Re: [vchkpw] vpopmail sans qmail.

[John Simpson]

On 2006-12-30, at 1938, Christopher Chan wrote:


When a scripter manages to stuff your queues with over 500k  
messages of rubbish, the last thing you want to do is to let any of  
it out let alone wait for it to disappear. The queues need to be  
cleared right away before you get even more bogged down.


i'm thinking of writing a patch for qmail-send, where if the  
timestamp on a mess file is older than DOUBLE the value of control/ 
queuelifetime, it would delete the message BEFORE attempting one last  
delivery... i think this would be a huge help in cleaning up cases  
like this without having to shut down qmail-send.


i know, more patches...

i didn't realize that postfix didn't have support for virtual  
domains. this would be a show-stopper for me installing it on my  
own server, or on a client's server.


postfix has its own virtual mail backend...but you had to build the  
tables and management scripts/tools yourself. Its virtual mail  
backend provides the structure but you had to fill it in.


ah... so it's basically like what qmail is without vpopmail. it all  
makes sense now...


why not just write something similar to vpopmail, but which works  
using whatever low-level mechanism postfix provides to handle  
virtual mailboxes? or if there is no such support, add it in?


:D. I am sure someone must have built something like that...it is  
only probably not as well known as vpopmail.


it may not be as well known as vpopmail, but google knows about it  
and that's all that really counts. i did a search for postfix  
virtual domain management interface and came up with this site,  
which sounds like vpopmail and qmailadmin rolled into one:


http://www.postfixvirtual.net/

and i think this thread has pretty much played itself out in terms of  
being relevant to vpopmail, so i'm going to end here (although if  
anybody else is interested in seeing how this turns out, speak up and  
let us know you care.) either way, i am interested in whether you try  
this or not, and if so, what kind of results you have with it. if the  
thread dies, please let me know via direct email.


take care.


| John M. Simpson---   KG4ZOW   ---Programmer At Large |
| http://www.jms1.net/ [EMAIL PROTECTED] |

| http://video.google.com/videoplay?docid=-4312730277175242198 |





PGP.sig
Description: This is a digitally signed message part

Re: [vchkpw] vpopmail sans qmail.

[Christopher Chan]

... You apparently do the way it was formerly done too at the outfit; 
generate cdb and then scp the cdb file across to relevant boxes. What 
did you do to ensure that it is an atomic operation on the push/copy 
out to mailhub?


the mailbox server sends the file using a command line this:

cat file | ssh -I id_dsa_blah [EMAIL PROTECTED] filename

the SSH key is in the authorized_keys file on the mailhub, with a forced 
command which uses the original command as a filename... it makes sure 
the filename is one of a small number it recognizes, and then runs a 
specific handler for each file. for validrcptto.cdb it does this:


case validrcptto.cdb )
cat  validrcptto.new
chmod 644 validrcptto.new
mv validrcptto.new validrcptto.cdb
;;

and /var/qmail/control/validrcptto.cdb is a symlink to the file in 
this non-root user's home directory.


other files which need to be atomically updated work the same way.


Interesting. Thank you.



for my needs and my clients' needs, my patches are the best solution. 
they may not be for everybody, which is why i'll explain the 
differences between validrcptto.cdb and chkusr, but i don't claim 
either one to be better than the other. different people have 
different needs.


Yes, so long as you do not need the 'instant' creation of accounts or 
what not, your system will do fine for those who have a controlled 
generation of the cdb files.


i've never had anybody get upset over a ten-second delay (which is 
actually why i wrote the onchange patch, to kick off this whole 
distribution process... the delay was previously up to one minute, and 
even that i never heard any complaints about.)


If only we could build a cdb file in ten seconds...we have too many 
records do to it in that space of time.





For your traffic patterns, cdb will probably do. The outfit I worked 
for handled on a daily average, 200 million SMTP connections or over 8 
million connections hourly. It was not acceptable to spend minutes 
pushing the cdb file across for the mailhubs and probably still is. 
(Please don't give me the get proper hardware. If I could have gotten 
more servers or replacements that had better disk i/o...)


actually, once the process started, the new cdb files were active on the 
mailhubs in under five seconds. i'm not running a system the size of 
gmail, and i doubt anybody else on this list is either.


:D I am sure that the outfit would be very pleased to be compared to Gmail.




ROTFL. I have done sendmail, postfix and qmail. qmail is the best in 
that it is simple and elegant. I had colleagues who would not touch 
qmail with a ten foot pole. They did not care to delve into the 
internals of qmail and qmail is a pain if you have to go in the clear 
out spam. sendmail and postfix are much better in the queue management 
area.


after i wrote the validrcptto.cdb patch and stopped accepting messages 
for non-existent mailboxes to start with, it's rare for my queue to have 
more than five messages in it. i saw the same results with my clients' 
servers, when i upgraded them to use the validrcptto.cdb feature.


This is fine for low trafic sites. When I was still working for that 
outfit, the problem was to keep the spam away from existing mailboxes 
and preferably not even allowing it into the queues.





Stopping qmail-send to scrounge out spam and then making sure you 
delete the stuff properly and do not end up with a corrupt queue is 
not their cup of tea since it is something they have to do regularly 
(yes...partly free webmail provider).


if they can identify the messages they don't want (using grep or 
whatever) then instead of DELETING them, they can simply touch the 
mess/*/___ files with an old timestamp (i use 1998-01-01 00:00:00 for 
this) and then kick the queue by sending an ALRM signal to qmail-send.


what happens is that qmail-send will try each message exactly one more 
time, and then delete it through the normal timeout mechanism.


which means that, for individual spam-deletion cases, qmail-queue never 
needs to be stopped at all.


the only time i ever stop a queue is if the filesystem has filled up and 
caused real corruption.


