Testing qmail, SMTP and auth

August 15, 2021 Roberto Puzzanghera 110 comments

At this time /command/svcscanboot should have started qmail:

> ps axfww

20017 ?        Ss     0:00 /bin/sh /command/svscanboot 
20019 ?        S      0:00  \_ svscan /service 
20021 ?        S      0:00  |   \_ supervise qmail-submission 
20032 ?        S      0:00  |   |   \_ /usr/local/bin/tcpserver -v -R -l smtp.mydomain.tld -x /home/vpopmail/etc/tcp.submission.cdb -c 200 -u 89 -g 89 0 587 /var/qmail/bin/qmail-smtpd /home/vpopmail/bin/vchkpw /bin/true 
20022 ?        S      0:00  |   \_ supervise log 
20045 ?        S      0:00  |   |   \_ /usr/local/bin/multilog t s16777215 /var/log/qmail/submission 
20023 ?        S      0:00  |   \_ supervise qmail-smtpd 
20035 ?        S      0:00  |   |   \_ /usr/local/bin/tcpserver -v -R -l smtp.mydomain.tld -x /home/vpopmail/etc/tcp.smtp.cdb -c 200 -u 89 -g 89 0 25 /var/qmail/bin/qmail-smtpd /bin/true 
20024 ?        S      0:00  |   \_ supervise log 
20034 ?        S      0:00  |   |   \_ /usr/local/bin/multilog t n5 s16777215 /var/log/qmail/smtpd n5 s16777215 -* +* qlog* !/usr/local/bin/archive_qmail_qlog /var/log/qmail/smtpd/qlog 
13965 ?        S      0:00  |   \_ supervise vusaged 
13977 ?        Sl     0:05  |   |   \_ /home/vpopmail/bin/vusaged 
13966 ?        S      0:00  |   \_ supervise log 
13980 ?        S      0:00  |   |   \_ /usr/local/bin/multilog t /var/log/qmail/vusaged
20025 ?        S      0:00  |   \_ supervise vpopmaild 
20033 ?        S      0:00  |   |   \_ /usr/local/bin/tcpserver -v -H -R -l 0 -u 0 -g 0 0 89 /home/vpopmail/bin/vpopmaild 
20026 ?        S      0:00  |   \_ supervise log 
20040 ?        S      0:00  |   |   \_ /usr/local/bin/multilog t /var/log/qmail/vpopmaild 
20027 ?        S      0:00  |   \_ supervise clear 
20028 ?        S      0:00  |   \_ supervise qmail-smtpsd 
20047 ?        S      0:00  |   |   \_ /usr/local/bin/sslserver -seV -Rp -l smtp.mydomain.tld -Xx /home/vpopmail/etc/tcp.smtp.cdb -c 200 -u 89 -g 89 0 smtps /var/qmail/bin/qmail-smtpd /bin/true 
20029 ?        S      0:00  |   \_ supervise log 
20041 ?        S      0:00  |   |   \_ /usr/local/bin/multilog t n5 s16777215 /var/log/qmail/smtpsd n5 s16777215 -* +* qlog* !/usr/local/bin/archive_qmail_qlog /var/log/qmail/smtpsd/qlog 
20030 ?        S      0:00  |   \_ supervise qmail-send 
20036 ?        S      0:00  |   |   \_ qmail-send 
20052 ?        S      0:00  |   |       \_ qmail-lspawn | /home/vpopmail/bin/vdelivermail '' delete
20053 ?        S      0:00  |   |       \_ qmail-rspawn 
20054 ?        S      0:00  |   |       \_ qmail-clean 
20055 ?        S      0:00  |   |       \_ qmail-todo 
20056 ?        S      0:00  |   |       \_ qmail-clean 
20031 ?        S      0:00  |   \_ supervise log 
20042 ?        S      0:00  |       \_ /usr/local/bin/multilog t s16777215 /var/log/qmail/send 
20020 ?        S      0:00  \_ readproctitle service errors: ...............................................................................................................................................................

If everything is ok you should see something like this. There must be only dots in the readproctitle service errors line.

You can always clean the errors' line in this way:

svc -o /service/clear

or, if you're using my modified qmailctl file, you can do this:

qmailctl clear

Check the queue and the services uptime:

> qmailctl stat

qmail-smtpd:           [ up ] (pid 20035)   0 day(s), 00:02:13 
qmail-smtpd/log:       [ up ] (pid 20034)   0 day(s), 00:02:13 
qmail-smtpsd:          [ up ] (pid 20047)   0 day(s), 00:02:13 
qmail-smtpsd/log:      [ up ] (pid 20041)   0 day(s), 00:02:13 
qmail-submission:      [ up ] (pid 20032)   0 day(s), 00:02:13 
qmail-submission/log:  [ up ] (pid 20045)   0 day(s), 00:02:13 
qmail-send:            [ up ] (pid 20036)   0 day(s), 00:02:13 
qmail-send/log:        [ up ] (pid 20042)   0 day(s), 00:02:13 
vpopmaild:             [ up ] (pid 20033)   0 day(s), 00:02:13 
vpopmaild/log:         [ up ] (pid 20040)   0 day(s), 00:02:13
vusaged:               [ up ] (pid 13977)   0 day(s), 00:02:13 
vusaged/log:           [ up ] (pid 13980)   0 day(s), 00:02:13

dovecot status:        [ down ] 
clamd status:          [ down ] 
freshclam status:      [ down ] 
spamd status:          [ down ] 
solr status:           [ down ] 
httpd status:          [ down ] 
mariadb status:        [ down ] 
fail2ban status:       [ down ] 

ClamAV database updated at: 2021-09-28 12:40:15 
Total Domains: 16 

messages in queue: 0 
messages in queue but not yet preprocessed: 0

Check that the up time increases by repeating the qmailctl stat command a couple of times. If something fails, check the logs.

The next two notes will show how to handle and eventually repair the queue.

swaks

swaks is a SMTP test tool that you can use to perform all the telnet tests that are described below.

Install as follows:

cd /usr/local/bin
wget http://www.jetmore.org/john/code/swaks/latest/swaks
chown root.root swaks
chmod +x swaks

The usage is pretty simple. Adjust to your needs:

swaks \
        --to someone@somewhere.net \
        --from postmaster@mydomain.tld \
        --server localhost \
        --port 587 \
        --ehlo test \
        -tls \
        --auth login \
        --auth-user postmaster@mydomain.tld \
        --auth-password [PASSWORD]

You may want to take a look at the reference manual: http://www.jetmore.org/john/code/swaks/latest/doc/ref.txt

Testing the qmail delivery

Look at the TEST.deliver man page and do all suggested tests.

Testing the SMTP connection

In this example [your-IP] is an IP that is allowed to use our MTA as a relay according to ~vpopmail/etc/tcp.smtp; usually it is 127.0.0.1 or an address on an allowed localnet such as 10.0.0.5 or 192.168.1.12

This test will fail if you try to use the MTA as an open relay, telnetting from the outnet without the SMTP authentication (see below).

> telnet [your IP] 25

Trying [your IP]...
Connected to qmail.mydomain.tld.
Escape character is '^]'.
220 smtp.mydomain.tld ESMTP
mail from:<user@mydomain.tld>
250 ok
rcpt to:<someone@somewhere.net>
250 ok
data
354 go ahead
subject: This is the subject
to: someone@somewhere.net
from: user@mydomain.tld

This is the msg body FOLLOWING A BLANK LINE
.
250 ok 1286469273 qp 31969
quit
221 www.mydomain.tld
Connection closed by foreign host.

***********

Of course it may happen that something goes wrong

> telnet [your IP] 25

Trying [your IP]...
Connected to [yout IP].
Escape character is '^]'.
Connection closed by foreign host.

Let's check the smtp log:

> more /var/log/qmail/smtpd/current

@400000004cb7145314702f74 /var/qmail/bin/qmail-smtpd: error while loading shared libraries: libcrypt.so.1: failed to map segment from shared object: Cannot allocate memory

If you see an error like this, your softlimit is too low. Try to increase it editing /var/qmail/supervise/qmail-smtpd/run

***********

> more /var/log/qmail/smtpd/current

@400000004cc5baaf076df464 /var/qmail/bin/qmail-smtpd: error while loading shared libraries: libmysqlclient.so.16: cannot open shared object file: No such file or directory

I faced this error in a 64b virtual mail server. Mysql was in a different virtual server and the mysql dir was mounted locally but qmail-smtp cannot load it. I fixed this error by copying (not linking!) the library inside the guest in this way:

cp -p /usr/local/mysql/lib/libmysqlclient.so.16.0.0 /usr/lib64/libmysqlclient.so.16

***********

Check if the messages has been sent by opening /var/log/qmail/send/current

***********

Try to send a message to yourself and look for the message in the Maildir/new folder:

> telnet [your IP] 25

Trying [your IP]...
Connected to qmail.mydomain.tld.
Escape character is '^]'.
220 smtp.mydomain.tld ESMTP
mail from:<user@mydomain.tld>
250 ok
rcpt to:<user@mydomain.tld>
250 ok
data
354 go ahead
subject: This is the subject
to: user@mydomain.tld
from: user@mydomain.tld

This is the msg body FOLLOWING A BLANK LINE
.
250 ok 1286469273 qp 31969
quit
221 www.mydomain.tld
Connection closed by foreign host.

> ls -l /home/vpopmail/domains/mydomain.tld/user/Maildir/new
total 4
-rw------- 1 vpopmail vchkpw  211 2010-12-09 13:22 1291897368.13072.qmail,S\=211

Testing the vpopmail authentication

> telnet [your-IP] 89

Trying [your-IP]...
Connected to [your-IP].
Escape character is '^]'.
+OK
login userid@mydomain.tld PASSWORD
+OK+
vpopmail_dir /home/vpopmail
domain_dir /home/vpopmail/domains/mydomain.tld
uid 89
gid 89
name userid
comment userName userSurname
quota NOQUOTA
user_dir /home/vpopmail/domains/mydomain.tld/userid
encrypted_password $xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
clear_text_password xxxxxxxxxxxxxxxxx
no_password_change 0
no_pop 0
no_webmail 0
no_imap 0
bounce_mail 0
no_relay 0
no_dialup 0
user_flag_0 0
user_flag_1 0
user_flag_2 0
user_flag_3 0
no_smtp 0
domain_admin_privileges 0
override_domain_limits 0
no_spamassassin 0
delete_spam 0
no_maildrop 0
system_admin_privileges 0
.
quit
+OK
Connection closed by foreign host.

Testing chkuser

If you perform this test from localhost or from one of the localnets that are allowed to relay according to ~vpopmail/etc/tcp.smtp...

10.0.0.:allow,RELAYCLIENT=""
127.:allow,RELAYCLIENT=""

...before continuing, you have to deny yourself from relaying. Clean and reload tcp.smtp:

cd ~vpopmail/etc
mv tcp.smtp tcp.smtp.bck
touch tcp.smtp
qmailctl cdb

Now we are ready for the test.

No valid MX test, mailbox syntax test

chkuser rejects the messages if the MX record in the from field is non existent. This is a rare case since spammers will try to use your own domain in the from field.

