|
|
|
|
|
|
| Author |
Message |
Jonathan de Boyne Pollard
*nix forums beginner
Joined: 07 Jan 2005
Posts: 49
|
 Posted: Fri Jan 07, 2005 6:51 pm Post subject:
No smtp greeting
|
|
|
CR> /usr/local/bin/tcpserver -v -H -R -l "$LOCAL" \
CR> -x /etc/tcp.smtp.cdb \
CR> -c "$MAXSTMPD" -u "$QMAILDUID" -g "$NOFILESGID" \
CR> 0 smtp /var/qmail/bin/qmail-smtpd
CR> 1724 ? S 0:00 \
CR> /usr/local/bin/tcpserver -v -H -R -l atheris.itsconnect.com \
CR> -x /etc/tcp.smtp.cdb \
CR> -c -u 1002 -g 102 \
CR> 0 smtp /var/qmail/bin/qmail-smtpd
What you need is a "tcpserver" that actually performs error checking on
its command line options.
<URL:http://homepages.tesco.net./~J.deBoynePollard/Softwares/ucspi/#option-checks> |
|
| Back to top |
|
 |
Jonathan de Boyne Pollard
*nix forums beginner
Joined: 07 Jan 2005
Posts: 49
|
| Posted: Fri Jan 07, 2005 6:51 pm Post subject:
Re: hostname / domain (basic questions...)
|
|
|
SS> c> Putting drmemory.starband.net.mshome.net into control/me...
This is why "qmail-inject" is using
<swani@drmemory.starband.net.mshome.net> as your mailbox name. I'm
guessing that the correct contents of "control/me" should be
"drmemory.starband.net".
SS> c> Your host's fully qualified name in DNS is
drmemory.starband.net.mshome.net.
And this is why "config" thought in the first place that "control/me"
should contain that. "dnsfq" performed a name->address->name mapping on
"drmemory.starband.net." and came back at the end with
"drmemory.starband.net.mshome.net.".
SS> Sometime long ago, I put HOSTNAME=drmemory.starband.net into the
SS> /etc/sysconfig/networks file.
This, in combination with either with a wildcard or a badly edited
"zone" file, is why your "hostname" command is behaving as it does when
you use its "-f" option, and why "config" did the same.
SS> Don't know if that was wise or not, [...]
It wasn't. You should, at the very least, have put a dot on the end to
make it into an actual fully-qualified domain name if it being a
fully-qualified domain name was your intention. (There are
disadvantages having your hostname be a fully-qualified domain name,
note. A few softwares expect the hostname to not be fully qualified,
and become quite upset if it is.)
<URL:http://menandmice.com./online_docs_and_faq/glossary/fqdn.htm>
SS> but it seemed to work with postfix.
Postfix has funny ideas about domain name qualification. This is but
one of them. The rest of the world ("qmail", the "hostname" command,
Sendmail, "exim", and so forth) assume that gethostname()/uname()
returns a local nickname, which they then pass through various
contortions to invoke DNS name qualification (gethostbyname(),
dns_ptr(dns_ip()), and so forth) to obtain the actual full host name.
You've seen the results that your configuration yields with "qmail" and
with the "hostname" command. Postfix, in contrast, assumes that
gethostname() returns the full host name directly, and by default
derives everything else from that ($myorigin::=$myhostname,
$mydomain::=$myhostname minus the first label,
$mydestination::=$myhostname amongst others, and so forth) with no
attempt to run it through any DNS name qualification procedures first.
Because your hostname wasn't a local nickname, Postfix happened to work.
SS> The hostname I see is being set in sysconfig. But where does that
SS> mshome.net part come from?
grep domain /etc/resolv.conf
SS> What should /etc/hosts actually contain?
The contents of "/etc/hosts" are irrelevant to your problem. In fact,
they are largely irrelevant to your entire use of "qmail".
SS> What hostname should I be setting in sysconfig?
Either (read this *carefully*) "drmemory.starband.net." or "drmemory".
SS> Should I run ./config-fast?
No. You should edit "control/me", "control/defaultdomain", and
"control/locals". |
|
| Back to top |
|
|
Jonathan de Boyne Pollard
*nix forums beginner
Joined: 07 Jan 2005
Posts: 49
|
| Posted: Fri Jan 07, 2005 6:51 pm Post subject:
Re: excessive recursion
|
|
|
KM> something strange is going on.
