servidor qmail spamassasin vpopmail clamav roundcube ssl

INFORMAÇÃO PUBLICIDADE LTDA - TECNOLOGIA DA INFORMAÇÃO

Brasília, 20 de setembro de 2011

Tutorial Instalação e Configuração

Servidor de E-mail

Qmail Spamassasin Vpopmail Clamav Roundcube SSL

i-Comunicação e Faros Educacional

André Gonçalves Araujo

[email protected]

Suporte a Redes de Computadores

mailto:[email protected]

Tutorial Instalação Qmail Spamassasin Vpopmail Clamav Roundcube SSL

Ambiente Teste

Sistema Operacional Debian Squeeze

Hardware Máquina Virtual – Vmware Player

HD: 20GB

MEM: 512


Pré Instalação

Download dos pacotes necessários para a instalação e configuração de todo servidor.

Install Daemontools and ucspi-tcp

aptitude install ucspi-tcp daemontools daemontools-run

Install Courier packages

aptitude install courier-base courier-authdaemon courier-authlib courier-authlib-

mysql courier-imap courier-imap-ssl courier-pop-ssl courier-pop courierpassd

courier-maildrop gamin

You should accept all the default answers

Install needed compiler, tools and library

aptitude install cpp g++ gcc make automake wget telnet libtool patch patchutils

logrotate dh-make-perl libltdl7 libcdb1 equivs expect openssl libssl-dev libgmp3-

dev libgdbm-dev libpcre++-dev libpcre-ocaml libpcre-ocaml-dev

For security reason, it's a good idea to remove the compilers (cpp, g++, gcc and make) after your complete this guide

Install MySQL database and libraries

aptitude install mysql-common mysql-server-5.1 mysql-client-5.1 mysql-server-

core-5.1 libmysqlclient16 libmysqlclient-dev

Remember your root MySQL password (described as MySQL_root_password later in this guide)

Install Apache & PHP

aptitude install apache2 php5 php5-common libapache2-mod-php5 php5-mysql

Accept the default proposal about apache2-mpm-worker

Install antispam and antivirus

aptitude install spamassassin spamc pyzor razor clamav clamav-daemon clamav-

docs

Install un-archiver tools

aptitude install arj unrar lha unzip bzip2 tar tnef

Install perl modules aptitude install perl-suid spf-tools-perl libmailtools-perl libnet-cidr-lite-perl libnet-

daemon-perl libtest-distribution-perl libmail-spf-perl libperl-dev

aptitude install libhtml-format-perl libhtml-parser-perl libhtml-tagset-perl libhtml-

tree-perl perl-doc libdate-manip-perl libio-string-perl libio-socket-ssl-perl libnet-

ident-perl libsys-syslog-perl libencode-detect-perl


aptitude install libnet-dns-perl libplrpc-perl libtimedate-perl libcompress-zlib-perl

libdigest-hmac-perl libdigest-sha1-perl libparse-syslog-perl libmail-dkim-perl

libcrypt-openssl-bignum-perl

Install debug / manipulation tools

Those last ones are not mandatory but are useful if you need to debug

aptitude install dnsutils whois findutils pciutils less net-tools tcpdump iptraf lsof

dstat iotop htop mc locate

Para todo o procedimento de instalação estaremos trabalhando com todos os packages dentro do

diretório /download.

mkdir /downloads

cd /downloads

wget http://qmailrocks.thibs.com/downloads/debian-qmr.tar.gz

tar zxvf debian-qmr.tar.gz

apt-get install libgamin0


Criação de Grupos e Usuários

Após o download dos arquivos é necessário criar os usuários e grupos que irão realizar a

operação do serviço de e-mail.

O Qmail é um conjunto de programas menores que trabalham em grupo para prover os serviços

de envio e recebimento de e-mails. Para que todo esse processo seja realizado com segurança é

de extrema importância que todos os arquivos e diretórios trabalhem com seus devidos donos e

grupos.

É importante salientar que caso seja necessário reinstalar o servidor de e-mail realizando então o

procedimento de backup e restore é necessário garantir que o UID e o GID (numéricos) dos

usuários sejam mantidos. A relevância disto é que os programas são compilados com os UIDs e

GIDs específicos informados neste tutorial.

Caso deseje mudar esses valores é necessários alterar a configuração courier-authlib.

groupadd -g 161 nofiles

groupadd -g 162 qmail

groupadd -g 163 qscand

groupadd -g 89 vchkpw

useradd -u 161 -g nofiles -d /var/qmail/alias -s /sbin/nologin -p’*’ -c 'QMail alias user' alias

useradd -u 162 -g nofiles -d /var/qmail -s /sbin/nologin -p’*’ -c 'QMail daemon user' qmaild

useradd -u 163 -g nofiles -d /var/qmail -s /sbin/nologin -p’*’ -c 'QMail log user' qmaill

useradd -u 164 -g nofiles -d /var/qmail -s /sbin/nologin -p’*’ -c 'QMail password user' qmailp

useradd -u 165 -g qmail -d /var/qmail -s /sbin/nologin -p’*’ -c 'QMail queue user' qmailq

useradd -u 166 -g qmail -d /var/qmail -s /sbin/nologin -p’*’ -c 'QMail remote user' qmailr

useradd -u 167 -g qmail -d /var/qmail -s /sbin/nologin -p’*’ -c 'QMail send user' qmails

useradd -u 89 -g vchkpw -d /home/vpopmail -s /sbin/nologin -p’*’ -c 'Vpopmail (virtual domains)

user' vpopmail

useradd -u 168 -g qscand -d /bin/false -s /sbin/nologin -p’*’ -c 'Antivirus user' qscand


mkdir /var/qmail

mkdir /usr/src/qmail

mkdir -p /var/log/qmail/qmail-send

mkdir -p /var/log/qmail/qmail-smtpd

mkdir -p /var/log/qmail/qmail-smtpdssl

chown -R qmaill:root /var/log/qmail

chmod -R 750 /var/log/qmail

Instalação Qmail, ucspi-tcp e ucspi-ssl

Existe nos repositórios do Debian o package fonte do Qmail, entretanto o motivo pelo qual não

iremos utilizar ele é simples, após instalado os arquivos são enviados para diversos locais

diferentes o que acaba dificultando um pouco a documentação e entendimento da estrutura do

Qmail.

