Simpler fix
Instead of creating two listeners with different rules, just change the order of the server_args in the smtp_psa and smtps_psa files under /etc/xinetd.d/. I want to check non-authenticated users against the PBL included in spamhaus.org's ZEN list (SBL -- spammers, XBL -- exploited boxes, and PBL -- dynamic IP where the ISP provides MTA services, all combined).
The swsoft-supplied server_args line is:
Code:
server_args = /usr/sbin/rblsmtpd -r zen.spamhaus.org /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
Move the rblsmtpd to the end of the line like this:
Code:
server_args = /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true /usr/sbin/rblsmtpd -r zen.spamhaus.org
Of course, Plesk rewrites this line whenever it decides to, so I run the following sed script every so often:
Code:
sed -i -e "s/server_args.*$/server_args = \/var\/qmail\/bin\/relaylock \/var\/qmail\/bin\/qmail-smtpd \/var\/qmail\/bin\/smtp_auth \/var\/qmail\/bin\/true \/var\/qmail\/bin\/cmd5checkpw \/var\/qmail\/bin\/true \/usr\/sbin\/rblsmtpd -r zen.spamhaus.org/" /etc/xinetd.d/smtp_psa
Use at your own risk (no backup is attempted).
For the more adventurous, I found a script that I think is responsible for rebuilding the scripts above. It's in /usr/local/psa/bin/mysqldump.sh.
Please note, my version of PSA is: 8.1.1 RedHat el4 81070423.15. I haven't tried this anywhere else.
Code:
[root@114394-www1 bin]# diff -Naur mysqldump.sh_ mysqldump.sh
--- mysqldump.sh_ 2007-06-16 19:17:02.000000000 -0500
+++ mysqldump.sh 2007-06-16 19:20:42.000000000 -0500
@@ -545,7 +545,7 @@
user = root
instances = UNLIMITED
server = $QMAIL_ROOT_D/bin/tcp-env
- server_args = $RBLSMTPD $rbl_server $QMAIL_ROOT_D/bin/relaylock
$QMAIL_ROOT_D/bin/qmail-smtpd $QMAIL_ROOT_D/bin/smtp_auth $TRUE_BIN
$QMAIL_ROOT_D/bin/cmd5checkpw $TRUE_BIN
+ server_args = $QMAIL_ROOT_D/bin/relaylock
$QMAIL_ROOT_D/bin/qmail-smtpd $QMAIL_ROOT_D/bin/smtp_auth $TRUE_BIN
$QMAIL_ROOT_D/bin/cmd5checkpw $TRUE_BIN $RBLSMTPD $rbl_server
}" > "$xinetd_dir/smtp_${product}" || die "$inten"
;;
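Review bot: with $RBLSMTPD $rbl_server moved to the end of server_args in the smtp_${product} stanza, rblsmtpd no longer has a program following it on the command line, and it is normally a wrapper that runs whatever follows it. Nothing in this hunk shows what invokes it in the new position, so add a comment above the line saying which program in the chain runs the trailing command and under what condition, and confirm the result by connecting from a listed address both with and without SMTP AUTH.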
@@ -579,7 +579,7 @@
user = root
instances = UNLIMITED
server = $QMAIL_ROOT_D/bin/tcp-env
- server_args = $RBLSMTPD $rbl_server $QMAIL_ROOT_D/bin/relaylock
$QMAIL_ROOT_D/bin/qmail-smtpd $QMAIL_ROOT_D/bin/smtp_auth $TRUE_BIN
$QMAIL_ROOT_D/bin/cmd5checkpw $TRUE_BIN
+ server_args = $QMAIL_ROOT_D/bin/relaylock
$QMAIL_ROOT_D/bin/qmail-smtpd $QMAIL_ROOT_D/bin/smtp_auth $TRUE_BIN
$QMAIL_ROOT_D/bin/cmd5checkpw $TRUE_BIN $RBLSMTPD $rbl_server
}" > "$xinetd_dir/smtps_${product}" || die "$inten"
;;
*)
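Review bot: the new server_args value written to smtps_${product} is the same string as the one written to smtp_${product} in the previous hunk. Build the argument chain once in a variable and use it in both stanzas, so the two listeners cannot drift apart the next time the order is changed.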
@@ -674,8 +674,8 @@
case "$rbl_on" in
on)
- smtp_rec="smtp stream tcp nowait$maxconn root
$QMAIL_ROOT_D/bin/tcp-env tcp-env $RBLSMTPD $rbl_server
$QMAIL_ROOT_D/bin/relaylock $QMAIL_ROOT_D/bin/qmail-smtpd
$QMAIL_ROOT_D/bin/smtp_auth $QMAIL_ROOT_D/bin/true
$QMAIL_ROOT_D/bin/cmd5checkpw $QMAIL_ROOT_D/bin/true"
- smtps_rec="smtps stream tcp nowait$maxconn root
$QMAIL_ROOT_D/bin/tcp-env tcp-env $RBLSMTPD $rbl_server
$QMAIL_ROOT_D/bin/relaylock $QMAIL_ROOT_D/bin/qmail-smtpd
$QMAIL_ROOT_D/bin/smtp_auth $QMAIL_ROOT_D/bin/true
$QMAIL_ROOT_D/bin/cmd5checkpw $QMAIL_ROOT_D/bin/true"
+ smtp_rec="smtp stream tcp nowait$maxconn root
$QMAIL_ROOT_D/bin/tcp-env tcp-env $QMAIL_ROOT_D/bin/relaylock
$QMAIL_ROOT_D/bin/qmail-smtpd $QMAIL_ROOT_D/bin/smtp_auth
$QMAIL_ROOT_D/bin/true $QMAIL_ROOT_D/bin/cmd5checkpw $QMAIL_ROOT_D/bin/true
$RBLSMTPD $rbl_server"
+ smtps_rec="smtps stream tcp nowait$maxconn root
$QMAIL_ROOT_D/bin/tcp-env tcp-env $QMAIL_ROOT_D/bin/relaylock
$QMAIL_ROOT_D/bin/qmail-smtpd $QMAIL_ROOT_D/bin/smtp_auth
$QMAIL_ROOT_D/bin/true $QMAIL_ROOT_D/bin/cmd5checkpw $QMAIL_ROOT_D/bin/true
$RBLSMTPD $rbl_server"
;;
*)
smtp_rec="smtp stream tcp nowait$maxconn root
$QMAIL_ROOT_D/bin/tcp-env tcp-env $QMAIL_ROOT_D/bin/relaylock
$QMAIL_ROOT_D/bin/qmail-smtpd $QMAIL_ROOT_D/bin/smtp_auth
$QMAIL_ROOT_D/bin/true $QMAIL_ROOT_D/bin/cmd5checkpw $QMAIL_ROOT_D/bin/true"
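Review bot: in the on) branch the new smtp_rec is now the smtp_rec shown in the *) branch with $RBLSMTPD $rbl_server appended, so the long record is maintained twice. Set the base record once before the case and append the RBL part only in on). These records also spell out $QMAIL_ROOT_D/bin/true where the two server_args hunks use $TRUE_BIN; pick one form.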
Or, an ed-style script for those who'd rather use that:
Code:
[root@114394-www1 bin]# diff -ed mysqldump.sh_ mysqldump.sh
677,678c
smtp_rec="smtp stream tcp nowait$maxconn root
$QMAIL_ROOT_D/bin/tcp-env tcp-env $QMAIL_ROOT_D/bin/relaylock
$QMAIL_ROOT_D/bin/qmail-smtpd $QMAIL_ROOT_D/bin/smtp_auth
$QMAIL_ROOT_D/bin/true $QMAIL_ROOT_D/bin/cmd5checkpw $QMAIL_ROOT_D/bin/true
$RBLSMTPD $rbl_server"
smtps_rec="smtps stream tcp nowait$maxconn root
$QMAIL_ROOT_D/bin/tcp-env tcp-env $QMAIL_ROOT_D/bin/relaylock
$QMAIL_ROOT_D/bin/qmail-smtpd $QMAIL_ROOT_D/bin/smtp_auth
$QMAIL_ROOT_D/bin/true $QMAIL_ROOT_D/bin/cmd5checkpw $QMAIL_ROOT_D/bin/true
$RBLSMTPD $rbl_server"
.
582c
server_args = $QMAIL_ROOT_D/bin/relaylock
$QMAIL_ROOT_D/bin/qmail-smtpd $QMAIL_ROOT_D/bin/smtp_auth $TRUE_BIN
$QMAIL_ROOT_D/bin/cmd5checkpw $TRUE_BIN $RBLSMTPD $rbl_server
.
548c
server_args = $QMAIL_ROOT_D/bin/relaylock
$QMAIL_ROOT_D/bin/qmail-smtpd $QMAIL_ROOT_D/bin/smtp_auth $TRUE_BIN
$QMAIL_ROOT_D/bin/cmd5checkpw $TRUE_BIN $RBLSMTPD $rbl_server
.
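Review bot: the ed script addresses lines 677,678, 582 and 548 by absolute number with no context, so on a mysqldump.sh that differs at all from the copy it was generated against it replaces whatever happens to sit on those lines. Prefer applying the unified diff above, or check that the target lines contain server_args / smtp_rec before running it, and keep the mysqldump.sh_ copy.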
Perhaps blocking all attempts from SBL and XBL IP addresses is a Good Thing, but blocking authenticated PBL is not. One thing I haven't tried is splitting the rblsmtpd command into two groups and leaving the SBL/XBL checking at the front of the list of server_args and then referring to rblsmtpd again after the authentication checks for the PBL list.
Anyway, a bit of re-ordering the server_args means I don't need to run separate qmail daemons on various ports.
Please tell me your improvements on my methods above.
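
An added example, not part of the original post: a version of the sed one-liner above that takes a backup first, keeps whatever rblsmtpd options are already configured, and does nothing if the line is already reordered. The function name reorder_rbl is hypothetical; the file paths are the ones named in the post.

```shell
#!/bin/sh
# Added example (not from the original post). reorder_rbl is a hypothetical
# helper name; the /etc/xinetd.d paths are the ones named in the post.

# reorder_rbl FILE
#   If server_args starts with ".../rblsmtpd <options>" followed by
#   ".../relaylock ...", move the rblsmtpd group to the end of the line.
#   Prints "changed" or "unchanged"; returns 2 on error.
reorder_rbl() {
    file=$1
    [ -f "$file" ] || { echo "reorder_rbl: no such file: $file" >&2; return 2; }
    tmp=$(mktemp) || return 2

    # \1 = "server_args = ", \2 = rblsmtpd and its options, \3 = rest of chain.
    # The pattern only matches while rblsmtpd is the FIRST argument, so a file
    # that is already reordered (or has no RBL configured) passes through as is.
    sed 's|^\([[:space:]]*server_args[[:space:]]*=[[:space:]]*\)\([^[:space:]]*/rblsmtpd[[:space:]].*[^[:space:]]\)[[:space:]]\{1,\}\([^[:space:]]*/relaylock[[:space:]].*[^[:space:]]\)[[:space:]]*$|\1\3 \2|' \
        "$file" > "$tmp" || { rm -f "$tmp"; return 2; }

    if cmp -s "$file" "$tmp"; then
        rm -f "$tmp"
        echo unchanged
        return 0
    fi

    # Keep the vendor-written version before touching the live file.
    cp -p "$file" "$file.bak" || { rm -f "$tmp"; return 2; }
    # Overwrite in place so owner and mode of the xinetd file are preserved.
    cat "$tmp" > "$file" || { rm -f "$tmp"; return 2; }
    rm -f "$tmp"
    echo changed
}

# Typical use from cron, for both listeners named in the post:
#   for f in /etc/xinetd.d/smtp_psa /etc/xinetd.d/smtps_psa; do reorder_rbl "$f"; done
```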