control-alt-del.org

Last update: 2007-02-12

// C O N T R O L - A L T - D E L . O R G

"Fate strikes down the strong man, Everyone weep with me " - O Fortuna

NAVIGATION>>

:: CODE

The three chief virtues of a programmer are: Laziness, Impatience and Hubris
-- Larry Wall

CONTACT

:. Qmail installation guide

This document explains how to install Qmail with the following features:

- Greylisting

- Adaptive blacklist

- SpamAssassin

- Simscan

- Recipient filtering

- Virus scanning (ClamAV)

- Administration tool for configuring whitelists, blacklists, relay control, etc...

:. Document conventions

Commands to run use the Courier New font and are highlighted in orange:

/path/to/a/command/to/run --options

File contents are always displayed within a text area field:

#!/bin/bash echo "Mark rocks"

(sorry firefox folks, copy-paste button only works with IE)

Explanations use Arial – This text.

Replace all occurances of yourdomain.com with your domain name. Duh.

:. Assumptions

I'm going to assume you've already got a working Linux system.

I personally prefer Slackware Linux, and will eventually get around to posting the exact installation instructions used to setup all of the servers I manage. For now, you'll need:

- Working Linux server

- You need to be root to install these packages

- A public IP address that has reverse DNS setup

- Not currently running an MTA on the server (remove sendmail)

- Knowledge on how to compile applications

This document describes the installation from source of all the applications, so it'll probably work on all the *BSDs as well as Linux.

Note that you shouldn't try to just install the binary packages from your distribution and expect it to work with the instructions in this document (unless the distribution decides to adopt my way of implementing Qmail).

One last thing, this isn't really a setup that can be used stand-alone, as it's designed to rely on a backend server for actually handling the delivery to a mailbox (M$ exchange using Active Directory). I may eventually get around to schlepping together a version for supporting local/virtual users, vpopmail, ldap, etc...

:. Architectural considerations

Security

The Qmail SMTP server was selected because it was built with security in mind. The version we are using has been in a production state since March 1997, and no security vulnerabilities have been discovered in this software since then.
Each component of the system is independent of the others, and makes use of privilege separation and different unprivileged user accounts to accomplish the various tasks which need to be performed.
Should one component become compromised, it is unlikely to cascade to all systems or lead to a compromised system.
Separate functions are moved into mutually untrusting programs.
Qmail is one of the most used SMTP servers in the world (well over 1,000,000 deployments).
Linux has a fairly good track record for operating system security and can be hardened to meet military grade security if this is deemed necessary.
Enforced memory limits on the SMTP process limits the possibility of buffer overflows.

Speed

Filtering operations are layered from least resource intensive to most intensive. A large percentage of spam messages are filtered without needing resource intensive scanning.
Where possible, the system avoids reading from the hard drive (temporary files are written to a ramdisk). All scanning engines (virus, spam) are resident in memory.
Bounces should be avoided at all costs as they tie up resources needlessly.

Limiting the possibilities of false positives

SpamAssassin has a target false positive rate of less than 1/2500 (0.04%) on a corpus of 250,000 mail messages.
None of the filtering methods should have an impact on normal mail delivery.
There should be an easy way to control whitelists, as no filtering system is foolproof

Adaptive filtering

The system should be able to update itself and learn as new spam techniques evolve.

Easy to understand and extend

No monolithic application, each process should be small and well documented/understood
Extensive logging capabilities
Easy to monitor
Open source should be favored to avoid vendor lock-in

:. Features - Greylisting

Greylisting is a spam prevention method which is particularly good at stopping spam generated by zombie bots. It operates on a very simple principle.

Since SMTP is considered an unreliable transport, the possibility of temporary failures is built into the core spec (see RFC 821). As such, any well behaved message transfer agent (MTA) should attempt retries if given an appropriate temporary failure code for a delivery attempt.

The implementation of greylisting which is described in this guide was developped here: http://oss.albawaba.com/cqgreylist.html

How it works is simple:

- The first time a remote mail server or client connects to the server, we give a temporary failure error.

- For the next 60 seconds, we will continue to give this temporary failure should the server or client reconnect.

- After 60 seconds, any further attempts from that same IP will be allowed through

Since most spam software and zombies operate on a fire-and-forget mode of operation, this method is fairly effective at reducing the total volume of spam without impacting valid mail servers that regularly send e-mail to our systems.

:. Features - Adaptive blacklist

The adaptive blacklist is something I cooked up. The basic idea is that all spam filtering methods which are implemented should create a feedback loop.

The adaptive blacklist application operates as a multilog logfile post-processor. It analyzes patterns of spam/ham/viruses/invalid recipients and makes an assessment of the relative 'trustability' of an IP address over time.

The current implementation will keep track of all spams, hams, viruses and invalid recipient delivery attempts for an IP address for a 60 minute interval. If a remote IP has tried to deliver e-mail more than 10 times in this interval, and over 50% of these delivery attempts were spam/viruses/invalid recipients, I blacklist the IP for 4 hours.

Although not terribly effective for defending against things like one time spams, it will probably catch 'spam storms' and dictionairy attacks.

:. Features - Recipient validation

This system is meant to be integrated into a M$ Exchange environment, and integrates itself with Active Directory.

The recipient validation reduces the amount of bounce emails which are due to spam by verifying that the recipient is valid before accepting the mail for delivery.

To do so, I make use of a qmail patch which can be found here

At this layer, we also check to see if the sender is in our blacklists as implemented using Qmail's badmailfrom list.

:. Features - Spam/Virus scanning

Content scanning is the last line of defense in this system.

Once the mail has reached this layer, we've eliminated most of the obvious robot generated spam that is in 'fire and forget' and 'carpetbomb' mode.

Informal analysis on the systems I've worked with indicate that at least 80% of the e-mail at this point is still spam/viruses. Luckily, the other layers have already eliminated a large number of spam, so scanning what's left in depth isn't such a big deal.

This part of the system will accomplish the following:

- Scan the messages for viruses

- Perform various DCC (distributed checksum clearinghouse) checks

- Perform multiple realtime blackhole DNS lookups

- Perform rule-based analysis using regular expressions

- Lookup SPF (sender policy framework) DNS records for the envelope sender domain

- Lookup DomainKeys values

- Perform URI dns blacklist lookups on URI's contained in the message

- Use Bayesian analysis and automatic whitelists

If a virus is found, the messages is dropped outright. Otherwise, each of the above tests will be combined to create an overall spam score.

The scores are evaluated against two score thresholds; warning and spam. When a messages is below the warning, a message will be generated and delivered to the user along with the message. When the score is above the warning, it is considered spam and rejected during the SMTP conversation.

:. Installation - Daemontools

Download, untar, install daemontools

# cd /usr/src
# wget http://cr.yp.to/daemontools/daemontools-0.76.tar.gz
# tar xvfz daemontools-0.76.tar.gz
# mv admin daemontools-0.76
# wget http://www.linuxfromscratch.org/patches/downloads/daemontools/daemontools-0.76-errno-1.patch
# cd daemontools-0.76/daemontools-0.76/src
# patch -p2 <../../../daemontools-0.76-errno-1.patch
# cd ..
# package/install

Verify that svscan is running

# ps ax | grep sv

Should look something like this:

:. Installation - CDB

Download/Unpack/Install Package

# cd /usr/src
# wget http://cr.yp.to/cdb/cdb-0.75.tar.gz
# wget http://www.jm-associates.com/admin/downloads/cdb-0.75.errno.patch
# tar xvfz cdb-0.75.tar.gz
# cd cdb-0.75
# patch -p1 <../cdb-0.75.errno.patch
# make setup check

:. Installation - DJBDNS

Download/unpack/install package

# cd /usr/src
# wget http://cr.yp.to/djbdns/djbdns-1.05.tar.gz
# tar xvfz djbdns-1.05.tar.gz
# cd djbdns-1.05
# echo gcc -O2 -include /usr/include/errno.h > conf-cc
# make setup check

Create user to run caching DNS server

# useradd -s /bin/false -d /nonexistent dnscache

Configure dnscache

# dnscache-conf dnscache dnscache /etc/dnscache 127.0.0.1
# cd /etc/dnscache
# rm -rf log

Edit /etc/dnscache/run:

#!/bin/sh exec > /dev/null exec 2>&1 exec <seed exec envdir ./env sh -c ' exec envuidgid dnscache softlimit -o250 -d "$DATALIMIT" /usr/local/bin/dnscache '

# chmod +x /etc/dnscache/run
# cd /service
# ln -s /etc/dnscache
# echo -e "search yourdomain.com\nnameserver 127.0.0.1\n" >/etc/resolv.conf

Test DNS

# dnsip www.google.com

:. Installation - ClamAV

Create a user to run the daemon process as

# groupadd spamd
# useradd -s /bin/false -d /home/spamd -g spamd spamd
# mkdir /home/spamd
# chown spamd:spamd /home/spamd

Download/unpack/install

# cd /usr/src
# wget http://superb-west.dl.sourceforge.net/sourceforge/clamav/clamav-0.88.6.tar.gz
# tar xvfz clamav-0.88.6.tar.gz
# cd clamav-0.88.6
# ./configure --sysconfdir=/etc --prefix=/usr --with-user=spamd --with-group=spamd
# make install

Edit the file /etc/clamd.conf:

LocalSocket /tmp/clamd FixStaleSocket MaxThreads 50 User spamd ExitOnOOM Foreground ScanPE DetectBrokenExecutables ScanOLE2 ScanMail ScanHTML ScanArchive ArchiveMaxFileSize 40M ArchiveMaxRecursion 10 ArchiveMaxFiles 2000 ArchiveMaxCompressionRatio 300 ArchiveBlockEncrypted ArchiveBlockMax

Edit file /etc/freshclam.conf:

DatabaseOwner spamd DatabaseMirror db.us.clamav.net DatabaseMirror database.clamav.net Checks 12 NotifyClamd /etc/clamd.conf Foreground

More configuration stuff

# mkdir /etc/clamav
# cd /etc/clamav

Edit /etc/clamav/run:

#!/bin/sh exec > /dev/null exec 2>&1 exec clamd

# chmod +x run
# cd /service
# ln -s /etc/clamav
# crontab -l >/tmp/crontab.tmp
# echo "0 */4 * * * /usr/bin/freshclam --quiet 2>&1 1> /dev/null" >>/tmp/crontab.tmp
# crontab /tmp/crontab.tmp
# /usr/bin/freshclam

Verify that everything is working properly

# svstat /service/clamav

Output should resemble this:

:. Installation - UCSPI-TCP

Download/unpack/install package

# cd /usr/src
# wget http://cr.yp.to/ucspi-tcp/ucspi-tcp-0.88.tar.gz
# tar xvfz ucspi-tcp-0.88.tar.gz
# cd ucspi-tcp-0.88
# patch -p1 <../cdb-0.75.errno.patch
# make setup check

:. Installation - Perl support modules + SpamAssassin

If prompted, follow all dependencies. These may need a bit of ‘massaging’. If you're not familiar with installing perl modules, this might seem a bit of a challenge.