Extraindo os fontes

cd /usr/src/qmail

tar -zxvf /downloads/qmail-1.03.tar.gz

Patch it with John M. Simpson's combined patches (includes every patch which is part of

netqmail-1.05 ... but also some others!)

cd /usr/src/qmail/qmail-1.03

patch < /downloads/patches/qmail-1.03-jms1-7.10.patch

http://qmail.jms1.net/patches/combined-details.shtml


Install Ezmlm-idx

Ezmlm-idx é uma lista de discussão, um add-on para Qmail. Após instalado o Qmailadmin, você

verá que ezmlm-idx integra perfeitamente no Qmailadmin para proporcionar uma lista de

discussão com uma interface de gerenciamento muito amigável das listas. Como um bônus

adicionado, Vpopmail (que vamos instalar também) vai permitir controlar o que os usuários

podem e não podem usar nas listas de discussão! Sua página na internet é esta aqui:

http://www.ezmlm.org/

cd /downloads/

tar zxvfp ezmlm-idx-7.1.1.tar.gz

cd /downloads/ezmlm-idx-7.1.1

ln -s /downloads/ezmlm-idx-7.1.1/lang/en_US/ /downloads/ezmlm-idx-7.1.1/lang/default

make clean

make; make man

./ezmlm-test

Você deve ter receber mensagens como esta abaixo:

ezmlm-make: OK

Using subdb plugin: std

ezmlm-reject: OK

ezmlm-[un|is]sub[n]: OK

ezmlm-checksub: OK

ezmlm-send: OK

ezmlm-tstdig: OK

ezmlm-weed: OK

ezmlmrc contents: OK

ezmlm-clean: OK

ezmlm-store: OK

http://www.ezmlm.org/


ezmlm-return: OK

ezmlm-warn (1/2): OK

ezmlm-manage (1/2): OK

ezmlm-request: OK

ezmlm-split: OK

ezmlm-gate: OK

ezmlm-idx: OK

ezmlm-get (index): OK

ezmlm-get (get): OK

ezmlm-get (thread): OK

ezmlm-get (digest): OK

ezmlm-manage (2/2): OK

ezmlm-moderate: OK

ezmlm-warn (2/2): OK

ezmlm-archive: OK

ezmlm-dispatch: OK

dispatch editor: OK

decode sender: OK

Verifying message header and body contents...

flags and substs: OK

messages: OK

subscribe probe: OK

unsubscribe probe: OK

subscribe: OK

unsubscribe: OK

moderated subscribe: OK

moderated unsub: OK

subscribe by mod: OK

unsubscribe by mod: OK

copylines: OK

ezmlm-send: OK

Cleaning up...

Edite o arquivo /downloads/ezmlm-idx-7.1.1/conf-ld e substitua a primeira linha por:

cc -g -B /usr/lib/mysql/

Criando a base de dados


A senha de root do Mysql deve ser a que configuramos no passo 3. Ela não deve ser a mesma

senha para ezmlmuser (EZMLM_PASSWORD).

mysql -pMySQL_root_password

CREATE DATABASE ezmlm;

GRANT ALL PRIVILEGES ON ezmlm.* TO ezmlmuser@localhost IDENTIFIED BY

'EZMLM_PASSWORD';

FLUSH PRIVILEGES;

quit;

Vamos testar a conta criada:

mysql -uezmlmuser -pEZMLM_PASSWORD

exit;

Você deve receber como resposta:

Welcome to the MySQL monitor. Commands end with ; or \g.

Your MySQL connection id is 39

Server version: 5.0.51a-24+lenny4-log (Debian)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql>exit;

Instalando e testando o suporte ao mysql:

cd /downloads/ezmlm-idx-7.1.1

make mysql

./ezmlm-test -s mysql -u ezmlmuser -p EZMLM_PASSWORD -h localhost

Você deve receber uma resposta com esta:

ezmlm-make: OK

Using subdb plugin: mysql

ezmlm-reject: OK

ezmlm-[un|is]sub[n]: OK

ezmlm-checksub: OK

ezmlm non-SQL: OK


ezmlm SQL: OK

...

Finalizando a instalação.

make install

Ezmlm-0.53 is a qmail-based mailing list manager written by Dan J. Bernstein (qmail's author) ;

ezmlm-idx originated as an add-on to it. It now exists as a complete package on its own, but can

still be considered essentially as an extension to ezmlm.


Instalação do Autorespond

Autoresponder faz exatamente o que você está pensando que ele faz. Gera respostas automáticas

para as caixas de e-mail dos usuários.

cd /downloads/

tar zxvf autorespond-2.0.5.tar.gz

cd /downloads/autorespond-2.0.5

make && make install


Instalação do Vpopmail

Vpopmail é um dos principais componentes desta instalação. Vpopmail nos permite fazer

hospedagem de correio virtuais domínio. Possui inumeras ferramentas e funcionalidades

compiladas que tornam o trabalho de administração mais agradável. Mesmo se você não quiser

hospedar email de vários domínios, ainda recomendo instalar Vpopmail. Ele só faz o jogo de

correio mais fácil. Além disso, esta instalação gira em torno dele, por isso, se você não instalá-lo

você vai ter uma dor de cabeça.

Criando a base de dados

A MySQL_root_password deve ser a senha escolhida no passo 3 e deve a senha para popmailuser

deve ser diferente da senha de root(VPOPMAIL_PASSWORD).


