In this document, I will go through in detail the steps involved in getting Qmail to be a relay only for the hosts you wish to be a relay for. There are a number of alternative methods for doing this, but this is the way that has worked best for me, and many others.
Basically, it is as easy as creating a file control/rcpthosts (relative to your Qmail base directory, which is /var/qmail/ by default) with a list of hosts you wish Qmail to accept mail for by SMTP, one host/domain per line. This file is only read by qmail-smtpd, so other parts of Qmail, like qmail-inject or Qmail's Sendmail wrapper on your local machine, are completely ignorant of it.
Russ Nelson put a tip up on www.qmail.org on a way you can make a rcpthosts file, and I thought I might put it in this document:
From /var/qmail/control, type this in:
sed 's/:.*//' < virtualdomains | cat - locals | sort > rcpthosts
Then, all you need to do is add any hosts that you are a secondary MX for, or that you receive mail for and then forward via smtproutes.
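As an added example (not from the page and not part of qmail), here is the tip above turned into a small script that also covers the hand-added hosts and lets you check the result. It generalizes the one-liner in two ways: the secondary-MX / smtproutes hosts come from a separate, hand-curated list (the file name extra-rcpthosts is a hypothetical name of my own) rather than from smtproutes wholesale, because smtproutes can also hold outbound routes for domains you do not receive mail for, and listing those in rcpthosts would let anyone relay to them through you; and rcpthosts_accepts is a dry run of the rcpthosts check qmail-smtpd applies to a recipient domain (an entry of the form .dom covers subdomains of dom, not dom itself). It assumes the directory passed in is a qmail control directory holding virtualdomains and locals in their usual formats.

```shell
#!/bin/sh
# Added example, not qmail's own code. Build control/rcpthosts from
# virtualdomains, locals and an optional extra list of hosts you are a
# secondary MX for. Usage: build_rcpthosts /var/qmail/control [extra-file]

build_rcpthosts() {
    dir="$1" extra="${2:-}"
    out="$dir/rcpthosts"
    {
        # virtualdomains lines are "domain:prepend"; keep only the domain.
        # A missing virtualdomains simply contributes nothing.
        [ -f "$dir/virtualdomains" ] && sed 's/:.*//' "$dir/virtualdomains"
        # locals is already one host per line
        [ -f "$dir/locals" ] && cat "$dir/locals"
        # extra hosts (secondary MX, domains forwarded via smtproutes), curated by
        # hand on purpose: smtproutes itself may list domains you must NOT accept for
        [ -n "$extra" ] && cat "$extra"
    } | sed 's/[[:space:]]*$//' | grep -v '^$' | LC_ALL=C sort -u > "$out.tmp" &&
        mv "$out.tmp" "$out"
}

# Dry run of qmail-smtpd's rcpthosts test for recipient domain $2 against file $1:
# accepted if the domain is listed, or if a ".suffix" entry matches a parent
# domain (".virt.example" covers "a.virt.example" but not "virt.example").
# Domain names are case-insensitive, so compare that way (-i); -F and -x make
# grep match the whole line literally instead of as a regex.
rcpthosts_accepts() {
    file="$1" host="$2"
    grep -qixF -- "$host" "$file" && return 0
    rest="$host"
    while [ "${rest#*.}" != "$rest" ]; do
        rest="${rest#*.}"
        grep -qixF -- ".$rest" "$file" && return 0
    done
    return 1
}
```

Run build_rcpthosts against a copy of the control directory first and diff the result against the live rcpthosts; the accept check is the quick way to confirm that a domain you expect to receive for (or, more importantly, one you do not) ends up on the right side of the line.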
First, using your favourite ftp client, download from ftp://koobera.math.uic.edu/pub/software/ the ucspi-tcp-0.80.tar.gz package (in binary mode - Netscape may have problems downloading - try holding down the shift key).
Untar the package, by doing this:
tar xvzf ucspi-tcp-0.80.tar.gz
or if you don't have gnu tar, try these commands:
gunzip -c ucspi-tcp-0.80.tar.gz | tar -xf -
Then become root, and compile and install the ucspi-tcp package by doing this:
cd ucspi-tcp-0.80
make
make man
make setup
Next, create a file /etc/tcp.smtp, and in it, put something like this:
1.2.3.4:allow,RELAYCLIENT=""
127.:allow,RELAYCLIENT=""
:allow
(replacing 1.2.3.4 with either an IP address, or an IP range such as 1.2.3.)
If you are running a system which is an outbound relay only, and doesn't accept incoming mail from the outside world, you can change the last line to ":deny" instead of ":allow", as the file is read from the top down. (see tcprules(5))
The default behaviour of tcpserver is to allow, so the last line in my example is currently redundant, but it doesn't hurt, and if it changes in a newer version of ucspi-tcp or in a 3rd-party patch, you won't be left wondering why the outside world can't send you mail.
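As an added example (not from the page and not part of ucspi-tcp), here is a dry run of how tcpserver resolves a client address against the rules in /etc/tcp.smtp, so you can sanity-check the file before compiling it. The lookup order is the one documented in tcprules(5): the exact address first, then shorter and shorter prefixes ending in a dot (1.2.3.4, then 1.2.3., then 1.2., then 1.), then the empty address, which is the ":allow" or ":deny" catch-all; tcpserver picks the most specific matching address rather than scanning line by line, which is why the catch-all is written with an empty address. It assumes only address and address-prefix rules are used (no =host or info@ forms), as in the file above.

```shell
#!/bin/sh
# Added example, not ucspi-tcp's own code: resolve an IP against a tcprules
# source file the way tcpserver resolves it against the compiled cdb.

# Print the instructions ('allow,RELAYCLIENT=""', 'deny', ...) of the rule that
# applies to address $2 in rules file $1; fail if no rule applies at all.
tcp_rule_for() {
    rules="$1" key="$2"
    while :; do
        hit=$(awk -F: -v k="$key" '
            /^#/ || /^$/ { next }                        # comments and blank lines
            $1 == k { sub(/^[^:]*:/, ""); print; exit }  # strip "address:" and keep the rest
        ' "$rules")
        if [ -n "$hit" ]; then
            echo "$hit"
            return 0
        fi
        [ -z "$key" ] && return 1     # not even a catch-all rule; tcpserver then defaults to allow
        key="${key%.}"                # "1.2.3." -> "1.2.3"
        case "$key" in
            *.*) key="${key%.*}." ;;  # "1.2.3.4" -> "1.2.3." ; "1.2.3" -> "1.2."
            *)   key="" ;;            # "1" -> "": try the catch-all (empty address) next
        esac
    done
}

# Succeed only if address $2 would be both accepted and allowed to relay through
# qmail-smtpd, i.e. its rule is "allow" and sets RELAYCLIENT.
can_relay() {
    case "$(tcp_rule_for "$1" "$2")" in
        allow,*RELAYCLIENT=*) return 0 ;;
        *)                    return 1 ;;
    esac
}
```

Checking an address you do not list is the useful half of this: for the file above, 5.6.7.8 resolves to the catch-all, so it is accepted for delivery but gets no RELAYCLIENT and cannot relay; with ":deny" as the catch-all it is refused outright.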
Next, run this command:
tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp < /etc/tcp.smtp
This will make /etc/tcp.smtp.cdb, which is a compiled cdb, for fast access control. (The temporary file must be on the same filesystem as the cdb, because tcprules renames it into place.)
Next, comment out your smtp line in /etc/inetd.conf, and restart inetd. On most systems, this can be done with this command:
killall -HUP inetd
or
ps -ax | grep inetd
kill -HUP [PID of inetd]
(replacing [PID of inetd] with the number that the ps command gave you, e.g. 54, NOT 1)
Then, on the command line, run this:
/usr/local/bin/tcpserver -R -x/etc/tcp.smtp.cdb -c100 -u666 -g102 0 smtp \
/var/qmail/bin/qmail-smtpd &
You may want to customize this command, and you NEED to change -u666 to -u[UID of qmaild] and -g102 to -g[GID of qmaild]. (Hint: grep qmaild /etc/passwd)
The -R option is to tell tcpserver not to do an ident lookup (which can cause a bit of slowdown sometimes).
The -c100 option tells tcpserver to only accept 100 connections simultaneously. If this option is omitted, it defaults to 40. Raise or lower according to your needs or system capabilities.
The 0 (zero) on its own is the bind() address, which is the interface it binds to. 0 means bind to all interfaces, which is what you want in most situations.
Be careful not to forget the & at the end, unless you're starting tcpserver from either supervise (in the daemontools package) or from your inittab.
You could also log the incoming connections (remote IP etc.) by replacing the & with 2>&1 and piping the output to your favourite logger. Here is an example line:
/usr/local/bin/tcpserver -c100 -x/etc/tcp.smtp.cdb -u666 -g102 0 smtp \
/var/qmail/bin/qmail-smtpd 2>&1 | /var/qmail/bin/splogger smtpd &
In this example, it is usually desirable to remove the -R option: if you want logs, you probably want the ident info too.
Then, copy the command into your start-up file that you use to start Qmail (Being _VERY_ careful not to forget the "&" at the end of the line!).
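As an added example (not from the page and not part of qmail or ucspi-tcp), here is a small start-up wrapper that looks up qmaild's uid and gid instead of hard-coding -u666 -g102, builds either the plain or the splogger-logged command line from above, and refuses to start if the compiled rules are missing. It assumes the page's paths (/usr/local/bin/tcpserver, /etc/tcp.smtp.cdb, /var/qmail/bin); the passwd file is a parameter so the lookup can be tried on a constructed copy rather than the live /etc/passwd.

```shell
#!/bin/sh
# Added example, not qmail's own start-up script. Usage: start_smtpd [plain|log]

TCPSERVER=/usr/local/bin/tcpserver
RULES_CDB=/etc/tcp.smtp.cdb
QMAIL_BIN=/var/qmail/bin

# Print "uid gid" for user $1 from passwd-format file $2 (default /etc/passwd);
# fail if the user is absent. Same lookup as the page's "grep qmaild /etc/passwd".
passwd_ids() {
    awk -F: -v u="$1" '$1 == u { print $3, $4; found = 1; exit } END { exit !found }' \
        "${2:-/etc/passwd}"
}

# Print the tcpserver command line. $1: passwd file; $2: "plain" (default) or "log".
# "log" drops -R (keep the ident info when you keep logs) and pipes into splogger.
smtpd_command() {
    passwd="${1:-/etc/passwd}"
    ids=$(passwd_ids qmaild "$passwd") || { echo "qmaild not found in $passwd" >&2; return 1; }
    uid=${ids% *} gid=${ids#* }
    opts="-x$RULES_CDB -c100 -u$uid -g$gid 0 smtp $QMAIL_BIN/qmail-smtpd"
    case "${2:-plain}" in
        log) echo "$TCPSERVER $opts 2>&1 | $QMAIL_BIN/splogger smtpd" ;;
        *)   echo "$TCPSERVER -R $opts" ;;
    esac
}

# Start the listener in the background (this is the "&" the page warns about),
# but only if the compiled rules database exists, so the server never comes up
# without the relay policy you compiled with tcprules.
start_smtpd() {
    [ -f "$RULES_CDB" ] || { echo "$RULES_CDB missing; run tcprules first" >&2; return 1; }
    cmd=$(smtpd_command /etc/passwd "${1:-plain}") || return 1
    sh -c "$cmd" &
}
```

smtpd_command only prints the line, so you can eyeball it (or paste it into your start-up file) before letting start_smtpd run it.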
And that should be it!
You can test your configuration now: check that relaying from one of your allowed hosts works, and that your machine accepts mail properly.
Good luck!