README
INCLUDED PATCHES IN THIS BIG PATCH (md24)
===========================================
NEW SMTP SERVER FEATURES (qmail-smtpd)
----------------------------------------
- ESMTP STARTTLS command (rfc2595)
- via tls patch by Scott Gifford http://www.suspectclass.com/~sgifford/
- ESMTP AUTH command (rfc2554)
- with 6 sasl methods (plain,login,cram-md5,cram-sha1,cram-ripemd,digest-md5)
- control/auth/* controls that
- see README.auth
- ESMTP SIZE command (rfc1870)
- control/databytes and control/databytes+
- ESMTP ENHANCEDSTATUSCODES (rfc3463, rfc2034, rfc1893)
- see README.status
- qmailqueue patch
- by Bruce Guenter <bguenter-djb-qmail@qcc.sk.ca>
- tarpitting
- control/tarpitcount
- the value of $TARPITCOUNT overrides the control file
- control/tarpitdelay
- the value of $TARPITDELAY overrides the control file
- if $NO_TARPITTING is set, then tarpitting will be disabled
- ipme patch
- ip 0.0.0.0 is a special address which always refers to this host (rfc1122)
-> http://www.suspectclass.com/~sgifford/qmail/
- two patches from Paul Jarc
- realrcptto (checking for the real existence of accounts)
- qmail-branch (more control in .qmail files)
- outgoing ip patch
- by Sergio Gelato and Andy Reptonis
- some additions by me
- bmcheck() -> badmailfrom + badmailto + badhelo checks
- variable logging of these checks
- one environment variable for each bmcheck, so you can set it with tcpserver
- the bad* controlfiles accept regex.7 expressions
- see README.bmchecks for additional information
- bigdns patch
- handling of oversized dns responses
- big concurrency patch by Johannes Erdfelt
- see http://qmail.org/big-concurrency.patch
- the big-todo patch
- from Dave Smith, Russell Nelson and Bruce Guenter
- control/mfcheck
- mail from dns check
- if 1: only a dns lookup will be done
- if 2: SMTP callback/sender verification will be done
- control/goodmailfrom
- always accept mail whose envelope MAIL FROM is listed here
- so you can use mail addresses which wouldn't get through mfcheck :)
-> e.g. root@some.stupidhost.local -> adminmails@host.de
- control/maxrcpt
- max recipients an unauthorized session can have
- client gets tarpitted
- control/maxhops
- the value can be changed now on the fly
- control/maxcmdlen
- max length of an smtp command
- client gets tarpitted if over the max.
- control/maxaddrlen
- max length of an email address given to RCPT TO or MAIL FROM
- client gets tarpitted if over the max.
- control/smtpgreeting can have multiple lines
- control/rcptcheck
- see README.antispam
- control/datechecks
- news-YYYYMMDD checking against RCPT TO
- see qmail-smtpd.8
- if the environment variable BLACKLISTED is set, then we have a spammer and
feed our spamassassin :)
- "RCPT TO" is ignored, the mail is sent to $BLACKLISTED
- for setting this variable, just use my patch against rblsmtpd from
http://www.mcmilk.de/qmail/dl/djb-ware/ucspi-tcp-0.88-rbl.diff.bz2
- $RCPTTOFIXED can be used for delivering all mail to one special address
- HELO/EHLO explicitly requires a hostname, or the client gets an error
- "501 5.5.4 syntax error, I need your hostname"
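The bmcheck() behaviour listed above (bad* control files holding regex(7) patterns, one environment variable per check so tcpserver can switch it off, and logging that can be turned on or off) modelled as an added Python example. This is not code from the md24 patch or from qmail: the control-file contents, the environment-variable names (NO_BADMAILFROM and friends), the case-insensitive re.search matching and the log line format are all assumptions.

```python
import os
import re

# Constructed stand-ins for control/badmailfrom, control/badmailto and
# control/badhelo; each line is a regex(7) pattern. The patch uses POSIX
# regex, Python's re is close enough for patterns like these.
CONTROLS = {
    "badmailfrom": [r"^spammer@example\.net$", r"@bad-domain\.example$", r"^newsletter-"],
    "badmailto":   [r"^postmaster@example\.com$"],
    "badhelo":     [r"^localhost$", r"^\d+\.\d+\.\d+\.\d+$"],
}

# Assumed names of the per-check environment variables that switch one check
# off; a tcpserver rules file can set them for trusted client addresses.
DISABLE_ENV = {
    "badmailfrom": "NO_BADMAILFROM",
    "badmailto":   "NO_BADMAILTO",
    "badhelo":     "NO_BADHELO",
}


def compile_control(patterns):
    """Compile one control file's patterns; case-insensitive is an assumption."""
    return [re.compile(p, re.IGNORECASE) for p in patterns]


def bmcheck(check, value, controls=CONTROLS, env=None):
    """Return the pattern that matched `value`, or None if it is acceptable.
    The per-check environment variable disables the check entirely."""
    env = os.environ if env is None else env
    if DISABLE_ENV[check] in env:
        return None
    for rx in compile_control(controls[check]):
        if rx.search(value):
            return rx.pattern
    return None


def check_session(helo, mail_from, rcpt_tos, log_enabled=True, controls=CONTROLS, env=None):
    """Run badhelo, badmailfrom and badmailto for one SMTP session.
    Returns (rejections, log_lines): rejections is a list of
    (check, value, pattern); log_lines stands in for control/log/bmchecks = 1
    and stays empty when logging is off (the line format is an assumption)."""
    rejections, log_lines = [], []
    pairs = [("badhelo", helo), ("badmailfrom", mail_from)]
    pairs += [("badmailto", r) for r in rcpt_tos]
    for check, value in pairs:
        pattern = bmcheck(check, value, controls, env)
        if pattern is None:
            continue
        rejections.append((check, value, pattern))
        if log_enabled:
            log_lines.append(f"qmail-smtpd: {check}: {value!r} matched {pattern!r}")
    return rejections, log_lines


if __name__ == "__main__":
    rej, logs = check_session("localhost", "newsletter-42@lists.example.org",
                              ["alice@example.com", "postmaster@example.com"], env={})
    for line in logs:
        print(line)
```

Patterns are compiled per call here for brevity; a daemon would compile each control file once when it is read. Passing `env={}` in the usage call isolates the example from the real process environment.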
NEW SMTP CLIENT FEATURES (qmail-remote)
-----------------------------------------
- ESMTP AUTH command (rfc2554)
- with 5 sasl methods (plain,login,cram-md5,cram-sha1,cram-ripemd)
- control/smtprelays controls that
- ESMTP SIZE command (rfc1870)
- when the remote server supports the SIZE extension, we issue a SIZE=xyz
- logs all SMTP traffic to control/log/remote_fd (but not the DATA!)
- overview of available controlfiles
- smtprelays (forward/relay with authentication, creating virtual relays)
- smtproutes (relay to servers without authentication, relay to virtual relays)
- qmtproutes (sending via qmtp protocol, if the remote system can handle that)
- outgoingip (bind to an outgoing ip, when sending)
- timeoutconnect / timeoutremote
NEW POP3 FEATURES
-------------------
- sasl authentication via the AUTH command (rfc1734)
- with 6 sasl methods (plain,login,cram-md5,cram-sha1,cram-ripemd,digest-md5)
- pop3 LAST command is now rfc1460-compliant
- pop3 STLS command is now supported
- via tls patch by Scott Gifford http://www.suspectclass.com/~sgifford/
- netscape progressbar patch
- without it, Netscape's download indicator doesn't progress
- pop3 CAPA command
- including RESP-CODES (rfc2449) + AUTH-RESP-CODE (rfc3206)
- a beginning of the pop3 EXPIRE + LOGIN-DELAY capabilities ... but how to use them?
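The AUTH mechanism shared by the three sections above (qmail-smtpd AUTH, qmail-remote AUTH and the pop3 AUTH command) worked through for cram-md5 as an added Python example, with both sides of the exchange in one script. It is not code from the patch: the challenge layout follows rfc2195, the SMTP and POP3 framing follow rfc2554 and rfc1734, and the host name, pid, timestamp and the success/failure reply texts are constructed for the example.

```python
import base64
import hashlib
import hmac


def make_challenge(hostname, pid, timestamp):
    """Server side: rfc2195 challenge '<pid.timestamp@hostname>', fresh per session."""
    return f"<{pid}.{timestamp}@{hostname}>".encode()


def cram_md5_response(username, password, challenge):
    """Client side: 'username SP hex(HMAC-MD5(password, challenge))'.
    The password never goes on the wire, only a keyed digest of the challenge."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}".encode()


def verify_response(response, challenge, lookup_password):
    """Server side: recompute the digest for the claimed user from the stored
    password and compare in constant time. Returns the user name or None."""
    try:
        user, digest = response.decode("ascii").split(" ", 1)
    except (UnicodeDecodeError, ValueError):
        return None
    password = lookup_password(user)
    if password is None:
        return None  # unknown user gets the same answer as a bad digest
    expected = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return user if hmac.compare_digest(expected, digest) else None


def auth_exchange(username, password, lookup_password, proto="smtp",
                  hostname="mail.example.org", pid=4711, timestamp=1185640967):
    """Whole exchange as wire lines. proto selects SMTP (rfc2554: '334' continuation)
    or POP3 (rfc1734: '+ ' continuation) framing. Reply texts are illustrative."""
    cont, ok, fail = {
        "smtp": (b"334 ", b"235 2.7.0 authentication successful", b"535 5.7.0 authentication failed"),
        "pop3": (b"+ ", b"+OK authenticated", b"-ERR authentication failed"),
    }[proto]
    challenge = make_challenge(hostname, pid, timestamp)
    lines = [b"C: AUTH CRAM-MD5", b"S: " + cont + base64.b64encode(challenge)]
    # The client works from the challenge it actually received on the wire.
    client_view = base64.b64decode(lines[1][len(b"S: ") + len(cont):])
    response = cram_md5_response(username, password, client_view)
    lines.append(b"C: " + base64.b64encode(response))
    # The server decodes the client's line and checks it against its own challenge.
    user = verify_response(base64.b64decode(lines[2][len(b"C: "):]), challenge, lookup_password)
    lines.append(b"S: " + (ok if user else fail))
    return {"lines": lines, "user": user, "challenge": challenge, "response": response}


if __name__ == "__main__":
    users = {"tim": "tanstaaftanstaaf"}  # constructed credential store
    for line in auth_exchange("tim", "tanstaaftanstaaf", users.get)["lines"]:
        print(line.decode())
```

Two points worth noticing: the server must keep the plaintext (or an equivalent HMAC context) to verify cram-md5, which is why such accounts cannot be stored as one-way hashes, and the digest comparison uses hmac.compare_digest so a failed attempt does not leak timing information.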
CONTROLFILES FOR LOGGING
--------------------------
- control/log/bmchecks
-> enable/disable logging of the pattern matching in the bad* controlfiles
- control/log/datechecks
-> enable/disable logging of the foo-bar-YYYYMMDD@domain.com checks
- control/log/orchecks
-> enable/disable logging of the open relay tests
- control/log/tarpitting
-> enable/disable the logging of some info about the client which gets tarpitted
- control/log/pop3_in
- 1 = on / 0 = off
- log all the incoming pop3 commands from the client
- control/log/pop3_out
- 1 = on / 0 = off
- log outgoing server responses from qmail-pop3d + qmail-popup
- control/log/pop3_fd
- logging filedescriptor
- used for logging qmail-popup and qmail-pop3d (in/out)
- control/log/smtp_in
- 1 = on / 0 = off
- log all the incoming commands from the client
- control/log/smtp_out
- 1 = on / 0 = off
- log outgoing server responses from qmail-smtpd
- control/log/smtp_fd
- logging filedescriptor
- used for logging qmail-smtpd (in/out)
- control/log/remote_fd
- logging filedescriptor / 0 means off
- always logs the full session
MISCELLANEOUS OTHER CHANGES
-----------------------------
- qmail-send:
- reread control/concurrencylocal + control/concurrencyremote on SIGHUP
- explicit use of struct utimbuf
- qmail-local, quota-1.1 patch
- by Jeff Hayward <j.hayward@ots.utexas.edu>
- see README.quota
- preline patch
- adds the -p option to preline, which tells it to ignore EPIPE
- sendmail
- flagf, http://david.acz.org/software/sendmail-flagf.patch
- flagN is ignored (DSN option)
- patch to fix minor bug in parsing .qmail files
- qmail-queue reads now control/bigbrother
- address queue extra feature
- sample: "badguy@example.net:bigbrother@example.net"
- automatically forward all mail _to_ and _from_ <badguy@example.net> to
<bigbrother@example.net>
- has been required in Germany since 2005-01-01 (TKÜV)
- see also http://www.nrg4u.com/
- fixed some security issues:
- Wietse Venema described two DoS attacks against qmail:
1. "run a qmail system out of swap space by feeding long SMTP commands"
-> solved by checking the input length
-> control/maxcmdlen should define the maximum value
2. "run a qmail system out of swap space by feeding an infinite amount of recipients"
-> solved by counting recipients
-> control/maxrcpt should define the maximum value
- Georgi Guninski published an advisory
- see http://www.guninski.com/qmailcrash.html for info
- I don't know if it is really that bad, but I changed the "int pos" to an
"unsigned int pos" :)
- fixed several gcc warning issues:
- changed void main() to int main()
- also added some stupid return xxx statements
- replaced the puts() function with out()
- added all the missing headers, to avoid implicit declarations
- use of struct utimbuf in qmail-send.c
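The control/maxcmdlen, control/maxaddrlen and control/maxrcpt limits from the SMTP server section and the two Venema fixes listed just above, modelled as an added Python example (not qmail's or this patch's code). The limit values, the session bookkeeping, the reply strings (rfc3463 codes with made-up text) and the tarpit counter are assumptions; what it shows is the defensive shape of the fix: an oversized command is read and discarded in bounded pieces instead of being buffered, and recipients are counted per session.

```python
import io

# Illustrative stand-ins for control/maxcmdlen, control/maxaddrlen and
# control/maxrcpt; the real control files each hold a single number.
DEFAULT_LIMITS = {"maxcmdlen": 512, "maxaddrlen": 256, "maxrcpt": 50}


class Session:
    """One SMTP session enforcing the three limits: over-limit input is
    refused and each refusal is counted as a tarpit hit."""

    def __init__(self, limits=DEFAULT_LIMITS, authenticated=False):
        self.maxcmdlen = limits["maxcmdlen"]
        self.maxaddrlen = limits["maxaddrlen"]
        self.maxrcpt = limits["maxrcpt"]
        self.authenticated = authenticated
        self.recipients = []
        self.tarpit_hits = 0  # each hit would add control/tarpitdelay seconds before the reply

    def read_command(self, stream):
        """Read one line while never holding more than maxcmdlen bytes of it.
        Returns (command, None), (None, reply) for an oversized line, or
        (None, None) at EOF."""
        line = stream.readline(self.maxcmdlen + 2)  # +2 leaves room for CRLF
        if not line:
            return None, None
        if line.endswith(b"\n"):
            cmd = line.rstrip(b"\r\n")
            if len(cmd) <= self.maxcmdlen:
                return cmd, None
        elif len(line) < self.maxcmdlen + 2:
            return line.rstrip(b"\r"), None  # last line without CRLF at EOF
        else:
            # Oversized line: throw the rest away in fixed-size pieces so
            # memory use stays flat however long the client keeps sending.
            while True:
                chunk = stream.readline(4096)
                if not chunk or chunk.endswith(b"\n"):
                    break
        self.tarpit_hits += 1
        return None, b"500 5.5.2 command line too long"

    def rcpt_to(self, arg):
        """RCPT TO with maxaddrlen and maxrcpt applied; authenticated sessions
        are exempt from maxrcpt, matching the README's 'unauthorized session'."""
        addr = arg.strip()
        if addr[:3].upper() == b"TO:":
            addr = addr[3:].strip()
        if addr.startswith(b"<") and addr.endswith(b">"):
            addr = addr[1:-1]
        if len(addr) > self.maxaddrlen:
            self.tarpit_hits += 1
            return b"501 5.1.3 address too long"
        if not self.authenticated and len(self.recipients) >= self.maxrcpt:
            self.tarpit_hits += 1
            return b"452 4.5.3 too many recipients"
        self.recipients.append(addr)
        return b"250 2.1.5 ok"

    def handle(self, cmd):
        verb, _, arg = cmd.partition(b" ")
        verb = verb.upper()
        if verb in (b"HELO", b"EHLO", b"MAIL"):
            return b"250 ok"
        if verb == b"RCPT":
            return self.rcpt_to(arg)
        if verb == b"QUIT":
            return b"221 2.0.0 bye"
        return b"502 5.5.1 unimplemented"


def run_session(session, raw):
    """Feed a constructed client transcript (bytes) through the session and
    return the server replies in order."""
    stream = io.BytesIO(raw)
    replies = []
    while True:
        cmd, reply = session.read_command(stream)
        if cmd is None and reply is None:
            return replies
        replies.append(reply if reply is not None else session.handle(cmd))


if __name__ == "__main__":
    s = Session({"maxcmdlen": 64, "maxaddrlen": 32, "maxrcpt": 2})
    transcript = (b"EHLO client.example\r\n" + b"X" * 200 + b"\r\n"
                  + b"MAIL FROM:<a@example.net>\r\n"
                  + b"RCPT TO:<u1@example.org>\r\nRCPT TO:<u2@example.org>\r\n"
                  + b"RCPT TO:<u3@example.org>\r\n"
                  + b"RCPT TO:<" + b"z" * 40 + b"@example.org>\r\nQUIT\r\n")
    for r in run_session(s, transcript):
        print(r.decode())
    print("tarpit hits:", s.tarpit_hits)
```

The transcript in the usage block deliberately contains one 200-byte command, one recipient too many and one over-long address, so all three limits fire once each.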
last change: 2007-07-28 @ 18:02:47