qmail 1.03 all in one (aio) patch usage

New/modified configuration options of the qmail all in one patch 16 [2008-08-11]
These are the new or modified configuration options.
-
antispoofing (qmail-smtpd)
Reserved IP ranges or networks for sender addresses and domains. qmail-smtpd
will reject senders whose remote IP does not belong to the networks
defined for that e-mail address or domain name.
Network addresses are written as x.y.z.t/a.b.c.d. A network address
x.x.x will be interpreted as x.x.x.0/255.255.255.0, and x.y.z.128 will be
interpreted as x.y.z.128/255.255.255.128. Generally, if no netmask is
given, the trailing null bits of the given address become the null
bits of the mask.
dan@foo.com: 10.10.10/255.255.0.0 10.195.4
bar.org: 10.98.8.3
If the "MAIL FROM" is dan@foo.com it has to come from
10.10.10.0/255.255.0.0 or from 10.195.4.0/255.255.248.0.
If "MAIL FROM" is from xxx@bar.org it has to be in the
range 10.98.8.3/255.255.255.252.
Domains not mentioned are not rejected.
If the environment variable NOANTISPOOFING is set,
antispoofing will be disabled.
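As an added example (not code from the aio patch), the following Python parses antispoofing entries like the two above and applies the netmask rule just described: a short form x.y.z is taken as /24 and, for a full address, every trailing null bit is a host bit. The control file contents are constructed, and letting a full-address rule take precedence over its domain rule is my assumption, since the page does not say which applies when both exist.

```python
# Added example: antispoofing control-file parsing and MAIL FROM / remote IP check.
import ipaddress

# Constructed control file using the entries shown on this page.
ANTISPOOFING = """\
dan@foo.com: 10.10.10/255.255.0.0 10.195.4
bar.org: 10.98.8.3
"""


def implied_network(text: str) -> ipaddress.IPv4Network:
    """x.y.z.t/a.b.c.d is taken as written. Without a mask, a short form x.y.z
    becomes x.y.z.0/255.255.255.0 (missing octets are host bits), and a full
    address keeps all its trailing null bits as host bits: x.y.z.128 -> /25,
    an odd last octet -> /32."""
    addr_part, _, mask = text.partition("/")
    octets = addr_part.split(".")
    if not 1 <= len(octets) <= 4:
        raise ValueError(f"bad address {text!r}")
    addr = ipaddress.ip_address(".".join(octets + ["0"] * (4 - len(octets))))
    if mask:
        return ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    if len(octets) < 4:
        return ipaddress.ip_network((str(addr), 8 * len(octets)), strict=False)
    prefix, bits = 32, int(addr)
    while prefix > 0 and bits & 1 == 0:  # count trailing null bits
        bits >>= 1
        prefix -= 1
    return ipaddress.ip_network((str(addr), prefix), strict=False)


def parse_antispoofing(text: str) -> dict:
    """'key: net net ...' lines; key is a lower-cased address or domain."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, nets = line.partition(":")
        rules.setdefault(key.strip().lower(), []).extend(
            implied_network(n) for n in nets.split())
    return rules


def sender_allowed(mail_from: str, remote_ip: str, rules: dict) -> bool:
    """False only when a rule exists for the sender and excludes remote_ip.
    Assumption: a rule for the full address wins over the rule for its domain."""
    addr = ipaddress.ip_address(remote_ip)
    sender = mail_from.lower()
    domain = sender.rpartition("@")[2]
    for key in (sender, domain):
        nets = rules.get(key)
        if nets is not None:
            return any(addr in n for n in nets)
    return True  # "Domains not mentioned are not rejected."


RULES = parse_antispoofing(ANTISPOOFING)
```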
-
authfaildelay (qmail-smtpd)
Delay in seconds after a failed SMTP AUTH session.
If the environment variable AUTHFAILDELAY is set, it
overrides authfaildelay.
-
badheloext (qmail-smtpd)
Unacceptable HELO/EHLO greetings. qmail-smtpd will reject every HELO/EHLO
greeting that is listed in badheloext if the environment variable RELAYCLIENT
is not set. A line in badheloext may be a case-insensitive regular expression.
If the environment variable NOBADHELOEXT is set,
badheloext will be disabled.
-
badheloint (qmail-smtpd)
Unacceptable HELO/EHLO greetings. qmail-smtpd will reject every HELO/EHLO
greeting that is listed in badheloint if the environment variable RELAYCLIENT
is set. A line in badheloint may be a case-insensitive regular expression.
If the environment variable NOBADHELOINT is set,
badheloint will be disabled.
-
badmailfromext (qmail-smtpd)
Unacceptable envelope sender addresses. qmail-smtpd will reject every recipient
address for a message if the envelope sender address is listed in
badmailfromext and the environment variable RELAYCLIENT is not set. A line
in badmailfromext may be a case-insensitive regular expression. Empty envelope
senders are skipped.
If the environment variable NOBADMAILFROMEXT is set,
badmailfromext will be disabled.
-
badmailfromint (qmail-smtpd)
Unacceptable envelope sender addresses. qmail-smtpd will reject every recipient
address for a message if the envelope sender address is listed in
badmailfromint and the environment variable RELAYCLIENT is set. A line in
badmailfromint may be a case-insensitive regular expression. Empty envelope
senders are skipped.
If the environment variable NOBADMAILFROMINT is set,
badmailfromint will be disabled.
-
badmailtoext (qmail-smtpd)
Unacceptable envelope recipient addresses. qmail-smtpd
will reject every sender address for a message
if the envelope recipient address is listed in badmailtoext
and the environment variable RELAYCLIENT is not set.
A line in badmailtoext may be a case-insensitive regular expression.
If the environment variable NOBADMAILTOEXT is set,
badmailtoext will be disabled.
-
badmailtoint (qmail-smtpd)
Unacceptable envelope recipient addresses. qmail-smtpd
will reject every sender address for a message
if the envelope recipient address is listed in badmailtoint
and the environment variable RELAYCLIENT is set.
A line in badmailtoint may be a case-insensitive regular expression.
If the environment variable NOBADMAILTOINT is set,
badmailtoint will be disabled.
-
badrmhostext (qmail-smtpd)
Unacceptable remote host in the environment variable
TCPREMOTEHOST. qmail-smtpd will reject every host that
is listed in badrmhostext if the environment variable
RELAYCLIENT is not set. A line in badrmhostext may be
a case-insensitive regular expression.
If the environment variable NOBADRMHOSTEXT is set,
badrmhostext will be disabled.
-
badrmhostint (qmail-smtpd)
Unacceptable remote host in the environment variable
TCPREMOTEHOST. qmail-smtpd will reject every host that
is listed in badrmhostint if the environment variable
RELAYCLIENT is set. A line in badrmhostint may be
a case-insensitive regular expression.
If the environment variable NOBADRMHOSTINT is set,
badrmhostint will be disabled.
-
bindroutes (qmail-remote)
Any mail sent from a specific source IP address will be sent from
the given IP address.
The entry in bindroutes looks like this:
source ip:ip
Example for bindroutes:
# network 10.x.x.x
10.:1.2.3.4
# network 10.10.x.x
10.10.:1.2.3.4
# network 10.10.10.x
10.10.10.:1.2.3.4
# host 10.10.10.10
10.10.10.10:1.2.3.4
# rest
:1.2.3.4
# don't send any mail to this
1.2.3.4:
If qmail-remote is not able to bind to that IP address then the
message will stay in the queue until the problem has been corrected.
senderip overwrites bindroutes.
-
bouncemaxbytes (qmail-send)
Limit the size of bounces. Default: 50000 bytes.
-
clamd (qmail-smtpd)
ipaddress:port where clamd listens for connections. Each SMTP DATA stream will
be sent to clamd and scanned for viruses. Messages containing viruses will be
rejected.
If the environment variable NOCLAMD is set, it overrides clamd.
-
clamdfailreject (qmail-smtpd)
If set, qmail-smtpd temporarily rejects all messages if clamd fails.
If the environment variable CLAMDFAILREJECT is set, it overrides clamdfailreject.
-
clientca.pem (qmail-smtpd)
Client CA to verify client certificates for SSL or
TLS authenticated SMTP sessions (RFC 3207).
-
clientcert.pem (qmail-remote)
Client certificate that qmail-remote presents when a remote
SMTP server requests one in a TLS session (RFC 3207). It is
created together with servercert.pem by "make cert".
-
clientcrl.pem (qmail-smtpd)
A list of Certificate Revocation Lists (CRLs). If
present it should contain the CRLs of the CAs in
clientca.pem and client certs will be checked for
revocation.
-
databeforegreet (qmail-smtpd)
If set, qmail-smtpd disconnects clients that try to send commands
before qmail-smtpd has sent its greeting.
If the environment variable DATABEFOREGREET is set, it overrides
databeforegreet.
-
databytesmf (qmail-smtpd)
Maximum number of bytes allowed in a message dependent on MAIL FROM,
or 0 for no limit.
The entry in databytesmf looks like this:
user@host:10485760
databytesmf overrides databytes.
If a message exceeds this limit, qmail-smtpd returns a permanent error
code to the client.
databytesmf counts bytes as stored on disk, not as transmitted through
the network. It does not count the qmail-smtpd Received line, the
qmail-queue Received line, or the envelope.
If databytesmf is set, the Message Size Declaration SIZE in EHLO will
be disabled.
If the environment variable DATABYTESMF is set to 0, it disables
databytesmf.
-
databytesrcpt (qmail-smtpd)
Maximum number of bytes allowed in a message dependent on RCPT TO,
or 0 for no limit.
The entry in databytesrcpt looks like this:
user@host:10485760
databytesrcpt overrides databytes.
If a message exceeds this limit, qmail-smtpd returns a permanent error
code to the client.
databytesrcpt counts bytes as stored on disk, not as transmitted through
the network. It does not count the qmail-smtpd Received line, the
qmail-queue Received line, or the envelope.
If databytesrcpt is set, the Message Size Declaration SIZE in EHLO will
be disabled.
If the environment variable DATABYTESRCPT is set to 0, it disables
databytesrcpt.
-
dh1024.pem (qmail-smtpd)
If these 1024 bit DH parameters are provided, qmail-smtpd
will use them for TLS sessions instead of generating them
on-the-fly (which is very time-consuming).
-
dh512.pem (qmail-smtpd)
512 bit counterpart for dh1024.pem.
-
extraqueue (qmail-queue)
If the control file extraqueue exists, its content is added to the recipient list.
It is a replacement for QUEUE_EXTRA (see FAQ 8.2).
-
extraremote (qmail-rspawn)
Use the qmail-remote wrapper script qmail-remote.extra.
Please set the qmail-remote.extra permissions to -rwxr-xr-x (0755) and don't
forget to call the original qmail-remote at the end of the wrapper script.
-
greetdelay (qmail-smtpd)
Delay in seconds in an SMTP session after the greeting.
If the environment variable GREETDELAY is set, it overrides greetdelay.
-
helodelay (qmail-smtpd)
Delay in seconds in an SMTP session after HELO.
If the environment variable HELODELAY is set, it overrides helodelay.
-
helodnschkext (qmail-smtpd)
If set, qmail-smtpd tries to resolve the HELO/EHLO
greeting, if the environment variable RELAYCLIENT is
not set. It can be handy when you want to filter out
spamhosts.
If the environment variable HELODNSCHKEXT is set, it
overrides helodnschkext.
-
helodnschkint (qmail-smtpd)
If set, qmail-smtpd tries to resolve the HELO/EHLO
greeting, if the environment variable RELAYCLIENT is
set. It can be handy when you want to filter out
spamhosts.
If the environment variable HELODNSCHKINT is set, it
overrides helodnschkint.
-
maxrecipients (qmail-smtpd)
The number of RCPT TOs qmail-smtpd will accept in an
SMTP session. maxrecipients defaults to 100.
If the environment variable MAXRECIPIENTS is set, it
overrides maxrecipients.
-
mfcheck (qmail-smtpd)
If set, qmail-smtpd tries to verify the envelope from address.
If set to 1 qmail-smtpd tries to resolve the domain of the envelope from
address. If set to 2 qmail-smtpd tries to resolve the domain of the envelope
from address and, if the environment variable RELAYCLIENT is not set,
qmail-smtpd makes an SMTP callback to verify the envelope from address. It can
be handy when you want to filter out spamhosts.
If the environment variable MFCHECK is set, it overrides mfcheck.
-
mfdelay (qmail-smtpd)
Delay in seconds in an SMTP session after MAIL FROM.
If the environment variable MFDELAY is set, it overrides mfdelay.
-
moreipme (qmail-send)
IP addresses which the system does not detect but which
should be treated as local. notipme takes precedence
over moreipme.
-
nosignhosts (qmail-remote/qmail-smtpd)
Exclusions of remote hosts for Bounce Address Tag Validation
(BATV) that do not work with signed addresses.
Attention: If a host has more than one hostname, please list them
all in "nosigndoms".
-
nosignmydoms (qmail-remote)
Exclusions of domains you host for Bounce Address Tag Validation (BATV).
-
notipme (qmail-send)
IP addresses which the system detects but which
should not be treated as local. notipme takes precedence
over moreipme.
IP addresses can be specified as individual addresses
in the usual dotted-quad format, or as entire networks
using a slash followed by the full dotted-quad netmask.
127.0.0.1
127.0.0.1/255.255.255.255
127.0.0.0/255.0.0.0
10.0.0.0/255.255.255.0
An individual address is treated exactly like a network
with a mask of 255.255.255.255. Addresses of interfaces
found on the system are added with their individual
addresses. In addition, these addresses are implicitly
added:
0.0.0.0
127.0.0.0/255.0.0.0
So the list of system addresses (the "ipme" list) is,
in order, 127.0.0.0/255.0.0.0, 0.0.0.0, then all actual
interfaces on the system in the order they are reported,
then the contents of the "moreipme" file. The list of
excluded addresses (the "notipme" list) is just the
contents of the "notipme" file.
If an address appears in both the ipme list and the notipme
list, the entry with the longest netmask wins. If the netmask
lengths are the same, notipme wins.
For example, if the ipme list has 127.0.0.0/255.0.0.0 and
notipme has 127.0.0.2, then 127.0.0.2 will not be considered
me because the entry in notipme has a 32-bit mask. If the
notipme list has 127.0.0.0/255.0.0.0, all of 127.* will not
be considered me.
You can run the program "ipmeprint" from the source directory
to see what interfaces qmail is detecting or finds in moreipme.
You can run the program "ipmetest" from the source directory
to test your configuration. It takes as its first and only
parameter an IP address to test, and prints either "me" or
"not me".
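Added example (not the patch's ipmeprint or ipmetest): the ipme/notipme precedence rules described above in Python, run over a constructed interface list and constructed moreipme/notipme contents, answering "me" or "not me" the way ipmetest does.

```python
# Added example: ipme/notipme resolution with longest-netmask precedence.
import ipaddress
import sys

IMPLICIT_IPME = ["127.0.0.0/255.0.0.0", "0.0.0.0"]  # always present, as stated above
INTERFACES = ["192.0.2.10"]                          # constructed: what the system reports
MOREIPME = ["198.51.100.0/255.255.255.0"]            # constructed control/moreipme
NOTIPME = ["127.0.0.2", "198.51.100.77"]             # constructed control/notipme


def parse_net(entry: str) -> ipaddress.IPv4Network:
    """Dotted quad (treated as a /32) or address/dotted-quad netmask."""
    return ipaddress.ip_network(entry.strip(), strict=False)


def build_ipme(interfaces, moreipme):
    """The ipme list in the page's order: implicit entries, interfaces, moreipme."""
    return [parse_net(e) for e in (*IMPLICIT_IPME, *interfaces, *moreipme)]


def best_match(addr, nets):
    """Entry with the longest netmask that covers addr, or None."""
    hits = [n for n in nets if addr in n]
    return max(hits, key=lambda n: n.prefixlen) if hits else None


def is_me(ip: str, ipme, notipme) -> bool:
    """Longest netmask wins across both lists; on equal length notipme wins."""
    addr = ipaddress.ip_address(ip)
    me, notme = best_match(addr, ipme), best_match(addr, notipme)
    if me is None:
        return False
    if notme is None:
        return True
    return me.prefixlen > notme.prefixlen


def ipmetest(ip: str) -> str:
    """Same answer ipmetest prints: "me" or "not me"."""
    ipme = build_ipme(INTERFACES, MOREIPME)
    return "me" if is_me(ip, ipme, [parse_net(e) for e in NOTIPME]) else "not me"


if __name__ == "__main__":
    print(ipmetest(sys.argv[1]))
```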
-
originipfield (qmail-queue)
If the control file originipfield is set or if the environment
variable ORIGINIPFIELD is set, a "X-Originating-IP" header
will be added to every relayed mail.
If the environment variable ORIGINIPFIELD is set, it overrides the
control file originipfield.
-
outgoingip (qmail-remote)
IP address to be used on outgoing connections. Default:
system-defined. The value 0.0.0.0 is equivalent to the
system default.
-
rcptdelay (qmail-smtpd)
Delay in seconds in an SMTP session after RCPT TO.
If the environment variable RCPTDELAY is set, it overrides rcptdelay.
-
recipientchk (qmail-smtpd)
If set, qmail-smtpd checks recipient address during
the SMTP or QMTP protocol conversation.
If set to 1 qmail-smtpd checks against system
accounts. If set to 2 qmail-smtpd checks against
fastforward compatible cdbs. The cdbs are defined in
recipients.
If the environment variable RECIPIENTCHK is set, it
overrides recipientchk.
-
recipientchkdelay (qmail-smtpd)
Delay in seconds after a failed recipient address
check to prevent dictionary attacks.
If the environment variable RECIPIENTCHKDELAY is set,
it overrides recipientchkdelay.
-
recipients (qmail-smtpd)
List of fastforward compatible cdbs with fully-qualified
SMTP addresses to be allowed for SMTP reception
(RCPT to: ). The path to a cdb has
to be referenced relative to qmail's home directory.
qmail-recipients may be used to construct a
users/recipients.cdb from users/recipients. A typical
recipients file looks like:
users/recipients.cdb
etc/fastforward.cdb
qmail-smtpd will reject a message for recip@domain if
the fully-qualified recipient address is not included
in any of the recipients cdbs.
In order to allow unrestricted reception for a
complete domain, the wildcard format !@domain can be
used. For performance reasons it is advisable to
place this information at the beginning of the first
cdb.
The qmail-smtpd recipients mechanism supports qmail's
address extension (VERP). Unqualified envelope recipients
are appended with @localhost.
-
rsa512.pem (qmail-smtpd)
If this 512 bit RSA key is provided, qmail-smtpd will
use it for TLS sessions instead of generating one
on-the-fly.
-
secauthext (qmail-smtpd)
If set, SMTP AUTH is only allowed once a TLS/SSL session
has started and the environment variable RELAYCLIENT is
set.
If the environment variable SECAUTHEXT is set, it
overrides secauthext.
-
secauthint (qmail-smtpd)
If set, SMTP AUTH is only allowed once a TLS/SSL session
has started and the environment variable RELAYCLIENT is
not set.
If the environment variable SECAUTHINT is set, it
overrides secauthint.
-
secauthremote (qmail-remote)
If set, SMTP AUTH to a remote SMTP server is only
allowed once a TLS/SSL session has started.
-
senderip (qmail-remote)
Any mail sent from an email address in the given domain will be
sent from the given IP address.
The entry in senderip looks like this:
domain:ip
If qmail-remote is not able to bind to that IP
address then the message will stay in the queue until the problem
has been corrected.
-
servercert.pem (qmail-smtpd)
Server certificate for qmail-smtpd. This means you
can get SSL or TLS encrypted and authenticated SMTP
sessions between the MTAs and from MUA to MTA
(RFC 3207).
-
signkey (qmail-remote/qmail-smtpd)
Key for Bounce Address Tag Validation (BATV) signing.
-
signkeystale (qmail-smtpd)
Stale time of the key for Bounce Address Tag Validation (BATV) signing.
-
smtproutes (qmail-remote)
To add remote SMTP authentication, add the clear-text username
and the clear-text password after the relay, separated by a space, e.g.
internal.example.com:external.example.com:26 username password
-
straightfallback (qmail-remote)
If set, qmail-remote uses the fallback host defined in smtproutes
immediately after a temporary error code, too.
-
tarpitcount (qmail-smtpd)
It's the practice of inserting a small sleep in an
SMTP session for each RCPT TO after some set number
of RCPT TOs. tarpitcount is the number of RCPT TOs
you accept before you start tarpitting. tarpitcount
defaults to 0, which means no tarpitting.
If the environment variable TARPITCOUNT is set, it
overrides tarpitcount.
-
tarpitdelay (qmail-smtpd)
It's the practice of inserting a small sleep in an
SMTP session for each RCPT TO after some set number
of RCPT TOs. tarpitdelay is the number of seconds of
delay to introduce after each subsequent RCPT TO.
tarpitdelay defaults to 5.
If the environment variable TARPITDELAY is set, it
overrides tarpitdelay.
-
timeoutclamd (qmail-smtpd)
Number of seconds qmail-smtpd will wait for clamd
connections. Default: 60.
-
timeoutmfcheck (qmail-smtpd)
Number of seconds qmail-smtpd will wait for SMTP
callback connections. Default: 60.
-
tlsclients (qmail-smtpd)
A client certificate email-address has to match a
line in tlsclients for SSL or TLS authenticated SMTP
sessions (RFC 3207).
-
tlsclientciphers (qmail-remote)
A set of OpenSSL client cipher strings. Multiple
ciphers contained in a string should be separated by
a colon.
-
tlshosts/<FQDN>.pem (qmail-remote)
qmail-remote requires authentication from servers for
which this certificate exists (<FQDN> is the fully-qualified
domain name of the server). One of the
dNSName or CommonName attributes has to match.
WARNING: This option may cause mail to be delayed,
bounced, doublebounced, or lost.
-
tlsremote (qmail-remote)
If set, TLS to remote SMTP server is allowed.
-
tlsserverciphers (qmail-smtpd)
OpenSSL server cipher strings for SSL or TLS
encrypted and authenticated SMTP sessions (RFC 3207).
-
tlssmtpext (qmail-smtpd)
If set and the environment variable RELAYCLIENT
is not set, TLS for the SMTP session is allowed.
If the environment variable TLSSMTPEXT is set, it
overrides tlssmtpext.
-
tlssmtpint (qmail-smtpd)
If set and the environment variable RELAYCLIENT
is set, TLS for the SMTP session is allowed.
If the environment variable TLSSMTPINT is set, it
overrides tlssmtpint.
Enable new features of the qmail all in one patch
-
Alternative qmail-queue program with custom error message
Starts the program set in the variable QMAILQUEUE instead of
bin/qmail-queue. To create a custom error
message, write the message to STDERR and exit with code 82.
The format of the custom error message looks like this:
D<Custom fatal error message>
Z<Custom temporary failure message>
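Added example (not part of the aio patch) of such an alternative qmail-queue program in Python: it reads the message from fd 0 and the envelope from fd 1 the way qmail-queue does, then either writes a D or Z line to STDERR and exits with code 82, or forwards both streams to the real qmail-queue. The binary path and the size/recipient policy are assumptions.

```python
# Added example (not part of the aio patch): a QMAILQUEUE front end that reads the
# message from fd 0 and the envelope from fd 1 like qmail-queue, then either rejects
# with a custom D/Z line on STDERR and exit code 82 or hands both on to qmail-queue.
import os
import sys

REAL_QMAIL_QUEUE = "/var/qmail/bin/qmail-queue"  # assumed path of the real binary
MAX_BYTES = 5_000_000                            # constructed example limit
CUSTOM_ERROR_EXIT = 82                           # qmail-smtpd reads STDERR on this code


def parse_envelope(env: bytes):
    """Envelope format: 'F'+sender NUL, zero or more 'T'+recipient NUL, final NUL."""
    fields = env.split(b"\0")
    if len(fields) < 3 or fields[-2:] != [b"", b""] or not fields[0].startswith(b"F"):
        raise ValueError("malformed envelope")
    if not all(f.startswith(b"T") for f in fields[1:-2]):
        raise ValueError("malformed recipient field")
    return fields[0][1:].decode(), [f[1:].decode() for f in fields[1:-2]]


def check(message: bytes, sender: str, rcpts: list):
    """Constructed policy: None accepts; ('D', text) is a permanent and ('Z', text)
    a temporary custom error, in the format described above."""
    if len(message) > MAX_BYTES:
        return ("D", "message exceeds the local size limit (#5.3.4)")
    if any("@" not in r for r in rcpts):
        return ("Z", "recipient could not be qualified, try again later (#4.3.0)")
    return None


def custom_error(kind: str, text: str) -> bytes:
    """The one line written to STDERR before exiting with code 82."""
    if kind not in ("D", "Z"):
        raise ValueError("kind must be D or Z")
    return (kind + text).encode()


def hand_off(message: bytes, envelope: bytes) -> int:
    """Run the real qmail-queue with fresh pipes on fd 0 and fd 1; return its exit code."""
    msg_r, msg_w = os.pipe()
    env_r, env_w = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: become qmail-queue
        os.dup2(msg_r, 0)
        os.dup2(env_r, 1)
        for fd in (msg_r, msg_w, env_r, env_w):
            os.close(fd)
        os.execv(REAL_QMAIL_QUEUE, [REAL_QMAIL_QUEUE])
    os.close(msg_r)
    os.close(env_r)
    with os.fdopen(msg_w, "wb") as f:  # qmail-queue reads the whole message first ...
        f.write(message)
    with os.fdopen(env_w, "wb") as f:  # ... and then the envelope
        f.write(envelope)
    _, status = os.waitpid(pid, 0)
    return os.waitstatus_to_exitcode(status)


if __name__ == "__main__":
    msg = sys.stdin.buffer.read()
    with os.fdopen(1, "rb", closefd=False) as envfd:
        env = envfd.read()
    verdict = check(msg, *parse_envelope(env))
    if verdict is not None:
        sys.stderr.buffer.write(custom_error(*verdict))
        sys.exit(CUSTOM_ERROR_EXIT)
    sys.exit(hand_off(msg, env))
```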
-
QMAILRRTDENYALL
If QMAILRRTDENYALL is set in the environment, then each individual recipient
address will be accepted, but the whole message will be rejected, to stop
attackers from probing for valid addresses. It's still possible to probe by
sending empty, single-recipient messages, and then sending the real message
with all the recipients that weren't rejected.
-
RCPTCHECK
If RCPTCHECK is set, for each 'rcpt to:' that qmail-smtpd receives, it will
fork/exec the program RCPTCHECK. RCPTCHECK is run in the same environment as
qmail-smtpd. Additionally SENDER is set to the envelope from (mail from:) and
RECIPIENT is set to the envelope recipient (for the current rcpt to:). Based
on the return code (exit value) of RCPTCHECK, the rcpt to: address will either
be accepted or rejected as follows:
100: recipient is rejected with "553 sorry, no mailbox here by that name. (#5.1.1)"
111: connection is dropped with a temporary error "421 unable to verify recipient (#4.3.0)"
120: connection is dropped with a temporary error "421 unable to execute recipient check (#4.3.0)"
All others: recipient is accepted.
120 is used internally if RCPTCHECK cannot be executed.
SMTP callout can be realised with the following small shell script:
out=$( (echo "HELO `hostname -f`"; echo "MAIL FROM: <>"; echo "RCPT TO: <$RECIPIENT>"; echo "QUIT") | nc -w 60 internalmx.example.com 25 2>&1 )
echo "$out" | grep -q "User is unknown" && exit 100; echo "$out" | grep -q "Connection timed out" && exit 111; exit 0
-
SMTP authentication (local)
To enable local SMTP authentication invoke qmail-smtpd in the following way:
inetd:
smtp stream tcp nowait qmaild /var/qmail/bin/tcp-env tcp-env /var/qmail/bin/qmail-smtpd <hostname of your mailserver> /bin/checkpassword /bin/true
tcpserver:
ulimit -v 32768
exec /usr/bin/tcpserver \
-l `head -1 /var/qmail/control/me` \
-u `id -u qmaild` -g `id -g qmaild` \
-c `head -1 /var/qmail/control/concurrencyincoming` \
-R -v -x /etc/tcp.smtp.cdb 0 smtp \
/var/qmail/bin/tcp-env \
/var/qmail/bin/qmail-smtpd \
`head -1 /var/qmail/control/me` \
/bin/checkpassword /bin/true 2>&1 | \
/var/qmail/bin/splogger qmail &
-
TLS/SSL SMTP sessions
To enable TLS/SSL SMTP sessions you have to create a self-signed certificate
with "make cert". This script creates the certificates
servercert.pem and clientcert.pem
in your qmail control directory with the right permissions automatically.
Execute update_tmprsadh.sh daily from your crontab to update the temporary RSA and
DH keys instead of relying on (slow) on-the-fly generation by qmail-smtpd. To activate
SMTP over TLS via port 465 set the environment variable SMTPS.