What this configuration provides
The purpose of this document is to provide complete instructions for setting
up a Redhat 9 server with Qmail 1.03 and several important add-ons. The final
install will provide qmail, the world’s most secure MTA, with support
for pop3, imap, pop3-ssl, imap-ssl, smtp, and smtps* with authentication. The setup
will also support virtual domains, SpamAssassin, Clam Anti-virus, and Squirrelmail
with the ability to change your password. The setup will focus on security as
much as possible. With these instructions you will be able to set up a very stable and secure MTA with 100% encrypted communication, and the versatility to make any users happy.
Credits
This document is not the work of one man. It is HEAVILY based on the work done
at http://www.shupp.org/toaster/
and http://www.pipeline.com.au/staff/mbowe/isp/webmail-server.htm. Both are excellent documents which helped me create this one.
Required RPMs
To the best of my abilities, I have listed below what RPMs you will need to
have installed. If you have installed Redhat with the “Server” option,
you should be OK. I list these because my provider gave me a “minimal”
install, and gave me quite a workout when setting up Qmail :)
One more note: Up2date is a wonderful thing, if you don’t have a Redhat subscription get one!
The RPMS:
gdbm
gdbm-devel
openssl
openssl-devel
stunnel
apache (httpd)
patch
gcc
cpp
glibc-devel
glibc-kernheaders
binutils
gcc-c++
krb5
krb5-devel
vim-common
vim-minimal
vim-enhanced (recommended)
zlib (for clamav)
zlib-devel (for clamav)
perl-DB_File
perl-suidperl
expect
tcl
Update System
Next, make sure you have the latest packages installed. From the command line
do this:
up2date -u
Firewall Rules:
I’m not going to get into a deep discussion on how to use iptables here.
What I will do is list what ports are needed for what services. If you are not
familiar with setting up firewall rules with iptables, go to http://www.fwbuilder.org
and download the packages for Redhat 9. This is a great firewall rule builder,
complete with a GUI and a wizard for all you novices :) The site also provides
a forum if you have problems.
Ports:
25 – SMTP
80 – HTTP
106 – COURIERPASSD # For security, only allow access to this port from localhost
110 – POP3
143 – IMAP
443 – HTTPS
993 – IMAPS
995 – POP3S
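The howto leaves the actual iptables rules to fwbuilder. As an added example (not part of the original document), here is a plain-sh generator for exactly the port list above; it assumes eth0 is the Internet-facing interface and that courierpassd (106) is only ever reached over loopback by the change_pass plugin on this same host. It prints the rules rather than running them, so they can be reviewed first.

```shell
#!/bin/sh
# Added example for this howto (not from the original): print an iptables
# ruleset for the ports listed above. Assumptions: the public interface is
# eth0, and courierpassd (106) is only reached over loopback.

PUBLIC_IF="${PUBLIC_IF:-eth0}"    # assumption: the Internet-facing interface

# name:port pairs from the "Ports:" list; 106 is deliberately kept separate
PUBLIC_PORTS="smtp:25 http:80 pop3:110 imap:143 https:443 imaps:993 pop3s:995"
LOCAL_ONLY_PORTS="courierpassd:106"

# gen_rules prints the commands instead of executing them, so the ruleset
# can be reviewed (or compared with `iptables-save`) before it is applied.
gen_rules() {
    echo "iptables -F INPUT"
    echo "iptables -P INPUT DROP"       # default deny for anything not listed
    echo "iptables -P FORWARD DROP"     # a mail server does not route
    echo "iptables -P OUTPUT ACCEPT"
    # Loopback is always allowed; this alone is what makes 106 reachable from
    # localhost (Squirrelmail -> courierpassd) without exposing it outside.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Replies to connections this server opened: DNS, RBL lookups, outbound SMTP
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for entry in $PUBLIC_PORTS; do
        name=${entry%%:*}; port=${entry##*:}
        echo "iptables -A INPUT -i $PUBLIC_IF -p tcp --dport $port -m state --state NEW -j ACCEPT  # $name"
    done
    for entry in $LOCAL_ONLY_PORTS; do
        name=${entry%%:*}; port=${entry##*:}
        # Log and reject explicitly so an attempt from outside shows up in
        # /var/log/messages instead of just timing out.
        echo "iptables -A INPUT -i $PUBLIC_IF -p tcp --dport $port -j LOG --log-prefix \"$name-blocked: \""
        echo "iptables -A INPUT -i $PUBLIC_IF -p tcp --dport $port -j REJECT  # $name: localhost only"
    done
    # Everything else falls through to the DROP policy; log it (rate limited) first.
    echo "iptables -A INPUT -i $PUBLIC_IF -m limit --limit 5/min -j LOG --log-prefix \"INPUT-dropped: \""
}

# count_public_accepts: number of ACCEPT rules that open a port on $PUBLIC_IF
count_public_accepts() {
    gen_rules | grep -c -- "-i $PUBLIC_IF .* -j ACCEPT"
}

# Review with `sh firewall.sh`; apply as root with `sh firewall.sh --apply`.
if [ "${1:-}" = "--apply" ]; then
    gen_rules | sh
else
    gen_rules
fi
```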
SETUP TIME SYNCHRONISATION:
Mail servers need to have their clocks set correctly. If the clock is not
kept in sync, you can experience strange problems.
Redhat comes with the ntpd package, which is easy to set up:
vi /etc/ntp.conf
look for the "# --- OUR TIMESERVERS -----" section
and then put in the following lines :
restrict xxx.xxx.xxx.xxx mask 255.255.255.255 nomodify notrap noquery
server xxx.xxx.xxx.xxx
where xxx.xxx.xxx.xxx is the IP address of your (or your upstream's) NTP server.
If you don’t have an upstream server, you can use a public NTP server such as
ntp0.jensenresearch.com
After making the changes, you will need to restart the ntpd service :
/etc/rc.d/init.d/ntpd restart
Use the ntsysv program and make sure the ntpd service is enabled at bootup time
Download the Needed Files
Some of these files may be version dependent; unless you have a good reason
(and an understanding of the consequences), stick with the versions listed.
For convenience, and because I’m such a nice guy, I bundled all of the
required files at http://www.timekiller.org/howtos/files/qmail-files.tar.gz
cd /usr/local/src
wget http://cr.yp.to/daemontools/daemontools-0.76.tar.gz
wget http://cr.yp.to/ucspi-tcp/ucspi-tcp-0.88.tar.gz
wget http://www.qmail.org/ucspi-rss.diff
wget http://cr.yp.to/software/qmail-1.03.tar.gz
wget http://people.kldp.org/~eunjea/qmail/patch/qmail-ej-cocktail-14.tar.gz
wget http://shupp.org/patches/vpopmail-5.3.6.tar.gz
wget http://shupp.org/toaster/0.4/qmailadmin-1.0.4.tar.gz
wget http://cr.yp.to/software/ezmlm-0.53.tar.gz
wget http://shupp.org/toaster/0.4/idx.shupp.patch.gz
wget http://telia.dl.sourceforge.net/sourceforge/courier/courier-imap-1.4.6.tar.gz
wget http://shupp.org/toaster/0.4/toaster-scripts.tar.gz
wget ftp://moni.csi.hu/pub/glibc-2.3.1/ezmlm-idx-0.53.400.unified_41.patch
wget ftp://moni.csi.hu/pub/glibc-2.3.1/daemontools-0.76.errno.patch
wget ftp://moni.csi.hu/pub/glibc-2.3.1/ucspi-tcp-0.88.errno.patch
wget http://flow.dl.sourceforge.net/sourceforge/squirrelmail/squirrelmail-1.4.1.tar.bz2
wget http://www.squirrelmail.org/plugins/quota_usage-1.1.tar.gz
wget http://www.squirrelmail.org/plugins/compatibility-1.2.tar.gz
wget http://www.inter7.com/devel/autorespond-2.0.3.tar.gz
wget ftp://ftp.pipeline.com.au/PipeInt/Sources/Linux/WebMail/ezmlm-idx-0.40.tar.gz
wget http://heanet.dl.sourceforge.net/sourceforge/razor/razor-agents-sdk-2.03.tar.gz
wget http://heanet.dl.sourceforge.net/sourceforge/razor/razor-agents-2.36.tar.gz
wget http://au2.spamassassin.org/released/Mail-SpamAssassin-2.60.tar.gz
wget http://heanet.dl.sourceforge.net/sourceforge/tnef/tnef-1.2.1.tar.gz
wget http://twtelecom.dl.sourceforge.net/sourceforge/courier/maildrop-1.6.2.tar.bz2
wget http://heanet.dl.sourceforge.net/sourceforge/clamav/clamav-0.60.tar.gz
wget http://belnet.dl.sourceforge.net/sourceforge/qmail-scanner/qmail-scanner-1.16.tgz
wget http://www.arda.homeunix.net/store/courierpassd-0.30.tar.gz
wget http://www.squirrelmail.org/plugins/change_pass-2.4-1.4.x.tar.gz
INSTALL UCSPI-TCP
Ucspi-tcp contains tcpserver and tcpclient, command line tools for building
client-server applications.
Info: http://cr.yp.to/ucspi-tcp.html
cd /usr/local/src
tar xzf ucspi-tcp-0.88.tar.gz
cd ucspi-tcp-0.88
# Patch rblsmtpd so that it can be used with all the newer RBL zones.
# This patch also lets you specify a custom error message to be returned to the sender.
patch -p0 rblsmtpd.c < ../ucspi-rss.diff
# Modify rblsmtpd.c to increase the maximum size of the error text that is allowed
# to be returned to the sender from 200 to 500 chars.
# This allows you to create some nice and descriptive text to send to people who
# are being blocked by your RBL filters
vi rblsmtpd.c
go to line 166 and change it from
if (text.len > 200) text.len = 200;
to
if (text.len > 500) text.len = 500;
#Apply glibc 2.3.1 patch
patch -p1 < ../ucspi-tcp-0.88.errno.patch
make
make setup check
INSTALL DAEMONTOOLS
Daemontools is a collection of tools for managing UNIX services. It will supervise
the qmail-send, qmail-smtpd, and qmail-pop3d services.
Info: http://cr.yp.to/daemontools.html
mkdir -p /package
chmod 1755 /package
cd /package
tar zxvfp /usr/local/src/daemontools-0.76.tar.gz
cd admin/daemontools-0.76
#Apply glibc 2.3.1 patch
patch -p1 < /usr/local/src/daemontools-0.76.errno.patch
package/install
To verify that daemontools is running, make sure that `ps ax` reports '/bin/sh /command/svscanboot' and 'svscan /service' as running.
INSTALL QMAIL
Info: http://www.qmail.org
The patch you will apply below is a composite of existing patches. For more
info on the individual patches, go to http://people.kldp.org/~eunjea/qmail/patch/.
Create the users and groups required for qmail
mkdir /var/qmail
groupadd nofiles
useradd -g nofiles -d /var/qmail qmaild
useradd -g nofiles -d /var/qmail qmaill
useradd -g nofiles -d /var/qmail qmailp
useradd -g nofiles -d /var/qmail/alias alias
groupadd qmail
useradd -g qmail -d /var/qmail qmailq
useradd -g qmail -d /var/qmail qmailr
useradd -g qmail -d /var/qmail qmails
Make the vpopmail user accounts
#You may need to run the following command if postfix is installed:
#userdel postfix
groupadd -g 89 vchkpw
useradd -g vchkpw -u 89 vpopmail
Unpack the sources, apply the required patches, and compile
cd /usr/local/src
tar zxvf qmail-1.03.tar.gz
tar zxvf qmail-ej-cocktail-14.tar.gz
cd qmail-1.03
#Apply Cocktail Patch
patch -p1 < ../qmail-ej-cocktail-14/cocktail.patch
#Edit conf-spawn
vi conf-spawn
change value from 1000 to 120
# Redhat 9 kerberos fix
Redhat moved where they keep the Kerberos header files. This is a hack, but
it works!
Info: http://www.raditha.com/linux/krb5.h.php
ln -s /usr/kerberos/include/krb5.h /usr/include/krb5.h
ln -s /usr/kerberos/include/profile.h /usr/include/profile.h
ln -s /usr/kerberos/include/com_err.h /usr/include/com_err.h
#Edit qmail-smtpd.c and change the reply code in the straynewline function (around line 71 after patching) from 451 to 553
Without this you will get nasty loops forming when a remote server sends you
a message with invalid formatting. By default qmail says something like
"I am not going to accept that message at the moment, you can try again
later". However, in my experience the sending server will try sending the
same message again a few seconds later, and this will go around and around in
a loop for days on end, consuming valuable bandwidth and resources. Changing
the error code to 553 makes the error permanent, ie "I am not
going to accept that message, don't try sending it again".
make
make setup check
# on the next line replace "full.hostname" with the hostname of your mail server
./config-fast full.hostname
#Remove Postfix and Sendmail (replace "-ver" with the exact package names reported by `rpm -qa`)
rpm -e --nodeps postfix-ver
rpm -e --nodeps sendmail-ver
# Link in qmail's replacement "sendmail-like" tools
ln -s /var/qmail/bin/sendmail /usr/lib
ln -s /var/qmail/bin/sendmail /usr/sbin
#Generate SSL Cert
make cert
(Enter Your Info)
cd /var/qmail/control
rm clientcert.pem
cp servercert.pem clientcert.pem
chown vpopmail.qmail servercert.pem
chown qmaild.qmail clientcert.pem
# Setup RC scripts
cd /usr/local/src
tar zxvf toaster-scripts.tar.gz
cp toaster-scripts/rc /var/qmail/rc
chmod 755 /var/qmail/rc
mkdir /var/log/qmail
echo ./Maildir/ >/var/qmail/control/defaultdelivery
cp toaster-scripts/qmailctl /var/qmail/bin/
#Make qmail start at boot time.
ln -s ../init.d/qmail /etc/rc.d/rc0.d/K30qmail
ln -s ../init.d/qmail /etc/rc.d/rc1.d/K30qmail
ln -s ../init.d/qmail /etc/rc.d/rc2.d/S80qmail
ln -s ../init.d/qmail /etc/rc.d/rc3.d/S80qmail
ln -s ../init.d/qmail /etc/rc.d/rc4.d/S80qmail
ln -s ../init.d/qmail /etc/rc.d/rc5.d/S80qmail
ln -s ../init.d/qmail /etc/rc.d/rc6.d/K30qmail
ln -s /var/qmail/bin/qmailctl /etc/rc.d/init.d/qmail
chmod 755 /var/qmail/bin/qmailctl
ln -s /var/qmail/bin/qmailctl /usr/bin
#Now create the supervise directories/scripts for the qmail services:
mkdir -p /var/qmail/supervise/qmail-send/log
mkdir -p /var/qmail/supervise/qmail-smtpd/log
mkdir -p /var/qmail/supervise/qmail-pop3d/log
mkdir -p /var/qmail/supervise/qmail-pop3ds/log
chmod +t /var/qmail/supervise/qmail-send
chmod +t /var/qmail/supervise/qmail-smtpd
# the sticky bit goes on the service directory itself: it tells svscan to also run the log/ service
chmod +t /var/qmail/supervise/qmail-pop3d
chmod +t /var/qmail/supervise/qmail-pop3ds
cp /usr/local/src/toaster-scripts/send.run /var/qmail/supervise/qmail-send/run
cp /usr/local/src/toaster-scripts/send.log.run /var/qmail/supervise/qmail-send/log/run
cp /usr/local/src/toaster-scripts/smtpd.run /var/qmail/supervise/qmail-smtpd/run
cp /usr/local/src/toaster-scripts/smtpd.log.run /var/qmail/supervise/qmail-smtpd/log/run
cp /usr/local/src/toaster-scripts/pop3d.run /var/qmail/supervise/qmail-pop3d/run
cp /usr/local/src/toaster-scripts/pop3d.log.run /var/qmail/supervise/qmail-pop3d/log/run
cp /usr/local/src/toaster-scripts/pop3ds.run /var/qmail/supervise/qmail-pop3ds/run
cp /usr/local/src/toaster-scripts/pop3ds.log.run /var/qmail/supervise/qmail-pop3ds/log/run
echo 20 > /var/qmail/control/concurrencyincoming
chmod 644 /var/qmail/control/concurrencyincoming
chmod 755 /var/qmail/supervise/qmail-send/run
chmod 755 /var/qmail/supervise/qmail-send/log/run
chmod 755 /var/qmail/supervise/qmail-smtpd/run
chmod 755 /var/qmail/supervise/qmail-smtpd/log/run
chmod 755 /var/qmail/supervise/qmail-pop3d/run
chmod 755 /var/qmail/supervise/qmail-pop3d/log/run
chmod 755 /var/qmail/supervise/qmail-pop3ds/run
chmod 755 /var/qmail/supervise/qmail-pop3ds/log/run
mkdir -p /var/log/qmail/smtpd
mkdir -p /var/log/qmail/pop3d
mkdir -p /var/log/qmail/pop3ds
chown qmaill /var/log/qmail /var/log/qmail/smtpd
chown qmaill /var/log/qmail/pop3d /var/log/qmail/pop3ds
#Adjust various aspects of the qmail configuration to suit our tastes
# use postmaster@hostname.yourdomain.com as sender in bounce messages
# rather than the default MAILER-DAEMON@hostname.yourdomain.com
echo 'postmaster' > /var/qmail/control/bouncefrom
# Define how to handle "double bounces".
# The server admin has two choices here, either to receive double bounces
# or to discard them. If your server doesn't handle a lot of mail then it
# wouldn't hurt to receive all double bounces for the admin's inspection.
# But if your server handles a lot of mail, then it is more likely that you
# are going to want to discard double-bounces, because you will end up with
# potentially thousands of these every day.
#
# If you want to keep double-bounces, use these commands to nominate what
# email address to send them through to (eg doublebounce@yourdomain.com) :
echo 'doublebounce' > /var/qmail/control/doublebounceto
echo 'yourdomain.com' > /var/qmail/control/doublebouncehost
# (don't forget that you will need to make sure you have created a mailbox
# to receive these mails. You could use qmailadmin to create a dedicated
# mailbox, or perhaps set up an alias on an existing mailbox)
#
# Or if you would prefer to silently discard any doublebounces,
# then use these commands instead
echo 'doublebounce' > /var/qmail/control/doublebounceto
echo 'hostname.yourdomain.com' > /var/qmail/control/doublebouncehost
echo '#' > ~alias/.qmail-doublebounce
chmod 644 ~alias/.qmail-doublebounce
# set maximum message size to be 8Mb
echo '8000000' > /var/qmail/control/databytes
# queue mail for up to 4 days
echo '345600' > /var/qmail/control/queuelifetime
# Note, this following command is optional!
#
# If you want qmail to send all outbound mail via a particular mail server
# rather than to send it direct to the recipient's mail server, then this
# can be achieved with the smtproutes command.
#
# SEND ALL OUTBOUND MAIL VIA SMARTHOST
echo ':yoursmarthost.yourdomain.com' > /var/qmail/control/smtproutes
# redirect any mail sent to root@hostname.yourdomain.com to postmaster@yourdomain.com
# redirect any mail sent to postmaster@hostname.yourdomain.com to postmaster@yourdomain.com
# redirect any mail sent to mailer-daemon@hostname.yourdomain.com to postmaster@yourdomain.com
echo 'postmaster@yourdomain.com' > ~alias/.qmail-root
echo 'postmaster@yourdomain.com' > ~alias/.qmail-postmaster
echo 'postmaster@yourdomain.com' > ~alias/.qmail-mailer-daemon
chmod 644 ~alias/.qmail-*
#Start qmail-send and qmail-smtpd
ln -s /var/qmail/supervise/qmail-send /service
ln -s /var/qmail/supervise/qmail-smtpd /service
#verify that it's running with qmailctl
qmailctl stat
ps axf
#Note the 2 qmail daemons : qmail-send, qmail-smtpd, as well as their associated logging processes. If there is anything wrong with your install, an error message will generally be visible on the "readproctitle" line.
INSTALL Vpopmail
Vpopmail is a virtual domain package add-on for qmail. It can handle multiple
domains on a single IP address, and none of the user accounts are /etc/passwd or
"system" accounts.
Info: http://www.inter7.com/vpopmail
Because we will only be using vchkpw (the pop authentication tool) with qmail-smtpd for SMTP-AUTH, we don't want it to open relays. The patch applied below fixes this.
Build the program:
cd /usr/local/src
tar zxvf vpopmail-5.3.6.tar.gz
cd vpopmail-5.3.6
./configure --enable-roaming-users=y --enable-logging=v --enable-defaultquota=20971520S \
  --enable-ip-alias-domains=n --enable-passwd=n --enable-clear-passwd=y --enable-domain-quotas=n \
  --enable-auth-logging=y
make
make install-strip
echo '127.:allow,RELAYCLIENT=""' >/home/vpopmail/etc/tcp.smtp
qmailctl cdb
# add the following line to your crontab via `crontab -e`
# (runs clearopensmtp every 10 minutes, starting at minute 9)
9-59/10 * * * * /home/vpopmail/bin/clearopensmtp > /dev/null 2>&1
# install the vpopmail start script
cp ../toaster-scripts/vpopmailctl /var/qmail/bin/vpopmailctl
#Make vpopmail start at boot time.
ln -s ../init.d/vpopmail /etc/rc.d/rc0.d/K30vpopmail
ln -s ../init.d/vpopmail /etc/rc.d/rc1.d/K30vpopmail
ln -s ../init.d/vpopmail /etc/rc.d/rc2.d/S80vpopmail
ln -s ../init.d/vpopmail /etc/rc.d/rc3.d/S80vpopmail
ln -s ../init.d/vpopmail /etc/rc.d/rc4.d/S80vpopmail
ln -s ../init.d/vpopmail /etc/rc.d/rc5.d/S80vpopmail
ln -s ../init.d/vpopmail /etc/rc.d/rc6.d/K30vpopmail
ln -s /var/qmail/bin/vpopmailctl /etc/rc.d/init.d/vpopmail
chmod 755 /var/qmail/bin/vpopmailctl
ln -s /var/qmail/bin/vpopmailctl /usr/bin
Optionally, nominate a "default domain". Users in this domain can login to POP3 etc using just their username. Users from all other domains need to use their full email address as their login name.
echo "yourdomain.com" > /home/vpopmail/etc/defaultdomain
Setup the quota warning message that is sent to users when they are at 90% quota
vi quotawarn.msg
From: SomeCompany Postmaster <postmaster@yourdomain.com>
Reply-To: postmaster@yourdomain.com
To: SomeCompany User:;
Subject: Mail quota warning
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 7bit
Your mailbox on the server is now more than 90% full.
So that you can continue to receive mail,
you need to remove some messages from your mailbox.
If you require assistance with this,
please contact our support department :
email : support@yourdomain.com
Tel : xx xxxx xxxx
cp quotawarn.msg /home/vpopmail/domains/.quotawarn.msg
If you want, you can alter the standard message that gets sent to the sender in an overquota situation
echo "Message rejected. Not enough storage space in user's mailbox to accept message." > /home/vpopmail/domains/.over-quota.msg
#allow daemontools to start the vpopmail pop3 services (qmail-pop3d and qmail-pop3ds)
ln -s /var/qmail/supervise/qmail-pop3d /var/qmail/supervise/qmail-pop3ds /service
#verify that it's running with vpopmailctl
vpopmailctl stat
Some example vpopmail commands :
To add a domain :
/home/vpopmail/bin/vadddomain yourdomain.com yourpassword
# this creates the domain and makes a mailbox postmaster@yourdomain.com
To add a mailbox:
/home/vpopmail/bin/vadduser someone@yourdomain.com apassword
(Or you can do it via qmailadmin)
To remove a mailbox
/home/vpopmail/bin/vdeluser someone@yourdomain.com
(Or you can do it via qmailadmin)
To remove a domain :
/home/vpopmail/bin/vdeldomain yourdomain.com
To change a user's password
/home/vpopmail/bin/vpasswd someone@yourdomain.com newpassword
(Or you can do it via qmailadmin)
To lookup info about a user
/home/vpopmail/bin/vuserinfo someone@yourdomain.com
This gives you info such as name, crypted password, cleartext password, dir,
quota, usage%, last auth.
It has a number of flags to let you see the individual fields, or you can see
them all if you don't use any flags.
It also creates the maildirsize file in the user's dir.
Logging in via POP3
When your users are setting up their POP3 email clients (eg Outlook Express), they should use settings like this :
My incoming mail server is a POP3 server
Incoming mail server (POP3): pop3.yourdomain.com
Outgoing mail server (SMTP): smtp.yourdomain.com
POP3 account name : theirusername@yourdomain.com
Password: theirpassword
When you configured vpopmail, you had the opportunity to nominate a "default" domain. When users from the default domain authenticate, it is optional for them to add the @yourdomain.com onto the end of their username. If vpopmail sees that no domain has been specified, then it will automatically perform the auth against the nominated default domain. If you are hosting multiple domains, then everyone who is NOT in the default domain MUST add their domain name onto the end of their username. (A small percentage of email programs eg Netscape Mail v4.7 do not permit the use of the @ symbol in account name. In this case you can use the % symbol instead of the @ symbol)
INSTALL Courier-IMAP
Courier-IMAP will supply IMAP/SIMAP (IMAP-SSL) access.
Info: http://www.inter7.com/courierimap
Install:
cd /usr/local/src
tar -xzf courier-imap-1.4.6.tar.gz
cd courier-imap-1.4.6
# configure may take some time...
./configure --disable-root-check --without-authdaemon --without-authpam --without-authldap \
  --without-authpwd --without-authmysql --without-authpgsql --without-authshadow \
  --without-authuserdb --without-authcustom --without-authcram --with-authvchkpw \
  --enable-workarounds-for-imap-client-bugs --with-ssl --with-redhat
make
make install-strip
make install-configure
cp courier-imap.sysvinit /etc/rc.d/init.d/courier-imap
chmod 755 /etc/rc.d/init.d/courier-imap
ln -s ../init.d/courier-imap /etc/rc.d/rc0.d/K30courier-imap
ln -s ../init.d/courier-imap /etc/rc.d/rc1.d/K30courier-imap
ln -s ../init.d/courier-imap /etc/rc.d/rc2.d/S80courier-imap
ln -s ../init.d/courier-imap /etc/rc.d/rc3.d/S80courier-imap
ln -s ../init.d/courier-imap /etc/rc.d/rc4.d/S80courier-imap
ln -s ../init.d/courier-imap /etc/rc.d/rc5.d/S80courier-imap
ln -s ../init.d/courier-imap /etc/rc.d/rc6.d/K30courier-imap
Configure:
Edit /usr/lib/courier-imap/etc/imapd
* Change 'AUTHMODULES="..."' to 'AUTHMODULES="authvchkpw"'
* Change 'IMAPDSTART=NO' to 'IMAPDSTART=YES'
Edit /usr/lib/courier-imap/etc/imapd-ssl
* Change 'IMAPDSSLSTART=NO' to 'IMAPDSSLSTART=YES'
# Run courier-imap as vpopmail.vchkpw
Edit /usr/lib/courier-imap/libexec/imapd.rc
AND /usr/lib/courier-imap/libexec/imapd-ssl.rc as follows:
* Change:
/usr/lib/courier-imap/libexec/couriertcpd -address=$ADDRESS \
To:
/usr/lib/courier-imap/libexec/couriertcpd -address=$ADDRESS \
-user=vpopmail -group=vchkpw \
#Start the IMAP Server
service courier-imap start
# make the new imapd.pem certificate readable by vpopmail since
# that's the user that the imap server runs as
chown vpopmail.vchkpw /usr/lib/courier-imap/share/imapd.pem
# Remove Kerberos symlinks
rm /usr/include/krb5.h /usr/include/profile.h /usr/include/com_err.h
INSTALL Autorespond
Autorespond is a compatible autoresponder/vacation-type tool that works well
with qmailadmin.
Info: http://www.inter7.com/devel
Install:
cd /usr/local/src
tar -xzf autorespond-2.0.3.tar.gz
cd autorespond-2.0.3
make
make install
INSTALL EZMLM / EZMLM-IDX
This package is a prerequisite for qmailadmin.
ezmlm is mailing list software written by the author of qmail.
ezmlm-idx is a patch that adds extra features to the standard ezmlm program.
EZMLM : http://cr.yp.to/ezmlm.html
EZMLM-IDX PATCH : http://www.ezmlm.org
(although I often find this site unresponsive, and so I use one of the mirrors
instead like http://www.glasswings.com.au/ezmlm/)
cd /usr/local/src
tar xzf ezmlm-0.53.tar.gz
tar xzf ezmlm-idx-0.40.tar.gz
Merge the sources together
cp -R ezmlm-idx-0.40/* ezmlm-0.53/
# (you need to press y quite a few times to allow the patch files to overwrite the original files)
cd ezmlm-0.53
patch < idx.patch
#Apply patch
patch -p1 < ../ezmlm-idx-0.53.400.unified_41.patch
Build the program
make
make man
make setup
INSTALL QMAILADMIN
Info: http://www.inter7.com/qmailadmin
Current Development location : https://sourceforge.net/projects/qmailadmin/
Description :
The domain postmaster can use this tool to view all the accounts on the domain as well as add/remove accounts, forwards, auto-responders etc.
Domains users can use this tool to modify their own user settings only. ie mailbox password, real name, forwards, vacations.
This tool does not let you create new domains.
Download and unpack the source
cd /usr/local/src
tar xzf qmailadmin-1.0.4.tar.gz
cd qmailadmin-1.0.4
(Optional) Make a small mod that affects the look of the qmailadmin login page:
edit the html/en file, and change record 112 to read "Username" rather than
"User Account".
(We found our users knew what to type as their "Username", but didn't
know what to type as a "User Account")
Build the program
./configure --enable-htmldir=/var/www/html/ --enable-cgibindir=/var/www/cgi-bin --enable-maxusersperpage=12 --enable-maxaliasesperpage=12 --enable-modify-quota=n --disable-ezmlm-mysql --enable-help=y
# note, I chose to have 12 accounts per page in the config above,
# because this makes these particular screens fit nicely on my 1024*768 monitor
make
make install-strip
Test to see if it works
SPAM AND VIRUS CHECKING
Right here is where I’d like to tell you to install RAZOR V2. However,
I have not been able to get it to work properly. I keep getting:
razor2 check skipped: Illegal seek Insecure dependency in connect while running
with -T switch at /usr/lib/perl5/5.8.0/i386-linux-thread-multi/IO/Socket.pm
line 114.
If you know the fix for this, I would gladly include it in this howto, and
give appropriate credit!
INSTALL SPAMASSASSIN
Info: http://www.spamassassin.org
Description: SpamAssassin is a program that scans email messages using a set of rules, and then assigns a score. If the score is higher than your nominated limit, then the message will be tagged as spam.
# IMPORTANT – Redhat 9 made a change that (in some cases) breaks perl. The following seemed to work to fix it.
export LANG=en_US
Download and compile
cd /usr/local/src
tar xzf Mail-SpamAssassin-2.60.tar.gz
cd Mail-SpamAssassin-2.60
perl Makefile.PL
make
make install
"make install" creates the following main files :
/usr/bin/spamassassin <- This is the command-line version of the SpamAssassin program
/usr/bin/spamc <- Daemonised Spamassassin client
/usr/bin/spamd <- Daemonised Spamassassin server
/usr/share/spamassassin/ <- The spamassassin logic/filter files live here
/etc/mail/spamassassin/local.cf <- sitewide configuration settings
Test to see if the installation was successful
spamassassin -t < sample-nonspam.txt
spamassassin -t < sample-spam.txt
To improve security, modify the configuration of the spamd daemon so it runs under its own uid
Create a spamd user for the spamd process to run as
groupadd spamd
useradd -g spamd spamd
Modify / create the spamd configuration file
vi /etc/sysconfig/spamassassin
# Hint : if you want to enable SpamAssassin debugging
# (the debug output goes to /var/log/maillog) then use :
# SPAMDOPTIONS="-x -u spamd -H /home/spamd -d -D"
# Don't leave debugging turned on unnecessarily though,
# because it will slow down a busy server.
#
# Otherwise, for normal operation (debugging disabled) use :
SPAMDOPTIONS="-x -u spamd -H /home/spamd -d"
Configure the spamd daemon so it is running all the time from bootup onwards
cp spamd/redhat-rc-script.sh /etc/rc.d/init.d/spamd
chmod 700 /etc/rc.d/init.d/spamd
chkconfig --add spamd
Setup the SpamAssassin configuration
vi /etc/mail/spamassassin/local.cf
# Define the sensitivity level. Standard level is 5.
# After a lot of testing, I found that 8 was the best option for me.
# We found that anything lower produced too many false positives
required_hits 8
# Allow SpamAssassin to rewrite the subject line of any messages it classifies as spam
rewrite_subject 1
# This is the value that will be prepended to the subject line of messages classified as spam
subject_tag [SPAM]
# Put spam analysis reports into the headers of the message (rather than the body)
report_safe 0
# SpamAssassin by default will try and run the following spam-detection utilities
# for every mail message. (You can read about them at http://www.spamassassin.org/dist/INSTALL)
# We don't want to waste any CPU cycles trying to run utilities that we don't have installed,
# so disable these tests for the moment.
use_dcc 0
use_pyzor 0
# razor2 checking is also left disabled here, since (as noted above) Razor V2 could
# not be made to work on this setup; set this to 1 once Razor is installed and working
use_razor2 0
# Enable SpamAssassin's RBL checking features :
# Although we have already done some RBL filtering earlier in qmail's rblsmtpd program,
# it is still recommended to turn on RBL checking in SpamAssassin, as it will run
# checks against a variety of different RBL sources, and the results will help
# tag spam more accurately
skip_rbl_checks 0
# If we haven't received a response from the RBL server in X seconds, then skip that test
rbl_timeout 3
# Now we want to alter some of the default scores for RBL hits
#
# By default the bl.spamcop.net RBL score is 0 (disabled).
# We will override this and give any hits a score of 3
# Info about this RBL is available from http://spamcop.net/fom-serve/cache/290.html
score RCVD_IN_BL_SPAMCOP_NET 3
use_bayes 1
bayes_auto_learn 1
bayes_path /home/spamd/.spamassassin/bayes
If you wish to view all the possible configuration options, use this command :
perldoc Mail::SpamAssassin::Conf
OK, the SpamAssassin software is now fully installed!
Any mail that SpamAssassin classifies as spam will have [SPAM] added to the subject line. You should now probably setup some docs for your users showing them how they can use message filtering rules in their email client. You can see our message filtering guides here
If you aren't ready to reboot the server now, you can fire up spamd in the mean time with this command :
/etc/rc.d/init.d/spamd start
QMAIL-SCANNER
Info: http://qmail-scanner.sourceforge.net
Description: Qmail-Scanner is an add-on that enables a qmail server to scan messages for certain characteristics. It is typically used for its anti-virus protection functions, in which case it is used in conjunction with commercial (or open source) virus scanners. It is also capable of blocking email that contains specific strings in particular headers, or particular attachment filenames or types (e.g. *.VBS attachments).
Install the required supporting modules for Qmail-Scanner
INSTALL TNEF unpacker
Info: http://sourceforge.net/projects/tnef/
tar xzf tnef-1.2.1.tar.gz
cd tnef-1.2.1
./configure
make
make install
INSTALL ReformatMIME (from the Maildrop package)
Info: http://download.sourceforge.net/courier/
bunzip2 maildrop-1.6.2.tar.bz2
tar xvf maildrop-1.6.2.tar
cd maildrop-1.6.2
./configure
make
make install-strip
make install-man
Install ClamAV
Info: http://clamav.elektrapro.com/
Description: Clam AntiVirus is an anti-virus toolkit for UNIX. The main purpose
of this software is the integration with mail servers (attachment scanning).
The package provides a flexible and scalable multi-threaded daemon, a command
line scanner, and a tool for automatic updating via Internet. The programs are
based on a shared library distributed with the Clam AntiVirus package, which
you can use with your own software. The virus database is based on the virus
database from OpenAntiVirus, but contains additional signatures (including signatures
for popular polymorphic viruses, too) and is KEPT UP TO DATE.
Add required users:
groupadd clamav
useradd -g clamav -s /bin/false -c "Clam AntiVirus" clamav
tar zxvf clamav-0.60.tar.gz
cd clamav-0.60
./configure --sysconfdir=/etc
make
make install
Edit /etc/clamav.conf
Remove ‘Example’ from line 8
Go to line 109 and uncomment
#ScanMail
Testing
OK. Let's do some tests. Try to scan the source directory recursively:
$ clamscan -r -l scan.txt clamav-x.yz
It should find the viruses in the clamav-x.yz/test directory. You may check it in the created log - scan.txt. You will find more about clamscan options in the clamscan(1) manual. To test clamd, first start it and then use clamdscan (you can also connect directly to clamd and run the SCAN command):
$ clamdscan -l scan.txt clamav-x.yz
Set up auto updating
touch /var/log/clam-update.log
chmod 644 /var/log/clam-update.log
chown clamav /var/log/clam-update.log
freshclam -d -c 2 -l /var/log/clam-update.log
Lastly, schedule the updates by adding them to cron:
crontab -e
and add this line:
0 8 * * * /usr/local/bin/freshclam --quiet -l /var/log/clam-update.log
INSTALL Qmail-Scanner
Info: http://qmail-scanner.sourceforge.net/
tar zxvf qmail-scanner-1.16.tgz
cd qmail-scanner-1.16
Now spend some time reading the documentation
Configure Qmail-Scanner :
./configure --admin virusadmin --domain yourdomain.com --scanners clamscan,verbose_spamassassin --debug no --install
su - qmaild
/var/qmail/bin/qmail-scanner-queue.pl -g
exit
Alter your qmail-smtpd script so that it allocates sufficient resources to support Qmail-Scanner & SpamAssassin
vi /var/qmail/supervise/qmail-smtpd/run
Change the softlimit from 2000000 to something a fair bit larger. We use 15000000.
Define what mail is to be sent through the Qmail-Scanner
At our site, we have configured Qmail-Scanner to virus-scan all messages (ie inbound and outbound mail). We did this by setting up our /var/qmail/supervise/qmail-smtpd/run file like this :
#!/bin/sh
# when QMAILQUEUE is set, all mail will be sent to the nominated script
QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
export QMAILQUEUE
QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
# softlimit needs to be set at something large such as 15000000
# to allow virusscanning software to run successfully
exec /usr/local/bin/softlimit -m 15000000 \
/usr/local/bin/tcpserver -v -x /etc/tcp.smtp.cdb -c 30 -R \
-u "$QMAILDUID" -g "$NOFILESGID" 0 smtp \
... and the rest of the file snipped ...
However, if you don't want to virusscan all mail, you can selectively nominate
which IP ranges should or shouldn't be checked by setting the QMAILQUEUE variable
via your /etc/tcp.smtp file rather than inside the supervise/qmail-smtpd/run
file. Refer to the Qmail-Scanner home page for setup examples.
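As an added example (not from this HOWTO or from Qmail-Scanner's own docs), here is a sample /etc/tcp.smtp that scans everything except mail from the local host, together with a small awk lookup that mimics tcprules' address matching so rule precedence can be checked before the cdb is rebuilt. The 192.168.1. and 10.0.0. ranges are constructed, and host-name (=) rules are not modelled.

```shell
#!/bin/sh
# Added example, not from the HOWTO: sample tcp.smtp rules plus a lookup
# that mimics tcprules matching (exact address, then longest dotted
# prefix, then the empty default). Address ranges are constructed.
RULES="${TMPDIR:-/tmp}/tcp.smtp.example.$$"
trap 'rm -f "$RULES"' EXIT

write_rules() {
    cat > "$RULES" <<'EOF'
# localhost may relay; its mail bypasses the scanner
127.0.0.1:allow,RELAYCLIENT="",QMAILQUEUE="/var/qmail/bin/qmail-queue"
# office LAN (constructed) may relay but is still scanned
192.168.1.:allow,RELAYCLIENT="",QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
# a blocked range (constructed): the connection is refused outright
10.0.0.:deny
# everyone else: accept and scan
:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
EOF
}

# queue_for IP: prints the QMAILQUEUE the winning rule sets, "deny" if the
# rule refuses the connection, or "inherited" when the rule sets nothing
# (qmail-smtpd then keeps whatever the supervise run script exported).
queue_for() {
    awk -v ip="$1" '
        BEGIN { best = -1 }
        /^#/ || $0 == "" { next }
        {
            i = index($0, ":"); if (i == 0) next
            addr = substr($0, 1, i - 1); env = substr($0, i + 1)
            if (addr == ip) score = 100
            else if (addr == "") score = 0
            else if (substr(ip, 1, length(addr)) == addr) score = length(addr)
            else next
            if (score > best) { best = score; bestenv = env }
        }
        END {
            if (bestenv ~ /^deny/) { print "deny"; exit }
            if (match(bestenv, /QMAILQUEUE="[^"]*"/))
                print substr(bestenv, RSTART + 12, RLENGTH - 13)
            else print "inherited"
        }' "$RULES"
}

write_rules
queue_for 127.0.0.1      # /var/qmail/bin/qmail-queue
queue_for 192.168.1.7    # /var/qmail/bin/qmail-scanner-queue.pl
```

On the server the rules are compiled with tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp < /etc/tcp.smtp, which this example deliberately does not run.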
Any SMTP sessions that are dropped (due to network outages, etc.) may leave files lying around in /var/spool/qmailscan. Running /var/qmail/bin/qmail-scanner-queue.pl -z at least once daily will ensure such files are deleted once they are over 30 hours old. We will make a cronjob to do that:
crontab -e
0 0 * * * /var/qmail/bin/qmail-scanner-queue.pl -z
INSTALL SQUIRRELMAIL
Info: http://www.squirrelmail.org
cd /var/www/html
bunzip2 /usr/local/src/squirrelmail-1.4.1.tar.bz2
tar xvf /usr/local/src/squirrelmail-1.4.1.tar
ln -s squirrelmail-1.4.1 squirrelmail
mkdir /var/squirrelmail
# create the data dir. This is where users' personal preferences are stored if not using the MySQL backend
mkdir /var/squirrelmail/data
# create the attach dir. This is where temp files for emails in progress are stored
mkdir /var/squirrelmail/attach
cd squirrelmail
cp data/default_pref /var/squirrelmail/data
chown -R root.apache /var/squirrelmail
chmod -R 0770 /var/squirrelmail/data
chmod -R 0730 /var/squirrelmail/attach
SquirrelMail allows you to add your company logo to the login page. So whack a copy of your logo into the Apache images directory so it is available for SquirrelMail to use
cp /usr/local/src/yourcompanylogo-100.gif /usr/local/apache/htdocs/images
Configure SquirrelMail
cd config
perl conf.pl
1. ORGANIZATION PREFERENCES
1. Organization name : YourCompany
2. Organization Logo : /images/yourcompanylogo-100.gif
3. Org. Logo Height/Width : 100/100
4. Organization title : YourCompany WebMail (v$version)
2. SERVER SETTINGS
1. Domain : yourdomain.com
Press A to update IMAP settings
4. IMAP Server : localhost
5. IMAP Port : 143
6. Authentication type : login
7. Secure IMAP (TLS) : false
8. Server software : courier
9. Delimiter : .
Press B to update SMTP settings
4. SMTP Server : localhost
5. SMTP Port : 25
6. POP before SMTP : false
7. SMTP Authentication : none
8. Secure SMTP (TLS) : false
3. FOLDER DEFAULTS
9. List Special Folders First : false
15. Default Unseen Type : 2
4. GENERAL OPTIONS
2. Data directory : /var/squirrelmail/data
3. Attachment directory : /var/squirrelmail/attach
6. Usernames in lower case : true
8. Hide squirrelmail attributions : true
12. Allow server-side sorting : false
(Note: server-side sorting is faster, but I personally find the sort results to be not as "intuitive" as when you let SquirrelMail do the sorting. If you toggle this option on/off and compare the resulting displays in SquirrelMail you will see what I mean. For example, if you server-sort the FROM column then the sort will be done on the sender's email address, whereas if you let SquirrelMail do the sort then the column will be sorted on the sender's name. I would suggest you try toggling this option on and off to make your own decision on which sorting method provides the better results.)
6. ADDRESS BOOKS
2. Use Javascript Address Book Search : True
D. SET PRE-DEFINED SETTINGS FOR SPECIFIC IMAP SERVERS
Choose Courier
Now Save and quit the config program
You can define the default SquirrelMail settings that users will receive when they log in.
vi /var/squirrelmail/data/default_pref :
show_html_default=1
language=en_US
use_javascript_addr_book=1
left_size=140
left_refresh=3600
show_username=1
show_username_pos=top
order1=1
order2=2
order3=3
order4=5
order5=4
order6=6
Setup periodic purging of the "attach" directory
When SquirrelMail users are composing a message that has attachment(s), the attachment is temporarily stored in the /var/squirrelmail/attach directory. When the user sends the message, the associated temp files will get deleted.
However, sometimes the temp files do not get deleted (e.g. if the user closes their browser mid-compose). Since the permissions on this directory are set up (as a security measure) to prevent the webserver from listing the files in this directory, there is no way for Apache/SquirrelMail to do a periodic scan/purge of old files.
So we are going to set up a daily crontab to clean up any attachments that get left hanging around:
crontab -e
# delete any files that are more than 2 days old from the SquirrelMail attachment dir
0 0 * * * find /var/squirrelmail/attach/* -atime +2 -exec /bin/rm {} \;
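As an added example (not part of the HOWTO), a dry run of that purge in a throw-away directory shows which files the daily job removes and which it keeps; the directory and file names are constructed, and the find expression adds -type f so that a stray subdirectory is never handed to rm.

```shell
#!/bin/sh
# Added example, not from the HOWTO: dry run of the attachment purge in a
# scratch directory. Paths and file names are constructed.

# Same age test as the cron line, with two refinements: -type f so a stray
# subdirectory is never passed to rm, and no shell glob, so an empty attach
# directory does not leave find with a literal "attach/*" path.
purge_old_attachments() {
    find "$1" -type f -atime +2 -exec rm -f {} \;
}

# Builds a throw-away attach dir with one abandoned upload (last accessed
# years ago), one in-progress upload and a subdirectory, purges it, and
# prints what is left, space separated.
demo_purge() {
    d=$(mktemp -d) || return 1
    touch -a -t 200301010000 "$d/abandoned.att"   # old access time
    touch "$d/in_progress.att"                     # touched just now
    mkdir "$d/subdir"                              # must survive the purge
    purge_old_attachments "$d"
    left=$(ls "$d" | tr '\n' ' ')
    rm -rf "$d"
    echo "${left% }"   # in_progress.att subdir
}

demo_purge
```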
Install the quota_usage plugin so users can see their mailbox quota usage
cd /var/www/html/squirrelmail/plugins
tar xzf /usr/local/src/quota_usage-1.1.tar.gz
tar xzf /usr/local/src/compatibility-1.2.tar.gz
chown -R root.apache quota_usage
chmod -R o-rx quota_usage
chown -R root.apache compatibility
chmod -R o-rx compatibility
# qmailadmin and the other tools all treat 1 MB as 1048576 bytes (1024 * 1024).
# Fix up the quota_usage plugin so it works with the same units.
# Otherwise your quota would show as 20M in qmailadmin and 21M in SquirrelMail :-/
vi quota_usage/functions.php
Go to line 58 and change the value 1000000 to 1048576
cd ../config
perl conf.pl
8. Plugins
choose quota_usage
choose compatibility
Give users the ability to change their passwords in SquirrelMail
INSTALL COURIERPASSD
Info: http://www.arda.homeunix.net/store/
Description: a utility for changing a user's password from across a network.
It uses the same protocol as poppassd to obtain user IDs and passwords.
cd /usr/local/src/
tar zxvf courierpassd-0.30.tar.gz
cd courierpassd-0.30
./configure --with-couriersrc=/usr/local/src/courier-imap-1.4.6
make
make install
Create xinetd script so that only localhost can connect:
vi /etc/xinetd.d/courierpassd
service courierpassd
{
port = 106
socket_type = stream
protocol = tcp
user = root
server = /usr/local/sbin/courierpassd
server_args = -s imap
wait = no
only_from = 127.0.0.1
instances = 4
disable = no
}
Add service to /etc/services
vi /etc/services, scroll to port 106, comment out the 3com lines and add courierpassd:
#3com-tsmux 106/tcp poppassd
#3com-tsmux 106/udp poppassd
courierpassd 106/tcp courierpassd
courierpassd 106/udp courierpassd
Restart xinetd
service xinetd restart
Install SquirrelMail Change Password Plugins
Info: http://www.squirrelmail.org/plugin_view.php?id=21
cd /var/www/html/squirrelmail-1.4.1/plugins
tar zxvf /usr/local/src/change_pass-2.4-1.4.x.tar.gz
cd ../config
perl conf.pl
Select option 8. Plugins
Select the number for change_pass
Save and exit config