[vchkpw] qmail send service is not running
Dear all, My qmail send service is no trunning. Help!!! Manish Jain(Network Administrator)C-DAC "Anusandhan Bhawan"C-56/1, Sector-62, Noida- 210307Ph: 91 120 2402551-60 (Extn.- 718) 91 120 2402563 (Direct) [EMAIL PROTECTED]
Re: [vchkpw] vdelivermail strangeness over nfs
On 4/12/05, Tom Collins [EMAIL PROTECTED] wrote: On Apr 12, 2005, at 6:59 AM, John Chess wrote: Running lsof on the nfs mount, it looks like vdelivermail is walking the entire user directory tree on the nfs server. After sending a test mail to [EMAIL PROTECTED], an lsof shows: You probably have domain quotas enabled, and it's checking usage. If you're not using domain quotas (AFAIK, they don't work), then recompile vpopmail with that feature disabled. Make sure both servers are set in the same time zone with clocks relatively in sync. It could be that one thinks the maildirsize file is old and should be updated. That's exactly what the problem was- ntpd had died on that box, and the clock drifted enough to confuse it. Thank you for your help! I misspoke when I said that vdelivermail was walking the entire user directory. What I meant to say is that it was walking the entire _domain_ directory, looking in each user's directory. I'm still puzzled by this. Do you think domain quotas are causing this? JC
Re: [vchkpw] qmail send service is not running
My suggestion would be to run it. You may find that after you run it, it is running. If that fails, please provide slightly more information about your problem, my psychic powers must be dwindling. :) Jonathan. Dear all, My qmail send service is no trunning. Help!!! Manish Jain (Network Administrator) C-DAC Anusandhan Bhawan C-56/1, Sector-62, Noida- 210307 Ph: 91 120 2402551-60 (Extn.- 718) 91 120 2402563 (Direct) [EMAIL PROTECTED]
[vchkpw] schemacheck
i'm recently using vpomail with ldap... i would like to know why must i have to use schemacheck off in slapd.conf
Re: [vchkpw] qmail send service is not running
have you started it ever ? :-)) - Original Message - From: Manish Jain To: vchkpw@inter7.com Sent: Wednesday, April 13, 2005 10:32 AM Subject: [vchkpw] qmail send service is not running Dear all, My qmail send service is no trunning. Help!!! Manish Jain(Network Administrator)C-DAC "Anusandhan Bhawan"C-56/1, Sector-62, Noida- 210307Ph: 91 120 2402551-60 (Extn.- 718) 91 120 2402563 (Direct) [EMAIL PROTECTED]
[vchkpw] How I can deny smtp request from a known IP address
I am facing aproblem that from an IP address SPAM is coming to my qmail server. How I can deny smtp request from a known IP address. Please HELP!!! Manish Jain(Network Administrator)C-DAC "Anusandhan Bhawan"C-56/1, Sector-62, Noida- 210307Ph: 91 120 2402551-60 (Extn.- 718) 91 120 2402563 (Direct) Blank Bkgrd.gif
Re: [vchkpw] How I can deny smtp request from a known IP address
Title: Blank Add a line like ip:deny in your tcp.smtp file and rebuild it. Stoyan On Wed, 2005-04-13 at 15:08, Manish Jain wrote: I am facing aproblem that from an IP address SPAM is coming to my qmail server. How I can deny smtp request from a known IP address. Please HELP!!! Manish Jain (Network Administrator) C-DAC Anusandhan Bhawan C-56/1, Sector-62, Noida- 210307 Ph: 91 120 2402551-60 (Extn.- 718) 91 120 2402563 (Direct) Blank Bkgrd.gif signature.asc Description: This is a digitally signed message part
Re: [vchkpw] How I can deny smtp request from a known IP address
Hi! Urgent, huh? :-) I suppose the fastest way is by blocking it with pf, ipf, ipfw, iptables, ... (depending on the platform you are using) Greets, Bernd On Wed, 2005-04-13 at 17:38 +0530, Manish Jain wrote: I am facing aproblem that from an IP address SPAM is coming to my qmail server. How I can deny smtp request from a known IP address. Please HELP!!! Manish Jain (Network Administrator) C-DAC Anusandhan Bhawan C-56/1, Sector-62, Noida- 210307 Ph: 91 120 2402551-60 (Extn.- 718) 91 120 2402563 (Direct)
Re: [vchkpw] How I can deny smtp request from a known IP address