When in doubt, if the install of a module fails, replace the 'install' command with 'force install'.

If you've never installed perl modules, you'll have to answer some questions before CPAN will allow you to install the modules below.

Good luck :)

# perl -MCPAN -e shell
cpan> install Bundle::CPAN
cpan> install Archive::Tar
cpan> install Time::HiRes
cpan> install LWP
cpan> install Net::LDAP
cpan> install Digest
cpan> install Digest::SHA1
cpan> install MIME::Base64
cpan> install Net::DNS
cpan> install Net::SMTP
cpan> install File::Spec
cpan> install MIME::Base64
cpan> install Test::Simple
cpan> install Test::Harness
cpan> install URI::Escape
cpan> install Module::Build
cpan> install Net::CIDR
cpan> install Sys::Hostname
cpan> install Getopt::Long
cpan> install File::Copy
cpan> install Test::YAML
cpan> install Text::Glob
cpan> install Text::EntityMap
cpan> install Time::TAI64
cpan> install IP::Country
cpan> install IP::Country::Fast
cpan> install IO::Zlib
cpan> install Convert::ASN1
cpan> install File::GlobMapper
cpan> install File::HomeDir
cpan> install HTML::Tagset
cpan> install Crypt::OpenSSL::Bignum
cpan> install HTML::Parser
cpan> install Mail::Util
cpan> install Mail::Field
cpan> install Mail::Cap
cpan> install Mail::DKIM
cpan> install Mail::DomainKeys
cpan> install Mail::SPF::Query
cpan> install Time::TAI64
cpan> install Mail::SpamAssassin
cpan> install Curses
cpan> install Curses::UI
cpan> install Mail::RFC822::Address
cpan> install Validate::Net
cpan> exit

Configure SpamAssassin

Edit /etc/mail/spamassassin/local.cf

lock_method flock dcc_path /usr/local/bin/dccproc use_razor2 1 razor_config /home/spamd/.razor/razor-agent.conf bayes_path /home/spamd/.spamassassin/bayes use_bayes 1 bayes_auto_learn 1 include /etc/mail/spamassassin/trusted.cf include /etc/mail/spamassassin/whitelist.cf

Create some configuration files

# touch /etc/mail/spamassassin/trusted.cf
# touch /etc/mail/spamassassin/whitelist.cf

Create Ramdisk

# mkdir /tmp/mailscan
# chown spamd.spamd /tmp/mailscan

Figure out what the user spamd’s numerical userid and groupid is:

# id spamd

It should return output like this:

Edit the file /etc/fstab and add a line like this one:

none /tmp/mailscan tmpfs uid=1001,gid=103,mode=700,size=128M 0 0

Replacing the uid=XXXX,gid=XXX part with the numerical values returned by the ‘id’ command.

# mount -a

Start SpamAssassin

# mkdir /etc/spamassassin
# cd /etc/spamassassin

Edit file /etc/spamassassin/run:

#!/bin/sh exec >/dev/null exec 2>&1 export TMPDIR=/tmp/mailscan exec spamd -u spamd -g spamd --max-children=40 --min-children=20 \ --min-spare=5 --max-spare=5 --max-conn-per-child=1000

# chmod +x /etc/spamassassin/run
# cd /service/spamassassin
# ln -s /etc/spamassassin

Check to make sure SpamAssassin is running

# svstat /service/spamassassin

Check to see if configuration is sane

# spamassassin --lint

(shouldn’t output anything if there are no errors)

Configure Automatic rule updates

# cd /tmp
# wget http://daryl.dostech.ca/sa-update/sare/GPG.KEY
# sa-update
# sa-update --import GPG.KEY
# crontab -l >/tmp/crontab.tmp
# echo -e "0 1 * * * sa-update --channelfile \
/etc/mail/spamassassin/sare-sa-update-channels.txt \
--gpgkey 856AA88A \
&& svc -t /service/spamassassin" >>/tmp/crontab.tmp
# crontab /tmp/crontab.tmp

Edit /etc/mail/spamassassin/sare-sa-update-channels.txt:

70_sare_evilnum0.cf.sare.sa-update.dostech.net 70_sare_html0.cf.sare.sa-update.dostech.net 70_sare_header0.cf.sare.sa-update.dostech.net 70_sare_specific.cf.sare.sa-update.dostech.net 99_sare_fraud_post25x.cf.sare.sa-update.dostech.net 70_sare_random.cf.sare.sa-update.dostech.net 70_sare_stocks.cf.sare.sa-update.dostech.net updates.spamassassin.org

Installing Vipul's Razor2

Download/unpack/install

# cd /usr/src
# wget 'http://prdownloads.sourceforge.net/razor/razor-agents-2.82.tar.bz2?download'
# tar xvfj razor-agents-2.82.tar.bz2
# cd razor-agents-2.82
# perl Makefile.PL
# make
# make test
# make install

Configure Razor2

# razor-admin -home=/home/spamd/.razor -register
# razor-admin -home=/home/spamd/.razor -create
# razor-admin -home=/home/spamd/.razor –discover
# chown -R spamd.spamd /home/spamd

Edit file /home/spamd/.razor/razor-agent.conf :

debuglevel = 0 identity = identity ignorelist = 0 listfile_catalogue = servers.catalogue.lst listfile_discovery = servers.discovery.lst listfile_nomination = servers.nomination.lst logfile = razor-agent.log logic_method = 4 min_cf = ac razordiscovery = discovery.spamnet.com rediscovery_wait = 172800 report_headers = 1 turn_off_discovery = 0 use_engines = 4,8 whitelist = razor-whitelist

NOTE: make sure that firewall rules allow outbound TCP connections on port 2703

Installing DCC

Download/unpack/install package

# cd /usr/src
# wget http://www.rhyolite.com/anti-spam/dcc/source/dcc.tar.Z
# tar xvfz dcc.tar.Z
# cd dcc-1.3.42/
# ./configure
# make install

Configure DCC

NOTE: Make sure that the firewall allows inbound and outbound UDP port 6277 (src port >1023 dst port 6277 from the box ip to the internet and from the internet src port any to dst port 6277 on the box’s ip.

:. Installation - NetQmail

Download/unpack/patch/install package

# cd /usr/src
# wget http://www.qmail.org/netqmail-1.05.tar.gz
# tar xvfz netqmail-1.05.tar.gz
# cd netqmail-1.05
# ./collate.sh
# wget http://qmail.jms1.net/patches/netqmail-1.05-validrcptto.cdb.patch
# cd netqmail-1.05
# patch -p1 <../netqmail-1.05-validrcptto.cdb.patch
# groupadd nofiles
# useradd -g nofiles -d /var/qmail/alias alias
# useradd -g nofiles -d /var/qmail qmaild
# useradd -g nofiles -d /var/qmail qmaill
# useradd -g nofiles -d /var/qmail qmailp
# groupadd qmail
# useradd -g qmail -d /var/qmail qmailq
# useradd -g qmail -d /var/qmail qmailr
# useradd -g qmail -d /var/qmail qmails
# make setup check
# ./config-fast yourhost.yourdomain.com

Configure Qmail/Startup Scripts

Edit /var/qmail/control/rcpthosts:

yourdomain.com

(This file should contain the full list of all the domains you want to receive mail for)

Edit /var/qmail/rc:

#!/bin/sh exec env - PATH="/var/qmail/bin:$PATH" \ qmail-start "`cat /var/qmail/control/defaultdelivery`"

# chmod 755 /var/qmail/rc
# mkdir /var/log/qmail
# echo ./Maildir/ >/var/qmail/control/defaultdelivery

Edit /usr/bin/qmailctl:

#!/bin/sh # description: the qmail MTA PATH=/var/qmail/bin:/bin:/usr/bin:/usr/local/bin:/usr/local/sbin export PATH QMAILDUID=`id -u qmaild` NOFILESGID=`id -g qmaild` case "$1" in start) echo "Starting qmail" if svok /service/qmail-send ; then svc -u /service/qmail-send /service/qmail-send/log else echo "qmail-send supervise not running" fi if svok /service/qmail-smtpd ; then svc -u /service/qmail-smtpd /service/qmail-smtpd/log else echo "qmail-smtpd supervise not running" fi if [ -d /var/lock/subsys ]; then touch /var/lock/subsys/qmail fi ;; stop) echo "Stopping qmail..." echo " qmail-smtpd" svc -d /service/qmail-smtpd /service/qmail-smtpd/log echo " qmail-send" svc -d /service/qmail-send /service/qmail-send/log if [ -f /var/lock/subsys/qmail ]; then rm /var/lock/subsys/qmail fi ;; stat) svstat /service/qmail-send svstat /service/qmail-send/log svstat /service/qmail-smtpd svstat /service/qmail-smtpd/log qmail-qstat ;; doqueue|alrm|flush) echo "Flushing timeout table and sending ALRM signal to qmail-send." /var/qmail/bin/qmail-tcpok svc -a /service/qmail-send ;; queue) qmail-qstat qmail-qread ;; reload|hup) echo "Sending HUP signal to qmail-send." svc -h /service/qmail-send ;; pause) echo "Pausing qmail-send" svc -p /service/qmail-send echo "Pausing qmail-smtpd" svc -p /service/qmail-smtpd ;; cont) echo "Continuing qmail-send" svc -c /service/qmail-send echo "Continuing qmail-smtpd" svc -c /service/qmail-smtpd ;; restart) echo "Restarting qmail:" echo "* Stopping qmail-smtpd." svc -d /service/qmail-smtpd /service/qmail-smtpd/log echo "* Sending qmail-send SIGTERM and restarting." svc -t /service/qmail-send /service/qmail-send/log echo "* Restarting qmail-smtpd." svc -u /service/qmail-smtpd /service/qmail-smtpd/log ;; cdb) if [ ! -f /etc/tcp.smtp.blacklist ]; then touch /etc/tcp.smtp.blacklist chown qmaill.nofiles /etc/tcp.smtp.blacklist fi cat /etc/tcp.smtp /etc/tcp.smtp.blacklist | tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp chmod 644 /etc/tcp.smtp.cdb echo "Reloaded /etc/tcp.smtp." ;; help) cat <<HELP stop -- stops mail service (smtp connections refused, nothing goes out) start -- starts mail service (smtp connection accepted, mail can go out) pause -- temporarily stops mail service (connections accepted, nothing leaves) cont -- continues paused mail service stat -- displays status of mail service cdb -- rebuild the tcpserver cdb file for smtp restart -- stops and restarts smtp, sends qmail-send a TERM & restarts it doqueue -- schedules queued messages for immediate delivery reload -- sends qmail-send HUP, rereading locals and virtualdomains queue -- shows status of queue alrm -- same as doqueue flush -- same as doqueue hup -- same as reload HELP ;; *) echo "Usage: $0 " exit 1 ;; esac exit 0

# chmod 755 /var/bin/qmailctl
# mkdir -p /var/qmail/supervise/qmail-send/log
# mkdir -p /var/qmail/supervise/qmail-smtpd/log

Edit /var/qmail/supervise/qmail-send/run:

#!/bin/sh exec /var/qmail/rc

Edit /var/qmail/supervise/qmail-send/log/run:

#!/bin/sh exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t /var/log/qmail

Edit /var/qmail/supervise/qmail-smtpd/run:

#!/bin/sh QMAILDUID=`id -u qmaild` NOFILESGID=`id -g qmaild` MAXSMTPD=`cat /var/qmail/control/concurrencyincoming` LOCAL=`head -1 /var/qmail/control/me` if [ -z "$QMAILDUID" -o -z "$NOFILESGID" -o -z "$MAXSMTPD" -o -z "$LOCAL" ]; then echo QMAILDUID, NOFILESGID, MAXSMTPD, or LOCAL is unset in echo /var/qmail/supervise/qmail-smtpd/run exit 1 fi if [ ! -f /var/qmail/control/rcpthosts ]; then echo "No /var/qmail/control/rcpthosts!" echo "Refusing to start SMTP listener because it'll create an open relay" exit 1 fi exec /usr/local/bin/softlimit -m 40000000 \ /usr/local/bin/tcpserver -v -R -l "$LOCAL" -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \ -u "$QMAILDUID" -g "$NOFILESGID" 0 smtp /var/qmail/bin/cqgreylist \ /var/qmail/bin/qmail-smtpd 2>&1

Edit /var/qmail/supervise/qmail-smtpd/log/run:

#!/bin/sh exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t \ s100000 n1 !"/var/qmail/bin/adaptive_blacklist.pl" /var/log/qmail/smtpd

Edit /etc/tcp.smtp:

127.:allow,RELAYCLIENT="" :allow,QMAILQUEUE="/var/qmail/bin/simscan"

Note: In /etc/tcp.smtp you should list all the networks you want to allow relaying from. For example, if your internal network is 1.2.3.0/24, you'd add the following line:

1.2.3.:allow,RELAYCLIENT=""

Edit /var/qmail/bin/adaptive_blacklist.pl:

#!/usr/bin/perl # Adaptive Blacklist - a multilog post-processor which automatically # adds entries to tcprules to deny spammer IP address. Based on Qmail configuration # setup developped by Mark Steele on http://www.control-alt-del.org/code # Copyright (C) 2006 Mark Steele # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License # as published by the Free Software Foundation; either version 2 # of the License, or (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. # use Storable qw(store_fd retrieve_fd); use Time::TAI64 qw(tai2unix); use Sys::Syslog; use strict; openlog('adaptive_blacklist', 'cons,pid', 'user'); my %state; open(STATE_RFD,"<&=4") || die "couldn't open read fd: $!"; eval { %state = %{retrieve_fd(\*STATE_RFD)}; }; close(STATE_RFD); while(<STDIN>) { my ($ts,$type,$ip); if (/^(@.{24,24})\s.+?(SPAM REJECT|CLEAN|VIRUS).+?:.+?:.+?:((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)).*\n$/) { ($ts,$type,$ip) = (tai2unix($1),$2,$3); } elsif (/^(@.{24,24})\s.+?: not in validrcptto:.+?((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))\n$/) { ($ts,$type,$ip) = (tai2unix($1),'INVALIDRCPT',$2); } elsif (/^.+?excessive validrcptto violations, hanging up on ((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))\n$/) { $state{'blocklist'}{$1} = time; } else { next; } push(@{$state{$ip}->{$type}},$ts); for (my $i = 0; $i <= scalar @{$state{$ip}->{$type}}; $i++) { if (time - @{$state{$ip}->{$type}}[$i] > 600) { splice(@{$state{$ip}->{$type}},$i,1); } } my ($spams,$hams,$virus,$invalidrcpt) = (0,0,0,0); if (defined($state{$ip}->{'SPAM REJECT'})) { if (!scalar @{$state{$ip}->{'SPAM REJECT'}}) { delete($state{$ip}->{'SPAM REJECT'}); } else { $spams = scalar @{$state{$ip}->{'SPAM REJECT'}}; } } if (defined($state{$ip}->{'CLEAN'})) { if (!scalar @{$state{$ip}->{'CLEAN'}}) { delete($state{$ip}->{'CLEAN'}); } else { $hams = scalar @{$state{$ip}->{'CLEAN'}}; } } if (defined($state{$ip}->{'VIRUS'})) { if (!scalar @{$state{$ip}->{'VIRUS'}}) { delete($state{$ip}->{'VIRUS'}); } else { $virus = scalar @{$state{$ip}->{'VIRUS'}}; } } if (defined($state{$ip}->{'INVALIDRCPT'})) { if (!scalar @{$state{$ip}->{'INVALIDRCPT'}}) { delete($state{$ip}->{'INVALIDRCPT'}); } else { $invalidrcpt = scalar @{$state{$ip}->{'INVALIDRCPT'}}; } } if (!scalar keys %{$state{$ip}}) { delete($state{$ip}); } if ($spams+$hams+$virus+$invalidrcpt > 10) { # 10 messages from the same IP if (($spams+$virus+$invalidrcpt)/($spams+$virus+$invalidrcpt+$hams) > 0.5) { # We're getting over 50% spam/viruses/invalidrcpts from this IP. Block it for a couple hours. $state{'blocklist'}{$ip} = time; } } } if (!$state{'cleanup'} || time > ($state{'cleanup'} + 600)) { my %stats; $state{'cleanup'} = time; foreach my $ip (keys %state) { next if ($ip eq 'cleanup' || $ip eq 'blocklist'); if (defined($state{$ip}->{'SPAM REJECT'})) { for (my $i = 0; $i <= scalar @{$state{$ip}->{'SPAM REJECT'}}; $i++) { if (time - @{$state{$ip}->{'SPAM REJECT'}}[$i] > 600) { splice(@{$state{$ip}->{'SPAM REJECT'}},$i,1); } else { $stats{'spams'}++; } } if (!scalar @{$state{$ip}->{'SPAM REJECT'}}) { delete($state{$ip}->{'SPAM REJECT'}); } } else { delete($state{$ip}->{'SPAM REJECT'}); } if (defined($state{$ip}->{'CLEAN'})) { for (my $i = 0; $i <= scalar @{$state{$ip}->{'CLEAN'}}; $i++) { if (time - @{$state{$ip}->{'CLEAN'}}[$i] > 600) { splice(@{$state{$ip}->{'CLEAN'}},$i,1); } else { $stats{'hams'}++; } } if (!scalar @{$state{$ip}->{'CLEAN'}}) { delete($state{$ip}->{'CLEAN'}); } } if (defined($state{$ip}->{'VIRUS'})) { for (my $i = 0; $i <= scalar @{$state{$ip}->{'VIRUS'}}; $i++) { if (time - @{$state{$ip}->{'VIRUS'}}[$i] > 600) { splice(@{$state{$ip}->{'VIRUS'}},$i,1); } else { $stats{'virus'}++; } } if (!scalar @{$state{$ip}->{'VIRUS'}}) { delete($state{$ip}->{'VIRUS'}); } } if (defined($state{$ip}->{'INVALIDRCPT'})) { for (my $i = 0; $i <= scalar @{$state{$ip}->{'INVALIDRCPT'}}; $i++) { if (time - @{$state{$ip}->{'INVALIDRCPT'}}[$i] > 600) { splice(@{$state{$ip}->{'INVALIDRCPT'}},$i,1); } else { $stats{'invalid'}++; } } if (!scalar @{$state{$ip}->{'INVALIDRCPT'}}) { delete($state{$ip}->{'INVALIDRCPT'}); } } if (!scalar keys %{$state{$ip}}) { delete($state{$ip}); } else { $stats{'ips'}++; } } syslog('debug','Stats - spams: %s hams: %s invalid: %s viruses: %s total IPs: %s', $stats{'spams'},$stats{'hams'},$stats{'invalid'},$stats{'virus'},$stats{'ips'}); } ## Do the blocklist open(F,">/etc/tcp.smtp.blacklist") || die "couldn't open blacklist: $!"; for (keys %{$state{'blocklist'}}) { ## Cleanup blocklist if ((time-$state{'blocklist'}{$_}) > 60*60*4) { delete($state{'blocklist'}{$_}); syslog('debug','unblocking %s',$_); } else { ## Create blocklist now print F "$_:deny\n"; #syslog('debug','blocklist: %s blocked for: %s seconds',$_,time-$state{'blocklist'}{$_}); } } close(F); open(STATE_WFD,">&=5") || die "couldn't open write fd: $!"; store_fd(\%state,*STATE_WFD); close(STATE_WFD); closelog(); exit 0; __END__