When a scripter manages to stuff your queues with over 500k messages of 
rubbish, the last thing you want to do is to let any of it out let alone 
wait for it to disappear. The queues need to be cleared right away 
before you get even more bogged down.





Don't give tell me about qmHandle. That script is broken and will 
leave you with corrupt bounce messages under certain conditions 
besides being awfully slow.


i've never used qmhandle.

i wrote my own qfixq script years ago, and tested the living daylights 
out of it. and since releasing it, whenever somebody reports a problem 
with it, i fix it and release a new version immediately. the version on 
my web site has been free of any reported bugs since 2005-08-30, and the 
only change since then was to add an empty option to 

Re: [vchkpw] vpopmail sans qmail.

[John Simpson]

On 2006-12-25, at , Christopher Chan wrote:


... So it appears to me that your comment (whose connection pool  
might become overloaded) indicates you have no idea what I meant  
by 'connection pooling'. This is software on the mailhub side, not  
the mysql server side, that addresses mysql's poor connection  
handling performance.


you are correct, i wasn't aware of any way to do this on the client  
side. this reminds me of the IMAP connection pooling program that  
some people use with courier-imap.


... You apparently do the way it was formerly done too at the  
outfit; generate cdb and then scp the cdb file across to relevant  
boxes. What did you do to ensure that it is an atomic operation on  
the push/copy out to mailhub?


the mailbox server sends the file using a command line this:

cat file | ssh -I id_dsa_blah [EMAIL PROTECTED] filename

the SSH key is in the authorized_keys file on the mailhub, with a  
forced command which uses the original command as a filename... it  
makes sure the filename is one of a small number it recognizes, and  
then runs a specific handler for each file. for validrcptto.cdb it  
does this:


case validrcptto.cdb )
cat  validrcptto.new
chmod 644 validrcptto.new
mv validrcptto.new validrcptto.cdb
;;

and /var/qmail/control/validrcptto.cdb is a symlink to the file in  
this non-root user's home directory.


other files which need to be atomically updated work the same way.

for my needs and my clients' needs, my patches are the best  
solution. they may not be for everybody, which is why i'll explain  
the differences between validrcptto.cdb and chkusr, but i don't  
claim either one to be better than the other. different people  
have different needs.


Yes, so long as you do not need the 'instant' creation of accounts  
or what not, your system will do fine for those who have a  
controlled generation of the cdb files.


i've never had anybody get upset over a ten-second delay (which is  
actually why i wrote the onchange patch, to kick off this whole  
distribution process... the delay was previously up to one minute,  
and even that i never heard any complaints about.)



For your traffic patterns, cdb will probably do. The outfit I  
worked for handled on a daily average, 200 million SMTP connections  
or over 8 million connections hourly. It was not acceptable to  
spend minutes pushing the cdb file across for the mailhubs and  
probably still is. (Please don't give me the get proper hardware.  
If I could have gotten more servers or replacements that had better  
disk i/o...)


actually, once the process started, the new cdb files were active on  
the mailhubs in under five seconds. i'm not running a system the size  
of gmail, and i doubt anybody else on this list is either.



ROTFL. I have done sendmail, postfix and qmail. qmail is the best  
in that it is simple and elegant. I had colleagues who would not  
touch qmail with a ten foot pole. They did not care to delve into  
the internals of qmail and qmail is a pain if you have to go in the  
clear out spam. sendmail and postfix are much better in the queue  
management area.


after i wrote the validrcptto.cdb patch and stopped accepting  
messages for non-existent mailboxes to start with, it's rare for my  
queue to have more than five messages in it. i saw the same results  
with my clients' servers, when i upgraded them to use the  
validrcptto.cdb feature.



Stopping qmail-send to scrounge out spam and then making sure you  
delete the stuff properly and do not end up with a corrupt queue is  
not their cup of tea since it is something they have to do  
regularly (yes...partly free webmail provider).


if they can identify the messages they don't want (using grep or  
whatever) then instead of DELETING them, they can simply touch the  
mess/*/___ files with an old timestamp (i use 1998-01-01 00:00:00 for  
this) and then kick the queue by sending an ALRM signal to qmail-send.


what happens is that qmail-send will try each message exactly one  
more time, and then delete it through the normal timeout mechanism.


which means that, for individual spam-deletion cases, qmail-queue  
never needs to be stopped at all.


the only time i ever stop a queue is if the filesystem has filled up  
and caused real corruption.



Don't give tell me about qmHandle. That script is broken and will  
leave you with corrupt bounce messages under certain conditions  
besides being awfully slow.


i've never used qmhandle.

i wrote my own qfixq script years ago, and tested the living  
daylights out of it. and since releasing it, whenever somebody  
reports a problem with it, i fix it and release a new version  
immediately. the version on my web site has been free of any reported  
bugs since 2005-08-30, and the only change since then was to add an  
empty option to just plain delete everything in the queue, and to  
add a check to 

Re: [vchkpw] vpopmail sans qmail.

[Christopher Chan]

John Simpson wrote:

On 2006-12-22, at 1006, Christopher Chan wrote:

John Simpson wrote:


http://qmail.jms1.net/patches/validrcptto.cdb.shtml


There is a better patch for vpopmail support in qmail. A mysql patch 
that goes straight the vpopmail mysql database but I am not sure of 
its location. The writer even rebuffed one of Inter7's developers when 
someone floated the idea of qmail supporting vpopmail's mysql tables 
and the developer said he would write it since he was not aware of the 
patch's existence. So I believe the Inter7 guy drop it right then and 
there or maybe not. I believe it is this one here and the writer was 
Italian: http://www.interazioni.it/opensource/chkusr/


that's all well and good, IF your incoming mail always arrives on the 
same machine where vpopmail is running, IF you don't mind re-compiling 
qmail everytime vpopmail is upgraded, and IF you keep your user 
information in a mysql database.


