Full Qmail Installation and Configuration Guide
or
Qmail + Vmailmgr + Tcpserver + RBL + SpamAssassin + Relay-CTRL + Qmail-Scanner + Courier IMAP Guide + POP3S + SMTPS
1) Who should use this guide?
Anyone who wants to install a complete qmail solution.
2) Can this guide be used for productive systems i.e. big servers?
It sure can. I’ve done some qmail installations in productive environments with many simultaneous users. And it works perfectly!
3) What about security?
Well, security has never been a problem with qmail. I haven’t heard of anyone breaking NetQmail version 1.05 (the one we’ll be installing). As for everything else we’ll be doing here, many people find it pretty secure.
4) On what operating systems has this guide been tested on?
I’ve done testing mostly on Linux machines (Fedora, Redhat, Debian, Mandrake). So, I could say that everything should work flawlessly on any linux machine. It should also work on BSD systems.
5) Stuff we’ll be needing (sources)
Download the following sources to a src directory i.e. /usr/local/src
Qmail-related stuff:
- NetQmail v1.06 from http://www.qmail.org
- Qmail Patches from http://megaz.arbuz.com
- VMailMgr v0.97 from http://untroubled.org
- VMailMgr Tools v0.2 from http://untroubled.org
- Relay-CTRL v3.1.1 from http://untroubled.org
- Qmail-Autoresponder v0.97 from http://untroubled.org
- Ucspi-UNIX v0.36 from http://untroubled.org
- Ucspi-TCP v0.88 from http://cr.yp.to
- Daemontools v0.76 from http://cr.yp.to
- Courier-IMAP v3.0.8 from http://www.courier-mta.org
- MailDrop v2.0.4 from http://www.courier-mta.org
- TNEF v1.4.4 from http://sourceforge.net/projects/tnef
- SpamAssassin v3.2.5 from http://spamassassin.apache.org
- Qmail-Scanner v2.05 from http://qmail-scanner.sourceforge.net
- Stunnel v3.26 from http://www.stunnel.org
For domain administration (via www) *:
- oMail-admin v1.2rc1 from http://omail.omnis.ch/
* I’m assuming that Apache web server and PHP are both installed, configured and fully operational on the machine you are installing qmail on. If you haven’t yet installed Apache, there is another guide written by me which covers Apache installation with modules such as PHP. It can be accessed from here.
6) First things first
First, we’ll have to get rid of your existing e-mail server. If you have just finished installing Linux on your machine, most probably sendmail is also installed. So, let’s remove sendmail from your machine:
# rpm -q -a | grep sendmail
sendmail-8.13.8-2
sendmail-cf-8.13.8-2
sendmail-devel-8.13.8-2 # rpm -e sendmail –nodeps
# rpm -e sendmail-cf –nodeps
# rpm -e sendmail-devel –nodeps
This should get rid of all sendmail files on your machine.
If you have a FreeBSD system, run pkg_info | grep sendmail to see if you have sendmail installed on your system. If you do, run pkg_delete to get rid of sendmail completely.
7) Patch and Install Qmail
All right, now we are going to install Qmail from downloaded sources. We’ll apply some necessary patches to Qmail, to make sure that the solution we are going to implement works perfectly.
OK, so first, we untar qmail and change directory to qmail sources. Then, we apply the needed patches to Qmail:
# cd /usr/local/src
# tar zxf netqmail-1.06.tar.gz
# tar zxf qmail_patches.tar.gz
# mv qmail_patches/* netqmail-1.06/
# rmdir ../qmail_patches
# cd netqmail-1.06
# patch < qmail-big-ext-todo.patch
# patch < qmail-big-concurrency.patch
# patch < qmail-doublebounce-trim.patch
# patch < qmail-1.03-dns.patch
# patch < qmail-1.03-mfcheck.4.patch
# patch < qmail-1.03-pop3d-stat.patch
# patch < qmail-bounce.patch
# patch < qmail-bouncecontrol-1.03.patch
# patch < qmail-tarpit.patch
# patch < qmail-badrcptto.patch
# patch < qmail-smtpd-relay-reject.patch
# patch < qmail-accept-5xx.patch
# patch < qmail-nullenvsender.patch
Some of the above patches were modified by me because of some code conflicts. I did not create one big patch for everything since some of you might not want to install a specific patch. If you are interested in what each of the above patches does, here is some info:
qmail-big-ext-todo.patch: The exttodo patch addresses a problem known as the silly qmail (queue) problem. This problem is found only on systems with high injection rates. qmail with a big local and remote concurrency could deliver a tremendous amount of messages but normally this can not be achieved because qmail-send becomes a bottleneck on those high volume servers. qmail-send preprocesses all new messages before distributing them for local or remote delivering. In one run qmail-send does one todo run but has the ability to close multiple jobs. Because of this layout qmail-send can not feed all the new available (local/remote) delivery slots and therefore it is not possible to achieve the maximum throughput. This would be a minor problem if one qmail-send run could be done in extreme short time but because of many file system calls (fsync and (un)link) a todo run is expensive and throttles the throughput. The exttodo patch tries to solve the problem by moving the todo routine into an external program. This reduces the run time in qmail-send.
qmail-big-concurrency.patch: Allows qmail to use a concurrency greater than 240 (current qmail limit). It has been reported to work well in almost all environments and might be handy if you are expecting high volumes of mail traffic.
qmail-doublebounce-trim.patch: I decided to integrate this patch because I got sick of double bounce messages sitting in qmail queue forever. Spammers usually fake the from field with an invalid email address, which results in thousands of bounce messages. This patch allows you to complete discard all double bounce messages to save server load and traffic.
qmail-1.03-dns.patch: Christopher Davis’s oversize DNS patch - it makes qmail accept oversized DNS packets. If you do not want some of the legitimate mail to get lost, I would recommend you to use this patch.
qmail-1.03-mfcheck.4.patch: I consider this patch mandatory for any qmail installation. A lot of spammers use fake domain names in their messages - this patch checks if the domain in “from” field exists. If it doesn’t, the email simply gets rejected.
qmail-1.03-pop3d-stat.patch: This patch changes the number of messages returned in qmail-pop3d’s reponse to STAT. The patch makes qmail fully compliant with RFC 1939, which specifies that deleted messages aren’t counted in total.
qmail-bounce.patch: Allows you to specify the limit for bounce messages in /var/qmail/control/bouncemaxbytes.
qmail-bouncecontrol-1.03.patch: Allows you to control the appearance of bounce messages. Very handy if you want to change the default bounce message or add a message in another language.
qmail-tarpit.patch: The tarpit patch is targeted towards spammers who try to bomb your mail server with a long list of recipients. It inserts small delays in an smtp session for each recipient in the mail message (after some set number of recipients). This slows down their session, resulting in timeouts in spammer’s mail software.
qmail-badrcptto.patch: Lets you reject e-mail at the smtp envelope (rcpt) phase, which can produce a considerable bandwidth saving when a lot of e-mail is directed at non-existing users. Instead of receiving the body of the e-mail and then rejecting it in qmail-send, you can reject it before receiving the body. This can be very useful in a setup where you have one qmail box accepting all the e-mail, which then passes it on to another (q)mail box behind it.
qmail-smtpd-relay-reject.patch: Russell Nelson’s patch to reject relay probes generated by “anti-spammers”. These relay probes have ‘!’, ‘%’ and ‘@’ in the local (username) part of the address. The patch detects them and issues a 553 error “we don’t relay”.
qmail-accept-5xx.patch: Adrian Ho’s patch to increase qmail-remote’s compliance with RFC2821. Some smtp servers are now emitting 5xx responses from the get-go, and mere RFC821 behavior doesn’t deal well with them.
qmail-nullenvsender.patch: A lot of your spam will be arriving with a null envelope sender. When those spam messages have multiple envelope recipients, they cannot be bounce messages. This patch rejects emails addressed to multiple recipients with a null envelope sender.
