Testing qmail, SMTP and auth

At this time /command/svscanboot should have started qmail:

> ps axfww

 1905 pts/1    Sl     0:00 /home/vpopmail/bin/vusaged
 2008 pts/1    S      0:00 /bin/sh /command/svscanboot
 2010 pts/1    S      0:00  \_ svscan /service
 2012 pts/1    S      0:00  |   \_ supervise qmail-smtpd
 2029 pts/1    S      0:00  |   |   \_ /usr/local/bin/tcpserver -v -H -R -l 0 -x /home/vpopmail/etc/tcp.smtp.cdb -c 20 -u 89 -g 89 0 25 /var/qmail/bin/qmail-smtpd
 2013 pts/1    S      0:00  |   \_ supervise log
 2021 pts/1    S      0:00  |   |   \_ /usr/local/bin/multilog t /var/log/qmail/smtpd
 2014 pts/1    S      0:00  |   \_ supervise qmail-send
 2027 pts/1    S      0:00  |   |   \_ qmail-send
 2039 pts/1    S      0:00  |   |       \_ qmail-lspawn 
 2040 pts/1    S      0:00  |   |       \_ qmail-rspawn
 2041 pts/1    S      0:00  |   |       \_ qmail-clean
 2042 pts/1    S      0:00  |   |       \_ qmail-todo
 2043 pts/1    S      0:00  |   |       \_ qmail-clean
 2015 pts/1    S      0:00  |   \_ supervise log
 2025 pts/1    S      0:00  |   |   \_ /usr/local/bin/multilog t /var/log/qmail/send
 2016 pts/1    S      0:00  |   \_ supervise vpopmaild
 2026 pts/1    S      0:00  |   |   \_ /usr/local/bin/tcpserver -v -H -R -l 0 -u 0 -g 0 0 89 /home/vpopmail/bin/vpopmaild
 2017 pts/1    S      0:00  |   \_ supervise log
 2023 pts/1    S      0:00  |   |   \_ /usr/local/bin/multilog t /var/log/qmail/vpopmaild
 2018 pts/1    S      0:00  |   \_ supervise qmail-submission
 2024 pts/1    S      0:00  |   |   \_ /usr/local/bin/tcpserver -v -H -R -l 0 -x /home/vpopmail/etc/tcp.submission.cdb -c 20 -u 89 -g 89 0 587 /var/qmail/bin/qmail-smtpd /home/vpopmail/bin/vchkpw /bin/true
 2019 pts/1    S      0:00  |   \_ supervise log
 2022 pts/1    S      0:00  |   |   \_ /usr/local/bin/multilog t /var/log/qmail/submission
 2020 pts/1    S      0:00  |   \_ supervise clear
 2011 pts/1    S      0:00  \_ readproctitle service errors: ...............................................................................................................................................

If everything is OK you should see something like this: the readproctitle service errors line must contain only dots.

You can always clear the errors line this way:

svc -o /service/clear

or, if you're using my modified qmailctl file, you can do this:

qmailctl clear

Check the queue and the services uptime:

> qmailctl stat

/service/qmail-send: up (pid 7987) 4 seconds
/service/qmail-send/log: up (pid 6998) 1946 seconds
/service/qmail-smtpd: up (pid 7989) 4 seconds
/service/qmail-smtpd/log: up (pid 6995) 1946 seconds
/service/qmail-submission: up (pid 7991) 4 seconds
/service/qmail-submission/log: up (pid 6999) 1946 seconds
/service/vpopmaild: up (pid 7993) 4 seconds
/service/vpopmaild/log: up (pid 6997) 1946 seconds
messages in queue: 0
messages in queue but not yet preprocessed: 0

Of course, you’ll only see the submission service lines if qmail-submission is included in the svclist line in /usr/local/bin/qmailctl. Check that the up time increases by repeating the qmailctl stat command a couple of times. If something fails, check the logs.
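The uptime and readproctitle checks just described, as an added Python example that is not part of these notes: it parses two successive qmailctl stat dumps and flags services that are down or that supervise restarted between the samples, and it extracts whatever readproctitle holds besides dots. The sample dumps are constructed, modelled on the output shown above.

```python
import re

# One svstat line per service, e.g. "/service/qmail-send: up (pid 7987) 4 seconds"
# or "/service/qmail-send: down 3 seconds, normally up".
STAT_RE = re.compile(
    r"^(?P<svc>\S+): (?P<state>up|down)(?: \(pid (?P<pid>\d+)\))? (?P<secs>\d+) seconds"
)

# Constructed samples, modelled on the 'qmailctl stat' output shown above.
SAMPLE_FIRST = """\
/service/qmail-send: up (pid 7987) 4 seconds
/service/qmail-send/log: up (pid 6998) 1946 seconds
/service/qmail-smtpd: up (pid 7989) 4 seconds
/service/qmail-smtpd/log: up (pid 6995) 1946 seconds
messages in queue: 0
"""
SAMPLE_SECOND = """\
/service/qmail-send: up (pid 7987) 14 seconds
/service/qmail-send/log: up (pid 6998) 1956 seconds
/service/qmail-smtpd: up (pid 8102) 2 seconds
/service/qmail-smtpd/log: up (pid 6995) 1956 seconds
messages in queue: 0
"""


def parse_stat(text):
    """Map each service path in a 'qmailctl stat' dump to (state, pid, seconds)."""
    services = {}
    for line in text.splitlines():
        m = STAT_RE.match(line.strip())
        if m:
            pid = int(m.group("pid")) if m.group("pid") else None
            services[m.group("svc")] = (m.group("state"), pid, int(m.group("secs")))
    return services


def find_problems(first, second):
    """Compare two parse_stat() results taken a few seconds apart. A healthy
    service keeps its pid and its uptime grows; a service that supervise keeps
    restarting shows a new pid (or a smaller uptime) in the second sample."""
    problems = []
    for svc, (state, pid, secs) in sorted(second.items()):
        if state != "up":
            problems.append((svc, "down"))
        elif svc not in first:
            problems.append((svc, "absent from first sample"))
        elif first[svc][1] != pid:
            problems.append((svc, "pid changed: restarted between samples"))
        elif secs <= first[svc][2]:
            problems.append((svc, "uptime did not increase"))
    return problems


def readproctitle_errors(ps_line):
    """Return the error text held in the readproctitle buffer, or '' when the
    buffer is all dots (the healthy state described above)."""
    _, found, tail = ps_line.partition("service errors: ")
    return tail.strip(". ") if found else ""


if __name__ == "__main__":
    for svc, why in find_problems(parse_stat(SAMPLE_FIRST), parse_stat(SAMPLE_SECOND)):
        print(f"{svc}: {why}")
```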

The next two notes will show how to handle the queue and, if needed, repair it.

swaks

swaks is an SMTP test tool that you can use to perform all the telnet tests described below.

Install as follows:

cd /usr/local/bin
wget http://www.jetmore.org/john/code/swaks/latest/swaks
chown root.root swaks
chmod +x swaks

The usage is pretty simple. Adjust to your needs:

swaks \
        --to someone@somewhere.net \
        --from postmaster@yourdomain.xy \
        --server localhost \
        --port 587 \
        --ehlo test \
        --tls \
        --auth login \
        --auth-user postmaster@yourdomain.xy \
        --auth-password [PASSWORD]

You may want to take a look at the reference manual: http://www.jetmore.org/john/code/swaks/latest/doc/ref.txt

Testing qmail delivery

Look at the TEST.deliver man page and do all suggested tests.

Testing SMTP connection

In this example [your-IP] is an IP address that is allowed to use our MTA as a relay according to ~vpopmail/etc/tcp.smtp; usually it is 127.0.0.1 or an address on an allowed localnet such as 10.0.0.5 or 192.168.1.12.

This test will fail if you try to use the MTA as an open relay, i.e. telnetting from outside the allowed networks without SMTP authentication (see below).

> telnet [your IP] 25

Trying [your IP]...
Connected to qmail.yourdomain.net.
Escape character is '^]'.
220 mail.yourdomain.net ESMTP
mail from:<user@yourdomain.net>
250 ok
rcpt to:<someone@somewhere.else.net>
250 ok
data
354 go ahead
subject: This is the subject
to: someone@somewhere.else.net
from: user@yourdomain.net

This is the msg body FOLLOWING A BLANK LINE
.
250 ok 1286469273 qp 31969
quit
221 www.yourdomain.net
Connection closed by foreign host.

***********

Of course it may happen that something goes wrong:

> telnet [your IP] 25

Trying [your IP]...
Connected to [your IP].
Escape character is '^]'.
Connection closed by foreign host.

Let's check the smtp log:

> more /var/log/qmail/smtpd/current

@400000004cb7145314702f74 /var/qmail/bin/qmail-smtpd: error while loading shared libraries: libcrypt.so.1: failed to map segment from shared object: Cannot allocate memory

If you see an error like this, your softlimit is too low. Try to increase it by editing /var/qmail/supervise/qmail-smtpd/run.

***********

> more /var/log/qmail/smtpd/current

@400000004cc5baaf076df464 /var/qmail/bin/qmail-smtpd: error while loading shared libraries: libmysqlclient.so.16: cannot open shared object file: No such file or directory

I faced this error in a 64b virtual mail server. MySQL was in a different virtual server and the mysql dir was mounted locally, but qmail-smtp cannot load it. I fixed this error copying (not linking!) the library inside the guest in this way:

cp -p /usr/local/mysql/lib/libmysqlclient.so.16.0.0 /usr/lib64/libmysqlclient.so.16

***********

Check whether the message has been sent by opening /var/log/qmail/send/current.

***********

Try to send a message to yourself and look for the message in the Maildir/new folder:

> telnet [your IP] 25

Trying [your IP]...
Connected to qmail.yourdomain.net.
Escape character is '^]'.
220 mail.yourdomain.net ESMTP
mail from:<user@yourdomain.net>
250 ok
rcpt to:<user@yourdomain.net>
250 ok
data
354 go ahead
subject: This is the subject
to: user@yourdomain.net
from: user@yourdomain.net

This is the msg body FOLLOWING A BLANK LINE
.
250 ok 1286469273 qp 31969
quit
221 www.yourdomain.net
Connection closed by foreign host.

> ls -l /home/vpopmail/domains/yourdomain.net/user/Maildir/new
total 4
-rw------- 1 vpopmail vchkpw  211 2010-12-09 13:22 1291897368.13072.qmail,S\=211

Testing vpopmail auth

> telnet [your-IP] 89

Trying [your-IP]...
Connected to [your-IP].
Escape character is '^]'.
+OK
login userid@yourdomain.net PASSWORD
+OK+
vpopmail_dir /home/vpopmail
domain_dir /home/vpopmail/domains/yourdomain.net
uid 89
gid 89
name userid
comment userName userSurname
quota NOQUOTA
user_dir /home/vpopmail/domains/yourdomain.net/userid
encrypted_password $xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
clear_text_password xxxxxxxxxxxxxxxxx
no_password_change 0
no_pop 0
no_webmail 0
no_imap 0
bounce_mail 0
no_relay 0
no_dialup 0
user_flag_0 0
user_flag_1 0
user_flag_2 0
user_flag_3 0
no_smtp 0
domain_admin_privileges 0
override_domain_limits 0
no_spamassassin 0
delete_spam 0
no_maildrop 0
system_admin_privileges 0
.
quit
+OK
Connection closed by foreign host.

Testing chkuser

If you perform this test from localhost or from one of the localnets that are allowed to relay according to ~vpopmail/etc/tcp.smtp...

10.0.0.:allow,RELAYCLIENT=""
127.:allow,RELAYCLIENT=""

...before continuing, you have to remove your own relay permission. Empty tcp.smtp and rebuild the cdb:

cd ~vpopmail/etc
mv tcp.smtp tcp.smtp.bck
touch tcp.smtp
qmailctl cdb

Now we are ready for the test.

No valid MX test, mailbox syntax test

chkuser rejects the message if the domain in the MAIL FROM has no valid MX record. This is a rare case, since spammers will rather try to use your own domain in the from field.

> telnet [yourIP] 25
Trying [yourIP]...
Connected to [yourIP].
Escape character is '^]'.
220 yourdomain.net ESMTP
mail from: unexistent@fakedomain.xxx
550 5.1.8 sorry, can't find a valid MX for sender domain (chkuser)
mail from: unexistent@fake_domain.xxx
553 5.1.7 sorry, mailbox syntax not allowed (chkuser)
quit

No mailbox test

The qmail/control/rcpthosts file determines whether a recipient is accepted: the address given in the RCPT TO command is accepted if and only if its domain is listed in rcpthosts. In addition, chkuser is programmed to reject messages for non-existent users of those domains:

> telnet [yourIP] 25
Trying [yourIP]...
Connected to [yourIP].
Escape character is '^]'.
220 yourdomain.net ESMTP
mail from: someone@gmail.com
250 ok
rcpt to: nobody@yourdomain.net
550 5.1.1 sorry, no mailbox here by that name (chkuser)
quit

No rcpt hosts test

To allow clients to send outgoing messages through this MTA, you must authorize the relay from their IP addresses inside tcp.smtp:

111.222.333.444:allow,RELAYCLIENT=""

In this case we have purged tcp.smtp, so we are allowed to send messages only to local users (domains inside rcpthosts), and chkuser can't find the external domain in its list of allowed rcpthosts:

> telnet [yourIP] 25
Trying [yourIP]...
Connected to [yourIP].
Escape character is '^]'.
220 yourdomain.net ESMTP
mail from: someone@gmail.com
250 ok
rcpt to: someone@gmail.com
553 5.7.1 sorry, that domain isn't in my list of allowed rcpthosts (chkuser)
quit

In addition, look for chkuser messages inside the smtp log /var/log/qmail/smtpd/current.
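The four chkuser cases above, driven by Python's smtplib as an added script that is not part of these notes: run it while tcp.smtp is purged, from a host that has been denied relaying, and it classifies each reply by stage, code and the "(chkuser)" tag. The hostname argument and the addresses are the placeholders used above.

```python
import smtplib
import sys

# (description, MAIL FROM, RCPT TO or None, stage where chkuser should reject, code)
# Addresses are the placeholder values used in the telnet sessions above.
CHKUSER_CASES = [
    ("sender domain without a valid MX", "unexistent@fakedomain.xxx", None, "mail", 550),
    ("sender mailbox syntax not allowed", "unexistent@fake_domain.xxx", None, "mail", 553),
    ("non-existent local recipient", "someone@gmail.com", "nobody@yourdomain.net", "rcpt", 550),
    ("external recipient, relay denied", "someone@gmail.com", "someone@gmail.com", "rcpt", 553),
]


def verdict(stage, code, message, expected_stage, expected_code):
    """Classify the last reply of one case.
    "pass"        - rejected at the expected stage with the expected code and
                    the (chkuser) tag in the reply text;
    "not-chkuser" - right code, but no (chkuser) tag: a different check
                    (e.g. the plain rcpthosts lookup) did the rejecting;
    "accepted"    - the MTA accepted the command, so chkuser is not active;
    "unexpected"  - anything else (wrong stage, wrong code, temp failure)."""
    if code < 400:
        return "accepted"
    if stage == expected_stage and code == expected_code:
        return "pass" if "(chkuser)" in message else "not-chkuser"
    return "unexpected"


def run_case(host, mail_from, rcpt_to, port=25):
    """Issue MAIL FROM and, if that was accepted and a recipient is given,
    RCPT TO against a live server. Returns (stage, code, reply_text).
    The 'with' block sends QUIT when it exits."""
    with smtplib.SMTP(host, port, timeout=30) as s:
        s.ehlo_or_helo_if_needed()
        stage, (code, msg) = "mail", s.mail(mail_from)
        if code < 400 and rcpt_to is not None:
            stage, (code, msg) = "rcpt", s.rcpt(rcpt_to)
        return stage, code, msg.decode("latin-1", "replace")


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"  # placeholder MTA address
    for desc, mail_from, rcpt_to, exp_stage, exp_code in CHKUSER_CASES:
        stage, code, text = run_case(host, mail_from, rcpt_to)
        result = verdict(stage, code, text, exp_stage, exp_code)
        print(f"{result:12} {desc}: {stage.upper()} -> {code} {text}")
```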

Don't forget to restore tcp.smtp:

rm tcp.smtp
mv tcp.smtp.bck tcp.smtp
qmailctl cdb

Testing smtp-auth and TLS

Let's suppose that you have enabled the submission service (port 587). If you have enabled smtp-auth on port 25 replace 587 with 25 below.

Check that auth and TLS are present:

> telnet [your-IP] 587

Trying [your-IP]...
Connected to [your-IP].
Escape character is '^]'.
220 smtp.yourdomain.net ESMTP
EHLO test
250-smtp.yourdomain.net
250-STARTTLS
250-PIPELINING
250-8BITMIME
250-SIZE 3000000
250 AUTH LOGIN PLAIN
mail from:someone@somewhere.net
530 Authorization required (#5.7.1)
AUTH PLAIN
538 auth not available without TLS (#5.3.3)
STARTTLS
220 ready for tls
[unreadable binary data: the TLS handshake has started]
^CConnection closed by foreign host.

The server seems to correctly provide STARTTLS and AUTH support. As you can see, authorization is required and AUTH is not available without TLS. Once the server answers "ready for tls" the connection is encrypted, so telnet can't go on and you have to quit with ^C.

Be aware that you can choose between 3 authentication methods:

  1. PLAIN (insecure without TLS)
  2. LOGIN (insecure without TLS)
  3. CRAM-MD5 (more secure, but not needed with TLS)

Since we support TLS, I usually disable CRAM-MD5 in my run file, so we will test just LOGIN and PLAIN. If you want to enable CRAM-MD5, refer to the README.auth file.

Testing the relay with "AUTH LOGIN"

- Encoding the login -

To test the "AUTH LOGIN" method (safe here because the entire connection is protected by TLS) you have to BASE64-encode the username, let's say "test@test.net", and the password, let's say "test", as shown below.

> printf "test@test.net" | base64
dGVzdEB0ZXN0Lm5ldA==
> printf "test" | base64
dGVzdA==

Thus, the username "test@test.net" translates to "dGVzdEB0ZXN0Lm5ldA==" and the corresponding password "test" becomes "dGVzdA==".

- Testing the relay -

Now let's check if the relay is working fine. To talk with the server during an encrypted dialog we will use an openssl connection with -starttls smtp; first of all the certificate will be presented:

> openssl s_client -starttls smtp -crlf -connect [your-IP]:587

CONNECTED(00000003)
depth=0 /C=IT/ST=Italy/L=Cagliari/O=Your Name/CN=smtp.yourdomain.net/emailAddress=postmaster@yourdomain.net
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=IT/ST=Italy/L=Cagliari/O=Your Name/CN=smtp.yourdomain.net/emailAddress=postmaster@yourdomain.net
verify return:1
---
Certificate chain
 0 s:/C=IT/ST=Italy/L=Cagliari/O=Your Name/CN=smtp.yourdomain.net/emailAddress=postmaster@yourdomain.net
   i:/C=IT/ST=Italy/L=Cagliari/O=Your Name/CN=smtp.sagredo.eu/emailAddress=postmaster@yourdomain.net
---
Server certificate
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
subject=/C=IT/ST=Italy/L=Cagliari/O=Your Name/CN=smtp.yourdomain.net/emailAddress=postmaster@yourdomain.net
issuer=/C=IT/ST=Italy/L=Cagliari/O=Your Name/CN=smtp.yourname.net/emailAddress=postmaster@yourname.net
---
No client certificate CA names sent
---
SSL handshake has read 1650 bytes and written 354 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Session-ID-ctx:
    Master-Key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Key-Arg   : None
    Start Time: 1292613625
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
250 AUTH LOGIN PLAIN
AUTH LOGIN
334 VXNlcm5hbWU6 <---- it is a BASE64 encoded string 'Username:'
dGVzdEB0ZXN0Lm5ldA== <---- it is a BASE64 encoded string 'test@test.net'
334 UGFzc3dvcmQ6 <---- it is a BASE64 encoded string 'Password:'
dGVzdA== <---- it is a BASE64 encoded string 'test' (the user password in this example)
235 ok, go ahead (#2.0.0)
mail from:yourself@somedomain.net
250 ok
rcpt to:someone@somewhere.net
250 ok
data
354 go ahead
subject: smtp-auth + tls test
to:someone@somewhere.net
from:yourself@somedomain.net

This is the body FOLLOWING A BLANK LINE
.
250 ok 1292613846 qp 14123
quit
221 smtp.yourdomain.net
closed

Testing the relay with "AUTH PLAIN"

- Encoding the login -

The correct form of the AUTH PLAIN credential is "\0authentication-id\0passwd", where \0 is the null byte. If the username is "test@test.net" and the password is "test", you have to BASE64-encode the string "\0test@test.net\0test":

> printf "\0test@test.net\0test" | base64
AHRlc3RAdGVzdC5uZXQAdGVzdA==

- Testing the relay -

Now let's check if the relay is working fine. To talk with the server during an encrypted dialog we will use an openssl connection with -starttls smtp; first of all the certificate will be presented:

> openssl s_client -starttls smtp -crlf -connect [your-IP]:587

CONNECTED(00000003)
[THE SAME AS AUTH LOGIN BEFORE]
---
250 AUTH LOGIN PLAIN
AUTH PLAIN AHRlc3RAdGVzdC5uZXQAdGVzdA==  <---- it is a BASE64 encoded string '\0test@test.net\0test'
235 ok, go ahead (#2.0.0)
mail from:yourself@somedomain.net
250 ok
rcpt to:someone@somewhere.net
250 ok
data
354 go ahead
subject: smtp-auth + tls test
to:someone@somewhere.net
from:yourself@somedomain.net

This is the body FOLLOWING A BLANK LINE
.
250 ok 1292613846 qp 14123
quit
221 smtp.yourdomain.net
closed
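The submission checks above as an added Python script (not the notes' own code): it builds the AUTH LOGIN and AUTH PLAIN tokens the same way as the printf | base64 commands, verifies that MAIL FROM and AUTH are refused before STARTTLS with the 530 and 538 replies shown above, then authenticates over TLS with either mechanism. Host, user and password are placeholders passed on the command line; --insecure accepts the self-signed certificate of the notes.

```python
import base64
import smtplib
import ssl
import sys


def auth_plain_token(user, password, authzid=""):
    """BASE64 of "authzid\\0authcid\\0password" (RFC 4616). The notes use an
    empty authzid, i.e. the string "\\0test@test.net\\0test"."""
    raw = f"{authzid}\0{user}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def auth_login_tokens(user, password):
    """The two BASE64 strings sent in reply to the AUTH LOGIN 334 challenges."""
    return (base64.b64encode(user.encode("utf-8")).decode("ascii"),
            base64.b64encode(password.encode("utf-8")).decode("ascii"))


def decode_challenge(b64):
    """Decode a 334 challenge, e.g. VXNlcm5hbWU6 -> 'Username:'."""
    return base64.b64decode(b64.strip()).decode("utf-8")


def check_cleartext_policy(ehlo_features, mail_code, auth_code):
    """Evaluate what the server did BEFORE STARTTLS. ehlo_features is the
    lower-cased extension dict smtplib builds from the EHLO reply. Returns a
    list of findings; an empty list means the server matches the notes:
    STARTTLS and AUTH advertised, MAIL FROM answered 530, AUTH answered 538."""
    findings = []
    if "starttls" not in ehlo_features:
        findings.append("STARTTLS not advertised")
    if "auth" not in ehlo_features:
        findings.append("AUTH not advertised")
    if mail_code != 530:
        findings.append(f"MAIL FROM without auth answered {mail_code}, expected 530")
    if auth_code != 538:
        findings.append(f"AUTH before STARTTLS answered {auth_code}, expected 538")
    return findings


def authenticate(s, mechanism, user, password):
    """Run the AUTH dialogue of the notes on a session already inside TLS.
    Returns the final reply code (235 means the relay is open to us)."""
    if mechanism == "PLAIN":
        code, _ = s.docmd("AUTH", "PLAIN " + auth_plain_token(user, password))
        return code
    user_b64, pass_b64 = auth_login_tokens(user, password)
    code, msg = s.docmd("AUTH", "LOGIN")
    if code != 334 or decode_challenge(msg.decode("ascii")) != "Username:":
        return code
    code, msg = s.docmd(user_b64)
    if code != 334 or decode_challenge(msg.decode("ascii")) != "Password:":
        return code
    code, _ = s.docmd(pass_b64)
    return code


def probe(host, port, user, password, mechanism="PLAIN", insecure=False):
    """Connect to the submission port and return (findings, auth_code); the
    code is None when STARTTLS is not offered and no AUTH is attempted."""
    ctx = ssl.create_default_context()
    if insecure:  # the certificate in the notes is self-signed
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=30) as s:
        s.ehlo("test")
        features = dict(s.esmtp_features)
        mail_code, _ = s.mail("someone@somewhere.net")
        auth_code, _ = s.docmd("AUTH", mechanism)  # no credentials sent in clear
        if auth_code == 334:                       # server started cleartext AUTH: abort it
            s.docmd("*")
        findings = check_cleartext_policy(features, mail_code, auth_code)
        if "starttls" not in features:
            return findings, None
        s.starttls(context=ctx)
        s.ehlo("test")  # extensions must be re-read after STARTTLS
        return findings, authenticate(s, mechanism, user, password)


if __name__ == "__main__":
    # Usage: python3 submission_check.py HOST USER PASSWORD [LOGIN] [--insecure]
    host, user, password = sys.argv[1:4]
    mech = "LOGIN" if "LOGIN" in sys.argv[4:] else "PLAIN"
    findings, code = probe(host, 587, user, password, mech, "--insecure" in sys.argv)
    for finding in findings:
        print("FINDING:", finding)
    print("AUTH", mech, "over TLS ->", code, "(235 expected)")
```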

Sorry,_no_mailbox_here_by_that_name._(#5.1.1)

Many followers of this guide have written to me complaining that they get an error like this in their log, or that log@theirdomain.xy doesn't receive the emails. Please read this before posting. It is a fictitious mailbox, just a trick to improve the qmail-send log.

Troubleshooting

If something goes wrong you can always log the whole SMTP conversation by running qmail-smtpd in conjunction with Bernstein's recordio program (preferably from the command line):

exec /usr/local/bin/softlimit -m "$SOFTLIMIT" \
    /usr/local/bin/tcpserver -v -H -R -l 0 \
    -x /home/vpopmail/etc/tcp.submission.cdb -c "$MAXSMTPD" \
    -u "$QMAILDUID" -g "$NOFILESGID" 0 submission \
    /usr/local/bin/recordio \
    /var/qmail/bin/qmail-smtpd \
    /home/vpopmail/bin/vchkpw /bin/true 2>&1

or you can use strace to investigate in more detail what the smtpd session is doing.

Testing SPF

  • Basic information about SPF here

First of all, check the header of your incoming messages. For email senders who don’t have SPF enabled, you should find a Received-SPF header that looks something like this:

Received-SPF: none (0: domain at <some domain> does not designate permitted sender hosts)

For email senders who have SPF enabled, you’ll see a header that looks something like this:

Received-SPF: pass(0: SPF record at <some domain> designates x.x.x.x as permitted sender)

The SPF behaviour of your mail server is controlled by the file /var/qmail/control/spfbehavior. You can specify a value between 0 and 6:

  • 0: disabled (default). Never do SPF lookups and don't create Received-SPF headers.
  • 1: 'annotate-only' mode, where qmail-smtpd annotates incoming email with Received-SPF fields but never rejects a message.
  • 2: produces temporary failures on DNS lookup problems, so you can make sure you always have meaningful Received-SPF headers.
  • 3: 'reject' mode, where incoming mail is rejected if the SPF record says 'fail'.
  • 4: a stricter rejection mode, like 'reject' except that incoming mail is also rejected when the SPF record says 'softfail'.
  • 5: also rejects when the SPF record says 'neutral'.
  • 6: also rejects if no SPF records are available at all (or a syntax error was encountered).

You can override the value in /var/qmail/control/spfbehavior by setting the SPFBEHAVIOR environment variable (typically in /etc/tcprules.d/tcp.smtp or, if you've used these notes as your guide, in ~vpopmail/etc/tcp.smtp).

Values higher than 3 are strongly discouraged; you will probably want to go with 2 or 3. To run a rejection test, use the highest value (6) and restart qmail. Then, from a remote IP address, try telnetting into your mail server and sending a message from a fake email address:

> telnet qmail.yourserver.net 25
Trying [remote-IP]...
Connected to [remote-IP].
Escape character is '^]'.
220 qmail.yourserver.net ESMTP
mail from: test@nospfdomain.net
250 ok
rcpt to: user@yourdomain.net
550 See http://spf.pobox.com/why.html?sender=test%40nospfdomain.net&ip=[sender-IP]&receiver=0 (#5.7.1)
quit
221 qmail.yourserver.net
Connection closed by foreign host.

Remember to restore your /var/qmail/control/spfbehavior file to 2 or 3.

Comments

Hello all,

Everything is working perfectly while I test from the command line (SMTP, Auth SMTP and POP3), but when I configure an email client, i.e. MS Outlook, I'm not able to make auth pop3 and retrieve mail from the server. But Auth SMTP works perfectly using the same username and password as my incoming mail server, and when I test from the command line using telnet I'm able to auth (login and access mail) pop3. I tried both /home/vpopmail/bin/vchkpw and /home/vpopmail/bin/vpopmaild in the vpopmail run file. Can anyone help me to resolve this problem?

Thanks in advance.

When I telnet to pop3, it works but receives a double +OK +OK after entering "pass password" and other commands. See the conversation below.

+OK <681.1355813384@domain.co.uk>
user postmaster@domain.co.uk
+OK
pass password
+OK
+OK
list
+OK
+OK
1  990

.
.
dele 1
+OK
+OK
quit
+OK
+OK

qmail-pop3d and vpopmail:vchkpw seems to be working via remote telnet.

When a mail client such as Outlook is used, auth pop3 hangs. I have also tested it with other email clients but to no avail!

"Receiving' reported error (0x8004210A) : 'The operation timed out waiting for a response from the receiving (POP) server."

Here is the mail-server-side conversation between Outlook and the mail server:

@4000000050d0165622025a2c tcpserver: pid 3185 from 11.111.111.111
@4000000050d016562202a84c tcpserver: ok 3185 0:22.222.22.222:110 :11.111.111.111::3168
@4000000050d016562337869c 3185 > +OK <3185.1355814476@domain.co.uk>
@4000000050d016562468daac 3185 < USER postmaster@domain.co.uk
@4000000050d0165624699244 3185 > +OK
@4000000050d0165625b43ab4 3185 < PASS password
@4000000050d0165626937ef4 3185 > +OK
@4000000050d01656269386c4 3185 > +OK
@4000000050d0165627f80c4c 3185 < STAT
@4000000050d0165627f8cbb4 3185 > +OK +OK 0  0
@4000000050d0165627f8cf9c 3185 >
@4000000050d0169227a58b34 3185 < [EOF]
@4000000050d0169227a87934 3185 > [EOF]
@4000000050d0169227a9965c tcpserver: end 3185 status 256
@4000000050d0169227a9c924 tcpserver: status: 0/10

Unfortunately I can't be of any help as I'm not using qmail-pop3d since a long time.. anyway I would give dovecot's pop3 service a chance..

Hello, I cannot telnet on port 25 because I get a disconnect message and no mail can arrive.

Escape character is '^]'.
Connection closed by foreign host.

here are some logs

@4000000055717f060cbd19cc tcpserver: pid 24793 from 89.137.228.94
@4000000055717f060cbecb64 tcpserver: ok 24793 0:188.241.220.26:25 :89.137.228.94::41430
@4000000055717f060d0f50ac tcpserver: end 24793 status 11
@4000000055717f060d0f604c tcpserver: status: 0/20
@4000000055717f693a003694 tcpserver: status: 1/20
@4000000055717f693a03769c tcpserver: pid 24817 from 89.137.228.94
@4000000055717f693a051894 tcpserver: ok 24817 0:188.241.220.26:25 :89.137.228.94::41431
@4000000055717f693a54461c tcpserver: end 24817 status 11
@4000000055717f693a544dec tcpserver: status: 0/20
@4000000055717f6d109527c4 tcpserver: status: 1/20
@4000000055717f6d109867cc tcpserver: pid 24818 from 89.137.228.94
@4000000055717f6d109a1194 tcpserver: ok 24818 0:188.241.220.26:25 :89.137.228.94::41432
@4000000055717f6d10e78d84 tcpserver: end 24818 status 11
@4000000055717f6d10e79d24 tcpserver: status: 0/20
@4000000055717f9129acf7dc tcpserver: status: 1/20
@4000000055717f9129b02c2c tcpserver: pid 24820 from 89.137.228.94
@4000000055717f9129b1d5f4 tcpserver: ok 24820 0:188.241.220.26:25 :89.137.228.94::41434
@4000000055717f9129fe6f54 tcpserver: end 24820 status 11
@4000000055717f9129fe7ef4 tcpserver: status: 0/20
@40000000557180d409990224 tcpserver: status: 1/20
@40000000557180d4099c74f4 tcpserver: pid 25079 from 89.137.228.94
@40000000557180d4099e3244 tcpserver: ok 25079 0:188.241.220.26:25 :89.137.228.94::41439
@40000000557180d409ec5244 tcpserver: end 25079 status 11
@40000000557180d409ec61e4 tcpserver: status: 0/20

Any ideas?

is there any firewall? 

no, no firewall

was the IP 89.137.228.94 in your tests above the one you were connecting from?

are you using my qmail patch and installation?

can you post a telnet session?

yes this was my ip

I redirected port 25 to 587 and now everything is working ... don't know what was wrong with port 25

I had the same issue when compiling only qmail with the patches included here

the problem is that qmail-popup.c or qmail-pop3d.c print +OK twice after the pass is sent,

If you do a diff on the original netqmail files and the patched ones you will see what i'm talking about:

The MUA expects only one +OK from pop3d.

So I think the problem is in qmail-pop3d.c

maybe this line from the patched  qmail-pop3d.c 

void okay(arg) char *arg; { substdio_puts(&ssout,"+OK \r\n"); my_puts("+OK \r\n"); flush(); }

In any case I just replaced the patched qmail files (qmail-popup.c or qmail-pop3d.c) with the original ones, since the only difference I noticed was the function puts renamed to my_puts, and I recompiled. And it worked.

thanks for the contribution. I'm going to test qmail-pop3d as soon as possible and eventually provide a new patch :)

yes, you are right. Modifying like this

-void okay(arg) char *arg; { substdio_puts(&ssout,"+OK \r\n"); my_puts("+OK \r\n"); flush(); }
+void okay(arg) char *arg; { my_puts("+OK \r\n"); flush(); }
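Review bot: in the `-` line both `substdio_puts(&ssout,"+OK \r\n")` and `my_puts("+OK \r\n")` emit the same reply, which is the doubled +OK the thread describes; the `+` line keeps only `my_puts`, so confirm that `my_puts` writes into the same `ssout` buffer the trailing `flush()` drains, otherwise the single +OK may sit unflushed until the next write. Dropping the `substdio_puts` call rather than the `my_puts` call is the right choice only if `my_puts` is the wrapper the rest of the patched file uses for replies.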

seems to solve it.

fyi, both the dkim and maildir++ patches modify qmail-pop3d, so I think you shouldn't replace the patched files with the original ones, because there are other changes there.

Before releasing a new patch can you make a test with this one or adjust yourself qmail-pop3d.c?

Patching qmail-pop3d.c with the following

-void okay(arg) char *arg; { substdio_puts(&ssout,"+OK \r\n"); my_puts("+OK \r\n"); flush(); }
+void okay(arg) char *arg; { my_puts("+OK \r\n"); flush(); }

It is tested on a live qmail+vpopmail server on ports 110 and 995 with stunnel. It seems to be working perfectly. Thanks to Simplex and Roberto

Further to my previous post

Above patch to "qmail-pop3d.c", after intensive test, is found to be not working as expected.

After auth pop3d , email moves to "cur" folder from "new" under /Maildir even though email client is configured not  to "Leave a copy of messages on server".

Regards,

Today I released a new combined patch which fixes this issue on qmail-pop3d. Many clients were tested and everything seems to be working fine now.

Hello,

I have encountered a problem with SPF checking using your qmail installation.

Every SPF check is like this:

Received: from unknown (HELO xxxxxx) (::ffff:190.249.131.119)
Received-SPF: unknown (0: No IP address in conversation)

Using the spfquery command, the result is OK.

Do you have any suggestions on how to fix this, so the IPv4 is detected correctly, without "::ffff:" prefix ?

Thank you!

Unfortunately I've no suggestions, I think that the error is due to the prefix.. it's a very old patch. By the way it appears that the spfquery program was not written by the same author of the qmail-SPF patch

let me know if you manage to solve :)

After further research I did manage to solve the problem.

tcpserver was transforming IPv4 into IPv6 format

The fix was to add in /var/qmail/supervise/qmail-smtpd/run  "-4" at the tcpserver command. This forces the use of IPv4 IPs only.

exec /usr/local/bin/softlimit -m "$SOFTLIMIT" \
/usr/local/bin/tcpserver -4 -v -H -R -l 0 \ .....

Hi, great tutorial! thanks!

Everything worked like a charm, but I tested DKIM sending mail to sa-test@sendmail.net, and I got NO PRESENT for DKIM.

Is there some way to test it?

Thanks

I have a long-time issue that is driving me crazy. I recompiled netqmail with Roberto's full patch, in order to update the qmail-auth patch and try to secure my server as much as possible. I ran into the same problem that occurred during the installation of the server, so I tried to gather some more info.

The problem is related to chkuser; if I use the qmail-smtpd binary file from the compilation, chkuser is always accepting email, even for non-existent users:

@400000005617b9e91c82f91c CHKUSER accepted sender: from <xxxx@domain.net|remoteinfo/auth:xxxx@domain.net|chkuser-identify:> remote <helo:[192.168.11.143]|remotehostname:unknown|remotehostip:192.168.11.143> rcpt <> : accepted any sender always
@400000005617b9e91c9281ac CHKUSER accepted any rcpt: from <xxxx@domanin.net|remoteinfo/auth:xxxx@domain.net|chkuser-identify:> remote <helo:[192.168.11.143]|remotehostname:unknown|remotehostip:192.168.11.143> rcpt <dsaasddsa@sinapto.net> : accepted any recipient for this domain

If I replace the qmail-smtpd binary file with the one from the qmail-1.03-26.el6.art.x86_64.rpm, WITHOUT changing anything else (NO configuration or run file change at all), chkuser is working fine:

@400000005617ba170152ef94 CHKUSER accepted sender: from <xxxx@domain.net:xxxx@domain.net:> remote <[192.168.11.143]:unknown:192.168.11.143> rcpt <> : accepted any sender always
@400000005617ba170191449c CHKUSER rejected rcpt: from <xxxx@domain.net:xxxx@domain.net:> remote <[192.168.11.143]:unknown:192.168.11.143> rcpt <dsaasddsa@sinapto.net> : not existing recipient

Any suggestion is greatly appreciated !

how do you run qmail-smtp and chkuser? are you using my configuration and running qmail-smtp as vpopmail?

Hello Roberto,

after recompilation of netqmail with your latest patch everything works fine! I think some issues could be related to the latest qmail-authentication v. 0.8.3 fixes.

Thank you, as always !

Hello Roberto,

I have installed the qmail server on a new server - everything went fine except the STARTTLS authentication is not working well.

When I ran the command "openssl s_client -starttls smtp -crlf -connect localhost:587" I get the message "CONNECTED(00000003)", then for 30 to 60 seconds nothing happened and then I got the view of the certificate. In the meantime I see the qmail-smtp process working at 100%. Sending mails in and out is working but it takes the same amount of time and the qmail-smtp process works at full load. Sometimes I got a timeout with the mail client. I have tried it with 2 different certificates and it is always the same. Do you have an idea what went wrong or how I can track this? Thanks.


Hi Marc, are you running qmail-smtpd as vpopmail?

Important: If you run qmail-submission as a user other than vpopmail, and you’re installing my combined patch, you must adjust /var/qmail/bin/update_tmprsadh accordingly. Otherwise you’ll probably exceed the connection timeout due to privilege problems, and won’t be able to send messages when connected remotely.

Hello Roberto,

i'm running qmail-smtpd as vpopmail user.

What do the logs say? I would check the ownership of the certificate and eventually try to debug with strace

Hi Roberto,

Issuing the command openssl s_client -starttls smtp -showcerts -connect mx-exchanger.tld:465 results in an openssl hang. Below is the relevant strace section. 175 seconds is when I interrupted the process.

What happens in the line directly above it?

18722      0.000025 read(3, "-----BEGIN RSA PRIVATE KEY-----\n[data]"..., 4096) = 4096
18722      0.000066 close(3)            = 0
18722      0.000022 munmap(0x7f1034714000, 4096) = 0
18722      0.000026 open("control/tlsserverciphers", O_RDONLY|O_NONBLOCK) = -1 ENOENT (No such file or directory)
18722      0.000091 fcntl(0, F_GETFL)   = 0x2 (flags O_RDWR)
18722      0.000022 fcntl(0, F_SETFL, O_RDWR|O_NONBLOCK) = 0
18722      0.000022 fcntl(1, F_GETFL)   = 0x802 (flags O_RDWR|O_NONBLOCK)
18722      0.000022 fcntl(1, F_SETFL, O_RDWR|O_NONBLOCK) = 0
18722      0.000048 read(0, 0x1f2b440, 11) = -1 EAGAIN (Resource temporarily unavailable)
18722      0.000034 select(1, [0], NULL, NULL, {1200, 0}) = 1 (in [0], left {1024, 593952})
18722    175.406256 read(0, "", 11)     = 0
18722      0.000116 fcntl(0, F_GETFL)   = 0x802 (flags O_RDWR|O_NONBLOCK)
18722      0.000083 fcntl(0, F_SETFL, O_RDWR) = 0
18722      0.000069 fcntl(1, F_GETFL)   = 0x2 (flags O_RDWR)
18722      0.000065 fcntl(1, F_SETFL, O_RDWR) = 0
18722      0.000226 select(2, NULL, [1], NULL, {1200, 0}) = 1 (out [1], left {1199, 999994})
18722      0.000108 write(1, "454 TLS connection failed (#4.3.0)\r\n", 36) = 36
18722      0.000144 select(3, NULL, [2], NULL, {1200, 0}) = 1 (out [2], left {1199, 999995})
18722      0.000081 write(2, "qmail-smtpd: read failed: (null) from 162.144.50.129 to (null) helo (null)\n", 75) = 75
18722      0.000076 exit_group(1)       = ?
18722      0.000423 +++ exited with 1 +++

strace before and after adding a separate dh2048.pem in /var/qmail/control

Before:

18332      0.000106 open("control/dh2048.pem", O_RDONLY) = -1 ENOENT (No such file or directory)
18332     35.148926 write(1, "[data]\n\23\rLet's Encrypt1#0!\6\3U\4\3\23\32Let's Encrypt Authority X30\[data]\23\four.mx-exchanger.tld0\202"..., 3345) = 3345
18332      0.000057 read(0, 0x117a443, 5) = -1 EAGAIN (Resource temporarily unavailable)

After:

18445      0.000094 open("control/dh2048.pem", O_RDONLY) = 3
18445      0.000030 fstat(3, {st_mode=S_IFREG|0644, st_size=424, ...}) = 0
18445      0.000024 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f23450ed000
18445      0.000023 read(3, "-----BEGIN DH PARAMETERS-----\n[data]"..., 4096) = 424
18445      0.000044 close(3)            = 0
18445      0.000021 munmap(0x7f23450ed000, 4096) = 0
18445      0.007885 write(1, "[data]\n\23\rLet's Encrypt1#0!\6\3U\4\3\23\32Let's Encrypt Authority X30\[data]\23\four.mx-exchanger.tld0\202"..., 3345) = 3345
18445      0.000045 read(0, 0xb38443, 5) = -1 EAGAIN (Resource temporarily unavailable)

This seems to be new behavior (after upgrading from a 2015 install). Why is it not using the dh parameters included in servercert.pem any longer?

If you are strictly following my guide and have my combined patch installed, and then using ucspi-tcp6, you should connect to port 587 (submission service) instead of 465, which goes with ucspi-ssl. I suppose that in your previous configuration you were using something like ucspi-ssl