The qmail-SPP project has a hook for C/Perl/PHP/Bash plugins that can trigger on various SMTP actions:
connection: for plugins run just after the client connects
helo: for HELO/EHLO
mail: for MAIL
rcpt: for RCPT
data: for DATA
auth: for AUTH (if supported)

At my company I have a Lotus Domino mail server protected by two qmail relay servers around a DMZ. Mail coming in from the outside passes those two qmail relays and then reaches the Domino server. Domino knows which accounts are valid and which are not, but when a client submits a mail to the outer qmail-smtpd, this one doesn't know and accepts all messages for my domains (at least those that don't get caught by rblsmtpd, badhelo, badmailfrom, badmailto etc.).
This creates a reply from the Domino server for each non-existent account ("xxxx is not listed in the Domino directory") and a lot of dead mails, bounces and backscatter to forged senders. Better to block the RCPT TO as it happens.
A solution would be some kind of LDAP integration so the outer qmail installation could ask the internal Domino server for each RCPT TO line whether it's an existing account. I know qmail-ldap and other projects exist, but for a mere 55+ Lotus Notes users (yeah, a 55-user Domino infrastructure, speak of overkill…) there has to be an easier way: the qmail-spp "goodmailto" plugin.
This plugin checks each RCPT TO against /var/qmail/control/goodmailto, a file containing all valid email accounts of your domain(s), all short names and all aliases, one per line. This file could be updated from your Domino/LDAP server or by a cron job automatically, but you can figure that out yourself.
# Aliases #########################
admin
abuse
root
www-admin
webmaster
# Accounts #######################
hh
hansi.hinterseer
jc
jackie.chan
jk
james.kirk
kk
kaptain.kirk
jb
james.bond
If the file /var/qmail/control/goodmailto is not readable or does not exist, the plugin accepts all messages, so none get lost. Note that this is fail-open: a deleted or mis-permissioned file silently turns the check off, so keep an eye on it. If the file is readable, the user part of user@domain.com is checked against the lines in the file. Checking the domain part is not this plugin's job; qmail-smtpd's rcpthosts still decides which domains are accepted at all.
Invalid RCPT TO commands are blocked with a 550 SMTP error and a nice "no such user" message of your choice. Rejecting at RCPT time lets a remote client tell valid addresses from invalid ones (directory harvesting); that is the trade-off for not generating backscatter, and the log lines below make such probing easy to spot.
The goodmailto check can be disabled by setting the environment variable NOGOODMAILTO, for example via your tcprules for the internal network: you want to send mail from the inside to recipients on the outside, too, and those are not in the file.
Logging is customizable (just a text written to stderr), mine logs like:
@400000004773b7db29bf04f4 goodmailto: host: adsl-164-175.globonet.hu from: jqsdq@jhg.com to: sonja.xxxxx (sonja.xxxx@xxxx.de) status: found
@400000004773b7db2a59647c goodmailto: host: adsl-164-175.globonet.hu from: jqsdq@jhg.com to: stefan.xxxx (stefan.xxxx@xxxx.de) status: not found
@400000004773b7f30fcd24a4 goodmailto: host: adsl-164-175.globonet.hu from: jqsdq@jhg.com to: sod (sod@xxxx.de) status: not found
[...]
Lines containing "goodmailto" can be logged separately to a directory called /var/log/qmail-plugins by adding a line containing
'-*' '+* goodmailto*' /var/log/qmail-plugins
to the multilog invocation in /service/qmail-smtpd/log/run. See the multilog documentation on how to filter lines.
Assuming you read the documentation at qmail-SPP, the plugin, written in bash, should be easy to adapt to your needs, but do not forget the ":" at the beginning of the line calling the plugin from /var/qmail/control/smtpplugins to get it executed in a shell.
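To show the check described above end to end, here is an added example of a minimal rcpt plugin in POSIX sh. It is not the author's goodmailto.sh and not part of qmail-SPP; it only reproduces the behaviour the post describes (user part looked up as a whole line in the file, comment lines ignored, fail-open when the file is unreadable, bypass via NOGOODMAILTO, a 550 on mismatch, a log line on stderr). The names of the qmail-SPP environment variables (SMTPRCPTTO, SMTPMAILFROM) and the "E<text>" stdout convention for rejecting a command are assumptions from my reading of the qmail-SPP protocol; verify them against the README of the version you run. The match is made case-insensitive here, which the post does not state; drop the -i if you want exact matching.

```shell
#!/bin/sh
# Added example of a qmail-SPP "rcpt" plugin; not the original goodmailto.sh.
# Assumed qmail-SPP protocol (check your README): the RCPT TO argument is in
# $SMTPRCPTTO, the envelope sender in $SMTPMAILFROM, the client host/IP in
# $TCPREMOTEHOST/$TCPREMOTEIP (from tcpserver); printing "E<text>" to stdout
# makes qmail-smtpd answer <text> and reject the command; stderr goes to the
# qmail-smtpd log.

GOODMAILTO="${GOODMAILTO:-/var/qmail/control/goodmailto}"
REJECT_TEXT="${REJECT_TEXT:-550 no such user}"

# local_part ADDRESS
# Prints the user part of an RCPT TO argument in lower case. Handles
# "<user@dom>" and "user@dom", strips spaces and a stray CR; a bare
# "user" (no @) is returned unchanged.
local_part() {
    addr=$(printf '%s' "$1" | tr -d '<> \r' | tr 'A-Z' 'a-z')
    printf '%s\n' "${addr%%@*}"
}

# rcpt_allowed USER FILE
# Returns 0 if USER appears as a whole line in FILE (case-insensitive,
# '#' comment lines and trailing whitespace ignored), 1 if it does not,
# and 0 when FILE is unreadable: fail-open, as the post describes.
rcpt_allowed() {
    user=$1 file=$2
    [ -r "$file" ] || return 0
    [ -n "$user" ] || return 1
    # -F: fixed string, so a user part full of regex metacharacters cannot
    # widen the match; -x: whole line; -- : user parts starting with '-'.
    grep -v '^[[:space:]]*#' "$file" | sed 's/[[:space:]]*$//' \
        | grep -qixF -- "$user"
}

# Plugin entry point. It only runs when qmail-spp has set SMTPRCPTTO, so the
# functions above can also be sourced and exercised on their own.
if [ -n "${SMTPRCPTTO:-}" ]; then
    # Disabled for this client via tcprules (NOGOODMAILTO="" is enough).
    [ -z "${NOGOODMAILTO+set}" ] || exit 0
    user=$(local_part "$SMTPRCPTTO")
    if rcpt_allowed "$user" "$GOODMAILTO"; then
        status=found
    else
        status="not found"
        printf 'E%s\n' "$REJECT_TEXT"
    fi
    # Same shape as the log excerpt in the post; host and sender are
    # client-controlled strings.
    printf 'goodmailto: host: %s from: %s to: %s (%s) status: %s\n' \
        "${TCPREMOTEHOST:-${TCPREMOTEIP:-?}}" "${SMTPMAILFROM:-?}" \
        "$user" "$SMTPRCPTTO" "$status" >&2
fi
```

Hook it in with a rcpt line in /var/qmail/control/smtpplugins, prefixed with ":" as the post says so that it runs in a shell, and set NOGOODMAILTO in the tcprules entry for your internal network so outbound mail is not checked against the file.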
Download goodmailto.sh here.
Current version is 1.4 (2016-02-10), there may be bugs, so try this in a non-production environment first. You have been warned! Please tell me if you find something interesting so I can fix it.