Testing qmail, SMTP and auth

At this time /command/svcscanboot should have started qmail:

> ps axfww

  137 ?        Sl     0:32 /home/vpopmail/bin/vusaged 
20017 ?        Ss     0:00 /bin/sh /command/svscanboot 
20019 ?        S      0:00  \_ svscan /service 
20021 ?        S      0:00  |   \_ supervise qmail-submission 
20032 ?        S      0:00  |   |   \_ /usr/local/bin/tcpserver -v -R -l smtp.mydomain.tld -x /home/vpopmail/etc/tcp.submission.cdb -c 200 -u 89 -g 89 0 587 /var/qmail/bin/qmail-smtpd /home/vpopmail/bin/vchkpw /bin/true 
20022 ?        S      0:00  |   \_ supervise log 
20045 ?        S      0:00  |   |   \_ /usr/local/bin/multilog t s16777215 /var/log/qmail/submission 
20023 ?        S      0:00  |   \_ supervise qmail-smtpd 
20035 ?        S      0:00  |   |   \_ /usr/local/bin/tcpserver -v -R -l smtp.mydomain.tld -x /home/vpopmail/etc/tcp.smtp.cdb -c 200 -u 89 -g 89 0 25 /var/qmail/bin/qmail-smtpd /bin/true 
20024 ?        S      0:00  |   \_ supervise log 
20034 ?        S      0:00  |   |   \_ /usr/local/bin/multilog t n5 s16777215 /var/log/qmail/smtpd n5 s16777215 -* +* qlog* !/usr/local/bin/archive_qmail_qlog /var/log/qmail/smtpd/qlog 
20025 ?        S      0:00  |   \_ supervise vpopmaild 
20033 ?        S      0:00  |   |   \_ /usr/local/bin/tcpserver -v -H -R -l 0 -u 0 -g 0 0 89 /home/vpopmail/bin/vpopmaild 
20026 ?        S      0:00  |   \_ supervise log 
20040 ?        S      0:00  |   |   \_ /usr/local/bin/multilog t /var/log/qmail/vpopmaild 
20027 ?        S      0:00  |   \_ supervise clear 
20028 ?        S      0:00  |   \_ supervise qmail-smtpsd 
20047 ?        S      0:00  |   |   \_ /usr/local/bin/sslserver -seV -Rp -l smtp.mydomain.tld -Xx /home/vpopmail/etc/tcp.smtp.cdb -c 200 -u 89 -g 89 0 smtps /var/qmail/bin/qmail-smtpd /bin/true 
20029 ?        S      0:00  |   \_ supervise log 
20041 ?        S      0:00  |   |   \_ /usr/local/bin/multilog t n5 s16777215 /var/log/qmail/smtpsd n5 s16777215 -* +* qlog* !/usr/local/bin/archive_qmail_qlog /var/log/qmail/smtpsd/qlog 
20030 ?        S      0:00  |   \_ supervise qmail-send 
20036 ?        S      0:00  |   |   \_ qmail-send 
20052 ?        S      0:00  |   |       \_ qmail-lspawn | /home/vpopmail/bin/vdelivermail '' delete
20053 ?        S      0:00  |   |       \_ qmail-rspawn 
20054 ?        S      0:00  |   |       \_ qmail-clean 
20055 ?        S      0:00  |   |       \_ qmail-todo 
20056 ?        S      0:00  |   |       \_ qmail-clean 
20031 ?        S      0:00  |   \_ supervise log 
20042 ?        S      0:00  |       \_ /usr/local/bin/multilog t s16777215 /var/log/qmail/send 
20020 ?        S      0:00  \_ readproctitle service errors: ...............................................................................................................................................................

If everything is ok you should see something like this. There must be only dots in the readproctitle service errors line.

You can always clean the errors' line in this way:

svc -o /service/clear

or, if you're using my modified qmailctl file, you can do this:

qmailctl clear

Check the queue and the services uptime:

