Re: [vchkpw] Re: [toaster] filtering outgoing emails

2006-10-26 Thread John Simpson

On 2006-10-25, at 1756, Howard Jones wrote:

> I've just started using qpsmtpd to do SMTP AUTH against my vpopmail
> users with vchkpw, to avoid running a patched qmail-smtpd[1]...
>
> [1] actually, it's to avoid having to reconcile SMTP AUTH patches with
> chkuser, which I already use, and couldn't live without. I run
> qmail-smtpd with chkuser for the 'public' MX SMTP service, and qpsmtpd
> for my local user's relay SMTP server, with auth and SSL.


you are aware that there are other patches out there which do the  
same thing that chkuser does, which do work with AUTH, TLS, and  
SSL, and which don't rely specifically on vpopmail (i.e. when you  
upgrade vpopmail you don't have to re-compile qmail)?


i mention this because i wrote such a patch- instead of looking  
directly at vpopmail's files (or mysql database, or however you have  
vpopmail configured) it reads a single cdb file where the keys are  
email addresses, and the values (for now) are ignored. it also  
handles -default addresses in the expected manner (i.e. if the  
validrcptto.cdb file contains [EMAIL PROTECTED], qmail-smtpd will  
accept [EMAIL PROTECTED].)


i also have a combined patch which includes this one, plus all of the  
other standard things people seem to look for when patching qmail-  
TLS (both inbound and outbound), AUTH (both inbound and outbound),  
SPF with logging, my AUTH_SET patch (which allows you to add, change,  
or delete environment variables when a successful AUTH command is  
sent, and have those changes take effect where appropriate),  
badmailfrom/badrcptto with regular expressions, the ext_todo patch  
(which breaks qmail-send into two programs so that classifications  
and deliveries don't hold each other up, the so-called silly qmail  
syndrome), a patch which i've written but not yet documented which  
handles the AUTH command using a cdb file rather than calling an  
external program, and more.


my server has been very happily using this combined patch for several  
months, rejecting messages sent to non-existent mailboxes while still  
supporting STARTTLS and AUTH.


i have an entire web site devoted to this stuff, here are two pages  
to start with:


http://qmail.jms1.net/patches/validrcptto.cdb.shtml
http://qmail.jms1.net/patches/combined.shtml

you may have other reasons for wanting to stick with chkuser, but you  
should at least look at other options (if you haven't already done so.)


--
| John M. Simpson - KG4ZOW - Programmer At Large |
| http://www.jms1.net/   [EMAIL PROTECTED] |
--
| Mac OS X proves that it's easier to make UNIX  |
| pretty than it is to make Windows secure.  |
--
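
The lookup described in the message above, as an added example rather than code from the patch: it tries the exact address first, then `-default` keys in the order qmail uses for `.qmail-default` files (an assumption about what "the expected manner" means here). The Python set, the example.com addresses and the function names are constructed stand-ins for the cdb file and the patch's internals.

```python
# Constructed stand-in for the keys of a validrcptto.cdb file; a real
# deployment would query the cdb itself instead of a Python set.
VALID_KEYS = {
    "alice@example.com",
    "lists-default@example.com",      # covers lists-<anything>@example.com
    "bob-work-default@example.com",   # covers bob-work-<anything> only
}

def candidate_keys(rcpt):
    """Keys to try for one RCPT TO address, most specific first."""
    local, _, domain = rcpt.strip().lower().rpartition("@")
    keys = [f"{local}@{domain}"]
    parts = local.split("-")
    # Assumed order, as in qmail's .qmail-default handling:
    # user-a-b -> user-a-default -> user-default
    for i in range(len(parts) - 1, 0, -1):
        keys.append("-".join(parts[:i]) + f"-default@{domain}")
    return keys

def rcpt_is_valid(rcpt, valid_keys=VALID_KEYS):
    """True if the recipient, or a -default entry covering it, is listed."""
    if rcpt.count("@") != 1 or rcpt.startswith("@") or rcpt.endswith("@"):
        return False   # not user@domain, so it can never be a key
    return any(key in valid_keys for key in candidate_keys(rcpt))

if __name__ == "__main__":
    for addr in ("alice@example.com", "lists-announce@example.com",
                 "bob-work-2006@example.com", "bob-home@example.com",
                 "nobody@example.com"):
        print(addr, "->", "accept" if rcpt_is_valid(addr) else "reject")
```

Note that a `-default` key covers extensions only: `lists@example.com` is rejected unless it has its own entry.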






Re: [vchkpw] Re: [toaster] filtering outgoing emails

2006-10-26 Thread Howard Jones
John Simpson wrote:

> you may have other reasons for wanting to stick with chkuser, but you
> should at least look at other options (if you haven't already done so.)

I haven't bothered before now, but now that's two (different?) patchsets
to try out for TLS+AUTH+chkuser+etc+etc :-) The last time I looked
around, the only chkuser-equivalents I could find depended on reading
vpopmail's mysql databases directly, which wasn't much help for our
cdb-based installation.

Thanks for the pointer - SPF is another thing I've been meaning to look
into, so I guess it's time to build a test machine.

Cheers,

Howie


Re: [vchkpw] Re: [toaster] filtering outgoing emails

2006-10-25 Thread John Simpson

On 2006-10-25, at 1614, Ingo Claro wrote:

> Jeff Koch wrote:
>
>> We are getting demands from large ISP's - Comcast, AOL, ATT -
>> that we spam filter all outgoing email. We're using simscan to
>> filter incoming email but I think that misses email generated by
>> our customers and autoresponders. Can it be accomplished by
>> modifying /home/vpopmail/etc/tcp.smtp ?
>>
>> How are other qmail users handling this?
>
> i'm also interested in this feature. Have you found how to filter
> outgoing messages? for incoming messages I use maildrop


you can still use simscan. the trick is to make your customers send  
their mail through simscan.


i always did this by blocking outbound traffic to port 25/tcp at the  
router, unless the source IP was one of my mail servers. this leaves  
the users no choice but to use your mail server- and if all of your  
servers' SMTP services run the messages through simscan, all of your  
users' outgoing mail will be scanned while coming into your server,  
and your server will only send the clean mail out to the internet.


some users will grumble about it, but once they figure out how to  
change their settings, most of them will never have to mess with it  
again. you will find two types of people who need special handling:


- some users may be required to use a specific mail server at their  
office for outbound mail. these users should talk to their company's  
IT department about how to use an SMTP service on a port number other  
than 25- preferably one which requires AUTH, and is encrypted. if  
this is not available, make an exception in your filter which allows  
outbound traffic to port 25 on that company's SMTP server so that  
these employees can do their jobs, but you are still blocking  
outbound traffic to port 25 everywhere else in the world.


- spammers who can no longer send mail directly out... these users  
should die a slow painful death. forcing them to send their outbound  
mail through your server also allows you to easily track how much  
mail they're sending- and if your company charges a fee for cleaning  
up after a spammer (i always charged 10 cents per message) it makes  
it very easy to document how much spam they sent and know how much to  
charge them for your time dealing with other ISPs' complaints and  
getting your servers' IP addresses removed from the blacklists.


and yes, the cleanup fee does work, especially if you have a credit  
card number on file for a customer. we had a user who actually sent  
almost 3,500 messages out before i locked him out- we charged his  
credit card $349 and change, and when he tried to challenge it with  
his bank, we sent the bank a copy of our agreement and a list of the  
messages he sent- the bank ended up confirming the charge and we did  
get the money. (this was in florida, usa, the laws may be different  
where you are.)


--
| John M. Simpson - KG4ZOW - Programmer At Large |
| http://www.jms1.net/   [EMAIL PROTECTED] |
--
| Mac OS X proves that it's easier to make UNIX  |
| pretty than it is to make Windows secure.  |
--
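
Routing all customer mail through your own servers, as the message above describes, makes per-sender volume visible in the qmail-send log. As an added example (not part of the original message), this counts distinct remote recipients per envelope sender from standard qmail-send log lines; the sample lines, addresses and function names are constructed, and the envelope sender is whatever the client supplied.

```python
import re
from collections import defaultdict

# Constructed qmail-send log lines (multilog timestamps omitted).
SAMPLE_LOG = """\
info msg 1201: bytes 2048 from <bulk@customer.example> qp 4101 uid 89
starting delivery 1: msg 1201 to remote a@isp-one.example
starting delivery 2: msg 1201 to remote b@isp-two.example
delivery 2: deferral: Connected_to_192.0.2.20_but_greeting_failed./
info msg 1202: bytes 900 from <alice@customer.example> qp 4107 uid 89
starting delivery 3: msg 1202 to local customer.example-bob@customer.example
starting delivery 4: msg 1202 to remote c@isp-one.example
end msg 1202
starting delivery 5: msg 1201 to remote b@isp-two.example
end msg 1201
info msg 1201: bytes 2050 from <bulk@customer.example> qp 4130 uid 89
starting delivery 6: msg 1201 to remote d@isp-one.example
"""

INFO = re.compile(r"info msg (\d+): bytes \d+ from <([^>]*)>")
START = re.compile(r"starting delivery \d+: msg (\d+) to remote (\S+)")
END = re.compile(r"end msg (\d+)")

def remote_recipients_by_sender(log_text):
    """Return {envelope sender: distinct (message, remote recipient) pairs}."""
    sender_of = {}                  # live queue id -> envelope sender
    generation = defaultdict(int)   # queue ids are reused after "end msg"
    seen = defaultdict(set)
    for line in log_text.splitlines():
        if m := INFO.search(line):
            sender_of[m[1]] = m[2].lower() or "<>"   # "<>" is a bounce
        elif m := START.search(line):
            sender = sender_of.get(m[1], "(unknown)")
            # A retry after a deferral repeats the pair and is not recounted.
            seen[sender].add((m[1], generation[m[1]], m[2].lower()))
        elif m := END.search(line):
            sender_of.pop(m[1], None)
            generation[m[1]] += 1
    return {sender: len(pairs) for sender, pairs in seen.items()}

def over_limit(counts, limit):
    """Senders whose remote recipient count exceeds the chosen limit."""
    return sorted(s for s, n in counts.items() if n > limit)

if __name__ == "__main__":
    print(over_limit(remote_recipients_by_sender(SAMPLE_LOG), limit=2))
```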






Re: [vchkpw] Re: [toaster] filtering outgoing emails

2006-10-25 Thread David Chaplin-Loebell

John Simpson wrote:

> On 2006-10-25, at 1614, Ingo Claro wrote:
>
>> Jeff Koch wrote:
>>
>>> We are getting demands from large ISP's - Comcast, AOL, ATT - that
>>> we spam filter all outgoing email. We're using simscan to filter
>>> incoming email but I think that misses email generated by our
>>> customers and autoresponders. Can it be accomplished by modifying
>>> /home/vpopmail/etc/tcp.smtp ?
>>>
>>> How are other qmail users handling this?
>>
>> i'm also interested in this feature. Have you found how to filter
>> outgoing messages? for incoming messages I use maildrop
>
> you can still use simscan. the trick is to make your customers send
> their mail through simscan.


[snip]

I'm not sure that spam-filtering outgoing mail is a good idea-- I've 
never run into an implementation that doesn't annoy legitimate customers 
sending legitimate mail-- and simscan is, as far as I know, specifically 
designed not to allow it.  If RELAYCLIENT is set, simscan checks for 
viruses but it doesn't run SpamAssassin.


Am I missing something?

David


Re: [vchkpw] Re: [toaster] filtering outgoing emails

2006-10-25 Thread Rick Romero
On Wed, 2006-10-25 at 17:21 -0400, David Chaplin-Loebell wrote:
> John Simpson wrote:
>
>> On 2006-10-25, at 1614, Ingo Claro wrote:
>>
>>> Jeff Koch wrote:
>>>
>>>> We are getting demands from large ISP's - Comcast, AOL, ATT - that
>>>> we spam filter all outgoing email. We're using simscan to filter
>>>> incoming email but I think that misses email generated by our
>>>> customers and autoresponders. Can it be accomplished by modifying
>>>> /home/vpopmail/etc/tcp.smtp ?
>>>>
>>>> How are other qmail users handling this?
>>>
>>> i'm also interested in this feature. Have you found how to filter
>>> outgoing messages? for incoming messages I use maildrop
>>
>> you can still use simscan. the trick is to make your customers send
>> their mail through simscan.
>
> [snip]
>
> I'm not sure that spam-filtering outgoing mail is a good idea-- I've
> never run into an implementation that doesn't annoy legitimate customers
> sending legitimate mail-- and simscan is, as far as I know, specifically
> designed not to allow it.  If RELAYCLIENT is set, simscan checks for
> viruses but it doesn't run SpamAssassin.
>
> Am I missing something?

Yeah, Free ISPs who have spammers sign up.  I've been fighting with this
for quite a while.   I've ended up having multiple qmail installs to do
this.  One to receive the email, one to spam scan it and relay it out.  
This seems to work well, I check the queues and clear out those emails
and users - block those sending IP's if necessary.

My big problem is - how do I convert a single email with 50 TO:
addresses into ONE email to be spam scanned?  

I think I need to run a different email server for the initial queue -
but this then brings up questions like, how do I use SMTP AUTH with,
say, Exim, and vpopmail?

The whole spam/antivirus requirements have turned a nice 'email server'
into a multiple install/multiple queue hell - and I only have about 2k
regular users.

Rick





Re: [vchkpw] Re: [toaster] filtering outgoing emails

2006-10-25 Thread Howard Jones
Rick Romero wrote:
> I think I need to run a different email server for the initial queue -
> but this then brings up questions like, how do I use SMTP AUTH with,
> say, Exim, and vpopmail?

I've just started using qpsmtpd to do SMTP AUTH against my vpopmail
users with vchkpw, to avoid running a patched qmail-smtpd[1]. qpsmtpd
has many spam-filtering plugins, and several queueing plugins, including
one for qmail and one for any SMTP server (effectively as a proxy). It's
fairly easy to extend too, if you know perl. I added a check module to
allow our backup MX to only accept mail for a list of known accounts
with an afternoon's work. Separating your SMTP services into relay,
inbound, and backup MX makes life a lot easier for enforcing mail
policies, IMHO.

It's worth a look, perhaps.

Howie.

[1] actually, it's to avoid having to reconcile SMTP AUTH patches with
chkuser, which I already use, and couldn't live without. I run
qmail-smtpd with chkuser for the 'public' MX SMTP service, and qpsmtpd
for my local user's relay SMTP server, with auth and SSL.


Re: [vchkpw] Re: [toaster] filtering outgoing emails

2006-10-25 Thread Rick Macdougall

Howard Jones wrote:

> Howie.
>
> [1] actually, it's to avoid having to reconcile SMTP AUTH patches with
> chkuser, which I already use, and couldn't live without. I run
> qmail-smtpd with chkuser for the 'public' MX SMTP service, and qpsmtpd
> for my local user's relay SMTP server, with auth and SSL.


Hi,

You should look at Bill's Toaster then, it has all of the above plus 
badmailfrom/to regex, qmail-pop3d maildir++ support, TLS support etc all 
built into one clean patch.


http://www.shupp.org

Regards,

Rick