QMail

In order to limit the connections made from a certain IP address, one needs to patch tcpserver, the process which receives all incoming connections and passes them through to QMail. These steps describe how to patch tcpserver on a FreeBSD system, where the QMail SMTP and POP servers are executed with the supervise (svc) daemon.


On a recently installed machine, the Nagios check for mailq did not work. Instead it returned the following error:

Error code 111 returned from /usr/bin/mailq

This is on a QMail-based machine running on FreeBSD. I compared the setup with an older FreeBSD machine, where the check works properly. This box was also running QMail but with an older set of Nagios plugins. The configuration was equal, except for the check_mailq script itself, because it has evolved a little in the meantime.


chkuser is a patch for QMail 1.03 which checks if the recipient address is a valid user on the system. If not, it will block the mail right away. This is nice, because usually this is checked after scanning a mail for viruses and spam. Now this is checked beforehand, which saves you a lot of CPU cycles.


After upgrading simscan, mails did not seem to be scanned anymore.

In order to debug what was going on, I entered the following command in order to see what happened to QMail:

env QMAILQUEUE="/var/qmail/bin/simscan" SIMSCAN_DEBUG="5" qmail-inject test@example.com < test

QMail is quite a challenge to set up right; it will take you hours if you don't install it on a weekly basis. Once you have closed all holes from the outside to prevent acting like an open relay, there is still the security of the localhost itself. It has happened a few times already that a PHP script had an improper loop condition with a mail() call inside. This guarantees 10.000s of mails in your queue. Or think of a leak in a contact form abused by spammers.


At some point, a local SMTP server (QMail) responded really slowly to connection attempts. There was no traffic between the client and server, so it was a bit unclear why it was locked for about 30 seconds until the so-called '220' response.

Google suggested (indirectly) that I disable reverse DNS lookups on the tcpserver (with the -R, -P, -l 'hostname' flags). But that didn't help.


The POP3 server which comes together with QMail had some severe problems: it stopped working after 1 or 2 days. Before that, it worked like a charm, but at some point it just decided to stop accepting incoming calls. The server process didn't die, it was still active and listening on port 110 (according to sockstat -l).


After setting up a QMail SMTP server, it seems some spammers found a way to relay through our host. Of course, I installed the rcpthosts file with a list of allowed domains, but somehow they got through.


After installing simscan I was no longer able to send any message. The following message was being spat out upon sending an e-mail through this SMTP server:

'451 mail server temporarily rejected message (#4.3.0)'

Setting up a POP server with the QMail/VPopmail combination wasn't too much hassle until the point I tried to authenticate.

Telnetting into the POP server and authenticating myself resulted in the following error:

-ERR authorization failed