Right now qmail is fully patched. All we need to do is install it. Before running make, we’ll first create necessary user accounts and groups that qmail needs for running. We will also create a qmail directory /var/qmail. Make sure that you have enough space in that partition.
# mkdir /var/qmail
# cd /usr/local/src/netqmail-1.05/netqmail-1.05
# groupadd -g 5000 nofiles
# groupadd -g 5001 qmail
# useradd -u 5000 -g nofiles -d /var/qmail/alias alias
# useradd -u 5001 -g nofiles -d /var/qmail qmaild
# useradd -u 5002 -g nofiles -d /var/qmail qmaill
# useradd -u 5003 -g nofiles -d /var/qmail qmailp
# useradd -u 5004 -g qmail -d /var/qmail qmailq
# useradd -u 5005 -g qmail -d /var/qmail qmailr
# useradd -u 5006 -g qmail -d /var/qmail qmails
If you have a FreeBSD system, the above won’t work. You will have to add groups and users manually into /etc/groups and /etc/master.passwd and then remake the user database by issuing pwd_mkdb -p /etc/master.passwd. Here is what you would have to do under FreeBSD:
# cd /etc
# echo “nofiles:*:5000:” >> group
# echo “qmail:*:5001:” >> group
# echo “alias:*:5000:5000::0:0::/var/qmail/alias:” >> master.passwd
# echo “qmaild:*:5001:5000::0:0::/var/qmail:” >> master.passwd
# echo “qmaill:*:5002:5000::0:0::/var/qmail:” >> master.passwd
# echo “qmailp:*:5003:5000::0:0::/var/qmail:” >> master.passwd
# echo “qmailq:*:5004:5001::0:0::/var/qmail:” >> master.passwd
# echo “qmailr:*:5005:5001::0:0::/var/qmail:” >> master.passwd
# echo “qmails:*:5006:5001::0:0::/var/qmail:” >> master.passwd
# pwd_mkdb -p /etc/master.passwd
Now, we can run make and install qmail.
# echo “-lssl -lcrypto” > ssl.lib
# make
# make setup check
Note: If you get an error while running “make” that says: “Oops. Your system’s FD_SET() has a hidden limit of 1024 descriptors. This means that the qmail daemons could crash if you set the run-time concurrency higher than 509. So I’m going to insist that the concurrency limit in conf-spawn be at most 509. Right now it’s 1000.” - edit the file conf-spawn in your qmail directory and change the concurrency limit from 1000 to 509. Save and run make again.
If for some reason you are trying to compile qmail-1.03 instead of netqmail-1.05, you might encounter compilation problems with the latest versions of glibc (especially on Redhat Linux 9). In this case, use this patch and try recompiling qmail again. To apply the patch, cd to your qmail directory and type patch -p1 < qmail-1.03.errno.patch
Qmail and all of its subdirectories are installed in /var/qmail. Now we move to the configuration step.
8) Qmail post-install configuration
Before moving any further, it is best to create a link to qmail sendmail wrapper. The reason why we want this, is because many programs use sendmail to send email messages. By default, sendmail is installed in /usr/sbin/sendmail or /usr/lib/sendmail. We are going to symlink the wrapper:
# ln -s /var/qmail/bin/sendmail /usr/sbin/sendmail
# ln -s /var/qmail/bin/sendmail /usr/lib/sendmail
Now we need to create necessary control files in /var/qmail/control. The examples below assume that your domain is “yourserver.com”. Of course, you have replace the occurence of yourserver.com with your qualified MX host.
# cd /var/qmail/control
# echo yourserver.com > defaultdomain
# echo localhost > locals
# echo yourserver.com > me
# echo yourserver.com > plusdomain
# echo localhost > rcpthosts
# echo yourserver.com >> rcpthosts
# echo checkvpw > checkpassword
# echo 1 > mfcheck
# echo 20 > tarpitcount
# echo 5 > tarpitdelay
The next step is to create various messages such as bounce and double bounce messages.
# echo @nowhere.edu > badmailfrom
# echo @nowhere.edu > badrcptto
# echo mailer-daemon > bouncefrom
# echo yourserver.com > bouncehost
# echo 50000 > bouncemaxbytes
# echo text > bouncemessage
# echo failure notice > bouncesubject
# cp bouncehost doublebouncehost
# cp bouncemessage doublebouncemessage
# cp bouncesubject doublebouncesubject
I will explain below in section 18.1 what “badmailfrom” and “badrcptto” are for and how to use them to fight against nasty spammers.
Now we need to edit two files - bouncemessage and doublebouncemessage. Therefore, launch your favorite editor and replace “text” with your bounce message. These files will contain the text that’s going to be displayed when a message bounces or double bounces. The example below uses vi to edit the files.
# vi bouncemessage
# vi doublebouncemessage
OK, the control files are all completed. Qmail configuration is now complete. The last thing that we need to do is set up a qmail startup script.
# vi /var/qmail/rc
Copy-paste the following into the file:
#!/bin/sh
PATH=”/var/qmail/bin:/usr/local/bin”
export PATH
cd /
qmail-start ./Maildir | setuidgid qmaill
multilog t n50 s1000000
/var/qmail/logs/qmail &
The first two lines of the script specify the path to executable files (so that we don’t have to write the complete path to qmail-start, setuidgid and multilog). The third line starts qmail, specifying Mailbox as the default directory for a mail user and sets “qmaill” as the user account under which multilog will be executed. The next line executes multilog, which is the logger we will be using for qmail. Here, we specify the number of maximum log files allowed in log directory (50) and the maximum size of a log file (1 MB). When a log file reaches 1 MB in size, the log will automatically rotate by renaming “current” log and creating a new empty log. When the number of log files reaches 50, it will automatically remove the oldest log prior to creating a new one. The last line represents the log directory.
Of course, we should not forget about making the startup script executable and creating qmail log directories:
# chmod 755 /var/qmail/rc
# mkdir /var/qmail/logs
# mkdir /var/qmail/logs/qmail
# chown -R qmaill:qmail /var/qmail/logs
9.1) Installing Ucspi-UNIX
# cd /usr/local/src
# tar zxf ucspi-unix-0.36.tar.gz
# cd ucspi-unix-0.36
# make
# ./installer
Note: If ucspi-unix fails during compilation with an error in env.c (sysdeps.h not found) you need to get bglibs and install it. After untarring the source, cd into the directory and run “make” followed by “make install”. Try recompiling ucspi-unix again. If compilation of ucspi-unix finishes without an error, type “./installer” to install binaries and manuals into /usr/local/bin and /usr/local/man, respectively. In some cases the installer gives an error “installer error: Could not change directory to ‘/usr/local/man’”. If you got this error just type “mkdir /usr/local/man” and then “./installer” again.
