RE: [vchkpw] FW: chkuser 2.0 doesn't appear to be working
At 02.15 10/03/2006, you wrote: #ifndef TLS This means that it will only run chkuser if you didn't compile it with TLS support, which you might have done. If TLS is defined, I don't see chkuser being included in the executable. You need the chkuser calls in the TLS/SSL section as well. This is not an if structure as it would be in regular code. This is a compiler direction, that tells it to completely ignore those parts at COMPILE TIME. Meaning, that those parts may never get included... ever... in the executable. Of course I'm making an assumption that TLS is defined :) -M Yes, I agree with this observation. But I want to tell something more: I don't understand why, in this phase, someone is still checking for TLS code. The TLS phase has already been done initially, so I find all this TLS code here to be completely useless from an analytic point of view. Infact, Shupp's version of this code in the same point has zero code related to TLS. I find that if you DELETE all the code related to TLS, within this routine smtp_mail(), you'll semplify all. Tonino Lee Evans <[EMAIL PROTECTED]> wrote: > You could post here (or send me) the routine where chkuser is > called (both for sender and recipients), just to see what to change. I have attached snippets from qmail-smtpd.c showing the send & rcpt routines and chkuser code I hope this is what you meant. > [Is chkuser.h included in a valid point within qmail-smtpd.c?] I have: #include "fd.h" #include "dns.h" #include "spf.h" /*chkuser*/ #include "chkuser.h" Thanks Lee void smtp_mail(arg) char *arg; { int r; rcptcounter = 0 ; if (!addrparse(arg)) { err_syntax(); return; } /*chkuser*/ if (chkuser_sender (&addr) != CHKUSER_OK) { return; } /*chkuser end*/ flagbarf = bmfcheck(); switch(mfcheck()) { case DNS_HARD: err_hmf(); return; case DNS_SOFT: err_smf(); return; case DNS_MEM: die_nomem(); } flagbarfspf = 0; if (spfbehavior && !relayclient) { switch (r = spfcheck()) { case SPF_OK: env_put2("SPFRESULT","pass"); break; case SPF_NONE: env_put2("SPFRESULT","none"); break; case SPF_UNKNOWN: env_put2("SPFRESULT","unknown"); break; case SPF_NEUTRAL: env_put2("SPFRESULT","neutral"); break; case SPF_SOFTFAIL: env_put2("SPFRESULT","softfail"); break; case SPF_FAIL: env_put2("SPFRESULT","fail"); break; case SPF_ERROR: env_put2("SPFRESULT","error"); break; } switch (r) { case SPF_NOMEM: die_nomem(); case SPF_ERROR: if (spfbehavior < 2) break ; out ("451 SPF lookup failure (#4.3.0)\r\n"); return; case SPF_NONE: case SPF_UNKNOWN: if (spfbehavior < 6) break ; case SPF_NEUTRAL: if (spfbehavior < 5) break ; case SPF_SOFTFAIL: if (spfbehavior < 4) break ; case SPF_FAIL: if (spfbehavior < 3) break ; if (!spfexplanation(&spfbarfmsg)) die_nomem(); if (!stralloc_0(&spfbarfmsg)) die_nomem(); flagbarfspf = 1; } } else env_unset("SPFRESULT"); seenmail = 1; if (!stralloc_copys(&rcptto,"")) die_nomem(); if (!stralloc_copys(&mailfrom,addr.s)) die_nomem(); if (!stralloc_0(&mailfrom)) die_nomem(); out("250 ok\r\n"); } void smtp_rcpt(arg) char *arg; { rcptcounter++; if (!seenmail) { err_wantmail(); return; } if (checkrcptcount() == 1) { err_syntax(); return; } if (!addrparse(arg)) { err_syntax(); return; } if (flagbarf) { err_bmf(); return; } if (flagbarfspf) { err_spf(); return; } if (relayclient) { --addr.len; if (!stralloc_cats(&addr,relayclient)) die_nomem(); if (!stralloc_0(&addr)) die_nomem(); } else #ifndef TLS if (!addrallowed()) { err_nogateway(); return; } /*chkuser*/ switch (chkuser_realrcpt (&mailfrom, &addr)) { case CHKUSER_KO: return; break; case CHKUSER_RELAYING: --addr.len; if (!stralloc_cats(&addr,relayclient)) die_nomem(); if (!stralloc_0(&addr)) die_nomem(); break; } /*end chkuser*/ #else if (!addrallowed()) { if (ssl) { STACK_OF(X509_NAME) *sk; X509 *peercert; stralloc tlsclients = {0}; struct