This article is largely based on the following sites. I haven't invented anything new here, just arranged the material in a way I found helpful.
http://www.qmailrocks.org/
http://goodcleanemail.com/
http://qmail.jms1.net/
http://toribio.apollinare.org/qmail-scanner/
Upgrading from a qmailrocks installation
Before you continue, there are two things you need to know. First, read John Simpson's "Upgrading from qmailrocks" page at http://qmail.jms1.net/upgrade-qmr.shtml
Second, once you upgrade from qmailrocks to John's combined patch, SMTP AUTH will no longer work with plain-text passwords. Have a migration plan ready ahead of time so this does not catch anyone by surprise. If you really need an SMTP server that accepts plain-text passwords, set up another box to do SMTP only. The combined patch also bundles many other patches that improve your server's performance and security.
For details go to:
http://qmail.jms1.net/patches/combined-details.shtml
Download the new qmail-smtpd/run file now so it is prepared and ready to go. PLEASE NOTE: we are *NOT* going to replace the run file until AFTER the system has been patched; swapping the file in afterwards takes only a moment.
# cd /service/qmail-smtpd/
# cp run bak_run
# wget http://qmail.jms1.net/scripts/service-qmail-smtpd-run
# vi service-qmail-smtpd-run
The full list of options understood by service-qmail-smtpd-run is documented at
http://qmail.jms1.net/tls-auth.shtml
If you want to accept messages on port 25 and also allow users to send mail via TLS, use the following options:
IP=X.X.X.X (Substitute your own IP address. 0 means listen on every interface; do not leave it set to 0 without a good reason.)
PORT=25 (The port number we will be listening on.)
SSL=0 (Do not run an SSL-only service.)
FORCE_TLS=0 (1 would refuse mail from clients that have not done STARTTLS; 0 leaves STARTTLS optional, which a port 25 listener that receives mail from other servers needs.)
DENY_TLS=0 (Do not refuse to process the STARTTLS command.)
AUTH=1 (Allow the AUTH command only after STARTTLS has completed, so passwords never cross the wire in the clear.)
REQUIRE_AUTH=0 (1 would refuse mail from clients that have not done AUTH; 0 is required on a port 25 listener that must accept mail from other servers.)
Now that the qmail-smtpd/run file is prepared, download the current version of the combined patch; the latest file is listed at:
http://qmail.jms1.net/patches/combined-details.shtml
For example:
# cd ~root
# wget http://qmail.jms1.net/patches/qmail-1.03-jms1.7.07.patch
Now download the qmail source, extract it and apply the patch:
# cd ~root
# wget http://cr.yp.to/software/qmail-1.03.tar.gz
# tar xvzf qmail-1.03.tar.gz
# cd qmail-1.03
# patch < ../qmail-1.03-jms1.7.07.patch
Once the patch has applied cleanly we are ready to compile qmail with all the new enhancements. Make sure there are no messages in the qmail queue before you stop qmail below; the output of qmailctl stat tells you whether any local or remote messages are queued. THIS IS VERY IMPORTANT! Compile first, while qmail is still running, so that the downtime is limited to the install step. When you stop qmail and run make setup check, it may report that a qmail process is still running; if it is, it is safe to kill it.
# make
# qmailctl stop
# ps ax | grep qmail-send (if it is still running, wait a few seconds and try again)
# ps ax | egrep qmail-send …
# make setup check
Before we start qmail again, we now need to copy over the new qmail-smtpd/run file:
# cd /service/qmail-smtpd/
# cp service-qmail-smtpd-run run
# chmod 755 run
We will also replace the qmail-smtpd/log/run file with a new one:
# cd /service/qmail-smtpd/log
# wget http://qmail.jms1.net/scripts/service-any-log-run
# cp run bak_run
# cp service-any-log-run run
# chmod 0600 bak_run
# chmod 755 run
Before we start qmail, we need to make sure SMTP AUTH over TLS works with vpopmail. qmail-smtpd runs as qmaild, so vchkpw needs the setuid/setgid bits to check passwords against the vpopmail database:
# chmod 6711 ~vpopmail/bin/vchkpw
Setting up the tcpserver access files (optional)
# mkdir -m 755 /etc/tcp
# cd /etc/tcp
# wget http://goodcleanemail.com/files/fbsd/etc-tcp-makefile
# mv etc-tcp-makefile Makefile
Creating the smtp file
At this point it should be ready to go; all you need to do is create the "smtp" file, containing the normal access control list. It may look something like this:
127.:allow,RELAYCLIENT=""
:allow
Grant RELAYCLIENT only to addresses you trust. The catch-all ":allow" line must never set RELAYCLIENT, or the server becomes an open relay. Clients that authenticate with AUTH are given relay permission by the patch for that session, so remote users need no entry here.
Then run make to compile the rules:
# make
Ok, everything is set to start so let’s start qmail.
# qmailctl start
# svc -u /service/*
# qmailctl stat
Important note: Don’t forget to check http://qmail.jms1.net/upgrade-qmr.shtml
Here are two important problems I ran into.
1. Permissions on SSL .pem files
You may get an error like this: "454 TLS not available"
The ownership and permissions of the .pem files should look like this. servercert.pem holds the server's private key, so it must not be readable by other users; group nofiles lets qmail-smtpd (which runs as qmaild) read it, and clientcert.pem, used by qmail-remote (which runs as qmailr), gets group qmail for the same reason.
# cd /var/qmail/control
# ls -laF *.pem
-rw-r----- 1 root qmail   2142 Jun 24  2004 clientcert.pem
-rw-r----- 1 root nofiles 2142 Jun 24  2004 servercert.pem
2. Problem with the “locals” file
Error: 553 Sorry, that domain isn’t in my list of allowed rcpthosts …
This one is less a difference than an outright incorrect step in the qmailrocks documents. The qmailrocks setup instructions tell you to run the command
# ./config-fast your_fqdn_hostname (ex: ./config-fast mail.mydomain.com)
The config-fast script you are running is not designed for a pure-virtual system (which is what qmailrocks builds). The name you enter as your_fqdn_hostname above ends up in the /var/qmail/control/locals file. However, if that name will later be used as the name of a domain in vpopmail, it must not be listed in locals.
The problem shows up later. If a domain name is listed in both locals and virtualdomains (where it must be listed for vpopmail to use it), the entry in locals takes precedence, and mail for that domain will be delivered to system user IDs with the same names as the mailboxes instead of to vpopmail.
The solution is to remove the domain name from the locals file. In fact, if all of your mailboxes are managed through vpopmail, the locals file should be empty.
Note, however, that even if the locals file is empty, it must still exist. Otherwise, the contents of the /var/qmail/control/me file will be treated as if the locals file contained it.
After starting qmail, make sure that the /service/qmail-smtpd and /service/qmail-smtpd/log services stay up for more than one second in the qmailctl stat output. If not, read the log:
# tai64nlocal < /service/qmail-smtpd/log/main/current
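The checks above (the .pem permissions, the locals/virtualdomains conflict, the setuid bits on vchkpw from the earlier step, and the RELAYCLIENT rule in /etc/tcp/smtp) are easy to script and worth re-running after every upgrade. The following script is an added example, not code from this article or from qmail.jms1.net. It assumes the paths used in this article (/var/qmail, /home/vpopmail/bin/vchkpw, /etc/tcp/smtp); every function takes the path it inspects as a parameter, so it can also be pointed at a scratch tree.

```shell
#!/bin/sh
# qmail-postcheck.sh: sanity checks for a qmail + vpopmail host after the
# upgrade. Added example, not code from this article or from qmail.jms1.net.
# Every function takes the path it inspects as a parameter, so the checks
# can be run against a scratch tree as well as the live /var/qmail.

# 0 when FILE exists and is not readable by "other" (mode ends in ---),
# which is what the .pem files holding private keys must look like.
check_pem_private() {
    f=$1
    [ -f "$f" ] || return 1
    set -- $(ls -ld "$f")                 # $1 is now the mode string
    others=$(printf '%s\n' "$1" | cut -c8-10)
    [ "$others" = "---" ]
}

# 0 when vchkpw carries both the setuid and setgid bits (chmod 6711),
# which qmail-smtpd (running as qmaild) needs to check vpopmail passwords.
check_vchkpw_suid() {
    [ -u "$1" ] && [ -g "$1" ]
}

# 0 when CONTROLDIR/locals exists and shares no domain with virtualdomains.
# 1: locals is missing (qmail would then treat the contents of "me" as
#    the locals list). 2: a domain is listed in both files, so locals wins
#    and mail for it goes to system users instead of vpopmail.
check_locals() {
    dir=$1
    [ -f "$dir/locals" ] || return 1
    [ -f "$dir/virtualdomains" ] || return 0
    # virtualdomains lines are "domain:prefix" or "user@domain:prefix";
    # reduce each to its domain. Lines starting with # are comments.
    vdoms=$(grep -v '^#' "$dir/virtualdomains" | sed -e 's/:.*//' -e 's/^.*@//' | sed '/^$/d' | sort -u)
    ldoms=$(grep -v '^#' "$dir/locals" | sed '/^$/d' | sort -u)
    for d in $ldoms; do
        for v in $vdoms; do
            if [ "$d" = "$v" ]; then return 2; fi
        done
    done
    return 0
}

# 0 when no catch-all rule (empty address before the colon) in the tcprules
# source RULES grants RELAYCLIENT; such a rule makes the host an open relay.
# 1: file missing. 2: open-relay rule found.
check_relay_rules() {
    [ -f "$1" ] || return 1
    if grep -E '^:.*RELAYCLIENT' "$1" >/dev/null; then return 2; fi
    return 0
}

# Run all checks on the tree QMAILDIR, the vchkpw binary VCHKPW and the
# tcprules source RULES; print one line per finding and return the count.
run_checks() {
    qmaildir=$1; vchkpw=$2; rules=$3; failed=0; rc=0
    for pem in servercert.pem clientcert.pem; do
        if ! check_pem_private "$qmaildir/control/$pem"; then
            echo "FAIL: control/$pem missing or readable by others (want -rw-r-----)"
            failed=$((failed + 1))
        fi
    done
    if ! check_vchkpw_suid "$vchkpw"; then
        echo "FAIL: $vchkpw lacks setuid/setgid (chmod 6711)"
        failed=$((failed + 1))
    fi
    check_locals "$qmaildir/control" || rc=$?
    case $rc in
        1) echo "FAIL: control/locals missing; qmail will fall back to control/me"; failed=$((failed + 1)) ;;
        2) echo "FAIL: a domain appears in both control/locals and control/virtualdomains"; failed=$((failed + 1)) ;;
    esac
    rc=0
    check_relay_rules "$rules" || rc=$?
    case $rc in
        1) echo "FAIL: rules file $rules not found"; failed=$((failed + 1)) ;;
        2) echo "FAIL: catch-all rule in $rules sets RELAYCLIENT (open relay)"; failed=$((failed + 1)) ;;
    esac
    return $failed
}

# Run against the live system with: sh qmail-postcheck.sh live
# (paths as used in this article; adjust if yours differ)
if [ "${1:-}" = "live" ]; then
    run_checks /var/qmail /home/vpopmail/bin/vchkpw /etc/tcp/smtp
fi
```

The script only reports mode bits and file contents; it does not verify ownership (root:nofiles, root:qmail), so still compare the ls -laF output against the listing above. The exit status is the number of failed checks, which makes it convenient to call from a cron job or a monitoring check.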
Other than that, you are good to go! You now need to tell your users to send SMTP via TLS. If you want to offer SMTP over SSL (an SSL-only port), you need to set up a separate service. Take a look at
http://goodcleanemail.com/index.php?option=com_content&task=view&id=73&Itemid=25
Or set up SMTP with TLS on a separate service:
http://goodcleanemail.com/index.php?option=com_content&task=view&id=47&Itemid=25
If you want to enable validrcptto (so that mail for nonexistent recipients is rejected during the SMTP session rather than accepted and bounced later), take a look at the following URLs
http://qmail.jms1.net/patches/validrcptto.cdb.shtml
http://qmail.jms1.net/scripts/mkvalidrcptto.shtml
If you would like to enable jgreylist, follow this website:
http://qmail.jms1.net/scripts/jgreylist.shtml
Vpopmail installation with pop-b4-smtp and no clear password
Download the latest vpopmail source file from
http://www.inter7.com/index.php?page=vpopmail
Run the following commands to unpack it, then configure and install it. --enable-roaming-users enables pop-before-smtp. --disable-clear-passwd stops vpopmail from storing a clear-text copy of each password; the trade-off is that challenge-response mechanisms such as CRAM-MD5, which need the clear-text secret on the server, cannot be offered, so clients authenticate with PLAIN or LOGIN and must do so only after STARTTLS, as configured in qmail-smtpd/run above.
# tar jxf vpopmail-5.4.27.tar.bz2
# cd vpopmail-5.4.27
# ./configure --enable-logging=p --enable-roaming-users --disable-clear-passwd
# make && make install-strip
If you get an error like "vchkpw-smtp: vpopmail user not found; check attributes/permission", try:
# chmod ug+s /home/vpopmail/bin/vchkpw
Qmailadmin installation
Download the latest version of qmailadmin source from
http://www.inter7.com/index.php?page=qmailadmin
Run the following commands to unpack it, then configure and install it.
# tar -zxf qmailadmin-1.2.12.tar.gz
# cd qmailadmin-1.2.12
# ./configure --enable-cgibindir=/var/www/cgi-bin --enable-htmldir=/var/www/
# make && make install-strip
Qmailscanner 2.05 installation
Download a complete patched distribution (q-s-2.05st-20080728.tgz) from
http://toribio.apollinare.org/qmail-scanner/download/q-s-2.05st-20080728.tgz
For complete configuration options and examples check
http://toribio.apollinare.org/qmail-scanner/
Configure
Extract the tarball, change into the extracted directory and run configure. Replace DOMAIN-NAME with your own domain:
# ./configure --domain DOMAIN-NAME \
--admin antivirus \
--admin-description "Antivirus DOMAIN-NAME" \
--add-dscr-hdrs yes \
--dscr-hdrs-text "X-Antivirus-DOMAIN-NAME" \
--ignore-eol-check yes \
--redundant yes \
--max-zip-size 80000000 \
--max-unpacked-files 2000 \
--virus-to-delete yes \
--settings-per-domain yes \
--sa-maxsize 512000 \
--sa-quarantine 2.1 \
--sa-delete 4.2 \
--sa-reject yes \
--sa-subject "SPAM *** " \
--sa-delta 0.5 \
--sa-alt yes \
--sa-debug yes \
--sa-report yes
Install
Create an install.sh script with the following contents and run it. It replaces the old qmail-scanner-queue.pl in /var/qmail/bin, so back that file up first. Note that the setuid bit set on the script below is only honoured where the system provides a setuid-capable perl; Linux ignores setuid on interpreted scripts, in which case qmail-scanner must be invoked through its compiled setuid wrapper instead (see the qmail-scanner documentation).
#!/bin/sh
# install.sh: install the freshly configured qmail-scanner and create its
# spool tree. Stop at the first error.
set -e

# Quarantine, working and archive areas, each in maildir layout (tmp/cur/new)
mkdir -p /var/spool/qscan
mkdir -p /var/spool/qscan/quarantine/viruses/tmp /var/spool/qscan/quarantine/viruses/cur /var/spool/qscan/quarantine/viruses/new
mkdir -p /var/spool/qscan/quarantine/spam/tmp /var/spool/qscan/quarantine/spam/cur /var/spool/qscan/quarantine/spam/new
mkdir -p /var/spool/qscan/quarantine/policy/tmp /var/spool/qscan/quarantine/policy/cur /var/spool/qscan/quarantine/policy/new
mkdir -p /var/spool/qscan/working/tmp /var/spool/qscan/working/cur /var/spool/qscan/working/new
mkdir -p /var/spool/qscan/archive/tmp /var/spool/qscan/archive/cur /var/spool/qscan/archive/new
cp quarantine-events.txt /var/spool/qscan/
chown -R qscand:qscand /var/spool/qscan/

# Replace the old queue script; it runs setuid as qscand
cp qmail-scanner-queue.pl /var/qmail/bin/qmail-scanner-queue.pl
chown qscand:qscand /var/qmail/bin/qmail-scanner-queue.pl
chmod 4755 /var/qmail/bin/qmail-scanner-queue.pl

# Self-test the installation (-z), then generate the perlscanner database (-g)
/var/qmail/bin/qmail-scanner-queue.pl -z
/var/qmail/bin/qmail-scanner-queue.pl -g