> telnet [yourIP] 25
Trying [yourIP]...
Connected to [yourIP].
Escape character is '^]'.
220 mydomain.tld ESMTP
mail from: unexistent@fakedomain.xxx
550 5.1.8 sorry, can't find a valid MX for sender domain (chkuser)
mail from: unexistent@fake_domain.xxx
553 5.1.7 sorry, mailbox syntax not allowed (chkuser)
quit

No mailbox test

qmail/control/rcpthosts file determines whether the recipient will be accepted: it will be accepted if and only if the domain of the address given in the RCPT TO command is listed in rcpthosts. Anyway chkuser is programmed to reject the messages for non existent users of these domains:

> telnet [yourIP] 25
Trying [yourIP]...
Connected to [yourIP].
Escape character is '^]'.
220 mydomain.tld ESMTP
mail from: someone@gmail.com
250 ok
rcpt to: nobody@mydomain.tld
550 5.1.1 sorry, no mailbox here by that name (chkuser)
quit

No rcpt hosts test

To allow clients to send outgoing messages through this MTA, you must authorize the relay from their IP addresses inside tcp.smtp:

111.222.333.444:allow,RELAYCLIENT=""

In this case we have purged tcp.smtp, so we are allowed to send messages only to local users (domains inside rcpthosts) and chkuser can't find the external domain in his list of allowed rcpthosts

> telnet [yourIP] 25
Trying [yourIP]...
Connected to [yourIP].
Escape character is '^]'.
220 mydomain.tld ESMTP
mail from: someone@gmail.com
250 ok
rcpt to: someone@gmail.com
553 5.7.1 sorry, that domain isn't in my list of allowed rcpthosts (chkuser)
quit

In addition look for chkuser messages inside the smtp log /var/log/qmail/smtp/current.

Don't forget to restore the tcp.smtp

rm tcp.smtp
mv tcp.smtp.bck tcp.smtp
qmailctl cdb

Testing smtp-auth and TLS

Let's suppose that you have enabled the submission service (port 587). If you have enabled smtp-auth on port 25 replace 587 with 25 below.

Check that auth and TLS are present:

> telnet [your-IP] 587

Trying [your-IP]...
Connected to [your-IP].
Escape character is '^]'.
220 smtp.mydomain.tld ESMTP
EHLO test
250-smtp.mydomain.tld
250-STARTTLS
250-PIPELINING
250-8BITMIME
250-SIZE 3000000
mail from:someone@somewhere.net
530 Authorization required (#5.7.1)
AUTH PLAIN
538 auth not available without TLS (#5.3.3)
STARTTLS
220 ready for tls
?(?S^F?^@???^\?^^CR?^??*LV^?^Y+
^W^C^A^@ o?^?&@?????^N^?>??^?.d[^ZE?^?2^?^F^?Xr?XN^W^C^A^@P?^?^?4H&>/4^UG^?^??Njg^]?^_^F;@?^T?^?
^@i?>r^F??g4??{^C??bc^^N?^Qb???^@?n^???8`?W^\?5?^?^HT?F^?X?(^?+
^W^C^A^@ ?+^??2??W]^Y??}?^?^B^[??n?w^?qs^???^N^B^[^W^C^A^@@^CC3^?f?^Y.^?^?x#?j?^D?+?u^F^?^H?0^?^U??^@i?c$
^CConnection closed by foreign host.

The server seems to correctly provide STARTTLS and AUTH support. As you can see the authorization is required and the auth is not available without TLS. When the server is "ready for tls" the connection goes encrypted and you have to quit with a ^C.

Be aware that you can choose between 3 authentication methods:

  1. PLAIN (unsecure without TLS)
  2. LOGIN (unsecure without TLS)
  3. CRAM-MD5 (more secure, but not nedeed with TLS)

Since we support TLS I use to disable CRAM-MD5 in my run file. So we will test just LOGIN and PLAIN. If you want to enable CRAM-MD5 refer to the README.auth file.

Testing the relay with AUTH LOGIN

- Encoding the login -

To test the AUTH LOGIN" method (it is safe since the entire connection is secure) you have to encode the BASE64 string of the username, let's say "test@test.net", and the password, let's say "test" as shown below.

> printf "test@test.net" | base64
dGVzdEB0ZXN0Lm5ldA==
> printf "test" | base64
dGVzdA==

Thus, the username "test@test.net" translates to "dGVzdEB0ZXN0Lm5ldA==" and the corresponding password "test" becomes "dGVzdA=="

- Testing the relay -

Now let's check if the relay is working fine. To talk with the server during an encrypted dialog we will use an openssl connection with -starttls smtp; first of all the certificate will be presented:

> openssl s_client -starttls smtp -crlf -connect [your-IP]:587

CONNECTED(00000003)                                                                                                                        
depth=0 /C=IT/ST=Italy/L=Cagliari/O=Your Name/CN=smtp.mydomain.tld/emailAddress=postmaster@mydomain.tld                              
verify error:num=18:self signed certificate                                                                                                
verify return:1
depth=0 /C=IT/ST=Italy/L=Cagliari/O=Your Name/CN=smtp.mydomain.tld/emailAddress=postmaster@mydomain.tld
verify return:1
---
Certificate chain
 0 s:/C=IT/ST=Italy/L=Cagliari/O=Your Name/CN=smtp.mydomain.tld/emailAddress=postmaster@mydomain.tld
   i:/C=IT/ST=Italy/L=Cagliari/O=Your Name/CN=smtp.sagredo.eu/emailAddress=postmaster@mydomain.tld
---
Server certificate
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
subject=/C=IT/ST=Italy/L=Cagliari/O=Your Name/CN=smtp.mydomain.tld/emailAddress=postmaster@mydomain.tld
issuer=/C=IT/ST=Italy/L=Cagliari/O=Your Name/CN=smtp.yourname.net/emailAddress=postmaster@yourname.net
---
No client certificate CA names sent
---
SSL handshake has read 1650 bytes and written 354 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Session-ID-ctx:
    Master-Key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Key-Arg   : None
    Start Time: 1292613625
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
EHLO test 
250-sagredo.eu 
250-PIPELINING 
250-8BITMIME 
250-AUTH LOGIN PLAIN CRAM-MD5 
250 SIZE 25000000 
AUTH LOGIN 
334 VXNlcm5hbWU6 
dGVzdEB0ZXN0Lm5ldA== 
334 UGFzc3dvcmQ6 
dGVzdA== 
235 ok, go ahead (#2.0.0)

Testing the relay with AUTH PLAIN

- Encoding the login -

The correct form of the AUTH PLAIN is "\0authentication-id\0passwd'" where \0 is the null byte. If the username is "test@test.net" and the password is "test" you have to encode the BASE64 string of "\0test@test.net\0test":

> printf "\0test@test.net\0test" | base64
AHRlc3RAdGVzdC5uZXQAdGVzdA==

- Testing the relay -

Now let's check if the relay is working fine. To talk with the server during an encrypted dialog we will use an openssl connection with -starttls smtp; first of all the certificate will be presented:

> openssl s_client -starttls smtp -crlf -connect [your-IP]:587

CONNECTED(00000003)
[THE SAME AS AUTH LOGIN BEFORE]
---
250 AUTH LOGIN PLAIN
AUTH PLAIN AHRlc3RAdGVzdC5uZXQAdGVzdA==

Troubleshooting

If something goes wrong you can always log the smtp conversation running qmail-smtpd in conjunction with Bernstein's recordio program (hopefully from the command line):

exec /usr/local/bin/softlimit -m "$SOFTLIMIT" \
    /usr/local/bin/tcpserver -v -H -R -l 0 \
    -x /home/vpopmail/etc/tcp.submission.cdb -c "$MAXSMTPD" \
    -u "$QMAILDUID" -g "$NOFILESGID" 0 submission \
    /usr/local/bin/recordio \
    /var/qmail/bin/qmail-smtpd \
    /home/vpopmail/bin/vchkpw /bin/true 2>&1

You can also use strace to better investigate how the smtpd session is going on:

# strace -Ff -o /tmp/strace.log -p <tcpserver-pid>

You can quickly get the qmail-smtpd tcpserver's ip as follows:

# ps axf|grep tcpserver|grep 25
26194 ? S 0:00 | | \_ /usr/local/bin/tcpserver -v -H -R -l yourdomain.tld -x /home/vpopmail/etc/tcp.smtp.cdb -c 20 -u 89 -g 89 0 25 /var/qmail/bin/qmail-smtpd

Testing TLS (1.3) capabilities

You can check the server's TLS 1.3 capabilities and vulnerabilities using the testssl.sh script from Dirk Wetter.

Download as follows

git clone --depth 1 https://github.com/drwetter/testssl.sh.git
cd testssl.sh

Check that your submission port offers TLS 1.3 and that all SSL are banned

> ./testssl.sh -t smtp localhost:587

Testing protocols via sockets

SSLv2      not offered (OK) 
SSLv3      likely not offered (OK), received 4xx/5xx after STARTTLS handshake, rerun with DEBUG>=2 or --ssl-native 
TLS 1      offered (deprecated) 
TLS 1.1    offered (deprecated) 
TLS 1.2    offered (OK) 
TLS 1.3    offered (OK): final

You should check the same with the option --ssl-native to confirm that SSLv3 is not offered.

The script allows you to test other ports and your connection more deeply. Look at all possibilities offered

./testssl.sh --help
Configuring
autorespond
qmail | vpopmail
add a comment

Comments

qq_temporary_problem_(#4.3.0)

Herbert May 3, 2023 17:12

Hi Roberto,

Mailserver is working mostly as expected but with some EMails I get the following error:

qlogenvelope: result=accepted code=250 reason=rcptto

So far everything seems to be ok but then:

qlogreceived: result=rejected code=451 reason=queuedelay detail=qq_temporary_problem_(#4.3.0)

Any ideas?

Reply | Permalink

qq_temporary_problem_(#4.3.0)

Roberto Puzzanghera Herbert May 3, 2023 17:17

Hi Herbert, 

are you using the latest patch? Are you verifing dkim?

Reply | Permalink

qq_temporary_problem_(#4.3.0)

Herbert Roberto Puzzanghera May 4, 2023 07:36

...after some more testing the problem is not the EMailaddress itself because the users receives "standard EMails"

The problem seems to be related to Mailinglists only.....

Reply | Permalink

qq_temporary_problem_(#4.3.0)

Roberto Puzzanghera Herbert May 4, 2023 08:14

You should do an strace of the tcpserver process. Send yourself an email to one of your m/l and log the results in this way

strace -fF -o strace.log -p [qmail-smtpd_Process_ID]

do not post it as a comment here because it will be very long :-). Post it to pastebin or somewhere else please

Edit: before the strace, try the other solution below. If it doesn't solve do the strace

Reply | Permalink

qq_temporary_problem_(#4.3.0)

Herbert Roberto Puzzanghera May 4, 2023 11:31

....what a stupid mistake!!! I'm really sorry!

yes - the user who runs qmail-smtpd is vpopmail and the cache directory had wrong permissions!

I was sure that I corrected permissons on the directory because I had permission problems some time ago.

But for me it was strange that everything worked except emails from mailing lists.

Now its working!

Anyway - thanks for your efforts!

Reply | Permalink

qq_temporary_problem_(#4.3.0)

Roberto Puzzanghera Herbert May 4, 2023 11:35

great to hear that your problem is solved!

The control/cache dir is assigned to vpopmail by default. I assume that you changed its ownership...

Reply | Permalink

qq_temporary_problem_(#4.3.0)

Herbert Roberto Puzzanghera May 31, 2023 14:42

...and another correction......make setup from qmail changes ownership to postfix! - NOT system update

Regards,

Herbert

Reply | Permalink

qq_temporary_problem_(#4.3.0)

Roberto Puzzanghera Herbert June 1, 2023 21:18

I released a new combined patch where the IDs of vpopmail are determined dinamically

Reply | Permalink

qq_temporary_problem_(#4.3.0)

Herbert Roberto Puzzanghera June 2, 2023 06:32

Thanks Roberto!

I think this will help some people because not all will run vpopmail:vchkpw on ID's 89:89 and then they will run into same problem like me.

Great work! As always! :-)

Regards,

Herbert

Reply | Permalink

qq_temporary_problem_(#4.3.0)

Roberto Puzzanghera Herbert May 31, 2023 18:22

When you make setup, you change the uid/gid of control/cache to 89:89, which is vpopmail:vchkpwd in my guide, but not for you.

