1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
|
README - qmail-smtpd RECIPIENTS extension
=========================================
1. Scope:
qmail-smtpd accepts messages if the SMTP domain part of
recipient address ("RCPT to: <recip@domain>") matches an
entry in control/rcpthosts or control/morercpthosts.cdb.
The existence of a mailbox/maildir for the corresponding
SMTP recipient is checked later in the delivery chain.
In case no Mailbox/Maildir exists, the message is bounced
back to the SMTP sender ("MAIL From: <send@example.com>").
For normal SMTP mail traffic thats fine as long as the rate
of undeliverable messages dont exceed 10% and the sender is
'legitmate'; ie. exists.
Todays situation is different: Spam and Virus attacks with
forged/faked sender addresses to a bunch of random
recipient addresses yield a undeliverable rate up to 90%.
Worse, the generated bounces will never reach the sender and
a double-bounce is eventually send to the postmaster.
2. qmail-smtpd RECIPIENTS:
The RECIPIENTS extension makes qmail-smtpd aware of acceptable
recipients, which are fetched from an external source.
Which source to query depends on the domain-part of the
recipient address.
- The recipients are kept either in 'fastforward' compatible
cdbs for quick lookup during the SMTP session, or
- are available by means of a 'checkpassword' compatible
Plugable Authentication Module (PAM).
The RECIPIENTS mechanism supports natively Qmail's address
extensions (VERP). If a recipient address like 'foo@mydomain.com'
defined, all VERP addresses like 'foo-bar@mydomain.com' are
accepted for SMTP reception.
The RECIPIENTS lookup is triggered by the recipient domain, thus
is domain-specific. The domain-part of the envelope address
is evaluated in lower case. You can specify which lookup is performed
per domain within control/recipients. Consider the following:
a) An entry 'example.com' is used to match 'example.com' and
in addition all subdomain addresses '*.example.com';
depending in addition on 'control/rcpthosts'.
b) An entry '@example.com' serves as exact match for the
domain address.
c) The entry '*' will match all domains for the respective lookup.
d) Reversely, domains flagged as '!domain.com' are not queried
and all recipients for this domain are accepted.
e) A 'fail-open' behaviour can be achieved adding '!*' as last
statement in control/recipients. Thus, emails for domains not
listed in control/recipients will finally be accepted.
Thus, the RECIPIENTS extension can be used in a 'fail-closed' or
'fail-open' mode for the domains included in control/recipients.
Without including '!*' on the last line, the recipient check is done
'fail-closed', thus if all queries are negative, the incoming email
with this recipient address will be rejected.
The RECIPIENTS check is done only in a none-RELAYCLIENT case
and after control/rcpthosts, control/morercpthosts.cdb has been
successfully consulted.
NOTE: The new wilddomain mechanism superseeds the old cdb-only
wilddomain syntax (which is not working anymore).
The PAM should be in your $PATH or referenced with full path.
3. Setting up the recipients control file:
Release 0.5 the RECIPIENTS extension provides a flexible
new syntax to interprete control/recipients on a domain
base, as part of the RCPT TO: envelope address.
a) Read 'man qmail-smtpd' and 'man qmail-recipients.'
Some additional scripts can be found in doc.
b) Legacy:
Put 'recipients.cdb' into control/recipients.
This is a backward compatible mode.
c) Per Domain cdbs:
Put 'example.com:example.cdb' in
control/recipients and you advise the
RECIPIENTS extension to do a per-domain lookup.
d) Global cdbs:
Use '*:users/recipients.cdb' in
control/recipients.
This is equivalent to (1.).
e) Per Domain PAM:
Put 'example.com|checkpassword true'
into control/recipients and the RECIPIENT
extension will use the program defined
after the "|" to check the existence of
the provided RCPT TO.
f) Global PAM:
Put '*|ldapam myldapserver' into
control/recipients and you delegate the entire
verification of the RCPT TO to the program in charge.
g) Wildcarded domain:
Prepend the domain name with a '!' and
emails for this domain will be entirely accepted:
'!localhost'.
h) Pass-Thru for unlisted domains:
Use '!*' as last statement in control/recipients.
Lines in control/recipients starting with a '#'
are not evaluated, thus are treated as comment lines.
4. Generating a cdb with recipient addresses:
a) Build a list of recipients (with full qualified address).
- Use 'qmail-pwd2recipients' to build this list for
local system users.
- Use 'qmail-alias2recipients' to build this list for
qmail alias users (ie. postmaster, root).
- Use 'qmail-users2recipients' to build this list for
qmail users (as per users/assign).
- You can use 'qmail-vpopmail2recipients' for
vpopmail users.
Verify that list to be found under users/recipients.
If you have a different Qmail home directory, modify the
above scripts.
You may need to change "localhost" in the above scripts
to the real hostname.
b) Run qmail-recipients to transform that list into a cdb:
users/recipients.cdb
c) After the successful generation of the recipients.cdb
you can rename it to your taste.
d) Edit control/recipients and
include users/recipients.cdb therein.
e) If you have 'fastforward' cdbs (those which are generated
by 'setforward') you have to place the output somewhere
in a subdirectory under Qmail's home directory and
include those into control/recipients.
At that time, your control/recipients file may look like:
mydomain.com:control/mydomain.cdb
users/recipients.cdb
etc/fastforward.cdb
f) You can add an arbitary number of cdbs to control/recipients.
Any change regarding control/recipients and/or the content
of the cdbs is effective on the fly.
5. VERP support
The RECIPIENTS extension allows now per default VERP support.
The local part of the recipient addresses is truncted AFTER
the character defined as AUTO_BREAK and only the first part
of the address (plus domain) is used for the evaluation.
a) If you run EZMLM, you have to set up a list of recipient
addresses for all your mailing lists.
b) Simply put the full qualified list name apppended with the VERP
charcater into the recipients database (or into the LDAP dir).
c) Sample: If your list is called:
mylist@example.com
define
mylist-@example.com
This makes VERP addresses distinguishable from normal addresses.
d) In order to support generic and VERP addresses, you have to
add both address schemes into the recipient database:
me@example.com
me-@example.com
6. Using a checkpassword compatible PAM:
The checkpassword API is defined in:
http://cr.yp.to/checkpwd/interface.html
and typically consists of the string:
username\0password\0timestamp\0otherdata\0
written to file descriptor 3 (FD 3) to be read by the
checkpassword compatible PAM.
For email address (recipient) verification, we replace
username\0
with
email-address\0
ie.
recipient@domain.tld\0
The PAM fetches this information and checks for it's
existance in any external resource, for example a LDAP
directory or a SQL database.
The PAM returns a '0' in case of successful verification,
otherwise a '1'; and perhaps a '111' in case of problems.
RECIPIENT's checkpassword API allows to enter up to five
additional arguments; which are specific to the PAM.
The attached PERL ldap_mail.pl serves as a sample.
7. Customization:
The RECIPIENTS extension needs no customization except for
the following circumstances:
a) You may need to adjust the provided scripts
'qmail-pwd2recipients', 'qmail-users2recipients', and
'qmail-alias2recipient' to your need; these are samples.
b) The script 'qmail-vpopmail2recipients' is contributed
by David Du SERRE-TELMON, pls. check whether it
suits your vpopmail installation.
c) A phyton script to generate "Recipients" users out of
- /var/qmail/users/assign
- /var/qmail/alias
-/etc/aliases
and the vpopmail's virtual users can be found at:
http://www.epigenomics.org/software/oss/qmail/create_recipients.py
Contributed by Robert Sander
Erwin Hoffmann (www.fehcom.de) - Cologne 2009-09-02
|
