UP­DATE: There is *an­oth­er* *bet­ter* test suite It is in YAM­L, though, so I need to parse it be­fore I can use it, but that's my prob­lem.

It's hav­ing a test suite that makes no sense.

I have writ­ten, for my ra-­plu­g­ins project (y­ou don't have to know what it is for this post any­way) a piece of code that tries to check mail senders us­ing SPF.

SPF is an open stan­dard. It has stan­dard im­ple­men­ta­tion­s. It has a test suite (http://www.schlit­t.net/spf/test­s/).

The test suite says this:

spf­query -ip=192.0.2.1 -sender=05.spf1-test.­mail­zone.­com -h­elo=05.spf1-test.­mail­zone.­com re­sult /.*/ fail smt­p-­com­ment /.*/ ex­pla­na­tion head­er-­com­ment /.*/ spf­query: do­main of 05.spf1-test.­mail­zone.­com does not des­ig­nate 192.0.2.1 as per­mit­ted sender re­ceived-spf /.*/ Re­ceived-SPF: fail (spf­query: do­main of 05.spf1-test.­mail­zone.­com does not des­ig­nate 192.0.2.1 as per­mit­ted sender) clien­t-ip=192.0.2.1; en­velope-from=­post­mas­ter@05.spf1-test.­mail­zone.­com; helo=05.spf1-test.­mail­zone.­com;

So, yeah:

$ spfquery -ip=192.0.2.1 -sender=05.spf1-test.mailzone.com -helo=05.spf1-test.mailzone.com
fail
Please see http://www.openspf.org/why.html?sender=05.spf1-test.mailzone.com&ip=192.0.2.1&receiver=spfquery
spfquery: domain of 05.spf1-test.mailzone.com does not designate 192.0.2.1 as permitted sender
Received-SPF: fail (spfquery: domain of 05.spf1-test.mailzone.com does not designate
192.0.2.1 as permitted sender) client-ip=192.0.2.1;
envelope-from=05.spf1-test.mailzone.com; helo=05.spf1-test.mailzone.com;

So, the stan­dard im­ple­men­ta­tion does what the test suite says.

Too bad that, if you both­er check­ing the URL you are told to "please see"...

The do­main 05.spf1-test.­mail­zone.­com has pub­lished an SPF pol­i­cy, how­ev­er the pol­i­cy is neu­tral on whether 192.0.2.1 is au­tho­rized to send mail on its be­half.

Ei­ther both the test suite and the sam­ple im­ple­men­ta­tion are wrong, or the site is wrong. And I am lean­ing to­wards "the test suite is wrong", be­cause...

$ host -t txt 05.spf1-test.mailzone.com
05.spf1-test.mailzone.com descriptive text "v=spf1 default=deny"

If you check the record syn­tax (http://www.open­spf.org/SPF_Record_Syn­tax) de­fault is an un­known mod­i­fier, and should be ig­nored, so the record is sim­ply "v=spf1", and in­deed the re­sult is neu­tral and there is no rea­son why this should be a fail.

A few peo­ple have asked me for the code. Ok, here it goes.

First, get qm­rt­g.

Then you need this: qmunin.­tar.bz2

Then build and in­stall it. You may need to mod­i­fy the sources, de­pend­ing on just how your qmail work­s. There are some ex­am­ple munin plug­ins in­clud­ed (in span­ish, I am not trans­lat­ing them ;-), which 99% sure­ly will not work for you, but they are sim­ple shell script­s, so you should be able to hack them.

Cre­at­ing a re­al re­lease of this is just use­less, be­cause ev­ery­one's qmail logs look dif­fer­en­t, so take it and hack it.

And that's it.

Ver­sion 0.2.9 of ra-­plu­g­in­s, my qmail-spp plug­in col­lec­tion is com­ing soon.

In­clud­ing lots and lots of new plu­g­in­s, a re­al build sys­tem, and even two patch­es by some­one else :-)

So, now is a good time to let me know if you are us­ing ra-­plu­g­in­s, if you have any prob­lems with it, and if you have any ideas for cool plug­ins. I can write them.

I have been pro­cras­ti­nat­ing about cre­at­ing my own Lin­ux dis­tro for at least three years. Guess what? I will still pro­cras­ti­nate about it for a few more, but that doesn mean I can't write about how it's sup­posed to work ;-)

So, here is a first piece of the puz­zle...

What do I mean by "Main in not-­mail-server­s"?

If by mail serv­er we mean a box that has the re­spon­s­abil­i­ty to han­dle send­ing mail for user­s, non-­mail-servers are all the rest.

And what is it they do with mail? They gen­er­ate it. Both the users and the pro­cess­es of those box­es gen­er­ate mail. They do it for cron job­s, they do it for main­te­nance pro­cess­es, they do it for alert­s, what­ev­er.

And what is it they do with that email? They send it some­where.

Usu­al­ly, they send it to them­selves. Which is a pret­ty use­less thing.

Go now and check the root mail­box in your com­put­er­s. I bet most of you have a bunch of mails in them you nev­er checked. Ei­ther it's im­por­tan­t, in which case you should have placed it in a mail­box you ac­tu­al­ly read, or it's not, in which case it's use­less to store.

In any case, it should­n't be there.

How does your box send those mail­s? Us­ing ei­ther the send­mail bi­na­ry, or the mail pro­gram (prob­a­bly mailx), which us­es the send­mail bi­na­ry.

Just be­cause it's called send­mail it does­n't mean it is send­mail, of course. Post­fix and qmail pro­vide a send­mail wrap­per to in­ject mail in­to their queues.

But the main prob­lem is that us­ing those means you need to have a well con­fig­ured mail serv­er in ev­ery box, even if they are not mail servers! Yes, your dis­tro gives you a de­cent con­fig­u­ra­tion by de­fault which makes things usu­al­ly work... for lo­cal mail de­liv­ery at least. Which is prob­a­bly not re­al­ly what you wan­t.

En­ter null­mail­er. A sort of heav­i­ly se­dat­ed, neutered qmail.

Con­fig­u­ra­tion:

• De­­fault do­­main name of out­­­go­ing mail in /etc/nul­l­­mail­er/me

• List of SMTP servers in /etc/null­mail­er/re­motes:

  mx1.mydomain.com smtp --user=ralsina --pass=notmyrealpass

You can put sev­er­al, it will try them in or­der.

And that's that. A tiny ser­vice, which us­es no TCP port­s. The whole thing is 59KB (or less if you use di­et libc), has one SUID bi­na­ry (but it is not SUID root), two con­fig files (both one-­lin­er­s), no need for alias­ing the sys­tem user­s.... and you can re­move post­fix/send­mail/q­mail from most of your server­s.

Sounds like a good idea to me.

Tra­di­tion­al­ly, you graphed your sys­tem's sta­tus us­ing MRTG but nowa­days, there are much nicer tool­s, and I like Munin.

For MRT­G+q­mail there are many script­s, but I could­n't find one I liked for Munin.

Since munin is mod­u­lar, it's easy to fix, of course.

First, get the ex­cel­lent qm­rtg which gives you great, quick, awe­some mul­ti­log-crunch­ing tool­s.

Then, check the cod­s, check the munin plug­in doc­s, and it's pret­ty much a 20-­line thingie. In shel­l.

I would post it, but my blog­ging tool hates shell code :-)

And you get your graph­s. I am prob­a­bly go­ing to write a col­lec­tion of these and pub­lish it some­where.