May 26, 2016, Roberto Puzzanghera, 45 comments
At this time /command/svscanboot should have started qmail:
> ps axfww
 1905 pts/1    Sl     0:00 /home/vpopmail/bin/vusaged
 2008 pts/1    S      0:00 /bin/sh /command/svscanboot
 2010 pts/1    S      0:00  \_ svscan /service
 2012 pts/1    S      0:00  |   \_ supervise qmail-smtpd
 2029 pts/1    S      0:00  |   |   \_ /usr/local/bin/tcpserver -v -H -R -l 0 -x /home/vpopmail/etc/tcp.smtp.cdb -c 20 -u 89 -g 89 0 25 /var/qmail/bin/qmail-smtpd
 2013 pts/1    S      0:00  |   \_ supervise log
 2021 pts/1    S      0:00  |   |   \_ /usr/local/bin/multilog t /var/log/qmail/smtpd
 2014 pts/1    S      0:00  |   \_ supervise qmail-send
 2027 pts/1    S      0:00  |   |   \_ qmail-send
 2039 pts/1    S      0:00  |   |       \_ qmail-lspawn
 2040 pts/1    S      0:00  |   |       \_ qmail-rspawn
 2041 pts/1    S      0:00  |   |       \_ qmail-clean
 2042 pts/1    S      0:00  |   |       \_ qmail-todo
 2043 pts/1    S      0:00  |   |       \_ qmail-clean
 2015 pts/1    S      0:00  |   \_ supervise log
 2025 pts/1    S      0:00  |   |   \_ /usr/local/bin/multilog t /var/log/qmail/send
 2016 pts/1    S      0:00  |   \_ supervise vpopmaild
 2026 pts/1    S      0:00  |   |   \_ /usr/local/bin/tcpserver -v -H -R -l 0 -u 0 -g 0 0 89 /home/vpopmail/bin/vpopmaild
 2017 pts/1    S      0:00  |   \_ supervise log
 2023 pts/1    S      0:00  |   |   \_ /usr/local/bin/multilog t /var/log/qmail/vpopmaild
 2018 pts/1    S      0:00  |   \_ supervise qmail-submission
 2024 pts/1    S      0:00  |   |   \_ /usr/local/bin/tcpserver -v -H -R -l 0 -x /home/vpopmail/etc/tcp.submission.cdb -c 20 -u 89 -g 89 0 587 /var/qmail/bin/qmail-smtpd /home/vpopmail/bin/vchkpw /bin/true
 2019 pts/1    S      0:00  |   \_ supervise log
 2022 pts/1    S      0:00  |   |   \_ /usr/local/bin/multilog t /var/log/qmail/submission
 2020 pts/1    S      0:00  |   \_ supervise clear
 2011 pts/1    S      0:00  \_ readproctitle service errors: ...............................................................................................................................................
If everything is ok you should see something like this. There must be only dots in the "readproctitle service errors" line.
You can always clear the errors line in this way:
svc -o /service/clear
or, if you're using my modified qmailctl file, you can do this:
qmailctl clear
Check the queue and the services uptime:
> qmailctl stat
/service/qmail-send: up (pid 7987) 4 seconds
/service/qmail-send/log: up (pid 6998) 1946 seconds
/service/qmail-smtpd: up (pid 7989) 4 seconds
/service/qmail-smtpd/log: up (pid 6995) 1946 seconds
/service/qmail-submission: up (pid 7991) 4 seconds
/service/qmail-submission/log: up (pid 6999) 1946 seconds
/service/vpopmaild: up (pid 7993) 4 seconds
/service/vpopmaild/log: up (pid 6997) 1946 seconds
messages in queue: 0
messages in queue but not yet preprocessed: 0
Check that the uptime increases by repeating the qmailctl stat command a couple of times. If something fails, check the logs.
The next two notes will show how to handle and eventually repair the queue.
swaks

swaks is an SMTP test tool that you can use to perform all the telnet tests that are described below.
Install as follows:
cd /usr/local/bin
wget http://www.jetmore.org/john/code/swaks/latest/swaks
chown root.root swaks
chmod +x swaks
The usage is pretty simple. Adjust to your needs:
swaks \
  --to someone@somewhere.net \
  --from postmaster@yourdomain.xy \
  --server localhost \
  --port 587 \
  --ehlo test \
  --tls \
  --auth login \
  --auth-user postmaster@yourdomain.xy \
  --auth-password [PASSWORD]
You may want to take a look at the reference manual: http://www.jetmore.org/john/code/swaks/latest/doc/ref.txt
qmail delivery

Look at the TEST.deliver man page and do all the suggested tests.
In this example [your-IP] is an IP that is allowed to use our MTA as a relay according to ~vpopmail/etc/tcp.smtp; usually it is 127.0.0.1 or an address on an allowed local network such as 10.0.0.5 or 192.168.1.12.
This test will fail if you try to use the MTA as an open relay, i.e. telnetting from outside your networks without SMTP authentication (see below).
> telnet [your IP] 25
Trying [your IP]...
Connected to qmail.yourdomain.net.
Escape character is '^]'.
220 mail.yourdomain.net ESMTP
mail from:<user@yourdomain.net>
250 ok
rcpt to:<someone@somewhere.else.net>
250 ok
data
354 go ahead
subject: This is the subject
to: someone@somewhere.else.net
from: user@yourdomain.net

This is the msg body FOLLOWING A BLANK LINE
.
250 ok 1286469273 qp 31969
quit
221 www.yourdomain.net
Connection closed by foreign host.
***********
Of course it may happen that something goes wrong:
> telnet [your IP] 25
Trying [your IP]...
Connected to [your IP].
Escape character is '^]'.
Connection closed by foreign host.
Let's check the smtp log:
> more /var/log/qmail/smtpd/current
@400000004cb7145314702f74 /var/qmail/bin/qmail-smtpd: error while loading shared libraries: libcrypt.so.1: failed to map segment from shared object: Cannot allocate memory
If you see an error like this, your softlimit is too low. Try to increase it by editing /var/qmail/supervise/qmail-smtpd/run.
***********
> more /var/log/qmail/smtpd/current
@400000004cc5baaf076df464 /var/qmail/bin/qmail-smtpd: error while loading shared libraries: libmysqlclient.so.16: cannot open shared object file: No such file or directory
I faced this error in a 64-bit virtual mail server. MySQL was in a different virtual server and the mysql dir was mounted locally, but qmail-smtpd could not load it. I fixed this error by copying (not linking!) the library inside the guest in this way:
cp -p /usr/local/mysql/lib/libmysqlclient.so.16.0.0 /usr/lib64/libmysqlclient.so.16
***********
Check if the message has been sent by opening /var/log/qmail/send/current
***********
Try to send a message to yourself and look for the message in the Maildir/new folder:
> telnet [your IP] 25
Trying [your IP]...
Connected to qmail.yourdomain.net.
Escape character is '^]'.
220 mail.yourdomain.net ESMTP
mail from:<user@yourdomain.net>
250 ok
rcpt to:<user@yourdomain.net>
250 ok
data
354 go ahead
subject: This is the subject
to: user@yourdomain.net
from: user@yourdomain.net

This is the msg body FOLLOWING A BLANK LINE
.
250 ok 1286469273 qp 31969
quit
221 www.yourdomain.net
Connection closed by foreign host.

> ls -l /home/vpopmail/domains/yourdomain.net/user/Maildir/new
total 4
-rw------- 1 vpopmail vchkpw 211 2010-12-09 13:22 1291897368.13072.qmail,S\=211
vpopmail auth

> telnet [your-IP] 89
Trying [your-IP]...
Connected to [your-IP].
Escape character is '^]'.
+OK
login userid@yourdomain.net PASSWORD
+OK+
vpopmail_dir /home/vpopmail
domain_dir /home/vpopmail/domains/yourdomain.net
uid 89
gid 89
name userid
comment userName userSurname
quota NOQUOTA
user_dir /home/vpopmail/domains/yourdomain.net/userid
encrypted_password $xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
clear_text_password xxxxxxxxxxxxxxxxx
no_password_change 0
no_pop 0
no_webmail 0
no_imap 0
bounce_mail 0
no_relay 0
no_dialup 0
user_flag_0 0
user_flag_1 0
user_flag_2 0
user_flag_3 0
no_smtp 0
domain_admin_privileges 0
override_domain_limits 0
no_spamassassin 0
delete_spam 0
no_maildrop 0
system_admin_privileges 0
.
quit
+OK
Connection closed by foreign host.
chkuser
If you perform this test from localhost or from one of the local networks that are allowed to relay according to ~vpopmail/etc/tcp.smtp
...
10.0.0.:allow,RELAYCLIENT=""
127.:allow,RELAYCLIENT=""
...
then, before continuing, you have to deny yourself from relaying. Clean and reload tcp.smtp:
cd ~vpopmail/etc
mv tcp.smtp tcp.smtp.bck
touch tcp.smtp
qmailctl cdb
Now we are ready for the test.
chkuser rejects the message if the sender domain given in the MAIL FROM has no MX record. This is a rare case, since spammers will rather try to use your own domain in the from field.
> telnet [yourIP] 25
Trying [yourIP]...
Connected to [yourIP].
Escape character is '^]'.
220 yourdomain.net ESMTP
mail from: unexistent@fakedomain.xxx
550 5.1.8 sorry, can't find a valid MX for sender domain (chkuser)
mail from: unexistent@fake_domain.xxx
553 5.1.7 sorry, mailbox syntax not allowed (chkuser)
quit
The qmail control/rcpthosts file determines whether the recipient will be accepted: it will be accepted if and only if the domain of the address given in the RCPT TO command is listed in rcpthosts. In any case chkuser is programmed to reject messages for non-existent users of these domains:
> telnet [yourIP] 25
Trying [yourIP]...
Connected to [yourIP].
Escape character is '^]'.
220 yourdomain.net ESMTP
mail from: someone@gmail.com
250 ok
rcpt to: nobody@yourdomain.net
550 5.1.1 sorry, no mailbox here by that name (chkuser)
quit
To allow clients to send outgoing messages through this MTA, you must authorize the relay from their IP addresses inside tcp.smtp:
111.222.333.444:allow,RELAYCLIENT=""
In this case we have purged tcp.smtp, so we are allowed to send messages only to local users (domains inside rcpthosts) and chkuser can't find the external domain in its list of allowed rcpthosts:
> telnet [yourIP] 25
Trying [yourIP]...
Connected to [yourIP].
Escape character is '^]'.
220 yourdomain.net ESMTP
mail from: someone@gmail.com
250 ok
rcpt to: someone@gmail.com
553 5.7.1 sorry, that domain isn't in my list of allowed rcpthosts (chkuser)
quit
In addition, look for chkuser messages inside the smtp log /var/log/qmail/smtpd/current.
Don't forget to restore tcp.smtp:
rm tcp.smtp
mv tcp.smtp.bck tcp.smtp
qmailctl cdb
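The chkuser tests above only make sense once you know which tcp.smtp rule your client IP hits, because chkuser is skipped for RELAYCLIENT connections. The following added example (not code from this guide or from chkuser) models the lookup order tcpserver uses for IP rules and the replies this section shows; the rcpthosts, MX and mailbox data are constructed stand-ins for what chkuser really gets from control/rcpthosts, DNS and vpopmail.

```python
import re

# Constructed tcp.smtp source in the same shape as the guide's rules; the
# 192.0.2. deny rule is added here only to show the third outcome.
TCP_SMTP = """\
10.0.0.:allow,RELAYCLIENT=""
127.:allow,RELAYCLIENT=""
192.0.2.:deny
"""
# Constructed stand-ins for control/rcpthosts, DNS MX data and vpopmail mailboxes.
RCPTHOSTS = {"yourdomain.net"}
DOMAINS_WITH_MX = {"yourdomain.net", "gmail.com"}
MAILBOXES = {"user@yourdomain.net", "postmaster@yourdomain.net"}


def parse_tcp_smtp(text):
    """Map each tcprules address (exact IP or dotted prefix) to (action, env)."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        addr, _, rest = line.partition(":")
        action, _, env = rest.partition(",")
        rules[addr] = (action, env)
    return rules


def classify_client(ip, rules):
    """Model of tcpserver's lookup order for IP rules: the exact address first,
    then the shorter dotted prefixes (a.b.c., a.b., a.), then the empty rule.
    Returns 'deny', 'relay' (allow + RELAYCLIENT) or 'local' (allow only)."""
    octets = ip.split(".")
    keys = [ip] + [".".join(octets[:n]) + "." for n in (3, 2, 1)] + [""]
    for key in keys:
        if key in rules:
            action, env = rules[key]
            if action == "deny":
                return "deny"
            return "relay" if "RELAYCLIENT" in env else "local"
    return "local"  # no matching rule: tcpserver still accepts the connection


def mail_from(sender, client):
    """Sender checks as the guide describes them; chkuser is off for relay clients."""
    if client == "relay":
        return "250 ok"
    _, _, domain = sender.rpartition("@")
    if not re.fullmatch(r"[A-Za-z0-9.-]+", domain):
        return "553 5.1.7 sorry, mailbox syntax not allowed (chkuser)"
    if domain not in DOMAINS_WITH_MX:
        return "550 5.1.8 sorry, can't find a valid MX for sender domain (chkuser)"
    return "250 ok"


def rcpt_to(rcpt, client):
    """rcpthosts decides whether the domain is accepted at all; chkuser then
    rejects unknown local mailboxes, again only for non-relay clients."""
    _, _, domain = rcpt.rpartition("@")
    if domain in RCPTHOSTS:
        if client == "relay" or rcpt in MAILBOXES:
            return "250 ok"
        return "550 5.1.1 sorry, no mailbox here by that name (chkuser)"
    if client == "relay":
        return "250 ok"
    return "553 5.7.1 sorry, that domain isn't in my list of allowed rcpthosts (chkuser)"


def expected_replies(client_ip, sender, recipients, rules=None):
    """Replies a telnet session from client_ip should get, in command order.
    After a rejected MAIL FROM, qmail-smtpd answers every RCPT TO with 503."""
    rules = parse_tcp_smtp(TCP_SMTP) if rules is None else rules
    client = classify_client(client_ip, rules)
    if client == "deny":
        return ["Connection closed by foreign host."]
    replies = [mail_from(sender, client)]
    for rcpt in recipients:
        if replies[0].startswith("250"):
            replies.append(rcpt_to(rcpt, client))
        else:
            replies.append("503 MAIL first (#5.5.1)")
    return replies
```

Running expected_replies("127.0.0.1", "someone@gmail.com", ["nobody@yourdomain.net"]) gives three "250 ok" replies, which is exactly why the chkuser test has to be done after purging tcp.smtp.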
smtp-auth and TLS

Let's suppose that you have enabled the submission service (port 587). If you have enabled smtp-auth on port 25, replace 587 with 25 below.
Check that auth and TLS are present:
> telnet [your-IP] 587
Trying [your-IP]...
Connected to [your-IP].
Escape character is '^]'.
220 smtp.yourdomain.net ESMTP
EHLO test
250-smtp.yourdomain.net
250-STARTTLS
250-PIPELINING
250-8BITMIME
250-SIZE 3000000
mail from:someone@somewhere.net
530 Authorization required (#5.7.1)
AUTH PLAIN
538 auth not available without TLS (#5.3.3)
STARTTLS
220 ready for tls
?(?S^F?^@???^\?^^CR?^??*LV^?^Y+ ^W^C^A^@ o?^?&@?????^N^?>??^?.d[^ZE?^?2^?^F^?Xr?XN^W^C^A^@P?^?^?4H&>/4^UG^?^??Njg^]?^_^F;@?^T?^? ^@i?>r^F??g4??{^C??bc^^N?^Qb???^@?n^???8`?W^\?5?^?^HT?F^?X?(^?+ ^W^C^A^@ ?+^??2??W]^Y??}?^?^B^[??n?w^?qs^???^N^B^[^W^C^A^@@^CC3^?f?^Y.^?^?x#?j?^D?+?u^F^?^H?0^?^U??^@i?c$ ^C
Connection closed by foreign host.
The server seems to correctly provide STARTTLS and AUTH support. As you can see the authorization is required and the auth is not available without TLS. When the server is "ready for tls" the connection goes encrypted and you have to quit with a ^C.
Be aware that you can choose between 3 authentication methods: LOGIN, PLAIN and CRAM-MD5.
Since we support TLS, I usually disable CRAM-MD5 in my run file. So we will test just LOGIN and PLAIN. If you want to enable CRAM-MD5 refer to the README.auth file.
- Encoding the login -
To test the "AUTH LOGIN" method (it is safe since the entire connection is encrypted) you have to base64-encode the username, let's say "test@test.net", and the password, let's say "test", as shown below.
> printf "test@test.net" | base64
dGVzdEB0ZXN0Lm5ldA==
> printf "test" | base64
dGVzdA==
Thus, the username "test@test.net" translates to "dGVzdEB0ZXN0Lm5ldA==" and the corresponding password "test" becomes "dGVzdA=="
- Testing the relay -
Now let's check if the relay is working fine. To talk with the server during an encrypted dialog we will use an openssl connection with -starttls smtp; first of all the certificate will be presented:
> openssl s_client -starttls smtp -crlf -connect [your-IP]:587
CONNECTED(00000003)
depth=0 /C=IT/ST=Italy/L=Cagliari/O=Your Name/CN=smtp.yourdomain.net/emailAddress=postmaster@yourdomain.net
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=IT/ST=Italy/L=Cagliari/O=Your Name/CN=smtp.yourdomain.net/emailAddress=postmaster@yourdomain.net
verify return:1
---
Certificate chain
 0 s:/C=IT/ST=Italy/L=Cagliari/O=Your Name/CN=smtp.yourdomain.net/emailAddress=postmaster@yourdomain.net
   i:/C=IT/ST=Italy/L=Cagliari/O=Your Name/CN=smtp.sagredo.eu/emailAddress=postmaster@yourdomain.net
---
Server certificate
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
subject=/C=IT/ST=Italy/L=Cagliari/O=Your Name/CN=smtp.yourdomain.net/emailAddress=postmaster@yourdomain.net
issuer=/C=IT/ST=Italy/L=Cagliari/O=Your Name/CN=smtp.yourname.net/emailAddress=postmaster@yourname.net
---
No client certificate CA names sent
---
SSL handshake has read 1650 bytes and written 354 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Session-ID-ctx:
    Master-Key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Key-Arg   : None
    Start Time: 1292613625
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
250 AUTH LOGIN PLAIN
AUTH LOGIN
334 VXNlcm5hbWU6
- Encoding the login -
The correct form of AUTH PLAIN is "\0authentication-id\0password", where \0 is the null byte. If the username is "test@test.net" and the password is "test", you have to base64-encode the string "\0test@test.net\0test":
> printf "\0test@test.net\0test" | base64
AHRlc3RAdGVzdC5uZXQAdGVzdA==
- Testing the relay -
Now let's check if the relay is working fine. To talk with the server during an encrypted dialog we will use an openssl connection with -starttls smtp; first of all the certificate will be presented:
> openssl s_client -starttls smtp -crlf -connect [your-IP]:587
CONNECTED(00000003)
[THE SAME AS AUTH LOGIN BEFORE]
---
250 AUTH LOGIN PLAIN
AUTH PLAIN AHRlc3RAdGVzdC5uZXQAdGVzdA==
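The telnet and openssl sessions above can be run as one scripted check. The following is an added example, not code from this guide: it encodes the AUTH LOGIN and AUTH PLAIN tokens exactly as the printf | base64 steps do, parses the EHLO answer, verifies that AUTH is refused before STARTTLS (the 538 reply shown above) and then logs in over TLS. Host, port and credentials are placeholders passed on the command line; the helper functions do not need a server.

```python
import base64
import smtplib
import ssl
import sys


def auth_login_tokens(user, password):
    """AUTH LOGIN: username and password are sent as two separate base64
    strings, each one in answer to a 334 challenge."""
    return (base64.b64encode(user.encode()).decode(),
            base64.b64encode(password.encode()).decode())


def auth_plain_token(user, password, authzid=""):
    """AUTH PLAIN: a single base64 string of authzid NUL authcid NUL password.
    The guide leaves authzid empty, hence the leading null byte."""
    raw = f"{authzid}\0{user}\0{password}".encode()
    return base64.b64encode(raw).decode()


def decode_challenge(line):
    """Decode a 334 challenge such as '334 VXNlcm5hbWU6' -> 'Username:'."""
    code, _, payload = line.partition(" ")
    if code != "334":
        raise ValueError("not a SASL challenge: " + line)
    return base64.b64decode(payload).decode()


def parse_ehlo(reply):
    """Map EHLO keywords to their arguments, e.g. {'STARTTLS': '', 'SIZE': '3000000'}.
    Accepts the raw '250-...' lines or the text that smtplib.ehlo() returns."""
    caps = {}
    for line in reply.decode().splitlines()[1:]:   # line 0 is the server name
        if line[:4] in ("250-", "250 "):
            line = line[4:]
        keyword, _, arg = line.partition(" ")
        caps[keyword.upper()] = arg
    return caps


def check_submission(host, port, user, password, cafile=None):
    """Reproduce the section's manual checks in one run and return the findings:
    STARTTLS offered, AUTH refused before TLS, login accepted after STARTTLS."""
    findings = {}
    with smtplib.SMTP(host, port, timeout=20) as s:
        _, msg = s.ehlo("test")
        caps = parse_ehlo(msg)
        findings["starttls_offered"] = "STARTTLS" in caps
        findings["auth_offered_before_tls"] = "AUTH" in caps
        # Ask for AUTH LOGIN without sending any credential: the guide's server
        # answers 538; a server that answers 334 is cancelled with '*' (RFC 4954).
        code, _ = s.docmd("AUTH LOGIN")
        if code == 334:
            s.docmd("*")
        findings["auth_before_tls_code"] = code
        ctx = ssl.create_default_context(cafile=cafile)
        if cafile is None:
            # The guide uses a self-signed certificate (verify error 18). Skip
            # verification only for this local test; pass cafile for a real check.
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        s.starttls(context=ctx)
        findings["tls_version"] = s.sock.version()
        _, msg = s.ehlo("test")
        findings["auth_after_tls"] = parse_ehlo(msg).get("AUTH", "")
        try:
            s.login(user, password)   # smtplib picks a mechanism from the offer
            findings["login_ok"] = True
        except smtplib.SMTPAuthenticationError as err:
            findings["login_ok"] = False
            findings["login_error"] = str(err)
    return findings


if __name__ == "__main__":
    # Usage: python3 check_submission.py smtp.yourdomain.net 587 test@test.net test
    host, port, user, password = sys.argv[1:5]
    for key, value in check_submission(host, int(port), user, password).items():
        print(f"{key}: {value}")
```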
Many followers of this guide posted me a message complaining that they get an error like that in their log, or that log@theirdomain.xy doesn't receive the emails. Please read this before posting. It is a fictitious mailbox, just a trick to improve the qmail-send log.
If something goes wrong you can always log the smtp conversation by running qmail-smtpd in conjunction with Bernstein's recordio program (hopefully from the command line):
exec /usr/local/bin/softlimit -m "$SOFTLIMIT" \
    /usr/local/bin/tcpserver -v -H -R -l 0 \
    -x /home/vpopmail/etc/tcp.submission.cdb -c "$MAXSMTPD" \
    -u "$QMAILDUID" -g "$NOFILESGID" 0 submission \
    /usr/local/bin/recordio \
    /var/qmail/bin/qmail-smtpd \
    /home/vpopmail/bin/vchkpw /bin/true 2>&1
You can also use strace to better investigate how the smtpd session is going on:
# strace -Ff -o /tmp/strace.log -p <tcpserver-pid>
You can quickly get the pid of the qmail-smtpd tcpserver as follows:
# ps axf|grep tcpserver|grep 25
26194 ?        S      0:00 | | \_ /usr/local/bin/tcpserver -v -H -R -l yourdomain.tld -x /home/vpopmail/etc/tcp.smtp.cdb -c 20 -u 89 -g 89 0 25 /var/qmail/bin/qmail-smtpd
Comments
Testing the SMTP port 25
Kenny Lee September 4, 2020 12:32
Hi Mr Roberto,
After I touched a new file for "tcp.smtp" and ran qmailctl cdb, I started telnet to my server on port 25 as below:
2 questions need your help:
1. Why is CHKUSER unable to block an unknown sender while I telnet?
2. I checked the send log file; the server is able to block the nobody email address with "no_mailbox_here_by_that_name", but why was CHKUSER unable to block it while I was doing the telnet?
Thank you
Testing the SMTP port 25
Roberto Puzzanghera Kenny Lee September 4, 2020 13:02
So what do you have in your tcp.smtp? You cannot have it blank.
1. chkuser will block a nonexistent recipient and nonexistent sender domains, but of course it cannot say anything about the sender username (unexistent@gmail.com is good).
2. chkuser is disabled for RELAYCLIENT IPs, according to your tcprules.
PS: be aware that such things are already mentioned in the present guide :-)
Testing the SMTP port 25
Kenny Lee Roberto Puzzanghera September 4, 2020 13:30
Hi Mr Roberto,
Actually I followed the steps in your "Testing chkuser"; my existing tcp.smtp has info inside such as:
After that, I moved the file to a tmp file, then touched a new empty file for tcp.smtp, then did the telnet... so chkuser is supposed to reject the messages if the MX record in the from field is non-existent, right? Or are there any settings I need to look into to start chkuser? I checked my SMTP log file; the word "chkuser" does not occur inside. Anyway, is it related to that file "chkuser_settings.h"?
Thank you
Testing the SMTP port 25
Roberto Puzzanghera Kenny Lee September 4, 2020 13:57
I think that this is due to the fact that you are using the wrong patch, which doesn't include chkuser.
At any rate I strongly suggest having a look at chkuser_settings.h
Testing the SMTP port 25
Kenny Lee Roberto Puzzanghera September 7, 2020 05:21
Hi Roberto,
Oh... ya... I forgot I just patched smtp-auth + qmail-tls + forcetls only... sorry about this issue.
Anyway, thanks.
Broken link
Gabriel Torres December 21, 2019 02:41
Hi Roberto,
The following link is broken:
refer to the README.auth file.
qmail with TLSv1.3
Tony Fung March 25, 2019 06:58
Hi,
I am trying to get TLSv1.3 working with your guide. With openssl updated to version 1.1.1b and ucspi-tcp6 updated to version 1.10.2 (from www.fehcom.de), I then tested the SMTP connection with the command below:
It is found that the Protocol of the SSL-Session is TLSv1.3, see the following captured lines.
Does that mean the qmail setup is TLSv1.3 functional?
qmail with TLSv1.3
Roberto Puzzanghera Tony Fung March 25, 2019 08:12
Yes, it does.
libssl error
Ralph August 12, 2018 15:28
Hello Roberto,
I have installed the qmail server on a new server with Debian 9.
swaks ... --tls gives me the following error in submission/current:
Any suggestion is greatly appreciated.
libssl error
Roberto Puzzanghera Ralph August 13, 2018 12:24
Honestly, I'm not sure that the qmail-tls patch is openssl-1.1 compliant. But if you upgraded your Debian over an old qmail installation you should recompile.
Please let me know if you solve it.
libssl error
Roberto Puzzanghera Roberto Puzzanghera August 13, 2018 18:32
Yes, qmail-tls breaks with openssl-1.1. Someone submitted some changes to the author f.v. but we have to wait. Look here https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=218590
I tried myself to include those changes without success, for the moment. I hope someone could help... in the meantime the DKIM part is already 1.1 compliant
libssl error
Ralph Roberto Puzzanghera August 13, 2018 19:36
Needed to increase softlimit to 6MB, now it runs with
Ralph
libssl error
Roberto Puzzanghera Ralph August 13, 2018 20:20
Yes... I didn't notice that it was the qmail log and not the compilation log
chkuser with catchalls
M G January 16, 2018 06:27
I've been using this awesome guide to migrate to a new server and I certainly appreciate it! One issue I have is I have some users who have domains with a catch-all, so their vpopmail/domains/0/domain.com/.qmail-default contains something like:
paul@domain.com is a valid account; if I send mail to paul@domain.com it will work. However, if I send mail to samjoe@domain.com, I get:
If I strace qmail-smtp, I see it trying to stat /home/vpopmail/domains/0/domain.com/.qmail-samjoe, then it does a mysql query, then returns the no such user - I never see it looking at /home/vpopmail/domains/0/domain.com/.qmail-default
Do catch-alls work with chkuser? I can't figure it out..
chkuser with catchalls
Roberto Puzzanghera M G January 19, 2018 12:41
Sorry for the late reply, I was not so well these days..
I think that chkuser breaks this functionality, because it acts at qmail-smtpd level, then before the delivery.
chkuser with catchalls
M G Roberto Puzzanghera January 20, 2018 22:11
Not a problem! I figured it out after reading the checkuser code. It's the CHKUSER_START variable in qmail-smtpd/run, if set to "DOMAIN" instead of "ALWAYS" it'll check the .qmail-default for each domain. If the file has 'bounce' in it, then it'll reject users who don't exist, otherwise it'll accept all.
STARTTLS connection respond slow - qmail-smtp process 100percent
Marc March 22, 2016 12:20
Hello Roberto,
I have installed the qmail server on a new server; everything went fine except that the STARTTLS authentication is not working well.
When I ran the command "openssl s_client -starttls smtp -crlf -connect localhost:587" I got the message "CONNECTED(00000003)", then for 30 to 60 seconds nothing happened, and then I got the view of the certificate. In the meantime I see the qmail-smtp process working at 100%. Sending mails in and out is working but it takes the same amount of time and the qmail-smtp process works at full load. Sometimes I get a timeout with the mail client. I have tried it with 2 different certificates and it is always the same. Do you have an idea what went wrong or how I can track this? Thanks.
openssl s_client hangs after CONNECTED(00000003)
Norbert Marc May 27, 2017 13:03
Hi Roberto, issuing the command
openssl s_client -starttls smtp -showcerts -connect mx-exchanger.tld:465
results in an openssl hang. Below is the relevant strace section. 175 seconds is when I interrupted the process. What happens in the line directly above it?
Delay due to missing dh2048.pem file
Norbert Norbert May 27, 2017 13:31
strace before and after adding a separate dh2048.pem in /var/qmail/control
Before:
After:
This seems to be new behavior (after upgrading from a 2015 install). Why is it not using the DH parameters included in servercert.pem any longer?
if you are strictly following
roberto puzzanghera Norbert May 27, 2017 14:37
if you are strictly following my guide and have my combined patch installed, and then using ucspi-tcp6, you should connect to 587 port (submission service) instead of 465, which goes with ucspi-ssl. I suppose that in your previous configuration you were using something like ucspi-ssl
Hi Marc, are you running
roberto puzzanghera Marc March 22, 2016 13:05
Hi Marc, are you running qmail-smtpd as vpopmail?
Hello Roberto,
Marc roberto puzzanghera March 22, 2016 13:33
Hello Roberto,
I'm running qmail-smtpd as the vpopmail user.
What the logs say? I would
roberto puzzanghera Marc March 22, 2016 13:40
What do the logs say? I would check the ownership of the certificate and eventually try to debug with strace.
chkuser problem
miz October 9, 2015 15:06
I have a long time issue that is driving me crazy. I recompiled netqmail with Roberto's full patch, in order to update the qmail-auth patch and to try to secure my server as much as possible. I ran into the same problem that occurred during the installation of the server, so I tried to gather some more info.
The problem is related to chkuser; if I use the qmail-smtpd binary file from the compilation, chkuser is always accepting email, even for non-existent users:
If I replace the qmail-smtpd binary file with the one from the qmail-1.03-26.el6.art.x86_64.rpm, WITHOUT changing anything else (NO configuration or run file change at all), chkuser is working fine:
Any suggestion is greatly appreciated!
how do you run qmail-smtp?
roberto puzzanghera miz October 9, 2015 15:58
How do you run qmail-smtp and chkuser? Are you using my configuration and running qmail-smtp as vpopmail?
Hello Roberto,
miz roberto puzzanghera October 15, 2015 15:18
Hello Roberto,
After recompilation of netqmail with your latest patch everything works fine! I think some issues could be related to the latest qmail-authentication v. 0.8.3 fixes.
Thank you, as always!
DKIM TEST?
Fabiano Heringer July 21, 2013 01:34
Hi, great tutorial! thanks!
Everything worked like a charm, but I tested DKIM sending mail to sa-test@sendmail.net, and I got NO PRESENT for DKIM.
Is there some way to test it?
Thanks
Yes, read this
roberto puzzanghera Fabiano Heringer July 21, 2013 10:41
Yes, read this http://notes.sagredo.eu/node/92
SPF problem
Bogdan April 10, 2013 17:45
Hello,
I have encountered a problem with SPF checking using your qmail installation.
Every SPF check is like this:
using spfquery command, the result is OK.
Do you have any suggestions on how to fix this, so the IPv4 is detected correctly, without "::ffff:" prefix ?
Thank you!
@SPF problem
roberto puzzanghera Bogdan April 10, 2013 18:47
Unfortunately I've no suggestions; I think that the error is due to the prefix... it's a very old patch. By the way, it appears that the spfquery program was not written by the same author as the qmail-SPF patch.
Let me know if you manage to solve it :)
After further research I did
Bogdan roberto puzzanghera April 10, 2013 19:16
After further research I did manage to solve the problem.
tcpserver was transforming IPv4 into IPv6 format
The fix was to add in /var/qmail/supervise/qmail-smtpd/run "-4" at the tcpserver command. This forces the use of IPv4 IPs only.
exec /usr/local/bin/softlimit -m "$SOFTLIMIT" \
/usr/local/bin/tcpserver -4 -v -H -R -l 0 \ .....
qmail-pop3d issue
roberto puzzanghera January 28, 2013 14:13
Today I released a new combined patch which fixes this issue on qmail-pop3d. Many clients were tested and everything seems to be working fine now.
Unable to auth pop3 from email client
Anonymous December 6, 2012 08:30
Hello all,
Everything is working perfectly while I test from the command line (SMTP, Auth SMTP and POP3), but when I configure an email client, i.e. MS Outlook, I'm not able to make auth POP3 work and retrieve mail from the server. Auth SMTP works perfectly using the same username and password as my incoming mail server, and when I test from the command line using telnet I'm able to auth (login and access mail) on POP3. I tried both /home/vpopmail/bin/vchkpw and /home/vpopmail/bin/vpopmaild in the vpopmail run file. Can anyone help me to resolve this problem?
Thanks in advance.
POP3 not working, However, SMTP and SMTPS working
Orbit Anonymous December 18, 2012 08:27
When I telnet to pop3, it works but receives a double +OK +OK after entering "pass password" and other commands. See the conversation below.
qmail-pop3d and vpopmail:vchkpw seem to be working via remote telnet.
When a mail client such as Outlook is used, auth pop3 hangs. I have also tested it with other email clients but to no avail!
"Receiving' reported error (0x8004210A) : 'The operation timed out waiting for a response from the receiving (POP) server."
Here is the mail server side conversation between Outlook and the mail server:
POP3 not working, However, SMTP and SMTPS working
Orbit Orbit January 21, 2013 16:52
Patching qmail-pop3d.c with the following
It is tested on a live qmail+vpopmail server on ports 110 and 995 with stunnel. It seems to be working perfectly. Thanks to Simplex and Roberto.
POP3 not working, However, SMTP and SMTPS working
Orbit Orbit January 21, 2013 17:29
Further to my previous post
The above patch to "qmail-pop3d.c", after intensive testing, is found to be not working as expected.
After pop3d auth, email moves to the "cur" folder from "new" under /Maildir even though the email client is configured not to "Leave a copy of messages on server".
Regards,
I had the same issue when
simplex Orbit January 20, 2013 16:04
I had the same issue when compiling only qmail with the patches included here.
The problem is that qmail-popup.c or qmail-pop3d.c prints +OK twice after the pass is sent.
If you do a diff on the original netqmail files and the patched ones you will see what I'm talking about:
The MUA expects only one +OK from pop3d.
So I think the problem is in qmail-pop3d.c
maybe this line from the patched qmail-pop3d.c
In any case I just replaced the patched qmail files (qmail-popup.c or qmail-pop3d.c) with the original ones, since the only difference I noticed was the function puts renamed to my_puts, and I recompiled. And it worked.
yes, you are right.
roberto puzzanghera simplex January 20, 2013 20:15
Yes, you are right. Modifying like this
seems to solve it.
FYI, both the dkim and maildir++ patches modify qmail-pop3d, so I think you shouldn't replace the patched files with the original ones, because there are other changes there.
Before releasing a new patch, can you make a test with this one or adjust qmail-pop3d.c yourself?
thanks for the contribution.
roberto puzzanghera simplex January 20, 2013 19:00
Thanks for the contribution. I'm going to test qmail-pop3d as soon as possible and eventually provide a new patch :)
Unfortunately I can't
roberto puzzanghera Orbit December 18, 2012 09:30
Unfortunately I can't be of any help, as I haven't been using qmail-pop3d for a long time... anyway I would give dovecot's pop3 service a chance..
got status11 in qmail-smtp log
Anonymous roberto puzzanghera June 5, 2015 14:28
Hello, I cannot telnet on port 25 because I get a disconnect message and no mail can arrive.
Escape character is '^]'.
Connection closed by foreign host.
Here are some logs:
Any ideas?
is there any firewall?
roberto puzzanghera Anonymous June 5, 2015 14:41
Is there any firewall?
no, no firewall
Anonymous roberto puzzanghera June 8, 2015 05:40
No, no firewall.
was the IP 89.137.228.94 in
roberto puzzanghera Anonymous June 8, 2015 14:27
Was the IP 89.137.228.94 in your tests above the one you were connecting from?
Are you using my qmail patch and installation?
Can you post a telnet session?
yes this was my ip
Anonymous roberto puzzanghera June 24, 2015 09:41
Yes, this was my IP.
I redirected port 25 to 587 and now everything is working... don't know what was wrong with port 25.