9.2) Installing Ucspi-TCP
The process is similar to qmail installation:
# cd /usr/local/src
# tar zxf ucspi-tcp-0.88.tar.gz
# cd ucspi-tcp-0.88
# wget http://www.qmail.org/ucspi-rss.diff
# patch -p1 < ucspi-rss.diff
patching file rblsmtpd.c
# make
# make setup check
Note: If ucspi-tcp fails during compilation with an error “collect2: ld returned 1 exit status”, you need to get two patches (patch 1, patch 2) and apply them to ucspi-tcp. Put these patches into /usr/local/src/ucspi-tcp-0.88 directory and type “patch -p1 < ucspi-tcp-0.88.errno.patch" and “patch -p1 < ucspi-tcp-0.88.nobase.patch". As usual, you’ll have to rerun “make” and “make setup check” to compile and install ucspi-tcp.
Now let’s configure tcpserver. Create a script called tcprulesedit in /usr/local/bin and copy-paste the following:
#!/bin/sh
vi /etc/tcp.smtp
/usr/local/bin/tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp < /etc/tcp.smtp
This script will take care of creating and editing relay rules in qmail. You can substitute “vi” with your favorite editor, if you want to.
As usual, make the script executable:
# chmod 755 /usr/local/bin/tcprulesedit
# tcprulesedit
The second line above runs the tcprulesedit script we’ve just created. Copy-paste the following lines into the editor:
127.:allow,RELAYCLIENT=”",RBLSMTPD=”",QMAILQUEUE=”/var/qmail/bin/qmail-queue”
:allow,QMAILQUEUE=”/var/qmail/bin/qmail-scanner-queue.pl”
Note: If you are not planning to install qmail-scanner, you should remove the QMAILQUEUE definitions above. Of course, don’t forget to get rid of all “,” (commas) at the end of the lines as well.
For security purposes, we are only allowing localhost (127.) to relay messages. Since messages coming from localhost will most probably not contain spam or viruses, we are specifying qmail-queue as the default executable for incoming mail. This will also decrease the server load when processing mail between local mail users. The second line of the script just tells tcpserver to process all other mail using qmail-scanner (to fight against spammers and viruses), the installation of which I will be covering later in this guide.
10) Moving on with Daemontools
Daemontools installation differs from other installations, because you don’t have to “configure” or “make” the package. A directory is created in your root structure, and all working files are placed there. Follow the instructions below to properly install Daemontools on your system.
# mkdir -p /package
# chmod 1755 /package
# cd /package
# mv /usr/local/src/daemontools-0.76.tar.gz /package
# tar zxf daemontools-0.76.tar.gz
# mv daemontools-0.76.tar.gz /usr/local/src
# cd admin/daemontools-0.76
# package/install
Note: If daemontools fails during compilation with an error “collect2: ld returned 1 exit status”, you need to get a patch and apply it on daemontools. Put the patch into /package/admin/daemontools-0.76 and type “patch -p1 < daemontools-0.76.errno.patch". After the patch is applied successfully, cd into /package/admin/daemontools-0.76 and type “package/install”. Daemontools should now be installed and fully operational.
That’s it, Daemontools package is installed.
11) Installing and configuring VMailMgr
To install VMailMgr, we need to run configure and make just like we do on any other source distributions:
# cd /usr/local/src
# tar zxf vmailmgr-0.97.tar.gz
# cd vmailmgr-0.97
# ./configure
# make
# make install
# cd ..
# tar zxf vmailmgr-tools-0.2.tar.gz
# cd vmailmgr-tools-0.2
# make
# ./installer
If you receive an error for vmailmgr-tools compilation, edit vcheckquota.c, go to line 36 and simply put the sentence “Warning: the soft…blah blah” in one line. Type make again and the problem should go away. Let’s configure VMailMgr to work with our domain.
# groupadd email
# mkdir /home/email
# chmod 755 /home/email
Apart from the main installation, we’ll have to configure VMailMgr as well. This step is required for controlling user quotas, auto-responder and some
other things.
# mkdir /etc/vmailmgr
# chmod 755 /etc/vmailmgr
# cd /etc/vmailmgr
# ln -s /etc/vmailmgr /usr/local/etc/vmailmgr
# echo ./Maildir/ > default-maildir
# echo maildir > maildir-arg-str
# echo passwd > password-file
# echo /tmp/.vmailmgrd > socket-file
# echo users > user-dir
Create a file called vdeliver-predeliver (vi vdeliver-predeliver), then copy-paste the following:
#!/bin/sh
/usr/local/bin/vcheckquota
Then, change permissions of the files in the folder:
# chmod 755 /etc/vmailmgr/*
The directory /etc/vmailmgr is created for vmailmgr configuration files. The echo commands given above control the way vmailmgr will be handling directories and mail processing. Basically, we are telling vmailmgr that the password file for keeping users’ passwords will be “passwd” and the directory that will contain individual user accounts will be “users”. The “vdeliver-predeliver” lines will launch “vcheckquota”, which will check a user’s quota limits before delivering a message. You can change the above settings to fit your needs, but I would recommend using the default settings provided in this guide.
Now we need to create a set of scripts that should help us out a lot in adding and removing virtual domains. Download the file add_virt from this server and place it in /usr/local/bin.
The script is pretty simple. The first line sets a variable DGID (group ID) to “email”, which is used while executing useradd to add a virtual domain to the system. The second line sets DHOME to “/home/email”, which will be the base directory for all virtual domains you’ll be creating in the future. QHOME is the directory where qmail is installed. The next four lines check if the user is root (remember, only root account will be able to execute this script). If nothing is given in command line, the script will print “Usage: add_virt newdomain.com”, for those who don’t know or forgot the script usage. Next, the script checks if the virtual domain already exists, by going through the system /etc/passwd file. Don’t worry, the scipt will not screw up or damage your passwd file. Vmailmgr uses *nix authentication to verify virtual domains. However, it does not necessarily mean that you are leaving security holes. After creating the first test user, I will show you how to disable shell access to all created virtual domains for security purposes. When all the checks are completed successfully, the script will attempt to create the virtual domain you specified in command line. It will first launch useradd and add the domain. Then, it will prompt you to change the password for the created virtual domain. Next, the script will add the domain to /var/qmail/control/virtualdomains and /var/qmail/control/rcpthosts. The next line executes vsetup, which takes care of setting up a virtual domain for its first use. And finally, the last three commands will restart qmail, so that the new settings take effect. If everything went without a glitch, the script will print out “All done! Domain newdomain.com created.”
Now, get the second file remove_virt and also place it in /usr/local/bin.
This script does the reverse of add_virt - i.e. it will remove the specified virtual domain from the system. Again, QHOME is where your qmail is installed. Another check for root user is run to prevent regular users from attempting to execute this script. If nothing is specified in command line, the script prints “Usage: remove_virt domain.com”. Next, a quick check that tests the existence of the virtual domain in /etc/passwd is run. If the domain is found, the root account will be asked to confirm the deletion of the specified domain and all of its users. If “y” is received, the account is deleted from the system via userdel. If nothing or “n” is received, the script exits with “Aborted.” message. Once userdel removes the system account, the script changes directory to /var/qmail/control and removes the deleted virtual domain from “virtualdomains” and “rcpthosts” files (the grep and mv lines). The last three commands restart qmail, for changes to take effect. If everything went smoothly, the script prints out “All done! Domain deleteddomain.com deleted.”
