Installation and Configuration instructions for qmail+spamcontrol
7/18/06 Laird Bedore

Key documents to read:
# life with qmail:
#   http://www.lifewithqmail.org/lwq.html
# spamcontrol:
#   http://www.fehcom.de/qmail/spamcontrol/INSTALL.spamcontrol
#   http://www.fehcom.de/qmail/spamcontrol/README_spamcontrol.html
# ucspi-ssl:
#   http://www.superscript.com/ucspi-ssl/install.html
# ucspi-tls:
#   http://www.suspectclass.com/~sgifford/ucspi-tls/
#   http://www.suspectclass.com/~sgifford/ucspi-tls/ucspi-tls-qmail-howto.html
# qmail-qfilter:
#   http://www.untroubled.org/qmail-qfilter/
#   http://www.untroubled.org/bglibs/
# qmailanalog with newanalyze:
#   http://www.fehcom.de/qmail/newanalyse.html

# Software being installed:
#   qmail 1.03
#   spamcontrol 2.4
#   checkpassword
#   (still testing) cmd5checkpw and Linux-PAM
#   ucspi-tcp
#   ucspi-ssl (patched to add -tls)
#   daemontools
#   qmailctl
#   qmail-qfilter (MUCH simpler than qmail-scanner)
#   Some sort of log analysis package is needed!
#   See http://www.fehcom.de/qmail/newanalyse.html
#   INSTALL INSTRUCTIONS STILL NEED TO BE WRITTEN

# Files expected by this HOWTO:

1. Unpack qmail 1.03 into a directory.
% tar zxf /vsn/pub/qmail/original/qmail-1.03.tar.gz

2. Unpack spamcontrol on top of qmail's source.
% cd qmail-1.03; tar zxf /vsn/pub/qmail/original/spamcontrol-2415_tgz.bin

3. Edit conf-spamcontrol. Make any changes you want.
## No changes done in this first test implementation.

4. Now do all the prerequisites for a basic qmail installation: user creation.
## None of these accounts ever logs in. On systems where useradd assigns a
## login shell by default, add "-s /bin/false" to each useradd (or lock the
## accounts with "passwd -l" afterwards) so they cannot be used interactively.
% mkdir /var/qmail
% groupadd -g 101 nofiles
% useradd -u 100 -g nofiles -d /var/qmail/alias alias
% useradd -u 101 -g nofiles -d /var/qmail qmaild
% useradd -u 102 -g nofiles -d /var/qmail qmaill
% useradd -u 103 -g nofiles -d /var/qmail qmailp
% groupadd -g 102 qmail
% useradd -u 104 -g qmail -d /var/qmail qmailq
% useradd -u 105 -g qmail -d /var/qmail qmailr
% useradd -u 106 -g qmail -d /var/qmail qmails

5. Run ./install_spamcontrol.sh from the source directory.
## It does all of its magic and then tells you to customize a few scripts.
## We will customize them later.

6. Build qmail as per the basics:
% make setup check
% ./config-fast mail.vectorstar.net

7. Set up SSL certs and keys and such
## Got this info from:
#   http://www.suspectclass.com/~sgifford/ucspi-tls/ucspi-tls-qmail-howto.html
% mkdir /var/qmail/ssl
% chown root /var/qmail/ssl
% chmod 700 /var/qmail/ssl
% cd /var/qmail/ssl
## Create the cert in "cert", the key in "key". Old cert files may need to
## be separated into 2 parts to fit this format.
## Generate a new certificate! The umask keeps the key readable by root only.
## This produces a self-signed certificate, so mail clients will warn about it
## unless it is imported as trusted. On OpenSSL versions whose default RSA key
## size is still 1024 bits, add "-newkey rsa:2048".
% umask 077
% openssl req -new -x509 -keyout key.enc -out cert -days 360
## Enter a temporary password. Remember it for a few minutes.
## Answer the questions:
##   Country: US
##   State: Florida
##   Locality: Largo
##   Org/company: VectorStar Networks
##   Org/section: (blank)
##   Common name: mail.vectorstar.net
##   Email: staff@vectorstar.net
## The next command strips the password from the key, so it can be used to
## automatically launch servers. You must enter the password from above.
% openssl rsa -in key.enc -out key
## Create a Diffie-Hellman parameter file. sslserver reads it (DHFILE below)
## for the ephemeral Diffie-Hellman key exchange of the DHE cipher suites.
## 1024-bit DH parameters are considered weak today; use 2048 where the
## clients you have to serve support it.
% openssl dhparam -out dhparam 1024
## Create a user and group for SSL authentication:
% groupadd -g 98 ssl
% useradd -u 98 -g ssl -d /var/qmail ssl
## Create a file to set shell variables, /var/qmail/ssl/env:

# Set these three
SSL_USER=ssl
SSL_GROUP=ssl
SSL_DIR=/var/qmail/ssl
# Enable UCSPI-TLS
UCSPITLS=1
# The rest are set based on the above three
SSL_CHROOT="$SSL_DIR"
CERTFILE="$SSL_DIR/cert"
KEYFILE="$SSL_DIR/key"
DHFILE="$SSL_DIR/dhparam"
SSL_UID=`id -u "$SSL_USER"`
if [ $? -ne 0 ]; then echo "No such user '$SSL_USER'" >&2; exit 1; fi
# Note: "id -g" takes a user name, not a group name. This works only because
# the ssl user's primary group is the ssl group.
SSL_GID=`id -g "$SSL_GROUP"`
if [ $? -ne 0 ]; then echo "No such group '$SSL_GROUP'" >&2; exit 1; fi
# Enable SMTP Auth. An empty value permits the LOGIN and PLAIN auth types
# (see the PROBLEMS notes at the end). Both send the password in the clear,
# so they should only be accepted inside the TLS session; INSTALL.spamcontrol
# describes the SMTPAUTH settings your spamcontrol version supports.
SMTPAUTH=""
# Export the variables used by other scripts
export SSL_CHROOT SSL_UID SSL_GID UCSPITLS CERTFILE KEYFILE DHFILE SMTPAUTH
## EOF

## Set security on the env file:
% chmod 600 /var/qmail/ssl/env
## Certificate generation is done.

8. Install DJB's checkpassword
## In emergency, use copy of binary in /vsn/pub/qmail/addons/checkpassword
% cd /usr/src
% tar zxf /vsn/pub/qmail/original/checkpassword-0.90.tar.gz
% cd checkpassword-0.90
## Edit error.h. Replace "extern int errno;" with "#include <errno.h>".
% make
% make setup check
## checkpassword must run as root to read /etc/shadow. qmail-popup is started
## as root, but qmail-smtpd runs as qmaild, so SMTP AUTH needs the setuid bit.
## 4755 lets every local user run a setuid-root password checker; "chown
## root:nofiles" plus 4750 limits it to root and the qmaild account.
% chmod 4755 /bin/checkpassword
## Test!
% /var/qmail/bin/qmail-popup blah /bin/checkpassword id
+OK <...@blah>
user (real user)
+OK
pass (real password)
-ERR authorization failed      (means error)
## Returning with the output of the "id" program means success.

### Sections 9 and 10 are in for testing purposes ###

9. Install Linux-PAM (for cmd5checkpw)
Currently the only known implementation of this for Slackware is a package
downloadable from www.linuxpackages.net. Slackware itself does not support
PAM for reasons of security policy. Download the package and install it
using "installpkg".
% installpkg /vsn/pub/qmail/extra/Linux-PAM-0.99.3.0-i486-1cjm.tgz

10. (Optional?) Install cmd5checkpw from SPAMCONTROL's site.
% cd /usr/src
% tar zxf /vsn/pub/qmail/extra/cmd5checkpw-030_tgz.bin
% cd cmd5checkpw-0.30
% make
% make setup
## Should we consider using a different account than "ssl" for this?
% echo "ssl:ssl" > /var/qmail/users/authuser
% chown ssl /var/qmail/users/authuser
% chmod 400 /var/qmail/users/authuser
% chown ssl /bin/cmd5checkpw
## "a+s" sets both setuid (to ssl, which is what reading authuser needs) and
## setgid to the binary's group (root), which nothing here needs; "u+s" is enough.
% chmod a+s /bin/cmd5checkpw
## Test! (I cannot get this one to test successfully!!)
% /var/qmail/bin/qmail-popup blah /bin/cmd5checkpw id
+OK <...@blah>
user (real user)
+OK
pass (real password)
-ERR authorization failed      (means error)
## Returning with the output of the "id" program means success.
## Note: cmd5checkpw is the CRAM-MD5 checker. It expects the client's
## HMAC-MD5 response to the challenge in the password slot, not the cleartext
## password, so the plain USER/PASS exchange above is not a valid test of it.

### End Testing Purposes ###
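Both tests above exercise the checkpassword interface, and much of the trouble with cmd5checkpw comes from not seeing what qmail-popup actually hands the checker. The following shell harness is an added example, not code from this HOWTO or from checkpassword or cmd5checkpw: it builds the descriptor-3 payload the way qmail-popup does (user name, password, timestamp, each NUL-terminated), runs a checker with that payload on fd 3, and includes a constructed stand-in checker (fake_checkpw, matching against an inline user:password table in the authuser layout) so it runs without a real checker installed. The cram_md5_response helper needs openssl and shows what a CRAM-MD5 checker such as cmd5checkpw expects in the password slot; the user names and passwords are made up.

```shell
#!/bin/sh
# Added example: exercising the checkpassword interface from the shell.
# DJB's checkpassword interface: the checker reads
# "<user>\0<password>\0<timestamp-or-challenge>\0" from file descriptor 3,
# exits 1 on bad credentials, 2 on misuse, 111 on temporary error, and on
# success execs the program named in its arguments (qmail-popup names the
# POP3 server there; the tests in this HOWTO name "id").

# Run $1 (a checker program or shell function) with the payload built from
# $2=user, $3=password, $4=timestamp/challenge on fd 3; the remaining
# arguments are the program the checker execs on success.
checkpw_call() {
    _checker=$1; _user=$2; _pass=$3; _ts=$4
    shift 4
    printf '%s\000%s\000%s\000' "$_user" "$_pass" "$_ts" | "$_checker" "$@" 3<&0
}

# Constructed stand-in checker, NOT checkpassword or cmd5checkpw: it compares
# cleartext passwords against an inline "user:password" table (the layout of
# cmd5checkpw's authuser file) and, unlike the real thing, does not switch
# uid before running the program. It exists so the harness runs anywhere.
AUTHTABLE='alice:s3cret
bob:hunter2'

fake_checkpw() {
    _payload=$(tr '\000' '\n' <&3 2>/dev/null) || return 2   # misuse: no fd 3
    _u=$(printf '%s\n' "$_payload" | sed -n 1p)
    _p=$(printf '%s\n' "$_payload" | sed -n 2p)
    _expected=$(printf '%s\n' "$AUTHTABLE" | awk -F: -v u="$_u" '$1 == u { print $2; exit }')
    if [ -z "$_expected" ] || [ "$_p" != "$_expected" ]; then
        return 1            # what qmail-popup reports as "-ERR authorization failed"
    fi
    "$@"                    # success: run the program, as checkpassword's exec would
}

# CRAM-MD5 response for a challenge (needs openssl). A CRAM-MD5 checker such
# as cmd5checkpw expects this hex digest in the password slot and the
# challenge in the third slot, which is why typing the cleartext password at
# qmail-popup cannot satisfy it.
cram_md5_response() {
    # $1 = shared secret, $2 = server challenge (e.g. the "<...@host>" greeting)
    printf '%s' "$2" | openssl dgst -md5 -hmac "$1" | sed 's/^.*= //'
}

# Demo against the stand-in checker. A real checker is driven the same way,
# e.g. (as root, so /etc/shadow is readable):
#   checkpw_call /bin/checkpassword alice s3cret '' id
checkpw_call fake_checkpw alice s3cret '' echo "accepted: alice"
checkpw_call fake_checkpw alice wrong '' echo "never printed" || echo "rejected: alice/wrong (status $?)"
```

The harness is also the quickest way to tell the two failure modes apart: a checker that exits 2 never saw a usable fd 3 (the wiring is wrong), while an exit of 1 means the credentials themselves were refused.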
11. Set up qmail aliases
% cd ~alias
% echo "|sh /dev/null" > .qmail-mailer-daemon
% cp .qmail-mailer-daemon .qmail-postmaster
% cp .qmail-mailer-daemon .qmail-root
% echo "&frankie" > .qmail-frankiemob
% chmod 644 ~alias/.qmail*
## "|sh /dev/null" silently discards the message. That is fine for
## mailer-daemon, but postmaster is where abuse and delivery complaints
## arrive, so consider forwarding it to a real mailbox instead (the "&user"
## form used for frankiemob above).

12. Configure qmail for startup using .mail/INBOX as defaultdelivery:
## There are more extensible ways of doing this, as described in the
## "Life with qmail" faq.
## *** NOTE *** Some other documentation mentions getting rid of
## splogger because multilog handles the logging now! Removing "splogger
## qmail" from the qmail-start line leaves qmail-send's log output on
## stdout, where the supervise/multilog setup of step 15 collects it.
% cd /var/qmail/boot
% cat home | sed -e "s/.\/Mailbox/.mail\/INBOX/g" | sed -e "s/splogger qmail//g" > ../rc
% chmod 755 /var/qmail/rc

13. Install tcpserver/sslserver with ucspi-tls patch:
## 3 parts:
##   ucspi-tcp (from Dan Bernstein, qmail creator)
##   ucspi-ssl (from http://www.superscript.com/ucspi-ssl/install.html)
##   ucspi-tls (from http://www.suspectclass.com/~sgifford/ucspi-tls/)
##
## This is used to execute qmail-smtpd. It also provides the
## mechanism for qmail-smtpd to accept the STARTTLS command.
% cd /usr/src
% tar zxf /vsn/pub/qmail/original/ucspi-tcp-0.88.tar.gz
% cd ucspi-tcp-0.88
## Edit error.h. Replace "extern int errno;" with "#include <errno.h>".
% make
% make setup check
% cd ..
## Time for ucspi-ssl.
% mkdir /package
% chmod 1755 /package
% cd /package
% tar zxf /vsn/pub/qmail/original/ucspi-ssl-0.70.tar.gz
% cd host/superscript.com/net/ucspi-ssl-0.70
% patch -p1 < /vsn/pub/qmail/original/ucspi-ssl-0.70-ucspitls-0.1.patch
% package/compile base
% package/install base
## This installs "sslserver" in /usr/local/bin, along with the other stuff
## from tcpserver/ucspi-tcp.

14. Install DJB's daemontools:
## (Instructions from life with qmail, section 2.7)
## http://www.lifewithqmail.org/lwq.html
% cd /package
% tar zxf /vsn/pub/qmail/original/daemontools-0.76.tar.gz
% cd admin/daemontools-0.76/src
## Edit error.h. Replace "extern int errno;" with "#include <errno.h>".
% cd ..
% package/install
## This installation makes changes to the inittab.
## init will actually manage the running of svscanboot. In the inittab, the
## "SV:..." line reportedly needs to be moved above the "x1:..." line for
## Slackware. Make this change by putting the "SV:..." line just below the
## commented-out dialup lines d1: and d2:.
% pico /etc/inittab

15. Configure daemontools to manage qmail's operation
## Copy the qmailctl script (found in "life with qmail") to /var/qmail/bin
% cp /vsn/pub/qmail/original/qmailctl /var/qmail/bin/
% chmod 755 /var/qmail/bin/qmailctl
% chgrp qmail /var/qmail/bin/qmailctl
% ln -s /var/qmail/bin/qmailctl /usr/bin
## Set up the "supervise" scripts:
% mkdir -p /var/qmail/supervise/qmail-send/log
% mkdir -p /var/qmail/supervise/qmail-smtpd/log
% cd /var/qmail/supervise
## The echo commands below are written for tcsh (hence the "\!" escaping of
## the history character and the "\n" line breaks). Under sh or bash write
## the two lines with printf or a here-document instead.
## Create the /var/qmail/supervise/qmail-send/run file:
% echo "#\!/bin/sh\nexec /var/qmail/rc" > qmail-send/run
% chmod 755 qmail-send/run
## Create the /var/qmail/supervise/qmail-send/log/run file (20x10mb logs):
% echo "#\!/bin/sh\nexec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t s10000000 n20 /var/log/qmail" > qmail-send/log/run
% chmod 755 qmail-send/log/run
## Copy the /var/qmail/supervise/qmail-smtpd/run file from the archive
## (original found in "life with qmail", TLS modifications from the
## ucspi-tls-qmail-howto located at
## http://www.suspectclass.com/~sgifford/ucspi-tls/ucspi-tls-qmail-howto.html
## and AUTH modifications from
## http://www.fehcom.de/qmail/spamcontrol/INSTALL.spamcontrol):
% cp /vsn/pub/qmail/addons/qmail-smtpd-run-tls-auth /var/qmail/supervise/qmail-smtpd/run
% chmod 755 qmail-smtpd/run
## Create a "concurrencyincoming" control file, as used by the above script:
% echo 20 > /var/qmail/control/concurrencyincoming
% chmod 644 /var/qmail/control/concurrencyincoming
## Create the /var/qmail/supervise/qmail-smtpd/log/run file (20x10mb logs):
% echo "#\!/bin/sh\nexec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t s10000000 n20 /var/log/qmail/smtpd" > qmail-smtpd/log/run
% chmod 755 qmail-smtpd/log/run
## Build the log directories:
% mkdir -p /var/log/qmail/smtpd
% chown qmaill /var/log/qmail /var/log/qmail/smtpd
## Link the supervise directories into /service:
% ln -s /var/qmail/supervise/qmail-send /var/qmail/supervise/qmail-smtpd /service
## svscanboot should already be running (oh the magic of inittab).
## Qmail should start automagically. Check with "ps -ax".
## Stop it with "qmailctl stop":
% qmailctl stop

16. Create your tcpserver cdb rules:
## Documentation suggests that by default localhost should be allowed
## to relay smtp mail. We are bucking that trend. For the sake of
## documentation, I will put both options in here.
## Keep in mind how tcpserver reads the cdb: a connection that matches no
## rule is accepted, and relaying is granted only to connections whose
## matching rule sets RELAYCLIENT. An empty rules file therefore means
## "accept mail from everyone, relay for nobody", which is what you want
## on an MX. A bare ":allow,RELAYCLIENT=\"\"" line would make this an
## open relay.
## "Allow localhost" method:
% echo '127.:allow,RELAYCLIENT=""' >> /etc/tcp.smtp
% qmailctl cdb
## "Don't allow localhost" method:
% touch /etc/tcp.smtp
% qmailctl cdb

17. Enhance your base configuration
% cd /var/qmail/control
## Run /var/qmail/bin/qmail-showctl|less to see what you can configure.
## badloadertypes: blocks MIME/UPX loader types in attachments (a way
## of blocking some viruses) NEED TO DO SOME CDB STUFF WITH THIS INSTEAD!
% cp ../doc/badloadertypes ./
## badmimetypes: blocks certain MIME type strings, as are seen in worms
## NEED TO DO SOME CDB STUFF WITH THIS INSTEAD!
% cp ../doc/badmimetypes ./
## badrcptto: useful for blocking emails destined to a specific address.
## IMPROPER FORMAT! Look up wildmat format for this.
% echo "\!lmbedore@vectorstar.com\n@vectorstar.com" > badrcptto
% echo "vectorstar.net" > bouncehost
% echo 51200 > bouncemaxbytes
## 50mb
% echo 52428800 > databytes
% ln -s bouncehost doublebouncehost
% ln -s defaultdomain envnoathost
% echo "vectorstar.net\nmail.vectorstar.net" > locals
## 23 hours
% echo 82800 > queuelifetime
% echo "vectorstar.net\nvectorstar.com\njrlweb.com" >> rcpthosts
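Step 16 is where an open relay is created or avoided: the only thing that grants relaying is RELAYCLIENT appearing in a matching rule, and tcpserver accepts connections that match no rule at all. The following is an added example, not part of this HOWTO or of ucspi-tcp: a shell function that lints a tcprules source file before "qmailctl cdb" compiles it, flagging any rule that hands RELAYCLIENT to the default rule (empty address) or to an address prefix shorter than three octets unless that prefix is loopback or an RFC 1918 network, together with constructed sample files containing a safe and an unsafe rule set. The rule lines and addresses are made up, and the prefix policy is my choice, not something tcprules enforces.

```shell
#!/bin/sh
# Added example: lint a tcprules source file (the /etc/tcp.smtp of step 16)
# for rules that grant relaying too widely. Input on stdin, findings on
# stdout, exit 1 if anything was found, 0 otherwise.
# Format reminder (tcprules): "address:instruction" where address is empty
# (default rule), a dotted prefix like "192.168.1.", a host, or "=hostname",
# and the instruction is "allow" or "deny" optionally followed by
# ",VAR=value" environment settings. RELAYCLIENT in that environment is
# what makes qmail-smtpd relay for the connection.
lint_tcprules() {
    awk -F: '
        /^[ \t]*(#|$)/ { next }                    # comments and blank lines
        {
            addr = $1
            rule = substr($0, length($1) + 2)      # everything after the first colon
            if (rule !~ /RELAYCLIENT=/) next       # no relaying granted: nothing to check
            if (addr == "") {
                print "line " NR ": RELAYCLIENT on the default rule grants relaying to the world"
                bad++; next
            }
            if (addr ~ /^=/) next                  # hostname rule: out of scope here
            n = split(addr, o, ".")
            octets = (o[n] == "") ? n - 1 : n      # "10." splits to "10" and "", i.e. one octet
            if (octets >= 3) next                  # a /24 or a single host: acceptable
            if (addr == "127." || addr == "10." || addr ~ /^192\.168\.$/ ||
                addr ~ /^172\.(1[6-9]|2[0-9]|3[01])\.$/) next   # loopback / RFC 1918
            print "line " NR ": RELAYCLIENT for wide prefix " addr
            bad++
        }
        END { exit bad ? 1 : 0 }'
}

# Constructed samples (not from the HOWTO). The first would compile fine
# with tcprules and turn the server into an open relay.
BAD_RULES='# relay for the LAN... and for everyone else
127.:allow,RELAYCLIENT=""
192.168.1.:allow,RELAYCLIENT=""
1.2.:allow,RELAYCLIENT=""
:allow,RELAYCLIENT=""'

GOOD_RULES='127.:allow,RELAYCLIENT=""
192.168.1.:allow,RELAYCLIENT=""
:allow'

# Count findings for a rules text (for use by a wrapper such as qmailctl cdb).
count_findings() {
    printf '%s\n' "$1" | lint_tcprules | wc -l | tr -d ' '
}

# Demo; in production: lint_tcprules < /etc/tcp.smtp && qmailctl cdb
printf '%s\n' "$GOOD_RULES" | lint_tcprules && echo "good sample: no findings"
printf '%s\n' "$BAD_RULES" | lint_tcprules || echo "bad sample: refuse to compile this"
```

Wiring the check into qmailctl's "cdb" target (lint first, run tcprules only on exit 0) means a typo such as a missing address part never reaches the live cdb.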
18. Install qmail-qfilter, which will give us the ability to run arbitrary
filters on email entering the queue
## Unpack bglibs and install
% cd /usr/src
% tar zxf /vsn/pub/qmail/addons/bglibs-1.041.tar.gz
% cd bglibs-1.041
% make
% make install
## Create a TEMP directory only accessible to qmail-qfilter
% mkdir /var/qmail/qfilter
% chmod 700 /var/qmail/qfilter
% chown qmaild /var/qmail/qfilter
## Unpack qmail-qfilter
% cd /usr/src
% tar zxf /vsn/pub/qmail/addons/qmail-qfilter-2.1.tar.gz
% cd qmail-qfilter-2.1
## Edit qmail-qfilter.c. Look at the definitions.
## Change the TMPDIR to "/var/qmail/qfilter".
% make
% make install
## Create the filtering script that will execute the filters.
## For now it won't filter anything, but it's ready to:
% pico /var/qmail/bin/prequeue-filter
#!/bin/sh
# NOTE: this script runs as qmaild.
## Syntax is: qmail-qfilter filter1 f1-args -- filter2 f2-args ...
exec /usr/local/bin/qmail-qfilter /bin/true
% chmod 755 /var/qmail/bin/prequeue-filter
## The script only needs to be readable and executable by qmaild; leaving it
## owned by root (rather than "chown qmaild") means a compromised qmaild
## cannot rewrite the program that filters every incoming message.
% chown qmaild /var/qmail/bin/prequeue-filter
## Edit /var/qmail/supervise/qmail-smtpd/run to run an alternate
## queue program. Add this near the top (takes effect on the next restart):
QMAILQUEUE="/var/qmail/bin/prequeue-filter"; export QMAILQUEUE
## If for some reason qmail-qfilter is getting wacky errors, you
## won't see any logs of it anywhere. What you will see is a sudden
## lack of messages making their way into the queue. What is happening
## is that when qmail-smtpd finishes receiving the message and invokes
## QMAILQUEUE, the failing filter makes qmail-qfilter exit non-zero, so
## qmail-smtpd answers with a temporary failure and the remote MTA queues
## the message for later retry. To debug, run the filter chain by hand
## as qmaild with a saved message on stdin and look at its exit status.

20. Remove sendmail, symlink in qmail's sendmail replacement (optional)
## Note that we do NOT provide sendmail-type support on vectorstar.
% rm /usr/*/sendmail
% ln -s /var/qmail/bin/sendmail /usr/lib/sendmail
% ln -s /var/qmail/bin/sendmail /usr/sbin/sendmail

21. Link non-qmail mail daemons to the server's SSL cert
## This is the "new" way, and works.
% cat /var/qmail/ssl/key /var/qmail/ssl/cert > /etc/ssl/certs/ipop3d.pem
% cat /var/qmail/ssl/key /var/qmail/ssl/cert > /etc/ssl/certs/imapd.pem
## These two files contain the private key. /etc/ssl/certs is normally
## world-readable, so make sure they end up mode 600 and owned by root.

22. Configure inetd to launch POP3, IMAP
% echo "# Email daemons
pop3  stream tcp nowait root /usr/sbin/tcpd /usr/sbin/ipop3d
pop3s stream tcp nowait root /usr/sbin/tcpd /usr/sbin/ipop3d
imap2 stream tcp nowait root /usr/sbin/tcpd /usr/sbin/imapd
imaps stream tcp nowait root /usr/sbin/tcpd /usr/sbin/imapd
" >> /etc/inetd.conf
% killall -HUP inetd

23. Create and configure virtual mail domains.
% cd /var/qmail/alias
% useradd -u 107 -g qmail -d /var/qmail/alias/mailvsc mailvsc
% mkdir mailvsc
% echo "&lmbedore@vectorstar.net" > mailvsc/.qmail-lmbedore
% chown -R mailvsc mailvsc
% useradd -u 108 -g qmail -d /var/qmail/alias/mailjrl mailjrl
% mkdir mailjrl
% echo "&jrlewis@vectorstar.net" > mailjrl/.qmail-jrlewis
% chown -R mailjrl mailjrl
% echo "vectorstar.com:mailvsc\njrlweb.com:mailjrl" > /var/qmail/control/virtualdomains

24. Set system to restart qmail weekly.
It seems that this qmail implementation has some memory leaks that cause the
system to hold on to a lot of extra memory. Restarting qmail once a week keeps
the memory usage within reasonable limits.
% touch /etc/cron.weekly/qmail-restart
% chmod 755 /etc/cron.weekly/qmail-restart
% pico /etc/cron.weekly/qmail-restart
(File contents:)
/usr/bin/qmailctl restart >/dev/null 2>&1
EOF

### Sections 25+ are for log analysis ###

25. Install qmailanalog
Unpack the qmailanalog source (available from djb's cr.yp.to site).
## Edit error.h. Replace "extern int errno;" with "#include <errno.h>".
% make
% make setup check

26. Install tai64nfrac (http://www.eyrie.org/~eagle/software/tai64nfrac/)
Unpack the tai64nfrac source.
% make
% make install

27. Install newanalyze / newanalyse
Must install ksh and tai64nfrac for newanalyze to work.
Unpack the newanalyze source.
Edit conf-sendlog and change "/var/log/qmail-send" to "/var/log/qmail".
Edit conf-smtpdlog and change "/var/log/qmail-smtpd" to "/var/log/qmail/smtpd".
% ./install

28. Configure log analysis
Use the "findmail" program to find messages.

#### PROBLEMS CURRENTLY ####

EHLO response does not include an AUTH line, though auth appears to be working
(with /bin/checkpassword) using PLAIN and LOGIN.
*** Fixed by editing /var/qmail/ssl/env and adding SMTPAUTH="" to permit the
LOGIN and PLAIN auth types. This setting might better belong in the
/var/qmail/supervise/qmail-smtpd/run file.
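For step 18 (qmail-qfilter), the prequeue-filter script only runs /bin/true, so nothing is filtered yet. The following is an added example, not code from this HOWTO or from qmail-qfilter: a filter in the shape qmail-qfilter expects (message on stdin, message it wants queued on stdout, exit status deciding its fate) that rejects messages carrying a Content-Type from a deny list, the idea behind the badmimetypes control file of step 17, plus the qmail-qfilter command line that chains it. It assumes the exit-code convention of qmail-qfilter's README as I recall it (0 = pass, 31 = permanent rejection, 99 = accept and drop, anything else = temporary failure); confirm those values against the README of your version. The deny list and the two sample messages are constructed.

```shell
#!/bin/sh
# Added example: a qmail-qfilter filter that rejects messages whose
# Content-Type (top level or in any MIME part) matches a deny list.
# Contract (qmail-qfilter README as I recall it; verify against your copy):
# the filter reads the message on stdin, must write the message to be queued
# to stdout, and qmail-qfilter acts on its exit status:
#   0   pass the (possibly rewritten) message to the next filter / qmail-queue
#   31  reject permanently (qmail-smtpd answers with a 5xx)
#   99  report success to the sender but drop the message
#   other non-zero: temporary failure, the sender retries later
# Deny list and sample messages below are assumptions, not from the HOWTO.

BADMIME='application/x-msdownload
application/x-msdos-program
application/hta'

TAB=$(printf '\t')

# Join folded header lines ("Content-Type: multipart/mixed;\n boundary=...")
# so a type split across lines is still seen on one line.
unfold_headers() {
    sed -e :a -e '$!N;s/\n[ '"$TAB"']/ /;ta' -e 'P;D'
}

# reject_badmime: message on stdin -> message on stdout; returns 31 when any
# Content-Type line names a denied type, 0 otherwise. This is a line match
# on every "Content-Type:" line in the message (part headers included), not
# a MIME parse, so it also looks at quoted headers inside forwarded mail.
reject_badmime() {
    _msg=$(mktemp) || return 111                 # no scratch space: temporary failure
    cat > "$_msg"
    _types=$(unfold_headers < "$_msg" | tr 'A-Z' 'a-z' |
             sed -n 's/^content-type:[ '"$TAB"']*\([^; '"$TAB"']*\).*/\1/p')
    _hit=""
    for _t in $_types; do                        # MIME types contain no whitespace
        if printf '%s\n' "$BADMIME" | grep -q -x -F "$_t"; then _hit=$_t; break; fi
    done
    if [ -n "$_hit" ]; then
        # stderr reaches the smtpd multilog when the run script redirects 2>&1
        echo "reject-badmime: rejecting message with Content-Type $_hit" >&2
        rm -f "$_msg"
        return 31
    fi
    cat "$_msg"
    rm -f "$_msg"
    return 0
}

# Installed as /var/qmail/bin/reject-badmime (mode 755, owned by root),
# prequeue-filter becomes (filters run left to right, separated by "--"):
#   exec /usr/local/bin/qmail-qfilter /var/qmail/bin/reject-badmime -- /bin/true

# Constructed samples for the demo.
SAMPLE_CLEAN='From: alice@example.invalid
Content-Type: text/plain; charset=us-ascii

hello'

SAMPLE_WORM='From: bob@example.invalid
Content-Type: multipart/mixed; boundary="xx"

--xx
Content-Type: text/plain

see attachment
--xx
Content-Type: application/x-msdownload;
 name="invoice.exe"
Content-Disposition: attachment; filename="invoice.exe"

TVqQAAMAAAAEAAAA
--xx--'

printf '%s\n' "$SAMPLE_CLEAN" | reject_badmime >/dev/null && echo "clean sample: passed (status 0)"
printf '%s\n' "$SAMPLE_WORM" | reject_badmime >/dev/null || echo "worm sample: status $?"
```

Because qmail-qfilter gives the rejection no log line of its own, the filter writes one to stderr itself; that single line is what lets you tell a deliberate 5xx from the silent "messages stopped arriving" failure mode described in step 18.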