|
|
Full Qmail Installation and Configuration Guide
or
Qmail+Vmailmgr+Tcpserver+RBL+SpamAssassin
+Relay-CTRL+Qmail-Scanner+Courier IMAP Guide+POP3S+SMTPS
Foreword
I wrote this guide for a couple of reasons. First, the existing qmail guides
that I've found on the net did not provide a complete qmail solution. My
first qmail installation was such a pain for me, that I had to go through a
tough qmail learning process (yes, qmail can sometimes be a real pain,
especially for newbies) and discover some things by myself. Of course, such
great Internet resources as mailing lists and other qmail contributions made
my life a lot easier :-) Konstantin Riabitsev's
Qmail-Vmailmgr-Courier-Squirrelmail Installation Guide was the first guide
that really helped me out. That's where I borrowed some stuff from while writing
this guide - of course, with his agreement. I think this is the moment when I
should bow down and express my gratitude towards all those who carried the
burden of making qmail one of the best MTAs on the Internet! Second, I simply
love qmail and would like to contribute to its development, even for a little
bit. Third, I think that many admins out there will find this guide useful and
practical. And fourth, every once in a while I do install qmail on different
servers for various reasons and I simply got tired of carrying installation
notes with me all the time. So, in a way, this guide is for myself too ;-)
1) Who should use this guide?
Anyone who wants to install a complete qmail solution.
2) Can this guide be used for productive systems i.e. big servers?
It sure can. I've done some qmail installations in productive environments
with many simultaneous users. And it works perfectly!
3) What about security?
Well, security has never been a problem with qmail. I haven't heard of anyone
breaking a qmail server version 1.03 (the one we'll be installing). As for
everything else we'll be doing here, many people find it pretty secure.
4) On what operating systems has this guide been tested on?
I've done testing mostly on Linux machines (Redhat, Debian, Mandrake). So, I
could say that everything should work flawlessly on any linux machine. It
should also work on BSD systems.
5) Stuff we'll be needing (sources)
Download the following sources to a src directory i.e. /usr/local/src
Qmail-related stuff:
- Qmail v1.03 from
http://www.qmail.org
- Qmail Patches from
http://megaz.arbuz.com
- VMailMgr v0.96.9 from
http://untroubled.org
- Relay-CTRL v3.1.1 from
http://untroubled.org
- Qmail-Autoresponder v0.96.1 from
http://untroubled.org
- Ucspi-UNIX v0.36 from
http://untroubled.org
- Ucspi-TCP v0.88 from
http://cr.yp.to
- Daemontools v0.76 from
http://cr.yp.to
- http://www.courier-mta.org
- MailDrop v1.5.3 from
http://www.courier-mta.org
- TNEF v1.2.1 from
http://sourceforge.net/projects/tnef
- SpamAssassin v2.55 from
http://www.spamassassin.org
- Qmail-Scanner v1.16 from
http://qmail-scanner.sourceforge.net
- Stunnel v3.24 from
http://www.stunnel.org
For domain administration (via www) *:
- oMail-admin v0.99 from
http://omail.omnis.ch
* I'm assuming that Apache web server and PHP are both installed, configured and fully
operational on the machine you are installing qmail on. If you haven't yet
installed Apache, there is another guide written by me which covers Apache
installation with modules such as PHP. It can be accessed from
here.
6) First things first
First, we'll have to get rid of your existing e-mail server. If you have just
finished installing Linux on your machine, most probably sendmail is also
installed. So, let's remove sendmail from your machine:
# rpm -q -a | grep sendmail
sendmail-8.11.6-3
sendmail-cf-8.11.6-3
sendmail-devel-8.11.6-3
# rpm -e sendmail --nodeps
# rpm -e sendmail-cf --nodeps
# rpm -e sendmail-devel --nodeps
|
This should get rid of all sendmail files on your machine.
If you have a FreeBSD system, run pkg_info | grep sendmail
to see if you have sendmail installed on your system. If you do, run
pkg_delete to get rid of sendmail completely.
7) Patch and Install Qmail
All right, now we are going to install Qmail from downloaded sources.
We'll apply some necessary patches to Qmail, to make sure that the solution
we are going to implement works perfectly.
OK, so first, we untar qmail and change directory to qmail sources. Then,
we apply the needed patches to Qmail:
# cd /usr/local/src
# tar zxf qmail-1.03.tar.gz
# tar zxf qmail_patches.tar.gz
# mv qmail_patches/* qmail-1.03/
# rmdir qmail_patches
# cd qmail-1.03
# patch < big-concurrency.patch
# patch < big-todo.103.patch
# patch < qmail-0.0.0.0.patch
# patch < qmail-1.03-dns.patch
# patch < qmail-1.03-mfcheck.3.patch
# patch < qmail-1.03-pop3d-stat.patch
# patch < qmail-bounce.patch
# patch < qmail-bouncecontrol-1.03.patch
# patch < qmailqueue.patch
# patch < tarpit.patch
# patch < qmail-badrcptto.patch
# patch < qmail-smtpd-relay-reject.patch
|
Right now qmail is fully patched. All we need to do is install it. Before
running make, we'll first create necessary user accounts and groups that qmail
needs for running. We will also create a qmail directory /var/qmail. Make sure
that you have enough space in that partition.
# mkdir /var/qmail
# cd /usr/local/src/qmail-1.03
# groupadd -g 5000 nofiles
# groupadd -g 5001 qmail
# useradd -u 5000 -g nofiles -d /var/qmail/alias alias
# useradd -u 5001 -g nofiles -d /var/qmail qmaild
# useradd -u 5002 -g nofiles -d /var/qmail qmaill
# useradd -u 5003 -g nofiles -d /var/qmail qmailp
# useradd -u 5004 -g qmail -d /var/qmail qmailq
# useradd -u 5005 -g qmail -d /var/qmail qmailr
# useradd -u 5006 -g qmail -d /var/qmail qmails
|
If you have a FreeBSD system, the above won't work. You will have to add groups
and users manually into /etc/groups and /etc/master.passwd and then remake
the user database by issuing pwd_mkdb -p /etc/master.passwd. Here is what you would have
to do under FreeBSD:
# cd /etc
# echo "nofiles:*:5000:" >> group
# echo "qmail:*:5001:" >> group
# echo "alias:*:5000:5000::0:0::/var/qmail/alias:" >> master.passwd
# echo "qmaild:*:5001:5000::0:0::/var/qmail:" >> master.passwd
# echo "qmaill:*:5002:5000::0:0::/var/qmail:" >> master.passwd
# echo "qmailp:*:5003:5000::0:0::/var/qmail:" >> master.passwd
# echo "qmailq:*:5004:5001::0:0::/var/qmail:" >> master.passwd
# echo "qmailr:*:5005:5001::0:0::/var/qmail:" >> master.passwd
# echo "qmails:*:5006:5001::0:0::/var/qmail:" >> master.passwd
# pwd_mkdb -p /etc/master.passwd
|
Now, we can run make and install qmail.
# make
# make setup check
|
Note: If you get an error while running
"make" that says: "Oops. Your system's FD_SET() has a hidden limit of 1024 descriptors.
This means that the qmail daemons could crash if you set the run-time concurrency higher
than 509. So I'm going to insist that the concurrency limit in conf-spawn be at most 509.
Right now it's 1000." - edit the file conf-spawn in your qmail directory and change the
concurrency limit from 1000 to 509. Save and run make again.
You might encounter compilation problems with the latest versions of glibc
(especially on Redhat Linux 9). In this case, use
this patch and try recompiling qmail again. To apply the patch, cd to your qmail
directory and type patch -p1 < qmail-1.03.errno.patch
Qmail and all of its subdirectories are installed in /var/qmail. Now we move
to the configuration step.
