Craig Jungers | 14 May 00:38 2015

Minimal Use of Qpsmtpd

I'm trying to just use qpsmtpd to stop multiple connections from spam servers. Some .eu servers are trying to send 35 or 40 emails at a time... they get rejected but it takes up my server's resources to do it. But I want to wait and set up qpsmtpd to check blacklists later. I'm using Postfix. 

Is this relatively easy to do? I'm not an smtp novice but new to qpsmtpd.

Craig
Charlie Brady | 28 Jan 14:24 2015

CVE-2015-0235 exposure via qpsmtpd?


As you can see in the advisory:

http://www.openwall.com/lists/oss-security/2015/01/27/9

exim allows remote exploit of a buffer overflow in glibc.

Has anybody done an analysis of qpsmtpd to see whether there is a code 
path via qpsmtpd (and plugins) and perl which allows the same exploit?

Reinhard Seifert | 21 Jan 12:18 2015

Is there any example of a Qmail::Deliverable plugin

Hi,

first of all, thank you guys for developing/maintaining qpsmtpd, really
a great piece of work.

I am a newbie qpsmtpd user and also new to Perl... and also quite new to
qmail at that.

It took me some time to dpkg-reconfigure the debian package, but now it
is working excellently together with spamassassin.

I found the Qmail::Deliverable module for perl and installed it using
cpanminus.

But what now?

I looked at perldoc Qmail::Deliverable and found those code lines to use
in a qpsmtpd plugin

<quote>
        use Qmail::Deliverable ':all';

        return DECLINED if not qmail_local $recip;
        return DECLINED if deliverable $recip;
        return DENY, "Who's that?";
</quote>

I pasted those lines into /usr/share/qpsmtpd/plugins/check_deliverable
and added "check_deliverable" to the /etc/qpsmtpd/plugins config file.

But when restarting the service I get an error message complaining about
the $recip variable.

I tried to find an example plugin which utilizes Qmail::Deliverable, but
did not succeed.

Can anyone give me a hint or even provide a working plugin? Also welcome
are hints regarding the startup of the qmail-deliverabled daemon. Do I
need to start it and will the plugin know about the port?

Thanks,
Reinhard
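A complete rcpt-hook plugin built around those three documented lines, added here as an example (it is not from the original post nor from the Qmail::Deliverable distribution): the `$recip` that the perldoc snippet leaves undefined is taken from the Qpsmtpd::Address object qpsmtpd hands to the rcpt hook. It assumes the stock plugin API (hook_rcpt, $recipient->address, the DECLINED/DENY constants, $self->qp->connection->relay_client) and that the qpsmtpd process can read qmail's control and users files.

```perl
#!/usr/bin/perl
# check_deliverable: reject RCPT TO for local addresses qmail would bounce.
# Added example plugin, not from the original thread; assumes the stock
# qpsmtpd plugin API and direct read access to qmail's control/users files.
use strict;
use warnings;
use Qmail::Deliverable ':all';    # exports qmail_local() and deliverable()

sub register {
    my ($self, $qp, @args) = @_;
    # No arguments needed; qpsmtpd wires hook_rcpt() by its name.
    $self->log(LOGINFO, "check_deliverable loaded");
}

sub hook_rcpt {
    my ($self, $transaction, $recipient, %param) = @_;

    # Authenticated or otherwise trusted clients may relay anywhere;
    # their recipients are not ours to validate.
    return DECLINED if $self->qp->connection->relay_client;

    # $recipient is a Qpsmtpd::Address; this is the $recip the perldoc
    # snippet uses without defining it.
    my $recip = $recipient->address or return DECLINED;
    $recip = lc $recip;

    # Domain not in control/locals or control/virtualdomains:
    # not our business, let the remaining rcpt plugins decide.
    if (not qmail_local($recip)) {
        $self->log(LOGDEBUG, "pass, $recip is not a local address");
        return DECLINED;
    }

    # deliverable() is false when qmail would bounce this address.
    if (deliverable($recip)) {
        $self->log(LOGDEBUG, "pass, $recip is deliverable");
        return DECLINED;
    }

    # Reject at RCPT time so the body is never accepted and bounced later.
    $self->log(LOGINFO, "deny, $recip is not deliverable");
    return DENY, "No such user here";
}
```

List check_deliverable before rcpt_ok in config/plugins, because the rcpt hook chain stops at the first plugin that returns OK. When qpsmtpd cannot read the qmail files directly, the module's documented alternative is the qmail-deliverabled daemon queried through Qmail::Deliverable::Client, which this example does not cover.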

salvisbe | 19 Jan 22:21 2015

DKIM for mail generated internally by PHP?

Some of my sites have private forums that let members subscribe to get email notifications when new
posts/comments are created. The mails are generated by Drupal/PHP via either `sendmail -t -i` or
`/var/qmail/bin/qmail-inject`. Obviously, neither of those go through qpsmtpd and the dkim plugin,
and the mails go out without any DKIM signature and get refused by GMail and other major providers.

Is there a way to leverage qpsmtpd for locally PHP-generated mail, or do I have to provide a duplicate
outgoing DKIM implementation in qmail?

Hans

Hans Salvisberg | 5 Jan 13:44 2015

Re: Re: Issues in the current HEAD

No, this produces
 
Deep recursion on subroutine "Qpsmtpd::Transaction::DESTROY" at lib/Qpsmtpd.pm line 271.
Deep recursion on subroutine "Qpsmtpd::log" at lib/Qpsmtpd/Transaction.pm line 242.
Deep recursion on subroutine "Qpsmtpd::varlog" at lib/Qpsmtpd.pm line 93.
Deep recursion on subroutine "Qpsmtpd::run_hooks_no_respond" at lib/Qpsmtpd.pm line 105.
Out of memory!
 
Hans
 
Sent: Monday, 05 January 2015 at 01:35
From: "Matt Simerson" <matt <at> tnpi.net>
To: "Hans Salvisberg" <salvisbe <at> gmx.ch>
Cc: "Jared Johnson" <jjohnson <at> efolder.net>, "qpsmtpd <at> perl.org" <qpsmtpd <at> perl.org>
Subject: Re: Issues in the current HEAD
 
On Jan 4, 2015, at 3:38 PM, Hans Salvisberg <salvisbe <at> gmx.ch> wrote:
 
Going to the new HEAD
   b1abc66 - qpsmtpd: Add additional dependency for geoip: Math::Complex. (2015-01-03 18:29:08 +0100)
has brought some relief:
 
Handle 2 now gives me only 7 instances of
 
FATAL PLUGIN ERROR [logging::file_3a7]: Can't call method "notes" on unblessed reference at /home/smtpd/qpsmtpd/plugins/logging/file line 275.
 
anymore, even though I still have 4 file loggers enabled. Plus one
 
5014 XX: Can't call method "notes" on unblessed reference at /home/smtpd/qpsmtpd/plugins/logging/file line 275.
 
And the warn_handler message is indeed gone, at least in my test case! Thanks!
 
Hans
 
 
Seems to be a bug in that logging plugin:
 
    if (   !$self->{_f}
        || !$self->{_nosplit}
        || !$transaction
        || !$transaction->notes('file-logged-this-session'))
 
The last line is 275, and apparently $transaction isn't a reference there. $transaction can be an empty hash defined in ::Qpsmtpd, which seems like a dumb default, as it will cause arrow operations like this one to blow up. Try this and see if it helps:
 
--- a/lib/Qpsmtpd.pm
+++ b/lib/Qpsmtpd.pm
<at> <at> -244,7 +244,10 <at> <at> sub _load_package_plugin {
     return $plug;
 }

 

-sub transaction { return {}; }    # base class implements empty transaction
+sub transaction {
+    eval 'use Qpsmtpd::Transaction';
+    return Qpsmtpd::Transaction->new();
+}

 

 sub run_hooks {
     my ($self, $hook) = (shift, shift);
 
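Review bot: constructing a fresh Qpsmtpd::Transaction on every call to the base-class transaction() is a logic problem rather than a fix: each caller gets a different object, so a note set through one call is never seen by the next (the logging plugin's `$transaction->notes('file-logged-this-session')` test can never become true), and every discarded object runs Transaction::DESTROY, which logs through Qpsmtpd::log and so re-enters the logging plugin; that is exactly the recursion Hans reports at the top of this thread (Transaction::DESTROY -> Qpsmtpd::log -> varlog -> run_hooks_no_respond) ending in "Out of memory!". Keeping `return {}` is no better, since the plugin's `!$transaction` guard cannot catch a non-empty-looking hash reference before `->notes` is called. Suggest returning nothing from the base class (`sub transaction { return; }`) so the existing `!$transaction` check short-circuits, or, if a real object is wanted, caching it in `$self` rather than constructing one per call. The string `eval 'use Qpsmtpd::Transaction'` also swallows any load failure silently; a plain `require Qpsmtpd::Transaction;` at file scope would surface it.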
 
Matt
 
 
 
Sent: Sunday, 04 January 2015 at 06:11
From: "Jared Johnson" <jjohnson <at> efolder.net>
To: "salvisbe <at> gmx.ch" <salvisbe <at> gmx.ch>
Cc: "qpsmtpd <at> perl.org" <qpsmtpd <at> perl.org>
Subject: Re: Issues in the current HEAD

Regarding the warn_handler message, I probably managed to mess up my recently merged https://github.com/smtpd/qpsmtpd/pull/168 for xinetd mode. Unfortunately my availability will be spotty this week. As a temporary fix, you could use a different mode (I recommend prefork) or un-merge that PR. Of course this may be the least of your problems.

On Jan 3, 2015 5:12 PM, salvisbe <at> gmx.ch wrote:
I'm using xinetd according to http://wiki.qpsmtpd.org/doku.php?id=deploy:start, i.e. no daemon mode but just running

exec qpsmtpd


-----Original Message-----
Sent: Saturday, 03 January 2015 at 23:31:06
From: "Jared Johnson" <jjohnson <at> efolder.net>
To: "salvisbe <at> gmx.ch" <salvisbe <at> gmx.ch>
Subject: Re: Issues in the current HEAD

What daemon mode are you using? Prefork?
Hans Salvisberg | 5 Jan 00:48 2015

logging/file's nosplit option is broken

I like configuring a debug log as
 
logging/file:7  loglevel LOGDEBUG   nosplit  tsformat %F_%T  /var/log/qpsmtpd/7-debug-%F_%H%M%S.log
 
In spite of the presence of "nosplit", the logs (with the %S in the filename) are typically broken into three files.
 
 
Incidentally, it would be nice to be able to use the PID in the filename (at least for an xinetd setup :)) to make sure that each connection goes into its own file.
 
Hans
 
Hans Salvisberg | 5 Jan 00:28 2015

Re: Re: Issues in the current HEAD

Hmm...
https://github.com/smtpd/qpsmtpd/wiki/Install.Authentication suggests that you set up authentication without tls (it's commented out in config.sample) and only activate tls in a third step. Only the third page says
 
"Notice now that the previous authentication mechanisms are gone! When SSL is enabled, authentication is not advertised unless the connection is secure. This is a VERY good default, but it can be changed by editing config/tls_before_auth."
 
So, "AUTH" should be there as long as you don't have tls.
 
At the risk of beating a dead horse,
   5c8f6b6 - Merge pull request #181 from jaredj/more-data-respond-tests (2015-01-01 18:59:21 -0800)
would stall after...
 
4729 4729 Loaded logging/warn 6
4729 4729 Connection from ###
4729 4729 (connect) earlytalker: pass, not spontaneous
4729 4729 (connect) relay: skip, no match
4729 4729 (connect) dnsbl: karma -1 (-2)
4729 4729 (connect) dnsbl: fail, NAUGHTY, zen.spamhaus.org
4729 4729 220 ### ESMTP qpsmtpd 0.95/v0.94-310-g5c8f6b6 ready; send us your mail, but not your spam.
4729 4729 dispatching EHLO [192.168.123.13]
4729 4729 250-### Hi ###
4729 4729 250-PIPELINING
4729 4729 250-8BITMIME
 
... and then time out later with...
 
4729 FATAL PLUGIN ERROR [logging::file_3a7]: Can't call method "notes" on unblessed reference at /home/smtpd/qpsmtpd/plugins/logging/file line 275, <STDIN> line 1.
4729 4729 (post-connection) connection_time: 101.698 s.
 
Note the missing "STARTTLS" above. Maybe it wasn't specifically "AUTH" missing but just the last option ("AUTH" if no tls, "STARTTLS" if with tls).
 
The new current HEAD
   3db87b8 - Merge pull request #188 from msimerson/dbm-default-perm (2015-01-04 14:40:38 -0600)
does not have this problem anymore, both with the same config!
 
So I'm on HEAD/3db87b8 now.
 
Hans
 
Sent: Sunday, 04 January 2015 at 06:44
From: "Matt Simerson" <matt <at> tnpi.net>
To: salvisbe <at> gmx.ch
Cc: qpsmtpd <at> perl.org
Subject: Re: Issues in the current HEAD

> On Jan 3, 2015, at 7:17 AM, salvisbe <at> gmx.ch wrote:
>
> Hi,
>
> I'm a long-time happy user of qpsmtpd with a small site, and right now I'm in the process of setting up my site on a new server and reinstalling qpsmtpd. I want to use auth_imap, which is in HEAD but not in 0.94, so I decided to try HEAD, but HEAD is broken: it does not announce "AUTH" at all. So I went for commit ee01a07 (2014-12-22 15:01:12 -0800), except for the following issue:

That's a feature. By default, QP only advertises AUTH if there's an AUTH provider AND the connection is secured. See the contents of config/tls_before_auth

Matt
Hans Salvisberg | 4 Jan 18:34 2015

Re: Re: Issues with the dmarc/dkim plugins

I've set rlimit_as=UNLIMITED (8GB in the host) and this hasn't made any difference.
 
Actually, the culprit is not dkim but dmarc. Commenting out dmarc lets the mails come in.
 
(I can't try it the other way around, because dmarc crashes if dkim isn't active.)
 
Hans
 
Sent: Sunday, 04 January 2015 at 03:21
From: "Matt Simerson" <matt <at> tnpi.net>
To: "salvisbe <at> gmx.ch" <salvisbe <at> gmx.ch>
Cc: "qpsmtpd <at> perl.org" <qpsmtpd <at> perl.org>
Subject: Re: Issues with the dmarc/dkim plugins

DKIM needs more RAM, bump up to at least 256MB.

Matt



> On Jan 3, 2015, at 5:10 PM, salvisbe <at> gmx.ch wrote:
>
> I'm having a fatal issue with the dmarc plugin: when it's enabled then I get "Out of memory!" when trying to receive mail from
> -- gmail
> -- check-auth <at> verifier.port25.com
> -- checkmyauth <at> auth.returnpath.net
>
> I'm not passing any parameters to dmarc, and upping the memory limit from 128MB to 196MB in the xinetd configuration file has not made any difference. This occurs with all of the following versions:
> -- ee01a07 (2014-12-22 15:01:12 -0800),
> -- a515e2b (2014-12-30 13:58:21 -0800), and
> -- HEAD
>
>
> Seeing that there were changes in dkim/dmarc between ee01a07 and a515e2b, I've decided to try the latter and that one still advertises "AUTH". This puts the AUTH breakage into the last 10 commits.
>
>
> There's a minor issue with dkim, too: check-auth <at> verifier.port25.com reports "permerror (no usable key records)". However, it also says:
>
> NOTE: DKIM checking has been performed based on the latest DKIM specs
> (RFC 4871 or draft-ietf-dkim-base-10) and verification may fail for
> older versions. If you are using Port25's PowerMTA, you need to use
> version 3.2r11 or later to get a compatible version of DKIM.
>
> The other two test hosts say "pass", so I'm not sure where the problem is.
salvisbe | 4 Jan 02:10 2015

Issues with the dmarc/dkim plugins

I'm having a fatal issue with the dmarc plugin: when it's enabled then I get "Out of memory!" when trying to
receive mail from
  -- gmail
  -- check-auth <at> verifier.port25.com
  -- checkmyauth <at> auth.returnpath.net

I'm not passing any parameters to dmarc, and upping the memory limit from 128MB to 196MB in the xinetd
configuration file has not made any difference. This occurs with all of the following versions:
  -- ee01a07 (2014-12-22 15:01:12 -0800),
  -- a515e2b (2014-12-30 13:58:21 -0800), and
  -- HEAD

Seeing that there were changes in dkim/dmarc between ee01a07 and a515e2b, I've decided to try the latter
and that one still advertises "AUTH". This puts the AUTH breakage into the last 10 commits.

There's a minor issue with dkim, too: check-auth <at> verifier.port25.com reports "permerror (no usable key
records)". However, it also says:

NOTE: DKIM checking has been performed based on the latest DKIM specs
(RFC 4871 or draft-ietf-dkim-base-10) and verification may fail for
older versions.  If you are using Port25's PowerMTA, you need to use
version 3.2r11 or later to get a compatible version of DKIM.

The other two test hosts say "pass", so I'm not sure where the problem is.

salvisbe | 3 Jan 23:06 2015

invalid_localhost test in helo plugin?

How can this ever pass when receiving mail from the outside?

sub invalid_localhost {
    my ($self, $host) = @_;
    if ($self->is_localhost($self->qp->connection->remote_ip)) {
        $self->log(LOGDEBUG, "pass, is localhost");
        return;
    }
    if ($host && lc $host eq 'localhost') {
        $self->log(LOGDEBUG, "pass, host is localhost");
        return;
    };

    #$self->log( LOGINFO, "fail, not localhost" );
    return "You are not localhost", "invalid localhost";
}

What is the relation between the helo and fcrdns plugins? Isn't helo doing everything and more than fcrdns does?

salvisbe | 3 Jan 18:10 2015

summarize broken in HEAD

summarize is broken, too, in HEAD as well as in commit ee01a07 (2014-12-22 15:01:12 -0800):

syntax error at ./summarize line 209, near "$message)
      "
syntax error at ./summarize line 211, near "$message)"
Execution of ./summarize aborted due to compilation errors.

I'm puzzled by the error message though, because I don't see what could be wrong.

