March 17, 2022 Roberto Puzzanghera 81 comments
- Inter7's original page
- Combined patch v. 2022.03.17
- More info here
Vpopmail provides an easy way to manage virtual email domains and non /etc/passwd email accounts on your mail servers.
The purpose of this note is to show how to use MySQL as the authentication system. Having a users database also offers the advantage of communicating with the database via PHP, and creating web-based user interfaces to manage accounts.
The patch we'll apply is the result of the following bunch of patches:
- sql-aliasdomains patch, which makes vpopmail save the aliasdomains to MySQL. This makes the dovecot sql auth driver aware of the aliasdomains, provided that you modify the sql query as well (see the dovecot page for more info).
- defaultdelivery patch, which makes vpopmail copy your favourite delivery agent (stored in QMAILDIR/control/defaultdelivery) into the .qmail-default file of any newly created domain, overriding vpopmail's default behaviour, where vpopmail copies its own delivery agent vdelivermail. You have to configure with --enable-defaultdelivery to enable this.
  If the functionality is disabled (--disable-defaultdelivery, which is the default option) vdelivermail is installed with the "delete" option instead of "bounce-no-mailbox", which is not reasonable anymore.
- dovecot-pwd_query patch
  If you want to use dovecot's sql auth driver with one table for each domain (--disable-many-domains) you have to heavily customize your password query. With this patch vpopmail installs the sql procedure and functions in the database when you create a new domain. The procedure can be called by dovecot to perform the auth.
  The sql stuff supports aliasdomains and mysql limits and will be loaded from ~/vpopmail/etc/pwd-query_disable-many-domains.sql. You can customize the sql procedure by editing this file.
  You have to configure with --enable-mysql-bin=PATH as we have to install the procedure calling the mysql bin as a shell command (no way to load an sql query from a file in C language, comments welcome).
- vusaged configure patch
  It seems that at least on Debian 11 vusaged refuses to run the configure successfully, as the mysql libraries are not linked (configure: error: No vauth_getpw in libvpopmail). After some inspection, I noticed that avoiding the break of the configure command, the following make command will find libmysqlclient and compile with no problems, and the program works as expected.
  autoreconf -f -i in the vusaged directory is needed before configuring, as the configure.ac script was modified.
- recipient check patch. It can be used with Erwin Hoffmann's s/qmail to accomplish the recipient check. Not important in my installation, look at doc/README.vrcptcheck for more info.
- gcc-10-compat patch, which gets vpopmail to compile with
February 26, 2022 Roberto Puzzanghera 0 comments
RFC-821 Section 3.5 states that
The sender-SMTP MUST ensure that the <domain> parameter in a HELO command is a valid principal host domain name for the client host. As a result, the receiver-SMTP will not have to perform MX resolution on this name in order to validate the HELO parameter.
The HELO receiver MAY verify that the HELO parameter really corresponds to the IP address of the sender. However, the receiver MUST NOT refuse to accept a message, even if the sender's HELO command fails verification.
Not denying clients with a bad HELO/EHLO DNS can also be considered a wise thing, just to avoid updating our whitelist too frequently for those clients who don't set up their
On the other hand, it is a matter of fact that most spammers use fake domains (very often our own domains), or even random strings or domains that don't resolve, as their
For example, consider the following log lines (I have plenty of them in my logs):
2022-02-01 10:19:53.142643500 helo-dns-check: HELO [yq3H9cDKgS] from [126.96.36.199] doesn't solve
2022-02-01 09:53:05.772497500 helo-dns-check: HELO [sagredo.eu] is a local domain but IP [188.8.131.52] is not a RELAYCLIENT
I think that at least this kind of failure should be blocked. I'll explain below how to set up a filter which denies clients with these particular
- not solving HELO/EHLOs, i.e. random strings or domains with no A record at all.
- HELO/EHLOs containing one of our domains, when the DNS doesn't solve to one of our RELAYCLIENT is not defined;
- clients whose A record doesn't match the domain in their HELO/EHLO. This is completely against RFC-821, so my configuration will not refuse these connections, just log them.
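The decision logic of the three checks above, as an added Python example (not the author's helo-dns-check plugin). The function names, the `relayclient` flag (true when RELAYCLIENT is set in the environment) and the zone data are constructed; the local-domain condition follows the second log line above and is an assumption.

```python
import socket

DENY, LOG, ACCEPT = "deny", "log", "accept"

def system_resolve_a(name):
    """Return the IPv4 addresses for name, or [] when it does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:  # gaierror/herror: unknown name or no A record
        return []

def check_helo(helo, client_ip, local_domains, relayclient,
               resolve_a=system_resolve_a):
    """Return (action, log_message) for one SMTP greeting."""
    name = helo.strip().rstrip(".").lower()
    addrs = resolve_a(name) if name else []
    # 1. Random strings or names with no A record at all: block.
    if not addrs:
        return DENY, f"HELO [{helo}] from [{client_ip}] doesn't solve"
    # 2. Greeting with one of our own domains while RELAYCLIENT is not
    #    defined: block (assumed condition, taken from the log line).
    if name in local_domains and not relayclient:
        return DENY, (f"HELO [{helo}] is a local domain but IP "
                      f"[{client_ip}] is not a RELAYCLIENT")
    # 3. Name resolves, but not to the connecting IP: log only, never refuse.
    if client_ip not in addrs:
        return LOG, f"HELO [{helo}] doesn't match IP [{client_ip}]"
    return ACCEPT, ""

# Constructed zone data (documentation address ranges), so this runs offline.
ZONE = {
    "example.net": ["192.0.2.10"],         # one of "our" domains
    "mail.example.org": ["198.51.100.7"],  # correctly configured remote MTA
    "mx.example.com": ["203.0.113.5"],     # resolves, but to another IP
}
LOCAL = {"example.net"}

def demo():
    """Run five constructed greetings through the filter; return the actions."""
    resolve = lambda n: ZONE.get(n, [])
    cases = [
        ("yq3H9cDKgS", "198.51.100.99", False),
        ("example.net", "198.51.100.99", False),
        ("example.net", "192.0.2.10", True),
        ("mx.example.com", "198.51.100.99", False),
        ("mail.example.org", "198.51.100.7", False),
    ]
    return [check_helo(h, ip, LOCAL, rc, resolve)[0] for h, ip, rc in cases]
```

In a live filter the flag would come from `"RELAYCLIENT" in os.environ` and the default resolver would be used instead of the constructed zone.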
February 11, 2022 Roberto Puzzanghera 7 comments
Greylisting is a method of defending e-mail users against spam. A mail transfer agent (MTA) using greylisting will "temporarily reject" any email from a sender it does not recognize. If the mail is legitimate, the originating server will try again after a delay, and if sufficient time has elapsed, the email will be accepted.
While greylisting is not as effective as in the past, it still cuts a certain fraction of the total spam.
qmail-spp greylisting plugin
I introduce here how greylisting can be implemented on qmail by means of another qmail-spp plugin, which saves the data in MySQL. Having the data in MySQL is useful to measure how much spam is blocked by
- More info here
- Author: Manuel Mausz
March 9, 2021 Roberto Puzzanghera 40 comments
Those who are still using the vpopmail auth driver should consider a migration to another backend, as on January 4, 2021 dovecot-2.3.13 was released and the vpopmail auth driver removed (more info here).
I'll show below how to support domain aliases with the sql driver both with all domains in the same vpopmail table and with one table for each domain (--disable-many-domains). You can find how to set up the driver in this page. A short reference to the vconvert program is presented toward the bottom of this page, in case one is planning to switch to sql.
If you browse the comments below you'll find some other nice solutions to replace the
- Tyler Simpkin posted his auth.lua file (enhanced by Rick Richards to work with encrypted passwords)
- Laurent Bercot posted a solution based on passwd-file driver
- Pablo Murillo improved the sql password_query to work with one table for each domain
- erdgeist showed how to convert cdb accounts to postgres
As some commentators have pointed out, switching to dovecot's sql auth driver can be painful if one has domain aliases. I will show below how to make dovecot aware of the aliasdomains, so that a user who tries to log in with a domain alias can pass the authentication.
The idea is to save the alias/domain pairs in a new "aliasdomains" MySQL table, for example:
MariaDB [vpopmail]> SELECT * FROM aliasdomains;
+----------------------+----------------------+
| alias                | domain               |
+----------------------+----------------------+
| alias.net            | realdomain.net       |
+----------------------+----------------------+
...and then modify the sql query in order to select the user's domain from this table in case the domain is an alias or from the vpopmail table otherwise.
vpopmail so that it will transparently do the sql stuff when creating/deleting the alias in the usual way by means of the