smtpserver.c patch docs

These patches to Zmailer 2.2e10's smtpserver/smtpserver.c file add several features to the SMTP server. You must rebuild and reinstall smtpserver to enable them, and some of them require new command line or configuration file options.

TCP Wrappers support

smtpserver will now use Wietse Venema's TCP Wrappers if compiled with -DWRAPPERS (you will also need to add appropriate -I and -L/-l options to the Makefile). smtpserver continues to run standalone, not from inetd; all expanded TCP Wrappers options (such as twist) work fine. The daemon name it looks for in your TCP Wrappers control file is hardcoded as smtpserver.

Two environment variables can be set in TCP Wrappers lines to control the subsequent behavior of the SMTP server for both accepted and rejected connections. On rejected connections:

if OPTLOG is none, no syslog() will be done
if OPTREJECT is none, the connection is dropped without a message
if OPTLOG is set, its text is added at the end of the message syslog()'d
if OPTREJECT is set, its text is used as the 550 message sent; the text should not have a leading 550
if OPTREJECT is not set, a 550 Connection rejected due to connection origin message is sent

On accepted connections:

if OPTLOG is set, its text is added at the end of a syslog()
if OPTLOG is not set or is none, no syslog() is done (the smtpserver still does its normal other logging)

Messages syslog()'d by the TCP Wrappers code are logged to the daemon class instead of to the mail class; on our systems, this accumulates them with the rest of the TCP Wrappers messages. OPTREJECT should be set to none only if you want the source to keep trying over and over again.

Connection limits

There are two new command line flags that let you limit how many simultaneous connections the SMTP server will accept, plus a new option to set the listen() backlog size. They are:

-m NUM: Limit us to NUM simultaneous connections. The default is to have no limit.
-M: When there are too many connections, reject excess connections with a 421 greeting code instead of silently dropping the connection. With this option enabled, every excess connection still requires the smtpserver to fork().
-L NUM: Set the listen() backlog to NUM. The default (and maximum on old systems) is five. A large listen() backlog is useful if you are using loopback routes to ignore packets from spam sources.

You would normally modify the SMTPOPTIONS line in /etc/zmailer.conf to add these options.

Optional HELO verification

This adds a new smtpserver.conf option, h, that enables verification of the hostname given in HELO greetings. If you use this your $MAILSHARE/cf/server.cf file MUST support the helo key in the server function. Failure to do this will cause all mail to be rejected.

In our server.cf file, we require HELO names to be fully qualified. You can do any verification you want to (or none, and just save the HELO address for later use). Some of our antispam mods require the HELO name being available. If you require fully qualified HELO names, you will need to specifically exempt any machines that HELO with partially qualified ones that you want to talk to from this check.

This check doesn't conform with the letter of RFC 821 as amended by the Hosts Requirement RFC. But then again, neither do people who send bad HELO names in the first place, and it does deal with the spammers who like making them up at random. We've chosen rejecting spam and badly configured machines over the strict letter of RFC 821 compliance.

Reject spaces in the HELO name

The original code for smtpserver-based HELO syntax checking incorrectly accepted spaces in the HELO name due to use of sscanf(). This is fixed (or at least changed) in this patch.

Messages printed from the router do not have % signs mangled

Messages from the underlying router process used to be used as the argument to a printf() call and as a result had any % signs expanded in random ways. This has been fixed.

This page and these modifications are maintained by Chris Siebenmann, who hates junk email and other spam.