Hi all.
This is a bit unusual, I know. (Feel free to skip to "The actual issue").
Background:
Several years ago (in 2011), I made my "final" qmail installation.
I put up my recipe on my dedicated qmail Web-site, so I thought everything would be good.
Around 4 months later, an error in the HFS+ format caused my Web-directory to instantly disappear in probably less than a nanosecond.
All my Web-sites were lost.
The remaining part of the server was intact, though, so my servers kept running.
I managed to power down the server and make a DD backup of the remains.
I had some backups of most sites, but I had to purchase Data Rescue 3, so I could recover some of my latest Web-site work; I think I got around 50% restored (some of the sites were improved because of this event, though).
I also invested in a backup-utility and now run a daily rsync backup, so I've learned a few lessons. ;)
The actual issue:
Today, 4 years later, I subscribed to the debian-user mailing list, but my qmail could not send my posts to the lists.
It seems that my qmail does not have the "ANY DNS" patch, so I tried rebuilding my qmail, just to find out that the sources I've kept are not the sources that my currently running qmail was built from.
I get the following error:
"SMTP Protocol Error: 553 sorry, that domain isn't in my list of allowed rcpthosts; no valid cert for gatewaying (#5.7.1)"
After spending 14 days of trying to reconstruct the qmail using various patches, I think I need a little help identifying how I built the last one.
My setup:
I am denying any authorization/authentication on port 25.
I require secure authorization/authentication on port 587.
I have applied my own extension to RCPTCHECK, don't let this confuse you (I added extra environment variables).
If I telnet into port 587 and type 'ehlo testing', I get the following response:
---8<-----8<-----8<-----
250-example.com
250-STARTTLS
250-PIPELINING
250-8BITMIME
250-SIZE 0
250 AUTH LOGIN PLAIN
--->8----->8----->8-----
Notice that there's no "AUTH=LOGIN PLAIN"
My environment variables for starting qmail-smtpd on port 25 are as follows:
---8<-----8<-----8<-----
ALLOW_INSECURE_AUTH=0
AUTH=0
DENY_TLS=1
FORCETLS=0
RCPTCHECK=/var/qmail/bin/rcptchk
REQUIRE_AUTH=0
SSL=0
TCPLOCALHOST=mail.example.com
TCPLOCALIP=10.0.1.0
TCPLOCALPORT=25
--->8----->8----->8-----
... and for port 587 ...
---8<-----8<-----8<-----
ALLOW_INSECURE_AUTH=0
AUTH=1
DENY_TLS=0
FORCETLS=1
REQUIRE_AUTH=1
SSL=0
TCPLOCALHOST=mail.example.com
TCPLOCALIP=10.0.1.0
TCPLOCALPORT=587
--->8----->8----->8-----
Notice in the environment variables that I do not use the patches that require me to set "SMTPAUTH=!" either.
The build-date is Dec. 7, 2011, which means the patches I used must be before that date.
Those alone should actually provide great info.
My actual question is:
Which patch(es) use "ALLOW_INSECURE_AUTH", "DENY_TLS" and "REQUIRE_AUTH" ?
Normally, I would only apply a minimum set of patches, which means I'm not likely to use a "combined patch".
Is it *only* the patches from John M. Simpson, or are there others too ?
-A lot of arrows point in that direction, which means that I might have stopped rolling my own recipe and used John's patches with my own RCPTCHECK added (I would expect that John's patch would include the "ANY DNS" patch, though).
Additional notes:
I moved from using my own password verification to using vpopmail, so I could easily use Dovecot and Squirrelmail.
Love
Jens
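An added check, not part of Jens's post or of any qmail patch: it parses an EHLO reply like the one quoted above and compares the advertised capabilities with the per-port policy the two environment blocks express (no AUTH and no STARTTLS on port 25; TLS before AUTH on port 587). The sample replies are constructed from the post, and the mapping of those variables to server behaviour is an assumption taken from the post, not verified against the patches.

```python
import re

# Constructed sample: the pre-TLS EHLO reply the post shows on port 587.
EHLO_587 = """250-example.com
250-STARTTLS
250-PIPELINING
250-8BITMIME
250-SIZE 0
250 AUTH LOGIN PLAIN
"""

# Constructed sample for port 25 as AUTH=0 / DENY_TLS=1 would imply: no AUTH, no STARTTLS.
EHLO_25 = "250-example.com\r\n250-PIPELINING\r\n250-8BITMIME\r\n250 SIZE 0\r\n"

def parse_ehlo(reply: str):
    """Return (greeting_domain, {keyword: [params]}) from a multi-line 250 reply.
    Accepts both 'AUTH LOGIN PLAIN' and the legacy 'AUTH=LOGIN PLAIN' form."""
    lines = [l.rstrip("\r") for l in reply.splitlines() if l.strip()]
    domain, caps = None, {}
    for i, line in enumerate(lines):
        m = re.match(r"^250([ -])(.*)$", line)
        if not m:
            raise ValueError(f"unexpected EHLO line: {line!r}")
        sep, text = m.groups()
        if i == 0:
            domain = text.split()[0]          # first line carries the server name
        else:
            text = re.sub(r"^AUTH=", "AUTH ", text)   # normalise legacy form
            parts = text.split()
            caps[parts[0].upper()] = parts[1:]
        if sep == " " and i != len(lines) - 1:
            raise ValueError("final '250 ' line before end of reply")
    if not lines or lines[-1][3] != " ":
        raise ValueError("reply not terminated by a '250 ' line")
    return domain, caps

def check_policy(port: int, caps, tls_established: bool = False):
    """Compare advertised capabilities with the post's per-port policy (assumed
    semantics of the env vars). Returns a list of findings; empty means it matches."""
    findings = []
    if port == 25:            # AUTH=0, DENY_TLS=1: relay port, no auth, no TLS
        if "AUTH" in caps:
            findings.append("port 25 advertises AUTH although AUTH=0")
        if "STARTTLS" in caps:
            findings.append("port 25 advertises STARTTLS although DENY_TLS=1")
    elif port == 587:         # AUTH=1, FORCETLS=1, REQUIRE_AUTH=1: TLS-first auth
        if not tls_established and "STARTTLS" not in caps:
            findings.append("submission port offers no STARTTLS")
        if not tls_established and "AUTH" in caps:
            findings.append("AUTH advertised before STARTTLS on port 587")
        if tls_established and "AUTH" not in caps:
            findings.append("no AUTH offered after TLS on port 587")
    return findings
```

Run against the quoted 587 reply, the check reports AUTH being offered on the still-cleartext session, which is worth confirming the server really refuses with ALLOW_INSECURE_AUTH=0.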