Brandon's Blog » ipv6

IPv6 support for qmail-jms1

Brandon — Fri, 07 Aug 2009 21:13:34 +0000

This post is part of a series of posts dedicated to IPv6 support for qmail:

Qmail IPv6 support
- tcpserver and rblsmtpd
- sslserver
- jgreylist
- jms1 combined patch

IPv6 support in qmail

Supporting IPv6 in qmail largely revolves around DNS lookups. Patches for tcpserver and sslserver allow incoming connections over IPv6. In order to support IPv6 in qmail:

DNS lookups should prefer AAAA records, falling back to A records only if AAAA records are not available
All code referencing IP addresses should support IPv4 and IPv6 addresses
SPF queries should support IPv6 addresses

The fujiwara patch

A qmail IPv6 patch has existed since 2002 that covers the first two issues above. It is written to apply cleanly on the base qmail-1.03 distributed on Daniel Bernstein’s site. It does not include support for SPF queries as SPF is not included in the original version of qmail.

John Simpson’s combined patch

I use John Simpson’s combined patch for my qmail installs. This patch adds support for SPF as well as many other things. I have modified the fujiwara patch to apply on top of John’s combined patch as well as support SPF queries.

You can download my modified patch: qmail-1.03-jms1.7.08-ipv6.patch. Installing it is simple:

$ wget http://cr.yp.to/software/qmail-1.03.tar.gz
$ wget http://qmail.jms1.net/patches/qmail-1.03-jms1.7.08.patch
$ wget http://www.bltweb.net/qmail/qmail-1.03-jms1.7.08-ipv6.patch
$ tar -xzf qmail-1.03.tar.gz
$ mv qmail-1.03 qmail-1.03-jms1.7.08
$ cd qmail-1.03-jms1.7.08
$ patch < ../qmail-1.03-jms1.7.08.patch
$ patch -p1 < ../qmail-1.03-jms1.7.08-ipv6.patch
$ sed -ie ’1s/$/ -DINET6/’ conf-cc
$ make
$ make man
$ sudo make setup check

Configuration and running

No special configuration is needed for this patch.

When applied, connections will prefer IPv6, transparently falling back to IPv4 if no IPv6 addresses are available. This patch allows sending outbound messages over IPv6. For inbound messages, you must apply the tcpserver or sslserver patches.

Email addresses on my bltweb.net domain are IPv6 enabled thanks to a free IPv6 tunnel provided by Hurricane Electric. Feel free to send me an email once you are IPv6 enabled!

Summary

Feel free to leave any comments, corrections or questions below. Remember Gentoo users can apply all of my qmail patches automatically by using the ebuilds in my gentoo-overlay.

Once you have compiled qmail with IPv6 support, you should re-visit my main qmail IPv6 post for information about testing and using your new IPv6 qmail install.

IPv6 support for jgreylist

Brandon — Fri, 07 Aug 2009 21:13:23 +0000

This post is part of a series of posts dedicated to IPv6 support for qmail:

Qmail IPv6 support
- tcpserver and rblsmtpd
- sslserver
- jgreylist
- jms1 combined patch

jgreylist Changes

jgreylist is a program provided by John Simpson to allow greylisting in qmail. John provides two versions, one written in Perl, and one written in C. I chose to only patch the C version.

jgreylist works by using the unix timestamps of empty files to track when individual IP address or class C blocks last visited your qmail server. John does a great job of explaining how this works on his jgreylist page. You should understand how his program, especially the C version, works and is configured before continuing.

Normally, the IP addresses are stored in a directory such as /var/qmail/jgreylist. Each byte of the IP address is stored in a directory so that the IP address 127.0.0.1 would be stored in /var/qmail/jgreylist/127/000/000/001. To reduce the number of files needed, by default jgreylist actually only stores the first 3 bytes, so 127.0.0.1 would actually be stored in /var/qmail/jgreylist/127/000/000. Which behavior jgreylist uses depends on the value of the JGREYLIST_BY_IP environment variable.

My patch changes the directory structure slightly. All IPv4 addresses are stored inside an ip4 directory. IPv6 addresses are stored in an ip6 directory.

