
zeitform qmail toaster

Description

qmail is a secure, reliable, efficient and simple MTA written by Dan J. Bernstein. It has been security bug free since 1998 and is freely available.

Vanilla qmail, however, offers no security mechanisms such as SMTP authentication or SSL/TLS. It supports RBLs via tcpserver, but has no anti-spam features such as checking the envelope sender or tarpitting SMTP connections, and it has no hook for virus scanners or spam filters. Last but not least, it lacks a number of nice-to-have features.

Nevertheless qmail is one of the best choices for running an MTA.

There are several patches and patch collections that add single or multiple extensions to qmail. The zeitform qmail toaster is another one. Check what we provide and use this patch if it fits your needs. You are welcome.


Feature Overview

The zeitform qmail toaster adds the following features to qmail:

Anti-Spam and Anti-Virus

Security Enhancements

Other Enhancements

Bugfixes and Workarounds

All features marked [*] are also included in netqmail-1.05.


Download

Download the following files:


Installation

Install qmail as explained in Life with qmail.

If everything works correctly, apply the patch inside the qmail-1.03 source directory, rebuild and reinstall:

cd qmail-1.03
patch -p0 < ../zeitform-qmail-toaster-0.21.patch
make
make setup check

Usage and Configuration

The zeitform qmail toaster adds or modifies the following configuration files:

Table 1: configuration files (relative to /var/qmail/control)

signatures          signatures of executable content to block
badhelo             regular expressions matching bad HELO strings
badmailfrom         regular expressions matching bad senders
badmailto           regular expressions matching bad recipients
databytes           maximum message size for incoming SMTP (announced via SIZE)
clientcert.pem      SSL certificate used when acting as SMTP client
servercert.pem      SSL certificate used when acting as SMTP server
dh1024.pem          1024 bit DH parameters
dh512.pem           512 bit DH parameters (export-grade ciphers only)
rsa512.pem          512 bit RSA key (export-grade ciphers only)
clientca.pem        CAs trusted for client certificate authentication
clientcrl.pem       CRLs checked during client certificate authentication
tlsclients          e-mail addresses accepted for client certificate authentication
tlsclientciphers    openssl cipher string used on the client side
tlsserverciphers    openssl cipher string used on the server side
tlshosts/*          certificates of remote servers for which authentication is required

The 512 bit DH and RSA files serve only the export-grade cipher suites. Keys of that size are far too weak by current standards, so exclude export ciphers from tlsserverciphers and tlsclientciphers instead of generating these files.

And it adds the following environment variables:

Table 2: environment variables

EXECUTABLEOK   disables the blocking of executable content listed in control/signatures
QMAILQUEUE     path to a qmail-queue replacement
DATABYTES      overrides control/databytes
NOBADHELO      disables the checking of HELO strings
SMTPS          runs the session over TLS from the start (SMTPS) instead of via STARTTLS

Block executable attachments

The blocking of executable attachments is controlled by the configuration file control/signatures. This file contains BASE64 signatures of the MIME attachments you want to block. To create your own signatures, look at the raw mail and copy the significant leading characters of the attachment's first (base64-encoded) line into the control file. The following example blocks Windows executables; the signatures for ZIP archives are included but commented out, since they would also block legitimate ZIP attachments:

cat <<EOF >/var/qmail/control/signatures
# Windows executables seen in active virii
TVqQAAMAA
TVpQAAIAA
# Additional windows executable signatures not yet 
# seen in virii
TVpAALQAc
TVpyAXkAX
TVrmAU4AA
TVrhARwAk
TVoFAQUAA
TVoAAAQAA
TVoIARMAA
TVouARsAA
TVrQAT8AA
# .ZIPfile signature seen in SoBig.E and mydoom:
#UEsDBBQAA
#UEsDBAoAAA
EOF

To disable the blocking of executables, set the environment variable EXECUTABLEOK (to any value), for example in a tcpserver rule for trusted hosts.
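As an added example (not the patch's own code, which performs this check inside qmail-smtpd), the following Python shows how a control-file entry is derived from the leading bytes of a file and how the documented rule, compare the first line of each base64 attachment with the list, classifies a message. The signature file, the MZ header bytes and the mail are constructed for the example.

```python
import base64
import email

# Constructed stand-in for /var/qmail/control/signatures (same syntax:
# one base64 prefix per line, '#' starts a comment).
SIGNATURES_FILE = """\
# Windows executables (MZ header)
TVqQAAMAA
TVpQAAIAA
# ZIP archives, disabled because they would block every ZIP attachment
#UEsDBBQAA
"""

# First 16 bytes of a typical Windows executable (DOS stub header);
# constructed sample data for this example.
MZ_STUB = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"


def load_signatures(text):
    """Parse the control file: skip blank lines and '#' comments."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def signature_for(header_bytes, length=9):
    """Derive a control-file entry from the leading bytes of a file.

    Nine base64 characters encode the first six bytes plus the top bits
    of the seventh, enough to pin down an MZ or PK header."""
    return base64.b64encode(header_bytes).decode("ascii")[:length]


def build_mail(attachment_name, attachment_bytes):
    """Construct a raw multipart message carrying one base64 attachment."""
    head = (
        b"From: sender@example.com\r\n"
        b"To: victim@example.net\r\n"
        b"Subject: constructed test message\r\n"
        b"MIME-Version: 1.0\r\n"
        b'Content-Type: multipart/mixed; boundary="XX"\r\n'
        b"\r\n"
        b"--XX\r\n"
        b"Content-Type: text/plain\r\n"
        b"\r\n"
        b"see attachment\r\n"
        b"--XX\r\n"
    )
    part = (
        b'Content-Type: application/octet-stream; name="%s"\r\n'
        % attachment_name.encode("ascii")
        + b"Content-Transfer-Encoding: base64\r\n\r\n"
        + base64.b64encode(attachment_bytes) + b"\r\n"
    )
    return head + part + b"--XX--\r\n"


def blocked_attachments(raw_message, signatures):
    """Apply the documented rule: take the first line of every base64
    attachment body and block the part when that line starts with one of
    the signatures. Returns (filename, signature) pairs for blocked parts."""
    msg = email.message_from_bytes(raw_message)
    hits = []
    for part in msg.walk():
        if part.get("Content-Transfer-Encoding", "").lower() != "base64":
            continue
        payload = part.get_payload(decode=False)     # still base64 text
        first_line = payload.lstrip("\r\n").split("\n", 1)[0].strip()
        for sig in signatures:
            if first_line.startswith(sig):
                hits.append((part.get_filename(), sig))
                break
    return hits


if __name__ == "__main__":
    sigs = load_signatures(SIGNATURES_FILE)
    print("MZ signature:", signature_for(MZ_STUB))
    print(blocked_attachments(build_mail("invoice.exe", MZ_STUB + b"\x00" * 48), sigs))
```

The check is a prefix match on the encoded text, so an attachment that is wrapped in a second layer (a ZIP, a password-protected archive, or uuencode instead of base64) is not caught; that is what the QMAILQUEUE hook and a real scanner are for.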

Using a qmail-queue replacement

To use a replacement for qmail-queue, set the environment variable QMAILQUEUE to the path of the replacement. A good example is Qmail-Scanner, which runs all incoming messages through one or more virus scanners (such as Clam AntiVirus or a variety of commercial products) and/or SpamAssassin for spam filtering.

Checking the Envelope-From

If you receive mail from user@domain.com and the mail cannot be delivered to the recipient, it must be bounced. If domain.com does not exist, the bounce cannot be delivered either and qmail generates a double bounce.

As most spammers fake the sender address, often with a non-existent one, it is reasonable to check whether the domain of the Envelope-From exists.

If domain.com cannot be resolved via DNS, qmail will not accept the message for delivery. Note that this only verifies that the sender domain resolves; it says nothing about whether the mailbox exists.
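The following Python illustrates the decision this check has to make. It is an added example, not the patch's code, and it resolves names through an injected stub table so it runs offline; the SMTP codes and the lookup order MX, then A, then AAAA are choices of the example, since the page does not document what qmail-smtpd answers. The caveat worth keeping in mind: a temporary DNS failure must produce a 4xx reply so the sending host retries, not a permanent rejection.

```python
# Constructed DNS data so the example runs offline:
# (name, rrtype) -> records. Names absent from the table do not exist.
FAKE_DNS = {
    ("example.com", "MX"): ["10 mail.example.com."],
    ("example.com", "A"): ["192.0.2.25"],
    ("nomx.example", "A"): ["192.0.2.10"],    # reachable via A record only
}
# Names whose lookup times out (simulated temporary DNS failure).
FLAKY = {"timeout.example"}


def stub_resolve(name, rrtype):
    """Stand-in resolver: returns a (possibly empty) record list, raises
    TimeoutError for a temporary failure and LookupError for NXDOMAIN."""
    if name in FLAKY:
        raise TimeoutError(name)
    if not any(n == name for n, _ in FAKE_DNS):
        raise LookupError(name)
    return FAKE_DNS.get((name, rrtype), [])


def check_envelope_from(mail_from, resolve=stub_resolve):
    """Decide what to answer to MAIL FROM:<mail_from>.

    Returns (verdict, smtp_code). The null sender is always accepted,
    because bounces use it. MX is tried first, then A and AAAA, mirroring
    how a bounce would actually be routed back. A temporary DNS failure
    yields 451 so the peer retries; only definite non-existence yields 553.
    """
    addr = mail_from.strip().strip("<>")
    if addr == "":
        return ("accept", 250)
    if "@" not in addr:
        return ("reject", 553)        # unqualified sender, no domain to check
    domain = addr.rsplit("@", 1)[1].lower()
    saw_tempfail = False
    for rrtype in ("MX", "A", "AAAA"):
        try:
            if resolve(domain, rrtype):
                return ("accept", 250)
        except TimeoutError:
            saw_tempfail = True       # remember it, try the other types
        except LookupError:
            break                     # NXDOMAIN: the other types cannot exist
    return ("tempfail", 451) if saw_tempfail else ("reject", 553)


if __name__ == "__main__":
    for sender in ("user@example.com", "<user@nomx.example>", "user@nonexistent.invalid",
                   "user@timeout.example", "<>"):
        print(f"MAIL FROM:<{sender.strip('<>')}> -> {check_envelope_from(sender)}")
```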

Tarpitting

Regular users do not send messages to a large number of recipients; spammers do. To make life a bit more uncomfortable for spammers, tarpitting inserts a small delay between accepted recipients. With this feature qmail can be configured to insert such delays once a certain number of recipients is exceeded.

Checking HELO-strings, Senders and Recipients with Regular Expressions

Vanilla qmail can reject incoming mail based on a list of bad senders in the file control/badmailfrom, but does not support regular expressions.

With this patch control/badmailfrom is extended to understand regular expressions, and the files control/badmailto and control/badhelo are added, holding regex-based lists of bad recipients and bad HELO strings. A leading ! negates an entry, i.e. the entry matches when the regular expression does not. For further details see the file README.qregex. Some examples:

# example for "badhelo"
# block host strings with no dot (not a FQDN)
!\.
# example for "badmailfrom"
# drop everything containing the word spam
.*spam.*
# force users to fully qualify themselves
# (ie deny "user", accept "user@domain")
!@
# example for "badmailto"
# must not contain invalid characters, brackets or multiple @'s
[!%#:*^(){}]
@.*@
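To show how those three lists behave on real input, here is an added Python model of the matching (example code, not the qregex patch itself). It uses the example entries above as constructed control files; the ! negation is taken from the badhelo and badmailfrom examples, while case-insensitive matching is a choice of this example, as the page does not say how the patch handles case.

```python
import re

# Constructed control-file contents, copied from the examples above.
BADHELO = r"""
# block host strings with no dot (not a FQDN)
!\.
"""
BADMAILFROM = r"""
# drop everything containing the word spam
.*spam.*
# force users to fully qualify themselves
!@
"""
BADMAILTO = r"""
# must not contain invalid characters, brackets or multiple @'s
[!%#:*^(){}]
@.*@
"""


def load_rules(text):
    """Parse one control file: one regular expression per line, '#' lines
    are comments, a leading '!' negates the rule (block when the pattern
    does NOT match). Case-insensitive matching is a choice of this example."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        negate = line.startswith("!")
        pattern = line[1:] if negate else line
        rules.append((negate, re.compile(pattern, re.IGNORECASE)))
    return rules


def first_blocking_rule(value, rules):
    """Return the control-file line that blocks `value`, or None if it passes.
    re.search is used, so an unanchored pattern matches anywhere in the
    string (which is why '.*spam.*' and plain 'spam' behave the same)."""
    for negate, rx in rules:
        matched = rx.search(value) is not None
        if matched != negate:
            return ("!" if negate else "") + rx.pattern
    return None


def reject_stage(helo, mail_from, rcpt_to):
    """Walk one SMTP transaction through the three lists and return the
    (command, rule) pair that rejects it, or None if all three pass."""
    for stage, value, rules in (("HELO", helo, load_rules(BADHELO)),
                                ("MAIL FROM", mail_from, load_rules(BADMAILFROM)),
                                ("RCPT TO", rcpt_to, load_rules(BADMAILTO))):
        hit = first_blocking_rule(value, rules)
        if hit is not None:
            return (stage, hit)
    return None


if __name__ == "__main__":
    print(reject_stage("pc", "bob@example.com", "alice@example.com"))
    print(reject_stage("mail.example.com", "bob@spammer.example", "alice@example.com"))
    print(reject_stage("mail.example.com", "bob@example.com", "a@b@example.com"))
```

Because the patterns are unanchored, an entry such as .*spam.* also rejects legitimate addresses like spamfilter@example.org; anchor patterns (^ and $) when you mean a whole address.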

SMTP and POP3 Protocol Extensions

SMTP AUTH adds authentication to the SMTP protocol, and to qmail-smtpd in particular. This enables selective relaying for users on dynamic IP addresses. The applied patch supports the SASL mechanisms PLAIN, LOGIN and CRAM-MD5. PLAIN and LOGIN transmit the password merely base64-encoded, i.e. effectively in the clear, and should only be used inside a STARTTLS-protected session.

SMTP SIZE adds the SIZE command to qmail. By default qmail limits the size of incoming messages to the number of bytes given in control/databytes, but does not announce this limit. SMTP clients that honour the SIZE value will not even start the DATA phase for larger messages, which saves traffic.

STARTTLS adds SSL/TLS encryption to the SMTP session after the command is issued. Please see README.tls for details and configuration issues.

Example:

220 mail.zeitform.de ESMTP
EHLO host.de
250-mail.zeitform.de
250-STARTTLS
250-AUTH LOGIN CRAM-MD5 PLAIN
250-AUTH=LOGIN CRAM-MD5 PLAIN
250-PIPELINING
250-8BITMIME
250 SIZE 50000000

POP3 CAPA is a command that lists the capabilities of a POP3 server. Vanilla qmail does not offer this command; it is needed to advertise the available AUTH mechanisms.

POP3 AUTH offers SASL authentication via CRAM-MD5. This is not strictly necessary, since APOP already avoids sending the password in the clear, but some clients only support CRAM-MD5, and its HMAC construction is considered stronger than the plain MD5 concatenation of APOP. Note that both mechanisms require the server to keep the password in recoverable form, and neither encrypts the session itself. Using CRAM-MD5 authentication with vpopmail required a patch for vchkpw.

Example:

+OK <23137.1078842811@guildenstern.zeitform.de>
CAPA
+OK Capability list follows
TOP
UIDL
LAST
USER
APOP
SASL CRAM-MD5
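As an added illustration of what the AUTH mechanisms advertised above (for SMTP and for POP3 alike) put on the wire, the Python below is example code, not part of the patch: PLAIN only base64-encodes the password, while CRAM-MD5 answers a server challenge with an HMAC-MD5 so the password itself never travels. The challenge and response from RFC 2195 serve as the known-answer check, and the server-side verifier shows why the server needs the cleartext (or an equivalent) password; the user table is constructed for the example.

```python
import base64
import hashlib
import hmac


def plain_response(user, password, authzid=""):
    """SASL PLAIN (LOGIN amounts to the same thing): base64 of
    authzid NUL authcid NUL password. Base64 is encoding, not encryption."""
    return base64.b64encode(f"{authzid}\0{user}\0{password}".encode()).decode()


def decode_plain(response_b64):
    """What a passive listener on an unencrypted session recovers."""
    _authzid, user, password = base64.b64decode(response_b64).decode().split("\0")
    return user, password


def cram_md5_response(user, password, challenge_b64):
    """Client side of CRAM-MD5 (RFC 2195): answer the server's base64
    challenge with base64('user' SP hex(HMAC-MD5(password, challenge)))."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def decode_cram(response_b64):
    """Split a CRAM-MD5 response into (user, hex digest)."""
    user, _, digest = base64.b64decode(response_b64).decode().partition(" ")
    return user, digest


def verify_cram_md5(response_b64, challenge_b64, lookup_password):
    """Server side. lookup_password(user) must return the cleartext
    password (or None): the digest can only be recomputed from a
    plaintext-equivalent secret, so the server cannot store a salted hash."""
    user, digest = decode_cram(response_b64)
    secret = lookup_password(user)
    if secret is None or len(digest) != 32:
        return False
    challenge = base64.b64decode(challenge_b64)
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


# Known-answer pair from RFC 2195 section 2 (user "tim", secret "tanstaaftanstaaf").
RFC2195_CHALLENGE = base64.b64encode(
    b"<1896.697170952@postoffice.reston.mci.net>").decode()
RFC2195_DIGEST = "b913a602c7eda7a495b4e6e7334d3890"
# A different, constructed challenge: a captured response must not verify against it.
OTHER_CHALLENGE = base64.b64encode(b"<23137.1078842811@guildenstern.zeitform.de>").decode()

# Constructed user database for the server side of the example.
USERS = {"tim": "tanstaaftanstaaf"}


if __name__ == "__main__":
    p = plain_response("tim", "tanstaaftanstaaf")
    print("PLAIN :", p, "-> decodes to", decode_plain(p))
    c = cram_md5_response("tim", "tanstaaftanstaaf", RFC2195_CHALLENGE)
    print("CRAM  :", c, "-> verified:", verify_cram_md5(c, RFC2195_CHALLENGE, USERS.get))
    print("replayed against another challenge:", verify_cram_md5(c, OTHER_CHALLENGE, USERS.get))
```

The replay check at the end is the point of the challenge: a recorded CRAM-MD5 response is useless against a fresh challenge, whereas a recorded PLAIN or LOGIN exchange is the password. Neither mechanism protects the mail itself, which is what STARTTLS is for.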

For further information on the protocols POP3 and SMTP:

vpopmail support

The zeitform qmail toaster adds Maildir++ quota support to qmail. This improves the interoperability with vpopmail.

If a message arrives for a recipient address that has no valid user associated with it (neither as POP3 account nor as forward to a different address), vpopmail may deliver it to a catch-all account (e.g. postmaster) or bounce it as undeliverable (bounce-no-mailbox). With the chkuser patch this check is done at SMTP level, i.e. right after the client issues the RCPT TO command. If the message would be undeliverable, qmail-smtpd answers with an error instead of accepting the message and generating a bounce. Given the amount of spam, and the backscatter that bouncing to forged senders produces, this is the better approach.

RCPT TO:<non-existant@domain.com>
550 sorry, no mailbox here by that name (#5.1.1 - chkusr)

License

Most of the patches within the zeitform qmail toaster are from other people. Most of them did not include any copyright or license information. So if you are in trouble, contact them for their lines of code.

This documentation and the merging of all patches was done by us. So we have some copyright after all. Where it applies, the license is either the GNU GPL or the GNU FDL, whichever fits better.

THE PATCH IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE PATCH OR THE USE OR OTHER DEALINGS IN THE PATCH.


References and Credits

The zeitform qmail toaster uses the patches, code or advice from a variety of people (in alphabetical order). The original patches are given as reference where it is possible.