[toaster] qmail-smtpd-viruscan-1.3.patch

2004-02-12 Thread Mike McCallister
Greetings,

I am a big fan of this patch:

http://qmail.org/qmail-smtpd-viruscan-1.3.patch

Since installing it, me and about 2000 others stopped getting MS 
viruses/worms.  I am currently in the process of migrating a mail server 
over to new hardware and thought I would see what was new in the qmail 
arena.  Then I found shupp.org and learned of netqmail and the 
qmail-toaster patch - nifty!  After installing this patch:

http://shupp.org/patches/qmail-toaster-0.6.patch.bz2

I get this when trying to install the qmail-smtpd-viruscan-1.3.patch - 
any advice is appreciated since although I don't run Windows, a lot of 
people around here do and they will get on my case if all this mydoom 
nonsense starts creeping through - I don't know C (I program on PHP and 
Perl though) and don't really understand what happened in the error 
message below - please excuse my ignorance on this:

[EMAIL PROTECTED] netqmail-1.05]# patch < ../../tar/qmail-smtpd-viruscan-1.3.patch
patching file case_startb.c
patching file Makefile
Hunk #1 succeeded at 221 (offset 4 lines).
patching file qmail-smtpd.c
Hunk #1 FAILED at 96.
Hunk #2 succeeded at 191 with fuzz 2 (offset 72 lines).
Hunk #3 succeeded at 261 (offset 48 lines).
Hunk #4 succeeded at 408 (offset 109 lines).
Hunk #5 succeeded at 578 (offset 48 lines).
Hunk #6 succeeded at 661 (offset 109 lines).
1 out of 6 hunks FAILED -- saving rejects to file qmail-smtpd.c.rej
[EMAIL PROTECTED] netqmail-1.05]# cat qmail-smtpd.c.rej
***
*** 96,101 
 int bmfok = 0;
 stralloc bmf = {0};
 struct constmap mapbmf;

 void setup()
 {
--- 96,103 
 int bmfok = 0;
 stralloc bmf = {0};
 struct constmap mapbmf;
+ int sigsok = 0;
+ stralloc sigs = {0};
 void setup()
 {
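
Review bot: the two declarations this rejected hunk adds after "struct constmap mapbmf;" (int sigsok = 0; and stralloc sigs = {0};) still have to be added by hand, because the other hunks applied and the patched setup() posted further down already assigns sigsok from control_readfile(&sigs,"control/signatures",0); without the file-scope definitions qmail-smtpd.c will not compile. Put them next to the bmfok/bmf globals wherever those now sit in the toaster-patched file; the hunk was rejected because its context (struct constmap mapbmf; followed by a blank line and void setup()) was not found at that position. Also keep the blank line before void setup(), which the new side of this hunk drops.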


If I had to guess - something went wrong in the "setup" some sort of C 
function that doesn't return a value?  From the looks of it, this 
"function" was heavily modified by the qmail-toaster patch (bunch of 
tarpit, TLS, mfcheck in there) and that is why it didn't get patched 
correctly?



void setup()
{
 char *x;
 unsigned long u;
 if (control_init() == -1) die_control();
 if (control_rldef(&greeting,"control/smtpgreeting",1,(char *) 0) != 1)
   die_control();
 liphostok = control_rldef(&liphost,"control/localiphost",1,(char *) 0);
 if (liphostok == -1) die_control();
 if (control_readint(&timeout,"control/timeoutsmtpd") == -1) die_control();
 if (timeout <= 0) timeout = 1;
 if (control_readint(&tarpitcount,"control/tarpitcount") == -1) die_control();
 if (tarpitcount < 0) tarpitcount = 0;
 x = env_get("TARPITCOUNT");
 if (x) { scan_ulong(x,&u); tarpitcount = u; };
 if (control_readint(&tarpitdelay,"control/tarpitdelay") == -1) die_control();
 if (tarpitdelay < 0) tarpitdelay = 0;
 x = env_get("TARPITDELAY");
 if (x) { scan_ulong(x,&u); tarpitdelay = u; };

 if (rcpthosts_init() == -1) die_control();

 if (control_readint(&mfchk,"control/mfcheck") == -1) die_control();
 x = env_get("MFCHECK");
 if (x) { scan_ulong(x,&u); mfchk = u; }
 bmfok = control_readfile(&bmf,"control/badmailfrom",0);
 if (bmfok == -1) die_control();
 if (!constmap_init(&mapbmf,bmf.s,bmf.len,0)) die_nomem();
 bmtok = control_readfile(&bmt,"control/badmailto",0);
 if (bmtok == -1) die_control();
 if (!constmap_init(&mapbmt,bmt.s,bmt.len,0)) die_nomem();
 sigsok = control_readfile(&sigs,"control/signatures",0);
 if (sigsok == -1) die_control();
 if (control_readint(&databytes,"control/databytes") == -1) die_control();
 x = env_get("DATABYTES");
 if (x) { scan_ulong(x,&u); databytes = u; }
 if (!(databytes + 1)) --databytes;
 remoteip = env_get("TCPREMOTEIP");
 if (!remoteip) remoteip = "unknown";
 local = env_get("TCPLOCALHOST");
 if (!local) local = env_get("TCPLOCALIP");
 if (!local) local = "unknown";
 remotehost = env_get("TCPREMOTEHOST");
 if (!remotehost) remotehost = "unknown";
 remoteinfo = env_get("TCPREMOTEINFO");
 relayclient = env_get("RELAYCLIENT");
#ifdef TLS
 if (env_get("SMTPS")) { smtps = 1; tls_init(); }
 else
#endif
 dohelo(remotehost);
}
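
One way to triage the patch output shown above before building, as an added example that is not part of the original post: it lists every hunk that was rejected, applied with fuzz, or moved further than a threshold, since those are the places where one patch stacked on another can land in the wrong spot. The function names triage_patch_log and sample_log and the 50-line offset threshold are assumptions made for this example; the sample log is the output quoted in the message.

```shell
#!/bin/sh
# Added example: flag hunks from GNU patch output that need a manual look.

# Reads patch output on stdin; prints "file hunk status detail" per finding.
# $1 = offset threshold in lines (assumed default: 50).
triage_patch_log() {
    awk -v max_offset="${1:-50}" '
    /^patching file / { file = $3; next }
    /^Hunk #[0-9]+ FAILED/ {
        h = $2; sub(/^#/, "", h)
        print file, h, "FAILED", "apply by hand from " file ".rej"; next
    }
    /^Hunk #[0-9]+ succeeded/ {
        h = $2; sub(/^#/, "", h)
        fuzz = 0; off = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "fuzz") fuzz = $(i + 1) + 0      # context lines ignored
            if ($i == "(offset") off = $(i + 1) + 0    # distance from expected line
        }
        if (off < 0) off = -off
        if (fuzz > 0) print file, h, "FUZZ", "fuzz=" fuzz " offset=" off
        else if (off > max_offset) print file, h, "OFFSET", "offset=" off
    }'
}

# The patch output quoted in the message above.
sample_log() {
    cat <<'EOF'
patching file case_startb.c
patching file Makefile
Hunk #1 succeeded at 221 (offset 4 lines).
patching file qmail-smtpd.c
Hunk #1 FAILED at 96.
Hunk #2 succeeded at 191 with fuzz 2 (offset 72 lines).
Hunk #3 succeeded at 261 (offset 48 lines).
Hunk #4 succeeded at 408 (offset 109 lines).
Hunk #5 succeeded at 578 (offset 48 lines).
Hunk #6 succeeded at 661 (offset 109 lines).
1 out of 6 hunks FAILED -- saving rejects to file qmail-smtpd.c.rej
EOF
}

sample_log | triage_patch_log
```

On a real tree the same function can read the output of a patch --dry-run, so the findings are known before any file is modified.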


Re: [toaster] qmail-smtpd-viruscan-1.3.patch

2004-02-12 Thread Bill Shupp
Mike McCallister wrote:
> Greetings,
>
> I am a big fan of this patch:
>
> http://qmail.org/qmail-smtpd-viruscan-1.3.patch
>
> Since installing it, me and about 2000 others stopped getting MS
> viruses/worms.  I am currently in the process of migrating a mail server
> over to new hardware and thought I would see what was new in the qmail
> arena.  Then I found shupp.org and learned of netqmail and the
> qmail-toaster patch - nifty!  After installing this patch:
>
> http://shupp.org/patches/qmail-toaster-0.6.patch.bz2
>
> I get this when trying to install the qmail-smtpd-viruscan-1.3.patch -
> any advice is appreciated since although I don't run Windows, a lot of
> people around here do and they will get on my case if all this mydoom
> nonsense starts creeping through
My recommendation is to use the qmail-scanner/clamav solution rather 
than this virus patch.  Netqmail already comes with the qmailqueue 
patch, which is required for qmail-scanner to work.  And clamav already 
had MyDoom added to its virus definitions before MyDoom had a name 
(that's why they called it WORM.SCO.A (meaning the clamav guys are very 
much on the ball)).  Since using this solution, I have not had a 
complaint of a single virus getting through.

Regards,

Bill Shupp


Re: [toaster] qmail-smtpd-viruscan-1.3.patch

2004-02-12 Thread Tom Collins
On Feb 12, 2004, at 9:45 AM, Bill Shupp wrote:
> My recommendation is to use the qmail-scanner/clamav solution rather
> than this virus patch.  Netqmail already comes with the qmailqueue
> patch, which is required for qmail-scanner to work.  And clamav
> already had MyDoom added to its virus definitions before MyDoom had a
> name (that's why they called it WORM.SCO.A (meaning the clamav guys
> are very much on the ball)).  Since using this solution, I have not had
> a complaint of a single virus getting through.
And I highly recommend Qscanq as a 
replacement for qmail-scanner.  It's a C-based program that replaces 
qmail-queue and does virus scanning on inbound messages.  If a message 
contains a virus, it's denied by qmail-smtpd.  No bounces to forged 
senders, no virus warnings to annoy the recipient, no bounces for 
non-existent recipients, no spam scanning of viruses, no Perl overhead 
of qmail-scanner.

I use it in conjunction with qmail-spamc (in SpamAssassin's qmail 
directory) to scan all incoming messages for viruses and spam without 
invoking Perl.  At some point, I will probably replace qmail-spamc with 
Ken Jones' patch for vpopmail that adds SpamAssassin scanning to 
vdelivermail.

--
Tom Collins  -  [EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/  Vpopmail: http://vpopmail.sf.net/
Info on the Sniffter handheld Network Tester: http://sniffter.com/


Re: [toaster] qmail-smtpd-viruscan-1.3.patch

2004-02-12 Thread Bill Shupp
Tom Collins wrote:
> On Feb 12, 2004, at 9:45 AM, Bill Shupp wrote:
>> My recommendation is to use the qmail-scanner/clamav solution rather
>> than this virus patch.  Netqmail already comes with the qmailqueue
>> patch, which is required for qmail-scanner to work.  And clamav
>> already had MyDoom added to its virus definitions before MyDoom had a
>> name (that's why they called it WORM.SCO.A (meaning the clamav guys
>> are very much on the ball)).  Since using this solution, I have not had
>> a complaint of a single virus getting through.
>
> And I highly recommend Qscanq as a
> replacement for qmail-scanner.  It's a C-based program that replaces
> qmail-queue and does virus scanning on inbound messages.  If a message
> contains a virus, it's denied by qmail-smtpd.  No bounces to forged
> senders, no virus warnings to annoy the recipient, no bounces for
> non-existent recipients, no spam scanning of viruses, no Perl overhead
> of qmail-scanner.

Tom, this is great, thanks for mentioning it.  It doesn't appear to use 
TNEF for unpacking such encoded emails.. have you found this to be a 
detriment?  Or have I missed something?

Also, qmail-scanner has a nice mechanism for specifying your own 
quarantine-attachments via the tab delimited text file.  This is great 
for blocking all attachments with specific suffixes, like .vbs or .scr. 
 Is there any equivalent for qscanq?

> I use it in conjunction with qmail-spamc (in SpamAssassin's qmail
> directory) to scan all incoming messages for viruses and spam without
> invoking Perl.  At some point, I will probably replace qmail-spamc with
> Ken Jones' patch for vpopmail that adds SpamAssassin scanning to
> vdelivermail.

And I assume qmail-spamc will also reject mail at the smtpd level?

Lastly, I could not quickly find Ken's patch.  Do you have a link for it?

I personally stopped running spamassassin site-wide, and use maildrop to 
call spamc on a per-user basis (with the help of qmailadmin's "detect 
spam" feature).  In conjunction with webuserprefs (php interface for 
configuring spamassassin prefs), this works pretty well.  The biggest 
issue is having so many control panels for mail: SquirrelMail's prefs, 
QmailAdmin, WebUserPrefs.  But at least everything is now covered that I 
need.

Thanks!

Bill Shupp


Re: [toaster] qmail-smtpd-viruscan-1.3.patch

2004-02-12 Thread Mike McCallister
Thank You Bill and Tom,

I guess I should use a "real" virus scanner - blocking win32 executables 
certainly won't stop a macro virus etc.  I am impressed with clamAV - 
very speedy and easy to update virus signatures.  Plus it has a nifty 
RPM that sets everything up for you in one command.

I have a question regarding the toaster instructions - is it normal for 
all courier processes to run as root?  I deviated from the toaster 
instructions in places but not on the courier install.  More 
specifically when I "ps -aux", I can see that authdaemond, couriertcpd, 
courierlogger all run as root and when I telnet to 143, I see this:

vpopmail 22550  0.0  0.0  1792  712 telnet localhost 143
root 22551  0.0  0.0  1404  380 /usr/lib/courier-imap/sbin/imaplogin

I have never run an IMAP server before - POP3 has been fine for the past 
six years.  Now I have enough people asking for IMAP (granted a small 
minority) that I thought I would give it a try - seems like the protocol 
is a lot more complicated than POP3 but I can see why some situations 
call for it.  In other words, please excuse my ignorance on the protocol 
and courier.

I changed these two files slightly (called by /etc/init.d/courier-imap):

/usr/lib/courier-imap/libexec/imapd-ssl.rc
/usr/lib/courier-imap/libexec/imapd.rc

I added -user=vpopmail in both files under the "start)" section (the 
couriertcpd man page references this option).  Now the processes run as 
the vpopmail user except for authdaemond.  Is this a bad idea?  You guys 
obviously know this stuff and I can't help but think I am missing 
something here.  I have not tested it yet but plan to tomorrow (have 
other "emergency" work that has interrupted the mail server setup) - 
just wanted to make sure I wasn't doing anything stupid.  Does courier 
need to write to any part of the filesystem that is not owned by 
vpopmail if I am only running IMAP for vpopmail users (besides 
courierlogger needing write access to logs)?

Mike

P.S.  Does anyone have experience with http://bincimap.org/ (IMAP server 
with Maildir++ support) ?  Looks relatively nifty.  This mailing list 
post brought it to my attention: 
http://www.mail-archive.com/[EMAIL PROTECTED]/msg01013.html 
while I was searching for information on running courier.


