Difference between revisions of "Qpsmtpd/sme11"
From SME Server
Jump to navigationJump to searchUnnilennium (talk | contribs) (Created page with "=qpsmtpd= qpsmtpd has been a core component of SME Server since SME 7, providing advanced spam fighting capabilities. SME Server 9.2 introduced qpsmtpd...") |
Unnilennium (talk | contribs) |
||
| (13 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
| + | {{WIP box|this is a work in progress for the new SME 11 qpsmtpd configuration}} | ||
| + | |||
| + | TODO: update [[Email#qpsmtpd]] for SME11 | ||
| + | |||
=qpsmtpd= | =qpsmtpd= | ||
[[Wikipedia:Qpsmtpd|qpsmtpd]] has been a core component of SME Server since SME 7, providing advanced spam fighting capabilities. | [[Wikipedia:Qpsmtpd|qpsmtpd]] has been a core component of SME Server since SME 7, providing advanced spam fighting capabilities. | ||
SME Server 9.2 introduced qpsmtpd 0.96 with several new capabilities. At the same time, smeserver-qpsmtpd has been updated to provide additional SME Server configuration options. | SME Server 9.2 introduced qpsmtpd 0.96 with several new capabilities. At the same time, smeserver-qpsmtpd has been updated to provide additional SME Server configuration options. | ||
| − | SME Server 11 will upgrade to qpsmtpd 1.0. At the same time, smeserver-qpsmtpd has been updated providing separate configuration for each running deamons and introducing a third running deamon now covering all usual SMTP ports 25 (qpsmtpd), 587 (new uqpsmtpd) and 465 (sqpsmtpd). | + | |
| + | SME Server 10 start moving the services to systemd. | ||
| + | |||
| + | SME Server 11 will upgrade to qpsmtpd 1.0. At the same time, smeserver-qpsmtpd has been updated providing separate configuration for each running deamons and introducing a third running deamon now covering all usual SMTP ports 25 (qpsmtpd), 587 (new uqpsmtpd) and 465 (sqpsmtpd). Also SME11 provides a full systemd implementaiton of the services without runit. Softlimit has been increased from 50MB to 150MB. | ||
| + | |||
| + | ==Systemd Configuration == | ||
| + | Some of the setting that were previously arranged using runit run script and multiple called script are all now present in systemd unit, with a dropin file to override default. The dropin file is templated<syntaxhighlight lang="ini"> | ||
| + | # /usr/lib/systemd/system/uqpsmtpd.service | ||
| + | [Unit] | ||
| + | Description=qpsmtpd on submission port | ||
| + | After=network.target network-online.target qpsmtpd.service | ||
| + | |||
| + | [Service] | ||
| + | Type=simple | ||
| + | LimitDATA=150000000 | ||
| + | LimitSTACK=150000000 | ||
| + | LimitMEMLOCK=150000000 | ||
| + | Environment=PORT=587 INSTANCES=40 INSTANCES_PER_IP=5 QPSMTPD_CONFIG=/var/service/uqpsmtpd/config PATH=/var/qmail/bin:/bin:/usr/bin:/usr/local/bin TCPLOCALHOST=me | ||
| + | WorkingDirectory=/var/service/qpsmtpd/ | ||
| + | |||
| + | ExecStartPre=/sbin/e-smith/service-status uqpsmtpd | ||
| + | ExecStartPre=/sbin/e-smith/systemd/qpsmtpd-init %N | ||
| + | ExecStart=/usr/bin/qpsmtpd-forkserver \ | ||
| + | -u qpsmtpd \ | ||
| + | -l 0.0.0.0 \ | ||
| + | -p $PORT \ | ||
| + | -c $INSTANCES \ | ||
| + | -m $INSTANCES_PER_IP | ||
| + | ExecReload=/bin/kill -HUP $MAINPID | ||
| + | Restart=always | ||
| + | RestartSec=20s | ||
| + | SyslogIdentifier=uqpsmtpd | ||
| + | |||
| + | [Install] | ||
| + | WantedBy=sme-server.target | ||
| + | |||
| + | # /usr/lib/systemd/system/uqpsmtpd.service.d/50koozali.conf | ||
| + | #------------------------------------------------------------ | ||
| + | # !!DO NOT MODIFY THIS FILE!! | ||
| + | # | ||
| + | # Manual changes will be lost when this file is regenerated. | ||
| + | # | ||
| + | # Please read the developer's guide, which is available | ||
| + | # at http://www.contribs.org/development/ | ||
| + | # | ||
| + | # Copyright (C) 1999-2006 Mitel Networks Corporation | ||
| + | #------------------------------------------------------------ | ||
| + | [Service] | ||
| + | LimitDATA=150000000 | ||
| + | LimitSTACK=150000000 | ||
| + | LimitMEMLOCK=150000000 | ||
| + | Environment= | ||
| + | Environment=QPSMTPD_CONFIG=/var/service/uqpsmtpd/config PORT=587 INSTANCES=10 INSTANCES_PER_IP=5 PATH=/var/qmail/bin:/bin:/usr/bin:/usr/local/bin TCPLOCALHOST=sme11.example.com | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | ==Services folders== | ||
| + | <syntaxhighlight lang="bash"> | ||
| + | /var/service/qpsmtpd | ||
| + | /var/service/qpsmtpd/config | ||
| + | /var/service/qpsmtpd/config/dkim | ||
| + | /var/service/qpsmtpd/config/peers | ||
| + | /var/service/qpsmtpd/peers | ||
| + | /var/service/qpsmtpd/ssl | ||
| + | /var/service/sqpsmtpd | ||
| + | /var/service/sqpsmtpd/supervise | ||
| + | /var/service/sqpsmtpd/config | ||
| + | /var/service/sqpsmtpd/config/dkim -> ../../qpsmtpd/config/dkim | ||
| + | /var/service/sqpsmtpd/config/peers | ||
| + | /var/service/sqpsmtpd/peers | ||
| + | /var/service/qpsmtpd/ssl -> ../qpsmtpd/ssl | ||
| + | /var/service/uqpsmtpd | ||
| + | /var/service/uqpsmtpd/config | ||
| + | /var/service/uqpsmtpd/config/dkim -> ../../qpsmtpd/config/dkim | ||
| + | /var/service/uqpsmtpd/config/peers | ||
| + | /var/service/uqpsmtpd/peers | ||
| + | /var/service/qpsmtpd/ssl -> ../qpsmtpd/ssl | ||
| + | |||
| + | </syntaxhighlight> | ||
| + | |||
| + | ==Properties in configuration db== | ||
| + | {| class="wikitable mw-collapsible" | ||
| + | |+ | ||
| + | x: use the value of qpsmtpd key property for this key too. | ||
| + | !property | ||
| + | !qpsmtpd | ||
| + | ! sqpsmtpd | ||
| + | !uqpsmtpd | ||
| + | !information | ||
| + | |- | ||
| + | |Authentication | ||
| + | |enabled | ||
| + | |enabled | ||
| + | |enabled | ||
| + | | | ||
| + | |- | ||
| + | |Bcc | ||
| + | |disabled | ||
| + | |x | ||
| + | |x | ||
| + | | | ||
| + | |- | ||
| + | |BccMode | ||
| + | |cc | ||
| + | |x | ||
| + | |x | ||
| + | | | ||
| + | |- | ||
| + | |BccUser | ||
| + | |maillog | ||
| + | |x | ||
| + | |x | ||
| + | | | ||
| + | |- | ||
| + | |DNSBL | ||
| + | |disabled | ||
| + | |x | ||
| + | |x | ||
| + | | | ||
| + | |- | ||
| + | |Instances | ||
| + | |40 | ||
