qmail installation guide

Mark Pustjens, The Mindlab Hosting, 3rd September 2004


    an extensive guide to setup a complete qmail based MDA

    Mark Pustjens, 3rd September 2004

    List of addresses

    Mark Pustjens
    C. de Houtmanstraat 18
    6045 HP Roermond
    06-50412316
    email: [email protected]

    The Mindlab Hosting
    Mestreech
    1234 ab

    Preamble

    This guide describes how to install a qmail based email server, complete with virtual domains, pop3, imap, spamassassin and mailing lists (for now). You should be able to use this guide with OpenBSD, FreeBSD and Redhat Linux.

    Contents

    List of Tables  VII

    1 TODO  1

    2 Preparations  2
    2.1 Conventions  2
    2.2 Hardware requirements  2
    2.3 Software requirements  2
    2.3.1 Linux  3
    2.3.2 OpenBSD  3
    2.4 Software you need  3
    2.4.1 qmail 1.03  3
    2.4.2 ucspi-tcp 0.88  4
    2.4.3 ucspi-ssl 0.68  4
    2.4.4 daemontools 0.76  4
    2.4.5 vpopmail 5.4.5  4
    2.4.6 Courier-IMAP 3.0.7  4
    2.4.7 Procmail 3.22  5
    2.4.8 Spamassassin 3.00  5

    3 Installing the core packages: qmail, ucspi-tcp and daemontools  6
    3.1 Obtaining the source  6
    3.2 Installing ucspi-tcp  6
    3.2.1 Compiling  6
    3.3 Installing daemontools  7
    3.3.1 Compiling  7
    3.3.2 Installing  8
    3.4 Some notes on daemontools  10
    3.4.1 supervise  10
    3.4.2 softlimit  10
    3.4.3 svc  11
    3.5 Compiling and Installing qmail  11
    3.5.1 Compiling  11
    3.5.2 Installing  12
    3.6 Replacing the old MTA  17
    3.7 Testing what we have  18
    3.7.1 Checking the daemons  18
    3.7.2 Sending test messages  19
    3.8 Conclusion  24

    4 Adding services  25
    4.1 Overview  25
    4.2 Vpopmail  25
    4.2.1 Compiling and installing vpopmail  25
    4.2.2 Configuring vpopmail  27
    4.2.3 Testing vpopmail  28
    4.2.4 Creating the localhost as virtual domain  28
    4.3 Pop3  29
    4.3.1 Service scripts  29
    4.3.2 Testing the pop3 server  29
    4.4 IMAP  30
    4.4.1 Compiling Courier-IMAP  30
    4.4.2 Configuring Courier-IMAP  32
    4.5 Conclusion  34

    5 Securing services  35
    5.1 Overview  35
    5.2 Certificates  35
    5.3 Installing ucspi-ssl  36
    5.3.1 Compiling  36
    5.3.2 Installing  37
    5.4 Securing SMTP  37
    5.4.1 Receiving messages, qmail-smtpd  37
    5.4.2 Sending messages, qmail-remote  43
    5.5 Securing Pop3  44
    5.5.1 Configuring POP3 over SSL  44
    5.5.2 Testing POP3 over SSL  44
    5.6 Securing IMAP  45
    5.6.1 Configuring IMAP over SSL  45
    5.6.2 Testing IMAP over SSL  45
    5.7 Conclusion  46

    6 Mail Filtering  47
    6.1 Procmail  47
    6.1.1 Installing  47
    6.1.2 Global Filter  48
    6.1.3 Testing the filter  49
    6.2 Basic Spamassassin Filter  50
    6.2.1 Installing  51
    6.2.2 configuring spamd  53
    6.2.3 Adding spamc to the mail delivery process  55
    6.2.4 Testing Spamassassin  55
    6.3 Conclusion  56

    Bibliography  I

    A OpenBSD fstab  II
    B svscanboot  III
    C /var/qmail/rc  IV
    D /var/qmail/bin/qmailctl  V
    E qmail service scripts, qmail-smtpd and qmail-send  XII
    E.1 /var/qmail/supervise/qmail-send/run  XII
    E.2 /var/qmail/supervise/qmail-send/log/run  XII
    E.3 /var/qmail/supervise/qmail-smtpd/run  XII
    E.4 /var/qmail/supervise/qmail-smtpd/log/run  XIII
    F vpopmail.mysql  XIV
    G vlimits.default  XV
    H qmail service scripts, qmail-pop3d  XVII
    H.1 /var/qmail/supervise/qmail-pop3d/run  XVII
    H.2 /var/qmail/supervise/qmail-pop3d/log/run  XVII
    I qmail service scripts, courier-imapd  XVIII
    I.1 /var/courier-imap/supervise/courier-imapd/run  XVIII
    I.2 /var/courier-imap/supervise/courier-imapd/log/run  XVIII
    J SMTP AUTH Extension example  XIX
    K qmail service scripts, qmail-smtpsd  XXI
    K.1 /var/qmail/supervise/qmail-smtpsd/run  XXI
    K.2 /var/qmail/supervise/qmail-smtpsd/log/run  XXI
    L qmail service scripts, qmail-pop3sd  XXII
    L.1 /var/qmail/supervise/qmail-pop3sd/run  XXII
    L.2 /var/qmail/supervise/qmail-pop3sd/log/run  XXII
    M qmail service scripts, courier-imapsd  XXIII
    M.1 /var/courier-imap/supervise/courier-imapsd/run  XXIII
    M.2 /var/courier-imap/supervise/courier-imapsd/log/run  XXIII
    N mail filter scripts  XXIV
    N.1 procmailrc  XXIV
    N.2 qmail-users  XXVI
    N.3 qmail-procmail  XXVI
    O spamassassin service script, spamd  XXVII
    O.1 /var/spamassassin/supervice/spamd/run  XXVII
    O.2 /var/spamassassin/supervice/spamd/log/run  XXVIII
    P Installing DBD::mysql using CPAN  XXIX
    Q Spamassassin configuration file  XXX
    R spamassassin procmail recipe  XXXIII

    List of Tables

    3.1 qmail groups  12
    3.2 qmail users  13

    Chapter 1

    TODO

    This is a list of TODO items. You’ll also find TODO items throughout this manual.

    • qmail-smtpd: tcpserver realblacklist? rblsmtpd (ucspi-tcp). This must be enabled, because skipping the RBL checks in spamassassin is turned off.

    • /var/qmail/queue on a separate filesystem with small blocksize and no softupdates

    • max DATABYTES to limit email size, man qmail-smtpd

    • send the system aliases to a mailing list.

    • link qmail with the syncdir library, or patch it with the fsync patch; this makes qmail safer on a filesystem with soft updates.

    • write a script to view the logs easily

    • !!! qmail-maildir++ patch !!!

    • wrap qmail-remote in SSL using a script; if no SSL is available, fall back automatically to plain SMTP

    • STARTTLS does not need to be used if SMTP is also wrapped in SSL; that would be redundant

    • mention that the source MUST be kept after installing.

    • use the tcpserver-mysql patch? With it the access databases can be put in MySQL. Or only the access db for smtpd?

    • a different database name for all tables

    • qqtool for queue management.

    Chapter 2

    Preparations

    2.1 Conventions

    Due to the nature of what we are about to do, you should use extreme care with any command you use. Also, in this document we assume you will be using a test server; this reduces the risk of any mistake to zero.

    2.2 Hardware requirements

    Qmail is able to run on almost all kinds of hardware, provided a UNIX OS runs on it.

    2.3 Software requirements

    Your system must meet the following requirements.

    • Qmail is designed to run on any Unix or Unix-like operating system. Qmail’s licence requires it to be distributed in source format, which means you need a standard C compiler.

    • Storage space is no longer a problem on modern systems. You’ll need at least 30 to 40 Megabytes of space for the sources and just a little more for building the sources.

    • A running MySQL server. Although this is not needed for qmail itself, the IMAP server and the virtual domains support package we will install do need this.

    • To be able to use the security features you need an OpenSSL compatible SSL library.

    Although not necessary, the following is recommended.

    CHAPTER 2. PREPARATIONS 3

    • Qmail was designed for highly connected systems. Although there are solutions for systems with low availability of an internet connection, a stable connection is recommended.

    • The filesystem should perform link() calls synchronously. This will prevent loss of email on a system failure, as all data is immediately written to the disk without delay.

    • If possible, a separate filesystem for qmail’s queue and mailstore. This filesystem should be equipped with a small blocksize¹. This filesystem should also have a large number of inodes, increasing the number of files which can be stored on the filesystem.

    2.3.1 Linux

    If you are using a separate filesystem for the queue and mailstore, you can speed up disk access a bit by using the following mount options for that filesystem:

    • noatime; do not update access times.

    • sync; no caching. This is not needed with the syncdir library, and it reduces performance.

    2.3.2 OpenBSD

    If you are planning to install qmail on a system running OpenBSD 3.2 and higher, you need to disable the “nosuid” mount option for the filesystem on which qmail will reside. You can remove this option by editing /etc/fstab. An example is provided in appendix A.

    2.4 Software you need

    The following software packages are used in this guide.

    2.4.1 qmail 1.03

    Qmail is the set of applications which together make up the mail server. Besides the main qmail package we will need some patches to extend and fix various parts of qmail.

    • qmail-queue patch

    • sendmail -f flag patch

    ¹ Email files are typically very small. With a small blocksize less space is wasted.


    • qmail 0.0.0.0 patch

    • qmail-local patch

    • qmail glibc errno patch

    • qmail identity = netqmail patch

    • qmail 64bit compatibility patch

    • qmail-smtpd patch

    • qmail AUTH and STARTTLS patch

    Most of those patches are distributed together with qmail in the netqmail distribution[2]. The instructions in this manual are based on the netqmail distribution.

    2.4.2 ucspi-tcp 0.88

    This package contains several utilities to modularize a tcp server/client environment.

    2.4.3 ucspi-ssl 0.68

    This package contains SSL enabled versions of the programs in the ucspi-tcp package. We will use those programs to set up SSL wrapped versions of the services.

    2.4.4 daemontools 0.76

    Daemontools is a set of applications to manage services, or daemons. One program monitors a service and restarts it if it fails. Another application serves as an automatic logging facility.

    We also need to apply a patch to the source if you are using a version of OpenSSL higher than 0.9.6.

    2.4.5 vpopmail 5.4.5

    Using the applications in this package we can manage virtual domains. Vpopmail supports the use of MySQL for storing its domains configuration.

    2.4.6 Courier-IMAP 3.0.7

    Courier-IMAP is a server which gives users IMAP access to their mailboxes. Courier-IMAP only supports the Maildir mailbox format, and allows the use of the Maildir++ extension. The Maildir++ extension adds folder and quota support.

    2.4.7 Procmail 3.22

    Procmail is a general purpose mail filter. Procmail has a powerful filtering language which allows almost any kind of filtering.

    2.4.8 Spamassassin 3.00

    Spamassassin claims to be an extensible mail filter. This is very true, but its power lies in the fact that it is very effective in identifying spam messages and tagging them as such. Spamassassin has support to store various parts of its configuration in a database; this appears to be working fine, although this functionality is still in the beta testing stage.

    At the time of writing, spamassassin 3.00 rc2 was the latest available version. I expect the instructions given in this document will be compatible with the final release of this version.

    Chapter 3

    Installing the core packages: qmail, ucspi-tcp and daemontools

    We begin by installing the three core packages: qmail, ucspi-tcp and daemontools. Qmail is the most important one, the MTA¹. ucspi-tcp accepts connections and passes them through to the appropriate qmail programs. Daemontools makes sure qmail is running; it will start, stop, restart and log services as necessary.

    3.1 Obtaining the source

    You can find the download locations in the Bibliography in section 6.3. Forthe first part of this guide you need the packages netqmail, daemontools anducspi-tcp.

    3.2 Installing ucspi-tcp

    Ucspi-tcp should be installed first. The tools in this package are used in the daemontools scripts.

    3.2.1 Compiling

    Before you unpack the tar.gz file, make sure your umask is set correctly; it should be 0022. If it isn’t, set it to 0022.

    # umask
    0002
    # umask 0022
    # umask
    0022

    ¹ Message Transfer Agent

    Move to your source directory, and unpack the netqmail[2] distribution.The netqmail distribution contains various patches we need not only forucspi-tcp, but also for daemontools.

    Now unpack the ucspi-tcp[5] distribution and enter the new directory.

    # cd /usr/src/ucspi-0.88

    You can set your compiler options in the file conf-cc. Acceptable values can be found in your system’s make defaults files². The netqmail distribution also contains some patches for ucspi-tcp, which are located in the netqmail-1.05/other-patches/ folder. Those patches need to be applied too.

    # patch < ../netqmail-1.05/other-patches/ucspi-tcp-0.88.a_record.patch
    # patch < ../netqmail-1.05/other-patches/ucspi-tcp-0.88.errno.patch
    # patch < ../netqmail-1.05/other-patches/ucspi-tcp-0.88.nodefaultrbl.patch

    The rest of the installation is very easy:

    # cd /usr/src/ucspi-0.88
    # make
    # make setup check

    This will install the binaries into /usr/local/bin. The installation of ucspi-tcp is now completed.

    3.3 Installing daemontools

    Daemontools uses packages from ucspi-tcp, and qmail will be started usingthe daemontools.

    3.3.1 Compiling

    Before you unpack the daemontools[4] package, check your umask. See section 3.2.1 for details.

    There is a patch for daemontools in the netqmail package. Apply it like this:

    # cd /usr/src/admin/daemontools-0.76/src/
    # patch < ../../../netqmail-1.05/other-patches/daemontools-0.76.errno.patch

    ² OpenBSD: /etc/mk.conf, FreeBSD: /etc/make.conf, Redhat Linux: ?

    Editing the conf-cc file will allow you to set your compiler options, just like with ucspi-tcp. You could also just copy this file from the ucspi-tcp source tree.

    Now you can build and install daemontools.

    # cd /usr/src/admin/daemontools-0.76/
    # sh package/install

    3.3.2 Installing

    The steps in the section above installed daemontools using the defaults. This is not what we want.

    The installation created two folders, /service and /command, added a line to your startup scripts³, and finally made symbolic links to the binaries in the source tree. Let’s change this to something more standard.

    OpenBSD and Linux

    # mkdir /etc/daemontools
    # mv /service /command /etc/daemontools
    # cd /etc/daemontools/command
    # rm *

    FreeBSD

    # mkdir /usr/local/etc/daemontools
    # mv /service /command /usr/local/etc/daemontools
    # cd /usr/local/etc/daemontools/command
    # rm *
    # ln -s /usr/local/etc/daemontools /etc/daemontools

    All systems

    # cd /etc/daemontools/command
    # rm -rf *
    # cp /usr/src/admin/daemontools/command/* .
    # chmod 755 *
    # chown root:wheel *

    # cd /usr/local/bin
    # rm envdir envuidgid fghack multilog pgrphack readproctitle setlock \
    > setuidgid softlimit supervise svc svok svscan svscanboot svstat \
    > tai64n tai64nlocal
    # ln -s /etc/daemontools/command/* .

    ³ OpenBSD, FreeBSD: /etc/rc.local, Linux: /etc/inittab

    The file svscanboot is a startup script for the svscan⁴ daemon. Currently this script still uses some standard paths, which should be changed to reflect our changes. It also uses readproctitle as a “logging” service. We will replace readproctitle with multilog.

    First we need to create the folders for multilog to store its logfiles under.

    # mkdir -p /var/log/daemontools/svscan/
    # chmod -R 700 /var/log/daemontools/svscan/

    Now we need to modify the svscanboot script to actually use multilog.See appendix B for an example.

    The standard installation modified some system files to make sure thesvscanboot script will run when the system boots.

    Under OpenBSD and FreeBSD it added a command to /etc/rc.localwhich needs to be modified to reflect the new path of the svscanboot script.

    Under Linux it added a line to /etc/inittab. If you are using a System V compatible distribution, we will create a control script and remove this line from /etc/inittab. This will be done later on and it is discussed in paragraph 3.5.2.

    To be able to test whether the svscan startup script works, we can start it manually and see if it spawned some processes. Note that svscanboot keeps itself in the foreground, so you should put it in the background.

    # cd /etc/daemontools/command
    # ./svscanboot &
    shutting down running services...
    svc: warning: unable to chdir to /etc/daemontools/service/*: file does not exist
    svc: warning: unable to chdir to /etc/daemontools/service/*/log: file does not exist
    restarting services ...
    # ps waux
    USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
    ...snip...
    root 19898 0.0 0.1 388 284 C0- I 8:28PM 0:00.01 /bin/sh /etc/daemontools/command/svscanboot
    root 15332 0.0 0.2 68 316 C0- S 8:28PM 0:00.04 /etc/daemontools/command/svscan /etc/daemontools/service
    root 6121 0.0 0.2 48 300 C0- I 8:28PM 0:00.01 /etc/daemontools/command/multilog t /var/log/daemontools/svscan

    As you can see, the script first tries to shut down any running services, which fails because we have not yet installed any services. Then it tries to start all known services. You also see the output of the “ps waux” command: there are three separate processes running which have to do with svscanboot, and this is how it should be.

    You can check the logfile for any errors.

    ⁴ Part of the daemontools

    # cd /var/log/daemontools/svscan
    # tai64nlocal < current
    2004-08-25 20:47:30.629504500 ** Starting svscan on /etc/daemontools/service
    #

    In this example, no error was reported. You should now stop svscanboot, and check if it will automatically start when you reboot.

    # fg
    ^C
    # reboot

    Please note that you can use the commands above at any time to start svscanboot manually. This is useful when testing. However, if svscanboot starts successfully when booting the system, this won’t be necessary.

    3.4 Some notes on daemontools

    Please read the notes below carefully, as they will help you to solve problems.

    3.4.1 supervise

    • The first time you create run scripts for a service, they will be loaded automatically and the service will be started. At this point you should check the logfile to see if an error occurred.

    • Whenever you modify a run script, the service needs to be restartedfor the run script to be reloaded.

    3.4.2 softlimit

    Softlimit is an application which runs another application with different resource limits. In the run scripts we will create, this program will always be used.

    The only limit we will set is the memory limit. The memory limits imposed in the scripts should work on most systems. When your new mail server is up and running you should tune these values to suit your system. E.g. on an OpenBSD system you could easily lower the memory limit to 2000000⁵ or less.

    You should closely monitor the log files whenever you start a new server⁶. If you see a line similar to the following examples, it means the memory limit was not set high enough and you should raise it.

    ⁵ About 2 Megabytes
    ⁶ The phrasing “making it known to supervise” is used often in this document.

    /var/qmail/bin/qmail-smtpd: error while loading shared libraries: libc.so.6: failed to map segment from shared object: Cannot allocate memory

    /usr/libexec/ld.so: tcpserver: libc.so.29.0: Cannot allocate memory
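    As an added example (not part of the guide), the script below automates the log check described above: it reads the memory cap from a service’s run script, counts allocation failures like the two lines above in the matching multilog file, and reports which services need a higher softlimit -m value. It assumes the guide’s layout (a run script containing “softlimit -m <bytes>” and a multilog directory with a “current” file); the function names and the sample services it builds under a temporary directory are this example’s own, constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the guide: pair each daemontools service's run script
# with its multilog output and report services whose "softlimit -m" cap caused
# allocation failures like the two lines quoted above. Assumes the guide's layout:
# SERVICEDIR/run contains "softlimit -m <bytes>", LOGDIR/current is the multilog
# file. The sample services built under a temporary directory are constructed.

# memlimit_errors LOGFILE -> prints how many lines show an allocation failure
memlimit_errors() {
    n=$(grep -c -E 'Cannot allocate memory|failed to map segment' "$1" 2>/dev/null || true)
    echo "${n:-0}"
}

# current_memlimit RUNSCRIPT -> prints the byte value passed to "softlimit -m", or "none"
current_memlimit() {
    v=$(sed -n 's/.*softlimit[^#]*-m[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" 2>/dev/null | head -n 1)
    echo "${v:-none}"
}

# check_service SERVICEDIR LOGDIR -> prints a verdict; returns 1 if the cap must be raised
check_service() {
    name=$(basename "$1")
    limit=$(current_memlimit "$1/run")
    errs=$(memlimit_errors "$2/current")
    if [ "$errs" -gt 0 ]; then
        echo "$name: $errs allocation failure(s) under softlimit -m $limit; raise the limit"
        return 1
    fi
    echo "$name: no allocation failures under softlimit -m $limit"
}

# --- constructed samples: a qmail-smtpd whose cap is too low, and a healthy qmail-send ---
SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
mkdir -p "$SAMPLE/qmail-smtpd" "$SAMPLE/qmail-send" "$SAMPLE/log/smtpd" "$SAMPLE/log/send"
cat > "$SAMPLE/qmail-smtpd/run" <<'EOF'
#!/bin/sh
exec /etc/daemontools/command/softlimit -m 3000000 \
    /usr/local/bin/tcpserver -v -x /etc/tcp.smtp.cdb 0 25 /var/qmail/bin/qmail-smtpd 2>&1
EOF
cat > "$SAMPLE/log/smtpd/current" <<'EOF'
@400000004128ac3e25857254 tcpserver: status: 0/20
@400000004128ac4a1b2c3d4e /var/qmail/bin/qmail-smtpd: error while loading shared libraries: libc.so.6: failed to map segment from shared object: Cannot allocate memory
@400000004128ac4b1b2c3d4e /usr/libexec/ld.so: tcpserver: libc.so.29.0: Cannot allocate memory
EOF
cat > "$SAMPLE/qmail-send/run" <<'EOF'
#!/bin/sh
exec /etc/daemontools/command/softlimit -m 2000000 /var/qmail/rc
EOF
cat > "$SAMPLE/log/send/current" <<'EOF'
@400000004128ac3e25857254 status: local 0/10 remote 0/20
EOF

for svc in qmail-smtpd qmail-send; do
    check_service "$SAMPLE/$svc" "$SAMPLE/log/${svc#qmail-}"
done
```

    On a real installation the same call is check_service /var/qmail/supervise/qmail-smtpd /var/log/qmail/smtpd, using the directories created later in this chapter. Only the limit in the run script is reported; raising it, restarting the service with svc, and watching the log again is still a manual step.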

    3.4.3 svc

    Svc controls services which are monitored by supervise. You can use thisprogram to stop and start a service. The following command shows how tostop and then start the qmail-pop3sd service.

    # svc -d /etc/daemontools/service/qmail-pop3sd
    # svc -u /etc/daemontools/service/qmail-pop3sd

    You can do the same with the qmailctl control script we will install later.

    # /etc/qmailctl stop qmail-pop3sd
    * stopping services...
    stopping qmail-pop3sd: qmail-pop3sd down
    * done stopping services
    # /etc/qmailctl start qmail-pop3sd
    * starting services...
    starting qmail-pop3sd: qmail-pop3sd up
    * done starting services

    3.5 Compiling and Installing qmail

    3.5.1 Compiling

    Before you unpack the compressed archive[2], make sure your umask is set correctly; it should be 0022. If it isn’t, set it to 0022. See section 3.2.1 for detailed instructions. We also need an additional patch[?], which implements the STARTTLS and AUTH SMTP extensions.

    We had to uncompress the netqmail sources earlier, so we can skip that step now. Because qmail may only be distributed as unmodified source, all patches have to be applied. Netqmail provides a script for this:

    # cd netqmail-1.05
    # sh collate.sh
    # cd netqmail-1.05
    # patch -p0 < ../../netqmail-1.05-tls-smtpauth-20040705.patch

    Now the build tree is ready, you can set up compiler options in the file conf-cc. If you use RedHat Linux, openssl was compiled with kerberos support. Without an extra compiler option compilation will fail. Add -I/usr/kerberos/include/ as option to conf-cc.

    # vi conf-cc
    #

    Table 3.1: qmail groups

    gid   name
    200   nofiles
    201   qmail

    Now you can create various folders and symbolic links for qmail. Don’t worry about the permissions on these folders; the qmail makefile will change these to their appropriate settings. The symbolic links will make the configuration files available under standard locations.

    # mkdir /var/qmail
    # cd /var/qmail
    # ln -s /usr/local/man .   # to have the manpages in a central location

    FreeBSD only:

    # ln -s /var/qmail/control /usr/local/etc/qmail

    OpenBSD and Linux:

    # ln -s /var/qmail/control /etc/qmail

    Creating users and groups⁷. Create a number of users and groups according to tables 3.2 and 3.1. I chose to have all userids and groupids in the range 200 - 210.
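    The following script, added here as an example and not part of the original guide, checks that the users and groups from tables 3.1 and 3.2 were created with the expected ids, primary group, home directory and shell, so a mistake is caught before “make setup check” and before any qmail program runs under the wrong account. The function names, the use of awk for the lookups, and the sample passwd and group files it builds are this example’s own assumptions; called with no arguments it reads the real /etc/passwd and /etc/group.

```shell
#!/bin/sh
# Added example, not from the guide: verify the accounts from tables 3.1 and 3.2
# exist with the expected uid/gid, primary group, home directory and shell.
# PASSWD and GROUP default to the system files; the files used below are
# constructed samples so the check can be demonstrated offline.

# name:gid, as in table 3.1
QMAIL_GROUPS='nofiles:200
qmail:201'

# name:uid:primary group:home:shell, as in table 3.2
QMAIL_USERS='alias:200:nofiles:/var/qmail/alias:/bin/false
qmaild:201:nofiles:/var/qmail:/bin/false
qmaill:202:nofiles:/var/qmail:/bin/false
qmailp:203:nofiles:/var/qmail:/bin/false
qmailq:204:qmail:/var/qmail:/bin/false
qmailr:205:qmail:/var/qmail:/bin/false
qmails:206:qmail:/var/qmail:/bin/false'

# field FILE NAME N -> prints field N of the entry whose first field is NAME
field() {
    awk -F: -v n="$2" -v f="$3" '$1 == n { print $f; exit }' "$1"
}

# check_qmail_accounts [PASSWD [GROUP]] -> one line per problem; returns 1 if any
check_qmail_accounts() {
    passwd=${1:-/etc/passwd}
    group=${2:-/etc/group}
    problems=0
    while IFS=: read -r gname gid; do
        have=$(field "$group" "$gname" 3)
        if [ -z "$have" ]; then
            echo "group $gname: missing"; problems=$((problems + 1))
        elif [ "$have" != "$gid" ]; then
            echo "group $gname: gid $have, expected $gid"; problems=$((problems + 1))
        fi
    done <<EOF
$QMAIL_GROUPS
EOF
    while IFS=: read -r name uid gname home shell; do
        want="$uid:$(field "$group" "$gname" 3):$home:$shell"
        # passwd fields: name:pw:uid:gid:gecos:home:shell
        have=$(awk -F: -v n="$name" '$1 == n { print $3 ":" $4 ":" $6 ":" $7; exit }' "$passwd")
        if [ -z "$have" ]; then
            echo "user $name: missing"; problems=$((problems + 1))
        elif [ "$have" != "$want" ]; then
            echo "user $name: uid:gid:home:shell is $have, expected $want"; problems=$((problems + 1))
        fi
    done <<EOF
$QMAIL_USERS
EOF
    [ "$problems" -eq 0 ]
}

# --- constructed sample files ---
SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
cat > "$SAMPLE/group" <<'EOF'
wheel:x:0:root
nofiles:x:200:
qmail:x:201:
EOF
cat > "$SAMPLE/passwd.ok" <<'EOF'
root:x:0:0:root:/root:/bin/sh
alias:x:200:200:qmail alias:/var/qmail/alias:/bin/false
qmaild:x:201:200:qmail daemon:/var/qmail:/bin/false
qmaill:x:202:200:qmail log:/var/qmail:/bin/false
qmailp:x:203:200:qmail passwd:/var/qmail:/bin/false
qmailq:x:204:201:qmail queue:/var/qmail:/bin/false
qmailr:x:205:201:qmail remote:/var/qmail:/bin/false
qmails:x:206:201:qmail send:/var/qmail:/bin/false
EOF
# a typical mistake: qmailq created in the wrong group and with a login shell
sed 's#^qmailq:x:204:201:qmail queue:/var/qmail:/bin/false#qmailq:x:204:200:qmail queue:/var/qmail:/bin/sh#' \
    "$SAMPLE/passwd.ok" > "$SAMPLE/passwd.bad"

check_qmail_accounts "$SAMPLE/passwd.ok" "$SAMPLE/group" && echo "accounts OK"
check_qmail_accounts "$SAMPLE/passwd.bad" "$SAMPLE/group" || echo "fix the accounts listed above first"
```

    The check deliberately compares the shell as well: every account in table 3.2 has /bin/false, and an interactive shell on a qmail account is an easy thing to overlook when creating users by hand.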

    Now qmail can be compiled. The commands below will compile andinstall qmail in “/var/qmail/bin”.

    # make setup check

    3.5.2 Installing

    The “make setup check” command already put the binaries in the right place. Now qmail has to get a basic configuration.

    ⁷ The use of several separate system accounts is very important for qmail’s security model.

    Table 3.2: qmail users

    name     uid   group     homedir             shell
    alias    200   nofiles   /var/qmail/alias    /bin/false
    qmaild   201   nofiles   /var/qmail          /bin/false
    qmaill   202   nofiles   /var/qmail          /bin/false
    qmailp   203   nofiles   /var/qmail          /bin/false
    qmailq   204   qmail     /var/qmail          /bin/false
    qmailr   205   qmail     /var/qmail          /bin/false
    qmails   206   qmail     /var/qmail          /bin/false

    # sh config

    This will lookup your hostname, and create a number of configurationfiles based on that. For this to work properly, your dns servers need to havebeen configured properly. If this command fails to lookup your hostname,you can use the following command to do it manually.

    # sh config-fast your.fully.qualified.domain.name

    Configuring the default delivery method

    Now we need to tell qmail how to deliver its email. Although the file we will create with the next command is not a standard file, the scripts we are going to create will use it. Putting this configuration in a separate file also allows us to change this setting easily without changing every separate script.

    # echo ./Maildir/ > /var/qmail/control/defaultdelivery

    Setting a SMTP greeting message

    Optionally you can set the message sent as the SMTP greeting. This message is sent to the client when it connects to the SMTP service. The first word of this message should be your hostname.

    # echo your.hostname The Mindlab Hosting mail server > /var/qmail/control/smtpgreeting

    Qmail boot script

    Qmail also needs a boot script. Create the file “/var/qmail/rc” according to appendix C. As you can see, this script logs any output to the standard output. In normal cases this would mean that these error messages disappear. We are going to set up qmail as a service using the daemontools programs. The service that will start this script will get its own logging service, which catches all output generated by this script. The script has to be executable, so set the permissions to allow that.

    # chmod 755 /var/qmail/rc

    Qmail control script

    Using the qmail programs separately to get status information can be cumbersome. Also, starting the daemontools programs to start the right services can be a bit obscure. Therefore we will make a script for this. Create the file /var/qmail/bin/qmailctl; you will find a listing of this script in appendix D. This script has to be executable, so set the rights accordingly. Use the same commands you used for the “rc” script.

    This script has the form of an init.d control script, and can be used as one. We will make sure it can be used as one by creating symbolic links to a few places.

    # cd /var/qmail/bin

    FreeBSD

    # ln -s /var/qmail/bin/qmailctl /usr/local/etc/init.d/qmailctl

    Linux

    # ln -s /var/qmail/bin/qmailctl /etc/init.d/qmailctl
    # cp /etc/inittab /etc/inittab.old
    # grep -v svscanboot /etc/inittab.old > /etc/inittab

    For Linux users, the line with svscanboot will be removed using the lastcommand.

    OpenBSD does not use the System V style init, so the above does not apply. FreeBSD also doesn’t use System V style init, but it does provide a directory for the scripts so one can use them manually.

    We want qmail to start every time the system boots. We can accomplish this by running the command qmailctl start every time the system boots. On BSD-like systems, we need to add this command to the file /etc/rc.local. On System V style systems, we can link the qmailctl script into the directories of the appropriate runlevels. For RedHat Linux, use the following commands. This will make sure the qmailctl start command will run in runlevels 2, 4 and 5.

    # cd /etc/init.d
    # ln -s ../init.d/qmailctl ../rc0.d/K30qmail
    # ln -s ../init.d/qmailctl ../rc1.d/K30qmail
    # ln -s ../init.d/qmailctl ../rc2.d/S80qmail
    # ln -s ../init.d/qmailctl ../rc3.d/K30qmail
    # ln -s ../init.d/qmailctl ../rc4.d/S80qmail
    # ln -s ../init.d/qmailctl ../rc5.d/S80qmail
    # ln -s ../init.d/qmailctl ../rc6.d/K30qmail
    #

    Installing the qmail services

    As said before, we will use daemontools to run qmail as a service. In fact, wewill need two services. One to listen for incoming mail, and one to send mail.First a few directories need to be created to store the files with instructionsfor the service in.

    # mkdir -p /var/qmail/supervise/qmail-send/log
    # mkdir -p /var/qmail/supervise/qmail-smtpd/log
    # chmod 1750 /var/qmail/supervise/qmail-send \
    > /var/qmail/supervise/qmail-smtpd

    The chmod command shown will set the sticky bit on the two directories. Supervise, part of daemontools, will recognise this and start the logging service of that service.

    Now we need to create some scripts in the previously created directories. You can find those scripts, four in total, in appendix E. After the scripts have been made, the correct permissions should be set on them. We also need to create the directories where multilog will write its log files to. And last, one of the scripts created uses another non-standard configuration file; that file has to be created too.

    # cd /var/qmail/supervise
    # chmod 750 */run */log/run

    # mkdir -p /var/log/qmail/send
    # mkdir /var/log/qmail/smtpd
    # chown -R qmaill:qmail /var/log/qmail

    # echo 20 > /var/qmail/control/concurrencysmtp
    # chmod 640 /var/qmail/control/concurrencysmtp

    We need to set some permissions on various files and folders.

    OpenBSD

    # chown root:qmail /var/qmail/bin/*
    # chown qmailq:qmail /var/qmail/bin/qmail-queue
    # chmod 755 /var/qmail
    # chmod 755 /var/qmail/alias

    If you are using OpenBSD and you have not yet disabled the nosuid flag for the /var filesystem, do this now and add the suid flag to the “qmail-queue” binary.

    All the files necessary for the services have been created. Now we can make those services known to supervise.

    # cd /etc/daemontools/service
    # ln -s /var/qmail/supervise/qmail-send .
    # ln -s /var/qmail/supervise/qmail-smtpd .

    SMTP access control

    In the file “/etc/tcp.smtp” you can change the way certain hosts are treated concerning relaying of email. We want the localhost to be able to relay email. Based on this file an access database will be built. We have to rebuild this database after every change to this file.

    # echo '127.:allow,RELAYCLIENT=""' > /etc/tcp.smtp
    # /var/qmail/bin/qmailctl cdb
    Reloaded /etc/tcp.smtp.

    We also want users with an email address on this system to be able to relay if they are working from a remote location. The AUTH smtp extension already makes this possible. When a user wants to send a message using our smtp server, it must log in to the smtp server. Without logging in, relaying is prohibited.
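    To see which connecting addresses the rules file actually turns into relay clients before rebuilding the database, here is an added Python example (not part of this guide and not ucspi-tcp code) that re-implements the address part of tcpserver's rule lookup. Only the first line of the sample rules is taken from this section; the other two lines and the function names are constructed for illustration.

```python
"""Audit a tcpserver rules file in the /etc/tcp.smtp format.

Added example, not ucspi-tcp code. It mimics the address part of
tcpserver's rule lookup: exact address first, then address prefixes ending
in '.' from longest to shortest, then the empty default rule (":allow" or
":deny"). Host-name ("=host") and TCPREMOTEINFO rules are not modelled.
"""
import re

# tcprules accepts a range in the last octet, e.g. "192.168.2.10-12:allow"
RANGE_RE = re.compile(r"^(\d+\.\d+\.\d+\.)(\d+)-(\d+)$")


def parse_rules(text):
    """Return {key: (instruction, {VAR: value})} from tcprules text."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        addr, _, rest = line.partition(":")
        fields = rest.split(",")
        instruction = fields[0].strip()
        if instruction not in ("allow", "deny"):
            raise ValueError("bad instruction in rule: %r" % line)
        env = {}
        for item in fields[1:]:
            name, _, value = item.partition("=")
            env[name.strip()] = value.strip().strip('"')   # RELAYCLIENT="" -> ""
        match = RANGE_RE.match(addr)
        if match:
            lo, hi = int(match.group(2)), int(match.group(3))
            keys = ["%s%d" % (match.group(1), n) for n in range(lo, hi + 1)]
        else:
            keys = [addr]
        for key in keys:
            rules[key] = (instruction, env)
    return rules


def lookup(rules, ip):
    """Return (matched_key, instruction, env) as tcpserver would decide for ip.

    Without any matching rule tcpserver lets the connection through and sets
    no variables, which is reported here as (None, "allow", {}).
    """
    candidates = [ip]
    prefix = ip
    while prefix:
        prefix = prefix[:-1]
        if prefix.endswith("."):
            candidates.append(prefix)          # "192.168.2.", "192.168.", "192."
    candidates.append("")                      # the default rule
    for key in candidates:
        if key in rules:
            instruction, env = rules[key]
            return key, instruction, dict(env)
    return None, "allow", {}


def can_relay(rules, ip):
    """True when qmail-smtpd would see RELAYCLIENT for a client at ip."""
    _, instruction, env = lookup(rules, ip)
    return instruction == "allow" and "RELAYCLIENT" in env


def relay_grants(rules):
    """Rule keys that hand out RELAYCLIENT, sorted. Review these: every host
    covered by such a key may relay without authenticating, and an empty key
    would turn the server into an open relay."""
    return sorted(key for key, (instruction, env) in rules.items()
                  if instruction == "allow" and "RELAYCLIENT" in env)


# Constructed sample: the guide's localhost line plus two lines added for
# illustration (a small LAN range and an explicit default).
SAMPLE_TCP_SMTP = '''127.:allow,RELAYCLIENT=""
192.168.2.10-12:allow,RELAYCLIENT=""
:allow
'''

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_TCP_SMTP)
    for ip in ("127.0.0.1", "192.168.2.11", "192.168.2.13", "10.0.0.5"):
        print(ip, lookup(rules, ip), "relay:", can_relay(rules, ip))
    print("rules granting RELAYCLIENT:", relay_grants(rules))
```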

    System aliases

    System aliases in this context are aliases for the email address of the system administrators. There are a few email addresses which should be on any email server. We can create those using the following commands.

    # cd /var/qmail/alias
    # echo \&admin > .qmail-root
    # ln -s .qmail-root .qmail-postmaster
    # ln -s .qmail-root .qmail-mailer-daemon
    # chmod 644 .qmail-root


    Now, everything sent to “root@yourdomain”, “postmaster@yourdomain” and “mailer-daemon@yourdomain” will be sent to the local user “admin”. You can change “admin” to any local username or email address. If you use an email address, please do make sure it is a valid address, since delivery failure reports get sent there. Of course you can also use separate receiving addresses for the different system aliases.

    3.6 Replacing the old MTA

    Now that we have everything installed, it’s time that we replace the old MTA. Once the old MTA has been removed, we can start testing our qmail installation. It is also possible to disable another MTA temporarily. In this document however, we just remove the old MTA completely.

    In most cases the old MTA used is sendmail, so the instructions below are specific to that MTA.

    RedHat Linux

    On RedHat Linux, or any other rpm based distro, you can use the “rpm” command to completely remove sendmail.

    # rpm -e sendmail

    OpenBSD

    On OpenBSD, follow these instructions.

    # rm -rf /usr/share/sendmail
    # rm -rf /usr/libexec/sendmail

    On OpenBSD there is also a crontab job for sendmail. You can disable this crontab entry by opening your crontab for editing using the command “crontab -e”. There you can comment out the line with sendmail in it.

    Although sendmail is no longer present, there still is a script that tries to start it if it was enabled. Open your “/etc/rc.conf” for editing, and find the line containing sendmail. Change the line to look like this:

    sendmail_flags=NO

    Another file needs to be edited for OpenBSD. This time it is “/etc/mailer.conf”. All the lines in this file point to the original sendmail binary. Change the file in such a way that all lines point to the qmail sendmail compatibility program. Use the following location for that program:

    /var/qmail/bin/sendmail


    FreeBSD

    TODO: instructions for FreeBSD

    All systems

    Now that the old sendmail binaries are gone, we need to replace them with qmail’s sendmail program.

    # ln -s /var/qmail/bin/sendmail /usr/sbin/sendmail

    3.7 Testing what we have

    Now every piece of software has been installed, we must test if everything works before continuing the installation.

    3.7.1 Checking the daemons

    First we will try to start and stop qmail, and see if any errors are reported.

    # cd /var/qmail/bin
    # ./qmailctl start
    Starting qmail
    # ./qmailctl stop
    Stopping qmail...
      qmail-smtpd
      qmail-send

    Then we start qmail again for the rest of the tests. After this is done, we use the qmailctl control script again to see if all the daemons are running.

    # ./qmailctl stat
    /etc/daemontools/service/qmail-send: up (pid 31158) 4 seconds
    /etc/daemontools/service/qmail-send/log: up (pid 10458) 277 seconds
    /etc/daemontools/service/qmail-smtpd: up (pid 25674) 4 seconds
    /etc/daemontools/service/qmail-smtpd/log: up (pid 31109) 277 seconds
    messages in queue: 0
    messages in queue but not yet preprocessed: 0

    Every service, four at this point, needs to be up. You can use the “ps” command to check if those processes are really running.

    After you are sure everything is ok you have to reboot. This way we can check if the qmail services are started automatically at system boot. After the reboot run the “qmailctl stat” command again to check if the services are running.

    Check the log files, and check if there are any abnormalities.


    # cd /var/log/qmail/send
    # tai64nlocal < current
    2004-06-13 22:50:36.342876500 status: local 0/10 remote 0/20

    You can use “cat”, “more” or “less” on the logfile, but the date will be in an unreadable time format. In this example, the status is displayed; no error is reported. You can also check the logfile of the smtpd daemon. The log format is almost the same. Also check for a status message in the report.

    3.7.2 Sending test messages

    Now that we know that the daemons are running fine, we should send some test messages and see if they arrive. The following testing method was taken from the book “The qmail Handbook”[1].

    Since the testing involves sending messages from and to test users, you will need at least two local accounts. Use other accounts than those you used for the system aliases, e.g. not root. In the example we use the two users sandra and bob. For the remote address, we will use [email protected].

    Local user to local user

    Send yourself a test message:

    # echo to: bob | /var/qmail/bin/qmail-inject

    Now check that the message has arrived.

    # ls ~bob/Maildir/new
    1087161947.16348.your.domain
    #

    In the example there is one new message in the “new” directory. The message arrived.

    Local user to invalid local user

    Log in as user sandra, and send a message to a non-existing user.

    # su - sandra
    $ echo to: nonexisting | /var/qmail/bin/qmail-inject

    Since the user the message was sent to does not exist, user sandra should have received a bounce message. Check if the message arrived, and check its contents.


    $ ls ~/Maildir/new
    1087393864.1945.your.domain
    $ cat ~/Maildir/new/1087393864.1945.your.domain
    Return-Path:
    Delivered-To: [email protected]
    Received: (qmail 18709 invoked for bounce); 16 Jun 2004 13:51:04 -0000
    Date: 16 Jun 2004 13:51:04 -0000
    From: [email protected]
    To: [email protected]
    Subject: failure notice

    Hi. This is the qmail-send program at your.domain.
    I'm afraid I wasn't able to deliver your message to the following addresses.
    This is a permanent error; I've given up. Sorry it didn't work out.

    :Sorry, no mailbox here by that name. (#5.1.1)

    --- Below this line is a copy of the message.

    Return-Path:
    Received: (qmail 29203 invoked by uid 1002); 16 Jun 2004 13:51:04 -0000
    Date: 16 Jun 2004 13:51:04 -0000
    Message-ID:
    From: [email protected]
    To: [email protected]
    $

    The qmail-send logfile should also contain a report about what happened.

    # cd /var/log/qmail/send/
    # tai64nlocal < current
    ...snip...
    2004-06-16 15:51:04.071999500 new msg 11586
    2004-06-16 15:51:04.072219500 info msg 11586: bytes 244 from qp 29203 uid 1002
    2004-06-16 15:51:04.110192500 starting delivery 3: msg 11586 to local [email protected]
    2004-06-16 15:51:04.110305500 status: local 1/10 remote 0/20
    2004-06-16 15:51:04.120796500 delivery 3: failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/
    2004-06-16 15:51:04.140128500 status: local 0/10 remote 0/20
    2004-06-16 15:51:04.200546500 bounce msg 11586 qp 18709
    2004-06-16 15:51:04.210082500 end msg 11586
    2004-06-16 15:51:04.288922500 new msg 11588
    2004-06-16 15:51:04.289057500 info msg 11588: bytes 838 from qp 18709 uid 206
    2004-06-16 15:51:04.328117500 starting delivery 4: msg 11588 to local [email protected]


    2004-06-16 15:51:04.328226500 status: local 1/10 remote 0/20
    2004-06-16 15:51:04.367889500 delivery 4: success: did_1+0+0/
    2004-06-16 15:51:04.374925500 status: local 0/10 remote 0/20
    2004-06-16 15:51:04.375181500 end msg 11588
    ...snip...
    #

    Here you can first see the original message being delivered, which fails. Then you see the bounce message being sent.

    Local user to remote adress

    Now we’ll try to send a message to a remote address[8].

    $ echo to: [email protected] | /var/qmail/bin/qmail-inject

    When you check the email for that address, an empty message should have arrived.

    Besides this, we can also check the qmail-send logfile to see if the message was sent.

    # cd /var/log/qmail/send/
    # tai64nlocal < current
    ...snip...
    2004-06-16 16:09:38.352290500 info msg 11586: bytes 227 from qp 26999 uid 1002
    2004-06-16 16:09:38.390208500 starting delivery 5: msg 11586 to remote [email protected]
    2004-06-16 16:09:38.390319500 status: local 0/10 remote 1/20
    2004-06-16 16:09:39.070024500 delivery 5: success: 217.67.234.253_accepted_message./Remote_host_said:_250_ok_1092405836_qp_18158/
    2004-06-16 16:09:39.080113500 status: local 0/10 remote 0/20
    2004-06-16 16:09:39.080363500 end msg 11586
    ...snip...
    #

    In this example, the message was successfully received by the remote MTA.

    Local user to system alias

    We will try to send a message to the postmaster.

    $ echo to: postmaster | /var/qmail/bin/qmail-inject

    In this guide we used the user admin as receiver of all messages to system aliases. Check if the message arrived in the user’s mailbox.

    [8] You should log in as user sandra.


    Invalid local user to invalid local user

    Messages which are sent to an invalid address should bounce to the sending address. If the sending address doesn’t exist, the message should bounce to the postmaster.

    $ echo to: invalidreceipient | /var/qmail/bin/qmail-inject -f invalidsender

    The mailbox of the user admin should contain the double bounce message.

    Program delivery

    With qmail it is possible to deliver email to any program. This way you can take special action when a message arrives for a particular user.

    We will create a script for user bob. This script will create a file when a message arrives at his account.

    First log in as user bob, and create the script. Then create a “.qmail” file with instructions to deliver to the script.

    # su - bob
    $ echo 'groups > MYGROUPS' > script.sh
    $ chmod +x script.sh
    $ echo '|/home/bob/script.sh; exit 0' > /home/bob/.qmail

    Send a test message to user bob and check if the file “MYGROUPS” exists. Also check the contents of this file. This file should contain only the group names of which user bob is a member, which proves all mail is delivered using the userid of the receiving user.

    After this test was successful, remove the “.qmail” file and the script.

    Using the SMTP daemon directly

    Testing the SMTP daemon is relatively simple. If you already know how to talk to the server, just telnet to localhost on port 25 and send a test message. If you do not know the protocol then follow the instructions below. Commands typed by the user are prefixed with a >.

    > $ telnet localhost 25
    Connected to localhost.
    Escape character is '^]'.
    220 your.domain.here ESMTP

    > ehlo smtp server
    250 your.domain
    250-STARTTLS
    250-PIPELINING


    250-8BITMIME
    250 AUTH LOGIN PLAIN CRAM-MD5

    > mail from: username@domain # insert your email address here
    250 ok

    > rcpt to: username@domain # insert your email address here
    250 ok

    > data
    354 go ahead

    > Subject: test message
    >
    > This is a test message
    > .

    250 ok 1087161947 qp 17121
    > quit

    221 your.server
    Connection closed by foreign host.
    $

    Now check if the message is in your mailbox.

    Remote user to local user

    Try sending a message from an address on a remote system to a user on this system. Use [email protected] as the recipient address. Verify that the message arrived.

    Remote user to invalid local user

    Send a message from a remote address to an invalid local user. You should receive a bounce message on the remote address. You can use [email protected] as recipient address.

    Remote user to system alias

    Send a test message to a system alias, e.g. [email protected], and check that it arrived ok.

    Mail user agent test

    Try to send messages using a MUA[9] on the system. This is not needed if no user will log in locally. You should test this if the system will also run a webserver.

    [9] E.g. pine, mail, mutt.


    3.8 Conclusion

    Using the instructions in this chapter, we set up a very basic, but functional email system. Email can be received, and email can be sent using local accounts.

    You have learned how to set up ucspi-tcp, a set of applications to modularize a tcp-ip client-server environment; daemontools, a set of programs to easily maintain running services and logging of those services; and netqmail, the qmail distribution including several essential patches.

    In chapter 4 we will add services to enhance the functionality of the email system.

    Chapter 4

    Adding services

    4.1 Overview

    In this chapter we will be adding an IMAP and POP3 server to our existing installation.

    4.2 Vpopmail

    In most qmail installation documentation, Courier-IMAP and qmail-pop3d are installed first and then vpopmail is added. I think this is unnecessary.

    In our case, we will be using mysql to store all virtual domain related configuration. If we would install Courier-IMAP and qmail-pop3d first, we would have to modify the configuration of those servers when we would install vpopmail. By installing vpopmail first, the configuration and programs Courier-IMAP and qmail-pop3d need to use for authentication are already in place.

    4.2.1 Compiling and installing vpopmail

    First download vpopmail[8] and unpack it somewhere, e.g. /usr/src. Then configure and compile the source.

    # setenv CFLAGS 'your flags'
    # ./configure --prefix=/var/vpopmail \
    > --exec-prefix=/var/vpopmail \
    > --enable-tcpserver-file=/etc/tcp.smtp \
    > --enable-file-sync \
    > --enable-qmail-ext \
    > --enable-domainquotas \
    > --enable-auth-module=mysql \
    > --enable-logging=y \
    > --enable-valias


  • CHAPTER 4. ADDING SERVICES 26

    ...snip...
    vpopmail 5.4.5
    Current settings
    ---------------------------------------
    vpopmail directory = /var/vpopmail
    uid = 89
    gid = 89
    roaming users = OFF --disable-roaming-users (default)
    tcpserver file = /etc/tcp.smtp
    open_smtp file = /var/vpopmail/etc/open-smtp
    rebuild tcpserver file = ON --enable-rebuild-tcpserver-file (default)
    password learning = OFF --disable-learn-passwords (default)
    md5 passwords = ON --enable-md5-passwords (default)
    file locking = ON --enable-file-locking (default)
    vdelivermail fsync = ON --enable-file-sync
    make seekable = ON --enable-make-seekable (default)
    clear passwd = ON --enable-clear-passwd (default)
    user dir hashing = ON --enable-users-big-dir (default)
    address extensions = ON --enable-qmail-ext
    ip alias = OFF --disable-ip-alias-domains (default)
    domain quotas = ON --enable-domainquotas
    auth module = mysql --enable-auth-module=mysql
    mysql replication = OFF --disable-mysql-replication (default)
    mysql logging = OFF --disable-mysql-logging (default)
    mysql limits = OFF --disable-mysql-limits (default)
    MySQL valias = ON --enable-valias
    auth inc = -I/usr/local/include/mysql
    auth lib = -L/usr/local/lib/mysql -lmysqlclient -lz -lm
    system passwords = OFF --disable-passwd (default)
    pop syslog = show successful and failed login attempts --enable-logging=y
    auth logging = ON --enable-auth-logging (default)
    all domains in one SQL table = --enable-many-domains (default)
    # make install-strip

    And if ‘make install-strip’ fails:

    # make install
    # chmod 6711 /var/vpopmail/bin/vchkpw


    4.2.2 Configuring vpopmail

    Creating mySQL user

    For vpopmail to be able to use mySQL for authentication, separate user accounts should be created for read access and read/write access. Vpopmail is able to use different settings for readonly operations and database maintenance operations. In this case we will make an account vpopmail_read for all read operations, and an account vpopmail_write for all database maintenance operations. And last, a database needs to be created where the information will be stored.

    # mysql -u root -p
    Enter password:
    Welcome to the MySQL monitor. Commands end with ; or \g.
    Your MySQL connection id is 2 to server version: 3.23.55

    Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

    mysql> CREATE DATABASE vpopmail;
    Query OK, 1 row affected (0.10 sec)

    mysql> GRANT select ON vpopmail.* TO vpopmail_read@localhost IDENTIFIED BY "password_read";
    Query OK, 0 rows affected (0.09 sec)

    mysql> GRANT update,create,delete,insert,select ON vpopmail.* TO vpopmail_write@localhost IDENTIFIED BY "password_write";
    Query OK, 0 rows affected (0.00 sec)

    mysql> flush privileges;
    Query OK, 0 rows affected (0.04 sec)

    mysql> exit
    Bye
    #

    The accounts and database have been created. Now try to log in to the database using the two accounts.

    # mysql -u vpopmail_read -ppassword_read vpopmail
    # mysql -u vpopmail_write -ppassword_write vpopmail

    If the test succeeded we can tell vpopmail how to connect to mysql. Modify the file /var/vpopmail/etc/vpopmail.mysql to look like the listing in appendix F.


    Default limits

    In the file /var/vpopmail/etc/vlimits.default you can set some default limitations on newly created domains and user accounts. You can edit this file using any text editor. I set the options as shown in appendix G.

    4.2.3 Testing vpopmail

    Now we should test vpopmail to make sure everything works correctly. Try adding a domain and user, e.g. “test.com”. If this succeeds, remove the domain. This test will make sure that vpopmail can access the mySQL server.

    # cd /var/vpopmail/bin
    # ./vadddomain test.com
    # ./vadduser [email protected]
    # ./vdeldomain test.com

    4.2.4 Creating the localhost as virtual domain

    Now that vpopmail is up and running, we should add the domain of the local host as a virtual domain. Then, we need to forward all messages to the three system aliases to email addresses in the virtual domain.

    # cd /var/vpopmail/bin
    # ./vadddomain -b your.domain postmaster-password
    # ./vadduser [email protected] password
    # ./vadduser [email protected] password
    # cd /var/qmail/alias
    # rm .qmail-postmaster .qmail-mailer-daemon .qmail-root
    # echo "&[email protected]" > .qmail-postmaster
    # echo "&[email protected]" > .qmail-mailer-daemon
    # echo "&[email protected]" > .qmail-root

    Now we should send a test message to one of the system accounts to make sure everything works. Use the following commands.

    # echo to: postmaster | /var/qmail/bin/qmail-inject
    # cd /var/vpopmail/domain/your.domain/postmaster/Maildir/new/
    # ls
    1092838607.22188.your.domain,S=244
    #

    The second-last line should look like the one in the example.


    4.3 Pop3

    4.3.1 Service scripts

    The default installation already installed most applications needed for a pop3 daemon. The remaining application was provided by the vpopmail installation. All that needs to be done is creating the scripts which will run the pop3 daemon.

    # cd /var/qmail/supervise/
    # mkdir -p qmail-pop3d/log
    # chmod 1750 qmail-pop3d
    # mkdir /var/log/qmail/pop3d
    # chown qmaill:qmail /var/log/qmail/pop3d

    Now create two scripts, /var/qmail/supervise/qmail-pop3d/run and /var/qmail/supervise/qmail-pop3d/log/run, according to appendix H. Don’t forget to replace “your.domain” with your domain name. The first script of those two uses a non-standard configuration file. Create this configuration file and set some permissions using the following commands.

    # cd /var/qmail/supervise
    # chmod 750 */run */log/run
    # echo 20 > /var/qmail/control/concurrencypop3

    Just like for smtp access, there should be an access database. Create this database. In this example, pop3 access is allowed from anywhere.

    # echo :allow > /etc/tcp.pop3
    # tcprules /etc/tcp.pop3.cdb /etc/tcp.pop3.tmp < /etc/tcp.pop3

    Now that all needed files are created, we can make the qmail-pop3d service known to supervise.

    # cd /etc/daemontools/service
    # ln -s /var/qmail/supervise/qmail-pop3d .

    4.3.2 Testing the pop3 server

    After making the service known to supervise, it should have started automatically. Examine if this is the case using the qmailctl control script.

    # /etc/qmailctl stat
    /etc/daemontools/service/qmail-send: up (pid 14007) 8033 seconds
    /etc/daemontools/service/qmail-send/log: up (pid 30172) 8033 seconds
    /etc/daemontools/service/qmail-smtpd: up (pid 14239) 8033 seconds


    /etc/daemontools/service/qmail-smtpd/log: up (pid 21878) 8033 seconds
    /etc/daemontools/service/qmail-pop3d: up (pid 20556) 28 seconds
    /etc/daemontools/service/qmail-pop3d/log: up (pid 27534) 28 seconds
    messages in queue: 0
    messages in queue but not yet preprocessed: 0
    #

    Now try to connect to the pop3 server and check for new email. In this example there is one message in the user’s inbox. Commands typed by the user are prefixed with a >.

    # telnet localhost 110
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    +OK
    > user [email protected]
    +OK

    > pass password
    +OK

    > list
    +OK
    1 344
    .

    > quit
    +OK
    Connection closed by foreign host.
    #

    4.4 IMAP

    As an IMAP server, we will be using Courier-IMAP. Courier is a fast and lightweight IMAP server; furthermore, it can use vpopmail’s libraries to authenticate users.

    4.4.1 Compiling Courier-IMAP

    The source package[9] must be untarred and compiled using a normal user account. Trying this as root will not work. After you have unpacked the source, use the following command to configure the source.

    $ ./configure --prefix=/var/courier-imap \
    > --enable-unicode \
    > --without-authpwd \


    > --without-authshadow \
    > --without-authpam \
    > --without-authuserdb \
    > --without-authcram \
    > --without-authldap \
    > --without-authpgsql \
    > --without-authdaemon \
    > --without-authcustom \
    > --without-authmysql \
    > --with-authvchkpw \
    > --with-ssl

    Now build the code, and test the code.

    Linux:

    $ make
    $ make check

    OpenBSD and FreeBSD:

    $ gmake
    $ gmake check

    If the test completed successfully, we can check if the correct authentication modules were chosen. Do this using the following command.

    $ cd authlib
    $ ./authinfo
    AUTHENTICATION_MODULES="authvchkpw"
    SASL_AUTHENTICATION_MODULES="PLAIN LOGIN"
    $ cd ..

    Now we must reconfigure the source to include an extra option, and then rebuild the applications.

    $ ./configure --prefix=/var/courier-imap \
    > --enable-unicode \
    > --without-authpwd \
    > --without-authshadow \
    > --without-authpam \
    > --without-authuserdb \
    > --without-authcram \


    > --without-authldap \
    > --without-authpgsql \
    > --without-authdaemon \
    > --without-authcustom \
    > --without-authmysql \
    > --with-authvchkpw \
    > --with-ssl \
    > --with-trashquota
    $ make # or gmake for OpenBSD and FreeBSD

    The actual installation of the programs should be done as the root user.

    $ su
    Password:
    # make install-strip
    # make install-configure

    If you are using FreeBSD or OpenBSD, use gmake instead of make. Also, if make install-strip fails, use make install instead.

    4.4.2 Configuring Courier-IMAP

    Courier-IMAP is now almost completely installed. By default, it installs some scripts which allow you to run it as a standalone daemon. We are going to create some scripts which allow us to run courier-imap using daemontools.

    Service scripts

    First create the folders where the supervise scripts and logs will be stored in. Then create the two files /var/courier-imap/supervise/courier-imapd/run and /var/courier-imap/supervise/courier-imapd/log/run according to appendix I.

    # cd /var/courier-imap/
    # mkdir -p supervise/courier-imapd/log \
    > supervise/courier-imapd/env
    # chmod 1750 supervise/courier-imapd
    # mkdir /var/log/qmail/imapd
    # chown qmaill:qmail /var/log/qmail/imapd

    In one of the scripts a non-standard configuration file is used, and an access database for the imap service is needed. We also need to set some permissions.


    # echo 20 > /var/courier-imap/etc/concurrencyimap
    # echo :allow > /etc/tcp.imap
    # tcprules /etc/tcp.imap.cdb /etc/tcp.imap.tmp < /etc/tcp.imap

    # cd /var/courier-imap/supervise
    # chmod 750 */run */log/run

    All necessary scripts and configuration are now in place. The next step is to make the service known to supervise. After this, the imap daemon should be running and functioning.

    # cd /etc/daemontools/service
    # ln -s /var/courier-imap/supervise/courier-imapd .

    Testing IMAP

    Try to connect to the imap server using telnet. Commands typed by the user are prefixed with a >.

    # telnet 127.0.0.1 143
    Trying 127.0.0.1...
    Connected to 127.0.0.1.
    Escape character is '^]'.
    * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE ...snip...

    > a1 login [email protected] password
    a1 OK LOGIN Ok.

    > a2 select inbox
    * FLAGS (\Draft \Answered \Flagged \Deleted \Seen \Recent)
    * OK [PERMANENTFLAGS (\* \Draft \Answered \Flagged \Deleted \Seen)] Limited
    * 1 EXISTS
    * 1 RECENT
    * OK [UIDVALIDITY 1092924408] Ok
    * OK [MYRIGHTS "acdilrsw"] ACL
    a2 OK [READ-WRITE] Ok

    > a3 logout
    * BYE Courier-IMAP server shutting down
    a3 OK LOGOUT completed
    Connection closed by foreign host.
    #

    In the example above, I logged in as the postmaster of the your.domain domain. Then I selected the inbox. There was a total of 1 message, and 1 message was not yet seen. After this, I logged out.


    4.5 Conclusion

    In this chapter you enhanced the functionality of the basic qmail installation by providing pop3 and IMAP access to the users’ mailboxes. You can now manage multiple virtual email domains and users, and all this information is stored in a mySQL database server.

    In chapter 5 we will set up secure versions of the SMTP, pop3 and IMAP services.

    Chapter 5

    Securing services

    5.1 Overview

    Now that all services are up and running, we can begin to add secure versions of those services. We will wrap the SMTP, POP3 and IMAP services in SSL[1] using the sslserver program which is a part of the ucspi-ssl package.

    We will also discuss what security measures are already present in the current setup.

    5.2 Certificates

    To be able to secure the services effectively, we need to have an SSL certificate. In this document we will place the certificate in /var/certs/. If you already have a certificate for your server, create symbolic links to those files, and place them in the previously mentioned folder. You need four files in total: a private key, in the file privatekey.pem; a certificate, certificate.pem; a combined file containing the private key followed by the certificate, certificate-qmail.pem; and a DH parameter file, dh1024.pem. The file certificate-qmail.pem can be created using the command cat privatekey.pem certificate.pem > certificate-qmail.pem.

    If you do not have the necessary files, use the instructions below to create them. Lines requiring user input are prefixed with a >.

    > # mkdir /var/certs
    > # chmod 755 /var/certs
    > # cd /var/certs
    > # openssl genrsa -out privatekey.pem 1024
    Generating RSA private key, 1024 bit long modulus
    ...............................++++++
    .++++++
    e is 65537 (0x10001)

    [1] Secure Socket Layer


  • CHAPTER 5. SECURING SERVICES 36

    > # openssl req -new -x509 -key privatekey.pem \
    > -out certificate.pem -days 1095
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----

    > Country Name (2 letter code) []:NL
    > State or Province Name (full name) []:Limburg
    > Locality Name (eg, city) []:SomeCity
    > Organization Name (eg, company) []:The Mindlab Hosting
    > Organizational Unit Name (eg, section) []:
    > Common Name (eg, fully qualified host name) []:your.domain

    > Email Address []:[email protected]
    > # cat privatekey.pem certificate.pem > certificate-qmail.pem
    > # openssl dhparam 1024 -out dh1024.pem

    Generating DH parameters, 1024 bit long safe prime, generator 2
    This is going to take a long time
    ......+..................+....+.+........++*++*++*

    > # chmod 644 *

    Please note that the “Common Name” should be the fully qualified domain name of that machine.

    5.3 Installing ucspi-ssl

    Ucspi-ssl[6] is a package which offers SSL[2]-enabled versions of tcpserver and tcpclient, called sslserver and sslclient. This makes it easy to wrap services in an encryption layer. In most daemontools service scripts the tcpserver command can directly be replaced by the sslserver command.

    5.3.1 Compiling

    First download ucspi-ssl[6] and unpack it. Then get the patch[7]. Then use the following commands to prepare and build the source.

    # cd /usr/src/host/superscript.com/net/ucspi-ssl-0.68
    # mv ucspi-ssl-0.68-openssl_0.9.7.patch /usr/src/host/superscript.com/net/
    # patch -p1 < ../ucspi-ssl-0.68-openssl_0.9.7.patch
    # vi src/conf-cc
    # package/compile

    [2] Secure Socket Layer


    # package/rts

    The conf-cc file contains the command line used to compile the source. You can optionally use the same file you used for daemontools.

    The output of the package/rts command should be empty.

    5.3.2 Installing

    To install the applications we can simply copy the programs to where we put the daemontools programs, and create a few symlinks.

    # cd command
    # cp sslcat sslclient sslconnect sslperl sslserver \
    > /etc/daemontools/command/
    # chown root:wheel /etc/daemontools/command/*
    # cd /etc/daemontools/command/
    # ln -s /etc/daemontools/command/sslcat /usr/local/bin
    # ln -s /etc/daemontools/command/sslclient /usr/local/bin
    # ln -s /etc/daemontools/command/sslconnect /usr/local/bin
    # ln -s /etc/daemontools/command/sslperl /usr/local/bin
    # ln -s /etc/daemontools/command/sslserver /usr/local/bin

    5.4 Securing SMTP

    SMTP takes up two parts in our qmail installation. The first part is the receiving of messages using SMTP, the second is the sending of messages to other systems.

    There is another aspect in securing SMTP which has to do with the relaying of messages. The AUTH extension adds authentication to the SMTP protocol. When a user is authenticated, this user can relay messages through this server. An example of authentication over an SMTP session is given in appendix J.

    5.4.1 Receiving messages, qmail-smtpd

    During the installation of qmail itself[3], we added a patch which implements the STARTTLS and AUTH smtp extensions.

    By default the smtpd daemon allows relaying of messages from any address to any address. We changed this so that only the local system may relay to other systems. This was set up in the file /etc/tcp.smtp. You can change the settings per ip-address in this file.

    Since we are now offering pop3 and IMAP access to the users’ mailboxes, it must be possible for remote users to send messages to other systems through our system. The AUTH extension in our qmail installation allows users to authenticate themselves before sending email. Only authenticated users are allowed to relay messages through our mail system.

    [3] Paragraph 3.5.1

    Configuring TLS

    Normally all traffic over an SMTP connection is sent in plaintext. This traffic could be monitored and recorded by other systems on the network. The STARTTLS extension allows the traffic over the SMTP connection to be encrypted; this is called TLS[4]. The STARTTLS extension is already activated, but not yet configured. You can check it like this:

    $ telnet 192.168.2.200 25
    Trying 192.168.2.200...
    Connected to 192.168.2.200.
    Escape character is '^]'.
    220 your.domain ESMTP
    > starttls
    454 TLS missing certificate: error:02001002:system library:fopen:No such file or directory (#4.3.0)
    > quit
    221 your.domain
    Connection closed by foreign host.
    $

    Using the certificate created in paragraph 5.2 we can easily configure qmail-smtpd to enable the secure connection.

    # cd /var/qmail/control
    # ln -s /var/certs/certificate-qmail.pem servercert.pem

    Now verify that the certificate was accepted.

    > # telnet localhost 25
    Trying 127.0.0.1...
    Connected to 127.0.0.1.
    Escape character is '^]'.
    220 your.domain ESMTP
    > starttls
    220 ready for tls

    As you can see the error message is gone. When using TLS we can't use telnet to send messages, because a certificate handshake needs to take place and the communication is encrypted.

    [4] Transport Layer Security


    Testing TLS

    Using the openssl command we can connect to the SMTP daemon and send a test message. Please note that you need at least openssl version 0.9.7 for this. In the following listing you can see an example. Commands typed by the user are prefixed with a >.

    > $ openssl s_client -starttls smtp -crlf -connect 127.0.0.1:25
    CONNECTED(00000003)
    depth=0 /C=NL/ST=SomeState/L=SomeCity/O=themindlab hosting/CN=your.domain/[email protected]
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 /C=NL/ST=SomeState/L=SomeCity/O=themindlab hosting/CN=your.domain/[email protected]
    verify return:1
    ---
    Certificate chain
     0 s:/C=NL/ST=SomeState/L=SomeCity/O=themindlab hosting/CN=your.domain/[email protected]
       i:/C=NL/ST=SomeState/L=SomeCity/O=themindlab hosting/CN=your.domain/[email protected]
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    ...snip...
    -----END CERTIFICATE-----
    subject=/C=NL/ST=SomeState/L=SomeCity/O=themindlab hosting/CN=your.domain/[email protected]
    issuer=/C=NL/ST=SomeState/L=SomeCity/O=themindlab hosting/CN=your.domain/[email protected]
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 1296 bytes and written 350 bytes
    ---
    New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
    Server public key is 1024 bit
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : DHE-RSA-AES256-SHA
        Session-ID: 3A6430067F90D570224FB94E51E678B5F81866F42A7AF21EC3B89CD119261B1A
        Session-ID-ctx:
        Master-Key: 508CEAB91173FE2A29C4E13A5B12A125F762D500878EA2C32078FEF842351FE26EC522D210993BFAF2F92475A82875C7
        Key-Arg   : None
        Krb5 Principal: None
        Start Time: 1093352037
        Timeout   : 300 (sec)
        Verify return code: 18 (self signed certificate)
    ---
    220 your.domain ESMTP
    > ehlo there
    250-your.domain
    250-PIPELINING
    250-8BITMIME
    250 AUTH LOGIN PLAIN CRAM-MD5
    > mail from: [email protected]
    250 ok
    > rcpt to: [email protected]
    250 ok
    > data
    354 go ahead
    > test message.
    > .
    250 ok 1093443943 qp 18664
    > quit
    221 your.domain
    closed
    #

    In the example we first created a file which contained the commands which we would normally type in the telnet application. Then we converted the file to the DOS format. This is necessary because we need to send CR-LF as the newline character. Openssl sends only the LF character, which is invalid in our case. Then we use the openssl program to connect to and initiate a TLS session with the SMTP server.

    You should now check the postmaster account for email. There should be a new message. Check for the following email header in the message to verify that the message was sent encrypted.

    Received: from unknown (HELO there) (192.168.1.100)
      by 0 with (DHE-RSA-AES256-SHA encrypted) SMTP; 24 Aug 2004 12:52:14 -0000
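    Reading that header by eye works for one test message, but the same check is worth automating when you want to confirm, over a whole mailbox, which messages arrived over STARTTLS. The script below is an added example, not part of the guide: it unfolds the header block of a message file and extracts the cipher that qmail-smtpd records in its Received header, printing nothing when the final hop was plaintext. The two message files are constructed for the demonstration and use the header format shown above.

```shell
#!/bin/sh
# Added example (not from the guide): check whether a delivered message came
# in over a STARTTLS session by looking at the Received header qmail-smtpd
# writes, which names the cipher as "(CIPHER encrypted)". The sample messages
# below are constructed for the example; the header format is the one shown
# in the guide.

# Print the cipher named in the topmost Received header (the hop added by our
# own qmail-smtpd), or nothing if that hop was not encrypted. Headers are
# unfolded first because qmail writes Received over two lines.
tls_cipher_from_message() {
    awk '
        /^$/ { exit }                            # blank line ends the header block
        /^[ \t]/ { hdr = hdr " " $0; next }      # continuation line: join to previous
        { if (hdr != "") print hdr; hdr = $0 }   # new header: flush the previous one
        END { if (hdr != "") print hdr }
    ' "$1" |
    sed -n 's/^Received:.*(\([A-Z0-9-]*\) encrypted) SMTP.*/\1/p' | head -n 1
}

# Exit status 0 if the final hop used TLS, 1 otherwise.
message_was_encrypted() {
    [ -n "$(tls_cipher_from_message "$1")" ]
}

# Constructed message: delivered over STARTTLS (cipher as in the guide's example).
ENCRYPTED_MSG=$(mktemp)
cat > "$ENCRYPTED_MSG" <<'EOF'
Received: from unknown (HELO there) (192.168.1.100)
  by 0 with (DHE-RSA-AES256-SHA encrypted) SMTP; 24 Aug 2004 12:52:14 -0000
From: postmaster@your.domain
To: postmaster@your.domain
Subject: constructed TLS test

test message.
EOF

# Constructed message: same hop, but the session never issued STARTTLS.
PLAIN_MSG=$(mktemp)
cat > "$PLAIN_MSG" <<'EOF'
Received: from unknown (HELO there) (192.168.1.100)
  by 0 with SMTP; 24 Aug 2004 12:52:14 -0000
From: postmaster@your.domain
To: postmaster@your.domain
Subject: constructed plaintext test

test message.
EOF

for m in "$ENCRYPTED_MSG" "$PLAIN_MSG"; do
    if message_was_encrypted "$m"; then
        echo "$m: encrypted with $(tls_cipher_from_message "$m")"
    else
        echo "$m: NOT encrypted"
    fi
done
```

    Only the topmost Received header is inspected on purpose: that is the hop our own qmail-smtpd added, and it is the only one whose claim we can trust. Older Received headers were written by other systems and say nothing about how the message reached us.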

    Configuring SMTP over SSL

    We will now set up a service which will be completely encrypted. This may seem unnecessary after enabling TLS for the SMTP daemon. Some MUAs however only support SSL and not TLS to retrieve mail. Also, clients which support both will now be able to connect using an SSL encrypted connection, and then issue the STARTTLS command to add another layer of encryption.

    First we will create a directory in which we will put our global SSL configuration. This directory will be used by the envdir[5] command. We will also use this directory when setting up other SSL wrapped services.

    # cd /var/qmail/control
    # mkdir sslenv
    # cd sslenv
    # echo /var/certs/certificate.pem > CERTFILE
    # echo /var/certs/privatekey.pem > KEYFILE
    # echo /var/certs/dh1024.pem > DHFILE
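    Because envdir turns each file into one environment variable and sslserver only reads those paths when a client connects, a typo in the sslenv directory or a private key left world-readable is easy to miss until much later. The script below is an added example, not part of the guide: it checks that the three variable files exist, that the files they point at exist, and that the private key is readable by its owner only. The directories it inspects are constructed in temporary locations for the demonstration.

```shell
#!/bin/sh
# Added example (not from the guide): sanity-check an envdir such as
# /var/qmail/control/sslenv before a run script hands it to envdir and
# sslserver. envdir turns every file in the directory into one environment
# variable whose value is the file's first line, so a typo in a path only
# shows up when the first client connects. The check verifies that CERTFILE,
# KEYFILE and DHFILE exist, that the files they name exist, and that the
# private key is not group- or world-readable. The directories and files
# below are constructed in temporary locations for the example.

# Print each problem found; exit status 0 when the envdir is usable, 1 otherwise.
check_sslenv() {
    envdir=$1
    status=0
    for var in CERTFILE KEYFILE DHFILE; do
        if [ ! -f "$envdir/$var" ]; then
            echo "missing variable file: $envdir/$var"
            status=1
            continue
        fi
        target=$(head -n 1 "$envdir/$var")
        if [ ! -f "$target" ]; then
            echo "$var points at a missing file: $target"
            status=1
        fi
    done
    # The private key must be readable by the service user only.
    if [ -f "$envdir/KEYFILE" ]; then
        key=$(head -n 1 "$envdir/KEYFILE")
        # -perm -040 / -perm -004: group or world read bit set (POSIX find)
        if [ -f "$key" ] && [ -n "$(find "$key" \( -perm -040 -o -perm -004 \) -print)" ]; then
            echo "private key is group- or world-readable: $key"
            status=1
        fi
    fi
    return $status
}

# Constructed layout mirroring the guide's /var/certs and sslenv directories.
CERTS=$(mktemp -d)
SSLENV=$(mktemp -d)
touch "$CERTS/certificate.pem" "$CERTS/privatekey.pem" "$CERTS/dh1024.pem"
chmod 644 "$CERTS/privatekey.pem"       # deliberately too permissive for the demo
echo "$CERTS/certificate.pem" > "$SSLENV/CERTFILE"
echo "$CERTS/privatekey.pem"  > "$SSLENV/KEYFILE"
echo "$CERTS/dh1024.pem"      > "$SSLENV/DHFILE"

if check_sslenv "$SSLENV"; then
    echo "sslenv ok"
else
    echo "sslenv needs fixing (see above)"
fi
```

    Point check_sslenv at /var/qmail/control/sslenv after creating it, and again whenever the certificate is renewed. The same directory is reused for the POP3 and IMAP wrappers later in this chapter, so one broken path there takes down all three services.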

    Use the following commands to create the service directories for our smtps service. Then create the two files /var/qmail/supervise/qmail-smtpsd/run and /var/qmail/supervise/qmail-smtpsd/log/run according to appendix K.

    # cd /var/qmail/supervise/
    # mkdir -p qmail-smtpsd/log
    # chmod 1750 qmail-smtpsd

    # mkdir /var/log/qmail/smtpsd
    # chown qmaill:qmail /var/log/qmail/smtpsd

    # echo 20 > /var/qmail/control/concurrencysmtps
    # chmod 640 /var/qmail/control/concurrencysmtps

    # echo :allow > /etc/tcp.smtps
    # tcprules /etc/tcp.smtps.cdb /etc/tcp.smtps.tmp < /etc/tcp.smtps

    Now create the two run files mentioned above and set their permissions.

    # cd /var/qmail/supervise
    # chmod 750 */run */log/run

    The main run script for the qmail-smtpsd server uses a non-standard configuration file, /var/qmail/control/concurrencysmtps.

    [5] Envdir runs a command using environment variables found in a directory.


    Now that all scripts are in place we can make the new service known to daemontools.

    # cd /etc/daemontools/service
    # ln -s /var/qmail/supervise/qmail-smtpsd .

    The service will be started automatically.

    Testing SMTP over SSL

    The last steps of the previous paragraph should have started the service. Use the following commands to check if the service is running and working. Commands entered by the user are prefixed with a >.

    > $ openssl s_client -connect 127.0.0.1:465
    CONNECTED(00000004)
    depth=0 /C=NL/ST=Limburg/L=SomeCity/O=The Mindlab Hosting/CN=your.server/[email protected]
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 /C=NL/ST=Limburg/L=SomeCity/O=The Mindlab Hosting/CN=your.server/[email protected]
    verify return:1
    ---
    Certificate chain
     0 s:/C=NL/ST=Limburg/L=SomeCity/O=The Mindlab Hosting/CN=your.server/[email protected]
       i:/C=NL/ST=Limburg/L=SomeCity/O=The Mindlab Hosting/CN=your.server/[email protected]
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIICnjCCAgegAwIBAgIBADANBgkqhkiG9w0BAQQFADCBlDELMAkGA1UEBhMCTkwxEDAOBgNVBAgTB0xpbWJ1cmcxETAPBgNVBAcTCFNvbWVDaXR5MRwwGgYDVQQKExNUaGUgTWluZGxhYiBIb3N0aW5nMSIwIAYDVQQDExlnYWxhZHJpZWwudGh1aXMudW5raWUub3JnMR4wHAYJKoZIhvcNAQkBFg9wdXN0amVuc0BkZHMubmwwHhcNMDQwODI1MTQxNDM5WhcNMDcwODI1MTQxNDM5WjCBlDELMAkGA1UEBhMCTkwxEDAOBgNVBAgTB0xpbWJ1cmcxETAPBgNVBAcTCFNvbWVDaXR5MRwwGgYDVQQKExNUaGUgTWluZGxhYiBIb3N0aW5nMSIwIAYDVQQDExlnYWxhZHJpZWwudGh1aXMudW5raWUub3JnMR4wHAYJKoZIhvcNAQkBFg9wdXN0amVuc0BkZHMubmwwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANekcta8S2cJmoslV8GdHA/TxOXAAh/NLfyCCYb0hNybalR1ZMlaXEvDVFJyMFJeFVQ88pBCmZfHNmDili5cdDW57dPoomF+qZOQpK0DaGUKyE2SbxYjTJJOmh3w3yN8EDmL/QqrTUKmcmvOxkGPGZjmAgtxf/EYUi3zO+Sib5hVAgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAgHQws4ju/tfUOQNCcOxH/mWnKD/RuPG+JP4I9PY3ugvekvkrpJQL7m8b4KobPWfz/a7G+oPW6kSkZbjko3/gz4ndN6PfTrc+xBNn728xh46jnUh3gymfpIghAECX7153mYfm3kS0Vj12AiN0JxwfRlhLax+0YEP5l4dNUWEkQxI=
    -----END CERTIFICATE-----
    subject=/C=NL/ST=Limburg/L=SomeCity/O=The Mindlab Hosting/CN=your.server/[email protected]
    issuer=/C=NL/ST=Limburg/L=SomeCity/O=The Mindlab Hosting/CN=your.server/[email protected]
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 1238 bytes and written 340 bytes
    ---
    New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
    Server public key is 1024 bit
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : DHE-RSA-AES256-SHA
        Session-ID: A6B1B8256298393A3BE6456EECEEE9C9B2672A3BA87DCB73FA046B54CAE6BFF9
        Session-ID-ctx:
        Master-Key: 98EE0DBDE02074982F22ED304B58C0D502D9E39EAABBD7764E6E99873588AF91640FB6BDE7781329BA36E0DF9F277B7D
        Key-Arg   : None
        Start Time: 1093449553
        Timeout   : 300 (sec)
        Verify return code: 18 (self signed certificate)
    ---
    220 your.server ESMTP
    > quit
    221 your.server
    closed
    #

    You could also send a test message. At this point you should be able to figure out the correct commands by yourself.

    5.4.2 Sending messages, qmail-remote

    The options for securing the messages qmail sends are limited. The STARTTLS extension in our qmail installation is automatically enabled. This means that when a message is being delivered to a remote host, qmail-remote tries to send the STARTTLS command. When this is successful, the rest of the conversation is encrypted.

    Just like configuring STARTTLS for the SMTP daemon, we only need to install a certificate to make it work.

    # cd /var/qmail/control
    # ln -s /var/certs/servercert.pem servercert.pem

    You can verify whether messages are being sent encrypted when possible by sending a message to a remote server you know supports STARTTLS. There should be a header in the message similar to the following.


    Received: from unknown (HELO there) (192.168.1.100)
      by 0 with (DHE-RSA-AES256-SHA encrypted) SMTP; 24 Aug 2004 12:52:14 -0000

    5.5 Securing Pop3

    Securing POP3 is mostly the same as securing SMTP. We need to wrap the service in an SSL layer.

    5.5.1 Configuring POP3 over SSL

    Create the directories for the service scripts and log files. Then create two files, namely /var/qmail/supervise/qmail-pop3sd/run and /var/qmail/supervise/qmail-pop3sd/log/run, according to appendix L. We also need to create a new configuration file and an access database.

    # cd /var/qmail/supervise
    # mkdir -p qmail-pop3sd/log
    # chmod 1750 qmail-pop3sd

    # mkdir /var/log/qmail/pop3sd
    # chown qmaill:qmail /var/log/qmail/pop3sd

    # echo 20 > /var/qmail/control/concurrencypop3s

    # echo :allow > /etc/tcp.pop3s
    # tcprules /etc/tcp.pop3s.cdb /etc/tcp.pop3s.tmp < /etc/tcp.pop3s

    Now create the two run files mentioned above and set their permissions.

    # cd /var/qmail/supervise
    # chmod 750 */run */log/run

    Now make the service known to daemontools.

    # cd /etc/daemontools/service
    # ln -s /var/qmail/supervise/qmail-pop3sd .

    5.5.2 Testing POP3 over SSL

    Using the following command you can easily test if the new POP3 over SSL service is working.

    openssl s_client -connect 192.168.2.200:995 -crlf

    You should already know how to talk POP3 at this stage. If not, use the example in paragraph 4.3.2.


    5.6 Securing IMAP

    There are hardly any differences between securing POP3 and securing IMAP. The instructions below should work perfectly if you managed to secure POP3.

    5.6.1 Configuring IMAP over SSL

    Create the directories for the service scripts and log files. Then create two files, namely /var/courier-imap/supervise/courier-imapsd/run and /var/courier-imap/supervise/courier-imapsd/log/run, according to appendix M. We also need to create two new configuration files and an access database.

    # cd /var/courier-imap/supervise
    # mkdir -p courier-imapsd/log
    # mkdir -p courier-imapsd/env
    # chmod 1750 courier-imapsd

    # mkdir /var/log/qmail/imapsd
    # chown qmaill:qmail /var/log/qmail/imapsd

    # cd /var/courier-imap/etc
    # echo 20 > concurrencyimaps
    # cat imapd | sed 's/imapd.pid/imapsd.pid/; s/143/993/' > imapsd

    # echo :allow > /etc/tcp.imaps
    # tcprules /etc/tcp.imaps.cdb /etc/tcp.imaps.tmp < /etc/tcp.imaps

    Now create the two run files mentioned above and set their permissions.

    # cd /var/courier-imap/supervise
    # chmod 750 */run */log/run

    Now make the service known to daemontools.

    # cd /etc/daemontools/service
    # ln -s /var/courier-imap/supervise/courier-imapsd .

    5.6.2 Testing IMAP over SSL

    Using the following command you can easily test if the new IMAP over SSL service is working.

    openssl s_client -connect 192.168.2.200:993 -crlf

    You should already know how to talk IMAP at this stage. If not, use the example in paragraph 4.4.2.


    5.7 Conclusion

    During the course of this chapter, we secured the services we offer by installing ucspi-ssl, which makes it very easy to create an SSL wrapped service. We then used the sslserver application of this package to create SSL wrapped versions of SMTP, POP3 and IMAP. For SMTP, we also configured the STARTTLS extension to be fully functional during the receiving of messages, but also during the sending of messages.

    Chapter 6

    Mail Filtering

    Basic mail filtering capabilities are very useful in virtually all circumstances. In this chapter we will set up the infrastructure which allows you to write your own filters. Our infrastructure will have a global filter script, but it also allows per-domain filters.

    We will then set up a spam filter which files spam into a separate mailbox. The spam filter configuration can be defined per user, per domain and globally.

    6.1 Procmail

    Procmail[10] is a mail processing utility with filtering capabilities. One of the advantages of procmail is that it is fast and widely deployed. The main disadvantage is its configuration language.

    6.1.1 Installing

    The process of installing procmail is very simple. No special configuration is needed. Almost all systems already come with a version of procmail installed. Please verify that you have the latest version, 3.22 at the time of writing.

    The following paragraphs describe how to install procmail on various UNIX versions.

    OpenBSD and FreeBSD

    Your ports collection has procmail. For OpenBSD you could use the following commands.

    # cd /usr/ports/mail/procmail
    # make install



    Linux, RPM

    There are RPMs for almost any RPM based Linux. You can find RPMs on www.rpmfind.net.

    Other systems

    In rare situations it is necessary to compile and install procmail yourself. Use the following instructions to install procmail.

    # zcat procmail-3.22.tar.gz | tar xvf -
    # cd procmail-3.22
    # vi Makefile

    When editing the Makefile, BASENAME should be /usr/local. CFLAGS should be changed to your system's cflags.

    # make install
    ...snip...
    ==============================================================================
    Would you like to skip running autoconf and use the existing autoconf.h file?
    When in doubt, press return [n]:n
    ==============================================================================
    ...snip...
    I will temporarily use a testdirectory named _locktest
    in the following directories:

        /tmp .

    If you would like to add any, please specify them below,
    press return to continue:

    ...snip...
    #

    Procmail is now successfully installed.

    6.1.2 Global Filter

    We will now make procmail a part of our mail delivery path. We first need to create a procmail configuration file and a dot-qmail[1] file. A listing of those two files is available in appendix N. Put both files in /var/vpopmail/etc. Both files need to have their permissions set.

    [1] Qmail reads its delivery instructions from .qmail files.


    # chown vpopmail:vchkpw qmail-users procmailrc
    # chmod 640 qmail-users procmailrc

    A wrapper script for procmail is needed to translate error codes generated by procmail. Create the script /var/qmail/bin/qmail-procmail according to appendix N. Also set the permissions on this script.

    # chmod 755 /var/qmail/bin/qmail-procmail

    Now that all the needed scripts and configuration files are in place, we can start altering the domains to use the new infrastructure. At this point there should be only one domain. We need to create symbolic links to the procmailrc configuration file and the qmail-users dot-qmail file. The dot-qmail files need to be linked for every mailbox, the procmailrc file only once per domain.

    # cd /var/vpopmail/domains/your.domain/
    # ls -la
    -rw-------  1 vpopmail  vchkpw   54 Sep  2 18:42 .qmail-default
    drwx------  3 vpopmail  vchkpw  512 Aug 18 16:03 mailer-daemon
    drwx------  3 vpopmail  vchkpw  512 Aug 18 15:53 postmaster
    drwx------  3 vpopmail  vchkpw  512 Aug 18 16:03 root
    # ln -s /var/vpopmail/etc/procmailrc .procmailrc
    # for user in postmaster root mailer-daemon; do
    > ln -s /var/vpopmail/etc/qmail-users .qmail-$user
    > done
    #

    By symlinking the configuration files you get a central place where you can change those files if the need arises. It also leaves the possibility to remove the symlink and create a specialized filter per domain.

    Please remember that those files must be created for every domain and user. If they are not in place no filtering is possible and delivery proceeds using the delivery instruction in the .qmail-default[2] file.

    6.1.3 Testing the filter

    Testing the filter is very simple. Just send a message to a valid email address, e.g. [email protected]. Verify that the message has arrived. Read the message to verify its content. When reading the message, also read the headers.

    If the message did not arrive, check the qmail-send logfile to see if there were any errors. If there were no obvious errors, try a dry run of procmail like this:

    [2] This file is automatically generated by vadddomain when creating a new virtual domain.


    # cd /var/vpopmail/etc
    # procmail -m -t -p \
    > VERBOSE=on _HOST_=your.domain EXT=postmaster \
    > procmailrc < testmessage.txt
    procmail: [17355] Thu Sep  2 20:38:31 2004
    procmail: Assigning "_HOST_=your.domain"
    procmail: Assigning "EXT=postmaster"
    procmail: Assigning "MAILDIR=."
    procmail: Rcfile: "procmailrc"
    procmail: Assigning "HEAD=/usr/bin/head"
    procmail: Assigning "USERINFO=/var/vpopmail/bin/vuserinfo"
    procmail: Executing "test,onx,=,onx,-o,onx,=,yesx"
    procmail: Match on "test onx = onx -o onx = yesx"
    procmail: Assigning "LOGFILE=/var/vpopmail/etc/procmail.log"
    procmail: Opening "/var/vpopmail/etc/procmail.log"
    # cat procmail.log
    procmail: Assigning "LOGABSTRACT=all"
    procmail: Assigning "MAILDIR=/var/vpopmail/domains/your.domain"
    procmail: Executing "/var/vpopmail/bin/vuserinfo,-d,[email protected]"
    procmail: Assigning "_MAILDIR_=/var/vpopmail/domains/your.domain/postmaster/Maildir/"
    procmail: Executing "test,-d,/var/vpopmail/domains/your.domain/postmaster/Maildir/"
    procmail: Match on "test -d /var/vpopmail/domains/your.domain/postmaster/Maildir/"
    procmail: Assigning "LASTFOLDER=/var/courier-imap/bin/deliverquota -c /var/vpopmail/domains/your.domain/postmaster/Maildir/"
    From [email protected] Thu Sep 02 18:21:57 2004
     Folder: /var/courier-imap/bin/deliverquota -c /var/vpopmail/domains/        627
    procmail: Executing "/var/courier-imap/bin/deliverquota,-c,/var/vpopmail/domains/your.domain/postmaster/Maildir/"
    #

    As you can see you get some debugging information on the console and some in a logfile.

    If the dry run did not display any errors, try adding VERBOSE=on in qmail-procmail just before the _HOST_ assignment. In this case some debugging information will go into the qmail-send logfile and some into the file /var/vpopmail/etc/procmail.log.

    6.2 Basic Spamassassin Filter

    Now that the filtering infrastructure is in place we will add one filter: spamassassin. Spamassassin is a widely used and well tested spam filter. Spamassassin works by testing a message against a number of spam detection algorithms.

    We will set up spamassassin as a daemon using the daemontools utilities. Our spamassassin configuration will allow separate configuration per user and domain. Also, the bayes[3] database will be stored in a MySQL database for speed, and for the possibility of a fallback database.

    6.2.1 Installing

    First download spamassassin[11] and unpack the source code somewhere convenient.

    Then we need to create the makefiles as in the example below. The command line we use will put all spamassassin related files in /var/spamassassin/ and will also enable SSL in the spamd program. Please note that this command requires some user input.

    # perl Makefile.PL PREFIX=/var/spamassassin ENABLE_SSL=yes \
    > SYSCONFDIR=/var/spamassassin/etc CONFDIR=/var/spamassassin/etc
    What email address or URL should be used in the suspected-spam report
    text for users who want more information on your filter installation?
    (In particular, ISPs should change this to a local Postmaster contact)
    default text: [the administrator of that system] www.themindlab-hosting.com

    Checking if your kit is complete...
    Looks good
    Writing Makefile for Mail::SpamAssassin
    Makefile written by ExtUtils::MakeMaker 6.03
    #

    If you get any warnings like the one below, you can install the needed package from CPAN[4]. If you get a warning that DBD::mysql was not found, install it using the instructions in appendix P.

    Warning: prerequisite HTML::Parser 3.24 not found.
    Writing Makefile for Mail::SpamAssassin
    Makefile written by ExtUtils::MakeMaker 6.03
    # perl -MCPAN -e shell

    cpan shell -- CPAN exploration and modules installation (v1.61)
    ReadLine support available (try 'install Bundle::CPAN')

    cpan> o conf prerequisites_policy ask
    prerequisites_policy ask

    cpan> install HTML::Parser
    CPAN: Storable loaded ok
    LWP not available
    CPAN: Net::FTP loaded ok
    Fetching with Net::FTP:
    ...snip...
    Do you want decoding on unicode entities? [no]
    Checking if your kit is complete...
    Looks good
    ...snip...
    Writing /usr/local/libdata/perl5/site_perl/i386-openbsd/auto/HTML/Parser/.packlist
    Appending installation info to /usr/libdata/perl5/i386-openbsd/5.8.0/perllocal.pod
    /usr/bin/make install -- OK

    cpan> quit
    Lockfile removed.
    #

    [3] A spam detection algorithm which requires learning.
    [4] Comprehensive Perl Archive Network

    Now the source can be built. First set your CFLAGS environment variable to your compiler flags. Then build the source. Please note that the make test command requires user input and can take a long while.

    Linux:

    # CFLAGS="your flags here"; export CFLAGS

    OpenBSD:

    # setenv CFLAGS "your flags here"

    All systems:

    # make
    ...snip...
    # make test
    ...snip...
    t/body_mod..................ok
    t/cidrs.....................ok
    t/db_awl_path...............ok
    t/db_based_whitelist........ok
    t/db_based_whitelist_ips....ok
    ...snip...
    All tests successful, 8 tests skipped.
    Files=67, Tests=1458, 779 wallclock secs (451.19 cusr + 43.89 csys = 495.08 CPU)
    # make install
