|
|
| (6 intermediate revisions by the same user not shown) |
| Line 11: |
Line 11: |
| Your default tcp.smtp file on a fresh install looks like this (backslashes are for display purposes only, do not include them or newlines or extra spaces in the file - there are two and only two lines here): | | Your default tcp.smtp file on a fresh install looks like this (backslashes are for display purposes only, do not include them or newlines or extra spaces in the file - there are two and only two lines here): |
|
| |
|
| 127.:allow,RELAYCLIENT="",RBLSMTPD="",NOP0FCHECK="1" | | 127.:allow,RELAYCLIENT="" |
| <nowiki>:</nowiki>allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",QMAILQUEUE="/var/qmail/bin/simscan",NOP0FCHECK="1" | | <nowiki>:</nowiki>allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",QMAILQUEUE="/var/qmail/bin/simscan" |
|
| |
|
| Line 1 | | Line 1 |
| 127.:allow - Allow localhost | | 127.:allow - Allow localhost |
| RELAYCLIENT="" - Allow relaying without authentication | | RELAYCLIENT="" - Allow relaying without authentication |
| RBLSMTPD="" -
| |
| NOP0FCHECK="1" -
| |
|
| |
|
| Line 2 | | Line 2 |
|
| |
|
| (empty):allow - Allow anyone without to deliver locally, no relay | | (empty):allow - Allow remote to deliver locally, no relay |
| BADMIMETYPE="" - Warlord patch | | BADMIMETYPE="" - Warlord patch |
| BADLOADERTYPE="M" - Warlord patch | | BADLOADERTYPE="M" - Warlord patch |
| Line 28: |
Line 26: |
| CHKUSER_WRONGRCPTLIMIT="10" - Max non-existent recipients any more denied | | CHKUSER_WRONGRCPTLIMIT="10" - Max non-existent recipients any more denied |
| QMAILQUEUE="/var/qmail/bin/simscan" - Simscan is the queue and will call qmail-queue | | QMAILQUEUE="/var/qmail/bin/simscan" - Simscan is the queue and will call qmail-queue |
| NOP0FCHECK="1" -
| |
|
| |
|
| | [https://cr.yp.to/ucspi-tcp/tcprules.html tcprules] |
|
| |
|
| '''Let's break that down.''' Entries in the default tcp.smtp and what they mean:
| | # tcprulescheck tcp.smtp.cdb |
| | | rule : |
| line 1)
| | set environment variable SIMSCAN_DEBUG=1 |
| | | set environment variable SMTP_DEBUG=1 |
| 127. ->local (as in 127.0.0.1)
| | set environment variable DSPAM_BIN=/usr/bin/dspamc |
| | | set environment variable DSPAM_DEBUG=1 |
| : ->if, then or 'default follows' | | set environment variable BADMIMETYPE= |
| | | set environment variable BADLOADERTYPE=M |
| allow ->instruction to allow,
| | set environment variable CHKUSER_RCPTLIMIT=50 |
| | | set environment variable CHKUSER_WRONGRCPTLIMIT=10 |
| RELAYCLIENT="" ->variable set to null, calls smtp-auth, never seen it written any other way
| | set environment variable QMAILQUEUE=/var/qmail/bin/simscan |
| | | allow connection |
| DKSIGN="/var/qmail/control/domainkeys/%/private" ->domain key processing instructions to sign mail with dk
| |
| | |
| '''Putting it all together:'''
| |
| if the incoming mail is local (127.) | |
| then allow relay
| |
| process by variable (smtp-auth)
| |
| and sign the message with the domain key info.
| |
| | |
| | |
| line 2)
| |
| | |
| : ->if, then--since it is empty(nothing to the left) all mail not meeting the line 1) conditional is processed by the following rules which are the default.
| |
| allow ->instruction to allow
| |
| BADMIMETYPE="" ->warlord patch variable--it's fine as-is
| |
| BADLOADERTYPE="M" ->warlord patch variable--it's fine as-is
| |
| CHKUSER_RCPTLIMIT="15" -> set max # of recipients, more than this set number, the toaster treats it as a 'mail-bomb-event' and denies further delivery attempts
| |
| CHKUSER_WRONGRCPTLIMIT="3" -> set max # of non-existant users, once this number is met, the toaster treats it as a 'mail-bomb-event' and denies further delivery attempts
| |
| DKVERIFY="DEGIJKfh" ->instructions by which to verify domain keys
| |
| QMAILQUEUE="/var/qmail/bin/simscan" ->instuction how and where to run it through simscan (thus spam/clam/attach) before delivery
| |
| DKQUEUE="/var/qmail/bin/qmail-queue.orig" ->instruction for where to queue messages for domain key verification.
| |
| DKSIGN="/var/qmail/control/domainkeys/%/private" ->instruction for location for domain key verification of private key.
