I'm leaving this page up for the benefit of those who've linked to it. But be advised that we are retiring Qmail. Despite the best efforts of its user community, Qmail has fallen into disrepair. Its author stopped maintaining it five years ago, but the email environment kept getting more difficult. Qmail has architectural problems that can't be fixed without such extensive add-ons and patching that its quality assurance is compromised. Those problems were just an annoyance five years ago, but they're enough to encourage other sites to block your messages today.

Unfortunately for Qmail users, Qmail's quirky copyright has prevented effective ongoing maintenance without its author's cooperation. A copylefted MTA can be forked into a new project if necessary. But Qmail just accumulates its heap of patches, and there's no way for the user to know which patch might break which other patch. Most of the patches and add-ons at Qmail.org have been, themselves, abandoned by their authors.
This list is in the format used by D J Bernstein's tcprules.
When a computer on the Internet wants to deliver mail to us, it connects to port 25, where our tcpserver is listening. tcpserver looks up the connecting client's IP address in the database prepared by tcprules. For chronic spam sources, the rules set the environment variable RBLSMTPD to a rejection message; whitelisted sources get an empty RBLSMTPD string.

Then tcpserver hands the connection to rblsmtpd. rblsmtpd honours that variable before doing anything else: an empty RBLSMTPD means "skip the DNS block lists", and a non-empty one means "reject with this text, no lookup needed" (a message beginning with a hyphen is sent as a permanent 553; otherwise it is a temporary 451). Otherwise rblsmtpd queries Spamhaus, and if the client is not listed there, NJABL. The queries are ordinary DNS lookups: the client's address octets are reversed and the list's zone appended, so 203.0.113.5 is looked up as 5.113.0.203.sbl-xbl.spamhaus.org. If either list returns an entry, rblsmtpd speaks just enough SMTP to hand the client an error and never starts qmail-smtpd; with the -b option used in the run script below that error is a permanent 553 rather than the default temporary 451. If all three tests pass (the static rules, Spamhaus and NJABL), rblsmtpd invokes Qmail's qmail-smtpd, which receives the message.
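The following is an added example, not code from this page or from ucspi-tcp, that emulates the two decisions just described: the tcprules-format lookup tcpserver makes, and what rblsmtpd then does with RBLSMTPD and the two lists. The rules text, the DNSBL contents and every function name are constructed for the example; only IP-address rules are modelled (tcpserver also matches =hostname, info@ip and address-range rules), and the DNS query is replaced by an offline table keyed by the same reversed-octet names rblsmtpd would resolve.

```python
"""Emulate what tcpserver and rblsmtpd decide for one SMTP client.

Added example, not code from this page or from ucspi-tcp. The rules text
and the DNSBL data are constructed, and only IP-based rules are modelled
(tcpserver also matches =hostname, info@ip and address-range rules).
"""
import re

# Constructed rules in tcprules format: address:allow|deny[,VAR="value",...]
# An empty RBLSMTPD exempts the client from every DNSBL lookup; a non-empty
# one makes rblsmtpd reject with that text (leading "-" means 553, else 451).
RULES_TEXT = """\
# partner relay: never checked against the lists
192.0.2.10:allow,RBLSMTPD=""
# chronic spam source: rejected with a permanent error, no DNS lookup
198.51.100.:allow,RBLSMTPD="-You are on our local block list"
# a host we do not even want to talk to
203.0.113.200:deny
# everyone else: connect, and let rblsmtpd decide
:allow
"""

# Constructed stand-in for the DNSBL zones: zone -> set of listed IPs.
DNSBL_DATA = {
    "sbl-xbl.spamhaus.org": {"203.0.113.5"},
    "dnsbl.njabl.org": {"203.0.113.77"},
}
ZONES = list(DNSBL_DATA)  # same order as the -r options in the run script


def parse_rules(text):
    """Parse tcprules text into {address: (allowed, env)}.

    Values are taken as the literal text between the quotes; tcprules'
    backslash escapes are not interpreted here.
    """
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        addr, _, rest = line.partition(":")
        verdict, _, envtext = rest.partition(",")
        if verdict not in ("allow", "deny"):
            raise ValueError(f"bad instruction in rule: {raw!r}")
        env = dict(re.findall(r'([A-Za-z_][A-Za-z0-9_]*)="([^"]*)"', envtext))
        rules[addr] = (verdict == "allow", env)
    return rules


def lookup(rules, ip):
    """Return (matched_address, (allowed, env)) the way tcpserver searches:
    the exact address, then shorter and shorter prefixes ending in a dot,
    then the empty (catch-all) address. Returns (None, None) when nothing
    matches; the ":allow" rule on this page means that never happens here."""
    octets = ip.split(".")
    candidates = [ip] + [".".join(octets[:n]) + "." for n in (3, 2, 1)] + [""]
    for key in candidates:
        if key in rules:
            return key, rules[key]
    return None, None


def dnsbl_name(ip, zone):
    """The name rblsmtpd resolves: the client's octets reversed, then the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def dnsbl_listed(ip, zone, data=DNSBL_DATA):
    """Offline stand-in for the DNS query: 'listed' when the zone data would
    answer that name. Real rblsmtpd takes its message from the TXT record."""
    answers = {dnsbl_name(listed_ip, zone) for listed_ip in data.get(zone, ())}
    return dnsbl_name(ip, zone) in answers


def decide(rules, zones, ip, permanent=True):
    """Outcome for one client: ('accept', why), ('dropped', why) or (code, message).

    permanent=True corresponds to rblsmtpd -b (553 for list hits instead of 451).
    """
    _, matched = lookup(rules, ip)
    if matched is not None and not matched[0]:
        return ("dropped", "connection refused by tcpserver rule")
    env = matched[1] if matched else {}
    if "RBLSMTPD" in env:
        msg = env["RBLSMTPD"]
        if msg == "":
            return ("accept", "whitelisted, DNSBLs not consulted")
        if msg.startswith("-"):
            return ("553", msg[1:])
        return ("451", msg)
    for zone in zones:  # first hit wins; later zones are never queried
        if dnsbl_listed(ip, zone):
            return ("553" if permanent else "451", f"listed by {zone}")
    return ("accept", "not listed in any DNSBL")


if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    for client in ("192.0.2.10", "198.51.100.23", "203.0.113.200",
                   "203.0.113.5", "203.0.113.77", "203.0.113.9"):
        print(f"{client:15} {decide(rules, ZONES, client)}")
```

Two things the table of outcomes makes visible that the prose does not: the order of the rules file is irrelevant, because tcpserver tries the most specific address first, so a whitelisted host wins even if a prefix rule for its network rejects; and a whitelisted client never touches the lists at all, so a listing there has no effect on it.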
We don't run Qmail from inetd, because inetd is not reliable for this job: it starts a process for every connection with no per-address rules and no limit on simultaneous connections, which is exactly what tcpserver's -x rules and -c limit provide. To get inetd out of the way, comment the "smtp" line out of /etc/inetd.conf and send your inetd process a hangup signal so it re-reads the file and lets go of port 25. For example,

    vi /etc/inetd.conf
    kill -HUP `cat /var/run/inetd.pid`
This contraption is best run from a script invoked by a daemon supervisor such as supervise. If you don't have supervise yet, you can just run the script in the background. The ./run script looks like this:
    #!/bin/sh
    # Only the directories holding tcpserver, rblsmtpd and the Qmail binaries.
    PATH=/var/qmail/bin:/usr/sbin
    export PATH
    # exec, so that supervise controls tcpserver itself rather than this shell.
    exec tcpserver -x/etc/tcp/r.cdb 0 25 \
        rblsmtpd -b -r sbl-xbl.spamhaus.org -r dnsbl.njabl.org \
        qmail-smtpd 2>&1

The PATH is restricted to the places where the three programs (and the other Qmail binaries) are located. The arguments to tcpserver name the compiled rules database (-x/etc/tcp/r.cdb, which tcprules builds from the rules file) and tell it to listen on every local address (0) on port 25. The exec matters under supervise: the supervisor signals the process it started, and without exec that would be the shell, not tcpserver. rblsmtpd checks the -r lists in the order given, and -b makes it answer a listed client with a permanent 553 instead of the default temporary 451, so a listed sender doesn't keep retrying. The 2>&1 sends error output along with the normal output, where the supervisor's logger can collect it.

Two caveats. tcpserver has to start as root to bind port 25, and as written it passes root on to rblsmtpd and qmail-smtpd; give tcpserver the -u and -g options with the numeric uid of qmaild and gid of nofiles (or -U together with envuidgid qmaild) so that qmail-smtpd, the part that talks to strangers, runs unprivileged. And the two list names are historical: NJABL shut down in 2013 and Spamhaus retired sbl-xbl.spamhaus.org in favour of zen.spamhaus.org, so a current setup has to name live zones.
(Of course, if you're concerned some skript kiddy might look for stuff in /var/qmail/bin you might want to install Qmail someplace else; that is obscurity rather than protection, but it costs nothing. Read INSTALL in the Qmail source and edit conf-qmail before compiling anything.)