path: root/man/qmail-remote.8

.TH s/qmail: qmail-remote 8
.SH NAME
qmail-remote \- send mail via SMTP(S) or QMTP(S)
.SH SYNOPSIS
.B qmail-remote
.I host
.I sender
.I recip
[
.I recip ...
]
.SH DESCRIPTION
.B qmail-remote
reads a mail message from its input
and sends the message
to one or more recipients
at a remote host.

The remote host is
.BR qmail-remote 's
first argument,
.IR host .
.B qmail-remote
sends the message to
.IR host ,
or to a mail exchanger for
.I host
listed in the Domain Name System,
via the Simple Mail Transfer Protocol (SMTP/ESMTP) 
perhaps encrypted via STARTTLS/TLS
or the Quick Mail Transfer Protocol (QMTP/QMTPS).
Prior of setting up a TLS connection, 
.B qmail-remote 
will lookup automatically the corresponding TLSA
record in the DNS and uses this for X.509 certificate
validation.
.I host
can be either a fully-qualified domain name:

.EX
     silverton.berkeley.edu
.EE

or an IPv4 or IPv6  address enclosed in brackets:

.EX
     [128.32.183.163]
     [2001::163]
.EE
 
In case the primary mail exchanger for that Domain
will issue a 5xy reply message during the connection,
.B qmail-remote
will contact all responsible mail exchangers in turn
in order to deliver the message anyway.

The envelope recipient addresses are listed as
.I recip
arguments to
.BR qmail-remote .
The envelope sender address is listed as
.I sender\fP.

In case the remote host issues the EHLO SIZE extension,
.I qmail-remote
will handover the size of the message (in byte) 
prior of transmission and respects the remote host's reply code.

Note that
.B qmail-remote
does not take options
and does not follow the
.B getopt
standard.
.SH "TRANSPARENCY"
End-of-file in SMTP is encoded as dot CR LF.
A dot at the beginning of a line is encoded as dot dot.
It is impossible in SMTP to send a message that does not end with a newline.
.B qmail-remote
respects SMTPUTF8 and EAI addresses 
and converts the UNIX newline convention into the 
SMTP newline convention by inserting CR before each LF.

.SH "RESULTS"
.B qmail-remote
prints some number of 
.I recipient reports\fP,
followed by a
.I message report\fR.
Each report is terminated by a 0 byte.
Each report begins with a single letter:
.TP 5
r
Recipient report: acceptance.
.TP 5
h
Recipient report: permanent rejection.
.TP 5
s
Recipient report: temporary rejection.
.TP 5
K
Message report: success.
.I host
has taken responsibility for delivering the message to each
acceptable recipient.
.TP 5
Z
Message report: greylisted or temporary failure.
.TP 5
D
Message report: permanent failure.
.PP
After this letter comes a human-readable description of
what happened.

