|
|
Hello All,
If you re having problems with bounce on qmail, if you re desperate about qmail getting crazy with thousands of email, then, let me tell you, that your quest ends here! The tools that will be used in this “kind of tutorial” are included right here :
qmHandle: a tool to handle and analyse your mail queue
qmhandle-1.3.2.tar.gz [15.06 KiB]
qmail-remove: a tool to clean your queue
qmail-remove-0.95.tar.gz [9.19 KiB]
Basic things you should know
[*]Where are the mail stored ?
Usually, for a mail like hello@mydomain.com you ll find the emails in /var/qmail/mailnames/mydomain.com/hello/Maildir/new or /cur. You can view their content with nano or vi or any text editor, and read them from your linux console, given they do not contains too much html gibberish.
[*]Where is the queue stored ?
The queue, is the as it sounds to be, “all the mails that have not been yet delivered” (delivered to a local user or to a remote user(not hosted on your mail server))
Delivering the queue to the local users is not a big process, but delivering it to remote destination, well, might give a hard time to qMail sometimes ! (as for any other mail system of course)
So, the queue is physically stored in folders within /var/qmail/queue/ Let’s not bother with the details of all folders in that path, for the moment, we dont care.
[*]Why is my qmail getting crazy ?
Back in the good old times, people were nice, internet was new, and the trees were green. Nowaday, a lot of companies or a**holes are also present on internet and gives nightmares to many admins.
One of the nightmare is called SPAM Of course, there are many counters against spammer today, theirs servers IPs are marked as *bad*, anti spam software
are sold and used in every companies, etc… But there is still a way for them, they can take advantage of your mailsystem to deliver their spam .
How do they do that ?
Very easy. Really. They just have to know some of your domain names, for example : @niceguy.com they dont want to know what user you have under this domain name, they wont send any email
to contact@niceguy.com or info@niceguy.com ! no, they will send 10000 emails to imsurethisemaildoesnotexist@niceguy.com and your qmail will generate a “Failure notice”, with the original content of the email, and try to send back a mail saying : I’m sorry, this user does not exists !
Well, here’s the trick, your qmail is only relying on the fact that the bad guy who sent you this email, wrote nicely a “reply to” header in all these 10000 emails. But the bad guy, instead of that, wrote 10000 emails of people he want to spam all over the earth. And your qmail system is now spamming all these 10000 people telling them “I’m sorry, this user does not exists !” and here the content of your email…
See ? you become the spammer ! you ll be marked as a bad guy on the internet in no time if you dont react fast ! So, let’s shield yourself !
STOP THE BOUNCE !
First thing we’ll do, if you agree, is to stop that good old bouncing system (failure notice) We re going to create a “catch all” adress on your server, so, just create a mail called catchall@niceguy.com (replace niceguy.com by a domain hosted by your server of course… ) Now, using a terminal, go into the folder /var/qmail/mailnames/niceguy.com/catchall/ and enter that command
this will just create a text file called “.qmail” and with just a # as a content. This sets a rule for qmail, a rule that say, any mails coming for catchall@niceguy.com must be deleted immedialty, period. We have our catcher ! Now, we have two possibilities, either your using Plesk and all you have to do is to login to it, I Have Plesk so go to your domain list and check them all;
click on Group Operations and Scroll down to Preferences.
For the ‘Mail to nonexistent user’ option click the ‘Switch on’ radio button.
Then click the ‘Forward to address’ radio button and put catchall@niceguy.com in the box.
Now, you just scroll down and click OK .
And that’s it for the first part.
You should do this part wether or not your having problem, cause believe me, you re going to have problems one day or the other if you dont follow that procedure. Too bad it turns off the good old bouncing system, telling people around the world “Ah, maybe you mistyped the email”. That was a pretty good idea, until the spammers came to the internet world, now, it s just a threat to have such an option activated on any mail system.
I don’t Have Plesk
Well, you ll have to write the rules yourself then
in every
/var/qmail/mailnames/domain.com/
/var/qmail/mailnames/domain2.com/
/var/qmail/mailnames/niceguy.com/
/var/qmail/mailnames/123.com/
etc.. you ll have to create a file named .qmail-default with the following content : &catchall@niceguy.com you can do so by typing the following command
echo “&catchall@niceguy.com” > /var/qmail/mailnames/domain2.com/.qmail-default
This set the following rule for qmail : If you dont find such a user on the server, then just forward the mail to catchall@niceguy.com
One may ask, hey, why dont we just put a .qmail-default with # as a content, like that the mail wont be forwarded to any catchall adress, and will just be dropped. Well, this is what a qmail expert told me when i asked him: Quote: If you reject emails they may still bounce back to your server depending on where they appear to be sent from. If someone is spoofing your IP and that is why were they bounced to you in the first place they will come back one final time. So, i dont know if that qmail guru is right or not, but i made the choice to believe him, and use the magic catchall technique !
So, if you followed that simple guide, your server should be fine now… or not… Setting these rules just made the forecoming spam attack harmless to your server, but what if your mail queue is already full ?
and those new rules are nice, but they dont care of the current queue !
Empty the queue now
Very important : Before going any further, stop the qmail service on your server,
The guy who created qmail, as good as this system may or may not be, though you would do everything with nano and vi, and provided very few admin tools to effectively work with it..
Well, there is /var/qmail/bin/qmail-qstat that will tell you how big is your queue, and maybe if your an expert, you’ll tell me that qmail is fantastic and anything can be done easily with it, but this post is not for expert, if you re an expert, I really wonder why you stumble on that post
So, let say your queue is full of thousand of emails . I’m just going to tell you how to empty it (nothing will be lost, just moved to another folder, so qmail is clean again) you have to install that qmail-remove i attached to that post you drop it in /tmp on your server and you type this
tar xvfz qmail-remove-0.95.tar.gz
cd qmail-remove-0.95
make
make install
If that does not work, maybe you dont have “make”, on debian, a “apt-get install” make could do the trick.
Ok, now you ve got qmail-remove on your system, and you have two choices
[*]Choice 1
Empty everything, and start a new life for your server, deleting all the mails that are in the queue, maybe your users wont like that, and maybe they already don’t like you because the mail system is completely crashed since hours or day because of that spam attack. If you go with this choice, just know that all your mails wont be actually deleted, they ll just be moved to the folder /var/qmail/queue/yanked/ all the emails are stored in 3 parts
/var/qmail/queue/info/21321321
/var/qmail/queue/local/21321321
/var/qmail/queue/mess/21321321
and qmail-remove will move all these 3 parts in the folder yanked, renaming them to
/var/qmail/queue/yanked/21321321.info
/var/qmail/queue/yanked/21321321.local
/var/qmail/queue/yanked/21321321.mess (the real mail content is in that file)
Code to empty the whole queue (use with care) :
qmail-remove -r -n 10 -p “”
-r tells qmail-remove to remove the mail (moving it to the folder yanked)
-n 10 tells qmail-remove to analyse the 10 first bytes of the emails
-p “” tells qmail-remove to only remove those mails that contains “” which is true for all the mails
[*]Choice 2
Maybe it wont be necessary to empty everything, and you can start by removing all the mails that contains the words Failure notice
Here’s the code :
qmail-remove -r -n 512 -i -p “Subject: Failure Notice”
-i is to ignore case
if you deleted(moved to yanked) some mails you would like to put back in the mailbox of some of your users, you ll have to find them in the yanked folder, find the XXXXX.mess ones, and move them to the folder of your user /var/qmail/mailnames/niceguy.com/contact/Maildir/new/
I’ll probably update this post later to tell you about qmHandle, basically, it s a viewer of your queue, that allows you do to many things qmail should give you the tools to do with a native installation. If you have any correction, additionnal informations, or else, please create an account on this forum(i m pretty sure the activation email will end in your spam folder cause i m not using a real SMTP server behing this forum, it s only using the basic unix mail command to send mail)
Thanks for reading, and i hope this helped some of you guys and gals !
