Tcp.smtp: Difference between revisions

From QmailToaster
Jump to navigation Jump to search
(Created page with "Located at /etc/tcprules.d/, tcp.smtp is a 2 line (default toaster) file that orchestrates many of the QMT functions. It is the traffic cop in a busy intersection, controlling SMTP processing alternatives. If you're running another MTA in concert with QmailToaster, or you have an unusual or complicated setup, the following might not be applicable to you. If that is the case, you should take your problem straight to the mailing list. Hopefully this page will eventually c...")
 
No edit summary
 
(13 intermediate revisions by the same user not shown)
Line 1: Line 1:
Located at /etc/tcprules.d/, tcp.smtp is a 2 line (default toaster) file that orchestrates many of the QMT functions. It is the traffic cop in a busy intersection, controlling SMTP processing alternatives.
[[Configuration#tcp.smtp|Back]]<br>
/etc/tcprules.d/tcp.smtp is a 2 line (default toaster) file that orchestrates many of the QMT functions. It is the traffic cop in a busy intersection, controlling SMTP processing alternatives.


If you're running another MTA in concert with QmailToaster, or you have an unusual or complicated setup, the following might not be applicable to you. If that is the case, you should take your problem straight to the mailing list. Hopefully this page will eventually cover advanced configurations as documented by those who have such requirements.
If you're running another MTA in concert with QmailToaster, or you have an unusual or complicated setup, the following might not be applicable to you. If that is the case, you should take your problem straight to the mailing list. Hopefully this page will eventually cover advanced configurations as documented by those who have such requirements.
'''Disclaimer:'''  I do not have a working domainkey setup, so DK settings are provided as a best guess. For proper domainkey setup, see [[Domainkeys]]. Also, this is a work in progress. Be sure to check back for improvements, and make corrections as you find errata.


'''Reminder:''' if you make changes to tcp.smtp, execute the following afterwards to activate the changes:  
'''Reminder:''' if you make changes to tcp.smtp, execute the following afterwards to activate the changes:  
Line 12: Line 11:
Your default tcp.smtp file on a fresh install looks like this (backslashes are for display purposes only, do not include them or newlines or extra spaces in the file - there are two and only two lines here):
Your default tcp.smtp file on a fresh install looks like this (backslashes are for display purposes only, do not include them or newlines or extra spaces in the file - there are two and only two lines here):


  127.:allow,RELAYCLIENT="",DKSIGN="/var/qmail/control/domainkeys/%/private"
  127.:allow,RELAYCLIENT=""
  :allow,BADMIMETYPE="",BADLOADERTYPE="M",\
  <nowiki>:</nowiki>allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",QMAILQUEUE="/var/qmail/bin/simscan"
  CHKUSER_RCPTLIMIT="15",CHKUSER_WRONGRCPTLIMIT="3",\
  DKVERIFY="DEGIJKfh",QMAILQUEUE="/var/qmail/bin/simscan",\
  DKQUEUE="/var/qmail/bin/qmail-queue.orig",\
  DKSIGN="/var/qmail/control/domainkeys/%/private"
 
You should read it like this:
 
line 1)
 
  127.:allow,RELAYCLIENT="",DKSIGN="/var/qmail/control/domainkeys/%/private"
 
line 2) (readability is imperfect (aka sucks). This is one long mother of a line. Again, ignore the '\' and newline)
 
:allow,BADMIMETYPE="",BADLOADERTYPE="M",\
  CHKUSER_RCPTLIMIT="15",CHKUSER_WRONGRCPTLIMIT="3",\
DKVERIFY="DEGIJKfh",QMAILQUEUE="/var/qmail/bin/simscan",\
DKQUEUE="/var/qmail/bin/qmail-queue.orig",\
DKSIGN="/var/qmail/control/domainkeys/%/private"
 
 
'''Let's break that down.''' Entries in the default tcp.smtp and what they mean:
 
line 1)
 
