Chkuser 2.0 - settings

chkuser can be customized using the #define within chkuser_settings.h.

chkuser_settings.h must be kept through successive updates, and should be modified only if new features must be enabled, or important changes on defines have been done in newer releases/updates.

Note on version 2.0.9

Logging has been extended, and starting variables checking has been improved (changed).

define CHKUSER_ENABLE_VAUTH_OPEN has been substituted by CHKUSER_VAUTH_OPEN_CALL: this new define must contain the name of the call used to open the auth DB.

CHKUSER_ALWAYS_ON and CHKUSER_STARTING_VARIABLE cannot be defined together and in such a case a fatal error is displayed.

New variable CHKUSER_DISABLE_VARIABLE is always evaluated after CHKUSER_ALWAYS_ON is set or CHKUSER_STARTING_VARIABLE is evaluated.

A new class of defines is introduced: CHKUSER_EXTRA_*: it is and will be used when a function must be used despite of other chkuser settings (mainly CHKUSER ALWAYS_ON and similar).

Note on version 2.0.8

NULL SENDER is now always accepted. This is a base rule of RFC, used by rejected messages, read and delivery receipts. Old settings related to NULL_SENDER are now not working anymore.

The following settings are now undefined (commented) by default. If you want them, add or uncomment them.

CHKUSER_RCPT_FORMAT
CHKUSER_RCPT_MX
CHKUSER_SENDER_FORMAT
CHKUSER_SENDER_MX

Another new important define existing since 2.0.7 is here documented: CHKUSER_DB_CLEANUP defined by default. This #define let chkuser close any open connection to vpopmail. This should improve usage of MySQL and others DB resources.

Settings

Defines are here grouped in homogeneous classes:

Debugging
Enabling chkuser
vpopmail depending features
UID/GID switching
Checking addresses format & MX
Logging
Tarpitting
Quota checking
Error strings
chkuser EXTRA: must auth / submission port

Debugging

A lot of debugging lines are included in the "devel" package. Otherwise, these flags will only emit your added debugging lines.

#define	Initial version	Default status	Default value
		Description
CHKUSER_DEBUG	2.0.5	commented
		Enables displaying of debugging instructions. When enabled, the calls CHKUSER_DBG ("string") and CHKUSER_DBG_INT (integer) display debugging informations to terminal.
CHKUSER_DEBUG_STDERR	2.0.5	commented
		Enables displaying of debugging informations to STDERR, instead of STDOUT.

