One of the worst problems in qmail is that it accepts messages for non existent users and then sends back a bounce to the sender. This is the perfect setup to be exploited by a spammer. I'm using the qmail-tls port configured with vpopmail on FreeBSD.
There might be some patches that make qmail use the vpopmail command line tools directly to check if a user exists before accepting messages but I either didn't find them or thought that using the SMTP Plugins patch is more elegant and gives me more flexibility (It might be slower but this was not a high traffic server so I didn't care).
The SMTP plugins patch adds hooks at all STMP stages and the plugins can use those hooks to accept or reject a message based on the data in the smtp statements sent by the sender.
I used the Qmail-SPP - Vpopmail check user Script written by Werner Maier.
The only problem was that I had to patch the source code for qmail-tls with the qmail-spp patch and there were quite a few rejects because of the other patches applied by freebsd ports system.
I managed to adapt the code to make this patch work and here is how I did it...
First I built the original freebsd port:
- cd /usr/ports/mail/qmail-tls
- make config # pick up the options you want here ... I needed tls, smtpd-auth,vpopmail and a few others
- make install
This will also install the files and then after we apply the spp plugin we just copy the modified file ( qmail-smtpd )
Next step if to download the qmail-spp plugin into /usr/ports/mail/qmail-tls/work and apply it.
- cd work
- tar -xzpf qmail-spp-0.42.tar.gz
- cd qmail-1.03
- patch -p1 < ../qmail-spp-0.42/qmail-spp-smtpauth-tls-20060105.diff
This will give you some rejects but don't worry because you'll fix them with my next patch : Qmail-tls-spp-FreeBSD patch-0.1 (4.73 KB)
- patch < qmail-tls-spp-freebsd.patch
- /usr/local/etc/rc.d/svscan stop
- cp qmail-smtpd /var/qmail/bin
- /usr/local/etc/rc.d/svscan start
At this point qmail-smtpd should have smtp plugins working and we can set up the vpopmail user verifier script.
- cd /var/qmail
- mkdir plugins
- fetch http://www.maiers.de/qmail/vpopmail_check_recipient.sh
- chown root:qmail vpopmail_check_recipient.sh
- chmod 755 vpopmail_check_recipient.sh
Now edit vpopmail_check_recipient.sh and make sure the correct paths to vpopmail directory ( /home/vpopmail on freebsd ) are set in the script.
To test it, connect to smtp and try to send a message to an nonexistent account, you should see a reject message instead of the usual "ok".
This post describes the configuration of Sendmail to use SMTP-AUTH when connecting to a remote MTA to send messages. Such a configuration would be needed in case you have a dynamic ip and your ISP relays the messages for you, but they require authentication. This is not a post about how to set your mta to authenticate users and to relay for them. This will show you how to set it to authenticate itself to other mta that will relay messages for you.
Sendmail comes installed by default on a clean FreeBSD 6.2 system, but is has no support for SMTP authentication using SASL by default, so it needs to be recompiled.
Install Cyrus SASL
You can compile cyrus-sasl2 lib from ports (if you need to set some special options ) or install it as a package:
- cd /usr/ports/security/cyrus-sasl2
- make install clea
Or just install it from packages with:
- pkg_add -r cyrus-sasl2
First you need to make sure you set the compile flags so that Sendmail uses cyrus-sasl2:
- echo "
- SENDMAIL_CFLAGS=-I/usr/local/include -DSASL=2
- " >> /etc/make.conf
and then just recompile it and install:
- cd /usr/src/usr.sbin/sendmail
- make clean
- make depend
- make install
Make sure you have the right mc files. Go to /etc/mail and type: make all install . This will create a .mc file named [your_hostname].mc .
Edit that file, look for a line like “define(`SMART_HOST', `your.isp.....” and replace your.isp with the host that will relay messages for you. After that line add the following lines:
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl FEATURE(`authinfo',`hash /etc/mail/auth/client-info')dnl
Note: In case your ISP's MTA does not accept connections on port 25, but another port you can tell sendmail to connect on that port by using something like the following line:
define(`RELAY_MAILER_ARGS', `IPC $h 587')dnl
where 587 is the port where your ips accepts connections for smtp relay.
Now you have to regenerate the .cf file. Type make all install in /etc/mail and you should have everything set in sendmail.cf .
All that's left to do is to create the file that will hold the information about the username and password to use when authenticating to your ISP's MTA : /etc/mail/auth/client-info :
- mkdir /etc/mail/auth
- chmod 700 /etc/mail/auth
- cd /etc/mail/auth
- echo '
- AuthInfo:[YOUR.ISP.MTA.HOST] "U:root" "I:[YOUR_USERNAME]" "P:[YOUR_PASSWORD]"
- ' > client-info
- makemap hash client-info < client-info
Now you can start/restart sendmail and everything should be ok.
- Ivan Ivoras wrote an article that presents new features that will be included in FreeBSD 7. If you want to give it a try before it's released you can download a snapshot cd image or you can try his FreeBSD 7 live CD snapshot
- It seems like the next version of Mac OSX is going to get ZFS, well it shouldn't be hard now that it was ported works on FreeBSD 7 snapshots and MacOSX has FreeBSD at it's roots.