> qmailctl stat

qmail-smtpd:           [ up ] (pid 20035)   0 day(s), 00:02:13 
qmail-smtpd/log:       [ up ] (pid 20034)   0 day(s), 00:02:13 
qmail-smtpsd:          [ up ] (pid 20047)   0 day(s), 00:02:13 
qmail-smtpsd/log:      [ up ] (pid 20041)   0 day(s), 00:02:13 
qmail-submission:      [ up ] (pid 20032)   0 day(s), 00:02:13 
qmail-submission/log:  [ up ] (pid 20045)   0 day(s), 00:02:13 
qmail-send:            [ up ] (pid 20036)   0 day(s), 00:02:13 
qmail-send/log:        [ up ] (pid 20042)   0 day(s), 00:02:13 
vpopmaild:             [ up ] (pid 20033)   0 day(s), 00:02:13 
vpopmaild/log:         [ up ] (pid 20040)   0 day(s), 00:02:13

dovecot status:        [ down ] 
clamd status:          [ down ] 
freshclam status:      [ down ] 
spamd status:          [ down ] 
vusaged status:        [ up ] 
httpd status:          [ down ] 
mariadb status:        [ down ] 
fail2ban status:       [ down ] 

ClamAV database updated at: 2021-09-28 12:40:15 
Total Domains: 16 

messages in queue: 0 
messages in queue but not yet preprocessed: 0

Check that the up time increases by repeating the qmailctl stat command a couple of times. If something fails, check the logs.

The next two notes will show how to handle and eventually repair the queue.

`swaks`

Info: http://www.jetmore.org/john/code/swaks/

swaks is a SMTP test tool that you can use to perform all the telnet tests that are described below.

Install as follows:

cd /usr/local/bin
wget http://www.jetmore.org/john/code/swaks/latest/swaks
chown root.root swaks
chmod +x swaks

The usage is pretty simple. Adjust to your needs:

swaks \
        --to someone@somewhere.net \
        --from postmaster@mydomain.tld \
        --server localhost \
        --port 587 \
        --ehlo test \
        -tls \
        --auth login \
        --auth-user postmaster@mydomain.tld \
        --auth-password [PASSWORD]

You may want to take a look at the reference manual: http://www.jetmore.org/john/code/swaks/latest/doc/ref.txt

Testing `qmail` delivery

Look at the TEST.deliver man page and do all suggested tests.

Testing SMTP connection

In this example [your-IP] is an IP that is allowed to use our MTA as a relay according to ~vpopmail/etc/tcp.smtp; usually it is 127.0.0.1 or an address on an allowed localnet such as 10.0.0.5 or 192.168.1.12

This test will fail if you try to use the MTA as an open relay, telnetting from the outnet without the SMTP authentication (see below).

> telnet [your IP] 25

Trying [your IP]...
Connected to qmail.mydomain.tld.
Escape character is '^]'.
220 smtp.mydomain.tld ESMTP
mail from:<user@mydomain.tld>
250 ok
rcpt to:<someone@somewhere.net>
250 ok
data
354 go ahead
subject: This is the subject
to: someone@somewhere.net
from: user@mydomain.tld

This is the msg body FOLLOWING A BLANK LINE
.
250 ok 1286469273 qp 31969
quit
221 www.mydomain.tld
Connection closed by foreign host.

***********

Of course it may happen that something goes wrong

> telnet [your IP] 25

Trying [your IP]...
Connected to [yout IP].
Escape character is '^]'.
Connection closed by foreign host.

Let's check the smtp log:

> more /var/log/qmail/smtpd/current

@400000004cb7145314702f74 /var/qmail/bin/qmail-smtpd: error while loading shared libraries: libcrypt.so.1: failed to map segment from shared object: Cannot allocate memory

If you see an error like this, your softlimit is too low. Try to increase it editing /var/qmail/supervise/qmail-smtp/run

***********

> more /var/log/qmail/smtpd/current

@400000004cc5baaf076df464 /var/qmail/bin/qmail-smtpd: error while loading shared libraries: libmysqlclient.so.16: cannot open shared object file: No such file or directory

I faced this error in a 64b virtual mail server. Mysql was in a different virtual server and the mysql dir was mounted locally but qmail-smtp cannot load it. I fixed this error by copying (not linking!) the library inside the guest in this way:

cp -p /usr/local/mysql/lib/libmysqlclient.so.16.0.0 /usr/lib64/libmysqlclient.so.16

***********

Check if the messages has been sent by opening /var/log/qmail/send/current

***********

Try to send a message to yourself and look for the message in the Maildir/new folder:

> telnet [your IP] 25

Trying [your IP]...
Connected to qmail.mydomain.tld.
Escape character is '^]'.
220 smtp.mydomain.tld ESMTP
mail from:<user@mydomain.tld>
250 ok
rcpt to:<user@mydomain.tld>
250 ok
data
354 go ahead
subject: This is the subject
to: user@mydomain.tld
from: user@mydomain.tld

This is the msg body FOLLOWING A BLANK LINE
.
250 ok 1286469273 qp 31969
quit
221 www.mydomain.tld
Connection closed by foreign host.

