Topic: Upgrading qpsmtpd from 0.84 to 0.93?

[holck]

It seems a lot has been happening with qpsmtpd since version 0.84, the one used in SME 8.0. The newest version, 0.93 (https://github.com/smtpd/qpsmtpd/releases/tag/v0.93) was released quite recently. Is anyone considering an upgrade? What are the pros and cons?

Glædelig jul

Jesper,
Denmark

[idp_qbn]

SME 8.0 is based on CENTOS 5.8.
If qpsmtd v0.93 is not in CENTOS 5.8, it won't be in SME 8.0

Cheers
Ian

[janet]

holck

SME 9beta2 only has
qpsmtpd-0.84-7.el6.sme.noarch.rpm
&
smeserver-qpsmtpd-2.4.0-4.el6.sme.noarch.rpm
as it relies on upstream sources of CentOS6.x.

If you want a newer version it will really be something that is/has to be packaged by SME developers & regularly updated & released with each qpsmtpd update, so the best place to request this is in bugzilla, or you could start a conversation on devinfo mailing lists discussing the pros & cons. There is probably a lot of integration required, so you would have to show good reasons why the latest & greatest should be used.

IMO it is highly unlikely to be included in SME8, & as SME9 is being developed based on SME8 specifications, then it would only be something that may go into a SME9.1 release, so lodge a NFR for SME9.1 in bugzilla.

SME9beta3 (not released but being tested) has
qpsmtpd-0.84-8.el6.sme.noarch.rpm
&
smeserver-qpsmtpd-2.4.0-4.el6.sme.noarch.rpm

Why do you think the 0.93 version of qpsmtpd should be included in SME server ?

[holck]

Thank you for your replies. I can see the problems and extra work that will result from not just inheriting qpsmtpd from CentOS.

For me, one reason for raising the discussion has been that I see new problems showing up in the qpsmtpd log files: attacks where outside clients try thousands of different passwords for standard user names like "payments", "company" etc., with qpsmtpd just politely denying each new password. And problems with handling IPv6 connections, especially from linkedin.com .

Another reason is that after a long period of very low activity, a lot has been happening with qpsmtpd since 2012. I must admit that I'm not sure the new versions will handle the problems, I've been seeing, but it seems like all the effort from the qpsmtpd developers is focused on the newest versions.

Best,
Jesper

[janet]

holck

I suggest you lodge a NFR bug report, against Future release of SME server, as it is the only way to start the process.
Refer to this forum thread & restate your reasons.
You never know, developers may agree with you.

[stephdl]

For me, one reason for raising the discussion has been that I see new problems showing up in the qpsmtpd log files: attacks where outside clients try thousands of different passwords for standard user names like "payments", "company" etc., with qpsmtpd just politely denying each new password. And problems with handling IPv6 connections, especially from linkedin.com .

Please try smeserver-fail2ban, it is made against this kind of attack http://forums.contribs.org/index.php/topic,50162.msg252195.html#msg252195

http://wiki.contribs.org/Fail2ban

[CharlieBrady]

And problems with handling IPv6 connections, especially from linkedin.com .

As far as I've ever seen, all mail from linkedin.com is just spam

IPv6 connection problems should be easily handled by not publishing any AAAA records for your MX records.

Do you have an IPv6 modified version of SME server?

[holck]

@Charlie:

As far as I've ever seen, all mail from linkedin.com is just spam

Agree !

Do you have an IPv6 modified version of SME server?

No, I don't think so. I do receive the spam from linkedin.com, but qpsmtpd complains every time with messages like this:

Code: [Select]

2014-01-01 11:14:05.067528500 Use of uninitialized value in bitwise and (&) at /usr/share/qpsmtpd/plugins/require_resolvable_fromhost line 111.

@stephdl:

I do run fail2ban, but unfortunately fail2ban can't prevent the password attacks on qpsmtpd, because for some reason this version doesn't log the IP addresses. The messages in /var/log/qpsmtpd/current looks like this:

Code: [Select]

2013-12-11 11:50:19.150369500 13420 Authentication failed for payments^@^@^@^@^@^@^@^@^@^@^@^@ - where the trailing garbage are x00 bytes.

@janet:
Thanks, I will lodge a bug report

Thanks for all your help,
Jesper