If it ain't broke...I don't see why people would want to upgrade 
vpopmail unless there is a security fix or a feature that they need. 
Realistically, it cannot be as bad as you make it.




most ISPs handle a large enough volume of email that they have several 
internet-facing servers which handle the flood of incoming mail, and 
forward the legitimate messages to an internal machine which contains 
the mailboxes. the one mailbox machine will be running vpopmail, but the 
other internet-facing servers (i call them mailhubs) are generally not 
running vpopmail, which means they are not able to check recipients or 
process AUTH commands against the vpopmail information.


i've seen people get around this using mysql, both by having the 
mailhubs connect across the network to a database server, and by setting 
up mysql servers on the mailhubs and replicating the data. but what if 
the company isn't using mysql in the first place? (i spent eight years 
building and running ISPs with this exact scenario- multiple mailhubs, 
no mysql. yes, we had a customer database- but that was for billing, and 
it wasn't directly involved with the mechanics of the systems themselves.)


my validrcptto.cdb and auth.cdb patches get around these problems by 
storing the list of valid recipient addresses and the list of valid 
userid/password pairs in cdb files, and just copying those files from 
the mailbox server out to the mailhubs whenever they change. PLUS, the 
fact that they're cdb files means that the lookups happen without the 
added overhead of having to open a connection to a mysql server (whose 
connection pool might become overloaded in case of a spam flood.)


I will pit my four years in my previous job as a MTA admin in a SME 
email service provider that handles in total over 40 million mailboxes 
against your eight years running and building ISPs. The same two stage 
delivery system is used too. I have dealt with both types of 
environments. An older system built cdb files for deployment to the 
frontline mailhubs. The newer systems had mysql servers for the 
frontline mailhubs. I get the impression you have not seen mysql 
connection pooling in acton. When I joined, they used sendmail frontline 
hubs patched to support mysql databases with cdb support being later 
added by me for the older system. The sendmail patch had no connection 
pooling support and so it would open a new mysql connection to the mysql 
server and yes, this meant that the mysql server would become overloaded 
in the case of a spam flood. There was, for example, one set of 5 
frontline servers handling up to 600 connections each using one mysql 
server and another set of 4 frontline servers also doing 600 connections 
using another mysql server. I did a trial with postfix with its mysql 
and mysql connection pooling support because I got tired of manually 
taking care of the queues due to the mysql servers being overloaded and 
due to the many security holes that were being discovered in sendmail 
8.12.x. postfix replaced sendmail very soon after the first trial run.


mysql connection pooling makes a huge difference. Those two mysql 
servers under the sendmail system would be pushed till they had only 10% 
cpu idle resources being reported and they were still not delivering 
because mysql just cannot handle a large number of connections that are 
being set up and torn down at the same time. With the postfix system 
using postfix's builtin connection pooling support, just ONE mysql 
server is enough to the mysql query load for all eleven boxes at full 
load (all connections available taken and a tcp syn queue backlog of 
over 1024 per box) without breaking a sweat. Lowest cpu idle registered 
on the mysql server is 80%. Connection pooling is king. The bottleneck 
now is not the mysql server but the mailhubs themselves. So it appears 
to me that your comment (whose connection pool might become 
overloaded) indicates you have no idea what I meant by 'connection 
pooling'. This is software on the mailhub side, not the 

Re: [vchkpw] vpopmail sans qmail.

[John Simpson]

On 2006-12-22, at 1006, Christopher Chan wrote:

John Simpson wrote:


http://qmail.jms1.net/patches/validrcptto.cdb.shtml


There is a better patch for vpopmail support in qmail. A mysql  
patch that goes straight the vpopmail mysql database but I am not  
sure of its location. The writer even rebuffed one of Inter7's  
developers when someone floated the idea of qmail supporting  
vpopmail's mysql tables and the developer said he would write it  
since he was not aware of the patch's existence. So I believe the  
Inter7 guy drop it right then and there or maybe not. I believe it  
is this one here and the writer was Italian: http:// 
www.interazioni.it/opensource/chkusr/


that's all well and good, IF your incoming mail always arrives on the  
same machine where vpopmail is running, IF you don't mind re- 
compiling qmail everytime vpopmail is upgraded, and IF you keep your  
user information in a mysql database.


most ISPs handle a large enough volume of email that they have  
several internet-facing servers which handle the flood of incoming  
mail, and forward the legitimate messages to an internal machine  
which contains the mailboxes. the one mailbox machine will be running  
vpopmail, but the other internet-facing servers (i call them  
mailhubs) are generally not running vpopmail, which means they are  
not able to check recipients or process AUTH commands against the  
vpopmail information.


i've seen people get around this using mysql, both by having the  
mailhubs connect across the network to a database server, and by  
setting up mysql servers on the mailhubs and replicating the data.  
but what if the company isn't using mysql in the first place? (i  
spent eight years building and running ISPs with this exact scenario-  
multiple mailhubs, no mysql. yes, we had a customer database- but  
that was for billing, and it wasn't directly involved with the  
mechanics of the systems themselves.)


my validrcptto.cdb and auth.cdb patches get around these problems by  
storing the list of valid recipient addresses and the list of valid  
userid/password pairs in cdb files, and just copying those files from  
the mailbox server out to the mailhubs whenever they change. PLUS,  
the fact that they're cdb files means that the lookups happen without  
the added overhead of having to open a connection to a mysql server  
(whose connection pool might become overloaded in case of a spam flood.)


the down side is that you have to write some scripts to generate  
the validrcptto.cdb and auth.cdb files in the first place, and copy  
them out to the mailhubs. however, my web site also has working  
mkvalidrcptto and mkauth scripts, along with a web page which  
explains how to use ssh to push the files out to your mailhubs... so  
while it may not be brain dead easy, it's certainly not as  
difficult as setting up and maintaining replication between mysql  
servers.


for my needs and my clients' needs, my patches are the best solution.  
they may not be for everybody, which is why i'll explain the  
differences between validrcptto.cdb and chkusr, but i don't claim  
either one to be better than the other. different people have  
different needs.


postfix trumps chkusr/chkuser just as chkusr/chkuser trumps the cdb  
check.


everybody has their own opinions... mine happen to be the exact  
opposite of what you've written here.


