On 08/17/2012 10:33 AM, Allan Dukat wrote:
Hi everyone
I am about to migrate to a new netqmail-1.06 + chkuser-2.0.9release +
dovecot-2.1.9 + ezmlm-idx-7.1.1 + httpd-2.4.2 + qmailadmin-1.2.16 +
sqwebmail-5.5.3 + vpopmail-5.4.33 + vqadmin-2.3.7-server, which I have
compiled, and am now testing.
On my current server I am using the netqmail-1.05-validrcptto.cdb.patch
but I have decided to switch to chkuser.patch, so chkuser is new to me.
I have trouble making chkuser behave as desired:
When I send a mail to apa...@domain.dk, which is present in /etc/passwd,
I want chkuser to reject the mail at smtp-level, but it is accepted as
seen here:
/var/log/qmail/smtpd/current:
@40000000502e3f3009a4be0c CHKUSER accepted sender: from <allan.du...@otherdomain.dk::> remote <:mail3.otherdomail.dk> rcpt <> : sender accepted
@40000000502e3f3009a60244 CHKUSER accepted rcpt: from <allan.du...@otherdomain.dk::> remote <:mail3.otherdomail.dk> rcpt <apa...@domain.dk> : found existing recipient
/var/log/mail.log:
Aug 17 14:55:02 jmail qmail: 1345208102.166587 new msg 1573938
Aug 17 14:55:02 jmail qmail: 1345208102.166746 info msg 1573938: bytes 1532 from <allan.du...@otherdomain.dk> qp 1679 uid 1002
Aug 17 14:55:02 jmail qmail: 1345208102.168480 starting delivery 11: msg 1573938 to local apa...@domain.dk
Aug 17 14:55:02 jmail qmail: 1345208102.168563 status: local 1/10 remote 0/20
Aug 17 14:55:02 jmail qmail: 1345208102.171362 delivery 11: failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/
Aug 17 14:55:02 jmail qmail: 1345208102.171569 status: local 0/10 remote 0/20
Aug 17 14:55:02 jmail qmail: 1345208102.177127 bounce msg 1573938 qp 1682
Aug 17 14:55:02 jmail qmail: 1345208102.177233 end msg 1573938
$ grep ^# chkuser_settings.h
#define CHKUSER_VPOPMAIL
#define CHKUSER_DOMAIN_WANTED
#define CHKUSER_ENABLE_USERS
#define CHKUSER_ENABLE_ALIAS
#define CHKUSER_EZMLM_DASH '-'
#define CHKUSER_BOUNCE_STRING "bounce-no-mailbox"
#define CHKUSER_ENABLE_LOGGING
#define CHKUSER_LOG_VALID_RCPT
#define CHKUSER_MIN_DOMAIN_LEN 4
#define CHKUSER_LOG_VALID_SENDER
#define CHKUSER_RCPT_LIMIT_VARIABLE "CHKUSER_RCPTLIMIT"
#define CHKUSER_WRONGRCPT_LIMIT_VARIABLE "CHKUSER_WRONGRCPTLIMIT"
#define CHKUSER_MBXQUOTA_VARIABLE "CHKUSER_MBXQUOTA"
#define CHKUSER_ERROR_DELAY 1000
#define CHKUSER_RCPT_DELAY_ANYERROR
#define CHKUSER_SENDER_DELAY_ANYERROR
#define CHKUSER_ENABLE_EZMLM_LISTS
#define CHKUSER_IDENTIFY_REMOTE_VARIABLE "CHKUSER_IDENTIFY"
#define CHKUSER_USERS_DASH '-'
#define CHKUSER_MAILMAN_STRING "mailman"
#define CHKUSER_MAILMAN_DASH '-'
#define CHKUSER_DB_CLEANUP
#define CHKUSER_ERROR_DELAY_INCREASE 300
#define CHKUSER_NORCPT_STRING "550 5.1.1 sorry, no mailbox here by that name (chkuser)\r\n"
#define CHKUSER_RESOURCE_STRING "451 4.3.0 system temporary unavailable, try again later (chkuser)\r\n"
#define CHKUSER_MBXFULL_STRING "552 5.2.2 sorry, recipient mailbox is full (chkuser)\r\n"
#define CHKUSER_MAXRCPT_STRING "550 5.5.3 sorry, reached maximum number of recipients allowed in one session (chkuser)\r\n"
#define CHKUSER_MAXWRONGRCPT_STRING "550 5.5.3 sorry, you are violating our security policies (chkuser)\r\n"
#define CHKUSER_DOMAINMISSING_STRING "550 5.1.2 sorry, you must specify a domain (chkuser)\r\n"
#define CHKUSER_RCPTFORMAT_STRING "553 5.1.3 sorry, mailbox syntax not allowed (chkuser)\r\n"
#define CHKUSER_RCPTMX_STRING "550 5.1.2 sorry, can't find a valid MX for rcpt domain (chkuser)\r\n"
#define CHKUSER_SENDERFORMAT_STRING "553 5.1.7 sorry, mailbox syntax not allowed (chkuser)\r\n"
#define CHKUSER_SENDERMX_STRING "550 5.1.8 sorry, can't find a valid MX for sender domain (chkuser)\r\n"
#define CHKUSER_INTRUSIONTHRESHOLD_STRING "550 5.7.1 sorry, you are violating our security policies (chkuser)\r\n"
#define CHKUSER_NORELAY_STRING "553 5.7.1 sorry, that domain isn't in my list of allowed rcpthosts (chkuser)\r\n"
#define CHKUSER_RCPTMX_TMP_STRING "451 4.4.0 DNS temporary failure (chkuser)\r\n"
#define CHKUSER_SENDERMX_TMP_STRING "451 4.4.0 DNS temporary failure (chkuser)\r\n"
#define CHKUSER_MUSTAUTH_STRING "530 5.7.0 Authentication required (chkuser)\r\n"
#define CHKUSER_ENABLE_DOUBLEBOUNCE_VARIABLE "CHKUSER_DOUBLEBOUNCE"
I have googled for an hour, and not found anything relevant, so please
help.
Thanks in advance
Kind regards
Allan Dukat





Hey Allan.

I don't know the answer to your situation off hand. It's interesting though that chkuser would find local users, with no apparent way of disabling that check. Perhaps there's something in the hosts configuration that would defeat this. The Features page (http://opensource.interazioni.it/qmail/chkuser/features.html) doesn't appear to mention checking local user accounts at all.

Tonino (chkuser author) does hang around here, and I expect will chime in on this. If you're wanting an answer sooner, you should "use the source, Luke". ;)

The server you've built is fairly close to a qmail-toaster (http://wiki.qmailtoaster.com). As the project leader there, I'm curious to know why you didn't choose to go that route. We aim to make QMT easy to build and suitable for as many situations as we can. Care to comment?

BTW QMT uses a few other chkuser settings, for your consideration:
#define CHKUSER_ENABLE_USERS_EXTENSIONS
#define CHKUSER_ALLOW_SENDER_CHAR_1 '$'
#define CHKUSER_ALLOW_SENDER_CHAR_2 '%'
#define CHKUSER_ALLOW_SENDER_CHAR_3 '/'
#define CHKUSER_ALLOW_SENDER_CHAR_4 '?'
#define CHKUSER_ALLOW_SENDER_CHAR_5 '*'
#define CHKUSER_ALLOW_SENDER_CHAR_6 '^'
#define CHKUSER_ALLOW_SENDER_CHAR_7 '~'
#define CHKUSER_ALLOW_SENDER_CHAR_8 '&'
#define CHKUSER_ALLOW_SENDER_CHAR_9 '#'
#define CHKUSER_ALLOW_SENDER_CHAR_10 '='
#define CHKUSER_ALLOW_RCPT_CHAR_1 '$'
#define CHKUSER_ALLOW_RCPT_CHAR_2 '%'
#define CHKUSER_ALLOW_RCPT_CHAR_3 '/'
#define CHKUSER_ALLOW_RCPT_CHAR_4 '?'
#define CHKUSER_ALLOW_RCPT_CHAR_5 '*'
#define CHKUSER_ALLOW_RCPT_CHAR_6 '^'
#define CHKUSER_ALLOW_RCPT_CHAR_7 '~'
#define CHKUSER_ALLOW_RCPT_CHAR_8 '&'
#define CHKUSER_ALLOW_RCPT_CHAR_9 '#'
#define CHKUSER_ALLOW_RCPT_CHAR_10 '='
User extensions can be very useful to users who know how to apply them.
The special characters are legal, and used by BlackBerries periodically, not in the normal account name but in a name that BBs generate for the submission process. These might not apply to your situations though.

Best of luck with your email endeavors.

Oh, and one more thing. You really should consider using spamdyke (http://spamdyke.org). It's the single most effective spam fighting tool available, and it only works with qmail (at this time).

--
-Eric 'shubes'
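
An added example, not part of either message: a Python check that correlates the two log formats quoted in the original post and lists recipients that chkuser accepted at SMTP time but that qmail later bounced with "no mailbox here by that name". The log lines, addresses and host names embedded below are constructed placeholders modelled on the quoted format, and the function names are this example's own.

```python
import re

# Constructed sample lines modelled on the log formats quoted in the
# thread; addresses and host names are placeholders, not thread values.
SMTPD_LOG = """\
@40000000502e3f3009a4be0c CHKUSER accepted sender: from <alice@sender.example::> remote <:mx.sender.example> rcpt <> : sender accepted
@40000000502e3f3009a60244 CHKUSER accepted rcpt: from <alice@sender.example::> remote <:mx.sender.example> rcpt <sysuser@domain.example> : found existing recipient
@40000000502e3f310a000000 CHKUSER accepted rcpt: from <alice@sender.example::> remote <:mx.sender.example> rcpt <bob@domain.example> : found existing recipient
"""
SEND_LOG = """\
Aug 17 14:55:02 jmail qmail: 1345208102.168480 starting delivery 11: msg 1573938 to local sysuser@domain.example
Aug 17 14:55:02 jmail qmail: 1345208102.171362 delivery 11: failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/
Aug 17 14:55:03 jmail qmail: 1345208103.100000 starting delivery 12: msg 1573940 to local bob@domain.example
Aug 17 14:55:03 jmail qmail: 1345208103.200000 delivery 12: success: did_0+0+1/
"""

ACCEPTED = re.compile(r"CHKUSER accepted rcpt: .* rcpt <([^>]+)> :")
STARTED = re.compile(r"starting delivery (\d+): msg (\d+) to local (\S+)")
FAILED = re.compile(r"delivery (\d+): failure: \S*no_mailbox_here_by_that_name")

def accepted_recipients(smtpd_log):
    # Recipients chkuser let through at RCPT TO time.
    return {m.group(1).lower() for m in ACCEPTED.finditer(smtpd_log)}

def bounced_local(send_log):
    # Map recipient -> msg number for local deliveries that failed with 5.1.1.
    in_flight, bounced = {}, {}
    for line in send_log.splitlines():
        if m := STARTED.search(line):
            in_flight[m.group(1)] = (m.group(3).lower(), m.group(2))
        elif m := FAILED.search(line):
            rcpt, msg = in_flight.pop(m.group(1), (None, None))
            if rcpt:
                bounced[rcpt] = msg
    return bounced

def accepted_then_bounced(smtpd_log, send_log):
    # Addresses where the SMTP-time check and local delivery disagree.
    accepted = accepted_recipients(smtpd_log)
    return {r: m for r, m in bounced_local(send_log).items() if r in accepted}

if __name__ == "__main__":
    for rcpt, msg in accepted_then_bounced(SMTPD_LOG, SEND_LOG).items():
        print(f"accepted at SMTP, bounced at delivery: {rcpt} (msg {msg})")
```

Each address it reports is one the server will answer with a late bounce instead of an SMTP-time rejection.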



