Patch di qmail

• Scarica l'ultima versione della patch combinata per netqmail-1.06 v. 2023.03.18 (MD5).
• Changelog
• Readme

Changelog

• Mar 18, 2023
  - bugfix in dkimverify.cpp: now it checks if k= tag is missing (tx Raisa for providing detailed info)
  - redundant esmtp-size patch removed, as the SIZE check is already done by the qmail-authentication patch (tx Ali Erturk TURKER) diff here
• Mar 14, 2023
  - The split_str function in dknewkey was modified in order to work on debian 11 (tx J)
• Mar 12, 2023
  - The mail headers will change from "ESMTPA" to "ESMTPSA" when the user is authenticated via starttls/smtps (tx Ali Erturk TURKER)
  diff here
• Mar 1, 2023
  - added qmail-fastremote patch (tx Ali Erturk TURKER for the advise)
  - qmail-remote CRLF removed (replaced by fastremote)
• Feb 27, 2023
  - Now qmail-remote is rfc2821 compliant even for implicit TLS (SMTPS) connections (tx Ali Erturk TURKER)
• Feb 24, 2023
  - several missing references to control/badmailto and control/badmailtonorelay files were corrected to control/badrcptto and control/badrcpttonorelay (tx Ali Erturk TURKER) diff here
• Feb 19, 2023
  - dkim patch upgraded to v. 1.37
  * ed25519 support​ (RFC 8463)
  * old yahoo's domainkeys stuff removed (no longer need the libdomainkeys.a library)

Ho creato un pacchetto con le ultime versioni di alcune patch di uso comune. Queste le patch incluse nel pacchetto:

• qmail-authentication
• qmail-tls
• force-tls
• chkuser
• qmail queue custom error
• qmail-SPF
• qmail-SRS
• oversize DNS
• reread concurrency
• big concurrency
• big concurrency fix
• maildir++
• Better qmail-smtpd logging
• SMTP HELO/EHLO Greeting delay
• DKIM
• EXT-TODO
• BIG-TODO
• qmail-inject-null-sender
• doublebounce-trim
• qmail-taps-extended
• outgoingip
• qmail-rfc2821
• smtpd-502-to-500
• qmail-dnsbl
• qmail-moreipme
• qmail-hide-ip-headers
• qmail-date-localtime
• qmail-liberal-lf
• qmail-maxrcpt
• qmail-empf
• qregex
• brtlimit
• validrcptto
• reject-relay-test
• qlog
• reject null senders
• remove-cname-check
• any-to-cname
• rcptcheck
• qmail-channels
• qmail-remote-logging
• CVE-2005-1513
• qmail-spp
• fastremote

[Vedi i dettagli sulla patch applicata qui]

Altre patch:

• Patch con solo smtp-auth, tls e force-tls
• Directory con tutte le patch

Sei invitato a dare un'occhiata alla prossima pagina di questa guida, che si propone di presetare alcuni test di funzionamento di queste patch alla fine.

Installazione della libreria libsrs2

• Scaricare da qui: http://www.libsrs2.org/

Questa libreria è un prerequisito della patch SRS, che è inclusa nella mia patch combinata. E' obbligatoria l'installazione, altrimenti la compilazione andrà in errore.

wget http://www.libsrs2.org/srs/libsrs2-1.0.18.tar.gz
tar xzf libsrs2-1.0.18.tar.gz
cd libsrs2-1.0.18
./configure
make
make install
ldconfig
cd ../

Accertiamoci che la libreria libsrs2 sia stata effettivamente linkata, altrimenti andremo incontro a un crash e riavvio infinito di qmail-send con una quantità crescente di processi avviati che porterà in breve a un auto-DoS:

> ldconfig -p|grep libsrs2
        libsrs2.so.0 (libc6,x86-64) => /usr/local/lib/libsrs2.so.0
        libsrs2.so (libc6,x86-64) => /usr/local/lib/libsrs2.so

Nel caso si fosse optato per l'installazione delle libsrs2 con un pacchetto fornito dalla propria distribuzione Linux, è possibile che le librerie si trovino in /usr/lib e non su /usr/local/lib. In tal caso controllate l'effettiva esistenza del file /usr/local/include/srs2.h; se non lo trovate modificate manualmente il file srs.c presente nella cartella sorgente di netqmail in questo modo:

#include </usr/local/include/srs2.h>
#include </usr/include/srs2.h>

Applicare la patch

wget https://notes.sagredo.eu/files/qmail/patches/roberto-netqmail-1.06/roberto-netqmail-1.06.patch-2023.03.01.gz
cd netqmail-1.06
gunzip -c ../roberto-netqmail-1.06.patch-latest.gz | patch

Configurazione di chkuser

• Maggiori informazioni qui: http://opensource.interazioni.it/qmail/chkuser/documentation/chkuser_settings.html

La patch combinata che hai scaricato e applicato ha chkuser abilitato e configurato come segue; chkuser eseguirà il controllo dell'esistenza del destinatario (recipient verification) e il MAV (Mail From: Address Verification).

E' possibile personalizzare la configurazione modificando ilo file chkuser_settings.h prima della compilazione di qmail. CHKUSER_STARTING_VARIABLE deve essere decommentato per far si che chkuser sia abilitato.

#define CHKUSER_STARTING_VARIABLE "CHKUSER_START"

Decommentando questo si abilita il controllo della validità della sintassi nel nome utente e nel dominio dell'indirizzo del mittente. Con questo abilitato verranno respinti i client fasulli e anche quelli senza alcun dominio nell'envelope.

#define CHKUSER_SENDER_FORMAT

Decommentando questo si abilita il controllo dell'esistenza del record MX nel DNS del dominio del destinatario

#define CHKUSER_RCPT_MX

Decommentando questo si abilita il controllo del record MX per l'indirizzo del mittente

#define CHKUSER_SENDER_MX

Questo ammette la presenza dei caratteri "#" e "+" nell'indirizzo email del mittente. E' usato dai prodotti SRS (Sender Rewriting Scheme).

Per quanto rigusarda la mia MTA, questo ha risolto un messaggio di rigetto del tipo "invalid sender address format" innescato da un indirizzo email di una mailing list gestita da mailman.

#define CHKUSER_ALLOW_SENDER_SRS

Configurazione della patch force-tls

Le impostazioni predefinite della pacth prevedono che l'autenticazione sia proibita se non si presenta il comando STARTTLS. Se invece si vuole consentire le connessione non c4riptate con TLS, è sufficiente porre

export FORCETLS=0

nel proprio run file (vedere dopo). Valori diversi da 0 o nessuna dichiarazione forzano il TLS prima dell'atutenticazione.

Configurazione di qmail-auth

Come impostazione predefinita l'autenticazione viene eseguita in modalità LOGIN o PLAIN. Sei invitato a leggere il file README.auth per ulteriori dettagli riguuardanti l'utilizzo della variabile di ambiente SMTPAUTH, specialmente sei interessato a usare CRAM-MD5.

Ricompilazione di qmail

Coloro che stanno facendo una nuova installazione di qmail possono ora compilare come segue

make setup check

e passare al paragrafo successivo (Creare la SSL key).

Coloro che invece hanno già qmail in esecuzione e stanno ricompilando per un aggiornamento dovrebbero stoppare qmail prima di installare.

La patch BIG-TODO che è stata applicata può richiedere che la coda venga rigenerata, la prima volta che la si usa. Pertanto è bene essere consapevoli che tutti i messaggi nella coda verranno distrutti quando questa viene cancellata prima dell'installazione di qmail.

Per sapere se vi sono messaggi in coda digitare questo comando:

> qmailctl stat

/service/qmail-send: up (pid 18127) 6 seconds
/service/qmail-send/log: up (pid 18134) 6 seconds
/service/qmail-smtpd: up (pid 18126) 6 seconds
/service/qmail-smtpd/log: up (pid 18135) 6 seconds
/service/qmail-submission: up (pid 18131) 6 seconds
/service/qmail-submission/log: up (pid 18132) 6 seconds
/service/vpopmaild: up (pid 18129) 6 seconds
/service/vpopmaild/log: up (pid 18128) 6 seconds
messages in queue: 0
messages in queue but not yet preprocessed: 0

Comunque, se non si deve gestire un server di grandi dimensioni, si può sempre usare la versione della mia patch combinata che non contiene la patch BIG-EXT-TODO.