| + | |10 | ||
| + | |10 | ||
| + | | | ||
| + | |- | ||
| + | |InstancesPerIP | ||
| + | |5 | ||
| + | |5 | ||
| + | |5 | ||
| + | | | ||
| + | |- | ||
| + | |LogLevel | ||
| + | |6 | ||
| + | |x | ||
| + | |x | ||
| + | | | ||
| + | |- | ||
| + | |MaxScannerSize | ||
| + | |25000000 | ||
| + | |x | ||
| + | |x | ||
| + | | | ||
| + | |- | ||
| + | |MaximumDateOffset | ||
| + | |0 | ||
| + | |x | ||
| + | |x | ||
| + | | | ||
| + | |- | ||
| + | |PatternsScan | ||
| + | |disabled | ||
| + | |x | ||
| + | |x | ||
| + | | | ||
| + | |- | ||
| + | |Proxy | ||
| + | |blocked | ||
| + | |x | ||
| + | |x | ||
| + | | | ||
| + | |- | ||
| + | |RBLList | ||
| + | |bl.spamcop.net,dnsbl-1.uceprotect.net,dnsbl-2.uceprotect.net,psbl.surriel.com,zen.spamhaus.org | ||
| + | |x | ||
| + | |x | ||
| + | | | ||
| + | |- | ||
| + | |RHSBL | ||
| + | |disabled | ||
| + | |x | ||
| + | |x | ||
| + | | | ||
| + | |- | ||
| + | |RelayRequiresAuth | ||
| + | |enabled | ||
| + | |x | ||
| + | |x | ||
| + | | | ||
| + | |- | ||
| + | |SoftLimit | ||
| + | |150000000 | ||
| + | |150000000 | ||
| + | |150000000 | ||
| + | | | ||
| + | |- | ||
| + | |SBLList | ||
| + | |multi.surbl.org,black.uribl.com,rhsbl.sorbs.net | ||
| + | |x | ||
| + | |x | ||
| + | | | ||
| + | |- | ||
| + | |TCPPort | ||
| + | |25 | ||
| + | |465 | ||
| + | |587 | ||
| + | | | ||
| + | |- | ||
| + | |TCPProxyPort | ||
| + | |25 | ||
| + | |x | ||
| + | |x | ||
| + | | | ||
| + | |- | ||
| + | |TlsBeforeAuth | ||
| + | |1 | ||
| + | |1 (hardcoded) | ||
| + | |1 (hardcoded) | ||
| + | | | ||
| + | |- | ||
| + | |UBLList | ||
| + | |multi.surbl.org:8-16-64-128,black.uribl.com,rhsbl.sorbs.net | ||
| + | |x | ||
| + | |x | ||
| + | | | ||
| + | |- | ||
| + | |URIBL | ||
| + | |disabled | ||
| + | |x | ||
| + | |x | ||
| + | | | ||
| + | |- | ||
| + | |VirusScan | ||
| + | |enabled | ||
| + | |x | ||
| + | |x | ||
| + | | | ||
| + | |- | ||
| + | |access | ||
| + | |public | ||
| + | |public | ||
| + | |public | ||
| + | | | ||
| + | |- | ||
| + | |qplogsumm | ||
| + | |disabled | ||
| + | |x | ||
| + | |x | ||
| + | | | ||
| + | |- | ||
| + | |status | ||
| + | |enabled | ||
| + | |enabled | ||
| + | |enabled | ||
| + | | | ||
| + | |- | ||
| + | |tnef2mime | ||
| + | |enabled | ||
| + | |x | ||
| + | |x | ||
| + | | | ||
| + | |- | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | |- | ||
| + | |KarmaNegative | ||
| + | |(2) | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | |- | ||
| + | |KarmaStrikes | ||
| + | |(3) | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | |- | ||
| + | |HeloPolicy | ||
| + | |<nowiki>(lenient)[lenient | rfc | strict]</nowiki> | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | |- | ||
| + | |MaximumDateOffset | ||
| + | |(0) | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | |- | ||
| + | |MaxLoad | ||
| + | |(7) | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | |- | ||
| + | |SPFRejectPolicy | ||
| + | |(0)[0-4] | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | |- | ||
| + | |DMARCReject | ||
| + | |<nowiki>(disabled)[enabled|disabled]</nowiki> | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | |- | ||
| + | |DMARCReporting | ||
| + | |<nowiki>(enabled)[enabled|disabled]</nowiki> | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | |- | ||
| + | |disclaimer | ||
| + | |<nowiki>(disabled)[enabled|disabled]</nowiki> | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | |} | ||
| + | |||
| + | ==Config files== | ||
| + | {| class="wikitable" | ||
| + | |+template: is templated individually ; metadata: use another template via a metadata file. | ||
| + | !config file | ||
| + | !qpsmtpd | ||
| + | !sqpsmtpd | ||
| + | !uqpsmtpd | ||
| + | !plugin | ||
| + | !related properties | ||
| + | !information | ||
| + | |- | ||
| + | |badhelo | ||
| + | |template | ||
| + | |metadata | ||
| + | |metadata | ||
| + | |helo | ||
| + | | | ||
| + | | | ||
| + | |- | ||
| + | |badmailfrom | ||
| + | |template | ||
| + | |metadata | ||
| + | |metadata | ||
| + | |badmailfrom | ||
| + | badmailfromto | ||
| + | |||
| + | badrcptto | ||
| + | | | ||
| + | | | ||
| + | |- | ||
| + | |badrcptto | ||
| + | |template | ||
| + | |metadata | ||
| + | |metadata | ||
| + | |badrcptto | ||
| + | check_goodrcptto | ||
| + | | | ||
| + | |fixed output | ||
| + | |- | ||
| + | |badrcptto_ext | ||
| + | |template | ||
| + | |metadata | ||
| + | |metadata | ||
| + | |badrcptto | ||
| + | | | ||
| + | |hide emails when db accounts setprop ACCOUNT Visible internal | ||
| + | |- | ||
| + | |dkim | ||
| + | |folder | ||
| + | |folder | ||
| + | |folder | ||
| + | | | ||
| + | | | ||
| + | |not in use | ||
| + | |- | ||
| + | |dnsbl_allow | ||
| + | |template | ||
| + | |metadata | ||
| + | |metadata | ||
| + | |dnsbl | ||
| + | | | ||
| + | | | ||
| + | |- | ||
| + | |dnsbl_zones | ||
| + | |template | ||
| + | |metadata | ||
| + | |metadata | ||
| + | |dnsbl | ||
| + | per_user_config | ||
| + | |$qpsmtpd{RBLList} | ||
| + | | | ||
| + | |- | ||
| + | |forcespamcheck | ||
| + | |template | ||
| + | |metadata | ||
| + | |metadata | ||
| + | |forcespamcheck | ||
| + | | | ||
| + | |empty file, plugin set in peers | ||
| + | |- | ||
| + | |goodrcptto | ||
| + | |template | ||
| + | |metadata | ||
| + | |metadata | ||
| + | |check_goodrcptto | ||
| + | | | ||
| + | | | ||
| + | |- | ||
| + | |invalid_resolvable_fromhost | ||
| + | |template | ||
| + | |metadata | ||
| + | |metadata | ||
| + | |resolvable_fromhost | ||
| + | | | ||
| + | |fixed output | ||
| + | |- | ||
| + | |IP | ||
| + | |template | ||
| + | |metadata | ||
| + | |metadata | ||
| + | | | ||
| + | | | ||
| + | |IP for tcpserver to bind to , 0 for all, fixed to 0 | ||
| + | |- | ||
| + | |loglevel | ||
| + | |template | ||
| + | |metadata | ||
| + | |metadata | ||
| + | |logterse (...) | ||
| + | |$qpsmtpd{LogLevel} | ||
| + | | | ||
| + | |- | ||
| + | |memory_threshold | ||
| + | |template | ||
| + | |metadata | ||
| + | |metadata | ||
| + | | | ||
| + | | | ||
| + | |fixed to 1 | ||
| + | |- | ||
| + | |norelayclients | ||
| + | |template | ||
| + | |metadata | ||