Indeed. You have an error logged with the words "Remote host said:" in
it, followed by the error message text from the remote host that is
clearly from Sendmail, and yet you've decided to ask about your "qmail"
system in the "qmail" support forum. |
|
| Back to top |
|
|
Jonathan de Boyne Pollard
*nix forums beginner
Joined: 07 Jan 2005
Posts: 49
|
| Posted: Fri Jan 07, 2005 6:51 pm Post subject:
Re: possible spam w/ Delivered-To line?
|
|
|
CC> You have not shown any evidence that spammers are relaying messages
CC> through your qmail server.
Actually, pre-adding a "Delivered-To:" is a new variation on the old
"Have an innocent intermediary deliver the payload to the victim in a
bounce message." trick that UBM senders have recently begun to use.
A few people vilify MTS softwares that check the local parts of mailbox
names after accepting a message, on the grounds that UBM senders exploit
this to have the intermediaries generate bounce messages containing the
payload and directed at the real targets, ignoring the fact that having
the SMTP Relay server run in a context where it does not have privileged
access to other user accounts is an advance in the state of the art. I
predict that on the exact same grounds those people will soon begin
vilifying MTS softwares that have a "Delivered-To:" loop detection
mechanism. Have their way, and we'll be back where we were in the
1980s, with no loop detection and with SMTP Relay servers that run with
elevated privileges, in no time. |
|
| Back to top |
|
|
Jonathan de Boyne Pollard
*nix forums beginner
Joined: 07 Jan 2005
Posts: 49
|
| Posted: Fri Jan 07, 2005 6:51 pm Post subject:
Re: Audubon autoresponder
|
|
|
JN> I've also managed to figure out that the audubon@neodata.com address
JN> is NOT subscribed to the list. It probably never was, since ezmlm is
JN> careful enough to not allow "broken autoresponder" subscriptions.
<URL:http://homepages.tesco.net./~J.deBoynePollard/FGA/djb-qsecretary.html#Flaws> |
|
| Back to top |
|
|
Jonathan de Boyne Pollard
*nix forums beginner
Joined: 07 Jan 2005
Posts: 49
|
| Posted: Fri Jan 07, 2005 6:51 pm Post subject:
Re: Little patch for setting the From:
|
|
|
BL> it's a fact that NAT will always have some "advantage" for a
BL> sysadmin like the false feeling of security of the box behind.
X> if we all had public IP's setting up an SMB server to put files on
X> would be that much harder, as now you can have someone in India
X> connect to it.
Wrong. That's exactly the false feeling of security that NAT inspires
that Benoit was referring to.
NAT implies the use of non-public IP addresses, and the supposed feeling
of security is actually derived from that rather than from NAT /per
se/. But often that hypothetical Person in India can also connect to a
machine with a non-public IP address. Non-public and site-local IP
addresses are not magic pixie dust. There's nothing inherently special
about them that makes them unreachable. The thing that makes them
unreachable is not "RFC 1918 has a magic incantation in it that casts a
spell on the world" but the simple presence of rules in border routers
that say "filter out traffic with these IP addresses in it". And it's
just as easy to have a rule that says to filter out 2001:04F8::/32 (a
company's global unicast address space) traffic as it is to have a rule
that says to filter out FEC0::/16 (site local address space) traffic.
The router doesn't care about the actual numbers. So it's just as easy to
use public IP addresses, and secure that SMB server from (direct) outside
access by filtering out traffic using those addresses, as it is to use
non-public IP addresses, and secure it from (direct) outside access by
filtering out traffic using those addresses. Furthermore: The argument
that the well-known non-public IP address ranges are already universally
filtered out, making using them the easier option to employ, is quite
easily demonstrated to be based upon a premise that is actually false in
practice.
Here's an eye-opener for those sitting behind mass-market routers that
perform NAT, assigning 192.168.0.0/16 IP addresses to their machines:
Find out whether your router happily transmits 10.0.0.0/8, or
172.16.0.0/12, or 127.0.0.0/8 traffic between you and the rest of
Internet. If so, ask yourself what, exactly, is making all of those "a
secure address range" that "someone outside of your network cannot reach".
