# Yikes! I'm relaying! Why? (netqmail)

## mr-simon

I'm using netqmail (and vpopmail), and it looks like I'm relaying, which is obviously quite a scary prospect. (abuse.net's tester says:)

```
Mail relay testing

Connecting to uk.widgit.com for anonymous test ...

<<< 220 good.uk.widgit.com ESMTP
>>> HELO www.abuse.net
<<< 250 good.uk.widgit.com

Relay test 1

>>> RSET
<<< 250 flushed
>>> MAIL FROM:<spamtest@abuse.net>
<<< 250 ok
>>> RCPT TO:<securitytest@abuse.net>
<<< 250 ok
```

Obviously this is Very Bad.

I'm running:

```
good tcprules.d # emerge -pv netqmail vpopmail

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R   ] mail-mta/netqmail-1.05-r8  USE="mailwrapper ssl -gencertdaily -highvolume -noauthcram -qmail-spp -vanilla" 0 kB
[ebuild   R   ] net-mail/vpopmail-5.4.20  USE="mysql -clearpasswd -ipalias -maildrop" 0 kB
```

My /etc/tcprules.d/tcp.qmail-smtp says (with comments removed:)

```
good tcprules.d # grep -v "^#" tcp.qmail-smtp
192.168.1.:allow,RELAYCLIENT="",RBLSMTPD=""
127.0.0.1:allow,RELAYCLIENT="",RBLSMTPD=""
:allow
192.168.1.4:allow,RELAYCLIENT="",RBLSMTPD=""
```

My box's internal IP is 192.168.1.4. It's supposed to allow relaying for the local subnet and from itself, and to accept deliveries from the internet.

When I rebuild my databases, it seems to work:

```
good tcprules.d # rm -rf *.cdb && make
+ Rebuilding tcp.qmail-pop3 from tcp.qmail-pop3
tcprules tcp.qmail-pop3.cdb tcp.qmail-pop3.cdb.tmp < tcp.qmail-pop3
+ Rebuilding tcp.qmail-qmqp from tcp.qmail-qmqp
tcprules tcp.qmail-qmqp.cdb tcp.qmail-qmqp.cdb.tmp < tcp.qmail-qmqp
+ Rebuilding tcp.qmail-qmtp from tcp.qmail-qmtp
tcprules tcp.qmail-qmtp.cdb tcp.qmail-qmtp.cdb.tmp < tcp.qmail-qmtp
+ Rebuilding tcp.qmail-smtp from tcp.qmail-smtp
tcprules tcp.qmail-smtp.cdb tcp.qmail-smtp.cdb.tmp < tcp.qmail-smtp
```

What else could be wrong?

I thought the only way to control relaying was that file. I did upgrade from an old qmail installation a couple of weeks ago; I suspect this was when it went wrong.

----------

## returnthis

I would have a look in /var/qmail/control. There are files in there which control what is accepted and what is not.

Also, iirc, the tcp rules have moved when qmail -> netqmail. Make sure the conf-* are pointing to the correct place.

----------

## drkstorm

mr-simon, can you send me a link to the tool you used to test your domain? I'd like to try it on my own for verification.

----------

## mr-simon

*returnthis wrote:*

> I would have a look in /var/qmail/control. There are files in there which control what is accepted and what is not.

Sorry, can you be more specific about this? Where should I be looking?

Here's what I've looked into so far:

rcpthosts, virtualhosts, and friends:

```
good control # cat rcpthosts
good.uk.widgit.com
domain1.org
domain2.com
domain3.com

good control # cat virtualdomains
domain1.org:domain1.org
domain2.com:domain2.com
domain3.com:domain3.com

good control # cat locals
good.uk.widgit.com

good control # cat defaultdomain
widgit.com

good control # cat me
good.uk.widgit.com

good control # cat plusdomain
widgit.com

good control # cat smtproutes
:cluster-d.mailcontrol.com
:cluster-e.mailcontrol.com
```

(obviously my domains are different!)

conf-smtpd (without comments):

```
TCPSERVER_OPTS="${TCPSERVER_OPTS} -R"

[[ -n "${QMAIL_SMTP_CHECKPASSWORD}" ]] && {
        [[ -z "${QMAIL_SMTP_POST}" ]] && QMAIL_SMTP_POST=/bin/true
        QMAIL_SMTP_POST="${QMAIL_SMTP_CHECKPASSWORD} ${QMAIL_SMTP_POST}"
}
```

*returnthis wrote:*

> Also, iirc, the tcp rules have moved when qmail -> netqmail. Make sure the conf-* are pointing to the correct place.

Here's what conf-common says about that:

```
good control # pwd
/var/qmail/control

good control # cat conf-common
... <snip> ...

# Host and port to listen on
# We listen on the IPv4 local ip by default
TCPSERVER_HOST=0.0.0.0
TCPSERVER_PORT=${SERVICE}

# you do not need to specify -x, -c, -u or -g in this variable as those are
# added later
TCPSERVER_OPTS="-p -v"

#  This tells tcpserver where to file the rules cdb file
[[ -d /etc/tcprules.d/ ]] && \
        TCPSERVER_RULESCDB=/etc/tcprules.d/tcp.qmail-${SERVICE}.cdb

[[ ! -f "${TCPSERVER_RULESCDB}" ]] && \
        TCPSERVER_RULESCDB=/etc/tcp.${SERVICE}.cdb

...
```

So it looks like it's trying to find them where I'd expect.

*drkstorm wrote:*

> mr-simon, can you send me a link to the tool you used to test your domain? I'd like to try it on my own for verification.

It's at http://www.abuse.net/relay.html.

As far as I can see it should be working. I'm confused.

----------

## returnthis

I have double-checked with my netqmail config and it all looks the same. I even verified it on that URL and mine is not a relay.

Afraid I am going to have to defer to a more experienced qmail admin on this one. Sorry.

----------
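
The tcp.qmail-smtp rules and rcpthosts quoted in the thread, run through a simplified model of the tcpserver rule lookup and the qmail-smtpd recipient check. This is an added example, not code from any poster or from qmail itself; the function names and the outside address 203.0.113.7 are assumptions made for illustration.

```python
# Added example: simplified model of the two checks that decide relaying.
# Only IP-based tcprules lookups are modelled (no hostname, ident or range rules).
RULES = """\
192.168.1.:allow,RELAYCLIENT="",RBLSMTPD=""
127.0.0.1:allow,RELAYCLIENT="",RBLSMTPD=""
:allow
192.168.1.4:allow,RELAYCLIENT="",RBLSMTPD=""
"""  # rule file as quoted in the thread
RCPTHOSTS = ["good.uk.widgit.com", "domain1.org", "domain2.com", "domain3.com"]


def parse_rules(text):
    """Map each address pattern to (action, environment set by that rule)."""
    rules = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        addr, _, rest = line.partition(":")
        action, *assigns = rest.split(",")
        env = {k: v.strip('"') for k, _, v in (a.partition("=") for a in assigns)}
        rules[addr] = (action, env)
    return rules


def lookup(rules, ip):
    """Order in the file is irrelevant: full IP, then shorter prefixes, then ''."""
    parts = ip.split(".")
    keys = [ip] + [".".join(parts[:n]) + "." for n in (3, 2, 1)] + [""]
    for key in keys:
        if key in rules:
            return key, rules[key]
    return None, ("allow", {})  # no rule matched: connection proceeds, no variables


def rcpt_accepted(env, rcpt, rcpthosts):
    """qmail-smtpd: RELAYCLIENT set (even to "") makes it ignore rcpthosts."""
    if "RELAYCLIENT" in env:
        return True
    if rcpthosts is None:  # control/rcpthosts missing: every domain is accepted
        return True
    domain = rcpt.rsplit("@", 1)[-1].lower()
    return any(domain == h or (h.startswith(".") and domain.endswith(h))
               for h in rcpthosts)


def relays(ip, rcpt, rules_text=RULES, rcpthosts=RCPTHOSTS):
    """True if a client at `ip` would get 250 for RCPT TO:<rcpt>."""
    key, (action, env) = lookup(parse_rules(rules_text), ip)
    return action == "allow" and rcpt_accepted(env, rcpt, rcpthosts)
```

With the files exactly as quoted, the model refuses `securitytest@abuse.net` from an outside address, so the useful comparison is between these inputs and what the running qmail-smtpd actually sees: the source address of the connection, the compiled cdb it was started with, and whether control/rcpthosts is readable.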