- Leopard is also going to get Dtrace from Sun but they'll call it Xray
- Want to try OpenSolaris but you like Ubuntu too much? Get Nexenta, an operating system that uses OpenSolaris kernel and Debian/Ubuntu. It looks and feels just like Ubuntu, has more then 12000 packages in the APT repository and you can take advantage of some features that don't exist in Linux ( yet ? ) like ZFS
It seems Solaris features (mostly ZFS ) make a lot of buzz these days. I wonder when ( if ever ) will Linux include ZFS in the kernel. I know there is a ZFS implementaion for Linux in FUSE, but that's never going to be used in production unless it's ported in the kernel.
I think the developers should leave the licensing mambo jumbo aside and really look at what ZFS has to offer and decide upon that if it's worth implementing . Isn't there anyone in the Linux world that wants ZFS ?
When programming/scripting in shell, like in most of the other programing languages you can organize your code in functions that can be called from anywhere in your code, you can pass parameters to them and they can return a value or output something.
A bug exists in the pecl cli script on freebsd that will not permit you to install any pecl package.
The problem is that the pecl script needs pcre.so but the script calls php with -n ( don't use php.ini ) so the pcre.so extension is not loaded.
A quick fix is to edit /usr/local/bin/pecl and remove "-n" from the last line so it will look like
exec $PHP -C -q $INCARG -d output_buffering=1 -d safe_mode=0 -d register_argc_argv="On" $INCDIR/peclcmd.php "$@"
I tried to set up qmail with tls and smtp auth on freebsd. I have configured my server with SMTP-AUTH so that I can use it to relay messages for me and other authenticated users. I would like qmail to sign the messages that the authenticated users send through my server.
I compiled qmail-tls from ports, checked the smtp-auth and qmailqueue options, then I compiled qmail-dk and selected the SMTP-AUTH patch. I set up my private and public keys, I set up bin/qmail-dk for qmailqueue as described on this page : http://jeremy.kister.net/howto/dk.htm but still not results. It just does not want to add the DomainKeys signature but instead it tries to verify the messages. Read more
The development version of FreeBSD ( 7.0 ) seems to scale a lot better then linux on SMP systems.
A combination of latest freebsd scheduler ULE 2.0 that is built into FreeBSD 7.0, the libthr threading library and a patch (not commited, yet ? ) that addresses poor scalability of file descriptor locking and some other patches is what made a system with 8 core amd64 cpu and 16 GB of ram outperform linux by a factor of 4 in MySQL tests.
The tests were performed using sysbench OLTP benchmark, a tool designed for testing mysql performance.
Brief test results: Linux is actually a little ( ~ 2% ) faster then FreeBSD for less then 9 clients, but when the number of clients grows to 20 linux performance drops a lot and FreeBSD's performance stays the same.
More details about the test here:
Just one day after the release and we have the first bugs that show up in the FreeBSD errata.
bug #1 Some isolated crashes were reported for arcmsr, the driver for Areca ARC-11xx and ARC-12xx series of SATA II RAID controllers. This problem is still being investigated. Users that have problems are advised to consider backing out the driver update or installing a version of this driver directly from Areca
bug #2 is a kernel bug related to Unix domain sockets. A patch for this problem has been committed to HEAD and RELENG_6, and is a candidate for an errata patch to RELENG_6_2 after further testing.
bug #3 was observer on systems with heavy network activity. the problem seems to be with the kernel memory allocator. A partial workaround for this problem is to add the following line to /boot/loader.conf and reboot:
More details about the bugs in this release on Errata
FreeBSD 6.2 was released today at 00:29:19 -0500
The release brings a lot of bug fixes and new features like official support for binary updates with freebsd-update, ipfw packet tagging, linux emulation support for sysfs, kde 3.5.4, gnome 2.16.1, bind 9.3.3 . Check out the complete list of new features and bug fixes in freebsd 6.2 for more.
FreeBSD securelevel is a security mechanism implemented in the kernel that restricts certain tasks depending on the level that is active. Not even the super user will be able to bypass this mechanism if well setup.
From securelevel man page :
-1 Permanently insecure mode - always run the system in level 0 mode.
This is the default initial value.
0 Insecure mode - immutable and append-only flags may be turned off. All devices may be read or written subject to their permissions.
1 Secure mode - the system immutable and system append-only flags may not be turned off; disks for mounted file systems, /dev/mem, and /dev/kmem may not be opened for writing; kernel modules (see kld(4)) may not be loaded or unloaded.
2 Highly secure mode - same as secure mode, plus disks may not be opened for writing (except by mount(2)) whether mounted or not. This level precludes tampering with file systems by unmounting them, but also inhibits running newfs(8) while the system is multiuser.
In addition, kernel time changes are restricted to less than or equal to one second. Attempts to change the time by more than this will log the message ``Time adjustment clamped to +1 second''.