127.    ->local (as in 127.0.0.1)
 
:     ->if, then or 'default follows'
 
allow  ->instruction to allow,
 
RELAYCLIENT=""  ->variable set to null, calls smtp-auth, never seen it written any other way
 
DKSIGN="/var/qmail/control/domainkeys/%/private"    ->domain key processing instructions to sign mail with dk
 
    '''Putting it all together:'''
if the incoming mail is local (127.)
then allow relay
process by variable (smtp-auth)
and sign the message with the domain key info.
 
 
line 2)
 
  :    ->if, then--since it is empty(nothing to the left) all mail not meeting      the line 1) conditional is processed by the following rules which are the default.
  allow  ->instruction to allow
  BADMIMETYPE=""     ->warlord patch variable--it's fine as-is
  BADLOADERTYPE="M"     ->warlord patch variable--it's fine as-is
  CHKUSER_RCPTLIMIT="15"   -> set max # of recipients, more than this set number, the toaster treats it as a 'mail-bomb-event' and denies further delivery attempts
  CHKUSER_WRONGRCPTLIMIT="3"     -> set max # of non-existant users, once this number is met, the toaster treats it as a 'mail-bomb-event' and denies further delivery attempts
  DKVERIFY="DEGIJKfh"    ->instructions by which to verify domain keys
  QMAILQUEUE="/var/qmail/bin/simscan"     ->instuction how and where to run it through simscan (thus spam/clam/attach) before delivery
  DKQUEUE="/var/qmail/bin/qmail-queue.orig"    ->instruction for where to queue messages for domain key verification.
  DKSIGN="/var/qmail/control/domainkeys/%/private"    ->instruction for location for domain key verification of private key.
 
 
    '''Putting it all together:'''
Mail making it this far (line 2 of 2) is not local therefore from a remote server, so process it this way as default handling:
check for bad mimetypes
check for badloader types
check for max recipients
check for incorrect addressees
pull dk signing info if applicable
send it through simscan (and it's buddies)
finish dk verification
then deliver to the recipient.
Wow, that is a lot to master.
 
 
 
 
 
Now let's talk about customizations.  The default install is very good with very sane defaults for setting up a standalone mail server,
which explains the popularity with not-so-experienced admins such as myself.
Easy to setup, secure by design, secure on setup, wonderfully protective of your valuable emails.  You really want to mess with that?
Please keep an accurate record of your customizations for your sanity. 
The more you customize, the more "on your own" you go.
 
'''I don't have domainkeys setup for [insert reason here]'''
 
Make a copy of tcp.smtp to something like tcp.smtp.dk, in case you change your mind later, then edit out any reference to domainkeys in the tcp.smtp file, then execute:  #qmailctl cdb
 
Warning: no domainkey=Yahoo!/bulk (and possibly other sites)  Your mail will go straight to the bulk folder, unless the recipient 'whitelists' your sender by adding to the contacts list.


'''I am confused about badmimetypes/badloaders and simscan...they overlap'''
Line 1
127.:allow - Allow localhost
RELAYCLIENT="" - Allow relaying without authentication


Well, they differ in that simscan uses ripmime to check against file extensions only, whereas badmimetypes/badloaders checks against "known"(to somebody) mime signatures.  The difference is subtle, yet they both block attachments and notify the sender.  If you feel compelled to remove badmimetypes/badloaders from your simscan regimen, then copy the tcp.smtp file to something like tcp.smtp.blbm, in case you change your mind later, then edit out any reference to badloaders and badmimetypes in the tcp.smtp file, then execute:  #qmailctl cdb
Line 2
(alternatively: you could leave tcp.smtp alone and comment out all lines in these 2 files and execute:  #qmailctrl cdb)


'''I want to scan even local mails (clam, spam, attach) as a further protection for my windows users. You know, to keep them from infecting each other.'''
(empty):allow - Allow remote to deliver locally, no relay
   
