At this time /command/svcscanboot should have started qmail: > ps axfww 1905 pts/1 Sl 0:00 /home/vpopmail/bin/vusaged 2008 pts/1 S 0:00 /bin/sh /command/svscanboot 2010 pts/1 S 0:00 \_ svscan /service 2012 pts/1 S 0:00 | \_ supervise qmail-smtpd 2029 pts/1 S 0:00 | | \_ /usr/local/bin/tcpserver -v -H -R -l 0 -x /home/vpopmail/etc/tcp.smtp.cdb -c 20 -u 89 -g 89 0 25 /var/qmail/bin/qmail-smtpd 2013 pts/1 S 0:00 | \_ supervise log 2021 pts/1 S 0:00 | | \_ /usr/local/bin/multilog t /var/log/qmail/smtpd 2014 pts/1 S 0:00 | \_ supervise qmail-send 2027 pts/1 S 0:00 | | \_ qmail-send 2039 pts/1 S 0:00 | | \_ qmail-lspawn 2040 pts/1 S 0:00 | | \_ qmail-rspawn 2041 pts/1 S 0:00 | | \_ qmail-clean 2042 pts/1 S 0:00 | | \_ qmail-todo 2043 pts/1 S 0:00 | | \_ qmail-clean 2015 pts/1 S 0:00 | \_ supervise log 2025 pts/1 S 0:00 | | \_ /usr/local/bin/multilog t /var/log/qmail/send 2016 pts/1 S 0:00 | \_ supervise vpopmaild 2026 pts/1 S 0:00 | | \_ /usr/local/bin/tcpserver -v -H -R -l 0 -u 0 -g 0 0 89 /home/vpopmail/bin/vpopmaild 2017 pts/1 S 0:00 | \_ supervise log 2023 pts/1 S 0:00 | | \_ /usr/local/bin/multilog t /var/log/qmail/vpopmaild 2018 pts/1 S 0:00 | \_ supervise qmail-submission 2024 pts/1 S 0:00 | | \_ /usr/local/bin/tcpserver -v -H -R -l 0 -x /home/vpopmail/etc/tcp.submission.cdb -c 20 -u 89 -g 89 0 587 /var/qmail/bin/qmail-smtpd /home/vpopmail/bin/vchkpw /bin/true 2019 pts/1 S 0:00 | \_ supervise log 2022 pts/1 S 0:00 | | \_ /usr/local/bin/multilog t /var/log/qmail/submission 2020 pts/1 S 0:00 | \_ supervise clear 2011 pts/1 S 0:00 \_ readproctitle service errors: ...............................................................................................................................................
If everything is ok you should see something like this. There must be only dots in the readproctitle service errors line. You can always clean the errors' line in this way: svc -o /service/clear or, if you're using my modified qmailctl file, you can do this: qmailctl clear Check the queue and the services uptime: > qmailctl stat /service/qmail-send: up (pid 7987) 4 seconds /service/qmail-send/log: up (pid 6998) 1946 seconds /service/qmail-smtpd: up (pid 7989) 4 seconds /service/qmail-smtpd/log: up (pid 6995) 1946 seconds /service/qmail-submission: up (pid 7991) 4 seconds /service/qmail-submission/log: up (pid 6999) 1946 seconds /service/vpopmaild: up (pid 7993) 4 seconds /service/vpopmaild/log: up (pid 6997) 1946 seconds messages in queue: 0 messages in queue but not yet preprocessed: 0 Of course, you’ll only see the submission service lines if qmail-submission is included in the svclist line in /usr/local/bin/qmailctl. Check that the up time increases by repeating the qmailctl stat command a couple of times. If something fails, check the logs. The next two notes will show how to handle and eventually repair the queue. swaksswaks is a SMTP test tool that you can use to perform all the telnet tests that are described below. Install as follows: cd /usr/local/bin wget http://www./john/code/swaks/latest/swaks chown root.root swaks chmod +x swaks The usage is pretty simple. Adjust to your needs: swaks --to someone@somewhere.net --from postmaster@yourdomain.xy --server localhost --port 587 \ --ehlo test -tls --auth login --auth-user postmaster@yourdomain.xy --auth-password [PASSWORD] You may want to take a look to the reference manual: http://www./john/code/swaks/latest/doc/ref.txt Testing qmail deliveryLook at the TEST.deliver man page and do all suggested tests. Testing SMTP connectionIn this example [your-IP] is an IP that is allowed to use our MTA as a relay according to ~vpopmail/etc/tcp.smtp; usually it is 127.0.0.1 or an address on an allowed localnet such as 10.0.0.5 or 192.168.1.12 This test will fail if you try to use the MTA as an open relay, telnetting from the outnet without the SMTP authentication (see below). > telnet [your IP] 25 Trying [your IP]... Connected to qmail.yourdomain.net. Escape character is '^]'. 220 mail.yourdomain.net ESMTP mail from:<user@yourdomain.net> 250 ok rcpt to:<someone@somewhere.else.net> 250 ok data 354 go ahead subject: This is the subject to: someone@somewhere.else.net from: user@yourdomain.net This is the msg body FOLLOWING A BLANK LINE . 