More commands to run…

# chmod +x /var/qmail/bin/adaptive_blacklist.pl
# chmod 755 /var/qmail/supervise/qmail-send/run
# chmod 755 /var/qmail/supervise/qmail-send/log/run
# chmod 755 /var/qmail/supervise/qmail-smtpd/run
# chmod 755 /var/qmail/supervise/qmail-smtpd/log/run
# echo 120 >/var/qmail/control/concurrencyincoming
# echo 60 >/var/qmail/control/concurrencyremote
# mkdir -p /var/log/qmail/smtpd
# chown qmaill /var/log/qmail /var/log/qmail/smtpd
# cd /service
# ln -s /var/qmail/supervise/qmail-send
# ln -s /var/qmail/supervise/qmail-smtpd
# qmailctl stop
# qmailctl cdb

Edit /var/qmail/control/smtproutes:

yourdomain.com:1.2.3.5

Note: /var/qmail/control/smtproutes contains the should contain the full list of all the domains you want to receive mail for, and the IP address of the server to route e-mail received for that domain to. In the above example, mail received for yourdomain.com would be sent to the server 1.2.3.5

# crontab -l >/tmp/crontab.tmp
# echo -e "* * * * * /usr/bin/qmailctl cdb\n" >>/tmp/crontab.tmp
# crontab /tmp/crontab.tmp

:. Installation - RipMIME

Download/unpack/install package

# cd /usr/src
# wget http://www.pldaniels.com/ripmime/ripmime-1.4.0.6.tar.gz
# tar xvfz ripmime-1.4.0.6.tar.gz
# cd ripmime-1.4.0.6
# make; make install

:. Installation - CQGreylist

Download/unpack/install package

# cd /usr/src
# wget http://oss.albawaba.com/files/cqgreylist-0.2.tar.gz
# tar xvfz cqgreylist-0.2.tar.gz
# cd cqgreylist-0.2
# make
# cp cqgreylist /var/qmail/bin
# mkdir /var/qmail/cqgreylist
# chown qmaild: /var/qmail/cqgreylist
# crontab -l >/tmp/crontab.tmp
# echo -e "0 0 * * * rm -rf /var/qmail/cqgreylist/*\n" \
>>/tmp/crontab.tmp
# crontab /tmp/crontab.tmp

:. Installation - Simscan

Download/unpack/install package

# cd /usr/src
# wget http://www.inter7.com/simscan/simscan-1.3.1.tar.gz
# tar xvfz simscan-1.3.1.tar.gz
# cd simscan-1.3.1
# ./configure --enable-user=spamd --enable-group=spamd \
--enable-clamav=y --enable-clamdscan=/usr/bin/clamdscan \
--enable-spam=y --enable-spam-passthru=n --enable-spamc=/usr/bin/spamc \
--enable-spamc-user=n --enable-spam-hits=10 \
--enable-ripmime=/usr/local/bin/ripmime \
--enable-workdir=/tmp/mailscan
# make; make install

:. Installation - Recipient Checking

Edit /var/qmail/bin/updaterecipients.pl:

#!/usr/bin/perl use strict; if (-e '/tmp/recips.txt.new') { die "last run unsuccessful, aborting (check /tmp/recips.txt.new)\n"; } `/var/qmail/bin/getadsmtp.pl`; if ($?) { die "Error populating recipient list: $?\n"; } ## Compare old with new if (-e '/tmp/recips.txt.old') { print "Comparing data files\n"; my $old = `wc -l </tmp/recips.txt.old`; my $new = `wc -l </tmp/recips.txt.new`; if (($old - $new) > 100 || ($new - $old) > 100 || !$old || !$new) { die "too many differences!\n"; } } ## Good to go, create new cdb file `/usr/local/bin/cdbmake-12 /var/qmail/control/validrcptto.cdb /tmp/recips.cdb.tmp </tmp/recips.txt.new`; if ($?) { print "Error with creation of CDB, rolling back to last known good cdb\n"; `cp /var/qmail/control/validrcptto.cdb.good /var/qmail/control/validrcptto.cdb` if (-e '/var/qmail/control/validrcptto.cdb.good'); exit; } else { print "Backing up this CDB database as a known good db\n"; `cp /var/qmail/control/validrcptto.cdb /var/qmail/control/validrcptto.cdb.good`; } ## backup old txt file `mv /tmp/recips.txt.new /tmp/recips.txt.old`; print "All done\n";

# chmod +x /var/qmail/bin/updaterecipients.pl

Edit /var/qmail/bin/getadsmtp.pl:

#!/usr/bin/perl # Version 1.02 # I don't remember where I found this. If you wrote this, let me know and I'll put your name here. use Net::LDAP; use Net::LDAP::Control::Paged; use Net::LDAP::Constant ( "LDAP_CONTROL_PAGED" ); # Enter the path/file for the output $VALID = "/tmp/recips.txt.new"; # Enter the FQDN of your Active Directory domain controllers below $dc1="1.2.3.99"; $hqbase="dc=yourdomain,dc=com"; $user="youruser\@yourdomain.com"; $passwd="yourdomainpass"; # Connecting to Active Directory domain controllers $noldapserver=0; $ldap = Net::LDAP->new($dc1) or $noldapserver=1; if ($noldapserver == 1) { $ldap = Net::LDAP->new($dc2) or die "Error connecting to specified domain controllers $@ \n"; } $mesg = $ldap->bind ( dn => $user, password =>$passwd); if ( $mesg->code()) { die ("error:", $mesg->code(),"\n","error name: ",$mesg->error_name(), "\n", "error text: ",$mesg->error_text(),"\n"); } # How many LDAP query results to grab for each paged round # Set to under 1000 for Active Directory $page = Net::LDAP::Control::Paged->new( size => 990 ); @args = ( base => $hqbase, # Play around with this to grab objects such as Contacts, Public Folders, etc. # A minimal filter for just users with email would be: # filter => "(&(sAMAccountName=*)(mail=*))", filter => "(& (mailnickname=*) (| (&(objectCategory=person) (objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*))) (&(objectCategory=person)(objectClass=user)(|(homeMDB=*) (msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=contact)) (objectCategory=group)(objectCategory=publicFolder) ))", control => [ $page ], attrs => "proxyAddresses", ); my $cookie; while(1) { # Perform search my $mesg = $ldap->search( @args ); # Filtering results for proxyAddresses attributes foreach my $entry ( $mesg->entries ) { my $name = $entry->get_value( "cn" ); # LDAP Attributes are multi-valued, so we have to print each one. foreach my $mail ( $entry->get_value( "proxyAddresses" ) ) { # Test if the Line starts with one of the following lines: # proxyAddresses: [smtp|SMTP]: # and also discard this starting string, so that $mail is only the # address without any other characters... if ( $mail =~ s/^(smtp|SMTP)://gs ) { $valid{lc($mail)} = 1; } } } # Only continue on LDAP_SUCCESS $mesg->code and last; # Get cookie from paged control my($resp) = $mesg->control( LDAP_CONTROL_PAGED ) or last; $cookie = $resp->cookie or last; # Set cookie in paged control $page->cookie($cookie); } if ($cookie) { # We had an abnormal exit, so let the server know we do not want any more $page->cookie($cookie); $page->size(0); $ldap->search( @args ); # Also would be a good idea to die unhappily and inform OP at this point die("LDAP query unsuccessful"); } # Only write the file once the query is successful open VALID, ">$VALID" or die "CANNOT OPEN $VALID $!"; for (keys %valid) { print VALID $_,"\n" if (/^\S+/); } close VALID;

You'll want to edit this script. Near the beginning, you'll need to plug in your domain controller's IP address, your domain name, and some domain user credentials. Any valid user should work, so you should create a user for this purpose.