In definitiva è necessario lanciare questo comando la prima volta che si installa la patch con la BIG-TODO:

qmailctl stop
rm -r /var/qmail/queue

Ora ricompiliamo qmail:

make

Se qmail è in esecuzione arrestare i servizi prima dell'installazione:

qmailctl stop

Infine installare qmail e poi avviarlo:

make setup check
qmailctl start

Creare la SSL key

SE non hai intenzione di costruire un un open relay (che consente l'invio di email connettendosi da remoto con accesso smtp/tls) puoi saltare questo punto.

Per mettere in sicurezza l'autenticazione smtp bisogna creare un certificato SSL. Il certificato deve essere di proprietà dell'utente sotto il quale viene eseguito qmail-smtpd, nel nostro caso vpopmail.

# make cert

Generating a 1024 bit RSA private key
..................++++++
.......++++++
writing new private key to '/var/qmail/control/servercert.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IT
State or Province Name (full name) [Some-State]:Italy
Locality Name (eg, city) []:Cagliari
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your Name
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:smtp.yourdomain.net
Email Address []:postmaster@yourdomain.net

# make tmprsadh
# chown vpopmail.vchkpw /var/qmail/control/*.pem

E' importante che il "Common Name" corrisponda al nome a dominio del server che viene usato come relay.

Ora creiamo un cronjob che aggiorni giornalmente il certificato:

# crontab -e

03 05 * * * /var/qmail/bin/update_tmprsadh > /dev/null 2>&1

Importante: se si sta usando la mia patch e nella vostra installazione qmail-submission viene lanciato sotto un utente diverso da vpopmail (diversamente da quanto suggerito in questa guida), è necessario modificare di conseguenza il file update_tmprsadh, altrimenti è possibile eccedere il timeout della connessione a causa della mancanza dei privilegi di lettura del certificato.

Installazione di un certificato SSL valido

Non appena il server è funzionante sarà il caso di ritornare qui per installare un certificato valido fornito da Let's Encrypt. Si veda questa pagina al proposito.

La patch in dettaglio

qmail-authentication

• Author: Erwin Hoffmann (updates the previous work of Krysztof Dabrowski and Bjoern Kalkbrenner)
• Version 0.8.3 (23.08.2015)
• Info: https://www.fehcom.de/qmail/smtpauth.html
• README.auth

It provides cram-md5, login, plain authentication support for qmail-smtpd (port 587) and qmail-remote.

Added FORCEAUTHMAILFROM environment variable to REQUIRE that authenticated user and 'mail from' are identical.

Added SMTPAUTHMETHOD, SMTPAUTHUSER and SMTP_AUTH_USER env variables for external plugins (see http://qmail-spp.sourceforge.net/doc/)

qmail-tls

• Author: Frederik Vermeulen
• Info: http://inoa.net/qmail-tls/
• Version 20200107
• added DISABLETLS environment variable, useful if you want to disable TLS on a desired port

It implements TLS encrypted and authenticated SMTP between the MTAs and from MUA to MTA. I have adjusted the file update_tmprsadh to chown the .pem files to vpopmail, which runs qmail-smtpd.

You may be interested to take a look to the page concerning smtp-auth and TLS testing here.

force-tls

• Author: Marcel Telka
• Download
• Version: 2016.05.15

optionally gets qmail to require TLS before authentication to improve security.
You have to declare FORCETLS=0 if you want to allow the auth without TLS

chkuser

• Author: Antonio Nati
• Info: http://opensource.interazioni.it/qmail/chkuser.html
• Version 2.0.9

performs recipient verification and Mail From: Address Verification (MAV).

Small adjustments and a bug fix by Luca Franceschini here. Now CHKUSER_DISABLE_VARIABLE, CHKUSER_SENDER_NOCHECK_VARIABLE, CHKUSER_SENDER_FORMAT_NOCHECK,
CHKUSER_RCPT_FORMAT_NOCHECK and CHKUSER_RCPT_MX_NOCHECK can be defined at runtime level as well.

