7:18 PMSubject: Re: [vchkpw] rblsmtpd with vchkpw
Re: [vchkpw] Force Auth from all but localhost
You'd want something like http://www.netable.com/~dburkes/qmail-smtpd-requireauth/dist/qmail-smtpd-requireauth-0.30.tar.gz to do it. Note that this patch is against old/different versions of the auth patch, so you'll have to just use it as a guide and do it by hand. In specific, and if I recall correctly, authd is renamed and you have to move a define for requireauth up a bit higher in the file. If you need a hand with that let me know. Then add REQUIREAUTH="" to your tcp.smtp file.You _DO NOT_ want to have this on port 25 for the default connection if you're receiving mail from others. It is useful for port 587 or some other submission port where you don't want non-authenticated mail to come through, so that you don't have to worry about Spam on these ports, and always know you have a user [useful for domainkeys for example to make sure that the auth user is always set].localhost:allowmy.class.c.:allow:allow,REQUIREAUTH=""-MSascha Ebach <[EMAIL PROTECTED]> wrote: Hi,how can I enforce that everybody (except localhost) has to authenticate via smtp auth. The way I have it configured now is that all that are not in rcpthosts have to authenticate, but all that are in rcpthosts can be send email without auth. How can I change that?Thank you.--Sascha Ebach Digitale Wertsch�pfungHugo-Junkers-Str. 26 50739 K�lnTel: 0221 / 5994393Fax: 0221 / 5994394mailto:[EMAIL PROTECTED]Web: http://www.digitale-wertschoepfung.de
Re: [vchkpw] Best way to receive mail on TWO servers
Yes. Set up a new copy of qmail in a different folder other than /var/qmail [or your current location] (see conf-*), as otherwise you can't have two running on the same machine, unless they point to the same queue and all.Bring up tcpserver for the second installation on a different port- if you care to take over a valid but lesser used port, try 26.Then add an smtproute (man qmail-remote for details) for :localhost:26 [do check the syntax] to route all mail to that smtp server.Of course, if you loose the mail, you still loose the mail. I'd advise delivering to a maildir locally and maybe using some of the many tools to send a mail queue from a maildir to a relay instead, leaving a copy of the mail for safekeeping.-MJeremy Oddo <[EMAIL PROTECTED]> wrote: Does anyone have suggestions for sending all incoming mailto two servers?I have a vpopmail server in place. I want to replace it withan upgraded server. I want both to receive mail for a bit soI can test the new server. I only have one external IPaddress. Is there a way to tell the first server to send theincoming mail over to the new server?Thanks.
[vchkpw] problem overriding qmailadmin limits at authentication?
Interesting problem..qmailadmin-limits is my default that has disable_imap set for the domain. Naturally that should make new accounts have that limit.Sadly though, I want some people to use imap. So I clear the flags (-x) with vmoduser, but the disable_imap still holds true, rejecting the login.I don't recall it working that way before. Is this something new?-M
[vchkpw] Corrupt return-path help? [OT]
Somewhat off-topic, but I'm imagining that somewhere in the mix is where this is all beginning.This is an example of a [junk but unscanned] message [slightly edited for the actual e-mail addresses, though mostly should be the same] that was received. You'll notice the Return-Path: fails to have any data or a newline after it, being prepended to a received line that already exists.I then get this in my qmail log file: qmail-inject:_fatal:_unable_to_parse_this_line:/Return-Path:_Received:_...when it tries to forward the mail based on a .qmail file.So my question is where would this be allowed into the system? Shouldn't qmail-smtpd (and simscan) be adding a proper return path based on the senders' from address when it passes it along for the initial delivery?Received: (qmail 27397 invoked by uid 89); 8 May 2006 13:12:31 -0400Received: by simscan 1.2.0 ppid: 27387, pid: 27395, t: 0.0977s scanners: clamav: 0.88.2/m:38/d:1448DomainKey-Status: no signatureReceived: from unknown (HELO 211.57.43.201) (211.57.43.201) by suede.mydomain.com with SMTP; 8 May 2006 13:12:28 -0400Received-SPF: neutral (suede.mydomain.com: 211.57.43.201 is neither permitted nor denied by SPF record at _spf.google.com)Return-Path: Received: from keith.lloyd.com (keith.lloyd.com [158.222.0.2]) by mailgate.yorkinternet.net with ESMTP; May, 08 2006 12:03:14 PM -0300Received: from mail.bellsouth.com (mail.bellsouth.com [139.76.165.130]) by mail.landg.com with smtp; May, 08 2006 10:54:17 AM -0300From: [EMAIL PROTECTED] <[EMAIL PROTECTED]>To: [EMAIL PROTECTED]Subject: Atuh stock is on the move !!! Could double in a week qqklSender: [EMAIL PROTECTED] <[EMAIL PROTECTED]>Mime-Version: 1.0Content-Type: text/html; charset="iso-8859-1"Date: Mon, 8 May 2006 12:12:27 -0500X-Mailer: Microsoft Outlook Build 10.0.2616Any help is apprecaited,-M
Re: [vchkpw] Corrupt return-path help? [OT]
Sorry- I meant shouldn't this be added by qmail-local on delivery. I guess I am trying to figure out why it isn't properly adding it.-MMichael Krieger <[EMAIL PROTECTED]> wrote: Somewhat off-topic, but I'm imagining that somewhere in the mix is where this is all beginning.This is an example of a [junk but unscanned] message [slightly edited for the actual e-mail addresses, though mostly should be the same] that was received. You'll notice the Return-Path: fails to have any data or a newline after it, being prepended to a received line that already exists.I then get this in my qmail log file: qmail-inject:_fatal:_unable_to_parse_this_line:/Return-Path:_Received:_...when it tries to forward the mail based on a .qmail file.So my question is where would this be allowed into the system? Shouldn't qmail-smtpd (and simscan) be adding a proper return path based on the senders' from address when it passes it along for the initial delivery?Received: (qmail 27397 invoked by uid 89); 8 May 2006 13:12:31 -0400Received: by simscan 1.2.0 ppid: 27387, pid: 27395, t: 0.0977s scanners: clamav: 0.88.2/m:38/d:1448DomainKey-Status: no signatureReceived: from unknown (HELO 211.57.43.201) (211.57.43.201) by suede.mydomain.com with SMTP; 8 May 2006 13:12:28 -0400Received-SPF: neutral (suede.mydomain.com: 211.57.43.201 is neither permitted nor denied by SPF record at _spf.google.com)Return-Path: Received: from keith.lloyd.com (keith.lloyd.com [158.222.0.2]) by mailgate.yorkinternet.net with ESMTP; May, 08 2006 12:03:14 PM -0300Received: from mail.bellsouth.com (mail.bellsouth.com [139.76.165.130]) by mail.landg.com with smtp; May, 08 2006 10:54:17 AM -0300From: [EMAIL PROTECTED] <[EMAIL PROTECTED]>To: [EMAIL PROTECTED]Subject: Atuh stock is on the move !!! Could double in a week qqklSender: [EMAIL PROTECTED] <[EMAIL PROTECTED]>Mime-Version: 1.0Content-Type: text/html; charset="iso-8859-1"Date: Mon, 8 May 2006 12:12:27 -0500X-Mailer: Microsoft Outlook Build 10.0.2616Any help is apprecaited,-M
