Chkuser 2.0 - settings

chkuser can be customized using the #define within chkuser_settings.h.

chkuser_settings.h must be kept through successive updates, and should be modified only if new features must be enabled, or important changes on defines have been done in newer releases/updates.

Note on version 2.0.9

Logging has been extended, and starting variables checking has been improved (changed).

define CHKUSER_ENABLE_VAUTH_OPEN has been substituted by CHKUSER_VAUTH_OPEN_CALL: this new define must contain the name of the call used to open the auth DB.

CHKUSER_ALWAYS_ON and CHKUSER_STARTING_VARIABLE cannot be defined together and in such a case a fatal error is displayed.

New variable CHKUSER_DISABLE_VARIABLE is always evaluated after CHKUSER_ALWAYS_ON is set or CHKUSER_STARTING_VARIABLE is evaluated.

A new class of defines is introduced: CHKUSER_EXTRA_*: it is and will be used when a function must be used despite of other chkuser settings (mainly CHKUSER ALWAYS_ON and similar).

Note on version 2.0.8

NULL SENDER is now always accepted. This is a base rule of RFC, used by rejected messages, read and delivery receipts. Old settings related to NULL_SENDER are now not working anymore.

The following settings are now undefined (commented) by default. If you want them, add or uncomment them.

  • CHKUSER_RCPT_FORMAT
  • CHKUSER_RCPT_MX
  • CHKUSER_SENDER_FORMAT
  • CHKUSER_SENDER_MX

Another new important define existing since 2.0.7 is here documented: CHKUSER_DB_CLEANUP defined by default. This #define let chkuser close any open connection to vpopmail. This should improve usage of MySQL and others DB resources.

Settings

Defines are here grouped in homogeneous classes:

  • Debugging
  • Enabling chkuser
  • vpopmail depending features
  • UID/GID switching
  • Checking addresses format & MX
  • Logging
  • Tarpitting
  • Quota checking
  • Error strings
  • chkuser EXTRA: must auth / submission port

Debugging

A lot of debugging lines are included in the "devel" package. Otherwise, these flags will only emit your added debugging lines.

#define

Initial version

Default status

Default value

Description

CHKUSER_DEBUG

2.0.5

commented

Enables displaying of debugging instructions. When enabled, the calls CHKUSER_DBG ("string") and CHKUSER_DBG_INT (integer) display debugging informations to terminal.

CHKUSER_DEBUG_STDERR

2.0.5

commented

Enables displaying of debugging informations to STDERR, instead of STDOUT.

Enabling chkuser

#define

Initial version

Default status

Default value

Description

CHKUSER_ALWAYS_ON

2.0.5

commented

Enables chkuser ALWAYS, despite of any other global or domain setting. When this define is activated, your .qmail-default, or any other setting or variable is no more important; if the domain is within rcpthosts it will be checked for valid recipients.
Incompatible with CHKUSER_STARTING_VARIABLE since 2.0.9.

CHKUSER_STARTING_VARIABLE

2.0.5

commented

"CHKUSER_START"

Sets the variable that must be read, at qmail-smtpd start, in order to understand how to use chkuser for any domain. The variable must be filled with the following values:

  • NONE = chkuser will not work
  • ALWAYS = chkuser will work always
  • DOMAIN = chkuser will work depending on single domain settings

Any other value, or a missing value, will disable chkuser.
Incompatible with CHKUSER_ALWAYS_ON since 2.0.9

CHKUSER_DISABLE_VARIABLE

2.0.9

commented

"CHKUSER_MUSTAUTH"

Evaluated after CHKUSER_ALWAYS_ON or CHKUSER_STARTING_VARIABLE.

CHKUSER_ENABLE_USERS

2.0.5

defined

Enables checking of users

CHKUSER_ENABLE_USERS_EXTENSIONS
former CHKUSER_ENABLE_EXTENSIONS

2.0.7

commented

Enables checking of user's extensions. Used by some customized installations, or some products (like TMDA)
In versions 2.0.5 and 2.0.6 it was named CHKUSER_ENABLE_EXTENSIONS

CHKUSER_USERS_DASH
former CHKUSER_EXTENSION_DASH

2.0.7

defined

'-'

Defines the character used to start user's extensions. Has no effect on mailing lists extensions. [must always be defined if CHKUSER_ENABLE_USER_EXTENSIONS is defined]
in versions 2.0.5 and 2.0.6 it was named CHKUSER_EXTENSION_DASH.

