RE: [vchkpw] chkusr on gateway mx?

2005-02-15 Thread Jason Wilkinson
Ajai Khattri wrote:
> On Tue, 15 Feb 2005, Jason Wilkinson wrote:
> 
>> This is what I was thinking about doing. I'm not sure why everybody is
>> replicating the database and mail structure when you can just export
>> it via NFS (assuming you're on the local net) and be reading live
>> data. 
> 
> It's not a good idea because if your primary goes down you're screwed.
> 
> (At least with using rsync you have a backup that still does chkusr
> on incoming mail even if your primary MX is hosed). 

If my primary goes down...I'm screwed in more ways than this. :)





RE: [vchkpw] chkusr on gateway mx?

2005-02-15 Thread Ajai Khattri
On Tue, 15 Feb 2005, Jason Wilkinson wrote:

> This is what I was thinking about doing. I'm not sure why everybody is replicating
> the database and mail structure when you can just export it via NFS
> (assuming you're on the local net) and be reading live data.

It's not a good idea because if your primary goes down you're screwed.

(At least with using rsync you have a backup that still does chkusr 
on incoming mail even if your primary MX is hosed).


-- 
Aj. ([EMAIL PROTECTED])
Systems Administrator / Developer



RE: [vchkpw] chkusr on gateway mx?

2005-02-15 Thread Jason Wilkinson
Charles J. Boening wrote:
>> Paul Theodoropoulos wrote:
>>> is there any way to run chkusr on these 'gateway' MX servers? i use
>>> MySQL authentication. The mysql server is the pop server, and i
>>> replicate that on the primary MX (where the majority of mail comes
>>> in). is there any way to 'hook' into the authentication info in the
>>> replicated database directly? that would be ideal, as it should be
>>> quite fast. 
>>> 
>> This isn't possible with the current version of chkuser. I'm wanting
>> to do the exact same thing. Vpopmail currently needs access to 1) the
>> authentication scheme (MySQL in your case) 2) the file system (to
>> check the ~qmail/control files and .qmail- files for aliases and
>> catchalls)

> If this is the case, why not NFS mount (read-only) the real vpopmail
> directory structure so you can do CHKUSR lookups.  If it's read-only
> then there shouldn't be any impact other than network traffic to the
> real backend server.   
> 

This is what I was thinking about doing. I'm not sure why everybody is replicating
the database and mail structure when you can just export it via NFS
(assuming you're on the local net) and be reading live data. As for the
database, you can configure vpopmail to use any MySQL server when checking.
Just have it call over to its neighbor instead of checking itself.




RE: [vchkpw] chkusr on gateway mx?

2005-02-14 Thread Paul Theodoropoulos
thanks to everyone for the insights. while i still think it's kind of 
'ugly' to have to replicate a portion of the vpopmail directory structure 
on my MXes, i suppose the benefits will surely outweigh the 'ugliness'.

At 03:07 PM 2/14/2005, you wrote:

> We are doing exactly this with our gateway MX server. First we replicate
> the MySQL database then we use rsync running every 30 minutes to just sync
> the first couple of directory levels from
> the /home/vpopmail/domains/x/domain.com on the vpopmail server (this
> picks up the aliases, mailing lists and autoresponder names) and the
> /var/qmail/users/assign file. chkuser works perfectly at the MX server.
> SMTPROUTES sends everything to the vpop server. We do virus filtering and
> spam analysis on the MX server and the balance on the pop server.
> Basically, we just sync enough over to the MX server so chkuser can work.
>
> At 03:00 PM 2/14/2005, you wrote:
>> Paul Theodoropoulos wrote:
>>> is there any way to run chkusr on these 'gateway' MX servers? i use
>>> MySQL authentication. The mysql server is the pop server, and i
>>> replicate that on the primary MX (where the majority of mail comes
>>> in). is there any way to 'hook' into the authentication info in the
>>> replicated database directly?
>>> that would be ideal, as it should be quite fast.
>>>
>> This isn't possible with the current version of chkuser. I'm wanting to do
>> the exact same thing. Vpopmail currently needs access to 1) the
>> authentication scheme (MySQL in your case) 2) the file system (to check the
>> ~qmail/control files and .qmail- files for aliases and catchalls)
>>
>> Also, keep in mind that you can set up vpopmail/chkuser to check against the
>> primary MySQL database. There is no need to replicate it.
>>
>> I've been told that Antonio wants to build client/server functionality
>> into chkuser but hasn't been able to find the time. I for one look forward
>> to seeing it.
>
> Best Regards,
> Jeff Koch, Intersessions

Paul Theodoropoulos
http://www.anastrophe.com
http://www.smileglobal.com



RE: [vchkpw] chkusr on gateway mx?

2005-02-14 Thread Charles J. Boening

If this is the case, why not NFS mount (read-only) the real vpopmail
directory structure so you can do CHKUSR lookups.  If it's read-only
then there shouldn't be any impact other than network traffic to the
real backend server.


Charlie



-Original Message-
From: Jason Wilkinson [mailto:[EMAIL PROTECTED] 
Sent: Monday, February 14, 2005 12:01 PM
To: vchkpw@inter7.com
Subject: RE: [vchkpw] chkusr on gateway mx?

Paul Theodoropoulos wrote:
> is there any way to run chkusr on these 'gateway' MX servers? i use 
> MySQL authentication. The mysql server is the pop server, and i 
> replicate that on the primary MX (where the majority of mail comes 
> in). is there any way to 'hook' into the authentication info in the
> replicated database directly?
> that would be ideal, as it should be quite fast.
> 
This isn't possible with the current version of chkuser. I'm wanting to
do the exact same thing. Vpopmail currently needs access to 1) the
authentication scheme (MySQL in your case) 2) the file system (to check
the ~qmail/control files and .qmail- files for aliases and catchalls)

Also, keep in mind that you can set up vpopmail/chkuser to check against
the primary MySQL database. There is no need to replicate it.

I've been told that Antonio wants to build client/server
functionality into chkuser but hasn't been able to find the time. I for
one look forward to seeing it.






RE: [vchkpw] chkusr on gateway mx?

2005-02-14 Thread Jeff Koch
We are doing exactly this with our gateway MX server. First we replicate 
the MySQL database then we use rsync running every 30 minutes to just sync 
the first couple of directory levels from 
the  /home/vpopmail/domains/x/domain.com on the vpopmail server (this picks 
up the aliases, mailing lists and autoresponder names) and the 
/var/qmail/users/assign file. chkuser works perfectly at the MX server. 
SMTPROUTES sends everything to the vpop server. We do virus filtering and 
spam analysis on the MX server and the balance on the pop server. 
Basically, we just sync enough over to the MX server so chkuser can work.

At 03:00 PM 2/14/2005, you wrote:
> Paul Theodoropoulos wrote:
>> is there any way to run chkusr on these 'gateway' MX servers? i use
>> MySQL authentication. The mysql server is the pop server, and i
>> replicate that on the primary MX (where the majority of mail comes
>> in). is there any way to 'hook' into the authentication info in the
>> replicated database directly?
>> that would be ideal, as it should be quite fast.
>>
> This isn't possible with the current version of chkuser. I'm wanting to do
> the exact same thing. Vpopmail currently needs access to 1) the
> authentication scheme (MySQL in your case) 2) the file system (to check the
> ~qmail/control files and .qmail- files for aliases and catchalls)
>
> Also, keep in mind that you can set up vpopmail/chkuser to check against the
> primary MySQL database. There is no need to replicate it.
>
> I've been told that Antonio wants to build client/server functionality
> into chkuser but hasn't been able to find the time. I for one look forward
> to seeing it.

Best Regards,
Jeff Koch, Intersessions 



RE: [vchkpw] chkusr on gateway mx?

2005-02-14 Thread Ajai Khattri
On Mon, 14 Feb 2005, Jason Wilkinson wrote:

> 2) the file system (to check the
> ~qmail/control files and .qmail- files for aliases and catchalls)

rsync is your friend ;-)


--




Re: [vchkpw] chkusr on gateway mx?

2005-02-14 Thread Ajai Khattri
On Mon, 14 Feb 2005, Paul Theodoropoulos wrote:

> is there any way to run chkusr on these 'gateway' MX servers? i use MySQL 
> authentication. The mysql server is the pop server, and i replicate that on 
> the primary MX (where the majority of mail comes in). is there any way to 
> 'hook' into the authentication info in the replicated database directly? 
> that would be ideal, as it should be quite fast.
> 
> but reading the docs, it appears i have to install vpopmail on the server 
> that's going to run chkusr, and i don't much like the idea of that. i'm a 
> tad worried that i might suddenly find all incoming messages being 
> delivered to 'local' and going to the bit-bucket if i turn on chkusr. but 
> that's just wild speculation at this point - i haven't yet installed 
> chkusr, pending some insight on the matters above.

We are running vpopmail (with chkusr) on a backup MX with a replicated 
MySQL database. This setup works well. We do a daily rsync of .qmail files 
(not the maildirs, just the structure). Qmail on that server is configured 
to relay to our primary MX but not before chkusr gets to do its thing on 
incoming mail - this has stopped a lot of spam coming through our backup 
MX.


-- 



RE: [vchkpw] chkusr on gateway mx?

2005-02-14 Thread Charles J. Boening
Paul,

I would think you're ok putting vpopmail on your gateway servers.
Remember, the CHKUSR patch is only checking that the user exists to
vpopmail.  I take it you're using the smtproutes file to forward to the
real server behind the gateway boxes?  If so, you should be just fine.
It's not going to do local delivery unless you specifically add the
domain to your gateway box.  Just make sure you configure vpopmail for
mysql and that you configure it to look at your real mysql server on the
backend.

I would really like to see a CHKUSR patch that could check another SMTP
server.  Then gateway machines could just make the SMTP connection to
the backend SMTP machine and validate the user.  This would make it work
across multiple backend servers.  I know quite a few people running
non-nix mail servers on 2k boxes.  When will they learn? :)

Just to make sure, when you implement, send some test messages and watch
closely.  You'll know right away if there's a problem.

Good luck,
Charlie

 

-Original Message-
From: Paul Theodoropoulos [mailto:[EMAIL PROTECTED] 
Sent: Monday, February 14, 2005 10:12 AM
To: vchkpw@inter7.com
Subject: [vchkpw] chkusr on gateway mx?

I'm a little confused about implementation of chkusr. i really want to
implement it, as i'm tired of my paid bandwidth being chewed up by
spammers sending tens of thousands of messages to non-existent
addresses.

instead of having a single, all-in-one server doing everything, i have
three 'gateway' MX servers that messages come into first. they then
relay the messages to a dedicated spam/clam server for filtering. from
there, messages are delivered to the pop server, where customers pick
them up.

is there any way to run chkusr on these 'gateway' MX servers? i use
MySQL authentication. The mysql server is the pop server, and i
replicate that on the primary MX (where the majority of mail comes in).
is there any way to 'hook' into the authentication info in the
replicated database directly? 
that would be ideal, as it should be quite fast.

but reading the docs, it appears i have to install vpopmail on the
server that's going to run chkusr, and i don't much like the idea of
that. i'm a tad worried that i might suddenly find all incoming messages
being delivered to 'local' and going to the bit-bucket if i turn on
chkusr. but that's just wild speculation at this point - i haven't yet
installed chkusr, pending some insight on the matters above.

any help appreciated.

Paul Theodoropoulos
http://www.anastrophe.com
http://www.smileglobal.com






Re: [vchkpw] chkusr on gateway mx?

2005-02-14 Thread Cream
Ken Jones wrote:
> You could try one of the goodrcptto patches to qmail-smtpd.
> We have one we use for gateways to exchange servers.
> Basically, you export a list of users to a file. Put that file on the
> gateway machines. With our patch we build a goodrcptto.cdb file.
> Then qmail-smtpd checks the cdb file and rejects it if it does not exist.

I have a qmail+vpopmail+qmail-scanner+clamav+kav+spamassassin server 
running this kind of gateway to an exchange server.

And have been asked to setup this exact thing. I'd be very interested if 
you could provide some links / more information?

Kris


Re: [vchkpw] chkusr on gateway mx?

2005-02-14 Thread Paul Theodoropoulos
At 10:42 AM 2/14/2005, you wrote:
> You could try one of the goodrcptto patches to qmail-smtpd.
> We have one we use for gateways to exchange servers.
> Basically, you export a list of users to a file. Put that file on the
> gateway machines. With our patch we build a goodrcptto.cdb file.
> Then qmail-smtpd checks the cdb file and rejects it if it does not exist.
>
> Ken Jones

thanks. static db's just won't work - too many customers adding/deleting 
email addresses throughout the day. it needs to be a 'live' lookup of 
what's on the systems. plus, i thought all the goodrcptto systems broke 
catchalls?

Paul Theodoropoulos
http://www.anastrophe.com
http://www.smileglobal.com



Re: [vchkpw] chkusr on gateway mx?

2005-02-14 Thread Charles Sprickman
On Mon, 14 Feb 2005, Paul Theodoropoulos wrote:
> but reading the docs, it appears i have to install vpopmail on the server
> that's going to run chkusr, and i don't much like the idea of that. i'm a tad
> worried that i might suddenly find all incoming messages being delivered to
> 'local' and going to the bit-bucket if i turn on chkusr. but that's just wild
> speculation at this point - i haven't yet installed chkusr, pending some
> insight on the matters above.

I'm doing that on one box now, soon to be two once my buddy gets his LVM 
setup done.

I have the db replicated on the mxer, and I have a periodic cron job on 
the main server doing a find for all the .qmail files.  I also have a cron 
job on the mxer that pulls everything in that "find" list over.  Sounds 
odd, but the "find, then xfer w/rsync" method is much faster than doing a 
straight rsync of the dir structure and .qmail files.

Anyhow as for chkuser, all you need is to copy over your rcpthosts and 
morercpthosts.cdb.  As long as you DO NOT have those domains in locals or 
virtualdomains, you're good to go.  Been running this for about two months 
now and it's done wonders for cutting down the amount of queued crap on 
the backup mxer.

Charles

> any help appreciated.
> Paul Theodoropoulos
> http://www.anastrophe.com
> http://www.smileglobal.com
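
An added example (not posted by anyone in this thread) of the "find, then transfer with rsync" approach described in the message above, which also covers the partial sync Jeff Koch describes: only .qmail files are listed, so no mail content lands on the MX. The function names, the list path and the `popserver` host name are assumptions.

```shell
#!/bin/sh
# Added example; function names, paths and the host name are assumptions.

# build_qmail_list ROOT OUT  (run on the vpopmail server from cron)
# Writes the relative paths of all .qmail* files under ROOT to OUT.
# Maildirs are pruned, so no message content is ever listed or transferred.
build_qmail_list() {
    root=$1; out=$2; tmp="$out.tmp.$$"
    ( cd "$root" && find . -name Maildir -prune -o -type f -name '.qmail*' -print ) \
        | sed 's|^\./||' | sort > "$tmp"
    # An empty result means ROOT is wrong or unreadable: fail and leave the
    # previous list in place instead of replacing it.
    if [ ! -s "$tmp" ]; then rm -f "$tmp"; return 1; fi
    mv "$tmp" "$out"
}

# pull_qmail_files LIST SRC DEST  (run on the MX from cron)
# LIST is read on the MX; a leading ":" makes rsync read it on the remote side.
# Nothing is deleted on the MX, so an alias removed on the server keeps being
# accepted here until it is cleaned up separately.
pull_qmail_files() {
    list=$1; src=$2; dest=$3
    rsync -a --files-from="$list" "$src" "$dest"
}

# Typical cron usage (constructed paths):
#   server: build_qmail_list /home/vpopmail/domains /home/vpopmail/qmail-files.list
#   mx:     pull_qmail_files :/home/vpopmail/qmail-files.list \
#               popserver:/home/vpopmail/domains/ /home/vpopmail/domains/
```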



Re: [vchkpw] chkusr on gateway mx?

2005-02-14 Thread Tom Collins
On Feb 14, 2005, at 10:11 AM, Paul Theodoropoulos wrote:
> but reading the docs, it appears i have to install vpopmail on the
> server that's going to run chkusr, and i don't much like the idea of
> that. i'm a tad worried that i might suddenly find all incoming
> messages being delivered to 'local' and going to the bit-bucket if i
> turn on chkusr. but that's just wild speculation at this point - i
> haven't yet installed chkusr, pending some insight on the matters
> above.

I could be wrong with some of my answers, but here's what I 
understand...

The chkuser patch needs to load the .qmail-default file for each domain 
to determine whether the domain has a catchall set or not.  Domains 
with catchalls accept all mail, so there isn't anything for chkuser to 
do.

Even if you are using vpopmail with the MySQL backend and aliases 
stored in the valias table, ezmlm mailing lists remain as .qmail files.

It would theoretically be possible to have qmailadmin "mirror" them in 
the valias table, as long as all changes to the list settings were made 
in qmailadmin only.

If lots of users will be moving in this direction, perhaps we should 
explore storing the default delivery setting in the database instead of 
the .qmail-default files.  We could just use the '[EMAIL PROTECTED]' 
entry in the valias table, but we would have to filter it out of the 
normal valias lookups...  The only other possible table would be 
limits, since there's already an entry for each domain.

I've also thought about storing it (default delivery) in a separate 
file (necessary for CDB backend), to make it easier for people to 
customize their .qmail-default files.  I had planned to add a new 
option to vdelivermail (instead of deleted, bounce-no-mailbox, etc.) of 
'file' to indicate that it was stored externally.

--
Tom Collins  -  [EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/  Vpopmail: http://vpopmail.sf.net/
You don't need a laptop to troubleshoot high-speed Internet: 
sniffter.com
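
A simplified model, added here and not taken from chkuser or from this thread, of the recipient decision described in the message above; it shows why a gateway MX needs the .qmail files as well as the user database. Assumptions: the users file stands in for the MySQL lookup, only `bounce-no-mailbox` in `.qmail-default` is treated as "no catchall", and answering `defer` when `.qmail-default` is missing is this example's own choice.

```shell
#!/bin/sh
# Added example: model of an SMTP-time recipient check on a gateway MX.
# Not chkuser's code. USERS_FILE (one local part per line) stands in for
# the MySQL lookup; all function names are hypothetical.

# wants_bounce DOMAIN_DIR: true when .qmail-default bounces unknown
# recipients, i.e. the domain has no catchall (assumed marker:
# the vdelivermail option "bounce-no-mailbox").
wants_bounce() {
    grep -q 'vdelivermail.*bounce-no-mailbox' "$1/.qmail-default"
}

# has_dot_qmail DOMAIN_DIR LOCAL: true when an alias or list file covers
# LOCAL. qmail maps dots in the local part to colons, and .qmail-foo-default
# covers foo-anything (how ezmlm handles list-subscribe and similar).
has_dot_qmail() {
    dir=$1
    ext=$(printf '%s' "$2" | tr '.' ':')
    [ -f "$dir/.qmail-$ext" ] && return 0
    prefix=$ext
    while :; do
        case $prefix in
            *-*) prefix=${prefix%-*} ;;
            *)   return 1 ;;
        esac
        [ -f "$dir/.qmail-$prefix-default" ] && return 0
    done
}

# rcpt_check DOMAIN_DIR LOCAL USERS_FILE: prints accept, reject or defer.
rcpt_check() {
    dir=$1; users=$3
    local_part=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    # Never let a recipient address select a path outside DOMAIN_DIR.
    case $local_part in ''|*/*) echo reject; return ;; esac
    # No .qmail-default: the MX copy is incomplete, so ask the sender to
    # retry instead of rejecting mail that may be valid.
    [ -r "$dir/.qmail-default" ] || { echo defer; return; }
    wants_bounce "$dir" || { echo accept; return; }   # catchall domain
    grep -qxF -- "$local_part" "$users" && { echo accept; return; }
    has_dot_qmail "$dir" "$local_part" && { echo accept; return; }
    echo reject
}
```

With the database replicated but the .qmail files missing, `sales`, `john.doe` and `news-subscribe` in the test data would all be rejected even though the backend delivers them.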



RE: [vchkpw] chkusr on gateway mx?

2005-02-14 Thread Jason Wilkinson
Paul Theodoropoulos wrote:
> is there any way to run chkusr on these 'gateway' MX servers? i use
> MySQL authentication. The mysql server is the pop server, and i
> replicate that on the primary MX (where the majority of mail comes
> in). is there any way to 'hook' into the authentication info in the
> replicated database directly?
> that would be ideal, as it should be quite fast.
> 
This isn't possible with the current version of chkuser. I'm wanting to do
the exact same thing. Vpopmail currently needs access to 1) the
authentication scheme (MySQL in your case) 2) the file system (to check the
~qmail/control files and .qmail- files for aliases and catchalls)

Also, keep in mind that you can set up vpopmail/chkuser to check against the
primary MySQL database. There is no need to replicate it.

I've been told that Antonio wants to build client/server functionality
into chkuser but hasn't been able to find the time. I for one look forward
to seeing it.




Re: [vchkpw] chkusr on gateway mx?

2005-02-14 Thread Ken Jones
On Monday 14 February 2005 12:11 pm, Paul Theodoropoulos wrote:
> I'm a little confused about implementation of chkusr. i really want to
> implement it, as i'm tired of my paid bandwidth being chewed up by spammers
> sending tens of thousands of messages to non-existent addresses.
>
> instead of having a single, all-in-one server doing everything, i have
> three 'gateway' MX servers that messages come into first. they then relay
> the messages to a dedicated spam/clam server for filtering. from there,
> messages are delivered to the pop server, where customers pick them up.
>
> is there any way to run chkusr on these 'gateway' MX servers? i use MySQL
> authentication. The mysql server is the pop server, and i replicate that on
> the primary MX (where the majority of mail comes in). is there any way to
> 'hook' into the authentication info in the replicated database directly?
> that would be ideal, as it should be quite fast.
>
> but reading the docs, it appears i have to install vpopmail on the server
> that's going to run chkusr, and i don't much like the idea of that. i'm a
> tad worried that i might suddenly find all incoming messages being
> delivered to 'local' and going to the bit-bucket if i turn on chkusr. but
> that's just wild speculation at this point - i haven't yet installed
> chkusr, pending some insight on the matters above.
>
> any help appreciated.

You could try one of the goodrcptto patches to qmail-smtpd.
We have one we use for gateways to exchange servers. 
Basically, you export a list of users to a file. Put that file on the
gateway machines. With our patch we build a goodrcptto.cdb file.
Then qmail-smtpd checks the cdb file and rejects it if it does not exist.

Ken Jones