8) Qmail post-install configuration
Before moving any further, it is best to create a link to qmail sendmail
wrapper. The reason why we want this, is because many programs use sendmail
to send email messages. By default, sendmail is installed in /usr/sbin/sendmail
or /usr/lib/sendmail. We are going to symlink the wrapper:
# ln -s /var/qmail/bin/sendmail /usr/sbin/sendmail
# ln -s /var/qmail/bin/sendmail /usr/lib/sendmail
|
Now we need to create necessary control files in /var/qmail/control. The
examples below assume that your domain is "yourserver.com". Of course, you have
replace the occurence of yourserver.com with your qualified MX host.
# cd /var/qmail/control
# echo yourserver.com > defaultdomain
# echo localhost > locals
# echo yourserver.com > me
# echo yourserver.com > plusdomain
# echo localhost > rcpthosts
# echo yourserver.com >> rcpthosts
# echo checkvpw > checkpassword
# echo 1 > mfcheck
# echo 20 > tarpitcount
# echo 5 > tarpitdelay
|
The next step is to create various messages such as bounce and double bounce
messages.
# echo @nowhere.edu > badmailfrom
# echo @nowhere.edu > badrcptto
# echo mailer-daemon > bouncefrom
# echo yourserver.com > bouncehost
# echo 50000 > bouncemaxbytes
# echo text > bouncemessage
# echo failure notice > bouncesubject
# cp bouncehost doublebouncehost
# cp bouncemessage doublebouncemessage
# cp bouncesubject doublebouncesubject
|
I will explain below in section 18.1 what "badmailfrom" and "badrcptto" are for
and how to use them to fight against nasty spammers.
Now we need to edit two files - bouncemessage and doublebouncemessage.
Therefore, launch your favorite editor and replace "text" with your bounce message.
These files will contain the text that's going to be displayed when a message
bounces or double bounces. The example below uses vi to edit the files.
# vi bouncemessage
# vi doublebouncemessage
|
OK, the control files are all completed. Qmail configuration is now complete.
The last thing that we need to do is set up a qmail startup script.
Copy-paste the following into the file:
#!/bin/sh
PATH="/var/qmail/bin:/usr/local/bin"
export PATH
qmail-start ./Maildir | setuidgid qmaill \
multilog t n50 s1000000 \
/var/qmail/logs/qmail &
|
The first two lines of the script specify the path to executable files (so that we don't
have to write the complete path to qmail-start, setuidgid and multilog). The third line
starts qmail, specifying Mailbox as the default directory for a mail user and sets "qmaill"
as the user account under which multilog will be executed. The next line executes multilog,
which is the logger we will be using for qmail. Here, we specify the number of maximum log
files allowed in log directory (50) and the maximum size of a log file (1 MB). When a log
file reaches 1 MB in size, the log will automatically rotate by renaming "current" log and
creating a new empty log. When the number of log files reaches 50, it will automatically
remove the oldest log prior to creating a new one. The last line represents the log directory.
Of course, we should not forget about making the startup script executable and creating
qmail log directories:
# chmod 755 /var/qmail/rc
# mkdir /var/qmail/logs
# mkdir /var/qmail/logs/qmail
# chown -R qmaill:qmail /var/qmail/logs
|
9.1) Installing Ucspi-UNIX
# cd /usr/local/src
# tar zxf ucspi-unix-0.36.tar.gz
# cd ucspi-unix-0.36
# make
# make install
|
Note: If ucspi-unix fails during compilation
with an error in env.c (sysdeps.h not found) you need to get
bglibs and install it.
After untarring the source, cd into the directory and run "make" followed by "./installer".
If you get an error saying "Could not change directory to '/usr/local/bglibs'", type
"mkdir /usr/local/bglibs" and type "./installer" again. All the libraries and include
files will be created in that directory. Try recompiling ucspi-unix again. If compilation
of ucspi-unix finishes without an error, type "make install" or "./installer" to install
binaries and manuals into /usr/local/bin and /usr/local/man, respectively.
9.2) Installing Ucspi-TCP
The process is similar to qmail installation:
# cd /usr/local/src
# tar zxf ucspi-tcp-0.88.tar.gz
# cd ucspi-tcp-0.88
# wget http://www.qmail.org/ucspi-rss.diff
# patch -p1 < ucspi-rss.diff
patching file rblsmtpd.c
# make
# make setup check
|
Note: If ucspi-tcp fails during compilation
with an error "collect2: ld returned 1 exit status", you need to get three patches
(patch 1,
patch 2,
patch 3) and apply them to ucspi-tcp.
Put these patches into /usr/local/src/ucspi-tcp-0.88 directory and type
"patch -p1 < ucspi-tcp-0.88.a_record.patch",
"patch -p1 < ucspi-tcp-0.88.errno.patch" and
"patch -p1 < ucspi-tcp-0.88.nobase.patch". As usual, you'll have to rerun
"make" and "make setup check" to compile and install ucspi-tcp.
Now let's configure tcpserver. Create a script called
tcprulesedit in /usr/local/bin and copy-paste the following:
#!/bin/sh
vi /etc/tcp.smtp
/usr/local/bin/tcprules /etc/tcp.smtp.cdb \
/etc/tcp.smtp.tmp < /etc/tcp.smtp
|
This script will take care of creating and editing relay rules in qmail. You can
substitute "vi" with your favorite editor, if you want to.
As usual, make the script executable:
# chmod 755 /usr/local/bin/tcprulesedit
# tcprulesedit
|
The second line above runs the tcprulesedit script
we've just created. Copy-paste the following lines into the editor:
127.:allow,RELAYCLIENT="",RBLSMTPD="",QMAILQUEUE="/var/qmail/bin/qmail-queue"
:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
|
Note: If you are not planning to install
qmail-scanner, you should remove the QMAILQUEUE definitions above. Of course, don't
forget to get rid of all "," (commas) at the end of the lines as well.
For security purposes, we are only allowing localhost (127.) to relay messages.
Since messages coming from localhost will most probably not contain spam or viruses,
we are specifying qmail-queue as the default executable for incoming mail. This
will also decrease the server load when processing mail between local mail users.
The second line of the script just tells tcpserver to process all other mail
using qmail-scanner (to fight against spammers and viruses), the installation of
which I will be covering later in this guide.
10) Moving on with Daemontools
Daemontools installation differs from other installations, because you don't have
to "configure" or "make" the package. A directory is created in your root
structure, and all working files are placed there. Follow the instructions
below to properly install Daemontools on your system.
# mkdir -p /package
# chmod 1755 /package
# cd /package
# mv /usr/local/src/daemontools-0.76.tar.gz /package
# tar zxf daemontools-0.76.tar.gz
# mv daemontools-0.76.tar.gz /usr/local/src
# cd admin/daemontools-0.76
# package/install
|
Note: If daemontools fails during compilation
with an error "collect2: ld returned 1 exit status", you need to get a
patch and apply it on daemontools.
Put the patch into /package/admin/daemontools-0.76 and type
"patch -p1 < daemontools-0.76.errno.patch". After the patch is
applied successfully, cd into /package/admin/daemontools-0.76 and type "package/install".
Daemontools should now be installed and fully operational.
That's it, Daemontools package is installed.
11) Installing and configuring VMailMgr
To install VMailMgr, we need to run configure and make just like we do on any
other source distributions:
# cd /usr/local/src
# tar zxf vmailmgr-0.96.9.tar.gz
# cd vmailmgr-0.96.9
# ./configure
# make
# make install
|
Warning! The current version of VMailMgr does not compile on
gcc version 3. Konstantin Riabitsev was kind
enough to send me a patch that makes vmailmgr 0.96.9 compile on gcc3. The patch
can be downloaded from here.