.B qmail-remote
may use SMTP Authenticaton to connect to remote hosts.
The following reports are provided:
.TP 5
K
no supported AUTH s/qmail: method found, continuing without authentication.
.TP 5
Z
Connected to 
.I host
but authentication was rejected (AUTH s/qmail: PLAIN).
.TP 5
Z
Connected to 
.I host 
but unable to base64encode (plain).
.TP 5
Z
Connected to 
.I host
but authentication was rejected (plain). 
.TP 5
Z
Connected to
.I host
but authentication was rejected (AUTH s/qmail: LOGIN).
.TP 5
Z
Connected to 
.I host
but unable to base64encode user.
.TP 5
Z
Connected to 
.I host 
but authentication was rejected (username).
.TP 5
Z
Connected to 
.I host 
but unable to base64encode pass.
.TP 5
Z
Connected to
.I host
but authentication was rejected (AUTH s/qmail: CRAM-MD5).
.TP 5
Z
Connected to
.I host
but unable to base64decode challenge.
.TP 5
Z
Connected to
.I host
but unable to base64encode username+digest.
.TP 5
Z
Connected to
.I host
but authentication was rejected (username+digest).
.PP
The recipient reports will always be printed in the same order as
.BR qmail-remote 's
.I recip
arguments.
Note that in failure cases there may be fewer
recipient reports
than
.I recip
arguments.
.PP
In case a CNAME can not be resovled 
.B qmail-remote
issues the following message:
.TP 5
Z
CNAME lookup failed temporarily for:
.IR host . 
.PP
If a SMTP connection is bound to a none-existing IP address
.B qmail-remote
will complain with the message:
.TP 5
Z
System resources temporarily unavailable.
.TP 5
Z
System can't bind to local ip address:
.IR ip .
.PP
In case a QMTP connection can not be established 
.B qmail-remote
will issue the error message:
.TP 5
Z 
recipient
.I host
did not talk proper QMTP.
.PP
On demand
.B qmail-remote
supports TLS/STARTTLS and will log the following notifications:
.TP 5
K
TLS transmitted message accepted
.TP 5
K
TLS (verfied CA) transmitted message accepted
.TP 5
K
TLS (verified CA+DN*) transmitted message accepted
.TP 5
K
TLS (verified CA+DN) transmitted message accepted
.TP 5
K
TLS (CERT pinning) transmitted message accepted
.TP 5
K
TLS (TLSA validated) transmitted message accepted
.PP
.B qmail-remote 
needs to read some X.509 certificates and key files 
prior of setting up a TLS connection. Failures are indicated as:
.TP 5
Z
Can't load X.509 certificate:
.IR certfile .
.TP 5
Z
Can't load X.509 private key:
.IR keyfile .
.TP 5
Z
Keyfile does not match X.509 certificate:
.IR password .
.TP 5
Z
I wasn't able to process the TLS ciphers:
.IR ciphers .
.TP 5
Z
I wasn't able to setup CAFILE:
.I cafile
or CADIR:
.I cadir
for TLS.
.PP
Connection problems for TLS are not uncommon.
Here, 
.I host
is the domain or host to connect with and
.I remotehost
is the corresponding MX.
.B
qmail-remote
provides the following diagnostic messages:
.TP 5
Z
I wasn't able to create TLS context for:
.I host 
at
.IR remotehost .
.TP 5
Z
I wasn't able to establish a TLS connection with:
.I remotehost 
for 
.IR host .
.TP 5
Z
TLS connection/protocol error with host:
.I remotehost 
for 
.IR host .
.TP 5
Z
I wasn't able to negotiate a StartTLS connection with:
.I remotehost
for
.IR host .
.PP
For each MX to reach via TLS,
.B qmail-remote
performs an automatic TLSA lookup comparing the received
X.509 fingerprints with the issued cert during the TLS handshake.
X.509 certificate checks can also been performed. Failures here 
are given as:
.TP 5
Z
Unable to obtain X.500 certificate from:
.I remotehost
for
.IR host .
.TP 5
Z
Unable to validate X.500 certificate Subject for:
.I host
at
.IR remotehost .
.TP 5
Z
TLSA X.509 cert required but missing from:
.I remotehost 
for
.IR host .
.TP 5
Z
Received X.500 certificate from:
.I remotehost 
for
.I host 
does not match provided fingerprint: 
.IR hashvalue .
.TP 5
Z
Received X.500 certificate from:
.I remotehost 
for
.I host 
posses an unknown digest method.
.PP
.SH "CONTROL FILES"
.TP 5
.I authsenders
Authenticated sender.
For each
.I sender 
included in 
.IR authsenders :
.I sender\fB:\fIrelay\fB;\fI[s]port\fB|\fIuser\fB|\fIpassword 
.B qmail-remote
will try SMTP Authentication 
of type CRAM-MD5, LOGIN, or PLAIN 
with the provided user name
.I user 
and password
.I password 
(the authentication information) 
and eventually relay the 
mail through
.I relay
on port
.IR port .
If 
.I port
is given als or prepended with
.I s
like
.I s587
\'implicit TLS\' is used omitting StartTLS upon connection.
The use of 
.I relay
and 
.I port 
follows the same rules as for
.IR smtproutes 
Note: In case
.I sender
is empty, 
.B qmail-remote
will try to deliver each outgoing mail 
SMTP authenticated. If the authentication
information is missing, the mail is 
delivered none-authenticated.
.I authsenders
can be constructed as follows:

