
Stand Blue Technology - badmailfrom-env patch

The Patches

But, Why?

I run two instances of qmail-smtpd, /service/smtpd-a/ and /service/smtpd-b/. I offer virus and spam scanning for my clients at an additional charge. For the clients who subscribe to this service I set their MX record to a.mx.standblue.net (smtpd-a); everyone else has their MX record set to b.mx.standblue.net (smtpd-b). The /service/smtpd-a/run file has QMAILQUEUE defined and passes all incoming mail through qmail-scanner. Mail destined for domains with an MX record of b.mx.standblue.net gets passed straight through to the queue, with no checking.

Of course, the customers who aren't paying for spam blocking are still getting the benefit of what I blacklist in /var/qmail/control/badmailfrom. With the badmailfrom-env patch I added a line to the /service/smtpd-b/run file that specifies a different badmailfrom file for that instance.

  #!/bin/sh

  PATH=/var/qmail/bin:$PATH
  QMAILDUID=`id -u qmaild`
  NOFILESGID=`id -g qmaild`
  MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
  # The patched qmail-smtpd reads this file instead of control/badmailfrom
  # when BADMAILFROM is present in its environment.
  BADMAILFROM="/var/qmail/control/badmailfrom-b"
  export BADMAILFROM
  exec /usr/local/bin/softlimit -m 30000000 \
      tcpserver -vR -l b.mx.standblue.net -x /service/smtpd-a/tcp.cdb -c "$MAXSMTPD" \
          -u "$QMAILDUID" -g "$NOFILESGID" 66.216.97.211 smtp qmail-smtpd 2>&1

Now I can maintain completely separate badmailfrom lists for the two qmail-smtpd services.

Of course, that's just one way the patch can be used. Another would be to specify different badmailfrom files based on where the message is coming from. For example, I have noticed recently that users have been receiving lots of spam from the aol.com networks. Much of the spam has sender addresses from yahoo.com and hotmail, which is obviously not right. You want to still be able to receive mail from users at yahoo.com and hotmail, but not if it's being sent from the aol.com network.

The following line can be added to your tcprules file to prevent this from happening:

  =.aol.com:allow,BADMAILFROM="/var/qmail/control/badmailfrom-aol"

Then, create a /var/qmail/control/badmailfrom-aol file with the following:

  @yahoo.com
  @hotmail.com

Don't forget to recompile your tcprules file.

Another way to approach this would be to list @yahoo.com and @hotmail.com in your global badmailfrom file, then have a line in your tcprules file that switches to a badmailfrom file which doesn't list @yahoo.com or @hotmail.com:

  shell$ cat /service/smtpd-a/tcp
  =.yahoo.com:allow,BADMAILFROM="/var/qmail/control/badmailfrom-fromyahoo"

Using this method, messages with an envelope sender at @yahoo.com can only come from an IP address that reverse-resolves to *.yahoo.com. Note that anyone with control of their reverse DNS can set an IP to reverse-resolve to something under .yahoo.com. Read Russell Nelson's qmail list post about this.

This is not necessarily a recommendation, but rather an example of things that can be done.
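The selection and matching behaviour behind both uses above (the run-file export and the tcprules override) is easy to misjudge, so here is an added example that emulates it; this is illustrative shell, not code from the patch or from qmail, and the control files it reads are constructed under a temporary directory standing in for /var/qmail/control. Matching follows qmail-smtpd's bmfcheck(): a line "@domain" rejects every sender at that domain, any other line rejects exactly that address, and both comparisons are case-insensitive.

```sh
#!/bin/sh
# Added example, not part of the badmailfrom-env patch: emulate how the patched
# qmail-smtpd picks its badmailfrom list and tests an envelope sender against it.
# The control files below are constructed here; $CTL stands in for /var/qmail/control.
CTL=$(mktemp -d)
trap 'rm -rf "$CTL"' EXIT
printf '%s\n' 'spammer@example.com' '@example.net' > "$CTL/badmailfrom"
printf '%s\n' '@yahoo.com' '@hotmail.com'           > "$CTL/badmailfrom-aol"

# The list in force: $BADMAILFROM when tcpserver exported it from a tcprules
# entry (or the run file did), otherwise the global control/badmailfrom.
bmf_file() {
    printf '%s\n' "${BADMAILFROM:-$CTL/badmailfrom}"
}

# bmf_check SENDER: exit 0 if the envelope sender would be rejected, 1 if accepted.
bmf_check() {
    sender=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$sender" in
        *@*) at_domain="@${sender##*@}" ;;   # "@domain" after the last '@'
        *)   at_domain="" ;;                  # no '@': only an exact line can match
    esac
    file=$(bmf_file)
    [ -r "$file" ] || return 1               # no readable list: nothing is rejected
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr 'A-Z' 'a-z')
        [ -z "$line" ] && continue
        case "$line" in
            @*) [ "$line" = "$at_domain" ] && return 0 ;;
            *)  [ "$line" = "$sender" ]    && return 0 ;;
        esac
    done < "$file"
    return 1
}

# Demonstration in a subshell so the exported override does not leak out.
(
    for s in 'Spammer@Example.com' 'friend@yahoo.com'; do
        bmf_check "$s" && echo "global list:  reject $s" || echo "global list:  accept $s"
    done
    # Same effect as a connection matched by the tcprules line
    #   =.aol.com:allow,BADMAILFROM="/var/qmail/control/badmailfrom-aol"
    BADMAILFROM="$CTL/badmailfrom-aol"; export BADMAILFROM
    for s in 'Spammer@Example.com' 'friend@yahoo.com'; do
        bmf_check "$s" && echo "aol override: reject $s" || echo "aol override: accept $s"
    done
)
```

Note that an override replaces the global list entirely rather than adding to it, which is why the first sender is accepted once the aol list is in force.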

Note: If you apply the badmailfrom-env-qregex patch then qmail-smtpd will also look for a BADMAILTO environment variable before it uses control/badmailto.

Applying The Patches

For the vanilla patch, badmailfrom-env, simply copy the file to your qmail-1.03 source directory and run the following command:

  shell$ patch < badmailfrom-env.patch

The badmailfrom-env-qregex patch requires that you have already applied the qregex patch to your qmail sources. After that, apply the badmailfrom-env-qregex patch:

  shell$ patch < badmailfrom-env-qregex.patch

Finally, stop qmail, run make setup check, and restart qmail.