SPAMCONTROL is a qmail extension. Though mainly used to filter and control unsolicited commercial E-Mails (UCE/SPAM), since release 2 it includes substantial ESMTP protocol enhancements for qmail.
Enhancements for qmail-smtpd
- ESMTP enhancements
- Strict RFC 2821 conformance.
- Reference 'Mail From:' parameter parser, supporting SIZE (RFC 1870) and AUTH options.
- Customizable SMTP Authentication (RFC 2554) support for LOGIN, PLAIN, and CRAM-MD5 including SUBMISSION feature.
- Optional STARTTLS (RFC 2487) support in conjunction with sslserver.
- X.509 client certificate based relaying.
- SMTP envelope Anti-Spam-Tools
- Wildmat Filters for the HELO/EHLO greeting and the 'Mail From:
' in Split-Horizon fashion.
- DNS Lookup for the HELO/EHLO greeting (A/MX) and the domain part of the 'Mail From:' (MX).
- Customizable HELO/EHLO greeting checks supporting smart exceptions.
- Tarpitting and Smart Rejection in case of too many invalid Recipients.
- SPF and RBLSMTPD hook to display information in the email header.
- Mail From: Address Verification (MAV)
- Check, whether for Relayclients the domain part of
corresponds to a local address (Reverse Split-Horizon).
- Full control of outgoing Mail From: SMTP envelope addresses in case of a SMTP authenticated user.
- Enhanced control/badmailfrom support
- Wildmat filter.
- 'badmailfromunknown' capabilities.
- Additional 'badmailfromwellknown' filter (ie. 'hotmail.com', 'yahoo.com'), thus the domain part of the address has to match the sending host's domain.
- Anti-spoofing of own addresses.
- Recipients extensions
- control/badrcptto wildmat filter.
- Restricting the number of allowed 'Rcpt To:' per SMTP session.
- Whitelisting: Controlling the reception of mails not only
on a control/rcpthosts base but rather on the complete
with domain-based, fast, and extensible cdb and /or PAM lookup. including wilddomains and VERP support, as well as fail-open and fail-close behavior.
- Customizable 550 or 450 return messages.
- qmail-smtpam in addition to the ldapam.pl.
- Virus prevention
- Reference badmimetypes implementation.
- Additional badloadertypes filter.
- Qmail High Performance Scanner Interface (QHPSI).
- Customizable SMTP 554 Reply Message.
- qmail-smtpd logging
- Extensible logging format.
- Logging for failed and accepted SMTP sessions.
- qmail-smtpd gadgets
- Customizable qmail-smtpd 5xy failure return messages.
- Interrogatable SMTP envelope and protocol information.
- Deliverto capability: Mail can be forwarded to any recipient.
- X-RBL-Info: header.
Enhancements for qmail-remote
- Flexible SMTPS and STARTTLS implementation based on UCSPI-SSL libraries.
- Extensible control of SMTP server validation/verification via tlsdestinations.
- Sending Domain based presentation of client X.509 certificate by means of domaincerts.
- Domain-IP feature.
- Bind qmail-remote to available IPs based on Sender address by means of control file domainips.
- Issue specific Helo greeting per Domain-IP.
- QMTP support.
- Additional qmtproutes control files (with delivery precedence of authsenders and smtproutes).
- SMTP Authentication
- Supported are Auth types LOGIN, PLAIN, and CRAM-MD5.
- Additional authsenders control file.
- Authenticated relaying by means of control/smtproutes .
- Fast delivery
- Delivery to any DNS listed MX for that domain instead just the primary.
- Increased read buffer for delivery.
- Bounce Host support:
- Forward qmail-send bounces to dedicated QMTP hosts.
- Forward qmail-send bounces to dedicated SMTP hosts.
Enhancements for qmail-pop3d
- STLS support.
- Flexibel demand for TLS encrypted POP3 connections.
- CAPA User announcement (RFC 2449).
- Logging of accepted and rejected session.
Enhancements for qmail-queue
- High speed virus scanner by means of QHPSI.
- Additional QMAILQUEUE (Extra) usage.
- Additional qmail-queue.scan script for virus and spam scanning on a RAM disk.
- BIGTODO support.
Enhancements for qmail-send:
- Restricting the size of bounces.
- Seamless support for djbdns lib instead libresolv.
- qmail-mrtg interface.
- Newanalyse for log-file processing.
- SPAMCONTROL Version 2.7.32 (MD5: f7ce15ff81d0cff14cdd10d359961301:).
- Previous: SPAMCONTROL Version 2.6.24 (MD5: f1b3a118aa80bfc0352c2b5a1bb467f5).
- Previous: SPAMCONTROL Version 2.5.27 (MD5: 94e9948c3d7dfa25f4e85c90502188c2).
- Patch for clamav 0.9x.y to enable logging to STDERR; this patch might need to be modified for forthcoming ClamAV versions.
- ucspi-ssl providing 'delayed' (i.e. STARTTLS/STLS) TLS support.
- ucspi-tcp6 with IPv6 capabilities, CIDR support and RBLSMTPD promotion to qmail-smtpd.
- badmimetypes (date: 20.8.2010 - including double and triple Base64 encoded Windows executables and some patterns for current trojans).