| |
| | |
| | |
| '''Putting it all together:'''
| |
| Mail making it this far (line 2 of 2) is not local therefore from a remote server, so process it this way as default handling: | |
| check for bad mimetypes
| |
| check for badloader types
| |
| check for max recipients
| |
| check for incorrect addressees
| |
| then deliver to the recipient.
| |
|
| |
|
| |
| Wow, that is a lot to master.
| |
| | |
| | |
| | |
| | |
|
| |
| Now let's talk about customizations. The default install is very good with very sane defaults for setting up a standalone mail server,
| |
| which explains the popularity with not-so-experienced admins such as myself.
| |
| Easy to setup, secure by design, secure on setup, wonderfully protective of your valuable emails. You really want to mess with that?
| |
| Please keep an accurate record of your customizations for your sanity.
| |
| The more you customize, the more "on your own" you go.
| |
| | |
| '''I don't have domainkeys setup for [insert reason here]'''
| |
| | |
| Make a copy of tcp.smtp to something like tcp.smtp.dk, in case you change your mind later, then edit out any reference to domainkeys in the tcp.smtp file, then execute: #qmailctl cdb
| |
| | |
| Warning: no domainkey=Yahoo!/bulk (and possibly other sites) Your mail will go straight to the bulk folder, unless the recipient 'whitelists' your sender by adding to the contacts list.
| |
| | |
| '''I am confused about badmimetypes/badloaders and simscan...they overlap'''
| |
| | |
| Well, they differ in that simscan uses ripmime to check against file extensions only, whereas badmimetypes/badloaders checks against "known"(to somebody) mime signatures. The difference is subtle, yet they both block attachments and notify the sender. If you feel compelled to remove badmimetypes/badloaders from your simscan regimen, then copy the tcp.smtp file to something like tcp.smtp.blbm, in case you change your mind later, then edit out any reference to badloaders and badmimetypes in the tcp.smtp file, then execute: #qmailctl cdb
| |
| (alternatively: you could leave tcp.smtp alone and comment out all lines in these 2 files and execute: #qmailctrl cdb)
| |
| | |
| '''I want to scan even local mails (clam, spam, attach) as a further protection for my windows users. You know, to keep them from infecting each other.'''
| |
|
| |
| Add (,QMAILQUEUE="/var/qmail/bin/simscan") without parentheses() to the end of line 1). Execute: #qmailctl cdb
| |
|
| |
| Now mail from user1-at-domain3-dot-com will process through simscan before it is delivered to user2-at-domain3-dot-com. Also, mail from user1-at-domain3-dot-com will process through simscan before it is delivered to user3-at-domain2-dot-com on the same toaster. Interestingly, simscan will scan that message for attachments and viruses, though not for spam. I believe that has something to do with the RELAYCLIENT variable or the 127 conditional. This is not something you should worry too much about. If you suspect you are harboring a spammer or a zombie on your domain, pull the plug on the account.
| |
| | |
| | |
| ...to be re-formatted and continued.
| |
Back
/etc/tcprules.d/tcp.smtp is a 2 line (default toaster) file that orchestrates many of the QMT functions. It is the traffic cop in a busy intersection, controlling SMTP processing alternatives.
If you're running another MTA in concert with QmailToaster, or you have an unusual or complicated setup, the following might not be applicable to you. If that is the case, you should take your problem straight to the mailing list. Hopefully this page will eventually cover advanced configurations as documented by those who have such requirements.
Reminder: if you make changes to tcp.smtp, execute the following afterwards to activate the changes:
# qmailctl cdb
You do not need to stop and start qmail when only regenerating the .cdb files.
Stock (default) tcp.smtp file
Your default tcp.smtp file on a fresh install looks like this (backslashes are for display purposes only, do not include them or newlines or extra spaces in the file - there are two and only two lines here):
127.:allow,RELAYCLIENT=""
:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",QMAILQUEUE="/var/qmail/bin/simscan"
Line 1
127.:allow - Allow localhost
RELAYCLIENT="" - Allow relaying without authentication
Line 2
(empty):allow - Allow remote to deliver locally, no relay
BADMIMETYPE="" - Warlord patch
BADLOADERTYPE="M" - Warlord patch
CHKUSER_RCPTLIMIT="50" - Max recipients any more are denied
CHKUSER_WRONGRCPTLIMIT="10" - Max non-existent recipients any more denied
QMAILQUEUE="/var/qmail/bin/simscan" - Simscan is the queue and will call qmail-queue
tcprules
# tcprulescheck tcp.smtp.cdb
rule :
set environment variable SIMSCAN_DEBUG=1
set environment variable SMTP_DEBUG=1
set environment variable DSPAM_BIN=/usr/bin/dspamc
set environment variable DSPAM_DEBUG=1
set environment variable BADMIMETYPE=
set environment variable BADLOADERTYPE=M
set environment variable CHKUSER_RCPTLIMIT=50
set environment variable CHKUSER_WRONGRCPTLIMIT=10
set environment variable QMAILQUEUE=/var/qmail/bin/simscan
allow connection