Plugins are the heart of qpsmtpd, but as of today, there is no good central repository for them. The qpsmtpd home page points to three locations: the SVN trunk, Peter J. Holzer's page and Gavin Carr's page, but neither of these are complete.

Additional plug-ins are also available at:

• Devin Carraway's page
  
• David Muir Sharnoff's Qpsmtpd-Plugin-Quarantine
  
• Phil Hobson's check_verybadrcptto plug-in

Some plugins from here (and some more) can be found in the SVN contrib dir.

Anti-Spam

Logging

Queue

Authentication

Miscellaneous

http://www.hjp.at/projekte/qpsmtpd/aliases/

Looks up Rcpt addresses in a local aliases file, rejects unknown addresses, expands aliases (preserving the detail string) and sets per rcpt options (which can be used by other modules).

charset

The charset plugin allows or denies selected character sets (such as iso-8859-1, us-ascii, koi8-r, big5, …). It checks the Content-Type: header for a text/* MIME Type and acts on the given charset. This plugin requires the Qpsmtpd::ContentType module found in the same place as the plugin.

check_badmailfrom

Reads the badmailfrom configuration like qmail-smtpd does. From the qmail-smtpd docs:

Unacceptable envelope sender addresses. qmail-smtpd will reject every recipient address for a message if the envelope sender address is listed in badmailfrom. A line in badmailfrom may be of the form @host, meaning every address at host.

They might be extinct by now, but in the past some dumb SMTP clients would not understand a rejection during MAIL FROM, so the plugin saves the rejection until the RCPT stage.

check_badmailfromto

Much like the similar check_badmailfrom, this plugin references both the FROM: and TO: lines, and if they both are present in the badmailfromto config file (a tab delimited list of FROM/TO pairs), then the message is blocked as if the recipient (TO) didn't exist. This is specifically designed to not give the impression that the sender is blocked (good for cases of harassment).

Based heavily on check_badmailfrom.

check_badrcptto

This plugin checks the badrcptto config (like badmailfrom for rcpt address). See also check_verybadrcptto

check_badrcptto_patterns

This plugin checks the badrcptto_patterns config. This allows special patterns to be denied (e.g. percent hack, bangs, double ats).

Configuration file: config/badrcptto_patterns

Patterns are stored in the format pattern\sresponse, where pattern is a Perl pattern expression. Don't forget to anchor the pattern if you want to restrict it from matching anywhere in the string.

qpsmtpd already ensures that the address contains an @, with something to the left and right of the @.

check_basicheaders

Make sure both From and Date headers are present, and do optional range checking on the Date header

Rejects messages that do not have a From or Date header or are completely empty.

Can also reject messages where the date in the Date header is more than some number of the days in the past or future.

Takes one optional parameter, the number of days in the future or past beyond which to reject messages. (The default is to not reject messages based on the date.)

http://www.hjp.at/projekte/qpsmtpd/check_content_type/

This module parses a MIME message into its components and compares the content types of all parts with the contents of config/content_types. It returns OK, DENY or DECLINED on the first match, or DECLINED if there is no match.

check_loop

This plugin detects loops by counting “Received” and “Delivered-To” header lines. It's a kluge but it duplicates what qmail-smtpd does, and it does at least prevent messages from looping forever.

check_goodrcptto

This plugin accepts mail only for recipients in the goodrcptto config file (i.e. like badrcptto, but whitelisting). Supports recipient username extension stripping, and both domain ('@domain.com') and username (bare 'postmaster') wildcard entries in the config file.

Useful where something like check_delivery is overkill or not an option (e.g. relays, bastion hosts).

check_verybadrcptto

This plugin checks the verybadrcptto config (like badmailfrom for rcpt address) and will stop the e-mail being sent to any of the RCPT TO addresses (unlike check_badrcptto which only stops e-mail going to the matching badrcptto addresses)

denybounce is a plugin to make sure that bounces are not accepted for addresses that never send mail.

greylisting Plugin to implement the 'greylisting' algorithm proposed by Evan Harris in http://projects.puremagic.com/greylisting/. Greylisting is a form of denysoft filter, where unrecognised new connections are temporarily denied for some initial period, to foil spammers using fire-and-forget spamware, http_proxies, etc.

Greylisting adds two main features: it tracks incoming connections using a triplet of remote IP address, sender, and recipient, rather than just using the remote IP; and it uses a set of timeout periods (black/grey/white) to control whether connections are allowed, instead of using connection counts or rates.