You may be interested to take a look to this page concerning chkuser testing.

qmail-queue-custom-error.patch

• Author: Flavio Curti
• Download

Enables simscan and qmail-dkim to return the appropriate message for each e-mail it refuses to deliver. Simscan rejects with the name of the virus or the spam-score; qmail-dkim rejects with the verification failure message.

qmail-SPF

• Author: Christophe Saout. Patch modified by Manvendra Bhangui to make it IPv4-mapped IPv6 addresses compliant.
• Info: http://www.saout.de/misc/spf/
• Version rc5

It can check incoming mails inside the SMTP daemon, add Received-SPF lines and optionally block undesired transfers.

qmail-SRS

• Author: Marcelo Coelho
• Info: http://www.mco2.com.br/opensource/qmail/srs/

implements Sender Rewriting Scheme fixing SPF break upon email forwarding. To enable SRS read carefully the configuration instructions above.

Oversize DNS

• Author: Christopher K. Davis
• Info: http://www.ckdhr.com/ckd/qmail-103.patch (local copy)

This patch enables qmail to handle large DNS packets.

Reread concurrency patch

• Author: Jul
• Version: 2
• Patch

rereads control/concurrencylocal and control/concurrencyremote files when qmail-send receives a HUP signal.

Big Concurrency patch

• Author: Johannes Erdfelt
• Patch

It sets the spawn limit above 255.

Big Concurrency fix

• Author: Mihai Secasiu
• Patch
• Info: http://patchlog.com/linux/qmail-big-concurrency/

Fixes a compiler error if you set concurrency higher than 509 in /usr/local/src/netqmail-1.06/conf-spawn.

maildir++ patch

• Author: Bill Shupp
• Version:  20050125
• Patch

adds maildirquota support to qmail-pop3d and qmail-local.
Fixed a bug where the filesize part of the S=<filesize> component of the Maildir++ compatible filename is wrong (tx MG). More info here.

Better qmail-smtpd Logging patch

• Author: Kyle B. Wheeler
• Version: 5
• Info: http://www.memoryhole.net/qmail/#logging

Facilitates diagnosing qmail-smtpd logging its actions and decisions (search for a line starting with qmail-smtp:). This is useful for discovering fake IP addresses with bad HELO’s when qmail-smtpd doesn’t log anything.

Greeting delay patch

• Author: John Simpson (?)
• Patch
• More info here

adds a user-definable delay after SMTP clients have initiated SMTP sessions, prior to qmail-smtpd responding with "220 ESMTP". It can reject connections from clients which tried to send commands before greeting. You can control the delay via the environment variable SMTPD_GREETDELAY (was GREETDELAY in the original patch). A value of SMTPD_GREETDELAY=”30” will delay qmail-smtpd’s response for 30 seconds.

DKIM and SURBL patch

• Author: Manvendra Bhangui (a big thanks for the support)
• qmail-dkim uses hacked libdkim libraries from libdkim project at http://libdkim.sourceforge.net/
  surbfilter is built on djb functions and some functions have been ruthlessly borrowed from qmail surbl
  interface by Pieter Droogendijk and the surblhost program at http://surblhost.sourceforge.net/
• Version: 1.39
• DKIM configuration
• SURBL configuration
• ANNOUNCE.surblfilter
• Original patch

adds DKIM signing & verification support to qmail at both qmail-smtpd and qmail-remote/local level and SURBL filtering support to qmail.  
The file hier.c modified to chown /var/qmail/control/cache and subdirs to vpopmail.

EXT-TODO patch

• Authors: Claudio Jeker and Andre Oppermann
• Release: 5. Jan. 2003
• Patch
• README

addresses a problem known as the silly qmail (queue)  problem.

BIG-TODO patch

• Author: Russell Nelson
• Patch

Makes qmail use a hashing mechanism in the todo folder similar to that used in the rest of the queue.

qmail-inject-null-sender patch

• Author: Stéphane Cottin
• Patch
• More info here

Prevents qmail-inject from rewriting the null sender, fixing an issue with sieve vacation/reject messages.

doublebounce-trim patch

• Authors: Russell Nelson (modified version by Charles Cazabon)
• Patch

Prevents double bounces from hitting your queue a second time provided that you delete the first line from /var/qmail/control/doublebounceto

qmail-taps-extended

• Author: Inter7
• Patch
• Extended by Michai Secasiu (http://patchlog.com/patches/qmail-taps-extended/)