| + | |metadata | ||
| + | |relay | ||
| + | | | ||
| + | |$GatewayIP if set | ||
| + | |- | ||
| + | |peers | ||
| + | |folder | ||
| + | |folder | ||
| + | |folder | ||
| + | |peers | ||
| + | | | ||
| + | |see peers section | ||
| + | |- | ||
| + | |plugin_dirs | ||
| + | |template | ||
| + | |metadata | ||
| + | |metadata | ||
| + | | | ||
| + | | | ||
| + | |fixed output /usr/share/qpsmtpd/plugins | ||
| + | |- | ||
| + | |plugins | ||
| + | |x | ||
| + | |x | ||
| + | |x | ||
| + | |x | ||
| + | |x | ||
| + | |has a copy of peers fragments, hidden by metadata | ||
| + | |- | ||
| + | |relayclients | ||
| + | |template | ||
| + | |'''metadata : to remove?''' | ||
| + | |'''metadata: to remove?''' | ||
| + | |greylisting | ||
| + | relay | ||
| + | |||
| + | spamassassin | ||
| + | | | ||
| + | |IP allowed for relay without auth | ||
| + | |- | ||
| + | |rhsbl_zones | ||
| + | |template | ||
| + | |metadata | ||
| + | |metadata | ||
| + | |rhsbl | ||
| + | |$qpsmtpd{SBLList} | ||
| + | | | ||
| + | |- | ||
| + | |signatures_patterns | ||
| + | |template | ||
| + | |metadata | ||
| + | |metadata | ||
| + | | | ||
| + | | | ||
| + | |uses db mailpatterns | ||
| + | |- | ||
| + | |smtpgreeting | ||
| + | |template | ||
| + | |metadata | ||
| + | |metadata | ||
| + | | | ||
| + | |$qpsmtpd{Greeting} | ||
| + | |default to host.domain | ||
| + | |- | ||
| + | |spool_dir | ||
| + | |template | ||
| + | |metadata | ||
| + | |metadata | ||
| + | | | ||
| + | | | ||
| + | |fixed output /var/spool/qpsmtpd | ||
| + | |- | ||
| + | |spool_perms | ||
| + | |x | ||
| + | |x | ||
| + | |x | ||
| + | | | ||
| + | | | ||
| + | |file, do not alter | ||
| + | |- | ||
| + | |subject_prefix | ||
| + | |template | ||
| + | |metadata | ||
| + | |metadata | ||
| + | | | ||
| + | |$spamassassin{Subject} | ||
| + | | | ||
| + | |- | ||
| + | |timeout | ||
| + | |template | ||
| + | |metadata | ||
| + | |metadata | ||
| + | | | ||
| + | |$qpsmtpd{timeout} | ||
| + | |120 as default | ||
| + | |- | ||
| + | |timeoutsmtpd | ||
| + | |template | ||
| + | |metadata | ||
| + | |metadata | ||
| + | | | ||
| + | |$qpsmtpd{timeoutsmtpd} | ||
| + | |120 as default | ||
| + | |- | ||
| + | |tls_before_auth | ||
| + | |template | ||
| + | |template | ||
| + | |template | ||
| + | | | ||
| + | |$qpsmtpd{TlsBeforeAuth} | ||
| + | |hardcoded for uqpsmtpd and sqpsmtpd | ||
| + | |- | ||
| + | |tls_ciphers | ||
| + | |template | ||
| + | |template | ||
| + | |template | ||
| + | |tls | ||
| + | |$qpsmtpd{TlsBeforeAuth} | ||
| + | $sqpsmtpd{TlsBeforeAuth} | ||
| + | |||
| + | $uqpsmtpd{TlsBeforeAuth} | ||
| + | |sqpsmtpd default to uqpsmtpd | ||
| + | global default is $modSSL{CipherSuite} | ||
| + | |- | ||
| + | |tls_protocols | ||
| + | |template | ||
| + | |template | ||
| + | |template | ||
| + | |tls | ||
| + | |SSLv2, SLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3 | ||
| + | |TLS1.2 minimum for uqpsmtpd and sqpsmtpd | ||
| + | TLS1.1 minimum for qpsmtpd | ||
| + | |||
| + | properties are set individually for each service | ||
| + | |- | ||
| + | |uribl_zones | ||
| + | |template | ||
| + | |metadata | ||
| + | |metadata | ||
| + | | | ||
| + | |$qpsmtpd{UBLList} | ||
| + | | | ||
| + | |} | ||
| + | |||
| + | ==Peer plugin configuration== | ||
| + | SME Server uses a plugin call peers, that set the plugins used depending on the client IP, i.e. 2 configurations are presents one for LAN and another for WAN. | ||
| + | {| class="wikitable" | ||
| + | |+ | ||
| + | X for not present/overriden | ||
| + | !plugin | ||
| + | !config | ||
| + | !qp local | ||
| + | !qp 0 | ||
| + | !sqp /uqp | ||
| + | local | ||
| + | !sqp/uqp | ||
| + | 0 | ||
| + | !TODO | ||
| + | |- | ||
| + | |00setup | ||
| + | |set bounce_unknown_user | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | |- | ||
| + | |02logterse | ||
| + | |logging/logterse | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | |- | ||
| + | |04tls | ||
| + | |tls ssl/cert.pem ssl/cert.pem ssl/cert.pem ssl/dhparam.pem | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | |- | ||
| + | |05auth_cvm_unix_local | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | |To remove | ||
| + | |- | ||
| + | |06auth_imap | ||
| + | |auth/auth_imap 127.0.0.1 143 | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | |- | ||
| + | |09karma | ||
| + | |karma negative $negative strikes $strikes reject naughty db_dir /var/lib/qpsmtpd/karma | ||
| + | |X | ||
| + | | | ||
| + | |X | ||
| + | | | ||
| + | |enabled by default ? | ||
| + | |- | ||
| + | |10earlytalker | ||
| + | |earlytalker | ||
| + | |X | ||
| + | | | ||
| + | |X | ||
| + | | | ||
| + | |<nowiki>add wait and check-at [ CONNECT | DATA ] options</nowiki> | ||
| + | |- | ||
| + | |11bogus_bounce | ||
| + | |bogus_bounce | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | |- | ||
| + | |12count_unrecognized_commands | ||
| + | |count_unrecognized_commands 4 | ||
| + | |X | ||
| + | | | ||
| + | |X | ||
| + | | | ||
| + | | | ||
| + | |- | ||
| + | |13bcc | ||
| + | |bcc mode $qpsmtpd{BccMode} all $user | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | |add possibility to set direction (all/incoming/outgoing) | ||
| + | |- | ||
| + | |14relay | ||
| + | |relay | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | |should we remove from 465 and 581 or set RELAY ONLY ? | ||
| + | |- | ||
| + | |15helo | ||
| + | |<nowiki>helo policy { $qpsmtpd{HeloPolicy} || 'lenient' } reject naughty</nowiki> | ||
| + | |X | ||
| + | | | ||
| + | |X | ||
| + | | | ||
| + | | | ||
| + | |- | ||
| + | |16resolvable_fromhost | ||
| + | |resolvable_fromhost | ||
| + | |X | ||
| + | | | ||
| + | |X | ||
| + | | | ||
| + | | | ||
| + | |- | ||
| + | |17headers | ||
| + | |headers future $days past $days" if ($days) | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | |- | ||
| + | |19loadcheck | ||
| + | |<nowiki>loadcheck max_load { $qpsmtpd{MaxLoad} || '7' }</nowiki> | ||
| + | |X | ||
| + | | | ||
| + | |X | ||
| + | | | ||
| + | | | ||
| + | |- | ||
| + | |20rhsbl | ||
| + | |rhsbl | ||
| + | |X | ||
| + | | | ||
| + | |X | ||