250 ok 1286469273 qp 31969 quit 221 www.yourdomain.net Connection closed by foreign host. *********** Of course it may happen that something goes wrong > telnet [your IP] 25 Trying [your IP]... Connected to [yout IP]. Escape character is '^]'. Connection closed by foreign host. Let's check the smtp log: > more /var/log/qmail/smtpd/current @400000004cb7145314702f74 /var/qmail/bin/qmail-smtpd: error while loading shared libraries: libcrypt.so.1: failed to map segment from shared object: Cannot allocate memory If you see an error like this, your softlimit is too low. Try to increase it editing /var/qmail/supervise/qmail-smtp/run *********** > more /var/log/qmail/smtpd/current @400000004cc5baaf076df464 /var/qmail/bin/qmail-smtpd: error while loading shared libraries: libmysqlclient.so.16: cannot open shared object file: No such file or directory I faced this error in a 64b virtual mail server. Mysql was in a different virtual server and the mysql dir was mounted locally but qmail-smtp cannot load it. I fixed this error copyng (not linking!) the library inside the guest in this way: cp -p /usr/local/mysql/lib/libmysqlclient.so.16.0.0 /usr/lib64/libmysqlclient.so.16 *********** Check if the messages has been sent opening /var/log/qmail/send/current *********** Try to send a message to yourself and look for the message in the Maildir/new folder: > telnet [your IP] 25 Trying [your IP]... Connected to qmail.yourdomain.net. Escape character is '^]'. 220 mail.yourdomain.net ESMTP mail from:<user@yourdomain.net> 250 ok rcpt to:<user@yourdomain.net> 250 ok data 354 go ahead subject: This is the subject to: user@yourdomain.net from: user@yourdomain.net This is the msg body FOLLOWING A BLANK LINE . 250 ok 1286469273 qp 31969 quit 221 www.yourdomain.net Connection closed by foreign host. > ls -l /home/vpopmail/domains/yourdomain.net/user/Maildir/new total 4 -rw------- 1 vpopmail vchkpw 211 2010-12-09 13:22 1291897368.13072.qmail,S\=211 Testing vpopmail auth> telnet [your-IP] 89 Trying [your-IP]... Connected to [your-IP]. Escape character is '^]'. +OK login userid@yourdomain.net PASSWORD +OK+ vpopmail_dir /home/vpopmail domain_dir /home/vpopmail/domains/yourdomain.net uid 89 gid 89 name userid comment userName userSurname quota NOQUOTA user_dir /home/vpopmail/domains/yourdomain.net/userid encrypted_password $xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx clear_text_password xxxxxxxxxxxxxxxxx no_password_change 0 no_pop 0 no_webmail 0 no_imap 0 bounce_mail 0 no_relay 0 no_dialup 0 user_flag_0 0 user_flag_1 0 user_flag_2 0 user_flag_3 0 no_smtp 0 domain_admin_privileges 0 override_domain_limits 0 no_spamassassin 0 delete_spam 0 no_maildrop 0 system_admin_privileges 0 . quit +OK Connection closed by foreign host. Testing chkuserIf you perform this test from localhost or from one of the localnets that are allowed to relay according to ~vpopmail/etc/tcp.smtp... 10.0.0.:allow,RELAYCLIENT="" 127.:allow,RELAYCLIENT="" ...before continuing, you have to deny yourself from relaying. Clean and reaload tcp.smtp: cd ~vpopmail/etc mv tcp.smtp tcp.smtp.bck touch tcp.smtp qmailctl cdb Now we are ready for the test. No valid MX test, mailbox syntax testchkuser rejects the messages if the MX record in the from field is non existent. This is a rare case since spammers will try to use your own domain in the from field. > telnet [yourIP] 25 Trying [yourIP]... Connected to [yourIP]. Escape character is '^]'. 220 yourdomain.net ESMTP mail from: unexistent@fakedomain.xxx 550 5.1.8 sorry, can't find a valid MX for sender domain (chkuser) mail from: unexistent@fake_domain.xxx 553 5.1.7 sorry, mailbox syntax not allowed (chkuser) quit No mailbox testqmail/control/rcpthosts file determines whether the recipient will be accepted: it will be accepted if and only if the domain of the address given in the RCPT TO command is listed in rcpthosts. Anyway chkuser is programmed to reject msg for non existent users of these domains: > telnet [yourIP] 25 Trying [yourIP]... Connected to [yourIP]. Escape character is '^]'. 