constmap maptlsclients; int r; SSL_set_verify(ssl, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE, verify_cb); if ((sk = SSL_load_client_CA_file("control/clientca.pem")) == NULL) { err_nogateway(); return; } SSL_set_client_CA_list(ssl, sk); if((control_readfile(&tlsclients,"control/tlsclients",0) != 1) || !constmap_init(&maptlsclients,tlsclients.s,tlsclients.len,0)) { err_nogateway(); return; } SSL_renegotiate(ssl); SSL_do_handshake(ssl); ssl->state = SSL_ST_ACCEPT; SSL_do_handshake(ssl); if ((r = SSL_get_verify_result(ssl)) != X509_V_OK) {out("553 no valid cert for gatewaying: "); out(X509_verify_cert_error_string(r)); out(" (#5.7.1)\r\n"); return; } if (peercert = SSL_get_peer_certificate(ssl)) {char emailAddress[256]; X509_NAME_get_text_by_NID(X509_get_subject_name( SSL_get_peer_certificate(ssl)), NID_pkcs9_emailAddress, emailAddress, 256); if (!stralloc_copys(&clientcert, emailAddress)) die_nomem(); if (!constmap(&maptlsclients,clientcert.s,clientcert.len)) { err_nogwcert(); return; } relayclient = ""; } else { err_nogwcert(); return; } } else
RE: [vchkpw] FW: chkuser 2.0 doesn't appear to be working
> #ifndef TLS > > This means that it will only run chkuser if you didn't > compile it with TLS support, which you might have done. If > TLS is defined, I don't see chkuser being included in the > executable. You need the chkuser calls in the TLS/SSL > section as well. > This is not an if structure as it would be in regular code. > This is a compiler direction, that tells it to completely > ignore those parts at COMPILE TIME. Meaning, that those > parts may never get included... ever... in the executable. > Of course I'm making an assumption that TLS is defined :) Thanks - that makes sense. I *am* building with TLS support, so I guess that explains it. Should I include the same code after #else if (!addrallowed()) Or does it need to go somewhere else? Thanks Lee
RE: [vchkpw] FW: chkuser 2.0 doesn't appear to be working
#ifndef TLSThis means that it will only run chkuser if you didn't compile it with TLS support, which you might have done. If TLS is defined, I don't see chkuser being included in the executable. You need the chkuser calls in the TLS/SSL section as well.This is not an if structure as it would be in regular code. This is a compiler direction, that tells it to completely ignore those parts at COMPILE TIME. Meaning, that those parts may never get included... ever... in the executable.Of course I'm making an assumption that TLS is defined :)-M Lee Evans <[EMAIL PROTECTED]> wrote: > You could post here (or send me) the routine where chkuser is > called (both for sender and recipients), just to see what to change.I have attached snippets from qmail-smtpd.c showing the send & rcpt routinesand chkuser code I hope this is what you meant. > [Is chkuser.h included in a valid point within qmail-smtpd.c?]I have:#include "fd.h"#include "dns.h"#include "spf.h"/*chkuser*/#include "chkuser.h"ThanksLeevoid smtp_mail(arg) char *arg;{ int r; rcptcounter = 0 ; if (!addrparse(arg)) { err_syntax(); return; } /*chkuser*/ if (chkuser_sender (&addr) != CHKUSER_OK) { return; } /*chkuser end*/ flagbarf = bmfcheck(); switch(mfcheck()) {case DNS_HARD: err_hmf(); return;case DNS_SOFT: err_smf(); return;case DNS_MEM: die_nomem(); } flagbarfspf = 0; if (spfbehavior && !relayclient) {switch (r = spfcheck()){ case SPF_OK: env_put2("SPFRESULT","pass"); break; case SPF_NONE: env_put2("SPFRESULT","none"); break; case SPF_UNKNOWN: env_put2("SPFRESULT","unknown"); break; case SPF_NEUTRAL: env_put2("SPFRESULT","neutral"); break; case SPF_SOFTFAIL: env_put2("SPFRESULT","softfail"); break; case SPF_FAIL: env_put2("SPFRESULT","fail"); break; case SPF_ERROR: env_put2("SPFRESULT","error"); break;}switch (r){ case SPF_NOMEM:die_nomem(); case SPF_ERROR:if (spfbehavior < 2) break ;out ("451 SPF