The argument in favour of using RFC 1918 non-public IP addresses is that
public IP version 4 addresses are *hard to obtain*. If they were easy
to obtain, there would be no reason to favour non-public IP addresses
over public IP addresses in this context, since it is equally easy to
render either one unreachable.
Over the past few years I've been carefully recommending, as best
practice, that proxy servers be configured to listen on
"non-publically-reachable IP addresses" rather than "RFC 1918 IP
addresses", because it was pointed out that "reserved by RFC 1918" and
"unreachable" are not synonymous. |
|
| Back to top |
|
|
Mark Lundquist
*nix forums beginner
Joined: 07 Jan 2005
Posts: 6
|
| Posted: Fri Jan 07, 2005 6:54 pm Post subject:
RE: maildirmake difficulties
|
|
|
| Quote: | From: Charles Cazabon [mailto:qmail@discworld.dyndns.org]
[...snip]
For normal user maildirs, you want $HOME/Maildir or similar. For
a virtual
domain, that might be $HOME/users/username/ (like with vmailmgr, for
instance) -- i.e., maildirs do not have to be named "Maildir".
|
True, but watch out... if you're using qmail-popup/qmail-pop3d, it has to be
the same for everybody.
~ Mark |
|
| Back to top |
|
|
Mark Lundquist
*nix forums beginner
Joined: 07 Jan 2005
Posts: 6
|
| Posted: Fri Jan 07, 2005 7:05 pm Post subject:
RE: maildirmake difficulties
|
|
|
| Quote: | From: Mark Lundquist [mailto:ml@wrinkledog.com]
Well, I guess you don't have "." on your path.
Bourne shells:
PATH=".:$PATH"
export PATH
csh:
set path = (. $path)
rehash
|
I guess that was more academic/illustrative than practical. Tying to teach
you a little Unix. See below...
| Quote: |
Or just invoke it as "/var/qmail/bin/maildirmake" (assuming qmail
installed
in the standard place).
|
More practically, add /var/qmail/bin to your path (see above). Then you can
invoke it as plain-ol' "maildirmake" from then on.
cheers,
~ml |
|
| Back to top |
|
|
Kyle Wheeler
*nix forums Guru Wannabe
Joined: 07 Jan 2005
Posts: 208
|
| Posted: Fri Jan 07, 2005 7:44 pm Post subject:
Re: maildirmake difficulties
|
|
|
On Friday, January 7 at 01:42 PM, quoth Charles Cazabon:
| Quote: | Is it really necessary for the person who the "Maildir" is for
execute maildirmake? Can I just create the directories as needed
and then ensure that the owner is the user for which the "Maildir"
has been created?
Yes, you can do this. It's just that a common pitfall is to change the
ownership of the maildir, but forget to change the ownership of the
subdirectories inside it (i.e., forget to make the chown recursive).
|
To add to what Charles said, if your users will all be system users (not
virtual users), then a convenient way to ensure that they all will have
a Maildir in their home directory (when they are created) with the
correct permissions is to create (as root) a Maildir in /etc/skel/. In
many Unixes, including (I believe) RedHat, the files in /etc/skel/ are
re-created in the home directories of all new users---this directory
frequently contains a default .login and similar files. Once you do
that, every new user you create on the machine will automatically have a
Maildir created for them in their home directory, and all the
permissions and whatnot for it will be correct. This doesn't affect
already existing users, of course.
~Kyle
--
It is easier to be critical than to be correct.
-- Benjamin Disraeli |
|
| Back to top |
|
|
Bruce Larson
*nix forums beginner
Joined: 07 Jan 2005
Posts: 11
|
| Posted: Fri Jan 07, 2005 8:26 pm Post subject:
Re: maildirmake difficulties
|
|
|
On Fri, 7 Jan 2005 13:42:44 -0600, Charles Cazabon
<qmail@discworld.dyndns.org> wrote:
| Quote: | Most likely a problem with that user's PATH. The current working directory is
generally /not/ in PATH for security reasons. If you try
as this user and run it with the directory explicit (i.e.
`/var/qmail/bin/maildirmake ./Maildir`), does it work? If so, that's the
problem. You can add /var/qmail/bin/ to the user's path, or symlink the
command to somewhere else that already is in their path.