To apply the patch, cd into the vmailmgr directory and type
"patch -p1 < vmailmgr-0.96.9-gcc32.patch".
If you don't want to use the patch, you must install an earlier version of gcc
(gcc 2.95.3 is a good release) if you want to compile VMailMgr. Overall, it is a
good idea to install gcc 2.95 anyway, especially if you want to build mySQL,
mod_perl or apache from sources. There is a separate guide that I wrote on how
to install gcc 2.95.3 on Linux. It is accessible from here.
If make and make install did not give any errors, VMailMgr is installed
properly. Let's configure VMailMgr to work with our domain.
# groupadd email
# mkdir /home/email
# chmod 755 /home/email
|
Apart from the main installation, we'll have to configure VMailMgr as well.
This step is required for controlling user quotas, auto-responder and some
other things.
# mkdir /etc/vmailmgr
# chmod 755 /etc/vmailmgr
# cd /etc/vmailmgr
# ln -s /etc/vmailmgr /usr/local/etc/vmailmgr
# echo ./Maildir/ > default-maildir
# echo maildir > maildir-arg-str
# echo passwd > password-file
# echo /tmp/.vmailmgrd > socket-file
# echo users > user-dir
# echo '#!/bin/sh' > vdeliver-predeliver
# echo '/usr/local/bin/vcheckquota' >> vdeliver-predeliver
# chmod 755 /etc/vmailmgr/*
|
The directory /etc/vmailmgr is created for
vmailmgr configuration files. The echo commands given above
control the way vmailmgr will be handling directories and mail processing.
Basically, we are telling vmailmgr that the password file for keeping
users' passwords will be "passwd" and the directory that will contain
individual user accounts will be "users". The "vdeliver-predeliver" lines
will launch "vcheckquota", which will check a user's quota limits
before delivering a message. You can change the above settings to fit
your needs, but I would recommend using the default settings provided
in this guide.
Now we need to create a set of scripts that should help us out a lot in
adding and removing virtual domains. Create a file called
add_virt in /usr/local/bin and copy paste the script below.
#!/bin/sh
DGID="email"
DHOME="/home/email"
QHOME="/var/qmail"
# Check if we're root.
if [ "$UID" != "0" ]; then
echo "Error: Must be root"
exit 1
fi
# Check for omitted params
if [ -z "$1" ]; then
echo "Usage: `basename $0` newdomain.com"
exit 1
fi
# Check if this domain already exists in virtualdomains.
if [ -f $QHOME/control/virtualdomains ]; then
if egrep -q "^$1:" $QHOME/control/virtualdomains; then
echo "Error: Domain $1 exists"
exit 1
fi
fi
NEWDOM=$1
BASEUSER=`echo $NEWDOM | sed 's/\./_/g'`
echo -n "Base Username [$BASEUSER]: "
read REPLY
if test ! -z $REPLY; then BASEUSER=$REPLY; fi
# Check if we already have this baseuser. Loop if necessary.
while egrep -q "^$BASEUSER:" /etc/passwd; do
echo "Base username $BASEUSER already exists. Please provide another."
echo -n "Base Username [$BASEUSER]: "
read REPLY
if test $REPLY; then BASEUSER=$REPLY; fi
done
echo "Creating new domain '$NEWDOM'."
UFLAGS="-d $DHOME/$NEWDOM -g $DGID -m"
useradd $UFLAGS $BASEUSER
echo "Domain base user created in $DHOME/$NEWDOM."
echo "Please provide domain password for VmailMgr."
passwd $BASEUSER
echo -n "Adding domain to control/virtualdomains..."
echo "$NEWDOM:$BASEUSER" >> $QHOME/control/virtualdomains
echo "done"
echo -n "Adding records to control/rcpthosts..."
echo "$NEWDOM" >> $QHOME/control/rcpthosts
echo "done"
echo "Setting up the domain dir for vmailmgr..."
su $BASEUSER -c "/usr/local/bin/vsetup"
echo "...done"
echo -n "Restarting Qmail..."
killall qmail-lspawn
killall qmail-send
$QHOME/rc &
echo
echo "All done! Domain $NEWDOM created."
|
Looks ugly huh? In fact, the script is pretty simple. The first line
sets a variable DGID (group ID) to "email", which is used while executing
useradd to add a virtual domain to the system.
The second line sets DHOME to "/home/email", which will be the base directory
for all virtual domains you'll be creating in the future. QHOME is the
directory where qmail is installed. The next four lines check if the user
is root (remember, only root account will be able to execute this script).
If nothing is given in command line, the script will print "Usage: add_virt
newdomain.com", for those who don't know or forgot the script usage.
Next, the script checks if the virtual domain already exists, by going through
the system /etc/passwd file. Don't worry, the scipt will not screw up or damage
your passwd file. Vmailmgr uses *nix authentication to verify virtual domains.
However, it does not necessarily mean that you are leaving security holes.
After creating the first test user, I will show you how to disable shell
access to all created virtual domains for security purposes.
When all the checks are completed successfully, the script will attempt
to create the virtual domain you specified in command line. It will first
launch useradd and add the domain. Then, it will prompt you to change
the password for the created virtual domain. Next, the script will add
the domain to /var/qmail/control/virtualdomains and /var/qmail/control/rcpthosts.
The next line executes vsetup, which takes care of setting up a virtual domain
for its first use. And finally, the last three commands will restart qmail,
so that the new settings take effect. If everything went without a glitch,
the script will print out "All done! Domain newdomain.com created."
Now, create another file called remove_virt also in
/usr/local/bin and copy paste the script below.
#!/bin/sh
QHOME="/var/qmail"
# Check for su
if test $UID != 0 ; then
echo "Error: Must be root"
exit 1
fi
# Check for omitted parameters.
if test -z "$1"; then
IAM=`basename $0`
echo "Usage: $IAM domain.com"
exit 1
fi
# Check if this domain actually exists.
if ! egrep -q "^$1:" $QHOME/control/virtualdomains; then
echo "Error: No such domain $1"
exit 1
fi
# get the baseuser.
BASEUSER=`egrep "^$1:" $QHOME/control/virtualdomains | sed 's/^.*://'`
# Check if there are discrepancies between qmail lists and /etc/passwd.
if egrep -q "^$BASEUSER:" /etc/passwd; then
echo "This will delete '$1' and all its users."
echo -n "Proceed? y/[n]: "
read YN
if test -z "$YN"; then YN="n"; fi
if test $YN != "y" ; then
echo "Aborted."
exit 1
fi
else
echo "Error: Cannot remove domain. Base User not found in system files"
exit 1
fi
OLDDOM=$1
echo -n "Removing the domain with all user files..."
userdel -r $BASEUSER
echo "done"
echo -n "Removing domain from qmail's control files..."
cd $QHOME/control
grep -v $OLDDOM virtualdomains > virt.new
grep -v $OLDDOM rcpthosts > rcpt.new
mv virt.new virtualdomains
mv rcpt.new rcpthosts
echo "done"
echo -n "Restarting qmail..."
killall qmail-lspawn
killall qmail-send
$QHOME/rc &
echo "done"
echo
echo "All done! Domain $OLDDOM deleted."
|
This script does the reverse of add_virt - i.e. it will remove the specified virtual
domain from the system. Again, QHOME is where your qmail is installed. Another
check for root user is run to prevent regular users from attempting to execute
this script. If nothing is specified in command line, the script prints "Usage:
remove_virt domain.com". Next, a quick check that tests the existence of
the virtual domain in /etc/passwd is run. If the domain is found, the root account
will be asked to confirm the deletion of the specified domain and all of its users.