- badloadertypes (including recognition of KERNEL32.DLL).
- IPv6 support
for SPAMCONTROL 2.7.28 contributed by Robert Sandner
Available are the following add-ons:
- cmd5checkpw Version
0.30 (MD5: 73dee86cde7759a2a670cf14c34015d1)
checkpassword compliant PAM to allow CRAM-MD5 authentication for qmail-smtpd.
- newanalyse A must to maintain and analyze the qmail logs; in particular SPAMCONTROL's output. newanalyse version 1.80 supports SPAMCONTROL 2.7 !
- qmail-mrtg version 3.01
Enhanced version of the Qmail MRTG to read qmail-smtpd's logs provided by SPAMCONTROL.
For a working sample please check FEHCom.net.
- A LDAP-Pam (Version 0.9.2) to query the Mail-Attribute for existing Users in the LDAP directory.
qmail-smtpd as well as now qmail-remote will use my version of Superscripts' UCSPI-SSL libraries. Thus, UCSPI-SSL has to be installed before.
Note: In order to succeed with X.509 client certificate relaying, ucspi-ssl version ≥ 0.94 is required (providing option '-m').
SPAMCONTROL is suited for Internet Mail Gateway using Qmail, not for an end-user trying to get rid of Spam E-Mails.
- SPAMCONTROL should be applied against qmail-1.03 and not netqmail-1.0x because it incorporates most of it's fixes.
- SPAMCONTROL modifies the behavior of qmail-smtpd heavily (far above what was intentionally designed by Dan Bernstein).
- SPAMCONTROL can be customized prior of compilation (conf-XXX).
- SPAMCONTROL supports the AMD64 environment and can be compiled with clang.
It is important to have a good understanding of the pros'n'cons using SPAMCONTROL. Please consult the
- detailed README
- cmd5checkpw Version 0.30 (MD5: 73dee86cde7759a2a670cf14c34015d1)
- INSTALL instructions
- in addition, upgraders from SPAMCONTROL 2.6 to 2.7 need to
read the Release notes.
Note: The badmailfrom settings have been slightly enhanced!
Further note: The BADLMIMETPYE and BADLOADERTYPE environment variable have been extended!
- GREETDELAY is explained here.
- Here's my documentation about SMTP Authentication.
- Some background informations regarding TLS, SMTP with StartTLS and SMTPS is now available in my SMTP and Transport Layer Security (TLS) tutorial.
- This site from Willem Froehling is a good start about TLS (in German language!).
- If you like to know how to secure your TLS connections with qualified Cipher-Suites, Ralf Ertzinger provides the required information.
- Renato Botelho and my contribution explaining the qmail+spamcontrol port for FreeBSD on the EuroBSDCon 2010 in Karlsruhe.
- [2.7.32] Fixed TLSv1 negotiation error for qmail-remote;
disables SSLv2/SSLv3 connections for qmail-remote (Poodle bug in SSL).
- [2.7.31] Fixed bug in UCSPI="!" promotion to qmail-smtpd.
Fixed wrong call of 'received.c' in qmail-qmqtd and qmail-qmqpd.
Supports for qmail-pop3d/qmail-popup now the same UCSPI set of variables.
Added support of X.509 client certificate based authentication for qmail-smtpd.
- [2.7.30] Fixed severe bug for qmail-smtpd logging due to missing
declaration of variabels (AMD64 only) in case of SMTP Auth.
Improved BADMIMETYPE and BADLOADERTYPE handling.
Fixed a (common) bug evaluating domainips and domaincerts control files.
Added additional HELO greeting feature in domainips.
- [2.7.29] Recovered 'lost' multiple MX connectivity; added CAPA=User announcement (MacOS X Mavericks).
- [2.7.28] Fixed segfault bug in qmail-smtpd after
rejection of spam/virus mails due to missing declaration of
variables during logging.
Updated qmail-queue.scan script.
- [2.7.27] Added 'Anonymous Diffie-Hellman' ADH support for
New parameter for control/tlsdestinations "-domain:"; domain may be '*'.
- [2.7.26] Added POSIX compliant <utmpx.h> support for qbiff.c (required by FreeBSD 9.1).
Note: In order to access qmail's man-pages under FreeBSD 9.1 add the following file into /usr/local/etc/man.d/:
echo "MANPATH /var/qmail/man" > /usr/local/etc/man.d/qmail.conf
- [2.7.25] Fixed (C/)R conversion bug for qmail-smtpd;
added provisional Greylisting recognition for qmail-remote.
- [2.7.24] Streamlined with qmail-authentication 0.8.1.
- [2.7.23] Fixed some residual integration bugs and streamlined/updated docs;
added badmail from mismatched domains; SPF hook working now,
aligned with SMTP Authentication 0.8 to provided authenticated smarthost relaying.
- [2.7.20] Integration bug: installation stops with missing man/man3 and man/cat3 directory.
Workaround: Simply create those and continue installation.
- [2.7.20] TLS vulnerability VU#555316 is fixed.
- [2.6.24] Includes the RECIPIENTS bug fix for wilddomains. Last public version of the 2.6 development cycle.
- [2.5.27] Last public version of release 2.5.