# crontab -l >/tmp/crontab.tmp
# echo -e "0 */4 * * * /var/qmail/bin/updaterecipients.pl 2>&1 1> /dev/null" >>/tmp/crontab.tmp
# crontab /tmp/crontab.tmp
# chmod +x /var/qmail/bin/getadsmtp.pl
# /var/qmail/bin/updaterecipients.pl
# qmailctl start

Edit /usr/bin/QmailAdmin:

#!/usr/bin/perl # QmailAdmin - A utility to manage configuration files for the Qmail # setup developped by Mark Steele on http://www.control-alt-del.org/code # Copyright (C) 2006 Mark Steele # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License # as published by the Free Software Foundation; either version 2 # of the License, or (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. use strict; use Curses::UI; use Mail::RFC822::Address qw(valid); use Validate::Net; if (-e '/tmp/QmailAdmin.lock' && $force) { open(F,"+</tmp/QmailAdmin.lock"); chomp(my $pid = <F>); seek(F,0,0); print F $$; close(F); kill(9,$pid); } elsif (-e '/tmp/QmailAdmin.lock') { print "Sorry, someone else has a QmailAdmin session open. Only one person may use this application at a time.\n"; exit; } else { open(F,">/tmp/QmailAdmin.lock") || die "couldn't open lockfile"; print F $$; close(F); } my $checker = Validate::Net->new('fast'); my %EnvLabels = ( 'RELAYCLIENT=""' => 0, 'QMAILQUEUE="/var/qmail/bin/simscan"' => 1, 'WHITELISTED=""' => 2 ); my %REnvLabels = reverse %EnvLabels; # Create the root object and main window. my $cui = new Curses::UI ( -clear_on_exit => 0, -debug => 0, -mouse_support => 1, -color_support => 1 ); $cui->set_binding( sub { unlink('/tmp/QmailAdmin.lock'); exit(0); } , "\cQ"); my $main = $cui->add( undef, 'Window', -title => 'Main Window', ); $main->add( undef, 'Label', -y => $main->height - 1, -width => $main->width, -text => '<PageUp> / <PageDown> cycles through pages; <Ctrl>-Q exits', -textalignment => 'middle', -bold => 1, ); my $timeoutwarning; local $SIG{ALRM} = \&idle_timeout; alarm(120); # Create notebook and a couple of pages. my $notebook = $main->add( undef, 'Notebook', -height => $main->height - 1, ); ## RELAY CONTROL my $nb_relay = $notebook->add_page("Relay Control"); $nb_relay->add(undef, 'Label',-text => "Relay control affects completely trusted networks.",-x=>3,-y=>1); $nb_relay->add(undef,'Label',-text=>"IP/Range",-y=>3,-x=>3); $nb_relay->add(undef,'Label',-text=>"Allow/Deny",-y=>3,-x=>22); $nb_relay->add(undef,'Label',-text=>"Environment variables",-y=>3,-x=>40); my ($defaultrules,$rules) = parse_relay(); $nb_relay->add('RelayIPListBox','Listbox', -values=>[sort keys %{$rules}], -width=>17, -height=>10, -x=>3, -y=>5, -onselchange=>\&clear_relay_rule, -onchange=>\&display_relay_rule, -border=>1, -vscrollbar=>1); $nb_relay->add(undef,'Buttonbox', -buttons=> [ {-label=> '<Update Selected>',-onpress=>\&relay_modentry}, {-label=> '<Delete Selected>',-onpress=>\&relay_delentry} ], -x=>30, -y=>12); $nb_relay->add('RelayRuleRadio','Listbox', -values=>['allow','deny'], -radio=>1, -x=>22,-width=>10,-height=>5, -y=>5); $nb_relay->add('RelayENVMulti','Listbox', -values=> [ 0, 1, 2 ], -labels=> { 0 => 'Relay (overrides all other options)', 1 => 'Virus/Spam Scanning', 2 => 'Skip Greylisting'}, -multi=>1, -x=>40,-width=>40,-height=>5, -y=>5); $nb_relay->add(undef,'Label',-text=>'----------------------------------------------------------------------------',-y=>16,-x=>3,-width=>-1,-height=>1); $nb_relay->add(undef,'Label',-text=>'New entry',-y=>17,-x=>3,-width=>10,-height=>1); $nb_relay->add(undef,'Label',-text=>'----------------------------------------------------------------------------',-y=>18,-x=>3,-width=>-1,-height=>1); $nb_relay->add('RelayNewEntry','TextEntry',-y=>19,-x=>3,-width=>17,-height=>1,-reverse=>1,-text=>'<IP Address>',-onfocus=>\&clear_new_entry); $nb_relay->add('RelayNewRuleRadio','Listbox', -values=>['allow','deny'], -radio=>1, -x=>22,-width=>10,-height=>5, -y=>19); $nb_relay->add('RelayNewENVMulti','Listbox', -values=> [ 0, 1, 2 ], -labels=> { 0 => 'Relay (overrides all other options)', 1 => 'Virus/Spam Scanning', 2 => 'Skip Greylisting'}, -multi=>1, -x=>40,-width=>40,-height=>5, -y=>19); $nb_relay->add(undef,'Buttonbox', -buttons=> [ {-label=> '<Create Rule>',-onpress=>\&relay_addentry} ], -x=>3, -y=>22); $nb_relay->add(undef,'Buttonbox', -buttons=> [ {-label=> '<Apply>',-onpress=>\&relay_save}, {-label=>'<Revert>',-onpress=>\&relay_revert}, {-label=>'<Help>',-onpress=>\&show_help_relay}, ], -x=>3, -y=>26); my $nb_whitelist = $notebook->add_page("Whitelist"); $nb_whitelist->add(undef,'Label',-text=>"The whitelist bypasses spam filtering from the specified addresses or domains",-x=>3,-y=>1); my ($whitelistdomain,$whitelistaddress) = parse_whitelist(); $nb_whitelist->add(undef,'Label',-text=>"White listed domains",-width=>25,-height=>1,-x=>3,-y=>5); $nb_whitelist->add(undef,'Label',-text=>"White listed addresses",-width=>25,-height=>1,-x=>35,-y=>5); $nb_whitelist->add('WhitelistDomList','Listbox', -values=> $whitelistdomain, -width=>25, -height=>15, -x=>3, -y=>7, -vscrollbar=>1, -border=>1, -onselchange=>\&set_selected); $nb_whitelist->add('WhitelistUserList','Listbox', -values=> $whitelistaddress, -width=>25, -height=>15, -x=>35, -y=>7, -vscrollbar=>1, -border=>1, -onselchange=>\&set_selected); $nb_whitelist->add(undef,'Buttonbox', -buttons=> [ {-label=> '<Delete domain>',-onpress=>\&whitelist_deldomain} ], -x=>3,-height=>1,-width=>15, -y=>23); $nb_whitelist->add(undef,'Buttonbox', -buttons=> [ {-label=> '<Delete user>',-onpress=>\&whitelist_deladdress} ], -x=>35,-height=>1,-width=>15, -y=>23); $nb_whitelist->add(undef,'Label',-text=>"New domain: ",-width=>13,-x=>3,-y=>27,-height=>1); $nb_whitelist->add('WhitelistNewDom','TextEntry',-x=>17,-y=>27,-width=>25,-reverse=>1,-onfocus=>\&clear_new_entry); $nb_whitelist->add(undef,'Buttonbox', -buttons=> [ {-label=> '<Add>',-onpress=>\&whitelist_adddomain} ], -x=>45,-height=>1,-width=>5, -y=>27); $nb_whitelist->add(undef,'Label',-text=>"New address: ",-width=>13,-x=>3,-y=>29,-height=>1); $nb_whitelist->add('WhitelistNewUser','TextEntry',-x=>17,-y=>29,-width=>25,-reverse=>1,-onfocus=>\&clear_new_entry); $nb_whitelist->add(undef,'Buttonbox', -buttons=> [ {-label=> '<Add>',-onpress=>\&whitelist_adduser} ], -x=>45,-height=>1,-width=>15, -y=>29); $nb_whitelist->add(undef,'Buttonbox', -buttons=> [ {-label=> '<Apply>',-onpress=>\&whitelist_save}, {-label=> '<Revert>',-onpress=>\&whitelist_revert}, {-label=>'<Help>',-onpress=>\&show_help_whitelist} ], -x=>3,-height=>1,-width=>26, -y=>35); my $nb_smtproutes = $notebook->add_page("SMTP routes"); $nb_smtproutes->add(undef,'Label',-text=> <<"EOF",-x=>3,-y=>1); SMTP routes controls which domains we will accept mail for as well as where the mail will be routed. Normally, the relay IP should be the exchange server's IP address. EOF my $smtproutes = parse_smtproutes(); $nb_smtproutes->add(undef,'Label',-text=>'Domain',-width=>6,-height=>1,-x=>3,-y=>6); $nb_smtproutes->add('SMTPRoutesListBox','Listbox', -values=> [sort keys %{$smtproutes}], -width=>30, -height=>10, -x=>3, -y=>7, -border=>1, -vscrollbar=>1, -onselchange=>\&set_selected, -onchange=>\&smtproute_display_route); $nb_smtproutes->add(undef,'Label',-text=>'Relay IP',-width=>8,-height=>1,-x=>35,-y=>6); $nb_smtproutes->add('SMTPRoutesDomEntry','TextEntry',-reverse=>1,-width=>19,-height=>1,-x=>35,-y=>8); $nb_smtproutes->add(undef,'Buttonbox', -buttons=> [ {-label=> '<Update>',-onpress=>\&smtproute_modentry}, {-label=> '<Delete>',-onpress=>\&smtproute_delentry} ], -x=>35, -height=>1, -width=>20, -y=>12); $nb_smtproutes->add(undef,'Label',-text=>'----------------------------------------------------------------------------',-y=>18,-x=>3,-width=>-1,-height=>1); $nb_smtproutes->add(undef,'Label',-text=>'New entry',-y=>19,-x=>3,-width=>10,-height=>1); $nb_smtproutes->add(undef,'Label',-text=>'----------------------------------------------------------------------------',-y=>20,-x=>3,-width=>-1,-height=>1); $nb_smtproutes->add(undef,'Label',-text=>'Domain',-width=>6,-y=>22,-x=>3); $nb_smtproutes->add('SMTPRoutesNewEntry','TextEntry',-reverse=>1,-width=>30,-height=>1,-x=>15,-y=>22); $nb_smtproutes->add(undef,'Label',-text=>'Relay IP',-width=>9,-y=>24,-x=>3); $nb_smtproutes->add('SMTPRoutesNewIP','TextEntry',-reverse=>1,-width=>19,-height=>1,-x=>15,-y=>24); $nb_smtproutes->add(undef,'Buttonbox', -buttons=> [ {-label=> '<Create Route>',-onpress=>\&smtproute_addentry} ], -x=>3, -height=>1, -width=>14, -y=>26); $nb_smtproutes->add(undef,'Buttonbox', -buttons=> [ {-label=> '<Apply>',-onpress=>\&smtproute_save}, {-label=> '<Revert>',-onpress=>\&smtproute_revert}, {-label=>'<Help>',-onpress=>\&show_help_smtproutes}, ], -x=>3, -height=>1, -width=>26, -y=>30); my $nb_blacklist = $notebook->add_page("Blacklist"); $nb_blacklist->add(undef,'Label',-text=><<"EOF",-x=>3,-y=>1); E-mail addresses or domains we want to block. These emails will be blocked during the SMTP conversation. EOF my ($blacklistdomain,$blacklistaddress) = parse_blacklist(); $nb_blacklist->add(undef,'Label',-text=>"Black listed domains",-width=>25,-height=>1,-x=>3,-y=>5); $nb_blacklist->add(undef,'Label',-text=>"Black listed addresses",-width=>25,-height=>1,-x=>35,-y=>5); $nb_blacklist->add('BlacklistDomList','Listbox', -values=> $blacklistdomain, -width=>25, -height=>15, -x=>3, -y=>7, -vscrollbar=>1, -border=>1, -onselchange=>\&set_selected); $nb_blacklist->add('BlacklistUserList','Listbox', -values=> $blacklistaddress, -width=>25, -height=>15, -x=>35, -y=>7, -vscrollbar=>1, -border=>1, -onselchange=>\&set_selected); $nb_blacklist->add(undef,'Buttonbox', -buttons=> [ {-label=> '<Delete domain>',-onpress=>\&blacklist_deldomain} ], -x=>3,-height=>1,-width=>15, -y=>23); $nb_blacklist->add(undef,'Buttonbox', -buttons=> [ {-label=> '<Delete user>',-onpress=>\&blacklist_deladdress} ], -x=>35,-height=>1,-width=>15, -y=>23); $nb_blacklist->add(undef,'Label',-text=>"New domain: ",-width=>13,-x=>3,-y=>27,-height=>1); $nb_blacklist->add('BlacklistNewDom','TextEntry',-x=>17,-y=>27,-width=>25,-reverse=>1,-onfocus=>\&clear_new_entry); $nb_blacklist->add(undef,'Buttonbox', -buttons=> [ {-label=> '<Add>',-onpress=>\&blacklist_adddomain} ], -x=>45,-height=>1,-width=>5, -y=>27); $nb_blacklist->add(undef,'Label',-text=>"New address: ",-width=>13,-x=>3,-y=>29,-height=>1); $nb_blacklist->add('BlacklistNewUser','TextEntry',-x=>17,-y=>29,-width=>25,-reverse=>1,-onfocus=>\&clear_new_entry); $nb_blacklist->add(undef,'Buttonbox', -buttons=> [ {-label=> '<Add>',-onpress=>\&blacklist_adduser} ], -x=>45,-height=>1,-width=>15, -y=>29); $nb_blacklist->add(undef,'Buttonbox', -buttons=> [ {-label=> '<Apply>',-onpress=>\&blacklist_save}, {-label=> '<Revert>',-onpress=>\&blacklist_revert}, {-label=>'<Help>',-onpress=>\&show_help_blacklist}, ], -x=>3,-height=>1,-width=>26, -y=>35); my $nb_semitrust = $notebook->add_page("Trusted networks"); $nb_semitrust->add(undef,'Label',-text=><<"EOF",-x=>3,-y=>1); Semi-trusted networks for which we won't do any spam filtering. We will however do virus scanning on mail received from these networks.This option only takes effect if the environment variable on for this IP class is set for Spam/Virus scanning. EOF my $trusted = parse_trusted(); $nb_semitrust->add(undef,'Label',-text=>"Semi-trusted networks",-x=>3,-y=>6,-width=>25,-height=>1); $nb_semitrust->add('STListbox','Listbox', -values=> $trusted, -vscrollbar=>1, -border=>1, -x=>3, -y=>7, -width=>23, -height=>15, -onselchange=>\&set_selected); $nb_semitrust->add(undef,'Buttonbox', -buttons=> [ {-label=> '<Delete>',-onpress=>\&semitrust_delentry}, ], -x=>28,-height=>1,-width=>20, -y=>8); $nb_semitrust->add(undef,'Label',-text=>'New network',-x=>3,-y=>25,-width=>11,-height=>1); $nb_semitrust->add('STEntry','TextEntry',-reverse=>1,-width=>23,-x=>3,-y=>26); $nb_semitrust->add(undef,'Buttonbox', -buttons=> [ {-label=> '<Add>',-onpress=>\&semitrust_addentry}, ], -x=>32,-height=>1,-width=>5, -y=>26); $nb_semitrust->add(undef,'Buttonbox', -buttons=> [ {-label=> '<Apply>',-onpress=>\&semitrust_save}, {-label=> '<Revert>',-onpress=>\&semitrust_revert}, {-label=>'<Help>',-onpress=>\&show_help_semitrust}, ], -x=>3,-height=>1,-width=>26, -y=>35); my $nb_about = $notebook->add_page("About"); $nb_about->add('about_txtvwr','TextViewer',-text=><<'EOF',-vscrollbar=>1); This is the administrative client for the Qmail Spam Boxes. Author: Mark 'the Hammer' Steele <mark@control-alt-del.org> -- Stop, hammer time. EOF $notebook->focus; $cui->mainloop; sub parse_relay { my $defaultregex = '^(?:127\.|1\.2\.3\.|:).*$'; my (%defaultrules,%rules); if (!-e '/etc/tcp.smtp') { $cui->error("Missing configuration file: /etc/tcp.smtp"); unlink('/tmp/QmailAdmin.lock'); exit; } open(F,"/etc/tcp.smtp") || die; while(<F>) { chomp; next if (/^(?:#.*|;.*|)$/); my ($ip, $data) = split(":",$_); my ($rule,@env) = split(",",$data); $defaultrules{$ip} = 1 if (/$defaultregex/); $rules{$ip} = { rule => $rule, envvars => \@env }; } close(F); return(\%defaultrules,\%rules); } sub display_relay_rule { my $obj = shift; alarm(120); my $selected = $obj->get(); my $relayrule = $obj->parent->getobj('RelayRuleRadio'); my $multienv = $obj->parent->getobj('RelayENVMulti'); if ($rules->{$selected}->{rule} eq 'allow') { $relayrule->set_selection(0); } elsif ($rules->{$selected}->{rule} eq 'deny') { $relayrule->set_selection(1); } else { $cui->error("ACK INVALID CONFIG: $rules->{$selected}->{rule}"); unlink('/tmp/QmailAdmin.lock'); exit; } my @envrules = (); for (@{$rules->{$selected}->{envvars}}) { if (defined($EnvLabels{$_})) { push(@envrules,$EnvLabels{$_}); } } $multienv->set_selection(@envrules); $obj->parent->draw(1); } sub clear_relay_rule { my $obj = shift; alarm(120); my $relayrule = $obj->parent->getobj('RelayRuleRadio'); my $multienv = $obj->parent->getobj('RelayENVMulti'); $relayrule->clear_selection(); $multienv->clear_selection(); $obj->parent->draw(1); $obj->set_selection($obj->get_active_id()); } sub relay_modentry { my $obj = shift; alarm(120); my $iplistbox = $obj->parent->getobj('RelayIPListBox'); my $relayrule = $obj->parent->getobj('RelayRuleRadio'); my $multienv = $obj->parent->getobj('RelayENVMulti'); if ($defaultrules->{$iplistbox->get()}) { $cui->error("Sorry, this is a default entry which cannot be modified"); return; } else { $rules->{$iplistbox->get()}->{rule} = $relayrule->get(); @{$rules->{$iplistbox->get()}->{envvars}} = (); for ($multienv->get()) { push(@{$rules->{$iplistbox->get()}->{envvars}},$REnvLabels{$_}); } } } sub relay_delentry { my $obj = shift; alarm(120); my $iplistbox = $obj->parent->getobj('RelayIPListBox'); if ($defaultrules->{$iplistbox->get()}) { $cui->error("Sorry, this is a default entry which cannot be deleted"); return; } else { delete($rules->{$iplistbox->get()}); $iplistbox->values(sort keys %{$rules}); $iplistbox->draw(1); } } sub relay_addentry { my $obj = shift; alarm(120); my $relaynew = $obj->parent->getobj('RelayNewEntry'); my $relayrule = $obj->parent->getobj('RelayNewRuleRadio'); my $multienv = $obj->parent->getobj('RelayNewENVMulti'); my $iplistbox = $obj->parent->getobj('RelayIPListBox'); my $ip = $relaynew->get(); $ip =~ s/\s//; if ($ip !~ /^(?:(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){1,3})$/) { $cui->error("Invalid IP address specified\nFormat is either a full IP address or\nin the form XXX.XXX. to denote a class"); $relaynew->focus(); return; } elsif ($defaultrules->{$ip}) { $cui->error("Sorry, this is a default entry which cannot be over-written"); $relaynew->focus(); return; } elsif ($rules->{$ip}) { $cui->error("Sorry, this IP is already defined"); $relaynew->focus(); return; } elsif (!$relayrule->get()) { $cui->error("You must select to either allow or deny traffic from the specified IP address"); return; } else { $rules->{$ip}->{rule} = $relayrule->get(); @{$rules->{$ip}->{envvars}} = (); for ($multienv->get()) { push(@{$rules->{$ip}->{envvars}},$REnvLabels{$_}); } $iplistbox->values(sort keys %{$rules}); $iplistbox->draw(1); } $relaynew->text(''); $multienv->clear_selection(); $multienv->draw(1); $relayrule->clear_selection(); $relayrule->draw(1); } sub clear_new_entry { my $obj = shift; alarm(120); $obj->text(''); return; } sub relay_save { my $obj = shift; alarm(120); if (!-e '/etc/tcp.smtp') { $cui->error("Error, missing configuration file: /etc/tcp.smtp"); unlink('/tmp/QmailAdmin.lock'); exit; } open(F,">/etc/tcp.smtp") || die "Couldn't open file: $!"; for (keys %{$rules}) { print F "$_:".join(",",($rules->{$_}->{rule},@{$rules->{$_}->{envvars}})),"\n"; } close(F); relay_revert($obj); `/usr/bin/qmailctl cdb`; $cui->dialog("Changes saved"); } sub relay_revert { my $obj = shift; alarm(120); ($defaultrules,$rules) = parse_relay(); my $relayrule = $obj->parent->getobj('RelayRuleRadio'); my $multienv = $obj->parent->getobj('RelayENVMulti'); my $iplistbox = $obj->parent->getobj('RelayIPListBox'); $iplistbox->values(sort keys %{$rules}); $multienv->clear_selection(); $relayrule->clear_selection(); $obj->parent->draw(1); } sub parse_whitelist { my (@whitelistdom,@whitelistuser); if (!-e '/etc/mail/spamassassin/whitelist.cf') { $cui->error("Missing configuration file: /etc/mail/spamassassin/whitelist.cf"); unlink('/tmp/QmailAdmin.lock'); exit; } open(F,"/etc/mail/spamassassin/whitelist.cf") || die "couldn't open whitelist file: $!"; while(<F>) { chomp; next if (!/^whitelist_from\s(\*|[^@]+?)@(\S+)$/); if ($1 eq '*') { push(@whitelistdom,$2); } else { push(@whitelistuser,"$1\@$2"); } } @whitelistdom = sort @whitelistdom; @whitelistuser = sort @whitelistuser; return(\@whitelistdom,\@whitelistuser); } sub whitelist_deldomain { my $obj = shift; alarm(120); my $whitelist_domlist = $obj->parent->getobj('WhitelistDomList'); my $i = 0; for (@{$whitelistdomain}) { if ($_ eq $whitelist_domlist->get()) { splice(@{$whitelistdomain},$i,1); last; } $i++; } $whitelist_domlist->values($whitelistdomain); $whitelist_domlist->draw(1); } sub whitelist_deladdress { my $obj = shift; alarm(120); my $whitelist_userlist = $obj->parent->getobj('WhitelistUserList'); my $i = 0; for (@{$whitelistaddress}) { if ($_ eq $whitelist_userlist->get()) { splice(@{$whitelistaddress},$i,1); last; } $i++; } $whitelist_userlist->values($whitelistaddress); $whitelist_userlist->draw(1); } sub whitelist_adduser { my $obj = shift; alarm(120); my $whitelist_userlist = $obj->parent->getobj('WhitelistUserList'); my $whitelist_user = $obj->parent->getobj('WhitelistNewUser'); if (!valid($whitelist_user->get())) { $cui->error("Sorry, that is not a valid e-mail address"); return; } for (@{$whitelistaddress}) { if ($_ eq $whitelist_user->get()) { $cui->error("Sorry, that entry already exists!"); return; } } push(@{$whitelistaddress},$whitelist_user->get()); @{$whitelistaddress} = sort @{$whitelistaddress}; $whitelist_userlist->values($whitelistaddress); $whitelist_userlist->draw(1); $whitelist_user->text(''); } sub whitelist_adddomain { my $obj = shift; alarm(120); my $whitelist_domlist = $obj->parent->getobj('WhitelistDomList'); my $whitelist_dom = $obj->parent->getobj('WhitelistNewDom'); for (@{$whitelistdomain}) { if ($_ eq $whitelist_dom->get()) { $cui->error("Sorry, that entry already exists!"); return; } } if (!$checker->domain($whitelist_dom->get())) { $cui->error("Sorry, that seems to be an invalid domain name"); return; } push(@{$whitelistdomain},$whitelist_dom->get()); @{$whitelistdomain} = sort @{$whitelistdomain}; $whitelist_domlist->values($whitelistdomain); $whitelist_domlist->draw(1); $whitelist_dom->text(''); } sub whitelist_save { my $obj = shift; alarm(120); my $whitelist_domlist = $obj->parent->getobj('WhitelistDomList'); my $whitelist_userlist = $obj->parent->getobj('WhitelistUserList'); if (!-e '/etc/mail/spamassassin/whitelist.cf') { $cui->error("Error, missing configuration file: /etc/mail/spamassassin/whitelist.cf"); unlink('/tmp/QmailAdmin.lock'); exit; } open(F,">/etc/mail/spamassassin/whitelist.cf") || die "couldn't open whitelist file: $!"; for (@{$whitelistdomain}) { print F "whitelist_from *\@$_\n"; } for (@{$whitelistaddress}) { print F "whitelist_from $_\n"; } close(F); whitelist_revert($obj); `/usr/local/bin/svc -t /service/spamassassin`; $cui->dialog("Changes saved"); } sub whitelist_revert { my $obj = shift; alarm(120); my $whitelist_domlist = $obj->parent->getobj('WhitelistDomList'); my $whitelist_userlist = $obj->parent->getobj('WhitelistUserList'); ($whitelistdomain,$whitelistaddress) = parse_whitelist(); $whitelist_domlist->values($whitelistdomain); $whitelist_domlist->draw(1); $whitelist_userlist->values($whitelistaddress); $whitelist_userlist->draw(1); } sub set_selected { my $obj = shift; alarm(120); $obj->set_selection($obj->get_active_id()); } sub parse_smtproutes { my %smtproutes; if (!-e '/var/qmail/control/smtproutes') { $cui->error("Missing configuration file: /var/qmail/control/smtproutes"); unlink('/tmp/QmailAdmin.lock'); exit; } open(F,"/var/qmail/control/smtproutes") || die "couldn't open file: $!"; while(<F>) { chomp; next if (/^(?:#.*|;.*|)$/); s/\s//g; next if !