Enabling chkuser

#define	Initial version	Default status	Default value
		Description
CHKUSER_ALWAYS_ON	2.0.5	commented
		Enables chkuser ALWAYS, despite of any other global or domain setting. When this define is activated, your .qmail-default, or any other setting or variable is no more important; if the domain is within rcpthosts it will be checked for valid recipients. Incompatible with CHKUSER_STARTING_VARIABLE since 2.0.9.
CHKUSER_STARTING_VARIABLE	2.0.5	commented	"CHKUSER_START"
		Sets the variable that must be read, at qmail-smtpd start, in order to understand how to use chkuser for any domain. The variable must be filled with the following values: NONE = chkuser will not work ALWAYS = chkuser will work always DOMAIN = chkuser will work depending on single domain settings Any other value, or a missing value, will disable chkuser. Incompatible with CHKUSER_ALWAYS_ON since 2.0.9
CHKUSER_DISABLE_VARIABLE	2.0.9	commented	"CHKUSER_MUSTAUTH"
		Evaluated after CHKUSER_ALWAYS_ON or CHKUSER_STARTING_VARIABLE.
CHKUSER_ENABLE_USERS	2.0.5	defined
		Enables checking of users
CHKUSER_ENABLE_USERS_EXTENSIONS former CHKUSER_ENABLE_EXTENSIONS	2.0.7	commented
		Enables checking of user's extensions. Used by some customized installations, or some products (like TMDA) In versions 2.0.5 and 2.0.6 it was named CHKUSER_ENABLE_EXTENSIONS
CHKUSER_USERS_DASH former CHKUSER_EXTENSION_DASH	2.0.7	defined	'-'
		Defines the character used to start user's extensions. Has no effect on mailing lists extensions. [must always be defined if CHKUSER_ENABLE_USER_EXTENSIONS is defined] in versions 2.0.5 and 2.0.6 it was named CHKUSER_EXTENSION_DASH.
CHKUSER_ENABLE_ALIAS	2.0.5	defined
		Enables checking of aliases
CHKUSER_ENABLE_VALIAS	2.0.5	defined
		Enables checking of valiases
CHKUSER_ENABLE_EZMLM_LISTS former CHKUSER_ENABLE_LISTS	2.0.7	defined
		Enables checking of EZMLM mailing lists. In versions 2.0.5 and 2.0.6 it was named CHKUSER_ENABLE_LISTS.
CHKUSER_EZMLM_DASH	2.0.5	defined	'-'
		Defines the character used to start the extensions of mailing lists. [must always be defined if CHKUSER_ENABLE_LISTS is defined]
CHKUSER_ENABLE_MAILMAN_LISTS	2.0.7	commented
		Enables checking of MAILMAN mailing lists.
CHKUSER_SPECIFIC_BOUNCING	2.0.5	commented	".qmailchkuser-bouncing"
		Defines an alternative file to use while checking if bouncing must be done for a domain. If defined, this file must exist in the domain dir in order to enable chkuser checking for that domain.
CHKUSER_BOUNCE_STRING	2.0.5	defined	"bounce-no-mailbox"
		String to look for inside .qmail-default in order to check for bouncing. [must always be defined if domain checking must be done and CHKUSER_SPECIFIC_BOUNCING is not defined]
CHKUSER_ENABLE_ALIAS_DEFAULT	2.0.8	defined
		Enables checking of .qmail-alias-default files

vpopmail depending features

#define	Initial version	Default status	Default value
		Description
CHKUSER_ENABLE_VGET_REAL_DOMAIN (Missing in 2.0.5 release documentation and missing inside 2.0.5 chkuser_settings.h, but existing in code)	2.0.5	commented
		Before version 5.3.25, vpopmail used the function vget_real_domain() to get the real name of a domain (useful if rcpt domain is aliasing another domain). From version 5.3.25, this call is not available and has been substituted by other calls. Must be enabled if vpopmail version < 5.3.25, otherwise must be disabled.
CHKUSER_ENABLE_VAUTH_OPEN Substituted by CHKUSER_VAUTH_OPEN_CALL from version 2.0.9	2.0.5	commented
		Enables a call checking for correct opening of MySQL/PostgreSQL/LDAP connection. Not existing anymore since 2.0.9
CHKUSER_VAUTH_OPEN_CALL	2.0.5	commented	vauth_open_update
		Enables a call checking for correct opening of MySQL/PostgreSQL/LDAP connection. Must be set to the name of the routine opening the DB: For MySQL standard installation: vauth_open_update For MySQL with separate servers for read and write: vauth_open For other DB servers check by yourself the most appropriate function.
CHKUSER_VPOPMAIL	2.0.5	defined
		Sets the virtual mail manager used. Up to now only vpopmail is supported, so this define is just here for future use.
CHKUSER_DB_CLEANUP	2.0.8	defined
		Enables closing of connections opened for query to vpopmail archives or databases.

UID/GID switching

#define	Initial version	Default status	Default value
		Description
CHKUSER_ENABLE_UIDGID	2.0.5	defined (commented in Shupp's toaster patch)
		Used to switch between UIDS/GIDS, used if you want to apply a more safe mechanism, and if you're NOT using TLS (as TLS seems not to like switching of UID/GID). When not defined, qmail-smtpd must be executed as vpopmail user. When defined, qmail-smtpd runs as inoffensive qmail user, switching to vpopmail user only while executing chkuser operations.

