qmail is a secure, reliable, efficient and simple MTA written by Dan J. Bernstein. It has been security bug free since 1998 and is freely available.
But vanilla qmail does not support security mechanisms like SMTP authentication or support for SSL/TLS. While it supports RBL via tcpserver, it has no Anti-Spam-Features like checking the Envelope-From or tarpitting SMTP-connections. It further has no hook for Virus-Scanners or Spam-Filters. And last but not least it misses some nice-to-have features.
Nevertheless qmail is one of the best choices for running an MTA.
There are several patches and patch collections that add single or multiple extensions to qmail. This zeitform qmail toaster is another one. Check what we provide and use this patch if you see it fit your needs. You are welcome.
FEATURE OVERVIEW
The zeitform qmail toaster adds the following features to qmail:
ANTI-SPAM AND ANTI-VIRUS
- Block executable attachments at SMTP level
- Hook for qmail-queue replacement (via
QMAILQUEUE
) enables qmail to run a virus scanner and/or spam filter on every message [*] - Check for resolvable domain within the Envelope-From
- Tarpit SMTP dialog for a large number of mail recipients
- Filter bad HELO-strings, envelope senders and recipients based on regular expressions
SECURITY ENHANCEMENTS
- Support for
STARTTLS
and SMTP over SSL/TLS as Client and Server - SMTP authentication via LOGIN, PLAIN or CRAM–MD5
- POP3 authentication via CRAM-MD5
OTHER ENHANCEMENTS
- Standard compliant ESMTP
SIZE
command CAPA
command for POP3- Skip over MX servers that greet with 4xx or 5xx and try next MX (RFC-2821 compliance)
- Support for Maildir++ (maildirquota) for vpopmail
- Check existence of vpopmail user before accepting message at SMTP level
BUGFIXES AND WORKAROUNDS
- Compile with the new glibc (2.3.1 or newer) [*]
- Fixe a bug when
.qmail
contains only tabs within a line [*] - Recognize 0.0.0.0 as local IP address. This prevents spammers to spoof [*]
- Support the sendmail
-f
flag [*] - Improve ISO C conformance [*]
- Handle oversized DNS packets
- Return correct number of messages on POP3
STAT
command - Linux: reliability for EXT2 and ReiserFS
All features marked [*] are also included in netqmail-1.05.
DOWNLOAD
Download the following files:
- zeitform-qmail-toaster-0.21.patch
- README.zeitform (included in above patch)
INSTALLATION
Install qmail as explained in Life with qmail.
If everything works correctly install the patches:
cd qmail-1.03 patch -p0 < ../zeitform-qmail-toaster-0.21.patch make make setup check
USAGE AND CONFIGURATION
The zeitform qmail toaster adds or modifies the following configuration files:
signatures |
signatures of executable content to block |
badhelo |
containing regular expressions of bad HELO strings |
badmailfrom |
containing regular expressions of bad senders |
badmailto |
containing regular expressions of bad recipients |
databytes |
max message size for incoming SMTP |
clientcert.pem |
SSL certificate when acting as SMTP client |
servercert.pem |
SSL certificate when acting as SMTP server |
dh1024.pem |
1024 bit DH key |
dh512.pem |
512 bit DH key |
rsa512.pem |
512 bit RSA key |
clientca.pem |
list of CAs for client authentication |
clientcrl.pem |
list of CRLS for client authentication |
tlsclients |
list of E-Mail addresses for client authentication |
tlsclientciphers |
list of openssl cipher strings for client |
tlsserverciphers |
list of openssl cipher strings for server |
tlshosts/* |
certificates for servers with required authentication |
And it adds the following environment variables:
EXECUTABLEOK |
signatures of executable content to block |
QMAILQUEUE |
path to qmail-queue replacement |
DATABYTES |
overwrite control/databytes |
NOBADHELO |
diables the checking of HELO strings |
SMTPS |
starts SMTP over TLS |
BLOCK EXECUTABLE ATTACHMENTS
The blocking of executable attachments is controlled with the configuration file control/signatures
. This file contains BASE64 signatures of the MIME attachments you want to block. To create own signatures look at the raw mail and include the significant bytes of the attachment’s first line into the control file. The following example blocks Windows executables and includes signatures for Zip-Archives:
cat <<EOF >/var/qmail/control/signatures # Windows executables seen in active virii TVqQAAMAA TVpQAAIAA # Additional windows executable signatures not yet # seen in virii TVpAALQAc TVpyAXkAX TVrmAU4AA TVrhARwAk TVoFAQUAA TVoAAAQAA TVoIARMAA TVouARsAA TVrQAT8AA # .ZIPfile signature seen in SoBig.E and mydoom: #UEsDBBQAA #UEsDBAoAAA EOF
To disable the blocking of executables set the environment variable EXECUTABLEOK
.
USING A QMAIL-QUEUE REPLACEMENT
To use a replacement for qmail-queue set the environment variable QMAILQUEUE
to the path of the queue replacement. A good example is Qmail-Scanner. It allows you to run all incoming messages though one or more virus scanners (like Clam AntiVirus or a variety of commercial products) and/or SpamAssassin for spam filtering.
CHECKING THE ENVELOPE-FROM
If you receive mail from user@domain.com
and the mail can not be delivered to the recipient it must be bounced. If domain.com
does not exist, qmail sends a doublebounce.
As most spammers fake the sender address — even to non-existent ones — it can be reasonable to check if the Envelope-From’s domain exists.
If domain.com
can’t be resolved via DNS, qmail will not accept the message for delivery.
