- Browse patched qmail on github
Changelog
- Sep 26, 2024
  - sources moved to github
  - solved (I think) all compilation errors/warnings against GCC 14.2
- Jul 10, 2024
  - Bug fix in qmail-smtpd.c's smtp_auth function, where an AUTH command with no argument or with an invalid one caused a segfault (commit)
- Jan 15, 2024
  - TLS patch by F. Vermeulen upgraded to version 20231230 (more info at https://inoa.net/qmail-tls/, thanks to Greg Bell for the patch)
    * support for openssl 3.0.11
- Mar 12, 2023
  - The mail headers change from "ESMTPA" to "ESMTPSA" when the user is authenticated over STARTTLS/SMTPS (thanks to Ali Erturk TURKER), diff here
- Feb 16, 2022
  - Fixed a TLS renegotiation DoS vulnerability: all renegotiation is disabled in TLSv1.2 and earlier (openssl-1.1 only). (diff here)
I have packaged the latest versions of the following patches for netqmail-1.06.
You may also be interested in the combined patch I have put together here.
qmail-authentication
- Author: Erwin Hoffmann (updates the previous work of Krzysztof Dabrowski and Bjoern Kalkbrenner)
- Version 0.8.3
- Info: http://www.fehcom.de/qmail/smtpauth.html
- README.auth
Provides CRAM-MD5, LOGIN and PLAIN authentication support.
Fixed an issue with wrong capabilities in the EHLO message (thanks to Florian and genconc): the "-" sign before the AUTH verb was removed, so that the AUTH line becomes the terminating line of the reply:
- if (smtpauth == 1 || smtpauth == 11) out("250-AUTH LOGIN PLAIN\r\n"); - if (smtpauth == 3 || smtpauth == 13) out("250-AUTH LOGIN PLAIN CRAM-MD5\r\n"); - if (smtpauth == 2 || smtpauth == 12) out("250-AUTH CRAM-MD5\r\n"); + if (smtpauth == 1 || smtpauth == 11) out("250 AUTH LOGIN PLAIN\r\n"); + if (smtpauth == 3 || smtpauth == 13) out("250 AUTH LOGIN PLAIN CRAM-MD5\r\n"); + if (smtpauth == 2 || smtpauth == 12) out("250 AUTH CRAM-MD5\r\n");
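Review bot: dropping the "-" turns each of these three out() calls into the terminating line of the EHLO reply, so the fix is only correct while AUTH is the last capability printed; a client stops reading a multi-line reply at the first "250 " line and will take any line printed after it as the answer to its next command, so whoever appends a capability after this point (a SIZE line, for instance) must restore "250-AUTH ..." here. Also, when smtpauth matches none of the six values, none of these three lines is printed, so that path must still close the reply with a "250 " line of its own; a one-line comment next to the conditions would make both constraints visible to the next person editing smtp_ehlo().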
Remember to restore the "-" sign if you are going to append a new line to the EHLO message after the AUTH line.
qmail-tls
- Author: Frederik Vermeulen
- Info: http://inoa.net/qmail-tls/
- Version 20231230
Implements TLS-encrypted and authenticated SMTP between MTAs and from MUA to MTA.
force-tls
- Author: Marcel Telka
- Download original
- Version: 2016.05.15
Optionally makes qmail require TLS before authentication, so that credentials are never accepted over a cleartext connection.
Usage
Create users and groups:
groupadd nofiles
useradd -g nofiles -d /var/qmail/alias alias
useradd -g nofiles -d /var/qmail qmaild
useradd -g nofiles -d /var/qmail qmaill
useradd -g nofiles -d /var/qmail qmailp
groupadd qmail
useradd -g qmail -d /var/qmail qmailq
useradd -g qmail -d /var/qmail qmailr
useradd -g qmail -d /var/qmail qmails
Download and install:
git clone -b auth-tls-forcetls https://github.com/sagredo-dev/qmail.git
cd qmail
chown -R root:root .
make setup check
Forcing STARTTLS
By default, authentication is refused unless the client has first issued the STARTTLS command. If you want to allow authentication without TLS, put
export FORCETLS=0
in your run file. Any value other than 0, or no FORCETLS declaration at all, forces TLS before AUTH. Keep in mind that with FORCETLS=0 the LOGIN and PLAIN mechanisms send the password in clear text, so only use it on a network you trust.
Managing auth options
You may want to take a look at the README.auth file, especially if you are planning to enable CRAM-MD5 auth.
Be aware that you have to export SMTPAUTH in your run file.
Creating an SSL key file
To secure SMTP authentication you must create the SSL certificate. The certificate file must be owned by the user who runs qmail-smtpd, in our case vpopmail; it also contains the private key, so do not make it readable by more users than necessary.
> make cert
Generating a 1024 bit RSA private key
..................++++++
.......++++++
writing new private key to '/var/qmail/control/servercert.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IT
State or Province Name (full name) [Some-State]:Italy
Locality Name (eg, city) []:Cagliari
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your Name
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:smtp.yourdomain.net
Email Address []:postmaster@yourdomain.net
> make tmprsadh
> chown vpopmail:vchkpw /var/qmail/control/*.pem
It is important that the “Common Name” matches the host name that your email clients will specify as their SMTP server, because that is the name the client verifies the certificate against. Note also the key size in the transcript above: 1024-bit RSA is no longer considered adequate, so check the size that make cert generates on your system and regenerate with at least 2048 bits if it is smaller.
Now let’s create a cron job that regenerates the temporary RSA and DH parameters every day (the certificate itself is not touched):
> crontab -e
03 05 * * * /var/qmail/bin/update_tmprsadh > /dev/null 2>&1
Important: if you run qmail-submission as a user other than vpopmail, and you’re installing my combined patch, you must adjust /var/qmail/bin/update_tmprsadh accordingly. Otherwise you’ll probably exceed the connection timeout due to privilege problems, and won’t be able to send messages when connected remotely.
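The checker below exercises what the "Forcing STARTTLS" and "Managing auth options" sections describe, together with the Common Name requirement of this section. It is example code added to these notes, not part of qmail or of the patches: it parses EHLO replies with the same continuation rule the AUTH capability fix above is about, flags AUTH offered or accepted before STARTTLS, AUTH missing after STARTTLS and unauthenticated relaying, and, when run against a live server, lets ssl.create_default_context() fail the STARTTLS step if the certificate does not match the name you pass. The host name smtp.example.net, the constructed reply transcripts and the dummy AUTH PLAIN credentials are assumptions.

```python
"""Checker for a qmail-smtpd submission service patched as described above.

Example code added to these notes; not part of qmail or of the patches.
The reply transcripts are constructed from the replies quoted on this page.
"""
import re
import smtplib
import ssl
import sys

# One reply line: 3-digit code, then "-" (more lines follow) or " " (last line).
_REPLY_LINE = re.compile(rb"^(\d{3})([ -])(.*)$")


def parse_reply(raw):
    """Split a raw multi-line SMTP reply into (code, [text, ...]).

    Enforces the continuation rule the EHLO fix above is about: every line
    but the last must read "250-...", and only the last may read "250 ...".
    """
    lines = raw.rstrip(b"\r\n").split(b"\r\n")
    code, texts = None, []
    for i, line in enumerate(lines):
        m = _REPLY_LINE.match(line)
        if m is None:
            raise ValueError("malformed reply line: %r" % line)
        c, sep, text = m.groups()
        if code is None:
            code = int(c)
        elif int(c) != code:
            raise ValueError("reply codes differ within one reply")
        is_last = i == len(lines) - 1
        if (sep == b" ") != is_last:
            raise ValueError("wrong continuation marker on line %d: %r" % (i + 1, line))
        texts.append(text.decode("ascii", "replace"))
    return code, texts


def is_well_formed(raw):
    """True when parse_reply() accepts the reply."""
    try:
        parse_reply(raw)
    except ValueError:
        return False
    return True


def ehlo_extensions(raw):
    """Return {EXTENSION: params} from an EHLO reply (greeting line skipped)."""
    code, texts = parse_reply(raw)
    if code != 250:
        raise ValueError("EHLO rejected with %d" % code)
    exts = {}
    for text in texts[1:]:
        name, _, params = text.partition(" ")
        exts[name.upper()] = params
    return exts


def audit(exts_before, auth_code, exts_after, rcpt_code):
    """Findings for one submission-port conversation; an empty list means OK.

    exts_before  extensions advertised by EHLO before STARTTLS
    auth_code    reply code to an AUTH attempt made before STARTTLS
    exts_after   extensions advertised by EHLO after STARTTLS
    rcpt_code    reply code to RCPT TO for a remote domain, without AUTH
    """
    before = {k.upper() for k in exts_before}
    after = {k.upper() for k in exts_after}
    findings = []
    if "STARTTLS" not in before:
        findings.append("STARTTLS not offered: check that servercert.pem is readable")
    if "AUTH" in before:
        findings.append("AUTH offered on the cleartext connection: FORCETLS is not in effect")
    if 200 <= auth_code < 400:  # 235 (success) or 334 (challenge) both mean accepted
        findings.append("AUTH accepted before STARTTLS: passwords could travel in the clear")
    if "AUTH" not in after:
        findings.append("AUTH not offered after STARTTLS: vchkpw not called or SMTPAUTH not exported")
    if rcpt_code == 250:
        findings.append("relay accepted without AUTH: this is an open relay")
    return findings


# Constructed replies; the extension lines match the ones quoted on this page.
EHLO_PLAIN = (b"250-smtp.example.net\r\n250-STARTTLS\r\n250-PIPELINING\r\n"
              b"250-8BITMIME\r\n250 SIZE 0\r\n")
EHLO_TLS = (b"250-smtp.example.net\r\n250-PIPELINING\r\n250-8BITMIME\r\n"
            b"250-AUTH LOGIN PLAIN CRAM-MD5\r\n250 SIZE 0\r\n")
# The pre-fix bug from the qmail-authentication changelog: "250 AUTH" ends the
# reply early, so a client would read "250 SIZE 0" as the answer to its next command.
EHLO_BROKEN = (b"250-smtp.example.net\r\n250-STARTTLS\r\n"
               b"250 AUTH LOGIN PLAIN\r\n250 SIZE 0\r\n")


def probe(host, port=587, timeout=15):
    """Run the four-step conversation against a live server (needs network).

    `host` must be the name your clients use: create_default_context() makes
    starttls() raise ssl.SSLCertVerificationError unless the certificate's
    CN or SAN matches it.
    """
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        exts_before = dict(s.esmtp_features)
        # AUTH PLAIN with the dummy identity "a"/"a" (constructed); a server
        # enforcing FORCETLS must answer with a 5xx here.
        auth_code, _ = s.docmd("AUTH", "PLAIN AGEAYQ==")
        s.starttls(context=ctx)
        s.ehlo()
        exts_after = dict(s.esmtp_features)
        s.mail("probe@example.invalid")
        rcpt_code, _ = s.rcpt("nobody@example.com")
        return audit(exts_before, auth_code, exts_after, rcpt_code)


if __name__ == "__main__":
    for finding in probe(sys.argv[1]) or ["no findings"]:
        print(finding)
```

Run it as python3 checker.py smtp.yourdomain.net from a host outside your network: no findings means the four checks passed. With FORCETLS=0 you should expect the two findings about AUTH on the cleartext connection, which is exactly the trade-off the "Forcing STARTTLS" section warns about.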
I have written a page about creating a third-party (Let's Encrypt) certificate for qmail. More info here.
Comments
qmail-authentication-0.8.3 patch
Iqbal May 2, 2024 03:29 CET
I wanted to patch my qmail with SMTPAUTH but I couldn't download the qmail-authentication-0.8.3 patch from http://www.fehcom.de/qmail/smtpauth.html (the link is broken) and have tried to contact the owner but haven't had any response yet. I was wondering if you'd have a copy of that patch which you can share.
qmail-authentication-0.8.3 patch
Roberto Puzzanghera Iqbal May 2, 2024 07:21 CET
Yes, look here: https://notes.sagredo.eu/files/qmail/patches/authentication/
qmail-authentication-0.8.3 patch
iqbal Roberto Puzzanghera May 2, 2024 09:44 CET
Perfect. Thank you!
Need qmail-smtp with starttls
Munish January 25, 2023 17:35 CET
Hi,
I am using qmail just for incoming messages, I don't need to send anything out.
I have to run qmail with STARTTLS.
But when I run ehlo google.com, it's not showing STARTTLS. I am running qmail-1.03 and applied the patch on it.
Below is my qmail-smtpd/run file:
Need qmail-smtp with starttls
Roberto Puzzanghera Munish January 25, 2023 17:52 CET
Hi, which patch did you apply?
Sending problem
alex2525 March 18, 2022 10:15 CET
Hi Roberto,
I installed the "smtp-auth + qmail-tls + forcetls patch for qmail" following your instructions on AlmaLinux 8.5.
Installed without pop-before-smtp, as:
After starting qmail, if I try to send email using SMTP-AUTH on port 465 [SSL], "553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)" occurs.
I can receive email using the port 995 setting; pop3 and pop3s are stable. If I add the domain name I want to send to into rcpthosts, I can send.
I can't understand what mistake I made.
There is no error log in /var/log/maillog or messages when it fails.
Please give me some advice.
Best Regards.
Sending problem
Roberto Puzzanghera alex2525 March 18, 2022 11:11 CET
Hi,
I'm not sure that this patch can work with port 465 + auth. If you don't have a particular reason to do the auth on port 465, use the submission service on 587 and it will work.
Sending problem 2
alex2525 Roberto Puzzanghera March 19, 2022 19:55 CET
Hello, thank you for reply.
I changed the port from 465 to 587, but my mail client displays the error "this server does not correspond to STARTTLS, please check the port setting of the server".
After trying to send mail through smtps 465, /var/log/messages is as below (no error):
I guess some environment variables are not transmitted to "tcp-smtp", like open-smtp with the pop-before-smtp option.
In my present condition, if I want to send email to a Gmail address, I must write "gmail.com" in "rcpthosts" every time, which is inconvenient.
My cert file is made by Let's Encrypt, and I combined the private key and cert into one file.
My SMTPS starting script is below:
Some files' status are:
Sending problem 2
Roberto Puzzanghera alex2525 March 19, 2022 20:16 CET
Hi, I can't be of any help with the configuration of smtps on port 465, because I don't use it.
As far as port 587 is concerned, did you install ucspi-tcp6? If yes, post your qmail-submission/run file, the entire smtp conversation via "telnet yourserver 587" and the log lines.
Sending problem 3
alex2525 Roberto Puzzanghera March 20, 2022 06:46 CET
Hi Roberto, thank you for helping me.
I re-installed ucspi-tcp6 as below:
and you showed me the latest patch link, so I re-installed qmail-1.06 with your patch.
My submission starting script is as below:
[1004 and 1001 are qmaild's]
I try to connect to my server.
※myserverdomain is added to my server by vpopmail.
In this operation, there is no error in /var/log/messages.
If I add "mailto@gmail.com" into "rcpthosts",
I can send and receive email.
I installed vpopmail without pop-before-smtp, of course.
There is no open-smtp file in the /vpopmail/etc directory.
I find it strange that there is NO error from "SMTP-Auth".
If SMTP authentication is enabled, the message "530 Sorry, please use SMTP-AUTH instead" should be displayed.
And does this "ucspi-tcp6" not support SSL? I cannot set the 995 pop3s port, because I get an error.
I know I still haven't learned enough about mail system.
Sorry for the hassle.
Sending problem 3
Roberto Puzzanghera alex2525 March 20, 2022 11:14 CET
This line in your run file
points to a missing executable.
Please double check your configuration.
Sending problem 3
Roberto Puzzanghera alex2525 March 20, 2022 09:05 CET
> My submission starting scripts is as below:
> /usr/local/bin/tcpserver -H -R -l0 -x /home/vpopmail/etc/tcp.smtp.cdb \
First of all, I suggest using separate tcprules for smtp and submission. You can simply have
for tcp.submission.
Secondly, I recommend doing these initial tests with an essential configuration, so I suggest commenting out this
in your run file.
Thirdly, can you confirm that this patch is not installed over other qmail patches?
Do you have
in your run file?
It's always better if you post the entire run file here...
> I try to connect my server.
The 553 error is normal, as this is not an open relay. It will deny you from sending as long as you don't authenticate.
But you can't auth, because AUTH is advertised only after STARTTLS, and you have that 454 TLS missing certificate error.
You can do the auth without TLS if you turn off STARTTLS with this option in your run file
and restart qmail. But in this case you are sending your password in clear text over the internet.
Therefore you have to solve your certificate problems.
> And does this "ucspi-tcp6" not support SSL ? I can not set 995 pop3s port, cause I get error.
Of course it does. Your problems are due to a missing TLS certificate.
How are you creating your certificate?
Sending problem 3
Anonymous Roberto Puzzanghera March 20, 2022 12:16 CET
Hi Roberto, thank you for supporting me.
I revised some files following your advice:
tcp.smtp >> :allow
export SMTPAUTH="!" << added to run file
My cert key is named "cert.pem" in /var/qmail/control, but I changed it to "servercert.pem".
After restarting qmail, a "clientcert.pem" file is made automatically (it's a symlink to servercert.pem).
※my cert key is made using Let's Encrypt, and I combined them into one file.
But my mail client's result says "530 authentication required [5.7.1]".
It was "553 not allowed rcpthosts" before, and "STARTTLS" is enabled.
I can receive email, which means I am authenticated, but sending by 587 gets an auth error.
There still seems to be a mistake.
As a supplementary explanation of my mail system: I run the mail process under systemd, I registered it as a system service.
I use the "systemctl start|stop qmail" command.
system file /etc/systemd/system/qmail.service
run file /etc/qmail/exec_qmail
Sending problem 3
Roberto Puzzanghera Anonymous March 20, 2022 13:51 CET
As already said in my previous reply and as qmail's output says, you can't authenticate without TLS.
I see that your configuration is very personal. I've never seen all the run scripts in one single file. If you don't have a particular reason to do it like this, I suggest reading and following these pages at least until the "Testing qmail" one.
I don't want to sound rude, but maintaining this guide and patches is already very time consuming and I don't always have extra time to fix other broken configurations.
Problem Receiving mail from (only) gmail
bellfox ace December 14, 2020 05:52 CET
Dear Roberto,
I've got something strange with qmail-tls. I used FreeBSD and I've installed qmail (non-tls) and qmail-tls from FreeBSD ports at different times (because FreeBSD ports can't install qmail & qmail-tls at the same time). When I installed qmail (non-tls) I had no problem sending or receiving email from any common mail server such as Gmail, Yahoo, Outlook, even my company mail server. But when I installed qmail-tls, I can still send email to all of them, and I can receive from all of them except from Gmail. I've been monitoring the logs for qmail-smtpd, qmail-send, qmail-pop3d, and qmail-queue with tail -f while sending email from Gmail, but no log was coming in. I have no idea about it. Do you have any suggestion? Is it because Gmail uses TLS 1.3 while the others still use TLS 1.2? Or something I've missed?
Thanks for your help, as before.
Problem Receiving mail from (only) gmail
Roberto Puzzanghera bellfox ace December 14, 2020 13:57 CET
Dear bellfox ace,
If you don't see anything in the logs, your server didn't receive anything... are you sure that you don't even have a connection from an external IP, like the following?
Problem Receiving mail from (only) gmail
bellfox ace Roberto Puzzanghera December 15, 2020 07:51 CET
dear Roberto,
Yes, you're right, there are logs in qmail-smtpd (current) coming in. Besides, after a day Gmail responded to me with a message which I guess it takes from TLS testing when it tries to send email to my domain, such as:
After telnet localhost 25, I do ehlo then starttls, and I've got this error message, which I guess Gmail gets too. I am really confused, because I can send email to Gmail normally, and I examined the original/plain message: the message I sent was completely encrypted (TLS). But the other way round, it fails. Would you mind giving me some suggestion to solve this problem?
Thank you my friend.
note:
I think Gmail tests SMTP TLS clearly & completely before it sends email, while the other common email providers I mentioned above keep sending email even though the error above is still there.
Problem Receiving mail from (only) gmail
Roberto Puzzanghera bellfox ace December 15, 2020 20:24 CET
I think that your problem is that you misconfigured your certificate and in some way Gmail is more strict than other providers... so I would inspect the certificate, not the server config.
Problem Receiving mail from (only) gmail
Bellfox Ace Roberto Puzzanghera December 16, 2020 08:35 CET
Dear Roberto,
Thank you very much for pinpointing my problem. I focused on making the cert .pem properly, and then it was solved.
You're the guy, keep healthy my friend, and... Terima Kasih (bahasa).
Cipher suite preference order
Gabriel Torres June 8, 2020 02:00 CET
Hi Roberto,
I need help configuring a cipher suite preference order. Running diagnostic tools such as https://testssl.sh/ and https://www.hardenize.com/, they tell me that I must configure a cipher suite preference order:
I have no idea how to do that. Reading the qmail-tls documentation inside the patch itself, it says:
I've configured both files with:
But this didn't do the trick.
Have you figured this out? Have you tried running your own email server against these diagnostics tools?
Thank you in advance.
Cheers,
Gabriel.
Cipher suite preference order
delphus Gabriel Torres October 1, 2021 14:32 CET
I played with it a long time ago, but you should set the ciphers separated by colons as the patch documentation states. Check mine for instance:
cheers
delphus
Cipher suite preference order
Roberto Puzzanghera Gabriel Torres June 8, 2020 10:01 CET
I'm sorry Gabriel, I've never played with this...
configuration to work auth+tls
michele May 29, 2020 12:00 CET
Hi Roberto,
I applied the roberto-netqmail-1.06_auth_tls_force-tls.patch-latest patch but I can't configure qmail with authentication and TLS at the same time.
My supervise/run file is:
I can send email with TLS, but the server does not ask me for the password. I can send emails without authentication.
Where is my error?
Thanks
Michele
configuration to work auth+tls
Roberto Puzzanghera michele May 29, 2020 14:25 CET
Michele, your setup refers to ucspi-ssl (port 465), while my patch is for submission port 587. Please refer to this page for details https://notes.sagredo.eu/en/qmail-notes-185/configuring-qmail-83.html
TLS 1.1 enable
Nzmark May 12, 2020 14:06 CET
Hi!
How can I enable the old and obsolete TLS 1.1 with qmail? Some partners use TLS 1.1 :-(
thanks, mark
TLS 1.1 enable
Roberto Puzzanghera Nzmark May 12, 2020 14:40 CET
I think you have to reverse the qmail-tls patch and install v. 20110119 (look here), but it's affected by a well known vulnerability
Broken Link
Gabriel Torres December 21, 2019 01:46 CET
Hi Roberto,
The link is broken here as well:
Managing auth options
You may want to take a look at the README.auth file, especially if you are planning to enable CRAM-MD5 auth.
Be aware that you have to export SMTPAUTH in your run file.
Broken Link
Roberto Puzzanghera Gabriel Torres December 21, 2019 08:30 CET
Thank you. Corrected.
patch
Charles January 31, 2019 09:26 CET
hello,
I'm a newbie starting to install qmail. I tried to patch but I got an error like this:
I need your advice on how to fix it.
patch
Roberto Puzzanghera Charles January 31, 2019 16:37 CET
patch like this:
Can't compile port qmail-tls on FreeBSD 12, openssl 1.1.1
M. Minkov January 26, 2019 15:34 CET
Can't compile port qmail-tls on FreeBSD 12, openssl 1.1.1
Roberto Puzzanghera M. Minkov January 26, 2019 16:11 CET
Take a look at this patch https://notes.sagredo.eu/en/qmail-notes-185/patching-qmail-82.html#comment1209
Disable smtp auth and allow only delivery for rcpthosts domains
Joao April 26, 2018 21:57 CET
Hello,
Is there any way to disable smtp auth relay on port 25, and allow only delivery to local domains?
I'd like to enable smtp auth only on port 587.
Cheers
Joao
Disable smtp auth and allow only delivery for rcpthosts domains
Roberto Puzzanghera Joao April 27, 2018 14:06 CET
Yes, in your qmail-smtpd/run file just avoid calling /home/vpopmail/bin/vchkpw after qmail-smtpd.
Disable smtp auth and allow only delivery for rcpthosts domains
Joao Roberto Puzzanghera May 2, 2018 18:49 CET
Hello Roberto, thank you for replying.
Just another question about it. Maybe you can help me.
Is it possible to disable smtp auth for many domains and enable it just for another?
All domains will be in my rcpthosts, but I'd like to allow just some domains to send emails using smtp auth.
Sorry for my English. Did you understand?
Best
Joao
Disable smtp auth and allow only delivery for rcpthosts domains
Roberto Puzzanghera Joao May 2, 2018 20:01 CET
You can set up an "authsender" control file for the purpose. Take a look at the detailed info for the qmail-authentication patch here https://www.fehcom.de/qmail/smtpauth.html and inside the README file
And also the eMPF functionality can be used to set up advanced policies for the users. Refer to its README file
Disable smtp auth and allow only delivery for rcpthosts domains
Joao Roberto Puzzanghera May 2, 2018 18:43 CET
Thank you very much!
Cheers
Joao
smtp-auth + qmail-tls + forcetls patch not compiling on debian9
Nikola Todev November 9, 2017 03:51 CET
Hello,
The smtp-auth + qmail-tls + forcetls patch is not compiling on Debian 9. Here is the error:
Any chance you can fix the patch?
Thanks
Nikola
smtp-auth + qmail-tls + forcetls patch not compiling on debian9
Roberto Puzzanghera Nikola Todev November 10, 2017 06:56 CET
Try to downgrade your openssl to v. 1.0
smtp-auth + qmail-tls + forcetls patch not compiling on debian9
Roberto Puzzanghera Nikola Todev November 9, 2017 10:49 CET
There must be some problem with gcc-6, as already reported here yesterday http://notes.sagredo.eu/en/qmail-notes-185/patching-qmail-82.html#comment971
unfortunately at the moment I've no gcc-6 machine to do tests with
In which file store the certificate
Marc May 12, 2016 19:18 CET
Hi, where should I store the certificate? clientca.pem, clientcrl.pem or servercert.pem? Will TLS work with a self-signed certificate?
I get this error:
What does it mean?
Regards. Marc
Hi Marc,
roberto puzzanghera Marc May 12, 2016 19:38 CET
Hi Marc,
I forgot to mention here how to create the certificate. Please take a look at the "Creating an SSL key file" section of the big patch page here http://notes.sagredo.eu/node/82
The certificate is stored in /var/qmail/control/servercert.pem, and in my configuration it must be owned by vpopmail. And yes, self-signed certs work.
Thanks. I've now generated a
Marc roberto puzzanghera May 13, 2016 07:31 CET
Thanks. I've now generated a new self-signed certificate and saved it in the right file, but I still get the same error message after the starttls command.
For information: I don't use vpopmail. I work with Zarafa (which gives POP and IMAP but no SMTP AUTH) on Debian. To apply your patch, I started with the netqmail-1.06 from Debian (and the Debian patches). So it was necessary to adjust your patch. This is probably the cause of my non-functional system. Even if I disable forcetls (in the code), the authentication doesn't work...
Is there a way to get more logs? I don't have anything in the qmail logs nor in syslog.
Thanks for help.
Regards, Marc
so which port are you using
roberto puzzanghera Marc May 13, 2016 10:35 CET
So which port are you using to do the auth?
The tls patch embedded in my combined patch does not allow SSL_23, because of the POODLE vulnerability. You must connect using TLS.
Bug in qmail-auth (SMTP RSET also resetting authentication)
Andreas January 30, 2016 22:26 CET
It looks like there is a bug in the qmail-auth patch. I have an Android client connecting to the server (using TLS), and the client is issuing a RSET command after successfully authenticating but before sending the actual email (for whatever reasons that I don't understand). This results in the actual sending of the message failing with an "Authentication required" message (I have SMTPAUTH='!' set). The issue seems to be that, according to the SMTP RFCs, a RSET must retain authentication, yet the patch resets it (in smtp_rset()):
I have fixed this by commenting out the resetting of 'seenauth':
With this, the Android client is able to connect and send email successfully.
I will also forward that to the upstream maintainer of the qmail-authentication patch, but you may also want to fix that locally for the time being.
Andreas
Fixed
roberto puzzanghera Andreas August 18, 2017 14:26 CET
This bug has been fixed in the August 18, 2017 version of the patch. Of course the big patch was updated as well.
Andreas, I have noticed that
roberto puzzanghera Andreas February 3, 2016 13:54 CET
Andreas, I have noticed that e.h. has updated his s/qmail but he hasn't updated the qmail patch yet.. do you know if the modification he did is the same as you suggest here in your comment?
I discussed this with him and
Andreas roberto puzzanghera February 3, 2016 14:03 CET
I discussed this with him and he said that he would update his patch and include this modification. He may just want to wait until the next release of the qmail-authentication patches. I looked at his most recent s/qmail code, and it looks like he did the same as I showed above.
yes, he mentioned your hint
roberto puzzanghera Andreas February 3, 2016 14:05 CET
yes, he mentioned your hint in the s/qmail m/l
thank you Andreas, I'll check
roberto puzzanghera Andreas January 30, 2016 22:37 CET
thank you Andreas, I'll check this issue as soon as possible.
How did you solved the problem ...
Anouar September 30, 2015 18:42 CET
Hello,
I have the same issue:
I'm calling vchkpw from the run file ... but I still can't authenticate ... would you please tell me how you solved this issue?
Thank you
post your run file
roberto puzzanghera Anouar October 1, 2015 10:01 CET
Hi, can you post your run file?
my run file
Anouar roberto puzzanghera October 1, 2015 10:07 CET
Hello,
Here is my run file
you are not calling vchkpw
roberto puzzanghera Anouar October 1, 2015 11:02 CET
But you are not calling vchkpw as you said.. I'm not familiar with checkvpw.. I guess that the problem is there..
I do but ..
Anouar roberto puzzanghera October 1, 2015 14:45 CET
Yes, even if I replace it in the run file with /home/vpopmail/bin/vchkpw ... I still can't authenticate
using my combined patch?
roberto puzzanghera Anouar October 1, 2015 14:46 CET
are you using my combined patch?
Yes i did
Anouar roberto puzzanghera October 1, 2015 16:09 CET
Yes, I used netqmail 1.06 with your combined patch ...
For information, I already had vpopmail installed from qmail 1.03 ... now I upgraded to netqmail with your scripts ...
But I'm still facing that problem ... I don't see what I'm doing wrong ... do you think this is a problem with the vchkpw already installed with vpopmail?
thank you
Did you recompile vpopmail?
roberto puzzanghera Anouar October 1, 2015 16:11 CET
Did you recompile vpopmail against the netqmail patched with my combined patch? If yes, what does the smtp log say?
Just did it
Anouar roberto puzzanghera October 1, 2015 20:13 CET
Hello,
I just recompiled vpopmail and then re-patched your netqmail with your combined patch ... but the problem is still present ...
Any ideas ?
Thank you
I didn't explain myself very well
roberto puzzanghera Anouar October 1, 2015 20:47 CET
Sorry, I didn't explain myself very well. Actually you have to recompile netqmail once you have installed vpopmail. If this is what you did, you are ok. In that case feel free to post the smtp log.
Fixed
Anouar roberto puzzanghera October 1, 2015 20:49 CET
Hello,
I fixed the problem ... it was in my run file ...
this :
Should be like this :
Thank you
No, I didn't
Anouar roberto puzzanghera October 1, 2015 20:12 CET
Hello,
No, I didn't recompile vpopmail after make setup check for your combined netqmail patch ... do I have to do it?
Thank you
250-STARTTLS sent twice in EHLO response
Andreas August 23, 2015 21:07 CET
Roberto,
your combined patch also has another small issue, with the SMTP server sending the "250-STARTTLS" capability back twice in response to an EHLO query.
The problem is in qmail-smtp.c. Your combined patch includes (in the smtp_ehlo() routine):
but this should be:
I.e. there is one STARTTLS response too many.
This seems to be an issue with the qmail-tls patch (netqmail-1.06-tls-20141216.patch) not having been applied properly. (That patch is a bit weird: it patches qmail-smtp.c twice, first to add the line in question, then later to remove it again.)
Thanks for putting all of this together!
Andreas
thank you. I'll fix it asap
roberto puzzanghera Andreas August 23, 2015 21:13 CET
thank you. I'll fix it asap
Edit: this bug has been fixed
Combined patch and number of EHLOs
Christoph Gröver August 5, 2015 15:53 CET
Hello Roberto,
I have a question about the combined smtp-auth + qmail-tls (starttls) + forcetls patch. We have a problem with one server which refuses to accept messages sent by our MTA. While tracking it down with network debugging tools I found that qmail sends the EHLO three times. These are refused by the remote mail server and qmail finally gives up. If I understand the combined patch correctly there are actually 3 EHLOs sent: one if it's via SMTPS, then once again after tls_init, and a third time unconditionally. Is this correct? Well, normally there are no problems, but one mail server doesn't accept our mails anymore.
Hi Christopher, in my
roberto puzzanghera Christoph Gröver August 5, 2015 17:07 CET
Hi Christoph,
in my telnet tests I always get only two EHLOs. The portion of code that you report is actually suspect, but I have to admit that it's not clear to me what all those "if"s imply. Anyway that portion of code is exactly the code of the Vermeulen tls patch, as there were no modifications/customizations by me in qmail-remote.c.
Let me know if you manage to solve it.
Solved the problem
Christoph Gröver roberto puzzanghera August 6, 2015 00:10 CET
Sorry, I'm nearly spamming you ... ;-)
I've been able to create a patch. I finally understood what is in the combined patch that is too much, and this is the patch for qmail-remote.c. We should perhaps really discuss this further via mail - you have my address.
They are not the same ... I just found out
Christoph Gröver roberto puzzanghera August 5, 2015 23:45 CET
Comparison with Vermulen Patch
Christoph Gröver roberto puzzanghera August 5, 2015 23:15 CET
CRAM-MD5 with FORCETLS=1
Christoph Gröver August 3, 2015 22:28 CET
to allow *only* CRAM-MD5 just
roberto puzzanghera Christoph Gröver August 3, 2015 22:46 CET
to allow *only* CRAM-MD5 just use (see README.auth for more info)
but IMHO a TLS connection is already secure with TLS v1.2 (the POODLE vulnerability was fixed in the latest patch version) and I think there's no need to also force CRAM-MD5, which turns out to be useful only when you cannot force TLS (on port 25 for instance).
Combined patch no update
Arturo May 26, 2015 10:04 CET
Hi Roberto,
Please, can you update the combined patch with the latest patch? The combined patch version is 2015.04.11 right now.
Thanks for your work!!
Hi, the big patch 2015.04.11
roberto puzzanghera Arturo May 26, 2015 10:42 CET
Hi, the big patch 2015.04.11 already contains the latest auth-0.8.2 and tls-20141216 :-)
export FORCETLS=0
Nic February 26, 2015 04:16 CET
Hi,
I added export FORCETLS=0 to my run file and it still requires TLS auth.
<- 250-STARTTLS
<- 250-PIPELINING
<- 250-8BITMIME
<- 250-AUTH LOGIN PLAIN CRAM-MD5
<- 250 SIZE 0
-> AUTH LOGIN
<** 503 auth not available (#5.3.3)
*** No authentication type succeeded
-> QUIT
What did I do wrong?
regards
nic
Hi Nic, it's not
roberto puzzanghera Nic February 26, 2015 07:41 CET
Hi Nic,
it's not complaining about a missing TLS connection, it's complaining about a missing AUTH. Are you sure that you are calling vchkpw in your run file?
Thanks Roberto. You spotted
Nic roberto puzzanghera February 26, 2015 08:50 CET
Thanks Roberto. You spotted it correctly.
cheers!
SMTPAUTH="-" doesn't seem to disable auth
cpitchford January 21, 2015 02:31 CET
Hi there, great work on your combined patch..
I've been working to try and disable auth on port 25 and require auth on 587. So far, it's going well..
on 587, SMTPAUTH="!"
on 25, SMTPAUTH="-"
However, I've noticed on port 25 it would advertise 250-AUTH PLAIN LOGIN; however, if I submit an AUTH request, it will honor it.
I was tempted to create a patch to enforce this when smtpauth=0 in qmail-smtpd, however that changes the way the patch works. Instead I was thinking of creating a new mode: SMTPAUTH="^", which disables auth altogether.
First of all, to disable auth
roberto puzzanghera cpitchford January 21, 2015 11:03 CET
First of all, to disable auth on port 25, why don't you simply avoid calling vchkpw in your run file? In that way there's no need to declare SMTPAUTH anymore.
Concerning your suggestion, what do the RFCs say? I don't have the time to check, but are you sure that you *can* declare the AUTH verb even if auth is forbidden?
In any case I think it's better to stick with the original auth patch, just to simplify future upgrades...
Thanks for the contribution :)
disable auth patch
cpitchford roberto puzzanghera January 21, 2015 11:48 CET
First of all, to disable auth on port 25, why don't you simply avoid calling vchkpw in your run file? In that way there's no need to declare SMTPAUTH anymore.
I can't make that change since it would be global. I actually need to be able to disable SMTP auth for some systems, not all, so using environment variables and tcpserver is the way to do this rather than a global change to vchkpw.
Concerning your suggestion, what do the RFCs say? I don't have the time to check, but are you sure that you *can* declare the AUTH verb even if auth is forbidden?
You're describing what I think is a bug. With your patch the server positively responds to AUTH even if AUTH is not advertised (and should be disabled: SMTPAUTH="-" or SMTPAUTH unset). Here's a walk-through of the problem and how my patch works around it:
I'm not sure my patch is the best way to solve this bug. It adds another feature (SMTPAUTH="^") which means it won't change existing behaviour (for people who rely on the hidden but available AUTH). However, if it were to follow the RFC, I believe that if AUTH is not advertised, AUTH requests should always be met with a 503.
I'm thinking again about
roberto puzzanghera cpitchford January 21, 2015 13:22 CET
I'm thinking again about it... actually this is not a bug but an intentional behaviour of the auth patch. In fact it allows the auth if SMTPAUTH is not declared at all.
Please let me know if you can solve it by assigning RELAYCLIENT to those IPs and disabling vchkpw in the run file.
Why not assigning RELAYCLIENT?
roberto puzzanghera cpitchford January 21, 2015 12:38 CET
I can't make that change since it would be global. I actually need to be able to disable SMTP auth for some systems, not all, so using environment variables and tcpserver is the way to do this rather than a global change to vchkpw.
Why not assign the RELAYCLIENT variable to those systems?
Concerning the main purpose of your message, I understand now. In a normal connection (not encrypted) it should not advertise AUTH if it is not allowed. This should be fixed.
But I can't get the bug you showed in the encrypted connection. I have
are you using my latest combined patch, with no modifications?
Edit: uh.. this is because I don't have vchkpw.. So I think you are right. I will apply your patch. Thank you :)
Forcetls Question
Jacekalex October 6, 2011 09:22 CET
Hi
I have a question about the forcetls patch:
If forcetls is active, why does the server offer authentication on an unencrypted connection?
AUTH without TLS is not available without a password, and so it is sent in clear text when you try AUTH PLAIN authentication.
Is this correct and meaningful?
The correct solution - gmail.com:
The server does not provide authorization for a connection without encryption:
No AUTH PLAIN authentication attempt is made, so the password is safe.
Is such a solution correct? Does it make sense?
In my opinion gmail has the correct solution to prevent sending an unencrypted password in AUTH PLAIN.
Can you make a similar change to the forcetls patch in the future?
Cheers
Patch update, fix wrong capabilities
Florian Jacekalex November 19, 2014 13:18 CET
Hello,
first of all this patch needs to be updated so that SSLv3 is switched off. I did this by adding the following line of code in qmail-smtpd.c and qmail-remote.c:
Then, more severe, the parsing of the capabilities in the HELO message causes Gmail to choke and refuse mail delivery TO a patched server. The CORRECT lines should be:
NOTE the "-" sign at 8BITMIME and the REMOVED "-" sign at AUTH lines... this is necessary to not violate the ESMTP protocol!
BR Florian
Florian, concerning the dash
roberto puzzanghera Florian November 19, 2014 21:22 CET
Florian, concerning the dash "-" question, as you know it must be omitted just in case it will be the last command in the list. In my big patch I have:
and this is why the dash is present.
I'm not sure it's worth modifying the patch in this page, as it will certainly be the base for other patches that need to be added, which may (or may not) add a command to the list. A good practice could be to add an innocent command like BYEBYE without a dash at the end, but I think that problems could arise also in this case.
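An added example, not code from the page or from the qmail patches, that checks the two points raised in this exchange and in Jacekalex's post above: the ESMTP multi-line reply rule ("250-" on every line but the last, "250 " on the last one) and whether AUTH is advertised on a cleartext connection. The sample replies are constructed, not captured from a real server.

```python
import re

# One reply line: three-digit code, then "-" (more lines follow) or " " (last line).
LINE_RE = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_ehlo_reply(lines):
    """Parse the lines of one EHLO reply.

    Returns {"ok": bool, "problems": [findings], "caps": {KEYWORD: [params]}}.
    A reply whose final line still carries "-" is the mistake discussed in the
    thread; strict clients treat the reply as unterminated and abort delivery.
    """
    problems, caps = [], {}
    for i, raw in enumerate(lines):
        line = raw.rstrip("\r\n")
        m = LINE_RE.match(line)
        if not m:
            problems.append(f"line {i + 1}: not a reply line: {line!r}")
            continue
        code, sep, text = m.groups()
        if code != "250":
            problems.append(f"line {i + 1}: unexpected code {code}")
        last = i == len(lines) - 1
        if last and sep == "-":
            problems.append(f"line {i + 1}: last line uses '250-' (must be '250 ')")
        if not last and sep == " ":
            problems.append(f"line {i + 1}: '250 ' terminates the reply early")
        if i == 0:
            continue  # first line carries the server's domain, not a capability
        words = text.split()
        if words:
            caps[words[0].upper()] = words[1:]
    return {"ok": not problems, "problems": problems, "caps": caps}


def auth_offered_in_clear(lines):
    """True if AUTH is advertised in this (pre-STARTTLS) reply, i.e. a client
    could be tempted to send a password before the session is encrypted."""
    return "AUTH" in parse_ehlo_reply(lines)["caps"]


# Constructed samples: a well-formed reply and one with the dash mistake.
GOOD = ["250-mail.example.com", "250-STARTTLS", "250-PIPELINING",
        "250-8BITMIME", "250-AUTH LOGIN PLAIN CRAM-MD5", "250 SIZE 0"]
BAD = ["250-mail.example.com", "250-STARTTLS", "250-PIPELINING",
       "250 8BITMIME", "250-AUTH LOGIN PLAIN CRAM-MD5"]

if __name__ == "__main__":
    for name, reply in (("GOOD", GOOD), ("BAD", BAD)):
        r = parse_ehlo_reply(reply)
        print(name, "ok" if r["ok"] else r["problems"], "AUTH in clear:", auth_offered_in_clear(reply))
```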
Size missing
Florian roberto puzzanghera November 19, 2014 22:08 CET
Hello,
this is strange. After your patch I do not see "SIZE" in the output. This could be the reason then. I will investigate.
Thanks so far, BR
The SIZE is due to the esmtp-size
roberto puzzanghera Florian November 20, 2014 13:29 CET
The SIZE is due to the esmtp-size patch. I'm using this big patch http://notes.sagredo.eu/node/82#esmtp-size
Wrong patch
Florian roberto puzzanghera November 20, 2014 14:54 CET
Hello Roberto,
this explains it maybe: I did not use the big patch that you refer to in the link on the beginning, but only the smaller one from 11/2013. There is no size patch included, but the 250 headers are wrong. Maybe you should take this patch offline for reasons of clarity. I really overlooked that this is not the same file...
BR Florian
that patch reflects the
roberto puzzanghera Florian November 20, 2014 15:17 CET
that patch reflects the modifications to qmail-smtpd.c of the qmail-auth patch. But I think that you are right, so I'm going to adjust it
updated patch
genconc roberto puzzanghera May 24, 2015 00:04 CET
I'm embarrassed to say how many hours I lost before properly comprehending this exchange about Florian's edits. In short I was operating under the assumption that
http://notes.sagredo.eu/sites/notes.sagredo.eu/files/qmail/patches/roberto-netqmail-1.06_auth_tls_force-tls.patch-latest
contained those edits. In the hope of saving time for other careless readers like me, I have edited your auth_tls_force-tls patch to incorporate the "250-8BITMIME" fix and Vermeulen's more recent qmail-tls patch (20141216) which disables SSLv3.
You can get the updated patch here.
I corrected the patch
roberto puzzanghera genconc May 25, 2015 14:28 CET
I corrected the patch accordingly and upgraded the qmail-authentication to 0.8.2 as well
Hi gencoc, thanks for the
roberto puzzanghera genconc May 24, 2015 20:27 CET
Hi genconc, thanks for the contribution.
Concerning the "250-8BITMIME" fix, as said above, I'm not sure this is a fix. Anyway I'm going to write a clarification on the purpose as soon as possible
thanks for the advice
roberto puzzanghera Florian November 19, 2014 14:24 CET
thanks for the advice. Actually I was aware of the first issue, but didn't have time to fix it by myself. I'll do an update as soon as possible
Concerning the second problem, I will write a note to the author of the qmail-auth patch and eventually I'll correct it as well
I have adjusted the force-tls
roberto puzzanghera Jacekalex October 6, 2011 22:38 CET
I have adjusted the force-tls patch accordingly. Now the program simply does an exit instead of a return if STARTTLS is not provided when required.
Yes, I agree.
roberto puzzanghera Jacekalex October 6, 2011 20:26 CET
Yes, I agree. This is a point where the patch deserves some improvement. I'll fix it when I have some time.
Thanks a lot for the contribution.
How to stop unauthenticated users from sending mails
Anouar Charif roberto puzzanghera July 25, 2016 13:06 CET
Hello, I used your installation and now my server is used by unauthenticated users from Outlook or Thunderbird to send mails through my server ... they create accounts with a wrong username/password in Outlook for example, only the domain is good. What can I do to stop this?
open relay?
roberto puzzanghera Anouar Charif July 25, 2016 13:14 CET
If I understand well, they are using your MTA to send unauthenticated mail? In that case you have an open relay and I suggest taking another look at the page where the "qmail configuration" is explained, in particular the submission service setup on port 587.
If they are sending messages through another relay, I suggest you set up SPF, DKIM and a DMARC policy
Re: Open Relay
Anouar Charif roberto puzzanghera July 25, 2016 13:25 CET
Hello,
They are using Outlook or any other agent to send mail without being authenticated ... for example they take one of my hosted domains and use a fake email, then they set it in Outlook, and they start sending spam. I don't use port 587.
I just tested it myself by connecting to my server with a fake account using Outlook, and I'm able to send mails.
Do you have any suggestions?
thank you
So you are not using my
roberto puzzanghera Anouar Charif July 25, 2016 13:34 CET
So you are not using my installation properly. Double check your tcp.smtp file to be sure that you are not allowing the internet to send mail with your server.
tcp.smtp
Anouar Charif roberto puzzanghera July 25, 2016 13:36 CET
Hello,
Here's my tcp.smtp file:
Any ideas?
Thank you
your tcp.smtp is correct, but
roberto puzzanghera Anouar Charif July 25, 2016 13:46 CET
your tcp.smtp is correct, but the behaviour of your server seems not to follow its setup. Are you absolutely sure that you are actually using this file, and that you have rebuilt your tcp.cdb file?
Log qmail-smtpd
Anouar Charif roberto puzzanghera July 25, 2016 13:53 CET
Hello,
Here are the logs of a current user who sends mail from Outlook:
Barnett.66811 is the fake user in domain.ltd (the domain exists)
can you contact me in a
roberto puzzanghera Anouar Charif July 25, 2016 16:03 CET
can you contact me in a private message, so that we can investigate what's happening? (use the "contact" button above)
Yes i did
Anouar Charif roberto puzzanghera July 25, 2016 13:49 CET
Hello,
Yes, I'm running qmailctl cdb every time I change this file.
I don't know what I'm missing?
can you show your rcpthosts?
roberto puzzanghera Anouar Charif July 25, 2016 13:52 CET
can you show your rcpthosts? You should have only your local domains there
rcpthosts
Anouar Charif roberto puzzanghera July 25, 2016 13:54 CET
Yes, I have only my hosted domains ... one per line