Provides the ability to archive each email that flows through the system. Archiving only messages from or to certain email addresses is possible as well.

qmail-remote CRLF patch

• Author: Rolf Eike Beer
• http://opensource.sf-tec.de/qmail/ (diff)

Enables qmail-remote to handle CR (\r) properly, always sending the line breaks as CRLF (\r\n) and avoiding to double the CR (like qmail-remote normally does). This often caused me a broken header when forwarding messages by means of a sieve rule.

outgoingip patch

• Author: Andy Repton (adjusted by Sergio Gelato)
• Patch
• Robbie Walker provided a patch to correct qmail-qmqpc.c's call to timeoutconn(), because the function signature was modified by the original outgoingip patch

By default all outgoing emails are sent through the first IP address on the interface. In case of a multiple IP server this patch makes qmail send outgoing emails with the IP eventually stored in control/outgoingip. The ehlo domain is NOT modified by this patch.

qmail-rfc2821 patch

• Author: Matthias Andree
• Patch
• More info here

makes qmail rfc2821 compliant.

Ali Erturk TURKER added implicit TLS (SMTPS) support (patch here).

smtpd-502-to-500 patch

• Author: Jonathan de Boyne Pollard
• Patch
• More info here

makes qmail rfc2821 compliant

qmail-dnsbl patch

• Author: Fabio Busatto
• Download: http://qmail-dnsbl.sourceforge.net/ (local copy)
• Modified by Luca Franceschini to add support for whitelists, TXT and A queries, configurable return codes 451 or 553 with custom messages
• More info here

allows you to reject spam and virus looking at the sender's ip address. Added a line to make qmail-smtpd log the reject reason as well as the envelope to facilitate diagnostics.

qmail-moreipme patch

• Author: Scott Gifford
• Version: 0.6
• More info here
• Configuration
• Patch

prevents a problem caused by an MX or other mail routing directive instructing qmail to connect to itself without realizing it's connecting to itself, saving CPU time.

qmail-hide-ip-headers

• Author: Alex Nee
• Patch

It will hide your Private or Public IP in the email Headers when you are sending Mail as a Relay Client.

qmail-date-localtime patch

• Author: John Saunders
• Patch

causes the various qmail programs to generate date stamps in the local timezone.

qmail-liberal-lf patch

• author: Dean Gaudet
• version: 0.95
• download: http://www.arctic.org/~dean/patches/qmail-0.95-liberal-lf.patch (local copy)

allows qmail-smtpd to accept messages that are terminated with a single \n instead of the required \r\n  sequence.

qmail-maxrcpt

• author: Michael Samuel
• Patch

allows you to set a limit on how many recipients are specified for any one email message by setting control/maxrcpt. RFC 2821 section 4.5.3.1 says that an MTA MUST allow at least 100 recipients for each message, since this is one of the favourite tricks of the spammer.
I slightly modified the patch also to log its response.

qmail-eMPF patch

• Author: Inter7
• Download
• README

eMPF follows a set of administrator-defined rules describing who can message whom.  With this, companies can segregate various parts of their organizations email activities, as well as provide a variety of security-enhancing services.

It's useful in case of spammed servers, to temporarily stop outgoing messages. It adds a line like this in your qmail-smtp log:

2015-03-30 18:05:54.442596500 policy_check: remote someone@somewhere.xy -> local user@yourdomain.xy (UNAUTHENTICATED SENDER)
2015-03-30 18:05:54.442612500 policy_check: policy allows transmission

qregex

• By  Andrew St. Jean. Contributors: Jeremy Kitchen, Alex Pleiner, Thanos Massias. Original patch by Evan Borgstrom)
• More info: http://www.arda.homeunix.net/downloads-qmail/
• README

adds the ability to match address evelopes via Regular Expressions (REs) in the qmail-smtpd process.

Added new control file 'badhelonorelay', control/badmailto renamed control/badrcptto (Tx Luca Franceschini).

brtlimit

• Author: Luca Franceschini, patch derived from goodrcptto-12.patch
• man qmail-smptd

adds control/brtlimit and BRTLIMIT variable to limit max invalid recipient errors before closing the connection.

validrcptto

• code grabbed by Luca Franceschini from several patches with additional features: http://qmail.jms1.net/patches/validrcptto.cdb.shtml, https://notes.sagredo.eu/files/qmail/patches/goodrcptto-ms-12.patch, http://patch.be/qmail/badrcptto.html. 

