I am running Fedora 2 with qmail and the mail server has been up for 2 days and my qmail stats show a lot of delivery attempts and messages:
Completed messages: 224
Recipients for completed messages: 219
Total delivery attempts for completed messages: 228
Average delivery attempts per completed message: 1.01786
Bytes in completed messages: 1027919
Bytes weighted by success: 821661
Average message qtime (s): 30.8267
Total delivery attempts: 228
success: 194
failure: 25
deferral: 9
Total ddelay (s): 6970.408828
Average ddelay per success (s): 35.929942
Total xdelay (s): 124.157869
Average xdelay per delivery attempt (s): 0.544552
Time span (days): 2.29918
Average concurrency: 0.00062501
Is the server being attacked?
Are there any security patches?
I might have sent about 50 emails myself for testing purposes but nowhere near that many.
I am also getting a lot of AOL spam warnings:
1 0.13 Connected to 205.188.156.249 but greeting failed./Remote host said:
554- (RTR:SC) http://postmaster.info.aol.com/error...trsc.html/554- AOL does
not accept e-mail transactions from IP addresses which/554- generate complaints or
transmit unsolicited bulk e-mail./554 Connecting IP: xxx.xxx.xxx.xxx/
Is there any way to stop these attacks? Is something not configured correctly on my side?
I only have 2 domains in my rcpthosts file and nothing else.
Where did you find these stats? What program provided these? How did you install qmail? Was it part of a howto? What howto did you use?
You should try to examine your logs carefully and see if you can figure out where the messages are coming from and where they are going. If messages seem to be coming from a certain IP, you can block the IP address using tcprules (/etc/tcp.smtp) or you can block it at your firewall (you ARE running a firewall, aren't you?)
Where are the messages going? If they are going to your local mailbox, then you may not be able to do much except try to deploy some anti-spam measures. If the messages are being delivered to other domains, then it must mean you are an open relay (not likely, since you have something in rcpthosts, which is all that's required) or you have legitimate users of your mail server who are sending the messages.
About the AOL messages, your IP is likely to be in a range that has been used by spammers (or has been complained about) and some of your mail fails. Maybe you have qmail configured to retry a number of times (hence the number of failures).
I don't know qmail myself but reading your stats, that's what I would say.
I got those stats from qmail's Nightly Qmail Stats Report.
The program is also known as qlogtools or qmail analog.
It's weird, now I'm at:
Completed messages: 412
Recipients for completed messages: 399
Total delivery attempts for completed messages: 408
Average delivery attempts per completed message: 0.990291
Bytes in completed messages: 1793493
Bytes weighted by success: 1539035
Average message qtime (s): 16.9008
Total delivery attempts: 408
success: 363
failure: 36
deferral: 9
Total ddelay (s): 7029.538476
Average ddelay per success (s): 19.365120
Total xdelay (s): 180.791914
Average xdelay per delivery attempt (s): 0.443117
Time span (days): 6.91846
Average concurrency: 0.000302452
Well, it really depends on how much traffic is supposed to be coming into your server. I figured that because you only just recently got the system up and running that there would not be much traffic (if any) coming into qmail. When there is only a little traffic it's easier to diagnose.
I recommend looking at the qmail-send logs and try to watch them over time. For example...
This will allow you to watch as new mail is delivered. Watch for lines that say "to remote" which means it's sending mail to remote machines. Lines that say "to local" are messages being delivered to your local box.
It's possible you may have a mailbox that is filling up that you didn't expect... like maybe the "postmaster" account that is created by default by vpopmail. Try to watch this log file for an hour or two. You may need to restart the command occasionally because when the log file gets full, it will stop being echo'd to the command line using the "tail" command.
Combine this with the grep command and I'm sure you can figure out where the messages are coming from and where they are going. It's possible you may not have a problem at all, but there's no way for me to tell because I have no idea how much traffic you're supposed to be getting right now.
I'm going to monitor the traffic and see what's going on... This server doesn't have any users on it, just myself for testing, and as of right now I have the following stats:
Completed messages: 535
Recipients for completed messages: 522
Total delivery attempts for completed messages: 531
Average delivery attempts per completed message: 0.992523
Bytes in completed messages: 2543949
Bytes weighted by success: 2284529
Average message qtime (s): 13.1353
Total delivery attempts: 531
success: 482
failure: 40
deferral: 9
Total ddelay (s): 7093.627593
Average ddelay per success (s): 14.717070
Total xdelay (s): 242.786280
Average xdelay per delivery attempt (s): 0.457225
Time span (days): 8.72188
Average concurrency: 0.000322181
Very strange. I do see bogus emails going through, so I'm adding them to the badmailfrom file for qmail, but I'm not too sure where to go to see the IP addresses of the people who are doing this.
Are the deliveries going to "local"? Maybe to your mailbox?
Sounds like you're getting the first wave of spam coming to your shiny new mail server?
To see where they are coming from, you'll need to check your qmail-smtpd logs, which show messages that are trying to be sent to your server. qmail-smtpd is what queues the messages for delivery by qmail-send. So when you're watching qmail-send logs, they are showing the messages being delivered to your local users or to remote addresses... you're watching the hind-end of the process.
Check your qmail-smtpd logs which is new mail coming in. This is where you can get the IP address of the people who are trying to send these messages. I recommend doing the tail -f trick we talked about on your qmail-smtpd logs and wait to see if they show up in your mailbox.
If they do, you can block that IP address using your etc/tcp.smtp file which is more effective than just blocking an email address that may be never used by the spammer again.
If you feel pretty sure these are just spams coming to your new server, that's another can of worms.
If they are remote deliveries, that's something to be concerned about if you're the only valid account right now.
To help control spam, I recommend searching the forums here for a message where I was posting back and forth with Apollo77. We were talking about something called rblsmtpd which is built into qmail by default. By changing a few lines of your qmail-smtpd/run file, you can block an enormous amount of spam.
When you get it working, you may want to check over each of the rbl sites carefully... some of them are no longer in service and having them included in the run file just makes things work slower because it's having to check the extra sites that are dead.
Maybe post your run file here when you're done and it's working... I can easily show you which ones are dead.
For the patch, I think you are going to need to patch the file manually. This sounds scary, but it's actually quite easy once you understand how it's done.
First, you need to open the file qmail-smtpd.c. I know that's the file we want because that's the first line of your patch file.
Now, ignoring the first 2 lines of the file, you should start looking at the rest of the patch file. In the patch file, you'll see there are some lines that begin with a plus (+) and in some cases, your patch file will also contain lines that begin with a minus (-). In your case, the patch file doesn't have any lines that begin with a minus.
Any lines that begin with a plus are lines that we need to add to the qmail-smtpd.c file. Lines that contain a minus are lines we need to remove from the qmail-smtpd.c file.
So, starting at the beginning of the patch file, we see that the first 3 lines don't have any plus or minus. That means these 3 lines are already in the qmail-smtpd.c file. Line 4 of the patch begins with a plus, so that means we are adding this line.
So, looking at your smtpd.c file, search the file and look for the first 3 lines of your patch file. Those lines look like this...
Code:
void err_nogateway() { out("553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)\r\n"); }
void err_unimpl() { out("502 unimplemented (#5.5.1)\r\n"); }
void err_syntax() { out("555 syntax error (#5.5.4)\r\n"); }
Once you find this area, the very next line in the patch file shows that we are adding a line because it begins with a plus. The line to be added is...
Code:
void err_relay() { out("553 we don't relay (#5.7.1)\r\n"); }
So now your qmail-smtpd.c file should look like this....
Code:
void err_nogateway() { out("553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)\r\n"); }
void err_unimpl() { out("502 unimplemented (#5.5.1)\r\n"); }
void err_syntax() { out("555 syntax error (#5.5.4)\r\n"); }
void err_relay() { out("553 we don't relay (#5.7.1)\r\n"); }
void err_wantmail() { out("503 MAIL first (#5.5.1)\r\n"); }
void err_wantrcpt() { out("503 RCPT first (#5.5.1)\r\n"); }
void err_noop() { out("250 ok\r\n"); }
You'll notice all I really did was add the line that begins with a plus. Be sure NOT to include the actual plus... just include the code that comes after the plus.
Also notice in your patch file, there are lines that look like this...
@@ -216,6 +217,21 @@
This is showing you a particular line number of your qmail-smtpd.c file. This will help to give you an idea of where to look. So you should look in the neighborhood of line 216 and 217.
The next part of our patch file shows...
Code:
return r;
}
And right after this (in the patch file) you will see we are adding a whole bunch of new lines because there are several that begin with a plus. Just like before, just add the lines with a plus. So your new and improved qmail-smtpd.c file should look like this...
Code:
  return r;
}

int addrrelay()
{
  int j;
  j = addr.len;
  while(--j >= 0)
    if (addr.s[j] == '@') break;
  if (j < 0) j = addr.len;
  while(--j >= 0) {
    if (addr.s[j] == '@') return 1;
    if (addr.s[j] == '%') return 1;
    if (addr.s[j] == '!') return 1;
  }
  return 0;
}

int seenmail = 0;
int flagbarf; /* defined if seenmail */
Now you'll see that there is another line that looks like this...
@@ -250,6 +266,7 @@
which means we're jumping to a new part of our qmail-smtpd.c file. Just go to that area and you are adding another line, as indicated by the plus sign.
Now there is ONE small thing that I'm not sure about... You'll notice your patch file looks like this...
Code:
void smtp_rcpt(arg) char *arg; {
if (!seenmail) { err_wantmail(); return; }
if (!addrparse(arg)) { err_syntax(); return; }
+ if (addrrelay()) { err_relay(); return; }
if (flagbarf) { err_bmf(); return; }
if (relayclient) {
--addr.len;
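Review bot: the added "if (addrrelay()) { err_relay(); return; }" in smtp_rcpt() sits above the "if (relayclient) {" test, so the 553 is returned to every client, including hosts that are allowed to relay; consider applying the check only when relayclient is not set if trusted hosts need to reach addresses with '%' or '!' in the local part. addrrelay() also carries no comment saying that it looks for '@', '%' or '!' to the left of the last '@', which is worth adding next to the function. The header "@@ -250,6 +266,7 @@" counts 6 old lines and 7 new ones, which matches the six unmarked lines plus the single "+" line shown here, so "--addr.len;" is an unchanged context line (a C pre-decrement), not a removal.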
The part I'm unsure about is the last line which says --addr.len; I'm not sure if this is meaning that line should be removed or what.
Check your qmail-smtpd.c file and see if the line looks like this...
-addr.len;
Notice there is a single dash at the beginning of that line. If there is just a single dash in the actual smtpd.c file, then it means the patch intends for you to remove this line.
Let me know about this area. I don't have the qmail-smtpd.c file in front of me right now, so I'm not sure how to advise you further until you have looked at this area closer.
When you are done applying the patch, you can just go to your qmail source directory and run "make setup check" and it will apply your patch to qmail. You may also want to restart qmail with "qmailctl restart" but I don't think you need to because of the way smtp works.
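What the patched check accepts and refuses, as an added example that is not part of the original post or of the qmail source. `is_relay_probe` is a hypothetical stand-alone version of the patch's `addrrelay()` that takes a plain C string instead of qmail's global `addr`, and the recipient addresses are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-alone version of the patch's addrrelay():
 * works on a plain C string instead of qmail's global `addr`.
 * Returns 1 when the local part (everything left of the LAST '@')
 * contains '@', '%' or '!', and 0 otherwise. */
int is_relay_probe(const char *rcpt)
{
    int len = (int)strlen(rcpt);
    int j = len;

    /* Walk back to the last '@', which separates local part and domain. */
    while (--j >= 0)
        if (rcpt[j] == '@') break;
    /* No '@' at all: the whole string is treated as the local part. */
    if (j < 0) j = len;

    /* Any routing character left of that point marks a relay attempt. */
    while (--j >= 0)
        if (rcpt[j] == '@' || rcpt[j] == '%' || rcpt[j] == '!')
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed recipients; example.* domains are reserved for documentation. */
    const char *samples[] = {
        "alice@example.org",            /* ordinary address                  */
        "bob%example.net@example.org",  /* percent hack                      */
        "example.net!bob@example.org",  /* bang path                         */
        "bob@example.net@example.org",  /* second '@' in the local part      */
        "postmaster",                   /* no domain, no routing character   */
        "50%off@example.org",           /* legitimate-looking, still refused */
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-30s %s\n", samples[i],
               is_relay_probe(samples[i]) ? "553 we don't relay" : "passes this check");
    return 0;
}
```

The last sample shows the cost of the rule: any recipient with '%' or '!' in its local part is refused, whether or not it was meant as a relay probe.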
Is there possibly more to that patch? Maybe there are some additional lines that need to be patched, or maybe there are other files that need to be patched. Can you post the entire contents of that patch???
Also, what patch is that called???
You may want to email me (or post) a copy of the qmail-smtpd.c file you patched. Maybe there is an error in there somewhere that I can spot.
If you go to http://qmail.org/top.html and scroll down to the 'Anti-spam techniques and code' section you'll see a line like the following:
Russell Nelson has a patch to reject relay probes generated by so-called anti-spammers. These relay probes have '!', '%' and '@' in the local (username) part of the address.