ucspi-tcp6

Hello, I'm having issues with tcpserver and SMTP.

I ran: telnet localhost 25 -> everything works fine and responds quickly (due to the tcp.smtp configuration)

172.31.51.21:allow,RELAYCLIENT="",SMTPD_GREETDELAY="0"
0.0.0.0:allow,RELAYCLIENT="",SMTPD_GREETDELAY="0"
127.:allow,RELAYCLIENT="",SMTPD_GREETDELAY="0"
:allow,CHKUSER_WRONGRCPTLIMIT="3"

But if I make a connection from host 172.31.51.21, I get a 30-second delay until receiving the 220 mihost.com ESMTP response.

I checked the rules:

TCPREMOTEIP=172.31.51.21 tcprulescheck /var/qmail/control/tcp.smtp.cdb 
tcprulescheck: info: TCPREMOTEIP: 172.31.51.21 TCPREMOTEHOST: 
rule 172.31.51.21:
set environment variable RELAYCLIENT=
set environment variable SMTPD_GREETDELAY=0
allow connection

Any idea what it could be?

tcpserver -v -R -l mihost.com -x /var/qmail/control/tcp.smtp.cdb -c 200 -u 89 -g 89 0 25 /var/qmail/bin/qmail-smtpd /bin/true

Thanks

sorry if I ask, but the only cause that comes in mind is that the compilation of tcp.smtp.cdb failed due to some syntax error in the file, so tcp.smtp is not aligned with the cdb file.

do you get any error when you do qmailctl cdb?

I add -H parameter at tcpserver  and fix it, but i dont´t know if is correct

Regards

weird... -H in capital letter is not an option according to the official guide here https://www.fehcom.de/ipnet/tcpserver.html 

man tcpserver

      -H     Do not look up the remote host name

Thank you. So you could have a dns delay, that you could spot with strace

Hello, I am installing ucspi-tcp6-1.13.04 on Debian 12. The compilation works fine, but the installation fails (the symbolic links are not created in /usr/local/bin).
To fix this issue, I made a change in the package/upgrade file. I am attaching a patch with the modification I made. I send patch to developer!

To apply :

cd  net/ucspi-tcp6/ucspi-tcp6-1.13.04/package
patch upgrade < patch-ln-upgrade.patch

Copy this lines into patch-ln-upgrade.patch

--- upgrade     2025-08-01 08:20:57.965031960 -0300 
+++ upgrade1    2025-08-01 08:21:32.769252507 -0300 
@@ -105,7 +105,7 @@ 
    for j in $commands 
    do 
      k=${j%:} 
-      [ "$j" = "$k:" ] && \ 
+      [ "$j" = "$k" ] && \ 
      shout "linking command $k into $i" && \ 
      safe rm -f $i/$k'{new}' && \ 
      safe ln -s $command/$k $i/$k'{new}' && \

thanks for letting me know. Now the links are created.

Do you get this error as well?

package/man: Setting manual man-dir: /usr/share/man. 
make: *** No rule to make target 'addcr.1', needed by 'addcr.0'.  Stop. 
package/man: fatal: cannot make

This is a log with no error,  source code patched before compilation.
https://pastebin.com/HqLVXV6q

But if I try to compile it again, I get the error you mentioned. (But can't try fix)

package/man: Setting manual man-dir: /usr/share/man. 
make: *** No hay ninguna regla para construir el objetivo 'addcr.1', necesario para 'addcr.0'.  Alto. 
package/man: fatal: cannot make

I informed Erwin Hoffmann about the issue. I think he will correct it as soon as possible

I'm following these steps in Slackware current but it stopped in chkshsg error:

./chkshsgr: error while loading shared libraries: libdnsresolv.so: cannot open shared object file: No such file or directory

libdnsresolv.so is inside /usr/local/qlibs. I added that dir in my /etc/ld.so.conf and runned "ldconfig". And the library was found.

