switched default TLS security in config/tls_ciphers from HIGH to HIGH:!SSLv2. Added note for how to set the minimum level of security necessary for PCI compliance.
Signed-off-by: Robert <rspier@pobox.com>
based on..
From: Charlie Brady <charlieb-qpsmtpd@budge.apana.org.au>
Subject: rpm packaging bug - smtpd user created with shell not /bin/false
Date: Sat, 17 Jul 2010 18:17:49 -0400 (EDT)
Message-ID:
<Pine.LNX.4.64.1007171816230.19928@e-smith.charlieb.ott.istop.com>
http://bugs.contribs.org/show_bug.cgi?id=6025
if ! id smtpd >/dev/null 2>&1
then
# need to create smtpd user.
if perl -e 'exit ! defined(getgrnam("postdrop"))'
then
# if postfix is installed, we will probably use
# queue/postfix, which will need this:
supp="-G postdrop"
fi
useradd -r -m $supp smtpd
fi
qpsmtpd needs a user "smtpd", but should not create a home directory or
give access to a shell.
2. If the name doesn't end in a dot then append each item in the search list to the name.
This is only done if dnsrch is true.
triggered by..
From: Charlie Brady <charlieb-qpsmtpd@budge.apana.org.au>
Subject: [BUG] Default search path used in require_resolvable_fromhost
Date: Sat, 17 Jul 2010 16:24:42 -0400 (EDT)
Message-ID:
<Pine.LNX.4.64.1007171623040.17109@e-smith.charlieb.ott.istop.com>
http://bugs.contribs.org/show_bug.cgi?id=5808
Jesper Knudsen 2010-03-01 01:29:10 MST
When using the require_resolvable_fromhost plugin for qpsmtpd I noticed
that mails from user@localhost.localdomain was actually getting through
this filter. I finally found out that the plugin has a bug that causes it
to insert default search path if it cannot find the domain. This means in
my case that localhost.localdomain was then tried resolved as
localhost.localdomain.swerts-knudsen.dk and since I have a wilcard CNAME
was resolved as my public IP.
Since this plugin is only enabled for public interface the fix is to set
the "dnsrch" flag when creating the Net::DNS object.
In require_resolvable_fromhost:
my $res = Net::DNS::Resolver->new (
dnsrch => 0
);
added to MANIFEST
plugins/check_bogus_bounce
plugins/auth/auth_vpopmaild
t/plugin_tests/greylisting
added packaging to MANIFEST.SKIP
Signed-off-by: Robert <rspier@pobox.com>
- these changes are in the previous TCPLOCAL patch. Documented here.
added p0f config option
added POD docs to explain usage
modified $dbdir selection logic. The previous logic failed when QPHOME was
not selected (as is the case when tests are being run).
Added '.' as the dir of last resort for $dbdir selection (others $EMPTY/dir
dumped greylisting database in / )
- These changes are included in this patch -
Added t/plugin_tests/greylisting, with greylist logic testing (tests are
disabled by default, as greylisting is disabled in config.sample/plugins)
Added example entry in config.sample/plugins
Signed-off-by: Robert <rspier@pobox.com>
(updated patch against rspier/qpsmtpd)
The p0f plugin defaulted to binding to TCPLOCALIP, which doesn't work
when the mail server is running behind a firewall with a private IP. If
the local_ip option is set in the config file, it overrides TCPLOCALIP.
Added POD documentation for local_ip option and p0f general usage
Signed-off-by: Robert <rspier@pobox.com>
(patch remade against latest rspier/qpsmtpd)
added remote_port, local_ip, local_port, and local_host to $qp->connection, as the p0f plugin relies on it.
added notes to TcpServer.pm and the p0f plugin noting the dependence, and the lack of support for models other than tcpserver.
Signed-off-by: Robert <rspier@pobox.com>
rewrote the plugin using Mail::SPF, which is the replacement for Mail::SPF::Query (by the same author). The two plugins are mutually exclusive and SpamAssassin expects to have Mail::SPF available.
Signed-off-by: Robert <rspier@pobox.com>
added auth_vpopmail plugin, using the perl-vpopmail module
added VPOPMAIL auth methods description to docs/authentication
added SEE ALSO section to each module, noting the VPOPMAIL description
Signed-off-by: Robert <rspier@pobox.com>
updates to auth_vpopmail_sql module
- moved vpopmail database parameters into config files
- added LIMITATIONS section to POD, noting no support for alias domains
- renamed sub from authsql (too generic) to auth_vmysql
Signed-off-by: Robert <rspier@pobox.com>
The current status file, in git, has the following entry:
-plugin to reject mails from <> if it has multiple recipients.
I hereby submit my plugin to handle this case for possible inclusion,
under the same terms as the current qpsmtpd release.
The plugin is available here:
http://www.steve.org.uk/Software/qpsmtpd/check_bogus_bounce/
Please find patch against git head below, adding the file and removing
the TODO line from the status file.
Signed-off-by: Robert <rspier@pobox.com>
Minor fixups to the documentation:
* README + CREDITS:
We use git now, not subversion.
* README:
dns -> DNS
smtp -> SMTP
Steve
--
Let me steal your soul?
http://stolen-souls.com
Signed-off-by: Robert <rspier@pobox.com>
Jost Krieger pointed out that the documentation for the header check called
for a config_headers, but the code actually implemented scan_headers. Updated
to accept either. Also the condition for actually checking/skipping the
headers was inverted.
Also whitespace fixes.
Qpsmtpd::config now checks cache, hooks, qmail_config, default in this
order and returns the first match. In any case the returned value is
stored in the cache, so subsequent calls to Qpsmtpd::config return the
same value (unless the cache is cleared).
Trying to get SMTP auth working with alpine, I came across a bug.
Alpine sends AUTH PLAIN and waits for a 334 response, then sends the
auth string. According to the RFC, the server should reply with 334
and a nothing else, but in Auth.pm qpsmtpd responds with "334 Please
continue." the "Please continue" is interpreted as a non-zero
length initial challenge which causes alpine (and maybe other
clients?) to abort the session.
Signed-off-by: Charlie Brady <charlieb@budge.apana.org.au>
Signed-off-by: Robert <rspier@pobox.com>
Exim's BSMTP interface will indicate the SMTP response to the exchange;
actually use it rather than assuming all errors are 400-class soft ones.
Tolerate $transaction->header returning undef (since it evidently can under
some conditions).
Convert a few errant tabs to spaces.
Fix vi modeline.
Signed-off-by: Robert <rspier@pobox.com>
Hi all!
I have written a patch to allow the spamassasin plugin to have a custom
spam tag read in from a configuration file as opposed to the default ***
SPAM *** that is hard coded.
When the configuration file (spamsubjectprefix) is not defined or empty
the default value still applies, if it is provided the value from the
configuration file is used.
Any change this can be considered for implementation as we would really
like to have it for SME Server.
Kind regards,
Jonathan
Signed-off-by: Robert <rspier@pobox.com>
