HOME
Andrew Schwabe's Blog: vchkrcpt.sh - my kick butt script for vpopmail

vchkrcpt.sh - my kick butt script for vpopmail

Posted At : January 12, 2007 8:20 PM | Posted By : Andrew
Related Categories: Qmail

This script is for those who have build a qmail+vpopmail server (including qmr and some of the other distributions).

This script also requires the vchkrcpt patch, which you may need to mangle to work with your config.  It seems that this patch fell through the cracks and didn't get into most of the main distributions.  It is a terrible shame, because almost all default qmail setups have a severe security issue:  they accept all email for a domain, and if an account doesn't exist, they bounce it later.  This is terrible, what with the age of SpamCop and other "spam trap" and realtime black hole lists out there. 

Ponder this batman:  Somebody spams you at your domain with a bad recipient address like not_there@yourcompany.com and forges the sender to be some spamtrap like qazwsx123@spamcop.net.  If your server accepts all mail for "yourcompany.com" and then bounces it later, then it will accept this message.  It will then generate a bounce message, which it sends to the forged email address.  In this scenario, somebody else spammed you, but you sent email to a spam trap, which often automatically blacklists your mail server.  nice, huh...

SO... the point of that little bunny trail is that you shouldn't accept email when it is addressed to a non-existant mailbox.  Thats where vchkrcpt comes in.  Patch your qmail so you can use it (not covered here), and once you can support it, use my script.

And here it is in all its goodness and tested wonder.  Quick warranty and disclaimer:  don't be dumb.  edit this for your server and tested it on a non-production server.  If you don't do these things, its nobody's fault but your own for crashing your mail server.

#!/bin/bash
#
# Andrew's kick-ass chkrcpt script for qmail+vpopmail
# Author: aschwabe@gmail.com
#
# This script makes qmail check for the existance of a user before email is accepted.
# Will check vpopmail accounts, and look for .qmail* files to determine real accounts.
# Logs all checks in the /var/log/maillog, and then refers to it to throttle spammers.

set -- $RECIPIENT
set -- $SENDER
MY_TEST=""

#echo `whoami`

if [ "$RECIPIENT" == "" ]; then
    # uncomment these lines and the "echo" lines throughout to test at the command line
    #echo "sender:"
    #read SENDER
    #echo "recipient:"
    #read RECIPIENT
    exit 100
fi

# email sender addresses explicitly allowed:
allowed[1]="override@yourcompany.comiexp.com"
for index in 1 2
do
  if [ "$SENDER" == "${allowed[index]}" ]; then
        /usr/bin/logger -p mail.info -t vchkrcpt "mail from <$SENDER> to <$RECIPIENT> : ok (sender explicitly allowed: ${allowed[index]})"
        exit 0
  fi
done

USERPART=`echo "$RECIPIENT" |cut -d@ -f1`
DOMAIN=`echo "$RECIPIENT" |cut -d@ -f2`

# We reject any emails with more than one @ sign
THIRDPART=`echo "$RECIPIENT" |cut -d@ -f3`
if [ "$THIRDPART" != "" ]; then

  #echo "Invalid username - multiple or no @ signs"
  /usr/bin/logger -p mail.info -t vchkrcpt "mail from <$SENDER> to <$RECIPIENT> : illegal username"
  exit 100

fi
# We reject any emails with ! in the name
EXCL_CHECK=`echo $USERPART |grep '!' >/dev/null 2>&1; echo $?|grep "1" > /dev/null 2>&1 ; echo $?`
if [ "$EXCL_CHECK" == "1" ]; then

  #echo "Invalid username"
  /usr/bin/logger -p mail.info -t vchkrcpt "mail from <$SENDER> to <$RECIPIENT> : illegal username"
  exit 100

fi

# We reject any emails with a percent sign in the name
PERCENT_CHECK=`echo $USERPART |grep '%' >/dev/null 2>&1; echo $?|grep "1" > /dev/null 2>&1 ; echo $?`
if [ "$PERCENT_CHECK" == "1" ]; then

  #echo "Invalid username"
  /usr/bin/logger -p mail.info -t vchkrcpt "mail from <$SENDER> to <$RECIPIENT> : illegal username"
  exit 100

fi

# We reject if this sender has had 3 or more bad recipients recently
if [ "$SENDER" != "" ]; then

    SPAMMER_CHECK=`tail -n300 /var/log/maillog|grep vchkrcpt|grep $SENDER |grep 'bounce-no-mailbox'|wc -l`
    #echo 'result of spammer check:'
    #echo $SPAMMER_CHECK

    if [ "$SPAMMER_CHECK" -gt "2" ]; then
        #echo "Too many invalid recipients.  Mail will not be accepted."
        /usr/bin/logger -p mail.info -t vchkrcpt "mail from <$SENDER> to <$RECIPIENT> : spammer=bounce-no-mailbox"
        exit 100
    fi
fi