| + | | | ||
| + | | | ||
| + | |- | ||
| + | |221spf | ||
| + | |<nowiki>sender_permitted_from reject 1 no_dmarc_policy { $qpsmtpd{SPFRejectPolicy} || '0' }</nowiki> | ||
| + | |X | ||
| + | | | ||
| + | |X | ||
| + | | | ||
| + | |change default to 1 | ||
| + | |- | ||
| + | |222dkim | ||
| + | |dkim reject 0 | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | |- | ||
| + | |223dmarc | ||
| + | |<nowiki>marc reject { (( $qpsmtpd{DMARCReject} || 'disabled' ) =~ m/^1|on|enabled|yes$/) ? '1' : '0' } reporting { (( $qpsmtpd{DMARCReporting} || 'enabled' ) =~ m/^1|on|enabled|yes$/) ? '1' : '0' }</nowiki> | ||
| + | |X | ||
| + | | | ||
| + | |X | ||
| + | | | ||
| + | | | ||
| + | |- | ||
| + | |22dnsbl | ||
| + | |dnsbl reject naughty | ||
| + | |X | ||
| + | | | ||
| + | |X | ||
| + | | | ||
| + | | | ||
| + | |- | ||
| + | |23naughty | ||
| + | |naughty reject mail | ||
| + | |X | ||
| + | | | ||
| + | |X | ||
| + | | | ||
| + | | | ||
| + | |- | ||
| + | |24uribl | ||
| + | |uribl action deny | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | |- | ||
| + | |30badmailfrom | ||
| + | |badmailfrom | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | |- | ||
| + | |34badrcptto | ||
| + | |badrcptto | ||
| + | | | ||
| + | |X | ||
| + | | | ||
| + | |X | ||
| + | | | ||
| + | |- | ||
| + | |34badrcptto_ext | ||
| + | |badrcptto more_badrcptto badrcptto_ext | ||
| + | |X | ||
| + | | | ||
| + | |X | ||
| + | | | ||
| + | | | ||
| + | |- | ||
| + | |37check_smtp_forward | ||
| + | |check_smtp_forward | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | |needed for submission ? | ||
| + | |- | ||
| + | |38check_goodrcptto | ||
| + | |check_goodrcptto extn - | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | |- | ||
| + | |39rcpt_ok | ||
| + | |rcpt_ok | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | |- | ||
| + | |62pattern_filter | ||
| + | |virus/pattern_filter check=patterns action=deny | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | |- | ||
| + | |62tnef2mime | ||
| + | |tnef2mime | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | |- | ||
| + | |65disclaimer | ||
| + | |disclaimer | ||
| + | | | ||
| + | |X | ||
| + | | | ||
| + | |X | ||
| + | |missing disclaimer_file definition? | ||
| + | |- | ||
| + | |70spamassassin | ||
| + | |spamassassin reject $spamassassin{RejectLevel} munge_subject_threshold $spamassassin{TagLevel} size_limit $spamassassin{MaxMessageSize} | ||
| + | |X | ||
| + | | | ||
| + | |X | ||
| + | | | ||
| + | | | ||
| + | |- | ||
| + | |71forcespamcheck | ||
| + | |forcespamcheck reject $spamassassin{RejectLevel} munge_subject_threshold $spamassassin{TagLevel} size_limit $spamassassin{MaxMessageSize} | ||
| + | | | ||
| + | |X | ||
| + | | | ||
| + | |X | ||
| + | | | ||
| + | |- | ||
| + | |80clamav | ||
| + | |virus/clamdscan scan_all yes clamd_socket /run/clamd/clamd.socket defer_on_error yes max_size $max_size | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | |- | ||
| + | |90queue-qmail-queue | ||
| + | |queue/qmail-queue | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | |also content commented to remove ? | ||
| + | |- | ||
| + | |90queue-smtp-forward | ||
| + | |# commented out | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | | | ||
| + | |} | ||
==Upgrade Considerations== | ==Upgrade Considerations== | ||
| + | we used check_badcountries for a while, but could we switch back to ident/geoip ? | ||
| + | |||
| + | whitelist plugin : adding the ip-range whitelist; add login of ip | ||
| + | |||
===A-Record DNSBL Services=== | ===A-Record DNSBL Services=== | ||
| − | : Some DNSBL services - notably b.barracudacentral.org - provide their results using a DNS "A" record instead of a DNS TXT record. The dnsbl plugin requires these services to include a colon (":") in dnsbl_zones - however, SME used to use a colon the server separator in the configuration database. In order to support these A-Record DNSBL services, the separator for RBLList, SBLList, and the new UBLList is now a comma. | + | :Some DNSBL services - notably b.barracudacentral.org - provide their results using a DNS "A" record instead of a DNS TXT record. The dnsbl plugin requires these services to include a colon (":") in dnsbl_zones - however, SME used to use a colon the server separator in the configuration database. In order to support these A-Record DNSBL services, the separator for RBLList, SBLList, and the new UBLList is now a comma. |
| − | : You can now configure b.barracudacentral.org using (note the single quotes): | + | :You can now configure b.barracudacentral.org using (note the single quotes): |
| − | : <code><nowiki>config setprop qpsmtpd RBLList server1,server2,'b.barracudacentral.org:Blocked - see <http://bbl.barracudacentral.com/q.cgi?ip=%IP%>'</nowiki></code> | + | :<code><nowiki>config setprop qpsmtpd RBLList server1,server2,'b.barracudacentral.org:Blocked - see <http://bbl.barracudacentral.com/q.cgi?ip=%IP%>'</nowiki></code> |
===DKIM & DMARC=== | ===DKIM & DMARC=== | ||
| − | : DKIM & DMARC are now supported natively by SME Server. To enable these you will need to configure appropriate DNS records in your public DNS server. | + | :DKIM & DMARC are now supported natively by SME Server. To enable these you will need to configure appropriate DNS records in your public DNS server. |
| − | : There are forum reports of problems for users who had DKIM enabled using the DKIM contrib. | + | :There are forum reports of problems for users who had DKIM enabled using the DKIM contrib. |
===URIBL=== | ===URIBL=== | ||
| − | : qpsmtpd now supports URIBL - the ability to block emails that contain known malicious URLs within the body of the email. This service is disabled by default. | + | :qpsmtpd now supports URIBL - the ability to block emails that contain known malicious URLs within the body of the email. This service is disabled by default. |
| − | : Enable URIBL with the default services using: | + | :Enable URIBL with the default services using: |
<nowiki>config setprop qpsmtpd URIBL enabled | <nowiki>config setprop qpsmtpd URIBL enabled | ||