Re: [vchkpw] Corrupt return-path help? [OT]
The message comes in properly (or so it seems) and into qmail-local and then vdelivermail. It reads a .qmail file that says &[EMAIL PROTECTED] and has a second line with the maildir. The first one [the inject] is failing, which vdelivermail is supposed to be handling.Is this a bug in vdelivermail? The message into vdelivermail seems to have a valid return-path, and coming out of vdelivermail into qmail-inject appears to blank the line but not remove it: Return-Path: Received: from keit-MMichael Krieger <[EMAIL PROTECTED]> wrote: Somewhat off-topic, but I'm imagining that somewhere in the mix is where this is all beginning.This is an example of a [junk but unscanned] message [slightly edited for the actual e-mail addresses, though mostly should be the same] that was received. You'll notice the Return-Path: fails to have any data or a newline after it, being prepended to a received line that already exists.I then get this in my qmail log file: qmail-inject:_fatal:_unable_to_parse_this_line:/Return-Path:_Received:_...when it tries to forward the mail based on a .qmail file.So my question is where would this be allowed into the system? Shouldn't qmail-smtpd (and simscan) be adding a proper return path based on the senders' from address when it passes it along for the initial delivery?Received: (qmail 27397 invoked by uid 89); 8 May 2006 13:12:31 -0400Received: by simscan 1.2.0 ppid: 27387, pid: 27395, t: 0.0977s scanners: clamav: 0.88.2/m:38/d:1448DomainKey-Status: no signatureReceived: from unknown (HELO 211.57.43.201) (211.57.43.201) by suede.mydomain.com with SMTP; 8 May 2006 13:12:28 -0400Received-SPF: neutral (suede.mydomain.com: 211.57.43.201 is neither permitted nor denied by SPF record at _spf.google.com)Return-Path: Received: from keith.lloyd.com (keith.lloyd.com [158.222.0.2]) by mailgate.yorkinternet.net with ESMTP; May, 08 2006 12:03:14 PM -0300Received: from mail.bellsouth.com (mail.bellsouth.com [139.76.165.130]) by mail.landg.com with smtp; May, 08 2006 10:54:17 AM -0300From: [EMAIL PROTECTED] <[EMAIL PROTECTED]>To: [EMAIL PROTECTED]Subject: Atuh stock is on the move !!! Could double in a week qqklSender: [EMAIL PROTECTED] <[EMAIL PROTECTED]>Mime-Version: 1.0Content-Type: text/html; charset="iso-8859-1"Date: Mon, 8 May 2006 12:12:27 -0500X-Mailer: Microsoft Outlook Build 10.0.2616Any help is apprecaited,-M
[vchkpw] vpopmail 5.4.16 locking issue?
Seem to be having an issue since vpopmail 5.4.16 and qmailadmin 1.2.10.The first operation tends to work alright, such as creating a user, deleting a user, or so on, however the second fails. Even changing a password fails.If I delete the .vpasswd.lock file everything goes through... for one more usage.I scanned through vcdb.c and didn't see anything, and I'm looking through vpopmail.c now. Any ideas on this one?-M
Re: [vchkpw] vpopmail 5.4.16 locking issue?
Permissions in the answer. .vpasswd.lock is being created 000 by vpopmail.I made a patch to add the mode to it. Since it's being created by vpopmail, it should be 600. It seems it's not only qmailadmin that is doing this, but also vadduser for example is making a 000 lock file.Patch attached,-MMichael Krieger <[EMAIL PROTECTED]> wrote: Seem to be having an issue since vpopmail 5.4.16 and qmailadmin 1.2.10.The first operation tends to work alright, such as creating a user, deleting a user, or so on, however the second fails. Even changing a password fails.If I delete the .vpasswd.lock file everything goes through... for one more usage.I scanned through vcdb.c and didn't see anything, and I'm looking through vpopmail.c now. Any ideas on this one?-M vpopmail-5.4.16-lockperm.patch.gz Description: 3462119702-vpopmail-5.4.16-lockperm.patch.gz
Re: [vchkpw] Corrupt return-path help? [OT]
5.4.15- the one that was current beyond a couple days ago.-MTom Collins <[EMAIL PROTECTED]> wrote: On May 8, 2006, at 12:08 PM, Michael Krieger wrote:> Is this a bug in vdelivermail?� The message into vdelivermail seems to > have a valid return-path, and coming out of vdelivermail into > qmail-inject appears to blank the line but not remove it: Return-Path: > Received: from keitWhat version of vpopmail? vdelivermail went through huge changes in 5.4.11.--Tom Collins - [EMAIL PROTECTED]QmailAdmin: http://qmailadmin.sf.net/ Vpopmail: http://vpopmail.sf.net/
Re: [vchkpw] [vpopmail] handle 'postmaster' as non existing user (reject mails)
Easiest thing to do is add a .qmail file in the postmaster directory stating '|/bin/true delete' to scrap the message [just sets it as deleted by default].Now I'd imagine the main frontline you'd want to investigate is chkuser.c if you use it. By line 567, it's got a user and domain split. Under case 10, it actually does the user check, so just have it test the user for 'postmaster' and return a failed 'user does not exist'.I'd point you to the RFCs that state that the postmaster must exist and should accept mail, but since you're asking, you probably don't really mind.-MLars Uhlmann <[EMAIL PROTECTED]> wrote: We only need this mailbox for �qmailadmin� to log in. Is it possible totreat this account as non existing? I've tried a domain-global'.qmail-postmaster' (... bounce-no-mailbox) and a '.qmail' (same content)inside the folder 'postmaster' but nothing worked.regards Lars
Re: [vchkpw] [vpopmail] handle 'postmaster' as non existing user (reject mails)
Ken Jones <[EMAIL PROTECTED]> wrote:I've been thinking of setting up all new domains with thisway. Nobody really reads postmaster email.I do see the occasional person who does, but it's rare. I like the 'set the bounce flag' idea suggested in this thread. Postmaster should have the bounce message flag set, so that it's not even accepted by chkuser at the smtp level, as opposed to accepting the mail and then bouncing it.the code in chkuser is: if (user_passwd->pw_gid & BOUNCE_MAIL), so it seems to take it into account.Personally I wouldn't worry about running vdelivermail. If it's set with a bounce_mail flag as in chkuser (which I'd guess most people use) then it'll never run vdelivermail anyway, and any locally inserted mail would have the extra vdelivermail execution- but that'll be rare if ever.-M
