Qmail TLS + SMTP Plugins on FreeBSD

May 15, 2009

Problem

One of the worst problems in qmail is that it accepts messages for nonexistent users and only afterwards sends a bounce back to the sender. Because the sender address is easily forged, this is the perfect setup to be exploited by a spammer. I'm using the qmail-tls port configured with vpopmail on FreeBSD.

Solution

There might be some patches that make qmail use the vpopmail command-line tools directly to check if a user exists before accepting messages, but I either didn't find them or thought that using the SMTP Plugins patch is more elegant and gives me more flexibility (it might be slower, but this was not a high-traffic server, so I didn't care).

The SMTP plugins patch adds hooks at all SMTP stages, and plugins can use those hooks to accept or reject a message based on the data in the SMTP commands sent by the sender.
I used the Qmail-SPP - Vpopmail check user Script written by Werner Maier.

The only problem was that I had to patch the source code for qmail-tls with the qmail-spp patch, and there were quite a few rejects because of the other patches applied by the FreeBSD ports system.
I managed to adapt the code to make this patch work and here is how I did it...

First I built the original FreeBSD port:

cd /usr/ports/mail/qmail-tls
make config # pick the options you want here; I needed tls, smtpd-auth, vpopmail and a few others
make
make install

This also installs the files, so after we apply the SPP patch we only need to copy the modified file (qmail-smtpd) over the installed one.
The next step is to download the qmail-spp tarball into /usr/ports/mail/qmail-tls/work and apply its patch.

cd work
tar -xzpf qmail-spp-0.42.tar.gz
cd qmail-1.03
patch -p1 < ../qmail-spp-0.42/qmail-spp-smtpauth-tls-20060105.diff

This will give you some rejects, but don't worry, because you'll fix them with my next patch, Qmail-tls-spp-FreeBSD patch-0.1:

patch < qmail-tls-spp-freebsd.patch
make
/usr/local/etc/rc.d/svscan stop
cp qmail-smtpd /var/qmail/bin
/usr/local/etc/rc.d/svscan start

At this point qmail-smtpd should have SMTP plugins working, and we can set up the vpopmail user verifier script.

cd /var/qmail
mkdir plugins
cd plugins   # fetch the script into the plugins directory just created
fetch http://www.maiers.de/qmail/vpopmail_check_recipient.sh
chown root:qmail vpopmail_check_recipient.sh
chmod 755 vpopmail_check_recipient.sh

Now edit vpopmail_check_recipient.sh and make sure the correct paths to the vpopmail directory (/home/vpopmail on FreeBSD) are set in the script.

To test it, connect to SMTP and try to send a message to a nonexistent account; you should see a reject message instead of the usual "ok".
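To show what a plugin does at the RCPT hook described above, here is a minimal recipient check written for this page as an added example; it is not Werner Maier's script and not part of the original post. It assumes vpopmail lives under /home/vpopmail with one unhashed directory per domain, that vuserinfo exits non-zero for an unknown user, and it does not handle catch-all delivery; the function name and reply texts are made up for the example.

```shell
#!/bin/sh
# Added example: minimal qmail-spp RCPT-stage plugin (not the script from the post).
# qmail-spp puts the recipient in $SMTPRCPTTO and reads commands from stdout:
# a line starting with "E" rejects the RCPT with that reply; no output means
# the recipient is left alone.
# Assumptions: vpopmail under /home/vpopmail, one directory per domain in
# domains/ (no hashing), vuserinfo exits non-zero for an unknown user.
LC_ALL=C; export LC_ALL
VUSERINFO="${VUSERINFO:-/home/vpopmail/bin/vuserinfo}"
VDOMAINS="${VDOMAINS:-/home/vpopmail/domains}"

spp_check_rcpt() {
    rcpt=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    # The address comes from the remote client. Allow only a conservative
    # character set, and refuse a leading "-" (option injection) and ".."
    # (path tricks), before it reaches a command line or a file path.
    case "$rcpt" in
        *[!a-z0-9._@+=-]*|-*|*..*|*@*@*)
            echo "E553 sorry, invalid recipient address (#5.1.3)"
            return 0 ;;
        ?*@?*) ;;
        *) return 0 ;;    # no user@domain form: leave the decision to qmail
    esac
    local_part=${rcpt%@*}
    domain=${rcpt#*@}
    # Judge only domains hosted here; anything else is for qmail's relay rules.
    [ -d "$VDOMAINS/$domain" ] || return 0
    # Aliases are .qmail-<local> files, with dots stored as colons.
    alias_file="$VDOMAINS/$domain/.qmail-$(printf '%s' "$local_part" | tr . :)"
    [ -f "$alias_file" ] && return 0
    # Real mailbox?
    if "$VUSERINFO" "$rcpt" >/dev/null 2>&1; then
        return 0
    fi
    echo "E550 sorry, no mailbox here by that name (#5.1.1)"
}

# When run by qmail-smtpd at the RCPT stage:
spp_check_rcpt "${SMTPRCPTTO:-}"
```

qmail-spp only runs plugins that are listed in /var/qmail/control/smtpplugins, so a plugin like this has to appear under the [rcpt] section there.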