summaryrefslogtreecommitdiff
path: root/sqmail-4.3.07/man/qmail-remote.8
diff options
context:
space:
mode:
Diffstat (limited to 'sqmail-4.3.07/man/qmail-remote.8')
-rw-r--r--sqmail-4.3.07/man/qmail-remote.8806
1 files changed, 0 insertions, 806 deletions
diff --git a/sqmail-4.3.07/man/qmail-remote.8 b/sqmail-4.3.07/man/qmail-remote.8
deleted file mode 100644
index 363c972..0000000
--- a/sqmail-4.3.07/man/qmail-remote.8
+++ /dev/null
@@ -1,806 +0,0 @@
-.TH s/qmail: qmail-remote 8
-.SH NAME
-qmail-remote \- send mail via SMTP(S) or QMTP(S)
-.SH SYNOPSIS
-.B qmail-remote
-.I host
-.I sender
-.I recip
-[
-.I recip ...
-]
-.SH DESCRIPTION
-.B qmail-remote
-reads a mail message from its input
-and sends the message
-to one or more recipients
-at a remote host.
-
-The remote host is
-.BR qmail-remote 's
-first argument,
-.IR host .
-.B qmail-remote
-sends the message to
-.IR host ,
-or to a mail exchanger for
-.I host
-listed in the Domain Name System,
-via the Simple Mail Transfer Protocol (SMTP/ESMTP)
-perhaps encrypted via STARTTLS/TLS
-or the Quick Mail Transfer Protocol (QMTP/QMTPS).
-Prior of setting up a TLS connection,
-.B qmail-remote
-will lookup automatically the corresponding TLSA
-record in the DNS and uses this for X.509 certificate
-validation.
-.I host
-can be either a fully-qualified domain name:
-
-.EX
- silverton.berkeley.edu
-.EE
-
-or an IPv4 or IPv6 address enclosed in brackets:
-
-.EX
- [128.32.183.163]
- [2001::163]
-.EE
-
-In case the primary mail exchanger for that Domain
-will issue a 5xy reply message during the connection,
-.B qmail-remote
-will contact all responsible mail exchangers in turn
-in order to deliver the message anyway.
-
-The envelope recipient addresses are listed as
-.I recip
-arguments to
-.BR qmail-remote .
-The envelope sender address is listed as
-.I sender\fP.
-
-In case the remote host issues the EHLO SIZE extension,
-.I qmail-remote
-will handover the size of the message (in byte)
-prior of transmission and respects the remote host's reply code.
-
-Note that
-.B qmail-remote
-does not take options
-and does not follow the
-.B getopt
-standard.
-.SH "TRANSPARENCY"
-End-of-file in SMTP is encoded as dot CR LF.
-A dot at the beginning of a line is encoded as dot dot.
-It is impossible in SMTP to send a message that does not end with a newline.
-.B qmail-remote
-respects SMTPUTF8 and EAI addresses
-and converts the UNIX newline convention into the
-SMTP newline convention by inserting CR before each LF.
-
-.SH "RESULTS"
-.B qmail-remote
-prints some number of
-.I recipient reports\fP,
-followed by a
-.I message report\fR.
-Each report is terminated by a 0 byte.
-Each report begins with a single letter:
-.TP 5
-r
-Recipient report: acceptance.
-.TP 5
-h
-Recipient report: permanent rejection.
-.TP 5
-s
-Recipient report: temporary rejection.
-.TP 5
-K
-Message report: success.
-.I host
-has taken responsibility for delivering the message to each
-acceptable recipient.
-.TP 5
-Z
-Message report: greylisted or temporary failure.
-.TP 5
-D
-Message report: permanent failure.
-.PP
-After this letter comes a human-readable description of
-what happened.
-
-.B qmail-remote
-may use SMTP Authenticaton to connect to remote hosts.
-The following reports are provided:
-.TP 5
-K
-no supported AUTH s/qmail: method found, continuing without authentication.
-.TP 5
-Z
-Connected to
-.I host
-but authentication was rejected (AUTH s/qmail: PLAIN).
-.TP 5
-Z
-Connected to
-.I host
-but unable to base64encode (plain).
-.TP 5
-Z
-Connected to
-.I host
-but authentication was rejected (plain).
-.TP 5
-Z
-Connected to
-.I host
-but authentication was rejected (AUTH s/qmail: LOGIN).