If you don't want to patch hier.c accordingly, you should delete your postfix user and group, assign those IDs to vpopmail and rebuild the IDs of the vpopmail directory.

Reply | Permalink

qq_temporary_problem_(#4.3.0)

Herbert Roberto Puzzanghera May 31, 2023 14:33

Hi Roberto,

now I know why /var/qmail/control/cache had wrong owner!

I did a system update fron Rocky Linux 8.7 to 8.8 and the owner was changed from vpopmail to postfix again!

Postfix is not running and I don't know what causes this chage because UID of postfix (89) and vpopmail (3008) is different.

...and I was right when I remembered that I changed ownership of the directory before the error occured :-)  ...so - system update was the cause....

Only wanted to inform you - maybe someone has the same problem and this information is useful.

Regards,

Herbert

Reply | Permalink

qq_temporary_problem_(#4.3.0)

Herbert Roberto Puzzanghera May 4, 2023 09:45

...sent you the download links for strace and log to your "notes-Email-address" because I can't remove private information

It is qmail with latest patch - somehow I didn't find exact error message from log in strace with the newest patch???

...and I have this in the run file but nothing changed:

# DKIM - SURBL configuration
# DKIMQUEUE and SURBLQUEUE are front-ends of qmail-queue
export SURBL=1 # Comment out to enable SURBL filtering
export QMAILQUEUE=/var/qmail/bin/surblqueue # executes surblfilter
export SURBLQUEUE=/var/qmail/bin/simscan # remove if below options are enabled
#export SURBLQUEUE=/var/qmail/bin/qmail-dkim # executes qmail-dkim after sublfilter
#export DKIMQUEUE=/var/qmail/bin/simscan # simscan is executed after qmail-dkim
# DKIM verification. Use carefully
#export DKIMVERIFY="FGHKLMNOQRTVWp"
# This is to allow msg without "subject" in the h= list
# export UNSIGNED_SUBJECT=1
# This is to avoid verification of outgoing messages
#export RELAYCLIENT_NODKIMVERIFY=1

Reply | Permalink

qq_temporary_problem_(#4.3.0)

Herbert Roberto Puzzanghera May 4, 2023 06:11

Hi Roberto,

tried then new patch and the old one - same error and only with one address so far.

This is the DKIM part of my run file. Imho I am not verifying dkim but maybe I missed something:

# DKIM - SURBL configuration
# DKIMQUEUE and SURBLQUEUE are front-ends of qmail-queue
export SURBL=1 # Comment out to enable SURBL filtering
export QMAILQUEUE=/var/qmail/bin/surblqueue # executes surblfilter
#export SURBLQUEUE=/var/qmail/bin/qmail-dkim # executes qmail-dkim after sublfilter
export DKIMQUEUE=/var/qmail/bin/simscan # simscan is executed after qmail-dkim
# DKIM verification. Use carefully
#export DKIMVERIFY="FGHKLMNOQRTVWp"
# This is to allow msg without "subject" in the h= list
# export UNSIGNED_SUBJECT=1
# This is to avoid verification of outgoing messages
#export RELAYCLIENT_NODKIMVERIFY=1

Reply | Permalink

qq_temporary_problem_(#4.3.0)

Roberto Puzzanghera Herbert May 4, 2023 08:04

probably you are missing this one, as your mails are not processed by simscan after SURBL

export SURBLQUEUE=/var/qmail/bin/simscan # executes simscan after SURBL

This line is useless, as dkim is not executed after SURBL

export DKIMQUEUE=/var/qmail/bin/simscan # simscan is executed after qmail-dkim

Reply | Permalink

What is qq_internal_bug_?

J March 16, 2023 06:26

My email server works fine but for some incoming emails, qmail server simply rejects for some reason. What might be causing this?

/var/log/qmail/smtpd/current

qlogreceived: result=rejected code=451 reason=queuedelay detail=qq_internal_bug_(#4.3.0) .....
qmail-smtpd: message delayed (qq internal bug (#4.3.0)): .....

Reply | Permalink

What is qq_internal_bug_?

Roberto Puzzanghera J March 18, 2023 07:48

New combined patch released with fix to this issue

Reply | Permalink

What is qq_internal_bug_?

Roberto Puzzanghera J March 17, 2023 18:07

Hi J, another user reported the same error. I think it is a qmail-dkim issue. You should disable the verification, or downgrade the qmail patch for the time being

Reply | Permalink

What is qq_internal_bug_?

Ali Erturk TURKER Roberto Puzzanghera March 18, 2023 03:37

It is definitely a qmail-dkim issue.

The qmail-dkim.c code segfaults somewhere and the kernel issues a SIGSEGV signal which is caught by 

sigbug() functon in qmail-dkim.c (via sig_catch(SIGSEGV,f);) and then the program

terminates with die(81, 0); which is reported by "case 81: return "Zqq internal bug (#4.3.0)";"

While Manvendra Bhangui debugs this issue, people can use Kyle Wheeler's DKIM wrapper

for signing outgoing mail, if they don't want to rebuild qmail.

AET

Reply | Permalink

What is qq_internal_bug_?

Roberto Puzzanghera Ali Erturk TURKER March 18, 2023 06:43

Hi Ali, Manvendra already updated his dkim patch. The segfault happened when the signature missed the k flag. I'll update my combined patch later

Reply | Permalink

What is qq_internal_bug_?

Ali Erturk TURKER Roberto Puzzanghera March 18, 2023 07:08

I'm glad to hear that. Thanks Manvendra for the quick response.

And for the curious, segfault was due to a null pointer dereference on line 1126 of dkimverify.cpp:

if (!strcmp(values[3], "ed25519")) {

which is corrected as:

if (values[3] && !strcmp(values[3], "ed25519")) {

Regards

AET

Reply | Permalink

What is qq_internal_bug_?

Manvendra Ali Erturk TURKER March 18, 2023 10:28

The analysis by Ali is correct. values[3] is null because there isn't any k= tag in the DNS selector txt record. Now RFC6376 says that k= tag is optional and if not specified it should default to rsa

   k= Key type (plain-text; OPTIONAL, default is "rsa").  Signers and
      Verifiers MUST support the "rsa" key type.  The "rsa" key type
      indicates that an ASN.1 DER-encoded [ITU-X660-1997] RSAPublicKey
      (see [RFC3447], Sections 3.1 and A.1.1) is being used in the "p="
      tag.  (Note: the "p=" tag further encodes the value using the
      base64 algorithm.)  Unrecognized key types MUST be ignored.

There were two changes made to dkimverify.cpp to allow the DNS selector record not to have k= tag

First change was

    if (values[3] == NULL)
        method = DKIM_ENCRYPTION_RSA; /*- equivalent to k=rsa in selector */

Second change was to bypass string comparision

        if (values[3] && !strcmp(values[3], "ed25519")) {

instead of

        if (!strcmp(values[3], "ed25519")) {

Reply | Permalink

What is qq_internal_bug_?

Roberto Puzzanghera J March 16, 2023 07:29

As you know, that error code is not documented at all in the source code. I did a grep "qq internal bug" in my logs of the last 10 years and didn't find a single occurrence.

I googled a bit and found that it seems to be related to a broken queue. I would try to rebuild the queue.

I leave here what I've found (I'm sure that you already got these discussions in your googling)

https://lists.archive.carbon60.com/qmail/users/8046?do=post_view_threaded

https://www.mail-archive.com/qmail@id.wustl.edu/msg12778.html

Please let me know if you solve by rebuilding the queue

Reply | Permalink

What is qq_internal_bug_?

Manvendra Roberto Puzzanghera March 18, 2023 10:08

qq_internal_bug is not because of a broken queue. It happens when qmail-queue or any program executed by setting QMAILQUEUE env variable dies because of a signal like SIGBUS, SIGSEGV.

In our case qmail-dkim was segfaulting because of a null pointer access. This is what qmail-dkim and many of qmail programs do to catch signals generated becuase of doing something illegal in the code.

void
sig_bugcatch(void (*f) ())

    sig_catch(SIGILL, f);
    sig_catch(SIGABRT, f);
    sig_catch(SIGFPE, f);
    sig_catch(SIGBUS, f);
    sig_catch(SIGSEGV, f);
#ifdef SIGSYS
    sig_catch(SIGSYS, f);
#endif
#ifdef SIGEMT
    sig_catch(SIGEMT, f);
#endif
}       

Reply | Permalink

keep getting 421 unable to read controls

GoofY March 5, 2023 20:28

Hi Roberto,

I've installed qmail per your site allready a couple of times, but now I hit an issue I can't find out myself (or with google).

I've tried with Ubuntu 22.04 3 times and with Debian 11 2 times and every time I can't get past the 'telnet 127.0.0.1 25' command.

it's output is on all occasions, do you have a clou as to where to look for this issue?:

root@mail:~# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
421 unable to read controls (#4.3.0)
Connection closed by foreign host.
root@mail:~#

Reply | Permalink

strace shows some clues as to why telnet 127.0.0.1 25 is failing with 421 read control error

GoofY GoofY March 5, 2023 23:24

hi,

after looking at some more debuging, I found that some files aren't in the location it's supposed to be:

15251 openat(AT_FDCWD, "/usr/lib64/tls/x86_64/x86_64/libssl.so.1.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
15251 stat("/usr/lib64/tls/x86_64/x86_64", 0x7ffe4ebff790) = -1 ENOENT (No such file or directory)

The file libssl.so.1.1 is available but not in that dir, also some others like cryptossl.so.1.1 and mariadb.so.3. I fixed that quick and dirty with making a symlink:

ln -s /usr/lib/x86_64-linux-gnu /usr/lib64/tls/x86_64/x86_64

That fixed that part of the errors.

The trace than only complained about certain files not being in /var/qmail/control, eg: smtpgreeting, localiphost and some more. It could find however control/me an control/maxrcpt, so my guess it's not related to that but I'm not certain.

Here is the last part of the strace, unfortunately I can't find why it's throwing the  '421 unable to read controls' ...:

15251 openat(AT_FDCWD, "control/maxrcpt", O_RDONLY|O_NONBLOCK) = 3
15251 read(3, "25\n", 64) = 3
15251 close(3) = 0
15251 openat(AT_FDCWD, "control/rcpthosts", O_RDONLY|O_NONBLOCK) = 3
15251 read(3, "my.fqdn.org\n", 64) = 16
15251 read(3, "", 64) = 0
15251 close(3) = 0
15251 openat(AT_FDCWD, "control/morercpthosts.cdb", O_RDONLY|O_NONBLOCK) = -1 ENOENT (No such file or directory)
15251 openat(AT_FDCWD, "control/smtpplugins", O_RDONLY|O_NONBLOCK) = -1 ENOENT (No such file or directory)
15251 select(3, NULL, [2], NULL, {tv_sec=1200, tv_usec=0}) = 1 (out [2], left {tv_sec=1199, tv_usec=999996})
15251 write(2, "qlogenvelope: result=rejected co"..., 265) = 265
15251 select(3, NULL, [2], NULL, {tv_sec=1200, tv_usec=0}) = 1 (out [2], left {tv_sec=1199, tv_usec=999998})
15251 write(2, "\n", 1) = 1
15251 select(3, NULL, [2], NULL, {tv_sec=1200, tv_usec=0}) = 1 (out [2], left {tv_sec=1199, tv_usec=999998})
15251 write(2, "qmail-smtpd: unable to read cont"..., 79) = 79
15251 select(2, NULL, [1], NULL, {tv_sec=1200, tv_usec=0}) = 1 (out [1], left {tv_sec=1199, tv_usec=999995})
15251 write(1, "421 unable to read controls (#4."..., 38) = 38
15251 exit_group(1) = ?
15251 +++ exited with 1 +++

Do you maybe have an idea as to why it comes with 421 unable to read controls?