miracl
Normally, qmail will be able to process the mail queue without any interaction from the system administrator, however, if you want to force it to process everything that is in the queue right now, you can do so:
#kill -ALRM `pgrep qmail-send`
If for some peculiar reason you don’t have pgrep on your server, you can go about it a slightly different way:
#kill -ALRM `ps ax | grep qmail-send | grep -v grep | awk ‘{print $1}’`
Download qmHandle from SourceForge. You actually only need the script ‘qmHandle’ so use that if you have it handy. Upload it to the server and untar it if necessary. You may download the file directly from SourceForge using the wget command:
# wget http://sourceforge.net/projects/qmhandle/files/qmhandle-1.3/qmhandle-1.3.2/qmhandle-1.3.2.tar.gz/download
Then decompress the file using the tar command:
# tar -xvzf qmhandle-1.3.2.tar.gz
First it is recommended to shutdown qmail using the service command to prevent possible corruption of the mail queue:
# service qmail stop
When you are done with qmhandle be sure to start it again using the service command:
# service qmail start
qmHandle can show it’s own options when run without a flag:
./qmHandle
qmHandle v1.3.2 Copyright 1998-2003 Michele Beltrame
Available parameters:
-a : try to send queued messages now (qmail must be running)
-l : list message queues
-L : list local message queue
-R : list remote message queue
-s : show some statistics
-mN : display message number N
-dN : delete message number N
-Stext : delete all messages that have/contain text as Subject
-D : delete all messages in the queue (local and remote)
-V : print program version
Additional (optional) parameters:
-c : display colored output
-N : list message numbers only (to be used either with -l, -L or -R)
You can view/delete multiple message i.e. -d123 -v456 -d567
The Roundcube webmail software is available in
The ports for Roundcube webmail is available in /var/www/html/roundcube. To install roundcube, you will need to type the following (as root):
# cd /usr/ports/mail/roundcube
# make install clean
The ports system will install Apache, PHP4, and MySQL if you do not have them on your system. By default, roundcube is installed in /usr/local/www/roundcube/
Now, I’m going to map the http://localhost/roundcube/ to /var/www/html/roundcube/. To do this you will need to open the apache configuration located in /etc/http/http.d Edit httpd.conf then copy and paste the following:
Alias /roundcube "/usr/local/www/roundcube/" <Directory "/usr/local/www/roundcube"> Options Indexes FollowSymLinks AllowOverride All Order allow,deny Allow from all </Directory>
Save the file and then restart apache: # apachectl restart
You now need to create a database for roundcube. Once you’ve created the database, you need to open config/db.inc and change the database setting:
$rcmailconfig['dbdsnw'] = 'mysql://username:secretpass@localhost/roundcube';
The format for the above line is db_provider://user:password@host/database.
Now, you want to edit main.inc.php file and change the mailhost setting with your IMAP server address. You can leave them blank, roundcube will display a textbox at login so users can enter the IMAP address manually.
$rcmailconfig['defaulthost'] = 'localhost';
Now, you need to import the database structure into your roundcube database. You can copy and paste them into phpMyAdmin or you can use the following command:
# cd /var/www/html/roundcube/SQL
# mysql -u user -p database < mysql.initial.sql
All done, congratulation you have installed roundcube on your server. You can access your roundcube webmail on http://localhost/roundcube/ (You can change your localhost to your hostname).
You can now login with your username and password on your IMAP server.
This is a document to help you convert your apache certs to qmail.
Please note that the common name you used needs to match the server name in order for your clients not to get the nag screen when they send emails via SSL or TLS.
In order to convert your apache cert, it is important to create the cert correctly. Here is how to do it:
First, We create the key:
# openssl genrsa -out domain.xxx.key 2048
You can substitute 2048 with 4096 for stronger encryption and make sure you replace YOURDOMAIN with your actual domain name.
Next, We need to add a password. Go ahead and type it and confirm.
Now create a csr:
# openssl req -new -key YOURDOMAIN.key -out YOURDOMAIN.csr
It is important to note here to type in all information for your company. When it asks for Common Name (eg, YOUR name) []: it is VERY IMPORTANT this field matches what your users are going to use for their mailserver name. If you are buying a cert for multiple domains, this will be the domain users use the most. When viewing a cert for multiple domains, the common will appear first and the others will show on the cert.
This is the csr you can you to generate your cert when asked by the domain you buy your cert from.
——————————————————————————————————————-
First lets backup the current /var/qmail/control folder first:
# mkdir /var/qmail/backup_control
# cp -Rp /var/qmail/control/* /var/qmail/backup_control
Please copy the .crt, .csr and the .key to the root folder. Then run the following to make a signed cert:
# cat /root/cert.key > /var/qmail/control/servercert.pem
# cat /root/cert.crt >> /var/qmail/control/servercert.pem
# cat /root/intermediate.crt >> /var/qmail/control/servercert.pem
And now lets set the permissions on the servercert.pem:
# chown root:qnofiles /var/qmail/control/servercert.pem
# chmod 640 /var/qmail/control/servercert.pem
Now lets create the clientcert.pem file and the permissions:
# cp /var/qmail/control/servercert.pem /var/qmail/control/clientcert.pem
# chown root:qmail /var/qmail/control/clientcert.pem
# chmod 640 /var/qmail/control/clientcert.pem
Now restart qmail in order to make the changes take effect:
# qmailctl restart
If you have any other services that reference the servercert.pem, you will want to restart those services as well. Such services could include smtpd-ssl and smtpd-tls (Just as an example)
Now if you decided to run imap, You can use the following to create imap certs as well.
# cp /var/qmail/control/servercert.pem /usr/local/share/courier-imap/imapd.pem
# cp /var/qmail/control/servercert.pem /usr/local/share/courier-imap/pop3d.pem
Now to restart the service(s)
# svc -t /service/courier-*
That will restart ALL the courier- services.
Now your customers will not get the annoying nag screen when people send mail via smtp-ssl, smtp-tls or via imap!
rom Qmailtoaster
Security Certificate
To configure a SSL certificate for TLS and/or SSL over SMTP:
1) Create a private key using the triple des encryption standard (recommended):
# openssl genrsa -des3 -out servercert.key.enc 1024
2) Remove the pass phrase from the private key:
# openssl rsa -in servercert.key.enc -out servercert.key
3) Generate Certificate Request
# openssl req -new -key servercert.key -out servercert.csr
4) Go to DiscountWebCerts and submit servercert.csr for a trusted certificate ($19.95). You will then receive a servercert.crt. Now just do the following.
5) Create standard .pem in /var/qmail/control/servercert.pem
# cat servercert.key servercert.crt > /var/qmail/control/servercert.pem
- NOTE – For reference, here is the command to sign the request for a self signed certificate:
- openssl x509 -req -days 365 -in servercert.csr -signkey servercert.key -out servercert.crt
Here is an additional resource with some good examples.
http://www.madboa.com/geek/openssl/#cert-self
-
- NOTE – Some certificate providers, like GoDaddy for example, will also give you a chain file (also sometimes called intermediate file), dump it into the same servercert.pem like so:
cat /etc/pki/tls/private/localhost.key /etc/pki/tls/certs/localhost.crt /etc/pki/tls/certs/intermediate.crt > /var/qmail/control/servercert.pem
This will join all three of them: The key, signed certificate and the intermediate certificate. You can use the same certificate you have obtained for your Apache website.
# chown root:vchkpw /var/qmail/control/servercert.pem
# chmod 640 /var/qmail/control/servercert.pem
Note, in order to avoid verification errors in email clients (i.e. Outlook, Thunderbird, etc), you need to use the same server name (FQDN) in your client configuration(s) for both incoming (pop/imap) and outgoing (smtp) servers that was entered as the hostname when the certificate request was created. This should also be the same name that is used on the DNS MX record.
That’s all there is to it. There is no need to restart qmail.
You can also use this signed certificate for apache by putting:
- servercert.key in /etc/pki/tls/private/localhost.key
- servercert.crt in /etc/pki/tls/certs/localhost.crt
Be sure to check your /etc/httpd/conf.d/ssl.conf file to be certain that the correct file names are specified, and that the corresponding parameters are not commented out.
You need to restart apache to activate the modified certificate configuration.
See Building a Secure Redhat Apache Server HOWTO for guidance with securing your Apache Server.
Self-signed ssl cert gleaned from the archives
Quick-n-dirty how-to for ssl certs
# cd /usr/share/ssl/certs
# make stunnel.pem
# mv stunnel.pem /var/qmail/control/servercert.pem
Then run these commands to finish:
# cd /var/qmail/control
# chown root:qmail /var/qmail/control/servercert.pem
# chmod 644 /var/qmail/control/servercert.pem
# ln -s /var/qmail/control/servercert.pem /var/qmail/control/clientcert.pem
Reference from : http://www.ekrfs.com.au/qmr/home
BEST OF ALL REFERENCE IS: http://qmail.jms1.net/ i Love this author.
I have compressed most of the required files into one file called qmr1.tar.gz and qmr2.tar.gz. You will need to download both then put them in the /downloads/qmr directory that you need to create on your Centos or Fedora box.
Attachments are:
qmr1.tar
qmr2.tar
If you are looking at installing Qmail on a CentOS 5.8 system, you are at the right place. You can either follow the directions on the pages underCentOS 5.5 or just download the pdf install guide (under Qmail Files page).
Either way, you should end up with a great working system. I caution you to please look at the screen output whilst doing the install. If you see errors pop up, google them to solve before moving on. If you do not, you will likely have problems later on. Each program interacts with other programs and if something is broken, the other bits will likely fail as well.
Remember to use your logs as well. They are a great way of detecting problems or success.
Part 1 – Checklist
1. Make sure you have Fedora installed. SELINUX is a huge problem with qmail and I had to firstly put it in permissive mode and then disable it altogether. I do however have a firewall on my router. Security is another topic.