-.TP 5
-Z
-Connected to
-.I host
-but unable to base64encode user.
-.TP 5
-Z
-Connected to
-.I host
-but authentication was rejected (username).
-.TP 5
-Z
-Connected to
-.I host
-but unable to base64encode pass.
-.TP 5
-Z
-Connected to
-.I host
-but authentication was rejected (AUTH s/qmail: CRAM-MD5).
-.TP 5
-Z
-Connected to
-.I host
-but unable to base64decode challenge.
-.TP 5
-Z
-Connected to
-.I host
-but unable to base64encode username+digest.
-.TP 5
-Z
-Connected to
-.I host
-but authentication was rejected (username+digest).
-.PP
-The recipient reports will always be printed in the same order as
-.BR qmail-remote 's
-.I recip
-arguments.
-Note that in failure cases there may be fewer
-recipient reports
-than
-.I recip
-arguments.
-.PP
-In case a CNAME can not be resovled
-.B qmail-remote
-issues the following message:
-.TP 5
-Z
-CNAME lookup failed temporarily for:
-.IR host .
-.PP
-If a SMTP connection is bound to a none-existing IP address
-.B qmail-remote
-will complain with the message:
-.TP 5
-Z
-System resources temporarily unavailable.
-.TP 5
-Z
-System can't bind to local ip address:
-.IR ip .
-.PP
-In case a QMTP connection can not be established
-.B qmail-remote
-will issue the error message:
-.TP 5
-Z
-recipient
-.I host
-did not talk proper QMTP.
-.PP
-On demand
-.B qmail-remote
-supports TLS/STARTTLS and will log the following notifications:
-.TP 5
-K
-TLS transmitted message accepted
-.TP 5
-K
-TLS (verfied CA) transmitted message accepted
-.TP 5
-K
-TLS (verified CA+DN*) transmitted message accepted
-.TP 5
-K
-TLS (verified CA+DN) transmitted message accepted
-.TP 5
-K
-TLS (CERT pinning) transmitted message accepted
-.TP 5
-K
-TLS (TLSA validated) transmitted message accepted
-.PP
-.B qmail-remote
-needs to read some X.509 certificates and key files
-prior of setting up a TLS connection. Failures are indicated as:
-.TP 5
-Z
-Can't load X.509 certificate:
-.IR certfile .
-.TP 5
-Z
-Can't load X.509 private key:
-.IR keyfile .
-.TP 5
-Z
-Keyfile does not match X.509 certificate:
-.IR password .
-.TP 5
-Z
-I wasn't able to process the TLS ciphers:
-.IR ciphers .
-.TP 5
-Z
-I wasn't able to setup CAFILE:
-.I cafile
-or CADIR:
-.I cadir
-for TLS.
-.PP
-Connection problems for TLS are not uncommon.
-Here,
-.I host
-is the domain or host to connect with and
-.I remotehost
-is the corresponding MX.
-.B
-qmail-remote
-provides the following diagnostic messages:
-.TP 5
-Z
-I wasn't able to create TLS context for:
-.I host
-at
-.IR remotehost .
-.TP 5
-Z
-I wasn't able to establish a TLS connection with:
-.I remotehost
-for
-.IR host .
-.TP 5
-Z
-TLS connection/protocol error with host:
-.I remotehost
-for
-.IR host .
-.TP 5
-Z
-I wasn't able to negotiate a StartTLS connection with:
-.I remotehost
-for
-.IR host .
-.PP
-For each MX to reach via TLS,
-.B qmail-remote
-performs an automatic TLSA lookup comparing the received
-X.509 fingerprints with the issued cert during the TLS handshake.
-X.509 certificate checks can also been performed. Failures here
-are given as:
-.TP 5
-Z
-Unable to obtain X.500 certificate from:
-.I remotehost
-for
-.IR host .
-.TP 5
-Z
-Unable to validate X.500 certificate Subject for:
-.I host
-at
-.IR remotehost .
-.TP 5
-Z
-TLSA X.509 cert required but missing from:
-.I remotehost
-for
-.IR host .
-.TP 5
-Z
-Received X.500 certificate from:
-.I remotehost
-for
-.I host
-does not match provided fingerprint:
-.IR hashvalue .
-.TP 5
-Z
-Received X.500 certificate from:
-.I remotehost
-for
-.I host
-posses an unknown digest method.
