Netqmail-1.06 (smtp, pop3, auth, clamav, stunnel4, rbl, spamassassin, qmailscanner, qmailanalog, qmailmrtg)

To install netqmail we also need ucspi-tcp-0.88 and daemontools-0.76
Let's start

  • 1. Copy netqmail-1.06.tar.gz file to /usr/local/src and unpack - we get netqmail-1.06 folder

tar zxvf netqmail-1.06.tar.gz

  • 2. Unpack ucspi-tcp in /usr/local/src
  • 3. Create a "package" folder in the root of the filesystem (/package) and unpack daemontools there
  • 4. Create /var/qmail folder

mkdir -p /var/qmail

  • 5. Link /var/qmail/control to /etc/qmail

ln -s /var/qmail/control /etc/qmail

  • 6. Create users by editing the INSTALL.ids file (remove everything besides the Linux block, uncomment the lines and save the changes; 9 lines will remain)
  • 7. Set permission 0700 on that file and run it

./INSTALL.ids

  • 8. Check in /etc/passwd and /etc/group that the script created the following users and groups. On my test server it looks like this:

alias:x:1007:1006::/var/qmail/alias:/bin/sh

qmaild:x:1008:1006::/var/qmail:/bin/sh

qmaill:x:1009:1006::/var/qmail:/bin/sh

qmailp:x:1010:1006::/var/qmail:/bin/sh

qmailq:x:1011:1007::/var/qmail:/bin/sh

qmailr:x:1012:1007::/var/qmail:/bin/sh

qmails:x:1013:1007::/var/qmail:/bin/sh

nofiles:x:1006:

qmail:x:1007:

  • 9. Go to /usr/local/src/netqmail-1.06 and compile netqmail

make setup check

  • 10. Run command

./config

if FQDN is properly configured in DNS or

./config-fast host.naszadomena.pl

I prefer the second method, because only a few people have full power over PTR records

  • 11. Go to ucspi-tcp-0.88 folder and patch ucspi

patch < /usr/local/src/netqmail-1.06/other-patches/ucspi-tcp-0.88.errno.patch

next run command

make

make setup check

  • 12. Go to /package/admin/daemontools-0.76/src and patch it in the same way as ucspi:

patch < /usr/local/src/netqmail-1.06/other-patches/daemontools-0.76.errno.patch

  • 13. Leave src/ subfolder. Run command

package/install

  • 14. Create rc file in /var/qmail with lines below:

#!/bin/sh

# logging to stdout
# mails are delivered based on control/defaultdelivery

exec env - PATH="/var/qmail/bin:$PATH" \
qmail-start "`cat /var/qmail/control/defaultdelivery`"

  • 15. Set permission 0755 to rc file
  • 16. Set "Maildir" as the default delivery format, used when there is no ".qmail" file

echo ./Maildir/ >/var/qmail/control/defaultdelivery

  • 17. Create the start script qmailctl in /var/qmail/bin (the best option is to copy it from my site or from http://www.lifewithqmail.org/qmailctl-script-dt70)

#!/bin/sh

# description: the qmail MTA

PATH=/var/qmail/bin:/bin:/usr/bin:/usr/local/bin:/usr/local/sbin
export PATH

QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`

case "$1" in
  start)
    echo "Starting qmail"
    if svok /service/qmail-send ; then
      svc -u /service/qmail-send /service/qmail-send/log
    else
      echo "qmail-send supervise not running"
    fi
    if svok /service/qmail-smtpd ; then
      svc -u /service/qmail-smtpd /service/qmail-smtpd/log
    else
      echo "qmail-smtpd supervise not running"
    fi
    if [ -d /var/lock/subsys ]; then
      touch /var/lock/subsys/qmail
    fi
    ;;
  stop)
    echo "Stopping qmail..."
    echo " qmail-smtpd"
    svc -d /service/qmail-smtpd /service/qmail-smtpd/log
    echo " qmail-send"
    svc -d /service/qmail-send /service/qmail-send/log
    if [ -f /var/lock/subsys/qmail ]; then
      rm /var/lock/subsys/qmail
    fi
    ;;
  stat)
    svstat /service/qmail-send
    svstat /service/qmail-send/log
    svstat /service/qmail-smtpd
    svstat /service/qmail-smtpd/log
    qmail-qstat
    ;;
  doqueue|alrm|flush)
    echo "Flushing timeout table and sending ALRM signal to qmail-send."
    /var/qmail/bin/qmail-tcpok
    svc -a /service/qmail-send
    ;;
  queue)
    qmail-qstat
    qmail-qread
    ;;
  reload|hup)
    echo "Sending HUP signal to qmail-send."
    svc -h /service/qmail-send
    ;;
  pause)
    echo "Pausing qmail-send"
    svc -p /service/qmail-send
    echo "Pausing qmail-smtpd"
    svc -p /service/qmail-smtpd
    ;;
  cont)
    echo "Continuing qmail-send"
    svc -c /service/qmail-send
    echo "Continuing qmail-smtpd"
    svc -c /service/qmail-smtpd
    ;;
  restart)
    echo "Restarting qmail:"
    echo "* Stopping qmail-smtpd."
    svc -d /service/qmail-smtpd /service/qmail-smtpd/log
    echo "* Sending qmail-send SIGTERM and restarting."
    svc -t /service/qmail-send /service/qmail-send/log
    echo "* Restarting qmail-smtpd."
    svc -u /service/qmail-smtpd /service/qmail-smtpd/log
    ;;
  cdb)
    tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp < /etc/tcp.smtp
    chmod 644 /etc/tcp.smtp.cdb
    echo "Reloaded /etc/tcp.smtp."
    ;;
  help)
    cat <<HELP
stop -- stops mail service (smtp connections refused, nothing goes out)
start -- starts mail service (smtp connection accepted, mail can go out)
pause -- temporarily stops mail service (connections accepted, nothing leaves)
cont -- continues paused mail service
stat -- displays status of mail service
cdb -- rebuild the tcpserver cdb file for smtp
restart -- stops and restarts smtp, sends qmail-send a TERM & restarts it
doqueue -- schedules queued messages for immediate delivery
reload -- sends qmail-send HUP, rereading locals and virtualdomains
queue -- shows status of queue
alrm -- same as doqueue
flush -- same as doqueue
hup -- same as reload
HELP
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|doqueue|flush|reload|stat|pause|cont|cdb|queue|help}"
    exit 1
    ;;
esac

exit 0

  • 18. Set permission 0755 on it and link it into your $PATH

ln -s /var/qmail/bin/qmailctl /usr/local/sbin

  • 19. Create the "supervise" folders as follows:

mkdir -p /var/qmail/supervise/qmail-send/log

mkdir -p /var/qmail/supervise/qmail-smtpd/log

  • 20. Create the script "run" in /var/qmail/supervise/qmail-send/ and set permission 0755

#!/bin/sh

exec /var/qmail/rc

  • 21. Create the script "run" in /var/qmail/supervise/qmail-send/log/ and set permission 0755

#!/bin/sh

exec /usr/local/bin/setuidgid qmaill \
/usr/local/bin/multilog t /var/log/qmail

  • 22. Create the script "run" in /var/qmail/supervise/qmail-smtpd/ and set permission 0755

#!/bin/sh

QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
LOCAL=`head -1 /var/qmail/control/me`

# refuse to start if any required value is missing
if [ -z "$QMAILDUID" -o -z "$NOFILESGID" -o -z "$MAXSMTPD" -o -z "$LOCAL" ]; then
    echo QMAILDUID, NOFILESGID, MAXSMTPD, or LOCAL is unset in
    echo /var/qmail/supervise/qmail-smtpd/run
    exit 1
fi

# without rcpthosts qmail-smtpd accepts mail for any domain
if [ ! -f /var/qmail/control/rcpthosts ]; then
    echo "No /var/qmail/control/rcpthosts!"
    echo "Refusing to start SMTP listener because it'll create an open relay"
    exit 1
fi

exec /usr/local/bin/softlimit -m 256000000 \
    /usr/local/bin/tcpserver -v -R -l "$LOCAL" -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \
    -u "$QMAILDUID" -g "$NOFILESGID" 0 smtp /var/qmail/bin/qmail-smtpd 2>&1

Set softlimit based on your requirements. I think you should set at least 256 MB, but it depends on your server and email traffic.

  • 23. Create the script "run" in /var/qmail/supervise/qmail-smtpd/log/ and set permission 0755

#!/bin/sh

exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t /var/log/qmail/smtpd

  • 24. Create the log folder and set the appropriate permissions

mkdir -p /var/log/qmail/smtpd

chown qmaill /var/log/qmail /var/log/qmail/smtpd

  • 25. Create concurrencyincoming file

echo 20 > /var/qmail/control/concurrencyincoming

chmod 644 /var/qmail/control/concurrencyincoming

  • 26. Link folders supervise to /service

ln -s /var/qmail/supervise/qmail-send /var/qmail/supervise/qmail-smtpd /service

  • 27. Uncomment line in inittab file

SV:123456:respawn:/command/svscanboot

  • 28. Reload inittab with the command "init q" to avoid problems like the ones below:

/service/qmail-send: unable to open supervise/ok: file does not exist

/service/qmail-send/log: unable to open supervise/ok: file does not exist

/service/qmail-smtpd: unable to open supervise/ok: file does not exist

/service/qmail-smtpd/log: unable to open supervise/ok: file does not exist

  • 29. Create the tcp.smtp file, which defines the locations qmail accepts email for sending from; in this case, localhost:

echo '127.:allow,RELAYCLIENT=""' >>/etc/tcp.smtp

  • 30. Create database tcp.smtp file

qmailctl cdb

chmod 644 /etc/tcp.smtp*

Every time you change tcp.smtp file you must run command:

tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp < /etc/tcp.smtp

or

qmailctl cdb

  • 31. Remove the default MTA; on Debian it is Exim4 (remove its start scripts as well)

apt-get --purge remove exim4

  • 32. Add aliases for postmaster, mailer-daemon and root

echo admin > /var/qmail/alias/.qmail-root

echo admin > /var/qmail/alias/.qmail-postmaster

ln -s .qmail-postmaster /var/qmail/alias/.qmail-mailer-daemon

chmod 644 /var/qmail/alias/.qmail-root /var/qmail/alias/.qmail-postmaster

  • 33. Replace the sendmail file with the newer version from qmail

mv /usr/lib/sendmail /usr/lib/sendmail.old

mv /usr/sbin/sendmail /usr/sbin/sendmail.old

chmod 0 /usr/lib/sendmail.old /usr/sbin/sendmail.old

ln -s /var/qmail/bin/sendmail /usr/lib

ln -s /var/qmail/bin/sendmail /usr/sbin

  • 34. Check if qmail is working properly

The uptime (in seconds) has to be higher than 1 second! If it is not, you have to find out where the problem is.

qmailctl stat

/service/qmail-send: up (pid 12092) 11 seconds

/service/qmail-send/log: up (pid 12096) 11 seconds

/service/qmail-smtpd: up (pid 12095) 11 seconds

/service/qmail-smtpd/log: up (pid 12094) 11 seconds

messages in queue: 0

messages in queue but not yet preprocessed: 0

Qmail-pop3d

  • 35. Download "checkpwd" from http://cr.yp.to/checkpwd.html site and copy it to /usr/local/src
  • 36. Unpack checkpassword-0.90.tar.gz

tar zxvf checkpassword-0.90.tar.gz

  • 37. Go to checkpassword-0.90 folder and run patch

patch < /usr/local/src/netqmail-1.06/other-patches/checkpassword-0.90.errno.patch

  • 38. Another option: open the conf-cc file and replace the line gcc -O2 with:

gcc -O2 -include /usr/include/errno.h

The first method (the patch) is recommended!

  • 39. Compile and install checkpassword

make

make setup check

  • 40. Create qmail-pop3d folder in /var/qmail/supervise/

mkdir -p /var/qmail/supervise/qmail-pop3d

  • 41. Create the script "run" in /var/qmail/supervise/qmail-pop3d/ and set permission 0755

#!/bin/sh

exec /usr/local/bin/softlimit -m 2000000 \
    /usr/local/bin/tcpserver -v -R -H -l 0 0 110 /var/qmail/bin/qmail-popup \
    FQDN /bin/checkpassword /var/qmail/bin/qmail-pop3d Maildir 2>&1

where FQDN is the name of your POP server, e.g. mail.danpol.net

  • 42. Create the "log" folder in /var/qmail/supervise/qmail-pop3d/

mkdir -p /var/qmail/supervise/qmail-pop3d/log

  • 43. Create the script "run" in /var/qmail/supervise/qmail-pop3d/log/ and set permission 0755

#!/bin/sh

exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t \
    /var/log/qmail/pop3d

  • 44. Create the log folder and set "qmaill" as its owner

mkdir -p /var/log/qmail/pop3d

chown qmaill /var/log/qmail/pop3d

  • 45. Link /var/qmail/supervise/qmail-pop3d to /service

ln -s /var/qmail/supervise/qmail-pop3d /service

  • 46. Modify qmailctl script in the following way

- add to section "start"

if svok /service/qmail-pop3d ; then

svc -u /service/qmail-pop3d /service/qmail-pop3d/log

else

echo qmail-pop3d supervise not running

fi

- add to section "stop"

echo " qmail-pop3d"

svc -d /service/qmail-pop3d /service/qmail-pop3d/log

- add to section "stat"

svstat /service/qmail-pop3d

svstat /service/qmail-pop3d/log

- add to section "pause"

echo "Pausing qmail-pop3d"

svc -p /service/qmail-pop3d

- add to section "cont"

echo "Continuing qmail-pop3d"

svc -c /service/qmail-pop3d

- add to section "restart"

echo "* Restarting qmail-pop3d."

svc -t /service/qmail-pop3d /service/qmail-pop3d/log

  • 47. Check script by restarting qmail:

qmailctl restart

Restarting qmail:

* Stopping qmail-smtpd.

* Sending qmail-send SIGTERM and restarting.

* Restarting qmail-smtpd.

* Restarting qmail-pop3d.

qmailctl stat

/service/qmail-send: up (pid 24928) 5 seconds

/service/qmail-send/log: up (pid 24933) 5 seconds

/service/qmail-smtpd: up (pid 24932) 5 seconds

/service/qmail-smtpd/log: up (pid 24931) 5 seconds

/service/qmail-pop3d: up (pid 24934) 5 seconds

/service/qmail-pop3d/log: up (pid 24935) 5 seconds

messages in queue: 0

messages in queue but not yet preprocessed: 0

  • 48. Check if pop3 service is listening

netstat -na --tcp

Active Internet connections (servers and established)

Proto Recv-Q Send-Q Local Address Foreign Address State

tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN

  • 49. Assuming the user already exists on the system, create the folders where their mail will be kept:

mkdir /var/spool/mail/username

maildirmake /var/spool/mail/username/Maildir

ln -s /var/spool/mail/username/Maildir/ /home/username/

chown -R username /var/spool/mail/username

  • 50. Optionally, set more restrictive permissions (e.g. 0700) on the user's home folder and on the user's folder in /var/spool/mail/

So far we have set up:

- SMTP server

- POP3 server

- everyone can send email only to the domains defined in rcpthosts

In step 51 we allow sending email from one subnet (we are still not talking about authentication for SMTP; this is like an open relay for our own network)

  • 51. In the file /etc/tcp.smtp add

192.168.0.:allow,RELAYCLIENT=""

Then reload tcp.smtp:

qmailctl cdb

This line allows the network 192.168.0.0/24 to send email without authentication.

For a single IP address it looks like this (a full address is written without a trailing dot; the trailing dot marks a prefix):

192.168.0.1:allow,RELAYCLIENT=""

Because this is not practical in a larger network, in step 52 we will enable user authentication for SMTP

Qmail - auth

  • 52. Download the qmail-smtpd-auth-0.31 file by Mariusz Dąbrowski and unpack it
  • 53. Copy the files README.auth, base64.c and base64.h to the netqmail source folder

cp README.auth base64.c base64.h /usr/local/src/netqmail-1.06/

  • 54. Patch

patch -d /usr/local/src/netqmail-1.06 < auth.patch

  • 55. Go to the netqmail source folder and compile it again

make

  • 56. Replace qmail-smtpd in /var/qmail/bin with the newly built version

rm /var/qmail/bin/qmail-smtpd

cp qmail-smtpd /var/qmail/bin

  • 57. Modify /var/qmail/supervise/qmail-smtpd/run

At the end of the script, before "2>&1", add the following (nazwa.serwera.smtp stands for the name of your SMTP server):

nazwa.serwera.smtp /bin/checkpassword /bin/true

It should look like below:

#!/bin/sh

QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
LOCAL=`head -1 /var/qmail/control/me`

# refuse to start if any required value is missing
if [ -z "$QMAILDUID" -o -z "$NOFILESGID" -o -z "$MAXSMTPD" -o -z "$LOCAL" ]; then
    echo QMAILDUID, NOFILESGID, MAXSMTPD, or LOCAL is unset in
    echo /var/qmail/supervise/qmail-smtpd/run
    exit 1
fi

# without rcpthosts qmail-smtpd accepts mail for any domain
if [ ! -f /var/qmail/control/rcpthosts ]; then
    echo "No /var/qmail/control/rcpthosts!"
    echo "Refusing to start SMTP listener because it'll create an open relay"
    exit 1
fi

exec /usr/local/bin/softlimit -m 256000000 \
    /usr/local/bin/tcpserver -v -R -l "$LOCAL" -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \
    -u "$QMAILDUID" -g "$NOFILESGID" 0 smtp /var/qmail/bin/qmail-smtpd \
    serwer.pocztowy.pl /bin/checkpassword /bin/true 2>&1

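  • 58. Set the owner, group and permissions of /bin/checkpassword as below (owner root, group nofiles, mode 4710: setuid root and executable only by the nofiles group)

-rws--x--- 1 root nofiles 10684 sty 24 23:54 checkpassword

  • 59. Restart qmail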

Rbl

  • 60. To check senders against RBL lists, add the following to the script /var/qmail/supervise/qmail-smtpd/run just before qmail-smtpd:

/usr/local/bin/rblsmtpd -r zen.spamhaus.org

  • 61. Restart qmail and check if rblsmtpd is working

ps aux | grep rblsmtpd

  • 62. We can exempt a particular host from the RBL check by adding a line like this to tcp.smtp and reloading the database

1.1.1.1:allow,RBLSMTPD=""

Stunnel4

  • 63. Install stunnel4 by using command:

apt-get install stunnel4

  • 64. Enable stunnel by changing "0" to "1" in line ENABLED in /etc/default/stunnel4

ENABLED=1

  • 65. Open configuration file stunnel.conf. This file is in /etc/stunnel
  • 66. Set server certificate

cert = /path to server certificate

  • 67. Set server key

key = /path to server key

/etc/init.d/stunnel4 start

  • 71. Import the CA certificate into the user's system and set the mail client to use an encrypted connection

Spamassassin

  • 72. Install spamassassin together with its dependencies:

apt-get install spamassassin

  • 73. Enable spamassassin by changing "0" to "1" in line ENABLED in /etc/default/spamassassin

ENABLED=1

  • 74. Spamassassin configuration >>here

CLAMAV

  • 75. Install clamav together with dependencies

apt-get install clamav

  • 76. Choose how clamav should run: the best option is as a daemon
  • 77. Choose virus database repository(The closer to you the better)
  • 78. Set notification about reloading virus signature

Qmail-Scanner

  • 79. Download qmail-scanner from http://qmail-scanner.sourceforge.net/
  • 80. Install the following packages

apt-get install perl-suid

apt-get install tnef

apt-get install unzip

apt-get install maildrop

  • 81. Add group "qscand"

groupadd qscand

  • 82. Add user "qscand"

useradd -c "Qmail-Scanner Account" -g qscand -s /bin/false qscand

  • 83. Unpack scanner
  • 84. Configure the scanner according to your needs, e.g.:

./configure --domain mojadomena.pl --sa-quarantine "4"

  • 85. If the configuration is OK, accept it and run it again with the --install option

./configure --domain mojadomena.pl --sa-quarantine "4" --install

  • 86. Set in file /etc/tcp.smtp:

:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"

The line above causes all email to be scanned, except for connections from the local host, which match the more specific 127. rule.

  • 87. Reload tcp.smtp

qmailctl cdb

Now qmail is working together with clamav and spamassassin
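How tcpserver chooses among the tcp.smtp rules collected in steps 29, 51, 62 and 86, as an added example (not part of the original guide or of ucspi-tcp): a simplified shell model of the lookup order that covers plain IPv4 address rules only. The function names and SAMPLE_RULES are constructed for illustration.

```shell
#!/bin/sh
# Added example: simplified model of tcpserver's rule lookup (plain IPv4 rules only;
# user@ip, =hostname and a.b.c.d-e range rules are not modelled).

# Constructed sample: the rules this guide adds, plus a full address with a trailing dot.
SAMPLE_RULES='127.:allow,RELAYCLIENT=""
192.168.0.:allow,RELAYCLIENT=""
192.168.0.1.:allow,RELAYCLIENT=""
1.1.1.1:allow,RBLSMTPD=""
:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"'

# rule_for RULES ADDR: print the instructions of the first rule whose address is ADDR.
rule_for() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        if [ "${line%%:*}" = "$2" ]; then
            printf '%s\n' "${line#*:}"
            break
        fi
    done
    return 0
}

# lookup RULES IP: print "address|instructions" for the rule that would be applied.
# Order: the full IP, then shorter prefixes ending in a dot, then the empty address.
lookup() {
    key=$2
    while :; do
        ins=$(rule_for "$1" "$key")
        if [ -n "$ins" ]; then
            printf '%s|%s\n' "$key" "$ins"
            return 0
        fi
        if [ -z "$key" ]; then return 1; fi
        key=${key%.}                       # 192.168.0. -> 192.168.0
        case $key in
            *.*) key=${key%.*}. ;;         # 192.168.0.7 -> 192.168.0.
            *)   key= ;;                   # 192 -> "" (the default rule)
        esac
    done
}

# rule_sets RULES IP VAR: succeed if the rule applied to IP sets environment variable VAR.
rule_sets() {
    m=$(lookup "$1" "$2") || m=
    case $m in *"$3="*) return 0 ;; *) return 1 ;; esac
}

# Show which rule each constructed client address ends up with.
for ip in 127.0.0.1 192.168.0.1 1.1.1.1 203.0.113.9; do
    printf '%-12s -> %s\n' "$ip" "$(lookup "$SAMPLE_RULES" "$ip")"
done
```

With these rules the clients matched by the 127. and 192.168.0. relay rules, and the RBL-exempt host, never receive QMAILQUEUE, so their mail does not pass through qmail-scanner; appending the QMAILQUEUE assignment to those rules changes that. The rule written as 192.168.0.1. is never selected, because only prefixes of an address end in a dot.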

Qmailanalog

  • 88. Download qmailanalog and unpack it.
  • 89. Apply patch on qmailanalog

patch </usr/local/src/netqmail-1.06/other-patches/qmailanalog-0.70.errno.patch

  • 90. Compile and install

make

make setup check

Qmailmrtg

  • 91. Download and unpack
  • 92. Add to qmailmrtg7.c file

#include <stdlib.h>

  • 93. make
  • 94. make install
  • 95. Create a "qmailmrtg" folder in the place where you keep your sites, e.g. /var/www/qmailmrtg
  • 96. Copy index.html and qmail.mrtg.cfg and change FQDN to name of your email server
  • 97. Change "WorkDir" to your created folder
  • 98. Add line to cron and wait at least 15 minutes

*/5 * * * * /usr/bin/mrtg /var/www/qmailmrtg/qmail.mrtg.cfg 2>&1 > /dev/null


dzbanek 2011-05-11