IPv6 addresses are stored in directories for each byte in the address. Unlike IPv4 addresses, each byte is represented in hex rather than decimal. When JGREYLIST_BY_IP is a non-zero value, the entire address is stored. Otherwise only the first 64 bits of the address is stored. For example, the IPv6 2001:470:1f0f:350::1 address would be stored in: /var/qmail/jgreylist/ip6/20/01/04/70/1f/0f/03/50.

Download jgreylist with IPv6 support

John distributes his jgreylist program using a single C file that you compile on your system. I needed to pull in some additional files for the IPv6 stuff so I’ve repackaged John’s file with a Makefile and other dependencies. This modified jgreylist must be run using an IPv6 patched tcpserver or sslserver.

You can download the package here: jgreylist-0.8-ipv6.tar.gz.

Compiling and installing is easy:

$ wget http://www.bltweb.net/qmail/jgreylist-0.8-ipv6.tar.gz
$ tar -xzf jgreylist-0.8-ipv6.tar.gz
$ cd jgreylist-0.8-ipv6
$ make
$ sudo make install

After installing, you should follow John’s instructions on configuring and running.

The jgreylist-clean perl script is included in the tar file above. It required no changes.

Summary

If you have any comments, corrections or questions, feel free to post them below. Remember Gentoo users can apply all of my qmail patches automatically by using the ebuilds in my gentoo-overlay. jgreylist is built in to the qmail-jms1 ebuild, just use the jgreylist USE flag.


Once you've patched jgreylist you should move on to patching qmail-jms1 or IPv6 support.



IPv6 support for sslserver
Brandon — Fri, 07 Aug 2009 21:13:14 +0000
This post is part of a series of posts dedicated to IPv6 support for qmail:

Qmail IPv6 support

tcpserver and rblsmtpd
sslserver
jgreylist
jms1 combined patch



ucspi-ssl
The ucspi-ssl package provides the sslserver program.  sslserver accepts incoming SSL connections and passes them to another program such as qmail-smtpd.  sslserver is almost identical to tcpserver except that it deals with encrypted SSL traffic rather than clear text.
I could not find an IPv6 patch for sslserver, however I was able to port the tcpserver patch to sslserver.  You can easily apply my ucspi-ssl-0.70-ipv6.patch:

$ wget http://www.superscript.com/ucspi-ssl/ucspi-ssl-0.70.tar.gz

$ wget http://www.bltweb.net/qmail/ucspi-ssl-0.70-ipv6.patch

$ tar -xzf ucspi-ssl-0.70.tar.gz

$ cd host/superscript.com/net/ucspi-ssl-0.70

$ patch -p1 < ../../../../ucspi-ssl-0.70-ipv6.patch

$ package/compile

$ sudo package/install

sslserver
To understand what the sslserver portion of the IPv6 patch does, you should be familiar with the sslserver man page and read about how tcpserver handles IPv6 on Fefe’s ucspi-tcp page.  Essentially, if a client connects via IPv4, sslserver exhibits it’s normal behavior.  If a client connects with IPv6, the PROTO environment variable will be set to “SSL6” instead of “SSL“.
The patch also supports using IPv6 addresses in your tcprules files.  A new rule may look like this:

# Don’t delay the greeting for my home server

2001:470:1f0f:350::1:allow,GREETDELAY=”0″

After applying this patch, you may notice that your logs are filled with addresses similar to: ::ffff:192.168.1.1.  This is because internally sslserver treats every IP as an IPv6 address.  IPv4 addresses are represented using their IPv4 mapped address.
Summary
If you have any comments, corrections, or questions, please feel free to leave a comment below.  Remember Gentoo users can apply all of my qmail patches automatically by using the ebuilds in my gentoo-overlay.
Once you’ve patched sslserver, you should move on to patching jgreylist for IPv6.



