Re: [vchkpw] tcp.smtp / open-smtp rule precedence
On Fri, 16 Jan 2004, Mauricio Teixeira (listas) wrote: Em Sex, 2004-01-16 às 14:24, Chris Hardie escreveu: Hmm, if it's in the run file, isn't it still subject to the rules of tcpserver, in terms of the impact the environment variables have? Perhaps The variable is used by qmail-smtpd to determine how it will queue the mesage. tcpserver does not know anything about it. qmail-qsmtpd/run follows: ...snip... QMAILQUEUE=bin/qmail-scanner-queue.pl export QMAILQUEUE I was able to clarify why running qmail-scanner globally doesn't solve the problem. The RELAYCLIENT environment variable is still being set via open-smtp, and so qmail-scanner still refuses to examine mail from IPs which have been the source of a successful POP session when roaming users is enabled. So again, a POP user is able to unintentionally override the environment settings in tcp.smtp that should presumably take precedence. Chris
Re: [vchkpw] tcp.smtp / open-smtp rule precedence
On Sun, 2004-01-18 at 14:49, Chris Hardie wrote: I was able to clarify why running qmail-scanner globally doesn't solve the problem. The RELAYCLIENT environment variable is still being set via open-smtp, and so qmail-scanner still refuses to examine mail from IPs which have been the source of a successful POP session when roaming users is enabled. So again, a POP user is able to unintentionally override the environment settings in tcp.smtp that should presumably take precedence. yes, which is what I also said in different reply to you. In that reply, I also gave you a few pointers on what you might be able to do to make this all work for you. -Jeremy -- Jeremy Kitchen [EMAIL PROTECTED]
[vchkpw] tcp.smtp / open-smtp rule precedence
Hi folks. We're experiencing a weird issue related to the open-smtp / roaming users feature of vpopmail. We have a line in our ~vpopmail/etc/tcp.smtp file that looks like this: 12.161.105.140:allow,MFCHECK=0,RBLSMTPD=,QMAILQUEUE=/var/qmail/bin/qmail-scanner-queue.pl The notable part for my question is that we want to accept mail from this server and run it through qmail-scanner. qmail-scanner.pl will process the message as long as RELAYCLIENT is not set for the connecting host, which, as you can see above, it is not. BUT, we have a meddlesome user on 12.161.105.140 who is popping into vpopmail, which has the allow roaming users flag set. As soon as this user does that, an entry is created in the tcp.smtp database for that user, as reflected in the open-smtp file: 12.161.105.140:allow,RELAYCLIENT=,RBLSMTPD= 1074272408 The result is that the users pop / roaming action is disabling qmail-scanner for all mail from that server. In general, the issue is that a user popping in from an IP that has a line in the main ~vpopmail/etc/tcp.smtp can override the rule for that IP. I realize this could be discussed on any number of lists (tcpserver, qmail-scanner, etc.), but I *think* this is just a matter of precedence in the way tcprules is run to incorporate the ~vpopmail/etc/tcp.smtp file AND the roaming user entry that's added by vpopmail. So I'm hoping it might be worth exploring here since other vpopmail users may want to override tcpserver environment variables with the main tcp.smtp file. This seems to be the relevant part of vpopmail.c: strncpy(bin0, TCPRULES_PROG, BUFF_SIZE); strncpy( bin1, TCP_FILE, BUFF_SIZE); strncat( bin1, .cdb, BUFF_SIZE); strncpy( bin2, TCP_FILE, BUFF_SIZE); strncat( bin2, relay_template, BUFF_SIZE); binqqargs[0] = bin0; binqqargs[1] = bin1; binqqargs[2] = bin2; binqqargs[3] = 0; execv(*binqqargs,binqqargs); But I'm not quite clear on how tcprules is processing / ordering the ruleset when a roaming user triggers this action. I scanned the archives and couldn't find a reference to this problem, but apologizes if it's been discussed under a different set of keywords. Any thoughts? Thanks, Chris
Re: [vchkpw] tcp.smtp / open-smtp rule precedence