First, chkusr vs rcptto.cdb. tcpserver + qmail-smtpd means a fresh  
fork for each new connection. The cdb rcptto means a disk access  
for each rcpt to check and regular rebuilds of the cdb database.  
chkusr/chkuser helps by keeping I/O of disk (okay we can contest  
whether looking up cdbs is better than looking up mysql tables or  
not but I think it is fair game to say that mysql lookups are more  
likely to be disk I/O free) and by not needing regular rebuilds of  
a cdb file. In fact, it offers instant/real-time user existence  
checks.


until you build in the overhead of mysql replication (or even worse,  
qmail-smtpd connecting to a mysql server across the network.)


open() takes less CPU and less time than mysql_connect(), even if the  
mysql server is on the same machine (because open() only involves  
qmail-smtpd and the kernel, while mysql_connect() also involves  
mysqld, which may already be busy with other clients, witness the  
complains about this very issue on the courier-imap list.)


and in the case of a file like validrcptto.cdb, which would be used  
constantly on a busy server, the file's data blocks would be in the  
kernel's disk cache 99% of the time, so there is almost never any  
wait for a disk to rotate- any disk reads are satisfied from the  
kernel's disk cache. if anything, i think the chances of a single  
file already being cached in the kernel's disk cache are higher than  
the chances of a mysql server having the right rows from the right  
table in memory, plus be idle at the right time and be able to answer  
qmail-smtpd's queries 

Re: [vchkpw] vpopmail sans qmail.

[John Simpson]

On 2006-12-18, at 0444, Christopher Chan wrote:

Darrel O'Pry wrote:

I'm currently considering replacing qmail in my mail systems.
I was wondering if anyone had tried vpopmail with postfix or exim and
what their experiences were.


Yeah, I use vpopmail with postfix. Love it. postfix user existence  
checks mean I don't have large queues.


funny, i've been doing the same thing using qmail (making sure  
recipient email addresses exist before accepting a RCPT command in  
the SMTP conversation) for over a year now.


http://qmail.jms1.net/patches/validrcptto.cdb.shtml

--
| John M. Simpson - KG4ZOW - Programmer At Large |
| http://www.jms1.net/   [EMAIL PROTECTED] |
--
| Mac OS X proves that it's easier to make UNIX  |
| pretty than it is to make Windows secure.  |
--




PGP.sig
Description: This is a digitally signed message part

Re: [vchkpw] vpopmail sans qmail.

[Christopher Chan]

John Simpson wrote:

On 2006-12-18, at 0444, Christopher Chan wrote:

Darrel O'Pry wrote:

I'm currently considering replacing qmail in my mail systems.
I was wondering if anyone had tried vpopmail with postfix or exim and
what their experiences were.


Yeah, I use vpopmail with postfix. Love it. postfix user existence 
checks mean I don't have large queues.


funny, i've been doing the same thing using qmail (making sure recipient 
email addresses exist before accepting a RCPT command in the SMTP 
conversation) for over a year now.


Yes. with a patch. I know patches exist. I have nothing against qmail. I 
will recommend qmail where it is most suitable...as the mta for outgoing 
mails for a mailing list or as the second stage in the inbound system 
due to dot-qmail which is a delivery system that is second to none.




http://qmail.jms1.net/patches/validrcptto.cdb.shtml


There is a better patch for vpopmail support in qmail. A mysql patch 
that goes straight the vpopmail mysql database but I am not sure of its 
location. The writer even rebuffed one of Inter7's developers when 
someone floated the idea of qmail supporting vpopmail's mysql tables and 
the developer said he would write it since he was not aware of the 
patch's existence. So I believe the Inter7 guy drop it right then and 
there or maybe not. I believe it is this one here and the writer was 
Italian: http://www.interazioni.it/opensource/chkusr/


postfix trumps chkusr/chkuser just as chkusr/chkuser trumps the cdb check.

First, chkusr vs rcptto.cdb. tcpserver + qmail-smtpd means a fresh fork 
for each new connection. The cdb rcptto means a disk access for each 
rcpt to check and regular rebuilds of the cdb database. chkusr/chkuser 
helps by keeping I/O of disk (okay we can contest whether looking up 
cdbs is better than looking up mysql tables or not but I think it is 
fair game to say that mysql lookups are more likely to be disk I/O free) 
and by not needing regular rebuilds of a cdb file. In fact, it offers 
instant/real-time user existence checks.


postfix improves on this by 1) no new fork for each connection (except 
perhaps initially if handling hundreds or thousands of connections right 
after startup of postfix) and 2) by using mysql connection pooling which 
means you don't hammer the mysql server into the ground with the 
constant setting up and breaking down of connections. This is without 
including all the great anti-spam features that postfix provides too.


IM2000 does not appear to be happening, DJB apparently will not make any 
more improvements to qmail to deal with today's Internet and I do not 
fancy mixing a bunch of patches to get similar functionality on 
tcpserver's less efficient architecture (one fork per new connection).


