Qmail Rocks Updated
OS: CENTOS 5, CENTOS 5.1
Author: Muhammad Kamran Azeem
ARCH: i386 [Notes for 64 bit will be added soon]
Objective of this document
A few years ago I was looking for a better alternative to sendmail and came across qmail. While looking for a guide I stumbled upon the qmailrocks.org guide. I liked the way it was arranged and how easy it was to follow, and by the time of this writing I have set up countless qmail servers using that (QMR) guide. However, for the past couple of years it has not been updated. The software shipped in the qmailrocks.tar.gz package is now outdated, and the newer releases differ in a few configuration details. So I decided to follow the original QMR guide, but use the latest release of each piece of software, fetched from its own website. This howto is the result. I hope it is helpful to qmail lovers all over the world.
Qmail Rocks home page: http://www.qmailrocks.org . Most of this document is based on the original QMR guide.
Here is what I have added in the original QMR guide:
- Installation of Perl Modules
- Antispam tools (Razor, DCC, RBL SMTPD , Grey listing)
- Qmail Mail MRTG graphs for SPAM and Viruses
Here is what I have removed from the QMR guide:
- qmailanalog / reporting tools (the last steps of the original QMR guide), because they are no longer compatible with the latest version of qmail-scanner.
Scenario
The following howto was created from a live deployment that is still in production. The IPs, hostnames and passwords have been changed to protect privacy.
Hostname: www.example.com
IP: 192.168.0.200
Note on installation software directories:
Whatever is unzipped / untarred from the QMR package, will be in /downloads/qmailrocks directory.
Whatever new software I will download/use, will be placed in /downloads/qmailnew directory.
Step: Upgrade OS:
First of all, upgrade the OS to the latest packages available:
[root@www ~]# yum upgrade
Loading “installonlyn” plugin
Dependencies Resolved
Package Arch Version Repository Size
Installing:
kernel i686 2.6.18-53.1.14.el5 updates 13 M
Updating:
kernel-headers i386 2.6.18-53.1.14.el5 updates 786 k
Transaction Summary
Install 1 Package(s)
Update 1 Package(s)
Remove 0 Package(s)
Total download size: 14 M
Is this ok [y/N]: y
Downloading Packages:
(1/2): kernel-headers-2.6.18-53.1.14.el5.i386.rpm 786 kB 00:01
(2/2): kernel-2.6.18-53.1.14.el5.i686.rpm 13 MB 00:33
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing: kernel ################# [1/3]
Updating : kernel-headers ################# [2/3]
Cleanup : kernel-headers ################# [3/3]
Installed: kernel.i686 0:2.6.18-53.1.14.el5
Updated: kernel-headers.i386 0:2.6.18-53.1.14.el5
Complete!
After a kernel upgrade it is worth re-installing the boot loader (grub). A few times I have seen a system not come back online after the reboot that follows a kernel upgrade. It is rare, but there is no harm in re-installing grub to be on the safe side. Use the disk your system actually boots from (/dev/hda here):
[root@www ~]# grub-install /dev/hda
Installation finished. No error reported.
This is the contents of the device map /boot/grub/device.map.
Check if this is correct or not. If any of the lines is incorrect,
fix it and re-run the script `grub-install’.
This device map was generated by anaconda
(hd0) /dev/hda
Then sync and reboot the system:
[root@www ~]# sync
[root@www ~]# reboot
Step: SSH key based authentication
This is not directly related to qmail, but I set it up on every new server. Key-based SSH authentication, with password logins disabled, removes password-guessing attacks against sshd entirely.
I already have a key pair on my home computer that I use on many servers, so I only need to copy my id_dsa.pub into the home directory of user kamran on the new server.
On my home computer:
WARNING: generate a key pair ONLY if you do not have one already. If you do, make sure to back up your current id_dsa and id_dsa.pub first, because ssh-keygen will offer to overwrite them.
~]$ ssh-keygen -t dsa
~]$ scp .ssh/id_dsa.pub kamran@192.168.0.200:
(Note the trailing colon: without it, scp copies the key into a local file named kamran@192.168.0.200 instead of to the remote host.)
On my new qmail server:
Log on as user kamran. Then:
~]$ ssh localhost
(Just a lazy way of creating the .ssh directory in /home/kamran; not needed if it already exists.)
The public key from my home computer is now in /home/kamran. Append it to /home/kamran/.ssh/authorized_keys:
~]$ cat id_dsa.pub >> .ssh/authorized_keys
~]$ chmod 600 .ssh/authorized_keys
This is important: with StrictModes (the default) sshd ignores an authorized_keys file, or a .ssh directory, that is writable by anyone but its owner, and the key login fails silently.
~]$ rm id_dsa.pub
Next, log in as root and configure the SSH server to allow ONLY key-based authentication, and tighten it a bit: disable root login and password authentication. Keep your current root session open while you do this, and test a fresh key-based login from a second terminal before closing it; if the key setup is wrong, you will otherwise lock yourself out.
vi /etc/ssh/sshd_config
Protocol 2
SyslogFacility AUTHPRIV
LoginGraceTime 2m
PermitRootLogin no
StrictModes yes
MaxAuthTries 6
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
X11Forwarding no
MaxStartups 5
Subsystem sftp /usr/libexec/openssh/sftp-server
Restart sshd service:
service sshd restart
Step: Setup / verify name resolution and IP, etc
cat /etc/hosts
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
192.168.0.200 www.example.com www
cat /etc/resolv.conf
domain example.com
nameserver 72.51.32.92
nameserver 72.51.32.76
options rotate
cat /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=www.example.com
DOMAIN=example.com
GATEWAYDEV=eth0
cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
ONBOOT=yes
BOOTPROTO=static
IPADDR=192.168.0.200
NETMASK=255.255.255.0
Step: Install Software Prerequisites
- httpd, httpd-devel, apr
- php, php-imap, php-mysql, php-gd, php-pear, php-zlib, php-mbstring, php-xml,
- perl, perl-libwww-perl, perl-Digest-SHA1, perl-Digest-HMAC, perl-Net-DNS, perl-HTML-Tagset, perl-HTML-Parser, perl-Time-HiRes, perl-TimeDate, perl-suidperl, perl-DateManip
- gcc, gcc-c++, libtool-ltdl, libtool-ltdl-devel
- mysql-server, mysql-devel, postgresql-devel
- openssl, openssl-devel, openldap-servers
- wget
- patch, patchutils
- pcre-devel
- gdbm-devel
- db4, db4-devel
- fam, fam-devel, gamin-devel
- net-snmp, net-snmp-utils, net-snmp-libs
- mrtg
- spamassassin, expect, zlib-devel
yum -y install net-snmp net-snmp-utils net-snmp-libs mrtg \
  httpd httpd-devel apr php php-imap php-mysql php-gd php-pear php-zlib php-mbstring php-xml \
  gcc gcc-c++ gdbm-devel pcre-devel libtool-ltdl libtool-ltdl-devel \
  mysql-server mysql-devel db4 db4-devel postgresql-devel \
  openssl openssl-devel openldap-servers \
  perl perl-libwww-perl perl-Digest-SHA1 perl-Digest-HMAC perl-Net-DNS perl-HTML-Tagset perl-HTML-Parser perl-Time-HiRes perl-TimeDate perl-suidperl perl-DateManip \
  spamassassin expect zlib-devel wget \
  fam fam-devel gamin-devel patch patchutils
Step: Install necessary perl modules
You can run the following script from the QMR package to check which of the required perl modules are installed:
/downloads/qmailrocks/scripts/util/check_perlmods.script
The technique used in that script is:
perldoc -l Time::HiRes
which prints the path of the module's file, or an error if it is not installed. An equivalent check, worth running before installing anything from CPAN, is:
perl -MTime::HiRes -e 1
which exits 0 only if the module loads. Prefer the distribution's perl-* RPMs where they exist: they are signed packages, whereas a CPAN install fetches tarballs over plain HTTP and runs their build scripts as root.
perl -MCPAN -e "install Bundle::CPAN"
perl -MCPAN -e "reload"
perl -MCPAN -e "install Digest::SHA1"
perl -MCPAN -e "install Digest::HMAC"
perl -MCPAN -e "install HTML::Tagset"
perl -MCPAN -e "install HTML::Parser"
perl -MCPAN -e "install Parse::Syslog"
perl -MCPAN -e "install Statistics::Distributions"
perl -MCPAN -e "install ClamAV::Client"
perl -MCPAN -e "install Mail::SpamAssassin"
perl -MCPAN -e "install Mail::SPF::Query"
perl -MCPAN -e "install IP::Country::Fast"
perl -MCPAN -e "install MIME::Base64"
perl -MCPAN -e "install Getopt::Long"
perl -MCPAN -e "install URI::Escape"
perl -MCPAN -e "install Mail::SPF"
perl -MCPAN -e "install IO::Zlib"
perl -MCPAN -e "install Test::Harness"
perl -MCPAN -e "install Test::Simple"
perl -MCPAN -e "install Mail::DKIM"
perl -MCPAN -e "install Mail::DomainKeys"
perl -MCPAN -e "install Crypt::OpenSSL::Bignum"
perl -MCPAN -e "install IO::Socket::INET6"
perl -MCPAN -e "install IO::Socket::SSL"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::DCC"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::Razor2"
perl -MCPAN -e "install Socket6"
perl -MCPAN -e "install Date::Manip"
perl -MCPAN -e "install DB_File"
perl -MCPAN -e "install Time::HiRes" # problem (done manually, see below)
perl -MCPAN -e "install Archive::Tar" # problem (done manually, see below)
perl -MCPAN -e "install Net::Ident" # problem (done manually, see below)
perl -MCPAN -e "install Razor2::Client::Agent" # will be installed with the Razor software
perl -MCPAN -e "install File::Copy" # problem
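Rather than re-running every CPAN install blindly, it is worth knowing which modules are actually missing before touching CPAN as root. The helper below is an added example, not part of the QMR scripts; it wraps the "perl -MModule -e 1" check described above. The module names are ones this guide installs, and Mail::Does::Not::Exist in the demo is a constructed negative case.

```shell
#!/bin/sh
# Added example: find which Perl modules from a list are missing, and
# read an installed module's version, before running CPAN as root.

# Returns 0 if "perl -MName -e 1" succeeds, i.e. the module loads.
perl_mod_present() {
    perl -M"$1" -e 1 >/dev/null 2>&1
}

# Prints, one per line, the modules from the argument list that do NOT load.
perl_missing_mods() {
    for m in "$@"; do
        perl_mod_present "$m" || echo "$m"
    done
}

# Prints the installed $Module::VERSION, or nothing if the module is absent.
perl_mod_version() {
    perl -M"$1" -e 'print $'"$1"'::VERSION' 2>/dev/null || true
}

# Usage on a subset of the module list from this guide. The CPAN command
# printed next to each name is what you would run afterwards; it is only
# printed here, not executed.
demo_perl_check() {
    missing=$(perl_missing_mods Digest::SHA1 Digest::HMAC HTML::Tagset HTML::Parser \
        Net::DNS Time::HiRes Mail::SpamAssassin Mail::DKIM Mail::Does::Not::Exist)
    for m in $missing; do
        echo "missing: $m   (install with: perl -MCPAN -e 'install $m')"
    done
}
```

Pipe the output of perl_missing_mods into your install loop and the run touches only what is absent; perl_mod_version is the quick way to confirm that a manual install (such as the Time::HiRes tarball below) actually replaced the older copy perl was loading.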
If you get the following error in your cron mails,
Subroutine main::AF_INET6 redefined at /usr/lib/perl5/5.8.8/Exporter.pm line 65.
at /usr/bin/mrtg line 97
or the same error when running "env LANG=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg" by hand, then install the following modules manually:
mkdir /downloads/qmailnew
cd /downloads/qmailnew
wget http://search.cpan.org/CPAN/authors/id/J/JG/JGMYERS/Encode-Detect-1.00.tar.gz
tar xzf Encode-Detect-1.00.tar.gz
cd Encode-Detect-1.00
perl Makefile.PL && make && make install
cd /downloads/qmailnew
wget http://search.cpan.org/CPAN/authors/id/J/JH/JHI/Time-HiRes-1.9715.tar.gz
tar xzf Time-HiRes-1.9715.tar.gz
cd Time-HiRes-1.9715
perl Makefile.PL && make && make install
cd /downloads/qmailnew
wget http://search.cpan.org/CPAN/authors/id/O/OL/OLAF/Net-DNS-0.63.tar.gz
tar xzf Net-DNS-0.63.tar.gz
cd Net-DNS-0.63
perl Makefile.PL && make && make install
cd /downloads/qmailnew
wget http://search.cpan.org/CPAN/authors/id/J/JP/JPC/Net-Ident-1.20.tar.gz
tar xzf Net-Ident-1.20.tar.gz
cd Net-Ident-1.20
perl Makefile.PL && make && make install
cd /downloads/qmailnew
wget http://search.cpan.org/CPAN/authors/id/K/KA/KANE/Archive-Tar-1.38.tar.gz
tar xzf Archive-Tar-1.38.tar.gz
cd Archive-Tar-1.38
perl Makefile.PL && make && make install
cd /downloads/qmailnew
wget http://search.cpan.org/CPAN/authors/id/G/GO/GOZER/mod_perl-2.0.4.tar.gz
tar xzf mod_perl-2.0.4.tar.gz
cd mod_perl-2.0.4
perl Makefile.PL && make && make install
mod_perl's Makefile.PL asks for the path to apxs; find it with:
rpm -ql httpd-devel | grep -i apxs
/usr/sbin/apxs
and either type it at the prompt or pass it as MP_APXS=/usr/sbin/apxs on the Makefile.PL command line.
perl-Time-HiRes may not get installed. Install that through CPAN/manually.
Step: Setup and harden Apache, Generate SSL certificate for apache
cd /etc/httpd/conf.d
mv manual.conf manual.conf.disabled
mv proxy_ajp.conf proxy_ajp.conf.disabled
mv python.conf python.conf.disabled
mv squid.conf squid.conf.disabled
mv welcome.conf welcome.conf.disabled
vi /etc/httpd/conf/httpd.conf
( Unload unnecessary modules. mod_authnz_ldap depends on mod_ldap, so disable both together; with only mod_ldap disabled, httpd fails to load the orphaned module. )
#LoadModule ldap_module modules/mod_ldap.so
#LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
#LoadModule dav_module modules/mod_dav.so
#LoadModule dav_fs_module modules/mod_dav_fs.so
#LoadModule speling_module modules/mod_speling.so
#LoadModule userdir_module modules/mod_userdir.so
#LoadModule proxy_module modules/mod_proxy.so
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
#LoadModule proxy_http_module modules/mod_proxy_http.so
#LoadModule proxy_connect_module modules/mod_proxy_connect.so
User apache
Group apache
ServerAdmin webmaster@example.com
ServerName www.example.com:80
ServerSignature Off
UseCanonicalName Off
DocumentRoot “/var/www/html”
DirectoryIndex index.html index.php index.html.var
AccessFileName .htaccess
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>
Comment out the following line (MUST):
##AddDefaultCharset UTF-8
AddCharset ISO-8859-1 .iso8859-1 .latin1
AddCharset ISO-8859-2 .iso8859-2 .latin2 .cen
AddCharset ISO-8859-3 .iso8859-3 .latin3
AddCharset ISO-8859-4 .iso8859-4 .latin4
AddCharset ISO-8859-5 .iso8859-5 .latin5 .cyr .iso-ru
AddCharset ISO-8859-6 .iso8859-6 .latin6 .arb
AddCharset ISO-8859-7 .iso8859-7 .latin7 .grk
AddCharset ISO-8859-8 .iso8859-8 .latin8 .heb
AddCharset ISO-8859-9 .iso8859-9 .latin9 .trk
AddCharset ISO-2022-JP .iso2022-jp .jis
AddCharset ISO-2022-KR .iso2022-kr .kis
AddCharset ISO-2022-CN .iso2022-cn .cis
AddCharset Big5 .Big5 .big5
AddCharset WINDOWS-1251 .cp-1251 .win-1251
AddCharset CP866 .cp866
AddCharset KOI8-r .koi8-r .koi8-ru
AddCharset KOI8-ru .koi8-uk .ua
AddCharset ISO-10646-UCS-2 .ucs2
AddCharset ISO-10646-UCS-4 .ucs4
AddCharset UTF-8 .utf8
AddCharset GB2312 .gb2312 .gb
AddCharset utf-7 .utf7
AddCharset utf-8 .utf8
AddCharset big5 .big5 .b5
AddCharset EUC-TW .euc-tw
AddCharset EUC-JP .euc-jp
AddCharset EUC-KR .euc-kr
AddCharset shift_jis .sjis
NameVirtualHost *:80
<VirtualHost *:80>
ServerAdmin
DocumentRoot /var/www/vhosts/example.com/httpdocs
ServerName www.example.com
ErrorLog /var/www/vhosts/example.com/logs/error_log
CustomLog /var/www/vhosts/example.com/logs/access_log common
</VirtualHost>
On the OS, the document root, the log directory and an owner account for the site must exist first. The document root is owned by the site account and only readable (not writable) by the apache group, so a compromised web process cannot modify the site's files:
mkdir -p /var/www/vhosts/example.com/{httpdocs,logs}
chown -R apache:apache /var/www/vhosts/example.com
useradd -g users -s /sbin/nologin -d /var/www/vhosts/example.com/ examplecom
passwd examplecom
chown -R examplecom:apache /var/www/vhosts/example.com/httpdocs
chmod 0750 /var/www/vhosts/example.com
chmod 2750 /var/www/vhosts/example.com/httpdocs
service httpd restart
Step: Transfer web content from your old server to new one [optional]
Time to transfer the web content from the old server to the new one.
Log in to the new server as root and change to the parent directory of the example.com document root. In my case the document root is /var/www/vhosts/example.com/httpdocs, so I go to /var/www/vhosts/example.com .
Start lftp from this directory and connect to the old server. Type mirror at the lftp prompt and press enter; lftp then copies the whole remote tree. Note that plain FTP sends the password and the content in the clear; if the old server offers ssh, rsync over ssh (or lftp with an sftp:// URL) is the safer choice.
[root@www example.com]# lftp -u example www.oldserver.com
Password:
lftp example@www.oldserver.com
~> ls
drwxr-xr-x 5 example psacln 4096 Nov 12 14:30 anon_ftp
drwxr-xr-x 2 example psacln 4096 Nov 12 14:30 bin
drwxr-xr-x 3 example psacln 4096 Jul 22 2006 cgi-bin
drwxr-xr-x 2 example psacln 4096 Mar 29 15:08 conf
drwxr-xr-x 2 example psacln 4096 Jul 22 2006 error_docs
drwxr-xr-x 16 example psacln 4096 May 6 07:27 httpdocs
drwxr-xr-x 7 example psacln 4096 Nov 12 21:04 httpsdocs
drwxr-xr-x 2 example psacln 4096 Mar 29 15:08 pd
drwxr-xr-x 2 example psacln 4096 Jul 22 2006 private
dr-xr-xr-x 7 example psacln 4096 Nov 12 14:30 statistics
drwxr-xr-x 2 example psacln 4096 Nov 12 14:30 subdomains
drwxr-xr-x 2 example psacln 4096 Nov 12 14:30 web_users
lftp example@www.oldserver.com
/> mirror
…
`squid3.avi’ at 51904512 (30%) 963.6K/s eta:2m [Receiving data]
Step: Setup Time Zone for new server
Local Time
[root@www example.com]# cat /etc/localtime
(binary TZif data; the readable tail "UTC0" shows the zone is currently UTC)
[root@www example.com]# rm /etc/localtime
rm: remove regular file `/etc/localtime'? y
[root@www example.com]# ln -s /usr/share/zoneinfo/Asia/Karachi /etc/localtime
[root@www example.com]# cat /etc/localtime
(binary TZif data; the tail now reads "PKT-5", i.e. Pakistan time, UTC+5)
Step: Shutdown unnecessary services
service sendmail stop
chkconfig --level 35 sendmail off
service cups stop
chkconfig --level 35 cups off
nmap localhost
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
225/tcp open unknown
443/tcp open https
[root@www ~]# netstat -antp | grep 225
tcp 0 0 0.0.0.0:225 0.0.0.0:* LISTEN 1972/sbadm
[root@www ~]# chkconfig --level 35 sbadm off
[root@www ~]# service sbadm stop
[root@www ~]# nmap localhost
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
[root@www ~]# netstat -antp | grep LISTEN
tcp 0 0 0.0.0.0:40147 0.0.0.0:* LISTEN 2131/perl
tcp 0 0 :::80 :::* LISTEN 1985/httpd
tcp 0 0 :::22 :::* LISTEN 1926/sshd
tcp 0 0 :::443 :::* LISTEN 1985/httpd
40147 is webmin, and I NEVER want it on my server.
[root@www ~]# /etc/rc.d/init.d/webmin stop
Stopping Webmin server in /usr/local/webmin-1.330
[root@www ~]# rm -fr /usr/local/webmin-1.330
[root@www ~]# netstat -antp | grep LISTEN
tcp 0 0 :::80 :::* LISTEN 1985/httpd
tcp 0 0 :::22 :::* LISTEN 1926/sshd
tcp 0 0 :::443 :::* LISTEN 1985/httpd
chkconfig --level 35 sendmail off
chkconfig --level 35 cups off
chkconfig --level 35 firstboot off
chkconfig --level 35 bluetooth off
chkconfig --level 35 ip6tables off
chkconfig --level 35 pcscd off
chkconfig --level 35 sbadm off
chkconfig --level 35 setroubleshoot off
chkconfig --level 35 webmin off
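The nmap/netstat walk above is the right check, but it is worth turning into something repeatable, so that a new listener (another sbadm- or webmin-style daemon appearing after a package update) is noticed. The following is an added example, not from the original guide: it parses "netstat -antp" output and prints every TCP listener whose port is not in an allowlist. The netstat lines in sample_netstat are constructed, modelled on the output shown above.

```shell
#!/bin/sh
# Added example: flag TCP listeners that are not on an allowlist.
# Parses the Linux "netstat -antp" format shown in the guide.

# Reads netstat -antp output on stdin, prints "port program" for every
# socket in LISTEN state. The local address is column 4 ("0.0.0.0:225"
# or ":::80"); the port is whatever follows the last colon.
netstat_listeners() {
    awk '$6 == "LISTEN" {
        n = split($4, a, ":"); port = a[n]
        prog = $7; sub(/^[0-9]+\//, "", prog)   # "1972/sbadm" -> "sbadm"
        print port, prog
    }'
}

# $1 = space-separated allowlist of ports; netstat output on stdin.
# Prints "port program" for each listener not in the allowlist.
unexpected_listeners() {
    allow=" $1 "
    netstat_listeners | while read -r port prog; do
        case "$allow" in
            *" $port "*) ;;
            *) echo "$port $prog" ;;
        esac
    done
}

# Constructed sample, modelled on the netstat output earlier in this step.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:225                 0.0.0.0:*                   LISTEN      1972/sbadm
tcp        0      0 0.0.0.0:40147               0.0.0.0:*                   LISTEN      2131/perl
tcp        0      0 :::80                       :::*                        LISTEN      1985/httpd
tcp        0      0 :::22                       :::*                        LISTEN      1926/sshd
tcp        0      0 :::443                      :::*                        LISTEN      1985/httpd
tcp        0      0 192.168.0.200:22            192.168.0.10:51234          ESTABLISHED 2201/sshd
EOF
}

# On the real machine: netstat -antp | unexpected_listeners "22 80 443"
demo_listeners() {
    sample_netstat | unexpected_listeners "22 80 443"
}
```

Once qmail is running, the allowlist grows to include 25, 110 and whatever you expose for TLS; anything else that shows up is either a service you forgot to chkconfig off or something that deserves a closer look. Run it from cron and mail yourself the output when it is non-empty.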
Step: Setup and Secure MySQL
chkconfig --level 35 mysqld on
service mysqld start
/usr/bin/mysqladmin -u root password 'secretpassword'
/usr/bin/mysqladmin -u root -h www.example.com password 'secretpassword'
mysql -u root -D mysql -p
mysql> select user,password from user;
+------+------------------+
| user | password |
+------+------------------+
| root | 09ac555e5b93c437 |
| root | 09ac555e5b93c437 |
| | |
| | |
+------+------------------+
4 rows in set (0.00 sec)
We delete the two rows with blank user names to tighten security further: they are anonymous accounts that let anyone connect without a password. The mysql_secure_installation script shipped with mysql-server performs the same cleanup (and also drops the test database, which is open to every user). Also note that a password passed on the mysqladmin command line, as above, ends up in the root shell history; clear it afterwards, or set the password from inside the mysql client instead.
mysql> delete from user where user="";
Query OK, 2 rows affected (0.00 sec)
mysql> commit;
Query OK, 0 rows affected (0.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
Step: Setup FTP (VSFTPD)
The FTP login is the site account created in the Apache step (skip useradd/passwd if it already exists). Note that FTP sends the password in clear text; chroot_local_user=YES below at least confines the account to its own directory.
useradd -g users -s /sbin/nologin -d /var/www/vhosts/example.com/ examplecom
passwd examplecom
[root@www httpd]# vi /etc/vsftpd/vsftpd.conf
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
anon_upload_enable=NO
anon_mkdir_write_enable=NO
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
nopriv_user=nobody
ftpd_banner=Welcome to blah FTP service at example.com . You are being watched.
chroot_local_user=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
chkconfig --level 35 vsftpd on
[root@www conf.d]# service vsftpd restart
Shutting down vsftpd: [ OK ]
Starting vsftpd for vsftpd: [ OK ]
[root@www conf.d]# ps aux | grep -i vsftpd
root 6459 0.0 0.0 5056 508 ? Ss 11:37 0:00 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
root 6462 0.0 0.0 4096 584 pts/0 R+ 11:37 0:00 grep -i vsftpd
Step: Setup SNMP and MRTG
yum -y install net-snmp net-snmp-utils net-snmp-libs
Only MRTG on this host will poll snmpd, so do not expose the community string to the network: an SNMPv1 community ("secretsnmp" below) travels in clear text, and with the com2sec source set to "default" any host that learns it can read the whole tree exposed by roview. Restrict the com2sec source to 127.0.0.1, or block UDP 161 from the outside with the firewall.
vi /etc/snmp/snmpd.conf
com2sec notConfigUser default secretsnmp
group notConfigGroup v1 notConfigUser
view roview included .1
access notConfigGroup "" any noauth exact roview rwview none
syslocation SomewhereinUS
syscontact Root <kamran@example.com>
disk /
load 12 14 14
pass .1.3.6.1.4.1.4413.4.1 /usr/bin/ucd5820stat
service snmpd start
chkconfig --level 35 snmpd on
MRTG:
yum -y install mrtg
cfgmaker --global "Options[_]: growright, bits, unknaszero" --ifref=ip --ifdesc=descr --noreversedns --global "WorkDir: /var/www/mrtg" --output=/etc/mrtg/mrtg.cfg secretsnmp@localhost
indexmaker --output=/var/www/mrtg/index.html --title="www.example.com System Graphs" /etc/mrtg/mrtg.cfg
Run mrtg three times. The first two runs print "Rateup WARNING" messages about missing log files; these are expected until the log files exist, and the third run should be clean.
env LANG=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg
env LANG=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg
env LANG=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg
Publish the graphs through Apache. The MRTG pages reveal interface addresses, load and memory figures, so rather than "Allow from all" as below, restrict /mrtg to your management address, or protect it with authentication on the HTTPS vhost.
# vi /etc/httpd/conf.d/mrtg.conf
Alias /mrtg /var/www/mrtg
<Location /mrtg>
Order deny,allow
Allow from all
</Location>
service httpd restart
Add additional graphs:
vi /etc/mrtg/mrtg.cfg
...
...
LoadMIBs: /usr/share/snmp/mibs/UCD-SNMP-MIB.txt, /usr/share/snmp/mibs/TCP-MIB.txt, /usr/share/snmp/mibs/HOST-RESOURCES-MIB.txt
Target[example_root]:dskPercent.1&dskPercent.1:secretsnmp@localhost
MaxBytes[example_root]: 100
Title[example_root]: DISK USAGE - /
PageTop[example_root]: <h1>DISK Usage in % (/)</h1>
Unscaled[example_root]: ymwd
ShortLegend[example_root]: %
YLegend[example_root]: DISK Utilization
Legend1[example_root]: /:
Legend2[example_root]: /:
Legend3[example_root]:
Legend4[example_root]:
LegendI[example_root]: /:
LegendO[example_root]: /:
Options[example_root]: growright, unknaszero, gauge,nopercent
Target[example_loadavg]: laLoad.2&laLoad.3:secretsnmp@localhost
MaxBytes[example_loadavg]: 5000
Title[example_loadavg]: Load Average
PageTop[example_loadavg]: <h1>Load Average</h1>
YLegend[example_loadavg]: Load Average
ShortLegend[example_loadavg]:
Legend1[example_loadavg]: Load average 5 min
Legend2[example_loadavg]: Load average 15 min
LegendI[example_loadavg]: 5min load avg
LegendO[example_loadavg]: 15min load avg
Options[example_loadavg]: nopercent,growright,noinfo,gauge, unknaszero
Target[example_cpusum]:ssCpuRawUser.0&ssCpuRawUser.0:secretsnmp@localhost + ssCpuRawSystem.0&ssCpuRawSystem.0:secretsnmp@localhost + ssCpuRawNice.0&ssCpuRawNice.0:secretsnmp@localhost
MaxBytes[example_cpusum]: 100
Title[example_cpusum]: CPU Usage % (User+System+Nice)
PageTop[example_cpusum]: <H1>CPU Usage % (User+System+Nice)</H1>
ShortLegend[example_cpusum]: %
YLegend[example_cpusum]: CPU Usage
Legend1[example_cpusum]: CPU usage in %
Legend2[example_cpusum]:
Legend3[example_cpusum]:
Legend4[example_cpusum]:
LegendI[example_cpusum]: Active
LegendO[example_cpusum]:
Options[example_cpusum]: growright,nopercent, unknaszero
Target[example_memory]: memTotalReal.0&memAvailReal.0:secretsnmp@localhost
Options[example_memory]: nopercent,growright,gauge,noinfo, unknaszero
Title[example_memory]: Free Memory
PageTop[example_memory]: <H1>Free Memory</H1>
MaxBytes[example_memory]: 2147483648
YLegend[example_memory]: bytes
ShortLegend[example_memory]: bytes
kMG[example_memory]: k,M
Legend1[example_memory]: Total Physical Memory
Legend2[example_memory]: Free Physical Memory
LegendI[example_memory]: Total Memory
LegendO[example_memory]: Free Memory
# Need to specify the download location of the mysql-load software.
Target[example_mysql]: `/usr/local/mrtg-mysql/mrtg-mysql-load -c /usr/local/mrtg-mysql/mysql-load.conf`
Options[example_mysql]: perminute, nopercent, integer, growright, unknaszero
MaxBytes[example_mysql]: 200
AbsMax[example_mysql]: 2000
Unscaled[example_mysql]: dwmy
Title[example_mysql]: MySQL load analysis
PageTop[example_mysql]: <H1>MySQL load Analysis</H1>
ShortLegend[example_mysql]: q/m
Run index maker again:
indexmaker --output=/var/www/mrtg/index.html --title="www.example.com System Graphs" /etc/mrtg/mrtg.cfg
env LANG=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg
env LANG=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg
env LANG=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg
Step: Setup Webalizer
The usage reports list every visiting IP and requested URL, so the same applies here as for /mrtg: restrict /usage rather than leaving it open with "Allow from all".
mv /etc/httpd/conf.d/webalizer.conf /etc/httpd/conf.d/webalizer.conf.orig
cat >> /etc/httpd/conf.d/webalizer.conf << EOF
Alias /usage /var/www/usage
<Location /usage>
Order deny,allow
Allow from all
</Location>
EOF
service httpd restart
Step: Actual Qmail Mail Server setup
Step: Create the necessary users and directories
Note: if you are going to set up multiple machines as qmail servers in a cluster, create the users and groups with the SAME UIDs and GIDs on every node. Permissions on a shared mail store (mail directories on a central NFS mount, an iSCSI-based IP SAN, etc.) are checked by numeric ID, so differing IDs result in mail that qmail refuses to deliver or cannot read. Fixing the IDs even on a single-node setup helps standardization and is good practice.
mkdir -p /var/qmail
mkdir -p /usr/src/qmail
groupadd -g 700 nofiles
useradd -u 701 -g nofiles -d /var/qmail/alias -s /sbin/nologin -p '*' alias
useradd -u 702 -g nofiles -d /var/qmail -s /sbin/nologin -p '*' qmaild
useradd -u 703 -g nofiles -d /var/qmail -s /sbin/nologin -p '*' qmaill
useradd -u 704 -g nofiles -d /var/qmail -s /sbin/nologin -p '*' qmailp
groupadd -g 701 qmail
useradd -u 705 -g qmail -d /var/qmail -s /sbin/nologin -p '*' qmailq
useradd -u 706 -g qmail -d /var/qmail -s /sbin/nologin -p '*' qmailr
useradd -u 707 -g qmail -d /var/qmail -s /sbin/nologin -p '*' qmails
groupadd -g 702 vchkpw
useradd -u 708 -g vchkpw -d /home/vpopmail -s /sbin/nologin -p '*' vpopmail
mkdir -p /package
chmod 1755 /package
mkdir -p /var/log/qmail/qmail-send
mkdir -p /var/log/qmail/qmail-smtpd
mkdir -p /var/log/qmail/qmail-pop3d
chown -R qmaill:root /var/log/qmail
chmod -R 750 /var/log/qmail
mkdir -p /var/qmail/supervise/qmail-smtpd/log
mkdir -p /var/qmail/supervise/qmail-send/log
mkdir -p /var/qmail/supervise/qmail-pop3d/log
chmod +t /var/qmail/supervise/qmail-smtpd
chmod +t /var/qmail/supervise/qmail-send
chmod +t /var/qmail/supervise/qmail-pop3d
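Added example (not part of the guide): a check that every qmail and vpopmail account exists with exactly the UID and GID assigned above. Run it on each node of a cluster before mounting the shared mail store; it reads passwd- and group-format files, so it can also be pointed at copies pulled from other machines. The sample files written by write_sample_ids are constructed.

```shell
#!/bin/sh
# Added example: verify qmail/vpopmail UIDs and GIDs match the values
# the guide assigns. A mismatch on an NFS-shared Maildir store shows up
# only as wrong-owner deferrals, so check before mounting.

QMAIL_GROUPS='nofiles:700 qmail:701 vchkpw:702'
QMAIL_USERS='alias:701:700 qmaild:702:700 qmaill:703:700 qmailp:704:700
qmailq:705:701 qmailr:706:701 qmails:707:701 vpopmail:708:702'

# $1 = passwd-format file, $2 = group-format file (default: the live ones).
# Prints one line per problem; returns 0 only if everything matches.
check_qmail_ids() {
    pw="${1:-/etc/passwd}"; gr="${2:-/etc/group}"; rc=0
    for g in $QMAIL_GROUPS; do
        name="${g%%:*}"; gid="${g#*:}"
        got=$(awk -F: -v n="$name" '$1 == n { print $3; exit }' "$gr")
        [ "$got" = "$gid" ] ||
            { echo "group $name: gid '${got:-missing}', expected $gid"; rc=1; }
    done
    for u in $QMAIL_USERS; do
        name="${u%%:*}"; rest="${u#*:}"; uid="${rest%%:*}"; gid="${rest#*:}"
        got=$(awk -F: -v n="$name" '$1 == n { print $3 ":" $4; exit }' "$pw")
        [ "$got" = "$uid:$gid" ] ||
            { echo "user $name: uid:gid '${got:-missing}', expected $uid:$gid"; rc=1; }
    done
    return $rc
}

# Writes constructed passwd/group files into directory $1: a correct pair,
# plus passwd.bad where qmailq has the wrong UID and vpopmail is absent.
write_sample_ids() {
    cat > "$1/group" <<'EOF'
root:x:0:
nofiles:x:700:
qmail:x:701:
vchkpw:x:702:
EOF
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alias:x:701:700::/var/qmail/alias:/sbin/nologin
qmaild:x:702:700::/var/qmail:/sbin/nologin
qmaill:x:703:700::/var/qmail:/sbin/nologin
qmailp:x:704:700::/var/qmail:/sbin/nologin
qmailq:x:705:701::/var/qmail:/sbin/nologin
qmailr:x:706:701::/var/qmail:/sbin/nologin
qmails:x:707:701::/var/qmail:/sbin/nologin
vpopmail:x:708:702::/home/vpopmail:/sbin/nologin
EOF
    grep -v '^vpopmail:' "$1/passwd" | sed 's/^qmailq:x:705:/qmailq:x:710:/' > "$1/passwd.bad"
}

# Usage on the live system: check_qmail_ids && echo "ids consistent"
demo_qmail_ids() {
    d=$(mktemp -d)
    write_sample_ids "$d"
    check_qmail_ids "$d/passwd" "$d/group" && echo "sample passwd: ok"
    check_qmail_ids "$d/passwd.bad" "$d/group" || echo "sample passwd.bad: problems found"
    rm -rf "$d"
}
```

The check deliberately compares numeric IDs, not names: two nodes can both have a "qmailq" user and still disagree on its UID, and it is the number that ends up on the files in the shared Maildir.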
From Life with qmail (http://www.lifewithqmail.org/lwq.html):
Note: The qmail bin directory must reside on a filesystem that allows the use of executable and setuid() files. Some OS distributions automatically mount /var with the nosuid or noexec options enabled. On such systems, either these options should be disabled or /var/qmail/bin should reside on another filesystem without these options enabled. The Create directories section describes how to use symbolic links to accomplish the latter. If /var is mounted nosuid, you'll probably see the following error message in the qmail-send logs:
delivery : deferral: Sorry,message_has_wrong_owner.(#4.3.5)
For ease of management, all software will be downloaded in /downloads/qmailrocks directory, so lets create that as well.
mkdir -p /downloads/qmailrocks
mkdir -p /downloads/qmailnew
Download the qmailrocks.tar.gz from www.qmailrocks.org in /downloads and untar it at the same location. This will create /downloads/qmailrocks and will have all the QMR files in it. This will help as a source of comparison of various software versions. Current stable release: 2.2.1 - 4/19/2006
cd /downloads/
wget http://www.qmailrocks.org/downloads/qmailrocks.tar.gz
tar xzf qmailrocks.tar.gz
The official Qmail website http://cr.yp.to/qmail.html , has the same version available on it which is supplied by QMR. So we will use the ones provided by QMR.
cd /usr/src/qmail
tar xzf /downloads/qmailrocks/qmail-1.03.tar.gz
tar xzf /downloads/qmailrocks/ucspi-tcp-0.88.tar.gz
cd /package
tar xzf /downloads/qmailrocks/daemontools-0.76.tar.gz
Set up conf-split and conf-spawn. The original QMR guide writes 211 into conf-split and 255 into conf-spawn. Do NOT write 255 into conf-spawn here: the jms1 combined patch applied in the next step contains a hunk that rewrites conf-spawn itself (setting it to 120), and that hunk fails if the file already contains 255. Only set conf-split:
echo 211 > /usr/src/qmail/qmail-1.03/conf-split
## echo 255 > /usr/src/qmail/qmail-1.03/conf-spawn   (do not run this; see the note on the failing hunk below)
Step: Time to apply various patches to Qmail-1.03
Get the latest combined patch (version 7.05) by jms1 from http://qmail.jms1.net/patches/combined-details.shtml . The download is over plain HTTP and this code ends up in a network-facing daemon, so compare the file against a checksum published by the author, if one is available, before applying it.
cd /downloads/qmailnew
wget http://qmail.jms1.net/patches/qmail-1.03-jms1.7.05.patch
This patch already contains the FORCE_TLS patch, so there is no need to patch qmail separately for forcetls (as the QMR guide does).
Note that this combined patch does not contain the tarpitting patch. We do not need tarpitting, as we are not using it.
Lets do the actual patching.
cd /usr/src/qmail/qmail-1.03/
patch < /downloads/qmailnew/qmail-1.03-jms1.7.05.patch
Note that one hunk will fail for conf-spawn IF the value in it is 255, as set up by the original QMR guide. The hunk wants to write 120 to conf-spawn, whereas it already has 255. Note the value cannot be more than 255, and on some systems it cannot be more than 125.
[So I am forgiving this error at the moment and moving on. I do not think it is that serious.]
Since I did not change the value and retained it as 120 in conf-spawn, the hunk did not fail.
Step: Compile Qmail
Patching done. (I am not going to use the tarpit patch.)
Let’s do the actual compilation of Qmail now:
cd /usr/src/qmail/qmail-1.03
make clean
make man && make setup check
Alhumdulillah. Qmail compiled successfully.
Let’s move on.
Run the config-fast script with the server's fully qualified host name:
[root@www qmail-1.03]# ./config-fast www.example.com
Your fully qualified host name is www.example.com.
Putting www.example.com into control/me…
Putting example.com into control/defaultdomain…
Putting example.com into control/plusdomain…
Putting www.example.com into control/locals…
Putting www.example.com into control/rcpthosts…
Now qmail will refuse to accept SMTP messages except to www.example.com.
Make sure to change rcpthosts if you add hosts to locals or virtualdomains!
[root@www qmail-1.03]#
Important, from http://www.antagonism.org/qmr-faq.shtml :
7.11 What is the difference between the locals and rcpthosts files in /var/qmail/control?
The locals file contains domains which reside locally on the machine. This means accounts listed in locals should have shell accounts on the machine. If you use vpopmail, your locals file should be empty but exist. This problem is prevalent in many qmailrocks installs as the instruction set wrongly instructs users to configure qmail using the "config-fast" shell script. Unless the user desires email accounts for his shell accounts, this is not the correct method. The following commands correct this error.
If /var/qmail/control/locals exists, run the first command. If not, you may skip to the second command.
# rm -f /var/qmail/control/locals
# touch /var/qmail/control/locals
# chmod 644 /var/qmail/control/locals
# chown root.root /var/qmail/control/locals
The rcpthosts file contains the domains for which qmail-smtpd will accept email. The rcpthosts file should contain the domain names only. Do not put in email addresses, hostnames or IP addresses into this file.
Though I have read the note above and implemented it on a few live servers, I do not agree with it. The reason is that if I do as advised in this note, then mails destined for root, postmaster, etc. do not get delivered to the mailbox of postmaster. So we won't act upon this advice. I have only copied this text/note here to warn you.
Step: Generate the certificate (QMR guide)
make cert
[root@www qmail-1.03]# make cert
Country Name (2 letter code) [GB]:PK
State or Province Name (full name) [Berkshire]:Punjab
Locality Name (eg, city) [Newbury]:Islamabad
Organization Name (eg, company) [My Company Ltd]:example
Organizational Unit Name (eg, section) []:www
Common Name (eg, your name or your server’s hostname) []:www.example.com
Email Address []: webmaster@example.com
chmod 640 /var/qmail/control/servercert.pem
chown qmaild.qmail /var/qmail/control/servercert.pem
ln -s /var/qmail/control/servercert.pem /var/qmail/control/clientcert.pem
[root@www qmail-1.03]#
chown -R vpopmail:qmail /var/qmail/control/clientcert.pem /var/qmail/control/servercert.pem
servercert.pem holds the private key as well as the self-signed certificate, which is why it must stay mode 640 and never become world-readable. The second chown overrides the first: in the QMR setup qmail-smtpd runs as the vpopmail user (for SMTP AUTH through vchkpw), so vpopmail must be able to read the key. Mail clients will warn about the self-signed certificate until they are told to trust it.
Step: Build ucspi-tcp
Before we build ucspi-tcp, we need to patch it for errno. This patch is included in the QMR package and is also mentioned at http://www.lifewithqmail.org/lwq.html .
cd /usr/src/qmail/ucspi-tcp-0.88/
patch < /downloads/qmailrocks/patches/ucspi-tcp-0.88.errno.patch
make && make setup check
Now we build daemontools.
daemontools also needs the errno patch. It is included in the QMR package and also mentioned at http://www.lifewithqmail.org/lwq.html#install-daemontools
cd /package/admin/daemontools-0.76/src
patch < /downloads/qmailrocks/patches/daemontools-0.76.errno.patch
cd /package/admin/daemontools-0.76
./package/install
You should be able to see svscanboot running:-
[root@www daemontools-0.76]# ps aux | grep svscan
root 26092 0.0 0.0 2424 1012 ? Ss 12:13 0:00 /bin/sh /command/svscanboot
root 26094 0.0 0.0 1664 340 ? S 12:13 0:00 svscan /service
root 26097 0.0 0.0 4100 584 pts/0 R+ 12:13 0:00 grep svscan
Step: EZMLM
You will need the mysql-devel package to be installed on the system before compiling this software.
yum install mysql-devel
The QMR package provides ezmlm-0.53-idx-0.41.tar.gz. The plain upstream version of this software is ezmlm-0.53 at http://cr.yp.to/ezmlm.html ; the extended version (ezmlm-idx) is at http://www.ezmlm.org .
At the time of this writing, the most recent stable version of ezmlm-idx is 6.0.1, available at http://www.ezmlm.org/archive/6.0.1/ . (Even the most recent version in the older stable series, 0.444, is newer than what the QMR package provides.)
There is a twist. The INSTALL file of 6.0.1 tells us to download the plain 0.53 (non-idx) version from http://cr.yp.to/ezmlm.html , untar both 0.53 and 6.0.1 into two separate directories, copy everything from the 6.0.1 directory over the 0.53 directory, patch the 0.53 code with the idx.patch file provided in 6.0.1, configure the various conf-* files, and compile in the 0.53 directory.
Let's download both.
cd /downloads/qmailnew
wget http://cr.yp.to/software/ezmlm-0.53.tar.gz
## wget http://www.ezmlm.org/archive/5.1.2/ezmlm-idx-5.1.2.tar.gz
wget http://www.ezmlm.org/archive/6.0.1/ezmlm-idx-6.0.1.tar.gz
tar xzf ezmlm-0.53.tar.gz
tar xzf ezmlm-idx-6.0.1.tar.gz
cp -r /downloads/qmailnew/ezmlm-idx-6.0.1/* /downloads/qmailnew/ezmlm-0.53/ --reply=yes
cd /downloads/qmailnew/ezmlm-0.53
patch < idx.patch
Configure various config files:
vi conf-etc
/usr/local/etc/ezmlm
vi conf-bin
/usr/local/bin/ezmlm
vi conf-qmail
/var/qmail
Edit conf-sub and change the subscriber storage from the standard filesystem to mysql.
vi conf-sub
mysql
Choose a subscription database support. Available supports are:
- std (Default) filesystem
- mysql MySQL database
- pgsql Postgres database
####################### Removed in 6.0.1 ########
vi sub_mysql/conf-sqlcc
-I/usr/include/mysql
From the INSTALL.idx:-
5.RDBM Support.
MySQL:
If you want to compile ezmlm with MySQL support http://www.mysql.com,
edit conf-cc (include files) and conf-ld (library paths) to reflect
your MySQL installation (see MySQL documentation). The package
should work with MySQL version 3.22 and up.
vi conf-cc
gcc -O -g -I/usr/include/mysql -I/usr/include/pgsql
vi conf-ld
cc -g -B /usr/lib/mysql/
Or, equivalently, without opening an editor:
echo "/usr/local/etc/ezmlm" > conf-etc
echo "/usr/local/bin/ezmlm" > conf-bin
echo "/var/qmail" > conf-qmail
echo "mysql" > conf-sub
Time to compile.
make clean
make
make man
make mysql # new in 6.0.1
make setup
[root@www ezmlm-0.53]# ./ezmlm-test
Verifying message header and body contents…
ezmlm-make: fatal: unable to stat /downloads/qmailnew/ezmlm-0.53/lang/default: file does not exist
ezmlm-make failed
[root@www ezmlm-0.53]# vi conf-lang
[root@www ezmlm-0.53]# ls /downloads/qmailnew/ezmlm-0.53/lang/
ch_GB cs da de en_US es fr hu id it ja nl pl pt pt_BR ru sv
[root@www ezmlm-0.53]# ls /downloads/qmailnew/ezmlm-0.53/lang/en_US/
ezmlmrc mailinglist sed text
[root@www ezmlm-0.53]#
ln -s /downloads/qmailnew/ezmlm-0.53/lang/en_US /downloads/qmailnew/ezmlm-0.53/lang/default
You may want to create the ezmlm MySQL database at this point.
mysql -u root -p
create database ezmlm;
grant all on ezmlm.* to ezmlm@localhost identified by 'mysecret';
flush privileges;
Now create the ezmlm tables in the database. You must use the "-f" option with mysql, which forces it to continue past the errors from the DROP TABLE statements that precede each CREATE TABLE. (Passing the password as -pmysecret puts it in the process list for as long as the command runs; on a multi-user box, give -p without a value and type the password at the prompt.)
./ezmlm-mktab-mysql -d list | mysql -D ezmlm -u ezmlm -pmysecret -f
You may get output as below:
[root@www ezmlm-0.53]# ./ezmlm-mktab-mysql -d list | mysql -D ezmlm -u ezmlm -pmysecret -f
ERROR 1051 (42S02) at line 6: Unknown table 'list'
ERROR 1051 (42S02) at line 7: Unknown table 'list_slog'
ERROR 1051 (42S02) at line 8: Unknown table 'list_digest'
ERROR 1051 (42S02) at line 9: Unknown table 'list_digest_slog'
ERROR 1051 (42S02) at line 10: Unknown table 'list_mod'
ERROR 1051 (42S02) at line 11: Unknown table 'list_mod_slog'
ERROR 1051 (42S02) at line 12: Unknown table 'list_allow'
ERROR 1051 (42S02) at line 13: Unknown table 'list_allow_slog'
ERROR 1051 (42S02) at line 14: Unknown table 'list_deny'
ERROR 1051 (42S02) at line 15: Unknown table 'list_deny_slog'
ERROR 1051 (42S02) at line 17: Unknown table 'list_cookie'
ERROR 1051 (42S02) at line 18: Unknown table 'list_mlog'
ERROR 1051 (42S02) at line 19: Unknown table 'list_digest_cookie'
ERROR 1051 (42S02) at line 20: Unknown table 'list_digest_mlog'
[root@www ezmlm-0.53]#
This is normal. These are just the errors from the DROP TABLE statements that run before each CREATE TABLE, and the tables did not exist yet. If you are paranoid, run the command again: this time there will be no errors, because the tables now exist and are dropped and re-created cleanly.
[root@www ezmlm-0.53]# ./ezmlm-mktab-mysql -d list | mysql -D ezmlm -u ezmlm -pmysecret -f
[root@www ezmlm-0.53]#
Now run the test program again, this time pointing it at the MySQL subscription database. A successful run looks like this:
[root@www ezmlm-0.53]# ./ezmlm-test -s mysql -p mysecret -u ezmlm -d ezmlm -h localhost
ezmlm-make (1/2): OK
Using subdb plugin: mysql
ezmlm-reject: OK
ezmlm-[un|is]sub[n]: OK
ezmlm SQL: OK
ezmlm non-SQL: OK
ezmlm-send: OK
ezmlm-tstdig: OK
ezmlm-weed: OK
ezmlm-make (2/2): OK
ezmlm-clean: OK
ezmlm-store: OK
ezmlm-return: OK
ezmlm-warn (1/2): OK
ezmlm-manage (1/2): OK
ezmlm-request: OK
ezmlm-split: OK
ezmlm-gate: OK
ezmlm-idx: OK
ezmlm-get (index): OK
ezmlm-get (get): OK
ezmlm-get (thread): OK
ezmlm-get (digest): OK
ezmlm-manage (2/2): OK
ezmlm-moderate: OK
ezmlm-warn (2/2): OK
ezmlm-dispatch: OK
Verifying message header and body contents...
flags and substs: OK
subscribe probe: OK
unsubscribe probe: OK
subscribe: OK
unsubscribe: OK
copylines: OK
ezmlm-send: OK
[root@www ezmlm-0.53]#
Congratulations.
Step: AUTORESPONDER
autorespond-2.0.5.tar.gz is provided by the QMR package. It is also the latest version available, so we use it as-is.
cd /downloads/qmailrocks
tar zxf autorespond-2.0.5.tar.gz
cd autorespond-2.0.5
make && make install
Step: Courier Mail Drop
Install Courier MailDrop:- (In QMR this step comes after VPOPmail, Qmailadmin and Vqadmin. But I want to do it before VPOPmail, so I can tell vpopmail to use it / enable it in vpopmail.)
Note: At one time I thought we did not need maildrop at all. But when I removed it, it took reformime away with it, and Qmail-Scanner stopped working without reformime. So we do need Courier MailDrop.
Here is the output if I remove the maildrop rpm from the system and run the qmail-scanner test_installation.sh script with -doit:
[root@www contrib]# ./test_installation.sh -doit
Sending standard test message - no viruses…
qmail-inject: fatal: qq temporary problem (#4.3.0)
Bad error. qmail-inject died
[root@www contrib]#
And I get the following in the /var/log/maillog :-
May 10 14:11:44 www X-Qmail-Scanner-2.04:
After re-installing maildrop, everything worked again.
So, from the QMR site:
Part 7- Maildrop
Maildrop is a mail filtering agent which can be used to filter messages as they arrive on the server. You will probably notice, once this installation is complete, that you don't really use maildrop. However, it's a cool tool and it's worth having around if you ever decide to get crazy with filtering your incoming mail. …..
And here is from the Qmail-Scanner website:-
Requirements
- Netqmail 1.05 (or qmail-1.03 with patches)
- daemontools-0.76+
- reformime from Maildrop 1.3.8+
Let's install Courier MailDrop.
#Make sure you have pcre-devel and gcc-c++ installed on the system
yum install pcre-devel gcc-c++
Ideally (in my opinion) this step should come before vpopmail. Also, from the maildrop homepage:
http://www.courier-mta.org/maildrop/
maildrop is the mail filter/mail delivery agent that's used by the Courier Mail Server. You do not need to download maildrop from here if you already have Courier installed. This is a standalone build of the maildrop mail filter that can be used with other mail servers.
QMR provides maildrop-1.6.3.tar.gz , whereas the latest is maildrop-2.0.4.tar.bz2 .
I will use maildrop-2.0.4 and build an RPM from the source tarball to install it.
cd /downloads/qmailnew
wget http://prdownloads.sourceforge.net/courier/maildrop-2.0.4.tar.bz2
tar xjf maildrop-2.0.4.tar.bz2
cd /downloads/qmailnew/maildrop-2.0.4
I updated the spec file that ships with the maildrop tarball so that its configure section reads:
%configure --with-devel --enable-userdb --enable-maildirquota --enable-syslog=1 --enable-trusted-users='root mail daemon postmaster qmaild mmdf' --enable-restrict-trusted=0 --enable-maildrop-uid=root --enable-maildrop-gid=vchkpw
Caveat: --enable-maildrop-uid=root installs the maildrop binary setuid root, and --enable-restrict-trusted=0 lifts the restriction that normally limits the -d switch (deliver as another user) to root and the accounts listed in --enable-trusted-users. Read the maildrop INSTALL file for what that permits before keeping these two switches on a host that has untrusted local accounts.
I then repackaged it as tar.bz2 and built an RPM from it:
rm maildrop-2.0.4.tar.bz2
tar cjf maildrop-2.0.4.tar.bz2 maildrop-2.0.4
rpmbuild -ta maildrop-2.0.4.tar.bz2
Checking for unpackaged file(s): /usr/lib/rpm/check-files /var/tmp/maildrop-2.0.4-1-buildroot
Wrote: /usr/src/redhat/SRPMS/maildrop-2.0.4-1.src.rpm
Wrote: /usr/src/redhat/RPMS/i386/maildrop-2.0.4-1.i386.rpm
Wrote: /usr/src/redhat/RPMS/i386/maildrop-devel-2.0.4-1.i386.rpm
Wrote: /usr/src/redhat/RPMS/i386/maildrop-man-2.0.4-1.i386.rpm
Wrote: /usr/src/redhat/RPMS/i386/maildrop-debuginfo-2.0.4-1.i386.rpm
Executing(%clean): /bin/sh -e /var/tmp/rpm-tmp.76157
+ umask 022
+ cd /usr/src/redhat/BUILD
+ cd maildrop-2.0.4
+ rm -rf /var/tmp/maildrop-2.0.4-1-buildroot
+ exit 0
Now install the RPM we just built:
rpm -ivh /usr/src/redhat/RPMS/i386/maildrop-2.0.4-1.i386.rpm
Preparing... ########################################### [100%]
1:maildrop ########################################### [100%]
Step: VPOPMAIL with MySQL support
vpopmail-5.4.13.tar.gz is supplied with the QMR package, whereas version 5.4.25 is available on Inter7's sourceforge page:
http://sourceforge.net/project/showfiles.php?group_id=85937
Let's download this new version:
cd /downloads/qmailnew
wget http://optusnet.dl.sourceforge.net/sourceforge/vpopmail/vpopmail-5.4.25.tar.gz
tar xzf vpopmail-5.4.25.tar.gz
cd /downloads/qmailnew/vpopmail-5.4.25
Let's do the preparation first. We already created the user vpopmail and the group vchkpw earlier.
mkdir ~vpopmail/etc
chown vpopmail:vchkpw ~vpopmail/etc
echo "localhost|0|vpopmailuser|vpopmailpassword|vpopmail" > ~vpopmail/etc/vpopmail.mysql
This file holds the database password in clear text. It should be readable only by vpopmail and group vchkpw (mode 640; see the permission discussion in the QMAILADMIN step below), and the directory above it needs the group execute bit so that group members can reach it.
Create vpopmail Database:
mysql -u root -p
CREATE DATABASE vpopmail;
GRANT all ON vpopmail.* TO vpopmailuser@localhost IDENTIFIED BY 'vpopmailpassword';
Flush privileges;
quit;
Try connecting:
mysql -u vpopmailuser -D vpopmail -pvpopmailpassword
cd /downloads/qmailnew/vpopmail-5.4.25
Note: the QMR guide used the following switches for configuring vpopmail. Don't use them; use the ones I have put below this warning instead.
[QMR Guide = ./configure --enable-logging=p --enable-auth-module=mysql --disable-passwd --enable-clear-passwd --disable-many-domains --enable-auth-logging --enable-sql-logging --enable-valias --disable-mysql-limits]
⚠️WARNING : DO NOT USE the --enable-maildrop switch in vpopmail, otherwise you will not get any mail and will see the following "Unable to open mailbox" errors in the maillog:
May 9 20:04:07 www spamd[31043]: spamd: clean message (-1.4/5.0) for kamran@example.com:711 in 1.3 seconds, 934 bytes.
May 9 20:04:07 www spamd[31043]: spamd: result: . -1 - ALL_TRUSTED scantime=1.3,size=934,user=kamran@example.com,uid=711,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=54894,mid=<1830.203.82.59.56.1210345345.squirrel@192.168.0.200>,autolearn=unavailable,shortcircuit=no
May 9 20:04:07 www spamd[31040]: prefork: child states: II
May 9 20:04:07 www maildrop[19011]: Unable to open mailbox.
./configure --enable-logging=p --enable-auth-module=mysql --disable-clear-passwd --disable-many-domains --enable-sql-logging --enable-mysql-replication --enable-valias --enable-roaming-users --enable-spamassassin --enable-mysql-limits
…
…
config.status: creating Makefile
config.status: creating config.h
config.status: executing depfiles commands
vpopmail 5.4.25
Current settings
vpopmail directory = /home/vpopmail
domains directory = /home/vpopmail/domains
uid = 708
gid = 702
roaming users = ON --enable-roaming-users
tcpserver file = /home/vpopmail/etc/tcp.smtp
open_smtp file = /home/vpopmail/etc/open-smtp
rebuild tcpserver file = ON --enable-rebuild-tcpserver-file (default)
password learning = OFF --disable-learn-passwords (default)
md5 passwords = ON --enable-md5-passwords (default)
file locking = ON --enable-file-locking (default)
vdelivermail fsync = OFF --disable-file-sync (default)
make seekable = ON --enable-make-seekable (default)
clear passwd = OFF --disable-clear-passwd
user dir hashing = ON --enable-users-big-dir (default)
address extensions = OFF --disable-qmail-ext (default)
ip alias = OFF --disable-ip-alias-domains (default)
onchange script = OFF --disable-onchange-script (default)
auth module = mysql --enable-auth-module=mysql
mysql replication = ON --enable-mysql-replication
sql logging = ON --enable-sql-logging
mysql limits = ON --enable-mysql-limits
SQL valias table = ON --enable-valias
auth inc = -I/usr/include/mysql
auth lib = -L/usr/lib/mysql -lmysqlclient -lz -lm
system passwords = OFF --disable-passwd (default)
pop syslog = show failed attempts with clear text password --enable-logging=p
auth logging = ON --enable-auth-logging (default)
one domain per SQL table = --disable-many-domains
spamassassin = ON --enable-spamassassin
maildrop = OFF --disable-maildrop (default)
Note the line "pop syslog = show failed attempts with clear text password" above: --enable-logging=p writes the password of every failed POP/IMAP login to syslog, and a failed attempt is often only a typo away from the real password. If other people can read the mail log on your server, pick one of the --enable-logging settings that does not record the password (see ./configure --help).
Now compile it:
make && make install-strip
/usr/bin/install -c -o vpopmail -m 711 -g vchkpw -s 'dotqmail2valias' '/home/vpopmail/bin/dotqmail2valias'
/usr/bin/install -c -o vpopmail -m 711 -g vchkpw -s 'vpopmaild' '/home/vpopmail/bin/vpopmaild'
make[3]: Leaving directory `/downloads/qmailnew/vpopmail-5.4.25'
make[2]: Leaving directory `/downloads/qmailnew/vpopmail-5.4.25'
make[1]: Leaving directory `/downloads/qmailnew/vpopmail-5.4.25'
Step: VQADMIN
The QMR package provides vqadmin-2.3.6.tar.gz . The vqadmin homepage http://www.inter7.com/vqadmin provides vqadmin-2.3.7.tar.gz . Let's use that.
cd /downloads/qmailnew/
wget http://www.inter7.com/vqadmin/vqadmin-2.3.7.tar.gz
tar xzf vqadmin-2.3.7.tar.gz
cd /downloads/qmailnew/vqadmin-2.3.7
mkdir /var/www/vqadmin
chown apache:apache /var/www/vqadmin -R
📝Note that --enable-htmldir in the command below seems to be deprecated in newer versions of vqadmin (even in the one I am using right now). It does not need to be passed to the configure script, as it has no effect.
./configure --enable-cgibindir=/var/www/cgi-bin --enable-htmldir=/var/www/vqadmin
make && make install-strip
Set up a .conf file in /etc/httpd/conf.d/ as vqadmin.conf:
cat >> /etc/httpd/conf.d/vqadmin.conf << EOF
Alias /vqadmin /var/www/vqadmin
<Directory /var/www/vqadmin>
Order deny,allow
Allow from all
</Directory>
EOF
Edit the Apache config file and add the following:
vi /etc/httpd/conf/httpd.conf
<Directory “/var/www/cgi-bin/vqadmin”>
Allow from all
Options ExecCGI
AllowOverride AuthConfig
Order deny,allow
</Directory>
Secure VQADMIN
cat >> /var/www/cgi-bin/vqadmin/.htaccess << EOF
AuthType Basic
#AuthUserFile will also be at a common place, such as /var/www/.htpasswd.vqadmin
AuthUserFile /var/www/.htpasswd.vqadmin
AuthName vQadmin
require valid-user
##satisfy any
EOF
chown apache:apache /var/www/cgi-bin/vqadmin/.htaccess
chmod 640 /var/www/cgi-bin/vqadmin/.htaccess
#The QMR guide suggests 644, which is too lax I think
htpasswd -bc /var/www/.htpasswd.vqadmin admin vqadminpassword
chown apache:apache /var/www/.htpasswd.vqadmin
# This step is not in QMR.
chmod 640 /var/www/.htpasswd.vqadmin
Two caveats on the above. htpasswd -b takes the password on the command line, where it ends up in the shell history and, briefly, in the process list; leave -b out and type the password at the prompt. And owning .htpasswd.vqadmin by apache:apache lets the web server process, and any CGI it runs, rewrite its own password file; root:apache with mode 640 still lets Apache read it but not change it. Also remember that the <Directory> block for cgi-bin/vqadmin allows every source address and that Basic auth over plain http:// sends the password unencrypted, so restrict the allowed addresses or serve vqadmin over HTTPS.
service httpd restart
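The vqadmin <Directory> block above answers every source address (Allow from all) and protects the CGI only with Basic auth from .htaccess, reached over plain http:// , so the admin password crosses the network unencrypted. The following is an added example, not from the QMR guide or this howto's author: a shell function that writes a tighter block in the same heredoc style the howto uses, requiring both a permitted source network and a valid Basic-auth user, and refusing requests that did not arrive over TLS. It assumes Apache 2.2 syntax as on CentOS 5, that mod_ssl is loaded (SSLRequireSSL makes httpd fail to start otherwise), and uses 192.168.0.0/24 as a placeholder for the admin network.

```shell
#!/bin/sh
# Added example (not part of the QMR guide or this howto): generate a hardened
# <Directory> block for the vqadmin CGI and verify the directives landed.
# Assumptions: Apache 2.2 (Order/Allow/Deny syntax), mod_ssl loaded,
# 192.168.0.0/24 is a placeholder for the network the admins sit on.

# write_vqadmin_conf OUTFILE ALLOWED_NET
# Writes a block that (a) denies everyone except ALLOWED_NET, (b) requires a
# Basic-auth user from the same htpasswd file the howto creates, and
# (c) refuses non-TLS requests. Apache 2.2 defaults to "Satisfy All", so a
# client has to pass the address check AND the password check.
write_vqadmin_conf() {
    cat > "$1" << EOF
<Directory "/var/www/cgi-bin/vqadmin">
    Options ExecCGI
    # auth now lives here, so .htaccess is not consulted any more
    AllowOverride None
    Order deny,allow
    Deny from all
    Allow from $2
    # plain http:// would send the Basic-auth password in the clear
    SSLRequireSSL
    AuthType Basic
    AuthName vQadmin
    AuthUserFile /var/www/.htpasswd.vqadmin
    Require valid-user
</Directory>
EOF
}

# conf_has OUTFILE DIRECTIVE -> 0 when DIRECTIVE starts a line in OUTFILE
conf_has() {
    grep -q "^[[:space:]]*$2" "$1"
}

# Demonstration: write to a temp file and show which hardening directives are present.
out=$(mktemp)
write_vqadmin_conf "$out" 192.168.0.0/24
for d in 'Deny from all' 'Allow from 192.168.0.0/24' 'SSLRequireSSL' 'Require valid-user'; do
    if conf_has "$out" "$d"; then echo "present: $d"; else echo "MISSING: $d"; fi
done
rm -f "$out"
```

To use it on the server, write the output to a file under /etc/httpd/conf.d/ (for example vqadmin-access.conf) instead of the httpd.conf block shown above, then service httpd restart. The vqadmin .htaccess file becomes redundant because AllowOverride None ignores it; the htpasswd file is still needed.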
Open the following link in a web browser:
http://10.1.2.3/cgi-bin/vqadmin/vqadmin.cgi
If you see a white page instead of the Vqadmin menu, check your Apache error log.
Apache error log:-
[Thu May 08 16:51:18 2008] [error] [client 203.82.59.56] File does not exist:
/var/www/vhosts/example.com/httpdocs/images,
referer: http://192.168.0.200/cgi-bin/vqadmin/vqadmin.cgi
The solution is:
ln -s /var/www/html/images /var/www/vhosts/example.com/httpdocs/
chown apache:apache /var/www/html -R
(Handing the whole /var/www/html tree to apache lets the web server process modify the site content it serves. The images only need to be readable by apache, so root ownership with world-readable modes is enough if you want to keep the tree read-only for the server.)
Add a domain “example.com” in vqadmin .
postmaster password: postmasterpassword
Created Domain
Domain postmaster added
Step: QMAILADMIN:
QMR provides qmailadmin-1.2.9.tar.gz .
The latest stable release on Inter7 is 1.2.11.
The latest development version is 1.2.12 .
cd /downloads/qmailnew/
wget http://internap.dl.sourceforge.net/sourceforge/qmailadmin/qmailadmin-1.2.12.tar.gz
tar xzf qmailadmin-1.2.12.tar.gz
cd /downloads/qmailnew/qmailadmin-1.2.12
[ optional ]
mkdir /var/www/qmailadmin
cat >> /etc/httpd/conf.d/qmailadmin.conf << EOF
Alias /qmailadmin /var/www/qmailadmin
<Directory /var/www/qmailadmin>
Order deny,allow
Allow from all
</Directory>
EOF
chown apache:apache /var/www/qmailadmin
service httpd restart
[ optional end ]
./configure --enable-cgibindir=/var/www/cgi-bin --enable-htmldir=/var/www/qmailadmin --enable-imageurl=/qmailadmin/images/qmailadmin
./configure --enable-cgibindir=/var/www/cgi-bin --enable-htmldir=/var/www/qmailadmin \
--enable-imagedir=/var/www/qmailadmin/images --enable-imageurl=/qmailadmin/images \
--enable-modify-quota
…
…
qmailadmin 1.2.12 Current settings
cgi-bin dir = /var/www/cgi-bin
html dir = /var/www/qmailadmin
image dir = /var/www/qmailadmin/images
image URL = /qmailadmin/images
template dir = /usr/local/share/qmailadmin
qmail dir = /var/qmail
vpopmail dir = /home/vpopmail
autorespond dir = /usr/bin
ezmlm dir = /usr/local/bin/ezmlm
ezmlm idx = yes
mysql for ezmlm = yes
help = no
modify quota = no
domain autofill = no
modify spam check = no
Before compiling, compare this summary with the switches you passed: it reports modify quota = no although --enable-modify-quota was on the configure line above, so re-run configure until every setting you need is reflected here.
make && make install-strip
Try logging on to the URL:
http://192.168.0.200/cgi-bin/qmailadmin
and add a few users.
Email Account kamran@example.com (Muhammad Kamran Azeem) added successfully
Alhumdulillah.
📝Note: If you see a blank page after adding a user in qmailadmin, read the note below:
####################### NOTE : start #####################################
Blank page after adding a user.
[Tue Apr 01 05:00:42 2008] [error] [client 210.2.164.144] vmysql: can’t read settings from /home/vpopmail/etc/vpopmail.mysql, referer: http://10.1.2.3/cgi-bin/qmailadmin
[Tue Apr 01 05:00:42 2008] [error] [client 210.2.164.144] Premature end of script headers: qmailadmin, referer: http://10.1.2.3/cgi-bin/qmailadmin
The permissions of /home/vpopmail/etc/vpopmail.mysql are 640, to keep the MySQL credentials in it away from ordinary users. If I change it to 644 so that apache can read the file, every other local user can read it too.
Maybe I should add apache to the group vchkpw.
vi /etc/group
vchkpw:x:702:apache
Still the same problem. I need to investigate further. For the moment I am continuing with 644 on this file.
Still the same problem. I notice that :-
[root@www qmailadmin-1.2.12]# ls -l /home/
total 12
drwx------ 4 akhan users 4096 Mar 28 22:05 akhan
drwx------ 2 vmail vmail 4096 Mar 29 02:25 vmail
drwx------ 8 vpopmail vchkpw 4096 Apr 1 03:34 vpopmail
[root@www qmailadmin-1.2.12]# ls -l /var/www/cgi-bin/
total 160
-rwsr-sr-x 1 vpopmail vchkpw 151864 Apr 1 04:57 qmailadmin
Corrected. I had set the permissions of the directory ~vpopmail/etc to 640. Without the execute bit, members of group vchkpw cannot "change directory into" ~vpopmail/etc, so they cannot read vpopmail.mysql even though the file itself is group-readable. (The qmailadmin CGI is setuid vpopmail and setgid vchkpw, as the ls -l above shows, so apache itself never needs access: the directory needs the group execute bit, e.g. mode 750, and the file can go back to 640.)
Removed apache from the membership of group vchkpw in /etc/group.
vi /etc/group
vchkpw:x:702:
Email Account kamran@example.com (Muhammad Kamran Azeem) added successfully
Alhumdulillah. The qmailadmin web interface seems to be behaving correctly.
####################################### NOTE : end #######################################
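The root cause in the note above is a permission chain, not a single file mode: the credentials file can stay at 640 as long as its directory is searchable by group vchkpw, and qmailadmin reads it as vpopmail/vchkpw through its setuid/setgid bits rather than as apache. The following is an added example, not part of the original howto: a POSIX shell check that reproduces the failure on a constructed copy of ~vpopmail/etc inside a temp directory and then shows the corrected layout. It assumes the 10-character mode string printed by ls -ld; the paths and the sample credential line are placeholders.

```shell
#!/bin/sh
# Added example (not from the QMR guide or this howto): audit the permission
# chain around a credentials file such as ~vpopmail/etc/vpopmail.mysql.
# Assumption: 'ls -ld' prints a mode string like drwxr-x--- in columns 1-10.

# mode_string PATH -> the 10-character mode string, empty if PATH cannot be stat'ed
mode_string() {
    ls -ld "$1" 2>/dev/null | cut -c1-10
}

# mode_char MODESTRING POSITION -> the single character at POSITION (1-based)
mode_char() {
    printf '%s' "$1" | cut -c"$2"
}

# check_secret_file DIR FILE -> 0 when
#   * DIR has the group execute bit (group members can enter it; this is the
#     bit a "640" directory lacks, which is what broke qmailadmin above),
#   * DIR and FILE grant nothing to "other",
#   * FILE is not group-writable.
# Prints one line per violated requirement and returns 1 if any was violated.
check_secret_file() {
    dir=$1; file=$2; rc=0
    dm=$(mode_string "$dir")
    fm=$(mode_string "$file")
    [ "$(mode_char "$dm" 7)" = x ] || { echo "$dir: group cannot traverse it (mode $dm)"; rc=1; }
    [ "$(printf '%s' "$dm" | cut -c8-10)" = '---' ] || { echo "$dir: accessible to other (mode $dm)"; rc=1; }
    if [ -z "$fm" ]; then
        # as a non-root owner of a 640 directory you cannot even stat the file
        echo "$file: cannot stat it (is the directory searchable?)"; rc=1
    else
        [ "$(printf '%s' "$fm" | cut -c8-10)" = '---' ] || { echo "$file: readable by other (mode $fm)"; rc=1; }
        [ "$(mode_char "$fm" 6)" = '-' ] || { echo "$file: writable by group (mode $fm)"; rc=1; }
    fi
    return $rc
}

# Demonstration on a constructed tree (placeholder credential line, temp directory).
demo=$(mktemp -d)
mkdir "$demo/etc"
printf 'localhost|0|vpopmailuser|vpopmailpassword|vpopmail\n' > "$demo/etc/vpopmail.mysql"
chmod 640 "$demo/etc/vpopmail.mysql"

chmod 640 "$demo/etc"   # the mistake from the note above: no execute bit on the directory
if check_secret_file "$demo/etc" "$demo/etc/vpopmail.mysql"; then echo "unexpected: passed"; fi

chmod 750 "$demo/etc"   # the fix: group vchkpw may enter, other gets nothing, file stays 640
if check_secret_file "$demo/etc" "$demo/etc/vpopmail.mysql"; then echo "vpopmail.mysql: permission chain OK"; fi
rm -rf "$demo"
```

Run check_secret_file ~vpopmail/etc ~vpopmail/etc/vpopmail.mysql on the real server after the chown/chmod steps; the same function works for /var/www/.htpasswd.vqadmin and its directory.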
Step: FINALIZING QMAIL:
The QMR guide suggests running the following script:
#/downloads/qmailrocks/scripts/finalize/linux/finalize_linux.script
This script can be viewed online at:
http://www.qmailrocks.org/downloads/scripts/finalize/linux/finalize_linux.script
I will use the actual content of the script to do the tasks manually.
#First Copy all supervise scripts to their proper locations.:
cp /downloads/qmailrocks/scripts/finalize/linux/pop3d_run /var/qmail/supervise/qmail-pop3d/run
cp /downloads/qmailrocks/scripts/finalize/linux/pop3d_log /var/qmail/supervise/qmail-pop3d/log/run
cp /downloads/qmailrocks/scripts/finalize/linux/smtpd_run /var/qmail/supervise/qmail-smtpd/run
cp /downloads/qmailrocks/scripts/finalize/linux/smtpd_log /var/qmail/supervise/qmail-smtpd/log/run
cp /downloads/qmailrocks/scripts/finalize/linux/send_run /var/qmail/supervise/qmail-send/run
cp /downloads/qmailrocks/scripts/finalize/linux/send_log /var/qmail/supervise/qmail-send/log/run
#Next: Copy rc and qmailctl scripts to proper locations:
cp /downloads/qmailrocks/scripts/finalize/rc /var/qmail/
cp /downloads/qmailrocks/scripts/finalize/qmailctl /var/qmail/bin/
#Set up the needed permissions:
chmod 755 /var/qmail/rc /var/qmail/bin/qmailctl
chmod 751 /var/qmail/supervise/qmail-pop3d/run
chmod 751 /var/qmail/supervise/qmail-pop3d/log/run
chmod 751 /var/qmail/supervise/qmail-smtpd/run
chmod 751 /var/qmail/supervise/qmail-smtpd/log/run
chmod 751 /var/qmail/supervise/qmail-send/run
chmod 751 /var/qmail/supervise/qmail-send/log/run
#Setup default values to various control files:
echo ./Maildir > /var/qmail/control/defaultdelivery
echo 255 > /var/qmail/control/concurrencyremote
chmod 644 /var/qmail/control/concurrencyremote
echo 30 > /var/qmail/control/concurrencyincoming
chmod 644 /var/qmail/control/concurrencyincoming
#Create symbolic links:
ln -s /var/qmail/bin/qmailctl /usr/bin
ln -s /var/qmail/supervise/qmail-send /var/qmail/supervise/qmail-smtpd /var/qmail/supervise/qmail-pop3d /service
Next edit the run scripts and adjust a few values:
vi /var/qmail/supervise/qmail-pop3d/run
Find "mail.example.com" and change it to your server's hostname, for example www.example.com. (In vi: :%s/mail.example.com/www.example.com/g )
vi /var/qmail/supervise/qmail-smtpd/run
Find "mail.example.com" and change it to your server's hostname, for example www.example.com.
Next, stop qmail, grant relaying to the loopback network only, and rebuild the tcp.smtp.cdb that qmail-smtpd consults:
qmailctl stop
echo '127.:allow,RELAYCLIENT=""' >> /etc/tcp.smtp
qmailctl cdb
The address prefix before the colon is what decides who may relay. Only add RELAYCLIENT for networks you control; a rule with an empty prefix, such as :allow,RELAYCLIENT="" , matches every client and makes the server an open relay.
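Since everything hinges on the prefix before the colon, it is worth checking /etc/tcp.smtp before qmailctl cdb compiles it. The following is an added example, not part of the QMR guide or this howto: a POSIX shell audit that lists every prefix granted RELAYCLIENT and fails when a rule with an empty prefix (which tcprules matches against every client) sets it. The two sample rule files are constructed for the demonstration; the private-range patterns in the case statement are the usual loopback and RFC 1918 prefixes and are an assumption about what counts as local on your network.

```shell
#!/bin/sh
# Added example (not from the QMR guide or this howto): audit a tcprules file
# such as /etc/tcp.smtp for RELAYCLIENT grants that are broader than intended.
# Assumptions: plain "prefix:allow,VAR=..." syntax as used in the howto; the
# loopback/RFC 1918 prefixes below are what we treat as "our own" networks.

# relay_prefixes FILE -> one line per rule that sets RELAYCLIENT, giving the
# address prefix of that rule; an empty prefix (matches everyone) prints as <any>.
# Comment lines are skipped, deny rules do not grant anything.
relay_prefixes() {
    grep -v '^[[:space:]]*#' "$1" | grep ':allow' | grep 'RELAYCLIENT=' \
        | awk -F: '{ print ($1 == "" ? "<any>" : $1) }'
}

# check_open_relay FILE -> 0 when no RELAYCLIENT rule matches every client,
# 1 (with a diagnostic) when one does. Non-private prefixes only get a warning,
# because relaying for a known remote office may be intended.
check_open_relay() {
    bad=0
    for p in $(relay_prefixes "$1"); do
        case "$p" in
            '<any>')
                echo "$1: RELAYCLIENT set for all clients (open relay)"; bad=1 ;;
            127.|10.|192.168.*|172.1[6-9].|172.2[0-9].|172.3[01].)
                ;;   # loopback / RFC 1918: expected
            *)
                echo "$1: RELAYCLIENT granted to non-private prefix '$p', verify this is intended" ;;
        esac
    done
    return $bad
}

# Demonstration on two constructed rule files.
safe=$(mktemp); open=$(mktemp)
cat > "$safe" << 'EOF'
# loopback and the office LAN may relay; everybody else may only deliver locally
127.:allow,RELAYCLIENT=""
192.168.0.:allow,RELAYCLIENT=""
:allow
EOF
cat > "$open" << 'EOF'
127.:allow,RELAYCLIENT=""
:allow,RELAYCLIENT=""
EOF
if check_open_relay "$safe"; then echo "$safe: OK"; fi
if ! check_open_relay "$open"; then echo "$open: fix this before running qmailctl cdb"; fi
rm -f "$safe" "$open"
```

The check reads the text file, not the compiled tcp.smtp.cdb, so run it on /etc/tcp.smtp each time you edit it and before qmailctl cdb. It does not understand the =host.name or range forms tcprules accepts; those show up in the warning branch for manual review.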
Now we create the common system aliases. These tell qmail what to do with common server-generated mail.
echo postmaster@example.com > /var/qmail/alias/.qmail-root
echo postmaster@example.com > /var/qmail/alias/.qmail-postmaster
echo postmaster@example.com > /var/qmail/alias/.qmail-mailer-daemon
ln -s /var/qmail/alias/.qmail-root /var/qmail/alias/.qmail-anonymous
chmod 644 /var/qmail/alias/.qmail*
REMOVE SENDMAIL, POSTFIX, EXIM from the system:
If you have not removed these packages before, do it now.
service sendmail stop
service postfix stop
service exim stop
service dovecot stop
rpm -e sendmail --nodeps
rpm -e sendmail-cf --nodeps
rpm -e postfix --nodeps
rpm -e exim --nodeps
#Create artificial sendmail path:
rm -f /usr/lib/sendmail
rm -f /usr/sbin/sendmail
ln -s /var/qmail/bin/sendmail /usr/lib/sendmail
ln -s /var/qmail/bin/sendmail /usr/sbin/sendmail
START QMAIL:
The QMR guide asks you to run the following script:
#/downloads/qmailrocks/scripts/util/qmr_inst_check
The script is long and there is no advantage in running it command by command. It checks for some key required files and folders and also checks the permissions and ownership settings of many key items. If a needed file does not exist, or the ownership/permissions on a key file are wrong, it tells you and suggests how to correct the error. This script does NOT check the CONTENT or SYNTAX of your scripts, only their existence and their ownership/permission settings. If you have broken the syntax of one of the run scripts, this tool will not detect it.
Lets run it:
/downloads/qmailrocks/scripts/util/qmr_inst_check
[root@www qmailadmin-1.2.12]# /downloads/qmailrocks/scripts/util/qmr_inst_check
Congratulations, your Qmailrocks.org Qmail installation looks good!
[root@www qmailadmin-1.2.12]# qmailctl stat
/service/qmail-send: down 228 seconds, normally up
/service/qmail-send/log: down 228 seconds, normally up
/service/qmail-smtpd: down 228 seconds, normally up
/service/qmail-smtpd/log: down 228 seconds, normally up
/service/qmail-pop3d: down 228 seconds, normally up
/service/qmail-pop3d/log: down 228 seconds, normally up
messages in queue: 0
messages in queue but not yet preprocessed: 0
All six services show as down because nothing has started them yet: run qmailctl start and check qmailctl stat again before going on; every entry should then read "up".
Step: COURIER IMAP + COURIERPASSD:
Courier-imap is the preferred IMAP server to install because it has built-in support for the vchkpw mail user setup that Vpopmail uses. In short, Courier IMAP works with Vpopmail and virtual domains. In addition to Courier-imap, we're going to install Courierpassd, a utility that allows users to change their mailbox passwords remotely.
#Must have gdbm-devel installed.
yum install gdbm-devel
We are going to use the latest releases from http://www.courier-mta.org/download.php . Courierpassd is available at http://erresea.arda.homeunix.net/store/ .
QMR provides courier-authlib-0.55.tar.bz2 ; the latest is courier-authlib-0.60.2.tar.bz2 .
QMR also provides courier-imap-4.0.2.tar.bz2 , whereas the latest is courier-imap-4.3.1.tar.bz2 .
QMR also provides courierpassd-1.1.0-RC1 , whereas the latest is courierpassd-1.1.2.tar.gz .
I may also try Courier-Analog for SMTP, POP and IMAP traffic analysis: http://prdownloads.sourceforge.net/courier/courier-analog-0.15.tar.bz2
Let's see whether these latest packages work. Otherwise we may have to revert to the ones provided by QMR.
cd /downloads/qmailnew
wget http://prdownloads.sourceforge.net/courier/courier-authlib-0.60.2.tar.bz2
wget http://prdownloads.sourceforge.net/courier/courier-imap-4.3.1.tar.bz2
wget http://www.arda.homeunix.net/store/courierpassd-1.1.2.tar.gz
I am going to build RPMs of these Courier-* files, after putting in the necessary config parameters. The RPMs need to be built as an ordinary user, say kamran.
(See the WAM postfix discarded howto.)
Courier-authlib:-
The user kamran needs a sudoers entry (via visudo) for the sudo commands below:
kamran ALL=NOPASSWD: ALL
This grants passwordless root to that account; remove the line again once the build and install are done.
[kamran@www qmailnew]$ cp /downloads/qmailnew/courier* /home/kamran/
cd /home/kamran
[kamran@www ~]$ tar xjf courier-authlib-0.60.2.tar.bz2
[kamran@www ~]$ cd courier-authlib-0.60.2
Added the following to the configure section of the .spec file:
--with-authvchkpw --without-authldap --disable-root-check --with-ssl --with-redhat
QMR suggests passing "--with-authchangepwdir=/usr/local/libexec/authlib" to the configure script, but I could not find that option in courier-authlib-0.60.2.
[kamran@www courier-authlib-0.60.2]$ vi courier-authlib.spec
%configure --with-authvchkpw --without-authldap --disable-root-check --with-ssl --with-redhat
[kamran@www courier-authlib-0.60.2]$ rm courier-authlib-0.60.2.tar.bz2
[kamran@www ~]$ tar cjf courier-authlib-0.60.2.tar.bz2 courier-authlib-0.60.2
sudo yum -y install libtool-ltdl-devel libtool-ltdl postgresql-devel expect
$ sudo rpmbuild -ta courier-authlib-0.60.2.tar.bz2
cd /usr/src/redhat/RPMS/i386/
$ sudo rpm -ivh courier-authlib-0.60.2-1.i386.rpm courier-authlib-devel-0.60.2-1.i386.rpm courier-authlib-mysql-0.60.2-1.i386.rpm
Time to build the RPM for courier-imap as well. Pass the same arguments to its %configure section:
cd /home/kamran
tar xjf courier-imap-4.3.1.tar.bz2
cd courier-imap-4.3.1
vi courier-imap.spec
%configure
--with-authvchkpw --without-authldap --disable-root-check --with-ssl
--with-redhat
%{?xflags: %{xflags}}
rm courier-imap-4.3.1.tar.bz2
tar cjf courier-imap-4.3.1.tar.bz2 courier-imap-4.3.1
sudo yum -y install openldap-servers
📝Note: You cannot build courier-imap as root (i.e. with sudo rpmbuild), because its make check refuses to run as root and the build fails with:
Do not run make check as root
make[2]: *** [check-am] Error 1
make[2]: Leaving directory `/usr/src/redhat/BUILD/courier-imap-4.3.1/imap'
make[1]: *** [check] Error 2
make[1]: Leaving directory `/usr/src/redhat/BUILD/courier-imap-4.3.1/imap'
make: *** [check-recursive] Error 1
error: Bad exit status from /var/tmp/rpm-tmp.6589 (%build)
So we need to set up an RPM build environment in /home/kamran.
Time to set up the environment for RPM builds as user kamran.
su - kamran # if you have not already done so
mkdir $HOME/rpm/{SOURCES,SPECS,BUILD,SRPMS,RPMS} -p
mkdir $HOME/rpm/RPMS/{i386,x86_64}
echo "%_topdir $HOME/rpm" >> $HOME/.rpmmacros
$ rpmbuild -ta courier-imap-4.3.1.tar.bz2
After the build process, the rpm packages can be found in $HOME/rpm/RPMS/i386 ($HOME/rpm/RPMS/x86_64 if you are on an x86_64 system):
Install courier-imap like this:
cd $HOME/rpm/RPMS/i386
sudo rpm -ivh courier-imap-4.3.1-1.i386.rpm
Preparing... ########################################### [100%]
1:courier-imap ########################################### [100%]
Exit from user kamran's shell at this point:
exit
Run:-
/usr/lib/courier-imap/sbin/mkimapdcert
[root@www ~]# /usr/lib/courier-imap/sbin/mkimapdcert
/usr/lib/courier-imap/share/imapd.pem already exists.
Edit /usr/lib/courier-imap/etc/imapd.cnf and change the administrative email address to postmaster@example.com :
vi /usr/lib/courier-imap/etc/imapd.cnf
mkimapdcert refuses to overwrite an existing imapd.pem (that is the message above, the RPM's post-install already generated one). If you want the values from the edited imapd.cnf in the certificate, remove /usr/lib/courier-imap/share/imapd.pem and run mkimapdcert again.
vi /usr/lib/courier-imap/etc/imapd
Make sure that the following configuration exists: IMAPDSTART=YES
vi /usr/lib/courier-imap/etc/imapd-ssl
Make sure that the following configuration exists:
IMAPDSSLSTART=YES
TLS_CERTFILE=/usr/lib/courier-imap/share/imapd.pem
📝Note: this part (CLAMAV) is deprecated. Please refer to the separate ClamAV article instead.
Download latest CLAMAV from http://crash.fce.vutbr.cz/crash-hat/centos/5/clamav/
By the time of this writing, 0.93-2 is latest.
cd /downloads/qmailnew/
wget http://crash.fce.vutbr.cz/crash-hat/centos/5/clamav/clamav-0.93-2.i386.rpm
wget http://crash.fce.vutbr.cz/crash-hat/centos/5/clamav/clamav-db-0.93-2.i386.rpm
wget http://crash.fce.vutbr.cz/crash-hat/centos/5/clamav/clamav-server-0.93-2.i386.rpm
wget http://crash.fce.vutbr.cz/crash-hat/centos/5/clamav/clamav-devel-0.93-2.i386.rpm
rpm -ivh clamav-*
Create the qscand user:
groupadd -g 710 qscand
useradd -u 710 -g 710 -c "Qmail-Scanner Account" -s /bin/false qscand
vi /etc/clamd.conf
#Lines shown below are the default settings unless noted. The # annotations on the right are mine, not part of the file.
LogFile /var/log/clamav/clamd.log
LogFileMaxSize 0
LogTime yes
LogSyslog yes                      # default is no; change to yes
PidFile /var/run/clamav/clamd.pid
TemporaryDirectory /tmp
DatabaseDirectory /var/lib/clamav  # changed to /var/clamav in the newer (0.94-1) package
LocalSocket /var/run/clamav/clamd.sock   # commented out by default; enable it and set the socket path
FixStaleSocket yes
MaxConnectionQueueLength 30
MaxThreads 50
ReadTimeout 300
User qscand                        # most important: default is clamav, change to qscand
AllowSupplementaryGroups yes
DetectBrokenExecutables yes
ScanMail yes
ArchiveMaxCompressionRatio 300
ArchiveBlockEncrypted yes
ArchiveBlockMax yes
vi /etc/freshclam.conf
DatabaseDirectory /var/lib/clamav
UpdateLogFile /var/log/clamav/freshclam.log
PidFile /var/run/clamav/freshclam.pid
LogSyslog yes                      # change to yes
DatabaseOwner qscand               # most important: default is clamav, change to qscand
AllowSupplementaryGroups yes
DNSDatabaseInfo current.cvd.clamav.net
DatabaseMirror db.us.clamav.net
DatabaseMirror database.clamav.net
Checks 24
NotifyClamd /etc/clamd.conf
vi /etc/logrotate.d/clamd
#
#Rotate Clam AV daemon log file
#
/var/log/clamav/clamd.log {
missingok
nocompress
create 640 qscand qscand
postrotate
/bin/kill -HUP `cat /var/run/clamav/clamd.pid 2> /dev/null` 2> /dev/null || true
endscript
}
vi /etc/logrotate.d/freshclam
#
#Rotate FreshClam daemon log file
#
/var/log/clamav/freshclam.log {
missingok
nocompress
create 640 qscand qscand
postrotate
/bin/kill -HUP `cat /var/run/clamav/freshclam.pid 2> /dev/null` 2> /dev/null || true
endscript
}
chown qscand:qscand /var/log/clamav -R
chown qscand:qscand /var/lib/clamav -R
chown qscand:qscand /var/run/clamav -R
service clamd restart
chkconfig --level 35 clamd on
service freshclam restart
chkconfig --level 35 freshclam on
########################################################################
Deprecated:
FreshClam no longer needs to be called through cron:
# crontab -e
# 25 2 * * * /usr/bin/freshclam --quiet -l /var/log/clamav/freshclam.log
#
because freshclam runs in daemon mode and polls the mirrors itself, 24 times a day with the "Checks 24" setting above. The same thing can be given on the command line in /etc/init.d/freshclam; the daemon accepts between 1 and 50 checks per day:
--checks=#n, -c #n    number of checks per day, 1 <= n <= 50
See the proof below:
May 10 15:10:02 www last message repeated 6 times
May 10 15:11:59 www freshclam[22467]: Received signal: wake up
May 10 15:11:59 www freshclam[22467]: ClamAV update process started at Sat May 10 15:11:59 2008
May 10 15:11:59 www freshclam[22467]: main.cvd is up to date (version: 46, sigs: 231834, f-level: 26, builder: sven)
May 10 15:12:00 www freshclam[22467]: Downloading daily-7077.cdiff [100%]
May 10 15:12:00 www freshclam[22467]: Downloading daily-7078.cdiff [100%]
May 10 15:12:00 www freshclam[22467]: Downloading daily-7079.cdiff [100%]
May 10 15:12:00 www freshclam[22467]: Downloading daily-7080.cdiff [100%]
May 10 15:12:01 www freshclam[22467]: Downloading daily-7081.cdiff [100%]
May 10 15:12:01 www freshclam[22467]: Downloading daily-7082.cdiff [100%]
May 10 15:12:01 www freshclam[22467]: daily.cld updated (version: 7082, sigs: 49709, f-level: 26, builder: ccordes)
May 10 15:12:01 www freshclam[22467]: Database updated (281543 signatures) from db.local.clamav.net (IP: 65.120.238.2)
May 10 15:12:01 www clamd[22412]: SelfCheck: Database modification detected. Forcing reload.
May 10 15:12:01 www clamd[22412]: Reading databases from /var/lib/clamav
May 10 15:12:01 www freshclam[22467]: Clamd successfully notified about the update.
May 10 15:12:01 www freshclam[22467]: --------------------------------------
May 10 15:12:05 www clamd[22412]: Database correctly reloaded (280776 signatures)
#########################################################################
SPAM ASSASSIN
The QMR package says to install perl-Mail-SpamAssassin, but that is not available through yum, and the RPM shipped with QMR is too old to be compatible with the current spamassassin-3.1.9. So I installed it through CPAN.
perl -MCPAN -e "install Mail::SpamAssassin"
groupadd -g 711 spamd
useradd -u 711 -g 711 -d /home/spamd -m -s /sbin/nologin spamd
(-d sets the home directory that spamd's -H option points at below. The option for that is -d, not -s; -s sets the login shell, and a service account that only runs spamd does not need an interactive one.)
#passwd -l spamd
# not in QMR guide. I thought it should be implemented. But do we need it?
vi /etc/sysconfig/spamassassin
If the above file exists, replace its contents:
SPAMDOPTIONS="-d -c -m5 -H"
with the following line. If the file does not exist, create it and add the following line:
SPAMDOPTIONS="-x -u spamd -H /home/spamd -d"
spamd options explained:
-c, --create-prefs                   Create user preferences files (we don't need it)
-x, --nouser-config                  Disable user config files
-d, --daemonize                      Daemonize
-m num, --max-children=num           Allow maximum num children
-u username, --username=username     Run as username
-g groupname, --groupname=groupname  Run as groupname (should we use this too?)
-v, --vpopmail                       Enable vpopmail config (we "should" need it, but not using at the moment)
-H [dir], --helper-home-dir[=dir]    Specify a different HOME directory
Because spamd runs as one unprivileged user with -x, every message is scored with the site-wide rules in /etc/mail/spamassassin; per-user preferences are never consulted, which is what a gateway scanner like this wants.
Save and exit from the file.
vi /etc/mail/spamassassin/local.cf
Add the following line (required_hits is the older name for required_score; SpamAssassin 3.x accepts both):
required_hits 5
Save and exit from the file.
service spamassassin restart
chkconfig --level 35 spamassassin on
The following modules are used by the various .pre files. Make sure they are installed. They ship inside the Mail::SpamAssassin distribution itself, so CPAN will normally report each one as already up to date; if any of them actually gets installed at this point, the Mail::SpamAssassin install above was incomplete.
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::RelayCountry"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::URIDNSBL"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::Hashcash"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::SPF"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::DCC"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::Pyzor"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::Razor2"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::SpamCop"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::AntiVirus"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::AWL"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::AutoLearnThreshold"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::WhiteListSubject"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::DomainKeys"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::MIMEHeader"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::ReplaceTags"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::DKIM"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::Check"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::HTTPSMismatch"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::URIDetail"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::Shortcircuit"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::Bayes"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::BodyEval"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::DNSEval"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::HTMLEval"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::HeaderEval"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::MIMEEval"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::RelayEval"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::URIEval"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::WLBLEval"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::VBounce"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::Rule2XSBody"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::ASN"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::ImageInfo"
Created a new local.cf file from the link http://www.yrex.com/spam/spamconfig.php
…
…
#ok_languages should be disabled.
#ok_languages en
#SpamAssassin 3.1 Note: Language checking has been moved to a plugin in version 3.1.
#This setting will not work unless your administrator has enabled the TextCat plugin
#in /etc/mail/spamassassin/v310.pre.
vi /etc/mail/spamassassin/init.pre
…
loadplugin Mail::SpamAssassin::Plugin::RelayCountry
…
vi /etc/mail/spamassassin/v310.pre
…
loadplugin Mail::SpamAssassin::Plugin::DCC
loadplugin Mail::SpamAssassin::Plugin::Pyzor
loadplugin Mail::SpamAssassin::Plugin::Razor2
loadplugin Mail::SpamAssassin::Plugin::SpamCop
loadplugin Mail::SpamAssassin::Plugin::AntiVirus
loadplugin Mail::SpamAssassin::Plugin::AWL
loadplugin Mail::SpamAssassin::Plugin::AutoLearnThreshold
loadplugin Mail::SpamAssassin::Plugin::WhiteListSubject
loadplugin Mail::SpamAssassin::Plugin::DomainKeys
loadplugin Mail::SpamAssassin::Plugin::MIMEHeader
loadplugin Mail::SpamAssassin::Plugin::ReplaceTags
…
vi /etc/mail/spamassassin/v312.pre
…
loadplugin Mail::SpamAssassin::Plugin::DKIM
vi /etc/mail/spamassassin/v320.pre
…
loadplugin Mail::SpamAssassin::Plugin::Shortcircuit
loadplugin Mail::SpamAssassin::Plugin::ASN
Now, run sa-compile. But sa-compile needs re2c.
re2c can be downloaded from, for example:
http://rpmseek.com/download/
http://apt.sw.be/packages/re2c/re2c-0.13.1-1.el4.rf.i386.rpm
http://superb-west.dl.sourceforge.net/sourceforge/re2c/re2c-0.13.3-1.src.rpm
(the rpmseek page needs a browser such as links to get past its download page). I used the source RPM from SourceForge and rebuilt it for this system:
cd /downloads/qmailnew
wget http://superb-west.dl.sourceforge.net/sourceforge/re2c/re2c-0.13.3-1.src.rpm
rpmbuild --rebuild re2c-0.13.3-1.src.rpm
rpm -ivh /usr/src/redhat/RPMS/i386/re2c-0.13.3-1.i386.rpm
Now run sa-compile:
# sa-compile
Then run sa-update:
sa-update -D
Note that sa-update fetches new rule files, while the compiled rules are built from whatever rule files exist at the moment sa-compile runs. So after every sa-update (by hand or from cron) run sa-compile again, and make sure loadplugin Mail::SpamAssassin::Plugin::Rule2XSBody is enabled in v320.pre, otherwise spamd ignores the compiled rules and falls back to the plain ones.
Restart the spamassassin service.
service spamassassin restart
DCC howto:
cd /downloads/qmailnew
wget http://www.rhyolite.com/anti-spam/dcc/source/dcc.tar.Z
tar xzf dcc.tar.Z
cd dcc-1.3.90/
./configure
make
make install
vi /etc/mail/spamassassin/local.cf
dcc_home /var/dcc
dcc_path /usr/local/bin/dccproc
#dcc_dccifd_path, should be the path to dccifd socket, which will become available when dcc service is started.
dcc_dccifd_path /var/dcc/dccifd
vi /var/dcc/dcc_conf
. . .
DCCIFD_ENABLE=on
. . .
cp /var/dcc/libexec/rcDCC /etc/rc.d/init.d/dcc
chkconfig --level 35 dcc on
service dcc start
[root@www dcc-1.3.90]# ps aux | grep -i dcc
root 30623 0.0 0.0 2492 268 ? Ss 16:44 0:00 /var/dcc/libexec/dccifd -tREP,20 -tCMN,5, -llog -wwhiteclnt -Uuserdirs -SHELO -Smail_host -SSender -SList-ID
root 30624 0.1 0.6 28992 6844 ? Sl 16:44 0:00 /var/dcc/libexec/dccifd -tREP,20 -tCMN,5, -llog -wwhiteclnt -Uuserdirs -SHELO -Smail_host -SSender -SList-ID
root 30629 0.0 0.0 4100 580 pts/0 R+ 16:44 0:00 grep -i dcc
Enable the DCC plugin in the spamassassin .pre files (the loadplugin line in v310.pre shown above). Also enable the other plugins you need. Disable Pyzor (comment out its loadplugin line in v310.pre) and remove its settings from local.cf as well, since Pyzor is not installed on this server.
RAZOR:
Download Razor from: http://razor.sourceforge.net/
cd /downloads/qmailnew
wget http://optusnet.dl.sourceforge.net/sourceforge/razor/razor-agents-2.84.tar.bz2
tar xjf razor-agents-2.84.tar.bz2
cd razor-agents-2.84
perl Makefile.PL && make && make install
Add the following to local.cf, either by editing it:
vi /etc/mail/spamassassin/local.cf
razor_config /etc/razor/razor-agent.conf
or from the shell:
echo "razor_config /etc/razor/razor-agent.conf" >> /etc/mail/spamassassin/local.cf
Then:
razor-admin -d -home=/etc/razor -create
razor-admin -d -home=/etc/razor -register
[root@www qmailnew]# service spamassassin restart
Stopping spamd: [ OK ]
Starting spamd: [ OK ]
Step: QMAILSCANNER:
QMR package provides qmail-scanner-1.25.tgz. Latest is 2.04 from http://qmail-scanner.sourceforge.net/ .
QMR package provides qms-analog-0.4.2.tar.gz. The latest is qms-analog-0.4.4 from http://www.qms-analog.teel.ws . I don't think we need qms-analog; Qmail-Scanner has a new reporting tool of its own. From the QMS website:
Reporting: in the contrib directory there’s qs2mrtg.pl. A perl script for monitoring your syslog files for qmail-scanner records. It then graphs how Qmail-Scanner is processing your emails. It creates different graphs for incoming vs outgoing email, as well as the flow of spam and viruses.
We would also install TNEF http://sourceforge.net/projects/tnef/ . As per the QMS site:-
Optional: Mark Simpson’s TNEF unpacker. Can decode those annoying MS-TNEF MIME attachments that Microsoft mail servers just love to use. If you don’t have this, there are several classes of email that Qmail-Scanner basically won’t be able to extract attachments in. However, your AV might very well be able to handle them
yum install db4-devel
perl -MCPAN -e "install DB_File"
TNEF:-
cd /downloads/qmailnew
wget http://internap.dl.sourceforge.net/sourceforge/tnef/tnef-1.4.3.tar.gz
tar xzf tnef-1.4.3.tar.gz
cd /downloads/qmailnew/tnef-1.4.3
./configure && make && make install
Decided to install new version of QMS:-
cd /downloads/qmailnew
wget http://superb-west.dl.sourceforge.net/sourceforge/qmail-scanner/qmail-scanner-2.04.tgz
tar xzf qmail-scanner-2.04.tgz
cd /downloads/qmailnew/qmail-scanner-2.04
Create the following (new) file:
(Don't create it with cat << EOF: an unquoted here-document expands $1 and $INSTALL while the file is being written.)
vi qms-config
#!/bin/sh
## File: qms-config
##
## Purpose: Provide a file to save personal qmail-scanner configuration
## options. This file should be edited for your server and
## saved somewhere so that it survives qmail-scanner and
## qms-analog upgrades.
##
# Was the "install" option given?
if [ "$1" != "install" ]; then
    INSTALL=
else
    INSTALL="--install"
fi
# Qmail Scanner 2.04 configuration. One option per line; every line but the
# last ends in a backslash, so the whole thing is a single configure command.
# $INSTALL is left unquoted on purpose: when it is empty it must add no argument at all.
./configure --domain example.com \
    --admin postmaster \
    --local-domains "example.com,sufi-iqbal.net" \
    --add-dscr-hdrs yes \
    --ignore-eol-check yes \
    --notify admin \
    --redundant yes \
    $INSTALL
Next:
chmod 755 qms-config
./qms-config
then
(Note: QMS gets installed in /var/spool/qscan, NOT /var/spool/qmailscan)
./qms-config install
Testing suid nature of /usr/bin/perl…
Looks OK…
Hit RETURN to create initial directory structure under /var/spool/qscan,
and install qmail-scanner-queue.pl under /var/qmail/bin:
perlscanner: generate new DB file from /var/spool/qscan/quarantine-events.txt
perlscanner: total of 12 entries.
Finished installation of initial directory structure for Qmail-Scanner
under /var/spool/qscan and qmail-scanner-queue.pl under /var/qmail/bin.
Finished. Please read README(.html) and then go over the script
(/var/qmail/bin/qmail-scanner-queue.pl) to check paths/etc.
“/var/qmail/bin/qmail-scanner-queue.pl -r” should return some well-known virus
definitions to show that the internal perlscanner component is working.
That’s it!
** FINAL TEST **
Please log into an unpriviledged account and run
/var/qmail/bin/qmail-scanner-queue.pl -g
If you see the error “Can’t do setuid”, or “Permission denied”, then
refer to the FAQ.
(e.g. “setuidgid qmaild /var/qmail/bin/qmail-scanner-queue.pl -g”)
That’s it! To report success:
% (echo 'First M. Last'; cat SYSDEF)|mail jhaar-s4vstats@crom.trimble.co.nz
Replace First M. Last with your name.
ls -l /var/qmail/bin/qmail-scanner-queue.pl
-rwsr-sr-x 1 qscand qscand 111710 May 9 17:36 /var/qmail/bin/qmail-scanner-queue.pl
Let’s do the test :
logon as user kamran:
#su - kamran
[kamran@www ~]$ /var/qmail/bin/qmail-scanner-queue.pl -g
perlscanner: generate new DB file from /var/spool/qscan/quarantine-events.txt
perlscanner: total of 12 entries.
[kamran@www ~]$
exit
Note: The path is changed for the Qmail Scanner spool files in the newest version, from “/var/spool/qmailscan”, to “/var/spool/qscan” .
The test is passed. Alhumdulillah. Now run the following:-
setuidgid qscand /var/qmail/bin/qmail-scanner-queue.pl -z # also setup a cronjob to do this once a day.
setuidgid qscand /var/qmail/bin/qmail-scanner-queue.pl -g # also setup a cronjob to do this once a day.
Set them up to run through cron as well:-
crontab -e
0 1 * * * /usr/local/bin/setuidgid qscand /var/qmail/bin/qmail-scanner-queue.pl -z
0 1 * * * /usr/local/bin/setuidgid qscand /var/qmail/bin/qmail-scanner-queue.pl -g
chown -R qscand:qscand /var/spool/qscan # not /var/spool/qmailscan
vi /var/qmail/supervise/qmail-smtpd/run
QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl" ; export QMAILQUEUE
...
(change the softlimit -m value to 40000000, or better 60000000; see the note below)
...
...
Note: The limit 40000000 (40 MB) in the original QMR run script is more than two years old. With the newer versions of all the participating software I had to raise it to 60000000 (60 MB), otherwise my mails were not being handled correctly by Qmail-Scanner. softlimit -m caps the address space of everything started under it, and that now includes qmail-scanner-queue.pl (perl) plus the clamd and spamd clients it runs per message. It is safe to increase this value.
WAIT... DISABLE POP3 AND POP3S IN COURIER FIRST. QMAIL HAS ITS OWN POP3 SERVER.
Restart Qmail
qmailctl stop
sleep 5
qmailctl start
sleep 5
qmailctl stat
[root@www qmail-scanner-2.04]# qmailctl stat
/service/qmail-send: up (pid 7749) 5 seconds
/service/qmail-send/log: up (pid 7750) 5 seconds
/service/qmail-smtpd: up (pid 7753) 5 seconds
/service/qmail-smtpd/log: up (pid 7758) 5 seconds
/service/qmail-pop3d: up (pid 7767) 5 seconds
/service/qmail-pop3d/log: up (pid 7768) 5 seconds
messages in queue: 293
messages in queue but not yet preprocessed: 181
Now, try the test_installation.sh script in contrib directory.
cd /downloads/qmailnew/qmail-scanner-2.04/contrib
./test_installation.sh -doit
[root@www contrib]# ./test_installation.sh -doit
Sending standard test message - no viruses…
done!
Sending eicar test virus - should be caught by perlscanner module…
done!
Sending eicar test virus with altered filename - should only be caught by commercial anti-virus modules (if you have any)…
Sending bad spam message for anti-spam testing - In case you are using SpamAssassin…
Done!
Finished test. Now go and check Email sent to postmaster@example.com
You should have 2 messages in the postmaster's mailbox, one clean message and the other marked as **SPAM** (the two EICAR messages are quarantined by Qmail-Scanner, not delivered), and the following output in your maillog. If instead you see maildrop[...]: Unable to open mailbox. lines like the ones below, the scanner and spamd are doing their job but local delivery failed: check that the postmaster mailbox for the domain exists in vpopmail and is writable before trusting the mailbox count.
tail -f /var/log/maillog
May 9 17:53:34 www qmail-scanner[8149]: Clear:RC:1(127.0.0.1): 0.022018 313 postmaster@example.com postmaster@example.com Qmail-Scanner_test_(1/4):inoffensive_message <20080509125334.8148.qmail@www.example.com> orig-www.example.com12103376145628149:313 1210337614.8151-0.www.example.com:68
May 9 17:53:34 www spamd[31043]: spamd: connection from localhost.localdomain [127.0.0.1] at port 37141
May 9 17:53:34 www spamd[31043]: spamd: processing message <20080509125334.8148.qmail@www.example.com> for postmaster@example.com:711
May 9 17:53:34 www qmail-scanner[8162]: Perlscan:EICAR_Test_Virus:RC:1(127.0.0.1): 0.027297 961 postmaster@example.com postmaster@example.com Qmail-Scanner_viral_test(2/4):checking_perlscanner... <20080509125334.8161.qmail@www.example.com> 1210337614.8169-0.www.example.com:300 Eicar.com:69 orig-www.example.com12103376145628162:961
May 9 17:53:35 www qmail-scanner[8177]: CLAMDSCAN:Eicar-Test-Signature:RC:1(127.0.0.1): 0.016671 1236 postmaster@example.com postmaster@example.com Qmail-Scanner_viral_test(3/4):checking_non-perlscanner_AV... <20080509125335.8176.qmail@www.example.com> sneaky.txt
May 9 17:53:35 www spamd[31044]: spamd: connection from localhost.localdomain [127.0.0.1] at port 37143
May 9 17:53:35 www spamd[31044]: spamd: checking message (unknown) for postmaster@example.com:711
May 9 17:53:35 www spamd[31043]: spamd: clean message (0.0/5.0) for postmaster@example.com:711 in 0.7 seconds, 616 bytes.
May 9 17:53:35 www spamd[31043]: spamd: result: . 0 - UNPARSEABLE_RELAY scantime=0.7,size=616,user=postmaster@example.com,uid=711,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=37141,mid=<20080509125334.8148.qmail@www.example.com>,autolearn=ham,shortcircuit=no
May 9 17:53:35 www spamd[31040]: prefork: child states: IB
May 9 17:53:35 www maildrop[8167]: Unable to open mailbox.
May 9 17:53:36 www spamd[31044]: spamd: identified spam (1009.7/5.0) for postmaster@example.com:711 in 1.6 seconds, 1893 bytes.
May 9 17:53:36 www spamd[31044]: spamd: result: Y 1009 - DATE_IN_FUTURE_96_XX,DK_POLICY_TESTING,EXCUSE_4,FORGED_YAHOO_RCVD,GTUBE,MISSING_MID,NORMAL_HTTP_TO_IP,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK scantime=1.6,size=1893,user=postmaster@example.com,uid=711,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=37143,mid=(unknown),autolearn=no,shortcircuit=no
May 9 17:53:37 www spamd[31040]: prefork: child states: II
May 9 17:53:37 www qmail-scanner[8186]: Clear:RC:1(127.0.0.1):SA:1(1009.7/5.0): 1.755721 1881 postmaster@example.com postmaster@example.com Qmail-Scanner_anti-spam_test(4/4):checking_SpamAssassin[if_present]_(There_yo <9PS291LhupY> orig-www.example.com12103376155628186:1881 1210337615.8188-0.www.example.com:818
May 9 17:53:37 www spamd[31043]: spamd: connection from localhost.localdomain [127.0.0.1] at port 37147
May 9 17:53:37 www spamd[31043]: spamd: processing message <9PS291LhupY> for postmaster@example.com:711
May 9 17:53:38 www spamd[31043]: spamd: identified spam (1009.2/5.0) for postmaster@example.com:711 in 1.4 seconds, 2384 bytes.
May 9 17:53:38 www spamd[31043]: spamd: result: Y 1009 - AWL,DK_POLICY_TESTING,EXCUSE_4,FORGED_YAHOO_RCVD,GTUBE,INVALID_MSGID,MSGID_SHORT,NORMAL_HTTP_TO_IP,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,UNPARSEABLE_RELAY scantime=1.4,size=2384,user=postmaster@example.com,uid=711,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=37147,mid=<9PS291LhupY>,autolearn=no,shortcircuit=no
May 9 17:53:38 www spamd[31040]: prefork: child states: II
May 9 17:53:38 www maildrop[8204]: Unable to open mailbox.
May 9 17:55:15 www spamd[31043]: spamd: connection from localhost.localdomain [127.0.0.1] at port 43421
May 9 17:55:15 www spamd[31043]: spamd: processing message <20080509125334.8148.qmail@www.example.com> for postmaster@example.com:711
May 9 17:55:17 www spamd[31044]: spamd: connection from localhost.localdomain [127.0.0.1] at port 43427
May 9 17:55:17 www spamd[31044]: spamd: processing message <9PS291LhupY> for postmaster@example.com:711
May 9 17:55:17 www spamd[31043]: spamd: clean message (0.0/5.0) for postmaster@example.com:711 in 1.3 seconds, 616 bytes.
May 9 17:55:17 www spamd[31043]: spamd: result: . 0 - UNPARSEABLE_RELAY scantime=1.3,size=616,user=postmaster@example.com,uid=711,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=43421,mid=<20080509125334.8148.qmail@www.example.com>,autolearn=unavailable,shortcircuit=no
May 9 17:55:17 www spamd[31040]: prefork: child states: IB
May 9 17:55:17 www maildrop[8590]: Unable to open mailbox.
May 9 17:55:18 www spamd[31044]: spamd: identified spam (1008.9/5.0) for postmaster@example.com:711 in 1.5 seconds, 2384 bytes.
May 9 17:55:18 www spamd[31044]: spamd: result: Y 1008 - AWL,DK_POLICY_TESTING,EXCUSE_4,FORGED_YAHOO_RCVD,GTUBE,INVALID_MSGID,MSGID_SHORT,NORMAL_HTTP_TO_IP,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,UNPARSEABLE_RELAY scantime=1.5,size=2384,user=postmaster@example.com,uid=711,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=43427,mid=<9PS291LhupY>,autolearn=no,shortcircuit=no
May 9 17:55:18 www spamd[31040]: prefork: child states: II
May 9 17:55:18 www maildrop[8602]: Unable to open mailbox.
Note:
Any SMTP sessions that are dropped (due to network outages etc.) may leave files lying around in /var/spool/qscan. Running "/var/qmail/bin/qmail-scanner-queue.pl -z" at least once daily deletes such files once they are over 30 hours old (see contrib/ for a logrotate script). The crontab entry added above (the 0 1 * * * setuidgid qscand ... -z line) already does this; if you skipped that step, add it now, again as the qscand user:
crontab -e
0 2 * * * /usr/local/bin/setuidgid qscand /var/qmail/bin/qmail-scanner-queue.pl -z
You may want to change the file /etc/tcp.smtp from:
127.:allow,RELAYCLIENT=""
to:
#No Qmail-Scanner at all for mail from 127.0.0.1
127.:allow,RELAYCLIENT="",RBLSMTPD="",QMAILQUEUE="/var/qmail/bin/qmail-queue"
#Use Qmail-Scanner without SpamAssassin on any mail from the local network
#[it triggers SpamAssassin via the presence of the RELAYCLIENT var]
#10.:allow,RELAYCLIENT="",RBLSMTPD="",QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
#
#Use Qmail-Scanner with SpamAssassin on any mail from the rest of the world
:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
Two things to know about these rules. Setting RBLSMTPD to an empty value is how rblsmtpd (added to the run script later) is told to skip the blacklist lookup for that client, so localhost and trusted subnets never get rejected by a DNSBL. And QMAILQUEUE selects the program qmail-smtpd hands the message to: the scanner, or the plain qmail-queue to bypass scanning entirely.
I have set up my /etc/tcp.smtp as follows, so that mail submitted through localhost is scanned too:
[root@www contrib]# vi /etc/tcp.smtp
#my users logging on to the web interface may be uploading virus infected files.
127.:allow,RELAYCLIENT="",RBLSMTPD="",QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
#No Qmail-Scanner at all for mail from 127.0.0.1
##127.:allow,RELAYCLIENT="",RBLSMTPD="",QMAILQUEUE="/var/qmail/bin/qmail-queue"
#Use Qmail-Scanner without SpamAssassin on any mail from the local network
#[it triggers SpamAssassin via the presence of the RELAYCLIENT var]
#10.:allow,RELAYCLIENT="",RBLSMTPD="",QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
#
#Use Qmail-Scanner with SpamAssassin on any mail from the rest of the world
:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
[root@www contrib]# qmailctl stop
Stopping qmail…
qmail-smtpd
qmail-send
qmail-pop3d
[root@www contrib]# qmailctl cdb
Reloaded /etc/tcp.smtp.
[root@www contrib]# qmailctl start
Starting qmail…
Starting qmail-send
Starting qmail-smtpd
Starting qmail-pop3d
[root@www contrib]# qmailctl stat
/service/qmail-send: up (pid 8801) 4 seconds
/service/qmail-send/log: up (pid 8808) 4 seconds
/service/qmail-smtpd: up (pid 8811) 4 seconds
/service/qmail-smtpd/log: up (pid 8816) 4 seconds
/service/qmail-pop3d: up (pid 8819) 4 seconds
/service/qmail-pop3d/log: up (pid 8820) 4 seconds
messages in queue: 263
messages in queue but not yet preprocessed: 0
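It is easy to get a tcp.smtp rule wrong and only find out when a spammer's mail arrives unscanned, so it helps to be able to ask "which rule, and therefore which QMAILQUEUE, does this client get?" without reloading the cdb. The following is an added example, written for this page and not part of the QMR guide or of ucspi-tcp: it reproduces tcpserver's lookup order in plain sh (the full address first, then each shorter dotted prefix such as 10.1.2. and 10., then the empty default key), and derives from the matching rule which queue program qmail-smtpd will run and whether rblsmtpd will consult its lists. The rules file is constructed for the example, as are the 10.1.2. office subnet, the 203.0.113.66 "abusive host" and the 198.51.100.7 client; only the # comment form is handled, not the =host and @ forms tcprules also accepts.

```shell
#!/bin/sh
# Added example: resolve a tcp.smtp rule the way tcpserver does (exact IP key,
# then shorter dotted prefixes, then the "" default). Not part of the QMR guide.

# Constructed sample rules file (same shape as /etc/tcp.smtp in this guide).
TCP_SMTP_SAMPLE=$(mktemp)
trap 'rm -f "$TCP_SMTP_SAMPLE"' EXIT
cat > "$TCP_SMTP_SAMPLE" <<'EOF'
# my users logging on to the web interface may be uploading virus infected files.
127.:allow,RELAYCLIENT="",RBLSMTPD="",QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
# an office subnet that may relay and skips the DNSBL; no QMAILQUEUE of its own
10.1.2.:allow,RELAYCLIENT="",RBLSMTPD=""
# one abusive host, refused outright
203.0.113.66:deny
# everyone else: scan with Qmail-Scanner and SpamAssassin
:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
EOF

# tcp_rule_for FILE IP -> prints the first rule whose key matches IP, trying
# "1.2.3.4", "1.2.3.", "1.2.", "1." and finally "" (the default rule).
tcp_rule_for() {
    file=$1
    ip=$2
    keys=$ip
    prefix=$ip
    while [ "${prefix%.*}" != "$prefix" ]; do
        prefix=${prefix%.*}
        keys="$keys $prefix."
    done
    for key in $keys ""; do
        while IFS= read -r line; do
            case "$line" in
                '#'*|'') continue ;;                      # comments and blank lines
                "$key":*) printf '%s\n' "$line"; return 0 ;;
            esac
        done < "$file"
    done
    return 1                                              # no default rule: tcpserver denies
}

# queue_for FILE IP [INHERITED] -> program qmail-smtpd will hand the message to.
# tcpserver adds the rule's variables on top of the environment it inherited from
# the run script, so a rule without QMAILQUEUE gets whatever the run script
# exported (the scanner, in this guide) or qmail-smtpd's built-in qmail-queue.
queue_for() {
    inherited=${3:-/var/qmail/bin/qmail-queue}
    rule=$(tcp_rule_for "$1" "$2") || { echo "deny"; return 1; }
    case "$rule" in
        *:deny*) echo "deny"; return 1 ;;
    esac
    q=$(printf '%s\n' "$rule" | sed -n 's/.*QMAILQUEUE="\([^"]*\)".*/\1/p')
    [ -n "$q" ] && echo "$q" || echo "$inherited"
}

# rbl_checked FILE IP -> 0 if rblsmtpd will consult its lists for this client,
# 1 if the rule sets RBLSMTPD="" (an empty value tells rblsmtpd to skip the check).
rbl_checked() {
    rule=$(tcp_rule_for "$1" "$2") || return 1
    case "$rule" in
        *RBLSMTPD=\"\"*) return 1 ;;
    esac
    return 0
}

# Usage: show what each kind of client gets with the run script from this guide,
# which exports QMAILQUEUE=/var/qmail/bin/qmail-scanner-queue.pl.
for c in 127.0.0.1 10.1.2.9 203.0.113.66 198.51.100.7; do
    printf '%-14s queue=%s rbl=%s\n' "$c" \
        "$(queue_for "$TCP_SMTP_SAMPLE" "$c" /var/qmail/bin/qmail-scanner-queue.pl)" \
        "$(rbl_checked "$TCP_SMTP_SAMPLE" "$c" && echo yes || echo no)"
done
```

Point it at the real file (tcp_rule_for /etc/tcp.smtp 1.2.3.4) before running qmailctl cdb: the prefix walk shows, for instance, that a 10. rule also covers 10.1.2.9 unless a more specific 10.1.2. line appears, and that a deny line for a single host wins over both.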
Step: Install / configure qs2mrtg:
Install qs2mrtg.pl from the contrib directory of the qmailscanner.
This is for drawing graphs in MRTG.
Step: QMAIL ANALOG:
I could not get this to work with the latest QmailScanner, so it is useless to set up. It is also not needed, given qs2mrtg.
Step: GREYLISTING and RBLSMTPD:
Download the greylisting software:
cd /downloads/qmailnew
wget http://oss.albawaba.com/files/cqgreylist-0.2.tar.gz
tar xzf cqgreylist-0.2.tar.gz
cd cqgreylist-0.2
mkdir /var/qmail/cqgreylist
chown vpopmail /var/qmail/cqgreylist
(cqgreylist keeps its per-sender state files here. It runs as the same user as qmail-smtpd, i.e. $QMAILDUID from the run script, which is vpopmail in the QMR setup, so the directory must be writable by that user.)
vi cqgreylist.c
. . .
/*
 * Change anything you want here
 */
/* RFC 2821 specifies the timeout for receiving a command to at least 5 mins */
#define TIMEOUT 300
/* specify the greylisting time in which to not accept mail from a sender */
#define GREY_SECONDS 60
char* hostname = "www.example.com";
char* message = "You are greylisted. Try again.";
char* base_directory = "/var/qmail/cqgreylist/";
/*
 * End of user editable parameters
 */
make
cp cqgreylist /var/qmail/bin/
crontab -e
. . .
23 * * * * /usr/bin/find /var/qmail/cqgreylist -mtime 1 -type f -exec rm -f {} \;
(The trailing \; is required; it is how find knows where the -exec command ends. -mtime 1 matches files between one and two days old, which is enough because the job runs every hour; use -mtime +1 if you want "older than one day" regardless of how often the job runs.)
See next section (RBLSMTPD) to actually include GreyListing in Qmail run file.
RBLSMTPD:
Edit the run script for qmail-smtpd:
vi /var/qmail/supervise/qmail-smtpd/run
Text before editing:
. . .
exec /usr/local/bin/softlimit -m 40000000 \
    /usr/local/bin/tcpserver -v -R -l "$LOCAL" -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \
    -u "$QMAILDUID" -g "$NOFILESGID" 0 smtp \
    /var/qmail/bin/qmail-smtpd www.example.com \
    /home/vpopmail/bin/vchkpw /usr/bin/true 2>&1
Text after editing:
. . .
exec /usr/local/bin/softlimit -m 40000000 \
    /usr/local/bin/tcpserver -v -R -l "$LOCAL" -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \
    -u "$QMAILDUID" -g "$NOFILESGID" 0 smtp \
    rblsmtpd \
    -r sbl.spamhaus.org \
    -r zen.spamhaus.org \
    -r bl.spamcop.net \
    -r list.dsbl.org \
    /var/qmail/bin/cqgreylist \
    /var/qmail/bin/qmail-smtpd www.example.com \
    /home/vpopmail/bin/vchkpw /usr/bin/true 2>&1
Every line except the last ends in a backslash; it is all one command. The order is the order of processing: tcpserver accepts the connection and applies the /etc/tcp.smtp.cdb rules, rblsmtpd looks the client IP up in each list (skipped for clients whose tcp.smtp rule sets RBLSMTPD=""), cqgreylist applies the greylisting delay, and only then does qmail-smtpd talk SMTP. Note that zen.spamhaus.org already includes the SBL, so the separate sbl.spamhaus.org lookup is redundant, and every extra -r costs one more DNS query per incoming connection.
Restart Qmail service:
qmailctl stop
qmailctl cdb
qmailctl start
sleep 5
qmailctl stat
[root@www cqgreylist-0.2]# qmailctl stat
/service/qmail-send: up (pid 11184) 5 seconds
/service/qmail-send/log: up (pid 11191) 5 seconds
/service/qmail-smtpd: up (pid 11194) 5 seconds
/service/qmail-smtpd/log: up (pid 11199) 5 seconds
/service/qmail-pop3d: up (pid 11202) 5 seconds
/service/qmail-pop3d/log: up (pid 11203) 5 seconds
messages in queue: 21
messages in queue but not yet preprocessed: 0
ALHUMDULILLAH. MAIL SERVER SETUP COMPLETE.
Step: QS2MRTG: [Not fully documented]. Coming soon.
Install qs2mrtg.pl from the contrib directory of qmail-scanner.
cp /downloads/qmailnew/qmail-scanner-2.04/contrib/qs2mrtg.pl /usr/local/bin/
This is for drawing graphs in MRTG.
[root@www contrib]# ./qs2mrtg.pl --syslog-file=/var/log/messages \
    --offset-file=/var/log/qs2mrtg.offset \
    --mrtg-output-dir=/var/www/mrtg/ --mailsrv-name=www.example.com
Step: SETUP FIREWALL:
Create a new file /etc/firewall.sh. Make sure each $IPTABLES command sits on its own line and not on the same line as the comment above it: if the "-P INPUT DROP" line ends up commented out, the default policy stays ACCEPT and every port that is not explicitly dropped is reachable from the Internet. After running the script, "iptables -L INPUT -n | head -1" must show "(policy DROP)".
vi /etc/firewall.sh
#!/bin/bash
###################################################################################
# Author: Muhammad Kamran Azeem (kamran@example.com)
# Created: 20080410
# Last Updated: 20080410
# Implementation on this server: 20080509
# Proposed implementation: On stand alone webmail servers
###################################################################################
#
# Various tools:
# nmap -sU PUBLIChost # scans UDP ports
#
# The following reports the total number of connections per remote address:
# netstat -anp | grep -E 'tcp|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
###################################################################################
# User configurable parameters - START - #############################################
#
# The Public interface of this server towards Internet:-
PUBLICIF=eth0
#
# The Public IP of this server (on $PUBLICIF) visible/accessible from the Internet:-
PUBLICIP=192.168.0.200
#
# The full path to the iptables program:-
IPTABLES=/sbin/iptables
#
# User configurable parameters - END - ###############################################
############ Load Modules - Start #############
#
# Load FTP connection tracking module
modprobe ip_conntrack_ftp
#
############# Load Modules - End ##############
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -P INPUT ACCEPT
# ports list:
# 21/tcp - FTP
# 22/tcp - SSH
# 25/tcp - SMTP
# 80/tcp - HTTP
# 443/tcp - HTTPS
# 110/tcp - POP3
# 995/tcp - POP3S
# 143/tcp - IMAP
# 993/tcp - IMAPS
# 123/tcp - NTP
# 123/udp - NTP
# 199/tcp - SNMP
# 161/udp - SNMP
# 3306/tcp - MySQL
# Setup default INPUT policy as DROP
$IPTABLES -P INPUT DROP
## allow packets coming from the machine
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
# allow outgoing traffic
$IPTABLES -A OUTPUT -o $PUBLICIF -j ACCEPT
# Block spoofing
#$IPTABLES -A INPUT -s 127.0.0.0/8 -i ! lo -j DROP
# OR more sophisticated / wide ranged method is below:-
# Add your IP range/IPs here,
# Yes I am sure that the last address has 16 bit subnet for a VALID reason
SPOOFLIST="0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/16 192.168.0.0/16 224.0.0.0/3"
for ip in $SPOOFLIST
do
$IPTABLES -A INPUT -i $PUBLICIF -s $ip -j DROP
done
# Allow the following traffic only:-
$IPTABLES -A INPUT -i $PUBLICIF -p tcp -m multiport --dport 21,22,25,80,443,110,995,143,993 -j ACCEPT
# Hopefully spamassassin, NTP, Razor, DNS, DCCIFD, etc will keep working properly,
# because of the following rules.
$IPTABLES -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
# Stop bad packets
$IPTABLES -A INPUT -m state --state INVALID -j DROP
# NMAP FIN/URG/PSH
$IPTABLES -A INPUT -i $PUBLICIF -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
# stop Xmas Tree type scanning
$IPTABLES -A INPUT -i $PUBLICIF -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A INPUT -i $PUBLICIF -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
# stop null scanning
$IPTABLES -A INPUT -i $PUBLICIF -p tcp --tcp-flags ALL NONE -j DROP
# SYN/RST
$IPTABLES -A INPUT -i $PUBLICIF -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# SYN/FIN
$IPTABLES -A INPUT -i $PUBLICIF -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# If the incoming SYN packets are not NEW, we need to DROP them:-
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Stop syn flood. Not using the following because it would result in a VERY SLOW SERVER:
# incoming syn requests, which may be legitimate Web requests coming from many
# web browsers / clients, would get limited to 1 per second, WHICH WE DON'T WANT.
# I suppose we CANNOT stop a SYN flood this way?
$IPTABLES -N SYNFLOOD
# $IPTABLES -A SYNFLOOD -p tcp --syn -m limit --limit 1/s -j RETURN
# $IPTABLES -A SYNFLOOD -p tcp -j REJECT --reject-with tcp-reset
# $IPTABLES -A INPUT -p tcp -m state --state NEW -j SYNFLOOD
# Stop ping flood attack
# DROP ICMP packets larger than (64 Data+8 Header)=72 bytes (Below 85 did not help me :-)
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -m length --length 85: -j REJECT --reject-with icmp-host-prohibited
# Allow a maximum of one incoming ICMP echo-request per second
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# End of Firewall script
exit 0
Two caveats on this rule set. iptables evaluates rules in order, and the multiport ACCEPT matches on destination port alone, so the INVALID, --tcp-flags and "! --syn" DROP rules below it never see a packet aimed at one of the service ports; move them above the multiport ACCEPT if you want them to protect those ports too. And the placeholder address 192.168.0.200 used throughout this document falls inside the 192.168.0.0/16 entry of SPOOFLIST; on a server that really sits on a private address behind a NAT device, remove that range or nothing will reach it.
Create a new startup file /etc/init.d/firewall
vi /etc/init.d/firewall
#!/bin/bash
#firewall Startup script for our personal firewall
#
#chkconfig: 35 01 99
# (runlevels 3 and 5, start priority 01, stop priority 99; matches the
#  chkconfig --level 35 command used below)
#description: Our own custom built firewall setup
#processname: firewall
#Source function library.
. /etc/rc.d/init.d/functions
prog=/etc/firewall.sh
lockfile=/var/lock/subsys/firewall
RETVAL=0
start() {
    echo -n $"Starting $prog: "
    /bin/sh /etc/firewall.sh
    RETVAL=$?
    echo
    [ $RETVAL = 0 ] && touch ${lockfile}
    return $RETVAL
}
stop() {
    echo -n $"Stopping $prog: "
    # Flush the rules and fall back to an open INPUT policy, keeping SSH reachable
    /sbin/iptables -F
    /sbin/iptables -t nat -F
    /sbin/iptables -P INPUT ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
    RETVAL=$?
    echo
    [ $RETVAL = 0 ] && rm -f ${lockfile}
    return $RETVAL
}
# See how we were called.
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    status)
        /sbin/iptables -L
        ;;
    restart)
        stop
        start
        ;;
    *)
        echo $"Usage: $prog {start|stop|status|restart}"
        RETVAL=3
esac
exit $RETVAL
chmod +x /etc/firewall.sh
chmod +x /etc/init.d/firewall
chkconfig --level 35 firewall on
service firewall start
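As an added check, not part of the original QMR guide: the script below audits a saved ruleset against the INPUT policy firewall.sh sets and the port list it is supposed to open, so you can confirm after "service firewall start" that what is loaded matches what is documented. It runs against a constructed iptables-save sample embedded in the script; on the real server, substitute the output of /sbin/iptables-save.

```shell
# Constructed sample of `iptables-save` output, shaped like the ruleset firewall.sh
# builds (not captured from a real host).
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -s 127.0.0.0/8 -j DROP
-A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
-A INPUT -i eth0 -p tcp -m multiport --dports 21,22,25,80,443,110,995,143,993 -j ACCEPT
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
COMMIT'

# Print the default policy of the INPUT chain (DROP is what firewall.sh intends).
input_policy() {
    printf '%s\n' "$1" | sed -n 's/^:INPUT \([A-Z]*\) .*/\1/p'
}

# Succeed if TCP port $2 is accepted by an INPUT rule (single --dport or a multiport list).
port_accepted() {
    printf '%s\n' "$1" | grep -e '-A INPUT ' | grep -e '-j ACCEPT' |
        grep -E -e "(--dports? |,)$2(,| )" >/dev/null
}

# Succeed if packets from source range $2 are dropped on INPUT (the SPOOFLIST rules).
spoof_dropped() {
    printf '%s\n' "$1" | grep -e '-A INPUT ' | grep -F -e "-s $2 " | grep -e '-j DROP' >/dev/null
}

# Compare a documented port list against the loaded rules: print each mismatch and
# return 0 only when the policy is DROP and every listed port is accepted.
audit_firewall() {
    rules=$1; shift
    status=0
    [ "$(input_policy "$rules")" = "DROP" ] || { echo "INPUT policy is not DROP"; status=1; }
    for p in "$@"; do
        port_accepted "$rules" "$p" || { echo "port $p/tcp not accepted"; status=1; }
    done
    return $status
}

# On the real server replace SAMPLE_RULES with "$(/sbin/iptables-save)".
# 3306 appears in the script's ports-list comment but not in its ACCEPT rule, so it is reported.
audit_firewall "$SAMPLE_RULES" 22 25 80 3306 || echo "ruleset differs from the documented port list"
```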
=====================================================================
End of QMail Rocks Guide