Upgrading qmail

October 26, 2024 by Roberto Puzzanghera 532 comments

For my convenience I moved the qmail sources to my github space. Nonetheless, all information about qmail and related programs will continue to be posted in this web space, and these pages remain the place to seek support. From now on, instead of releasing a combined patch for qmail, I'll release a package which is the result of the ancient netqmail-1.06 plus the patches and modifications listed below.

Changelog

WARNING: IF YOU ARE UPGRADING qmail AND YOU ARE USING A VERSION BEFORE 2024.01.11, BE AWARE THAT dk-filter HAS BEEN DROPPED, SO YOU HAVE TO RECONFIGURE DKIM AND MODIFY YOUR rc FILE ACCORDINGLY.

  • Oct 26, 2024
    - qmail-remote.c patched to dynamically touch control/notlshosts/<fqdn> if control/notlshosts_auto contains any number greater than 0, in order to skip the TLS connection for remote servers with an obsolete TLS version. (tx Alexandre Fonceca) (commit)
    - defined CHKUSER_DISABLE_VARIABLE "RELAYCLIENT" in chkuser_settings.h
    - enabled CHKUSER_SENDER_NOCHECK_VARIABLE "RELAYCLIENT" in chkuser_settings.h
    - fixed several compilation breaks/warnings on later gcc compilers (tx Pablo Murillo)
    - invalid auth fix in qmail-smtpd.c's smtp_auth function (tx Alexandre Fonceca for the advice) (commit)
    - qmail path determined dynamically in conf-policy
    - added a patch to remove chkuser and the vpopmail dependency (other-patches dir)
  • Jun 8, 2024
    - conf-channels: default number of channels increased to 4 (was 2). Now qmail offers 2 additional channels with respect to the 2 offered by default (local and remote). More info here
    - maxrcpt: error code changed to 452 due to RFC 2821 section 4.5.3.1 (was 553). If DISABLE_MAXRCPT is defined the check is skipped, otherwise outgoing messages from mailing lists would be rejected. (commit)
  • May 16, 2024
    - DKIM: Make the dkimsign binary _not_ derive the "d=" domain value from the Return-Path header (tx mpdude)
    - Fixed -Wstringop-overflow on qmail-start.c line 128 (gcc-13.2) (commit)
    - Fixed -Wincompatible-pointer-types compilation warnings onsubstdio.h (commit)
    - Big Concurrency fix patch removed, as it is incompatible with the above change.
    - Create a trigger to decide if your qmail-smtpd instance should respect the badmailfrom regex or not. This can be very handy if you have very strict rules for your qmail-smtpd that you don't want applied to qmail-submission. Usage: add export DISABLE_BADMAILFROM=1 to the service's run file (tx brdelphus)
  • Feb 12, 2024
    - DKIM patch upgraded to v. 1.48
    * fixed minor bug using filterargs for local deliveries (commit)
    - Fixed several compilation warnings (commit)
    - Fixed incompatible redeclaration of library function 'log2' in qmail-send.c and qsutil.c, as shown by the notqmail friends here
    - removed FILES, shar target from Makefile
  • Feb 6, 2024
    - DKIM patch upgraded to v. 1.47
    * fixed a bug which was preventing filterargs' wildcards from working properly on the sender domain
  • Jan 20, 2024 (diff here)
    liberal-lf: bare LF are no longer allowed by default due to smuggling vulnerability CVE-2023-51765. Bare LF can be allowed by defining ALLOW_BARELF in the tcprules or in the run file.
  • Jan 15, 2024
    TLS patch by F. Vermeulen upgraded to version 20231230 (more info at https://inoa.net/qmail-tls/ tx Greg Bell for the patch)
    - support to openssl 3.0.11
  • Jan 11, 2024
    - dkim patch upgraded to version 1.46
    * dk-filter.sh has been dropped. If signing at qmail-remote level, before upgrading, you have to review the configuration.
    - The variables USE_FROM, USE_SENDER and DKIMDOMAIN have been dropped
    - when signing at qmail-remote level qmail-dkim now has to be called directly by spawn-filter in the rc file. man spawn-filter for more info
    - In case of bounces the signature will be automatically based on the from: field. This will solve issues of DMARC reject by google in case of sieve/vacation bounces.
    - In case of ordinary bounces (mailbox not found, for instance) the bounce domain will be taken from control/bouncehost and, if that doesn't exist, from control/me
  • Dec 9, 2023
    - sources moved to github.

My qmail package includes the latest versions of several commonly-used qmail patches, applied over the original netqmail-1.06 program. Several other changes have been done by me or others. You can find more info in the changelog.

[Follow the patch details here]

Other qmail variants of mine:

You're invited to take a look at the next page of this guide, which presents several tests for these patches toward the bottom of the page.

Installing libsrs2

This library is a prerequisite of the SRS patch, which is part of my package. You must install this, otherwise the compilation will break.

wget http://www.libsrs2.org/srs/libsrs2-1.0.18.tar.gz
tar xzf libsrs2-1.0.18.tar.gz
cd libsrs2-1.0.18
./configure
make
make install
ldconfig
cd ../

Be sure that libsrs2 is actually linked, otherwise qmail-send will crash over and over, which ends up as a self-inflicted DoS:

> ldconfig -p|grep libsrs2
libsrs2.so.0 (libc6,x86-64) => /usr/local/lib/libsrs2.so.0
libsrs2.so (libc6,x86-64) => /usr/local/lib/libsrs2.so

In case you decided to install the libsrs2 library by means of a package provided by your Linux distribution, you should check the path where the library's header was installed. Check whether the file /usr/local/include/srs2.h actually exists; if not, you may have to modify the #include line in srs.c in the netqmail source directory so that it points to the header your distribution installed, for instance changing

#include </usr/local/include/srs2.h>

to

#include </usr/include/srs2.h>

Download the sources

If you are wondering why we are going to download and install qmail again, it's worth mentioning that the chkuser program embedded in my package has vpopmail as a prerequisite, while vpopmail itself must be installed over the vanilla qmail. So the compilation chain is netqmail > vpopmail > patched qmail.

QMAIL_VERSION=2024.10.26
wget https://github.com/sagredo-dev/qmail/archive/refs/tags/v${QMAIL_VERSION}.tar.gz
tar xzf v${QMAIL_VERSION}.tar.gz
cd qmail-${QMAIL_VERSION}

Configuring chkuser

The qmail package you downloaded has chkuser enabled and configured to perform recipient verification and MAV (Mail From: Address Verification). You can customize your configuration by editing the chkuser_settings.h file in the source directory.

force-tls variables

By default the authentication will be denied if the client does not provide the STARTTLS command. If you want to allow connections without TLS, just do

export FORCETLS=0

in your run file. Values other than 0 (or not declaring this variable at all) will force TLS before the authentication.

qmail-auth variables

By default authentication is allowed with the LOGIN or PLAIN mechanisms. You are invited to look at the README.auth file for further details concerning the use of the SMTPAUTH environment variable, especially if you want to use CRAM-MD5.

Recompiling qmail

If this is a fresh installation, compile qmail as follows:

make setup check

Then proceed to the next section (Creating an SSL key file); the qmail configuration itself is presented on the next page.

Those who are upgrading and have qmail already running should stop qmail before installing it:

qmailctl stop

The BIG-TODO patch included in my combined patch may require your queue to be rebuilt. Be aware that all existing messages in the queue will be destroyed when you erase the queue as shown below.

To check if your qmail has messages in the queue:

> qmailctl stat
    
qmail-smtpd:           [ up ] (pid 5638)   4 day(s), 22:25:01 
qmail-smtpd/log:       [ up ] (pid 5642)   4 day(s), 22:25:01 
qmail-smtpsd:          [ up ] (pid 5662)   4 day(s), 22:25:01 
qmail-smtpsd/log:      [ up ] (pid 5663)   4 day(s), 22:25:01 
qmail-submission:      [ up ] (pid 5644)   4 day(s), 22:25:01 
qmail-submission/log:  [ up ] (pid 5641)   4 day(s), 22:25:01 
qmail-send:            [ up ] (pid 5664)   4 day(s), 22:25:01 
qmail-send/log:        [ up ] (pid 5665)   4 day(s), 22:25:01 
vpopmaild:             [ up ] (pid 5645)   4 day(s), 22:25:01 
vpopmaild/log:         [ up ] (pid 5660)   4 day(s), 22:25:01 
vusaged:               [ up ] (pid 5643)   4 day(s), 22:25:01 
vusaged/log:           [ up ] (pid 5661)   4 day(s), 22:25:01 

messages in queue: 0 
messages in queue but not yet preprocessed: 0

Only if this will be the first time you install the combined patch (which contains the BIG-TODO patch), you’ll need to rebuild the queue:

rm -r /var/qmail/queue

Now compile, install and restart qmail:

make setup
qmailctl start

Creating an SSL key file

To secure SMTP authentication you must create an SSL certificate. The certificate must be owned by the user who runs qmail-smtpd, vpopmail in our case.

> make cert
    
Generating a 1024 bit RSA private key
..................++++++
.......++++++
writing new private key to '/var/qmail/control/servercert.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IT
State or Province Name (full name) [Some-State]:Italy
Locality Name (eg, city) []:Cagliari
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your Name
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:smtp.yourdomain.net
Email Address []:postmaster@yourdomain.net
    
> make tmprsadh
> chown vpopmail.vchkpw /var/qmail/control/*.pem

It is important that the “Common Name” matches the domain name that your email clients will specify as their SMTP server.

Now let’s create a cronjob to update the certificate every day:

> crontab -e
    
03 05 * * * /var/qmail/bin/update_tmprsadh > /dev/null 2>&1

Important: If you run qmail-submission as a user other than vpopmail, and you’re installing my combined patch, you must adjust /var/qmail/bin/update_tmprsadh accordingly. Otherwise you’ll probably exceed the connection timeout due to privilege problems, and won’t be able to send messages when connected remotely.

Installing a Let's Encrypt valid certificate

When everything is working and under your control it will be the time to install a valid certificate from Let's Encrypt, following the page "Installing a valid SSL certificate".

Patch details

The qmail package that we have downloaded contains the following patches:

qmail-authentication

It provides CRAM-MD5, LOGIN and PLAIN authentication support for qmail-smtpd (port 587) and qmail-remote.

Added FORCEAUTHMAILFROM environment variable to REQUIRE that authenticated user and 'mail from' are identical.

Added SMTPAUTHMETHOD, SMTPAUTHUSER and SMTP_AUTH_USER env variables for external plugins (see http://qmail-spp.sourceforge.net/doc/)

qmail-tls

  • Author: Frederik Vermeulen
  • Info: http://inoa.net/qmail-tls/
  • Version 20231230
  • added DISABLETLS environment variable, useful if you want to disable TLS on a desired port

It implements TLS encrypted and authenticated SMTP between the MTAs and from MUA to MTA. I have adjusted the file update_tmprsadh to chown the .pem files to vpopmail, which runs qmail-smtpd.

Patched to dynamically touch control/notlshosts/<fqdn> if control/notlshosts_auto contains any number greater than 0, in order to skip the TLS connection for remote servers with an obsolete TLS version (tx Alexandre Fonceca).

You may want to take a look at the page concerning SMTP-AUTH and TLS testing here.

force-tls

  • Author: Marcel Telka
  • Patch
  • Version: 2016.05.15

optionally gets qmail to require TLS before authentication, to improve security. You have to declare FORCETLS=0 if you want to allow authentication without TLS.

chkuser

performs recipient verification and Mail From: Address Verification (MAV).

Small adjustments and a bug fix by Luca Franceschini here. Now CHKUSER_DISABLE_VARIABLE, CHKUSER_SENDER_NOCHECK_VARIABLE, CHKUSER_SENDER_FORMAT_NOCHECK, CHKUSER_RCPT_FORMAT_NOCHECK and CHKUSER_RCPT_MX_NOCHECK can be defined at runtime as well.

You may want to take a look at this page concerning chkuser testing.

If you like this qmail distribution but don't want to use vpopmail and chkuser, you can use this patch to remove them.

qmail-queue-custom-error patch

  • Author: Flavio Curti
  • Patch

Enables simscan and qmail-dkim to return the appropriate message for each e-mail that qmail refuses to deliver. Simscan rejects with the name of the virus or the spam-score; qmail-dkim rejects with the verification failure message.

qmail-SPF

It can check incoming mails inside the SMTP daemon, add Received-SPF lines and optionally block undesired transfers.

qmail-SRS

implements the Sender Rewriting Scheme, fixing SPF breakage upon email forwarding. To enable SRS, read the configuration instructions above carefully.

Oversize DNS

This patch enables qmail to handle large DNS packets.

Reread concurrency patch

  • Author: Jul
  • Version: 2
  • Patch

rereads control/concurrencylocal and control/concurrencyremote files when qmail-send receives a HUP signal.

Big Concurrency patch

  • Author: Johannes Erdfelt
  • Patch

It sets the spawn limit above 255.

maildir++ patch

  • Author: Bill Shupp
  • Version:  20050125
  • Patch

adds maildirquota support to qmail-pop3d and qmail-local.
Fixed a bug where the filesize part of the S=<filesize> component of the Maildir++ compatible filename was wrong (tx MG). More info here.

Better qmail-smtpd Logging patch

Facilitates diagnosis by making qmail-smtpd log its actions and decisions (search for lines starting with qmail-smtp:). This is useful for discovering fake IP addresses with bad HELOs when qmail-smtpd otherwise doesn't log anything.

Greeting delay patch

  • Author: John Simpson (?)
  • Patch
  • More info here

adds a user-definable delay after SMTP clients have initiated SMTP sessions, prior to qmail-smtpd responding with "220 ESMTP". It can reject connections from clients which tried to send commands before the greeting. You can control the delay via the environment variable SMTPD_GREETDELAY (was GREETDELAY in the original patch). A value of SMTPD_GREETDELAY="30" will delay qmail-smtpd's response for 30 seconds.

DKIM and SURBL patch

adds DKIM signing & verification support to qmail at both qmail-smtpd and qmail-remote/local level, and SURBL filtering support to qmail.

/var/qmail/control/cache and subdirs assigned to the vpopmail user.

EXT-TODO patch

  • Authors: Claudio Jeker and Andre Oppermann
  • Release: 5. Jan. 2003
  • Patch
  • README

addresses a problem known as the silly qmail (queue) problem.

BIG-TODO patch

  • Author: Russell Nelson
  • Patch

Makes qmail use a hashing mechanism in the todo folder similar to that used in the rest of the queue.

qmail-inject-null-sender patch

Prevents qmail-inject from rewriting the null sender, fixing an issue with sieve vacation/reject messages.

doublebounce-trim patch

  • Authors: Russell Nelson (modified version by Charles Cazabon)
  • Download

Prevents double bounces from hitting your queue a second time, provided that you delete the first line from /var/qmail/control/doublebounceto.

qmail-taps-extended

Provides the ability to archive each email that flows through the system. Archiving only messages from or to certain email addresses is possible as well.

outgoingip patch

  • Author: Andy Repton (adjusted by Sergio Gelato)
  • Patch
  • Robbie Walker provided a patch to correct qmail-qmqpc.c's call to timeoutconn(), because the function signature was modified by the original outgoingip patch

By default all outgoing emails are sent through the first IP address on the interface. On a server with multiple IP addresses this patch makes qmail send outgoing emails from the IP address stored in control/outgoingip, if that file is present. The EHLO domain is NOT modified by this patch.

qmail-rfc2821 patch

  • Author: Matthias Andree
  • Patch
  • More info here

makes qmail rfc2821 compliant.

Ali Erturk TURKER added implicit TLS (SMTPS) support (patch here).

smtpd-502-to-500 patch

  • Author: Jonathan de Boyne Pollard
  • Patch
  • More info here

makes qmail rfc2821 compliant

qmail-dnsbl patch

  • Author: Fabio Busatto
  • Download
  • Modified by Luca Franceschini to add support for whitelists, TXT and A queries, configurable return codes 451 or 553 with custom messages
  • More info here

allows you to reject spam and viruses by looking at the sender's IP address. A line has been added to make qmail-smtpd log the reject reason as well as the envelope, to facilitate diagnostics.

qmail-moreipme patch

prevents a problem caused by an MX or other mail routing directive instructing qmail to connect to itself without realizing it's connecting to itself, saving CPU time.

qmail-hide-ip-headers

It will hide your Private or Public IP in the email Headers when you are sending Mail as a Relay Client.

qmail-date-localtime patch

  • Author: John Saunders
  • Patch

causes the various qmail programs to generate date stamps in the local timezone.

qmail-liberal-lf patch

allows qmail-smtpd to accept messages that are terminated with a single \n instead of the required \r\n sequence.

Bare LF are no longer allowed by default due to smuggling vulnerability CVE-2023-51765. Bare LF can be allowed by defining ALLOW_BARELF in the tcprules or in the run file.
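
As an added illustration of this rule (example code of mine, not part of the qmail package or of the liberal-lf patch), here is the check a DATA handler has to make: any LF that is not preceded by CR is a bare LF, and the chunk is rejected unless ALLOW_BARELF is set. The function names and the sample message are made up for the example; qmail-smtpd's own implementation is structured differently.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return the 0-based offset of the first bare LF (an LF not preceded by CR)
 * in buf[0..len), or -1 if there is none. A bare LF matters because some
 * receivers treat "<LF>.<CR><LF>" as end-of-DATA while the sending MTA does
 * not, which is the smuggling scenario behind CVE-2023-51765. */
long find_bare_lf(const char *buf, size_t len)
{
    size_t i;
    for (i = 0; i < len; i++) {
        if (buf[i] == '\n' && (i == 0 || buf[i - 1] != '\r'))
            return (long)i;
    }
    return -1;
}

/* Decide whether to accept a DATA chunk. allow_barelf mirrors the
 * ALLOW_BARELF variable: when set, bare LF is tolerated (the old liberal-lf
 * behaviour); otherwise the chunk is rejected, the default since 2024.01.20.
 * Returns 1 to accept, 0 to reject. */
int accept_data_chunk(const char *buf, size_t len, int allow_barelf)
{
    if (allow_barelf)
        return 1;
    return find_bare_lf(buf, len) < 0;
}

/* Same decision, reading ALLOW_BARELF from the environment the way a run file
 * or a tcprules entry would supply it. */
int accept_data_chunk_env(const char *buf, size_t len)
{
    return accept_data_chunk(buf, len, getenv("ALLOW_BARELF") != NULL);
}

int main(void)
{
    /* Constructed sample: the second line ends with a bare LF at offset 20. */
    const char sample[] = "Subject: test\r\nHello\nWorld\r\n";
    size_t n = sizeof(sample) - 1;
    printf("first bare LF at offset %ld\n", find_bare_lf(sample, n));
    printf("default policy: %s\n", accept_data_chunk(sample, n, 0) ? "accept" : "reject");
    printf("ALLOW_BARELF policy: %s\n", accept_data_chunk(sample, n, 1) ? "accept" : "reject");
    printf("policy from environment: %s\n", accept_data_chunk_env(sample, n) ? "accept" : "reject");
    return 0;
}
```

Run it once plainly and once with ALLOW_BARELF=1 exported to see the two outcomes; in production the variable should stay unset unless a specific legacy client really needs it, since the rejection is what closes the smuggling path.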

qmail-maxrcpt

  • author: Michael Samuel
  • Patch

allows you to set a limit on how many recipients may be specified for any one email message, by setting control/maxrcpt. RFC 2821 section 4.5.3.1 says that an MTA MUST allow at least 100 recipients for each message, but sending to many recipients is one of the favourite tricks of the spammer.
I slightly modified the patch so that it also logs its response. If DISABLE_MAXRCPT is defined the check is skipped, otherwise outgoing messages from mailing lists would be rejected.

qmail-eMPF patch

eMPF follows a set of administrator-defined rules describing who can message whom. With this, companies can segregate various parts of their organization's email activities, as well as provide a variety of security-enhancing services.

It's useful in case of spammed servers, to temporarily stop outgoing messages. It adds lines like these to your qmail-smtpd log:

2015-03-30 18:05:54.442596500 policy_check: remote someone@somewhere.xy -> local user@yourdomain.xy (UNAUTHENTICATED SENDER)
2015-03-30 18:05:54.442612500 policy_check: policy allows transmission

qregex

  • By  Andrew St. Jean. Contributors: Jeremy Kitchen, Alex Pleiner, Thanos Massias. Original patch by Evan Borgstrom
  • More info here
  • README

adds the ability to match address envelopes via Regular Expressions (REs) in the qmail-smtpd process.

Added new control file 'badhelonorelay', control/badmailto renamed control/badrcptto (Tx Luca Franceschini).

brtlimit

adds control/brtlimit and BRTLIMIT variable to limit max invalid recipient errors before closing the connection.

validrcptto

It works in conjunction with chkuser, with both cdb and mysql accounts. Look here for details.

reject-relay-test

  • Author: Russell Nelson
  • More info here

It gets qmail to reject relay probes generated by so-called anti-spammers. These relay probes have '!', '%' and '@' in the local (username) part of the address.

bug fixed in smtpd.c addrparse function

Fixed a little bug in 'mail from' address handling (see the patch by Andre Opperman at http://qmail.cr.yp.narkive.com/kBry6GJl/bug-in-qmail-smtpd-c-addrparse-function)

qlog patch

  • Author: Luca Franceschini
  • The qlog patch is inside this bunch of patches (later adjustments here)

smtpd logging with a fixed format (note: the 'size' field is evaluated only when control/databytes or DATABYTES is set). An entry 'qlogenvelope' is generated after accepting or rejecting each recipient in the envelope phase, for example:

qlogenvelope: result=rejected code=553 reason=rblreject detail=b.barracudacentral.org helo=test.machine.it mailfrom=test@domain.com rcptto=test@pippo.com relay=no rcpthosts=yes size= authuser= authtype= encrypted= sslverified=no localip=15.15.15.15 localport=25 remoteip=14.143.30.83 remoteport=57502 remotehost= qp= id=39156
qlogenvelope: result=accepted code=250 reason=rcptto detail=chkuser helo=test mailfrom=test@test.com rcptto=test@pippo.com relay=no rcpthosts=yes size= authuser= authtype= encrypted= sslverified=no localip=15.15.15.15 localport=25 remoteip=12.181.218.154 remoteport=57742 remotehost= qp= pid=37357

an entry 'qlogreceived' is generated after DATA (message accepted or rejected by qmail-queue):

qlogreceived: result=accepted code=250 reason=queueaccept detail= helo=test.machine.it mailfrom=test@domain.com rcptto=test@gmail.com relay=yes rcpthosts= size= authuser=pippo@pippo.com,pluto@pippo.com authtype=login encrypted=tls sslverified=no localip=192.168.200.162 localport=25 remoteip=192.168.200.162 remoteport=52602 remotehost= qp=30982 pid=30980
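
To make use of these lines from a monitoring script, here is a small field extractor for the qlog format. It is an added example of mine, not code from the qlog patch: qlog_get(), qlog_field_equals(), qlog_classify() and qlog_count_rejected() are names I chose, and the three sample lines are the ones quoted above. The only subtlety is that a key must be matched at a field boundary, otherwise asking for "id" would hit the "pid=" field.

```c
#include <stdio.h>
#include <string.h>

/* Sample lines copied from the qlog examples quoted in the text. */
static const char QLOG_SAMPLE_REJECT[] = "qlogenvelope: result=rejected code=553 reason=rblreject detail=b.barracudacentral.org helo=test.machine.it mailfrom=test@domain.com rcptto=test@pippo.com relay=no rcpthosts=yes size= authuser= authtype= encrypted= sslverified=no localip=15.15.15.15 localport=25 remoteip=14.143.30.83 remoteport=57502 remotehost= qp= id=39156";
static const char QLOG_SAMPLE_ACCEPT[] = "qlogenvelope: result=accepted code=250 reason=rcptto detail=chkuser helo=test mailfrom=test@test.com rcptto=test@pippo.com relay=no rcpthosts=yes size= authuser= authtype= encrypted= sslverified=no localip=15.15.15.15 localport=25 remoteip=12.181.218.154 remoteport=57742 remotehost= qp= pid=37357";
static const char QLOG_SAMPLE_QUEUED[] = "qlogreceived: result=accepted code=250 reason=queueaccept detail= helo=test.machine.it mailfrom=test@domain.com rcptto=test@gmail.com relay=yes rcpthosts= size= authuser=pippo@pippo.com,pluto@pippo.com authtype=login encrypted=tls sslverified=no localip=192.168.200.162 localport=25 remoteip=192.168.200.162 remoteport=52602 remotehost= qp=30982 pid=30980";
static const char *const QLOG_SAMPLES[3] = { QLOG_SAMPLE_REJECT, QLOG_SAMPLE_ACCEPT, QLOG_SAMPLE_QUEUED };

/* Copy the value of `key` from a qlog line into out (NUL-terminated).
 * A value runs to the next space or end of line and may be empty ("qp=").
 * The key must start the line or follow a space and be followed by '=',
 * so "id" does not match inside "pid=". Returns 1 if found, 0 otherwise. */
int qlog_get(const char *line, const char *key, char *out, size_t outsz)
{
    size_t klen = strlen(key);
    const char *p = line;
    while ((p = strstr(p, key)) != NULL) {
        if ((p == line || p[-1] == ' ') && p[klen] == '=') {
            const char *v = p + klen + 1;
            size_t n = strcspn(v, " \r\n");
            if (n >= outsz) n = outsz - 1;
            memcpy(out, v, n);
            out[n] = '\0';
            return 1;
        }
        p += klen;
    }
    return 0;
}

/* 1 if the field exists and equals `expect` (the empty string is a valid value). */
int qlog_field_equals(const char *line, const char *key, const char *expect)
{
    char v[256];
    if (!qlog_get(line, key, v, sizeof v)) return 0;
    return strcmp(v, expect) == 0;
}

/* 1 = recipient rejected in the envelope phase, 2 = recipient accepted,
 * 3 = message handed to qmail-queue, 0 = not a qlog line we understand. */
int qlog_classify(const char *line)
{
    char result[32];
    if (strncmp(line, "qlogenvelope:", 13) == 0) {
        if (!qlog_get(line, "result", result, sizeof result)) return 0;
        return strcmp(result, "rejected") == 0 ? 1 : 2;
    }
    if (strncmp(line, "qlogreceived:", 13) == 0) return 3;
    return 0;
}

/* Count envelope rejections in a batch of lines, e.g. one log file chunk. */
int qlog_count_rejected(const char *const *lines, size_t n)
{
    size_t i;
    int count = 0;
    for (i = 0; i < n; i++)
        if (qlog_classify(lines[i]) == 1) count++;
    return count;
}

int main(void)
{
    size_t i;
    char ip[64], reason[64];
    for (i = 0; i < 3; i++) {
        qlog_get(QLOG_SAMPLES[i], "remoteip", ip, sizeof ip);
        qlog_get(QLOG_SAMPLES[i], "reason", reason, sizeof reason);
        printf("class=%d remoteip=%s reason=%s\n", qlog_classify(QLOG_SAMPLES[i]), ip, reason);
    }
    printf("rejected: %d\n", qlog_count_rejected(QLOG_SAMPLES, 3));
    return 0;
}
```

Feeding the qmail-smtpd log through this and grouping rejections by remoteip and reason gives you the same view as the "Better qmail-smtpd Logging" output, but in a form that can drive a blocklist or an alert.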

reject null senders patch

  • by Luca Franceschini

useful in special cases if you temporarily need to reject the null sender (although this breaks RFC compatibility). You just need to put 1 (actually any number different from 0) in your control/rejectnullsenders, or define REJECTNULLSENDERS, to reject the null sender with a 421 error message.

remove-cname-check patch

Removes the dns_cname call in qmail-remote.c instead of changing the function in dns.c, in case another patch requires dns_cname(). This avoids qmail getting large amounts of DNS data we have no interest in and that may overflow our response buffer.

any-to-cname patch

  • Author: Jonathan de Boyne Pollard
  • Download

Avoids qmail getting large amounts of DNS data we have no interest in and that may overflow our response buffer.

rcptcheck patch

Originally designed for the purpose of recipient validation, it can also be used to limit the number of emails a given IP and/or auth-user and/or domain can send in a given time interval. It has to be used in conjunction with LF's rcptcheck-overlimit.sh script.

qmail-channels

Allows you to add an arbitrary number of supplemental remote queues, each distinguished by a list of recipient domains and separate throttling (concurrency) capabilities. This patch also allows dynamic throttling of the concurrency control files so you can just send qmail-send a HUP signal instead of restarting the service every time.

This patch is useful when some email provider complains about too many emails received at the same time (in the case of newsletters, for instance).

Edit conf-channels before compiling: it holds the total number of channels (queues) available for delivery. It must be at least 2; any channels above 2 are considered supplemental.

qmail-remote-logging

Gets qmail-remote to log sender, recipient and IP address all together in the "Delivery success/failure" line.

Here are the sample log lines:

@400000004b1bdd4d1f89d84c delivery 10: success: <From:owner-freebsd-current@freebsd.org_To:user@remotedomain.com>_193.140.X.X_accepted_message.
/Remote_host_said:_250_ok_1260117440_qp_15626/

@400000004b1bdbb8191f1954 delivery 6: failure: <From:a@surgate.net_To:test323232@remoteserver.com>_212.252.x._does_not_like_recipient.
/Remote_host_said:_550_non-existent_recipient/alici_bulunamadi/Giving_up_on_212.252.x.x/

CVE-2005-1513 fix

addresses a vulnerability spotted by Georgi Guninski in 2005.

qmail-spp

  • Author: Pawel Foremski
  • Version: 0.42
  • More info here

qmail-spp provides plug-in support for qmail-smtpd. It allows you to write external programs and use them to check SMTP command argument validity. The plug-in can trigger several actions, like denying a command with an error message, logging data, adding a header and much more.

The qmail-spp functionality is disabled by default, so that it is transparent to long-time users of this patch. If you want to enable qmail-spp, just export the variable ENABLE_SPP in your run file. Note that the variable NOSPP is not available in this combined patch.

fastremote

While sending individual messages with qmail consumes very little CPU, sending multiple large messages in parallel can effectively DoS a sender due to inefficiencies in qmail-remote's "blast" function. In its original form, this function scans the message one byte at a time to escape leading periods and newlines, as required by SMTP.

This patch modifies blast to scan the message in larger chunks. Tests show that the change reduces the CPU time consumed by qmail-remote by a factor of 10.
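
As an added illustration of the difference (example code of mine, not the fastremote patch itself), here are two ways of producing the SMTP DATA encoding of a message body, i.e. CRLF line endings with a leading '.' doubled: the byte-at-a-time loop in the spirit of stock qmail-remote's blast(), and a chunked scan that only looks at the first byte of each line and copies the rest with memcpy(). I do not claim the real patch is written exactly this way; the point is that both encoders must produce identical output, which is the property to test when reviewing such a change. The function names are mine.

```c
#include <stdio.h>
#include <string.h>

/* Byte-at-a-time encoder. `in` is the message body with '\n' line ends.
 * Writes the SMTP-ready form to out and returns the number of bytes written,
 * or -1 if outcap is too small. */
long blast_bytewise(const char *in, size_t inlen, char *out, size_t outcap)
{
    size_t i, o = 0;
    int at_line_start = 1;
    for (i = 0; i < inlen; i++) {
        char c = in[i];
        if (at_line_start && c == '.') {        /* dot-stuffing */
            if (o + 1 > outcap) return -1;
            out[o++] = '.';
        }
        if (c == '\n') {                        /* LF -> CRLF */
            if (o + 2 > outcap) return -1;
            out[o++] = '\r';
            out[o++] = '\n';
            at_line_start = 1;
        } else {
            if (o + 1 > outcap) return -1;
            out[o++] = c;
            at_line_start = 0;
        }
    }
    return (long)o;
}

/* Chunked encoder: memchr() finds the next '\n', the whole line is copied in
 * one memcpy(), then CRLF is emitted. Only in[line start] is inspected. */
long blast_chunked(const char *in, size_t inlen, char *out, size_t outcap)
{
    size_t o = 0;
    const char *p = in, *end = in + inlen;
    while (p < end) {
        const char *nl = memchr(p, '\n', (size_t)(end - p));
        size_t linelen = nl ? (size_t)(nl - p) : (size_t)(end - p);
        size_t need = linelen + (p[0] == '.' ? 1 : 0) + (nl ? 2 : 0);
        if (o + need > outcap) return -1;
        if (p[0] == '.') out[o++] = '.';
        memcpy(out + o, p, linelen);
        o += linelen;
        if (nl) { out[o++] = '\r'; out[o++] = '\n'; }
        p = nl ? nl + 1 : end;
    }
    return (long)o;
}

/* 1 if both encoders turn `in` into exactly `expect`, 0 otherwise. */
int blast_check(const char *in, const char *expect)
{
    char a[4096], b[4096];
    size_t n = strlen(in), e = strlen(expect);
    long la = blast_bytewise(in, n, a, sizeof a);
    long lb = blast_chunked(in, n, b, sizeof b);
    if (la < 0 || lb < 0 || la != lb || (size_t)la != e) return 0;
    return memcmp(a, expect, e) == 0 && memcmp(b, expect, e) == 0;
}

int main(void)
{
    /* Constructed body: two lines start with a dot, one ends without LF. */
    const char body[] = "hello\n.dot\n..x\ntail";
    char out[256];
    long n = blast_chunked(body, sizeof(body) - 1, out, sizeof out);
    fwrite(out, 1, (size_t)n, stdout);
    printf("\nencoders agree: %d\n", blast_check(body, "hello\r\n..dot\r\n...x\r\ntail"));
    return 0;
}
```

The security angle is the one the paragraph above names: an encoder that is slow per byte turns a few large parallel deliveries into a CPU exhaustion problem on your own server, so the chunked version is a resilience fix, and the equivalence check is what keeps the faster code from changing the wire format.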

Comments

Recompiling qmail error

Hi Roberto, 

I am getting the following error while recompiling qmail below are the details 

QMAIL_VERSION=2024.06.08

Openssl Version
OpenSSL 1.0.1e-fips 11 Feb 2013

./compile qmail-remote.c
qmail-remote.c: In function 'tls_init':
qmail-remote.c:437: error: 'OPENSSL_INIT_LOAD_SSL_STRINGS' undeclared (first use in this function)
qmail-remote.c:437: error: (Each undeclared identifier is reported only once
qmail-remote.c:437: error: for each function it appears in.)
qmail-remote.c:438: warning: passing argument 1 of 'SSL_CTX_new' makes pointer from integer without a cast
/usr/include/openssl/ssl.h:1630: note: expected 'const struct SSL_METHOD *' but argument is of type 'int'
make: *** [qmail-remote.o] Error 1

Regards

Shailendra


Recompiling qmail error

Hi Shailendra, this is because of your old openssl version. You have to choose between one of the following options

- upgrade your openssl (I wouldn't do it if I didn't know which other packages must be recompiled (openssh?))

- use an old qmail patch of mine, downloading it from the archive https://notes.sagredo.eu/files/qmail/patches/roberto-netqmail-1.06/. Just pick up the one with the date around your OS release and try. I think at least 10/12 years ago for openssl v. 1.0

- download my latest qmail, manually remove the qmail-tls patch from f.v., then add an old version of the same patch. You can find all qmail-tls patches here https://notes.sagredo.eu/files/qmail/patches/tls/. Just look for the one where the string OPENSSL_INIT_LOAD_SSL_STRINGS is not matched by grep


Recompiling qmail error

It appears that the tls patch released in 2020 compiles successfully against openssl v. 1.0


Adjustments in qmail-remote for sending emails with TLS to older servers?

Hello everyone,

I found an error with the delivery of some emails involving TLS.

When using a server with a newer version of OpenSSL, TLS 1.0 and 1.1 were left out, leaving only 1.2 and 1.3. However, because of this, qmail-remote, when delivering emails to older servers, generates a TLS/SSL error and the email returns to the queue.

Error example: delivery 50838: deferral: TLS_connect_failed:_error:0A00018A:SSL_routines::dh_key_too_small;_connected_to_187.8.50.70. (but there are other types).

However, qmail will NEVER attempt to send without TLS to these servers since they report that they support STARTTLS in the connection. Perhaps some adjustment in qmail-remote could be made so that when a TLS/SSL error occurs, it adds the domain's MX FQDN to /var/qmail/control/notlshosts/, so that on the next delivery attempt, it sends without using STARTTLS.

I even found government servers with outdated TLS, which would not receive emails until I added their FQDN to /var/qmail/control/notlshosts for qmail to send without using TLS.

Best regards,


Adjustments in qmail-remote for sending emails with TLS to older servers?

fixed in version 2024.10.26


Adjustments in qmail-remote for sending emails with TLS to older servers?

Hi,

I'm also getting the "dh_key_too_small" error while delivering mail to some hosts. Following are some example hosts where I get the dh_key_too_small error.

itokin.com.hk
mail1.tfzipper.com
mail4.optimaxbd.net
mailgw1e.hk2china.com
mail.mekodenim.com.pk
mail.pot-bd.com

There are many hosts that do not accept mail until I add them to /var/qmail/control/notlshosts/. I think there should be an automated script that adds a file to the /var/qmail/control/notlshosts/ location.

I'm running Debian Bookworm, OpenSSL 3.0.14 4 Jun 2024 (Library: OpenSSL 3.0.14 4 Jun 2024)

Thanks.


Adjustments in qmail-remote for sending emails with TLS to older servers?

I still have to reproduce this issue, I'll try again.

For me, we can add Alexandre's patch but I would require that the user enables the functionality by means of a control file, say control/enablenotlshosts, where to put 1 inside, just to avoid unwanted surprises for those who don't want to allow clients with obsolete tls

Alexandre, do you have upgrades for your patch?


Adjustments in qmail-remote for sending emails with TLS to older servers?

I'm using the patch I made above in production, and it has been working... since that day until today, I have 97 hosts that only support TLS 1.0 or 1.1, and since I don't have support for that, it results in an error. Then it adds the host to notlshosts, and on the next attempt, it sends without using any TLS


Adjustments in qmail-remote for sending emails with TLS to older servers?

Can you guys give this patch a try?

git clone -b fix-dh_key_too_small https://github.com/sagredo-dev/qmail.git

you need to enable the feature defining control/notlshosts_auto with a value greater than 0


Adjustments in qmail-remote for sending emails with TLS to older servers?

I cannot reproduce this issue. I'm sending to a remote server (openssl 0.9.8 with TLS 1.1 not available) and my remote messages have been sent by qmail-remote with no errors.

It would be great if you can mention a public server with an old openssl, to use for a quick test


Adjustments in qmail-remote for sending emails with TLS to older servers?

which version of my qmail package or TLS patch are you using? According to my logs, I haven't had a TLS_connect_failed error for the past 6 years now.


Adjustments in qmail-remote for sending emails with TLS to older servers?

I'm using the latest version, qmail-2024.06.08, compiled on Debian 12.

Testing the remote hosts that showed an error with 'openssl s_client -connect XXXX:25 -starttls,' I see that they still support TLS 1.0 or 1.1, while the version compiled on Debian 12 supports only 1.2 or 1.3.


Adjustments in qmail-remote for sending emails with TLS to older servers?

which version of openssl is installed in debian 12? I'll try to reproduce the issue in the following days, but I think that this is something to submit to f.vermeulen's attention


Adjustments in qmail-remote for sending emails with TLS to older servers?

OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024)


Adjustments in qmail-remote for sending emails with TLS to older servers?

I made a temporary (ugly?) solution here that worked... when a TLS error is generated, it adds the FQDN to notlshosts.

In qmail-remote.c, in the function void tls_quit(const char *s1, const char *s2),

I changed from:

void tls_quit(const char *s1, const char *s2)
{
out((char *)s1); if (s2) { out(": "); out((char *)s2); } TLS_QUIT;
}

to:

void tls_quit(const char *s1, const char *s2)
{
  FILE *fp;              /* ACF */
  char acfcommand[1200]; /* ACF */
  /* ACF: mark the remote host as non-TLS so the next attempt skips STARTTLS.
   * snprintf keeps the buffer bounded; partner_fqdn is still handed to /bin/sh
   * inside single quotes, so it must not contain a quote character. */
  snprintf(acfcommand, sizeof acfcommand,
           "/bin/touch /var/qmail/control/notlshosts/'%s'", partner_fqdn);
  fp = popen(acfcommand, "r");
  if (fp == NULL) {
    printf("Failed to run command\n");
    exit(1);
  }
  pclose(fp);
  out((char *)s1); if (s2) { out(": "); out((char *)s2); } TLS_QUIT;
}

Note that /var/qmail/control/notlshosts needs to have ownership qmailr:qmail so that it can write to it!

I’m currently using this on a test server to see if I don’t accidentally cause another issue... before moving it to production.

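
Both the notlshosts_auto feature described in the qmail-tls section and the popen()-based tls_quit() change in the comment above amount to the same step: when the TLS handshake fails, record the peer's FQDN under control/notlshosts so that the next attempt goes without STARTTLS. What follows is an added example of mine (not the 2024.10.26 patch and not the code from the comment) of that step done without a shell: the host name is validated as a plain DNS name before it becomes a file name, and the marker is created atomically with open(O_CREAT|O_EXCL), so nothing a remote server puts in its name ever reaches /bin/sh or escapes the directory. Paths are parameters so the demo runs in a scratch directory under /tmp; notlshosts_auto_enabled(), fqdn_is_safe(), mark_notls_host(), maybe_mark_notls_host() and run_demo() are names I made up.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Read control/notlshosts_auto: 1 if it holds a number greater than 0,
 * 0 otherwise. A missing file means the feature stays off. */
int notlshosts_auto_enabled(const char *path)
{
    FILE *fp = fopen(path, "r");
    long v = 0;
    if (fp == NULL) return 0;
    if (fscanf(fp, "%ld", &v) != 1) v = 0;
    fclose(fp);
    return v > 0;
}

/* A host name may only become a file name if it is a plain sequence of DNS
 * labels: letters, digits, '-' and '.', no leading '.' or '-', no "..".
 * This rules out '/', quotes and every shell metacharacter, so a name chosen
 * by a remote server cannot leave the notlshosts directory. */
int fqdn_is_safe(const char *h)
{
    size_t i, n = strlen(h);
    if (n == 0 || n > 253 || h[0] == '.' || h[0] == '-') return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)h[i];
        if (!isalnum(c) && c != '-' && c != '.') return 0;
        if (c == '.' && h[i + 1] == '.') return 0;
    }
    return 1;
}

/* Create dir/<fqdn> directly with open(2): no /bin/sh, no touch(1).
 * Returns 0 when the marker was created, 1 if it already existed,
 * -1 when the name was refused or the file could not be created. */
int mark_notls_host(const char *dir, const char *fqdn)
{
    char path[1024];
    int fd;
    if (!fqdn_is_safe(fqdn)) return -1;
    if (snprintf(path, sizeof path, "%s/%s", dir, fqdn) >= (int)sizeof path) return -1;
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0) return errno == EEXIST ? 1 : -1;
    close(fd);
    return 0;
}

/* The step taken after a failed TLS handshake: record the host only when
 * control/notlshosts_auto switches the feature on. */
int maybe_mark_notls_host(const char *auto_file, const char *dir, const char *fqdn)
{
    if (!notlshosts_auto_enabled(auto_file)) return -1;
    return mark_notls_host(dir, fqdn);
}

/* Self-contained walk-through in a scratch directory. Returns 0 when every
 * step behaved as expected, otherwise the number of the failing step. */
int run_demo(void)
{
    char base[64], auto_file[128], dir[128], marker[256];
    FILE *fp;
    int r_off, r_on, r_again, r_bad;
    snprintf(base, sizeof base, "/tmp/notls_demo_%ld", (long)getpid());
    snprintf(auto_file, sizeof auto_file, "%s/notlshosts_auto", base);
    snprintf(dir, sizeof dir, "%s/notlshosts", base);
    snprintf(marker, sizeof marker, "%s/mx1.example.net", dir);   /* constructed host */
    if (mkdir(base, 0700) != 0 || mkdir(dir, 0700) != 0) return 1;
    r_off = maybe_mark_notls_host(auto_file, dir, "mx1.example.net");  /* feature off */
    fp = fopen(auto_file, "w");
    if (fp == NULL) return 2;
    fputs("1\n", fp);
    fclose(fp);
    r_on = maybe_mark_notls_host(auto_file, dir, "mx1.example.net");    /* created */
    r_again = maybe_mark_notls_host(auto_file, dir, "mx1.example.net"); /* exists */
    r_bad = maybe_mark_notls_host(auto_file, dir, "mx1.example.net'x"); /* refused */
    unlink(marker); unlink(auto_file); rmdir(dir); rmdir(base);
    if (r_off != -1) return 3;
    if (r_on != 0) return 4;
    if (r_again != 1) return 5;
    if (r_bad != -1) return 6;
    return 0;
}

int main(void)
{
    printf("demo result: %d (0 means every step behaved as expected)\n", run_demo());
    return 0;
}
```

In a real installation the directory argument would be /var/qmail/control/notlshosts, which, as the comment above notes, has to be writable by the user qmail-remote runs as; keeping the feature behind notlshosts_auto means a site that does not want clear-text fallback never creates these markers at all.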

Adjustments in qmail-remote for sending emails with TLS to older servers?

Great! Let us know if it works


compile with vpopmail, use a different virtual mail mgr?

Greetings,

Short question: can I compile netqmail with your unified patch, and then just ignore the vpopmail piece?

Long question: I have a very old qmail installation that I've been carrying along from CentOS to CentOS version. It's currently on CentOS 7 and built from Bruce Guenter's old RPMs, but it's time to modernize and I'm looking at building from scratch+patch. However, we do not use vpopmail (and will not be using it), but rather use a different virtual mail manager.

Is it possible to use this unified patch, but effectively ignore vpopmail after install? I'm perfectly capable of changing permissions, ownership, run scripts, and the like, but without having built this before, it's unclear whether vpopmail is so heavily integrated into this package as to render the package unusable if vpopmail is unused.

Thanks in advance!
Peter

Reply |

compile with vpopmail, use a different virtual mail mgr?

you can use it without it but it won't compile. So install vpopmail and then forget about it. Also disable chkuser.

Or you can try to remove chkuser and the call to vpopmail from the Makefile. It's not difficult to do.

Reply |

compile with vpopmail, use a different virtual mail mgr?

you have here a patch to remove chkuser and vpopmail from the sources https://github.com/sagredo-dev/qmail/blob/main/other-patches/qmail-remove_chkuser_vpopmail.patch

If you prefer to do it manually, be aware that the "control/cache" dir and the control/*.pem files have to be owned by the user who runs qmail-smtpd, so you should adjust the update_tmprsadh.sh file

Reply |

version 2024.06.08 not found

Hi Roberto

When I try to download https://github.com/sagredo-dev/qmail/archive/refs/tags/v2024.06.08.tar.gz, the file is reported as not found (404)

Could you verify ?

Thanks

Reply |

version 2024.06.08 not found

Hi, try again now

Reply |

version 2024.06.08 not found

It's OK, thank you. 

Reply |

Upgrading from netqmail-1.06 to github version

Hello Roberto,

Thanks a lot for all your work. I would not be able to have my own server if it weren't for your patch.

I am running a qmail patched with netqmail-1.06 in my mail server. The server is 100% configured and operational.

I need to add DKIM support.

 

I downloaded your version from the github and compiled without any issue.

From your notes, I understand that the installation would simply consist of executing:

qmailctl stop

rm -r /var/qmail/queue

make setup

qmailctl start

My question is simple ... would this keep my old configuration and add qmail-dkim ?

If the answer is positive, i believe that I should just upgrade, wait to ensure compatibility and configure dkim after some days.

Am I correct ?

Thanks for your support !

i$

Reply |

Upgrading from netqmail-1.06 to github version

Hi, probably your current DKIM configuration won't work as it was revised recently. After the upgrade you should refer to the dkim documentation 

Reply |

Upgrading from netqmail-1.06 to github version

Hello Roberto,

Apologies, I was not clear enough.

Let me try again:

 - My current netqmail-1.06 does not have DKIM configured nor enabled

 - I noticed the new way to configure DKIM, this is why ...

  - ... I have compiled a new qmail GITHUB_based version without any problem.

If I install the upgraded qmail (github_based) using the following procedure:

qmailctl stop

rm -r /var/qmail/queue

make setup

qmailctl start

Will my old configuration remain and work ?

In case of a positive answer, I will upgrade first to then configure DKIM following the new procedure.

Many thanks !

Regards

Reply |

Upgrading from netqmail-1.06 to github version

Yes, your old configuration will work

Reply |

Upgrading from netqmail-1.06 to github version

Thanks a lot Roberto,

It has worked perfectly.

Thanks !

Reply |

qmail package

May I ask if your qmail package (included patches) can be installed in CentOS 5.3?

When I run "make setup check", it stops with a number of errors.

srs.c:3:37: error: /usr/local/include/srs2.h: No such file or directory
srs.c: In function ‘srsforward’:
srs.c:86: error: ‘srs_t’ undeclared (first use in this function)

........

srs.c:144: error: ‘SRS_SUCCESS’ undeclared (first use in this function)
make: *** [srs.o] Error 1

If I download netqmail-1.06.tar.gz and patch dkim-netqmail-1.06.patch-1.46, it compiles successfully. However, there are a lot of errors if I add other patches. It cannot send email at all.

Please advise how I can install the qmail-dkim into our qmail installed in CentOS 5.3. Thanks a lot!

Reply |

qmail package

Hi, my qmail requires the libsrs2 library. Read the docs above.

Concerning the other problem, building a composite patch is a bit complicated and for me maintaining my own is enough. It would be impossible to teach how to do that in this reply, also because it is beyond the scope of this guide, sorry

Reply |

Where can I download the roberto-netqmail-1.06.patch-20240120.gz ?

Hi

I'm a little old :D, and I really don't like github :D
Ajajajajaja
I was from the very old school, ftp, download links, and everyone working on its own :D
Aajajaja

Reply |

Where can I download the roberto-netqmail-1.06.patch-20240120.gz ?

Hi Pablo :-), I'm old school too but there's no github knowledge required... just take the time to read the new instructions and you'll find the link :-)

Reply |

Where can I download the roberto-netqmail-1.06.patch-20240120.gz ?

Hi again ! :D

I can't find the old format (1 file patch), I only see the qmail source already patched :D

What I'm missing ?

Reply |

Where can I download the roberto-netqmail-1.06.patch-20240120.gz ?

Pablo, there's no patch anymore. You have to download the patched sources, then unpack. It's explained at the top of this page. Just cut and paste the code. No need to use git

Reply |

Where can I download the roberto-netqmail-1.06.patch-20240120.gz ?

ok, thanks

As I was talking with some friends, programming now is for lazy people; now nobody knows what they are using, nobody knows what a patch is, nobody ever reads a source file!
Neither patches, now, I want the file already patched
Ajajajja

The way we did software is dead !
A guy who works with Python told me that he uses ChatGPT to write code!

We are going to become extinct in a few years
ajajajajj

Reply |

Where can I download the roberto-netqmail-1.06.patch-20240120.gz ?

and nobody ever read the docs! :-)

Reply |

About CVE-2023-51765

Hi roberto puzzanghera 

I am not sure, but I think the qmail-liberal-lf patch in our patch is affected by CVE-2023-51765

Is that correct?

Reply |

About CVE-2023-51765

I released an update which denies bare LF by default. Now bare LF can be allowed by defining ALLOW_BARELF in tcprules or in the run file

Reply |

About CVE-2023-51765

I did the tests here and found out that my package is vulnerable to smuggling. Removing liberal-lf solves it.

I uploaded my changes here in a testing branch. I'll release a new package in the following days if further tests without that patch are ok. If you want to try it you are welcome.

Thanks for the advice!

PS this is the reject logline of my server once I repaired it

2024-01-18 20:45:15.679975634 qlogenvelope: result=rejected code=451 reason=bad_newlines detail= helo=check.smtpsmuggling.com mailfrom=test@check.smtpsmuggling.com rcptto= relay=yes rcpthosts= size=268 authuser= authtype= encrypted= sslverified=no localip=10.0.0.4 localport=25 remoteip=10.0.0.4 remoteport=43466 remotehost=smtp.sagredo.eu qp=31931 pid=31923

Reply |
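The check behind that 451, as an added example in C rather than qmail-smtpd's own code: a scanner for the bytes received after DATA that finishes the message only at <CRLF>.<CRLF> and rejects a bare LF (or a bare CR) with the same outcome the bad_newlines log line above records. Why this matters for smuggling is in the comments: a server that also treated "\n.\n" as end-of-data would end the message earlier than the relay that sent it and would read whatever follows as fresh SMTP commands. Function and enum names are mine.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Outcome of scanning the bytes a client sent after the DATA command.
 * Added example, not qmail-smtpd's code: names and layout are this example's. */
enum data_result {
    DATA_INCOMPLETE = 0, /* no <CRLF>.<CRLF> terminator yet: keep reading */
    DATA_OK,             /* terminator seen and every line ended in CRLF */
    DATA_BARE_LF,        /* LF not preceded by CR: reject ("451 bad newlines") */
    DATA_BARE_CR         /* CR not followed by LF: reject likewise */
};

/* Scan 'len' bytes of DATA. On DATA_OK, *end is the offset just past the
 * terminator. Only <CRLF>.<CRLF> ends the message: a server that also
 * accepted a bare "\n.\n" as end-of-data could finish the message earlier
 * than the sending relay did, and the bytes in between would be parsed as
 * new SMTP commands (the smuggling issue of CVE-2023-51765). */
enum data_result scan_data(const char *buf, size_t len, size_t *end)
{
    size_t i, line_start = 0;            /* DATA's 354 reply left us at a line start */

    for (i = 0; i < len; i++) {
        if (buf[i] == '\n')
            return DATA_BARE_LF;         /* LF that no CR introduced */
        if (buf[i] != '\r')
            continue;
        if (i + 1 >= len)
            return DATA_INCOMPLETE;      /* CR is the last byte so far: wait for more */
        if (buf[i + 1] != '\n')
            return DATA_BARE_CR;
        if (i == line_start + 1 && buf[line_start] == '.') {
            *end = i + 2;                /* the line was exactly ".": end of data */
            return DATA_OK;
        }
        line_start = i + 2;              /* next line begins after this CRLF */
        i++;                             /* skip the LF already checked */
    }
    return DATA_INCOMPLETE;
}

/* Convenience wrappers for NUL-terminated sample input. */
enum data_result scan_str(const char *s)
{
    size_t end = 0;
    return scan_data(s, strlen(s), &end);
}

size_t scan_str_end(const char *s)
{
    size_t end = 0;
    return scan_data(s, strlen(s), &end) == DATA_OK ? end : 0;
}

int main(void)
{
    /* Constructed samples: a well-formed message and a bare-LF one. */
    const char *good = "Subject: hi\r\n\r\nbody\r\n.\r\n";
    const char *bad  = "body\r\n.\nMAIL FROM:<x@y>\r\n";   /* bare LF after the dot */
    printf("good: %d (end=%zu)\n", scan_str(good), scan_str_end(good));
    printf("bad:  %d\n", scan_str(bad));
    return 0;
}
```

A dot-stuffed line ("..") is not the terminator because the terminator test requires the line to be exactly one byte long, and a CR that ends the buffer is reported as incomplete rather than as an error, so the caller can read more before deciding.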

About CVE-2023-51765

Honestly I didn't have the time to dig into it, just read discussions in qmail lists

PS if anyone can play with these test tools concerning the alleged smuggling security issue it would be welcome https://github.com/The-Login/SMTP-Smuggling-Tools 

Reply |

Compiling error when chkuser is enabled

Hi,

When I enable chkuser with the 2024.01.15 version, I get a compilation error:

chkuser.c:953:45: warning: implicit declaration of function ‘vmaildir_readquota’ [-Wimplicit-function-declaration]
953 | if (vmaildir_readquota(tmp_path.s,format_maildirquota(user_passwd->pw_shell))
| ^~~~~~~~~~~~~~~~~~
make: *** [Makefile:333: chkuser.o] Error 1

However, with the 2024.01.05 version, I don't get this error...

Thanks.

Reply |

Compiling error when chkuser is enabled

weird... this part wasn't touched during latest upgrade. It's not recognizing your vpopmail installation directory.

can you do this from the qmail source directory?

/bin/sh vpopmail-dir.sh

it should output your vpopmail installation directory

Reply |

Compiling error when chkuser is enabled

Hi Gabriel, which Linux distribution and which gcc version?

Reply |

Compiling error when chkuser is enabled

Hi Roberto,

Thanks for trying to help me.

I tried to compile the 2024.01.05 version again with chkuser enabled, and the same error is now showing up. So I must correct what I said before. The error is showing up regardless of the version now. If I disable chkuser in chkuser_settings.h, the error doesn't show up.

Answering your questions:

Running /bin/sh vpopmail-dir.sh replies /home/vpopmail, which is the correct path.

Here we use Debian 12.4 and gcc (Debian 12.2.0-14) 12.2.0.

Thank you in advance.

Gabriel.

Reply |

Compiling error when chkuser is enabled

got it! The actual error was before the line you reported

chkuser.c:124:2: error: #error "chkuser setting error: CHKUSER_ALWAYS_ON and CHKUSER_STARTING_VARIABLE are mutually esclusive. Edit your chkuser_settings.h and disable one of them" 
 124 | #error  "chkuser setting error: CHKUSER_ALWAYS_ON and CHKUSER_STARTING_VARIABLE are mutually esclusive. Edit your chkuser_settings.h and disable one of them"
    |  ^~~~~

so you have enabled chkuser by removing the comment on the variable CHKUSER_ALWAYS_ON, which is commented by default. In this case, as reported in the error message, you have to comment CHKUSER_STARTING_VARIABLE.

Be aware that enabling chkuser in this way prevents the possibility of disabling it in the run file.

Reply |

Compiling error when chkuser is enabled

Hi Gabriel, it compiles with no errors here on Debian 12... 

can you verify that the file /home/vpopmail/etc/lib_deps exists and that the libraries listed in that file are linked?

ldd /home/vpopmail/bin/vadddomain

Reply |

Compiling error when chkuser is enabled

Hi Roberto,

Actually the whole thing was my mistake. I followed your guide, at Configuring chkuser, you say to uncomment the #define lines, and I edited the chkuser_settings.sh and removed the starting # from those lines thinking that # meant "comment". I am not well versed in the C language. Only after your last message I understood that commenting is done with /* and */ and I shouldn't have touched the #define lines, because they were already uncommented in the chkuser_settings.sh inside the .tar.gz file you provide. I believe the whole "Configuring chkuser" section listing each #define line is completely unnecessary and should be removed, so other people don't make the same mistake as I did.

Or at least the wording should be changed to say that the reader must COMMENT those lines if he wants to disable each one of the features -- since they are already enabled. If you read carefully, you say that those lines must be "uncommented", but they are already uncommented...

Cheers,

Gabriel.

Reply |

Compiling error when chkuser is enabled

Ok...  I'll try to improve that section. Unfortunately I don't think I have chances to do the same with my English :-)

Reply |

New qmail-TLS patch has been released

Hi, the qmail-tls patch has been updated by its author to support OpenSSL v3. (Until now, OpenSSL 1.1 support was required, which some linuxes have been dropping i.e. debian!)

New patch is: http://inoa.net/qmail-tls/notqmail-1.08-tls-20231230.patch

I am going to try to manually figure out how to apply this to my build (at the moment based on roberto 2020.12.04), but meanwhile I wanted to let you know so you could update the new distribution. Some day soon I would like to update mine to use a more recent sagredo distribution :)

Reply |

New qmail-TLS patch has been released

I merged your changes to my tree on github. In my Slackware I still have the old openssl-1.1 version. Did you test everything on Debian/openssl-3?

Reply |

New qmail-TLS patch has been released

Yes I am running "my" version as of yesterday night and it is alive and fine.  ldd command on qmail-remote and qmail-smtpd indicate they are linked with libssl 3 :)

Reply |

New qmail-TLS patch has been released

Thanks for the advice. I'll upgrade my patch 

Reply |

Download of qmail not found

wget https://github.com/sagredo-dev/qmail/archive/refs/tags/v${QMAIL_VERSION}.tar.gz
--2024-01-04 11:53:59-- https://github.com/sagredo-dev/qmail/archive/refs/tags/v2024.01.04.tar.gz
Resolving github.com (github.com)... 140.82.112.4
Connecting to github.com (github.com)|140.82.112.4|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://codeload.github.com/sagredo-dev/qmail/tar.gz/refs/tags/v2024.01.04 [following]
--2024-01-04 11:54:00-- https://codeload.github.com/sagredo-dev/qmail/tar.gz/refs/tags/v2024.01.04
Resolving codeload.github.com (codeload.github.com)... 140.82.114.9
Connecting to codeload.github.com (codeload.github.com)|140.82.114.9|:443... connected.
HTTP request sent, awaiting response... 404 Not Found
2024-01-04 11:54:00 ERROR 404: Not Found.

Reply |

Download of qmail not found

2023.01.04 was removed. Use 2023.01.05

Reply |

qmail-smtpd for submission - block auth attemp / dont wait , drop

Hi, 

I'm looking to see if it's possible to have some control file for qmail or a mechanism for dropping auth attempts for certain emails?

like: qmail-smtpd[2706450]: auth: auth-failed type=login user=<mailer-daemon@com.com> 

qmail-smtpd: read failed (connection closed by the client before the quit cmd): (null) from 195.190.115.42 to (null) helo mxv.trucksparts.ru

It's piling up and fail2ban doesn't really help, as each auth is from a different IP once.

I'm looking to see if there is a way to have a /control/blockauth kind of file, where I put for example mailer-daemon@com.com and qmail-smtpd or sslserver will just close the connection immediately

similar way as badrcptto is working.

thank you

Reply |

qmail-smtpd for submission - block auth attemp / dont wait , drop

There's no options like this, but you can use control/authsenders to redirect the Auth of certain users to a different (unexistent) port. Look at the man for more info

Reply |

qmail-smtpd for submission - block auth attemp / dont wait , drop

Hi,

thnx for the hint, but authsenders are for outgoing smtp. I'm looking for incoming auth connections / where bots are trying to log in with some credentials of non-existent accounts

I want qmail to drop the connection once a certain login name is used /don't wait for auth, drop it/

seems no way round this

anyway, thnx

miki

Reply |

Please add "senderip" patch to allow specific domain to use specific outgoing IP

Hi, Please add "senderip" patch so that specific domain can use specific IP for outgoing mail. JMS has this patch at: https://qmail.jms1.net/patches/combined-details.shtml#:~:text=domain:1.2.3.4

Reply |

Please add

Hi, I cannot find the patch source at the link you provided

Reply |

Please add "senderip" patch

hi,

Thanks for your reply. I also searched the web, but did not find any patch. As I'm not a programmer, it's really difficult for me to identify what's inside the code. But the original qmail-1.03 holds the following code in the timeoutconn.c file. Hope this can enlighten an expert like you:

timeoutconn.c: struct constmap senderip ;
timeoutconn.c: switch ( control_readfile ( &stext , "control/senderip" , 0 ) )
timeoutconn.c: if ( ! constmap_init ( &senderip , stext.s , stext.len , 1 ) )
timeoutconn.c: chosenip = constmap ( &senderip , domain.s , domain.len ) ;

below are the difference after applying the patch:

timeoutconn.c: struct constmap senderip ;
timeoutconn.c: switch ( control_readfile ( &stext , "control/senderip" , 0 ) )
timeoutconn.c: if ( ! constmap_init ( &senderip , stext.s , stext.len , 1 ) )
timeoutconn.c: chosenip = constmap ( &senderip , domain.s , domain.len ) ;
timeoutconn.c.orig: struct constmap senderip ;
timeoutconn.c.orig: switch ( control_readfile ( &stext , "control/senderip" , 0 ) )
timeoutconn.c.orig: if ( ! constmap_init ( &senderip , stext.s , stext.len , 1 ) )
timeoutconn.c.orig: chosenip = constmap ( &senderip , domain.s , domain.len ) ;
Binary file timeoutconn.o matches

Hope this can give you some clue.

thanks.

Reply |

Please add

Hi, it's not an easy task. Please understand that I'm not in the position to fulfill personal requests for free...

Reply |

Please add

OK, I'll try to figure it out. If I succeed, I'll post here so that everybody can benefit.

thanks.

Reply |

Please add

Hi,

I've found that patch. Below is the patch. Requesting you to add it in your combined patch.

Patch link: https://qmail.jms1.net/patches/newbind.patch 

BR

Reply |

Please add

Hi, I think I already replied to your request above

Reply |

libdomainkeys-openssl-1.1 for OpenSSL 3.0.9

Hi,

I'm trying to compile qmail in Debian 12, which comes with OpenSSL 3.0.9, and I'm getting some errors. Is there any way to compile with OpenSSL 3.0.9?

Thanks

Joao

Reply |

libdomainkeys-openssl-1.1 for OpenSSL 3.0.9

Hi, libdomainkeys is no longer a prerequisite of my patch. Qmail compiles with no errors here.

Reply |

libdomainkeys-openssl-1.1 for OpenSSL 3.0.9

Hello, Roberto, thank you for replying.

I'm using your patch but my vpopmail authentication is cdb. Do I need libdomainkeys?

Thanks
Joao

Reply |

libdomainkeys-openssl-1.1 for OpenSSL 3.0.9

No. It was a prerequisite of the dkim program inside qmail, to sign messages with the old domainkeys signature. Now that part was dropped, so we can forget about libdomainkeys

Reply |

ARC authentication

Hello Roberto

Sometimes the email recipients make a redirection to their Gmail box. Then the DKIM and SPF systems no longer work and emails are considered to be spam.

I read that it was possible to add an ARC signature (Authenticated Received Chain).

Do you know it, and what do you think of this system? Would this system suit the problem of redirects? Do you know if a patch exists to add this signature?

Thanks

Reply |

ARC authentication

Hi, is the forward performed by qmail or via sieve rules? In the first case SRS can be the solution, as you know.

I haven't played with ARC yet. But I think that in case of a sieve rule qmail can't do much, because the decision of forwarding the message is up to the LDA and it should be the LDA (dovecot) to change the header and add the ARC certification... in this case I would look for a dovecot plugin.

On the qmail side, did you have a look at https://github.com/mbirth/mail-arc?

Let me know if you find something interesting

PS an idea can be to modify that python and prepend it in the .qmail so that it can do the ARC stuff before passing the message to dovecot

Reply |

ARC authentication

Roberto, redirection is not done from my server. My problem is when I send an external email to abc@domain.com and abc@domain.com makes a redirection to a Gmail account. The email goes to spam at Gmail because the SPF and DMARC are no longer good.
I find so little information on ARC certification that I do not know if this certification must be added before I send the email from my Qmail server or if it is up to the external server when it makes the transfer... I continue to seek ;)

Reply |

ARC authentication

So it's not your server's responsibility to certify with ARC those forwards for you. That remote server can use ARC or better SRS. Your server is already providing its credentials when it uses SPF and/or DKIM correctly

Reply |

ARC authentication

Well, I have a job less ;) Thanks

Reply |

ARC authentication

You will have when you forward via sieve :-)

Reply |

ARC authentication

For the moment, I have not installed Dovecot/Sieve as it is not tempted to look at how it works ...

Reply |

vpopmail-dir.sh blank

Heia,

Thanks for all the continued effort on the qmail patch!

Tried to update to the latest today, but it broke on not finding vpopmail.h

(note that I'm building from a clean alpine docker by adding prerequisites first, this has always worked so far)

Some digging later I noticed your new script to detect the include dir, with empty output:

bash -x ./vpopmail-dir.sh
+ PASSWD=/etc/passwd
+ '[' '!' -f /etc/passwd ']'
++ head -9 conf-users
++ tail -1
+ VUSR=vpopmail
+ SED=
+ for f in /usr/bin/sed /bin/sed /usr/sbin/sed /sbin/sed /usr/local/bin/sed /usr/local/sbin/sed
+ test -x /usr/bin/sed
+ for f in /usr/bin/sed /bin/sed /usr/sbin/sed /sbin/sed /usr/local/bin/sed /usr/local/sbin/sed
+ test -x /bin/sed
+ SED=/bin/sed
+ break
+ '[' /bin/sed = '' ']'
++ /bin/sed -n '/#/! s/^vpopmail:.*:.*:.*::\(.*\):.*/\1/p' /etc/passwd
+ echo

Compare this against the added user in /etc/passwd:

grep vpopmail /etc/passwd
vpopmail:x:89:89:Linux User,,,:/home/vpopmail:/sbin/nologin

Maybe use getent instead? E.g.

getent passwd vpopmail | cut -d: -f6
/home/vpopmail

Reply |

vpopmail-dir.sh blank

I uploaded a new combined patch with your suggestion based on getent

Reply |

vpopmail-dir.sh blank

Hi,

getent would be ok, but I would like to understand what's wrong in my approach based on sed. Do you have any idea?

I downloaded a very minimal alpine LXC image and it works as is in finding the vpopmail dir, even before I install anything.

PS /etc/passwd in the alpine installation already had the vpopmail user :-) are you the maintainer of that LXC image?

Reply |

vpopmail-dir.sh path check for sed

The vpopmail-dir.sh should look for 'sed' in '/bin' as well - which is how it is on Ubuntu 20 LTS at least. 

Reply |

vpopmail-dir.sh path check for sed

Thanks for letting me know. That's easy to correct. I'll do it as soon as possible

Reply |

vpopmail-dir.sh path check for sed

np! Took me a bit to figure out a weird error I was getting until I realized it couldn't find sed 😂

Reply |

DNS query timeout

Hi roberto puzzanghera 

Today I faced this error below in smtpd log.

Do you know anything about this error? Is this a qmail error or my DNS resolver?

2023-06-28 01:06:57.006281500 DNS query timeout for ***.com
2023-06-28 09:26:16.487948500 DNS query timeout for ***.com
2023-06-28 10:37:49.557948500 DNS query timeout for ***.jp

Reply |

DNS query timeout

I can't say much more than what it already says... did you try to query that DNS from the command line?

Reply |

DNS query timeout

 Hi roberto puzzanghera 

Thank you for your advice. 

I checked all DNS resolver server. Everything is good.

Receiving and sending email is not affected by this log message. I think it is not qmail's problem.

Reply |

dateformat in log

Hi

I may have missed a trick, but is there a possibility for the date to be readable directly in the qmail log files ?
For the moment I am forced each time to use tai64nlocal

Thanks

Reply |
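Since the stamps in these logs (and in the qlog lines quoted elsewhere on this page, e.g. @40000000648b1bd90cba9d14) are TAI64N labels, here is an added example, my own code rather than daemontools' tai64nlocal, of decoding one to UTC directly: the label is 2^62 plus TAI seconds, and for any stamp from 2017 on, Unix time is that value minus 37 (the 10 s of libtai's epoch convention plus the 27 leap seconds inserted since 1972). It prints UTC rather than local time and assumes the stamps are recent; both choices are mine, and so are the function names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* TAI64 label 2^62 is 1970-01-01 00:00:00 TAI. DJB's libtai places the
 * Unix epoch (1970-01-01 00:00:00 UTC) 10 s later, and 27 leap seconds have
 * been inserted since 1972, so for any stamp dated 2017-01-01 or later
 *     unix_seconds = (label - 2^62) - 37.
 * Assumption of this added example (not daemontools' code): stamps are from
 * 2017 or later; older stamps need the leap-second table that tai64nlocal
 * reads from /etc/leapsecs.dat. */
#define TAI64_EPOCH   ((uint64_t)1 << 62)
#define TAI_MINUS_UTC 37

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse "@" + 16 hex digits (TAI64 seconds) + 8 hex digits (nanoseconds),
 * the 25-character prefix multilog writes. Returns 0 on success, -1 if the
 * stamp is malformed or earlier than 1970. */
int tai64n_to_unix(const char *stamp, int64_t *sec, uint32_t *nsec)
{
    uint64_t s = 0;
    uint32_t n = 0;
    int i, v;

    if (stamp[0] != '@')
        return -1;
    for (i = 1; i <= 16; i++) {           /* stops at the first non-hex char, NUL included */
        if ((v = hexval(stamp[i])) < 0) return -1;
        s = (s << 4) | (uint64_t)v;
    }
    for (i = 17; i <= 24; i++) {
        if ((v = hexval(stamp[i])) < 0) return -1;
        n = (n << 4) | (uint32_t)v;
    }
    if (s < TAI64_EPOCH)
        return -1;
    *sec = (int64_t)(s - TAI64_EPOCH) - TAI_MINUS_UTC;
    *nsec = n;
    return 0;
}

/* Seconds since the Unix epoch, or -1 on a bad stamp. */
int64_t tai64n_seconds(const char *stamp)
{
    int64_t sec;
    uint32_t nsec;
    return tai64n_to_unix(stamp, &sec, &nsec) == 0 ? sec : -1;
}

/* "YYYY-MM-DD HH:MM:SS.nnnnnnnnn" in UTC, or NULL on a bad stamp.
 * Returns a static buffer, as a simple single-threaded log filter would. */
const char *tai64n_utc(const char *stamp)
{
    static char buf[40];
    int64_t sec;
    uint32_t nsec;
    time_t t;
    struct tm *tm;
    size_t n;

    if (tai64n_to_unix(stamp, &sec, &nsec) != 0)
        return NULL;
    t = (time_t)sec;
    tm = gmtime(&t);
    if (tm == NULL)
        return NULL;
    n = strftime(buf, sizeof buf, "%Y-%m-%d %H:%M:%S", tm);
    snprintf(buf + n, sizeof buf - n, ".%09u", (unsigned)nsec);
    return buf;
}

/* Filter: rewrite the stamp at the start of each log line, pass the rest through. */
int main(void)
{
    char line[4096];
    const char *ts;
    while (fgets(line, sizeof line, stdin)) {
        if (line[0] == '@' && (ts = tai64n_utc(line)) != NULL)
            printf("%s%s", ts, line + 25);
        else
            fputs(line, stdout);
    }
    return 0;
}
```

Used as a filter (cat /var/log/qmail/smtpd/current | ./tai64n_utc) it behaves like tai64nlocal except for the time zone; lines that do not start with a well-formed stamp are passed through untouched.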

dateformat in log

Hi, I've just added a patch for daemontools which provides a readable datetime format like this

2023-06-28 16:17:26.501272173 tcpserver: status: 0/200/0

This will be compatible with the convert-multilog and qlog archive programs, while the patch that I suggested below will break them.

Look at the daemontools page for details

Reply |

dateformat in log

You have to patch daemontools with this patch. But in this case the archive_qmail_qlog functionality will not work, so you have to choose which one you want.

Edit: also the JMS multilog backup will not work with this

Reply |

dateformat in log

It works. Great.

Thanks

Reply |

qqfailure

Hi brother, first of all, thanks for your excellent work here with this huge patch. I used to have one myself a long time ago, but gave up, with no time for maintaining it. Your patch is outstanding. I have a small suggestion if you allow me to:

the reject code 451 is listed in several distinct errors on qmail-smtpd.c

the error:

@40000000648b1bd90cba9d14 qlogreceived: result=rejected code=451 reason=queuedelay detail=qq_internal_bug_(#4.3.0) helo=ams1b-admin-mta-01.mta.blizzard.com mailfrom=noreply@battle.net rcptto=RODRIGO@DELPHUS.ORG relay=no rcpthosts= size=59959 authuser= authtype= encrypted=tls sslverified=no localip=177.67.83.195 localport=25 remoteip=185.60.113.118 remoteport=50444 remotehost=ams1b-admin-mta-07.mta.blizzard.com qp=15137 pid=15132

the code:

void die_alarm() { qlogenvelope("rejected","alarmtimeout","","451"); logit("timeout"); out("451 timeout (#4.4.2)\r\n"); flush(); _exit(1); }
void straynewline() { qlogenvelope("rejected","badnewlines","","451"); logit("bad newlines"); out("451 See http://pobox.com/~djb/docs/smtplf.html.\r\n"); flush(); _exit(1); }
void err_qqt() { qlogenvelope("rejected","qqtfailure","","451"); out("451 qqt failure (#4.3.0)\r\n"); }

and there is another one in RBL, SPF and CHKUSER code as well. Is that related to temp problems? My qq problem is quite persistent

I am sure I am getting the last one, the qqfailure, but I don't know why. message goes  to the last qqx loop at qmail-smtpd.c

[pid 16171] read(0, "\27\3\3\26\261", 5) = 5
[pid 16171] read(0, " /\10\203z\340~\217\361b\331\21J\365B\247`\227X\270\324\261+\267\244 \215\322\232\340\35\305"..., 5809) = 5809
[pid 16171] read(0, "\27\3\3\26\261", 5) = 5
[pid 16171] read(0, "6\3\3708Y\f\302\345\221\352\233\227Pd\233\254\350\300hq\345\267d\357\216a\36\274}\370\306\26"..., 5809) = 5809
[pid 16171] read(0, "\27\3\3\26\261", 5) = 5
[pid 16171] read(0, "%RN\327\312\rJ\10\355#,\317\234e xHF\30646q\26\350\3117\377Vk2\346\333"..., 5809) = 5809
[pid 16171] read(0, "\27\3\3\26\261", 5) = 5
[pid 16171] read(0, "\221{\327S\265\213\232\304b\376\317qe\251o\10\340m\0256Q\223\350\4\0260k\277\215r\7Q"..., 5809) = 4207
[pid 16171] read(0, 0x55e5f9d4d6b7, 1602) = -1 EAGAIN (Resource temporarily unavailable)
[pid 16171] select(1, [0], NULL, NULL, {tv_sec=1200, tv_usec=0}) = 1 (in [0], left {tv_sec=1199, tv_usec=790431})
[pid 16171] read(0, "\253ez\4\332|\351\245/\25147\7so\27!\343\356\271F\341{\212{\3\377]\220\354\7\377"..., 1602) = 1602
[pid 16171] read(0, "\27\3\3\26\261", 5) = 5
[pid 16171] read(0, "d\351\245\335\236\221\365pQ\223CO\334\t4\2637\vnN\275d\7\307\277\230|\207\r\365\0F"..., 5809) = 5809
[pid 16171] read(0, "\27\3\3\26\261", 5) = 5
[pid 16171] read(0, "7\321qC\221\22\f\320\317^s\235\313\364\346G\237\312Q\233R4\24\6\17\33E\377\343yc,"..., 5809) = 5809
[pid 16171] read(0, "\27\3\3\26\261", 5) = 5
[pid 16171] read(0, "\232H\301D\372\2=\2358\22/\265!\312\21t\366\370\0\367)\272\311Qot\"[\344\345\7\4"..., 5809) = 5809
[pid 16171] read(0, "\27\3\3\16E", 5) = 5
[pid 16171] read(0, "2D\10\210\16H\364~t\237\263\t\204]\16s\212\217\211\332v\261/z2QQ%/\201\2277"..., 3653) = 3653
[pid 16171] close(4) = 0
[pid 16171] close(6) = 0
[pid 16171] read(7, "", 1024) = 0
[pid 16171] close(7) = 0
[pid 16171] wait4(16172, [{WIFEXITED(s) && WEXITSTATUS(s) == 81}], 0, NULL) = 16172
[pid 16171] select(3, NULL, [2], NULL, {tv_sec=1200, tv_usec=0}) = 1 (out [2], left {tv_sec=1199, tv_usec=999996})
[pid 16171] write(2, "qlogreceived: result=rejected co"..., 406) = 406
[pid 16171] select(3, NULL, [2], NULL, {tv_sec=1200, tv_usec=0}) = 1 (out [2], left {tv_sec=1199, tv_usec=999998})
[pid 16171] write(2, "\n", 1) = 1
[pid 16171] select(3, NULL, [2], NULL, {tv_sec=1200, tv_usec=0}) = 1 (out [2], left {tv_sec=1199, tv_usec=999998})
[pid 16171] write(2, "qmail-smtpd: message delayed (qq"..., 160) = 160
[pid 16171] write(1, "\27\3\3\0/\7C\320\30])%U\21\264\231\301\211\256*\\w\254[?%y\334HB!\10"..., 52) = 52
[pid 16171] write(1, "\27\3\3\0'\237\324\5\332\217C\0M5\37$\1.\311\267\362\250{\353\32\232[\362\266\244+\37"..., 44) = 44
[pid 16171] write(1, "\27\3\3\0\23f\213P?*\223\337\360.$p\346\252\374^\351)\337\f", 24) = 24
[pid 16171] exit_group(0) = ?
[pid 16171] +++ exited with 0 +++

I have even tried to "fix" qmail-queue with that perl recommended here, I have removed the queue and installed a new one from qmail check setup, none makes any difference.

I'm quite  lost atm, but I am sure I have more than one host with such problems.

any comments appreciated

thanks, Rodrigo

Reply |

qqfailure

are you using my latest patch?

have also a look at this thread https://notes.sagredo.eu/en/qmail-notes-185/testing-qmail-smtp-and-auth-22.html#comment2960  

Reply |

qqfailure

Fantastic.

Well I am not sure what's wrong with qmail-dkim, but since it's not my submission, I've switched from qmail-dkim to qmail-queue and it worked like a charm. I see in the strace that somehow dkim is not quite able to lookup hosts, tho my /etc/resolv.conf points to 127.0.0.1 which is dnscache and it works like a charm. I will investigate it further, as qmail-dkim works perfectly when called from my submission, well it signs just fine.

Thanks Brother.

Rodrigo

Reply |

qqfailure

Sure that you are not affected by the same bug, which was cured on March 18? According to the code lines that you posted above you are not using the latest patch...

Reply |

qqfailure

Oh I see. It is possible indeed. I have patched with latest today. I will try dkim once again and let you know about it. 
thanks 

Reply |

qqfailure

Hi brother, 

can you show the entire qmail-smtpd log line? It is not shown completely in your strace...

Edit: I see now your qlog error line, sorry for asking

Reply |

Small modification

Hello 

Please modify the 

gunzip -c ../roberto-netqmail-1.06.patch-latest.gz | patch

with 

gunzip -c ../roberto-netqmail-1.06.patch-2023.03.01.gz |patch 

Or save wget with latest . 

Reply |

Small modification

Corrected. Thank you

Reply |

can not send email to special domain

Hi roberto puzzanghera 

After applying the latest patch, I could not send email to an account with domain s--and--s.net

The error is "553 5.1.3 sorry, mailbox syntax not allowed ". I think 「--」 is not accepted. 

Before updating to the latest patch, I used the 2022.05.22 patch.

$ telnet 172.24.4.23 25
Trying 172.24.4.23...
Connected to 172.24.4.23.
Escape character is '^]'.
220 mail.local Welcome to SMTP server ESMTP
AUTH LOGIN
334 VXNlcm5hbWU6
xxxxx
334 UGFzc3dvcmQ6
xxxxx
235 ok, go ahead (#2.0.0)
mail from:test@mail.local
250 ok
rcpt to:test@s--and--s.net
553 5.1.3 sorry, mailbox syntax not allowed 
quit
221 mail.local Welcome to SMTP server
Connection closed by foreign host.

Reply |

can not send email to special domain

I cannot reproduce the issue. And I remember that we cured it here...

can you double check that you are actually applying the latest patch?

Reply |

can not send email to special domain

hi roberto puzzanghera 

Yes, I tried to compile again with the latest patch, but the same is displayed.

In chkuser_settings.h, I uncommented line 383 and recompiled again; everything is going well

#define CHKUSER_DISABLE_VARIABLE "RELAYCLIENT"

Reply |

can not send email to special domain

Do you have CHKUSER_SENDER_NOCHECK_VARIABLE defined as RELAYCLIENT?

Reply |

can not send email to special domain

Yes ,I have #define CHKUSER_SENDER_NOCHECK_VARIABLE "RELAYCLIENT" in chkuser_settings.h too.

Reply |

can not send email to special domain

Weird... This option would be sufficient to let RELAYCLIENT send even garbage in the domain syntax. 

My tests work as expected. And if I disable RELAYCLIENT from tcprules mails with the double hyphen are sent anyway

Reply |

can not send email to special domain

Thank you roberto puzzanghera

Now I can not figure out the problem. So I will run qmail with this setting. 

#define CHKUSER_DISABLE_VARIABLE "RELAYCLIENT"

Reply |

can not send email to special domain

Hi Jacky

Unfortunately you are playing with the wrong knobs. Please undo what you did.

The patch Roberto mentioned previously corrected "check_sender_address_format()" function.

But you are bitten by "check_rcpt_address_format()" function.

Please search this function after patching, and comment out the lines below as follows:

/*
} else {
if (strstr (domain->s, "--") != NULL)
return 0;
*/

Reply |
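For anyone who would rather replace that check than comment it out, here is an added example (my code, not chkuser's) of a recipient-domain syntax check built on the RFC 1035 label rules: labels of 1 to 63 letters, digits and hyphens that neither start nor end with a hyphen, no empty labels, at most 253 characters in total. A double hyphen inside a label is legal, and IDN names are written with exactly that (xn--...), so s--and--s.net passes while -foo.net, foo-.net and foo..net are still refused. The function name is mine.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if 'domain' is a syntactically valid hostname for the domain
 * part of a recipient address, 0 otherwise. Added example, not chkuser's
 * code. Rules applied (RFC 1035 labels as used for mail):
 *   - the whole name is 1..253 characters and has no empty label
 *     (so "foo..net" and a trailing dot are rejected),
 *   - each label is 1..63 characters of letters, digits and '-',
 *   - a label neither starts nor ends with '-',
 * which means "--" inside a label is fine: "xn--..." IDN names and
 * "s--and--s.net" both pass. */
int valid_rcpt_domain(const char *domain)
{
    size_t total = strlen(domain);
    size_t label_len = 0;
    const char *p;

    if (total == 0 || total > 253)
        return 0;

    for (p = domain; ; p++) {
        char c = *p;
        if (c == '.' || c == '\0') {
            /* end of a label: non-empty, short enough, not ending in '-' */
            if (label_len == 0 || label_len > 63)
                return 0;
            if (p[-1] == '-')
                return 0;
            if (c == '\0')
                break;
            label_len = 0;
            continue;
        }
        if (label_len == 0 && c == '-')
            return 0;                              /* label may not start with '-' */
        if (!isalnum((unsigned char)c) && c != '-')
            return 0;                              /* anything else is not allowed */
        label_len++;
    }
    return 1;
}

int main(void)
{
    /* Constructed samples, including the domain from the thread above. */
    const char *samples[] = { "s--and--s.net", "xn--mnchen-3ya.de", "-foo.net", "foo-.net", "foo..net" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s %s\n", samples[i], valid_rcpt_domain(samples[i]) ? "ok" : "rejected");
    return 0;
}
```

This only checks syntax; whether the domain exists or accepts mail is a separate (DNS) question, which is what the rest of chkuser's rcpt handling is about.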

can not send email to special domain

Thanks Ali. Patch updated

can not send email to special domain

Hi roberto puzzanghera and Ali Erturk TURKER 

Thank you very much!

I applied the latest patch. Everything is going well.

Appreciated

STARTTLS/SMTPS AUTH header fix for qmail-smtpd

Hi Roberto,

As you will see here the qmail-auth patch sets the protocol string as "ESMTPA", even though the user is authenticated via starttls/smtps. We need a patch like this to correct the headers generated by qmail-smtpd (which should cleanly apply on your combined patch). After the patch, the mail headers will change from "ESMTPA" to "ESMTPSA" and the ssl_cipher used will be provided as follows:

Before patch:

Received: from unknown (HELO ?172.16.10.2?) (turkerali@xxxxxx.xxx@172.16.10.2)
by xxx.xxxxxx.com with ESMTPA; 10 Mar 2023 20:33:57 -0000

After patch:

Received: from unknown (HELO ?172.16.10.2?) (turkerali@xxxxxx.xxx@172.16.10.2)
by xxx.xxxxxx.com with ESMTPSA (TLS_AES_128_GCM_SHA256 encrypted, authenticated); 12 Mar 2023 12:32:03 -0000

Feel free to test and share on your website.

Regards,

AET

STARTTLS/SMTPS AUTH header fix for qmail-smtpd

Thank you, Ali. Added

qmail-remote CRLF patch on steroids

Hi Roberto,

Bruce Guenter (a qmail guru) has written a patch which offers the exact same functionality of your qmail-remote CRLF patch, while providing 10x less CPU usage for qmail-remote. He accomplishes this by reading the message in 4K chunks (instead of byte-by-byte) while substituting the control characters, and pushing the mail to the remote mail server.

That makes perfect sense, as almost all major filesystems in use today (ext4, btrfs, xfs) default to 4K blocksize.

I modified his patch so that it applies cleanly on your combined patch. Feel free to download from this link, test and share on your website.
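
An added example, my own code and not Bruce Guenter's patch nor the combined patch: one way a chunked reader can turn bare LF into CRLF without corrupting a CR/LF pair that happens to straddle a chunk boundary. It assumes the patch's job is the LF-to-CRLF rewrite of the outgoing message; the demo uses a tiny chunk size only to force the boundary case, where a real reader would use the 4K blocks described above. Function and struct names are mine.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added example, not the patch's code: LF -> CRLF conversion that works
   on fixed-size chunks. A CR seen as the last byte of one chunk is kept
   in 'last_was_cr' so that an LF opening the next chunk is not turned
   into CR CR LF. */
struct crlf_state { int last_was_cr; };

/* Convert n bytes from 'in' into 'out' (which must hold at least 2*n
   bytes). Returns the number of bytes written. */
size_t crlf_chunk(struct crlf_state *st, const char *in, size_t n, char *out)
{
    size_t i, o = 0;
    for (i = 0; i < n; i++) {
        char c = in[i];
        if (c == '\n' && !st->last_was_cr) out[o++] = '\r'; /* bare LF */
        out[o++] = c;
        st->last_was_cr = (c == '\r');
    }
    return o;
}

/* Feed a whole message through crlf_chunk() 'chunk' bytes at a time,
   the way a block-oriented reader would (4096 in the patch discussed). */
size_t crlf_convert(const char *in, size_t n, size_t chunk, char *out)
{
    struct crlf_state st = { 0 };
    size_t done = 0, o = 0;
    if (chunk == 0) chunk = 1;
    while (done < n) {
        size_t take = (n - done < chunk) ? n - done : chunk;
        o += crlf_chunk(&st, in + done, take, out + o);
        done += take;
    }
    return o;
}

/* 1 if converting 'in' with the given chunk size yields exactly
   'expected'; used by the demo below. */
int crlf_check(const char *in, size_t chunk, const char *expected)
{
    char out[512];
    size_t n = strlen(in), o;
    if (n * 2 > sizeof out) return 0;
    o = crlf_convert(in, n, chunk, out);
    return o == strlen(expected) && memcmp(out, expected, o) == 0;
}

int main(void)
{
    /* constructed sample: the CR ends chunk 1 ("ab\r") and the LF opens chunk 2 */
    printf("boundary case ok: %d\n", crlf_check("ab\r\ncd\n", 3, "ab\r\ncd\r\n"));
    printf("bare LF ok: %d\n", crlf_check("a\nb\n", 4096, "a\r\nb\r\n"));
    return 0;
}
```

The carried flag is the whole point: a byte-at-a-time loop gets this for free, while a block loop has to remember the last byte of the previous block or it will emit CR CR LF whenever a line ending is split by the 4K boundary.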

qmail-remote CRLF patch on steroids

Hi Ali, thanks for the advice. Patch added

vpopmail needed?

Hi Roberto,

Thank you for putting together the combined patch that adds so many useful features to netqmail-1.06.

Will the combined patch work without vpopmail? I would like to use it on servers where I do not have mysql and vpopmail installed.

vpopmail needed?

No, it has vpopmail as a prerequisite 

qmail-rfc2821 patch does not cover implicit TLS (SMTPS) connections.

Hi Robert

As you will see here, if the remote port is given as "465" in the control/smtproutes file, qmail-remote automatically switches to implicit TLS ("SMTP over TLS" or "smtps"). I believe the qmail-rfc2821 patch appeared before the qmail-tls support, therefore it does not cover implicit TLS (SMTPS) connections. Since I am a fan of implicit TLS connections myself (due to STARTTLS MitM attacks), I created this patch. Feel free to test and share on your website.

qmail-rfc2821 patch does not cover implicit TLS (SMTPS) connections.

Do you think that it should be like this?

# ifdef TLS 
- if (tls_init())
+ if (tls_init()) {
   if (smtps) {
       code = smtpcode();
       if (code >= 500 && code < 600) quit("DTLS Connected to "," but greeting failed");
       if (code >= 400 && code < 500) return; /* try next MX, see RFC-2821 */
       if (code != 220) quit("ZTLS Connected to "," but greeting failed");
   }
 /* RFC2487 says we should issue EHLO (even if we might not need
    * extensions); at the same time, it does not prohibit a server
    * to reject the EHLO and make us fallback to HELO */
   code = ehlo();
+ }
# endif
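
Review bot: the 4xx branch inside the `if (smtps)` block returns from smtp() without the QUIT that the 5xx and "not 220" branches send through quit(); please confirm that the caller closes the socket and drops the TLS session before connecting to the next MX, otherwise the old connection stays open until the remote times it out. The two `+` brace lines are also essential rather than cosmetic: without `{` after `if (tls_init())` only the `if (smtps)` statement is guarded, and `code = ehlo();` would run even when tls_init() failed, so the closing `+ }` must stay after the `code = ehlo();` line.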

qmail-rfc2821 patch does not cover implicit TLS (SMTPS) connections.

Hi Roberto,

I also removed 2 lines from tls_init() to move the connection checks to smtp() function, to make the code consistent with the previous qmail-rfc2821 patch. Please check my patch again.

It should apply cleanly on your combined patch.

AET

qmail-rfc2821 patch does not cover implicit TLS (SMTPS) connections.

Yes, I see those other two lines removed.

But I don't understand why in your patched file this line

code = ehlo();

is no longer inside the if (tls_init())

qmail-rfc2821 patch does not cover implicit TLS (SMTPS) connections.

Hi Roberto,

Probably there is a misunderstanding. My patch does not replace the qmail-rfc2821 patch.

My patch should be applied on top of your latest combined patch (netqmail-1.06 v. 2023.02.24).

After patching, qmail-remote.c should look like this. Please check and let me know if you have any questions.

Regards

AET

qmail-rfc2821 patch does not cover implicit TLS (SMTPS) connections.

Exactly. What I don't understand is why that last

code = ehlo();

before your patch is inside the if (tls_init()) block

  if (tls_init())
 /* RFC2487 says we should issue EHLO (even if we might not need
    * extensions); at the same time, it does not prohibit a server
    * to reject the EHLO and make us fallback to HELO */
   code = ehlo();

while after your patch it is outside the same block

if (tls_init())
if (smtps) {
code = smtpcode();
if (code >= 500 && code < 600) quit("DTLS Connected to "," but greeting failed");
if (code >= 400 && code < 500) return; /* try next MX, see RFC-2821 */
if (code != 220) quit("ZTLS Connected to "," but greeting failed");
}
/* RFC2487 says we should issue EHLO (even if we might not need
* extensions); at the same time, it does not prohibit a server
* to reject the EHLO and make us fallback to HELO */
code = ehlo();
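
To make the control flow of the snippets above concrete, here is an added example that is my own code, not qmail-remote's smtpcode() or smtp(): a reply parser that handles multi-line replies the way an SMTP client must, and the greeting decision for the implicit-TLS case with exactly the 5xx / 4xx / not-220 split shown in the patched block. The enum and function names are mine.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Added example, not qmail-remote's code: what an SMTPS client does with
   the greeting it reads right after the TLS handshake. */

enum greeting_action {
    GREET_PROCEED,      /* 220: carry on with EHLO */
    GREET_TRY_NEXT_MX,  /* 4xx: transient failure, try the next MX */
    GREET_PERMANENT,    /* 5xx: permanent failure ("D" in qmail's quit()) */
    GREET_TEMPORARY     /* anything else: defer ("Z" in qmail's quit()) */
};

/* Parse one SMTP reply from a buffer of CRLF-terminated lines, honouring
   multi-line replies ("220-text" ... "220 text"). Returns the 3-digit
   code, or -1 when the reply is malformed (no code, code changing between
   lines, or a continuation line with nothing after it). */
int smtp_reply_code(const char *reply)
{
    const char *line = reply;
    int code = -1;
    for (;;) {
        const char *eol = strstr(line, "\r\n");
        size_t n = eol ? (size_t)(eol - line) : strlen(line);
        int c;
        if (n < 3 || !isdigit((unsigned char)line[0]) ||
            !isdigit((unsigned char)line[1]) || !isdigit((unsigned char)line[2]))
            return -1;
        c = (line[0] - '0') * 100 + (line[1] - '0') * 10 + (line[2] - '0');
        if (code != -1 && c != code) return -1;     /* code must be the same on every line */
        code = c;
        if (n == 3 || line[3] == ' ') return code;  /* final line of the reply */
        if (line[3] != '-' || eol == NULL) return -1;
        line = eol + 2;                              /* continuation: look at the next line */
    }
}

/* The decision from the patched smtp(): 5xx -> permanent, 4xx -> next MX,
   anything but 220 -> temporary, 220 -> proceed to EHLO. */
enum greeting_action classify_greeting(int code)
{
    if (code >= 500 && code < 600) return GREET_PERMANENT;
    if (code >= 400 && code < 500) return GREET_TRY_NEXT_MX;
    if (code != 220) return GREET_TEMPORARY;
    return GREET_PROCEED;
}

int main(void)
{
    /* constructed greetings, as they would arrive after the TLS handshake on port 465 */
    const char *greetings[] = {
        "220-mail.example ESMTP\r\n220 ready\r\n",
        "421 4.3.2 try again later\r\n",
        "554 5.7.1 no service\r\n",
        "220-broken continuation\r\n",
    };
    size_t i;
    for (i = 0; i < sizeof greetings / sizeof greetings[0]; i++) {
        int code = smtp_reply_code(greetings[i]);
        printf("code=%d action=%d\n", code, (int)classify_greeting(code));
    }
    return 0;
}
```

A malformed greeting parses as -1 and therefore lands in the "not 220" temporary branch, which is the safe default: the sender defers instead of treating garbage from the far end as a permanent bounce.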

qmail-rfc2821 patch does not cover implicit TLS (SMTPS) connections.

Hi Roberto

You are %1000000000000 right.

First I created the patch on my win10 machine and it's exactly how you suggested.

Then I manually created it again on my linux vm to rebase it on your combined patch, and screwed up.

I revised the patch, it should be OK now.

qmail-rfc2821 patch does not cover implicit TLS (SMTPS) connections.

Impossible not to have at least a bug when you develop on Windows :-)

Patch updated

qregex patch needs to be corrected

Hi Roberto

At some point in time, Luca Franceschini had renamed control/badmailto and control/badmailtonorelay files to control/badrcptto and control/badrcpttonorelay files in:

qmail-smtpd.8
qmail-smtpd.c

Unfortunately this patch overlooked these files, which still contain the old naming scheme.

README.qregex
qmail-control.9
qmail-smtpd.8
qmail-showctl.c

The above files should also be updated accordingly.

Regards,

Ali Erturk TURKER

qregex patch needs to be corrected

Corrected. Thank you

Timeout Log

Hi roberto puzzanghera 

Today, I got many errors in the SMTP log.

Can you tell me the meaning of "reason=alarmtimeout"? And how can I tune any qmail parameter to fix it?

2022-11-14 19:40:42.017547500 mail1 qlogenvelope: result=rejected code=451 reason=alarmtimeout detail= helo=xxx mailfrom=xxx@163.com rcptto= relay=no rcpthosts= size=148766 authuser= authtype= encrypted= sslverified=no localip=xxxx localport=25 remoteip=xxxxx remoteport=16847 remotehost=m12-15.163.com qp=3063 pid=2630

Timeout Log

Hi Jacky,

it is an error belonging to the timeoutread function of qmail-smtpd, which doesn't have any comment inside. It is triggered when the client does not provide some of the mandatory commands in time, such as helo, mailfrom, rcptto etc. When I have this error I can always see a missing helo, or a missing mailfrom or rcptto just like when the client didn't provide them in time. You can see that rcptto is empty also in your example.

I don't think that this is your server's responsibility. Anyway you can try to increase the "timeoutsmtpd" time in your control/timeoutsmtpd if you have set it to a very short time interval. It defaults to 1200s (20 minutes), which is a very long time.

You can reproduce that logline by connecting to your server, not providing the helo or mailfrom or rcptto commands and letting the remote server close the connection after the timeout (of course it's better to shorten it modifying your control/timeoutsmtpd file).
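
As an added illustration, my own code and not qmail's timeoutread(): the mechanism behind that log line is a read bounded by a select() timeout, which fails with ETIMEDOUT when the peer sends nothing in time. A second function runs it over a pipe so that both the timeout and the normal path can be exercised offline. The function names are mine, and the 1-second timeout stands in for the control/timeoutsmtpd value only for the demo.

```c
#include <sys/select.h>
#include <sys/time.h>
#include <sys/types.h>
#include <unistd.h>
#include <errno.h>
#include <string.h>
#include <stdio.h>

/* Added example, not qmail's timeoutread(): wait at most 't' seconds for
   'fd' to become readable, then read(). Returns -1 with errno == ETIMEDOUT
   when nothing arrives in time; that is the situation qmail-smtpd logs
   as reason=alarmtimeout. */
ssize_t timeoutread_demo(int t, int fd, char *buf, size_t len)
{
    fd_set rfds;
    struct timeval tv;
    int r;

    FD_ZERO(&rfds);
    FD_SET(fd, &rfds);
    tv.tv_sec = t;
    tv.tv_usec = 0;
    r = select(fd + 1, &rfds, NULL, NULL, &tv);
    if (r == -1) return -1;                 /* errno set by select(), e.g. EINTR */
    if (r == 0) { errno = ETIMEDOUT; return -1; }
    return read(fd, buf, len);
}

/* Exercise the function over a pipe: with payload == NULL nothing is ever
   written, so the read must time out (returns 1); otherwise the payload is
   written first and must come back unchanged (returns 2). 0 = unexpected. */
int timeoutread_scenario(const char *payload)
{
    int p[2];
    char buf[64];
    ssize_t n;
    int result = 0;

    if (pipe(p) == -1) return 0;
    if (payload != NULL) {
        size_t plen = strlen(payload);
        if (plen >= sizeof buf || write(p[1], payload, plen) != (ssize_t)plen) {
            close(p[0]);
            close(p[1]);
            return 0;
        }
    }
    n = timeoutread_demo(1, p[0], buf, sizeof buf);
    if (n == -1 && errno == ETIMEDOUT)
        result = 1;
    else if (payload != NULL && n > 0 && (size_t)n == strlen(payload)
             && memcmp(buf, payload, (size_t)n) == 0)
        result = 2;
    close(p[0]);
    close(p[1]);
    return result;
}

int main(void)
{
    /* constructed input: a client that sends its HELO, and one that stays silent */
    printf("silent client: %d (1 = timed out)\n", timeoutread_scenario(NULL));
    printf("talking client: %d (2 = data read)\n",
           timeoutread_scenario("HELO client.example\r\n"));
    return 0;
}
```

The silent-client case is the one that ends up as alarmtimeout with an empty rcptto in the log: the server was waiting for a command the client never sent, and the connection is closed by the timeout rather than by the client.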

Timeout Log

I increased timeoutsmtpd to 600 seconds. Until now I did not get any alarmtimeout log anymore.

Thank you roberto puzzanghera

Get size of message via environment variable

Hi roberto puzzanghera 

I am trying to write a qmail-spp plugin to deny messages that are over the size limit of our partner mail server.

So can I get the size of the message via an environment variable like TCPREMOTEHOST?

Get size of message via environment variable

Hi,

I'm not sure that the environment variables visible for qmail-smtpd will be directly visible inside a qmail-spp program. You can see which variables you have in the readme file at point 5 https://notes.sagredo.eu/files/qmail/patches/qmail-spp/README. I don't recall if/where the size of the incoming message is stored, but you can easily print those variables to find out where it is.

Get size of message via environment variable

Hi roberto puzzanghera 

I will try to set the environment variable MAILSIZE in qmail-smtpd.c

I have one more question. Is there a maximum limit of allowed recipients (To, Cc or Bcc)? I tried to send to 1000 recipients, but it does not work well.

I don't set the CHKUSER_RCPTLIMIT variable.

Get size of message via environment variable

Yes, look at the concurrencylocal and concurrencyremote config files (http://www.lifewithqmail.org/lwq.html#configuration)

edit: be sure not to have set limits here for that particular account https://notes.sagredo.eu/en/qmail-notes-185/limiting-the-number-of-emails-sent-by-a-given-auth-userdomainip-231.html

incoming maximum number of recipients allowed

Hi Roberto and all,

Recently one of my domains keeps getting 550_5.5.3_sorry,_reached_maximum_number_of_recipients_allowed_in_one_session_(chkuser) when someone sends to more than 20 recipients there. How and where do I increase this limit?

Thank you

incoming maximum number of recipients allowed

Hi, just edit control/concurrencyincoming and restart qmail

qmail-smtpd: read failed (hang up before quit cmd)

Hi Roberto,

I see a lot of messages like this from time to time in the smtpd log. I don't know if this is something we should worry about or if it is normal and safe to ignore.

Thank you in advance!

 qmail-smtpd: read failed (hang up before quit cmd)

qmail-smtpd: read failed (hang up before quit cmd)

I recorded a qmail-smtpd session just to be sure what that messages means:

2022-05-22 20:13:44.267014500 tcpserver: pid 27286 from 199.249.230.87 
2022-05-22 20:13:44.357670500 tcpserver: ok 27286 smtp.sagredo.eu:10.0.0.4:25 tor38.quintex.com:199.249.230.87::37602
2022-05-22 20:14:04.363400500 27286 > 220 smtp.sagredo.eu ESMTP^M
2022-05-22 20:14:06.787104500 27286 < [EOF]
2022-05-22 20:14:06.787172500 qmail-smtpd: read failed (hang up before quit cmd): (null) from 199.249.230.87 to (null) helo >
2022-05-22 20:14:06.787488500 27286 > [EOF]
2022-05-22 20:14:06.787591500 tcpserver: end 27286 status 256

It is an issue due to the fact that the client closed the connection unexpectedly without sending the quit command. Technically it is something that should not happen, hence the read error.

PS: often this happens after the client received a reject message from our qmail. I've just modified the error message in the patch of May 22 from "hang up before quit cmd" to "client closed the connection before the quit command"

Failed after apply roberto-netqmail-1.06.patch-2022.02.13

Hello,

After applying the patch roberto-netqmail-1.06.patch-2022.02.13, I got this error:

compilation terminated.
make: *** [: srs.o] Erro 1

Failed after apply roberto-netqmail-1.06.patch-2022.02.13

Did you install libsrs2 first?

If yes please post the entire error string

Failed after apply roberto-netqmail-1.06.patch-2022.02.13

Thanks, I installed libsrs2 and the process advanced a little further, changing the error message:

make: *** [Makefile:1674: qmail-remote.o] Erro 1

Failed after apply roberto-netqmail-1.06.patch-2022.02.13

Can you provide the entire error string, please?

Failed after apply roberto-netqmail-1.06.patch-2022.02.13

This is the complete output after I run the command 'make setup check'

Makefile:156: aviso: sobrescrevendo os comandos para o alvo 'base64.o'
Makefile:152: aviso: ignorando comandos antigos para o alvo 'base64.o'
Makefile:239: aviso: sobrescrevendo os comandos para o alvo 'byte_cspn.o'
Makefile:235: aviso: ignorando comandos antigos para o alvo 'byte_cspn.o'
Makefile:255: aviso: sobrescrevendo os comandos para o alvo 'byte_rcspn.o'
Makefile:251: aviso: ignorando comandos antigos para o alvo 'byte_rcspn.o'
Makefile:1845: aviso: sobrescrevendo os comandos para o alvo 'qmail-todo'
Makefile:1831: aviso: ignorando comandos antigos para o alvo 'qmail-todo'
Makefile:1853: aviso: sobrescrevendo os comandos para o alvo 'qmail-todo.o'
Makefile:1839: aviso: ignorando comandos antigos para o alvo 'qmail-todo.o'
Makefile:2172: aviso: sobrescrevendo os comandos para o alvo 'spf.o'
Makefile:2154: aviso: ignorando comandos antigos para o alvo 'spf.o'
Makefile:2177: aviso: sobrescrevendo os comandos para o alvo 'spfquery'
Makefile:2160: aviso: ignorando comandos antigos para o alvo 'spfquery'
Makefile:2184: aviso: sobrescrevendo os comandos para o alvo 'spfquery.o'
Makefile:2167: aviso: ignorando comandos antigos para o alvo 'spfquery.o'
Makefile:2222: aviso: sobrescrevendo os comandos para o alvo 'str_cpyb.o'
Makefile:2218: aviso: ignorando comandos antigos para o alvo 'str_cpyb.o'
Makefile:2311: aviso: sobrescrevendo os comandos para o alvo 'strsalloc.o'
Makefile:2306: aviso: ignorando comandos antigos para o alvo 'strsalloc.o'
./compile qmail-remote.c
qmail-remote.c: In function ‘dropped’:
qmail-remote.c:128:7: error: ‘ssl_err_str’ undeclared (first use in this function)
128 | if (ssl_err_str) { out((char *)ssl_err_str); out(" "); }
| ^~~~~~~~~~~
qmail-remote.c:128:7: note: each undeclared identifier is reported only once for each function it appears in
qmail-remote.c: In function ‘ssl_timeoutread’:
qmail-remote.c:158:10: warning: implicit declaration of function ‘ERR_error_string’ [-Wimplicit-function-declaration]
158 | out(ERR_error_string(ERR_get_error(), buf)); out("\n");
| ^~~~~~~~~~~~~~~~
qmail-remote.c:158:27: warning: implicit declaration of function ‘ERR_get_error’; did you mean ‘SSL_get_error’? [-Wimplicit-function-declaration]
158 | out(ERR_error_string(ERR_get_error(), buf)); out("\n");
| ^~~~~~~~~~~~~
| SSL_get_error
In file included from qmail-remote.c:7:
qmail-remote.c: At top level:
substdio.h:12:64: warning: initialization of ‘int (*)()’ from incompatible pointer type ‘ssize_t (*)(int, void *, size_t)’ {aka ‘long int (*)(int, void *, long unsigned int)’} [-Wincompatible-pointer-types]
12 | #define SUBSTDIO_FDBUF(op,fd,buf,len) { (buf), 0, (len), (fd), (op) }
| ^
qmail-remote.c:231:17: note: in expansion of macro ‘SUBSTDIO_FDBUF’
231 | substdio ssin = SUBSTDIO_FDBUF(read,0,inbuf,sizeof inbuf);
| ^~~~~~~~~~~~~~
substdio.h:12:64: note: (near initialization for ‘ssin.op’)
12 | #define SUBSTDIO_FDBUF(op,fd,buf,len) { (buf), 0, (len), (fd), (op) }
| ^
qmail-remote.c:231:17: note: in expansion of macro ‘SUBSTDIO_FDBUF’
231 | substdio ssin = SUBSTDIO_FDBUF(read,0,inbuf,sizeof inbuf);
| ^~~~~~~~~~~~~~
qmail-remote.c: In function ‘quit’:
qmail-remote.c:350:30: error: ‘smtps’ undeclared (first use in this function); did you mean ‘smtpto’?
350 | if (state & TLS_ST_OK || (!smtps && state & TLS_ST_BEFORE))
| ^~~~~
| smtpto
qmail-remote.c: In function ‘smtp’:
qmail-remote.c:585:13: warning: implicit declaration of function ‘strcasecmp’ [-Wimplicit-function-declaration]
585 | if (strcasecmp(fqdn,commonName)){
| ^~~~~~~~~~
qmail-remote.c:622:9: warning: implicit declaration of function ‘b64encode’ [-Wimplicit-function-declaration]
622 | if (b64encode(&auth_smtp_plain,&slop)) temp_nomem();
| ^~~~~~~~~
make: *** [Makefile:1674: qmail-remote.o] Erro 1

Failed after apply roberto-netqmail-1.06.patch-2022.02.13

Did you install openssl? Which version?

Can you post which version of gcc and which OS you have?

Failed after apply roberto-netqmail-1.06.patch-2022.02.13

OpenSSL Version:

OpenSSL 1.1.1n  15 Mar 2022

In 'gcc -v' the result is this:

gcc -v
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/10/lto-wrapper
OFFLOAD_TARGET_NAMES=nvptx-none:amdgcn-amdhsa:hsa
OFFLOAD_TARGET_DEFAULT=1
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Debian 10.2.1-6' --with-bugurl=file:///usr/share/doc/gcc-10/README.Bugs --enable-languages=c,ada,c++,go,brig,d,fortran,objc,obj-c++,m2 --prefix=/usr --with-gcc-major-version-only --program-suffix=-10 --program-prefix=x86_64-linux-gnu- --enable-shared --enable-linker-build-id --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --libdir=/usr/lib --enable-nls --enable-bootstrap --enable-clocale=gnu --enable-libstdcxx-debug --enable-libstdcxx-time=yes --with-default-libstdcxx-abi=new --enable-gnu-unique-object --disable-vtable-verify --enable-plugin --enable-default-pie --with-system-zlib --enable-libphobos-checking=release --with-target-system-zlib=auto --enable-objc-gc=auto --enable-multiarch --disable-werror --with-arch-32=i686 --with-abi=m64 --with-multilib-list=m32,m64,mx32 --enable-multilib --with-tune=generic --enable-offload-targets=nvptx-none=/build/gcc-10-Km9U7s/gcc-10-10.2.1/debian/tmp-nvptx/usr,amdgcn-amdhsa=/build/gcc-10-Km9U7s/gcc-10-10.2.1/debian/tmp-gcn/usr,hsa --without-cuda-driver --enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu --with-build-config=bootstrap-lto-lean --enable-link-mutex
Thread model: posix
Supported LTO compression algorithms: zlib zstd
gcc version 10.2.1 20210110 (Debian 10.2.1-6)

And my OS is Debian 11.3

Failed after apply roberto-netqmail-1.06.patch-2022.02.13

ssl_err_str was defined around line 72 of qmail-remote.c, wasn't it?

Did you get any error during the patch process?

Implement reject null senders patch only for port 465 or 587

Hi roberto puzzanghera 

In this qmail patch can I apply reject null senders only for a special port (465 or 587) with an environment variable?

Implement reject null senders patch only for port 465 or 587

Implement reject null senders patch only for port 465 or 587

Hi roberto puzzanghera 

Thank you for your patch.
After applying the new patch I got the error below.

# telnet 127.0.0.1 587
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
421 unable to read controls (#4.3.0)
Connection closed by foreign host.
# openssl s_client -connect localhost:587 -starttls smtp
CONNECTED(00000003)
didn't found starttls in server response, try anyway...
write:errno=32
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 38 bytes and written 25 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1645801919
Timeout : 300 (sec)
Verify return code: 0 (ok)
---

Implement reject null senders patch only for port 465 or 587

try downloading again now

Implement reject null senders patch only for port 465 or 587

Hi roberto puzzanghera 

Everything is fine. Thank you very much.

P/s: I think if you add ipv6 support, this patch is the best patch for qmail.

Implement reject null senders patch only for port 465 or 587

Yes, I think because this is the only maintained patch published on the internet!

Ipv6 would be great! Which patch are you testing?

Implement reject null senders patch only for port 465 or 587

I tested this patch roberto-netqmail-1.06.patch-2022.02.25.gz 

and implemented to one production server for workload test.

Implement reject null senders patch only for port 465 or 587

I'm not sure that ipv6 can work without patching the core of qmail...

Implement reject null senders patch only for port 465 or 587

Exactly,

I just applied tcpserver for ipv6 only. Incoming email is fine (RBL is not working well), but outgoing does not work.

Implement reject null senders patch only for port 465 or 587

I guess that the rblsmtpd program by eh embedded in ucspi-tcp6 will work

I think that also at least spf and moreipme have to be patched.

If you want to help, can you test the Manvendra's ipv6 patch here https://sourceforge.net/projects/indimail/files/netqmail-addons/qmail-dkim-1.0/ against Saout's spf?

Implement reject null senders patch only for port 465 or 587

This patch with the name dkim+spf+ipv6.patch-1.14.gz, right?

If you need one machine with ipv6 let me know.

Implement reject null senders patch only for port 465 or 587

Yes, this one. At a certain point Manvendra added ipv6 to the original dkim patch, but I've never found the time to add it to my patch.

I would install it on a vanilla qmail and test it as is. Then I would install the spf patch (https://notes.sagredo.eu/files/qmail/patches/qmail-spf-rc5.patch) on top of it and test spf.

Thanks for the collaboration and for the possibility to use a machine of yours. This month I don't have free time because I have to migrate this server.

We can continue this discussion on ipv6 in private via mail if you like (contact button on the top of this page).

not-qmail?

Hey Robert,

Long time reader, first time caller.  Recently came across the not-qmail project (GH/not-qmail/not-qmail), from some former qmail users who went over to postfix and came back.  Was wondering if you'd taken a look at their work, or if you think net-qmail is still the best base for qmail?

not-qmail?

Hi Ryan, certainly a combined patch based on the qmail legacy like mine can't represent the future of qmail and one day we'll have to look at some of those qmail successors like not-qmail. I've never played with not-qmail but I have a big respect for such an ambitious project, and the fact that it comes from qmail gurus like Manvendra Bhangui and the others sounds like a guarantee for me. But, as their wishlist says, most common features still have to be implemented, so let's give them their time.

Nowadays, if I had to use a qmail successor in production, I'd rather consider Manvendra's indimail (it has everything) and Erwin Hoffmann's s/qmail (very active and complete).

Got error with netqmail-1.06 v. 2022.02.10 

Hi roberto puzzanghera 

I tried to apply the newest combined patch for netqmail-1.06 v. 2022.02.10, but got some errors below. Can you check it for me? Is it displayed only on my server?

./compile qmail-smtpd.c
In file included from tls.h:4:0,
from qmail-smtpd.c:36:
qmail-smtpd.c: In function ‘tls_init’:
qmail-smtpd.c:2351:28: error: ‘SSL_OP_NO_RENEGOTIATION’ undeclared (first use in this function)
SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION);
^
qmail-smtpd.c:2351:28: note: each undeclared identifier is reported only once for each function it appears in
make: *** [qmail-smtpd.o] Error 1

Got error with netqmail-1.06 v. 2022.02.10 

Hi, which version of openssl do you have?

Got error with netqmail-1.06 v. 2022.02.10 

Hi,

I am using openssl version below. Is it old?

OpenSSL 1.0.2k-fips  26 Jan 2017

Got error with netqmail-1.06 v. 2022.02.10 

openssl is now at v. 1.1.

The patch that I linked above should solve your problem. Let me know.

Got error with netqmail-1.06 v. 2022.02.10 

Hi roberto puzzanghera

When I tried to apply the patch from the link you gave me, I got the text below.

What should I do? Just press enter to continue?

# gunzip -c ../roberto-netqmail-1.06.patch-2022.02.13.gz |patch
The next patch would delete the file CHANNELS, which does not exist!  Assume -R? [n]

Got error with netqmail-1.06 v. 2022.02.10 

Sorry, the patch that I uploaded yesterday is corrupted. Please download it again and retry

Got error with netqmail-1.06 v. 2022.02.10 

Hi Roberto Puzzanghera 

Thank you very much .

I applied new patch successfully.

Until now everything is good.

qmail-smtp get 100% of CPU

Hi roberto puzzanghera 

Yesterday, I updated to the latest version of this patch. After that I faced a problem with the qmail-smtpd process.

It made my CPU go to 100%. Did you have the same issue? Do you have any advice for me to check my server?

Sending and receiving e-mail is ok.

Tasks: 717 total,   2 running, 581 sleeping,   0 stopped,   0 zombie
%Cpu(s):  6.5 us,  0.2 sy,  0.0 ni, 93.3 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 st
KiB Mem : 65429236 total, 24054772 free,  2695836 used, 38678628 buff/cache
KiB Swap:  8388604 total,  8344368 free,    44236 used. 58790728 avail Mem
PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND
17142 vpopmail  20   0   43068   4764   4176 R 100.0  0.0   8:28.19 qmail-smtpd
21070 root      20   0  164140   5152   3804 R   0.7  0.0   0:00.06 top

qmail-smtp get 100% of CPU

Hi Jacky, no I don't have the same problem.

What do you have in the tcpserver: status line?

2022-01-23 16:16:37.153586500 tcpserver: status: 1/200

PS If I understand well, you are one of the most ancient commentators of this place :-) 

qmail-smtp get 100% of CPU

Hi roberto puzzanghera 

Thank you for your reply! This is my qmail-smtpd status line.

2022-01-24 01:17:40.458419500 tcpserver: ok 26702 mail1.xxx.com:172.24.xxx.xxx:25 service.axxx.xxx:209.141.xxx.xxx::45762
2022-01-24 01:17:41.066480500 tcpserver: end 26549 status 256
2022-01-24 01:17:41.066481500 tcpserver: status: 15/600
2022-01-24 01:17:41.722767500 tcpserver: end 26593 status 256
2022-01-24 01:17:41.722767500 tcpserver: status: 14/600
2022-01-24 01:17:41.841063500 tcpserver: status: 15/600
2022-01-24 01:17:41.841284500 tcpserver: pid 26723 from 107.16xxx.xxx
2022-01-24 01:17:42.313190500 tcpserver: end 26588 status 256
2022-01-24 01:17:42.313191500 tcpserver: status: 14/600
2022-01-24 01:17:42.854308500 tcpserver: status: 15/600
2022-01-24 01:17:42.854440500 tcpserver: pid 26726 from 134.73.xxx.xxx
2022-01-24 01:17:42.854926500 tcpserver: ok 26726 mail1.xxx.com:172.24.xxx.xxx:25 :134.73.xxx.xxx::61096
2022-01-24 01:17:43.897306500 tcpserver: status: 16/600
2022-01-24 01:17:43.897474500 tcpserver: pid 26727 from 151.52.xxx.xxx
2022-01-24 01:17:43.990919500 tcpserver: ok 26652 mail1.xxx.com:172.24.xxx.xxx:25 :107.16xxx.xxx::54474

qmail-smtp get 100% of CPU

Are the servers' date and time correct? 

Secondly, I would try to see what smtpd is doing with strace

qmail-smtp get 100% of CPU

Hi roberto puzzanghera 

This is my strace of qmail-smtpd. I used the "strace -fp 24210" command.

strace: Process 24210 attached
brk(NULL) = 0x840000
brk(NULL) = 0x840000
brk(0x83c000) = 0x83c000
brk(NULL) = 0x83c000
write(1, "\26\3\1\0001\2\0\0-\3\1\223\310\"\312Q\0\202\321\223\303.b;}\245I'\276\225\313\344"..., 4095) = 4095
read(0, 0x810c43, 5) = -1 EAGAIN (Resource temporarily unavailable)
fcntl(0, F_GETFL) = 0x802 (flags O_RDWR|O_NONBLOCK)
fcntl(0, F_SETFL, O_RDWR) = 0
fcntl(1, F_GETFL) = 0x2 (flags O_RDWR)
fcntl(1, F_SETFL, O_RDWR) = 0
select(2, NULL, [1], NULL, {tv_sec=60, tv_usec=0}) = 1 (out [1], left {tv_sec=59, tv_usec=999997})
write(1, "454 TLS connection failed: timed"..., 47) = 47
brk(NULL) = 0x83c000
brk(NULL) = 0x83c000
brk(0x83a000) = 0x83a000
brk(NULL) = 0x83a000
brk(NULL) = 0x83a000
brk(NULL) = 0x83a000
brk(0x836000) = 0x836000
brk(NULL) = 0x836000
brk(NULL) = 0x836000
brk(NULL) = 0x836000
brk(0x82b000) = 0x82b000
brk(NULL) = 0x82b000
select(3, NULL, [2], NULL, {tv_sec=60, tv_usec=0}) = 1 (out [2], left {tv_sec=59, tv_usec=999996})
write(2, "qmail-smtpd: read failed (tls co"..., 114) = 114
exit_group(1) = ?
+++ exited with 1 +++

qmail-smtp get 100% of CPU

You have a TLS connection failure, I guess in your submission service. Can you check your TLS certificate state in this way

openssl s_client -starttls smtp -crlf -connect localhost:587 -cert /var/qmail/control/servercert.pem -key /var/qmail/control/servercert.pem -state

qmail-smtp get 100% of CPU

Hi roberto puzzanghera 

Sorry for late reply . 

I added the recordio command before qmail-smtpd in the config file to get a more detailed log, but there is no TLS error log.

I changed the qmail-smtpd/run config [/usr/local/bin/softlimit -m 10000000] -> [/usr/local/bin/softlimit -m 200000].

So after 2 days everything is ok, and my server's CPU is safe now. I think softlimit was over-spec. Thank you for your kind support.

I am still trying to get qmail using IPv6 . Have a nice day.

qmail-smtp get 100% of CPU

Here is the command's result on my server. I am using "SMTPD_GREETDELAY" for greeting delay too.

Maybe this makes the server's resource usage higher than normal? I will remove the SMTPD_GREETDELAY option.

openssl s_client -starttls smtp -crlf -connect localhost:587 -cert /var/qmail/control/servercert.pem -key /var/qmail/control/servercert.pem -state
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G2
verify return:1
depth=0 CN = *.no1-serxxx.com
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read server session ticket A
SSL_connect:SSLv3 read finished A
---
Certificate chain
0 s:/CN=*.no1-serxxx.com
i:/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
1 s:/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/CN=*.no1-serxxx.com
issuer=/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3605 bytes and written 450 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: AB98869F6AA62BD90D91E8F6EAFDB4B0EFD014FFD6019560C21242593A9CF8E9
Session-ID-ctx:
Master-Key: CFB1310D7B82FCA44346348EB4C2D57FF53E4AFB7A63C7BDA61F772F8DDC2FB73A2C95E1A1EC03CFF52A4186C7748F62
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 37 05 25 6f d9 34 73 41-dd c7 fb 5c b7 61 00 21 7.%o.4sA...\.a.!
0010 - e2 dd 4f 35 c3 f5 86 12-d8 59 39 97 b2 db 66 ec ..O5.....Y9...f.
0020 - 5f e4 70 39 8f 54 e9 46-55 a9 41 6f d6 dd 3b b1 _.p9.T.FU.Ao..;.
0030 - 0a f1 49 64 3e 68 30 fe-ba 93 df 39 da 1a 8d bb ..Id>h0....9....
0040 - 5c 76 e0 5f 34 83 33 b1-d8 67 c2 81 9b 75 bd 79 \v._4.3..g...u.y
0050 - 09 11 bb a0 56 d8 3b a3-e6 fe f2 b5 48 40 2f 43 ....V.;.....H@/C
0060 - 9f f4 0e 25 36 db e0 e4-39 1b 69 be 02 0b 6f 79 ...%6...9.i...oy
0070 - 9e fa 8b 20 73 ff 60 0f-54 cc c4 e9 dc e7 f9 26 ... s.`.T......&
0080 - c9 11 b9 93 7c 40 92 57-2c 1c 2a fc c1 c5 8c fb ....|@.W,.*.....
0090 - 14 34 b3 1d 0f e4 cf 58-d0 0b a4 18 25 61 d6 c3 .4.....X....%a..

Start Time: 1643020850
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
250 SIZE 20480000

Reply |

qmail-smtp get 100% of CPU

No, greetdelay will not engage your cpu, just absorbs spammers' resources :-)

First of all, consider updating your openssl server or disabling connections with SSL 3.0, because of the POODLE vulnerability. Anyway, your certificate seems ok.

Can you check the logs (both smtpd and submission) and look for those "454 TLS connection failed"? Can you do

openssl s_client -starttls smtp -crlf -connect yourserver.tld:25/587

from remote, using the port that advertises STARTTLS?

Reply |

Problem of check sender email address with ~ character

Hi roberto

Today I faced the problem with WBErbxishu_citizen~micro_205_0_0@abc.com

When I remove the [~] character everything is ok. So I wonder if we can add an exception for the [~] character in chkuser.

I checked that the patch has the [~] character uncommented. But it does not work. Can you please check it?

+#define CHKUSER_ALLOW_SENDER_CHAR_5 '*'
+#define CHKUSER_ALLOW_SENDER_CHAR_6 '^'
+#define CHKUSER_ALLOW_SENDER_CHAR_7 '~'

Reply |

Problem of check sender email address with ~ character

Hi Jacky, WBErbxishu_citizen~micro_205_0_0@abc.com works here...

Reply |

Problem of check sender email address with ~ character

Hi roberto

telnet mail-xxx.xxx-xxxx.com 25
Trying 158.101.69.33...
Connected to mail-xxx.xx-xxx.com.
Escape character is '^]'.
220 mail.no1-xxx.com Welcome to SMTP server ESMTP
ehlo
250-mail.no1-xxx.com Welcome to SMTP server
250-STARTTLS
250-PIPELINING
250-8BITMIME
250-AUTH LOGIN PLAIN CRAM-MD5
250 SIZE 20480000
mail from: <WBErbxishu_citizen~micro_205_0_0@biem.eco-serv.jp>
553 5.1.7 sorry, mailbox syntax not allowed (chkuser)
mail from: <WBErbxishu_citizen?micro_205_0_0@rbiem.eco-serv.jp>
553 5.1.7 sorry, mailbox syntax not allowed (chkuser)
mail from: <WBErbxishu_citizen~micro_205_0_0@rbiem.eco-serv.jp>
553 5.1.7 sorry, mailbox syntax not allowed (chkuser)

I deployed newest patch but it does not work for me.

Do you have any advice for me?

Reply |

Problem of check sender email address with ~ character

Weird... it seems like you're not using the same chkuser...

I would check the chkuser's source code in order to verify that you are using the same patch. Check these lines https://notes.sagredo.eu/files/qmail/patches/roberto-netqmail-1.06/2021.06.19_patch.diff

Did you restart qmail after last compile/install?

Reply |

Problem of check sender email address with ~ character

Hi Roberto

Thank you for your advice.

I figured out my problem. The issue was that my qmail-smtp run config was still using the old qmail-smtpd file. I am terribly sorry.

Thank you very much.

Reply |

Problem with latest patch

Hello Roberto

Thank you for your excellent work, time and support of this patch. 

The latest patch builds fine. I can send outgoing mail. However, a problem with vdelivermail leaves mail in the queue, perpetually deferred with database_down errors. I have spent a day troubleshooting this new build and could not locate the issue, hoping you can point me in the right direction.

Here is what I have:

## -> mlcat send

2021-10-25 16:05:54.914534500 delivery 2: deferral: vdelivermail:_deferred,_database_down/

I have double-checked all the usual suspects... the queue looks good, it is a brand new build anyway, still not sure what's missing here. Any pointers are much appreciated. Thank you.

Thank you very much.

Reply |

Problem with latest patch

Hi, I had a look at the source code

   /* if the database is down, deferr */ 
   if ( verrori == VA_NO_AUTH_CONNECTION )
       vexiterr (EXIT_DEFER, "vdelivermail: deferred, database down");

it seems that it cannot connect to your mysql. So, double check your mysql connection/privileges and your vpopmail/mysql configuration

Reply |

Problem with latest patch

After the help dealing with the log date patch, this seems to be the error I now face. 

I can successfully make users and valiases, can successfully query those on port 89, can successfully do

mysql -h 127.0.0.1 -u vpopmail -pPASSWORD vpopmail 

and the same if I swap it to 0.0.0.0 

the line in

more /home/vpopmail/etc/vpopmail.mysql is: 0.0.0.0|0|vpopmail|PASSWORD|vpopmail

though in testing this it has also been localhost and 127.0.0.1.

The various GRANT etc. statements gave me issues and seemed to be related to:

https://stackoverflow.com/questions/52372165/mysql-error-1064-42000-you-have-an-error-in-your-sql-syntax

But I assumed that once I navigated to a place where I could make accounts and the like I was fine, as I was the last time I did this whole process and had the same error with the GRANT commands. 

What is the best way to find out where this is now failing and remedy it? 

System is Ubuntu 22.04 LTS with the database packages installed from apt. 

Reply |

Problem with latest patch

I will  try tomorrow with your Ubuntu version also to try to reproduce the bug with the daemontools patch. Regarding the database/user query, I don't see the problem in the page you link. My query is exactly as suggested there...

BTW, which exact query are you using? I suggest using localhost everywhere if the mail server and the mysql server are the same

Reply |

Problem with latest patch

I'm floored with the level you're willing to go to help people with this process and the guide. Very impressive. Thank you again. 

The last time I did this my notes on the

>GRANT USAGE ON * . * TO 'vpopmail'@'mailserver-IP' IDENTIFIED BY 'jz_jcsX4yW' WITH MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ;

Command prompted me to make note of the URL shared above in my build log. That was with 20.04 LTS (MySQL Server version: 8.0.27-0ubuntu0.20.04.1 (Ubuntu) )

This time:

Server version: 8.0.34-0ubuntu0.22.04.1 (Ubuntu)
Copyright (c) 2000, 2023, Oracle and/or its affiliates.

mysql> GRANT USAGE ON * . * TO 'vpopmail'@'localhost' IDENTIFIED BY 'PASSWORD' WITH MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'IDENTIFIED BY 'X8vFVtChqVwf' WITH MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOU' at line 1

In both cases I was able to proceed with a GRANT USAGE that truncates after localhost - not applying the limits. But in the 20.04 case I did not run into the vdelivermail:_deferred,_database_down/ error.

Many things have changed in the years gap. I find myself wondering if the default mysql password type matters, as that appears to have changed from then to now based on my trying to resolve this. 

I have another error in my qmail/send/current log regarding a TLS_connect_failed when sending a remote message, unsupported protocol, and I'd have expected that to fall back to unsecure for non-submission, i.e. port 25. I know a good deal about the other server as the one I'm building is backup MX for some of its domains, so ideally I just need this to work too - until that other one gets rebuilt. Given this is the rather minimal rc run script I'm not sure how to adjust that setting.

I'm also happy to take the more extended conversation on this to email or another system if you'd rather not have all of it here.

Reply |

Problem with latest patch

Try to use 

GRANT USAGE ON * . * TO 'vpopmail'@'localhost' WITH MAX_QUERIES_PER_HOUR and all the rest

as explained in the link you provided above.

Let's continue the conversation here for now, as it can be of interest for others

Reply |

Problem with latest patch

mysql> GRANT USAGE ON * . * TO 'vpopmail'@'localhost' WITH MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USE' at line 1

Removing the password section does not seem to be enough. 

Reply |

Problem with latest patch

No idea... is there a particular reason why you are using MySQL? What about switching to mariadb and getting rid of these issues? It's available in the Ubuntu store, as you know

Reply |

Problem with latest patch

I've swapped databases as suggested, the grant statements now work with the limits. 

I've rebuilt the vdomains, vusers, valiases due to switching databases. All went as smoothly as before. 

Messages still do not get delivered with the same 

2023-09-03 13:40:07.895332212 delivery 10: deferral: vdelivermail:_deferred,_database_down/

Though operations work on the database to make the users etc which I assume uses the same authentication file and the same data channel as vdelivermail does. 

Thank you again for all of your assistance.

Reply |

Problem with latest patch

You have a failed connection to database (VA_NO_AUTH_CONNECTION) while attempting to read the virtual aliases. Did you test vpopmail with telnet 0 89?

Do you have mariadb and qmail on the same host? Try to do a connection from the command line:

mysql -u vpopmail -p vpopmailpwd

look for errors in mariadb log.

Check the privileges. What do you have in vpopmail.mysql? Of course hide your pwd. Be aware that vpopmail@localhost is a different user than vpopmail@127.0.0.1 from the database point of view...

Reply |

Problem with latest patch

postmaster for a vdomain can successfully authenticate with the telnet 0 89 test yes. 

Both are hosted on the same machine yes:

# mysql -u vpopmail -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 1496
Server version: 10.6.12-MariaDB-0ubuntu0.22.04.1 Ubuntu 22.04
mariadb(mysql) error log is empty, 0 bytes.

vpopmail.mysql file:

-rw-r----- 1 vpopmail vchkpw   43 Sep  3 14:39 vpopmail.mysql
localhost|0|vpopmail|PASSWORD|vpopmail

localhost was used for all the GRANT statements - so matching that seemed important but in testing I've cycled through 'localhost' '127.0.0.1' and '0.0.0.0' - am tempted to add additional matching GRANT statements for all of these in hopes it would help. 

Reply |

Problem with latest patch

Ok. So I assume that you have a database user vpopmail@localhost with privileges to use the vpopmail db.

The delivery fails only when sending to a valias or even to an ordinary mailbox?

Reply |

Problem with latest patch

I re-ran 

MariaDB [(none)]> CREATE USER 'vpopmail'@'localhost' IDENTIFIED BY 'PASSWORD'; 
ERROR 1396 (HY000): Operation CREATE USER failed for 'vpopmail'@'localhost'
MariaDB [(none)]> select User from mysql.user;
+-------------+
| User        |
+-------------+
| mariadb.sys |
| mysql       |
| root        |
| vpopmail    |
+-------------+
4 rows in set (0.001 sec)

MariaDB [(none)]>  GRANT USAGE ON * . * TO 'vpopmail'@'localhost' IDENTIFIED BY 'PASSWORD' WITH MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ;
Query OK, 0 rows affected (0.001 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON `vpopmail` . * TO 'vpopmail'@'localhost';
Query OK, 0 rows affected (0.001 sec)

Failure is happening on non-alias virtualusers. Haven't tested the aliases, though I have made aliases.

Reply |

Problem with latest patch

You should select not only the user field but also the host. Anyway it seems that vpopmail@localhost exists.

I've no idea. I think that if you recompile without valias it will work as no DB connection is needed.

Does the valias table exist? Try to create a valias and see if it's written correctly

Reply |

Problem with latest patch

I'd also try to connect with the vpopmail account and to

USE vpopmail;
SELECT * from valias;

Reply |

Problem with latest patch

I'm really at a loss. 

As posted the other day the valias database seems to be correctly populated. 

I've now granted access on all three of 0.0.0.0 localhost and 127.0.0.1 and tried those values in the file. 

I've been able to get errors out of mariadb by looking at the service status and if I mangle the password intentionally it will throw a password error. When I restart qmail there is an aborted connection warning. 

I've now set the vpopmail.mysql file to be 127.0.0.1 and changed the port to 3306. Per: 

Sep 05 11:56:08  mariadbd[431485]: 2023-09-05 11:56:08 0 [Note] Server socket created on IP: '127.0.0.1'.
Sep 05 11:56:08 mariadbd[431485]: 2023-09-05 11:56:08 0 [Note] /usr/sbin/mariadbd: ready for connections.
Sep 05 11:56:08 mariadbd[431485]: Version: '10.6.12-MariaDB-0ubuntu0.22.04.1'  socket: '/run/mysqld/mysqld.sock'  port: 3306  Ubuntu 22.04

Though from this perspective 0 seemed to work as did 0.0.0.0 and localhost. 

I recompiled vpopmail without valias, no change. I attempted to recompile it without any of the sql-database options (I could live without it using mysql/mariadb as long as dovecot pop/imap also works down the line) and that wouldn't compile at all.

Reply |

Problem with latest patch

Hi, can we continue the discussion via mail, just to avoid the bombing for those who subscribed to the comments? :-) Please use the contact button above.

Please send the errors you eventually get in the mysql log. 

If you disabled valias and continue to get db connections errors like "vdelivermail: deferred, database down", your vpopmail installation is a mess. The code speaks clearly:

file vdelivermail.c:

#ifdef VALIAS 
   /* process valiases if configured */
   if ( process_valias() == 1 )
       vexiterr (EXIT_OK, "vdelivermail: valiases processed");

   /* if the database is down, deferr */
   if ( verrori == VA_NO_AUTH_CONNECTION )
       vexiterr (EXIT_DEFER, "vdelivermail: deferred, database down");
#endif

You can't get that error without VALIAS defined. Or your previous installation has not been overwritten. Check if VALIAS has been defined or not in ~vpopmail/include/config.h

Also you may have called an old vdelivermail and not installed vpopmail in another folder. Please post the following

which vdelivermail
grep -r vpopmail /etc/passwd

and the content of your .qmail-default

Reply |

Problem with latest patch

# mysql -u vpopmail -p                
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 1508
Server version: 10.6.12-MariaDB-0ubuntu0.22.04.1 Ubuntu 22.04
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> USE vpopmail;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [vpopmail]> SELECT * from valias;
+----+---------------+------------------------+--------------------------+
| id | alias         | domain                 | valias_line              |
+----+---------------+------------------------+--------------------------+

(and it appears correctly populated)

I need aliases, though I can get away with using .qmail-VUSER files if need be.

Reply |

qmail outgoing ip with Ipv6 support

Hi all,

I searched for the "Ipv6" keyword on this page but could not find the answer.

So can qmail send email to other mail servers with IPv6 support or not?

I use tcpserver daemon to run qmail.

Reply |

qmail outgoing ip with Ipv6 support

Not with this qmail patch.

Edit: Only ucspi-tcp6 is ipv6 ready

Reply |

qmail outgoing ip with Ipv6 support

Hi Roberto

I will install ucspi-tcp6 and try to send and receive with IPv6

Reply |

add qmail-spp to this patch

Sorry, can anyone help me install qmail-spp http://qmail-spp.sourceforge.net/doc/ with this patch?

Reply |

add qmail-spp to this patch

Hi, it should be quite easy to add the patch that was built for the old Bill Shupp's combined patch. But you should do it by hand because the qmail-smtpd.c from Shupp's patch is very different from mine

Reply |

add qmail-spp to this patch

Hi Roberto,

Thank you for your reply. I will try to add it by hand.

Reply |

add qmail-spp to this patch

Remember that those two qmail-spp files are new and can be copied from a vanilla qmail patched with the same patch.

Then you only have to take care of the makefile, which is easy to adjust, and qmail-smtpd.c, where you just have to put those new lines in the right place

Reply |

"TLS connect failed" on netqmail-tls 1.06.20110119_1

Hi Roberto,

My qmail installation (netqmail-tls 1.06.20110119_1 over the FreeBSD ports) can't send mails to Microsoft (and others) anymore for a few months. qmail tries to send it for a week and then gives up. I read that Microsoft (and others) rejects TLSv1.0 now and accepts only TLSv1.2.

I just checked the last FreeBSD port. It uses the latest Frederik Vermeulen's patch (https://inoa.net/qmail-tls/netqmail-1.06-tls-20200107.patch). But I couldn't find any version number like TLSv1.0, TLSv1.1, TLSv1.2, etc.

  • Does it not depend on qmail but on OpenSSL?
  • So the patch from f.vermeulen will work with TLSv1.2?

Reply |

TLS connect failed

I think that the latest version will work with all TLS versions, I just remember that the SSLv3 support was removed after POODLE was spotted, but I'm not sure. You should contact the author of the patch for further information

Or you can install the latest tls patch and test the connection against microsoft using openssl as explained in this guide

Reply |

expanding allowed characters in mail addresses

Hi Roberto,

in the patch there are a range of characters that are allowed in the mail address. The CHKUSER_ALLOW_RCPT_CHAR_* variables are used in the functions check_sender_address_format and check_rcpt_address_format in chkuser.c.

Our server with your latest patch rejects mails because the address includes slashes. I really have no idea why people are thinking this is a good idea :)

2021-06-14 14:41:18.754723500 qlogenvelope: result=rejected code=553 reason=chkusersender detail=senderformat helo=**************** mailfrom=SRS0=R/yv=LI=**************** rcptto= relay=no rcpthosts= size= authuser= authtype= encrypted=tls sslverified=no localip=**************** localport=25 remoteip=**************** remoteport=56562 remotehost=**************** qp= pid=4456
2021-06-14 15:07:27.879168500 CHKUSER rejected sender: from <SRS0=R/yv=LI=****************|remoteinfo/auth:|chkuser-identify:> remote <helo:|remotehostname:****************|remotehostip:****************> rcpt <> : invalid sender address format

What do you think about either replacing, e.g., #define CHKUSER_ALLOW_RCPT_CHAR_9 '#' (because '#' is also declared in the 2 functions) or (my favorite) patching the 2 functions to declare the rest of the allowed characters?

&& (user->s[x] != '#')
&& (user->s[x] != '/')
and so on ...

As I understand the rfc the allowed characters are: !#$%&'*+-/=?^_`.{|}~

Regards Thomas

Reply |
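Thomas's RFC 5321 character list, worked into a local-part check written in the spirit of chkuser's check_sender_address_format()/check_rcpt_address_format() loops but driven by the full atext set instead of a fixed CHKUSER_ALLOW_*_CHAR_n table. This is an added example, not chkuser's or qmail's own code; the function name local_part_ok and the sample addresses are constructed for the demonstration.

```c
/* Added example, not chkuser's or qmail's own code: a sender/recipient
 * local-part check driven by the RFC 5321 atext set. Quoted local parts
 * ("john doe"@x) are deliberately not supported, as in chkuser. */
#include <stdio.h>
#include <string.h>

/* RFC 5321 atext specials; letters and digits are handled separately. */
static const char ATEXT_SPECIALS[] = "!#$%&'*+-/=?^_`{|}~";

static int is_alnum_ascii(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9');
}

/* Return 1 if the local part of addr (everything before the last '@',
 * or the whole string if there is none) is a valid dot-atom, else 0. */
int local_part_ok(const char *addr)
{
    const char *at = strrchr(addr, '@');
    size_t len = at ? (size_t)(at - addr) : strlen(addr);

    if (len == 0 || len > 64)                 /* RFC 5321 4.5.3.1.1 limit */
        return 0;
    if (addr[0] == '.' || addr[len - 1] == '.')
        return 0;                             /* no leading/trailing dot */

    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)addr[i];
        if (c == '.') {
            if (addr[i + 1] == '.')           /* no consecutive dots */
                return 0;
            continue;
        }
        if (is_alnum_ascii(c))
            continue;
        if (c < 0x80 && strchr(ATEXT_SPECIALS, c) != NULL)
            continue;                         /* '~', '/', '=', '#', ... */
        return 0;                             /* space, '(', '<', 8-bit, ... */
    }
    return 1;
}

int main(void)
{
    /* constructed samples, including the two shapes rejected in this thread */
    const char *samples[] = {
        "WBErbxishu_citizen~micro_205_0_0@example.invalid",
        "SRS0=R/yv=LI=user@example.invalid",
        "foo..bar@example.invalid",
        "john doe@example.invalid",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-50s %s\n", samples[i],
               local_part_ok(samples[i]) ? "accepted" : "rejected");
    return 0;
}
```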

expanding allowed characters in mail addresses

Hi Thomas,

I think we can patch to define a CHKUSER_ALLOW_RCPT/SENDER_CHAR_11 for the slash character, so that those addresses will be allowed even when CHKUSER_ALLOW_RCPT_SRS is not defined. I'll do it in the following days.

Reply |

expanding allowed characters in mail addresses

This will be good. I am awaiting your patch :)

Reply |

expanding allowed characters in mail addresses

The patch is already in place ;)

Reply |

expanding allowed characters in mail addresses

Oh. I did not realise this. Thank you :)

Reply |

RSA/DH keys

Hi Roberto,

I noticed the change of the RSA/DH keys (rsa4096.pem/dh4096.pem) created by 'update_tmprsadh.sh' to length 4096, but the code has not changed; qmail-smtpd.c still only opens the rsa/dh pem files (below) of length 2048 and 1024:

FILE *in = fopen("control/rsa2048.pem", "r");
FILE *in = fopen("control/dh2048.pem", "r");
FILE *in = fopen("control/dh1024.pem", "r");

This may be a stupid question, but how does qmail utilize these new keys?

Eric

Reply |

RSA/DH keys

Hi Eric, 

yes, you are right. Actually I'm not using the self signed cert and didn't realize the problem.

Reply |

RSA/DH keys

Hi Roberto,

Thanks for your great website. I really learn a lot from you.

In your combined patch, the code below from "qmail-smtpd.c" looks buggy, and may cause performance issues when using TLS.

The statement "if (keylen == 2048)" will always fail and an ephemeral key will be created on every request, instead of using the static one:

+RSA *tmp_rsa_cb(SSL *ssl, int export, int keylen)
+{
+ ;
+
+ if (!export) keylen = 4096;
+ if (keylen == 2048) {
+ FILE *in = fopen("control/rsa4096.pem", "r");
+ if (in) {
+ rsa = PEM_read_RSAPrivateKey(in, NULL, NULL, NULL);
+ fclose(in);
+ if (rsa) return rsa;
+ }
+ }
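Review bot: with `+ if (!export) keylen = 4096;` immediately before it, the test `+ if (keylen == 2048)` can never be true for non-export ciphers, so control/rsa4096.pem is never read and control falls through to generating a fresh temporary RSA key on every handshake; the comparison should use the forced length (4096). The declaration line above it reads `+ ;` and looks truncated (the same function shows `RSA *rsa;` in the diff later in this thread).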

Reply |

RSA/DH keys

Hi Ali, thanks for your comment.

I don't remember much of that piece of code, but I see that it's different from the original tls patch here

+if (!export) keylen = 4096;
-if (!export) keylen = 2048;
if (keylen == 2048) {

I think it was changed when there was a request to increase the RSA key and DH parameters to 4096 bit.

Unfortunately I'm very busy these days and I can't play with this for a couple of weeks. If you already know how to correct this, please post your solution

Reply |

RSA/DH keys

Hi again Roberto,

If you consider the file it tries to open is named rsa4096.pem, "keylen == 2048" is meaningless there,

and this bug will cause the creation of a temporary key in every request, which is a bad thing (TM).

The fix is pretty straightforward (build tested):

diff -ruN netqmail-1.06/qmail-smtpd.c netqmail-1.06-fixed/qmail-smtpd.c
--- netqmail-1.06/qmail-smtpd.c 2023-01-30 17:01:57.920116546 +0400
+++ netqmail-1.06-fixed/qmail-smtpd.c 2023-01-30 17:03:03.752370617 +0400
@@ -2156,7 +2156,7 @@
RSA *rsa;

if (!export) keylen = 4096;
- if (keylen == 2048) {
+ if (keylen == 4096) {
FILE *in = fopen("control/rsa4096.pem", "r");
if (in) {
rsa = PEM_read_RSAPrivateKey(in, NULL, NULL, NULL);
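Review bot: `if (keylen == 4096)` now matches the length forced by `if (!export) keylen = 4096;` two lines above, so the static control/rsa4096.pem key is actually returned instead of a per-handshake temporary key. Two follow-ups worth considering in the same hunk: the file is fopen'ed and PEM-parsed on every callback invocation, so reading the key once at startup and caching the RSA object would avoid repeated disk access under load; and when `fopen` or `PEM_read_RSAPrivateKey` fails the code silently falls through to key generation, so a missing or unreadable control/rsa4096.pem costs a key generation per handshake without any log line pointing at the cause.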

Reply |

RSA/DH keys

Thank you. I'll correct as soon as possible

Reply |

Key too small

Debian 10, after updating openssl, gives the error

TLS_connect_failed:_error:141A318A:SSL_routines:tls_process_ske_dhe:dh_key_too_small

Reply |

Key too small

which version of openssl? what do you have in your /etc/ssl/openssl.cnf -> default_bits? do you get the error if you put default_bits=2048?

Reply |

Key too small

Yes, I have
default_bits = 2048

Reply |

Key too small

What openssl version? Do you have any hint to exactly reproduce the issue?

Reply |

Key too small

This problem is caused by target domains which do not support current encryption standards.

Some current examples for such domains are foni.net or versanet.de.

You can use https://www.checktls.com/TestReceiver to find out if a certain domain is affected; in the test output you should then see something like this:

  SSLVersion in use: TLSv1_2
    Cipher in use: DHE-RSA-AES256-GCM-SHA384
    Perfect Forward Secrecy: yes
    Session Algorithm in use: DHE(1024 bits)
    This may block some email, see DH key too small

Of course the best way to solve this would be that the administrators of the target domain update their configuration. However, since we are currently experiencing this problem with a bunch of target domains since upgrading our system, I am currently looking for a workaround how we can still/again send e-mails to them encrypted until they have done so.

I find it interesting that sending an e-mail to these domains still works when I use "swaks -tls …" on the same system. But qmail refuses to talk to them. Any hints?

Or even:

Reply |

Key too small – Workaround

FYI: My current workaround is now:

cat /var/qmail/control/tlsclientciphers 
DEFAULT:!DH

I'm a bit afraid, however, that this might cause TLS problems with other target servers.

Reply |

Key too small – Workaround

Ok, thanks for your hint. Let us know if this causes problems with other servers

Reply |

Key too small

I didn't check, but I think tls won't work if you disable SSL and leave active only TLS-1.x in your openssl configuration.

Reply |

Key too small

OpenSSL 1.1.1d 10 Sep 2019

Reply |

Error in qmail recompiling

Hi,

I'm using Debian 10.7.0-amd64. Installation followed step-by-step with your directions.

During the last recompile (chkuser options included) I got these errors

./compile chkuser.c
In file included from chkuser.c:43:
chkuser_settings.h:54:1: error: unknown type name ‘define’
define CHKUSER_STARTING_VARIABLE "CHKUSER_START"
^~~~~~
chkuser_settings.h:54:34: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before string constant
define CHKUSER_STARTING_VARIABLE "CHKUSER_START"

When all chkuser variables are commented out, qmail recompiles without any errors.

Reply |

Error in qmail recompiling

please post your chkuser_settings.h somewhere (not here, 'cause it's too long), so that I can check the syntax

Reply |

Error in qmail recompiling

I don't see my reply with the link to my chkuser_settings.h, so here I post the part that generates the errors

/*
* Uncomment the following line if you want chkuser to work depending on a VARIABLE setting
* VALUE HERE DEFINED is the name of the variable
* Values admitted inside the variable: NONE | ALWAYS | DOMAIN
* NONE = chkuser will not work
* ALWAYS = chkuser will work always
* DOMAIN = chkuser will work depending by single domain settings
* CHKUSER_STARTING_VARIABLE cannot be defined together with CHKUSER_ALWAYS_ON
* if CHKUSER_STARTING_VARIABLE is defined, and no variable or no value is set, then chkuser is disabled
*/
define CHKUSER_STARTING_VARIABLE "CHKUSER_START"

Reply |

Error in qmail recompiling

You should not delete that hash # which goes before define, because in C language it's not intended as a character for comments. So it will be

#define CHKUSER_STARTING_VARIABLE "CHKUSER_START"

If you want to comment out a line, do like this

/* #define CHKUSER_STARTING_VARIABLE "CHKUSER_START" */

Reply |

Error in qmail recompiling

Thx very much.

I don't know the C language; in bash # is a comment, hence my misunderstanding.

Reply |

Compilation error qmail with path and vpopmail

Hi,

I have a problem compiling vpopmail and qmail with your patchset.
I can not compile qmail with chkuser because it requires vpopmail:

./compile chkuser.c
chkuser.c:38:10: fatal error: vpopmail.h: No such file or directory
38 | #include "vpopmail.h"
| ^~~~~~~~~~~~
compilation terminated.
make: *** [Makefile:334: chkuser.o] Error 1

I can not compile vpopmail because it requires qmail:

configure: error: Unable to find your qmail-newu file, specify --enable-qmail-newu=/full/path/to/qmail-newu

Reply |

Compilation error qmail with path and vpopmail

Please take the time needed to read these pages.

You must compile vanilla qmail, not the patched one, and then compile vpopmail on top of it. Then patch and recompile

Reply |

Last patch fails to compile

Hi Roberto.

I'm using your directions to build some qmail servers. Pretty good job, sure.

Now I'm trying to update one of the servers, and receive a compilation error. I have only modified chkuser_settings.h, uncommenting the settings that you noted. I was using the patch from 26-Aug-2018 before, without those modifications to this file, just applying the patch and compiling. My system is CentOS 7.5.1804.

./compile chkuser.c
In file included from chkuser.c:43:0:
chkuser_settings.h:306:1: error: nombre de tipo ‘define’ desconocido
define CHKUSER_RCPT_MX
^
chkuser_settings.h:313:1: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘define’
define CHKUSER_SENDER_FORMAT
^
chkuser_settings.h:313:1: error: nombre de tipo ‘define’ desconocido
make: *** [chkuser.o] Error 1

Reply |

Last patch fails to compile

Hi Ruben, can you post the content of line 306?

Reply |

please take this into consideration related to qmail vulnerabilities

I am a qmail fan and I like your website ... used it to install qmail servers several times

please take this into consideration: add the patch to your bundle if possible: https://cxsecurity.com/issue/WLB-2020050189

Thanks in advance

Reply |

Only Single E-mail Delivered

I ran across a situation I did not know existed until yesterday when I was building an e-mail webapp and I'm hoping you can help explain and/or solve this.

When I send an e-mail to two aliases that both resolve to the same user account, only a single message gets delivered.

For example:

To: foo@bar.com

CC: foo2@bar.com

Both of these addresses are .qmail-foo and .qmail-foo2 inside the bar.com domain directory. Inside these files is the same real user's e-mail address so that they are forwarding accounts only.

If I send that e-mail to both of those aliases, only the latter gets delivered (i.e. the headers show that it was delivered to foo2@bar.com, even though qmail logs that it should be sending two e-mails and both the To and Cc headers are present).

If I change the message to send to foo@bar.com and bar@yahoo.com everything gets delivered properly. I read about someone else seeing the same thing with EXIM and while I'm sure it's a cool feature to limit bandwidth, it caused me hours of trying to nail down a problem with my code that didn't exist. So, I'd love to be able to disable this feature if possible. Thanks!

Reply |

Only Single E-mail Delivered

Never mind. This was traced out and qmail is working just fine, as is Vpopmail. It appears that Apple Mail is automatically deleting duplicate messages delivered to the same inbox.

Reply |

rcptcount in qmail-smtpd.c

I had some customers that create several emails in offline mode and when they connect, their Outlook starts sending the emails saved in the outbox, but sometimes it gives the maxrcpt error (like when the mail has more RCPT TO than "control/maxrcpt").

I noted that Outlook sends all emails sequentially, in a single connection, giving a rset after each message sending. But rcptcount is not reset.

to get around this, I had to add:

rcptcount = 0;

within the void smtp_rset function in qmail-smtpd.c

This solved the problem, so the maxrcpt error only occurs if you exceed the limit "control/maxrcpt" in the same email, but not in multiple messages sent sequentially.

regards,

void smtp_rset(arg) char *arg;
{
seenmail = 0; /* seenauth = 0; RFC 5321: retain authentication */
mailfrom.len = 0; rcptto.len = 0;
rcptcount = 0; /* added by me */
out("250 flushed\r\n");
}

Reply |

rcptcount in qmail-smtpd.c

Thanks for the advice, I've updated my patch.

After speaking with Luca Franceschini, my Italian friend who authored qlogenvelope and heavily modified the qmail-smtpd stuff, I patched as follows

void smtp_rset(arg) char *arg;
{
seenmail = 0; /* seenauth = 0; RFC 5321: retain authentication */
mailfrom.len = 0; rcptto.len = 0;
+rcptcount = 0;
+envelopepos = 1;
out("250 flushed\r\n");
}

Luca suggested also to add envelopepos = 1 just to set qlogenvelope as we are after an HELO/EHLO. 

It's not clear WHEN outlook is going to RSET the session, hopefully not after the data has been sent, in that case we should also verify that the total size of the message is reset as well, not to exceed the 'datalimit' for multiple messages. 

Reply |

Chkuser configuration

I am using your previous patch (Dec 8, 2019) and chkuser and vpopmail are playing nicely. I am not using Mysql with vpopmail, just file based.

When I installed your latest patch (Jan 11, 2020) I could send e-mails out but could not receive anything. All messages failed back to the sender with a failure notice stating "sorry, no mailbox here by that name (chkuser)"

I stopped all qmail services and installed the previous version I kept as a backup, just in case I had issues with the new patch, and everything is back and working.

So, it would be great to get this resolved.

That being said, I am having a major issue with how qmail is processing e-mails prior to sending through SpamAssassin. This is an old system and I am using Qmail-Scanner to connect SA and Qmail. It works just fine, but Qmail is apparently stripping out certain portions of the e-mail because two things are occurring:

1. None of my whitelist_from_rcvd or whitelist_auth lines work.

We tested this against a postfix system and used the entire text of the e-mail against SpamAssassin on this server, and sure enough whitelisting worked as it should. DKIM headers are missing and who knows what else.

2. Every e-mail gets tagged with no rDNS, even though obviously Yahoo, Gmail, etc. all have correct PTR entries for their domain names. Again, when the same e-mail from postfix was tested on this server, SA had no issues finding the rDNS for the sender's domain.

Thanks!

Reply |

Chkuser configuration

This is strange as the latest modifications did not touch qmail-smtpd.c, where chkuser acts and concerns only ssl (diff here). Can you post your run and tcp.smtp files?

Concerning the qmail-scanner issue, I replaced it with simscan ages ago and I don't even remember how it works, I'm sorry.

Reply |

Chkuser configuration

The good news is that I finally solved my whitelisting and rdns issue by removing the -H flag from my /service/qmail-smtpd/run file (i.e. /usr/bin/tcpserver -v -R -l "$LOCAL"). That re-enabled dns lookups and everything started working properly again on that front. The other issue with chkuser is still a problem of course so I'm using your previous patch as mentioned above.

This is my /service/qmail-smtpd run file

#!/bin/sh

QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
SOFTLIMIT=`cat /var/qmail/control/softlimit`
LOCAL=`head -1 /var/qmail/control/me`

# This enables greetdelay for qmail-smtpd
export SMTPD_GREETDELAY=20
export DROP_PRE_GREET=1

# This enables chkuser
export CHKUSER_START=ALWAYS

# DKIM - SURBL configuration
# DKIMQUEUE and SURBLQUEUE are front-ends of qmail-queue
export SURBL=1 # Comment out to disable SURBL filtering
export QMAILQUEUE=/var/qmail/bin/surblqueue # executes surblfilter
export SURBLQUEUE=/var/qmail/bin/qmail-dkim # executes qmail-dkim after surblfilter
export DKIMQUEUE=/var/qmail/bin/simscan # simscan is executed after qmail-dkim
# DKIM verification. Use carefully
#export DKIMVERIFY="FGHKLMNOQRTVWjp"
# This is to avoid verification of outgoing messages
export RELAYCLIENT_NODKIMVERIFY=1

# This turns off TLS on port 25
export DISABLETLS="1"

# Requires that authenticated user and 'mail from' are identical
#export FORCEAUTHMAILFROM="1"

# rcptcheck-overlimit. Limits the number of emails sent by relayclients
#export RCPTCHECK=/var/qmail/bin/rcptcheck-overlimit.sh
#export RCPTCHECKRELAYCLIENT="1"

# This enables simscan debug
#export SIMSCAN_DEBUG=4

exec /usr/local/bin/softlimit -m "$SOFTLIMIT" \
/usr/bin/tcpserver -v -R -l "$LOCAL" \
-x tcp.cdb -c "$MAXSMTPD" \
-u "$QMAILDUID" -g "$NOFILESGID" 0 25 \
/var/qmail/bin/qmail-smtpd \
/home/vpopmail/bin/vchkpw /bin/true 2>&1

This is my /service/qmail-smtpd/tcp file

# rules for qmail-smtpd see tcprules(1)
127.:allow,RELAYCLIENT="",QS_SPAMASSASSIN="",QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue"
:allow,QS_SPAMASSASSIN="",QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue"
:allow,DKVERIFY="DEGIJKfh,CGHIJMQRkl",AUTH_UNSET_DKVERIFY=""

Reply |

Chkuser configuration

you should run qmail-smtpd as vpopmail, not qmaild

Secondly, assigning QMAILQUEUE to qmail-scanner in your tcp.smtp certainly prevents dkim from signing your outgoing mails.

Reply |

Chkuser configuration

I use a qmail-remote wrapper script so that my outgoing messages are signed, which works perfectly.

Not sure about running as vpopmail as your previous patch works just fine. It's only the new patch that seems to break chkuser against vpopmail.

Reply |

Chkuser configuration

So how can chkuser check users' existence without vpopmail privileges?

I guess that in your previous installation you enabled CHKUSER_ENABLE_UIDGID before compiling, in order to run qmail-smtpd with a user different from vpopmail (look here).

Reply |

Chkuser configuration

Nope. I compared the previous chkuser_settings.h with the new one and the new one has quite a bit more code in it. However, the exact same lines were commented out in both.

Here are the variables that are commented out in both:

ALWAYS_ON
ENABLE_UIDGID
SPECIFIC_BOUNCING
VGET_REAL_DOMAIN
ENABLE_VALIAS
ENABLE_USERS_EXTENSIONS
ENABLE_MAILMAN_LISTS
ACCEPT_NULL_SENDER
ENABLE_NULL_SENDER_WITH_TCPREMOTEHOST
EXTRA_MUSTAUTH_VARIABLE

Reply |

Chkuser configuration

My apologies that I did not come back and post the solution to this issue, which btw, is still present in your latest patch.

Here's how to solve it:

nano chkuser_settings.h

Look for the line
#define CHKUSER_STARTING_VARIABLE "CHKUSER_START"

Comment out this line by:

/*
#define CHKUSER_STARTING_VARIABLE "CHKUSER_START"
*/

Reply |

Chkuser configuration

Not defining CHKUSER_STARTING_VARIABLE completely disables chkuser, unless you have CHKUSER_ALWAYS_ON defined. I don't think this is what we want

Reply |

Chkuser configuration

Makes sense, however this is the only way I can get qmail to compile and install with your latest patches, and everything works just fine for me. If chkuser was disabled, wouldn't vpopmail fail to send and deliver messages?

Reply |

Chkuser configuration

chkuser is disabled in this way, and even though qmail/vpopmail can work without it you'll get an increase of spam. chkuser and vpopmail can work together with my configuration, which is the same suggested by the author, i.e. running qmail as vpopmail

Reply |

qmail-send concurrency issue

Hi Roberto,

We have an old issue here that we were never able to understand or fix.

We have concurrencyremote set to 120

When sending out a newsletter to 400,000 subscribers, the number of concurrent connections always drops to less than 10.

Right now we are sending our newsletter and here is what we have:

@400000005e146a3a2ef8509c status: local 0/40 remote 7/120 suppl0 0/1 suppl1 2/5 suppl2 0/1

See how we only have 7 concurrent connections going on.

But if we use qmailctl to check the queue, we still have a huge number of queued emails:

messages in queue: 135384
messages in queue but not yet preprocessed: 135305

I was never able to understand what causes this behavior of qmail-remote not going anywhere close to the concurrencyremote limit. I did a Google search several times, found other people with the same issue, but no solution or any hint of how to debug this or what might be causing it.

If you have any pointers on how to start debugging this I'd appreciate it.

Thank you in advance!

Reply |

qmail-send concurrency issue

Hi Gabriel,

I don't know exactly what can be the cause, but the CHANNELS file (CAVEATS) reminds us that <<concurrencyremote, concurrencysupplX, etc are each subject to the hard limit in conf-spawn, which in turn is bounded by per-process limits>>... anyway your concurrency seems to be very low.

Reply |
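To see how far each channel actually gets from its limit during a sending run, the following Python script (an added example for this thread, not part of qmail or the patch) parses the "status:" lines that qmail-send writes to /var/log/qmail/send/current, decodes the multilog TAI64N stamp, and reports peak and average use per channel. The first sample line is the one quoted in the question above; the other lines are constructed. The TAI64N decoding assumes libtai's convention (10 seconds added to the Unix time, no leap-second table), which is what multilog produces when leapsecs.dat is absent; that offset is an assumption of this example.

```python
"""Summarise qmail-send 'status:' lines (multilog TAI64N stamped) per channel."""
import re

TAI64_BASE = 1 << 62   # TAI64 label of the TAI epoch; Unix times sit just above it
LIBTAI_OFFSET = 10     # libtai's taia_now() adds 10 s to time(); leap seconds ignored (assumption)

STATUS_RE = re.compile(r"\bstatus: (.*)$")
CHANNEL_RE = re.compile(r"(\S+) (\d+)/(\d+)")


def parse_tai64n(stamp):
    """Convert a '@4000...' TAI64N label (25 chars) to Unix seconds as a float."""
    if len(stamp) != 25 or stamp[0] != "@":
        raise ValueError("not a TAI64N label: %r" % stamp)
    secs = int(stamp[1:17], 16) - TAI64_BASE - LIBTAI_OFFSET
    nanos = int(stamp[17:], 16)
    return secs + nanos / 1e9


def parse_status(line):
    """Return (unix_time or None, {channel: (used, limit)}), or None for non-status lines."""
    m = STATUS_RE.search(line)
    if not m:
        return None
    stamp = line.split(" ", 1)[0]
    when = parse_tai64n(stamp) if stamp.startswith("@") else None
    channels = {name: (int(used), int(limit))
                for name, used, limit in CHANNEL_RE.findall(m.group(1))}
    return when, channels


def summarize(lines, underuse_ratio=0.1):
    """Peak and average use per channel; 'underused' flags channels whose peak
    never reached underuse_ratio of the configured limit."""
    stats = {}
    for line in lines:
        parsed = parse_status(line)
        if parsed is None:
            continue
        for name, (used, limit) in parsed[1].items():
            s = stats.setdefault(name, {"limit": limit, "peak": 0, "total": 0, "samples": 0})
            s["limit"] = limit
            s["peak"] = max(s["peak"], used)
            s["total"] += used
            s["samples"] += 1
    for s in stats.values():
        s["avg"] = s["total"] / s["samples"]
        s["underused"] = s["peak"] < underuse_ratio * s["limit"]
    return stats


# First line is the one quoted in the question; the rest are constructed samples.
SAMPLE_LOG = """\
@400000005e146a3a2ef8509c status: local 0/40 remote 7/120 suppl0 0/1 suppl1 2/5 suppl2 0/1
@400000005e146a5c0a1b2c3d status: local 1/40 remote 9/120 suppl0 1/1 suppl1 5/5 suppl2 0/1
@400000005e146a7e1f2e3d4c status: local 0/40 remote 4/120 suppl0 1/1 suppl1 4/5 suppl2 0/1
@400000005e146a9f2a3b4c5d delivery 34302: success: did_0+0+1/
""".splitlines()

if __name__ == "__main__":
    import time
    for line in SAMPLE_LOG:
        parsed = parse_status(line)
        if parsed:
            print(time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(parsed[0])), parsed[1])
    for name, s in summarize(SAMPLE_LOG).items():
        print("%-7s limit=%-4d peak=%-4d avg=%.1f%s" % (
            name, s["limit"], s["peak"], s["avg"], "  <- underused" if s["underused"] else ""))
```

Feed it a tail of the send log while the newsletter is going out. A channel whose peak stays far below its limit while the queue is large points at something other than the concurrency file itself (the conf-spawn hard limit and per-process limits mentioned above, or remote deferrals), and the decoded timestamps let you line the samples up with the delivery lines.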

chkuser

Hi.

MariaDB log:

[Warning] Aborted connection 58 to db: 'vpopmail' user: 'vpopmail' host: 'localhost' (Got an error reading communication packets)
# The client connected successfully but terminated improperly (and may relate to not closing the connection properly)

chkuser_settings.h:

#define CHKUSER_DB_CLEANUP

chkuser.c:

void chkuser_cleanup (int exit_value) {
#if defined CHKUSER_DB_CLEANUP
    vclose (); /* can't call function */
#endif
    _exit (exit_value);
}

Modify:

#define CHKUSER_DB_CLEANUP -> #define CHKUSER_DB_CLEANUP 1

or

#if defined CHKUSER_DB_CLEANUP -> #ifdef CHKUSER_DB_CLEANUP

Thank you.

Reply |

chkuser

Thanks for your comment.

I have CHKUSER_DB_CLEANUP defined as well, but I've never seen such an error. How can I reproduce it?

Reply |

chkuser

chkuser.h

#ifdef TLS_H
#undef _exit
#define _exit(value) { if (ssl) ssl_free(ssl); chkuser_cleanup(value); }
#else
#define _exit(value) chkuser_cleanup(value) /* can't override _exit() function */
#endif

------------------

My Test

chkuser.c

add: #include <syslog.h>

void chkuser_cleanup (int exit_value) {
    syslog(LOG_NOTICE, "[NOTICE: %s][__LINE__ : %d] %s", __FILE__, __LINE__, __FUNCTION__);

...

}

check: /var/log/message

result: nothing

---------------------

Below is executed correctly.

int chkuser_realrcpt (stralloc *sender, stralloc *rcpt) {
...
retstat = realrcpt (sender, rcpt);
#if defined CHKUSER_DB_CLEANUP
syslog(LOG_NOTICE, "[NOTICE: %s][__LINE__ : %d] %s", __FILE__, __LINE__, __FUNCTION__);
vclose();
#endif

switch (retstat) {

...

Did I test it?

Thank you.

Reply |

chkuser

while compiling I get

chkuser.c:1049:9: error: 'LOG_NOTICE' undeclared (first use in this function)
syslog(LOG_NOTICE, "[NOTICE: %s][__LINE__ : %d] %s", __FILE__, __LINE__, __FUNCTION__);

Reply |

chkuser

add #include <syslog.h>

Reply |

chkuser

I can confirm that the code inside the chkuser_cleanup function is not executed. But I don't get any mariadb error

Reply |

chkuser

Hi.

I found the cause of the problem.

tls.h

#define _exit ss_exit

chkuser.h

/* Called before tls.h is called. */
#ifdef TLS_H
#undef _exit
...
#endif

Solutions:

qmail-smtpd.c line 77 #ifdef block:

#ifdef TLS
...
#endif

move it before this line:

#include "chkuser.h"

Now works correctly.

Thank you.

Reply |

chkuser

Thank you. Patch updated

Reply |

chkuser

MariaDB 10.x version: log warning messages.

MariaDB version 5.X : warning messages are not logged.

Anyway, I think vclose() function should be executed

Thank You.

Reply |

chkuser

Sorry ^^

Maybe it's a different matter.

I will write again if I find the cause.

Thank you.

Reply |

qlogenvelope: reason=authnotmailfrom

Hi Roberto,

Can you tell me what qlogenvelope: result=rejected code=503 reason=authnotmailfrom detail means?

Reply |

qlogenvelope: reason=authnotmailfrom

It means that the user who did the authentication is different from the one in the mailfrom field. This is because you have

export FORCEAUTHMAILFROM=1

in your run file

Reply |

qlogenvelope: reason=authnotmailfrom

Thank you, Roberto

Reply |

Bug with Received: line

Hi Roberto,

I found a bug caused by your patch. The headers of received emails are, for some reason, being filled with '0' where there should be the server name. Let me explain.

In the header of receiving emails, I see:

Received: from unknown (HELO somedomain.com) (a.b.c.d)
by 0 with SMTP; 5 Jul 2019 19:08:08 -0300

Note the "by 0" part. It should read:

Received: from unknown (HELO somedomain.com) (a.b.c.d)
by mail.ourdomain.com with SMTP; 5 Jul 2019 19:08:08 -0300

Digging this further, the function that fills that part is received() found in received.c. The variable called "local" (which is a copy of the TCPLOCALHOST variable) is somehow being deleted or misconfigured somewhere.

I made a temporary fix by hardcoding our FQDN there, but obviously we need to investigate this further to find out where exactly this variable is being transformed into a zero.

I hope you can investigate this. I will try to take a look at this myself later, even though I am not too familiar with the C language.

Thank you in advance.

Cheers,

Gabriel.

Reply |

Bug with Received: line

got it! 0 was the value of TCPLOCALHOST (in this case, set using the -l option to tcpserver). For example:

 /usr/local/bin/tcpserver -v -H -R -l "yourdomain.tld"

Reply |

Bug with Received: line

it's worth mentioning that djb's tcpserver documentation suggests "-l 0" as a choice

-l localname: Do not look up the local host name in DNS; use localname for the environment variable $TCPLOCALHOST. A common choice for localname is 0. To avoid loops, you must use this option for servers on TCP port 53.

Btw, I modified my documentation passing the content of control/me as suggested by life with qmail

Reply |

Bug with Received: line

Perfect. This makes much more sense than using 0. By using 0, SpamCop isn't able to parse the email headers, so reporting spam to SpamCop with spamassassin -r doesn't work. Please take a look here to fully understand how I found out that this Received: line was malformed: http://forum.spamcop.net/topic/39031-resolvednbspmailhost-configuration-problem-identified-internal-ip-as-source/

Reply |

Bug with Received: line

I had this exact same issue and apparently it has to do directly with the -H option in the tcpserver line. That is what prevents reverse DNS lookups. I took out -H and all is well (at least I think so, lol).

Reply |

Bug with Received: line

Thanks for the hint. I modified my configuration accordingly

Reply |

Bug with Received: line

Many thanks, this tip of removing the -H was really helpful!

Before:

Received: from unknown (HELO mail-lj1-f179.google.com) (209.85.208.179)

After:

Received: from mail-lj1-f174.google.com (209.85.208.174)

Reply |

Bug with Received: line

I think this is because the server IP is hidden by this patch (as you know 0 stands for localhost) https://notes.sagredo.eu/files/qmail/patches/qmail-hide-ip-headers.patch

Actually we can get rid of this patch as explained here https://lists.gt.net/qmail/users/126552 

Try to revert it and please let me know.

PS did you have the time to play with my new testing patch with the qmail-channels? look here

Reply |

Bug with Received: line

sorry, that patch has nothing to do with it... I'll do some checks and let you know

Reply |

Bug with Received: line

Hi,

Forgot to mention that the same issue happens in the SPF line as follows. I also had to manually edit and hardcode our server name in spf.c

It is showing:

Received-SPF: none (0: domain at email.invisionpower.com does not designate permitted sender hosts)

Whereas it should be:

Received-SPF: none (mail.ourdomain.com: domain at email.invisionpower.com does not designate permitted sender hosts)

Regarding the other patch, I need some time when our server isn't sending our newsletters to try it out... :) I will probably have the time to do so during this coming week! I will let you know and appreciate your effort!

Gabriel.

Reply |
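A quick way to confirm the two symptoms discussed in this thread on real mail, as an added example that is not part of qmail or the patch: the Python script below collapses folded Received: headers, checks that the host after "by" is a fully qualified name (it is "0" when tcpserver runs with -l 0), flags "from unknown" (what you get with tcpserver -H, which disables reverse lookups), and applies the same host check to the Received-SPF header. The two sample messages are constructed from the header shapes quoted above, using RFC 5737 test addresses; the hostnames in them are illustrative.

```python
"""Audit Received: and Received-SPF: headers for a bogus receiving host or a missing rDNS."""
import email
import re

# At least two RFC 1123 labels separated by dots; a bare "0" or a single label does not qualify.
FQDN_RE = re.compile(
    r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
FROM_RE = re.compile(r"^from (\S+)", re.I)
BY_RE = re.compile(r"\bby (\S+)", re.I)
SPF_RE = re.compile(r"^\w+ \(([^:\s]+):")   # "none (host: ...)" as written by the SPF patch


def is_fqdn(host):
    return bool(FQDN_RE.match(host))


def check_received(value):
    """Problems found in one Received: header value (folding whitespace is collapsed first)."""
    text = " ".join(value.split())
    issues = []
    m = FROM_RE.match(text)
    if m and m.group(1).lower() == "unknown":
        issues.append("from unknown: reverse DNS lookup disabled on the receiving tcpserver (-H)")
    m = BY_RE.search(text)
    if not m:
        issues.append("no 'by' clause")
    else:
        host = m.group(1).rstrip(";,")
        if not is_fqdn(host):
            issues.append("by %r is not a FQDN: TCPLOCALHOST is wrong (tcpserver -l 0?)" % host)
    return issues


def check_spf(value):
    """The parenthesised host in Received-SPF must be the receiver's FQDN as well."""
    m = SPF_RE.match(" ".join(value.split()))
    if m and not is_fqdn(m.group(1)):
        return ["Received-SPF names %r as the receiving host" % m.group(1)]
    return []


def audit(raw_message):
    """Return the list of issues for every Received: / Received-SPF: header in the message."""
    msg = email.message_from_string(raw_message)
    issues = []
    for v in msg.get_all("Received", []):
        issues.extend(check_received(v))
    for v in msg.get_all("Received-SPF", []):
        issues.extend(check_spf(v))
    return issues


# Constructed samples: the broken shape (tcpserver -H -l 0) and the fixed shape (-l "$(head -1 control/me)", no -H).
BROKEN = """\
Received: from unknown (HELO somedomain.com) (192.0.2.10)
  by 0 with SMTP; 5 Jul 2019 19:08:08 -0300
Received-SPF: none (0: domain at email.example.net does not designate permitted sender hosts)
From: <user@example.net>
To: <postmaster@mail.ourdomain.com>
Subject: test

body
"""

FIXED = """\
Received: from mail.example.net (192.0.2.10)
  by mail.ourdomain.com with SMTP; 5 Jul 2019 19:08:08 -0300
Received-SPF: none (mail.ourdomain.com: domain at email.example.net does not designate permitted sender hosts)
From: <user@example.net>
To: <postmaster@mail.ourdomain.com>
Subject: test

body
"""

if __name__ == "__main__":
    for label, raw in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, audit(raw) or "ok")
```

Run it over a message received after changing the run file (for example one delivered to a local test mailbox): an empty result means both the Received: and Received-SPF: headers now carry the real host name, which is what SpamCop's mailhost parser needs.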

Pay attention to permissions for DKIM signing

If your outgoing emails aren't being DKIM-signed, please check the permissions of the folder /usr/local/etc/domainkeys/ and below. In my case, I had to change the ownership manually to qmailr.

"When you create a key for a domain.net it will be stored in the /usr/local/etc/domainkeys/domain.net folder. The folder will be owned by qmailr (the user running qmail-remote) if you sign at qmail-remote level or vpopmail, which is the user who runs qmail-smtpd, if you decide to sign at qmail-smtpd level. My script changes the owner to qmailr by default"

Reply |

softlimit error message

If you get the following error at /var/log/qmail/smtpd/current

/var/qmail/bin/qmail-smtpd: error while loading shared libraries: libdl.so.2: failed to map segment from shared object

Simply increase the value present in /var/qmail/control/softlimit

Here I added 64000000 and is working fine

Reply |

qmail-channels

Hi Roberto,

Try adding this patch: http://www.thesmbexchange.com/eng/qmail-channels_patch.html

This is something we need to slow down delivery to certain ISPs, so emails will be correctly delivered. (We run a weekly newsletter.)

Cheers.

Reply |

qmail-channels

nice patch, but... I don't have the time to accomplish personal requests...

Reply |

qmail-channels

Hi Roberto,

Maybe this will help other people as well? Anyway, I made a donation to you earlier today via Paypal. Keep up the nice job of keeping this website up-to-date.

Cheers,

Gabe.

Reply |

qmail-channels

Thank you very much for your donation and contributions. I'll take a deeper look at this patch, but it seems to me that it's too invasive, as it completely changes the logic of the qmail queue...

Reply |

qmail-channels

The thing is, we run a newsletter with 400,000 subscribers, and some email providers complain that we are sending too many emails at the same time. For example:

2019-06-24 19:33:47.462279500 delivery 34301: deferral: 200.147.36.13_does_not_like_recipient./Remote_host_said:_450_4.7.1_<xxxxxxxxxx@bol.com.br>:_Recipient_address_rejected:_MX-AFL-02_-_Too_many_messages,_try_again_later./Giving_up_on_200.147.36.13./

So it would be great to have a way to limit the number of emails sent out based on the destination domain.

It doesn't need to be this specific patch, just something to think about.

Thanks!

Reply |

qmail-channels

you have a testing patch embedding qmail-channels here. Can you test the channels functionality please?

I configured it not to create additional channels, so you have to edit conf-channels and increase the number of qmail-rspawn processes to be created (it was 22 before my adjustment)

PS thanks for helping me improve this guide

Reply |

qmail-channels

Hi Roberto,

I finally had the time to install this patch and configure qmail-channels. Now I need to wait until we send out our next newsletter to see if qmail is separating emails in separate queues based on the destination domain. I should have a detailed analysis for us within the next couple of days. Stay tuned!

Many thanks for integrating this patch for me! :)

After my original message, Yahoo is now also refusing our newsletters because we are sending too many emails at the same time:

@400000005d24ae9631f30a6c delivery 417355: deferral: Connected_to_67.195.228.94_but_sender_was_rejected./Remote_host_said:_421_4.7.0_[TSS04]_Messages_from_XXXXXXXX_temporarily_deferred_due_to_user_complaints_-_4.16.55.1;_see_https://help.yahoo.com/kb/postmaster/SLN3434.html/

So I have high hopes that this patch will fix this issue.

Cheers,

Gabriel.

Reply |

qmail-channels

Hello Gabriel,

delivering mails to yahoo has always been difficult. I'm not familiar with the qmail channel patch, but you have to limit the number of mails per second in order to avoid the block.

In postfix this can be achieved in the following way: https://serverfault.com/questions/56719/postfix-stagger-rate-limit-outbound-mail

Hope this might help !

Reply |

qmail-channels

It seems that yahoo accepts a maximum of 20 msg per connection, so this patch should do the trick... look here https://help.yahoo.com/kb/SLN3433.html

Reply |

qmail-channels

Hi Roberto,

The qmail-channels patch you integrated in your patch worked like a charm to fix the yahoo issue described above. We could use the postfix solution you linked above, but it would only work in our webserver (where postfix is used to accept and send emails to our email server, which is running qmail), whereas with qmail-channels we have the solution valid for all emails sources in our setup, which is best.

The configuration of qmail-channels is quite simple. After applying the patch, and before compiling qmail, we need to edit conf-channels and add the total number of queues we want. The default is 2, meaning local and remote. As I wanted two additional queues (two groups of domains whose delivery rate we wanted to limit), I changed that to 4 and compiled qmail.

Then, we need to add the configuration files at /var/qmail/control:

suppls0 - the list of domains for this group. In my case:

bol.com.br

zipmail.com.br

suppls1 - the list of domains for this group. In my case:

yahoo.com
ymail.com
yahoo.co.uk
yahoo.com.br
yahoo.fr
yahoo.de
yahoo.es
yahoo.cn
yahoo.it
yahoo.co.jp
yahoo.com.au
yahoo.in
yahoo.com.ar
yahoo.com.mx
yahoo.no
yahoo.ie
yahoo.com.es
yahoo.ca
yahoo.co.nz
yahoo.gr
yahoo.com.vn
yahoogrupos.com.br
yahoo.se
yahoo.dk
yahoo.ro
yahoo.co.in
yahoomail.com
yahoo.co.id
yahoo.com.sg
yahoo.com.ph

concurrencysuppl0 - with the number of simultaneous outgoing emails for the domain group "0"

concurrencysuppl1 - with the number of simultaneous outgoing emails for the domain group "1"

Restarted qmail and voilà!

Thank you for all your help. Our qmail server is now "perfect".

Cheers.

Reply |

qmail-channels

Great! Can you share your control/concurrencysuppl* files please? Suitable concurrency values could be useful to someone else...

Reply |

qmail-channels

Hi Roberto,

I am still testing the numbers. I have concurrencysuppl0 with 1 and concurrencysuppl1 with 10 right now. According to what the other user posted above, we could increase the Yahoo queue up to 20.

Another note: I had to increase the softlimit configuration. Otherwise I would get the infamous "qq temporary problem" at /var/log/qmail/smtpd/current

Cheers

Reply |

Hi,

Latest stable combined patch for netqmail-1.06 v. 2019.04.09

My OpenSSL  Version: 1.0.2k

Error sending mail.

Modify file: qmail-smtpd.c

before:

#if OPENSSL_VERSION_NUMBER >= 0x10100000L
/* support ECDH */
SSL_CTX_set_ecdh_auto(ctx,1);
#endif

after:

OPENSSL_VERSION_NUMBER >= 0x10002000L

Please check!

Reply |

Thank you!!! Corrected

Reply |

hardcoded links to /home/vpopmail

I've installed vpopmail to a different folder (in my case /var/vpopmail).

While running make in the netqmail dir I encountered an error in chkuser.c, it couldn't find the vpopmail.h file, I edited this to /var/vpopmail/include, which worked for that part.

But after continuing I got more errors:

./load qmail-smtpd chkuser.o dns.o rcpthosts.o commands.o timeoutread.o \
strerr.a wildmat.o qregex.o \
timeoutwrite.o ip.o ipme.o ipalloc.o strsalloc.o control.o \
tls.o ssl_timeoutio.o ndelay.a -L/usr/local/ssl/lib -lssl -lcrypto \
constmap.o received.o date822fmt.o now.o qmail.o spf.o cdb.a \
fd.a wait.a datetime.a getln.a open.a sig.a case.a env.a stralloc.a \
alloc.a substdio.a error.a strerr.a str.a fs.a auto_qmail.o base64.o policy.o \
`head -1 /home/vpopmail/etc/lib_deps` `cat dns.lib` \
`cat socket.lib`
head: cannot open '/home/vpopmail/etc/lib_deps' for reading: No such file or directory
chkuser.o: In function `realrcpt':
/usr/local/src/netqmail-1.06/chkuser.c:746: undefined reference to `vget_assign'
/usr/local/src/netqmail-1.06/chkuser.c:875: undefined reference to `vauth_getpw'
/usr/local/src/netqmail-1.06/chkuser.c:906: undefined reference to `format_maildirquota'
/usr/local/src/netqmail-1.06/chkuser.c:906: undefined reference to `vmaildir_readquota'
chkuser.o: In function `chkuser_cleanup':
/usr/local/src/netqmail-1.06/chkuser.c:462: undefined reference to `vclose'
collect2: error: ld returned 1 exit status
Makefile:1757: recipe for target 'qmail-smtpd' failed
make: *** [qmail-smtpd] Error 1

So I ended up creating a symlink (ln -s /var/vpopmail /home) , after that  'make' succeeded.

PS Thanks for your effort with this tutorial/toaster.

Reply |

hardcoded links to /home/vpopmail

Have you tried to modify this line on top of the Makefile?

VPOPMAIL_HOME=/home/vpopmail

Reply |

Still require libdomainkeys-0.69.diff

Hi,

I just compiled libdomainkeys with the patch "libdomainkeys-openssl-1.1.patch" but got the error below when running make:

./libdomainkeys.a(dns_txt.o): In function `dns_text':
dns_txt.c:(.text+0x25): undefined reference to `__res_query'
dns_txt.c:(.text+0xa1): undefined reference to `__dn_expand'
dns_txt.c:(.text+0xfc): undefined reference to `__dn_expand'
collect2: error: ld returned 1 exit status
make: *** [dktest] Error 1

When I apply the missing patch "libdomainkeys-0.69.diff" and compile again, it succeeds.

Is the patch "libdomainkeys-openssl-1.1.patch" incomplete, or was it a mistake to remove the patch "libdomainkeys-0.69.diff" from the download and the steps?

Reply |

Still require libdomainkeys-0.69.diff

Yes, we have to apply that patch as well. Thanks for letting me know

Reply |

Can't compile libdomainkeys

gcc-6.1 -DBIND_8_COMPAT -O2 -o makeheader makeheader.c
./makeheader domainkeys.h
gcc-6.1 -DBIND_8_COMPAT -O2 -c dktest.c -I.
gcc-6.1 -DBIND_8_COMPAT -O2 -c domainkeys.c -I.
domainkeys.c:123:14: error: field 'mdctx' has incomplete type
EVP_MD_CTX mdctx; /* the hash */
^~~~~
domainkeys.c: In function 'dkheaders':
domainkeys.c:1285:5: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast]
(void *)dk_headers(dk, dk->headers);
^
domainkeys.c: In function 'dk_free':
domainkeys.c:2155:3: warning: implicit declaration of function 'EVP_MD_CTX_cleanup' [-Wimplicit-function-declaration]
EVP_MD_CTX_cleanup(&dk->mdctx);
^~~~~~~~~~~~~~~~~~
domainkeys.c:2162:6: warning: 'ERR_remove_state' is deprecated [-Wdeprecated-declarations]
ERR_remove_state(0);
^~~~~~~~~~~~~~~~
In file included from /usr/include/openssl/evp.h:13:0,
from domainkeys.c:27:
/usr/include/openssl/err.h:260:1: note: declared here
DEPRECATEDIN_1_0_0(void ERR_remove_state(unsigned long pid))
^
Makefile:23: recipe for target 'domainkeys.o' failed
make: *** [domainkeys.o] Error 1

Any idea?

Reply |

Can't compile libdomainkeys

Try to apply the patch linked on top of this page. Let me know if it solves.

Reply |

Can't compile libdomainkeys

The patch was applied already.

Reply |

Can't compile libdomainkeys

sorry if I ask... but this is an error which comes when you don't apply this patch https://notes.sagredo.eu/files/qmail/patches//libdomainkeys-openssl-11.patch. Can you confirm that this is the patch you applied?

Reply |

Can't compile libdomainkeys

Yes, I used the linked OpenSSL patch. I deleted all downloaded data and repeated the whole procedure:

root@threepwood:~/libdomainkeys# wget https://notes.sagredo.eu/files/qmail/patches/libdomainkeys-openssl-11.patch
--2019-02-20 08:18:47-- https://notes.sagredo.eu/files/qmail/patches/libdomainkeys-openssl-11.patch
Resolving notes.sagredo.eu (notes.sagredo.eu)... 91.121.144.116
Connecting to notes.sagredo.eu (notes.sagredo.eu)|91.121.144.116|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1091 (1.1K) [text/plain]
Saving to: 'libdomainkeys-openssl-11.patch'

libdomainkeys-openssl-11.patch 100%[==========================================================================================================================================>] 1.07K --.-KB/s in 0s

2019-02-20 08:18:47 (11.8 MB/s) - 'libdomainkeys-openssl-11.patch' saved [1091/1091]

root@threepwood:~/libdomainkeys# patch < libdomainkeys-openssl-11.patch
patching file domainkeys.c
root@threepwood:~/libdomainkeys# vi Makefile
root@threepwood:~/libdomainkeys# make
gcc-6.1 -DBIND_8_COMPAT -O2 -o makeheader makeheader.c
./makeheader domainkeys.h
gcc-6.1 -DBIND_8_COMPAT -O2 -c dktest.c -I.
gcc-6.1 -DBIND_8_COMPAT -O2 -c domainkeys.c -I.
In file included from domainkeys.c:27:0:
domainkeys.c: In function 'dk_sign':
domainkeys.c:510:16: warning: passing argument 1 of 'EVP_DigestInit' from incompatible pointer type [-Wincompatible-pointer-types]
EVP_SignInit(&dk->mdctx, dklib->md);
^
/usr/local/include/openssl/evp.h:555:12: note: expected 'EVP_MD_CTX * {aka struct evp_md_ctx_st *}' but argument is of type 'EVP_MD_CTX ** {aka struct evp_md_ctx_st **}'
__owur int EVP_DigestInit(EVP_MD_CTX *ctx, const EVP_MD *type);
^~~~~~~~~~~~~~
domainkeys.c: In function 'dk_verify':
domainkeys.c:548:18: warning: passing argument 1 of 'EVP_DigestInit' from incompatible pointer type [-Wincompatible-pointer-types]
EVP_VerifyInit(&dk->mdctx, dklib->md);
^
/usr/local/include/openssl/evp.h:555:12: note: expected 'EVP_MD_CTX * {aka struct evp_md_ctx_st *}' but argument is of type 'EVP_MD_CTX ** {aka struct evp_md_ctx_st **}'
__owur int EVP_DigestInit(EVP_MD_CTX *ctx, const EVP_MD *type);
^~~~~~~~~~~~~~
domainkeys.c: In function 'dkhash':
domainkeys.c:942:26: warning: passing argument 1 of 'EVP_DigestUpdate' from incompatible pointer type [-Wincompatible-pointer-types]
EVP_DigestUpdate(&dk->mdctx, dk->hash_buff, dk->hash_buff_len);
^
In file included from domainkeys.c:27:0:
/usr/local/include/openssl/evp.h:546:12: note: expected 'EVP_MD_CTX * {aka struct evp_md_ctx_st *}' but argument is of type 'EVP_MD_CTX ** {aka struct evp_md_ctx_st **}'
__owur int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *d,
^~~~~~~~~~~~~~~~
domainkeys.c:968:28: warning: passing argument 1 of 'EVP_DigestUpdate' from incompatible pointer type [-Wincompatible-pointer-types]
EVP_DigestUpdate(&dk->mdctx, dk->hash_buff, dk->hash_buff_len);
^
In file included from domainkeys.c:27:0:
/usr/local/include/openssl/evp.h:546:12: note: expected 'EVP_MD_CTX * {aka struct evp_md_ctx_st *}' but argument is of type 'EVP_MD_CTX ** {aka struct evp_md_ctx_st **}'
__owur int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *d,
^~~~~~~~~~~~~~~~
domainkeys.c:990:24: warning: passing argument 1 of 'EVP_DigestUpdate' from incompatible pointer type [-Wincompatible-pointer-types]
EVP_DigestUpdate(&dk->mdctx, dk->hash_buff, dk->hash_buff_len);
^
In file included from domainkeys.c:27:0:
/usr/local/include/openssl/evp.h:546:12: note: expected 'EVP_MD_CTX * {aka struct evp_md_ctx_st *}' but argument is of type 'EVP_MD_CTX ** {aka struct evp_md_ctx_st **}'
__owur int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *d,
^~~~~~~~~~~~~~~~
domainkeys.c: In function 'dkheaders':
domainkeys.c:1289:5: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast]
(void *)dk_headers(dk, dk->headers);
^
domainkeys.c: In function 'dk_end':
domainkeys.c:1753:22: warning: passing argument 1 of 'EVP_DigestUpdate' from incompatible pointer type [-Wincompatible-pointer-types]
EVP_DigestUpdate(&dk->mdctx, dk->hash_buff, dk->hash_buff_len);
^
In file included from domainkeys.c:27:0:
/usr/local/include/openssl/evp.h:546:12: note: expected 'EVP_MD_CTX * {aka struct evp_md_ctx_st *}' but argument is of type 'EVP_MD_CTX ** {aka struct evp_md_ctx_st **}'
__owur int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *d,
^~~~~~~~~~~~~~~~
domainkeys.c:1956:27: warning: passing argument 1 of 'EVP_VerifyFinal' from incompatible pointer type [-Wincompatible-pointer-types]
i = EVP_VerifyFinal(&dk->mdctx, md_value, md_len, publickey);
^
In file included from domainkeys.c:27:0:
/usr/local/include/openssl/evp.h:623:12: note: expected 'EVP_MD_CTX * {aka struct evp_md_ctx_st *}' but argument is of type 'EVP_MD_CTX ** {aka struct evp_md_ctx_st **}'
__owur int EVP_VerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sigbuf,
^~~~~~~~~~~~~~~
domainkeys.c: In function 'dk_getsig':
domainkeys.c:2065:21: warning: passing argument 1 of 'EVP_SignFinal' from incompatible pointer type [-Wincompatible-pointer-types]
EVP_SignFinal(&dk->mdctx, sig, &siglen, pkey);
^
In file included from domainkeys.c:27:0:
/usr/local/include/openssl/evp.h:616:12: note: expected 'EVP_MD_CTX * {aka struct evp_md_ctx_st *}' but argument is of type 'EVP_MD_CTX ** {aka struct evp_md_ctx_st **}'
__owur int EVP_SignFinal(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s,
^~~~~~~~~~~~~
domainkeys.c: In function 'dk_free':
domainkeys.c:2162:19: warning: passing argument 1 of 'EVP_MD_CTX_free' from incompatible pointer type [-Wincompatible-pointer-types]
EVP_MD_CTX_free(&dk->mdctx);
^
In file included from domainkeys.c:27:0:
/usr/local/include/openssl/evp.h:536:6: note: expected 'EVP_MD_CTX * {aka struct evp_md_ctx_st *}' but argument is of type 'EVP_MD_CTX ** {aka struct evp_md_ctx_st **}'
void EVP_MD_CTX_free(EVP_MD_CTX *ctx);
^~~~~~~~~~~~~~~
domainkeys.c:2170:6: warning: 'ERR_remove_state' is deprecated [-Wdeprecated-declarations]
ERR_remove_state(0);
^~~~~~~~~~~~~~~~
In file included from /usr/local/include/openssl/evp.h:13:0,
from domainkeys.c:27:
/usr/local/include/openssl/err.h:260:1: note: declared here
DEPRECATEDIN_1_0_0(void ERR_remove_state(unsigned long pid))
^
gcc-6.1 -DBIND_8_COMPAT -O2 -c dns_txt.c
gcc-6.1 -DBIND_8_COMPAT -O2 -c -o dktrace.o dktrace.c
rm -f libdomainkeys.a
ar cr libdomainkeys.a domainkeys.o dns_txt.o dktrace.o
ranlib libdomainkeys.a
(if make dnstest >/dev/null 2>&1; then echo -lresolv; else echo ""; fi) >dns.lib
rm -f dnstest
(if make socktest >/dev/null 2>&1; then echo -lsocket -lnsl; else echo ""; fi) >socket.lib
rm -f socktest
gcc-6.1 -DBIND_8_COMPAT -O2 -o dktest dktest.o -L. -ldomainkeys -lcrypto `cat dns.lib` `cat socket.lib`
./libdomainkeys.a(dns_txt.o): In function `dns_text':
dns_txt.c:(.text+0x25): undefined reference to `__res_query'
dns_txt.c:(.text+0xae): undefined reference to `__dn_expand'
dns_txt.c:(.text+0x151): undefined reference to `__dn_expand'
collect2: error: ld returned 1 exit status
Makefile:10: recipe for target 'dktest' failed
make: *** [dktest] Error 1

Reply |

Can't compile libdomainkeys

Are you using openssl or libressl?

Reply |

Can't compile libdomainkeys

I suspect that your compiler is not recognizing your openssl version.

Try to apply this patch, which is specific for openssl-1.1 without any version recognizer https://notes.sagredo.eu/en/qmail-notes-185/patching-qmail-82.html#comment1207

Reply |

So sad and disappointing :-(

It will not compile with OpenSSL 1.0.2 and above, so Qmail will ever get TLS1.3 support. After more than 12 years of using Qmail it is now time to change to Exim or PostFix, I guess. Sad and disappointing...

Reply |

So sad and disappointing :-(

Try to compile using the test patches linked at the top of this page, which should solve all the compilation breaks against openssl-1.1.

Reply |

So sad and disappointing :-(

It compiles with v. 1.0.2 here. I would not say that it will **ever** get TLS 1.3 support. I'm confident that someone will solve this at some point.

Other qmail distributions such as s/qmail and indimail are already openssl-1.1 compliant, because they are maintained by senior C programmers, so I would suggest giving them a chance before deciding to leave qmail.

Reply |

Patch netqmail1.06

Hello,

I have installed netqmail-1.06 and found the qmail patch on your website. I was interested in trying it, but I get errors like this:

./load qmail-qmtpd rcpthosts.o control.o constmap.o \
received.o date822fmt.o now.o qmail.o cdb.a fd.a wait.a \
datetime.a open.a getln.a sig.a case.a env.a stralloc.a \
alloc.a substdio.a error.a str.a fs.a auto_qmail.o
./compile qmail-smtpd.c
qmail-smtpd.c: In function ‘setup’:
qmail-smtpd.c:239: error: ‘maxrcpt’ undeclared (first use in this function)
qmail-smtpd.c:239: error: (Each undeclared identifier is reported only once
qmail-smtpd.c:239: error: for each function it appears in.)
qmail-smtpd.c:303: error: ‘rejectrelaytest’ undeclared (first use in this function)
qmail-smtpd.c:307: error: ‘rejnsmf’ undeclared (first use in this function)
qmail-smtpd.c:316: error: ‘greetdelay’ undeclared (first use in this function)
qmail-smtpd.c:318: error: ‘drop_pre_greet’ undeclared (first use in this function)
qmail-smtpd.c:320: error: ‘protocol’ undeclared (first use in this function)
qmail-smtpd.c:322: error: ‘spfbehavior’ undeclared (first use in this function)
qmail-smtpd.c:327: error: ‘spflocal’ undeclared (first use in this function)
qmail-smtpd.c:329: error: ‘spfguess’ undeclared (first use in this function)
qmail-smtpd.c:331: error: ‘spfexp’ undeclared (first use in this function)
qmail-smtpd.c:331: error: ‘SPF_DEFEXP’ undeclared (first use in this function)
qmail-smtpd.c:336: error: ‘remoteip4’ undeclared (first use in this function)
qmail-smtpd.c:404: error: ‘forcetls’ undeclared (first use in this function)
qmail-smtpd.c:405: error: ‘smtps’ undeclared (first use in this function)
qmail-smtpd.c: In function ‘smtp_helo’:
qmail-smtpd.c:504: error: ‘seenmail’ undeclared (first use in this function)
qmail-smtpd.c: In function ‘smtp_ehlo’:
qmail-smtpd.c:517: error: ‘seenmail’ undeclared (first use in this function)
qmail-smtpd.c: In function ‘smtp_rset’:
qmail-smtpd.c:521: error: ‘seenmail’ undeclared (first use in this function)
qmail-smtpd.c: In function ‘smtp_mail’:
qmail-smtpd.c:527: error: ‘flagbarf’ undeclared (first use in this function)
qmail-smtpd.c:528: error: ‘seenmail’ undeclared (first use in this function)
qmail-smtpd.c: In function ‘smtp_rcpt’:
qmail-smtpd.c:535: error: ‘seenmail’ undeclared (first use in this function)
qmail-smtpd.c:537: error: ‘flagbarf’ undeclared (first use in this function)
qmail-smtpd.c: In function ‘spfreceived’:
qmail-smtpd.c:645: error: ‘spfbehavior’ undeclared (first use in this function)
qmail-smtpd.c: In function ‘acceptmessage’:
qmail-smtpd.c:706: error: ‘strnum’ undeclared (first use in this function)
qmail-smtpd.c:715: error: ‘sslog’ undeclared (first use in this function)
qmail-smtpd.c: In function ‘smtp_data’:
qmail-smtpd.c:729: error: ‘seenmail’ undeclared (first use in this function)
qmail-smtpd.c:731: error: ‘envelopepos’ undeclared (first use in this function)
qmail-smtpd.c:739: error: ‘protocol’ undeclared (first use in this function)
qmail-smtpd.c: At top level:
qmail-smtpd.c:758: error: redefinition of ‘authin’
qmail-smtpd.c:111: note: previous definition of ‘authin’ was here
qmail-smtpd.c:759: error: redefinition of ‘user’
qmail-smtpd.c:112: note: previous definition of ‘user’ was here
qmail-smtpd.c:760: error: redefinition of ‘pass’
qmail-smtpd.c:113: note: previous definition of ‘pass’ was here
qmail-smtpd.c:761: error: redefinition of ‘resp’
qmail-smtpd.c:114: note: previous definition of ‘resp’ was here
qmail-smtpd.c:762: error: redefinition of ‘slop’
qmail-smtpd.c:116: note: previous definition of ‘slop’ was here
qmail-smtpd.c: In function ‘smtp_auth’:
qmail-smtpd.c:943: error: ‘seenmail’ undeclared (first use in this function)
make: *** [qmail-smtpd.o] Error 1

any idea?

thanks for the help

Reply |

Patch netqmail1.06

It seems like the patching process went wrong... 

Reply |

TLS 1.3

Hi Robert!

Thanks a lot for your continued effort to patch up QMail!

In the past I've been very happy with John Simpson's combined patch (https://qmail.jms1.net/patches/combined-details.shtml), but that hasn't been updated for years now.

Right now I'm trying to upgrade my legacy qmail server to a new incarnation based on Docker, going with your patch this time :)

That said, I tried to compile against the latest OpenSSL and quickly ran into trouble, so I was wondering if you (or anyone else that you know of) have plans to support the new OpenSSL and with that the TLS 1.3 protocol.

I figure it's a matter of time before this becomes a necessity; already I see older TLS versions being dropped on various mail servers.

Anyway, keep up the good work!

Reply |

TLS 1.3

Honestly, accomplishing this task would be far over my skills but I'm confident that an upgrade to the qmail-tls patch by f.vermulen will come at a certain point 

Reply |

error after update with the new patch

Hi Roberto!

I have a CentOS 7 server working with your qmail how-to. But when I try to update to the latest patch I start getting these errors in the smtp log:

qlogreceived: result=rejected code=451 reason=queuedelay detail=qq_temporary_problem_(#4.3.0)

Do you have any idea what can be?

Thanks,

Bernardo Correia 

Reply |

error after update with the new patch

Hi everybody,

same old story here :-)

- brand new centos 7 64bit server

- installation and compilation went perfectly fine

- everything seems to be working, except for:

Jul 24 12:31:27 2019 qmail-smtpd: message delayed (unable to exec qq (#4.3.0)):xxx@domain.it from x.x.x.x to Jul 24 12:31:59

I'm still unable to solve the problem; I already tried to increase the soft limit with no luck, double checked all perms on the queues and the qmail directory, checked all the run files, nothing.

- there is no antivirus (no clamd, simscan, anything) installed, no qmail-scanner and no spamassassin.

- local delivery is working fine:

/var/qmail/bin/qmail-inject xxx@domain.it < /tmp/test.txt

Any hint about ways to debug this?

Thank you ! 

Reply |

error after update with the new patch

Are you using my combined patch? If yes, can you post your run file and your tcp.smtp?

Reply |

error after update with the new patch

check also your clamav and spamassassin logs, because something is breaking your delivery

Reply |

error after update with the new patch

Did you try to increase your softlimit already?

Reply |

Bug in logit and logit2 functions

I found a bug in logit and logit2 functions which comes from https://notes.sagredo.eu/files/qmail/patches/logging-4.patch

It was hard to track. But I was lucky to isolate the problem with a mail client who was issuing a RSET command and closed the connection brutally after this.

To replicate the problem I did:

$ telnet localhost 25

Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 Welcome to BLABLABLA
mail from: <sender@domain.tld>
250 ok
rcpt to: <recipient@domain.tld>
250 ok
data
354 go ahead
Date: Mon, 20 Aug 2018 15:24:01 +0200
From: sender@domain.tld
To: recipient@domain.tld
Subject: test

test
.
250 ok 1534778879 qp 11906
rset
250 flushed
^]
telnet> quit
Connection closed.

At this point a segfault at 9220000 ip 0805d309 sp bfc5e4ac error 6 in qmail-smtpd[8048000+34000] is generated

After a RSET command, mailfrom.len is set to 0, but mailfrom.s is still allocated.
In the logit/logit2 functions, a check is done on mailfrom.s and then a

stralloc_catb(&log_buf, mailfrom.s, mailfrom.len-1)) die_nomem();

is done, but mailfrom.len is zero and this will cause a memory allocation fault when using softlimit.

The following is a patch to cure this issue.

--- qmail-smtpd.c.orig 2018-08-20 16:34:55.000000000 +0200
+++ qmail-smtpd.c 2018-08-20 17:23:49.000000000 +0200
@@ -1096,19 +1096,19 @@
if (!stralloc_copys(&log_buf, "qmail-smtpd: ")) die_nomem();
if (!stralloc_cats(&log_buf, message)) die_nomem();
if (!stralloc_catb(&log_buf, ": ", 2)) die_nomem();
- if (mailfrom.s) {
+ if (mailfrom.s && mailfrom.len) {
if (!stralloc_catb(&log_buf, mailfrom.s, mailfrom.len-1)) die_nomem();
} else
if (!stralloc_catb(&log_buf, "(null)", 6)) die_nomem();
if (!stralloc_catb(&log_buf, " from ", 6)) die_nomem();
if (!stralloc_cats(&log_buf, remoteip)) die_nomem();
if (!stralloc_catb(&log_buf, " to ", 4)) die_nomem();
- if (addr.s) {
+ if (addr.s && addr.len) {
if (!stralloc_catb(&log_buf, addr.s, addr.len-1)) die_nomem();
} else
if (!stralloc_catb(&log_buf, "(null)", 6)) die_nomem();
if (!stralloc_catb(&log_buf, " helo ", 6)) die_nomem();
- if (helohost.s) {
+ if (helohost.s && helohost.len) {
if (!stralloc_catb(&log_buf, helohost.s, helohost.len-1)) die_nomem();
} else
if (!stralloc_catb(&log_buf, "(null)", 6)) die_nomem();
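Review bot: the added `&& mailfrom.len` (and addr.len, helohost.len) tests are the actual fix: once smtp_rset() has set the length to 0 while leaving the buffer allocated, `mailfrom.len-1` no longer wraps to UINT_MAX on its way into stralloc_catb(). The guard is sound because a populated field is NUL-terminated by stralloc_0(), so a non-zero len is always at least 1. The same three-way test is now spelled out three times in this function and three more times in logit2; a small helper that appends either the field (len-1 bytes) or "(null)" would keep the next field that gets added from repeating the original mistake.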
@@ -1125,19 +1125,19 @@
if (!stralloc_cats(&log_buf, " (")) die_nomem();
if (!stralloc_cats(&log_buf, reason)) die_nomem();
if (!stralloc_cats(&log_buf, "): ")) die_nomem();
- if (mailfrom.s) {
+ if (mailfrom.s && mailfrom.len) {
if (!stralloc_catb(&log_buf, mailfrom.s, mailfrom.len-1)) die_nomem();
} else
if (!stralloc_catb(&log_buf, "(null)", 6)) die_nomem();
if (!stralloc_cats(&log_buf," from ")) die_nomem();
if (!stralloc_cats(&log_buf, remoteip)) die_nomem();
if (!stralloc_cats(&log_buf, " to ")) die_nomem();
- if (addr.s) {
+ if (addr.s && addr.len) {
if (!stralloc_catb(&log_buf, addr.s, addr.len-1)) die_nomem();
} else
if (!stralloc_catb(&log_buf, "(null)", 6)) die_nomem();
if (!stralloc_cats(&log_buf, " helo ")) die_nomem();
- if (helohost.s) {
+ if (helohost.s && helohost.len) {
if (!stralloc_catb(&log_buf, helohost.s, helohost.len-1)) die_nomem();
} else
if (!stralloc_catb(&log_buf, "(null)", 6)) die_nomem();
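Review bot: same change as in logit() above, applied to logit2(); the two functions should stay in step, and the output format is unchanged (an empty field prints "(null)", exactly what an unset field already printed), so existing log parsers are unaffected. The patch description should name the trigger, RSET followed by a logged event, since that is what turns a len of 0 into a request for about 4 GiB in stralloc_readyplus() and into the segfault shown in the report.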

Reply |
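The failure Mirko describes above, reproduced in a stand-alone C program (an added example, not code from qmail or from the logging patch): a minimal stand-in for qmail's stralloc, the pointer-only test from the original logit() next to the patched test, and the MAIL FROM, RSET, log sequence from the telnet session. The helper names (sa_catb, build_log_line, demo_after_rset and so on) are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <limits.h>

/* Minimal stand-in for qmail's stralloc: s holds the bytes, len counts
 * them, a is the allocated size (field names follow qmail's stralloc.h). */
struct stralloc { char *s; unsigned int len; unsigned int a; };

/* Make room for n more bytes. Returns 1 on success, 0 on failure; a
 * request whose size wraps around is refused instead of being attempted. */
static int sa_readyplus(struct stralloc *sa, unsigned int n) {
    unsigned int want = sa->len + n;
    if (want < sa->len || want > UINT_MAX - 32) return 0;
    if (sa->s && sa->a >= want) return 1;
    char *p = realloc(sa->s, want + 32);
    if (!p) return 0;
    sa->s = p;
    sa->a = want + 32;
    return 1;
}

static int sa_catb(struct stralloc *sa, const char *buf, unsigned int n) {
    if (!sa_readyplus(sa, n)) return 0;
    memcpy(sa->s + sa->len, buf, n);
    sa->len += n;
    return 1;
}

static int sa_copys(struct stralloc *sa, const char *str) {
    sa->len = 0;
    return sa_catb(sa, str, (unsigned int)strlen(str));
}

/* qmail keeps addresses NUL-terminated (stralloc_0), so len counts the
 * NUL and the logging code prints len-1 bytes. */
static int sa_copyaddr(struct stralloc *sa, const char *str) {
    return sa_copys(sa, str) && sa_catb(sa, "", 1);
}

/* The byte count the unguarded code hands to stralloc_catb(): with
 * len == 0 it wraps to UINT_MAX. */
unsigned int unguarded_length(const struct stralloc *sa) {
    return sa->len - 1;
}

/* Original test: only the pointer is checked. */
static int cat_addr_unguarded(struct stralloc *out, const struct stralloc *a) {
    if (a->s) return sa_catb(out, a->s, a->len - 1);
    return sa_catb(out, "(null)", 6);
}

/* Patched test: an allocated but empty field is logged as "(null)". */
static int cat_addr_guarded(struct stralloc *out, const struct stralloc *a) {
    if (a->s && a->len) return sa_catb(out, a->s, a->len - 1);
    return sa_catb(out, "(null)", 6);
}

/* Builds "qmail-smtpd: <message>: <sender> from <ip> to <rcpt>" (the helo
 * part is left out). Returns 1 on success, 0 when any append fails. */
int build_log_line(struct stralloc *out, const char *message,
                   const struct stralloc *mailfrom, const char *remoteip,
                   const struct stralloc *addr, int guarded) {
    int (*cat)(struct stralloc *, const struct stralloc *) =
        guarded ? cat_addr_guarded : cat_addr_unguarded;
    return sa_copys(out, "qmail-smtpd: ")
        && sa_catb(out, message, (unsigned int)strlen(message))
        && sa_catb(out, ": ", 2)
        && cat(out, mailfrom)
        && sa_catb(out, " from ", 6)
        && sa_catb(out, remoteip, (unsigned int)strlen(remoteip))
        && sa_catb(out, " to ", 4)
        && cat(out, addr)
        && sa_catb(out, "", 1);   /* terminate so out->s prints as a C string */
}

/* Reproduces the report: MAIL FROM and RCPT TO fill the fields, RSET zeroes
 * the lengths but keeps the buffers, then an event is logged. Returns 1 when
 * the unguarded variant fails and the guarded one succeeds, leaving the
 * guarded line in *log_guarded (the caller frees log_guarded->s). */
int demo_after_rset(struct stralloc *log_guarded) {
    struct stralloc mailfrom = {0, 0, 0}, addr = {0, 0, 0}, log_unguarded = {0, 0, 0};
    int result = 0;
    if (sa_copyaddr(&mailfrom, "sender@domain.tld") &&
        sa_copyaddr(&addr, "recipient@domain.tld")) {
        mailfrom.len = 0;   /* what smtp_rset() does: .s stays allocated */
        addr.len = 0;
        int unguarded_ok = build_log_line(&log_unguarded, "message accepted",
                                          &mailfrom, "127.0.0.1", &addr, 0);
        int guarded_ok = build_log_line(log_guarded, "message accepted",
                                        &mailfrom, "127.0.0.1", &addr, 1);
        result = !unguarded_ok && guarded_ok;
    }
    free(mailfrom.s);
    free(addr.s);
    free(log_unguarded.s);
    return result;
}

int main(void) {
    struct stralloc line = {0, 0, 0};
    int ok = demo_after_rset(&line);
    printf("guarded variant survives RSET: %s\n", ok ? "yes" : "no");
    if (ok) printf("%s\n", line.s);
    free(line.s);
    return ok ? 0 : 1;
}
```

In this example sa_readyplus() refuses a request whose size wraps, so the unguarded variant fails cleanly instead of crashing; the thing to look at is the UINT_MAX byte count that reaches the append, which is exactly what the added length test removes.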

Bug in logit and logit2 functions

Thanks to Mirko this bug was fixed in the v.5 of the logging patch, which I have just included in my package

Reply |

Mess822 bug

I found a bug in mess822-0.58 package.

You do not have a section for it, so I'm posting a patch under qmail.

You can use a tool like 822field to extract a field from headers in a mail.

However, it compares the header with the string without considering that the string may be longer than the matched part. So a

cat email | 822field Subjectttttt

will give back the Subject field in any case, which is wrong.

The proposed patch will fix this, allowing, as an extreme case, a colon to be specified as the last character of the searched header string. So a | 822field Subject: will work too, giving back the searched Subject, while a | 822field Subjectt won't.

--- mess822_line.c.old 2018-08-17 16:03:24.000000000 +0200
+++ mess822_line.c 2018-08-17 16:02:26.000000000 +0200
@@ -41,7 +41,7 @@
}

for (a = h->action;a->name;++a)
- if (!case_diffb(h->inprogress.s,pos,a->name))
+ if (!case_diffb(h->inprogress.s,pos,a->name) && (a->name[pos] == 0 || a->name[pos] == ':'))
break;

for (;pos < h->inprogress.len;++pos) {
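Review bot: the extra `a->name[pos]` test cannot read past the end of a->name: it is evaluated only after case_diffb() has matched pos bytes, and because the bytes of a field name in front of the colon are never NUL, a match means a->name holds at least pos characters, so index pos is the terminator at worst. That reasoning deserves a one-line comment next to the condition. The change also turns "Subject:" into a valid argument, which is a small behaviour change for any action name that is a strict prefix of another (the "Subjectt" case described above now fails as intended); names are still compared case-insensitively, which the 822field documentation should say.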

Reply |
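The match that the patch above tightens, as a stand-alone C program (an added example, not mess822's code): a case_diffb() look-alike, the field-name test in its original prefix-only form and in the patched form, and a constructed header block to run both against. match_field_name(), field_value() and sample_headers are names chosen for the example.

```c
#include <stdio.h>
#include <string.h>

/* Case-insensitive comparison of the first n bytes of s with t, modelled on
 * qmail's case_diffb(): returns 0 when they are equal. Reading stops at the
 * first difference, so a NUL in t ends the comparison while s still has
 * header-name bytes. */
static int case_diffb(const char *s, unsigned int n, const char *t) {
    while (n-- > 0) {
        unsigned char x = (unsigned char)*s++, y = (unsigned char)*t++;
        if (x >= 'A' && x <= 'Z') x += 'a' - 'A';
        if (y >= 'A' && y <= 'Z') y += 'a' - 'A';
        if (x != y) return (int)x - (int)y;
    }
    return 0;
}

/* Does the field name of header line `line` (the bytes before the first
 * ':') match `wanted`? strict == 0 reproduces the original prefix-only test
 * in mess822_line.c; strict == 1 adds the patch's requirement that wanted
 * ends right there (NUL) or with a colon. Returns 1 on match, 0 otherwise. */
int match_field_name(const char *line, const char *wanted, int strict) {
    const char *colon = strchr(line, ':');
    if (!colon) return 0;
    unsigned int pos = (unsigned int)(colon - line);
    if (case_diffb(line, pos, wanted) != 0) return 0;
    if (!strict) return 1;
    /* safe: a match guarantees wanted holds at least pos bytes */
    return wanted[pos] == 0 || wanted[pos] == ':';
}

/* Value of the first matching header with leading blanks stripped, or NULL.
 * headers is a NULL-terminated array of "Name: value" lines. */
const char *field_value(const char *const *headers, const char *wanted, int strict) {
    for (; *headers; ++headers) {
        if (!match_field_name(*headers, wanted, strict)) continue;
        const char *v = strchr(*headers, ':') + 1;
        while (*v == ' ' || *v == '\t') ++v;
        return v;
    }
    return NULL;
}

/* Constructed sample header block, not taken from a real message. */
const char *const sample_headers[] = {
    "Date: Mon, 20 Aug 2018 15:24:01 +0200",
    "From: sender@domain.tld",
    "To: recipient@domain.tld",
    "Subject: test",
    NULL
};

int main(void) {
    const char *names[] = { "Subject", "subject:", "Subjectt", "Subjectttttt" };
    for (unsigned i = 0; i < sizeof names / sizeof names[0]; ++i) {
        const char *old = field_value(sample_headers, names[i], 0);
        const char *fixed = field_value(sample_headers, names[i], 1);
        printf("822field %-13s original: %-7s patched: %s\n", names[i],
               old ? old : "(none)", fixed ? fixed : "(none)");
    }
    return 0;
}
```

Running it prints one line per search string; the prefix-only column returns "test" for all four, the patched column only for "Subject" and "subject:".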

Mess822 bug

Thank you, I'll check it out when I'll be back home

Reply |

combined patches

Hi,

Great job collecting and putting together this site.

We have 50+ qmail servers mainly to send out e-mail and not receiving any.

I am wondering what patches I really need to have stable sending qmail servers.

I currently have DNS and TLS patch only.

Thanks very much if you reply.

Vahid.

Reply |

combined patches

Provided that you can choose to install the complete combined patch and then use just what you need of it, this could be the subset of patches that you need to build a sending server. The most important ones (in my opinion) are in bold text:

qmail-authentication
qmail-tls
force-tls
oversize DNS
reread concurrency
big concurrency
big concurrency fix
Better qmail-smtpd logging
SMTP HELO/EHLO Greeting delay
DKIM and SURBL
EXT-TODO
BIG-TODO
qmail-inject-null-sender
qmail-taps-extended
qmail-remote CRLF
outgoingip
qmail-smtpd pid, qp log patch
any-to-cname
qmail-rfc2821
smtpd-502-to-500
qmail-moreipme
qmail-hide-ip-headers
qmail-date-localtime
qmail-smtpd liberal-lf
qmail-empf
reject-relay-test
qlog
dnscname
rcptcheck

Reply |

combined patches

Why do I keep getting this error while compiling qmail with a few patches (please see my other question):

more undefined references to `logit' follow collect2: error: ld returned 1 exit status

Reply |

combined patches

as you know, logit is a function which belongs to the logging patch... did you get any error while patching?

Reply |

combined patches

started fresh and noticed that if I apply patches in this order:

logging-5.patch compiles OK
qmail-remote-CRLF.diff - OK
qmail-inject-null-sender.patch - OK

roberto-netqmail-1.06_auth_tls_force-tls.patch-latest - fails with this error:

qmail-smtpd.o: In function `err_nogateway':
qmail-smtpd.c:(.text+0x1b8): undefined reference to `tls_nogateway'
qmail-smtpd.o: In function `setup':
qmail-smtpd.c:(.text+0x1030): undefined reference to `tls_init'

If I only apply roberto-netqmail-1.06.patch-latest patch, then I get

chkuser.c:38:22: fatal error: vpopmail.h: No such file or directory

These servers are only sending mail out so I only need any-to-cname and TLS patch.
which one do you recommend?
thanks again.

Reply |

combined patches

First of all, I would recommend applying the auth/tls/forcetls patch, which is the biggest one and the most difficult to fix if the patching goes wrong, and then the others.

If your server is just sending, the logging patch is of little use, because it logs qmail-smtpd. 

"any to cname" is not so important for me, while qmail-remote-CRLF and qmail-inject-null-sender are both a good choice because they fix bugs.

You can always decide to use my big patch (roberto-netqmail-1.06.patch-latest), but then you have to install the vpopmail, libdomainkeys and libsrs2 libraries (which is very easy to do); otherwise you'll get compilation breaks like the one you showed above (it's complaining about the lack of vpopmail).

And I would like to return the wishes for a happy 2019 :-)

Reply |

combined patches

Sorry, didn't see this post.

so, trying fresh tarball, applying the following patches in this order:

roberto-netqmail-1.06_auth_tls_force-tls.patch-latest - OK
any-to-cname.patch - OK (I need this patch since we get so many large-DNS related issues)
qmail-remote-CRLF.diff - OK
qmail-inject-null-sender.patch - OK

So I should be good for prod, I guess?
We are getting lots of complaints and rejections due to the use of TLS 1.0 and also no TLS, so I have to upgrade.
In the current build, I used netqmail-1.05-tls-20060104.patch.

Reply |

combined patches

I would suggest to do all tests before switching to production...

Reply |

combined patches

ah yeah, lots of tests...

daemontools needs to be recompiled and is giving me a hard time, but I will figure it out. Thanks for your help.

Reply |

combined patches

Happy New Year Roberto,

I have many qmail servers to install/upgrade to include the new TLS 1.2 patch (other domains started denying TLS 1.0).

I am wondering if there is a way to make the qmail-remote binary static (we are only sending), so I can just package the binaries and deploy them to the servers rather than compiling on each server. I am not sure all servers have the latest libraries.

i am installing the following patches to netqmail-1.06:

roberto-netqmail-1.06_auth_tls_force-tls.patch-latest
logging-5.patch
qmail-inject-null-sender.patch
any-to-cname.patch
qmail-remote-CRLF.diff

Thanks,

Reply |

combined patches

I would also consider building a qmail package for your linux distribution, just to save the compilation time, but you must be sure that all the libraries are the same in all your servers, of course

Reply |

combined patches

Perhaps this could be possible, but I think it would be more time expensive **and not secure** than compiling the entire qmail in each server, especially if they don't share the same libraries...

Reply |

FreeBSD

When compiling this patch on FreeBSD I get the following error:

qmail-smtpd.c:2398:41: error: function definition is not allowed here
void outqlog(char *s, unsigned int n) {
^
qmail-smtpd.c:2405:17: error: a parameter list without types is only allowed in a function definition
void outsqlog(s) char *s; { outqlog(s,str_len(s)); }
^
qmail-smtpd.c:2405:19: error: expected ';' at end of declaration
void outsqlog(s) char *s; { outqlog(s,str_len(s)); }
^

Any idea on how to fix that?

Reply |

Libdomainkeys compilation error

Hello,

Libdomainkeys gives a compilation error on debian 9 as follows:

make
gcc -DBIND_8_COMPAT -O2 -o makeheader makeheader.c
./makeheader domainkeys.h
gcc -DBIND_8_COMPAT -O2 -c dktest.c -I.
gcc -DBIND_8_COMPAT -O2 -c domainkeys.c -I.
domainkeys.c:123:14: error: field ‘mdctx’ has incomplete type
EVP_MD_CTX mdctx; /* the hash */
^~~~~
domainkeys.c: In function ‘dkheaders’:
domainkeys.c:1285:5: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast]
(void *)dk_headers(dk, dk->headers);
^
domainkeys.c: In function ‘dk_free’:
domainkeys.c:2155:3: warning: implicit declaration of function ‘EVP_MD_CTX_cleanup’ [-Wimplicit-function-declaration]
EVP_MD_CTX_cleanup(&dk->mdctx);
^~~~~~~~~~~~~~~~~~
domainkeys.c:2162:6: warning: ‘ERR_remove_state’ is deprecated [-Wdeprecated-declarations]
ERR_remove_state(0);
^~~~~~~~~~~~~~~~
In file included from /usr/include/openssl/x509_vfy.h:20:0,
from /usr/include/openssl/x509.h:309,
from /usr/include/openssl/pem.h:17,
from domainkeys.c:28:
/usr/include/openssl/err.h:248:1: note: declared here
DEPRECATEDIN_1_0_0(void ERR_remove_state(unsigned long pid))
^
Makefile:23: recipe for target 'domainkeys.o' failed
make: *** [domainkeys.o] Error 1

Reply |

Libdomainkeys compilation error

which version of gcc?

Reply |

Libdomainkeys compilation error

Here are the gcc versions installed: 

ii gcc 4:6.3.0-4 amd64 GNU C compiler
ii gcc-6 6.3.0-18 amd64 GNU C compiler
ii gcc-6-base:amd64 6.3.0-18 amd64 GCC, the GNU Compiler Collection (base package)
ii libgcc-6-dev:amd64 6.3.0-18 amd64 GCC support library (development files)
ii libgcc1:amd64 1:6.3.0-18 amd64 GCC support library

Reply |

Libdomainkeys compilation error

I haven't tested with gcc-6.

tests would be much appreciated

Reply |

Libdomainkeys compilation error

I will gladly test but I don't know how to fix the code for this library and the qmail-remote.c and all other files that may need fixing. Sorry but I am more of a system guy than a developer:)

Cheers,

Reply |

Libdomainkeys compilation error

The issue is linked to libssl-dev 1.1; with 1.0 all works.

Cheers,

Reply |

Libdomainkeys compilation error

Hello, I also have this issue.

Fix it by changing these lines:

domainkeys.c:123 ->

From: EVP_MD_CTX mdctx; /* the hash */

To: EVP_MD_CTX *mdctx; /* the hash */

domainkeys.c:2156 ->

From: EVP_MD_CTX_cleanup(&dk->mdctx);

To: EVP_MD_CTX_free(&dk->mdctx);

After editing the source file, compilation is successful.

Reply |

Libdomainkeys compilation error

and are you using libssl-dev 1.1?

Reply |

Libdomainkeys compilation error

I can confirm the changes sa1phx posted for the "domainkeys.c:123:14: error: field ‘mdctx’ has incomplete type" problem on Debian 9 with openssl-1.1. Here are my details:

ii gcc 4:6.3.0-4 amd64 GNU C compiler
ii gcc-6 6.3.0-18+deb9u1 amd64 GNU C compiler
ii gcc-6-base:amd64 6.3.0-18+deb9u1 amd64 GCC, the GNU Compiler Collection (base package)
ii libgcc-6-dev:amd64 6.3.0-18+deb9u1 amd64 GCC support library (development files)
ii libgcc1:amd64 1:6.3.0-18+deb9u1 amd64 GCC support library

ii libssl-dev:amd64 1.1.0j-1~deb9u1 amd64 Secure Sockets Layer toolkit - development files
ii libssl-doc 1.1.0j-1~deb9u1 all Secure Sockets Layer toolkit - development documentation
ii libssl1.0.2:amd64 1.0.2q-1~deb9u1 amd64 Secure Sockets Layer toolkit - shared libraries
ii libssl1.1:amd64 1.1.0j-1~deb9u1 amd64 Secure Sockets Layer toolkit - shared libraries

Here is the resulting diff between the source with the libdomainkeys-0.69.diff applied and then the changes suggested by sa1phx. I confirm that after applying their changes, make succeeds and libdomainkeys.a is produced. I cannot yet confirm that the libdomainkeys.a file functions.

diff -u for-diff/domainkeys.c libdomainkeys/domainkeys.c
--- for-diff/domainkeys.c 2008-03-31 18:50:39.000000000 -0400
+++ libdomainkeys/domainkeys.c 2019-01-25 09:12:11.184191244 -0500
@@ -120,7 +120,7 @@
{
/* STARTPRIV */
int dkmarker; /* in case somebody casts in */
- EVP_MD_CTX mdctx; /* the hash */
+ EVP_MD_CTX *mdctx; /* the hash */
int signing; /* our current signing/verifying state */
int in_headers; /* true if we're still processing headers */
char *header; /* points to a malloc'ed block for header. */
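Review bot: making mdctx a pointer is the right move for the opaque EVP_MD_CTX of OpenSSL 1.1, but nothing in this diff allocates it: wherever the hash is initialised, an `EVP_MD_CTX_new()` call with a NULL check is needed, and every caller that passed `&dk->mdctx` to the EVP_Sign*/EVP_Verify* functions must now pass `dk->mdctx`. The German build log at the top of this thread shows the symptom of leaving those calls alone: a -Wincompatible-pointer-types warning on `EVP_SignFinal(&dk->mdctx, ...)`, because that expression is now an `EVP_MD_CTX **`.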

@@ -2152,7 +2152,7 @@
#ifdef DK_HASH_BUFF
DK_MFREE(dk->hash_buff);
#endif
- EVP_MD_CTX_cleanup(&dk->mdctx);
+ EVP_MD_CTX_free(&dk->mdctx);
DK_MFREE(dk->header); /* alloc'ing dk->header is not optional. */
dk->dkmarker = ~DKMARK;
DK_MFREE(dk);
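Review bot: `EVP_MD_CTX_free(&dk->mdctx)` passes the address of the pointer field (type `EVP_MD_CTX **`) where the function expects the `EVP_MD_CTX *` itself; the compiler only warns (the build log at the top of this thread has the matching -Wincompatible-pointer-types line), the build succeeds, and at run time libcrypto resets and frees memory inside the dk struct, which is undefined behaviour and consistent with the dktest segfault in libcrypto.so.1.1 reported further down. It should read `EVP_MD_CTX_free(dk->mdctx); dk->mdctx = NULL;`. If the same source must still build on OpenSSL 1.0, select the cleanup or free form with `#if OPENSSL_VERSION_NUMBER < 0x10100000L` rather than editing by hand for each version.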

Reply |

Libdomainkeys compilation error

Thank you. And how are you patching qmail-remote.c?

I'm still unable to compile with openssl-1.1 and gcc-8.2, as I get this error

./compile qmail-remote.c
qmail-remote.c: In function ‘tls_init’:
qmail-remote.c:522:60: error: dereferencing pointer to incomplete type ‘X509_NAME_ENTRY’ {aka ‘struct X509_name_entry_st’}
const ASN1_STRING *s = X509_NAME_get_entry(subj, i)->value;

I'm using this patch to solve other compilation breaks

--- qmail-remote.c.orig 2017-05-14 13:50:09 UTC
+++ qmail-remote.c
@@ -266,7 +266,7 @@ char *append;
{
#ifdef TLS
/* shouldn't talk to the client unless in an appropriate state */
- int state = ssl ? ssl->state : SSL_ST_BEFORE;
- if (state & SSL_ST_OK || (!smtps && state & SSL_ST_BEFORE))
+ int state = SSL_get_state(ssl);
+ if (state & TLS_ST_OK || (!smtps && state & TLS_ST_BEFORE))
#endif
substdio_putsflush(&smtpto,"QUIT\r\n");
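Review bot: the replacement loses two properties of the original condition. `ssl ? ssl->state : SSL_ST_BEFORE` covered the case where no TLS session exists (plain SMTP, or tls_init() failed); `SSL_get_state(ssl)` is now called unconditionally and dereferences a NULL ssl. And in OpenSSL 1.1 TLS_ST_BEFORE and TLS_ST_OK are enumerators of OSSL_HANDSHAKE_STATE, not bit flags like the old SSL_ST_* values: TLS_ST_BEFORE is 0, so `state & TLS_ST_BEFORE` is never true, and TLS_ST_OK is 1, so `state & TLS_ST_OK` is true for every odd state. Suggested form: `int state = ssl ? SSL_get_state(ssl) : TLS_ST_BEFORE;` followed by `if (state == TLS_ST_OK || (!smtps && state == TLS_ST_BEFORE))`.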
--- ssl_timeoutio.c.orig 2017-05-14 13:50:09 UTC
+++ ssl_timeoutio.c
@@ -74,10 +74,10 @@ int ssl_timeoutrehandshake(int t, int rf

SSL_renegotiate(ssl);
r = ssl_timeoutio(SSL_do_handshake, t, rfd, wfd, ssl, NULL, 0);
- if (r <= 0 || ssl->type == SSL_ST_CONNECT) return r;
+ if (r <= 0 || SSL_get_state(ssl) == SSL_ST_CONNECT) return r;

/* this is for the server only */
- ssl->state = SSL_ST_ACCEPT;
+ SSL_set_connect_state(ssl);
return ssl_timeoutio(SSL_do_handshake, t, rfd, wfd, ssl, NULL, 0);
}
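Review bot: neither replacement says what the line it replaces said. `ssl->type == SSL_ST_CONNECT` asked whether this end is the client; `SSL_get_state(ssl) == SSL_ST_CONNECT` compares a handshake state with a legacy role constant and will not be true here, so the client-side early return is lost. The comment on the next line says the rest is for the server, yet `SSL_set_connect_state()` switches the object into client mode, whereas the original `ssl->state = SSL_ST_ACCEPT` kept it a server. The matching calls are `if (r <= 0 || !SSL_is_server(ssl)) return r;` and `SSL_set_accept_state(ssl);`. Worth noting in the patch text that renegotiation does not exist in TLS 1.3, so this function only ever matters for TLS 1.2 and earlier sessions.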

As my C skills are close to zero, some help would be really appreciated in order to make my patch openssl-1.1 compliant.

Reply |

Libdomainkeys compilation error

Unfortunately, qmail-remote.c won't compile for me in any way, even when I install and use the current openssl-1.0.2.q from source. I applied the patch you showed for qmail-remote.c and ssl_timeoutio.c; that moved things along, but make still ultimately ends with error 1.

When I try to make with the openssl-1.1.0 package from Debian I use this conf-cc file, the .h files are in /usr/include/openssl:

cc -O2 -g -DEXTERNAL_TODO -DTLS=20160918 -I/usr/include/openssl -I/home/vpopmail/include

This will be used to compile .c files.

./compile qmail-remote.c
In file included from qmail-remote.c:7:0:
substdio.h:12:64: warning: initialization from incompatible pointer type [-Wincompatible-pointer-types]
#define SUBSTDIO_FDBUF(op,fd,buf,len) { (buf), 0, (len), (fd), (op) }
^
qmail-remote.c:172:17: note: in expansion of macro ‘SUBSTDIO_FDBUF’
substdio ssin = SUBSTDIO_FDBUF(read,0,inbuf,sizeof inbuf);
^~~~~~~~~~~~~~
substdio.h:12:64: note: (near initialization for ‘ssin.op’)
#define SUBSTDIO_FDBUF(op,fd,buf,len) { (buf), 0, (len), (fd), (op) }
^
qmail-remote.c:172:17: note: in expansion of macro ‘SUBSTDIO_FDBUF’
substdio ssin = SUBSTDIO_FDBUF(read,0,inbuf,sizeof inbuf);
^~~~~~~~~~~~~~
qmail-remote.c: In function ‘tls_init’:
qmail-remote.c:535:60: error: dereferencing pointer to incomplete type ‘X509_NAME_ENTRY {aka struct X509_name_entry_st}’
const ASN1_STRING *s = X509_NAME_get_entry(subj, i)->value;
^~
qmail-remote.c: In function ‘mailfrom_cram’:
qmail-remote.c:670:3: warning: implicit declaration of function ‘hmac_md5’ [-Wimplicit-function-declaration]
hmac_md5(chal.s,chal.len,pass.s,pass.len,digest);
^~~~~~~~
Makefile:1675: recipe for target 'qmail-remote.o' failed
make: *** [qmail-remote.o] Error 1

I didn't want to use openssl 1.0.2, but I saw that officially version 1.0.2 would be supported through December of 2019. I created /usr/local/special and passed, "./config --prefix=/usr/local/special --openssldir=/usr/local/special/openssl" to config, that way it would not end up in any $PATH down the road. I edit netqmail's conf-cc to read:

cc -O2 -g -DEXTERNAL_TODO -DTLS=20160918 -I/usr/local/special/include/openssl -I/home/vpopmail/include

This will be used to compile .c files.

Then I make clean, and try to make again now using the older openssl-1.0.2 and it still errors out in the end again on qmail-remote.c:

./compile qmail-remote.c
In file included from qmail-remote.c:7:0:
substdio.h:12:64: warning: initialization from incompatible pointer type [-Wincompatible-pointer-types]
#define SUBSTDIO_FDBUF(op,fd,buf,len) { (buf), 0, (len), (fd), (op) }
^
qmail-remote.c:172:17: note: in expansion of macro ‘SUBSTDIO_FDBUF’
substdio ssin = SUBSTDIO_FDBUF(read,0,inbuf,sizeof inbuf);
^~~~~~~~~~~~~~
substdio.h:12:64: note: (near initialization for ‘ssin.op’)
#define SUBSTDIO_FDBUF(op,fd,buf,len) { (buf), 0, (len), (fd), (op) }
^
qmail-remote.c:172:17: note: in expansion of macro ‘SUBSTDIO_FDBUF’
substdio ssin = SUBSTDIO_FDBUF(read,0,inbuf,sizeof inbuf);
^~~~~~~~~~~~~~
qmail-remote.c: In function ‘tls_init’:
qmail-remote.c:535:60: error: dereferencing pointer to incomplete type ‘X509_NAME_ENTRY {aka struct X509_name_entry_st}’
const ASN1_STRING *s = X509_NAME_get_entry(subj, i)->value;
^~
qmail-remote.c: In function ‘mailfrom_cram’:
qmail-remote.c:670:3: warning: implicit declaration of function ‘hmac_md5’ [-Wimplicit-function-declaration]
hmac_md5(chal.s,chal.len,pass.s,pass.len,digest);
^~~~~~~~
Makefile:1675: recipe for target 'qmail-remote.o' failed
make: *** [qmail-remote.o] Error 1

I have even less C than you do, but am more than willing to continue testing & troubleshooting. There's apparently some deep issue with const ASN1_STRING *s = X509_NAME_get_entry(subj, i)->value; as we're both getting the same error on make, yours presumably on Slackware and mine on Debian, mine with both openssl-1.0.2 and openssl-1.1.0. 

Reply |

Libdomainkeys compilation error

const ASN1_STRING *s = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(subj, i));

instead of

const ASN1_STRING *s = X509_NAME_get_entry(subj, i)->value;

Reply |

Libdomainkeys compilation error

Thank you, Eric. It compiles now. qmail-smtpd.c must be modified as well

Reply |

Libdomainkeys compilation error

New testing patch released. Look at the top of this page. There's a patch for libdomainkeys as well. They can be used both on v. 1.0 and 1.1 of openssl

Please give me some feedback, so that I can release it as stable soon.

Reply |

Libdomainkeys compilation error

Debian 9 openssl and libssl 1.1.0j

dktest does not work.
Send log:

delivery 154: deferral: /var/qmail/bin/dk-filter:_(spawn-filter)_exit_code:_139:_/var/qmail/bin/dk-filter:_line_271:_62249_Segmentation_fault______/var/qmail/bin/dktest_-s_/var/qmail/control/domainkeys/hidden_domain/default/._(#4.3.0)spawn-filter_said:_Message_deferred

syslog

... dktest[62249]: segfault at 1 ip 00007fd82e3b7b36 sp 00007ffce29d2bc0 error 4 in libcrypto.so.1.1

Reply |

Libdomainkeys compilation error

Please try the following libdomainkeys patched by Manvendra Banghui. If this does not solve it, feel free to write me in private so that I can provide a direct contact with him.

Reply |

Libdomainkeys compilation error

Thanks Roberto and Manvendra; with libdomainkeys patched by Manvendra Banghui it is working :)

Reply |

Libdomainkeys compilation error

Just got notified of dktest segmentation fault. I will take a look at it. It might take me some time to replicate the same openssl version on my laptop and test it out. If it helps, you can temporarily disable domainkeys and just have DKIM.

Reply |

FORCEAUTHMAILFROM not checked

Hello.

I performed the patch installation but the mailfrom check is not being performed.
I ran tests with Thunderbird, changing the From: address, and the messages were sent successfully.

In the smtp run file I configured export FORCEAUTHMAILFROM=1

Any tip?

thanks

Reply |

FORCEAUTHMAILFROM not checked

Hi, I have no idea... my tests are OK. Please double check everything.

Reply |

FORCEAUTHMAILFROM not checked

I did the installation again and I did not succeed.
Does this patch block the email with the from field changed?

Log of test performed:

2017-11-07 07:50:25.679940500 policy_check: local marciorubens@dialhost.com.br -> remote marciorubenscardoso@gmail.com (AUTHENTICATED SENDER)
2017-11-07 07:50:25.830499500 simscan:[8424]:CLEAN (-1.00/15.00/15.00):0.1197s:dddd:177.69.128.1:marciorubens@dialhost.com.br:marciorubenscardoso@gmail.com
2017-11-07 07:50:25.976899500 mail recv: pid 8424 from <marciorubens@dialhost.com.br> qp 8429
2017-11-07 07:50:25.976901500 qmail-smtpd: message accepted: marciorubens@dialhost.com.br from 177.69.128.1 to marciorubenscardoso@gmail.com helo [10.1.1.53]

Gmail log:

Delivered-To: marciorubenscardoso@gmail.com
Received: by 10.176.87.18 with SMTP id s18csp4018920uaa;
        Tue, 7 Nov 2017 01:50:27 -0800 (PST)
X-Google-Smtp-Source: ABhQp+SMg7Vnmj4Ss9PNWvQpdkXHZ+Jd0MlFbzJrQVTHP+PtCDNom2DrakgBTAxwjkl7DwSkCaCR
X-Received: by 10.159.59.71 with SMTP id j7mr14577994uah.135.1510048227462;
        Tue, 07 Nov 2017 01:50:27 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1510048227; cv=none;
        d=google.com; s=arc-20160816;
        b=rcWVEW8/w0hpFVZlQogAAqwV66o5rIH0yOkHWjjqw6lh6YjAaMF5gNlH0x0o61Ow0Y
         vddzV+6l1NVvl6M4yd9eug1aPIhF7ndfX6ZitkE+Gl3xq2iPQ5AtcX+CHZFEpV2F+MVX
         a++FFpoGP5qmjlmyL974c6aLNZTP+dzkKE93IUF5XQtab9C4iney2OHVV2kkjfVIHfA7
         10
         nz
         giLw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-language:content-transfer-encoding:mime-version:user-agent
         :date:message-id:subject:from:to:/m:arc-authentication-results;
        bh=SzVMU+mFZiUdyQvZrHmIh1w9KIokwNhHQSVvk1pnTOU=;
        b=guPdLgygMuZNwQyJG3bapZzOPerg/R4pxt/aGWh9rG/JHidRBl/Rqrl6J8K8H1U47j
         IGkOaPRDZkCVwX57fh5Cgfdb3Uwkht3X2WZt+0Oot1vurYcj9iPnKX5NYuwr0DoKVJw7
         WGFI9LuEoBhF3CI9ca3rHZgBwRU/Da9grff3NEWHRLYDFV0xvwxIw7qx9CupL3r2ScFV
         uhjxPVoVM5uE9i0XLSG2AkWgCcsgssEl8CLw6/twyoLjqzKG6M9D8G1C4WYNZolPrd5D
         aHpOfTBxvX6M6RXQbabP4Ts1nXa6FBmhFysCJPPled15cMx9wsE689+UaKShPSlYkfHr
         e9iw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of marciorubens@dialhost.com.br designates 138.118.172.67 as permitted sender) smtp.mailfrom=marciorubens@dialhost.com.br;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=dialhost.com.br
Return-Path: <marciorubens@dialhost.com.br>
Received: from mailf67-br118.dialhost.com.br (mailf67-br118.dialhost.com.br. [138.118.172.67])
        by mx.google.com with ESMTPS id s6si210550vka.356.2017.11.07.01.50.27
        for <marciorubenscardoso@gmail.com>
        (version=TLS1_2 cipher=AES128-SHA bits=128/128);
        Tue, 07 Nov 2017 01:50:27 -0800 (PST)
Received-SPF: pass (google.com: domain of marciorubens@dialhost.com.br designates 138.118.172.67 as permitted sender) client-ip=138.118.172.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of marciorubens@dialhost.com.br designates 138.118.172.67 as permitted sender) smtp.mailfrom=marciorubens@dialhost.com.br;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=dialhost.com.br
Received: (qmail 8433 invoked by uid 89); 7 Nov 2017 07:50:25 -0200
Received: (simscan 1.4.0 ppid 8424 pid 8429 t 0.1287s) (scanners:
  attach: 1.4.0 clamav: 0.99.2/m:58/d:23753); 07 Nov 0117 09:50:25 -0000
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on br118.dialhost.com
X-Spam-Level:
X-Spam-Status: No, score=-1.0 required=15.0 tests=ALL_TRUSTED,HK_RANDOM_FROM autolearn=ham autolearn_force=no version=3.4.1
Received: from unknown (HELO? 10.1.1.53?) (Marciorubens@dialhost.com.br)
  by 0 with ESMTPA; 7 Nov 2017 07:50:25 -0200
To: marciorubenscardoso@gmail.com
From: marciorubenswwww@dialhost.com.br
Subject: dddd
Message-ID: <241fe7b7-db09-f65c-f77d-58405c9b6553@dialhost.com.br>
Date: Tue, 7 Nov 2017 07:50:25 -0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en


FORCEAUTHMAILFROM not check

yes, it should block emails with a from field different from the auth-user. 

can you please post a telnet session and the run file of your qmail-submission service (I suppose you use this service to authenticate)?


FORCEAUTHMAILFROM not check

telnet br118.dialhost.com.br 587
Trying 138.118.172.244...
Connected to br118.dialhost.com.br.
Escape character is '^]'.
220 mailf72-br118.dialhost.com.br ESMTP
EHLO dial.teste@dialhost.com.br
250-mailf72-br118.dialhost.com.br
250-STARTTLS
250-PIPELINING
250-8BITMIME
250-AUTH LOGIN PLAIN
250 SIZE 52428800
AUTH LOGIN
334 VXNlcm5hbWU6
ZGlhbC50ZXN0ZUBkaWFsaG9zdC5jb20uYnI=
334 UGFzc3dvcmQ6
NzBRVVFSSE1ldVZ5UU9taVFyOXM=
235 ok, go ahead (#2.0.0)
MAIL FROM:dial.teste2222@dialhost.com.br
250 ok
RCPT TO:marciorubenscardoso@gmail.com
250 ok
DATA
354 go ahead
tESTE
.
250 ok 1510067699 qp 22428
quit
221 mailf72-br118.dialhost.com.br

#!/bin/sh
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
SOFTLIMIT=`cat /var/qmail/control/softlimit`

# You MUST export this, otherwise you'd get a 30 sec timeout
# "!" if you want the submission feature (auth required)
export QMAILQUEUE=/var/qmail/bin/qmail-dkim
export DKIMQUEUE=/var/qmail/bin/simscan
export DKIMVERIFY="FGHKLMNOQRTVWjpu"
export DKIMKEY=/var/qmail/control/domainkeys/%/default
export SMTPAUTH="!"
export FORCETLS=0
export FORCEAUTHMAILFROM=1
export RELAYCLIENT_NODKIMVERIFY=1
# This enables greetdelay for qmail-smtpd.
# comment out if using fail2ban on port 587
#export SMTPD_GREETDELAY=5
#export DROP_PRE_GREET=1

# This enables chkuser
export CHKUSER_START=ALWAYS

# This enables simscan debug
#export SIMSCAN_DEBUG=2

exec /usr/local/bin/softlimit -m "$SOFTLIMIT" \
/usr/local/bin/tcpserver -v -H -R -l 0 \
-x /home/vpopmail/etc/tcp.submission.cdb -c "$MAXSMTPD" \
-u "$QMAILDUID" -g "$NOFILESGID" 0 587 \
/var/qmail/bin/qmail-smtpd \
/home/vpopmail/bin/vchkpw /bin/true 2>&1
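The policy FORCEAUTHMAILFROM=1 is meant to enforce, as an added example that is not code from qmail or from the combined patch: compare the MAIL FROM address with the user that AUTH succeeded for (vchkpw authenticates the full user@domain, as the session above shows), accept both qmail's bracketed and bare forms, and answer 553 when they differ. The reply text, the case-insensitive comparison and the rejection of the null sender are this example's own choices.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example: the check FORCEAUTHMAILFROM=1 is expected to perform.
 * It is not the combined patch's own code; the response text is invented. */

/* Extract the address from the argument of "MAIL FROM:".
 * qmail accepts both "<user@dom>" and the bare "user@dom" seen in the
 * session above; an optional " SIZE=..." parameter may follow.
 * Returns the address length, or -1 when the argument is malformed. */
static int mailfrom_addr(const char *arg, char *out, size_t outlen)
{
    const char *p = arg;
    const char *end;
    size_t n;

    while (*p == ' ') p++;              /* "MAIL FROM: <x>" is tolerated too */
    if (*p == '<') {
        p++;
        end = strchr(p, '>');
        if (!end) return -1;            /* unbalanced bracket: reject */
    } else {
        end = p;
        while (*end && *end != ' ') end++;
    }
    n = (size_t)(end - p);
    if (n + 1 > outlen) return -1;
    memcpy(out, p, n);
    out[n] = '\0';
    return (int)n;
}

/* Case-insensitive comparison (this example's choice: the domain part of an
 * address is case-insensitive and vpopmail stores addresses lowercased). */
static int addr_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Decide whether an authenticated session may use this MAIL FROM.
 * authuser is the name AUTH succeeded for (NULL when not authenticated);
 * returns 1 = accept, 0 = reject. With force == 0 (FORCEAUTHMAILFROM unset)
 * the sender is not constrained, as in the run file above. */
int forceauthmailfrom_ok(int force, const char *authuser, const char *mailfrom_arg)
{
    char addr[256];

    if (!force || !authuser) return 1;
    if (mailfrom_addr(mailfrom_arg, addr, sizeof addr) < 0) return 0;
    if (addr[0] == '\0') return 0;       /* null sender "<>" is never the auth user */
    return addr_equal(addr, authuser);
}

/* SMTP reply for a rejected sender (wording is this example's own). */
const char *forceauthmailfrom_reply(void)
{
    return "553 sorry, authenticated user and sender address do not match (#5.7.1)";
}

int main(void)
{
    const char *user = "dial.teste@dialhost.com.br";     /* the AUTH LOGIN user above */
    const char *tests[] = {
        "dial.teste2222@dialhost.com.br",                 /* the session above: reject */
        "dial.teste@dialhost.com.br",
        "<Dial.Teste@DIALHOST.com.br> SIZE=1024",
        "<>",
    };
    size_t i;

    for (i = 0; i < sizeof tests / sizeof tests[0]; i++)
        printf("MAIL FROM:%s -> %s\n", tests[i],
               forceauthmailfrom_ok(1, user, tests[i]) ? "250 ok" : forceauthmailfrom_reply());
    return 0;
}
```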


FORCEAUTHMAILFROM not check

Hi,

I might be completely wrong, but did you try adding this:

AUTH=1
REQUIRE_AUTH=1
ALLOW_INSECURE_AUTH=0
FORCE_TLS=1

(i have these settings in my submission service file on smtp 587)


FORCEAUTHMAILFROM not check

but these variables have nothing to do with my patch...


FORCEAUTHMAILFROM not check

Yes Roberto, of course you are right, but I found a strange behaviour when I installed the run service and I had to set those variables in order to have the submission service (TLS on 587 with AUTH and CHKUSER) work correctly.

I was just wondering if using AUTH only on TLS (disabling the PLAIN AUTH) would show the same behaviour / error.


FORCEAUTHMAILFROM not check

if you "grep -r" those variables in the netqmail source code patched with my combined patch you will not find any match, so this can't be an explanation...


FORCEAUTHMAILFROM not check

Your config seems to be correct and I have almost the same run file in my 2 servers... I've no idea at the moment, if you find a solution let me know please


compile error qmail-remote.c

I am trying to set up qmail on a fresh install of Debian 9 (stretch) with openssl-1.1.0f.

I followed your installation and ran into trouble when compiling netqmail-1.06 including the roberto patches.

see my error list:

./compile qmail-remote.c
In file included from qmail-remote.c:7:0:
substdio.h:12:64: warning: initialization from incompatible pointer type [-Wincompatible-pointer-types]
#define SUBSTDIO_FDBUF(op,fd,buf,len) { (buf), 0, (len), (fd), (op) }
^
qmail-remote.c:173:17: note: in expansion of macro ‘SUBSTDIO_FDBUF’
substdio ssin = SUBSTDIO_FDBUF(read,0,inbuf,sizeof inbuf);
^~~~~~~~~~~~~~
substdio.h:12:64: note: (near initialization for ‘ssin.op’)
#define SUBSTDIO_FDBUF(op,fd,buf,len) { (buf), 0, (len), (fd), (op) }
^
qmail-remote.c:173:17: note: in expansion of macro ‘SUBSTDIO_FDBUF’
substdio ssin = SUBSTDIO_FDBUF(read,0,inbuf,sizeof inbuf);
^~~~~~~~~~~~~~
qmail-remote.c: In function ‘quit’:
qmail-remote.c:290:24: error: dereferencing pointer to incomplete type ‘SSL {aka struct ssl_st}’
int state = ssl ? ssl->state : SSL_ST_BEFORE;
^~
qmail-remote.c:290:34: error: ‘SSL_ST_BEFORE’ undeclared (first use in this function)
int state = ssl ? ssl->state : SSL_ST_BEFORE;
^~~~~~~~~~~~~
qmail-remote.c:290:34: note: each undeclared identifier is reported only once for each function it appears in
qmail-remote.c:291:15: error: ‘SSL_ST_OK’ undeclared (first use in this function)
if (state & SSL_ST_OK || (!smtps && state & SSL_ST_BEFORE))
^~~~~~~~~
qmail-remote.c: In function ‘tls_init’:
qmail-remote.c:536:60: error: dereferencing pointer to incomplete type ‘X509_NAME_ENTRY {aka struct X509_name_entry_st}’
const ASN1_STRING *s = X509_NAME_get_entry(subj, i)->value;
^~
qmail-remote.c: In function ‘mailfrom_cram’:
qmail-remote.c:671:3: warning: implicit declaration of function ‘hmac_md5’ [-Wimplicit-function-declaration]
hmac_md5(chal.s,chal.len,pass.s,pass.len,digest);
^~~~~~~~
Makefile:1675: recept voor doel 'qmail-remote.o' is mislukt
make: *** [qmail-remote.o] Fout 1

Can you help me with this?

greetings Ed


look here


compile error qmail-remote.c

I am sorry, but because I am not a programmer I don't understand what is written, so I think that something has changed in openssl-1.1.0,

which means that something has to change in the file qmail-remote.c; the problem is that I don't know what.

Please help me understand what I have to change.


Re:

Provided that I can't do the tests myself, because I don't use Debian and I just have openssl-1.0.2k installed, if what is reported there is correct you are missing some dependencies.

So try to install them, looking below "STEPS TO REPRODUCE", and compile again.


compile error netqmail

Finally I found out how to compile.

I had to use libssl1.0.2 as in this link https://github.com/duosecurity/duo_unix/issues/90

thanks very much for your help


compile error netqmail

I have been trying to find out what the problem is with compiling netqmail, and what I found is this: all packages related to openssl cannot be compiled with openssl-1.1.0; the syntax of most of the ssl calls is wrong because openssl has changed since version 0.9.

If you want to compile with openssl-1.1.0, then you have to rewrite all the .c and .h files with openssl calls in them.

qmail-remote.c, ssl-timeoutio.c, qmail-smtpd.c, dkimsign.h, dkimverify.h, dkimfunc.cpp, to name a few.

On Debian 9 there is no old version of openssl and it is discouraged to use old versions.

So the only way to use qmail is to compile it on an old, deprecated Linux system, because all new versions will come with openssl-1.1 and higher.

Thank you very much for your answer.


Subdomains emails errors

When sending an email to yyy@xx.domain.com, the sending is performed as yyy@domain.com, returning an error.
Any tips for correction?


Never seen this error

I've never seen this error. Are you using my combined patch?


test error

Yes. I'm using it.
How do you make a submission test and see if it is occurring in your installation account?
Please send a test to gustavo.ribes@br.cobogroup.net


It appears that your server

It appears that your server is an exim MTA. I can't be of any help, sorry


not Exim

My server is a qmail one, installed with the patches you indicated.

When I send emails to the address gustavo.ribes@br.cobogroup.net it removes the br and returns errors informing that the user gustavo.ribes@cobogroup.net does not exist.

Can you send a test email?


Sending a test mail

Sending a test mail returns an error message from mx1.cobospa.it which says that xxx@cobogroup.net does not exist.

What about that mx1.cobospa.it server? It appears to be a Sophos platform... maybe you have to check that all the MTAs that are routing your mails are configured to forward br.cobogroup.net to you


Patched and working

We have the latest stable combined patch for netqmail-1.06 v. 2017.05.14 and everything is looking good.

To compile I did have to manually kill some VPOPMAIL processes that were tying up qmail-smtpd. The error was

install: fatal: unable to write .../bin/qmail-smtpd: text busy

Thank you Roberto!


Bug in TLS patch

qmail-tls patch is buggy. qmail-remote server cert checking logic, if configured through tlshosts/, is broken: it'll consider *any* valid cert even if none of the alt/common names matches.

Something like this should fix this:

diff --git a/qmail-remote.c b/qmail-remote.c

index 40dbd31..f6b13b2 100644
--- a/qmail-remote.c
+++ b/qmail-remote.c
@@ -494,6 +494,7 @@ int tls_init()
     X509 *peercert;
     STACK_OF(GENERAL_NAME) *gens;
     int found_gen_dns = 0;
+    int matched = 0;

     int r = SSL_get_verify_result(ssl);
     if (r != X509_V_OK) {
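Review bot: `int matched = 0;` only carries meaning once `found_gen_dns` is set, and the two flags are read together in the last hunk; a one-line comment at the declaration, e.g. `/* set when a SAN dNSName matched partner_fqdn */`, would document that relationship for the next reader.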
@@ -517,7 +518,10 @@ int tls_init()
         const GENERAL_NAME *gn = sk_GENERAL_NAME_value(gens, i);
         if (gn->type == GEN_DNS){
           found_gen_dns = 1;
-          if (match_partner(gn->d.ia5->data, gn->d.ia5->length)) break;
+          if (match_partner(gn->d.ia5->data, gn->d.ia5->length)) {
+            matched = 1;
+            break;
+          }
         }
       }
       sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
@@ -540,6 +544,9 @@ int tls_init()
         out("ZTLS unable to verify server "); out(partner_fqdn);
         out(": received certificate for "); outsafe(&peer); TLS_QUIT;
       }
+    } else if (!matched) {
+      out("ZTLS unable to verify server ");
+      tls_quit(partner_fqdn, "certificate contains no matching names");
     }

     X509_free(peercert);
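Review bot: the `else if (!matched)` branch is the right behaviour for the gap described above (SAN dNSName entries present but none matching): failing here instead of falling through to the CN check follows RFC 6125 section 6.4.4, which says the CN must not be consulted once dNSName SANs are present. The message, however, is less useful than the CN branch's, which reports the name it received via `outsafe(&peer)`; consider remembering the first dNSName seen in the loop and printing it after "certificate contains no matching names", so an operator can tell a wrong control/tlshosts entry from a wrong certificate.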


Missing features.h on FreeBSD 10.2

Hi,

I applied the latest patch for netqmail, then ran make and received the error "missing features.h". How could I solve this?

I also tried with an older patch, and got the same error :(

I am using FreeBSD 10.2 64bit.

Thank you.


still no luck with many

Still no luck after many attempts; Google didn't return a positive result on this matter :(


Someone in the past already

Someone in the past already mentioned that my patch is not FreeBSD compliant. Unfortunately I don't have any FreeBSD machine to do tests.


I could prepare a server for

I could prepare a server for you to test it.
I will send you an email including an account shortly.

Thanks a lot.


Hi bzero

Hi bzero, thank you but this is not that kind of thing that I can do for free..


Ciao Roberto and hi to all

Ciao Roberto and hi to all the qmail users,

here I am again with a STRANGE problem occurring. I recently upgraded to the latest patch here, and I think that this is causing a problem:

2014-11-15
-modified the QUEUE_EXTRA variable in extra.h to record the Message-ID in the qmail-send's log. Thanks to Simone for the hint.

I have an account on my domain named log@[domain].[net]. Every single mail gets copied to this account since the upgrade!

I'm basically running into this configuration (http://cr.yp.to/qmail/faq/admin.html#copies)

----------------------------

How do I keep a copy of all incoming and outgoing mail messages?

Answer: Set QUEUE_EXTRA to "Tlog\0" and QUEUE_EXTRALEN to 5 in extra.h. Recompile qmail. Put ./msg-log into ~alias/.qmail-log.

You can also use QUEUE_EXTRA to, e.g., record the Message-ID of every message: run

     | awk '/^$/ { exit } /^[mM][eE][sS][sS][aA][gG][eE]-/ { print }'

from ~alias/.qmail-log.

----------------------------

I tried to remove the /var/qmail/alias/.qmail-log but nothing happens.

Is there a way to disable/reconfigure this feature without recompiling? If not, how can I remove that extra.h declaration in order to recompile without that feature?

Thank you !


you have to reverse that patch

You have to reverse that patch. Simply replace extra.h with the original file and recompile. Also remove .qmail-log.


Thank you Roberto. I was

Thank you Roberto. I was looking for a solution to keep the feature and disable it at run time; I will try with:

Set QUEUE_EXTRA to "Tlogother\0" and QUEUE_EXTRALEN to 8 in extra.h

to have the logging feature ready into the "logother@domain" alias. Otherwise I will just reverse the patch as you suggest and remove the feature.

Thank you !


extra.h

It is okay to enter the entire email address. Just change the length number to the number of characters minus 1.

#ifndef EXTRA_H
#define EXTRA_H

#define QUEUE_EXTRA "Tlog@co.ker.tx.us\0"
#define QUEUE_EXTRALEN 18

#endif
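The length rule above in code, as an added example and not qmail's own extra.h: QUEUE_EXTRALEN derived from the literal with sizeof, so it always covers the terminating NUL, plus a small checker that reads an (extra, len) pair as the single recipient record it becomes in the envelope. queue_extra_recipient is this example's own helper; the sizeof form is this example's suggestion.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not qmail's extra.h. QUEUE_EXTRA is copied into the envelope
 * as QUEUE_EXTRALEN raw bytes, and the envelope is read as a series of
 * 'T' + address + NUL records, so the count must include the NUL. The sizeof
 * form below gives 5 for "Tlog\0" and 18 for the address above: the literal's
 * explicit "\0" is counted and only the compiler's implicit terminator is
 * subtracted. */
#define QUEUE_EXTRA "Tlog@co.ker.tx.us\0"
#define QUEUE_EXTRALEN (sizeof QUEUE_EXTRA - 1)

/* Checks an (extra, len) pair as one well-formed recipient record and returns
 * the address it adds (a pointer into extra), or NULL when the type byte is
 * not 'T', no NUL lies within len (a short count: the following record's
 * bytes would be glued onto this address), or bytes are left over after the
 * NUL. This helper is the example's own, not a qmail function. */
const char *queue_extra_recipient(const char *extra, size_t len)
{
    const char *nul;

    if (len < 3 || extra[0] != 'T') return NULL;
    nul = memchr(extra + 1, '\0', len - 1);
    if (!nul) return NULL;                               /* truncated record */
    if ((size_t)(nul - extra) != len - 1) return NULL;   /* trailing bytes */
    return extra + 1;
}
```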


Woops! Not idiot proof.

Thanks Roberto for your hard work and excellent guide on qmail.

I am installing qmail for the first time on Debian and I got to the 'finally install and start qmail' (make setup check, qmailctl start) part on this page, but qmailctl did not run as it did not exist.

So I just spent an hour stressing out trying to work out why qmailctl and the supervise scripts didn't exist, and got it working on my own from LWQ, then came back here to continue and realised that you provide exact instructions for qmailctl and the supervise stuff to get it running in the next page, the configuration section!! OMG!! I am such an idiot, I know I should have read the whole guide first perhaps, but I think maybe you could indicate something around the finally install & start part to stop idiots like me wasting hours thinking their installation is messed up.

Thanks so much!


Woops! Not idiot proof.

THNX, I was fighting the same thing, because the cmd qmailctl was mentioned in the guide...


Woops! Not idiot proof.

OK, I added a warning :-)


:-)))

:-)))

George, you had to be very tired, not an idiot, and I think that in a normal situation this should not happen to you.

BTW I think it's not a good idea to add such obvious instructions, someone would be offended.. In addition the "install page" is just in the 4th page of the guide and the readers should consider all the following pages, as you already pointed out.


smtproutes - smtp-auth

Dear  Roberto,

I have a box A which was sending spams as one of the email accounts was compromised because of a weak password.

The IP was blacklisted and, to prevent more undelivered emails, I had decided to use box B to relay emails.

In box B, I had created an email account relay@boxb.com with password secret.

In box A, I had created the file smtproutes in /var/qmail/control/ and added an entry like this:

domain1.com:smtp.boxb.com relay@boxb.com secret

Emails from domain1.com are now relaying fine. In box A, I have about 60 domains and, being lazy, I decided to change the entry of smtproutes (box A) from domain1.com:smtp.boxb.com relay@boxb.com secret to :smtp.boxb.com relay@boxb.com secret

But now I started to get the below error

<email@remotedomain.com>:
Sorry, I couldn't find any host named smtp.boxb.com?relay@boxb.com?secret. (#5.1.2)

What is wrong with my smtproutes? And is this the best workaround until I have removed box A's IP from the blacklists?

regards

nic


Nic, the man page says that

Nic, the man page says that the correct syntax should be

:smtp.boxb.com|relay@boxb.com|secret


smtproutes

Hi Roberto,

Is the below syntax still working?

domain1.com:smtp.boxa.com|relay@boxa.com|secret
domain2.com:smtp.boxb.com|relay@boxb.com|secret

Thanks


smtproutes

Hi, I think yes. I don't think it has been modified. I'm using it just without pwd. Is it not working?


smtproutes

Not sure why it is not working for me. No bounce message.

Is there a syntax whereby certain domains use local delivery whereas others use multiple relays? Maybe I can troubleshoot from here.

Eg.

domain1.com:local
domain2.com:smtp.boxa.com|relay@boxa.com|secret
domain3.com:smtp.boxb.com|relay@boxb.com|secret

Thanks


smtproutes

Nic, 

domain1.com:

will route it to its own mx

Do you have Auth enabled on qmail-smtpd?
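The smtproutes forms discussed in this thread, parsed and looked up in code, as an added example that is not qmail's own: the space-separated entry that produced the "smtp.boxb.com?relay@boxb.com?secret" error, the relay|user|pass syntax from the man page, the "domain:" entry that routes to the domain's own MX, and a ".domain" entry for subdomains. The lookup order (exact domain, then each ".parent", then the empty default) is qmail-remote's; the assumption that a ":port" suffix precedes the "|" fields is this example's, and the routes table is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not qmail's own code. Parses control/smtproutes lines in the
 * forms discussed above and picks the route for a recipient domain the way
 * qmail-remote does. The "|user|pass" fields are the SMTP-AUTH syntax quoted
 * in the reply above; the ":port" suffix on the relay is plain qmail syntax,
 * and this example assumes it comes before the "|" fields. */

struct smtproute {
    char domain[256];   /* "", "dom" or ".dom" */
    char relay[256];    /* empty = look up the MX as usual ("domain1.com:") */
    unsigned port;      /* 0 = default SMTP port */
    char user[256];     /* empty = no authentication */
    char pass[256];
};

static void copyfield(char *dst, size_t dstlen, const char *s, size_t n)
{
    if (n >= dstlen) n = dstlen - 1;
    memcpy(dst, s, n);
    dst[n] = '\0';
}

/* Returns 1 and fills r, or 0 for a line that is not a valid route. A relay
 * containing spaces is rejected: qmail-remote takes everything after the first
 * ':' as the host, which turned "smtp.boxb.com relay@boxb.com secret" into the
 * host name "smtp.boxb.com?relay@boxb.com?secret" in the error above. */
int smtproutes_parse(const char *line, struct smtproute *r)
{
    const char *colon = strchr(line, ':');
    const char *rest, *bar, *bar2, *pcolon;
    size_t relaylen;

    memset(r, 0, sizeof *r);
    if (!colon) return 0;
    copyfield(r->domain, sizeof r->domain, line, (size_t)(colon - line));
    rest = colon + 1;

    bar = strchr(rest, '|');
    relaylen = bar ? (size_t)(bar - rest) : strlen(rest);
    if (memchr(rest, ' ', relaylen)) return 0;

    pcolon = memchr(rest, ':', relaylen);       /* optional relay:port */
    if (pcolon) {
        if (sscanf(pcolon + 1, "%u", &r->port) != 1) return 0;
        relaylen = (size_t)(pcolon - rest);
    }
    copyfield(r->relay, sizeof r->relay, rest, relaylen);

    if (bar) {
        bar2 = strchr(bar + 1, '|');
        if (!bar2) return 0;                    /* user given without password */
        copyfield(r->user, sizeof r->user, bar + 1, (size_t)(bar2 - bar - 1));
        copyfield(r->pass, sizeof r->pass, bar2 + 1, strlen(bar2 + 1));
    }
    return 1;
}

/* Looks up domain in a routes table, trying the keys in qmail-remote's order
 * ("a.b.c", ".b.c", ".c", ""); returns 1 and fills out when a route applies. */
int smtproutes_lookup(const char *const routes[], size_t nroutes,
                      const char *domain, struct smtproute *out)
{
    struct smtproute r;
    const char *key = domain;
    size_t i;

    for (;;) {
        for (i = 0; i < nroutes; i++)
            if (smtproutes_parse(routes[i], &r) && strcmp(r.domain, key) == 0) {
                *out = r;
                return 1;
            }
        if (*key == '\0') return 0;             /* not even a default route */
        if (*key == '.') key++;                 /* ".a.b" -> try ".b" next */
        key = strchr(key, '.');
        if (!key) key = "";                     /* finally the default entry */
    }
}

/* Constructed smtproutes file mirroring the entries discussed in the thread. */
const char *const demo_routes[] = {
    "domain1.com:",
    "domain2.com:smtp.boxa.com|relay@boxa.com|secret",
    ".domain2.com:smtp.boxa.com:587|relay@boxa.com|secret",
    ":smtp.boxb.com|relay@boxb.com|secret",
};
const size_t demo_nroutes = sizeof demo_routes / sizeof demo_routes[0];

int main(void)
{
    const char *ask[] = { "domain1.com", "domain2.com", "mail.domain2.com", "example.org" };
    struct smtproute r;
    size_t i;
    for (i = 0; i < sizeof ask / sizeof ask[0]; i++)
        if (smtproutes_lookup(demo_routes, demo_nroutes, ask[i], &r))
            printf("%-17s -> relay=\"%s\" port=%u user=\"%s\"\n", ask[i], r.relay, r.port, r.user);
    return 0;
}
```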


smtproutes

I don't know... I have to test it but I haven't got the time these days... sorry. Let me know if you solve


Thanks Roberto! It is

Thanks Roberto!

It is working well. Is this the best method for my case until I can get the IP delisted?

thanks again

nic


I think it is good enough. But

I think it is good enough. But in my opinion the most important thing is to recognize why that pwd was stolen.. was it a simple multiple trial via the imap or submission port? In that case use fail2ban. Or was it an sql exploit by means of a security hole in one of your hosted websites?


The user was using 1234 as

The user was using 1234 as the password. Sigh!

Many thanks again, Roberto!


I recently published a pwd

I recently published a pwd patch for qmailadmin, I think it can enforce the pwd complexity even though it is very rudimentary. Are you using fail2ban as suggested?


I saw the patch. Applying it

I saw the patch. Applying it now.

Thanks

nic


Is the patch in this

Is the patch in this tutorial? Let me read through again and let me add this into my present build. And yes, I am using fail2ban.

regards

nic


can not start up qmail-send

dear roberto

I use CentOS 7.0 to install qmail. If I do not install the qmail patch for netqmail-1.06, qmail runs properly, but I can only send mail to my own server and receive email from other mail servers; I cannot send mail to other mail servers (I think it is the qmail auth problem).

But when I installed the netqmail patch roberto-netqmail-1.06.patch-latest.gz (for qmail auth?), when I enter the command qmailctl start, qmail-send cannot come up and the qmail-send PID changes (after each qmailctl stat command), and if I enter the command "top" I find a lot of qmail-todo processes and the server becomes very slow. What can I do? Thank you.

A little summary

1. If I do not install roberto-netqmail-1.06.patch-latest.gz, I can send mail to my mail server and receive mail from other mail servers (some@somemail.com to my@mymail.com); I cannot send mail to other mail servers.

2. After the installation of roberto-netqmail-1.06.patch-latest.gz, qmail-send cannot start normally; its uptime keeps varying between 0 seconds and 1 second, and the server CPU is very high.

Can you give me any suggestion on this matter? Thanks very much!


Hi xia0sheng, as mentioned

Hi xia0sheng,

as mentioned above, the TODO patch included in my package may require that the queue be rebuilt. So, if you are sure that there are no messages in your queue, because it's just a testing server, stop qmail and try to kill all your qmail-todo processes like this

qmailctl kill

if those processes are still alive kill them manually.

Then erase your queue

rm -rf /var/qmail/queue

Now you can recompile qmail and restart

Let me know if this solved your issue


The many qmail-todo processes problem is also resolved

ldconfig -p|grep libsrs2

The server is CentOS 7.0; if I patch with "roberto-netqmail-1.06.patch-latest.gz", qmail-send cannot come up.

The problem is libsrs2. After installing libsrs2,

enter the command:

ldconfig -p|grep libsrs2

there is no result.

The resolution is:

1. vim /etc/ld.so.conf

2. add /usr/local/lib

3. save

4. ldconfig

5. ldconfig -p|grep libsrs2

The result will be correct.


I had built a new toaster on

I had built a new toaster on a VPS and also got flooded by qmail-todo which Roberto had mentioned.

"Be sure that libsrs2 is actually linked, otherwise you are going to have a qmail-send infinite crash and finally an auto-DoS"

I tried xia0sheng's method and it did not work, maybe because this is a CentOS 6.

So I added a custom file in /etc/ld.so.conf.d/

vim /etc/ld.so.conf.d/custom.conf

add the location of the libsrs2 library and mine is in /usr/local/lib

save

ldconfig
ldconfig -p|grep libsrs2

And the result

libsrs2.so.0 (libc6,x86-64) => /usr/local/lib/libsrs2.so.0
libsrs2.so (libc6,x86-64) => /usr/local/lib/libsrs2.so

My floodings stopped.

This might be better because my library for libev is also in the folder /usr/local/lib

ldconfig -p|grep libev

libev.so.4 (libc6,x86-64) => /usr/local/lib/libev.so.4
libev.so.4 (libc6,x86-64) => /usr/lib64/libev.so.4
libev.so (libc6,x86-64) => /usr/local/lib/libev.so

Just my $0.02


Thanks a lot. I found the same problem

Thanks a lot.

Your solution worked for me.

Ruben


Many thanx, had the same

Many thanx, had the same qmail-todo problem


still not work

dear roberto

Thanks very much for your reply. I did as you say, but the problem is still there.

In fact, I removed the /var/qmail/queue of my installation in my previous install path.

I did as you say, but when I enter the command qmailctl stat, qmail-send still cannot come up normally, and the log in /var/log/qmail/send/current has no error entries. Where can I find the error log of qmail-send for qmailctl stat?

I have another question: if I installed qmail before, but I want to delete it and rebuild it, is it OK to just delete the /var/qmail and /usr/local/src/netqmail-1.06 folders, and then make and patch /usr/local/src/netqmail-1.06? Is there any file or folder I should delete if I want to rebuild qmail? Or should I reinstall my Linux server?

I think maybe it is a problem of my CentOS 7.0 system.

I have only been learning qmail for a very short time; there is a lot of configuration I don't know.

Can you give me some advice about what I can do?

I wish you a nice weekend!


dear xia0sheng, I suppose

dear xia0sheng, I suppose that you recompiled qmail after erasing your queue. This is very strange. If I understand correctly:

  1. you stopped qmail, erased the queue and you have no more qmail-todo processes alive
  2. recompiled qmail
  3. started qmail
  4. your /var/log/qmail/send/current is empty

is it right?

When you want to recompile just follow these steps. I suppose that you have a folder with a patched qmail

  1. qmailctl stop
  2. erase the queue if it is the first time you install my patch
  3. cd to the source dir
  4. make clean
  5. make setup check (this will overwrite everything and rebuild the queue)
  6. qmailctl start


using auth_tls_force-tls.patch-latest patching is ok

Dear roberto:

I did as you say, but the problem is still there. So I changed to using "roberto-netqmail-1.06_auth_tls_force-tls.patch-latest" and everything is ok.

But I still cannot send mail to other email accounts; I can send email to my server and receive mail from other email accounts.

The error is "Please check the email , server reply: 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)". If I write 163.com into the file /var/qmail/control/rcpthosts, I can send email to my mail.163.com account.

I know it is maybe the qmail-auth problem, but I don't know how to solve it.

Can you give me some advice?

Thanks very much!


I can't be of much help if

I can't be of much help if you don't try to provide details of what is happening to your server. You forgot to reply to my previous questions...

Concerning your new problem, your localhost must have the RELAYCLIENT flag in your tcp.smtp and tcp.submission. You should read the "tcprules" page. I suggest you read carefully everything once again and perform all tests in the "Testing" page; I can assure you that it works :)


I'm sorry for the previous question

1. you stopped qmail, erased the queue and you have no more qmail-todo processes alive

    I stopped qmail and erased the queue, but because I did not know how to kill the many qmail-todo processes (before you told me to use "qmailctl kill"), I rebooted my server to kill the qmail-todo processes. I don't know why, after every reboot, I must first enter the command "svscanboot &" (it cannot auto-start) and only then can qmail start (of course I enter "svscanboot &" after patching qmail).
2. recompiled qmail

yes


3. started qmail

yes


4. your /var/log/qmail/send/current is empty

yes

Is it right? (All right except 1.)

When you want to recompile just follow these steps. I suppose that you have a folder with a patched qmail

1. qmailctl stop
2. erase the queue if it is the first time you install my patch
3. cd to the source dir
4. make clean
5. make setup check (this will overwrite everything and rebuild the queue)
6. qmailctl start

Then I did all you said above, but it still has the qmail-send problem (cannot come up)

after applying your full patch "roberto-netqmail-1.06.patch-latest.gz"

What I do next is:

7. svscanboot &

8. qmailctl start

9. qmailctl stat

    the status is

/service/qmail-send: up (pid 11702) 1 seconds
/service/qmail-send/log: up (pid 11592) 8 seconds
/service/qmail-smtpd: up (pid 11584) 8 seconds
/service/qmail-smtpd/log: up (pid 11587) 8 seconds
/service/qmail-submission: up (pid 11586) 8 seconds
/service/qmail-submission/log: up (pid 11591) 8 seconds
/service/vpopmaild: up (pid 11583) 8 seconds
/service/vpopmaild/log: up (pid 11585) 8 seconds

messages in queue: 0

messages in queue but not yet preprocessed: 0

10. qmailctl stat again

/service/qmail-send: up (pid 11742) 1 seconds
/service/qmail-send/log: up (pid 11592) 10 seconds
/service/qmail-smtpd: up (pid 11584) 10 seconds
/service/qmail-smtpd/log: up (pid 11587) 10 seconds
/service/qmail-submission: up (pid 11586) 10 seconds
/service/qmail-submission/log: up (pid 11591) 10 seconds
/service/vpopmaild: up (pid 11583) 10 seconds
/service/vpopmaild/log: up (pid 11585) 10 seconds
messages in queue: 0
messages in queue but not yet preprocessed: 0

So it cannot work.

And with your "roberto-netqmail-1.06_auth_tls_force-tls.patch-latest" everything is ok except sending mail to other mail servers.

the /home/vpopmail/etc/tcp.smtp is

10.0.0.:allow,RELAYCLIENT=""
127.:allow,RELAYCLIENT=""

the /home/vpopmail/etc/tcp.smtp is

:allow,CHKUSER_WRONGRCPTLIMIT="3"

If I send mail to another mail account, the error is

Please check the email <wangyouyu6@163.com>, server reply: 553 sorry, that domain isn't in my list of allowed rcpthosts; no valid cert for gatewaying (#5.7.1)

I will reread your testing page carefully tomorrow to find out if it solves my problem.

Thanks very much.

And if you want, I can give you a test account on my mail server; you could enter my mail server and see what happens (I have no problem with this, because the mail server is just a test server).

If you want this, I can send you the test account and password for my mail server (can you receive mail at your mail account roberto.puzzanghera@sagredo.eu?), and my email account is wangyouyu6@163.com


I'm sorry for the previous question

hi roberto,

I'm at exactly the same point as xia0sheng in 2015; how did you resolve it?

many thanks and kind regards


I'm sorry for the previous question

Let me explain my problem better. All seems fine, except when I try to send an email: it remains in the queue and lots of qmail-todo processes appear when I execute "top". It seems that it has entered an infinite loop.

I checked the log:

cat /var/log/qmail/smtpd/current

@400000006131272939ba7eec qlogreceived: result=accepted code=250 reason=queueaccept detail= helo=localhost mailfrom=carlos@autoexaming.com rcptto=chernandez@webfutura.online relay=yes rcpthosts= size=91 authuser= authtype= encrypted= sslverified=no localip=127.0.0.1 localport=25 remoteip=127.0.0.1 remoteport=35356 remotehost=localhost qp=1999 pid=1998

I believe the problem is in the part "remoteip=127.0.0.1" and "remotehost=localhost", but I don't know how I can fix it.

I cleaned the queue, patched, and recompiled qmail.


srs check

can you do this and post the response please?

ldconfig -p|grep libsrs2

then check the srs.c in your source dir and check that the same dir is reported there. For example

#include </usr/local/include/srs2.h>


srs check

In srs.c

#include </usr/local/include/srs2.h>


srs check

I think this is fine, and for some reason it is ignoring rcpthosts, because the log shows "rcpthosts=" not "rcpthosts=yes"

# ldconfig -p|grep libsrs2
libsrs2.so.0 (libc6,x86-64) => /usr/local/lib/libsrs2.so.0
libsrs2.so (libc6,x86-64) => /usr/local/lib/libsrs2.so


srs check

rcpthosts= is normal, but I agree that it should advertise that it considered the domain as rcpthost. This is eventually an issue of the log line verbosity.


I'm sorry for the previous question

Hi Carlos, can you please describe what the issue in your server is? I read the above from xiao and it is not clear to me...


I'm sorry for the previous question

I'm not absolutely sure, but I think there is a bug in the patch roberto-netqmail-1.06.patch-2021.08.22 in the chkuser part (I don't know if it is part of my previous problem).

On line 456 it says:

+ hostname the value of "TCPREMOTEHOST"

and I believe it must be:

remotehostname the value of "TCPREMOTEHOST"

I don't know if at some point the variable name is toggled or not, and if it causes the mistake that loops my qmail-todo processes


I'm sorry for the previous question

but CHKUSER.log_format is just an info file, which is not part of the program...


I'm sorry for the previous question

Yes, you are right.

Sorry, I wrote above as anonymous. When I send an email from my server (autoexaming.com) to an external domain (webfutura.online), a connection from 127.0.0.1 to 127.0.0.1 appears in my /var/log/qmail/smtpd/current:

@4000000061322839241167f4 qlogreceived: result=accepted code=250 reason=queueaccept detail= helo=localhost mailfrom=carlos@autoexaming.com rcptto=chernandez@webfutura.online relay=yes rcpthosts= size=88 authuser= authtype= encrypted= sslverified=no localip=127.0.0.1 localport=25 remoteip=127.0.0.1 remoteport=33472 remotehost=localhost qp=1287 pid=1279
@400000006132283b0c98c504 tcpserver: end 1279 status 0
@400000006132283b0c98d4a4 tcpserver: status: 0/200
@4000000061324c30147e1224 tcpserver: status: 0/200
@4000000061324c873434d094 tcpserver: status: 1/200
@4000000061324c8734399f0c tcpserver: pid 8425 from 127.0.0.1
@4000000061324c873446b2b4 tcpserver: ok 8425 autoexaming.com:127.0.0.1:25 localhost:127.0.0.1::33550
@4000000061324cc330c129bc tcpserver: end 8425 status 0
@4000000061324cc330c1395c tcpserver: status: 0/200


I'm sorry for the previous question

What do you have in your control/rcpthosts?

Please reply also to the other comment of mine here https://notes.sagredo.eu/en/qmail-notes-185/patching-qmail-82.html#comment2223

Reply |

i'm sorry for previous question

thank you so much in advance for your great job :)

(In my case I preferred the domain without the smtp. prefix in all vars, and when I generated the cert I wrote the same.)

$ cat /var/qmail/control/rcpthosts
autoexaming.com

Reply |

i'm sorry for previous question

remoteip=127.0.0.1 remotehost=localhost is normal as you are connecting to localhost from localhost. If you connect to your server from another server, because you want to send an email after the auth, then you will see the remote ip in remoteip, but this is mainly for the submission service.

Concerning your rcpthosts issue... sorry if I ask... are you sure not to have changed rcpthosts and forgot to restart qmail?

Concerning the todo loop (it seems to be a separate problem) what do you have in your queue? How many msg?

Reply |

i'm sorry for previous question

First of all, thanks a lot for your efforts :)

1) I'm trying to send from my localhost to an external server (a hosting that is working fine, not mine)

2) Concerning your rcpthosts issue... sorry if I ask... are you sure not to have changed rcpthosts and forgot to restart qmail?

Yes, indeed I recompiled everything, many times in the last days.

3) Concerning the todo loop (it seems to be a separate problem) what do you have in your queue? How many msg?

It is half-solved for me: it just enters the loop when I do qmailctl restart. When I want to restart qmail, I reboot the computer.

I tried to do this test: https://notes.sagredo.eu/en/qmail-notes-185/testing-qmail-smtp-and-auth-22.html#vpopmail

In the test "No valid MX test, mailbox syntax test" I get something strange:

# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 autoexaming.com ESMTP
mail from: unexistent@fakedomain.xxx
553 5.1.7 sorry, mailbox syntax not allowed (chkuser)
mail from: unexistent@fake_domain.xxx
553 5.1.7 sorry, mailbox syntax not allowed (chkuser)
quit

In the first case, according to the test example, it should be:

mail from: unexistent@fakedomain.xxx
550 5.1.8 sorry, can't find a valid MX for sender domain (chkuser)

Reply |

i'm sorry for previous question

your server looks very bad as many different (apparently unrelated) issues appear

I think it's better if you write me in private and continue there the investigation. Once solved we'll post here the solution

Reply |

ok, let me know once you have

ok, let me know once you have finished double-checking everything

Reply |

Everything is ok, Thanks very much.

dear  roberto:

Thanks very much, now everything is ok. I can use Roundcube to send and receive mail.

The problem was the configuration of Roundcube's config.inc.php file.

I chose "Use the current IMAP username and password for SMTP authentication" and then I could send mail to other mail accounts.

Thanks very much for the help these days.

Thanks very much....

from: xia0sheng

Reply |

still have problems

dear roberto:

I checked everything carefully, but still have some problems.

I can use Foxmail to send and receive mail to or from other mail accounts.

the setting is:

send server: smtp.wangyouyu.cn,

SSL (not selected)

port is 587

and I should select "use STARTTLS". With this setting, everything is ok.

But if I don't select "use STARTTLS", when I send mail the error is "538 auth not available without TLS (#5.3.3)"

and in the roundcube webmail the config.inc.php is 

<?php

/* Local configuration for Roundcube Webmail */

// ----------------------------------
// SQL DATABASE
// ----------------------------------
// Database connection string (DSN) for read+write operations
// Format (compatible with PEAR MDB2): db_provider://user:password@host/database
// Currently supported db_providers: mysql, pgsql, sqlite, mssql or sqlsrv
// For examples see http://pear.php.net/manual/en/package.database.mdb2.intro-dsn.php
// NOTE: for SQLite use absolute path: 'sqlite:////full/path/to/sqlite.db?mode=0646'
$config['db_dsnw'] = 'mysql://temp:XXXXXXX@localhost/roundcubemail';

// ----------------------------------
// IMAP
// ----------------------------------
// The mail host chosen to perform the log-in.
// Leave blank to show a textbox at login, give a list of hosts
// to display a pulldown menu or set one host as string.
// To use SSL/TLS connection, enter hostname with prefix ssl:// or tls://
// Supported replacement variables:
// %n - hostname ($_SERVER['SERVER_NAME'])
// %t - hostname without the first part
// %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
// %s - domain name after the '@' from e-mail address provided at login screen
// For example %n = mail.domain.tld, %t = domain.tld
// WARNING: After hostname change update of mail_host column in users table is
//          required to match old user data records with the new host.
$config['default_host'] = 'smtp.wangyouyu.cn';

// ----------------------------------
// SMTP
// ----------------------------------
// SMTP server host (for sending mails).
// To use SSL/TLS connection, enter hostname with prefix ssl:// or tls://
// If left blank, the PHP mail() function is used
// Supported replacement variables:
// %h - user's IMAP hostname
// %n - hostname ($_SERVER['SERVER_NAME'])
// %t - hostname without the first part
// %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
// %z - IMAP domain (IMAP hostname without the first part)
// For example %n = mail.domain.tld, %t = domain.tld
$config['smtp_server'] = 'smtp.wangyouyu.cn';

// SMTP port (default is 25; use 587 for STARTTLS or 465 for the
// deprecated SSL over SMTP (aka SMTPS))
$config['smtp_port'] = 587;

// provide an URL where a user can get support for this Roundcube installation
// PLEASE DO NOT LINK TO THE ROUNDCUBE.NET WEBSITE HERE!
$config['support_url'] = '';

// this key is used to encrypt the users imap password which is stored
// in the session record (and the client cookie if remember password is enabled).
// please provide a string of exactly 24 chars.
$config['des_key'] = 'al=t9fl&8A&Y+0D4rhipphsN';

// Automatically add this domain to user names for login
// Only for IMAP servers that require full e-mail addresses for login
// Specify an array with 'host' => 'domain' values to support multiple hosts
// Supported replacement variables:
// %h - user's IMAP hostname
// %n - hostname ($_SERVER['SERVER_NAME'])
// %t - hostname without the first part
// %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
// %z - IMAP domain (IMAP hostname without the first part)
// For example %n = mail.domain.tld, %t = domain.tld
$config['username_domain'] = 'wangyouyu.cn';

// Name your service. This is displayed on the login screen and in the window title
$config['product_name'] = 'xxxxxxx????';

// ----------------------------------
// PLUGINS
// ----------------------------------
// List of active plugins (in plugins/ directory)
$config['plugins'] = array('acl', 'additional_message_headers', 'archive', 'attachment_reminder', 'autologon', 'database_attachments', 'debug_logger', 'emoticons', 'enigma', 'example_addressbook', 'filesystem_attachments', 'help', 'hide_blockquote', 'http_authentication', 'identity_select', 'jqueryui', 'legacy_browser', 'managesieve', 'markasjunk', 'new_user_dialog', 'new_user_identity', 'newmail_notifier', 'password', 'redundant_attachments', 'show_additional_headers', 'squirrelmail_usercopy', 'subscriptions_option', 'userinfo', 'vcard_attachments', 'virtuser_file', 'virtuser_query', 'zipdownload');

// the default locale setting (leave empty for auto-detection)
// RFC1766 formatted language name like en_US, de_DE, de_CH, fr_FR, pt_BR
$config['language'] = 'zh_CN';

In the webmail, if I send mail to other mail accounts,

the error is "SMTP error: [553] sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)"

How can I set Roundcube to use STARTTLS like the Foxmail setting?

Thank you very much.

I really don't know what to do now.

Reply |

qmail-smtpd: read failed: (null) only with one sender

Hello Roberto,

I have a problem with mails coming from Amazon. Every mail sent from Amazon is not delivered because it shows the error qmail-smtpd: read failed. This error only happens with mails from the Amazon mail servers; I do not have this error with other mails. I have no clue what's wrong. Do you have an idea? Output from the log file:

tcpserver: pid 18422 from 54.240.0.89
tcpserver: ok 18422 0:::ffff:5.9.211.13:25 :54.240.0.89::32891
CHKUSER accepted sender: from <20141222011816fe8d1176403e4a1da936071f1208d53f-C24F0W6MS7QTYP@bounces.amazon.com|remoteinfo/auth:|chkuser-identify:> remote <helo:a0-89.smtp-out.eu-west-1.amazonses.com|remotehostname:unknown|remotehostip:54.240.0.89> rcpt <> : sender accepted
tcpserver: status: 1/20
qmail-smtpd: read failed: (null) from 54.240.0.89 to 20141222011816fe8d1176403e4a1da936071f1208d53f-C24F0W6MS7QTYP@bounces.amazon.com helo a0-89.smtp-out.eu-west-1.amazonses.com
tcpserver: end 18422 status 256

Regards,

Marc

Reply |

I think you should record the

I think you should record the smtp conversation by enabling recordio in your run file. Let me know if you solve it

Reply |

qmail-smtpd read failed - SPF Check was the problem

Hello Roberto,

thanks for the hint with recordio. I figured out that the SPF check was the problem:

@4000000054a81075289ded24 9091 > 451 SPF lookup failure (#4.3.0)
@4000000054a8107529ddac9c 9091 < RSET
@4000000054a8107529de0674 9091 > 250 flushed

When I changed the /var/qmail/control/spfbehavior entry to 1, mail from Amazon got through, and I noticed that it takes some time to process the mail.

I tried a manual spfquery for the Amazon mail and the check takes about 70 sec. So I think that the check takes too long and the qmail-smtpd process takes this as a timeout and rejects the mail because of that. Other SPF checks for other domains are working fast. Maybe I should try to change the DNS server entry? But it is strange that this happens only with Amazon servers.

Thanks for helping.

Reply |

  I would try a test

I would try a test like

dig amazon.com txt

and see if you get a timeout error or not

Reply |

qmail-send fail

Dear Roberto

I completely followed your notes; my email server can send email to another domain but cannot deliver to a local account.

I've tried to send from huyenha to nxhuy (2 accounts already created and logged in successfully) but it said:

failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/

qmail-send log:

@4000000054832f6635627354 new msg 2754774
@4000000054832f6635627b24 info msg 2754774: bytes 1228 from <huyenha@4trust.vn> qp 2158 uid 89
@4000000054832f6635627f0c starting delivery 1: msg 2754774 to local log@4trust.vn
@4000000054832f6635627f0c status: local 1/10 remote 0/20
@4000000054832f66356282f4 starting delivery 2: msg 2754774 to local nxhuy@4trust.vn
@4000000054832f66356282f4 status: local 2/10 remote 0/20
@4000000054832f66358539ac delivery 2: failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/
@4000000054832f6635e71474 status: local 1/10 remote 0/20
@4000000054832f6635f5b2a4 delivery 1: success: Received:_(qmail_2158_invoked_by_uid_89);_6_Dec_2014_11:31:24_-0500/Received:_(qmail_2158_invoked_by_uid_89);_6_Dec_2014_11:31:24_-0500/Received:_by_simscan_1.4.0_ppid:_2149,_pid:_2151,_t:_0.0077s/Received:_by_simscan_1.4.0_ppid:_2149,_pid:_2151,_t:_0.0077s/Received:_from_unknown_(HELO_mail.4trust.vn)_()/Received:_from_unknown_(HELO_mail.4trust.vn)_()/__by_0_with_SMTP;_6_Dec_2014_11:31:24_-0500/Date:_Sat,_06_Dec_2014_23:31:24_+0700/From:_huyenha@4trust.vn/To:_nxhuy@4trust.vn/Subject:_Re:_Fwd:_ssdfadf/In-Reply-To:_<e8dd61a49b9a353705819b4d656a3cbc@4trust.vn>/References:_<01988b8baeb0552fb9b3e52dbf482e6a@4trust.vn>/_<e8dd61a49b9a353705819b4d656a3cbc@4trust.vn>/Message-ID:_<8e9696acc4134d69e84119c5567ac871@4trust.vn>/Message-ID:_<8e9696acc4134d69e84119c5567ac871@4trust.vn>/---/did_0+0+2/
@4000000054832f6635f62bbc status: local 0/10 remote 0/20
@4000000054832f670250cbdc bounce msg 2754774 qp 2167
@4000000054832f670250d3ac end msg 2754774

Please help me!

Reply |

Duplicate emails

Hi, 

I made the installation of a new server. I have the same problems as mentioned: for every incoming or outgoing email, a copy of this email is sent to the account log@domain.com.

I reverted the patch and all works fine.

Any ideas???

Thanks

Reply |

This is normal, as the

This is normal, as the log@yourdomain.xy account is used to improve the qmail-send log. What do you have in your ~alias/.qmail-log file?

Reply |

The .qmail-log contains:|

The .qmail-log contains:

| awk '/^$/ { exit } /^[mM][eE][sS][sS][aA][gG][eE]/ { print } /^[rR][eE][cC][eE][iI][vV][eE][dD]:/ { print; } /^[fF][rR][oO][mM]:/ { print } /^[tT][oO]:/ { print } /^[sS][uU][bB][jJ][eE][cC][tT]:/ { print } /^[xX]-[mM][aA][iI][lL][eE][rR]/ { print } /[hH][eE][lL][oO]/{ print } /^[rR][eE][pP][lL][yY]-[tT][oO]/{ print } /^[rR][eE][tT][uU][rR][nN]-[pP][aA][tT][hH]/{ print } /^[cC][cC]:/{ print } /^[dD][eE][lL][iI][vV][eE][rR][eE][dD]-[tT][oO]/{ print } /^[dD][aA][tT][eE]:/{ print } / by /{ print } / id /{ print } /<.*>/{ print }'
| echo "---"

But the error is:

<log@domain.com>: Sorry, no mailbox here by that name. (#5.1.1)

And log:

@4000000054a7d4ad3592ce3c new msg 1322152
@4000000054a7d4ad3592d224 info msg 1322152: bytes 2377 from <> qp 4710 uid 1008
@4000000054a7d4ad359310a4 starting delivery 3: msg 1322152 to local domain.com-log@domain.com
@4000000054a7d4ad359310a4 status: local 1/10 remote 0/20
@4000000054a7d4ad35933f84 starting delivery 4: msg 1322152 to remote me@mail.es
@4000000054a7d4ad3593436c status: local 1/10 remote 1/20
@4000000054a7d4ad35c68c54 delivery 3: failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/
@4000000054a7d4ad35c75774 status: local 0/10 remote 1/20

Thanks!

Reply |

can you confirm that

can you confirm that domain.com (the domain inside control/me) really exists and has a valid MX record?

Reply |

Yes is correct!

Hi,

The MX is correct and set fine in control/me file.

Reply |

and you created the

and you created the domain with vpopmail?

Reply |

Yes

Yes, the domain was created with vpopmail, and I deleted and recreated the domain.

The domain is in the other control\files.

Reply |

  what control\files is

what control\files is needed for?

Reply |

I mean that the domain is

I mean that the domain is automatically added to other files in the folder Control (virtualdomains, rcpthosts, etc).

Reply |

No ideas at the moment, but 

No ideas at the moment, but you can make sure that the domain was actually created by trying to connect to the postmaster account, for example

telnet 0 89
login postmaster@domain.com PASSWORD

Reply |

Good news, I think I've found

Good news, I think I've found a possible reason: apparently aliases found in /var/qmail/alias are not working. I created a symbolic link to /home/vpopmail/domains/domain.com/.qmail-log and this is working now.

@4000000054a9350306110ffc delivery 19: success: Received:_(qmail_30229_invoked_by_uid_33);_4_Jan_2015_12:41:28_+0000/Received:_(qmail_30229_invoked_by_uid_33);_4_Jan_2015_12:41:28_+0000/To:_Arturo_Blanco_/To:_Arturo_Blanco_/Subject:_Re:_test_03/Date:_Sun,_04_Jan_2015_13:41:28_+0100/From:_user@domain.com/In-Reply-To:_/References:_/Message-ID:_/Message-ID:_/---/did_0+0+2/

Any idea why /var/qmail/alias does not work for me??

Reply |

mmh... do you have your

mmh... do you have your aliases stored in mysql db (vpopmail compiled with --enable-valias)?

Reply |

This configurator with the

It was configured with the --disable-valias option (I followed every step of your tutorial)

Reply |

root@mail:~# telnet 0

root@mail:~# telnet 0 89
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
+OK
login postmaster@domain.com pass
+OK+
vpopmail_dir /home/vpopmail
domain_dir /home/vpopmail/domains/domain.com
uid 89
gid 89
name postmaster
comment Postmaster
quota NOQUOTA
user_dir /home/vpopmail/domains/domain.com/postmaster
encrypted_password pass_encrypt
clear_text_password pass
no_password_change 0
no_pop 0
no_webmail 0
no_imap 0
bounce_mail 0
no_relay 0
no_dialup 0
user_flag_0 0
user_flag_1 0
user_flag_2 0
user_flag_3 0
no_smtp 0
domain_admin_privileges 1
override_domain_limits 0
no_spamassassin 0
delete_spam 0
no_maildrop 0
system_admin_privileges 0
.

Reply |

I realise that in qmail-send

I realise that in qmail-send log:

@4000000054832f66356282f4 starting delivery 2: msg 2754774 to local nxhuy@4trust.vn

must be:

@4000000054832f66356282f4 starting delivery 2: msg 2754774 to local 4trust.vn-nxhuy@4trust.vn

So I deleted the domain and re-added it; now it can deliver to the local account.

But that generates another error: it can't deliver to the "log alias" for the qmail-tap function

@400000005483d6841bf4da4c new msg 2754788
@400000005483d6841bf4de34 info msg 2754788: bytes 628 from <huyenha@4trust.vn> qp 11658 uid 89
@400000005483d6841bf4e21c starting delivery 1: msg 2754788 to local 4trust.vn-log@4trust.vn
@400000005483d6841bf4e604 status: local 1/10 remote 0/20
@400000005483d6841bf4e9ec starting delivery 2: msg 2754788 to local 4trust.vn-nxhuy@4trust.vn
@400000005483d6841bf4e9ec status: local 2/10 remote 0/20
@400000005483d6841ccb8f24 delivery 1: failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/
@400000005483d6841ccb96f4 status: local 1/10 remote 0/20
@400000005483d6841cced314 delivery 2: success: did_0+0+1/
@400000005483d6841cced6fc status: local 0/10 remote 0/20
@400000005483d6842401182c bounce msg 2754788 qp 11669
@400000005483d6842401c40c end msg 2754788

Reply |

I think this is because my

I think this is because my patch creates an alias /var/qmail/alias/.qmail-log which uses the same address as your tap address (http://notes.sagredo.eu/node/82#queue-extra). This alias is needed to improve the log of qmail-send. You can solve it by changing the tap address

Reply |

qmail-log alias

Hi Roberto ,

I have followed your excellent guide and installed my server. The issue is that for every mail that is sent or received it is trying to send a copy to some log alias. How can I disable that? Below is the message transcript.

Hi. This is the qmail-send program at akhurathacpl.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<log@akhurathacpl.com>:
Sorry, no mailbox here by that name. (#5.1.1)

--- Below this line is a copy of the message.

Return-Path: <support@akhurathacpl.com>
Received: (qmail 11804 invoked by uid 89); 12 Dec 2014 13:46:33 +0530
Received: by simscan 1.4.0 ppid: 11796, pid: 11799, t: 0.0938s
        scanners: attach: 1.4.0 clamav: 0.98.5/m:55/d:19764 spam: 3.4.0
Received: from unknown (HELO mail.akhurathacpl.com) (::1)
  by 0 with SMTP; 12 Dec 2014 13:46:33 +0530
Received-SPF: unknown (0: No IP address in conversation)
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="=_354b252cc407d8efce244ea9bc720ecc"
Date: Fri, 12 Dec 2014 13:46:20 +0530
From: support@akhurathacpl.com
To: support@akhurathacpl.com
Subject: test mail
Message-ID: <0703b9b216a5918c3639dcf4dad7d264@akhurathacpl.com>
X-Sender: support@akhurathacpl.com
User-Agent: Roundcube Webmail/1.0.3

--=_354b252cc407d8efce244ea9bc720ecc
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII

test

--=_354b252cc407d8efce244ea9bc720ecc
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN">
<html><body style=3D'font-size: 10pt; font-family: Verdana,Geneva,sans-seri=
f'>
<p>test</p>
<div>&nbsp;</div>
</body></html>

--=_354b252cc407d8efce244ea9bc720ecc--

I request your help in this regard.

Thanks

Reply |

you can revert this patch

you can revert this patch http://notes.sagredo.eu/node/82#queue-extra

anyway I think you have deleted the ~alias/.qmail-log alias or you don't have a valid mx for your control/me domain. Actually this is not a real mailbox but an alias created in order to improve the qmail-send log, so you may want to continue to use it

Reply |

qmail-log alias

Ahhh, now I get you. Actually this is a newly created server and I have still not pointed the MX to the new server's IP. Let me check by pointing a valid MX to the server.

Thanks a lot for your precious guidance; as always, you are a real life saver.

Reply |

I think you have a valid mx

I think you have a valid mx for your domain

$ dig akhurathacpl.com mx

; <<>> DiG 9.9.6-P1 <<>> akhurathacpl.com mx
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36916
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL:  0

;; QUESTION SECTION:
;akhurathacpl.com.              IN      MX

;; ANSWER SECTION:
akhurathacpl.com.       3600    IN      MX      10 mail.net4india.com.

;; Query time: 288 msec
;; SERVER: 213.205.32.70#53(213.205.32.70)
;; WHEN: Fri Dec 12 14:03:12 CET 2014
;; MSG SIZE  rcvd: 65

Reply |

and are you sure you are

and are you sure you are using my patch? I can't see chkuser in action... is it enabled?

Reply |

Yes, chkuser in action, this

Yes, chkuser in action, this is qmail-smtpd log:

@4000000054832fc82cfe8ff4 tcpserver: status: 1/20
@4000000054832fc82cffbcbc tcpserver: pid 2222 from ::1
@4000000054832fc82d009f4c tcpserver: ok 2222 0:::1:25 :::1::40420
@4000000054832fc82d3d331c CHKUSER accepted sender: from <huyenha@4trust.vn|remoteinfo/auth:|chkuser-identify:> remote <helo:mail.4trust.vn|remotehostname:unknown|remotehostip:::1> rcpt <> : accepted any sender always
@4000000054832fc82d66a47c CHKUSER accepted rcpt: from <huyenha@4trust.vn|remoteinfo/auth:|chkuser-identify:> remote <helo:mail.4trust.vn|remotehostname:unknown|remotehostip:::1> rcpt <nxhuy@4trust.vn> : found existing recipient
@4000000054832fc8304afbd4 simscan:[2222]:RELAYCLIENT:0.0045s:-:::1:huyenha@4trust.vn:nxhuy@4trust.vn
@4000000054832fc83547c734 mail recv: pid 2222 from <huyenha@4trust.vn> qp 2224
@4000000054832fc83547cb1c qmail-smtpd: message accepted: huyenha@4trust.vn from ::1 to nxhuy@4trust.vn helo mail.4trust.vn
@4000000054832fc907f41454 tcpserver: end 2222 status 0
@4000000054832fc907f41c24 tcpserver: status: 0/20

Reply |

can you show your

can you show your control/defaultdelivery?

Reply |

 Now it

 Now it is:
|/var/qmail/bin/preline -f /usr/local/dovecot/libexec/dovecot/deliver -d $EXT@$USER

I also tried "| /home/vpopmail/bin/vdelivermail '' bounce-no-mailbox"

But the result is the same error

Reply |

the content of the

the content of the defaultdelivery is

| /home/vpopmail/bin/vdelivermail '' bounce-no-mailbox

without quotes, right?

Reply |

dovecot issue?

It can be a dovecot issue (you should also look for dovecot-lda errors, especially in the sql driver).

But it's strange that you can't have it working when using vpopmail as the deliverer. Are there any .qmail files overriding the defaultdelivery?

Let's fix vpopmail first of all.

Reply |

I've change the

I've changed the control/defaultdelivery and ~vpopmail/domains/4trust.vn/.qmail_default to | /home/vpopmail/bin/vdelivermail '' bounce-no-mailbox"

But the error is still the same :(

Reply |

do you have double quotes?

do you have double quotes at the end of that line?

Reply |

Sorry, It's my mistake, i've

Sorry, it's my mistake. I've removed the double quote and re-tested. The error is still there.

Could it be a qmail error?

Reply |

can you send me in a private

can you send me in a private msg a strace of the smtp session?

Reply |

Hi, have you passed the

Hi, have you passed the vpopmail login test from the command line?

Reply |

I've follow your vpopmail

I've followed your vpopmail auth test at http://notes.sagredo.eu/node/22#vpopmail

the result is ok

telnet localhost 89
Trying ::1...
Connected to localhost.
Escape character is '^]'.
+OK
login nxhuy@4trust.vn 123456
+OK+
vpopmail_dir /home/vpopmail
domain_dir /home/vpopmail/domains/4trust.vn
uid 89
gid 89
name nxhuy
comment nxhuy
quota 524288000S
user_dir /home/vpopmail/domains/4trust.vn/nxhuy
encrypted_password $1$uk0Fi8aE$USOXMa6g9i0Rjgd9vgLx2/
clear_text_password 123456
no_password_change 0
no_pop 0
no_webmail 0
no_imap 0
bounce_mail 0
no_relay 0
no_dialup 0
user_flag_0 0
user_flag_1 0
user_flag_2 0
user_flag_3 0
no_smtp 0
domain_admin_privileges 0
override_domain_limits 0
no_spamassassin 0
delete_spam 0
no_maildrop 0
system_admin_privileges 0
.

Reply |

forcetls patch

Can you pls let me know how to remove the ForceTls patch from the big patch? I need the auth to work without tls.

Thank you!

Reply |

read above! :)

read above! :)

Reply |

DKIM and SRS = fail :-(

Hi,

if you use SRS, the DKIM filter fails, as it sets the original SENDER domain instead of the one specified in SRS. Any suggestions how to fix it?

cheers and thanks for your patches!

S.

Reply |

Can you post how the headers

Can you post what the headers look like when you use SRS?

I contacted M.Banghui, the author of the DKIM patch, and he told me that he can fix it.

Reply |

Sure :)

The DKIM is getting _SENDER, and SRS is providing to qmail the original Sender domain, instead of the one taken from /var/qmail/control/srs_domain.

BTW, why don't you move your awesome patchset to github? It would make things much easier :)

I would say I can work on the IPv6 part, as it is the only (but big) missing thing from your patches.

cheers,

S

Reply |

Hi, can you do a cut&paste of

Hi, can you do a cut&paste of the headers?

Actually, help on the IPv6 patch would be appreciated, as I have not much time these days, and I'm not an IPv6 expert. As you probably know M.Banghui has merged an IPv6 patch in his DKIM/SURBL and my plan is to add it to my package sooner or later :)

Reply |

qmail-todo problem

Firstly, thanks Roberto for your efforts in creating the patch. But I'm facing a critical problem after I patched qmail 1.6 with your patch: I have found my server load reached 250, and when I checked the processes I found that qmail-todo was consuming CPU terribly. But I don't know why this happened and what I should do, although I have applied the steps and installed qmail successfully.

Reply |

Re: qmail-todo problem

Hi Kamal,

I assume that you erased your queue in this way before installing the todo-patched qmail for the first time:

qmailctl stop
rm -rf /var/qmail/queue
make setup check

If yes please post a

ps axfuww | grep qmail 

The best way to investigate what qmail-todo is doing is using strace:

strace -Ff -o /tmp/qmail-strace.log -p <pid_of_qmail-todo>

Reply |

Re: qmail-todo problem

Hi Roberto,

Yes, I already erased the queue as you mentioned. I want to clarify something: I'm using the combined patch "roberto-netqmail1.06.patch-latest", NOT the todo-patch, but the problem is with the qmail-todo process that was consuming CPU.

Kindly find output details below,

strace.log
http://www.mediafire.com/view/9ptwzxri9xpptgr/qmail-strace.log

ps-axfuww.log
http://www.mediafire.com/view/1277h6de1g80xsn/ps-axfuww

Reply |

Maybe a libsrs problem did you

Maybe a libsrs problem: did you successfully install it? Did you ldconfig it?

Reply |

I think it's not a libsrs

I think it's not a libsrs issue, as in that case the compilation itself will break

Reply |

Re: qmail-todo problem

it seems to be an infinite loop...

when you stop qmail I would try to kill all those qmail-todo processes which don't belong to qmail-send anymore, and after that erase the existing queue, recompile and restart qmail

Reply |

Re: qmail-todo problem

I really did that, but unfortunately it's still the same: the load reached 270, and the server was going to explode.

Reply |

Hi, I have the same 

Hi,

I have the same problem.

I followed the howto line by line but nothing.

Have you found the solution?

thx

Reply |

Hi ruddur, can you describe

Hi ruddur, can you describe the problem you have?

Reply |

Roberto, Rudi, I took a

Roberto, Rudi,

I took a look at the problem..... so.... qmail-todo is launched by qmail-send. While doing a strace -f on the qmail-send supervise run file, I noticed this:

9011  stat("/usr/lib64", {st_mode=S_IFDIR|0755, st_size=167936, ...}) = 0
9011  writev(2, [{"qmail-send", 10}, {": ", 2}, {"error while loading shared libra"..., 36}, {": ", 2}, {"libsrs2.so.0", 12}, {": ", 2}, {"cannot open shared object file", 30}, {": ", 2}, {"No such file or directory", 25}, {"\n", 1}], 10) = -1 EBADF (Bad file descriptor)
9011  exit_group(127)                   = ?

Doing an ldd /var/qmail/bin/qmail-send, I realized that your libsrs2 is already included in your Slack64 but not under /usr/lib64. Instead you have it both under /usr/lib and /usr/local/lib.

I simply symlinked your libsrs2 to /usr/lib64 and everything is now working fine :)

Good troubleshooting exercise, right :)

Pierre

PS: salutations to you Roberto - always nice to hear from you my friend!

Reply |

Hi my friend, thanks for your

Hi my friend, thanks for your hint!

But I expect that qmail-send will find the library provided that /usr/local/lib is in my /etc/ld.so.conf, right? So the need to symlink into /usr/lib64 is not clear to me

Reply |
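Roberto's question above (does the loader find a library in /usr/local/lib once that directory is listed in /etc/ld.so.conf?) is what the `ldconfig -p | grep libsrs2` check further down the thread answers on a live system. As an added example that is not part of this page or of qmail, the following Python models the glibc search order on an in-memory stand-in for the filesystem: directories from ld.so.conf (following `include` globs, as the ld.so.conf.d layout uses), then the trusted default directories the loader searches even when unlisted. The trusted list is an assumption for a pure 64-bit build such as Slackware64 (/lib64 and /usr/lib64; Debian-style builds use /lib and /usr/lib), and hwcap subdirectories and LD_LIBRARY_PATH are left out. The FAKE_FS contents, the function names and the paths are constructed for the example; Pierre's situation (libsrs2 present in /usr/lib and /usr/local/lib, neither searched, a symlink into /usr/lib64 making it visible) is one of the three cases it reproduces.

```python
import fnmatch
import posixpath

# Directories the 64-bit glibc loader searches even when ld.so.conf is empty.
# Assumption: pure 64-bit build (SLIBDIR=/lib64, LIBDIR=/usr/lib64) as on Slackware64;
# Debian-style builds use /lib and /usr/lib here instead.
TRUSTED_DIRS = ["/lib64", "/usr/lib64"]

# Constructed stand-in for the filesystem: path -> text for config files,
# None for a library file that exists. Nothing is read from the real system.
FAKE_FS = {
    "/etc/ld.so.conf": "include /etc/ld.so.conf.d/*.conf\n",
    "/etc/ld.so.conf.d/local.conf": "# added by the admin\n/usr/local/lib\n",
    "/usr/local/lib/libsrs2.so.0": None,   # where `make install` put libsrs2
    "/usr/lib/libsrs2.so.0": None,         # 32-bit compat dir: not a 64-bit trusted dir
}


def parse_ld_so_conf(path, fs, seen=None):
    """Return the directories listed in `path`, expanding `include` globs recursively."""
    seen = set() if seen is None else seen
    if path in seen or fs.get(path) is None:
        return []
    seen.add(path)
    dirs = []
    for raw in fs[path].splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and blanks
        if not line:
            continue
        if line.startswith("include "):
            pattern = line[len("include "):].strip()
            if not pattern.startswith("/"):      # relative includes are conf-relative
                pattern = posixpath.join(posixpath.dirname(path), pattern)
            for cand in sorted(fs):
                if fnmatch.fnmatch(cand, pattern):
                    dirs.extend(parse_ld_so_conf(cand, fs, seen))
        else:
            dirs.append(line)
    return dirs


def search_path(fs, conf="/etc/ld.so.conf"):
    """Configured directories first (the order ldconfig records them), then trusted ones."""
    ordered = []
    for d in parse_ld_so_conf(conf, fs) + TRUSTED_DIRS:
        if d not in ordered:
            ordered.append(d)
    return ordered


def find_library(soname, fs, conf="/etc/ld.so.conf"):
    """Path the loader would resolve `soname` to, or None when it is not on the path."""
    for d in search_path(fs, conf):
        cand = posixpath.join(d, soname)
        if cand in fs and fs[cand] is None:
            return cand
    return None


if __name__ == "__main__":
    print("search path:", search_path(FAKE_FS))
    print("libsrs2.so.0 ->", find_library("libsrs2.so.0", FAKE_FS))
    # The failing case: drop the ld.so.conf.d entry, as if ld.so.conf never named /usr/local/lib.
    broken = {k: v for k, v in FAKE_FS.items() if k != "/etc/ld.so.conf.d/local.conf"}
    print("without /usr/local/lib listed ->", find_library("libsrs2.so.0", broken))
    # Pierre's workaround: a copy (or symlink) inside a trusted directory.
    fixed = dict(broken, **{"/usr/lib64/libsrs2.so.0": None})
    print("after symlink into /usr/lib64 ->", find_library("libsrs2.so.0", fixed))
```

The takeaway matches both comments: listing /usr/local/lib in ld.so.conf (and running ldconfig) is enough, and the symlink only works because /usr/lib64 is searched unconditionally. A library sitting in /usr/lib on a 64-bit-only build is invisible to the loader unless that directory is listed too.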

SRS2

Hi,

I am trying out the latest patch with SRS2. While compiling I had an error:

/usr/bin/ld: cannot find -lsrs2
collect2: ld returned 1 exit status
make: *** [qmail-local] Error 1

In the beginning it could not find the file srs2.h, so I downloaded it from http://www.filewatcher.com/p/libsrs2-dev_1.0.18-4_amd64.deb.14658/usr/include/srs2.h.html and copied it to /usr/local/include/

I am on CentOS 6 64 bits.

Thanks for helping.

nic

Reply |

You need libsrs2

You have to install the libsrs2 libraries, not only the srs.h, see above. Check if they are installed in this way

ldconfig -p|grep libsrs2

Reply |

ldconfig -p|grep libsrs2

Hi Roberto,

Successfully compiled libsrs2 but libsrs2 is not linked.

# ldconfig -p|grep libsrs2

<ends up with no results>

I'm using CentOS 5.8.  Thanks.

Reply |

Re: ldconfig and libsrs2

supposing that you remembered to run "ldconfig" after the compilation, where was libsrs2 installed? Check that the directory where it was installed is included in your /etc/ld.so.conf (or similar). If not, you should add it and run "ldconfig" again after that

Reply |

Hello,Yes i

Hello,

Yes, I did.

[root@beyond ~]# ldconfig -p|grep libsrs2
        libsrs2.so.0 (libc6,x86-64) => /usr/lib64/libsrs2.so.0

regards

nic


did you modify srs.c?

did you modify srs.c accordingly?


Didn't think of doing that.

Didn't think of doing that. What should I edit?

regards

nic


Nic, read above :)

Nic, read above :)


SSL CERTIFICATES

Hi Roberto

I successfully created the certificates and it works great; the only problem is that Mozilla Thunderbird, iPhone and Android show a warning because the certificate is not valid, but after configuring an exception it works. About this I have two questions.

First

Is there any chance to have different certificates for every domain?

Second

If I buy a "valid certificate", can I just copy it into the folder and it will work?

Thanks in advance


Enetcs as far as I know

Enetcs

as far as I know the e.h. auth patch works with a global certificate.

Yes, you simply have to copy the certificate into that folder, but when you buy a valid certificate you also get an "intermediate certificate" to be copied into the same folder, which assures that your cert is valid.


CHKUSER patch - how to disable!!

imho, the chkuser patch is way more problems than it's worth. It's blocking legit emails from namecheap, comodo, godaddy and others. How does one disable chkuser permanently? I've tried commenting it out of my qmail-submission/run and restarting qmail, chkuser is still running. grrr.


can you please provide log

can you please provide log details about the rejections for such providers? thank you


chkuser silently dropping

chkuser silently dropping mail! How do I completely disable chkuser?

2013-10-11 12:39:48.373851500 tcpserver: status: 1/20
2013-10-11 12:39:48.374029500 tcpserver: pid 28172 from 208.65.144.245
2013-10-11 12:39:48.374142500 tcpserver: ok 28172 0:::ffff:192.184.84.112:587 :208.65.144.245::35583
2013-10-11 12:39:48.621588500 CHKUSER accepted sender: from <ehip1mxb2o0kj8twj5yh0wz9nvb9wa04-b@news.columbiarestaurant.com::> remote <p02c11m083.mxlogic.net:unknown:208.65.144.245> rcpt <> : accepted any sender always
2013-10-11 12:39:48.767883500 tcpserver: end 28172 status 0
2013-10-11 12:39:48.767910500 tcpserver: status: 0/20


what make you think that it's

what makes you think that it's a chkuser fault? This is not a rejection, and this is the log of port 587, but you said that you have some incoming legitimate emails rejected, which should be received on port 25.


It blocks legitimate emails,

It blocks legitimate emails, it just sucks. Shouldn't be included in the net-qmail patch.


Tried commenting out of my

Tried commenting it out of my qmail/submission/run file, chkuser still running!

# cat /var/qmail/supervise/qmail-submission/run

#!/bin/sh
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
SOFTLIMIT=`cat /var/qmail/control/softlimit`
# You MUST export this, otherwise you'd get a 30 sec timeout
export
SMTPAUTH=""
# This enables greetdelay for qmail-smtpd.
export
SMTPD_GREETDELAY=0
# This enables chkuser
export
CHKUSER_START=NONE
# This enables simscan debug
#export
SIMSCAN_DEBUG=2
exec /usr/local/bin/softlimit -m "$SOFTLIMIT" \
    /usr/local/bin/tcpserver -v -H -R -l 0 \
    -x /home/vpopmail/etc/tcp.submission.cdb -c "$MAXSMTPD" \
    -u "$QMAILDUID" -g "$NOFILESGID" 0 587 \
    /var/qmail/bin/qmail-smtpd \
    /home/vpopmail/bin/vchkpw /bin/true 2>&1


again, this is the submission

again, this is the submission service, which has nothing to do with incoming emails. In any case you have an error. Correct it in this way:

export CHKUSER_START=NONE

but be aware that this should be done on the standard smtpd (port 25) service.


first of all, i think you can

first of all, I think you can try to take a look at the chkuser manual, to see how to fit it to your needs.

If you want to disable it, just comment it in your run file (in case you are following my configuration).

If you want to delete it from my package you have to look at the original patch and see what it modifies. I remember that it modifies only qmail-smtpd.c and the Makefile, apart from newly created files. You can easily recognise the modifications because there is a comment more or less like "chkuser patch starts here".


qmail-qmqpc.c change needed

Hi Roberto,

First, thanks for the patch collection. I ran across an issue that I thought I would make you aware of: one of the patches in this collection modifies the function signature of timeoutconn() in timeoutconn.c. I assume it's one of the TLS or AUTH patches, but I haven't tried to figure it out. In any case, the patch adds an additional parameter to the signature which is not present in the original calls to timeoutconn() in qmail-qmqpc.c.

None of the patches even touch qmail-qmqpc.c (probably because very few people make use of it), but I actually use it for SMTP servers. Crypto can put quite a load on older hardware, so I "spread the wealth" around with multiple SMTP servers using QMQP to send the messages to my queue machine.

In any case, the fix is pretty straightforward and I am going to try and post the patch here in this comment:

diff netqmail-1.06/qmail-qmqpc.c netqmail-1.06.patched/qmail-qmqpc.c
0a1,20
>   /*** 2013-08-24 Robbie Walker 
>   DESCRIPTION: the great collection of patches from Roberto Puzzanghera [ https://notes.sagredo.eu ]
>   includes changes to timeoutconn.c function signature as listed below. qmail-qmqpc.c also calls
>   timeoutconn and needs to be patched as well.
> > original timeoutconn() signature: > int timeoutconn(s,ip,port,timeout) > int s; > struct ip_address *ip; > unsigned int port; > int timeout; > > modifed timeoutconn() signature: > int timeoutconn(s,ip,outip,port,timeout) > int s; > struct ip_address *ip; > struct ip_address *outip; > unsigned int port; > int timeout; > */ > 104a125,126 > struct ip_address outip; > outip.d[0]=outip.d[1]=outip.d[2]=outip.d[3]=(unsigned char) 0; 112c134 < if (timeoutconn(qmqpfd,&ip,PORT_QMQP,10) != 0) { --- > if (timeoutconn(qmqpfd,&ip,&outip,PORT_QMQP,10) != 0) {
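Review bot: the zero-filled outip added at 104a125,126 means qmail-qmqpc always lets the kernel pick the source address, and nothing in the patch says that is intentional; add a comment at the declaration (or honour whatever outgoing-address setting the other callers of the new five-argument timeoutconn() use) so the difference from those callers is deliberate rather than accidental. Minor: "modifed" in the header comment should read "modified".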


Thanks for the fix

Hi Robbie, I'm going to add your fix to the next release, which will be out in a few days.

Thanks for the contribution :)


You're welcome

Glad to contribute!


SPF

Hi,

I noticed that SPF is not running properly. The IP consists of 4 fs.

Received: from unknown (HELO p14g.com) (::ffff:183.240.178.142)
  by 0 with SMTP; 28 Jul 2013 14:37:47 -0000
Received-SPF: unknown (0: No IP address in conversation)

Whereas my old box running on shupp toaster 0.9.4

Received: from unknown (HELO om-jetstar.rsys2.com) (12.130.139.139)
  by 0 with SMTP; 26 Jul 2013 03:02:52 -0000
Received-SPF: pass (0: SPF record at envfrm.rsys2.com designates

Am I right to say that the fs in front of the IP are affecting SPF?

Is there a fix or workaround?

regards
nic


Hi Nicholas, I think you are

Hi Nicholas,

I think you are right. The SPF patch is very old (the same embedded in shupp's combined patch) and is not compatible with IPv6. As far as I know there is no fix for this (but you can ask the author) or alternative SPF patches. If you find something interesting let me know.


But i am not on

But I am not on IPv6.

regards

nic


you are not in an IPv6 net

you are not in an IPv6 net, but that address ::ffff:183.240.178.142 is IPv6, and the SPF patch is not able to recognize such an IP

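As an added example (not code from the qmail patch set or from any SPF patch), this is the normalisation the SPF code would need in front of its lookup: an IPv6-capable tcpserver hands qmail-smtpd IPv4 clients as IPv4-mapped addresses like the ::ffff:183.240.178.142 seen in this thread, and the function below turns those back into the dotted quad the old code understands. The function name and the sample addresses are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Added example, not part of qmail or the SPF patch: turn the TCPREMOTEIP
 * value handed to qmail-smtpd into a dotted quad the old SPF code can use.
 * An IPv6-capable tcpserver reports IPv4 clients as IPv4-mapped IPv6
 * addresses ("::ffff:183.240.178.142"), which the SPF patch discussed in
 * this thread answers with "No IP address in conversation". Returns 1 and
 * fills out with the IPv4 form (dotted or hex "::ffff:b7f0:b28e" spelling
 * accepted, plain IPv4 passed through), 0 for a genuine IPv6 client. */
int unmap_v4(const char *in, char *out, size_t outlen)
{
    static const char prefix[] = "::ffff:";
    const char *p = in;
    unsigned a, b, c, d, hi, lo;
    char tail;

    if (strncasecmp(in, prefix, sizeof prefix - 1) == 0)
        p = in + sizeof prefix - 1;            /* skip the mapped prefix */

    /* dotted quad, mapped or bare; the trailing %c rejects junk after it */
    if (sscanf(p, "%3u.%3u.%3u.%3u%c", &a, &b, &c, &d, &tail) == 4
        && a < 256 && b < 256 && c < 256 && d < 256)
        return snprintf(out, outlen, "%u.%u.%u.%u", a, b, c, d) < (int)outlen;

    /* hex spelling of a mapped address, only meaningful after the prefix */
    if (p != in && sscanf(p, "%4x:%4x%c", &hi, &lo, &tail) == 2)
        return snprintf(out, outlen, "%u.%u.%u.%u",
                        hi >> 8, hi & 0xff, lo >> 8, lo & 0xff) < (int)outlen;

    return 0;                                   /* not IPv4 at heart */
}

/* Convenience check: 1 if in normalises to exactly want, else 0. */
int unmap_matches(const char *in, const char *want)
{
    char buf[16];                               /* "255.255.255.255" + NUL */
    return unmap_v4(in, buf, sizeof buf) && strcmp(buf, want) == 0;
}

int main(void)
{
    /* constructed inputs, based on the addresses quoted in this thread */
    const char *samples[] = { "::ffff:183.240.178.142", "::ffff:b7f0:b28e",
                              "12.130.139.139", "2001:db8::1" };
    char buf[16];
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s -> %s\n", samples[i],
               unmap_v4(samples[i], buf, sizeof buf) ? buf : "(not IPv4)");
    return 0;
}
```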

Understand now, Thanks, nic

Understand now

Thanks

nic


Hi Roberto, Manvendra Bhangui

Hi Roberto,

Manvendra Bhangui from IndiMail got it fixed.

http://sourceforge.net/p/indimail/bugs/55/#ac98

http://sourceforge.net/projects/indimail/files/Patches/qmail-1.03.patch.gz/download
Is it possible to get it into your combined patches?

regards
nic


Hi Nick, Manvendra Bhangui

Hi Nick, Manvendra Bhangui has already answered my requests. He is kind as always and provided details to make saout's SPF patch work with IPv6-mapped addresses as well. So I modified my big patch accordingly and this is a test version:

roberto-netqmail-1.06.patch-20130731testing.gz

It is important that you have the new ucspi-tcp6 installed, otherwise the filter on IPv6 clients will not work. I tested it both against the new tcpserver (ucspi-tcp6) and the original djb's ucspi-tcp-0.88 and they are both ok for IPv4 clients. Unfortunately I don't have any IPv6 net.

Test if you like and let me know :)


Hi Roberto, I also do not have

Hi Roberto,

I also do not have IPv6. Tested the new patch and it doesn't seem to be working:

Received: from unknown (HELO bay0-omc3-s14.bay0.hotmail.com) (::ffff:65.54.190.152)

regards
nic


So, if I understand well, you

So, if I understand well, you can't see the "Received-SPF: ...." line in the header?

Edit: Can you confirm that you are using ucspi-tcp6 or another tcpserver with IPv6 capabilities?


Roberto, Can you send me

Roberto,

Can you send me qmail-smtpd.c as an attachment. Just want to check the call to spfcheck() function.

Regards Manvendra


Hi Roberto, Received-SPF:

Hi Roberto,

Received-SPF: unknown (0: No IP address in conversation)

I am using ucspi-tcp6-0.98

regards
nic


Hi Nick, I will try to ask

Hi Nick, I will try to ask Manvendra Bhangui if he can provide more details. If he can, I will certainly update my patch.

The link to the download page is the big IndiMail patch and it's impossible (for me) to extract the modifications he did.

Thanks for the contribution

Roberto


0 instead of the server name

Hi Roberto,

Please take a look at how, in this thread, the mail server of this other user has the same issue I am discussing in another thread: the header is showing "0" instead of his server's name:

Received: from unknown (HELO p14g.com) (::ffff:183.240.178.142)
  by 0 with SMTP; 28 Jul 2013 14:37:47 -0000

This shows that this issue isn't specific to my environment here.

With our previous qmail installation, our FQDN would show up correctly there.

Cheers.


0 instead of the server name

yes, and he reports the same behaviour on another machine running shupp's patch, so this is not an issue with my patch...

but let's continue the discussion in the other thread


503_MAIL_first_(#5.5.1)

Hi, I need some help. After applying his combined patch, I get many emails with this error:

503_MAIL_first_(#5.5.1)

No mail that hits this error is delivered to my mailbox. I did a lot of googling and found nothing; could you help me?


Re: 503_MAIL_first_(#5.5.1)

Hi Fabiano, I think this is due to improper commands entered by the client. You should enable recordio inside your smtpd run file to record the entire SMTP conversation and try to find out the reason for the rejection. Post the SMTP dialog here if you like.


Bounce size limitation

Hi Everyone,

Has anyone come across a patch to limit the size of any type of bounce?

I had tried qmail-bounce.patch by Frank Denis. But it will only work if databytes is enabled.

Thanks
nic


SMTPAUTH

Hi, after applying the patch and exporting auth, CRAM-MD5 is not enabled:

220 my.domain.com ESMTP
ehlo
250-my.domain.com
250-STARTTLS
250-PIPELINING
250-8BITMIME
250-AUTH LOGIN PLAIN
250 SIZE 0

Do I need to export CRAM-MD5?

Thanks

Nic


cram-md5 auth

No, take a look at README.auth for details


Many thanks!

Many thanks!


Hi, thank you very much for

Hi, thank you very much for your work. I was wondering if it is possible to have a combined patch including ALL the patches above, EXCEPT for the BIG-TODO one. It is mentioned somewhere, but I couldn't find it.

Thanks again!


it should be quite simple to

it should be quite simple to reverse that patch, but for me it's already very time consuming to follow one single patch, so I can't fulfil all requests for changes. Anyway I'm always available as an advisor :)


Just want to say thank you

Just wanted to say thank you for pulling this all together in one page. It has been very helpful to have a single source location to get what I needed for qmail; your hard work is appreciated!


IPv6 support?

Does this version of netqmail, with your patch, support IPv6?
I mean SPF, setting RELAYCLIENT and other variables.

I found a patch for IPv6 netqmail-1.06:

But when I tried to apply it on top of the source with your patch, a lot of errors came out which I cannot cope with.

A few weeks ago I turned on full IPv6 support on my server; I also found a patch for an IPv6 tcpserver:
http://www.brandonturner.net/blog/2009/08/qmail-ipv6-tcpserver/
Spamdyke is still left, but that's my problem ;)

Cheers ;)


No, my combined patch doesn't support IPv6

No, my combined patch doesn't support IPv6. Unfortunately I don't have any IPv6 network to test the patches that are around.

cheers :)


Forcetls

Hi

I improved the Forcetls patch a little so that qmail does not offer authentication when it is not possible due to lack of TLS encryption:

http://pastebin.com/N4zBQZUu#

Still I would like to improve the fragment responsible for:

538 auth not available without TLS (# 5.3.3)
Connection closed by foreign host.

so that it properly closes the connection, as MUSTAUTH or SPFFAIL do:

-> QUIT
<- 221 example.com
=== Connection closed with remote host.

But I have no idea how to do it.

Cheers ;)


If my understanding

If my understanding of your code is correct, you want to allow auth with CRAM-MD5 when STARTTLS is not provided. So it's not clear to me why you want to close the door once you decided that it's the user's responsibility to secure the connection with TLS

538 auth not available without TLS (# 5.3.3)
Connection closed by foreign host.

In my opinion it would be the postmaster's responsibility to force TLS. If not, you may want to rename the "forcetls" label of this patch to something like "skiptls" :)


HI "If my understanding of

Hi, "If my understanding of your code is correct, you want to allow the auth with CRAM_MD5 when the user does not provide STARTTLS"

No, it's not at all about CRAM-MD5:

swaks -f user@example.com -t postmaster@example.com -s example.com --p 587 -au user@example.com -ap password
=== Trying example.com:587...
=== Connected to example.com.
<- 220 example.com ESMTP
-> EHLO localhost.localdomain
<- 250-wampir7.pl
<- 250-STARTTLS
<- 250-PIPELINING
<- 250-8BITMIME
<- 250-SIZE 67108864
<- 250 X Authorization requires an encrypted SSL or TLS connection
*** Host did not advertise authentication
-> QUIT
<- 221 example.com
=== Connection closed with remote host.

My goal was that the server does not offer authentication when it is not possible due to lack of TLS encryption, while offering it when encryption is enabled. Like this:

swaks -f user@example.com -t postmaster@example.com -s example.com --p 587 -au user@example.com -ap q --tls
=== Trying example.com:587...
=== Connected to example.com.
<- 220 example.com ESMTP
-> EHLO localhost.localdomain
<- 250-example.com
<- 250-STARTTLS
<- 250-PIPELINING
<- 250-8BITMIME
<- 250-SIZE 67108864
<- 250 X Authorization requires an encrypted SSL or TLS connection
-> STARTTLS
<- 220 ready for tls
=== TLS started w/ cipher DHE-RSA-AES256-SHA
=== TLS peer subject DN="/C=IT/ST=PL/L=TestO=Test/OU=IMAP server/CN=example.com/emailAddress=postmaster@example.com"
~> EHLO localhost.localdomain
<~ 250-example.com
<~ 250-PIPELINING
<~ 250-8BITMIME
<~ 250-SIZE 67108864
<~ 250 AUTH LOGIN PLAIN CRAM-MD5
~> AUTH CRAM-MD5
<~ 334 PDMyNjAwLjEzMzIyNDI3NjhAMD4=
~> dXNlckBleGFtcGxlLmNvbSAwMzFlYjgwNTE4OTcyODgwZWRlOWU5M2U1ZThhZDJjYw==
<~ 235 ok, go ahead (#2.0.0)
~> MAIL FROM:<user@example.com>
<~ 250 ok
~> RCPT TO:<postmaster@exammple.com>
<~ 250 ok
~> DATA
<~ 354 go ahead
~> Date: Tue, 20 Mar 2012 12:26:08 +0100
~> To: postmaster@exammple.com
~> From: user@example.com
~> Subject: test Tue, 20 Mar 2012 12:26:08 +0100
~> X-Mailer: swaks v20111230.0 jetmore.org/john/code/swaks/
~>
~> This is a test mailing
~>
~> .
<~ 250 ok 1332242769 qp 32604
~> QUIT
<~ 221 example.com
=== Connection closed with remote host.

That was my reservation: immediately disconnecting an authentication attempt without TLS is a workaround for the problem, but it solves it only partially.
This is not about CRAM-MD5; it is about the server not offering authorization when it cannot be carried out, so that no mail client tries to send the password without encryption.

Made sure that the CRAM-MD5 was exclusive, as before. ;)

I meant it to be solved better than Gmail. :D

Cheers ;)


I'm sorry but I'm not sure

I'm sorry but I'm not sure I have understood what you say towards the end of your message.

Anyway, are the tests you provide made using my patch or your modified one?

My goal was that the server did not provide authentication, authorization when it is not possible due to lack of TLS encryption:

This is exactly what my forcetls patch does, right?


Hi This is exactly what my

Hi

This is exactly what my forcetls patch does, right?

Exactly the point: I just wanted authorization not to be offered when it is impossible due to lack of TLS.

This is to avoid situations where someone sets, for example in Outlook, PLAIN authorization; then this Outlook tries to log in, and the error gets logged.

I prefer a system where the server does not offer authorization (AUTH) if it cannot be done, just like Gmail

Cheers ;)