-.PP
-.SH "CONTROL FILES"
-.TP 5
-.I authsenders
-Authenticated sender.
-For each
-.I sender
-included in
-.IR authsenders :
-.I sender\fB:\fIrelay\fB;\fI[s]port\fB|\fIuser\fB|\fIpassword
-.B qmail-remote
-will try SMTP Authentication
-of type CRAM-MD5, LOGIN, or PLAIN
-with the provided user name
-.I user
-and password
-.I password
-(the authentication information)
-and eventually relay the
-mail through
-.I relay
-on port
-.IR port .
-If
-.I port
-is given als or prepended with
-.I s
-like
-.I s587
-\'implicit TLS\' is used omitting StartTLS upon connection.
-The use of
-.I relay
-and
-.I port
-follows the same rules as for
-.IR smtproutes
-Note: In case
-.I sender
-is empty,
-.B qmail-remote
-will try to deliver each outgoing mail
-SMTP authenticated. If the authentication
-information is missing, the mail is
-delivered none-authenticated.
-.I authsenders
-can be constructed as follows:
-
-.EX
- @example.com:relay.example.com|user|passwd
- info@example.com:relay.example.com;26|infouser|infopasswd
- :mailrelay.example.com|e=mc2|testpass
-.EE
-.TP 5
-.I domaincerts
-In case
-.B qmail-remote
-needs to present a client certificate to the server
-(for authentication purposes) the PEM encoded
-X.509 certificate can be provided per sending domain:
-.IR domain\fB:\fIcertificate\fB|\fIkeyfile\fB|\fIpassword .
-If
-.I domain
-equals '*' this
-.I certificate
-is used as default.
-The file
-.I certificate
-may include the private key, thus
-.I keyfile
-can be omitted. Additionally, the private key can be protected with a
-.IR password .
-
-.TP 5
-.I domainips
-IP addresses to be used for outgoing connections.
-Each line has the form
-.IR domain\fB:\fIlocalip(%ifname)\fB|\fIhelohost ,
-without any extra spaces.
-If
-.I domain
-matches the domain part in
-.IR sender ,
-.B qmail-remote
-will bind to
-.IR localip
-when connecting to
-.IR host .
-LLU IPv6 addresses need to be appended with the binding
-.IR ifname
-following
-.IR localip
-with a '%'.
-If it matches, it will set the provided HELO string as greeting;
-otherwise, it will use the default.
-.I domain
-can be the wildcard
-.I *
-in which case
-.B qmail-remote
-binds to the provided address for any sender domain name.
-.TP 5
-.I helohost
-Current host name,
-for use solely in saying ehlo/hello to the remote SMTP server.
-Default:
-.IR me ,
-if that is supplied;
-otherwise
-.B qmail-remote
-refuses to run.
-.TP 5
-.I qmtproutes
-Additional QMTP routes which have precedence over
-.IR smtproutes .
-QMTP routes should obey the form
-.IR domain\fB:\fIrelay\fB;\fIport ,
-without any extra spaces.
-.I qmtproutes
-follows the same syntax as
-.IR smtproutes .
-By default,
-.B qmail-remote
-connects to QMTP service port 209. However
-you can chose a dedicated high-port for QMTP communication
-as defined in
-.IR qmtproutes .
-In case the QMTP port is chosen to be
-.I 6209
-the TLS secured QMTPS protocol will be used,
-irrespectively of the settings in
-.IR tlsdestinations .
-.TP 5
-.I smtproutes
-Artificial SMTP routes.
-Each route has the well-known form
-.I domain\fB:\fIrelay
-or the enhanced syntax
-.I domain\fB:\fIrelay;\fI[s]port\fB|\fIuser\fB|\fIpassword|localip
-without any extra spaces.
-If
-.I domain
-matches
-.IR host ,
-.B qmail-remote
-will connect to
-.IR relay ,
-as if
-.I host
-had
-.I relay
-as its only MX.
-(It will also avoid doing any CNAME lookups on
-.IR recip .)
-.I host
-may include a semi-colon and a port number to use instead of the
-normal SMTP port, 25.
-If
-.I port
-is given as or prepended with
-.I s
-\'implicit TLS\' is assumed.
-In case, a userid and password is
-present,
-.B qmail-remote
-will try a SMTP authenticated session:
-
-.EX
- inside.af.mil:firewall.af.mil;26
- :submission.myrelay.com;s587|myuserid|mypasswd
-.EE
-
-However,
-.I authsenders
-routes have precedence.