This plugin allows connection tracking on any or all of IP address, sender, and recipient (but uses IP address only, by default), with configurable greylist timeout periods. A simple dbm database is used for tracking connections, and relayclients are always allowed through. The plugin supports whitelisting using the whitelist_soft plugin (optional).

http://www.hjp.at/projekte/qpsmtpd/majordomo/

This module reads the majordomo configuration for recipi­ ents marked as majordomo lists and does some checks before accepting the mail.

Currently the only check implemented is “restrict_post”: If this option is set for the mailing-list, mails from senders which aren't on the lists are rejected.

http://www.hjp.at/projekte/qpsmtpd/rcpt_ok/

(Note: This plugin used to be called rcpt_ok, but the distribution now contains a different plugin with this name)

This module simply returns OK for each rcpt request. It is meant to be called after other plugins which return DECLINED for addresses which are ok (e.g, the aliases plugin).

rcpt_ldap

This plugin looks up users in an LDAP Directory, it uses the 'ldap_rcpt_filter' to match the recipient address. The default 'ldap_rcpt_filter' assumes the qmail.schema from qmail-ldap.org (inside the diff against qmail). Any filter will work, as long as at least one result is returned. Requires the Net::LDAP modules.

The rcpt_regexp check recipients against a list of regular expressions. It reads a list of regular expressions, return codes and comments from the rcpt_regexp config file. If the regular expression does NOT match m#^(/.*/)$#, it is used as a string which is compared with eq lc($rcpt). The recipient addresses are checked against this list, and if the first matches, the return code from that line and the comment are returned to qpsmtpd. Return code can be any valid plugin return code from Qpsmtpd::Constants. Matching is always done case insenstive.

spamtrap – a plugin to trap spam, and deliver it to other places than the spammer intended.

whitelist

The whitelist plugin allows portions of the SMTP conversation to override other plugins which might otherwise reject mail from a known-good sender, or where spam detection is less important than other factors.

whitelist_soft

The whitelist_soft plugin allows selected hosts or senders or recipients to be whitelisted as exceptions to later plugin processing. It is a more conservative variant of Devin Carraway's whitelist plugin.

All these plugins/programs are for working with a BerkeleyDB, the general format for this db is:

KEY=IP, DATA=timestamp|moredata

At this time (but other format/modes could be very easily implemented) it has several modes:

• The IP and a yes/no flag (and the timestamp)
• The IP and a Algorithm::TokenBucket object (and the timestamp) for blacklisting IP's based on rates of events.

Several things could be done with this plugins, for example, deny dictionary attacks, I configure the berkeley_tokenbucketadd plugin at deny hook (for example on rcpt to), and count the bad rcpt the IP is making. If the IP is having a log of bad rcpt's, the plugin, starts denying/blacklist the sender ip

Another example, would be based on a logfile count IP's and blacklist the top xxx of those IP's for a while.

Something like (pseudopseudocode, for examples look at the perldocs of the plugins):

tail -n xxxx logfile | grep "things" | sed -e 's/allgarbage_so_only_the_ip_is_left//' | sort | uniq -c | sort -n | tail | cut -f 2 | berkeley_operation --param1 --param2 ...

This would insert the top n IP's in the db, so they will be blacklisted for a while

berkeley_ipblacklist – This is the plugin that returns declined/deny/denysoft/log at connection time. (This is only reading the BerkeleyDB)

berkeley_tokenbucketadd – This is the plugin I use in Algorithm::TokenBucket mode, to save the rates of event's to the BerkeleyDB. For example, I could count the deny's for an IP

berkeley_ipblacklist_ignore – This is the whitelist plugin for all this BerkeleyDB stuff.

berkeley_operation – This is a script to mantain (add/clean) the BerkeleyDB

Remember to run db_verify at start

check_norelay

This plugin checks the norelayclients config file to see if relaying is denied.

This allows specific clients, such as the gateway, to be denied relaying, even though they would be allowed relaying by the relayclients file.

check_relay

This plugin checks the relayclients config file and $ENV{RELAYCLIENT} to see if relaying is allowed.

check_earlytalker

Checks to see if the remote host starts talking before we've issued a 2xx greeting. If so, we're likely looking at a direct-to-MX spam agent which pipelines its entire SMTP conversation, and will happily dump an entire spam into our mail log even if later tests deny acceptance.

Depending on configuration, clients which behave in this way are either immediately disconnected with a deny or denysoft code, or else are issued this on all mail/rcpt commands in the transaction.

check_spamhelo

Check a HELO message delivered from a connecting host. Reject any that appear in the badhelo config – e.g. yahoo.com and aol.com, which neither the real Yahoo or the real AOL use, but which spammers use rather a lot.