Good, now we need to chmod those scripts, so that they are be executable. Plus, let’s test those scripts by creating a virtual domain (yourserver.com):
# chmod 755 /usr/local/bin/add_virt
# chmod 755 /usr/local/bin/remove_virt
# add_virt yourserver.com
Base Username [yourserver_com]:
Creating new domain ‘yourdomain.com’.
Domain base user created in /home/email/yourdomain.com.
Please provide domain password for VmailMgr.
Changing password for user yourdomain_com.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Adding domain to control/virtualdomains…done
Adding records to control/rcpthosts…done
Setting up the domain dir for vmailmgr…
vsetup: created users directory.
vsetup: wrote ‘.qmail-default’ file.
vsetup: added alias ‘mailer-daemon’
vsetup: added alias ‘postmaster’
vsetup: added alias ‘root’
…done
Restarting Qmail…
All done! Domain yourdomain.com created.
After your type add_virt yourserver.com you’ll be asked for a password. Type the domain password and remember it - we’ll need it for domain administration later on. The script output will be similar to what you see above. If you get an error saying bash: /root/.bashrc: Permission denied in the middle of the script, just ignore it.
Let’s now create a test user at our domain. This user will be created solely for testing purposes. We’ll delete it after we are sure that everything is working properly.
# su - yourserver_com
# vadduser test
Enter the user’s new password:
Please type it again for verification:
vadduser: user ‘test’ successfully added
The account is created successfully. Remember or write down the password you specified - we’ll need the password later for testing our mail server. Once you are done adding the user, type “exit” to return to superuser shell.
Now we need to disable the created virtual domains’ shell access for security purposes. Launch your favorite editor and open /etc/passwd. Find the line with your created virtual domain. It will look something like this: yourserver_com:x:5007:5002::/home/email/yourserver.com:/bin/bash. Replace “/bin/bash” with either “/sbin/nologin” or “/bin/false”. This makes sure that even if someone steals your domain password, he/she will not be able to use the shell.
12) Installing Relay-CTRL
You might wonder what Relay-CTRL is. Well, this small program performs smtp authorization. Basically, it serves those clients who want to send email messages through our server. It will protect the mail server from thousands of abusers who send unsolicited mail through open-relay servers. Not only does Relay-CTRL solve the relaying problem, but it also verifies that only local accounts are able to send mail to outside servers.
The install procedure is fairly easy. This is what you have to do:
# cd /usr/local/src
# tar zxf relay-ctrl-3.1.1.tar.gz
# cd relay-ctrl-3.1.1
# make
# ./installer
# mkdir /var/qmail/relay-ctrl
# mkdir /var/qmail/relay-ctrl/allow
# chmod 700 /var/qmail/relay-ctrl
# chmod 777 /var/qmail/relay-ctrl/allow
# mkdir /etc/relay-ctrl
# echo /var/qmail/relay-ctrl/allow > /etc/relay-ctrl/RELAY_CTRL_DIR
# echo 900 > /etc/relay-ctrl/expiry
# echo /etc/tcp.smtp.cdb > /etc/relay-ctrl/smtpcdb
# echo /var/qmail/relay-ctrl > /etc/relay-ctrl/spooldir
# echo /usr/local/bin/tcprules > /etc/relay-ctrl/tcprules
What are we doing here? After installing relay-ctrl, we are setting up “/var/qmail/relay-ctrl/allow” as the directory where temporary access files will be written. If a user with IP “100.100.100.10″ is successfully authenticated, a file called “100.100.100.10″ is created in this directory. The file will contain “USER=yourdomain.com” (yourdomain.com being the domain that the user belongs to). The user is now able to send messages but only for a specified amount of time (expiry). The expiry is located in /etc/relay-ctrl/expiry. In this guide, the expiry time is 900 seconds, which means that after 15 minutes the user will no longer be able to send messages through the mail server, unless he/she authenticates again.
Also, don’t forget to add the following cron job to your system. You can either put the line into /etc/crontab or create a file relay-ctrl in /etc/cron.d
* * * * * root /usr/local/bin/envdir /etc/relay-ctrl /usr/local/bin/relay-ctrl-age
Restart the cron daemon for changes to take effect.
13) Preparing POP3 and SMTP startup environment
Qmail is useless without POP3 and SMTP protocols. You can’t send and receive e-mail from remote hosts without running these services. We have already installed most of the stuff now. It is a good idea to test our accomplishments so far, by running Qmail with POP3 and SMTP.
Download the file “runmail” from this server and place it in /usr/local/bin.
This script will definitely confuse many of you. But don’t worry, I am here to explain you what each line of the above code does :-) The script can be divided into three parts - the first one runs vmailmgr daemon, the second one runs an smtp server and the third one runs a pop3 server. Remember, that you’ll be needing both smtp and pop3 servers if you want to be able to send and receive mail. The vmailmgr daemon is needed for web-based administration, which I will be covering in “oMail-admin” section below.
Again, the first two lines specify the paths to executables to make our lives easier and our script smaller. The third line changes the directory to root. Softlimit -m 10000000 sets the maximum memory usage to 10MB. You can limit it to a smaller amount of memory, if you want to. Just make sure that the limit is reasonable - otherwise the program could simply fail to execute because of memory limitations. The next line executes vmailmgr daemon, which is needed if you want to be able to add/remove/modify mail users through a web interface. We run vmailmgrd through unixserver, which creates a socket and waits for incoming connections. All vmailmgrd connections are logged in /var/qmail/logs/vmailmgrd. The second part of the script runs an SMTP server. Again, we limit the memory usage to 10MB via softlimit. The envdir lines set the config directory to /etc/relay-ctrl for relay-ctrl. The next line starting with tcpserver is rather compicated. The “-v” switch given to tcpserver makes sure that all error and status messages are printed out (if they occur). The “-H” switch disables DNS lookups. We don’t need to do DNS lookups, since our patched qmail already does that. The “-R” switch will stop tcpserver from attempting to obtain $TCPREMOTEINFO variable from remote hosts (we don’t need it). The “-l $HOSTNAME” switch will force tcpserver not to lookup local host name in DNS (no need to resolve ourselves). The “-x /etc/tcp.smtp.cdb” switch forces tcpserver to follow the rules compiled by our tcprulesedit script. The “-c200″ switch limits the maximum number of simultaneous connections to 200. The “-u5002″ switch sets tcpserver user id to “qmaill” and “-g5000″ sets group id to “nofiles”. Next 0 and smtp simply tell tcpserver to listen on any available interface on port 25. The “rblsmtpd -b -r relays.ordb.org rblsmtpd -r sbl.spamhaus.org” command executes anti-spam filter for denying blacklisted servers on the Internet. If the first blacklist server fails, the second one (sbl.spamhaus.org) takes over. You can check whether your blacklist settings work by sending a test message to [email protected]. If you receive only one message with “Terminating conversation” message at the end, settings are good to go. If you receive two messages with one saying “Uh-oh, your SBL block is not working!”, it means that either the relay servers are unreachable at the moment or something is wrong with your settings. The “fixcrio” command will insert missing CRs at the end of messages. Some old mail servers send messages that contain bare linefeeds and fixcrio will deal with those. It’s very unlikely that such servers exist, but adding this executable will make sure that we are not denying messages from some old non-blacklisted servers. The next “relay-ctrl-check” command checks if the mail user has already been authenticated. If /var/qmail/relay-ctrl/allow directory does not contain sender’s IP address, the message is rejected with 553 error message “sorry, that domain isn’t in my list of allowed rcpthosts”. If everything is good and the user did authenticate before, the message is successfully delivered through “qmail-smtpd”, which is the next command we are executing. The “setuidgid qmaill” makes multilog execute under “qmaill” user. I’ve already explained multilog switches above, so I will not go through that part again.