| − | signal-event email-update</nowiki> | + | signal-event email-update</nowiki> |
| − | : '''Note:''' If your SME server is using high traffic external DNS forwarders like [https://developers.google.com/speed/public-dns/ google] (8.8.8.8 / 8.8.4.4), [https://www.opendns.com/setupguide/ opendns] (208.67.222.222 / 208.67.220.220), or any large ISP's (Cox, Comcast, Verizon), enabling URIBL may block all incoming email. This will only affect you if you have configured a DNS forwarder in server-manager -- a default SME server installation does its own direct DNS lookups and would not be affected unless you receive over 250,000 emails per day. | + | :'''Note:''' If your SME server is using high traffic external DNS forwarders like [https://developers.google.com/speed/public-dns/ google] (8.8.8.8 / 8.8.4.4), [https://www.opendns.com/setupguide/ opendns] (208.67.222.222 / 208.67.220.220), or any large ISP's (Cox, Comcast, Verizon), enabling URIBL may block all incoming email. This will only affect you if you have configured a DNS forwarder in server-manager -- a default SME server installation does its own direct DNS lookups and would not be affected unless you receive over 250,000 emails per day. |
| − | : | + | :Read more at http://uribl.com/refused.shtml |
==="Naughty" plugin=== | ==="Naughty" plugin=== | ||
| − | : SME Server is now using the 'naughty' plugin which allows early plugins like dnsbl, earlytalker, etc to indicate that the email should be rejected at a later point in the interaction. This allows the server to log extra information for denied emails. Specifically, emails denied by dnsbl will now show the sender and recipient email addresses in the qpsmtpd log | + | :SME Server is now using the 'naughty' plugin which allows early plugins like dnsbl, earlytalker, etc to indicate that the email should be rejected at a later point in the interaction. This allows the server to log extra information for denied emails. Specifically, emails denied by dnsbl will now show the sender and recipient email addresses in the qpsmtpd log |
==Plugins== | ==Plugins== | ||
| Line 34: | Line 923: | ||
<div style="column-count:2;-moz-column-count:2;-webkit-column-count:2; border:1px solid grey;"> | <div style="column-count:2;-moz-column-count:2;-webkit-column-count:2; border:1px solid grey;"> | ||
| − | <tt | + | <tt>+ New in SME 11<br> |
<nowiki>* Improved or changed in SME 9.2</nowiki><br> | <nowiki>* Improved or changed in SME 9.2</nowiki><br> | ||
<nowiki>U Unused (by default) in SME Server</nowiki><br> | <nowiki>U Unused (by default) in SME Server</nowiki><br> | ||
| Line 40: | Line 929: | ||
<nowiki>CW Contrib or Wiki page exists that uses this plugin</nowiki><br> | <nowiki>CW Contrib or Wiki page exists that uses this plugin</nowiki><br> | ||
<nowiki>SM Can be configured using server-manager</nowiki><br> | <nowiki>SM Can be configured using server-manager</nowiki><br> | ||
| − | <nowiki>DB Can be configured using db variables</nowiki><br> | + | <nowiki>DB Can be configured using db variables</nowiki></tt> |
| + | |||
| + | <tt>X Provided by a contrib, not in qpsmtpd git<br> | ||
<nowiki>AC Auto-configured by SME Server</nowiki></tt> | <nowiki>AC Auto-configured by SME Server</nowiki></tt> | ||
</div><br> | </div><br> | ||
<div style="column-count:4;-moz-column-count:4;-webkit-column-count:4"> | <div style="column-count:4;-moz-column-count:4;-webkit-column-count:4"> | ||
| − | * [[Qpsmtpd:auth/auth_checkpassword|auth/auth_checkpassword]] (U) | + | *[[Qpsmtpd:auth/auth_checkpassword|auth/auth_checkpassword]] (U) |
| − | * [[Qpsmtpd:auth/auth_cvm_unix_local|auth/auth_cvm_unix_local]] (AC) | + | *[[Qpsmtpd:auth/auth_cvm_unix_local|auth/auth_cvm_unix_local]] (AC) |
| − | * [[Qpsmtpd:auth/authdeny|auth/authdeny]] (U) | + | *[[Qpsmtpd:auth/authdeny|auth/authdeny]] (U) |
| − | * [[Qpsmtpd:auth/auth_flat_file|auth/auth_flat_file]] (U) | + | *[[Qpsmtpd:auth/auth_flat_file|auth/auth_flat_file]] (U) |
| − | * [[Qpsmtpd:auth/auth_imap|auth/auth_imap]] (U) | + | *[[Qpsmtpd:auth/auth_imap|auth/auth_imap]] (U) |
| − | * [[Qpsmtpd:auth/auth_ldap_bind|auth/auth_ldap_bind]] (U) | + | *[[Qpsmtpd:auth/auth_ldap_bind|auth/auth_ldap_bind]] (U) |
| − | * [[Qpsmtpd:auth/auth_vpopmail|auth/auth_vpopmail]] (U) | + | *[[Qpsmtpd:auth/auth_vpopmail|auth/auth_vpopmail]] (U) |
| − | * [[Qpsmtpd:auth/auth_vpopmaild|auth/auth_vpopmaild]] (U) | + | *[[Qpsmtpd:auth/auth_vpopmaild|auth/auth_vpopmaild]] (U) |
| − | * [[Qpsmtpd:auth/auth_vpopmail_sql|auth/auth_vpopmail_sql]] (U) | + | *[[Qpsmtpd:auth/auth_vpopmail_sql|auth/auth_vpopmail_sql]] (U) |
| − | * [[Qpsmtpd:autowhitelist_relayrcpt|autowhitelist_relayrcpt]] (U) | + | *[[Qpsmtpd:autowhitelist_relayrcpt|autowhitelist_relayrcpt]] (U) |
| − | * [[Qpsmtpd:badmailfrom|badmailfrom]] | + | *[[Qpsmtpd:badmailfrom|badmailfrom]] |
| − | * [[Qpsmtpd:badmailfromto|badmailfromto]] (U) | + | *[[Qpsmtpd:badmailfromto|badmailfromto]] (U) |
| − | * [[Qpsmtpd:badrcptto|badrcptto]] (AC) | + | *[[Qpsmtpd:badrcptto|badrcptto]] (AC) |
| − | * [[Qpsmtpd:bcc|bcc]] (U DB) | + | *[[Qpsmtpd:bcc|bcc]] (U DB) |
| − | * [[Qpsmtpd:bogus_bounce|bogus_bounce]] ( | + | *[[Qpsmtpd:bogus_bounce|bogus_bounce]] (DB) |
| − | * [[Qpsmtpd:check_goodrcptto|check_goodrcptto]] (AC) | + | *check_badcountries (X [[GeoIP|CW]]) |
| − | * [[Qpsmtpd:check_smtp_forward|check_smtp_forward]] (AC) | + | *[[Qpsmtpd:check_goodrcptto|check_goodrcptto]] (AC) |
| − | * [[Qpsmtpd_connection_time|connection_time]] (U CW) | + | *[[Qpsmtpd:check_smtp_forward|check_smtp_forward]] (AC) |
| − | * [[Qpsmtpd:content_log|content_log]] (U) | + | *[[Qpsmtpd_connection_time|connection_time]] (U CW) |
| − | * [[Qpsmtpd:count_unrecognized_commands|count_unrecognized_commands]] (DB) | + | *[[Qpsmtpd:content_log|content_log]] (U) |
| − | * [[Qpsmtpd:denysoft_multi_rcpt|denysoft_multi_rcpt]] (U) | + | *[[Qpsmtpd:count_unrecognized_commands|count_unrecognized_commands]] (DB) |
| − | * [[Email#How_do_I_enable_and_configure_a_disclaimer_in_email_messages|disclaimer]] (U DB CW) | + | *[[Qpsmtpd:denysoft_multi_rcpt|denysoft_multi_rcpt]] (U) |