I suppose that I have to adjust the fehqlibs installation path to avoid this error...

uh... I get the same error with slackware current with latest fehqlibs... I have to investigate...

Sorry ,  is it support to get real IP under loadblance?

LB => mail server(ucspi-tcp6).

I think no, but you should ask to the author of the program

How about installing ucspi-ssl? https://www.fehcom.de/ipnet/ucspi-ssl.html

if I remember well (correct me if I am wrong) ucspi-ssl is needed to encrypt a connection on 465 port, but in my installation I already have the 587 port TLS secured (qmail-tls patch), so I think this is not needed here.

Update is needed. New version available: 1.10.6. It requires the installation of fehQlibs-12.

https://www.fehcom.de/ipnet/ucspi-tcp6.html

https://www.fehcom.de/ipnet/qlibs.html

Thank you, I knew about this new feqlibs based version... is it working fine for you?

Hello ,

I have a problem with rblsmptd on Centos 7.2 and Centos 7.3. Perhaps this problem is related to ucspi-tcp6 with patch given above.

After starting /usr/local/bin/rblsmtp I got error:

kernel: rblsmtpd[27381]: segfault at 0 ip 0000000000405fe8 sp 00007fff6a8fe698 error 4 in rblsmtpd[400000+a000]

..but wiith following installation everithing works fine:

cd /usr/local/src/
tar -xzvf ucspi-tcp-0.88.tar.gz
cd ucspi-tcp-0.88
patch < /usr/local/src/netqmail-1.06/other-patches/ucspi-tcp-0.88.errno.patch
make
make setup check

I had this problem with  ucspi-tcp6-1.12.3.tgz. When I was executing tcprules:

tcprules: error while loading shared libraries: libqlibs.so

But with your solution with 0.88 version + patch now is working ok, thanks!

It failed in finding fehqlibs

which version of ucspi-tcp6 are you using?

I tried both ucspi-tcp6-1.02.tgz and  ucspi-tcp6-1.04.tgz. After starting command from terminal I got this:

[root@mailsrv ucspi-tcp6-1.04]# /usr/local/bin/rblsmtpd
Segmentation fault

and in logs I had this:

kernel: rblsmtpd[27381]: segfault at 0 ip 0000000000405fe8 sp 00007fff6a8fe698 error 4 in rblsmtpd[400000+a000]

Also, I am using Centos7 x86_64.

Thank you,

Alex

I don't think this is the proper way to test rblsmtpd from the command line, as it runs at least a prog. Take a look to the man page

Unfortunately, this error:

rblsmtpd[10523]: segfault at 0 ip 0000000000406028 sp 00007fff37919388 error 4 in rblsmtpd[400000+a000] 

still exists when is run by qmail. Server continually deny messages with 451 code.

ok, can you share your run file, please?

Sure, here it is:

#!/bin/sh

QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
SOFTLIMIT=`cat /var/qmail/control/softlimit`

# This enables chkuser

export CHKUSER_START=ALWAYS

# This turns off TLS on port 25

export DISABLETLS="1"

exec /usr/local/bin/softlimit -m "$SOFTLIMIT" \

    /usr/local/bin/tcpserver -v -H -R -l 0 \
    -x /home/vpopmail/etc/tcp.smtp.cdb -c "$MAXSMTPD" \
    -u "$QMAILDUID" -g "$NOFILESGID" 0 25 \
    /usr/local/bin/rblsmtpd -W \
        -b -r zen.spamhaus.org \
        -b -r bl.spamcop.org \
    /var/qmail/bin/qmail-smtpd 2>&1

I, also tried with differnet links other than zen.spamhaus.org and bl.spamcop.org.

did you define the GREETDELAY variable? This is important since you have the -W parameter and rblsmtps is looking for a non null value

Also consider that the reference page for rblsmtpd is changed like follows http://www.fehcom.de/ipnet/ucspi-tcp6/rblsmtpd.html (I'm going to correct mypage as well)

I removed -W  and output was the same. I also tried with GREETDELAY variable, but without success.