One of these days I am going to try to make dot-qmail/qmail-users 
support for postfix and see how much more fanatic some qmail guys are 
about qmail than I was. I can boast the ability to install qmail without 
even looking at the documentation and the ability to split a qmail 
queue's directory structure across different disks to get better 
delivery performance besides using the multiple qmail queue method. And 
having qmail patched and tuned to be able to push over a thousand 
qmail-remotes while under constant injections via qmail-smtpd and 
qmail-qmtpd non-stop.


I probably know/understand qmail better than you do. So if you are 
running a site with low traffic, by all means, continue using your 
patched qmail that requires you to stop the queue (and sometimes even 
the tcpserver for qmail-smtpd) before you can do any clean up of the 
queue and that might get you blocked for being 'abusive' because it 
opened up 120 connections to the same mx for whatever reason you got 
that composition of emails in the queue. I, for my part, cannot 
recommend qmail except for cases where it does not need an uber number 
of patches to be acceptable and does not require queue clean up and its 
delivery behaviour is tolerable. Sigh. But I am more inclined to teach 
others how to use qmail since it is so SIMPLE. When will spammers disappear?

Re: [vchkpw] vpopmail sans qmail.

[Rick Romero]

Christopher Chan wrote:




http://qmail.jms1.net/patches/validrcptto.cdb.shtml


There is a better patch for vpopmail support in qmail. A mysql patch 
that goes straight the vpopmail mysql database but I am not sure of 
its location. The writer even rebuffed one of Inter7's developers when 
someone floated the idea of qmail supporting vpopmail's mysql tables 
and the developer said he would write it since he was not aware of the 
patch's existence. So I believe the Inter7 guy drop it right then and 
there or maybe not. I believe it is this one here and the writer was 
Italian: http://www.interazioni.it/opensource/chkusr/


postfix trumps chkusr/chkuser just as chkusr/chkuser trumps the cdb 
check.


First, chkusr vs rcptto.cdb. tcpserver + qmail-smtpd means a fresh 
fork for each new connection. The cdb rcptto means a disk access for 
each rcpt to check and regular rebuilds of the cdb database. 
chkusr/chkuser helps by keeping I/O of disk (okay we can contest 
whether looking up cdbs is better than looking up mysql tables or not 
but I think it is fair game to say that mysql lookups are more likely 
to be disk I/O free) and by not needing regular rebuilds of a cdb 
file. In fact, it offers instant/real-time user existence checks.


In addition, I believe Matt Simerson authored a tcpserver mysql patch to 
allow the removal of cdb files altogether.  http://www.tnpi.biz - it's 
great for heavily loaded servers, because constantly recompiling that 
damn file with multiple processes tends to corrupt it.


I love qmail too, but I'm with ya on all the 'unapproved' patches and 
it's concurrency limitations.


Rick

Re: [vchkpw] vpopmail sans qmail.

[Christopher Chan]

In addition, I believe Matt Simerson authored a tcpserver mysql patch to 
allow the removal of cdb files altogether.  http://www.tnpi.biz - it's 
great for heavily loaded servers, because constantly recompiling that 
damn file with multiple processes tends to corrupt it.


Eh? Rebuilding it while multiple processes are accessing it corrupts 
it?!? Or multiple processes trying to rebuild the same file?




I love qmail too, but I'm with ya on all the 'unapproved' patches and 
it's concurrency limitations.


The mysql side of things could be alleviated by using sqlrelay. Don't 
hammer mysql. Hammer sqlrelay instead :)


Christopher

Re: [vchkpw] vpopmail sans qmail.

[Rick Romero]

Christopher Chan wrote:


In addition, I believe Matt Simerson authored a tcpserver mysql patch 
to allow the removal of cdb files altogether.  http://www.tnpi.biz - 
it's great for heavily loaded servers, because constantly recompiling 
that damn file with multiple processes tends to corrupt it.


Eh? Rebuilding it while multiple processes are accessing it corrupts 
it?!? Or multiple processes trying to rebuild the same file?
I believe it's multiple processes trying to rebuild the same file.  I've 
had a corrupted cdb for a long time - from courier POP auths.  I've 
never fixed it because I also have the mysql patches, and SMTP Auth in 
place.  
Everything works, so I'm not touching it until I completely rebuild that 
system :)




I love qmail too, but I'm with ya on all the 'unapproved' patches and 
it's concurrency limitations.


The mysql side of things could be alleviated by using sqlrelay. Don't 
hammer mysql. Hammer sqlrelay instead :)
Oh EXCELLENT tip.  I thought replicating the database to each server was 
the best solution, sqlrelay looks like it'll make things even better.


Thanks Christopher

Re: [vchkpw] vpopmail sans qmail.

[Christopher Chan]

Rick Romero wrote:

Christopher Chan wrote:


In addition, I believe Matt Simerson authored a tcpserver mysql patch 
to allow the removal of cdb files altogether.  http://www.tnpi.biz - 
it's great for heavily loaded servers, because constantly recompiling 
that damn file with multiple processes tends to corrupt it.


Eh? Rebuilding it while multiple processes are accessing it corrupts 
it?!? Or multiple processes trying to rebuild the same file?
I believe it's multiple processes trying to rebuild the same file.  I've 
had a corrupted cdb for a long time - from courier POP auths.  I've 
never fixed it because I also have the mysql patches, and SMTP Auth in 
place.  Everything works, so I'm not touching it until I completely 
rebuild that system :)


Heh. I do the same with postfix. SMTP-AUTH against vpopmail tables is a 
no brainer.






I love qmail too, but I'm with ya on all the 'unapproved' patches and 
it's concurrency limitations.


The mysql side of things could be alleviated by using sqlrelay. Don't 
hammer mysql. Hammer sqlrelay instead :)
Oh EXCELLENT tip.  I thought replicating the database to each server was 
the best solution, sqlrelay looks like it'll make things even better.


