Qmail patch to reject invalid email at the smtp layer

William,
I can confirm that that is the case. Vpopmail is what is actually storing all of your email accounts, aliases, and mail lists. What chkuser does is query the vpopmail service asking for the valid recipients before any other processing happens. If it does not find a match, it will send a 553 bounce message to the sender.
You can read more about the patch at http://www.interazioni.it/opensource/chkuser/

Thanks for that. I was pretty sure with the testing we’ve done that it was operating as requested.

We now have some very happy, spam-free customers.

Woohoo! :smiley:

Hi,

Just to know, which version of chkuser does Interworx use? Which version does V3.0 use?

2.0.9?

Thanks

Pascal

We’re currently using the 2.0.8 version. iworx 3.0 will use the same version. Is there a specific feature you want that is only in the 2.0.9 version? We’re not in a rush to make changes to important things like e-mail when it works without making changes :slight_smile:

Paul

Hey all,

Jumping in late, but let me see if I understand correctly.

Within Interworx 2.0.3, the chkuser patch is enabled. This allows me to set each SiteWorx account to ‘Bounce Messages’ within the Email Management / Overview page. If it’s set to off, these messages will be silently deleted (blackhole). However, when the messages are silently deleted it utilizes system resources because qmail has to process each piece of inbound mail sent to a non-existent mailbox. This is a problem especially in the case of an SMTP attack.

The chkuser patch will have qmail check to see if the incoming mail is headed towards a valid user. If qmail finds that the incoming mail does not have a valid target email address, a bounce message will be delivered to the sender.

If this is correct, my question is:

Wouldn’t it be wise to disable the doublebounce feature as well so that users are not receiving a wad of bounce failure notices (The bounce bounced!) because the outbound bounce message cannot find a legitimate target?

Please, correct me if I’m misunderstanding anything. Any guidance would be appreciated.

Thanks

Yes, it is correct! With bounce On, chkuser tests whether it is a known user at the SMTP level.

For the double bounce message, you can already disable it in NodeWorx! (System services/mail/MTA)

In the MTA config there is an option for doublebounce

Pascal

gratitude

Pascal,

Thanks for the affirmation. I was also informed through a support ticket I sent in the other evening, which was replied to promptly by Paul. Since I’ve already benefited from his response, I might as well pass it on so that anyone observing this thread will gain from it as well.

Hi Zach,

“The chkuser patch will have qmail check to see if the incoming mail is headed towards a valid user. If qmail finds that the incoming mail does not have a valid target email address, a bounce message will be delivered to the sender.”

That’s almost right. If the chkuser patch finds that there is not a valid target e-mail address, the SMTP server will reject the message then and there. It will just say “no thanks, don’t want any” to the SMTP server that is connecting to it. That SMTP server that is connecting to it MIGHT then generate a bounce message based on that error, and send it to the sender address - but YOUR server will not be generating this bounce message. Your server is just not accepting the message at the SMTP level.

“Wouldn’t it be wise to disable the doublebounce feature as well so that users are not receiving a wad of bounce failure notices (The bounce bounced!) because the outbound bounce message cannot find a legitimate target?”

Yes, in most cases it’s advantageous to just disable the double bounce messages. You can do this from the NodeWorx MTA configuration page.

“(I was also going to edit the original post to address any complications that might occur when a catchall address is assigned.)”

If a catchall is “on” for the domain, then “bounce” will be off and by definition, all e-mail recipients at that domain are valid, and chkuser will accept all at the SMTP level, there will be no SMTP level rejection.

Hope that helps clear things up, let me know if you have any other questions.

Paul

Thanks Paul, Thanks Pascal
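
The difference Paul describes between rejecting at the SMTP level and accepting then bounce-handling, as an added Python model that is not part of the thread and is not chkuser's or qmail's code. The domain, addresses and message batch are constructed; the 511 and 553 reply codes are the ones quoted in this thread, and the accept-then-bounce server is an assumed comparison case.

```python
from dataclasses import dataclass, field

@dataclass
class Domain:
    users: set = field(default_factory=set)  # local mailboxes (constructed)
    catchall: bool = False                   # on: every recipient is valid
    bounce: bool = True                      # off: unknown recipients are blackholed

def rcpt_check(domains, rcpt):
    """Reply code at RCPT TO for a server doing the SMTP-level recipient check."""
    user, _, dom = rcpt.lower().partition("@")
    cfg = domains.get(dom)
    if cfg is None:
        return 553   # "that domain isn't in my list of allowed rcpthosts"
    if cfg.catchall or not cfg.bounce or user in cfg.users:
        return 250   # accepted into the queue
    return 511       # "no mailbox here by that name": rejected then and there

def reject_at_smtp(domains, batch):
    """Unknown recipients never enter the queue, so this server writes no bounce."""
    stats = {"queued": 0, "rejected": 0, "bounces": 0, "double_bounces": 0}
    for _sender, rcpt in batch:
        if rcpt_check(domains, rcpt) == 250:
            stats["queued"] += 1
        else:
            stats["rejected"] += 1
    return stats

def accept_then_bounce(domains, batch, reachable):
    """No SMTP-level check: queue everything, bounce unknown recipients afterwards."""
    stats = {"queued": 0, "rejected": 0, "bounces": 0, "double_bounces": 0}
    for sender, rcpt in batch:
        user, _, dom = rcpt.lower().partition("@")
        stats["queued"] += 1
        if user not in domains[dom].users:
            stats["bounces"] += 1             # this server generates a bounce
            if sender not in reachable:
                stats["double_bounces"] += 1  # the bounce has no valid target
    return stats

# Constructed sample: one real message and four to non-existent mailboxes.
DOMAINS = {"example.com": Domain(users={"alice", "bob"})}
REACHABLE = {"carol@example.org", "victim@example.net"}
BATCH = [("carol@example.org", "alice@example.com"), ("x1@forged.invalid", "sales1@example.com"),
         ("x2@forged.invalid", "info99@example.com"), ("x3@forged.invalid", "qwerty@example.com"),
         ("victim@example.net", "zzz@example.com")]

if __name__ == "__main__":
    print("reject at SMTP:    ", reject_at_smtp(DOMAINS, BATCH))
    print("accept then bounce:", accept_then_bounce(DOMAINS, BATCH, REACHABLE))
```

In the accept-then-bounce run, the one bounce that does reach a real address goes to `victim@example.net`, whose address was forged as the sender.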

Dredging up a really old post here to get information on an interesting aspect of chkuser.

Here’s my scenario:

  • Two domains on an IW box
  • Domain #1’s email is served by an external partner (an Exchange mail service) so no users exist for the domain locally
  • Domain #1’s MX record points to the external service

When someone from Domain #2 tries to email a real user at Domain #1, sending fails with the message “511: sorry, no mailbox here by that name (#5.1.1 - chkuser)”. This is true locally - the account doesn’t exist locally; only on the remote service.

So, how do I make qmail respect the MX record and deliver the email to the external service?

Thanks,
Dave

Hi Orangechicken,

To do this you need to disable the local mail config for the domain, which you can do by editing the following file. This must be done as root in the current release.

/var/qmail/control/virtualdomains

Edit that file, and carefully remove the line like

domain.com:domain.com

Then, restart the smtp service, which you can do with

service smtp restart

This will be configurable via SiteWorx in the next release, but this is what you have to do currently to make it NOT try to deliver the mail locally.

Paul

Thanks Paul. I tried that and it’s still not working. Should I just remove all references to the domain from all files under /var/qmail/control?

The domain also appears in /var/qmail/control/rcpthosts. I’ll try removing it there too.

You definitely restarted the smtp service, right? If it’s still not working I know this command will, it removes all mail config for the domain:

~vpopmail/bin/vdeldomain domain.com

Paul

If I remove it from rcpthosts I get a “553 sorry, that domain isn’t in my list of allowed rcpthosts”. If I leave it, I get the “511 sorry, no mailbox here by that name”.

Using vdeldomain results in the 533 message

Well…at this point, I’d suggest opening a support ticket so we can see what’s going on - those commands definitely should have worked.

https://www.interworx.com/support/helpdesk/

Ticket opened.