Commit graph

86 commits

Author SHA1 Message Date
schmonz
38e20c84e9 Keep it simple: set PKG_SYSCONFSUBDIR to match mail/qmail's. Bump version just in case. 2019-06-19 17:49:13 +00:00
schmonz
3e65287660 Check case-insensitively whether recipient is exempt from greylisting.
Since ucspi-tcp6's tcpserver can no longer listen to 127.0.0.1 without
specifying -4, specify it by default. Bump version.
2019-04-14 13:28:44 +00:00
schmonz
55c526cd2c Defer SSL_UID and SSL_GID to qmailfoo_enable_tls(). Listen on ":0",
the updated dual-stack pseudo-host for ucspi-tcp6 and ucspi-ssl.
Bump version.
2019-03-21 15:33:06 +00:00
schmonz
ef42f45fb5 To override sslserver's default cipher list, set qmailfoo_tls_ciphers.
While here, make it easier to use envdir by prepending to
${qmailfoo_postenv} rather than appending.

At least one Linux shell needs "--" between greetdelay and rblsmtpd, and
this doesn't break NetBSD.

Bump version.
2019-01-18 18:25:33 +00:00
schmonz
b7ada6e391 Use RCD_SCRIPTS_DIR in MESSAGE and README.pkgsrc, and SUBST_VARS the latter. 2019-01-07 04:29:46 +00:00
schmonz
10557fca50 Require latest acceptutils and rejectutils. While here, remove ancient
chkconfig comment in the qmail rc.d script (not sure this ever worked,
and now we have rc.d-boot). Bump version.
2018-12-30 19:09:04 +00:00
schmonz
4a6a8b834c rc.d scripts:
- ucspi-ssl and ucspi-tcp6 correctly dual-stack v4/v6 on NetBSD, so we
  can go back to "0" (instead of "0.0.0.0") as the default host to
  listen on.
- FreeBSD's /bin/sh needs continuation characters to understand what
  we're assigning to `command` in foo_precmd(). This seems sensible and
  doesn't break NetBSD.

Bump version.
2018-12-16 05:32:07 +00:00
schmonz
e00c4dd287 Fix previous: required_files the tcprules, not the cdb (which gets
autogenerated if it doesn't exist). Point more actionably at SRS and TLS
setup docs. Bump version.
2018-12-15 06:31:34 +00:00
schmonz
4077468b68 K&R-style braces in rc.d scripts. NFCI. 2018-12-14 06:55:07 +00:00
schmonz
3e091a8b5a Extract most of MESSAGE to README.pkgsrc. (MESSAGE was getting too long.)
Comment out qmail-qfilter-viruscan in control/smtpfilters. It's not a
very precise tool, so the cost (false positives) probably outweighs the
benefit (blocked malware attachments) for many users.

Also not a sensible default: rejecting incoming mail on SPF
explicit-fail. This needs to be an admin decision because, among other
reasons, it would also reject messages forwarded through servers that
haven't configured SRS. Document SPF setup, including how to reject
(with this caveat) and how to greylist SPF explicit-pass (which would
otherwise be exempted from greylisting).

Rename greylisting-spp-with-exemptions to greylisting-spp-wrapper. Add a
feature: to effectively omit IP from the (IP,sender,recipient) tuple,
add GL_WRAPPER_TCPREMOTEIP="127.127.127.127" to control/tcprules/smtp.

rc.d scripts:

- Location of tcprules file is configurable
- By default, CDB is auto-rebuilt as needed on service start
- CDB auto-rebuilding can be configured off

Bump version.
2018-12-14 06:49:30 +00:00
schmonz
a5778f1116 Make sure ${VARBASE}/run exists before creating the qmail-send pidfile.
On a freshly bootstrapped Debian 9, somehow it didn't. Bump version.
2018-12-12 01:08:30 +00:00
schmonz
f38de5391d Add SPF checks via qmail-spp-spf (new dependency):
- On "fail", reject
- On "pass", skip any greylisting
- Else, accept mail as we otherwise would.

qmail-spp-spf adds a `Received-SPF:` header to all incoming messages.

Migrate ${PKG_SYSCONFDIR}/tcp.* to ${PKG_SYSCONFDIR}/control/tcprules.