2. Make sure you have the following (on your system)
(Command line is “rpm –qa | grep pkgname”)
Eg rpm –qa | grep php
a. http
b. php
c. perl
d. perl-suidperl
e. gcc
f. gcc-c++
g. mysql
h. openssl
i. openssl-devel
j. wget
k. Personally I use midnight commander so I also install mc
l. patch
3. If any are missing, install them. For example, to install php, type:
yum install php
4. Make sure you update your entire system with “yum update” after all this.
I then run
perl –MCPAN –e shell (and go with it)
When you get cpan>
type “install Bundle::CPAN”
when you get it again, type “install CDB_File”
Type exit when it comes up CPAN3>
This last bit takes a while and you have to answer a few questions – I just hit enter to accept the default Yes answers.
This last bit is needed for Spamassassin.
Required Files to complete Setup
These can all be downloaded from the “QMR Files” page.
Firstly however, create a directory for all the files to go into:
mkdir /downloads/qmr
Part 2 – Run Script to create the necessary users etc for qmail install
Run the following script to create all the necessary users and folders / files and also to patch qmail with John Simpsons latest patch (currently 7.10). You should go check that this is still the latest and if not, edit the script and download the latest patch.
cd /downloads/qmr/scripts/install
qmr_install_with_jms1.script
This script will:
Make some necessary directories
Create necessary users and groups
Unpack qmail-1.03 and patch it with John Simpsons 7.10 patch
Unpack ucspi-tcp and daemontools and put them in the correct places on the system
Create logging directories and supervise script directories
Part 3 – Install Qmail (with John Simpsons patches already done)
Then go to the /qmail-1.03-jms1-7.10 directory.
make man && make setup check
Qmail is now installed but you still have a lot to do. When finished, type
./config-fast rmohan.com
For example
./config-fast rmohan.com
# make clean
We are now done getting qmail setup (for now)!
Part 4 – Install ucspi-tcp
cd /usr/src/qmail/ucspi-tcp-0.88
We must also patch this file.
patch < /downloads/qmr/patches/ucspi-tcp-0.88.errno.patch
It will display “pathching file error.h” – this is what we want (even though logically it sounds bad, it is not)
make && make setup check
That is all for this. Now to install qmail…
Part 5 – Install Daemontools
cd /package/admin/daemontools-0.76/src
We must patch this file as well
patch < /downloads/qmr/patches/daemontools-0.76.errno.patch
It will display “pathching file error.h” – this is what we want (even though logically it sounds bad, it is not)
cd ..
package/install
That’s it.
Part 6 – Install Ezmlm-idx
cd /downloads/qmr
tar zxvf ezmlm-idx-7.0.2.tar.gz
cd ezmlm-idx-7.0.2
make && make setup
Part 7 – Install Autorespond
cd /downloads/qmr
tar zxvf autorespond-2.0.5.tar.gz
cd autorespond-2.0.5
make && make install
Part 8 – Qmail-updater
cd /var/qmail/supervise
mkdir –m 1755 qmail-updater
mkdir –m 755 qmail-updater/log
cd qmail-updater/log
cp /downloads/qmr/service-any-log-run run
chmod 755 run
cd ..
cp /downloads/qmr/pipe-watcher pipe-watcher
cp /downloads/qmr/update-qmail update-qmail
cp /downloads/qmr/service-qmail-updater-run run
chmod 755 pipe-watcher update-qmail run
The last step here is to link the qmail-updater directory in the /service directory so daemontools can run it.
ln –s /var/qmail/supervise/qmail-updater /service/
Wait a few seconds then run:
svstat /service/qmail-updater /service/qmail-updater/log
You should see output showing up for more than 3 seconds for both.
Part 9 – Install Vpopmail with onchange
First we need to install Skel
cd ~vpopmail
tar zxvf /downloads/qmr/skel.tgz
chown –R vpopmail:vchkpw skel
chmod –R 700 skel/
chmod 0600 skel/.qmail skel/mailfilter
We want to install vpopmail with the onchange function enabled. The latest version is 5.4.30 currently.
cd /downloads/qmr
tar zxvf vpopmail-5.4.30.tar.gz
cd vpopmail-5.4.30
./configure –enable-logging=p –enable-onchange-script
make install-strip
If that all run without errors, vpopmail is configured and installed. Now we must get the onchange function working.
cd /~vpopmail/etc
cp /downloads/qmr/onchange onchange
This is the script that vpopmail will execute when a user or domain is added or deleted from the system. You need to now set permissions:
chown vpopmail:vchkpw ~vpopmail/etc/onchange
chmod 750 ~vpopmail/etc/onchange
chmod +x ~vpopmail/etc/onchange
Now that the onchange script is in place we can test it with the qmail-updater log file. Open up another session (Ctrl+Alt+F2) and type
tail –f /service/qmail-updater/log/main/current
Go back to the original session (ctrl+Alt+F1) and add a domain and user and you should see your log file in the other session change – stuff goes in it.
cd ~vpopmail/bin
./vadddomain rmohan.com
./vadduser test@rmohan.com password
If the log file fills up with stuff, congratulations.
We need to make a slight modification to the vchkpw file to make it work with SMTP with ssl work.
cd ~vpopmail/bin
chmod 6711 vchkpw
chown vpopmail:vchkpw vchkpw
Part 10 – Validrccptto and Auth
We must then create the validrcptto and auth files which reside in /var/qmail/control.
To do this, we use the mkvalidrcptto and mkauth scripts.
cd /usr/local/bin
wget http://qmail.jms1.net/scripts/mkvalidrcptto
wget http://qmail.jms1.net/scripts/mkauth
chmod 755 mkvalidrcptto mkauth
Then we run the scripts:
mkvalidrcptto –c /var/qmail/control/validrcptto.cdb
mkauth –c /var/qmail/control/auth.cdb
To test
ps axww | grep readproctitle
the output should be something like
0:0 read……..service errors……………………
………………………………………………………………….
………………………………………………………………….
Part 11 – Install Maildrop
You need maildrop aside from anything else, for qmail-scanner – which needs reformime.
Before you install maildrop, you need to install “pcre”. Download the file to the qmr directory.
tar zxvf pcre-8.12
cd /downloads/qmr/pcre-8.12
./configure
make
make install
make clean
Then
cd /downloads/qmr
tar xvf maildrop-2.5.5.tar.bz2
cd maildrop-2.5.5
./configure –enable-maildrop-uid=root –enable-maildrop-gid=vchkpw
make install clean
We now add logging options to maildrop.
cd /var/qmail/supervise
mkdir –m 1755 maildrop-logger
mkdir –m 755 maildrop-logger/log
cd maildrop-logger/log
cp /downloads/qmr/service-any-log-run run
chmod 755 run
cd ..
cp /downloads/qmr/log-maildrop log-maildrop
cp /downloads/qmr/pipe-watcher pipe-watcher
cp /downloads/qmr/maildrop-logger-run run
chmod 755 pipe-watcher log-maildrop run
touch /tmp/log-maildrop
chown vpopmail:vchkpw /tmp/log-maildrop
Now we start the maildrop-logger service
ln –s /var/qmail/supervise/maildrop-logger /service/
Wait a bit then check
svstat /service/maildrop-logger /service/maildrop-logger/log
Again, it all should be running for more than 3 seconds
Part 12 – Uninstall Sendmail
To find out the version numbers to remove type
rpm –qa | grep sendmail
Then
/etc/rc.d/init.d/sendmail stop
Then
rpm –e –nodeps sendmail-x.x.x (version number from results above)
rpm –e –nodeps sendmail-cf-x.x.x (version number from results above)
We now need to establist an artificial sendmail path – or a symbolic link to Qmails sendmail. This is needed to ensure the whole system is able to send mail.
ln –s /var/qmail/bin/sendmail /usr/lib/sendmail
ln –s /var/qmail/bin/sendmail /usr/sbin/sendmail
That’s it for this step.
Part 13 – Install Dovecot
Do not try to install any courier stuff as they do not support vpopmail any more.
The latest stable version is dovecot-1.2.12. As always check this is the latest stable version. I did try the later version of 2.0.11 but that caused issues so I used 1.2.12. Your choice !
cd /downloads/qmr
tar xzf dovecot-1.2.12.tar.gz
cd dovecot-1.2.12
cp /downloads/qmr/configure.dovecot configure.dovecot
chmod 755 configure.dovecot
./configure.dovecot
make
make install
There seems to be a few directories either weren’t created, or were created with bad permissions. The following commands fixed the problems:
mkdir -m 0755 /usr/local/var /usr/local/var/run /usr/local/var/run/dovecot
chmod go=u-w /usr/local/share /usr/local/share/doc
chmod -R go=u-w /usr/local/lib/dovecot /usr/local/libexec/dovecot /usr/local/share/doc/dovecot
The next step is to create a new non-root userid which is used to process authentication requests.
This command is specific to Linux, and will probably need to be adjusted for other systems. The idea is to create a userid which cannot log in, which has no valid shell, and has no home directory- one which, if somebody were to “hack” into it, wouldn’t be able to do much.
useradd -M -d /nohome -s /bin/false -c ‘Dovecot user’ dovecot
________________________________________
Configuring Dovecot
Dovecot itself is configured using a single control file, which will is in
/usr/local/etc/dovecot.conf
When you install the software, it creates a dovecot-example.conf file in this directory, and the directions with the software tell you to rename or copy the file to dovecot.conf and then customize it.