lookup failure (#4.3.0)\r\n");return; case SPF_NONE: case SPF_UNKNOWN:if (spfbehavior < 6) break ; case SPF_NEUTRAL:if (spfbehavior < 5) break ; case SPF_SOFTFAIL:if (spfbehavior < 4) break ; case SPF_FAIL:if (spfbehavior < 3) break ;if (!spfexplanation(&spfbarfmsg)) die_nomem();if (!stralloc_0(&spfbarfmsg)) die_nomem();flagbarfspf = 1;} } else env_unset("SPFRESULT"); seenmail = 1; if (!stralloc_copys(&rcptto,"")) die_nomem(); if (!stralloc_copys(&mailfrom,addr.s)) die_nomem(); if (!stralloc_0(&mailfrom)) die_nomem(); out("250 ok\r\n");}void smtp_rcpt(arg) char *arg; { rcptcounter++; if (!seenmail) { err_wantmail(); return; } if (checkrcptcount() == 1) { err_syntax(); return; } if (!addrparse(arg)) { err_syntax(); return; } if (flagbarf) { err_bmf(); return; } if (flagbarfspf) { err_spf(); return; } if (relayclient) {--addr.len;if (!stralloc_cats(&addr,relayclient)) die_nomem();if (!stralloc_0(&addr)) die_nomem(); } else#ifndef TLSif (!addrallowed()) { err_nogateway(); return; }/*chkuser*/switch (chkuser_realrcpt (&mailfrom, &addr)) {case CHKUSER_KO: return; break;case CHKUSER_RELAYING: --addr.len; if (!stralloc_cats(&addr,relayclient)) die_nomem(); if (!stralloc_0(&addr)) die_nomem(); break;}/*end chkuser*/#elseif (!addrallowed()) { if (ssl) { STACK_OF(X509_NAME) *sk;X509 *peercert;stralloc tlsclients = {0};struct constmap maptlsclients;int r;SSL_set_verify(ssl, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE, verify_cb);if ((sk = SSL_load_client_CA_file("control/clientca.pem")) == NULL) { err_nogateway(); return; }SSL_set_client_CA_list(ssl, sk); if((control_readfile(&tlsclients,"control/tlsclients",0) != 1) || !constmap_init(&maptlsclients,tlsclients.s,tlsclients.len,0)) { err_nogateway(); return; }SSL_renegotiate(ssl);SSL_do_handshake(ssl);ssl->state = SSL_ST_ACCEPT; SSL_do_handshake(ssl);if ((r = SSL_get_verify_result(ssl)) != X509_V_OK) {out("553 no valid cert for gatewaying: "); out(X509_verify_cert_error_string(r)); out(" (#5.7.1)\r\n"); return; }if (peercert = SSL_get_peer_certificate(ssl)) {char emailAddress[256]; X509_NAME_get_text_by_NID(X509_get_subject_name( SSL_get_peer_certificate(ssl)), NID_pkcs9_emailAddress, emailAddress, 256); if (!stralloc_copys(&clientcert, emailAddress)) die_nomem(); if (!constmap(&maptlsclients,clientcert.s,clientcert.len)){ err_nogwcert(); return; } relayclient = ""; } else { err_nogwcert(); return; } } else { err_nogateway(); return; } }#endif if (!stralloc_cats(&rcptto,"T")) die_n
RE: [vchkpw] FW: chkuser 2.0 doesn't appear to be working
> You could post here (or send me) the routine where chkuser is > called (both for sender and recipients), just to see what to change. I have attached snippets from qmail-smtpd.c showing the send & rcpt routines and chkuser code I hope this is what you meant. > [Is chkuser.h included in a valid point within qmail-smtpd.c?] I have: #include "fd.h" #include "dns.h" #include "spf.h" /*chkuser*/ #include "chkuser.h" Thanks Lee void smtp_mail(arg) char *arg; { int r; rcptcounter = 0 ; if (!addrparse(arg)) { err_syntax(); return; } /*chkuser*/ if (chkuser_sender (&addr) != CHKUSER_OK) { return; } /*chkuser end*/ flagbarf = bmfcheck(); switch(mfcheck()) { case DNS_HARD: err_hmf(); return; case DNS_SOFT: err_smf(); return; case DNS_MEM: die_nomem(); } flagbarfspf = 0; if (spfbehavior && !relayclient) { switch (r = spfcheck()) { case SPF_OK: env_put2("SPFRESULT","pass"); break; case SPF_NONE: env_put2("SPFRESULT","none"); break; case SPF_UNKNOWN: env_put2("SPFRESULT","unknown"); break; case SPF_NEUTRAL: env_put2("SPFRESULT","neutral"); break; case SPF_SOFTFAIL: env_put2("SPFRESULT","softfail"); break; case SPF_FAIL: env_put2("SPFRESULT","fail"); break; case SPF_ERROR: env_put2("SPFRESULT","error"); break; } switch (r) { case SPF_NOMEM: die_nomem(); case SPF_ERROR: if (spfbehavior < 2) break ; out ("451 SPF lookup failure (#4.3.0)\r\n"); return; case SPF_NONE: case SPF_UNKNOWN: if (spfbehavior < 6) break ; case SPF_NEUTRAL: if (spfbehavior < 5) break ; case SPF_SOFTFAIL: if (spfbehavior < 4) break ; case SPF_FAIL: if (spfbehavior < 3) break ; if (!spfexplanation(&spfbarfmsg)) die_nomem(); if (!stralloc_0(&spfbarfmsg)) die_nomem(); flagbarfspf = 1; } } else env_unset("SPFRESULT"); seenmail = 1; if (!stralloc_copys(&rcptto,"")) die_nomem(); if (!stralloc_copys(&mailfrom,addr.s)) die_nomem(); if (!stralloc_0(&mailfrom)) die_nomem(); out("250 ok\r\n"); } void smtp_rcpt(arg) char *arg; { rcptcounter++; if (!seenmail) { err_wantmail(); return; } if (checkrcptcount() == 1) { err_syntax(); return; } if (!addrparse(arg)) { err_syntax(); return; } if (flagbarf) { err_bmf(); return; } if (flagbarfspf) { err_spf(); return; } if (relayclient) { --addr.len; if (!stralloc_cats(&addr,relayclient)) die_nomem(); if (!stralloc_0(&addr)) die_nomem(); } else #ifndef TLS if (!addrallowed()) { err_nogateway(); return; } /*chkuser*/ switch (chkuser_realrcpt (&mailfrom, &addr)) { case CHKUSER_KO: return; break; case CHKUSER_RELAYING: --addr.len; if (!stralloc_cats(&addr,relayclient)) die_nomem(); if (!stralloc_0(&addr)) die_nomem(); break; } /*end chkuser*/ #else if (!addrallowed()) { if (ssl) { STACK_OF(X509_NAME) *sk; X509 *peercert; stralloc tlsclients = {0}; struct constmap maptlsclients; int r; SSL_set_verify(ssl, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE, verify_cb); if ((sk = SSL_load_client_CA_file("control/clientca.pem")) == NULL) { err_nogateway(); return; } SSL_set_client_CA_list(ssl, sk); if((control_readfile(&tlsclients,"control/tlsclients",0) != 1) || !constmap_init(&maptlsclients,tlsclients.s,tlsclients.len,0)) { err_nogateway(); return; } SSL_renegotiate(ssl); SSL_do_handshake(ssl); ssl->state = SSL_ST_ACCEPT; SSL_do_handshake(ssl); if ((r = SSL_get_verify_result(ssl)) != X509_V_OK) {out("553 no valid cert for gatewaying: "); out(X509_verify_cert_error_string(r)); out(" (#5.7.1)\r\n"); return; } if (peercert = SSL_get_peer_certificate(ssl)) {char emailAddress[256]; X509_NAME_get_text_by_NID(X509_get_subject_name( SSL_get_peer_certificate(ssl)), NID_pkcs9_emailAddress, emailAddress, 256); if (!stralloc_copys(&clientcert, emailAddress)) die_nomem(); if (!constmap(&maptlsclients,clientcert.s,clientcert.len)) { err_nogwcert(); return; } relayclient = ""; } else { err_nogwcert(); return; } } else { err_nogateway(); return; } } #endif if (!stralloc_cats(&rcptto,"T")) die_nomem(); if (!stralloc_cats(&rcptto,addr.s)) die_nomem(); if (!stralloc_0(&rcptto)) die_nomem(); out("250 ok\r\n"); }
RE: [vchkpw] FW: chkuser 2.0 doesn't appear to be working
At 20.32 09/03/2006, you wrote: mail.leeevans.org > > If you compiled it with standard chkuser_settings.h, you > should see some logs during this emulated session. > > I have doubts chkuser code is called. I have the same doubts. I have CHKUSER_ENABLE_LOGGING CHKUSER_LOG_VALID_RCPT and CHKUSER_LOG_VALID_SENDER all defined. I don't see anything related to chkuser in /var/log/qmail/qmail-smtpd/current when processing mail. It's a very crude test, I know, but if I do 'strings qmail-smtpd | grep chkuser' it returns the various SMTP error codes/messages chkuser would produce so I know the code is at least in there somewhere You could post here (or send me) the routine where chkuser is called (both for sender and recipients), just to see what to change. [Is chkuser.h included in a valid point within qmail-smtpd.c?] Tonino Thanks Lee
RE: [vchkpw] FW: chkuser 2.0 doesn't appear to be working
I should ask- Is the domain set the 'bounce-no-mailbox' or do you have a catch all account? If you have a catch-all account, checkuser disables itself (as all recipients are valid). Disable the catch-all account if any and then see if it works.-M"tonix (Antonio Nati)" <[EMAIL PROTECTED]> wrote:>[EMAIL PROTECTED] qmail-1.03]# ./qmail-smtpd>220 mail.leeevans.org ESMTP>mail from [EMAIL PROTECTED]>250 ok>rcpt to:[EMAIL PROTECTED]>250 ok>quit