TARPITTING
Regular users won’t send messages to a large number of recipients, spammers do. To make life a bit more uneasy for spammers, tarpitting inserts a small delay between accepting recipients. With this feature qmail can be configured to inserts delays after a certain number of recipients is exceeded.
CHECKING HELO-STRINGS, SENDERS AND RECIPIENTS WITH REGULAR EXPRESSIONS
Vanilla qmail can filter incoming mails based on a list of bad senders in the file control/badmailfrom
, but does not support regular expression.
With this patch control/badmailfrom
is expanded to understand regular expressions and the files control/badmailto
and control/badhelo
are added that keep a regex based list of bad recipients and bad HELO-strings. For further details see the file README.qregex
. Some examples:
# example for "badhelo" # block host strings with no dot (not a FQDN) !\.
# example for "badmailfrom" # drop everything containing the word spam .*spam.* # force users to fully qualify themselves # (ie deny "user", accept "user@domain") !@
# example for "badmailto" # must not contain invalid characters, brakets or multiple @'s [!%#:*^(){}] @.*@
SMTP AND POP3 PROTOCOL EXTENSIONS
SMTP AUTH adds authentication to the STMP protocol and to qmail-smtpd in special. This enables selective relaying for users on dynamic IP addresses. The applied patch supports authentication via PLAIN, LOGIN or CRAM-MD5 SASL. All mechanisms but CRAM-MD5 send the password unencrypted and should be avoided in unencrypted SMTP sessions.
SMTP SIZE adds the SIZE sommand to qmail. qmail does by default limit the size of incoming messages by the amount of bytes given in control/databytes
, but does not publish this limit. SMTP clients that observe the SIZE value would not start the DATA phase for larger messages. This saves traffic.
STARTTLS adds SSL/TLS encryption to the SMTP session after the command is issued. Please see README.tls
for details and configuration issues.
Example:
220 mail.zeitform.de ESMTP EHLO host.de 250-mail.zeitform.de 250-STARTTLS 250-AUTH LOGIN CRAM-MD5 PLAIN 250-AUTH=LOGIN CRAM-MD5 PLAIN 250-PIPELINING 250-8BITMIME 250 SIZE 50000000
POP3 CAPA is a command that shows the capabilities of a POP3 server. vanila qmail does not offer this command. It is required to propagate the AUTH methods.
POP3 AUTH offers SASL authentication via CRAM-MD5. While this is not strictly necessary as APOP provides a secure way of authentication (without plaintext password), some clients support it and it is considered more secure than APOP. Using CRAM-MD5 authentication with vpopmail required a patch for vchkpw
.
Example:
+OK <23137.1078842811@guildenstern.zeitform.de> CAPA +OK Capability list follows TOP UIDL LAST USER APOP SASL CRAM-MD5
For further information on the protocols POP3 and SMTP:
- RFC 2821: Simple Mail Transfer Protocol
- RFC 2554: SMTP Service Extension for Authentication
- RFC 1939: Post Office Protocol – Version 3
- RFC 1734: POP3 AUTHentication command
- RFC 2195: IMAP/POP AUTHorize Extension for Simple Challenge/Response
- RFC 2104: HMAC: Keyed-Hashing for Message Authentication
- RFC 2595: Using TLS with IMAP, POP3 and ACAP
- RFC 2222: Simple Authentication and Security Layer (SASL)
- E-Mail Protokolle (German)
VPOPMAIL SUPPORT
The zeitform qmail toaster adds Maildir++ quota support to qmail. This improves the interoperability with vpopmail.
If a message arrives for a recipient address that has no valid user associated (neither as POP3 account nor as forward to a different address) vpopmail may deliver this message to a catch-all account (e.g. postmaster) or bounce the message as being not deliverable (bounce-no-mailbox
). With the chkuser patch this check can be done at SMTP level, i.e. after the client issued the RCPT TO command. If a message would be undeliverable, qmail-smtpd will answer with a error message instead of accepting the message and handling the bounce. With the increase of spam this looks like a better approach.
RCPT TO:<non-existant@domain.com> 550 sorry, no mailbox here by that name (#5.1.1 - chkusr)
LICENSE
Most of the patches within the zeitform qmail toaster are from other people. Most of them did not include any copyright or license information. So if you are in trouble, contact them for their lines of code.
This documentation and the merging of all patches was done by us. So we have some copyright after all. Where it applies, the license is either the GNU GPL or the GNU FDL, whichever fits better.
THE PATCH IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE PATCH OR THE USE OR OTHER DEALINGS IN THE PATCH.
REFERENCES AND CREDITS
The zeitform qmail toaster uses the patches, code or advice from a variety of people (in alphabetical order). The original patches are given as reference where it is possible.
- Matthias Andree: rfc2821
- Nagy Balazs: mfcheck
- Evan Borgstrom: qregex
- James Craig Burley: isoc
- Tom Clegg: pop3d-capa
- Christopher K. Davis: oversizedns
- Frank Denis: link-sync
- Phil Edwards: errno
- Scott Gifford: 0.0.0.0
- Bruce Guenter: qmailqueue
- Will Harris: size
- Erwin Hoffmann: smtp-auth, size-bugfix
- Andrew St. Jean: qregex (update)
- Chris Johnson: tarpit
- Vladimir Kabanov: valuable advice
- Dwayne Koonce: pop3d-stat
- Antonio Nati: chkusr
- David Phillips: sendmail-flagf
- Alex Pleiner: popup_cram-md5
- Dave Sill: Life with qmail
- Bill Shupp: maildir++
- Erik Sjoelund: qmail-local-fix
- Frederik Vereulen: tls
Recent Comments