If "y" is received, the account is deleted from the system via
userdel. If nothing or "n" is received, the script
exits with "Aborted." message. Once userdel removes the system account,
the script changes directory to /var/qmail/control and removes the deleted
virtual domain from "virtualdomains" and "rcpthosts" files (the grep and mv lines).
The last three commands restart qmail, for changes to take effect. If everything went
smoothly, the script prints out "All done! Domain deleteddomain.com deleted."
Good, now we need to chmod those scripts, so that they are be executable. Plus,
let's test those scripts by creating a virtual domain (yourserver.com):
# chmod 755 /usr/local/bin/add_virt
# chmod 755 /usr/local/bin/remove_virt
# add_virt yourserver.com
Creating new domain 'yourdomain.com'.
Domain holder user created in /home/email/yourdomain.com.
Please provide domain password for VmailMgr.
Changing password for user yourdomain.com.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Adding domain to control/virtualdomains...done
Adding records to control/rcpthosts...done
Setting up the domain dir for vmailmgr...
vsetup: created users directory.
vsetup: wrote '.qmail-default' file.
vsetup: added alias 'mailer-daemon'
vsetup: added alias 'postmaster'
vsetup: added alias 'root'
...done
Restarting Qmail...
All done! Domain yourdomain.com created.
|
After your type add_virt yourserver.com you'll be
asked for a password. Type the domain password and remember it - we'll need
it for domain administration later on. The script output will be similar to
what you see above. If you get an error saying
bash: /root/.bashrc: Permission denied in the middle of the script,
just ignore it.
Let's now create a test user at our domain. This user will be created solely
for testing purposes. We'll delete it after we are sure that everything
is working properly.
# su - yourserver.com
# vadduser test
Enter the user's new password:
Please type it again for verification:
vadduser: user 'test' successfully added
|
The account is created successfully. Remember or write down the password you
specified - we'll need the password later for testing our mail server.
Once you are done adding the user, type "exit" to return to superuser shell.
Now we need to disable the created virtual domains' shell access for security
purposes. Launch your favorite editor and open /etc/passwd.
Find the line with your created virtual domain. It will look something like this:
yourserver.com:x:5009:1002::/home/email/yourserver.com:/bin/bash.
Replace "/bin/bash" with either "/sbin/nologin" or "/bin/false". This makes sure
that even if someone steals your domain password, he/she will not be able to use
the shell.
12) Installing Relay-CTRL
You might wonder what Relay-CTRL is. Well, this small program performs
smtp authorization. Basically, it serves those clients who want to send
email messages through our server. It will protect the mail server from
thousands of abusers who send unsolicited mail through open-relay servers.
Not only does Relay-CTRL solve the relaying problem, but it also verifies
that only local accounts are able to send mail to outside servers.
The install procedure is fairly easy. This is what you have to do:
# cd /usr/local/src
# tar zxf relay-ctrl-3.1.1.tar.gz
# cd relay-ctrl-3.1.1
# make
# ./installer
# mkdir /var/qmail/relay-ctrl
# mkdir /var/qmail/relay-ctrl/allow
# chmod 700 /var/qmail/relay-ctrl
# chmod 777 /var/qmail/relay-ctrl/allow
# mkdir /etc/relay-ctrl
# echo /var/qmail/relay-ctrl/allow > /etc/relay-ctrl/RELAY_CTRL_DIR
# echo 900 > /etc/relay-ctrl/expiry
# echo /etc/tcp.smtp.cdb > /etc/relay-ctrl/smtpcdb
# echo /var/qmail/relay-ctrl > /etc/relay-ctrl/spooldir
# echo /usr/local/bin/tcprules > /etc/relay-ctrl/tcprules
|
What are we doing here? After installing relay-ctrl, we are setting up
"/var/qmail/relay-ctrl/allow" as the directory where temporary access
files will be written. If a user with IP "100.100.100.10" is successfully
authenticated, a file called "100.100.100.10" is created in this directory.
The file will contain "USER=yourdomain.com" (yourdomain.com being the domain
that the user belongs to). The user is now able to send messages but only
for a specified amount of time (expiry). The expiry is located in
/etc/relay-ctrl/expiry. In this guide, the expiry time is 900 seconds, which means
that after 15 minutes the user will no longer be able to send messages
through the mail server, unless he/she authenticates again.
Also, don't forget to add the following cron job to your system. You can either
put the line into /etc/crontab or create a file relay-ctrl
in /etc/cron.d
* * * * * root /usr/local/bin/envdir /etc/relay-ctrl /usr/local/bin/relay-ctrl-age
Restart the cron daemon for changes to take effect.
13) Preparing POP3 and SMTP startup environment
Qmail is useless without POP3 and SMTP protocols. You can't send and receive
e-mail from remote hosts without running these services. We have already
installed most of the stuff now. It is a good idea to test our accomplishments
so far, by running Qmail with POP3 and SMTP.
Create a file called runmail in /usr/local/bin and
copy-paste the following script (again, use your favorite editor):
#!/bin/sh
PATH="/var/qmail/bin:/usr/local/bin:/usr/local/sbin"
export PATH
cd /
exec softlimit -m 10000000 \
unixserver /tmp/.vmailmgrd vmailmgrd 2>&1 \
| setuidgid qmaill \
multilog t n100 s1000000 /var/qmail/logs/vmailmgrd & \
exec softlimit -m 10000000 \
envdir /etc/relay-ctrl relay-ctrl-chdir \
tcpserver -v -H -R -l $HOSTNAME -x /etc/tcp.smtp.cdb \
-c200 -u5002 -g5000 0 smtp rblsmtpd \
-b -r relays.ordb.org rblsmtpd -r sbl.spamhaus.org \
fixcrio relay-ctrl-check qmail-smtpd 2>&1 \
| setuidgid qmaill \
multilog t n100 s1000000 /var/qmail/logs/smtp & \
exec softlimit -m 10000000 \
envdir /etc/relay-ctrl relay-ctrl-chdir \
tcpserver -v -H -R -l $HOSTNAME -x /etc/tcp.smtp.cdb \
-c200 -u0 -g0 0 110 qmail-popup localhost \
checkvpw relay-ctrl-allow qmail-pop3d Maildir 2>&1 \
| setuidgid qmaill \
multilog t n100 s1000000 /var/qmail/logs/pop3 &
|
The above script will definitely confuse many of you. But don't worry,
I am here to explain you what each line of the above code does :-)
The script can be divided into three parts - the first one runs vmailmgr
daemon, the second one runs an smtp server and the third one runs a pop3
server. Remember, that you'll be needing both smtp and pop3
servers if you want to be able to send and receive mail. The vmailmgr daemon
is needed for web-based administration, which I will be covering in
"oMail-admin" section below.
Again, the first two lines specify the paths to executables to make
our lives easier and our script smaller. The third line changes the
directory to root. Softlimit -m 10000000 sets the maximum memory usage
to 10MB. You can limit it to a smaller amount of memory, if you want to.
Just make sure that the limit is reasonable - otherwise the program
could simply fail to execute because of memory limitations.
The next line executes vmailmgr daemon, which is needed if you want to
be able to add/remove/modify mail users through a web interface. We run
vmailmgrd through unixserver, which creates a socket and waits for
incoming connections. All vmailmgrd connections are logged in
/var/qmail/logs/vmailmgrd.
The second part of the script runs an SMTP server. Again, we limit
the memory usage to 10MB via softlimit. The envdir lines set the config
directory to /etc/relay-ctrl for relay-ctrl. The next line starting with
tcpserver is rather compicated. The "-v" switch given to tcpserver makes
sure that all error and status messages are printed out (if they occur).