Ok, this might be even faster ;-) Greets, Bernd On Wed, 2005-04-13 at 15:13 +0300, Stoyan Marinov wrote: Add a line like ip:deny in your tcp.smtp file and rebuild it. Stoyan On Wed, 2005-04-13 at 15:08, Manish Jain wrote: I am facing aproblem that from an IP address SPAM is coming to my qmail server. How I can deny smtp request from a known IP address. Please HELP!!! Manish Jain (Network Administrator) C-DAC Anusandhan Bhawan C-56/1, Sector-62, Noida- 210307 Ph: 91 120 2402551-60 (Extn.- 718) 91 120 2402563 (Direct)
Re: [vchkpw] vdelivermail strangeness over nfs
On Apr 13, 2005, at 4:41 AM, John Chess wrote: I misspoke when I said that vdelivermail was walking the entire user directory. What I meant to say is that it was walking the entire _domain_ directory, looking in each user's directory. I'm still puzzled by this. Do you think domain quotas are causing this? I know domain quotas are causing that. Turn them off. -- Tom Collins - [EMAIL PROTECTED] QmailAdmin: http://qmailadmin.sf.net/ Vpopmail: http://vpopmail.sf.net/ You don't need a laptop to troubleshoot high-speed Internet: sniffter.com -- Tom Collins - [EMAIL PROTECTED] QmailAdmin: http://qmailadmin.sf.net/ Vpopmail: http://vpopmail.sf.net/ You don't need a laptop to troubleshoot high-speed Internet: sniffter.com
Re: [vchkpw] How I can deny smtp request from a known IP address
if it is a massive spam, better filter it out with packet filter - iptables, ipchains pf etc, it depends from the OS you're using. the fastest possible (the command is under linux) way to effective block is with route route add -host 1.1.1.1 gw 127.0.0.1 the line in tcp.smtp (and rebuild with qmailctl cdb) also works, but is not as effective as packet filtering - if your server is having a considerable load just to deny the conenctions. i've been in such trouble - there are guys which are trying to send to womehting like a wordlist of names, one connection per [EMAIL PROTECTED], and the server was about 3 times heavier load than usual - the guy(gal? gay?) was quite fast. wwell edi Bernd wrote: Ok, this might be even faster ;-) Greets, Bernd On Wed, 2005-04-13 at 15:13 +0300, Stoyan Marinov wrote: Add a line like ip:deny in your tcp.smtp file and rebuild it. Stoyan On Wed, 2005-04-13 at 15:08, Manish Jain wrote: I am facing aproblem that from an IP address SPAM is coming to my qmail server. How I can deny smtp request from a known IP address. Please HELP!!! Manish Jain (Network Administrator) C-DAC Anusandhan Bhawan C-56/1, Sector-62, Noida- 210307 Ph: 91 120 2402551-60 (Extn.- 718) 91 120 2402563 (Direct)
Re: [vchkpw] How I can deny smtp request from a known IP address
It's also a solution, but this way the connections will be accepted by the tcpserver and a qmail-smtpd process will be started. I wouldn't do it this way. Stoyan On Wed, 2005-04-13 at 15:48, Boris Pavlov wrote: if it is a massive spam, better filter it out with packet filter - iptables, ipchains pf etc, it depends from the OS you're using. the fastest possible (the command is under linux) way to effective block is with route route add -host 1.1.1.1 gw 127.0.0.1 the line in tcp.smtp (and rebuild with qmailctl cdb) also works, but is not as effective as packet filtering - if your server is having a considerable load just to deny the conenctions. i've been in such trouble - there are guys which are trying to send to womehting like a wordlist of names, one connection per [EMAIL PROTECTED], and the server was about 3 times heavier load than usual - the guy(gal? gay?) was quite fast. wwell edi Bernd wrote: Ok, this might be even faster ;-) Greets, Bernd On Wed, 2005-04-13 at 15:13 +0300, Stoyan Marinov wrote: Add a line like ip:deny in your tcp.smtp file and rebuild it. Stoyan On Wed, 2005-04-13 at 15:08, Manish Jain wrote: I am facing aproblem that from an IP address SPAM is coming to my qmail server. How I can deny smtp request from a known IP address. Please HELP!!! Manish Jain (Network Administrator) C-DAC Anusandhan Bhawan C-56/1, Sector-62, Noida- 210307 Ph: 91 120 2402551-60 (Extn.- 718) 91 120 2402563 (Direct) signature.asc Description: This is a digitally signed message part
Re: [vchkpw] Upgrading from qmail to qmail+vpopmail.