Em Sex, 2004-01-16 às 14:10, Chris Hardie escreveu: The result is that the users pop / roaming action is disabling Why don't you enable qmail-scanner globally? I put QMAILQUEUE=bin/qmail-scanner-queue.pl into /service/qmail-smtpd/run before smtpd initialization, in a way it's used by all connections. If you want some other connection NOT to use the scanner,you would have to specify it in tcp.smtp My 2c. -- [] Mauricio Teixeira - Maceió/AL/Brazil [] * Este e-mail serve apenas para listas!!! * [] * This e-mail is for mailing lists only!!! *
Re: [vchkpw] tcp.smtp / open-smtp rule precedence
On Fri, 2004-01-16 at 11:10, Chris Hardie wrote: We have a line in our ~vpopmail/etc/tcp.smtp file that looks like this: 12.161.105.140:allow,MFCHECK=0,RBLSMTPD=,QMAILQUEUE=/var/qmail/bin/qmail-scanner-queue.pl BUT, we have a meddlesome user on 12.161.105.140 who is popping into vpopmail, which has the allow roaming users flag set. As soon as this user does that, an entry is created in the tcp.smtp database for that user, as reflected in the open-smtp file: 12.161.105.140:allow,RELAYCLIENT=,RBLSMTPD= 1074272408 The result is that the users pop / roaming action is disabling qmail-scanner for all mail from that server. In general, the issue is that a user popping in from an IP that has a line in the main ~vpopmail/etc/tcp.smtp can override the rule for that IP. Interesting indeed! I would simply disable pop-before-smtp for this user. Look at vmoduser. Then, add RELAYCLIENT= to your original line, and call it good. -Jeremy -- Jeremy Kitchen Systems Administrator [EMAIL PROTECTED] Kitchen @ #qmail on EFNet - Join the party! . Inter7 Internet Technologies, Inc. www.inter7.com 866.528.3530 toll free 847.492.0470 int'l 847.492.0632 fax GNUPG key ID: 93BDD6CE
Re: [vchkpw] tcp.smtp / open-smtp rule precedence
On Fri, 16 Jan 2004, Mauricio Teixeira (listas) wrote: Em Sex, 2004-01-16 às 14:10, Chris Hardie escreveu: The result is that the users pop / roaming action is disabling Why don't you enable qmail-scanner globally? I put QMAILQUEUE=bin/qmail-scanner-queue.pl into /service/qmail-smtpd/run before smtpd initialization, in a way it's used by all connections. If you want some other connection NOT to use the scanner,you would have to specify it in tcp.smtp Hmm, if it's in the run file, isn't it still subject to the rules of tcpserver, in terms of the impact the environment variables have? Perhaps you could paste in /service/qmail-smtpd/run. Chris
Re: [vchkpw] tcp.smtp / open-smtp rule precedence
On Fri, 16 Jan 2004, Jeremy Kitchen wrote: I would simply disable pop-before-smtp for this user. Look at vmoduser. Then, add RELAYCLIENT= to your original line, and call it good. I see why that would work (though I think you didn't mean the part about putting RELAYCLIENT= in tcp.smtp, as that disables qmail-scanner), but it doesn't seem to scale very well. As other users on 12.161.105.140 do the same thing, we'd have to watch for them and vmoduser each one. Chris
Re: [vchkpw] tcp.smtp / open-smtp rule precedence
Em Sex, 2004-01-16 às 14:24, Chris Hardie escreveu: Hmm, if it's in the run file, isn't it still subject to the rules of tcpserver, in terms of the impact the environment variables have? Perhaps The variable is used by qmail-smtpd to determine how it will queue the mesage. tcpserver does not know anything about it. qmail-qsmtpd/run follows: - #!/bin/sh QMAILDUID=`id -u qmaild` NOFILESGID=`id -g qmaild` MAXSMTPD=`cat /var/qmail/control/concurrencyincoming` LOCAL=`head -1 /var/qmail/control/me` QMAILQUEUE=bin/qmail-scanner-queue.pl export QMAILQUEUE if [ -z $QMAILDUID -o -z $NOFILESGID -o -z $MAXSMTPD -o -z $LOCAL ]; then echo QMAILDUID, NOFILESGID, MAXSMTPD, or LOCAL is unset in echo /var/qmail/supervise/qmail-smtpd/run exit 1 fi if [ ! -f /var/qmail/control/rcpthosts ]; then echo No /var/qmail/control/rcpthosts! echo Refusing to start SMTP listener because it'll create an open relay exit 1 fi exec /usr/local/bin/softlimit -m 6400 \ /usr/local/bin/tcpserver -v -R -l $LOCAL -S -x /etc/tcp.smtp.cdb \ -c $MAXSMTPD \ -u $QMAILDUID -g $NOFILESGID 0 smtp \ /usr/local/bin/rblsmtpd -r relays.ordb.org -r sbl.spamhaus.org -r bl.spamcop.net \ /var/qmail/bin/qmail-smtpd 21 -- [] Mauricio Teixeira - Maceió/AL/Brazil [] * Este e-mail serve apenas para listas!!! * [] * This e-mail is for mailing lists only!!! *
