Contribution Idea: I have a suggestion for RCPT TO user validation.

[cystein]

Add support for validating RCPT TO recipients against a vpopmail+MySQL backend.

• Useful for configurations where user accounts are stored vpopmail+MySQL.
• Simscan should reject messages at RCPT TO stage if recipient is unknown.
• Prevents unnecessary virus/spam scanning for invalid recipients.

I haven't thought about the details yet, but I think such a feature would be useful for preventing system resources and backskatter issues. Also, the vpopmail+MySQL server where the mail accounts are located does not have to be on the same machine where the simscan code is running. If simscan is running on a mail gateway, verification can also be done from the remote server where the accounts are located.

What do you think about this?

[sagredo-dev]

Hi,
It's not very clear to me why you would modify simscan to validate the recipient by calling the server where the mailboxes are stored and where vpopmail/MySQL possibly resides. I see simscan as a program that calls external programs to analyze messages autonomously, not as something that performs operations such as mail verification itself. I think the best way would be to act at the qmail-smtpd level by creating a plugin for qmail-spp (I already did it).
That said, I'm always open to new contributions, so feel free to post your PR. 👍

[cystein]

I thought it would be good for system resource consumption if a message that came to a mailbox that does not exist was rejected by simscan before it was put into resource-consuming applications such as clamav and spamassasin. Yes, I know that there are qmail patches that provide this feature. However, I thought it would be good to add such a feature to simscan as well.

[cystein]

Hi Again,

I've pretty much finished the work I planned to do and I'm testing the code right now. I think it is a feature that will be useful for those who use Qmail as a mailgateway like me.

My code works in summary as follows;

Just before spamassasin and clamav start working, it is checked whether there is a mail recipient for a vpopmail set up with MySQL support. If there is a user, spam and virus scanning processes continue. Otherwise, the mail is rejected. The parameters to be used to connect to the MySQL database are read from the simcontrol.cdb file. If the connection to the database cannot be established, a softfail error message is returned. I continue to work on how to create logs and display them according to levels.

I would like to show you some logs produced by the running code;

2025-06-26 09:59:41.600215500 simscan:[83197]: cdb looking up for rcptmysql mysql_cfg
2025-06-26 09:59:41.600216500 simscan:[83197]: cdb for mysql_cfg found host=ip,port=3306,user=rcptchck,pass=password,db=vpopmail
2025-06-26 09:59:41.600219500 simscan:[83197]: rcptmysql: config loaded
2025-06-26 09:59:41.600220500 simscan:[83197]: rcptcheck: local=user domain=domain.com
2025-06-26 09:59:41.655602500 simscan:[83197]: rcptcheck: user@domain.com ok
2025-06-26 09:59:41.656624500 simscan: size limit is 10000000 bytes
2025-06-26 09:59:41.657141500 simscan:[83197]: calling spamc
2025-06-26 09:59:42.039055500 simscan:[83197]: cdb looking up version spam
2025-06-26 09:59:42.040379500 simscan: PDHits: 3.00 tmpHits: 3.00, SpamHits: 5.20, IsSpam: 1, PerDomainHits: 1

Another log;

2025-06-26 10:05:24.935539500 simscan:[83224]: cdb looking up for rcptmysql mysql_cfg
2025-06-26 10:05:24.935540500 simscan:[83224]: cdb for mysql_cfg found host=ip,port=3306,user=rcptchck,pass=password,db=vpopmail
2025-06-26 10:05:24.935573500 simscan:[83224]: rcptmysql: config loaded
2025-06-26 10:05:24.935573500 simscan:[83224]: rcptcheck: local=user domain=domain.com
2025-06-26 10:05:25.014920500 simscan:[83224]: rcptcheck: unknown user user@domain.com – reject 550
2025-06-26 10:05:25.016094500 simscan:[83224]: exit error code: 31

I would be very happy if you could share your thoughts with me.

Best regards..

[sagredo-dev]

Hi cystein, I don't like the fact that RCPT check is done at simscan stage, but I think it should be done earlier while checking mail format and MX validity. Anyway, I wouldn't show the attempted password in the logs and I would add an option in configure.ac so that it can be enabled at configure time (disabled by default)