Thank you Charles. I thought it was a PATH issue but my Unix skills |
are 5 years rusty and for the life of me I could not remember how to
append to the PATH environment variable.
| Quote: | Yes, you can do this. It's just that a common pitfall is to change the
ownership of the maildir, but forget to change the ownership of the
subdirectories inside it (i.e., forget to make the chown recursive).
Understood. Only a couple of my email users will have access to the |
server and therefore cannot create their own Maildir's, but that can
be automated and managed.
| Quote: | The two have totally different meanings. The first is a file or directory
named Maildir in the current directory, the latter is a file or directory
named Maildir in the root directory.
Thanks again for the Unix review... I guess my skills got a little |
rustier then I thought over the last 5 + years... That and I have a
tendancy to try to do to many things at once. Thanks for your patient
assistance.
Cheers,
Bruce |
|
| Back to top |
|
|
Bruce Larson
*nix forums beginner
Joined: 07 Jan 2005
Posts: 11
|
| Posted: Fri Jan 07, 2005 8:39 pm Post subject:
Re: maildirmake difficulties
|
|
|
On Fri, 7 Jan 2005 15:44:58 -0500, Kyle Wheeler
<kyle-qmail@memoryhole.net> wrote:
| Quote: | To add to what Charles said, if your users will all be system users (not
virtual users), then a convenient way to ensure that they all will have
a Maildir in their home directory (when they are created) with the
correct permissions is to create (as root) a Maildir in /etc/skel/. In
many Unixes, including (I believe) RedHat, the files in /etc/skel/ are
re-created in the home directories of all new users---this directory
frequently contains a default .login and similar files. Once you do
that, every new user you create on the machine will automatically have a
Maildir created for them in their home directory, and all the
permissions and whatnot for it will be correct. This doesn't affect
already existing users, of course.
Thank you Kyle. Yes Redhat does provide the facility of a preset |
skeleton directory structure for new users. However, my situation is
one where a few of the users will be on the system but most will be
virtual, in that they do not have system accounts.
Cheers,
Bruce |
|
| Back to top |
|
|
Chris Berry
*nix forums addict
Joined: 08 Jan 2005
Posts: 81
|
| Posted: Sat Jan 08, 2005 1:42 am Post subject:
Re: deny sending to internet users based on email address
|
|
|
Although I tend to agree with Charles sentiments about employee trust,
I've found this a fairly common request from management. This cannot be
implemented using pure qmail, however if you set up a second smtpd
listener on port 26 that is local only, then block port 25 for those
users with an authenticating firewall it will effectively create the
situation you're looking for.
Chris Berry
chris_berry@jm-associates.com
Systems Administrator
JM Associates & Coast Business Service
"FIRE! READY! AIM! -Poor management process exemplified"
Charles Cazabon wrote:
| Quote: | Winanjaya <winanjaya@lippogeneral.com> wrote:
I have 5 email addresses that need to be denied sending email to internet
users, they are as follow:
user1@mydomain.com
user3@mydomain.com
user5@mydomain.com
user7@mydomain.com
user8@mydomain.com
they are DHCP users, so their IP not assigned in tcp.smtp .. but I'm very
worry that these 5 email addresses being used in a authorised PC which has
static IP and allowed to send email to everybody in the world .. how to deal
with this?
Sit down with the people who have those addresses, and tell them "You are not
allowed to send mail to the rest of the internet". Then, monitor your logs,
and if they break the rules, revoke their accounts.
Or, since you don't trust them, revoke their accounts now, before they cause a
problem.
.. is it possible for me to a list those email addresses into a
file (ie. badsender) .. then ask qmail to read that file (ie. badsender) ..
with the following condition: if they send email to internet user then they
will be rejected ..
No, qmail does not support that -- but even if it did, they could simply
change their MUA settings and send mail using a different address, so it
wouldn't help.
Perhaps it would help if you would explain why you have five users who should
be allowed to send intranet mail, and who are given access to workstations and
servers, but who cannot be trusted to send internet email.