IPv6 support for tcpserver and rblsmtpd
Brandon — Fri, 07 Aug 2009 21:13:07 +0000
This post is part of a series of posts dedicated to IPv6 support for qmail:

Qmail IPv6 support

tcpserver and rblsmtpd
sslserver
jgreylist
jms1 combined patch



ucspi-tcp
The ucspi-tcp package provides the tcpserver and rblsmtpd programs.  tcpserver accepts incoming TCP connections and passes them to another program such as qmail-smtpd.  rblsmtpd blocks connections from RBL listed IPs.
Thanks to Fefe, a patch has been around for a while that adds IPv6 support to tcpserver.  Fefe’s patch does not touch rblsmtpd, however.
I’ve modified Fefe’s patch to patch rblsmtpd as well.  You can easily apply my ucspi-tcp-0.88-ipv6.patch:

$ wget http://cr.yp.to/ucspi-tcp/ucspi-tcp-0.88.tar.gz

$ wget http://www.bltweb.net/qmail/ucspi-tcp-0.88-ipv6.patch

$ tar -xzf ucspi-tcp-0.88.tar.gz

$ cd ucspi-tcp-0.88

$ patch -p1 < ../ucspi-tcp-0.88-ipv6.patch

$ make

$ sudo make install

tcpserver
To understand what the tcpserver portion of the IPv6 patch does, you should read Fefe’s ucspi-tcp page.  Essentially, if a client connects via IPv4, tcpserver exhibits it’s normal behavior.  If a client connects with IPv6, the PROTO environment variable will be set to “TCP6“.
The patch also supports using IPv6 addresses in your tcprules files.  A new rule may look like this:

# Ignore RBL lookups for home server

2001:470:1f0f:350::1:allow:RBLSMTPD=”"

After applying this patch, you may notice that your logs are filled with addresses similar to: ::ffff:192.168.1.1.  This is because internally tcpserver treats every IP as an IPv6 address.  IPv4 addresses are represented using their IPv4 mapped address.
rblsmtpd
When patching rblsmtpd for IPv6 support, I had to decide how to lookup IPv6 addresses.  As far as I know, there aren’t any IPv6 blacklists yet.  There isn’t a spec on how these addresses should be queried.  My patch will use a new namespace, ipv6, when querying RBLs as described here.  This means if you connect via 2001:470:1f0f:350::1, a TXT DNS lookup will be made to:

1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.5.3.0.f.0.f.1.0.7.4.0.1.0.0.2.ipv6.rbl.example.org

If anyone knows of a working RBL that differs, please let me know.
Summary
If you have any comments, corrections, or questions, please feel free to leave a comment below.  Remember Gentoo users can apply all of my qmail patches automatically by using the ebuilds in my gentoo-overlay.
Once you’ve patched tcpserver, you should move on to patching ucspi-ssl (sslserver) for IPv6.



Qmail IPv6
Brandon — Fri, 07 Aug 2009 21:12:56 +0000
Adding IPv6 support to qmail can be a daunting task.  A modern qmail system includes several different components, with various patches and configuration options for each.  There are a few patches on the internet that claim to add IPv6 support for a specific component, but I had trouble finding patches for every piece of my qmail install.
I’m not trying to defend IPv6. I realize there are many people with strong feelings towards the subject, including qmail’s author.  Switching to IPv6 is a monumental task.  It may never happen, but something needs to – we can’t keep NATing forever.
Many software projects have already added support for IPv6.  My Gentoo box has been on an IPv6 network, via Hurricane Electric’s free tunnel broker service for a while now.  Mac OS X has support for IPv6, as do the latest versions of Windows.  Even Windows XP can support IPv6 if enabled.  Postfix, Exim, and Sendmail all support IPv6.
In this series of posts, I will outline the steps I took to add IPv6 support to qmail.  I use John Simpson’s combined patch for qmail as well as many other tools and methodologies described on his site, however many of the patches and instructions in these posts will work for other versions of qmail as well.