CREATE DATABASE vpopmail;

GRANT select,insert,update,delete,create,drop ON vpopmail.* TO vpopmailuser@localhost

IDENTIFIED BY 'VPOPMAIL_PASSWORD';

FLUSH PRIVILEGES;

quit;

Testando a conta criada:

mysql -uvpopmailuser -pVPOPMAIL_PASSWORD

Você deve ter uma resposta como esta:






mysql>exit;

Preparando a instalação

mkdir -p /home/vpopmail/etc

chown -R vpopmail:vchkpw /home/vpopmail

chmod 770 /home/vpopmail

cd /home/vpopmail/etc

echo "localhost|0|vpopmailuser|VPOPMAIL_PASSWORD|vpopmail" >

~vpopmail/etc/vpopmail.mysql

chown vpopmail:vchkpw ~vpopmail/etc/vpopmail.mysql

chmod 640 ~vpopmail/etc/vpopmail.mysql

Compilando

cd /downloads/

tar zxvf vpopmail-5.4.33.tar.gz

cd /downloads/vpopmail-5.4.33

./configure \

--enable-qmaildir=/var/qmail/ \

--enable-qmail-newu=/var/qmail/bin/qmail-newu \

--enable-qmail-inject=/var/qmail/bin/qmail-inject \

--enable-qmail-newmrh=/var/qmail/bin/qmail-newmrh \

--enable-tcprules-prog=/usr/bin/tcprules \

--enable-tcpserver-file=/etc/tcp.smtp \

--enable-clear-passwd \

--enable-many-domains \

--enable-valias \

--enable-qmail-ext \

--enable-logging=p \

--enable-auth-logging \


--enable-sql-logging \

--enable-auth-module=mysql \

--enable-incdir=/usr/include/mysql \

--enable-libdir=/usr/lib/ \

--disable-mysql-limits \

--disable-passwd

make && make install-strip

A modificação deste arquivo é necessária para evitar problemas de falha de segmentação em

alguns casos.

cat > ~vpopmail/etc/vusagec.conf << __EOF__

Server:

Disable = True;

__EOF__


Instalação Qmailadmin

Qmailadmin é uma ferramenta que provê uma interface web para a administração do Qmail.

Diferentemente do que é dito nos tutoriais, ele não possui uma interface amigável, entretanto

com ele é possível realizar diversas operações como criação de contas de e-mail, aliases,

encaminhamentos, e-mail robô e listas de e-mail.

cd /downloads/

tar zxvf qmailadmin-1.2.16.tar.gz

cd /downloads/qmailadmin-1.2.16

./configure --enable-cgibindir=/var/www/mail/cgi-bin/ --enable-htmldir=/var/www/mail/cgi-bin/ -

-enable-imageurl=../../images --enable-imagedir=/var/www/mail/images --enable-domain-

autofill --enable-ezmlmdir=/usr/local/bin/ezmlm --enable-autorespond=/usr/bin/autorespond

make && make install-strip

cd /var/www/mail/images

rm middleleft1.png

wget http://mailadmin.thibs.com/images/middleleft1.png

Testaremos ao interface web mais tarde.


Habilitando as ferramentas web

Nas etapas anteriores instalamos duas ferramentas de administração para o servidor de e-mail,

agora vamos habilitar elas.

Primeiramente é necessário criar uma entrada no servidor DNS (CNAME ou registro A). Para este

ambiente foi criado o domínio mailadmin.intranet.ico apontando para o servidor virtual. Pode ser

qualquer nome, menos o hostname do servidor.

Então criamos o virtual host no apache apontando para o domínio registrado.

No arquivo /etc/apache2/sites-available/mailadmin.intranet.ico temos os seguintes registros:

------------

<VirtualHost *:80>

ServerAdmin [email protected]

DocumentRoot /var/www/mail

ServerName mailadmin.intranet.ico

ErrorLog /var/log/apache2/mailadmin.intranet.ico-error.log

CustomLog /var/log/apache2/mailadmin.intranet.ico-access.log common

<Directory /var/www/mail/cgi-bin/>

Options ExecCGI FollowSymLinks -Indexes

ForceType cgi-script

AllowOverride All

Order allow,deny

Allow from all

</Directory>

<Directory /var/www/mail/cgi-bin/vqadmin/>


deny from all

Options ExecCGI -Indexes

AllowOverride All

Order deny,allow

</Directory>

<Directory /var/www/mail/qmailadmin/>

Options -Indexes

Order allow,deny

Allow from all

</Directory>

<Directory /var/www/mail/cgi-bin/images/>

ForceType Off

Options -Indexes

Order allow,deny

Allow from all

</Directory>

<Directory /var/www/mail/images/qmailadmin/>

ForceType Off

Options -Indexes

Order allow,deny

Allow from all

</Directory>

<Directory /var/www/mail/images/vqadmin/>

ForceType Off

Options -Indexes

Order allow,deny

Allow from all

</Directory>

</VirtualHost>

------------

a2ensite mailadmin.intranet.ico

/etc/init.d/apache2 reload

E finalmente vamos testar as interfaces web.


Coloque o seguinte endereço no browser http://mailadmin.intranet.ico/cgi-bin/qmailadmin

para testar qmailadmin.

Remove installed MTA

Exim is the default installed MTA on Debian.

Stop and remove Exim

/etc/init.d/exim4 stop

dpkg --ignore-depends=exim4 -r exim4

dpkg --ignore-depends=exim4-daemon-light -r exim4-daemon-light

If you are using sendmail or postfix :

dpkg --purge --ignore-depends=postfix postfix

dpkg --purge sendmail sendmail-base sendmail-bin sendmail-cf

Install a pseudo MTA to avoid problem within Debian system

dpkg -i /downloads/deb-packages/mta-local_1.0_all.deb

Create Symilnk to use Qmail instead of the default MTA

rm -f /usr/lib/sendmail

rm -f /usr/sbin/sendmail

ln -s /var/qmail/bin/sendmail /usr/lib/sendmail

ln -s /var/qmail/bin/sendmail /usr/sbin/sendmail


Configure Qmail

It's time to configure Qmail ...