| − | * [[Qpsmtpd:dkim|dkim]] (+ DB E) | + | *[[Email#How_do_I_enable_and_configure_a_disclaimer_in_email_messages|disclaimer]] (U DB CW) |
| − | * [[Qpsmtpd:dkim_sign|dkim_sign]] (+ DB E) | + | *[[Qpsmtpd:dkim|dkim]] (+ DB E) |
| − | * [[Qpsmtpd:dmarc|dmarc]] ( | + | *[[Qpsmtpd:dkim_sign|dkim_sign]] (+ DB E) |
| − | * [[Email#Real-time_Blackhole_List_.28RBL.29|dnsbl]] (* DB CW) | + | *[[Qpsmtpd:dmarc|dmarc]] (DB E) |
| − | * [[Qpsmtpd:dns_whitelist_soft|dns_whitelist_soft]] (U) | + | *[[Email#Real-time_Blackhole_List_.28RBL.29|dnsbl]] (* DB CW) |
| − | * [[Qpsmtpd:domainkeys|domainkeys]] | + | *[[Qpsmtpd:dns_whitelist_soft|dns_whitelist_soft]] (U) |
| − | * [[Qpsmtpd:dont_require_anglebrackets|dont_require_anglebrackets]] (U) | + | *[[Qpsmtpd:domainkeys|domainkeys]] |
| − | * [[Qpsmtpd:dspam|dspam]] (U) | + | *[[Qpsmtpd:dont_require_anglebrackets|dont_require_anglebrackets]] (U) |
| − | * [[Qpsmtpd_check_earlytalker|earlytalker]] (AC CW) | + | *[[Qpsmtpd:dspam|dspam]] (U) |
| − | * [[Qpsmtpd:exe_filter|exe_filter]] (U AC) | + | *[[Qpsmtpd_check_earlytalker|earlytalker]] (AC [[Qpsmtpd check earlytalker|CW]]) |
| − | * [[Qpsmtpd:fcrdns|fcrdns]] (U) | + | *[[Qpsmtpd:exe_filter|exe_filter]] (U AC) |
| − | * [[Qpsmtpd:fix_headers_case|fix_headers_case]] (U CW) | + | *[[Qpsmtpd:fcrdns|fcrdns]] (U) |
| − | * [[ | + | *[[Qpsmtpd:fix_headers_case|fix_headers_case]] (U CW) |
| − | * [[Qpsmtpd:handler|handler]] (U) | + | *[[greylisting]] (U CW) |
| − | * [[Qpsmtpd:headers|headers]] (*) | + | *[[Qpsmtpd:handler|handler]] (U) |
| − | * [[Qpsmtpd:helo|helo]] (AC) | + | *[[Qpsmtpd:headers|headers]] (*) |
| − | * [[Qpsmtpd:help|help]] (U) | + | *[[Qpsmtpd:helo|helo]] (AC) |
| − | * [[Qpsmtpd:hosts_allow|hosts_allow]] (AC) | + | *[[Qpsmtpd:help|help]] (U) |
| − | * [[Qpsmtpd:http_config|http_config]] (U) | + | *[[Qpsmtpd:hosts_allow|hosts_allow]] (AC) |
| − | * [[Qpsmtpd:ident/geoip|ident/geoip]] (U) | + | *[[Qpsmtpd:http_config|http_config]] (U) |
| − | * [[Qpsmtpd:ident/p0f|ident/p0f]] (U) | + | *[[Qpsmtpd:ident/geoip|ident/geoip]] (U) |
| − | * [[Qpsmtpd:karma|karma]] (+ U DB) | + | *[[Qpsmtpd:ident/p0f|ident/p0f]] (U) |
| − | * [[Qpsmtpd:karma_tool|karma_tool]] | + | *[[Qpsmtpd:karma|karma]] (+ U DB) |
| − | * [[Qpsmtpd:loadcheck|loadcheck]] (+) | + | *[[Qpsmtpd:karma_tool|karma_tool]] |
| − | * [[Qpsmtpd:logging|logging]] (AC) | + | *[[Qpsmtpd:loadcheck|loadcheck]] (+) |
| − | * [[Qpsmtpd:loop|loop]] (U) | + | *[[Qpsmtpd:logging|logging]] (AC) |
| − | * [[Qpsmtpd:milter|milter]] (U) | + | *[[Qpsmtpd:loop|loop]] (U) |
| − | * [[Qpsmtpd:naughty|naughty]] ( | + | *[[Qpsmtpd:milter|milter]] (U) |
| − | * [[Qpsmtpd:noop_counter|noop_counter]] (U) | + | *[[Qpsmtpd:naughty|naughty]] () |
| − | * [[Qpsmtpd:parse_addr_withhelo|parse_addr_withhelo]] (U) | + | *[[Qpsmtpd:noop_counter|noop_counter]] (U) |
| − | * [[Qpsmtpd:peers|peers]] (AC) | + | *[[Qpsmtpd:parse_addr_withhelo|parse_addr_withhelo]] (U) |
| − | * [[Qpsmtpd:per_user_config|per_user_config]] (U CW) | + | *[[Qpsmtpd:peers|peers]] (AC) |
| − | * [[Qpsmtpd:qmail_deliverable|qmail_deliverable]] (U) | + | *[[Qpsmtpd:per_user_config|per_user_config]] (U CW) |
| − | * [[Qpsmtpd:queue|queue]] (AC) | + | *[[Qpsmtpd:qmail_deliverable|qmail_deliverable]] (U) |
| − | * [[Qpsmtpd:quit_fortune|quit_fortune]] (U) | + | *[[Qpsmtpd:queue|queue]] (AC) |
| − | * [[Qpsmtpd:random_error|random_error]] (U) | + | *[[Qpsmtpd:quit_fortune|quit_fortune]] (U) |
| − | * [[Qpsmtpd:rcpt_map|rcpt_map]] (U) | + | *[[Qpsmtpd:random_error|random_error]] (U) |
| − | * [[Qpsmtpd:rcpt_ok|rcpt_ok]] (AC) | + | *[[Qpsmtpd:rcpt_map|rcpt_map]] (U) |
| − | * [[Qpsmtpd:rcpt_regexp|rcpt_regexp]] (U) | + | *[[Qpsmtpd:rcpt_ok|rcpt_ok]] (AC) |
| − | * [[Qpsmtpd:registry.txt|registry.txt]] (U) | + | *[[Qpsmtpd:rcpt_regexp|rcpt_regexp]] (U) |
| − | * [[Qpsmtpd:relay|relay]] (AC) | + | *[[Qpsmtpd:registry.txt|registry.txt]] (U) |
| − | * [[Qpsmtpd:resolvable_fromhost|resolvable_fromhost]] (AC) | + | *[[Qpsmtpd:relay|relay]] (AC) |
| − | * [[Email#Real-time_Blackhole_List_.28RBL.29|rhsbl]] (* DB CW) | + | *[[Qpsmtpd:resolvable_fromhost|resolvable_fromhost]] (AC) |
| − | * [[Qpsmtpd:sender_permitted_from|sender_permitted_from]] ( | + | *[[Email#Real-time_Blackhole_List_.28RBL.29|rhsbl]] (* DB CW) |
| − | * [[Email#Spamassassin|spamassassin]] (DB SM AC CW) | + | *[[Qpsmtpd:sender_permitted_from|sender_permitted_from]] (?) |
| − | * [[Qpsmtpd:stunnel|stunnel]] (U) | + | *[[Email#Spamassassin|spamassassin]] (DB SM AC CW) |
| − | * [[Qpsmtpd:tls|tls]] (AC) | + | *[[Qpsmtpd:stunnel|stunnel]] (U) |
| − | * [[Qpsmtpd:tls_cert|tls_cert]] | + | *[[Qpsmtpd:tls|tls]] (AC) |
| − | * [[Qpsmtpd:tnef2mime|tnef2mime]] (AC) | + | *[[Qpsmtpd:tls_cert|tls_cert]] |
| − | * [[Qpsmtpd:uribl|uribl]] ( | + | *[[Qpsmtpd:tnef2mime|tnef2mime]] (AC) |
| − | * [[Qpsmtpd:user_config|user_config]] (U) | + | *[[Qpsmtpd:uribl|uribl]] (DB) |
| − | * [[Virus:Email_Attachment_Blocking|virus]] (DB SM CW) | + | *[[Qpsmtpd:user_config|user_config]] (U) |
| − | * [[Qpsmtpd:whitelist|whitelist]] (U?) | + | *[[Virus:Email_Attachment_Blocking|virus]] (DB SM CW) |
| + | *[[Qpsmtpd:whitelist|whitelist]] (U?) | ||
</div> | </div> | ||
---- | ---- | ||
| − | [[Category:Mail]][[Category:Qpsmtpd]] | + | [[Category:Mail]] |
| + | [[Category:Qpsmtpd]] | ||
| + | [[Category:SME11-Development]] | ||
Latest revision as of 23:45, 28 April 2024
TODO: update Email#qpsmtpd for SME11
qpsmtpd
qpsmtpd has been a core component of SME Server since SME 7, providing advanced spam fighting capabilities.
SME Server 9.2 introduced qpsmtpd 0.96 with several new capabilities. At the same time, smeserver-qpsmtpd has been updated to provide additional SME Server configuration options.
SME Server 10 start moving the services to systemd.
SME Server 11 will upgrade to qpsmtpd 1.0. At the same time, smeserver-qpsmtpd has been updated providing separate configuration for each running deamons and introducing a third running deamon now covering all usual SMTP ports 25 (qpsmtpd), 587 (new uqpsmtpd) and 465 (sqpsmtpd). Also SME11 provides a full systemd implementaiton of the services without runit. Softlimit has been increased from 50MB to 150MB.
