Mailing List Archive

ATTENTION Qmail GURUS: mail-mta/qmail & RBLs
Hello,

We've been compiling qmail by hand here at WingNET,
which is a royal pain. I've been looking at the
mail-mta/qmail port lately, and it looks perfect
(other than the fact that at least one patch has
changed locations since the -r15 ebuild),
but doesn't it make using rblsmtpd unreliable
due to the STARTTLS/SSL patch?

My understanding has always been that since rblsmtpd
has to run BEFORE qmail-smtpd, a valid user on a
blacklisted IP will be blocked before they can AUTH
via STARTTLS/SSL.

Is this true of the mail-mta/qmail port?

If so, how have you been dealing with this? Do you
just chalk it up as an acceptable risk? Do you use
some other form of RBL checking? Do you not use
RBLs at all?

I ask because I have a pair of patches (one for
qmail-smtpd and one for ucspi-tcp's rblsmtpd) that
make it possible to use rblsmtpd and qmail-smtpd
safely together. A successful SMTP AUTH overrides
any RBL blacklist. Here's how it works:

My rblsmtpd.c patch basically allows rblsmtpd, if
the -p option is specified, to set the RBLID
environment variable INSTEAD of carrying on a dummy
SMTP conversation with the remote client. The
qmail-smtpd.c patch then acts appropriately on the
RBLID env variable to block or allow the email message
based on whether or not the remote client auths
successfully.

Note well: The attached patch's RBLID environment
variable is NOT compatible with the RBLID patch by
Marcus Stumpf, found here:

http://www.lamer.de/maex/creative/software/qmail/103-rblid/

See attached for patches to rblsmtpd.c
and qmail-smtpd.c to allow use of rblsmtpd _WITH_ SMTP AUTH.


Is there any interest in including these patches in the
mail-mta/qmail port? I wrote this patch back in late 2003,
and I haven't tested it yet against mail-mta/qmail, but if
there is interest then I would be more than happy to do the
work necessary to get it committed to CVS.

Thanks!

--
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v) 423-559-5145 (f)
http://www.wingnet.net
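
The deferred RBL decision described in the message above, modelled as an added C example; it is not part of the original thread and is not the author's patch. The struct and function names, the choice of MAIL FROM as the point where the listing is enforced, and the 451 reply (rblsmtpd's default temporary error) are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical session state; names are illustrative, not from the patch. */
struct session {
    const char *rblid;  /* listing text handed over in RBLID, or NULL */
    int authed;         /* 1 after a successful SMTP AUTH */
    int have_mail;      /* 1 once MAIL FROM has been accepted */
};

void session_init(struct session *s, const char *rblid) {
    s->rblid = (rblid && *rblid) ? rblid : NULL;  /* empty means not listed */
    s->authed = 0;
    s->have_mail = 0;
}

/* Return the SMTP reply code for one command. auth_ok stands in for the
   outcome of the real credential check and is only read for AUTH. */
int smtp_command(struct session *s, const char *verb, int auth_ok) {
    if (strcmp(verb, "AUTH") == 0) {
        if (s->authed) return 503;   /* already authenticated */
        if (!auth_ok) return 535;    /* bad credentials: listing still applies */
        s->authed = 1;
        return 235;
    }
    if (strcmp(verb, "MAIL") == 0) {
        /* Deferred RBL decision (assumed to happen at MAIL FROM):
           451 mirrors rblsmtpd's default temporary rejection. */
        if (s->rblid && !s->authed) return 451;
        s->have_mail = 1;
        return 250;
    }
    if (strcmp(verb, "RCPT") == 0) return s->have_mail ? 250 : 503;
    return 502;                      /* other verbs are not modelled */
}

int main(void) {
    /* Constructed session: a listed client that authenticates, then sends. */
    const char *env = getenv("RBLID");
    struct session s;
    session_init(&s, env ? env : "constructed listing text");
    printf("AUTH -> %d\n", smtp_command(&s, "AUTH", 1));
    printf("MAIL -> %d\n", smtp_command(&s, "MAIL", 0));
    printf("RCPT -> %d\n", smtp_command(&s, "RCPT", 0));
    return 0;
}
```

A failed AUTH leaves the listing in force, so a listed client cannot get past the check by merely attempting authentication.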
Re: ATTENTION Qmail GURUS: mail-mta/qmail & RBLs
On Wed, 15 Sep 2004, Jesse Guardiani wrote:

> If so, how have you been dealing with this? Do you
> just chalk it up as an acceptable risk? Do you use
> some other form of RBL checking? Do you not use
> RBLs at all?

I am in a similar position. I'll be building a new mail server and am using
Gentoo for the first time for the base OS. I note there are several qmail
packages available but I'm not sure which version has all the patches we
need.

Ideally, I would like to have the following:

tcpserver with the MySQL patch

qmail package with chkusr, SMTP auth, SSL and tarpitting patches

I'm currently using rblsmtpd with the sbl-xbl RBL and would like that too.


> Is there any interest in including these patches in the
> mail-mta/qmail port? I wrote this patch back in late 2003,
> and I haven't tested it yet against mail-mta/qmail, but if
> there is interest then I would be more than happy to do the
> work necessary to get it committed to CVS.

Yes, I would be very interested in helping put together the ultimate qmail
package - maybe using USE flags to apply various patches or what?


--
Aj.
Sys. Admin / Developer

--
gentoo-user@gentoo.org mailing list
Re: ATTENTION Qmail GURUS: mail-mta/qmail & RBLs
On Wednesday 15 September 2004 11:35 pm, Ajai Khattri wrote:
> On Wed, 15 Sep 2004, Jesse Guardiani wrote:
>
> > If so, how have you been dealing with this? Do you
> > just chalk it up as an acceptable risk? Do you use
> > some other form of RBL checking? Do you not use
> > RBLs at all?
>
> I am in a similar position. I'll be building a new mail server and am using
> Gentoo for the first time for the base OS. I note there are several qmail
> packages available but I'm not sure which version has all the patches we
> need.

I've found today that I'm having to make copies of the major programs
(ucspi-tcp,qmail,vpopmail,qmailadmin,courier-imap,etc...) in /usr/local/portage/...
because we REQUIRE subtle differences from what is the default in Gentoo.

Oh well...

The good news is that I got my patches working with the Gentoo standard
qmail code. I need to test it still, but it should work fine.


> Ideally, I would like to have the following:
>
> tcpserver with the MySQL patch
>
> qmail package with chkusr, SMTP auth, SSL and tarpitting patches
>
> I'm currently using rblsmtpd with the sbl-xbl RBL and would like that too.

You need my patches then. Otherwise, if your user is on a blocked IP
he/she won't even get a chance to AUTH. My patch fixes this, and adds
some nice RBL logging as well.


> > Is there any interest in including these patches in the
> > mail-mta/qmail port? I wrote this patch back in late 2003,
> > and I haven't tested it yet against mail-mta/qmail, but if
> > there is interest then I would be more than happy to do the
> > work necessary to get it committed to CVS.
>
> Yes, I would be very interested in helping put together the ultimate qmail
> package - maybe using USE flags to apply various patches or what?

Geez, not me. I'm interested in getting my patches committed to
the ucspi-tcp and qmail ports, but no way am I interested in
straightening out the vpopmail mess. Too many differing opinions
and too much crappy code (vpopmail, specifically. It's too bad
there's nothing better out there that offers the same features.)

--
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v) 423-559-5145 (f)
http://www.wingnet.net


Re: ATTENTION Qmail GURUS: mail-mta/qmail & RBLs
On Thu, 16 Sep 2004, Jesse Guardiani wrote:

> Geez, not me. I'm interested in getting my patches committed to
> the ucspi-tcp and qmail ports, but no way am I interested in
> straightening out the vpopmail mess. Too many differing opinions
> and too much crappy code (vpopmail, specifically. It's too bad
> there's nothing better out there that offers the same features.)

I forgot to mention, I used vpopmail with qmail all the time.

While I agree with you, there has been some good progress on vpopmail too.
Firstly, the code was forked off into a sourceforge project and away from
the Inter7 guys.

Secondly, the code has been cleaned up, bugs fixed and now new features
are starting to be worked on. I would recommend you check out the
sourceforge version of vpopmail. Qmailadmin was also forked and moved to
sourceforge; however, there is work on a PHP-based interface now.


--
Aj.
Sys. Admin / Developer

Re: ATTENTION Qmail GURUS: mail-mta/qmail & RBLs
Ajai Khattri wrote:

> On Thu, 16 Sep 2004, Jesse Guardiani wrote:
>
>> Geez, not me. I'm interested in getting my patches committed to
>> the ucspi-tcp and qmail ports, but no way am I interested in
>> straightening out the vpopmail mess. Too many differing opinions
>> and too much crappy code (vpopmail, specifically. It's too bad
>> there's nothing better out there that offers the same features.)
>
> I forgot to mention, I used vpopmail with qmail all the time.
>
> While I agree with you, there has been some good progress on vpopmail too.
> Firstly, the code was forked off into a sourceforge project and away from
> the Inter7 guys.

I'm aware of that. That's one of the reasons why I'm still using
it on my servers, and not going with Postfix or something. They've
got a long way to go before I say "man, that's some nice clean code",
though. Have you seen the soft domain quota code? It's pathetic!
I pitched a fit when the inter7 folks committed that code.

And sadly, I think they'll need to make all of the configure options
run-time configurable (vs. compile time) before vpopmail becomes
really easy to install via something like Portage.

But back to the topic: I'll try to make my patches available later
today and submit a bug at bugs.gentoo.org.

--
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v) 423-559-5145 (f)
http://www.wingnet.net



Re: Re: ATTENTION Qmail GURUS: mail-mta/qmail & RBLs
On Thu, 16 Sep 2004, Jesse Guardiani wrote:

> I'm aware of that. That's one of the reasons why I'm still using
> it on my servers, and not going with Postfix or something. They've
> got a long way to go before I say "man, that's some nice clean code",
> though. Have you seen the soft domain quota code? It's pathetic!
> I pitched a fit when the inter7 folks committed that code.

The point is though that the folks working on the sourceforge version are
much more active and respond to patches (unlike the inter7 guys who seem
to just sit on stuff).

> And sadly, I think they'll need to make all of the configure options
> run-time configurable (vs. compile time) before vpopmail becomes
> really easy to install via something like Portage.

Have you looked at the latest configure options? It's much better than the
stock inter7 code...

--
Aj.
Sys. Admin / Developer