Copy the script to its proper locations

cp /downloads/scripts/qmailctl /var/qmail/bin/qmailctl (View the script qmailctl)

Adapt script permission

chmod 755 /var/qmail/bin/qmailctl

The script /var/qmail/rc (View here) is no longer used.

In original qmailrocks installation guide, it was used in script send_run replaced by service-send-

run (from John M.Simpson) in this guide.

Create needed symlinks

ln -s /var/qmail/bin/qmailctl /usr/bin

Set Maildir as default mailbox type (./Mailbox for mbox type)

echo ./Maildir > /var/qmail/control/defaultdelivery

Set some configuration (You can find more on

http://www.lifewithqmail.com/lwq.html#configuration)

echo 255 > /var/qmail/control/concurrencyremote

echo 30 > /var/qmail/control/concurrencyincoming

echo 30 > /var/qmail/control/timeoutsmtpd

echo 3 > /var/qmail/control/spfbehavior

http://qmailrocks.thibs.com/downloads/scripts/qmailctl

http://qmailrocks.thibs.com/downloads/scripts/rc

http://www.qmailrocks.org/downloads/scripts/finalize/linux/send_run

http://qmailrocks.thibs.com/downloads/scripts/service-qmail-send-run


http://www.lifewithqmail.com/lwq.html#configuration


echo [email protected] > /var/qmail/control/bouncefrom

echo yourdomain.tld > /var/qmail/control/doublebouncehost

echo postmaster > /var/qmail/control/doublebounceto

cd /var/qmail/control/

chmod 644 bouncefrom doublebouncehost doublebounceto concurrencyremote

concurrencyincoming spfbehavior

Set maximum message size to be 8Mb

echo '8000000' > /var/qmail/control/databytes

Allows localhost to send mails

echo '127.:allow,RELAYCLIENT=""' >> /etc/tcp.smtp

qmailctl cdb

If you use backup MX servers or if this server is acting as smart host for others, I advice you to

add execute command :

echo 'OTHER-SERVER-IP:allow,RELAYCLIENT="",QS_SPAMASSASSIN="1"' >> /etc/tcp.smtp

qmailctl cdb

If you want to learn other available options, take a look on this sample.

Create mail aliases

echo some_address > /var/qmail/alias/.qmail-root

echo some_address > /var/qmail/alias/.qmail-postmaster

echo some_address > /var/qmail/alias/.qmail-mailer-daemon

Where some_address is the system user or email address you want these addresses aliased to

chmod 644 /var/qmail/alias/.qmail*

Final configuration

cd /usr/src/qmail/qmail-1.03

./config-fast YOUR_SERVER_NAME

Edit /var/qmail/control/locals and remove YOUR_SERVER_NAME

http://qmailrocks.thibs.com/downloads/scripts/tcp.smtp


Configure Daemontools

Daemontools is a collection of Unix tools for managing services. Its home page is here:

http://cr.yp.to/daemontools.html

If you don't want to read about it, just remember that it allows to automatically restart a crashing

service (but it allows a lot of other things and I really advice you to read about it...)

It has already been installed with a Debian package

In this guide version, we'll use it only to manage the processes qmail-smtpd, qmail-send and

qmail-smtpdssl. I however plan to manage other services in a next release.

Create the needed directories with appropriates permissions

mkdir -p /var/qmail/supervise/qmail-smtpd/log

mkdir -p /var/qmail/supervise/qmail-send/log

mkdir -p /var/qmail/supervise/qmail-smtpdssl/log

cd /var/qmail/supervise

chmod +t qmail-smtpd qmail-send qmail-smtpdssl

Copy the scripts to their proper locations

(service-qmail-send-run,send_log,service-qmail-smtpd-run,smtpd_log,service-qmail-smtpdssl-

run,smtpdssl_log)

cp /downloads/scripts/service-qmail-send-run /var/qmail/supervise/qmail-send/run

cp /downloads/scripts/send_log /var/qmail/supervise/qmail-send/log/run

cp /downloads/scripts/service-qmail-smtpd-run /var/qmail/supervise/qmail-smtpd/run

cp /downloads/scripts/smtpd_log /var/qmail/supervise/qmail-smtpd/log/run

http://cr.yp.to/daemontools.html


http://qmailrocks.thibs.com/downloads/scripts/send_log

http://qmailrocks.thibs.com/downloads/scripts/service-qmail-smtpd-run

http://qmailrocks.thibs.com/downloads/scripts/smtpd_log

http://qmailrocks.thibs.com/downloads/scripts/service-qmail-smtpdssl-run

http://qmailrocks.thibs.com/downloads/scripts/service-qmail-smtpdssl-run

http://qmailrocks.thibs.com/downloads/scripts/smtpdssl_log


cp /downloads/scripts/service-qmail-smtpdssl-run /var/qmail/supervise/qmail-smtpdssl/run

cp /downloads/scripts/smtpdssl_log /var/qmail/supervise/qmail-smtpdssl/log/run

Adapt permissions

chmod 751 /var/qmail/supervise/qmail-smtpd/run

chmod 751 /var/qmail/supervise/qmail-smtpd/log/run

chmod 751 /var/qmail/supervise/qmail-send/run

chmod 751 /var/qmail/supervise/qmail-send/log/run

chmod 751 /var/qmail/supervise/qmail-smtpdssl/run

chmod 751 /var/qmail/supervise/qmail-smtpdssl/log/run

Create symlinks in /etc/service directory

ln -s /var/qmail/supervise/qmail-send /var/qmail/supervise/qmail-smtpd

/var/qmail/supervise/qmail-smtpdssl /etc/service

Create a symlink from Debian convention to standard convention

ln -s /etc/service /service


Configure spamassassin

Spamassassin is the antispam system we 'll use

Edit /etc/default/spamassassin to change the following options :

ENABLED=1

OPTIONS="--create-prefs --max-children 5 --helper-home-dir -u vpopmail -v -x -i -m 5 -c -H -s

mail"

