Installing qmail-qfilter
Posted March 15, 2004
This is a quick guide to installing qmail-qfilter on a FreeBSD or similar system.
qmail-qfilter provides a convenient way to pass each incoming email message through a series of filters, each of which may reject or modify the message. This happens before the message enters the queue, so rejects do not become bounce messages. Instead, the client is told immediately that the message was not accepted.
Filters
In order to test your qmail-qfilter system, you will install two filters: badhelohost and badptr.
- Both filters assume you are using tcpserver -R. They assume that a message whose most recent Received: line contains a username, like "(example@192.168.2.1)", can only come from an authenticated user, so it will never be rejected.
badhelohost rejects mail from clients whose HELO strings appear in your control files. Such clients almost exclusively send viruses or spam.
- If yahoo.com is in /var/qmail/control/badhelohosts, then badhelohost also rejects mail from hosts which say "HELO yahoo.com" but do not have PTR and A records showing that they belong to yahoo.com. Warning: if yahoo.com is in your helomustmatchptr file, you will not be able to receive mail during DNS outages from any client who says "HELO yahoo.com". Yahoo's mail servers say HELO with their real hostnames, so this is not a problem. Hotmail's servers actually do say "HELO hotmail.com" though, so mail from Hotmail users will be delayed during DNS outages. Also, you should make sure you use "tcpserver -h".
badptr rejects mail from hosts whose PTR records match strings and regular expressions in /var/qmail/control/badptr.
Method
- Make sure your qmail binaries incorporate the QMAILQUEUE patch.
- If you use FreeBSD and you have not installed qmail yet:
echo WITH_QMAILQUEUE_PATCH=yes >> /etc/make.conf
cd /usr/ports/mail/qmail
make install
- If you use FreeBSD and you have already installed the qmail and portupgrade ports:
echo WITH_QMAILQUEUE_PATCH=yes >> /etc/make.conf
portupgrade -f qmail
- If you are installing qmail from source:
tar xzf qmail-1.03.tar.gz
cd qmail-1.03
fetch http://www.qmail.org/qmailqueue-patch
patch <qmailqueue-patch
# apply other patches here
make setup check
- Install qmail-qfilter.
mkdir -p /usr/local/src
cd /usr/local/src
fetch http://untroubled.org/qmail-qfilter/qmail-qfilter-1.5.tar.gz
tar xzf qmail-qfilter-1.5.tar.gz
cd qmail-qfilter-1.5
make
./installer
- Create a log file, /var/log/qfilter. This will be used by filters you download from http://tomclegg.net/software/.
touch /var/log/qfilter
chown qmaild /var/log/qfilter
echo '/var/log/qfilter qmaild:wheel 644 2 * @T00 J' >>/etc/newsyslog.conf
- Create a /var/qmail/filter directory to store your filters in.
mkdir /var/qmail/filter
- Install the qfilter-badhelohost and qfilter-badptr filters.
cd /var/qmail/filter
fetch http://tomclegg.net/software/qfilter-badhelohost
chmod +x qfilter-badhelohost
fetch http://tomclegg.net/software/qfilter-badptr
chmod +x qfilter-badptr
- Set up "qmail-smtpd-filter". This specifies which filters qmail-smtpd will use.
cat <<EOF >>/usr/local/bin/qmail-smtpd-filter
#!/bin/sh
exec /usr/local/bin/qmail-qfilter \
/var/qmail/filter/qfilter-badhelohost \
-- /var/qmail/filter/qfilter-badptr
EOF
chmod +x /usr/local/bin/qmail-smtpd-filter
- Set the QMAILQUEUE environment variable. Add this to the top of /service/qmail-smtpd/run (or whatever script is responsible for starting your tcpserver on port 25).
export QMAILQUEUE="/usr/local/bin/qmail-smtpd-filter"
- Restart your smtp server.
svc -t /service/qmail-smtpd
- Test your smtp server by sending mail to it from another machine.
Tests
Make sure you are using tcpserver's "-R" and "-h" options!
Assuming "example.com" is in rcpthosts or morercpthosts or locals...
This should succeed.
HELO foo
AUTH LOGIN
[valid authentication here]
MAIL FROM:<test@example.com>
RCPT TO:<test@example.com>
DATA
.
This should succeed.
HELO anything.not.in.rcpthosts.etc.example.org
MAIL FROM:<test@example.com>
RCPT TO:<test@example.com>
DATA
.
This should fail because the HELO string has no dots.
HELO foo
MAIL FROM:<test@example.com>
RCPT TO:<test@example.com>
DATA
.
This should fail because the HELO string is in rcpthosts or morercpthosts or locals.
HELO example.com
MAIL FROM:<test@example.com>
RCPT TO:<test@example.com>
DATA
.
This should fail because the HELO string consists of only digits and dots.
HELO 192.168.2.1
MAIL FROM:<test@example.com>
RCPT TO:<test@example.com>
DATA
.
This should fail because the HELO string consists of only digits and dots.
HELO 192....
MAIL FROM:<test@example.com>
RCPT TO:<test@example.com>
DATA
.
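The six sessions above come down to a few checks on the HELO string and on the newest Received: line. The function below is an added example that applies those checks; it is not the qfilter-badhelohost source and not code from this page. The function name, the Received: sample lines and the temporary host list are constructed for illustration, and the badhelohosts control file and the PTR/A lookups are not modelled.

```shell
#!/bin/sh
# Added example, not the qfilter-badhelohost source: the HELO rules that the
# tests on this page exercise. Names and sample data are assumptions.

# helo_verdict HELO RECEIVED_LINE FILE...
# FILE... are host lists (rcpthosts, morercpthosts, locals), one name per line.
# Prints a verdict; returns 0 to accept, 1 to reject.
helo_verdict() {
    helo=$1 received=$2
    shift 2
    # Authenticated sender: a "(user@ip)" token without spaces, so the
    # "(HELO ...)" field of the same line can never satisfy the match.
    if printf '%s\n' "$received" | grep -Eq '\([^ ()@]+@[0-9.]+\)'; then
        echo "accept: authenticated"; return 0
    fi
    case $helo in
        *.*) ;;
        *) echo "reject: no dots"; return 1 ;;
    esac
    case $helo in
        *[!0-9.]*) ;;   # has a character other than digits and dots
        *) echo "reject: only digits and dots"; return 1 ;;
    esac
    # Whole-line, case-insensitive, fixed-string match against our own names.
    for f in "$@"; do
        if [ -r "$f" ] && grep -qixF -e "$helo" "$f"; then
            echo "reject: HELO is one of our own names"; return 1
        fi
    done
    echo "accept: no rule matched"
}

# Constructed sample data: a one-line host list and two Received: lines.
demo() {
    hosts=$(mktemp) || return 1
    echo example.com >"$hosts"
    plain='Received: from unknown (HELO x) (192.168.2.1)'
    auth='Received: from unknown (HELO foo) (example@192.168.2.1)'
    printf '%-45s %s\n' 'foo (authenticated)' "$(helo_verdict foo "$auth" "$hosts")"
    for h in anything.not.in.rcpthosts.etc.example.org foo example.com \
             192.168.2.1 192....; do
        printf '%-45s %s\n' "$h" "$(helo_verdict "$h" "$plain" "$hosts")"
    done
    rm -f "$hosts"
}
demo
```

Host-list entries that begin with a dot (qmail's wildcard form in rcpthosts) are compared literally here, so they never match a HELO string.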