.EX
   @example.com:relay.example.com|user|passwd
   info@example.com:relay.example.com;26|infouser|infopasswd
   :mailrelay.example.com|e=mc2|testpass
.EE
.TP 5
.I domaincerts
In case
.B qmail-remote
needs to present a client certificate to the server 
(for authentication purposes) the PEM encoded 
X.509 certificate can be provided per sending domain:
.IR domain\fB:\fIcertificate\fB|\fIkeyfile\fB|\fIpassword .
If 
.I domain
equals '*' this
.I certificate
is used as default.
The file 
.I certificate 
may include the private key, thus 
.I keyfile
can be omitted. Additionally, the private key can be protected with a
.IR password .

.TP 5
.I domainips
IP addresses to be used for outgoing connections.
Each line has the form
.IR domain\fB:\fIlocalip(%ifname)\fB|\fIhelohost ,
without any extra spaces.
If
.I domain
matches the domain part in
.IR sender ,
.B qmail-remote
will bind to
.IR localip
when connecting to
.IR host .
LLU IPv6 addresses need to be appended with the binding 
.IR ifname
following
.IR localip 
with a '%'.
If it matches, it will set the provided HELO string as greeting; 
otherwise, it will use the default.
.I domain 
can be the wildcard
.I *
in which case 
.B qmail-remote
binds to the provided address for any sender domain name.
.TP 5
.I helohost
Current host name,
for use solely in saying ehlo/hello to the remote SMTP server.
Default:
.IR me ,
if that is supplied;
otherwise
.B qmail-remote
refuses to run.
.TP 5
.I qmtproutes
Additional QMTP routes which have precedence over
.IR smtproutes .
QMTP routes should obey the form
.IR domain\fB:\fIrelay\fB;\fIport ,
without any extra spaces.
.I qmtproutes
follows the same syntax as
.IR smtproutes .
By default, 
.B qmail-remote
connects to QMTP service port 209. However
you can chose a dedicated high-port for QMTP communication
as defined in
.IR qmtproutes .
In case the QMTP port is chosen to be
.I 6209
the TLS secured QMTPS protocol will be used, 
irrespectively of the settings in 
.IR tlsdestinations .
.TP 5
.I smtproutes
Artificial SMTP routes.
Each route has the well-known form
.I domain\fB:\fIrelay 
or the enhanced syntax
.I domain\fB:\fIrelay;\fI[s]port\fB|\fIuser\fB|\fIpassword|localip
without any extra spaces.
If
.I domain
matches
.IR host ,
.B qmail-remote
will connect to
.IR relay ,
as if
.I host
had
.I relay
as its only MX.
(It will also avoid doing any CNAME lookups on
.IR recip .)
.I host
may include a semi-colon and a port number to use instead of the
normal SMTP port, 25. 
If 
.I port
is given as or prepended with
.I s
\'implicit TLS\' is assumed.
In case, a userid and password is
present,
.B qmail-remote
will try a SMTP authenticated session:

.EX
   inside.af.mil:firewall.af.mil;26
   :submission.myrelay.com;s587|myuserid|mypasswd
.EE

However,
.I authsenders
routes have precedence.

.I relay
may be empty;
this tells
.B qmail-remote
to look up MX records as usual.
.I smtproutes
may include wildcards:

.EX
   .af.mil:
   :heaven.af.mil
.EE

Here
any address ending with
.B .af.mil
(but not
.B af.mil
itself)
is routed by its MX records;
any other address is artificially routed to
.BR heaven.af.mil .

