Linux - Security
This forum is for all security-related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I just set up qmail on my home server in the UK. Firstly, the IP is from my ISP (British Telecom) and it seems that my university blocks mail coming from private mail servers. How many other email sites (hotmail, gmail, corporate servers etc.) will block mail coming from a personal SMTP server?
Secondly, my qmail server does not force authentication. Although I can use my password and username and it works, how can I make it reject connections where the username and password are not given? Is it a line in the conf that I need to change?
Most likely they are using SORBS or some other service that has a database of all the dynamic IP ranges on the internet. So when you try to send mail from your server to theirs, they find your IP listed on SORBS' database and your connection is dropped.
Some mail servers do this and some don't. Easiest way to fix it is by getting a static IP instead of dynamic. Get on a DSL service and be sure they offer the ability to set your reverse DNS. This way you don't have a nasty ugly reverse DNS like "12.34.56.78-yourisp.com" but instead you can make it the domain name of your choosing.
But on the other hand, if you can't afford to switch providers or just don't want to, you can just live with the occasional rejected mail. Your ISP may even have a "smarthost", which is a mail server they control that will allow you to relay mail. This server will accept any mail from your IP address and send it to the proper destination. You may want to be careful about asking them, because I'll bet you money that it's against their policy for you to run a server on your account unless you're paying for a business connection.
>> my qmail server does not force authentication
Not sure what you mean by this. It sounds like you're saying that you can leave off the username and password and it will still transmit your mail??? If that's the case, then you have big problems. It means you could be an open relay and anyone can use your mail server for sending mail to whoever they want! You could be a spammer's wet dream if you're not careful.
Maybe you need to post your run files here. Post the contents of /var/qmail/supervise/qmail-smtpd/run. You may also want to post the output of /var/qmail/bin/qmail-showctl. But please don't censor the output. If you change a bunch of stuff, it could be very misleading to me because I could be chasing problems that aren't real.
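The reply above says receivers look the sending IP up in a dynamic-range DNSBL and dislike an ISP-style reverse name. Here is an added example (not code from the thread, from qmail or from either poster) that performs the same checks a receiving MTA does, so you can see what your own address looks like from the outside before mail starts bouncing. The zone names are an assumption (SORBS' dynamic-user list and Spamhaus ZEN); the "generic PTR" test is a heuristic, not a standard; and the resolver functions are injectable so the logic can be exercised offline with constructed answers.

```python
"""Sender self-check: dynamic-IP DNSBL listing plus forward-confirmed reverse DNS.
Added example for this thread; not qmail's code.  Resolvers are injectable."""
import ipaddress
import re
import socket

# Assumption: zones that list dynamic/residential ranges.  Any DNSBL works the same way.
DYNAMIC_ZONES = ("dul.dnsbl.sorbs.net", "zen.spamhaus.org")


def dnsbl_query_name(ip, zone):
    """Reverse the octets and append the zone:
    '12.34.56.78' + 'dul.dnsbl.sorbs.net' -> '78.56.34.12.dul.dnsbl.sorbs.net'"""
    octets = str(ipaddress.IPv4Address(ip)).split(".")   # IPv4Address validates the input
    return ".".join(reversed(octets)) + "." + zone


def _resolve_a(name):
    """Default A lookup; None means no answer (NXDOMAIN = not listed)."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


def _resolve_ptr(ip):
    """Default PTR lookup; None when the address has no reverse name."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def _resolve_all(name):
    """Default forward lookup returning every A record; [] on failure."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def dnsbl_listed(ip, zone, resolve=_resolve_a):
    """Return the 127.0.0.x answer when ip is listed in zone, else None.
    DNSBLs answer from 127.0.0.0/8; anything else is treated as not listed so a
    wildcarded or dead zone cannot make every address look listed."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return None
    if ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8"):
        return answer
    return None


def fcrdns(ip, reverse=_resolve_ptr, forward=_resolve_all):
    """Forward-confirmed reverse DNS: the PTR name must resolve back to ip.
    Returns (ptr_name_or_None, confirmed)."""
    name = reverse(ip)
    if name is None:
        return None, False
    return name, ip in forward(name)


def looks_generic(ptr, ip):
    """Heuristic (assumption): ISP-assigned names embed the address, e.g.
    '12-34-56-78.dsl.example-isp.net', which receivers read as a dynamic line."""
    if ptr is None:
        return True
    octets = [re.escape(o) for o in ip.split(".")]
    forward_pat = r"(?<!\d)" + r"\D".join(octets) + r"(?!\d)"
    reverse_pat = r"(?<!\d)" + r"\D".join(reversed(octets)) + r"(?!\d)"
    name = ptr.lower()
    return re.search(forward_pat, name) is not None or re.search(reverse_pat, name) is not None


def sender_report(ip, zones=DYNAMIC_ZONES, resolve=_resolve_a,
                  reverse=_resolve_ptr, forward=_resolve_all):
    """Everything a receiving MTA can learn about this sender from DNS alone."""
    ptr, confirmed = fcrdns(ip, reverse, forward)
    return {
        "ip": ip,
        "listed": {zone: dnsbl_listed(ip, zone, resolve) for zone in zones},
        "ptr": ptr,
        "fcrdns": confirmed,
        "generic_ptr": looks_generic(ptr, ip),
    }


if __name__ == "__main__":
    import sys
    # 127.0.0.2 is listed by convention in most DNSBLs, so it proves the lookup path works.
    print(sender_report(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.2"))
```

Run it with your public IP as the argument. A listing in a dynamic zone, a PTR that does not forward-confirm, or a PTR that embeds the address are each enough for many receivers to refuse the connection, which is why the reply above points at a static IP with ISP-set reverse DNS, or at the ISP's smarthost, as the fix.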
Code:
root@hamishnet hamish # /var/qmail/bin/qmail-showctl
qmail home directory: /var/qmail.
user-ext delimiter: -.
paternalism (in decimal): 2.
silent concurrency limit: 500.
subdirectory split: 23.
user ids: 200, 201, 202, 0, 203, 204, 205, 206.
group ids: 200, 201.
badmailfrom: (Default.) Any MAIL FROM is allowed.
badrcptto: (Default.) Any RCPT TO is allowed.
morebadrcptto: (Default.) No badrcptto; morebadrcpto is irrelevant.
morebadrcptto.cdb: (Default.) No effect.
bouncefrom: (Default.) Bounce user name is MAILER-DAEMON.
bouncehost: (Default.) Bounce host name is hamishnet.homelinux.com.
concurrencylocal: (Default.) Local concurrency is 10.
concurrencyremote: (Default.) Remote concurrency is 20.
databytes: (Default.) SMTP DATA limit is 0 bytes.
defaultdomain: Default domain name is hamishnet.homelinux.com.
defaulthost: (Default.) Default host name is hamishnet.homelinux.com.
doublebouncehost: (Default.) 2B recipient host: hamishnet.homelinux.com.
doublebounceto: (Default.) 2B recipient user: postmaster.
envnoathost: (Default.) Presumed domain name is hamishnet.homelinux.com.
helohost: (Default.) SMTP client HELO host name is hamishnet.homelinux.com.
idhost: (Default.) Message-ID host name is hamishnet.homelinux.com.
localiphost: (Default.) Local IP address becomes hamishnet.homelinux.com.
locals:
me: My name is hamishnet.homelinux.com.
percenthack: (Default.) The percent hack is not allowed.
plusdomain: Plus domain name is hamishnet.homelinux.com.
qmqpservers: (Default.) No QMQP servers.
queuelifetime: (Default.) Message lifetime in the queue is 604800 seconds.
rcpthosts:
SMTP clients may send messages to recipients at hamishnet.homelinux.com.
morercpthosts: (Default.) No effect.
morercpthosts.cdb: (Default.) No effect.
smtpgreeting: (Default.) SMTP greeting: 220 hamishnet.homelinux.com.
smtproutes: (Default.) No artificial SMTP routes.
timeoutconnect: (Default.) SMTP client connection timeout is 60 seconds.
timeoutremote: (Default.) SMTP client data timeout is 1200 seconds.
timeoutsmtpd: (Default.) SMTP server data timeout is 1200 seconds.
virtualdomains:
Virtual domain: hamishnet.homelinux.com:hamishnet.homelinux.com
clientcert.pem: I have no idea what this file does.
conf-smtpd.org: I have no idea what this file does.
rcpthosts.lock: I have no idea what this file does.
defaultdelivery: I have no idea what this file does.
locals.lock: I have no idea what this file does.
conf-pop3d: I have no idea what this file does.
conf-qmqpd: I have no idea what this file does.
conf-qmtpd: I have no idea what this file does.
servercert.cnf: I have no idea what this file does.
servercert.pem: I have no idea what this file does.
conf-smtpd: I have no idea what this file does.
virtualdomains.lock: I have no idea what this file does.
conf-common: I have no idea what this file does.
rsa512.pem: I have no idea what this file does.
and
Code:
root@hamishnet hamish # /var/qmail/supervise/qmail-smtpd/run
tcpserver: fatal: unable to bind: address already used
I think I have set the smtp server to only send mail from localhost and my internal network.
>> tcpserver: fatal: unable to bind: address already used
This means there is already an SMTP server listening on port 25 so qmail is unable to use port 25. Try looking at the output of "ps -ef" or "netstat -nap" and see what is using port 25. Maybe you have postfix, sendmail or exim running and trying to listen on port 25.
Also, your setup looks pretty good... I think you're safe to run qmail... no danger of open relay. But I'm still not sure I understand why you are having auth problems. When I see your run file for qmail-smtpd, it may shed some light.
Code:
root@hamishnet hamish # more /var/qmail/supervise/qmail-smtpd/run
#!/bin/sh
# Gentoo Startup script for qmail's SMTP daemon
# $Header: /var/cvsroot/gentoo-x86/mail-mta/qmail/files/1.03-r13/run-qmailsmtpd,v 1.2 2004/07/18 03:29:51 dragonheart Exp $
#
# If you need to edit this file, please look at editing conf-smtpd and
# conf-common first. If you still need to change this file, you should
# probably file a bug on the bugzilla saying what you wanted to change so that
# modification can be made possible via the configuration files

# This is to make life easier
SERVICE=smtp

# this is to inherit QMAIL_CONTROLDIR
. /etc/profile
[ -s ${QMAIL_CONTROLDIR}/conf-common ] && source ${QMAIL_CONTROLDIR}/conf-common
[ -s ${QMAIL_CONTROLDIR}/conf-${SERVICE}d ] && source ${QMAIL_CONTROLDIR}/conf-${SERVICE}d
[ -s /var/qmail/bin/config-sanity-check ] && source /var/qmail/bin/config-sanity-check

# Now run it all
exec /usr/bin/softlimit ${SOFTLIMIT_OPTS} \
	${QMAIL_TCPSERVER_PRE} \
	/usr/bin/tcpserver ${TCPSERVER_OPTS} -x /etc/tcp.${SERVICE}.cdb \
	-c ${MAXCONN} -u ${QMAILDUID} -g ${NOFILESGID} \
	${TCPSERVER_HOST} ${TCPSERVER_PORT} \
	${QMAIL_SMTP_PRE} /var/qmail/bin/qmail-${SERVICE}d ${QMAIL_SMTP_POST} \
	2>&1
Code:
root@hamishnet hamish # tail -f /var/log/qmail/qmail-smtpd/current
@40000000427e813b20dc605c /bin/rm: cannot remove `/var/spool/qmailscan/working/new/hamishnet.homelinux.com11155868657196792': Permission denied
@40000000427e81412d972e44 X-Qmail-Scanner-1.25st:[hamishnet.homelinux.com11155868717196795] cannot open /var/spool/qmailscan/qmail-scanner-queue-version.txt - did you initialise the system by running "qmail-scanner-queue.pl -z"? - Permission denied
@40000000427e81412dc7333c /bin/rm: cannot remove `/var/spool/qmailscan/tmp/hamishnet.homelinux.com11155868717196795/': Permission denied
@40000000427e81412dca38ac /bin/rm: cannot remove `/var/spool/qmailscan/working/new/hamishnet.homelinux.com11155868717196795': Permission denied
@40000000427faf6007336fec X-Qmail-Scanner-1.25st:[hamishnet.homelinux.com111566421471910235] cannot open /var/spool/qmailscan/qmail-scanner-queue-version.txt - did you initialise the system by running "qmail-scanner-queue.pl -z"? - Permission denied
@40000000427faf60090b9aec /bin/rm: cannot remove `/var/spool/qmailscan/tmp/hamishnet.homelinux.com111566421471910235/': Permission denied
@40000000427faf60090bbe14 /bin/rm: cannot remove `/var/spool/qmailscan/working/new/hamishnet.homelinux.com111566421471910235': Permission denied
@40000000427fb4c42b0d6a6c X-Qmail-Scanner-1.25st:[hamishnet.homelinux.com111566559471910796] cannot open /var/spool/qmailscan/qmail-scanner-queue-version.txt - did you initialise the system by running "qmail-scanner-queue.pl -z"? - Permission denied
@40000000427fb4c42b4199cc /bin/rm: cannot remove `/var/spool/qmailscan/tmp/hamishnet.homelinux.com111566559471910796/': Permission denied
@40000000427fb4c42b44a70c /bin/rm: cannot remove `/var/spool/qmailscan/working/new/hamishnet.homelinux.com111566559471910796': Permission denied
I did have problems in that courier-imap didn't install at all. However, I didn't think that this would affect the SMTP authentication stuff. Was I wrong?
*sigh* Oh Jesus Christ. Why does everyone feel like they have to make a standardized qmail install? This is the second one I've seen today and it makes it very, very difficult to assist people when their run files are chock-full of variables. I guess the Gentoo people are to blame.
I don't even feel like using any brain power to figure this out, but you need to check your "conf-common" and "conf-smtp" and see if you can figure out which one defines the variable ${QMAIL_SMTP_POST}.
I see this showing up at the bottom of your run file and I don't know what it contains. If you want to add authentication, it could be handled in this variable, or we may need to add something to the file to handle this. Maybe you can just post those conf files here so I can see what the hell these people are trying to do.
We also need to fix this error. You should start by following the advice shown in your logs. You need to run qmail-scanner-queue.pl with the -z option. Normally this is done like so...
/var/qmail/bin/qmail-scanner-queue.pl -z
But at this point, I think all bets are off. These goobers probably put it in some unusual place and now we have to go hunting for it. If you get a failure on this, you may have to enlist the help of "find" to see if you can figure out where it is.
You may also want to verify that /var/spool/qmailscan/qmail-scanner-queue-version.txt is where it's supposed to be, because your system is looking for the file at this location.
Your courier imap install should be a whole different auth.
Man, to be honest, I'm not sure I'm going to be able to help you. This is going to be like dentistry through the @$$. I think you might be better off blowing away all this crap and install per www.qmailrocks.org or maybe install per the howto in my signature. At least then we can be on common ground and I can guide you a little better.
Code:
# Common Configuration file for all qmail daemons
# $Header: /var/cvsroot/gentoo-x86/mail-mta/qmail/files/1.03-r13/conf-common,v 1.3 2005/02/14 12:26:31 robbat2 Exp $

# Qmail User IDS to run daemons as
QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`

# Qmail Control Dir (this is actually set in /etc/env.d/99qmail)
#QMAIL_CONTROLDIR=/var/qmail/control

# Host and port to listen on
# We listen on the IPv4 local ip by default
#TCPSERVER_HOST=0.0.0.0
TCPSERVER_HOST=0.0.0.0
TCPSERVER_PORT=${SERVICE}

# you do not need to specify -x, -c, -u or -g in this variable as those are
# added later
#TCPSERVER_OPTS="-p -v"
TCPSERVER_OPTS="-H -R -l 0"

# we limit data and stack segments to 16 Mbytes, you may need to raise this if
# you are using a filter in QMAILQUEUE
SOFTLIMIT_OPTS="-m 16000000"

# We don't have anything to set QMAILQUEUE to at the moment, so we leave it alone
#QMAILQUEUE=""

# tcpserver maximum concurrency, defaults to 40 in tcpserver
# this controls the maximum number of incoming connections that it will accept
[ -e ${QMAIL_CONTROLDIR}/concurrencyincoming ] && MAXCONN=$(<${QMAIL_CONTROLDIR}/concurrencyincoming) || MAXCONN=40
Ok, I think /var/vpopmail/bin/vchkpw is incorrect. I think it should be /home/vpopmail/bin instead. Can you verify that this is the proper location? I doubt you even have a /var/vpopmail directory.
As much as I love the "trace the variables" game, I'll comment on the original question:
Quote:
Originally posted by hamish Secondly, my qmail server does not force authentication. Although I can use my password and username and it works, how can I make it reject connections where the username and password are not given? Is it a line in the conf that I need to change?
Quote:
Originally posted by hamish The only lines in the /etc/tcp.smtp are:
If you are sending mail from the 10.0.0.0 network, you won't be required to enter a username/pass even if SMTPAUTH is enabled because of relaying. The last line in this file tells qmail to always accept mail from this network for relaying. Bad news is that you are an open relay. Good news is that you are only an open relay for the 10.0.0.0 network.
My advice: Ditch the @#%$! precompiled install and install per Life With Qmail.
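The post above is the heart of the thread: a `RELAYCLIENT=""` assignment in /etc/tcp.smtp makes qmail-smtpd relay for that address range without any AUTH, and rcpthosts only applies when RELAYCLIENT is absent. Here is an added example (not qmail's code and not from either poster) that models the documented decision in Python: tcpserver's rule lookup order, and qmail-smtpd's RELAYCLIENT/rcpthosts check for RCPT TO. The rule files are constructed to illustrate the thread (hamish's actual file is not quoted in full); host-name rules, rblsmtpd and the exact AUTH patch internals are not modelled, and "authenticated" simply stands in for the AUTH patch setting RELAYCLIENT after a successful login.

```python
"""Model of tcp.smtp (tcprules) + control/rcpthosts relay decisions.
Added example for this thread; a Python rendering of documented behaviour, not qmail."""
import re


def parse_tcprules(text):
    """Parse tcprules source lines 'address:allow,VAR="value",...' into
    {address_pattern: (action, {VAR: value})}.  Blank and '#' lines are skipped."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        addr, sep, instruction = line.partition(":")
        if not sep:
            raise ValueError("rule without ':' -> %r" % line)
        action, _, envpart = instruction.partition(",")
        if action not in ("allow", "deny"):
            raise ValueError("instruction must start with allow/deny: %r" % line)
        env = dict(re.findall(r'([A-Za-z_][A-Za-z0-9_]*)="([^"]*)"', envpart))
        rules[addr] = (action, env)
    return rules


def lookup(rules, ip):
    """tcpserver tries the full address, then dotted prefixes from longest to
    shortest ('10.0.0.', '10.0.', '10.'), then the default rule with an empty
    address.  If nothing matches at all, tcpserver allows the connection."""
    octets = ip.split(".")
    candidates = [ip] + [".".join(octets[:n]) + "." for n in (3, 2, 1)] + [""]
    for key in candidates:
        if key in rules:
            return rules[key]
    return "allow", {}


def rcpthosts_match(domain, rcpthosts):
    """qmail's rcpthosts test: the whole domain, or any '.suffix' entry that
    starts at a dot inside it ('.example.org' matches 'mx.example.org' but
    not 'example.org' itself)."""
    domain = domain.lower()
    entries = {e.strip().lower() for e in rcpthosts if e.strip()}
    suffixes = [domain] + [domain[i:] for i, ch in enumerate(domain) if ch == "."]
    return any(s in entries for s in suffixes)


def smtpd_accepts_rcpt(env, rcpt, rcpthosts, authenticated=False):
    """qmail-smtpd accepts RCPT TO when RELAYCLIENT is in its environment
    (tcpserver exports it from the matching rule; the SMTP-AUTH patch sets it
    after a successful login, modelled by `authenticated`).  Otherwise the
    recipient's domain must be in control/rcpthosts."""
    if "RELAYCLIENT" in env or authenticated:
        return True
    return rcpthosts_match(rcpt.rpartition("@")[2], rcpthosts)


def relay_decision(tcp_smtp_text, client_ip, rcpt, rcpthosts, authenticated=False):
    """End to end: may this client hand us mail for this recipient?"""
    action, env = lookup(parse_tcprules(tcp_smtp_text), client_ip)
    if action == "deny":
        return False      # tcpserver drops the connection before qmail-smtpd runs
    return smtpd_accepts_rcpt(env, rcpt, rcpthosts, authenticated)


# Constructed rule files for illustration; the 10. line is the one the thread removes.
# RBLSMTPD="" tells rblsmtpd to skip its DNSBL lookups for that client.
BEFORE = '''
127.0.0.1:allow,RELAYCLIENT="",RBLSMTPD=""
10.:allow,RELAYCLIENT=""
'''
AFTER = '''
127.0.0.1:allow,RELAYCLIENT="",RBLSMTPD=""
'''
RCPTHOSTS = ["hamishnet.homelinux.com"]   # what qmail-showctl reported above

if __name__ == "__main__":
    for label, rules in (("with 10. line", BEFORE), ("without 10. line", AFTER)):
        print(label, "-> LAN client may relay to gmail.com without AUTH:",
              relay_decision(rules, "10.0.0.7", "someone@gmail.com", RCPTHOSTS))
```

Two practical caveats: tcpserver reads the compiled /etc/tcp.smtp.cdb (the `-x` argument in the Gentoo run file), so after editing /etc/tcp.smtp you must rebuild it with `tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp < /etc/tcp.smtp` or the old rules stay in force; and a "deny" rule is the only thing that stops a client before qmail-smtpd, so the default for unlisted addresses is to let them connect and then be limited to rcpthosts.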
I have a /var/qmail folder. All qmail folders/files are in there:
Code:
root@hamishnet hamish # ls /var/qmail/
alias bin boot control queue rc supervise users
TruckStuff: I removed the 10.0.0. line from the tcp.smtp file. I now need authentication. Tomorrow, I'll try from a friend's to see that I can send emails via the SMTP server from a completely different network.
leaving me with just this:
127.0.0.1:allow,RELAYCLIENT="",RBLSMTPD=""
I have to use authentication from my 10.0.0. network. I'm going to check later today if I can still use the SMTP server from a different location (which I'm pretty sure will work).
I think the main problem was the qmail-scanner-queue, as I have had nothing in the log files since I removed it. What does this file do? I remember adding it as I thought it had something to do with blocking spam. (That is the next challenge btw, setting up spam filtering.)
Anyway, I can use Horde etc. so I'm quite pleased. Thank you for your excellent help.
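The test hamish plans above (sending through the server from a completely different network) is worth doing without a mail client, so you can see the exact SMTP replies. Here is an added example (not from the thread, the posters or qmail) of an open-relay probe: one unauthenticated session that asks to relay to an outside domain and then issues RSET instead of DATA, so nothing is ever delivered. The canned replies in ScriptedServer are constructed, with wording modelled on qmail-smtpd and the SMTP-AUTH patch, so the probe runs offline; probe_host() speaks to a real server, and the recipient domain example.org is an assumption for "a domain this server does not host".

```python
"""Open-relay probe.  Added example for this thread, not the posters' code or qmail's."""
import socket

OUTSIDE_RCPT = "relay-test@example.org"   # assumption: a domain the target does not host


def _read_reply(rfile):
    """Read one SMTP reply, following 'NNN-' continuation lines.  Returns (code, lines)."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return int(line[:3]), lines


def probe_relay(rfile, wfile, helo="probe.example.net",
                sender="probe@example.net", rcpt=OUTSIDE_RCPT):
    """Drive the session.  Keys: auth_offered (AUTH advertised in EHLO),
    relay_open (RCPT TO an outside domain accepted without AUTH), rcpt_reply."""
    def send(cmd):
        wfile.write((cmd + "\r\n").encode("ascii"))
        wfile.flush()

    code, greeting = _read_reply(rfile)
    if code != 220:
        raise RuntimeError("unexpected greeting: %s" % greeting[0])
    send("EHLO " + helo)
    code, ehlo = _read_reply(rfile)
    if code != 250:                    # pre-ESMTP server: fall back to HELO
        send("HELO " + helo)
        code, ehlo = _read_reply(rfile)
    auth_offered = any(l[4:].upper().startswith("AUTH") for l in ehlo[1:])
    send("MAIL FROM:<%s>" % sender)
    code, mail = _read_reply(rfile)
    if code != 250:
        send("QUIT")
        return {"auth_offered": auth_offered, "relay_open": False,
                "rcpt_reply": "MAIL refused: " + mail[0]}
    send("RCPT TO:<%s>" % rcpt)
    code, rcpt_lines = _read_reply(rfile)
    send("RSET")                       # abandon the transaction; never send DATA
    _read_reply(rfile)
    send("QUIT")
    return {"auth_offered": auth_offered, "relay_open": code == 250,
            "rcpt_reply": rcpt_lines[0]}


def probe_host(host, port=25, timeout=15):
    """Run the probe against a live server.  Only point this at servers you own."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("rb") as rfile, sock.makefile("wb") as wfile:
            return probe_relay(rfile, wfile)


class ScriptedServer:
    """Constructed stand-in for offline runs: answers each command verb with a
    canned reply (multi-line replies are CRLF-separated).  Not a real SMTP server."""
    def __init__(self, replies):
        self.replies = replies
        self.sent = []
        self._pending = (replies["GREETING"] + "\r\n").encode("ascii")

    def readline(self):
        line, _, self._pending = self._pending.partition(b"\r\n")
        return line + b"\r\n" if line else b""

    def write(self, data):
        cmd = data.decode("ascii").strip()
        self.sent.append(cmd)
        verb = cmd.split(":")[0].split(" ")[0].upper()    # 'MAIL FROM:<x>' -> 'MAIL'
        reply = self.replies.get(verb, "500 unrecognized command")
        self._pending += (reply + "\r\n").encode("ascii")

    def flush(self):
        pass


# Reply sets modelled on qmail-smtpd with the SMTP-AUTH patch (constructed).
QMAIL_CLOSED = {
    "GREETING": "220 hamishnet.homelinux.com ESMTP",
    "EHLO": "250-hamishnet.homelinux.com\r\n250-AUTH LOGIN PLAIN\r\n250-PIPELINING\r\n250 8BITMIME",
    "MAIL": "250 ok",
    "RCPT": "553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)",
    "RSET": "250 flushed",
    "QUIT": "221 hamishnet.homelinux.com",
}
QMAIL_OPEN = dict(QMAIL_CLOSED, RCPT="250 ok")   # what a RELAYCLIENT="" match looks like


def verdict(result):
    """One-line reading of probe_relay()'s result."""
    if result["relay_open"]:
        return "OPEN RELAY: unauthenticated RCPT TO an outside domain was accepted"
    if result["auth_offered"]:
        return "ok: relay refused without AUTH, and AUTH is advertised for your own clients"
    return "relay refused, but no AUTH offered: roaming clients cannot send through this server"


if __name__ == "__main__":
    s = ScriptedServer(QMAIL_CLOSED)
    print(verdict(probe_relay(s, s)))
```

qmail-smtpd decides at RCPT TO, so a 553 there is the answer you want from any address that is not in tcp.smtp; some other MTAs only reject at DATA, and against those this probe would report "open" when the server would in fact have bounced the message, so read the literal rcpt_reply rather than trusting the boolean alone.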
It really depends on how you had everything set up. If you were using the C wrapper to overcome problems with running suidperl, then maybe you needed to use qmail-scanner-queue for that reason. But since you're not having problems now, maybe that was just a typo and you missed putting the "pl" at the end?
Which means that any mail that originates from 127.0.0.1 will be passed directly to the qmail-queue. This is good if you want to avoid scanning a bunch of mail for spam and viruses that you know are coming from trusted hosts.
For example, if you wanted to avoid scanning mail from your 10.x.x.x network and the localhost, but scan all the rest...