There is a customised dovecot.conf file (thanks to John Simpson). Note that an invalid IP, so you will need to customize the file before using it- either that, or use the dovecot-example.conf file and build your own configuration.
The first thing you’ll need to do is adjust the “first_valid_uid” and “last_valid_uid” values in the file. Find the numeric uid of the vpopmail user…
id -u vpopmail
My result was 508
To copy the dovecot.conf file (mentioned above, then
cd /usr/local/etc
cp /downloads/qmr/dovecot.conf dovecot.conf
chown root:root dovecot.conf
If the IMAP servers will ONLY be used for vpopmail accounts, make sure both of these values are set to that number (in this case, 508.) Also make sure both lines are un-commented (i.e. remove the “#” in front of the “last_valid_uid” line.)
## Mail processes
verbose_proctitle = yes
first_valid_uid = 508
last_valid_uid = 508
You also need to change the ip addresses too your own. – (at ssl_listen twice) eg 192.168.1.6
Building the daemontools service(s)
This shows how to set up a daemontools service which starts the main dovecot process, which will listen for incoming IMAP and/or POP3 connections as specified in the dovecot.conf file.
On my server, all of my daemontools physical service directories are in the
/var/qmail/supervise directory.
Your own server may be different- the physical directory can be anywhere on the system, except within the “/service” directory itself.
cd /var/qmail/supervise
mkdir -m 0755 dovecot dovecot/log
cd dovecot/log
cp /downloads/qmr/service-any-log-run run
chmod 0755 run
cd ..
cp /downloads/qmr/service-dovecot-run run
chmod 0755 run
Use your text editor of choice.
Like the other “service-blah-run” scripts, this one consists of configuration variables at the top, followed by code to build the final command line, and then run it. The variables are:
• IP is the IP address you want to listen on. You can set it to “0” if you want it to listen on every IP attached to your system, however I don’t normally recommend doing things that way.
• PORT is the TCP port number you want to listen on. The standard values are 143 for IMAP, 993 for SSL-IMAP, 110 for POP3, and 995 for SSL-POP3.
I DO NOT RECOMMEND RUNNING NON-SSL POP3 OR IMAP SERVICES on any unsecured network (i.e. on the open Internet) because the authentication methods for both POP3 and IMAP involve sending the password across the wire in plain text. Remember, if some “bad person” happens to get one of your users’ passwords, they not only have access to that user’s email, they will probably have the ability to use that ID and password with an SMTP AUTH command, and use your server as a relay.
• MAX is the maximum number of concurrent connections allowed by this service. If this is blank, a default value of 40 will be used instead.
• ACCESS_CDB gives the name of a .cdb file made by tcprules, which controls which clients are and are not allowed to connect. Note that if you plan to use rules involving remote userids (very few people do, because they are so easily forged) you will need to remove the “R” from the options of tcpserver and/or sslserver within the script itself.
• SVC_LOGIN is the full pathname of the service you wish to run. Normally this will be “imap-login” or “pop3-login”.
• IS_SSL should be set to a number greater than zero if this is to be an SSL-secured service. This tells the script to use sslserver instead of tcpserver, exports the CERTFILE variable (needed by sslserver), and adds a flag to the end of the command line which tells imap-login or pop3-login that the connection is already encrypted.
• CERTFILE should be set to the full pathname to the .pem file containing the server’s encryption key. You can point this to the same servercert.pem file used by qmail-smtpd if you like.
________________________________________
Start up Dovecot
This is just like starting up any other daemontools service – create a symlink from /service/something to the physical service directory, wait about ten seconds, and make sure it’s running.
ln -s /var/qmail/supervice/dovecot/service/
Wait about ten seconds…
svstat /service/dovecot /service/dovecot/log
/service/dovecot: up (pid 23841) 8 seconds
/service/dovecot/log: up (pid 23843) 8 seconds
As we have not yet set up the certfile, the service will not run properly. If you check the log file in /var/qmail/supervise/dovecot/log/main/current
It will show an error about the certificate file.
Fixing that is next…
Part 14 – Install UCSPI-SSL create Certificates
Now we need to install ucspi-ssl so qmail will accept smtp connections with ssl.
cd /package
tar zxvf /downloads/qmr/ucspi-ssl-0.70.tar.gz
cd host/superscript.com/net/ucspi-ssl-0.70
Compile the package
package/compile
Run some tests: Note There are some fatal cypher errors and broken pipe errors only, that is ok – ignore them.
package/rts
Install the package
package/install
That is that. Now we need to create the key:
cd /var/qmail/control
openssl req –newkey rsa:1024 –x509 –nodes –days 3650 –out servercert.pem –keyout servercert.pem
Answer the questions and make sure the Common Name is the name of your mail server!!
Now we give proper ownership
chown root:nofiles servercert.pem
The “nofiles” group is the group which qmaild belongs to. This combination of ownership and permissions allows qmail-smtpd to read the key but not change or delete it.
chmod 640 servercert.pem
cp servercert.pem clientcert.pem
chown root:qmail clientcert.pem
chmod 640 clientcert.pem
You can now go back and check that dovecot is working:
svstat /service/dovecot /service/dovecot/log
/service/dovecot: up (pid 23841) 8 seconds
/service/dovecot/log: up (pid 23843) 8 seconds
Part 14 – Finalise the qmail installation
There is a bit in this but it is not too difficult. I have modified a script from the old qmailrocks site to suit Fedora. To start with run a script which will:
- Copy all the supervise scripts to their correct locations
- Copy qmail.rc and qmailctl to the propper locations and create the necessary symbolic links.
- Set all needed permissions on the supervise scripts
Ok. To get things going:
cd / downloads/qmr/scripts/finalise
chmod 755 finalize_linux.script
./finalize_linux.script
Configuring Qmail
Now we will need to edit a few files to make them work on the new system for this new server.
cd /var/qmail/supervise/qmail-pop3d
We need to edit the run file.
vi run (or mc or whatever editor)
Change the mail server name (line 4 at the end) to your mail server. Eg mail.test.com.au /
cd /var/qmail/supervise/qmail-smtpd
vi run
IP=1.2.3.4 (change this to your ip address obviously)
Port=25 (set the port number we will be listening on)
SSL=0 (This says do not run an SSL-only service)
FORCE_TLS=0 (Refuse to accept mail from clients who have not done STARTTLS)
DENY_TLS=0 (Do not refuse to process the STARTTLS command)
AUTH=0 (We are turning off auth on port 25 and only allow incomming mail)
Require_Auth=0 (Refuse to accept mail from clients who have not done AUTH).
You must also uncomment the following line of the smtp run file or else no mail will be scanned by qmail scanner. Make it this:
QMAILQUEUE=”$VQ/bin/qmail-scanner-queue.pl”
Now we need to set up some qmail aliases. Replace postmaster@test.com.au with the addres you want the mail to go to:
echo postmaster@test.com.au > /var/qmail/alias/.qmail-root
echo postmaster@test.com.au > /var/qmail/alias/.qmail-postmaster
echo postmaster@test.com.au > /var/qmail/alias/.qmail-mailer-daemon
Now we set up selective relaying.
mkdir /etc/tcp
cd /etc/tcp
cp /downloads/qmr/etc-tcp-makefile Makefile
Now create the smtp file. Add your ip address. If your ip address was
192.168.1.1, then it will go like this:
vi /etc/tcp/smtp
Add the following to the new file:
192.168.1.:allow,RELAYCLIENT=””
:allow
save this and then run:
gmake
You should get output saying
tcprules smtp.cdb smtp.tmp < smtp
chmod 644 smtp.cdb smtp
Setting up smtp with SSL
We need to edit the file
vi /var/qmail/supervise/qmail-smtpd-ssl/run
Set the following values:
IP=1.2.3.4 (change this to your own ip address obviously)
Port=465 (set the port number we will be listening on)
SSL=1 (This says to run an SSL-only service)
FORCE_TLS=0 (Ignored for ssl services)
DENY_TLS=0 (Ignored for ssl services)
AUTH=1 (Allow the AUTH command)
Require_Auth=1 (Refuse to accept mail from clients who have not done AUTH).
You must also uncomment the following line of the smtp run file or else no mail will be scanned by qmail scanner. Make it this:
QMAILQUEUE=”$VQ/bin/qmail-scanner-queue.pl”
Save the file then…
Creating the smtpssl file
cd /etc/tcp
vi smtpssl
in this new file, simply put the following and then save it.
:allow
Now you need to edit the Makefile and add smtpssl.cdb after smtp.cdb, save and exit. Now run:
gmake
The final step is to start the service running:
ln –s /var/qmail/supervise/qmail-smtpd-ssl /service/
Now check that the service is running ok by:
svstat /service/qmail-smtpd-ssl /service/qmail-smtpd-ssl/log
As usual, if you see the output is up for more than 3 seconds, all is OK
Now we want to start qmail:
qmailctl start
You should get output like:
Starting qmail…
Starting qmail-send
Starting qmail-smtpd
Starting qmail-pop3d
To check to make sure it is running ok type:
qmailctl stat
As long as everything is up for more that say 3 seconds you have succeeded. Well done.