Thanks Christopher


You are welcome Rick. I would still keep a slave or two around :). Don't 
let the sudden huge decrease in load make you do drastic reductions in 
mysql server instances :D.

Re: [vchkpw] vpopmail sans qmail.

[DAve]

Christopher Chan wrote:

John Simpson wrote:

On 2006-12-18, at 0444, Christopher Chan wrote:

Darrel O'Pry wrote:

I'm currently considering replacing qmail in my mail systems.
I was wondering if anyone had tried vpopmail with postfix or exim and
what their experiences were.


Yeah, I use vpopmail with postfix. Love it. postfix user existence 
checks mean I don't have large queues.


How? I have looked for this several times in the past few years and not 
seen it. Other than the postfix.txt on the inter7 website, but nothing 
substantial about how it is done, caveats, etc.




funny, i've been doing the same thing using qmail (making sure 
recipient email addresses exist before accepting a RCPT command in the 
SMTP conversation) for over a year now.


Yes. with a patch. I know patches exist. I have nothing against qmail. I 
will recommend qmail where it is most suitable...as the mta for outgoing 
mails for a mailing list or as the second stage in the inbound system 
due to dot-qmail which is a delivery system that is second to none.




Uh oh, I feel it coming

soapbox
Patch smatch, if it's a patch everyone gets to beat qmail up and scream 
at each other about what a wasted never updated POS qmail is. So patches 
are bad bad bad. Only software that is poor and decrepit uses patches. 
But, let someone add that patch to the source code and bundle up a new 
package and suddenly every new user who posts a question is told You 
need the latest version. I have seen this many many times on many many 
maillists.


We have not had to make a security update to our qmail installs in the 5 
years we have been running them. All it took was running patch  
somediff a few times ONCE during the initial install.


Lets be honest here, most minor version upgrades in OSS are the result 
of contributed patches (developer or user). Yet no one is claiming that 
vpopmail/postfix/perl/ruby/python is a patchy POS after we see the 
developers accepting patches from users and rolling out an upgrade.


I propose that someone create a shell script that installs qmail and a 
set of user selected Modules chosen from a menu. Vpopmail could be a 
Module, chkuser could be a Module, bigip could be a Module.


You could even rerun the script to add/subtract Modules, much like 
Apache Toolbox. Maybe then people would get over their aversion to 
patches in qmail.

/soapbox

Thank you, I feel better, you may return to your regularly scheduled 
list mail.


DAve

--
Three years now I've asked Google why they don't have a
logo change for Memorial Day. Why do they choose to do logos
for other non-international holidays, but nothing for
Veterans?

Maybe they forgot who made that choice possible.

Re: [vchkpw] vpopmail sans qmail.

[Rick Romero]

DAve wrote:



soapbox
Patch smatch, if it's a patch everyone gets to beat qmail up and 
scream at each other about what a wasted never updated POS qmail is. 
So patches are bad bad bad. Only software that is poor and decrepit 
uses patches. But, let someone add that patch to the source code and 
bundle up a new package and suddenly every new user who posts a 
question is told You need the latest version. I have seen this many 
many times on many many maillists.


We have not had to make a security update to our qmail installs in the 
5 years we have been running them. All it took was running patch  
somediff a few times ONCE during the initial install.


Lets be honest here, most minor version upgrades in OSS are the result 
of contributed patches (developer or user). Yet no one is claiming 
that vpopmail/postfix/perl/ruby/python is a patchy POS after we see 
the developers accepting patches from users and rolling out an upgrade.
I think it would be nice to feel like to owner/author of qmail was 
actually behind it.   And to do that, he should be improving upon it - 
that is, accepting at least the patches that we all use.  Obviously it's 
not a complete product, unless you can point me to a substantial 'stock 
qmail' userbase.
Nobody can even provide binaries for the 'lessers' among us - so they 
will never use it.




I propose that someone create a shell script that installs qmail and a 
set of user selected Modules chosen from a menu. Vpopmail could be a 
Module, chkuser could be a Module, bigip could be a Module.
You could even rerun the script to add/subtract Modules, much like 
Apache Toolbox. Maybe then people would get over their aversion to 
patches in qmail.

/soapbox

Check out Matt Simerson's Mail::Toaster - I think the back end is even 
in CPAN now..

www.tnpi.biz.

I've totally felt like a 'Matt schill' lately, but IMHO what he has done 
just rocks.


Rick
Thank you, I feel better, you may return to your regularly scheduled 
list mail.


DAve

Re: [vchkpw] vpopmail sans qmail.

[DAve]

Rick Romero wrote:

DAve wrote:



soapbox
Patch smatch, if it's a patch everyone gets to beat qmail up and 
scream at each other about what a wasted never updated POS qmail is. 
So patches are bad bad bad. Only software that is poor and decrepit 
uses patches. But, let someone add that patch to the source code and 
bundle up a new package and suddenly every new user who posts a 
question is told You need the latest version. I have seen this many 
many times on many many maillists.


We have not had to make a security update to our qmail installs in the 
5 years we have been running them. All it took was running patch  
somediff a few times ONCE during the initial install.


Lets be honest here, most minor version upgrades in OSS are the result 
of contributed patches (developer or user). Yet no one is claiming 
that vpopmail/postfix/perl/ruby/python is a patchy POS after we see 
the developers accepting patches from users and rolling out an upgrade.
I think it would be nice to feel like to owner/author of qmail was 
actually behind it.   And to do that, he should be improving upon it - 
that is, accepting at least the patches that we all use.  Obviously it's 
not a complete product, unless you can point me to a substantial 'stock 
qmail' userbase.
Nobody can even provide binaries for the 'lessers' among us - so they 
will never use it.


