Installing qmail-qfilter
Posted March 15, 2004

This is a quick guide to installing qmail-qfilter on a FreeBSD or similar system.

qmail-qfilter provides a convenient way to pass each incoming email message through a series of filters, each of which may reject or modify the message. This happens before the message enters the queue, so rejects do not become bounce messages. Instead, the client is told immediately that the message was not accepted.

Filters

In order to test your qmail-qfilter system, you will install two filters: badhelohost and badptr.

  • Both filters assume you are using tcpserver -R. They assume that a message whose most recent Received: line contains a username, like "(example@192.168.2.1)", can only come from an authenticated user, so it will never be rejected.
  • badhelohost rejects mail from clients whose HELO strings appear in your control files. Such clients almost exclusively send viruses or spam.
  • If yahoo.com is in /var/qmail/control/badhelohosts, then badhelohost also rejects mail from hosts which say "HELO yahoo.com" but do not have PTR and A records showing that they belong to yahoo.com.
    Warning: if yahoo.com is in your helomustmatchptr file, you will not be able to receive mail during DNS outages from any client that says "HELO yahoo.com". Yahoo's mail servers say HELO with their real hostnames, so this is not a problem. Hotmail's servers actually do say "HELO hotmail.com" though, so mail from Hotmail users will be delayed during DNS outages. Also, you should make sure you use "tcpserver -h".
  • badptr rejects mail from hosts whose PTR records match strings and regular expressions in /var/qmail/control/badptr.

Method

  1. Make sure your qmail binaries incorporate the QMAILQUEUE patch.

    • If you use FreeBSD and you have not installed qmail yet:
      echo WITH_QMAILQUEUE_PATCH=yes >> /etc/make.conf
      cd /usr/ports/mail/qmail
      make install
    • If you use FreeBSD and you have already installed the qmail and portupgrade ports:
      echo WITH_QMAILQUEUE_PATCH=yes >> /etc/make.conf
      portupgrade -f qmail
    • If you are installing qmail from source:
      tar xzf qmail-1.03.tar.gz
      cd qmail-1.03
      fetch http://www.qmail.org/qmailqueue-patch
      patch <qmailqueue-patch
      # apply other patches here
      make setup check
  2. Install qmail-qfilter.
    mkdir -p /usr/local/src
    cd /usr/local/src
    fetch http://untroubled.org/qmail-qfilter/qmail-qfilter-1.5.tar.gz
    tar xzf qmail-qfilter-1.5.tar.gz
    cd qmail-qfilter-1.5
    make
    ./installer
  3. Create a log file, /var/log/qfilter. This will be used by filters you download from http://tomclegg.net/software/.
    touch /var/log/qfilter
    chown qmaild /var/log/qfilter
    echo '/var/log/qfilter qmaild:wheel 644 2 * @T00 J' >>/etc/newsyslog.conf
  4. Create a /var/qmail/filter directory to store your filters in.
    mkdir /var/qmail/filter
  5. Install the qfilter-badhelohost and qfilter-badptr filters.
    cd /var/qmail/filter
    fetch http://tomclegg.net/software/qfilter-badhelohost
    chmod +x qfilter-badhelohost
    fetch http://tomclegg.net/software/qfilter-badptr
    chmod +x qfilter-badptr
  6. Set up "qmail-smtpd-filter". This specifies which filters qmail-smtpd will use.
    cat <<EOF >>/usr/local/bin/qmail-smtpd-filter
    #!/bin/sh
    exec /usr/local/bin/qmail-qfilter \
     /var/qmail/filter/qfilter-badhelohost \
     -- /var/qmail/filter/qfilter-badptr
    EOF
    chmod +x /usr/local/bin/qmail-smtpd-filter
  7. Set the QMAILQUEUE environment variable. Add this to the top of /service/qmail-smtpd/run (or whatever script is responsible for starting your tcpserver on port 25).
    export QMAILQUEUE="/usr/local/bin/qmail-smtpd-filter"
  8. Restart your smtp server.
    svc -t /service/qmail-smtpd
  9. Test your smtp server by sending mail to it from another machine.

Tests

Make sure you are using tcpserver's "-R" and "-h" options!

Assuming "example.com" is in rcpthosts or morercpthosts or locals...

This should succeed.

HELO foo
AUTH LOGIN
[valid authentication here]
MAIL FROM:<test@example.com>
RCPT TO:<test@example.com>
DATA
.

This should succeed.

HELO anything.not.in.rcpthosts.etc.example.org
MAIL FROM:<test@example.com>
RCPT TO:<test@example.com>
DATA
.

This should fail because the HELO string has no dots.

HELO foo
MAIL FROM:<test@example.com>
RCPT TO:<test@example.com>
DATA
.

This should fail because the HELO string is in rcpthosts or morercpthosts or locals.

HELO example.com
MAIL FROM:<test@example.com>
RCPT TO:<test@example.com>
DATA
.

This should fail because the HELO string consists of only digits and dots.

HELO 192.168.2.1
MAIL FROM:<test@example.com>
RCPT TO:<test@example.com>
DATA
.

This should fail because the HELO string consists of only digits and dots.

HELO 192....
MAIL FROM:<test@example.com>
RCPT TO:<test@example.com>
DATA
.
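
The HELO rules described under Filters and exercised by the tests above, as an added example that is not the page's own qfilter-badhelohost script. It assumes a qmail-qfilter filter receives the message on stdin, passes it through on stdout, and signals a permanent rejection by exiting with qmail-queue code 31; the set of local domains is constructed inline rather than read from rcpthosts, morercpthosts and locals.

```python
import re
import sys

# Domains a remote client may not use as its HELO string (the page's rcpthosts,
# morercpthosts and locals); constructed here instead of read from /var/qmail/control.
LOCAL_DOMAINS = {"example.com"}

# Newest Received: line as qmail-smtpd writes it under tcpserver -R, e.g.
# "Received: from unknown (HELO foo) (user@192.168.2.1)"; "user@" appears only after AUTH.
RECEIVED_RE = re.compile(
    r"^Received: from \S+ \(HELO (?P<helo>[^)]*)\) "
    r"\((?:(?P<user>[^@)]+)@)?(?P<ip>[^)]+)\)")

def first_received(message):
    """Return the first Received: header line, or None if the headers have none."""
    for line in message.split("\n"):
        if line == "":                      # blank line ends the header block
            return None
        if line.startswith("Received:"):
            return line
    return None

def check_helo(message, local_domains=LOCAL_DOMAINS):
    """Apply the badhelohost rules; return (accept, reason)."""
    m = RECEIVED_RE.match(first_received(message) or "")
    if not m:
        return True, "no parsable Received: line; not rejecting"
    if m.group("user"):                     # authenticated client: never reject
        return True, "authenticated as %s" % m.group("user")
    helo = m.group("helo")
    if "." not in helo:
        return False, "HELO string has no dots"
    if re.fullmatch(r"[0-9.]+", helo):
        return False, "HELO string is only digits and dots"
    if helo.lower() in local_domains:
        return False, "HELO string is one of our own domains"
    return True, "ok"

def main():
    # Assumed qmail-qfilter contract: message on stdin, copied to stdout, exit 0
    # to continue; exit with qmail-queue code 31 (permanent failure) to reject.
    message = sys.stdin.read()
    accept, reason = check_helo(message)
    if not accept:
        sys.stderr.write("qfilter-badhelohost: %s\n" % reason)
        sys.exit(31)
    sys.stdout.write(message)

if __name__ == "__main__":
    main()
```

Because the decision is made before the message enters the queue, a rejection here comes back to the client as the 554 "permanently rejected" response rather than as a bounce.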