Qmail + Spamdyke and validrcptto
by BenV on Sep.16, 2011, under Software
Today I decided it was time to get rid of both backscatter and the useless spam filtering of mail that will bounce anyway.
Obviously I’m not running a vanilla qmail, but a patched version (by John M. Simpson) of Qmail that adds lovely antispam features such as checks for reverse DNS records and SPF records, fixes a ton of annoyances and generally makes Qmail a lot nicer.
On top of that I run Spamdyke to apply graylisting for some domains, add blacklists/whitelists and do some more spam checking.
One of the problems I ran into over the years is that when someone starts spamming you at random addresses, it generates a lot of backscatter. The qmail patch also enables the option to check for valid recipients.
So instead of:
Server: Hello, I’m a mailserver
Asshole: I’m sending mail from $here
Server: Right right
Asshole: Source of the mail is from $someone_I_Hate
Server: Sure
Asshole: It should go to thisdoesntexist@yourserver.com
Server: Sure, bye!
Server: *SPAMCHECK* (wasting 10 hours of CPU cycles)
Server: *Try to deliver locally because yourserver.com is a local domain*
Server: Heej, that user doesn’t exist on this domain! * BOUNCE *
Server: *tries to send bounce to $someone_I_hate*
Other server: Hej, stop trying to send spam to me! Also that address doesn’t exist! *BYE!*
Server: *bounce bounced* -> *sends double bounce to postmaster*
It will be as simple as:
Server: Hello, I’m a mailserver
Asshole: I’m sending mail from $here
Server: Right right
Asshole: Source of the mail is from $someone_I_Hate
Server: Sure
Asshole: It should go to thisdoesntexist@yourserver.com
Server: *checks* … GET BENT!!! *DISCONNECT*
Asshole: What the.
A lot more efficient, and it also prevents people who are the target of a Joe-Job from receiving a ton of bounces.
So after setting up the scripts etc. to generate the validrcptto.cdb file and enabling it in the daemontools run script, I tried a telnet session.
$ telnet localhost 25
Trying 123.45.67.8...
Connected to localhost.
Escape character is '^]'.
220 mail.yourserver.com ESMTP
EHLO localhost
250-mail.yourserver.com
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-STARTTLS
250-SIZE 0
250-PIPELINING
250 8BITMIME
MAIL FROM: benv@localhost
250 ok
RCPT TO: thisdoesnexistatthisserver@thisdoesatthisserver.com
250 ok
What the heck. It was supposed to ignore it!
After digging through both qmail-smtpd.c and spamdyke.c it came to my attention that:
1. The SPF check is ignored when the RELAYCLIENT environment variable is set.
2. Spamdyke by default sets the RELAYCLIENT variable in order to be able to provide AUTH support.
Yay.
Solution: relay-level = no-check in spamdyke.conf. Qmail does the relay checks just fine and already has AUTH support through the patch I use.
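The telnet test above can be turned into a repeatable check that runs after every config change. This is an added example, not code from the original post or from qmail or Spamdyke; the function names, the probe sender address and the ReplayedServer stub are assumptions made for illustration.

```python
import smtplib
import sys

def classify_rcpt(code):
    """Translate an RCPT TO reply code into its meaning for backscatter."""
    if 200 <= code < 300:
        return "accepted"  # queued now, bounced later: the backscatter case
    if 400 <= code < 500:
        return "deferred"  # temporary failure (e.g. graylisting): inconclusive
    if 500 <= code < 600:
        return "rejected"  # refused inside the SMTP session: no bounce is sent
    return "unknown"

def probe_rcpt(host, bogus_rcpt, sender="probe@example.org", port=25,
               smtp_factory=smtplib.SMTP):
    """Ask a server about one nonexistent recipient; no message is sent."""
    with smtp_factory(host, port, timeout=15) as smtp:
        smtp.ehlo("probe.example.org")
        code, reply = smtp.mail(sender)
        if code != 250:
            raise RuntimeError("MAIL FROM refused: %d %r" % (code, reply))
        code, reply = smtp.rcpt(bogus_rcpt)
        smtp.rset()  # abandon the transaction, DATA is never issued
        return classify_rcpt(code), code, reply.decode("ascii", "replace")

class ReplayedServer:
    """Constructed stand-in for smtplib.SMTP that replays one fixed RCPT reply."""
    def __init__(self, rcpt_reply):
        self.rcpt_reply = rcpt_reply
    def __enter__(self):
        return self
    def __exit__(self, *exc):
        return False
    def ehlo(self, name=""):
        return (250, b"mail.yourserver.com")
    def mail(self, sender):
        return (250, b"ok")
    def rcpt(self, recipient):
        return self.rcpt_reply
    def rset(self):
        return (250, b"flushed")

if __name__ == "__main__":
    if len(sys.argv) == 3:  # live check: HOST BOGUS_ADDRESS
        print(probe_rcpt(sys.argv[1], sys.argv[2]))
    else:  # offline demo replaying the "250 ok" seen in the session above
        stub = ReplayedServer((250, b"ok"))
        print(probe_rcpt("stub", "nobody@example.org", smtp_factory=lambda *a, **k: stub))
```

Run the live check from a client that is not granted relay rights as well as from localhost, since the post found that a set RELAYCLIENT changes which checks are applied.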