1.1 Creating Users & Groups for Qmail & Vpopmail
We add groups and users with special gid (group id) and uid (user id). It is necessary for the security.
Group and user should be set to "89" under Redhat.
Group/user 98 is in use by ident
mkdir /var/qmail
groupadd -g 98 vchkpw
useradd -u 98 -g 98 -c Vpopmail-Master -d /home/vpopmail -s /bin/false vpopmail
groupadd -g 91 nofiles
groupadd -g 92 qmail
useradd -u 91 -g 91 -d /var/qmail/alias -s /bin/false alias
useradd -u 92 -g 91 -d /var/qmail -s /bin/false qmaild
useradd -u 93 -g 91 -d /var/qmail -s /bin/false qmaill
useradd -u 94 -g 91 -d /var/qmail -s /bin/false qmailp
useradd -u 95 -g 92 -d /var/qmail -s /bin/false qmailq
useradd -u 96 -g 92 -d /var/qmail -s /bin/false qmailr
useradd -u 97 -g 92 -d /var/qmail -s /bin/false qmails Under redhat/fedora change the uid(97) to 90, because the dovecot programs used it.
echo "/bin/false" >> /etc/shells Only if you don't have this line in /etc/shells
1.2 Make directories for Logging and Special Modules
mkdir /var/log/qmail
mkdir /var/log/qmail/qmail-send
mkdir /var/log/qmail/qmail-smtpd
mkdir /var/log/qmail/qmail-pop3d
chown -R qmaill.root /var/log/qmail
chmod -R 750 /var/log/qmail
1.3 Install of qmail / netqmail
Now, I use netqmail which is a *version* of qmail with a lot of patch (
http://qmail.agarik.com/netqmail/CHANGES).
Why qmail does not include all that stuff ?
Because of the licence used by djb.
wget http://qmail.agarik.com/netqmail-1.05.tar.gz
tar -zxvf netqmail-1.05.tar.gz
cd netqmail-1.05/
./collate.sh
cd netqmail-1.05
You should get something like :
You should see 7 lines of text below. If you see anything
else, then something might be wrong.
[1] Extracting qmail-1.03...
tar: Read 1024 bytes from -
[2] Patching qmail-1.03 into netqmail-1.05. Look for errors below:
24
[4] The previous line should say 24 if you used GNU patch.
[5] Renaming qmail-1.03 to netqmail-1.05...
[6] Continue installing qmail using the instructions found at:
[7] http://www.lifewithqmail.org/lwq.html#installation
Edit the file
conf-split (it will increase the queue subdirectory split) If the queue will be stored on ReiserFS, set conf-split to 1.
23
;replace 23 with 199
then
conf-spawn It is the silent concurrency limit control file
120
;replace 120 with 255
Compile qmail :
wget http://www.qmail.org/qmail-1.03-mfcheck.3.patch
wget http://sylvestre.ledru.info/howto/qmail/netqmail-maildir++.patch
patch -p1 < qmail-1.03-mfcheck.3.patch
patch -p1 < netqmail-maildir++.patch Enable the quota for maildir
make WITH_QMAILQUEUE_PATCH=yes setup check WITH_QMAILQUEUE_PATCH is set to specify that we will use qmail-scanner
./config-fast tractopel.ecranbleu.orgChange it for your host
echo 255 > /var/qmail/control/concurrencyremote
chmod 644 /var/qmail/control/concurrencyremote
echo 1 > /var/qmail/control/mfcheck Only if you want to do a dns check immediatly at the smtp connexion
You may have to patch daemontools in order to compile it with the Glib v. 2.3.1
mkdir /package
chmod 1755 /package
cd /package
wget http://cr.yp.to/daemontools/daemontools-0.76.tar.gz
tar -zxvf daemontools-0.76.tar.gz
mv admin/daemontools-0.76/ daemontools-0.76
rmdir admin/
wget http://www.qmail.org/moni.csi.hu/pub/glibc-2.3.1/daemontools-0.76.errno.patch
patch -p0 < daemontools-0.76.errno.patch
cd daemontools-0.76/
./package/install
cd ..
rm daemontools-0.76.tar.gz daemontools-0.76.errno.patch
You may want to remove the respawn of qmail (it is a very borring option when you have to shutdown qmail). To do that, you have to edit
/etc/inittab andcomment the last line (
SV:123456:respawn:/command/svscanboot) and kill -HUP 1. -- remove other smtp if you already have one installed
for example, comment smtp/pop/imap stuff in /etc/inetd.conf or /etc/xinetd.conf
remove exim in /etc/rc2.d/
If you want to check if it works or not, check if you have links in this directory /command/ pointing to /package/daemontools/command/.wget http://mesh.dl.sourceforge.net/sourceforge/courier/maildrop-2.0.2.tar.bz2
tar -jxvf maildrop-2.0.2.tar.bz2
cd maildrop-2.0.2/
./configure
make
make install
cd ..
You may have to insall pcre (
apt-get install libpcre3-dev under Debian)
Check :
if the file /usr/local/bin/maildrop existsTCPserver is used to manage network connexions and also the roaming (POP/IMAP before SMTP, allow a user to use the SMTP once he checked his emails).
Here, for the roaming, there is two solutions :
- the classical way with the famous ~vpopmail/etc/tcp.smtp
- store all the relay in the Mysql database (
more info)
Which one is the best ?
Well, it really depends want you need. If you want to configure a multiserver mail server, the Mysql solution is very good. This solution has also the advantage to be quite easy to maintaint (I had a few times troubles with the tcp.smtp file: I had to rehash the file by hand which is a bit borring).
