Qmail, D. J. Bernstein's alternative to the well-known Sendmail MTA, has proven to be a more than worthy replacement for the latter. Its modern, modular, flexible, extendable, light-weight structure has more than once made it the first choice when selecting an MTA. This page holds some notes and patches of mine which reflect certain needs and experiences over the last couple of years.
- Spam Control & SMTP-AUTH unified patch
Two of the most important necessities over the last years have been dealing with spam and allowing certain users to relay, that is, to send their mail through a particular host even when they connect to it from a remote network.
Let's start with spam. Spam (UEM) is terrible and has to be fought, and even if it isn't fought it has to be dealt with somehow. There are many interesting and effective solutions for the user end, like procmail and other mail filters for modern MUAs. However, using them still allows the mail to reach your host, which causes completely unnecessary traffic and may also cost you a lot of money. Erwin Hoffman's spamcontrol, consisting of a number of patches, counters spam attacks by modifying Qmail's SMTP daemon to reject incoming mails according to several criteria, the sender, recipient, source and destination address being only a few. spamcontrol does not possess artificial intelligence and does not synchronize with remote spam databases, but is controlled by local include and exclude lists which also permit pattern matching and regular expressions.
When used with tcpserver, which is advisable anyway, Qmail's SMTP server can be told to relay incoming mail to remote hosts. This should be quite a comfortable and satisfactory feature for most static scenarios. However, if the source addresses are not known in advance, this method silently gives up. Here, too, spamcontrol comes in handy, since it can be explicitly told to accept mail from a certain sender (which does not necessarily have to exist). All the user's MUA would have to provide is a particular "MAIL FROM:" token, which it sends anyway. Since this can be faked and misused easily, it often appears more appropriate to use authentication instead, and that's what SMTP AUTH is all about. Before being permitted to relay their mail, the respective senders have to send a login/password pair.
There are many patches for Qmail which support PLAIN and LOGIN passwords, but these should be left alone: both transmit the password in the clear (merely base64-encoded). Instead CRAM-MD5 should be used, which answers a server challenge with a keyed hash of the password, so that the password itself never crosses the network.
Krzysztof Dabrowski offers a patch for Qmail's SMTP daemon which enables it to relay mail after the client has authenticated successfully. He also provides a utility called cmd5checkpw to handle user names and passwords in a separate database (that is, a plain text file).
Unfortunately, more than one patch rarely applies smoothly to the same file. That's why a unified patch has been created to deal with both otherwise disjoint patches, spamcontrol as well as SMTP AUTH. It also instructs qmail-smtpd to be a little more talkative when asked for help (SMTP code 214). Note that you still need the original files of the patches to extract the utilities and modified man pages.
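To make the CRAM-MD5 step described above concrete, here is an added example (not code from this page, from qmail-smtpd or from cmd5checkpw) that models the SMTP AUTH exchange: the server issues a base64-encoded challenge after "334 ", the client answers with "user hexdigest" where the digest is HMAC-MD5 of the challenge keyed with the password, and the server recomputes the digest from a cmd5checkpw-style "user:password" text file to verify it. The user names, passwords and hostname are constructed sample values.

```python
import base64
import hashlib
import hmac
import os
import time

# Constructed credential store in the style of cmd5checkpw's plain-text
# file: one "user:password" pair per line (hypothetical sample values).
CREDENTIALS_FILE = "alice:correct horse battery\nbob:s3cret\n"


def load_credentials(text):
    """Parse 'user:password' lines; blank lines and '#' comments are skipped."""
    creds = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, _, password = line.partition(":")
        creds[user] = password
    return creds


def make_challenge(hostname="mail.example.invalid"):
    """Server side: a fresh, unpredictable challenge in the usual <nonce.time@host> form."""
    nonce = base64.b16encode(os.urandom(8)).decode()
    return f"<{nonce}.{int(time.time())}@{hostname}>"


def cram_md5_response(username, password, challenge):
    """Client side: HMAC-MD5 over the challenge, keyed with the password (RFC 2195)."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return f"{username} {digest}"


def verify_response(creds, challenge, response):
    """Server side: recompute the digest for the claimed user and compare in constant time."""
    username, _, digest = response.partition(" ")
    stored_password = creds.get(username)
    if stored_password is None:
        return False  # unknown user; the password never leaves the server
    expected = cram_md5_response(username, stored_password, challenge).split(" ", 1)[1]
    return hmac.compare_digest(expected, digest)


def smtp_auth_exchange(creds, username, password):
    """Model the dialogue after 'AUTH CRAM-MD5': 334 <b64 challenge> -> b64 response -> verdict."""
    challenge = make_challenge()
    server_line = "334 " + base64.b64encode(challenge.encode()).decode()
    client_line = base64.b64encode(cram_md5_response(username, password, challenge).encode()).decode()
    ok = verify_response(creds, base64.b64decode(server_line[4:]).decode(),
                         base64.b64decode(client_line).decode())
    return ok, server_line, client_line
```

Only the hex digest, which is bound to a one-time challenge, is observable on the wire, which is why a captured CRAM-MD5 exchange cannot be replayed the way a captured PLAIN or LOGIN exchange can.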
- cmd5checkpw
Debugging information sometimes comes in very handy, in particular where security and authentication are concerned. cmd5checkpw (see above) is a fine utility, but does not provide any output. This patch simply employs syslog(3) to log whether or not a user has successfully authenticated using LOGIN, PLAIN or CRAM-MD5 for SMTP AUTH.
- checkpassword
checkpassword is a small utility which can be used to check user names and passwords against the system password file. It is the recommended companion of Qmail's POP3 server. If you do not want to use system passwords for your POP3 users, but prefer an external password database, you need a small patch for checkpassword.