
Hotmail sends bare LF that is rejected by qmail

nethubonline

Hotmail now sends bare LFs, which are rejected by qmail. Although we understand that the problem is on Hotmail's side, it causes users a lot of trouble and we have no way to ask Hotmail to correct their system.

Sep 28 12:50:37 p1 qmail-queue[31872]: possible qmail-smtpd exited by timeout, reset connection or with "See http://pobox.com/~djb/docs/smtplf.html."

So is there any solution for qmail running in Plesk Linux?
 
We have exactly same problem.


We cannot receive e-mail from hotmail.

Help please!
 
Hi

In www.qmail.org, I found:

Daniel J. Bernstein suggests that if you have buggy clients that send bare LFs, and you want to treat their messages the same way sendmail does, you can simply run his fixcrio program instead of qmail-smtpd for your outgoing mail relay. fixcrio then takes qmail-smtpd as argument. fixcrio is part of the ucspi-tcp package.

http://cr.yp.to/ucspi-tcp/fixcrio.html

I use "fixcrio" and now I am able to receive email from the buggy client (hotmail) :)
 
I can't believe that I haven't heard of this problem before, but it does really exist. Even more surprising is that it does not happen for all hotmail servers - when I tested it I found out that one hotmail account was OK, but the other one could not send e-mail to Plesk.

And I can confirm that "fixcrio" worked on Plesk 8.6.0 RedHat el3 86090728.14 and I guess it should be the same on Plesk 9.x.

Here are the steps I followed:

1) Download and compile ucspi-tcp sources:

http://cr.yp.to/ucspi-tcp/install.html
http://cr.yp.to/ucspi-tcp/ucspi-tcp-0.88.tar.gz

2) If it fails with "undefined reference to `errno'", add "#include <errno.h>" to error.h as described here:

http://mail.nl.linux.org/kernelnewbies/2004-02/msg00210.html

[root@localhost ucspi-tcp-0.88]# grep -A 1 "extern int errno" *
error.h:extern int errno;
error.h-#include <errno.h>

3) Copy compiled fixcrio binary to /var/qmail/bin/ and chown/chmod as other binaries:

[root@localhost ucspi-tcp-0.88]# ls -l /var/qmail/bin/fixcrio
-r-xr-xr-x 1 root qmail 13388 Oct 1 16:36 /var/qmail/bin/fixcrio

4) Add "/var/qmail/bin/fixcrio" to /etc/xinetd.d/smtp_psa right before /var/qmail/bin/qmail-smtpd.

If you use mail submission you probably want to add it to /etc/xinetd.d/submission_psa as well.

WARNING - fixcrio is NOT compatible with TLS (SMTPS), so do not add it to /etc/xinetd.d/smtps_psa - see my post below

[root@localhost root]# diff /root/smtp_psa_with_fixcrio /etc/xinetd.d/smtp_psa
11c11
< server_args = -Rt0 /usr/sbin/rblsmtpd -r sbl.spamhaus.org -r zen.spamhaus.org /var/qmail/bin/relaylock /var/qmail/bin/fixcrio /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
---
> server_args = -Rt0 /usr/sbin/rblsmtpd -r sbl.spamhaus.org -r zen.spamhaus.org /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
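
Review bot: the two sides of this hunk are the reverse of what step 4 describes. With `diff /root/smtp_psa_with_fixcrio /etc/xinetd.d/smtp_psa`, the `<` line (containing /var/qmail/bin/fixcrio) comes from the copy under /root and the `>` line (without it) comes from /etc/xinetd.d/smtp_psa, so as shown the file named in step 4 does not yet contain the change. Either copy the edited file into place before restarting xinetd in step 5, or put the original file first in the diff so the fixcrio line appears on the `>` side as the addition. The `<` line does place fixcrio after /var/qmail/bin/relaylock and directly before /var/qmail/bin/qmail-smtpd, which matches the step text.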

5) restart xinetd

Should be OK after that.
 
This is a great solution. Thank you. I'm going to try it out immediately.

There is another option to fix this issue. It isn't for everybody, but....

Basically, if you install spamdyke (www.spamdyke.org) [ rpm available from the ART repo at atomicrocketturtle.com ], it also resolves the problem. Spamdyke's main aim, however, is to give you a lot more power and flexibility when it comes to rbls, graylisting, and so on, than any other qmail-based option that I know of.

It works perfectly with 8.6 but I've not tried it with 9.x. pop-before-relay is not supported, however, so if your clients use this then spamdyke is not for you.

Faris.
 
OK, I can confirm that it works a treat.

However, it looks like all the hotmail emails that were causing the bare LFs were actually spam. I wonder if this is a coincidence or not.....

Faris.
 
OK, I've encountered a problem. The fixcrio solution seems to break TLS.

TLS_connect_failed:_error:0D07209B:asn1_encoding_routines:ASN1_get_object:too_long

I'm looking into this, but so far I can't figure it out.
 
OK, I've encountered a problem. The fixcrio solution seems to break TLS.

thanks for pointing this out, faris! I corrected my post.

of course it breaks TLS, I should have understood that, shame on me! since the data is encrypted fixcrio CR "fix" effectively damages the data.

=========
This is mentioned here:

1) http://iain.cx/ssl/?qmailtls
BIG IMPORTANT WARNING:
STARTTLS won't work if you use fixcrio or some other program that helps
out those broken clients and servers out there that violate the SMTP
specs by not sending CRLF properly. You must choose whether to support
buggy clients or secure clients.

2) And here:

http://groups.google.com/group/alt....4da1037febe81207/c7fe177f33d7d012?hl=en&pli=1

3) And here - in Gentoo they decided to enable TLS and comment fixcrio by default and put a warning:
http://bugs.gentoo.org/93958
http://bugs.gentoo.org/79799

=========
As for the workarounds, what I found so far is:

1) it might be worked around by using TLS proxy, not integrated TLS support - as I understand in this case qmail-smtpd receives decrypted data:

http://forum.qmailrocks.org/showthread.php?t=4264
btw, fixcrio can be run on the data stream after it's been decrypted...
one of solution I found in qmail-maillist is to use TLS proxy
http://www.suspectclass.com/~sgiffor...-tlsproxy.html I not tried it yet,
maybe latter... cya!

http://www.suspectclass.com/sgifford/abandoned/stunnel-tlsproxy/
http://www.suspectclass.com/sgifford/abandoned/stunnel-tlsproxy/stunnel-tlsproxy.html
http://www.suspectclass.com/sgifford/abandoned/stunnel-tlsproxy/smtp-tls.README

2) Christophe Saout wrote a patch to fixcrio, but I'm not sure what it actually does:

http://www.mail-archive.com/[email protected]/msg48044.html
http://www.mail-archive.com/[email protected]/msg45127.html

the same patch is mentioned in this bug, although was not applied as I see:
http://bugs.gentoo.org/40521

=========

anyone wants to give it a try? :)
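
Added example (not part of the thread and not fixcrio's source): a simplified C illustration of the CR-insertion idea discussed above, showing that it repairs a plaintext SMTP line but changes the size of a TLS record passing through the same filter. The function names and both sample byte strings are constructed for this illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Count LF bytes that are not preceded by CR (the "bare LF" case). */
size_t count_bare_lf(const unsigned char *buf, size_t n)
{
    size_t bare = 0;
    for (size_t i = 0; i < n; i++)
        if (buf[i] == '\n' && (i == 0 || buf[i - 1] != '\r'))
            bare++;
    return bare;
}

/* Simplified CR insertion: put CR before every bare LF.
   out must have room for 2*n bytes; returns bytes written. */
size_t insert_missing_cr(const unsigned char *in, size_t n, unsigned char *out)
{
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        if (in[i] == '\n' && (i == 0 || in[i - 1] != '\r'))
            out[o++] = '\r';
        out[o++] = in[i];
    }
    return o;
}

/* A TLS record is a 5-byte header (type, version, 16-bit length) + payload. */
int tls_record_length_ok(const unsigned char *rec, size_t n)
{
    if (n < 5) return 0;
    return n == 5 + (((size_t)rec[3] << 8) | rec[4]);
}

/* Constructed samples: one bare-LF SMTP line, one tiny TLS-shaped record. */
static const unsigned char SMTP_SAMPLE[] = "MAIL FROM:<user@example.org>\nRCPT TO:<me@example.net>\r\n";
static const unsigned char TLS_SAMPLE[] = {0x16, 0x03, 0x01, 0x00, 0x05,
                                           0x01, 0x0a, 0x00, 0x0a, 0x02};

int main(void)
{
    unsigned char out[128];
    size_t n = insert_missing_cr(SMTP_SAMPLE, sizeof SMTP_SAMPLE - 1, out);
    printf("SMTP: bare LF before=%zu after=%zu\n",
           count_bare_lf(SMTP_SAMPLE, sizeof SMTP_SAMPLE - 1), count_bare_lf(out, n));
    n = insert_missing_cr(TLS_SAMPLE, sizeof TLS_SAMPLE, out);
    printf("TLS: header length ok before=%d after=%d (%zu -> %zu bytes)\n",
           tls_record_length_ok(TLS_SAMPLE, sizeof TLS_SAMPLE),
           tls_record_length_ok(out, n), sizeof TLS_SAMPLE, n);
    return 0;
}
```

Any 0x0a byte inside ciphertext is indistinguishable from a line ending to a byte-level filter, which is why the filter has to run on the decrypted stream (the TLS proxy workaround) or stop rewriting once TLS starts.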
 
The "hacky" patch seems to work. I applied it manually though, not using the patch command, as there seemed to be chunks it didn't like (maybe I cut and pasted incorrectly). Manually applying it was potentially more sensible anyway, in order to see what it did and where it did it.

Anyway....I'm currently still testing, but TLS definitely works, normal email seems to work, and email with bare LFs seems to work, so so far so good.

Faris.
 
Just to confirm that all is well (as far as I can tell at least) after extensive testing.

All logs clean, no complaints from customers, all tests I did worked 100%.

Faris.
 
After installing fixcrio, hotmail can send messages to our server, BUT ...

Hi:

After installing fixcrio, hotmail can send messages to our server, BUT our server cannot send messages to other servers running qmail.

help please.
 
After installing fixcrio, hotmail can send messages to our server, BUT our server cannot send messages to other servers running qmail.

I'm not sure how could that happen, because changes in smtp_psa and submission_psa files only affect how qmail receives messages.

are you sure you didn't change anything else? you should probably check your maillog (usually /usr/local/psa/var/log/maillog) for errors.
 
Since using fixcrio, Hotmail email can be sent to the qmail server.
But other mail can't be sent to the qmail server.
So I need to cancel this setting, and tell my customers not to use Hotmail to send mail.
 
@jjjl --- you need to implement the TLS patch to fixcrio.

When your server communicates with another server using qmail it will use TLS, and fixcrio (without the TLS patch) breaks TLS.

Faris.
 
And before I forget, many many many thanks to realaaa for your research on this, without which none of this would be possible.

Faris.
 
The "hacky" patch seems to work. I applied it manually though, not using the patch command, as there seemed to be chunks it didn't like (maybe I cut and pasted incorrectly). Manually applying it was potentially more sensible anyway, in order to see what it did and where it did it.

Anyway....I'm currently still testing, but TLS definitely works, normal email seems to work, and email with bare LFs seems to work, so so far so good.

Faris.

Excuse me!
Can you post your settings or the method you used?
Thanks!
 
Attached is fixcrio.txt. This is a version of fixcrio.c but with the TLS patch applied.

Rename from fixcrio.txt to fixcrio.c and use this one instead of the fixcrio.c that you already have.

Compile it and install it like you did before, restart xinetd and all should be well.

Check your maillog for errors.


Faris.
 
