Dual MTA Qmail

Recently I installed two qmails on a single server to handle mail from inner and outer domains. I will be posting a step by step tutorial of the same in the coming days.

Why dual MTA?

Basically I wanted two different queues to handle mail in different ways.
Queue 1) Receives incoming mail and passes it on to queue 2.
Queue 2) Receives mail only from queue 1, runs a virus scan and SpamAssassin, and delivers mail to local or remote mailboxes (outgoing).

While I could have achieved the same functionality with a single queue, I doubted it would suit my needs in the future. Say the server can handle 250 mails and the queue is already full: then we may see some delay in receiving mail from remote machines and/or may completely lose some mail. Moreover, I don’t have to change the incoming queue’s setup and can continue receiving mail until I need to. It gives me the flexibility to pass the messages to a different server (or servers) altogether whenever needed.

What will the setup look like?

Queue 1: Two qmail-smtpd instances, one listening on port 25 and the other listening on port 465 (SSL).
port 25 – To receive mail from public domains such as yahoo/google.
port 465 – For internal users to send mail (auth + encryption).

Queue 2: qmail-smtpd listens on port 2000 and receives mail only from localhost (127.0.0.1). It calls qmail-scanner, which has the mail scanned with clamav & spamassassin. If it has a virus the mail is quarantined. If it is tagged as SPAM then the mail’s subject is prefixed with [SPAM] and the mail is delivered to the user’s mailbox; if the user is local, it is delivered to the Junk directory.

I also had some specific needs. We had many aliases on the server and only certain people must be able to send mail to those aliases. While this can be done with mailing list software like ezmlm, I thought of exploring further. When an unauthorized user sends mail to a particular alias, ezmlm sends a mail to the moderator. I wanted the mail to be bounced back to the sender (ezmlm has that option) and also to give my own message as the bounce reason. I wrote my own perl script to achieve this and it was simple enough. Ezmlm is also installed on my server and serves other purposes.

Enough for tonight. I will be posting

For the inside queue (the one that scans and delivers mail) I followed the instructions from qmailrocks. Disk space, the pre-installation check list & other instructions are here

Note: I installed vpopmail without mysql since the number of domains I manage is small. If you are going to have more than 10 domains, consider using vpopmail with the mysql backend. Remember to replace all example.net entries with your own domain. For hostnames enter the FQDN of your server.

After installing qmailrocks, make sure that mail to & from your domain works. The qmail installation from qmailrocks listens on port 25; alter it to listen on port 2000.

The last few lines in ‘/var/qmail/supervise/qmail-smtpd/run’ look like this:

 # tail -4 /var/qmail/supervise/qmail-smtpd/run
 /usr/local/bin/tcpserver -v -R -l "$LOCAL" -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \
     -u "$QMAILDUID" -g "$NOFILESGID" 127.0.0.1 2000 \
     /var/qmail/bin/qmail-smtpd your.hostname.here \
     /home/vpopmail/bin/vchkpw /usr/bin/true 2>&1

With the above setting, the QMR installation serves as a separate queue which scans any mail that comes to it. Now we have everything set up to install our other queue.

Note: I used /var/qmail-inside as the qmail directory for this queue (all incoming mail). You can choose any other directory you want. Also, for this queue I patched qmail with jms’s combined patch set 6cd.

Below are the steps:

 cd /usr/local/src
 wget ftp://ftp.jp.qmail.org/qmail/qmail-1.03.tar.gz
 wget http://qmail.jms1.net/patches/qmail-1.03-jms1.6cd.patch
 wget http://untroubled.org/qmail-qfilter/qmail-qfilter-2.1.tar.gz
 wget http://qmail.jms1.net/scripts/service-qmail-send-run
 wget http://qmail.jms1.net/scripts/service-qmail-smtpd-run
 tar zxfv qmail-1.03.tar.gz
 mv qmail-1.03 qmail-inside
 cd qmail-inside/

Edit conf-qmail and change the directory entry from /var/qmail to /var/qmail-inside.

 echo 211 > conf-split
 echo 255 > conf-spawn
 patch < /usr/local/src/qmail-1.03-jms1.6cd.patch
 make setup check

Next we have to create the necessary control files for qmail. Copying all the control files from /var/qmail/control will do, but we have to remove some unwanted files too. The virtualdomains file has the names of the virtual domains created with vpopmail. Having this file in the inside queue means that mail would be delivered directly to the vpopmail user rather than being passed to our other queue.

 cd /var/qmail-inside/control/
 cp /var/qmail/control/* /var/qmail-inside/control/
 rm -f virtualdomains.lock locals.lock rcpthosts.lock clientcert.pem
 rm -f virtualdomains

It is better to link some files directly from /var/qmail, so that we don’t have to edit a second copy each time a new virtual domain is added.

 cd /var/qmail-inside/control
 rm -f rcpthosts
 ln -s /var/qmail/control/rcpthosts
 rm -f plusdomain
 ln -s /var/qmail/control/plusdomain

Now we are going to create the necessary aliases and the cdb file.

 cd /var/qmail-inside/alias
 echo "postmaster" > .qmail-root
 echo "postmaster@example.net" > .qmail-postmaster
 echo "postmaster" > .qmail-mailer-daemon
 cp .qmail-root .qmail-abuse
 echo "127.0.0.1:allow,RELAYCLIENT=\"\"" > /etc/tcp.smtp.inside
 tcprules /etc/tcp.smtp.inside.cdb /etc/tcp.smtp.inside.tmp < /etc/tcp.smtp.inside

The next step is to create all the supervise and log directories:

 mkdir -p /var/qmail-inside/supervise/qmail-inside-send/log
 mkdir -p /var/qmail-inside/supervise/qmail-smtpd-25/log
 mkdir -p /var/qmail-inside/supervise/qmail-smtpd-465/log
 chmod +t /var/qmail-inside/supervise/qmail-inside-send
 chmod +t /var/qmail-inside/supervise/qmail-smtpd-25
 chmod +t /var/qmail-inside/supervise/qmail-smtpd-465
 mkdir -p /var/log/qmail-inside/qmail-inside-send
 mkdir -p /var/log/qmail-inside/qmail-smtpd-25
 mkdir -p /var/log/qmail-inside/qmail-smtpd-465
 chown -R qmaill /var/log/qmail-inside/
 chown vpopmail.qmail servercert.pem

Create the log run files for the smtpd and send services:

 vi /var/qmail-inside/supervise/qmail-smtpd-25/log/run

 #!/bin/sh
 exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t s2500000 /var/log/qmail-inside/qmail-smtpd-25

 vi /var/qmail-inside/supervise/qmail-inside-send/log/run

 #!/bin/sh
 exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t /var/log/qmail-inside/qmail-inside-send

Now we are going to populate the supervise directories:

 cd /var/qmail-inside/supervise
 cp /usr/local/src/service-qmail-smtpd-run qmail-smtpd-25/
 cp /usr/local/src/service-qmail-smtpd-run qmail-smtpd-465/
 cp /usr/local/src/service-qmail-send-run qmail-inside-send/
 cp qmail-smtpd-25/log/run qmail-smtpd-465/log/

 vi qmail-smtpd-465/log/run

and change the directory qmail-smtpd-25 to qmail-smtpd-465.

 chmod 755 qmail-smtpd-465/log/run qmail-smtpd-25/log/run \
     qmail-inside-send/log/run
 cd /var/qmail-inside/supervise/qmail-inside-send/
 mv service-qmail-send-run run

Edit the file run:

 vi run

and change the following entry

 VQ=/var/qmail

to

 VQ=/var/qmail-inside

and save the file.

 chmod 755 run
 cd ../qmail-smtpd-25/
 mv service-qmail-smtpd-run run
 vi run

Change the following:

 VQ="/var/qmail-inside"
 SMTP_CDB="/etc/tcp.smtp.inside.cdb"
 GREETDELAY=30
 IP=0

Uncomment RBLSMTPD_PROG and RBL_BAD, save the file and make it executable:

 # chmod 755 run

We have to install sslserver to enable secured SMTP connections (I configured it to listen on port 465).

Installing sslserver

 cd /usr/local/src/
 wget http://www.superscript.com/ucspi-ssl/ucspi-ssl-0.70.tar.gz
 cd /package/
 tar zxfv /usr/local/src/ucspi-ssl-0.70.tar.gz
 cd host/superscript.com/net/ucspi-ssl-0.70
 package/compile
 package/rts   # output should be empty
 package/install
 cd /var/qmail-inside/supervise/qmail-smtpd-465/
 mv service-qmail-smtpd-run run
 vi run

Change the following:

 VQ="/var/qmail-inside"
 SMTP_CDB="/etc/tcp.smtp.cdb"
 QUSER=vpopmail
 IP=0
 PORT=465
 SSL=1
 AUTH=1
 REQUIRE_AUTH=1

Save the file.

 chmod 755 run
 cd /var/qmail-inside/control/
 echo ":127.0.0.1:2000" > smtproutes
 cd /service/
 ln -s /var/qmail-inside/supervise/qmail-smtpd-25/
 ln -s /var/qmail-inside/supervise/qmail-inside-send/
 ln -s /var/qmail-inside/supervise/qmail-smtpd-465/

 ps -ef | grep qmail-inside

will show that the processes are started and running. Check the corresponding service logs and make sure that they don’t throw errors.

If you followed the above steps word for word, the log files for the above services will be at /var/log/qmail-inside/qmail-smtpd-25/current and /var/log/qmail-inside/qmail-smtpd-465/current.

Errors and fixes:
When configuring your mail client to send mail you get an auth failure. You have to use userid@example.net as the username. Also make sure that SSL is enabled and the port is set to 465.
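As an added check that is not part of the original tutorial, the POSIX shell script below verifies the points this two-queue layout depends on: queue 1 routes everything to 127.0.0.1:2000, virtualdomains is absent so nothing bypasses the scanning queue, rcpthosts is the symlink, only 127.0.0.1 is granted RELAYCLIENT on port 25, and queue 2's smtpd binds the loopback address. The sample layout it builds in a temp directory is constructed for the demonstration, not a real qmail install.

```shell
#!/bin/sh
# check_inside_queue DIR RULES [RUN]
#   DIR   - queue 1's qmail directory (e.g. /var/qmail-inside)
#   RULES - tcprules source of its port-25 instance (e.g. /etc/tcp.smtp.inside)
#   RUN   - optional: queue 2's qmail-smtpd run file, checked for a loopback-only bind
# Exit status is a bit mask of failed checks (0 = everything as in the tutorial).
check_inside_queue() {
    dir=$1; rules=$2; rc=0
    # Queue 1 must hand every message to queue 2 on localhost port 2000.
    [ "$(cat "$dir/control/smtproutes" 2>/dev/null)" = ":127.0.0.1:2000" ] ||
        { echo "smtproutes must contain exactly ':127.0.0.1:2000'"; rc=$((rc|1)); }
    # With virtualdomains present qmail-inside delivers to vpopmail itself and
    # the message never reaches the clamav/spamassassin queue.
    [ ! -e "$dir/control/virtualdomains" ] ||
        { echo "virtualdomains present: mail would bypass the scanning queue"; rc=$((rc|2)); }
    # rcpthosts should be the symlink to /var/qmail/control/rcpthosts, so new
    # vpopmail domains are accepted without editing a second copy.
    [ -L "$dir/control/rcpthosts" ] ||
        { echo "rcpthosts is not a symlink to the vpopmail queue's copy"; rc=$((rc|4)); }
    # Only 127.0.0.1 may get RELAYCLIENT on port 25; any other grant (in
    # particular a catch-all ':allow,RELAYCLIENT=""') makes it an open relay.
    if grep -v '^127\.0\.0\.1:' "$rules" | grep -q 'RELAYCLIENT'; then
        echo "RELAYCLIENT granted to a non-loopback address in $rules"; rc=$((rc|8))
    fi
    # Queue 2 must listen on the loopback address only.
    if [ $# -ge 3 ] && ! grep -q '127\.0\.0\.1 2000' "$3"; then
        echo "queue 2's qmail-smtpd run file does not bind 127.0.0.1 2000"; rc=$((rc|16))
    fi
    return $rc
}

# make_sample MODE: constructed miniature of the layout in a temp dir (not a real
# qmail install). "good" mirrors the steps above; "bad" keeps virtualdomains and
# adds a catch-all relay rule. Prints the temp dir path.
make_sample() {
    top=$(mktemp -d)
    mkdir -p "$top/qmail/control" "$top/qmail-inside/control"
    echo "example.net" > "$top/qmail/control/rcpthosts"
    echo ":127.0.0.1:2000" > "$top/qmail-inside/control/smtproutes"
    ln -s "$top/qmail/control/rcpthosts" "$top/qmail-inside/control/rcpthosts"
    echo '127.0.0.1:allow,RELAYCLIENT=""' > "$top/tcp.smtp.inside"
    echo 'tcpserver -v -R 127.0.0.1 2000 qmail-smtpd' > "$top/qmail-smtpd-run"  # constructed excerpt
    if [ "$1" = bad ]; then
        echo "example.net:example.net-" > "$top/qmail-inside/control/virtualdomains"
        echo ':allow,RELAYCLIENT=""' >> "$top/tcp.smtp.inside"
    fi
    echo "$top"
}

d=$(make_sample good)
check_inside_queue "$d/qmail-inside" "$d/tcp.smtp.inside" "$d/qmail-smtpd-run" && echo "queue 1 layout OK"
```

On a real host, call check_inside_queue with /var/qmail-inside, /etc/tcp.smtp.inside and /var/qmail/supervise/qmail-smtpd/run instead of the sample paths.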
