Re: [vchkpw] chkuser wrongly accept emails for default@
Sorry to take so long to put in my comments on this thread...

tonix (Antonio Nati) wrote:
> Anyway, I'm planning to add an option excluding any acceptance for default user (I'm thinking this since two years, but I've forgot to do until now). This has nothing to do with the bounce string.

Well, I don't think it should be an option. Vpopmail requires the file .qmail-default to exist, and uses it for its own purposes. You can't have a 'default' user or alias on a vpopmail system. I considered changing the operation of valias_select to ignore the .qmail_default file, but found that vpopmail (and very likely qmailadmin) already use it to retrieve data from .qmail_default. I suggest chkuser should always ignore the .qmail_default file.

> I don't see any reason to check for the content of alias, looking for a bouncing string. Apart .qmail-default, I don't see a reason why a .qmail-ALIAS should contain a bouncing string.

I'm not quite sure I understand how this follows along with the next sentence. One thought... If a .qmail file contains a bouncesaying command then you need to accept that message and let the bounce get sent. If the administrator doesn't want to send bounces they shouldn't be using bouncesaying.

> Instead, we should find a standard notation to identify a custom reject string for a single user. Something that can be put inside .qmail-ALIAS or inside user's .qmail-default. If such a notation is identified, rcpt is rejected with this message.

Remember valias_select, which chkuser uses to see if there is an alias returns the first database entry, or the first line of the .qmail-ALIAS file. There is very little extra cost to using a comment in the database or .qmail-ALIAS file. For example: .qmail-closed-account might contain:

    # chkuser reject 550 go away spammer!

Qmail / vdelivermail will simply ignore the comment. Chkuser, can read the first line of the alias and take action based on its contents. I suggest you first look for the string 'chkuser'. If that is found the rest of the line is a command for chkuser. If the first word after the comment marker is not chkuser then the mail is accepted by the alias. You are welcome to read the entire alias if the first line indicates a need. It must be valid if executed by qmail or vdelivermail, so every line you use may need to be a qmail comment.

Stephane Bouvard (ML) wrote:
> Anyway, for me, if a .qmail-xyz specify bounce-no-mailbox for any reason, i do not see why chkuser should accept the mail and let qmail bounce it as it's easy to avoid... it's an opengate for spammers.

I strongly disagree. If the system administrator puts bouncesaying in a .qmail file you must assume they want to send a bounce message.

Thanks,
Rick
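Rick's first-line comment notation, sketched as a parser (an added example, not code from chkuser or vpopmail). The function name, the fall-back to accepting on a malformed directive, the 4xx/5xx restriction and the sanitising of the reply text are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

struct alias_verdict {
    int  reject;      /* 1 = refuse the RCPT, 0 = alias accepts the mail */
    int  code;        /* SMTP reply code, set only when reject == 1 */
    char text[96];    /* reply text, sanitised to one printable line */
};

/* If kw plus at least one blank starts at p, return the position after it. */
static const char *take_word(const char *p, const char *kw)
{
    size_t n = strlen(kw);
    if (strncmp(p, kw, n) != 0 || (p[n] != ' ' && p[n] != '\t'))
        return NULL;
    return p + n + strspn(p + n, " \t");
}

/* Hypothetical helper: verdict from the first line of a .qmail-ALIAS file. */
struct alias_verdict chkuser_alias_verdict(const char *line)
{
    struct alias_verdict v = { 0, 0, "" };
    const char *p;
    size_t i = 0;
    if (line[0] != '#') return v;            /* not a qmail comment */
    p = take_word(line + 1 + strspn(line + 1, " \t"), "chkuser");
    if (p) p = take_word(p, "reject");
    /* Assumption: anything but a well-formed 4xx/5xx reject means accept. */
    if (!p || (p[0] != '4' && p[0] != '5') || !isdigit((unsigned char)p[1]) ||
        !isdigit((unsigned char)p[2]) || (p[3] != ' ' && p[3] != '\t'))
        return v;
    v.code = (p[0] - '0') * 100 + (p[1] - '0') * 10 + (p[2] - '0');
    p += 3 + strspn(p + 3, " \t");
    /* Stop at end of line; other control bytes become '?' in the SMTP reply. */
    for (; *p && *p != '\n' && *p != '\r' && i < sizeof v.text - 1; p++)
        v.text[i++] = isprint((unsigned char)*p) ? *p : '?';
    v.text[i] = '\0';
    v.reject = 1;
    return v;
}

int main(void)
{
    /* Constructed sample: the alias line from the message above. */
    struct alias_verdict v = chkuser_alias_verdict("# chkuser reject 550 go away spammer!\n");
    printf("%s %d %s\n", v.reject ? "reject" : "accept", v.code, v.text);
    return 0;
}
```

Because the directive is a `#` comment, the same file stays valid when qmail or vdelivermail executes it, which is the property the message asks for.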
[vchkpw] SMTP_VRFY supported?
Hello, I'm trying to use a mail filter appliance with a qmail/vpopmail (gentoo) install and am running into an issue with the filter generating excessive email accounts due to the way qmail handles invalid email addresses. I'm familiar with the chkuser 2 patch and have tried it with little success. I am using TLS on my system and the chkuser patch works exactly one time then begins rejecting even valid addresses. The vendor that makes the filter suggested using SMTP_VRFY but I'm unable to find a way to implement this in qmail/vpopmail. Can anyone here point me in the right direction?

Thanks,
Matt Kane [EMAIL PROTECTED]
Re: [vchkpw] SMTP_VRFY supported?
> Hello, I'm trying to use a mail filter appliance with a qmail/vpopmail (gentoo) install and am running into an issue with the filter generating excessive email accounts due to the way qmail handles invalid email addresses. I'm familiar with the chkuser 2 patch and have tried it with little success. I am using TLS on my system and the chkuser patch works exactly one time then begins rejecting even valid addresses. The vendor that makes the filter suggested using SMTP_VRFY but I'm unable to find a way to implement this in qmail/vpopmail. Can anyone here point me in the right direction?

Sounds like there's something funky going on with the chkuser patch for you - do you have the same problem when not using TLS? I'm not a chkuser expert, but have you double-checked your chkuser settings?

Qmail implements SMTP_VRFY, but it doesn't actually do anything. DJB (rightly, IMHO) decided that it didn't make sense to let people constantly hammer your system with VRFY commands to determine who was or wasn't a valid user, and so (per the RFC) qmail's VRFY implementation responds with a message that indicates a non-answer (252 send some mail, i'll try my best) and doesn't actually indicate whether the address is valid or not. Chkuser can result in giving the same information, as it will reject non-valid users, but this at least forces spammers to try to send mail, and get rejections (and possibly dropped altogether) rather than just scanning a qmail SMTP server...

Josh
--
Joshua Megerman
SJGames MIB #5273 - OGRE AI Testing Division
You can't win; You can't break even; You can't even quit the game. - Layman's translation of the Laws of Thermodynamics
[EMAIL PROTECTED]
Re: [vchkpw] SMTP_VRFY supported?
> Quoting Joshua Megerman [EMAIL PROTECTED]:
>> Sounds like there's something funky going on with the chkuser patch for you - do you have the same problem when not using TLS? I'm not a chkuser expert, but have you double-checked your chkuser settings?
>
> The only extra setting I'm using is the CHKUSER_ENABLE_UIDGID. From what I've read on the Interazioni site this option will cause issues with TLS. I enabled this because qmail-smtpd was unable to run vchkpw without it enabled. I assume this is because of users/group permission but even with the qmail vpopmail user in the same group vchkpw didn't run.

I don't have it enabled, and I have no problems running qmail-smtpd as vpopmail:vchkpw using tcpserver flags (-u vpopmail -g vchkpw). Which TLS patch set are you using?

>> Qmail implements SMTP_VRFY, but it doesn't actually do anything. DJB (rightly, IMHO) decided that it didn't make sense to let people constantly hammer your system with VRFY commands to determine who was or wasn't a valid user, and so (per the RFC) qmail's VRFY implementation responds with a message that indicates a non-answer (252 send some mail, i'll try my best) and doesn't actually indicate whether the address is valid or not. Chkuser can result in giving the same information, as it will reject non-valid users, but this at least forces spammers to try to send mail, and get rejections (and possibly dropped altogether) rather than just scanning a qmail SMTP server...
>
> This makes sense but doesn't chkuser essentially do the same thing SMTP_VRFY would do?

Yes and no. The VRFY command is outside of sending mail - a rogue client could connect to the SMTP server, and after issuing a HELO/EHLO greeting, just run repeated VRFY commands to see if a user is valid or not. Chkuser operates in the RCPT phase of the conversation, so a client has to start with a MAIL FROM command, which can be checked, and then each RCPT command can either be accepted or rejected - and chkuser can also be configured to reject ALL users after a certain number of invalid ones, preventing spam to real users if fake ones are also sent. It's a fine line, but it can make a difference.

Josh
--
Joshua Megerman
SJGames MIB #5273 - OGRE AI Testing Division
You can't win; You can't break even; You can't even quit the game. - Layman's translation of the Laws of Thermodynamics
[EMAIL PROTECTED]
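The difference Josh describes between VRFY and an RCPT-phase check, as a small model (an added example, not qmail or chkuser code). The limit, the function names, the mailbox table and the 550 reply code are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define WRONG_RCPT_LIMIT 2            /* hypothetical: invalid RCPTs tolerated per session */

struct session {
    int mail_from_seen;               /* MAIL FROM accepted for this transaction */
    int wrong_rcpts;                  /* invalid recipients seen so far */
};

/* Constructed user table standing in for the vpopmail lookup. */
static const char *const mailboxes[] = { "alice@example.com", "bob@example.com" };

static int mailbox_exists(const char *addr)
{
    size_t i;
    for (i = 0; i < sizeof mailboxes / sizeof mailboxes[0]; i++)
        if (strcmp(addr, mailboxes[i]) == 0)
            return 1;
    return 0;
}

/* VRFY as the thread describes qmail: the same non-answer for every address. */
int smtp_vrfy(const char *addr) { (void)addr; return 252; }

int smtp_mail_from(struct session *s) { s->mail_from_seen = 1; return 250; }

/* RCPT-phase check: needs MAIL FROM first, and closes once the limit is hit. */
int smtp_rcpt(struct session *s, const char *addr)
{
    if (!s->mail_from_seen)
        return 503;                   /* no transaction, no recipient check */
    if (s->wrong_rcpts >= WRONG_RCPT_LIMIT)
        return 550;                   /* limit reached: valid users refused too */
    if (!mailbox_exists(addr)) {
        s->wrong_rcpts++;
        return 550;                   /* constructed reply code for "no such user" */
    }
    return 250;
}

int main(void)
{
    struct session s = { 0, 0 };
    smtp_mail_from(&s);
    printf("%d %d\n", smtp_vrfy("alice@example.com"), smtp_rcpt(&s, "alice@example.com"));
    return 0;
}
```

Once the limit is reached, a valid and an invalid recipient get the same reply, so further RCPT commands in that session reveal nothing about which mailboxes exist.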
[vchkpw] Anti-spam solution - favs?
I've got vpopmail/netqmail built using typical clamav and spamassassin (clamd, spamd). I've got XBL filtering and CHKUSER enabled on smtp. I'm actively training my Bayes filters. I do not use verified sender or SPF. Spamassassin's local.cf looks like this:

    required_score 6
    rewrite_header Subject [SPAM]
    report_safe 0
    use_pyzor 0
    use_razor2 1
    use_dcc 0
    dcc_home /var/dcc
    skip_rbl_checks 0
    rbl_timeout 3
    score RCVD_IN_BL_SPAMCOP_NET 2
    use_bayes 1
    bayes_auto_learn 1
    bayes_path /home/spamd/.spamassassin/bayes

I STILL find a good bit of spam is getting through. (pharma, mortgages, stock hype, etc) I wonder whether there are other/better anti-spam tools I should use to cull the spam more effectively. Suggestions most welcome.
Re: [vchkpw] Anti-spam solution - favs?
ISP Lists wrote:
> I've got vpopmail/netqmail built using typical clamav and spamassassin (clamd, spamd). I've got XBL filtering and CHKUSER enabled on smtp. I'm actively training my Bayes filters. I do not use verified sender or SPF. Spamassassin's local.cf looks like this:
>
>     required_score 6
>     rewrite_header Subject [SPAM]
>     report_safe 0
>     use_pyzor 0
>     use_razor2 1
>     use_dcc 0
>     dcc_home /var/dcc
>     skip_rbl_checks 0
>     rbl_timeout 3
>     score RCVD_IN_BL_SPAMCOP_NET 2
>     use_bayes 1
>     bayes_auto_learn 1
>     bayes_path /home/spamd/.spamassassin/bayes
>
> I STILL find a good bit of spam is getting through. (pharma, mortgages, stock hype, etc) I wonder whether there are other/better anti-spam tools I should use to cull the spam more effectively. Suggestions most welcome.

Are you using any SARE rules? Grey listing may also help, for the time being anyway. A simple greet pause might help as well. Grey listing and greet pause will depend on the spam you are receiving.

DAve
--
Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible.
[vchkpw] Gray list
Hello I wonder if there is a way to implement a gray list on a specific ip only running qmail. I have multiple IPs but only some are accepting mail and not all of them want to have gray list enable. Thanks, Remo
Re: [vchkpw] Gray list
Remo Mattei wrote:
> Hello I wonder if there is a way to implement a gray list on a specific ip only running qmail. I have multiple IPs but only some are accepting mail and not all of them want to have gray list enable.
>
> Thanks, Remo

If you are running Bill's toaster then it would be an easy matter to install the grey listing patch he has and rewrite the mysql queries to only grey list on one (or more) local IP addresses.

Regards,
Rick
Re: [vchkpw] Gray list
yes I am running Bill's one. I will look at that option

thanks,
Remo

Rick Macdougall wrote:
> Remo Mattei wrote:
>
> If you are running Bill's toaster then it would be an easy matter to install the grey listing patch he has and rewrite the mysql queries to only grey list on one (or more) local IP addresses.
>
> Regards, Rick
[vchkpw] vpopmail 5.4.19 released
http://vpopmail.sf.net

5.4.19 - released 21-May-07

Release Notes:

We have a couple of bug fixes and a lot of new stuff that has been laying around the tracker for quite some time, so I am marking this release a development release. If you can give it a try on a non-production server, please let us know how it works out. Once I get a couple of bug fixes, or reports of normal operation I'll release a stable version.

Changelog:

Rick Widmer
- update to aclocal 1.9.5, automake 1.9.5, autoconf 2.59 to match my system
- Don't set LocalPort to a real port number so the default case has a chance to identify how vchkpw was called.
- ./configure tells status of onchange script setting
- Fix rights problem with alias commands. - thanks Alessio Cecchi
- Only report out of order entries when sorting files once per file
- make pop syslog ./configure setting report itself like the rest of the choices
- Make error messages more consistent (P/O checking Jonathan's bug report)

Harm van Tilborg, Quinn Comendant
- Do not allow delete of catchall address within account. [1511531]

Bill Shupp
- enable-onchange-script defaults to no. NOTE: Still need to suppress error message if file not found.
- Fix bug in output format of list_alias
- Remove unneeded AC_DEFINE_UNQUOTED from ONCHANGE_SCRIPT in configure
- Port remaining spamassassin code from 5.5 branch to stable-5_4.
- Add new --enable-maildrop option, and new NO_MAILDROP bit flag.
- New Documentation: README.maildrop, README.spamassassin
- Sample maildroprc files for both 1.x and 2.x (maildrop/*)

Fabio Busatto
- #include stdio.h at top of vpopmail.h

blaze_cs
- Ldap back end reads config parms from a file at runtime. [1056529][1476647]

Stoyan Marinov (smarinov)
- add %m$t style for SQL queries format string [1236349]
- connect to mysql with a unix socket [1437085]
[vchkpw] WARNING for CVS users!
I am in the process of moving head to a new 'V5.5.1-obsolete' branch, which will be ignored in the future; moving the existing stable_5_4 branch to head, and ending work in stable_5_4. All future development of vpopmail will be in the HEAD branch. This should be helpful to those who have been getting the wrong version when checking out from CVS.

If you have anything that needs to be checked in, you have 24 hours or so before I end stable_5_4. It is already too late for dev_5_5 as I have already tagged the end of its line. If you have a copy of stable_5_4 that does not have changes that need to be committed, please discard it and check out HEAD before you start to work!

Thanks,
Rick
Re: [vchkpw] WARNING for CVS users!
VERY IMPORTANT NOTE FOR CVS USERS!!!

If you are using vpopmail CVS please do a new checkout from HEAD before you do anything else. As of now 5.5 is gone. HEAD points to the very latest 5.4.19, and I will be starting 5.4.20 with a bug I just found while verifying that I have all the files in HEAD. If you must write patches to the stable-5_4 branch, let me know and I will merge them to head. Even better, post to HEAD, or send me the patch.

Thanks,
Rick

Rick Widmer wrote:
> I am in the process of moving head to a new 'V5.5.1-obsolete' branch, which will be ignored in the future; moving the existing stable_5_4 branch to head, and ending work in stable_5_4. All future development of vpopmail will be in the HEAD branch. This should be helpful to those who have been getting the wrong version when checking out from CVS.
>
> If you have anything that needs to be checked in, you have 24 hours or so before I end stable_5_4. It is already too late for dev_5_5 as I have already tagged the end of its line. If you have a copy of stable_5_4 that does not have changes that need to be committed, please discard it and check out HEAD before you start to work!
>
> Thanks, Rick
Re: [vchkpw] vpopmail 5.4.19 released
I checked the link below but there is no 5.4.19 version.. I wanted to check what needs to be done to upgrade to this version from 5.4.17

thanks,
Remo

Rick Widmer wrote:
> http://vpopmail.sf.net
>
> 5.4.19 - released 21-May-07
>
> Release Notes:
>
> We have a couple of bug fixes and a lot of new stuff that has been laying around the tracker for quite some time, so I am marking this release a development release. If you can give it a try on a non-production server, please let us know how it works out. Once I get a couple of bug fixes, or reports of normal operation I'll release a stable version.
>
> Changelog:
>
> Rick Widmer
> - update to aclocal 1.9.5, automake 1.9.5, autoconf 2.59 to match my system
> - Don't set LocalPort to a real port number so the default case has a chance to identify how vchkpw was called.
> - ./configure tells status of onchange script setting
> - Fix rights problem with alias commands. - thanks Alessio Cecchi
> - Only report out of order entries when sorting files once per file
> - make pop syslog ./configure setting report itself like the rest of the choices
> - Make error messages more consistent (P/O checking Jonathan's bug report)
>
> Harm van Tilborg, Quinn Comendant
> - Do not allow delete of catchall address within account. [1511531]
>
> Bill Shupp
> - enable-onchange-script defaults to no. NOTE: Still need to suppress error message if file not found.
> - Fix bug in output format of list_alias
> - Remove unneeded AC_DEFINE_UNQUOTED from ONCHANGE_SCRIPT in configure
> - Port remaining spamassassin code from 5.5 branch to stable-5_4.
> - Add new --enable-maildrop option, and new NO_MAILDROP bit flag.
> - New Documentation: README.maildrop, README.spamassassin
> - Sample maildroprc files for both 1.x and 2.x (maildrop/*)
>
> Fabio Busatto
> - #include stdio.h at top of vpopmail.h
>
> blaze_cs
> - Ldap back end reads config parms from a file at runtime. [1056529][1476647]
>
> Stoyan Marinov (smarinov)
> - add %m$t style for SQL queries format string [1236349]
> - connect to mysql with a unix socket [1437085]