Re: [vchkpw] Corrupt return-path help? [OT]
Have the same thing with a message with a CTRL-Z in the from/reply-to line. it's fine as a local delivery, but since forwards even within the same domain go in &[EMAIL PROTECTED] then it gets called with qmail-inject. > From: "Eva Andrews" <)^Z>> X-Mailer: The Bat! (v2.00.9) Business> Reply-To: "Eva Andrews" <)^Z>>>qmail-inject:_fatal:_unable_to_parse_this_line:/From:_"Eva_Andrews"_<)_>/user>>_does_not_exist,_but_will_deliver_to_/home/vpopmail/domains/domain.ca/>>bob//system_error/I don't think this is directly linked to the previous malformed e-mail that had no Return-Path but instead had Return-Path: Received, as this has a ^Z in the mail from whereas the e-mail before seemed to have normal characters... unless it's all-round the use of qmail-inject as Jeremy suggests.-M
[vchkpw] Crash in qmailadmin 1.2.10/vpopmail 5.4.16 adding first forward
Seems there's a crash in qmailadmin/vpopmail still when adding only the first forward in a domain. The second works fine, but deleting the first and recreating it even shows an internal server error.I'll have another look at the source, but I think there's still some bugs left to squash.-M
Re: [vchkpw] Crash in qmailadmin 1.2.10/vpopmail 5.4.16 adding first forward
Ken- a segfault patch against 5.4.16 is attached.Since mydir is static (and hence survives the function call), if max_names is null (which happens if there are no aliases on the domain), then mydir has been closed, but mydir is not set to NULL. Hence when it does a second itteration of the function as qmailadmin will, it will segfault since it's not null, yet is closed.See attached,I also attached my patch from earlier regarding forcing at least read/write permissions on the lock file, as I'm finding qmailadmin is creating them with no permissions (likely relating to a umask or something Debian related, so it's always best to force the permissions of the lock file).-MMichael Krieger <[EMAIL PROTECTED]> wrote: Seems there's a crash in qmailadmin/vpopmail still when adding only the first forward in a domain. The second works fine, but deleting the first and recreating it even shows an internal server error.I'll have another look at the source, but I think there's still some bugs left to squash.-M vpalias.segfault.crash.20060509.patch.gz Description: 3308966721-vpalias.segfault.crash.20060509.patch.gz vpopmail-5.4.16-lockperm.patch.gz Description: 3462119702-vpopmail-5.4.16-lockperm.patch.gz
Re: [vchkpw] Vpopmail With Only One Domain and POP Logins
You're looking for vipmap and the --enable-ip-alias-domain configure option: # --enable-ip-alias-domains # Enable mapping of default domain via reverse ip lookup table.See README.ipaliasdomains for more information in the vpopmail distribution.You want to add a record (vipmap -h for details) for your primary domain name to your IP address that they'll use to connect (or for each IP address) on your server.-MKen Schweigert <[EMAIL PROTECTED]> wrote: I'm migrating a client's mail server to a qmail+vpopmail setupfollowing the directions at http://www.shupp.org/toaster . They had aqmail+system-level-account setup before.My question: since this is the only domain that will be on the box,is there a way to allow the users to login as just their login name asopposed to complete email address? This would make the migration tonseasier since I wouldn't have to go to every user's machine (over ahundred) and walk them through changing the client settings. If theycould still be able to login as 'sallysue' instead of'[EMAIL PROTECTED]' there wouldn't need to be any changes on theirend.Thanks!-ken schweigert
[vchkpw] qmailmrtg7 simscan patch update.
An update on the qmailmrtg7 simscan patch.Remove the following (line 280) } else if ((tmpstr1 = strstr(TmpBuf, ":RELAYCLIENT:"))!=NULL) { // just log message ++tclean;as this is logging outgoing messages and hence making the numbers look lower than they are.The new patch should first check for rejection, then for tagging, otherwise for clean, since spam scanning doesn't run when relayclient is set.-M
Re: [vchkpw] restrict users
Remember- they can set the header To/From to be whatever they want, unless you want to scan the whole message. You can with reasonable ease probably get this going with the envelope from/to.This would probably be a custom job.How I'd approach it: - use the REQUIREAITH patch (note that it no longer works with smtpauth and so on, but it's three lines so if you change the variable names around you'll be good to go) on a submission port - add some code to the mail_rcpt() command if requireauth is true and the requireauth test succeeds [it would be tested at mail_from if requireauth is set, so just check if requireauth is set in the rcpt command], to read one of the vpopmail USER_# flags and if it's set, compare the @mydomain.com in the envelope from with the @authenticateddomain.com in RELAYCLIENT, failing on the mail from otherwise. If you're not wanting to only have them send to their own domain, just test for the few domains you want in sequence.A hack I know, but should be able to implement it in just a few minutes.-MCristi Tauber <[EMAIL PROTECTED]> wrote: hello,i have qmail + vpopmail installed. is there a way to restrict some users of one domain (i have many domains spread on 4 email servers in different locations) to send mail only to some specific domains (the ones in our company) not to the whole world ? remember that i want only some users of one domain to be restricted and some of the same domain to be able to send mail without restrictions ? and is there a way to have a copy of all sent emails of a certain user ? (qmail does this but i have to recompile it , and is not only for one user but for all traffic )thankscristi---This message and its contents have been scanned and certified fortransmission as being free from malicious code by <>. Thismessage may contain confidential, privileged or other legally protectedinformation. It is intended for the addressee(s) only. If you are not theaddressee, or someone the addressee authorized to receive this message, youare prohibited from copying, distributing or otherwise using it. Pleasenotify the sender and return it.Thank you.