> ls -l /home/vpopmail/domains/mydomain.tld/user/Maildir/new
total 4
-rw------- 1 vpopmail vchkpw  211 2010-12-09 13:22 1291897368.13072.qmail,S\=211

Testing `vpopmail` auth

> telnet [your-IP] 89

Trying [your-IP]...
Connected to [your-IP].
Escape character is '^]'.
+OK
login userid@mydomain.tld PASSWORD
+OK+
vpopmail_dir /home/vpopmail
domain_dir /home/vpopmail/domains/mydomain.tld
uid 89
gid 89
name userid
comment userName userSurname
quota NOQUOTA
user_dir /home/vpopmail/domains/mydomain.tld/userid
encrypted_password $xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
clear_text_password xxxxxxxxxxxxxxxxx
no_password_change 0
no_pop 0
no_webmail 0
no_imap 0
bounce_mail 0
no_relay 0
no_dialup 0
user_flag_0 0
user_flag_1 0
user_flag_2 0
user_flag_3 0
no_smtp 0
domain_admin_privileges 0
override_domain_limits 0
no_spamassassin 0
delete_spam 0
no_maildrop 0
system_admin_privileges 0
.
quit
+OK
Connection closed by foreign host.

Testing `chkuser`

If you perform this test from localhost or from one of the localnets that are allowed to relay according to ~vpopmail/etc/tcp.smtp...

10.0.0.:allow,RELAYCLIENT=""
127.:allow,RELAYCLIENT=""

...before continuing, you have to deny yourself from relaying. Clean and reaload tcp.smtp:

cd ~vpopmail/etc
mv tcp.smtp tcp.smtp.bck
touch tcp.smtp
qmailctl cdb

Now we are ready for the test.

No valid MX test, mailbox syntax test

chkuser rejects the messages if the MX record in the from field is non existent. This is a rare case since spammers will try to use your own domain in the from field.

> telnet [yourIP] 25
Trying [yourIP]...
Connected to [yourIP].
Escape character is '^]'.
220 mydomain.tld ESMTP
mail from: unexistent@fakedomain.xxx
550 5.1.8 sorry, can't find a valid MX for sender domain (chkuser)
mail from: unexistent@fake_domain.xxx
553 5.1.7 sorry, mailbox syntax not allowed (chkuser)
quit

No mailbox test

qmail/control/rcpthosts file determines whether the recipient will be accepted: it will be accepted if and only if the domain of the address given in the RCPT TO command is listed in rcpthosts. Anyway chkuser is programmed to reject the messages for non existent users of these domains:

> telnet [yourIP] 25
Trying [yourIP]...
Connected to [yourIP].
Escape character is '^]'.
220 mydomain.tld ESMTP
mail from: someone@gmail.com
250 ok
rcpt to: nobody@mydomain.tld
550 5.1.1 sorry, no mailbox here by that name (chkuser)
quit

No rcpt hosts test

To allow clients to send outgoing messages through this MTA, you must authorize the relay from their IP addresses inside tcp.smtp:

111.222.333.444:allow,RELAYCLIENT=""

In this case we have purged tcp.smtp, so we are allowed to send messages only to local users (domains inside rcpthosts) and chkuser can't find the external domain in his list of allowed rcpthosts

> telnet [yourIP] 25
Trying [yourIP]...
Connected to [yourIP].
Escape character is '^]'.
220 mydomain.tld ESMTP
mail from: someone@gmail.com
250 ok
rcpt to: someone@gmail.com
553 5.7.1 sorry, that domain isn't in my list of allowed rcpthosts (chkuser)
quit

In addition look for chkuser messages inside the smtp log /var/log/qmail/smtp/current.

Don't forget to restore the tcp.smtp

rm tcp.smtp
mv tcp.smtp.bck tcp.smtp
qmailctl cdb

Testing `smtp-auth` and `TLS`

Let's suppose that you have enabled the submission service (port 587). If you have enabled smtp-auth on port 25 replace 587 with 25 below.

