stunnel and qpsmtpd - SOLVED

The company President has a laptop and uses Earthlink to get to the 
Internet when on the road.  Earthlink blocks port 25 except to their own 
servers.  We publish SPF records.  Some stupid admins have turned on 
mail blocking for SPF failures.  The President's mail *always* has to go 
out (or I hear about it)!  So I needed to get SMTPS (SMTP over SSL) 
working...

Here's the steps (assuming you use supervise):

0) Get TLS working (this will mean you have certs already);

1) Install stunnel (duh);

2) Create a management directory, e.g. /var/qmail/service/qpsmtpds;

3) Create the run file:

#!/bin/sh
# exec so supervise tracks (and signals) stunnel itself, not a wrapper shell
exec stunnel /var/qmail/service/qpsmtpds/etc/stunnel.conf

and an appropriate log/run;

4) Create the stunnel.conf file:

# stunnel configuration file for smtp
foreground = yes
setuid = qmaild
setgid = clamav
pid =
debug = debug
output = /dev/stdout

CAfile=/var/qmail/service/qpsmtpd/ssl/qpsmtpd-ca.crt
cert=/var/qmail/service/qpsmtpd/ssl/qpsmtpd-stunnel.crt

[smtps]
accept=mail.example.com:smtps
connect=mail.example.com:smtp

5) stunnel requires both the key and the cert (in that order) in a 
single file, so just cat the qpsmtpd-server.key and qpsmtpd-server.crt 
(to use the default filenames) into the qpsmtpd-stunnel.crt file;

6) stunnel also requires the CAfile and cert be owned by the setuid/gid 
user and group and have rights 600 (which qpsmtpd will not care about if 
the same user is used in qpsmtpd and stunnel);

7) Open a hole in your firewall for SMTPS (port 465);

8) Test (when it works, you might want to lower the logging level from 
debug).

You are strongly encouraged to require SMTP AUTH (since as far as 
qpsmtpd is concerned, this connection is coming from a local address). 
I'm going to investigate whether there is any way to know that the 
connection is coming via stunnel (but I doubt that is possible).

HTH

John
0
jpeacock
2/16/2006 9:21:29 PM
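
Steps 5 and 6 of the post above, as an added shell example that is not part of the original post: it builds the combined key-then-certificate file under a restrictive umask, so the private key is never briefly group- or world-readable, and then checks block order and mode. The function names, the optional owner and group arguments, and the script name in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: build and check the combined key+cert file for stunnel.
# Function names and the optional owner/group arguments are assumptions.

# build_stunnel_pem KEY CRT OUT
# Write KEY followed by CRT (the order step 5 asks for) into OUT.
build_stunnel_pem() {
    key=$1 crt=$2 out=$3
    [ -r "$key" ] && [ -r "$crt" ] || { echo "missing key or cert" >&2; return 1; }
    tmp="$out.tmp.$$"
    (
        umask 077                      # temp file is created 0600 from the start
        cat "$key" "$crt" > "$tmp"
    ) || { rm -f "$tmp"; return 1; }
    chmod 600 "$tmp" && mv -f "$tmp" "$out"
}

# pem_order_ok FILE
# Succeeds only if a private-key block starts before the first certificate block.
pem_order_ok() {
    awk '
        /^-----BEGIN ([A-Z]+ )?PRIVATE KEY-----$/ && !k { k = NR }
        /^-----BEGIN CERTIFICATE-----$/           && !c { c = NR }
        END { exit !(k && c && k < c) }
    ' "$1"
}

# perms_ok FILE [USER]
# Succeeds if FILE is a regular file with mode 600 and, when USER is given,
# is owned by USER (step 6: the setuid user from stunnel.conf).
perms_ok() {
    file=$1 want_user=${2:-}
    info=$(ls -ld "$file") || return 1
    mode=$(printf '%s\n' "$info" | awk '{print substr($1, 1, 10)}')
    owner=$(printf '%s\n' "$info" | awk '{print $3}')
    [ "$mode" = "-rw-------" ] || {
        echo "$file: mode is $mode, want -rw-------" >&2; return 1; }
    [ -z "$want_user" ] || [ "$owner" = "$want_user" ] || {
        echo "$file: owner is $owner, want $want_user" >&2; return 1; }
}

# Usage as a script (run as root so chown works; file names from the post):
#   sh make-stunnel-pem.sh qpsmtpd-server.key qpsmtpd-server.crt \
#       qpsmtpd-stunnel.crt qmaild clamav
if [ "$#" -ge 3 ]; then
    build_stunnel_pem "$1" "$2" "$3" || exit 1
    [ -z "${4:-}" ] || chown "$4${5:+:$5}" "$3" || exit 1
    pem_order_ok "$3" && perms_ok "$3" "${4:-}"
fi
```
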
perl.qpsmtpd

John Peacock wrote:

> The company President has a laptop and uses Earthlink to get to the 
> Internet when on the road.  Earthlink blocks port 25 except to their 
> own servers.  We publish SPF records.  Some stupid admins have turned 
> on mail blocking for SPF failures.  The President's mail *always* has 
> to go out (or I hear about it)!  So I needed to get SMTPS (SMTP over 
> SSL) working...
>
> Here's the steps (assuming you use supervise):
>
> 0) Get TLS working (this will mean you have certs already);
>
> 1) Install stunnel (duh);
>
> 2) Create a management directory, e.g. /var/qmail/service/qpsmtpds;
>
> 3) Create the run file:
>
> #!/bin/sh
> stunnel /var/qmail/service/qpsmtpds/etc/stunnel.conf
>
> and an appropriate log/run;
>
> 4) Create the stunnel.conf file:
>
> # stunnel configuration file for smtp
> foreground = yes
> setuid = qmaild
> setgid = clamav
> pid =
> debug = debug
> output = /dev/stdout
>
> CAfile=/var/qmail/service/qpsmtpd/ssl/qpsmtpd-ca.crt
> cert=/var/qmail/service/qpsmtpd/ssl/qpsmtpd-stunnel.crt
>
> [smtps]
> accept=mail.example.com:smtps
> connect=mail.example.com:smtp
>
> 5) stunnel requires both the key and the cert (in that order) in a 
> single file, so just cat the qpsmtpd-server.key and qpsmtpd-server.crt 
> (to use the default filenames) into the qpsmtpd-stunnel.crt file;
>
> 6) stunnel also requires the CAfile and cert be owned by the 
> setuid/gid user and group and have rights 600 (which qpsmtpd will not 
> care about if the same user is used in qpsmtpd and stunnel);
>
> 7) Open a hole in your firewall for SMTPS (port 465);
>
> 8) Test (when it works, you might want to lower the logging level from 
> debug).
>
> You are strongly encouraged to require SMTP AUTH (since as far as 
> qpsmtpd is concerned, this connection is coming from a local address). 
> I'm going to investigate whether there is any way to know that the 
> connection is coming via stunnel (but I doubt that is possible).
>
> HTH
>
> John


You could also use port 587 (submission) non-ssl if you're just trying 
to get around port 25 being blocked.  That way you wouldn't have to 
re-route the connections to localhost.  You would also be able to retain 
the connecting IP.

I'm assuming the "some stupid admins" part was a joke?  Or are they 
blocking on SPF soft failures?
0
elliotf
2/16/2006 10:01:52 PM
Elliot Foster wrote:
> You could also use port 587 (submission) non-ssl if you're just trying 
> to get around port 25 being blocked.  That way you wouldn't have to 
> re-route the connections to localhost.  You would also be able to retain 
> the connecting IP.

But then I'd have to run a second instance of qpsmtpd in that case 
(since I don't see any support for running on two ports in the existing 
code).

> I'm assuming the "some stupid admins" part was a joke?  Or are they 
> blocking on SPF soft failures?

No joke.  I don't think that SPF is ready to be used to block mail (hard 
*or* soft failure).  The one site is running some M$loth anti-spam 
feature for Exchange and I get no reason back why they are blocking.  I 
have our SPF records set to hard fail and so far I have exactly 1 domain 
that blocked the mail (which shows exactly how useless SPF is)...

John

-- 
John Peacock
Director of Information Research and Technology
Rowman & Littlefield Publishing Group
4501 Forbes Boulevard
Suite H
Lanham, MD  20706
301-459-3366 x.5010
fax 301-429-5748
0
jpeacock
2/16/2006 10:14:58 PM
John Peacock wrote:

> Elliot Foster wrote:
>
>> You could also use port 587 (submission) non-ssl if you're just 
>> trying to get around port 25 being blocked.  That way you wouldn't 
>> have to re-route the connections to localhost.  You would also be 
>> able to retain the connecting IP.
>
>
> But then I'd have to run a second instance of qpsmtpd in that case 
> (since I don't see any support for running on two ports in the 
> existing code).

Or do some port forwarding trickery, but that becomes clumsy, and not 
intuitively maintainable.  Does the trunk (or forkserver) have code that 
allows it to listen on multiple ports/interfaces/ips?

I used stunnel for a while, but I didn't like not being able to tell 
from where someone was connecting.

>> I'm assuming the "some stupid admins" part was a joke?  Or are they 
>> blocking on SPF soft failures?
>
>
> No joke.  I don't think that SPF is ready to be used to block mail 
> (hard *or* soft failure).  The one site is running some M$loth 
> anti-spam feature for Exchange and I get no reason back why they are 
> blocking.  I have our SPF records set to hard fail and so far I have 
> exactly 1 domain that blocked the mail (which shows exactly how 
> useless SPF is)...
>
> John


What happens, just a plain deny (45x/55x)?

If anyone ever forges an email to me that says it's from you, I'll be 
domain #2.  :)  I don't block soft failures, but I'm using it to block 
phishing scams trying to deliver messages to my users, pretending to be 
administrator@gratuitous.net (or somesuch) I tend to get a lot of those.

It just needs to reach some sort of critical mass before it really 
becomes useful.
0
elliotf
2/17/2006 1:07:49 AM
Elliot Foster wrote:
> John Peacock wrote:
>
>> Elliot Foster wrote:
>>
>>> You could also use port 587 (submission) non-ssl if you're just 
>>> trying to get around port 25 being blocked.  That way you wouldn't 
>>> have to re-route the connections to localhost.  You would also be 
>>> able to retain the connecting IP.
>>
>>
>> But then I'd have to run a second instance of qpsmtpd in that case 
>> (since I don't see any support for running on two ports in the 
>> existing code).
>
> Or do some port forwarding trickery, but that becomes clumsy, and not 
> intuitively maintainable.  Does the trunk (or forkserver) have code 
> that allows it to listen on multiple ports/interfaces/ips?
>
> I used stunnel for a while, but I didn't like not being able to tell 
> from where someone was connecting.
>
>>> I'm assuming the "some stupid admins" part was a joke?  Or are they 
>>> blocking on SPF soft failures?
>>
>>
>> No joke.  I don't think that SPF is ready to be used to block mail 
>> (hard *or* soft failure).  The one site is running some M$loth 
>> anti-spam feature for Exchange and I get no reason back why they are 
>> blocking.  I have our SPF records set to hard fail and so far I have 
>> exactly 1 domain that blocked the mail (which shows exactly how 
>> useless SPF is)...
>>
>> John
>
>
> What happens, just a plain deny (45x/55x)?
>
> If anyone ever forges an email to me that says it's from you, I'll be 
> domain #2.  :)  I don't block soft failures, but I'm using it to block 
> phishing scams trying to deliver messages to my users, pretending to 
> be administrator@gratuitous.net (or somesuch) I tend to get a lot of 
> those.
>
> It just needs to reach some sort of critical mass before it really 
> becomes useful.

A common spf violation is to spoof being an authority
at mta's domains, as social-engineering for phish attack.

Another is to spoof being a subscriber on a mailing list.

How would you know how many times your users have
been spoofed to listservers elsewhere, spoof blocked,
based on your spf records? You would have to host
lists to project the value of spf to your users at other
listservers. Or be unscientific and just assume like I
do. I don't know of any "studies" to consult.

You would have a log of the administrator@here phish, if
you denied on spf fail. That's one spf benefit I'm logging
http://perlq.org/ and I'm not even running any lists which
would bump up the stats for spf.

-Bob
0
cto
2/17/2006 5:22:32 AM
On Feb 17, 2006, at 02:07, Elliot Foster wrote:
> John Peacock wrote:
>> Elliot Foster wrote:
>>> You could also use port 587 (submission) non-ssl if you're just  
>>> trying to get around port 25 being blocked.  That way you  
>>> wouldn't have to re-route the connections to localhost.  You  
>>> would also be able to retain the connecting IP.
>> But then I'd have to run a second instance of qpsmtpd in that case  
>> (since I don't see any support for running on two ports in the  
>> existing code).
> Or do some port forwarding trickery, but that becomes clumsy, and  
> not intuitively maintainable.  Does the trunk (or forkserver) have  
> code that allows it to listen on multiple ports/interfaces/ips?

I think I will look into running a second instance. Actually I only  
need a second instance of the config/ directory, the rest is the  
same. I will only allow AUTH'd connections over TLS, and I will not  
run any of the standard plugins (it's only me sending; other admins  
may want to run virus and/or spam checking) but plugins for HashCash
addition and DomainKeys signing (once I get that to work) instead.

> I used stunnel for a while, but I didn't like not being able to  
> tell from where someone was connecting.
>>> I'm assuming the "some stupid admins" part was a joke?  Or are  
>>> they blocking on SPF soft failures?
>> No joke.  I don't think that SPF is ready to be used to block mail  
>> (hard *or* soft failure).  The one site is running some M$loth  
>> anti-spam feature for Exchange and I get no reason back why they  
>> are blocking.  I have our SPF records set to hard fail and so far  
>> I have exactly 1 domain that blocked the mail (which shows exactly  
>> how useless SPF is)...
> If anyone ever forges an email to me that says it's from you, I'll  
> be domain #2.  :)  I don't block soft failures, but I'm using it to  
> block phishing scams trying to deliver messages to my users,  
> pretending to be administrator@gratuitous.net (or somesuch) I tend  
> to get a lot of those.

I have stopped a sizeable amount of paypal phishing attempts using  
SPF, so I think it is starting to work (I also added paypa1.com,  
paypaI.com and paypall.com to badmailfrom). I can't give you the  
exact number of messages stopped (because it's a softfail so they  
retry over and over again) but it's more than 10 and less than 100.

-Johan
0
johan
2/17/2006 8:01:37 AM
On Feb 16, 2006, at 23:01, Elliot Foster wrote:
> You could also use port 587 (submission) non-ssl if you're just  
> trying to get around port 25 being blocked.  That way you wouldn't  
> have to re-route the connections to localhost.  You would also be  
> able to retain the connecting IP.

Just to make sure: you'd still want to run TLS and auth on 587 in  
this case!

-Johan


0
johan
2/17/2006 8:37:00 AM
Elliot Foster wrote:
> Or do some port forwarding trickery, but that becomes clumsy, and not
> intuitively maintainable.  Does the trunk (or forkserver) have code that
> allows it to listen on multiple ports/interfaces/ips?

Not yet...

> I used stunnel for a while, but I didn't like not being able to tell
> from where someone was connecting.

I wound up just adding the public IP address of the host to the norelayclients
list (since any local services can just use localhost).  I confirmed that
without this the server would be technically an open relay for my domains, but
with it I can enforce the AUTH requirements.

John
0
jpeacock
2/17/2006 12:13:50 PM
On Fri, 2006-02-17 at 02:01, Johan Almqvist wrote:

> I think I will look into running a second instance. Actually I only  
> need a second instance of the config/ directory, the rest is the  
> same. I will only allow AUTH'd connections over TLS, and I will not  
> run any of the standard plugins (it's only me sending; other admins  
> may want to run virus and/or spam checking) but plugins for HashCash
> addition and DomainKeys signing (once I get that to work) instead.

Wouldn't it at some point be simpler to run sendmail as the
front end since it already knows how to do this stuff?  And
with MimeDefang running as a milter you can control everything
in perl anyway.  It would be kind of bizarre, but maybe you
could glue the backend delivery out of qpsmtpd into MimeDefang
and just discard everything at the sendmail level if you
don't trust sendmail's delivery agents.

-- 
  Les Mikesell
   les@futuresource.com

0
les
2/17/2006 5:43:53 PM
On Feb 16, 2006, at 1:21 PM, John Peacock wrote:

> The company President has a laptop and uses Earthlink to get to the  
> Internet when on the road.  Earthlink blocks port 25 except to  
> their own servers.  We publish SPF records.  Some stupid admins  
> have turned on mail blocking for SPF failures.  The President's  
> mail *always* has to go out (or I hear about it)!  So I needed to  
> get SMTPS (SMTP over SSL) working...
>
> Here's the steps (assuming you use supervise):
[...]

Very cool!

You should add that to a page on the website -- or on the wiki.  :-)

Are we ready for 0.32?

  - ask

-- 
http://www.askbjoernhansen.com/


0
ask
2/17/2006 5:44:01 PM
Ask Bjørn Hansen wrote:
> You should add that to a page on the website -- or on the wiki.  :-)

Please ship tuits via return post.  I've got two modules disassembled on 
the bench and I'm getting whiplash going between one busted test and the 
other... :(

> Are we ready for 0.32?

I've been running branches/0.3x in production for a week.  Time for an RC!

John

-- 
John Peacock
Director of Information Research and Technology
Rowman & Littlefield Publishing Group
4501 Forbes Boulevard
Suite H
Lanham, MD  20706
301-459-3366 x.5010
fax 301-429-5748
0
jpeacock
2/17/2006 5:48:03 PM
On Fri, 2006-02-17 at 11:48, John Peacock wrote:

> > You should add that to a page on the website -- or on the wiki.  :-)
> 
> Please ship tuits via return post.  I've got two modules disassembled on 
> the bench and I'm getting whiplash going between one busted test and the 
> other... :(

I think I missed how you keep this from being an open relay if
someone finds the ssl port. Can you at least cover that part?
Do you require a matching client cert for stunnel?  I don't
see how you can require smtp auth for connections coming from
the local host without breaking other stuff.

-- 
  Les Mikesell
   les@futuresource.com 

0
les
2/17/2006 5:59:02 PM
Les Mikesell wrote:
> I think I missed how you keep this from being an open relay if
> someone finds the ssl port. Can you at least cover that part?
> Do you require a matching client cert for stunnel?  I don't
> see how you can require smtp auth for connections coming from
> the local host without breaking other stuff.

It's not connecting via localhost, it is connecting via the public IP 
address.

ASCII art time:

port 465 SSL ==> stunnel ==> port 25 SMTP on public IP address

The key is that this qpsmtpd instance is set to require AUTH for any 
address not in the relayclients.  What I did in the end was add the 
public IP address to the norelayclients file (since I already have our 
public class-C in the relayclients).

Localhost port 25 is a straight qmail-smtpd instance, so local apps 
don't have to worry about AUTH.

And you don't need a client cert (at least not the way that I set it 
up).  It will require anyone connecting via SMTPS to trust the cert the 
first time...

John

-- 
John Peacock
Director of Information Research and Technology
Rowman & Littlefield Publishing Group
4501 Forbes Boulevard
Suite H
Lanham, MD  20706
301-459-3366 x.5010
fax 301-429-5748
0
jpeacock
2/17/2006 6:14:40 PM
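
The relay decision John describes in the post above, as an added shell example that is not part of the original thread and not qpsmtpd's plugin code: a connection arriving through stunnel is seen with the mail host's own public IP, which falls inside the class-C listed in relayclients until that one address is added to norelayclients. The matching rule (full IP or leading-octet prefix per line, norelayclients checked first), the function names and the 192.0.2.x and 203.0.113.x addresses are assumptions constructed for illustration.

```shell
#!/bin/sh
# Simplified model of the relayclients / norelayclients decision (assumption:
# one full IP or dotted prefix per line, norelayclients overrides relayclients).

# list_matches IP FILE
# True if IP, or one of its leading-octet prefixes ("a.b.c.", "a.b.", "a."),
# appears as a whole line in FILE.
list_matches() {
    probe=$1
    [ -r "$2" ] || return 1
    while [ -n "$probe" ]; do
        grep -Fqx -- "$probe" "$2" && return 0
        # drop the last octet (and its dot) and try the shorter prefix
        next=$(printf '%s\n' "$probe" | sed 's/[0-9][0-9]*\.\{0,1\}$//')
        [ "$next" != "$probe" ] || return 1
        probe=$next
    done
    return 1
}

# relay_decision PEER_IP RELAYCLIENTS_FILE NORELAYCLIENTS_FILE
# Prints "relay-allowed" (no AUTH needed) or "auth-required".
relay_decision() {
    if list_matches "$1" "$3"; then
        echo "auth-required"        # explicitly excluded: must authenticate
    elif list_matches "$1" "$2"; then
        echo "relay-allowed"        # trusted network: relays without AUTH
    else
        echo "auth-required"
    fi
}

# Constructed data: 192.0.2.10 stands in for the mail host's public IP (the
# peer address qpsmtpd sees for every stunnel connection), 192.0.2. for the
# office class-C already present in relayclients.
demo() {
    dir=$(mktemp -d) || return 1
    rc=$dir/relayclients nrc=$dir/norelayclients
    printf '%s\n' '192.0.2.' > "$rc"
    : > "$nrc"
    echo "via stunnel, before fix: $(relay_decision 192.0.2.10 "$rc" "$nrc")"
    printf '%s\n' '192.0.2.10' > "$nrc"
    echo "via stunnel, after fix:  $(relay_decision 192.0.2.10 "$rc" "$nrc")"
    echo "office desktop:          $(relay_decision 192.0.2.57 "$rc" "$nrc")"
    rm -rf "$dir"
}
demo
```
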
Bob Dodds wrote:

> Elliot Foster wrote:
>
>> John Peacock wrote:
>>
>>> Elliot Foster wrote:
>>>
>>>> You could also use port 587 (submission) non-ssl if you're just 
>>>> trying to get around port 25 being blocked.  That way you wouldn't 
>>>> have to re-route the connections to localhost.  You would also be 
>>>> able to retain the connecting IP.
>>>
>>>
>>>
>>> But then I'd have to run a second instance of qpsmtpd in that case 
>>> (since I don't see any support for running on two ports in the 
>>> existing code).
>>
>>
>> Or do some port forwarding trickery, but that becomes clumsy, and not 
>> intuitively maintainable.  Does the trunk (or forkserver) have code 
>> that allows it to listen on multiple ports/interfaces/ips?
>>
>> I used stunnel for a while, but I didn't like not being able to tell 
>> from where someone was connecting.
>>
>>>> I'm assuming the "some stupid admins" part was a joke?  Or are they 
>>>> blocking on SPF soft failures?
>>>
>>>
>>>
>>> No joke.  I don't think that SPF is ready to be used to block mail 
>>> (hard *or* soft failure).  The one site is running some M$loth 
>>> anti-spam feature for Exchange and I get no reason back why they are 
>>> blocking.  I have our SPF records set to hard fail and so far I have 
>>> exactly 1 domain that blocked the mail (which shows exactly how 
>>> useless SPF is)...
>>>
>>> John
>>
>>
>>
>> What happens, just a plain deny (45x/55x)?
>>
>> If anyone ever forges an email to me that says it's from you, I'll be 
>> domain #2.  :)  I don't block soft failures, but I'm using it to 
>> block phishing scams trying to deliver messages to my users, 
>> pretending to be administrator@gratuitous.net (or somesuch) I tend to 
>> get a lot of those.
>>
>> It just needs to reach some sort of critical mass before it really 
>> becomes useful.
>
> A common spf violation is to spoof being an authority
> at mta's domains, as social-engineering for phish attack.


Yes, which is what I described above.  Are you answering a question?

> Another is to spoof being a subscriber on a mailing list.
>
> How would you know how many times your users have
> been spoofed to listservers elsewhere, spoof blocked,
> based on your spf records? You would have to host
> lists to project the value of spf to your users at other
> listservers. Or be unscientific and just assume like I
> do. I don't know of any "studies" to consult.


You wouldn't know, because in an ideal world, other MTAs would be 
blocking people trying to spoof your domain.  Unless these remote MTAs 
report back that they denied some random person based on SPF records 
from your domain, you (at your server(s)) would never know.

As in, hopefully hotmail's MXs would be checking for SPF, and if they 
receive a message being sent as if from my domain, but not from one of 
my servers, then they choose to deny it.  I would never know.

> You would have a log of the administrator@here phish, if
> you denied on spf fail. That's one spf benefit I'm logging
> http://perlq.org/ and I'm not even running any lists which
> would bump up the stats for spf.
>
> -Bob


Are you answering a question here, or making a suggestion?
0
elliotf
2/17/2006 6:31:58 PM
On Feb 17, 2006, at 18:43, Les Mikesell wrote:
> On Fri, 2006-02-17 at 02:01, Johan Almqvist wrote:
>> I think I will look into running a second instance. Actually I only
>> need a second instance of the config/ directory, the rest is the
>> same. I will only allow AUTH'd connections over TLS, and I will not
>> run any of the standard plugins (it's only me sending; other admins
> may want to run virus and/or spam checking) but plugins for HashCash
>> addition and DomainKeys signing (once I get that to work) instead.
>
> Wouldn't it at some point be simpler to run sendmail as the
> front end since it already knows how to do this stuff?  And
> with MimeDefang running as a milter you can control everything
> in perl anyway.  It would be kind of bizarre, but maybe you
> could glue the backend delivery out of qpsmtpd into MimeDefang
> and just discard everything at the sendmail level if you
> don't trust sendmail's delivery agents.

Not really, I don't use sendmail anywhere else in the system, so I'd  
have to use qmail-smtpd, and I'd have to patch that too to use TLS  
and AUTH. I think I will go with qpsmtpd here...

-Johan

0
johan
2/17/2006 9:32:02 PM
On Feb 17, 2006, at 9:43 AM, Les Mikesell wrote:

> Wouldn't it at some point be simpler to run sendmail as the
> front end since it already knows how to do this stuff?

It depends.

I run qmail-smtpd (with TLS and AUTH patches) on the client relays,  
but if I had a user database integrated with qpsmtpd already it'd  
probably be easier to set it up in qpsmtpd instead.   Or if you want  
other qpsmtpd plugins running, for example virus filtering on  
outgoing mail...  (the usual reasons to run qpsmtpd ;-) )


  - ask

-- 
http://www.askbjoernhansen.com/


0
ask
2/17/2006 9:45:04 PM
On Fri, 2006-02-17 at 15:45, Ask Bjørn Hansen wrote:
> On Feb 17, 2006, at 9:43 AM, Les Mikesell wrote:
> 
> > Wouldn't it at some point be simpler to run sendmail as the
> > front end since it already knows how to do this stuff?
> 
> It depends.
> 
> I run qmail-smtpd (with TLS and AUTH patches) on the client relays,  
> but if I had a user database integrated with qpsmtpd already it'd  
> probably be easier to set it up in qpsmtpd instead.   Or if you want  
> other qpsmtpd plugins running, for example virus filtering on  
> outgoing mail...  (the usual reasons to run qpsmtpd ;-) )

Yes, but MimeDefang does all the same stuff that you can do
in qpsmtpd - or if it doesn't it would be easy to duplicate
there, and it works with sendmail.  And the things you can
control in sendmail's access file are handled more efficiently
than you can do it in perl.  Qpsmtpd is a neat idea but there
is just a lot of functionality to duplicate to match sendmail
plus a milter.

-- 
  Les Mikesell
   les@futuresource.com


0
les
2/17/2006 9:55:47 PM
Les Mikesell wrote:

>On Fri, 2006-02-17 at 15:45, Ask Bjørn Hansen wrote:
>  
>
>>On Feb 17, 2006, at 9:43 AM, Les Mikesell wrote:
>>
>>    
>>
>>>Wouldn't it at some point be simpler to run sendmail as the
>>>front end since it already knows how to do this stuff?
>>>      
>>>
>>It depends.
>>
>>I run qmail-smtpd (with TLS and AUTH patches) on the client relays,  
>>but if I had a user database integrated with qpsmtpd already it'd  
>>probably be easier to set it up in qpsmtpd instead.   Or if you want  
>>other qpsmtpd plugins running, for example virus filtering on  
>>outgoing mail...  (the usual reasons to run qpsmtpd ;-) )
>>    
>>
>
>Yes, but MimeDefang does all the same stuff that you can do
>in qpsmtpd - or if it doesn't it would be easy to duplicate
>there, and it works with sendmail.  And the things you can
>control in sendmail's access file are handled more efficiently
>than you can do it in perl.  Qpsmtpd is a neat idea but there
>is just a lot of functionality to duplicate to match sendmail
>plus a milter.
>
Yes, you could use sendmail and a milter instead of qpsmtpd, or you
could use a milter with qpsmtpd.  What is your point?  What
functionality is missing in qpsmtpd to which you're referring?  I would
argue that it would be easy to add anything to qpsmtpd that is missing.
I added LDAP authentication and recipient verification to qpsmtpd in
about 45 minutes, for example.  The framework is there to do whatever
you want.  It's also a bit easier to read than sendmail (in my opinion,
of course), from a configuration standpoint as well as a code standpoint.

I noticed you posted a while ago about using qpsmtpd's milters..  That
seems to be the best of both worlds for you: mimedefang with qpsmtpd
(which I would personally be interested in, too.)  Did you have success
with that?

0
elliotf
2/17/2006 10:44:24 PM
On Fri, 2006-02-17 at 16:44, Elliot Foster wrote:
> >
> Yes, you could use sendmail and a milter instead of qpsmtpd, or you
> could use a milter with qpsmtpd.  What is your point?  What
> functionality is missing in qpsmtpd to which you're referring?

The one that brought up the issue was listening on multiple
ports for ssl and smtp and perhaps the submission port too,
and then you need starttls.

> I would
> argue that it would be easy to add anything to qpsmtpd that is missing.

Possible, perhaps but it will be tough to match all the options
or the speed that sendmail processes things controlled by
its access database.

> I noticed you posted a while ago about using qpsmtpd's milters..  That
> seems to be the best of both worlds for you: mimedefang with qpsmtpd
> (which I would personally be interested in, too.)  Did you have success
> with that?

It didn't just drop in and I haven't spent the time it would take
to glue them together.  Due to some business changes, the place
where I thought I might want the combination isn't going to need
it. It still seems like an interesting project, though.

-- 
  Les Mikesell
   lesmikesell@gmail.com


0
les
2/17/2006 11:02:12 PM
Les Mikesell wrote:

>On Fri, 2006-02-17 at 16:44, Elliot Foster wrote:
>  
>
>>Yes, you could use sendmail and a milter instead of qpsmtpd, or you
>>could use a milter with qpsmtpd.  What is your point?  What
>>functionality is missing in qpsmtpd to which you're referring?
>>    
>>
>
>The one that brought up the issue was listening on multiple
>ports for ssl and smtp and perhaps the submission port too,
>and then you need starttls.
>  
>
What John sent out was one way to get it done.  There are other ways 
where it could be set up so as to not need stunnel.  For example, you 
could use firewall rules to redirect the port.  Improved starttls is in 
the .32-rc1 release that was just announced, and once the event-based 
engine from trunk gets further use, it should be (fairly) trivial to add 
code to allow it to listen on multiple interfaces/ports.

I would still like to know what your original point was.  That John 
should/could run sendmail instead of qmail and qpsmtpd?

>>I would
>>argue that it would be easy to add anything to qpsmtpd that is missing.
>>    
>>
>
>Possible, perhaps but it will be tough to match all the options
>or the speed that sendmail processes things controlled by
>its access database.
>  
>
I would agree with you that sendmail has many more options than qpsmtpd, 
but as I said in my previous email, I added LDAP functionality (for 
authentication and recipient verification) to qpsmtpd in less than an 
hour.  I would question how long it took to get the same functionality 
into sendmail.  Also, sendmail has been around for a little bit longer 
(10+ years?) than qpsmtpd, so it's not surprising to see that it has more 
features.  :)

I also wouldn't use 'speed' and 'sendmail' in the same sentence, 
either.  Maybe you're referring to the v9 rewrite, or maybe I'm biased.  :)

0
elliotf
2/18/2006 12:19:58 AM
On Fri, 17 Feb 2006, Les Mikesell wrote:

> Yes, but MimeDefang does all the same stuff that you can do
> in qpsmtpd - or if it doesn't it would be easy to duplicate
> there, and it works with sendmail.

You've been playing the same tune for a long time now, Les:

http://contribs.org/mailman/public/devinfo/msg08091.html
http://contribs.org/mailman/public/devinfo/msg08095.html

If you like sendmail, use it. But it's off topic here.
0
charlieb
2/18/2006 12:55:07 AM
On Fri, 2006-02-17 at 18:19, Elliot Foster wrote:

> I would still like to know what your original point was.  That John 
> should/could run sendmail instead of qmail and qpsmtpd?

I didn't mean to start MTA wars here.  My point was that
sendmail is already fairly feature-complete and if your
reason for using qpsmtpd was for the extra stuff you can
glue for spam/virus and similar checks, MimeDefang allows
that just as well.  So, he probably could run sendmail.
I wouldn't go so far as to say he should.  Some people
don't like sendmail and there is no accounting for taste.

> I would agree with you that sendmail has many more options than qpsmtpd, 
> but as I said in my previous email, I added LDAP functionality (for 
> authentication and recipient verification) to qpsmtpd in less than an 
> hour.  I would question how long it took to get the same functionality 
> into sendmail.

Probably a long time, but it's already done.

>   Also, sendmail has been around for a little bit longer 
> (10+ years?) than qpsmtpd, so it's not surprising to see that it has more 
> features.  :)

Yes, but what's the point in duplicating features in free
software?

> I also wouldn't use 'speed' and 'sendmail' in the same sentence, 
> either.  Maybe you're referring to the v9 rewrite, or maybe I'm biased.  :)

The only place you can really fault sendmail speed-wise is for
the number of DNS lookups it does per message and for defaulting
to putting everything in a single queue directory.  In both
cases it isn't sendmail code that is slow, it is just at the
mercy of your DNS server and filesystem code when it looks things
up.  The part that handles the access database where you can
reject based on sender/recipients and an assortment of
circumstances happens much faster than anything you can do
in perl.

-- 
  Les Mikesell
   les@futuresource.com

0
les
2/18/2006 2:22:56 AM
On Fri, 2006-02-17 at 18:55, Charlie Brady wrote:

> > Yes, but MimeDefang does all the same stuff that you can do
> > in qpsmtpd - or if it doesn't it would be easy to duplicate
> > there, and it works with sendmail.
> 
> You've been playing the same tune for a long time now, Les:
> 
> http://contribs.org/mailman/public/devinfo/msg08091.html
> http://contribs.org/mailman/public/devinfo/msg08095.html
> 
> If you like sendmail, use it. But it's off topic here.

I do like and use sendmail, but thought I'd be using SMEserver
for a smaller group and was watching this list to see how
people were doing the same things with qpsmtpd.  And I
still think that MimeDefang and qpsmtpd could share a lot
of code since they need to do many of the same things
in perl.

-- 
  Les Mikesell
   les@futuresource.com


0
les
2/18/2006 4:00:22 AM
Les Mikesell wrote:
> On Fri, 2006-02-17 at 15:45, Ask Bjørn Hansen wrote:
>   
>> On Feb 17, 2006, at 9:43 AM, Les Mikesell wrote:
>>
>>     
>>> Wouldn't it at some point be simpler to run sendmail as the
>>> front end since it already knows how to do this stuff?
>>>       
>> It depends.
>>
>> I run qmail-smtpd (with TLS and AUTH patches) on the client relays,  
>> but if I had a user database integrated with qpsmtpd already it'd  
>> probably be easier to set it up in qpsmtpd instead.   Or if you want  
>> other qpsmtpd plugins running, for example virus filtering on  
>> outgoing mail...  (the usual reasons to run qpsmtpd ;-) )
>>     
>
> Yes, but MimeDefang does all the same stuff that you can do
> in qpsmtpd - or if it doesn't it would be easy to duplicate
> there, and it works with sendmail.  And the things you can
> control in sendmail's access file are handled more efficiently
> than you can do it in perl.  Qpsmtpd is a neat idea but there
> is just a lot of functionality to duplicate to match sendmail
> plus a milter.
qpsmtpd catches a lot of spam and phishing at the
protocol stages. It's not just a content filter.

"More efficiently" is troll bait, considering how much
inefficiency is due to spam, phish, and worm load and
how much "access" is determined by lookup calls to
the same other tools by either qpsmtpd or sendmail.

qpsmtpd can use milters and mimedefang, so neither
of those is worth points in the sendmail column. And
I just implied in the previous column, ldap and sql
are not worth points in the sendmail column, since
qpsmtpd can use any lookup and auth method that
sendmail can.

Just what does sendmail exclusively have, and show
me its realtime smtp protocol filtering. I know, you
are touting the "efficiency" of a vacuum, of a lack of
protocol filtering?! Must be.

-Bob

0
cto
2/18/2006 8:15:33 AM
On 2006-02-17 20:22:56 -0600, Les Mikesell wrote:
> On Fri, 2006-02-17 at 18:19, Elliot Foster wrote:
> >   Also, sendmail has been around for a little bit longer
> > (10+ years?) than qpsmtpd,

More like 20 years.

> > so it's not surprising to see that it has more features.  :)
>
> Yes, but what's the point in duplicating features in free
> software?

Scratching itches. I've been using sendmail for a long time, and I liked
it less and less the longer I used it. There are a lot of options and
features which sometimes interact in weird ways, and if you need things
which the sendmail authors haven't anticipated (or which you can't
find in the README.cf) you have to write sendmail macros, which - for me
- are plainly write only. It did itch me, and the itch was growing
over the years.

Qpsmtpd was perfect for me: It is small. It is written and extended
in perl, which is a language I use daily, and not in an arcane pattern
substitution language which I need only once every couple of years. It
is only an SMTP server, and not also an SMTP client, MDA, queue manager,
etc. It has a nice plugin system. So I can simply make it do what I want
in an hour or an afternoon, and - most importantly - understand what I
have done a year later.

It scratched my itch.

	hp

-- 
   _  | Peter J. Holzer    | I now see that computers are poorly
|_|_) | Sysadmin WSR       | suited to remembering things.
| |   | hjp@hjp.at         |
__/   | http://www.hjp.at/ |	-- Holger Lembke in dan-am

0
hjp
2/18/2006 9:18:14 AM
On Sat, 2006-02-18 at 03:18, Peter J. Holzer wrote:
> > 
> > Yes, but what's the point in duplicating features in free
> > software?
> 
> Scratching itches. I've been using sendmail for a long time, and I liked
> it less and less the longer I used it. There are a lot of options and
> features which sometimes interact in weird ways, and if you need things
> which the sendmail authors haven't anticipated (or which you can't
> find in the README.cf) you have to write sendmail macros, which - for me
> - are plainly write only. It did itch me, and the itch was growing
> over the years.

That was all true until the milter interface worked reliably.  Now
if you can't do what you want by pasting a few well-known lines
into sendmail.mc to expand the canned macros that handle most
transport-related needs, you write a milter in a language of
your choice that runs under a uid of your choice, does the
processing you want in realtime to control the smtp conversation
and whatever else you want it to do.

> Qpsmtpd was perfect for me: It is small. It is written and extended
> in perl, which is a language I use daily, and not in an arcane pattern
> substitution language which I need only once every couple of years.

MimeDefang gives you exactly the same thing.  It hooks itself
in as a milter, provides functions for all the operations you
are likely to want, and gives you one small snippet of perl
where you control what happens and can add any local code
you need.

> It
> is only an SMTP server, and not also an SMTP client, MDA, queue manager,
> etc. It has a nice plugin system. So I can simply make it do what I want
> in an hour or an afternoon, and - most importantly - understand what I
> have done a year later.

The milter operation only happens during the smtp conversations, so
sendmail is on its own for queuing which it handles at least
reasonably well  and it already hooks your choice of program
for local delivery.

> It scratched my itch.

But today, it wouldn't be necessary unless you needed the
backend delivery for postfix or qmail.  Actually, I run mine
on an internet relay machine that does no local delivery
anyway - it just forwards things that pass the spam and
virus checks to another machine that happens to also run
sendmail but that could be anything else.

Qpsmtpd does seem like a neat idea - it just doesn't look
as mature as mimedefang or as complete as current
sendmail+mimedefang.  I'm not saying anyone should switch
but just that you are likely to have to solve a lot of
the same problems and it might be worth looking at how
it has already been done.  At least glance through the
mail list archives to see the problems that have come up
and think about how qpsmtpd will handle the same situations.

And there's still the option to run mimedefang itself
through qpsmtpd's milter interface which might not be
difficult if someone has time to try it.

-- 
  Les Mikesell
   les@futuresource.com


0
les
2/18/2006 5:48:44 PM
Les is a bit slow to recognize on his own, in lieu of hearing
me at any time, that mimedefang and milters are qpsmtpd
assets--NOT exclusively sendmail assets. Shall we iterate
one more loop of in-my-face denial, Les? How many more
loops of in-my-face denial, Les? I'm not the best
communicator, it's true:

http://svn.perl.org/qpsmtpd/trunk/plugins/milter

This plugin allows you to attach to milter filters (yes, those
written for sendmail) as though they were qpsmtpd plugins.

In order to do this you need the C<Net::Milter> module from CPAN.

It takes two required parameters - a milter name (for logging) and
the port to connect to on the localhost. This can also contain a
hostname if the filter is on another machine

Or, once again lightly, from Les himself this time:

Les Mikesell wrote:
> ...you write a milter in a language of
> your choice
>> .........
>>     
>
> MimeDefang give you exactly the same thing.  It hooks itself
> in as a milter, provides functions for all the operations you
> are likely to want, and gives you one small snippet of perl
> where you control what happens and can add any local code
> you need.
>   
> Bob's prereq which Les always ignored: And there's still the option
> to run mimedefang itself
> through qpsmtpd's milter interface which might not be
> difficult if someone has time to try it.
While the only point to be made, since mimedefang and
milters belong to qpsmtpd equally as to sendmail, is that
qpsmtpd does dynamic, realtime protocol evaluation.

-Bob

0
cto
2/19/2006 2:19:01 AM
Bob Dodds wrote:

> http://svn.perl.org/qpsmtpd/trunk/plugins/milter

Has anyone *actually* used MIMEDefang with qmail in any way?  As the
author of MIMEDefang, I'd be fascinated to hear that someone has it
working.
However, I have my doubts; MIMEDefang has more dependencies on Sendmail
than just the milter part.  Even if you do get it working, you'd only
have a subset of the available functionality.

Regards,

David.

0
dskoll
2/19/2006 3:38:41 AM
On 18-Feb-06, at 9:19 PM, Bob Dodds wrote:

> Les is a bit slow to recognize on his own, in lieu of hearing
> me at any time, that mimedefang and milters are qpsmtpd
> assets--NOT exclusively sendmail assets. Shall we iterate
> one more loop of in-my-face denial, Les? How many more
> loops of in-my-face denial, Les? I'm not the best
> communicator, it's true:
>
> http://svn.perl.org/qpsmtpd/trunk/plugins/milter
>
> This plugin allows you to attach to milter filters (yes, those
> written for sendmail) as though they were qpsmtpd plugins.
>
> In order to do this you need the C<Net::Milter> module from CPAN.
>
> It takes two required parameters - a milter name (for logging) and
> the port to connect to on the localhost. This can also contain a
> hostname if the filter is on another machine

I'd actually be really interested if other people try this and it  
doesn't work. It is written by a co-worker of mine, and it worked for  
us, but we only tried it with one milter so we'd love to make it more  
compatible.

Matt.
0
matt
2/19/2006 3:46:38 AM
On Sat, 2006-02-18 at 02:15, Bob Dodds wrote:

> qpsmtpd catches a lot of spam and phishing at the
> protocol stages. It's not just a content filter.

Agreed, but so does mimedefang. It gives you hooks
to every part of the smtp operation. 

> "More efficiently" is troll bait, considering how much
> inefficiency is due to spam, phish, and worm load and
> how much "access" is determined by lookup calls to
> the same other tools by either qpsmtpd or sendmail.

The 'access' in question is a dbm style database and
sendmail does matches against it in c code.  I know there
are valid arguments about perl code being as fast as
c sometimes, but sendmail does this pretty quickly.
My point was simply that if you can reject based on
this before the message even gets to the slower network
tests or content scans it will be more efficient.
For example, if you normally relay to an internal server
and a lot of mail still comes addressed to an ex-user,
rather than doing the remote smtp check for every message
you can put:
To:olduser@mydomain.com ERROR:550 user unknown
in the access database on the outside machine to bounce
it without going any farther.

> qpsmtpd can use milters and mimedefang, so neither
> of those is worth points in the sendmail column.

This would be more convincing if you verified that
someone has done it.  I apologize for bringing it up
and not actually making it work.  Mimedefang appears
to exercise most of the possibilities of the milter
interface so I'll be surprised if it works on the
first attempt.  Some things may turn out to be fairly
intimate with sendmail like the way you would pass,
whether the connection was using a TLS certification or
was authenticated through the milter interface. 

> And
> I just implied in the previous column, ldap and sql
> are not worth points in the sendmail column, since
> qpsmtpd can use any lookup and auth method that
> sendmail can.

Of course - it is possible to write just about anything
in perl.  But most things people need have already been
done when you combine the features of sendmail and mimedefang.
I notice there is still work in progress getting remote
smtp recipient verification to work before accepting a message
to relay.  Mimedefang has had that for some time although
it doesn't have to perform the relay operation because
that's built into sendmail.

> Just what does sendmail exclusively have, and show
> me its realtime smtp protocol filtering.

It already has the ability to listen for smtp/smtps/submission
at the same time without losing the relay IP address as you
do with stunnel and can process starttls. It can use PAM based
authentication (maybe it needs sasl for that..). It understands
relatively complex schemes of virtual users, aliases, .forward
files and the necessary recursive expansions to process them.

> I know, you
> are touting the "efficiency" of a vacuum, of a lack of
> protocol filtering?! Must be.

Mimedefang does the realtime protocol filtering part.
You can filter based on the relay address, the envelope
sender - actually any of the ESMTP arguments can be
accessed during filter_sender(), the recipient, or
you can add custom code.  For example you can call
md_check_against_smtp_server() inside filter_recipient
to reject unknown users early if you are going to
relay to another machine for final delivery.  If you
continue on to content filtering, mimedefang breaks
out the attachments in temporary files so you can
efficiently run your choice of scanners before the
SMTP accept happens.  If, in fact mimedefang will work
with the qpsmtpd milter interface, none of this part
would be exclusive to sendmail.  

-- 
  Les Mikesell
   les@futuresource.com


0
les
2/19/2006 4:57:26 AM
On Sat, 2006-02-18 at 21:38, dskoll@gmail.com wrote:

> > http://svn.perl.org/qpsmtpd/trunk/plugins/milter
> 
> Has anyone *actually* used MIMEDefang with qmail in any way?  As the
> author of MIMEDefang, I'd be fascinated to hear that someone has it
> working.
> However, I have my doubts; MIMEDefang has more dependencies on Sendmail
> than just the milter part.  Even if you do get it working, you'd only
> have a subset of the available functionality.

Hi David,
I seem to have stirred up a hornet's nest here by suggesting
the combination.  I did sort-of try a while ago but didn't
get very far and the situation where I thought I would need
it has changed.  However, I think it would be a worthwhile
project because qpsmtpd can work as the receiving front-end
for either qmail or postfix and would thus let the excellent
features of mimedefang work just about everywhere.  Since
qpsmtpd is all-perl, maybe any missing features could be
added or a better way than the milter interface used to
connect them.  Or, the suggestion that wasn't very well
received here the first time around: run sendmail as the
front-end receiver feeding mimedefang with qpsmtpd's
queue delivery code glued in. I suppose you'd get the
worst of all possible methods that way but it sounds crazy
enough to work if you can tell sendmail to skip its own
queue/delivery step.

-- 
  Les Mikesell
   les@futuresource.com


0
les
2/19/2006 5:23:54 AM
On Sat, 2006-02-18 at 22:57, Les Mikesell wrote:

> > Just what does sendmail exclusively have, and show
> > me its realtime smtp protocol filtering.

Forgot to mention: converts annoying quoted-printable or
base64 encodings back to normal 8-bit on the fly.  I
don't think the others do that.

-- 
  Les Mikesell
   les@futuresource.com


0
les
2/19/2006 5:50:40 AM
On Sat, 2006-02-18 at 11:48 -0600, Les Mikesell wrote:
[....]
> That was all true until the milter interface worked reliably.  Now
> if you can't do what you want by pasting a few well-known lines
> into sendmail.mc to expand the canned macros that handle most
> transport-related needs, you write a milter in a language of
> your choice that runs under a uid of your choice, does the
> processing you want in realtime to control the smtp conversation
> and whatever else you want it to do.

Do you know of a good tutorial/intro/... to write a milter plugin (assuming
years of programming and sendmail experience)?


	Bernd
-- 
Firmix Software GmbH                   http://www.firmix.at/
mobil: +43 664 4416156                 fax: +43 1 7890849-55
          Embedded Linux Development and Services



0
bernd
2/19/2006 11:33:00 AM
On Sat, 18 Feb 2006, Les Mikesell wrote:

> it has changed.  However, I think it would be a worthwhile
> project because qpsmtpd can work as the receiving front-end
> for either qmail or postfix and would thus let the excellent
> features of mimedefang work just about everywhere.

Since this is your itch, Les, then please scratch it. Be sure to let us 
know how you get on, and publish any source code you come up with.

Regards

---
Charlie

0
charlieb
2/19/2006 3:41:14 PM
Hi David,

On Sat, 18 Feb 2006 dskoll@gmail.com wrote:

> Bob Dodds wrote:
>
>> http://svn.perl.org/qpsmtpd/trunk/plugins/milter
>
> Has anyone *actually* used MIMEDefang with qmail in any way?  As the
> author of MIMEDefang, I'd be fascinated to hear that someone has it
> working.
> However, I have my doubts; MIMEDefang has more dependencies on Sendmail
> than just the milter part.

Could you elaborate on what those are? Your architecture description at 
http://www.mimedefang.org/node.php?id=10 doesn't have enough detail to 
determine what they might be.

It looks to me as though qpsmtpd could interact directly with 
mimedefang-multiplexor. Is there a description of the interface anywhere?

> Even if you do get it working, you'd only have a subset of the available 
> functionality.

What sorts of things might be missing? If those things are already 
competently handled by qpsmtpd then that's no real drawback.

[BTW, I think you need to add MIME::WordDecoder to your requirements 
list in the FAQ.]

Regards

---
Charlie
0
charlieb
2/19/2006 4:15:17 PM
On Sun, 2006-02-19 at 05:33, Bernd Petrovitsch wrote:
> On Sat, 2006-02-18 at 11:48 -0600, Les Mikesell wrote:
> [....]
> > That was all true until the milter interface worked reliably.  Now
> > if you can't do what you want by pasting a few well-known lines
> > into sendmail.mc to expand the canned macros that handle most
> > transport-related needs, you write a milter in a language of
> > your choice that runs under a uid of your choice, does the
> > processing you want in realtime to control the smtp conversation
> > and whatever else you want it to do.
> 
> Do you know of a good tutorial/intro/... to write a milter plugin (assuming
> years of programming and sendmail experience)?

Personally, I'd recommend trying MimeDefang first to see if
it already does what you need or if it can be accomplished by
just adding the operations you need to the perl filter portion
but this looks like the place to start if you want to do
it the hard way: http://www.milter.org/milter_api/index.html.

-- 
  Les Mikesell
   les@futuresource.com


0
les
2/19/2006 7:53:00 PM
On 2006-02-18 22:57:26 -0600, Les Mikesell wrote:
> On Sat, 2006-02-18 at 02:15, Bob Dodds wrote:
> > "More efficiently" is troll bait, considering how much
> > inefficiency is due to spam, phish, and worm load and
> > how much "access" is determined by lookup calls to
> > the same other tools by either qpsmtpd or sendmail.
>
> The 'access' in question is a dbm style database and
> sendmail does matches against it in c code.  I know there
> are valid arguments about perl code being as fast as
> c sometimes, but sendmail does this pretty quickly.
> My point was simply that if you can reject based on
> this before the message even gets to the slower network
> tests or content scans it will be more efficient.

So can (and does) qpsmtpd.

> For example, if you normally relay to an internal server
> and a lot of mail still comes addressed to an ex-user,
> rather than doing the remote smtp check for every message
> you can put:
> To:olduser@mydomain.com ERROR:550 user unknown
> in the access database on the outside machine to bounce
> it without going any farther.

Explicitly enumerating the mail addresses which don't exist instead of
those which do seems to be a rather weird way of doing things but you
can do that in qpsmtpd with the badrcptto plugin.

Generally you would check if the user exists. There are a number of
plugins to do that: goodrcptto and my aliases_* plugins for those who
prefer plain text files, plugins which do LDAP, finger or SQL lookups
for those who prefer to keep their user database on a central host.

In the normal case with forkserver, BTW, my aliases plugin should be
faster than a DBM lookup: It only requires a single stat to check if the
config file has changed (normally it hasn't) and then an in-core hash
lookup.

	hp

-- 
   _  | Peter J. Holzer    | I now see that computers are poorly
|_|_) | Sysadmin WSR       | suited to remembering things.
| |   | hjp@hjp.at         |
__/   | http://www.hjp.at/ |	-- Holger Lembke in dan-am

0
hjp
2/19/2006 10:42:39 PM
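The lookup pattern described in the message above (one stat per lookup, then an in-core hash), combined with an access-db style reject entry like the one quoted from Les, as an added standalone Perl example. It is not code from the thread, from qpsmtpd or from sendmail; the RcptTable package, the file format and the addresses are assumptions constructed for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempfile);

# Hypothetical package for this example; not part of qpsmtpd or sendmail.
package RcptTable;

sub new {
    my ($class, $path) = @_;
    return bless { path => $path, mtime => -1, size => -1,
                   map => {}, loads => 0 }, $class;
}

# One stat() per lookup; the file is parsed again only if mtime or size moved.
sub _refresh {
    my ($self) = @_;
    my @st = stat($self->{path}) or return;   # unreadable: keep last good table
    my ($size, $mtime) = @st[7, 9];
    return if $mtime == $self->{mtime} && $size == $self->{size};

    open(my $fh, '<', $self->{path}) or return;
    my %map;
    while (my $line = <$fh>) {
        $line =~ s/#.*//;                     # strip comments
        $line =~ s/^\s+|\s+$//g;              # trim whitespace and newline
        next unless length $line;
        # "address" alone means accept; "address ERROR:nnn text" means reject.
        my ($addr, $action) = split /\s+/, $line, 2;
        $map{lc $addr} = defined $action ? $action : 'OK';
    }
    close $fh;
    @$self{qw(map mtime size)} = (\%map, $mtime, $size);
    $self->{loads}++;
    return;
}

# Returns (SMTP code, text) for one envelope recipient.
sub check {
    my ($self, $rcpt) = @_;
    $self->_refresh;
    # Table never loaded: answer with a temporary failure, not a permanent 550.
    return (451, 'recipient table unavailable') unless $self->{loads};
    my $action = $self->{map}{lc $rcpt};
    return (550, 'user unknown') unless defined $action;   # not listed at all
    return (250, 'ok') if $action eq 'OK';
    return ($1, $2) if $action =~ /^ERROR:(\d{3})\s+(.*)$/;
    return (451, 'recipient table entry not understood');
}

package main;

sub write_table {
    my ($path, @lines) = @_;
    open(my $out, '>', $path) or die "cannot write $path: $!";
    print {$out} map { "$_\n" } @lines;
    close $out or die "cannot close $path: $!";
}

# Constructed sample data: one live user, one account kept but closed to mail.
my ($tmp_fh, $path) = tempfile(UNLINK => 1);
close $tmp_fh;
write_table($path,
    'alice@example.com',
    'olduser@example.com ERROR:550 mailbox closed');

my $table = RcptTable->new($path);
for my $rcpt ('alice@example.com', 'OldUser@example.com', 'bob@example.com') {
    printf "%-22s %s %s\n", $rcpt, $table->check($rcpt);
}
print "file parsed $table->{loads} time(s) for 3 lookups\n";

# Add bob; the next lookup notices the change through stat() alone.
write_table($path, 'alice@example.com', 'bob@example.com');
utime(time + 5, time + 5, $path);   # make the mtime change visible within one second
printf "%-22s %s %s\n", 'bob@example.com', $table->check('bob@example.com');
print "file parsed $table->{loads} time(s) in total\n";
```

Answering 451 while the table has never been readable keeps a missing or unreadable file from turning into permanent rejections for every recipient.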
On Sun, 2006-02-19 at 16:42, Peter J. Holzer wrote:
> > you can put:
> > To:olduser@mydomain.com ERROR:550 user unknown
> > in the access database on the outside machine to bounce
> > it without going any farther.
> 
> Explicitly enumerating the mail addresses which don't exist instead of
> those which do seems to be a rather weird way of doing things but you
> can do that in qpsmtpd with the badrcptto plugin. 

> Generally you would check if the user exists. There are a number of
> plugins to do that: goodrcptto and my aliases_* plugins for those who
> prefer plain text files, plugins which do LDAP, finger or SQL lookups
> for those who prefer to keep their user database on a central host.

I guess a better example would have been a user whose account
needs to remain active for a while but should no longer
receive mail.  I just wanted to show the header matching
capability (To: is actually a special case) and the ability
to return a custom error response in case people hadn't
used sendmail recently.   The more common use of the access
db is to specify networks allowed to relay and to blacklist
certain senders by IP, domain or email address.

Anyway the point was just that while you can do that kind
of stuff in the mimedefang/milter code you also have the
option to use the stock sendmail features if it is
more convenient.

-- 
  Les Mikesell
   les@futuresource.com


0
les
2/20/2006 12:00:52 AM
Charlie Brady wrote:

> > However, I have my doubts; MIMEDefang has more dependencies on Sendmail
> > than just the milter part.

> Could you elaborate on what those are?

Well, nothing show-stopping, but:

1) MIMEDefang relies on Sendmail's local submission program for its
stream_by_domain and stream_by_recipient functions.  These let you have
different filtering rules for different recipients; they rely on the
fact that you can re-mail copies of the original message and that those
copies will appear some time later over SMTP.  (The copies, of course,
are only for one domain or recipient, so the stream_by_* functions do
nothing when they appear the second time around.)

2) MIMEDefang lets you pass Sendmail macro values in; you can do various
things.  For example, you can skip spam-scanning if a sender is
authenticated.  That information is communicated via Sendmail macros.

3) MIMEDefang lets you use Perl to implement a map using Sendmail 8.13's
socketmap feature.  That's really powerful; it lets you back-end
Sendmail maps with database connections, LDAP lookups or even arbitrary
Perl functions, without wading through incomprehensible Sendmail
configuration rules.

The architecture is better described by the LISA slides:
http://www.mimedefang.org/static/mimedefang-lisa04.pdf.

> It looks to me as though qpsmtpd could interact directly with
> mimedefang-multiplexor. Is there a description of the interface anywhere?

Yes; in the mimedefang-protocol(7) man page.  (Alas, that's somewhat
out of date; the best documentation is the source code, unfortunately.)

Regards,

David.

0
dskoll
2/20/2006 1:37:56 AM
On 2006-02-19 18:00:52 -0600, Les Mikesell wrote:
> On Sun, 2006-02-19 at 16:42, Peter J. Holzer wrote:
> > > you can put:
> > > To:olduser@mydomain.com ERROR:550 user unknown
> > > in the access database on the outside machine to bounce
> > > it without going any farther.
> >
> > Explicitly enumerating the mail addresses which don't exist instead of
> > those which do seems to be a rather weird way of doing things but you
> > can do that in qpsmtpd with the badrcptto plugin.
>=20
> > Generally you would check if the user exists. There are a number of
> > plugins to do that: goodrcptto and my aliases_* plugins for those who
> > prefer plain text files, plugins which do LDAP, finger or SQL lookups
> > for those who prefer to keep their user database on a central host.
>
> I guess a better example would have been a user whose account
> needs to remain active for a while but should no longer
> receive mail.

Funny, that's one of the cases which I couldn't figure out how to do
with sendmail. Putting to: lines into the access database for a few
hundred email addresses somehow didn't cross my mind (and I still think
it is ugly). All the other ways I tried either didn't work or had some
side-effects.

In contrast, writing a complete plugin which did lookups for
mail-addresses, noted per-recipient options for perusal by other
plugins, and recursively expanded aliases was almost trivial - it
certainly took less time than I had previously spent reading sendmail
docs and experimenting with various sendmail options. (And - most
importantly - it was a lot more fun)

BTW, I knew about MIMEDefang since at least 2001. But I only thought of
it as a tool to manipulate the content of mails, and I didn't have any
need for that, so I never took a closer look.


> I just wanted to show the header matching
> capability (To: is actually a special case)

IIRC "to:" in the access db matches the envelope recipient, not the
header.

> Anyway the point was just that while you can do that kind
> of stuff in the mimedefang/milter code you also have the
> option to use the stock sendmail features if it is
> more convenient.

Yes, but if you want that, you must run sendmail. I don't think anybody
will implement a sendmail.cf-interpreter for qpsmtpd.

Getting MIMEDefang with qpsmtpd may be worthwhile (although it seems to
duplicate a lot of the stuff qpsmtpd does already), but if you want
sendmail, you know where to find it.

(I find arguments of the sort "developers of free software A are wasting
their time - they should instead help improving software B" extremely
pointless. AFAIK nobody ever criticised a company for competing with
another company)

	hp

-- 
   _  | Peter J. Holzer    | I now see that computers are poorly
|_|_) | Sysadmin WSR       | suited to remembering things.
| |   | hjp@hjp.at         |
__/   | http://www.hjp.at/ |	-- Holger Lembke in dan-am

0
hjp
2/20/2006 1:45:06 PM
On Mon, 2006-02-20 at 07:45, Peter J. Holzer wrote:

> > I guess a better example would have been a user whose account
> > needs to remain active for a while but should no longer
> > receive mail.
> 
> Funny, that's one of the cases which I couldn't figure out how to do
> with sendmail. Putting to: lines into the access database for a few
> hundred email addresses somehow didn't cross my mind (and I still think
> it is ugly). All the other ways I tried either didn't work or had some
> side-effects. 

One database is as good as another as far as I'm concerned.  I
think the trick to configuring sendmail is to pretend that
sendmail.cf is not meant to be modified directly and stay
away from the volumes of documentation about doing that.
The access db allows you to specify what you want to
accept/relay/reject based on several criteria:
http://www.sendmail.org/m4/anti_spam.html#access_db

> In contrast, writing a complete plugin which did lookups for
> mail-addresses, noted per-recipient options for perusal by other
> plugins, and recursively expanded aliases was almost trivial - it
> certainly took less time than I had previously spent reading sendmail
> docs and experimenting with various sendmail options. (And - most
> importantly - it was a lot more fun)

Well, yes, there are people who will rewrite a complicated
program in python rather than learning the one line of
perl they needed to configure an existing program.  There's
no accounting for taste.

> BTW, I knew about MIMEDefang since at least 2001. But I only thought of
> it as a tool to manipulate the content of mails, and I didn't have any
> need for that, so I never took a closer look.

It also appears to have had a lot of work put into solving
the performance problems of running a lot of big, slow,
memory-sucking perl processes.  Qpsmtpd will have to deal
with these too.

> > Anyway the point was just that while you can do that kind
> > of stuff in the mimedefang/milter code you also have the
> > option to use the stock sendmail features if it is
> > more convenient.
> 
> Yes, but if you want that, you must run sendmail. I don't think anybody
> will implement a sendmail.cf-interpreter for qpsmtpd.

That depends on your reasons for not running sendmail itself. I
don't have any problem with it and the price is right.  But
again, there is no accounting for taste.  Qmail has caused me
enough pain in the past that I'd never run it by choice again
although qpsmtpd solves one of its problems.

> Getting MIMEDefang with qpsmtpd may be worthwhile (although it seems to
> duplicate a lot of the stuff qpsmtpd does already), but if you want
> sendmail, you know where to find it.
> 
> (I find arguments of the sort "developers of free software A are wasting
> their time - they should instead help improving software B" extremely
> pointless. AFAIK nobody ever criticised a company for competing with
> another company)

Yes, it's probably as pointless as complaining about the
fragmentation of unix into sysv, bsd, solaris, aix, hpux
with their arbitrary differences back in the day, but with
free software it at least makes sense to be aware of the
prior art and use as much as you can from it.  But,
I'm not saying that the project shouldn't exist, just that
sendmail has a lot of functionality to duplicate, and that
if your reason for not using sendmail was that it did not
let you control it in perl, that's not true any more.

-- 
  Les Mikesell
    les@futuresource.com


0
les
2/20/2006 5:16:08 PM
Les Mikesell said the following on 02/20/2006 05:16 PM:
> Qmail has caused me enough pain in the past that I'd never run it by
> choice again although qpsmtpd solves one of its problems.

Care to elaborate on that? What pain have you suffered, and which
problem does qpsmtpd solve?

R.

0
robin
2/20/2006 5:38:40 PM
> > (I find arguments of the sort "developers of free software A are wasting
> > their time - they should instead help improving software B" extremely
> > pointless. AFAIK nobody ever criticised a company for competing with
> > another company)
> 
> Yes, it's probably as pointless as complaining about the
> fragmentation of unix into sysv, bsd, solaris, aix, hpux
> with their arbitrary differences back in the day, but with
> free software it at least makes sense to be aware of the
> prior art and use as much as you can from it.  But,
> I'm not saying that the project shouldn't exist, just that
> sendmail has a lot of functionality to duplicate, and that
> if your reason for not using sendmail was that it did not
> let you control it in perl, that's not true any more.

Please end this thread.

The qpsmtpd list is not the right place for sendmail and milter
advocacy.

-R (who has absolutely nothing against sendmail, and happily runs it
on several production systems.)
0
rspier
2/20/2006 6:34:10 PM
Les Mikesell wrote:
> That depends on your reasons for not running sendmail itself. I
> don't have any problem with it and the price is right.  But
> again, there is no accounting for taste,  Qmail has caused me
> enough pain in the past that I'd never run it by choice again
> although qpsmtpd solves one of its problems.
....
> Yes, it's probably as pointless as complaining about the
> fragmentation of unix into sysv, bsd, solaris, aix, hpux
> with their arbitrary differences back in the day, but with
> free software it at least makes sense to be aware of the
> prior art and use as much as you can from it.  But,
> I'm not saying that the project shouldn't exist, just that
> sendmail has a lot of functionality to duplicate, and that
> if your reason for not using sendmail was that it did not
> let you control it in perl, that's not true any more.
>   

Ok; you don't want to deal with anything but sendmail.
So please explain why you find it worthwhile to constantly try to debate 
the pros and cons of different SMTP applications?

I personally love qpsmtpd for the simple reason that I have yet to 
need/want to hook something into it and not been able to.
For that reason I think it is great.  I am not saying that a good debate 
is a bad thing.  But I don't see where there is anything productive coming 
here.

Now what is it you want to do that you can't?
Please don't say milter (if milter is your answer what is it you want to 
do with milter that you can not currently?)

tmb


0
topaz
2/20/2006 6:39:02 PM
On Feb 17, 2006, at 22:45, Ask Bjørn Hansen wrote:
> On Feb 17, 2006, at 9:43 AM, Les Mikesell wrote:
>> Wouldn't it at some point be simpler to run sendmail as the
>> front end since it already knows how to do this stuff?
>
> I run qmail-smtpd (with TLS and AUTH patches) on the client relays,
> but if I had a user database integrated with qpsmtpd already it'd
> probably be easier to set it up in qpsmtpd instead.   Or if you
> want other qpsmtpd plugins running, for example virus filtering on
> outgoing mail...  (the usual reasons to run qpsmtpd ;-) )

Just in case anyone cares, I put a description of what I did onto the
wiki

	http://wiki.qpsmtpd.org/submission

I agree with Robert; or rather I hope we can get the discussion back
to something else than advocacy for the sake of advocacy.

-Johan

0
johan
2/20/2006 6:44:49 PM
On Mon, 2006-02-20 at 11:38, Robin Bowes wrote:
> Les Mikesell said the following on 02/20/2006 05:16 PM:
> > Qmail has caused me enough pain in the past that I'd never run it by
> > choice again although qpsmtpd solves one of its problems.
> 
> Care to elaborate on that? What pain have you suffered, and which
> problem does qpsmtpd solve?

The biggest problem with stock qmail is that it accepts everything
at the smtp level then generates bounces for anything it can't
deliver.  For the last several years 'dictionary attacks' have
been a common spam/virus delivery approach so you end up with
a huge queue of bounces to undeliverable sender addresses that
clog up your own outbound deliveries.  Qpsmtpd fixes this
one by checking allowed recipients before accepting a message.

The other problem may not be so bad for people where the
destinations are randomly distributed, but my servers are
in remote offices, mostly with expensive private frame-relay
links and the bulk of email use is to groups of people at
one or a few other locations.  Qmail will always send a
separate copy of every message to each recipient even if
they are on the same destination host.  So, if someone
sends a big file to a large group of people (which my users
often do), it hogs the bandwidth of that office link long
enough for people to complain.  This can also be a problem
on an internet link if you have a limited uplink rate. Other
mailers would group the recipients to the same next-hop
destination.

And of course there is the personal issue of having to
learn yet another complicated way of doing things which
wouldn't be so bad if it weren't for the time you waste
on the problems with no solution.

-- 
  Les Mikesell
   les@futuresource.com


0
les
2/20/2006 7:02:43 PM
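The accept-then-bounce behaviour described in the post above, as an added example that is not part of the thread: a constructed Python simulation of one dictionary-attack SMTP session, run once with every local-domain recipient accepted and once with recipients checked at RCPT time. The addresses, the `run_session` helper and the simplified reply codes are assumptions for illustration, not qmail or qpsmtpd code.

```python
from dataclasses import dataclass, field

# Constructed sample data (assumptions for illustration, not from the thread).
LOCAL_DOMAINS = {"example.com"}
VALID_RCPTS = {"alice@example.com", "bob@example.com"}
FORGED_SENDER = "bystander@third-party.test"   # envelope sender chosen by the spammer
ATTACK_RCPTS = [
    "aaron@example.com", "adam@example.com", "alice@example.com",
    "admin@example.com", "bob@example.com", "someone@elsewhere.test",
]


@dataclass
class Session:
    replies: list = field(default_factory=list)  # (command, SMTP reply code)
    queued: list = field(default_factory=list)   # (sender, rcpt) accepted for delivery
    bounces: list = field(default_factory=list)  # addresses that later receive a bounce


def run_session(sender, rcpts, check_rcpt_at_smtp):
    """Model one SMTP transaction followed by the later delivery attempt.

    check_rcpt_at_smtp=False: any recipient in a local domain gets 250, so
    unknown users are only discovered at delivery time and are bounced.
    check_rcpt_at_smtp=True: unknown users get 550 during the SMTP dialogue.
    """
    s = Session()
    s.replies.append((f"MAIL FROM:<{sender}>", 250))
    for rcpt in rcpts:
        cmd = f"RCPT TO:<{rcpt}>"
        domain = rcpt.rsplit("@", 1)[-1].lower()
        if domain not in LOCAL_DOMAINS:
            # Not a domain we accept mail for: refused in both modes.
            s.replies.append((cmd, 550))
        elif check_rcpt_at_smtp and rcpt.lower() not in VALID_RCPTS:
            # Unknown mailbox rejected while the client is still connected,
            # so the sending side owns the failure and nothing is queued.
            s.replies.append((cmd, 550))
        else:
            s.replies.append((cmd, 250))
            s.queued.append((sender, rcpt))
    # Simplified: one code for the whole DATA phase; 554 = no valid recipients.
    s.replies.append(("DATA", 250 if s.queued else 554))

    # Delivery phase: every queued copy for a nonexistent mailbox turns into
    # a bounce addressed to the (forged) envelope sender.
    for snd, rcpt in s.queued:
        if rcpt.lower() not in VALID_RCPTS:
            s.bounces.append(snd)
    return s


def compare():
    """Run the same constructed attack under both policies."""
    accept_all = run_session(FORGED_SENDER, ATTACK_RCPTS, check_rcpt_at_smtp=False)
    checked = run_session(FORGED_SENDER, ATTACK_RCPTS, check_rcpt_at_smtp=True)
    return accept_all, checked


if __name__ == "__main__":
    for name, s in zip(("accept-all", "rcpt-check"), compare()):
        print(f"{name}: queued={len(s.queued)} bounces={len(s.bounces)}")
        for cmd, code in s.replies:
            print(f"  {code} <- {cmd}")
```
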
Les Mikesell wrote:
> On Mon, 2006-02-20 at 11:38, Robin Bowes wrote:
>   
>> Les Mikesell said the following on 02/20/2006 05:16 PM:
>>     
>>> Qmail has caused me enough pain in the past that I'd never run it by
>>> choice again although qpsmtpd solves one of its problems.
>>>       
>> Care to elaborate on that? What pain have you suffered, and which
>> problem does qpsmtpd solve?
>>     
>
> The biggest problem with stock qmail is that it accepts everything
> at the smtp level then generates bounces for anything it can't
> deliver.  For the last several years 'dictionary attacks' have
> been a common spam/virus delivery approach so you end up with
> a huge queue of bounces to undeliverable sender addresses that
> clog up your own outbound deliveries.  Qpsmtpd fixes this
> one by checking allowed recipients before accepting a message.
>   
Not by accepting all messages only on listed valid domains.  But yes 
that was a problem; just as it was a problem for stock sendmail in the 90's.
> The other problem may not be so bad for people where the
> destinations are randomly distributed, but my servers are
> in remote offices, mostly with expensive private frame-relay
> links and the bulk of email use is to groups of people at
> one or a few other locations.  Qmail will always send a
> separate copy of every message to each recipient even if
> they are on the same destination host.  So, if someone
> sends a big file to a large group of people (which my users
> often do), it hogs the bandwidth of that office link long
> enough for people to complain.  This can also be a problem
> on an internet link if you have a limited uplink rate. Other
> mailers would group the recipients to the same next-hop
> destination.
>   
For ppl to complain?  Don't buy that at all.  On a frame?  Sorry but 
going to call you on that.
> And of course there is the personal issue of having to
> learn yet another complicated way of doing things which
> wouldn't be so bad if it weren't for the time you waste
> on the problems with no solution.
>   
Ok a sendmail man is complaining that qmail/qpsmtpd is complicated.
But again that is the point isn't it.  You have to learn the step by 
step system to do something.
That is the problem; you don't know what you are doing you have to learn 
a "another complicated way of doing things."

If you knew what you were doing there would be no such thing as "another 
complicated way of doing things".
Sendmail isn't complicated; nor is postfix, exim, or qmail.  I can see 
how if you are missing that understanding it would be.
Perhaps you would be happier in a different field.

Topaz M. Bott

0
topaz
2/20/2006 7:33:35 PM
Please stop feeding the troll. If we wanted to use sendmail, we'd use 
sendmail. We don't want to talk about it on this list.

If Les has some improvements to make to qpsmtpd, then I'm sure they'd be 
welcome. But I've seen him on lists for quite a few years, and I don't 
remember ever seeing code from him. Perhaps that's why his domain is 
futuresource.com.

Followup to comp.advocacy.sendmail please.

---
Charlie


0
charlieb
2/20/2006 10:47:22 PM
On Mon, 2006-02-20 at 16:47, Charlie Brady wrote:
> Please stop feeding the troll. If we wanted to use sendmail, we'd use 
> sendmail. We don't want to talk about it on this list.
> 
> If Les has some improvements to make to qpsmtpd, then I'm sure they'd be 
> welcome. But I've seen him on lists for quite a few years, and I don't 
> remember ever seeing code from him. Perhaps that's why his domain is 
> futuresource.com.

Sorry, most lists aren't so hostile to the mention of things
invented elsewhere. Perhaps something about qmail code affects
people's attitudes.  I haven't done much coding for a long time
but you might find my name (possibly misspelled) in attributions
on some old things that nobody cares about anymore. I'm not that
good at it and it's been more productive to avoid customizing
things as much as possible.

-- 
  Les Mikesell
   les@futuresource.com


0
les
2/21/2006 11:02:48 PM
Les Mikesell said the following on 02/21/2006 11:02 PM:
> On Mon, 2006-02-20 at 16:47, Charlie Brady wrote:
> 
>>Please stop feeding the troll. If we wanted to use sendmail, we'd use 
>>sendmail. We don't want to talk about it on this list.
>>
>>If Les has some improvements to make to qpsmtpd, then I'm sure they'd be 
>>welcome. But I've seen him on lists for quite a few years, and I don't 
>>remember ever seeing code from him. Perhaps that's why his domain is 
>>futuresource.com.
> 
> 
> Sorry, most lists aren't so hostile to the mention of things
> invented elsewhere.

Most qmail-related lists are. :)

> Perhaps something about qmail code affects people's attitudes.

Possibly...who cares?

R.

0
robin
2/21/2006 11:10:19 PM
Les Mikesell wrote:

>On Mon, 2006-02-20 at 16:47, Charlie Brady wrote:
>  
>
>>Please stop feeding the troll. If we wanted to use sendmail, we'd use 
>>sendmail. We don't want to talk about it on this list.
>>
>>If Les has some improvements to make to qpsmtpd, then I'm sure they'd be 
>>welcome. But I've seen him on lists for quite a few years, and I don't 
>>remember ever seeing code from him. Perhaps that's why his domain is 
>>futuresource.com.
>>    
>>
>
>Sorry, most lists aren't so hostile to the mention of things
>invented elsewhere. Perhaps something about qmail code affects
>people's attitudes.  I haven't done much coding for a long time
>but you might find my name (possibly misspelled) in attributions
>on some old things that nobody cares about anymore. I'm not that
>good at it and it's been more productive to avoid customizing
>things as much as possible.
>

You are definitely discussing something that was invented elsewhere.  
Mainly you are talking about qmail and sendmail.  This is (as far as I 
know) not a qmail or sendmail list.  As far as I know, the people on 
this list are MTA-neutral in relation to this project.

Speaking for myself, the reason why I am irritated with your 
continuation of this thread is that the crux of your argument (as I 
understand it) is:

> Why are you using qpsmtpd with qmail/postfix?  I find them complex and 
> insufficient for my needs.  You can do the same thing with sendmail 
> and mimedefang.  Sendmail is better and simpler.  What you are doing 
> is a waste of time and you should do what I want you to do.  I will 
> now continue to discuss something that does not have relevance to your 
> project (sendmail vs. qmail)


Did you mean something else?  I would be more than happy for you to 
discuss writing a sendmail-queue plugin for qpsmtpd that will allow it 
to work in a sendmail environment, or to discuss getting mimedefang 
working with qpsmtpd.  Those topics are definitely appropriate, and I 
(for one) would welcome them.

All you seem to be doing is arguing sendmail vs. qmail.  If you want to 
do that, move this thread to the qmail or sendmail mailing lists.

Sorry, Charlie, I couldn't resist.
0
elliotf
2/21/2006 11:23:23 PM
Les Mikesell wrote:
> [...]
> Sorry, most lists aren't so hostile to the mention of things
> invented elsewhere. 
> [...]

Most lists are hostile to having developer time wasted:

     http://lists.contribs.org/mailman/public/devinfo/msg08129.html

This list is no exception, and neither is the SME Server developer list.

Yes, we should all look at what is going on in other projects. And once 
we have looked, we can choose to do something different if we wish to.

Or incorporate the idea, if it makes sense to do so. Or merge projects, 
if that makes sense. That's the beauty of free software.

We chose not to use sendmail. You can choose not to use qpsmtpd.

Thanks,

Gordon
0
gordonr
2/21/2006 11:42:02 PM
On Feb 21, 2006, at 3:02 PM, Les Mikesell wrote:

> On Mon, 2006-02-20 at 16:47, Charlie Brady wrote:
>> [...] If we wanted to use sendmail, we'd use
>> sendmail. We don't want to talk about it on this list.
>
> Sorry, most lists aren't so hostile to the mention of things
> invented elsewhere.

I'm sorry you saw the discussion that way!    I agree with Charlie  
that the thread was running off-topic.

It's not that "we" don't like things invented elsewhere, a decade ago  
I used sendmail extensively in all sorts of odd configurations.

The thread was turning into "sendmail can do that too, so why bother?".

As I think you said yourself -- preferences differ.    Many people  
enjoy the particular ways qpsmtpd lets you customize and configure.


  - ask

-- 
http://askask.com/  - http://develooper.com/


0
ask
2/22/2006 1:00:42 AM
On Tue, 2006-02-21 at 17:23, Elliot Foster wrote:

> Speaking for myself, the reason why I am irritated with your 
> continuation of this thread is that the crux of your argument (as I 
> understand it) is:
> 
> > Why are you using qpsmtpd with qmail/postfix?  I find them complex and 
> > insufficient for my needs.

I'm pretty sure I didn't say anything of the sort.  I said it
was less mature, in the sense that it needs additional development.

>   You can do the same thing with sendmail 
> > and mimedefang.

Yes, I did say that in case people here were not aware of it,
and from the responses I don't think everyone was.

>   Sendmail is better and simpler.  What you are doing 
> > is a waste of time and you should do what I want you to do.  I will 
> > now continue to discuss something that does not have relevance to your 
> > project (sendmail vs. qmail)

I'm quite sure I didn't say any of that.

> Did you mean something else?

Yes, what I tried to say was that mimedefang does much of
the same things that qpsmtpd needs to do, and mostly in perl,
and there might be a way to use some or all of it.  Also,
that the mimedefang mail list would be a valuable resource
for the discussions of how different approaches have worked
out in practice.

> All you seem to be doing is arguing sendmail vs. qmail.

I thought I was responding to misconceptions about sendmail.
I think everyone knows now that you can write filters in
perl so we can leave that topic alone.

-- 
  Les Mikesell
   les@futuresource.com

0
les
2/22/2006 2:26:08 AM