The "-H" switch disables DNS lookups. We don't need to do DNS lookups,
since our patched qmail already does that. The "-R" switch will stop
tcpserver from attempting to obtain $TCPREMOTEINFO variable from remote
hosts (we don't need it). The "-l $HOSTNAME" switch will force tcpserver
not to lookup local host name in DNS (no need to resolve ourselves).
The "-x /etc/tcp.smtp.cdb" switch forces tcpserver to follow the rules
compiled by our tcprulesedit script. The "-c200" switch limits the maximum
number of simultaneous connections to 200. The "-u5002" switch sets tcpserver
user id to "qmaill" and "-g5000" sets group id to "nofiles". Next 0 and smtp
simply tell tcpserver to listen on any available interface on port 25.
The "rblsmtpd -b -r relays.ordb.org rblsmtpd -r sbl.spamhaus.org"
command executes anti-spam filter for denying blacklisted servers on
the Internet. If the first blacklist server fails, the second one
(sbl.spamhaus.org) takes over. You can check whether your blacklist
settings work by sending a test message to
nelson-sbl-test@crynwr.com.
If you receive only one message with "Terminating conversation" message
at the end, settings are good to go. If you receive two messages with one saying
"Uh-oh, your SBL block is not working!", it means that either the relay servers
are unreachable at the moment or something is wrong with your settings.
The "fixcrio" command will insert missing CRs at the end of messages. Some
old mail servers send messages that contain bare linefeeds and fixcrio will
deal with those. It's very unlikely that such servers exist, but adding
this executable will make sure that we are not denying messages from some old
non-blacklisted servers. The next "relay-ctrl-check" command checks if the
mail user has already been authenticated. If /var/qmail/relay-ctrl/allow directory
does not contain sender's IP address, the message is rejected with 553 error
message "sorry, that domain isn't in my list of allowed rcpthosts". If
everything is good and the user did authenticate before, the message is
successfully delivered through "qmail-smtpd", which is the next command
we are executing. The "setuidgid qmaill" makes multilog execute under
"qmaill" user. I've already explained multilog switches above, so
I will not go through that part again.
The third part of the script deals with running a pop3 server on port 110.
Just like we did for smtp server, we execute softlimit followed by envdir for
relay-ctrl. This is needed because relay-ctrl must record authenticated
user's IP address and domain into the temp allow directory. Next, we run
tcpserver - only this time we execute it under "root" account (the -u0
and -g0 switches). Plus, we now specify port 110 to listen on instead of
smtp (port 25). The next command "qmail-popup localhost" will read a POP
username and password from the connecting client. You can either specify
"localhost" or your fully qualified domain name after "qmail-popup". The
next line starts with "checkvpw" which is the default password authentication
utility for vmailmgr. So, all it does is - it checks whether the specified
username and password are correct. Of course, if the authentication fails,
checkvpw exits causing tcpserver to disconnect the user with a failure
message. If the authentication is successful, the next command
"relay-ctrl-allow" is executed. It will make sure that the user's IP
address and domain are recorded into a temp file in relay-ctrl's allow
directory. Next, "qmail-pop3d" is run, allowing the user to receive and
delete his/her messages from the server. Once more, we are switching to
"qmaill" user id for multilog and using /var/qmail/logs/pop3 log directory
to log all pop3 connections.
The script is ready. Now, all we need to do is make it executable:
|
# chmod 755 /usr/local/bin/runmail
|
14) Testing Qmail installation
Before we go any further, let's make sure that everything we've done so far
works properly. For that, we'll have to execute Qmail, POP3 and SMTP. Then,
we will send and receive a couple of test messages. Only then will there
be a point in continuing and completing qmail installation.
So, let's get Qmail, POP3 and SMTP running:
# /var/qmail/rc &
# /usr/local/bin/runmail
|
Type ps ax | grep qmail in shell prompt. The command
should return 8-9 different processes (qmail-send, qmail-rspawn, qmail-clean
and etc). The output will look similar to this:
17295 pts/1 S 0:00 qmail-send
17296 pts/1 S 0:00 multilog t n100 s1000000 /var...
17297 pts/1 S 0:00 qmail-lspawn ./Maildir
17298 pts/1 S 0:00 qmail-rspawn
17299 pts/1 S 0:00 qmail-clean
17315 pts/1 S 0:00 multilog t n100 s1000000 /var...
25459 pts/1 S 0:00 multilog t n100 s1000000 /var...
25461 pts/1 S 0:00 multilog t n100 s1000000 /var...
25736 pts/1 S 0:00 grep qmail
|
Now type ps ax | grep tcpserver again in shell prompt.
The command should return only three lines. The output will look similar to this:
25458 pts/1 S 0:00 tcpserver -v -H -R -l server ...
25460 pts/1 S 0:00 tcpserver -v -H -R -l server ...
25801 pts/1 S 0:00 grep tcpserver
|
If you have something similar to examples above, your installation is most
probably up and running. If you receive an empty output, something went wrong.
In that case, check out the "current" log files in /var/qmail/logs.
Our current objective is to test how our system is working. Create an account
in your e-mail client (Outlook Express, Bat or whatever you have there) on
another computer using the domain, login and password you've supplied before.
In our case, your login is "test@yourserver.com" and password is the password
that you typed in when you issued a "vadduser" command. The settings for both
POP3 and SMTP should remain default to e-mail client's values. For POP3 and
SMTP server address, either supply your new mail server's IP address or its
valid hostname. I usually type in an IP address (less DNS queries and faster).
Click send/receive and see what happens. If you get an error, see what type
of error you get. Make sure that everything you specify in your mail client
is valid and working. Sometimes people type in something wrong and then
blame it on others. I hope you are not the nut case :-) Anyway, if you get
a window that asks you to retype your password, that means that you have either
mistyped your password, or supplied a wrong login. By the way, did I mention
that you must supply your login and domain for authentication? (type in
your full e-mail address as your login - ex: test@yourserver.com).
Warning: Don't try to send an e-mail
to check how everything works yet. You will simply get an error message "unable
to exec qq". This is because we have /var/qmail/bin/qmail-scanner-queue.pl to
process the qmail queue and this file simply does not exist!
15) Qmail-Autoresponder Installation
The installation is very easy. All you need to do, is run "make", copy
the compiled binary to /usr/local/bin and make it executable.
# cd /usr/local/src
# tar zxf qmail-autoresponder-0.96.1.tar.gz
# cd qmail-autoresponder-0.96.1
# make
# cp qmail-autoresponder /usr/local/bin
# chmod 755 /usr/local/bin/qmail-autoresponder
|
Note: If you don't have MySQL
and qmail-autoresponder fails to compile giving a bunch of MySQL errors
(such as mysql.h: No such file or directory), just type "make
qmail-autoresponder" instead of "make" to compile just the autoresponder
binary.
Call qmail-autoresponder right after the delivery is successful:
# cd /etc/vmailmgr
# echo '#!/bin/sh' > vdeliver-postdeliver
# echo 'if test -s $MAILDIR/autoresponse/message.txt' >> vdeliver-postdeliver
# echo 'then' >> vdeliver-postdeliver
# echo ' qmail-autoresponder message.txt $MAILDIR/autoresponse' >> vdeliver-postdeliver
# echo 'fi' >> vdeliver-postdeliver
# chmod 755 vdeliver-postdeliver
|
16) Courier-IMAP Installation
First, we'll install Courier-IMAP to /usr/lib/courier-imap. Then, we will
configure it to work with VMailMgr by changing the password checker
(authvmailmgr).