Check that auth and TLS are present:

> telnet [your-IP] 587

Trying [your-IP]...
Connected to [your-IP].
Escape character is '^]'.
220 smtp.mydomain.tld ESMTP
EHLO test
250-smtp.mydomain.tld
250-STARTTLS
250-PIPELINING
250-8BITMIME
250-SIZE 3000000
mail from:someone@somewhere.net
530 Authorization required (#5.7.1)
AUTH PLAIN
538 auth not available without TLS (#5.3.3)
STARTTLS
220 ready for tls
?(?S^F?^@???^\?^^CR?^??*LV^?^Y+
^W^C^A^@ o?^?&@?????^N^?>??^?.d[^ZE?^?2^?^F^?Xr?XN^W^C^A^@P?^?^?4H&>/4^UG^?^??Njg^]?^_^F;@?^T?^?
^@i?>r^F??g4??{^C??bc^^N?^Qb???^@?n^???8`?W^\?5?^?^HT?F^?X?(^?+
^W^C^A^@ ?+^??2??W]^Y??}?^?^B^[??n?w^?qs^???^N^B^[^W^C^A^@@^CC3^?f?^Y.^?^?x#?j?^D?+?u^F^?^H?0^?^U??^@i?c$
^CConnection closed by foreign host.

The server seems to correctly provide STARTTLS and AUTH support. As you can see the authorization is required and the auth is not available without TLS. When the server is "ready for tls" the connection goes encrypted and you have to quit with a ^C.

Be aware that you can choose between 3 authentication methods:

PLAIN (unsecure without TLS)
LOGIN (unsecure without TLS)
CRAM-MD5 (more secure, but not nedeed with TLS)

Since we support TLS I use to disable CRAM-MD5 in my run file. So we will test just LOGIN and PLAIN. If you want to enable CRAM-MD5 refer to the README.auth file.

Testing the relay with `AUTH LOGIN`

- Encoding the login -

To test the AUTH LOGIN" method (it is safe since the entire connection is secure) you have to encode the BASE64 string of the username, let's say "test@test.net", and the password, let's say "test" as shown below.

> printf "test@test.net" | base64
dGVzdEB0ZXN0Lm5ldA==
> printf "test" | base64
dGVzdA==

Thus, the username "test@test.net" translates to "dGVzdEB0ZXN0Lm5ldA==" and the corresponding password "test" becomes "dGVzdA=="

- Testing the relay -

Now let's check if the relay is working fine. To talk with the server during an encrypted dialog we will use an openssl connection with -starttls smtp; first of all the certificate will be presented:

> openssl s_client -starttls smtp -crlf -connect [your-IP]:587

CONNECTED(00000003)                                                                                                                        
depth=0 /C=IT/ST=Italy/L=Cagliari/O=Your Name/CN=smtp.mydomain.tld/emailAddress=postmaster@mydomain.tld                              
verify error:num=18:self signed certificate                                                                                                
verify return:1
depth=0 /C=IT/ST=Italy/L=Cagliari/O=Your Name/CN=smtp.mydomain.tld/emailAddress=postmaster@mydomain.tld
verify return:1
---
Certificate chain
 0 s:/C=IT/ST=Italy/L=Cagliari/O=Your Name/CN=smtp.mydomain.tld/emailAddress=postmaster@mydomain.tld
   i:/C=IT/ST=Italy/L=Cagliari/O=Your Name/CN=smtp.sagredo.eu/emailAddress=postmaster@mydomain.tld
---
Server certificate
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
subject=/C=IT/ST=Italy/L=Cagliari/O=Your Name/CN=smtp.mydomain.tld/emailAddress=postmaster@mydomain.tld
issuer=/C=IT/ST=Italy/L=Cagliari/O=Your Name/CN=smtp.yourname.net/emailAddress=postmaster@yourname.net
---
No client certificate CA names sent
---
SSL handshake has read 1650 bytes and written 354 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Session-ID-ctx:
    Master-Key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Key-Arg   : None
    Start Time: 1292613625
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
EHLO test 
250-sagredo.eu 
250-PIPELINING 
250-8BITMIME 
250-AUTH LOGIN PLAIN CRAM-MD5 
250 SIZE 25000000 
AUTH LOGIN 
334 VXNlcm5hbWU6 
dGVzdEB0ZXN0Lm5ldA== 
334 UGFzc3dvcmQ6 
dGVzdA== 
235 ok, go ahead (#2.0.0)

Testing the relay with `AUTH PLAIN`

- Encoding the login -

The correct form of the AUTH PLAIN is "\0authentication-id\0passwd'" where \0 is the null byte. If the username is "test@test.net" and the password is "test" you have to encode the BASE64 string of "\0test@test.net\0test":