Add domains or hostnames to the badhelo configuration file; one per line.

The check_spamhelo plugin can be configured in a number of ways.

count_unrecognized_commands

Disconnect the client if it sends too many unrecognized commands. Good for rejecting spam sent through open HTTP proxies.

nodialup is a crude attempt at stopping direct-connects from DSL and dialup lines.

tarpit – Slows smtp conversation on errors

dns_whitelist_soft

The dns_whitelist_soft plugin allows selected host to be whitelisted as exceptions to later plugin processing. It is strongly based on the original dnsbl plugin as well as Gavin Carr's original whitelist_soft plugin. It is most suitable for multisite installations, so that the whitelist is stored in one location and available from all.

dnsbl

Checks the IP address of connecting peers against DNS-based blacklists such as ORDB or the SpamHaus SBL.

You may also want to have a look at some sample configuration and other hints.

rhsbl

The purpose of the plugin is to deny mail based sender’s domains who don’t obey RFCs (Request for Comments). Note that it checks the right-hand side (rhs) of the envelope sender, not the domain name of the connecting peer.

Sample configuration and more information for this plugin.

domainkeys

DomainKey signature verification plugin for qpsmtpd. Requires Mail::DomainKeys and Crypt::OpenSSL::RSA libraries.

domainkeys_sign to sign outgoing mail with DomainKeys signatures.

hashcash – a plugin to add HashCash to messages.

Also see the section on SMTP AUTH and qpsmtpd

The auth_vpopmail_sql plug-in uses a vpopmail SQL database for authentication.

The authcheckpassword plug-in works with djb's (or any other) checkpassword function.

The authpam plug-in makes use of PAM to authenticate users.

The auth_smtpd plug-in allows authentication by an SMTP server, you need to specify the server name and port in the plugins configuration file.

The auth_imap plug-in allows authentication by an IMAP server, you need to specify the server in the plugins configuration file.

content_log

A simple example of a plugin that logs all incoming mail to a file. Useful for debugging other plugins or keeping an archive of things.

http-forward This plugin allows you to send your email to a HTTP web-server using HTTP or HTTPS POST. Could be useful if you want to transport your received emails out through a firewall or if you want to make a “backup” of your emails using a remote CGI script. The plugin is using the Perl Module LWP::UserAgent - install it via 'perl -MCPAN -e shell' if you dont have it.

zmailer-queue – This plugin delivers mails to a zmailer spool dir

The virus/clamav plug-in allows you to run the ClamAV open source anti-virus tool as a virus scanner for qpsmtpd.

This plug-in adds a notes method to the Qpsmtpd::Address class. This allows arbitrary data to be attached to an address similar to the connection and transaction notes. One possible use would be to use it to pass per-recipient configuration between plug-ins.

http://www.hjp.at/projekte/qpsmtpd/address_notes/ http://svn.perl.org/viewcvs/qpsmtpd/contrib/hjp/address_notes/

http://www.hjp.at/projekte/qpsmtpd/cf_wrapper/

The cf_wrapper plugin provides a framework for content filters which may reject or accept a mail for different recipients.

connection_time

This is a simple module written as a test module for the pre- and post-connection hooks. It logs the time of a SMTP connection.

http_config

An example plugin to retrieve configuration via HTTP.

mailinglist_simple This plugin adds very simple mailinglist functionality to alias-file based distribution lists. It reads its config-file “config/mailinglist_simple” and checks if the RCPT is a defined 'mailinglist'. If true, it adds a 'Reply-to' header to the email before it gets queued. It also adds a 'Precedence: bulk' and 'X-Mailing-List' header to prevent mail-loops/bounces from auto-reply applications. Its also possible to define a mailinglist as PUBLIC or PROTECTED - meaning if everyone can send an email to the list or just members of the list. You can also have a different signature for each list that will be added to the end of the mail.

milter

This plugin allows you to attach to milter filters (yes, those written for sendmail) as though they were qpsmtpd plugins.

In order to do this you need the Net::Milter module from CPAN.

To be continued

— TyskJohan 2006/02/07 08:43

http://www.nntp.perl.org/group/perl.qpsmtpd/5243

This plugin checks for ~/.redirect. If it exists, it uses the recipient address contained there to inform the sender that this user is actualy somewhere else. This is specialy useful as an alternative for traditional forwarding because:

It doesn't break when the sender has published SPF records. It gives the final recipient's MTA a chance to perform its own delivery-time anti-spam checks (greylisting, spf, etc), in addition to whatever checks we have (or have not) performed on our side.

Check out the documentation for the Plug-in API to learn how to write your own plug-ins.