The third part of the script deals with running a pop3 server on port 110. Just like we did for smtp server, we execute softlimit followed by envdir for relay-ctrl. This is needed because relay-ctrl must record authenticated user’s IP address and domain into the temp allow directory. Next, we run tcpserver - only this time we execute it under “root” account (the -u0 and -g0 switches). Plus, we now specify port 110 to listen on instead of smtp (port 25). The next command “qmail-popup localhost” will read a POP username and password from the connecting client. You can either specify “localhost” or your fully qualified domain name after “qmail-popup”. The next line starts with “checkvpw” which is the default password authentication utility for vmailmgr. So, all it does is - it checks whether the specified username and password are correct. Of course, if the authentication fails, checkvpw exits causing tcpserver to disconnect the user with a failure message. If the authentication is successful, the next command “relay-ctrl-allow” is executed. It will make sure that the user’s IP address and domain are recorded into a temp file in relay-ctrl’s allow directory. Next, “qmail-pop3d” is run, allowing the user to receive and delete his/her messages from the server. Once more, we are switching to “qmaill” user id for multilog and using /var/qmail/logs/pop3 log directory to log all pop3 connections.
The script is ready. Now, all we need to do is make it executable:
# chmod 755 /usr/local/bin/runmail
14) Testing Qmail installation
Before we go any further, let’s make sure that everything we’ve done so far works properly. For that, we’ll have to execute Qmail, POP3 and SMTP. Then, we will send and receive a couple of test messages. Only then will there be a point in continuing and completing qmail installation.
So, let’s get Qmail, POP3 and SMTP running:
# /var/qmail/rc &
# /usr/local/bin/runmail
If you get a permission error with multilog, type “chown qmaill:nofiles /var/qmail/logs” and “chown qmaill:nofiles /var/qmail/logs/qmail”. Kill running qmail with “killall qmail-lspawn” and then retry running the script with “/var/qmail/rc &”.
Type ps ax | grep qmail in shell prompt. The command should return 8-9 different processes (qmail-send, qmail-rspawn, qmail-clean and etc). The output will look similar to this:
17295 pts/1 S 0:00 qmail-send
17296 pts/1 S 0:00 multilog t n100 s1000000 /var/qmail/logs/qmail
17297 pts/1 S 0:00 qmail-lspawn ./Maildir
17298 pts/1 S 0:00 qmail-rspawn
17299 pts/1 S 0:00 qmail-clean
17315 pts/1 S 0:00 multilog t n100 s1000000 /var/qmail/logs/vmailmgrd
25459 pts/1 S 0:00 multilog t n100 s1000000 /var/qmail/logs/smtp
25461 pts/1 S 0:00 multilog t n100 s1000000 /var/qmail/logs/pop3
25736 pts/1 S 0:00 grep qmail
Now type ps ax | grep tcpserver again in shell prompt. The command should return only three lines. The output will look similar to this:
25458 pts/1 S 0:00 tcpserver -v -H -R -l server.com -x /etc/tcp.smtp.cdb…
25460 pts/1 S 0:00 tcpserver -v -H -R -l server.com -x /etc/tcp.smtp.cdb…
25801 pts/1 S 0:00 grep tcpserver
If you have something similar to examples above, your installation is most probably up and running. If you receive an empty output, something went wrong. In that case, check out the “current” log files in /var/qmail/logs.
Our current objective is to test how our system is working. Create an account in your e-mail client (Outlook Express, Bat or whatever you have there) on another computer using the domain, login and password you’ve supplied before. In our case, your login is “[email protected]” and password is the password that you typed in when you issued a “vadduser” command. The settings for both POP3 and SMTP should remain default to e-mail client’s values. For POP3 and SMTP server address, either supply your new mail server’s IP address or its valid hostname. I usually type in an IP address (less DNS queries and faster). Click send/receive and see what happens. If you get an error, see what type of error you get. Make sure that everything you specify in your mail client is valid and working. Sometimes people type in something wrong and then blame it on others. I hope you are not the nut case :-) Anyway, if you get a window that asks you to retype your password, that means that you have either mistyped your password, or supplied a wrong login. By the way, did I mention that you must supply your login and domain for authentication? (type in your full e-mail address as your login - ex: [email protected]).
Warning: Don’t try to send an e-mail to check how everything works yet. You will simply get an error message “unable to exec qq”. This is because we have /var/qmail/bin/qmail-scanner-queue.pl to process the qmail queue and this file simply does not exist!
15) Qmail-Autoresponder Installation
The installation is very easy. All you need to do, is run “make”, copy the compiled binary to /usr/local/bin and make it executable.
# cd /usr/local/src
# tar zxf qmail-autoresponder-0.97.tar.gz
# cd qmail-autoresponder-0.97
# make qmail-autoresponder
# cp qmail-autoresponder /usr/local/bin
# chmod 755 /usr/local/bin/qmail-autoresponder
Create a vdeliver-postdeliver file in /etc/vmailmgr folder and copy-paste the following into it:
#!/bin/sh
if test -s $MAILDIR/autoresponse/message.txt
then
qmail-autoresponder message.txt $MAILDIR/autoresponse
fi
Then make it executable:
# chmod 755 /etc/vmailmgr/vdeliver-postdeliver
16) Courier-IMAP Installation
First, we’ll install Courier-IMAP to /usr/lib/courier-imap. Then, we will configure it to work with VMailMgr by changing the password checker (authvmailmgr).
# cd /usr/local/src
# bzip2 -d courier-imap-3.0.8.tar.bz2
# tar xf courier-imap-3.0.8.tar
# cd courier-imap-3.0.8
# ./configure –disable-root-check
# make
# make install
If you are using RedHat Linux, don’t forget to add –with-redhat at the end of the configure line, otherwise configure will terminate with a warning.
It will take a while for the configure script to be done. When I installed courier for the first time, I thought that the script was looping and something went wrong, so I terminated it. Don’t do that - it looks like the script does the same thing over and over again, so just be a little patient and wait.
Courier-IMAP has its own authentication scheme which needs to be changed for our installation. This is what we need to do:
# cd /usr/local/src/vmailmgr-0.97
# cp authenticate/authvmailmgr /usr/lib/courier-imap/libexec/authlib
# cd /usr/lib/courier-imap/etc
# cp imapd.dist imapd
# cp imapd-ssl.dist imapd-ssl
# vi imapd
While editing the file imapd, change “MAXPERIP”(Maximum connections per IP) to 20. Then, change “AUTHMODULES” (Authentication modules) and “AUTHMODULES_ORIG” to “authvmailmgr relay-ctrl-allow”. Save and close the file.