It works in conjunction with chkuser with both cdb and mysql accounts. Look here for details

reject-relay-test

• Author: Russell Nelson
• More info here

It gets qmail to reject relay probes generated by so-called anti-spammers. These relay probes have '!', '%' and '@' in the local (username) part of the address.

bug fixed in smtpd.c addrparse function

Fixed a little bug in 'mail from' address handling (see the patch by Andre Opperman at http://qmail.cr.yp.narkive.com/kBry6GJl/bug-in-qmail-smtpd-c-addrparse-function)

qlog patch

• Author: Luca Franceschini

smtpd logging with fixed format (note: 'size' field is evaluated only when control/databytes or DATABYTES are set. An entry 'qlogenvelope' is generated after accepting or rejecting every recipients in the envelope phase, example:

qlogenvelope: result=rejected code=553 reason=rblreject detail=b.barracudacentral.org helo=test.machine.it mailfrom=test@domain.com rcptto=test@pippo.com relay=no rcpthosts=yes size= authuser= authtype= encrypted= sslverified=no localip=15.15.15.15 localport=25 remoteip=14.143.30.83 remoteport=57502 remotehost= qp= id=39156
qlogenvelope: result=accepted code=250 reason=rcptto detail=chkuser helo=test mailfrom=test@test.com rcptto=test@pippo.com relay=no rcpthosts=yes size= authuser= authtype= encrypted= sslverified=no localip=15.15.15.15 localport=25 remoteip=12.181.218.154 remoteport=57742 remotehost= qp= pid=37357

an entry 'qlogreceived' is generated after DATA (message accepted o rejected by qmail-queue)

qlogreceived: result=accepted code=250 reason=queueaccept detail= helo=test.machine.it mailfrom=test@domain.com rcptto=test@gmail.com relay=yes rcpthosts= size= authuser=pippo@pippo.com,pluto@pippo.com authtype=login encrypted=tls sslverified=no localip=192.168.200.162 localport=25 remoteip=192.168.200.162 remoteport=52602 remotehost= qp=30982 pid=30980

reject null senders patch

• by Luca Franceschini

useful in special cases if you temporarily need to reject the null sender (although breaks RFC compatibility). You just need to put 1 (actually any number different from 0) in your control/rejectnullsenders or defin REJECTNULLSENDERS to reject the null sender with a 421 error message.

remove-cname-check patch

• Author: Luca Franceschini
• Download
• More info here https://lists.gt.net/qmail/users/138190

Removed dns_cname call in qmail-remote.c instead of changing the funcion in dns.c,in case another patch requires dns_cname(). Avoids qmail getting large amounts of DNS data we have no interest in and that may overflow our response buffer.

any-to-cname patch

• Author: Jonathan de Boyne Pollard
• Download

Avoids qmail getting large amounts of DNS data we have no interest in and that may overflow our response buffer.

rcptcheck patch

• Author: Luca Franceschini (based on original patch from Jay Soffian - download)
• Download the patch
• Download the rcptcheck-overlimit.sh script
• More info here

Originally designed for the purpose of receipt validation, it can also be used to limit the number of email a given IP and/or auth-user and/or domain can send in a given time interval. It has to be used in conjuction with the rcptcheck-overlimit.sh LF's script.

qmail-channels

• Author: Reed Sandberg
• More info here
• Discussion and configuration here

Allows you to add an arbitrary number of supplemental remote queues, each distinguished by a list of recipient domains and separate throttling (concurrency) capabilities. This patch also allows dynamic throttling of the concurrency control files so you can just send qmail-send a HUP signal instead of restarting the service every time.

This patch is useful when some email providers complain of too many emails receveid at the same time (in case of news letters for instance).

