v. 2023.11.20 Combined patch for netqmail-1.06 by Roberto Puzzanghera [roberto dot puzzanghera at sagredo dot eu] More info at https://notes.sagredo.eu/en/qmail-notes-185/patching-qmail-82.html ========================================================================================================== = This patch puts together * Erwin Hoffmann's qmail-authentication patch v. 0.8.3, which updates the patches provided by Krysztof Dabrowski and Bjoern Kalkbrenner. It provides cram-md5, login, plain authentication support for qmail-smtpd and qmail-remote. http://www.fehcom.de/qmail/smtpauth.html##PATCHES * Frederik Vermeulen's qmail-tls patch v. 20200107 implements SSL or TLS encrypted and authenticated SMTP. The key is now 4096 bit long and the cert will be owned by vpopmail:vchkpw http://inoa.net/qmail-tls/ The file update_tmprsadh was modified to chown all .pem files to vpopmail. * Marcel Telka's force-tls patch v. 2016.05.15 optionally gets qmail to require TLS before authentication to improve security. You have to declare FORCETLS=0 if you want to allow the auth without TLS https://notes.sagredo.eu/files/qmail/patches/roberto-netqmail-1.06_force-tls/force-tls_marcel.patch * Antonio Nati's chkuser patch v. 2.0.9 performs, among the other things, a check for the existence of recipients during the SMTP conversation, bouncing emails of fake senders. http://opensource.interazioni.it/qmail/chkuser.html Small adjustments and a bug fix by Luca Franceschini here https://notes.sagredo.eu/files/qmail/patches/dmind/20190807/: Now CHKUSER_DISABLE_VARIABLE, CHKUSER_SENDER_NOCHECK_VARIABLE, CHKUSER_SENDER_FORMAT_NOCHECK, CHKUSER_RCPT_FORMAT_NOCHECK and CHKUSER_RCPT_MX_NOCHECK can be defined at runtime level as well. * Flavio Curti's qmail-queue-custom-error patch enables simscan and qmail-dkim to return the appropriate message for each e-mail it refuses to deliver. https://notes.sagredo.eu/files/qmail/patches/qmail-queue-custom-error-v2.netqmail-1.05.patch * Christophe Saout's qmail-SPF rc5 patch Modified by Manvendra Bhangui to make it IPv4-mapped IPv6 addresses compliant. checks incoming mails inside the SMTP daemon, add Received-SPF lines and optionally block undesired transfers. http://www.saout.de/misc/spf/ * Marcelo Coelho's qmail-SRS patch implements Sender Rewriting Scheme fixing SPF break upon email forwarding. http://www.mco2.com.br/opensource/qmail/srs/ * Christopher K. Davis' oversize dns patch enables qmail to handle large DNS packets. https://notes.sagredo.eu/files/qmail/patches/qmail-bigdns-103.patch * Jul's reread-concurrency v.2 patch rereads control/concurrencylocal and control/concurrencyremote files when qmail-send receives a HUP signal. http://js.hu/package/qmail/index.html * Johannes Erdfelt's Big Concurrency patch sets the spawn limit above 255 https://notes.sagredo.eu/files/qmail/patches/big-concurrency.patch * Mihai Secasiu's Big Concurrency fix v.1.0 patch fixes a compiler error if you set concurrency higher than 509 in conf-spawn. http://patchlog.com/linux/qmail-big-concurrency/ * Bill Shupp's netqmail-maildir++.patch adds maildirquota support to qmail-pop3d and qmail-local. Fixed a bug where the filesize part of the S= component of the Maildir++ compatible filename is wrong (tx MG). More info here: https://notes.sagredo.eu/en/qmail-notes-185/installing-dovecot-and-sieve-on-a-vpopmail-qmail-server-28.html#comment995 https://notes.sagredo.eu/files/qmail/patches/netqmail-maildir.patch * Kyle B. Wheeler's "Better qmail-smtpd Logging" v.5 patch facilitates diagnostics of qmail-smtpd logging its actions and decisions (search for a line with qmail-smtp:) http://www.memoryhole.net/qmail/#logging * John Simpson's (?) Greeting delay patch adds a user-definable delay after SMTP clients have initiated SMTP sessions, prior to qmail-smtpd responding with "220 ESMTP". It can reject connections from clients which tried to send commands before greeting. https://notes.sagredo.eu/files/qmail/patches/qmail-greetdelay.patch * Manvendra Bhangui's DKIM and SURBL filter v.1.43 patch adds DKIM signing & verification and SURBL filtering support to qmail. qmail-dk is based on Russ Nelson's patch: http//:www.qmail.org/qmail-1.03-dk-0.54.patch qmail-dkim uses hacked libdkim libraries from libdkim project at http://libdkim.sourceforge.net/ surbfilter is built on djb functions and some functions have been ruthlessly borrowed from qmail surbl interface by Pieter Droogendijk and the surblhost program at http://surblhost.sourceforge.net/ (file hier.c modified to chown /var/qmail/control/cache and subdirs to vpopmail) http://sourceforge.net/projects/indimail/files/netqmail-addons/qmail-dkim-1.0/ https://notes.sagredo.eu/files/qmail/patches/ANNOUNCE.surblfilter * Claudio Jeker and Andre Oppermann's EXTTODO patch (release 5. Jan. 2003) addresses a problem known as the silly qmail (queue) problem https://notes.sagredo.eu/files/qmail/patches/exttodo.README https://notes.sagredo.eu/files/qmail/patches/ext_todo-20030105.patch * Russell Nelson's big-todo patch makes qmail use a hashing mechanism in the todo folder similar to that used in the rest of the queue https://notes.sagredo.eu/files/qmail/patches/big-todo.103.patch * Stephane Cottin's qmail-inject-null-sender patch (let's call it in this way) prevents qmail-inject from rewriting the null sender, fixing an issue with sieve vacation/reject messages. More info here: http://www.dovecot.org/list/dovecot/2009-June/040811.html https://notes.sagredo.eu/files/qmail/patches/qmail-inject-null-sender.patch * Russell Nelson's (modified by Charles Cazabon) doublebounce-trim patch, which updates the original version by Russel Nelson prevents double bounces from hitting your queue a second time provided that you delete the first line from /var/qmail/control/doublebounceto https://notes.sagredo.eu/files/qmail/patches/doublebounce-trim.patch * Inter7's qmail-taps-extended patch https://notes.sagredo.eu/files/qmail/patches/qmail-tap.diff Extended by Michai Secasiu (http://patchlog.com/patches/qmail-taps-extended/) Provides the ability to archive each email that flows through the system. Archiving only messages from or to certain email addresses is possible as well. https://notes.sagredo.eu/files/qmail/patches/qmail-taps-extended-full.patch * Andy Repton's outgoingip patch (adjusted by Sergio Gelato) by default all outgoing emails are sent through the first IP address on the interface. In case of a multiple IP server this patch makes qmail send outgoing emails with the IP eventually stored in control/outgoingip. The ehlo domain is NOT modified by this patch. https://notes.sagredo.eu/files/qmail/patches/outgoingip.patch Robbie Walker provided a patch to correct qmail-qmqpc.c's call to timeoutconn(), because the function signature was modified by the original outgoingip patch https://notes.sagredo.eu/en/qmail-notes-185/patching-qmail-82.html#comment373 * Matthias Andree's qmail-rfc2821 patch makes qmail rfc2821 compliant https://notes.sagredo.eu/files/qmail/patches/qmail-1.03-rfc2821.diff Ali Erturk TURKER added implicit TLS (SMTPS) support https://notes.sagredo.eu/files/qmail/patches/aet_qmail_remote_smtps_correction_202302271346.patch * Jonathan de Boyne Pollard's smtpd-502-to-500 patch makes qmail rfc2821 compliant https://notes.sagredo.eu/files/qmail/patches/smtpd-502-to-500.patch * Fabio Busatto's qmail-dnsbl patch allows you to reject spam and virus looking at the sender's ip address. Modified by Luca Franceschini to add support for whitelists, TXT and A queries, configurable return codes 451 or 553 with custom messages http://qmail-dnsbl.sourceforge.net/ * Scott Gifford's qmail-moreipme patch v. 0.6 prevents a problem caused by an MX or other mail routing directive instructing qmail to connect to itself without realizing it's connecting to itself, saving CPU time. https://notes.sagredo.eu/files/qmail/patches/moreipme.README https://notes.sagredo.eu/files/qmail/patches/qmail-1.03-moreipme-0.6.patch * Alex Nee's qmail-hide-ip-headers patch It will hide your Private or Public IP in the email Headers when you are sending Mail as a Relay Client. https://notes.sagredo.eu/files/qmail/patches/qmail-hide-ip-headers.patch * John Saunders' qmail-date-localtime patch causes the various qmail programs to generate date stamps in the local timezone. https://notes.sagredo.eu/files/qmail/patches/qmail-date-localtime.patch * Dean Gaudet's qmail-liberal-lf patch v. 0.95 allow qmail-smtpd to accept messages that are terminated with a single \n instead of the required \r\n sequence. http://www.arctic.org/~dean/patches/qmail-0.95-liberal-lf.patch * Michael Samuel's maxrcpt patch allows you to set a limit on how many recipients are specified for any one email message by setting control/maxrcpt. RFC 2821 section 4.5.3.1 says that an MTA MUST allow at least 100 recipients for each message, since this is one of the favourite tricks of the spammer. https://notes.sagredo.eu/files/qmail/patches/maxrcpt.patch * Inter7's qmail-eMPF patch More info: https://notes.sagredo.eu/files/qmail/patches/empf.README eMPF follows a set of administrator-defined rules describing who can message whom. With this, companies can segregate various parts of their organizations email activities, as well as provide a variety of security-enhancing services. https://notes.sagredo.eu/files/qmail/patches/qmail-empf.patch * qregex (by Andrew St. Jean http://www.arda.homeunix.net/downloads-qmail/, contributors: Jeremy Kitchen, Alex Pleiner, Thanos Massias. Original patch by Evan Borgstrom) adds the ability to match address evelopes via Regular Expressions (REs) in the qmail-smtpd process. Added new control file 'badhelonorelay', control/badmailto renamed control/badrcptto (Tx Luca Franceschini). * brtlimit Luca Franceschini derived this patch from https://notes.sagredo.eu/files/qmail/patches/goodrcptto-12.patch added control/brtlimit and BRTLIMIT variable to limit max invalid recipient errors before closing the connection (man qmail-control) * validrcptto https://notes.sagredo.eu/files/qmail/patches/validrcptto.README Luca Franceschini grabbed the code from several patches with additional features: http://qmail.jms1.net/patches/validrcptto cdb.shtml, https://notes.sagredo.eu/files/qmail/patches/goodrcptto-ms-12.patch, http://patch.be/qmail/badrcptto.html It works in conjunction with chkuser with both cdb and mysql accounts. * reject-relay-test by Russell Nelson It gets qmail to reject relay probes generated by so-called anti-spammers. These relay probes have '!', '%' and '@' in the local (username) part of the address. https://notes.sagredo.eu/files/qmail//patches/qmail-smtpd-relay-reject.patch * Luca Franceschini added DISABLETLS environment variable, useful if you want to disable TLS on a desired port added FORCEAUTHMAILFROM environment variable to REQUIRE that authenticated user and 'mail from' are identical added SMTPAUTHMETHOD, SMTPAUTHUSER and SMTP_AUTH_USER env variables for external plugins (see http://qmail-spp.sourceforge.net/doc/) * fixed little bug in 'mail from' address handling patch by Andre Opperman at http://qmail.cr.yp.narkive.com/kBry6GJl/bug-in-qmail-smtpd-c-addrparse-function * Luca Franceschini's qlog patch smtpd logging with fixed format. An entry 'qlogenvelope' is generated after accepting or rejecting every recipients in the envelope phase. * Luca Franceschini's reject null senders patch useful in special cases if you temporarily need to reject the null sender (although breaks RFC compatibility). You just need to put 1 (actually any number different from 0) in your control/rejectnullsenders or define REJECTNULLSENDERS to reject the null sender with 421 error message. * Luca Franceschini's remove-cname-check patch Removed dns_cname call in qmail-remote.c instead of changing the funcion in dns.c,in case another patch requires dns_cname(). https://notes.sagredo.eu/files/qmail/patches/remove-cname-check.patch More info here https://lists.gt.net/qmail/users/138190 * Jonathan de Boyne Pollard's any-to-cname patch avoids qmail getting large amounts of DNS data we have no interest in and that may overflow our response buffer. https://notes.sagredo.eu/files/qmail/patches/any-to-cname.patch * Luca Franceschini's