Point taken, but the constant qmail is patchy as an excuse to belittle 
the software and it's users is getting on my nerves of late. I have also 
found myself falling into the if you can't build an email server, you 
shouldn't be administering one camp, blame it on the fact that I deal 
weekly with mis-configured Exchange servers and Barracuda installs. I 
ranted 8^o






I propose that someone create a shell script that installs qmail and a 
set of user selected Modules chosen from a menu. Vpopmail could be a 
Module, chkuser could be a Module, bigip could be a Module.
You could even rerun the script to add/subtract Modules, much like 
Apache Toolbox. Maybe then people would get over their aversion to 
patches in qmail.

/soapbox

Check out Matt Simerson's Mail::Toaster - I think the back end is even 
in CPAN now..

www.tnpi.biz.

I've totally felt like a 'Matt schill' lately, but IMHO what he has done 
just rocks.


Never feel bad for giving good advice. We already have a standard 
install procedure we use, or we would likely be running Matt's Toaster 
as well. I have never heard anything bad about it.


DAve
--
Three years now I've asked Google why they don't have a
logo change for Memorial Day. Why do they choose to do logos
for other non-international holidays, but nothing for
Veterans?

Maybe they forgot who made that choice possible.

Re: [vchkpw] vpopmail sans qmail.

[Darrel O'Pry]

On Mon, 2006-12-18 at 17:44 +0800, Christopher Chan wrote:
 Darrel O'Pry wrote:
  I'm currently considering replacing qmail in my mail systems.
  
  I was wondering if anyone had tried vpopmail with postfix or exim and
  what their experiences were.
snip



  I'd like to make the mail server change without changing my user
  management tool set. I've got too much tied to vpopmail. 
 
 You can inject mails from postfix one at a time into qmail and then 
 qmail will send it the normal way. Or you get yourself a delivery agent 
 that understands vpopmail or dot-qmail...

I'm less concerned about the smtp end of the equation. I'm more
interested in the deliver half of the equation. After all that is what
vpopmail plays a part in, and that is the part of the system I hope to
keep. I do radius and ftp authentication against it.

Currently I use vpopmail with mysql. I'm thinking I can use the vpopmail
table for delivery from postfix. I was wondering if anyone else had
attempted it yet. It seems like it would be an easy thing to do...

Re: [vchkpw] vpopmail sans qmail.

[Darrel O'Pry]

On Fri, 2006-12-22 at 11:02 -0600, Rick Romero wrote:
 I think it would be nice to feel like to owner/author of qmail was 
 actually behind it.   And to do that, he should be improving upon it - 
 that is, accepting at least the patches that we all use.  Obviously it's 
 not a complete product, unless you can point me to a substantial 'stock 
 qmail' userbase.
 Nobody can even provide binaries for the 'lessers' among us - so they 
 will never use it.

my rant

These couple lines are the crux of the problem for my higher ups. They
feel that there is not central driving force behind qmail on a fast
moving internet. It lacks user and general support base. It doesn't come
with our linux distribution, and it can't receive support from
packagers. If they want qmail support its one more vendor in the loop. 
I've got to interface with the business guys. 

Qmail's licensing is prohibitive to it's long term viability and Dan
Bernstein will drive his own software out of existence by not being a
responsible maintainer. I believe he wants it this way. 

5 nay 10 years ago almost... qmail was the bomb sniggety in a world of
defunct sendmails. It was fast, efficient, and simple to administer. Now
it shows its age. It's apparent that it isn't well maintained except for
a community that strongly believes in it, and for good reason. The
problems with qmail are not technical, they're political.

/myrant

ne ways, I have to migrate away from my beloved qmail. I'm not too happy
about it. 

Re: [vchkpw] vpopmail sans qmail.

[DAve]

Darrel O'Pry wrote:

On Fri, 2006-12-22 at 11:02 -0600, Rick Romero wrote:
I think it would be nice to feel like to owner/author of qmail was 
actually behind it.   And to do that, he should be improving upon it - 
that is, accepting at least the patches that we all use.  Obviously it's 
not a complete product, unless you can point me to a substantial 'stock 
qmail' userbase.
Nobody can even provide binaries for the 'lessers' among us - so they 
will never use it.


my rant

These couple lines are the crux of the problem for my higher ups. They
feel that there is not central driving force behind qmail on a fast
moving internet. It lacks user and general support base. It doesn't come
with our linux distribution, and it can't receive support from
packagers. If they want qmail support its one more vendor in the loop. 
I've got to interface with the business guys. 


I would contact one of the many commercial entities currently supporting 
qmail (how about Inter7?).


Your example would mean that you have to pay for both developer support 
and vendor support with something like Redhat. Redhat could always say 
it's a sendmail issue or it's a Postfix issue.


The stated problem of DJB not supporting qmail removes that, it is 
unlikely that anyone is the qmail commercial support community would say 
contact DJB, we can't fix that. In my experience just the opposite 
would happen, the qmail support community would respond sure we can 
change that. Look at what they already support.


Many people point to the myriad number of patches for qmail and proclaim 
it's out of date, it takes so many patches to do anything. I believe 
it is more a case of so many patches, I can configure/engineer almost 
any solution with qmail.


Just my thoughts and I should probably let the thread die. But if 
support is your stumbling block I would contact a commercial qmail 
support company, like the one running this list, and at least get a 
quote and a contract to review.


No, I don't work for inter7, I've not contracted with inter7 for 
support, they are not paying me to promote them. Though, I did take 
their offer for free stuff on the website and got some cool sh*t once ;^)


DAve



--
Three years now I've asked Google why they don't have a
logo change for Memorial Day. Why do they choose to do logos
for other non-international holidays, but nothing for
Veterans?