Common part : wget http://cr.yp.to/ucspi-tcp/ucspi-tcp-0.88.tar.gz
tar -zxvf ucspi-tcp-0.88.tar.gz
cd ucspi-tcp-0.88
wget http://www.qmail.org/moni.csi.hu/pub/glibc-2.3.1/ucspi-tcp-0.88.a_record.patch
patch -p1 < ucspi-tcp-0.88.a_record.patch
wget http://www.qmail.org/moni.csi.hu/pub/glibc-2.3.1/ucspi-tcp-0.88.errno.patch
patch -p1 < ucspi-tcp-0.88.errno.patch
wget http://www.qmail.org/moni.csi.hu/pub/glibc-2.3.1/ucspi-tcp-0.88.nobase.patch
patch -p1 < ucspi-tcp-0.88.nobase.patch
All the three patches here are used to fix a compilation issue with a recent glibc.
Classical way (~vpopmail/tcp.smtp) : -- relay permissions
edit /home/vpopmail/etc/tcp.smtp
127.0.0.1:allow,RELAYCLIENT=""
198.168.1.:allow,RELAYCLIENT="" Change this address to your network
:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
/usr/local/bin/tcprules /home/vpopmail/etc/tcp.smtp.cdb /home/vpopmail/etc/tcp.smtp.tmp < /home/vpopmail/etc/tcp.smtp
chmod 644 /home/vpopmail/etc/tcp.smtp.cdb
The MySQL way : First, under fedora, you have to edit the conf-ld file in order to add the path to the mysql lib.
wget http://sylvestre.ledru.info/howto/qmail/ucspi-tcp-0.88-mysql.patch
patch -p0 < ucspi-tcp-0.88-mysql.patch
For this part, you will need the mysql developement library.
apt-get install libmysqlclient10-dev (debian)
Then, you need to create the configuration in order to access to the mysql database. Edit the
/var/qmail/control/sql file and change the values to match your configuration.
server sql.mailserver.com
port 3306
database vpopmail
table relay
user vpopmail_edit
pass vpass
time 1800
The table structure is :
CREATE TABLE relay (
ip_addr char(18) NOT NULL default '',
timestamp char(12) default NULL,
PRIMARY KEY (ip_addr)
);
For the mysql configuration, just look few lines under.
If you want to had an "always authorized ip address" for the SMTP, you have to insert an record by hand. For example, you may (will) want to authorized 127.0.0.1 to use the smtp server all the time :
mysql> insert into relay (ip_addr) values ('127.0.0.1');
mysql> select * from relay;
| + | ---------------------- | + | -------------------- | + |
| | | ip_addr | | | timestamp | | |
| + | ---------------------- | + | -------------------- | + |
| | | 62.210.141.XX | | | 1094032768 | | |
| | | 217.167.120. | | | NULL | | |
| | | 80.201.115.XX | | | 1094032739 | | |
| | | 212.239.131.XX | | | 1094027678 | | |
| | | 127.0.0.1 | | | NULL | | |
| + | ---------------------- | + | -------------------- | + |
5 rows in set (0.00 sec)
Common : make
make setup check
mkdir -p /home/vpopmail/etc/
Vpopmail is used as virtual POP server (ie it is not at all linked with the /etc/passwd file).
Create a vpopmail database and two users. The first one who can access and the other one who can modify the database. For example, connect to mysql (
mysql -u root -p) and :
mysql> create database vpopmail;
mysql> grant update, create, delete, insert, select on vpopmail.* to vpopmail_edit@localhost identified by "vpass"; Change localhost to the vpopmail host and the password
mysql> flush privileges;
If the following line works, the vpopmail database should work.
[sly@reloaded] ~$ mysql -h localhost -u vpopmail_edit -pvpass vpopmail
If you get problems, you should look the
mysql documentation With vpopmail 5.4.X, which is the lastest version of vpopmail (release as stable the 1 february 2004)
wget http://heanet.dl.sourceforge.net/sourceforge/vpopmail/vpopmail-5.4.17.tar.gz
tar -zxvf vpopmail-5.4.17.tar.gz
mkdir -p ~vpopmail/etc/
cd vpopmail-5.4.17/
echo "localhost|0|vpopmail_edit|vpass|vpopmail" > ~vpopmail/etc/vpopmail.mysql
Change your informations
chown vpopmail.vchkpw ~vpopmail/etc/vpopmail.mysql
chmod 640 ~vpopmail/etc/vpopmail.mysql
apt-get install libmysqlclient10-dev If you are under debian, otherwise, you must have the mysql sources available
apt-get install zlib1g-dev If you are under debian, otherwise, you must have these sources available (Thanks to Ken MacFerrin).
./configure --enable-roaming-users=y --enable-logging=y --enable-ip-alias-domains=y --enable-auth-module=mysql --enable-clear-passwd=n --enable-libdir=/usr/include/mysql/ --enable-tcpserver-path=/home/vpopmail/etc/ --enable-tcpserver-file=/home/vpopmail/etc/tcp.smtp --enable-qmail-ext --enable-logging=e --enable-tcprules-prog=/usr/local/bin/tcprules --enable-rebuild-tcpserver-file --enable-domainquotas For redhat/fedora, change /usr/include/mysql to /usr/lib/mysql
If you use the mysql relay solution for tcpserver, remove --enable-tcpserver-file=/home/vpopmail/etc/tcp.smtp
make
make install-strip
The roaming option means that if a user check his email, it will open the smtp just for this user.
Now, edit the crontab with :
crontab -e
and add this inside :
40 * * * * /home/vpopmail/bin/clearopensmtp 2>&1 > /dev/null
Every time clearopensmtp is run, list of IP's which can relay through the smtp server is checked for time stamps which are older than the --enable-relay-clear-minutes option (The default is 3 hours). And it will delete too old "connections".