Edit /etc/spamassassin/local.cf to change the following options :

Uncomment following lines

required_score 5.0

use_bayes 1

bayes_auto_learn 1

Add following lines

use_razor2 1

skip_rbl_checks 1

use_dcc 1

use_pyzor 1

razor_config /etc/razor/razor-agent.conf

OPTIONAL : If you want to report spam with the Vipul's Razor spam-reporting system

razor-admin -d -home=/etc/razor -create

razor-admin -d -home=/etc/razor -register


Uncomment this in /etc/spamassassin/v310.pre

loadplugin Mail::SpamAssassin::Plugin::DCC

Uncomment this in /etc/spamassassin/v320.pre

loadplugin Mail::SpamAssassin::Plugin::Rule2XSBody

Install IP::Country::Fast perl package (deb)

dpkg -i /downloads/deb-packages/libip-country-perl_2.27-1_all.deb

Uncomment this in /etc/spamassassin/init.pre

loadplugin Mail::SpamAssassin::Plugin::RelayCountry

Create a compiled version of some ruleset

sa-compile

Test configuration and start the service

/usr/bin/spamassassin -D --lint

/etc/init.d/spamassassin start

http://qmailrocks.thibs.com/downloads/deb-packages/libip-country-perl_2.27-1_all.deb


Configure clamav

Clamav is the antivirus system we 'll use

dpkg-reconfigure clamav-base

Change clamav user/group to qscand and keep all of the other default settings (Group - Owner)

dpkg-reconfigure clamav-freshclam

Choose daemon + your location + default answers

chown -R qscand:clamav /var/log/clamav /var/lib/clamav /var/run/clamav

chown qscand:qscand /etc/clamav/freshclam.conf

chmod 600 /etc/clamav/freshclam.conf

ln -s /var/log/clamav /var/log/qmail/clamav

Edit /etc/clamav/freshclam.conf to change the DatabaseOwner option :

DatabaseOwner qscand

Change both /etc/logrotate.d/clamav-freshclam and /etc/logrotate.d/clamav-daemon to

create the log file with correct identity :

create 640 qscand qscand

Restart the services

/etc/init.d/clamav-daemon restart

/etc/init.d/clamav-freshclam restart

http://qmailrocks.thibs.com/images/clamav-config1.jpg

http://qmailrocks.thibs.com/images/clamav-config2.jpg


Configure courier and courier-authlib

Adapt automatically generated SSL certificate

During package installation, all the needed courier packages have been installed.

Nevertheless, the generated SSL certificates probably do not match your needs. We 'll simply re-

generate it.

Edit the files /etc/courier/imapd.cnf and /etc/courier/pop3d.cnf to match your settings :

[ req_dn ]

C=BE

ST=Brussels

L=Brussels

O=Courier Mail Server

OU=POP3/IMAP SSL key

CN=Your FQDN server

emailAddress=Your e-mail adress

Re-generate certificates with correct information and with validity time of 10 years

rm -f /usr/lib/courier/*.pem

rm -f /etc/courier/*.pem

sed -i 's/-days 365/-days 3650/' /usr/lib/courier/mkimapdcert

sed -i 's/-days 365/-days 3650/' /usr/lib/courier/mkpop3dcert

dpkg-reconfigure courier-imap-ssl

http://qmailrocks.thibs.com/package-install.php#courier


dpkg-reconfigure courier-pop-ssl

ln -s /usr/lib/courier/pop3d.pem /etc/courier/pop3d.pem

ln -s /usr/lib/courier/imapd.pem /etc/courier/imapd.pem

Configure courier-authlib

Courier-authlib is the authentification library used by all the courier components.

We 'll use the MySQL database used by vpopmail (which already contains the authentification

info) instead of vchkpw method used in previous QMR guide (because it's no longer

implemented/supported since version 0.60)

Please remember the settings used in step 4, you 'll need to use it again.

As courier-authlib and courier-authlib-mysql have been installed with Debian packages, we only

have to configure it

Edit /etc/courier/authdaemonrc and change line 27 to match the following :

authmodulelist="authmysql"

Edit /etc/courier/authmysqlrc and adapt variables to match the following (Put the password

chosen in step 4)

MYSQL_SERVER localhost

MYSQL_USERNAME vpopmailuser

MYSQL_PASSWORD VPOPMAIL_PASSWORD

MYSQL_DATABASE vpopmail

MYSQL_SELECT_CLAUSE SELECT CONCAT(pw_name, '@', pw_domain) AS username, \

pw_passwd AS cryptpw, \

pw_clear_passwd AS clearpw, \

'89' AS uid, \

'89' AS gid, \

pw_dir AS home, \

'' AS maildir, \

http://qmailrocks.thibs.com/vpopmail.php

http://qmailrocks.thibs.com/vpopmail.php


pw_shell AS quota, \

pw_gecos AS fullname, \

'disablewebmail=0,disablepop3=0,disableimap=0' AS options \

FROM vpopmail \

WHERE \

pw_name = '$(local_part)' \

AND \

pw_domain = '$(domain)'; \

Eventually replace 89 by the alternate UID:GID chosen in Part 1

Restart the service to take those modifications into account

/etc/init.d/courier-authdaemon restart

http://qmailrocks.thibs.com/create-users-groups.php


Install qmail-scanner

qmail-scanner is an alternate queuing system for qmail.

Qmail-scanner is going to allow us to integrate Clam Antivirus and SpamAssassin into our qmail

server's mail queue. Once qmail-scanner is installed, there will be a master script that is filled

with configuration options that help you to tailor the functionality of Clam Antivirus and

SpamAssassin to your needs.

We have patched qmail source to support it on step 2 and we have implemented it on step 10.

