qmail SPP-Plugin

This page was created more than 2 years ago and last edited more than a month ago. The content may be well past its best-before date!

The qmail-SPP project provides a hook for C/Perl/PHP/Bash plugins that can be triggered by various SMTP actions:

  • connection: plugins run just after the client connects
  • helo: for HELO/EHLO
  • mail: for MAIL
  • rcpt: for RCPT
  • data: for DATA
  • auth: for AUTH (if supported)

The reason for writing this plugin

At my company I have a Lotus Domino mailserver protected by 2 qmail relay servers around a DMZ. Mails coming in from the outside pass those 2 qmail relays and then get to the Domino server. Domino knows which accounts are valid and which are not, but when a client submits a mail to the outer qmail-smtpd, this one doesn’t know – and accepts all messages for my domains (at least those that don’t get caught by rblsmtpd, badhelo, badmailfrom, badmailto etc.).

This creates a reply from the Domino server for each non-existent account ("xxxx is not listed in the Domino directory") and a lot of dead mails/bounces/stupid replies to forged senders. Better to block the RCPT TO as it happens.

A solution would be some kind of LDAP integration so the outer qmail installation could ask the internal Domino server for each RCPT TO line, to see if it’s an existing account. I know qmail-ldap and other projects exist, but for a mere 55+ Lotus Notes users (Yeah, a 55-user Domino infrastructure, talk about overkill…) there has to be an easier way: the qmail-spp "goodmailto" plugin.

What this plugin does

This plugin checks each RCPT TO against /var/qmail/control/goodmailto, a file containing all valid email accounts of your domain(s), all shortnames and all aliases, one per line. This file could be updated automatically from your Domino/LDAP server or by a cronjob, but you can figure that out yourself.

# Aliases #########################
# Accounts #######################

If the file /var/qmail/control/goodmailto is not readable or does not exist, the plugin accepts all messages, so none get lost. If the file is readable, the user-part from user@domain.com is checked against the lines in the file. Checking the domain part is not this plugin’s job!

Invalid RCPT TO commands are rejected with a 550 SMTP error with a nice "Fu** you, no such user"-message of your choice.

goodmailto checks can be disabled by setting the variable NOGOODMAILTO, for example via your tcprules – I guess you want to send mail to other users from the inside to the outside, too…
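
The checks described above, written out as an added shell example (this is not the author's goodmailto.sh). It assumes qmail-spp's SMTPRCPTTO/SMTPMAILFROM environment variables, tcpserver's TCPREMOTEHOST and the "E" reply command; the spp_log helper, the GOODMAILTO_FILE override and the reply text are hypothetical.

```sh
#!/bin/sh
# Added illustration of the checks described above, NOT the author's goodmailto.sh.
# Assumptions (from qmail-spp's plugin interface, not from this page): the
# recipient arrives in $SMTPRCPTTO, the sender in $SMTPMAILFROM, and a stdout
# line starting with "E" rejects the current command with that reply.
GOODMAILTO_FILE=${GOODMAILTO_FILE:-/var/qmail/control/goodmailto}

spp_log() {  # log format modelled on the sample lines further down the page
    echo "goodmailto: host: ${TCPREMOTEHOST:-unknown} from: ${SMTPMAILFROM:-}" \
         "to: $1 ($2) status: $3" >&2
}

# goodmailto_check RCPT [FILE]: returns 0 if accepted, 1 if rejected.
goodmailto_check() {
    rcpt=$1
    file=${2:-$GOODMAILTO_FILE}
    user=${rcpt%@*}          # user part only; the domain is not checked here

    # Bypass when NOGOODMAILTO is set (even to ""), e.g. via tcprules.
    if [ -n "${NOGOODMAILTO+set}" ]; then
        spp_log "$user" "$rcpt" "skipped"; return 0
    fi
    # Fail open: without a readable list, accept rather than lose mail.
    if [ ! -r "$file" ]; then
        spp_log "$user" "$rcpt" "no list"; return 0
    fi
    # Never let an empty user part or a "# ..." comment line count as a match.
    case $user in ''|'#'*) user= ;; esac

    # -F: literal string, so "." or "*" in the address are not regex syntax;
    # -x: the whole line must match; -i: local parts compared case-insensitively.
    if [ -n "$user" ] && grep -Fqxi -e "$user" -- "$file"; then
        spp_log "$user" "$rcpt" "found"; return 0
    fi
    spp_log "$user" "$rcpt" "not found"
    echo "E550 sorry, no mailbox here by that name"
    return 1
}

# Run as a plugin only when qmail-spp has supplied a recipient.
if [ -n "${SMTPRCPTTO:-}" ]; then goodmailto_check "$SMTPRCPTTO" || :; fi
```

Because the list fails open, an unreadable or missing file silently restores the accept-everything behaviour, so the "no list" status is worth alerting on.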


Logging is customizable (it is just text written to stderr). Mine logs like this:

@400000004773b7db29bf04f4 goodmailto: host: adsl-164-175.globonet.hu from: jqsdq@jhg.com to: sonja.xxxxx (sonja.xxxx@xxxx.de) status: found
@400000004773b7db2a59647c goodmailto: host: adsl-164-175.globonet.hu from: jqsdq@jhg.com to: stefan.xxxx (stefan.xxxx@xxxx.de) status: not found
@400000004773b7f30fcd24a4 goodmailto: host: adsl-164-175.globonet.hu from: jqsdq@jhg.com to: sod (sod@xxxx.de) status: not found

Lines containing "goodmailto" can be logged separately to a folder called /var/log/qmail-plugins by a line containing

'-*' '+* goodmailto*' /var/log/qmail-plugins

in /service/qmail-smtpd/log/run. See the multilog documentation on how to filter lines.


Assuming you have read the documentation at qmail-SPP, the plugin, written in bash, should be easy to adapt to your needs, but do not forget the ":" at the beginning of the line calling the plugin from /var/qmail/control/smtpplugins to get it executed in a shell.


Download goodmailto.sh here.

Current version is 1.4 (2016-02-10). There may be bugs, so try this in a non-production environment first. You have been warned! Please tell me if you find something interesting so I can fix it.

Error reports, cheers and bashing

Please write a comment using the form below.
