To install netqmail we also need ucspi-tcp-0.88 and daemontools-0.76.
Let's start.
- 1. Copy the netqmail-1.06.tar.gz file to /usr/local/src and unpack it; this gives the netqmail-1.06 folder:
tar zxvf netqmail-1.06.tar.gz
- 2. Unpack ucspi-tcp in /usr/local/src
- 6. Create a "package" folder in the root of the file system and unpack daemontools there
- 4. Create /var/qmail folder
mkdir -p /var/qmail
- 5. Link /var/qmail/control to /etc/qmail
ln -s /var/qmail/control /etc/qmail
- 6. Create the users by editing the INSTALL.ids file (remove everything besides the Linux group, uncomment the lines and save the changes; 9 lines will remain)
- 7. Set permission 0700 on that file and run it
./INSTALL.ids
- 8. Check in /etc/passwd and /etc/group that the script created the following users and groups. On my test server they look like this:
alias:x:1007:1006::/var/qmail/alias:/bin/sh
qmaild:x:1008:1006::/var/qmail:/bin/sh
qmaill:x:1009:1006::/var/qmail:/bin/sh
qmailp:x:1010:1006::/var/qmail:/bin/sh
qmailq:x:1011:1007::/var/qmail:/bin/sh
qmailr:x:1012:1007::/var/qmail:/bin/sh
qmails:x:1013:1007::/var/qmail:/bin/sh
nofiles:x:1006:
qmail:x:1007:
- 9. Go to /usr/local/src/netqmail-1.06 and compile netqmail
make setup check
- 10. Run command
./config
if the FQDN is properly configured in DNS, or
./config-fast host.naszadomena.pl
I prefer the second method, because only a few people have full control over their PTR records.
- 11. Go to ucspi-tcp-0.88 folder and patch ucspi
patch < /usr/local/src/netqmail-1.06/other-patches/ucspi-tcp-0.88.errno.patch
next run command
make
make setup check
- 12. Go to /package/admin/daemontools-0.76/src and patch it the same way as ucspi-tcp:
patch < /usr/local/src/netqmail-1.06/other-patches/daemontools-0.76.errno.patch
- 13. Leave the src/ subfolder (go up to /package/admin/daemontools-0.76) and run
package/install
- 14. Create rc file in /var/qmail with lines below:
#!/bin/sh
# logging to stdout
# mails are delivered based on control/defaultdelivery
exec env - PATH="/var/qmail/bin:$PATH" \
qmail-start "`cat /var/qmail/control/defaultdelivery`"
- 15. Set permission 0755 to rc file
- 16. Define Maildir as the default delivery format, used when a user has no ".qmail" file
echo ./Maildir/ >/var/qmail/control/defaultdelivery
- 17. Create the start script qmailctl in /var/qmail/bin (the best option is to copy it from my site or from http://www.lifewithqmail.org/qmailctl-script-dt70)
#!/bin/sh
# description: the qmail MTA

PATH=/var/qmail/bin:/bin:/usr/bin:/usr/local/bin:/usr/local/sbin
export PATH

QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`

case "$1" in
  start)
    echo "Starting qmail"
    if svok /service/qmail-send ; then
      svc -u /service/qmail-send /service/qmail-send/log
    else
      echo "qmail-send supervise not running"
    fi
    if svok /service/qmail-smtpd ; then
      svc -u /service/qmail-smtpd /service/qmail-smtpd/log
    else
      echo "qmail-smtpd supervise not running"
    fi
    if [ -d /var/lock/subsys ]; then
      touch /var/lock/subsys/qmail
    fi
    ;;
  stop)
    echo "Stopping qmail..."
    echo "  qmail-smtpd"
    svc -d /service/qmail-smtpd /service/qmail-smtpd/log
    echo "  qmail-send"
    svc -d /service/qmail-send /service/qmail-send/log
    if [ -f /var/lock/subsys/qmail ]; then
      rm /var/lock/subsys/qmail
    fi
    ;;
  stat)
    svstat /service/qmail-send
    svstat /service/qmail-send/log
    svstat /service/qmail-smtpd
    svstat /service/qmail-smtpd/log
    qmail-qstat
    ;;
  doqueue|alrm|flush)
    echo "Flushing timeout table and sending ALRM signal to qmail-send."
    /var/qmail/bin/qmail-tcpok
    svc -a /service/qmail-send
    ;;
  queue)
    qmail-qstat
    qmail-qread
    ;;
  reload|hup)
    echo "Sending HUP signal to qmail-send."
    svc -h /service/qmail-send
    ;;
  pause)
    echo "Pausing qmail-send"
    svc -p /service/qmail-send
    echo "Pausing qmail-smtpd"
    svc -p /service/qmail-smtpd
    ;;
  cont)
    echo "Continuing qmail-send"
    svc -c /service/qmail-send
    echo "Continuing qmail-smtpd"
    svc -c /service/qmail-smtpd
    ;;
  restart)
    echo "Restarting qmail:"
    echo "* Stopping qmail-smtpd."
    svc -d /service/qmail-smtpd /service/qmail-smtpd/log
    echo "* Sending qmail-send SIGTERM and restarting."
    svc -t /service/qmail-send /service/qmail-send/log
    echo "* Restarting qmail-smtpd."
    svc -u /service/qmail-smtpd /service/qmail-smtpd/log
    ;;
  cdb)
    tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp < /etc/tcp.smtp
    chmod 644 /etc/tcp.smtp.cdb
    echo "Reloaded /etc/tcp.smtp."
    ;;
  help)
    cat <<HELP
stop -- stops mail service (smtp connections refused, nothing goes out)
start -- starts mail service (smtp connection accepted, mail can go out)
pause -- temporarily stops mail service (connections accepted, nothing leaves)
cont -- continues paused mail service
stat -- displays status of mail service
cdb -- rebuild the tcpserver cdb file for smtp
restart -- stops and restarts smtp, sends qmail-send a TERM & restarts it
doqueue -- schedules queued messages for immediate delivery
reload -- sends qmail-send HUP, rereading locals and virtualdomains
queue -- shows status of queue
alrm -- same as doqueue
flush -- same as doqueue
hup -- same as reload
HELP
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|doqueue|flush|reload|stat|pause|cont|cdb|queue|help}"
    exit 1
    ;;
esac

exit 0
- 18. Set permission 0755 on it and link it into a folder in your $PATH
ln -s /var/qmail/bin/qmailctl /usr/local/sbin
- 19. Create the "supervise" folders as follows:
mkdir -p /var/qmail/supervise/qmail-send/log
mkdir -p /var/qmail/supervise/qmail-smtpd/log
- 20. Create script run in /var/qmail/supervise/qmail-send/ and set permission 0755
#!/bin/sh
exec /var/qmail/rc
- 21. Create script run in /var/qmail/supervise/qmail-send/log/ and set permission 0755
#!/bin/sh
exec /usr/local/bin/setuidgid qmaill \
/usr/local/bin/multilog t /var/log/qmail
- 22. Create the script run in /var/qmail/supervise/qmail-smtpd/ and set permission 0755
#!/bin/sh
QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
LOCAL=`head -1 /var/qmail/control/me`
if [ -z "$QMAILDUID" -o -z "$NOFILESGID" -o -z "$MAXSMTPD" -o -z "$LOCAL" ]; then
  echo QMAILDUID, NOFILESGID, MAXSMTPD, or LOCAL is unset in
  echo /var/qmail/supervise/qmail-smtpd/run
  exit 1
fi
if [ ! -f /var/qmail/control/rcpthosts ]; then
  echo "No /var/qmail/control/rcpthosts!"
  echo "Refusing to start SMTP listener because it'll create an open relay"
  exit 1
fi
exec /usr/local/bin/softlimit -m 256000000 \
  /usr/local/bin/tcpserver -v -R -l "$LOCAL" -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \
  -u "$QMAILDUID" -g "$NOFILESGID" 0 smtp /var/qmail/bin/qmail-smtpd 2>&1
Set the softlimit according to your requirements. I think you should set at least 256 MB, but it depends on your server and your email traffic.
- 23. Create the script run in /var/qmail/supervise/qmail-smtpd/log/ and set permission 0755
#!/bin/sh
exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t /var/log/qmail/smtpd
- 24. Create the log folder and set the appropriate owner
mkdir -p /var/log/qmail/smtpd
chown qmaill /var/log/qmail /var/log/qmail/smtpd
- 25. Create the concurrencyincoming file (maximum number of simultaneous SMTP connections)
echo 20 > /var/qmail/control/concurrencyincoming
chmod 644 /var/qmail/control/concurrencyincoming
- 26. Link the supervise folders into /service
ln -s /var/qmail/supervise/qmail-send /var/qmail/supervise/qmail-smtpd /service
- 27. Make sure the following line is present and uncommented in /etc/inittab
SV:123456:respawn:/command/svscanboot
- 28. Make init re-read inittab with the command "init q"; otherwise you will see errors like these:
/service/qmail-send: unable to open supervise/ok: file does not exist
/service/qmail-send/log: unable to open supervise/ok: file does not exist
/service/qmail-smtpd: unable to open supervise/ok: file does not exist
/service/qmail-smtpd/log: unable to open supervise/ok: file does not exist
- 29. Create the tcp.smtp file, which defines from which addresses qmail accepts mail for relaying; in this case only from localhost:
echo '127.:allow,RELAYCLIENT=""' >>/etc/tcp.smtp
- 30. Build the tcp.smtp.cdb database from it
qmailctl cdb
chmod 644 /etc/tcp.smtp*
Every time you change the tcp.smtp file you must run:
tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp < /etc/tcp.smtp
or
qmailctl cdb
- 31. Remove the default MTA; on Debian it is Exim4 (this also removes its start scripts)
apt-get --purge remove exim4
- 32. Add aliases for postmaster, mailer-daemon and root
echo admin > /var/qmail/alias/.qmail-root
echo admin > /var/qmail/alias/.qmail-postmaster
ln -s .qmail-postmaster /var/qmail/alias/.qmail-mailer-daemon
chmod 644 /var/qmail/alias/.qmail-root /var/qmail/alias/.qmail-postmaster
- 33. Replace the sendmail binary with the newer version shipped with qmail
mv /usr/lib/sendmail /usr/lib/sendmail.old
mv /usr/sbin/sendmail /usr/sbin/sendmail.old
chmod 0 /usr/lib/sendmail.old /usr/sbin/sendmail.old
ln -s /var/qmail/bin/sendmail /usr/lib
ln -s /var/qmail/bin/sendmail /usr/sbin
- 34. Check that qmail is working properly
The uptime (in seconds) has to be higher than 1 second! A service that keeps showing 0 or 1 seconds is being restarted by supervise over and over, and you have to find out where the problem is.
qmailctl stat
/service/qmail-send: up (pid 12092) 11 seconds
/service/qmail-send/log: up (pid 12096) 11 seconds
/service/qmail-smtpd: up (pid 12095) 11 seconds
/service/qmail-smtpd/log: up (pid 12094) 11 seconds
messages in queue: 0
messages in queue but not yet preprocessed: 0
- 35. Download checkpassword from http://cr.yp.to/checkpwd.html and copy it to /usr/local/src
- 36. Unpack checkpassword-0.90.tar.gz
tar zxvf checkpassword-0.90.tar.gz
- 37. Go to the checkpassword-0.90 folder and apply the patch
patch < /usr/local/src/netqmail-1.06/other-patches/checkpassword-0.90.errno.patch
- 38. Another option is to open the conf-cc file and replace the line gcc -O2 with:
gcc -O2 -include /usr/include/errno.h
The first method (the patch) is recommended!
- 39. Compile and install checkpassword
make
make setup check
- 40. Create the qmail-pop3d folder in /var/qmail/supervise/
mkdir -p /var/qmail/supervise/qmail-pop3d
- 41. Create the script "run" in /var/qmail/supervise/qmail-pop3d/ and set permission 0755
#!/bin/sh
exec /usr/local/bin/softlimit -m 2000000 \
/usr/local/bin/tcpserver -v -R -H -l 0 0 110 /var/qmail/bin/qmail-popup \
FQDN /bin/checkpassword /var/qmail/bin/qmail-pop3d Maildir 2>&1
where FQDN is the name of your POP3 server, e.g. mail.danpol.net
- 42. Create the "log" folder in /var/qmail/supervise/qmail-pop3d/
mkdir -p /var/qmail/supervise/qmail-pop3d/log
- 43. Create the script "run" in /var/qmail/supervise/qmail-pop3d/log/ and set permission 0755
#!/bin/sh
exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t \
/var/log/qmail/pop3d
- 44. Create the log folder and set "qmaill" as its owner
mkdir -p /var/log/qmail/pop3d
chown qmaill /var/log/qmail/pop3d
- 45. Link /var/qmail/supervise/qmail-pop3d to /service
ln -s /var/qmail/supervise/qmail-pop3d /service
- 46. Modify the qmailctl script in the following way:
  - add to the "start" section
if svok /service/qmail-pop3d ; then
  svc -u /service/qmail-pop3d /service/qmail-pop3d/log
else
  echo "qmail-pop3d supervise not running"
fi
  - add to the "stop" section
echo "  qmail-pop3d"
svc -d /service/qmail-pop3d /service/qmail-pop3d/log
  - add to the "stat" section
svstat /service/qmail-pop3d
svstat /service/qmail-pop3d/log
  - add to the "pause" section
echo "Pausing qmail-pop3d"
svc -p /service/qmail-pop3d
  - add to the "cont" section
echo "Continuing qmail-pop3d"
svc -c /service/qmail-pop3d
  - add to the "restart" section
echo "* Restarting qmail-pop3d."
svc -t /service/qmail-pop3d /service/qmail-pop3d/log
- 47. Check the script by restarting qmail:
qmailctl restart
Restarting qmail:
* Stopping qmail-smtpd.
* Sending qmail-send SIGTERM and restarting.
* Restarting qmail-smtpd.
* Restarting qmail-pop3d.
qmailctl stat
/service/qmail-send: up (pid 24928) 5 seconds
/service/qmail-send/log: up (pid 24933) 5 seconds
/service/qmail-smtpd: up (pid 24932) 5 seconds
/service/qmail-smtpd/log: up (pid 24931) 5 seconds
/service/qmail-pop3d: up (pid 24934) 5 seconds
/service/qmail-pop3d/log: up (pid 24935) 5 seconds
messages in queue: 0
messages in queue but not yet preprocessed: 0
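The uptime check from steps 34 and 47 can be automated. The following is an added example, not a script from the original article; it parses the `qmailctl stat` output shown above and fails when a service is down or has been up for no more than 1 second (the MIN_UPTIME threshold is my assumption, the article only says "higher than 1 sec").

```shell
#!/bin/sh
# Added example, not from the original article: check "qmailctl stat" output.
# Every supervised service must be "up" and its uptime must be above 1 second;
# a service that keeps showing 0 or 1 seconds is being restarted by supervise
# over and over, which is the problem step 34 tells you to hunt down.
# MIN_UPTIME is an assumed threshold, adjustable through the environment.
MIN_UPTIME=${MIN_UPTIME:-2}

# check_svstat: reads svstat lines from stdin, prints a verdict per service,
# returns 0 when every service is healthy and 1 otherwise.
check_svstat() {
    awk -v min="$MIN_UPTIME" '
        # svstat prints e.g. "/service/qmail-send: up (pid 12092) 11 seconds"
        #                 or "/service/qmail-smtpd/log: down 3 seconds, normally up"
        /^\/service\// {
            svc = $1; sub(/:$/, "", svc)
            if ($2 != "up") {
                printf "FAIL %s is %s\n", svc, $2; bad = 1; next
            }
            secs = ""
            for (i = 3; i <= NF; i++) if ($i == "seconds") secs = $(i - 1)
            if (secs == "" || secs + 0 < min) {
                printf "FAIL %s up only %s s (restart loop?)\n", svc, secs; bad = 1
            } else {
                printf "OK   %s up %s s\n", svc, secs
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample: the output you would see if qmail-smtpd were crash-looping
# and its logger were down. Real use: qmailctl stat | check_svstat
SAMPLE='/service/qmail-send: up (pid 12092) 11 seconds
/service/qmail-send/log: up (pid 12096) 11 seconds
/service/qmail-smtpd: up (pid 12095) 1 seconds
/service/qmail-smtpd/log: down 3 seconds, normally up
messages in queue: 0
messages in queue but not yet preprocessed: 0'

if printf '%s\n' "$SAMPLE" | check_svstat; then
    echo "all qmail services healthy"
else
    echo "at least one qmail service is down or restarting"
fi
```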
- 48. Check that the POP3 service is listening
netstat -na --tcp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN
- 49. Assuming the user already exists on the system, create the folders where his mail will be kept:
mkdir /var/spool/mail/username
maildirmake /var/spool/mail/username/Maildir
ln -s /var/spool/mail/username/Maildir/ /home/username/
chown -R username /var/spool/mail/username
- 50. Optionally, set more restrictive permissions on the user's folders, e.g. 0700, both on the home folder and on the one in /var/spool/mail/
So far we have set up:
  - an SMTP server
  - a POP3 server
  - anyone can send email, but only to the domains defined in rcpthosts
In step 51 we allow sending email from one subnet (we are still not talking about SMTP authentication; for our own network this works like an open relay).
- 51. In the file /etc/tcp.smtp add
192.168.0.:allow,RELAYCLIENT=""
and reload tcp.smtp:
qmailctl cdb
This line allows the network 192.168.0.0/24 to send email without authentication.
For a single IP it looks like this (no trailing dot: tcpserver only looks up prefixes ending at an octet boundary, so "192.168.0.1." would never match):
192.168.0.1:allow,RELAYCLIENT=""
Because this is not practical in a larger network, in step 52 we will enable user authentication for SMTP.
- 52. Download the qmail-smtpd-auth-0.31 file by Mariusz Dąbrowski and unpack it
- 53. Copy the files README.auth, base64.c and base64.h into the netqmail source folder
cp README.auth base64.c base64.h /usr/local/src/netqmail-1.06/
- 54. Patch
patch -d /usr/local/src/netqmail-1.06 < auth.patch
- 55. Go to the netqmail folder and compile it again
make
- 56. Replace qmail-smtpd in /var/qmail/bin with the new version
rm /var/qmail/bin/qmail-smtpd
cp qmail-smtpd /var/qmail/bin
- 57. Modify /var/qmail/supervise/qmail-smtpd/run
At the end of the script, before "2>&1", add:
nazwa.serwera.smtp /bin/checkpassword /bin/true
where nazwa.serwera.smtp is the FQDN of your SMTP server (the example below uses serwer.pocztowy.pl). It should look like this:
#!/bin/sh
QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
LOCAL=`head -1 /var/qmail/control/me`
if [ -z "$QMAILDUID" -o -z "$NOFILESGID" -o -z "$MAXSMTPD" -o -z "$LOCAL" ]; then
  echo QMAILDUID, NOFILESGID, MAXSMTPD, or LOCAL is unset in
  echo /var/qmail/supervise/qmail-smtpd/run
  exit 1
fi
if [ ! -f /var/qmail/control/rcpthosts ]; then
  echo "No /var/qmail/control/rcpthosts!"
  echo "Refusing to start SMTP listener because it'll create an open relay"
  exit 1
fi
exec /usr/local/bin/softlimit -m 256000000 \
  /usr/local/bin/tcpserver -v -R -l "$LOCAL" -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \
  -u "$QMAILDUID" -g "$NOFILESGID" 0 smtp /var/qmail/bin/qmail-smtpd \
  serwer.pocztowy.pl /bin/checkpassword /bin/true 2>&1
- 58. Set the permissions on /bin/checkpassword as below (setuid root, executable only by the nofiles group)
-rws--x--- 1 root nofiles 10684 sty 24 23:54 checkpassword
- 59. Restart qmail
RBL
- 60. To check senders against RBL lists, add the following line to the script /var/qmail/supervise/qmail-smtpd/run, just before /var/qmail/bin/qmail-smtpd:
/usr/local/bin/rblsmtpd -r zen.spamhaus.org
- 61. Restart qmail and check that rblsmtpd is running
ps aux | grep rblsmtpd
- 62. We can exempt a particular host from the RBL check by adding a line to tcp.smtp and reloading the database
1.1.1.1:allow,RBLSMTPD=""
- 63. Install stunnel4 with the command:
apt-get install stunnel4
- 64. Enable stunnel by changing "0" to "1" in the ENABLED line of /etc/default/stunnel4
ENABLED=1
- 65. Open the configuration file stunnel.conf, located in /etc/stunnel
- 66. Set the server certificate
cert = /path to server certificate
- 67. Set the server key
key = /path to server key
- 68. Link to article how to generate certificates
- 69. Enable logging (at the beginning I suggest debug level 7) by removing the ";" in front of the options debug and output.
- 70. Start stunnel
/etc/init.d/stunnel4 start
- 71. Import the CA certificate into the user's system and set the client to use an encrypted connection
- 72. Install spamassassin together with its dependencies:
apt-get install spamassassin
- 73. Enable spamassassin by changing "0" to "1" in the ENABLED line of /etc/default/spamassassin
ENABLED=1
- 74. Spamassassin configuration >>here
- 75. Install clamav together with its dependencies
apt-get install clamav
- 76. Choose how clamav should run; the best option is as a daemon
- 77. Choose the virus database mirror (the closer to you the better)
- 78. Set up notification about reloading the virus signatures
- 79. Download qmail-scanner from http://qmail-scanner.sourceforge.net/
- 80. Install the following packages
apt-get install perl-suid
apt-get install tnef
apt-get install unzip
apt-get install maildrop
- 81. Add the group "qscand"
groupadd qscand
- 82. Add the user "qscand"
useradd -c "Qmail-Scanner Account" -g qscand -s /bin/false qscand
- 83. Unpack the scanner
- 84. Configure the scanner according to your needs, e.g.:
./configure --domain mojadomena.pl --sa-quarantine "4"
- 85. If the configuration is fine, accept it and repeat with the --install option
./configure --domain mojadomena.pl --sa-quarantine "4" --install
- 86. Set in the file /etc/tcp.smtp:
:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
The line above causes all mail, except mail sent from localhost, to be scanned. Note that tcpserver uses the most specific matching rule, so clients matching an earlier prefix line (such as the 127. or 192.168.0. lines) are scanned only if QMAILQUEUE is set on those lines too.
- 87. Reload tcp.smtp
qmailctl cdb
Now qmail is working together with clamav and spamassassin.
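Because every rule added to /etc/tcp.smtp in steps 29, 51, 62 and 86 changes who may relay, who skips the RBL check and whose mail is scanned, it is worth auditing the file before each `qmailctl cdb`. The script below is an added example, not part of the original article or of qmail; the sample file it builds is constructed from the rules shown in those steps.

```shell
#!/bin/sh
# Added example, not from the original article: audit /etc/tcp.smtp before
# running "qmailctl cdb". Reports which address prefixes may relay
# (RELAYCLIENT set) or skip RBL checks (RBLSMTPD set), warns about clients
# that bypass qmail-scanner, and fails if the default ":allow" rule itself
# sets RELAYCLIENT, which would make the server an open relay.
audit_tcp_smtp() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blanks
        {
            i = index($0, ":")
            if (i == 0) next                       # not a tcprules line
            addr = substr($0, 1, i - 1)            # "127.", "192.168.0.", "" (default)
            rest = substr($0, i + 1)               # "allow,VAR=...,VAR=..."
            label = (addr == "") ? "default (any host)" : addr
            relay = (rest ~ /RELAYCLIENT=/)
            if (addr == "" && relay) {
                printf "FAIL %s may relay: OPEN RELAY\n", label; openrelay = 1
            } else if (relay) {
                printf "WARN %s may relay without authentication\n", label
            }
            if (rest ~ /RBLSMTPD=/) printf "INFO %s skips RBL checks\n", label
            if (addr == "" && rest ~ /QMAILQUEUE=/) defscan = 1
            if (addr != "" && rest !~ /QMAILQUEUE=/) noscan[++n] = label
        }
        END {
            # tcpserver tries the exact IP and then shorter prefixes before the
            # empty default, so a client matching a prefix line never receives
            # QMAILQUEUE from the default line and its mail is not scanned.
            if (defscan) for (k = 1; k <= n; k++)
                printf "WARN %s matches before the default rule and bypasses qmail-scanner\n", noscan[k]
            exit (openrelay ? 1 : 0)
        }
    ' "$1"
}

# Constructed sample tcp.smtp combining the rules from steps 29, 51, 62 and 86.
TMP=$(mktemp)
cat > "$TMP" <<'EOF'
127.:allow,RELAYCLIENT=""
192.168.0.:allow,RELAYCLIENT=""
1.1.1.1:allow,RBLSMTPD=""
:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
EOF
if audit_tcp_smtp "$TMP"; then echo "OK: no open relay in $TMP"; else echo "open relay found"; fi
rm -f "$TMP"
```

Run it as `audit_tcp_smtp /etc/tcp.smtp` on the real file; a non-zero exit means the default rule grants relaying and the cdb should not be rebuilt until it is fixed.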
- 88. Download qmailanalog and unpack it.
- 89. Apply the patch to qmailanalog
patch
- 90. Compile and install
make
make setup check
- 91. Download qmailmrtg7 and unpack it
- 92. Add to the qmailmrtg7.c file
#include
- 93. make
- 94. make install
- 95. Create a "qmailmrtg" folder where you keep your web sites, e.g. /var/www/qmailmrtg
- 96. Copy index.html and qmail.mrtg.cfg there and change the FQDN to the name of your email server
- 97. Change "WorkDir" to the folder you created
- 98. Add this line to cron and wait at least 15 minutes
*/5 * * * * /usr/bin/mrtg /var/www/qmailmrtg/qmail.mrtg.cfg 2>&1 > /dev/null
dzbanek 2011-05-11