SPAMCONTROL

SPAMCONTROL is a qmail extension. Though mainly used to filter and control unsolicited commercial E-Mails (UCE/SPAM), since release 2 it includes substantial ESMTP protocol enhancements for qmail.

Features of SPAMCONTROL 2.7

Enhancements for qmail-smtpd

• ESMTP enhancements
• Strict RFC 2821 conformance.
• Reference 'Mail From:' parameter parser, supporting SIZE (RFC 1870) and AUTH options.
• Customizable SMTP Authentication (RFC 2554) support for LOGIN, PLAIN, and CRAM-MD5 including SUBMISSION feature.
• Optional STARTTLS (RFC 2487) support in conjunction with sslserver.
• X.509 client certificate based relaying.
• SMTP envelope Anti-Spam-Tools
• Wildmat Filters for the HELO/EHLO greeting and the 'Mail From: ' in Split-Horizon fashion.
• DNS Lookup for the HELO/EHLO greeting (A/MX) and the domain part of the 'Mail From:' (MX).
• Customizable HELO/EHLO greeting checks supporting smart exceptions.
• Tarpitting and Smart Rejection in case of too many invalid Recipients.
• SPF and RBLSMTPD hook to display information in the email header.
• Mail From: Address Verification (MAV)
• Check, whether for Relayclients the domain part of corresponds to a local address (Reverse Split-Horizon).
• Full control of outgoing Mail From: SMTP envelope addresses in case of a SMTP authenticated user.
• Enhanced control/badmailfrom support
• Wildmat filter.
• 'badmailfromunknown' capabilities.
• Additional 'badmailfromwellknown' filter (ie. 'hotmail.com', 'yahoo.com'), thus the domain part of the address has to match the sending host's domain.
• Anti-spoofing of own addresses.
• Recipients extensions
• control/badrcptto wildmat filter.
• Restricting the number of allowed 'Rcpt To:' per SMTP session.
• Whitelisting: Controlling the reception of mails not only on a control/rcpthosts base but rather on the complete with domain-based, fast, and extensible cdb and /or PAM lookup. including wilddomains and VERP support, as well as fail-open and fail-close behavior.
• Customizable 550 or 450 return messages.
• qmail-smtpam in addition to the ldapam.pl.
• Virus prevention
  • Reference badmimetypes implementation.
  • Additional badloadertypes filter.
  • Qmail High Performance Scanner Interface (QHPSI).
  • Customizable SMTP 554 Reply Message.
• qmail-smtpd logging
• Extensible logging format.
• Logging for failed and accepted SMTP sessions.
• qmail-smtpd gadgets
• Customizable qmail-smtpd 5xy failure return messages.
• Interrogatable SMTP envelope and protocol information.
• Deliverto capability: Mail can be forwarded to any recipient.
• X-RBL-Info: header.

Enhancements for qmail-remote

• Flexible SMTPS and STARTTLS implementation based on UCSPI-SSL libraries.
• Extensible control of SMTP server validation/verification via tlsdestinations.
• Sending Domain based presentation of client X.509 certificate by means of domaincerts.
• Domain-IP feature.
• Bind qmail-remote to available IPs based on Sender address by means of control file domainips.
• Issue specific Helo greeting per Domain-IP.
• QMTP support.
• Additional qmtproutes control files (with delivery precedence of authsenders and smtproutes).
• SMTP Authentication
• Supported are Auth types LOGIN, PLAIN, and CRAM-MD5.
• Additional authsenders control file.
• Authenticated relaying by means of control/smtproutes .
• Fast delivery
• Delivery to any DNS listed MX for that domain instead just the primary.
• Increased read buffer for delivery.
• Bounce Host support:
  • Forward qmail-send bounces to dedicated QMTP hosts.
  • Forward qmail-send bounces to dedicated SMTP hosts.

Enhancements for qmail-pop3d

• STLS support.
• Flexibel demand for TLS encrypted POP3 connections.
• CAPA User announcement (RFC 2449).
• Logging of accepted and rejected session.

Enhancements for qmail-queue

• High speed virus scanner by means of QHPSI.
• Additional QMAILQUEUE (Extra) usage.
• Additional qmail-queue.scan script for virus and spam scanning on a RAM disk.
• BIGTODO support.

Enhancements for qmail-send:

• Restricting the size of bounces.
• Doublebouncetrim.

External enhancements:

• Seamless support for djbdns lib instead libresolv.
• qmail-mrtg interface.
• Newanalyse for log-file processing.

Download

• SPAMCONTROL Version 2.7.33 (final version) (MD5: 8535ac0255e2a83badfd371e9a689b43).
• Previous: SPAMCONTROL Version 2.6.24 (MD5: f1b3a118aa80bfc0352c2b5a1bb467f5).
• Previous: SPAMCONTROL Version 2.5.27 (MD5: 94e9948c3d7dfa25f4e85c90502188c2).
• Patch for clamav 0.9x.y to enable logging to STDERR; this patch might need to be modified for forthcoming ClamAV versions.
• ucspi-ssl providing 'delayed' (i.e. STARTTLS/STLS) TLS support.
• ucspi-tcp6 with IPv6 capabilities, CIDR support and RBLSMTPD promotion to qmail-smtpd.
• badmimetypes (date: 20.8.2010 - including double and triple Base64 encoded Windows executables and some patterns for current trojans).
• badloadertypes (including recognition of KERNEL32.DLL).
• IPv6 support for SPAMCONTROL 2.7.28 contributed by Robert Sandner.