-
-.I relay
-may be empty;
-this tells
-.B qmail-remote
-to look up MX records as usual.
-.I smtproutes
-may include wildcards:
-
-.EX
- .af.mil:
- :heaven.af.mil
-.EE
-
-Here
-any address ending with
-.B .af.mil
-(but not
-.B af.mil
-itself)
-is routed by its MX records;
-any other address is artificially routed to
-.BR heaven.af.mil .
-
-The outgoing IP address used by
-.B qmail-remote
-can be specified:
-
-.EX
- :bouncehost.org||10.1.1.0
- :partnermx.net;42||2001::fefe
-.EE
-
-Note:
-.I localip
-can be private IP address subject of NAT'ing.
-
-Additionally,
-.I smtproutes
-allows to forward bounces (with a 'Nullsender' MAIL FROM: <>)
-literally expressed as '!@'
-to a particular bounce host:
-
-.EX
- !@:bouncehost.af.mil;27
-.EE
-
-The
-.B qmail
-system does not protect you if you create an artificial
-mail loop between machines.
-However,
-you are always safe using
-.I smtproutes
-if you do not accept mail from the network.
-.TP 5
-.I timeoutconnect
-Number of seconds
-.B qmail-remote
-will wait for the remote SMTP server to accept a connection.
-Default: 60.
-The kernel normally imposes a 75-second upper limit.
-.TP 5
-.I timeoutremote
-Number of seconds
-.B qmail-remote
-will wait for each response from the remote SMTP server.
-Default: 1200.
-.TP 5
-.I tlsdestinations
-If present, this file advices
-.B qmail-remote
-to use TLS (optionally or mandatory) encryption for specific destination domains
-as provided by the forward-path and to validate/verify
-the server certificate perhaps for a particular sender's domain:
-.I destination:cafile|ciphers|verifydepth;[s]port|domain
-or
-.IR destination:=fingerprint|ciphers|verifydepth;[s]port|domain .
-Unless explicitely configured,
-.B qmail-remote
-accepts any or no certificate provided by the server (opportunistic encryption)
-using the following (single character) rules:
-
-.EX
- (0) *: # Enable TLS but fallback to NOTLS (default);
- server authentication is optional, given further settings
-.EE
-
-Special settings:
-
-.EX
- (1) ?: # fallthru to no TLS in case of TLS protocol errors (exceptional)
- (2) -: # allow anonymous connections
- (3) /: # disable TLSA lookup and verification
-.EE
-
-Double character rules instruct
-.B qmail-remote
-to require a STARTTLS or SMTPS connection (mandatory TLS):
-
-.EX
- (4) -*: # at least anonymous connections
- (5) +*: # require and validate X.509 certs
- (6) ~*: # cert + validate SAN/DN, however accept wildcard certs and partial matching
- (7) =*: # cert + validate SAN/DN against FQDN
- (8) /*: # don't do TSLA lookup and X.509 matching
-.EE
-
-Additionally,
-.B qmail-remote
-can be told to use per-domain connection settings:
-
-.EX
- (9) example.com:
- (10) securityfirst.com:/etc/ssl/cafile|!SSLv2:HIGH
- (11) remote.com:/etc/ssl/certdir/||3;465
- (12) mx.partner.com:/etc/ssl/partnerca||2|mydomain.net
- (13) =mx.myfriend.com:/etc/ssl/cacert||4
- (14) ~wildneighbor.net:
- (15) -adhonlydomain.com:||aNULL:!kRSA
- (16) %peer.partner.com:=E44194C56EF.....
- (17) !nosslhost.example.com:
- (18) hiddenpartner.org:;35
- (19) ?tlsold.net:
- (20) /nodane.org:
-.EE
-
-The ninth line requires from
-.B qmail-remote
-to demand a STARTTLS connection for any destination
-address targeting domain
-.IR example.com .
-
-The tenth line accepts STARTTLS connections
-for
-.I securityfirst.com
-only, if the X.509 certificate can be verified against
-the CA cert as provided via
-.I /etc/ssl/cafile
-and with the acceptable ciphers
-.IR SSLv2:HIGH .