The outgoing IP address used by
.B qmail-remote
can be specified:

.EX
   :bouncehost.org||10.1.1.0
   :partnermx.net;42||2001::fefe
.EE

Note: 
.I localip
can be private IP address subject of NAT'ing.

Additionally,
.I smtproutes 
allows to forward bounces (with a 'Nullsender' MAIL FROM: <>)
literally expressed as '!@'
to a particular bounce host:

.EX
   !@:bouncehost.af.mil;27
.EE

The
.B qmail
system does not protect you if you create an artificial
mail loop between machines.
However,
you are always safe using
.I smtproutes
if you do not accept mail from the network.
.TP 5
.I timeoutconnect
Number of seconds
.B qmail-remote
will wait for the remote SMTP server to accept a connection.
Default: 60.
The kernel normally imposes a 75-second upper limit.
.TP 5
.I timeoutremote
Number of seconds
.B qmail-remote
will wait for each response from the remote SMTP server.
Default: 1200.
.TP 5
.I tlsdestinations
If present, this file advices
.B qmail-remote
to use TLS (optionally or mandatory) encryption for specific destination domains
as provided by the forward-path and to validate/verify 
the server certificate perhaps for a particular sender's domain:
.I destination:cafile|ciphers|verifydepth;[s]port|domain 
or
.IR destination:=fingerprint|ciphers|verifydepth;[s]port|domain .
Unless explicitely configured,
.B qmail-remote 
accepts any or no certificate provided by the server (opportunistic encryption)
using the following (single character) rules:

.EX
   (0) *:  # Enable TLS but fallback to NOTLS (default);
             server authentication is optional, given further settings
.EE

Special settings:

.EX
   (1) ?:  # fallthru to no TLS in case of TLS protocol errors (exceptional)
   (2) -:  # allow anonymous connections
   (3) /:  # disable TLSA lookup and verification
.EE

Double character rules instruct
.B qmail-remote
to require a STARTTLS or SMTPS connection (mandatory TLS):
 
.EX
   (4) -*: # at least anonymous connections
   (5) +*: # require and validate X.509 certs
   (6) ~*: # cert + validate SAN/DN, however accept wildcard certs and partial matching
   (7) =*: # cert + validate SAN/DN against FQDN
   (8) /*: # don't do TSLA lookup and X.509 matching
.EE

Additionally, 
.B qmail-remote 
can be told to use per-domain connection settings: 

.EX
   (9) example.com:
  (10) securityfirst.com:/etc/ssl/cafile|!SSLv2:HIGH
  (11) remote.com:/etc/ssl/certdir/||3;465
  (12) mx.partner.com:/etc/ssl/partnerca||2|mydomain.net
  (13) =mx.myfriend.com:/etc/ssl/cacert||4
  (14) ~wildneighbor.net:
  (15) -adhonlydomain.com:||aNULL:!kRSA
  (16) %peer.partner.com:=E44194C56EF.....
  (17) !nosslhost.example.com:
  (18) hiddenpartner.org:;35 
  (19) ?tlsold.net: 
  (20) /nodane.org: 
.EE

The ninth line requires from
.B qmail-remote 
to demand a STARTTLS connection for any destination
address targeting domain
.IR example.com .

The tenth line accepts STARTTLS connections
for
.I securityfirst.com
only, if the X.509 certificate can be verified against
the CA cert as provided via
.I /etc/ssl/cafile 
and with the acceptable ciphers 
.IR SSLv2:HIGH .

Line number eleven tells 
.B qmail-remote
to use a 
.I SMTPS
connection on port
.I 465
to any host at
.I remote.com
and accept this host only, if the peer's cert
can be validated against the CA certs available 
in
.I /etc/ssl/certdir/
and does not exceed a verification depth of
.IR 3 .

