Talk:Qmail, Mail toaster
Revision as of 11:15, 22 February 2009
no, really
no, really, the comma shouldn't be there. (or the title should be "what it is, and what we are doing here" without the question mark). I used to be a spelling and grammar nazi in a past life.
-d.
bad comma
You're going to have to back that up with an external link to a well-accepted style guide that clearly states that using a comma there is wrong, and even then I don't promise to care. =) --Jimbo 20:36, 15 Dec 2004 (EST)
grammar nazi bs
http://cctc2.commnet.edu/grammar/commas.htm
while not incorrect to use the comma there, it makes for bad scanning.
-d.
full path
I'm not well up on wiki etiquette so I just thought I'd add a comment here on a small change I made.
I added two /etc/ to the following section to ensure the command will work correctly when executed outside of the /etc directory
ph34r# rehash
ph34r# cat /etc/tcp.smtp | tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp
Also for some reason I couldn't get make enable-qmail to execute. It was probably something I was doing wrong but should anyone run into similar difficulty just check out the file work/qmail-enable inside the qmail+smtp_auth+tls ports directory.
It's easy enough to read what it does and then execute the commands for disabling sendmail and enabling qmail manually.
P.S. Great guide, it was very helpful, Eoin
that's odd
Huh - that's odd (that make qmail-enable ran into problems). Never seen that before. And your change was good, thanks. =) --Jimbo 10:59, 7 Jun 2005 (EDT)
oddly enough
so for giggles, i'm installing a listserv (using mailman...i'll let you know how it works out) and I'm using FreeBSD for the hell of it. and I am also having problems doing a make enable-qmail. going into the work dir doesn't shed any light on the matter as the only thing in there is:
# ls -la
total 28
drwxr-xr-x  3 root wheel   512 Jul 13 16:18 .
drwxr-xr-x  3 root wheel   512 Jul 13 16:18 ..
-rw-r--r--  1 root wheel     0 Jul 13 16:18 .build_done.qmail-smtp_auth+tls-1.03.20020519_1._var_qmail
-rw-r--r--  1 root wheel     0 Jul 13 16:18 .configure_done.qmail-smtp_auth+tls-1.03.20020519_1._var_qmail
-rw-r--r--  1 root wheel     0 Jul 13 16:18 .extract_done.qmail-smtp_auth+tls-1.03.20020519_1._var_qmail
-rw-r--r--  1 root wheel     0 Jul 13 16:18 .patch_done.qmail-smtp_auth+tls-1.03.20020519_1._var_qmail
-rw-r--r--  1 root wheel   311 Jul 13 16:18 SMTP_AUTH+TLS.readme
-rw-r--r--  1 root wheel  2639 Jul 13 16:18 pkg-install
drwxr-xr-x  2 root wheel 16896 Jul 13 16:18 '''qmail-1.03'''
so what does enable-qmail do (as a target to make) that just a make install doesn't?
See the directory that I bolded in your ls output there? That's where the goodies are. That's how the work directory from a built port always looks. But in this case, what you actually want to look at is files/enable-qmail.in. What it does is, so far as I can tell, is just make sure that the mail command gets re-aliased to qmail from whatever it was aliased to before, by the means of copying a conf file. From looking at the Makefile, though, it looks as though the qmail-enable target may not even exist anymore; it looks like an installation of qmail since 1.03_3 will probably make a /var/qmail/scripts directory instead, from which you can run the script /var/qmail/scripts/enable-qmail. Lemme know what you find out, okay? --Jimbo 00:00, 14 Jul 2005 (EDT)
It might be worth mentioning that if vpopmail is ever upgraded then you need to manually reset the file attributes of /usr/local/vpopmail/bin/vchkpw or users will have login troubles.
-Eoin
Great Guide but I am having problems with the SqWebmail Portion, it seems now that in the ports tree when you install sqwebmail you get courier-authdaemond installed instead of sqwebmail-authdaemond, and I can not find anywhere the PREFIX script I need to replace in the .sh files, and I notice that courier-authdaemond has PREFIX already set to /usr/local already.......so I thought I was good to go.
but after I start the daemons and point my browser to Sqwebmail I get a 500 error with: The webmail system is temporarily unavailable. An error occured in function write: Socket is not connected?
I notice that in the courier-authdaemond.sh there is a setting for socket with the base directory being $authbase/run/socket however there is not a socket file or folder in /var/run
Any Thoughts?
- J
are you sure that $authbase == /var/run? I'd do a "find / | grep socket" to see where it might be..
--Dave 23:42, 14 Sep 2005 (EDT)
Here is the output:
nusparky# find / | grep socket
/usr/include/netgraph/bluetooth/include/ng_btsocket.h
/usr/include/netgraph/bluetooth/include/ng_btsocket_hci_raw.h
/usr/include/netgraph/bluetooth/include/ng_btsocket_l2cap.h
/usr/include/netgraph/bluetooth/include/ng_btsocket_rfcomm.h
/usr/include/netgraph/ng_ksocket.h
/usr/include/netgraph/ng_socket.h
/usr/include/netgraph/ng_socketvar.h
/usr/include/sys/socket.h
/usr/include/sys/socketvar.h
/usr/local/man/man1/socket.1.gz
/usr/local/bin/socket
/usr/local/lib/perl5/site_perl/5.8.7/mach/sys/socket.ph
/usr/local/lib/perl5/site_perl/5.8.7/mach/sys/socketvar.ph
/usr/local/share/doc/socket
/usr/local/share/doc/socket/README
/ ......the rest are documents or in the ports tree
^C
nusparky#
Any ideas?
-J
maybe something else is holding the socket open? I'm guessing you've got sqwebmail tied into apache -- is your apache config ok? I don't run webmail myself so I probably won't be much help.
--Dave 09:47, 15 Sep 2005 (EDT)
have you tried to ps waux | grep authdaemon?
Try to start the authdaemon - /usr/local/etc/rc.d/(whatever)daemond.sh start - and then ps waux | grep authdaemon. Is it running?
If it isn't, you're going to need to figure out why. Usually the easiest way to deal with that PREFIX crap is just to snip it out and sub in the /usr/local/ hard-coded. --Jimbo 02:07, 16 Sep 2005 (EDT)
lsof to find open sockets maybe
might want to use lsof to see what's holding the socket open too...
--Dave 11:56, 17 Sep 2005 (EDT)
this article should be updated...
...unfortunately, until i reinstall freebsd on a sparc at work, i have no bsd to do it with; the make qmail-enable thing doesn't work (i do the qmailrocks.org install myself....although i've been playing with postfix recently, and i'm going to install zimbra on my new listserver (why i moved my x86-64 box to CentOS instead of FreeBSD)....
--Dave 23:56, 3 Jan 2006 (EST)
Checking Environment Variables
Note to self: checking the environment variable TCPREMOTEINFO is a better way to check for authenticated SMTP, but qsheff doesn't pass that along - you'd need to wrap BEFORE qsheff, not after, in order to pick up on that. Which is beginning to beg the point of using qsheff at all... here is a complete list of environment variables present when qmail-queue is run:
TCPLOCALPORT=2525
USER=yourmom
SSH_CLIENT='24.168.100.50 3295 22'
MACHTYPE=i386
MAIL=/var/mail/mom
TCPREMOTEIP=70.150.138.10
VENDOR=intel
SHLVL=2
HOME=/root
PROTO=TCP
SSH_TTY=/dev/ttyp0
PAGER=more
PS1='$ '
OPTIND=1
PS2='> '
GROUP=wheel
LOGNAME=mom
TERM=xterm
BLOCKSIZE=K
TCPREMOTEPORT=1935
PPID=92605
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin:/usr/X11R6/bin:/root/bin
REMOTEHOST=24.168.100.50
TCPLOCALIP=66.154.114.98
SHELL=/bin/csh
HOST=blackbox.tehinterweb.net
IFS=' '
OSTYPE=FreeBSD
TCPLOCALHOST=mail.jrssystems.net
PWD=/home/mom
TCPREMOTEINFO=jim@jrssystems.net
SSH_CONNECTION='24.168.100.50 3295 66.154.114.98 22'
FTP_PASSIVE_MODE=YES
HOSTTYPE=FreeBSD
EDITOR=vi
No black magic. So - ditch qsheff entirely and simply wrap qmail-queue itself?
ENVs to particularly note: TCPREMOTEINFO, TCPREMOTEIP
Final note for the night: don't see why not do my own standalone wrapper; mail got delivered fine while I was piping environment variables to a text file and piping STDIN to qmail-queue just now. No black magic a'tall, I don't know why wrapping qmail-queue wasn't seeming to work for me the last time I tried it; maybe I just didn't have the permissions set so that my wrapper would execute then?
AHA there is one bit of magic: qmail-queue actually READS its STDOUT to get addressing information normally; that's how bcc works. Example:
open (FH, "<&=1"); @so = <FH>; close (FH);
in a wrapper will get you the following in @so, from a message bcc'ed to yourmom@momscrib.com:
Fdad@pimpshack.netTyourmom@momscrib.com
Harrrr....
--Jimbo 02:58, 21 Feb 2006 (EST)
Okay FOR REAL final line for the night: turns out that trying to get Perl to write to a child's STDOUT is beyond fucking painful. However it looks like /usr/ports/mail/qmail-qfilter will do the job nicely, it can be compiled as a plain (brown) wrapper with a minor alteration to the source code and takes a "get out of here you jackass" exit code (31) or a silent drop exit code (99) so there's good range of functionality.
it runs like this: put a shell script in place of qmail-queue like so:
#!/bin/sh
exec /path/to/qmail-qfilter \
  /path/to/spamc -- \
  /path/to/reject-message-with-spamrating-over-5 -- \
  /path/to/reject-message-with-unwantedkeyword -- \
  /path/to/reject-message-with-sobig
Sheesh. It's 5AM again. =( --Jimbo 05:00, 21 Feb 2006 (EST)
Confirmed. qmail-qfilter works fine. Just need to rework maildump.pl to dump the message to STDOUT instead of trying to feed it to qmail-queue directly by itself. --Jimbo 05:15, 21 Feb 2006 (EST)
SETUID perl?
probably will need to compile a new version of Perl from ports with MAKE -DENABLESUIDPERL=yes so's we can run the scanner as vpopmail / vchkpw, if you want to run the script setuid (as vpopmail, so it can deliver mail to normal MTA-accessible maildirs). It's better and easier to use sudo, IF you have the option - but if sudo craps out on you and starts acting buggy (it has happened to me on some servers but not others), running setuid IS a workable fallback option.
qqxrc.patch
save this (gotten from http://www.wijata.com/software/#QMAIL) as /home/[yourname]/qqxrc.patch
cd /usr/ports/mail/qmail-tls
make config
(make sure to select the SMTP_AUTH knob and the RCDLINK knob; optionally you may choose to select the local-time knob also - DON'T select the double-bounce knob unless you want to patch by hand, the automated patch will FAIL if you do.)
make fetch
make patch
cd work/qmail-1.03
patch < /home/[yourname]/qqxrc.patch
cd ../..
make install
now you can make install as normal
to use it, create /var/qmail/control/qqxrcode and populate it like so:
32 Message permanently rejected (Virus detected)
33 Message permanently rejected (Spam detected)
Net result: exiting from a filter program with a 32 or 33 gets you the above messages.
Normal SMTP 554 is from an exit 31, so I'd recommend sticking stuff in between 32 and 40.
smartscan.pl
#!/usr/bin/perl
###
### Smartscanner.pl
###
### VERSION 2.1
### 2006 Feb 28
###
### (c) 2004,2006 JRS System Solutions
### all rights reserved under BSD license -
### you may use this code as long as this header remains
### intact.
###
# $postmaster is the address which will receive warnings.
# THIS SHOULD NOT BE AN ADDRESS AT A DOMAIN
# HANDLED BY THIS MAILSERVER! ENDLESS LOOPS
# COULD LOCK UP YOUR SERVER!
#
$postmaster = 'postmaster@ph34r.tehinterweb.net';
# Don't forget to use visudo to allow qmaild to run maildir
# as vpopmail!
#
$delivery_agent = "/usr/local/bin/sudo -u vpopmail /usr/local/bin/maildir";
# run antivirus / antispam scanners on mail delivered
# via SMTP AUTH connection?
#
$virus_scan_auth = 1;
$spam_scan_auth = 0;
# note: $quarantine_* does not determine whether mail is delivered
# to

it an incoming SMTP connection, but it's a lie - Qmail's native auth module might support it, but authvchkpw doesn't. At best, this means that incoming clients will pause for about 3 seconds while they fail out on CRAM-MD5 authentication before they fall back on LOGIN or PLAIN (either of which work fine). At worst (so far, I've only seen this with the Pegasus mail client), they'll just bomb out completely and refuse to send mail.

After issuing a '''make patch''', cd'ing to work/qmail-1.03, and patching with [[media:Qqxrc.patch.txt]], patch with [[media:Qmail-noCRAM-MD5.patch.txt]] to fix the issue and make authentication smooth, fast, and reliable.

ph34r# '''cd /usr/ports/mail/qmail'''
ph34r# '''make patch'''
ph34r# '''cd work/qmail-1.03'''
ph34r# '''patch < /home/username/qqxrc.patch'''
ph34r# '''patch < /home/username/qmail-noCRAM-MD5.patch'''

Now you can proceed with the actual building and installation of the port.
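Pulling the notes above together as an added example (not Jimbo's smartscan.pl or maildump.pl): a stand-alone Python wrapper dropped in place of qmail-queue that reads the message from fd 0 and the F/T envelope from fd 1 (the NUL separators between the F and T fields are invisible in the bcc example above), applies the $virus_scan_auth / $spam_scan_auth rule from the smartscan.pl header using TCPREMOTEINFO from the environment dump, and either exits with the qqxrc codes (31 for a plain 554, 32 virus, 33 spam) or hands both streams to the real qmail-queue. The renamed path of the original binary and the virus_check / spam_score hooks are assumptions standing in for clamav / spamc.

```python
import os, subprocess, sys

# Exit codes as used on this page: 31 -> plain SMTP 554, 99 -> silent drop
# (qmail-qfilter), 32/33 -> the messages listed in control/qqxrcode.
EXIT_ACCEPT, EXIT_REJECT, EXIT_VIRUS, EXIT_SPAM, EXIT_DROP = 0, 31, 32, 33, 99
REAL_QMAIL_QUEUE = "/var/qmail/bin/qmail-queue.real"  # assumed name of the renamed original

def parse_envelope(env: bytes):
    """Envelope as qmail-queue reads it from fd 1: F<sender>NUL (T<rcpt>NUL)* NUL."""
    body, _, _ = env.partition(b"\0\0")  # a double NUL terminates the envelope
    fields = body.split(b"\0")
    if fields[0][:1] != b"F" or any(f[:1] != b"T" for f in fields[1:]):
        raise ValueError("malformed envelope: %r" % env)
    return fields[0][1:].decode(), [f[1:].decode() for f in fields[1:]]

def decide(message, environ, virus_scan_auth=True, spam_scan_auth=False,
           virus_check=lambda m: False, spam_score=lambda m: 0.0):
    """$virus_scan_auth / $spam_scan_auth policy; TCPREMOTEINFO is only set on SMTP AUTH
    sessions. virus_check / spam_score are hypothetical hooks (clamav / spamc stand-ins)."""
    authed = bool(environ.get("TCPREMOTEINFO"))
    if (virus_scan_auth or not authed) and virus_check(message):
        return EXIT_VIRUS
    if (spam_scan_auth or not authed) and spam_score(message) > 5.0:  # "spamrating over 5"
        return EXIT_SPAM
    return EXIT_ACCEPT

def hand_off(message: bytes, envelope: bytes) -> int:
    """Run the real qmail-queue with the message on its fd 0 and the envelope on its fd 1."""
    (msg_r, msg_w), (env_r, env_w) = os.pipe(), os.pipe()
    child = subprocess.Popen([REAL_QMAIL_QUEUE], stdin=msg_r, stdout=env_r)  # close_fds=True
    os.close(msg_r); os.close(env_r)
    for fd, data in ((msg_w, message), (env_w, envelope)):  # it reads fd 0 to EOF, then fd 1
        with os.fdopen(fd, "wb") as out:
            out.write(data)
    return child.wait()

def main():
    message = sys.stdin.buffer.read()
    with os.fdopen(1, "rb", closefd=False) as fd1:  # same trick as open(FH, "<&=1") above
        envelope = fd1.read()
    try:
        parse_envelope(envelope)  # malformed envelope -> 554, never reaches qmail-queue
    except ValueError:
        return EXIT_REJECT
    code = decide(message, os.environ)
    return code if code != EXIT_ACCEPT else hand_off(message, envelope)

if __name__ == "__main__":
    sys.exit(main())
```

If the real qmail-queue exits before it has read everything, the write in hand_off raises BrokenPipeError; a production wrapper would catch that and return the child's exit status instead.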