If you want to check if it works or not, try /home/vpopmail/bin/vadddomain if you get some "vmysql: sql error[c]: MySQL server has gone away" or "Failed while attempting to add user to auth backend", you may have some trouble with your mysql account configuration. (If you don't get anything, that works !) It is an autoresponder which allows an automatic return email to be sent to the original sender.
wget http://www.inter7.com/devel/autorespond-2.0.2.tar.gz
tar -zxvf autorespond-2.0.2.tar.gz
cd autorespond-2.0.2
make
make install
wget ftp://mirrors.kernel.org/gnu/gdbm/gdbm-1.8.3.tar.gz
tar -zxvf gdbm-1.8.3.tar.gz
cd gdbm-1.8.3/
./configure
make
make install
Ezmlm is the mailing list manager.
wget http://sylvestre.ledru.info/howto/qmail/ezmlm-idx-0.40.tar.gz
wget http://cr.yp.to/software/ezmlm-0.53.tar.gz
wget http://www.qmail.org/moni.csi.hu/pub/glibc-2.3.1/ezmlm-idx-0.53.400.unified_41.patch
tar -zxvf ezmlm-0.53.tar.gz
tar -zxvf ezmlm-idx-0.40.tar.gz
mv ezmlm-idx-0.40/* ezmlm-0.53/
cd ezmlm-0.53
patch < idx.patch
patch < ../ezmlm-idx-0.53.400.unified_41.patch
edit sub_mysql/conf-sqlld
replace:
-L/usr/lib/mysql -lmysqlclient -lnsl -lm
by:
-L/usr/local/lib/mysql -lmysqlclient -lm
make clean
make
make man
make setup
I wrote some bit about
spamassassin with qmail, it is almost the same thing...
Spamassassin is a very powerfull program which checks if the receveid email is a spam or not. The analys is based on a list of mark. If the sum of all the mark exceed a specified amount (for example 5), the email will be tagged (****SPAM**** in the topic).
With this, it is very easy to create a rule which will move all emails into a specific directory (i.e. trash:).
apt-get install spamassassin If you use debian sarge (ie testing)
wget http://old.spamassassin.org/released/Mail-SpamAssassin-2.64.tar.gz
tar -zxvf Mail-SpamAssassin-2.64.tar.gz
cd Mail-SpamAssassin-2.64
perl Makefile.PL
make
make install
cp spamd/debian-rc-script.sh /etc/init.d/spamassassin You can replace debian by redhat, solaris, netbsd, suse ...
chmod +x /etc/init.d/spamassassin
Edit /etc/init.d/spamassassin
change DAEMON=/usr/sbin/spamd to :
DAEMON=/usr/bin/spamd
Create the file /etc/default/spamassassin with this 2 lines :
ENABLED=1
OPTIONS="-v -m 50 --auto-whitelist"
With that stuff, you can launch spamd which is bascilly a spamassassin deamon (provides great performances).
-m 50 : 50 childs
-v : vpopmail config
--auto-whitelist : Use auto whitelist (friend list)
Then, edit /etc/mail/spamassassin/local.cf (for
more details)
required_hits 5.0
add_header all Report _REPORT_
rewrite_header Subject 1
add_header spam Flag _YESNOCAPS_
add_header all Status _YESNO_, score=_SCORE_ required=_REQD_ tests=_TESTS_ autolearn=_AUTOLEARN_ version=_VERSION_
add_header all Level _STARS(*)_
add_header all Checker-Version SpamAssassin _VERSION_ (_SUBVERSION_) on _HOSTNAME_
dns_available yes
dcc_add_header 0
skip_rbl_checks 0
bayes_auto_learn 1
use_bayes 1
bayes_path /var/qmail/spamassassin/
auto_whitelist_path /var/qmail/spamassassin/auto_whitelist
use_pyzor 1 (Only if you have installed pyzor)
use_razor2 1 (Only if you have installed razor2)
Then start the spamassassin server and test it :
/etc/init.d/spamassassin start
spamc < sample-spam.txt It will produce the test spam result
spamc < sample-nonspam.txt It should return the original email
For the spam, you should get :
X-Spam-Level: **************************************************
X-Spam-Status: Yes, hits=1000.0 required=6.0 tests=GTUBE autolearn=no version=2.60
This should be enough to use SpamAssassin on the whole system.
Before the clamav installation, you have to install unzoo, unrar, lha, arj and unzip (in order to unpack email attachements).
Under debian : apt-get install clamav
groupadd clamav
useradd -g clamav -s /bin/false -c "Clam AntiVirus" clamav
[ Install the source version of clamav ]
In the file /etc/clamav/clamd.conf, change the line :
User clamav
to
User qscand
Then, change the property of the running directory :
chown -R qscand. /var/run/clamav/
And the restart clamav
Qmail-scanner is an email parser (like Amavis) which means that qmail-scanner will parse the email and call spamassassin and/or clamav in order to check what they have to check.
I now use a patched version a qmail-scanner which enabled great features like auto delete/reject/quarantine spam over a specified score but also to select which scanners will be used for a domain and even for a user, then, it is possible to configure the spamassassin / antivirus just for one domain/user.
You need perl-suid. (apt-get install perl-suid)
wget http://heanet.dl.sourceforge.net/sourceforge/qmail-scanner/qmail-scanner-2.01.tgz
wget http://toribio.apollinare.org/qmail-scanner/download/q-s-2.01st-20060626.patch.gz
tar -zxvf qmail-scanner-2.01.tgz If you are updating your system, don't forget to delete the old source tree
gunzip q-s-2.01st-20060626.patch.gz
cd qmail-scanner-2.01
patch -p1 < ../q-s-2.01st-20060626.patch
groupadd qscand
useradd -c "Qmail-Scanner Account" -g qscand -s /bin/false qscand
./configure --domain trunks.ecranbleu.org \
--admin postmaster \
--local-domains "`cat /var/qmail/control/rcpthosts | tr "\n" ","`" \
--add-dscr-hdrs yes \
--dscr-hdrs-text "X-Antivirus-ecranbleu" \
--ignore-eol-check yes \
--sa-quarantine 0 \
--admin-fromname "Mail admin" \
--settings-per-domain yes \ In a recent version qmail-scanner st, the name of this parameter changed from scanners-per-domain to settings-per-domain. You have also to rename your scanners_per_domain.txt file to settings-per-domain.txt
--sa-delete 5 \
--sa-reject no \
--sa-subject "*****SPAM*****" \
--sa-alt no \
--sa-debug no \
--notify sender,recips \
--redundant yes
cp qmail-scanner-queue.pl /var/qmail/bin/
If you are updating qmail-scanner, rename /var/spool/qmailscan to /var/spool/qscan/
If you want to enable/disable some scanners, edit the
/var/spool/qmailscan/settings_per_domain.txtTo rehash the scanner per domain file : /var/qmail/bin/qmail-scanner-queue.pl -p
To rehash the quarantine attachement file : /var/qmail/bin/qmail-scanner-queue.pl -g
Since the version 4.4 of qms-analog, this file can be customise more deeply. It is possible to change sa_subject, sa_delete... for each address/domain which can be very useful and avoid "global configuration".
