# Qmail & Invalid RCPT's

## CrackFarmer

So here is where I am at:  I am running Qmail with Vpopmail and all that (used the tutorial and got it all working).  Lately I have noticed that I am getting hit with 2 - 10 viruses a second.  Here is what my clamav log looks like:

```
Thu Dec 22 13:12:52 2005 -> /var/spool/qmailscan/tmp/digitalwebpros.com11352859707181646/jennifer the wild girl xxx07.jpg.pif: Worm.Zafi.B FOUND
Thu Dec 22 13:12:55 2005 -> /var/spool/qmailscan/tmp/digitalwebpros.com11352859737181653/huffyuv.pif: Worm.Zafi.B FOUND
Thu Dec 22 13:13:04 2005 -> /var/spool/qmailscan/tmp/digitalwebpros.com11352859807181663/www.ecard.com.funny.picture.index.nude.php356.pif: Worm.Zafi.B FOUND
Thu Dec 22 13:13:06 2005 -> /var/spool/qmailscan/tmp/digitalwebpros.com11352859787181660/www.ecard.com.funny.picture.index.nude.php356.pif: Worm.Zafi.B FOUND
Thu Dec 22 13:13:07 2005 -> /var/spool/qmailscan/tmp/digitalwebpros.com11352859857181670/huffyuv.pif: Worm.Zafi.B FOUND
Thu Dec 22 13:13:15 2005 -> /var/spool/qmailscan/tmp/digitalwebpros.com11352859787181661/www.ecard.com.funny.picture.index.nude.php356.pif: Worm.Zafi.B FOUND
```

After looking at my SMTP logs I saw that the users these emails are being sent to don't even exist on my mail server!  After looking around to see why, I found this:

"Qmail generally accepts all mail except relay attempts (provided /var/qmail/control/rcpthosts exists) and mail from blacklisted senders (/var/qmail/control/badmailfrom). That means: if someone sends a mail to you for a non-existent user (some spammers are notorious for grabbing Message-IDs and considering them as e-mail addresses) at your site, qmail will happily take the mail in, say "250 Ok" to the sender, then figure it has no user to deliver to, generate a bounce and send it back. Now assume someone sends a 5 MB mail: qmail accepts 5 MB in, and tries to send a 5 MB bounce out: 10 MB wasted.

Even worse, if the sender address is forged, qmail may annoy the wrong site with the 5 MB bounce, or it may not be able to deliver the bounce at all, and it may happen that the bounce sticks in your queue until its lifetime is expired. qmail does log the sender's IP, but that usually does not help much, particularly not if the bounce has been sent to an innocent."

So that really sucks, my server is accepting all of these worms for users that don't exist, and it is just using up bandwidth and proc time.  I have started banning IPs in my tcp file, but I have to keep adding IPs to it, which is a pain.

People have made patches to fix this "problem", but you have to patch the source, plus I am not sure if any of the patches even work with r16.

My question is:  Is everyone that uses qmail just living with this (seemingly serious) problem?  Is there a goodrcptto patch or something that I haven't found yet for gentoo (I hope so)?  Or just any solution to make qmail not accept mail for invalid accounts, and stop the SMTP conversation at the invalid RCPT command?  Thanks for any feedback.

----------

## codexwilkes

I am also trying to find a solution to this same problem -- has anyone solved this?

----------

## codexwilkes

Okay, I should have searched more.  I used http://gentoo-wiki.com/Qmail_Anti-Spam_Configuration, and this worked well.

----------

## eltech

 *codexwilkes wrote:*   

> Okay, I should have searched more.  I used http://gentoo-wiki.com/Qmail_Anti-Spam_Configuration, and this worked well.

What happened to this page? It vanished  :Sad:  Any way to explain what you did to put together a good solution?

EDIT: Nevermind.. I had clicked the hyperlink with the "," in it..   :Laughing: 

----------

## codexwilkes

This is the script that I used: http://perolo.vantage.at/qmail-spp/qmail-spp.plugin.vpopmail_check_recipient.html .

----------

## eltech

 *codexwilkes wrote:*   

> This is the script that I used: http://perolo.vantage.at/qmail-spp/qmail-spp.plugin.vpopmail_check_recipient.html .

 How did you install it? are you running gentoo qmail or original source qmail?

----------

## codexwilkes

I use Gentoo qmail (mail-mta/qmail-1.03-r16), and the cited script uses the plugin feature of qmail (see http://qmail-spp.sourceforge.net/doc/ ). I use vpopmail, which is why I choose this particular method to reject non-valid users at the SMTP exchange.  It does require you to use valias for aliases rather than hard-coding them in the .qmail files, FYI.  In brief, this was my install procedure as best as I can recall:

Create shell script from http://perolo.vantage.at/qmail-spp/qmail-spp.plugin.vpopmail_check_recipient 

```
nano -w /var/qmail/plugins/vpopmail_check_recipient.sh
```

```
#!/bin/sh
#*
#* Copyright (C) 2004 Perolo Silantico <per.sil@gmx.it> and
#*                    Pawel Foremski <pjf@gna.org>, et al.
#*
#* This program is free software; you can redistribute it and/or
#* modify it under the terms of the GNU General Public License
#* as published by the Free Software Foundation; either
#* version 2 of the License, or (at your option) any later
#* version.
#*
#* This program is distributed in the hope that it will be useful,
#* but WITHOUT ANY WARRANTY; without even the implied warranty of
#* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#* GNU General Public License for more details.
#*
#* You should have received a copy of the GNU General Public License
#* along with this program; if not, write to the Free Software Foundation,
#* Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
#***
#*
#* $Id$
#*
#*
# checks an email address provided as parameter with vpopmail or
# if called as a qmail-spp plugin using ${SMTPRCPTTO}
# returns
#   0   ... in case the email exists
#   1   ... in case this email does not exist

# path to vpopmail directory
VPOPMAIL_BINDIR=/var/vpopmail/bin
VDOMAININFO=${VPOPMAIL_BINDIR}/vdominfo
VALIAS=${VPOPMAIL_BINDIR}/valias
VUSERINFO="${VPOPMAIL_BINDIR}/vuserinfo -n"

# the recipient to check is the only parameter on the command line - if any present
RECIPIENT="$1"

## --- LOG settings
# trigger log messages
LOG_USE=0
LOG_PREFIX="qmail-spp (`basename $0`) [$$]: "

## --- qmail-spp settings
MSG_ERROR="E511 Sorry, no mailbox here by that name (#5.1.1)"
MSG_OK=""

# if this is a qmail-spp plugin, the recipient is passed via the environment
if [ ! -z "${SMTPRCPTTO}" ]; then
  RECIPIENT="${SMTPRCPTTO}"
  SPP=1
else
  SPP=0
fi

# if the recipient is empty it does not exist :)
# ("=" rather than "==" inside [ ] so the tests also work when /bin/sh is not bash)
if [ -z "${RECIPIENT}" ]; then
  [ "${LOG_USE}" = "1" ] && echo "${LOG_PREFIX}invalid empty recipient" 1>&2
  [ "${SPP}" = "1" ] && echo "${MSG_ERROR}"
  exit 1
fi

# get the domain name of the recipient
#DOMAIN=`/bin/echo $RECIPIENT | /bin/sed -e 's#.*@##'`
DOMAIN=${RECIPIENT##*@}

# get the user-name
BOX=${RECIPIENT%%@*}

# check if the box name contains invalid characters
if [ ! -z "`/bin/echo ${RECIPIENT} | /bin/grep '[^-0-9A-Za-z\.@_]'`" ]; then
  [ "${LOG_USE}" = "1" ] && echo "${LOG_PREFIX}invalid characters in recipient name: ${RECIPIENT}" 1>&2
  [ "${SPP}" = "1" ] && echo "${MSG_ERROR}"
  exit 1
fi

# check if the domain exists. If the domain is not on this host, this is
# a relay attempt
if [ "`${VDOMAININFO} ${DOMAIN} > /dev/null; echo $?`" != "0" ]; then
  # if RELAYCLIENT is set, then the user has authenticated before
  # relaying is allowed
  if [ "`set | /bin/grep RELAYCLIENT > /dev/null; echo $?`" = "0" -o ! -z "${SMTPAUTHUSER}" ]; then
    [ "${LOG_USE}" = "1" ] && echo "${LOG_PREFIX}relaying email to: ${RECIPIENT}"  1>&2
    [ "${SPP}" = "1" ] && echo "${MSG_OK}"
    exit 0
  else
    [ "${LOG_USE}" = "1" ] && echo "${LOG_PREFIX}no such domain: ${DOMAIN}"  1>&2
    [ "${SPP}" = "1" ] && echo "${MSG_ERROR}"
    exit 1
  fi
fi

# check the existence of the user
[ "`${VUSERINFO} ${RECIPIENT} > /dev/null; echo $?`" = "0" ] && exit 0

# check with valias if an alias or an e-mail address of that name exists
if [ ! -z "`${VALIAS} -s ${RECIPIENT} | /bin/grep ^${RECIPIENT}`" ]; then
  [ "${SPP}" = "1" ] && echo "${MSG_OK}"
  exit 0
fi

# no alias for that recipient email address has been recorded
# and no such user exists.
### get the home directory for that domain and check the existence of
### a .qmail-${BOX} file
HOMEPATH="`${VDOMAININFO} ${DOMAIN} | /bin/grep dir | /bin/sed -e 's#dir: *##'`"

# if a .qmail-${BOX} file exists, then delivery is possible
#if [ -e "${HOMEPATH}/.qmail-${BOX}" ]; then
if [ ! -z "`/bin/ls ${HOMEPATH}/.qmail-${BOX} 2> /dev/null`" ]; then
  [ "${SPP}" = "1" ] && echo "${MSG_OK}"
  exit 0
fi

# no other checks have proven the existence of this email address
[ "${LOG_USE}" = "1" ] && echo "${LOG_PREFIX}no such recipient: ${RECIPIENT} (${HOMEPATH}/.qmail-${BOX})" 1>&2
[ "${SPP}" = "1" ] && echo "${MSG_ERROR}"
exit 1
```

Remember to 

```
chmod a+x /var/qmail/plugins/vpopmail_check_recipient.sh
```

My notes say to set the sticky bit on vpopmail binaries 

```
/usr/bin/chmod u+s /var/vpopmail/bin/vuserinfo
/usr/bin/chmod u+s /var/vpopmail/bin/vdominfo
/usr/bin/chmod u+s /var/vpopmail/bin/valias
```

Enable the plugin in /var/qmail/control/smtpplugins under the [rcpt] area

```
nano -w  /var/qmail/control/smtpplugins
```

```
[rcpt]
plugins/vpopmail_check_recipient.sh
```

I hope this helps.

Last edited by codexwilkes on Sat Nov 11, 2006 7:24 pm; edited 1 time in total

----------

## eltech

 *codexwilkes wrote:*   

> I use Gentoo qmail (mail-mta/qmail-1.03-r16), and the cited script uses the plugin feature of qmail (see http://qmail-spp.sourceforge.net/doc/ ). I use vpopmail, which is why I choose this particular method to reject non-valid users at the SMTP exchange.  It does require you to use valias for aliases rather than hard-coding them in the .qmail files, FYI.  In brief, this was my install procedure as best as I can recall:
> 
> Create shell script from http://perolo.vantage.at/qmail-spp/qmail-spp.plugin.vpopmail_check_recipient 
> 
> ...

 awesome help codex .. i will give this a shot..

question .. will you see the reject msgs when tailing the qmail-smtpd logs? similar to invalid envelope and rbl listed messages?

----------

## codexwilkes

Yes. I use the following in my .bash_profile (as an alias):

```
tail -n 500 /var/log/qmail/qmail-smtpd/current | /usr/bin/tai64nlocal
```

----------

## eltech

 *codexwilkes wrote:*   

> Yes. I use the following in my .bash_profile (as an alias):
> 
> ```
> tail -n 500 /var/log/qmail/qmail-smtpd/current | /usr/bin/tai64nlocal
> ```
> ...

 hmmm why the alias?

----------

## codexwilkes

I don't type well, so I create aliases to make it easy to check my various logs.  So, for example, in my .bash_profile: 

```
alias mm='tail -n 500 /var/log/qmail/qmail-send/current | /usr/bin/tai64nlocal'
alias mmm='tail -n 500 /var/log/qmail/qmail-smtpd/current | /usr/bin/tai64nlocal'
```

Then I type

```
mm
```

 and my qmail-send logs print out with human-readable times (eg the /usr/bin/tai64nlocal part)

----------

## eltech

 *codexwilkes wrote:*   

> I don't type well, so I create aliases to make it easy to check my various logs.  So, for example, in my .bash_profile: 
> 
> ```
> alias mm='tail -n 500 /var/log/qmail/qmail-send/current | /usr/bin/tai64nlocal'
> ```
> ...

 ah .. now i understand.. 

Thank you very much for your help .. I will post the results of giving your steps a shot.. thanks again  :Smile: 

----------

## eltech

ok .. followed the steps and it seems that my mail has completely stopped. I can see it coming in by the smtp logs ..

any ideas where i should look?

EDIT: FIXED ..

chmod a+x vpopmail_check_recipient.sh

Last edited by eltech on Sat Nov 11, 2006 7:16 pm; edited 1 time in total

----------

## codexwilkes

What do your logs say? Also, try manually confirming an email address (if this fails, then acceptable email will be rejected).

```
/var/vpopmail/bin/vuserinfo valid_user_on_your_system@your_domain.com
```

----------

## eltech

 *codexwilkes wrote:*   

> What do your logs say? Also, try manually confirming an email address (if this fails, then acceptable email will be rejected).
> 
> ```
> /var/vpopmail/bin/vuserinfo valid_user_on_your_system@your_domain.com
> ```
> ...

codex it was the chmod.. great going.. its rejecting all non-existent addresses... not even seen in the smtpd logs.. it just straight delivers an ndr to the sender ..

awesome!

----------

## codexwilkes

Thanks for the update -- I have edited the original overview.  This is the first time I have helped someone else on the forum, so thank you for your patience.

----------

## eltech

 *codexwilkes wrote:*   

> Thanks for the update -- I have edited the original overview.  This is the first time I have helped someone else on the forum, so thank you for your patience.

 No thank you and I have updated my 'plea' for help  :Smile:  https://forums.gentoo.org/viewtopic-p-3711355.html#3711355

I help people all the time and I'm sure you are feeling just as I do .. great!

----------

## petterg

How does this script work with aliasdomains?

What about use with mailinglists like ezmlm? It looks to me (from reading the code) that it will accept mail to list@domain.tld, but not to list-subscribe@domain.tld. Is that true? In case, is there any fix for this?

----------

## eltech

 *petterg wrote:*   

> How does this script work with aliasdomains?
> 
> What about use with mailinglists like ezmlm? It looks to me (from reading the code) that it will accept mail to list@domain.tld, but not to list-subscribe@domain.tld. Is that true? In case, is there any fix for this?

It will accept whichever domain exists on your server. As I mentioned I'm running virtual domains so I'm confused about your question. Either way if you accept mail for the domain, it will accept the mail.

----------
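Added example, not part of the thread or of the plugin's own code: the script posted above tests only the exact file `.qmail-${BOX}`, while qmail-local also falls back to `-default` wildcard files, which is how an ezmlm list answers `list-subscribe@`. The helper name `dotqmail_match`, the sample directory and its files are constructed for illustration; skipping the bare `.qmail-default` assumes the usual vpopmail layout, where that file is the domain catch-all.

```shell
#!/bin/sh
# Added example (not from the thread): resolve BOX against a domain directory
# the way qmail-local does, including the "-default" wildcard files that
# ezmlm lists rely on (list-subscribe@ is handled by .qmail-list-default).

# dotqmail_match DIR BOX: print the matching .qmail file and return 0, else 1.
dotqmail_match() {
  dir=$1
  # qmail-local lowercases the extension and turns "." into ":" in file names
  ext=$(printf '%s' "$2" | LC_ALL=C tr 'A-Z.' 'a-z:')
  if [ -e "$dir/.qmail-$ext" ]; then
    printf '%s\n' "$dir/.qmail-$ext"
    return 0
  fi
  # Drop one trailing "-component" at a time: a-b-c -> a-b-default, a-default
  prefix=$ext
  while :; do
    case $prefix in
      *-*) prefix=${prefix%-*} ;;
      *)   break ;;
    esac
    if [ -e "$dir/.qmail-$prefix-default" ]; then
      printf '%s\n' "$dir/.qmail-$prefix-default"
      return 0
    fi
  done
  # Assumption: the bare .qmail-default is deliberately not tried. In a vpopmail
  # domain directory it is the catch-all, so honouring it accepts every address.
  return 1
}

# Constructed sample: a domain directory holding one ezmlm-style list.
demo_dir() {
  d=$(mktemp -d) || return 1
  : > "$d/.qmail-default"
  : > "$d/.qmail-list"
  : > "$d/.qmail-list-default"
  : > "$d/.qmail-list-return-default"
  printf '%s\n' "$d"
}

d=$(demo_dir)
for box in list list-subscribe List-Return-42-x nosuchuser; do
  if f=$(dotqmail_match "$d" "$box"); then echo "$box -> ${f##*/}"
  else echo "$box -> reject"; fi
done
rm -rf "$d"
```

In the plugin, a call such as `dotqmail_match "${HOMEPATH}" "${BOX}"` would take the place of the `/bin/ls ${HOMEPATH}/.qmail-${BOX}` test.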