BADMIMETYPE="" - Warlord patch
Add (,QMAILQUEUE="/var/qmail/bin/simscan") without parentheses() to the end of line 1).  Execute:  #qmailctl cdb
BADLOADERTYPE="M" - Warlord patch
     
  CHKUSER_RCPTLIMIT="50" - Max recipients any more are denied
Now mail from user1-at-domain3-dot-com will process through simscan before it is delivered to user2-at-domain3-dot-com.  Also,  mail from user1-at-domain3-dot-com will process through simscan before it is delivered to user3-at-domain2-dot-com on the same toaster.  Interestingly, simscan will scan that message for attachments and viruses, though not for spam.  I believe that has something to do with the RELAYCLIENT variable or the 127 conditional.  This is not something you should worry too much about. If you suspect you are harboring a spammer or a zombie on your domain, pull the plug on the account.
  CHKUSER_WRONGRCPTLIMIT="10" - Max non-existent recipients any more denied
QMAILQUEUE="/var/qmail/bin/simscan" - Simscan is the queue and will call qmail-queue


[https://cr.yp.to/ucspi-tcp/tcprules.html tcprules]


...to be re-formatted and continued.
# tcprulescheck tcp.smtp.cdb
rule :
set environment variable SIMSCAN_DEBUG=1
set environment variable SMTP_DEBUG=1
set environment variable DSPAM_BIN=/usr/bin/dspamc
set environment variable DSPAM_DEBUG=1
set environment variable BADMIMETYPE=
set environment variable BADLOADERTYPE=M
set environment variable CHKUSER_RCPTLIMIT=50
set environment variable CHKUSER_WRONGRCPTLIMIT=10
set environment variable QMAILQUEUE=/var/qmail/bin/simscan
allow connection

Latest revision as of 15:08, 19 October 2024

Back
/etc/tcprules.d/tcp.smtp is a 2 line (default toaster) file that orchestrates many of the QMT functions. It is the traffic cop in a busy intersection, controlling SMTP processing alternatives.

If you're running another MTA in concert with QmailToaster, or you have an unusual or complicated setup, the following might not be applicable to you. If that is the case, you should take your problem straight to the mailing list. Hopefully this page will eventually cover advanced configurations as documented by those who have such requirements.

Reminder: if you make changes to tcp.smtp, execute the following afterwards to activate the changes:

 # qmailctl cdb

You do not need to stop and start qmail when only regenerating the .cdb files.

Stock (default) tcp.smtp file Your default tcp.smtp file on a fresh install looks like this (backslashes are for display purposes only, do not include them or newlines or extra spaces in the file - there are two and only two lines here):

127.:allow,RELAYCLIENT=""
:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",QMAILQUEUE="/var/qmail/bin/simscan"

Line 1

127.:allow - Allow localhost
RELAYCLIENT="" - Allow relaying without authentication

Line 2

(empty):allow - Allow remote to deliver locally, no relay
BADMIMETYPE="" - Warlord patch
BADLOADERTYPE="M" - Warlord patch
CHKUSER_RCPTLIMIT="50" - Max recipients any more are denied
CHKUSER_WRONGRCPTLIMIT="10" - Max non-existent recipients any more denied
QMAILQUEUE="/var/qmail/bin/simscan" - Simscan is the queue and will call qmail-queue

tcprules

# tcprulescheck tcp.smtp.cdb
rule :
set environment variable SIMSCAN_DEBUG=1
set environment variable SMTP_DEBUG=1
set environment variable DSPAM_BIN=/usr/bin/dspamc
set environment variable DSPAM_DEBUG=1
set environment variable BADMIMETYPE=
set environment variable BADLOADERTYPE=M
set environment variable CHKUSER_RCPTLIMIT=50
set environment variable CHKUSER_WRONGRCPTLIMIT=10
set environment variable QMAILQUEUE=/var/qmail/bin/simscan
allow connection