Here is the syntax of this file (for more information : have a look to
this url):
trunks.ecranbleu.org:sa,ps,clamdscan_scanner
tizio@domain.com:sa,ps'** SPAM **'2.5''3.9'0
polio.be:sa,ps
myaddress@microsoft.com:sa,ps
# sa = spamassassin
# ps = perl scanner
# clamdscan_scanner
Thanks to this solution, it is possible to produce daily/weekly/monthly total stats about the email traffic. In order to use it,edit this two line in this file :
/var/qmail/bin/qmailstats echo "To: myaddr@domain.org" > $EMAILMSG echo "From: admin@server.com" >> $EMAILMSG
Uncomment the echo/cat lines if you want to display weekly/mothly stats. be carreful, the mail can be huge :
#### Last 7 days
#echo "" >> $EMAILMSG
#echo "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~" >> $EMAILMSG
#echo "~~~~~~~~~~~~~~~~~~~~~~~~~~ L a s t 7 D a y s ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~" >> $EMAILMSG
#cat /var/spool/qmailscan/qms-events.log | qms-analog 168 >> $EMAILMSG
####
#### Last 30 days
#echo "" >> $EMAILMSG
#echo "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~" >> $EMAILMSG
#echo "~~~~~~~~~~~~~~~~~~~~~~~~~~ L a s t 3 0 D a y s ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~" >> $EMAILMSG
#cat /var/spool/qmailscan/qms-events.log | qms-analog 5040 >> $EMAILMSG
####
If you want to launch it every night (5:00) :
crontab -e
0 5 * * * /var/qmail/bin/qmailstats &>/dev/null
It will produce this kind of stats :
mailstats.txt11. Scripts and directories
11.1 Alias and default directories mkdir ~alias
chown alias.qmail ~alias
echo "address@email.com" > /var/qmail/alias/.qmail-root
echo "address@email.com" > /var/qmail/alias/.qmail-postmaster
echo "address@email.com" > /var/qmail/alias/.qmail-mailer-daemon
chmod 2755 ~alias
chmod 644 ~alias/.qmail*
edit
/var/qmail/users/assign +ecranbleu.org-:ecranbleu.org:98:98:/home/vpopmail/domains/ecranbleu.org:-:: Change the domain here
.
Don't forget the final .
11.2 Supervise/Svscan Startupmkdir /service
chmod 755 /service
mkdir /var/qmail/supervise
chmod 755 /var/qmail/supervise
mkdir /var/qmail/supervise/qmail-smtpd
mkdir /var/qmail/supervise/qmail-smtpd/log
chmod +t /var/qmail/supervise/qmail-smtpd
mkdir /var/qmail/supervise/qmail-send
mkdir /var/qmail/supervise/qmail-send/log
chmod +t /var/qmail/supervise/qmail-send
mkdir /var/qmail/supervise/qmail-pop3d
mkdir /var/qmail/supervise/qmail-pop3d/log
chmod +t /var/qmail/supervise/qmail-pop3d
ln -s /var/qmail/supervise/* /service/
edit
/var/qmail/rc #!/bin/sh
exec env - PATH="/var/qmail/bin:/usr/local/bin" \
qmail-start ./Maildir/
then :
chmod 700 /var/qmail/rc
11.3 pop3edit
/var/qmail/supervise/qmail-pop3d/run#!/bin/sh
exec /usr/local/bin/tcpserver -H -R -v -c100 0 pop3 /var/qmail/bin/qmail-popup tractopel.ecranbleu.org /home/vpopmail/bin/vchkpw /var/qmail/bin/qmail-pop3d Maildir 2>&1 Change tractopel.ecranbleu.org your server
Call the pop server throught tcpserver with username/password check (with qmail-popup and vchkpw).
-R : don't try to get $TCPREMOTEINFO
-H : don't look up the hostname
-v : verbose
-c : number of simultaneous handled connections
0 : the ip address of the server (0 means allow connections to any local IP address)
pop3 : the port used (here, defined in
/etc/services but can be an integer ie 110)
qmail-popup : this program reads a POP username and password and call a program (here
vchkpw)
vchkpw : this program authenticates a POP user and grant him access to his pop directory
qmail-pop3d : this program distributes email via POP3
then :
chmod 755 /var/qmail/supervise/qmail-pop3d/run
edit
/var/qmail/supervise/qmail-pop3d/log/run #!/bin/sh
exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t s100000 n20 /var/log/qmail/qmail-pop3d 2>&1
Call the multilog program under the uid (user id) and gid (group id) which will call the qmail-pop3d program.