/^([^:]+?):((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))$/; $smtproutes{$1} = $2; } close(F); return(\%smtproutes); } sub smtproute_display_route { my $obj = shift; alarm(120); my $smtproute_entry = $obj->parent->getobj('SMTPRoutesDomEntry'); my $smtproute_list = $obj->parent->getobj('SMTPRoutesListBox'); $smtproute_entry->text($smtproutes->{$smtproute_list->get()}); } sub smtproute_modentry { my $obj = shift; alarm(120); my $smtproute_entry = $obj->parent->getobj('SMTPRoutesDomEntry'); my $smtproute_list = $obj->parent->getobj('SMTPRoutesListBox'); $smtproutes->{$smtproute_list->get()} = $smtproute_entry->get(); } sub smtproute_delentry { my $obj = shift; alarm(120); my $smtproute_list = $obj->parent->getobj('SMTPRoutesListBox'); delete($smtproutes->{$smtproute_list->get()}); $smtproute_list->values([sort keys %{$smtproutes}]); $smtproute_list->draw(1); } sub smtproute_addentry { my $obj = shift; alarm(120); my $smtproute_entry = $obj->parent->getobj('SMTPRoutesNewEntry'); my $smtproute_ip = $obj->parent->getobj('SMTPRoutesNewIP'); my $smtproute_list = $obj->parent->getobj('SMTPRoutesListBox'); if (!$checker->domain(lc($smtproute_entry->get())) || $smtproute_ip->get !~ /^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$/) { $cui->error("Invalid domain or IP address specified"); $smtproute_entry->text(''); $smtproute_ip->text(''); return; } $smtproute_entry->text(''); $smtproute_ip->text(''); $smtproutes->{$smtproute_entry->get()} = $smtproute_ip->get(); $smtproute_list->values([sort keys %{$smtproutes}]); $smtproute_list->draw(1); } sub smtproute_save { alarm(120); if (!-e '/var/qmail/control/smtproutes') { $cui->error("Missing configuration file: /var/qmail/control/smtproutes"); unlink('/tmp/QmailAdmin.lock'); exit; } if (!-e '/var/qmail/control/rcpthosts') { $cui->error("Missing configuration file: /var/qmail/control/rcpthosts"); unlink('/tmp/QmailAdmin.lock'); exit; } open(SMTPROUTES,">/var/qmail/control/smtproutes") || die "couldn't open file: $!"; open(RCPTHOSTS,">/var/qmail/control/rcpthosts") || die "couldn't open file: $!"; for (keys %{$smtproutes}) { print SMTPROUTES "$_:$smtproutes->{$_}\n"; print RCPTHOSTS "$_\n"; } close(SMTPROUTES); close(RCPTHOSTS); `/usr/bin/qmailctl restart`; $cui->dialog("Changes saved"); } sub smtproute_revert { my $obj = shift; alarm(120); my $smtproute_list = $obj->parent->getobj('SMTPRoutesListBox'); $smtproutes = parse_smtproutes(); $smtproute_list->values([sort keys %{$smtproutes}]); $smtproute_list->draw(1); } sub parse_blacklist { my (@blacklistdom,@blacklistuser); if (!-e '/var/qmail/control/badmailfrom') { $cui->error("Missing configuration file: /var/qmail/control/badmailfrom"); unlink('/tmp/QmailAdmin.lock'); exit; } open(F,"/var/qmail/control/badmailfrom") || die "couldn't open blacklist file: $!"; while(<F>) { chomp; next if (/^(?:#.*|;.*|)$/); if (/^\@(.+)$/) { push(@blacklistdom,$1); } else { push(@blacklistuser,$_); } } @blacklistdom = sort @blacklistdom; @blacklistuser = sort @blacklistuser; return(\@blacklistdom,\@blacklistuser); } sub blacklist_deldomain { my $obj = shift; alarm(120); my $blacklist_domlist = $obj->parent->getobj('BlacklistDomList'); my $i = 0; for (@{$blacklistdomain}) { if ($_ eq $blacklist_domlist->get()) { splice(@{$blacklistdomain},$i,1); last; } $i++; } $blacklist_domlist->values($blacklistdomain); $blacklist_domlist->draw(1); } sub blacklist_deladdress { my $obj = shift; alarm(120); my $blacklist_userlist = $obj->parent->getobj('BlacklistUserList'); my $i = 0; for (@{$blacklistaddress}) { if ($_ eq $blacklist_userlist->get()) { splice(@{$blacklistaddress},$i,1); last; } $i++; } $blacklist_userlist->values($blacklistaddress); $blacklist_userlist->draw(1); } sub blacklist_adduser { my $obj = shift; alarm(120); my $blacklist_userlist = $obj->parent->getobj('BlacklistUserList'); my $blacklist_user = $obj->parent->getobj('BlacklistNewUser'); if (!valid($blacklist_user->get())) { $cui->error("Sorry, that is not a valid e-mail address"); return; } for (@{$blacklistaddress}) { if ($_ eq $blacklist_user->get()) { $cui->error("Sorry, that entry already exists!"); return; } } push(@{$blacklistaddress},$blacklist_user->get()); @{$blacklistaddress} = sort @{$blacklistaddress}; $blacklist_userlist->values($blacklistaddress); $blacklist_userlist->draw(1); $blacklist_user->text(''); } sub blacklist_adddomain { my $obj = shift; alarm(120); my $blacklist_domlist = $obj->parent->getobj('BlacklistDomList'); my $blacklist_dom = $obj->parent->getobj('BlacklistNewDom'); for (@{$blacklistdomain}) { if ($_ eq $blacklist_dom->get()) { $cui->error("Sorry, that entry already exists!"); return; } } if (!$checker->domain($blacklist_dom->get())) { $cui->error("Sorry, that seems to be an invalid domain name"); return; } push(@{$blacklistdomain},$blacklist_dom->get()); @{$blacklistdomain} = sort @{$blacklistdomain}; $blacklist_domlist->values($blacklistdomain); $blacklist_domlist->draw(1); $blacklist_dom->text(''); } sub blacklist_save { my $obj = shift; alarm(120); my $blacklist_domlist = $obj->parent->getobj('BlacklistDomList'); my $blacklist_userlist = $obj->parent->getobj('BlacklistUserList'); if (!-e '/var/qmail/control/badmailfrom') { $cui->error("Error, missing configuration file: /var/qmail/control/badmailfrom"); unlink('/tmp/QmailAdmin.lock'); exit; } open(F,">/var/qmail/control/badmailfrom") || die "couldn't open blacklist file: $!"; for (@{$blacklistdomain}) { print F "\@$_\n"; } for (@{$blacklistaddress}) { print F "$_\n"; } close(F); blacklist_revert($obj); `/usr/bin/qmailctl restart`; $cui->dialog("Changes saved"); } sub blacklist_revert { my $obj = shift; alarm(120); my $blacklist_domlist = $obj->parent->getobj('BlacklistDomList'); my $blacklist_userlist = $obj->parent->getobj('BlacklistUserList'); ($blacklistdomain,$blacklistaddress) = parse_blacklist(); $blacklist_domlist->values($blacklistdomain); $blacklist_domlist->draw(1); $blacklist_userlist->values($blacklistaddress); $blacklist_userlist->draw(1); } sub parse_trusted { my @trusted; open(F,"/etc/mail/spamassassin/trusted.cf") || die "couldn't open open trusted sites"; while(<F>) { chomp; next if (!/trusted_networks\s((?:(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(?:\/\d{1,2})?))$/); push(@trusted,$1); } close(F); @trusted = sort @trusted; return(\@trusted); } sub semitrust_delentry { my $obj = shift; my $semitrust_list = $obj->parent->getobj('STListbox'); my $i = 0; for (@{$trusted}) { if ($_ eq $semitrust_list->get()) { splice(@{$trusted},$i,1); last; } $i++; } $semitrust_list->values($trusted); $semitrust_list->draw(1); } sub semitrust_addentry { my $obj = shift; alarm(120); my $semitrust_list = $obj->parent->getobj('STListbox'); my $semitrust_entry = $obj->parent->getobj('STEntry'); if ($semitrust_entry->get() !~ /^(?:(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(?:\/\d{1,2})?)$/) { $cui->error("This doesn't appear to be a valid IP or CIDR network"); $semitrust_entry->text(''); return; } for (@{$trusted}) { if ($_ eq $semitrust_entry->get()) { $cui->error("This entry is already defined"); $semitrust_entry->text(''); return; last; } } push(@{$trusted},$semitrust_entry->get()); $semitrust_list->values($trusted); $semitrust_list->draw(1); } sub semitrust_save { my $obj = shift; alarm(120); my $semitrust_list = $obj->parent->getobj('STListbox'); open(F,">/etc/mail/spamassassin/trusted.cf") || die "couldn't open open trusted sites"; for (@{$trusted}) { print F "trusted_networks $_\n"; } close(F); `/usr/local/bin/svc -t /service/spamassassin`; $cui->dialog("Changes saved"); } sub semitrust_revert { my $obj = shift; alarm(120); $trusted = parse_trusted(); my $semitrust_list = $obj->parent->getobj('STListbox'); $semitrust_list->values($trusted); $semitrust_list->draw(1); } sub show_help_relay { alarm(120); $cui->dialog(<<"EOF"); The relay control page manages which servers are allowed to connect to this server, which servers/clients are allowed to relay mail through this server, as well as which service/clients will undergo greylisting and virus/spam filtering. Quick tips: - The first entry in the list (which is blank) is a catch-all. Everything that doesn't specifically match other rules will match the first entry. - Some entries can't be modified. This is a sanity check to make sure someone doesn't accidentally break anything. Ask Mark if you need to change these. - When an IP has the 'Relay' option, the other environment variables are irrelevant. - You _shouldn't_ need to change these settings. If you aren't sure what this does, refer to the documentation or ask around. This menu edits the following file: /etc/tcp.smtp When changes are applied, it also runs the following commands: qmailctl cdb EOF } sub show_help_whitelist { alarm(120); $cui->dialog(<<"EOF"); The whitelist control page manages SpamAssassin's whitelist. The whitelist is a list of envelope senders or sender domains for which we won't calculate a spam score. Quick tips: - This is the place to be to deal with users complaining of mis-tagged spam notifications. This menu edits the following file: /etc/mail/spamassassin/whitelist.cf When changes are applied, it also runs the following commands: EOF } sub show_help_smtproutes { alarm(120); $cui->dialog(<<"EOF"); The SMTP routes control page manages Qmail's artificial SMTP routes, as well as the recipient domain list (the list of domains for which the server will accept incomming mail for relaying. Quick tips: - The only time these settings need to be changed is if: a) we add a new domain b) the exchange server's IP address changes c) we delete a domain - The default setting for all domains here should be the IP address of your exchange server. The only time we'd want this to be something else is if we want to route mail to another mail server out on the internet somewhere. This page edits the following files: /var/qmail/control/smtproutes /var/qmail/control/rcpthosts When changes are applied, it also runs the following commands: qmailctl restart EOF } sub show_help_blacklist { alarm(120); $cui->dialog(<<"EOF"); The blacklist page control Qmail's envelope sender blacklist. Addresses or domains listed here will be rejected during the SMTP conversation. Quick tips: - Here's the place to block emails from specific senders. If you receive a complaint from a user that's constantly receiving spam from the same sender address, or a user is getting harassed by someone by email, you can add the offending e-mail address/domain here and it will be blocked. This page edits the following files: /var/qmail/control/badmailfrom When changes are applied, it also runs the following commands: qmailctl restart EOF } sub show_help_semitrust { alarm(120); $cui->dialog(<<"EOF"); This page controls SpamAssassin's trusted network list. A trusted network is a network which we consider will never send us any spam. This option shouldn't be used very often if at all. This page edits the following files: /etc/mail/spamassassin/trusted.cf When changes are applied, it also runs the following commands: svc -t /service/spamassassin EOF } sub idle_timeout { unlink('/tmp/QmailAdmin.lock'); $cui->error('This session has timed out, sorry!'); exit; }