Checking addresses format & MX

#define	Initial version	Default status	Default value
		Description
CHKUSER_DOMAIN_WANTED	2.0.5	defined
		Emits error if a recipient address does not contain a domain.
CHKUSER_RCPT_FORMAT	2.0.5	undefined
		Default was "defined" up to version 2.0.7. Now default is undefined. Enables checking of valid format for recipients addresses user = [a-z0-9_-.=] domain = [a-z0-9-.] without consecutive "-" or ".", without leading or ending "-" or "."
CHKUSER_RCPT_MX	2.0.5	undefined
		Default was "defined" up to version 2.0.7. Now default is undefined. Enables checking of valid MX for recipient addresses
CHKUSER_SENDER_NOCHECK_VARIABLE	2.0.5	commented	"SENDER_NOCHECK"
		This define enable usage of a variable excluding any check on the sender. The variable should be set in tcp.smtp for known clients, with static IP, whose mailer is composing bad sender addresses
CHKUSER_SENDER_FORMAT	2.0.5	undefined
		Default was "defined" up to version 2.0.7. Now default is undefined. Enables checking of valid format for sender address user = [a-z0-9_-.=] domain = [a-z0-9-.] without consecutive "-" or ".", without leading or ending "-" or "."
CHKUSER_ALLOW_SENDER_SRS	2.0.5	commented
		When CHKUSER_SENDER_FORMAT is enabled, this define add "#" and "+" as permitted characters within sender address. It is used by SRS (Sender Rewriting Scheme)
CHKUSER_ALLOW_SENDER_CHAR_1	2.0.5	commented	"$"
		This defines allow to accept further characters within the sender address.
CHKUSER_ALLOW_SENDER_CHAR_2	2.0.5	commented	"%"
		This defines allow to accept further characters within the sender address.
CHKUSER_ALLOW_SENDER_CHAR_3	2.0.5	commented	"£"
		This defines allow to accept further characters within the sender address.
CHKUSER_ALLOW_SENDER_CHAR_4	2.0.5	commented	"?"
		This defines allow to accept further characters within the sender address.
CHKUSER_ALLOW_SENDER_CHAR_5	2.0.5	commented	"*"
		This defines allow to accept further characters within the sender address.
CHKUSER_ALLOW_SENDER_CHAR_6	2.0.9	commented	"^"
		This defines allow to accept further characters within the sender address.
CHKUSER_ALLOW_SENDER_CHAR_7	2.0.9	commented	"~"
		This defines allow to accept further characters within the sender address.
CHKUSER_ALLOW_SENDER_CHAR_8	2.0.9	commented	"&"
		This defines allow to accept further characters within the sender address.
CHKUSER_ALLOW_SENDER_CHAR_9	2.0.9	commented	"#"
		This defines allow to accept further characters within the sender address.
CHKUSER_ALLOW_SENDER_CHAR_10	2.0.9	commented	"="
		This defines allow to accept further characters within the sender address.
CHKUSER_ALLOW_RCPT_SRS	2.0.7	commented
		When CHKUSER_RCPT_FORMAT is enabled, this define add "#" and "+" as permitted characters within recipient address. It is used by SRS (Sender Rewriting Scheme)
CHKUSER_ALLOW_RCPT_CHAR_1	2.0.7	commented	"$"
		This defines allow to accept further characters within the recipient address.
CHKUSER_ALLOW_RCPT_CHAR_2	2.0.7	commented	"%"
		This defines allow to accept further characters within the recipient address.
CHKUSER_ALLOW_RCPT_CHAR_3	2.0.7	commented	"£"
		This defines allow to accept further characters within the recipient address.
CHKUSER_ALLOW_RCPT_CHAR_4	2.0.7	commented	"?"
		This defines allow to accept further characters within the recipient address.
CHKUSER_ALLOW_RCPT_CHAR_5	2.0.7	commented	"*"
		This defines allow to accept further characters within the recipient address.
CHKUSER_ALLOW_RCPT_CHAR_6	2.0.9	commented	"^"
		This defines allow to accept further characters within the recipient address.
CHKUSER_ALLOW_RCPT_CHAR_7	2.0.9	commented	"~"
		This defines allow to accept further characters within the recipient address.
CHKUSER_ALLOW_RCPT_CHAR_8	2.0.9	commented	"&"
		This defines allow to accept further characters within the recipient address.
CHKUSER_ALLOW_RCPT_CHAR_9	2.0.9	commented	"#"
		This defines allow to accept further characters within the recipient address.
CHKUSER_ALLOW_RCPT_CHAR_10	2.0.9	commented	"="
		This defines allow to accept further characters within the recipient address.
CHKUSER_SENDER_MX	2.0.5	undefined
		Default was "defined" up to version 2.0.7. Now default is undefined. Enables checking of valid MX for sender address
CHKUSER_MIN_DOMAIN_LEN	2.0.5	defined	4
		This is a sub checking enabled by CHKUSER_SENDER_FORMAT define. Sets the minimum length of a domain, as formal control of the address. As far as I know, k.st is the shortest domain, so 4 characters is the minimum length. If CHKUSER_SENDER_FORMAT is undefined, no check is done. If CHKUSER_MIN_DOMAIN_LEN is undefined, no check is done.
CHKUSER_ENABLE_NULL_SENDER _WITH_TCPREMOTEHOST no more existing from 2.0.8	2.0.5	defined
		No more existing from 2.0.8 Null senders are now always accepted.. Enables accepting null sender "<>" from hosts which have a name associated to their IP
CHKUSER_ENABLE_NULL_SENDER no more existing from 2.0.8	2.0.7	defined
		No more existing from 2.0.8 Null senders are now always accepted.. Enables accepting null sender "<>" from hosts which have a name associated to their IP
CHKUSER_ENABLE_DOUBLEBOUNCE_VARIABLE no more existing from 2.0.8	2.0.9	defined
		When the variable is defined, chkuser accepts senders which have qmail doublebounce address: <#@[]>