The
t option means that the log file will have a timestamp on the beginning of the line (tai64n format).
s100000 : is the size of a log file (here 100 000 bytes). It is between 4096 and 16777215.
n20 : is the number of log file (here 20). At least 2.
then :
chmod 755 /var/qmail/supervise/qmail-pop3d/log
chmod 755 /var/qmail/supervise/qmail-pop3d/log/run
11.4 smtpedit
/var/qmail/supervise/qmail-smtpd/run#!/bin/sh
export QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl" If you use the TCP server mysql solution
exec /usr/local/bin/tcpserver -p -R -x /home/vpopmail/etc/tcp.smtp.cdb -u92 -g91 -v -c100 0 smtp /usr/local/bin/rblsmtpd -r relays.ordb.org /var/qmail/bin/qmail-smtpd 2>&1
If you use the mysql relay solution for tcpserver, replace -x /home/vpopmail/etc/tcp.smtp.cdb by -S
Call the smtp server throught tcpserver with a rbl check.
-u : user id which will be used by qmail-smtpd
-g : group id which will be used by qmail-smtpd
-p : paranoid mode (check if the remote host in the DNS matches with the client address)
-R : don't try to get $TCPREMOTEINFO
-v : verbose
-c : number of simultaneous handled connections
0 : the ip address of the server (0 means allow connections to any local IP address)
smtp : the port used (here, defined in
/etc/services but can be an integer)
rblsmtpd : this program blocks mail from RBL-listed sites (I use relays.ordb.org) and call a program (here
qmail-smtpd)
chmod 755 /var/qmail/supervise/qmail-smtpd/run
edit
/var/qmail/supervise/qmail-smtpd/log/run#!/bin/sh
exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t s100000 n20 /var/log/qmail/qmail-smtpd 2>&1
Call the multilog program under the uid (user id) and gid (group id) which will call the qmail-smtpd program.
The
t option means that the log file will have a timestamp on the beginning of the line (tai64n format).
s100000 : is the size of a log file (here 100 000 bytes). It is between 4096 and 16777215.
n20 : is the number of log file (here 20). At least 2.
then :
chmod 755 /var/qmail/supervise/qmail-smtpd/log
chmod 755 /var/qmail/supervise/qmail-smtpd/log/run
edit
/var/qmail/supervise/qmail-send/run #!/bin/sh
exec env - PATH="/var/qmail/bin:/usr/local/bin" \
qmail-start ./Maildir/
then :
chmod 755 /var/qmail/supervise/qmail-send/run
edit
/var/qmail/supervise/qmail-send/log/run #!/bin/sh
exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t s100000 n20 /var/log/qmail/qmail-send 2>&1
then :
chmod 755 /var/qmail/supervise/qmail-send/log
chmod 755 /var/qmail/supervise/qmail-send/log/run
With the command, you can generate a generic Maildir (ie when you create a new user, it will copy the Maildir dir automatically) :
/var/qmail/bin/maildirmake /etc/skel/Maildir This can depend the linux distribution
Finally, you must create a startup script.
Under debian, it will be in the /etc/init.d/. So, it will be
/etc/init.d/qmail.
#!/bin/sh
case "$1" in
start)
echo -n "Starting qmail: svscan"
if cd /var/qmail/supervise; then
env - PATH="/var/qmail/bin:/usr/local/bin:/usr/bin:/bin" svscan &
echo $! > /var/run/svscan.pid
fi
echo "."
;;
stop)
echo -n "Stopping qmail: svscan"
kill `cat /var/run/svscan.pid`
echo -n " qmail"
svc -dx /var/qmail/supervise/*
echo -n " logging"
svc -dx /var/qmail/supervise/*/log
echo "."
;;
stat)
cd /var/qmail/supervise
svstat * */log
;;
doqueue|alrm)
echo "Sending ALRM signal to qmail-send."
svc -a /var/qmail/supervise/qmail-send
;;
queue)
qmail-qstat
qmail-qread
;;
reload|hup)
echo "Sending HUP signal to qmail-send."
svc -h /var/qmail/supervise/qmail-send
echo "Sending HUP signal to qmail-pop3d."
svc -h /var/qmail/supervise/qmail-pop3d
;;
pause)
echo "Pausing qmail-send"
svc -p /var/qmail/supervise/qmail-send
echo "Pausing qmail-smtpd"
svc -p /var/qmail/supervise/qmail-smtpd
echo "Pausing qmail-pop3d"
svc -p /var/qmail/supervise/qmail-pop3d
;;
cont)
echo "Continuing qmail-send"
svc -c /var/qmail/supervise/qmail-send
echo "Continuing qmail-smtpd"
svc -c /var/qmail/supervise/qmail-smtpd
echo "Continuing qmail-pop3d"
svc -c /var/qmail/supervise/qmail-pop3d
;;
restart)
echo "Restarting qmail:"
echo "* Stopping qmail-smtpd."
svc -d /var/qmail/supervise/qmail-smtpd
echo "* Sending qmail-send SIGTERM and restarting."
svc -t /var/qmail/supervise/qmail-send
echo "* Restarting qmail-smtpd."
svc -u /var/qmail/supervise/qmail-smtpd
echo "* Sending qmail-pop3d SIGTERM and restarting."
svc -t /var/qmail/supervise/qmail-pop3d
;;
cdb)
tcprules /home/vpopmail/etc/tcp.smtp.cdb /home/vpopmail/etc/tcp.smtp.tmp < /home/vpopmail/etc/tcp.smtp
chmod 644 /home/vpopmail/etc/tcp.smtp*
echo "Reloaded /home/vpopmail/etc/tcp.smtp."