rcptcheck patch (based on original patch from Jay Soffian (http://www.soffian.org/downloads/qmail/qmail-smtpd-doc.html) Originally designed for the purpose of receipt validation, it can also be used to limit the numbr of email a given IP and/or auth-user and/or domain can send in a given time interval. It has to be used in conjuction with the rcptcheck-overlimit.sh LF's script https://notes.sagredo.eu/files/qmail/rcptcheck-overlimit.sh https://notes.sagredo.eu/files/qmail/patches/rcptcheck.patch * Reed Sandberg's qmail-channels patch Allows you to add an arbitrary number of supplemental remote queues, each distinguished by a list of recipient domains and separate throttling (concurrency) capabilities. This patch also allows dynamic throttling of the concurrency control files so you can just send qmail-send a HUP signal instead of restarting the service every time. This patch is useful when some email providers complain of too many emails receveid at the same time (in case of news letters for instance). Look here for more info https://notes.sagredo.eu/en/qmail-notes-185/patching-qmail-82.html#comment1328 Edit conf-channels before compiling: Total number of channels (queues) available for delivery. Must be at least 2, and anything above 2 are considered supplemental channels. http://www.thesmbexchange.com/eng/qmail-channels_patch.html * Endersys R&D team's qmail-remote-logging patch gets qmail-remote to log sender, recipient and IP adddress all together in the "Delivery success/failure" line https://web.archive.org/web/20120530051612/http://blog.endersys.com/2009/12/qmail-canonicalised-recipient-logging-and-more-patch/ * notqmail.org's cve-2005-1513 patch addresses a vulnerability issue spotted by Georgi Guninski in 2005 https://www.qualys.com/2020/05/19/cve-2005-1513/remote-code-execution-qmail.txt * Pawel Foremski's qmail-spp patch v. 0.42, which provides plug-in support for qmail-smtpd. It allows you to write external programs and use them to check SMTP command argument validity. The plug-in can trigger several actions, like denying a command with an error message, logging data, adding a header and much more. The qmail-spp functionality is disabled by default, so that it will be transparent for ancient users of this patch. If you want to enable qmail-spp just export the variable ENABLE_SPP in your run file. Note that the variable NOSPP is not available here. More info here http://qmail-spp.sourceforge.net * Bruce Guenter's qmail-1.03-fastremote-3 patch While sending individual messages with qmail consumes very little CPU, sending multiple large messages in parallel can effectively DoS a sender due to inefficiencies in qmail-remote's "blast" function. In its original form, this function scans the message one byte at a time to escape leading periods and newlines, as required by SMTP. This patch modifies blast to scan the message in larger chunks. I have benchmarked before and after, and the change reduced the CPU time consumed by qmail-remote by a factor of 10. http://untroubled.org/qmail/qmail-1.03-fastremote-3.patch = Disclaimer This patch comes with the usual warranty: it works for me, it may not work for you, use at your own risk etc. etc. :) Comments, suggestions, criticisms are always welcome! = Usage * Install libsrs2 wget https://notes.sagredo.eu/files/qmail/tar/libsrs2-1.0.18.tar.gz tar xzf libsrs2-1.0.18.tar.gz cd libsrs2-1.0.18 ./configure make make install ldconfig cd ../ * Apply the patch and compile wget https://notes.sagredo.eu/files/qmail/patches/roberto-netqmail-1.06.patch-latest.gz wget http://qmail.org/netqmail-1.06.tar.gz tar xzf netqmail-1.06.tar.gz cd netqmail-1.06 chown -R root:root . gunzip -c ../roberto-netqmail-1.06.patch-latest.gz | patch make make setup check * You have to export SMTPAUTH in your run file if you want to do the auth * You have to export SURBL=1 in your run file if you want to enable SURBL * /var/qmail/control/cache must be owned by the user who runs qmail-smtpd, vpopmail:vchkpwd in my case. Change the permissions according to your qmail configuration.