220 yourdomain.net ESMTP mail from: someone@gmail.com 250 ok rcpt to: nobody@yourdomain.net 550 5.1.1 sorry, no mailbox here by that name (chkuser) quit No rcpt hosts testTo allow clients to send outgoing messages through this MTA, you must authorize the relay from their IP addresses inside tcp.smtp: 111.222.333.444:allow,RELAYCLIENT="" In this case we have purged tcp.smtp, so we are allowed to send messages only to local users (domains inside rcpthosts) and chkuser can't find the external domain in his list of allowed rcpthosts > telnet [yourIP] 25 Trying [yourIP]... Connected to [yourIP]. Escape character is '^]'. 220 yourdomain.net ESMTP mail from: someone@gmail.com 250 ok rcpt to: someone@gmail.com 553 5.7.1 sorry, that domain isn''t in my list of allowed rcpthosts (chkuser) quit In addition look for chkuser messages inside the smtp log /var/log/qmail/smtp/current. Don't forget to restore the tcp.smtp rm tcp.smtp mv tcp.smtp.bck tcp.smtp qmailctl cdb Testing smtp-auth and TLSLet's suppose that you have enabled the submission service (port 587). If you have enabled smtp-auth on port 25 replace 587 with 25 below. Check that auth and TLS are present: > telnet [your-IP] 587 Trying [your-IP]... Connected to [your-IP]. Escape character is '^]'. 220 smtp.yourdomain.net ESMTP EHLO test 250-smtp.yourdomain.net 250-STARTTLS 250-PIPELINING 250-8BITMIME 250-SIZE 3000000 250 AUTH LOGIN PLAIN mail from:someone@somewhere.net 530 Authorization required (#5.7.1) AUTH PLAIN 538 auth not available without TLS (#5.3.3) STARTTLS 220 ready for tls ?(?S^F?^@???^\?^^CR?^??*LV^?^Y+ ^W^C^A^@ o?^?&@?????^N^?>??^?.d[^ZE?^?2^?^F^?Xr?XN^W^C^A^@P?^?^?4H&>/4^UG^?^??Njg^]?^_^F;@?^T?^? ^@i?>r^F??g4??{^C??bc^^N?^Qb???^@?n^???8`?W^\?5?^?^HT?F^?X?(^?+ ^W^C^A^@ ?+^??2??W]^Y??}?^?^B^[??n?w^?qs^???^N^B^[^W^C^A^@@^CC3^?f?^Y.^?^?x#?j?^D?+?u^F^?^H?0^?^U??^@i?c$ ^CConnection closed by foreign host. The server seems to correctly provide STARTTLS and AUTH support. As you can see the authorization is required and the auth is not available without TLS. When the server is "ready for tls" the connection goes encrypted and you have to quit with a ^C. Be aware that you can choose between 3 authentication methods:
Since we support TLS I use to disable CRAM-MD5 in my run file. So we will test just LOGIN and PLAIN. If you want to enable CRAM-MD5 refer to the README.auth file. Testing the relay with "AUTH LOGIN"- Encoding the login - To test the "AUTH LOGIN" method (it is safe since the entire connection is secure) you have to encode the BASE64 string of the username, let's say "test@test.net", and the password, let's say "test" as shown below. > printf "test@test.net" | base64 dGVzdEB0ZXN0Lm5ldA== > printf "test" | base64 dGVzdA== Thus, the username "test@test.net" translates to "dGVzdEB0ZXN0Lm5ldA==" and the corresponding password "test" becomes "dGVzdA==" - Testing the relay - Now let's check if the relay is working fine. To talk with the server during an encrypted dialog we will use an openssl connection with -starttls smtp; first of all the certificate will be presented: > openssl s_client -starttls smtp -crlf -connect [your-IP]:587 CONNECTED(00000003) depth=0 /C=IT/ST=Italy/L=Cagliari/O=Your Name/CN=smtp.yourdomain.net/emailAddress=postmaster@yourdomain.net verify error:num=18:self signed certificate verify return:1 depth=0 /C=IT/ST=Italy/L=Cagliari/O=Your Name/CN=smtp.yourdomain.net/emailAddress=postmaster@yourdomain.net verify return:1 --- Certificate chain 0 s:/C=IT/ST=Italy/L=Cagliari/O=Your Name/CN=smtp.yourdomain.net/emailAddress=postmaster@yourdomain.net i:/C=IT/ST=Italy/L=Cagliari/O=Your Name/CN=smtp./emailAddress=postmaster@yourdomain.net --- Server certificate -----BEGIN CERTIFICATE----- xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx -----END CERTIFICATE----- subject=/C=IT/ST=Italy/L=Cagliari/O=Your Name/CN=smtp.yourdomain.net/emailAddress=postmaster@yourdomain.net issuer=/C=IT/ST=Italy/L=Cagliari/O=Your Name/CN=smtp.yourname.net/emailAddress=postmaster@yourname.net --- No client certificate CA names sent --- SSL handshake has read 1650 bytes and written 354 bytes --- New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA Server public key is 1024 