qmail

Setting up your firewall with fail2ban

Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show malicious signs -- too many password failures, probing for exploits, etc. Generally Fail2ban is then used to update firewall rules to reject those IP addresses for a specified amount of time, although any other arbitrary action (e.g. sending an email) could also be configured. Out of the box Fail2ban comes with filters for various services (apache, courier, ssh, etc.).

I will show shortly how to install and configure fail2ban to ban malicious IPs, especially those reported by the qmail-dnsrbl patch. This will avoid our being banned ourselves by Spamhaus, whose service is free up to 100.000 queries per day.

Roundcube webmail

Roundcube is a full featured webmail with a nice interface.

RoundCube 0.8 showing its new skin

Installing and configuring Spamassassin

SpamAssassin is a mature, widely-deployed open source project that serves as a mail filter to identify Spam. SpamAssassin uses a variety of mechanisms including header and text analysis, Bayesian filtering, DNS blocklists, and collaborative filtering databases. SpamAssassin runs on a server, and filters spam before it reaches your mailbox.

Upgrading SpamAssassin to version 3.4.0

The release of version 3.4.0 was announced on Feb 11 2014. There are a few new optional dependencies, while the dependencies on the following Perl modules were dropped: Net::Ident, IP::Country::Fast and IP::Country. In addition, if you want to install the optional module Geo::IP you have to install GeoIP (here is the package link for slackware users) as well.

Here is how to update quickly:

qmailctl stop
spamdctl stop
perl -MCPAN -e shell
cpan> o conf prerequisites_policy ask
cpan> force notest install Geo::IP IO::Socket::IP Net::Patricia NetAddr::IP
cpan> force notest install Mail::SpamAssassin Mail::SpamAssassin::Plugin::Razor2
cpan> quit
sa-update
spamdctl start
qmailctl start

Sieve interpreter & Dovecot ManageSieve

The Pigeonhole project provides Sieve support as a plugin for Dovecot's Local Delivery Agent (LDA) and also for its LMTP service. The plugin implements a Sieve interpreter, which filters incoming messages using a script specified in the Sieve language. The Sieve script is provided by the user and, using that Sieve script, the user can customize how incoming messages are handled. Messages can be delivered to specific folders, forwarded, rejected, discarded, etc.

Dovecot Managesieve Server is a service used to manage a user's Sieve script collection.


ezmlm-web

ezmlm-web is a web interface for the administration of ezmlm mailing lists.

Patching qmail

Changelog

The complete changelog is inside the patch file.

  • 2014-04-14
    -added qmail-maxrcpt patch, which allows you to set a limit on how many recipients may be specified
  • 2014-03-10
    -added qmail-smtpd-liberal-lf patch, which allows qmail-smtpd to accept messages that are terminated with a single \n instead of the required \r\n sequence. This should avoid some "read failed" rejects.
  • 2013-12-30
    -added qmail-SRS patch. You have to install libsrs2 now.
    -the character "=" in the sender address is now considered valid by chkuser in order to accept SRS
  • 2013-12-18
    -added qmail-date-localtime patch
    -added qmail-hide-ip patch
    -the original greetdelay by e.h. has been replaced with the improved patch by John Simpson. Now
    connections that try to send commands before the greeting will be closed. Premature disconnections will be
    logged as well.
    -CHKUSER_SENDER_FORMAT enabled to reject fake senders without any domain declared (like <foo>)
    -chkuser logging: I slightly modified the log line, adding the variables' names just to make it easier to interpret
    -added qmail-moreipme patch
    -added qmail-dnsbl patch (more info here)
  • 2013-12-05
    -added two patches to make qmail rfc2821 compliant
  • 2013-11-23
    -any-to-cname patch added

I have created a combined patch including the latest versions of several commonly-used qmail patches:

[Follow the patch details here]

Other patches:

Merry Christmas and happy new... patch!

These days I had the opportunity to exchange ideas with a friend out there and take a look at his work and his customized jumbo patch. Some of the patches I came across appeared very useful to me and I convinced myself to add some of them to my package.

The changelog is quite long this time! :)

Have fun!

smtp-auth + qmail-tls (starttls) + forcetls patch for qmail

I have put into a package the latest version of the following patches for netqmail-1.06. You may also be interested in the combined patch I have put together here.

qmail-authentication

Provides cram-md5, login, plain authentication support.

qmail-tls

Implements SSL or TLS encrypted and authenticated SMTP between the MTAs and from MUA to MTA.

force-tls

Optionally gets qmail to require TLS before authentication to improve security.

How to avoid being "cut off" by spamhaus.org

As you probably know, Spamhaus limits your SMTP and DNS traffic (see http://www.spamhaus.org/organization/dnsblusage/ for more info), and in the case of big servers this can be a serious problem.

Luckily, Costel Balta sent me a solution to the problem, which I'm going to copy below. In short, he suggests dynamically creating firewall rules via iptables (or better, shorewall) to block connections from suspicious IPs, in order to decrease the number of requests to the RBL lists by about 80%.

ipsets and swatch are also needed to manage iptables rules and scan your logs respectively.

A big thanks to Costel Balta for the following tutorial; this is not the first time that he posts an original idea.

Configuring DKIM for qmail

This note concerns the DKIM patch embedded in my combined patch (more info here). This topic is advanced and you can skip it at the beginning.

DKIM provides a method for validating a domain name identity that is associated with a message through cryptographic authentication. The validation technique is based on public-key cryptography: Responsibility is claimed by the signer by adding a domain name to the message and then also affixing a digital signature of it and the message. The value is placed in the DKIM-Signature: header field. The verifier recovers the signer's public key using the DNS, and then verifies the signature.

You are invited to take a look at the man pages, starting from dkim(8) and spawn-filter(8).
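To make the verification flow above concrete, here is an added example (not code from the page or from the DKIM patch) that parses a folded DKIM-Signature: header, checks the tags a verifier requires before doing any cryptography, and derives the DNS name from which the signer's public key is fetched. The sample header is constructed; the domain and selector in it are made up.

```python
import re

# Constructed sample, folded as it would appear in a raw message (not a real signature).
SAMPLE_HEADER = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.org;\r\n"
    "\ts=mail2014; h=From:To:Subject:Date; bh=MTIzNA==;\r\n"
    "\tb=YWJj ZGVm"
)

# Tags every valid signature must carry (RFC 6376 section 3.5).
REQUIRED_TAGS = ("v", "a", "d", "s", "h", "bh", "b")


def parse_dkim_signature(header: str) -> dict:
    """Parse a (possibly folded) DKIM-Signature header into a tag -> value dict."""
    _, _, body = header.partition(":")          # drop the "DKIM-Signature" field name
    body = re.sub(r"\r?\n[ \t]+", " ", body)    # unfold continuation lines
    tags = {}
    for item in body.split(";"):
        if not item.strip():
            continue
        name, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {item!r}")
        # whitespace inside tag values is insignificant (base64 in b=/bh= is often folded)
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def check_signature_tags(tags: dict) -> list:
    """Return the problems a verifier rejects on before touching the signature itself."""
    problems = [f"missing tag {t}=" for t in REQUIRED_TAGS if t not in tags]
    if tags.get("v") != "1":
        problems.append("unsupported version")
    signed_headers = [h.lower() for h in tags.get("h", "").split(":")]
    if "from" not in signed_headers:          # From: must always be signed
        problems.append("From: not covered by h=")
    return problems


def public_key_query_name(tags: dict) -> str:
    """DNS TXT name (selector._domainkey.domain) holding the signer's public key."""
    return f"{tags['s']}._domainkey.{tags['d']}"


if __name__ == "__main__":
    parsed = parse_dkim_signature(SAMPLE_HEADER)
    print(check_signature_tags(parsed) or "tags ok")
    print(public_key_query_name(parsed))
```

The verifier would then fetch that TXT record, recompute the body hash against bh=, and check b= over the headers listed in h= (with the b= value itself blanked out).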

Acknowledgments

I would like to give special thanks to Manvendra Bhangui, the author of the DKIM patch, for kindly assisting me throughout the configuration.