;;
*)
echo "Usage: $0
{start|stop|restart|doqueue|reload|stat|pause|cont|cdb|queue}"
exit 1
esac
exit 0
chmod 750 /etc/init.d/qmail
rm -f /usr/lib/sendmail
rm -f /usr/sbin/sendmail
ln -s /var/qmail/bin/sendmail /usr/lib/sendmail
ln -s /var/qmail/bin/sendmail /usr/sbin/sendmail
QmailAdmin is the web administration which enables the management of a domain by an lambda user.
wget http://heanet.dl.sourceforge.net/sourceforge/qmailadmin/qmailadmin-1.2.9.tar.gz
tar -zxvf qmailadmin-1.2.9.tar.gz
cd qmailadmin-1.2.9/
./configure --enable-htmldir=/var/www/qmailadminhtml --enable-imagedir=/var/www/images --enable-imageurl=/images --enable-cgibindir=/var/www/cgi-bin/ --enable-autoresponder-bin=/usr/local/bin --enable-vpopuser=vpopmail --enable-ezmlmdir=/usr/local/bin/ezmlm/ --enable-ezmlmidx=y --enable-modify-quota --disable-ipauth --enable-help
Change directories to adapt to your webserver configuration
make
make install-strip
If you get that stuff when you compile qmailadmin :
gcc -I. -g -O2 -c qmailadmin.c
qmailadmin.c:29:22: vpopmail.h: No such file or directory
qmailadmin.c:30:19: vauth.h: No such file or directory
Try this command :
echo "-I/home/vpopmail/include" >> /home/vpopmail/etc/inc_deps
If you get
qmailadmin.o(.text+0xc6): In function `main':
/package/qmailadmin-1.0.6/qmailadmin.c:240: undefined reference to `vclose'
qmailadmin.o(.text+0x17b):/package/qmailadmin-1.0.6/qmailadmin.c:199: undefined reference to `vget_assign'
qmailadmin.o(.text+0x1cd):/package/qmailadmin-1.0.6/qmailadmin.c:210: undefined reference to `vauth_user'
Check if /home/vpopmail/etc/lib_deps contains :
-L/home/vpopmail/lib -lvpopmail -L/usr/include/mysql/ -lmysqlclient -lz Now, configure your webserver in order to activate cgi-bin for qmailadmin. For example, for Apache :
<VirtualHost 217.167.120.134>
ServerAdmin sylvestre-howto@ecranbleu.org
DocumentRoot /var/www/
ServerName qmailadmin.ecranbleu.org
ErrorLog logs/qmailadmin.ecranbleu.org-error.log
CustomLog logs/qmailadmin.ecranbleu.org-access.log combined
<Directory /var/www/>
AllowOverride AuthConfig Limit
Options SymLinksIfOwnerMatch Includes
</Directory>
ScriptAlias /cgi-bin/ /var/www/cgi-bin/
ScriptAlias /global-cgi/ /usr/lib/cgi-bin/
</VirtualHost>
If you get an error like :
[Tue Aug 10 18:10:23 2004] [error] [client xx.xx.xx.xx] Premature end of script headers: /var/www/cgi-bin/qmailadmin in the apache error logfile, it should be linked with your apache configuration. I met some problems with suexec which was enabled : comment the User/Group lines should be enough (Thanks Julien Lefevre).
By default, the apache configuration file (httpd.conf) includes an alias directory which is
images/. This directory overrides the default of qmailadmin. Don't forget to comment it is you want images.
Vqadmin a virtual domains manager. Basically, with this program, it is possible to manage email domains.
wget http://www.inter7.com/vqadmin/vqadmin-2.3.2.tar.gz
tar -zxvf vqadmin-2.3.2.tar.gz
cd vqadmin-2.3.2
./configure --enable-cgibindir=/var/www/cgi-bin
make
make install-strip
Add the following directives to the apache configuration, httpd.conf (for example, the qmailadmin virtualhost) :
<Directory "/var/www/cgi-bin/vqadmin">
deny from all
Options ExecCGI
AllowOverride AuthConfig
Order deny,allow
</Directory>
You
must add a htaccess in order to securise these pages.
Edit
/var/www/cgi-bin/vqadmin/.htaccess AuthType Basic
AuthUserFile /etc/apache/vqadmin.passwd
AuthName vQadmin
require valid-user
satisfy any
chown www-data:www-data /var/www/cgi-bin/vqadmin/.htaccess The user/group will be nobody/nogroup under Redhat
chmod 600 /var/www/cgi-bin/vqadmin/.htaccess
htpasswd -bc /etc/apache/vqadmin.passwd admin adminpass
courier is used here for the IMAP server. Since the version 4.X, they split courier to a thirdparty library called authlib which contains authentication stuffs.
But it may cause some issue with the pop-before-smtp system. If it the case, don't hesitate to switch to the version 3.X. (however, don't hesitate to send me a fix for this issue).PROCEDURE FOR COURIER 3.X (only use if courier 4.X is not working)
wget http://unc.dl.sourceforge.net/sourceforge/courier/courier-imap-3.0.8.tar.bz2
tar -jxvf courier-imap-3.0.8.tar.bz2
cd courier-imap-3.0.8
export CFLAGS="-DHAVE_OPEN_SMTP_RELAY -DHAVE_VLOGAUTH"
./configure --prefix=/usr/local/courier-imap --disable-root-check --without-authpam --without-authldap --without-authpwd --without-authmysql --without-authpgsql --without-authshadow --without-authuserdb --without-authcustom --without-authcram --without-authdaemon --with-authvchkpw --with-ssl [ Go for a walk ]
make
make install
make install-configure
FOR COURIER 4.X :
wget http://unc.dl.sourceforge.net/sourceforge/courier/courier-authlib-0.55.tar.bz2
tar -jxvf courier-authlib-0.55.tar.bz2
cd courier-authlib-0.55
./configure --prefix=/usr/local/courier-authlib --without-authpam --without-authldap --without-authpwd --without-authmysql --without-authpgsql --without-authshadow --without-authuserdb --without-authcustom --without-authcram --without-authdaemon --with-authvchkpw --with-mailuser=vpopmail --with-mailgroup=vchkpw
make
make install
make install-configure
wget http://unc.dl.sourceforge.net/sourceforge/courier/courier-imap-4.0.2.tar.bz2
tar -jxvf courier-imap-4.0.2.tar.bz2
cd courier-imap-4.0.2
export CFLAGS="-DHAVE_OPEN_SMTP_RELAY -DHAVE_VLOGAUTH"
export COURIERAUTHCONFIG=/usr/local/courier-authlib/bin/courierauthconfig
export CPPFLAGS=-I/usr/local/courier-authlib/include
./configure --prefix=/usr/local/courier-imap --disable-root-check --with-ssl [ Go grab a pizza/beer, this will take some time ]
make
make install
make install-configure
Common part :
cp courier-imap.sysvinit /etc/init.d/courier-imap
chmod +x /etc/init.d/courier-imap
mkdir -p /var/lock/subsys/
Once the server is launched :
chown vpopmail:vchkpw /usr/local/courier-imap/share/imapd.pem
If you get this error :
tlspasswordcache.c:9:25: openssl/ssl.h: No such file or directory
tlspasswordcache.c:10:25: openssl/err.h: No such file or directory
tlspasswordcache.c:11:26: openssl/rand.h: No such file or directory
install the ssl development library (
apt-get install libssl-dev under Debian)
If you get some errors about vpopmail libs, type this 2 commands : [ thank to
Alberto Manzoni ]
echo "-I/home/vpopmail/include/" > /home/vpopmail/etc/inc_deps
echo "-L/home/vpopmail/lib -lvpopmail" > /home/vpopmail/etc/lib_deps
But if you get errors about include with vpopmail and stuff like :
/home/vpopmail/lib/libvpopmail.a(vauth.o) in function `vauth_open_update': check if the
/home/vpopmail/etc/lib_deps file looks like :
-L/home/vpopmail/lib -lvpopmail -L/usr/include/mysql/ -lmysqlclient -lz -lcrypt
After the installation, you must edit some configuration files.