Maybe they forgot who made that choice possible.

Re: [vchkpw] vpopmail sans qmail.

[Christopher Chan]

I'm less concerned about the smtp end of the equation. I'm more
interested in the deliver half of the equation. After all that is what
vpopmail plays a part in, and that is the part of the system I hope to
keep. I do radius and ftp authentication against it.

Currently I use vpopmail with mysql. I'm thinking I can use the vpopmail
table for delivery from postfix. I was wondering if anyone else had
attempted it yet. It seems like it would be an easy thing to do...


Here is how I do it. It is not pretty if you depend on dot-qmail.

courier-authlib 0.58 + maildrop is my tool for local delivery.

You have to patch courier-authlib to get full vpopmail support 
(figures...there seems to be animosity between Sam and vpopmail?) which 
is a simple patch:


http://wiki.centos.org/HowTos/vpopmail?action=AttachFiledo=gettarget=courier-authlib-vpopmail.patch

You then have to compile maildrop 2.0.2 against courier-authlib so that 
it can use courier-authlib to pick up its settings from vpopmail.


So your lda is basically maildrop. The entire dot-qmail/qmail-users 
mechanism is completely bypassed :(.


master.cf:
maildrop  unix  -   n   n   -   -   pipe
  flags=DRhu user=vpopmail argv=/usr/local/bin/maildrop -d ${recipient}


main.cf:
virtual_transport = maildrop
maildrop_destination_recipient_limit = 1
virtual_alias_domains = /var/qmail/control/rcpthosts
virtual_mailbox_maps = proxy:mysql:/etc/postfix/rrm_static
virtual_alias_maps = proxy:mysql:/etc/postfix/valias # if needed


rrm_static:
domain = /var/qmail/control/rcpthosts

hosts = localhost

user = vpopmail
password = vpopmailpass

dbname = vpopmail

query = select concat(pw_name, '@', pw_domain) from vpopmail where 
pw_name = '%u' and pw_domain = '%d'


result_format = [EMAIL PROTECTED]


valias:
domain = /var/qmail/control/rcpthosts
hosts = localhost

user = vpopmail
password = vpopmailpass

dbname = vpopmail

query = select valias_line from valias where alias = '%u' and domain = '%d'

Re: [vchkpw] vpopmail sans qmail.

[Christopher Chan]

DAve wrote:

Christopher Chan wrote:

John Simpson wrote:

On 2006-12-18, at 0444, Christopher Chan wrote:

Darrel O'Pry wrote:

I'm currently considering replacing qmail in my mail systems.
I was wondering if anyone had tried vpopmail with postfix or exim and
what their experiences were.


Yeah, I use vpopmail with postfix. Love it. postfix user existence 
checks mean I don't have large queues.


How? I have looked for this several times in the past few years and not 
seen it. Other than the postfix.txt on the inter7 website, but nothing 
substantial about how it is done, caveats, etc.


Please see my post to Darrel. The caveat for the way I do it currently 
is you lose qmail-users and dot-qmail. Until someone writes a 
qmail-lspawn for postfix...you can only use maildrop + courier-authlib.






funny, i've been doing the same thing using qmail (making sure 
recipient email addresses exist before accepting a RCPT command in 
the SMTP conversation) for over a year now.


Yes. with a patch. I know patches exist. I have nothing against qmail. 
I will recommend qmail where it is most suitable...as the mta for 
outgoing mails for a mailing list or as the second stage in the 
inbound system due to dot-qmail which is a delivery system that is 
second to none.




Uh oh, I feel it coming


:)



soapbox
Patch smatch, if it's a patch everyone gets to beat qmail up and scream 
at each other about what a wasted never updated POS qmail is. So patches 
are bad bad bad. Only software that is poor and decrepit uses patches. 
But, let someone add that patch to the source code and bundle up a new 
package and suddenly every new user who posts a question is told You 
need the latest version. I have seen this many many times on many many 
maillists.


We have not had to make a security update to our qmail installs in the 5 
years we have been running them. All it took was running patch  
somediff a few times ONCE during the initial install.


Lets be honest here, most minor version upgrades in OSS are the result 
of contributed patches (developer or user). Yet no one is claiming that 
vpopmail/postfix/perl/ruby/python is a patchy POS after we see the 
developers accepting patches from users and rolling out an upgrade.



'I' don't mind patches. I, however, would rather point new ones to 
postfix than go through the whole patched qmail thing because after 
patching, qmail ceases to be simple. Might as well have them wrap their 
heads around postfix.

Re: [vchkpw] vpopmail sans qmail.

[Christopher Chan]

Darrel O'Pry wrote:

I'm currently considering replacing qmail in my mail systems.

I was wondering if anyone had tried vpopmail with postfix or exim and
what their experiences were.


Yeah, I use vpopmail with postfix. Love it. postfix user existence 
checks mean I don't have large queues. vpopmail + mysql + postfix in my 
configuration.




I'd like to make the mail server change without changing my user
management tool set. I've got too much tied to vpopmail. 


You can inject mails from postfix one at a time into qmail and then 
qmail will send it the normal way. Or you get yourself a delivery agent 
that understands vpopmail or dot-qmail...


It would be nice if there was an option for vpopmail to manage the 
/var/qmail/control/* files without qmail actually installed...for 
postfix I just need the contents of locals and rcpthosts...really just 
rcpthosts

[vchkpw] vpopmail sans qmail.

[Darrel O'Pry]

I'm currently considering replacing qmail in my mail systems.

I was wondering if anyone had tried vpopmail with postfix or exim and
what their experiences were.

I'd like to make the mail server change without changing my user
management tool set. I've got too much tied to vpopmail. 

.darrel.