Logging

#define	Initial version	Default status	Default value
		Description
CHKUSER_ENABLE_LOGGING	2.0.5	defined
		Enables chkuser logging. If this is undefined, no logging will be done.
CHKUSER_LOG_VALID_RCPT	2.0.5	defined
		Enables logging of valid recipients
CHKUSER_LOG_VALID_SENDER	2.0.5	defined
		Enables logging of valid senders
CHKUSER_IDENTIFY_REMOTE_VARIABLE	2.0.7	defined	"CHKUSER_IDENTIFY"
		This can be used (within tcp.smtp) to give a well readable name to IP authorized to relay. This name will be used inside chkuser logging.

Tarpitting

#define	Initial version	Default status	Default value
		Description
CHKUSER_RCPT_LIMIT_VARIABLE	2.0.5	defined	"CHKUSER_RCPTLIMIT"
		Defines the variable which contains the maximum number of allowed recipients. When the first value, between CHKUSER_RCPT_LIMIT_VARIABLE's variable and CHKUSER_WRONGRCPT_LIMIT_VARIABLE's variable is reached, chkuser rejects everything
CHKUSER_WRONGRCPT_LIMIT_VARIABLE	2.0.5	defined	"CHKUSER_WRONGRCPTLIMIT"
		Defines the variable which contains the maximum number of wrong recipients. When the first value, between CHKUSER_RCPT_LIMIT_VARIABLE's variable and CHKUSER_WRONGRCPT_LIMIT_VARIABLE's variable is reached, chkuser rejects everything
CHKUSER_ERROR_DELAY	2.0.5	defined	1000
		Delay, expressed in milliseconds, to wait for each not existing recipient
CHKUSER_ERROR_DELAY_INCREASE	2.0.5	defined	100
		Increase of delay, expressed in milliseconds, to be added to the default value, for each additional wrong recipient found
CHKUSER_RCPT_DELAY_ANYERROR	2.0.5	defined
		Unable delay for each error on recipients
CHKUSER_SENDER_DELAY_ANYERROR	2.0.5	defined
		Enable delay for each error on senders

Quota checking

#define	Initial version	Default status	Default value
		Description
CHKUSER_MBXQUOTA_VARIABLE	2.0.5	defined	"CHKUSER_MBXQUOTA"
		Enables the usage of the environment variable containing the limit percent of quota. Here you only define which variable will be used to set the percent limit, then in tcp.smpt you must set the environment variable. If the variable is not found, or variable is <= 0, quota checking is not performed.

