QmailRocks Updated

OS: CENTOS 5, CENTOS 5.1
Author: Muhammad Kamran Azeem
ARCH: i386 [Notes for 64 bit will be added soon]

Objective of this document

A few years ago I was looking for a better alternative to sendmail and came across qmail. While looking for a guide I stumbled upon the qmailrocks.org guide. I loved the way it was arranged and how easy it was to follow, and by the time of this writing I have set up countless qmail mail servers using this (QMR) guide. However, for the past couple of years it has not been updated any more. The software shipped in the qmailrocks.tar.gz package is now outdated, and the newer releases have a few changes in their configuration. So I decided to follow the original QMR guide, but to use the latest software for each step, fetched from the respective upstream websites, and eventually I ended up with this howto. I hope it is helpful to qmail lovers all over the world.

Qmail Rocks home page: http://www.qmailrocks.org

Most of this document is based on the original QMR guide.

Here is what I have added in the original QMR guide:

  • Installation of Perl Modules
  • Antispam tools (Razor, DCC, RBL SMTPD , Grey listing)
  • Qmail Mail MRTG graphs for SPAM and Viruses

Here is what I have removed from the QMR guide:

  • qmail analog / reporting tools (in the last steps of original QMR guide), because they are no longer compatible with the latest version of qmailscanner.

Scenario

The following howto / tutorial was created using a live deployment, still in production! However, the IPs, hostnames and passwords are changed to protect privacy.

Hostname: www.example.com
IP: 192.168.0.200

Note on installation software directories:

Whatever is unzipped / untarred from the QMR package, will be in /downloads/qmailrocks directory.

Whatever new software I will download/use, will be placed in /downloads/qmailnew directory.

Step: Upgrade OS:

First of all, it is absolutely necessary to upgrade your OS to the latest packages.

[root@www ~]# yum upgrade
Loading “installonlyn” plugin

Dependencies Resolved

Package Arch Version Repository Size

Installing:
kernel i686 2.6.18-53.1.14.el5 updates 13 M
Updating:
kernel-headers i386 2.6.18-53.1.14.el5 updates 786 k

Transaction Summary

Install 1 Package(s)
Update 1 Package(s)
Remove 0 Package(s)

Total download size: 14 M
Is this ok [y/N]: y
Downloading Packages:
(1/2): kernel-headers-2.6.18-53.1.14.el5.i386.rpm 786 kB 00:01
(2/2): kernel-2.6.18-53.1.14.el5.i686.rpm 13 MB 00:33
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing: kernel ################# [1/3]
Updating : kernel-headers ################# [2/3]
Cleanup : kernel-headers ################# [3/3]

Installed: kernel.i686 0:2.6.18-53.1.14.el5
Updated: kernel-headers.i386 0:2.6.18-53.1.14.el5
Complete!

After upgrading the kernel it is better to re-install grub, the boot loader. I have seen it a few times that a system rebooted after a kernel upgrade does not come back online. It is rare, but there is no harm in re-installing grub to be on the safe side.

[root@www ~]# grub-install /dev/hda
Installation finished. No error reported.
This is the contents of the device map /boot/grub/device.map.
Check if this is correct or not. If any of the lines is incorrect,
fix it and re-run the script `grub-install'.

This device map was generated by anaconda
(hd0) /dev/hda

Then do a “sync” and “reboot” the system.

[root@www ~]# sync

[root@www ~]# reboot

Step: SSH key based authentication

This is not directly related to qmail, but I always set it up when I build a new server. Key-based authentication with password logins disabled greatly reduces the exposure of the server to password guessing over SSH.

I already have my keys generated on my home, which are being used on many servers. So I just need to copy my id_dsa.pub to the home directory of user kamran on the new server.

On my home computer:

WARNING: generate a key pair with the following ONLY if you don't have one already, and back up your current id_dsa and id_dsa.pub first. (DSA keys are fixed at 1024 bits; an RSA key of 2048 bits or more is the better choice today, and the rest of the procedure is identical.)

~]$ ssh-keygen -t dsa

Then copy the public key to the new server. Note the trailing colon: without it scp writes a local file named after the host instead of copying anything.

~]$ scp .ssh/id_dsa.pub kamran@192.168.0.200:

On my new qmail server:

Log on as user kamran. And then:

~]$ ssh localhost   # just a lazy way to create the .ssh directory in /home/kamran; not needed if it already exists

The public key sent from my home computer has now arrived in /home/kamran. Append it to the /home/kamran/.ssh/authorized_keys file:

~]$ cat id_dsa.pub >> .ssh/authorized_keys

~]$ chmod 600 .ssh/authorized_keys

Important: with StrictModes yes (set below) sshd ignores an authorized_keys file, or a .ssh directory, that is writable by group or others, and the login silently falls back to password authentication or fails.

~]$ rm id_dsa.pub

Next, log in as root and configure the SSH server to allow ONLY key-based authentication. Tighten it a bit too: disable root login and password authentication.

vi /etc/ssh/sshd_config

Protocol 2
SyslogFacility AUTHPRIV
LoginGraceTime 2m
PermitRootLogin no
StrictModes yes
MaxAuthTries 6

PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

PasswordAuthentication no
ChallengeResponseAuthentication no

GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

UsePAM yes

AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
X11Forwarding no
MaxStartups 5

Subsystem sftp /usr/libexec/openssh/sftp-server

Restart the sshd service. Keep the session you are working in open and, from a second terminal, confirm that key login works before you close it: with PasswordAuthentication no, a mistake here locks you out of the server.

service sshd restart
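As an added example (not part of the original guide): a small POSIX shell audit that prints the value sshd will actually use for each of the settings above and flags deviations. It exists because sshd takes the first occurrence of a keyword and ignores later ones, which makes a hand-edited file easy to get subtly wrong (a stray "PermitRootLogin yes" near the top beats a "no" added at the bottom). The file path is an argument; the configuration in the usage note is a constructed sample, not this server's file.

```shell
#!/bin/sh
# Added example, not part of the original guide: print the value sshd will
# actually use for each security-relevant keyword in a sshd_config file and
# flag anything that does not match the hardened settings.
# sshd honours the FIRST occurrence of a keyword and ignores later duplicates.
# Keywords are matched case-insensitively, as sshd does. Only the top-level
# section is read; a "Match" block applies conditionally and is not evaluated.
# Needs only POSIX sh and awk.

# effective_value FILE KEYWORD -> the first active value, lowercased (empty if unset)
effective_value() {
    ev_key=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    awk -v key="$ev_key" '
        /^[[:space:]]*#/ { next }                  # comment line
        NF == 0          { next }                  # blank line
        { sub(/=/, " ") }                          # accept "Keyword=value" too
        tolower($1) == "match" { exit }            # stop at the first Match block
        tolower($1) == key     { print tolower($2); exit }
    ' "$1"
}

# audit_sshd_config FILE -> one OK/FAIL line per check; returns 1 if any check fails
audit_sshd_config() {
    as_rc=0
    for want in Protocol=2 PermitRootLogin=no PasswordAuthentication=no \
                ChallengeResponseAuthentication=no PubkeyAuthentication=yes \
                X11Forwarding=no; do
        as_key=${want%%=*}
        as_expect=${want#*=}
        as_got=$(effective_value "$1" "$as_key")
        if [ "$as_got" = "$as_expect" ]; then
            printf 'OK   %-32s %s\n' "$as_key" "$as_got"
        else
            printf 'FAIL %-32s effective=%s expected=%s\n' \
                   "$as_key" "${as_got:-(compiled-in default)}" "$as_expect"
            as_rc=1
        fi
    done
    return $as_rc
}

# Usage on a real host:  audit_sshd_config /etc/ssh/sshd_config
```

A FAIL with "effective=(compiled-in default)" means the keyword is not set at all, so the result depends on the OpenSSH build rather than on your file; set it explicitly.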

Step: Setup / verify name resolution and IP, etc

cat /etc/hosts

127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
192.168.0.200 www.example.com www

cat /etc/resolv.conf

domain example.com
nameserver 72.51.32.92
nameserver 72.51.32.76
options rotate

cat /etc/sysconfig/network

NETWORKING=yes
HOSTNAME=www.example.com
DOMAIN=example.com
GATEWAYDEV=eth0

cat /etc/sysconfig/network-scripts/ifcfg-eth0

DEVICE=eth0
ONBOOT=yes
BOOTPROTO=static
IPADDR=192.168.0.200
NETMASK=255.255.255.0

Step: Install Software Prerequisites

  1. httpd, httpd-devel, apr
  2. php, php-imap, php-mysql, php-gd, php-pear, php-zlib, php-mbstring, php-xml
  3. perl, perl-libwww-perl, perl-Digest-SHA1, perl-Digest-HMAC, perl-Net-DNS, perl-HTML-Tagset, perl-HTML-Parser, perl-Time-HiRes, perl-TimeDate, perl-suidperl, perl-DateManip
  4. gcc, gcc-c++, libtool-ltdl, libtool-ltdl-devel
  5. mysql-server, mysql-devel, postgresql-devel
  6. openssl, openssl-devel, openldap-servers
  7. wget
  8. patch, patchutils
  9. pcre-devel
  10. gdbm-devel
  11. db4, db4-devel
  12. fam fam-devel gamin-devel
  13. net-snmp + net-snmp-utils + net-snmp-libs
  14. mrtg
  15. spamassassin, expect, zlib-devel

yum -y install net-snmp net-snmp-utils net-snmp-libs mrtg httpd httpd-devel php php-imap php-mysql php-gd php-pear php-zlib php-mbstring php-xml gcc gcc-c++ gdbm-devel pcre-devel libtool-ltdl libtool-ltdl-devel mysql-server mysql-devel db4 db4-devel postgresql-devel openssl openssl-devel openldap-servers perl perl-libwww-perl perl-Digest-SHA1 perl-Digest-HMAC perl-Net-DNS perl-HTML-Tagset perl-HTML-Parser perl-Time-HiRes perl-TimeDate perl-suidperl perl-DateManip spamassassin expect zlib-devel fam fam-devel gamin-devel patch patchutils

Step: Install necessary perl modules

You can run the following script from the QMR package to check which of the required perl modules are installed:

/downloads/qmailrocks/scripts/util/check_perlmods.script

The technique used in this script is:

perldoc -l Time::HiRes

which prints the path of the module, or an error if it is not installed. A cheaper check that needs no documentation installed is to load the module and do nothing; the exit status is 0 when the module is present:

perl -MTime::HiRes -e 1

Install the missing ones through CPAN:

perl -MCPAN -e "install Bundle::CPAN"
perl -MCPAN -e "reload"

perl -MCPAN -e "install Digest::SHA1"
perl -MCPAN -e "install Digest::HMAC"
perl -MCPAN -e "install HTML::Tagset"
perl -MCPAN -e "install HTML::Parser"
perl -MCPAN -e "install Parse::Syslog"
perl -MCPAN -e "install Statistics::Distributions"
perl -MCPAN -e "install ClamAV::Client"
perl -MCPAN -e "install Mail::SpamAssassin"
perl -MCPAN -e "install Mail::SPF::Query"
perl -MCPAN -e "install IP::Country::Fast"
perl -MCPAN -e "install MIME::Base64"
perl -MCPAN -e "install Getopt::Long"
perl -MCPAN -e "install URI::Escape"
perl -MCPAN -e "install Mail::SPF"

perl -MCPAN -e "install IO::Zlib"
perl -MCPAN -e "install Test::Harness"
perl -MCPAN -e "install Test::Simple"
perl -MCPAN -e "install Mail::DKIM"
perl -MCPAN -e "install Mail::DomainKeys"
perl -MCPAN -e "install Crypt::OpenSSL::Bignum"
perl -MCPAN -e "install IO::Socket::INET6"
perl -MCPAN -e "install IO::Socket::SSL"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::DCC"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::Razor2"
perl -MCPAN -e "install Socket6"
perl -MCPAN -e "install Date::Manip"
perl -MCPAN -e "install DB_File"

perl -MCPAN -e "install Time::HiRes" # problem (done manually, see below)
perl -MCPAN -e "install Archive::Tar" # problem (done manually, see below)
perl -MCPAN -e "install Net::Ident" # problem (done manually, see below)
perl -MCPAN -e "install Razor2::Client::Agent" # will be installed with the Razor software
perl -MCPAN -e "install File::Copy" # problem (File::Copy ships with core perl)
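Added example, not from the original guide: a shell wrapper around the perl -M check described above that reports only the modules that are missing and drives CPAN for just those, instead of re-running every install line. Module names are passed as arguments; the CPAN invocation is the same one used in the list above.

```shell
#!/bin/sh
# Added example (not part of the original guide): check a list of Perl modules
# with "perl -MModule -e 1" and report only the ones that are missing, so that
# exactly those can be handed to CPAN.

# perl_missing_modules MODULE... -> prints missing module names, one per line;
# returns 0 when all are present, 1 otherwise
perl_missing_modules() {
    pm_missing=0
    for pm_mod in "$@"; do
        # -M loads the module; -e 1 is an empty program, so only the load is tested
        if ! perl -M"$pm_mod" -e 1 2>/dev/null; then
            printf '%s\n' "$pm_mod"
            pm_missing=1
        fi
    done
    return $pm_missing
}

# cpan_install_missing MODULE... -> runs CPAN only for modules that fail the check
cpan_install_missing() {
    perl_missing_modules "$@" | while read -r ci_mod; do
        printf 'installing %s\n' "$ci_mod"
        perl -MCPAN -e "install $ci_mod"
    done
}

# Usage: cpan_install_missing Digest::SHA1 Digest::HMAC Mail::SpamAssassin Mail::DKIM
```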

If you are getting the following error in your cron mails,

Subroutine main::AF_INET6 redefined at /usr/lib/perl5/5.8.8/Exporter.pm line 65.
at /usr/bin/mrtg line 97

or the same error when running "env LANG=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg" by hand, then install the following from source:

mkdir /downloads/qmailnew

cd /downloads/qmailnew

wget http://search.cpan.org/CPAN/authors/id/J/JG/JGMYERS/Encode-Detect-1.00.tar.gz  
tar xzf Encode-Detect-1.00.tar.gz  
cd Encode-Detect-1.00  
perl Makefile.PL && make && make install

cd /downloads/qmailnew  
wget http://search.cpan.org/CPAN/authors/id/J/JH/JHI/Time-HiRes-1.9715.tar.gz  
tar xzf Time-HiRes-1.9715.tar.gz  
cd Time-HiRes-1.9715  
perl Makefile.PL && make && make install  

cd /downloads/qmailnew  
wget http://search.cpan.org/CPAN/authors/id/O/OL/OLAF/Net-DNS-0.63.tar.gz  
tar xzf Net-DNS-0.63.tar.gz  
cd Net-DNS-0.63  
perl Makefile.PL && make && make install  

cd /downloads/qmailnew  
wget http://search.cpan.org/CPAN/authors/id/J/JP/JPC/Net-Ident-1.20.tar.gz  
tar xzf Net-Ident-1.20.tar.gz  
cd Net-Ident-1.20  
perl Makefile.PL && make && make install  

cd /downloads/qmailnew  
wget http://search.cpan.org/CPAN/authors/id/K/KA/KANE/Archive-Tar-1.38.tar.gz  
tar xzf Archive-Tar-1.38.tar.gz  
cd Archive-Tar-1.38  
perl Makefile.PL && make && make install  

cd /downloads/qmailnew  
wget http://search.cpan.org/CPAN/authors/id/G/GO/GOZER/mod_perl-2.0.4.tar.gz  
tar xzf mod_perl-2.0.4.tar.gz  
cd mod_perl-2.0.4  
perl Makefile.PL && make && make install  

mod_perl's Makefile.PL asks for the path to apxs; find it with:

rpm -ql httpd-devel | grep -i apxs
/usr/sbin/apxs

perl-Time-HiRes may not get installed by yum. Install it through CPAN or from source as shown above.

Step: Setup and harden Apache, Generate SSL certificate for apache

cd /etc/httpd/conf.d

mv manual.conf manual.conf.disabled  
mv proxy_ajp.conf proxy_ajp.conf.disabled  
mv python.conf python.conf.disabled  
mv squid.conf squid.conf.disabled  
mv welcome.conf welcome.conf.disabled  

vi /etc/httpd/conf/httpd.conf

(Unload unnecessary modules. mod_authnz_ldap depends on mod_ldap and is not needed here either, so comment out both.)

#LoadModule ldap_module modules/mod_ldap.so

#LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

#LoadModule dav_module modules/mod_dav.so

#LoadModule dav_fs_module modules/mod_dav_fs.so

#LoadModule speling_module modules/mod_speling.so

#LoadModule userdir_module modules/mod_userdir.so

#LoadModule proxy_module modules/mod_proxy.so

#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so

#LoadModule proxy_http_module modules/mod_proxy_http.so

#LoadModule proxy_connect_module modules/mod_proxy_connect.so

User apache
Group apache

ServerAdmin webmaster@example.com

ServerName www.example.com:80
ServerSignature Off

UseCanonicalName Off

DocumentRoot "/var/www/html"

DirectoryIndex index.html index.php index.html.var

AccessFileName .htaccess

<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>

ServerSignature Off only strips the version string from server-generated pages; the Server response header still announces it unless ServerTokens is lowered as well.

Comment out the following (MUST):

#AddDefaultCharset UTF-8

The AddCharset lines that follow it stay as shipped:

AddCharset ISO-8859-1 .iso8859-1 .latin1
AddCharset ISO-8859-2 .iso8859-2 .latin2 .cen
AddCharset ISO-8859-3 .iso8859-3 .latin3
AddCharset ISO-8859-4 .iso8859-4 .latin4
AddCharset ISO-8859-5 .iso8859-5 .latin5 .cyr .iso-ru
AddCharset ISO-8859-6 .iso8859-6 .latin6 .arb
AddCharset ISO-8859-7 .iso8859-7 .latin7 .grk
AddCharset ISO-8859-8 .iso8859-8 .latin8 .heb
AddCharset ISO-8859-9 .iso8859-9 .latin9 .trk
AddCharset ISO-2022-JP .iso2022-jp .jis
AddCharset ISO-2022-KR .iso2022-kr .kis
AddCharset ISO-2022-CN .iso2022-cn .cis
AddCharset Big5 .Big5 .big5

AddCharset WINDOWS-1251 .cp-1251 .win-1251
AddCharset CP866 .cp866
AddCharset KOI8-r .koi8-r .koi8-ru
AddCharset KOI8-ru .koi8-uk .ua
AddCharset ISO-10646-UCS-2 .ucs2
AddCharset ISO-10646-UCS-4 .ucs4
AddCharset UTF-8 .utf8

AddCharset GB2312 .gb2312 .gb
AddCharset utf-7 .utf7
AddCharset utf-8 .utf8
AddCharset big5 .big5 .b5
AddCharset EUC-TW .euc-tw
AddCharset EUC-JP .euc-jp
AddCharset EUC-KR .euc-kr
AddCharset shift_jis .sjis

NameVirtualHost *:80

<VirtualHost *:80>
ServerAdmin webmaster@example.com
DocumentRoot /var/www/vhosts/example.com/httpdocs
ServerName www.example.com
ErrorLog /var/www/vhosts/example.com/logs/error_log
CustomLog /var/www/vhosts/example.com/logs/access_log common
</VirtualHost>

On the OS you need the matching directory layout and an owner for the content. The vhost directory and httpdocs are owned by the upload account (examplecom) with group apache, httpdocs with setgid so new files inherit the group; Apache can read but not write the site, examplecom can enter its own home (the FTP chroot in a later step depends on that), and nobody else can read anything. Do not chown the whole tree to apache before tightening it to 0750: examplecom is not in group apache and would be locked out of its own home directory.

mkdir -p /var/www/vhosts/example.com/{httpdocs,logs}
useradd -g users -s /sbin/nologin -d /var/www/vhosts/example.com/ examplecom
passwd examplecom
chown apache:apache /var/www/vhosts/example.com/logs
chown examplecom:apache /var/www/vhosts/example.com
chown examplecom:apache /var/www/vhosts/example.com/httpdocs -R
chmod 0750 /var/www/vhosts/example.com
chmod 2750 /var/www/vhosts/example.com/httpdocs

service httpd restart

Step: Transfer web content from your old server to new one [optional]

Time to transfer web content from old server to our new server.

Login to new example server, as root and go in the parent directory of the document root of example.com. In my case the document root is /var/www/vhosts/example.com/httpdocs. So I would go in /var/www/vhosts/example.com .

Start lftp from this new server’s command prompt, and connect to remote old server.

Type mirror at the lftp prompt and press enter. Let the magic happen. Keep in mind that plain FTP carries the password and the content in the clear; if the old server also offers SFTP or FTPS, use that instead (lftp speaks both).

[root@www example.com]# lftp -u example www.oldserver.com
Password:

lftp example@www.oldserver.com

~> ls
drwxr-xr-x 5 example psacln 4096 Nov 12 14:30 anon_ftp
drwxr-xr-x 2 example psacln 4096 Nov 12 14:30 bin
drwxr-xr-x 3 example psacln 4096 Jul 22 2006 cgi-bin
drwxr-xr-x 2 example psacln 4096 Mar 29 15:08 conf
drwxr-xr-x 2 example psacln 4096 Jul 22 2006 error_docs
drwxr-xr-x 16 example psacln 4096 May 6 07:27 httpdocs
drwxr-xr-x 7 example psacln 4096 Nov 12 21:04 httpsdocs
drwxr-xr-x 2 example psacln 4096 Mar 29 15:08 pd
drwxr-xr-x 2 example psacln 4096 Jul 22 2006 private
dr-xr-xr-x 7 example psacln 4096 Nov 12 14:30 statistics
drwxr-xr-x 2 example psacln 4096 Nov 12 14:30 subdomains
drwxr-xr-x 2 example psacln 4096 Nov 12 14:30 web_users

lftp example@www.oldserver.com

/> mirror


`squid3.avi’ at 51904512 (30%) 963.6K/s eta:2m [Receiving data]

Step: Setup Time Zone for new server

Local Time

[root@www example.com]# cat /etc/localtime
(binary TZif data; the zone string at the end reads UTC0)

[root@www example.com]# rm /etc/localtime
rm: remove regular file `/etc/localtime'? y

[root@www example.com]# ln -s /usr/share/zoneinfo/Asia/Karachi /etc/localtime

[root@www example.com]# cat /etc/localtime
(binary TZif data; the zone string at the end now reads PKT-5)

Step: Shutdown unnecessary services

service sendmail stop  
chkconfig --level 35 sendmail off  
  
service cups stop  
chkconfig --level 35 cups off  
  
nmap localhost  
  
PORT STATE SERVICE  
22/tcp open ssh  
80/tcp open http  
225/tcp open unknown  
443/tcp open https  
  
[root@www ~]# netstat -antp | grep 225  
tcp 0 0 0.0.0.0:225 0.0.0.0:* LISTEN 1972/sbadm  
  
[root@www ~]# chkconfig --level 35 sbadm off  
  
[root@www ~]# service sbadm stop  
  
[root@www ~]# nmap localhost  
  
PORT STATE SERVICE  
22/tcp open ssh  
80/tcp open http  
443/tcp open https  
  
[root@www ~]# netstat -antp | grep LISTEN  
tcp 0 0 0.0.0.0:40147 0.0.0.0:* LISTEN 2131/perl  
tcp 0 0 :::80 :::* LISTEN 1985/httpd  
tcp 0 0 :::22 :::* LISTEN 1926/sshd  
tcp 0 0 :::443 :::* LISTEN 1985/httpd  
  
  
40147 is webmin, and I NEVER want it on my server.
  
[root@www ~]# /etc/rc.d/init.d/webmin stop  
Stopping Webmin server in /usr/local/webmin-1.330  
  
[root@www ~]# rm -fr /usr/local/webmin-1.330  
  
[root@www ~]# netstat -antp | grep LISTEN  
tcp 0 0 :::80 :::* LISTEN 1985/httpd  
tcp 0 0 :::22 :::* LISTEN 1926/sshd  
tcp 0 0 :::443 :::* LISTEN 1985/httpd  
  
  
chkconfig --level 35 sendmail off
chkconfig --level 35 cups off
chkconfig --level 35 firstboot off
chkconfig --level 35 bluetooth off
chkconfig --level 35 ip6tables off
chkconfig --level 35 pcscd off
chkconfig --level 35 sbadm off
chkconfig --level 35 setroubleshoot off
chkconfig --level 35 webmin off

Two things to keep in mind here. First, "chkconfig --level 35" only touches runlevels 3 and 5; a service you want gone everywhere is better disabled with a plain "chkconfig NAME off". Second, ip6tables is being switched off while httpd and sshd, as the netstat output above shows, listen on :::80, :::22 and :::443, i.e. on IPv6 as well; either keep ip6tables with the same rules as iptables, or make sure IPv6 is not routed to this host.
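The port-by-port inspection above can be scripted. The following is an added example (not from the original guide) that reads a "netstat -antp" dump from stdin, extracts every TCP LISTEN socket, and compares port/program against an allowlist of what this host is meant to run. The allowlist and the sample dump used in the test are assumptions constructed from the output shown above.

```shell
#!/bin/sh
# Added example (not from the original guide): audit the LISTEN sockets shown by
# "netstat -antp" against an allowlist of expected port/program pairs and flag
# everything else, as the manual nmap/netstat pass above does by eye.
# Input is read from stdin so it can be fed a captured dump from another host.

# Allowlist: "port/program", one per line; program is the name after the PID in
# netstat's PID/Program column. Adjust to what the host is supposed to run.
ALLOWED="22/sshd
80/httpd
443/httpd"

# audit_listeners < netstat_output -> one line per LISTEN socket; exit 1 if any unexpected
audit_listeners() {
    awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, "\n"); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)          # "0.0.0.0:225" or ":::80" -> port
            prog = $7; sub(/^[0-9]+\//, "", prog)    # "1972/sbadm" -> "sbadm"
            if (prog == "-") prog = "?"              # netstat run without permission to see the owner
            key = port "/" prog
            if (key in ok) { printf "ok         %-6s %s\n", port, prog }
            else           { printf "UNEXPECTED %-6s %s\n", port, prog; bad++ }
        }
        END { exit bad ? 1 : 0 }
    '
}

# Usage on a live host:  netstat -antp | audit_listeners
```

An UNEXPECTED line with program "?" means netstat could not see the owning process; rerun it as root before deciding what the socket belongs to.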

Step: Setup and Secure MySQL

chkconfig --level 35 mysqld on  
service mysqld start  
  
/usr/bin/mysqladmin -u root password 'secretpassword'

/usr/bin/mysqladmin -u root -h www.example.com password 'secretpassword'

Passing the password on the command line leaves it in root's shell history and, briefly, in the process list. The mysql_secure_installation script that ships with mysql-server prompts for it instead, and also removes the anonymous users and the test database that are handled by hand below.
  
mysql -u root -D mysql -p  
  
mysql> select user,password from user;
+------+------------------+
| user | password         |
+------+------------------+
| root | 09ac555e5b93c437 |
| root | 09ac555e5b93c437 |
|      |                  |
|      |                  |
+------+------------------+
4 rows in set (0.00 sec)

We need to delete the two rows with blank user names (the anonymous accounts) to further tighten security. The 16-character hashes also show that the pre-4.1 password format is in use (old_passwords=1 in /etc/my.cnf, the CentOS 5 default), which is the weaker of the two hashing schemes MySQL 5.0 supports.
  
  
mysql> delete from user where user="";  
Query OK, 2 rows affected (0.00 sec)  
  
mysql> commit;  
Query OK, 0 rows affected (0.00 sec)  
  
mysql> flush privileges;  
Query OK, 0 rows affected (0.00 sec)  
  

Step: Setup FTP (VSFTPD)

The examplecom account was created in the Apache step above; run these two commands only if you skipped that:

useradd -g users -s /sbin/nologin -d /var/www/vhosts/example.com/ examplecom
passwd examplecom
 
[root@www httpd]# vi /etc/vsftpd/vsftpd.conf  
  
anonymous_enable=NO  
local_enable=YES  
write_enable=YES  
local_umask=022  
anon_upload_enable=NO  
anon_mkdir_write_enable=NO  
dirmessage_enable=YES  
xferlog_enable=YES  
connect_from_port_20=YES  
xferlog_file=/var/log/vsftpd.log  
xferlog_std_format=YES  
nopriv_user=nobody  
ftpd_banner=Welcome to blah FTP service at example.com . You are being watched.  
chroot_local_user=YES  
listen=YES  
pam_service_name=vsftpd  
userlist_enable=YES  
tcp_wrappers=YES

With userlist_enable=YES and vsftpd's default userlist_deny=YES, every account named in /etc/vsftpd/user_list (root and the system accounts on CentOS) is rejected before a password is even sent. Plain FTP still sends the examplecom password in the clear on every login; vsftpd can wrap the session in TLS (ssl_enable) with a server certificate, which is worth doing once a certificate is available.
  
  
chkconfig --level 35 vsftpd on  
  
[root@www conf.d]# service vsftpd restart  
Shutting down vsftpd: [ OK ]  
Starting vsftpd for vsftpd: [ OK ]  
  
[root@www conf.d]# ps aux | grep -i vsftpd  
root 6459 0.0 0.0 5056 508 ? Ss 11:37 0:00 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf  
root 6462 0.0 0.0 4096 584 pts/0 R+ 11:37 0:00 grep -i vsftpd  

Step: Setup SNMP and MRTG

yum -y install net-snmp net-snmp-utils net-snmp-libs  
  
  
vi /etc/snmp/snmpd.conf  
  
MRTG is the only consumer of this agent and it polls localhost, so the community is bound to 127.0.0.1 rather than "default" (any source); widen it only if a remote poller needs it, and never expose a read-only community with a guessable string to the network. The write view is set to none, since nothing here needs SNMP SET.

com2sec notConfigUser 127.0.0.1 secretsnmp
group notConfigGroup v1 notConfigUser
view roview included .1
access notConfigGroup "" any noauth exact roview none none
syslocation SomewhereinUS
syscontact Root <kamran@example.com>
disk /
load 12 14 14
pass .1.3.6.1.4.1.4413.4.1 /usr/bin/ucd5820stat
  
  
service snmpd start  
chkconfig --level 35 snmpd on  

MRTG:

yum -y install mrtg  
  
  
cfgmaker --global "Options[_]: growright, bits, unknaszero" --ifref=ip --ifdesc=descr --noreversedns --global "WorkDir: /var/www/mrtg" --output=/etc/mrtg/mrtg.cfg secretsnmp@localhost  
  
indexmaker --output=/var/www/mrtg/index.html --title="www.example.com System Graphs" /etc/mrtg/mrtg.cfg  
  
  
env LANG=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg  
env LANG=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg  
env LANG=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg  
  
  
# vi /etc/httpd/conf.d/mrtg.conf  
  
Alias /mrtg /var/www/mrtg  
  
<Location /mrtg>
Order deny,allow
Allow from all
</Location>

This publishes the system graphs to the whole Internet. Load, disk and (later) mail and virus volumes are useful reconnaissance, so restrict /mrtg, and /usage from the Webalizer step below, to your own addresses or put them behind authentication.
  
  
service httpd restart  
  
  
  
Add additional graphs:  
  
vi /etc/mrtg/mrtg.cfg  
...  
...  
  
LoadMIBs: /usr/share/snmp/mibs/UCD-SNMP-MIB.txt, /usr/share/snmp/mibs/TCP-MIB.txt, /usr/share/snmp/mibs/HOST-RESOURCES-MIB.txt
  
  
Target[example_root]:dskPercent.1&dskPercent.1:secretsnmp@localhost  
MaxBytes[example_root]: 100  
Title[example_root]: DISK USAGE - /  
PageTop[example_root]: <h1>DISK Usage in % (/)</h1>  
Unscaled[example_root]: ymwd  
ShortLegend[example_root]: %  
YLegend[example_root]: DISK Utilization  
Legend1[example_root]: /:  
Legend2[example_root]: /:  
Legend3[example_root]:  
Legend4[example_root]:  
LegendI[example_root]: /:  
LegendO[example_root]: /:  
Options[example_root]: growright, unknaszero, gauge,nopercent  

  
Target[example_loadavg]: laLoad.2&laLoad.3:secretsnmp@localhost  
MaxBytes[example_loadavg]: 5000  
Title[example_loadavg]: Load Average  
PageTop[example_loadavg]: <h1>Load Average</h1>  
YLegend[example_loadavg]: Load Average  
ShortLegend[example_loadavg]:  
Legend1[example_loadavg]: Load average 5 min  
Legend2[example_loadavg]: Load average 15 min  
LegendI[example_loadavg]: 5min load avg  
LegendO[example_loadavg]: 15min load avg  
Options[example_loadavg]: nopercent,growright,noinfo,gauge, unknaszero  
 
  
  
Target[example_cpusum]:ssCpuRawUser.0&ssCpuRawUser.0:secretsnmp@localhost + ssCpuRawSystem.0&ssCpuRawSystem.0:secretsnmp@localhost + ssCpuRawNice.0&ssCpuRawNice.0:secretsnmp@localhost  
MaxBytes[example_cpusum]: 100  
Title[example_cpusum]: CPU Usage % (User+System+Nice)  
PageTop[example_cpusum]: <H1>CPU Usage % (User+System+Nice)</H1>  
ShortLegend[example_cpusum]: %  
YLegend[example_cpusum]: CPU Usage  
Legend1[example_cpusum]: CPU usage in %  
Legend2[example_cpusum]:  
Legend3[example_cpusum]:  
Legend4[example_cpusum]:  
LegendI[example_cpusum]: Active  
LegendO[example_cpusum]:  
Options[example_cpusum]: growright,nopercent, unknaszero  

  
  
Target[example_memory]: memTotalReal.0&memAvailReal.0:secretsnmp@localhost  
Options[example_memory]: nopercent,growright,gauge,noinfo, unknaszero  
Title[example_memory]: Free Memory  
PageTop[example_memory]: <H1>Free Memory</H1>  
MaxBytes[example_memory]: 2147483648  
YLegend[example_memory]: bytes  
ShortLegend[example_memory]: bytes  
kMG[example_memory]: k,M  
Legend1[example_memory]: Total Physical Memory  
Legend2[example_memory]: Free Physical Memory  
LegendI[example_memory]: Total Memory  
LegendO[example_memory]: Free Memory  
  
  
# Need to specify the download location of the mysql-load software.  
  
Target[example_mysql]: `/usr/local/mrtg-mysql/mrtg-mysql-load -c /usr/local/mrtg-mysql/mysql-load.conf`  
Options[example_mysql]: perminute, nopercent, integer, growright, unknaszero  
MaxBytes[example_mysql]: 200  
AbsMax[example_mysql]: 2000  
Unscaled[example_mysql]: dwmy  
Title[example_mysql]: MySQL load analysis  
PageTop[example_mysql]: <H1>MySQL load Analysis</H1>  
ShortLegend[example_mysql]: q/m  
  
  
Run index maker again:  
  
indexmaker --output=/var/www/mrtg/index.html --title="www.example.com System Graphs" /etc/mrtg/mrtg.cfg  
  
  
env LANG=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg  
env LANG=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg  
env LANG=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg  

Step: Setup Webalizer

WEBALIZER

mv /etc/httpd/conf.d/webalizer.conf /etc/httpd/conf.d/webalizer.conf.orig  
  
cat >> /etc/httpd/conf.d/webalizer.conf << EOF  
  
Alias /usage /var/www/usage  
  
<Location /usage>  
Order deny,allow  
Allow from all  
</Location>  
EOF  
  
service httpd restart  
  

Step: Actual Qmail Mail Server setup

*Step: Create the necessary users and directories:

Note: if you are going to set up multiple machines as qmail servers in a cluster, create the users and groups with the SAME UIDs and GIDs on every node. Ownership on a shared mail store (a central NFS mount, an iSCSI-based IP SAN, etc.) is by numeric ID, so a node whose vpopmail resolves to a different UID cannot read its users' mail, or worse, reads and writes somebody else's. Doing the same on a single-node setup also helps standardization and is good practice.

mkdir -p /var/qmail  
mkdir -p /usr/src/qmail  
  
groupadd -g 700 nofiles  
useradd -u 701 -g nofiles -d /var/qmail/alias -s /sbin/nologin -p '*' alias  
useradd -u 702 -g nofiles -d /var/qmail -s /sbin/nologin -p '*' qmaild  
useradd -u 703 -g nofiles -d /var/qmail -s /sbin/nologin -p '*' qmaill  
useradd -u 704 -g nofiles -d /var/qmail -s /sbin/nologin -p '*' qmailp  
groupadd -g 701 qmail  
useradd -u 705 -g qmail -d /var/qmail -s /sbin/nologin -p '*' qmailq  
useradd -u 706 -g qmail -d /var/qmail -s /sbin/nologin -p '*' qmailr  
useradd -u 707 -g qmail -d /var/qmail -s /sbin/nologin -p '*' qmails  
groupadd -g 702 vchkpw  
useradd -u 708 -g vchkpw -d /home/vpopmail -s /sbin/nologin -p '*' vpopmail  
  
  
mkdir -p /package  
chmod 1755 /package  
  
mkdir -p /var/log/qmail/qmail-send  
mkdir -p /var/log/qmail/qmail-smtpd  
mkdir -p /var/log/qmail/qmail-pop3d  
  
chown -R qmaill:root /var/log/qmail  
  
chmod -R 750 /var/log/qmail  
  
mkdir -p /var/qmail/supervise/qmail-smtpd/log  
mkdir -p /var/qmail/supervise/qmail-send/log  
mkdir -p /var/qmail/supervise/qmail-pop3d/log  
  
chmod +t /var/qmail/supervise/qmail-smtpd  
chmod +t /var/qmail/supervise/qmail-send  
chmod +t /var/qmail/supervise/qmail-pop3d  
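Added example, not part of the original guide: a check that the accounts created above exist with exactly the fixed UIDs and GIDs, meant to be run on every node of a cluster before the shared mail store is mounted. It takes the passwd and group files as arguments (defaulting to /etc/passwd and /etc/group) so copies pulled from other nodes can be checked from one place. The expected table is copied from the useradd/groupadd lines above; the passwd/group fragments in the test are constructed.

```shell
#!/bin/sh
# Added example (not part of the original guide): verify that the qmail accounts
# and groups on a host carry exactly the UIDs/GIDs fixed in the guide. File
# ownership on NFS/iSCSI is numeric, so one node with a drifted "vpopmail" UID
# reads or writes other users' mail.
# check_qmail_ids [PASSWD_FILE] [GROUP_FILE] -> one OK/FAIL line per entry;
# returns 1 on any mismatch or missing entry.

EXPECTED_GROUPS="nofiles:700
qmail:701
vchkpw:702"

EXPECTED_USERS="alias:701:700
qmaild:702:700
qmaill:703:700
qmailp:704:700
qmailq:705:701
qmailr:706:701
qmails:707:701
vpopmail:708:702"

check_qmail_ids() {
    cq_pw=${1:-/etc/passwd}
    cq_gr=${2:-/etc/group}
    cq_rc=0
    # groups: name -> gid (field 3 of group(5))
    printf '%s\n' "$EXPECTED_GROUPS" | (
        bad=0
        while IFS=: read -r name gid; do
            actual=$(awk -F: -v n="$name" '$1 == n { print $3 }' "$cq_gr")
            if [ "$actual" = "$gid" ]; then
                printf 'OK   group %-9s gid=%s\n' "$name" "$gid"
            else
                printf 'FAIL group %-9s gid=%s expected=%s\n' "$name" "${actual:-missing}" "$gid"
                bad=1
            fi
        done
        exit $bad
    ) || cq_rc=1
    # users: name -> uid:gid (fields 3 and 4 of passwd(5))
    printf '%s\n' "$EXPECTED_USERS" | (
        bad=0
        while IFS=: read -r name uid gid; do
            actual=$(awk -F: -v n="$name" '$1 == n { print $3 ":" $4 }' "$cq_pw")
            if [ "$actual" = "$uid:$gid" ]; then
                printf 'OK   user  %-9s uid:gid=%s\n' "$name" "$actual"
            else
                printf 'FAIL user  %-9s uid:gid=%s expected=%s:%s\n' "$name" "${actual:-missing}" "$uid" "$gid"
                bad=1
            fi
        done
        exit $bad
    ) || cq_rc=1
    return $cq_rc
}

# Usage on a node:  check_qmail_ids          (or: check_qmail_ids node2.passwd node2.group)
```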
  


From :-

Note: The qmail bin directory must reside on a filesystem that allows the use of executable and setuid() files. Some OS distributions automatically mount /var with the nosuid or noexec options enabled. On such systems, either these options should be disabled or /var/qmail/bin should reside on another filesystem without these options enabled. The Create directories section describes how to use symbolic links to accomplish the latter. If /var is mounted nosuid, you’ll probably see the following error message in the qmail-send logs:

delivery : deferral: Sorry,message_has_wrong_owner.(#4.3.5)



For ease of management, everything from the QMR package lives in /downloads/qmailrocks and everything newer in /downloads/qmailnew, so let's create both.

mkdir -p /downloads/qmailrocks  
mkdir -p /downloads/qmailnew  

Download the qmailrocks.tar.gz from www.qmailrocks.org in /downloads and untar it at the same location. This will create /downloads/qmailrocks and will have all the QMR files in it. This will help as a source of comparison of various software versions. Current stable release: 2.2.1 - 4/19/2006

cd /downloads/  
wget http://www.qmailrocks.org/downloads/qmailrocks.tar.gz  
tar xzf qmailrocks.tar.gz  



The official qmail website, http://cr.yp.to/qmail.html , has the same versions available as those supplied by QMR, so we will use the ones from the QMR package.

cd /usr/src/qmail  
tar xzf /downloads/qmailrocks/qmail-1.03.tar.gz  
tar xzf /downloads/qmailrocks/ucspi-tcp-0.88.tar.gz  
  
cd /package  
tar xzf /downloads/qmailrocks/daemontools-0.76.tar.gz  

Set up conf-split. Do NOT write 255 into conf-spawn as the original QMR guide does: the jms1 combined patch applied in the next step rewrites conf-spawn itself, and that hunk fails if the file already holds 255 (see below).

echo 211 > /usr/src/qmail/qmail-1.03/conf-split
## echo 255 > /usr/src/qmail/qmail-1.03/conf-spawn   (QMR step; skip it)

Step: Time to apply various patches to Qmail-1.03

Get latest combined patch (version 7.05) by jms1 from http://qmail.jms1.net/patches/combined-details.shtml

cd /downloads/qmailnew  
wget http://qmail.jms1.net/patches/qmail-1.03-jms1.7.05.patch  

This patch already contains the FORCE_TLS patch, so no need to further patch the qmail for forcetls (as it is done in the QMR guide).

Note that this combined patch does not contain patch for tarpitting! And we don’t need tarpitting as we are not using it.

Lets do the actual patching.

cd /usr/src/qmail/qmail-1.03/  
patch < /downloads/qmailnew/qmail-1.03-jms1.7.05.patch  

Note that one hunk fails for conf-spawn IF the file holds 255, as set up by the original QMR guide: the hunk wants to write 120 into conf-spawn and finds a different value there. The value cannot be more than 255 in any case, and on some systems not more than 125.

[On the run where it failed I forgave the error and moved on; I do not think it is that serious, since a rejected hunk simply leaves conf-spawn with its previous value.]

Since I left conf-spawn untouched this time, the patch set it to 120 and the hunk did not fail.

Step: Compile Qmail

Patching done. (I am not going to use the tarpit patch.)

Let’s do the actual compilation of Qmail now:

cd /usr/src/qmail/qmail-1.03  
  
make clean  
make man && make setup check  

Alhumdulillah. Qmail compiled successfully.

Let’s move on.

Run the config-fast script:

[root@www qmail-1.03]# ./config-fast www.example.com

Your fully qualified host name is www.example.com.
Putting www.example.com into control/me…
Putting example.com into control/defaultdomain…
Putting example.com into control/plusdomain…
Putting www.example.com into control/locals…
Putting www.example.com into control/rcpthosts…
Now qmail will refuse to accept SMTP messages except to www.example.com.
Make sure to change rcpthosts if you add hosts to locals or virtualdomains!
[root@www qmail-1.03]#



Important From: http://www.antagonism.org/qmr-faq.shtml

7.11 What is the difference between the locals and rcpthosts files in /var/qmail/control?

The locals file contains domains which reside locally on the machine. This means accounts listed in locals should have shell accounts on the machine. If you use vpopmail, your locals file should be empty but exist. This problem is prevalent in many qmailrocks installs as the instruction set wrongly instructs users to configure qmail using the "config-fast" shell script. Unless the user desires email accounts for his shell accounts, this is not the correct method. The following commands correct this error.

If /var/qmail/control/locals exists, run the first command. If not, you may skip to the second command.

# rm -f /var/qmail/control/locals  
# touch /var/qmail/control/locals  
# chmod 644 /var/qmail/control/locals  
# chown root.root /var/qmail/control/locals  

The rcpthosts file contains the domains for which qmail-smtpd will accept email. The rcpthosts file should contain the domain names only. Do not put in email addresses, hostnames or IP addresses into this file.



Though I have read the note above and implemented it on a few live servers, I do not agree with it. The reason is that if I do as advised in this note, mails destined for root, postmaster, etc. do not get delivered to the mailbox of postmaster. So we won't act upon this advice. I have only copied this note here to warn you.

Step: Generate the certificate (QMR guide)

make cert

[root@www qmail-1.03]# make cert

Country Name (2 letter code) [GB]:PK
State or Province Name (full name) [Berkshire]:Punjab
Locality Name (eg, city) [Newbury]:Islamabad
Organization Name (eg, company) [My Company Ltd]:example
Organizational Unit Name (eg, section) []:www
Common Name (eg, your name or your server’s hostname) []:www.example.com
Email Address []: webmaster@example.com

chmod 640 /var/qmail/control/servercert.pem
chown qmaild.qmail /var/qmail/control/servercert.pem
ln -s /var/qmail/control/servercert.pem /var/qmail/control/clientcert.pem
chown -R vpopmail:qmail /var/qmail/control/clientcert.pem /var/qmail/control/servercert.pem

The last chown overrides the one above it: in this setup qmail-smtpd runs as vpopmail, which must be able to read the certificate. servercert.pem also holds the unencrypted private key, which is why it stays mode 640 and must never be world-readable; verify with ls -l after the chown.
  

Step: Build ucspi-tcp

Before we build ucspi-tcp, we need to patch it for errno. This patch is included in the QMR package and also mentioned at www.lifewithqmail.org/lwq.html .

cd /usr/src/qmail/ucspi-tcp-0.88/
patch < /downloads/qmailrocks/patches/ucspi-tcp-0.88.errno.patch
  
make && make setup check  
  

Now we build the daemontools….

Daemon tools also need to be patched for errno. This patch is included in the QMR package and also mentioned at http://www.lifewithqmail.org/lwq.html#install-daemontools

cd /package/admin/daemontools-0.76/src  
patch < /downloads/qmailrocks/patches/daemontools-0.76.errno.patch  
cd /package/admin/daemontools-0.76  
  
./package/install  
  

You should be able to see svscanboot running:-

[root@www daemontools-0.76]# ps aux | grep svscan  
root 26092 0.0 0.0 2424 1012 ? Ss 12:13 0:00 /bin/sh /command/svscanboot  
root 26094 0.0 0.0 1664 340 ? S 12:13 0:00 svscan /service  
root 26097 0.0 0.0 4100 584 pts/0 R+ 12:13 0:00 grep svscan  

Step: EZMLM

You will need the mysql-devel package to be installed on the system before compiling this software.

yum install mysql-devel

The QMR package provides ezmlm-0.53-idx-0.41.tar.gz . The actual / raw version of this software is ezmlm-0.53 at http://cr.yp.to/ezmlm.html . However an extended version is at http://www.ezmlm.org.

At the time of this writing, the most recent stable version of ezmlm-idx is 6.0.1, and is available at http://www.ezmlm.org/archive/6.0.1/ . (Even the most recent version in the older stable series, 0.444, is newer than what the QMR package provides.)

There is a twist. The documentation in the 6.0.1 INSTALL file tells us to download the actual 0.53 (non-idx) version from http://cr.yp.to/ezmlm.html . Untar both the 0.53 and 6.0.1 versions in two separate directories. Then copy / move everything from the 6.0.1 directory into the 0.53 directory. Then patch the 0.53 code with the idx.patch file provided in 6.0.1. Configure the various conf-* files, and compile in the 0.53 directory.

Let’s download both.

cd /downloads/qmailnew  
wget http://cr.yp.to/software/ezmlm-0.53.tar.gz  
## wget http://www.ezmlm.org/archive/5.1.2/ezmlm-idx-5.1.2.tar.gz  
wget http://www.ezmlm.org/archive/6.0.1/ezmlm-idx-6.0.1.tar.gz  
tar xzf ezmlm-0.53.tar.gz  
tar xzf ezmlm-idx-6.0.1.tar.gz  
  
cp -r /downloads/qmailnew/ezmlm-idx-6.0.1/* /downloads/qmailnew/ezmlm-0.53/ --reply=yes  
  
cd /downloads/qmailnew/ezmlm-0.53  
  
patch < idx.patch  
  
Configure various config files:  
  
vi conf-etc  
/usr/local/etc/ezmlm  
  
vi conf-bin  
/usr/local/bin/ezmlm  
  
vi conf-qmail  
/var/qmail  
  
  
  
Edit the conf-sub, and change the storage from standard file location to mysql.  
  
vi conf-sub  
mysql  

Choose a subscription database support. Available supports are:

  • std (Default) filesystem
  • mysql MySQL database
  • pgsql Postgres database

####################### Removed in 6.0.1 ########
vi sub_mysql/conf-sqlcc
-I/usr/include/mysql



From the INSTALL.idx:-

5.RDBM Support.

MySQL:
If you want to compile ezmlm with MySQL support http://www.mysql.com,
edit conf-cc (include files) and conf-ld (library paths) to reflect
your MySQL installation (see MySQL documentation). The package
should work with MySQL version 3.22 and up.

vi conf-cc  
gcc -O -g -I/usr/include/mysql -I/usr/include/pgsql  
    
vi conf-ld  
cc -g -B /usr/lib/mysql/  

  
OR  
  
echo "/usr/local/etc/ezmlm" > conf-etc  
echo "/usr/local/bin/ezmlm" > conf-bin  
echo "/var/qmail" > conf-qmail  
echo "mysql" > conf-sub  
  
  
Time to compile.  
  
make clean  
make  
make man  
make mysql # new in 6.0.1  
make setup  
  
  
[root@www ezmlm-0.53]# ./ezmlm-test  

Verifying message header and body contents…
ezmlm-make: fatal: unable to stat /downloads/qmailnew/ezmlm-0.53/lang/default: file does not exist
ezmlm-make failed

[root@www ezmlm-0.53]# vi conf-lang  
[root@www ezmlm-0.53]# ls /downloads/qmailnew/ezmlm-0.53/lang/  
ch_GB cs da de en_US es fr hu id it ja nl pl pt pt_BR ru sv  
[root@www ezmlm-0.53]# ls /downloads/qmailnew/ezmlm-0.53/lang/en_US/  
ezmlmrc mailinglist sed text  

[root@www ezmlm-0.53]#  
  
ln -s /downloads/qmailnew/ezmlm-0.53/lang/en_US /downloads/qmailnew/ezmlm-0.53/lang/default  
  
You may want to create a ezmlm MySQL Database at this point.  
  
mysql -u root -p  
create database ezmlm;  
grant all on ezmlm.* to ezmlm@localhost identified by 'mysecret';  
flush privileges;  
  

Now, create the ezmlm tables in the database. You must use the “-f” option with mysql, which forces mysql to continue even when a statement fails.

./ezmlm-mktab-mysql -d list | mysql -D ezmlm -u ezmlm -pmysecret -f

You may get output as below:

[root@www ezmlm-0.53]# ./ezmlm-mktab-mysql -d list | mysql -D ezmlm -u ezmlm -pmysecret -f  

ERROR 1051 (42S02) at line 6: Unknown table 'list'  
ERROR 1051 (42S02) at line 7: Unknown table 'list_slog'  
ERROR 1051 (42S02) at line 8: Unknown table 'list_digest'  
ERROR 1051 (42S02) at line 9: Unknown table 'list_digest_slog'  
ERROR 1051 (42S02) at line 10: Unknown table 'list_mod'  
ERROR 1051 (42S02) at line 11: Unknown table 'list_mod_slog'  
ERROR 1051 (42S02) at line 12: Unknown table 'list_allow'  
ERROR 1051 (42S02) at line 13: Unknown table 'list_allow_slog'  
ERROR 1051 (42S02) at line 14: Unknown table 'list_deny'  
ERROR 1051 (42S02) at line 15: Unknown table 'list_deny_slog'  
ERROR 1051 (42S02) at line 17: Unknown table 'list_cookie'  
ERROR 1051 (42S02) at line 18: Unknown table 'list_mlog'  
ERROR 1051 (42S02) at line 19: Unknown table 'list_digest_cookie'  
ERROR 1051 (42S02) at line 20: Unknown table 'list_digest_mlog'  
[root@www ezmlm-0.53]#  

This is normal. These are just the error messages returned when the script tries to DROP these tables before creating them. If you are paranoid, you may run the command again. This time it will not give any errors, because the tables now exist from the first run and are dropped properly.

[root@www ezmlm-0.53]# ./ezmlm-mktab-mysql -d list | mysql -D ezmlm -u ezmlm -pmysecret -f
[root@www ezmlm-0.53]#
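
Because “-f” tells mysql to keep going past any error, it also keeps going past errors that are not the harmless DROP TABLE ones, for instance a wrong grant. The following added example (my own, not part of ezmlm-idx) separates the expected “ERROR 1051 … Unknown table” lines from anything else in a captured mysql output, so you can tell “normal” from “broken” without reading every line. The function name and the sample log lines are constructed; it assumes a POSIX sh.

```shell
#!/bin/sh
# Added example (not part of ezmlm-idx): sort the expected "Unknown table"
# noise of "ezmlm-mktab-mysql | mysql -f" out of anything that is a real
# failure, so the -f (keep going) flag cannot hide one.

# ezmlm_mktab_errors_ok LOGFILE
# Returns 0 when every ERROR line in the captured mysql output is the
# harmless "ERROR 1051 ... Unknown table" from the leading DROP TABLE
# statements, and 1 (printing the offending lines) otherwise.
ezmlm_mktab_errors_ok() {
    unexpected=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "ERROR 1051 "*"Unknown table"*) ;;                 # expected on a fresh database
            ERROR*) echo "unexpected: $line"; unexpected=1 ;;
        esac
    done < "$1"
    return $unexpected
}

# Demo on a constructed capture. On the real system capture it with
#   ./ezmlm-mktab-mysql -d list | mysql -D ezmlm -u ezmlm -p -f 2>&1 | tee mktab.log
# ("-p" with no password attached makes mysql prompt for it instead of
# showing it to every local user in the process list).
log=$(mktemp)
cat > "$log" <<'EOF'
ERROR 1051 (42S02) at line 6: Unknown table 'list'
ERROR 1051 (42S02) at line 7: Unknown table 'list_slog'
EOF
if ezmlm_mktab_errors_ok "$log"; then echo "only the expected DROP TABLE errors"; fi
rm -f "$log"
```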

Now execute the test program again:

./ezmlm-test -l ezmlm -p mysecret -h localhost

A successful test should look like this:-


[root@www ezmlm-0.53]# ./ezmlm-test -s mysql -p mysecret -u ezmlm -d ezmlm -h localhost  
ezmlm-make (1/2): OK  
Using subdb plugin: mysql  
ezmlm-reject: OK  
ezmlm-[un|is]sub[n]: OK  
ezmlm SQL: OK  
ezmlm non-SQL: OK  
ezmlm-send: OK  
ezmlm-tstdig: OK  
ezmlm-weed: OK  
ezmlm-make (2/2): OK  
ezmlm-clean: OK  
ezmlm-store: OK  
ezmlm-return: OK  
ezmlm-warn (1/2): OK  
ezmlm-manage (1/2): OK  
ezmlm-request: OK  
ezmlm-split: OK  
ezmlm-gate: OK  
ezmlm-idx: OK  
ezmlm-get (index): OK  
ezmlm-get (get): OK  
ezmlm-get (thread): OK  
ezmlm-get (digest): OK  
ezmlm-manage (2/2): OK  
ezmlm-moderate: OK  
ezmlm-warn (2/2): OK  
ezmlm-dispatch: OK  
Verifying message header and body contents...  
flags and substs: OK  
subscribe probe: OK  
unsubscribe probe: OK  
subscribe: OK  
unsubscribe: OK  
copylines: OK  
ezmlm-send: OK  
  
[root@www ezmlm-0.53]#  

Congratulations.

Step: AUTORESPONDER

autorespond-2.0.5.tar.gz is provided by the QMR package. This is the latest version on the net too. So let’s follow it.

cd /downloads/qmailrocks  
  
tar zxf autorespond-2.0.5.tar.gz  
  
cd autorespond-2.0.5  
  
make && make install  

Step: Courier Mail Drop

Install Courier MailDrop:- (This step would come after VPOPmail, Qmailadmin and Vqadmin in QMR. But I want to do it before VPOPmail, so I can tell vpopmail to use it / enable it in vpopmail.)

Note: At one time I thought that we don’t need maildrop at all! But when I removed it, it took away “reformime” with it, and Qmail-Scanner stopped working without reformime. So we do need Courier Maildrop.

Here is the output if I remove the maildrop rpm from the system and run the qmail-scanner (doit) script:

[root@www contrib]# ./test_installation.sh -doit

Sending standard test message - no viruses…
qmail-inject: fatal: qq temporary problem (#4.3.0)
Bad error. qmail-inject died
[root@www contrib]#

And I get the following in the /var/log/maillog :-

May 10 14:11:44 www X-Qmail-Scanner-2.04: d_m: output spotted from /usr/bin/reformime -x/var/spool/qscan/tmp/www.example.com121041070456210137/ (sh: /usr/bin/reformime: No such file or directory
May 10 14:16:19 www X-Qmail-Scanner-2.04: d_m: output spotted from /usr/bin/reformime -x/var/spool/qscan/tmp/www.example.com121041097956210184/ (sh: /usr/bin/reformime: No such file or directory

After re-installing maildrop, everything became fine again.

So, from the QMR site:
Part 7- Maildrop

Maildrop is a mail filtering agent which can be used to filter messages as they arrive on the server. You will probably notice, once this installation in complete, that you don’t really use maildrop. However, it’s a cool tool and it’s worth having around if you ever decide to get crazy with filtering your incoming mail. …..


And here is from the Qmail-Scanner website:-

Requirements

  • Netqmail 1.05 (or qmail-1.03 with patches)
  • daemontools-0.76+
  • reformime from Maildrop 1.3.8+

Let’s install Courier Maildrop

#Make sure you have pcre-devel and gcc-c++ installed on the system

yum install pcre-devel gcc-c++

In my opinion, this step should come before vpopmail. Also, from the maildrop homepage:

http://www.courier-mta.org/maildrop/

maildrop is the mail filter/mail delivery agent that’s used by the Courier Mail Server. You do not need to download maildrop from here if you already have Courier installed. This is a standalone build of the maildrop mail filter that can be used with other mail servers.

QMR provides maildrop-1.6.3.tar.gz, whereas the latest is maildrop-2.0.4.tar.bz2.

I will use maildrop-2.0.4 and will make an RPM out of the source file to install it.

cd /downloads/qmailnew  
  
wget http://prdownloads.sourceforge.net/courier/maildrop-2.0.4.tar.bz2  
  
tar xjf maildrop-2.0.4.tar.bz2  
  
cd /downloads/qmailnew/maildrop-2.0.4  

I have maildrop downloaded from the site and I updated its spec file as:

%configure --with-devel --enable-userdb --enable-maildirquota --enable-syslog=1 --enable-trusted-users='root mail daemon postmaster qmaild mmdf' --enable-restrict-trusted=0 --enable-maildrop-uid=root --enable-maildrop-gid=vchkpw

I then repackaged it as tar.bz2 and made an RPM out of it:

rm maildrop-2.0.4.tar.bz2  
  
tar cjf maildrop-2.0.4.tar.bz2 maildrop-2.0.4  
  
rpmbuild -ta maildrop-2.0.4.tar.bz2

Checking for unpackaged file(s): /usr/lib/rpm/check-files /var/tmp/maildrop-2.0.4-1-buildroot
Wrote: /usr/src/redhat/SRPMS/maildrop-2.0.4-1.src.rpm
Wrote: /usr/src/redhat/RPMS/i386/maildrop-2.0.4-1.i386.rpm
Wrote: /usr/src/redhat/RPMS/i386/maildrop-devel-2.0.4-1.i386.rpm
Wrote: /usr/src/redhat/RPMS/i386/maildrop-man-2.0.4-1.i386.rpm
Wrote: /usr/src/redhat/RPMS/i386/maildrop-debuginfo-2.0.4-1.i386.rpm
Executing(%clean): /bin/sh -e /var/tmp/rpm-tmp.76157

+ umask 022
+ cd /usr/src/redhat/BUILD
+ cd maildrop-2.0.4
+ rm -rf /var/tmp/maildrop-2.0.4-1-buildroot
+ exit 0

Now install the latest RPM


rpm -ivh /usr/src/redhat/RPMS/i386/maildrop-2.0.4-1.i386.rpm  
Preparing... ########################################### [100%]  
1:maildrop ########################################### [100%] 

Step: VPOPMAIL with MySQL support

vpopmail-5.4.13.tar.gz is supplied with QMR package.

Whereas version 5.4.25 is available on inter7’s sourceforge page:
http://sourceforge.net/project/showfiles.php?group_id=85937

Let’s download this new version:

  
cd /downloads/qmailnew  
wget http://optusnet.dl.sourceforge.net/sourceforge/vpopmail/vpopmail-5.4.25.tar.gz  
  
tar xzf vpopmail-5.4.25.tar.gz  
cd /downloads/qmailnew/vpopmail-5.4.25  

Let’s do the preparation first. We already created the vpopmail user and the vchkpw group earlier.

mkdir ~vpopmail/etc  
chown vpopmail:vchkpw ~vpopmail/etc  
echo "localhost|0|vpopmailuser|vpopmailpassword|vpopmail" > ~vpopmail/etc/vpopmail.mysql  

  
Create vpopmail Database:  
  
mysql -u root -p  
  
CREATE DATABASE vpopmail;  
  
GRANT all ON vpopmail.* TO vpopmailuser@localhost IDENTIFIED BY 'vpopmailpassword';  
  
Flush privileges;  

quit;

Try connecting:


mysql -u vpopmailuser -D vpopmail -pvpopmailpassword  
  
cd /downloads/qmailnew/vpopmail-5.4.25  
  
Note: QMR guide used the following switches for configuring vpopmail. Don't use them. Instead use the ones I have put below this line.  
  
[QMR Guide = ./configure --enable-logging=p --enable-auth-module=mysql --disable-passwd --enable-clear-passwd   
--disable-many-domains --enable-auth-logging --enable-sql-logging --enable-valias --disable-mysql-limits]  
  

⚠️WARNING : DO NOT USE the --enable-maildrop switch in vpopmail, otherwise you will not get any mails and will get the following “Unable to open mailbox” errors in the maillog:

May 9 20:04:07 www spamd[31043]: spamd: clean message (-1.4/5.0) for kamran@example.com:711 in 1.3 seconds, 934 bytes.
May 9 20:04:07 www spamd[31043]: spamd: result: . -1 - ALL_TRUSTED scantime=1.3,size=934,user=kamran@example.com,uid=711,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=54894,mid=<1830.203.82.59.56.1210345345.squirrel@192.168.0.200>,autolearn=unavailable,shortcircuit=no
May 9 20:04:07 www spamd[31040]: prefork: child states: II

May 9 20:04:07 www maildrop[19011]: Unable to open mailbox.



./configure --enable-logging=p --enable-auth-module=mysql --disable-clear-passwd --disable-many-domains --enable-sql-logging --enable-mysql-replication --enable-valias --enable-roaming-users --enable-spamassassin --enable-mysql-limits



config.status: creating Makefile
config.status: creating config.h
config.status: executing depfiles commands

vpopmail 5.4.25
Current settings


vpopmail directory = /home/vpopmail
domains directory = /home/vpopmail/domains
uid = 708
gid = 702
roaming users = ON --enable-roaming-users
tcpserver file = /home/vpopmail/etc/tcp.smtp
open_smtp file = /home/vpopmail/etc/open-smtp
rebuild tcpserver file = ON --enable-rebuild-tcpserver-file (default)
password learning = OFF --disable-learn-passwords (default)
md5 passwords = ON --enable-md5-passwords (default)
file locking = ON --enable-file-locking (default)
vdelivermail fsync = OFF --disable-file-sync (default)
make seekable = ON --enable-make-seekable (default)
clear passwd = OFF --disable-clear-passwd
user dir hashing = ON --enable-users-big-dir (default)
address extensions = OFF --disable-qmail-ext (default)
ip alias = OFF --disable-ip-alias-domains (default)
onchange script = OFF --disable-onchange-script (default)
auth module = mysql --enable-auth-module=mysql
mysql replication = ON --enable-mysql-replication
sql logging = ON --enable-sql-logging
mysql limits = ON --enable-mysql-limits
SQL valias table = ON --enable-valias
auth inc = -I/usr/include/mysql
auth lib = -L/usr/lib/mysql -lmysqlclient -lz -lm
system passwords = OFF --disable-passwd (default)
pop syslog = show failed attempts with clear text password --enable-logging=p
auth logging = ON --enable-auth-logging (default)
one domain per SQL table = --disable-many-domains
spamassassin = ON --enable-spamassassin
maildrop = OFF --disable-maildrop (default)


Now compile it:

make && make install-strip


/usr/bin/install -c -o vpopmail -m 711 -g vchkpw -s 'dotqmail2valias' '/home/vpopmail/bin/dotqmail2valias'
/usr/bin/install -c -o vpopmail -m 711 -g vchkpw -s 'vpopmaild' '/home/vpopmail/bin/vpopmaild'
make[3]: Leaving directory `/downloads/qmailnew/vpopmail-5.4.25'
make[2]: Leaving directory `/downloads/qmailnew/vpopmail-5.4.25'
make[1]: Leaving directory `/downloads/qmailnew/vpopmail-5.4.25'


Step: VQADMIN

QMR package provides vqadmin-2.3.6.tar.gz . The homepage of vqadmin http://www.inter7.com/vqadmin provides us vqadmin-2.3.7.tar.gz . Let’s use that.

cd /downloads/qmailnew/  
  
wget http://www.inter7.com/vqadmin/vqadmin-2.3.7.tar.gz  
  
tar xzf vqadmin-2.3.7.tar.gz  
  
cd /downloads/qmailnew/vqadmin-2.3.7  
  
mkdir /var/www/vqadmin 

chown apache:apache /var/www/vqadmin -R  
  

📝Note that the --enable-htmldir option in the command below seems to be deprecated in newer versions of vqadmin (even in the one I am using right now). This means it does not need to be given to the configure script, as it has no effect.

./configure --enable-cgibindir=/var/www/cgi-bin --enable-htmldir=/var/www/vqadmin

make && make install-strip


Setup a .conf file in /etc/httpd/conf.d/ as vqadmin.conf

cat >> /etc/httpd/conf.d/vqadmin.conf << EOF

Alias /vqadmin /var/www/vqadmin

<Directory /var/www/vqadmin>
Order deny,allow
Allow from all
</Directory>
EOF

  
Edit the Apache config file and add the following:  

vi /etc/httpd/conf/httpd.conf

<Directory "/var/www/cgi-bin/vqadmin">
Allow from all
Options ExecCGI
AllowOverride AuthConfig
Order deny,allow
</Directory>

  
  
Secure VQADMIN

cat >> /var/www/cgi-bin/vqadmin/.htaccess << EOF

AuthType Basic

#AuthUserFile will also be at a common place, such as /var/www/.htpasswd.vqadmin

AuthUserFile /var/www/.htpasswd.vqadmin
AuthName vQadmin
require valid-user

##satisfy any

EOF

chown apache:apache /var/www/cgi-bin/vqadmin/.htaccess

chmod 640 /var/www/cgi-bin/vqadmin/.htaccess

#The QMR guide suggests 644 , which is too lax I think

htpasswd -bc /var/www/.htpasswd.vqadmin admin vqadminpassword

chown apache:apache /var/www/.htpasswd.vqadmin # This step is not in QMR.

chmod 640 /var/www/.htpasswd.vqadmin

service httpd restart


Open the following link in web browser:
http://10.1.2.3/cgi-bin/vqadmin/vqadmin.cgi

If you see a white page with only the vqadmin menu on it, check your Apache error log.

Apache error log:-

[Thu May 08 16:51:18 2008] [error] [client 203.82.59.56] File does not exist:
/var/www/vhosts/example.com/httpdocs/images,
referer: http://192.168.0.200/cgi-bin/vqadmin/vqadmin.cgi

The solution is :-

ln -s /var/www/html/images /var/www/vhosts/example.com/httpdocs/

chown apache:apache /var/www/html -R


Add a domain “example.com” in vqadmin .

postmaster password: postmasterpassword

Created Domain
Domain postmaster added

Step: QMAILADMIN

QMR provides qmailadmin-1.2.9.tar.gz .
The latest release on Inter7 is 1.2.11.
The latest devel version is 1.2.12 .

cd /downloads/qmailnew/
wget http://internap.dl.sourceforge.net/sourceforge/qmailadmin/qmailadmin-1.2.12.tar.gz

tar xzf qmailadmin-1.2.12.tar.gz
cd /downloads/qmailnew/qmailadmin-1.2.12

—————————————– [ optional ] ————-

mkdir /var/www/qmailadmin  
  
cat >> /etc/httpd/conf.d/qmailadmin.conf << EOF  
  
Alias /qmailadmin /var/www/qmailadmin  
  
<Directory /var/www/qmailadmin>  
Order deny,allow  
Allow from all  
</Directory>  
EOF  
  
  
chown apache:apache /var/www/qmailadmin  
  
service httpd restart  

——————————————-[ optional end ]—————

./configure --enable-cgibindir=/var/www/cgi-bin --enable-htmldir=/var/www/qmailadmin --enable-imageurl=/qmailadmin/images/qmailadmin

./configure --enable-cgibindir=/var/www/cgi-bin --enable-htmldir=/var/www/qmailadmin \
--enable-imagedir=/var/www/qmailadmin/images --enable-imageurl=/qmailadmin/images \
--enable-modify-quota

qmailadmin 1.2.12 Current settings

cgi-bin dir = /var/www/cgi-bin
html dir = /var/www/qmailadmin
image dir = /var/www/qmailadmin/images
image URL = /qmailadmin/images
template dir = /usr/local/share/qmailadmin
qmail dir = /var/qmail
vpopmail dir = /home/vpopmail
autorespond dir = /usr/bin
ezmlm dir = /usr/local/bin/ezmlm
ezmlm idx = yes
mysql for ezmlm = yes
help = no
modify quota = no
domain autofill = no
modify spam check = no

make && make install-strip

Try logging on to the URL:

http://192.168.0.200/cgi-bin/qmailadmin

and try adding a few users.

Email Account kamran@example.com (Muhammad Kamran Azeem) added successfully

Alhumdulillah.

📝Note: Error: If you are seeing a blank page after you add a user in vqadmin, then read the note below:-

####################### NOTE : start #####################################

Blank page after adding a user.

[Tue Apr 01 05:00:42 2008] [error] [client 210.2.164.144] vmysql: can’t read settings from /home/vpopmail/etc/vpopmail.mysql, referer: http://10.1.2.3/cgi-bin/qmailadmin
[Tue Apr 01 05:00:42 2008] [error] [client 210.2.164.144] Premature end of script headers: qmailadmin, referer: http://10.1.2.3/cgi-bin/qmailadmin

The file permissions of the file /home/vpopmail/etc/vpopmail.mysql are 640, to protect the mysql root password from ordinary users. If I change it to 644, to allow apache to read this file, other ordinary users will also be able to look into this file.
Maybe I should add apache to the group vchkpw.

vi /etc/group
vchkpw:x:702:apache

Still the same problem. I need to investigate it further. At the moment I am continuing with 644 on this file.

Still the same problem. I notice that :-

[root@www qmailadmin-1.2.12]# ls -l /home/  
total 12  
drwx------ 4 akhan users 4096 Mar 28 22:05 akhan  
drwx------ 2 vmail vmail 4096 Mar 29 02:25 vmail  
drwx------ 8 vpopmail vchkpw 4096 Apr 1 03:34 vpopmail  
  
[root@www qmailadmin-1.2.12]# ls -l /var/www/cgi-bin/  
total 160  
-rwsr-sr-x 1 vpopmail vchkpw 151864 Apr 1 04:57 qmailadmin  

Corrected. Basically I incorrectly set up the permission of the directory ~vpopmail/etc as 640. This stupid step of mine resulted in the inability of group vchkpw to “change directory into” ~vpopmail/etc and read the vpopmail.mysql file.

Removed apache from the group membership of vchkpw in /etc/group.

vi /etc/group
vchkpw:x:702:

Email Account kamran@example.com (Muhammad Kamran Azeem) added successfully

Alhumdulillah. The qmailadmin web interface seems to be behaving correctly.
####################################### NOTE : end #######################################
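
The blank-page hunt above comes down to two permission facts: a file holding a database password must not be world-readable (the 644 fallback hands it to every local user), and a directory without the search (x) bit cannot be entered by anyone it is not set for, whatever the file inside allows; a 640 directory grants it to nobody. The script below is an added example, not the QMR guide's or vpopmail's own, that audits one credential file against both rules; it applies equally to /var/www/.htpasswd.vqadmin and /var/qmail/control/servercert.pem. Function names and the sample tree are mine; it assumes GNU or busybox stat with the -c %a/%U/%G formats.

```shell
#!/bin/sh
# Added example (not from the QMR guide): audit a credential-bearing file such
# as ~vpopmail/etc/vpopmail.mysql, /var/www/.htpasswd.vqadmin or
# /var/qmail/control/servercert.pem. Checks owner and group, that "other" has
# no access bits at all, and that the expected owner or group can search every
# parent directory. Assumes GNU/busybox stat (-c %a %U %G).

# dir_searchable_by DIR USER GROUP -> 0 when USER (as owner), members of GROUP,
# or everyone have the search (x) bit on DIR
dir_searchable_by() {
    m=$(stat -c %a "$1")                       # e.g. 750 or 1777; no leading zero
    own=$(((m / 100) % 10)); grp=$(((m / 10) % 10)); oth=$((m % 10))
    [ $((oth & 1)) -eq 1 ] && return 0
    [ "$(stat -c %U "$1")" = "$2" ] && [ $((own & 1)) -eq 1 ] && return 0
    [ "$(stat -c %G "$1")" = "$3" ] && [ $((grp & 1)) -eq 1 ] && return 0
    return 1
}

# audit_secret_file PATH OWNER GROUP -> prints each finding, returns 1 if any
audit_secret_file() {
    path=$1; want_owner=$2; want_group=$3; rc=0
    dir=$(dirname "$path")                     # walk up first: the file itself may be unreachable
    while [ "$dir" != "/" ] && [ "$dir" != "." ]; do
        dir_searchable_by "$dir" "$want_owner" "$want_group" ||
            { echo "$path: $want_owner/$want_group cannot enter $dir (mode $(stat -c %a "$dir"))"; rc=1; }
        dir=$(dirname "$dir")
    done
    if [ ! -f "$path" ]; then
        echo "$path: cannot stat the file (missing, or blocked by a directory above)"
        return 1
    fi
    owner=$(stat -c %U "$path"); group=$(stat -c %G "$path"); mode=$(stat -c %a "$path")
    [ "$owner" = "$want_owner" ] || { echo "$path: owner $owner, expected $want_owner"; rc=1; }
    [ "$group" = "$want_group" ] || { echo "$path: group $group, expected $want_group"; rc=1; }
    [ $((mode % 10)) -eq 0 ] || { echo "$path: mode $mode grants access to every local user"; rc=1; }
    return $rc
}

# Demo on a constructed copy of the ~vpopmail/etc layout, first with the
# mistaken 640 directory and then with 750.
root=$(mktemp -d)
mkdir "$root/etc"
printf 'localhost|0|vpopmailuser|SECRET|vpopmail\n' > "$root/etc/vpopmail.mysql"
me=$(id -un); mygroup=$(id -gn)
chmod 640 "$root/etc" "$root/etc/vpopmail.mysql"
audit_secret_file "$root/etc/vpopmail.mysql" "$me" "$mygroup" || echo "(that is the blank-page cause)"
chmod 750 "$root/etc"
audit_secret_file "$root/etc/vpopmail.mysql" "$me" "$mygroup" && echo "vpopmail.mysql is locked down"
rm -rf "$root"
```

On the real server the call is `audit_secret_file /home/vpopmail/etc/vpopmail.mysql vpopmail vchkpw`; qmailadmin can then read the file through the group without the file ever being opened to “other”.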

Step: FINALIZING QMAIL:

The QMR guide suggests to run the following script:
#/downloads/qmailrocks/scripts/finalize/linux/finalize_linux.script

This script can be viewed online at:
http://www.qmailrocks.org/downloads/scripts/finalize/linux/finalize_linux.script

I will use the actual content of the script to get the tasks done manually.

#First Copy all supervise scripts to their proper locations.:

cp /downloads/qmailrocks/scripts/finalize/linux/pop3d_run /var/qmail/supervise/qmail-pop3d/run  
cp /downloads/qmailrocks/scripts/finalize/linux/pop3d_log /var/qmail/supervise/qmail-pop3d/log/run  
cp /downloads/qmailrocks/scripts/finalize/linux/smtpd_run /var/qmail/supervise/qmail-smtpd/run  
cp /downloads/qmailrocks/scripts/finalize/linux/smtpd_log /var/qmail/supervise/qmail-smtpd/log/run  
cp /downloads/qmailrocks/scripts/finalize/linux/send_run /var/qmail/supervise/qmail-send/run  
cp /downloads/qmailrocks/scripts/finalize/linux/send_log /var/qmail/supervise/qmail-send/log/run  

#Next: Copy rc and qmailctl scripts to proper locations:

cp /downloads/qmailrocks/scripts/finalize/rc /var/qmail/  
cp /downloads/qmailrocks/scripts/finalize/qmailctl /var/qmail/bin/  

#Setup needed permissions:

chmod 755 /var/qmail/rc /var/qmail/bin/qmailctl  
chmod 751 /var/qmail/supervise/qmail-pop3d/run  
chmod 751 /var/qmail/supervise/qmail-pop3d/log/run  
chmod 751 /var/qmail/supervise/qmail-smtpd/run  
chmod 751 /var/qmail/supervise/qmail-smtpd/log/run  
chmod 751 /var/qmail/supervise/qmail-send/run  
chmod 751 /var/qmail/supervise/qmail-send/log/run  

#Setup default values to various control files:

echo ./Maildir > /var/qmail/control/defaultdelivery  
echo 255 > /var/qmail/control/concurrencyremote  
chmod 644 /var/qmail/control/concurrencyremote  
echo 30 > /var/qmail/control/concurrencyincoming  
chmod 644 /var/qmail/control/concurrencyincoming  

#Create symbolic links:

ln -s /var/qmail/bin/qmailctl /usr/bin  
ln -s /var/qmail/supervise/qmail-send /var/qmail/supervise/qmail-smtpd /var/qmail/supervise/qmail-pop3d /service  

Next edit the run scripts and adjust a few values:

:%s/mail.example.com/www.example.com/g

vi /var/qmail/supervise/qmail-pop3d/run

Find “mail.example.com” and change it to your server’s hostname. For example: www.example.com

vi /var/qmail/supervise/qmail-smtpd/run

Find “mail.example.com” and change it to your server’s hostname. For example: www.example.com

Next:

qmailctl stop  
  
echo '127.:allow,RELAYCLIENT=""' >> /etc/tcp.smtp  
  
qmailctl cdb  
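
The line just appended to /etc/tcp.smtp is what decides who may relay through this server: any rule that sets RELAYCLIENT makes the matching clients relay users, so a catch-all rule (empty address before the colon) carrying RELAYCLIENT is an open relay, and a public address prefix carrying it deserves a second look. The following added example (mine, not part of the QMR guide or ucspi-tcp) reviews the file for exactly that before `qmailctl cdb` compiles it. The function name and the sample rules are constructed; it assumes a POSIX sh.

```shell
#!/bin/sh
# Added example (not from the QMR guide): review /etc/tcp.smtp before
# "qmailctl cdb" compiles it. Rule format is ADDRESS:ACTION[,VAR="value"...];
# an empty ADDRESS matches every client.

# tcp_smtp_relay_risk FILE -> prints findings; returns 1 if an open-relay rule
# exists, 0 otherwise (warnings alone do not fail the check)
tcp_smtp_relay_risk() {
    open=0; lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in ''|'#'*) continue ;; esac
        addr=${line%%:*}                      # part before the first ':'
        rest=${line#*:}                       # allow/deny plus environment settings
        case "$rest" in *RELAYCLIENT=*) ;; *) continue ;; esac   # only relay grants matter
        case "$addr" in
            '')  echo "$1:$lineno: OPEN RELAY: catch-all rule grants RELAYCLIENT"; open=1 ;;
            127.*|10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) ;;   # loopback / RFC 1918
            =*)  echo "$1:$lineno: warning: relay by hostname '$addr' depends on reverse DNS" ;;
            *)   echo "$1:$lineno: warning: RELAYCLIENT granted to non-private prefix '$addr'" ;;
        esac
    done < "$1"
    return $open
}

# Demo on a constructed copy of the rules this howto installs.
rules=$(mktemp)
printf '127.:allow,RELAYCLIENT=""\n:allow\n' > "$rules"
tcp_smtp_relay_risk "$rules" && echo "tcp.smtp: no open relay"
rm -f "$rules"
```

Run `tcp_smtp_relay_risk /etc/tcp.smtp` before `qmailctl cdb`; the check reads the text file, not the compiled tcp.smtp.cdb, so run it on every edit.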

Now we create the common system aliases. These aliases are going to tell Qmail what to do with common server-generated mails.

echo postmaster@example.com > /var/qmail/alias/.qmail-root
echo postmaster@example.com > /var/qmail/alias/.qmail-postmaster
echo postmaster@example.com > /var/qmail/alias/.qmail-mailer-daemon

ln -s /var/qmail/alias/.qmail-root /var/qmail/alias/.qmail-anonymous
chmod 644 /var/qmail/alias/.qmail*

REMOVE SENDMAIL, POSTFIX , EXIM from System:

If you have not removed these packages before, you can do it now.

service sendmail stop  
service postfix stop  
service exim stop  
service dovecot stop  
  
  
rpm -e sendmail --nodeps  
rpm -e sendmail-cf --nodeps  
rpm -e postfix --nodeps  
rpm -e exim --nodeps  

#Create artificial sendmail path:

rm -f /usr/lib/sendmail  
rm -f /usr/sbin/sendmail  
  
ln -s /var/qmail/bin/sendmail /usr/lib/sendmail  
ln -s /var/qmail/bin/sendmail /usr/sbin/sendmail  

START QMAIL:

The QMR guide asks to run the following script:

#/downloads/qmailrocks/scripts/util/qmr_inst_check

The script is long and there is no advantage in running it command by command / manually. When you run the script, it will check for some key required files and folders and will also check permissions and ownership settings on many key items. If a needed file does not exist or if the ownership/permissions settings are wrong on a key file, it will tell you and then make a suggestion as to how to correct the error. This script does NOT check the CONTENT or SYNTAX of your scripts, but only the scripts’ existence and their ownership/permissions settings. If you’ve screwed up the syntax of one of the run scripts, this tool will not detect it.

Let’s run it:

/downloads/qmailrocks/scripts/util/qmr_inst_check

[root@www qmailadmin-1.2.12]# /downloads/qmailrocks/scripts/util/qmr_inst_check

Congratulations, your Qmailrocks.org Qmail installation looks good!

[root@www qmailadmin-1.2.12]# qmailctl stat  
/service/qmail-send: down 228 seconds, normally up  
/service/qmail-send/log: down 228 seconds, normally up  
/service/qmail-smtpd: down 228 seconds, normally up  
/service/qmail-smtpd/log: down 228 seconds, normally up  
/service/qmail-pop3d: down 228 seconds, normally up  
/service/qmail-pop3d/log: down 228 seconds, normally up  
messages in queue: 0  
messages in queue but not yet preprocessed: 0  

Step: COURIER IMAP + COURIERPASSD:

Courier-imap is the preferred IMAP server to install because it has built-in support for the vchkpw mail user setup that Vpopmail utilizes. In short, Courier IMAP works with Vpopmail and virtual domains. In addition to installing Courier-imap, we’re going to install Courierpassd. Courierpassd is a utility that allows users to change their mailbox passwords remotely.

#Must have gdbm-devel installed.

yum install gdbm-devel

We are going to use latest releases from http://www.courier-mta.org/download.php Courierpassd is available at: http://erresea.arda.homeunix.net/store/

QMR provides courier-authlib-0.55.tar.bz2 . Latest is courier-authlib-0.60.2.tar.bz2 .
Also QMR package provides courier-imap-4.0.2.tar.bz2 . Whereas the latest is courier-imap-4.3.1.tar.bz2 .
Also QMR provides courierpassd-1.1.0-RC1 , whereas latest is courierpassd-1.1.2.tar.gz .

I may also try Courier-Analog for SMTP,POP,IMAP traffic analysis. http://prdownloads.sourceforge.net/courier/courier-analog-0.15.tar.bz2

Let’s see if these latest packages work or not. Otherwise we may have to revert to the ones provided by QMR.

cd /downloads/qmailnew

wget http://prdownloads.sourceforge.net/courier/courier-authlib-0.60.2.tar.bz2  
wget http://prdownloads.sourceforge.net/courier/courier-imap-4.3.1.tar.bz2  
wget http://www.arda.homeunix.net/store/courierpassd-1.1.2.tar.gz  

I am going to build RPMs of these Courier-* files, after putting in the necessary config parameters. The RPMs need to be built as an ordinary user, say kamran.

---> See the WAM postfix discarded howto <---

Courier-authlib:-

This needs user kamran to be specified in visudo.

kamran ALL=NOPASSWD: ALL

[kamran@www qmailnew]$ cp /downloads/qmailnew/courier* /home/kamran/  
  
cd /home/kamran  
  
[kamran@www ~]$ tar xjf courier-authlib-0.60.2.tar.bz2  
[kamran@www ~]$ cd courier-authlib-0.60.2  

Added the following in the .spec file in the configure section.

--with-authvchkpw --without-authldap --disable-root-check --with-ssl --with-redhat

QMR suggests “--with-authchangepwdir=/usr/local/libexec/authlib” to be passed to the configure script. But I could not find it in courier-authlib-0.60.2

[kamran@www courier-authlib-0.60.2]$ vi courier-authlib.spec  
  
%configure --with-authvchkpw --without-authldap --disable-root-check --with-ssl --with-redhat  
  
[kamran@www courier-authlib-0.60.2]$ rm courier-authlib-0.60.2.tar.bz2  
  
[kamran@www ~]$ tar cjf courier-authlib-0.60.2.tar.bz2 courier-authlib-0.60.2  
  
sudo yum -y install libtool-ltdl-devel libtool-ltdl postgresql-devel expect  
  
$ sudo rpmbuild -ta courier-authlib-0.60.2.tar.bz2  
  
cd /usr/src/redhat/RPMS/i386/  
  
$ sudo rpm -ivh courier-authlib-0.60.2-1.i386.rpm courier-authlib-devel-0.60.2-1.i386.rpm courier-authlib-mysql-0.60.2-1.i386.rpm  

Time to compile/generate an RPM for courier-imap as well. Pass the same arguments to its %configure section.

cd /home/kamran  
  
tar xjf courier-imap-4.3.1.tar.bz2  
  
cd courier-imap-4.3.1  
  
vi courier-imap.spec  
  
%configure   
--with-authvchkpw --without-authldap --disable-root-check --with-ssl   
--with-redhat   
%{?xflags: %{xflags}}  
  
rm courier-imap-4.3.1.tar.bz2  
tar cjf courier-imap-4.3.1.tar.bz2 courier-imap-4.3.1  
  
sudo yum -y install openldap-servers  

📝Note: You cannot build courier-imap as sudo. You will get the following error:

Do not run make check as root

make[2]: *** [check-am] Error 1  
make[2]: Leaving directory `/usr/src/redhat/BUILD/courier-imap-4.3.1/imap'  
make[1]: *** [check] Error 2  
make[1]: Leaving directory `/usr/src/redhat/BUILD/courier-imap-4.3.1/imap'  
make: *** [check-recursive] Error 1  
error: Bad exit status from /var/tmp/rpm-tmp.6589 (%build)  

So we need to setup a RPM environment in the /home/kamran directory.

Time to set up the environment for RPM builds as user akhan.

su - kamran # if you have not already done so  
  
mkdir $HOME/rpm/{SOURCES,SPECS,BUILD,SRPMS,RPMS} -p  
mkdir $HOME/rpm/RPMS/{i386,x86_64}  
echo "%_topdir $HOME/rpm" >> $HOME/.rpmmacros  
  
  
$ rpmbuild -ta courier-imap-4.3.1.tar.bz2  

After the build process, the rpm packages can be found in $HOME/rpm/RPMS/i386 ($HOME/rpm/RPMS/x86_64 if you are on an x86_64 system):

Install courier-imap like this:

cd $HOME/rpm/RPMS/i386  
sudo rpm -ivh courier-imap-4.3.1-1.i386.rpm  
  
Preparing... ########################################### [100%]  
1:courier-imap ########################################### [100%]    
  
Exit from the user kamran's shell at this point.  
  
exit.  

Run:-

/usr/lib/courier-imap/sbin/mkimapdcert

[root@www ~]# /usr/lib/courier-imap/sbin/mkimapdcert  
/usr/lib/courier-imap/share/imapd.pem already exists.  

Edit /usr/lib/courier-imap/etc/imapd.cnf

Change the administrative email address in it to postmaster@example.com :

vi /usr/lib/courier-imap/etc/imapd.cnf


vi /usr/lib/courier-imap/etc/imapd

Make sure that the following configuration exists: IMAPDSTART=YES


vi /usr/lib/courier-imap/etc/imapd-ssl

Make sure that the following configuration exists: IMAPDSSLSTART=YES

Make sure that the following configuration exists: TLS_CERTFILE=/usr/lib/courier-imap/share/imapd.pem

IMAPDSSLSTART=YES

##NAME: IMAPDSTARTTLS:0

📝Note this part (CLAMAV) is deprecated. Please refer to this article, instead.

Download latest CLAMAV from http://crash.fce.vutbr.cz/crash-hat/centos/5/clamav/

By the time of this writing, 0.93-2 is latest.

cd /downloads/qmailnew/  
wget http://crash.fce.vutbr.cz/crash-hat/centos/5/clamav/clamav-0.93-2.i386.rpm  
wget http://crash.fce.vutbr.cz/crash-hat/centos/5/clamav/clamav-db-0.93-2.i386.rpm  
wget http://crash.fce.vutbr.cz/crash-hat/centos/5/clamav/clamav-server-0.93-2.i386.rpm  
wget http://crash.fce.vutbr.cz/crash-hat/centos/5/clamav/clamav-devel-0.93-2.i386.rpm  
  
  
rpm -ivh clamav-*  
  
  
Create a user as qscand:  
  
  
groupadd -g 710 qscand  
useradd -u 710 -g 710 -c "Qmail-Scanner Account" -s /bin/false qscand  

vi /etc/clamd.conf

#Lines shown below are default settings, unless specified otherwise.
#(The "# <--" remarks are annotations for this howto; do not copy them into the file.)

LogFile /var/log/clamav/clamd.log
LogFileMaxSize 0
LogTime yes
LogSyslog yes # <-- default is NO. Change to YES.
PidFile /var/run/clamav/clamd.pid
TemporaryDirectory /tmp
DatabaseDirectory /var/lib/clamav # <-- This is changed in the newer (0.94-1) version, to /var/clamav.
LocalSocket /var/run/clamav/clamd.sock # <-- Disabled by default. Enable it and set the socket file name.
FixStaleSocket yes
MaxConnectionQueueLength 30
MaxThreads 50
ReadTimeout 300
User qscand # <-- Most important. Default is clamav. Change to qscand.
AllowSupplementaryGroups yes
DetectBrokenExecutables yes
ScanMail yes
ArchiveMaxCompressionRatio 300
ArchiveBlockEncrypted yes
ArchiveBlockMax yes

vi /etc/freshclam.conf

DatabaseDirectory /var/lib/clamav
UpdateLogFile /var/log/clamav/freshclam.log
PidFile /var/run/clamav/freshclam.pid
LogSyslog yes # <-- change to yes
DatabaseOwner qscand # <-- Most important. Default is clamav. Change to qscand.
AllowSupplementaryGroups yes
DNSDatabaseInfo current.cvd.clamav.net
DatabaseMirror db.us.clamav.net
DatabaseMirror database.clamav.net
Checks 24
NotifyClamd /etc/clamd.conf

vi /etc/logrotate.d/clamd
#
#Rotate Clam AV daemon log file
#

/var/log/clamav/clamd.log {
missingok
nocompress
create 640 qscand qscand
postrotate
/bin/kill -HUP `cat /var/run/clamav/clamd.pid 2> /dev/null` 2> /dev/null || true
endscript
}

vi /etc/logrotate.d/freshclam

#
#Rotate FreshClam daemon log file
#

/var/log/clamav/freshclam.log {
missingok
nocompress
create 640 qscand qscand
postrotate
/bin/kill -HUP `cat /var/run/clamav/freshclam.pid 2> /dev/null` 2> /dev/null || true
endscript
}

chown qscand:qscand /var/log/clamav -R  
chown qscand:qscand /var/lib/clamav -R  
chown qscand:qscand /var/run/clamav -R  
 
service clamd restart  
chkconfig --level 35 clamd on  
  
service freshclam restart  
chkconfig --level 35 freshclam on  

########################################################################
Deprecated:-

FreshClam doesn’t need to be called through cron any more:-

# crontab -e  
# 25 2 * * * /usr/bin/freshclam --quiet -l /var/log/clamav/freshclam.log  
#  

Because freshclam runs in daemon mode and checks the server itself once
a day. The following option can be used in /etc/init.d/freshclam
to set the number of checks per day, between 1 and 50:

--checks=#n, -c #n    number of checks per day, 1 <= n <= 50

See the proof below:
May 10 15:10:02 www last message repeated 6 times
May 10 15:11:59 www freshclam[22467]: Received signal: wake up
May 10 15:11:59 www freshclam[22467]: ClamAV update process started at Sat May 10 15:11:59 2008
May 10 15:11:59 www freshclam[22467]: main.cvd is up to date (version: 46, sigs: 231834, f-level: 26, builder: sven)
May 10 15:12:00 www freshclam[22467]: Downloading daily-7077.cdiff [100%]
May 10 15:12:00 www freshclam[22467]: Downloading daily-7078.cdiff [100%]
May 10 15:12:00 www freshclam[22467]: Downloading daily-7079.cdiff [100%]
May 10 15:12:00 www freshclam[22467]: Downloading daily-7080.cdiff [100%]
May 10 15:12:01 www freshclam[22467]: Downloading daily-7081.cdiff [100%]
May 10 15:12:01 www freshclam[22467]: Downloading daily-7082.cdiff [100%]
May 10 15:12:01 www freshclam[22467]: daily.cld updated (version: 7082, sigs: 49709, f-level: 26, builder: ccordes)
May 10 15:12:01 www freshclam[22467]: Database updated (281543 signatures) from db.local.clamav.net (IP: 65.120.238.2)
May 10 15:12:01 www clamd[22412]: SelfCheck: Database modification detected. Forcing reload.
May 10 15:12:01 www clamd[22412]: Reading databases from /var/lib/clamav
May 10 15:12:01 www freshclam[22467]: Clamd successfully notified about the update.
May 10 15:12:01 www freshclam[22467]: --------------------------------------
May 10 15:12:05 www clamd[22412]: Database correctly reloaded (280776 signatures)

#########################################################################

SPAM ASSASSIN

The QMR package says to install perl-Mail-SpamAssassin, but that is not available through yum, and the provided RPM is too old to be compatible with the current spamassassin-3.1.9. So I installed it through CPAN.

perl -MCPAN -e "install Mail::SpamAssassin"

groupadd -g 711 spamd
useradd -u 711 -g 711 -d /home/spamd -m spamd # -d sets the home directory (the QMR guide's -s would set the login shell to /home/spamd)
#passwd -l spamd # not in QMR guide. I thought it should be implemented. But do we need it?

vi /etc/sysconfig/spamassassin

If the above file exists, replace its contents :

SPAMDOPTIONS="-d -c -m5 -H"

, with the following line. If the file does not exist, create it and add the following line:

SPAMDOPTIONS="-x -u spamd -H /home/spamd -d"

spamd options explained:
-c, --create-prefs                   Create user preferences files (we don't need it)
-x, --nouser-config                  Disable user config files
-d, --daemonize                      Daemonize
-m num, --max-children=num           Allow maximum num children
-u username, --username=username     Run as username
-g groupname, --groupname=groupname  Run as groupname (should we use this too?)
-v, --vpopmail                       Enable vpopmail config (we "should" need it, but not using it at the moment)
-x, --nouser-config                  Disable user config files
-H [dir], --helper-home-dir[=dir]    Specify a different HOME directory

Save and exit from the file.

vi /etc/mail/spamassassin/local.cf

Add the following line…

required_hits 5

Save and exit from the file.

service spamassassin restart
chkconfig --level 35 spamassassin on


The following modules are used by various .pre files. Make sure that they are also installed.

perl -MCPAN -e "install Mail::SpamAssassin::Plugin::RelayCountry"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::URIDNSBL"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::Hashcash"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::SPF"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::DCC"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::Pyzor"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::Razor2"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::SpamCop"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::AntiVirus"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::AWL"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::AutoLearnThreshold"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::WhiteListSubject"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::DomainKeys"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::MIMEHeader"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::ReplaceTags"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::DKIM"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::Check"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::HTTPSMismatch"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::URIDetail"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::Shortcircuit"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::Bayes"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::BodyEval"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::DNSEval"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::HTMLEval"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::HeaderEval"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::MIMEEval"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::RelayEval"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::URIEval"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::WLBLEval"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::VBounce"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::Rule2XSBody"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::ASN"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::ImageInfo"


Created a new local.cf file from the link http://www.yrex.com/spam/spamconfig.php



#ok_languages should be disabled.

#ok_languages en

#SpamAssassin 3.1 Note: Language checking has been moved to a plugin in version 3.1.
#This setting will not work unless your administrator has enabled the TextCat plugin
#in /etc/mail/spamassassin/v310.pre.


vi /etc/mail/spamassassin/init.pre

loadplugin Mail::SpamAssassin::Plugin::RelayCountry


vi /etc/mail/spamassassin/v310.pre

loadplugin Mail::SpamAssassin::Plugin::DCC
loadplugin Mail::SpamAssassin::Plugin::Pyzor
loadplugin Mail::SpamAssassin::Plugin::Razor2
loadplugin Mail::SpamAssassin::Plugin::SpamCop
loadplugin Mail::SpamAssassin::Plugin::AntiVirus
loadplugin Mail::SpamAssassin::Plugin::AWL
loadplugin Mail::SpamAssassin::Plugin::AutoLearnThreshold
loadplugin Mail::SpamAssassin::Plugin::WhiteListSubject
loadplugin Mail::SpamAssassin::Plugin::DomainKeys
loadplugin Mail::SpamAssassin::Plugin::MIMEHeader
loadplugin Mail::SpamAssassin::Plugin::ReplaceTags


vi /etc/mail/spamassassin/v312.pre

loadplugin Mail::SpamAssassin::Plugin::DKIM


vi /etc/mail/spamassassin/v320.pre

loadplugin Mail::SpamAssassin::Plugin::Shortcircuit
loadplugin Mail::SpamAssassin::Plugin::ASN

Now, run sa-compile. But sa-compile needs re2c.

Download re2c from http://re2c.org/ . Prebuilt RPMs are also listed on http://rpmseek.com/ , for example:

http://apt.sw.be/packages/re2c/re2c-0.13.1-1.el4.rf.i386.rpm
http://apt.sw.be/packages/re2c/re2c-0.13.1-1.el5.rf.i386.rpm

The source RPM rebuilt below is from SourceForge:

http://superb-west.dl.sourceforge.net/sourceforge/re2c/re2c-0.13.3-1.src.rpm

cd /downloads/qmailnew  
wget http://superb-west.dl.sourceforge.net/sourceforge/re2c/re2c-0.13.3-1.src.rpm  
rpmbuild --rebuild re2c-0.13.3-1.src.rpm  

rpm -ivh /usr/src/redhat/RPMS/i386/re2c-0.13.3-1.i386.rpm  

Now Run sa-compile:

# sa-compile

Then, run sa-update:

sa-update -D

Restart spamassassin service.

service spamassassin restart

DCC howto:

cd /downloads/qmailnew

wget http://www.rhyolite.com/anti-spam/dcc/source/dcc.tar.Z
tar xzf dcc.tar.Z
cd dcc-1.3.90/

./configure
make
make install

vi /etc/mail/spamassassin/local.cf

dcc_home /var/dcc
dcc_path /usr/local/bin/dccproc

#dcc_dccifd_path, should be the path to dccifd socket, which will become available when dcc service is started.
dcc_dccifd_path /var/dcc/dccifd

vi /var/dcc/dcc_conf
. . .
DCCIFD_ENABLE=on
. . .

cp /var/dcc/libexec/rcDCC /etc/rc.d/init.d/dcc

chkconfig --level 35 dcc on
service dcc start

[root@www dcc-1.3.90]# ps aux | grep -i dcc
root 30623 0.0 0.0 2492 268 ? Ss 16:44 0:00 /var/dcc/libexec/dccifd -tREP,20 -tCMN,5, -llog -wwhiteclnt -Uuserdirs -SHELO -Smail_host -SSender -SList-ID
root 30624 0.1 0.6 28992 6844 ? Sl 16:44 0:00 /var/dcc/libexec/dccifd -tREP,20 -tCMN,5, -llog -wwhiteclnt -Uuserdirs -SHELO -Smail_host -SSender -SList-ID
root 30629 0.0 0.0 4100 580 pts/0 R+ 16:44 0:00 grep -i dcc

Enable the DCC plugin in the spamassassin .pre files. Also enable the other plugins. Disable pyzor and remove its line from local.cf as well.

RAZOR:

Download Razor from: http://razor.sourceforge.net/

cd /downloads/qmailnew  
wget http://optusnet.dl.sourceforge.net/sourceforge/razor/razor-agents-2.84.tar.bz2  
  
tar xjf razor-agents-2.84.tar.bz2  
cd razor-agents-2.84  
perl Makefile.PL && make && make install  

Added the following to local.cf file:

#vi /etc/mail/spamassassin/local.cf
#razor_config /etc/razor/razor-agent.conf

OR

echo "razor_config /etc/razor/razor-agent.conf" >> /etc/mail/spamassassin/local.cf

Then:
razor-admin -d -home=/etc/razor -create
razor-admin -d -home=/etc/razor -register


[root@www qmailnew]# service spamassassin restart
Stopping spamd: [ OK ]
Starting spamd: [ OK ]

Step: QMAILSCANNER:

The QMR package provides qmail-scanner-1.25.tgz. The latest is 2.04 from http://qmail-scanner.sourceforge.net/ .
The QMR package provides qms-analog-0.4.2.tar.gz. The latest is qms-analog-0.4.4 from http://www.qms-analog.teel.ws . I don't think we need qms-analog. QmailScanner has a new reporting tool. From the QMS website:

Reporting: in the contrib directory there’s qs2mrtg.pl. A perl script for monitoring your syslog files for qmail-scanner records. It then graphs how Qmail-Scanner is processing your emails. It creates different graphs for incoming vs outgoing email, as well as the flow of spam and viruses.

We would also install TNEF http://sourceforge.net/projects/tnef/ . As per the QMS site:-

Optional: Mark Simpson’s TNEF unpacker. Can decode those annoying MS-TNEF MIME attachments that Microsoft mail servers just love to use. If you don’t have this, there are several classes of email that Qmail-Scanner basically won’t be able to extract attachments in. However, your AV might very well be able to handle them

yum install db4-devel

perl -MCPAN -e "install DB_File"

TNEF:-

cd /downloads/qmailnew
wget http://internap.dl.sourceforge.net/sourceforge/tnef/tnef-1.4.3.tar.gz
tar xzf tnef-1.4.3.tar.gz
cd /downloads/qmailnew/tnef-1.4.3
./configure && make && make install

Decided to install new version of QMS:-

cd /downloads/qmailnew

wget http://superb-west.dl.sourceforge.net/sourceforge/qmail-scanner/qmail-scanner-2.04.tgz
tar xzf qmail-scanner-2.04.tgz
cd /downloads/qmailnew/qmail-scanner-2.04

Create the following (new) file:-

(Don't use the cat >> file << EOF method to create this file; an unquoted heredoc would expand $1 and $INSTALL while the file is written.)

vi qms-config
#!/bin/sh

##File: qms-config
##
##Purpose: Provide a file to save personal qmail-scanner configuration
##options. This file should be edited for your server and
##saved somewhere so that it survives qmail-scanner and
##qms-analog upgrades.
##

#Was the "install" option given?
if [ "$1" != "install" ]; then
INSTALL=
else
INSTALL="--install"
fi

#Qmail Scanner 2.02 configuration:
#$INSTALL is left unquoted on purpose: a quoted empty "" would be passed to configure as a stray argument.

./configure --domain example.com \
--admin postmaster \
--local-domains "example.com,sufi-iqbal.net" \
--add-dscr-hdrs yes \
--ignore-eol-check yes \
--notify admin \
--redundant yes \
$INSTALL

Next:

chmod 755 qms-config

./qms-config

then


( 📝 Note QMS will get installed in /var/spool/qscan. NOT /var/spool/qmailscan)

./qms-config install

Testing suid nature of /usr/bin/perl…
Looks OK…
Hit RETURN to create initial directory structure under /var/spool/qscan,
and install qmail-scanner-queue.pl under /var/qmail/bin:
perlscanner: generate new DB file from /var/spool/qscan/quarantine-events.txt
perlscanner: total of 12 entries.

Finished installation of initial directory structure for Qmail-Scanner
under /var/spool/qscan and qmail-scanner-queue.pl under /var/qmail/bin.

Finished. Please read README(.html) and then go over the script
(/var/qmail/bin/qmail-scanner-queue.pl) to check paths/etc.

“/var/qmail/bin/qmail-scanner-queue.pl -r” should return some well-known virus
definitions to show that the internal perlscanner component is working.

That’s it!

** FINAL TEST **

Please log into an unpriviledged account and run
/var/qmail/bin/qmail-scanner-queue.pl -g

If you see the error “Can’t do setuid”, or “Permission denied”, then
refer to the FAQ.

(e.g. “setuidgid qmaild /var/qmail/bin/qmail-scanner-queue.pl -g”)

That’s it! To report success:

% (echo 'First M. Last'; cat SYSDEF)|mail jhaar-s4vstats@crom.trimble.co.nz
Replace First M. Last with your name.


ls -l /var/qmail/bin/qmail-scanner-queue.pl

-rwsr-sr-x 1 qscand qscand 111710 May 9 17:36 /var/qmail/bin/qmail-scanner-queue.pl


Let’s do the test :

logon as user kamran:

#su - kamran
[kamran@www ~]$ /var/qmail/bin/qmail-scanner-queue.pl -g
perlscanner: generate new DB file from /var/spool/qscan/quarantine-events.txt
perlscanner: total of 12 entries.
[kamran@www ~]$

exit

Note: The path is changed for the Qmail Scanner spool files in the newest version, from “/var/spool/qmailscan”, to “/var/spool/qscan” .

The test is passed. Alhumdulillah. Now run the following:-

setuidgid qscand /var/qmail/bin/qmail-scanner-queue.pl -z # also setup a cronjob to do this once a day.
setuidgid qscand /var/qmail/bin/qmail-scanner-queue.pl -g # also setup a cronjob to do this once a day.

Set them up to run through cron as well:-

crontab -e
0 1 * * * /usr/local/bin/setuidgid qscand /var/qmail/bin/qmail-scanner-queue.pl -z
0 1 * * * /usr/local/bin/setuidgid qscand /var/qmail/bin/qmail-scanner-queue.pl -g

chown -R qscand:qscand /var/spool/qscan # not /var/spool/qmailscan

vi /var/qmail/supervise/qmail-smtpd/run
QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl" ; export QMAILQUEUE

(change softlimit to 40000000)

📝Note: The limit 40000000 (40 MB) is (more than two years) old. Because of all the new requirements of the latest versions of the participating software, I needed to increase it to 60000000 (60 MB), otherwise my mails were not being dealt with correctly by Qmail Scanner. It is safe to increase this value.

WAIT........ DISABLE POP3 AND POP3S in COURIER FIRST. QMAIL HAS ITS OWN POP3 server.

Restart Qmail

qmailctl stop
sleep 5
qmailctl start
sleep 5
qmailctl stat

[root@www qmail-scanner-2.04]# qmailctl stat  
/service/qmail-send: up (pid 7749) 5 seconds  
/service/qmail-send/log: up (pid 7750) 5 seconds  
/service/qmail-smtpd: up (pid 7753) 5 seconds  
/service/qmail-smtpd/log: up (pid 7758) 5 seconds  
/service/qmail-pop3d: up (pid 7767) 5 seconds  
/service/qmail-pop3d/log: up (pid 7768) 5 seconds  
messages in queue: 293  
messages in queue but not yet preprocessed: 181  

Now, try the test_installation.sh script in contrib directory.

cd /downloads/qmailnew/qmail-scanner-2.04/contrib

./test_installation.sh -doit

[root@www contrib]# ./test_installation.sh -doit

Sending standard test message - no viruses…
done!

Sending eicar test virus - should be caught by perlscanner module…
done!

Sending eicar test virus with altered filename - should only be caught by commercial anti-virus modules (if you have any)…

Sending bad spam message for anti-spam testing - In case you are using SpamAssassin…
Done!

Finished test. Now go and check Email sent to postmaster@example.com

You should have 2 messages in the postmaster’s mail box, one clean message and the other marked as **SPAM** ., and the following output in your maillog.

tail -f /var/log/maillog

May 9 17:53:34 www qmail-scanner[8149]: Clear:RC:1(127.0.0.1): 0.022018 313 postmaster@example.com postmaster@example.com Qmail-Scanner_test_(1/4):inoffensive_message <20080509125334.8148.qmail@www.example.com> orig-www.example.com12103376145628149:313 1210337614.8151-0.www.example.com:68
May 9 17:53:34 www spamd[31043]: spamd: connection from localhost.localdomain [127.0.0.1] at port 37141
May 9 17:53:34 www spamd[31043]: spamd: processing message <20080509125334.8148.qmail@www.example.com> for postmaster@example.com:711
May 9 17:53:34 www qmail-scanner[8162]: Perlscan:EICAR_Test_Virus:RC:1(127.0.0.1): 0.027297 961 postmaster@example.com postmaster@example.com Qmail-Scanner_viral_test_(2/4):checking_perlscanner... <20080509125334.8161.qmail@www.example.com> 1210337614.8169-0.www.example.com:300 Eicar.com:69 orig-www.example.com12103376145628162:961
May 9 17:53:35 www qmail-scanner[8177]: CLAMDSCAN:Eicar-Test-Signature:RC:1(127.0.0.1): 0.016671 1236 postmaster@example.com postmaster@example.com Qmail-Scanner_viral_test_(3/4):checking_non-perlscanner_AV... <20080509125335.8176.qmail@www.example.com> sneaky.txt
May 9 17:53:35 www spamd[31044]: spamd: connection from localhost.localdomain [127.0.0.1] at port 37143
May 9 17:53:35 www spamd[31044]: spamd: checking message (unknown) for postmaster@example.com:711
May 9 17:53:35 www spamd[31043]: spamd: clean message (0.0/5.0) for postmaster@example.com:711 in 0.7 seconds, 616 bytes.
May 9 17:53:35 www spamd[31043]: spamd: result: . 0 - UNPARSEABLE_RELAY scantime=0.7,size=616,user=postmaster@example.com,uid=711,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=37141,mid=<20080509125334.8148.qmail@www.example.com>,autolearn=ham,shortcircuit=no
May 9 17:53:35 www spamd[31040]: prefork: child states: IB
May 9 17:53:35 www maildrop[8167]: Unable to open mailbox.
May 9 17:53:36 www spamd[31044]: spamd: identified spam (1009.7/5.0) for postmaster@example.com:711 in 1.6 seconds, 1893 bytes.
May 9 17:53:36 www spamd[31044]: spamd: result: Y 1009 - DATE_IN_FUTURE_96_XX,DK_POLICY_TESTING,EXCUSE_4,FORGED_YAHOO_RCVD,GTUBE,MISSING_MID,NORMAL_HTTP_TO_IP,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK scantime=1.6,size=1893,user=postmaster@example.com,uid=711,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=37143,mid=(unknown),autolearn=no,shortcircuit=no
May 9 17:53:37 www spamd[31040]: prefork: child states: II
May 9 17:53:37 www qmail-scanner[8186]: Clear:RC:1(127.0.0.1):SA:1(1009.7/5.0): 1.755721 1881 postmaster@example.com postmaster@example.com Qmail-Scanner_anti-spam_test_(4/4):checking_SpamAssassin[if_present]_(There_yo <9PS291LhupY> orig-www.example.com12103376155628186:1881 1210337615.8188-0.www.example.com:818
May 9 17:53:37 www spamd[31043]: spamd: connection from localhost.localdomain [127.0.0.1] at port 37147
May 9 17:53:37 www spamd[31043]: spamd: processing message <9PS291LhupY> for postmaster@example.com:711
May 9 17:53:38 www spamd[31043]: spamd: identified spam (1009.2/5.0) for postmaster@example.com:711 in 1.4 seconds, 2384 bytes.
May 9 17:53:38 www spamd[31043]: spamd: result: Y 1009 - AWL,DK_POLICY_TESTING,EXCUSE_4,FORGED_YAHOO_RCVD,GTUBE,INVALID_MSGID,MSGID_SHORT,NORMAL_HTTP_TO_IP,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,UNPARSEABLE_RELAY scantime=1.4,size=2384,user=postmaster@example.com,uid=711,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=37147,mid=<9PS291LhupY>,autolearn=no,shortcircuit=no
May 9 17:53:38 www spamd[31040]: prefork: child states: II
May 9 17:53:38 www maildrop[8204]: Unable to open mailbox.
May 9 17:55:15 www spamd[31043]: spamd: connection from localhost.localdomain [127.0.0.1] at port 43421
May 9 17:55:15 www spamd[31043]: spamd: processing message <20080509125334.8148.qmail@www.example.com> for postmaster@example.com:711
May 9 17:55:17 www spamd[31044]: spamd: connection from localhost.localdomain [127.0.0.1] at port 43427
May 9 17:55:17 www spamd[31044]: spamd: processing message <9PS291LhupY> for postmaster@example.com:711
May 9 17:55:17 www spamd[31043]: spamd: clean message (0.0/5.0) for postmaster@example.com:711 in 1.3 seconds, 616 bytes.
May 9 17:55:17 www spamd[31043]: spamd: result: . 0 - UNPARSEABLE_RELAY scantime=1.3,size=616,user=postmaster@example.com,uid=711,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=43421,mid=<20080509125334.8148.qmail@www.example.com>,autolearn=unavailable,shortcircuit=no
May 9 17:55:17 www spamd[31040]: prefork: child states: IB
May 9 17:55:17 www maildrop[8590]: Unable to open mailbox.
May 9 17:55:18 www spamd[31044]: spamd: identified spam (1008.9/5.0) for postmaster@example.com:711 in 1.5 seconds, 2384 bytes.
May 9 17:55:18 www spamd[31044]: spamd: result: Y 1008 - AWL,DK_POLICY_TESTING,EXCUSE_4,FORGED_YAHOO_RCVD,GTUBE,INVALID_MSGID,MSGID_SHORT,NORMAL_HTTP_TO_IP,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,UNPARSEABLE_RELAY scantime=1.5,size=2384,user=postmaster@example.com,uid=711,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=43427,mid=<9PS291LhupY>,autolearn=no,shortcircuit=no
May 9 17:55:18 www spamd[31040]: prefork: child states: II
May 9 17:55:18 www maildrop[8602]: Unable to open mailbox.
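The maillog above is what qs2mrtg.pl later turns into graphs. As an added example (not part of this howto, qmail-scanner or qs2mrtg.pl), the following Python parses the two line formats that matter, the qmail-scanner verdict line and spamd's "result:" line, and counts viruses, spam-tagged and clean messages. The sample lines are a constructed, trimmed copy of the excerpt above; the field layout assumed for the qmail-scanner line (verdict, seconds, bytes, sender, recipient, subject) is read off those lines and is not taken from the qmail-scanner source.

```python
"""Parse qmail-scanner and spamd maillog lines into per-message verdicts."""
import re
from collections import Counter

# Constructed sample, trimmed from the maillog excerpt on this page.
SAMPLE_LOG = """\
May 9 17:53:34 www qmail-scanner[8149]: Clear:RC:1(127.0.0.1): 0.022018 313 postmaster@example.com postmaster@example.com Qmail-Scanner_test_(1/4):inoffensive_message <20080509125334.8148.qmail@www.example.com> orig-www.example.com12103376145628149:313 1210337614.8151-0.www.example.com:68
May 9 17:53:34 www qmail-scanner[8162]: Perlscan:EICAR_Test_Virus:RC:1(127.0.0.1): 0.027297 961 postmaster@example.com postmaster@example.com Qmail-Scanner_viral_test_(2/4):checking_perlscanner... <20080509125334.8161.qmail@www.example.com> 1210337614.8169-0.www.example.com:300 Eicar.com:69 orig-www.example.com12103376145628162:961
May 9 17:53:35 www qmail-scanner[8177]: CLAMDSCAN:Eicar-Test-Signature:RC:1(127.0.0.1): 0.016671 1236 postmaster@example.com postmaster@example.com Qmail-Scanner_viral_test_(3/4):checking_non-perlscanner_AV... <20080509125335.8176.qmail@www.example.com> sneaky.txt
May 9 17:53:35 www spamd[31043]: spamd: result: . 0 - UNPARSEABLE_RELAY scantime=0.7,size=616,user=postmaster@example.com,uid=711,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=37141,mid=<20080509125334.8148.qmail@www.example.com>,autolearn=ham,shortcircuit=no
May 9 17:53:36 www spamd[31044]: spamd: result: Y 1009 - DATE_IN_FUTURE_96_XX,DK_POLICY_TESTING,EXCUSE_4,FORGED_YAHOO_RCVD,GTUBE,MISSING_MID,NORMAL_HTTP_TO_IP,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK scantime=1.6,size=1893,user=postmaster@example.com,uid=711,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=37143,mid=(unknown),autolearn=no,shortcircuit=no
May 9 17:53:37 www qmail-scanner[8186]: Clear:RC:1(127.0.0.1):SA:1(1009.7/5.0): 1.755721 1881 postmaster@example.com postmaster@example.com Qmail-Scanner_anti-spam_test_(4/4):checking_SpamAssassin[if_present]_(There_yo <9PS291LhupY> orig-www.example.com12103376155628186:1881 1210337615.8188-0.www.example.com:818
May 9 17:53:38 www maildrop[8204]: Unable to open mailbox.
"""

# qmail-scanner: "<verdict> <seconds> <bytes> <sender> <recipient> <subject> ..."
# verdict is "Clear" or "<scanner>:<virus>", followed by RC:/SA: flags.
QS_RE = re.compile(
    r" qmail-scanner\[\d+\]: (?P<verdict>\S+) (?P<secs>[\d.]+) (?P<size>\d+) "
    r"(?P<sender>\S+) (?P<rcpt>\S+) (?P<subject>\S+)"
)
SA_RE = re.compile(r"SA:(?P<flag>\d)\((?P<score>-?[\d.]+)/(?P<req>[\d.]+)\)")
# spamd: "result: <Y|.> <score> - <RULE,RULE,...> key=value,..."  (rule list may be empty)
SPAMD_RE = re.compile(
    r" spamd\[\d+\]: spamd: result: (?P<flag>[.Y]) (?P<score>-?\d+) - "
    r"(?:(?P<rules>[A-Z0-9_,]+))? *(?P<kv>scantime=.*)$"
)


def parse_qmail_scanner(line):
    """Return a verdict dict for a qmail-scanner line, else None."""
    m = QS_RE.search(line)
    if not m:
        return None
    fields = m.group("verdict").split(":")
    rec = {
        "source": "qmail-scanner",
        "sender": m.group("sender"),
        "rcpt": m.group("rcpt"),
        "size": int(m.group("size")),
        "scanner": fields[0],
        "virus": None if fields[0] == "Clear" else fields[1],
        "spam": False,
        "sa_score": None,
    }
    sa = SA_RE.search(m.group("verdict"))
    if sa:  # SA:1(score/threshold) means SpamAssassin tagged it
        rec["sa_score"] = float(sa.group("score"))
        rec["spam"] = sa.group("flag") == "1"
    return rec


def parse_spamd(line):
    """Return a verdict dict for a spamd 'result:' line, else None."""
    m = SPAMD_RE.search(line)
    if not m:
        return None
    kv = dict(item.partition("=")[::2] for item in m.group("kv").split(","))
    return {
        "source": "spamd",
        "spam": m.group("flag") == "Y",
        "score": int(m.group("score")),
        "rules": m.group("rules").split(",") if m.group("rules") else [],
        "user": kv.get("user"),
        "raddr": kv.get("raddr"),
        "autolearn": kv.get("autolearn"),
    }


def summarize(log_text):
    """Count what the graphs show: virus, spam and clean messages as seen by
    qmail-scanner, plus spamd's own spam/ham verdicts. Other lines are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_qmail_scanner(line)
        if rec:
            counts["virus" if rec["virus"] else "spam" if rec["spam"] else "clean"] += 1
            continue
        rec = parse_spamd(line)
        if rec:
            counts["spamd_spam" if rec["spam"] else "spamd_ham"] += 1
    return counts


if __name__ == "__main__":
    for name, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{name:11} {n}")
```

Run it against a real /var/log/maillog (`summarize(open("/var/log/maillog").read())`) to check that the viruses and the GTUBE spam from test_installation.sh were actually caught; a run that shows only "clean" means the scanner or spamd is not in the path.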

📝Note:
Any SMTP sessions that are dropped (due to network outages/etc) may lead to files lying around in /var/spool/qscan . Running “/var/qmail/bin/qmail-scanner-queue.pl -z”, at least once daily, will ensure such files are deleted when they’re over 30 hours old - make a cronjob to do that (see contrib/ for a logrotate script).

crontab -e
0 2 * * * /var/qmail/bin/qmail-scanner-queue.pl -z


You may want to change the file /etc/tcp.smtp , from :

127.:allow,RELAYCLIENT=""

, to:

#No Qmail-Scanner at all for mail from 127.0.0.1
127.:allow,RELAYCLIENT="",RBLSMTPD="",QMAILQUEUE="/var/qmail/bin/qmail-queue"
#Use Qmail-Scanner without SpamAssassin on any mail from the local network
#[it triggers SpamAssassin via the presence of the RELAYCLIENT var]
#10.:allow,RELAYCLIENT="",RBLSMTPD="",QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
#
#Use Qmail-Scanner with SpamAssassin on any mail from the rest of the world
:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"


I have set up my /etc/tcp.smtp as follows:-

[root@www contrib]# vi /etc/tcp.smtp
#my users logging on to the web interface may be uploading virus infected files.
127.:allow,RELAYCLIENT="",RBLSMTPD="",QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
#No Qmail-Scanner at all for mail from 127.0.0.1
##127.:allow,RELAYCLIENT="",RBLSMTPD="",QMAILQUEUE="/var/qmail/bin/qmail-queue"
#Use Qmail-Scanner without SpamAssassin on any mail from the local network
#[it triggers SpamAssassin via the presence of the RELAYCLIENT var]
#10.:allow,RELAYCLIENT="",RBLSMTPD="",QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
#
#Use Qmail-Scanner with SpamAssassin on any mail from the rest of the world
:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
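The difference between the suggested tcp.smtp and the one above is which QMAILQUEUE a connection from 127.0.0.1 ends up with. As an added example (not part of this howto or of ucspi-tcp), the following Python models the part of tcprules matching that applies here: an exact IP rule wins, then dotted prefixes from longest to shortest ("127.0.0.", "127.0.", "127."), then the empty catch-all written as ":allow,...". Both rulesets are constructed copies of the ones on this page; the inherited QMAILQUEUE comes from the export in the qmail-smtpd run script shown earlier. Host-name (TCPREMOTEHOST) and ident (TCPREMOTEINFO) keys are not modelled.

```python
"""Evaluate /etc/tcp.smtp (tcprules) rules for a connecting IP."""

# Constructed copies of the two rulesets shown on this page.
SUGGESTED_RULES = """\
#No Qmail-Scanner at all for mail from 127.0.0.1
127.:allow,RELAYCLIENT="",RBLSMTPD="",QMAILQUEUE="/var/qmail/bin/qmail-queue"
#Use Qmail-Scanner with SpamAssassin on any mail from the rest of the world
:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
"""

AUTHOR_RULES = """\
#my users logging on to the web interface may be uploading virus infected files.
127.:allow,RELAYCLIENT="",RBLSMTPD="",QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
"""

# Environment qmail-smtpd inherits when tcp.smtp sets nothing: the run script
# on this page exports QMAILQUEUE, so the scanner is already the default.
RUN_SCRIPT_ENV = {"QMAILQUEUE": "/var/qmail/bin/qmail-scanner-queue.pl"}


def parse_tcprules(text):
    """Return {address_key: (instruction, {VAR: value})}.

    Values are taken up to the next comma, which is enough for the quoted
    paths used here (tcprules has its own escaping for odd values).
    """
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(":")
        fields = rest.split(",")
        env = {}
        for field in fields[1:]:
            name, _, value = field.partition("=")
            env[name] = value.strip('"')
        rules[key] = (fields[0], env)
    return rules


def candidate_keys(ip):
    """Lookup order tcpserver uses for a bare IPv4 address."""
    octets = ip.split(".")
    keys = [ip]
    for n in range(len(octets) - 1, 0, -1):
        keys.append(".".join(octets[:n]) + ".")
    keys.append("")  # the catch-all rule written as ":allow,..."
    return keys


def decide(rules, ip, inherited_env=None):
    """Return (matched_key, instruction, effective_env) for a connection from ip."""
    env = dict(inherited_env or {})
    for key in candidate_keys(ip):
        if key in rules:
            instruction, overrides = rules[key]
            env.update(overrides)
            return key, instruction, env
    return None, "allow", env  # tcpserver allows when no rule matches at all


def scanner_used(rules, ip, inherited_env=None):
    """True when mail from ip is handed to qmail-scanner-queue.pl."""
    _, instruction, env = decide(rules, ip, inherited_env)
    return instruction == "allow" and env.get("QMAILQUEUE", "").endswith("qmail-scanner-queue.pl")


if __name__ == "__main__":
    for label, text in (("suggested", SUGGESTED_RULES), ("author", AUTHOR_RULES)):
        rules = parse_tcprules(text)
        for ip in ("127.0.0.1", "192.168.0.200", "203.0.113.7"):
            key, instr, env = decide(rules, ip, RUN_SCRIPT_ENV)
            print(f"{label:9} {ip:15} rule={key!r:8} {instr} "
                  f"relay={'RELAYCLIENT' in env} scanner={scanner_used(rules, ip, RUN_SCRIPT_ENV)}")
```

The point the model makes visible: with the suggested rules, anything a local process (including a webmail upload) injects through 127.0.0.1 reaches qmail-queue unscanned, while the author's version keeps the scanner on that path and only drops the RBL check. Remember that /etc/tcp.smtp is not read directly; `qmailctl cdb` must rebuild /etc/tcp.smtp.cdb before a change takes effect.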

[root@www contrib]# qmailctl stop
Stopping qmail…

qmail-smtpd
qmail-send
qmail-pop3d

[root@www contrib]# qmailctl cdb
Reloaded /etc/tcp.smtp.

[root@www contrib]# qmailctl start
Starting qmail…

Starting qmail-send
Starting qmail-smtpd
Starting qmail-pop3d

[root@www contrib]# qmailctl stat
/service/qmail-send: up (pid 8801) 4 seconds
/service/qmail-send/log: up (pid 8808) 4 seconds
/service/qmail-smtpd: up (pid 8811) 4 seconds
/service/qmail-smtpd/log: up (pid 8816) 4 seconds
/service/qmail-pop3d: up (pid 8819) 4 seconds
/service/qmail-pop3d/log: up (pid 8820) 4 seconds
messages in queue: 263
messages in queue but not yet preprocessed: 0

Step: Install / configure qs2mrtg:

Install qs2mrtg.pl from the contrib directory of the qmailscanner.

This is for drawing graphs in MRTG.

Step: QMAIL ANALOG:

I could not get this to work with the latest QmailScanner, so it is useless to set up. It is also not needed, given qs2mrtg.

Step: GREYLISTING and RBLSMTPD:

The greylisting software can be downloaded as follows:-

cd /downloads/qmailnew  
wget http://oss.albawaba.com/files/cqgreylist-0.2.tar.gz  
tar xzf cqgreylist-0.2.tar.gz  
cd cqgreylist-0.2  
mkdir /var/qmail/cqgreylist  
chown vpopmail /var/qmail/cqgreylist  

vi cqgreylist.c
. . .

/*
 * Change anything you want here
 */

/* RFC 2821 specifies the timeout for receiving a command to at least 5 mins */
#define TIMEOUT 300

/* specify the greylisting time in which to not accept mail from a sender */
#define GREY_SECONDS 60

char* hostname = "www.example.com";
char* message = "You are greylisted. Try again.";
char* base_directory = "/var/qmail/cqgreylist/";

/*
 * End of user editable parameters
 */

make
cp cqgreylist /var/qmail/bin/

crontab -e

. . .
23 * * * * /usr/bin/find /var/qmail/cqgreylist -mtime 1 -type f -exec rm -f {} \;

See next section (RBLSMTPD) to actually include GreyListing in Qmail run file.
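To make the GREY_SECONDS and cron settings above concrete, here is an added example (not cqgreylist's own code) of the decision a greylister makes for each delivery attempt in Python. It assumes the record key is the usual triplet of client IP, envelope sender and recipient, that a deferred attempt is answered with SMTP code 451 and the message string from cqgreylist.c, and that records go stale after a day, as the find cron job above arranges; cqgreylist's exact record key and reply code are not shown on this page. The TIMEOUT value is an SMTP command timeout and is not modelled.

```python
"""Greylisting decision logic with the settings from cqgreylist.c above."""
import hashlib
import time

GREY_SECONDS = 60               # GREY_SECONDS from cqgreylist.c on this page
EXPIRE_SECONDS = 24 * 60 * 60   # the nightly "find ... -mtime 1 ... rm" cron job
MESSAGE = "You are greylisted. Try again."   # message string from cqgreylist.c


class Greylist:
    def __init__(self, grey_seconds=GREY_SECONDS, expire_seconds=EXPIRE_SECONDS):
        self.grey_seconds = grey_seconds
        self.expire_seconds = expire_seconds
        # key -> [first_seen, last_seen]. cqgreylist keeps one file per record
        # under base_directory; hashing the triplet gives a filename-safe key.
        self.records = {}

    @staticmethod
    def key(client_ip, sender, recipient):
        triplet = f"{client_ip}|{sender.lower()}|{recipient.lower()}"
        return hashlib.sha256(triplet.encode()).hexdigest()

    def check(self, client_ip, sender, recipient, now=None):
        """Return (accept, smtp_reply) for one delivery attempt."""
        now = time.time() if now is None else now
        k = self.key(client_ip, sender, recipient)
        record = self.records.get(k)
        if record is None or now - record[1] > self.expire_seconds:
            # Never seen (or the record has expired): start the clock and defer.
            self.records[k] = [now, now]
            return False, f"451 {MESSAGE}"
        first_seen, _ = record
        if now - first_seen < self.grey_seconds:
            # Retried too early. A real MTA keeps retrying for hours; most
            # spam cannons never come back at all, which is the whole point.
            return False, f"451 {MESSAGE}"
        record[1] = now  # refresh so a regular correspondent stays accepted
        return True, "250 OK"

    def expire(self, now=None):
        """Drop stale records, as the find cron job above does with the files."""
        now = time.time() if now is None else now
        stale = [k for k, (_, last) in self.records.items()
                 if now - last > self.expire_seconds]
        for k in stale:
            del self.records[k]
        return len(stale)


if __name__ == "__main__":
    g = Greylist()
    t0 = 1_700_000_000
    for offset in (0, 30, 60, 3600):
        print(offset, g.check("203.0.113.7", "alice@example.net",
                              "postmaster@example.com", now=t0 + offset))
```

Two properties worth checking in any greylister you deploy are visible here: a retry before GREY_SECONDS is deferred again rather than accepted, and a record that the cleanup job has removed puts the sender back on the clock, so the expiry window must be longer than the longest retry interval of a legitimate MTA.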

RBLSMTPD:

Edit the run script for qmail-smtpd:-

vi /var/qmail/supervise/qmail-smtpd/run

Text before editing:
. . .
exec /usr/local/bin/softlimit -m 40000000 \
/usr/local/bin/tcpserver -v -R -l "$LOCAL" -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \
-u "$QMAILDUID" -g "$NOFILESGID" 0 smtp \
/var/qmail/bin/qmail-smtpd www.example.com \
/home/vpopmail/bin/vchkpw /usr/bin/true 2>&1

Text after editing:

. . .
exec /usr/local/bin/softlimit -m 40000000 \
/usr/local/bin/tcpserver -v -R -l "$LOCAL" -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \
-u "$QMAILDUID" -g "$NOFILESGID" 0 smtp \
rblsmtpd \
-r sbl.spamhaus.org \
-r zen.spamhaus.org \
-r bl.spamcop.net \
-r list.dsbl.org \
/var/qmail/bin/cqgreylist \
/var/qmail/bin/qmail-smtpd www.example.com \
/home/vpopmail/bin/vchkpw /usr/bin/true 2>&1
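What rblsmtpd does with each `-r` zone is a DNS lookup of the client address with its octets reversed under that zone. The following is an added example in Python (not part of this howto or of ucspi-tcp/rblsmtpd) that builds those names for the four zones in the run script and applies the decision, including the RBLSMTPD variable that tcp.smtp sets to an empty string for 127. connections to skip the check. The resolver is a constructed stub so the block runs offline; the answers in it are made up for the example. One deliberate difference from rblsmtpd, marked in the code, is that only answers in 127.0.0.0/8 count as a listing, so a blocklist domain that has lapsed and started answering with a parking address cannot silently reject all inbound mail.

```python
"""DNSBL lookups as done in front of qmail-smtpd by rblsmtpd."""
import ipaddress

# Zones from the qmail-smtpd run script on this page.
RBL_ZONES = ["sbl.spamhaus.org", "zen.spamhaus.org", "bl.spamcop.net", "list.dsbl.org"]

# Constructed answers for the offline stub resolver: 203.0.113.7 is "listed"
# in zen; 198.51.100.5 gets a non-127/8 answer, which is what a lapsed or
# wildcarded blocklist domain looks like and must not be treated as a listing.
FAKE_ANSWERS = {
    "7.113.0.203.zen.spamhaus.org": ["127.0.0.2"],
    "5.100.51.198.list.dsbl.org": ["10.0.0.1"],
}


def fake_resolve(name):
    """Stand-in for an A-record lookup; [] means NXDOMAIN (not listed)."""
    return FAKE_ANSWERS.get(name, [])


def dnsbl_name(client_ip, zone):
    """Reverse the octets and append the zone: 203.0.113.7 -> 7.113.0.203.<zone>."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def rbl_decision(client_ip, zones, resolve, rblsmtpd_env=None):
    """Return (block, reason) for a connecting client.

    rblsmtpd_env mirrors the RBLSMTPD variable tcp.smtp can set: an empty
    string skips the lookups (this page sets RBLSMTPD="" for 127.), while a
    non-empty string blocks unconditionally with that text as the reason.
    """
    if rblsmtpd_env is not None:
        if rblsmtpd_env == "":
            return False, "RBLSMTPD set but empty: lookups skipped"
        return True, rblsmtpd_env
    for zone in zones:
        for answer in resolve(dnsbl_name(client_ip, zone)):
            # Assumption for this example (stricter than rblsmtpd, which blocks
            # on any answer): only 127.0.0.0/8 replies count as a listing.
            if ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8"):
                return True, f"{client_ip} listed in {zone} ({answer})"
    return False, "not listed"


if __name__ == "__main__":
    for ip in ("203.0.113.7", "203.0.113.8", "198.51.100.5"):
        print(ip, rbl_decision(ip, RBL_ZONES, fake_resolve))
    print("127.0.0.1", rbl_decision("127.0.0.1", RBL_ZONES, fake_resolve, rblsmtpd_env=""))
```

To use it against live zones, replace fake_resolve with a real A lookup (for example one built on socket.gethostbyname_ex, catching socket.gaierror as "not listed"). Zones are queried in the order given and the first listing wins, so putting the zone with the best reputation first, as the run script does with spamhaus, keeps the number of lookups per connection low.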

Restart Qmail service:

qmailctl stop  
qmailctl cdb  
qmailctl start  
sleep 5  
qmailctl stat  
  
[root@www cqgreylist-0.2]# qmailctl stat  
/service/qmail-send: up (pid 11184) 5 seconds  
/service/qmail-send/log: up (pid 11191) 5 seconds  
/service/qmail-smtpd: up (pid 11194) 5 seconds  
/service/qmail-smtpd/log: up (pid 11199) 5 seconds  
/service/qmail-pop3d: up (pid 11202) 5 seconds  
/service/qmail-pop3d/log: up (pid 11203) 5 seconds  
messages in queue: 21  
messages in queue but not yet preprocessed: 0  

ALHUMDULILLAH. MAIL SERVER SETUP COMPLETE.

Step: QS2MRTG: [Not fully documented]. Coming soon.

Install qs2mrtg.pl from the contrib directory of the qmail-scanner source tree.

cp /downloads/qmailnew/qmail-scanner-2.04/contrib/qs2mrtg.pl /usr/local/bin/

This is for drawing graphs in MRTG.

[root@www contrib]# ./qs2mrtg.pl --syslog-file=/var/log/messages \
    --offset-file=/var/log/qs2mrtg.offset \
    --mrtg-output-dir=/var/www/mrtg/ --mailsrv-name=www.example.com

Step: SETUP FIREWALL:

Create a new file /etc/firewall.sh

vi /etc/firewall.sh

#!/bin/bash

###################################################################################
#Author: Muhammad Kamran Azeem (kamran@example.com)
#Created: 20080410
#Last Updated: 20080410
#Implementation on this server: 20080509
#Proposed implementation: On stand alone webmail servers
###################################################################################
#
#Various tools:
#nmap -sU PUBLIChost # scans UDP ports
#
#The following reports the number of connections per remote IP address
#netstat -anp | grep -E 'tcp|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

###################################################################################

#User configurable parameters - START - #############################################
#
#The Public interface of this server towards Internet:-
PUBLICIF=eth0
#
#The Public IP of this server (on $PUBLICIF) visible/accessible from the Internet:-
PUBLICIP=192.168.0.200
#
#The full path to the iptables program:-
IPTABLES=/sbin/iptables
#
#User configurable parameters - END - ###############################################

############ Load Modules - Start #############
#
#Load FTP connection tracking module
modprobe ip_conntrack_ftp
#
############# Load Modules - End ##############

#Start from a clean table. The policy is ACCEPT while the rules are rebuilt so
#that re-running this script over SSH does not lock us out half way through.
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -P INPUT ACCEPT

# ports list:
# 21/tcp - FTP
# 22/tcp - SSH
# 25/tcp - SMTP
# 80/tcp - HTTP
# 443/tcp - HTTPS
# 110/tcp - POP3
# 995/tcp - POP3S
# 143/tcp - IMAP
# 993/tcp - IMAPS
# 123/udp - NTP
# 199/tcp - SNMP
# 161/udp - SNMP
# 3306/tcp - MySQL
#Only the TCP ports in the multiport rule further down accept NEW connections
#from the Internet. NTP, SNMP and MySQL are listed for reference and stay closed;
#NTP works because replies to our own queries are allowed by the ESTABLISHED rule.

#Setup default INPUT policy as DROP
$IPTABLES -P INPUT DROP

##allow packets coming from the machine
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

#allow outgoing traffic
$IPTABLES -A OUTPUT -o $PUBLICIF -j ACCEPT

#Block spoofing

#$IPTABLES -A INPUT -s 127.0.0.0/8 -i ! lo -j DROP

#OR more sophisticated / wide ranged method is below:-

#Add your IP range/IPs here,
#Yes I am sure that the last address has 16 bit subnet for a VALID reason
#NOTE: 192.168.0.200 in this document stands in for a real public address. If
#$PUBLICIF really carries an RFC 1918 address, take that range out of SPOOFLIST,
#otherwise every packet from your own LAN is dropped here.
SPOOFLIST="0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/16 192.168.0.0/16 224.0.0.0/3"
for ip in $SPOOFLIST
do
    $IPTABLES -A INPUT -i $PUBLICIF -s $ip -j DROP
done

#Stop bad packets. These DROP rules must come BEFORE the ACCEPT rule for the open
#ports: a crafted packet to port 25 or 80 would otherwise match the ACCEPT first
#and never reach them.
$IPTABLES -A INPUT -m state --state INVALID -j DROP

# NMAP FIN/URG/PSH
$IPTABLES -A INPUT -i $PUBLICIF -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP

# stop Xmas Tree type scanning
$IPTABLES -A INPUT -i $PUBLICIF -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A INPUT -i $PUBLICIF -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

# stop null scanning
$IPTABLES -A INPUT -i $PUBLICIF -p tcp --tcp-flags ALL NONE -j DROP

# SYN/RST
$IPTABLES -A INPUT -i $PUBLICIF -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

# SYN/FIN
$IPTABLES -A INPUT -i $PUBLICIF -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# A NEW connection must begin with a SYN; DROP any other packet claiming to be NEW:-
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# Allow the following traffic only:-
$IPTABLES -A INPUT -i $PUBLICIF -p tcp -m multiport --dport 21,22,25,80,443,110,995,143,993 -j ACCEPT

#Hopefully spamassassin, NTP, Razor, DNS, DCCIFD, etc will keep working properly,
#because of the following rules: replies to connections we opened are let back in.
$IPTABLES -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT

#Stop syn flood. Not using the following because it will result in VERY SLOW SERVER.
#Incoming syn requests, which may be legitimate Web requests,
#coming from many web browsers / clients will get limited to 1 per second,
#WHICH, WE DON'T WANT.
#I suppose we CANNOT SYN Flood ?
#$IPTABLES -N SYNFLOOD
#$IPTABLES -A SYNFLOOD -p tcp --syn -m limit --limit 1/s -j RETURN
#$IPTABLES -A SYNFLOOD -p tcp -j REJECT --reject-with tcp-reset
#$IPTABLES -A INPUT -p tcp -m state --state NEW -j SYNFLOOD

# Stop ping flood attack

# REJECT echo-requests larger than a default ping. "-m length" measures the whole
# IP packet: 20 byte IP header + 8 byte ICMP header + 56 bytes of data = 84 bytes
# for a stock Linux ping, so "85:" is anything bigger (Below 85 did not help me :)
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -m length --length 85: -j REJECT --reject-with icmp-host-prohibited

# Allow maximum one incoming ICMP echo-request per second; the rest fall to the DROP policy
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

# End of Firewall script

exit 0


Create a new startup file /etc/init.d/firewall

vi /etc/init.d/firewall

#!/bin/bash
#
# firewall      Startup script for our personal firewall
#
# chkconfig: 35 01 99
# description: Our own custom built firewall setup
# processname: firewall

# Source function library.
. /etc/rc.d/init.d/functions

prog=/etc/firewall.sh
lockfile=/var/lock/subsys/firewall
RETVAL=0

start() {
    echo -n $"Starting $prog: "
    /bin/sh /etc/firewall.sh
    RETVAL=$?
    echo
    [ $RETVAL = 0 ] && touch ${lockfile}
    return $RETVAL
}

stop() {
    echo -n $"Stopping $prog: "
    # flush everything and fall back to an open INPUT chain
    /sbin/iptables -F
    /sbin/iptables -t nat -F
    /sbin/iptables -P INPUT ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
    RETVAL=$?
    echo
    [ $RETVAL = 0 ] && rm -f ${lockfile}
    return $RETVAL
}

# See how we were called.
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    status)
        /sbin/iptables -L
        ;;
    restart)
        stop
        start
        ;;
    *)
        echo $"Usage: $prog {start|stop|status|restart}"
        RETVAL=3
esac

exit $RETVAL


chmod +x /etc/firewall.sh
chmod +x /etc/init.d/firewall

chkconfig --level 35 firewall on
service firewall start
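After `service firewall start`, the check worth making is that the rules that matter actually went in. A comment that swallows the command on the same line (easy to do when the script is edited by hand) silently leaves the INPUT policy at ACCEPT, and a port-opening ACCEPT rule placed above the --tcp-flags filters turns those filters into decoration, since a crafted packet to an open port is accepted before they are consulted. The script below is an added example, not part of the guide. It reads `iptables-save` output (the `:INPUT DROP [0:0]` policy line and `-A INPUT ...` rule lines; `--syn` is saved as `--tcp-flags FIN,SYN,RST,ACK SYN`) and flags both mistakes. Two constructed rule sets are embedded, one correct and one with both faults, so it also runs without root.

```sh
#!/bin/sh
# fw-audit.sh: audit iptables-save output for an INPUT chain (added example).
# Checks: 1) INPUT policy is DROP; 2) no --tcp-flags DROP rule sits below the
# first rule that ACCEPTs NEW connections to a port (--dport/--dports).
# Assumes iptables-save line syntax as produced by iptables 1.3/1.4.

# audit_input_chain [file|-]: print findings; return 0 only when both checks pass
audit_input_chain() {
    awk '
    /^:INPUT /   { policy = $2 }
    /^-A INPUT / { n++; rule[n] = $0 }
    END {
        rc = 0
        if (policy != "DROP") {
            print "FAIL: INPUT policy is " policy ", expected DROP"
            rc = 1
        }
        first_accept = 0   # index of the first port-opening ACCEPT rule
        for (i = 1; i <= n; i++) {
            if (!first_accept && rule[i] ~ /--dports? / && rule[i] ~ /-j ACCEPT/)
                first_accept = i
            if (first_accept && i > first_accept && rule[i] ~ /--tcp-flags/ && rule[i] ~ /-j DROP/) {
                print "FAIL: scan filter is below the ACCEPT at rule #" first_accept ": " rule[i]
                rc = 1
            }
        }
        if (rc == 0) print "OK: INPUT policy DROP, scan filters precede the ACCEPT rules"
        exit rc
    }' "$@"
}

# sample_rules good|bad: constructed iptables-save fragments. "bad" is what you get
# when the "-P INPUT DROP" line is commented out and the multiport ACCEPT is
# written above the scan filters.
sample_rules() {
    case "$1" in
    good) cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -s 127.0.0.0/8 -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -i eth0 -p tcp -m multiport --dports 22,25,80,443,110,995,143,993 -j ACCEPT
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
    ;;
    bad) cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m multiport --dports 22,25,80,443,110,995,143,993 -j ACCEPT
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
COMMIT
EOF
    ;;
    esac
}

# Live box:    iptables-save | sh fw-audit.sh -
# Self-check:  sh fw-audit.sh        (audits the two constructed rule sets)
if [ "$#" -gt 0 ]; then
    audit_input_chain "$@"
else
    echo "== constructed good ruleset =="; sample_rules good | audit_input_chain
    echo "== constructed bad ruleset ==";  sample_rules bad  | audit_input_chain || true
fi
```

Pipe `iptables-save` into it right after `service firewall start` and again after any edit to /etc/firewall.sh; a non-zero exit means the chain is not what the script was meant to build.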

=====================================================================

End of QMail Rocks Guide