qmail toaster

qmail is a secure, reliable, efficient and simple MTA written by Dan J. Bernstein. It has been free of security bugs since 1998 and is freely available.

But vanilla qmail does not support security mechanisms like SMTP authentication or SSL/TLS. While it supports RBLs via tcpserver, it has no anti-spam features such as checking the Envelope-From or tarpitting SMTP connections. It further has no hook for virus scanners or spam filters. And last but not least, it lacks some nice-to-have features.

Nevertheless, qmail is one of the best choices for running an MTA.

There are several patches and patch collections that add single or multiple extensions to qmail. This zeitform qmail toaster is another one. Check what we provide and use this patch if it fits your needs. You are welcome.

FEATURE OVERVIEW

The zeitform qmail toaster adds the following features to qmail:

ANTI-SPAM AND ANTI-VIRUS

  • Block executable attachments at SMTP level
  • Hook for qmail-queue replacement (via QMAILQUEUE) enables qmail to run a virus scanner and/or spam filter on every message [*]
  • Check for resolvable domain within the Envelope-From
  • Tarpit the SMTP dialog when a message has a large number of recipients
  • Filter bad HELO-strings, envelope senders and recipients based on regular expressions

SECURITY ENHANCEMENTS

  • Support for STARTTLS and SMTP over SSL/TLS as Client and Server
  • SMTP authentication via LOGIN, PLAIN or CRAM-MD5
  • POP3 authentication via CRAM-MD5

OTHER ENHANCEMENTS

  • Standard compliant ESMTP SIZE command
  • CAPA command for POP3
  • Skip MX servers that greet with 4xx or 5xx and try the next MX (RFC 2821 compliance)
  • Support for Maildir++ (maildirquota) for vpopmail
  • Check existence of vpopmail user before accepting message at SMTP level

BUGFIXES AND WORKAROUNDS

  • Compile with the new glibc (2.3.1 or newer) [*]
  • Fix a bug when a line in .qmail contains only tabs [*]
  • Recognize 0.0.0.0 as a local IP address. This prevents spammers from spoofing it [*]
  • Support the sendmail -f flag [*]
  • Improve ISO C conformance [*]
  • Handle oversized DNS packets
  • Return correct number of messages on POP3 STAT command
  • Linux: reliability for EXT2 and ReiserFS

All features marked [*] are also included in netqmail-1.05.

DOWNLOAD

Download the following files:

INSTALLATION

Install qmail as explained in Life with qmail.

If everything works correctly, install the patches:

cd qmail-1.03
patch -p0 < ../zeitform-qmail-toaster-0.21.patch
make
make setup check

USAGE AND CONFIGURATION

The zeitform qmail toaster adds or modifies the following configuration files:

Table 1: configuration files

  signatures        signatures of executable content to block
  badhelo           regular expressions matching bad HELO strings
  badmailfrom       regular expressions matching bad senders
  badmailto         regular expressions matching bad recipients
  databytes         maximum message size for incoming SMTP
  clientcert.pem    SSL certificate when acting as SMTP client
  servercert.pem    SSL certificate when acting as SMTP server
  dh1024.pem        1024 bit DH key
  dh512.pem         512 bit DH key
  rsa512.pem        512 bit RSA key
  clientca.pem      list of CAs for client authentication
  clientcrl.pem     list of CRLs for client authentication
  tlsclients        list of e-mail addresses for client authentication
  tlsclientciphers  list of OpenSSL cipher strings for the client
  tlsserverciphers  list of OpenSSL cipher strings for the server
  tlshosts/*        certificates for servers with required authentication

And it adds the following environment variables:

Table 2: environment variables

  EXECUTABLEOK   disables the blocking of executable attachments
  QMAILQUEUE     path to the qmail-queue replacement
  DATABYTES      overrides control/databytes
  NOBADHELO      disables the checking of HELO strings
  SMTPS          starts SMTP over TLS

BLOCK EXECUTABLE ATTACHMENTS

The blocking of executable attachments is controlled with the configuration file control/signatures. This file contains BASE64 signatures of the MIME attachments you want to block. To create your own signatures, look at the raw mail and put the significant bytes of the attachment's first line into the control file. The following example blocks Windows executables and includes (commented out) signatures for Zip archives:

cat <<EOF >/var/qmail/control/signatures
# Windows executables seen in active virii
TVqQAAMAA
TVpQAAIAA
# Additional windows executable signatures not yet 
# seen in virii
TVpAALQAc
TVpyAXkAX
TVrmAU4AA
TVrhARwAk
TVoFAQUAA
TVoAAAQAA
TVoIARMAA
TVouARsAA
TVrQAT8AA
# .ZIPfile signature seen in SoBig.E and mydoom:
#UEsDBBQAA
#UEsDBAoAAA
EOF

To disable the blocking of executables set the environment variable EXECUTABLEOK.
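The following is an added example, not code from the toaster: it shows where the BASE64 values in control/signatures come from (the DOS "MZ" header of a Windows executable encodes to the TVqQ... prefix above) and applies the same prefix check to the first body line of every MIME part of a constructed message. The control file content, the message and the attachment bytes are constructed here; the exact way the patch walks the message is an assumption.

```python
import base64
import email
from email import policy

# Constructed control/signatures content in the page's format:
# one BASE64 prefix per line, '#' starts a comment. The ZIP line is
# commented out, as in the page's example, so archives pass.
SIGNATURES_FILE = """\
# Windows executables
TVqQAAMAA
TVpQAAIAA
# ZIP archives (disabled)
#UEsDBBQAA
"""


def load_signatures(text):
    """Parse a control/signatures file: skip blank lines and '#' comments."""
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            sigs.append(line)
    return sigs


def signature_for(magic, length=9):
    """BASE64 prefix that an attachment starting with `magic` will have.
    This is how the TVqQ... values are derived from the 'MZ' DOS header."""
    return base64.b64encode(magic).decode("ascii")[:length]


def first_body_line(part):
    """First non-blank line of a MIME part's body as transmitted (still BASE64)."""
    payload = part.get_payload(decode=False)
    if not isinstance(payload, str):
        return ""
    for line in payload.splitlines():
        if line.strip():
            return line.strip()
    return ""


def find_blocked_signature(raw_message, signatures):
    """Return the signature matched by any non-multipart MIME part, else None.
    Prefix comparison on the first encoded body line, as the text describes."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    for part in msg.walk():
        if part.is_multipart():
            continue
        first = first_body_line(part)
        for sig in signatures:
            if first.startswith(sig):
                return sig
    return None


def build_message(attachment_bytes, filename):
    """Constructed two-part message with one BASE64-encoded attachment."""
    body = base64.encodebytes(attachment_bytes).decode("ascii")
    return (
        "From: alice@example.invalid\n"
        "To: bob@example.invalid\n"
        "Subject: constructed test\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="zzz"\n'
        "\n"
        "--zzz\n"
        "Content-Type: text/plain\n"
        "\n"
        "see attachment\n"
        "--zzz\n"
        f'Content-Type: application/octet-stream; name="{filename}"\n'
        "Content-Transfer-Encoding: base64\n"
        "\n"
        + body +
        "--zzz--\n"
    )


# Constructed file headers: a DOS/PE 'MZ' header and a ZIP local file header.
SAMPLE_EXE = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00" + b"\x00" * 48
SAMPLE_ZIP = b"PK\x03\x04\x14\x00\x00\x00\x08\x00" + b"\x00" * 40

if __name__ == "__main__":
    sigs = load_signatures(SIGNATURES_FILE)
    print("MZ header encodes to", signature_for(SAMPLE_EXE[:8]))
    print("exe blocked by", find_blocked_signature(build_message(SAMPLE_EXE, "setup.exe"), sigs))
    print("zip blocked by", find_blocked_signature(build_message(SAMPLE_ZIP, "archive.zip"), sigs))
```

Because the comparison is a plain prefix match, a nine-character signature such as TVqQAAMAA only covers executables whose first eight header bytes are identical; signature_for shows which prefix a given header produces, so you can check a new signature against a real sample before adding it to the control file.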

USING A QMAIL-QUEUE REPLACEMENT

To use a replacement for qmail-queue, set the environment variable QMAILQUEUE to the path of the queue replacement. A good example is Qmail-Scanner. It allows you to run all incoming messages through one or more virus scanners (like Clam AntiVirus or a variety of commercial products) and/or SpamAssassin for spam filtering.

CHECKING THE ENVELOPE-FROM

If you receive mail from user@domain.com and the mail cannot be delivered to the recipient, it must be bounced. If domain.com does not exist, qmail sends a double bounce.

As most spammers fake the sender address — even to non-existent ones — it can be reasonable to check if the Envelope-From’s domain exists.

If domain.com can’t be resolved via DNS, qmail will not accept the message for delivery.

TARPITTING

Regular users won't send messages to a large number of recipients; spammers do. To make life a bit harder for spammers, tarpitting inserts a small delay between accepting recipients. With this feature qmail can be configured to insert delays once a certain number of recipients is exceeded.

CHECKING HELO-STRINGS, SENDERS AND RECIPIENTS WITH REGULAR EXPRESSIONS

Vanilla qmail can filter incoming mails based on a list of bad senders in the file control/badmailfrom, but does not support regular expressions.

With this patch control/badmailfrom is expanded to understand regular expressions, and the files control/badmailto and control/badhelo are added that keep regex-based lists of bad recipients and bad HELO strings. For further details see the file README.qregex. Some examples:

# example for "badhelo"
# block host strings with no dot (not a FQDN)
!\.
# example for "badmailfrom"
# drop everything containing the word spam
.*spam.*
# force users to fully qualify themselves
# (ie deny "user", accept "user@domain")
!@
# example for "badmailto"
# must not contain invalid characters, brackets or multiple @'s
[!%#:*^(){}]
@.*@
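As an added example (not part of the patch or README.qregex), the following evaluates the three rule files above the way the page's own examples imply: each line is a regular expression, a leading "!" negates the rule so the value is denied when the expression does not match, and "#" starts a comment. The control file contents and the HELO, sender and recipient values are constructed here; case-sensitive matching is an assumption, so check README.qregex for the flags the patch actually uses.

```python
import re

# Constructed control files carrying the rules shown on the page.
BADHELO = r"""
# block host strings with no dot (not a FQDN)
!\.
"""

BADMAILFROM = r"""
# drop everything containing the word spam
.*spam.*
# force users to fully qualify themselves
!@
"""

BADMAILTO = r"""
# must not contain invalid characters, brackets or multiple @'s
[!%#:*^(){}]
@.*@
"""


def load_rules(text):
    """Parse a qregex-style control file into (negate, compiled regex, line).
    A leading '!' negates the rule; '#' lines and blank lines are skipped.
    Assumption: case-sensitive matching (see README.qregex for the real flags)."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        negate = line.startswith("!")
        pattern = line[1:] if negate else line
        rules.append((negate, re.compile(pattern), line))
    return rules


def matching_rule(value, rules):
    """Return the rule line that denies `value`, or None if it is accepted.
    A positive rule denies when the regex is found anywhere in the value;
    a negated rule denies when the regex is NOT found."""
    for negate, regex, line in rules:
        hit = regex.search(value) is not None
        if hit != negate:
            return line
    return None


def check_session(helo, sender, recipients):
    """Apply the three lists at the stages where qmail-smtpd would: HELO,
    MAIL FROM and each RCPT TO. Returns a list of (stage, value, rule)."""
    denials = []
    rule = matching_rule(helo, load_rules(BADHELO))
    if rule:
        denials.append(("HELO", helo, rule))
    rule = matching_rule(sender, load_rules(BADMAILFROM))
    if rule:
        denials.append(("MAIL FROM", sender, rule))
    for rcpt in recipients:
        rule = matching_rule(rcpt, load_rules(BADMAILTO))
        if rule:
            denials.append(("RCPT TO", rcpt, rule))
    return denials


if __name__ == "__main__":
    for stage, value, rule in check_session(
        "localhost", "user", ["bob@example.invalid", "a@b@example.invalid"]
    ):
        print(f"{stage} {value!r} denied by rule {rule!r}")
```

The "!" form is the one to reach for when you want to require something (a dot in the HELO name, an "@" in the sender) rather than forbid it; mixing both forms in one file is fine because each line is evaluated independently and the first rule that denies wins.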

SMTP AND POP3 PROTOCOL EXTENSIONS

SMTP AUTH adds authentication to the SMTP protocol and to qmail-smtpd in particular. This enables selective relaying for users on dynamic IP addresses. The applied patch supports authentication via the PLAIN, LOGIN or CRAM-MD5 SASL mechanisms. All mechanisms but CRAM-MD5 send the password unencrypted and should be avoided in unencrypted SMTP sessions.

SMTP SIZE adds the SIZE command to qmail. By default qmail limits the size of incoming messages to the number of bytes given in control/databytes, but does not announce this limit. SMTP clients that honour the SIZE value will not start the DATA phase for larger messages, which saves traffic.

STARTTLS adds SSL/TLS encryption to the SMTP session once the command is issued. Please see README.tls for details and configuration issues.

Example:

220 mail.zeitform.de ESMTP
EHLO host.de
250-mail.zeitform.de
250-STARTTLS
250-AUTH LOGIN CRAM-MD5 PLAIN
250-AUTH=LOGIN CRAM-MD5 PLAIN
250-PIPELINING
250-8BITMIME
250 SIZE 50000000

POP3 CAPA is a command that lists the capabilities of a POP3 server. Vanilla qmail does not offer this command. It is required to advertise the AUTH methods.

POP3 AUTH offers SASL authentication via CRAM-MD5. While this is not strictly necessary, as APOP already provides authentication without a plaintext password, some clients support it and it is considered more secure than APOP. Using CRAM-MD5 authentication with vpopmail requires a patch for vchkpw.

Example:

+OK <23137.1078842811@guildenstern.zeitform.de>
CAPA
+OK Capability list follows
TOP
UIDL
LAST
USER
APOP
SASL CRAM-MD5
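The following added example (not code from the toaster) ties the SMTP and POP3 sections together from the client's and the server's side. It parses the EHLO response quoted above into capabilities, uses SIZE to refuse a DATA phase that would be rejected anyway, picks an AUTH mechanism so that PLAIN or LOGIN are only used once STARTTLS is active, and implements the CRAM-MD5 exchange (RFC 2195) that both SMTP AUTH and POP3 AUTH use: the password never travels on the wire, only an HMAC-MD5 over the server's challenge. The user table and the challenge string are constructed here.

```python
import base64
import hashlib
import hmac

# Server lines of the EHLO response from the page's transcript.
EHLO_RESPONSE = """\
250-mail.zeitform.de
250-STARTTLS
250-AUTH LOGIN CRAM-MD5 PLAIN
250-AUTH=LOGIN CRAM-MD5 PLAIN
250-PIPELINING
250-8BITMIME
250 SIZE 50000000
"""

# Constructed server-side credentials and challenge (not from the page).
USERS = {"alice": "s3cret"}
CHALLENGE_B64 = base64.b64encode(b"<1896.697170952@mail.example.invalid>").decode("ascii")


def parse_ehlo(response):
    """Map each advertised ESMTP keyword to its parameters. The first line is
    the server name, not a capability; 'AUTH=...' is the legacy spelling of
    the AUTH line and is folded into AUTH without duplicating mechanisms."""
    caps = {}
    for line in response.splitlines()[1:]:
        if not line.startswith("250"):
            continue
        text = line[4:].strip()               # drop '250-' or '250 '
        if not text:
            continue
        keyword, _, params = text.replace("=", " ", 1).partition(" ")
        known = caps.setdefault(keyword.upper(), [])
        for p in params.split():
            if p.upper() not in known:
                known.append(p.upper())
    return caps


def max_message_size(caps):
    """SIZE limit in bytes, or None if the server announces no usable value."""
    params = caps.get("SIZE")
    if params and params[0].isdigit() and int(params[0]) > 0:
        return int(params[0])
    return None


def may_send(caps, message_bytes):
    """Client-side SIZE check: do not start DATA for an oversized message."""
    limit = max_message_size(caps)
    return limit is None or message_bytes <= limit


def choose_auth(caps, tls_active):
    """CRAM-MD5 never puts the password on the wire, so it is acceptable on a
    plain session. PLAIN and LOGIN send it (base64 is not encryption) and are
    only chosen inside TLS; otherwise refuse to authenticate at all."""
    offered = caps.get("AUTH", [])
    if "CRAM-MD5" in offered:
        return "CRAM-MD5"
    if tls_active:
        for mech in ("PLAIN", "LOGIN"):
            if mech in offered:
                return mech
    return None


def cram_md5_response(username, password, challenge_b64):
    """Client half of CRAM-MD5: base64('<username> <hex HMAC-MD5(password, challenge)>')."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode("utf-8")).decode("ascii")


def verify_cram_md5(users, challenge_b64, response_b64):
    """Server half: recompute the digest for the claimed user and compare in
    constant time. Returns the username on success, None otherwise. Note the
    server needs the plaintext password (or equivalent HMAC key material)."""
    try:
        decoded = base64.b64decode(response_b64, validate=True).decode("utf-8")
        username, digest = decoded.rsplit(" ", 1)
    except (ValueError, UnicodeDecodeError):
        return None
    password = users.get(username)
    if password is None:
        return None
    challenge = base64.b64decode(challenge_b64)
    expected = hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return username if hmac.compare_digest(expected, digest.lower()) else None


if __name__ == "__main__":
    caps = parse_ehlo(EHLO_RESPONSE)
    print("capabilities:", caps)
    print("mechanism before STARTTLS:", choose_auth(caps, tls_active=False))
    resp = cram_md5_response("alice", "s3cret", CHALLENGE_B64)
    print("server accepts alice:", verify_cram_md5(USERS, CHALLENGE_B64, resp))
```

The trade-off the POP3 section hints at is visible in verify_cram_md5: the server can only check the HMAC if it holds the plaintext password (or an HMAC-MD5 context derived from it), so CRAM-MD5 protects the password in transit at the cost of how it must be stored, which is the same reason the page notes that vchkpw required a patch.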

For further information on the protocols POP3 and SMTP:

VPOPMAIL SUPPORT

The zeitform qmail toaster adds Maildir++ quota support to qmail. This improves the interoperability with vpopmail.

If a message arrives for a recipient address that has no valid user associated with it (neither a POP3 account nor a forward to a different address), vpopmail may deliver this message to a catch-all account (e.g. postmaster) or bounce the message as not deliverable (bounce-no-mailbox). With the chkuser patch this check can be done at SMTP level, i.e. after the client has issued the RCPT TO command. If a message would be undeliverable, qmail-smtpd answers with an error message instead of accepting the message and handling the bounce. With the increase of spam this looks like the better approach.

RCPT TO:<non-existant@domain.com>
550 sorry, no mailbox here by that name (#5.1.1 - chkusr)

LICENSE

Most of the patches within the zeitform qmail toaster are from other people. Most of them did not include any copyright or license information. So if you are in trouble, contact them about their lines of code.

This documentation and the merging of all patches was done by us. So we have some copyright after all. Where it applies, the license is either the GNU GPL or the GNU FDL, whichever fits better.

THE PATCH IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE PATCH OR THE USE OR OTHER DEALINGS IN THE PATCH.

REFERENCES AND CREDITS

The zeitform qmail toaster uses the patches, code or advice from a variety of people (in alphabetical order). The original patches are given as reference where it is possible.