Systemd Configuration
Some of the setting that were previously arranged using runit run script and multiple called script are all now present in systemd unit, with a dropin file to override default. The dropin file is templated
# /usr/lib/systemd/system/uqpsmtpd.service
[Unit]
Description=qpsmtpd on submission port
After=network.target network-online.target qpsmtpd.service
[Service]
Type=simple
LimitDATA=150000000
LimitSTACK=150000000
LimitMEMLOCK=150000000
Environment=PORT=587 INSTANCES=40 INSTANCES_PER_IP=5 QPSMTPD_CONFIG=/var/service/uqpsmtpd/config PATH=/var/qmail/bin:/bin:/usr/bin:/usr/local/bin TCPLOCALHOST=me
WorkingDirectory=/var/service/qpsmtpd/
ExecStartPre=/sbin/e-smith/service-status uqpsmtpd
ExecStartPre=/sbin/e-smith/systemd/qpsmtpd-init %N
ExecStart=/usr/bin/qpsmtpd-forkserver \
-u qpsmtpd \
-l 0.0.0.0 \
-p $PORT \
-c $INSTANCES \
-m $INSTANCES_PER_IP
ExecReload=/bin/kill -HUP $MAINPID
Restart=always
RestartSec=20s
SyslogIdentifier=uqpsmtpd
[Install]
WantedBy=sme-server.target
# /usr/lib/systemd/system/uqpsmtpd.service.d/50koozali.conf
#------------------------------------------------------------
# !!DO NOT MODIFY THIS FILE!!
#
# Manual changes will be lost when this file is regenerated.
#
# Please read the developer's guide, which is available
# at http://www.contribs.org/development/
#
# Copyright (C) 1999-2006 Mitel Networks Corporation
#------------------------------------------------------------
[Service]
LimitDATA=150000000
LimitSTACK=150000000
LimitMEMLOCK=150000000
Environment=
Environment=QPSMTPD_CONFIG=/var/service/uqpsmtpd/config PORT=587 INSTANCES=10 INSTANCES_PER_IP=5 PATH=/var/qmail/bin:/bin:/usr/bin:/usr/local/bin TCPLOCALHOST=sme11.example.com
Services folders
/var/service/qpsmtpd
/var/service/qpsmtpd/config
/var/service/qpsmtpd/config/dkim
/var/service/qpsmtpd/config/peers
/var/service/qpsmtpd/peers
/var/service/qpsmtpd/ssl
/var/service/sqpsmtpd
/var/service/sqpsmtpd/supervise
/var/service/sqpsmtpd/config
/var/service/sqpsmtpd/config/dkim -> ../../qpsmtpd/config/dkim
/var/service/sqpsmtpd/config/peers
/var/service/sqpsmtpd/peers
/var/service/qpsmtpd/ssl -> ../qpsmtpd/ssl
/var/service/uqpsmtpd
/var/service/uqpsmtpd/config
/var/service/uqpsmtpd/config/dkim -> ../../qpsmtpd/config/dkim
/var/service/uqpsmtpd/config/peers
/var/service/uqpsmtpd/peers
/var/service/qpsmtpd/ssl -> ../qpsmtpd/ssl
Properties in configuration db
| property | qpsmtpd | sqpsmtpd | uqpsmtpd | information |
|---|---|---|---|---|
| Authentication | enabled | enabled | enabled | |
| Bcc | disabled | x | x | |
| BccMode | cc | x | x | |
| BccUser | maillog | x | x | |
| DNSBL | disabled | x | x | |
| Instances | 40 | 10 | 10 | |
| InstancesPerIP | 5 | 5 | 5 | |
| LogLevel | 6 | x | x | |
| MaxScannerSize | 25000000 | x | x | |
| MaximumDateOffset | 0 | x | x | |
| PatternsScan | disabled | x | x | |
| Proxy | blocked | x | x | |
| RBLList | bl.spamcop.net,dnsbl-1.uceprotect.net,dnsbl-2.uceprotect.net,psbl.surriel.com,zen.spamhaus.org | x | x | |
| RHSBL | disabled | x | x | |
| RelayRequiresAuth | enabled | x | x | |
| SoftLimit | 150000000 | 150000000 | 150000000 | |
| SBLList | multi.surbl.org,black.uribl.com,rhsbl.sorbs.net | x | x | |
| TCPPort | 25 | 465 | 587 | |
| TCPProxyPort | 25 | x | x | |
| TlsBeforeAuth | 1 | 1 (hardcoded) | 1 (hardcoded) | |
| UBLList | multi.surbl.org:8-16-64-128,black.uribl.com,rhsbl.sorbs.net | x | x | |
| URIBL | disabled | x | x | |
| VirusScan | enabled | x | x | |
| access | public | public | public | |
| qplogsumm | disabled | x | x | |
| status | enabled | enabled | enabled | |
| tnef2mime | enabled | x | x | |
| KarmaNegative | (2) | |||
| KarmaStrikes | (3) | |||
| HeloPolicy | (lenient)[lenient | rfc | strict] | |||
| MaximumDateOffset | (0) | |||
| MaxLoad | (7) | |||
| SPFRejectPolicy | (0)[0-4] | |||
| DMARCReject | (disabled)[enabled|disabled] | |||
| DMARCReporting | (enabled)[enabled|disabled] | |||
| disclaimer | (disabled)[enabled|disabled] |
Config files
| config file | qpsmtpd | sqpsmtpd | uqpsmtpd | plugin | related properties | information |
|---|---|---|---|---|---|---|
| badhelo | template | metadata | metadata | helo | ||
| badmailfrom | template | metadata | metadata | badmailfrom
badmailfromto badrcptto |
||
| badrcptto | template | metadata | metadata | badrcptto
check_goodrcptto |
fixed output | |
| badrcptto_ext | template | metadata | metadata | badrcptto | hide emails when db accounts setprop ACCOUNT Visible internal | |
| dkim | folder | folder | folder | not in use | ||
| dnsbl_allow | template | metadata | metadata | dnsbl | ||
| dnsbl_zones | template | metadata | metadata | dnsbl
per_user_config |
$qpsmtpd{RBLList} | |
| forcespamcheck | template | metadata | metadata | forcespamcheck | empty file, plugin set in peers | |
| goodrcptto | template | metadata | metadata | check_goodrcptto | ||
| invalid_resolvable_fromhost | template | metadata | metadata | resolvable_fromhost | fixed output | |
| IP | template | metadata | metadata | IP for tcpserver to bind to , 0 for all, fixed to 0 | ||
| loglevel | template | metadata | metadata | logterse (...) | $qpsmtpd{LogLevel} | |
| memory_threshold | template | metadata | metadata | fixed to 1 | ||
| norelayclients | template | metadata | metadata | relay | $GatewayIP if set | |
| peers | folder | folder | folder | peers | see peers section | |
| plugin_dirs | template | metadata | metadata | fixed output /usr/share/qpsmtpd/plugins | ||
| plugins | x | x | x | x | x | has a copy of peers fragments, hidden by metadata |
| relayclients | template | metadata : to remove? | metadata: to remove? | greylisting
relay spamassassin |
IP allowed for relay without auth | |
| rhsbl_zones | template | metadata | metadata | rhsbl | $qpsmtpd{SBLList} | |
| signatures_patterns | template | metadata | metadata | uses db mailpatterns | ||
| smtpgreeting | template | metadata | metadata | $qpsmtpd{Greeting} | default to host.domain | |
| spool_dir | template | metadata | metadata | fixed output /var/spool/qpsmtpd | ||
| spool_perms | x | x | x | file, do not alter | ||
| subject_prefix | template | metadata | metadata | $spamassassin{Subject} | ||
| timeout | template | metadata | metadata | $qpsmtpd{timeout} | 120 as default | |
| timeoutsmtpd | template | metadata | metadata | $qpsmtpd{timeoutsmtpd} | 120 as default | |
| tls_before_auth | template | template | template | $qpsmtpd{TlsBeforeAuth} | hardcoded for uqpsmtpd and sqpsmtpd | |
| tls_ciphers | template | template | template | tls | $qpsmtpd{TlsBeforeAuth}
$sqpsmtpd{TlsBeforeAuth} $uqpsmtpd{TlsBeforeAuth} |
sqpsmtpd default to uqpsmtpd
global default is $modSSL{CipherSuite} |
| tls_protocols | template | template | template | tls | SSLv2, SLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3 | TLS1.2 minimum for uqpsmtpd and sqpsmtpd
TLS1.1 minimum for qpsmtpd properties are set individually for each service |
| uribl_zones | template | metadata | metadata | $qpsmtpd{UBLList} |
Peer plugin configuration
SME Server uses a plugin call peers, that set the plugins used depending on the client IP, i.e. 2 configurations are presents one for LAN and another for WAN.
