qmail is vulnerable… switch to postfix [HOWTO]

It just got to my ears that qmail contains a known vulnerability that might lead to massive abuse of the mail system and your server. Usually, mail transfer agents (MTAs) require a complete e-mail address when sending an e-mail, something like “george@wirelessisfun.com”, but qmail may accept mail addressed to simple usernames like “administrator” or “george”. When it tries to send those e-mails, it will of course realize that the address is incorrect, and it will send a non-delivery report back to the originating user.

Now, do the math, and count the reports sent back for a spam frenzy of a few thousand SPAM mails sent by a malicious user. That will put quite a strain on your server, and possibly on other servers.

I only had qmail on a Parallels Plesk powered server, so below you can read how to switch from qmail to postfix, the other Plesk supported MTA.

Use an ssh client to connect to your server, make sure you have root privileges, and run the following command:

/usr/local/psa/admin/bin/mailmng --features | grep -i smtp_server

If the output of that command is:

$features['SMTP_Server'] = "Postfix";
$features['SMTP_Server_package'] = "postfix";

you are safe, and good to go, but if the output of the above command is:

$features['SMTP_Server'] = "QMail";
$features['SMTP_Server_package'] = "psa-qmail";

you should change to postfix. It’s quite simple, you just need to run the following command:

/usr/local/psa/admin/sbin/autoinstaller --select-release-current --install-component postfix

That should be it. The Parallels Plesk knowledge base has an MTA change article as well, here: http://kb.parallels.com/5801

[TUTORIAL] Parallels Plesk update all domain zones at once

I had to change all SPF records for a client today from the Parallels Plesk default, “v=spf1 +a +mx -all”, to something like “v=spf1 a mx a:server.name.tld -all”, and the fun part was that the customer had something like 50+ domains on his server.

Since the Parallels Plesk Panel holds 99.99% of its data in the psa database, DNS settings are stored there as well, in two tables.

  • dns_recs_t which holds the DNS template information, and
  • dns_recs which holds the actual domain information.

I started with changing the template, then the domains info:

-bash-3.2# mysql -u admin -p`cat /etc/psa/.psa.shadow`
mysql>
mysql> USE psa;
mysql> UPDATE dns_recs_t SET val = 'v=spf1 a mx a:server.name.tld -all' WHERE val = 'v=spf1 +a +mx -all';
mysql> UPDATE dns_recs_t SET displayVal = 'v=spf1 a mx a:server.name.tld -all' WHERE displayVal = 'v=spf1 +a +mx -all';
mysql> UPDATE dns_recs SET val = 'v=spf1 a mx a:server.name.tld -all' WHERE val = 'v=spf1 +a +mx -all';
mysql> UPDATE dns_recs SET displayVal = 'v=spf1 a mx a:server.name.tld -all' WHERE displayVal = 'v=spf1 +a +mx -all';

You can now check whether the records match:

mysql> SELECT * FROM dns_recs WHERE val LIKE '%spf%';
mysql> SELECT * FROM dns_recs_t WHERE val LIKE '%spf%';

If you got what you were looking for, now you need to change the actual DNS zone files using the dnsmng utility provided by Parallels Plesk Panel. I used the following script:

-bash-3.2# vi dns_update.sh
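#!/bin/sh

# Plesk MySQL admin password, from the same file used for the login above
ADMIN_PASS=`cat /etc/psa/.psa.shadow`
# Directory containing the mysql client, as configured in psa.conf
MYSQL_BIN_D=`grep MYSQL_BIN_D /etc/psa/psa.conf | awk '{print $2}'`
# -N suppresses the column-name header so the output is only domain names
mysql="${MYSQL_BIN_D}/mysql -N -uadmin -p${ADMIN_PASS} psa"

query="select name from domains;"
domains=`echo "$query" | $mysql`

# Regenerate the zone file of every domain from the psa database
for i in ${domains}; do
    echo "found $i"
    /usr/local/psa/admin/sbin/dnsmng update "$i"
    echo "zone for $i updated"
done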

Then just run the script:

-bash-3.2# sh dns_update.sh

Now all you have to do is a final check in the zones directory. I did something like:

-bash-3.2# cd /var/named/run-root/var
-bash-3.2# grep -i spf *
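
With 50+ zones, the raw grep output is easy to misread, so here is a stricter version of that final check as an added example (not part of the original post or of Plesk). It assumes the directory holds one zone file per domain and that SPF is published as a quoted TXT string; the function name and the sample zone files are constructed for illustration.

```shell
#!/bin/sh
# check_spf_zones DIR EXPECTED
# Prints "<state> <file>" for every zone file in DIR and returns 0 only
# if each one carries exactly one SPF record equal to EXPECTED.
#   OK      one SPF record, and it is the expected one
#   STALE   one SPF record, but not the expected one (zone not regenerated)
#   MULTI   more than one SPF record (receivers treat this as an SPF error)
#   MISSING no SPF record at all
check_spf_zones() {
    dir=$1
    expected=$2
    rc=0
    for zone in "$dir"/*; do
        [ -f "$zone" ] || continue
        # Ignore BIND comment lines (leading ';'); grep -c exits 1 on a
        # zero count, so "|| true" keeps the function usable under set -e.
        total=$(grep -v '^[[:space:]]*;' "$zone" | grep -ci -e 'v=spf1' || true)
        good=$(grep -v '^[[:space:]]*;' "$zone" | grep -cF -e "\"$expected\"" || true)
        if [ "$total" -eq 0 ]; then state=MISSING
        elif [ "$total" -gt 1 ]; then state=MULTI
        elif [ "$good" -eq 1 ]; then state=OK
        else state=STALE
        fi
        [ "$state" = OK ] || rc=1
        echo "$state ${zone##*/}"
    done
    return $rc
}

# Demo on constructed zone files (not real data).
demo=$(mktemp -d)
new='v=spf1 a mx a:server.name.tld -all'
printf '%s\n' "fixed.example. IN TXT \"$new\"" > "$demo/fixed.example"
printf '%s\n' 'old.example. IN TXT "v=spf1 +a +mx -all"' > "$demo/old.example"
check_spf_zones "$demo" "$new" || echo "some zones still need attention"
rm -rf "$demo"
```

On the server, point it at the zones directory and pass the new record as the second argument; any line that is not OK names a zone to re-run through dnsmng or inspect by hand.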

Have fun, and use the above at your own risk.