Reply | Permalink

strace shows some clues as to why telnet 127.0.0.1 25 is failing with 421 read control error

Roberto Puzzanghera GoofY March 6, 2023 13:47

I think you miss the smtpplugins control file while qmail-spp is enabled in your run file. Touch that file and it will be solved.

My fault. I modified the qmail-smtpd run file with qmail-spp enabled by default

Reply | Permalink

strace shows some clues as to why telnet 127.0.0.1 25 is failing with 421 read control error

GoofY Roberto Puzzanghera March 6, 2023 15:16

Hi Roberto,

thanks for pointing it out. Solved!

Reply | Permalink

Chkuser and relay client

Raya December 14, 2022 14:33

Hi Roberto,

Thank you for this great documentation
I have a problem when RELAY client sends an e-mail to an unknown local user. Please help me to understand my problem
If .qmail-default file for domain contains:

| /home/vpopmail/bin/vdelivermail '' delete

- the message dissapears with no notification to the client
There is the record in the log that the message is delivered.
/var/log/qmail/send/current:

info msg 16520515: bytes 186 from <nobody@mydomain.tld> qp 3563 uid 89
2022-12-14 11:56:33.507987500 starting delivery 1: msg 16520515 to localmydomain.tld-nobody@mydomain.tld
2022-12-14 11:56:33.507987500 status: local 1/10 remote 0/20
2022-12-14 If .qmail_default contains: 11:56:33.512732500 delivery 1: success: did_0+0+1/

if .qmail-default file for domain contains:

|/var/qmail/bin/preline -f /usr/local/dovecot/libexec/dovecot/deliver -d $EXT@$USER

- the message remains in the queue
and there is the record in the dovecot.log
/var/log/dovecot/dovecot.log:

auth-worker(1233): Info: conn unix:auth-worker (pid=1232,uid=1008):
auth-worker<1>: sql(nobody@mydomain.tld) : unknown user

Reply | Permalink

Chkuser and relay client

Roberto Puzzanghera Raya December 14, 2022 15:45

I can't perform tests in this moment, but chkuser should notify that the user does not exist during the SMTP session. Are you sure that you have chkuser enabled?

PS Sorry, chkuser is disabled by default for RELAYCLIENT. You can enable it via tcprules

Reply | Permalink

Chkuser and relay client

Raya Roberto Puzzanghera December 14, 2022 21:01

Thank you for your answer
How can I enable CHKUSER for RELAYCLIENT via tcprules?

Reply | Permalink

Chkuser and relay client

Roberto Puzzanghera Raya December 15, 2022 09:31

I don't recall now and I am out of home. Check the settings

Reply | Permalink

Chkuser and relay client

Raya Roberto Puzzanghera December 15, 2022 12:11

I could not enable chkuser for relayclient via tcprules. I was forced to delete localnet from relayclient to solve the problem. Thank you for your help.

Reply | Permalink

Chkuser and relay client

Roberto Puzzanghera Raya December 17, 2022 13:51

I see the problem. Actually there was an ancient modification of mine which prevented chkuser to do the receipt check also for RELAYCLIENTs provided that the variable CHKUSER_DISABLE_VARIABLE is commented out.

Try to use this new patch where I have corrected the problem and commented out that variable https://notes.sagredo.eu/files/qmail/patches/roberto-netqmail-1.06/roberto-netqmail-1.06.patch-2022.12.17.gz

Reply | Permalink

Chkuser and relay client

Raya Roberto Puzzanghera December 21, 2022 11:56

Thank you so much! It is working now

Reply | Permalink

Chkuser and relay client

Roberto Puzzanghera Raya December 14, 2022 15:38

Hi, if you want to have bounces change the vdelivermail option to bounce-no-mailbox instead of delete. Of course in this way the forged sender will receive tons of spam

Reply | Permalink

Testing chkuser: 554 SMTP protocol violation

numattic May 27, 2022 23:05

Roberto,

In "No valid MX test, mailbox syntax test", my test looks like this:

# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
mail from: unexistent@fakedomain.xxx
554 SMTP protocol violation
Connection closed by foreign host.

About the only info for SMTP protocol violation was related to large attachments or "talking before greeting", which aren't the case here.

Any ideas?

Reply | Permalink

Testing chkuser: 554 SMTP protocol violation

Roberto Puzzanghera numattic May 28, 2022 07:49

Hi, it appears that you are sending the "mail from" before the server's greeting. This is the greeting of my server, which is not received immediately because of the greetdelay feature

220 smtp.sagredo.eu ESMTP

So the "554 SMTP protocol violation" reject is normal.

Reply | Permalink

Testing submission port error

khchan October 13, 2021 15:16

When I perform telnet testing as below, I've hit a error:

telnet localhost 587
Trying 127.0.0.1...
Connected to 127.0.0.1
Escape character is '^]'.
220 localhost ESMTP
EHLO test
250-localhost
250-STARTTLS
250-PIPELINING
250-8BITMIME
250 SIZE 20000000
STARTTLS
220 ready for tls
cG9zdG1hc3RlckBjbG9jYWxob3N0LmNvbQ==
454 TLS connection failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number (#4.3.0)
Connection closed by foreign host.

Reply | Permalink

Testing submission port error

Roberto Puzzanghera khchan October 13, 2021 15:58

The telnet session is useless when you go encrypted. Try to do the same with an openssl session like this

openssl s_client -starttls smtp -crlf -connect localhost:587

swaks can do it for you as explained at the top of this page

Reply | Permalink

Testing submission port error

khchan Roberto Puzzanghera October 14, 2021 02:42

The swak and openssl s_client with error and info below:

===start===

swaks \
> --to postmaster@abc.com \
> --from postmaster@abc.com \
> --server localhost \
> --port 587 \
> --ehlo test \
> -tls \
> --auth login \
> --auth-user postmaster@abc.com \
> --auth-password abc12345
=== Trying localhost:587...
*** Error connecting to localhost:587:
*** IO::Socket::INET6: connect: Connection refused

===end===
===start===

openssl s_client -starttls smtp -crlf -connect localhost:587
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 C = US, ST = STATE, L = STATE LOCAL, O = *, CN = *, emailAddress = postmaster@abc.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = STATE, L = STATE LOCAL, O = *, CN = *, emailAddress = postmaster@abc.com
verify return:1
---
Certificate chain
0 s:C = US, ST = STATE, L = STATE LOCAL, O = *, CN = *, emailAddress = postmaster@abc.com
i:C = US, ST = STATE, L = STATE LOCAL, O = *, CN = *, emailAddress = postmaster@abc.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFsTCCA5mgAwIBAgIUG1uEYYGgzRW2hXPxPbYbYpWByV4wDQYJKoZIhvcNAQEL
BQAwaDELMAkGA1UEBhMCTVkxDjAMBgNVBAgMBUpPSE9SMRQwEgYDVQQHDAtKT0hP
UiBCQUhSVTEKMAgGA1UECgwBKjEKMAgGA1UEAwwBKjEbMBkGCSqGSIb3DQEJARYM
Y2toQG15c3FsLmNjMB4XDTIxMTAxMzEzMzM1M1oXDTMxMTAyMTEzMzM1M1owaDEL
MAkGA1UEBhMCTVkxDjAMBgNVBAgMBUpPSE9SMRQwEgYDVQQHDAtKT0hPUiBCQUhS
VTEKMAgGA1UECgwBKjEKMAgGA1UEAwwBKjEbMBkGCSqGSIb3DQEJARYUS2toQG15
c3FsLmNjMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvnwKqXvb24sz
mtcsvvKbmAfKCsGJWnFT7/f8vdzIGbJhd6FhOhZB+8tSRn9p68oo9oNZ0b0lc2ZA
TnVzljBUnlyqVXxL6bYzQcLupgITszhYtKRpsUSv93vpjWZM0re2Uj+zcsmZ0z7F
urYA43t9EFN503C25JblhvrLV9XLLol3AiY/AuQ2GpyN4rIDo/ljmk2gdQSEtO9A
rgqvkisCP48y3UAI9B6yMm72UGtBMdD7270zQcIHocJle+guN0VvSuzO5HU9rKFj
am1YwedVH/YCCM3qtX0c58cUOtAm+9X5uf10Uzrm5HDXaPXQRbtTRIdfW7uFgGat
YE2UawBGfdmqTdIk6VOKIUinPeBCkmAKMcgZKsvlZwKSmbCZx5EPvvj64hZbfOBu
LFwQHUByIsaHjoch0pSsTjjkYlkGFbKQXi88SHbGFFLgzYw2tM9akQCujz8qE4Mo
Nsg4TWvHJZdyIPtOJhe7oljdHeTx7bq7ODmvg9+dQ1UrjQc3jSG0Q0gaFZT87Y1D
A9y5tU99z+CDm5omFfFKbWWD3L1Rj8wpzF7TiAWoqO3Yz1NH6sCeONmrX+DrGbxB
WDFvwQLhoNwmF5Q3ptDrA9Jpl1LVf7W5+NjDimgpi95PyPwtlYqEAYdQDus958LN
1IIH5q2ONZ7g9S2RVGIJX/VqMcyKqo0CAwEAAaNTMFEwHQYDVR0OBBYEFAjKIGbO
rd9OG4gW1P+TPQZEdOPvMB8GA1UdIwQYMBaAFAjKIGbOrd9OG4gW1P+TPQZEdOPv
MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBADWb0gxwHV7pimpn
9YgpTILtQ2gwS5JF7KBbAn68zwKsN/Tk5Fpjm6ZIE0lNdpGF45yG/wiJdcvCKZ9/
rbprnuR1A8IJUzZG+35z9K7w6QPdbDdlXFfW/xhug+JdfLIyyR4HmamU0Ip9aYXx
ALtBcxZAYHm8nBVFtiQhw2l2VMA7ogcjxcylrQacKSfynAmpYMJCNXk9cXgtusNd
n5X/jgf6eDFXSm3TUVVZ2u2WSn4i2ZZ7RAwWlqsEH9i1OwQDuQ3QSNHsiGSX/6zP
YC6RgtJhUm11RDjxvORZ8Nb7oGfZNTL8RLuWT375FjaszLDnhqga0wnplU3oSR5I
43Zwnyr0kOc/lmajLC3wgC3IejTHE8X7nevJ1vznVRO2PMi5PlfL4kY9+STpZv/v
uAqPMNCw2FPcuuzskUzJulnZdnaQ8Fv576N+v8Ad814VqvGe+gvRBO/b8oHULfKk
xm9NW/8tazQKoV0p5Sn3ve9iNuhfBvuS3W0wunp/H04JhIP87t5Qeou3/ul6xDHk
1eu+nlTlD4HeY8DNwhOTXvt8AoH+wpGvChGM1NUdRZSEZhwVSQIRzDbt3eTejeoq
wzcwu9xxL6pckr1m5i0uN/04jTD15ph6D+aE+TP6Z/jueaqGllVAi6A68HnGg9NE
G9CgnmchlGrO9zgzk5mQGjBxEAL3
-----END CERTIFICATE-----
subject=C = US, ST = STATE, L = STATE LOCAL, O = *, CN = *, emailAddress = postmaster@abc.com

issuer=C = US, ST = STATE, L = STATE LOCAL, O = *, CN = *, emailAddress = postmaster@abc.com