Now do “cp authdaemonrc.dist authdaemonrc” and edit the file authdaemonrc, delete the line that says authmodulelist=”authcustom……..” and insert authmodulelist=”authvmailmgr relay-ctrl-allow”. Save and close the file.
Next, do the following:
# cd /usr/lib/courier-imap/libexec/authlib
# mv authdaemond authdaemond.old
# ln -s /usr/local/bin/relay-ctrl-allow relay-ctrl-allow
# echo ‘#! /bin/sh’ > authdaemond
# echo ‘DIR=`dirname $0`’ >> authdaemond
# echo ‘AUTHDAEMOND=authdaemond.plain’ >> authdaemond
# echo ‘. /usr/lib/courier-imap/etc/authdaemonrc’ >> authdaemond
# echo ‘if test “$version” != “”‘ >> authdaemond
# echo ‘then’ >> authdaemond
# echo ‘ AUTHDAEMOND=”$version”‘ >> authdaemond
# echo ‘fi’ >> authdaemond
# chmod 755 authdaemond
Now edit imapd.rc and make some minor changes to work with relay-ctrl:
# vi /usr/lib/courier-imap/libexec/imapd.rc
Search for “/usr/lib/courier-imap/libexec/couriertcpd -address=$ADDRESS” line and insert “/usr/local/bin/envdir /etc/relay-ctrl /usr/local/bin/relay-ctrl-chdir \” above it. Thus, relay-ctrl will get initialized before “couriertcpd” is called.
Let’s run the IMAP server and see if it works fine:
# /usr/lib/courier-imap/libexec/imapd.rc start
# ps ax | grep courier
1698 ? S 0:00 /usr/lib/courier-imap/libexec/couriertcpd -address=0 -stderrlogger…
1711 ? S 0:00 /usr/lib/courier-imap/libexec/courierlogger imapd
The command ps ax should return two lines. If the two lines are present, then everything is running properly. It is now time to test the IMAP server. Let’s set up another test mail account on a windows box and e-mail client. Only this time, instead of specifying POP3, we specify IMAP server. After the account is all set, check if it works. Your client should be able to download the IMAP directory structure to your PC. If it does not work for some reason, or your password gets denied - you did something wrong. My recommendation to you then is to recheck the guide again and make sure that you do everything right.
Assuming that everything worked just fine, we’ll take another step forward - installing Qmail extras.
17.1) MailDrop, TNEF, SpamAssassin + Perl Utils Installation
Since we’ll be running a mail scanner utility to check for spam and viruses, some tools must be installed. Let’s start with the first one - MailDrop.
# cd /usr/local/src
# bzip2 -d maildrop-2.0.4.tar.bz2
# tar xf maildrop-2.0.4.tar
# cd maildrop-2.0.4
# ./configure
# make
# make install-strip
# make install-man
Now TNEF unpacker. This program is used by Qmail-Scanner, which we will
be installing later.
# cd /usr/local/src
# tar zxf tnef-1.4.4.tar.gz
# cd tnef-1.4.4
# ./configure
# make
# make check
# make install
Installing SpamAssassin is very easy. You must have Perl installed and fully operational in order to be able to build and install SpamAssassin. If you prefer installing Perl modules from sources, get SpamAssassin source file from the location specified above and run the commands “perl Makefile.PL” “make” “make test” and “make install” respectively. Otherwise, my recommendation is to install from CPAN shell. Execute the following command in shell:
# perl -MCPAN -eshell
After the command is executed, you’ll be presented to the cpan prompt*. Just type install Mail::SpamAssassin and press Enter. Cpan will start downloading the sources from other servers and install SpamAssassin for you. If you get a dependency warning, accept the default “yes” and let cpan install whatever is needed.
* If you’ve never used perl CPAN, you will be presented with a perl configuration script, which will ask some questions regarding the installation of CPAN module. Just accept the defaults and specify the closest location for your source downloads. When the process is complete, you should be able to type commands in the cpan prompt. Type install Bundle::CPAN to get and install the latest CPAN modules.
If you get an error saying something like “Makefile:91: *** missing separator. Stop.” in Redhat Linux 9, edit the file /etc/sysconfig/i18n and replace LANG=”en_US.UTF-8″ with LANG=”en_US”. This helped me to cure module installations.
Furthermore, don’t forget to install the following Perl Modules (from sources or CPAN):
Time::HiRes
DB_File
Sys::Syslog
Running Perl SpamAssassin on every mail call is expensive and inefficient which is why a separate “spamd” daemon written in C is included in SpamAssassin package. To get spamd up and running, we will have to first cd to the SpamAssassin source directory. If you have downloaded SpamAssassin and installed it from shell, type the following in shell prompt:
# cd /usr/local/src/Mail-SpamAssassin-3.2.5/spamd
# cp redhat-rc-script.sh /etc/rc.d/init.d/spamd
# chmod 755 /etc/rc.d/init.d/spamd
# chkconfig –add spamd
# chkconfig spamd on
The spam daemon (spamd) must be run as “qmaill” user, otherwise you will get permission errors. Modify spamd init script (/etc/init.d/spamd) and add “-u qmaill” to the end of “SPAMDOPTIONS”. Save the file and type:
# /etc/init.d/spamd start
Starting spamd: [ OK ]
If you have installed from CPAN, then change the first line to “cd /root/.cpan/build/Mail-SpamAssassin-3.2.5/spamd”.
Of course, you should not forget about changing the installation script name (redhat-rc-script.sh in this case) to whatever platform you are installing on.
Now perform the last step to make spamassassin work under qmail-scanner:
# cd /var/qmail
# mkdir .spamassassin
# chmod 700 .spamassassin
# chown qmaill:qmail .spamassassin
# cd .spamassassin
# echo ‘required_hits 5′ > user_prefs
# chown qmaill:qmail user_prefs
Attention: In some cases, only changing ownership to qmailq:qmail will make spamassassin work.
Make sure that /etc/mail/spamassassin/local.cf exists (should be created during the install). If it doesn’t, create it and copy-paste the following into the file:
required_score 5.0
rewrite_header Subject *****SPAM*****
lock_method flock
use_bayes 1
bayes_auto_learn 1
17.2) ClamAV Antivirus
Warning: Please skip this step if you have less than 256 MB RAM on your mail server! Running antivirus on every single mail message will definitely slow down your server and might consume too much memory. It gets especially dangerous if your server is under heavy load or if you have many simultaneous mail users. The best configuration is 1 GB of RAM used solely for mail delivery purposes.