I think there is some problem with my OS distribution (Centos 7) and ucspi-tcp6, because when I run command from terminal with installed ucspi-tcp-0.88 I get following message: 

[root@mailsrv ucspi-tcp-88]# /usr/local/bin/rblsmtpd
rblsmtpd: usage: rblsmtpd [ -b ] [ -R ] [ -t timeout ] [ -r base ] [ -a base ] smtpd [ arg ... ]

I also tried, qmail-rblcheck addon and it works fine, so I will switch to it until I find solution.

Thank you very much for your help,

Alex

I also get an error like that when running rblsmtpd from command line, but I think it can be normal, as some environment variables that the program is expecting are missing.

If you decide to switch to another RBL program, I suggest you to consider qmail-dnsbl (http://notes.sagredo.eu/node/162) as qmail-rblcheck's configuration that I present here is not fully tested (I played with it ages ago) and I guess it is not even maintained these days

Thank you very much, qmail-rblcheck works excellent

I just made some test with rblsmtpd and it works as expected. 

Let me know if solve, or if you find a way to test it from the command line

Hi, I'm trying to secure as deeply as possible my centos 6.7 mailbox. I still have to compile the latest qmail patched version from Roberto, in the meanwhile I upgraded from ucspi-ssl-0.84 to ucspi-ssl-0.95b, in order to secure my sslserver-based submission services (465 / 587). Will let you know how it works; any other security hint is warmly welcome ;-)

When doing

package/install

Install ucspi-tcp6
----
./load chkshsgr
/usr/bin/ld: cannot find crt1.o: No such file or directory
/usr/bin/ld: cannot find crti.o: No such file or directory
/usr/bin/ld: skipping incompatible /usr/lib/gcc/i486-linux-gnu/4.7/libgcc.a when searching for -lgcc
/usr/bin/ld: cannot find -lgcc
/usr/bin/ld: skipping incompatible /usr/lib/gcc/i486-linux-gnu/4.7/libgcc_s.so when searching for -lgcc_s /usr/bin/ld: cannot find -lgcc_s
/usr/bin/ld: cannot find -lc
/usr/bin/ld: skipping incompatible /usr/lib/gcc/i486-linux-gnu/4.7/libgcc.a when searching for -lgcc
/usr/bin/ld: cannot find -lgcc
/usr/bin/ld: skipping incompatible /usr/lib/gcc/i486-linux-gnu/4.7/libgcc_s.so when searching for -lgcc_s /usr/bin/ld: cannot find -lgcc_s
/usr/bin/ld: cannot find crtn.o: No such file or directory
collect2: error: ld returned 1 exit status
make: *** [chkshsgr] Error 1
compile: fatal: cannot make it-base

I have solve problem with remove option  into src/conf-ld  "-m64 "

I would try to reinstall glibc, as crti.o is part of that pkg..

take a look at this as well: http://stackoverflow.com/questions/6329887/compiling-problems-cannot-find-crt1-o, http://stackoverflow.com/questions/91576/crti-o-file-missing

compiles ok under amd64

under i386 debian it's still giving me this:

./load chkshsgr
/usr/bin/ld: i386 architecture of input file `chkshsgr.o' is incompatible with i386:x86-64 output
collect2: error: ld returned 1 exit status
make: *** [chkshsgr] Error 1
compile: fatal: cannot make it-base

maybe the library was written with 64 bit support in mind....

In 32bit system, you have to remove the flag "-m64"  in src/conf-ld.

Then try package/install again, and it will be ok.

I'm successfully compiling both on 64 and 32 bit.

In case you are not interested in the new IPv6 features of ucspi-tcp6, you can try to install the old bernstein's ucspi-tcp 0.88 program, following this page of my guide.