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2391 bytes and written 402 bytes
Verification error: self signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self signed certificate)
---
250 SIZE 20000000
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 92832980EC6FBC68F7A62D157443E10E54742F4C4E925504B5E7B0B503E79DF8
Session-ID-ctx: 
Resumption PSK: 038C9458CC32B077062FDFFF6A2F922488002A87C031559D60061794DF1E8F00191B5F222F2C71846F78584D413FDDD2
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 3a 8b 30 2b 8e 40 50 d8-a8 9f 00 db 8a 52 fe d8 :.0+.@P......R..
0010 - 36 aa 1a d9 77 a5 81 db-60 a7 af af 04 82 6b 5a 6...w...`.....kZ
0020 - a0 c4 aa 47 9c fe 9a 85-c9 61 05 40 82 ff 94 27 ...G.....a.@...'
0030 - 7c 1e 25 93 f6 40 34 8a-fe 51 cf 2c 96 f0 64 a4 |.%..@4..Q.,..d.
0040 - 79 6d fb 3a f7 d8 f4 9c-5e 84 a6 95 f0 53 e3 30 ym.:....^....S.0
0050 - b4 7e 87 1f e2 3a de cb-b1 d8 cd f2 23 33 78 99 .~...:......#3x.
0060 - 23 ca 13 f8 97 df 2e 65-61 28 17 38 0f b2 f7 f3 #......ea(.8....
0070 - 2e 40 2b f6 1e bb 84 6f-25 1f 0d 88 69 f5 5b 38 .@+....o%...i.[8
0080 - cf e9 6d c3 53 e3 c3 74-3c d3 91 4e 26 01 c4 95 ..m.S..t<..N&...
0090 - 52 48 db f3 c1 a6 67 07-f1 a7 fa 49 0b 51 b2 cc RH....g....I.Q..
00a0 - 04 19 29 d0 a2 69 5c 69-37 a7 74 cd 50 a1 33 a5 ..)..i\i7.t.P.3.
00b0 - a8 e7 e6 91 e4 43 8b b9-99 8b c0 cb 27 51 4c c0 .....C......'QL.
00c0 - 93 db 87 6a 0b 15 f0 cc-f7 23 60 0f 29 8d 12 30 ...j.....#`.)..0

Start Time: 1634175480
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: BF77B20A63A7C8A431BF419B559210F85478CAF78C6373A1DE57E51973EFDCDB
Session-ID-ctx: 
Resumption PSK: 048AE90E3E16743C0F6F279664E1173EA338A90760F6E92476E8CCE5FDF9C5E71B2060F58C51ABB24C657F1F2AF0FD11
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 3a 8b 30 2b 8e 40 50 d8-a8 9f 00 db 8a 52 fe d8 :.0+.@P......R..
0010 - 22 11 b7 54 57 32 b0 50-c3 cb 18 15 29 aa f4 f2 "..TW2.P....)...
0020 - a1 fb 3f 87 ca e0 19 60-a2 a5 11 f2 37 99 bf de ..?....`....7...
0030 - 5b 6c 4c 61 0b cb d1 a5-b3 0a e1 88 33 96 f5 39 [lLa........3..9
0040 - d1 54 aa 0f 09 48 93 2c-fe af ae e6 9a b1 ff 44 .T...H.,.......D
0050 - 55 87 7d b0 c4 c5 90 94-b3 51 ad cc 3e 8f 5b d0 U.}......Q..>.[.
0060 - b0 a6 bd 5e 27 ab ce 90-60 94 5d e3 65 26 52 cf ...^'...`.].e&R.
0070 - ea 34 56 bc fc 3d 08 8e-93 fa 3f 1d da cb 83 1b .4V..=....?.....
0080 - 9a 76 b0 84 6e 44 2a b8-17 c7 f4 49 88 0f b7 55 .v..nD*....I...U
0090 - 2b b7 c7 36 aa c2 f2 83-d1 60 1f ab 86 82 4b 58 +..6.....`....KX
00a0 - 26 21 02 c4 aa e3 b6 f4-34 5f 27 bc 65 99 5c 43 &!......4_'.e.\C
00b0 - 2f 95 fd 38 83 8c 04 6e-53 b9 c6 b2 4e 5d ee 3c /..8...nS...N].<

Start Time: 1634175480
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK

===end===

Reply | Permalink

Testing submission port error

Roberto Puzzanghera khchan October 21, 2021 16:41

Sorry for the late response.

Are you sure that it's connecting via IPv4? My patch doesn't have IPv6. 

To force ipv4 add the -4 option to swaks

Reply | Permalink

problem with CHKUSER_SENDER_FORMAT

Jacky September 24, 2021 11:14

Hi all.

Today I have problem with mail account with double hyphen in domain(y--s.co.jp).

So how can I disable CHKUSER_SENDER_FORMAT for special domain only?

telnet xxx.xxx.xxx.xxx 25
Trying xxx.xxx.xxx.xxx...
Connected to xxx.xxx.xxx.xxx
Escape character is '^]'.
220 xxx.xxx.xxx.xxx  ESMTP
ehlo
250-xxx.xxx.xxx.xxx Welcome to SMTP server
250-STARTTLS
250-PIPELINING
250-8BITMIME
250-AUTH LOGIN PLAIN CRAM-MD5
250 SIZE 20480000
mail from: test@y--s.co.jp
553 5.1.7 sorry, mailbox syntax not allowed (chkuser)

Reply | Permalink

problem with CHKUSER_SENDER_FORMAT

Roberto Puzzanghera Jacky September 24, 2021 19:07

try to patch chkuser.c starting from line 330 in order to disable the else block like this

       if (strncmp (domain->s, "xn--", 4) == 0) { 
               if (strstr (&domain->s[4], "--") != NULL) 
                       return 0;
/*
       } else { 
               if (strstr (domain->s, "--") != NULL) 
                       return 0;
*/ 
       } 
       if (strstr (domain->s, ".-") != NULL) { 
               return 0; 
       }

This should get the program to allow double hyphens, provided that they are not in the 3rd and the 4th character of the domain

Reply | Permalink

problem with CHKUSER_SENDER_FORMAT

Roberto Puzzanghera Roberto Puzzanghera September 27, 2021 18:43

I pushed this patch into the combo

Reply | Permalink

problem with CHKUSER_SENDER_FORMAT

Roberto Puzzanghera Jacky September 24, 2021 18:54

Hi, I don't think that you can disable that for a specific domain only.

But if consecutive -- are allowed (?) the regular expression behind the CHKUSER_SENDER_FORMAT check should be adjusted.

I'll check it out in the following days.

Reply | Permalink

problem with CHKUSER_SENDER_FORMAT

Jacky Roberto Puzzanghera September 28, 2021 16:59

Thank you  Roberto very much.

and your patch. I patched to my mail server. it works well!!

Reply | Permalink

421 unable to execute recipient check (#4.3.0)

Newb July 27, 2021 15:10

While testing SMTP from myself to myself i got a error

421 unable to execute recipient check (#4.3.0)

Trying 94.152.212.46...
Connected to mail.zareckao.online.
Escape character is '^]'.
220 smtp.mail.zarecka.online ESMTP
from:<keeper24@mail.zareckao.online>
500 unrecognised (#5.5.2)
mail from:<keeper24@mail.zareckao.online>
250 ok
rcpt to:<keeper24@mail.zareckao.online>
421 unable to execute recipient check (#4.3.0)
Connection closed by foreign host.

In logs:

@400000006100118615a4756c qlogenvelope: result=rejected code=421 reason=rcptcheck detail=cannotexecute helo=5e98d42e.static.tld.pl mailfrom=keeper24@mail.zareckao.online rcptto=keeper24@mail.zareckao.online relay=no rcpthosts=yes size= authuser= authtype= encrypted= sslverified=no localip=94.152.212.46 localport=25 remoteip=94.152.212.46 remoteport=59430 remotehost=5e98d42e.static.tld.pl qp= pid=3688

Reply | Permalink

421 unable to execute recipient check (#4.3.0)

Roberto Puzzanghera Newb July 27, 2021 15:14

Try without those <> chars in the from field

Reply | Permalink

421 unable to execute recipient check (#4.3.0)

Newb Roberto Puzzanghera July 27, 2021 15:26

still same error

Trying 94.152.212.46...
Connected to mail.zareckao.online.
Escape character is '^]'.
220 smtp.mail.zarecka.online ESMTP
mail from:keeper24@mail.zareckao.online
250 ok
rcpt to:keeper24@mail.zareckao.online
421 unable to execute recipient check (#4.3.0)
Connection closed by foreign host.

Reply | Permalink

421 unable to execute recipient check (#4.3.0)

Roberto Puzzanghera Newb July 27, 2021 15:31

I mean FROM field, not MAIL FROM

PS using swaks would be of great help in testing and trouble shooting

Reply | Permalink

421 unable to execute recipient check (#4.3.0)

Newb Roberto Puzzanghera July 27, 2021 15:49

I tryied swaks and same error.

To: keeper24@mail.zareckao.online
*** MX Routing not available: requires Net::DNS. Using localhost as mail server
=== Trying localhost:25...
=== Connected to localhost.
<- 220 smtp.mail.zarecka.online ESMTP
-> EHLO hacked
<- 250-smtp.mail.zarecka.online
<- 250-PIPELINING
<- 250-8BITMIME
<- 250 SIZE 20000000
-> MAIL FROM:<root@hacked>
<- 250 ok
-> RCPT TO:<keeper24@mail.zareckao.online>
<** 421 unable to execute recipient check (#4.3.0)
-> QUIT
*** Remote host closed connection unexpectedly.

Qmail logs are telling that message is rejected because of rcptcheck 

Reply | Permalink

421 unable to execute recipient check (#4.3.0)

Roberto Puzzanghera Newb July 27, 2021 15:56

how are patching qmail? the patch process went well? do you have any smtp wrapper?

Reply | Permalink

421 unable to execute recipient check (#4.3.0)

Newb Roberto Puzzanghera July 27, 2021 16:10

>how are patching qmail? the patch process went well?

yes without errors

>do you have any smtp wrapper?

Nope

Reply | Permalink

421 unable to execute recipient check (#4.3.0)

Roberto Puzzanghera Newb July 27, 2021 16:11

can you post your smtpd/run and tcp.smtp files?

Reply | Permalink

421 unable to execute recipient check (#4.3.0)

Newb Roberto Puzzanghera July 27, 2021 16:34

qmail-smtpd/run

#!/bin/sh

QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
SOFTLIMIT=`cat /var/qmail/control/softlimit`
LOCAL=`head -1 /var/qmail/control/me`

# This enables greetdelay for qmail-smtpd
export SMTPD_GREETDELAY=20
export DROP_PRE_GREET=1

# This enables chkuser
export CHKUSER_START=ALWAYS

# DKIM - SURBL configuration
# DKIMQUEUE and SURBLQUEUE are front-ends of qmail-queue
#export SURBL=1 # Comment out to enable SURBL filtering
#export QMAILQUEUE=/var/qmail/bin/surblqueue # executes surblfilter
#export SURBLQUEUE=/var/qmail/bin/qmail-dkim # executes qmail-dkim after sublfil ter
#export DKIMQUEUE=/var/qmail/bin/simscan # simscan is executed after qmail-d kim
# DKIM verification. Use carefully
#export DKIMVERIFY="FGHKLMNOQRTVWp"
# This is to allow msg without "subject" in the h= list
# export UNSIGNED_SUBJECT=1
# This is to avoid verification of outgoing messages
#export RELAYCLIENT_NODKIMVERIFY=1

# This turns off TLS on port 25
export DISABLETLS="1"

# Requires that authenticated user and 'mail from' are identical
#export FORCEAUTHMAILFROM="1"

# rcptcheck-overlimit. Limits the number of emails sent by relayclients
export RCPTCHECK=/var/qmail/bin/rcptcheck-overlimit.sh
export RCPTCHECKRELAYCLIENT="1"

# This enables simscan debug
#export SIMSCAN_DEBUG=4

exec /usr/local/bin/softlimit -m "$SOFTLIMIT" \
/usr/local/bin/tcpserver -v -R -l "$LOCAL" \
-x /home/vpopmail/etc/tcp.smtp.cdb -c "$MAXSMTPD" \
-u "$QMAILDUID" -g "$NOFILESGID" 0 25 \
/var/qmail/bin/qmail-smtpd 2>&1

tcp.smtp

10.0.0.:allow,RELAYCLIENT=""
127.:allow,RELAYCLIENT=""

Reply | Permalink

421 unable to execute recipient check (#4.3.0)

Roberto Puzzanghera Newb July 27, 2021 16:54

I think that your tcp.smtp is not recongnizing localhost as a RELAYCLIENT. Try to do the test like this

telnel 0 25

or

telnet 127.0.0.1 25

This would explain why the rcptcheck patch is going to complain...