Charles |
|
|
| Back to top |
|
|
David Dyer-Bennet
*nix forums beginner
Joined: 08 Jan 2005
Posts: 5
|
| Posted: Sat Jan 08, 2005 6:33 am Post subject:
Adding smtp auth
|
|
|
I'm rebuilding my servers, hence my email setup, and hence looking at
making changes (since changing just one thing at a time is really too
simple  ) (Okay, since I'll have them out of service for testing
anyway, it's a good time to make other changes too.)
Change 1: I think I want to add smpt auth capability. I support some
roving users, and as I understand it that's the easiest way to make
their setup portable (they don't have to find/guess what a working
outbound smtp server is for their boxes at each IP provider they work
through). There appear to be multiple smtp auth patches; is there a
clear consensus on one being "the" smtp auth patch this week? I think
I want to use Bruce Guenter's mailfront stuff anyway, and I need to
keep using vmailmgr (so far as I can tell vmailmgr is the only way to
support *both* local users *and* virtual users on the same box). So
does using mailfront settle my smtp auth decision? Survivably?
Change 2: I'm currently using qpsmtpd. I'm not sure that's worth the
cost. The big thing I think I'm winning on by using it is the ability
to block based on name-based blocking lists -- especially some of the
ones from rfc-ignorant.org. (I initially started using qpsmtpd for
spf, but on consideration I don't think I care any more.) Hence
mailfront being considered. The loop blocking gets the one crucial
thing, spammers whose bouncing messages try to go to 127.* and loop
forever.
Thought 3: Is it worth it / easy enough to support some kind of
encryption of links for smtp sending and pop pickup? Most importantly
for the password in smtp auth and in pop?
Other than that, looks like I'm starting from netqmail-1.05 and adding
patches from there. I don't need some of the patches I had in before
I now think, which simplifies things some. With the level of patching
I'm doing, debian packages aren't so attractive for this application
to me, so I think I'm just building from source as I always have.
I've been scanning this list pretty erratically the last few years and
posting hardly at all, so I may have missed important changes /
revolutions / discoveries when they happened and not caught them in my
quick research the last few days. So what else should I be thinking
about?
--
David Dyer-Bennet, <mailto:dd-b@dd-b.net>, <http://www.dd-b.net/dd-b/>
RKBA: <http://noguns-nomoney.com/> <http://www.dd-b.net/carry/>
Pics: <http://dd-b.lighthunters.net/> <http://www.dd-b.net/dd-b/SnapshotAlbum/>
Dragaera/Steven Brust: <http://dragaera.info/> |
|
| Back to top |
|
|
David Dyer-Bennet
*nix forums beginner
Joined: 08 Jan 2005
Posts: 5
|
| Posted: Sat Jan 08, 2005 6:52 am Post subject:
Re: Virus bounces - best practice
|
|
|
Kiril Todorov <voland@shadowblade.net> writes:
| Quote: | Payal Rathod wrote:
What is the actual purpose of two MXes then?
-Payal
Well, the purpose is obvious - if something happens with your primary
mail server, the senders will have another choice to try to send you
mail.
There probably was some benefit of this feature some time ago.
Nowadays it's mostly useless.
|
Huh; I depend upon it heavily, and in fact one of my major annoyances
is people not sending to the secondary MX if the primary is down.
They are both under my control and have identical anti-spam settings,
so.
--
David Dyer-Bennet, <mailto:dd-b@dd-b.net>, <http://www.dd-b.net/dd-b/>
RKBA: <http://noguns-nomoney.com/> <http://www.dd-b.net/carry/>
Pics: <http://dd-b.lighthunters.net/> <http://www.dd-b.net/dd-b/SnapshotAlbum/>
Dragaera/Steven Brust: <http://dragaera.info/> |
|
| Back to top |
|
|
Kyle Wheeler
*nix forums Guru Wannabe
Joined: 07 Jan 2005
Posts: 208
|
| Posted: Sat Jan 08, 2005 7:30 am Post subject:
Re: Adding smtp auth
|
|
|
On Saturday, January 8 at 01:33 AM, quoth David Dyer-Bennet:
| Quote: | Change 1: I think I want to add smpt auth capability. I support some
roving users, and as I understand it that's the easiest way to make
their setup portable (they don't have to find/guess what a working
outbound smtp server is for their boxes at each IP provider they work
through). There appear to be multiple smtp auth patches; is there a
clear consensus on one being "the" smtp auth patch this week? I think
I want to use Bruce Guenter's mailfront stuff anyway, and I need to
keep using vmailmgr (so far as I can tell vmailmgr is the only way to
support *both* local users *and* virtual users on the same box). So
does using mailfront settle my smtp auth decision? Survivably?
