I'm leaving this page up for the benefit of those who've linked to it. But be advised that we are retiring Qmail. Despite the best efforts of its user community, Qmail has fallen into disrepair. Its author stopped maintaining it five years ago, but the email environment kept getting more difficult. Qmail has architectural problems that can't be fixed without such extensive add-ons and patching that its quality assurance is compromised. Those problems were just an annoyance five years ago, but they're enough to encourage other sites to block your messages today.

Unfortunately for Qmail users, Qmail's quirky copyright has prevented effective ongoing maintenance without its author's cooperation. A copylefted MTA can be forked into a new project if necessary. But Qmail just accumulates its heap of patches, and there's no way for the user to know which patch might break which other patch. Most of the patches and add-ons at Qmail.org have been, themselves, abandoned by their authors.
This list is in the format used by
D J Bernstein's tcprules.
When a computer on the Internet wants to forward mail to us, it connects
to port 25, where our tcpserver is listening. tcpserver looks up the
client's IP address in the database that tcprules compiled from this list.
A rule for a chronic spam source makes tcpserver export a rejection message
in the environment variable RBLSMTPD; a rule for a whitelisted source
exports RBLSMTPD as an empty string; any other client gets no RBLSMTPD
variable at all. tcpserver then hands the connection to rblsmtpd.
If RBLSMTPD is set and non-empty, rblsmtpd refuses the client with that
message and never consults a list. If RBLSMTPD is set and empty, rblsmtpd
skips the lists altogether. Otherwise rblsmtpd queries Spamhaus, and if
Spamhaus has no entry for the client, NJABL.
If either database returns a block list entry,
rblsmtpd pretends to be an SMTP server and tells the client to go away
(with -b the refusal is a permanent 553 rather than a temporary 451).
If all three tests pass, rblsmtpd invokes Qmail's
qmail-smtpd, which receives the message.
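To make that decision chain concrete, here is an added example (not code from this page, from Qmail, or from ucspi-tcp) that re-implements the tcprules lookup order and rblsmtpd's handling of RBLSMTPD and its -r lists in Python, so the logic can be exercised offline. The rules text and the DNS answers are constructed sample data; the zone names are the two from the run script on this page, the addresses are documentation ranges, and all function names are my own.

```python
"""Emulation of the tcpserver -> rblsmtpd decision chain described above.

Added example, not code from the original page, Qmail or ucspi-tcp. It
re-implements the lookup semantics in plain Python so the chain can be run
offline: the DNS resolver is a constructed in-memory table standing in for
Spamhaus and NJABL answers, and the rules file is constructed sample data.
"""
import re

# Constructed sample in tcprules source format (address:allow|deny,VAR="value",...).
# Empty RBLSMTPD whitelists the client past rblsmtpd; a non-empty one makes
# rblsmtpd reject with that text (a leading '-' selects 553 instead of 451);
# no RBLSMTPD at all means the DNSBLs get consulted.
SAMPLE_RULES = """\
# constructed /etc/tcp/r
127.0.0.1:allow,RELAYCLIENT="",RBLSMTPD=""
192.168.1.:allow,RELAYCLIENT="",RBLSMTPD=""
203.0.113.7:allow,RBLSMTPD="-Chronic spam source, go away"
10.0.0.5-7:deny
:allow
"""

ZONES = ["sbl-xbl.spamhaus.org", "dnsbl.njabl.org"]   # the -r arguments, in order

# Constructed stand-in for DNS: query name -> TXT text (absent means not listed).
FAKE_DNS = {
    "66.113.0.203.sbl-xbl.spamhaus.org": "http://www.spamhaus.org/query/bl?ip=203.0.113.66",
    "99.113.0.203.dnsbl.njabl.org": "open relay 203.0.113.99",
    "5.1.168.192.sbl-xbl.spamhaus.org": "listed, but whitelisted locally",
}


def fake_resolve(name):
    return FAKE_DNS.get(name)


_RANGE = re.compile(r"^(\d+\.\d+\.\d+\.)(\d+)-(\d+)$")
_ENV = re.compile(r'([A-Za-z_]\w*)="([^"]*)"')


def parse_rules(text):
    """Return {address: (allow, env)}; last-octet ranges are expanded as tcprules does."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        addr, _, rest = line.partition(":")
        instr = rest.partition(",")[0]
        if instr not in ("allow", "deny"):
            raise ValueError(f"bad instruction in rule {line!r}")
        env = dict(_ENV.findall(rest))
        m = _RANGE.match(addr)
        addrs = ([addr] if not m else
                 [m.group(1) + str(n) for n in range(int(m.group(2)), int(m.group(3)) + 1)])
        for a in addrs:
            rules[a] = (instr == "allow", env)
    return rules


def candidate_keys(ip):
    """tcpserver's lookup order for an IP (host-name rules omitted here):
    exact address, shorter and shorter dotted prefixes, then the empty default."""
    octets = ip.split(".")
    return [ip] + [".".join(octets[:n]) + "." for n in (3, 2, 1)] + [""]


def tcpserver_lookup(rules, ip):
    """First matching rule wins; with no rule at all tcpserver allows with no env."""
    for key in candidate_keys(ip):
        if key in rules:
            return rules[key]
    return (True, {})


def dnsbl_query_name(ip, zone):
    """DNSBL convention: reverse the octets and append the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def rblsmtpd_decide(ip, env, zones, resolve, permanent=True):
    """What rblsmtpd does with $RBLSMTPD and its -r lists (permanent=True is the -b flag).
    Simplification: the real rblsmtpd reads a TXT record for the reject text and falls
    back to a generic message when only an A record exists; here the resolver
    returns the text directly."""
    if "RBLSMTPD" in env:
        msg = env["RBLSMTPD"]
        if msg == "":
            return ("accept", None)                    # whitelisted: no DNSBL queries at all
        if msg.startswith("-"):
            return ("reject", "553 " + msg[1:])
        return ("reject", "451 " + msg)
    for zone in zones:                                 # first listing wins
        txt = resolve(dnsbl_query_name(ip, zone))
        if txt is not None:
            return ("reject", ("553 " if permanent else "451 ") + txt)
    return ("accept", None)                            # all lists clean: run qmail-smtpd


def check_client(ip, rules_text=SAMPLE_RULES, zones=ZONES, resolve=fake_resolve):
    """Whole chain: ('drop', None) if tcpserver refuses the connection outright,
    otherwise rblsmtpd's ('accept', None) or ('reject', 'NNN text')."""
    allow, env = tcpserver_lookup(parse_rules(rules_text), ip)
    if not allow:
        return ("drop", None)
    return rblsmtpd_decide(ip, env, zones, resolve)


if __name__ == "__main__":
    for ip in ("192.168.1.5", "203.0.113.7", "10.0.0.6",
               "203.0.113.66", "203.0.113.99", "8.8.8.8"):
        print(ip, check_client(ip))
```

The point the run shows is the precedence: 192.168.1.5 is listed in the constructed Spamhaus table but is accepted because its tcprules entry sets an empty RBLSMTPD, so rblsmtpd never asks; 203.0.113.7 is refused from the local rule alone; 10.0.0.6 never reaches rblsmtpd because tcpserver's deny closes the socket first.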
We don't run Qmail from inetd because inetd
is not reliable.
To get inetd out of the way, comment the
``smtp'' line out of /etc/inetd.conf
and send your inetd process a hangup signal so that it rereads its
configuration and lets go of port 25. For example,
vi /etc/inetd.conf
kill -1 `cat /var/run/inetd.pid`
This contraption is best run from a script invoked by a daemon supervisor
such as supervise from daemontools. If supervise starts the script, the
script should exec tcpserver so that supervise controls tcpserver itself
rather than an intermediate shell. If you don't have supervise yet
you can just run the script in the background. The ./run script
looks like this:
#!/bin/sh
# Only the directories holding tcpserver, rblsmtpd and the Qmail binaries.
PATH=/var/qmail/bin:/usr/sbin
export PATH
# exec so that a supervisor sees tcpserver, not this shell.
# -x: compiled tcprules database; 0 25: every local address, port 25.
# -b: refuse listed clients with a permanent 553; -r: lists, queried in order.
exec tcpserver -x/etc/tcp/r.cdb 0 25 \
    rblsmtpd -b \
        -r sbl-xbl.spamhaus.org \
        -r dnsbl.njabl.org \
    qmail-smtpd 2>&1
The PATH is restricted to the directories where the three programs
(and the other Qmail binaries) are located. The arguments to
tcpserver tell it where to find the compiled tcprules database (the
whitelist and the static blacklist together), and to listen on all
local addresses (the 0) on port 25. Two caveats a current reader should
know: as written, tcpserver and therefore qmail-smtpd run as root, whereas
the standard Qmail setup drops privileges with tcpserver's -u and -g
options (the uid and gid of the qmaild user and nofiles group) before
qmail-smtpd starts; and the list names are historical, since NJABL ceased
operation in 2013 and Spamhaus now directs users to zen.spamhaus.org
instead of the older sbl-xbl zone.
(Of course, if you're concerned that some script kiddie might look for stuff
in /var/qmail/bin, you might want to install Qmail someplace else. Read
INSTALL in the Qmail source and edit conf-qmail
before compiling anything, and point the PATH in the run script at the
new location.)