[vchkpw] dot-qmail ordering
Hi Folks,I've been browsing the qmailadmin/vpopmail code and see that there's no effort to enforce order in dot-qmail files. Adding lines to a dot-qmail file is just an append to the end of the file it seems with valias_insert and so on [at least in vpalias it is for the files/cdb backend].I'm looking to add some additional features that depend on order. The main one is a script I've written that checks for existing Spam headers, and should they not exist, checks the mail through SpamAssassin's spamc and exits 99 to stop processing the dot-qmail file or exits cleanly.The reasoning for this is that I want Maildir delivery's first, delivering properly to the user in question. I then want to run my |ifnotspam command. If it exits 99 (yes it's definately Spam), I don't want to forward the mail, and don't want to autorespond to it. Yes I realize this isn't perfect and may have the occasional bit of real mail not forwarded. Even more important is the autoresponding, as I find users who set vacation messages can often have hundreds of e-mails per day, many of which are Spam.Some users have spam scanning with Simscan, but others don't and don't want it. At the same time, I don't want to forward or autorespond (with the mail attached) to mail that if SA thinks will be Spam, so will other major providers.Now the reasoning isn't too bad, but it depends on the following: 1. vpopmail sorting .qmail and .qmail-* files after it writes them -OR- vpopmail inserting lines in the right place as opposed to appending 2. qmailadmin having a 'add before remote' option that will, if autorespond/forward is set, add a customized line to the dot-qmail file in the right place [using the abilities above] of properly ordering dot-qmail files.Obviously both would need to take into account extra things like keeping maildrop and any custom commands above the |ifnotspam command.Now the second part I don't see as too difficult, as it could check using the valias_* functions to see if the command already exists, and if not add it [as well as remove it in the case of removing a forward/autoresponder, just to clean up]. This would just be adding an extra valias_insert call with a fixed define.It's the ability to add in a proper order that I'm curious about. Anyone already tried it? Should I give the code a good hacking? See anything else I could affect in doing this?I think it's a really valuable feature, and should be easy enough to implement.-=-=-=-=-As a side note, in qmailadmin's autorespond.c, shouldn't these be in the opposite order to prevent any temporary failures after closing the .qmail file without the message file existing yet? * Make the autoresponder .qmail file * Make the autoresponder message file-M
Re: [vchkpw] Unwanted Local Delivery
for i in `cat /var/qmail/control/{more,}rcpthosts`; do host -t MX $i | egrep "mail1.thiscouldbeme.com|mail2.thiscouldbemetoo.com" 2>&1 || echo $idoneDone- will echo everything that does not include your _expression_ in its MX record. If it has no matches, grep exits 1 and will trigger the echo. If it matches at least one, then you're set. You can make more complex expressions or do more tests if you'd like.-MTom Collins <[EMAIL PROTECTED]> wrote: On May 19, 2006, at 12:46 AM, Andy BIERLAIR wrote:> How can I force vpopmail/qmail to deliver it to the right MX instead > to a> local zombie domain?You can't.You possibly need to write an auditing program that goes through the domains in your rcpthosts and morercpthosts and makes a list of domains
that don't list you as an MX.--Tom Collins - [EMAIL PROTECTED]QmailAdmin: http://qmailadmin.sf.net/ Vpopmail: http://vpopmail.sf.net/
RE: [vchkpw] Unwanted Local Delivery
Title: Ingo Claro
Why would you want to do MX lookups on every incoming connection.If you _REALLY_ want to, look at the mfcheck patch for qmail-smtpd. While this does it for the mail from, you could enhance it to check for each rcpt, as well as look up MX. Remember that if no MX exists, you should look up the A record for the domain name itself. You will also need to follow any MX record and convert it to an IP. Also keep in mind that your DNS servers may cache for double your TTL on the domains you host, so this won't help you much for quick changes- just long term effects.Since it doesn't do any quick changes due to caching on your Internal DNS systems, you might as well run a script every day (or more often or less often) to just do lookups of domains in your rcpthosts and notify you if any of the IPs aren't in your subnet, or if you use the same MX for all of them, you can get away with just looking up the MX [knowing that you have MXs, you can
skip the other lookups and followup lookups mentioned above].Who said anything about switching off local delivery? How would that help you? You could do the lookups and then create a report of unmatching MX records and send it to your e-mail.I'd ___HIGHLY___ discourage, if not downright call you names, if you were to automate the removal of these domains (vdeldomain) or any sort of automatic disabling. Realize that DNS isn't perfect. Network connectivity isn't perfect. Domains are left to expire and then renewed after a few days. Users may transition to another ISP and DNS caches may point to your server for days if not weeks. One may change a setting by accident.In any case, in all of these cases, you don't want to delete the mail, settings, users/forwards/lists, or prevent any delivery of mail. You'll have a lot more pissed off clients if you do that.Just run a script daily to notify you of
domains that don't have you listed as your MX (keeping in mind grepping out things like localhost or the shortname of your server, or being aware of any subdomains and how that can affect things) but are in your rcpthosts. Use this e-mail to contact users and make educated decisions as to what actions to take, including potentially sending the user their mail, or encouraging them to login to a webmail system to get it before you delete it.Cheers-MAndy BIERLAIR <[EMAIL PROTECTED]> wrote:So you say that there is no option to simply switch off local delivery and treat everything as coming from the outside? I guess I have to live with that :) How would I do the script based idea below realtime based? I mean, each time an email is sent from the smtp. Thanks,AndyFrom: Ingo Claro [mailto:[EMAIL PROTECTED] Sent: Friday, May 19, 2006 18:12 To: vchkpw@inter7.com Subject: Re: [vchkpw] Unwanted Local Delivery to get only the domains that don't matches you should do: host -t MX $i | egrep "mail1.thiscouldbeme.com|mail2.thiscouldbemetoo.com" > /dev/null 2>&1 || echo $i regards, Ingo Claro
