Qmail TLS + SMTP Plugins on FreeBSD
One of the worst problems in qmail is that it accepts messages for nonexistent users and then sends a bounce back to the sender. This is the perfect setup to be exploited by a spammer. I'm using the qmail-tls port configured with vpopmail on FreeBSD.
There might be some patches that make qmail use the vpopmail command line tools directly to check if a user exists before accepting messages, but I either didn't find them or thought that using the SMTP Plugins patch is more elegant and gives me more flexibility (it might be slower, but this was not a high-traffic server so I didn't care).
The SMTP plugins patch adds hooks at all SMTP stages, and the plugins can use those hooks to accept or reject a message based on the data in the SMTP commands sent by the sender.
I used the Qmail-SPP - Vpopmail check user Script written by Werner Maier.
The only problem was that I had to patch the source code for qmail-tls with the qmail-spp patch and there were quite a few rejects because of the other patches applied by the FreeBSD ports system.
I managed to adapt the code to make this patch work and here is how I did it...
First I built the original FreeBSD port:
- cd /usr/ports/mail/qmail-tls
- make config # pick the options you want here ... I needed tls, smtpd-auth, vpopmail and a few others
- make install
This also installs the files, so after applying the qmail-spp patch we only need to copy the modified file (qmail-smtpd).
The next step is to download qmail-spp into /usr/ports/mail/qmail-tls/work and apply its patch.
- cd work
- tar -xzpf qmail-spp-0.42.tar.gz
- cd qmail-1.03
- patch -p1 < ../qmail-spp-0.42/qmail-spp-smtpauth-tls-20060105.diff
This will give you some rejects, but don't worry, because you'll fix them with my next patch: Qmail-tls-spp-FreeBSD patch-0.1 (4.73 KB)
- patch < qmail-tls-spp-freebsd.patch
- /usr/local/etc/rc.d/svscan stop
- cp qmail-smtpd /var/qmail/bin
- /usr/local/etc/rc.d/svscan start
At this point qmail-smtpd should have SMTP plugins working and we can set up the vpopmail user verifier script.
- cd /var/qmail
- mkdir plugins
- fetch http://www.maiers.de/qmail/vpopmail_check_recipient.sh
- chown root:qmail vpopmail_check_recipient.sh
- chmod 755 vpopmail_check_recipient.sh
Now edit vpopmail_check_recipient.sh and make sure the correct paths to the vpopmail directory (/home/vpopmail on FreeBSD) are set in the script.
To test it, connect to the SMTP server and try to send a message to a nonexistent account. You should see a reject message instead of the usual "ok".
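To show what a recipient check at the RCPT stage involves, here is a small plugin written for this page as an added example; it is not Werner Maier's script and not code from the original post. It assumes that qmail-spp passes the recipient in the SMTPRCPTTO environment variable and treats a stdout line starting with "E" as a rejection message, that vpopmail's vuserinfo exits non-zero for an unknown mailbox, and that hosted domains are listed in /var/qmail/control/virtualdomains; the function names are hypothetical.

```shell
#!/bin/sh
# Constructed example of a qmail-spp [rcpt] plugin; not Werner Maier's script.
# Assumed interface: the recipient arrives in $SMTPRCPTTO, and a stdout line
# beginning with "E" makes qmail-smtpd refuse the RCPT with that text.
VPOPMAIL_BIN="${VPOPMAIL_BIN:-/home/vpopmail/bin}"   # vpopmail path on FreeBSD
VIRTUALDOMAINS="${VIRTUALDOMAINS:-/var/qmail/control/virtualdomains}"

# True when the domain is one vpopmail hosts (exact string match, no regex).
is_local_domain() {
    [ -r "$VIRTUALDOMAINS" ] || return 1
    awk -F: -v d="$1" 'tolower($1) == d { found = 1 } END { exit !found }' \
        "$VIRTUALDOMAINS"
}

# True when vpopmail knows the mailbox (assumed: non-zero exit if unknown).
# Aliases and catch-all accounts are not covered by this single lookup.
mailbox_exists() {
    "$VPOPMAIL_BIN/vuserinfo" "$1" >/dev/null 2>&1
}

# Prints the plugin reply for one recipient; prints nothing to accept.
check_rcpt() {
    addr=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    # The address is sender-controlled: apply a strict allow-list before it
    # reaches any command line (a leading "-" would be read as an option).
    case "$addr" in
        *[!a-z0-9@._+=-]*|-*|*@*@*|@*|*@)
            echo "E553 sorry, malformed recipient address (#5.1.3)"
            return 0 ;;
        *@*) ;;
        *)  return 0 ;;                 # no domain part: leave it to qmail
    esac
    is_local_domain "${addr#*@}" || return 0   # not hosted here: no opinion
    mailbox_exists "$addr" ||
        echo "E550 sorry, no mailbox here by that name (#5.1.1)"
    return 0
}

# Act as a plugin only when qmail-smtpd has set the variable.
if [ -n "${SMTPRCPTTO:-}" ]; then check_rcpt "$SMTPRCPTTO"; fi
```

The allow-list is deliberately narrow; widen it only if your mailbox names need other characters.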