It's now time to install it ;-)

cd /downloads/

tar zxvf q-s-2.08st-20100626.tgz

cd /downloads/qmail-scanner-2.08st

./configure --admin postmaster --domain your_domain --local-domains "your_domain" --sa-

quarantine 5 --ignore-eol-check yes --add-dscr-hdrs yes --notify psender,admin --sa-report yes -

-fix-mime 1 --unzip 1 --archive 0 --silent-viruses auto --redundant no --log-crypto 0

./configure --admin postmaster --domain your_domain --local-domains "your_domain" --sa-

quarantine 5 --ignore-eol-check yes --add-dscr-hdrs yes --notify psender,admin --sa-report yes -

-fix-mime 1 --unzip 1 --archive 0 --silent-viruses auto --redundant no --log-crypto 0 --install 1

ln -s /var/spool/qscan /var/log/qmail/qscan

Let's test it ... First swich to a non-privilegied user account

su - non-privilegied_user_account

/var/qmail/bin/qmail-scanner-queue.pl -g

You should have an answer like this:

http://qmailrocks.thibs.com/qmail-ucspi.php

http://qmailrocks.thibs.com/daemontools.php


perlscanner: generate new DB file from /var/spool/qscan/quarantine-events.txt

perlscanner: total of 35 entries.

Switch back to root account:

exit

Add it in the logrotation system

cp /downloads/qmail-scanner-2.08st/contrib/logrotate.qmail-scanner /etc/logrotate.d/qmail-

scanner

chmod 644 /etc/logrotate.d/qmail-scanner

Launch qmail

qmailctl start

qmailctl stat

You should see something like that:

/service/qmail-send: up (pid 17762) 63 seconds

/service/qmail-send/log: up (pid 17763) 63 seconds

/service/qmail-smtpd: up (pid 18500) 63 seconds

/service/qmail-smtpd/log: up (pid 17767) 63 seconds

/service/qmail-smtpdssl: up (pid 18496) 63 seconds

/service/qmail-smtpdssl/log: up (pid 17773) 63 seconds

messages in queue: 0

messages in queue but not yet preprocessed: 0

If you notice than some service stays at 1 second, check the corresponding log to debug it

tail /var/log/qmail/qmail-send/current

tail /var/log/qmail/qmail-smtpd/current

tail /var/log/qmail/qmail-smtpdssl/current

Test combinaison of qmail-scanner, spamassassin and clamav


cd /downloads/qmail-scanner-2.08st/contrib

chmod 755 test_installation.sh

./test_installation.sh -doit

You should have an answer like this

Sending standard test message - no viruses... 1/4

done!

Sending eicar test virus - should be caught by perlscanner module... 2/4

done!

Sending eicar test virus with altered filename - should only be caught by commercial anti-virus

modules (if you have any)... 3/4

done!

Sending bad spam message for anti-spam testing - In case you are using SpamAssassin... 4/4

If you have enabled $sa_quarantine, $sa_delete or $sa_reject the

spam-message wont't arrive to the recipients. But if you have enabled

(good idea!) 'minidebug' or 'debug' you should check

/var/spool/qscan/qmail-queue.log (or where ever you have the log).

Done!

Finished test. Now go and check Email sent to [email protected] and/or the log..

OPTIONAL : You can receive daily statistics

echo '/var/spool/qscan/log-report.sh /var/spool/qscan/qmail-queue.log |mail YOUR E-MAIL

ADDRESS' > /etc/cron.daily/qmailscanner-report

chmod 755 /etc/cron.daily/qmailscanner-report


Install roundcubemail webmail interface

cd /downloads/

tar zxvfp roundcubemail-0.5.3.tar.gz

chown -R root:root /downloads/roundcubemail-0.5.3

mv /downloads/roundcubemail-0.5.3 /var/www/mail/

ln -s /var/www/mail/roundcubemail-0.5.3/ /var/www/mail/webmail

ln -s /var/www/mail/webmail/logs /var/log/webmail

chmod 777 /var/www/mail/webmail/logs/

chmod 777 /var/www/mail/webmail/temp/

Create the needed Database.

The used MySQL_root_password should be the password chosen on pre-step 3. It's should not be

the same as the password for roundcubemail (ROUNDCUBEMAILPASSWORD).

It's not a typo, the MySQL_root_password should really be just aside the -p


CREATE DATABASE roundcubemail /*!40101 CHARACTER SET utf8 COLLATE utf8_general_ci */;

GRANT ALL PRIVILEGES ON roundcubemail.* TO roundcube@localhost IDENTIFIED BY

'ROUNDCUBEMAILPASSWORD';

quit;

Test your the account you have just created

mysql -uroundcube -pROUNDCUBEMAILPASSWORD

exit;

http://qmailrocks.thibs.com/package-install.php


You should have such response





Let's configure it

cd /var/www/mail/webmail

mysql -uroundcube -pROUNDCUBEMAILPASSWORD roundcubemail < SQL/mysql.initial.sql

cp /var/www/mail/webmail/config/db.inc.php.dist /var/www/mail/webmail/config/db.inc.php

cp /var/www/mail/webmail/config/main.inc.php.dist /var/www/mail/webmail/config/main.inc.php

Edit the file /var/www/mail/webmail/config/main.inc.php and change the following :

$rcmail_config['default_host'] = 'localhost';

Edit the file /var/www/mail/webmail/config/db.inc.php and change the following :

$rcmail_config['db_dsnw'] =

'mysql://roundcube:ROUNDCUBEMAILPASSWORD@localhost/roundcubemail';

OPTIONAL : You can specify other parameters through webinterface

Point your browser on http://mailadmin.intranet.ico/webmail/installer/ and follow the

instructions

You can add some packages for optionnals features :

aptitude install php5-gd php5-mcrypt php5-intl

/etc/init.d/apache2 restart

Just a little cleaning ... and use it !

cd /var/www/mail/webmail

rm -rf installer/ CHANGELOG INSTALL LICENSE README UPGRADING

Point your browser on http://mailadmin.intranet.ico/webmail/ ... and use it!


Your server is functionnal now !