F. Gerente de Operaciones [EMAIL PROTECTED] (+56-2) 43 00 155Certificado ISO 9001:2000Michael Krieger escribi�: for i in `cat /var/qmail/control/{more,}rcpthosts`; do host -t MX $i | egrep "mail1.thiscouldbeme.com|mail2.thiscouldbemetoo.com" 2>&1 || echo $i done Done- will echo everything that does not include your _expression_ in its MX record. If it has no matches, grep exits 1 and will trigger the echo. If it matches at least one, then you're set. You can make more complex expressions or do more tests if you'd like. -M Tom Collins <[EMAIL PROTECTED]> wrote: On May 19, 2006, at 12:46 AM, Andy BIERLAIR wrote: > How can I force vpopmail/qmail to deliver it to the right MX instead > to a > local zombie domain? You can't. You possibly need to write an auditing program that goes through the domains in your rcpthosts and morercpthosts and makes a list of domains that don't list you as an MX. -- Tom Collins - [EMAIL PROTECTED] QmailAdmin: http://qmailadmin.sf.net/ Vpopmail: http://vpopmail.sf.net/
[vchkpw] Misc Bugfixes- update, cleanup
Hey folks,I've submitted a few bugfixes against 5.4.16 to fix: - a crash when there are no names and one is using the cdb module- qmailadmin can cause this one as well as the command line programs - a series of lockfile permissions fixes when using the locking to... 1. comply with the man pages': "mode MUST be specified when O_CREAT is in the flags, and is ignored otherwise" which suggests that mode should be specified in those cases, and 2. prevents lock files from (on my base Debian system) being created with 000 and then failing on all future attempts after the first one to obtain a lock on the file as a result of a lack of permission.I advise seeing if you have any ~vpopmail/domain/*/.vpasswd.lock files and removing them if they do not have at least some permission.These seem to clear up all of the issues I've noticed with vpopmail-5.4.16 at this time [fortunately that big bugfix last release helped as well].Think we may be ready for 5.4.17 soon? I want to make sure these get in there.-M vpopmail-5.4.16-20060605.bugfixes.gz Description: 3200796762-vpopmail-5.4.16-20060605.bugfixes.gz
Re: [vchkpw] double_free_or_corruption
Upgrade to 5.4.16 and add the patch I posted earlier today to fix some outstanding bugs (one additional crash on no aliases, and then a CDB fix). A lot of bugs were fixed in 5.4.15 that are probably causing issues in many vpopmail functions. Getting support for old versions will be a challenge for you I'm sure. It should be a drop-in replacement in the toaster with the new version.-MPablo Povarchik <[EMAIL PROTECTED]> wrote: Hello We are having this on a couple of servers:@4000448365ad3882b29c delivery 11617: deferral:lseek_errno=29/mail_is_looping/***_glibc_detected_***_/home/vpopmail/bin/vdelivermail:_double_free_or_corruption_(fasttop):_0x089080c0_***/===_Backtrace:_=//lib/libc.so.6[0x9c4124]//lib/libc.so.6(__libc_free+0x77)[0x9c465f]//home/vpopmail/bin/vdelivermail[0x8049bd4]//home/vpopmail/bin/vdelivermail[0x8048c2b]/===_Memory_map:_/00111000-00114000_rwxp_00111000_00:00_0_/00943000-0095d000_r-xp__08:03_1081379/lib/ld-2.3.5.so/0095d000-0095e000_r-xp_00019000_08:03_1081379/lib/ld-2.3.5.so/0095e000-0095f000_rwxp_0001a000_08:03_1081379/lib/ld-2.3.5.so/00961000-00a84000_r-xp__08:03_1081407/lib/libc-2.3.5.so/00a84000-00a86000_r-xp_00123000_08:03_1081407/lib/libc-2.3.5.so/00a86000-00a88000_rwxp_00125000_08:03_1081407/lib/libc-2.3.5.so/00a88000-00a8a000_rwxp_00a88000_00:00_0_/00ae3000-00ae8000_r-xp__08:03_1082423/lib/libcrypt-2.3.5.so/00ae8000-00ae90 00_r-xp_4000_08:03_1082423/lib/libcrypt-2.3.5.so/00ae9000-00aea000_rwxp_5000_08:03_1082423/lib/libcrypt-2.3.5.so/00aea000-00b11000_rwxp_00aea000_00:00_0_/00c2-00c29000_r-xp__08:03_1081456/lib/libgcc_s-4.0.2-20051126.so.1/00c29000-00c2a000_rwxp_9000_08:03_1081456/lib/libgcc_s-4.0.2-20051126.so.1/00c97000-00c98000_r-xp_00c97000_00:00_0__[vdso]/00d1a000-00d2c000_r-xp__08:03_1081410/lib/libnsl-2.3.5.so/00d2c000-00d2d000_r-xp_00011000_08:03_1081410/lib/libnsl-2.3.5.so/00d2d000-00d2e000_rwxp_00012000_08:03_1081410/lib/libnsl-2.3.5.so/00d2e000-00d3_rwxp_00d2e000_00:00_0_/08048000-08054000_r-xp__08:03_44204044___/home/vpopmail/bin/vdelivermail/08054000-08055000_rwxp_c000_08:03_44204044___/home/vpopmail/bin/vdelivermail/08055000-0805c000_rwxp_08055000_00:00_0_/08908000-08929000_rwxp_08908000_00:00_0__[heap]/b7e0-b7e21000_rwxp_b7e0_00 :00_0_/b7e21000-b7f0_---p_b7e21000_00:00_0_/bff3f000-bff55000_rwxp_bff3f000_00:00_0__[stack]/Aack,_child_crashed._(#4.3.0)/Fedora 4glibc-2.3.5-10.3 (updating does not solve)Linux servername 2.6.15-1.1831_FC4smp #1 SMP Tue Feb 7 13:48:31 EST 2006i686 i686 i386 GNU/Linuxnetqmailvpopmail 5.4.13 shupp toaster mainlyIt happens here on forwards with vdelivermail:[EMAIL PROTECTED] [/home/vpopmail/domains/maildomain.com]# cat .qmail-default| /home/vpopmail/bin/vdelivermail '' [EMAIL PROTECTED][EMAIL PROTECTED] [/home/vpopmail/domains/maildomain.com]#names munged of courseAny help will be very appreciated, we are stuck hereThanks! -- Pablo Povarchik - FuturaHost.ComCEOManaged hosting services, the core of our work+- Web Hosting - Dedicated Servers - Colocation (AS39317) --+| [EMAIL PROTECTED] - http://www.futurahost.com/ - (+39) 0461 592710| Special! Get a Full Cabinet + 10Mbps full burst for only EUR 1,099 per month| in our London (UK) facilities. Availability also in Fremont CA, USA.+---+
Re: [vchkpw] Misc Bugfixes- update, cleanup
Tom Collins <[EMAIL PROTECTED]> wrote:One question related to the vpalias.c fix. Why is mydir static? It's always set to NULL before that function exits. Wouldn't making it not static and initializing it to NULL make more sense?mydir was static in vpopmail-5.4.16, so I didn't set that. Looking at it now, I'm not really sure why. From the same token, I'm not sure if it's worth changing. Possibly to ensure that mydir is closed on any second itteration in case it hits one of those returns?-M
Re: [vchkpw] concurrency
