Note: The page "qmail SPP-Plugin" was written or last edited more than a year ago and may be outdated or no longer correct.

The qmail-SPP project provides a hook for C/Perl/PHP/Bash plugins that can trigger on various SMTP actions such as:

  • connection for plugins run just after client connection
  • helo for HELO/EHLO
  • mail for MAIL
  • rcpt for RCPT
  • data for DATA
  • auth for AUTH (if supported)

The reason for writing this plugin

At my company I have a Lotus Domino mailserver protected by 2 qmail relay servers around a DMZ. Mails coming in from the outside pass those 2 qmail relays and then get to the Domino server. Domino knows which accounts are valid and which are not, but when a client submits a mail to the outer qmail-smtpd, this one doesn’t know – and accepts all messages for my domains (at least those that don’t get caught by rblsmtpd, badhelo, badmailfrom, badmailto etc.).

This creates a reply from the Domino server for each non-existent account ("xxxx is not listed in the Domino directory") and a lot of dead mails/bounces/stupid replies to forged senders. Better to block the RCPT TO as it happens.

A solution would be some kind of LDAP integration so the outer qmail installation could ask the internal Domino server for each RCPT TO line, to see if it’s an existing account. I know qmail-ldap and other projects exist, but for a mere 55+ Lotus Notes users (Yeah, a 55-user Domino infrastructure, talk about overkill…) there has to be an easier way: the qmail-spp "goodmailto" plugin.

What this plugin does

This plugin checks each RCPT TO against /var/qmail/control/goodmailto, a file containing all valid email accounts of your domain(s), all shortnames and all aliases, one per line. This file could be updated from your Domino/LDAP server or by a cronjob automatically, but you can figure that out yourself.

If the file /var/qmail/control/goodmailto is not readable or does not exist, the plugin accepts all messages, so none get lost. If the file is readable, the user-part from user@domain.com is checked against the lines in the file. Checking the domain part is not this plugin’s job!

Invalid RCPT TO commands are blocked with a 550 SMTP error with a nice "Fu** you, no such user" message of your choice.

goodmailto checks can be disabled by setting the variable NOGOODMAILTO, for example via your tcprules – I guess you want to send mail to other users from the inside to the outside, too…
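
The check described in this section, as an added sketch that is not the author's goodmailto.sh: it assumes qmail-spp passes the recipient in SMTPRCPTTO and rejects the current command when the plugin prints a line starting with "E"; GOODMAILTO_FILE, the log text and the 550 wording are made up for the example. The user part is compared as a fixed, whole-line string, so regex characters or a leading dash in the client-supplied address cannot change the match.

```shell
#!/bin/sh
# Added example, NOT the author's goodmailto.sh.
# Assumed qmail-spp interface: the recipient arrives in $SMTPRCPTTO, a line
# "E<msg>" on stdout rejects the RCPT command, no output accepts it.

# GOODMAILTO_FILE is a hypothetical override, used only to test the check.
LIST="${GOODMAILTO_FILE:-/var/qmail/control/goodmailto}"

# goodmailto_check <recipient> <list-file>
# Prints the SPP reply (nothing = accept); the log line goes to stderr.
goodmailto_check() {
    rcpt=$1
    list=$2

    # Bypass for trusted clients: NOGOODMAILTO set (even empty), e.g. by tcprules.
    if [ -n "${NOGOODMAILTO+set}" ]; then
        return 0
    fi

    # Fail open: a missing or unreadable list must not lose mail.
    if [ ! -r "$list" ]; then
        return 0
    fi

    # Only the user part is checked; the domain is not this plugin's job.
    user=${rcpt%@*}

    # -F fixed string (".*" is not a wildcard), -x whole line ("ali" does not
    # match "alice"), -i ignore case. "-e" and "--" keep a value that starts
    # with "-" from being parsed as a grep option. An empty user part is
    # refused so that a blank line in the list cannot match it.
    if [ -n "$user" ] && grep -F -x -i -q -e "$user" -- "$list"; then
        return 0
    fi

    # Log text and reply wording are constructed for this example.
    echo "goodmailto: rejected RCPT TO <$rcpt>" >&2
    printf 'E550 sorry, no such user here (#5.1.1)\n'
    return 0
}

goodmailto_check "${SMTPRCPTTO:-}" "$LIST"
```

Run outside qmail-smtpd with no list file present, the script prints nothing, which is the same fail-open behaviour the plugin relies on.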

Logging

Logging is customizable (just a text written to stderr), mine logs like:

Lines containing "goodmailto" can be logged separately to a folder called /var/log/qmail-plugins by a line containing

in /service/qmail-smtpd/log/run. See the multilog documentation on how to filter lines.

Installation

Assuming you have read the documentation at qmail-SPP, the plugin written in bash should be easy to adapt to your needs, but do not forget the ":" at the beginning of the line calling the plugin from /var/qmail/control/smtpplugins to get it executed in a shell.

Download

Download goodmailto.sh here.

Current version is 1.4 (2016-02-10). There may be bugs, so try this in a non-production environment first. You have been warned! Please tell me if you find something interesting so I can fix it.

Error reports, cheers and bashing

Please write a comment using the form below.