Components
John Simpson has an excellent illustration of a typical qmail system, Anatomy of a typical qmail system [PDF], on his website.  The following articles describe the steps I took to enable IPv6 for each of the necessary components:

tcpserver and rblsmtpd
sslserver
jgreylist
jms1 combined patch

For Gentoo users, the patches described in each of the above posts can be installed automatically using the ebuilds in my gentoo-overlay.  For others, I’ve listed all the IPv6 patches on my qmail patches page.
Testing
Testing your IPv6 enabled qmail setup can be a little confusing.  There aren’t that many IPv6 enabled mail servers out there.  Even worse, most people don’t have IPv6 connections.
Hurricane Electric provides a free IPv6 tunnel broker service that will allocate a /64 block of addresses that you can use.  I host my personal mail server on a Linode which, despite being an excellent VPS, doesn’t have native IPv6.  To get around this I set up a tunnel broker and enabled AAAA entries in DNS.
To test my setup, I had to install two separate qmail installs on different servers.  Email addresses on my bltweb.net domain are now IPv6 enabled.  If you’d like to use them to test, feel free to shoot me an email.  Perhaps one day I’ll set up some type of reflector to automatically test.
IPv6 email experience
I’ve been running IPv6 mail servers at home and work for a few months now.  I haven’t been keeping detailed statistics, but for the most part the only connections I’ve seen over IPv6 thus far have been spam  
Still, enabling IPv6 in qmail wasn’t as hard as I thought it was going to be, thanks to the pre-existing patches on the internet.  Hopefully more and more companies will start to enable IPv6 on their networks, such as Netflix.  While email may still be even further out it never hurts to be ready.
Hopefully these posts have helped you add IPv6 support to your qmail install.  Feel free to leave comments or questions below and I’ll do my best to address them.



Gentoo ebuild for qmail with JMS1 combined patch
Brandon — Thu, 16 Apr 2009 05:07:00 +0000
In a previous post, I introduced a patch to add DKIM and DomainKeys support to Qmail with John Simpson’s combined patch.  In this post I’ll introduce the ebuild I wrote (well, modified) to allow easily installing qmail-jms1 on a Gentoo system.
Though this ebuild makes installing qmail with John’s patch a little easier, it doesn’t make administering a qmail system child’s play.  Before merging this ebuild, you should read through John’s website.  You may also want to read about netqmail on Gentoo.  While this ebuild has nothing to do with netqmail, it does borrow some the conventions presented in the Gentoo doc concerning starting, stopping and controlling qmail.
I didn’t include any of John’s run scripts or configuration files.  Only the combined patch is applied to the base qmail image.  I’ve also included some additional patches I’ve found useful.  They are described in more detail on my qmail patches page.  Most of my extra patches are controlled by use flags (dkim, ipv6) and not applied by default.
For the impatient, here is a direct link to the ebuild:

http://svn.bltweb.net/repos/public/gentoo_overlay/mail-mta/qmail-jms1/qmail-jms1-7.08-r1.ebuild
Install my portage overlay
The easiest way to use the qmail-jms1 ebuild is to use my Gentoo Portage Overlay.  Please see the overlay page for instructions on how to set it up.
You will need the following ebuilds from my overlay:

virtual/qmail
mail-mta/qmail-jms1
sys-apps/ucspi-tcp
mail-filter/libdkim (only needed if using the dkim use flag)

Install Qmail
Once the overlay is set up, installing qmail-jms1 is easy.
Add the following to your /etc/portage/package.keywords file:

mail-mta/qmail-jms1

sys-apps/ucspi-tcp

mail-filter/libdkim

# You may also need these:

net-mail/dot-forward

sys-process/daemontools

sys-apps/ucspi-ssl

virtual/checkpassword

net-mail/checkpassword-pam

Now install qmail-jms1:

$ emerge -pv qmail-jms1

$ sudo emerge qmail-jms1

Configure Qmail
Yeah right…  There is plenty of documentation elsewhere for this.  Try John’s website.
Start Qmail

# ln -s /var/qmail/supervise/qmail-send /service/qmail-send

# ln -s /var/qmail/supervise/qmail-smtpd /service/qmail-smtpd

# rc-update add svscan default

# /etc/init.d/svscan start

 

 

That’s all I have for now.  Installing, configuring and administering qmail should not be taken lightly.  This ebuild has made it easier for me to set up and maintain my servers, however you should only consider using it if you are already familiar with setting up a qmail server.
Feel free to leave any comments, suggestions or problems below!