Aran Clary Deltac wrote: Hi all - I've just joined the vpopmail list because of a pressing issue and I need some guidance. I've been running a dedicated gentoo server for about a year now. All e-mail has been handled by qmail and delivered to local user accounts. I have the possibility of hosting a client that requires 10k+ e-mail accounts. I really don't want to make system accoutns for each e-mail account, so I found vpopmail. I just want to make sure I am not doing something dumb. Here's the configure I am useing: (vpopmail 5.4.10) ./configure --enable-roaming-users --enable-auth-module=mysql --enable-sql-logging --enable-mysql-limits --enable-valias --enable-many-domains --enable-domainquotas I enabled all these extra ones because most of them seemed like interesting features that I _might_ want at some point. I believe domain quotas are broken, I would personally not run sql-logging, you don't need it and it will tax SQL on a busy server. With 10k users doing mysql auth your SQL server will be busy enough. Running 'make' looks good. Now, I have no clue if running 'make install-strip' will blow up my current production qmail. I'd like to install vpopmail and migrate my settings to it without loosing mail in the process. Until you use vpopmail/bin/* to add users vpopmail will have no effect on your server setup. Until you add vdelivermail into your .qmail-default file, vpopmail will have no effect on your delivery. Your only hitch here (from my experience, YMMV) is popping. You will want to have two pop servers running as you slowly migrate since the auth mechanisim will be different between a pure qmail and a vpopmail server. If you migrate overnight, one big migration, you can avoid this. That was the approach I took. Since you have few users now, and will have 10k later, I would opt for the one sweeping migration. DAve
Re: [vchkpw] How I can deny smtp request from a known IP address
BlankI am facing aproblem that from an IP address SPAM is coming to my qmail server. How I can deny smtp request from a known IP address. Manish, this is really off-topic and doesn't have much to do with vpopmail. In any case, check out the -x switch to tcpserver. Aran Please HELP!!! Manish Jain (Network Administrator) C-DAC Anusandhan Bhawan C-56/1, Sector-62, Noida- 210307 Ph: 91 120 2402551-60 (Extn.- 718) 91 120 2402563 (Direct)
Re: [vchkpw] How I can deny smtp request from a known IP address
yep, the best is to drop silently the packets from the offending host, causing timeouts to the attacker, with a packet filter. still, iptables or pf are not an option sometimes. Stoyan Marinov wrote: OK, you're right. It really doesn't start a qmail-smtpd process. Anyway I don't like it and I won't use it. Stoyan On Wed, 2005-04-13 at 16:18, Boris Pavlov wrote: /do not be so sure - it will not permit a tcp conversation;).and it is easier to use, and, besides, (almost) all of the unixes have route or similar, which is not the case with packet filters. quickdirty, but works fine, works with anything (even with water) - for me. tested. wwell edi Stoyan Marinov wrote: / [cut]
Re: [vchkpw] Upgrading from qmail to qmail+vpopmail.
