Setting the tcprules files for qmail

January 21, 2024 by Roberto Puzzanghera 15 comments

TCP connections targeting tcpserver or sslserver can be denied or allowed based on several pieces of connection information, such as the client's IP address. tcprules lets you define rules for incoming TCP connections that decide whether a connection results in an active TCP session. If the connection is accepted, several environment variables can be set; these are typically used by the invoked server application.

Configuring the standard SMTP service on port 25 in tcp.smtp ensures that only localhost and authorized IPs can use the SMTP service as an outgoing relay. We will accept inbound messages from outside as long as the recipient domain is included in the file /var/qmail/control/rcpthosts. When someone sends a message to a domain name not listed in rcpthosts, qmail will respond with “Sorry, that domain isn’t in my list of allowed rcpthosts (#5.7.1)”.

When you enable SMTP authentication on port 587, remote users who successfully authenticate will be allowed to send messages using our MTA.

Setup

Create your /var/qmail/control/tcp.smtp file. You can change the location of that file provided that you adjust your run file and the qmailctl script accordingly. This file should list all the static IPs of the machines that you want to allow to relay out to the internet. For example, to allow relaying for localhost and the local network 10.0.0.x, edit your tcp.smtp as follows:

10.0.0.:allow,RELAYCLIENT=""
127.:allow,RELAYCLIENT=""

Add any other IP later, whenever you want. To give a client relay access, add an entry to tcp.smtp like:

<IP address of client>:allow,RELAYCLIENT=""

Now build tcp.smtp.cdb. Each time you modify tcp.smtp you have to recompile the cdb file:

cd /var/qmail/control
tcprules tcp.smtp.cdb tcp.smtp.tmp < tcp.smtp

Or, if you are using my qmailctl script:

> qmailctl cdb
Updated tcp.smtp.cdb. 
Updated tcp.submission.cdb.

This is an example of tcp.smtp file:

0.0.0.0:allow,RELAYCLIENT="",SMTPD_GREETDELAY="0"
xxx.xxx.xxx.xxx:allow,RELAYCLIENT="",SMTPD_GREETDELAY="0"
10.0.0.:allow,RELAYCLIENT="",SMTPD_GREETDELAY="0"
127.:allow,RELAYCLIENT="",SMTPD_GREETDELAY="0"
:allow,CHKUSER_WRONGRCPTLIMIT="3"

As you can see, localhost (127.), the internal subnet 10.0.0., and the server's external IP are allowed to use the MTA as a relay (RELAYCLIENT="") and do not face a GREETDELAY.

All other clients are allowed to send us emails (:allow), will face a GREETDELAY specified in the qmail-smtpd run script, and are not allowed to use our MTA as a relay.

Since we want to allow ourselves to use our MTA as a remote relay, the tcp.submission rules have to be simply:

:allow,CHKUSER_WRONGRCPTLIMIT="3"

And nobody is allowed to use the submission service (port 587) as an open relay without authentication.
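To audit a tcp.smtp file offline for which clients end up with RELAYCLIENT set, here is a small evaluator that mirrors tcpserver's lookup order for IP-based rules (exact address, then shorter and shorter prefixes ending in a dot, then the default rule ""). It is an added example, not code from this page or from ucspi-tcp; the sample rules file is constructed from the layout above, and hostname (=host) rules, address ranges (1.2.3.4-7) and commas inside quoted values are not handled.

```python
# Added example (not from the page or ucspi-tcp): evaluate tcprules-style
# rules for a client IP the way tcpserver/tcprulescheck would, to see who
# gets RELAYCLIENT. Constructed sample input; simplified rule syntax only.

SAMPLE_TCP_SMTP = """\
10.0.0.:allow,RELAYCLIENT="",SMTPD_GREETDELAY="0"
127.:allow,RELAYCLIENT="",SMTPD_GREETDELAY="0"
:allow,CHKUSER_WRONGRCPTLIMIT="3"
"""  # constructed from the file layout shown on this page

def parse_rules(text):
    """Map address -> (action, {VAR: value}). The first occurrence of a key
    wins, as cdb_find returns the first record tcprules wrote for it."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        addr, _, rest = line.partition(":")
        fields = rest.split(",")
        env = {}
        for field in fields[1:]:
            name, _, value = field.partition("=")
            env[name] = value.strip('"')  # tcprules values are double-quoted
        rules.setdefault(addr, (fields[0], env))
    return rules

def lookup_keys(ip):
    """Keys tcpserver tries, in order, for TCPREMOTEIP: the exact address,
    then shorter and shorter prefixes ending in a dot, then the default ""."""
    parts = ip.split(".")
    keys = [ip] + [".".join(parts[:n]) + "." for n in range(len(parts) - 1, 0, -1)]
    return keys + [""]

def evaluate(rules, ip):
    """Return (matched_key, action, env) like tcprulescheck with TCPREMOTEIP set.
    With no matching rule and no default rule, tcpserver allows the connection."""
    for key in lookup_keys(ip):
        if key in rules:
            return (key,) + rules[key]
    return None, "allow", {}

def can_relay(rules, ip):
    """True if the client is accepted and RELAYCLIENT is set, i.e. it may relay."""
    _, action, env = evaluate(rules, ip)
    return action == "allow" and "RELAYCLIENT" in env

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_TCP_SMTP)
    for ip in ("10.0.0.5", "127.0.0.1", "203.0.113.7"):
        print(ip, evaluate(rules, ip), "relay" if can_relay(rules, ip) else "no relay")
```

Run it against your own tcp.smtp contents instead of the sample to spot a RELAYCLIENT entry on a prefix wider than intended before compiling the cdb.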

Comments

tcprules problem

Hi there,

Having installed ucspi-tcp6-1.06.tgz, I noticed that tcprules ignores hosts and applies all the environment variables for all (:allow...)

For example,

if I have the tcp.submission file

x.x.x.x.x:allow,RBLSMTPD="",CHKUSER_WRONGRCPTLIMIT="3",SMTPD_GREETDELAY="0"

Then tcprules applies the rules to all hosts instead of x.x.x.x.x

I finally managed to execute tcprules (ucspi-tcp6-1.02), I produced the cdb and moved it to the newest email server (ucspi-tcp6-1.06).

Is this a bug?

tcprules problem

And you didn't define a default rule at all? 

I don't know if it's a bug, we should look at the code to see what it does when a default rule is not defined... Anyway I think that defining a default rule such as

:allow

should be good practice.

tcprules problem

I also tried with the

:allow

in the bottom of the file, but the result was the same.

Hosts are ignored and all the env variables are applied as if there were no host rules but just :allow.

Using ucspi-tcp6-1.02:

# tcprulescheck tcp.submission.cdb
default:
allow connection

Using ucspi-tcp6-1.06:

# tcprulescheck tcp.submission.cdb
rule :
set environment variable RBLSMTPD=
set environment variable CHKUSER_WRONGRCPTLIMIT=3
set environment variable SMTPD_GREETDELAY=0
allow connection

tcprules problem

You are not declaring TCPREMOTEIP, so it always prints the default rule. This is the usage as per the man page:

# TCPREMOTEIP=1.2.3.4 tcprulescheck tcp.smtp.cdb  
rule 1.2.3.4:
set environment variable RBLSMTPD=
set environment variable SMTPD_GREETDELAY=0
set environment variable RELAYCLIENT=
allow connection

tcprules problem

tcp.submission:

x.x.x.x:allow,RBLSMTPD="",CHKUSER_WRONGRCPTLIMIT="3",SMTPD_GREETDELAY="0"
:allow
# TCPREMOTEIP=x.x.x.x tcprulescheck tcp.submission.cdb
rule :
set environment variable RBLSMTPD=
set environment variable CHKUSER_WRONGRCPTLIMIT=3
set environment variable SMTPD_GREETDELAY=0
allow connection

There is no host definition at all.

tcprules problem

Apparently this output is not compatible with your tcp source file, as that is not the default defined rule...

tcprules problem

Yes, that is the problem.

I did not miss anything during the qmail installation. I followed all the instructions on this web site.

Hopefully, I have an older installation of qmail and the other tools, as I referred to in my first post, and I can compile my tcprules there and move them back to the new one (new server).

tcprules problem

Did you recompile your tcprules after the last modification?

tcprules problem

# tcprules /home/vpopmail/etc/tcp.submission.cdb /home/vpopmail/etc/tcp.submission.cdb.tmp < /home/vpopmail/etc/tcp.submission

This is what I do whenever I make changes in /home/vpopmail/etc/tcp.submission.

tcprules problem

I have followed all the instructions on this web site, page by page.

Did I miss something?

tcprules problem

How can I know if you missed something? :-)

Greetdelay

Hello Roberto

Thanks for your job, you help many lost people, like me!

Does this line,

0.0.0.0:allow,RELAYCLIENT="",SMTPD_GREETDELAY="0" 

disable the greetdelay effect for all public internet IPs?

Does this disable greet delay because you set it to zero seconds?

Thanks

Marco Varanda

Greetdelay

It disables the greetdelay just for the mentioned IP 0.0.0.0, which is the server's IP, because it has a 0 value.

Edit: setting GREETDELAY in your tcp rules overrides the default value in your qmail-smtpd run file.

Greetdelay

Sorry for insisting,

I think 0.0.0.0 is a reference to any public IP.

In other words, if my IP tries to send data before the greeting, 0.0.0.0 will accept it with no delay.

Am I wrong?

- varanda

Greetdelay

No, 0.0.0.0 is the IP of your localhost (if not sure you can google for it).