CHKUSER_ENABLE_ALIAS

2.0.5

defined

Enables checking of aliases

CHKUSER_ENABLE_VALIAS

2.0.5

defined

Enables checking of valiases

CHKUSER_ENABLE_EZMLM_LISTS
former CHKUSER_ENABLE_LISTS

2.0.7

defined

Enables checking of EZMLM mailing lists.
In versions 2.0.5 and 2.0.6 it was named CHKUSER_ENABLE_LISTS.

CHKUSER_EZMLM_DASH

2.0.5

defined

'-'

Defines the character used to start the extensions of mailing lists. [must always be defined if CHKUSER_ENABLE_LISTS is defined]

CHKUSER_ENABLE_MAILMAN_LISTS

2.0.7

commented

Enables checking of MAILMAN mailing lists.

CHKUSER_SPECIFIC_BOUNCING

2.0.5

commented

".qmailchkuser-bouncing"

Defines an alternative file to use while checking if bouncing must be done for a domain. If defined, this file must exist in the domain dir in order to enable chkuser checking for that domain.

CHKUSER_BOUNCE_STRING

2.0.5

defined

"bounce-no-mailbox"

String to look for inside .qmail-default in order to check for bouncing. [must always be defined if domain checking must be done and CHKUSER_SPECIFIC_BOUNCING is not defined]

CHKUSER_ENABLE_ALIAS_DEFAULT

2.0.8

defined

Enables checking of .qmail-alias-default files

vpopmail depending features

#define

Initial version

Default status

Default value

Description

CHKUSER_ENABLE_VGET_REAL_DOMAIN
(Missing in 2.0.5 release documentation and missing inside 2.0.5 chkuser_settings.h, but existing in code)

2.0.5

commented

Before version 5.3.25, vpopmail used the function vget_real_domain() to get the real name of a domain (useful if rcpt domain is aliasing another domain).
From version 5.3.25, this call is not available and has been substituted by other calls.
Must be enabled if vpopmail version < 5.3.25, otherwise must be disabled.

CHKUSER_ENABLE_VAUTH_OPEN
Substituted by CHKUSER_VAUTH_OPEN_CALL from version 2.0.9

2.0.5

commented

Enables a call checking for correct opening of MySQL/PostgreSQL/LDAP connection. Not existing anymore since 2.0.9

CHKUSER_VAUTH_OPEN_CALL

2.0.5

commented

vauth_open_update

Enables a call checking for correct opening of MySQL/PostgreSQL/LDAP connection.
Must be set to the name of the routine opening the DB:

  • For MySQL standard installation: vauth_open_update
  • For MySQL with separate servers for read and write: vauth_open


For other DB servers check by yourself the most appropriate function.

CHKUSER_VPOPMAIL

2.0.5

defined

Sets the virtual mail manager used. Up to now only vpopmail is supported, so this define is just here for future use.

CHKUSER_DB_CLEANUP

2.0.8

defined

Enables closing of connections opened for query to vpopmail archives or databases.

UID/GID switching

#define

Initial version

Default status

Default value

Description

CHKUSER_ENABLE_UIDGID

2.0.5

defined (commented in Shupp's toaster patch)

Used to switch between UIDS/GIDS, used if you want to apply a more safe mechanism, and if you're NOT using TLS (as TLS seems not to like switching of UID/GID). When not defined, qmail-smtpd must be executed as vpopmail user. When defined, qmail-smtpd runs as inoffensive qmail user, switching to vpopmail user only while executing chkuser operations.

Checking addresses format & MX

#define

Initial version

Default status

Default value

Description

CHKUSER_DOMAIN_WANTED

2.0.5

defined

Emits error if a recipient address does not contain a domain.

