# *RESOLVED* Qmail + VPOPMAIL + courierimap + NOT WORKING

## BobOki

This CANNOT be that damn difficult!

All I want is a server that allows people external to my network to connect to my server and send mail when authenticated.

What I have got thus far has been 553 rcpthosts errors, relay-ctrl headaches, massive multiple conflicting "fixes", horribly written instructions that are so bad they are useless, and still not a damn thing working.

I have managed to get everything MOSTLY back to working. I still cannot send mail from an external site (one that's not listed as a relay).

error of:

The message could not be sent because one of the recipients was rejected by the server. The rejected e-mail address was XXXXXXXXXXXXX. Subject 'Test', Account: 'mail.boboki.com', Server: 'mail.boboki.com', Protocol: SMTP, Server Response: '553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)', Port: 25, Secure(SSL): No, Server Error: 553, Error Number: 0x800CCC79

My settings are:

```
# Configuration file for qmail-smtpd
# $Header: /home/cvsroot/gentoo-x86/net-mail/qmail/files/1.03-r13/conf-smtpd,v 1.2 2003/11/30 03:00:20 robbat2 Exp $

# Stuff to run before tcpserver
#QMAIL_TCPSERVER_PRE=""

# Stuff to run qmail-smtpd
#QMAIL_SMTP_PRE=""

# Stuff to after qmail-smtpd
#QMAIL_SMTP_POST=""
QMAIL_SMTP_POST="localhost /var/vpopmail/bin/vchkpw /bin/true"

# this turns off the IDENT grab attempt on connecting
TCPSERVER_OPTS="${TCPSERVER_OPTS} -R"

# You might want to use rblsmtpd with this, but you need to fill in a RBL server here first
# see http://cr.yp.to/ucspi-tcp/rblsmtpd.html for more details
#QMAIL_SMTP_PRE="${QMAIL_SMTP_PRE} rblsmtpd -r RBL-SERVER"

# If you are interested in providing POP or IMAP before SMTP type relaying,
# emerge relay-ctrl, then uncomment the next 2 lines
#QMAIL_TCPSERVER_PRE="${QMAIL_TCPSERVER_PRE} envdir /etc/relay-ctrl relay-ctrl-chdir"
#QMAIL_SMTP_PRE="${QMAIL_SMTP_PRE} relay-ctrl-check"

# In /etc/courier-imap/authdaemonrc add the next line to the end:
#authmodulelist="${authmodulelist} relay-ctrl-allow"

# Then in /etc/courier-imap/{imapd,imapd-ssl,pop3d,pop3d-ssl}
# Add this at the end
#PRERUN="${PRERUN} envdir /etc/relay-ctrl relay-ctrl-chdir"

# This next block is for SMTP-AUTH
# This provides the LOGIN, PLAIN and CRAM-MD5 types
# the 'cmd5checkpw' used in $QMAIL_SMTP_AUTHCHECKPASSWORD supports CRAM-MD5
# and reads its data from /etc/poppasswd
# see the manpage for cmd5checkpw for details on the passwords
# uncomment the next four lines to enable SMTP-AUTH
QMAIL_SMTP_AUTHHOST=$(<${QMAIL_CONTROLDIR}/me)
[ -z "${QMAIL_SMTP_POST}" ] && QMAIL_SMTP_POST=/bin/true
QMAIL_SMTP_CHECKPASSWORD="/var/vpopmail/bin/vchkpw"
QMAIL_SMTP_POST="${QMAIL_SMTP_AUTHHOST} ${QMAIL_SMTP_CHECKPASSWORD} ${QMAIL_SMTP_POST}"
```

```
# Configuration file for qmail-pop3d
# $Header: /home/cvsroot/gentoo-x86/net-mail/qmail/files/1.03-r13/conf-pop3d,v 1.1 2003/10/27 09:42:54 robbat2 Exp $

# Stuff to run before tcpserver
#QMAIL_TCPSERVER_PRE=""

# Stuff to run before the authenticator
#QMAIL_POP3_PREAUTH=""

# Stuff to run after the user has authenticated successfully
QMAIL_POP3_POSTAUTH="localhost /var/vpopmail/bin/vchkpw /bin/true"

# this should contain the FQDN of your server
# by default it pulls the value from qmail
# which should be correct
QMAIL_POP3_POP3HOST="$(<${QMAIL_CONTROLDIR}/me)"

# If you want POP3 before SMTP, and you are using this POP3 daemon
# uncomment the next two lines
#QMAIL_TCPSERVER_PRE="${QMAIL_TCPSERVER_PRE} envdir /etc/relay-ctrl relay-ctrl-chdir"
#QMAIL_POP3_POSTAUTH="${QMAIL_POP3_POSTAUTH} /usr/bin/relay-ctrl-allow"

# This controls what password authentication tool POP3 uses
# It must support DJB's checkpassword interface (http://cr.yp.to/checkpwd.html)
#QMAIL_POP3_CHECKPASSWORD="/bin/checkpassword"
# the variable name must be spelled exactly as the init script expects,
# otherwise the assignment is silently ignored and the default is used
QMAIL_POP3_CHECKPASSWORD="/var/vpopmail/bin/vchkpw"

# cmd5checkpw only validates passwords from /etc/poppasswd
#QMAIL_POP3_CHECKPASSWORD="/bin/cmd5checkpw"
```

```
IMAPDSTART=YES

#Hardwire a value for ${MAILDIR}
MAILDIR=.maildir

#Put any program for ${PRERUN} here
PRERUN=
```

```
POP3DSTART=YES

#Hardwire a value for ${MAILDIR}
MAILDIR=.maildir

#Put any program for ${PRERUN} here
PRERUN=
```

Anything you need, just ask... I am about ready to pull my hair out...

----------

## kashani

Have you added the domains you receive mail for to the following files?

/var/qmail/control/rcpthosts

/var/qmail/control/locals

kashani

----------

## BobOki

Yes I have.

The only way I can get it to send is if I allow relaying to whatever EXTERNAL IP I am on. It makes me think there is something wrong with my courier-pop3d or imapd, yet if I telnet into 110 and go thru the motions it accepts the password.

----------

## kashani

How are you trying to send the email, through imap or smtp? It's a bit unclear from the thread. If through imap, my understanding is that imap would authenticate you, accept the email, and then relay through qmail as localhost. If through smtp then qmail would need to authenticate you and then sends the mail itself.

The error you mentioned is qmail so I'm thinking the problem is with qmail or you don't have 127.0.0.1:allow,RELAYCLIENT="" in your /etc/tcp.smtp.

kashani

----------

## BobOki

I am sending via pop3.

I can send to anywhere from within an ip on my local network, simply because I allowed relaying from 192.168.0.

But anyone on any other ip anywhere else cannot send mail and gets the above error.

I have all my pertinent configs above as well. If anyone needs any other ones, I'll be happy to post them.

Besides that, I don't think SpamAssassin and clamav are doing ANYTHING AT ALL. I see no checks in host headers. I see qmail-scanner checking, but nothing else.
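The relay rules kashani and BobOki are discussing live in /etc/tcp.smtp and are compiled with tcprules into the cdb that tcpserver reads. The following is an added example, not code from this thread or from qmail, that models how tcpserver picks the matching rule (exact address, then longest dotted prefix, then the empty default rule) and how qmail-smtpd then decides whether RCPT TO is accepted: a RELAYCLIENT variable in the matched rule, or a successful SMTP-AUTH, skips the rcpthosts check; otherwise the recipient domain must be in rcpthosts or the 553 from the first post comes back. The rule file and rcpthosts list are constructed for the example; the range and prefix handling follows the documented tcprules syntax, and the one simplification is that hostname (`=`) rules are not modelled.

```python
import re

# Constructed sample rules mirroring the ones discussed in this thread
# (localhost and 192.168.0.* as relay clients, everyone else plain allow).
SAMPLE_TCP_SMTP = '''\
127.0.0.1:allow,RELAYCLIENT=""
192.168.0.:allow,RELAYCLIENT=""
10.0.0.5-9:allow,RELAYCLIENT=""
:allow
'''

# Constructed stand-in for /var/qmail/control/rcpthosts; a leading dot matches subdomains.
SAMPLE_RCPTHOSTS = ["boboki.com", ".boboki.com"]

RCPTHOSTS_REJECT = "553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)"


def _expand(addr):
    """tcprules expands a last-octet range such as 10.0.0.5-9 into individual addresses."""
    m = re.fullmatch(r'(\d+\.\d+\.\d+\.)(\d+)-(\d+)', addr)
    if not m:
        return [addr]
    base, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
    return [f"{base}{i}" for i in range(lo, hi + 1)]


def parse_rules(text):
    """Parse tcprules lines 'address:action,VAR="value",...' into {address: (action, env)}."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        addr, _, rest = line.partition(':')
        action, *assignments = rest.split(',')
        env = {}
        for item in assignments:
            name, _, value = item.partition('=')
            env[name] = value.strip('"')
        for a in _expand(addr):
            rules[a] = (action, env)
    return rules


def lookup(rules, ip):
    """Return (matched_key, (action, env)) in tcpserver's lookup order: the exact
    address, then dotted prefixes from longest to shortest, then the empty default
    rule. With no matching rule at all tcpserver accepts the connection."""
    octets = ip.split('.')
    keys = [ip] + ['.'.join(octets[:n]) + '.' for n in (3, 2, 1)] + ['']
    for key in keys:
        if key in rules:
            return key, rules[key]
    return None, ('allow', {})


def rcpt_decision(rules, ip, rcpt, rcpthosts=SAMPLE_RCPTHOSTS, authenticated=False):
    """Approximate qmail-smtpd's answer to RCPT TO: (accepted, reason).

    RELAYCLIENT in the environment (set by tcpserver from the matching rule, or by the
    SMTP-AUTH patch after a successful AUTH) disables the rcpthosts check entirely."""
    key, (action, env) = lookup(rules, ip)
    if action == 'deny':
        return False, f"connection from {ip} denied by rule {key!r}"
    if authenticated or 'RELAYCLIENT' in env:
        return True, f"relaying allowed for {ip} (rule {key!r}, authenticated={authenticated})"
    domain = rcpt.rpartition('@')[2].lower()
    for host in rcpthosts:
        host = host.lower()
        if domain == host or (host.startswith('.') and domain.endswith(host)):
            return True, f"local delivery: {domain} is covered by rcpthosts"
    return False, RCPTHOSTS_REJECT


def is_open_relay(rules):
    """True when the catch-all rule grants RELAYCLIENT, i.e. anyone may relay through you."""
    _, env = rules.get('', ('allow', {}))
    return 'RELAYCLIENT' in env


if __name__ == '__main__':
    rules = parse_rules(SAMPLE_TCP_SMTP)
    for ip, auth in [('192.168.0.77', False), ('203.0.113.9', False), ('203.0.113.9', True)]:
        print(ip, rcpt_decision(rules, ip, 'someone@example.net', authenticated=auth))
    print('open relay:', is_open_relay(rules))
```

The external client at 203.0.113.9 gets exactly the 553 from the first post unless it authenticates, while the 192.168.0.x client is relayed because of the prefix rule; the `is_open_relay` check is the thing to run before adding a bare `:allow,RELAYCLIENT=""` line in frustration.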

----------

## adaptr

 *BobOki wrote:*   

> I am sending via pop3.

 

Tell us - I'm curious how you do that !

Seriously - you're not.

POP3 cannot send anything.

You may mean you're using pop-before-smtp - in that case, pop3 is used to authenticate to qmail.

----------

## BobOki

Let me restate that. 

I am TRYING to send via pop3.   :Laughing: 

I don't have pop3 before smtp setup, but if that would fix my problem, I suppose I can get relay-ctrl or whatever.

I just verified that I get the SAME error if I try to use IMAP on an external ip.

I don't want to setup my server as an open relay, there HAS to be a way to fix it!

----------

## BobOki

Just found some  more errors. This is from my qmail-send current log

```
@40000000405dd8861eca0abc starting delivery 16: msg 288110 to local boboki@animeserver
@40000000405dd8861eca128c status: local 2/10 remote 0/20
@40000000405dd8861f0c3c0c delivery 15: deferral: Unable_to_chdir_to_maildir._(#4.2.1)/
@40000000405dd8861f0c5b4c status: local 1/10 remote 0/20
@40000000405dd8861f1a268c delivery 16: deferral: Unable_to_chdir_to_maildir._(#4.2.1)/
@40000000405dd8861f1a3244 status: local 0/10 remote 0/20
@40000000405dd8a01eeda01c starting delivery 17: msg 287872 to local boboki@animeserver
@40000000405dd8a01eedb78c status: local 1/10 remote 0/20
@40000000405dd8a01f28ebcc delivery 17: deferral: Unable_to_chdir_to_maildir._(#4.2.1)/
@40000000405dd8a01f29033c status: local 0/10 remote 0/20
```

My domain that I am using is boboki.com. animeserver is the PC hostname. I don't see what it's trying to do.

----------

## BobOki

More headaches.

I just did a telnet to port 25 and here is the NON-EDITED result:

```
220 *****************
ehlo
502 unimplemented (#5.5.1)
HELO
250 animeserver
AUTh
502 unimplemented (#5.5.1)
AUTH PLAIN
502 unimplemented (#5.5.1)
```

Something is seriously not right...

I copied the original conf-smtpd and conf-pop3d files back over the old ones. Then I modified QMAIL_SMTP_POST="boboki.com /var/vpopmail/bin/vchkpw /bin/true"

And uncommented the SMTP_AUTH.

Pop3 seems to check and authenticate just fine:

```
+OK Hello there.
USER *commented*
+OK Password required.
PASS *commented*
+OK logged in.
```

However, I STILL get the SAME Protocol: SMTP, Server Response: '553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)', Port: 25, Secure(SSL): No, Server Error: 553, Error Number: 0x800CCC79, so it's like NOTHING has changed.

I am very curious about that SMTP telnet session, as it looks NOTHING like anyone else's.

----------

## BobOki

 *adaptr wrote:*   

>  *BobOki wrote:*   I am sending via pop3. 
> 
> Tell us - I'm curious how you do that !
> 
> Seriously - you're not.
> ...

 

BAH... now i see what you are saying.

I am trying to send via SMTP.. but I also tried to send IMAP.. neither seemed to work.

----------

## skunkworx

Disclaimer:  I don't use vpopmail, and am not familiar with how it integrates with qmail.

It looks like your original post boils down to this question:  How come server mail.boboki.com is rejecting messages bound for "@boboki.com" addresses, saying, "sorry, that domain is not in my list of allowed rcpthosts"?  If that is what you were asking, kashani gave you the answer: If you want your server to accept messages bound for "@boboki.com" addresses, "boboki.com" must appear in /var/qmail/control/rcpthosts.  If, for example, you have "mail.boboki.com" listed, but not "boboki.com", addresses ending in "@mail.boboki.com" will work, but addresses ending in "@boboki.com" will not.

I imagine vpopmail has its own interface for editing /var/qmail/control/rcpthosts, so you may want to use that.

Depending on how vpopmail handles virtual users, "boboki.com" will also need to appear in either /var/qmail/control/locals or /var/qmail/control/virtualdomains.  I suspect the latter file is used, and again, you may want to use vpopmail's interface for configuring these files.

 *Quote:*   

> Just found some more errors. This is from my qmail-send current log
> 
> ```
> 
> @40000000405dd8861eca0abc starting delivery 16: msg 288110 to local boboki@animeserver 
> ...

 

qmail has received a message for boboki@animeserver, and is trying to deliver it to local user "boboki".  The maildir (mailbox directory) for boboki cannot be accessed (which can happen when the directory doesn't exist or has the wrong file permissions), and qmail has no other instructions on what to do with boboki's email.  So, qmail is instead deferring the delivery of those messages, hoping to be told what to do with them before it has to give up and return those messages to their senders.

I suspect vpopmail is at work here, and that what it's trying to do is reroute any messages bound for "@boboki.com" addresses to the local address "boboki@animeserver" (an entry in /var/qmail/control/virtualdomains could be responsible for this rerouting).  Local user "boboki" should have additional forwarding rules set up to deliver the message to the right virtual user's mailbox.  Perhaps these forwarding rules are missing; that would explain why qmail is instead trying to deliver the message directly to boboki's maildir.  See if vpopmail provides a tool for rebuilding the necessary configuration for each local user that is in charge of processing virtual users' email.

 *Quote:*   

> More headaches. 
> 
> I just did a telnet to port 25 and here is the NON-EDITED result: 
> 
> 220 ***************** 
> ...

 

That is not output from qmail.  Either you have another SMTP program running, or perhaps you are hitting a router/firewall that is diverting SMTP traffic.  Was this when you tried to connect to your server from outside of your network?  Some ISPs do not allow people to set up their own mail servers, and either block or reroute port-25 traffic to enforce this ban.  Hopefully that's not the case here; check your server and make sure there are no conflicting email server programs at work (postfix, sendmail, ssmtp, etc.), and also check your router/firewall (if you have one) and make sure it is forwarding SMTP traffic to the right server.

----------

## BobOki

Great post. Let me get to the answers.

I can receive mail to boboki.com just fine. All messages that are sent to, say, boboki@boboki.com (my address) have no problems getting there.

The virtualdomains file DOES have boboki.com. The problem comes in when I am trying to send an e-mail OUT to ANYWHERE in the world from an external IP via POP or IMAP. It seems that when I am sending from an IP that is NOT set in the tcp.smtp as an open relay, it will NOT send e-mail and gets the standard 553 error. Also, I verified that there are no other SMTP programs loaded: emerge -C ssmtp exim postfix sendmail

Let me take a second to reiterate that I can receive ALL mail fine, be it from the web frontend, IMAP, or POP3. HOWEVER, I cannot send with POP3 or IMAP; I can ONLY send using the web frontend, and the only reason I believe I can do that is because I have 127.0.0.1 and 192.168.0 as open relays.

The output I came to find out is what smtp looks like when it goes thru a PIX 501 firewall. I will look a tad bit more into that, make sure thats not conflicting with authentication. As far as I know it however, the pix is configured to allow smtp, and the ports are forwarded to that internal ip.

With the same configuration (I didn't change it when I switched to linux from windows 2003) it worked on my older setup, windows 2003 and mdaemon.

----------

## skunkworx

 *Quote:*   

> I can recive mail to boboki.com just fine. All messages that are sent to say boboki@boboki.com (my address) have no problems getting there. 

 

Okay, so everything for receiving email is set up correctly, or otherwise has been fixed.  Those entries you posted from qmail's logs could still be cause for concern. However, if you're now satisfied with how your server is handling "@boboki.com" addressed email, then that's something you can investigate later, after the bigger problems have been solved.

 *Quote:*   

> Let me take a second to reitterate that I can recive ALL mail fine, be it from webfrontend, imap, or pop3. HOWEVER, I cannot send with pop3 or imap, I can ONLY send using the webfrontend, and the only reason I belive i can do that is becuase i have 127.0.0.1 and 192.168.0 as open relays.

 

I believe what you are trying to say is that you are unable to send email through your server using an external email client.  POP3 cannot be used as a mail sending protocol.  IMAP can be used as such, but that feature isn't widely supported.  Most email clients (Outlook Express, Eudora, Thunderbird, etc.) use POP3 or IMAP for retrieval, and SMTP for sending.

Otherwise, you are correct in your conclusions:  The web page can be used for sending email because it is local to the server, and qmail's configuration is allowing email to be sent from localhost without authentication.

 *Quote:*   

> The output I came to find out is what smtp looks like when it goes thru a PIX 501 firewall. I will look a tad bit more into that, make sure thats not conflicting with authentication. As far as I know it however, the pix is configured to allow smtp, and the ports are forwarded to that internal ip. 

 

I strongly suspect this is the culprit.  Some firewalls are able to filter traffic that they otherwise allow, giving the administrator tighter control over what is passing through open ports.  In fact, I ran into this same problem at a previous job; the firewall allowed SMTP traffic, but did not allow any SMTP commands that it did not know about, including AUTH.  This killed authentication support and effectively barred everyone in the company from sending out email.

If your firewall supports it, I would suggest reconfiguring it to allow SMTP traffic to pass unfiltered.  Then, try a telnet SMTP session again and make sure the output you see is similar to what you would see when connecting from behind the firewall.  That may be enough to get authenticated relaying working again.

----------

## BobOki

Yeah, you hit that on the head.

The pix 501 uses stateful packet filtering... and it is supposed to block attacks to smtp when using fixup, HOWEVER, it does this by stripping the auth headers!

So yeah, no wonder things were not working.

I just did a no fixup protocol smtp 25 and things are running great now.

Here is my WORKING conf-smtpd

```
# Configuration file for qmail-smtpd
# $Header: /home/cvsroot/gentoo-x86/net-mail/qmail/files/1.03-r13/conf-smtpd,v 1.2 2003/11/30 03:00:20 robbat2 Exp $

# Stuff to run before tcpserver
#QMAIL_TCPSERVER_PRE=""

# Stuff to run qmail-smtpd
#QMAIL_SMTP_PRE=""

# Stuff to after qmail-smtpd
#QMAIL_SMTP_POST=""
QMAIL_SMTP_POST="boboki.com /var/vpopmail/bin/vchkpw /bin/true"

# this turns off the IDENT grab attempt on connecting
TCPSERVER_OPTS="${TCPSERVER_OPTS} -R"

# You might want to use rblsmtpd with this, but you need to fill in a RBL server here first
# see http://cr.yp.to/ucspi-tcp/rblsmtpd.html for more details
#QMAIL_SMTP_PRE="${QMAIL_SMTP_PRE} rblsmtpd -r RBL-SERVER"

# If you are interested in providing POP or IMAP before SMTP type relaying,
# emerge relay-ctrl, then uncomment the next 2 lines
#QMAIL_TCPSERVER_PRE="${QMAIL_TCPSERVER_PRE} envdir /etc/relay-ctrl relay-ctrl-chdir"
#QMAIL_SMTP_PRE="${QMAIL_SMTP_PRE} relay-ctrl-check"

# In /etc/courier-imap/authdaemonrc add the next line to the end:
#authmodulelist="${authmodulelist} relay-ctrl-allow"

# Then in /etc/courier-imap/{imapd,imapd-ssl,pop3d,pop3d-ssl}
# Add this at the end
#PRERUN="${PRERUN} envdir /etc/relay-ctrl relay-ctrl-chdir"

# This next block is for SMTP-AUTH
# This provides the LOGIN, PLAIN and CRAM-MD5 types
# the 'cmd5checkpw' used in $QMAIL_SMTP_AUTHCHECKPASSWORD supports CRAM-MD5
# and reads its data from /etc/poppasswd
# see the manpage for cmd5checkpw for details on the passwords
# uncomment the next four lines to enable SMTP-AUTH
QMAIL_SMTP_AUTHHOST=$(<${QMAIL_CONTROLDIR}/me)
[ -z "${QMAIL_SMTP_POST}" ] && QMAIL_SMTP_POST=/bin/true
QMAIL_SMTP_CHECKPASSWORD="/var/vpopmail/bin/vchkpw"
QMAIL_SMTP_POST="${QMAIL_SMTP_AUTHHOST} ${QMAIL_SMTP_CHECKPASSWORD} ${QMAIL_SMTP_POST}"
```

----------

## skunkworx

 *BobOki wrote:*   

> Here is my WORKING conf-smtpd
> 
> ```
> 
> <snip>
> ...

 

You've got a bit of redundancy here, which I believe will result in qmail-smtp getting called with more arguments than necessary.  That's not a problem if it works, but just to be clean, you may want to comment out the one or the other definition of QMAIL_SMTP_POST.

Otherwise, looks good.  I'm happy to hear it's working.

----------

## vcihon

I'm having a similar problem. I've been reading till I can't see anymore and my conf-smtpd looks exactly like yours below.  

So since I have the same prob as this:

 *Quote:*   

> I can recive mail to boboki.com just fine. All messages that are sent to say boboki@boboki.com (my address) have no problems getting there.
> 
> The virtualdomains file DOES have boboki.com. The problem comes in when I am trying to send an e-mail OUT to ANYWHERE in the world from an external ip via pop or imap. It seems that when I am sending from an IP that is NOT set in the tcp.smtp as a open relay, it will NOT send e-mail and get the standard 533 error. Also, I verified that there are not other smtp programs loaded.. emerge -C ssmtp exium postfix sendmail 

 

and I've also checked everything ad nauseam - I wonder if my firewall is stripping auth headers. I am using Shorewall and have normal smtp (port 25) open.  Is there any way to work on the fixup issue with Shorewall???  

If it is Shorewall, this would also explain why I couldn't get smtp-after-pop3 working either, even though I troubleshot that one for weeks.

Thanks for any help!!!

----------

## skunkworx

 *vcihon wrote:*   

> and I've also checked everything ad nauseum - I wonder if my firewall is stripping auth headers.

 

Only one way to find out.  :Smile: 

 *Quote:*   

> I am using Shorewall and have normal smtp (port 25) open.  Is there any way to work on the fixup issue with Shorewall???  
> 
> If it is shorewall, this would also explain why I couldn't get smtp-after-pop3 working either even though I troubleshooted that one for weeks.
> 
> Thanks for any help!!!

 

Have a look at your firewall's documentation.  Also, you can determine whether or not it's filtering traffic by comparing telnet sessions to your mail server behind and through the firewall.  If you're not familiar with SMTP commands, here's something you can use.  Commands you would type are in green, the rest is what you should see as output.  Of course, replace "yourmailserver" with the hostname of your mail server.

 *Quote:*   

> 
> 
> # telnet yourmailserver 25
> 
> Trying xxx.yyy.zzz.www...
> ...

 

That's what you should see if authorization is working.  At this point, you can use control-] to safely break out of the telnet session if you don't know how to enter the encoded authentication data by hand.

If you see anything different, either authentication is not set up correctly, or your firewall is filtering SMTP traffic.  It should be obvious which one is the problem, depending on whether your see different output behind the firewall than in front of it.
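The manual telnet test above is easy to misread when you do not know what the client is supposed to send after the 334. The following is an added example, not code from this thread or from qmail, that builds the three client responses the conf-smtpd comments mention (AUTH PLAIN, AUTH LOGIN, CRAM-MD5), shows the matching server-side CRAM-MD5 check, and classifies a captured telnet session the way skunkworx describes: EHLO answered with 502 points at a non-ESMTP server or a filtering middlebox, 530 before AUTH means TLS-before-auth is enforced, 334 means authentication is wired up. The transcripts, usernames and passwords are constructed for the example (the two failing sessions are modelled on the ones quoted in this thread); `probe` is a live variant using the standard library's smtplib and is not exercised offline.

```python
import base64
import hashlib
import hmac
import smtplib

# ---- client side: what goes over the wire after "AUTH <mechanism>" -----------------

def auth_plain_token(user, password, authzid=''):
    """AUTH PLAIN: one line, base64(authzid NUL authcid NUL password); cleartext once decoded."""
    return base64.b64encode(f"{authzid}\0{user}\0{password}".encode()).decode()


def decode_plain_token(token):
    """Split an AUTH PLAIN token back into (authzid, user, password); what the server sees."""
    return tuple(base64.b64decode(token).decode().split('\0'))


def auth_login_tokens(user, password):
    """AUTH LOGIN: the server sends two 334 prompts, the client answers each in base64."""
    return (base64.b64encode(user.encode()).decode(),
            base64.b64encode(password.encode()).decode())


def cram_md5_response(user, password, challenge_b64):
    """CRAM-MD5: answer the 334 challenge with base64('user ' + hex(HMAC-MD5(password, challenge))).
    Only a keyed digest crosses the wire, which is why cmd5checkpw can offer it without TLS,
    at the cost of the server having to store the password in recoverable form."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


# ---- server side: verifying a CRAM-MD5 response ------------------------------------

def cram_md5_verify(challenge_b64, response_b64, password_for):
    """Recompute the digest from the stored password and compare in constant time.
    password_for(user) returns the stored password or None for an unknown user."""
    try:
        user, _digest = base64.b64decode(response_b64).decode().split(' ', 1)
    except ValueError:          # bad base64, bad UTF-8 or no space: malformed response
        return False
    password = password_for(user)
    if password is None:
        return False
    expected = cram_md5_response(user, password, challenge_b64)
    return hmac.compare_digest(expected, response_b64)


# Constructed challenge in the usual "<id@host>" shape; a real server uses a fresh one per session.
SAMPLE_CHALLENGE = base64.b64encode(b'<1234.5678@mail.example>').decode()


# ---- transcript diagnosis ----------------------------------------------------------

def diagnose(transcript):
    """Classify a list of (client_line, server_reply) pairs from a manual session.
    server_reply holds the complete, possibly multi-line, reply text."""
    replies = {cmd.split()[0].upper(): reply for cmd, reply in transcript if cmd.strip()}
    ehlo = replies.get('EHLO', '')
    auth = replies.get('AUTH', '')
    if ehlo.startswith('502'):
        return ('EHLO rejected: either the server is not ESMTP or a middlebox such as a '
                'firewall SMTP fixup is filtering commands; compare with a session from inside')
    caps = {line[4:].split()[0].upper() for line in ehlo.splitlines()
            if line.startswith('250') and line[4:].strip()}
    if auth.startswith('334'):
        return 'AUTH accepted: server issued a challenge, authentication is wired up'
    if auth.startswith('530') and 'STARTTLS' in auth.upper():
        return 'AUTH refused until STARTTLS: TLS-before-auth is enforced on this build'
    if 'AUTH' not in caps:
        return 'AUTH not advertised in EHLO: SMTP-AUTH is not enabled in conf-smtpd (or is stripped)'
    return f'AUTH advertised but the reply was {auth[:3] or "missing"}: check the checkpassword program'


# Constructed transcripts modelled on the two failing sessions quoted in this thread.
PIX_FIXUP_SESSION = [('ehlo', '502 unimplemented (#5.5.1)'),
                     ('HELO', '250 animeserver'),
                     ('AUTH PLAIN', '502 unimplemented (#5.5.1)')]
TLS_FIRST_SESSION = [('ehlo alextechstudio.com',
                      '250-tolkien.alextechstudio.com\n250-STARTTLS\n250-SIZE 0\n'
                      '250-PIPELINING\n250 8BITMIME'),
                     ('auth login', '530 Must issue a STARTTLS command first (#5.7.0)')]
WORKING_SESSION = [('ehlo client.example',
                    '250-mail.example\n250-AUTH LOGIN PLAIN CRAM-MD5\n250-PIPELINING\n250 8BITMIME'),
                   ('AUTH LOGIN', '334 VXNlcm5hbWU6')]


def probe(host, port=25, timeout=10):
    """Live version of the manual test: EHLO, then report the advertised AUTH mechanisms
    and whether STARTTLS is offered. Network call, not run in the offline checks."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        code, _msg = s.ehlo()
        return code, s.esmtp_features.get('auth'), s.has_extn('starttls')


if __name__ == '__main__':
    for name, session in [('PIX fixup', PIX_FIXUP_SESSION), ('TLS first', TLS_FIRST_SESSION),
                          ('working', WORKING_SESSION)]:
        print(f'{name}: {diagnose(session)}')
    print('AUTH PLAIN token for bob:', auth_plain_token('bob', 's3cret'))
```

Run the same `diagnose` on a session captured from inside the LAN and one captured from outside; if only the outside one says "EHLO rejected", the firewall is rewriting the conversation, which is exactly what the PIX fixup turned out to be doing here. Note that AUTH PLAIN and AUTH LOGIN are reversible encodings, not encryption, so on a build without TLS-before-auth they hand the password to anyone on the path.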

----------

## vcihon

Thanks for the reply skunkworx.

I am using vchkpw for my auth, not md5 (FYI).

Here is the output:

```
Trying 24.123.161.30...
Connected to alextechstudio.com.
Escape character is '^]'.
220 tolkien.alextechstudio.com ESMTP
ehlo alextechstudio.com
250-tolkien.alextechstudio.com
250-STARTTLS
250-SIZE 0
250-PIPELINING
250 8BITMIME

502 unimplemented (#5.5.1)
auth login
530 Must issue a STARTTLS command first (#5.7.0)
STARTTTLS
502 unimplemented (#5.5.1)
STARTTLS
454 TLS not available: missing RSA private key (#4.3.0)
^]
telnet> exit
```

Any troubleshooting ideas?

----------

## BobOki

 *Quote:*   

> 454 TLS not available: missing RSA private key (#4.3.0) 
> 
> 

 

That sounds to me like its trying to enable SSL or some other form of encryption, but the RSA key is not entered.

Did you create your keys during install?

----------

## vcihon

No but right now, I'm not even trying to get SSL working.  I am only trying to get auth working.  The issue is that I am not clear, given skunkworx's test how to try it with the vchkpw instead of MD5.

----------

## skunkworx

vcihon: It looks like you're using a qmail ebuild newer than 1.03-r13.  The newer ebuilds have an option, which is enabled by default, to force SMTP clients to request an encrypted session before the AUTH command is allowed.  Trying to test AUTH without encryption will fail every time in this scenario.

If you want to allow authentication without encryption, you will need to either use ebuild 1.03-r13 instead, or re-emerge your ebuild with the "notlsbeforeauth" USE flag.  (Note:  I believe I remember reading that this USE flag doesn't actually work as designed in one of the qmail ebuilds, possibly 1.03-r14.  A search through the forums and/or Gentoo's Bugzilla will confirm or deny that.)

The password checking program you use will not have an effect on the output you see when using the SMTP commands I suggested for testing.  However, do keep in mind that the example output is based on the 1.03-r13 ebuild, and may be slightly different with the newer ebuilds (I haven't tried anything past 1.03-r13 yet).  In any case, the response to the AUTH command should start with "334" in order for authentication to work.

----------

## vcihon

skunkworx - thanks for the response. I am using 1.03-r13.

One question: if I re-emerge qmail, will I lose any of my config settings, or will it be smart enough to keep them?  This is a quasi-production server already (meaning for my own email  :Smile:  ).

Also, can you give me the correct syntax of the emerge statement - is it:

USE="notlsbeforeauth" emerge -U qmail

to go to r15?

Thanks.

----------

## p4m

 *Quote:*   

> USE="notlsbeforeauth" emerge -U qmail

 

Warning: emerge -U will break things

You better do:

```
# remove the installed package first
emerge -C qmail
# check which USE flags would be applied
USE="notlsbeforeauth" emerge -pv qmail
# then install
USE="notlsbeforeauth" emerge qmail
```

----------