Rename /usr/local/courier-imap/etc/imapd.dist to /usr/local/courier-imap/etc/imapd and in
/usr/local/courier-imap/etc/imapd, change the TCPDOPTS / AUTHMODULES lines to :
TCPDOPTS="-nodnslookup -noidentlookup -user=vpopmail -group=vchkpw"
Finally, don't forget to change this line (at the end of the file)
IMAPDSTART=NO
To YES
For the imap-ssl, rename /usr/local/courier-imap/etc/imapd-ssl.dist to /usr/local/courier-imap/etc/imapd-ssl and in
/usr/local/courier-imap/etc/imapd-ssl IMAPDSSLSTART=YES
and
/usr/local/courier-imap/etc/imapd.cnf for the ssl certificat :
[...]
[ req_dn ]
C=FR
ST=PA
L=Paris
O=Courier Mail Server
OU=Automatically-generated IMAP SSL key
CN=tractopel.ecranbleu.org
emailAddress=tech@avenceprod.com
[...]
For the pop3d-ssl, rename /usr/local/courier-imap/etc/pop3d-ssl.dist to /usr/local/courier-imap/etc/pop3d-ssl and in
/usr/local/courier-imap/etc/pop3d-ssl POP3DSSLSTART=YES
If you want to start the IMAP server :
/etc/init.d/courier-imap start Can take a little while the first time
After the first start, you may get stuff like :
Dec 23 13:01:59 nw-tel2-mail-2 imapd: couriertls: /usr/local/courier-imap/var/couriersslcache: Permission denied
Dec 23 13:01:59 nw-tel2-mail-2 imapd: couriertls: /usr/local/courier-imap/share/imapd.pem: error:0200100D:system library:fopen:Permission denied chown vpopmail:vchkpw /usr/local/courier-imap/var/
chown vpopmail:vchkpw /usr/local/courier-imap/share/imapd.pem
chown vpopmail:vchkpw /usr/local/courier-imap/share/pop3d.pem
If you want to rebuild the certificat, you have to use the commands (after deleting the pem file) :
/usr/local/courier-imap/share/mkimapdcert
/usr/local/courier-imap/share/mkpop3dcert
You may need the package openssl
We use an imapproxy in order to decrease the time of the connection between the imap client and the server (IMAP Proxy)
wget http://www.imapproxy.org/downloads/up-imapproxy-1.2.3.tar.gz
tar -zxvf up-imapproxy-1.2.3.tar.gz
cd up-imapproxy-1.2.3
./configure
make
make install
make install-conf
make install-init
To compile imapproxy, you need the lib ncurses 5 dev (apt-get install libncurses5-dev).
If you try to start the program and if you get this :
/etc/init.d/imapproxy: line 1: /bin/basename: No such file or directory
: Starting IMAP proxy server.
Edit
/etc/init.d/imapproxy and change the line 58 (
Pgm=`/bin/basename $0`) to
Pgm=`/usr/bin/basename $0` (maybe it is only necessary under debian)
Edit
/etc/imapproxy.conf to adapt everything to your configuration. Most of the time, change only this :
server_hostname tractopel.ecranbleu.org Change it to your host
proc_groupname nobody Under debian, it is "nogroup"
listen_port 144 If the proxy is running on the same server as courier-imap, change this line (ie not 143, the IMAP port) otherwise the proxy won't work
wget http://heanet.dl.sourceforge.net/sourceforge/squirrelmail/squirrelmail-1.4.3a.tar.gz
tar xzvf squirrelmail-1.4.3a.tar.gz
cd squirrelmail-1.4.3a
mkdir attachments
chown -R www-data data attachments
chmod go-w data attachments
chgrp www-data data attachments
cd config
./conf.pl
Change the following options (you can also add great plugins to squirremail with the program):
ORGANIZATION PREFERENCES Change name.
SERVER SETTINGS Change Domain
Change IMAP server
Don't forget to set the ip/port of the IMAP Proxy set before (otherwise the proxy will lose his interest) Change SMTP server
GENERAL OPTIONS Change Data Directory, (optional).
