• A lot of packages are not maintained or things are maintained by different group of people who don’t use the same patches as you.
• It’s becoming really hard to keep track when you install a new server which patch to apply and at which step(for example i used tap patch but this is rarely used).
• Often you need to understand and adapt the patches to your situation because some might include(partially or fully) other patches that you need also to apply. Basically in the end you start to write your own set of patches which obviously contains pieces of code from there of there. If you forgot something it might break or not work as intended.
• Quite often as well you need support for new technologies and there fewer and fewer people who want to support this.
  For example: if you want ipv6 there is a way via fehQlibs, ucspi-tcp6 and ucspi-ssl but there is no clear indication this will work as intended from the beginning with your own version(i mean your own set of patches) since the owner has his own Qmail version named s/qmail.
• After a long ride with qmail-scanner i went to simscan. This one can support only spamassassin and clamav.(or you start coding at it as well). For most of you it will be enough but if you want better antivirus(yes, commercial) than you’re out of luck. Yes, clamav-unofficial-sigs might give you  a great boost but it might not be sufficient if your client wants the best.

Why Exim ?

Simply because is highly configurable, is popular and you find tons of information. This flexibility might come with a price but at least those are “hopefully” treated fast.
For example i really liked qmail-spp patch and i heavily used(unfortunately this patch is again not included to a lot of different qmail projects available on the market) with a lot of perl scripts and the same principals can be used in exim acl which is great.

Learning curve to exim might be hard. Because of that I’ve encourage you to use in the beginning and old but good ecosystem named exim4u.
You will definitely need to add/modify ACL protections, to change the behavior of the DKIM for forwarded messages(because the default exim4u install want to sign also the forwarded messages which is wrong) and things that you will “learn by doing it”. Again, it’s far from perfect but it’s a great start and i recommend it.

Things not to miss on your migration:

– Compile exim with the support for maildir. In this way you can keep the same structure that you had with vpopmail.(keep in mind that exim4u for you use Maildir instead of .maildir directory so you need to tune a little bit the php files if you use the GUI to create domains/emails/etc.)
– Migrate the users from vpopmail database to exim4u database – i suggest to make your own scripts to do this. Doing it manually it’s taking too much time.
– Don’t forget about greylist db ; exim4u use sqlite3 in /var/spool/exim/db/greylist.db. You need to create the file and the tables.
– Don’t forget to change in dovecot(or the IMAP app used) to use the new database
– If you are using an webmail adapt it and his plugins(for example: if you are using Roundcubemail with password plugin you need to change to reflect the new sql/db)
– If older clamav version is used you might need to use AllowSupplementaryGroups but this should not be case for version above 0.100.(they just announced version 0.103 RC)
– migrate the TLS (server.cert, server.pem)
– migrate the DKIM certifications
– as I’ve already mentioned several times above, exim4u is far from perfect but from my point of view it has a really nasty bug IF you are (still ???) using not encrypted passwords. Please check how eq and crypteq are used in server_condition. More info on the exim manual.

The post qmail to exim migration (thoughts and not commands) appeared first on Random thoughts.

Until you understand the essence please also be very conservative about the policies that you apply. The example of deployment found it on google it provides the way you should do it as well. More exactly:

1. p=none pct=100
2. p=quarantine pct=1
3. p=quarantine pct=5
4. p=quarantine pct=10
5. p=quarantine pct=25
6. p=quarantine pct=50
7. p=quarantine pct=100
8. p=reject pct=1
9. p=reject pct=5
10. p=reject pct=10
11. p=reject pct=25
12. p=reject pct=50
13. p=reject pct=100

Now that you already implemented it you might receive reports(if you provided rua/ruf) about what is happening with your domains.

But what about implementing DMARC in your MTA? Usually the straight answer will be opendmarc but depending your MTA the installation will not be very  easy. Since here we will talk about Qmail the solutions found by me in this moment are:

1) Qpsmtpd and opendmarc. Please also see.

2) A perl plugin written for spam-assassin.

3) Using AskDNS plugin already available in spamassasin like this:

ifplugin Mail::SpamAssassin::Plugin::AskDNS
askdns __DMARC_POLICY_NONE _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=none;/
askdns __DMARC_POLICY_QUAR _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=quarantine;/
askdns __DMARC_POLICY_REJECT _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=reject;/

meta DMARC_REJECT !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_REJECT
score DMARC_REJECT 10
meta DMARC_QUAR !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_QUAR
score DMARC_QUAR 5
meta DMARC_NONE !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_NONE
score DMARC_NONE 0.1
endif

Obviously edit the scores according to you needs.

4) After this article was written I’ve found out from here (btw great blog about qmail)  there is another tool to use it. You can find it here.

So, what was your solution for Qmail and DMARC ? What do you use ? How do you use it ?

Later edit(17/09/2020): A plugin for spamassassin was created. This is maintained and i believe it will introduced in core in the next releases. You can find references here and here.

The post DMARC / Spamassassin / Qmail appeared first on Random thoughts.