I don't know why anybody cares about this stuff, but this is where I saved it all when re-organizing the page on 2005-05-04. The links probably won't work, but the files involved should be easy enough to find.
Note that I have decided not to make old versions of my combined patch file available through the site any more. If you really need one of them, email me (address at the bottom of the page) and explain why the current combined patch file isn't suitable for your needs- the idea is that if there's any sane thing which has been removed from my combined patch, I need to add it back in.
2003-08-28 I have added support for SpamAssassin at the server level. I use it on my servers to mark messages which "look like" spam, and my users are able to filter the messages based on SpamAssassin's ranking of the message. It requires another script to be installed as /var/qmail/bin/qmail-spamassassin in order to work correctly.
2003-11-24 I have added support for using recordio to log the actual SMTP conversations. This can be used for debugging, for keeping a permanent log of email messages, and for tracking and analyzing the activities of suspected spammers. Note that if you use this feature in conjunction with AUTH, users who authenticate using the LOGIN or PLAIN methods will have their credentials logged as well. Please make sure that the log files are not made available to outsiders.
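The credential exposure noted in the 2003-11-24 entry can be limited by masking AUTH material before a recordio log is archived or shared. The following is an added example, not part of the original page or the author's scripts; it assumes recordio lines of the form "PID < data" for client input and "PID > data" for server output, and the function name redact and the sample session are constructed for illustration.

```python
import re

# Assumed recordio layout: "<pid> <dir> <data>", optionally preceded by a
# multilog timestamp; "<" is data from the client, ">" is qmail-smtpd's reply.
LINE = re.compile(r"^(?P<head>(?:@\S+ )?(?P<pid>\d+) (?P<dir>[<>]) )(?P<data>.*)$")
AUTH = re.compile(r"^(AUTH\s+(?:LOGIN|PLAIN))(\s+\S.*)?$", re.IGNORECASE)
MASK = "[REDACTED]"

def redact(lines):
    """Yield log lines with AUTH LOGIN/PLAIN credential material masked."""
    in_auth = set()  # PIDs currently in the middle of an AUTH exchange
    for raw in lines:
        line = raw.rstrip("\n")
        m = LINE.match(line)
        if not m:
            yield line
            continue
        pid, data = m["pid"], m["data"]
        if m["dir"] == ">":
            # Any server reply other than a 334 challenge ends the exchange.
            if pid in in_auth and not data.startswith("334"):
                in_auth.discard(pid)
            yield line
        elif pid in in_auth:
            yield m["head"] + MASK  # base64 userid/password response
        else:
            a = AUTH.match(data.strip())
            if a:
                in_auth.add(pid)
                data = a[1] + (" " + MASK if a[2] else "")
            yield m["head"] + data

SAMPLE = [  # constructed session, not taken from a real log
    "4242 > 220 mail.example.com ESMTP",
    "4242 < EHLO client.example.net",
    "4242 > 250 AUTH LOGIN PLAIN",
    "4242 < AUTH LOGIN",
    "4242 > 334 VXNlcm5hbWU6",
    "4242 < Ym9i",
    "4242 > 334 UGFzc3dvcmQ6",
    "4242 < c2VjcmV0",
    "4242 > 235 ok, go ahead",
    "4242 < MAIL FROM:<bob@example.net>",
    "4343 < AUTH PLAIN AGJvYgBzZWNyZXQ=",
]

if __name__ == "__main__":
    print("\n".join(redact(SAMPLE)))
```

Masking after the fact does not replace restrictive permissions on the log directory, since the raw log still holds the credentials until it is filtered.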
2004-01-20 A few months ago, one of my clients was the victim of a massive spam bomb which totally filled the drive containing their /var/qmail directory. Some messages were partially written to the queue but a lot of them had files created for the various parts but then couldn't allocate blocks to hold the data meant for those files- but their queue was totally trashed.
At the time, I wrote a perl script to manually fix the ownerships and permissions of the queue directory, as well as check the status of each message number (that the mess file's inode was the same as the filename, that the other combinations of files pertaining to that message represented some sane condition of a message within the queue, and that none of the files involved were zero bytes.) I didn't think at the time that anybody else would need something like this, but...
Today, one of my clients accidentally made a typo with a "chown" command and ended up trashing their queue as well. The same script I wrote for the first client is now coming in handy for another client, so I figure somebody visiting this page may also be interested in looking it over and using it. I call the script qfixq. Enjoy.
While adding qfixq to this site, I also added a few other scripts that I've been using for a while (listed in the "Other Scripts" section above... or it was, back when all of my qmail stuff fit on one page. Now they're all on the scripts page.)
2004-01-22 Found and fixed minor typos in the qfixq and qkick scripts.
2004-01-29 I recently found a unified qmail patch written by Vlad Galu, which includes the original SMTP-AUTH patch that I've corrected here, along with a whole collection of other useful patches. I found a few typos with his original 2004-01-28 patch and they were fixed immediately, which is always a good thing.
I'm looking into using his unified patch in the future, rather than continuing with my own unified patch. I have sent him an updated version of his patch which incorporates my changes- preventing AUTH from being available if the command line isn't correct, adding the SMTP_AUTH_USER environment variable, and adding my block to the beginning of his README.auth file (producing the README.auth file added by my patch.)
I am also involved with a new open-source project called MailRefinery. It will be a self-booting CD which installs a complete qmail-based mail server, similar to how IPCop gives you a fully functional firewall, complete with VPN support. The set of patches I end up using on my own server will probably end up being the same set of patches which becomes part of the MailRefinery program.
2004-03-25 A friend has become the victim of a "joe-job", meaning that some spammer has decided to use random email addresses ending with his domain name as the forged "From" address in their spam run. My friend's server is being flooded with hundreds of automated bounce reports from the mail servers of the email addresses which no longer exist, as well as "spam reports" from people calling themselves system administrators who don't know how to inspect the Received: headers of the spam to verify where the messages really came from...
I configured his server to use the qmail-nospam script as the "default" target for his virtual domain, so that these "bounce" messages to non-existent userids will be routed directly to the trashcan rather than filling up his mailbox.
Now if only we could teach all of the wannabe "system administrators" out there how to read Received: headers and figure out that these messages did not actually come from my friend's server...
2004-06-01 This server crashed a few weeks ago, due to an old power supply finally giving up the ghost. While building the new server (using White Box Enterprise Linux instead of the RedHat 8.0 which was on the server before) I was forced to figure out the scripting involved to make an SSL-encrypted SMTP server run with stunnel version 4. This file is currently working on the server, but I would like to have other people try it and let me know how it works before I replace the existing one. It should work with either version 3 or version 4, depending on how you set the variables at the top of the script.
2004-06-02 Found a bug in this script... if you're using it with IP=127.0.0.1, you should also export RELAYCLIENT="" or it will refuse to relay for localhost. It totally blows my mind that I didn't notice this before, but then I don't use 127.0.0.1 for mail that often (although my webmail server does...) The fix is in the newer version of /service/smtp/run that I added here yesterday (one paragraph up from here.)
2004-06-04 I got an email which reminded me of one of the issues I ran into when I first set up SMTP-AUTH on my own server... when using the vchkpw program from vpopmail (which is how I run my server), make sure the vchkpw binary is setuid to the vpopmail userid. Otherwise, when qmail-smtpd runs vchkpw to verify the userid and password, it will be running as qmaild and won't be able to read the vpasswd.cdb files.
2004-06-24 I found the combined STARTTLS and SMTP-AUTH patch, along with the SPF patch, and got them working and fixed today. Produced a new combined patch file and updated this web page with information about it.
I have also updated /service/smtp/run with comments reflecting the fact that STARTTLS makes it safer to use AUTH on a port 25 SMTP server, provided the server is running qmail with my patches which prevent qmail-smtpd from advertising or supporting the AUTH command unless (1) there is a checkpassword program specified on the command line, and (2) either STARTTLS mode is active, or the server is running within an SSL wrapper (as evidenced by the variable SSL=1 in the environment, presumably set by an administrator.) I have also added "export SSL" to the script, in order to tell qmail-smtpd whether the connection is already secure or not.
I think I've also decided to use my own unified patch set rather than the unified patch listed above... nothing against Vlad Galu's patches, but I'm more familiar with my own patches and customizations, and have it working the way I want it to work. I will be announcing this patch on the MailRefinery mailing list and asking them what they think about it, but unless somebody has a really solid reason to change it, I think I've found the patch set which will be in the MailRefinery 1.0 product.
2004-07-04 I hadn't realized that people were actually using the patch files I've been putting up here! I've gotten some good suggestions from people in terms of which patches to add to the mix, and it's also given me an idea for another patch that I should add to the mix...
2004-07-05 I started looking around and found a patch which makes tcpserver do SSL. I ended up making a combined patch set for ucspi-tcp and am no longer using stunnel for my SMTP-SSL server. NOTE: I am no longer using this patch- it has problems with large mail messages hanging up the works.
2004-08-29 I have added a quick patch to allow AUTH without requiring SSL or TLS, for those administrators who truly don't care about their users sending plain-text passwords over the internet, or the fact that if a spammer happens to get one of these passwords he is free to abuse your server until you find and stop him. I'm running the newly patched version of the code on my own server, but I obviously don't have this "feature" enabled myself.
I have also updated the /service/smtp/run and the run.smtp.tcpserver scripts to include notes about the extra variable.
And if anybody is curious, I started running my server with spfbehavior 3 today... any email which gets a hard failure from spf (i.e. if the message claims to be from "bob@abc.com" but the spf record for "abc.com" definitively says otherwise, using "-all") is rejected automatically. So far I've had no problems with it.
2004-08-29 I have added another quick (one line) patch to prevent STARTTLS from being advertised if the connection is already SSL-secured (determined by seeing SSL=1 in the environment, which is the same variable that my /service/smtp/run script uses to tell whether to set up an SSL service or a normal service.)
2004-11-10 Fixed the URL for SPF above. Thanks for pointing out the typo.
2005-04-11 Added the /service/smtp*/run script which uses ucspi-ssl's sslserver program. Also changed the license on all of the scripts to explicitly say GPL VERSION 2 ONLY instead of "version 2 or later". I'm not comfortable with the "or later" portion, especially where nobody currently knows what the later versions will include. Once GPL-3 is released, if I agree with everything in it, I will update these license notices again.
2005-04-11 (later) Finally joined the qmailrocks.org mailing list, since most of the people using my combined patch are using it because of qmailrocks.org. Turns out the server is hosted on a netblock which is owned by one of the biggest spammers on the planet- or at least it was. The particular IP range where the server lives is not listed on any of the major blacklists, but I had added the entire network to my own blacklist over a year ago and then forgotten about it, which was keeping me from seeing the list responses and making it impossible for me to join.
Wrote the 5f patch, did some basic testing and it seems to work the way I think it should. I'm running it on my machine, and have asked the qmr mailing list for people to help test it before I recommend it be included in the qmr instructions. (Call it a "beta" release at this point.)
2005-04-19 Added the page on how to test AUTH. I'm also playing around with converting the site over to using a consistent stylesheet- if you compare the source of this page to the source of most of my other pages, you will see the difference.
2005-04-20 Added the page on how to make ClamAV and Qmail-Scanner play nice together.
2005-04-20 Added code to qfixq to run qmail-showctl and find out how many buckets are in use, after somebody on the qmailrocks mailing list trashed their queue because they didn't understand where I told them to fix the bucket count, and ran the script with the default 23-bucket count anyway- and destroyed their queue.
2005-05-04 Re-organizing these web pages... patches and scripts are now their own sub-directories, and this history is now on a page by itself. Hopefully this will make the page easier to use.
2005-08-07 Moved all of the qmail-related stuff to "qmail.jms1.net". Cleaned up this history page a little bit.