That is all that finished.
You could just operate a mail server with what you now have but lets install programs to make life much easier. For example, you could easily just manage all your mail accounts and domains with vpopmail. But using qmailadmin and vqadmin is much nicer and easier. Squirrelmail makes life easier for all your users as they can get their mail via a web browser. Clamav checks for viruses in mail and spamassassin gets rid of a lot of spam.
Anyway lets get on with it…..
Part 16 – Install Spamassassin
I have done this in two different ways – both worked. You can compile from source then install or
The simplist way is just use yum to install it:
yum install spamassassin
Then go and edit /etc/mail/spamassassin/local.cf
All you have to put in this file is
required_score 3.2 (that is what I use)
And if you want you can create a whitelist of good known email addresses – eg friends
whitelist_from good@emailaddress.com.au
Now to set it up under daemontools.
mkdir –m 1755 /var/qmail/supervise/spamd
mkdir –m 755 /var/qmail/supervise/spamd/log
cd /var/qmail/supervise/spamd
cp /downloads/qmr/spamd-run run
chmod 755 run
cd log
cp /downloads/qmr/service-any-log-run run
chmod 755 run
All we need to do now is create the service:
ln –s /var/qmail/supervise/spamd /service/
Wait a bit then:
svstat /service/spamd /service/spamd/log
Again, make sure the service is up for more than say 3 seconds. If issues, stop the service and then restart it.
I also then type
sa-update
to update spamassassin
That’s it for spamassassin.
Part 17 – Install Clamav – Updated March 2012
For the first time install of Clamav, you need to create a new user and group to your system:
groupadd clamav
groupadd qscand
useradd –g clamav –s /bin/false –c “Clam Antivirus” clamav
useradd –g qscand –s /bin/false –c “Qscand” qscand
Now you need to download Clamav from clamav.net. Get the latest stable version which is currently 0.97.3
cd /downloads/qmr
wget http://downloads.sourceforge.net/clamav/clamav-0.97.3.tar.gz
tar zxvf clamav-x.x.x.tar.gz
cd clamav-x.x.x
./configure
make
make check
make install
make clean
Now you need to create the clamd and freshclam service scripts.
cd /var/qmail/supervise
mkdir –m 1755 clamd
mkdir –m 0755 clamd/log
cd clamd
cp /downloads/qmr/service-clamd-run run
chmod 755 run
cd log
cp /downloads/qmr/service-any-log-run run
chmod 755 run
cd /var/qmail/supervise
mkdir –m 1755 freshclam
mkdir –m 0755 freshclam/log
cd freshclam
cp /downloads/qmr/service-freshclam-run run
chmod 755 run
cd log
cp /downloads/qmr/service-any-log-run run
chmod 755 run
Now we need to edit the clamd.conf file so it will run correctly via daemontools.
chmod 744 /usr/local/etc/clamd.conf
vi /usr/local/etc/clamd.conf (or type mc and use midnight commander if you like)
#Example – must be commented out
#LogFile – comment out
#LogSysLog no – comment out
#PidFile /var/run/clamav – comment out
DatabaseDirectory /usr/local/share/clamav
LocalSocket /tmp/clamd.socket – uncomment this
FixStaleSocket yes – optional
User qscand
Foreground yes – this is absolutely required to run via daemontools
chown –R qscand:qscand /usr/local/share/clamav
Configuring freshclam
The freshclam program checks for updated virus definition files and, if it finds them, downloads and installs them automatically. It then sends a message to clamd, telling it to read the new definitions into memory, and can also call another program that we specify. We will be using this “call another program” capability to inform qmail-scanner and/or simscan to update its version database, so the headers that they add to email messages will have accurate version numbers.
To configure freshclam, we will edit a file called freshclam.conf, which will be found in the same directory where we found the clamd.conf file (above.) This is a list of the changes we need to make:
chmod 744 /usr/local/etc/freshclam.conf
vi /usr/local/etc/freshclam.conf (or use mc as above)
#Example – comment out
DatabaseDirectory /usr/local/share/clamav
#UpdateLogFile – comment out
#LogSyslog – no
#Pidfile – comment out
DatabaseOwner qscand
checks 24
Foreground yes
Set up the services to start
ln –s /var/qmail/supervise/clamd /service/
ln –s /var/qmail/supervise/freshclam /service/
Now check the services are running:
svstat /service/clamd /service/clamd/log
and then
svstat /service/freshclam /service/freshclam/log
make sure each is up for more than 3 seconds and all is ok. That is it for Clamav.
Part 18 – Install Qmail-scanner
The latest version (currently) is 2.10 as at March 2012 – you need to google the file to download
cd /downloads/qmr
tar zxvf qmailscanner-2.10.tar.gz
cd qmailscanner-2.10
cp /downloads/qmr/qms-config qms-config
Now you need to change the qms-config to match your settings. The bits in bold must be changed to your domain specific settings. If you have multiple domain names, in local-domains, separate them by a comma (no space).
When you have made your changes, then make it executable and give it a test run:
chmod 755 qms-config
./qms-config
When it asks you Continue? ([Y] / [N]) go ahead and hit Y
It will ask this twice. If all goes well you will get Finished. and a bit more without error messages.
If the above worked, then you will need to actually install:
./qms-config install
Updating the qmail-scanner version files
The first one is the command that updates your version files. It updates your headers when you upgrade ClamAV or SpamAssassin. It also helps keep the /var/spool/qscan folder clear when SMTP sessions are dropped.
Put this one in a cron and run it once a day.
setuidgid qscand /var/qmail/bin/qmail-scanner-queue.pl –z
Anytime you update qmail-scanner you should also run
setuidgid qscand /var/qmail/bin/qmail-scanner-queue.pl –g
One final ownership check
chown –R qscand:qscand /var/spool/qscan
Testing Qmail-scanner
Now before we finish, we need to test that it works. Make sure you have set up your main domain and email accounts (in particular the domain that you set the aliases to earlier) as these are where the test emails will go. Then run the following:
/downloads/qmmr/qmail-scanner-2.0.8/contrib/test_installation.sh –doit
When this runs, it will send 4 messages – 2 with viruses, one standard message and a piece of junk mail. So when this runs, you should have 1 in /var/spool/qscan/quarantine/viruses/new , 1 message in /var/spool/qscan/quarantine/policy/new , 1 message in ~vpopmail/domains/domainXXX/postmaster/Maildir/new and 1 in your ~vpopmail/domains/domainXXX/postmaster/Maildir/.Spam/new folder (or this will be in your maildir).
All you need to do to finish is to restart qmail:
qmailctl restart
That’s Qmail-scanner installed! Well done.
Part 19 – Install VqAdmin
VqAdmin is a nice simple web based interface that lets us manage Vpopmail. You can create new domains, new users, net quotas and more.
cd /downloads/qmr
tar zxvf vqadmin-X.x.x
cd vqadmin-X.x.x
./configure –enable-cgibindir=/var/www/cgi-bin –enable-htmldir=/var/www/html
(If the paths above are not the same on your system, change them to match)
make && make install-strip
If the installation is successful, VqAdmin will install itself in the cgi-bin directory of your website.
Now you need to edit your apache file (or httpd.conf file).
vi /etc/httpd/conf/httpd.conf
Now, on about line 325 (of mine anyway) you need to change it to
AllowOverride ALL
Also on about line 265, make sure your servername is defined.
Insert (on mine I did it on line 575 but that does not really matter)
<Directory “/var/www/cgi-bin/vqadmin”>
deny from all
Options ExecCGI
AllowOverride AuthConfig
Order deny,allow
</Directory>
That’s that bit done.
cd /var/www/cgi-bin/vqadmin
Now you need to create a .htaccess file to password protect the vqadmin interface. There should already be a .htaccess file in the vqadmin directory, so all you need to do is configure it.
vi .htaccess
AuthType Basic
AuthUserFile /etc/httpd/conf/.htpasswd (in fact you can put this wherever you like)
AuthName vQadmin
require valid-user
satisy any
Now change ownership
chown apache .htaccess
chmod 644 .htaccess
Now you need to create a corresponding .htpasswd file that will contain the username and encrypted password for the VqAdmin administrator.
htpasswd –bc /etc/httpd/conf/.htpasswd admin admin-password
chmod 644 /etc/httpd/conf/.htpasswd
Make sure you leave the user admin as admin else it won’t work. Obviously the admin-password should be a password.
Now we need to restart apache.
apachectl stop
apachectl start
If all has gone well, in you web browser, put:
http://www.rmohan.com/cgi-bin/vqadmin/vqadmin.cgi
Enter admin and whatever password you created and hey presto. You can now add domains, users etc. If you get errors such as 500 Internal Server error, check permissions with vqadmin.cgi file.