RE: [vchkpw] FW: chkuser 2.0 doesn't appear to be working
mail.leeevans.org > > If you compiled it with standard chkuser_settings.h, you > should see some logs during this emulated session. > > I have doubts chkuser code is called. I have the same doubts. I have CHKUSER_ENABLE_LOGGING CHKUSER_LOG_VALID_RCPT and CHKUSER_LOG_VALID_SENDER all defined. I don't see anything related to chkuser in /var/log/qmail/qmail-smtpd/current when processing mail. It's a very crude test, I know, but if I do 'strings qmail-smtpd | grep chkuser' it returns the various SMTP error codes/messages chkuser would produce so I know the code is at least in there somewhere Thanks Lee
RE: [vchkpw] FW: chkuser 2.0 doesn't appear to be working
At 18.08 09/03/2006, you wrote: > Did you try what's suggested in > http://www.interazioni.it/opensource/chkuser/documentation/faq, > running manually qmail-smtpd? > > Did you check which is the user qmail-smtpd is running as? > > Tonino My qmail-smtpd is running through TCP Server as usver vpopmail and group vchkpw If I run manually I have no evidence of chkuser: [EMAIL PROTECTED] qmail-1.03]# ./qmail-smtpd 220 mail.leeevans.org ESMTP mail from [EMAIL PROTECTED] 250 ok rcpt to:[EMAIL PROTECTED] 250 ok quit 221 mail.leeevans.org If you compiled it with standard chkuser_settings.h, you should see some logs during this emulated session. I have doubts chkuser code is called. Tonino Regards Lee
RE: [vchkpw] FW: chkuser 2.0 doesn't appear to be working
At 18.08 09/03/2006, you wrote: > Did you try what's suggested in > http://www.interazioni.it/opensource/chkuser/documentation/faq, > running manually qmail-smtpd? > > Did you check which is the user qmail-smtpd is running as? > > Tonino My qmail-smtpd is running through TCP Server as usver vpopmail and group vchkpw If I run manually I have no evidence of chkuser: [EMAIL PROTECTED] qmail-1.03]# ./qmail-smtpd 220 mail.leeevans.org ESMTP mail from [EMAIL PROTECTED] 250 ok rcpt to:[EMAIL PROTECTED] 250 ok quit 221 mail.leeevans.org What does contain .qmail-default for that domain? Tonino Regards Lee
RE: [vchkpw] FW: chkuser 2.0 doesn't appear to be working
> Did you try what's suggested in > http://www.interazioni.it/opensource/chkuser/documentation/faq, > running manually qmail-smtpd? > > Did you check which is the user qmail-smtpd is running as? > > Tonino My qmail-smtpd is running through TCP Server as usver vpopmail and group vchkpw If I run manually I have no evidence of chkuser: [EMAIL PROTECTED] qmail-1.03]# ./qmail-smtpd 220 mail.leeevans.org ESMTP mail from [EMAIL PROTECTED] 250 ok rcpt to:[EMAIL PROTECTED] 250 ok quit 221 mail.leeevans.org Regards Lee
RE: [vchkpw] FW: chkuser 2.0 doesn't appear to be working
At 17.43 09/03/2006, you wrote: > You should give more informations... > > Have you tried what's suggested in > http://www.interazioni.it/opensource/chkuser/documentation/faq > /enabling.html ? Thank you for the response. Sorry about not providing enough information I have followed the instructions at the above URL I have two domains on my server at this time, one of which is setup with bounce-no-mailbox and one which is not. For testing purposes I am trying to send email to "[EMAIL PROTECTED]" where domain.com is configured with bounce-no-mailbox. As shown: [EMAIL PROTECTED] qmail-1.03]# cat /home/vpopmail/domains/domain.com/.qmail-default | /home/vpopmail/bin/vdelivermail '' bounce-no-mailbox [EMAIL PROTECTED] qmail-1.03] This is confirmed as shortly after sending test email I receive an email at the account I use for envelope from: saying: <[EMAIL PROTECTED]>: Sorry, no mailbox here by that name. vpopmail (#5.1.1) As would be expected without the chkuser package. I also tried to recompile after setting the option CHKUSER_ALWAYS_ON to see if this would make a difference, but there was no change to the behaviour Did you try what's suggested in http://www.interazioni.it/opensource/chkuser/documentation/faq, running manually qmail-smtpd? Did you check which is the user qmail-smtpd is running as? Tonino Regards Lee
