
No local mailbox handling

Status
Not open for further replies.

Nonamys

Programmer
Aug 5, 2002
6
US
I am setting up a webserver that will need to access qmail, but will not be handling mail storage locally (the 3 domains on the server all have their mail handled by a third party). My biggest issues in setting this up are as follows:

- How do I set up qmail so that it ONLY accepts connections for SMTP from localhost? (Don't want to be an open relay ;) )
- How do I handle bounces & postmaster type messages, since I won't be checking this server for any mail?

Thanks for any help you can provide!

My qmail-showctl follows:

/var/qmail/queue : ../bin/qmail-showctl |more
qmail home directory: /var/qmail.
user-ext delimiter: -.
paternalism (in decimal): 2.
silent concurrency limit: 120.
subdirectory split: 23.
user ids: 1003, 1002, 1004, 0, 1005, 1006, 1007, 1008.
group ids: 1002, 1003.

badmailfrom: (Default.) Any MAIL FROM is allowed.

bouncefrom: Bounce user name is bounce.

bouncehost: Bounce host name is peakswebdev.com.

concurrencylocal: (Default.) Local concurrency is 10.

concurrencyremote: (Default.) Remote concurrency is 20.

databytes: (Default.) SMTP DATA limit is 0 bytes.

defaultdomain: Default domain name is wheezer.peakswebdev.com.

defaulthost: (Default.) Default host name is wheezer.peakswebdev.com.

doublebouncehost: (Default.) 2B recipient host: wheezer.peakswebdev.com.

doublebounceto: (Default.) 2B recipient user: postmaster.

envnoathost: (Default.) Presumed domain name is wheezer.peakswebdev.com.

helohost: (Default.) SMTP client HELO host name is wheezer.peakswebdev.com.

idhost: (Default.) Message-ID host name is wheezer.peakswebdev.com.

localiphost: (Default.) Local IP address becomes wheezer.peakswebdev.com.

locals:

me: My name is wheezer.peakswebdev.com.

percenthack: (Default.) The percent hack is not allowed.

plusdomain: Plus domain name is ipowerweb.com.

qmqpservers: (Default.) No QMQP servers.

queuelifetime: (Default.) Message lifetime in the queue is 604800 seconds.

rcpthosts:
SMTP clients may send messages to recipients at usa.net.
SMTP clients may send messages to recipients at cscolo.com.
SMTP clients may send messages to recipients at peakswebdev.com.
SMTP clients may send messages to recipients at computersolutionsllc.com.

morercpthosts: (Default.) No effect.

morercpthosts.cdb: (Default.) No effect.

smtpgreeting: SMTP greeting: 220 Hello.

smtproutes: (Default.) No artificial SMTP routes.

timeoutconnect: (Default.) SMTP client connection timeout is 60 seconds.

timeoutremote: (Default.) SMTP client data timeout is 1200 seconds.

timeoutsmtpd: (Default.) SMTP server data timeout is 1200 seconds.

virtualdomains: (Default.) No virtual domains.

defaultdelivery: I have no idea what this file does.

concurrencyincoming: I have no idea what this file does.
 
Code:
I am setting up a webserver that will need to access qmail, but will not be handling mail storage locally (the 3 domains on the server all have their mail handled by a third party).  My biggest issues in setting this up are as follows:

- How do I set up qmail so that it ONLY accepts connections for SMTP from localhost? (Don't want to be an open relay ;) )
- How do I handle bounces & postmaster type messages, since I won't be checking this server for any mail?
What is your first question again? That didn't ring a bell for me.

qmail ONLY for localhost is via your tcp.smtp control file. Code it to only allow 127.0.0.*

Bounces can be responded to or deleted. I recommend deleting them, otherwise I think you can include any valid email address in one of the bounceto control files. I typically route to /dev/null in the .qmail-default file when I run with vpopmail

 
Hoping that the localhost-only thing is simplest, I'm going on that demon first.

My /etc/tcp.smtp file contains the following:
*******************
127.:allow,RELAYCLIENT=""
*.*.*.*:deny
********************

However, a telnet to port 25 on my public IP still gives me an SMTP 220 response. I really want to shut that down so I'm not running an open relay. Any further recommendations?
 
Your rcpthosts file defines that you are NOT an open relay since you are only accepting traffic for those domains. Any attempts to send mail to any other domain should be refused by qmail-smtpd.

Now, your point about NOT wanting to have your smtpd listen on your public tcp port 25 is another matter.

Typically you should define a firewall to eliminate the risk/configuration concerning port 25 exposed to the world.

I also suspect that tcpserver (from DJB) has some smarts about which IPs it advertises port 25 service, but frankly I'm far more comfortable about using a firewall to "do it" right. In fact, the firewall solution provides you with a far more elegant solution to prevent public IP machines from discovering other services running on your box.

Finally, you should find that your tcp.smtp as configured should work, although the deny statement is typically defined as simply ":deny"

 
Unfortunately, I cannot leave my rcpthosts file cranked down as it is, since one of my scripts needs to use localhost as an SMTP server to an undefined range of domains. As I am running in a jail on a virtual host, firewall configurations are not really open to my adjustment. I will adjust my tcp.smtp file to simply:

127.:allow,RELAYCLIENT=""
:deny

to see if that helps at all. Thank you for your help.
 
Well, the :deny blocks even a telnet to 127.0.0.1 on port 25. It's like I can have no access to port 25, or EVERYONE has access....
 
rcpthosts defines the domains that you ACCEPT mail for and has no bearing on to whom you can/try to transmit to!!!!

Please paste your entire file contents for:

1) tcp.smtp
2) /var/qmail/supervise/qmail-smtpd/run

Something may not be right in your setup... Your tcp.smtp looks right though.

 
tcp.smtp: (note... when using :deny, a telnet to port 25 on 127.0.0.1 is rejected. When using *.*.*.*:deny, all requests to port 25 on the public IP are accepted)
***********************************************************
:deny
127.0.0.1:allow,RELAYCLIENT=""
***********************************************************

.../qmail-smtpd/run:
***********************************************************
#!/bin/sh
# supervise run script for qmail-smtpd, as posted; comments added.

QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
LOCAL=`head -1 /var/qmail/control/me`

if [ -z "$QMAILDUID" -o -z "$NOFILESGID" -o -z "$MAXSMTPD" -o -z "$LOCAL" ]; then
    echo "QMAILDUID, NOFILESGID, MAXSMTPD, or LOCAL is unset in"
    echo "/var/qmail/supervise/qmail-smtpd/run"
    exit 1
fi

# Without rcpthosts, qmail-smtpd accepts mail for any domain, so refuse to start.
if [ ! -f /var/qmail/control/rcpthosts ]; then
    echo "No /var/qmail/control/rcpthosts!"
    echo "Refusing to start SMTP listener because it'll create an open relay"
    exit 1
fi

# tcpserver reads the compiled rules in /etc/tcp.smtp.cdb (-x), not /etc/tcp.smtp itself,
# so the cdb has to be rebuilt with tcprules after every edit of tcp.smtp.
exec /usr/local/bin/softlimit -m 2000000 \
    /usr/local/bin/tcpserver -v -R -l "$LOCAL" -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \
    -u "$QMAILDUID" -g "$NOFILESGID" 0 smtp /var/qmail/bin/qmail-smtpd 2>&1

***********************************************************

And I recognize what the rcpthosts is for. I'm having other issues w/ my cgi-bin being able to use qmail-inject, so a workaround is for it to use smtp to localhost to send the mail that way. If rcpthosts is cranked down, won't that prevent my script from sending to other domains?

Again, thank you for your time & assistance on this.
 
OK, first, the tcp.smtp file is a rule-matching list from top-down. First rule matching wins.
Your post a little while ago showed ":deny" as last item in the file. This is correct. Your immediately previous post shows ":deny" first, this is incorrect since it never allows the next rule(s) to be processed. You have simply defined a ruleset that denies every source and does nothing else, in spite of other entries.

Next, rcpthosts isn't meant to be queried or parsed. It doesn't need to be. rcpthosts ONLY defines which domains MTAs (including you on 127.0.0.1) may send to. HOWEVER THE MOST IMPORTANT point here is that if your tcp.smtp uses the "127.0.0.1:allow,RELAYCLIENT=""" line properly on the first line of the tcp.smtp file, ( you *are* running 'qmailctl cdb' after changing tcp.smtp, right?) then you are specifically granting ALL connections to the SMTP server on port 25 IP 127.0.0.1 to send to ANYBODY.

I think the point that might be confusing you is that:

1) Without tcp.smtp and rcpthosts, qmail is an open relay (very bad)
2) With rcpthosts you are defining the domains you're willing to accept mail for
3) With tcp.smtp you are defining the domains/IPs that you're willing to allow to relay through you.

The point on #3 is especially important if you take the use of it out of context and envision a larger installation with several mail servers trying to send out to the Internet via a single gateway qmail. In that case you'd hypothetically have tcp.smtp including their IPs with no relay client string, AND THEN ":deny"

I hope this is starting to put the picture together.

The last comment I'll make is that qmail installs a substitute 'sendmail' binary, which I believe is a symlink to qmail-inject (or something). At any rate, this allows any scripts that are programmed to send to 'sendmail' to function properly.

My suggestion here is to stabilize your environment to your liking before undertaking a debug of the CGI procedures.

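The two-layer relay decision the replies describe, as an added example that is not part of this thread and not code from qmail or ucspi-tcp: a small Python model of tcpserver's rule lookup for a connecting IP (the exact address, then shorter dotted prefixes such as "127.", then the empty default rule, in the order the tcprules documentation gives; hostname and TCPREMOTEINFO rules are left out, and only IPv4 is handled), followed by qmail-smtpd's RCPT TO check, where a RELAYCLIENT variable set by the rule bypasses rcpthosts. The tcp.smtp contents and rcpthosts list come from the posts above; the outside client address 203.0.113.9 is constructed. One caveat the model cannot show: real tcpserver reads the compiled cdb, so an edited tcp.smtp changes nothing until tcprules (or qmailctl cdb) is rerun.

```python
"""Model of tcpserver -x rule lookup plus qmail-smtpd's rcpthosts check.

Added example, not qmail or ucspi-tcp code. tcprules has no wildcard
syntax, so a line like '*.*.*.*:deny' is a rule for the literal address
'*.*.*.*' and never matches; the empty address (':deny') is the default.
"""


def parse_tcp_rules(text):
    """Compile tcp.smtp text into {address: (instruction, env)}.

    Each line is 'address:instruction[,VAR="value",...]'. Like the cdb
    that tcprules builds, the result is keyed by address, so lookup goes
    by address specificity rather than by line position.
    """
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        address, _, rest = line.partition(":")
        instruction, *env_parts = rest.split(",")
        env = {}
        for part in env_parts:
            name, _, value = part.partition("=")
            env[name.strip()] = value.strip().strip('"')
        rules[address.strip()] = (instruction.strip(), env)
    return rules


def lookup(rules, remote_ip):
    """Return (instruction, env) for a client IP in tcprules' documented order:
    exact IP, then shorter prefixes ending in a dot, then the empty default."""
    candidates = [remote_ip]
    octets = remote_ip.split(".")
    for n in range(len(octets) - 1, 0, -1):      # "1.2.3.", "1.2.", "1."
        candidates.append(".".join(octets[:n]) + ".")
    candidates.append("")                         # the ':instruction' line
    for key in candidates:
        if key in rules:
            return rules[key]
    return ("allow", {})   # no rule at all: tcpserver lets the connection in


def _rcpthost_match(domain, entry):
    """rcpthosts entry: exact domain, or '.example.com' for any subdomain."""
    entry = entry.lower()
    if entry.startswith("."):
        return domain.endswith(entry)
    return domain == entry


def smtpd_accepts_rcpt(env, rcpthosts, recipient):
    """qmail-smtpd's RCPT TO decision: RELAYCLIENT bypasses rcpthosts."""
    if "RELAYCLIENT" in env:
        return True
    domain = recipient.rpartition("@")[2].lower()
    return any(_rcpthost_match(domain, h) for h in rcpthosts)


def smtp_session(tcp_smtp_text, rcpthosts, client_ip, recipient):
    """Outcome of one client trying to send to one recipient."""
    instruction, env = lookup(parse_tcp_rules(tcp_smtp_text), client_ip)
    if instruction == "deny":
        return "connection refused by tcpserver"
    if smtpd_accepts_rcpt(env, rcpthosts, recipient):
        return "250 ok"
    return "553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)"


# Files from the thread: the first attempt with a (non-matching) wildcard
# line, and the recommended default-deny form.
TCP_SMTP_WILDCARD = '127.:allow,RELAYCLIENT=""\n*.*.*.*:deny\n'
TCP_SMTP_DEFAULT_DENY = '127.:allow,RELAYCLIENT=""\n:deny\n'
RCPTHOSTS = ["usa.net", "cscolo.com", "peakswebdev.com", "computersolutionsllc.com"]
OUTSIDE_IP = "203.0.113.9"   # constructed outside client address

if __name__ == "__main__":
    for name, text in (("wildcard", TCP_SMTP_WILDCARD), ("default deny", TCP_SMTP_DEFAULT_DENY)):
        for ip, rcpt in ((OUTSIDE_IP, "someone@example.org"),
                         (OUTSIDE_IP, "postmaster@peakswebdev.com"),
                         ("127.0.0.1", "someone@example.org")):
            print(f"{name:13} {ip:12} -> {rcpt:28}: {smtp_session(text, RCPTHOSTS, ip, rcpt)}")
```

With the wildcard file an outside host still connects (no rule matches, so tcpserver allows it) and is then limited by rcpthosts, which is exactly the "220 on the public IP but not an open relay" situation described above; with `:deny` the outside host never gets a banner, while 127.0.0.1 matches the `127.` prefix rule and may relay anywhere.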
 