I have tested many different antivirus programs for Qmail, and the best one is clearly ClamAV. I used sophos & sophie combination before, but it’s not free anymore…
First, download ClamAV Antivirus from www.clamav.net. Place it in /usr/local/src and execute the following commands:
# cd /usr/local/src
# tar zxf clamav-0.93.3.tar.gz
# groupadd clamav
# useradd -c “Clam AntiVirus Account” -g clamav -s /bin/false clamav
# ./configure
# make
# make install
ClamAV should be installed. Run “clamd –version” to see if it works. If you got a response with the version number, go ahead and edit /usr/local/etc/clamd.conf and /usr/local/etc/freshclam.conf to suit your scanning needs. Then it’s time to update the virus definitions:
# mkdir /var/lib/clamav
# chown clamav:clamav /var/lib/clamav
# touch /var/log/freshclam.log
# chmod 600 /var/log/freshclam.log
# chown clamav /var/log/freshclam.log
# clamd
# freshclam -d -c 6 -l /var/log/freshclam.log
Don’t forget to add “clamd” and “freshclam -d -c 6 -l /var/log/freshclam.log” into your startup scripts.
18) Final touch - Qmail-Scanner
This is the last step we’ll take to finish the installation - installing and configuring Qmail-Scanner. Execute the following commands in shell:
# cd /usr/local/src
# tar zxf qmail-scanner-2.05.tgz
# cd qmail-scanner-2.05
# groupadd qscand
# useradd -c “Qmail-Scanner Account” -g qscand -s /bin/false qscand
# ./configure –spooldir /var/qmail/qmailscan \
–qmaildir /var/qmail –admin login –domain yourserver.com \
–local-domains “domain.one.com,domain.two.com” –install
Building Qmail-Scanner 1.23…
This script will search your system for the virus
scanners it knows about, and will ensure that all
external programs qmail-scanner-queue.pl uses are
explicitly pathed for performance reasons.
Continue? ([Y]/N)
Don’t forget to change “login” to your login and “yourserver.com” to your default domain. Also change “domain.one.com,domain.two.com” to whatever other domains you have on your system. If you only have one domain, specify one and get rid of everything after comma. If you have more than two domains, don’t forget to separate them with a “,” (comma). Press enter afterwards and answer “Y” when it asks you to Continue.
Qmail-Scanner should be able to detect “spamd” (SpamAssassin) and “sophie” (Antivirus) if you installed it. It will create directories under
/var/qmail/qmailscan and change necessary file ownerships. Then, do the following:
# /usr/local/bin/setuidgid qmaill \
“/var/qmail/bin/qmail-scanner-queue.pl” -g
perlscanner: generate new DB file
perlscanner: total of 9 entries.
If the above doesn’t work for you and produces an error, try changing “qmaill” to “qmailq”. If changing to “qmailq” works, you’ll most probably have to modify permissions for spamassassin and sophie as well. This is a weird behavior that I’m unable to figure out.
Type /usr/local/bin/setuidgid qmaill “contrib/test_installation.sh -doit” and then check your e-mail. If you received three messages, everything is running properly :-) If you haven’t received anything, view /var/qmail/qmailscan/qmail-queue.log for clues. If something fails and you are receiving a “451 qq temporary problem”, check ownership and permissions for /var/qmail/qmailscan. The directory owner should be qmaill:qmail and permissions should be set to 770.
Attention: In some cases, only changing ownership to qmailq:qmail will make qmail-scanner work. My recommendation is to always check the logs - most of the problems will be spotted from there.
Change “$DEBUG=1″ to “$DEBUG=0″ in /var/qmail/bin/qmail-scanner-queue.pl - this will disable Qmail-Scanner’s dumping of every single message delivery process to qmail-queue.log. Furthermore, if you want messages identified as spam to be “seen” as spam messages (very useful for filtering mail), find the line “my $spamc_subject=”;” and change it to “my $spamc_subject=’POTENTIAL SPAM:’;”. You could then setup your email client to deliver messages with words “POTENTIAL SPAM” to other mailboxes or automatically move them to trash. Sweet huh?
Phew…Qmail is now installed and fully operational :-)
18.1) Post-installation and spam control
The installation covered above should filter out most of the spam out there. But it’s not perfect. Spammers are so smart nowadays…they will do everything possible to pass their message and advertise their products/services you will never need. They will even fake their messages so good, that spamassassin will be unable to identify them as spam. So, what do we do with them? There is another solution, which for some users will be a pain, but it will definitely help you out a lot. If you remember, earlier in the guide I said that I would explain “badmailfrom” and “badrcptto” in more detail. Well, here we go :-)
These two files placed in /var/qmail/control directory are used by qmail to identify the bad guys. Sometimes the bad guys are from outside networks - those hungry spammers that just love to waste your mail traffic. In some cases, the bad guys are your own users! I’ve had some users before, who advertised their e-mails on the Internet and subscribed to gazillion newsletters. As soon as the mailbox is full, the server starts generating failure replies, adding to traffic and server load. And the sad thing is - even if you remove the damn user, e-mails will keep on coming and failure replies will be generated even more. So, how do we fight them?
The “badmailfrom” file is sort of your internal blacklist, in which you specify domains or individual e-mail addresses from which you are not willing to receive e-mails from. For example, if you don’t want to receive e-mails from yahoo users, simply add “@yahoo.com” in a new line. If a particular yahoo mail user is bothering you, add his/her full e-mail address to “badmailfrom”. The next time the user tries to send a message, your server will simply deny the message, before even processing it. Here is a good example of “badmailfrom” file:
@yahoo.com
@mail.ru
@hotmail.com
[email protected]
[email protected]
Here, we are denying all yahoo.com, mail.ru and hotmail.com users. Plus, we are denying messages from individual e-mail accounts - [email protected] and [email protected] :)
The “badrcptto” file will help you control your local “bad guys”. Every account specified in “badrcptto” will no longer receive any e-mails. The sender will receive a delivery failure message “553 sorry, this recipient is in my badrecipientto list” after sending an e-mail to blacklisted local user. The “badrcptto” file is processed line by line, just like badmailfrom. So, if you need to block access to several users, type their e-mail addresses one per line.
There are some new tools appearing now on the Internet that help to better fight spam, but I haven’t checked them out yet. If something good is released, I will definitely add it to this guide.
19) oMail-admin
oMail-admin is a great program written by Olivier Mueller. It allows you to manage virtual users on your system (create users and aliases, forwarding,
mailing lists, automated replies, etc.)
oMail-admin needs “vmailmgrd” daemon to run, which should already be up and running from the “runmail” script we’ve created before. Again, type ps ax to see if a process called unixserver exists.
This step assumes that an Apache server compiled with PHP is up and running. (If you haven’t installed Apache yet, I would highly recommend my Apache guide which is available here). Place the oMail files into your htdocs directory, and edit your apache configuration (httpd.conf) as necessary. Open your browser and then type the URL for oMail-admin. Type your domain (yourserver.com) in “Email Address or Domain Name” box and the domain password that you entered during the “add_virt” command. Then, click “Login” and a new page with account management should come up. It is very easy to go from there - just read “Help” if you don’t understand how it works.
20) Startup environment
Now we need to make sure that Qmail and all other extra stuff we’ve been installing so far starts up properly when the machine is rebooted.
