Environment

chkuser works with qmail 1.03 or netqmail 1.05, and vpopmail > 5.3.*.

External database libraries used by vpopmail are automatically integrated.

Recipients checked

chkuser checks, at SMTP level, whether the message is going to be delivered to valid recipients; if not, the message is rejected.

Recipients checked:

  • accounts (vpopmail accounts)
  • aliases (.qmail format)
  • aliases (valias format)
  • EZMLM mailing lists
  • mailman mailing lists

Additional checks

Additionally, other checks may be done:

  • valid format of sender address
  • valid MX domain of sender address
  • valid format of recipient address
  • valid MX domain of recipient address
  • check if recipient has bouncing flag enabled

RFC 2476: Submission port

chkuser may help dedicate a port (like 587) to receiving only authenticated SMTP traffic.

Tarpitting and logging

chkuser performs customized tarpitting and logging actions:

  • delay on wrong recipients
  • delay on wrong senders
  • always return an error if too many wrong recipients have been used
  • always return an error if too many recipients have been used
  • define initial delay time
  • define increments of delay for each additional wrong recipient
  • logging of accepted/rejected senders
  • logging of accepted/rejected recipients
  • logging of additional information on systems and users trying to deliver
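
The delay and limit behaviour listed above, sketched as an added example (this is not chkuser's own code). The structure and field names, the numeric values, and the choice to apply no delay once a limit has been reached are all assumptions made for illustration.

```c
#include <stdio.h>

/* Hypothetical policy knobs: names and values are assumptions, not chkuser settings. */
struct tarpit_policy {
    unsigned initial_delay_ms; /* delay for the first wrong recipient */
    unsigned delay_step_ms;    /* increment for each additional wrong recipient */
    unsigned max_wrong_rcpt;   /* after this many wrong recipients, always error */
    unsigned max_rcpt;         /* beyond this many recipients, always error */
};

struct smtp_session { unsigned rcpt_seen, wrong_seen; };
enum verdict { RCPT_ACCEPT, RCPT_REJECT_UNKNOWN, RCPT_REJECT_LIMIT };
struct rcpt_result { enum verdict verdict; unsigned delay_ms; };

/* Decide the answer to one RCPT TO and update the per-session counters. */
struct rcpt_result on_rcpt(const struct tarpit_policy *p, struct smtp_session *s, int recipient_valid)
{
    struct rcpt_result r = { RCPT_ACCEPT, 0 };
    s->rcpt_seen++;
    /* Once either limit is hit, every further recipient gets an error, valid or not. */
    if (s->rcpt_seen > p->max_rcpt || s->wrong_seen >= p->max_wrong_rcpt) {
        r.verdict = RCPT_REJECT_LIMIT;
        return r;
    }
    if (!recipient_valid) {
        /* The delay grows linearly with the wrong recipients already seen. */
        r.verdict = RCPT_REJECT_UNKNOWN;
        r.delay_ms = p->initial_delay_ms + s->wrong_seen * p->delay_step_ms;
        s->wrong_seen++;
    }
    return r;
}

int main(void)
{
    /* Constructed session: 1 = recipient exists, 0 = unknown recipient. */
    struct tarpit_policy p = { 1000, 300, 3, 10 };
    struct smtp_session s = { 0, 0 };
    int valid[] = { 1, 0, 0, 0, 1 };
    const char *name[] = { "accept", "reject (unknown)", "reject (limit)" };
    for (unsigned i = 0; i < sizeof valid / sizeof valid[0]; i++) {
        struct rcpt_result r = on_rcpt(&p, &s, valid[i]);
        printf("RCPT %u: %s, delay %u ms\n", i + 1, name[r.verdict], r.delay_ms);
    }
    return 0;
}
```

The last recipient in the constructed session is valid but is still refused, because three wrong recipients have already been counted for the session.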


Safe security model

Checking of users, aliases and mailing lists requires qmail-smtpd to run as the vpopmail user.

qmail-smtpd, patched with chkuser, may run in secure mode, switching between qmaild and vpopmail users (so running as vpopmail only when needed); it may also be started directly as vpopmail, for compatibility with SSL patches.

Further customizations

chkuser may also be customized to:

  • check the user's quota
  • accept user extensions on recipients (e.g. TMDA)
  • accept further characters in sender address
  • be enabled in several ways, in order to be usable by maildrop or other delivery agents not compatible with vdeliver, or to be always enabled regardless of individual domain settings.