Messages

211

Kloxo-MR Development / Re: [QMAIL] Recipient Verification to avoid spamming

« on: 2014-02-25, 12:33:00 »

Hi Mustafa,

You have complied qmail-toaster with deactivated parameters. So most of the options in CHKUSER of 2.0.9 -DOES-NOT-WORK- IN THE CURRENT KLOXOMR 6.5.0f.

I suggest that you recompile the toaster and make an update of kloxomr.

Further, please also update spamdyke from 4.3.1 to 5.0.0.

The latest version of spamdyke includes exactly the feature to reject non-existing recipients. I made the update and got spamdyke 5 working. However all emails to non-existing recipients are accepted because the chkuser parameters are not properly compiled.

The modification or activation of chkuser + spamdyke 5 is a must. Until then, all kloxomr servers are vulnerable to such attacks.

212

Kloxo-MR Development / Re: Why there is prefix instead of username inside databases ?

« on: 2014-02-23, 07:59:29 »

Hui Mustafa,

Why move with manually. Why not using change owner?.

By changing owner, - until the change from official - kloxo did not enter all details in mysql database in grant tables. I must admit that I do not know if this was modified or eradicated in the later versions of official kloxo. So I do not know about Kloxo-MR.

I would better suggest to have a /script/changeowner and /script/fix-owner.

This would help from the command line as well as kloxomr could use it as well.

Apart from that, I would love to see a feature Admin Home ---> Fix-Home : under Admin. We have many fix scripts. One could have a webpage for that.

213

Kloxo-MR Development / Re: logout / status overlap - time

« on: 2014-02-23, 07:50:42 »

Hi Chris,

How about a setting for change time format?  USA goes with 12 hour format.

And Chris, USA is a very tiny world in comparision of the population of the whole world.

Europe goes with 24 hour format.

Kloxo-MR _MUST_ support both.

214

Kloxo-MR Bugs and Requests / [BUG] /script/fix-all creates mailboxes under root

« on: 2014-02-21, 19:40:57 »

Hi Mustafa,

/script/fix-all creates mailboxes under root on my installation, not always though! I have not been able to figure out under which combination it does.

Now that it repeatedly happened, and I needed to delete all mainboxes under root dir "/", I began to notice that this is a phenomenon that only occurs after /script/fix-all

Ofcourse, on your installation you will not be able to reproduce a bug, which I can reproduce, right. Thus, it is not a bug.

215

Kloxo-MR Development / Re: [QMAIL] Recipient Verification to avoid spamming

« on: 2014-02-21, 08:51:00 »

Hi Chris,

I just tested multiple email accounts that didn't exist, but domain did.  They were all deleted, no bounce.

Now if Qmailtoaster checks - in addition to the available delete function - if the recipient exists much earlier, even before an email is delivered, then any requirement of ( catchall ==delete ) function is not necessary. This also means:

if ( config-catch-all == "activated" ) then
....... $check_config_of_catchall == "delete" || $check_config_of_catchall == "bounce"
else
...... §check_recipient_exists // by SPAMCONTROL or other less vigourous plugins
end

So, if $check_config_of_catchall is delete or bounce, only then email is accepted by the server.

Can you endorse if the programming logic to be correct, that  catchall=delete should be there and remain, even if it worked for you? Is that what you are saying?

I find catchall=delete childish, and beyond that, and find it silly and stupid function. I cannot endorse.

216

Kloxo-MR Development / Re: [QMAIL] Recipient Verification to avoid spamming

« on: 2014-02-20, 19:10:19 »

Hi Chris,

Under domain, mail settings, catchall configure, set to delete, not bounce.

I always had catch-all setup to delete. None of the affected - or any other - accounts has bounce or any other mapping.

Until I used official Kloxo, I had absolutely no problems with catch-all. I ran into problems of the nature described above, only after I switched to Kloxo-MR.

Kloxo-MR did not delete those emails to non-existent email addresses to a domain existing in rcphosts file.

217

Kloxo-MR Development / Re: [QMAIL] Recipient Verification to avoid spamming

« on: 2014-02-20, 07:13:51 »

Hello,

We have spamdyke for this...

We both are using kloxo and spamdyke from its begining!
Knowing that we have spamdyke and having configured spamdyke, I have placed the above message as spamdyke has failed.

Investigating the issue, I found that a combination od spamdyke and qmail has a fundamental flaw, which is well known to experts. For many years I thought that. Not anymore, looking at the new spammiing techniques used by spammers in the last weeks on my server. So let me explain you and Mustafa why I have placed this:

When an incoming connection is made from sender/spammer to the server, spamdyke will only check certain parameters of that connection.

One of them is rcphost.

Spamdyke fails to check is if an email address exists in the system at all. This means that if a domain exists in rcphost but not the email address, then spamdyke allows that connection.

