Project: Qmail GMFCheck (goodmailfrom)

by Dion Sasmito

Description

I had this problem sometime ago. Presented my problem to a mailing list but no solution was given.
Problem number 1 was, 
A user in our LAN got infected with malware and it starts sending spam. 
As this is in our LAN, RELAYCLIENT is set, spam passes through.
In addition, there was problem number 2, namely 
If a spam spoofed its sender address (most are), then any bounced email will be sent to that address. 
A mail admin somewhere will get mad at me and bandwidth wasted.

Solution
Create a control file called goodmailfrom
/var/qmail/control/goodmailfrom

If envelope sender address (the part after mail from:) is not listed in goodmailfrom, qmail-smtpd will reject it.

Now any spam that spoofed its sender address will be rejected. 
The ones that pass through but bounced will be bounced back to me. 
Problems solved.

My goodmailfrom is copied from rcpthosts, at each line add '@'

There are ways to bypass goodmailfrom check
1. rm -f control/goodmailfrom
It wont do any checking and allow any envelope address (except if you configured badmailfrom etc)
2. with environment variable GMFCHECK="0" 
some IPs in our LAN are reserved for guests, they may send any mail
therefore put 
192.168.0.194:allow,RELAYCLIENT="",GMFCHECK="0"
in your tcprules cdb file (etc/tcp.smtp)

Here is my configuration

This is my control/goodmailfrom
--snip--
@metesek.com
@sasmito.net
--snap--

Note: you can also put dion@metesek.com, friend@metesek.com etc instead of @metesek

Here's a copy of my tcp.smtp
--snip--
# localhost is allowed to do _anything_
127.:allow,RELAYCLIENT="",GMFCHECK="0"
# this IP is for public access (ie laptop) so we don't do any goodmailfrom checking
203.201.183.194:allow,RELAYCLIENT="",GMFCHECK="0"
# for the rest of the LAN, we do check
203.201.183.:allow,RELAYCLIENT=""
# this is for other mailservers that are sending emails for us
# you MUST include this or else you won't receive any emails
:allow,GMFCHECK="0"
--snap--

Pick one
- netqmail-1.05.gmfcheck.patch is the patch against netqmail-1.05
- qmail-smtpd_gmfcheck.patch is the patch against qmail-smtpd.c
- qmail-smtpd.c is the patched qmail-smtpd.c

Files are here

As always, comments and suggestions are welcomed. 
My email address is located in the main page.