Comment out qmail-qfilter-viruscan in control/smtpfilters. It's not a
very precise tool, so the cost (false positives) probably outweighs the
benefit (blocked malware attachments) for many users.
Also not a sensible default: rejecting incoming mail on SPF
explicit-fail. This needs to be an admin decision because, among other
reasons, it would also reject messages forwarded through servers that
haven't configured SRS. Document SPF setup, including how to reject
(with this caveat) and how to greylist SPF explicit-pass (which would
otherwise be exempted from greylisting).
Rename greylisting-spp-with-exemptions to greylisting-spp-wrapper. Add a
feature: to effectively omit IP from the (IP,sender,recipient) tuple,
add GL_WRAPPER_TCPREMOTEIP="127.127.127.127" to control/tcprules/smtp.
rc.d scripts:
- Location of tcprules file is configurable
- By default, CDB is auto-rebuilt as needed on service start
- CDB auto-rebuilding can be configured off
Bump version.
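
The SRS caveat above, as an added illustration (not part of the commit log or the package's own code): a toy SPF evaluation showing why rejecting on explicit-fail also rejects mail relayed by a forwarder that has not configured SRS. All domains, addresses, policies and function names are constructed for the example, and the SRS hash and timestamp fields are placeholders.

```python
# Added illustration: toy SPF evaluation over constructed data.
import ipaddress

# Constructed SPF policies: domain -> (authorized networks, result on no match).
SPF = {
    "sender.example": (["192.0.2.0/24"], "fail"),        # ip4:192.0.2.0/24 -all
    "forwarder.example": (["198.51.100.0/24"], "fail"),  # ip4:198.51.100.0/24 -all
    "soft.example": (["203.0.113.0/24"], "softfail"),    # ip4:203.0.113.0/24 ~all
}

def spf_result(client_ip, mail_from):
    """Check the connecting IP against the envelope sender's domain."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    if domain not in SPF:
        return "none"
    networks, default = SPF[domain]
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(n) for n in networks):
        return "pass"
    return default

def policy(result, reject_on_fail=False, greylist_pass=False):
    """Map an SPF result to an action; both options are admin decisions."""
    if result == "fail" and reject_on_fail:
        return "reject"
    if result == "pass" and not greylist_pass:
        return "accept"    # explicit-pass is exempted from greylisting
    return "greylist"      # handled like any other incoming mail

def srs_rewrite(mail_from, forwarder_domain):
    """SRS0-style envelope rewrite; HHH and TT stand in for hash and timestamp."""
    local, domain = mail_from.rsplit("@", 1)
    return f"SRS0=HHH=TT={domain}={local}@{forwarder_domain}"

def scenarios(reject_on_fail):
    sender, fwd_ip = "alice@sender.example", "198.51.100.7"
    cases = {
        "direct": ("192.0.2.10", sender),
        "forwarded, no SRS": (fwd_ip, sender),
        "forwarded, SRS": (fwd_ip, srs_rewrite(sender, "forwarder.example")),
    }
    return {name: policy(spf_result(ip, mf), reject_on_fail)
            for name, (ip, mf) in cases.items()}

if __name__ == "__main__":
    for flag in (False, True):
        print(f"reject_on_fail={flag}: {scenarios(flag)}")
```
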
- On "fail", reject
- On "pass", skip any greylisting
- Else, accept mail as we otherwise would.
qmail-spp-spf adds a `Received-SPF:` header to all incoming messages.
Migrate ${PKG_SYSCONFDIR}/tcp.* to ${PKG_SYSCONFDIR}/control/tcprules.
Bump version.

config files. Removing them on uninstall if they haven't been changed
is already mail/qmail's job; creating them on install was being done
here, and this combination was probably responsible for `pkgin
full-upgrade` removing some config files and qmail no longer running.
Thanks to Nathan Arthur for the bug report.
Instead of running config-fast-pkgsrc here, rely on mail/qmail to do it.
For similar reasons, also expect mail/qmail to handle the three basic
aliases (root, mailer-daemon, postmaster) and QUEUE_EXTRA.
While here, set QMAILREMOTE in qmailsend_postenv in preparation for a
future update.
Bump version.

new filter to add a Received header with TLS protocol and ciphers. Add
qmail-qfilter-addtlsheader to control/smtpfilters, too. Bump acceptutils
dependency to get this program.
Point to qmail-qfilter-queue in tcp.ofmip and tcp.smtp. This replaces
the formerly separate qmail-queue wrappers for ofmipd and smtpd. Bump
rejectutils dependency to get this program.
rc.d scripts:
- ofmipd, pop3d, smtpd: let a standalone TLS key file be configured
  in rc.conf.
- ofmipd, pop3d: let pre- and post-checkpassword commands be configured
  in rc.conf.
- pop3d: fix typo in default TLS file paths.
Bump version.

in control/smtpplugins. Extract a "Greylisting" stanza in MESSAGE. Merge
"Local non-root users to see the queue" into previous section (and
provide qmail-qread-client in example mailer.conf to begin with).
Mention port numbers where applicable.
Enable defaults that are sensible: realrcptto in control/rcptchecks and
viruscan in control/smtpfilters.
Add fixsmtpio rules to make greylisting-spp's tempfails look more like
qmail's other messages.
Bump dependency on qmail for config-fast-pkgsrc, which is like
config-fast but lets us simulate CONF_FILES-like behavior. As before, we
install these minimal config files, and won't deinstall them. (But the
updated qmail package will.)
Bump version.

sensible default, we wrap it in "greylisting-spp-with-exemptions", which
lets recipient addresses and domains be exempted from greylisting by
editing control/greylist/exemptrcpt{s,hosts}.
qmailofmipd: enable user CDB by default and remove the verbiage.
qmailsmtpd: bump datalimit (seeing occasional "fixsmtpio: out of memory" in production).
Improve MESSAGE a bit more.
Bump version.

SPP-compatible qmail-rcptcheck. Create control/smtpplugins so that the
RCPTCHECK-compatible programs continue to run as before. No functional
change intended.
Bump version.

(obviating the need for qmail-smtpd(8) to be patched to link OpenSSL).
Make TLS configurable for submission, POP3, and now also incoming SMTP:
- "yes" (startup will fail if cert or DH params are missing)
- "no" (even if they're present, don't offer TLS)
- "auto" (the default: offer TLS iff they're present)
Mention TLS setup in MESSAGE.
Delay SMTP greeting by 2 seconds. Enable zen.spamhaus.org RBL.
Bump version.

the tag; for instance, "nbqmailofmipd" becomes "nbqmail/ofmipd". Vaguely
redolent of Postfix, and easier to glance at logs now that just about
everything runs similarly from rc.d. Turn off sslserver verbosity by
default. Bump version.

- CERTFILE needs to be set early enough for sslserver. Move it to rc.d.
  UCSPITLS is application-specific and can stay in the CDB.
- Add PYMSGAUTH_TOLERATE_UNCONFIGURED to the CDB.
- Switch qmailpop3d from tcpserver+qmail-popup to sslserver+authup.
  Set UCSPITLS in the CDB to require STLS before USER/PASS.
- Specify a few new required_files.
- Point more precisely at the need to inspect alias/.qmail-*.
- Bump qmail-acceptutils for integrated privsep TLS using ucspi-ssl.
- Switch qmailofmipd rc.d script to sslserver, listening on the network.
- Install control/{pop3,smtp}capabilities, as newly required by authup.
- Organize INSTALL a bit better.
- Remove all vestiges of stunnel, including further shortening MESSAGE.

respective dependencies on spamdyke and stunnel. Depend instead on
qmail-acceptutils, which provides SMTP AUTH (and new filtering
functionality) and brings its own unconditional mess822 and stunnel
dependencies. Update rc.d scripts to match.
Use CONF_FILES instead of a bunch of open-coded INSTALL cleverness.
Clean up even better with a little DEINSTALL cleverness to remove CDB
files if their source CONF_FILES are gone.
Install sensible fixsmtpio rules and viruscan signatures.
Tighten MESSAGE. The basics have gotten pretty easy. Bump version.

on finding "nbcheckpassword" (which, at present, might be either
checkpassword-pam or DJB's original).
Depend (unconditionally) on mail/qmail-rejectutils, instead of having it
as an option on mail/qmail.
Bump version.

Performing substitutions during post-patch breaks tools such as mkpatches,
making it very difficult to regenerate correct patches after making changes,
and often leading to substituted string replacements being committed.

For all services where we set procname, prefix "nb". This makes it even
harder for observers to fail to notice that this isn't a Life with qmail
install, and happens to match the log tags already being applied.
Bump version.

from /service), the rc.d script can't tell which is ours. Make and use
a pidfile.
(The other rc.d scripts set argv[0] to names that are unlikely to
collide, but there's no easy way to do that for the qmail-send process
exec'd by qmail-start.)
Bump PKGREVISION.

- Collapse redundant code for invoking service-specific rc.d scripts.
- Don't try to run a service's rc.d script if it isn't enabled in rc.conf.
- Run "pause" in reverse sequence, like "stop" does.
- Support "stat", "pause", and "cont" in qmailqread.
Bump version.

- Remove qmail-qfilter-*-queue shell scripts, which would conflict with
  the C programs of the same name included in mail/qmail 1.03nb29 with
  the "qmail-rejectutils" option (enabled by default).
- Bump mail/qmail dependency to 1.03nb29.
- Shorten and improve MESSAGE.

to 180000000 bytes. From Nathan Arthur in private mail.
Allow path to tcpserver to be overridden in rc.conf (e.g., by
sslserver from net/ucspi-ssl). From Thomas Lazar in private mail.
Detach processes and their loggers from the controlling terminal
with pgrphack(8).
Include qmailqread in the services driven by the LWQ-style qmail
rc.d script.
Unconditionally depend on mail/mess822, now that it's correctly
marked public-domain. Remove qmail-run-ofmipd option.
Bump version.

mess822. Turn it off by default. This should let us once again
publish binary packages.
To use another ofmipd, set qmailofmipd_ofmipdcmd in rc.conf. Likewise
for qmail-smtpd and qmail-pop3d.
Bump version.

- Add qmailofmipd service for outgoing submissions.
- Add dependencies on mess822, spamdyke, and stunnel.
- Add sample spamdyke and stunnel configs for SMTP AUTH over TLS.
- Control ofmipd from the main qmail script.
- Fix broken link to "12 Steps to qmail List Bliss".

The find-prefix infrastructure was required in a pkgviews world where
packages installed from pkgsrc could have different installation
prefixes, and this was a way for a dependency prefix to be determined.
Now that pkgviews has been removed there is no longer any need for the
overhead of this infrastructure. Instead we use BUILDLINK_PREFIX.pkg
for dependencies pulled in via buildlink, or LOCALBASE/PREFIX where the
dependency is coming from pkgsrc.
Provides a reasonable performance win due to the reduction of `pkg_info
-qp` calls, some of which were redundant anyway as they were duplicating
the same information provided by BUILDLINK_PREFIX.pkg.