Line twelve shows an example, how 
.I tlsdestinations
can be bound exclusively to a sender domain. In the shown case,
only if
.I mx.mydomain.net
is used as sender domain, 
a connection for the destination address
.I mx.partner.com
is mandatory secured by TLS with a CA cert available as
.I /etc/ssl/partnerca 
with a verification depth of
.IR 2 .

Furthermore, the sample on line thirteen demonstrates the case where 
.B qmail-remote
sees a destination address concatinated with
.IR = .
Now it will only accept the certificate,
if the X.509's DN can be validated
against the FQDN of the server (by means of a DNS lookup)
and it verifies against the 
.IR cacert
CA certificate and does not exceed a verification depth of
.IR 1 .

In case a certain
.I destination
may use 'wildcard' domain names in the SAN/DN, 
.B qmail-remote
can cope with this (line fourteeen) 
prepending the destination with a '~':
.IR ~wildneighor.net .
This mechanism also supports partial matching
of SAN/DN and domain name.

In the same sense (line fiveteen), 
.B qmail-remote
may accept TLS connections based on Anonymous DH (ADH)
- where the server does not provide a cert for authentication -
once the domain name is prepended with a 
.I - 
as key encryption cipher and discards 
.I !RSA
for authentication if told so.

Certificate pinning for a particular 
.I %host
indicated by the leading character '%' is shown on line sixteen.
Instead of the CA file, now the
.I =fingerprint
of the peer host certificate needs to be provided. 
The X.509 fingerprint
should prepended with an equal sign ('=') and to 
be stripped from additional colons (':'). The fingerprint
string is evaluated case-insensitive.  
.BR qmail-remote 's
certificate pinning supports SHA1, SHA224, SHA256, and SHA512
digests, determined by the length of the fingerprint given.

Note, that in this case, no TLSA validation is performed;
it is thus a 'silent' verification'.
.B qmail-remote
can be instructed to omit the STARTTLS command for the recipient address
.I nosslhost.example.com 
as indicated with a leading 
.I ! 
as shown on line seventeen. This behavior can be relaxed (line nineteen) using
.I ? 
followed by a colon, a host, or domain name. Now 
.B qmail-remote
will initally try a TLS connection by however is alllowed to switch back
to none-encryption mode, in case this is not possible due 
protocol reasons. 

.B qmail-remote
allows an \'implicit TLS\' connection on any port, if 
.I port
is prended with an 
.I s
even without providing the port.

In case, no particular ciphers or CA certs are
required, a colon/semi-colon ':;' can be used as shortcut (line eighteen).
Generally, any port can be provided after the semi-colon.
If however, 
.I port
equals 
.IR 465 , 
SMTPS will be used instead of STARTTLS and if 
.I port 
equals 
.IR 6209 , 
QMTPS is the chosen transport protocol.
The settings here overrule previous instructions.

Finally, TLSA lookups can be disabled, prepending a
domain name with
.I /
for the target domain as shown on line twenty.

Note that 'destination' is subject of the
forwarding rules as provided by
.IR authsenders ,
.IR qmtproutes  ,
and
.IR smtproutes .
.SU "ADDENDUM"
.B qmail-remote 
needs to read the message from a file in order
to announce the 
.I SIZE
in the SMTP dialogue.
However, if called through a pipe, it will not
provide this information to the receiving MTA.
More severe, a delivery over
.I QMTP(S)
will fail.
.SH "RETURN CODES"
.B qmail-remote
always exits
.I 0
for SMTP(S) delivery. 
In case of QMTP(S)
.I 1
is returned in case a buffer feed fails and
.I 0
otherwise.
.SH "SEE ALSO"
addresses(5),
envelopes(5),
qmail-control(5),
qmail-send(8),
qmail-smtpd(8),
qmail-smtpam(8),
qmail-dksign(8),
qmail-dkim(8),
qmail-tcpto(8)