Bump version.
2018-12-11 17:49:40 +00:00
schmonz
d53fd5dd1f qmail will not start (under qmail-run or otherwise) without a few basic
config files. Removing them on uninstall if they haven't been changed
is already mail/qmail's job; creating them on install was being done
here, and this combination was probably responsible for `pkgin
full-upgrade` removing some config files and qmail no longer running.
Thanks to Nathan Arthur for the bug report.

Instead of running config-fast-pkgsrc here, rely on mail/qmail to do it.
For similar reasons, also expect mail/qmail to handle the three basic
aliases (root, mailer-daemon, postmaster) and QUEUE_EXTRA.

While here, set QMAILREMOTE in qmailsend_postenv in preparation for a
future update.

Bump version.
2018-12-04 17:00:59 +00:00
schmonz
6c2504c4a2 Sort rc.conf defaults to match the order in which they're used. 2018-11-28 16:42:44 +00:00
schmonz
12f4cde308 Install control/ofmipfilters containing qmail-qfilter-addtlsheader, a
new filter to add a Received header with TLS protocol and ciphers. Add
qmail-qfilter-addtlsheader to control/smtpfilters, too. Bump acceptutils
dependency to get this program.

Point to qmail-qfilter-queue in tcp.ofmip and tcp.smtp. This replaces
the formerly separate qmail-queue wrappers for ofmipd and smtpd. Bump
rejectutils dependency to get this program.

rc.d scripts:

- ofmipd, pop3d, smtpd: let a standalone TLS key file be configured
  in rc.conf.
- ofmipd, pop3d: let pre- and post-checkpassword commands be configured
  in rc.conf.
- pop3d: fix typo in default TLS file paths.

Bump version.
2018-11-28 16:22:41 +00:00
schmonz
ee2a30e3ec Bump version and acceptutils dependency for authup regression fix. 2018-11-24 17:12:00 +00:00
schmonz
dc77ac161a Bump dependency on qmail-acceptutils for new STARTTLS behavior, and
provide the necessary configuration entry.
2018-11-24 16:38:14 +00:00
schmonz
ae7f127384 On second thought, greylisting isn't a sensible default. Comment it out
in control/smtpplugins. Extract a "Greylisting" stanza in MESSAGE. Merge
"Local non-root users to see the queue" into previous section (and
provide qmail-qread-client in example mailer.conf to begin with).
Mention port numbers where applicable.

Enable defaults that are sensible: realrcptto in control/rcptchecks and
viruscan in control/smtpfilters.

Add fixsmtpio rules to make greylisting-spp's tempfails look more like
qmail's other messages.

Bump dependency on qmail for config-fast-pkgsrc, which is like
config-fast but lets us simulate CONF_FILES-like behavior. As before, we
install these minimal config files, and won't deinstall them. (But the
updated qmail package will.)

Bump version.
2018-11-14 16:46:58 +00:00
schmonz
6249890281 Enable greylisting by default via mail/greylisting-spp. To make this a
sensible default, we wrap it in "greylisting-spp-with-exemptions", which
lets recipient addresses and domains be exempted from greylisting by
editing control/greylist/exemptrcpt{s,hosts}.

qmailofmipd: enable user CDB by default and remove the verbiage.

qmailsmtpd: bump datalimit (seeing occasional "fixsmtpio: out of memory" in production).

Improve MESSAGE a bit more.

Bump version.
2018-11-13 16:34:58 +00:00
schmonz
4a09e0ce90 Bump dependency on qmail for SPP support and on rejectutils for an
SPP-compatible qmail-rcptcheck. Create control/smtpplugins so that the
RCPTCHECK-compatible programs continue to run as before. No functional
change intended.

Bump version.
2018-11-10 15:31:18 +00:00
schmonz
2876c25ca2 Bump acceptutils dependency to get STARTTLS support in fixsmtpio(8)
(obviating the need for qmail-smtpd(8) to be patched to link OpenSSL).

Make TLS configurable for submission, POP3, and now also incoming SMTP:

- "yes"  (startup will fail if cert or DH params are missing)
- "no"   (even if they're present, don't offer TLS)
- "auto" (the default: offer TLS iff they're present)

Mention TLS setup in MESSAGE.

Delay SMTP greeting by 2 seconds. Enable zen.spamhaus.org RBL.