Re: [vchkpw] tcp.smtp / open-smtp rule precedence
On Fri, 2004-01-16 at 11:25, Chris Hardie wrote: On Fri, 16 Jan 2004, Jeremy Kitchen wrote: I would simply disable pop-before-smtp for this user. Look at vmoduser. Then, add RELAYCLIENT= to your original line, and call it good. I see why that would work (though I think you didn't mean the part about putting RELAYCLIENT= in tcp.smtp, as that disables qmail-scanner), but it doesn't seem to scale very well. As other users on 12.161.105.140 do the same thing, we'd have to watch for them and vmoduser each one. well then you'll have to either: a) vmoduser all of them and force the other clients on that IP to use SMTP auth. b) set up another qmail-smtpd service specifically for the server you want to have all mail from scanned with qmail-scanner, and configure that server to use your new qmail-smtpd service. there's no other way to do it, since tcpserver doesn't know which client is which, it just knows IPs, and since you pointed out that qmail-scanner doesn't run if the RELAYCLIENT is set, then having them both on the same port/ip is not possible. -Jeremy -- Jeremy Kitchen Systems Administrator [EMAIL PROTECTED] Kitchen @ #qmail on EFNet - Join the party! . Inter7 Internet Technologies, Inc. www.inter7.com 866.528.3530 toll free 847.492.0470 int'l 847.492.0632 fax GNUPG key ID: 93BDD6CE
Re: [vchkpw] tcp.smtp / open-smtp rule precedence
On Fri, 2004-01-16 at 11:31, Jeremy Kitchen wrote: and since you pointed out that qmail-scanner doesn't run if the RELAYCLIENT is set, then having them both on the same port/ip is not possible. ahem, it runs. it just doesn't do anything. *MORE REDBULL* -Jeremy -- Jeremy Kitchen Systems Administrator [EMAIL PROTECTED] Kitchen @ #qmail on EFNet - Join the party! . Inter7 Internet Technologies, Inc. www.inter7.com 866.528.3530 toll free 847.492.0470 int'l 847.492.0632 fax GNUPG key ID: 93BDD6CE
Re: [vchkpw] tcp.smtp / open-smtp rule precedence
On Jan 16, 2004, at 10:10 AM, Chris Hardie wrote: BUT, we have a meddlesome user on 12.161.105.140 who is popping into vpopmail, which has the allow roaming users flag set. As soon as this user does that, an entry is created in the tcp.smtp database for that user, as reflected in the open-smtp file: 12.161.105.140:allow,RELAYCLIENT=,RBLSMTPD= 1074272408 I don't think it's an unreasonable request for us to modify vpopmail so that the rules in tcp.smtp take precedence over the rules established by open-smtp. The actual code to change is in update_rules(). I was under the impression that the first line to match an IP was the one selected. If that's the case, then processing tcp.smtp first, followed by open-smtp (which is how it works now) should work correctly. I see two options: 1) keep track of all IPs listed in tcp.smtp when sending that data to tcprules, and ignore entries that match those IPs when processing open-smtp. 2) send entries from open-smtp to tcprules FIRST, followed by the rules in tcp.smtp. I don't personally use roaming users, so I don't know the full details of how it works. If someone can provide more information, it should be possible to modify vpopmail to handle this situation. Also, if anyone can think of a reason that rules in tcp.smtp SHOULDN'T override entries in open-smtp, then please speak up now. -- Tom Collins - [EMAIL PROTECTED] QmailAdmin: http://qmailadmin.sf.net/ Vpopmail: http://vpopmail.sf.net/ Info on the Sniffter hand-held Network Tester: http://sniffter.com/