In theory, ther'es always potential, particularly when dealing with files on disk. One program could in theory do one thing and not another.The MySQL database should deal with its own concurrency. The CDB database has .vpasswd.lock files when updating the password files.You probably don't have to worry about corrupting anything, but in theory one could get system time and do something unexpected on the other, particularly in deleting and creating folders. That's usually not that important. Odds are that's never going to happen that you do two opposite actions on the same [EMAIL PROTECTED] at the same time.Odds are, you won't cause any harm.-MJeremy Kitchen <[EMAIL PROTECTED]> wrote: On Wednesday 05 July 2006 11:39, [EMAIL PROTECTED] wrote:> Hello,>> Can we run the commands in:>/home/vpopmail/bin> concurrently?> For instance, can someone run> vadduser [EMAIL PROTECTED] password_foo> at the time when someone else run:> vadduser [EMAIL PROTECTED] password_bar> ?depends on what they do.If they will modify the same files, you shouldn't. Otherwise, sure.For example.you can run vadddomain and vadduser (with a different domain) at the same time, but you shouldn't run two vaddusers on the same domain at the same time, etc. There's locking involved that prevents them from stepping on each other, but I don't know if they will just see the file as locked and bomb out, or wait for the lock to clear, etc.-Jeremy-- Jeremy Kitchen ++ [EMAIL PROTECTED]http://www.pirate-party.us/ -- defend your rights
[vchkpw] Simscan Crucial matching bug
So an interesting bug in simscan I noticed when at a clients' today. She said that she was getting tons of Spam- a good 20 times what she should rightfully get. All obvious Spam as well. Looking in the headers, it's not being scanned by spamc, despite the domain being in simcontrol.The answer? They were sending mail to [EMAIL PROTECTED] Sending mail to [EMAIL PROTECTED] works as expected, but not in all caps. I'm assuming this matching is case sensitive, and since qmail and as far as I know the RFCs for mail, don't distinguish case, shouldn't that mean that simscan doesn't either?At present, varying case of the domain can disable virus and spam scanning. In theory that could be used to infect PCs who believe that they are safe (though I'm not overly concerned about the security implications as much as the effective working of this).I haven't looked at detail at the code, but will gladly do so first thing next week, unless someone else knows the easy fix.I'm guessing we just need to convert the string to lowercase at the top of per_domain_email_lookup() [and possibly per_domain_lookup() if we don't lowercase the parameter]. Possibly even just set it in set_per_domain?Haven't looked at the bigger picture as I mentioned, but wanted to point that one out. Will investigate and post. Probably a very easy fix.-M
Re: [vchkpw] concurrency
[EMAIL PROTECTED] wrote:As for (1), SQL database and CDB have their own mechanism to serialize the concurrent access, so we will not worry about it.Well SQL has its own locking, be it table or row level that will prevent a single domain from being updated at the same time. For example, an update and a delete will either update and then delete, or delete and then fail on an update. Either way, it does the right thing.As for (2), there may be a chance of conflict in theory, because vpop commands do not implement the mechanism to avoid the concurrent access.But, in the real world, it is the rare case that the same folder is created/deleted at the same time.When would you create a user and delete them at the exact same time? Either the user exists or doesn't. Whatever state you end up in is probably sane, and odds are you won't do multiple actions as each depend on the opposite state.So, we need not to worry about the concurrent usage of vpop commands.Is my understanding correct?A big question is what harm can you cause? Concurrency can always lead to unpredictability, unless you lock the whole process. Even then, you could issue a command that negates the command before it (as a whole). Worst case updating a password for an e-mail address fails because the e-mail address is deleted... so it probably doesn't matter what the password is. Worst case you are updating a domain and it gets deleted, so again, who cares about the update- and occurring in the other order is fine too.Vpopmail will prevent corruption of your data, by using locking if needed (or depend on locking of a DB system). It will lock .qmail files when it writes them. Everything else shouldn't really matter. Maildir if it doesn't exist will be created, but you shouldn't get to that state.In a database, concurrency has issues. The textbook example is subtracting from an account balance, where if two programs update the balance at the same time (through two transactions), then they can cause problems (currbal=100, currbal-50, currbal-10 -=- possible outcomes are 90, 50, or 40). In this case, multiple updates to the same datum are uncommon, and any irregularity is still something the user wanted.-M
Re: [vchkpw] That domain isn't in my list of allowed rcpthosts
tcpserver uses one CDB file- that being a compiled database in CDB format with the keys (domains) and their values.Whichever file is in your -x parameter for tcpserver is the one that is used. The other is not used at all by your SMTP server.Given that, vpopmail has a neat feature of POP-before-SMTP which adds IPs of authenticated users into a file called 'open-smtp', often in the ~vpopmail/etc folder. After writing to this file, it then wants to put the list of IPs into your CDB file. It includes the original CDB, and generates and appends the lines as it places them into the CDB file.This is where " --enable-tcpserver-file=PATH File where tcpserver -x relay information is stored /home/vpopmail/etc/tcp.smtp." comes in in vpopmail configuration. vpopmail takes in this file, appends the lines it would from open-smtp, and then outputs a cdb file, if --enable-roaming-users is enabled. That CDB file is exactly what you entered when you configured vpopmail, with the addition of .cdb.So to recap: - tcpserver uses what you specify on the -x parameter - vpopmail takes etc/open-smtp, combines it with the value of enable-tcpserver-file - vpopmail outputs enable-tcpserver-file's value + '.cdb' onto the end of it - IN THEORY, and for a properly working roaming users setup, tcpserver's -x paramter should point to enable-tcpserver-file's value + '.cdb'.If you don't use roaming users, put the tcpserver's -x file wherever you want, and that'll be what will be used, as vpopmail does not affect it.-Muro jotne <[EMAIL PROTECTED]> wrote: I had to put the 196.168.2 (the LAN) in /etc/tcp.smtp. However, I still have 172.16.0 (DMZ, where the mail server is) in /home/vpopmail/etc/tcp.smtp. Now it works, but I would sleep better if I understood how vpopmail uses the two files /etc/tcp.smtp and /home/vpopmail/etc/tcp.smtp. I mistakenly thought that /home/vpopmail/etc/tcp.smtp overroled /etc/tcp.smtp, but apparently it doesn't. I woluld be thankful if somebody in the know would care to explain how the two files are related. Best regards.
