Parallels H-Sphere Documentation System Administrator Guide

 

Qmail Configuration

 
 

Related Docs: Introduction to H-Sphere Mail | Mail ToDo | H-Sphere Mail Installation/Upgrade From Sources | Rules Du Jour

Last modified: 23 Jan 2008

 

WARNING: This documentation covers Parallels H-Sphere versions up to 3.1. For the latest up-to-date Parallels H-Sphere documentation, please proceed to the official Parallels site.

H-Sphere offers enhanced Qmail SMTP server configuration. Most enhancements have been added to fight spam at the server level.

  Mail Flow Chart

Antivirus and Antispam Filters (SpamAssassin and ClamAV)

The Qmail update incorporates SpamAssassin and ClamAV filters at the server level. It uses an improved qmail-queue patch concept, where the use of the QMAILQUEUE variable is replaced with checking recipient addresses against the clamavclients and spamdclients databases (see the drawing). H-Sphere users can add their mail addresses to the database to have them checked for spam and viruses. User-defined antispam preferences are stored in a MySQL database.

Mail is filtered by standalone clamd and spamd services. We had to get rid of the Qmail-Scanner Perl wrapper, because it is rather heavy and unreliable for high-load SMTP servers. Instead, we use the clamdmail software, which is fast and adapted to working with clamd and/or spamd.

Updating Virus Patterns

The mail server cron has a script that updates virus patterns every day at 12AM. You can change the cron schedule manually.

Enabling Antivirus and Antispam

ClamAV and SpamAssassin have been added to H-Sphere as resources, and can be enabled and disabled from the control panel:

  1. Global Settings. In Plans -> Globals, check Antispam and Antivirus and click Submit Query.
  2. Plans. In Plans -> Plans select the plans where you would like to enable spam and virus protection. On the first page of the wizard, enable Antispam and Antivirus. Optionally, set prices for these resources on the subsequent steps.

Configuring ClamAV and SpamAssassin at the Server Level

  • ClamAV: edit file /hsphere/local/config/mail/clamav/clamav.conf. The format and options of this file are fully described in the clamav.conf(5) manual. Remember - you must remove the "Example" directive. Be careful not to change the values of LocalSocket and TCPSocket.

  • SpamAssassin: edit file /hsphere/local/config/mail/spamassassin/local.cf as suggested in the SpamAssassin documentation. Note that external modules like Bayesian rules, razor2, dcc, and pyzor are not included, so please be careful not to enable related options.

Restarting ClamAV and SpamAssassin

See Restarting Services.

Updating ClamAV Database

Each hour cron updates the ClamAV antivirus databases. Execute crontab -l to see the list of cron tasks for a mail server. The following line indicates that the ClamAV database is updated each hour:

0 * * * * /hsphere/shared/bin/freshclam --quiet

ClamAV database update is configured in /hsphere/local/config/mail/clamav/freshclam.conf.

User Settings

ClamAV and SpamAssassin settings can be configured per mail domain and individual mailbox. Please see the User Guide for details.

 

Integrated Antispam Addons

Besides SpamAssassin, H-Sphere Qmail includes a series of third-party and in-house antispam addons:

  • Fehcom Spamcontrol patch (based on the spamcontrol-2.4.17 release), extended with the ability to switch whitelist extensions on and off dynamically;
  • qmail-smtpd badmailfrom-unknown addon;
  • Qmail patch to allow Qmail to use a concurrency greater than 240;
  • doublebounce-trim patch to discard double bounces without queuing them;
  • Jose Luis Painceira's patch that deletes the body of bouncing messages. This patch is based on Fred Lindberg's patch that preserves the MIME-ness of bouncing MIME messages;
  • qmail-maildir++.patch (from the Vpopmail distribution);
  • Psoft addon that checks if the sender's address in POP-before-SMTP authentication is local and the recipient's address is remote;
  • Psoft addon that checks if the domain name in the sender's address matches the domain name used in SMTP authentication;
  • Andre Oppermann's ext-todo patch, which solves the 'silly qmail syndrome', where qmail spends more time processing incoming email than scheduling deliveries;
  • big-DNS patch, which fixes the oversize DNS packet problem;
  • Modified version of the Qmail chkuser 0.6 patch that checks if the vpopmail recipient is valid before accepting the message.

Important: In the upcoming versions, we are planning to add a series of new features included into our Mail ToDo list.

 

Qmail Server Settings

Default Qmail server settings, including antispam options, can be configured in the admin control panel in the E.Manager -> Servers -> Mail Servers menu:

  1. Select Mail Servers from the E.Manager -> Servers menu.
  2. Click the Action icon in the Mail Server Settings section.
  3. Edit the qmail settings following the on-screen explanations and click Submit.

IMPORTANT: Values can be of three types:

  • Text: can be either a line, like @12.34.56.78, or a list, for example a list of addresses in badmailfrom.
    badmailfrom is the file that contains the list of senders from whom mail is not accepted.
  • Number, like 1000 in databytes.
    databytes is the file that contains the maximum allowed size of a message.
  • Boolean, like 0 or 1 in smtpauth.
    0 disables SMTP Auth, 1 enables it.
    Note: 0 is also assumed by default if the corresponding control file is absent.

Thus, for example, if you have to enable SMTP Auth, you create/modify the /var/qmail/control/smtpauth control file and put 1 in it. To disable SMTP Auth, put 0 in the control file or just delete the control file.

Text values may also contain patterns: wildcard expressions that define the range of email addresses, domains and IPs a filtering rule applies to.

Control characters in patterns:

  • Exclamation mark (!): allows you to INCLUDE particular clients/addresses by simply putting an exclamation mark (!) as the first character of the line.
  • Asterisk (*): general pattern matching character; one or more preceding.
  • Question mark (?): match zero or one preceding.
  • Backslash (\): literal expression of the following character, e.g. \[.
  • Match one from a set ([...]): e.g. [Ff][Aa][Kk][Ee] matches FAKE, fake, FaKe, FAKe etc.
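The pattern syntax above, together with the badmailpatterns and badrcptpatterns examples given in the parameter list that follows, worked through in an added example that is not part of this guide or of qmail-smtpd. It assumes wildmat-style globbing (* any run of characters, ? one character, [...] a set, \ an escape, a leading ! marking an allow line) and case-sensitive matching; the address 192.0.2.1 in the recipient pattern is a constructed documentation value.

```python
"""Matcher for the wildcard patterns of badmailpatterns, badrcptpatterns and
blackholedsender. Added example, not the qmail-smtpd/spamcontrol code.

Assumed semantics (wildmat-style globbing, as the guide's examples read):
  *      any run of characters (possibly empty)
  ?      any single character
  [...]  one character out of a set, e.g. [Ff][Aa][Kk][Ee]
  \\x     the literal character x, e.g. \\[ for a bracket
  !      first character of a line: explicitly INCLUDE (allow) the matching
         addresses, overriding any blocking line
Matching is case-sensitive, which is why the guide spells out [Ff][Aa][Kk][Ee]
and offers the separate lowercase control.
"""
import re


def pattern_to_regex(pattern):
    """Translate one pattern line into an anchored regular expression."""
    parts = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            parts.append(".*")
        elif c == "?":
            parts.append(".")
        elif c == "\\" and i + 1 < len(pattern):
            i += 1
            parts.append(re.escape(pattern[i]))  # escaped char is literal
        elif c == "[":
            end = pattern.find("]", i + 1)
            if end == -1:
                parts.append(re.escape(c))       # unterminated set: literal '['
            else:
                parts.append("[" + pattern[i + 1:end] + "]")
                i = end
        else:
            parts.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(parts) + "$")


def load_patterns(text):
    """Parse control-file text into (allow, regex) rules, skipping blank lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        allow = line.startswith("!")
        rules.append((allow, pattern_to_regex(line[1:] if allow else line)))
    return rules


def is_blocked(address, rules):
    """Blocked if any blocking line matches, unless a '!' line matches too."""
    blocked = False
    for allow, regex in rules:
        if regex.match(address):
            if allow:
                return False
            blocked = True
    return blocked


# The badmailpatterns example from the guide.
BADMAILPATTERNS = """
*@earthlink.net
!fred@earthlink.net
[0-9][0-9][0-9][0-9][0-9]@[0-9][0-9][0-9].com
answerme@save*
*%*
"""

# A badrcptpatterns line in the guide's *\[dd.dd.dd.dd\]* form; 192.0.2.1 is a
# constructed documentation address, and the escaped brackets match literally.
BADRCPTPATTERNS = r"*\[192.0.2.1\]*"


def sender_blocked(address):
    return is_blocked(address, load_patterns(BADMAILPATTERNS))


def recipient_blocked(address):
    return is_blocked(address, load_patterns(BADRCPTPATTERNS))


if __name__ == "__main__":
    for addr in ("bob@earthlink.net", "fred@earthlink.net", "12345@123.com",
                 "answerme@savemoney.example", "joe%example.org@relay.example",
                 "alice@example.org"):
        print(f"{addr:32} blocked={sender_blocked(addr)}")
    print("user@[192.0.2.1] blocked as recipient:", recipient_blocked("user@[192.0.2.1]"))
```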

  • tcpsessioncount: the number of concurrent SMTP connections.
    Default: 40. Changing this parameter requires a Qmail restart.
  • concurrencyremote: the number of qmail-send processes for message delivery to remote addresses.
    Default: 100. Max: 500. If Max is exceeded, the Max value is set.
  • concurrencylocal: the number of qmail-send processes for message delivery to local addresses.
    Default: 50. Max: 500. If Max is exceeded, the Max value is set.
  • databytes: maximum size of a message.
    Default: 0 (unlimited).
  • queuelifetime: the message queue lifetime in seconds.
    Default: 604800 (1 week).
  • bouncefrom: the email user messages are bounced from.
    Default: MAILER-DAEMON;
  • maxrecipients: maximum number of recipients in the "TO:", "CC:", and "BCC:" fields.
    Default: 0 (unlimited).
  • maxwrongrcpt (in hsphere-mail-service-4-14+): maximum number of wrong recipients in the envelope.
    Default: 0 (unlimited).
  • timeoutsmtpd: TCP connection timeout in seconds.
    Default: 1200.
  • newline: accept or reject mail from mail user agents (MUA) that send commands without CR (carriage return).
    Default: 0 (disabled);
  • stripsinglequotes: enable or disable stripping single quotes (referred to in the spamcontrol manual as the feature that may cause unpredictable results).
    Default: 0 (disabled);
  • lowercase: enable or disable conversion of mail address to lowercase; it may be useful in filtering patterns, for case-sensitive rules.
    Default: 0 (disabled).
  • badmailfrom: list of sender addresses whose emails will be rejected. A line in badmailfrom may be of the form @host, meaning every address at host.
    Default: the badmailfrom file is absent (all sender addresses are allowed); see also splithorizon.
  • badmailpatterns: the same as standard badmailfrom but with patterns. Example:
    *@earthlink.net
    !fred@earthlink.net
    [0-9][0-9][0-9][0-9][0-9]@[0-9][0-9][0-9].com
    answerme@save*
    *%*

    Default: the badmailpatterns file is absent (all sender addresses are allowed); see also splithorizon.
  • badmailfrom-unknown: if the domain part of the sender's address matches a host in this list, qmail checks whether the sender's IP has a PTR record.
    Default: the badmailfrom-unknown file is absent (reverse DNS check is disabled for all IPs);
  • badhelo: filters the HELO/EHLO sequence issued by the SMTP client; see also splithorizon.
  • badrcptto: list of recipient addresses for which all mail is blocked. A line in badrcptto may be of the form @host, meaning every address at the host.
    Default: the badrcptto file is absent (no recipient addresses are blocked);
  • badrcptpatterns: the same as badrcptto but with patterns. For example, it allows qmail-smtpd to reject spam email by including the pattern
    *\[dd.dd.dd.dd\]*
    in the badrcptpatterns file, where dd.dd.dd.dd is the IP address in brackets.
    Default: the badrcptpatterns file is absent (no recipient addresses are blocked);
  • blackholedsender: the same as badmailpatterns but quits the session immediately even if quitasap is disabled;
  • relayclients: list of IP addresses of clients allowed to relay mail through this host. Addresses in relayclients may be wildcarded:
    192.168.0.1:
    192.168.1.:
    
    Default: the relayclients file is absent (all client IPs are allowed to relay mail via this host);
  • relaydomains: list of host and domain names allowed to relay mail through this host. This is an additional mail relay check by domain name, for the case when relaying via the tcp.cdb static relay database is forbidden.
    Addresses in relaydomains may be wildcarded:
    heaven.af.mil:
    .heaven.af.mil:

    Default: the relaydomains file is absent (all domains are allowed to relay mail);
  • relaymailfrom: list of senders ("Mail From:") allowed to relay independently even if open relay is closed. Entries in relaymailfrom can be email addresses, or just the domain (with the @ sign). Unlike relaydomains, entries are written as plain addresses. Examples:
    joeblow@domain1.com
    @domain2.com

    Default: the relaymailfrom file is absent (no senders are allowed to relay independently).
    Important: For antispam security reasons, we strongly recommend not adding this parameter to the SMTP configuration.
  • quitasap: enables (1) or disables (0) quitting the SMTP session immediately if one of the above rules matches.
    Default: 0 (no quitting).
    Enabling this option is recommended only in case of spam attacks or huge spam traffic to your server. When enabled, quitasap breaks the SMTP connection as soon as one of the enabled checks above gives a negative result. Use the quitasap option with caution, as breaking the SMTP connection is contrary to the requirements of correct SMTP server operation.
  • tarpitcount: the number of recipients after which qmail switches on a delay before processing the next portion of recipients.
    Default: 0 (no tarpitting);
  • tarpitdelay: tarpitdelay is the time in seconds of delay to be introduced after each subsequent RCPT TO:.
    Default: 5.
  • mfdnscheck: enables (1) or disables (0) DNS check of domain name in sender's address. If enabled, no local domain check is performed.
    Default: 0 (disabled);
  • nomfdnscheck: list of domain names that aren't checked for existence. The list has the same format as for relaymailfrom.
    Default: the nomfdnscheck file is absent (if mfdnscheck is enabled, all domains are checked for existence);
  • helodnscheck: in a manner similar to mfdnscheck, performs the check on the HELO/EHLO SMTP command instead of RCPT TO:. See also splithorizon.
  • splithorizon: if 1, the helodnscheck, badhelo, badmailfrom, badmailpatterns and mfdnscheck checks are not performed for SMTP sessions with open relay.
  • userchk: enables (1) or disables (0) check that the vpopmail recipient is valid before accepting the message.
    Default: 0 (disabled);
  • smdcheck: allows only local domains in the MAIL FROM address if mail is sent remotely.
    If the option is enabled, SMTP is used, otherwise - Sendmail is.
    Default: 0 (any sender address is allowed);
  • authsender: if set to 1, requires the domain name in the user address used for SMTP authentication to coincide with the domain name in the MAIL FROM address field.
    a. By default: '0' if the smtpauth parameter is OFF.
    b. By default: '2' if the smtpauth parameter is ON. (3.0 Patch 5+)
    Note: value '2' is used as an additional procedure providing correct traffic calculation in case of dynamic open relay. In this case, instead of recording the mail envelope sender domain, the traffic log records the domain used in SMTP authentication.
  • rblhosts: RBL (Remote Black List) database hosts. Example:
    dnsbl.njabl.org
    spamguard.leadmon.net

    (3.0 RC4+) Anti-RBL sources may also be added, in the format a:domainname.
    Default: the rblhosts file is absent (RBL check is disabled: no external RBL databases are checked).

    Note 1:
    The H-Sphere Qmail MTA is built with the "A" record patch, so it is possible to enable a DNSBL that does not support "TXT" DNS records, for instance the Trend Micro Network Reputation Services DNSBL. In HS 3.0 Patch 5+, you can enable its support via Mail Service Settings in the Admin CP. At the moment, you can do it by adding the string:

    "activationcode.r.mail-abuse.com:blocked using Trend Micro RBL+, please see http://www.mail-abuse.com/cgi-bin/lookup?ip_address=%IP%"

    Note 2:
    a. the quotation marks are necessary;
    b. for a commercial RBL, like Trend Micro RBL+, after the service is rendered, the corresponding value should be set instead of activationcode.

  • (3.0 RC4+) qmailspp: enables Qmail plugin support.
    Default: 0 (disabled);
  • (3.0 RC4+) flagfailclosed: always treat a DNS lookup failure as a temporary error (451).
    Default: 0 (disabled);
  • (3.0 RC4+) flagrblbounce: treat an RBL error status code as fatal (553) instead of the default policy, a temporary error (451).
    Default: 0 (disabled);
  • (3.0+) stricthelocheck (options file, disabled by default): considers the HELO command obligatory.
  • (3.0+) chksignature (options file): provides badsignatures filtering for mail resources with the antivirus check enabled. Default: 0 (disabled);
  • (3.0+) chkloadertype (options file): provides badloadertypes filtering for mail resources with the antivirus check enabled. Default: 0 (disabled).

    Both chksignature and chkloadertype provide wire-speed filtering of emails containing BASE64-encoded attachments with about 99.5% efficiency: http://www.fehcom.de/qmail/docu/virus_2004.pdf

    Note: chksignature provides robust MIME type identification; particular MIME types can be added on the fly. It is based on Russell Nelson's (and Charles Cazabon's) idea of filtering Windows executables attached as BASE64-encoded MIME parts of the email. The following signatures, which detect common, double and triple Base64 encodings of Windows executables, are included (control/badsignatures):
    TVqQAAMAA
    TVpQAAIAA
    TVpAALQAc
    TVpyAXkAX
    TVrmAU4AA
    TVrhARwAk
    TVoFAQUAA
    TVoAAAQAA
    TVoIARMAA
    TVouARsAA
    TVrQAT8AA
    TVrvAEQAe
    UEsDBAoAA
    VFZxUUFBT
    VkZaeFVVR
    ZGltIGZpb
    
    Note: chkloadertype provides highly efficient and unique loader type recognition. This procedure is heavier than the signature check, however, and is less recommended. The predefined loader type check looks for Kernel32.dll (loader types specific to the Windows OS are included in control/badloadertypes):
    Mi5kb
    MzIuZ
    MyLmR
    MyLkR
    Mi5ET
    My5le
    

    Note: The list of signatures is static, not configurable via CP interface. If you want to add something, you should edit the corresponding control files: badloadertypes and badsignatures.

  • (3.0+) sms: Restriction of Max messages for one email value for Mail SMS resource (Max value: 3)
    Default: 3
  • spamglobal: antispam check of all incoming mail.
    Default: 0 (disabled);
  • clamglobal: antivirus check of all incoming mail.
    Default: 0 (disabled);
  • skipcachk: ClamAV (antivirus filter) check restriction.
    Default: 0 (disabled);
  • skipsachk: SpamAssassin (antispam filter) check restriction. Default: 0 (disabled);
  • periplimit: the number of simultaneous SMTP connections allowed from the same IP.
  • noathost: requires a fully qualified email address (with domain) in the RCPT TO and MAIL FROM SMTP commands.
    Default: 0 (disabled).
    If you enable this parameter, you will never get reject/bounce messages or return receipts, and you may get other mail server admins upset at you if they have to deal with your bounce messages. Since this is contrary to the requirements of correct SMTP server operation (mail servers are required by RFC 1123 5.2.9 to accept mail from "<>"), use the noathost parameter with caution.
  • sanetcheck: enables/disables network checks for SpamAssassin.
    Default: 0 (disabled).
    By default, SpamAssassin performs only local tests. By enabling this parameter you also enable network tests for SpamAssassin, such as DCC_CHECK (Distributed Checksum Clearinghouse, an antispam content filter), URIDNSBL (looks up URLs found in the message against several DNS blocklists), etc. These network tests use Internet resources.
    Network tests must be set in the additional configuration file /hsphere/local/config/mail/spamassassin/custom.cf. The path to this file is set via the include directive of the main SpamAssassin local.cf file. Use this additional configuration file for SpamAssassin plugins and options.
  • badurls: (Removed as expired in 2.5 Patch 10 +) enables/disables sending any URLs contained in infected messages to the Comodo antispam database. Default: 0 (disabled).
  • urlscnt: (Removed as expired in 2.5 Patch 10 +) specifies the number of "bad" URLs to be sent to the Comodo antispam database. Default: 5
  • spamdchildren: specifies the number of forked spamd child processes.
    Default: 10. We recommend increasing it for servers with a large number of smtpd connections.
  • rcptdnschecks: allows only existing mail domain names of recipients.
    Default: 0 (off).
  • uquotacheck: bounces the message during the SMTP session when the mailbox quota is exceeded.
    Default: 0 (off).
  • localtime: generates date stamps in local time zones for various qmail programs.
    Default: 0 (off).
  • samsgsize: maximum size, in bytes, of a message to be sent to spamd.
  • (in 3.0 Patch 5) catchall: allows disabling the 'Catch All' option independently of user settings.
    Default: 1 (enabled).
  • (in 3.0 Patch 5) rejectdiscardedmail: rejects incoming messages to mailboxes with the discard option at SMTP level.
    Default: 0 (disabled).
  • skipsachk, skipcachk (in hsphere-mail-service-4-33+): skip the SpamAssassin (SA)/antivirus (CA) check:
    • skipcachk=0 and/or skipsachk=0 or absent: default setting - the CA and/or SA check is always performed, if enabled
    • skipcachk=1 and/or skipsachk=1: the CA and/or SA check is skipped for SMTP-authenticated users
    • skipcachk=2 and/or skipsachk=2: the CA and/or SA check is skipped for SMTP connections with dynamic or static open relays and for SMTP-authenticated users

Note: For an example of patterns, see the canonical spam filtering method in README_SPAMCONTROL.
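How qmail-smtpd resolves the control files listed above, modelled in an added Python example that is not H-Sphere's code: an absent boolean file counts as 0, numeric controls are clamped to their documented maximum, authsender defaults according to smtpauth, skipcachk/skipsachk apply their 0/1/2 levels, and a badmailfrom @host line covers every address at that host. The control directory and its contents are constructed in a temporary directory, and falling back to the default for an unparsable number is an assumption.

```python
"""Model of how qmail-smtpd resolves H-Sphere control files. Added example,
not H-Sphere code; the sample control directory is constructed below."""
import os
import tempfile


def read_control(control_dir, name):
    """Non-empty, stripped lines of a control file, or None if the file is absent."""
    path = os.path.join(control_dir, name)
    if not os.path.exists(path):
        return None
    with open(path) as f:
        return [line.strip() for line in f if line.strip()]


def boolean(control_dir, name):
    """Boolean control: 1 enables, anything else (including an absent file) is 0."""
    lines = read_control(control_dir, name)
    return 1 if lines and lines[0] == "1" else 0


def number(control_dir, name, default, maximum=None):
    """Numeric control with a default for an absent file and an optional cap."""
    lines = read_control(control_dir, name)
    if not lines:
        return default
    try:
        value = int(lines[0])
    except ValueError:
        return default  # unparsable content: fall back to the default (assumption)
    if maximum is not None and value > maximum:
        value = maximum  # the guide: "If Max is exceeded, Max value is set."
    return value


def authsender(control_dir):
    """authsender: an absent file means 0 with smtpauth off, 2 with smtpauth on."""
    lines = read_control(control_dir, "authsender")
    if lines:
        return int(lines[0])
    return 2 if boolean(control_dir, "smtpauth") else 0


def skip_filter(control_dir, name, authenticated, relay_client):
    """skipcachk / skipsachk: 0 or absent always checks; 1 skips the check for
    SMTP-authenticated users; 2 also skips it for static/dynamic open-relay clients."""
    level = number(control_dir, name, default=0)
    if level == 1:
        return authenticated
    if level == 2:
        return authenticated or relay_client
    return False


def badmailfrom_rejects(control_dir, sender):
    """badmailfrom: exact sender addresses, or @host meaning every address at host.
    An absent file allows all senders."""
    lines = read_control(control_dir, "badmailfrom") or []
    _, at, host = sender.rpartition("@")
    return any(entry == sender or (entry.startswith("@") and entry == at + host)
               for entry in lines)


def build_sample_control_dir():
    """Constructed stand-in for /var/qmail/control; userchk and authsender are absent."""
    control_dir = tempfile.mkdtemp()
    files = {
        "smtpauth": "1\n",
        "concurrencyremote": "800\n",  # above the documented maximum of 500
        "skipsachk": "2\n",
        "badmailfrom": "@spam.example\nmallory@example.org\n",
    }
    for name, body in files.items():
        with open(os.path.join(control_dir, name), "w") as f:
            f.write(body)
    return control_dir


def resolve(control_dir):
    """Effective settings, as qmail-showctl would report them."""
    return {
        "smtpauth": boolean(control_dir, "smtpauth"),
        "userchk": boolean(control_dir, "userchk"),
        "concurrencyremote": number(control_dir, "concurrencyremote", 100, maximum=500),
        "concurrencylocal": number(control_dir, "concurrencylocal", 50, maximum=500),
        "authsender": authsender(control_dir),
        "skip_sa_for_relay_client": skip_filter(control_dir, "skipsachk", False, True),
        "skip_ca_for_relay_client": skip_filter(control_dir, "skipcachk", False, True),
    }


if __name__ == "__main__":
    d = build_sample_control_dir()
    for key, value in resolve(d).items():
        print(f"{key}: {value}")
    print("bob@spam.example rejected:", badmailfrom_rejects(d, "bob@spam.example"))
```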

 

Mail Client Headers

Starting with version 2.5.0 Patch 7, the X-Originating-IP and X-Envelope-To mail client headers are included in H-Sphere by default. They introduce the following controls:

  • xoriginatingip: includes X-Originating-IP header into mail client according to AOL recommendations (enabled by default)
  • xenveloptoheader: includes X-Envelope-To header which is required by some mail clients to identify real envelope sender (disabled by default)

 

Autoresponder Settings

(H-Sphere 3.1 Beta 1+)

H-Sphere provides an autoresponder policy. Enter the necessary parameters and click Submit:

  • patterns_policy - the autoresponder works only if a Sender Filter is configured in the user CP. The default value is 0 (disabled).
  • autoreply_policy - an autoreply is sent only if the SENDER's originating IP corresponds to the target recipient's IP or subnet

Bounce Message Customization

H-Sphere enables bounce and double-bounce messaging when mail cannot be delivered. Enter the necessary parameters and click Submit:

  • bouncingip: parameter removed in H-Sphere 3.0 RC 2 in favour of a separate Outgoing IP setting for the mail server. Once you add the Outgoing IP via the Admin CP, bouncingip disappears from the Qmail parameters.
  • bouncefrom: the email user messages are bounced from.
    Default: MAILER-DAEMON;
  • bouncehost: the literal name or IP of the bounce host. If a message is permanently undeliverable, qmail-send sends a single-bounce notice back to the message's envelope sender, from bouncefrom@bouncehost. Default: mail server name.
  • doublebouncehost: the literal name or IP of the double-bounce host. If a single-bounce notice is permanently undeliverable, qmail-send sends a double-bounce notice to doublebounceto@doublebouncehost. Default: mail server name.
  • doublebounceto: the user email to receive double-bounce messages.
  • bouncesubject: the bounce message subject.
  • bouncemessage: the text of the bounce message.
  • doublebouncesubject: the double-bounce message subject.
  • doublebouncemessage: the text of the double-bounce message.
  • temperror (hsphere-mail-service-4-14+): treats a temporary error as a permanent one for local, remote, or local and remote mail.
  • strictbounce (in hsphere-mail-service-4-14+): allows a bounce to act as a double bounce, and a bounce and double bounce to act as a triple bounce (i.e. the bounce message is discarded).

Mail Protocols

Choose the system SMTP relay mechanism for your mail server: POP before SMTP and/or SMTP AUTH.

  • smtpauth: enables the SMTP AUTH extension.
    Default: 0 (the AUTH LOGIN/PLAIN/CRAM-MD5 SMTP extension is disabled)
  • popbeforesmtp: enables POP-before-SMTP.
  • opensmtptimeout: sets the open relay lifetime, in minutes, after POP-before-SMTP authentication. Default: 180 min.

SPF (Sender Policy Framework)

H-Sphere's SPF implementation at the SMTP server level is based on a qmail SPF patch. It introduces the following qmail controls:

  • spfbehavior: turns SPF checking on/off. The default value is 0 (off). You can specify a value between 0 and 6:
    • 0: Never do SPF lookups, don't create Received-SPF headers
    • 1: Only create Received-SPF headers, never block
    • 2: Use temporary errors when you have DNS lookup problems
    • 3: Reject mails when SPF resolves to fail (deny)
    • 4: Reject mails when SPF resolves to softfail
    • 5: Reject mails when SPF resolves to neutral
    • 6: Reject mails when SPF does not resolve to pass

    Values bigger than 3 are strongly discouraged.

    Important: This setting can be overridden using the environment variable SPFBEHAVIOR, e.g. from tcpserver rules.
    Note: If RELAYCLIENT is set, SPF checks won't run at all (this also includes SMTP-AUTH and similar patches).

  • spfrules: sets a line with local rules, i.e., rules that are executed before the real SPF rules for a domain would fail (fail, softfail, neutral).
    They are also executed for domains that don't publish SPF entries.
  • spfguess: sets a line with guess rules, i.e., rules that are used if the domain doesn't publish SPF rules. The local spfrules are always executed afterwards.
  • spfexp: customized SPF explanation. The explanation is the line returned to the SMTP sender when a mail is rejected at the SMTP level. You can use macro expansion. If a domain specifies its own explanation it is going to be used instead. The SMTP answer when rejecting mails will look like: 550 the expanded SPF explanation (#5.7.1)

SRS (Sender Rewriting Scheme)

SRS is implemented with the following qmail control files located in the /var/qmail/control/srs directory:

  • revers_srs_secrets: contains the keys, called secrets, used to form the hash of SRS addresses for reverse mail. The file lists the secrets one per line, the most recent on top. Qmail takes the top key first when checking an SRS address and, if it doesn't fit, tries the remaining keys one after another. If none fit, the message is rejected. The file has 400 permissions and vpopmail:vchkpw ownership.
  • srs_secrets: secrets for SRS addresses in forwards. The file has 400 permissions and qmaill:qmail ownership.
  • srs_secrets_age: an auxiliary file recording when each key in revers_srs_secrets and srs_secrets was created. It is generated by the /var/qmail/bin/setsrssecret script and consists of lines in the following format:

    key timestamp

  • srs_max_age: an integer value (in seconds) for the maximum permitted age of a rewritten address. SRS rewritten addresses expire after the specified time, after which it is assumed that no more bounces may be generated in response to the original mail. Mail sent to an expired SRS address is dropped without ceremony. The default (about a month) should be appropriate for all purposes.

These controls are initialized and set by running the /var/qmail/bin/setsrssecret script. You can also run this script from cron on mail servers.

Read more about SRS qmail controls at http://www.libsrs2.org/docs/index.html.
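The secret-rotation and expiry rules described above, modelled in an added Python example that is not H-Sphere or libsrs2 code. The SRS0 address layout (SRS0=HHHH=TT=domain=local@forwarder, with HHHH the first 4 base64 characters of an HMAC-SHA1 and TT a 2-character base32 day stamp) follows libsrs2 but is an assumption of this example; the secrets, sender addresses and timestamps are constructed.

```python
"""Model of the SRS secret handling in /var/qmail/control/srs. Added example,
not H-Sphere or libsrs2 code; the SRS0 encoding details are assumptions.

It exercises the rule the guide states: the newest secret is on top and is
tried first, older ones are tried in turn, an address that no secret fits is
rejected, and an address older than srs_max_age is dropped."""
import base64
import hashlib
import hmac

BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
HASH_LENGTH = 4
TIMESTAMP_PERIOD = 1024      # two base32 digits: the day stamp wraps every 1024 days
SECONDS_PER_DAY = 86400


def encode_day(day):
    day %= TIMESTAMP_PERIOD
    return BASE32[(day >> 5) & 31] + BASE32[day & 31]


def decode_day(stamp):
    return (BASE32.index(stamp[0]) << 5) | BASE32.index(stamp[1])


def srs_hash(secret, stamp, domain, local):
    """HMAC-SHA1 over the lower-cased stamp, original domain and local part."""
    data = (stamp + domain + local).lower().encode()
    mac = hmac.new(secret.encode(), data, hashlib.sha1).digest()
    return base64.b64encode(mac).decode()[:HASH_LENGTH]


def forward(sender, forwarder, secret, now):
    """Rewrite `sender` for forwarding via `forwarder`; `secret` is the top line of srs_secrets."""
    local, domain = sender.rsplit("@", 1)
    stamp = encode_day(now // SECONDS_PER_DAY)
    return f"SRS0={srs_hash(secret, stamp, domain, local)}={stamp}={domain}={local}@{forwarder}"


def reverse(address, secrets, srs_max_age, now):
    """Check a bounce addressed to an SRS0 address against revers_srs_secrets
    (newest first) and srs_max_age (seconds). Returns (status, original_sender),
    status being one of 'ok', 'invalid', 'rejected', 'expired'."""
    parts = address.rpartition("@")[0].split("=", 4)
    if len(parts) != 5 or parts[0] != "SRS0":
        return "invalid", None
    _, digest, stamp, domain, orig_local = parts
    if (len(digest) != HASH_LENGTH or not digest.isascii()
            or len(stamp) != 2 or any(ch not in BASE32 for ch in stamp)):
        return "invalid", None
    # Newest secret on top, so a current address costs one HMAC; older secrets are
    # tried in turn, which is what keeps mail in flight valid across a rotation.
    if not any(hmac.compare_digest(srs_hash(s, stamp, domain, orig_local), digest)
               for s in secrets):
        return "rejected", None
    age_days = (now // SECONDS_PER_DAY - decode_day(stamp)) % TIMESTAMP_PERIOD
    if age_days > srs_max_age // SECONDS_PER_DAY:
        return "expired", None   # "dropped without ceremony"
    return "ok", f"{orig_local}@{domain}"


if __name__ == "__main__":
    NOW = 1_700_000_000                       # constructed current time
    SECRETS = ["k2-current", "k1-previous"]   # constructed revers_srs_secrets, newest first
    MAX_AGE = 30 * SECONDS_PER_DAY            # constructed srs_max_age
    addr = forward("alice@example.org", "fwd.example.net", SECRETS[0], NOW)
    print(addr)
    print(reverse(addr, SECRETS, MAX_AGE, NOW + SECONDS_PER_DAY))
    print(reverse(addr, SECRETS, MAX_AGE, NOW + 40 * SECONDS_PER_DAY))
```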

 

Command Line Qmail Configuration

Qmail installation directory is usually /var/qmail/.

SMTPd configuration files are also called control files. Each SMTP parameter is configured in its own control file with the same name, for example, /var/qmail/control/smtpauth for smtpauth parameter.

All controls are placed in one configuration file, /var/qmail/control/options.

To view the SMTP server configuration, run the qmail-showctl utility as root:

# /var/qmail/bin/qmail-showctl

You will get the list of SMTP parameters. Each line in the list has the following format:

smtp_parameter: [(Default.)] Value

Each smtp_parameter may be set in its own control file with the same name, located in the /var/qmail/control directory. The file contains the parameter's value. If the file is not found, the default value is taken and the default notification (Default.) shows up in the configuration list.

 

Syslog Facility/Level Configuration For rblsmtpd

rblsmtpd is a generic tool to block mail from RBL-listed sites. It is located in /hsphere/shared/bin/rblsmtpd.

It is possible to customize syslog facility/level settings for rblsmtpd to redirect messages to custom log files. The following facilities/levels are customizable (read man 3 syslog for details):

Facilities                      Levels
LOG_AUTH                        LOG_EMERG
LOG_AUTHPRIV                    LOG_ALERT
LOG_CRON                        LOG_CRIT
LOG_DAEMON                      LOG_ERR
LOG_FTP                         LOG_WARNING
LOG_KERN                        LOG_NOTICE (default for FreeBSD)
LOG_LOCAL0 ... LOG_LOCAL7       LOG_INFO (default for Linux)
LOG_LPR                         LOG_DEBUG
LOG_MAIL (default)
LOG_NEWS
LOG_SYSLOG
LOG_USER
LOG_UUCP

Custom facility/level records are set in the /var/qmail/control/rblsyslog file, for example:

LOG_LOCAL7:LOG_WARNING

You must also add the respective record to /etc/syslog.conf (see man syslog.conf for details) to redirect messages to a new log file, for example:

local7.warn /var/log/myrbllog
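Added example, not part of H-Sphere or rblsmtpd: it translates an rblsyslog record into the syslog.conf selector that has to accompany it, applies the platform defaults for an absent file, and checks that a given syslog.conf line actually receives messages logged at that facility and level (a selector such as local7.warn silently drops messages logged at LOG_INFO).

```python
"""Translate a /var/qmail/control/rblsyslog record into its /etc/syslog.conf
selector and check the two agree. Added example, not H-Sphere or rblsmtpd code.
Facility and level names are those the guide lists; the syslog.conf keywords
are the standard ones (LOG_WARNING is written 'warn', as in the guide)."""

FACILITY_KEYWORDS = {
    "LOG_AUTH": "auth", "LOG_AUTHPRIV": "authpriv", "LOG_CRON": "cron",
    "LOG_DAEMON": "daemon", "LOG_FTP": "ftp", "LOG_KERN": "kern",
    "LOG_LPR": "lpr", "LOG_MAIL": "mail", "LOG_NEWS": "news",
    "LOG_SYSLOG": "syslog", "LOG_USER": "user", "LOG_UUCP": "uucp",
}
FACILITY_KEYWORDS.update({f"LOG_LOCAL{n}": f"local{n}" for n in range(8)})

# Most to least severe; the list index is the numeric priority.
LEVELS = ["LOG_EMERG", "LOG_ALERT", "LOG_CRIT", "LOG_ERR",
          "LOG_WARNING", "LOG_NOTICE", "LOG_INFO", "LOG_DEBUG"]
LEVEL_KEYWORDS = {"LOG_EMERG": "emerg", "LOG_ALERT": "alert", "LOG_CRIT": "crit",
                  "LOG_ERR": "err", "LOG_WARNING": "warn", "LOG_NOTICE": "notice",
                  "LOG_INFO": "info", "LOG_DEBUG": "debug"}
# Priority of every spelling syslog.conf accepts for a level.
KEYWORD_PRIORITY = {"emerg": 0, "panic": 0, "alert": 1, "crit": 2, "err": 3, "error": 3,
                    "warn": 4, "warning": 4, "notice": 5, "info": 6, "debug": 7}

DEFAULT_FACILITY = "LOG_MAIL"


def default_level(platform):
    """Absent rblsyslog file: LOG_NOTICE on FreeBSD, LOG_INFO on Linux (per the guide)."""
    return "LOG_NOTICE" if platform == "freebsd" else "LOG_INFO"


def parse_rblsyslog(content, platform="linux"):
    """Parse 'FACILITY:LEVEL' from the rblsyslog file; None means the file is absent."""
    if content is None or not content.strip():
        return DEFAULT_FACILITY, default_level(platform)
    facility, sep, level = content.strip().partition(":")
    if not sep:
        raise ValueError("rblsyslog must be FACILITY:LEVEL")
    if facility not in FACILITY_KEYWORDS:
        raise ValueError(f"unknown facility {facility!r}")
    if level not in LEVEL_KEYWORDS:
        raise ValueError(f"unknown level {level!r}")
    return facility, level


def syslog_conf_selector(facility, level):
    """The selector to put in /etc/syslog.conf, e.g. 'local7.warn'."""
    return f"{FACILITY_KEYWORDS[facility]}.{LEVEL_KEYWORDS[level]}"


def selector_catches(selector, facility, level):
    """Does a syslog.conf selector receive messages rblsmtpd logs at facility/level?
    'fac.lvl' matches that facility at lvl and at every more severe level."""
    sel_facility, _, sel_level = selector.partition(".")
    if sel_facility not in ("*", FACILITY_KEYWORDS[facility]):
        return False
    if sel_level in ("", "*"):
        return True
    if sel_level == "none":
        return False
    return LEVELS.index(level) <= KEYWORD_PRIORITY[sel_level]


def check_config(rblsyslog_content, syslog_conf_line, platform="linux"):
    """Return (selector_needed, caught) for an rblsyslog record and a syslog.conf line."""
    facility, level = parse_rblsyslog(rblsyslog_content, platform)
    selector = syslog_conf_line.split()[0]
    return syslog_conf_selector(facility, level), selector_catches(selector, facility, level)


if __name__ == "__main__":
    # The guide's pair: rblsyslog LOG_LOCAL7:LOG_WARNING, syslog.conf local7.warn.
    print(check_config("LOG_LOCAL7:LOG_WARNING", "local7.warn /var/log/myrbllog"))
    # A mismatch: rblsmtpd logs at LOG_INFO but the syslog.conf line takes warn and above only.
    print(check_config("LOG_LOCAL7:LOG_INFO", "local7.warn /var/log/myrbllog"))
```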

The file /var/qmail/control/sysfacility contains the name of the syslog facility (one of LOG_LOCAL0 ... LOG_LOCAL7) used to gather mail traffic statistics. This file appears after updating to H-Sphere 2.4.3 Patch 1 or higher.

 

SMTP Log

(updated for H-Sphere 2.5 Patch 1)

In H-Sphere 2.5 Patch 1 and up, the maillog format is extended:

  • remote IPs of SMTP sessions are logged by default;
  • the smtplog parameter is introduced in the /var/qmail/control/options file:
    • 0: default logging mode
    • 1: restricted mode of SMTP session logging
    • 2: complete SMTP logging
    This parameter is not included in the CP and is not modified in the admin interface, as it serves debugging purposes only.

 

H-Sphere Mail Client and ESMTP Destination Server

(H-Sphere 3.0 Patch 7+)

Starting with hsphere-mail-service-4-32, the mail client can check whether the following extensions are available on the destination server and, if so, use them:

  • ESMTP STARTTLS extension defined in RFC 3207
  • ESMTP SIZE extension defined in RFC 1870
  • ESMTP PIPELINING extension defined in RFC 2920

By default, only the ESMTP SIZE/PIPELINING check is performed, and these extensions are used if the destination server supports them.

Switching the qmail-remote client over to use them is done via the mconnectext control file, whose content has the following format:

iii

where each i equals 0 or 1 and
  • the first 'i' corresponds to STARTTLS
  • the second 'i' corresponds to SIZE
  • the third 'i' corresponds to PIPELINING

 

Qmail-spp Support

(for H-Sphere 3.0 RC 4+)

H-Sphere 3.0 RC 4 and up adds a qmail-spp engine which provides plugin support for qmail's SMTP daemon (qmail-smtpd). It's written entirely in C using native qmail libraries, so it does not create any dependencies. The qmail-spp engine implementation is aimed at adding the rblspp plugin as a replacement for rblsmtpd.

To make the server and plugins work faster, follow these rules:

  • Use the engine only as circumstances require, i.e. to add new plugins.
  • Do not run plugins via the system shell, that is, do not add ":" just before the plugin path. Avoid command line parameters and plugins written in shell/Perl.
  • Use full paths to plugins.
  • Accumulate functionality in one particular plugin rather than using different plugins.

Configuration Details

Qmail-spp support can be enabled via the CP interface and configured in the /var/qmail/control/options file (qmailspp boolean parameter). When the qmail-spp engine is involved, qmail-smtpd tries to read the main default configuration file of qmail-spp, /var/qmail/control/smtpplugins, which consists of a few sections, one for each command:

connection - for plugins run just after client connection
helo - for HELO/EHLO
mail - for MAIL
rcpt - for RCPT
data - for DATA
auth - for AUTH

Mind that you have to specify full paths to plugins while configuring qmail-spp. For more info on the syntax, refer to the qmail-spp documentation.

To add plugins to conf file, use the following utility:

/var/qmail/bin/spp-conf -h

Usage:

-a|-r|-R -h -b -s -p plugin_name -t category_name
plugins must be located at /var/qmail/control/plugins directory.
plugin_name:  relative plugin name
category_name: connection, auth, helo, mail, rcpt, data
-a :  add plugin (by default)
-r :  remove plugin
-R :  remove all plugins
-b :  input from stdin set of rows, format: category_name;plugin_name
-s :  plugin is executed via shell
-i :  check and fix plugin permissions

 

Qmail TLS Support

(for H-Sphere 3.0 Patch 2+)

In a mail service configured with SSL, TLS is disabled by default; the mail-ssl-proto script is used to switch it on.

To enable TLS support (with possible protocols: SSLv2, SSLv3, TLSv1, by default SSLv3 only), run:

/hsphere/local/config/mail/scripts/mail-ssl-proto -r -t SSLv3,TLSv1

Where:

  • mail-ssl-proto script sets list of SSL protocols used by mail service.
  • -r provides mail service restart.

 

Integrated Plugins

Rblspp Plugin

(for H-Sphere 3.0 RC 4+)

The Rblspp plugin was added as a replacement for rblsmtpd. It resolves the RBL check delay problem for successfully SMTP-authenticated connections. For this, the ucspi-tcp-0.88-rblspp.patch patch was combined with ifauthskip.c, and command line parameters were removed to speed up the plugin launch.

If RBL check is involved but plugin support is disabled, default rblsmtpd scheme is used.





© Copyright 2017. Parallels Holdings. All rights reserved.