> printf "\0test@test.net\0test" | base64
AHRlc3RAdGVzdC5uZXQAdGVzdA==

- Testing the relay -

> openssl s_client -starttls smtp -crlf -connect [your-IP]:587

CONNECTED(00000003)
[THE SAME AS AUTH LOGIN BEFORE]
---
250 AUTH LOGIN PLAIN
AUTH PLAIN AHRlc3RAdGVzdC5uZXQAdGVzdA==

Troubleshooting

If something goes wrong you can always log the smtp conversation running qmail-smtpd in conjunction with Bernstein's recordio program (hopefully from the command line):

exec /usr/local/bin/softlimit -m "$SOFTLIMIT" \
    /usr/local/bin/tcpserver -v -H -R -l 0 \
    -x /home/vpopmail/etc/tcp.submission.cdb -c "$MAXSMTPD" \
    -u "$QMAILDUID" -g "$NOFILESGID" 0 submission \
    /usr/local/bin/recordio \
    /var/qmail/bin/qmail-smtpd \
    /home/vpopmail/bin/vchkpw /bin/true 2>&1

You can also use strace to better investigate how the smtpd session is going on:

# strace -Ff -o /tmp/strace.log -p <tcpserver-pid>

You can quickly get the qmail-smtpd tcpserver's ip as follows:

# ps axf|grep tcpserver|grep 25
26194 ? S 0:00 | | \_ /usr/local/bin/tcpserver -v -H -R -l yourdomain.tld -x /home/vpopmail/etc/tcp.smtp.cdb -c 20 -u 89 -g 89 0 25 /var/qmail/bin/qmail-smtpd

Testing TLS (1.3) capabilities

More info here

You can check the server's TLS 1.3 capabilities and vulnerabilities using the testssl.sh script from Dirk Wetter.

Download as follows

git clone --depth 1 https://github.com/drwetter/testssl.sh.git
cd testssl.sh

Check that your submission port offers TLS 1.3 and that all SSL are banned

> ./testssl.sh -t smtp localhost:587

Testing protocols via sockets

SSLv2      not offered (OK) 
SSLv3      likely not offered (OK), received 4xx/5xx after STARTTLS handshake, rerun with DEBUG>=2 or --ssl-native 
TLS 1      offered (deprecated) 
TLS 1.1    offered (deprecated) 
TLS 1.2    offered (OK) 
TLS 1.3    offered (OK): final

You should check the same with the option --ssl-native to confirm that SSLv3 is not offered.

The script allows you to test other ports and your connection more deeply. Look at all possibilities offered

./testssl.sh --help

Configuring

autorespond

add a comment

Comments

Chkuser and relay client

Raya December 14, 2022 15:33

Hi Roberto,

Thank you for this great documentation
I have a problem when RELAY client sends an e-mail to an unknown local user. Please help me to understand my problem
If .qmail-default file for domain contains:

| /home/vpopmail/bin/vdelivermail '' delete

- the message dissapears with no notification to the client
There is the record in the log that the message is delivered.
/var/log/qmail/send/current:

info msg 16520515: bytes 186 from <nobody@mydomain.tld> qp 3563 uid 89
2022-12-14 11:56:33.507987500 starting delivery 1: msg 16520515 to localmydomain.tld-nobody@mydomain.tld
2022-12-14 11:56:33.507987500 status: local 1/10 remote 0/20
2022-12-14 If .qmail_default contains: 11:56:33.512732500 delivery 1: success: did_0+0+1/

if .qmail-default file for domain contains:

|/var/qmail/bin/preline -f /usr/local/dovecot/libexec/dovecot/deliver -d $EXT@$USER

- the message remains in the queue
and there is the record in the dovecot.log
/var/log/dovecot/dovecot.log:

auth-worker(1233): Info: conn unix:auth-worker (pid=1232,uid=1008):
auth-worker<1>: sql(nobody@mydomain.tld) : unknown user

Testing qmail, SMTP and auth

swaks

Testing qmail delivery

Testing SMTP connection

Testing vpopmail auth

Testing chkuser

No valid MX test, mailbox syntax test

No mailbox test

No rcpt hosts test

Testing smtp-auth and TLS

Testing the relay with AUTH LOGIN

Testing the relay with AUTH PLAIN

Troubleshooting

Testing TLS (1.3) capabilities

Comments

qmail notes

LXC scripts

Other contents

Recent comments

Recent posts

`swaks`

Testing `qmail` delivery

Testing `vpopmail` auth

Testing `chkuser`

Testing `smtp-auth` and `TLS`

Testing the relay with `AUTH LOGIN`

Testing the relay with `AUTH PLAIN`