Adjusting the tcprules files for qmail

January 16, 2013 | Roberto Puzzanghera | 15 comments

This is my tcprules file:

> more /home/vpopmail/etc/tcp.smtp

0.0.0.0:allow,RELAYCLIENT="",SMTPD_GREETDELAY="0"
xxx.xxx.xxx.xxx:allow,RELAYCLIENT="",SMTPD_GREETDELAY="0"
10.0.0.:allow,RELAYCLIENT="",SMTPD_GREETDELAY="0"
127.:allow,RELAYCLIENT="",SMTPD_GREETDELAY="0"
:allow

As you can see, localhost, the internal subnet 10.0.0., and the external server's IP are allowed to use the MTA as a relay (RELAYCLIENT="") and do not face a greet delay (SMTPD_GREETDELAY="0").

All other clients are allowed to send us email (:allow), face the GREETDELAY specified in the qmail-smtpd run script, and are not allowed to use our MTA as a relay.

And since we want to allow ourselves to use our MTA as a remote relay, the tcp.submission rules have to be simply:

> more /home/vpopmail/etc/tcp.submission

:allow

This way nobody can use the submission service (port 587) as an open relay without authentication.

Remember to generate the cdb files each time you make changes to your tcprules file:

> qmailctl cdb

Updated tcp.smtp.cdb.
Updated tcp.submission.cdb.
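
The lookup order these rules rely on, as an added example (not code from the original post or from ucspi-tcp): a simplified Python model of classic tcprules IPv4 matching, where the most specific address rule wins and the empty pattern is the default. The function names are hypothetical, 203.0.113.10 and the sample client addresses are constructed, and ranges, host-name rules and the IPv6/CIDR forms of ucspi-tcp6 are not modeled.

```python
# Added example: simplified model of classic tcprules matching (IPv4 only).
# 203.0.113.10 is a constructed stand-in for the masked xxx.xxx.xxx.xxx.
RULES = """\
0.0.0.0:allow,RELAYCLIENT="",SMTPD_GREETDELAY="0"
203.0.113.10:allow,RELAYCLIENT="",SMTPD_GREETDELAY="0"
10.0.0.:allow,RELAYCLIENT="",SMTPD_GREETDELAY="0"
127.:allow,RELAYCLIENT="",SMTPD_GREETDELAY="0"
:allow
"""

def parse_rules(text):
    """Map address pattern -> (action, env). Naive: no commas inside values."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        address, _, rest = line.partition(":")
        action, *assignments = rest.split(",")
        env = {k: v.strip('"') for k, _, v in (a.partition("=") for a in assignments)}
        rules[address] = (action, env)
    return rules

def lookup(rules, ip):
    """Most specific rule wins: full address, then a.b.c., a.b., a., then ''."""
    octets = ip.split(".")
    candidates = [ip] + [".".join(octets[:n]) + "." for n in (3, 2, 1)] + [""]
    for pattern in candidates:
        if pattern in rules:
            return (pattern, *rules[pattern])
    return (None, "allow", {})  # no rule at all: connection is allowed as-is

def may_relay(rules, ip):
    """True if the matched rule allows the client and sets RELAYCLIENT."""
    _, action, env = lookup(rules, ip)
    return action == "allow" and "RELAYCLIENT" in env

def open_relay(rules):
    """True if the catch-all rule hands RELAYCLIENT to every client."""
    action, env = rules.get("", ("allow", {}))
    return action == "allow" and "RELAYCLIENT" in env

if __name__ == "__main__":
    rules = parse_rules(RULES)
    for ip in ("127.0.0.1", "10.0.0.25", "10.0.1.5", "0.0.0.0", "198.51.100.7"):
        print(ip, "rule=%r" % lookup(rules, ip)[0], "relay=%s" % may_relay(rules, ip))
    print("open relay via default rule:", open_relay(rules))
```

Against the compiled database, the equivalent check is `TCPREMOTEIP=<address> tcprulescheck tcp.smtp.cdb`, run once per address of interest.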

Comments

tcprules problem

Hi there,

Having installed the ucspi-tcp6-1.06.tgz, I noticed that tcprules ignores hosts and applies all the environment variables for all (:allow...)

For example,

if I have the tcp.submission file

x.x.x.x.x:allow,RBLSMTPD="",CHKUSER_WRONGRCPTLIMIT="3",SMTPD_GREETDELAY="0"

Then tcprules applies the rules to all hosts instead of x.x.x.x.x

I finally managed to execute tcprules (ucspi-tcp6-1.02), I produced the cdb and moved it to the newest email server (ucspi-tcp6-1.06).

Is this a bug?


tcprules problem

And you didn't define a default rule at all? 

I don't know if it's a bug, we should look at the code to see what it does when a default rule is not defined... Anyway I think that defining a default rule such as

:allow

should be a good practice


tcprules problem

I also tried with the

:allow

at the bottom of the file, but the result was the same.

Hosts are ignored and all the env variables are applied as if there were no host rules but just :allow

using ucspi-tcp6-1.02

# tcprulescheck tcp.submission.cdb
default:
allow connection

using ucspi-tcp6-1.06

# tcprulescheck tcp.submission.cdb
rule :
set environment variable RBLSMTPD=
set environment variable CHKUSER_WRONGRCPTLIMIT=3
set environment variable SMTPD_GREETDELAY=0
allow connection


tcprules problem

You are not declaring TCPREMOTEIP, so it always prints the default rule. This is the usage as per the man page:

# TCPREMOTEIP=1.2.3.4 tcprulescheck tcp.smtp.cdb  
rule 1.2.3.4:
set environment variable RBLSMTPD=
set environment variable SMTPD_GREETDELAY=0
set environment variable RELAYCLIENT=
allow connection


tcprules problem

tcp.submission

x.x.x.x:allow,RBLSMTPD="",CHKUSER_WRONGRCPTLIMIT="3",SMTPD_GREETDELAY="0"
:allow

# TCPREMOTEIP=x.x.x.x tcprulescheck tcp.submission.cdb
rule :
set environment variable RBLSMTPD=
set environment variable CHKUSER_WRONGRCPTLIMIT=3
set environment variable SMTPD_GREETDELAY=0
allow connection

There is no host definition at all.


tcprules problem

Apparently this output is not compatible with your tcp source file, as that is not the default defined rule...


tcprules problem

Yes, that is the problem.

I did not miss anything during the qmail installation. I followed all the instructions on this web site.

Hopefully, I have an older installation of qmail and the other tools, as I referred to in my first post, and I can compile my tcprules there and move them back to the new one (new server).


tcprules problem

Did you recompile your tcprules after the last modification?


tcprules problem

#tcprules /home/vpopmail/etc/tcp.submission.cdb /home/vpopmail/etc/tcp.submission.cdb.tmp < /home/vpopmail/etc/tcp.submission

is what I do whenever I make changes in /home/vpopmail/etc/tcp.submission


tcprules problem

I have followed all the instructions of this web site, page by page.

Did I miss something?


tcprules problem

How can I know if you missed something :-)


Greetdelay

Hello Roberto

Thanks for your job, you help many lost people, like me!

Does this line,

0.0.0.0:allow,RELAYCLIENT="",SMTPD_GREETDELAY="0"

disable the greetdelay effect for all public internet IPs?

Does it disable the greet delay because you set it to zero seconds?

Thanks

Marco Varanda


Greetdelay

It disables the greetdelay just for the mentioned IP 0.0.0.0, which is the server's IP, because it has a value of 0.

Edit: setting GREETDELAY in your tcp rules overwrites the default value in your qmail-smtpd run file.


Greetdelay

Sorry for the insistence,

I think 0.0.0.0 is a reference to any public IP.

In other words, if my IP tries to send data before the greeting, 0.0.0.0 will accept it with no delay.

Am I wrong?

- varanda


Greetdelay

No, 0.0.0.0 is the IP of your localhost (if not sure you can google for it).