# check for valid account
MY_TEST=`/home/vpopmail/bin/vuserinfo -d $RECIPIENT |/usr/bin/head -n1`

if [ "$MY_TEST" == "" ] || [ "${MY_TEST:0:7}" == "no such" ]; then

  # it wasn't a real pop user, so check if its an alias
  MY_TEST=`/home/vpopmail/bin/valias $RECIPIENT|/usr/bin/head -n1`

  # if the address has a dash in it, re-build a default alias address
  USER_ALIAS_CHECK=`echo $USERPART |grep '\-' >/dev/null 2>&1; echo $?|grep "1" > /dev/null 2>&1 ; echo $?`
  if [ "$USER_ALIAS_CHECK" == "1" ]; then
    ALIAS_USERPART=`echo $USERPART | cut -d - -f1`
    ALIAS_USERPART=$ALIAS_USERPART"-default"
    ALIAS_RECIPIENT=$ALIAS_USERPART"@"$DOMAIN
    MY_TEST2=`/home/vpopmail/bin/valias $ALIAS_RECIPIENT|/usr/bin/head -n1`
  else
    MY_TEST2=""
  fi

  if [ "$MY_TEST" != "" ]; then

    # this is a valid alias
    #echo "valid alias"
    /usr/bin/logger -p mail.info -t vchkrcpt "mail from <$SENDER> to <$RECIPIENT> : alias ok"
    exit 0

  elif [ "$MY_TEST2" != "" ]; then

    # this is a valid user alias
    #echo "valid user-alias"
    /usr/bin/logger -p mail.info -t vchkrcpt "mail from <$SENDER> to <$RECIPIENT> : user-alias ok"
    exit 0

  else

    # look for a .qmail-default file, and see it if has a real account in it

    DEFAULT_RECIPIENT="default@"$DOMAIN
    #echo "default recipient = $DEFAULT_RECIPIENT"

    DEFAULT_BOUNCE=`/home/vpopmail/bin/valias $DEFAULT_RECIPIENT | /usr/bin/head -n1|grep bounce-no-mailbox \
        >/dev/null 2>&1; echo $? |grep "1" > /dev/null 2>&1 ; echo $?`
    #echo "DEFAULT_BOUNCE result = $DEFAULT_BOUNCE"

    if [ "$DEFAULT_BOUNCE" == "1" ]; then
      #echo ".qmail-default = bounce"
      #echo "invalid recipient"
      /usr/bin/logger -p mail.info -t vchkrcpt "mail from <$SENDER> to <$RECIPIENT> : catchall=bounce-no-mailbox"
      exit 100
    fi
    DEFAULT_DELETE=`/home/vpopmail/bin/valias $DEFAULT_RECIPIENT | /usr/bin/head -n1|grep ' delete' \
        >/dev/null 2>&1; echo $? |grep "1" > /dev/null 2>&1 ; echo $?`
    #echo "DEFAULT_DELETE result = $DEFAULT_DELETE"

    if [ "$DEFAULT_DELETE" == "1" ]; then
      #echo ".qmail-default = delete"
      #echo "invalid recipient"
      /usr/bin/logger -p mail.info -t vchkrcpt "mail from <$SENDER> to <$RECIPIENT> : catchall=delete"
      exit 100
    fi

    MY_TEST=`/home/vpopmail/bin/valias $DEFAULT_RECIPIENT | /usr/bin/head -n1`
    #echo "ALIAS DEFAULT result = $MY_TEST"

    if [ "$MY_TEST" == "" ]; then

      #echo "invalid recipient (no default alias)"
      /usr/bin/logger -p mail.info -t vchkrcpt "mail from <$SENDER> to <$RECIPIENT> : catchall=none"
      exit 100

    else

      #echo "valid recipient (.qmail-default)"
      /usr/bin/logger -p mail.info -t vchkrcpt "mail from <$SENDER> to <$RECIPIENT> : catchall=ok"
      exit 0

    fi

  fi
else

  #echo "valid mailbox"
  /usr/bin/logger -p mail.info -t vchkrcpt "mail from <$SENDER> to <$RECIPIENT> : account ok"
  exit 0

fi

 

Comments (0) | Print | Send | del.icio.us | Digg It! | Linking Blogs | 68 Views
Comments

There are no comments for this entry.

[Add Comment]
  All content ©2006-2009 Schwabe.Net    andrew[at]schwabe.net