From 14d5bad9ff60dcc780ba822b20ba85cd4c808926 Mon Sep 17 00:00:00 2001
From: Matt Simerson
Date: Mon, 5 Aug 2013 15:32:31 -0700
Subject: [PATCH 1/6] remove plaintext UPGRADING (.pod added by Ask)

---
 UPGRADING | 26 --------------------------
 1 file changed, 26 deletions(-)
 delete mode 100644 UPGRADING

diff --git a/UPGRADING b/UPGRADING
deleted file mode 100644
index 7a3b478..0000000
--- a/UPGRADING
+++ /dev/null
@@ -1,26 +0,0 @@
-
-When upgrading from:
-
-v 0.84 or below
-
-CHECK_RELAY, CHECK_NORELAY, RELAY_ONLY
-
- All 3 plugins are deprecated and replaced with a new 'relay' plugin. The new plugin reads the same config files (see 'perldoc plugins/relay') as the previous plugins. To get the equivalent functionality of enabling 'relay_only', use the 'only' argument to the relay plugin as documented in the RELAY ONLY section of plugins/relay.
-
-GREYLISTING plugin:
-
- 'mode' config argument is deprecated. Use reject and reject_type instead.
-
- The greylisting DB format has changed to accommodate IPv6 addresses. (The DB key has colon ':' seperated fields, and IPv6 addresses are colon delimited). The new format converts the IPs into integers. There is a new config option named 'upgrade' that when enabled, updates all the records in your DB to the new format. Simply add 'upgrade 1' to the plugin entry in config/plugins, start up qpsmtpd once, make one connection. A log entry will be made, telling how many records were upgraded. Remove the upgrade option from your config.
-
-SPF plugin:
-
- spf_deny setting deprecated. Use reject N setting instead, which provides administrators with more granular control over SPF. For backward compatibility, a spf_deny setting of 1 is mapped to 'reject 3' and a 'spf_deny 2' is mapped to 'reject 4'.
-
-
-P0F plugin:
- defaults to p0f v3 (was v2).
-
- Upgrade p0f to version 3 or add 'version 2' to your p0f line in config/plugins. perldoc plugins/ident/p0f for more details.
-
-
From 6b4b714c2af17baaf08df8d5d432acdb1a7dfc71 Mon Sep 17 00:00:00 2001 From: Matt Simerson Date: Sun, 1 Dec 2013 03:42:55 -0500 Subject: [PATCH 2/6] removed a diff block from docs/config.pod --- docs/config.pod | 4 ---- 1 file changed, 4 deletions(-) diff --git a/docs/config.pod b/docs/config.pod index e2fbb28..86e0f0b 100644 --- a/docs/config.pod +++ b/docs/config.pod @@ -89,11 +89,7 @@ connection before any auth succeeds, defaults to C<0>. =back -<<<<<<< HEAD -=head2 Plugin settings -======= =head2 Plugin settings files ->>>>>>> initial import - based on my qpsmtpd fork =over 4 From ddb613f173c6226a9e537c35ddb23f11489ac50e Mon Sep 17 00:00:00 2001 From: Matt Simerson Date: Sun, 1 Dec 2013 03:45:12 -0500 Subject: [PATCH 3/6] TcpServer: optimize DNS lookups for PTR a. don't use search path (/etc/resolv.conf) b. explicitely specify PTR in query request --- lib/Qpsmtpd/TcpServer.pm | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/lib/Qpsmtpd/TcpServer.pm b/lib/Qpsmtpd/TcpServer.pm index 8641576..5651aa4 100644 --- a/lib/Qpsmtpd/TcpServer.pm +++ b/lib/Qpsmtpd/TcpServer.pm @@ -191,18 +191,18 @@ sub tcpenv { return ($TCPLOCALIP, $TCPREMOTEIP, $TCPREMOTEIP ? "[$ENV{TCPREMOTEIP}]" : "[noip!]"); } - my $res = new Net::DNS::Resolver; + my $res = Net::DNS::Resolver->new( dnsrch => 0 ); $res->tcp_timeout(3); $res->udp_timeout(3); - my $query = $res->query($nto_iaddr); + my $query = $res->query($nto_iaddr, 'PTR'); my $TCPREMOTEHOST; if ($query) { foreach my $rr ($query->answer) { - next unless $rr->type eq "PTR"; + next if $rr->type ne 'PTR'; $TCPREMOTEHOST = $rr->ptrdname; } } - return ($TCPLOCALIP, $TCPREMOTEIP, $TCPREMOTEHOST || "Unknown"); + return ($TCPLOCALIP, $TCPREMOTEIP, $TCPREMOTEHOST || 'Unknown'); } sub check_socket() { From 19115cd2e435f2cdcdd44524c404263e64723eb7 Mon Sep 17 00:00:00 2001 
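Review bot: The name taken from `$rr->ptrdname` and returned as the remote host is whatever the owner of the client's reverse zone publishes, and nothing in this hunk confirms it with a forward lookup; when several PTR records come back, the loop keeps the last one. Anything that uses the value for relay or allow-list decisions, or copies it into logs and headers, should treat it as unverified input. I would add a comment above the loop, `# PTR name comes from the client's reverse zone and is not forward-confirmed; do not use it for access decisions`. Separately, as far as I know Net::DNS applies the search list only in `search()`, not in `query()`, so `dnsrch => 0` probably has no effect on this call and the explicit `'PTR'` type is the part that matters. The body of tcpenv begins before the hunk.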
From: Matt Simerson Date: Tue, 17 Dec 2013 14:13:51 -0800 Subject: [PATCH 4/6] move Auth-Results header to Original-Auth-Results this was in a sub, commented out as a TODO to delete them. Instead of deleting, move the Authentication-Results header on incoming messages to the Original-A-R. --- lib/Qpsmtpd/SMTP.pm | 25 ++++++++++++++++--------- 1 file changed, 16 insertions(+), 9 deletions(-) diff --git a/lib/Qpsmtpd/SMTP.pm b/lib/Qpsmtpd/SMTP.pm index 1589472..fe8e63e 100644 --- a/lib/Qpsmtpd/SMTP.pm +++ b/lib/Qpsmtpd/SMTP.pm @@ -23,7 +23,7 @@ use Net::DNS; # this is only good for forkserver # can't set these here, cause forkserver resets them -#$SIG{ALRM} = sub { respond(421, "Game over pal, game over. You got a timeout; I just can't wait that long..."); exit }; +#$SIG{ALRM} = sub { respond(421, "timeout; I can't wait that long..."); exit }; #$SIG{ALRM} = sub { warn "Connection Timed Out\n"; exit; }; sub new { 
@@ -818,17 +818,24 @@ sub authentication_results { sub clean_authentication_results { my $self = shift; -# On messages received from the internet, we may want to remove -# the Authentication-Results headers added by other MTAs, so our downstream -# can trust the new A-R header we insert. -# We do not want to invalidate DKIM signatures. -# TODO: parse the DKIM signature(s) to see if A-R header is signed - return if $self->transaction->header->get('DKIM-Signature'); +# http://tools.ietf.org/html/draft-kucherawy-original-authres-00.html - my @headers = $self->transaction->header->get('Authentication-Results'); - for ( my $i = 0; $i < scalar @headers; $i++ ) { +# On messages received from the internet, move Authentication-Results headers +# to Original-AR, so our downstream can trust the A-R header we insert. + +# TODO: Do not invalidate DKIM signatures. +# if $self->transaction->header->get('DKIM-Signature') +# Parse the DKIM signature(s) +# return if A-R header is signed; +# } + + my @ar_headers = $self->transaction->header->get('Authentication-Results'); + for ( my $i = 0; $i < scalar @ar_headers; $i++ ) { $self->transaction->header->delete('Authentication-Results', $i); + $self->transaction->header->add('Original-Authentication-Results', $ar_headers[$i]); } + + $self->log(LOGDEBUG, "Authentication-Results moved to Original-Authentication-Results" ); }; sub received_line { From 04634feffea89d763ca02b8ab76f40f1bde713e5 Mon Sep 17 00:00:00 2001 From: Matt Simerson Date: Tue, 17 Dec 2013 15:06:58 -0800 Subject: [PATCH 5/6] STATUS: removed -dev comments --- STATUS | 18 +++++------------- 1 file changed, 5 insertions(+), 13 deletions(-) diff --git a/STATUS b/STATUS index 6992271..c9e7e8f 100644 --- a/STATUS +++ b/STATUS 
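Review bot: The loop in clean_authentication_results deletes `Authentication-Results` by index while `$i` counts upward, so if `header->delete` re-indexes the remaining instances after each removal (not visible here, but usual for Mail::Header-style containers), only every other header is removed. An upstream-supplied A-R header can then stay in place beside the one this server inserts, and a downstream filter that trusts A-R would read forged results. Iterating from the highest index down is safe under either delete behaviour: `for my $i ( reverse 0 .. $#ar_headers ) {`, at the cost of adding the Original-Authentication-Results copies in reverse order. The LOGDEBUG line also fires when `@ar_headers` is empty; `return if !@ar_headers;` before the loop would keep the log accurate.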
@@ -1,19 +1,11 @@ -Qpsmtpd-dev is a fork of Qpsmtpd. Qpsmtpd is a very good SMTP daemon for -developers and hackers (admittedly, its focus). The plugin system is great -but the plugin organization, documentation, and consistency left much -to be desired. +Qpsmtpd is a very good SMTP daemon for developers and hackers. -The primary focus of the -dev branch is improving the consistency and -behavior of the plugins. After using one plugin, the knowledge gained -should carry over to other plugins. - -Secondary goals are making it easier to install, reducing code duplication, +Current goals are making it easier to install, reducing code duplication, reducing complexity, and cooperation between plugins. Anything covered -in Perl Best Practices is also fair game. +in Perl Best Practices is fair game. -So far, the main changes between the release and dev branches have focused -on these goals: +Recent changes have been made towards these goals: - plugins use is_immune and is_naughty instead of a local methods - plugins log a single entry summarizing their disposition @@ -36,7 +28,7 @@ For most sites, even DNSBL, SPF, DKIM, and SpamAssassin tests alone are insuffic Roadmap ======= - - https://github.com/qpsmtpd-dev/qpsmtpd-dev/issues + - https://github.com/smtpd/qpsmtpd/issues - Bugfixes - qpsmtpd is extremely stable (in production since 2001), but there are always more things to fix. From f78da4b13dd70d25fcd096cdff7476f4fa5ab206 Mon Sep 17 00:00:00 2001 From: Matt Simerson Date: Tue, 17 Dec 2013 15:08:29 -0800 Subject: [PATCH 6/6] Changes: updated with 0.93 changes --- Changes | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/Changes b/Changes index 01053b6..3e377a8 100644 --- a/Changes +++ b/Changes 
@@ -1,4 +1,30 @@ +0.93 Dec 17, 2013 + + Added Authentication-Results header + moves Authentication-Results to Original-Authentication-Results on inbound. + no longer puts auth info in Received header + + TcpServer: ignore DNS search path and explicitely request PTR lookups (speedup) + + store envelope TO/FROM in connection notes + + raised max msg size in clamdscan + + SPF enabled by default (if Mail::SPF available) + + auth_vpopmaild: added taint checking to responses + + added run files for most common deployment methods (easier install) + + untaint config data passed to plugins + + Qpsmtpd.pm: split config args on /\s+/, was / / + (compatibility with newer versions of perl) + + dmarc: added subdomain policy handling + + 0.92 Apr 20, 2013 new plugins: dmarc, fcrdns