Part 19 – Installing Qmailadmin
This provides us with a nice web based interface for administering mail accounts once they are set up through Vpopmail or VqAdmin.
cd /downloads/qmr
tar zxvf qmailadmin-X.xx.x
cd qmailadmin-X.x.x
./configure –enable-cgibindir=/var/www/cgi-bin –enable-htmldir=/var/www/html –enable-modify-spam –enable-ezmlm.idx
make && make install-strip
Now to make sure when we add new users via qmailadmin that we want Spam Fighting turned on by default edit the following:
vi /usr/local/share/qmailadmin/html/add_user.html
find the line
<input type=”checkbox” name=”spamcheck”>
Change it to:
<input type=”checkbox” name=”spamcheck” checked>
That it for the install.
Now open your web browser and go to:
http://www.rmohan.com/cgi-bin/qmailadmin
You all done here.
Part 21 – install Squirrelmail.
Squirrelmail is a web based program that allows you to access your email via a web browser.
First you must check that you have PHP uploads turned on.
vi /etc/php.ini
The line you want to check / edit is:
file_uploads = On
That’s that. Now on to installing Squirrelmail.
cd /var/www/html
tar zxvf /downloads/qmr/squirrelmail-X.x.x.tar.gz
Now rename the untared folder to something more friendly…
mv squirrelmail-X.x.x webmail
Now we configure squirrelmail..
mkdir /var/local/squirrelmail
mkdir /var/local/squirrelmail/data
chown –R apache:apache /var/local/squirrelmail/data
cd webmail/config
./conf.pl
This will run the squirrelmail setup scriot which allows you to customise the installation and set your server settings. Most of the important things are in area #2 which is called “Server Settings”.
You will be presented with a menu. Under 1 – Organization Preferences, Any one of the setings inside this window are optional. When you are done, hit S to save and then hit Enter and then hit R to go back to the Main Menu.
Now we want to go to 2 – Server settings. Hit 1 for Domain and hit Enter on the keyboard. You can type the name of the server or the local IP or public IP, whichever you prefer. If your mailserver is behind a router/firewall, I use the local IP. If you are on the public side of things, the hostname or the static IP will work fine.
Under Server settings we want to use the following. Please change x.x.x.x to the IP of your mail server:
1. Domain : x.x.x.x
2. Invert Time : false
3. Sendmail or SMTP : Sendmail
A. Update IMAP Settings : localhost:143 (other)
B. Change Sendmail Config : /var/qmail/bin/sendmail
Hit Y and then hit Enter. Hit S to save and then hit Enter again. Hit Q to quit and exit the menu.
If you like there are other features you can customise but not critical. Once you are done here, we must configure Apache to serve our new webmail interface.
Open up the httpd.conf file and add the following down the bottom under Virtual Domains..
vi /etc/httpd/conf/httpd.conf
<VirtualHost 1.2.3.4:80>
ServerName mail.rmohan.com
ServerAlias mail.*
ServerAdmin postmaster@rmohan.com
DocumentRoot /var/www/html
</VirtualHost>
Now all you need to do is restart apache
apachectl stop
apachectl start
Now in your browser:
http://www.rmohan.com/webmail
That is it. You now have a great qmail server with lots of useful extras.
Now for Maintenance of everything we have set up…
Part 22 – notes on Changing and Maintaining your new Qmail Server
Services
To start, stop or restart a service (run under daemontools – ie the ones in the /service directory):
To stop
svc –d /service/name (d is for down)
eg svc /-d /service/spamd will stop spamd
To start
svc –u /service/name (u is for up)
To restart
svc –t /service/name
To check all your services at once
svstat /service/* /service/*/log
Qmail-Scanner
I wanted the subject line to be altered with spam messages. To do this, you need to edit the qmail-scanner-queue.pl file in /var/qmail/bin…
in this file on my system (line 258) says:
my $spamc_subject=’***Spam***’ ;
I set it to delete messages more than 5 over my limit of 3.2. You can edit this two lines below
my $sa_quaratnine_over=’5’ ;
This is all I did.
Update Clamav
This would be the cause of most pain as it changes every 3 months or so. To see info about freshclam and if it is current type: freshclam -v
Or you can look in the file /service/freshclam/log/main/current and see if clamav is outdated. It will say so in the log. To upgrade your clamav, go to the clamav site and download the latest stable source file:
http://www.clamav.net/lang/en/download.sources
Now download the latest and put it in your downloads directory. For example, to download 96.1 version,
cd /downloads
wget http://downloads.sourceforge.net/clamav/clamav-0.97.3.tar.gz
tar zxvf clamav-0.97.3.tar.gz
cd /clamav-0.97.3
I then backup the clamd.conf and freshclam.conf files to be sure.
cd/downloads
cp /usr/local/etc/freshclam.conf freshclam.conf
cp /usr/local/etc/clamd.conf clamd.conf
You must then stop qmail and clamav and also freshclam…
qmailctl stop
svc –d /service/clamd
svc –d /service/freshclam
Now we start the upgrade:
./configure
make (This can take some time)
make check (Same – make sure the tests passed – ie no errors)
make install
make clean
Check the conf files and if they are still the same (they should be unaltered).
Start up the services again:
qmailctl start
svc –u /service/clamd
svc –u /service/freshclam
You must now update qmail-scanner database
setuidgid /var/qmail/bin/qmail-scanner-queue.pl –g
and also update the version number
setuidgid /var/qmail/bin/qmail-scanner-queue.pl –z
Now type freshclam –v and you will see the new version number. That’s it for updating clamav. I just did this exactly and it worked perfectly on my system.
Dual MTA Qmail
Recently i installed two qmails in a single server to handle mails from inner and outer domains. I will be posting a step by step tutorial of the same in the coming days.
Why dual MTA?
Basically i wanted two different queues to handle mails in different ways.
Queue 1) To get the mails(incoming) and pass it on to queue 2.
Queue 2) Will receive mails only from queue 1, runs virus scan, spamassassin and delivers mails to local or remote mail boxes(outgoing).
While i could have achieved the same functionality with single queue i doubted it may not suit my needs in the future. Say if the server can handle 250 mails and the queue is already full then we may see some delay in receiving mails from remote machines and/or may completely loose some mails. More over I don’t have to change the incoming queue’s setup and continue receiving mails until i needed. It provides me the flexibility to pass the message to different server/s altogether whenever needed.
How the setup will look like?
Queue 1: Two qmail-smtpd instances one listening on port 25 and the other listening on port 465(SSL).
port 25 – To receive mails from public domains such as yahoo/google.
port 465 – For internal users to send mails(auth + encryption).
Queue 2: qmail-smtpd listens on port 2000. Receives mail only from localhost(127.0.0.1). Calls qmailscanner and have it scanned with clamav & spamassassin. If it has virus the mail is quarantined. If tagged SPAM then the mail’s subject is prepend with [SPAM] and delivered to user’s mail box. If the user is local, the mail will be delivered to Junk directory.
Also there were some specific needs for me. We had many aliases in the server and only certain people must be able to send mail to those aliases. While this can be done with mailing list software like ezmlm i thought of discovering more. When a unauthorized user sends a mail to particular alias it will send a mail to the moderator. I wanted the mail to be bounced back to the sender(ezmlm has that option) and also give my own message for the bounce(reason). I wrote my own perl script to achieve this and it was simple enough. Ezmlm is also installed in my server and serving other purposes.
Enough for tonight. I will be posting
For the inside queue(that scans and delivers mail) i followed the instructions from qmailrocks. Disk space, pre-installation check list & other instructions are here
Note: I installed vpopmail without mysql since the number of domains i manage is small. If you are going to have more than 10 domains consider using vpopmail with mysql backend. Remember to replace all example.net entries with your own domain. For hostnames enter the FQDN of your server.
After installing qmailrocks, make sure that mails to & from your domain works. The qmail installation from qmailrocks listens on port 25, alter it to listen on port 2000.
Last few lines in ‘/var/qmail/supervise/qmail-smtpd/run’ looks like this
# tail -4 /var/qmail/supervise/qmail-smtpd/run
/usr/local/bin/tcpserver -v -R -l "$LOCAL" -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \ -u "$QMAILDUID" -g "$NOFILESGID" 127.0.0.1 2000 \ /var/qmail/bin/qmail-smtpd your.hostname.here \ /home/vpopmail/bin/vchkpw /usr/bin/true 2>&1
With the above setting, the QMR installation will serve us as a separate queue which will scan any mail that comes to it. Now we have everything setup to install our other queue.