You can do it in two ways - either by placing the lines below into your startup file (/etc/rc.d/rc.local):
# echo ‘# Qmail and other stuff’ >> /etc/rc.d/rc.local
# echo ‘/var/qmail/rc &’ >> /etc/rc.d/rc.local
# echo ‘/usr/local/bin/runmail’ >> /etc/rc.d/rc.local
# echo ‘/usr/lib/courier-imap/libexec/imapd.rc start’ >> /etc/rc.d/rc.local
or putting qmail, courier and tcpserver startup scripts into your init.d directory. Don’t forget to make those files executable and run automatically upon reboot:
# mv qmail /etc/rc.d/init.d
# mv courier /etc/rc.d/init.d
# mv tcpserver /etc/rc.d/init.d
# chmod 755 /etc/rc.d/init.d/qmail
# chmod 755 /etc/rc.d/init.d/courier
# chmod 755 /etc/rc.d/init.d/tcpserver
# chkconfig –add qmail
# chkconfig –add courier
# chkconfig –add tcpserver
# chkconfig qmail on
# chkconfig courier on
# chkconfig tcpserver on
21) POP3S and SMTPS using stunnel
The way traditional POP3 and SMTP protocols work is so insecure that it’s easily possible to sniff a login/password combination using simple network utilities. That leads to a security problem, which might result in a hacker stealing your users’ mailbox accounts. Because we are dealing with virtual users who do not have access to shell, just because of the way the system works, it might not be a major security problem. At least we do not have to worry about hackers logging into a shell, stealing information and screwing up our box. However, it’s always good to take precautions no matter how small the impact could be to your security. Normal sendmail installation, for example, authenticates through /etc/passwd. If a user is given both mail and shell access, just think what the end result might be. A hacker might sniff a login/pass combination for a mailbox and then successfully login into the system via shell, even if you have telnet disabled and only allow SSH access. Once a hacker has shell account, there are plenty of tools out there to gain root access. And you never know what’s on hacker’s mind when he/she hacks into your box. This is the major advantage of having a virtual user system. Even if a hacker steals login/pass combination for a mailbox account, the maximum he/she can do is overtake a mailbox. But again, you never know. What if a user on your system uses the same combination of login/password for both mail and shell access? Then basically, you’re screwed.
This step will help you to fight the problem of plaintext login/password authentication with a mail server. I will show you how to configure POP3 and
SMTP via SSL.
To those who wonder how we’re going to accomplish this task, let me give you some quick insight. We will have to install stunnel first. Stunnel is a universal SSL wrapper, which will allow us to secure POP3 and SMTP protocols through OpenSSL. Then, we are going to bind tcpserver to stunnel and add some more options to our runmail script created earlier. The whole process should take approximately 15 minutes, if we don’t have any compilation problems. I will try to explain each step in as much detail as possible.
21.1) OpenSSL and Stunnel
Before installing stunnel, please make sure that you have a working version of OpenSSL installed on the system. Try to look for openssl binary by typing “whereis openssl” or “locate openssl” in shell. Possible locations of OpenSSL are: /usr/bin, /usr/local/bin and /usr/local/ssl/bin but a customized installation might have resulted in OpenSSL being somewhere else on the system. Once you find out where it is, type “openssl version” (add the real path in front as needed). If your version is older than 0.9.6j, I personally recommend to upgrade it or reinstall it, because of some security issues found in previous releases. If you have an old RPM release, get rid of it and install from source. The latest version of OpenSSL can be found from here.
Let’s install stunnel now:
# cd /usr/local/src/
# tar zxf stunnel-3.26.tar.gz
# cd stunnel-3.26
# CFLAGS=”-I/usr/kerberos/include -L/usr/kerberos/lib” \
./configure –with-pem-dir=/usr/local/etc
# make
After “make” is done compiling sources, an RSA key will be generated for you. All you have to do, is enter correct information. Here is a sample for arbuz.com:
Country Name (2 letter code) [PL]:UZ
State or Province Name (full name) [Some-State]:Tashkent
Locality Name (eg, city) []:Tashkent
Organization Name (eg, company) [Stunnel Developers Ltd]:Arbuz.com
Organizational Unit Name (eg, section) []:Arbuz.com
Common Name (FQDN of your server) [localhost]:arbuz.com
Make sure that you type your mail hostname in “Common Name (FQDN of your server)” field. Now do the following:
# cp stunnel.pem /usr/local/etc/
# chmod 600 /usr/local/etc/stunnel.pem
# make install
21.2) Modifying the runmail script
The most important step in this process is how our script calls stunnel. Unfortunately, I couldn’t find any information on the web that gives a working sample of stunnel called via tcpserver. After finding out more about stunnel and it’s command options, I came up with a working script based on runmail you’ve seen above. Add it to your runmail script if you want to have all protocols (POP3, SMTP, POP3S and SMTPS) up and running for compatibility or whatever reasons. If you want to have POP3S and SMTPS only, remove everything after the first part (unixserver), then copy paste the following into the script:
exec softlimit -m 32000000 \
envdir /etc/relay-ctrl relay-ctrl-chdir \
tcpserver -v -H -R -l arbuz.com -x /etc/tcp.smtp.cdb \
-c200 -u0 -g0 0 465 \
stunnel -f -p /usr/local/etc/stunnel.pem \
-N smtps -l relay-ctrl-check — relay-ctrl-check \
fixcrio qmail-smtpd 2>&1 \
| setuidgid qmaill \
multilog t n100 s1000000 /var/qmail/logs/smtps & \
exec softlimit -m 32000000 \
envdir /etc/relay-ctrl relay-ctrl-chdir \
tcpserver -v -H -R -l arbuz.com -x /etc/tcp.smtp.cdb \
-c200 -u0 -g0 0 995 \
stunnel -f -p /usr/local/etc/stunnel.pem \
-N pop3s -l qmail-popup — qmail-popup localhost \
checkvpw relay-ctrl-allow qmail-pop3d Maildir 2>&1 \
| setuidgid qmaill \
multilog t n100 s1000000 /var/qmail/logs/pop3s &
Now go ahead and rerun runmail and test if POP3S and SMTPS really work. If you are running tcp wrappers, make sure you put “smtps: ALL: ALLOW” and “pop3s: ALL: ALLOW” into /etc/hosts.allow - otherwise all secure connections will be denied by your server.
If you get an error in log saying “SSL3_READ_BYTES:tlsv1 alert unknown ca” that means your mail client doesn’t accept the SSL certificate created earlier. Note that the certificate we created is not trusted. This is because an authority like VeriSign or Thawte didn’t sign it. I personally don’t like paying a couple of hundred dollars for an SSL certificate, but if money is not an issue for you, you should generate your own SSL key, and send it to an authority to sign it. That way you can get rid of annoying warnings from mail clients. I had a couple of issues trying to send and receive mail with “The Bat” mail client. But I then figured out that my client didn’t want to accept connections from/to an untrusted connection. So, after adding my certificate into the address book and into the trusted server list, I got rid of the “unknown ca” error. I also tested the connection on Outlook Express and everything seemed to work flawlessly (except that annoying “Internet Security Warning”). Note that POP3S and SMTPS sit on ports 995 and 465, respectively. So, make sure you specify the ports correctly while configuring your mail clients.
That’s it! You are finally done! Congratulations
Used Resources:
1) Qmail-Vmailmgr-Courier-SquirrelMail Installation Guide by Konstantin Riabitsev
2) Qmail Homepage
3) Untroubled.org by Bruce Guenter
4) Cr.yp.to by D.J. Bernstein
5) Courier Mail Server by Double Precision, Inc.
6) SpamAssassin.org
7) Qmail-Scanner by Jason Haar
8) Google
很早以前的东西了,早已遗忘出处。
