Jeff Thompson | 1 Sep 06:21 2006

Re: qmail-dk dropping mail?

Russ Nelson wrote:
> Jeff Thompson writes:
> > Although the email message is malformed, should qmail-dk drop a message
> > that has not been signed or should it allow the message to be queued for
> > delivery?
>
> I would treat syntax errors the same as having no signature. Anybody who
> wants their email to pass inspection isn't going to send it with a syntax
> error.

Russ, thank you for replying... I would agree that would be the proper way to handle a malformed message, however, qmail-dk exiting with a 31 causes the email to not be delivered. I've looked into this and I believe the error occurs here in qmail-dk.c:

   if (dksign || dkverify)
     for(i=0; i < n; i++) {
       if (x[i] == '\n') st = dk_message(dk, "\r\n", 2);
       else st = dk_message(dk, x+i, 1);
       maybe_die_dk(st);
     }


In my case, dk_message is returning DK_STAT_SYNTAX, which is correct because two "From:" headers are present; however, maybe_die_dk causes qmail-dk to exit with status 31, as shown below:

void maybe_die_dk(e) DK_STAT e; {
  switch(e) {
  case DK_STAT_BADKEY: _exit(55);
  case DK_STAT_CANTVRFY: _exit(74);
  case DK_STAT_NORESOURCE: _exit(51);
  case DK_STAT_ARGS: _exit(12);
  case DK_STAT_SYNTAX: _exit(31);
  case DK_STAT_INTERNAL: _exit(81);
  }
}


Commenting out the maybe_die_dk(st); call above allows qmail-dk to finish building the message and upon completion, adds the header:

DomainKeys-Status: no signature

Here's the patch that removes the maybe_die_dk call:

--- qmail-dk.c.orig     2006-08-31 23:07:07.000000000 -0500
+++ qmail-dk.c  2006-08-31 23:09:55.000000000 -0500
@@ -229,7 +229,6 @@
      for(i=0; i < n; i++) {
        if (x[i] == '\n') st = dk_message(dk, "\r\n", 2);
        else st = dk_message(dk, x+i, 1);
-       maybe_die_dk(st);
       }
    if (substdio_put(&ssout,x,n) == -1) die_write();
    substdio_SEEK(&ssin,n);
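Review bot: removing maybe_die_dk(st) outright also silences DK_STAT_NORESOURCE, DK_STAT_INTERNAL, DK_STAT_BADKEY and the other statuses that the maybe_die_dk() case table above maps to exit codes, so a libdomainkeys allocation failure or internal error would now pass unnoticed and the message would be queued as if the check had run. Narrow the change to the one status the thread is about, e.g. `if (st != DK_STAT_SYNTAX) maybe_die_dk(st);`, so that a malformed message is treated as unsigned while real failures still stop qmail-dk.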


I'm not sure whether a patch like this would be accepted for qmail-dk, but if not, can anyone suggest another method to prevent qmail-dk from exiting before the mail is queued for delivery?

Thanks,

Jeff
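The decision Jeff is describing, as an added example that is not code from qmail-dk or libdomainkeys: a duplicate From: header yields DK_STAT_SYNTAX, and the only question is whether that status maps to exit 31 (a permanent failure, so the message is rejected) or is treated like an unsigned message and tagged "DomainKeys-Status: no signature". The DK_STAT_* names and exit codes are the ones in maybe_die_dk() above; the enum values, the header scanner and the sample messages are assumptions and constructions for this demo.

```c
/* Added example, not code from qmail-dk or libdomainkeys: it models the
 * decision Jeff describes. The DK_STAT_* names and the exit codes are the
 * ones shown in maybe_die_dk() on this page; the enum values, the
 * duplicate-From: header scanner and the sample messages are assumptions
 * and constructions for this demo. */
#include <stdio.h>
#include <string.h>
#include <strings.h>

typedef enum {
    DK_STAT_OK, DK_STAT_BADKEY, DK_STAT_CANTVRFY, DK_STAT_NORESOURCE,
    DK_STAT_ARGS, DK_STAT_SYNTAX, DK_STAT_INTERNAL
} DK_STAT;

/* Scan the header block (everything before the first empty line) and report
 * a second From: header as DK_STAT_SYNTAX, the condition Jeff ran into.
 * Continuation lines start with whitespace, so they never match "from:". */
DK_STAT scan_headers(const char *msg) {
    int from_count = 0;
    const char *p = msg;
    while (*p) {
        if (*p == '\n' || (*p == '\r' && p[1] == '\n')) break;  /* end of headers */
        if (strncasecmp(p, "from:", 5) == 0) from_count++;
        const char *nl = strchr(p, '\n');
        if (!nl) break;
        p = nl + 1;
    }
    return from_count > 1 ? DK_STAT_SYNTAX : DK_STAT_OK;
}

/* The exit code maybe_die_dk() uses for each status; 0 means "keep going".
 * 31 is in qmail-queue's permanent-failure range (11-40), which is why the
 * message was rejected outright rather than deferred. With tolerate_syntax
 * set, a syntax error is treated like an unsigned message instead, which is
 * the policy Russ described. */
int exit_code_for(DK_STAT e, int tolerate_syntax) {
    switch (e) {
    case DK_STAT_BADKEY:     return 55;
    case DK_STAT_CANTVRFY:   return 74;
    case DK_STAT_NORESOURCE: return 51;
    case DK_STAT_ARGS:       return 12;
    case DK_STAT_SYNTAX:     return tolerate_syntax ? 0 : 31;
    case DK_STAT_INTERNAL:   return 81;
    default:                 return 0;
    }
}

struct dk_outcome {
    int exit_code;       /* 0: the message goes on to qmail-queue */
    const char *status;  /* DomainKeys-Status: value to add, or NULL */
};

/* Run the header check and apply the exit-or-continue policy. When the
 * syntax error is tolerated the message gets "no signature", the header
 * Jeff saw after removing the maybe_die_dk() call. */
struct dk_outcome process_message(const char *msg, int tolerate_syntax) {
    struct dk_outcome out = { 0, NULL };
    DK_STAT st = scan_headers(msg);
    out.exit_code = exit_code_for(st, tolerate_syntax);
    if (out.exit_code == 0 && st == DK_STAT_SYNTAX) out.status = "no signature";
    return out;
}

/* Constructed sample messages. */
const char DUP_FROM_MSG[] =
    "From: alice@example.org\n"
    "From: mallory@example.net\n"
    "Subject: two From: headers\n"
    "\n"
    "body\n";
const char CLEAN_MSG[] =
    "From: alice@example.org\n"
    "To: bob@example.com\n"
    "Subject: one From: header\n"
    "\n"
    "body\n";

int main(void) {
    struct dk_outcome strict = process_message(DUP_FROM_MSG, 0);
    struct dk_outcome lenient = process_message(DUP_FROM_MSG, 1);
    printf("strict:  exit %d\n", strict.exit_code);
    printf("lenient: exit %d, DomainKeys-Status: %s\n", lenient.exit_code,
           lenient.status ? lenient.status : "(left to the verifier)");
    return 0;
}
```

Note that only DK_STAT_SYNTAX is downgraded: the resource, argument and internal errors still stop processing, which is what a narrower version of Jeff's patch (dying on every status except the syntax one) would preserve.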
Julian Grunnell | 1 Sep 11:45 2006

Qmail backup MX

Hi - quick question regarding the above that somehow has me baffled and am
hoping the answer is an obvious one!!

Got a cluster of 3 load balanced outbound SMTP relay servers built as per
LWQ that also act as secondary MX for several thousand domains. I've been
seeing from the qmail logs that some mail is getting into a loop whenever
the primary MX is down. Until the message finally bounces with the
"too_many_hops" error.

For the domains in question I've checked that they only exist in the
rcpthosts file and that no reference to the domains is in the smtproutes or
locals files. The servers sit behind a PIX firewall and are load balanced by
a Foundry Server Iron.

An example of this is:

sentinelgb.net
dig +short sentinelgb.net mx
10 relay.firstnet.net.uk.
5 mail.sentinelgb.net.

telnet mail.sentinelgb.net 25
Trying 135.196.25.211...

grep sentinelgb.net /var/qmail/control/rcpthosts
sentinelgb.net

bash-2.05# grep sentinelgb.net /var/qmail/control/smtproutes
bash-2.05# grep sentinelgb.net /var/qmail/control/locals

@4000000044f7f99e178585c4 starting delivery 2167: msg 171378 to remote kevinmacdonald@sentinelgb.net
@4000000044f7f9db22a2b10c end msg 171378
@4000000044f7f9db22a262ec delivery 2167: success: 212.103.224.41_accepted_message./Remote_host_said:_250_ok_1157101981_qp_22623/

The log snippet above is a typical example of the mail loop I'm seeing.

Any help would be appreciated.

Julian.

Julian Grunnell
3rd Line Technical Support
Pipex Communications

Tel: 0113 344 1304
Mob: 07803 649593
Web: http://www.pipex.com/

This e-mail is subject to: http://www.pipex.net/disclaimer.html 

Richard Lyons | 1 Sep 10:23 2006

Re: Qmail backup MX

On Fri, 1 Sep 2006, Julian Grunnell wrote:

> For the domains in question I've checked that they only exist in the
> rcpthosts file and that no reference to the domains is in the smtproutes or
> locals files. The servers sit behind a PIX firewall and are load balanced by
> a Foundry Server Iron.

Your servers don't know that the servers listed in the MX records are
themselves.  Search qmail.org for "moreipme patch", or create dummy
interfaces.

Rick.
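The mechanism behind Rick's answer, as an added example that is not qmail's source: qmail-remote only tries MX hosts with a preference strictly lower than the lowest-preference MX it recognises as itself, and "itself" is the ipme list built from the local interfaces. A load-balancer VIP is on no interface, so the relay does not recognise the MX record that points at it, keeps it as a candidate and, with the primary down, delivers to itself. The MX records below are the ones Julian posted; the VIP 192.0.2.10, the NIC address 192.0.2.11 and the 100000 sentinel are constructed for the demo.

```c
/* Added example, not qmail source: it models the MX choice in qmail-remote
 * that Richard's answer turns on. A host first builds the list of addresses
 * it regards as its own (qmail's "ipme", normally taken from the network
 * interfaces). Any MX whose address is on that list sets the preference
 * below which qmail-remote is willing to try other hosts. The MX records are
 * the ones Julian posted; 192.0.2.10 (relay VIP) and 192.0.2.11 (one relay's
 * NIC) are constructed addresses for the demo. */
#include <stdio.h>
#include <string.h>

struct mx { int pref; const char *host; const char *ip; };

#define MAX_IPME 8
struct ipme { int len; const char *ip[MAX_IPME]; };

/* Is this address one of ours? (qmail: ipme_is) */
int ipme_is(const struct ipme *me, const char *ip) {
    for (int i = 0; i < me->len; i++)
        if (strcmp(me->ip[i], ip) == 0) return 1;
    return 0;
}

/* Register an address as ours. The moreipme patch exists so an admin can do
 * this for addresses that sit on no local interface, such as a VIP that a
 * load balancer terminates in front of the server. */
int ipme_add(struct ipme *me, const char *ip) {
    if (me->len >= MAX_IPME) return 0;
    me->ip[me->len++] = ip;
    return 1;
}

/* qmail-remote's rule: prefme is the lowest preference among MXs that are
 * us; only MXs with a strictly lower preference are tried. mxs[] is assumed
 * sorted by preference. Returns the number of candidates stored in out[].
 * Zero candidates means "we are the best MX yet the domain is not local",
 * which qmail-remote reports as a permanent error instead of retrying. */
int select_mx(const struct mx *mxs, int n, const struct ipme *me, const struct mx **out) {
    int prefme = 100000;
    for (int i = 0; i < n; i++)
        if (ipme_is(me, mxs[i].ip) && mxs[i].pref < prefme) prefme = mxs[i].pref;
    int k = 0;
    for (int i = 0; i < n; i++)
        if (mxs[i].pref < prefme) out[k++] = &mxs[i];
    return k;
}

/* Does the candidate list contain the address that leads back to us? With
 * the primary MX down, delivering there is the loop Julian's log shows: the
 * load balancer hands the connection to a cluster member, which accepts the
 * message again, until too_many_hops. */
int delivers_to_self(const struct mx **cands, int k, const char *vip) {
    for (int i = 0; i < k; i++)
        if (strcmp(cands[i]->ip, vip) == 0) return 1;
    return 0;
}

/* MX records from the thread (sorted by preference). */
const struct mx SENTINEL_MX[] = {
    { 5,  "mail.sentinelgb.net",   "135.196.25.211" },
    { 10, "relay.firstnet.net.uk", "192.0.2.10" },
};
const char RELAY_VIP[] = "192.0.2.10";

struct outcome { int candidates; int loop_risk; };

/* Evaluate one relay. extra_ip is NULL for a stock ipme (interfaces only)
 * or the VIP to show what registering it via moreipme changes. */
struct outcome evaluate(const char *extra_ip) {
    struct ipme me = { 0, { 0 } };
    ipme_add(&me, "192.0.2.11");            /* what the interfaces provide */
    if (extra_ip) ipme_add(&me, extra_ip);  /* what moreipme adds */
    const struct mx *out[2];
    struct outcome o;
    o.candidates = select_mx(SENTINEL_MX, 2, &me, out);
    o.loop_risk = delivers_to_self(out, o.candidates, RELAY_VIP);
    return o;
}

int main(void) {
    struct outcome stock = evaluate(NULL), fixed = evaluate(RELAY_VIP);
    printf("interfaces only:  %d candidate(s), loop risk %d\n", stock.candidates, stock.loop_risk);
    printf("with VIP in ipme: %d candidate(s), loop risk %d\n", fixed.candidates, fixed.loop_risk);
    return 0;
}
```

With the VIP registered, the only candidate is the primary MX; while it is down the delivery is deferred and retried from the queue, which is the correct backup-MX behaviour. Rick's other suggestion, a dummy interface carrying the VIP address, achieves the same thing by making the stock ipme scan find it.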

Julian Grunnell | 1 Sep 12:47 2006

RE: Qmail backup MX


> -----Original Message-----
> From: Richard Lyons [mailto:frob-qmail@webcentral.com.au] 
> Sent: 01 September 2006 09:24
> To: qmail@list.cr.yp.to
> Subject: Re: Qmail backup MX
> 
> On Fri, 1 Sep 2006, Julian Grunnell wrote:
> 
> > For the domains in question I've checked that they only 
> exist in the 
> > rcpthosts file and that no reference to the domains is in the 
> > smtproutes or locals files. The servers sit behind a PIX 
> firewall and 
> > are load balanced by a Foundry Server Iron.
> 
> Your servers don't know that the servers listed in the MX 
> records are themselves.  Search qmail.org for "moreipme 
> patch", or create dummy interfaces.
> 
> Rick.
> 
Thanks Rick, makes sense.

Stopped qmail and tried to apply the patch but get:

pwd
/usr/local/src/netqmail-1.05/netqmail-1.05

patch < ../../moreipme.patch.txt
patching file Makefile
patching file ipme.c
Hunk #3 FAILED at 42.
Hunk #4 succeeded at 104 (offset 5 lines).
1 out of 4 hunks FAILED -- saving rejects to file ipme.c.rej

more ipme.c.rej
***************
*** 40,51 ****
    int len;
    int s;
    struct ip_mx ix;

    if (ipmeok) return 1;
    if (!ipalloc_readyplus(&ipme,0)) return 0;
    ipme.len = 0;
    ix.pref = 0;

    if ((s = socket(AF_INET,SOCK_STREAM,0)) == -1) return -1;

    len = 256;
--- 42,60 ----
    int len;
    int s;
    struct ip_mx ix;
+   int moreipme_fd;

    if (ipmeok) return 1;
    if (!ipalloc_readyplus(&ipme,0)) return 0;
    ipme.len = 0;
    ix.pref = 0;

+   /* 0.0.0.0 is a special address which always refers to
+    * "this host, this network", according to RFC 1122, Sec. 3.2.1.3a.
+   */
+   byte_copy(&ix.ip,4,"\0\0\0\0");
+   if (!ipalloc_append(&ipme,&ix)) { return 0; }
+
    if ((s = socket(AF_INET,SOCK_STREAM,0)) == -1) return -1;

    len = 256;
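Review bot: the rejected hunk is the one that declares `int moreipme_fd;` and seeds ipme with 0.0.0.0, while hunk #4 applied (with a 5-line offset), so ipme.c is now half-patched: if the applied hunk references moreipme_fd the file will no longer compile. Restore ipme.c from the netqmail tarball before trying again, and note that the offset on hunk #4 shows the patch was generated against a different ipme.c than netqmail-1.05's, which is the usual reason for a context mismatch; a version of the patch made for netqmail avoids this.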

Should the patch apply to a netqmail install ok?

Thanks - Julian.

Jose Luis Faria | 1 Sep 13:17 2006

testing the MX for that dy domain

Hello,

We have two nodes for qmail in a cluster, with LDAP.

Which qmail patch rejects any message without a valid MX for that
domain?

thanks in advance.

-- 

   :) regards
----------------------
José Luís Faria
Network Eng./Systems Administrator
Cisco Certified Network Associate
Department of Informatics
Universidade do Minho
Attachment (smime.p7s): application/x-pkcs7-signature, 6237 bytes
Julian Grunnell | 1 Sep 15:27 2006

RE: Qmail backup MX

Thanks to Richard who set me on the right track.

With the netqmail install you just need the netqmail moreipme patch.

So far it's looking good.

Julian. 

> -----Original Message-----
> From: Richard Lyons [mailto:frob-qmail@webcentral.com.au] 
> Sent: 01 September 2006 09:24
> To: qmail@list.cr.yp.to
> Subject: Re: Qmail backup MX
> 
> On Fri, 1 Sep 2006, Julian Grunnell wrote:
> 
> > For the domains in question I've checked that they only 
> exist in the 
> > rcpthosts file and that no reference to the domains is in the 
> > smtproutes or locals files. The servers sit behind a PIX 
> firewall and 
> > are load balanced by a Foundry Server Iron.
> 
> Your servers don't know that the servers listed in the MX 
> records are themselves.  Search qmail.org for "moreipme 
> patch", or create dummy interfaces.
> 
> Rick.
> 

Joel Gwynn | 1 Sep 19:58 2006

Qmail ignoring rcpthosts?

My qmail seems to be acting as an open relay even though I have an
rcpthosts file:

-rw-r--r-- 1 root root 49 Aug 22 17:13 /var/qmail/control/rcpthosts

which has only my domains in it. I can telnet to my server on port 25
and send email from joelman@anywhere.com and it's happy to do so. My
understanding is that qmail shouldn't do this unless I have
RELAYCLIENT environment set.

How can I verify whether qmail is using rcpthosts or not?

TIA
Joel

brian | 1 Sep 20:08 2006

Re: Qmail ignoring rcpthosts?

On Fri, 1 Sep 2006, Joel Gwynn wrote:

> My qmail seems to be acting as an open relay even though I have an
> rcpthosts file:
>
> -rw-r--r-- 1 root root 49 Aug 22 17:13 /var/qmail/control/rcpthosts
>
> which has only my domains in it. I can telnet to my server on port 25
> and send email from joelman@anywhere.com and it's happy to do so. My
> understanding is that qmail shouldn't do this unless I have
> RELAYCLIENT environment set.
>
> How can I verify that qmail is/not using rcpthosts?

questions/requests:
what are your tcp.smtp rules?
complete output of qmail-showctl command would be useful.
please provide a complete email w/ headers that has been relayed through 
the server as well.

brian
--
Never be afraid to tell the world who you are.
              -- Anonymous
  14:00:01 up 52 days, 21:18,  2 users,  load average: 0.00, 0.00, 0.00

Joel Gwynn | 1 Sep 20:42 2006

Re: Qmail ignoring rcpthosts?

OK.  I've attached the output of qmail-ctl and a sample email.  Are
attachments allowed on this list?

here's my /etc/tcp.smtp
127.:allow,RELAYCLIENT=""

Thanks

On 9/1/06, brian@highstream.kicks-ass.org
<brian@highstream.kicks-ass.org> wrote:
> On Fri, 1 Sep 2006, Joel Gwynn wrote:
>
> > My qmail seems to be acting as an open relay even though I have an
> > rcpthosts file:
> >
> > -rw-r--r-- 1 root root 49 Aug 22 17:13 /var/qmail/control/rcpthosts
> >
> > which has only my domains in it. I can telnet to my server on port 25
> > and send email from joelman@anywhere.com and it's happy to do so. My
> > understanding is that qmail shouldn't do this unless I have
> > RELAYCLIENT environment set.
> >
> > How can I verify that qmail is/not using rcpthosts?
>
> questions/requests:
> what are your tcp.smtp rules?
> complete output of qmail-showctl command would be useful.
> please provide a complete email w/ headers that has been relayed through
> the server as well.
>
>
> brian
> --
> Never be afraid to tell the world who you are.
>               -- Anonymous
>   14:00:01 up 52 days, 21:18,  2 users,  load average: 0.00, 0.00, 0.00
>
Attachment (qmail-ctl.out): application/octet-stream, 3675 bytes
X-Gmail-Received: a72f19ac5ea86008c61266d6cfe61ae106070626
Delivered-To: joelman@gmail.com
Received: by 10.67.100.8 with SMTP id c8cs287555ugm;
        Wed, 30 Aug 2006 18:50:38 -0700 (PDT)
Received: by 10.70.46.1 with SMTP id t1mr557380wxt;
        Wed, 30 Aug 2006 18:50:37 -0700 (PDT)
Return-Path: <joelman@whatever.com>
Received: from mail.funnyrnot.com ([66.150.225.38])
        by mx.gmail.com with ESMTP id 44si217813wri.2006.08.30.18.50.37;
        Wed, 30 Aug 2006 18:50:37 -0700 (PDT)
Received-SPF: neutral (gmail.com: 66.150.225.38 is neither permitted nor denied by best guess record
for domain of joelman@whatever.com)
Date: Wed, 30 Aug 2006 18:50:37 -0700 (PDT)
Message-Id: <44f6406d.66b66cb9.601e.5519SMTPIN_ADDED@mx.gmail.com>
Received: (qmail 11885 invoked by uid 0); 30 Aug 2006 21:50:20 -0400
Received: from localhost (HELO ) (sendmail-bs@127.0.0.1)
  by localhost with SMTP; 30 Aug 2006 21:50:20 -0400
subject: ORT II

still open.
Charles Cazabon | 1 Sep 20:55 2006

Re: Qmail ignoring rcpthosts?

Joel Gwynn <joelman@gmail.com> wrote:
> 
> here's my /etc/tcp.smtp
> 127.:allow,RELAYCLIENT=""

Setting RELAYCLIENT tells qmail-smtpd to ignore rcpthosts.  If you're trying
to test whether you're an open relay, do it from another machine.

Charles
-- 
--------------------------------------------------------------------------
Charles Cazabon                               <qmail@discworld.dyndns.org>
Read http://pyropus.ca/personal/writings/12-steps-to-qmail-list-bliss.html
My services include qmail consulting.  See http://pyropus.ca/ for details.
--------------------------------------------------------------------------
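The two checks Charles's answer rests on, as an added example that is not qmail's code: tcpserver matches the connecting address against tcp.smtp (exact address first, then dotted prefixes from longest to shortest, then the empty default rule) and exports whatever environment the matching rule names; qmail-smtpd then accepts any RCPT TO when RELAYCLIENT is set and otherwise only recipients whose domain is in rcpthosts (exact entry, or a leading-dot entry matching a parent domain). Joel's `127.:allow,RELAYCLIENT=""` is a prefix rule, so a telnet session from the box itself always has RELAYCLIENT and proves nothing; a remote address does not. The tcp.smtp text is Joel's; the rcpthosts entries and client addresses are constructed, and `=`host rules and address ranges are left out.

```c
/* Added example, not qmail's code: models tcprules address matching for the
 * common rule forms and qmail-smtpd's RELAYCLIENT/rcpthosts decision. The
 * tcp.smtp line is Joel's; the rcpthosts list and client addresses are
 * constructed for the demo. "=" host rules and IP ranges are not handled. */
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define MAX_RULES 16
struct tcp_rule { char addr[64]; int allow; int relayclient; };
struct tcp_rules { int n; struct tcp_rule r[MAX_RULES]; };

/* Parse "addr:allow,VAR=\"v\",..." lines; returns the number of rules read. */
int parse_tcp_smtp(const char *text, struct tcp_rules *rules) {
    rules->n = 0;
    const char *line = text;
    while (*line && rules->n < MAX_RULES) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        const char *colon = memchr(line, ':', len);
        if (colon) {
            struct tcp_rule *r = &rules->r[rules->n];
            size_t alen = (size_t)(colon - line);
            if (alen >= sizeof r->addr) alen = sizeof r->addr - 1;
            memcpy(r->addr, line, alen);
            r->addr[alen] = '\0';
            const char *ins = colon + 1;
            size_t ilen = len - alen - 1;
            r->allow = (ilen >= 5 && strncmp(ins, "allow", 5) == 0);
            r->relayclient = 0;
            for (size_t i = 0; i + 12 <= ilen; i++)   /* RELAYCLIENT= anywhere in the list */
                if (strncmp(ins + i, "RELAYCLIENT=", 12) == 0) r->relayclient = 1;
            rules->n++;
        }
        if (!eol) break;
        line = eol + 1;
    }
    return rules->n;
}

static const struct tcp_rule *find_rule(const struct tcp_rules *rules, const char *key) {
    for (int i = 0; i < rules->n; i++)
        if (strcmp(rules->r[i].addr, key) == 0) return &rules->r[i];
    return NULL;
}

/* tcprules lookup order: exact address, then "1.2.3.", "1.2.", "1.", then "".
 * Returns 1 if the connection is allowed; *relayclient says whether the
 * matching rule set RELAYCLIENT. No matching rule means allow, nothing set. */
int tcp_lookup(const struct tcp_rules *rules, const char *client_ip, int *relayclient) {
    char key[64];
    const struct tcp_rule *r = find_rule(rules, client_ip);
    size_t len = strlen(client_ip);
    for (size_t i = len; r == NULL && i > 0; i--) {
        if (client_ip[i - 1] != '.' || i >= sizeof key) continue;
        memcpy(key, client_ip, i); key[i] = '\0';
        r = find_rule(rules, key);
    }
    if (r == NULL) r = find_rule(rules, "");
    *relayclient = r ? r->relayclient : 0;
    return r ? r->allow : 1;
}

/* rcpthosts check: the recipient's domain is listed, or a ".dom" entry is a
 * parent of it (case-insensitive). Addresses without "@" are not handled. */
int addrallowed(const char *rcpt, const char *const *rcpthosts, int n) {
    const char *at = strrchr(rcpt, '@');
    if (!at) return 0;
    const char *domain = at + 1;
    size_t dlen = strlen(domain);
    for (int i = 0; i < n; i++) {
        const char *h = rcpthosts[i];
        size_t hlen = strlen(h);
        if (strcasecmp(h, domain) == 0) return 1;
        if (h[0] == '.' && hlen < dlen && strcasecmp(domain + dlen - hlen, h) == 0) return 1;
    }
    return 0;
}

/* qmail-smtpd's RCPT TO decision: RELAYCLIENT set => rcpthosts is ignored. */
int rcpt_accepted(const struct tcp_rules *rules, const char *client_ip,
                  const char *rcpt, const char *const *rcpthosts, int n) {
    int relayclient;
    if (!tcp_lookup(rules, client_ip, &relayclient)) return 0;  /* connection refused */
    if (relayclient) return 1;
    return addrallowed(rcpt, rcpthosts, n);
}

/* Joel's tcp.smtp and a constructed two-entry rcpthosts. */
const char TCP_SMTP[] = "127.:allow,RELAYCLIENT=\"\"\n";
const char *const RCPTHOSTS[] = { "example.com", ".example.com" };
const int RCPTHOSTS_N = 2;

/* One-call wrapper over the constructed inputs. */
int demo_decision(const char *client_ip, const char *rcpt) {
    struct tcp_rules rules;
    parse_tcp_smtp(TCP_SMTP, &rules);
    return rcpt_accepted(&rules, client_ip, rcpt, RCPTHOSTS, RCPTHOSTS_N);
}

int main(void) {
    printf("127.0.0.1   -> joe@anywhere.com: %d\n", demo_decision("127.0.0.1", "joe@anywhere.com"));
    printf("203.0.113.5 -> joe@anywhere.com: %d\n", demo_decision("203.0.113.5", "joe@anywhere.com"));
    printf("203.0.113.5 -> bob@mail.example.com: %d\n", demo_decision("203.0.113.5", "bob@mail.example.com"));
    return 0;
}
```

The first call is Joel's telnet test and comes back accepted because of the rule, not because rcpthosts is broken; the second is what a check from another machine sees.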