On Apr 13, 2005, at 9:26 AM, DAve wrote: Your only hitch here (from my experience, YMMV) is popping. You will want to have two pop servers running as you slowly migrate since the auth mechanisim will be different between a pure qmail and a vpopmail server. Not true. I'm pretty sure that if you run qmail-pop3d as root, vchkpw can authenticate system users as well as virtual ones. Look at the --enable-system-user (or some similar wording) option on the vpopmail build. -- Tom Collins - [EMAIL PROTECTED] QmailAdmin: http://qmailadmin.sf.net/ Vpopmail: http://vpopmail.sf.net/ You don't need a laptop to troubleshoot high-speed Internet: sniffter.com
[vchkpw] SMTP Abuse
Hi, Today I start to get something like that in my qmail-smtpd log: @4000425d5b4710447784 CHKUSER rejected rcpt: from :: remote mailstep.com: unknown:128.241.88.105 rcpt [EMAIL PROTECTED] : not existing recipient @4000425d5b47106c75cc tcpserver: status: 3/20 @4000425d5ba019eb855c CHKUSER rejected rcpt: from :: remote mail.7cv.com: unknown:221.122.46.226 rcpt [EMAIL PROTECTED] : not existing recipient It's clear that someone are trying to use my server to send SPAM. Thanks to CHKUSER to block this attempts. So, It's drive me crazy cause I can't figure how it happen. In a desperate attempt to stop this I simple block a few hundreds of IPs in tcp.smtp file, but it's not a solution. My log now got this: @4000425d5b3300cf1994 tcpserver: end 24918 status 25600 @4000425d5b3300cf6b9c tcpserver: status: 2/20 @4000425d5b331f231f6c tcpserver: status: 3/20 @4000425d5b331f2336dc tcpserver: pid 24920 from 66.160.106.130 @4000425d5b331f234294 tcpserver: deny 24920 0:x.x.x.x:25 :66.160.106.13 0::32301 And I know that the IP's used can change... I think that somebody with some user password for smtp is making this, but I can't determine from where or which account he is using. I have no logs for smpt-auth user success or failed... Please, somebody could give me some light to stop that? Cheers, -- Walter.
Re: [vchkpw] SMTP Abuse
On Wednesday 13 April 2005 1:01 pm, you wrote: Hi, Today I start to get something like that in my qmail-smtpd log: snip And I know that the IP's used can change... I think that somebody with some user password for smtp is making this, but I can't determine from where or which account he is using. I have no logs for smpt-auth user success or failed... Please, somebody could give me some light to stop that? You probably are receiving a dictionary scan from infected PC's. Be sure to use rblsmtpd against one or more of the good rbl sites. Another thing you can do is scan for frequent IP's to bad users in the smtp log files and build new tcp.smtp deny lines. Ken Jones
Re: [vchkpw] SMTP Abuse
Ken, Thanks for your help. You probably are receiving a dictionary scan from infected PC's. Be sure to use rblsmtpd against one or more of the good rbl sites. I have tried this before write here. So maybe too much rbl's, look: #!/bin/sh QMAILDUID=`id -u vpopmail` NOFILESGID=`id -g vpopmail` MAXSMTPD=`cat /var/qmail/control/concurrencyincoming` exec /usr/local/bin/softlimit -m 1000 \ /usr/local/bin/tcpserver \ -v -H -R -l 0 \ -x /etc/tcprules/tcp.smtp.cdb -c $MAXSMTPD \ -u $QMAILDUID -g $NOFILESGID 0 smtp \ /usr/local/bin/rblsmtpd -b -C \ -r list.dsbl.org:Your mail server is listed in DSBL list. \ -r bl.spamcop.net:Your mail server is listed in Spamcop blocklist. \ -r relays.ordb.org:Your mail server is an OPEN RELAY (ORDB list). \ -r sbl.spamhaus.org:Your mail server is listed in SBL-Spamhaus. \ -r blackholes.mail-abuse.org: See http://www.mail-abuse.com/enduserinfo.html \ -r dialups.mail-abuse.org: See http://www.mail-abuse.com/enduserinfo.html \ -t 5 \ /var/qmail/bin/qmail-smtpd \ /var/vpopmail/bin/vchkpw /bin/true 21 Another thing you can do is scan for frequent IP's to bad users in the smtp log files and build new tcp.smtp deny lines. Yes. That what I'm doing: 4.:deny 12.:deny 130-159.:deny 80-89.:deny and so on... But there is a way to determine if the spammer are using an account on my server, with password, to do that? So I can change the password and block him. Thanks, -- Walter.