CHKUSER_RCPT_FORMAT

2.0.5

undefined

Default was "defined" up to version 2.0.7.
Now default is undefined.
Enables checking of valid format for recipients addresses

  • user = [a-z0-9_-.=]
  • domain = [a-z0-9-.]

without consecutive "-" or ".", without leading or ending "-" or "."

CHKUSER_RCPT_MX

2.0.5

undefined

Default was "defined" up to version 2.0.7.
Now default is undefined.
Enables checking of valid MX for recipient addresses

CHKUSER_SENDER_NOCHECK_VARIABLE

2.0.5

commented

"SENDER_NOCHECK"

This define enable usage of a variable excluding any check on the sender. The variable should be set in tcp.smtp for known clients, with static IP, whose mailer is composing bad sender addresses

CHKUSER_SENDER_FORMAT

2.0.5

undefined

Default was "defined" up to version 2.0.7.
Now default is undefined.
Enables checking of valid format for sender address

  • user = [a-z0-9_-.=]
  • domain = [a-z0-9-.]

without consecutive "-" or ".", without leading or ending "-" or "."

CHKUSER_ALLOW_SENDER_SRS

2.0.5

commented

When CHKUSER_SENDER_FORMAT is enabled, this define add "#" and "+" as permitted characters within sender address. It is used by SRS (Sender Rewriting Scheme)

CHKUSER_ALLOW_SENDER_CHAR_1

2.0.5

commented

"$"

This defines allow to accept further characters within the sender address.

CHKUSER_ALLOW_SENDER_CHAR_2

2.0.5

commented

"%"

This defines allow to accept further characters within the sender address.

CHKUSER_ALLOW_SENDER_CHAR_3

2.0.5

commented

"£"

This defines allow to accept further characters within the sender address.

CHKUSER_ALLOW_SENDER_CHAR_4

2.0.5

commented

"?"

This defines allow to accept further characters within the sender address.

CHKUSER_ALLOW_SENDER_CHAR_5

2.0.5

commented

"*"

This defines allow to accept further characters within the sender address.

CHKUSER_ALLOW_SENDER_CHAR_6

2.0.9

commented

"^"

This defines allow to accept further characters within the sender address.

CHKUSER_ALLOW_SENDER_CHAR_7

2.0.9

commented

"~"

This defines allow to accept further characters within the sender address.

CHKUSER_ALLOW_SENDER_CHAR_8

2.0.9

commented

"&"

This defines allow to accept further characters within the sender address.

CHKUSER_ALLOW_SENDER_CHAR_9

2.0.9

commented

"#"

This defines allow to accept further characters within the sender address.

CHKUSER_ALLOW_SENDER_CHAR_10

2.0.9

commented

"="

This defines allow to accept further characters within the sender address.

CHKUSER_ALLOW_RCPT_SRS

2.0.7

commented

When CHKUSER_RCPT_FORMAT is enabled, this define add "#" and "+" as permitted characters within recipient address. It is used by SRS (Sender Rewriting Scheme)

CHKUSER_ALLOW_RCPT_CHAR_1

2.0.7

commented

"$"

This defines allow to accept further characters within the recipient address.

CHKUSER_ALLOW_RCPT_CHAR_2

2.0.7

commented

"%"

This defines allow to accept further characters within the recipient address.

CHKUSER_ALLOW_RCPT_CHAR_3

2.0.7

commented

"£"

This defines allow to accept further characters within the recipient address.

CHKUSER_ALLOW_RCPT_CHAR_4

2.0.7

commented

"?"

This defines allow to accept further characters within the recipient address.

CHKUSER_ALLOW_RCPT_CHAR_5

2.0.7

commented

"*"

This defines allow to accept further characters within the recipient address.

CHKUSER_ALLOW_RCPT_CHAR_6

2.0.9

commented

"^"

This defines allow to accept further characters within the recipient address.

CHKUSER_ALLOW_RCPT_CHAR_7

2.0.9

commented

"~"

This defines allow to accept further characters within the recipient address.

CHKUSER_ALLOW_RCPT_CHAR_8

2.0.9

commented

"&"

This defines allow to accept further characters within the recipient address.