Note: I used /var/qmail-inside as my qmail directory(for all incoming mails). You can choose any other directory you want. Also for this queue i patched qmail with jms’s combined patch set 6cd
Below are the steps:
cd /usr/local/src wget ftp://ftp.jp.qmail.org/qmail/qmail-1.03.tar.gz wget http://qmail.jms1.net/patches/qmail-1.03-jms1.6cd.patch wget http://untroubled.org/qmail-qfilter/qmail-qfilter-2.1.tar.gz wget http://qmail.jms1.net/scripts/service-qmail-send-run wget http://qmail.jms1.net/scripts/service-qmail-smtpd-run tar zxfv qmail-1.03.tar.gz mv qmail-1.03 qmail-inside cd qmail-inside/
Edit conf-qmail and change the directory entry from /var/qmail to /var/qmail-inside
echo 211 > conf-split echo 255 > conf-spawn patch < /usr/local/src/qmail-1.03-jms1.6cd.patch make setup check
Next we have to copy create necessary control files for qmail. Copying all the control files from the /var/qmail/control will do. But we have remove some unwanted files too. virtualdomains file has the names of the virtual domains created with vpopmail. However, having this file means that the mail will be directly delivered to the vpopmail user rather than passing it to out other queue.
cd /var/qmail-inside/control/ cp /var/qmail/control/* /var/qmail-inside/control/ rm -f virtualdomains.lock locals.lock rcpthosts.lock clientcert.pem rm -f virtualdomains
It is better to link some files directly from /var/qmail so that when there are new virtual domains we don’t have to change the file each time we add a new virtual domain.
/var/qmail-inside/control rm -f rcpthosts ln -s /var/qmail/control/rcpthosts rm -f plusdomain ln -s /var/qmail/control/plusdomain
Now we are gonna created necessary aliases and cbd file.
cd /var/qmail-inside/alias echo "postmaster" > .qmail-root echo "postmaster@example.net" > .qmail-postmaster echo "postmaster" > .qmail-mailer-daemon cp .qmail-root .qmail-abuse echo "127.0.0.1:allow,RELAYCLIENT=\"\"" > /etc/tcp.smtp.inside tcprules /etc/tcp.smtp.inside.cdb /etc/tcp.smtp.inside.tmp < /etc/tcp.smtp.inside
Next step is to create all supervise and log directories
mkdir -p /var/qmail-inside/supervise/qmail-inside-send/log mkdir -p /var/qmail-inside/supervise/qmail-smtpd-25/log mkdir -p /var/qmail-inside/supervise/qmail-smtpd-465/log chmod +t /var/qmail-inside/supervise/qmail-inside-send chmod +t /var/qmail-inside/supervise/qmail-smtpd-25 chmod +t /var/qmail-inside/supervise/qmail-smtpd-465 mkdir -p /var/log/qmail-inside/qmail-inside-send mkdir -p /var/log/qmail-inside/qmail-smtpd-25 mkdir -p /var/log/qmail-inside/qmail-smtpd-465 chown -R qmaill /var/log/qmail-inside/ chown vpopmail.qmail servercert.pem
Create run files for both smtpd instances:
vi /var/qmail-inside/supervise/qmail-smtpd-25/log/run
#!/bin/sh exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t s2500000 /var/log/qmail-inside/qmail-smtpd-25
vi /var/qmail-inside/supervise/qmail-inside-send/log/run
#!/bin/sh exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t /var/log/qmail-inside/qmail-inside-send
Now we are going to create the supervise directories:
cd /var/qmail-inside/supervise cp /usr/local/src/service-qmail-smtpd-run qmail-smtpd-25/ cp /usr/local/src/service-qmail-smtpd-run qmail-smtpd-465/ cp /usr/local/src/service-qmail-send-run qmail-inside-send/ cp qmail-smtpd-25/log/run qmail-smtpd-465/log/
vi qmail-smtpd-465/log/run
change the directory qmail-smtpd-25 to qmail-smtpd-465
chmod 755 qmail-smtpd-465/log/run qmail-smtpd-25/log/run\ qmail-inside-send/log/run cd /var/qmail-inside/supervise/qmail-inside-send/ mv service-qmail-send-run run
Edit the file run: vi run
and change the following entries
VQ=/var/qmail to VQ=/var/qmail-inside
and save the file
chmod 755 run cd ../qmail-smtpd-25/ mv service-qmail-smtpd-run run vi run
Change the following:
VQ="/var/qmail-inside" SMTP_CDB="/etc/tcp.smtp.inside.cdb" GREETDELAY=30 IP=0 uncomment RBLSMTPD_PROG, RBL_BAD , save the file and make it executable. # chmod 755 run
We have to install sslserver for enabling secured smtp connections(i configured it to listen on port 465).
Installing sslserver
cd /usr/local/src/ wget http://www.superscript.com/ucspi-ssl/ucspi-ssl-0.70.tar.gz cd /package/ tar zxfv /usr/local/src/ucspi-ssl-0.70.tar.gz cd host/superscript.com/net/ucspi-ssl-0.70 package/compile package/rts # output should be empty package/install cd /var/qmail-inside/supervise/qmail-smtpd-465/ mv service-qmail-smtpd-run run vi run
change the following
VQ="/var/qmail-inside" SMTP_CDB="/etc/tcp.smtp.cdb" QUSER=vpopmail IP=0 PORT=465 SSL=1 AUTH=1 REQUIRE_AUTH=1
Save the file
chmod 755 run cd /var/qmail-inside/control/ echo ":127.0.0.1:2000" > smtproutes cd /service/ ln -s /var/qmail-inside/supervise/qmail-smtpd-25/ ln -s /var/qmail-inside/supervise/qmail-inside-send/ ln -s /var/qmail-inside/supervise/qmail-smtpd-465/
ps -ef|grep qmail-inside
will show that the processes are started and running. Check the corresponding services logs and make sure that they don’t throw errors.
If you followed the above steps word by word then, log files for the above services will be at: /var/log/qmail-inside/qmail-smtpd-25/current and /var/log/qmail-inside/qmail-smtpd-465/current
Errors and fixes:
When configuring your mail client to send mail you get auth failure. You have to use useid@example.net as username. Also make sure that SSLis enbaled and the port is set as 465.
Qmail SMTP Access Control with tcp.smtp
Before we can start using qmail smtpd service, we need to define some access control.
This can be done with file
/etc/tcp.smtp
To allow relaying from localhost, you have to add
127.:allow,RELAYCLIENT=””
This setting wil allow Qmail SMTP server to send email from any IP starting with 127.X.X.X
IP 127.0.0.1 is used by localhost
If you need to allow relay from IP address 200.200.200.100 and localhost, Add following
127.:allow,RELAYCLIENT=””
203.200.10.91:allow,RELAYCLIENT=””
Now you need to use tcprules command to add the rule to qmail database (/etc/tcp.smtp.cdb).
# tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp < /etc/tcp.smtp
Following commands can delete all mails from your qmail mail server queue.
qmailctl stop
find /var/qmail/queue/mess -type f -exec rm {} \;
find /var/qmail/queue/info -type f -exec rm {} \;
find /var/qmail/queue/local -type f -exec rm {} \;
find /var/qmail/queue/intd -type f -exec rm {} \;
find /var/qmail/queue/todo -type f -exec rm {} \;
find /var/qmail/queue/remote -type f -exec rm {} \;
qmailctl start
Center for Internet Security Benchmark for Apache Web Server
Pre-configuration Checklist
It is important to realize that “Web Security” extends beyond the Web Server itself. There are many different web security vulnerabilities, which do not directly involve the web server itself. In order to truly secure a web infrastructure, many different information technology divisions must work together. These include, but are not limited to Firewalls, Intrusion Detection Systems, DNS, Networks Branch, etc… Take the time to build relationships with these groups and discuss web security issues. Hopefully, you will be able to identify deficiencies in your environment and fix them prior to exploitation attempts. The benchmark reader should review this sample checklist prior to applying the CIS Apache Benchmark. Reviewed and implement my company’s security policies as they relate to web security. Implemented a secure network infrastructure by controlling access to/from your web server by using: Firewalls, Routers and Switches. Implemented a Network Intrusion Detection System to monitor attacks against the web server. Implemented load-balancing/failover capability in case of Denial of Service or server shutdown. Implemented a disk space monitoring process and log rotation mechanism. The WHOIS Domain information registered for our web presence does not reveal sensitive personnel information, which may be leveraged for Social Engineering (Individual POC Names), War Dialing (Phone Numbers) and Brute Force Attacks (Email addresses matching actual system usernames). Domain Name Service (DNS) servers have been properly secured to prevent domain hi-jacking via cache poisoning, etc… Harden the Underlying Operating System of the web server. This should include minimizing listening network services, applying proper patches and hardening the configurations. Educated developers about writing secure code.
o OWASP Top Ten – http://www.owasp.org/index.php/OWASP_Top_Ten_Project
o WASC Threat Classification – http://www.webappsec.org/projects/threat/
1 Level 1 Apache Benchmark Settings
The Prudent Level of Minimum Due Care
Level-I Benchmark settings/actions meet the following criteria.
1. System administrators with any level of security knowledge and experience can understand and perform the specified actions.
2. The action is unlikely to cause an interruption of service to the operating system or the applications that run on the system.
3. The actions can be automatically monitored, and the configuration verified, by Scoring Tools that are available from the Center or by CIS-certified Scoring Tools.
Many organizations running the CIS scoring tools report that compliance with a CIS “Level-1” benchmark produces substantial improvement in security for their systems connected to the Internet.
