Tag Archives: freebsd

Qmail TLS + SMTP Plugins on FreeBSD

Problem

One of the worst problems with qmail is that it accepts messages for non-existent users and only afterwards sends a bounce back to the sender. This is a perfect setup for a spammer to exploit, because the bounces go to whatever sender address the spammer forged. I'm using the qmail-tls port configured with vpopmail on FreeBSD.

Solution

There may be patches that make qmail call the vpopmail command-line tools directly to check whether a user exists before accepting a message, but either I didn't find them or I decided that the SMTP Plugins patch is more elegant and gives me more flexibility (it may be slower, but this was not a high-traffic server, so I didn't care).

The SMTP plugins patch adds hooks at every SMTP stage, and plugins can use those hooks to accept or reject a message based on the data in the SMTP commands sent by the client.
I used the Qmail-SPP - Vpopmail check user script written by Werner Maier.

The only problem was that I had to patch the qmail-tls source with the qmail-spp patch, and there were quite a few rejects because of the other patches applied by the FreeBSD ports system.
I managed to adapt the code to make this patch work, and here is how I did it...

First I built the original FreeBSD port:

  cd /usr/ports/mail/qmail-tls
  make config   # pick the options you want here... I needed tls, smtpd-auth, vpopmail and a few others
  make
  make install

This also installs the files; after we apply the spp patch we only need to copy the modified binary (qmail-smtpd).
The next step is to download the qmail-spp patch into /usr/ports/mail/qmail-tls/work and apply it.

  cd work
  tar -xzpf qmail-spp-0.42.tar.gz
  cd qmail-1.03
  patch -p1 < ../qmail-spp-0.42/qmail-spp-smtpauth-tls-20060105.diff

This will produce some rejects, but don't worry, you'll fix them with my next patch: Qmail-tls-spp-FreeBSD patch-0.1 (4.73 KB)

  patch < qmail-tls-spp-freebsd.patch
  make
  /usr/local/etc/rc.d/svscan stop
  cp qmail-smtpd /var/qmail/bin
  /usr/local/etc/rc.d/svscan start

At this point qmail-smtpd should have SMTP plugins working, and we can set up the vpopmail user verifier script.

  cd /var/qmail
  mkdir plugins
  fetch http://www.maiers.de/qmail/vpopmail_check_recipient.sh
  chown root:qmail vpopmail_check_recipient.sh
  chmod 755 vpopmail_check_recipient.sh

Now edit vpopmail_check_recipient.sh and make sure the paths to the vpopmail directory (/home/vpopmail on FreeBSD) are set correctly in the script.

To test it, connect to the SMTP port and try to send a message to a nonexistent account; you should see a reject message instead of the usual "ok".
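Here is the same test as an added example script (not from the original post or from qmail-spp): it stops after RCPT TO and never sends DATA, so no message is queued, and reports whether the MTA rejected the unknown mailbox or accepted it (which means it would bounce later). The host, port and sender address are parameters you supply; the bogus mailbox name is generated on the spot.

```python
"""Probe whether an MTA rejects unknown recipients at RCPT time.

An MTA that answers 250 to RCPT TO for a mailbox that does not exist will
accept the message and bounce it afterwards (backscatter). This probe only
runs MAIL FROM / RCPT TO and then RSETs, so nothing is ever delivered.
"""
import smtplib
import uuid
from typing import Tuple


def backscatter_verdict(code: int) -> str:
    """Map the RCPT TO reply code to a verdict."""
    if 500 <= code <= 599:
        return "rejected"      # desired: unknown user refused before DATA
    if 400 <= code <= 499:
        return "deferred"      # greylisting or a temporary failure; re-test later
    if code in (250, 251):
        return "accepted"      # backscatter risk: the MTA will bounce afterwards
    return "unexpected"


def probe_unknown_recipient(conn, domain: str, sender: str) -> Tuple[int, str, str]:
    """Try MAIL FROM / RCPT TO for a random, non-existent mailbox on `conn`.

    `conn` is any object with smtplib.SMTP's mail(), rcpt() and rset() methods:
    a real smtplib.SMTP in production, a fake in tests.
    Returns (rcpt_code, reply_text, verdict).
    """
    bogus = f"nonexistent-{uuid.uuid4().hex[:12]}@{domain}"
    code, reply = conn.mail(sender)
    if code != 250:
        raise RuntimeError(f"MAIL FROM refused: {code} {reply!r}")
    code, reply = conn.rcpt(bogus)
    conn.rset()  # abandon the envelope; DATA is never sent
    return code, reply.decode(errors="replace"), backscatter_verdict(code)


def run(host: str, port: int = 25, domain: str = None,
        sender: str = "postmaster@example.invalid") -> Tuple[int, str, str]:
    """Connect to host:port and probe; use a sender address you control."""
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        smtp.ehlo_or_helo_if_needed()
        return probe_unknown_recipient(smtp, domain or host, sender)


if __name__ == "__main__":
    import sys
    code, text, verdict = run(sys.argv[1], domain=sys.argv[2] if len(sys.argv) > 2 else None)
    print(f"RCPT TO reply {code} {text} -> {verdict}")
```

With the plugin active the expected verdict is "rejected" (a 5xx reply such as 550 from the check script); "accepted" means the server still generates bounces for unknown users.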

Sendmail as a SMTP-AUTH client on FreeBSD

This post describes how to configure Sendmail to use SMTP-AUTH when connecting to a remote MTA to send messages. Such a configuration is needed when, for example, you have a dynamic IP and your ISP relays messages for you but requires authentication. This is not a post about setting up your MTA to authenticate users and relay for them; it shows how to make it authenticate itself to another MTA that will relay messages for you.

Sendmail comes installed by default on a clean FreeBSD 6.2 system, but it has no support for SMTP authentication using SASL out of the box, so it needs to be recompiled.

Install Cyrus SASL

You can compile the cyrus-sasl2 library from ports (if you need to set some special options) or install it as a package:

  cd /usr/ports/security/cyrus-sasl2
  make install clean

Or just install it from packages with:

  pkg_add -r cyrus-sasl2

Recompile Sendmail

First you need to make sure you set the compile flags so that Sendmail uses cyrus-sasl2:

  echo "
  SENDMAIL_CFLAGS=-I/usr/local/include -DSASL=2
  SENDMAIL_LDFLAGS=-L/usr/local/lib
  SENDMAIL_LDADD=-lsasl2
  " >> /etc/make.conf

and then just recompile it and install:

  cd /usr/src/usr.sbin/sendmail
  make clean
  make depend
  make
  make install

Configure Sendmail

Make sure you have the right .mc file. Go to /etc/mail and type make all install; this creates a .mc file named [your_hostname].mc.
Edit that file, look for a line like “define(`SMART_HOST', `your.isp.....” and replace your.isp with the host that will relay messages for you. After that line add the following lines:

define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
FEATURE(`authinfo',`hash /etc/mail/auth/client-info')dnl

Note: if your ISP's MTA does not accept connections on port 25 but on another port, you can tell Sendmail to connect to that port with a line like the following:

define(`RELAY_MAILER_ARGS', `IPC $h 587')dnl

where 587 is the port on which your ISP accepts connections for SMTP relay.

Now you have to regenerate the .cf file. Type make all install in /etc/mail and everything should be set in sendmail.cf.
All that's left is to create the file that holds the username and password used when authenticating to your ISP's MTA, /etc/mail/auth/client-info:

  mkdir /etc/mail/auth
  chmod 700 /etc/mail/auth
  cd /etc/mail/auth
  echo '
  AuthInfo:[YOUR.ISP.MTA.HOST] "U:root" "I:[YOUR_USERNAME]" "P:[YOUR_PASSWORD]"
  ' > client-info
  makemap hash client-info < client-info

Now you can start/restart sendmail and everything should be ok.

Speedlinking Unix 20-07-2007

It seems Solaris features (mostly ZFS) make a lot of buzz these days. I wonder when (if ever) Linux will include ZFS in the kernel. I know there is a ZFS implementation for Linux in FUSE, but that's never going to be used in production unless it's ported into the kernel.

I think the developers should leave the licensing mumbo jumbo aside, really look at what ZFS has to offer, and decide on that basis whether it's worth implementing. Isn't there anyone in the Linux world who wants ZFS?

PHP pecl freebsd port bug

A bug exists in the pecl CLI script on FreeBSD that prevents you from installing any pecl package.

The problem is that the pecl script needs pcre.so, but the script calls php with -n (don't use php.ini), so the pcre.so extension is not loaded.

A quick fix is to edit /usr/local/bin/pecl and remove "-n" from the last line so that it looks like this:

  exec $PHP -C -q $INCARG -d output_buffering=1 -d safe_mode=0 -d register_argc_argv="On" $INCDIR/peclcmd.php "$@"

I found this bug when I wanted to install the svn extension, but it seems the bug has been known for some time and there is a patch for it: http://www.freebsd.org/cgi/query-pr.cgi?pr=110209

Qmail with smtp-auth and DomainKeys on FreeBSD

I tried to set up qmail with TLS and SMTP-AUTH on FreeBSD. I have configured my server with SMTP-AUTH so that I can use it to relay messages for me and other authenticated users. I would like qmail to sign the messages that authenticated users send through my server.

I compiled qmail-tls from ports, checked the smtp-auth and qmailqueue options, then compiled qmail-dk and selected the SMTP-AUTH patch. I set up my private and public keys and set up bin/qmail-dk for qmailqueue as described on this page: http://jeremy.kister.net/howto/dk.htm, but still no results. It just does not want to add the DomainKeys signature; instead it tries to verify the messages.

freebsd 7.0 outperforms linux

The development version of FreeBSD (7.0) seems to scale a lot better than Linux on SMP systems.

A combination of the latest FreeBSD scheduler, ULE 2.0, which is built into FreeBSD 7.0, the libthr threading library, a patch (not committed yet?) that addresses the poor scalability of file descriptor locking, and some other patches is what made a system with an 8-core amd64 CPU and 16 GB of RAM outperform Linux by a factor of 4 in MySQL tests.

The tests were performed using the sysbench OLTP benchmark, a tool designed for testing MySQL performance.

Brief test results: Linux is actually a little (~2%) faster than FreeBSD with fewer than 9 clients, but when the number of clients grows to 20, Linux performance drops a lot while FreeBSD's performance stays the same.

More details about the test here:

http://people.freebsd.org/~kris/scaling/mysql.html

first freebsd 6.2 bugs found

Just one day after the release, the first bugs show up in the FreeBSD errata.

Bug #1: some isolated crashes were reported for arcmsr, the driver for the Areca ARC-11xx and ARC-12xx series of SATA II RAID controllers. This problem is still being investigated. Users that have problems are advised to consider backing out the driver update or installing a version of this driver directly from Areca.

Bug #2 is a kernel bug related to Unix domain sockets. A patch for this problem has been committed to HEAD and RELENG_6, and is a candidate for an errata patch to RELENG_6_2 after further testing.

Bug #3 was observed on systems with heavy network activity. The problem seems to be in the kernel memory allocator. A partial workaround for this problem is to add the following line to /boot/loader.conf and reboot:

kern.ipc.nmbclusters="0"

More details about the bugs in this release are in the Errata.

FreeBSD 6.2 RELEASE

FreeBSD 6.2 was released today at 00:29:19 -0500 :)

The release brings a lot of bug fixes and new features, like official support for binary updates with freebsd-update, ipfw packet tagging, Linux emulation support for sysfs, KDE 3.5.4, GNOME 2.16.1 and BIND 9.3.3. Check out the complete list of new features and bug fixes in FreeBSD 6.2 for more.

freebsd securelevel setup

FreeBSD securelevel is a security mechanism implemented in the kernel that restricts certain operations depending on the level that is active. If it is set up properly, not even the superuser can bypass it.

From the securelevel man page:

-1 Permanently insecure mode - always run the system in level 0 mode.
This is the default initial value.

0 Insecure mode - immutable and append-only flags may be turned off. All devices may be read or written subject to their permissions.

1 Secure mode - the system immutable and system append-only flags may not be turned off; disks for mounted file systems, /dev/mem, and /dev/kmem may not be opened for writing; kernel modules (see kld(4)) may not be loaded or unloaded.

2 Highly secure mode - same as secure mode, plus disks may not be opened for writing (except by mount(2)) whether mounted or not. This level precludes tampering with file systems by unmounting them, but also inhibits running newfs(8) while the system is multiuser.

In addition, kernel time changes are restricted to less than or equal to one second. Attempts to change the time by more than this will log the message ``Time adjustment clamped to +1 second''.

3 Network secure mode - same as highly secure mode, plus IP packet filter rules (see ipfw(8) and ipfirewall(4)) cannot be changed and dummynet(4) configuration cannot be adjusted.
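An added example, not from the original post, that audits the levels above on a real host: it parses the kern_securelevel_enable and kern_securelevel settings from rc.conf and compares the boot-time level and the running level (sysctl kern.securelevel) against a required minimum. The rc.conf text embedded at the bottom is constructed for illustration; the function names are mine.

```python
"""Audit a FreeBSD host's securelevel: the level rc.conf raises it to at boot
and the level the kernel is running at now (sysctl kern.securelevel)."""
import re
import subprocess

# rc.conf is a sh fragment; this handles the plain KEY="value" lines it uses.
RC_LINE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)=("?)([^"#]*)\2\s*(#.*)?$')


def parse_rc_conf(text):
    """Return {variable: value}; a later assignment wins, as it does for sh."""
    settings = {}
    for line in text.splitlines():
        m = RC_LINE.match(line)
        if m:
            settings[m.group(1)] = m.group(3).strip()
    return settings


def boot_securelevel(settings):
    """Level the rc.d scripts raise kern.securelevel to at boot.
    With kern_securelevel_enable unset or NO the kernel stays at -1."""
    if settings.get("kern_securelevel_enable", "NO").upper() != "YES":
        return -1
    try:
        return int(settings["kern_securelevel"])
    except (KeyError, ValueError):
        return -1


def running_securelevel():
    """Current level; only meaningful on FreeBSD."""
    out = subprocess.check_output(["sysctl", "-n", "kern.securelevel"], text=True)
    return int(out.strip())


def audit(settings, running, required):
    """Return a list of findings; an empty list means both levels meet the policy."""
    findings = []
    boot = boot_securelevel(settings)
    if boot < required:
        findings.append(f"rc.conf boots into securelevel {boot}; policy requires {required}")
    if running < required:
        # A level can be raised at any time (sysctl kern.securelevel=N) but is
        # never lowered on a running system; that takes a reboot.
        findings.append(f"running securelevel is {running}; policy requires {required}")
    return findings


SAMPLE_RC_CONF = 'hostname="bsd.example"\nkern_securelevel_enable="YES"\nkern_securelevel="2"\n'

if __name__ == "__main__":
    # Constructed sample instead of /etc/rc.conf so the script also runs off-host.
    for f in audit(parse_rc_conf(SAMPLE_RC_CONF), running=-1, required=2):
        print("FINDING:", f)
```

Remember that at level 1 and above kernel modules cannot be loaded after boot, so anything you need (ipfw, accf_http, ...) has to be compiled in or listed in /boot/loader.conf before raising the level.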