|
Yes. Mailfront supports smtp auth---you don't have to do any patching of
anything to get it to work. And as I recall it uses the same checkpasswd
interface, so any checkpasswd-compatible tool that vmailmgr provides
should work.
| Quote: | Change 2: I'm currently using qpsmtpd. I'm not sure that's worth the
cost. The big thing I think I'm winning on by using it is the ability
to block based on name-based blocking lists -- especially some of the
ones from rfc-ignorant.org. (I initially started using qpsmtpd for
spf, but on consideration I don't think I care any more.) Hence
mailfront being considered. The loop blocking gets the one crucial
thing, spammers whose bouncing messages try to go to 127.* and loop
forever.
|
Qmail should be able to detect those loops - if not, something is wrong.
I don't know much about qpsmtpd, but if you don't think you get much
benefit from it's features: don't use it. The fewer programs that get
run, the faster and harder-to-break your system will be.
| Quote: | Thought 3: Is it worth it / easy enough to support some kind of
encryption of links for smtp sending and pop pickup? Most importantly
for the password in smtp auth and in pop?
|
YES.
Strictly speaking, there is a form of SMTP AUTH that keeps your password
reasonably secure (CRAM-MD5 authentication)---there are others, but
that's the one that's in most of the qmail smtp-auth stuff. And it's
fine as far as it goes, but I feel more secure using something more
standard like SSL (note: this feeling has no real cryptography
background). It seems to me that SSL is more widely supported by mail
clients than CRAM-MD5 or more exotic authentication mechanisms, so for
compatability, that's a plus.
Beyond that, connection encryption is useful mostly to give you some
sense of privacy, knowing that you're doing all you can short of GPG- or
S/MIME-encryption to ensure that only the destination gets to read your
email. Realistically, if you're sending to external addresses, not all
servers support the STARTTLS command, so your message may be sent in
clear-text at some point, so the assurance only applies strictly to
messages internal to your system.
Anyway, it's relatively easy. I believe mailfront can do SSL encryption
for incoming connections (thus protecting SMTP-AUTH passwords), and if
that's all you want then it's probably sufficient. If you want outgoing
connections to be encrypted if possible, then you'll need to patch
qmail. The standard patch seems to be Frederik Vermeulen's patch,
available from qmail.org. I've used it for years without trouble.
Personally, I view the STARTTLS and SMTP-AUTH patches to qmail as
*nearly* non-optional for a mail system that is connected to the general
internet, though mailfront should provide most of what you need there.
| Quote: | Other than that, looks like I'm starting from netqmail-1.05 and adding
patches from there. I don't need some of the patches I had in before
I now think, which simplifies things some. With the level of patching
I'm doing, debian packages aren't so attractive for this application
to me, so I think I'm just building from source as I always have.
|
Probably a good idea.
| Quote: | I've been scanning this list pretty erratically the last few years and
posting hardly at all, so I may have missed important changes /
revolutions / discoveries when they happened and not caught them in my
quick research the last few days. So what else should I be thinking
about?
|
Depends on what you need. May I recommend Russ Nelson's anti-virus
(well, anti-windows-executables) patch?
~Kyle
--
If A equals success, then the formula is A=X+Y+Z. X is work. Y is play. Z
is keep your mouth shut.
-- Albert Einstein |
|
| Back to top |
|
|
Google
|
|
| Back to top |
|
|
|
|
The time now is Tue Dec 02, 2008 5:30 am | All times are GMT
|
|
Repair Bad Credit | Credit Card Debt Consolidation | Loans | Credit Counseling | Credit Cards
|
|
Copyright © 2004-2005 DeniX Solutions SRL
|
|
|
|
Other DeniX Solutions sites:
Unix/Linux blog |
electronics forum |
medicine forum |
science forum |
|
|
Privacy Policy
|
Powered by phpBB © 2001, 2005 phpBB Group
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
Forum index
»
Apps
»
Qmail