CHKUSER_ALLOW_RCPT_CHAR_9

2.0.9

commented

"#"

This defines allow to accept further characters within the recipient address.

CHKUSER_ALLOW_RCPT_CHAR_10

2.0.9

commented

"="

This defines allow to accept further characters within the recipient address.

CHKUSER_SENDER_MX

2.0.5

undefined

Default was "defined" up to version 2.0.7.
Now default is undefined.
Enables checking of valid MX for sender address

CHKUSER_MIN_DOMAIN_LEN

2.0.5

defined

4

This is a sub checking enabled by CHKUSER_SENDER_FORMAT define. Sets the minimum length of a domain, as formal control of the address. As far as I know, k.st is the shortest domain, so 4 characters is the minimum length.
If CHKUSER_SENDER_FORMAT is undefined, no check is done.
If CHKUSER_MIN_DOMAIN_LEN is undefined, no check is done.

CHKUSER_ENABLE_NULL_SENDER
_WITH_TCPREMOTEHOST

no more existing from 2.0.8

2.0.5

defined

No more existing from 2.0.8
Null senders are now always accepted..
Enables accepting null sender "<>" from hosts which have a name associated to their IP

CHKUSER_ENABLE_NULL_SENDER
no more existing from 2.0.8

2.0.7

defined

No more existing from 2.0.8
Null senders are now always accepted..
Enables accepting null sender "<>" from hosts which have a name associated to their IP

CHKUSER_ENABLE_DOUBLEBOUNCE_VARIABLE
no more existing from 2.0.8

2.0.9

defined

When the variable is defined, chkuser accepts senders which have qmail doublebounce address: <#@[]>

Logging

#define

Initial version

Default status

Default value

Description

CHKUSER_ENABLE_LOGGING

2.0.5

defined

Enables chkuser logging. If this is undefined, no logging will be done.

CHKUSER_LOG_VALID_RCPT

2.0.5

defined

Enables logging of valid recipients

CHKUSER_LOG_VALID_SENDER

2.0.5

defined

Enables logging of valid senders

CHKUSER_IDENTIFY_REMOTE_VARIABLE

2.0.7

defined

"CHKUSER_IDENTIFY"

This can be used (within tcp.smtp) to give a well readable name to IP authorized to relay. This name will be used inside chkuser logging.

Tarpitting

#define

Initial version

Default status

Default value

Description

CHKUSER_RCPT_LIMIT_VARIABLE

2.0.5

defined

"CHKUSER_RCPTLIMIT"

Defines the variable which contains the maximum number of allowed recipients. When the first value, between CHKUSER_RCPT_LIMIT_VARIABLE's variable and CHKUSER_WRONGRCPT_LIMIT_VARIABLE's variable is reached, chkuser rejects everything

CHKUSER_WRONGRCPT_LIMIT_VARIABLE

2.0.5

defined

"CHKUSER_WRONGRCPTLIMIT"

Defines the variable which contains the maximum number of wrong recipients. When the first value, between CHKUSER_RCPT_LIMIT_VARIABLE's variable and CHKUSER_WRONGRCPT_LIMIT_VARIABLE's variable is reached, chkuser rejects everything

CHKUSER_ERROR_DELAY

2.0.5

defined

1000

Delay, expressed in milliseconds, to wait for each not existing recipient

CHKUSER_ERROR_DELAY_INCREASE

2.0.5

defined

100

Increase of delay, expressed in milliseconds, to be added to the default value, for each additional wrong recipient found

CHKUSER_RCPT_DELAY_ANYERROR

2.0.5

defined

Unable delay for each error on recipients

CHKUSER_SENDER_DELAY_ANYERROR

2.0.5

defined

Enable delay for each error on senders

Quota checking

#define

Initial version

Default status

Default value

Description

CHKUSER_MBXQUOTA_VARIABLE

2.0.5

defined

"CHKUSER_MBXQUOTA"

Enables the usage of the environment variable containing the limit percent of quota.
Here you only define which variable will be used to set the percent limit, then in tcp.smpt you must set the environment variable. If the variable is not found, or variable is <= 0, quota checking is not performed.

