The qmail-SPP project has a hook for C/Perl/PHP/Bash plugins that can trigger on various SMTP actions like
connection: for plugins run just after the client connects
auth: for AUTH (if supported)
At my company I have a Lotus Domino mail server protected by two qmail relay servers around a DMZ. Mail coming in from the outside passes those two qmail relays and then reaches the Domino server. Domino knows which accounts are valid and which are not, but when a client submits a mail to the outer qmail-smtpd, that one doesn't know, and accepts all messages for my domains (at least those that don't get caught by
This creates a reply from the Domino server for each non-existent account ("xxxx is not listed in the Domino directory") and a lot of dead mails, bounces and stupid replies to forged senders. Better to block the RCPT TO as it happens.
A solution would be some kind of LDAP integration, so the outer qmail installation could ask the internal Domino server, for each RCPT TO line, whether the account exists. I know qmail-ldap and other projects exist, but for a mere 55+ Lotus Notes users (yeah, a 55-user Domino infrastructure, speak of overkill…) there has to be an easier way: the qmail-SPP "goodmailto" plugin.
This plugin checks each RCPT TO against /var/qmail/control/goodmailto, a file containing all valid email accounts of your domain(s), all shortnames and all aliases, one per line. This file could be updated from your Domino/LDAP server or by a cronjob automatically, but you can figure that out yourself.
# Aliases #########################
admin
abuse
root
www-admin
webmaster
# Accounts #######################
hh
hansi.hinterseer
jc
jackie.chan
jk
james.kirk
kk
kaptain.kirk
jb
james.bond
If the file /var/qmail/control/goodmailto is not readable or does not exist, the plugin accepts all messages, so none get lost. Keep in mind that this is fail-open: if the cronjob that regenerates the file breaks or the file loses its permissions, every recipient is accepted again without any error, so the file's presence is worth watching. If the file is readable, the user part of firstname.lastname@example.org is checked against the lines in the file. Checking the domain part is not this plugin's job (qmail-smtpd's rcpthosts already decides which domains are accepted at all).
RCPT TO commands for unknown users are rejected with a 550 SMTP error carrying a nice "Fu** you, no such user" message of your choice.
goodmailto checks can be disabled by setting the variable NOGOODMAILTO, for example via your tcprules. You probably want users on the inside to send mail to the outside, too, and those recipients are of course not in the file…
Logging is customizable (just text written to stderr); mine logs like:
@400000004773b7db29bf04f4 goodmailto: host: adsl-164-175.globonet.hu from: email@example.com to: sonja.xxxxx (firstname.lastname@example.org) status: found
@400000004773b7db2a59647c goodmailto: host: adsl-164-175.globonet.hu from: email@example.com to: stefan.xxxx (firstname.lastname@example.org) status: not found
@400000004773b7f30fcd24a4 goodmailto: host: adsl-164-175.globonet.hu from: email@example.com to: sod (firstname.lastname@example.org) status: not found
[...]
Lines containing "goodmailto" can be logged separately to a folder called /var/log/qmail-plugins by adding
'-*' '+* goodmailto*' /var/log/qmail-plugins
to the multilog command in /service/qmail-smtpd/log/run. See the multilog documentation on how to filter lines.
Assuming you have read the documentation at qmail-SPP, the plugin written in bash should be easy to adapt to your needs, but do not forget the ":" at the beginning of the line calling the plugin from /var/qmail/control/smtpplugins to get it executed in a shell.
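To make the behaviour described above concrete, here is an added example of such an rcpt plugin in POSIX sh. It is written for this page and is not the goodmailto.sh offered for download, nor code from the qmail-SPP project: local-part extraction, a fixed-string whole-line lookup, fail-open when the file is missing or unreadable, the NOGOODMAILTO switch, the 550 reply and a goodmailto-style log line on stderr. The environment variable names SMTPRCPTTO, SMTPMAILFROM, TCPREMOTEIP/TCPREMOTEHOST and the "E<reply>" convention on stdout are my assumptions about the qmail-SPP plugin interface, not something this page states, and the reply text is a placeholder.

```shell
#!/bin/sh
# goodmailto-style "rcpt" plugin for qmail-SPP (illustrative example, not the
# original goodmailto.sh). Assumed interface: qmail-smtpd passes the RCPT TO
# argument in $SMTPRCPTTO and the sender in $SMTPMAILFROM, tcpserver supplies
# $TCPREMOTEIP/$TCPREMOTEHOST, and a line "E<reply>" on stdout is sent to the
# client as the SMTP reply.

GOODMAILTO_FILE="${GOODMAILTO_FILE:-/var/qmail/control/goodmailto}"
GOODMAILTO_MSG="${GOODMAILTO_MSG:-550 5.1.1 no such user}"   # placeholder text

# Local part of a RCPT TO argument: "<Hansi.Hinterseer@example.org>" gives
# "Hansi.Hinterseer". Angle brackets and the domain are stripped; a
# source-routed argument like "<@relay:user@dom>" yields an empty string.
localpart() {
    lp=${1#*<}      # drop a leading "<" (and anything before it)
    lp=${lp%%@*}    # drop "@domain" and everything after it
    lp=${lp%>}      # drop ">" when there was no domain
    printf '%s\n' "$lp"
}

# Look a local part up in the control file. Prints "found", "not found" or
# "nofile" (file missing or unreadable: fail open, as described above).
lookup() {
    user=$1
    file=$2
    if [ ! -r "$file" ]; then
        echo "nofile"
        return 0
    fi
    # -x whole line, -F fixed string, -i case-insensitive: the local part is
    # client-controlled and must never be interpreted as a regex, and a
    # substring ("dmin" inside "admin") must not count. Comment lines such as
    # "# Aliases ####" never equal a user and are therefore ignored.
    if [ -n "$user" ] && grep -qixF -- "$user" "$file"; then
        echo "found"
    else
        echo "not found"
    fi
}

# Produce the plugin's answer for one RCPT TO: the stdout line for
# qmail-smtpd (nothing = accept) plus a goodmailto-style log line on stderr.
decide() {
    rcpt=$1
    file=$2
    # NOGOODMAILTO present in the environment (even empty), e.g. set by
    # tcprules for inside clients, switches the check off entirely.
    if [ -n "${NOGOODMAILTO+set}" ]; then
        return 0
    fi
    user=$(localpart "$rcpt")
    result=$(lookup "$user" "$file")
    echo "goodmailto: host: ${TCPREMOTEHOST:-${TCPREMOTEIP:-unknown}}" \
         "from: ${SMTPMAILFROM:-<>} to: $user ($rcpt) status: $result" >&2
    if [ "$result" = "not found" ]; then
        echo "E$GOODMAILTO_MSG"
    fi
}

# Entry point when qmail-smtpd runs this as an rcpt plugin; nothing happens
# when SMTPRCPTTO is unset (e.g. when the functions are sourced for a test).
if [ -n "${SMTPRCPTTO:-}" ]; then
    decide "$SMTPRCPTTO" "$GOODMAILTO_FILE"
fi
```

Register the script under the [rcpt] section of /var/qmail/control/smtpplugins with the leading colon mentioned above (the section name is qmail-SPP's convention as I know it, assumed here). For clients that must not be checked, add NOGOODMAILTO to their tcprules entry next to RELAYCLIENT, for example `192.168.1.:allow,RELAYCLIENT="",NOGOODMAILTO=""` (the network is made up); an empty value is enough, because the script tests whether the variable exists, not what it contains.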
Download goodmailto.sh here.
Current version is 1.4 (2016-02-10), there may be bugs, so try this in a non-production environment first. You have been warned! Please tell me if you find something interesting so I can fix it.