# cd /usr/local/src
# bzip2 -d courier-imap-1.7.3.tar.bz2
# tar xf courier-imap-1.7.3.tar
# cd courier-imap-1.7.3
# ./configure --disable-root-check
# make
# make install
|
It will take a while for the configure script to be done. When I installed
courier for the first time, I thought that the script was looping and something
went wrong, so I terminated it. Don't do that - it looks like the script does
the same thing over and over again, so just be a little patient and wait.
Courier-IMAP has its own authentication scheme which needs to be changed for our
installation. This is what we need to do:
# cd /usr/local/src/vmailmgr-0.96.9
# cp authenticate/authvmailmgr /usr/lib/courier-imap/libexec/authlib
# cd /usr/lib/courier-imap/etc
# cp imapd.dist imapd
# cp imapd-ssl.dist imapd-ssl
# vi imapd
|
While editing the file imapd, change "MAXPERIP"
(Maximum connections per IP) to 20. Then, change "AUTHMODULES"
(Authentication modules) and "AUTHMODULES_ORIG"
to "authvmailmgr relay-ctrl-allow". Save and close the file.
Now do "cp authdaemonrc.dist authdaemonrc" and edit the file
authdaemonrc, delete the line that
says authmodulelist="authcustom........" and insert
authmodulelist="authvmailmgr relay-ctrl-allow". Save and close the file.
Next, do the following:
# cd /usr/lib/courier-imap/libexec/authlib
# mv authdaemond authdaemond.old
# ln -s /usr/local/bin/relay-ctrl-allow relay-ctrl-allow
# echo '#! /bin/sh' > authdaemond
# echo 'DIR=`dirname $0`' >> authdaemond
# echo 'AUTHDAEMOND=authdaemond.plain' >> authdaemond
# echo '. /usr/lib/courier-imap/etc/authdaemonrc' >> authdaemond
# echo 'if test "$version" != ""' >> authdaemond
# echo 'then' >> authdaemond
# echo ' AUTHDAEMOND="$version"' >> authdaemond
# echo 'fi' >> authdaemond
# chmod 755 authdaemond
|
Now edit imapd.rc and make some minor changes to work with relay-ctrl:
|
# vi /usr/lib/courier-imap/libexec/imapd.rc
|
Search for "/usr/lib/courier-imap/libexec/couriertcpd -address=$ADDRESS \"
line and insert "/usr/local/bin/envdir /etc/relay-ctrl /usr/local/bin/relay-ctrl-chdir \"
above it. Thus, relay-ctrl will get initialized before "couriertcpd" is called.
Let's run the IMAP server and see if it works fine:
# /usr/lib/courier-imap/libexec/imapd.rc start
# ps ax | grep courier
1698 ? S 0:00 /usr/lib/courier-imap/libexec/cour...
1711 ? S 0:00 /usr/lib/courier-imap/libexec/cour...
|
The command ps ax should return two lines. If the two
lines are present, then everything is running properly. It is now time to
test the IMAP server. Let's set up another test mail account on a windows box
and e-mail client. Only this time, instead of specifying POP3, we specify IMAP
server. After the account is all set, check if it works. Your client should
be able to download the IMAP directory structure to your PC. If it does not
work for some reason, or your password gets denied - you did something wrong.
My recommendation to you then is to recheck the guide again and make sure that
you do everything right.
Assuming that everything worked just fine, we'll take another step forward -
installing Qmail extras.
17.1) MailDrop, TNEF, SpamAssassin + Perl Utils Installation
Since we'll be running a mail scanner utility to check for spam and viruses,
some tools must be installed. Let's start with the first one - MailDrop.
# cd /usr/local/src
# bzip2 -d maildrop-1.5.3.tar.bz2
# tar xf maildrop-1.5.3.tar
# cd maildrop-1.5.3
# ./configure
# make
# make install-strip
# make install-man
|
Now TNEF unpacker. This program is used by Qmail-Scanner, which we will
be installing later.
# cd /usr/local/src
# tar zxf tnef-1.2.1.tar.gz
# cd tnef-1.2.1
# ./configure
# make
# make check
# make install
|
Installing SpamAssassin is very easy. You must have Perl installed and fully
operational in order to be able to build and install SpamAssassin. If you
prefer installing Perl modules from sources, get SpamAssassin source file from
the location specified above and run the commands "perl Makefile.PL" "make"
"make test" and "make install" respectively. Otherwise, my recommendation is
to install from CPAN shell. Execute the following command in shell:
# perl -MCPAN -eshell
cpan shell -- CPAN exploration and modules installation (v1.63)
ReadLine support enabled
cpan>
|
After the command is executed, you'll be presented to the cpan
prompt*. Just type install
Mail::SpamAssassin and press Enter. Cpan will start downloading
the sources from other servers and install SpamAssassin for you. If you
get a dependency warning, accept the default "yes" and let cpan install
whatever is needed.
* If you've never used perl CPAN, you will be presented with
a perl configuration script, which will ask some questions regarding the
installation of CPAN module. Just accept the defaults and specify the closest
location for your source downloads. When the process is complete, you should
be able to type commands in the cpan prompt. Type
install Bundle::CPAN to get and install the latest CPAN modules.
If you get an error saying something like "Makefile:91: *** missing separator. Stop."
in Redhat Linux 9, edit the file /etc/sysconfig/i18n and replace LANG="en_US.UTF-8"
with LANG="en_US". This helped me to cure module installations.
Furthermore, don't forget to install the following Perl Modules (from sources or CPAN):
Time::HiRes
DB_File
Sys::Syslog
Running Perl SpamAssassin on every mail call is expensive and inefficient,
which is why a separate "spamd" daemon written in C is included in SpamAssassin
package. To get spamd up and running, we will have to first cd to the
SpamAssassin source directory. If you have downloaded SpamAssassin and installed
it from shell, type the following in shell prompt:
# cd /usr/local/src/Mail-SpamAssassin-2.55/spamd
# cp spamc /usr/bin
# cp spamd /usr/bin
# chmod 755 /usr/bin/spam*
# cp redhat-rc-script.sh /etc/rc.d/init.d/spamd
# chmod 755 /etc/rc.d/init.d/spamd
# chkconfig --add spamd
# chkconfig spamd on
# /etc/rc.d/init.d/spamd start
Starting spamd: [ OK ]
|
If you have installed from CPAN, then change the first line to
"cd /root/.cpan/build/Mail-SpamAssassin-2.55/spamd".
Of course, you should not forget about changing the installation script
name (redhat-rc-script.sh in this case) to whatever platform you are
installing on.
Now perform the last step to make spamassassin work under qmail-scanner:
# cd /var/qmail
# mkdir .spamassassin
# chmod 700 .spamassassin
# chown qmaill:qmail .spamassassin
# cd .spamassassin
# echo 'required_hits 5' > user_prefs
|
Attention: In some cases, only changing ownership to
qmailq:qmail will make spamassassin work.
Make sure that /etc/mail/spamassassin/local.cf exists (should be created
during the install). If it doesn't, create it and copy-paste the following
into the file:
required_hits 5
rewrite_subject 1
report_header 1
use_terse_report 1
|
17.2) Sophos Antivirus and Sophie
Warning: Please skip this step if you have less than 256 MB
RAM on your mail server! Running antivirus on every single mail message
will definitely slow down your server and might consume too much memory.
It gets especially dangerous if your server is under heavy load or if you have
many simultaneous mail users. The best configuration is 512 MB of RAM used
solely for mail delivery purposes.
I have tested many different antivirus programs for Qmail, and the best one
so far has been "sweep" from Sophos. Combined with sophie (a daemon) sweep
is definitely one of the fastest solutions.
