Patching qmail

Changelog

The complete changelog is inside the patch file.

  • 2014-11-20
    - SSLv3 has been switched off for the auth connection for security reasons (thanks to Florian)
  • 2014-11-15
    - modified the QUEUE_EXTRA variable in extra.h to record the Message-ID in qmail-send's log. Thanks to Simone for the hint.
  • 2014-04-14
    - added the qmail-maxrcpt patch, which allows you to set a limit on how many recipients may be specified
  • 2014-03-10
    - added the qmail-smtpd-liberal-lf patch, which allows qmail-smtpd to accept messages that are terminated with a single \n instead of the required \r\n sequence. This should avoid some "read failed" rejects.
  • 2013-12-30
    - added the qmail-SRS patch. You have to install libsrs2 now.
    - the character "=" in the sender address is now considered valid by chkuser in order to accept SRS
  • 2013-12-18
    - added the qmail-date-localtime patch
    - added the qmail-hide-ip patch
    - the original greetdelay by e.h. has been replaced with the improved patch by John Simpson. Connections that try to send commands before the greeting will now be closed. Premature disconnections will be logged as well.
    - CHKUSER_SENDER_FORMAT enabled to reject fake senders without any domain declared (like <foo>)
    - chkuser logging: I slightly modified the log line, adding the variables' names, just to make it easier to interpret
    - added the qmail-moreipme patch
    - added the qmail-dnsbl patch (more info here)
  • 2013-12-05
    - added two patches to make qmail rfc2821 compliant
  • 2013-11-23
    - added the any-to-cname patch

I have created a combined patch including the latest versions of several commonly-used qmail patches:

[Follow the patch details here]

Other patches:

You're invited to take a look at the next page of this guide, which presents several tests for these patches toward the bottom of the page.

NB: first of all, you must have a valid MX record for your /var/qmail/control/me domain, otherwise you'll get errors when trying to send to ~alias/qmail-log (more info here).

Installing libdomainkeys

This library is a prerequisite of the DKIM patch by Manvendra Bhangui, which is part of my package. You must compile this, otherwise the compilation will break.

cd /usr/local/src
wget http://notes.sagredo.eu/sites/notes.sagredo.eu/files/qmail/tar/libdomainkeys-0.69.tar.gz
tar xzf libdomainkeys-0.69.tar.gz
wget http://notes.sagredo.eu/sites/notes.sagredo.eu/files/qmail/patches/libdomainkeys-0.69.diff
ln -s libdomainkeys-0.69 libdomainkeys
cd libdomainkeys
chown -R root.root .
patch < ../libdomainkeys-0.69.diff
make
cd ../

Installing libsrs2

This library is a prerequisite of the SRS patch, which is part of my package. You must install this, otherwise the compilation will break.

wget http://www.libsrs2.org/srs/libsrs2-1.0.18.tar.gz
tar xzf libsrs2-1.0.18.tar.gz
cd libsrs2-1.0.18
./configure
make
make install
ldconfig
cd ../

Be sure that libsrs2 is actually found by the dynamic linker, otherwise qmail-send will crash over and over in an endless loop and you will end up with a self-inflicted DoS:

> ldconfig -p|grep libsrs2
        libsrs2.so.0 (libc6,x86-64) => /usr/local/lib/libsrs2.so.0
        libsrs2.so (libc6,x86-64) => /usr/local/lib/libsrs2.so

In case you decided to install the libsrs2 library by means of a package provided by your Linux distribution, you should check the path where the library's header was installed. Check whether the file /usr/local/include/srs2.h actually exists; if not, you may have to modify srs.c in the netqmail source dir, replacing the include line

#include </usr/local/include/srs2.h>

with the path your distribution uses, for example

#include </usr/include/srs2.h>

Apply the patch

wget http://notes.sagredo.eu/sites/notes.sagredo.eu/files/qmail/patches/roberto-netqmail-1.06.patch-latest.gz
cd netqmail-1.06
gunzip -c ../roberto-netqmail-1.06.patch-latest.gz | patch

Configuring chkuser

The combined patch you downloaded has chkuser enabled. It’s configured to perform recipient verification and MAV (Mail From: Address Verification). 

You can customize your configuration by editing the chkuser_settings.h file (in /usr/local/src/netqmail-1.06) before compiling qmail. In order to enable chkuser, the following line must be commented out:

#define CHKUSER_STARTING_VARIABLE "CHKUSER_START"

Uncomment to enable the check of user and domain format for sender address. This will reject fake senders without any domain declared (like <foo>).

#define CHKUSER_SENDER_FORMAT

Uncomment to enable checking of domain MX for rcpt addresses

#define CHKUSER_RCPT_MX

Uncomment to enable checking of domain MX for sender address

#define CHKUSER_SENDER_MX

This enables usage of "#" and "+" characters within sender address. It is used by SRS (Sender Rewriting Scheme) products.

As far as my MTA is concerned, this solved an "invalid sender address format" reject message prompted by an email address of a mailman mailing list.

#define CHKUSER_ALLOW_SENDER_SRS

force-tls variables

By default the authentication will be denied if the client does not provide the STARTTLS command. If you want to allow connections without TLS, just do

export FORCETLS=0

in your run file. Values other than 0 (or not declaring this variable at all) will force TLS before the auth.

qmail-auth variables

By default the auth is allowed with the LOGIN or PLAIN mechanism. You are invited to look at the README.auth file for further details concerning the use of the SMTPAUTH environment variable, especially if you want to use CRAM-MD5.

Recompiling qmail

The BIG-TODO patch included in my combined patch may require that your queue be rebuilt. So be aware that all existing messages in the queue will be destroyed when you erase the queue below.

To discover if your qmail has messages in the queue:

> qmailctl stat

/service/qmail-send: up (pid 18127) 6 seconds
/service/qmail-send/log: up (pid 18134) 6 seconds
/service/qmail-smtpd: up (pid 18126) 6 seconds
/service/qmail-smtpd/log: up (pid 18135) 6 seconds
/service/qmail-submission: up (pid 18131) 6 seconds
/service/qmail-submission/log: up (pid 18132) 6 seconds
/service/vpopmaild: up (pid 18129) 6 seconds
/service/vpopmaild/log: up (pid 18128) 6 seconds
messages in queue: 0
messages in queue but not yet preprocessed: 0

If this will be the first time you install the combined patch (which contains the BIG-TODO patch), you’ll need to take these steps:

qmailctl stop
rm -r /var/qmail/queue

Now compile qmail:

make

If qmail is running stop the services before installing:

qmailctl stop

Finally install and start qmail:

make setup check
qmailctl start

Creating an SSL key file

If you don’t want to enable SMTP relay (using SMTP/TLS access), you can skip this section.

To secure the smtp authentication you must create the SSL certificate. The certificate must be owned by the user who runs qmail-smtpd, in our case vpopmail.

> make cert

Generating a 1024 bit RSA private key
..................++++++
.......++++++
writing new private key to '/var/qmail/control/servercert.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IT
State or Province Name (full name) [Some-State]:Italy
Locality Name (eg, city) []:Cagliari
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your Name
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:smtp.yourdomain.net
Email Address []:postmaster@yourdomain.net

> make tmprsadh
> chown vpopmail.vchkpw /var/qmail/control/*.pem

It is important that the “Common Name” matches the domain name that your email clients will specify as their SMTP server.

Now let’s create a cronjob to update the certificate every day:

> crontab -e

03 05 * * * /var/qmail/bin/update_tmprsadh > /dev/null 2>&1

Important: If you run qmail-submission as a user other than vpopmail, and you’re installing my combined patch, you must adjust /var/qmail/bin/update_tmprsadh accordingly. Otherwise you’ll probably exceed the connection timeout due to privilege problems, and won’t be able to send messages when connected remotely.

Combined patch details

qmail-authentication

It provides cram-md5, login, plain authentication support for qmail-smtpd (port 587) and qmail-remote.

qmail-tls

It implements SSL or TLS encrypted and authenticated SMTP between the MTAs and from MUA to MTA. I have adjusted the file update_tmprsadh to chown the .pem files to vpopmail, which runs qmail-smtpd.
The SSLv3 connection was switched off because of security reasons (thanks to Florian).

You may be interested to take a look at the page concerning smtp-auth and TLS testing here.

force-tls

optionally gets qmail to require TLS before authentication to improve security.

chkuser

performs recipient verification and Mail From: Address Verification (MAV).

You may be interested to take a look at this page concerning chkuser testing.

qmail-queue-custom-error.patch

Enables simscan and qmail-dkim to return the appropriate message for each e-mail it refuses to deliver. Simscan rejects with the name of the virus or the spam-score; qmail-dkim rejects with the verification failure message.

qmail-SPF

  • Author: Christophe Saout. Patch modified by Manvendra Bhangui to make it handle IPv4-mapped IPv6 addresses.
  • Info: http://www.saout.de/misc/spf/
  • Version rc5

It can check incoming mails inside the SMTP daemon, add Received-SPF lines and optionally block undesired transfers.

qmail-SRS

implements the Sender Rewriting Scheme, fixing the SPF breakage caused by email forwarding. To enable SRS, read the configuration instructions above carefully.

Oversize DNS

This patch enables qmail to handle large DNS packets.

Reread concurrency patch

rereads control/concurrencylocal and control/concurrencyremote files when qmail-send receives a HUP signal.

Big Concurrency patch

It sets the spawn limit above 255.

Big Concurrency fix

Fixes a compiler error if you set concurrency higher than 509 in /usr/local/src/netqmail-1.06/conf-spawn.

maildir++ patch

adds maildirquota support to qmail-pop3d and qmail-local.

Better qmail-smtpd Logging patch

Facilitates diagnosis by making qmail-smtpd log its actions and decisions (search for a line starting with qmail-smtp:). This is useful for discovering fake IP addresses with bad HELOs when qmail-smtpd otherwise doesn't log anything.

Greeting delay patch

  • Author: John Simpson (?)
  • Download here
  • More info here

adds a user-definable delay after SMTP clients have initiated SMTP sessions, prior to qmail-smtpd responding with "220 ESMTP". It can reject connections from clients which tried to send commands before the greeting. You can control the delay via the environment variable SMTPD_GREETDELAY (it was GREETDELAY in the original patch). A value of SMTPD_GREETDELAY="30" will delay qmail-smtpd's response for 30 seconds.

DKIM and SURBL patch

adds DKIM signing & verification support to qmail at both the qmail-smtpd and the qmail-remote/local level, and SURBL filtering support to qmail.
The file hier.c has been modified to chown /var/qmail/control/cache and its subdirs to vpopmail.

EXT-TODO patch

addresses a problem known as the silly qmail (queue) problem.

BIG-TODO patch

Makes qmail use a hashing mechanism in the todo folder similar to that used in the rest of the queue.

qmail-inject-null-sender patch

Prevents qmail-inject from rewriting the null sender, fixing an issue with sieve vacation/reject messages.

doublebounce-trim patch

Prevents double bounces from hitting your queue a second time provided that you delete the first line from /var/qmail/control/doublebounceto

esmtp-size patch

Enables qmail-smtpd to reject messages if they’re larger than the maximum number of bytes allowed (you can set this value in the /var/qmail/control/databytes control file).

qmail-tap

Provides the ability to archive each email that flows through the system.

qmail-remote CRLF patch

Enables qmail-remote to handle CR (\r) properly, always sending the line breaks as CRLF (\r\n) and avoiding doubling the CR (as qmail-remote normally does). This often caused me a broken header when forwarding messages by means of a sieve rule.

outgoingip patch

  • Author: Andy Repton (adjusted by Sergio Gelato)
  • Original patch: http://www.qmail.org/outgoingip.patch
  • Robbie Walker provided a patch to correct qmail-qmqpc.c's call to timeoutconn(), because the function signature was modified by the original outgoingip patch

By default all outgoing emails are sent through the first IP address on the interface. On a server with multiple IP addresses this patch makes qmail send outgoing emails from the IP address stored in control/outgoingip, if that file exists. The ehlo domain is NOT modified by this patch.

qmail-bounce patch

limits the size of bounces. The default limit for bounces is 50000 bytes, but you can create the file control/bouncemaxbytes in order to change that number.

qmail-smtpd pid, qp log patch

makes qmail-smtpd log a line similar to the following:

@4000000039b89c95026a89b4 mail recv: pid 8155 from <name@domain.xy> qp 8157

The pid allows you to match the message up with a given tcpserver process and the qp lets you find a particular delivery.

any-to-cname

avoids qmail getting large amounts of DNS data we have no interest in and that may overflow our response buffer.

qmail-rfc2821 patch

makes qmail rfc2821 compliant

smtpd-502-to-500 patch

  • Author: Jonathan de Boyne Pollard
  • Original patch: local copy
  • More info here

makes qmail rfc2821 compliant

qmail-dnsbl patch

allows you to reject spam and viruses based on the sender's IP address. I added a line to make qmail-smtpd log the reject reason as well as the envelope, to facilitate diagnostics.

qmail-moreipme patch

prevents a problem caused by an MX or other mail routing directive instructing qmail to connect to itself without realizing it's connecting to itself, saving CPU time.

qmail-hide-ip-headers

  • Author: Alex Nee
  • Download here

It hides your private or public IP address in the email headers when you send mail as a relay client.

qmail-date-localtime patch

  • Author: John Saunders
  • Download here

causes the various qmail programs to generate date stamps in the local timezone.

qmail-liberal-lf patch

allows qmail-smtpd to accept messages that are terminated with a single \n instead of the required \r\n sequence.

qmail-maxrcpt

allows you to set a limit on how many recipients may be specified for any one email message by setting control/maxrcpt. RFC 2821 section 4.5.3.1 says that an MTA MUST accept at least 100 recipients per message; sending to a large number of recipients at once is one of the favourite tricks of spammers, so keep both in mind when choosing the limit.
I slightly modified the patch so that it also logs its response.

queue-extra

I modified extra.h to record the Message-ID in the qmail-send log as explained here towards the bottom of the page. An alias ~alias/.qmail-log had to be added as well to store the awk command with the regex which retrieves the Message-ID.
Thanks to Simone for the hint.

Be aware that you must have a valid MX record for your FQDN (look at /var/qmail/control/me).

The qmail-send log now appears as follows:

2014-11-05 12:00:47.930384500 status: local 1/10 remote 1/20
2014-11-05 12:00:47.952694500 delivery 11: success: Received:_(qmail_17359_invoked_by_uid_89);_5_Nov_2014_12:00:47_+0100/Received:_(qmail_17359_invoked_by_uid_89);_5_Nov_2014_12:00:47_+0100/Received:_from_unknown_(HELO_mx.test.net)_(1.2.3.4)/Received:_from_unknown_(HELO_mx.test.net)_(1.2.3.4)/__by_0_with_ESMTPS_(DHE-RSA-AES256-GCM-SHA384_encrypted);_5_Nov_2014_12:00:47_+0100/Received:_(qmail_17349_invoked_by_uid_89);_5_Nov_2014_12:00:47_+0100/Received:_(qmail_17349_invoked_by_uid_89);_5_Nov_2014_12:00:47_+0100/Received:_from_unknown_(HELO_mail-wg0-f47.google.com)_(74.125.82.47)/Received:_from_unknown_(HELO_mail-wg0-f47.google.com)_(74.125.82.47)/__by_0_with_ESMTPS_(RC4-SHA_encrypted);_5_Nov_2014_12:00:46_+0100/Received:_by_mail-wg0-f47.google.com_with_SMTP_id_a1so597995wgh.6/Received:_by_mail-wg0-f47.google.com_with_SMTP_id_a1so597995wgh.6/Received:_by_mail-wg0-f47.google.com_with_SMTP_id_a1so597995wgh.6/________for_<info@test.net>;_Wed,_05_Nov_2014_03:00:48_-0800_(PST)/X-Received:_by_10.180.23.98_with_SMTP_id_l2mr4797959wif.51.1415185247978;_Wed,/X-Received:_by_10.180.23.98_with_SMTP_id_l2mr4797959wif.51.1415185247978;_Wed,/Received:_by_10.27.203.139_with_HTTP;_Wed,_5_Nov_2014_03:00:47_-0800_(PST)/Received:_by_10.27.203.139_with_HTTP;_Wed,_5_Nov_2014_03:00:47_-0800_(PST)/Date:_Wed,_5_Nov_2014_12:00:47_+0100/Message-ID:_<CAD=Xf-WdCFwED9DiMqRj=bUR5RsRA9mPah1OXgA-tB1ffk-3sw@mail.gmail.com>/Message-ID:_<CAD=Xf-WdCFwED9DiMqRj=bUR5RsRA9mPah1OXgA-tB1ffk-3sw@mail.gmail.com>/Subject:_dasda/From:_xxx_<someone@@gmail.com>/From:_xxx_<someone@gmail.com>/To:_info@test.net/---/did_0+0+2/
2014-11-05 12:00:47.952726500 status: local 0/10 remote 1/20
2014-11-05 12:00:48.326103500 delivery 12: success: 1.2.3.4_accepted_message./Remote_host_said:_250_ok_1415185248_qp_17366/
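As an added example (not code from this page or from the qmail patches), the POSIX shell helpers below parse the "mail recv: pid ... qp ..." line of the qmail-smtpd pid/qp patch and the queue-extra format of the qmail-send log shown above, and follow the chain SMTP session -> qp -> msg number -> deliveries -> Message-ID. The log lines inside the block are constructed, modelled on the samples above; the addresses, hostname and Message-ID are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original page or of the qmail patches: helpers
# that read the log lines produced by the patches described above (the pid/qp
# line of the qmail-smtpd pid/qp patch and the queue-extra Message-ID logging
# in qmail-send) and tie an SMTP session to its deliveries and Message-ID.
# All log lines used here are constructed, modelled on the page's samples.

# qmail-smtpd pid/qp line "mail recv: pid P from <sender> qp Q" -> "P Q sender".
smtpd_recv_session() {
    printf '%s\n' "$1" |
        sed -n 's/.*mail recv: pid \([0-9]*\) from <\([^>]*\)> qp \([0-9]*\).*/\1 \3 \2/p'
}

# qmail-send log on stdin: "info msg M: bytes B from <s> qp Q uid U" gives the
# msg number M created by the qmail-queue process with pid Q ($1); that qp
# value is what links the qmail-smtpd line to the qmail-send log.
msg_for_qp() {
    sed -n "s/.*info msg \([0-9]*\): bytes [0-9]* from <[^>]*> qp $1 uid .*/\1/p"
}

# qmail-send log on stdin: "starting delivery N: msg M to local|remote ADDR"
# -> "N ADDR" for every delivery that belongs to msg M ($1).
deliveries_for_msg() {
    sed -n "s/.*starting delivery \([0-9]*\): msg $1 to [a-z]* \(.*\)/\1 \2/p"
}

# One line "delivery N: success|failure|deferral: ..." -> "N status".
# "starting delivery" lines do not match (no status word followed by ':').
delivery_result() {
    printf '%s\n' "$1" | sed -n 's/.*delivery \([0-9]*\): \([a-z]*\):.*/\1 \2/p'
}

# queue-extra success line: the headers are joined by "/" with spaces turned
# into "_", so the field reads "Message-ID:_<...>".  Prints the id; returns 1
# when absent (remote deliveries only log the remote host's reply).
msgid_from_send_log() {
    id=$(printf '%s\n' "$1" | sed -n 's/.*Message-ID:_\(<[^>]*>\).*/\1/p')
    [ -n "$id" ] || return 1
    printf '%s\n' "$id"
}

# Whole qmail-send log on stdin -> "N status message-id" per delivery result,
# with "-" where the line carries no Message-ID.
summarize_send_log() {
    while IFS= read -r line; do
        res=$(delivery_result "$line")
        [ -n "$res" ] || continue
        id=$(msgid_from_send_log "$line") || id='-'
        printf '%s %s\n' "$res" "$id"
    done
}

# $1: qmail-smtpd "mail recv" line, $2: qmail-send log text from the same
# qmail-send run (delivery numbers restart when qmail-send restarts).  Prints
# "qp Q msg M" and then one "delivery N ADDR status message-id" line each.
trace_session() {
    sess=$(smtpd_recv_session "$1")
    [ -n "$sess" ] || return 1
    qp=${sess#* }; qp=${qp%% *}
    msg=$(printf '%s\n' "$2" | msg_for_qp "$qp")
    [ -n "$msg" ] || return 1
    printf 'qp %s msg %s\n' "$qp" "$msg"
    summary=$(printf '%s\n' "$2" | summarize_send_log)
    printf '%s\n' "$2" | deliveries_for_msg "$msg" | while read -r n addr; do
        res=$(printf '%s\n' "$summary" | grep "^$n ") || res="$n pending -"
        printf 'delivery %s %s %s\n' "$n" "$addr" "${res#$n }"
    done
}

# Constructed sample lines (placeholder addresses, host and Message-ID).
SMTPD_LINE='@4000000039b89c95026a89b4 mail recv: pid 8155 from <alice@example.net> qp 8157'
SEND_LOG='@4000000039b89c95026a89b4 info msg 2754774: bytes 1228 from <alice@example.net> qp 8157 uid 89
@4000000039b89c9502710d3c starting delivery 1: msg 2754774 to local log@example.net
@4000000039b89c9502710d3c starting delivery 2: msg 2754774 to remote bob@example.org
@4000000039b89c9503000000 delivery 1: success: Received:_(qmail_8157_invoked_by_uid_89);_5_Nov_2014_12:00:47_+0100/Message-ID:_<20141105120047.ABC123@example.net>/Message-ID:_<20141105120047.ABC123@example.net>/Subject:_test/To:_log@example.net/---/did_0+0+2/
@4000000039b89c9504000000 delivery 2: success: 192.0.2.10_accepted_message./Remote_host_said:_250_ok_1415185248_qp_17366/'

trace_session "$SMTPD_LINE" "$SEND_LOG"
```

Run it against real logs by piping the output of tai64nlocal (or the raw @4000... lines, both match) into the functions; only the log of the qmail-send run that accepted the message is meaningful, because delivery numbers restart with qmail-send.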

Comments

qmail-send fail

Dear Roberto

I completely followed your notes, my email server can send email to another domain but cannot deliver to a local account.

I've tried to send from huyenha to nxhuy (2 accounts already created and logged in successfully) but it said:

failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/

qmail-send log:

@4000000054832f6635627354 new msg 2754774
@4000000054832f6635627b24 info msg 2754774: bytes 1228 from <huyenha@4trust.vn> qp 2158 uid 89
@4000000054832f6635627f0c starting delivery 1: msg 2754774 to local log@4trust.vn
@4000000054832f6635627f0c status: local 1/10 remote 0/20
@4000000054832f66356282f4 starting delivery 2: msg 2754774 to local nxhuy@4trust.vn
@4000000054832f66356282f4 status: local 2/10 remote 0/20
@4000000054832f66358539ac delivery 2: failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/
@4000000054832f6635e71474 status: local 1/10 remote 0/20
@4000000054832f6635f5b2a4 delivery 1: success: Received:_(qmail_2158_invoked_by_uid_89);_6_Dec_2014_11:31:24_-0500/Received:_(qmail_2158_invoked_by_uid_89);_6_Dec_2014_11:31:24_-0500/Received:_by_simscan_1.4.0_ppid:_2149,_pid:_2151,_t:_0.0077s/Received:_by_simscan_1.4.0_ppid:_2149,_pid:_2151,_t:_0.0077s/Received:_from_unknown_(HELO_mail.4trust.vn)_()/Received:_from_unknown_(HELO_mail.4trust.vn)_()/__by_0_with_SMTP;_6_Dec_2014_11:31:24_-0500/Date:_Sat,_06_Dec_2014_23:31:24_+0700/From:_huyenha@4trust.vn/To:_nxhuy@4trust.vn/Subject:_Re:_Fwd:_ssdfadf/In-Reply-To:_<e8dd61a49b9a353705819b4d656a3cbc@4trust.vn>/References:_<01988b8baeb0552fb9b3e52dbf482e6a@4trust.vn>/_<e8dd61a49b9a353705819b4d656a3cbc@4trust.vn>/Message-ID:_<8e9696acc4134d69e84119c5567ac871@4trust.vn>/Message-ID:_<8e9696acc4134d69e84119c5567ac871@4trust.vn>/---/did_0+0+2/
@4000000054832f6635f62bbc status: local 0/10 remote 0/20
@4000000054832f670250cbdc bounce msg 2754774 qp 2167
@4000000054832f670250d3ac end msg 2754774

Please help me!

I realise that in qmail-send

I realise that in qmail-send log:

@4000000054832f66356282f4 starting delivery 2: msg 2754774 to local nxhuy@4trust.vn

must be:

@4000000054832f66356282f4 starting delivery 2: msg 2754774 to local 4trust.vn-nxhuy@4trust.vn

So I delete the domain and re-add, now it can deliver to local account.

But that generate another error that can't deliver to "log alias" for qmail-tap function

@400000005483d6841bf4da4c new msg 2754788
@400000005483d6841bf4de34 info msg 2754788: bytes 628 from <huyenha@4trust.vn> qp 11658 uid 89
@400000005483d6841bf4e21c starting delivery 1: msg 2754788 to local 4trust.vn-log@4trust.vn
@400000005483d6841bf4e604 status: local 1/10 remote 0/20
@400000005483d6841bf4e9ec starting delivery 2: msg 2754788 to local 4trust.vn-nxhuy@4trust.vn
@400000005483d6841bf4e9ec status: local 2/10 remote 0/20
@400000005483d6841ccb8f24 delivery 1: failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/
@400000005483d6841ccb96f4 status: local 1/10 remote 0/20
@400000005483d6841cced314 delivery 2: success: did_0+0+1/
@400000005483d6841cced6fc status: local 0/10 remote 0/20
@400000005483d6842401182c bounce msg 2754788 qp 11669
@400000005483d6842401c40c end msg 2754788

I think this is because my

I think this is because my patch creates an alias /var/qmail/alias/.qmail-log which uses the same address as your tap address (http://notes.sagredo.eu/node/82#queue-extra). This alias is needed to improve the log of qmail-send. You can solve it by changing the tap address.


qmail-log alias

Hi Roberto ,

I have followed your excellent guide and installed my server. The issue is that for every mail that is sent or received it is trying to send a copy to some log alias. How can I disable that? Below is the message transcript.

Hi. This is the qmail-send program at akhurathacpl.com. I'm afraid I wasn't able to deliver your message to the following addresses. This is a permanent error; I've given up. Sorry it didn't work out. <log@akhurathacpl.com>: Sorry, no mailbox here by that name. (#5.1.1) --- Below this line is a copy of the message. Return-Path: <support@akhurathacpl.com> Received: (qmail 11804 invoked by uid 89); 12 Dec 2014 13:46:33 +0530 Received: by simscan 1.4.0 ppid: 11796, pid: 11799, t: 0.0938s scanners: attach: 1.4.0 clamav: 0.98.5/m:55/d:19764 spam: 3.4.0 Received: from unknown (HELO mail.akhurathacpl.com) (::1) by 0 with SMTP; 12 Dec 2014 13:46:33 +0530 Received-SPF: unknown (0: No IP address in conversation) MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="=_354b252cc407d8efce244ea9bc720ecc" Date: Fri, 12 Dec 2014 13:46:20 +0530 From: support@akhurathacpl.com To: support@akhurathacpl.com Subject: test mail Message-ID: <0703b9b216a5918c3639dcf4dad7d264@akhurathacpl.com> X-Sender: support@akhurathacpl.com User-Agent: Roundcube Webmail/1.0.3 --=_354b252cc407d8efce244ea9bc720ecc Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=US-ASCII test --=_354b252cc407d8efce244ea9bc720ecc Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=UTF-8 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"> <html><body style=3D'font-size: 10pt; font-family: Verdana,Geneva,sans-seri= f'> <p>test</p> <div>&nbsp;</div> </body></html> --=_354b252cc407d8efce244ea9bc720ecc--

Request your help in this regards

Thanks

you can revert this patch

you can revert this patch http://notes.sagredo.eu/node/82#queue-extra

anyway I think you have deleted the ~alias/.qmail-log alias or you don't have a valid mx for your control/me domain. Actually this is not a real mailbox but an alias created in order to improve the qmail-send log, so you may want to continue to use it


qmail-log alias

Ahhh, now I get you. Actually this is a newly created server and I have still not pointed the MX to the new server's IP. Let me check by pointing a valid MX to the server.

Thanks a lot for your precious guidance as always you are a real life saver

I think you have a valid mx

I think you have a valid mx for your domain

$ dig akhurathacpl.com mx

; <<>> DiG 9.9.6-P1 <<>> akhurathacpl.com mx
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36916
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;akhurathacpl.com.              IN      MX

;; ANSWER SECTION:
akhurathacpl.com.       3600    IN      MX      10 mail.net4india.com.

;; Query time: 288 msec
;; SERVER: 213.205.32.70#53(213.205.32.70)
;; WHEN: Fri Dec 12 14:03:12 CET 2014
;; MSG SIZE  rcvd: 65

and are you sure you are

and are you sure you are using my patch? I can't see chkuser in action... is it enabled?


Yes, chkuser in action, this

Yes, chkuser in action, this is qmail-smtpd log:

@4000000054832fc82cfe8ff4 tcpserver: status: 1/20
@4000000054832fc82cffbcbc tcpserver: pid 2222 from ::1
@4000000054832fc82d009f4c tcpserver: ok 2222 0:::1:25 :::1::40420
@4000000054832fc82d3d331c CHKUSER accepted sender: from <huyenha@4trust.vn|remoteinfo/auth:|chkuser-identify:> remote <helo:mail.4trust.vn|remotehostname:unknown|remotehostip:::1> rcpt <> : accepted any sender always
@4000000054832fc82d66a47c CHKUSER accepted rcpt: from <huyenha@4trust.vn|remoteinfo/auth:|chkuser-identify:> remote <helo:mail.4trust.vn|remotehostname:unknown|remotehostip:::1> rcpt <nxhuy@4trust.vn> : found existing recipient
@4000000054832fc8304afbd4 simscan:[2222]:RELAYCLIENT:0.0045s:-:::1:huyenha@4trust.vn:nxhuy@4trust.vn
@4000000054832fc83547c734 mail recv: pid 2222 from <huyenha@4trust.vn> qp 2224
@4000000054832fc83547cb1c qmail-smtpd: message accepted: huyenha@4trust.vn from ::1 to nxhuy@4trust.vn helo mail.4trust.vn
@4000000054832fc907f41454 tcpserver: end 2222 status 0
@4000000054832fc907f41c24 tcpserver: status: 0/20

can you show your

can you show your control/defaultdelivery?


Now it

Now it is:
|/var/qmail/bin/preline -f /usr/local/dovecot/libexec/dovecot/deliver -d $EXT@$USER

I also tried "| /home/vpopmail/bin/vdelivermail '' bounce-no-mailbox"

But the result is the same error

the content of the

the content of the defaultdelivery is

| /home/vpopmail/bin/vdelivermail '' bounce-no-mailbox

without quotes, right?


dovecot issue?

It can be a dovecot issue (you should also look for dovecot-lda errors, especially in the sql driver).

But it's strange that you can't have it working when using vpopmail as deliver. Are there any .qmail overriding the defaultdelivery?

Let's fix vpopmail first of all.


I've change the

I've change the control/defaultdelivery and ~vpopmail/domains/4trust.vn/.qmail_default to | /home/vpopmail/bin/vdelivermail '' bounce-no-mailbox"

But the error is still the same :(

do you have double quotes?

do you have double quotes at the end of that line?


Sorry, It's my mistake, i've

Sorry, it's my mistake, I've removed the double quote and re-tested. The error is still there.

Could it be a qmail's error?

can you send me in a private

can you send me in a private msg an strace of smtp session?


Hi, have you passed the

Hi, have you passed the vpopmail login test from the command line?


I've follow your vpopmail

I've followed your vpopmail auth test at http://notes.sagredo.eu/node/22#vpopmail

the result is ok

telnet localhost 89
Trying ::1...
Connected to localhost.
Escape character is '^]'.
+OK
login nxhuy@4trust.vn 123456
+OK+
vpopmail_dir /home/vpopmail
domain_dir /home/vpopmail/domains/4trust.vn
uid 89
gid 89
name nxhuy
comment nxhuy
quota 524288000S
user_dir /home/vpopmail/domains/4trust.vn/nxhuy
encrypted_password $1$uk0Fi8aE$USOXMa6g9i0Rjgd9vgLx2/
clear_text_password 123456
no_password_change 0
no_pop 0
no_webmail 0
no_imap 0
bounce_mail 0
no_relay 0
no_dialup 0
user_flag_0 0
user_flag_1 0
user_flag_2 0
user_flag_3 0
no_smtp 0
domain_admin_privileges 0
override_domain_limits 0
no_spamassassin 0
delete_spam 0
no_maildrop 0
system_admin_privileges 0
.

forcetls patch

Can you pls let me know how to remove the ForceTls patch from the big patch? I need the auth to work without tls.

Thank you!

read above! :)

read above! :)


DKIM and SRS = fail :-(

Hi,

if you use SRS, DKIM filter fails, as it sets original SENDER domain instead of that specified in SRS. Any suggestions how to fix it?

cheers and thanks for your patches!

S.

Can you post how the headers

Can you post how the headers look like when we you use SRS?

I contacted M.Banghui, the author of the DKIM patch, and he told me that he can fix it.


Sure :)

The DKIM is getting _SENDER  - and SRS is providing to qmail an original Sender domain, instead of the one taken from /var/qmail/control/srs_domain

BTW, why don't you move your awesome patchset to github? It would make things much easier :)

I would declare I can work on IPv6 part, as it is the only (but big) missing thing from your patches.

cheers,

S

Hi, can you do a cut&paste of

Hi, can you do a cut&paste of the headers?

Actually an help on the IPv6 patch would be appreciated, as I have not much time these days, and I'm not an IPv6 expert. As you probably know M.Banghui has merged an IPv6 patch in his DKIM/SURBL and my plan is to add it to my package soon or later :)


qmail-todo problem

Firstly, thanks Roberto for your efforts in creating the patch, but I'm facing a critical problem after I patched qmail 1.6 with your patch: I have found my server load reached 250, and when I checked the processes I found that qmail-todo was consuming CPU terribly. But I don't know why this happened and what I should do, although I have applied the steps and installed qmail successfully.

Re: qmail-todo problem

Hi Kamal,

I assume that you erased your queue in this way before installing the todo-patched qmail for the first time:

qmailctl stop
rm -rf /var/qmail/queue
make setup check

If yes please post a

ps axfuww | grep qmail 

The best way to investigate what qmail-todo is doing is using strace:

strace -Ff -o /tmp/qmail-strace.log -p <pid_of_qmail-todo>

Re: qmail-todo problem

Hi Roberto,

Yes, I already erased the queue as you mentioned. I want to make something clear: I'm using the combined patch "roberto-netqmail1.06.patch-latest", NOT the todo-patch, but the problem is with the qmail-todo process that was consuming CPU.

Kindly find output details below,

strace.log
http://www.mediafire.com/view/9ptwzxri9xpptgr/qmail-strace.log

ps-axfuww.log
http://www.mediafire.com/view/1277h6de1g80xsn/ps-axfuww

Maybe a lbsrs problem did you

Maybe a libsrs problem. Did you successfully install it? Did you ldconfig it?


I think it's not a libsrs

I think it's not a libsrs issue, as in that case the compilation itself will break


Re: qmail-todo problem

it seems to be an infinite loop...

when you stop qmail I would try to kill all those qmail-todo processes which don't belong to qmail-send anymore, and after that erase the existing queue, recompile and restart qmail


Re: qmail-todo problem

I really did that, but unfortunately it is still the same, the load reached 270, and the server was going to explode.

SRS2

Hi,

I am trying out the latest patch with the SRS2. While compiling i had an error

/usr/bin/ld: cannot find -lsrs2
collect2: ld returned 1 exit status
make: *** [qmail-local] Error 1

In the beginning it cannot find the file srs2.h so i download it from http://www.filewatcher.com/p/libsrs2-dev_1.0.18-4_amd64.deb.14658/usr/include/srs2.h.html and copied it to /usr/local/include/

I am on CentOS 6 64 bits.

Thanks for helping.

nic

You need libsrs2

You have to install the libsrs2 libraries, not only the srs.h, see above. Check if they are installed in this way

ldconfig -p|grep libsrs2

Hello, yes I

Hello,

Yes i did.

[root@beyond ~]# ldconfig -p|grep libsrs2
        libsrs2.so.0 (libc6,x86-64) => /usr/lib64/libsrs2.so.0

regards

nic
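An added check that is not part of the thread and does not replace Roberto's point about editing srs.c: `ld: cannot find -lsrs2` means the linker found no `libsrs2.so` (or `libsrs2.a`) in its search path. The `ldconfig -p` output above lists only the soname file `libsrs2.so.0`, which is what a runtime package installs; the unversioned `libsrs2.so` link normally comes from the development package (the CentOS package name `libsrs2-devel` is an assumption) or from `make install` of the libsrs2 tarball. The helper below takes the directories to look in as arguments; the demo builds a scratch directory that mimics nic's system.

```shell
#!/bin/sh
# Added example, not from the thread. "-lsrs2" makes ld look for
# libsrs2.so or libsrs2.a; libsrs2.so.0 alone is not enough to link.

# linkable_lib NAME DIR...  -> prints the file ld would use, or fails
linkable_lib() {
    name=$1; shift
    for d in "$@"; do
        for f in "$d/lib$name.so" "$d/lib$name.a"; do
            [ -e "$f" ] && { printf '%s\n' "$f"; return 0; }
        done
    done
    return 1
}

# Demonstration on a scratch directory that mimics nic's ldconfig output
demo_srs2_link() {
    tmp=$(mktemp -d)
    : > "$tmp/libsrs2.so.0"                  # what the runtime package installs
    if linkable_lib srs2 "$tmp" >/dev/null; then b=yes; else b=no; fi
    ln -s libsrs2.so.0 "$tmp/libsrs2.so"   # what the -devel package (or make install) adds
    if linkable_lib srs2 "$tmp" >/dev/null; then a=yes; else a=no; fi
    rm -rf "$tmp"
    echo "before=$b after=$a"
}

# Live use on a 64-bit CentOS box (directory list is an assumption):
#   linkable_lib srs2 /usr/lib64 /usr/lib /usr/local/lib || echo "install libsrs2-devel"
demo_srs2_link
```

The demo prints `before=no after=yes`. Note that `ldconfig -p` never lists static `.a` archives, so a missing `libsrs2.so` in its output is only a hint; the file check above is what the linker actually cares about.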

did you modify srs.c?

did you modify srs.c accordingly?


Didn't think of doing that.

Didn't think of doing that. What should I edit?

regards

nic

Nic, read above :)



SSL CERTIFICATES

Hi roberto

I successfully created the certificates and it works great; the only problem is that Mozilla Thunderbird, iPhone and Android show a warning because the certificate is not valid. Configuring an exception, it works. About this I have two questions.

First

Is there any chance to have different certificates for every domain?

Second

If I buy a "valid certificate" can I just copy into the folder and it will work?

Thanks in advance

Enetcs as far as I know

Enetcs

as far as I know the e.h. auth patch works with a global certificate.

Yes, you simply have to copy the certificate into that folder, but when you buy a valid certificate you also get an "intermediate certificate" to be copied into the same folder, which assures that your cert is valid.


CHKUSER patch - how to disable!!

imho, the chkuser patch is way more problems than it's worth. It's blocking legit emails from namecheap, comodo, godaddy and others. How does one disable chkuser permanently? I've tried commenting it out of my qmail-submission/run and restarting qmail, and chkuser is still running. grrr.

can you please provide log

can you please provide log details about the rejections for such providers? thank you


chkuser silently dropping

chkuser silently dropping mail! How do I completely disable chkuser?

2013-10-11 12:39:48.373851500 tcpserver: status: 1/20
2013-10-11 12:39:48.374029500 tcpserver: pid 28172 from 208.65.144.245
2013-10-11 12:39:48.374142500 tcpserver: ok 28172 0:::ffff:192.184.84.112:587 :208.65.144.245::35583
2013-10-11 12:39:48.621588500 CHKUSER accepted sender: from <ehip1mxb2o0kj8twj5yh0wz9nvb9wa04-b@news.columbiarestaurant.com::> remote <p02c11m083.mxlogic.net:unknown:208.65.144.245> rcpt <> : accepted any sender always
2013-10-11 12:39:48.767883500 tcpserver: end 28172 status 0
2013-10-11 12:39:48.767910500 tcpserver: status: 0/20

what makes you think that it's

What makes you think that it's a chkuser fault? This is not a rejection, and this is the log of port 587, but you said that you have some incoming legitimate email rejected, which should be received on port 25.

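Roberto's two checks (is it a rejection at all, and on which port did the session arrive?) can be scripted. The summariser below is an added example, not part of the thread; it assumes log lines shaped like the ones posted above (a `tai64nlocal` timestamp, then `tcpserver: ok PID local remote`, where the local endpoint is `host:ip:port` and the port is the last colon-separated field, which also handles the `::ffff:` IPv6-mapped form). The sample reuses the two real lines from the post and adds a constructed port-25 session with a constructed `CHKUSER rejected rcpt:` line modelled on the accepted one.

```shell
#!/bin/sh
# Added example, not from the thread: count chkuser accept/reject lines and
# list the local ports seen in "tcpserver: ok" lines, so that a "chkuser is
# dropping mail" claim can be checked against the log instead of guessed.

chkuser_summary() {
    printf '%s\n' "$1" | awk '
        /CHKUSER accepted/ { acc++ }
        /CHKUSER rejected/ { rej++ }
        $3 == "tcpserver:" && $4 == "ok" {
            n = split($6, a, ":")        # local endpoint; port is the last field
            port = a[n]
            if (!(port in seen)) { seen[port] = 1; order[++np] = port }
        }
        END {
            ports = ""
            for (i = 1; i <= np; i++) ports = ports (i > 1 ? "," : "") order[i]
            printf "accepted=%d rejected=%d ports=%s\n", acc + 0, rej + 0, ports
        }'
}

# Constructed sample: the two real lines from the post (port 587, accepted
# sender) plus a constructed port-25 session ending in a chkuser rejection.
SAMPLE_LOG='2013-10-11 12:39:48.374142500 tcpserver: ok 28172 0:::ffff:192.184.84.112:587 :208.65.144.245::35583
2013-10-11 12:39:48.621588500 CHKUSER accepted sender: from <ehip1mxb2o0kj8twj5yh0wz9nvb9wa04-b@news.columbiarestaurant.com::> remote <p02c11m083.mxlogic.net:unknown:208.65.144.245> rcpt <> : accepted any sender always
2013-10-11 12:40:02.000000000 tcpserver: ok 28190 0:::ffff:192.184.84.112:25 :203.0.113.9::40001
2013-10-11 12:40:02.100000000 CHKUSER rejected rcpt: from <bob@example.net::> remote <unknown:unknown:203.0.113.9> rcpt <nobody@example.org> : not existing recipient'

# Live use (log path is an assumption; adjust to your multilog directory):
#   chkuser_summary "$(tai64nlocal < /var/log/qmail/smtpd/current)"
chkuser_summary "$SAMPLE_LOG"
```

On the sample this prints `accepted=1 rejected=1 ports=587,25`. Run it separately on the port 25 and port 587 logs: a `rejected=0` on port 25 means whatever is blocking those senders is not chkuser, and the posted excerpt (only the first two lines) gives `accepted=1 rejected=0 ports=587`, which is exactly Roberto's reading of it.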

It blocks legitimate emails,

It blocks legitimate emails, it just sucks. Shouldn't be included in the net-qmail patch.

Tried commenting out of my

Tried commenting it out of my qmail/submission/run file, and chkuser is still running!

 

# cat /var/qmail/supervise/qmail-submission/run

#!/bin/sh
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
SOFTLIMIT=`cat /var/qmail/control/softlimit`
# You MUST export this, otherwise you'd get a 30 sec timeout
export
SMTPAUTH=""
# This enables greetdelay for qmail-smtpd.
export
SMTPD_GREETDELAY=0
# This enables chkuser
export
CHKUSER_START=NONE
# This enables simscan debug
#export
SIMSCAN_DEBUG=2
exec /usr/local/bin/softlimit -m "$SOFTLIMIT" \
    /usr/local/bin/tcpserver -v -H -R -l 0 \
    -x /home/vpopmail/etc/tcp.submission.cdb -c "$MAXSMTPD" \
    -u "$QMAILDUID" -g "$NOFILESGID" 0 587 \
    /var/qmail/bin/qmail-smtpd \
    /home/vpopmail/bin/vchkpw /bin/true 2>&1

again, this is the submission

Again, this is the submission service, which has nothing to do with incoming emails. In any case you have an error. Correct it in this way:

export CHKUSER_START=NONE

but be aware that this should be done on standard smtpd (port 25) service.
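Why the `export` matters, as an added example that is not part of the thread: the run script does not run qmail-smtpd itself, it exec()s tcpserver, which in turn starts qmail-smtpd, and a plain shell assignment never reaches an exec()ed program. Both helpers below run in a subshell so the export does not leak into the caller.

```shell
#!/bin/sh
# Added example, not from the thread: a plain shell variable is invisible to
# the programs the run script exec()s (tcpserver, and through it qmail-smtpd);
# only exported variables end up in their environment.

# child_view NAME: what a freshly started child process sees for NAME
child_view() {
    sh -c 'printf "%s" "${'"$1"':-unset}"'
}

without_export() (
    unset CHKUSER_START         # start clean even if the caller exported it
    CHKUSER_START=NONE          # shell variable only, as in the run file above
    child_view CHKUSER_START    # -> unset
)

with_export() (
    export CHKUSER_START=NONE   # Roberto's correction
    child_view CHKUSER_START    # -> NONE
)

echo "without export: $(without_export)"
echo "with export:    $(with_export)"
```

The first line prints `unset`, the second `NONE`: with the assignment alone, qmail-smtpd starts with no `CHKUSER_START` at all and behaves exactly as if the line were not there. The same applies to `SMTPAUTH` and `SMTPD_GREETDELAY`, and, as Roberto says, the service whose run file matters for incoming mail is the one on port 25.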


first of all, i think you can

First of all, I think you can take a look at the chkuser manual, to see how to fit it to your needs.

If you want to disable it, just comment it in your run file (in case you are following my configuration).

If you want to delete it from my package you have to look at the original patch and see what it modifies. I remember that it modifies only qmail-smtpd.c and the Makefile, apart from new created files. You can easily recognise the modifications because there is a comment more or less like "chkuser patch starts here"


qmail-qmqpc.c change needed

Hi Roberto,

First, thanks for the patch collection. I ran across an issue that I thought I would make you aware of: one of the patches in this collection modifies the signature of timeoutconn() in timeoutconn.c. I assume it's one of the TLS or AUTH patches, but I haven't tried to figure it out. In any case, the patch adds an additional parameter to the signature which is not present in the original calls to timeoutconn() in qmail-qmqpc.c.

None of the patches even touch qmail-qmqpc.c ( probably because very few people make use of it) but I actually use it for SMTP servers. Crypto can put quite a load on older hardware so I "spread the wealth" around with multiple smtp servers using QMQP to send the messages to my queue machine.

In any case, the fix is pretty straightforward and I am going to try and post the patch here in this comment:

diff netqmail-1.06/qmail-qmqpc.c netqmail-1.06.patched/qmail-qmqpc.c
0a1,20
>   /*** 2013-08-24 Robbie Walker <flyingamortgage@gmail.com>
>   DESCRIPTION: the great collection of patches from Roberto Puzzanghera [ http://notes.sagredo.eu/node/82 ]
>   includes changes to timeoutconn.c function signature as listed below. qmail-qmqpc.c also calls
>   timeoutconn and needs to be patched as well 
>   original timeoutconn() signature:
>   int timeoutconn(s,ip,port,timeout)
>   int s;
>   struct ip_address *ip;
>   unsigned int port;
>   int timeout;
>   
>   modifed timeoutconn() signature:
>   int timeoutconn(s,ip,outip,port,timeout)
>   int s;
>   struct ip_address *ip;
>   struct ip_address *outip;
>   unsigned int port;
>   int timeout;
>   */
>   
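Review bot: the 20-line banner inserted at the top of qmail-qmqpc.c is changelog material (author, date, URL, old and new prototypes) rather than documentation of the code; keep a one-line comment at the timeoutconn() call saying what the extra outip argument is for, and move the history into the patch description where Roberto's combined changelog already lives. While at it, "modifed" in the banner should be "modified".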
104a125,126
>   struct ip_address outip;
>   outip.d[0]=outip.d[1]=outip.d[2]=outip.d[3]=(unsigned char) 0;
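Review bot: the four element-by-element assignments that zero outip can be one call to byte_zero(), which qmail already provides (`byte_zero(outip.d, sizeof outip.d);`), matching how the rest of the source clears buffers. Also confirm that line 104 of qmail-qmqpc.c is still in the declaration block of its function: netqmail is written for C89 compilers, which reject a declaration that follows a statement, and the hunk does not show the surrounding context.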
112c134
<   if (timeoutconn(qmqpfd,&ip,PORT_QMQP,10) != 0) {
---
>   if (timeoutconn(qmqpfd,&ip,&outip,PORT_QMQP,10) != 0) {
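Review bot: passing an all-zero outip hard-codes "no particular source address" for the QMQP client, so qmail-qmqpc will not honour whatever control file the patched qmail-remote uses to pick its outgoing IP even though timeoutconn() was extended for exactly that. If that is intended (QMQP usually goes to a queue host on the LAN), say so in a comment at the call; otherwise read the same control file qmail-remote does. Either way, check in the patched timeoutconn.c that an all-zero address means "do not bind" rather than an explicit bind to 0.0.0.0 before relying on it.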

Thanks for the fix

Hi Robbie, I'm going to add your fix to the next release, which will be out in a few days.

Thanks for the contribution :)