RE: [vchkpw] FW: chkuser 2.0 doesn't appear to be working
> You should give more informations... > > Have you tried what's suggested in > http://www.interazioni.it/opensource/chkuser/documentation/faq > /enabling.html ? Thank you for the response. Sorry about not providing enough information I have followed the instructions at the above URL I have two domains on my server at this time, one of which is setup with bounce-no-mailbox and one which is not. For testing purposes I am trying to send email to "[EMAIL PROTECTED]" where domain.com is configured with bounce-no-mailbox. As shown: [EMAIL PROTECTED] qmail-1.03]# cat /home/vpopmail/domains/domain.com/.qmail-default | /home/vpopmail/bin/vdelivermail '' bounce-no-mailbox [EMAIL PROTECTED] qmail-1.03] This is confirmed as shortly after sending test email I receive an email at the account I use for envelope from: saying: <[EMAIL PROTECTED]>: Sorry, no mailbox here by that name. vpopmail (#5.1.1) As would be expected without the chkuser package. I also tried to recompile after setting the option CHKUSER_ALWAYS_ON to see if this would make a difference, but there was no change to the behaviour Regards Lee
Re: [vchkpw] FW: chkuser 2.0 doesn't appear to be working
Lee Evans wrote: Hi, I'm hoping somebody will be able to help me with a problem I appear to be having with chkuser 2.0. ---snip--- However - if I run the new qmail-smtpd binary to check the funcationality as recommended it does not appear to be doing any rcpt to: checks - an ok result is returned no matter what username I supply before a valid rcpt host. Can anyone make any suggestions as to what I can do to try and locate the problem? Hi, What's in your .qmail-default file ? If it doesn't contain bounce-no-mailbox on the first line, it's going to accept everything. Regards, Rick
Re: [vchkpw] FW: chkuser 2.0 doesn't appear to be working
At 17.13 09/03/2006, you wrote: Hi, I'm hoping somebody will be able to help me with a problem I appear to be having with chkuser 2.0. I built my qmail installation from the qmailrocks bundle, which I've done a few times in the past so I haven't had any problems there. I was looking for a suitalbe solution to block SMTP delivery to unknown local recipients and I would prefer to use chkuser instead of the what appears to be a suitalbe alternative, validrcptto, as I anticipate quite a high number of users and regular updates to accounts & aliases. With validrcppto I need to build & maintain another user database outside of the vpopmail configuration. I have downloded the latest tarball of chkuser and followed the installation instructions. The patches would not apply to my qmailrocks source, so I implemented the changes by hand. Initially compilation failed due to repeated dns.o references, that was my fault and was easily repaired. The changes also seem to have affected the compliation of spfquery.c - I managed to fix this though and compliation now appears to be successful. However - if I run the new qmail-smtpd binary to check the funcationality as recommended it does not appear to be doing any rcpt to: checks - an ok result is returned no matter what username I supply before a valid rcpt host. Can anyone make any suggestions as to what I can do to try and locate the problem? You should give more informations... Have you tried what's suggested in http://www.interazioni.it/opensource/chkuser/documentation/faq/enabling.html ? Tonino Thanks Lee