#!/bin/sh
#
# run.smtp
# John Simpson 2003-07-05
#
# Generic daemontools "run" script for qmail "smtp" or "smtpssl" service.
#
# SSL support requires the qmail-smtp-auth patch, as well as vpopmail.
#
# Note that it is possible to use SSL=0 and AUTH=1 together, but it's not a
# good idea because it will result in your users sending their passwords
# over the Internet in plain text.
#
# You should also not allow POP3 or IMAP connections to happen over the
# Internet without SSL encryption, since the same passwords are used. All
# it takes is one spammer to find out a user's password and your machine
# becomes an open relay.
#
# NOTE(review): this script is written for /bin/sh but every string
# comparison below uses "==" inside "[ ]", which is a bash extension. On a
# system whose /bin/sh is dash (Debian/Ubuntu) or another strict POSIX shell
# those tests fail with "unexpected operator" and the service never starts
# (fail closed, but still an outage). Either run it under bash or change
# "==" to "=" -- TODO confirm what /bin/sh is on the target host.
#
# 2003-11-24 John Simpson
# - added support for recordio to log SMTP conversations. should be
# for debugging only, may also be used for low-traffic servers
# to keep even more detailed logs.
#
# 2004-05-22 John Simpson
# - modifying for stunnel version 4 (for use with WhiteBox Linux)
#
# 2004-06-02 John Simpson
# - adding RELAYCLIENT="" for 127.0.0.1 server
#
# 2004-06-24 John Simpson
# - added "export SSL" before running the server. my server is running
# with the STARTTLS and SMTP-AUTH patches, but i have modified them
# so that the server only advertises or supports the AUTH command if
# there is a valid checkpasswd program and EITHER the STARTTLS mode
# is active, or it sees SSL=1 in the environment (trusting the server
# administrator that the connection is secure.)
# - changed comments regarding the case of SSL=0 and AUTH=1.
#
# 2004-08-29 John Simpson
# - added a note about the "ALLOW_INSECURE_AUTH" environment variable,
# which enables users of my combined patch (version 5b or higher) to
# allow the AUTH command without the connection being secure. THIS IS
# A VERY BAD IDEA.
#
# 2005-04-11 jms1 - (no code changed.) changed the copyright notice to
# specify that the license is the GPL VERSION 2 ONLY. i'm not comfortable
# with the "or future versions" clause until i know what these "future
# versions" will look like.
#
###############################################################################
#
# Copyright (C) 2003-2005 John Simpson.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License, version 2, as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
# or visit http://www.gnu.org/licenses/gpl.txt
#
###############################################################################

# send our own stderr to stdout so everything below (including the echo'd
# error messages and the tcpserver -v output) lands in the multilog pipe.
exec 2>&1

VQ="/var/qmail"
# fixed, trusted PATH so the unqualified program names below (tcpserver,
# qmail-smtpd, id, head) cannot be hijacked through an inherited PATH.
PATH="$VQ/bin:/usr/local/bin:/usr/bin:/bin"
# checkpassword-style authenticator handed to qmail-smtpd when AUTH=1
CHECKPW=~vpopmail/bin/vchkpw
SMTPD="qmail-smtpd"

# specify IP to listen on, or 0 for "all interfaces"
IP=0

# listen for SSL (on port 465) or not (on port 25)?
SSL=0

# SSL requires stunnel. we need the path and the version, either 3 or 4.
STUNNEL_PATH="/usr/sbin/stunnel"
STUNNEL_VER=4

# support SMTP AUTH or not?
AUTH=0

# this section only applies if you have compiled qmail with my combined patch,
# version 5b or higher. see http://www.jms1.net/qmail/ for more information.
#
# IF SO: even if you enable AUTH here, clients are still required to negotiate
# a secure connection, either by connecting to an SSL-enabled server (if you
# have SSL=1 above) or by using the STARTTLS extension within a normal server
# which doesn't use SSL directly.
#
# this extra security requirement can be disabled, but it's a very bad idea
# since it allows your users' email programs to send their passwords over
# the network in plain text... and all it takes is for a spammer to get ONE
# of your users' passwords and you become an open relay.
#
# NOTE(review): this variable is assigned but never exported anywhere in
# this script, so as written it would not reach qmail-smtpd's environment
# even if someone set it to 1 -- confirm against what the patch reads.
ALLOW_INSECURE_AUTH=0