Test Qmail functionalities

We first check if the server listen to the right ports

netstat -tupan |grep LISTEN

You should have at least the bold ones :

tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 2218/mysqld

tcp 0 0 0.0.0.0:783 0.0.0.0:* LISTEN 2302/spamd.pid

tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1901/portmap

tcp 0 0 0.0.0.0:49168 0.0.0.0:* LISTEN 1912/rpc.statd

tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN 3063/sslserver

tcp 0 0 127.0.0.1:1013 0.0.0.0:* LISTEN 2957/famd

tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 2141/sshd

tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 3056/tcpserver

tcp6 0 0 :::993 :::* LISTEN 2924/couriertcpd




tcp6 0 0 :::80 :::* LISTEN 2999/apache2

In this case, Qmail should now be able to send and receives e-mails.

Receiving e-mails

telnet localhost 25

You should have an answer like this :


Trying 127.0.0.1...

Connected to localhost.

Escape character is '^]'.

220 servername.localdomain.tld ESMTP

mail from: <[email protected]>

250 ok

rcpt to: <[email protected]>

250 ok

data

354 go ahead

From: Test_sender <[email protected]>

To: Test_receiver <[email protected]>

Subject: Just a stupid SMTP test

Just a test !

.

250 ok 1279384489 qp 3711

quit

221 servername.localdomain.tld

Connection closed by foreign host.

This demonstrate a successful SMTP connection !

For our tests, we need to create a dummy account

/home/vpopmail/bin/vadddomain test.com brol

/home/vpopmail/bin/vadduser [email protected] brol2

qmailctl reload

We also can create a real account

/home/vpopmail/bin/vadddomain your_real_domain.tld your_postmaster_password

/home/vpopmail/bin/vadduser an_account@your_real_domain.tld your_account_password

qmailctl reload

You can of course do the same thing via vqadmin and qmailadmin web interfaces

"brol" is a belgian idiom that means "something useless"


You can send a test mail to an_account@your_real_domain.tld from you regular mail client. We 'll

retrieve it in the next step but if you don't receive a NDR, it's probably already OK

Sending e-mail through an authentificate connection : Testing TLS

telnet localhost 25


Trying 127.0.0.1...

Connected to localhost.


220 servername.domain.tld ESMTP

ehlo localhost

250-servername.domain.tld

250-STARTTLS

250-SIZE 0

250-PIPELINING

250 8BITMIME

starttls

220 ready for tls

quit

quit

In the above SMTP session, I have higlighted the important aspects in DARK RED. After you give

the server the initial "ehlo localhost" command, you should get a response back that lists "250-

STARTTLS", signaling that the server is in fact equipped for TLS functionality. Then, after you

issue the "starttls" command, you should get the :"220 ready for tls" response if the server is

able to successfully start the TLS session.

If you happen to get an error that states "454 TLS not available: missing RSA private key

(#4.3.0)" after you issue the "starttls" command, you will want to check 2 things:

1. Verify that the cert actually exists at /var/qmail/control/servercert.pem. If it's not there,

go back to step 2 and repeat the cert creation step.

2. Verify that the cert is owned by vpopmail:qmail. If it's not, then make it so like this :

chown vpopmail:qmail /var/qmail/control/servercert.pem

Now we have verified that the server supports the STARTTLS command, we can use openssl

s_client to connect.

http://qmailrocks.thibs.com/qmail-ucspi.php#certificate-for-tls


openssl s_client -starttls smtp -crlf -connect localhost:25 -quiet

This command is equivalent to the previous sequence until the "220 ready for tls" message

depth=0

/C=BE/ST=Brussels/L=Brussels/O=DOMAIN.TLD/OU=ICT/CN=fqdn/emailAddress=your@e-

mail.tld

verify error:num=18:self signed certificate

verify return:1

depth=0

/C=BE/ST=Brussels/L=Brussels/O=THIBS.COM/OU=ICT/CN=fqdn/[email protected]

verify return:1

250 8BITMIME

ehlo testing

250-fqdn

250-AUTH LOGIN PLAIN

250-AUTH=LOGIN PLAIN

250-SIZE 0

250-PIPELINING

250 8BITMIME

auth login

334 VXNlcm5hbWU6

dGVzdEB0ZXN0LmNvbQ==

334 UGFzc3dvcmQ6

YnJvbDI=

235 ok, go ahead (#2.0.0)


250 ok


250 ok

data

354 go ahead



Subject: Just a simple SMTP TLS test

Just a TLS test !

.

250 ok 1279384489 qp 3711


quit



As you've probably noticed, the login and password are encoded ( "dGVzdEB0ZXN0LmNvbQ=="

stands for "[email protected]" and "YnJvbDI=" stands for "brol2")! You can encode yourself with the

script base64

perl /downloads/scripts/base64

Press Enter to exit.

Input you string: [email protected]

Base64 encode is : dGVzdEB0ZXN0LmNvbQ==

Input you string: brol2

Base64 encode is : YnJvbDI=

Input you string: ^C (means press CTRL+C)

Test SMTP-SSL

openssl s_client -crlf -connect localhost:465 -quiet

It's nearly the same test. In this case, we use an SSL server where we connect to a different port

number. We have to establish an SSL connection before the SMTP conversation even starts :

depth=0

/C=BE/ST=Brussels/L=Brussels/O=DOMAIN.TLD/OU=ICT/CN=fqdn/emailAddress=your@e-

mail.tld


verify return:1

depth=0

/C=BE/ST=Brussels/L=Brussels/O=THIBS.COM/OU=ICT/CN=fqdn/[email protected]

verify return:1

auth login

334 VXNlcm5hbWU6

dGVzdEB0ZXN0LmNvbQ==

334 UGFzc3dvcmQ6

YnJvbDI=

235 ok, go ahead (#2.0.0)


250 ok

http://qmailrocks.thibs.com/downloads/scripts/base64



250 ok

data

354 go ahead



Subject: Just a simple SMTP-SSL test

Just a SMTP-SSL test !