Add-Ons

Available are the following add-ons:

• cmd5checkpw Version 0.30 (MD5: 73dee86cde7759a2a670cf14c34015d1)
  checkpassword compliant PAM to allow CRAM-MD5 authentication for qmail-smtpd.
• newanalyse A must to maintain and analyze the qmail logs; in particular SPAMCONTROL's output.
  newanalyse version 1.80 supports SPAMCONTROL 2.7 !
• qmail-mrtg version 3.01 (MD5: f029e813b8af29b41109c2f134580678)
  Enhanced version of the Qmail MRTG to read qmail-smtpd's logs provided by SPAMCONTROL.
  For a working sample please check FEHCom.net.
  
• A LDAP-Pam (Version 0.9.2) to query the Mail-Attribute for existing Users in the LDAP directory.

UCSPI-SSL Dependencies

qmail-smtpd as well as now qmail-remote will use my version of Superscripts' UCSPI-SSL libraries. Thus, UCSPI-SSL has to be installed before.

Note: In order to succeed with X.509 client certificate relaying, ucspi-ssl version ≥ 0.94 is required (providing option '-m').

Usage

SPAMCONTROL is suited for Internet Mail Gateway using Qmail, not for an end-user trying to get rid of Spam E-Mails.

• SPAMCONTROL should be applied against qmail-1.03 and not netqmail-1.0x because it incorporates most of it's fixes.
• SPAMCONTROL modifies the behavior of qmail-smtpd heavily (far above what was intentionally designed by Dan Bernstein).
• SPAMCONTROL can be customized prior of compilation (conf-XXX).
• SPAMCONTROL supports the AMD64 environment and can be compiled with clang.

Documentation

It is important to have a good understanding of the pros'n'cons using SPAMCONTROL. Please consult the

• detailed README and the
• INSTALL instructions
• in addition, upgraders from SPAMCONTROL 2.6 to 2.7 need to read the Release notes.
  Note: The badmailfrom settings have been slightly enhanced!
  Further note: The BADLMIMETPYE and BADLOADERTYPE environment variable have been extended!
• GREETDELAY is explained here.
• Here's my documentation about SMTP Authentication.
• Some background informations regarding TLS, SMTP with StartTLS and SMTPS is now available in my SMTP and Transport Layer Security (TLS) tutorial.
• This site from Willem Froehling is a good start about TLS (in German language!).
• If you like to know how to secure your TLS connections with qualified Cipher-Suites, Ralf Ertzinger provides the required information.
• Renato Botelho and my contribution explaining the qmail+spamcontrol port for FreeBSD on the EuroBSDCon 2010 in Karlsruhe.
• Heinlein Mailserver-Konferenz (Berlin, 2014): TLS-VERSCHLÜSSELUNG BEI QMAIL/ SPAMCONTROL (German only).

Errata:

• [2.7.33] FINAL release of SPAMCONTROL! Maintenance Fixes:
  • Bug in qmail-smtpd abending in case of TLS required sessions and partner does not negotiate STARTTLS.
  • Bug in qmail-smtpd dropping Auth and TLS state in case of RST from the client.
  • Bug in qmail-remote not handling early Return Code 500 from server.
• [2.7.32] Fixed TLSv1 negotiation error for qmail-remote;
  disables SSLv2/SSLv3 connections for qmail-remote (Poodle bug in SSL).
• [2.7.31] Fixed bug in UCSPI="!" promotion to qmail-smtpd.
  Fixed wrong call of 'received.c' in qmail-qmqtd and qmail-qmqpd.
  Supports for qmail-pop3d/qmail-popup now the same UCSPI set of variables.
  Added support of X.509 client certificate based authentication for qmail-smtpd.
• [2.7.30] Fixed severe bug for qmail-smtpd logging due to missing declaration of variabels (AMD64 only) in case of SMTP Auth.
      Improved BADMIMETYPE and BADLOADERTYPE handling.
      Fixed a (common) bug evaluating domainips and domaincerts control files.
      Added additional HELO greeting feature in domainips.
• [2.7.29] Recovered 'lost' multiple MX connectivity; added CAPA=User announcement (MacOS X Mavericks).
• [2.7.28] Fixed segfault bug in qmail-smtpd after rejection of spam/virus mails due to missing declaration of variables during logging.
  Updated qmail-queue.scan script.
• [2.7.27] Added 'Anonymous Diffie-Hellman' ADH support for qmail-remote.
  New parameter for control/tlsdestinations "-domain:"; domain may be '*'.
• [2.7.26] Added POSIX compliant <utmpx.h> support for qbiff.c (required by FreeBSD 9.1).
  Note: In order to access qmail's man-pages under FreeBSD 9.1 add the following file into /usr/local/etc/man.d/:
  echo "MANPATH /var/qmail/man" > /usr/local/etc/man.d/qmail.conf
• [2.7.25] Fixed (C/)R conversion bug for qmail-smtpd;
      added provisional Greylisting recognition for qmail-remote.
• [2.7.24] Streamlined with qmail-authentication 0.8.1.
• [2.7.23] Fixed some residual integration bugs and streamlined/updated docs;
      added badmail from mismatched domains; SPF hook working now,
      aligned with SMTP Authentication 0.8 to provided authenticated smarthost relaying.
• [2.7.20] Integration bug: installation stops with missing man/man3 and man/cat3 directory.
      Workaround: Simply create those and continue installation.
• [2.7.20] TLS vulnerability VU#555316 is fixed.
• [2.6.24] Includes the RECIPIENTS bug fix for wilddomains. Last public version of the 2.6 development cycle.
• [2.5.27] Last public version of release 2.5.

---

• [FEHCom]
• [Impressum]
• [News]
• [top]