| plugin | config | qp local | qp 0 | sqp /uqp
local |
sqp/uqp
0 |
TODO |
|---|---|---|---|---|---|---|
| 00setup | set bounce_unknown_user | |||||
| 02logterse | logging/logterse | |||||
| 04tls | tls ssl/cert.pem ssl/cert.pem ssl/cert.pem ssl/dhparam.pem | |||||
| 05auth_cvm_unix_local | To remove | |||||
| 06auth_imap | auth/auth_imap 127.0.0.1 143 | |||||
| 09karma | karma negative $negative strikes $strikes reject naughty db_dir /var/lib/qpsmtpd/karma | X | X | enabled by default ? | ||
| 10earlytalker | earlytalker | X | X | add wait and check-at [ CONNECT | DATA ] options | ||
| 11bogus_bounce | bogus_bounce | |||||
| 12count_unrecognized_commands | count_unrecognized_commands 4 | X | X | |||
| 13bcc | bcc mode $qpsmtpd{BccMode} all $user | add possibility to set direction (all/incoming/outgoing) | ||||
| 14relay | relay | should we remove from 465 and 581 or set RELAY ONLY ? | ||||
| 15helo | helo policy { $qpsmtpd{HeloPolicy} || 'lenient' } reject naughty | X | X | |||
| 16resolvable_fromhost | resolvable_fromhost | X | X | |||
| 17headers | headers future $days past $days" if ($days) | |||||
| 19loadcheck | loadcheck max_load { $qpsmtpd{MaxLoad} || '7' } | X | X | |||
| 20rhsbl | rhsbl | X | X | |||
| 221spf | sender_permitted_from reject 1 no_dmarc_policy { $qpsmtpd{SPFRejectPolicy} || '0' } | X | X | change default to 1 | ||
| 222dkim | dkim reject 0 | |||||
| 223dmarc | marc reject { (( $qpsmtpd{DMARCReject} || 'disabled' ) =~ m/^1|on|enabled|yes$/) ? '1' : '0' } reporting { (( $qpsmtpd{DMARCReporting} || 'enabled' ) =~ m/^1|on|enabled|yes$/) ? '1' : '0' } | X | X | |||
| 22dnsbl | dnsbl reject naughty | X | X | |||
| 23naughty | naughty reject mail | X | X | |||
| 24uribl | uribl action deny | |||||
| 30badmailfrom | badmailfrom | |||||
| 34badrcptto | badrcptto | X | X | |||
| 34badrcptto_ext | badrcptto more_badrcptto badrcptto_ext | X | X | |||
| 37check_smtp_forward | check_smtp_forward | needed for submission ? | ||||
| 38check_goodrcptto | check_goodrcptto extn - | |||||
| 39rcpt_ok | rcpt_ok | |||||
| 62pattern_filter | virus/pattern_filter check=patterns action=deny | |||||
| 62tnef2mime | tnef2mime | |||||
| 65disclaimer | disclaimer | X | X | missing disclaimer_file definition? | ||
| 70spamassassin | spamassassin reject $spamassassin{RejectLevel} munge_subject_threshold $spamassassin{TagLevel} size_limit $spamassassin{MaxMessageSize} | X | X | |||
| 71forcespamcheck | forcespamcheck reject $spamassassin{RejectLevel} munge_subject_threshold $spamassassin{TagLevel} size_limit $spamassassin{MaxMessageSize} | X | X | |||
| 80clamav | virus/clamdscan scan_all yes clamd_socket /run/clamd/clamd.socket defer_on_error yes max_size $max_size | |||||
| 90queue-qmail-queue | queue/qmail-queue | also content commented to remove ? | ||||
| 90queue-smtp-forward | # commented out |
Upgrade Considerations
we used check_badcountries for a while, but could we switch back to ident/geoip ?
whitelist plugin : adding the ip-range whitelist; add login of ip
A-Record DNSBL Services
- Some DNSBL services - notably b.barracudacentral.org - provide their results using a DNS "A" record instead of a DNS TXT record. The dnsbl plugin requires these services to include a colon (":") in dnsbl_zones - however, SME used to use a colon the server separator in the configuration database. In order to support these A-Record DNSBL services, the separator for RBLList, SBLList, and the new UBLList is now a comma.
- You can now configure b.barracudacentral.org using (note the single quotes):
config setprop qpsmtpd RBLList server1,server2,'b.barracudacentral.org:Blocked - see <http://bbl.barracudacentral.com/q.cgi?ip=%IP%>'
DKIM & DMARC
- DKIM & DMARC are now supported natively by SME Server. To enable these you will need to configure appropriate DNS records in your public DNS server.
- There are forum reports of problems for users who had DKIM enabled using the DKIM contrib.
URIBL
- qpsmtpd now supports URIBL - the ability to block emails that contain known malicious URLs within the body of the email. This service is disabled by default.
- Enable URIBL with the default services using:
config setprop qpsmtpd URIBL enabled signal-event email-update
- Note: If your SME server is using high traffic external DNS forwarders like google (8.8.8.8 / 8.8.4.4), opendns (208.67.222.222 / 208.67.220.220), or any large ISP's (Cox, Comcast, Verizon), enabling URIBL may block all incoming email. This will only affect you if you have configured a DNS forwarder in server-manager -- a default SME server installation does its own direct DNS lookups and would not be affected unless you receive over 250,000 emails per day.
- Read more at http://uribl.com/refused.shtml
"Naughty" plugin
- SME Server is now using the 'naughty' plugin which allows early plugins like dnsbl, earlytalker, etc to indicate that the email should be rejected at a later point in the interaction. This allows the server to log extra information for denied emails. Specifically, emails denied by dnsbl will now show the sender and recipient email addresses in the qpsmtpd log
Plugins
Below is a list of all the plugins from /usr/share/qpsmtpd/plugins on a freshly updated SME 9.2 server.
+ New in SME 11
* Improved or changed in SME 9.2
U Unused (by default) in SME Server
E Extra / External Configuration Required
CW Contrib or Wiki page exists that uses this plugin
SM Can be configured using server-manager
DB Can be configured using db variables
X Provided by a contrib, not in qpsmtpd git
AC Auto-configured by SME Server
- auth/auth_checkpassword (U)
- auth/auth_cvm_unix_local (AC)
- auth/authdeny (U)
- auth/auth_flat_file (U)
- auth/auth_imap (U)
- auth/auth_ldap_bind (U)
- auth/auth_vpopmail (U)
- auth/auth_vpopmaild (U)
- auth/auth_vpopmail_sql (U)
- autowhitelist_relayrcpt (U)
- badmailfrom
- badmailfromto (U)
- badrcptto (AC)
- bcc (U DB)
- bogus_bounce (DB)
- check_badcountries (X CW)
- check_goodrcptto (AC)
- check_smtp_forward (AC)
- connection_time (U CW)
- content_log (U)
- count_unrecognized_commands (DB)
- denysoft_multi_rcpt (U)
- disclaimer (U DB CW)
- dkim (+ DB E)
- dkim_sign (+ DB E)
- dmarc (DB E)
- dnsbl (* DB CW)
- dns_whitelist_soft (U)
- domainkeys
- dont_require_anglebrackets (U)
- dspam (U)
- earlytalker (AC CW)
- exe_filter (U AC)
- fcrdns (U)
- fix_headers_case (U CW)
- greylisting (U CW)
- handler (U)
- headers (*)
- helo (AC)
- help (U)
- hosts_allow (AC)
- http_config (U)
- ident/geoip (U)
- ident/p0f (U)
- karma (+ U DB)
- karma_tool
- loadcheck (+)
- logging (AC)
- loop (U)
- milter (U)
- naughty ()
- noop_counter (U)
- parse_addr_withhelo (U)
- peers (AC)
- per_user_config (U CW)
- qmail_deliverable (U)
- queue (AC)
- quit_fortune (U)
- random_error (U)
- rcpt_map (U)
- rcpt_ok (AC)
- rcpt_regexp (U)
- registry.txt (U)
- relay (AC)
- resolvable_fromhost (AC)
- rhsbl (* DB CW)
- sender_permitted_from (?)
- spamassassin (DB SM AC CW)
- stunnel (U)
- tls (AC)
- tls_cert
- tnef2mime (AC)
- uribl (DB)
- user_config (U)
- virus (DB SM CW)
- whitelist (U?)
