
How to fix relaying while using RBL/MAPS


cluge

Guest
OK folks, first let's define the problem.

Qmail is a modular MTA, and RBLSMTPD (that's the daemon that checks the RBL and drops you) is called before authentication is. Thus if your IP is in an RBL, you will have to whitelist it to be able to relay through the Plesk server. Sucks if you're on a dynamically assigned IP. This is a limitation of the qmail package as installed with Plesk.

Fix: run another instance of the qmail smtpd daemon without calling RBLSMTPD on another port (pick one, be creative; in this example we use 8025). Give this port to your customers to put into their "outgoing mail server" port number. This has the added advantage of working around port 25 blocks imposed by some ISPs.

How?

Add the following line to /etc/services:

sssmtp 8025/tcp # Super Special SMTP

cd /etc/xinetd.d

vi sssmtp
(or nano, or joe or whatever)

Make the file look like the following:

service sssmtp
{
        socket_type     = stream
        protocol        = tcp
        wait            = no
        disable         = no
        user            = root
        instances       = UNLIMITED
        server          = /var/qmail/bin/tcp-env
        server_args     = /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
}

restart xinetd!

Remember to poke a hole in your iptables for the port that you choose. That's it, have fun.

cluge
 
qmail sucks!

The standard port for message submission is TCP 587:
http://tools.ietf.org/html/rfc4409

Still, qmail sucks really big time! Especially as this behavior produces random works/doesn't-work problems depending on the IP number. Most users probably think it's their fault, since a reboot gives a new IP (if not behind a router) and it works then.

Plesk should support Postfix, which can easily assign the order of SMTP-auth to RBL checks.
 
Hello,

Yeah, that's right, but the RFC says that the connection has to be authenticated.
Any way to force qmail to only accept authenticated email?

thx!
 
Simpler fix

Instead of creating two listeners with different rules, just change the order of the server_args in the smtp_psa and smtps_psa files under /etc/xinetd.d/. I want to check non-authenticated users against the PBL included in spamhaus.org's ZEN list (SBL -- spammers, XBL -- exploited boxes, and PBL -- dynamic IP where the ISP provides MTA services, all combined)

The swsoft-supplied server_args line is:

Code:
 server_args     = /usr/sbin/rblsmtpd  -r zen.spamhaus.org /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true

Move the rblsmtpd to the end of the line like this:

Code:
server_args     = /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true /usr/sbin/rblsmtpd  -r zen.spamhaus.org

Of course, Plesk rewrites this line whenever it decides to, so I run the following sed script every so often:
Code:
 sed -i -e "s/server_args.*$/server_args     = \/var\/qmail\/bin\/relaylock \/var\/qmail\/bin\/qmail-smtpd \/var\/qmail\/bin\/smtp_auth \/var\/qmail\/bin\/true \/var\/qmail\/bin\/cmd5checkpw \/var\/qmail\/bin\/true \/usr\/sbin\/rblsmtpd  -r zen.spamhaus.org/" /etc/xinetd.d/smtp_psa
Use at your own risk (no back up is attempted).

For the more adventurous, I found a script that I think is responsible for rebuilding the scripts above. It's in /usr/local/psa/bin/mysqldump.sh.

Please note, my version of PSA is: 8.1.1 RedHat el4 81070423.15. I haven't tried this anywhere else.

Code:
[root@114394-www1 bin]# diff -Naur mysqldump.sh_ mysqldump.sh
--- mysqldump.sh_       2007-06-16 19:17:02.000000000 -0500
+++ mysqldump.sh        2007-06-16 19:20:42.000000000 -0500
@@ -545,7 +545,7 @@
        user            = root
        instances       = UNLIMITED
        server          = $QMAIL_ROOT_D/bin/tcp-env
-       server_args     = $RBLSMTPD $rbl_server $QMAIL_ROOT_D/bin/relaylock
$QMAIL_ROOT_D/bin/qmail-smtpd $QMAIL_ROOT_D/bin/smtp_auth $TRUE_BIN
$QMAIL_ROOT_D/bin/cmd5checkpw $TRUE_BIN
+       server_args     = $QMAIL_ROOT_D/bin/relaylock
$QMAIL_ROOT_D/bin/qmail-smtpd $QMAIL_ROOT_D/bin/smtp_auth $TRUE_BIN
$QMAIL_ROOT_D/bin/cmd5checkpw $TRUE_BIN $RBLSMTPD $rbl_server
 }" > "$xinetd_dir/smtp_${product}" || die "$inten"
                                        ;;
 
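Review bot: this reordering does not defer the RBL check until after authentication; it disables it. rblsmtpd is a wrapper that looks up the client IP and then execs the program named after its options, so it only has an effect as the first program in the chain that tcp-env starts. Appended after `$QMAIL_ROOT_D/bin/cmd5checkpw $TRUE_BIN`, `$RBLSMTPD $rbl_server` is just two extra arguments handed down the qmail-smtpd/smtp_auth chain and no lookup is ever performed, which matches the later report in this thread that no IP is blocked after the move. If the goal is to keep the check for unauthenticated senders, it has to stay in front (`$RBLSMTPD $rbl_server $QMAIL_ROOT_D/bin/relaylock ...`), with dynamic-IP users pointed at a separate submission listener as the first post does. Also confirm the `server_args` value stays on one line in the generated heredoc; as pasted here it wraps across three lines, which would be invalid xinetd syntax if the newlines are literal.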
@@ -579,7 +579,7 @@
        user            = root
        instances       = UNLIMITED
        server          = $QMAIL_ROOT_D/bin/tcp-env
-       server_args     = $RBLSMTPD $rbl_server $QMAIL_ROOT_D/bin/relaylock
$QMAIL_ROOT_D/bin/qmail-smtpd $QMAIL_ROOT_D/bin/smtp_auth $TRUE_BIN
$QMAIL_ROOT_D/bin/cmd5checkpw $TRUE_BIN
+       server_args     = $QMAIL_ROOT_D/bin/relaylock
$QMAIL_ROOT_D/bin/qmail-smtpd $QMAIL_ROOT_D/bin/smtp_auth $TRUE_BIN
$QMAIL_ROOT_D/bin/cmd5checkpw $TRUE_BIN $RBLSMTPD $rbl_server
 }" > "$xinetd_dir/smtps_${product}" || die "$inten"
                                        ;;
                                *)
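Review bot: the smtps_${product} listener gets the same non-functional placement as the smtp hunk above: `$RBLSMTPD $rbl_server` after the auth chain is never executed, so the RBL lookup is dropped rather than postponed. Since this is the TLS-wrapped port that authenticating clients are most likely to use anyway, consider leaving this hunk out and keeping rblsmtpd in front of `$QMAIL_ROOT_D/bin/relaylock`.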
@@ -674,8 +674,8 @@
 
        case "$rbl_on" in
                on)
-                       smtp_rec="smtp stream tcp nowait$maxconn root
$QMAIL_ROOT_D/bin/tcp-env tcp-env  $RBLSMTPD $rbl_server
$QMAIL_ROOT_D/bin/relaylock $QMAIL_ROOT_D/bin/qmail-smtpd
$QMAIL_ROOT_D/bin/smtp_auth $QMAIL_ROOT_D/bin/true
$QMAIL_ROOT_D/bin/cmd5checkpw $QMAIL_ROOT_D/bin/true"
-                       smtps_rec="smtps stream tcp nowait$maxconn root
$QMAIL_ROOT_D/bin/tcp-env tcp-env  $RBLSMTPD $rbl_server
$QMAIL_ROOT_D/bin/relaylock $QMAIL_ROOT_D/bin/qmail-smtpd
$QMAIL_ROOT_D/bin/smtp_auth $QMAIL_ROOT_D/bin/true
$QMAIL_ROOT_D/bin/cmd5checkpw $QMAIL_ROOT_D/bin/true"
+                       smtp_rec="smtp stream tcp nowait$maxconn root
$QMAIL_ROOT_D/bin/tcp-env tcp-env $QMAIL_ROOT_D/bin/relaylock
$QMAIL_ROOT_D/bin/qmail-smtpd $QMAIL_ROOT_D/bin/smtp_auth
$QMAIL_ROOT_D/bin/true $QMAIL_ROOT_D/bin/cmd5checkpw $QMAIL_ROOT_D/bin/true
$RBLSMTPD $rbl_server"
+                       smtps_rec="smtps stream tcp nowait$maxconn root
$QMAIL_ROOT_D/bin/tcp-env tcp-env $QMAIL_ROOT_D/bin/relaylock
$QMAIL_ROOT_D/bin/qmail-smtpd $QMAIL_ROOT_D/bin/smtp_auth
$QMAIL_ROOT_D/bin/true $QMAIL_ROOT_D/bin/cmd5checkpw $QMAIL_ROOT_D/bin/true
$RBLSMTPD $rbl_server"
                        ;;
                *)
                        smtp_rec="smtp stream tcp nowait$maxconn root
$QMAIL_ROOT_D/bin/tcp-env tcp-env  $QMAIL_ROOT_D/bin/relaylock
$QMAIL_ROOT_D/bin/qmail-smtpd $QMAIL_ROOT_D/bin/smtp_auth
$QMAIL_ROOT_D/bin/true $QMAIL_ROOT_D/bin/cmd5checkpw $QMAIL_ROOT_D/bin/true"
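Review bot: the inetd-style records repeat the same defect: with `$RBLSMTPD $rbl_server` appended after the final `$QMAIL_ROOT_D/bin/true`, the `on)` branch now produces the same effective command as the unchanged `*)` branch that follows it, differing only in trailing arguments that are never executed, so the `rbl_on` setting no longer changes behaviour. If the intent is that `rbl_on=on` still blocks listed hosts, the `$RBLSMTPD $rbl_server` pair has to remain directly after `tcp-env tcp-env` in both `smtp_rec` and `smtps_rec`.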

Or, an ed-style script for those who'd rather use that:

Code:
[root@114394-www1 bin]# diff -ed mysqldump.sh_ mysqldump.sh
677,678c
                        smtp_rec="smtp stream tcp nowait$maxconn root
$QMAIL_ROOT_D/bin/tcp-env tcp-env $QMAIL_ROOT_D/bin/relaylock
$QMAIL_ROOT_D/bin/qmail-smtpd $QMAIL_ROOT_D/bin/smtp_auth
$QMAIL_ROOT_D/bin/true $QMAIL_ROOT_D/bin/cmd5checkpw $QMAIL_ROOT_D/bin/true
$RBLSMTPD $rbl_server"
                        smtps_rec="smtps stream tcp nowait$maxconn root
$QMAIL_ROOT_D/bin/tcp-env tcp-env $QMAIL_ROOT_D/bin/relaylock
$QMAIL_ROOT_D/bin/qmail-smtpd $QMAIL_ROOT_D/bin/smtp_auth
$QMAIL_ROOT_D/bin/true $QMAIL_ROOT_D/bin/cmd5checkpw $QMAIL_ROOT_D/bin/true
$RBLSMTPD $rbl_server"
.
582c
        server_args     = $QMAIL_ROOT_D/bin/relaylock
$QMAIL_ROOT_D/bin/qmail-smtpd $QMAIL_ROOT_D/bin/smtp_auth $TRUE_BIN
$QMAIL_ROOT_D/bin/cmd5checkpw $TRUE_BIN $RBLSMTPD $rbl_server
.
548c
        server_args     = $QMAIL_ROOT_D/bin/relaylock
$QMAIL_ROOT_D/bin/qmail-smtpd $QMAIL_ROOT_D/bin/smtp_auth $TRUE_BIN
$QMAIL_ROOT_D/bin/cmd5checkpw $TRUE_BIN $RBLSMTPD $rbl_server
.
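Review bot: the ed script addresses lines by number (677,678c, 582c, 548c) rather than by content, so it is only valid for the exact mysqldump.sh build it was diffed against (PSA 8.1.1, per the post); on any other version `ed` will replace whatever happens to sit at those line numbers without complaint. Prefer a content-anchored change (the unified diff above applied with `patch`, which verifies the surrounding context, or a sed expression matched on the `server_args     = $RBLSMTPD` text) and keep a copy of the original before running it. The ordering caveat from the unified hunks applies here unchanged: each replacement still pushes `$RBLSMTPD $rbl_server` to a position where it is never run.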

Perhaps blocking all attempts from SBL and XBL IP addresses is a Good Thing, but blocking authenticated PBL is not. One thing I haven't tried is splitting the rblsmtpd command into two groups and leaving the SBL/XBL checking at the front of the list of server_args and then referring to rblsmtpd again after the authentication checks for the PBL list.

Anyway, a bit of re-ordering the server_args means I don't need to run separate qmail daemons on various ports.

Please tell me your improvements on my methods above.
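A small audit script, added here as an example (it is not from any post in this thread), that reports where rblsmtpd sits in an xinetd server_args line; the sample service files are constructed from the orderings shown in the first post (the 8025 listener) and in the "Simpler fix" post above.

```shell
#!/bin/sh
# Added example (not from the thread): audit where rblsmtpd sits in an xinetd
# server_args chain. tcp-env execs only the first program; later words are
# arguments handed down the chain, so rblsmtpd at the end never runs a lookup.

# First server_args value in an xinetd service file.
server_args_of() {
    sed -n 's/^[[:space:]]*server_args[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# wrapper  = first in chain (lookup enforced); trailing = after auth chain
# (never executed); absent = no rblsmtpd; none = no server_args line.
rbl_position() {
    args=$(server_args_of "$1")
    [ -n "$args" ] || { echo none; return 0; }
    set -- $args
    case "$1" in
        */rblsmtpd) echo wrapper ;;
        *) case " $args " in
               *"/rblsmtpd "*) echo trailing ;;
               *) echo absent ;;
           esac ;;
    esac
}

# Constructed sample files mirroring the orderings discussed in the thread.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/smtp_psa.stock" <<'EOF'   # stock Plesk: rblsmtpd wraps the chain
service smtp
{
        server_args     = /usr/sbin/rblsmtpd -r zen.spamhaus.org /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
}
EOF
cat > "$tmp/smtp_psa.moved" <<'EOF'   # "simpler fix": rblsmtpd moved last
service smtp
{
        server_args     = /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true /usr/sbin/rblsmtpd  -r zen.spamhaus.org
}
EOF
cat > "$tmp/sssmtp" <<'EOF'           # first post's 8025 listener: no RBL by design
service sssmtp
{
        server_args     = /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
}
EOF
for f in smtp_psa.stock smtp_psa.moved sssmtp; do
    printf '%-16s rblsmtpd: %s\n' "$f" "$(rbl_position "$tmp/$f")"
done
```

Run it against the real files under /etc/xinetd.d after Plesk has rewritten them; a "trailing" result means the listener is accepting mail with no RBL check at all.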
 
@robotterror
Two points:

a) If you move rblsmtpd to the end, it seems never to block an IP based on the RBL.

b) I did the changes on mysqldump.sh, but it seems not to be used to set up the xinetd conf for smtp_psa and smtps_psa.
 