Bump version.
2018-11-08 20:57:28 +00:00
schmonz
f570d34c31 When tagging log entries, insert "/" between "nbqmail" and the rest of
the tag; for instance, "nbqmailofmipd" becomes "nbqmail/ofmipd". Vaguely
redolent of Postfix, and easier to glance at logs now that just about
everything runs similarly from rc.d. Turn off sslserver verbosity by
default. Bump version.
2018-11-03 17:08:26 +00:00
schmonz
825d40dedd Point to where servercert.pem actually is. While here, use the regularly
regenerated DH params too. Bump PKGREVISION.
2018-10-28 16:38:36 +00:00
schmonz
094f636e77 Update to 20181028. Changes:
- CERTFILE needs to be set early enough for sslserver. Move it to rc.d.
  UCSPITLS is application-specific and can stay in the CDB.
- Add PYMSGAUTH_TOLERATE_UNCONFIGURED to the CDB.
- Switch qmailpop3d from tcpserver+qmail-popup to sslserver+authup.
  Set UCSPITLS in the CDB to require STLS before USER/PASS.
- Specify a few new required_files.
- Point more precisely at the need to inspect alias/.qmail-*.
2018-10-28 15:01:57 +00:00
schmonz
94a1d2a36f Update to 20181027. Changes:
- Bump qmail-acceptutils for integrated privsep TLS using ucspi-ssl.
- Switch qmailofmipd rc.d script to sslserver, listening on the network.
- Install control/{pop3,smtp}capabilities, as newly required by authup.
- Organize INSTALL a bit better.
- Remove all vestiges of stunnel, including further shortening MESSAGE.
2018-10-27 19:16:16 +00:00
schmonz
abdbc786a6 Add ofmipd-with-user-cdb, a wrapper to let ofmipd users control their
own CDB of address rewriting rules. Ride previous bump.
2018-10-24 16:28:28 +00:00
schmonz
8f8f603410 Remove dependency on mess822, the "sasl" and "tls" options, and their
respective dependencies on spamdyke and stunnel. Depend instead on
qmail-acceptutils, which provides SMTP AUTH (and new filtering
functionality) and brings its own unconditional mess822 and stunnel
dependencies. Update rc.d scripts to match.

Use CONF_FILES instead of a bunch of open-coded INSTALL cleverness.
Clean up even better with a little DEINSTALL cleverness to remove CDB
files if their source CONF_FILES are gone.

Install sensible fixsmtpio rules and viruscan signatures.

Tighten MESSAGE. The basics have gotten pretty easy. Bump version.
2018-10-24 15:46:54 +00:00
schmonz
e32bf9e98a Mention the spamassassin and rspamd wrapper scripts. 2018-09-14 07:58:12 +00:00
schmonz
2454aac709 Add scripts to wrap spamc and rspamc, suitable for use in .qmail files
with e.g. condtomaildir(1). Bump version.
2018-09-10 09:07:49 +00:00
schmonz
b9e067c970 Depend on pkgtools/pkg_alternatives and a new enough mail/qmail to rely
on finding "nbcheckpassword" (which, at present, might be either
checkpassword-pam or DJB's original).

Depend (unconditionally) on mail/qmail-rejectutils, instead of having it
as an option on mail/qmail.

Bump version.
2018-08-01 07:15:21 +00:00
schmonz
a329152215 Detect the checkpassword program of the installed qmail, so we can refer
to it from config files and rc.d scripts. Bump version.
2018-07-29 23:29:17 +00:00
jperkin
5393242c73 *: Move SUBST_STAGE from post-patch to pre-configure
Performing substitutions during post-patch breaks tools such as mkpatches,
making it very difficult to regenerate correct patches after making changes,
and often leading to substituted string replacements being committed.
2018-07-04 13:40:07 +00:00
schmonz
34e6ffaa8b Un-mention qmail-qfilter wrapper, no longer here. 2018-05-28 13:06:35 +00:00
schmonz
a47c6dc4d0 procname isn't defined in time for logcmd. Bump PKGREVISION. 2017-08-05 15:21:03 +00:00
schmonz
fe83fea0d3 Fix "reload" and "hup" (broken in 20170729).
For all services where we set procname, prefix "nb". This makes it even
harder for observers to fail to notice that this isn't a Life with qmail
install, and happens to match the log tags already being applied.

Bump version.
2017-08-05 03:03:17 +00:00
schmonz
21d79b4676 If there's more than one qmail-send running (e.g., /var/qmail2 running
from /service), the rc.d script can't tell which is ours. Make and use
a pidfile.

