LinuxQuestions.org
Old 10-14-2004, 11:44 AM   #31
lsimon4180
Member
 
Registered: Oct 2004
Location: Chicago, IL
Distribution: Fedora Core 2
Posts: 101

Original Poster
Rep: Reputation: 15

I am going to have this server be a mail server for about 50 websites. Each site has email users associated with it, so I am trying to lock down qmail the best I can. If you go to http://spamlart.homeunix.org/, enter my hostname (baguh.lenernet.net) and click start, it performs about 90 tests on qmail to see if it's an open relay, or at least where some holes are. It fails 6 out of 90, which is not bad at all, but when I get the daily qmail stats I'm seeing attempts of about 20-100 emails being sent through my server. For instance, this is what I have now:

Basic statistics

qtime is the time spent by a message in the queue.

ddelay is the latency for a successful delivery to one recipient---the
end of successful delivery, minus the time when the message was queued.

xdelay is the latency for a delivery attempt---the time when the attempt
finished, minus the time when it started. The average concurrency is the
total xdelay for all deliveries divided by the time span; this is a good
measure of how busy the mailer is.

Completed messages: 585
Recipients for completed messages: 572
Total delivery attempts for completed messages: 581
Average delivery attempts per completed message: 0.993162
Bytes in completed messages: 2708480
Bytes weighted by success: 2449060
Average message qtime (s): 12.0308

Total delivery attempts: 581
success: 532
failure: 40
deferral: 9
Total ddelay (s): 7104.285881
Average ddelay per success (s): 13.353921
Total xdelay (s): 252.147764
Average xdelay per delivery attempt (s): 0.433989
Time span (days): 10.3136
Average concurrency: 0.000282964

I am the only user and I'm not even using this server for normal mail delivery yet, so my goal would be to try to decrease or stop most of these attacks on my server... by applying patches and stuff.

Just wanted you to know where I was going with this....

thanks again

lenny
 
Old 10-14-2004, 12:21 PM   #32
Donboy
Member
 
Registered: Aug 2003
Location: Little Rock, Arkansas
Distribution: RH, Fedora, Suse, AIX
Posts: 736

Rep: Reputation: 31
Hmmm... well, I just patched it on my end. It looks like what you had was good. Aside from the stuff you commented, it looks to be correct.

Tell me... when you patched the file, what text editor did you use? If you patched the file using the vi editor, then it should be OK. But if you patched the file through Windows via a Samba connection, then you may want to be sure your newlines are not causing you a problem. Let me know and I'll explain.

Basically it should work. I'm very surprised it doesn't.

Also, I'm still showing that one line to be in question...

case '\\': flagesc = 1; break;

I took my qmail-smtpd.c from the qmail tarball you get from cr.yp.to, which is the definitive source. Theirs has two \\ and yours has only one, so it makes me wonder if maybe somebody on qmailrocks has tinkered with the file.

You may want to try changing that line and rerun your make setup check and see what happens.

Also, the problem could be the SSL libraries. The line right near the top that says #include <openssl/ssl.h> could be pointed to SSL in the wrong place. It may be that your SSL libraries are located somewhere other than what they expected. It may be that all you need to do is give it the correct location path and it may work fine.

So at this point, I'm not sure. I think you may have to take this to higher authorities like the qmailrocks mailing list or maybe the qmail mailing list. Either that, or try googling until you find some clues from people who have tried installing the TLS patch also.
 
Old 10-14-2004, 01:01 PM   #33
Donboy
Are you sure you have openssl installed?

rpm -qa | grep ssl

You may also want to install the devel for this too.
 
Old 10-14-2004, 01:24 PM   #34
lsimon4180
yep

openssl-0.9.7a-35
mod_ssl-2.0.51-2.7
openssl-devel-0.9.7a-35
 
Old 10-14-2004, 02:16 PM   #35
Donboy
How about removing all the comments and trying it again? Maybe the placement of the comments is tripping you up?

I'm grasping at straws by now. I don't know if I can really help you on this one.

The only other idea I have is to redo the whole patching process. Just go to the tarball and extract all of the contents into the source directory and run the qmail_big_patches.script and run make setup check afterwards.

I don't think you need to run config-fast or create the cert again.
 
Old 10-14-2004, 10:58 PM   #36
Donboy
Hmm, you know... I wouldn't put too much faith into that tester thingy.... I just ran it against mine and it returned 32 "possible vulnerabilities" but I was watching my qmail-smtpd logs and my smtp server blocked every single one of them. This leads me to believe that their tester is reporting false positives. Most of them were blocked by the use of my qregex patch doing its job and blocking with badmailfrom and badmailto.
 
Old 10-15-2004, 12:36 PM   #37
lsimon4180
Hey, thank you so much for your help... I took your advice and unpacked the qmail-1.03 tarball and applied the big patch and then the "Norman" patch and then ran make setup check and it worked!

One thing that I noticed: I paused qmail with qmailctl pause to stop the email from going all the way through, to see where they are coming from and stuff, but when I run qmailctl stat it still shows that there aren't any in queue even though I sent a few test messages through... I then unpaused qmail and then the emails went through.... Any reason why they are not showing up in the queue as being "queued"?

thanks

Lenny
 
Old 10-15-2004, 12:58 PM   #38
Donboy
Well, when messages enter the queue, they usually aren't there for very long. This is especially true if you're doing local deliveries. qmail doesn't have too many problems delivering messages from the queue to another place on your hard drive, so it's in the queue very briefly.

To get a more accurate test, you may want to try sending the messages to a remote email address.... maybe yahoo or hotmail. But even that is usually done pretty fast. The only time messages will "hang" in the queue for any significant period of time is when there is a delivery problem... like maybe the remote server is congested and can't be reached on the first try... in that case, the messages are held in the queue until the next retry.

Like I was saying before.... you may want to just watch your qmail-smtpd logs. These logs will show ALL incoming messages that are trying to get into your server. My assumption is that you don't have any mailboxes created yet... maybe just the postmaster account? If you have no other mailboxes created yet, then most of your incoming messages are probably going to bounce, or get delivered to your mailbox if they were addressed to you.

If the messages are bouncing, that's good. I'm not surprised that you're getting junk mail already. The web is so congested with spammers that it's sad. Spammers find that new domains exist and immediately try to send mail to bogus accounts on your system.

So do you have a lot of messages in the queue? I assume you're probably bouncing a bunch of messages back to the spammers who sent them. In that case, there is a good likelihood that the bounce messages cannot be delivered, so they sit in the queue trying to be sent but never succeed. To remedy that, you should be running the mfcheck patch. If you have the control file created for this (/var/qmail/control/mfcheck) with a value of "1" in the file, then maybe your queue isn't very clogged. The mfcheck patch will do reverse dns checking against the envelope sender's domain, so it will only allow incoming mail that has a real domain. This way, bounces are possible.

Did you modify your qmail-smtpd/run file to include the rblsmtpd stuff??? If so, that will stop a bunch of these messages from ever getting into your system. This is where qmail shines. You can stop messages right away and they never have to enter your system... you are blocking them at the door. There is no way to stop people from TRYING to send you mail. But you can stop the mail from getting into your computer by using rblsmtpd. I think you're going to find that after you start using this, you will not get so many messages coming into your system. Start watching your qmail-smtpd file and I think you'll see that spamhaus stops a great deal of incoming junk mail. I'm pretty sure you're going to conclude that after rblsmtpd is up and running, you will no longer care about this issue because the only messages getting in are either legitimate messages or they are very small numbers of spam.... so small that it's not worth the effort in trying to block them.
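
Added example, not part of the original posts: one way to act on the advice above to watch the qmail-smtpd logs, counting how many connections rblsmtpd turned away and from which addresses. It assumes the run script sends stderr to multilog (so tcpserver and rblsmtpd lines land in the same file) and that the lines have the ucspi-tcp formats noted in the comments; the function names and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): count how many SMTP connections
# rblsmtpd turned away, using lines from a qmail-smtpd multilog file.
# Assumed ucspi-tcp line formats, after the multilog timestamp:
#   tcpserver: pid <pid> from <ip>
#   rblsmtpd: <ip> pid <pid>: <SMTP reply sent to the client>

rbl_totals() {      # $1 = log file; prints "<connections> <rejections>"
    awk '
        $2 == "tcpserver:" && $3 == "pid" && $5 == "from" { c++ }
        $2 == "rblsmtpd:"  && $4 == "pid"                 { r++ }
        END { printf "%d %d\n", c, r }' "$1"
}

rbl_by_ip() {       # prints "<ip> <connections> <rejections>", worst first
    awk '
        $2 == "tcpserver:" && $3 == "pid" && $5 == "from" { conn[$6]++ }
        $2 == "rblsmtpd:"  && $4 == "pid" { rej[$3]++; conn[$3] += 0 }
        END { for (ip in conn) printf "%s %d %d\n", ip, conn[ip], rej[ip] }
    ' "$1" | sort -k3,3nr -k1,1
}

write_sample_log() { # constructed log lines, documentation-range addresses
    cat > "$1" <<'EOF'
@4000000041700a1c0a000001 tcpserver: status: 1/20
@4000000041700a1c0a000002 tcpserver: pid 2101 from 192.0.2.10
@4000000041700a1c0a000003 tcpserver: ok 2101 mail.example.net:198.51.100.1:25 :192.0.2.10::40112
@4000000041700a1c0a000004 rblsmtpd: 192.0.2.10 pid 2101: 451 Blocked (constructed sample reply)
@4000000041700a1c0a000005 tcpserver: end 2101 status 0
@4000000041700a2a0a000001 tcpserver: pid 2102 from 198.51.100.7
@4000000041700a2a0a000002 tcpserver: ok 2102 mail.example.net:198.51.100.1:25 :198.51.100.7::51234
@4000000041700a2b0a000001 tcpserver: end 2102 status 0
@4000000041700a3c0a000001 tcpserver: pid 2103 from 203.0.113.44
@4000000041700a3c0a000002 rblsmtpd: 203.0.113.44 pid 2103: 451 Blocked (constructed sample reply)
@4000000041700a4d0a000001 tcpserver: pid 2104 from 192.0.2.10
@4000000041700a4d0a000002 rblsmtpd: 192.0.2.10 pid 2104: 451 Blocked (constructed sample reply)
EOF
}

# Demo run on the constructed sample; point the functions at a real log
# file (for example the "current" file in the qmail-smtpd log directory).
sample=$(mktemp)
write_sample_log "$sample"
echo "connections / rejected by rblsmtpd: $(rbl_totals "$sample")"
rbl_by_ip "$sample"
rm -f "$sample"
```

A client that connects but never appears on an rblsmtpd line was passed on to qmail-smtpd, so those are the addresses worth checking against badmailfrom or the other filters mentioned in this thread.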
 
Old 10-15-2004, 01:25 PM   #39
lsimon4180
So if I paused qmail and send a message, will it get held in queue or not?

I have several testing email addresses set up and I'm sending email to them while qmail is on pause, but the queue is still at 0... or will it only show emails in queue if they are having issues delivering?

While qmail is on pause no emails are getting delivered, but I thought the queue would increase since I'm pausing it?

once i "continue" qmail those emails are delivered.

thanks

lenny
 
Old 10-15-2004, 02:46 PM   #40
lsimon4180
Do you think the queue isn't showing up correctly because I unpacked the qmail-1.03 dir and ran make setup clean? Is there something in the dir that I need to config?
 
Old 10-15-2004, 03:16 PM   #41
Donboy
No, I'm sure the queue is probably fine. I just don't know much about qmailctl pause. I don't really use it. But from what I have read, I believe it still allows new mail to come in, but does not allow it to be delivered.

When you've got it paused and you run qmailctl stat, does it show the "not yet preprocessed" number is growing? I would expect the messages to be held in there until you unpause. But again, I don't know that much about it.
 
Old 10-15-2004, 03:44 PM   #42
lsimon4180
Yeah, qmailctl pause temporarily stops mail service (connections accepted, nothing leaves)... I had my friend try it and the messages in queue do update on his but not on mine for some reason.
 
  


All times are GMT -5.