# chmod +x /usr/bin/QmailAdmin

And here's where things get a bit tricky. QmailAdmin has a few variables that you'll need to update for it to work properly.

First off, we're going to add a safeguard to the admin utility. Search for the line :

my $defaultregex = '^(?:127\.|1\.2\.3\.|:).*$';

This defines a regular expression that we won't allow people who use QmailAdmin to modify. It safeguards someone accidentally turning your mail server into an open relay (or closed relay). This part of the code modifies the file /etc/tcp.smtp which is what defines relay control using tcprules.

If you followed these instructions, your /etc/tcp.smtp file should look like:

127.:allow,RELAYCLIENT=""

1.2.3.:allow,RELAYCLIENT=""
:allow,QMAILQUEUE="/var/qmail/bin/simscan"

In this example, we're assuming that you are operating from the 1.2.3.0/24 network and want to allow any host on this network to relay mail through your mail server.

Notice the red text above, I hope you see the connection. As a second example, suppose you wanted to add another network (2.2.2.0/24), to the list of trusted networks and wanted to make sure nobody could delete it with QmailAdmin, the default regex line would look like:

my $defaultregex = '^(?:127\.|1\.2\.3\.|2\.2\.2\.|:).*$';

And your /etc/tcp.smtp would look like:

127.:allow,RELAYCLIENT=""

1.2.3.:allow,RELAYCLIENT=""
2.2.2.:allow,RELAYCLIENT=""

:allow,QMAILQUEUE="/var/qmail/bin/simscan"

:. Closing thoughts

At this point, if you followed these instructions dilligently (and I documented the installation process correctly) you should have a working front-end that you can sit in front of a M$ Exchange server.

I'll leave the configuration necessary in Exchange to do this as an exercise to the reader (hell, if you use M$ and don't know how to do this, call M$ and get them to explain, that's what you pay them for).

Sit back, relax, and enjoy the spam you aren't receiving in your Inbox. With a little tweaking I'm sure this could be adapted to work as a front-end to a Unix system, or could be tweaked to actually deliver mail locally.

Feel free to send any questions may way, or god forbid you should find a typo or mistake/omission.