What's a POP toaster?
I use Dan Bernstein's definition described at http://cr.yp.to/qmail/toaster.html
What this toaster does and does not do
This "howto" will walk you through building a Linux Qmail "Toaster". While these instructions are intended to work with popular Linux distributions, they will probably work on other flavors of Unix without too much modification.
What this toaster does NOT do is act as a thorough guide to qmail or any of the other packages it installs. Such information is already available in the documentation, Life With Qmail, or other howtos/toasters. I only put this together to document all the commands/urls/procedures that I find myself repeating often. It's intended to have a bit of a "copy and paste" feel to it aimed at the impatient (me). If it's not sufficient for you, take the time to read the documentation of each package that's to be installed. There's no substitute for that.
Assumptions/Support
This document assumes that you are familiar with Unix system administration, mail/web protocols, etc. You don't have to be a guru to make this work, but you will be patching and compiling source code, as well as editing configuration files. If you want a "point and click" install experience, this is not for you.
These instructions come with no warranty or guarantee. If you blow up your server, and lose business in the process, that's your problem.
Support is not provided. There are mailing lists for all these packages, as well as one specific to this toaster. See links in the appendix for more information.
Commercial support is available. See http://merchbox.com/qmail.php for more information. There are also other sources of commercial support for the individual packages. See the respective documentation for each package for further information.
Prerequisites
If you have installed a recent version of your Linux distribution, you shouldn't have any problems, especially if you did a "server" type of install rather than "Desktop". However, this install DOES require that you have the apache web server and PHP installed. Most distributions come with these now. PHP is only required for SquirrelMail. The main issues you might see are missing development libraries, or gdbm, stunnel, kerberos dev files, or openssl. If you are using an rpm based distro, an easy way to make sure they are installed is to use yum, which is likely installed already. Make sure the packages get installed if necessary using this command:
yum install gcc gcc-c++ gdbm gdbm-devel openssl openssl-devel stunnel krb5-devel bzip2 bzip2-devel
Aliases
Some distributions set up aliases for common commands that might interfere with this install. I recommend unaliasing some of the more common ones if you are unsure:
unalias rm mv cp
The original version of this document was written using RedHat Linux 9.0. However, I now use Debian exclusively, and I fully recommend it. Once you get comfortable with apt, you'll never go back!
Debian Notes
The easy way to make sure you have all the proper debian packages installed is to just execute this command:
apt-get install libgdbm-dev gcc g++ patch make libc-dev stunnel libssl-dev libapache2-mod-php4 wget bzip2
In addition, you probably want these things installed as well:
apt-get install man telnet
Lots of Debian packages require an MTA, and Debian defaults to exim4. This obviously can be a problem for qmail. So let's fix that with a dummy equivs package:
# install equivs
apt-get install equivs
# build the dummy mta package
cd /tmp
cp /usr/share/doc/equivs/examples/mail-transport-agent.ctl .
equivs-build mail-transport-agent.ctl
# remove exim4
dpkg --ignore-depends=exim4 -r exim4
dpkg --ignore-depends=exim4-daemon-light -r exim4-daemon-light
dpkg --ignore-depends=exim4-base -r exim4-base
# and install the dummy mta package
dpkg -i /tmp/mta-local_1.0_all.deb
mkdir /var/lock/subsys
Apache's DocumentRoot is in /var/www instead of /var/www/html. What I do is use that, and put SquirrelMail's data directory in /etc/apache.
Apache's cgi-bin directory by default is /usr/lib/cgi-bin. You should use that path when configuring qmailadmin.
SpamAssassin needs many perl libraries. If you plan to use SpamAssassin, then install these libraries now:
apt-get install libdigest-sha1-perl libnet-dns-perl \
libmail-spf-query-perl libgeo-ipfree-perl razor pyzor libnet-ident-perl \
libio-socket-ssl-perl libarchive-tar-perl libio-zlib-perl \
libsys-hostname-long-perl libhtml-parser-perl
ClamAV requires the zlib and zlib-dev packages:
apt-get install zlib1g zlib1g-dev libbz2-dev libgmp3 libgmp3-dev
QmailMRTG7 requires the mrtg package:
apt-get install mrtg
Trustix Notes
Matthew Valentini provided some notes on using this toaster with Trustix 3.0. I have not tested them, I'm just making them available as-is.
Toaster License
This document is covered by the same license as Life With Qmail, and the license is detailed here:
http://www.opencontent.org/opl.shtml
DNS
Before we begin, make sure DNS (the MX record) is properly set up. If you were using "merchbox.com" as your virtual domain, here's how your host lookups would look after setting up DNS:
[shupp@ns1 toaster]$ host -t mx merchbox.com
merchbox.com. mail is handled by 0 mail.merchbox.com.
[shupp@ns1 toaster]$ host -t a mail.merchbox.com
mail.merchbox.com. has address 216.234.249.114
Remove existing smtp/pop/imap servers
Now we must remove any existing installations of sendmail/postfix and disable pop/imap servers. To remove sendmail and postfix from an rpm based distribution, try this:
rpm -e --nodeps sendmail postfix
Unless you have other services that absolutely have to run on this machine, I recommend shutting down inetd or xinetd altogether and removing it from your startup scripts. The only thing you'll need (outside of what we're about to install) is ssh, which is probably installed already. This will likely shut off any pop3 or imap servers, as well as other unnecessary ports. Otherwise, disable them manually.
To be sure that these services are disabled, try telnetting to ports 25, 110, and 143 and make sure your connections are refused.
Download Packages
I keep my software source in /var/src. If you want to put it in another location, substitute that path throughout the commands below.
umask 0022
mkdir -p /var/src/tar
cd /var/src/tar
wget http://cr.yp.to/daemontools/daemontools-0.76.tar.gz
wget http://cr.yp.to/ucspi-tcp/ucspi-tcp-0.88.tar.gz
wget http://shupp.org/software/netqmail-1.05.tar.gz
wget http://shupp.org/software/libdomainkeys-0.68.tar.gz
wget http://shupp.org/patches/libdomainkeys.diff
wget http://shupp.org/patches/qmail-toaster-0.9.1.patch.bz2
wget http://shupp.org/patches/doublebounce-trim.patch
wget http://shupp.org/software/vpopmail-5.4.18.tar.gz
wget http://shupp.org/patches/vpopmail-5.4.18-cumulative.patch
wget http://shupp.org/software/autorespond-2.0.4.tar.gz
wget http://shupp.org/patches/autorespond-2.0.4-2.0.5.patch
wget http://shupp.org/software/qmailadmin-1.2.11.tar.gz
wget http://shupp.org/software/qmailadmin-help-1.0.8.tar.gz
wget http://cr.yp.to/software/ezmlm-0.53.tar.gz
wget http://shupp.org/software/ezmlm-idx-0.443.tar.gz
wget http://shupp.org/software/courier-imap-4.1.2.tar.bz2
wget http://shupp.org/software/courier-authlib-0.59.1.tar.bz2
wget http://shupp.org/patches/vpopmail_courier_cram-1.diff
wget http://shupp.org/software/squirrelmail-1.4.9a.tar.bz2
wget http://shupp.org/software/quota_usage-1.3.1-1.2.7.tar.gz
wget http://shupp.org/software/toaster-scripts-0.9.0.tar.gz
cd ../
tar -xzf tar/netqmail-1.05.tar.gz
cd netqmail-1.05
./collate.sh
Now that you have downloaded all the software packages to /var/src, please go through each of these installation steps as they appear, and in this order, unless you really know what you're doing. (Because if you did, you wouldn't be reading this, right?)
The steps below assume that your "rc" directories are in /etc/ and your "init.d" path is "/etc/init.d". If yours are different, please substitute paths accordingly.
daemontools
daemontools is a collection of tools for managing UNIX services. It will monitor the qmail-send, qmail-smtpd, and qmail-pop3d services.
Info: http://cr.yp.to/daemontools.html
Install:
mkdir -p /package
chmod 1755 /package
cd /package
tar -xpzf /var/src/tar/daemontools-0.76.tar.gz
cd admin/daemontools-0.76
patch -p1 < /var/src/netqmail-1.05/other-patches/daemontools-0.76.errno.patch
package/install
# add the "clear" service
cd ../
mkdir clear
touch clear/down
cat > clear/run <<EOF
#!/bin/sh
yes '' | head -4000 | tr '\n' .
# When you want to clear the service errors, just run this:
# svc -o /service/clear
EOF
chmod +x clear/run
chmod a-w clear/down
ln -s /package/admin/clear /service/clear
To verify that daemontools is running, make sure that `ps ax` reports '/bin/sh /command/svscanboot' and 'svscan /service' as running.
ucspi-tcp
ucspi-tcp contains tcpserver and tcpclient, command line tools for building client-server applications.
Info: http://cr.yp.to/ucspi-tcp.html
Install:
cd /var/src
tar -xzf tar/ucspi-tcp-0.88.tar.gz
cd ucspi-tcp-0.88
patch -p1 < /var/src/netqmail-1.05/other-patches/ucspi-tcp-0.88.errno.patch
# NOTE: If you are on the x86_64 platform, you need to remove the "-O2" argument to gcc in conf-cc.
make
make setup check
qmail
qmail is allegedly the second most popular MTA in use, known for speed and security.
Info: http://www.qmail.org
The patch you will apply later is a composite of these existing patches:
Install:
mkdir /var/qmail
groupadd nofiles
useradd -g nofiles -d /var/qmail/alias alias
useradd -g nofiles -d /var/qmail qmaild
useradd -g nofiles -d /var/qmail qmaill
useradd -g nofiles -d /var/qmail qmailp
groupadd qmail
useradd -g qmail -d /var/qmail qmailq
useradd -g qmail -d /var/qmail qmailr
useradd -g qmail -d /var/qmail qmails
cd /var/src
tar -xzf tar/toaster-scripts-0.9.0.tar.gz
cd netqmail-1.05/netqmail-1.05
# NOTE: RedHat/Fedora users may need to link certain include files for the TLS patch.
# Issue the command below only if make fails:
ln -s /usr/kerberos/include/com_err.h /usr/kerberos/include/krb5.h \
/usr/kerberos/include/profile.h /usr/include/
# as well as remove the sendmail link if it still exists:
rm /usr/sbin/sendmail
make
make setup check
# NOTE: qmail will be patched AFTER vpopmail is installed
# turn on SPF checking
echo 3 > /var/qmail/control/spfbehavior
# Setup the primary administrator's email address.
# This address will receive mail for root, postmaster, and mailer-daemon.
# Replace "[email protected]" with your email address
(cd ~alias; echo "[email protected]" > .qmail-postmaster ;\
echo "[email protected]" > .qmail-mailer-daemon ;\
echo "[email protected]" > .qmail-root )
chmod 644 ~alias/.qmail*
./config-fast `hostname --long`
Configure:
Add the qmail man pages to MANPATH. Edit /etc/man.config
- Add "MANPATH /var/qmail/man"
- NOTE: Debian users should set MANDATORY_MANPATH rather than MANPATH
cd /var/src
cp toaster-scripts-0.9.0/rc /var/qmail/rc
chmod 755 /var/qmail/rc
mkdir /var/log/qmail
echo ./Maildir/ >/var/qmail/control/defaultdelivery
cp toaster-scripts-0.9.0/qmailctl /var/qmail/bin/
chmod 755 /var/qmail/bin/qmailctl
ln -s /var/qmail/bin/qmailctl /usr/bin
ln -s /var/qmail/bin/sendmail /usr/sbin/sendmail
ln -s /var/qmail/bin/sendmail /usr/lib/sendmail
# Now create the supervise directories/scripts for the qmail services:
mkdir -p /var/qmail/supervise/qmail-send/log
mkdir -p /var/qmail/supervise/qmail-smtpd/log
mkdir -p /var/qmail/supervise/qmail-pop3d/log
mkdir -p /var/qmail/supervise/qmail-pop3ds/log
cp /var/src/toaster-scripts-0.9.0/send.run /var/qmail/supervise/qmail-send/run
cp /var/src/toaster-scripts-0.9.0/send.log.run /var/qmail/supervise/qmail-send/log/run
cp /var/src/toaster-scripts-0.9.0/smtpd.run /var/qmail/supervise/qmail-smtpd/run
cp /var/src/toaster-scripts-0.9.0/smtpd.log.run /var/qmail/supervise/qmail-smtpd/log/run
cp /var/src/toaster-scripts-0.9.0/pop3d.run /var/qmail/supervise/qmail-pop3d/run
cp /var/src/toaster-scripts-0.9.0/pop3d.log.run /var/qmail/supervise/qmail-pop3d/log/run
# NOTE: If you are using stunnel version 4, you should use pop3ds.run.v4
# instead of pop3ds.run below.
# Type "stunnel -V" (v. 3) or "stunnel -version" (v. 4) to see what version is installed.
# You will also need to copy over stunnel.conf like so:
#
# cp /var/src/toaster-scripts-0.9.0/stunnel.conf /var/qmail/supervise/qmail-pop3ds/
cp /var/src/toaster-scripts-0.9.0/pop3ds.run /var/qmail/supervise/qmail-pop3ds/run
cp /var/src/toaster-scripts-0.9.0/pop3ds.log.run /var/qmail/supervise/qmail-pop3ds/log/run
echo 20 > /var/qmail/control/concurrencyincoming
chmod 644 /var/qmail/control/concurrencyincoming
chmod 755 /var/qmail/supervise/qmail-send/run
chmod 755 /var/qmail/supervise/qmail-send/log/run
chmod 755 /var/qmail/supervise/qmail-smtpd/run
chmod 755 /var/qmail/supervise/qmail-smtpd/log/run
chmod 755 /var/qmail/supervise/qmail-pop3d/run
chmod 755 /var/qmail/supervise/qmail-pop3d/log/run
chmod 755 /var/qmail/supervise/qmail-pop3ds/run
chmod 755 /var/qmail/supervise/qmail-pop3ds/log/run
mkdir -p /var/log/qmail/smtpd
mkdir -p /var/log/qmail/pop3d
mkdir -p /var/log/qmail/pop3ds
chown -R qmaill /var/log/qmail
# allow daemontools to start qmail
ln -s /var/qmail/supervise/qmail-send /var/qmail/supervise/qmail-smtpd /service
# verify that it's running with qmailctl
sleep 5
qmailctl stat
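The supervise directories above are built by hand, one service at a time. The following shell function is an added example (not part of the toaster or of toaster-scripts) that performs the same steps for one service; it assumes the run scripts are named <short>.run and <short>.log.run under the toaster-scripts directory, as they are above, and makes the roots overridable so it can be tried in a scratch directory first.

```shell
#!/bin/sh
# Added example, not part of the toaster or toaster-scripts: one function that
# performs the per-service steps above (supervise dir, log dir, run scripts,
# permissions, log ownership) so each qmail service is set up the same way.
# Assumption: run scripts are named <short>.run and <short>.log.run under
# $SCRIPTS, as they are in toaster-scripts-0.9.0. Roots are overridable so the
# function can be exercised against a scratch directory.

SUPERVISE_ROOT="${SUPERVISE_ROOT:-/var/qmail/supervise}"
LOG_ROOT="${LOG_ROOT:-/var/log/qmail}"
SCRIPTS="${SCRIPTS:-/var/src/toaster-scripts-0.9.0}"
LOG_USER="${LOG_USER:-qmaill}"      # the user multilog runs as in the *.log.run scripts

# make_service NAME SHORT [LOGDIR]
#   NAME   supervise directory, e.g. qmail-smtpd
#   SHORT  run-script prefix in $SCRIPTS, e.g. smtpd
#   LOGDIR where the log/run script writes; defaults to $LOG_ROOT/SHORT
#          (qmail-send logs to $LOG_ROOT itself, so pass it explicitly)
make_service() {
    name=$1; short=$2; logdir=${3:-$LOG_ROOT/$short}
    svc="$SUPERVISE_ROOT/$name"
    mkdir -p "$svc/log" "$logdir" || return 1
    # Stop rather than leave a half-built service that svscan would try to start.
    cp "$SCRIPTS/$short.run" "$svc/run" || return 1
    cp "$SCRIPTS/$short.log.run" "$svc/log/run" || return 1
    # supervise cannot start a run file that is not executable.
    chmod 755 "$svc/run" "$svc/log/run" || return 1
    # multilog must be able to write the log directory; skip the chown when the
    # user does not exist (e.g. when testing in a scratch directory).
    if id "$LOG_USER" >/dev/null 2>&1; then
        chown -R "$LOG_USER" "$logdir" || return 1
    fi
}

# service_ready NAME
#   Succeeds only when both run scripts exist and are executable, i.e. the
#   service is ready to be linked into /service.
service_ready() {
    svc="$SUPERVISE_ROOT/$1"
    [ -x "$svc/run" ] && [ -x "$svc/log/run" ]
}

# Usage for the services built above (run as root on the real toaster):
#   make_service qmail-send   send   /var/log/qmail
#   make_service qmail-smtpd  smtpd
#   make_service qmail-pop3d  pop3d
#   make_service qmail-pop3ds pop3ds
#   service_ready qmail-smtpd && ln -s /var/qmail/supervise/qmail-smtpd /service
```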
Now let's compile libdomainkeys, we'll need that later:
cd /var/src
tar -xzf tar/libdomainkeys-0.68.tar.gz
cd libdomainkeys-0.68
patch -p0 < ../tar/libdomainkeys.diff
make
Vpopmail
Vpopmail is a virtual domain package add-on for qmail. It can handle multiple domains on a single IP address, and none of the user accounts are /etc/passwd or "system" accounts.
Info: http://vpopmail.sf.net
Install:
groupadd -g 89 vchkpw
useradd -u 89 -g vchkpw vpopmail
cd /var/src
tar -xzf tar/vpopmail-5.4.18.tar.gz
cd vpopmail-5.4.18
patch -p0 < ../tar/vpopmail-5.4.18-cumulative.patch
# NOTE: If you are on the x86_64 platform, you need to set the CFLAGS compiler environment by prefacing the next command with "CFLAGS=-fPIC" , like so: "CFLAGS=-fPIC ./configure ..."
./configure --enable-logging=v
make
make install-strip
# NOTE: If you are on the x86_64 platform, you need to edit cdb/compile to add the -fPIC argument to cc. It should look something like this: 'exec gcc -fPIC -O2 -c ${1+"$@"}' After editing compile, do "make && make install-strip" again.
echo '127.:allow,RELAYCLIENT=""' > ~vpopmail/etc/tcp.smtp
(cd ~vpopmail/etc ; tcprules tcp.smtp.cdb tcp.smtp.tmp < tcp.smtp)
# install the vpopmail start script
cp ../toaster-scripts-0.9.0/vpopmailctl /var/qmail/bin/vpopmailctl
chmod 755 /var/qmail/bin/vpopmailctl
ln -s /var/qmail/bin/vpopmailctl /usr/bin
# add qmail toaster patch now that vpopmail is installed
cd /var/src/netqmail-1.05/netqmail-1.05
bunzip2 -c ../../tar/qmail-toaster-0.9.1.patch.bz2 | patch -p0
make clean
make
qmailctl stop
make setup check
# NOTE: the following command needs to be run after any future re-installs of qmail as it will chown this directory back to qmail
chown -R vpopmail:vchkpw /var/qmail/spam
make cert
# enter your company's information
make tmprsadh
# NOTE: This may take a LONG time
# now add the following line to your crontab via `crontab -e` to update these temp keys each night
01 01 * * * /var/qmail/bin/update_tmprsadh > /dev/null 2>&1
# start qmail back up
qmailctl start
# allow daemontools to start vpopmail
ln -s /var/qmail/supervise/qmail-pop3d /var/qmail/supervise/qmail-pop3ds /service
# verify that it's running with vpopmailctl
sleep 5
vpopmailctl stat
Courier-IMAP
Courier-IMAP will supply IMAP/SIMAP access.
Info: http://www.courier-mta.org/imap/
NOTE: If you are on a system that does not use GNU make, such as FreeBSD, install GNU make and substitute 'gmake' for 'make' during the install of courier-authlib and courier-imap. Most Linux systems use GNU make.
Install Courier's Auth Library:
cd /var/src
tar -xjf tar/courier-authlib-0.59.1.tar.bz2
cd courier-authlib-0.59.1
patch -p0 < ../tar/vpopmail_courier_cram-1.diff
./configure
# NOTE: RedHat/Fedora users need to add "--with-redhat"
make
make install-strip
make install-configure
cp courier-authlib.sysvinit /etc/init.d/courier-authlib
chmod 755 /etc/init.d/courier-authlib
ln -s ../init.d/courier-authlib /etc/rc0.d/K30courier-authlib
ln -s ../init.d/courier-authlib /etc/rc1.d/K30courier-authlib
ln -s ../init.d/courier-authlib /etc/rc2.d/S80courier-authlib
ln -s ../init.d/courier-authlib /etc/rc3.d/S80courier-authlib
ln -s ../init.d/courier-authlib /etc/rc4.d/S80courier-authlib
ln -s ../init.d/courier-authlib /etc/rc5.d/S80courier-authlib
ln -s ../init.d/courier-authlib /etc/rc6.d/K30courier-authlib
Configure:
Edit /usr/local/etc/authlib/authdaemonrc
- Change authmodulelist= "..." to authmodulelist= "authvchkpw"
- Start Authlib's Authdaemon Server
- /etc/init.d/courier-authlib start
Install Courier-IMAP:
cd /var/src
tar -xjf tar/courier-imap-4.1.2.tar.bz2
cd courier-imap-4.1.2
# build as vpopmail
chown -R vpopmail:vchkpw ../courier-imap-4.1.2
su vpopmail
umask 0022
# configure may take some time...
./configure
# NOTE: RedHat/Fedora users need to add '--with-redhat'
make
exit
make install-strip
make install-configure
cp courier-imap.sysvinit /etc/init.d/courier-imap
chmod 755 /etc/init.d/courier-imap
ln -s ../init.d/courier-imap /etc/rc0.d/K30courier-imap
ln -s ../init.d/courier-imap /etc/rc1.d/K30courier-imap
ln -s ../init.d/courier-imap /etc/rc2.d/S80courier-imap
ln -s ../init.d/courier-imap /etc/rc3.d/S80courier-imap
ln -s ../init.d/courier-imap /etc/rc4.d/S80courier-imap
ln -s ../init.d/courier-imap /etc/rc5.d/S80courier-imap
ln -s ../init.d/courier-imap /etc/rc6.d/K30courier-imap
Configure:
Edit /usr/lib/courier-imap/etc/imapd
Edit /usr/lib/courier-imap/etc/imapd-ssl
- Change 'IMAPDSTART=NO' to 'IMAPDSTART=YES'
- add " AUTH=CRAM-MD5" to IMAP_CAPABILITY to enable secure authentication (CRAM-MD5)
- Change 'IMAPDSSLSTART=NO' to 'IMAPDSSLSTART=YES'
- optional: The first time courier-imap is started, the SSL certificate is created using 'localhost' as the 'common name'. If you want to change this to match your hostname, customize the CN line in /usr/lib/courier-imap/etc/imapd.cnf (and pop3d.cnf if you choose to use courier's pop3d) so that the common name matches your server name BEFORE you start the server for the first time.
Start IMAP server
/etc/init.d/courier-imap start
SquirrelMail
SquirrelMail is a web-based IMAP client.
Info: http://www.squirrelmail.org
NOTE: This section assumes that your apache ServerRoot is /var/www and that your DocumentRoot is /var/www/html, and also that your web server runs as apache:apache
Install:
cd /var/src
tar -xjf tar/squirrelmail-1.4.9a.tar.bz2
cd squirrelmail-1.4.9a
cd plugins
tar -xzf ../../tar/quota_usage-1.3.1-1.2.7.tar.gz
cp quota_usage/config.php.sample quota_usage/config.php
cd ../
./configure
Here you will have to set a few options:
- go to Server Settings (2), Server Software (8) and change the Server Software from "other" to "courier" (a)
- From the main menu, go to General Options (4) and change Data Directory (2) to "/var/www/data/", change "Allow server thread sort" (10) to y, and change "Allow server-side sorting" (11) to y.
- From the main menu, go to Plugins and enable the quota_usage plugin, along with any others you prefer
- Save settings
- quit
# move the data directory into place and change permissions to the user:group that the web server runs as:
mv data /var/www/
chown -R apache:apache /var/www/data
# install squirrelmail
cd ../
mv squirrelmail-1.4.9a /var/www/html/
autorespond
Autorespond is a compatible autoresponder/vacation-type tool that works well with vdelivermail and qmailadmin.
Info: http://qmailadmin.sf.net
Install:
cd /var/src
tar -xzf tar/autorespond-2.0.4.tar.gz
cd autorespond-2.0.4
patch -p1 < ../tar/autorespond-2.0.4-2.0.5.patch
make
make install
ezmlm-idx
Fast, full-featured mailing list manager, configurable from qmailadmin.
Info: http://www.ezmlm.org
Install:
cd /var/src
tar -xzf tar/ezmlm-0.53.tar.gz
tar -xzf tar/ezmlm-idx-0.443.tar.gz
mv ezmlm-idx-0.443/* ezmlm-0.53/
cd ezmlm-0.53
patch -p0 < idx.patch
make
make setup
QmailAdmin
QmailAdmin can handle nearly all virtual email administration tasks for you from a web browser, except for adding and removing virtual domains.
Info: http://sourceforge.net/projects/qmailadmin
Install:
cd /var/src
tar -xzf tar/qmailadmin-1.2.11.tar.gz
cd qmailadmin-1.2.11
./configure --enable-help --enable-htmldir=/var/www/html --enable-cgibindir=/var/www/cgi-bin
make
make install-strip
cd ../
tar -xzf tar/qmailadmin-help-1.0.8.tar.gz
cd qmailadmin-help-1.0.8
mkdir /var/www/html/images/qmailadmin/help
cp -rp * /var/www/html/images/qmailadmin/help
Your toaster installation is done! Now we're ready to take it for a test drive.
Here we'll add a virtual domain, 'test.com', and test sending/receiving mail. Substitute 'test.com' with whatever domain you set up DNS for.
# Add the domain to vpopmail
/home/vpopmail/bin/vadddomain test.com [password]
This creates the default "postmaster" account for test.com. You will use this account with qmailadmin. Try adding/removing users with qmailadmin here:
http://mail.test.com/cgi-bin/qmailadmin
To test out quota usage support, create a user with a 6MB quota like so:
/home/vpopmail/bin/vadduser -q 6MB [email protected] [password]
# verify the user settings, and create the "maildirsize" file
/home/vpopmail/bin/vuserinfo [email protected]
Now, to log into SquirrelMail as [email protected], point your browser here:
http://mail.test.com/squirrelmail-1.4.9a/
Send yourself a message. If you get it, it's likely you're up and running.
To test your POP server, try telnetting to port 110 and logging in.
# telnet localhost 110
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
+OK <25248.1175148975@localhost>
user [email protected]
+OK
pass [password]
+OK logged in.
quit
+OK
Connection closed by foreign host.
Test your IMAP server in the same way:
# telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
* OK Courier-IMAP ready. Copyright 1998-2001 Double Precision, Inc. See COPYING for distribution information.
a001 login [email protected] [password]
a001 OK LOGIN Ok.
a001 logout
* BYE Courier-IMAP server shutting down
a001 OK LOGOUT completed
Connection closed by foreign host.
To test your SSL/TLS connections, all you need to do is duplicate the same tests above, but use openssl's s_client tool to handle encryption.
# for pop:
openssl s_client -connect localhost:995
# for imap:
openssl s_client -connect localhost:993
# for smtp/tls:
openssl s_client -crlf -starttls smtp -connect localhost:25
NOTE: If you get an error like this:
20656:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:473:
your qmail install might need the cipher lists. Debian does this, I don't know why. The following will fix it:
openssl ciphers > /var/qmail/control/tlsclientciphers
Here, you can add 4 tools that together will prevent viruses from reaching your system via email, and tag spam for client filtering.
SpamAssassin
SpamAssassin is the leading open source spam scanner. We'll be installing SpamAssassin via CPAN below.
NOTE: Debian users should have installed the SpamAssassin prerequisites during 'Debian Notes' earlier. RPM distributions may want to use 'yum install spamassassin' instead of CPAN below, so that you get all the dependencies. If the RPM of SpamAssassin is out of date, you could then simply do 'yum remove spamassassin' and follow the CPAN installation below, as you'll have the dependencies.
Info: http://www.spamassassin.org
Install:
cd /root
perl -MCPAN -e shell
o conf prerequisites_policy ask
install Mail::SpamAssassin
quit
# run spamd under daemontools
mkdir -p /var/qmail/supervise/spamd/log
mkdir -p /var/log/spamd
chown qmaill /var/log/spamd
cp /var/src/toaster-scripts-0.9.0/spamd.run /var/qmail/supervise/spamd/run
cp /var/src/toaster-scripts-0.9.0/spamd.log.run /var/qmail/supervise/spamd/log/run
chmod 755 /var/qmail/supervise/spamd/run
chmod 755 /var/qmail/supervise/spamd/log/run
cp /var/src/toaster-scripts-0.9.0/local.cf /etc/mail/spamassassin/local.cf
mkdir /etc/mail/spamassassin/.spamassassin/
chown vpopmail /etc/mail/spamassassin/.spamassassin/
ln -s /var/qmail/supervise/spamd /service
ClamAV
This open source virus scanner will be called by simscan.
Info: http://clamav.sf.net
NOTE: You need gmp-devel installed to verify the digital signatures of the virus database.
Install:
groupadd clamav
useradd -g clamav clamav
cd /var/src/tar
wget http://shupp.org/software/clamav-0.90.2.tar.gz
wget http://shupp.org/patches/clamav-0.90.2.patch
cd ../
tar -xzf tar/clamav-0.90.2.tar.gz
cd clamav-0.90.2
patch -p0 < ../tar/clamav-0.90.2.patch
./configure
make
make install-strip
# setup freshclam
touch /var/log/freshclam.log
chmod 600 /var/log/freshclam.log
chown clamav /var/log/freshclam.log
cp /var/src/toaster-scripts-0.9.0/freshclam /etc/init.d/freshclam
chmod 755 /etc/init.d/freshclam
ln -s ../init.d/freshclam /etc/rc0.d/K30freshclam
ln -s ../init.d/freshclam /etc/rc1.d/K30freshclam
ln -s ../init.d/freshclam /etc/rc2.d/S80freshclam
ln -s ../init.d/freshclam /etc/rc3.d/S80freshclam
ln -s ../init.d/freshclam /etc/rc4.d/S80freshclam
ln -s ../init.d/freshclam /etc/rc5.d/S80freshclam
ln -s ../init.d/freshclam /etc/rc6.d/K30freshclam
# add freshclam.log to logrotate
cp /var/src/toaster-scripts-0.9.0/freshclam.logrotate /etc/logrotate.d/freshclam
# run clamd under daemontools
mkdir -p /var/qmail/supervise/clamd/log
mkdir -p /var/log/clamd
chown clamav /var/log/clamd
cp ../toaster-scripts-0.9.0/clamd.run /var/qmail/supervise/clamd/run
cp ../toaster-scripts-0.9.0/clamd.log.run /var/qmail/supervise/clamd/log/run
chmod 755 /var/qmail/supervise/clamd/run
chmod 755 /var/qmail/supervise/clamd/log/run
# Start clamd and freshclam
ln -s /var/qmail/supervise/clamd /service
/etc/init.d/freshclam start
ripmime
ripmime is a tool for extracting MIME attachments from email, and is used by simscan.
Info: http://www.pldaniels.com/ripmime/
Install:
cd /var/src/tar
wget http://shupp.org/software/ripmime-1.4.0.6.tar.gz
cd ..
tar -xzf tar/ripmime-1.4.0.6.tar.gz
cd ripmime-1.4.0.6
make
make install
Simscan
Your qmail installation is already patched (qmail-queue patch) to support simscan, a new tool for using virus/spam scanners with qmail. The nice thing is that it prevents viruses (and optionally spam) from even getting into your queue. This is different from qmail-scanner, which will quarantine infected messages instead of stopping them at the SMTP level.
Info: http://inter7.com/?page=simscan
Install:
cd /var/src/tar
wget http://shupp.org/software/simscan-1.3.1.shupp2.tar.gz
cd ../
tar -xzf tar/simscan-1.3.1.shupp2.tar.gz
cd simscan-1.3.1.shupp2
./configure --enable-user=clamav \
--enable-clamav=y \
--enable-spam=y \
--enable-spam-passthru=y \
--enable-per-domain=y \
--enable-ripmime \
--enable-attach=y \
--enable-received=y
make
make install-strip
# add default rules for simscan
echo ":clam=yes,spam=yes,spam_passthru=yes,attach=.vbs:.lnk:.scr:.wsh:.hta:.pif" > /var/qmail/control/simcontrol
# update /var/qmail/control/simcontrol.cdb
/var/qmail/bin/simscanmk
# put versions for received header in /var/qmail/control/simversions.cdb
/var/qmail/bin/simscanmk -g
# turn on scanning
echo ':allow,QMAILQUEUE="/var/qmail/bin/simscan"' >> ~vpopmail/etc/tcp.smtp
qmailctl cdb
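The tcp.smtp rules written at the vpopmail step (RELAYCLIENT for 127.) and extended here (QMAILQUEUE for the default rule) decide who may relay and which mail is scanned. The following shell functions are an added example, not part of the toaster, that audit such a file for a default rule granting RELAYCLIENT (an open relay) and for a source file newer than its .cdb (edits that are not yet live because `qmailctl cdb` has not been run); the file path is a parameter and the rules used in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the toaster: sanity checks for a tcprules file such as
# ~vpopmail/etc/tcp.smtp. Each line is ADDRESS:INSTRUCTION, where ADDRESS is an
# IP prefix like "127." and an empty ADDRESS is the default rule that matches
# every client. RELAYCLIENT="" on the default rule turns the server into an
# open relay.

# relay_grants FILE
#   Prints the address prefix of every rule that sets RELAYCLIENT, one per
#   line, printing "<default>" for the empty (match-everything) prefix.
relay_grants() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blank lines
        {
            i = index($0, ":")                 # split on the FIRST colon only;
            if (i == 0) next                   # values after it may contain colons
            addr = substr($0, 1, i - 1)
            rule = substr($0, i + 1)
            if (rule ~ /RELAYCLIENT/)
                print (addr == "" ? "<default>" : addr)
        }' "$1"
}

# open_relay FILE
#   Succeeds (exit 0) when the default rule grants relaying to everyone.
open_relay() {
    relay_grants "$1" | grep -qx '<default>'
}

# cdb_stale FILE
#   Succeeds when FILE.cdb is missing or older than FILE: tcpserver reads only
#   the .cdb, so edits to tcp.smtp do nothing until "qmailctl cdb" rebuilds it.
cdb_stale() {
    [ ! -e "$1.cdb" ] || [ "$1" -nt "$1.cdb" ]
}

# audit_tcp_smtp FILE
#   Prints findings and returns non-zero if anything needs attention.
audit_tcp_smtp() {
    f=$1; status=0
    if open_relay "$f"; then
        echo "FAIL: $f grants RELAYCLIENT on the default rule (open relay)"
        status=1
    fi
    if cdb_stale "$f"; then
        echo "WARN: $f.cdb is missing or older than $f; run: qmailctl cdb"
        status=1
    fi
    echo "relay allowed from:"
    relay_grants "$f" | sed 's/^/  /'
    return $status
}

# Usage on the toaster: audit_tcp_smtp ~vpopmail/etc/tcp.smtp
```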
TMDA
If you want the option to be very aggressive about spam control, TMDA (Tagged Message Delivery Agent) is a challenge-based tool that requires a sender to confirm their sending address before the incoming message is delivered. I don't use it myself, but many people do.
Info: http://www.tmda.net
Install:
cd /var/src/tar
wget http://shupp.org/software/tmda-1.1.11.tgz
wget http://shupp.org/software/tmda-cgi-0.16.3.tar.bz2
wget http://shupp.org/patches/tmda-cgi-parent_re.patch
cd ../
tar -xzf tar/tmda-1.1.11.tgz
cd tmda-1.1.11
./compileall
cd ../
mv tmda-1.1.11 /usr/local/
ln -s /usr/local/tmda-1.1.11 /usr/local/tmda
# Now we'll install the vpopmail related scripts
cp /var/src/toaster-scripts-0.9.0/vadduser-tmda /home/vpopmail/bin/
cp /var/src/toaster-scripts-0.9.0/vpopmail-vdir.sh /home/vpopmail/bin/
cp /var/src/toaster-scripts-0.9.0/vtmdarc /home/vpopmail/etc/
# Setup tmda-ofmipd
mkdir -p /var/qmail/supervise/tmda-ofmipd/log
mkdir -p /var/qmail/supervise/tmda-ssl/log
mkdir /var/log/tmda-ofmipd/
mkdir /var/log/tmda-ssl/
chown vpopmail /var/log/tmda-*
cp /var/src/toaster-scripts-0.9.0/tmda-ofmipd.run /var/qmail/supervise/tmda-ofmipd/run
cp /var/src/toaster-scripts-0.9.0/tmda-ofmipd.log.run /var/qmail/supervise/tmda-ofmipd/log/run
# NOTE: If you are using stunnel version 4, you should use tmda.ssl.run.v4 instead of tmda-ofmipd.ssl.run below. Type 'stunnel -V' (v. 3) or 'stunnel -version' (v. 4) to see what version is installed. You will also need to copy over stunnel.conf like so: cp /var/src/toaster-scripts-0.9.0/tmda-stunnel.conf /var/qmail/supervise/tmda-ssl/stunnel.conf
cp /var/src/toaster-scripts-0.9.0/tmda-ofmipd.ssl.run /var/qmail/supervise/tmda-ssl/run
cp /var/src/toaster-scripts-0.9.0/tmda-ofmipd.ssl.log.run /var/qmail/supervise/tmda-ssl/log/run
chmod 755 /var/qmail/supervise/tmda-ofmipd/run
chmod 755 /var/qmail/supervise/tmda-ofmipd/log/run
chmod 755 /var/qmail/supervise/tmda-ssl/run
chmod 755 /var/qmail/supervise/tmda-ssl/log/run
ln -s /var/qmail/supervise/tmda-ofmipd /var/qmail/supervise/tmda-ssl /service/
# Setup tmda-cgi
cd /var/src
tar -xjf tar/tmda-cgi-0.16.3.tar.bz2
cd tmda-cgi-0.16.3
patch -p0 < ../tar/tmda-cgi-parent_re.patch
rm -r skel/uninstall/%\(Parent\)s/
cd ../
mv tmda-cgi-0.16.3 /usr/local/
cd /usr/local/tmda-cgi-0.16.3
./configure \
-t /var/www/cgi-bin/tmda.cgi \
-p /home/vpopmail/bin/vchkpw \
-m single-user \
-l "vpopmail1 /home/vpopmail/bin/vuserinfo ~" \
-i /usr/local/tmda-cgi-0.16.3/ \
-d /display
# NOTE: If you installed vpopmail somewhere other than /home/vpopmail, you'll need to update references in defaults.ini here
make
make install
chown vpopmail:vchkpw /var/www/cgi-bin/tmda.cgi
chmod ug+s /var/www/cgi-bin/tmda.cgi
Now, you'll need to add an Alias directive to your web server. Add the following to /etc/httpd/httpd.conf (or wherever your conf file is), and restart Apache:
Alias /display /usr/local/tmda-cgi-0.16.3/display/
Now, you should be able to point your browser to /cgi-bin/tmda.cgi, log in with your email address and password, and add/edit/remove tmda for your account. Note that the .qmail files created by tmda WILL show up in QmailAdmin.
QmailMRTG7
This is a great tool for graphing your mail server's activity.
Info: http://inter7.com/?page=qmailmrtg7
Install:
cd /var/src/tar
mkdir /var/www/html/qmailmrtg
wget http://shupp.org/software/qmailmrtg7-4.2.tar.gz
wget http://shupp.org/patches/qmailmrtg7-4.2-cfg.patch
cd ../
tar -xzf tar/qmailmrtg7-4.2.tar.gz
cd qmailmrtg7-4.2
patch -p0 < ../tar/qmailmrtg7-4.2-cfg.patch
make
make install
# Edit qmail.mrtg.cfg and change all instances of FQDN to your hostname
cp qmail.mrtg.cfg /etc/
indexmaker --section=title /etc/qmail.mrtg.cfg > /var/www/html/qmailmrtg/index.html
# now run mrtg 3 times to get rid of initial cron errors
env LANG=C mrtg /etc/qmail.mrtg.cfg
env LANG=C mrtg /etc/qmail.mrtg.cfg
env LANG=C mrtg /etc/qmail.mrtg.cfg
Add the following line to your crontab
0-55/5 * * * * env LANG=C /usr/bin/mrtg /etc/qmail.mrtg.cfg > /dev/null