Edit conf-channels before compiling: Total number of channels (queues) available for delivery. Must be at least 2, and anything above 2 are considered supplemental channels.

qmail-remote-logging

• Authors: Endersys R&D team
  More info here
  Download

Gets qmail-remote to log sender, recipient and IP adddress all together in the "Delivery success/failure" line

Here is the sample log lines:

@400000004b1bdd4d1f89d84c delivery 10: success: <From:owner-freebsd-current@freebsd.org_To:user@remotedomain.com>_193.140.X.X_accepted_message.
/Remote_host_said:_250_ok_1260117440_qp_15626/

@400000004b1bdbb8191f1954 delivery 6: failure: <From:a@surgate.net_To:test323232@remoteserver.com>_212.252.x._does_not_like_recipient.
/Remote_host_said:_550_non-existent_recipient/alici_bulunamadi/Giving_up_on_212.252.x.x/

cve-2005-1513 fix

• Author: notqmail.org
• Patch and info here

 addresses a vulnerability issue spotted by Georgi Guninski in 2005.

qmail-spp

• Author: Pawel Foremski
• Version: 0.42
• More info here

qmail-spp provides plug-in support for qmail-smtpd. It allows you to write external programs and use them to check SMTP command argument validity. The plug-in can trigger several actions, like denying a command with an error message, logging data, adding a header and much more.

The qmail-spp functionality is disabled by default, so that it will be transparent for ancient users of this patch. If you want to enable qmail-spp just export the variable ENABLE_SPP in your run file. Note that the variable NOSPP is not available here.

fastremote

• Author: Bruce Guenter
• Download original patch

While sending individual messages with qmail consumes very little CPU, sending multiple large messages in parallel can effectively DoS a sender due to inefficiencies in qmail-remote's "blast" function. In its original form, this function scans the message one byte at a time to escape leading periods and newlines, as required by SMTP.

This patch modifies blast to scan the message in larger chunks. Tests show that the change reduces the CPU time consumed by qmail-remote by a factor of 10.

./compile tls.c
./compile ssl_timeoutio.c
./load qmail-remote control.o constmap.o timeoutread.o \
timeoutwrite.o timeoutconn.o tcpto.o now.o dns.o ip.o \
tls.o ssl_timeoutio.o -L/usr/local/ssl/lib -lssl -lcrypto \
ipalloc.o ipme.o quote.o ndelay.a case.a sig.a open.a \
lock.a seek.a getln.a stralloc.a alloc.a substdio.a error.a \
str.a fs.a auto_qmail.o `cat dns.lib` `cat socket.lib`
qmail-remote.o: In function `quit':
qmail-remote.c:(.text+0x9c9): undefined reference to `SSL_get_state'
qmail-remote.o: In function `tls_init':
qmail-remote.c:(.text+0xd45): undefined reference to `OPENSSL_init_ssl'
qmail-remote.c:(.text+0xd4a): undefined reference to `TLS_client_method'
qmail-remote.c:(.text+0xd6b): undefined reference to `SSL_CTX_set_options'
qmail-remote.c:(.text+0xdb9): undefined reference to `SSL_CTX_set_post_handshake_auth'
qmail-remote.c:(.text+0xf5f): undefined reference to `OPENSSL_sk_num'
qmail-remote.c:(.text+0xf86): undefined reference to `OPENSSL_sk_value'
qmail-remote.c:(.text+0xfc1): undefined reference to `OPENSSL_sk_pop_free'
qmail-remote.c:(.text+0x11ac): undefined reference to `OPENSSL_init_ssl'
qmail-remote.c:(.text+0x11b1): undefined reference to `TLS_client_method'
qmail-remote.c:(.text+0x11ce): undefined reference to `SSL_CTX_set_options'
qmail-remote.c:(.text+0x1493): undefined reference to `OPENSSL_sk_pop_free'
qmail-remote.c:(.text+0x14c7): undefined reference to `OPENSSL_sk_pop_free'
tls.o: In function `ssl_error':
tls.c:(.text+0x65): undefined reference to `OPENSSL_init_ssl'
ssl_timeoutio.o: In function `ssl_timeoutrehandshake':
ssl_timeoutio.c:(.text+0x33f): undefined reference to `SSL_verify_client_post_handshake'
collect2: error: ld returned 1 exit status
Makefile:1445: recipe for target 'qmail-remote' failed
make: *** [qmail-remote] Error 1

cc -O2 -DTLS=20200107 -I/usr/local/include/