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : DHE-RSA-AES256-SHA Session-ID: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Session-ID-ctx: Master-Key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Key-Arg : None Start Time: 1292613625 Timeout : 300 (sec) Verify return code: 18 (self signed certificate) --- 250 AUTH LOGIN PLAIN AUTH LOGIN 334 VXNlcm5hbWU6 <---- it is a BASE64 encoded string 'Username:' dGVzdEB0ZXN0Lm5ldA== <---- it is a BASE64 encoded string 'test@test.net' 334 UGFzc3dvcmQ6 <---- it is a BASE64 encoded string 'Password:' dGVzdA== <---- it is a BASE64 encoded string 'test' (the user password in this example) 235 ok, go ahead (#2.0.0) mail from:yourself@somedomain.net 250 ok rcpt to:someone@somewhere.net 250 ok data 354 go ahead subject: smtp-auth + tls test to:someone@somewhere.net from:yourself@somedomain.net This is the body FOLLOWING A BLANK LINE . 250 ok 1292613846 qp 14123 quit 221 smtp.yourdomain.net closed Testing the relay with "AUTH PLAIN"- Encoding the login - The correct form of the AUTH PLAIN is "authorization-id\0authentication-id\0passwd'" where \0 is the null byte. If the username is "test@test.net" and the password is "test" you have to encode the BASE64 string of "\0test@test.net\0test": > printf "\0test@test.net\0test" | base64 AHRlc3RAdGVzdC5uZXQAdGVzdA== - Testing the relay - Now let's check if the relay is working fine. To talk with the server during an encrypted dialog we will use an openssl connection with -starttls smtp; first of all the certificate will be presented: > openssl s_client -starttls smtp -crlf -connect [your-IP]:587 CONNECTED(00000003) [THE SAME AS AUTH LOGIN BEFORE] --- 250 AUTH LOGIN PLAIN AUTH PLAIN AHRlc3RAdGVzdC5uZXQAdGVzdA== <---- it is a BASE64 encoded string '\0test@test.net\0test' 235 ok, go ahead (#2.0.0) mail from:yourself@somedomain.net 250 ok rcpt to:someone@somewhere.net 250 ok data 354 go ahead subject: smtp-auth + tls test to:someone@somewhere.net from:yourself@somedomain.net This is the body FOLLOWING A BLANK LINE . 250 ok 1292613846 qp 14123 quit 221 smtp.yourdomain.net closed TroubleshootingIf something goes wrong you can always log the smtp conversation running qmail-smtp in conjunction with Bernstein's recordio program (hopefully from the command line): exec /usr/local/bin/softlimit -m "$SOFTLIMIT" /usr/local/bin/tcpserver -v -H -R -l 0 -x /home/vpopmail/etc/tcp.submission.cdb -c "$MAXSMTPD" -u "$QMAILDUID" -g "$NOFILESGID" 0 submission /usr/local/bin/recordio /var/qmail/bin/qmail-smtpd /home/vpopmail/bin/vchkpw /bin/true 2>&1 or you can use strace to better investigate how the smtpd session is going on. Testing SPF
First of all, check the header of your incoming messages. For email senders who don’t have SPF enabled, you should find a Received-SPF header that looks something like this: Received-SPF: none (0: domain at <some domain> does not designate permitted sender hosts) For email senders who have SPF enabled, you’ll see a header that looks something like this: Received-SPF: pass(0: SPF record at <some domain> designates x.x.x.x as permitted sender) SPF behavior of your mail server is controlled by the file /var/qmail/control/spfbehavior. You can specify a value between 0 and 6:
You can override the value in /var/qmail/control/spfbehavior by setting the SPFBEHAVIOR environment variable (typically in /etc/tcprules.d/tcp.smtp or, if you’ve used these notes as your guide, in ~/vpopmail/etc/tcp.smtp). Values higher than 3 are strongly discouraged. You probably will want to go with 2 or 3. To run a rejection test, use the highest value (6 ) and restart qmail. Then, from a remote IP address, try telnetting into your mail server and sending a message using a fake email address: > telnet qmail.yourserver.net 25 Trying [remote-IP]... Connected to [remote-IP]. Escape character is '^]'. 220 qmail.yourserver.net ESMTP mail from: test@nospfdomain.net 250 ok rcpt to: user@yourdomain.net 550 See http://spf./why.html?sender=test%40nospfdomain.net&ip=[sender-IP]&receiver=0 (#5.7.1) quit 221 qmail.yourserver.net Connection closed by foreign host. Remember to restore to 2 or 3 your /var/qmail/control/spfbehavior file. |
|
来自: guli3057 > 《smtp ssl》