Change Attachment Directory
Set pre-defined settings for specific IMAP servers Select courier = Courier IMAP server
Add a virtual host to your webserver configuration and restart it :
<VirtualHost 217.167.120.134>
ServerAdmin sylvestre-howto@ecranbleu.org
DocumentRoot /var/www/webmail.avence.info
ServerName webmail.avence.info
ServerAlias mail.avence.info
ErrorLog logs/webmail.avence.info-error.log
CustomLog logs/webmail.avence.info-access.log combined
</VirtualHost>
The webmail install should be ok. Test it on http://webmail.xxxxxxxxxxxxx.xxx/.
wget http://www.enderunix.org/isoqlog/isoqlog-2.2.1.tar.gz
tar -zxvf isoqlog-2.2.1.tar.gz
cd isoqlog-2.2.1
./configure
make
make install
ln -s /var/qmail/control/rcpthosts /usr/local/etc/isoqlog.domains
mkdir -p /var/www/qmail-stats/isoqlog
Here is my
/usr/local/etc/isoqlog.conf file :
logtype = "qmail-multilog"
logstore = "/var/log/qmail/qmail-send"
domainsfile = "/usr/local/etc/isoqlog.domains"
outputdir = "/var/www/qmail-stats/isoqlog"
htmldir = "/usr/local/share/isoqlog/htmltemp"
langfile = "/usr/local/share/isoqlog/lang/french"
hostname = "tractopel.ecranbleu.org" Change this to your host
maxsender = 100
maxreceiver = 100
maxtotal = 100
maxbyte = 100
Edit your crontab and put the following line in it (it will run the isoqlog stat generation every 58 minutes) :
58 * * * * /usr/local/bin/isoqlog 1>/dev/null 2>/dev/null
Check out the graphs : http://yourhost/qmail-stats/isoqlog/
First, you have to install mrtg if you don't have it.
wget http://www.inter7.com/qmailmrtg7/qmailmrtg7-4.2.tar.gz
tar -zxvf qmailmrtg7-4.2.tar.gz
cd qmailmrtg7-4.2
make
make install
mkdir -p /var/www/qmail-stats/mrtg/
cp index.html /var/www/qmail-stats/mrtg/
Get
this file and save it into /etc/ It is the modified configuration file with the good path to the log files. Change paths to your configuration.
Run this command 3 times:
/usr/bin/mrtg /etc/qmail.mrtg.cfg
You should get some error messages. Don't worry. Anyway, you can check if the new files exist in /var/www/qmail-stats/mrtg/
Edit your crontab and put that into
2-57/5 * * * * /usr/bin/mrtg /etc/qmail.mrtg.cfg > /dev/null
Check out the graphs : http://yourhost/qmail-stats/mrtg/
19. Tools
Here is a tool which can read the qmail queue to see who send the email to who. It is called
qmhandle wget http://cesnet.dl.sourceforge.net/sourceforge/qmhandle/qmhandle-1.2.0.tar.gz
tar -zxvf qmhandle-1.2.0.tar.gz
It produces this kind of result when you call the program with the -l parameter (qmHandle -l) :
109816 (167, R)
Return-path: 294drowzow@sentry33221.com
From: "Johnny Champion" <294drowzow@sentry33221.com>
To: at@choum.com
Subject: *****SPAM***** A platinum card who cares? dpplo
Date: Sun, 04 Jan 04 08:41:16 GMT
Size: 8009 bytes
You can also alter the queue with this program :
-a : try to send queued messages now (qmail must be running)
-l : list message queues
-L : list local message queue
-R : list remote message queue
-s : show some statistics
-mN : display message number N
-dN : delete message number N
-Stext : delete all messages that have/contain text as Subject
-D : delete all messages in the queue (local and remote)
20. Redhat
With redhat/fedora, you have to install these packages :
yum update
yum upgrade
yum install mysql
yum install mysql-server
yum install mysql-devel
yum install php-mysql
yum install expect
yum install perl-Time-HiRes
yum install perl-suidperl
Then, don't forget to edit this file : /etc/sysconfig/network in order to specify the right hostname.
It is also important to :
- Change the user id (uid) of the user qmails to 90 (instead of 97).
- Change the mysql dir from /usr/include/mysql/ to /usr/lib/mysql
21. Files
/etc/tcp.smtp [ Tcpserver ]
/etc/mail/spamassassin/local.cf [ Spamassassin ]
/etc/default/spamassassin [ Spamassassin ]
/var/qmail/supervise/qmail-pop3d/run [ qmai ]
/var/qmail/supervise/qmail-pop3d/log/run [ qmail ]
/var/qmail/supervise/qmail-smtpd/run [ qmail ]
/var/qmail/supervise/qmail-smtpd/log/run [ qmail ]
/var/qmail/supervise/qmail-send/run[ qmail ]
/var/qmail/supervise/qmail-send/log/run[ qmail ]
/usr/local/courier-imap/etc/imapd [ courier-imap ]
/etc/init.d/qmail [ qmail ]
/usr/local/etc/isoqlog.conf [ isoqlog ]
/etc/qmail.mrtg.cfg [ qmailmrtg ]
Here is a list of the most important files :
| Control | Default | Used by | Purpose |
| badmailfrom | none | qmail-smtpd | blacklisted From addresses |
| bouncefrom | MAILER-DAEMON | qmail-send | username of bounce sender |
| bouncehost | me | qmail-send | hostname of bounce sender |
| concurrencyincoming | none | /service/qmail-smtpd/run | max simultaneous incoming SMTP connections |
| concurrencylocal | 10 | qmail-send | max simultaneous local deliveries |
| concurrencyremote | 20 | qmail-send | max simultaneous remote deliveries |
| defaultdelivery | none | /var/qmail/rc | default .qmail file |
| defaultdomain | me | qmail-inject | default domain name |
| defaulthost | me | qmail-inject | default host name |
| databytes | 0 | qmail-smtpd | max number of bytes in message (0=no limit) |
| doublebouncehost | me | qmail-send | host name of double bounce sender |
| doublebounceto | postmaster | qmail-send | user to receive double bounces |
| envnoathost | me | qmail-send | default domain for addresses without "@" |
| helohost | me | qmail-remote | host na |