Re: [vchkpw] How can I have my mail server checked whether helo address of sender mail servers has fully-qualified domain name or not ?
Why would you want to? First look at the RFC822 statement below.Also look at though, RFC 1123, stating:" The HELO receiver MAY verify that the HELO parameter really corresponds to the IP address of the sender. However, the receiver MUST NOT refuse to accept a message, even if the sender's HELO command fails verification."I get a mix of valid and invalid HELOs, as well as many mail clients, such as outlook/thunderbird/etc just sending the Windows computer name.- This command is used to identify the sender-SMTP to thereceiver-SMTP. The argument field contains the host name ofthe sender-SMTP.The receiver-SMTP identifies itself to the sender-SMTP inthe connection greeting reply, and in the response to thiscommand.This command and an OK reply to it confirm that both thesender-SMTP and the receiver-SMTP are in the initial state,that is, there is no transaction in progress and all statetables and buffers are cleared.--M Bulent Guclu <[EMAIL PROTECTED]> wrote: Hello I use vpopmail5.4 I want my qmail-server to check whether helo address of sender smtp servers who send mails to my mail server is fully-qualified domain name or not. How can I do that as tcp.smtp file or qmail-smtpd file other method? Thanks
Re: [vchkpw] weird, disturbing error
Paul Theodoropoulos <[EMAIL PROTECTED]> wrote:pass theirpass-ERR aack, child crashedurk. so, on a hunch, on the new server i ran 'vpasswd theirpass' - exact same password. and after doing that, it worked fine.cd ~vpopmail/domainsrm ~vpopmail/domains/*/vpasswd.cdbfor i in `ls -ld *`; do echo $i; vmoduser -x [EMAIL PROTECTED]doneMaybe something with your CDB files is a bit strange, but it sounds like a rebuild did the trick. So rebuild away. If the cdb files don't exist, it'll do it from the text file. Note that the time between removing the cdb files and creating them who knows what'd happen to mail, so down the smtp server first.-M
Re: [vchkpw] weird, disturbing error
I'd be hesitant to rsync /usr/lib if it's ba enough to cause crashing errors like that. I'd be more interested in seeing you configure/recompile vpopmail with the existing headers/libraries in order to fix your problem rather than change your system and everything that depends on it.-MPaul Theodoropoulos <[EMAIL PROTECTED]> wrote: At 12:19 PM 8/4/2006, Paul Theodoropoulos wrote:>At 11:59 AM 8/4/2006, you wrote:>>i knew i would leave out critical information - darnit.i'm using mysql auth backend. so cdb files aren't used.>>i'm wonder though now - i merely rsynced the mysql heirarchy over to >the new server. perhaps doing a mysqldump and restore is what's called for.found the problem. there were some very small differences in the libraries between the two servers (likely due to the new server being a brand new install of solaris 9, while the 'old' server is merely at a recent solaris patch release of 9).i rsynced /usr/lib, and all is well now. likely something specifically to do with the md5 hash libraries.whew!Paul Theodoropouloshttp://www.anastrophe.com
[vchkpw] Simscan 'trap' addresses
Recently I've moved from adding some spammed addresses into badmailto, but am realizing that's a bit of a waste, as these same users usually turn around and Spam the recipients that are accepted.This got me thinking- doing a bit of this at the SMTP level and including the Spam scanner could be a neat idea.Picture this: 1. mail comes in matching a CDB file of recipients (regex of course to allow for some patterns with asterisks in the middle or so on) 2. Simscan identifies one of the one or many recipeints to be a Spamtrap e-mail address, and now knows this mail is likely Spam. 3. Simscan calls sa-learn with a high probabiliy (of course as simscan, which saves any permissions issues)... so sa-learn --spam (either -L or non--- non-locally may be nice since it is a Spam trap) 4. Simscan rejects the mail with a big 'piss off' style message... of course turned to something more standard- a 5xx response with a 'service unavailable' or something undescriptive.With the amount of mail I see going to [EMAIL PROTECTED], [EMAIL PROTECTED], etc that gets CCd to me, that'd be nice.Or maybe if folks worry about doing that, we could just store it in a maildir, but I'd say a trap hit is pretty good to mark as Spam, and not deliver to any of the other recipeints.Thoughts? Seems like an easy one to implement and a really good one to have.-M
Re: [vchkpw] Rethinking qmail : was Re: [vchkpw] how use chkuser on "dmz"
Look at QMAIL-SPP ( http://qmail-spp.sourceforge.net/ ). It provides a plugin for vpopmail and gets away from this patching situation. The idea is great, the implementation is good. A mix of this and the existing patches you may have is probably the best way to go. In the end, you make a perl script or something on the RCPT command that: a. matches a line with the domain of the RCPT command in the smtproutes file (making sure it has access to read it) b. if it exists, then opens a socket connection and begins connecting c. returns an accept, reject, or defer based on the output of the program- also possibly adds headers accordingly. The plugin infrastrucutre is really key. It's not as fast due to performance hits of launching these plugins, but it still makes it faster than many applications. It makes adding plugins as easy as adding a line to the text file. Think about even just a sleep() command in a shell file could be easily implemented. qmail has been around for a long time and hence has series of feature additions upon feature additions. But remember, these patches aren't fixing problems with qmail. There are very few actual PROBLEMS with qmail, and they're relatively minor and things that softlimit and equivalent fix. People add patches because they want features. Because there is no active development by the creator these have to be added themselves. You add the features you want in your qmail installation. Others have differing opinions as to what should be added. If you want to manipulate simple perl/shell/C scripts to SMTP conversations, install qmail-spp. Qmail doesn't have a need to change. It's still doing the task it was intended to very well. If another product suits your needs better, by all means go to it, but that doesn't mean qmail is bad. Also, patches allow you to add those features that others have wanted. In the old days, you had to program them yourself :) -M - Original Message From: tonix (Antonio Nati) <[EMAIL PROTECTED]> To: vchkpw@inter7.com Sent: Thursday, January 11, 2007 6:31:40 AM Subject: [vchkpw] Rethinking qmail : was Re: [vchkpw] how use chkuser on "dmz" I'm thinking to extend chkuser, and add an smtp fake delivery for checking recipients existance on end systems (i.e. when domains are external and use me as proxy SMTP). But I'm really tired to fight with qmail. Bernstein programming is accademic and heavy to use, license is criminal. Programming with patches over patches is painful. There is no fun to put new features on this old and overextimated product. You have to run several chained programs just to make an SMTP acceptance... I feel is time to migrate to another product, or is there anyone available to start a new project, that should rewrite a little by little qmail, and free all of us from this criminal license? Project should start with a "programmed way" to add new features and patch, then making a decent "configure", then starting to write new libraries and then substituting the old code, until we have a free mail system. Of course vpopmail would be a library integrated in this new product. I have thrown the first stone. Tonino At 00.25 11/01/2007, you wrote: >Hello all, > >I have this setup : mail coming to relay server located in DMZ, and >this server is relaying x domains to internal LAN mail server. >Im receiving lot of unwanted mails for nonexistent addresses. > >Ho I can handle it ? Chkuser is working fine when are domains on >server, but how I can "check" user existency on remote server ? >FYI: rsync of passwd.cdb is ok, but how check against aliases ? > >Please, I need some pointing where to look at. i fit is possible done >by chkuser or another way (qmail-ldap) > >Thank you > >Peter M.