PS I would add

:allow

at the end as well

Reply | Permalink

421 unable to execute recipient check (#4.3.0)

Roberto Puzzanghera Newb July 27, 2021 16:51

the tcp.smtp is banning the outnet from connecting to your server, but I suppose that this is intentional

Are you doing the tests from localhost or from the outnet?

Reply | Permalink

421 unable to execute recipient check (#4.3.0)

Newb Roberto Puzzanghera July 27, 2021 18:04

my file tcp.smtp is now:

0.0.0.0:allow,RELAYCLIENT=""
10.0.0.:allow,RELAYCLIENT=""
127.:allow,RELAYCLIENT=""
:allow

i update cdb file and still same error :(

I telnet from localhost, not from outnet

Reply | Permalink

421 unable to execute recipient check (#4.3.0)

Roberto Puzzanghera Newb July 27, 2021 18:25

I think it is because you have this in your run file

export RCPTCHECK=/var/qmail/bin/rcptcheck-overlimit.sh
export RCPTCHECKRELAYCLIENT="1"

but you have not set the priviledges yet as explained later here https://notes.sagredo.eu/en/qmail-notes-185/limiting-the-number-of-emails-sent-by-a-given-auth-userdomainip-231.html

Can you comment out those 2 lines and restart qmail?

If this is the cause (I think yes) it's my fault, as I should have commented them initially in the docs

Reply | Permalink

421 unable to execute recipient check (#4.3.0)

Newb Roberto Puzzanghera July 27, 2021 20:09

Yes, it worked after comment out those 2 lines

Reply | Permalink

421 unable to execute recipient check (#4.3.0)

Roberto Puzzanghera Newb July 27, 2021 21:45

so you may have exceeded your overlimit. Check your control/relaylimits for localhost and the overlimit dir.

Check the overlimit config here https://notes.sagredo.eu/en/qmail-notes-185/limiting-the-number-of-emails-sent-by-a-given-auth-userdomainip-231.html 

Reply | Permalink

421 unable to execute recipient check (#4.3.0)

Anonymous Roberto Puzzanghera July 27, 2021 15:46

still same problem.

In qmail logs message is rejected because of rcptcheck

Reply | Permalink

mail not delivered

Nicolas July 10, 2021 15:40

I try on my new server the installation of qmail + your patch + vpopmail + simscan + dovecot. Now qmail is working but when I send an email to an account everything is fine except the message didn't arrive in user Maildir :)

This is the logs :

smtpd: 1625919639.832974 qlogreceived: result=accepted code=250 reason=queueaccept detail= helo=server5.radio-campus.org mailfrom=yyyyy@xxxxx.org rcptto=yyyyy@server7.xxxxxx.org relay=no rcpthosts= size=1201 authuser= authtype= encrypted= sslverified=no localip=delete localport=25 remoteip=delete remoteport=36136 remotehost=server5.xxxxx.org qp=429826 pid=429825

Jul 10 12:20:39 server7 qmail: 1625919639.924924 new msg 6029569
Jul 10 12:20:39 server7 qmail: 1625919639.924973 info msg 6029569: bytes 1753 from <yyyy@xxxx.org> qp 429831 uid 502
Jul 10 12:20:39 server7 qmail: 1625919639.924988 starting delivery 1: msg 6029569 to local yyyy@server7.xxxx.org
Jul 10 12:20:39 server7 qmail: 1625919639.924994 status: local 1/10 remote 0/20
Jul 10 12:20:39 server7 qmail: 1625919639.966971 delivery 1: success: did_1+0+0/
Jul 10 12:20:39 server7 qmail: 1625919639.967080 status: local 0/10 remote 0/20

normally the delivery success message means that the message file is inside Maildir/new/ folder but in fact there is no file.

If I do the same thing with postmaster@server7.xxxx.org the qmail server generate :

Jul 10 14:29:05 server7 qmail: 1625927345.242676 delivery 4: failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/

the postmaster account exist and had been created with vadddomain command.

I am not using sql method.

Is there somewhere to search ?

Reply | Permalink

mail not delivered

Roberto Puzzanghera Nicolas July 10, 2021 17:40

Can you perform again the "telnet localhost 89" vpopmail test to check if it recognizes the yyyy@server7.xxxx.org account?

If the test succeds, what do you have in your .qmail-default file placed in server7.xxxx.org dir?

if you're delivering via dovecot, what does the dovecot-lda log say?

Reply | Permalink

Strange problem

Nicolas July 9, 2021 19:39

I installed netqmail + the latest complet patch 2021.06.19. I carefully followed the installation process and When I try to send an email to ther server I have these logs.

Jul 9 16:53:35 server7 smtpd: 1625849615.321404 qlogreceived: result=rejected code=451 reason=queuedelay detail=mail_server_temporarily_rejected_message_(#4.3.0) helo=smtpfb2-g21.free.fr mailfrom=nicolas@domain.org rcptto=ncroiset@server7.otherdomain.org relay=no rcpthosts= size=1342 authuser= authtype= encrypted= sslverified=no localip=195.xxx.1.232 localport=25 remoteip=212.27.42.10 remoteport=55346 remotehost=smtpfb2-g21.free.fr qp=167042 pid=167041
Jul 9 16:53:35 server7 smtpd: 1625849615.321432 qmail-smtpd: message delayed (mail server temporarily rejected message (#4.3.0)): nicolas@domain.org from 212.27.42.10 to ncroiset@server7.otherdomain.org helo smtpfb2-g21.free.fr

In which direction may I search ?

Reply | Permalink

Strange problem

Roberto Puzzanghera Nicolas July 9, 2021 20:24

have you performed all the tests mentioned in this "testing" page? if yes, what do you have in your QMAILQUEUE variable?

Reply | Permalink

Testing the SMTP port 25

Kenny Lee September 4, 2020 11:32

Hi Mr Roberto,

after i touch a new file for "tcp.smtp" then run qmailctl cdb .. i start telnet to my server with 25 as below:

220 mydomain.com ESMTP
mail from: anyone@anyone.com
250 ok
rcpt to: nobody@mydomain.com
250 ok
data
354 go ahead
subject: testing mail
to: nobody@mydomain.com
from: anyone@anyone.com

Testing mail
.
250 ok 1599214681 qp 32622
quit
221 mydomain.com

Connection to host lost.

2 questions need your help:

1. why CHKUSER unable to block unknown sender while telnet?

2. i checked on Send log file, the server able to block nobody email address with "no_mailbox_here_by_that_name", but why CHKUSER unable to block while i was doing telnet that time?

Thank you

Reply | Permalink

Testing the SMTP port 25

Roberto Puzzanghera Kenny Lee September 4, 2020 12:02

so what do you have in your tcp.smtp? you cannot have it blank

1. chkuser will block unexistent recipient and unexistent sender domains, but of course it cannot say anything about sender username (unexistent@gmail.com is good).

2. chkuser is disabled for RELAYCLIENT ip, according to your tcprules

PS be aware that such things are already mentioned in the present guide :-)

Reply | Permalink

Testing the SMTP port 25

Kenny Lee Roberto Puzzanghera September 4, 2020 12:30

Hi Mr Roberto,

Actually i followed the steps on your "Testing chkuser", my existing tcp.smtp got info inside such as:

192.168.1.:allow,RELAYCLIENT=""
127.0.0.1:allow,RELAYCLIENT=""

after that, i moved the file to a tmp file, then touch a new empty file for tcp.smtp, then do telnet... so suppose chkuser able to rejected the messages if the MX record in the from field is non existent, right? or any settings i need to look into to start chkuser? i checked my SMTP log file, inside no have this "chkuser" word occurred. anyway is it got related to that file "chkuser_settings.h"?

Thank you

Reply | Permalink

Testing the SMTP port 25

Roberto Puzzanghera Kenny Lee September 4, 2020 12:57

I think that this is due to the fact that you are using the wrong patch, which doesn't include chkuser.

At any rate I strongly suggest to have a look at chkuser_settings.h

Reply | Permalink

Testing the SMTP port 25

Kenny Lee Roberto Puzzanghera September 7, 2020 04:21

Hi Roberto,

oh .. ya ... i forgot i just patched on smtp-auth + qmail-tls + forcetls only... sorry about this issue.

anyway thanks.

Reply | Permalink

qmail with TLSv1.3

Tony Fung March 25, 2019 05:58

Hi,

I am trying to have TLSv1.3 can be used with your guide.  With openssl updated to version 1.1.1b and ucspi-tcp6 updated to vesion 1.10.2 (from www.fehcom.de), then test the SMTP connection with the underneath command:

openssl s_client -starttls smtp -crlf -connect :25

It is found that the Protocol of SSL-Session is TLSv1.3, see the following captured lines.

No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1736 bytes and written 406 bytes
Verification error: self signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self signed certificate)
...
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 8B9890744E8B2358F41DE448A64CB26E67F53BCEED25DB23243C8C9AD0F0503E
    Session-ID-ctx:
    Resumption PSK: 86E2265F6043E491FC629454557CF18FD844E9832FD9E4718927A8D6DAE5E779544CCA21C943465EA3481289B1FE7AF8
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)

Does that mean the qmail setup is TLSv1.3 functional?

Reply | Permalink

qmail with TLSv1.3

Roberto Puzzanghera Tony Fung March 25, 2019 07:12

yes it does

Reply | Permalink

libssl error

Ralph August 12, 2018 14:28

Hello Roberto,

i have installed the qmail server on a new server with debian 9

swaks ... --tls gives me following error in subbmission/current

Any suggestion is greatly appreciated

@400000005b7031251b5788dc tcpserver: status: 1/20
@400000005b7031251b5b9fbc tcpserver: pid 3336 from 127.0.0.1
@400000005b7031251b5d5d0c tcpserver: ok 3336 0:127.0.0.1:587 :127.0.0.1::45028
@400000005b7031251b6c87dc /var/qmail/bin/qmail-smtpd: error while loading shared libraries: libssl.so.1.1: failed to map segment from shared object
@400000005b7031251b6f71f4 tcpserver: end 3336 status 32512

Reply | Permalink

libssl error

Roberto Puzzanghera Ralph August 13, 2018 11:24

honestly, I'm not sure that the qmail-tls patch is openssl-1.1 compliant. But if you upgraded your Debian over an old qmail installation you should recompile

Please let me know if you solve

Reply | Permalink

libssl error

Roberto Puzzanghera Roberto Puzzanghera August 13, 2018 17:32

Yes, qmail-tls breaks with openssl-1.1. Someone submitted some changes to the author f.v. but we have to wait. Look here https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=218590

I tried myself to include those changes without success, for the moment. I hope someone could help... in the meantime the DKIM part is already 1.1 compliant

Reply | Permalink

libssl error

Ralph Roberto Puzzanghera August 13, 2018 18:36

needed to incrase softlimit to 6MB, no it runns with

# dpkg -l | grep ssl
ii libcrypt-ssleay-perl 0.73.04-2 amd64 OpenSSL support for LWP
ii libssl1.0-dev:amd64 1.0.2l-2+deb9u3 amd64 Secure Sockets Layer toolkit - development files
ii libssl1.0.2:amd64 1.0.2l-2+deb9u3 amd64 Secure Sockets Layer toolkit - shared libraries
ii libssl1.1:amd64 1.1.0f-3+deb9u2 amd64 Secure Sockets Layer toolkit - shared libraries
ii openssl 1.1.0f-3+deb9u2 amd64 Secure Sockets Layer toolkit - cryptographic utility

Ralph

Reply | Permalink

libssl error

Roberto Puzzanghera Ralph August 13, 2018 19:20

Yes... I didn't notice that it was the qmail log and not the compilation log

Reply | Permalink

chkuser with catchalls

M G January 16, 2018 05:27

I've been using this awesome guide to migrate to a new server and I certainly appreciate it! One issue I have is I have some users who have domains with a catch-all, so their vpopmail/domains/0/domain.com/.qmail-default contains something like:

| /home/vpopmail/bin/vdelivermail '' /home/vpopmail/domains/0/domain.com/paul

paul@domain.com is a valid account; if I send mail to paul@domain.com it will work. However, if I send mail to samjoe@domain.com, I get: 

550 5.1.1 sorry, no mailbox here by that name (chkuser)

If I strace qmail-smtp, I see it trying to stat /home/vpopmail/domains/0/domain.com/.qmail-samjoe, then it does a mysql query, then returns the no such user - I never see it looking at /home/vpopmail/domains/0/domain.com/.qmail-default 

Do catch-alls work with chkuser? I can't figure it out..