Qmail does not check AT THE TIME OF AN INCOMING CONNECTIONif an email address exists. It will first accept an email for processing. That email is delivered in the first place.

Only thereafter Qmail wakes up and finds that the email could not be delivered because the recipients email address does not exists on the server.

Thereafter Qmail sends undelivered to the email address available in the Return-Path.

This is well known and used extensively by spammers.

Spammers use this flaw of Qmail to forge Return-Path != to sender's email address.

As a consequence, the undelivered goes to someone who did not send that email.

With this technique, my server became a spamming server. I needed to use firewall to block IP Address of the spammer.

Until I found above mentioned links, I did not really follow what was happening. Since the undelivered is never registered, an Administrator also never notices this abuse of a sever. Now I have read details of the flaw and respective solutions, I this it is neccesary to use more protection against this flaw of qmail.

Spacedust, let me know if I could change something in spamdyke to achieve the solution, if you think I missed something.

218

Kloxo-MR Development / [QMAIL] Recipient Verification to avoid spamming

« on: 2014-02-19, 20:59:52 »

Hello Mustafa,

I suggest to modify and include "Recipient Verification" for incoming messages.

Recently, we received thousands of emails with bogus_recipients@domain.com. As domain.com is in the rcphosts file, all non-existent emails randomly generated got delivered with bogus Return-Path. They  were relayed to hotmail, yahoo or google.

To prevnt this, the best is to use SPAMCONTROL:

http://www.fehcom.de/qmail/spamcontrol.html

If this is difficult, then atleast RCPTCHECK :

http://www.soffian.org/downloads/qmail/qmail-smtpd-doc.html

Or here:

http://www.memoryhole.net/qmail/

219

Kloxo-MR Technical Helps / Re: How Can I Upload FTP Files Into KloxoMr Backup Home?

« on: 2014-02-19, 06:54:30 »

Hi Mustafa,

Try ftp with port 21. SFTP may not work.

Why should SFTP not work? You have programmed that! You cannot run away with the hidden problem behind it.

SFTP will always work if you manually setup SSL certificate created in admin to use it with kloxo. Thereafter, it will not fail.

I suggest that you create a script to create SSL certificate with a command line and copy in respective directories everywhere with their correct names.

Unless you do this, you prove to fail a good programming of kloxo-mr. I have requested you earlier - before the forum crash and also placed details of most directories that require .cert, .key or .pem.

If this is done correct then SFTP shall work without fail. So I reject politely your answer to use port 21.

220

Kloxo-MR Bugs and Requests / Re: [BUG] Reset Qmail Assign for domains

« on: 2014-02-17, 16:11:49 »

Hi Mustafa,

This is a fresh install and nothing is wrong anywhere. I can replicate it 1000 times that deleting a domain does not delete the information from vpopmail table.

Looking to your adamont mentality, I will not, and never in the future, make the slightest attempt to make you believe that this is a bug.

It is really sad that there is no one who develops kloxo better.

221

Kloxo-MR Bugs and Requests / Re: [BUG] Reset Qmail Assign for domains

« on: 2014-02-17, 14:43:16 »

Hi,

Thanks for confirming the bug.

Deleting domains in Kloxo-MR does not delete domains from the vpopmail database.

222

Kloxo-MR Bugs and Requests / [BUG] Reset Qmail Assign for domains

« on: 2014-02-17, 13:52:03 »

Hello Mustafa,

This is a bug related to 6.5.0.f.

I deleted all domains - except one - after restore.

Thereafter, I executed sh /script/fix-all.

I found that assign was getting created for all those deleted domains. The  sh /script/fix-qmail-assign was creating assign "Reset Qmail Assign for domains". They are somewhere in the system.

I checked in kloxo database that all domains are deleted, although the assign file + cdb gets generated each time.

Can you tel me which file on the harddrive has stored the information on - deleted - domains?

223

Kloxo-MR Bugs and Requests / Re: KloxoMR possible injection bugs

« on: 2014-02-17, 09:01:32 »

By default the installlapp should be turned off.

224

Kloxo-MR Technical Helps / Re: scavenge

« on: 2014-01-06, 07:41:18 »

Hi Christopher,

I am using 6.5.0f.

I suspect that you are using 6.5.1, right? Could that be a difference why you have the scavange  stop maillog i.e. rsyslogd, but have different bugs, than my problem?

225

Kloxo-MR Technical Helps / Re: scavenge

« on: 2014-01-04, 03:58:19 »

Hi,

I have placed my messages regarding scavange. However, I do not know if the problem you describe is somehow related to the problem I have placed in the other thread regarding scavange.

The maillog stops after scavange. As you describe, there must be some bug somewhere.

I have found a solution to my problem, which is related to maillog stopping after scavange.

May be yoou could see if you also have something like this on your servers and confirm, as well as  my solution for your server on maillogging.