(The other rc.d scripts set argv[0] to names that are unlikely to
collide, but there's no easy way to do that for the qmail-send process
exec'd by qmail-start.)

Bump PKGREVISION.
2017-08-04 06:35:28 +00:00
schmonz
6886667ea8 pkgsrc changes:
- Collapse redundant code for invoking service-specific rc.d scripts.
- Don't try to run a service's rc.d script if it isn't enabled in rc.conf.
- Run "pause" in reverse sequence, like "stop" does.
- Support "stat", "pause", and "cont" in qmailqread.

Bump version.
2017-07-30 03:05:58 +00:00
schmonz
ee0e6444dd Update to 20170720. pkgsrc changes:
- Remove qmail-qfilter-*-queue shell scripts, which would conflict with
  the C programs of the same name included in mail/qmail 1.03nb29 with
  the "qmail-rejectutils" option (enabled by default).

- Bump mail/qmail dependency to 1.03nb29.

- Shorten and improve MESSAGE.
2017-07-21 04:08:15 +00:00
schmonz
b9476e6d20 Remove qmail-qfilter-queue, deprecated in 2017Q2. Use qmail-qfilter-smtpd-queue
or qmail-qfilter-ofmipd-queue instead. Bump version.
2017-07-06 15:46:31 +00:00
schmonz
d48ac0ca10 Catch up to djbdns-run:
- Add "reload" as a synonym for "cdb" in qmail{ofmip,pop3,smtp}d.sh
- Shorten tcprules invocations

Bump version.
2017-06-23 15:49:03 +00:00
schmonz
f717f03986 Increase default {ofmip,pop3,smtp}d softlimits by about 20 percent,
to 180000000 bytes. From Nathan Arthur in private mail.

Allow path to tcpserver to be overridden in rc.conf (e.g., by
sslserver from net/ucspi-ssl). From Thomas Lazar in private mail.

Detach processes and their loggers from the controlling terminal
with pgrphack(8).

Include qmailqread in the services driven by the LWQ-style qmail
rc.d script.

Unconditionally depend on mail/mess822, now that it's correctly
marked public-domain. Remove qmail-run-ofmipd option.

Bump version.
2017-06-17 05:58:39 +00:00
schmonz
44e68bd1ad Add dependency on qmail-qfilter. Deprecate qmail-qfilter-queue in favor
of qmail-qfilter-{ofmipd,smtpd}-queue, and document how to enable
filtering for incoming and submitted messages. Bump version.
2017-05-31 07:08:04 +00:00
schmonz
94dcda9c8f If qmailqread runs on a custom host and port, have qmail-qread-client
find it there. Bump version.
2017-04-11 14:04:37 +00:00
schmonz
c6261ecde4 Wrap (or shorten) long lines. Parameterize some qmailqread config to
match other scripts. Bump version.
2017-04-10 15:04:56 +00:00
schmonz
12a07eec08 Add "qmail-run-ofmipd" option that controls the dependency on
mess822. Turn it off by default. This should let us once again
publish binary packages.

To use another ofmipd, set qmailofmipd_ofmipdcmd in rc.conf. Likewise
for qmail-smtpd and qmail-pop3d.

Bump version.
2017-04-09 12:58:46 +00:00
schmonz
26057ad3ff Substitute configured qmail users in rc.d scripts. Un-hardcode some
paths in qmailofmipd.sh, somehow missed in 20170109. Bump version.
2017-04-04 07:51:03 +00:00
schmonz
dfcfa275ea Document more stuff this package includes nowadays. 2017-04-02 22:27:52 +00:00
schmonz
91d2777a2f Conditionalize spamdyke and stunnel dependencies on "sasl" and "tls"
options, respectively. Bump version.
2017-01-14 23:00:31 +00:00
schmonz
65bd9de274 Include new dependency on spamdyke, missed in previous. 2017-01-09 05:03:51 +00:00
schmonz
82f1368308 Update to 20170109. pkgsrc changes:
- Add qmailofmipd service for outgoing submissions.
- Add dependencies on mess822, spamdyke, and stunnel.
- Add sample spamdyke and stunnel configs for SMTP AUTH over TLS.
- Control ofmipd from the main qmail script.
- Fix broken link to "12 Steps to qmail List Bliss".
2017-01-09 04:58:09 +00:00