Reply | Permalink

chkuser with catchalls

Roberto Puzzanghera M G January 19, 2018 11:41

Sorry for the late reply, I was not so well these days..

I think that chkuser breaks this functionality, because it acts at qmail-smtpd level, then before the delivery. 

Reply | Permalink

chkuser with catchalls

M G Roberto Puzzanghera January 20, 2018 21:11

Not a problem! I figured it out after reading the checkuser code. It's the CHKUSER_START variable in qmail-smtpd/run, if set to "DOMAIN" instead of "ALWAYS" it'll check the .qmail-default for each domain. If the file has 'bounce' in it, then it'll reject users who don't exist, otherwise it'll accept all.

Reply | Permalink

STARTTLS connection respond slow - qmail-smtp process 100percent

Marc March 22, 2016 11:20

Hello Roberto,

i have installed the qmail server on a new server - everything went fine except the STARTSSL authentification is not working well.

When i ran the command "openssl s_client -starttls smtp -crlf -connect localhost:587" i get the message "CONNECTED(00000003)" then 30 second to 60 seconds nothing happened and then i got the view of the certificate. In the meantime i see the qmail-smtp process working with 100%. Sending Mails In and Out is working but it takes the same amount of time and the qmail-smtp process working on full load. Sometimes i got a timeout with the mail client. I have tried it with 2 different certificates and it is always the same. Do you have an idea what went wrong or how i can track this? Thanks.

Reply | Permalink

openssl s_client hangs after CONNECTED(00000003)

Norbert Marc May 27, 2017 12:03

Hi Roberto,

Issuing the command openssl s_client -starttls smtp -showcerts -connect mx-exchanger.tld:465 results in a openssl hang. Below is the relevant strace section. 175 seconds is when I interrupted the process.

What happens in the line directly above it?

18722      0.000025 read(3, "-----BEGIN RSA PRIVATE KEY-----\n[data]"..., 4096) = 4096
18722      0.000066 close(3)            = 0
18722      0.000022 munmap(0x7f1034714000, 4096) = 0
18722      0.000026 open("control/tlsserverciphers", O_RDONLY|O_NONBLOCK) = -1 ENOENT (No such file or directory)
18722      0.000091 fcntl(0, F_GETFL)   = 0x2 (flags O_RDWR)
18722      0.000022 fcntl(0, F_SETFL, O_RDWR|O_NONBLOCK) = 0
18722      0.000022 fcntl(1, F_GETFL)   = 0x802 (flags O_RDWR|O_NONBLOCK)
18722      0.000022 fcntl(1, F_SETFL, O_RDWR|O_NONBLOCK) = 0
18722      0.000048 read(0, 0x1f2b440, 11) = -1 EAGAIN (Resource temporarily unavailable)
18722      0.000034 select(1, [0], NULL, NULL, {1200, 0}) = 1 (in [0], left {1024, 593952})
18722    175.406256 read(0, "", 11)     = 0
18722      0.000116 fcntl(0, F_GETFL)   = 0x802 (flags O_RDWR|O_NONBLOCK)
18722      0.000083 fcntl(0, F_SETFL, O_RDWR) = 0
18722      0.000069 fcntl(1, F_GETFL)   = 0x2 (flags O_RDWR)
18722      0.000065 fcntl(1, F_SETFL, O_RDWR) = 0
18722      0.000226 select(2, NULL, [1], NULL, {1200, 0}) = 1 (out [1], left {1199, 999994})
18722      0.000108 write(1, "454 TLS connection failed (#4.3.0)\r\n", 36) = 36
18722      0.000144 select(3, NULL, [2], NULL, {1200, 0}) = 1 (out [2], left {1199, 999995})
18722      0.000081 write(2, "qmail-smtpd: read failed: (null) from 162.144.50.129 to (null) helo (null)\n", 75) = 75
18722      0.000076 exit_group(1)       = ?
18722      0.000423 +++ exited with 1 +++

Reply | Permalink

Delay due to missing dh2048.pem file

Norbert Norbert May 27, 2017 12:31

strace before and after adding a separate dh2048.pem in /var/qmail/control

Before:

18332      0.000106 open("control/dh2048.pem", O_RDONLY) = -1 ENOENT (No such file or directory)
18332     35.148926 write(1, "[data]\n\23\rLet's Encrypt1#0!\6\3U\4\3\23\32Let's Encrypt Authority X30\[data]\23\four.mx-exchanger.tld0\202"..., 3345) = 3345
18332      0.000057 read(0, 0x117a443, 5) = -1 EAGAIN (Resource temporarily unavailable)

After:

18445      0.000094 open("control/dh2048.pem", O_RDONLY) = 3
18445      0.000030 fstat(3, {st_mode=S_IFREG|0644, st_size=424, ...}) = 0
18445      0.000024 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f23450ed000
18445      0.000023 read(3, "-----BEGIN DH PARAMETERS-----\n[data]"..., 4096) = 424
18445      0.000044 close(3)            = 0
18445      0.000021 munmap(0x7f23450ed000, 4096) = 0
18445      0.007885 write(1, "[data]\n\23\rLet's Encrypt1#0!\6\3U\4\3\23\32Let's Encrypt Authority X30\[data]\23\four.mx-exchanger.tld0\202"..., 3345) = 3345
18445      0.000045 read(0, 0xb38443, 5) = -1 EAGAIN (Resource temporarily unavailable)

This seems to be new behavior (after upgrading from a 2015 install) . Why is it not using the dh parameters included in servercert.pem any longer?

Reply | Permalink

if you are strictly following

roberto puzzanghera Norbert May 27, 2017 13:37

if you are strictly following my guide and have my combined patch installed, and then using ucspi-tcp6, you should connect to 587 port (submission service) instead of 465, which goes with ucspi-ssl. I suppose that in your previous configuration you were using something like ucspi-ssl

Reply | Permalink

Hi Marc, are you running

roberto puzzanghera Marc March 22, 2016 12:05

Hi Marc, are you running qmail-smtpd as vpopmail?

Important: If you run qmail-submission as a user other than vpopmail, and you’re installing my combined patch, you must adjust /var/qmail/bin/update_tmprsadh accordingly. Otherwise you’ll probably exceed the connection timeout due to privilege problems, and won’t be able to send messages when connected remotely.

Reply | Permalink

Hello Roberto,

Marc roberto puzzanghera March 22, 2016 12:33

Hello Roberto,

i'm running qmail-smtpd as vpopmail user.

Reply | Permalink

What the logs say? I would

roberto puzzanghera Marc March 22, 2016 12:40

What the logs say? I would check the ownership of the certificate  and eventually try to debug with strace

Reply | Permalink

chkuser problem

miz October 9, 2015 14:06

I have a long time issue that is driving me crazy. I recompiled netqmail with Roberto's full patch, in order to update the qmail-auth patch and trying to secure my server as mush as possibile. I ran into the same problem occurred during the installation of the server, so I tried to gather some more infos.

The problem is related to chkuser; if I use the qmail-smtpd binary file from the compilation, chkuser is always accepting email, even if for non-existend users::

@400000005617b9e91c82f91c CHKUSER accepted sender: from <xxxx@domain.net|remoteinfo/auth:xxxx@domain.net|chkuser-identify:> remote <helo:[192.168.11.143]|remotehostname:unknown|remotehostip:192.168.11.143> rcpt <> : accepted any sender always
@400000005617b9e91c9281ac CHKUSER accepted any rcpt: from <xxxx@domanin.net|remoteinfo/auth:xxxx@domain.net|chkuser-identify:> remote <helo:[192.168.11.143]|remotehostname:unknown|remotehostip:192.168.11.143> rcpt <dsaasddsa@sinapto.net> : accepted any recipient for this domain

If I replace the qmail-smtpd binary file with the one from the qmail-1.03-26.el6.art.x86_64.rpm, WITHOUT changing anything else (NO configuration or run file change at all), chkuser is working fine:

@400000005617ba170152ef94 CHKUSER accepted sender: from <xxxx@domain.net:xxxx@domain.net:> remote <[192.168.11.143]:unknown:192.168.11.143> rcpt <> : accepted any sender always
@400000005617ba170191449c CHKUSER rejected rcpt: from <xxxx@domain.net:xxxx@domain.net:> remote <[192.168.11.143]:unknown:192.168.11.143> rcpt <dsaasddsa@sinapto.net> : not existing recipient

Any suggestion is greatly appreciated !

Reply | Permalink

how do you run qmail-smtp?

roberto puzzanghera miz October 9, 2015 14:58

how do you run qmail-smtp and chkuser? are you using my configuration and running qmail-smtp as vpopmail?

Reply | Permalink

Hello Roberto,

miz roberto puzzanghera October 15, 2015 14:18

Hello Roberto,

after recompliation of netqmail with your latest patch everything works fine ! I think some issues could be related to the latest qmail-authentication v. 0.8.3 fixes.

Thank you, as always !

Reply | Permalink

DKIM TEST?

Fabiano Heringer July 21, 2013 00:34

Hi, great tutorial! thanks!

Everything worked like a charm, but i tested DKIM sending mail for sa-test@sendmail.net, and I got NO PRESENT for DKIM.

That´s someway to test it?

Thanks

Reply | Permalink

Yes, read this

roberto puzzanghera Fabiano Heringer July 21, 2013 09:41

Yes, read this http://notes.sagredo.eu/node/92

Reply | Permalink

SPF problem

Bogdan April 10, 2013 16:45

Hello,

I have encountered a problem with SPF checking using your qmail installation.

Every SPF check is like this:

Received: from unknown (HELO xxxxxx) (::ffff:190.249.131.119)
Received-SPF: unknown (0: No IP address in conversation)

using spfquery command, the result is OK.

Do you have any suggestions on how to fix this, so the IPv4 is detected correctly, without "::ffff:" prefix ?

Thank you!

Reply | Permalink

@SPF problem

roberto puzzanghera Bogdan April 10, 2013 17:47

unfortunately i've no suggestions, I think that the error is due to the prefix.. it's a very old patch. By the way it appears that the spfquery program was not written by the same author of the qmail-SPF patch

let me know if you manage to solve :)

Reply | Permalink

After further research I did

Bogdan roberto puzzanghera April 10, 2013 18:16

After further research I did manage to solve the problem.

tcpserver was transforming IPv4 into IPv6 format

The fix was to add in /var/qmail/supervise/qmail-smtpd/run  "-4" at the tcpserver command. This forces the use of IPv4 IPs only.

exec /usr/local/bin/softlimit -m "$SOFTLIMIT" \    
    /usr/local/bin/tcpserver -4 -v -H -R -l 0 \ .....