1.1 Installation
Question Are you planning to use the precompiled Apache httpd binary that is available by default with many Unix Operating Systems or a commercial version supplied by a Vendor (such as WebLogic or Oracle’s Application Server 9iAS/10G)?
If you answered yes, then continue with the section. If you answered no, or in the event vendor binaries are not available or suitable, recommended instructions for downloading, building from the source and installing are included this sample chapter from Apache Security[1] by Ivan Ristic – http://www.apachesecurity.net/download/apachesecurity-ch02.pdf. Description The CIS Apache Benchmark recommends using the Apache binary provided by your vendor for most situations. The benefits of using the vendor supplied binaries include[2]: Ease of installation as it will just work, straight out of the box. It is customized for your OS environment. It will be tested and have gone though QA procedures. Everything you need is likely to be included, probably including some third party modules. Many OS vendors ship Apache with mod_ssl and OpenSSL and PHP, mod_perl and ModSecurity for example. Your vendor will tell you about security issues in all those bits, you have to look in less places. Updates to fix security issues will be easy to apply. The vendor will have already verified the problem, checked the signature on the Apache download, worked out the impact and so on. You may be able to get the updates automatically, reducing the window of risk.
There are times when compilation from source code will be necessary or advantageous, however for most situations the vendor binaries will provide better security by ensuring that updates are applied according to the existing update process. Which Apache Version to use? There are currently three different Apache forks: 1.3.x, 2.0.x and 2.2.x. At the time of this writing, the current stable versions are 1.3.37, 2.0.59 and 2.2.4. There may be restrictions as to which version of Apache you must use, however if it is at all possible it is recommended that you use the 2.2.x fork. The main reasons are security related as this is the current branch where the majority of improvements are made. Additionally, in order to use the ModSecurity 2.x web application firewall package, you must be using either the 2.0.x or 2.2.x version. Action Install the Apache Software using vendor provided binaries if available For Red Hat/Fedora: # yum install httpd2 For Debian systems: # apt-get install apache2-mpm-prefork
1.2 ModSecurity Overview
Important Note ModSecurity has quickly matured over the years and has become the most widely deployed web application firewall. Due to the fact that is open source and free, coupled with its flexible rules language and extensive logging capabilities, the CIS Apache Benchmark highly recommends that all Apache deployments install it. We do however realize that not all deployments will be able to use this application. It is for this reason that many sections will be providing both an Apache and a ModSecurity setting that can be used to mitigate the issues. There were many previous benchmark sections that attempted to leverage Apache modules and directives to achieve a specific security goal. Some of these settings worked to a certain degree however some were not flexible enough to fully handle the issue. ModSecurity, on the other hand, is able to better address these issues. It is for this reason that most of these benchmark settings will include an analogous ModSecurity feature or ruleset in addition to the standard Apache directive or configuration. We will still provide the Apache directive examples, however we will include information about its limitations and a rationale for using ModSecurity. Description
ModSecurity is an open-source, free web application firewall module that integrates into the Apache web server. The project website is www.modsecurity.org. It is available under the open source GPL license, with optional commercial support and licensing
(from Breach Security – www.breach.com). There are two versions of the module, one for each major Apache branch, and they are almost identical in functionality. In the Apache 2 version, mod_security uses the advanced filtering API available in that version, making interception of the response body possible. The Apache 2 version is also more efficient in terms of memory consumption. In short, ModSecurity does the following: Intercepts HTTP requests before they are fully processed by the web server Intercepts the request body (e.g., the POST payload) Intercepts, stores, and optionally validates uploaded files Performs optional anti-evasion actions Performs request analysis by processing a set of rules defined in the configuration Intercepts HTTP responses before they are sent back to the client (Apache 2 only) Performs response analysis by processing a set of rules defined in the configuration Takes one of the predefined actions or executes an external script when a request or a response fails analysis (a process called detection) Depending on the configuration, a failed request may be prevented from being processed, and a failed response may be prevented from being seen by the client (a process called prevention) Performs audit logging
In this section, we will cover the essentials for installation and configuration. For a detailed reference manual, visit the project documentation area at http://www.modsecurity.org/documentation/. Action
In order to ensure that you are using the latest and greatest version, you should download the ModSecurity source code from the project website – http://www.modsecurity.org/download/index.html. As of this writing, the current version is 2.1.2. Follow the steps outlined in the Installation section of the Reference Manual – http://www.modsecurity.org/documentation/modsecurity-apache/2.1.2/modsecurity2-apache-reference.html#02-installation
If you run into any issues with installation, configuration or usage, you should sign up on the ModSecurity users mail-list here – https://lists.sourceforge.net/lists/listinfo/mod-security-users.
1.3 ModSecurity Core Rules Overview
Description
ModSecurity is a web application firewall engine. Being the Swiss army knife of application firewalls it can do everything but requires rules to tell it what to do. In order to enable users to take full advantage of ModSecurity out of the box, ModSecurity includes the Core Rule Set, an open source rule set licensed under GPLv2. ModSecurity Core Rule Set works with ModSecurity 2.1 and above.
Unlike intrusion detection and prevention systems, which rely on signature specific to known vulnerabilities, the Core Rules is based on generic rules in order to provide protection from zero day and unknown vulnerabilities often found in web applications, which are in most cases custom coded.
As a generic negative security rule set, the Core Rule Set is only one layer in your application protection. You can learn more about the pros and cons of a negative security model in the presentation “The Core Rule Set: Generic detection of application layer”, presented at OWASP Europe 2007. In addition to the Core Rule Set you may want to harden your Apache installation, for which you can consult Ivan Ristic’s book, Apache Security. You may also consider writing custom rules for providing a positive security envelope to your application or critical parts of it. Breach Security can provide you with training and professional services to assist you in doing that. On additional methodologies which complement the Core Rule Set including positive security and virtual patching you can read in Ryan Barnett’s book, Preventing Web Attacks with Apache Why The Core Rule Set? The focus of the core rule set is to be a “rule set” rather than a set of rules. What makes a rule set different than a set of rules? Performance – The Core Rule Set is optimized for performance. The amount and content of the rules used predominantly determines the performance impact of ModSecurity, so the performance optimization of the rule set is very important. Quality – While there will always be false positives, a lot of effort is put into trying to make the Core Rule Set better. Some of the things done are:
o Regression tests – a regression test is used to ensure that every new version shipped does not break anything. Actually every report of a false positive, once solved, gets into the regression test.
o Real traffic testing – A large amount of real world capture files have been converted to tests and sent through ModSecurity to detect potential false positives. Generic Detection – The core rule set is tuned to detect generic attacks and does not include specific rules for known vulnerabilities. Due to this feature the core rule set has better performance, is more “plug and play” and requires less updates. Event Information – Each rule in the Core Rule Set has a unique ID and a textual message. In the future rules are also going to be classified using a new tag action in ModSecurity, as well as longer information regarding each rule using comments in the files themselves. Plug and Play – The Core Rule Set is designed to be as plug and play as possible. Since its performance is good and it employs generic detection, and since the number of false positives is getting lower all the time, the Core Rule Set can be installed as is with little twisting and tweaking.
Content In order to provide generic web applications protection, the Core Rules use the following techniques:
Protocol compliance: HTTP request validation – This first line of protection ensures that all abnormal HTTP requests are detected. This line of defense eliminates a large number of automated and non targeted attacks as well as protects the web server itself. HTTP protocol anomalies – Common HTTP usage patterns are indicative of attacks. Global constraints – Limiting the size and length of different HTTP protocol attributes, such as the number and length of parameters and the overall length of the request. Ensuring that these attributed are constrained can prevent many attacks including buffer overflow and parameter manipulation. HTTP Usage policy – validate requests against a predefined policy, setting limitations request properties such as methods, content types and extensions.
Attack Detection: Malicious client software detection – Detect requests by malicious automated programs such as robots, crawlers and security scanners. Malicious automated programs collect information from a web site, consume bandwidth and might also search for vulnerabilities on the web site. Detecting malicious crawlers is especially useful against comments spam. Generic Attack Detection – Detect application level attacks such as described in the OWASP top 10. These rules employ context based patterns match over normalized fields. Detected attacks include:
o SQL injection and Blind SQL injection.
o Cross Site Scripting (XSS).
o OS Command Injection and remote command access.
o File name injection.
o ColdFusion, PHP and ASP injection.
o E-Mail Injection
o HTTP Response Splitting.
o Universal PDF XSS. Trojans & Backdoors Detection – Detection of attempts to access Trojans & backdoors already installed on the system. This feature is very important in a hosting environment when some of this backdoors may be uploaded in a legitimate way and used maliciously.
Other: Error Detection – Prevent application error messages and code snippets from being sent to the user. This makes attacking the server much harder and is also a last line of defense if an attack passes through. XML Protection – The Core Rule Set can be set to examine XML payload for most signatures. Search Engine Monitoring – Log access by search engines crawlers to the web site.
Action
CIS_Apache_Benchmark_v2.1
|
|
Recent Comments