.

250 ok 1279384489 qp 3711

quit



Test authentification

Now we should be able to authenticate through POP3, POP3-SSL, IMAP, IMAP-SSL

Test courier-authlib

I suppose you still have the dummy account created when we've tested qmail

Check first if the created account is still there (without testing the authentification)

/home/vpopmail/bin/vuserinfo [email protected]


name: test

passwd: $1$E6ZeM1cj$B6/2kgZgjtycVtHteTPOC1

clear passwd: brol2

comment/gecos: test

uid: 0

gid: 0

flags: 0

gecos: test

limits: No user limits set.

http://qmailrocks.thibs.com/test-qmail.php


dir: /home/vpopmail/domains/0/test.com/test

quota: NOQUOTA

usage: NOQUOTA

account created: Thu Jul 15 16:02:29 2010

last auth: Never logged in

If the account do no exist, please create it by following instructions on the test qmail page

Test now the authentification process

/usr/sbin/authtest [email protected] brol

/usr/sbin/authtest [email protected] brol2


Authenticated: [email protected] (uid 89, gid 89)

Home Directory: /home/vpopmail/domains/test.com/test

Maildir: (none)

Quota: (none)

Encrypted Password: $1$Atj/HMvq$UBXjgO0sGl2Jy22b0Du0

Cleartext Password: brol2

Options: disablewebmail=0,disablepop3=0,disableimap=0

This is the sign authlib is working well!

HINT : Most of the authentification problems here are due to white space before or after

login/password in /etc/courier/authmysqlrc configured in previous step

Test POP3 service

Let's test your new server's POP3 service...

telnet localhost 110

You should see something like this:

Trying 127.0.0.1...

Connected to localhost.localdomain.


+OK Hello there.

user [email protected]

http://qmailrocks.thibs.com/test-qmail.php#create_dummy_account

http://qmailrocks.thibs.com/configure-courier.php


+OK Password required.

pass bril

-ERR Login failed.

pass brol2

+OK logged in.

quit

+OK Bye-bye.

This is the sign of a successfull POP connection to the server!

Test POP3-SSL service

Let's test your new server's POP3-SSL service...

openssl s_client -connect localhost:995 -quiet


depth=0 /C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated POP3

SSL key/CN=localhost/[email protected]


verify return:1

depth=0 /C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated POP3


verify return:1

+OK Hello there.

user [email protected]

+OK Password required.

pass brol2

+OK logged in.

quit

+OK Bye-bye.

Test IMAP service

Let's test your new server's IMAP service...

telnet localhost 143



Trying 127.0.0.1...

Connected to localhost.localdomain.


* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT

THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS] Courier-IMAP ready.

Copyright 1998-2005 Double Precision, Inc. See COPYING for distribution information.

a login [email protected] brol2

a OK LOGIN Ok.

a logout

* BYE Courier-IMAP server shutting down

a OK LOGOUT completed

This is the sign of a successfull IMAP connection to the server!

Hint: The "a" that you see before the login commands is required.

Test IMAPS service

Let's test your new server's IMAP-SSL service...

openssl s_client -connect localhost:993 -quiet


depth=0 /C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated IMAP



verify return:1

depth=0 /C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated IMAP


verify return:1

* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT

THREAD=REFERENCES SORT QUOTA IDLE AUTH=PLAIN ACL ACL2=UNION] Courier-IMAP ready.

Copyright 1998-2008 Double Precision, Inc. See COPYING for distribution information.

a login [email protected] brol2

a OK LOGIN Ok.

a logout

* BYE Courier-IMAP server shutting down

a OK LOGOUT completed


This is the sign of a successfull IMAPS connection to the server!

Delete the test acccount

/home/vpopmail/bin/vdeluser [email protected]

/home/vpopmail/bin/vdeldomain test.com

------------------------------------------ /// -----------------------------------------------

Compiling fails with:

> make[2]: Entering directory `/home/graf/packages/BUILD/vmailmgr-

0.97/authenticate'

> g++ -DHAVE_CONFIG_H -I. -I. -I.. -I../lib -g -O2 -fno-rtti -fno-exceptions -

Wall -c checkvpw.cc

> checkvpw.cc: In function 'char* strcasestr(const char*, const char*)':

> checkvpw.cc:108: error: new declaration 'char* strcasestr(const char*, const

char*)'

> /usr/include/string.h:367: error: ambiguates old declaration 'const char*

strcasestr(const char*,

const char*)'

> make[2]: *** [checkvpw.o] Error 1

> make[2]: Leaving directory `/home/graf/packages/BUILD/vmailmgr-

0.97/authenticate'

The reason is strcasestr() which is defined in checkvpw.cc, but also

exists in glibc. This didn't hurt until now, because both were declared

the same way, but now in glibc 2.10 the declaration changed slightly:

strcasestr() returns "const char *" instead of "char *", and this

results in the above error.

The easy fix is to delete strcasestr() from checkvpw.cc, this is what

the attached patch does. A check for strcasestr() in configure on the

current system would probably better.

--

Bernhard Graf

--- authenticate/checkvpw.cc

+++ authenticate/checkvpw.cc

@@ -105,15 +105,6 @@

return new auth_data(name, pass, stamp);

}

-char* strcasestr(const char* haystack, const char* needle)

-{

- for(size_t hlength = strlen(haystack), nlength = strlen(needle);

- hlength >= nlength; hlength--, haystack++)

- if(!strncasecmp(haystack, needle, nlength))

- return (char*)haystack;

- return 0;

-}

-

unsigned find_maildir(int argc, const char* args[])

{

for(int arg = 0; arg < argc; arg++) {


Fontes

http://www.superscript.com/ucspi-ssl/install.html

http://qmailrocks.thibs.com/

http://www.superscript.com/ucspi-ssl/install.html

http://qmailrocks.thibs.com/

servidor qmail spamassasin vpopmail clamav roundcube ssl

Documents