hosted services

Some people can't understand why I prefer qmail to other mailers.

The simplest reason is that it's safe and easy to apply changes to. For example, each of the processes can have a small wrapper applied to it.

readproctitle

Sometimes something bad happens and you get a lot of errors recorded in readproctitle's output in ps. To clear it, I've found the following bit of Perl works:

perl -e 'print "." x 512;' | sudo tee /proc/$(pgrep readproctitle)/fd/0

You may find better ways, but this does the job for me.

delivered-to

Sometimes spammers cotton on to the idea that qmail bounces mail which has multiple delivered-to lines. Sometimes this can be a pathetic attempt to use a mail server to fan out junk.

The delivered-to bounce message looks like this:

Hi. This is the qmail-send program at s5h.net.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<redacted@s5h.net>:
This message is looping: it already has my Delivered-To line. (#5.4.6)

After a bit of searching I found a patch which allows more than zero Delivered-To lines. As this is a small patch to qmail-local it currently works ok with the jms1 combined patch.

After a bit of work I've combined the above patches and added some manual page context along with a configuration file in control/maxdeliveredto. You can download the qmail-1.03 combined patch here. If the control/maxdeliveredto file is not present then normal delivery happens (no duplicate Delivered-To allowed). A value of -1 in this file results in infinite Delivered-To entries; a positive number specifies the number of Delivered-To headers permitted.

svscan

Sometimes you may get into a situation where you need to stop daemontools entirely, because of system load for example.

The process tree looks like this:

     ,--------,
     |  init  |
     `---+----'
         |
         |       ,------------,
         +-------+ svscanboot |
         |       '------+-----'
         |              |         ,---------------,
         |              +---------+ readproctitle |
         |              |         '---------------'
         |              |         ,--------------,
         |              +---------|    svscan    |
         |              |         `----+---------'
         |              |              |  ,-----------,
         |              |              +--+ supervise |
         |              |              |  `-----+-----'
         |              |              |        |    ,-----------,
         |              |              |        +----+ tcpserver |
         |              |              |        |    `-----------'
         |              |              |        |

One of the very good things about daemontools is just how hard it is to kill off: the supervise processes respawn very well. The simplest way to stop it is to down all the services gracefully with:

# cd /service && svc -d *

Follow this by commenting out SV:123456:respawn:/command/svscanboot in /etc/inittab, and running pkill -HUP -u root init.

Once you've done the maintenance, remove the comment and send init a HUP.

ciphers

There have been quite a few SSL issues of late (CVE-2014-3566 and CVE-2014-8730). It really boils down to downgrade attacks. To avoid SSL and allow only TLS in a sane way (with current thinking), you may wish to put the following in your control/tlsserverciphers and control/tlsclientciphers files:

cd /var/qmail \
    && echo 'ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:HIGH:!MD5:!aNULL:!EDH:!RC4:TLSv1' \
    | tee control/tls{server,client}ciphers

Currently you need SSLv3 ciphers for TLSv1 to work.
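
The string above ends with the bare TLSv1 keyword, which appends every suite OpenSSL labels SSLv3/TLSv1 that a ! rule has not removed, so it is worth checking what it expands to on the installed OpenSSL. The following is an added example, not part of the original page: the weak_suites function and the sample listing are constructed here, and it assumes the column layout printed by openssl ciphers -v.

```shell
#!/bin/sh
# Added example: audit the suites a cipher string expands to.
# Input:  `openssl ciphers -v` output (name, protocol, Kx=, Au=, Enc=, Mac=, [export]).
# Output: one line per suite that should not be offered, with the reason(s).

weak_suites() {
    awk '
    {
        reason = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "export")     reason = reason " export-grade"
            if ($i == "Enc=None")   reason = reason " no-encryption"
            if ($i == "Au=None")    reason = reason " anonymous"
            if ($i == "Mac=MD5")    reason = reason " md5-mac"
            if ($i ~ /^Enc=RC4/)    reason = reason " rc4"
            # Enc=NAME(bits): flag any key size under 112 bits
            if ($i ~ /^Enc=.*\([0-9]+\)$/) {
                bits = $i
                sub(/^.*\(/, "", bits)
                sub(/\)$/, "", bits)
                if (bits + 0 < 112) reason = reason " " bits "-bit"
            }
        }
        if (reason != "") print $1 ":" reason
    }'
}

# Constructed sample in the `openssl ciphers -v` column layout (not captured output)
sample_listing() {
    cat <<'EOF'
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
EOF
}

sample_listing | weak_suites

# On a live server, feed it the real expansion of the control file from the page:
#   openssl ciphers -v "$(cat /var/qmail/control/tlsserverciphers)" | weak_suites
```

Any line it prints names a suite the string still allows; add a matching ! rule (or drop the keyword that pulls it in) and run the check again.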

I've created a patch for the TLS/SSL method; this is also in the patch above. To use it, set the TLS protocol method in control/tlsclientmethod and control/tlsservermethod. This can be TLSv1, TLSv1_1 or TLSv1_2.

queue clearing

Sometimes the queue can hold spam; sometimes a user's mail client may be exploited and they'll start filling the queue with spam. It happens and is not limited to mail server software.

To purge the queue I find the following process works well:

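# Stop qmail first so qmail-send is not working on the queue while files are removed
qmailctl stop
cd /var/qmail/queue
# List the message files under mess/ that contain the string, strip the
# directory part to leave the message number, then remove every queue
# file (mess, info, local, remote, ...) that carries that number
grep -Rl spam_string mess | sed -e 's,.*/,,g' | while IFS= read -r N; do
    find /var/qmail/queue -name "$N" -exec rm '{}' \;
done
qmailctl start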