Reply | Permalink

qmail-pop3d issue

roberto puzzanghera January 28, 2013 13:13

Today I released a new combined patch which fixes this issue on qmail-pop3d. Many clients were tested and everything seems to be working fine now.

Reply | Permalink

Unable to auth pop3 from email client

Anonymous December 6, 2012 07:30

Hello all,

Every thing is working perfectly while I test from command line (SMTP, Auth SMTP and POP3) but while I configure in email client ie MS Outlook. I'm not able to make auth pop3 and retrieve mail from server. but Auth SMTP is work perfectly using same username and password as my incoming mail server. but while I test from command line using telnet I'm able to auth(login and access mail) pop3. I tried both /home/vpopmail/bin/vchkpw and /home/vpopmail/bin/vpopmaild on vpopmail run file can any one help me to resolve this problem.

Thanks in advance.

Reply | Permalink

POP3 not working, However, SMTP and SMTPS working

Orbit Anonymous December 18, 2012 07:27

When Telnet  to pop3, it works but receives double +OK  +OK after entering "pass password" and other commands. See below conversition.

+OK <681.1355813384@domain.co.uk>
user postmaster@domain.co.uk
+OK
pass password
+OK
+OK
list
+OK
+OK
1  990

.
.
dele 1
+OK
+OK
quit
+OK
+OK

qmail-pop3d and vpopmail:vchkpw seems to be working via remote telnet.

When Mail Client used such as Outlook auth pop3 does hang. I have also tested it with other email clients but no avail! 

"Receiving' reported error (0x8004210A) : 'The operation timed out waiting for a response from the receiving (POP) server."

Here is below mail server side conversition between Outlook and Mail Server

@4000000050d0165622025a2c tcpserver: pid 3185 from 11.111.111.111
@4000000050d016562202a84c tcpserver: ok 3185 0:22.222.22.222:110 :11.111.111.111::3168
@4000000050d016562337869c 3185 > +OK <3185.1355814476@domain.co.uk>
@4000000050d016562468daac 3185 < USER postmaster@domain.co.uk
@4000000050d0165624699244 3185 > +OK 
@4000000050d0165625b43ab4 3185 < PASS password
@4000000050d0165626937ef4 3185 > +OK 
@4000000050d01656269386c4 3185 > +OK 
@4000000050d0165627f80c4c 3185 < STAT
@4000000050d0165627f8cbb4 3185 > +OK +OK 0  0
@4000000050d0165627f8cf9c 3185 >
@4000000050d0169227a58b34 3185 < [EOF]
@4000000050d0169227a87934 3185 > [EOF]
@4000000050d0169227a9965c tcpserver: end 3185 status 256
@4000000050d0169227a9c924 tcpserver: status: 0/10

Reply | Permalink

POP3 not working, However, SMTP and SMTPS working

Orbit Orbit January 21, 2013 15:52

Patching qmail-pop3d.c  with following 

-void okay(arg) char *arg; { substdio_puts(&ssout,"+OK \r\n"); my_puts("+OK \r\n"); flush(); }
+void okay(arg) char *arg; { my_puts("+OK \r\n"); flush(); }

It  is tested on live qmail+vpopmail server port 110 and 995 with stunnel. it seems to be working perfectly. Thanks to Simplex and Roberto

Reply | Permalink

POP3 not working, However, SMTP and SMTPS working

Orbit Orbit January 21, 2013 16:29

Further my previous post

Above patch to "qmail-pop3d.c", after intensive test, is found to be not working as expected.

After auth pop3d , email moves to "cur" folder from "new" under /Maildir even though email client is configured not  to "Leave a copy of messages on server".

Regards,

Reply | Permalink

I had the same issue when

simplex Orbit January 20, 2013 15:04

I had the same issue when compiling only qmail with the patches included here

the problem is that qmail-popup.c or qmail-pop3d.c print after the pass is sent +OK twice,

If you do a diff on the original netqmail files and the patched ones you will see what i'm talking about:

The MUA expects only one +OK from pop3d.

So I think the problem is in qmail-pop3d.c

maybe this line from the patched  qmail-pop3d.c  

void okay(arg) char *arg; { substdio_puts(&ssout,"+OK \r\n"); my_puts("+OK \r\n"); flush(); }

In any case I just replaced the patched qmail files (qmail-popup.c or qmail-pop3d.c) with the original ones since the only difference I noticed was the function puts renamed to my_puts. and I recompiled. And it worked.

Reply | Permalink

yes, you are right.

roberto puzzanghera simplex January 20, 2013 19:15

yes, you are right. Modifying like this

-void okay(arg) char *arg; { substdio_puts(&ssout,"+OK \r\n"); my_puts("+OK \r\n"); flush(); }
+void okay(arg) char *arg; { my_puts("+OK \r\n"); flush(); }

seems to solve.

fyi, both the dkim and maildir++ patches modifies qmail-pop3d, so I think you shouldn't replace the patched files with the original ones, because there are other changes there.

Before releasing a new patch can you make a test with this one or adjust yourself qmail-pop3d.c?

Reply | Permalink

thanks for the contribution.

roberto puzzanghera simplex January 20, 2013 18:00

thanks for the contribution. I'm going to test qmail-pop3d as soon as possible and eventually provide a new patch :)

Reply | Permalink

Unfortunately I can't

roberto puzzanghera Orbit December 18, 2012 08:30

Unfortunately I can't be of any help as I'm not using qmail-pop3d since a long time.. anyway I would give dovecot's pop3 service a chance..

Reply | Permalink

got status11 in qmail-smtp log

Anonymous roberto puzzanghera June 5, 2015 13:28

Hello, i cand not telnet on port 25 becouse i get a disconect message and no mail can arrive .

Escape character is '^]'.
Connection closed by foreign host.

here are some logs

@4000000055717f060cbd19cc tcpserver: pid 24793 from 89.137.228.94
@4000000055717f060cbecb64 tcpserver: ok 24793 0:188.241.220.26:25 :89.137.228.94::41430
@4000000055717f060d0f50ac tcpserver: end 24793 status 11
@4000000055717f060d0f604c tcpserver: status: 0/20
@4000000055717f693a003694 tcpserver: status: 1/20
@4000000055717f693a03769c tcpserver: pid 24817 from 89.137.228.94
@4000000055717f693a051894 tcpserver: ok 24817 0:188.241.220.26:25 :89.137.228.94::41431
@4000000055717f693a54461c tcpserver: end 24817 status 11
@4000000055717f693a544dec tcpserver: status: 0/20
@4000000055717f6d109527c4 tcpserver: status: 1/20
@4000000055717f6d109867cc tcpserver: pid 24818 from 89.137.228.94
@4000000055717f6d109a1194 tcpserver: ok 24818 0:188.241.220.26:25 :89.137.228.94::41432
@4000000055717f6d10e78d84 tcpserver: end 24818 status 11
@4000000055717f6d10e79d24 tcpserver: status: 0/20
@4000000055717f9129acf7dc tcpserver: status: 1/20
@4000000055717f9129b02c2c tcpserver: pid 24820 from 89.137.228.94
@4000000055717f9129b1d5f4 tcpserver: ok 24820 0:188.241.220.26:25 :89.137.228.94::41434
@4000000055717f9129fe6f54 tcpserver: end 24820 status 11
@4000000055717f9129fe7ef4 tcpserver: status: 0/20
@40000000557180d409990224 tcpserver: status: 1/20
@40000000557180d4099c74f4 tcpserver: pid 25079 from 89.137.228.94
@40000000557180d4099e3244 tcpserver: ok 25079 0:188.241.220.26:25 :89.137.228.94::41439
@40000000557180d409ec5244 tcpserver: end 25079 status 11
@40000000557180d409ec61e4 tcpserver: status: 0/20

Any ideeas?

Reply | Permalink

is there any firewall? 

roberto puzzanghera Anonymous June 5, 2015 13:41

is there any firewall? 

Reply | Permalink

no, no firewall

Anonymous roberto puzzanghera June 8, 2015 04:40

no, no firewall

Reply | Permalink

was the IP 89.137.228.94 in

roberto puzzanghera Anonymous June 8, 2015 13:27

was the IP 89.137.228.94 in your tests above the one  you were connecting from?

are you using my qmail patch and installation?

can you post a telnet session?

Reply | Permalink

yes this was my ipi

Anonymous roberto puzzanghera June 24, 2015 08:41

yes this was my ip

i redirected port 25 to 587 and now everything is working ... don`t know what was wrong with port 25

Reply | Permalink

add a comment
qmail notes

General notes

Preinstallation tasks

daemontools

fehQlibs

ucspi-tcp6

ucspi-ssl

qmail

vpopmail

Patching

Configuring

Testing

autorespond

ezmlm-idx

qmailadmin

Add-ons

RBL

Greetdelay

tcprules

SPF

DKIM

SURBL

Limiting per user/IP outgoing emails

Denying bad DNS HELOs

Greylisting

qmail-taps-extended

moreipme

qmHandle

queue-repair

vQadmin

ezmlm-browse

ezmlm-web

rblsmtpd

qmail-rblchk

Dovecot

Running

Testing

Filtering

Indexing

Expunging

vpopmail-auth driver removal

Spamassassin

Filtering networks

User Prefs

TxRep and Bayesian

Learning and reporting

DMARC

Roundcube

Plugins

ClamAV

clamav-unofficial-sigs

simscan

Testing

fail2ban

Installing a valid SSL certificate

ChangeLog

Need help?

Pay me a coffee:

PayPal - The safer, easier way to pay online.

LXC scripts

Introduction

Basic configuration files

Creating an unprivileged container

Scripts overview

Natting

Other contents

Converting a Linux installation to Slackware in OVH server

Running OpenBoard in a window

Migrating from Linux-VServer to LXC

Linux-VServer on Slackware

Running two php on the same server

rsync backup via ssh

Securing proftpd

Installing mariaDB

Setting up MySQL

SEO friendly URLs with apache mod_rewrite

Building your ownCloud

Building your own mozilla-sync server

Setting up Tex on Mediawiki

Slackware RSS feeds

English
Italiano
Recent comments

qq_temporary_problem_(#4.3.0)
June 2, 2023 06:32

qq_temporary_problem_(#4.3.0)
June 1, 2023 21:18

qq_temporary_problem_(#4.3.0)
May 31, 2023 18:22

qq_temporary_problem_(#4.3.0)
May 31, 2023 14:42

qq_temporary_problem_(#4.3.0)
May 31, 2023 14:33

Thank you! for all the documentation, patches and support
May 26, 2023 08:42

free(): double free detected in tcache 2: /var/www/qmail/cgi-bin/qmailadmin
May 17, 2023 15:25

free(): double free detected in tcache 2: /var/www/qmail/cgi-bin/qmailadmin
May 17, 2023 07:46

DKIM_BAD_SYNTAX - signature error: DKIM-Signature could not parse or has bad tags/values
May 15, 2023 16:00

DKIM_BAD_SYNTAX - signature error: DKIM-Signature could not parse or has bad tags/values
May 15, 2023 15:30

Tags

apache clamav dkim dovecot ezmlm fail2ban hacks lamp letsencrypt linux linux-vserver lxc mariadb mediawiki mozilla mysql openboard owncloud patches php proftpd qmail qmail to postfix qmail-spp qmailadmin rbl roundcube rsync sieve simscan slackware solr spamassassin spf ssh ssl surbl tcprules tex ucspi-tcp vpopmail vqadmin

Recent posts

ChangeLog

Patching qmail

Installing a Let's Encrypt certificate for your qmail and dovecot servers

SURBL filtering configuration

Configuring DKIM for qmail

Configuring qmail

qmailadmin

Greylisting for qmail

Roundcube webmail

smtp-auth + qmail-tls + forcetls patch for qmail

RSS feeds