Re: [vchkpw] SMTP Abuse
If remote user is sending using an authenticated SMTP session, you would find his name within chkuser logging. Probably, as Ken is saying, are simply some viruses trying to guess recipients on your MX hosted domains. Tonino At 19.24 13/04/2005, you wrote: Ken, Thanks for your help. You probably are receiving a dictionary scan from infected PC's. Be sure to use rblsmtpd against one or more of the good rbl sites. I have tried this before write here. So maybe too much rbl's, look: #!/bin/sh QMAILDUID=`id -u vpopmail` NOFILESGID=`id -g vpopmail` MAXSMTPD=`cat /var/qmail/control/concurrencyincoming` exec /usr/local/bin/softlimit -m 1000 \ /usr/local/bin/tcpserver \ -v -H -R -l 0 \ -x /etc/tcprules/tcp.smtp.cdb -c $MAXSMTPD \ -u $QMAILDUID -g $NOFILESGID 0 smtp \ /usr/local/bin/rblsmtpd -b -C \ -r list.dsbl.org:Your mail server is listed in DSBL list. \ -r bl.spamcop.net:Your mail server is listed in Spamcop blocklist. \ -r relays.ordb.org:Your mail server is an OPEN RELAY (ORDB list). \ -r sbl.spamhaus.org:Your mail server is listed in SBL-Spamhaus. \ -r blackholes.mail-abuse.org: See http://www.mail-abuse.com/enduserinfo.html \ -r dialups.mail-abuse.org: See http://www.mail-abuse.com/enduserinfo.html \ -t 5 \ /var/qmail/bin/qmail-smtpd \ /var/vpopmail/bin/vchkpw /bin/true 21 Another thing you can do is scan for frequent IP's to bad users in the smtp log files and build new tcp.smtp deny lines. Yes. That what I'm doing: 4.:deny 12.:deny 130-159.:deny 80-89.:deny and so on... But there is a way to determine if the spammer are using an account on my server, with password, to do that? So I can change the password and block him. Thanks, -- Walter.
Re: [vchkpw] SMTP Abuse
Hi Tonix, If remote user is sending using an authenticated SMTP session, you would find his name within chkuser logging. I setup this server using Shupp toaster. I don't know where chkuser are logging this information. Please, can you point me to the right direction? Anyway I'll go to re-read chkuser docs. I did that when I setup the toaster a few months ago. Probably, as Ken is saying, are simply some viruses trying to guess recipients on your MX hosted domains. Probably. But I getting this attack form several diferent IP's like: 82.148.41.149 202.56.230.13 62.210.190.2 67.104.181.51 205.211.164.226 131.211.194.57 and so many others... Multilog is rotating 1 Mb logs in a few minutes, but I get them all blocked. Thanks, -- Walter Souto R. Junior Bayweb Internet Consulting Tel/Fax: +55 (21) 2226-3625 Celular: +55 (21) 9323-7283
Re: [vchkpw] SMTP Abuse
Hi Tonix, If remote user is sending using an authenticated SMTP session, you would find his name within chkuser logging. Look at these entries from my smtpd log: @4000425d6a992de7abbc.s:@4000425d6a2c106b451c CHKUSER rejected rcpt: from :: remote fusion.fast-servers.net:unknown:72.9.240.14 rcpt [EMAIL PROTECTED] : not existing recipient @4000425d6a992de7abbc.s:@4000425d6a250b7faffc CHKUSER rejected rcpt: from :: remote mx03.scottish-southern.co.uk:unknown:161.12.6.161 rcpt [EMAIL PROTECTED] : not existing recipient rcpt: from :: have no user name. Is that the right place for this information. What I'm missing? Thanks, -- Walter.
Re: [vchkpw] SMTP Abuse
Walter Souto R. Junior wrote: Hi Tonix, If remote user is sending using an authenticated SMTP session, you would find his name within chkuser logging. Look at these entries from my smtpd log: @4000425d6a992de7abbc.s:@4000425d6a2c106b451c CHKUSER rejected rcpt: from :: remote fusion.fast-servers.net:unknown:72.9.240.14 rcpt [EMAIL PROTECTED] : not existing recipient @4000425d6a992de7abbc.s:@4000425d6a250b7faffc CHKUSER rejected rcpt: from :: remote mx03.scottish-southern.co.uk:unknown:161.12.6.161 rcpt [EMAIL PROTECTED] : not existing recipient rcpt: from :: have no user name. Is that the right place for this information. What I'm missing? Hi, Looks to me like someone used your domain(s) as the From address when sending out spam, those messages bounced to who ever the sent them to and now they are being returned (falsely, but what are you going to do about faked From addresses). Happens to us every so often as well, usually keeps up for about 12 hours on our servers, then slows down and stops. Happened Sunday night to us actually. Regards, Rick