# this should work on most systems, if not you may need to manually set
# the location of your "/bin/true" binary (only needed for AUTH support)
# NOTE(review): "which" is not guaranteed to exist on minimal systems;
# `command -v true` is the portable equivalent. If it is missing, TRUE ends
# up empty and the AUTH=1 branch below refuses to start.
TRUE=`which true`

# number of concurrent incoming connections to allow.
# "life with qmail" had this as a /var/qmail/control file, i prefer to
# configure it here.
MAX=30

# set this to the full path of your "recordio" binary if you want to use
# recordio. this should only be used for testing. note that this will end
# up logging the contents of peoples' emails and their AUTH passwords, so
# the log file should not be world-readable.
# NOTE: this setting is ignored for stunnel version 4, since stunnel version 4
# takes over the stderr channel which would normally go to multilog.
#RECORDIO="/usr/local/bin/recordio"
RECORDIO=""

# if you wish to use RBL's to block or anti-block messages, set RBLSMTPD
# to the full path of your "rblsmtpd" binary (from the ucspi-tcp package.)
# RBL_BAD should contain any RBL lists we wish to use to block mail
# RBL_GOOD should contain any RBL lists we wish to use to anti-block mail
# (that is, treat them as "good" even if they're listed on a "bad" list.)
# NOTE(review): check that every list you enable is still operated before
# relying on it; a decommissioned DNSBL may start answering positively for
# every query, which would make rblsmtpd reject all incoming mail.
#RBLSMTPD=/usr/local/bin/rblsmtpd
#RBL_BAD="bl.spamcop.net dnsbl.njabl.org relays.ordb.org"
#RBL_GOOD=""

###############################################################################
###############################################################################
###############################################################################
#
# this is where it all begins

# uid/gid that tcpserver drops to (-u/-g) before running the SMTP server,
# so qmail-smtpd never runs as root.
QDUID=`id -u qmaild`
QDGID=`id -g qmaild`
# our own hostname, used for tcpserver -l (skip the reverse lookup) and as
# the first argument to qmail-smtpd in AUTH mode.
LOCAL=`head -1 $VQ/control/me`

# refuse to start if any of the required values is empty (e.g. the qmaild
# user does not exist, or control/me is missing).
if [ -z "$QDUID" -o -z "$QDGID" -o -z "$MAX" -o -z "$LOCAL" -o -z "$IP" \
    -o -z "$SSL" -o -z "$AUTH" ]
then
    echo QDUID, QDGID, MAX, LOCAL, IP, SSL, or AUTH is unset in the run script.
    exit 1
fi

# without control/rcpthosts qmail-smtpd accepts RCPT TO for any domain, i.e.
# it is an open relay. An empty file is the safe default: only connections
# with RELAYCLIENT set in their environment can then send mail anywhere.
if [ ! -f $VQ/control/rcpthosts ]
then
    echo Creating emtpy $VQ/control/rcpthosts file to prevent open relay.
    touch $VQ/control/rcpthosts
    chmod 644 $VQ/control/rcpthosts
fi

# optional content scanning: hand the message to a queue wrapper instead of
# qmail-queue directly, if one of the known wrappers is installed.
if [ -f $VQ/bin/qmail-scanner-queue.pl ]
then
    export QMAILQUEUE=$VQ/bin/qmail-scanner-queue.pl
elif [ -f $VQ/bin/qmail-spamassassin -a -f /usr/bin/spamassassin ]
then
    export QMAILQUEUE=$VQ/bin/qmail-spamassassin
fi

# choose port, tcprules database and (for SSL) the stunnel wrapper command.
if [ "$SSL" == "1" ]
then
    if [ ! -f $VQ/control/servercert.pem ]
    then
        echo ERROR: $VQ/control/servercert.pem does not exist
        exit 1
    fi
    PORT=465
    ACDB="/etc/tcp/smtpssl.cdb"
    if [ "$STUNNEL_VER" == "3" ]
    then
        # stunnel 3 is used inetd-style: it terminates TLS and exec's the
        # program after "-l" (recordio or qmail-smtpd itself).
        if [ ! -z "$RECORDIO" ]
        then
            STUNNEL="$STUNNEL_PATH -f -p $VQ/control/servercert.pem -l $RECORDIO --"
        else
            STUNNEL="$STUNNEL_PATH -f -p $VQ/control/servercert.pem -l $SMTPD --"
        fi
    elif [ "$STUNNEL_VER" == "4" ]
    then
        if [ ! -z "$RECORDIO" ]
        then
            echo ERROR: recordio cannot be used with stunnel v4
            exit 1
        fi
        # stunnel 4 takes a config file instead; it is written just before
        # the exec below.
        STUNNEL=$STUNNEL_PATH
    else
        echo ERROR: unknown STUNNEL_VER [$STUNNEL_VER]
        exit 1
    fi
else
    PORT=25
    ACDB="/etc/tcp/smtp.cdb"
    STUNNEL=""
fi