Error strings

#define	Initial version	Default status	Default value
		Description
CHKUSER_NORCPT_STRING	2.0.5	defined	"511 sorry, no mailbox here by that name (#5.1.1 - chkuser)\r\n"
		Error handled by chkuser and emitted by qmail-smtpd as error response. You may change it , if you don't like it
CHKUSER_RESOURCE_STRING	2.0.5	defined	"430 system temporary unavailable, try again later (#4.3.0 - chkuser)\r\n"
		Error handled by chkuser and emitted by qmail-smtpd as error response. You may change it , if you don't like it
CHKUSER_MBXFULL_STRING	2.0.5	defined	"522 sorry, recipient mailbox is full (#5.2.2 - chkuser)\r\n"
		Error handled by chkuser and emitted by qmail-smtpd as error response. You may change it , if you don't like it
CHKUSER_MAXRCPT_STRING	2.0.5	defined	"571 sorry, reached maximum number of recipients for one session (#5.7.1 - chkuser)\r\n"
		Error handled by chkuser and emitted by qmail-smtpd as error response. You may change it , if you don't like it
CHKUSER_MAXWRONGRCPT_STRING	2.0.5	defined	"571 sorry, you are violating our security policies (#5.1.1 - chkuser)\r\n"
		Error handled by chkuser and emitted by qmail-smtpd as error response. You may change it , if you don't like it
CHKUSER_DOMAINMISSING_STRING	2.0.5	defined	"511 sorry, you must specify a domain (#5.1.1 - chkuser)\r\n"
		Error handled by chkuser and emitted by qmail-smtpd as error response. You may change it , if you don't like it
CHKUSER_RCPTFORMAT_STRING	2.0.5	defined	"511 sorry, recipient address has invalid format (#5.1.1 - chkuser)\r\n"
		Error handled by chkuser and emitted by qmail-smtpd as error response. You may change it , if you don't like it
CHKUSER_RCPTMX_STRING	2.0.5	defined	"511 sorry, can't find a valid MX for rcpt domain (#5.1.1 - chkuser)\r\n"
		Error handled by chkuser and emitted by qmail-smtpd as error response. You may change it , if you don't like it
CHKUSER_SENDERFORMAT_STRING	2.0.5	defined	"571 sorry, sender address has invalid format (#5.7.1 - chkuser)\r\n"
		Error handled by chkuser and emitted by qmail-smtpd as error response. You may change it , if you don't like it
CHKUSER_SENDERMX_STRING	2.0.5	defined	"511 sorry, can't find a valid MX for sender domain (#5.1.1 - chkuser)\r\n"
		Error handled by chkuser and emitted by qmail-smtpd as error response. You may change it , if you don't like it
CHKUSER_RCPTMX_TMP_STRING	2.0.7	defined	"451 DNS temporary failure (#4.5.1 - chkuser)\r\n"
		String emitted if there is a soft DNS error on recipient domain.
CHKUSER_SENDERMX_TMP_STRING	2.0.7	defined	"451 DNS temporary failure (#4.5.1 - chkuser)\r\n"
		String emitted if there is a soft DNS error on sender domain.
CHKUSER_INTRUSIONTHRESHOLD_STRING	2.0.5	defined	"571 sorry, you are violating our security policies (#5.7.1 - chkuser)\r\n"
		Error handled by chkuser and emitted by qmail-smtpd as error response. You may change it , if you don't like it
CHKUSER_NORELAY_STRING	2.0.5	defined	"553 sorry, that domain isn't in my list of allowed rcpthosts (#5.5.3 - chkuser)\r\n"
		Error handled by chkuser and emitted by qmail-smtpd as error response. You may change it , if you don't like it

chkuser EXTRA: Must auth / Submission port

#define	Initial version	Default status	Default value
		Description
CHKUSER_EXTRA_MUSTAUTH_VARIABLE	2.0.9	undefined	"CHKUSER_MUSTAUTH"
		Enables the usage of the environment variable requesting acceptance on messages coming from authenticated senders. When the variable is set, RELAYCLIENT must be set to accept messages. This is usable with a submission port, according to RFC 2476. This feature, when enabled, is always working despite of general chkuser on/off settings.