
How to fix relaying while using RBL/MAPS

Discussion in 'Plesk for Linux - 8.x and Older' started by cluge, Apr 4, 2006.

  1. cluge

    cluge Guest

    0
     
    OK folks, first let's define the problem.

    Qmail is a modular MTA, and RBLSMTPD (that's the daemon that checks the RBL and drops you) is called before authentication is. Thus if your IP is in an RBL, you will have to whitelist it to be able to relay through the Plesk server. Sucks if you're on a dynamically assigned IP. This is a limitation of the qmail package as installed with Plesk.

    Fix: run another instance of the qmail smtpd daemon without calling RBLSMTPD on another port (pick one, be creative; in this example we use 8025). Give this port to your customers to put into their "outgoing mail server" port number. This has the added advantage of working around port 25 blocks imposed by some ISPs.

    How?

    Add the following line to /etc/services:

    Code:
    sssmtp 8025/tcp # Super Special SMTP

    cd /etc/xinetd.d

    vi sssmtp
    (or nano, or joe, or whatever)

    Make the file look like the following:

    Code:
    service sssmtp
    {
        socket_type     = stream
        protocol        = tcp
        wait            = no
        disable         = no
        user            = root
        instances       = UNLIMITED
        server          = /var/qmail/bin/tcp-env
        server_args     = /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
    }


    restart xinetd!

    Remember to poke a hole in your iptables for the port that you choose. That's it, have fun.

    cluge
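    The procedure in the post above, as an added shell example that is not cluge's own commands: it renders the /etc/services entry and the xinetd stanza into a scratch directory and sanity-checks the stanza (no rblsmtpd, relaylock and the auth helpers present) before anything is copied into /etc. The service name sssmtp and port 8025 are the post's values; the helper names and the output directory are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not cluge's own commands): renders the second-listener setup
# described above into a scratch directory instead of touching /etc/services
# and /etc/xinetd.d directly, so the result can be reviewed and diffed first.
# Service name "sssmtp" and port 8025 are the post's values; the helper names
# and the output directory are this example's own.
set -eu

# Append "name port/tcp # comment" to a services file unless the name is
# already registered there.
ensure_services_entry() {
    file=$1 name=$2 port=$3
    if grep -q "^${name}[[:space:]]" "$file" 2>/dev/null; then
        echo "already present"
        return 0
    fi
    printf '%s\t%s/tcp\t# Super Special SMTP (no rblsmtpd in front)\n' "$name" "$port" >> "$file"
    echo "added"
}

# Print the xinetd stanza for an SMTP listener that skips rblsmtpd: the same
# tcp-env -> relaylock -> qmail-smtpd (+ smtp_auth / cmd5checkpw) chain the
# post shows, just without the RBL wrapper at the head.
xinetd_stanza() {
    name=$1
    cat <<EOF
service ${name}
{
    socket_type     = stream
    protocol        = tcp
    wait            = no
    disable         = no
    user            = root
    instances       = UNLIMITED
    server          = /var/qmail/bin/tcp-env
    server_args     = /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
}
EOF
}

# Sanity-check a rendered stanza before installing it: rblsmtpd must be absent
# (otherwise listed clients are still dropped before AUTH) and relaylock plus
# the auth helpers must be present (otherwise the extra port is an open relay
# waiting to happen).
check_stanza() {
    stanza=$1
    case $stanza in
        *rblsmtpd*) echo "FAIL: rblsmtpd present"; return 1 ;;
    esac
    case $stanza in
        *relaylock*smtp_auth*cmd5checkpw*) echo "ok" ;;
        *) echo "FAIL: relaylock or auth helpers missing"; return 1 ;;
    esac
}

main() {
    out=${1:-./sssmtp-out}
    mkdir -p "$out/xinetd.d"
    # Work on a copy of /etc/services when one is readable, else start empty.
    [ -f "$out/services" ] || cp /etc/services "$out/services" 2>/dev/null || : > "$out/services"
    ensure_services_entry "$out/services" sssmtp 8025
    xinetd_stanza sssmtp > "$out/xinetd.d/sssmtp"
    check_stanza "$(cat "$out/xinetd.d/sssmtp")"
    echo "Review $out/, then copy the files into /etc and run: service xinetd restart"
    echo "and open the port, e.g.: iptables -I INPUT -p tcp --dport 8025 -j ACCEPT"
}

if [ $# -gt 0 ]; then
    main "$1"
fi
```

    Run it as `sh render-sssmtp.sh ./out` and diff `./out/services` against `/etc/services` before installing; the check_stanza step is the part worth keeping in a cron job, since the whole point of the second port is that it must stay authenticated-only.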
     
  2. faris

    faris Guest

    0
     
    Most excellent! Thanks.

    Faris.
     
  3. buddaaa

    buddaaa Guest

    0
     
    qmail sucks!

    The standard port for message submission is TCP 587:
    http://tools.ietf.org/html/rfc4409

    Still, qmail sucks really big time! Especially as this behavior produces random works/doesn't-work problems depending on the IP number. Most users probably think it's their fault, since a reboot gives a new IP (if not behind a router) and it works then.

    Plesk should support Postfix, which can easily assign the order of SMTP AUTH to RBL checks.
     
  4. split

    split Guest

    0
     
    Hello,

    Yeah, that's right, but the RFC says that the connection has to be authenticated.
    Any way to force qmail to only accept authenticated email?

    thx!
     
  5. robotterror

    robotterror Guest

    0
     
    Simpler fix

    Instead of creating two listeners with different rules, just change the order of the server_args in the smtp_psa and smtps_psa files under /etc/xinetd.d/. I want to check non-authenticated users against the PBL included in spamhaus.org's ZEN list (SBL -- spammers, XBL -- exploited boxes, and PBL -- dynamic IP where the ISP provides MTA services, all combined)

    The swsoft-supplied server_args line is:

    Code:
     server_args     = /usr/sbin/rblsmtpd  -r zen.spamhaus.org /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
    Move the rblsmtpd to the end of the line like this:

    Code:
    server_args     = /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true /usr/sbin/rblsmtpd  -r zen.spamhaus.org
    
    Of course, Plesk rewrites this line whenever it decides to, so I run the following sed script every so often:
    Code:
     sed -i -e "s/server_args.*$/server_args     = \/var\/qmail\/bin\/relaylock \/var\/qmail\/bin\/qmail-smtpd \/var\/qmail\/bin\/smtp_auth \/var\/qmail\/bin\/true \/var\/qmail\/bin\/cmd5checkpw \/var\/qmail\/bin\/true \/usr\/sbin\/rblsmtpd  -r zen.spamhaus.org/" /etc/xinetd.d/smtp_psa 
    
    Use at your own risk (no back up is attempted).

    For the more adventurous, I found a script that I think is responsible for rebuilding the scripts above. It's in /usr/local/psa/bin/mysqldump.sh.

    Please note, my version of PSA is: 8.1.1 RedHat el4 81070423.15. I haven't tried this anywhere else.

    Code:
    [root@114394-www1 bin]# diff -Naur mysqldump.sh_ mysqldump.sh
    --- mysqldump.sh_       2007-06-16 19:17:02.000000000 -0500
    +++ mysqldump.sh        2007-06-16 19:20:42.000000000 -0500
    @@ -545,7 +545,7 @@
            user            = root
            instances       = UNLIMITED
            server          = $QMAIL_ROOT_D/bin/tcp-env
    -       server_args     = $RBLSMTPD $rbl_server $QMAIL_ROOT_D/bin/relaylock
    $QMAIL_ROOT_D/bin/qmail-smtpd $QMAIL_ROOT_D/bin/smtp_auth $TRUE_BIN
    $QMAIL_ROOT_D/bin/cmd5checkpw $TRUE_BIN
    +       server_args     = $QMAIL_ROOT_D/bin/relaylock
    $QMAIL_ROOT_D/bin/qmail-smtpd $QMAIL_ROOT_D/bin/smtp_auth $TRUE_BIN
    $QMAIL_ROOT_D/bin/cmd5checkpw $TRUE_BIN $RBLSMTPD $rbl_server
     }" > "$xinetd_dir/smtp_${product}" || die "$inten"
                                            ;;
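    Review bot: moving `$RBLSMTPD $rbl_server` from the head of server_args to its tail changes what tcp-env actually executes. rblsmtpd is a front-end that does the DNSBL lookup and then execs the program named after it, so it only filters when it is the first program in the chain; appended after `$QMAIL_ROOT_D/bin/cmd5checkpw $TRUE_BIN` it is just trailing arguments to the auth helpers, and nothing in the visible chain is documented to exec it. Before relying on this line, confirm in the mail log that rblsmtpd rejections still occur on the smtp listener. If the goal is only to stop PBL from blocking authenticated clients, a safer change is to keep rblsmtpd in front and point it at an SBL/XBL list instead of the combined ZEN list, which the post itself already distinguishes.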
     
    @@ -579,7 +579,7 @@
            user            = root
            instances       = UNLIMITED
            server          = $QMAIL_ROOT_D/bin/tcp-env
    -       server_args     = $RBLSMTPD $rbl_server $QMAIL_ROOT_D/bin/relaylock
    $QMAIL_ROOT_D/bin/qmail-smtpd $QMAIL_ROOT_D/bin/smtp_auth $TRUE_BIN
    $QMAIL_ROOT_D/bin/cmd5checkpw $TRUE_BIN
    +       server_args     = $QMAIL_ROOT_D/bin/relaylock
    $QMAIL_ROOT_D/bin/qmail-smtpd $QMAIL_ROOT_D/bin/smtp_auth $TRUE_BIN
    $QMAIL_ROOT_D/bin/cmd5checkpw $TRUE_BIN $RBLSMTPD $rbl_server
     }" > "$xinetd_dir/smtps_${product}" || die "$inten"
                                            ;;
                                    *)
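    Review bot: this hunk repeats the same reordering for the smtps_${product} stanza, so the same question about whether a trailing rblsmtpd ever runs applies here. Separately, the chain is now written out in full in three places (this hunk, the smtp_${product} hunk and the inetd records below), which is how the copies drift when one is edited and the others are not; assembling it once into a variable such as `smtpd_chain="$QMAIL_ROOT_D/bin/relaylock $QMAIL_ROOT_D/bin/qmail-smtpd ... $TRUE_BIN"` and referencing that in all three stanzas would make the real change a one-line diff.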
    @@ -674,8 +674,8 @@
     
            case "$rbl_on" in
                    on)
    -                       smtp_rec="smtp stream tcp nowait$maxconn root
    $QMAIL_ROOT_D/bin/tcp-env tcp-env  $RBLSMTPD $rbl_server
    $QMAIL_ROOT_D/bin/relaylock $QMAIL_ROOT_D/bin/qmail-smtpd
    $QMAIL_ROOT_D/bin/smtp_auth $QMAIL_ROOT_D/bin/true
    $QMAIL_ROOT_D/bin/cmd5checkpw $QMAIL_ROOT_D/bin/true"
    -                       smtps_rec="smtps stream tcp nowait$maxconn root
    $QMAIL_ROOT_D/bin/tcp-env tcp-env  $RBLSMTPD $rbl_server
    $QMAIL_ROOT_D/bin/relaylock $QMAIL_ROOT_D/bin/qmail-smtpd
    $QMAIL_ROOT_D/bin/smtp_auth $QMAIL_ROOT_D/bin/true
    $QMAIL_ROOT_D/bin/cmd5checkpw $QMAIL_ROOT_D/bin/true"
    +                       smtp_rec="smtp stream tcp nowait$maxconn root
    $QMAIL_ROOT_D/bin/tcp-env tcp-env $QMAIL_ROOT_D/bin/relaylock
    $QMAIL_ROOT_D/bin/qmail-smtpd $QMAIL_ROOT_D/bin/smtp_auth
    $QMAIL_ROOT_D/bin/true $QMAIL_ROOT_D/bin/cmd5checkpw $QMAIL_ROOT_D/bin/true
    $RBLSMTPD $rbl_server"
    +                       smtps_rec="smtps stream tcp nowait$maxconn root
    $QMAIL_ROOT_D/bin/tcp-env tcp-env $QMAIL_ROOT_D/bin/relaylock
    $QMAIL_ROOT_D/bin/qmail-smtpd $QMAIL_ROOT_D/bin/smtp_auth
    $QMAIL_ROOT_D/bin/true $QMAIL_ROOT_D/bin/cmd5checkpw $QMAIL_ROOT_D/bin/true
    $RBLSMTPD $rbl_server"
                            ;;
                    *)
                            smtp_rec="smtp stream tcp nowait$maxconn root
    $QMAIL_ROOT_D/bin/tcp-env tcp-env  $QMAIL_ROOT_D/bin/relaylock
    $QMAIL_ROOT_D/bin/qmail-smtpd $QMAIL_ROOT_D/bin/smtp_auth
    $QMAIL_ROOT_D/bin/true $QMAIL_ROOT_D/bin/cmd5checkpw $QMAIL_ROOT_D/bin/true"
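    Review bot: in the `on)` branch the two `+` records also drop the double space after `tcp-env tcp-env` that the original lines and the unchanged `*)` branch keep; harmless, but it makes the hunk look like more than a reorder. Leaving the `*)` branch untouched is correct, since that branch has no `$RBLSMTPD` at all. The records here are inetd lines rather than xinetd stanzas, so the trailing `$RBLSMTPD $rbl_server` placement carries the same concern as in the two hunks above: it needs to be verified against the mail log rather than assumed to work.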
    
    Or, an ed-style script for those who'd rather use that:

    Code:
    [root@114394-www1 bin]# diff -ed mysqldump.sh_ mysqldump.sh
    677,678c
                            smtp_rec="smtp stream tcp nowait$maxconn root
    $QMAIL_ROOT_D/bin/tcp-env tcp-env $QMAIL_ROOT_D/bin/relaylock
    $QMAIL_ROOT_D/bin/qmail-smtpd $QMAIL_ROOT_D/bin/smtp_auth
    $QMAIL_ROOT_D/bin/true $QMAIL_ROOT_D/bin/cmd5checkpw $QMAIL_ROOT_D/bin/true
    $RBLSMTPD $rbl_server"
                            smtps_rec="smtps stream tcp nowait$maxconn root
    $QMAIL_ROOT_D/bin/tcp-env tcp-env $QMAIL_ROOT_D/bin/relaylock
    $QMAIL_ROOT_D/bin/qmail-smtpd $QMAIL_ROOT_D/bin/smtp_auth
    $QMAIL_ROOT_D/bin/true $QMAIL_ROOT_D/bin/cmd5checkpw $QMAIL_ROOT_D/bin/true
    $RBLSMTPD $rbl_server"
    .
    582c
            server_args     = $QMAIL_ROOT_D/bin/relaylock
    $QMAIL_ROOT_D/bin/qmail-smtpd $QMAIL_ROOT_D/bin/smtp_auth $TRUE_BIN
    $QMAIL_ROOT_D/bin/cmd5checkpw $TRUE_BIN $RBLSMTPD $rbl_server
    .
    548c
            server_args     = $QMAIL_ROOT_D/bin/relaylock
    $QMAIL_ROOT_D/bin/qmail-smtpd $QMAIL_ROOT_D/bin/smtp_auth $TRUE_BIN
    $QMAIL_ROOT_D/bin/cmd5checkpw $TRUE_BIN $RBLSMTPD $rbl_server
    .
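    Review bot: the ed addresses `677,678c`, `582c` and `548c` are tied to the line numbers of the exact 8.1.1 build named above (they are emitted bottom-up so the earlier addresses stay valid while applying), so on any other build they will silently replace the wrong lines without an error. Prefer the unified diff above applied with `patch`, which matches on context and refuses to apply when the context has moved, or a pattern-based edit like the sed line earlier in the post.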
    
    Perhaps blocking all attempts from SBL and XBL IP addresses is a Good Thing, but blocking authenticated PBL is not. One thing I haven't tried is splitting the rblsmtpd command into two groups and leaving the SBL/XBL checking at the front of the list of server_args and then referring to rblsmtpd again after the authentication checks for the PBL list.

    Anyway, a bit of re-ordering the server_args means I don't need to run separate qmail daemons on various ports.

    Please tell me your improvements on my methods above.
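    One improvement on the method above, as an added shell example that is not robotterror's script: a check that reads the server_args line of a Plesk xinetd SMTP stanza and reports whether rblsmtpd is still in front of the chain, has been moved to the tail, or is absent. rblsmtpd does its lookup and then execs the program named after it, so it only filters as the first program tcp-env runs; a later reply in this thread reports that in the tail position it never blocks anything, which is exactly what this audit is meant to flag after Plesk rewrites the file. The two sample stanzas are constructed from the server_args lines quoted in the post; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not robotterror's script): audits the server_args line of a
# Plesk xinetd SMTP stanza and reports where rblsmtpd sits in the chain.
# rblsmtpd is a front-end that does the DNSBL lookup and then execs the program
# named after it, so it filters only when it is the first program tcp-env
# runs; a later reply in this thread reports that in the tail position it
# never blocks anything, which this check is meant to catch. The two sample
# stanzas are constructed from the server_args lines quoted in the post; the
# function names are this example's own.
set -eu

# Extract the (first) server_args value from an xinetd stanza file.
server_args_of() {
    sed -n 's/^[[:space:]]*server_args[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Classify an argument chain: "front" (rblsmtpd wraps the chain, listed IPs
# are refused before AUTH), "tail" (rblsmtpd after the auth helpers, no
# evidence it ever runs) or "none" (no RBL check on this listener).
rbl_position() {
    args=$1
    first=${args%% *}            # first program in the chain
    case $first in
        */rblsmtpd) echo front; return 0 ;;
    esac
    case $args in
        *rblsmtpd*) echo tail ;;
        *)          echo none ;;
    esac
}

# One-line verdict per stanza file; returns 1 for the questionable tail form
# so the audit can fail from cron after Plesk has rewritten the file.
audit_stanza() {
    args=$(server_args_of "$1")
    pos=$(rbl_position "$args")
    case $pos in
        front) echo "$1: rblsmtpd in front; listed IPs are refused before AUTH" ;;
        tail)  echo "$1: rblsmtpd trailing; confirm in the mail log that RBL rejections still happen"; return 1 ;;
        none)  echo "$1: no rblsmtpd; RBL checking is off on this listener" ;;
    esac
}

# Constructed samples: the stock Plesk ordering and the reordered one.
write_samples() {
    dir=$1
    cat > "$dir/stock.conf" <<'EOF'
service smtp_psa
{
        server          = /var/qmail/bin/tcp-env
        server_args     = /usr/sbin/rblsmtpd  -r zen.spamhaus.org /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
}
EOF
    cat > "$dir/reordered.conf" <<'EOF'
service smtp_psa
{
        server          = /var/qmail/bin/tcp-env
        server_args     = /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true /usr/sbin/rblsmtpd  -r zen.spamhaus.org
}
EOF
}

# Usage: audit live files (sh audit-rbl.sh /etc/xinetd.d/smtp_psa /etc/xinetd.d/smtps_psa)
# or, with no arguments, run against the constructed samples in a temp directory.
if [ $# -gt 0 ]; then
    rc=0
    for f in "$@"; do audit_stanza "$f" || rc=1; done
    exit $rc
else
    d=$(mktemp -d)
    write_samples "$d"
    audit_stanza "$d/stock.conf"
    audit_stanza "$d/reordered.conf" || true
    rm -rf "$d"
fi
```

    Pointing it at smtp_psa and smtps_psa from cron gives a non-zero exit whenever Plesk has rewritten the stanza (or the reorder has left rblsmtpd dangling at the end), which is a more useful signal than blindly re-running the sed line.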
     
  6. Brujo

    Brujo Regular Pleskian

    28
    57%
    Joined:
    Mar 4, 2006
    Messages:
    278
    Likes Received:
    2
    Location:
    Germany
    @robotterror
    2 points...

    a) If you move rblsmtpd to the end, it seems never to block an IP based on RBL.

    b) I did the changes in mysqldump.sh, but it seems not to be used to set up the xinetd conf for smtp_psa & smtps_psa.
     
  7. albans

    albans Regular Pleskian

    26
     
    Joined:
    Nov 29, 2005
    Messages:
    173
    Likes Received:
    0