First, download Sophos Antivirus for Linux (or whatever the platform is) from
www.sophos.com. Sophos Antivirus is still
free for *nix platforms, therefore, there should not be any problem in
downloading the antivirus. Place it in /usr/local/src and execute the following
commands:
# cd /usr/local/src
# tar zxf linux.intel.libc6.tar.Z
# cd sav-install
# rm -f /usr/local/lib/libsavi.*
# ./install.sh -ni
Sophos Anti-Virus installation utility [Linux/Intel]
Copyright (c) 1998,2001 Sophos Plc, Oxford, England
|
Sophos "sweep" should be installed in /usr/local/bin. Run "sweep -v" to see
if sweep works. Download the latest version of sophie from
www.vanja.com/tools/sophie
and install it:
# cd /usr/local/src
# tar zxf sophie-1.40rc1.tar.gz
# cd sophie-1.40rc1
# ./configure --with-user=qmaill --with-group=nofiles \
--with-savilib=/usr/local/lib
# make
# cp sophie /usr/local/bin
# chmod 755 /usr/local/bin/sophie
# /usr/local/bin/sophie -D
|
Run ps ax and make sure that a sophie process exists.
18) Final touch - Qmail-Scanner
This is the last step we'll take to finish the installation - installing and
configuring Qmail-Scanner. Execute the following commands in shell:
# cd /usr/local/src
# tar zxf qmail-scanner-1.16.tgz
# cd qmail-scanner-1.16
# ./configure --spooldir /var/qmail/qmailscan \
--qmaildir /var/qmail --admin login --domain yourserver.com \
--local-domains "domain.one.com,domain.two.com" --install
Building Qmail-Scanner 1.16...
This script will search your system for the virus
scanners it knows about, and will ensure that all
external programs qmail-scanner-queue.pl uses are
explicitly pathed for performance reasons.
Continue? ([Y]/N)
|
Don't forget to change "login" to your login and
"yourserver.com" to your default domain. Also change
"domain.one.com,domain.two.com" to whatever
other domains you have on your system. If you only have one domain, specify
one and get rid of everything after comma. If you have more than two domains,
don't forget to separate them with a "," (comma).
Press enter afterwards and answer "Y" when it asks you to Continue.
Qmail-Scanner should be able to detect "spamd" (SpamAssassin) and "sophie"
(Antivirus) if you installed it. It will create directories under
/var/qmail/qmailscan and change necessary file ownerships. Then, do the
following:
# /usr/local/bin/setuidgid qmaill \
"/var/qmail/bin/qmail-scanner-queue.pl" -g
perlscanner: generate new DB file
perlscanner: total of 9 entries.
|
If the above doesn't work for you and produces an error, try changing "qmaill"
to "qmailq". If changing to "qmailq" works, you'll most probably have to modify
permissions for spamassassin and sophie as well.
This is a weird behavior that I'm unable to figure out.
Type "./contrib/test_installation.sh -doit" and then
check your e-mail. If you received three messages, everything is running
properly :-) If you haven't received anything, view
/var/qmail/qmailscan/qmail-queue.log for clues.
If something fails and you are receiving a "451 qq temporary problem", check
ownership and permissions for /var/qmail/qmailscan. The directory owner
should be qmaill:qmail and permissions should be set to 770.
Attention: In some cases,
only changing ownership to qmailq:qmail will make qmail-scanner work.
My recommendation is to always check the logs - most of the problems
will be spotted from there.
Change "$DEBUG=1" to
"$DEBUG=0" in /var/qmail/bin/qmail-scanner-queue.pl -
this will disable Qmail-Scanner's dumping of every single message delivery
process to qmail-queue.log. Furthermore, if you want messages identified as spam
to be "seen" as spam messages (very useful for filtering mail), find the line
"my $spamc_subject='';" and change it to
"my $spamc_subject='POTENTIAL SPAM:';". You could
then setup your email client to deliver messages with words "POTENTIAL SPAM"
to other mailboxes or automatically move them to trash. Sweet huh?
Phew...Qmail is now installed and fully operational :-)
18.1) Post-installation and spam control
The installation covered above should filter out most of the spam out there. But
it's not perfect. Spammers are so smart nowadays...they will do everything
possible to pass their message and advertise their products/services you
will never need. They will even fake their messages so good, that spamassassin
will be unable to identify them as spam. So, what do we do with them? There is another
solution, which for some users will be a pain, but it will definitely help you
out a lot. If you remember, earlier in the guide I said that I would explain
"badmailfrom" and "badrcptto" in more detail. Well, here we go :-)
These two files placed in /var/qmail/control directory are used by qmail to
identify the bad guys. Sometimes the bad guys are from outside networks - those
hungry spammers that just love to waste your mail traffic. In some cases, the bad
guys are your own users! I've had some users before, who advertised their e-mails
on the Internet and subscribed to gazillion newsletters. As soon as the mailbox
is full, the server starts generating failure replies, adding to traffic and
server load. And the sad thing is - even if you remove the damn user, e-mails will
keep on coming and failure replies will be generated even more. So, how do we
fight them?
The "badmailfrom" file is sort of your internal blacklist,
in which you specify domains or individual e-mail addresses from which you are
not willing to receive e-mails from. For example, if you don't want to receive
e-mails from yahoo users, simply add "@yahoo.com" in a new line. If a particular
yahoo mail user is bothering you, add his/her full e-mail address to "badmailfrom".
The next time the user tries to send a message, your server will simply deny
the message, before even processing it. Here is a good example of "badmailfrom" file:
@yahoo.com
@mail.ru
@hotmail.com
devil@netscape.net
president@whitehouse.gov
|
Here, we are denying all yahoo.com, mail.ru and hotmail.com users. Plus, we
are denying messages from individual e-mail accounts - devil@netscape.net and
president@whitehouse.gov :)
The "badrcptto" file will help you control your
local "bad guys". Every account specified in "badrcptto" will no longer receive
any e-mails. The sender will receive a delivery failure message "553 sorry, this
recipient is in my badrecipientto list" after sending an e-mail to blacklisted
local user. The "badrcptto" file is processed line by line, just like badmailfrom.
So, if you need to block access to several users, type their e-mail
addresses one per line.
There are some new tools appearing now on the Internet that help to better
fight spam, but I haven't checked them out yet. If something good is released, I will
definitely add it to this guide.
19) oMail-admin
oMail-admin is a great program written by Olivier Mueller. It allows you
to manage virtual users on your system (create users and aliases, forwarding,
mailing lists, automated replies, etc.)
oMail-admin needs "vmailmgrd" daemon to run, which should already be up and running
from the "runmail" script we've created before. Again, type ps ax
to see if a process called unixserver exists.
This step assumes that an Apache server compiled with PHP is up and running.
(If you haven't installed Apache yet, I would highly recommend my Apache
guide which is available here).
Place the oMail files into your htdocs directory, and edit your apache
configuration (httpd.conf) as necessary. Open your browser and then type
the URL for oMail-admin. Type your domain (yourserver.com) in "Email Address
or Domain Name" box and the domain password that you entered during
the "add_virt" command. Then, click "Login" and a new page with account
management should come up. It is very easy to go from there - just read "Help"
if you don't understand how it works.
20) Startup environment
Now we need to make sure that Qmail and all other extra stuff we've been
installing so far starts up properly when the machine is rebooted.