Re: [vchkpw] which files truly determine "relay" into a qmail server
locals: Domains that the server should deliver as local rather than sending off to other people. When you send mail to your own domain, it knows to not deliver it to the MX of that domain by its presence in the locals file rcpthosts / morercpthosts: Domains that the SMTP daemon should receive mail for (allow) without the presence of RELAYCLIENT as set in tcp.smtp or by SMTP authentication. Domains in here will always be accepted, and domains not in here will be rejected unless relaying is allowed. morercpthosts is just a continuation, with your most popular domains to be in rcpthosts, just for speed of lookup. In modern fast systems, it doesn't matter. virtualdomains: A list of the prepended strings by domains, allowing the system to prepend an identifier based on the domain in question. This converts [EMAIL PROTECTED] to [EMAIL PROTECTED] for later processing. smtproutes: A list of domains and their artificial MX server to send mail to. Domains in here should also be in rcpthosts, but not treated as local. Use this if you are delivering mail to another MX for select domains, or if you have a smarthost. For domains that your mail server will accept mail from the Internet, see `cat rcpthosts morercpthosts`. -M - Original Message From: Dave Richardson <[EMAIL PROTECTED]> To: vchkpw@inter7.com Sent: Thursday, January 18, 2007 10:39:27 AM Subject: [vchkpw] which files truly determine "relay" into a qmail server I've been asked to admin an old, jumbled install of qmail/vpopmail (many are local users, many are vpopmail users with .cdb). I'm having a brain cramp because the install has domains splattered all over the following files: /var/qmail/control: locals rctphosts morercpthosts virtualdomains My exercise is to identify ONLY those domains that the server will actually accept delivery for from the Internet so that we can start pruning away the domains that seems to be lingering with no customers/accounts/purpose/etc. My intention/belief was that ONLY 'rcpthosts' and 'morerctphosts' govern which domains the server will accept delivery/relay for from the outside. Thus, I felt that if I built a master list from these two files, any other domains I might find are automatically "unused". However this install has a number of domains that are aliases in the 'locals' file to a single local account and the domains only seem to appear in 'locals'. Does 'locals' (or 'virtualdomains') in any way influence the relay decision to accept incoming mail? Or am I right that ONLY 'rcpthosts' and 'morercpthosts' define the permitted domains. Sorry for the long explanation, validation/help is much appreciated! Dave.
Re: [vchkpw] which files truly determine "relay" into a qmail server
Q: ONLY the content of the 'rcpthosts' and 'morercpthosts' (and any special cases in tcp.smtp) defines which domains' incoming mail will be accepted by SMTPd. True or False? FALSE: The contents of rcpthosts and morercpthosts define which domains mail is accepted by SMTP for [that part is right] however this is ONLY IF RELAYCLIENT is not set. If relayclient is set, either by smtp authentication patch,, via the tcp.smtp file, or the environment of tcpserver, this file is completely ignored and everything is accepted. If your 'special cases in tcp.smtp' meant that, then my answer is true. Q: Domains that appear in 'locals' or 'virtualdomains' (for presumed delivery on the local box) but DO NOT appear in rcpthosts/morercpthosts/tcp.smtp (and have no smtphosts controls) CANNOT receive mail directly under normal circumstances. True or False? FALSE: rcpthosts/morercpthosts is a qmail-smtp file. locals/virtualdomains is for qmail-send. The sendmail program wrapper, qmail-inject, and qmail-queue, also allow mail into the queue (through local means) and will use these files to direct them mail once it is in the queue. If your server doesn't use sendmail wrapper/qmail-queue/qmail-inject [such as for cron, local web server, local users], and never uses forwards as described in the next sentence, then smtp is the only entry point. Another entry point is dot-qmail files and other settings that may forward mail once it is in the queue, injecting a new message. While qmail-smtp may not accept mail for the destination of a forward, a forward will re-enter the queue since it's not going through qmail-smtpd, and the virtualhosts and locals files will be used to direct the mail. In summary, domains that appear in local/virtualdomains but do not appear in rcpthosts/etc have a VERY high probability of being misconfigured - with a likely root cause of improper/incomplete deletion of a domain from the system. True or False? (speculative answer, I understand) FALSE: Assuming of course these weren't added manually, configuration settings for alias domains weren't lost in an upgrade or something weird like that, these domains are unlikely to cause many problems ... --- unless they are domains you actually send mail to --- ... That being the key. If hotmail.com is in the locals file, you won't be able to get mail to hotmail at all, as it will treat it as local. Remember, some things are added to rcpthosts depending on the value used in the config of qmail itself (the final command you run to set up the control files with qmail). If you added something strange there, or if it auto-detected something that could be incorrect or misconfigured, then you will likely have some extra things around. The best practice is to clean up the control files and /var/qmail/users/assign to reflect your configuration in any case. In general, I don't see why you're asking if it's a problem, rather than just fixing your control files anyway? -M
