Thursday, April 29, 2010

Spam Control using badip control file

IndiMail has many methods to help deal with spam. For detecting spam, IndiMail uses bogofilter, a fast Bayesian spam filter. IndiMail's qmail-smtpd, which provides the SMTP protocol, is neatly integrated with bogofilter. When bogofilter detects spam, qmail-smtpd prints the X-Bogosity header as part of the SMTP transaction log:
% grep "X-Bogosity: Yes" /var/log/svc/smtpd.25/current
@400000004bc8183f01fcbc54 qmail-smtpd: pid 16158 from ::ffff:88.191.35.203 HELO X-Bogosity: Yes, spamicity=0.999616, cutoff=9.90e-01, ham_cutoff=0.00e+00, queueID=6cs66604wfk,


The value "Yes" in X-Bogosity indicates spam. You can tell qmail-smtpd to reject such mails at SMTP just by doing
# echo 1 > /service/qmail-smtpd.25/variables/REJECTSPAM
# svc -d /service/qmail-smtpd.25
# svc -u /service/qmail-smtpd.25


An SMTP client that tries to send a spam mail will get the following error at the end of the SMTP transaction:
554 SPAM or junk mail threshold exceeded (#5.7.1)
The mail will get bounced. In some cases you would want to issue a temporary error to such clients. In the above SMTP transaction log, the IP address of the client was 88.191.35.203. To put such clients into IndiMail's SPAM blacklist, you just need to put the IP address in the control file /etc/indimail/control/badip
# echo 88.191.35.203 >> /etc/indimail/control/badip


For turning on the BADIP functionality, you need to set the BADIPCHECK or the BADIP environment variable. i.e.
# echo badip > /service/qmail-smtpd.25/variables/BADIP
# svc -d /service/qmail-smtpd.25
# svc -u /service/qmail-smtpd.25

Clients whose IP matches an entry in badip will be greeted as below
421 indimail.org sorry, your IP (::ffff:88.191.35.203) is temporarily denied (#4.7.1)
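Also, the client will not be able to carry out any SMTP transactions like EHLO, MAIL FROM, RCPT TO, etc.
A large ISP can run the following command once every day from cron. badip holds IP addresses, so the command extracts the client address from each matching log line:
grep "X-Bogosity: Yes" /var/log/svc/qmail.smtpd.25/current | awk '{ sub(/^::ffff:/, "", $6); print $6 }' | sort -u > /etc/indimail/control/badip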
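
A stricter version of the daily rebuild, as an added example that is not part of the original post or of IndiMail: it keeps only well-formed IPv4 addresses, requires a minimum number of spam verdicts per client, skips allowlisted addresses and replaces badip by rename. The hit threshold, the allowlist file and every sample log line except the first are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not IndiMail code. MIN_HITS and the allowlist file are
# assumptions of this sketch; the log layout is the one shown on this page.

# spam_ips MIN_HITS [ALLOWLIST] < smtpd-log
# Prints, one per line, each IPv4 client that bogofilter flagged as spam at
# least MIN_HITS times, skipping any address listed in ALLOWLIST.
spam_ips() {
    awk -v min="${1:-1}" -v allow="${2:-/dev/null}" '
        function valid_ipv4(s,    n, o, k) {
            n = split(s, o, ".")
            if (n != 4) return 0
            for (k = 1; k <= 4; k++)
                if (o[k] !~ /^[0-9]+$/ || o[k] + 0 > 255) return 0
            return 1
        }
        BEGIN { while ((getline line < allow) > 0) skip[line] = 1 }
        /X-Bogosity: Yes/ {
            ip = ""
            # the client address is the token after the first "from"
            for (i = 1; i < NF; i++)
                if ($i == "from") { ip = $(i + 1); break }
            sub(/^::ffff:/, "", ip)        # IPv4-mapped form used in the log
            # only well-formed addresses may reach a control file
            if (valid_ipv4(ip) && !(ip in skip)) hits[ip]++
        }
        END { for (ip in hits) if (hits[ip] >= min + 0) print ip }
    ' | LC_ALL=C sort
}

# write_badip TARGET MIN_HITS [ALLOWLIST] < smtpd-log
# Builds the list in a temporary file beside TARGET and renames it into place,
# so a reader never sees a half-written badip.
write_badip() {
    target=$1
    tmp=$(mktemp "$target.XXXXXX") || return 1
    if spam_ips "$2" "$3" > "$tmp"; then
        chmod 644 "$tmp" && mv "$tmp" "$target"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Constructed sample: the first line is the one shown in the post, the rest
# are invented for this example (documentation address ranges, one bad octet).
sample_log() {
    cat <<'EOF'
@400000004bc8183f01fcbc54 qmail-smtpd: pid 16158 from ::ffff:88.191.35.203 HELO X-Bogosity: Yes, spamicity=0.999616, cutoff=9.90e-01, ham_cutoff=0.00e+00, queueID=6cs66604wfk,
@400000004bc8184a11111111 qmail-smtpd: pid 16201 from ::ffff:88.191.35.203 HELO X-Bogosity: Yes, spamicity=0.998100, cutoff=9.90e-01, ham_cutoff=0.00e+00, queueID=constructed1,
@400000004bc8185022222222 qmail-smtpd: pid 16230 from ::ffff:192.0.2.10 HELO X-Bogosity: Yes, spamicity=0.991000, cutoff=9.90e-01, ham_cutoff=0.00e+00, queueID=constructed2,
@400000004bc8185533333333 qmail-smtpd: pid 16244 from ::ffff:198.51.100.7 HELO X-Bogosity: No, spamicity=0.012000, cutoff=9.90e-01, ham_cutoff=0.00e+00, queueID=constructed3,
@400000004bc8186044444444 qmail-smtpd: pid 16260 from ::ffff:203.0.113.5 HELO X-Bogosity: Yes, spamicity=0.995000, cutoff=9.90e-01, ham_cutoff=0.00e+00, queueID=constructed4,
@400000004bc8186155555555 qmail-smtpd: pid 16261 from ::ffff:203.0.113.5 HELO X-Bogosity: Yes, spamicity=0.996000, cutoff=9.90e-01, ham_cutoff=0.00e+00, queueID=constructed5,
@400000004bc8187066666666 qmail-smtpd: pid 16270 from ::ffff:999.1.1.1 HELO X-Bogosity: Yes, spamicity=0.999000, cutoff=9.90e-01, ham_cutoff=0.00e+00, queueID=constructed6,
EOF
}

# Demo: two-hit threshold with 203.0.113.5 allowlisted.
allowlist=$(mktemp)
echo 203.0.113.5 > "$allowlist"
sample_log | spam_ips 2 "$allowlist"
rm -f "$allowlist"
```

From cron, the call would take the form `write_badip /etc/indimail/control/badip 2 ALLOWLIST < LOGFILE`, with the log path your installation uses.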


If your badip file becomes very large, you can also take advantage of IndiMail's ability to use cdb (or you could use MySQL too)

% sudo /usr/bin/qmail-cdb badip



Monday, April 26, 2010

Web Administration for IndiMail

I always find using the web ugly. It is a pain using the mouse almost all the time to do anything. One of the reasons I have never focussed on building a web administration tool for Indimail.

Lately my users have been pestering me if something can be done about it. I have no knowledge of web scripting, etc. But using some bit of common sense, I have managed to make qmailadmin work with IndiMail by modifying the source code (lucky for me, they are written in C).

For the admin user it provides
  1. user addition
  2. user deletion
  3. password change
  4. adding autoresponders
  5. deleting autoresponders
  6. modifying autoresponders
  7. adding forwarding addresses
  8. deleting forwarding addresses
  9. modifying forwarding addresses
  10. quota modification
For users other than the postmaster account it provides
  1. Password change
  2. add/modify/delete forwarding addresses
  3. add/modify/delete autoresponder
iwebadmin can be downloaded from
http://sourceforge.net/projects/indimail/files/iwebadmin

The RPM / Yum Repo file can be downloaded from
http://software.opensuse.org/download.html?project=home:indimail&package=iwebadmin

You can download IndiMail at
http://sourceforge.net/projects/indimail/

The RPM can be downloaded from
http://download.opensuse.org/repositories/home:/indimail/

After installation, you just need to go to http://127.0.0.1/cgi-bin/iwebadmin
The image assets get installed in /var/www/html/images/iwebadmin
The html assets get installed in /var/indimail/share/iwebadmin

The screen shots are below








Saturday, April 24, 2010

Post Handle

IndiMail provides a handle that runs after the successful operation of a few programs. A post execution handle is a program with the same name as that of the calling program but in the directory /usr/libexec/indimail. On successful completion, such programs will execute the handle program and return the status of the called handle program.
In my experience of setting up mail servers in the corporate world, often it is required that users be added to external databases which could be part of some strange enterprise applications. It could be as simple as adding users to your ldap server when creating a mailbox on IndiMail. Sometimes it could be as bad as adding users to ADS (ugh).
IndiMail (release 1.6.9 onwards) provides you a hook to execute any program after successful completion of the programs vadddomain, vaddaliasdomain, vdeldomain, vadduser, vdeluser, vrenamedomain, vrenameuser, vmovuser and vpasswd.
A hook can be defined by creating a script or an executable in /usr/libexec/indimail with the name of the program being executed. e.g. if you create a script named vadduser in the directory /usr/libexec/indimail, the script will get executed whenever the program vadduser is used to add a user to indimail. The execution happens only if the program completes successfully. Depending on what you need to do, you can customize the scripts in a jiffy.
The hook script name can be overridden by setting the POST_HANDLE environment variable.
See the man pages of vadddomain, vaddaliasdomain, vdeldomain, vadduser, vmoduser, vmoveuser, vdeluser, vrenamedomain, vrenameuser and vpasswd for more details.
Let me know if you create an interesting script.
An example of using a handle: when adding a user, you want vuserinfo to be run.
% cat /var/indimail/libexec/vadduser
exec /var/indimail/bin/vuserinfo "$1"

If you have the above, then this is what will happen when you add a user
% sudo /var/indimail/bin/vadduser test05@example.com
New IndiMail password for test05@example.com:
Retype new IndiMail password:
name : test05@example.com
passwd : $1$awb5a5oV$/3rsmlKSu.wzwIFhBzMf7/ (MD5)
uid : 1
gid : 0
-all services available
gecos : test05
dir : /home/mail/T2Zsym/example.com/test05 (missing)
quota : 5242880 [5.00 Mb]
curr quota : 0S,0C
Mail Store IP : 192.168.1.100 (Clustered - local)
Mail Store ID : 1000
Sql Database : 192.168.1.100:indimail:ssh-1.5-
Table Name : indimail
Relay Allowed : NO
Days inact : 0 days 00 Hrs 00 Mins 00 Secs
Added On : ( 127.0.0.1) Sat Apr 24 19:49:06 2010
last auth : Not yet logged in
last IMAP : Not yet logged in
last POP3 : Not yet logged in
PassChange : Not yet Changed
Inact Date : Not yet Inactivated
Activ Date : ( 127.0.0.1) Sat Apr 24 19:49:06 2010
Delivery Time : No Mails Delivered yet / Per Day Limit not configured


I personally use post execution handle for adding some mandatory users every time I add a new domain. So this is what my vadddomain handle looks like

% cat /var/indimail/libexec/vadddomain
/var/indimail/bin/vdominfo "$1"
/var/indimail/bin/valias -i '&register-spam' "register-spam@$1"
/var/indimail/bin/valias -i '&register-ham' "register-ham@$1"
/var/indimail/bin/valias -i '&spam' "spam@$1"
/var/indimail/bin/valias -i '&ham' "ham@$1"
/var/indimail/bin/vadduser -e "prefilt@$1" xxxxxxxx
/var/indimail/bin/vadduser -e "postfilt@$1" xxxxxxxx
/var/indimail/bin/vcfilter -i -t spamFilter -c 3 -k "Yes, spamicity=" -f Spam -b 0 -h 33 "prefilt@$1"
/bin/ls -dl "/var/indimail/domains/$1"
/bin/ls -al "/var/indimail/domains/$1"
exit 0






Monday, April 19, 2010

Envrules for IndiMail

IndiMail allows you to configure most of its functionality through a set of environment variables. In fact, there are more than 200 features that can be controlled just by setting or unsetting environment variables. envrules is applicable to qmail-smtpd, qmail-inject, qmail-local and qmail-remote. It can also be used to control programs called by the above programs (e.g. qmail-queue). For example, just set the environment variable CONTROLDIR=control2 and all qmail components of IndiMail start looking for control files in /var/indimail/control2. You can set CONTROLDIR=/etc/indimail and all control files can be conveniently placed in /etc/indimail.
Some of these environment variables can be set during the startup of various services. IndiMail has all its services configured as directories in the /service directory. As an example, if you want to force authenticated SMTP on all your users, setting the environment variable REQUIREAUTH allows you to do so.
% su
# echo 1 > /service/qmail-smtpd.587/variables/REQUIREAUTH
# svc -d /service/qmail-smtpd.587
# svc -u /service/qmail-smtpd.587


This sets the qmail-smtpd running on port 587 to force authentication.
Setting environment variables in your startup script, in your .profile or your shell forces you to permanently set the environment variable to a specific value. Using envrules, IndiMail allows you to set these environment variables specific to different senders or recipients. envrules allows the IndiMail platform to be tuned differently for different users. No other messaging platform, to the best of my knowledge, is capable of doing that. Another way of saying it is that envrules allows your IndiMail platform to dynamically change its behavior for each and every user.
For the SMTP service, you can set different environment variables for different senders. All that is required is to define the rules in the control file /etc/indimail/control/from.envrules. Each line of this file has the form
pattern:envar1=val,envar2=val,...
where pattern is a regular expression which matches a sender, and envar1, envar2 are the environment variables to be set. If val is omitted, the environment variable is unset. The name of the control file can be overridden by the environment variable FROMRULES. For example, having the following in from.envrules
*consultant:REQUIREAUTH=1,NORELAY=1
forces all users whose email ids end with 'consultant' to authenticate while sending mails. Also such users will be prevented from sending mails to outside your domain.
ceo@example.com:DATASIZE=
Removes all message size restrictions for the user whose email address is ceo@example.com, by unsetting the environment variable DATASIZE.
You can also set envrules on per recipient basis. This gets set for qmail-local & qmail-remote. The control file to be used in this case is /etc/indimail/control/rcpt.envrules. The filename can be overridden by RCPTRULES environment variable.
e.g.
*.yahoo.com:OUTGOINGIP=192.168.2.100
The OUTGOINGIP environment variable is used by qmail-remote to bind on a specific IP address when connecting to the remote SMTP server. The above envrule forces qmail-remote to use 192.168.2.100 as the outgoing IP address when sending mails to any recipient at yahoo.com.
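
A dry-run check for from.envrules or rcpt.envrules, as an added example that is not IndiMail code: given an address, it lists every rule that matches and what each rule sets or unsets. It assumes patterns are matched as shell-style wildcards, which is how the examples above are written, and that '#' lines are comments; the MAXRECIPIENTS rule is constructed, and how IndiMail combines several matching rules is not covered.

```shell
#!/bin/sh
# Added example, not IndiMail code. Wildcard matching, '#' comments and the
# output format are assumptions of this sketch.

# match_envrules ADDRESS < envrules-file
# For every rule whose pattern matches ADDRESS, prints one line per action:
#   PATTERN: set NAME=VALUE      or      PATTERN: unset NAME
match_envrules() {
    addr=$1
    while IFS= read -r line; do
        case $line in
            ''|'#'*) continue ;;      # blank line or comment
            *:*) ;;                   # pattern:actions
            *) continue ;;            # no separator, not a rule
        esac
        pattern=${line%%:*}           # text before the first colon
        actions=${line#*:}            # comma-separated NAME=VALUE list
        case $addr in
            $pattern) ;;              # unquoted on purpose: wildcard match
            *) continue ;;
        esac
        old_ifs=$IFS
        IFS=,
        set -f                        # split on commas without globbing
        for a in $actions; do
            name=${a%%=*}
            case $a in
                *=?*) printf '%s: set %s=%s\n' "$pattern" "$name" "${a#*=}" ;;
                *)    printf '%s: unset %s\n' "$pattern" "$name" ;;   # empty value
            esac
        done
        set +f
        IFS=$old_ifs
    done
    return 0
}

# The first two rules are the ones from the post; the third is constructed
# to show an address that is covered by more than one rule.
sample_rules() {
    cat <<'EOF'
# sender rules
*consultant:REQUIREAUTH=1,NORELAY=1
ceo@example.com:DATASIZE=
*@example.com:MAXRECIPIENTS=10
EOF
}

# Demo: which rules would apply to these two senders?
sample_rules | match_envrules ceo@example.com
sample_rules | match_envrules jane@corp.consultant
```

Running it against the live control file before a reload shows at a glance which senders have a restriction removed by an unset action.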
For the SMTP service, the following list of environment variables can be modified using envrules
REQUIREAUTH, QREGEX, ENFORCE_FQDN_HELO, DATABYTES, BADHELOCHECK, BADHELO, BADHOST, BADHOSTCHECK, TCPPARANOID, NODNSCHECK, VIRUSCHECK, VIRUSFORWARD, REMOVEHEADERS, ENVHEADERS, LOGHEADERS, LOGHEADERFD, SIGNATURES, BODYCHECK, BADMAILFROM, BADMAILFROMPATTERNS, BOUNCEMAIL, CUGMAIL, MASQUERADE, BADRCPTTO, BADRCPTPATTERNS, GOODRCPTTO, GOODRCPTPATTERNS, GREYIP, GREETDELAY, CLIENTCA, TLSCIPHERS, SERVERCERT, BLACKHOLERCPT, BLACKHOLERCPTPATTERNS, SIGNKEY, SIGNKEYSTALE, SPFBEHAVIOR, TMPDIR, TARPITCOUNT, TARPITDELAY, MAXRECIPIENTS, MAX_RCPT_ERRCOUNT, AUTH_ALL, CHECKRELAY, CONTROLDIR, ANTISPOOFING, CHECKRECIPIENT, SPAMFILTER, LOGFILTER, SPAMFILTERARGS, SPAMEXITCODE, REJECTSPAM, SPAMREDIRECT, SPAMIGNORE, SPAMIGNOREPATTERNS, FILTERARGS, QUEUEDIR, QUEUE_BASE, QUEUE_START, QUEUE_COUNT, QMAILQUEUE, QUEUEPROG, RELAYCLIENT, QQEH, BADEXT, BADEXTPATTERNS, ACCESSLIST, EXTRAQUEUE, QUARANTINE, QHPSI, QHPSIMINSIZE, QHPSIMAXSIZE, QHPSIRC, QHPSIRN, USE_FSYNC, SCANCMD, PLUGINDIR, QUEUE_PLUGIN, PASSWORD_HASH, MAKESEEKABLE, MIN_FREE, ERROR_FD, DKSIGN, DKVERIFY, DKSIGNOPTIONS, DKQUEUE, DKEXCLUDEHEADERS, DKIMSIGN, DKIMVERIFY, DKIMPRACTICE, DKIMIDENTITY, DKIMEXPIRE, SIGN_PRACTICE, DKIMQUEUE, SIGNATUREDOMAINS, and NOSIGNATUREDOMAINS
The following list of environment variables can be modified using envrules if QMAILLOCAL and QMAILREMOTE are set to /var/indimail/bin/spawn-filter.
QREGEX, SPAMFILTER, LOGFILTER, SPAMFILTERARGS, FILTERARGS, SPAMEXITCODE, HAMEXITCODE, UNSUREEXITCODE, REJECTSPAM, SPAMREDIRECT, SPAMIGNORE, SPAMIGNOREPATTERNS, DATABYTES, MDA, MYSQL_INIT_COMMAND, MYSQL_READ_DEFAULT_FILE, MYSQL_READ_DEFAULT_GROUP, MYSQL_OPT_CONNECT_TIMEOUT, MYSQL_OPT_READ_TIMEOUT, MYSQL_OPT_WRITE_TIMEOUT, QUEUEDIR, QUEUE_BASE, QUEUE_START, QUEUE_COUNT, and TMPDIR


The following environment variables, which can be modified using envrules, are specific to qmail-remote.
CONTROLDIR, SMTPROUTE, SIGNKEY, OUTGOINGIP, DOMAINBINDINGS, AUTH_SMTP, MIN_PENALTY, and MAX_TOLERANCE
The following environment variables, which can be modified using envrules, are specific to qmail-local.
USE_SYNCDIR, USE_FSYNC, and LOCALDOMAINS
See the man pages qmail-smtpd(8) and spawn-filter(8) for the full list of environment variables that can be controlled using envrules.

Friday, April 16, 2010

qmail control files in plain text, cdb or MySQL

IndiMail provides enormous flexibility in where you can put your control files. Define the environment variable CONTROLDIR=/var/indimail/control and all IndiMail programs will look for control files in /var/indimail/control. Define CONTROLDIR=/etc/indimail and all programs look for configuration files in /etc/indimail.

A little known feature of IndiMail allows some of your control files to be in plain text, cdb or in MySQL. These control files include authdomains, badhelo, badext, badmailfrom, badrcptto, blackholedsender, blackholedrcpt, chkrcptdomains, goodrcptto, relaymailfrom and spamignore. If you have quite a large number of entries in any of the above control files, you can expect a significant performance gain by having these control files in cdb or MySQL.

The mechanism is quite simple. For example, if you have the control file badmailfrom, qmail-smtpd will use badmailfrom. If you have the file badmailfrom.cdb, qmail-smtpd will first do cdb lookup in badmailfrom.cdb. To create badmailfrom.cdb, you need to run the command.

% sudo /var/indimail/bin/qmail-cdb badmailfrom

You can also have your entries in a MySQL table. Let's say you have a MySQL server on the host localhost, a database named 'indimail' with user 'indimail' having password 'ssh-1.5-'. To enable the control file in MySQL you need to create the control file with a .sql extension. The following enables badmailfrom in MySQL:

# echo "localhost:indimail:ssh-1.5-:indimail:badmailfrom" > badmailfrom.sql

Once you have created a file badmailfrom.sql, qmail-smtpd will connect to the MySQL server on localhost and look for entry in the column 'email' in the table badmailfrom. If this table does not exist, qmail-smtpd will create an empty table using the following create statement

create table badmailfrom (email char(64) NOT NULL, timestamp timestamp NOT NULL,
primary key (email), index timestamp (timestamp))

You can use the MySQL client to insert entries. e.g.

MySQL > insert into badmailfrom (email) values ('testuser@example.com');

If you have all the 3 versions of control files existing, IndiMail will first do a cdb lookup, followed by MySQL lookup and finally look into the plain text control file.

Version 1.7.4 of IndiMail will come with a utility qmail-sql which will allow you to create the MySQL table and also insert values from the command line or convert an existing plain text version to MySQL.

Wednesday, April 14, 2010

Configuring Dovecot with IndiMail

IndiMail stores its virtual user information in MySQL. However, IndiMail can work with virtually any IMAP/POP3 server which has a mechanism to authenticate using PAM and can use the system's passwd database for the user's home directory. This is because IndiMail provides a PAM module and an NSS service described below. The beauty of providing both PAM and NSS is that you do not have to modify a single line of code anywhere. In this respect, IndiMail is probably the most flexible messaging server available at the moment.

Dovecot is an open source IMAP and POP3 server for Linux/UNIX-like systems, written with security primarily in mind. Dovecot is an excellent choice for both small and large installations. It's fast, simple to set up, requires no special administration and it uses very little memory. Though I do not use dovecot, I have heard excellent reviews from users about dovecot. It took me less than 20 minutes to download dovecot today and have it working with IndiMail with all existing mails intact and accessible. So at the moment, my IndiMail installation is working with both courier-imap and dovecot simultaneously (with different IMAP/POP3 ports assigned to courier-imap and dovecot).

Like most IMAP/POP3 servers, dovecot is configurable and can use multiple methods to authenticate, as well as to get other information about the user such as home directory, user id, etc.

IndiMail provides pam-multi(8) as a flexible Password Authentication Module. For providing the userdb information using the standard passwd mechanism, IndiMail provides the pwdlookup service. The pwdlookup service uses nssd(8) daemon which provides Name Service Switch. NSS provides a mechanism by which standard functions, which look into /etc/passwd, /etc/shadow, can be extended to look into external sources. nssd provides IndiMail's database as an alternate UNIX configuration database for /etc/passwd, /etc/shadow and /etc/group. The additional source for passwd database can be enabled by adding 'nssd' in /etc/nsswitch.conf as an alternate source for passwd database.

% grep passwd /etc/nsswitch.conf
#passwd: db files nisplus nis
passwd: files nssd


pam-multi along with the pwdlookup service makes it easy to have dovecot work with IndiMail without modifying a single line of dovecot's code. You just need to configure 3 additional config files: /var/indimail/etc/nssd.conf, /etc/pam.d/pam-multi and /etc/dovecot.conf. Here is what is required

File /var/indimail/etc/nssd.conf

getpwnam SELECT pw_name,'x',555,555,pw_gecos,pw_dir,pw_shell \
FROM indimail \
WHERE pw_name='%1$s' and pw_domain='%2$s' \
LIMIT 1
getspnam SELECT pw_name,pw_passwd,'1','0','99999','0','0','-1','0' \
FROM indimail \
WHERE pw_name='%1$s' and pw_domain='%2$s' \
LIMIT 1
getpwent SELECT pw_name,'x',555,555,pw_gecos,pw_dir,pw_shell \
FROM indimail LIMIT 100
getspent SELECT pw_name,pw_passwd,'1','0','99999','0','0','-1','0' \
FROM indimail

host localhost
database indimail
username indimail
password ssh-1.5-
socket /tmp/mysql.sock
pidfile /tmp/nsvsd.pid
threads 5
timeout -1
facility daemon
priority err

File /etc/pam.d/pam-multi

#
# auth required pam-multi.so args -s /var/indimail/modules/iauth.so -d
# account required pam-multi.so args -s /var/indimail/modules/iauth.so -d
#
auth required pam-multi.so args -s /var/indimail/modules/iauth.so
account required pam-multi.so args -s /var/indimail/modules/iauth.so
#pam_selinux.so close should be the first session rule
session required pam_selinux.so close
#pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke


The above is for Fedora. You may have to change the configuration for your OS. Consult your OS PAM documentation.

If you have installed IndiMail using RPM, the pwdlookup service will already be configured and running. Ensure that the pwdlookup service is running

% sudo /var/indimail/bin/svstat /service/pwdlookup
/service/pwdlookup/: up (pid 8397) 1091 seconds


To improve passwd lookup performance, you may want to have nscd(8) daemon started.

% /etc/init.d/nscd start
Starting nscd: [ OK ]


Finally, the following configuration will be needed for dovecot
File /etc/dovecot.conf

# User to use for the login process. Create a completely new user for this,
# and don't use it anywhere else. The user must also belong to a group where
# only it has access, it's used to control access for authentication process.
# Note that this user is NOT used to access mails.
login_user = qmaill

#
mail_location = maildir:~/Maildir

# System user and group used to access mails. If you use multiple, userdb
# can override these by returning uid or gid fields. You can use either numbers
# or names.
mail_uid = 555
mail_gid = 555


passdb pam {
# PAM authentication. Preferred nowadays by most systems.
# Note that PAM can only be used to verify if user's password is correct,
# so it can't be used as userdb. If you don't want to use a separate user
# database (passwd usually), you can use static userdb.
# REMEMBER: You'll need /etc/pam.d/dovecot file created for PAM
# authentication to actually work.

# [session=yes] [setcred=yes] [failure_show_msg=yes] [max_requests=]
# [cache_key=] []
args = session=yes pam-multi
}


Restart/start dovecot and your users should be able to access their Maildirs through dovecot using POP3, IMAP, POP3S or IMAPS.

Note: IndiMail's pam-multi is installed in /lib/security, lib64/security or /usr/lib/pam depending on your OS.

If you have installed IndiMail from source, you will also need to install pam-multi and nssd from
https://sourceforge.net/projects/indimail/files/mailpack/mailpack-1.1

Sunday, April 11, 2010

Default Quota when adding users

IndiMail has the ability to configure various limits for a domain using the vlimit(1) program. You can set password expiry, default quota, allow only POP3 access and even have an expiry date for the domain.

One useful feature of setting domain limits is setting the default quota when adding users using the vadduser(1) command.

To turn on domain limits for a domain, you need to run the vmoddomain(1) program

% /var/indimail/bin/vmoddomain -l 1 example.com

The compile time default for quota is 5 Mb which may not be what you want. If you want 50 Mb of quota to be assigned by default when adding users, here is what you need to do

% sudo /var/indimail/bin/vlimit -q 50000000 example.com

% sudo /var/indimail/bin/vadduser user01@example.com pass
name : user01@example.com
passwd : $1$O9bi66Kf$chrSBpdPDFZh49XrgpUSt0 (MD5)
uid : 1
gid : 0
-all services available
gecos : user01
dir : /home/mail/T2Zsym/example.com/user01
quota : 50000000 [47.68 Mb] <============ 50 Mb Quota =========
curr quota : 0S,0C
Mail Store IP : 192.168.1.100 (Clustered - local)
Mail Store ID : 1000
Sql Database : localhost:indimail:xxxxxxxx
Table Name : indimail
Relay Allowed : NO
Days inact : 0 days 00 Hrs 50 Mins 56 Secs
Added On : ( 127.0.0.1) Sun Apr 11 11:24:08 2010
last auth : Not yet logged in
last IMAP : Not yet logged in
last POP3 : Not yet logged in
PassChange : Not yet Changed
Inact Date : Not yet Inactivated
Activ Date : ( 127.0.0.1) Sun Apr 11 11:24:08 2010
Delivery Time : No Mails Delivered yet / Per Day Limit not configured

NOTE: vlimit(1) program is vmoddolimits(1) in indimail-1.7.2 and earlier

Friday, April 9, 2010

Setting up QMQP

QMQP is faster than SMTP. You can use QMQP to send mails from your relay servers to a server running the QMQP service. The QMQP service can deliver mails to your local mailboxes and/or relay mails to the outside world.

Client Setup

QMQP provides a centralized mail queue within a cluster of hosts. QMQP clients do not require a local queue for queueing messages. For a minimal QMQP client installation, you need to have the following:
  • forward, qmail-inject, sendmail, predate, datemail, mailsubj, qmail-showctl, maildirmake, maildir2mbox, maildirwatch, qail, elq, and pinq in /usr/bin;
  • All files in /usr/lib, or /usr/lib64
  • a symbolic link to qmail-qmqpc from /usr/sbin/qmail-queue;
  • symbolic links to /usr/bin/sendmail from /usr/sbin/sendmail and /usr/lib/sendmail;
  • all the manual pages in /usr/share/man;
  • a list of IP addresses of QMQP servers, one per line, in /etc/indimail/control/qmqpservers;
  • a copy of /etc/indimail/control/me, /etc/indimail/control/defaultdomain, and /etc/indimail/control/plusdomain from your central server, so that qmail-inject uses appropriate host names in outgoing mail; and
  • this host's name in /etc/indimail/control/idhost, so that qmail-inject generates Message-ID without any risk of collision.
Everything can be shared across hosts except for /etc/indimail/control/idhost.
Remember that users won't be able to send mail if all the QMQP servers are down. Most sites have two or three independent QMQP servers.
Note that users can still use all the qmail-inject environment variables to control the appearance of their outgoing messages.
If you want to set up an SMTP service, it might be easier to install the entire IndiMail package and remove the services qmail-send.25, indisrvr.4000, proxy-imap*, proxy-pop3*, qmail-imap*, qmail-pop3*, qmail-qm*. You can use svctool to remove a service, e.g.
% sudo /usr/sbin/svctool --rmsvc qmail-send.25
In case the mails generated by the client are to be relayed to the outside world, you should set up the SMTP service and have /usr/sbin/sendmail and /usr/lib/sendmail linked to /usr/bin/sendmail.sh. This is to ensure that tasks like virus scanning and dk, dkim signing happen at the client end. You can also choose not to have these tasks done at the client end, but rather have them carried out by the QMQP service.

QMQP Service

IndiMail runs a QMQP service which handles incoming QMQP connections on port 628 using tcpserver. It uses multilog to store log messages under /var/log/indimail/qmqpd.628.

If you have installed IndiMail using the RPM, QMQP service is installed by default. However, you need to enable it.

% sudo /bin/rm /service/qmail-qmqpd.628/down
% sudo /usr/bin/svc -u /service/qmail-qmqpd.628

If you have installed IndiMail using the source, you may create the QMQP service using the following command

% sudo /usr/sbin/svctool --qmqp=628 --servicedir=/service \
--qbase=/var/indimail/queue --qcount=5 --qstart=1 \
--cntrldir=control --localip=0 --maxdaemons=75 --maxperip=25 \
--fsync --syncdir --memory=104857600 --min-free=52428800


The above command will create a supervised service which runs qmail-qmqpd under tcpserver. In case you are setting up this service to relay mails to the outside world, you might also want to specify the --dkfilter, --qhpsi, --virus-filter, etc. arguments to svctool(8) so that tasks like virus scanning, dk, domainkey signing, etc. are done by the QMQP service.

A QMQP server shouldn't even have to glance at incoming messages; its only job is to queue them for qmail-send(8). Hence you should allow access to QMQP service only from your authorized clients. You can edit the file /var/indimail/etc/tcp.qmqp to grant specific access to clients. If you make changes to tcp.qmqp, don't forget to run the qmailctl command

% sudo /usr/bin/qmailctl cdb

Note: Some of the tasks like virus/spam filtering, dk, dkim signing, etc can be done either by the client (if QMAILQUEUE=/usr/bin/qmail-multi), or can be performed by QMQP service if QMAILQUEUE is defined as qmail-multi in the service's variable directory.

Tuesday, April 6, 2010

CHECKRECIPIENT - Check Recipients during SMTP

IndiMail has a feature called CHECKRECIPIENT which allows IndiMail to check, at SMTP, whether the recipient to whom the mail is being addressed exists. It is always better to reject such users at SMTP rather than later during the actual delivery to the mailbox. Due to spam, in most cases the Return Path will be forged or undeliverable. Hence you will be left with a condition where plenty of bounces will be left on your system, impacting the performance of your messaging system.

CHECKRECIPIENT can also be used to reject mails for inactive users, overquota users and users who do not have the privilege to receive mails. CHECKRECIPIENT can be enabled by setting the environment variable CHECKRECIPIENT to one of the following values
  1. Reject the user if not present in IndiMail's MySQL database
  2. Reject the user if not present in IndiMail's MySQL database and recipients.cdb
  3. Reject user if not present in recipients.cdb
You can selectively turn on CHECKRECIPIENT for selective domains by including those domains (prefixing the domain with '@' sign) in the control file /etc/indimail/control/chkrcptdomains.

If the environment variable MAX_RCPT_ERRCOUNT is set, qmail-smtpd will reject an email if, in an SMTP session, the number of recipients who do not exist exceeds MAX_RCPT_ERRCOUNT.

CHECKRECIPIENT also causes the RCPT TO command to be delayed by 5 seconds for every non-existent recipient, to make harvesting of email addresses difficult.

If you do not have a large number of users

% su
# echo 1 > /service/qmail-smtpd.25/variables/CHECKRECIPIENT
# svc -d /service/qmail-smtpd.25
# svc -u /service/qmail-smtpd.25
# exit

IndiMail Queue Mechanism

Indimail has the ability of configuring multiple local and remote queues. A queue is a location on your hard disk where email are deposited ...