-
-Line number eleven tells
-.B qmail-remote
-to use a
-.I SMTPS
-connection on port
-.I 465
-to any host at
-.I remote.com
-and accept this host only, if the peer's cert
-can be validated against the CA certs available
-in
-.I /etc/ssl/certdir/
-and does not exceed a verification depth of
-.IR 3 .
-
-Line twelve shows an example, how
-.I tlsdestinations
-can be bound exclusively to a sender domain. In the shown case,
-only if
-.I mx.mydomain.net
-is used as sender domain,
-a connection for the destination address
-.I mx.partner.com
-is mandatory secured by TLS with a CA cert available as
-.I /etc/ssl/partnerca
-with a verification depth of
-.IR 2 .
-
-Furthermore, the sample on line thirteen demonstrates the case where
-.B qmail-remote
-sees a destination address concatinated with
-.IR = .
-Now it will only accept the certificate,
-if the X.509's DN can be validated
-against the FQDN of the server (by means of a DNS lookup)
-and it verifies against the
-.IR cacert
-CA certificate and does not exceed a verification depth of
-.IR 1 .
-
-In case a certain
-.I destination
-may use 'wildcard' domain names in the SAN/DN,
-.B qmail-remote
-can cope with this (line fourteeen)
-prepending the destination with a '~':
-.IR ~wildneighor.net .
-This mechanism also supports partial matching
-of SAN/DN and domain name.
-
-In the same sense (line fiveteen),
-.B qmail-remote
-may accept TLS connections based on Anonymous DH (ADH)
-- where the server does not provide a cert for authentication -
-once the domain name is prepended with a
-.I -
-as key encryption cipher and discards
-.I !RSA
-for authentication if told so.
-
-Certificate pinning for a particular
-.I %host
-indicated by the leading character '%' is shown on line sixteen.
-Instead of the CA file, now the
-.I =fingerprint
-of the peer host certificate needs to be provided.
-The X.509 fingerprint
-should prepended with an equal sign ('=') and to
-be stripped from additional colons (':'). The fingerprint
-string is evaluated case-insensitive.
-.BR qmail-remote 's
-certificate pinning supports SHA1, SHA224, SHA256, and SHA512
-digests, determined by the length of the fingerprint given.
-
-Note, that in this case, no TLSA validation is performed;
-it is thus a 'silent' verification'.
-.B qmail-remote
-can be instructed to omit the STARTTLS command for the recipient address
-.I nosslhost.example.com
-as indicated with a leading
-.I !
-as shown on line seventeen. This behavior can be relaxed (line nineteen) using
-.I ?
-followed by a colon, a host, or domain name. Now
-.B qmail-remote
-will initally try a TLS connection by however is alllowed to switch back
-to none-encryption mode, in case this is not possible due
-protocol reasons.
-
-.B qmail-remote
-allows an \'implicit TLS\' connection on any port, if
-.I port
-is prended with an
-.I s
-even without providing the port.
-
-In case, no particular ciphers or CA certs are
-required, a colon/semi-colon ':;' can be used as shortcut (line eighteen).
-Generally, any port can be provided after the semi-colon.
-If however,
-.I port
-equals
-.IR 465 ,
-SMTPS will be used instead of STARTTLS and if
-.I port
-equals
-.IR 6209 ,
-QMTPS is the chosen transport protocol.
-The settings here overrule previous instructions.
-
-Finally, TLSA lookups can be disabled, prepending a
-domain name with
-.I /
-for the target domain as shown on line twenty.
-
-Note that 'destination' is subject of the
-forwarding rules as provided by
-.IR authsenders ,
-.IR qmtproutes ,
-and
-.IR smtproutes .
-.SU "ADDENDUM"
-.B qmail-remote
-needs to read the message from a file in order
-to announce the
-.I SIZE
-in the SMTP dialogue.
-However, if called through a pipe, it will not
-provide this information to the receiving MTA.
-More severe, a delivery over
-.I QMTP(S)
-will fail.
-.SH "RETURN CODES"
-.B qmail-remote
-always exits
-.I 0
-for SMTP(S) delivery.
-In case of QMTP(S)
-.I 1
-is returned in case a buffer feed fails and
-.I 0
-otherwise.
-.SH "SEE ALSO"
-addresses(5),
-envelopes(5),
-qmail-control(5),
-qmail-send(8),
-qmail-smtpd(8),
-qmail-smtpam(8),
-qmail-dksign(8),
-qmail-dkim(8),
-qmail-tcpto(8)