First, excellent work on the gentoo qmail ebuild, very impressive. In my attempts to implement spam abatement measures however, I am finding it a little more difficult to add anti-spam measures to the run-qmailsmtpd file now. In particular, I am interested in rejecting SMTP connections at the network level from hosts with bad DNS, as documented at Chris Hardie's webpage listed above. In addition, it would be nice to have a variable in conf-smtpd to turn on recordio for testing the anti-spam measures once in place (as I do now on a production BSD box I oversee). So as per the suggestion from the top of run-qmailsmtpd(1) I am filing these requests in bugzilla for future reference. Thanks again for such a well designed and thought out approach to implementing qmail on Gentoo. Best regards, Steven Boothe (1) # If you need to edit this file, please look at editing conf-smtpd and # conf-common first. If you still need to change this file, you should # probably file a bug on the bugzilla saying what you wanted to change so that # modification can be make possible via the configuration files Reproducible: Always Steps to Reproduce: 1. 2. 3.
i'm trying to get around to updating the qmail builds to include the SPAMCONTROL patches. that's a better long term route, however for the moment, which items that Chris Hardie mentions are you interested in? if you write up some snippets to include into the conf-smtpd I'll gladly review them and provide constructive critiscm as how to make them as widely usable as possible so they can be used in Gentoo.
Hi Robin. Thanks for all the great work you all are involved in with Gentoo. Here's the URL to the section of Chris Hardie's webpage I am interested in: http://www.chrishardie.com/tech/qmail/qmail-antispam.html#sysadminoptions and specifically with interest in implementing this part (note my code snippet at the end): Rejecting SMTP connections at the network level from hosts with bad DNS It is becoming common for the default installation of many Unix operating systems like FreeBSD and Linux to include a mechanism to block network traffic based on certain criteria, commonly referred to "host-based access control"... ... One can also achieve this using the ucspi-tcp package's tcpserver (now the recommended alternative to inetd), by enabling the "-p" option, for paranoid, e.g. in /service/qmail-smtpd/run, you might have: #!/bin/sh QMAILDUID=`id -u qmaild` NOFILESGID=`id -g qmaild` exec softlimit -m 3000000 \ tcpserver -v -p -x /etc/qmail/tcp.smtp.cdb \ -u $QMAILDUID -g $NOFILESGID 0 smtp \ ### begin code snippet sh -c 'test -z "$TCPREMOTEHOST" \ && echo "451 bad reverse DNS" \ || exec /var/qmail/bin/qmail-smtpd' 2>&1 ### end code snippet after 'exec'. This basically tells tcpserver to remove the environment variable "TCPREMOTEHOST" if it can't resolve the reverse DNS, and then not to run qmail-smtpd if TCPREMOTE HOST isn't populated. (Thanks to Mike Jimenez for noting that only using tcpserver -p isn't enough, and to Gerrit Pape for suggesting the above code snippet. Thanks to Jerry Amundson for updating it to include a useful error message for the connecting SMTP server.) " So here's what I am thinking, what if make that snippet into one line, and associate it with one of those pre/post variables? Now if only this fever (103 yesterday) would go away so that I can think straight enough to figure out which one. :-S Something like this maybe(?): # Stuff to run before tcpserver. # For example, the following would attempt to verify reverse DNS before # allowing an inbound SMTP connection. #QMAIL_TCPSERVER_PRE="sh -c 'test -z "$TCPREMOTEHOST" && echo "451 bad reverse DNS" || exec" What do you think? I might give this a test if I'm still up for it after sitting here to write this much... :-) /me checks my temperature again...
Well I just finished testing the following in conf-smtpd: QMAIL_SMTP_PRE="${QMAIL_SMTP_PRE} sh -c 'test -z "$TCPREMOTEHOST" && echo "451 bad reverse DNS" || exec rblsmtpd -r dsn.rfc-ignorant.org -r sbl.spamhaus.org -r list.dsbl.org -r bl.spamcop.net" Any subsequent attempt to start qmail produces the following stat: poretz root # qmailctl stat /service/qmail-send: up (pid 15214) 57 seconds /service/qmail-send/log: up (pid 15216) 57 seconds /service/qmail-smtpd: up (pid 15881) 0 seconds /service/qmail-smtpd/log: up (pid 15225) 57 seconds messages in queue: 10 messages in queue but not yet preprocessed: 0 poretz root # Thanks for looking into this, Steven
At the very minimum I'd just like to be able to have the equivalent working for my run script: #!/bin/sh exec /usr/bin/softlimit -m 8000000 \ /usr/bin/tcpserver -H -R -v -p -x /etc/tcp.smtp.cdb \ -u $QMAILDUID -g $NOFILESGID 0 smtp \ sh -c 'test -z "$TCPREMOTEHOST" && echo "451 bad reverse DNS" \ || exec /var/qmail/bin/qmail-smtpd 2>&1 Unfortunately, due to the beautifully and appreciated new gentooish run scripts, setting this up to work has all but proved impossible for me. The works fine on my openbsd box at work, and I have a feeling it would work fine if I installed qmail from source according LWQ... Sorry. I shouldn't complain. I'm extremely grateful for the work you all are doing. I really do appreciate the work going into making the run scripts gentooish - really. It's just that I'm stuck between wondering if I go ahead and implement from scratch, how long will it be until I want to turn around and redo things to benefit from your excellent efforts... BTW, have you looked into running TLS with that spam-control patch? Seems that last I recall that patch wasn't compatible with the TLS patch... I'm not sure how far along you are, but you certainly have my respect. That is one mother of a patch the last I looked at it...
Also, in looking into the spamcontrol patch, I notice the following statement: "In this case, qmail-smtpd receives all OUTGOING E-Mails from the local environment and delivers them to MTAs on the Internet. Additionally, qmail-smtpd should solely receive those INCOMING Internet E-Mails which are targeted for the local E-Mail systems. In particular, Qmail should not forward any E-Mail to third party MTAs." (http://www.fehcom.de/qmail/spamcontrol/README_spamcontrol.html) It's that last sentence that concerns me since this is exactly what we use it for where I work. We use it as a gateway/firewall of sorts between our specialized MTA for satellite email, and the rest of the world...
Is this still an issue with -r16?
No response. Please reopen if you've comments.