Error strings

#define

Initial version

Default status

Default value

Description

CHKUSER_NORCPT_STRING

2.0.5

defined

"511 sorry, no mailbox here by that name (#5.1.1 - chkuser)\r\n"

Error handled by chkuser and emitted by qmail-smtpd as error response. You may change it , if you don't like it

CHKUSER_RESOURCE_STRING

2.0.5

defined

"430 system temporary unavailable, try again later (#4.3.0 - chkuser)\r\n"

Error handled by chkuser and emitted by qmail-smtpd as error response. You may change it , if you don't like it

CHKUSER_MBXFULL_STRING

2.0.5

defined

"522 sorry, recipient mailbox is full (#5.2.2 - chkuser)\r\n"

Error handled by chkuser and emitted by qmail-smtpd as error response. You may change it , if you don't like it

CHKUSER_MAXRCPT_STRING

2.0.5

defined

"571 sorry, reached maximum number of recipients for one session (#5.7.1 - chkuser)\r\n"

Error handled by chkuser and emitted by qmail-smtpd as error response. You may change it , if you don't like it

CHKUSER_MAXWRONGRCPT_STRING

2.0.5

defined

"571 sorry, you are violating our security policies (#5.1.1 - chkuser)\r\n"

Error handled by chkuser and emitted by qmail-smtpd as error response. You may change it , if you don't like it

CHKUSER_DOMAINMISSING_STRING

2.0.5

defined

"511 sorry, you must specify a domain (#5.1.1 - chkuser)\r\n"

Error handled by chkuser and emitted by qmail-smtpd as error response. You may change it , if you don't like it

CHKUSER_RCPTFORMAT_STRING

2.0.5

defined

"511 sorry, recipient address has invalid format (#5.1.1 - chkuser)\r\n"

Error handled by chkuser and emitted by qmail-smtpd as error response. You may change it , if you don't like it

CHKUSER_RCPTMX_STRING

2.0.5

defined

"511 sorry, can't find a valid MX for rcpt domain (#5.1.1 - chkuser)\r\n"

Error handled by chkuser and emitted by qmail-smtpd as error response. You may change it , if you don't like it

CHKUSER_SENDERFORMAT_STRING

2.0.5

defined

"571 sorry, sender address has invalid format (#5.7.1 - chkuser)\r\n"

Error handled by chkuser and emitted by qmail-smtpd as error response. You may change it , if you don't like it

CHKUSER_SENDERMX_STRING

2.0.5

defined

"511 sorry, can't find a valid MX for sender domain (#5.1.1 - chkuser)\r\n"

Error handled by chkuser and emitted by qmail-smtpd as error response. You may change it , if you don't like it

CHKUSER_RCPTMX_TMP_STRING

2.0.7

defined

"451 DNS temporary failure (#4.5.1 - chkuser)\r\n"

String emitted if there is a soft DNS error on recipient domain.

CHKUSER_SENDERMX_TMP_STRING

2.0.7

defined

"451 DNS temporary failure (#4.5.1 - chkuser)\r\n"

String emitted if there is a soft DNS error on sender domain.

CHKUSER_INTRUSIONTHRESHOLD_STRING

2.0.5

defined

"571 sorry, you are violating our security policies (#5.7.1 - chkuser)\r\n"

Error handled by chkuser and emitted by qmail-smtpd as error response. You may change it , if you don't like it

CHKUSER_NORELAY_STRING

2.0.5

defined

"553 sorry, that domain isn't in my list of allowed rcpthosts (#5.5.3 - chkuser)\r\n"

Error handled by chkuser and emitted by qmail-smtpd as error response. You may change it , if you don't like it

chkuser EXTRA: Must auth / Submission port

#define

Initial version

Default status

Default value

Description

CHKUSER_EXTRA_MUSTAUTH_VARIABLE

2.0.9

undefined

"CHKUSER_MUSTAUTH"

Enables the usage of the environment variable requesting acceptance on messages coming from authenticated senders.
When the variable is set, RELAYCLIENT must be set to accept messages.
This is usable with a submission port, according to RFC 2476.
This feature, when enabled, is always working despite of general chkuser on/off settings.