You can do it in two ways - either by placing the lines below into
your startup file (/etc/rc.d/rc.local):
# echo '# Qmail and other stuff' >> /etc/rc.d/rc.local
# echo '/var/qmail/rc &' >> /etc/rc.d/rc.local
# echo '/usr/local/bin/runmail' >> /etc/rc.d/rc.local
# echo '/usr/lib/courier-imap/libexec/imapd.rc start' >> /etc/rc.d/rc.local
|
or putting
qmail, courier and
tcpserver startup scripts into your init.d
directory. Don't forget to make those files executable and run automatically
upon reboot:
# mv qmail /etc/rc.d/init.d
# mv courier /etc/rc.d/init.d
# mv tcpserver /etc/rc.d/init.d
# chmod 755 /etc/rc.d/init.d/qmail
# chmod 755 /etc/rc.d/init.d/courier
# chmod 755 /etc/rc.d/init.d/tcpserver
# chkconfig --add qmail
# chkconfig --add courier
# chkconfig --add tcpserver
# chkconfig qmail on
# chkconfig courier on
# chkconfig tcpserver on
|
21) POP3S and SMTPS using stunnel
The way traditional POP3 and SMTP protocols work is so insecure that it's easily
possible to sniff a login/password combination using simple network utilities.
That leads to a security problem, which might result in a hacker stealing
your users' mailbox accounts. Because we are dealing with virtual users
who do not have access to shell, just because of the way the system works,
it might not be a major security problem. At least we do not have to worry
about hackers logging into a shell, stealing information and screwing up our
box. However, it's always good to take precautions no matter how small the impact
could be to your security. Normal sendmail installation, for example, authenticates
through /etc/passwd. If a user is given both mail and shell access, just think
what the end result might be. A hacker might sniff a login/pass combination for
a mailbox and then successfully login into the system via shell, even if you have
telnet disabled and only allow SSH access. Once a hacker has shell account, there
are plenty of tools out there to gain root access. And you never know what's on
hacker's mind when he/she hacks into your box. This is the major advantage of
having a virtual user system. Even if a hacker steals login/pass combination
for a mailbox account, the maximum he/she can do is overtake a mailbox. But again,
you never know. What if a user on your system uses the same combination of
login/password for both mail and shell access? Then basically, you're screwed.
This step will help you to fight the problem of plaintext login/password
authentication with a mail server. I will show you how to configure POP3 and
SMTP via SSL.
To those who wonder how we're going to accomplish this task, let me give
you some quick insight. We will have to install stunnel
first. Stunnel is a universal SSL wrapper, which will allow us to secure
POP3 and SMTP protocols through OpenSSL. Then, we are going to bind tcpserver
to stunnel and add some more options to our runmail script created earlier.
The whole process should take approximately 15 minutes, if we don't have
any compilation problems. I will try to explain each step in as much detail
as possible.
21.1) OpenSSL and Stunnel
Before installing stunnel, please make sure that you have a working version
of OpenSSL installed on the system. Try to look for openssl binary by typing
"whereis openssl" or "locate openssl" in shell. Possible locations of OpenSSL are:
/usr/bin, /usr/local/bin and /usr/local/ssl/bin but a customized installation
might have resulted in OpenSSL being somewhere else on the system. Once you
find out where it is, type "openssl version" (add the real path in front as needed).
If your version is older than 0.9.6j, I personally recommend to upgrade it or
reinstall it, because of some security issues found in previous releases.
If you have an old RPM release, get rid of it and install from source. The latest
version of OpenSSL can be found from here.
Let's install stunnel now:
# cd /usr/local/src/
# tar zxf stunnel-3.24.tar.gz
# cd stunnel-3.24
# CFLAGS="-I/usr/kerberos/include -L/usr/kerberos/lib" \
./configure --with-pem-dir=/usr/local/etc
# make
|
After "make" is done compiling sources, an RSA key will be generated for you.
All you have to do, is enter correct information. Here is a sample for arbuz.com:
Country Name (2 letter code) [PL]:UZ
State or Province Name (full name) [Some-State]:Tashkent
Locality Name (eg, city) []:Tashkent
Organization Name (eg, company) [Stunnel Developers Ltd]:Arbuz.com
Organizational Unit Name (eg, section) []:Arbuz.com
Common Name (FQDN of your server) [localhost]:arbuz.com
|
Make sure that you type your mail hostname in "Common Name (FQDN of your server)"
field. Now do the following:
# cp stunnel.pem /usr/local/etc/
# chmod 600 /usr/local/etc/stunnel.pem
# make install
|
21.2) Modifying the runmail script
The most important step in this process is how our script calls stunnel.
Unfortunately, I couldn't find any information on the web that gives
a working sample of stunnel called via tcpserver. After finding out
more about stunnel and it's command options, I came up with a working
script based on runmail you've seen above.
Add it to your runmail script if you want to have all protocols
(POP3, SMTP, POP3S and SMTPS) up and running for compatibility
or whatever reasons. If you want to have POP3S and SMTPS only,
remove everything after the first part (unixserver), then copy paste
the following into the script:
exec softlimit -m 10000000 \
envdir /etc/relay-ctrl relay-ctrl-chdir \
tcpserver -v -H -R -l $HOSTNAME -x /etc/tcp.smtp.cdb \
-c200 -u0 -g0 0 465 \
stunnel -f -p /usr/local/etc/stunnel.pem \
-l qmail-smtpd -- qmail-smtpd yourdomain.com \
fixcrio relay-ctrl-check qmail-smtpd 2>&1 \
| setuidgid qmaill \
multilog t n100 s1000000 /var/qmail/logs/smtps & \
exec softlimit -m 10000000 \
envdir /etc/relay-ctrl relay-ctrl-chdir \
tcpserver -v -H -R -l $HOSTNAME -x /etc/tcp.smtp.cdb \
-c200 -u0 -g0 0 995 \
stunnel -f -p /usr/local/etc/stunnel.pem \
-l qmail-popup -- qmail-popup yourdomain.com \
checkvpw relay-ctrl-allow qmail-pop3d Maildir 2>&1 \
| setuidgid qmaill \
multilog t n100 s1000000 /var/qmail/logs/pop3s &
|
Don't forget to change "yourdomain.com" to whatever your real domain is.
After you altered the domain, rerun runmail and test if POP3S and SMTPS
really work.
If you get an error in log saying "SSL3_READ_BYTES:tlsv1 alert unknown ca"
that means your mail client doesn't accept the SSL certificate created
earlier. Note that the certificate we created is not trusted. This is
because an authority like VeriSign or Thawte didn't sign it. I personally
don't like paying a couple of hundred dollars for an SSL certificate, but
if money is not an issue for you, you should generate your own SSL key,
and send it to an authority to sign it. That way you can get rid of
annoying warnings from mail clients. I had a couple of issues trying to
send and receive mail with "The Bat" mail client. But I then figured out
that my client didn't want to accept connections from/to an untrusted
connection. So, after adding my certificate into the address book and
into the trusted server list, I got rid of the "unknown ca" error.
I also tested the connection on Outlook Express and everything seemed
to work flawlessly (except that annoying "Internet Security Warning").
Note that POP3S and SMTPS sit on ports 995 and 465, respectively. So,
make sure you specify the ports correctly while configuring your mail
clients.
That's it! You are finally done! Congratulations :-)
If you find this guide useful or helpful, please
e-mail me and
let me know! I would love to hear some feedback.
Used Resources:
1)
Qmail-Vmailmgr-Courier-SquirrelMail Installation Guide by
Konstantin Riabitsev
2) Qmail Homepage
3) Untroubled.org by
Bruce Guenter
4) Cr.yp.to by D.J. Bernstein
5) Courier Mail Server by Double
Precision, Inc.
6) SpamAssassin.org
7) Qmail-Scanner by
Jason Haar
8) Google
|
|
|
| |
