###########
### WHO ###
###########

This patch was written by Scott Gifford <sgifford@suspectclass.com>.
The design and much of the code for supporting "notipme" was
contributed by Charles Cazabon <charlesc@discworld.dyndns.org>.


############
### WHAT ###
############

14 |
This patch may be necessary in some configurations that involve network |
15 |
address translation or port forwarding. It prevents a problem caused |
16 |
by an MX or other mail routing directive instructing qmail to connect to |
17 |
itself without realizing it's connecting to itself. When this happens, |
18 |
it accepts the message, finds out where to deliver it to (itself), and |
19 |
promptly reconnects to itself to deliver the message. Eventually, when |
20 |
it has done this 20 or 30 times, it will give up and bounce the message, |
21 |
but not before sucking up all of your CPU while it's happening. |
22 |
|
It may also be useful in some configurations that have multiple qmail
servers configured on different interfaces of the same system. qmail
will normally refuse to deliver mail by SMTP to the machine it's
running on, but with multiple copies of qmail, you may want to prevent
this behavior.

Normally, qmail can detect which IP addresses refer to itself by getting
a list of all network interfaces with IP addresses from the operating
system. It uses this list to determine whether connecting to an address
would cause it to connect to itself, and avoids the situation by calling
the perm_ambigmx() function, which prints the message:

    Sorry. Although I'm listed as a best-preference MX or A for that host,
    it isn't in my control/locals file, so I don't treat it as local. (#5.4.6)

But in situations where the OS is not aware of all IP addresses that
connect back to itself, this detection fails, causing the CPU-consuming
loop described above. This can happen if there is a network address
translation device in front of the qmail server, such as a load-balancer
or a router which lets you share one IP address among several machines;
if there is a port forwarder forwarding connections from some other
machine to the SMTP server on the qmail server; or in configurations
where a "dumb" mailserver is configured to use your qmail server as a
"smarthost", delivering all mail to it without inspection.

To solve this, other IP addresses which will ultimately connect back to
your machine can be added to the file "control/moreipme", one per line.
qmail will treat all addresses in this file exactly as if they were its
own interface addresses, and if it finds an MX record or other mail
routing information which would cause it to connect to any of these
addresses, it will call perm_ambigmx() and print the above error
message.

Additionally, IP addresses which the system detects but which should
*not* be treated as its own can be removed from qmail's ipme list by
adding them to the file "control/notipme".

IP addresses can be specified as individual addresses in the usual
dotted-quad format, or as entire networks using a slash followed by
the full dotted-quad netmask (not a prefix length such as /8):

    127.0.0.1
    127.0.0.1/255.255.255.255
    127.0.0.0/255.0.0.0
    10.0.0.0/255.255.255.0

An individual address is treated exactly like a network with a mask of
255.255.255.255. Addresses of interfaces found on the system are added
as individual addresses. In addition, these addresses are implicitly
added:

    0.0.0.0
    127.0.0.0/255.0.0.0

So the list of system addresses (the "ipme" list) is, in order,
127.0.0.0/255.0.0.0, 0.0.0.0, then all actual interfaces on the system
in the order they are reported, then the contents of the "moreipme"
file. The list of excluded addresses (the "notipme" list) is just the
contents of the "notipme" file.

If an address matches entries in both the ipme list and the notipme
list, the entry with the longest netmask wins. If the netmask lengths
are the same, notipme wins.

For example, if the ipme list has 127.0.0.0/255.0.0.0 and notipme has
127.0.0.2, then 127.0.0.2 will not be considered me because the entry
in notipme has a 32-bit mask. If the notipme list has
127.0.0.0/255.0.0.0, all of 127.* will not be considered me.

You can run the program "ipmeprint" from the source directory to see
what interfaces qmail is detecting or finds in moreipme.

You can run the program "ipmetest" from the source directory to test
your configuration. It takes as its first and only parameter an IP
address to test, and prints either "me" or "not me". After changing
moreipme or notipme, it is worth running ipmetest against the public
address your MX record points at and confirming it prints "me".

###########
### HOW ###
###########

To apply the patch, download and save it somewhere, then cd into your
qmail source directory.

For stock qmail, download qmail-1.03-moreipme-0.6.patch then run:

    cd qmail-1.03
    patch -p1 </path/to/qmail-1.03-moreipme-0.6.patch

For netqmail, first download netqmail-1.05 and run the included
collate.sh script. Then download netqmail-1.05-moreipme-0.6.patch and
apply it in the netqmail base directory:

    cd netqmail-1.05
    patch -p1 </path/to/netqmail-1.05-moreipme-0.6.patch

In either case, check that patch reports no rejected hunks (it leaves
them in *.rej files) before rebuilding and installing qmail.


###################
### OTHER NOTES ###
###################

This patch also incorporates the "0.0.0.0" patch, which causes qmail
to recognize the IP address 0.0.0.0 as a local address, so there is no
need to apply that patch separately. See:

    http://www.suspectclass.com/~sgifford/qmail/qmail-0.0.0.0.README

for more information, and

    http://www.suspectclass.com/~sgifford/qmail/qmail-0.0.0.0.patch

for a copy of the patch.


###############
### HISTORY ###
###############

2004 May 22 - Patch version 0.6 released. Fix from Richard Dawe where
              masks weren't handled properly, removed some dead code,
              updated comments and docs. Produce a copy of the patch
              for netqmail-1.05.

2003 Apr 29 - Patch version 0.5 released. Added support for netmasks
              in moreipme and notipme, ipmetest utility, 127/8 as
              implicit ipme.

2002 Apr 26 - Patch version 0.4 released. Includes support for "notipme" file.
              Many other small fixes and cleanups. Fixes ipmeprint to
              chdir(/var/qmail) before running.

2001 Oct 8  - Original release of patch.

2001 Jan 22 - (roughly) Original release of 0.0.0.0 patch.