The DynDN.eS Blog

About DynDN.eS, eQmail, Gentoo & some other network stuff

eQmail 1.09

The response to eQmail-1.08 prompted me to improve it and release the new version eQmail-1.09. In short, these were the goals:

  • KISS[IS] (keep it simple and stupid is secure), which means that not every piece of functionality has to be patched in
  • stay with the UNIX (and qmail) philosophy that a program should do one thing only
  • stay independent of third-party software; e.g. the chkuser patch will never be part of eQmail because it depends on vpopmail
  • update patches where necessary (e.g. the latest version of Frederik Vermeulen's qmail-tls patch)

As a result of these points, eQmail-1.09 is still patched conservatively. It is well known that many patches cannot be applied cleanly if other patches are applied already. The qmail-spp patch, a fixed part of eQmail, provides an API for easily calling external programs during the SMTP dialogue. This way tarpitting, greylisting, recipient checks, envelope sender checks (mfcheck), SPF validation and other things can be done without patching. I mention this here because it seems not to be known by a lot of people. Depending on the situation, some of these functions can also be done by e.g. Spamdyke (see this article). By the way, eQmail keeps the modularity of qmail and stays close to the original code base. It was carefully deliberated which things should be done and why they are done.

Download: eqmail-1.09 (sha256sum)

eQmail will be discussed on the openqmail mailing list.

Changes

  • IPv6 implemented for remote connections
  • removed domainbindings patch (because of IPv6)
  • TLS implementation updated to 20151215
  • implemented forcing TLS for AUTH PLAIN/LOGIN
  • man pages qmail-spp and smtpplugins newly created
  • install routine improved, e.g. the config file smtpplugins is created through config/config-fast
  • submission port feature added
  • execute-before-qmail-remote feature added, as a plugin in the pipe qmail-rspawn -> (qmail-bfrmt ->) qmail-remote
  • some code changes to prevent compiler warnings (alloc.c, timeoutconn.c)
  • qmail no longer crashes if the config file is not found (fix to qmail-spp)
  • default delimiter for address extensions is now “+” (plus sign)

Maybe somebody is interested in having a look at these additional tools:

  • qmail-chkpw - a checkpassword compliant tool including CRAM-MD5 auth
  • qmail-pwrap - a checkpassword wrapper to use multiple checkpassword tools
  • qmail-xdkim - handle DKIM signing and verifying

Details

IPv6 implementation

eQmail now has IPv6 support even for remote connections, heavily based on the qmail-1.03-jms1.7.08-ipv6.patch by Brandon Turner. This was the main and most important requirement. Because of this it was necessary to remove the qmail-1.03-domainbindings-1.2-20141019.patch. Remember that IPv6 for incoming connections is handled by tcpserver (or a similar tool).

Authentication and TLS/SSL

eQmail 1.09 was updated to the netqmail-1.06-tls-20151215.patch with some adjustments. Surprisingly, this version increases the key sizes, which was an important requirement and a planned improvement for eQmail 1.09 as well.

SMTP authentication is now based on qmail-smtpd-auth-0.59, extended by the submission port feature. It was clearly decided NOT to use a newer authentication patch, because (still keeping KISS in mind):

  • remote authentication is based on initial work (see here) using AUTH LOGIN through smtproutes and has worked for years without any issues (as far as known)
  • as far as seen, newer SMTP authentication patches bring no real improvements; instead they seem to be a bit over-featured and make the configuration more complex

This is not meant to blame anybody or their work in any case! I highly respect the work of others, but keep the right to think for myself and make my own decisions!

Making eQmail-1.09 listen on the submission port (usually 587) is done by creating a second instance of qmail-smtpd. It should be clear that authentication is required on the submission port. The port number can be changed by setting the environment variable SUBMISSION=<port>.

TLS required

Basically the idea was “stolen” from the roberto-netqmail-1.06_force-tls.patch by Roberto Puzzanghera ;-). The functionality is a bit different, so it

  • has to be enabled by setting the environment variable TLSREQUIRED=1 (default is disabled)
  • forces TLS for AUTH PLAIN and LOGIN only, but not for CRAM-MD5

Hint: By setting TLSREQUIRED through qmail-spp it can be changed on the fly (this works with some other environment variables too)!

This functionality is important when using the submission port feature.
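The following POSIX shell script is an added example, not code from eQmail or qmail-spp, of the hint above: a qmail-spp plugin that switches TLSREQUIRED on per connection, so that AUTH PLAIN and LOGIN (which hand the server a reusable password, unlike CRAM-MD5) are only accepted over TLS from clients outside a trusted network. A dedicated submission instance would instead simply export TLSREQUIRED=1 in its environment; the plugin is for a single qmail-smtpd instance serving both internal and external clients. It assumes, because the post does not document it, that qmail-spp treats a plugin stdout line of the form SNAME=VALUE as an instruction to set the environment variable NAME to VALUE for the rest of the session, and that tcpserver exports the peer address in TCPREMOTEIP. The trusted prefix 192.0.2. is a constructed RFC 5737 test network, and tls_policy and TRUSTED_PREFIX are names chosen for this example.

```shell
#!/bin/sh
# Added example (not part of eQmail or qmail-spp): a qmail-spp plugin that
# switches the eQmail 1.09 TLSREQUIRED setting on per connection, so AUTH
# PLAIN/LOGIN is only accepted over TLS from clients outside a trusted network.
#
# Assumptions not documented in the post: qmail-spp reads the plugin's stdout
# and treats a line "SNAME=VALUE" as "set environment variable NAME to VALUE"
# for the rest of the SMTP session; tcpserver exports the peer address in
# TCPREMOTEIP. 192.0.2.0/24 is a constructed (RFC 5737) test network.

TRUSTED_PREFIX="${TRUSTED_PREFIX:-192.0.2.}"

# tls_policy PEER_IP
# Prints the qmail-spp directive for this peer, or nothing if the instance's
# own default (TLSREQUIRED unset, i.e. disabled) should stay in effect.
tls_policy() {
    peer="$1"
    case "$peer" in
        "$TRUSTED_PREFIX"*|127.*|::1|::ffff:127.*)
            # Inside the trusted network or on loopback: leave the default alone.
            ;;
        *)
            # Any other peer, including an empty address when the plugin was
            # not started under tcpserver: fail closed and require TLS.
            echo 'STLSREQUIRED=1'
            ;;
    esac
}

# Entry point when qmail-spp runs the script during the SMTP dialogue.
# The decision is also written to stderr, which a usual daemontools/multilog
# setup keeps in the qmail-smtpd log, so enforcement can be audited later.
if [ -n "$TCPREMOTEIP" ]; then
    decision=$(tls_policy "$TCPREMOTEIP")
    echo "tls-policy: peer=$TCPREMOTEIP ${decision:-default}" >&2
    if [ -n "$decision" ]; then
        echo "$decision"
    fi
fi
```

Install it as an executable plugin and list it in the smtpplugins config file at a stage that runs before AUTH (e.g. the connection stage; stage names are a qmail-spp detail, see its man page). Because the plugin only ever adds TLSREQUIRED=1 and never clears it, a static TLSREQUIRED=1 in the instance environment still wins for every client.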

qmail-bfrmt plugin

This allows executing command(s) before qmail-remote is invoked. It is one more plugin API. More detailed and separate documentation is available here.

Install/Upgrade

eQmail-1.09 conforms to the traditional routine of qmail: make, make setup check and config/config-fast. Refer to the package documentation or LWQ. Before upgrading it is always a good idea to make a backup of your qmail directory.

Technical notes

  • Compared to eQmail-1.08, the 1.06-readwrite.patch was removed