# a loopback-only listener trusts every client (RELAYCLIENT="" turns relaying
# on for all connections) and skips tcprules. This is only safe BECAUSE the
# socket is bound to 127.0.0.1; do not copy this branch for any other IP.
# For every other listener the tcprules cdb decides who may relay.
# NOTE(review): with "-x" and no "-X", tcpserver drops every connection if
# the cdb cannot be read (per ucspi-tcp docs) -- make sure $ACDB exists and
# is rebuilt whenever the rules change.
if [ "$IP" == "127.0.0.1" ]
then
    export RELAYCLIENT=""
    ACMD=""
else
    ACMD="-x $ACDB"
fi

# qmail-smtpd AUTH mode takes "hostname checkprogram subprogram" as its
# arguments; the subprogram is just /bin/true.
if [ "$AUTH" == "1" ]
then
    if [ ! -f $CHECKPW ]
    then
        echo ERROR: $CHECKPW program does not exist
        exit 1
    fi
    if [ -z "$TRUE" ]
    then
        echo ERROR: TRUE is not set in the run script
        exit 1
    # NOTE(review): "-e" only tests that the path exists; the message claims
    # executability, which would be "-x". Harmless for /bin/true, but the
    # check is weaker than it reads.
    elif [ ! -e $TRUE ]
    then
        echo ERROR: $TRUE is not an executable
        exit 1
    fi
    ARGS=" $LOCAL $CHECKPW $TRUE"
else
    ARGS=""
fi

########################################
# make RBL command (if needed)
#
# rblsmtpd sits between tcpserver and qmail-smtpd: "-a" lists are consulted
# first and whitelist the client, "-r" lists cause a temporary rejection.

RBLCMD=""
if [ ! -z "$RBLSMTPD" ]
then
    for name in $RBL_GOOD
    do
        RBLCMD="$RBLCMD -a $name"
    done
    for name in $RBL_BAD
    do
        RBLCMD="$RBLCMD -r $name"
    done
    if [ ! -z "$RBLCMD" ]
    then
        RBLCMD="$RBLSMTPD $RBLCMD"
    fi
fi

########################################
# do the deed

# SSL=1 in the environment is the signal the patched qmail-smtpd trusts to
# mean "this connection is already encrypted, AUTH may be offered". It must
# therefore only ever be 1 when stunnel really is terminating TLS in front.
export SSL

if [ "$SSL" == "1" -a "$STUNNEL_VER" == "4" ]
then
    # NOTE(review): the stunnel 4 config template that belonged between
    # "<<EOF" and "EOF" has been lost from this copy of the script (only the
    # tail "transparent=yes" survives); the line as it stands is not what the
    # author ran. Restore it from the original before deploying, and keep key
    # material out of it since the file is made world-readable (chmod 644)
    # right below.
    cat > stunnel.conf <&1 transparent=yes EOF
    chmod 644 stunnel.conf
    # -v: log each connection, -R: no IDENT lookups, -l: skip our own
    # reverse lookup, -c: concurrency cap, -u/-g: drop to qmaild before exec.
    exec tcpserver -vR -l "$LOCAL" -c "$MAX" -u $QDUID -g $QDGID \
        $ACMD $IP $PORT $RBLCMD $STUNNEL stunnel.conf 2>&1
else
    # plain port 25 (or stunnel 3 in front); optional rblsmtpd and recordio
    # are inserted before qmail-smtpd and pass the connection through.
    exec tcpserver -vR -l "$LOCAL" -c "$MAX" -u $QDUID -g $QDGID \
        $ACMD $IP $PORT $RBLCMD $STUNNEL $RECORDIO $SMTPD $ARGS 2>&1
fi

########################################
# this will only be reached if the exec fails

echo ERROR: command did not run correctly
exit 1