Complete Linux mail server solution (English)

Source: Internet  2008-05-31 00:09:53  Comments

This article describes a complete solution for building a qmail-based mail server on Linux. A mail system built following these notes supports POP3/IMAP/SMTP authentication and provides webmail, anti-virus and anti-spam functions. All the software used is open source and can be used without paying any fees.


REDHAT + QMAIL + OPENSSL + APACHE + PHP + MYSQL + VPOPMAIL (with MySQL accounts) + COURIER-IMAP + SQUIRRELMAIL (with MySQL prefs/addrbook), QMAIL-SCANNER + CLAM ANTIVIRUS + SPAMASSASSIN

Original of this document is available at http://www.pipeline.com.au/staff/mb...mail-server.htm

--------------------------------------------------------------------------------

NAVIGATION LINKS

Jump straight to :

MySQL

OpenSSL

Apache

qmail

vpopmail

qmailadmin

Courier-IMAP

SquirrelMail

Qmail-Scanner / Clam AntiVirus / SpamAssassin

Tips & Misc Notes

Some example web-based domain/mailbox navigation scripts

--------------------------------------------------------------------------------

BEFORE YOU START

I would recommend you first learn qmail via www.lifewithqmail.org, then learn about vpopmail toasters using Bill Shupp's Linux Qmail Toaster notes.

Jeremy Oddo has also written another good qmail toaster page.

Once you have a good grip on all those concepts, come back and read this doc to learn how you can add MySQL back-ends to vpopmail and SquirrelMail :-)

--------------------------------------------------------------------------------

WHY USE MYSQL FOR THE VPOPMAIL AND SQUIRRELMAIL BACK-ENDS?

By storing all the vpopmail account data in MySQL, you can easily write web-based tools (eg in ASP or PHP) that talk to the database and present an easy-to-use interface for your support staff to manage the user accounts. I have included some more info and examples on this subject at the bottom of this doc.

You can easily add additional columns to the vpopmail tables to store other "per-user" information without affecting the operation of vpopmail

For a server with many user accounts, you would expect that MySQL would give faster performance than disk based accounts. Particularly when you have a large number of users in a given domain. (I haven't personally done any benchmarks on this, and I also have never seen anyone else run such a test, but you would have to expect that a SQL based backend would scale better than the file-based cdb backend that qmail/vpopmail uses by default)

If you have a very large number of accounts, vpopmail can be configured to use MySQL replication and NFS to share the load over multiple servers.

--------------------------------------------------------------------------------

ABOUT THESE NOTES

I have successfully used these notes to build many Redhat 7.2, 7.3 and 8.0 based servers.

People have told me that Redhat 9.0 & Fedora will also work, but you have to be aware of a few issues :

Most of the qmail software and associated utilities will not compile under RH9 or Fedora, due to conflicts with its new version of glibc. You can get patches to solve these problems from www.qmail.org. (Do a search for "errno")

For packages using perl (eg Razor, SpamAssassin), you may need to add an "export LANG=en_US" to your scripts, or alternatively modify the "/etc/sysconfig/i18n" file.

All the commands shown below have been run as root.

Follow these notes at your own risk...!

--------------------------------------------------------------------------------

REDHAT 7.2 / 7.3 / 8.0 NOTES

FIREWALL :

The ipchains or iptables firewalling software will usually be installed during Redhat's installation process.

For this server you will need to make sure you have opened access on at least the following ports :

SMTP:TCP

HTTP:TCP

HTTPS:TCP

POP3:TCP

NTP:UDP

Note that we aren't going to open the IMAP:TCP port, as we are not offering IMAP services directly to our clients. We will be running an IMAP server, but the only program talking to it will be the SquirrelMail software, which is also running on this same box.

On Redhat 7.2 / 7.3 (which uses ipchains by default)

You can examine/modify the ipchains config by working on the file :

/etc/sysconfig/ipchains

If you make any changes to this file, you will need to restart the ipchains software :

/etc/rc.d/init.d/ipchains restart

On Redhat 8.0 (which uses iptables by default)

You can examine/modify the iptables config by working on the file :

/etc/sysconfig/iptables

If you make any changes to this file, you will need to restart the iptables software :

/etc/rc.d/init.d/iptables restart

SETUP TIME SYNCHRONISATION :

Mail servers need to have their clocks set correctly. If their time isn't synced, you can experience strange problems.

Redhat comes with the ntpd package which is easy to setup

vi /etc/ntp.conf

look for the "# --- OUR TIMESERVERS -----" section

and then put in the following lines :

restrict xxx.xxx.xxx.xxx mask 255.255.255.255 nomodify notrap noquery

server xxx.xxx.xxx.xxx

where xxx.xxx.xxx.xxx is the IP address of your (or your upstream's) NTP server

After making the changes, you will need to restart the ntpd service :

/etc/rc.d/init.d/ntpd restart

Use the ntsysv program and make sure the ntpd service is enabled at bootup time

SETUP DNS :

For our example, we setup an A record for hostname.yourdomain.com. Any domains that we are hosting mail for should have their primary MX pointing to this host. We also created the following CNAME aliases for this host : pop3, smtp, webmail

This allows our users to :

access SquirrelMail and qmailadmin via http://webmail.yourdomain.com

set their POP3 clients to pop3.yourdomain.com for their incoming mail, and smtp.yourdomain.com for their outgoing mail

IMPORTANT : Never configure an end-user's software to reference the hostname directly. Even though you might start out with just a single box doing all your email functions, later on you might add other boxes to split the load onto different machines (eg one to handle all the SMTP mail, the other doing POP3/IMAP and another again doing WebMail). By setting your client to use the aliased names, you can add extra boxes and then just update the DNS as appropriate. No changes will be required on the client's computer. Make sure you take my advice now on this matter. You will thank me for this later!! :-)

(OPTIONAL) UPDATE YOUR KERNEL :

RedHat regularly publishes updated versions of the Linux kernel to suit their various RedHat distributions. To ensure that your server has best performance and reliability, it is a good idea to regularly upgrade to the latest available kernel.

RedHat have got some easy-to-follow instructions online :

RedHat 7.2 kernel upgrade guide

RedHat 7.3 kernel upgrade guide

RedHat 8.0 kernel upgrade guide

--------------------------------------------------------------------------------

MYSQL

www.mysql.com

We will be using MySQL to store all the domain and mailbox account information for vpopmail. We are also going to use MySQL to store the SquirrelMail user preferences and address books

Setup an account for the MySQL server to run under :

groupadd mysql

useradd -g mysql mysql

Go to their website and download the latest binaries to /usr/local/src. In this example I have used the file:

mysql-max-3.23.57-pc-linux-i686.tar.gz

(Note, MySQL v4 has recently been released as "stable", however I am yet to do any testing under this new version. I would recommend that you stay with v3.23 until the v4 series is more mature)

Unzip / configure the binaries so they get installed to /usr/local/mysql

cd /usr/local

tar xzf /usr/local/src/mysql-max-3.23.57-pc-linux-i686.tar.gz

ln -s mysql-max-3.23.57-pc-linux-i686 mysql

Run the installation script that creates/verifies all the various system-use tables etc

cd mysql

scripts/mysql_install_db

cd ..

Setup permissions on the MySQL dirs

chown -R root.mysql mysql-max-3.23.57-pc-linux-i686

chmod -R 640 mysql

chmod -R u+X,g+X mysql

chmod -R ug+x mysql/bin

chmod -R g+w mysql/data

chmod -R u+x mysql/scripts

Let the MySQL server know what amount of resources it is allowed to use

# choose an appropriate config file from the samples provided

cp /usr/local/mysql/support-files/my-medium.cnf /usr/local/mysql/data/my.cnf

# adjust the permissions on the file so that mysql daemon can read the contents

chgrp mysql /usr/local/mysql/data/my.cnf

Fire up the server

cd /usr/local/mysql

bin/safe_mysqld --user=mysql &

At this point the mysql daemons should be running. A good way to verify this is to use this command :

ps axf

If all is well, you should be able to see something like this :

1073 ? S 0:00 /bin/sh ./bin/safe_mysqld --datadir=/usr/local/mysql/data --pid-file=/usr/local/mysql/data/.pid

1117 ? S 0:00 \_ /usr/local/mysql/bin/mysqld --defaults-extra-file=/usr/local/mysql/data/my.cnf --basedir=/usr/local/m

1125 ? S 0:00 \_ /usr/local/mysql/bin/mysqld --defaults-extra-file=/usr/local/mysql/data/my.cnf --basedir=/usr/loc

1126 ? S 0:00 \_ /usr/local/mysql/bin/mysqld --defaults-extra-file=/usr/local/mysql/data/my.cnf --basedir=/usr

1143 ? S 0:00 \_ /usr/local/mysql/bin/mysqld --defaults-extra-file=/usr/local/mysql/data/my.cnf --basedir=/usr

1419 ? S 0:00 \_ /usr/local/mysql/bin/mysqld --defaults-extra-file=/usr/local/mysql/data/my.cnf --basedir=/usr

1449 ? S 0:00 \_ /usr/local/mysql/bin/mysqld --defaults-extra-file=/usr/local/mysql/data/my.cnf --basedir=/usr

1471 ? S 0:00 \_ /usr/local/mysql/bin/mysqld --defaults-extra-file=/usr/local/mysql/data/my.cnf --basedir=/usr

(If you received errors, look in the file /usr/local/mysql/data/hostname.err for debugging info)

Next setup a password for the MySQL root user

/usr/local/mysql/bin/mysqladmin -u root password 'mysql-root-pwd'

Configure MySQL so it is running all the time from bootup onwards

cp /usr/local/mysql/support-files/mysql.server /etc/rc.d/init.d/mysql

chmod 744 /etc/rc.d/init.d/mysql

chkconfig --add mysql

Then I like to use the ntsysv program to double-check that mysql is set to launch at boot time

--------------------------------------------------------------------------------

OPENSSL

www.openssl.org

This package is optional. It is required if you want your Apache software to have SSL support. We have used it because we want our WebMail interface to have SSL functionality for the login screens. If you don't want/need SSL support, you could skip this section

Go to their website and download the latest source to /usr/local/src. In this example I have used the file:

openssl-0.9.7b.tar.gz

Compile source (installs to /usr/local/ssl)

cd /usr/local/src

tar xzf openssl-0.9.7b.tar.gz

chown -R root.root openssl-0.9.7b

cd openssl-0.9.7b

./config no-threads -fPIC

make

make install

Generate a private key (make a KEY file)

cd /usr/local/ssl

# generate a 1024-bit RSA private key

bin/openssl genrsa -out private/webmail.yourdomain.com.key 1024

# make sure the permissions on the private dir are tight

chown -R root.root private

chmod -R 600 private

chmod u+X private

Generate a certificate signing request (make a CSR file)

# fill in the X.509 prompts when they appear on the screen

# make sure you put the web site's name into the common name box eg webmail.yourdomain.com

bin/openssl req -new -key private/webmail.yourdomain.com.key -out certs/webmail.yourdomain.com.csr

Country Name (2 letter code) [AU]:AU

State or Province Name (full name) [Some-State]:Your State

Locality Name (eg, city) []:Your City

Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your Company Pty Ltd

Organizational Unit Name (eg, section) []:Internet Services

Common Name (eg, your name or your server's hostname) []:webmail.yourdomain.com

Email Address []:postmaster@yourdomain.com

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:yoursecretpasswd

An optional company name []:

Get the certificate signed (make a CRT file)

Get the certificate signed by one of the official signing authorities (eg Thawte) :

Send the webmail.yourdomain.com.csr file to a signing authority for processing...

When they have signed it, copy the signed certificate to /usr/local/ssl/certs/webmail.yourdomain.com.crt

Or alternately, here is how you can sign it yourself so you can do a bit of testing! :

openssl x509 -req -days 30 -in certs/webmail.yourdomain.com.csr -out certs/webmail.yourdomain.com.crt -signkey private/webmail.yourdomain.com.key

A note for the future.... Eventually you will need to renew your certificate :

If you get your certificate signed by eg Thawte, then after the certificate period expires (typically 1 year), you will need to renew the certificate

If all the details for your server are still the same as on your original signing request, then you do not have to submit a new CSR file; you can just ask them to "re-sign" your existing certificate with an updated expiry date. Before proceeding with your renewal request, make sure you still have a copy of your original private key, as the new certificate will require this file.

Alternatively, if any of the details for your server have changed, then you will need to apply for a new certificate. To do this just follow the original steps above that show how to create a certificate from scratch. (Thawte will still only bill you the cheaper renewal rates..)

Thawte will then send you an updated CRT, and all you do is save this over the top of your original CRT file (/usr/local/ssl/certs/webmail.yourdomain.com.crt), and then restart the apache server
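As an added example (not part of the original notes), the key / CSR / self-signed test certificate sequence above done non-interactively, together with the two checks worth running whenever a new or re-signed CRT arrives: that the certificate actually belongs to the private key you kept, and how long it remains valid. It assumes an `openssl` binary in PATH and writes into a scratch directory; the 2048-bit key size is this example's choice (the notes used 1024), and the subject fields are the placeholder values from the prompts shown above.

```shell
#!/bin/sh
# Added example, not from the original notes. Assumes `openssl` in PATH.
WORK=$(mktemp -d)
CN=webmail.yourdomain.com   # hostname used throughout the notes

# Key + CSR + 30-day self-signed test certificate, with no interactive prompts.
# The notes used a 1024-bit key in 2003; 2048 bits is this example's choice.
make_test_cert() {
    dir=$1; cn=$2
    ( umask 077; openssl genrsa -out "$dir/$cn.key" 2048 2>/dev/null )   # key is 0600 from birth
    openssl req -new -key "$dir/$cn.key" -out "$dir/$cn.csr" \
        -subj "/C=AU/ST=Your State/L=Your City/O=Your Company Pty Ltd/OU=Internet Services/CN=$cn"
    openssl x509 -req -days 30 -in "$dir/$cn.csr" -signkey "$dir/$cn.key" \
        -out "$dir/$cn.crt" 2>/dev/null
}

# Check 1: does this CRT belong to this KEY?  Compare the RSA modulus of both.
# A re-signed certificate from the CA must pass this against the original key.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
    c=$(openssl x509 -noout -modulus -in "$2")
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Check 2: will the certificate still be valid N days from now?
# (-checkend exits 0 while still valid, 1 once it would have expired)
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# The CN that clients compare against the webmail hostname they connect to.
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

if command -v openssl >/dev/null 2>&1; then
    make_test_cert "$WORK" "$CN"
    if key_matches_cert "$WORK/$CN.key" "$WORK/$CN.crt"; then
        echo "key and certificate match; CN=$(cert_cn "$WORK/$CN.crt")"
    fi
    cert_valid_for_days "$WORK/$CN.crt" 29 && echo "still valid in 29 days"
    cert_valid_for_days "$WORK/$CN.crt" 31 || echo "expires within 31 days: schedule renewal"
fi
```

The modulus comparison is the test to run on the file a CA sends back before overwriting /usr/local/ssl/certs/webmail.yourdomain.com.crt; the `-checkend` call is cheap enough to put in a daily cron job so the renewal described above is not discovered by users seeing browser warnings.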

--------------------------------------------------------------------------------

APACHE WEB SERVER (WITH MOD_SSL & PHP4 AS DSO MODULES)

http://httpd.apache.org

In the original document the steps only required for mod_ssl support were marked with a green background; that highlighting is lost in this copy, so if you skipped the OpenSSL section treat the mod_ssl-related steps below (merging the mod_ssl source and the SSL-related configure options) as optional.

Uninstall apache if it is installed already

rpm -e --nodeps apache

Go to their website and download the latest source to /usr/local/src. In this example I have used the file:

apache_1.3.27.tar.gz

(Note, Apache v2 has recently been released as "stable", however I am yet to do any testing under this new version. I would recommend that you stay with v1.3 until the v2 series is more mature)

Extract the apache source

cd /usr/local/src

chown -R root.root apache_1.3.27

tar xzf apache_1.3.27.tar.gz

Create an account and group for the web server to run under

groupadd www

useradd -g www www

Merge in the mod_ssl source

www.modssl.org

mod_ssl provides SSL cryptography functionality for the Apache webserver

Go to their website and download the version of mod_ssl that matches your version of apache. Put the file into /usr/local/src. In this example I have used the file :

mod_ssl-2.8.14-1.3.27.tar.gz

Extract the source :

cd /usr/local/src

tar xzf mod_ssl-2.8.14-1.3.27.tar.gz

chown -R root.root mod_ssl-2.8.14-1.3.27

cd mod_ssl-2.8.14-1.3.27

And now use the configure script to patch the apache source tree

./configure --with-apache=../apache_1.3.27 --with-crt=/usr/local/ssl/certs/webmail.yourdomain.com.crt --with-key=/usr/local/ssl/private/webmail.yourdomain.com.key

Compile the apache source

cd /usr/local/src

cd apache_1.3.27

SSL_BASE=../openssl-0.9.7b ./configure --prefix=/usr/local/apache --enable-module=so --enable-module=rewrite --enable-shared=rewrite --enable-module=ssl --enable-shared=ssl --disable-rule=SSL_COMPAT --server-uid=www --server-gid=www

make

make install

Now add PHP scripting support

www.php.net

Go to their website and download the latest source to /usr/local/src. In this example I have used :

php-4.3.2.tar.gz

Extract the source

cd /usr/local/src

tar xzf php-4.3.2.tar.gz

chown -R root.root php-4.3.2

cd php-4.3.2

And now use the configure script to build PHP as an Apache DSO module (via apxs) with MySQL support

./configure --with-mysql=/usr/local/mysql --with-apxs=/usr/local/apache/bin/apxs

make

make install

Put the sample php.ini file into the required location

cp php.ini-dist /usr/local/lib/php.ini

Modify the /usr/local/lib/php.ini file and make sure it contains the following commands

max_execution_time=60

memory_limit=10M

post_max_size=8M

upload_max_filesize=8M

file_uploads=On

log_errors=On

error_log=/usr/local/apache/logs/php_error_log

Tighten the security on PHP dir

# Since we have installed PHP as a module, it will run in our chosen "www" context.

# We will now tighten up the permissions on the php directory to allow only root and www users access

chown -R root.www /usr/local/lib/php

chmod -R g-w,o-rwx /usr/local/lib/php

Edit the /usr/local/apache/conf/httpd.conf file

User www

Group www

ServerAdmin postmaster@yourdomain.com

ServerName webmail.yourdomain.com

# Following line should be present already as it would be inserted by the PHP make

# Make sure you move it outside of the <IfDefine SSL> section if the make (incorrectly) put it there

LoadModule php4_module libexec/libphp4.so

# uncomment (or add) the following line

AddType application/x-httpd-php .php

# Add the index.php into this line so apache will use this file as a default in addition to index.html

DirectoryIndex index.php index.html

# Go towards the end of the httpd.conf and look for the "SSL Virtual Host Context"

ServerName webmail.yourdomain.com

ServerAdmin postmaster@yourdomain.com

Tidy up the default Apache contents dir

rm -Rf /usr/local/apache/htdocs/*

rm -f /usr/local/apache/index.html.*

Tidy up the default Apache cgi-bin dir

rm -Rf /usr/local/apache/cgi-bin/*

Setup permissions on the Apache dirs

cd /usr/local

# make root.root own the entire Apache tree

chown -R root.root apache

# setup permissions on the apachedir.

# Because it is owned by root.root, we need to make sure the world permissions bits

# allow rx so that the www group in particular can get access to the apacheroot

chmod 755 apache

# now set the rest of the apacheroot to only allow root to rw. Everything else blocked

# we will selectively go and open permissions as needed

chmod -R 600 apache/*

# give owner (root) search/access permissions on all directories in the apacheroot

chmod -R u+X apache

cd apache

# bin dir contains binaries, so grant execute permissions to owner (root)

chmod -R u+x bin

# cgi-bin contains binaries. Allow either owner (root), or group (web server (www)) to execute these

chgrp -R www cgi-bin

chmod -R u+x,g+x cgi-bin

# the web server needs read access the icons dir

chgrp -R www icons

chmod -R g+rX icons

# Web server log files can be written by the service processes

# but the log files cannot be read or served as web content.

# Web server log files can be read only by administration processes

chgrp -R www logs

chmod g+wX logs

# public web files needs to be able to be read, but not written to by the web service processes

# Also the directories where public web content is stored must not be writable by web services processes

# Also public web content files can be written only by processes authorised for web server admin (only root in our case)

chgrp -R www htdocs

chmod -R g+rX htdocs

OPTIONAL : ADD MOD_GZIP SUPPORT

http://sourceforge.net/projects/mod-gzip/

mod_gzip is a module for Apache that allows you to compress outgoing content from an Apache web server on-the-fly. It uses the same compression as gzip and no plugins or extra software is needed by your browser to take advantage of this product. Reduction in size of up to 90% or more is possible.

Go to their website and download the latest source to /usr/local/src. In this example I have used :

mod_gzip-1.3.26.1a.tgz

Unpack the sources

cd /usr/local/src

wget http://telia.dl.sourceforge.net/sou...p-1.3.26.1a.tgz

tar xzf mod_gzip-1.3.26.1a.tgz

chown -R root.root mod_gzip-1.3.26.1a

cd mod_gzip-1.3.26.1a

Compile

APXS=/usr/local/apache/bin/apxs make

APXS=/usr/local/apache/bin/apxs make install

Setup the mod_gzip config in the Apache's httpd.conf file

vi /usr/local/apache/conf/httpd.conf

# Add the following commands to the end of the httpd.conf file

LoadModule gzip_module libexec/mod_gzip.so

mod_gzip_on Yes

mod_gzip_temp_dir /tmp

mod_gzip_keep_workfiles No

mod_gzip_minimum_file_size 500

mod_gzip_maximum_file_size 5000000

mod_gzip_maximum_inmem_size 60000

mod_gzip_handle_methods GET

mod_gzip_item_include file "\.htm$"

mod_gzip_item_include file "\.html$"

mod_gzip_item_include file "\.txt$"

mod_gzip_item_include file "\.php$"

mod_gzip_item_include mime "text/*"

mod_gzip_item_include mime "httpd/unix-directory"

mod_gzip_item_include mime "application/x-httpd-php"

mod_gzip_item_exclude file "\.css$"

mod_gzip_item_exclude file "\.js$"

mod_gzip_item_exclude file "\.wml$"

mod_gzip_dechunk Yes

LogFormat "%h %l %u %t \"%r\" %s %b mod_gzip: %{mod_gzip_compression_ratio}npct." common_with_mod_gzip_info1

# CustomLog /usr/local/apache/logs/mod_gzip common_with_mod_gzip_info1

LogFormat "%h %l %u %t \"%V %r\" %s %b mod_gzip: %{mod_gzip_result}n In:%{mod_gzip_input_size}n Out:%{mod_gzip_output_size}n:%{mod_gzip_compression_ratio}npct." common_with_mod_gzip_info2

CustomLog /usr/local/apache/logs/mod_gzip common_with_mod_gzip_info2

mod_gzip_add_header_count Yes

CRANK IT UP!

Test your httpd.conf for valid syntax

/usr/local/apache/bin/apachectl configtest

Start the Apache server

# if you are using SSL :

/usr/local/apache/bin/apachectl startssl

# if you aren't using SSL

/usr/local/apache/bin/apachectl start

At this point the apache daemon should be running. A good way to verify this is to use this command :

ps axf

If all is well, you should be able to see something like this :

1210 ? S 0:00 /usr/local/apache/bin/httpd -DSSL

1274 ? S 0:03 \_ /usr/local/apache/bin/httpd -DSSL

1275 ? S 0:00 \_ /usr/local/apache/bin/httpd -DSSL

1276 ? S 0:02 \_ /usr/local/apache/bin/httpd -DSSL

1277 ? S 0:03 \_ /usr/local/apache/bin/httpd -DSSL

1278 ? S 0:01 \_ /usr/local/apache/bin/httpd -DSSL

If you got Apache to startup OK, then add the appropriate apachectl line to /etc/rc.d/rc.local

(Or, better yet, put an appropriate script into /etc/rc.d/init.d/. I will have to get around to writing such a script one day soon.)

--------------------------------------------------------------------------------

QMAIL

I recommend that you follow the instruction guide at www.lifewithqmail.org

However, if you really want to see how we normally do it, here are the steps :

INSTALL UCSPI-TCP

cd /usr/local/src

wget http://cr.yp.to/ucspi-tcp/ucspi-tcp-0.88.tar.gz

wget http://www.qmail.org/ucspi-rss.diff

tar xzf ucspi-tcp-0.88.tar.gz

chown -R root.root ucspi-tcp-0.88

cd ucspi-tcp-0.88

# Patch rblsmtpd so that it can be used with all the newer RBL zones.

# This patch also lets you specify a custom error message to be returned to the sender.

patch -p0 rblsmtpd.c < ../ucspi-rss.diff

# Modify rblsmtpd.c to increase the maximum size of the error text that is allowed

# to be returned to the sender from 200 to 500 chars.

# This allows you to create some nice and descriptive text to send to people who

# are being blocked by your RBL filters

vi rblsmtpd.c

go to line 166 and change it from

if (text.len > 200) text.len = 200;

to

if (text.len > 500) text.len = 500;

make

make setup check

INSTALL DAEMONTOOLS

cd /usr/local/src

wget http://cr.yp.to/daemontools/daemontools-0.76.tar.gz

mkdir -p /package

chmod 1755 /package

cd /package

tar xzfp /usr/local/src/daemontools-0.76.tar.gz

cd admin/daemontools-0.76

package/install

INSTALL QMAIL

Download the required files

cd /usr/local/src

wget http://cr.yp.to/software/qmail-1.03.tar.gz

wget http://www.ckdhr.com/ckd/qmail-103.patch

wget http://www.qmail.org/qmailqueue-patch

wget http://www.shupp.org/patches/qmail-maildir++.patch

wget ftp://ftp.pipeline.com.au/PipeInt/S...ltime.patch.txt

wget ftp://ftp.pipeline.com.au/pipeint/s...-size.patch.txt

wget ftp://ftp.pipeline.com.au/PipeInt/S...ch-20020129.txt

wget ftp://ftp.pipeline.com.au/PipeInt/S...compat.diff.txt

wget ftp://ftp.pipeline.com.au/pipeint/s...il/qmailctl.txt

Create the users and groups required for qmail

groupadd nofiles

useradd -g nofiles -d /var/qmail qmaild

useradd -g nofiles -d /var/qmail qmaill

useradd -g nofiles -d /var/qmail qmailp

useradd -g nofiles -d /var/qmail/alias alias

groupadd qmail

useradd -g qmail -d /var/qmail qmailq

useradd -g qmail -d /var/qmail qmailr

useradd -g qmail -d /var/qmail qmails

Unzip the sources, apply the required patches, compile

tar xzf qmail-1.03.tar.gz

cd qmail-1.03

# Apply patch that allows qmail to work with oversize DNS packets

patch -p1 < ../qmail-103.patch

# Apply the "qmailqueue" patch

# This patch gives you the required support for other popular addons like Qmail-Scanner

patch -p1 < ../qmailqueue-patch

# Apply patch to make qmail-local and qmail-pop3d compatible with the maildir++ quota

# system that is used by vpopmail and courier-imap

patch < ../qmail-maildir++.patch

# Apply patch for local timestamps.

# This will make the emails headers be written in localtime rather than GMT

patch -p1

# Apply patch to limit the size of bounce messages generated by our server.

# The patch will limit the size of the bounce to be 50K,

# or you can override this by setting a different value in /var/qmail/control/bouncemaxbytes

patch

#

# Now add the qregex patch, which adds regexp support to qmail's badmailfrom,

# and also implements badmailto checking (again with regexp support)

patch

# Apply patch to add ESMTP SIZE support to qmail-smtpd

# This helps your server be able to reject excessively large messages "up front",

# rather than waiting for the whole message to arrive and then bouncing it because

# exceeded the /var/qmail/control/databytes setting.

# Note that this particular patch has been modified so it will apply cleanly in

# conjunction with the other patches I have supplied above. The original version

# of this patch would fail because it conflicted with the qregex patch.

patch

Edit qmail-smtpd.c and change the code on the straynewline function (around line 54) from 451 to 553

Without this you will get nasty loops forming when a remote server sends you a message with invalid formatting. By default qmail says something like "I am not going to accept that message at the moment, you can try again later". However in my experience the sending server will try sending the same message again a few seconds later, and this will go around and around in a loop for days on end, consuming valuable bandwidth and resources. By changing the error code to 553, the error becomes permanent, ie "I am not going to accept that message, don't try sending it again".

make setup check

./config

cd ..

Remove the sendmail package, and link in qmail's replacement utility

# If you are running redhat 8, you may first need to remove the postfix

# package, so that mail to someuser@hostname.yourdomain.com will work correctly :

rpm -e --nodeps postfix

# OK, now go ahead and remove the sendmail package

rpm -e --nodeps sendmail

# Link in qmail's replacement "sendmail-like" tools

ln -s /var/qmail/bin/sendmail /usr/lib

ln -s /var/qmail/bin/sendmail /usr/sbin

The qmailctl script contains all the various commands that will allow us to control our qmail daemons. Put it in with the other qmail binaries. Also link it into /usr/bin so it will be in our "path" for easy access

cp /usr/local/src/qmailctl.txt /var/qmail/bin/qmailctl

chmod 755 /var/qmail/bin/qmailctl

ln -s /var/qmail/bin/qmailctl /usr/bin

Setup the /etc/tcp.smtp file

This file controls who is allowed to send and/or relay mail on this server

An example configuration follows :

#------------------------------------------------------

# DESCRIPTION OF THE RULES TO REMIND ME OF HOW THIS FILE WORKS

#

# If you set 'allow', this means that our mail server will allow

# the specified IP range to make a TCP connection to our server

#

# If you set 'deny', this means that our mail server will not allow

# the specified IP range to make a TCP connection to our server

#

# If you set RELAYCLIENT="", this means that the listed IP range is

# allowed to relay mail through our server

#

# If you dont set RELAYCLIENT="", this means that the listed IP range

# will not be able to relay mail through our server

#

# If you set RBLSMTPD="", this means that the listed IP ranges will

# not be checked against any of the RBL databases

#

# If you set RBLSMTPD="some text here", this means that an RBL lookup

# wont be performed, but the mail will be rejected with the specified

# text as a 4xx temp error message

#

# If you set RBLSMTPD="-some text here", this means that an RBL lookup

# wont be performed, but the mail will be rejected with the specified

# text as a 5xx perm error message

#

# If you do not set RBLSMTPD="" or ="some text", then an RBL lookup

# will be performed. If the lookup is successful, then RBLSMTPD will

# return your custom error message (as specified in the -r parameter

# in smtpd supervise script)

#

#-----------------------------------------------------

# HERE ARE THE RULES! :

#-----------------------------------------------------

# BYPASS OPEN RELAY CHECKING FOR THESE IPS :

#

# These IPs are ones that we have setup so that they arent RBL checked.

# We have done this because these particular servers are RBL listed,

# and for whatever reason they can't/won't fix their open relay problem,

# and we still want to be able to receive mail from them.

#

# reminder text goes here for this entry so we know the story...

111.111.111.111:allow,RBLSMTPD=""

# reminder text goes here for this entry so we know the story...

222.222.222.222:allow,RBLSMTPD=""

#

#-----------------------------------------------------------------

# DONT ALLOW THESE IPS TO SEND MAIL TO US :

#

# mailXX.offermail.net connecting regularly and sending invalid

# format messages causing exit with status 256 (bare linefeed normally)

# entry added 15/12/2001

# after looking at the mail coming from these servers it was found to be spam

216.242.75.100-116:allow,RBLSMTPD="-Connections from this IP have been banned."

#

# heaps of spam from replyto of *@freeamateurhotties.com dec2001

64.228.127.:allow,RBLSMTPD="-Connections refused due to spam from freeamateurhotties.com"

154.20.94.:allow,RBLSMTPD="-Connections refused due to spam from freeamateurhotties.com"

209.151.132.:allow,RBLSMTPD="-Connections refused due to spam from freeamateurhotties.com"

216.18.85.:allow,RBLSMTPD="-Connections refused due to spam from freeamateurhotties.com"

#

#-----------------------------------------------------------------

# ALLOW THESE IPS TO RELAY MAIL THROUGH OUR SERVER

#

# Local class-c's from our LAN are allowed to relay,

# and we wont bother doing any RBL checking.

123.123.123.:allow,RELAYCLIENT="",RBLSMTPD=""

123.111.111.:allow,RELAYCLIENT="",RBLSMTPD=""

#

# Connections from localhost are allowed to relay

# (because the WebMail server runs on localhost),

# and obviously there is no point trying to perform an RBL check.

127.0.0.1:allow,RELAYCLIENT="",RBLSMTPD=""

#

#-----------------------------------------------------------------

# ALLOW EVERYONE ELSE TO SEND US MAIL

#

# Everyone else can make connections to our server,

# but not allowed to relay

# RBL lookups are performed

:allow

Setup the /etc/tcp.pop3 file

This file controls who is allowed to access the POP3 services on this server

An example configuration follows :

# Allow any client to connect to us via POP3

# If people are abusing POP3 such as denial-of-service on POP3,

# you can add their ips here to block them out

:allow

Now we have created our tcp.smtp and tcp.pop3 files, we need to compile them into the cdb database format that the tcpserver program can read

qmailctl cdb
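As an added example (not part of the original notes), here is a small simulation of the lookup tcpserver performs against the compiled tcp.smtp rules, so you can see which instruction a given client IP would receive, and whether it may relay or will be RBL-checked, before running `qmailctl cdb`. The rule file it writes is constructed, modelled on the example tcp.smtp above; hostname (`=host`) rules are not modelled, and the lookup order implemented (exact IP or range, then the longest prefix with a trailing dot, then the empty default address) follows the ucspi-tcp documentation.

```shell
#!/bin/sh
# Added example, not from the original notes. Constructed sample rule file,
# modelled on the tcp.smtp shown above.
SAMPLE_RULES=$(mktemp)
cat >"$SAMPLE_RULES" <<'EOF'
# constructed sample
111.111.111.111:allow,RBLSMTPD=""
216.242.75.100-116:allow,RBLSMTPD="-Connections from this IP have been banned."
123.123.123.:allow,RELAYCLIENT="",RBLSMTPD=""
127.0.0.1:allow,RELAYCLIENT="",RBLSMTPD=""
10.0.0.5:deny
:allow
EOF

# tcp_lookup RULESFILE IP -> prints the instruction part of the rule tcpserver
# would pick: exact IP (a range a.b.c.X-Y counts as exact, tcprules expands it),
# then the longest matching prefix with a trailing dot, then the empty address.
# Prints nothing when no rule matches at all.
tcp_lookup() {
    awk -v ip="$2" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    {
        n = index($0, ":"); if (n == 0) next
        key = substr($0, 1, n - 1); rule[key] = substr($0, n + 1); keys[++cnt] = key
    }
    END {
        split(ip, o, ".")
        if (ip in rule) { print rule[ip]; exit }
        for (i = 1; i <= cnt; i++) {                 # range entries
            k = keys[i]
            if (k ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+-[0-9]+$/) {
                split(k, r, "-"); split(r[1], q, ".")
                if (q[1] == o[1] && q[2] == o[2] && q[3] == o[3] &&
                    o[4] + 0 >= q[4] + 0 && o[4] + 0 <= r[2] + 0) { print rule[k]; exit }
            }
        }
        for (len = 3; len >= 1; len--) {             # prefixes, longest first
            p = ""
            for (j = 1; j <= len; j++) p = p o[j] "."
            if (p in rule) { print rule[p]; exit }
        }
        if ("" in rule) print rule[""]
    }' "$1"
}

# can_relay RULESFILE IP -> 0 if the matched rule sets RELAYCLIENT (client may relay)
can_relay() {
    case "$(tcp_lookup "$1" "$2")" in *'RELAYCLIENT=""'*) return 0 ;; esac
    return 1
}

# rbl_checked RULESFILE IP -> 0 if rblsmtpd will actually query the RBL zones:
# the connection is not denied and the rule leaves RBLSMTPD unset.
rbl_checked() {
    case "$(tcp_lookup "$1" "$2")" in deny*|*RBLSMTPD=*) return 1 ;; esac
    return 0
}

for ip in 127.0.0.1 123.123.123.77 216.242.75.110 216.242.75.117 10.0.0.5 8.8.8.8; do
    printf '%-16s -> %s\n' "$ip" "$(tcp_lookup "$SAMPLE_RULES" "$ip")"
done
```

The point of the prefix-before-default order is the one that bites in practice: a rule such as `123.123.123.:allow,RELAYCLIENT=""` silently turns every host in that /24 into a relay client, so run the lookup for an address you expect to be refused relaying whenever you widen a prefix.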

Adjust various aspects of the qmail configuration to suit our tastes

# use postmaster@hostname.yourdomain.com as sender in bounce messages

# rather than the default MAILER-DAEMON@hostname.yourdomain.com

echo 'postmaster' > /var/qmail/control/bouncefrom

# Define how to handle "double bounces".

# The server admin has two choices here, either to receive double bounces

# or to discard them. If your server doesn't handle a lot of mail then it

# wouldn't hurt to receive all double bounces for the admin's inspection.

# But if your server handles a lot of mail, then it is more likely that you

# are going to want to discard double-bounces, because you will end up with

# potentially thousands of these every day.

#

# If you want to keep double-bounces, use these commands to nominate what

# email address to send them through to (eg doublebounce@yourdomain.com) :

echo 'doublebounce' > /var/qmail/control/doublebounceto

echo 'yourdomain.com' > /var/qmail/control/doublebouncehost

# (dont forget that you will need to make sure you have created a mailbox

# to receive these mails. You could use qmailadmin to create a dedicated

# mailbox, or perhaps setup an alias on an existing mailbox)

#

# Or if you would prefer to silently discard any doublebounces,

# then use these commands instead

echo 'doublebounce' > /var/qmail/control/doublebounceto

echo 'hostname.yourdomain.com' > /var/qmail/control/doublebouncehost

echo '#' > ~alias/.qmail-doublebounce

chmod 644 ~alias/.qmail-doublebounce

# set maximum message size to be 8Mb

echo '8000000' > /var/qmail/control/databytes

# queue mail for up to 4 days

echo '345600' > /var/qmail/control/queuelifetime

#

# Populate badmailto so that mail with invalid address formatting gets rejected

echo '# reject containing invalid characters, brackets or multiple @' > /var/qmail/control/badmailto

echo '[!%#:\*\^]' >> /var/qmail/control/badmailto

echo '[\(\)]' >> /var/qmail/control/badmailto

echo '[\{\}]' >> /var/qmail/control/badmailto

echo '@.*@' >> /var/qmail/control/badmailto
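As an added example (not from the guide or from qmail itself), the four badmailto patterns above applied to a few constructed recipient addresses, assuming the patched qmail-smtpd treats each line of the control file as a regular expression:

```python
import re

# The badmailto patterns the guide writes to /var/qmail/control/badmailto.
BADMAILTO = [
    r'[!%#:\*\^]',   # bang paths, the "%" hack and other characters never valid in a plain address
    r'[\(\)]',       # parenthesised comments
    r'[\{\}]',       # braces
    r'@.*@',         # more than one @, e.g. a source-routed or relay-trick recipient
]

# Constructed sample recipients (not taken from any real traffic).
SAMPLES = [
    'someone@yourdomain.com',
    'someone%example.net@yourdomain.com',
    'someone@example.net@yourdomain.com',
    'example.net!someone@yourdomain.com',
    '(comment)someone@yourdomain.com',
]


def badmailto_reason(recipient, patterns=BADMAILTO):
    """Return the first badmailto pattern that matches the recipient, or None if it is acceptable.

    Assumption of this example: the patched qmail-smtpd matches each badmailto line as a
    regular expression, so Python's re module stands in for it here.
    """
    for pat in patterns:
        if re.search(pat, recipient):
            return pat
    return None


def check_samples(samples=SAMPLES):
    """Map every sample recipient to the pattern that rejects it (None = accepted)."""
    return {addr: badmailto_reason(addr) for addr in samples}


if __name__ == '__main__':
    for addr, reason in check_samples().items():
        print('%-40s %s' % (addr, 'accepted' if reason is None else 'rejected by ' + reason))
```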

# setup the default domain for use where an address does not have a domain specified

echo 'yourdomain.com' > /var/qmail/control/defaultdomain

# Note, this following command is optional!

#

# If you want qmail to send all outbound mail via a particular mail server

# rather than to send it direct to the recipient's mail server, then this

# can be achieved with the smtproutes command.

#

# SEND ALL OUTBOUND MAIL VIA SMARTHOST

echo ':yoursmarthost.yourdomain.com' > /var/qmail/control/smtproutes

# redirect any mail sent to root@hostname.yourdomain.com to 'postmaster@yourdomain.com

# redirect any mail sent to postmaster@hostname.yourdomain.com to 'postmaster@yourdomain.com

# redirect any mail sent to mailer-daemon@hostname.yourdomain.com to 'postmaster@yourdomain.com

echo 'postmaster@yourdomain.com' > ~alias/.qmail-root

echo 'postmaster@yourdomain.com' > ~alias/.qmail-postmaster

echo 'postmaster@yourdomain.com' > ~alias/.qmail-mailer-daemon

chmod 644 ~alias/.qmail-*

Create / configure the various qmail run scripts :

ln -s /var/qmail/bin/qmailctl /etc/rc.d/init.d/qmail

ln -s ../init.d/qmail /etc/rc.d/rc0.d/K30qmail

ln -s ../init.d/qmail /etc/rc.d/rc1.d/K30qmail

ln -s ../init.d/qmail /etc/rc.d/rc2.d/S80qmail

ln -s ../init.d/qmail /etc/rc.d/rc3.d/S80qmail

ln -s ../init.d/qmail /etc/rc.d/rc4.d/S80qmail

ln -s ../init.d/qmail /etc/rc.d/rc5.d/S80qmail

ln -s ../init.d/qmail /etc/rc.d/rc6.d/K30qmail

mkdir -p /var/qmail/supervise/qmail-send/log

mkdir -p /var/qmail/supervise/qmail-smtpd/log

mkdir -p /var/qmail/supervise/qmail-pop3d/log

chmod +t /var/qmail/supervise/qmail-send

chmod +t /var/qmail/supervise/qmail-smtpd

chmod +t /var/qmail/supervise/qmail-pop3d

vi /var/qmail/supervise/qmail-send/run

#!/bin/sh

exec env - PATH="/var/qmail/bin:$PATH" qmail-start ./Maildir/

vi /var/qmail/supervise/qmail-send/log/run

#!/bin/sh

# Keep 30 logs of max 10Mb each

#

# They will get rotated when they reach 10Mb in size,

# or at midnight when our crontab script fires (whichever event comes 1st)

exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t s10000000 n30 /var/log/qmail/send

vi /var/qmail/supervise/qmail-smtpd/run

#!/bin/sh

QMAILDUID=`id -u qmaild`

NOFILESGID=`id -g qmaild`

exec /usr/local/bin/softlimit -m 4000000 /usr/local/bin/tcpserver -H -l hostname.yourdomain.com -v -x /etc/tcp.smtp.cdb -c 20 -R -u "$QMAILDUID" -g "$NOFILESGID" 0 smtp /usr/local/bin/rblsmtpd -b -C -r 'relays.ordb.org:Your message was rejected because the mail server you use is configured to allow OPEN RELAY - More detailed information regarding this problem is available from http://www.ordb.org/lookup/?%IP% - Please forward this error through to your email server support staff for easy resolution.' -t 5 /var/qmail/bin/qmail-smtpd 2>&1

# The -H option (the part shown in orange on the original web page) should be used

# if you are running qmail on a computer that is on a LAN that is using fake ips/masquerading.

# It tells tcpserver not to bother trying to resolve ip addresses

# to names when writing the SMTP log files. Usually with fake ips,

# you can't resolve them to names, so it will make the SMTP services run

# really slowly if it is always trying to resolve these addresses.

# Alternatively, if you are eg an ISP and all your SMTP clients are

# connecting from real IPs with resolvable names, then you can omit

# the -H option and then benefit from more readable logfiles.

vi /var/qmail/supervise/qmail-smtpd/log/run

#!/bin/sh

# Keep 30 logs of max 10Mb each

#

# They will get rotated when they reach 10Mb in size,

# or at midnight when our crontab script fires (whichever event comes 1st)

exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t s10000000 n30 /var/log/qmail/smtpd

vi /var/qmail/supervise/qmail-pop3d/run

#!/bin/sh

exec /usr/local/bin/softlimit -m 4000000 /usr/local/bin/tcpserver -H -l hostname.yourdomain.com -v -x /etc/tcp.pop3.cdb -c 30 -R 0 pop3 /var/qmail/bin/qmail-popup hostname.yourdomain.com /home/vpopmail/bin/vchkpw /var/qmail/bin/qmail-pop3d Maildir 2>&1

# The -H option (the part shown in orange on the original web page) should be used

# if you are running qmail on a computer that is on a LAN that is using fake ips/masquerading.

# It tells tcpserver not to bother trying to resolve ip addresses

# to names when writing the POP3 log files. Usually with fake ips,

# you can't resolve them to names, so it will make the POP3 services run

# really slowly if it is always trying to resolve these addresses.

# Alternatively, if you are eg an ISP and all your POP3 clients are

# connecting from real IPs with resolvable names, then you can omit

# the -H option and then benefit from more readable logfiles.

vi /var/qmail/supervise/qmail-pop3d/log/run

#!/bin/sh

# Keep 30 logs of max 10Mb each

# They will get rotated when they reach 10Mb in size,

# or at midnight when our crontab script fires (whichever event comes 1st)

exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t s10000000 n30 /var/log/qmail/pop3d

chmod 755 /var/qmail/supervise/qmail-send/run

chmod 755 /var/qmail/supervise/qmail-send/log/run

chmod 755 /var/qmail/supervise/qmail-smtpd/run

chmod 755 /var/qmail/supervise/qmail-smtpd/log/run

chmod 755 /var/qmail/supervise/qmail-pop3d/run

chmod 755 /var/qmail/supervise/qmail-pop3d/log/run

mkdir /var/log/qmail

mkdir /var/log/qmail/smtpd

mkdir /var/log/qmail/send

mkdir /var/log/qmail/pop3d

chown -R qmaill /var/log/qmail

crontab -e

# the following 3 lines rotate the qmail log files daily

0 0 * * * /usr/local/bin/svc -a /service/qmail-smtpd/log

0 0 * * * /usr/local/bin/svc -a /service/qmail-send/log

0 0 * * * /usr/local/bin/svc -a /service/qmail-pop3d/log

ln -s /var/qmail/supervise/qmail-send /service

ln -s /var/qmail/supervise/qmail-smtpd /service

ln -s /var/qmail/supervise/qmail-pop3d /service

At this point the qmail daemons should be running. A good way to verify this is to use this command :

ps axf

If all is well, you should be able to see something like this :

1218 ? S 0:00 /bin/sh /command/svscanboot

1222 ? S 0:00 \_ svscan /service

1224 ? S 0:00 | \_ supervise qmail-send

1230 ? S 0:00 | | \_ qmail-send

1236 ? S 0:00 | | \_ qmail-lspawn ./Maildir/

1237 ? S 0:00 | | \_ qmail-rspawn

1238 ? S 0:00 | | \_ qmail-clean

1225 ? S 0:00 | \_ supervise log

1233 ? S 0:00 | | \_ /usr/local/bin/multilog t s10000000 n30 /var/log/qmail/send

1226 ? S 0:00 | \_ supervise qmail-smtpd

1231 ? S 0:00 | | \_ /usr/local/bin/tcpserver -v -x /etc/tcp.smtp.cdb -c 20 -R -u 504 -g 503 0 smtp /var/qmail/bin

1227 ? S 0:00 | \_ supervise log

1234 ? S 0:00 | | \_ /usr/local/bin/multilog t s10000000 n30 /var/log/qmail/smtpd

1228 ? S 0:00 | \_ supervise qmail-pop3d

1232 ? S 0:00 | | \_ /usr/local/bin/tcpserver -v -x /etc/tcp.pop3.cdb -c 30 -H -R 0 110 /var/qmail/bin/qmail-popup

1229 ? S 0:00 | \_ supervise log

1235 ? S 0:00 | \_ /usr/local/bin/multilog t s10000000 n30 /var/log/qmail/pop3d

1223 ? S 0:00 \_ readproctitle service errors: .......................................................................

Note the 3 qmail daemons : qmail-send, qmail-smtpd, qmail-pop3d, as well as their associated logging processes. If there is anything wrong with your install, an error message will generally be visible on the "readproctitle" line.

You can control the qmail daemons by using the qmailctl program. You can just type that command without any parameters and it will display the available options eg start, stop, status, doqueue

--------------------------------------------------------------------------------

VPOPMAIL

Original Authors : http://www.inter7.com/vpopmail

Current Development location : https://sourceforge.net/projects/vpopmail

http://www.inter7.com/vpopmail (Original author's home page)

http://sourceforge.net/projects/vpopmail (The recent vpopmail development work is being done via Sourceforge)

Make the user accounts

# If you are using RH8.0, you will probably need to run this following command,

# because RH8.0 comes preconfigured with UID/GID 89 allocated to postfix

#

# userdel postfix

groupadd -g 89 vchkpw

useradd -g vchkpw -u 89 vpopmail

# We recommend you use the user and group id's of 89. The FreeBSD folks

# have reserved 89 for the group and 89 for the user for vpopmail. Feel

# free to have the OS assign the group/user id (for example, Solaris won't

# allow gid 89).

Download and unpack the source

cd /usr/local/src

wget http://osdn.dl.sourceforge.net/sour...il-5.4.0.tar.gz

tar xzf vpopmail-5.4.0.tar.gz

chown -R root.root vpopmail-5.4.0

cd vpopmail-5.4.0

Setup the MySQL support in the vpopmail sources

# Create the configuration file that vpopmail will use

# to setup the connection to the mysql database

#

# This example will tell vpopmail :

# * Log into the server running on localhost

# * Use the default mysql port

# (In fact if the server is localhost, and you don't specify a port number, then

# I believe that communications are done via unix sockets rather than TCP/IP)

# * Login with username vpopmailuser

# * Login with password vpoppasswd

# * Use the database called vpopmail

#

echo "localhost|0|vpopmailuser|vpoppasswd|vpopmail" > ~vpopmail/etc/vpopmail.mysql

chown vpopmail.vchkpw ~vpopmail/etc/vpopmail.mysql

chmod 640 ~vpopmail/etc/vpopmail.mysql

# log into MySQL as the MySQL root user

# and then create the database for vpopmail to use

# and then setup the appropriate permissions on this database

/usr/local/mysql/bin/mysql --password="mysql-root-pwd"

CREATE DATABASE vpopmail;

GRANT select,insert,update,delete,create,drop ON vpopmail.*

TO vpopmailuser@localhost IDENTIFIED BY 'vpoppasswd';

quit

Now, build the program

./configure --disable-roaming-users --enable-logging=p --disable-passwd --enable-clear-passwd --disable-domain-quotas --enable-auth-module=mysql --disable-many-domains --enable-auth-logging --enable-mysql-logging --enable-valias --disable-mysql-limits

make

make install-strip

Notes :

The "--enable-mysql-limits" configuration option is new. I plan to update my guide to use this function at some point in the near future once I have done some testing etc of this functionality

Review the contents of the file that is used to set the default limits for any domains / mailboxes in the vpopmail system. Make sure it contains reasonable defaults for your system.

vi ~vpopmail/etc/vlimits.default

# in particular set the default mailbox size to be something reasonable eg 20Mb

default_quota 20971520

Optionally, nominate a "default domain". Users in this domain can login to POP3 etc using just their username. Users from all other domains need to use their full email address as their login name.

echo "yourdomain.com" > /home/vpopmail/etc/defaultdomain

Set up the quota warning message that is sent to users when they are at 90% quota

vi quotawarn.msg

From: SomeCompany Postmaster

Reply-To: postmaster@yourdomain.com

To: SomeCompany User:;

Subject: Mail quota warning

Mime-Version: 1.0

Content-Type: text/plain; charset=iso-8859-1

Content-Transfer-Encoding: 7bit

Your mailbox on the server is now more than 90% full.

So that you can continue to receive mail,

you need to remove some messages from your mailbox.

If you require assistance with this,

please contact our support department :

email : support@yourdomain.com

Tel : xx xxxx xxxx

cp quotawarn.msg /home/vpopmail/domains/.quotawarn.msg

If you want, you can alter the standard message that gets sent to the sender in an overquota situation

echo "Message rejected. Not enough storage space in user's mailbox to accept message." > /home/vpopmail/domains/.over-quota.msg

OK, vpopmail is now installed!

Some example vpopmail commands :

To add a domain :

/home/vpopmail/bin/vadddomain yourdomain.com yourpassword

# this creates the domain and makes a mailbox postmaster@yourdomain.com

To add a mailbox:

/home/vpopmail/bin/vadduser someone@yourdomain.com apassword

(Or you can do it via qmailadmin)

To remove a mailbox

/home/vpopmail/bin/vdeluser someone@yourdomain.com

(Or you can do it via qmailadmin)

To remove a domain :

/home/vpopmail/bin/vdeldomain yourdomain.com

To change a user's password

/home/vpopmail/bin/vpasswd someone@yourdomain.com newpassword

(Or you can do it via qmailadmin)

To lookup info about a user

/home/vpopmail/bin/vuserinfo someone@yourdomain.com

This gives you info such as name, crypted password, cleartext password, dir, quota, usage%, last auth.

It has a number of flags to let you see the individual fields, or you can see them all if you don't use any flags.

It also creates the maildirsize file in the user's dir

Logging in via POP3

When your users are setting up their POP3 email clients (eg Outlook Express), they should use settings like this :

My incoming mail server is a POP3 server

Incoming mail server (POP3): pop3.yourdomain.com

Outgoing mail server (SMTP): smtp.yourdomain.com

POP3 account name : theirusername@yourdomain.com

Password: theirpassword

When you configured vpopmail, you had the opportunity to nominate a "default" domain. When users from the default domain authenticate, it is optional for them to add the @yourdomain.com onto the end of their username. If vpopmail sees that no domain has been specified by the user, then it will automatically perform the auth against the nominated default domain. If you are hosting multiple domains, then everyone who is NOT in the default domain MUST add their domain name onto the end of their username. (A small percentage of email programs eg Netscape Mail v4.7 do not permit the use of the @ symbol in account name. In this case you can use the % symbol instead of the @ symbol)

vpopmail roaming users :

With qmail, the typical way to control mail relaying is to put a list of rules into a file called tcp.smtp. The tcprules program is then used to compile this file into cdb database format with the output being stored in a file called tcp.smtp.cdb. The tcpserver program is configured (using the -x parameter) to read this file and thus know which SMTP clients are permitted to relay mail.

This type of configuration works well if there is a known range of IP addresses that are permitted to relay mail. eg the IP's on the qmail server's local LAN. However if the qmail server needs to provide outbound SMTP services for clients who may be connecting from any IP, you are going to run into problems. What is needed is some way to automate the process of granting users the ability to relay mail, without opening up access to all and sundry on the Internet.

vpopmail includes a solution for this problem. The solution is known as "roaming users" and is implemented with a technique known as "POP-before-SMTP". Once a client has successfully authenticated via POP3, vpopmail will add the client's IP to a list. vpopmail then merges this list with the contents of the tcp.smtp file and runs the tcprules program to compile a new version of the tcp.smtp.cdb file. Thus the client can now relay mail.

In addition to storing the client's IP address, vpopmail will also store the time of authentication. The postmaster uses a cronjob on the qmail server to periodically (eg once per hour) run the clearopensmtp program. This program scans through the list of roaming clients and removes any entries that exceed the nominated age (eg 3 hours). This ensures that the list of IPs does not grow out of bounds, and that the roaming IPs are closed within a reasonable timeframe after being opened.

Configuration options for vpopmail that relate to roaming users :

./configure --enable-roaming-users \

--enable-tcprules-prog=path \

--enable-tcpserver-file=path \

--enable-relay-clear-minutes=minutes

Notes :

qmail servers are typically built with the tcp.smtp files being located in the /etc directory. This is not usually suitable for vpopmail roaming users, since the /etc directory will (should) not have write permissions for the vpopmail user. Therefore it is not going to be possible for vpopmail to write out updated versions of the tcp.smtp.cdb file. For use with roaming users, it is recommended that the tcp.smtp files are stored in ~vpopmail/etc

If a POP user auths, and their IP already exists in the roaming IP list, the timestamp for the entry is updated, but the tcprules program is not run. There is no need to rebuild the tcp.smtp.cdb file as the IP address is already permitted to relay. Rebuilding the file will only waste disk and CPU time.

If the vpopmail server is using the default cdb authentication backend, then the list of roaming IPs will be stored in a file called ~vpopmail/etc/open-smtp. If the vpopmail server is using the MySQL backend, the roaming IPs will be stored in a database table called relay. The SQL backend will give better performance on a busy server. Either way though, you should be cautious about enabling roaming user functionality on a very busy server, as a large amount of disk and CPU will be used with the continual rebuilding of the tcp.smtp.cdb file. If the server is busy enough you could run into nasty file locking issues which will cause vpopmail password authentication to intermittently fail. If you absolutely must have POP-before-SMTP functionality on your busy server, then there are only two possible solutions that I can think of : 1) you could try putting the tcp.smtp files onto a RAM disk, or 2) use vpopmail's MySQL auth backend, plus use Matt Simerson's tcpserver patch that allows all of the tcp.smtp files to be stored in MySQL

Over time POP-before-SMTP seems to be slowly becoming a less favoured way of allowing roaming users to relay mail. SMTP-Auth appears to be becoming the preferred option, as it scales much more easily on a busy server. However for a small to medium sized server, POP-before-SMTP is still quite a workable option. If you would like to investigate the use of SMTP-Auth, take a look at this patch : http://www.fehcom.de/qmail/smtpauth.html#PATCHES
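The relay rules from the tcp.smtp section above and the roaming-user mechanism just described, modelled together as an added example (this is not code from ucspi-tcp, vpopmail or this guide): it parses tcprules text, looks a client address up in the order tcpserver uses, and merges a constructed open-smtp roaming list with clearopensmtp-style expiry. The open-smtp line layout and the "first rule seen for a key wins" ordering are assumptions of the model, not documented vpopmail behaviour.

```python
"""Model of tcp.smtp relay rules plus vpopmail's POP-before-SMTP roaming list."""
import re

# Constructed, abridged copy of the tcp.smtp rules shown in the guide.
TCP_SMTP = """\
# blocked class-C: rblsmtpd refuses the session with this message
64.228.127.:allow,RBLSMTPD="-Connections refused due to spam from freeamateurhotties.com"
# local LAN and localhost may relay, no RBL lookups
123.123.123.:allow,RELAYCLIENT="",RBLSMTPD=""
127.0.0.1:allow,RELAYCLIENT="",RBLSMTPD=""
# everyone else: accept the connection, no relaying, RBL lookups performed
:allow
"""

# Constructed roaming list in the layout this example ASSUMES for ~vpopmail/etc/open-smtp:
# the relay rule vpopmail appends, then the unix time of the POP3 authentication.
NOW = 1700000000
OPEN_SMTP = (
    '198.51.100.7:allow,RELAYCLIENT="",RBLSMTPD=""\t%d\n' % (NOW - 10 * 60)     # 10 min old
    + '203.0.113.5:allow,RELAYCLIENT="",RBLSMTPD=""\t%d\n' % (NOW - 5 * 3600)  # 5 h old
    + '64.228.127.9:allow,RELAYCLIENT="",RBLSMTPD=""\t%d\n' % (NOW - 60)       # inside blocked /24
)

RULE_RE = re.compile(r'^([^:]*):(allow|deny)(?:,(.*))?$')
ENV_RE = re.compile(r'(\w+)="([^"]*)"')
ROAMING_RE = re.compile(r'^(\S+):allow,RELAYCLIENT="",RBLSMTPD=""\s+(\d+)$')


def parse_rules(text):
    """Parse tcprules text into (key, action, env) tuples; blanks and '#' comments are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError('bad rule: %r' % line)
        rules.append((m.group(1), m.group(2), dict(ENV_RE.findall(m.group(3) or ''))))
    return rules


def lookup(rules, ip):
    """Find the rule for a client address the way tcpserver searches the cdb: the exact
    address first, then ever shorter dotted prefixes, then the default ':' rule.
    Hostname (=name) rules are not modelled."""
    octets = ip.split('.')
    candidates = [ip] + ['.'.join(octets[:n]) + '.' for n in (3, 2, 1)] + ['']
    table = {}
    for key, action, env in rules:
        table.setdefault(key, (action, env))  # assumption: first rule seen for a key wins
    for key in candidates:
        if key in table:
            return table[key]
    return ('allow', {})  # no rule at all; the guide's ':allow' line makes the default explicit


def classify(rules, ip):
    """What the matched rule means for SMTP: may the client relay, will rblsmtpd do its
    lookups (RBLSMTPD unset), or is the session refused outright (RBLSMTPD="-message")."""
    action, env = lookup(rules, ip)
    if action == 'deny':
        return {'connect': False, 'relay': False, 'rbl_check': False, 'refused': None}
    rbl = env.get('RBLSMTPD')
    return {
        'connect': True,
        'relay': 'RELAYCLIENT' in env,
        'rbl_check': rbl is None,
        'refused': rbl[1:] if rbl and rbl.startswith('-') else None,
    }


def live_roaming(open_smtp_text, now, max_age_minutes):
    """Keep only addresses younger than max_age_minutes, as clearopensmtp does on its cron run."""
    keep = []
    for line in open_smtp_text.splitlines():
        m = ROAMING_RE.match(line.strip())
        if m and now - int(m.group(2)) <= max_age_minutes * 60:
            keep.append(m.group(1))
    return keep


def merge_roaming(rules, roaming_ips):
    """Rule set vpopmail would compile into tcp.smtp.cdb: the static tcp.smtp rules
    followed by one relay rule per live roaming address."""
    relay = {'RELAYCLIENT': '', 'RBLSMTPD': ''}
    return list(rules) + [(ip, 'allow', relay) for ip in roaming_ips]


if __name__ == '__main__':
    static = parse_rules(TCP_SMTP)
    merged = merge_roaming(static, live_roaming(OPEN_SMTP, NOW, 180))
    for ip in ('123.123.123.45', '198.51.100.7', '203.0.113.5', '64.228.127.9'):
        print(ip, 'static:', classify(static, ip), 'with roaming:', classify(merged, ip))
```

Note from the last sample address: because the exact-address key is tried before any prefix, an authenticated roaming client inside the blocked 64.228.127. range is granted relay once it is on the list, so the RBLSMTPD refusal on the prefix rule does not cover it.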

--------------------------------------------------------------------------------

AUTORESPONDER

Current development location : http://www.sourceforge.net/projects/qmailadmin

This package is a prerequisite for qmailadmin

Download and unpack the source

cd /usr/local/src

wget http://osdn.dl.sourceforge.net/sour...nd-2.0.4.tar.gz

tar xzf autorespond-2.0.4.tar.gz

chown -R root.root autorespond-2.0.4

cd autorespond-2.0.4

Build the program

make

make install

EZMLM / EZMLM-IDX

This package is a prerequisite for qmailadmin

ezmlm is mailing list software written by the author of qmail

ezmlm-idx is a patch that adds extra features to the standard ezmlm program.

EZMLM : http://cr.yp.to/ezmlm.html

EZMLM-IDX PATCH : http://www.ezmlm.org

(although I often find this site unresponsive, and so I use one of the mirrors instead like http://www.glasswings.com.au/ezmlm/)

Download and unpack the ezmlm sources

cd /usr/local/src

wget http://cr.yp.to/software/ezmlm-0.53.tar.gz

tar xzf ezmlm-0.53.tar.gz

chown -R root.root ezmlm-0.53

wget ftp://ftp.pipeline.com.au/PipeInt/S...idx-0.40.tar.gz

tar xzf ezmlm-idx-0.40.tar.gz

chown -R root.root ezmlm-idx-0.40

Merge the sources together

cp -R ezmlm-idx-0.40/* ezmlm-0.53/

# (you need to press y quite a few times to allow the patch files to overwrite the original files)

cd ezmlm-0.53

patch < idx.patch

Build the program

make

make man

make setup

QMAILADMIN

Original Authors : http://www.inter7.com/qmailadmin

Current Development location : https://sourceforge.net/projects/qmailadmin/

Description :

The domain postmaster can use this tool to view all the accounts on the domain as well as add/remove accounts, forwards, auto-responders etc.

Domain users can use this tool to modify their own user settings only, ie mailbox password, real name, forwards, vacations.

This tool does not let you create new domains.

Download and unpack the source

cd /usr/local/src

wget http://osdn.dl.sourceforge.net/sour...in-1.2.0.tar.gz

tar xzf qmailadmin-1.2.0.tar.gz

chown -R root.root qmailadmin-1.2.0

cd qmailadmin-1.2.0

(Optional) Make a small mod that affects the look of the qmailadmin login page

edit the lang/en file, and change record 112 to read "Username" rather than "User Account"

(We found our users knew what to type as their "Username", but didn't know what to type as a "User Account")

Build the program

./configure --enable-htmldir=/usr/local/apache/htdocs --enable-cgibindir=/usr/local/apache/cgi-bin --enable-maxusersperpage=12 --enable-maxaliasesperpage=12 --disable-modify-quota --disable-ezmlm-mysql --disable-help

# note, I chose to have 12 accounts per page in the config above,

# because this makes these particular screens fit nicely on my 1024*768 monitor

make

make install-strip

Test to see if it works

http://webmail.yourdomain.com/cgi-bin/qmailadmin

If you log in as a domain postmaster, then you should get the screens where you can view, add and remove mailboxes, aliases, mailing lists etc. on the domain.

If you log in as a user, you can only access your own mailbox settings (eg password, forwards, vacation messages)

Setting limits :

You can set up limits on any domains where required by putting a .qmailadmin-limits file into the domain's virtual dir (/home/vpopmail/domains/yourdomain.com). Make sure the vpopmail user has read permissions for this file.

Syntax of .qmailadmin-limits file is as follows :

maxpopaccounts X

maxforwards X

maxmailinglists X

maxautoresponders X

Set X to be the maximum desired number for that feature

Set X to be 0 if you want to disable that feature & menu item

There are also some other settings that can be specified in the .qmailadmin-limits file, refer to section 6 of the qmailadmin installation instructions (http://inter7.com/qmailadmin/install.txt) for more info

A bit of a long-winded misc note to myself :

(If you are setting up your vpopmail server for the first time, then this block of text has no relevance to you. You can skip straight past this waffle and go onto the next section...)

As of qmailadmin-1.0.21, you can't create "aliases" any more. What qmailadmin previously created as aliases are now created as forwards. Aliases dump incoming mail for the aliased address directly into the recipient user's Maildir. The problem with this is that it bypassed any further ".qmail" processing, meaning that you ran into problems if you were trying to set up some of the more fancy things (like per-user SpamAssassin configurations?). Using forwards bypasses this problem as the message will get re-injected back into the queue for delivery.

However this change does cause some problems for sites that already have existing aliases in use. The problem is that when you go into qmailadmin-1.0.21 and select the forwards screen, all the existing aliases and forwards for that domain are displayed.

Problem # 1 : For mail that is being redirected to a local account, you can't tell from this screen whether the user is getting alias or forward delivery. If you were trying to set up some tricky per-user stuff, then you are going to get variable results because some users may be configured as alias, and others are configured as forward, but you can't easily tell which is which from this screen

Problem # 2 : Up the top there is a count showing "[Used # / limit]". This count relates to the number of forwards in use and the maxforwards qmailadmin-limits setting. The count ignores any existing aliases. This could potentially cause confusion for domain postmasters as you will be looking at a screen full of accounts and if some of them have been previously setup as aliases then it is going to be hard to reconcile the reported count against the number of accounts displayed on the screen

What is needed is some sort of utility that will scan and find existing aliases and convert them over to the now-preferred forward syntax.... That would keep the delivery method consistent for all users, and would also eliminate any problems with the qmailadmin-limits code

Note: As of qmailadmin-1.0.25, there is a tool for converting existing aliases to forwards. Look in the contrib dir for the tools called alias2forward.pl

--------------------------------------------------------------------------------

COURIER IMAP

www.inter7.com/courierimap

Courier-IMAP is an IMAP server. Having an IMAP server is a prerequisite to being able to run an IMAP-client WebMail system like SquirrelMail. Courier-IMAP is a good choice because it has support for vpopmail authentication and maildir mailboxes.

Download and unpack the source

cd /usr/local/src

wget http://osdn.dl.sourceforge.net/sour...p-2.1.1.tar.bz2

bunzip2 courier-imap-2.1.1.tar.bz2

tar xf courier-imap-2.1.1.tar

chown -R root.root courier-imap-2.1.1

cd courier-imap-2.1.1

Build the program

./configure --prefix=/usr/local/courier-imap --disable-root-check --without-authpam --without-authldap --without-authpwd --without-authmysql --without-authpgsql --without-authshadow --without-authuserdb --without-authcustom --without-authcram --with-authdaemon --with-authvchkpw --with-ssl

# note, if you are building courier on redhat/fedora, you may have to add a

# --with-redhat

# to the list of configuration settings above

make

make install

make install-configure

The Courier-IMAP package includes 4 servers that can be individually enabled/disabled : IMAP, IMAP-SSL, POP3, POP3SSL. In this example, we are only using the IMAP server.

vi /usr/local/courier-imap/etc/imapd

MAXDAEMONS=40

MAXPERIP=40

AUTHMODULES="authdaemon"

IMAP_EMPTYTRASH=Trash:7,Sent:30

IMAPDSTART=YES

Configure Courier-IMAP so it is running all the time from bootup onwards

cp /usr/local/src/courier-imap-2.1.1/courier-imap.sysvinit /etc/rc.d/init.d/courier-imap

chmod 744 /etc/rc.d/init.d/courier-imap

chkconfig --add courier-imap

Then I like to use the ntsysv program to double-check that courier-imap is set to launch at boot time

If you aren't ready to reboot the server now, you can fire up Courier-IMAP in the mean time with this command :

/etc/rc.d/init.d/courier-imap start

At this point the courier-imap software should be running. A good way to verify this is to use this command :

ps axf

And if all is well, you should be able to see something like this :

24033 ? S 0:00 /usr/local/courier-imap/libexec/authlib/authdaemond.plain start

18973 ? S 0:00 \_ /usr/local/courier-imap/libexec/authlib/authdaemond.plain start

18974 ? S 0:00 \_ /usr/local/courier-imap/libexec/authlib/authdaemond.plain start

18975 ? S 0:00 \_ /usr/local/courier-imap/libexec/authlib/authdaemond.plain start

18976 ? S 0:00 \_ /usr/local/courier-imap/libexec/authlib/authdaemond.plain start

18977 ? S 0:00 \_ /usr/local/courier-imap/libexec/authlib/authdaemond.plain start

24043 ? S 0:00 /usr/local/courier-imap/libexec/couriertcpd -address=0 -stderrlogger=/usr/local/courier-imap/libexec/cour

24046 ? S 0:00 /usr/local/courier-imap/libexec/courierlogger imapd

--------------------------------------------------------------------------------

SQUIRRELMAIL

www.squirrelmail.org

The text that had a yellow background on the original web page is specific to using the MySQL backend. If you don't want to use the MySQL backend, then just skip over those sections....

Go to the SquirrelMail download page, and save the latest source to /usr/local/src. In this example I have used :

squirrelmail-1.5.0.tar.gz

Download and unpack all the sources

cd /usr/local/apache/htdocs

tar xzf /usr/local/src/squirrelmail-1.5.0.tar.gz

chown -R root.www squirrelmail-1.5.0

chmod -R 750 squirrelmail-1.5.0

ln -s squirrelmail-1.5.0 squirrelmail

Create the required directory structure

mkdir /var/squirrelmail

# create the data dir. This is where users' personal preferences are stored if not using the MySQL backend

mkdir /var/squirrelmail/data

# create the attach dir. This is where temp files for emails in progress are stored

mkdir /var/squirrelmail/attach

cd squirrelmail

cp data/default_pref /var/squirrelmail/data

chown -R root.www /var/squirrelmail

chmod -R 0770 /var/squirrelmail/data

chmod -R 0730 /var/squirrelmail/attach

SquirrelMail allows you to add your company logo to the login page. So whack a copy of your logo into the Apache images directory so it is available for SquirrelMail to use

cp /usr/local/src/yourcompanylogo-100.gif /usr/local/apache/htdocs/images

Configure SquirrelMail

cd config

perl conf.pl

D. SET PRE-DEFINED SETTINGS FOR SPECIFIC IMAP SERVERS

Choose Courier

1. ORGANIZATION PREFERENCES

1. Organization name : YourCompany

2. Organization Logo : /images/yourcompanylogo-100.gif

3. Org. Logo Height/Width : 100/100

4. Organization title : YourCompany WebMail (v$version)

7. Provider link : http://www.yourdomain.com

8. Provider name : YourCompany

2. SERVER SETTINGS

1. Domain : yourdomain.com

Press A to update IMAP settings

4. IMAP Server : localhost

5. IMAP Port : 143

6. Authentication type : login

7. Secure IMAP (TLS) : false

8. Server software : courier

9. Delimiter : .

Press B to update SMTP settings

4. SMTP Server : localhost

5. SMTP Port : 25

6. POP before SMTP : false

7. SMTP Authentication : none

8. Secure SMTP (TLS) : false

3. FOLDER DEFAULTS

9. List Special Folders First : false

15. Default Unseen Type : 2

4. GENERAL OPTIONS

1. Data directory : /var/squirrelmail/data

2. Attachment directory : /var/squirrelmail/attach

5. Usernames in lower case : true

8. Hide SM attributions : true

11. Allow server-side sorting : false

( Note, server-side sorting is faster, but I personally find the sort results to be not as "intuitive" compared with when you let SquirrelMail do the sorting. If you toggle this option on/off and compare the resultant displays in SquirrelMail you will see what I mean. For example if you server-sort the FROM column then the sort will be done on the sender's email address, whereas if you let SquirrelMail do the sort then the column will be sorted on the sender's name. I would suggest you try toggling this option on and off to make your own decision on which sorting method provides the better results.)

6. ADDRESS BOOKS

2. Use Javascript Address Book Search : True

9. DATABASE

1. DSN for address book : mysql://squirreluser:squirrelpassword@localhost/squirrelmail

3. DSN for preferences : mysql://squirreluser:squirrelpassword@localhost/squirrelmail

Now Save and quit the config program

Create the necessary database and tables in MySQL, so that SquirrelMail can store the address books and user preferences there :

cd /usr/local/mysql/bin

./mysql --password="mysql-root-pwd"

CREATE DATABASE squirrelmail;

GRANT select,insert,update,delete ON squirrelmail.*

TO squirreluser@localhost IDENTIFIED BY 'squirrelpassword';

USE squirrelmail;

CREATE TABLE address (

owner varchar(128) DEFAULT '' NOT NULL,

nickname varchar(16) DEFAULT '' NOT NULL,

firstname varchar(128) DEFAULT '' NOT NULL,

lastname varchar(128) DEFAULT '' NOT NULL,

email varchar(128) DEFAULT '' NOT NULL,

label varchar(255),

PRIMARY KEY (owner,nickname),

KEY firstname (firstname,lastname)

);

CREATE TABLE userprefs (

user varchar(128) DEFAULT '' NOT NULL,

prefkey varchar(64) DEFAULT '' NOT NULL,

prefval blob NOT NULL,

PRIMARY KEY (user,prefkey)

);

quit

You can define the default SquirrelMail settings that users will receive when they log in.

For MySQL backend

cd /usr/local/apache/htdocs/squirrelmail

# replace the default preferences definition in the db_prefs file

# with our own customised defaults.

# Open the file, scroll down and replace the existing "var $default"

# entry (on line 80) with our customised version shown below

vi functions/db_prefs.php

var $default = Array('chosen_theme' => '../themes/default_theme.php',

'show_html_default' => '1',

'language' => 'en_US',

'use_javascript_addr_book' => '1',

'left_size' => '140',

'left_refresh' => '3600',

'show_username' => '1',

'show_username_pos' => 'top',

'order1' => '1',

'order2' => '2',

'order3' => '3',

'order4' => '5',

'order5' => '4',

'order6' => '6');

Or, if you aren't running MySQL backend for SquirrelMail, you can adjust the default preferences like this :

vi /var/squirrelmail/data/default_pref :

show_html_default=1

language=en_US

use_javascript_addr_book=1

left_size=140

left_refresh=3600

show_username=1

show_username_pos=top

order1=1

order2=2

order3=3

order4=5

order5=4

order6=6

Setup periodic purging of the "attach" directory

When SquirrelMail users are composing a message that has attachment(s), the attachment is temporarily stored in the /var/squirrelmail/attach directory. When the user sends the message, the associated temp files will get deleted.

However sometimes the temp files do not get deleted (eg if the user closes their browser mid-compose?). Since the permissions on this directory are setup (as a security measure) to prevent the webserver from listing the files in this directory, there is no way for Apache/SquirrelMail to do a periodic scan/purge of old files.

So we are going to setup a daily crontab to clean up any attachments that get left hanging around

crontab -e

# delete any files that are more than 2 days old from the SquirrelMail attachment dir

# (pass the directory itself rather than attach/*, so find does not fail when the

# directory happens to be empty, and use -type f so only files are removed)

0 0 * * * find /var/squirrelmail/attach -type f -atime +2 -exec /bin/rm -f {} \;

Install the quota_usage plugin so users can see their mailbox quota usage

cd /usr/local/src

wget http://www.squirrelmail.org/plugins...sage-1.2.tar.gz

wget http://www.squirrelmail.org/plugins...lity-1.2.tar.gz

cd /usr/local/apache/htdocs/squirrelmail/plugins

tar xzf /usr/local/src/quota_usage-1.2.tar.gz

tar xzf /usr/local/src/compatibility-1.2.tar.gz

chown -R root.www quota_usage

chmod -R o-rx quota_usage

chown -R root.www compatibility

chmod -R o-rx compatibility

# qmailadmin and the other tools all classify 1MB as 1048576 bytes (1024 * 1024)

# Fix up the quota_plugin so it works with the same units.

# Otherwise your quota would show as 20M in qmailadmin, and 21M in SquirrelMail :-/

vi quota_usage/functions.php

Go to line 37 and change the value 1000000 to 1048576

cd ../config

perl conf.pl

8. Plugins

choose quota_usage

choose compatibility

Optionally, Setup SSL mode at login time

cd /usr/local/src

wget http://www.squirrelmail.org/plugins....2-1.2.8.tar.gz

cd /usr/local/apache/htdocs/squirrelmail/plugins

tar xzf /usr/local/src/secure_login-1.0-1.2.8.tar.gz

chown -R root.www secure_login

chmod -R o-rx secure_login

cd ../config

perl conf.pl

8. Plugins, and choose secure_login

Optionally, modify SquirrelMail so that it logs any failed login attempts to syslog

modify squirrelmail/functions/imap_general.php

search for the line that has "Unknown user or password incorrect"

above this line add :

syslog(LOG_MAIL|LOG_NOTICE,"Squirrelmail login failed for Username : $username, Password : $password");

Now failed SquirrelMail logins will be logged to /var/log/maillog :-) Note that, as written, the log line records the attempted password alongside the username; drop the $password variable from the format string if you don't want cleartext credentials accumulating in the mail log.

We also added some code to squirrelmail/src/login.php to add a notes page to the login screen. We inserted this chunk just before the line that says "do_hook('login_bottom');"

echo "

".

"".

"IMPORTANT NOTES REGARDING THE WEBMAIL SYSTEM

".

"AUTOMATIC MAIL DELETION

".

"The mail server will automatically delete mail from the

".

"following folders after the specified number of days :

".

"Trash Folder - 7 days, Sent Folder - 30 days".

"POP3 MAIL CLIENTS

".

"If you check your mail using a POP3 mail client (such as Outlook Express),

".

"it will download and delete the mail from your WebMail inbox.

".

"If you want to be able to download the mail using POP3 and also

".

"leave it on the server so you can see it with WebMail, you will need

".

"to adjust the settings in your POP3 client to tell it not to delete

".

"mail after downloading.

".

"For example, to configure this in Outlook Express you would go to

".

"Tools - Accounts - Mail - Properties - Advanced

".

"and then tick the box

'Leave a copy of message on server'".

"".

"

";

Now, another cosmetic change... : modify the squirrelmail/src/login.php and change the wording of "Name:" to "Email address:".

Next, we set up a default document in the web server's root to redirect our customers through to the SquirrelMail login page. That way, when people want to access the WebMail tool they can point their browser to "http://webmail.yourdomain.com" and they will be automatically redirected through to the SquirrelMail directory.

vi /usr/local/apache/htdocs/index.html

Redirect to WebMail login screen...

Redirecting to the WebMail login screen...

Click here if you are not automatically redirected

--------------------------------------------------------------------------------

SPAM AND VIRUS CHECKING

OK, now you have a working mail server.. You have loaded all your users and they are giving the new system a good workout. Everything is running nice and smoothly. You sit back and think "my job is done!"

Until... users starting coming to you and saying... "Hey, this new mail server is really good... But how do I block out all these viruses and spam?"... Uh oh...!

Well, luckily the answer is relatively easy..... The qmail-scanner program lets us easily implement anti-spam and anti-virus. Installation instructions follow :

RAZOR V2

http://razor.sourceforge.net

If Razor is installed, SpamAssassin will automatically include it in the list of tests run. We found that Razor is quite accurate in identifying spam, and it only added a small amount of extra CPU load on the server, so it is definitely worth installing.

Compile and install :

# install the pre-requisite modules for razor

perl -MCPAN -e shell

#(enter your way through all the questions. The only one you will likely have to answer is regarding your Continent/Country)

# tell the cpan shell to follow the dependency tree and automatically grab any required modules

o conf prerequisites_policy follow

# install the razor pre-requisites now

install Net::Ping Net::DNS Time::HiRes Test::More Digest::SHA1 Digest::Nilsimsa Digest::MD5 Digest::HMAC URI

# and while we are here, we will make sure we have all the SpamAssassin prerequisites installed as well

install ExtUtils::MakeMaker File::Spec Pod::Usage HTML::Parser DB_File Net::DNS

quit

# now install the actual razor software

tar xzf razor-agents-2.36.tar.gz

chown -R root.root razor-agents-2.36

cd razor-agents-2.36

perl Makefile.PL

wget ftp://ftp.pipeline.com.au/pipeint/S...azor2.patch.txt

patch -p0 -d lib/Razor2

make

make test

make install

cd ..

The Razor programs will now be installed in /usr/bin. In particular, SpamAssassin makes use of the program called : "razor-check"

Last job is to create the Razor configuration files (they get put into /etc/razor/) by using these commands :

razor-client

razor-admin -d -create -home=/etc/razor

SPAMASSASSIN

http://www.spamassassin.org

Description :

SpamAssassin is a program that scans email messages using a set of rules, and then assigns a score. If the score is higher than your nominated limit, then the message will be tagged as spam.

Download and compile

wget http://www.spamassassin.org/release...sin-2.63.tar.gz

tar xzf Mail-SpamAssassin-2.63.tar.gz

chown -R root.root Mail-SpamAssassin-2.63

cd Mail-SpamAssassin-2.63

perl Makefile.PL

make

make install

"make install" creates the following main files :

/usr/bin/spamassassin

/usr/bin/spamc

/usr/bin/spamd

/usr/share/spamassassin/

/etc/mail/spamassassin/local.cf

Test to see if the installation was successful. (Watch the output from the script. Spamassassin will add headers to the message. In particular look for the "X-Spam-Status: " and see if it correctly tags the message with a Yes or No)

spamassassin -t < sample-nonspam.txt

spamassassin -t < sample-spam.txt

To improve security, modify the configuration of the spamd daemon so it runs under its own uid

Create a spamd user for the spamd process to run as

groupadd spamd

useradd -g spamd spamd

Modify / create the spamd configuration file

vi /etc/sysconfig/spamassassin

# Hint : if you want to enable SpamAssassin debugging

# (the debug output goes to /var/log/maillog) then use :

# SPAMDOPTIONS="-x -u spamd -H /home/spamd -d -D"

# Don't leave debugging turned on unnecessarily though,

# because it will slow down a busy server.

#

# Otherwise, for normal operation (debugging disabled) use :

SPAMDOPTIONS="-x -u spamd -H /home/spamd -d"

Configure the spamd daemon so it is running all the time from bootup onwards

cp spamd/redhat-rc-script.sh /etc/rc.d/init.d/spamd

chmod 700 /etc/rc.d/init.d/spamd

cd ..

chkconfig --add spamd

Then I like to use the ntsysv program to double-check that spamd is set to launch at boot time

Setup the SpamAssassin configuration

vi /etc/mail/spamassassin/local.cf

# Define the sensitivity level. Standard level is 5.

# After a lot of testing, we found that 10 was the best option.

# We found that anything lower produced too many false positives

required_hits 10

# Allow SpamAssassin to rewrite the subject line of any messages it classifies as spam

rewrite_subject 1

# This is the value that will be prepended to the subject line of messages classified as spam

subject_tag [SPAM]

# Put spam analysis reports into the headers of the message (rather than the body)

report_safe 0

# Spamassassin by default will try and run these following spam-detection utilities

# for every mail message. (You can read about them at http://www.spamassassin.org/dist/INSTALL)

# We don't want to waste any CPU cycles trying to run utilities that we don't have installed,

# so disable these tests for the moment.

use_dcc 0

use_pyzor 0

# enable razor2 checking

use_razor2 1

# Enable SpamAssassin's RBL checking features :

# Although we have already done some RBL filtering earlier in qmail's rblsmtpd program,

# it is still recommended to turn on RBL checking in SpamAssassin, as it will run

# checks against a variety of different RBL sources, and the results will help

# tag spam more accurately

skip_rbl_checks 0

# If we haven't received a response from the RBL server in X seconds, then skip that test

rbl_timeout 3

# Now we want to alter some of the default scores for RBL hits

#

# By default the bl.spamcop.net RBL score is 0 (disabled).

# We will override this and give any hits a score of 3

# Info about this RBL is available from http://spamcop.net/fom-serve/cache/290.html

score RCVD_IN_BL_SPAMCOP_NET 3

# You can nominate any netblocks that you control and that contain mailservers that

# you trust, i.e. you control the mailservers in these netblocks so there is no

# need to be running RBL checks against these particular servers.

# In this example below we are allowing the class-c 123.123.123.0 to go without

# Spamassassin RBL checking

trusted_networks 123.123.123.

use_bayes 1

bayes_auto_learn 1

bayes_path /home/spamd/.spamassassin/bayes

If you wish to view all the possible configuration options, use this command :

perldoc Mail::SpamAssassin::Conf

OK, the SpamAssassin software is now fully installed!

Any mail that SpamAssassin classifies as spam will have [SPAM] added to the subject line. You should now probably setup some docs for your users showing them how they can use message filtering rules in their email client. You can see our message filtering guides here

If you aren't ready to reboot the server now, you can fire up spamd in the mean time with this command :

/etc/rc.d/init.d/spamd start

If all goes well you will see some output like this :

9721 ? S 0:01 /usr/bin/spamd -x -u spamd -H /home/spamd -d

(Note that spam filtering isn't actually operational on your server yet, you need to use the qmail-scanner program to feed mail through the SpamAssassin scripts)

ANTI-VIRUS

At my ISP, for the last few years we have used Trend Micro InterScan VirusWall for Linux, and we are happy with its performance and reliability

We tried "McAfee VirusScan Command Line Scanner for Linux" a while back but found it suffered from resource problems and often crashed while scanning mail

The open source Clam antivirus package is also very popular, so I will present installation instructions for it below :

Clam Anti-Virus

http://www.clamav.net

Clam antivirus can run in two different modes. Either as a normal command line scanner, or as a client/daemon pair.

When working as a command line scanner, you perform your scanning using the program "clamscan". If a complex program like a virus scanner is run repetitively (ie being launched for every email that passes through your system), it chews up a lot of CPU/disk resources. To get around this issue you can launch Clam as a daemon (clamd). This is where a copy of Clam is launched and stays active in the background. You then do your scanning using the clamdscan client, which is only small, thus making it fast to launch/run. The client sends commands to the daemon, and the daemon will take care of scanning the message and returning the results to the client. (The same technique is used by SpamAssassin where you can use the full spamassassin command line version, or the spamc/spamd client/daemon pair).

In a busy environment, there is no doubt that the client/daemon method is the best way to go, but unfortunately I cannot recommend clamd at this point, because it doesn't appear to be 100% stable. I tried it on the production server at my ISP and it initially seemed to go OK. However I have read reports on the Internet about clamd being unstable, and even the Clam README file makes mention of this problem. So for the moment, I would recommend you don't set up the clamd process, and just stick with the full clamscan scanner.

groupadd clamav

useradd -g clamav -s /bin/false -c "Clam AntiVirus" clamav

wget http://flow.dl.sourceforge.net/sour...mav-0.65.tar.gz

tar xzf clamav-0.65.tar.gz

cd clamav-0.65

./configure

make

make install

Download latest updates

/usr/local/bin/freshclam -v

Schedule automatic downloading

touch /var/log/clam-update.log

chmod 600 /var/log/clam-update.log

chown clamav /var/log/clam-update.log

crontab -e

0 * * * * /usr/local/bin/freshclam --quiet -l /var/log/clam-update.log

QMAIL-SCANNER

http://qmail-scanner.sourceforge.net

Description :

Qmail-Scanner is an add-on that enables a qmail server to scan messages for certain characteristics. It is typically used for its anti-virus protection functions, in which case it is used in conjunction with commercial (or open source) virus scanners. It is also capable of blocking email that contains specific strings in particular headers, or particular attachment filenames or types (e.g. *.VBS attachments).

Install the required supporting modules for Qmail-Scanner

TNEF unpacker

http://sourceforge.net/projects/tnef/

tar xzf tnef-1.2.3.tar.gz

cd tnef-1.2.3

./configure

make

make install

cd ..

ReformatMIME (from the Maildrop package)

http://download.sourceforge.net/courier/

bunzip2 maildrop-1.6.3.tar.bz2

tar xf maildrop-1.6.3.tar

cd maildrop-1.6.3

./configure

make

make install-strip

make install-man

cd ..

Download and unpack the qmail-scanner program

http://qmail-scanner.sourceforge.net

tar xzf qmail-scanner-1.20.tgz

cd qmail-scanner-1.20

Now at this point, I would recommend you spend some time reading the qmail-scanner documentation.

Next, create a user and group for the qmailscanner to run under

groupadd qscand

useradd -c "Qmail-Scanner Account" -g qscand -s /bin/false qscand

Configure Qmail-Scanner :

# Here are the settings we used at our site for configuring Qmail-Scanner :

#

# configure Qmail-Scanner to work in the following manner :

# - notify a nominated admin each time a virus is detected

# (in this case it will be virusadmin@yourdomain.com)

# - use the command line version of Clam AV for anti-virus scanning.

# I don't recommend clamdscan at this point as the client/daemon method still seems unstable.

# - enable support for spamc/spamd in "verbose" mode.

# Qmail-Scanner can run spamd in "fast" mode or "verbose" mode.

# You can read more about this at the Qmail-Scanner FAQ page.

# I would recommend that you use verbose mode as this allows you to get access to

# the full reporting/tagging features that SpamAssassin can provide. It costs you

# a fraction more CPU power, but provides a much greater range of features.

#

./configure --admin virusadmin --domain yourdomain.com --scanners clamscan,verbose_spamassassin --debug no --install

Follow the notes generated by the install script, i.e. run this command and make sure you don't receive any errors:

setuidgid qmaild /var/qmail/bin/qmail-scanner-queue.pl -g

Edit the perlscanner file, which is used to block mail that contains particular strings. perlscanner is a tool that is included with qmail-scanner, and it is executed after all the other anti-virus scanners have run (eg clamscan). This system provides a good failsafe in case some new virus comes along that the virus scanner can't detect yet. perlscanner is perfect for blocking those virus-prone attachments that have no legitimate purpose in email.

vi /var/spool/qmailscan/quarantine-attachments.txt

Uncomment the following lines :

.vbs 0 VBS files not allowed per Company security policy

.scr 0 SCR files not allowed per Company security policy

.wsh 0 WSH files not allowed per Company security policy

.hta 0 HTA files not allowed per Company security policy

.pif 0 PIF files not allowed per Company security policy

# rebuild the perlscanner database

setuidgid qmaild /var/qmail/bin/qmail-scanner-queue.pl -g
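To see how the uncommented rules behave before real mail hits them, here is an added shell example (not part of qmail-scanner or the original howto) that applies extension rules from a file in the quarantine-attachments.txt layout to attachment filenames. It assumes an extension rule is a case-insensitive suffix match, which is how I read perlscanner's extension rules (confirm against the qmail-scanner docs), and the rules file it writes is constructed from the five lines above.

```shell
#!/bin/sh
# Added example (not from the original howto or qmail-scanner): apply
# extension rules in the quarantine-attachments.txt layout to attachment
# filenames. Assumption: an extension rule matches as a case-insensitive
# suffix, so "Invoice.VBS" and "report.txt.pif" are both caught.

# Write a constructed rules file to FILE. The layout is tab separated:
#   pattern <TAB> size (0 = any size) <TAB> description
write_sample_rules() {
    {
        printf '# lines starting with # are comments\n'
        printf '.vbs\t0\tVBS files not allowed per Company security policy\n'
        printf '.scr\t0\tSCR files not allowed per Company security policy\n'
        printf '.wsh\t0\tWSH files not allowed per Company security policy\n'
        printf '.hta\t0\tHTA files not allowed per Company security policy\n'
        printf '.pif\t0\tPIF files not allowed per Company security policy\n'
    } > "$1"
}

# blocked_reason FILENAME RULESFILE
# Prints the description of the first matching extension rule and returns 0;
# prints nothing and returns 1 when no rule matches.
blocked_reason() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -F'\t' -v name="$name" '
        /^[[:space:]]*#/ || NF == 0 { next }      # comments and blank lines
        substr($1, 1, 1) == "." {                 # only extension rules
            pat = tolower($1)
            n = length(name); p = length(pat)
            if (n >= p && substr(name, n - p + 1) == pat) {
                print $3
                found = 1
                exit
            }
        }
        END { exit found ? 0 : 1 }
    ' "$2"
}

# Demo: ./attachment_policy.sh demo   (script name is my own)
if [ "${1-}" = "demo" ]; then
    rules=$(mktemp)
    write_sample_rules "$rules"
    for f in Invoice.VBS report.txt.pif minutes.pdf; do
        if reason=$(blocked_reason "$f" "$rules"); then
            echo "$f: blocked ($reason)"
        else
            echo "$f: allowed"
        fi
    done
    rm -f "$rules"
fi
```

The double-extension case (report.txt.pif) is the one worth keeping in mind: a suffix rule catches it, whereas a check on "the part after the first dot" would not.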

Any SMTP sessions that are dropped (due to network outages/etc) may lead to files lying around in /var/spool/qmailscan . Running /var/qmail/bin/qmail-scanner-queue.pl -z at least once daily will ensure such files are deleted when they're over 30 hours old. We will make a cronjob to do that :

crontab -e

0 0 * * * /var/qmail/bin/qmail-scanner-queue.pl -z

Next, make sure that your qmail-smtpd script allocates sufficient resources to support the needs of Qmail-Scanner + Antivirus + SpamAssassin

vi /var/qmail/supervise/qmail-smtpd/run

Change the softlimit from 2000000 to something a fair bit larger. We use 15000000.

Now define what mail is to be sent through the Qmail-Scanner.

At our site, we have configured Qmail-Scanner to virus-scan all messages (ie inbound and outbound mail). We did this by setting up our /var/qmail/supervise/qmail-smtpd/run file like this :

#!/bin/sh

# when QMAILQUEUE is set, all mail will be sent to the nominated script

QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl" export QMAILQUEUE

QMAILDUID=`id -u qmaild`

NOFILESGID=`id -g qmaild`

# softlimit needs to be set at something large such as 15000000

# to allow virusscanning software to run successfully

exec /usr/local/bin/softlimit -m 15000000 /usr/local/bin/tcpserver -v -x /etc/tcp.smtp.cdb -c 30 -R -u "$QMAILDUID" -g "$NOFILESGID" 0 smtp ... and the rest of the file snipped ...

However, if you don't want to virus-scan all mail, you can selectively nominate which IP ranges should or shouldn't be checked by setting the QMAILQUEUE variable via your /etc/tcp.smtp file rather than inside the supervise/qmail-smtpd/run file. Refer to the Qmail-Scanner home page for setup examples.

QMAIL-SCANNER / SPAMASSASSIN NOTES :

How can I tell if SpamAssassin is working?

Each time SpamAssassin processes a message, it will log some information to /var/log/maillog (score, message size, time taken to process)
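Those maillog lines are easy to summarise with awk, which answers the question directly and also shows how close your clean mail is sitting to required_hits (useful when deciding whether the value of 10 chosen above is right for your site). The following is an added example, not part of the howto; the log lines it parses are constructed to follow spamd's "identified spam (score/threshold) ... in N seconds, M bytes" wording, and the hostname, PID and qscand:506 user in them are invented.

```shell
#!/bin/sh
# Added example (not from the original howto): summarise spamd result lines
# from /var/log/maillog. The log lines below are constructed; hostname, PID
# and the qscand:506 user are invented for the example.

# Write a handful of constructed spamd log lines to FILE.
write_sample_spamd_log() {
    cat > "$1" <<'EOF'
Mar  1 10:15:02 mail spamd[9721]: processing message <a1@example.com> for qscand:506.
Mar  1 10:15:03 mail spamd[9721]: identified spam (14.2/10.0) for qscand:506 in 1.3 seconds, 3412 bytes.
Mar  1 10:16:10 mail spamd[9721]: clean message (2.1/10.0) for qscand:506 in 0.8 seconds, 1985 bytes.
Mar  1 10:17:44 mail spamd[9721]: clean message (9.9/10.0) for qscand:506 in 2.4 seconds, 25610 bytes.
Mar  1 10:18:01 mail spamd[9721]: identified spam (22.7/10.0) for qscand:506 in 1.1 seconds, 2200 bytes.
EOF
}

# spamd_summary LOGFILE
# Prints one line: scanned=N spam=N clean=N near_threshold=N avg_seconds=X
# "near_threshold" counts clean messages scoring within 1 point of
# required_hits; a steady stream of those suggests the threshold is too high.
spamd_summary() {
    awk '
        /spamd\[[0-9]+\]: (identified spam|clean message) \(/ {
            # score/threshold sits inside the parentheses
            match($0, /\([0-9.]+\/[0-9.]+\)/)
            split(substr($0, RSTART + 1, RLENGTH - 2), st, "/")
            score = st[1] + 0
            threshold = st[2] + 0
            # "in 1.3 seconds" -> 1.3
            match($0, /in [0-9.]+ seconds/)
            secs += substr($0, RSTART + 3, RLENGTH - 11)
            scanned++
            if ($0 ~ /identified spam/) spam++
            else {
                clean++
                if (score >= threshold - 1) near++
            }
        }
        END {
            printf "scanned=%d spam=%d clean=%d near_threshold=%d avg_seconds=%.2f\n",
                   scanned, spam, clean, near, (scanned ? secs / scanned : 0)
        }
    ' "$1"
}

# Stand-alone demo: ./spamd_summary.sh demo   (script name is my own)
if [ "${1-}" = "demo" ]; then
    tmp=$(mktemp)
    write_sample_spamd_log "$tmp"
    spamd_summary "$tmp"
    rm -f "$tmp"
fi
```

On a live box you would run spamd_summary against /var/log/maillog (or a day's worth of it); a result with scanned=0 while mail is clearly flowing means Qmail-Scanner is not handing messages to spamc at all, which is the situation described in the next note.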

Not all mail gets passed through SpamAssassin

We have configured our supervise/qmail-smtpd/run script so that it runs Qmail-Scanner for every mail message. This means all incoming and outgoing mail will get virus-checked. However this doesn't necessarily mean that every message passing through Qmail-Scanner will also get sent through SpamAssassin.

Qmail-Scanner has been coded so that messages are only passed on to SpamAssassin if the RELAYCLIENT variable from tcp.smtp is not set. The idea behind this is to reduce load on the system by not running SpamAssassin on mail originated by your users.

It is possible to force SpamAssassin checking for local users if you choose by setting QS_SPAMASSASSIN="on" for the appropriate entries in your tcp.smtp file

You can read more about this subject at the Qmail-Scanner FAQ page

Is it possible to configure per-user settings for SpamAssassin?

It depends on your configuration. We believe it will be possible to implement an interface so that vpopmail users can turn SpamAssassin checking on/off, and also set their own custom required_hits. We are hoping to store these settings as additional columns in the vpopmail MySQL database... Stay tuned and we will post more info as it comes to hand

Qmail-scanner's quarantine directory

Each virus-infected mail message gets quarantined into the following directory :

/var/spool/qmailscan/quarantine/new

So you will need to periodically purge the files from that dir, or else your hard disk will eventually fill up!
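The two housekeeping jobs in this document, the SquirrelMail attach directory earlier and this quarantine directory, can share one purge routine. The script below is an added example, not the howto's own cron line or anything shipped with qmail-scanner; the 30-day quarantine retention and the /usr/local/sbin/purge_stale.sh path are my own choices. Note that qmail-scanner-queue.pl -z (above) only cleans up the working files from dropped SMTP sessions; the quarantine itself still needs a job like this.

```shell
#!/bin/sh
# Added example (not from the original howto): one purge routine for both
# housekeeping jobs, the SquirrelMail attach directory and Qmail-Scanner's
# quarantine. The retention periods in the "run" section are my own choice.
#
# Differences from the crontab one-liner used for the attach directory:
#  - the directory itself is passed to find, not dir/*, so an empty
#    directory does not make find exit with "No such file or directory"
#  - -type f limits deletion to regular files (subdirectories and the
#    directory itself are left alone)
#  - -mtime is used rather than -atime, because merely reading or scanning
#    a quarantined file refreshes its access time and would keep it alive

# purge_stale DIR DAYS
# Deletes regular files under DIR last modified more than DAYS days ago
# and prints the number of files that matched. Returns 1 if DIR is missing.
purge_stale() {
    dir=$1
    days=$2
    [ -d "$dir" ] || { echo "purge_stale: $dir is not a directory" >&2; return 1; }
    # count first; the tiny window between counting and deleting is fine for a cron job
    count=$(find "$dir" -type f -mtime +"$days" -print | wc -l)
    find "$dir" -type f -mtime +"$days" -exec rm -f -- {} +
    echo $((count))
}

# Invoked from cron in place of two separate entries, e.g.
#   0 0 * * * /usr/local/sbin/purge_stale.sh run
if [ "${1-}" = "run" ]; then
    purge_stale /var/squirrelmail/attach 2 >/dev/null
    purge_stale /var/spool/qmailscan/quarantine/new 30 >/dev/null
fi
```

Keeping the count as the function's return value rather than only logging it makes it easy to raise an alert if a single night's run suddenly deletes far more quarantined files than usual, which is often the first sign of a virus outbreak hitting your users.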

--------------------------------------------------------------------------------

TIPS & MISC NOTES :

"ps axf" is your friend. Particularly useful for visualising how the supervise/qmail processes all fit together.

"ps axfu" is good for double checking what accounts that individual server processes are running under

--------------------------------------------------------------------------------

SOME EXAMPLE MAILBOX MANAGEMENT SCRIPTS :

Since all the information for your email domains and mailboxes is stored in MySQL, it is easy to create scripts so your support staff can quickly navigate / view all this account information.

Our support staff's intranet site is a Windows 2000 machine running IIS5 with ASP. Here are a couple of example ASP scripts that I hacked together that show what can be achieved : vpopmail-asp-scripts.v120.zip. No doubt it would be easy enough to use these same techniques in PHP if you are running linux/apache for your intranet.

The script "viewvlogs" allows you to browse through the vpopmail "vlog" table in MySQL to look for people who have failed to auth successfully when trying to check mail.

The script "viewpop3" allows you to see a list of email domains hosted on your server. You can do things like view all users from a domain, or view an individual mailbox. The output will show useful things like clear passwords, mailbox size. Also there are buttons that will log you into qmailadmin or SquirrelMail as a given user using just a single mouse click

Some screenshots of viewpop3 script:

Main login screen

Login to a domain, View all mailboxes on a domain

Login to an email address, View details for email address

One final note, if you are running IIS, you need to download and install the MySQL Connector ODBC "Windows Driver Installer" files onto your server to allow these scripts to work.

此文講述了在linux環境下架構基于qmail的郵件服務器的完全解決方案,按此說明建立的郵件系統支持pop3/imap/smtp認證,具有webmail及防病毒和反垃圾郵件等功能。采用的軟件都是基于開放源代碼,不用付任何費用即可使用。[url=/bbs/detail_1734900.html][img]http://images.wangchao.net.cn/images/upload/images/lsdn/1212163792783.gif[/img][/url] REDHAT + QMAIL + OPENSSL + APACHE + PHP + MYSQL + VPOPMAIL (with MySQL accounts) + COURIER-IMAP + SQUIRRELMAIL (with MySQL prefs/addrbook), QMAIL-SCANNER + CLAM ANTIVIRUS + SPAMASSASSIN Original of this document is available at http://www.pipeline.com.au/staff/mb...mail-server.htm -------------------------------------------------------------------------------- NAVIGATION LINKS Jump straight to : MySQL OpenSSL Apache qmail vpopmail qmailadmin Courier-IMAP SquirrelMail Qmail-Scanner / Clam AntiVirus / SpamAssassin Tips %26amp; Misc Notes Some example web-based domain/mailbox navigation scripts -------------------------------------------------------------------------------- BEFORE YOU START I would recommend you first learn qmail via www.lifewithqmail.org, then learn about vpopmail toasters using Bill Shupp's Linux Qmail Toaster notes. Jeremy Oddo has also written another good qmail toaster page. Once you have a good grip on all those concepts, come back and read this doc to learn how you can add MySQL back-ends to vpopmail and SquirrelMail :-) -------------------------------------------------------------------------------- WHY USE MYSQL FOR THE VPOPMAIL AND SQUIRRELMAIL BACK-ENDS? By having all the vpopmail account data stored it MySQL, it allows you to easily write web based tools (eg in ASP or PHP) that can talk to the database and then present easy-to-use interface for your support staff to manage the user accounts. 
I have included some more info and examples on this subject at the bottom of this doc You can easily add additional columns to the vpopmail tables to store other "per-user" information without affecting the operation of vpopmail For a server with many user accounts, you would expect that MySQL would give faster performance than disk based accounts. Particularly when you have a large number of users in a given domain. (I haven't personally done any benchmarks on this, and I also have never seen anyone else run such a test, but you would have to expect that a SQL based backend would scale better than the file-based cdb backend that qmail/vpopmail uses by default) If you have a very large number of accounts, vpopmail can be configured to use MySQL replication and NFS to share the load over over multiple servers -------------------------------------------------------------------------------- ABOUT THESE NOTES I have successfully used these notes to build many Redhat 7.2, 7.3 and 8.0 based servers. People have told me that Redhat 9.0 %26amp; Fedora will also work, but you have to be aware of a few issues : Most of the qmail software and associated utilities will not compile under RH9 or Fedora, due to conflicts with its new version of glibc. You can get patches to solve these problems from www.qmail.org. (Do a search for "errno") For packages using perl (eg Razor, SpamAssassin), you may need to add an "export LANG=en_US" to your scripts, or alternatively modify the "/etc/sysconfig/i18n" file. All the commands shown below have been run as root. Follow these notes at your own risk...! -------------------------------------------------------------------------------- REDHAT 7.2 / 7.3 / 8.0 NOTES FIREWALL : The ipchains or iptables firewalling software will usually be installed during Redhat's installation process. 
For this server you will need to make sure you have opened access on at least the following ports : SMTP:TCP HTTP.TCP HTTPS:TCP POP3:TCP NTP:UDP Note that we arent going to open the IMAP:TCP port, as we are not offering IMAP services directly to our clients. We will be running an IMAP server, but the only program talking to it will be the SquirrelMail software which is also running on this same box. On Redhat 7.2 / 7.3 (which uses ipchains by default) You can examine/modify the ipchains config by working on the file : /etc/sysconfig/ipchains If you make any changes to this file, you will need to restart the ipchains software : /etc/rc.d/init.d/ipchains restart On Redhat 8.0 (which uses iptables by default) You can examine/modify the iptables config by working on the file : /etc/sysconfig/iptables If you make any changes to this file, you will need to restart the iptables software : /etc/rc.d/init.d/iptables restart SETUP TIME SYNCHRONISATION : Mail servers need to have their clocks set correctly. If you don't have their time sync'ed, you can experience strange problems. Redhat comes with the ntpd package which is easy to setup vi /etc/ntp.conf look for the "# --- OUR TIMESERVERS -----" section and then put in the following lines : restrict xxx.xxx.xxx.xxx mask 255.255.255.255 nomodify notrap noquery server xxx.xxx.xxx.xxx where xxx.xxx.xxx.xxx is the IP address of your (or your upstream's) NTP server After making the changes, you will need to restart the ntpd service : /etc/rc.d/init.d/ntpd restart Use the ntsysv program and make sure the ntpd service is enabled at bootup time SETUP DNS : For our example, we setup an A record for hostname.yourdomain.com. Any domains that we are hosting mail for should have their primary MX pointing to this host. 
We also created the following CNAME aliases for this host: pop3, smtp, webmail

This allows our users to:
access SquirrelMail and qmailadmin via http://webmail.yourdomain.com
set their POP3 clients to pop3.yourdomain.com for their incoming mail, and smtp.yourdomain.com for their outgoing mail

IMPORTANT: Never configure an end-user's software to reference the hostname directly. Even though you might start out with just a single box doing all your email functions, later on you might add other boxes to split the load onto different machines (eg one to handle all the SMTP mail, another doing POP3/IMAP and another again doing WebMail). By setting your clients to use the aliased names, you can add extra boxes and then just update the DNS as appropriate. No changes will be required on the clients' computers. Make sure you take my advice now on this matter. You will thank me for this later!! :-)

(OPTIONAL) UPDATE YOUR KERNEL

RedHat regularly publishes updated versions of the Linux kernel to suit their various RedHat distributions. To ensure that your server has the best performance and reliability, it is a good idea to regularly upgrade to the latest available kernel. RedHat have some easy-to-follow instructions online:

RedHat 7.2 kernel upgrade guide
RedHat 7.3 kernel upgrade guide
RedHat 8.0 kernel upgrade guide

--------------------------------------------------------------------------------

MYSQL

www.mysql.com

We will be using MySQL to store all the domain and mailbox account information for vpopmail. We are also going to use MySQL to store the SquirrelMail user preferences and address books.

Setup an account for the MySQL server to run under:

groupadd mysql
useradd -g mysql mysql

Go to their website and download the latest binaries to /usr/local/src. In this example I have used the file: mysql-max-3.23.57-pc-linux-i686.tar.gz

(Note, MySQL v4 has recently been released as "stable", however I am yet to do any testing under this new version. I would recommend that you stay with v3.23 until the v4 series is more mature.)

Unzip / configure the binaries so they get installed to /usr/local/mysql:

cd /usr/local
tar xzf /usr/local/src/mysql-max-3.23.57-pc-linux-i686.tar.gz
ln -s mysql-max-3.23.57-pc-linux-i686 mysql

Run the installation script that creates/verifies all the various system-use tables etc:

cd mysql
scripts/mysql_install_db
cd ..

Setup permissions on the MySQL dirs:

chown -R root.mysql mysql-max-3.23.57-pc-linux-i686
chmod -R 640 mysql
chmod -R u+X,g+X mysql
chmod -R ug+x mysql/bin
chmod -R g+w mysql/data
chmod -R u+x mysql/scripts

Let the MySQL server know what amount of resources it is allowed to use:

# choose an appropriate config file from the samples provided
cp /usr/local/mysql/support-files/my-medium.cnf /usr/local/mysql/data/my.cnf
# adjust the permissions on the file so that the mysql daemon can read the contents
chgrp mysql /usr/local/mysql/data/my.cnf

Fire up the server:

cd /usr/local/mysql
bin/safe_mysqld --user=mysql &

At this point the mysql daemons should be running. A good way to verify this is to use this command:

ps axf

If all is well, you should be able to see something like this:

 1073 ?        S      0:00 /bin/sh ./bin/safe_mysqld --datadir=/usr/local/mysql/data --pid-file=/usr/local/mysql/data/.pid
 1117 ?        S      0:00  \_ /usr/local/mysql/bin/mysqld --defaults-extra-file=/usr/local/mysql/data/my.cnf --basedir=/usr/local/m
 1125 ?        S      0:00      \_ /usr/local/mysql/bin/mysqld --defaults-extra-file=/usr/local/mysql/data/my.cnf --basedir=/usr/loc
 1126 ?        S      0:00          \_ /usr/local/mysql/bin/mysqld --defaults-extra-file=/usr/local/mysql/data/my.cnf --basedir=/usr
 1143 ?        S      0:00          \_ /usr/local/mysql/bin/mysqld --defaults-extra-file=/usr/local/mysql/data/my.cnf --basedir=/usr
 1419 ?        S      0:00          \_ /usr/local/mysql/bin/mysqld --defaults-extra-file=/usr/local/mysql/data/my.cnf --basedir=/usr
 1449 ?        S      0:00          \_ /usr/local/mysql/bin/mysqld --defaults-extra-file=/usr/local/mysql/data/my.cnf --basedir=/usr
 1471 ?        S      0:00          \_ /usr/local/mysql/bin/mysqld --defaults-extra-file=/usr/local/mysql/data/my.cnf --basedir=/usr

(If you received errors, look in the file /usr/local/mysql/data/hostname.err for debugging info)

Next setup a password for the MySQL root user:

/usr/local/mysql/bin/mysqladmin -u root password 'mysql-root-pwd'

Configure MySQL so it is running all the time from bootup onwards:

cp /usr/local/mysql/support-files/mysql.server /etc/rc.d/init.d/mysql
chmod 744 /etc/rc.d/init.d/mysql
chkconfig --add mysql

Then I like to use the ntsysv program to double-check that mysql is set to launch at boot time.

--------------------------------------------------------------------------------

OPENSSL

www.openssl.org

This package is optional. It is required if you want your Apache software to have SSL support. We have used it because we want our WebMail interface to have SSL functionality for the login screens. If you don't want/need SSL support, you could skip this section.

Go to their website and download the latest source to /usr/local/src.
In this example I have used the file: openssl-0.9.7b.tar.gz

Compile source (installs to /usr/local/ssl):

cd /usr/local/src
tar xzf openssl-0.9.7b.tar.gz
chown -R root.root openssl-0.9.7b
cd openssl-0.9.7b
./config no-threads -fPIC
make
make install

Generate a private key (make a KEY file):

cd /usr/local/ssl
# generate a 1024-bit RSA private key
bin/openssl genrsa -out private/webmail.yourdomain.com.key 1024
# make sure the permissions on the private dir are tight
chown -R root.root private
chmod -R 600 private
chmod u+X private

Generate a certificate signing request (make a CSR file):

# fill in the X.509 prompts when they appear on the screen
# make sure you put the web site's name into the common name box eg webmail.yourdomain.com
bin/openssl req -new -key private/webmail.yourdomain.com.key -out certs/webmail.yourdomain.com.csr

Country Name (2 letter code) [AU]:AU
State or Province Name (full name) [Some-State]:Your State
Locality Name (eg, city) []:Your City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your Company Pty Ltd
Organizational Unit Name (eg, section) []:Internet Services
Common Name (eg, your name or your server's hostname) []:webmail.yourdomain.com
Email Address []:postmaster@yourdomain.com

Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:yoursecretpasswd
An optional company name []:

Get the certificate signed (make a CRT file):

Get the certificate signed by one of the official signing authorities (eg Thawte): send the webmail.yourdomain.com.csr file to a signing authority for processing. When they have signed it, copy the signed certificate to /usr/local/ssl/certs/webmail.yourdomain.com.crt

Or alternately, here is how you can sign it yourself so you can do a bit of testing:

bin/openssl x509 -req -days 30 -in certs/webmail.yourdomain.com.csr -out certs/webmail.yourdomain.com.crt -signkey private/webmail.yourdomain.com.key

A note for the future... Eventually you will need to renew your certificate:

If you get your certificate signed by eg Thawte, then after the certificate period expires (typically 1 year), you will need to renew the certificate.

If all the details for your server are still the same as on your original signing request, then you do not have to submit a new CSR file. You can just ask them to "re-sign" your existing certificate with an updated expiry date. Before proceeding with your renewal request, make sure you still have a copy of your original private key, as the new certificate will require this file.

Alternatively, if any of the details for your server have changed, then you will need to apply for a new certificate. To do this just follow the original steps above that show how to create a certificate from scratch. (Thawte will still only bill you the cheaper renewal rates.)

Thawte will then send you an updated CRT, and all you do is save this over the top of your original CRT file (/usr/local/ssl/certs/webmail.yourdomain.com.crt), and then restart the apache server.

--------------------------------------------------------------------------------

APACHE WEB SERVER (WITH MOD_SSL & PHP4 AS DSO MODULES)

http://httpd.apache.org

The mod_ssl-specific steps below (merging in the mod_ssl source, and the SSL-related parts of the apache configure line; shown with a green background on the original page) are only required if you are building in support for mod_ssl.

Uninstall apache if it is installed already:

rpm -e --nodeps apache

Go to their website and download the latest source to /usr/local/src. In this example I have used the file: apache_1.3.27.tar.gz

(Note, Apache v2 has recently been released as "stable", however I am yet to do any testing under this new version. I would recommend that you stay with v1.3 until the v2 series is more mature.)

Extract the apache source:

cd /usr/local/src
tar xzf apache_1.3.27.tar.gz
chown -R root.root apache_1.3.27

Create an account and group for the web server to run under:

groupadd www
useradd -g www www

Merge in the mod_ssl source (mod_ssl only)

www.modssl.org

mod_ssl provides SSL cryptography functionality for the Apache webserver.

Go to their website and download the version of mod_ssl that matches your version of apache. Put the file into /usr/local/src. In this example I have used the file: mod_ssl-2.8.14-1.3.27.tar.gz

Extract the source:

cd /usr/local/src
tar xzf mod_ssl-2.8.14-1.3.27.tar.gz
chown -R root.root mod_ssl-2.8.14-1.3.27
cd mod_ssl-2.8.14-1.3.27

And now use the configure script to patch the apache source tree:

./configure --with-apache=../apache_1.3.27 --with-crt=/usr/local/ssl/certs/webmail.yourdomain.com.crt --with-key=/usr/local/ssl/private/webmail.yourdomain.com.key

Compile the apache source (the SSL_BASE setting and the ssl module options are mod_ssl only):

cd /usr/local/src
cd apache_1.3.27
SSL_BASE=../openssl-0.9.7b ./configure --prefix=/usr/local/apache --enable-module=so --enable-module=rewrite --enable-shared=rewrite --enable-module=ssl --enable-shared=ssl --disable-rule=SSL_COMPAT --server-uid=www --server-gid=www
make
make install

Now add PHP scripting support

www.php.net

Go to their website and download the latest source to /usr/local/src.
In this example I have used: php-4.3.2.tar.gz

Extract the source:

cd /usr/local/src
tar xzf php-4.3.2.tar.gz
chown -R root.root php-4.3.2
cd php-4.3.2

And now use the configure script to build PHP as an Apache module (via apxs) with MySQL support:

./configure --with-mysql=/usr/local/mysql --with-apxs=/usr/local/apache/bin/apxs
make
make install

Put the sample php.ini file into the required location:

cp php.ini-dist /usr/local/lib/php.ini

Modify the /usr/local/lib/php.ini file and make sure it contains the following settings:

max_execution_time=60
memory_limit=10M
post_max_size=8M
upload_max_filesize=8M
file_uploads=On
log_errors=On
error_log=/usr/local/apache/logs/php_error_log

Tighten the security on the PHP dir:

# Since we have installed PHP as a module, it will run in our chosen "www" context.
# We will now tighten up the permissions on the php directory to allow only root and www users access
chown -R root.www /usr/local/lib/php
chmod -R g-w,o-rwx /usr/local/lib/php

Edit the /usr/local/apache/conf/httpd.conf file:

User www
Group www
ServerAdmin postmaster@yourdomain.com
ServerName webmail.yourdomain.com

# Following line should be present already as it would be inserted by the PHP make.
# Make sure you move it outside of the <IfDefine SSL> section if the make (incorrectly) put it there
LoadModule php4_module libexec/libphp4.so

# uncomment (or add) the following line
AddType application/x-httpd-php .php

# Add index.php into this line so apache will use this file as a default in addition to index.html
DirectoryIndex index.php index.html

# Go towards the end of the httpd.conf and look for the "SSL Virtual Host Context" (mod_ssl only)
ServerName webmail.yourdomain.com
ServerAdmin postmaster@yourdomain.com

Tidy up the default Apache contents dir:

rm -Rf /usr/local/apache/htdocs/*
rm -f /usr/local/apache/index.html.*

Tidy up the default Apache cgi-bin dir:

rm -Rf /usr/local/apache/cgi-bin/*

Setup permissions on the Apache dirs:

cd /usr/local
# make root.root own the entire Apache tree
chown -R root.root apache
# setup permissions on the apache dir.
# Because it is owned by root.root, we need to make sure the world permission bits
# allow rx so that the www group in particular can get access to the apache root
chmod 755 apache
# now set the rest of the apache root to only allow root to rw. Everything else blocked.
# We will selectively go and open permissions as needed
chmod -R 600 apache/*
# give owner (root) search/access permissions on all directories in the apache root
chmod -R u+X apache
cd apache
# bin dir contains binaries, so grant execute permissions to owner (root)
chmod -R u+x bin
# cgi-bin contains binaries. Allow either owner (root) or group (web server (www)) to execute these
chgrp -R www cgi-bin
chmod -R u+x,g+x cgi-bin
# the web server needs read access to the icons dir
chgrp -R www icons
chmod -R g+rX icons
# Web server log files can be written by the service processes,
# but the log files cannot be read or served as web content.
# Web server log files can be read only by administration processes
chgrp -R www logs
chmod g+wX logs
# public web files need to be readable, but not writable, by the web service processes.
# Also the directories where public web content is stored must not be writable by web service processes.
# Also public web content files can be written only by processes authorised for web server admin (only root in our case)
chgrp -R www htdocs
chmod -R g+rX htdocs

OPTIONAL: ADD MOD_GZIP SUPPORT

http://sourceforge.net/projects/mod-gzip/

mod_gzip is a module for Apache that allows you to compress outgoing content from an Apache web server on-the-fly. It uses the same compression as gzip and no plugins or extra software is needed by your browser to take advantage of this product. Reduction in size of up to 90% or more is possible.

Go to their website and download the latest source to /usr/local/src. In this example I have used: mod_gzip-1.3.26.1a.tgz

Unpack the sources:

cd /usr/local/src
wget http://telia.dl.sourceforge.net/sou...p-1.3.26.1a.tgz
tar xzf mod_gzip-1.3.26.1a.tgz
chown -R root.root mod_gzip-1.3.26.1a
cd mod_gzip-1.3.26.1a

Compile:

APXS=/usr/local/apache/bin/apxs make
APXS=/usr/local/apache/bin/apxs make install

Setup the mod_gzip config in Apache's httpd.conf file:

vi /usr/local/apache/conf/httpd.conf

# Add the following commands to the end of the httpd.conf file
LoadModule gzip_module libexec/mod_gzip.so
mod_gzip_on Yes
mod_gzip_temp_dir /tmp
mod_gzip_keep_workfiles No
mod_gzip_minimum_file_size 500
mod_gzip_maximum_file_size 5000000
mod_gzip_maximum_inmem_size 60000
mod_gzip_handle_methods GET
mod_gzip_item_include file "\.htm$"
mod_gzip_item_include file "\.html$"
mod_gzip_item_include file "\.txt$"
mod_gzip_item_include file "\.php$"
mod_gzip_item_include mime "text/*"
mod_gzip_item_include mime "httpd/unix-directory"
mod_gzip_item_include mime "application/x-httpd-php"
mod_gzip_item_exclude file "\.css$"
mod_gzip_item_exclude file "\.js$"
mod_gzip_item_exclude file "\.wml$"
mod_gzip_dechunk Yes
LogFormat "%h %l %u %t \"%r\" %>s %b mod_gzip: %{mod_gzip_compression_ratio}npct." common_with_mod_gzip_info1
# CustomLog /usr/local/apache/logs/mod_gzip common_with_mod_gzip_info1
LogFormat "%h %l %u %t \"%V %r\" %>s %b mod_gzip: %{mod_gzip_result}n In:%{mod_gzip_input_size}n Out:%{mod_gzip_output_size}n:%{mod_gzip_compression_ratio}npct." common_with_mod_gzip_info2
CustomLog /usr/local/apache/logs/mod_gzip common_with_mod_gzip_info2
mod_gzip_add_header_count Yes

CRANK IT UP!

Test your httpd.conf for valid syntax:

/usr/local/apache/bin/apachectl configtest

Start the Apache server:

# if you are using SSL:
/usr/local/apache/bin/apachectl startssl
# if you aren't using SSL:
/usr/local/apache/bin/apachectl start

At this point the apache daemon should be running.
A good way to verify this is to use this command:

ps axf

If all is well, you should be able to see something like this:

 1210 ?        S      0:00 /usr/local/apache/bin/httpd -DSSL
 1274 ?        S      0:03  \_ /usr/local/apache/bin/httpd -DSSL
 1275 ?        S      0:00  \_ /usr/local/apache/bin/httpd -DSSL
 1276 ?        S      0:02  \_ /usr/local/apache/bin/httpd -DSSL
 1277 ?        S      0:03  \_ /usr/local/apache/bin/httpd -DSSL
 1278 ?        S      0:01  \_ /usr/local/apache/bin/httpd -DSSL

If you got Apache to startup OK, then add the appropriate apachectl line to /etc/rc.d/rc.local (or even better yet we could put an appropriate script into /etc/rc.d/init.d/. I will have to get around to writing such a script one day soon.)

--------------------------------------------------------------------------------

QMAIL

I recommend that you follow the instruction guide at www.lifewithqmail.org. However, if you really want to see how we normally do it, here are the steps:

INSTALL UCSPI-TCP

cd /usr/local/src
wget http://cr.yp.to/ucspi-tcp/ucspi-tcp-0.88.tar.gz
wget http://www.qmail.org/ucspi-rss.diff
tar xzf ucspi-tcp-0.88.tar.gz
chown -R root.root ucspi-tcp-0.88
cd ucspi-tcp-0.88
# Patch rblsmtpd so that it can be used with all the newer RBL zones.
# This patch also lets you specify a custom error message to be returned to the sender.
patch -p0 rblsmtpd.c < ../ucspi-rss.diff
# Modify rblsmtpd.c to increase the maximum size of the error text that is allowed
# to be returned to the sender from 200 to 500 chars.
# This allows you to create some nice and descriptive text to send to people who
# are being blocked by your RBL filters
vi rblsmtpd.c

Go to line 166 and change it from:

if (text.len > 200) text.len = 200;

to:

if (text.len > 500) text.len = 500;

make
make setup check

INSTALL DAEMONTOOLS

cd /usr/local/src
wget http://cr.yp.to/daemontools/daemontools-0.76.tar.gz
mkdir -p /package
chmod 1755 /package
cd /package
tar xzfp /usr/local/src/daemontools-0.76.tar.gz
cd admin/daemontools-0.76
package/install

INSTALL QMAIL

Download the required files:

cd /usr/local/src
wget http://cr.yp.to/software/qmail-1.03.tar.gz
wget http://www.ckdhr.com/ckd/qmail-103.patch
wget http://www.qmail.org/qmailqueue-patch
wget http://www.shupp.org/patches/qmail-maildir++.patch
wget ftp://ftp.pipeline.com.au/PipeInt/S...ltime.patch.txt
wget ftp://ftp.pipeline.com.au/pipeint/s...-size.patch.txt
wget ftp://ftp.pipeline.com.au/PipeInt/S...ch-20020129.txt
wget ftp://ftp.pipeline.com.au/PipeInt/S...compat.diff.txt
wget ftp://ftp.pipeline.com.au/pipeint/s...il/qmailctl.txt

Create the users and groups required for qmail:

groupadd nofiles
useradd -g nofiles -d /var/qmail qmaild
useradd -g nofiles -d /var/qmail qmaill
useradd -g nofiles -d /var/qmail qmailp
useradd -g nofiles -d /var/qmail/alias alias
groupadd qmail
useradd -g qmail -d /var/qmail qmailq
useradd -g qmail -d /var/qmail qmailr
useradd -g qmail -d /var/qmail qmails

Unzip the sources, apply the required patches, compile:

tar xzf qmail-1.03.tar.gz
cd qmail-1.03
# Apply patch that allows qmail to work with oversize DNS packets
patch -p1 < ../qmail-103.patch
# Apply the "qmailqueue" patch.
# This patch gives you the required support for other popular addons like Qmail-Scanner
patch -p1 < ../qmailqueue-patch
# Apply patch to make qmail-local and qmail-pop3d compatible with the maildir++ quota
# system that is used by vpopmail and courier-imap
patch < ../qmail-maildir++.patch
# Apply patch for local timestamps.
# This will make the email headers be written in localtime rather than GMT.
# (LOCALTIME_PATCH_FILE is a placeholder: the "...ltime.patch.txt" file downloaded above,
# whose full name is truncated on this page)
patch -p1 < ../LOCALTIME_PATCH_FILE
# Apply patch to limit the size of bounce messages generated by our server.
# The patch will limit the size of the bounce to be 50K,
# or you can override this by setting a different value in /var/qmail/control/bouncemaxbytes
# (BOUNCE_SIZE_PATCH_FILE is a placeholder: the "...-size.patch.txt" file downloaded above)
patch < ../BOUNCE_SIZE_PATCH_FILE
#
# Now add the qregex patch, which adds regexp support to qmail's badmailfrom,
# and also implements badmailto checking (again with regexp support)
# (QREGEX_PATCH_FILE is a placeholder: the "...ch-20020129.txt" file downloaded above)
patch < ../QREGEX_PATCH_FILE
# Apply patch to add ESMTP SIZE support to qmail-smtpd.
# This helps your server be able to reject excessively large messages "up front",
# rather than waiting for the whole message to arrive and then bouncing it because
# it exceeded the /var/qmail/control/databytes setting.
# Note that particular patch has been modified so it will apply cleanly in
# conjunction with the other patches I have supplied above. The original version
# of this patch would fail because it conflicted with the qregex patch.
# (ESMTP_SIZE_PATCH_FILE is a placeholder: the "...compat.diff.txt" file downloaded above)
patch < ../ESMTP_SIZE_PATCH_FILE

Edit qmail-smtpd.c and change the code in the straynewline function (around line 54) from 451 to 553.

Without this you will get nasty loops forming when a remote server sends you a message with invalid formatting. By default qmail will say something like "I am not going to accept that message at the moment, you can try again later". However in my experience the sending server will try sending the same message again a few seconds later, and this will go around and around in a loop for days on end, consuming valuable bandwidth and resources. By changing the error code to 553, the error becomes permanent, ie "I am not going to accept that message, don't try sending it again".

make setup check
./config
cd ..
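The Apache permission scheme set up earlier (root owns everything; www gets read on htdocs and icons, execute on cgi-bin, write-only access to logs; bin stays root-only) is worth checking rather than trusting. The following is an added example, not from the original page: it rebuilds the page's chmod recipe on a throwaway directory tree and audits the result with find. The chown/chgrp steps are left out because they need root and the www group; GNU find (-perm /mode) and coreutils are assumed.

```shell
#!/bin/sh
# Added example, not from the original page: rebuild the page's Apache permission
# recipe on a throwaway tree and audit the outcome. Assumes GNU find (-perm /mode).
# The chown/chgrp steps of the recipe are left out (they need root and the www group).

# build_tree DIR: a miniature /usr/local/apache layout (constructed) under DIR,
# deliberately started in a sloppy world-writable state
build_tree() {
    d="$1/apache"
    mkdir -p "$d/bin" "$d/cgi-bin" "$d/icons" "$d/logs" "$d/htdocs/sub"
    echo bin  > "$d/bin/httpd"
    echo cgi  > "$d/cgi-bin/test.cgi"
    echo icon > "$d/icons/apache_pb.gif"
    echo log  > "$d/logs/error_log"
    echo php  > "$d/htdocs/index.php"
    echo html > "$d/htdocs/sub/page.html"
    chmod -R 777 "$d"
}

# apply_recipe DIR: the chmod steps exactly as the page runs them from /usr/local
apply_recipe() {
    ( cd "$1" &&
      chmod 755 apache &&          # world needs rx on the top dir to reach it
      chmod -R 600 apache/* &&     # everything else root-only to start with
      chmod -R u+X apache &&       # root may search every directory
      cd apache &&
      chmod -R u+x bin &&          # binaries: root only
      chmod -R u+x,g+x cgi-bin &&  # cgi-bin: root or www may execute
      chmod -R g+rX icons &&       # www may read icons
      chmod g+wX logs &&           # www may write into logs/ (existing files stay 600)
      chmod -R g+rX htdocs )       # www may read, never write, public content
}

# list_violations DIR: one line per finding; empty output means the tree is clean
list_violations() {
    a="$1/apache"
    # public content must never be writable by the server group or the world
    find "$a/htdocs" "$a/icons" -perm /022 | sed 's/^/writable by group or world: /'
    # nothing inside the tree may be accessible to "other"
    find "$a" -mindepth 1 -perm /007 | sed 's/^/accessible to world: /'
    # log files are written by the service but must not be readable by it
    find "$a/logs" -type f -perm /040 | sed 's/^/log readable by www group: /'
    # bin/ is for root only
    find "$a/bin" -perm /077 | sed 's/^/bin not root-only: /'
}

# count_violations DIR: number of findings, as a plain integer
count_violations() {
    list_violations "$1" | wc -l | tr -d ' '
}

# Stand-alone run on a temporary tree: sloppy state first, then after the recipe
tmp=$(mktemp -d)
build_tree "$tmp"
echo "violations before recipe: $(count_violations "$tmp")"
apply_recipe "$tmp"
echo "violations after recipe:  $(count_violations "$tmp")"
list_violations "$tmp"
rm -rf "$tmp"
```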
Remove the sendmail package, and link in qmail's replacement utility:

# If you are running redhat 8, you may first need to remove the postfix
# package, so that mail to someuser@hostname.yourdomain.com will work correctly:
rpm -e --nodeps postfix
# OK, now go ahead and remove the sendmail package
rpm -e --nodeps sendmail
# Link in qmail's replacement "sendmail-like" tools
ln -s /var/qmail/bin/sendmail /usr/lib
ln -s /var/qmail/bin/sendmail /usr/sbin

The qmailctl script contains all the various commands that will allow us to control our qmail daemons. Put it in with the other qmail binaries. Also link it into /usr/bin so it will be in our "path" for easy access:

cp /usr/local/src/qmailctl.txt /var/qmail/bin/qmailctl
chmod 755 /var/qmail/bin/qmailctl
ln -s /var/qmail/bin/qmailctl /usr/bin

Setup the /etc/tcp.smtp file

This file controls who is allowed to send and/or relay mail on this server. An example configuration follows:

#------------------------------------------------------
# DESCRIPTION OF THE RULES TO REMIND ME OF HOW THIS FILE WORKS
#
# If you set 'allow', this means that our mail server will allow
# the specified IP range to make a TCP connection to our server
#
# If you set 'deny', this means that our mail server will not allow
# the specified IP range to make a TCP connection to our server
#
# If you set RELAYCLIENT="", this means that the listed IP range is
# allowed to relay mail through our server
#
# If you don't set RELAYCLIENT="", this means that the listed IP range
# will not be able to relay mail through our server
#
# If you set RBLSMTPD="", this means that the listed IP ranges will
# not be checked against any of the RBL databases
#
# If you set RBLSMTPD="some text here", this means that an RBL lookup
# won't be performed, but the mail will be rejected with the specified
# text as a 4xx temp error message
#
# If you set RBLSMTPD="-some text here", this means that an RBL lookup
# won't be performed, but the mail will be rejected with the specified
# text as a 5xx perm error message
#
# If you do not set RBLSMTPD="" or ="some text", then an RBL lookup
# will be performed. If the lookup is successful, then RBLSMTPD will
# return your custom error message (as specified in the -r parameter
# in the smtpd supervise script)
#
#-----------------------------------------------------
# HERE ARE THE RULES!:
#-----------------------------------------------------
# BYPASS OPEN RELAY CHECKING FOR THESE IPS:
#
# These IPs are ones that we have setup so that they aren't RBL checked.
# We have done this because these particular servers are RBL listed,
# and for whatever reason they can't/won't fix their open relay problem,
# and we still want to be able to receive mail from them.
#
# reminder text goes here for this entry so we know the story...
111.111.111.111:allow,RBLSMTPD=""
# reminder text goes here for this entry so we know the story...
222.222.222.222:allow,RBLSMTPD=""
#
#-----------------------------------------------------------------
# DON'T ALLOW THESE IPS TO SEND MAIL TO US:
#
# mailXX.offermail.net connecting regularly and sending invalid
# format messages causing exit with status 256 (bare linefeed normally)
# entry added 15/12/2001
# after looking at the mail coming from these servers it was found to be spam
216.242.75.100-116:allow,RBLSMTPD="-Connections from this IP have been banned."
#
# heaps of spam from replyto of *@freeamateurhotties.com dec2001
64.228.127.:allow,RBLSMTPD="-Connections refused due to spam from freeamateurhotties.com"
154.20.94.:allow,RBLSMTPD="-Connections refused due to spam from freeamateurhotties.com"
209.151.132.:allow,RBLSMTPD="-Connections refused due to spam from freeamateurhotties.com"
216.18.85.:allow,RBLSMTPD="-Connections refused due to spam from freeamateurhotties.com"
#
#-----------------------------------------------------------------
# ALLOW THESE IPS TO RELAY MAIL THROUGH OUR SERVER
#
# Local class-c's from our LAN are allowed to relay,
# and we won't bother doing any RBL checking.
123.123.123.:allow,RELAYCLIENT="",RBLSMTPD=""
123.111.111.:allow,RELAYCLIENT="",RBLSMTPD=""
#
# Connections from localhost are allowed to relay
# (because the WebMail server runs on localhost),
# and obviously there is no point trying to perform an RBL check.
127.0.0.1:allow,RELAYCLIENT="",RBLSMTPD=""
#
#-----------------------------------------------------------------
# ALLOW EVERYONE ELSE TO SEND US MAIL
#
# Everyone else can make connections to our server,
# but not allowed to relay.
# RBL lookups are performed
:allow

Setup the /etc/tcp.pop3 file

This file controls who is allowed to access the POP3 services on this server. An example configuration follows:

# Allow any client to connect to us via POP3
# If people are abusing POP3 such as denial-of-service on POP3,
# you can add their ips here to block them out
:allow

Now we have created our tcp.smtp and tcp.pop3 files, we need to compile them into the cdb database format that the tcpserver program can read:

qmailctl cdb

Adjust various aspects of the qmail configuration to suit our tastes:

# use postmaster@hostname.yourdomain.com as sender in bounce messages
# rather than the default MAILER-DAEMON@hostname.yourdomain.com
echo 'postmaster' > /var/qmail/control/bouncefrom

# Define how to handle "double bounces".
# The server admin has two choices here, either to receive double bounces
# or to discard them. If your server doesn't handle a lot of mail then it
# wouldn't hurt to receive all double bounces for the admin's inspection.
# But if your server handles a lot of mail, then it is more likely that you
# are going to want to discard double-bounces, because you will end up with
# potentially thousands of these every day.
#
# If you want to keep double-bounces, use these commands to nominate what
# email address to send them through to (eg doublebounce@yourdomain.com):
echo 'doublebounce' > /var/qmail/control/doublebounceto
echo 'yourdomain.com' > /var/qmail/control/doublebouncehost
# (don't forget that you will need to make sure you have created a mailbox
# to receive these mails. You could use qmailadmin to create a dedicated
# mailbox, or perhaps setup an alias on an existing mailbox)
#
# Or if you would prefer to silently discard any doublebounces,
# then use these commands instead
echo 'doublebounce' > /var/qmail/control/doublebounceto
echo 'hostname.yourdomain.com' > /var/qmail/control/doublebouncehost
echo '#' > ~alias/.qmail-doublebounce
chmod 644 ~alias/.qmail-doublebounce

# set maximum message size to be 8Mb
echo '8000000' > /var/qmail/control/databytes
# queue mail for up to 4 days
echo '345600' > /var/qmail/control/queuelifetime
#
# Populate badmailto so that mail with invalid address formatting gets rejected
echo '# reject containing invalid characters, brackets or multiple @' > /var/qmail/control/badmailto
echo '[!%#:\*\^]' >> /var/qmail/control/badmailto
echo '[\(\)]' >> /var/qmail/control/badmailto
echo '[\{\}]' >> /var/qmail/control/badmailto
echo '@.*@' >> /var/qmail/control/badmailto
# setup the default domain for use where an address does not have a domain specified
echo 'yourdomain.com' > /var/qmail/control/defaultdomain

# Note, this following command is optional!
#
# If you want qmail to send all outbound mail via a particular mail server
# rather than to send it direct to the recipient's mail server, then this
# can be achieved with the smtproutes control file.
#
# SEND ALL OUTBOUND MAIL VIA SMARTHOST
echo ':yoursmarthost.yourdomain.com' > /var/qmail/control/smtproutes

# redirect any mail sent to root@hostname.yourdomain.com to postmaster@yourdomain.com
# redirect any mail sent to postmaster@hostname.yourdomain.com to postmaster@yourdomain.com
# redirect any mail sent to mailer-daemon@hostname.yourdomain.com to postmaster@yourdomain.com
echo 'postmaster@yourdomain.com' > ~alias/.qmail-root
echo 'postmaster@yourdomain.com' > ~alias/.qmail-postmaster
echo 'postmaster@yourdomain.com' > ~alias/.qmail-mailer-daemon
chmod 644 ~alias/.qmail-*

Create / configure the various qmail run scripts:

ln -s /var/qmail/bin/qmailctl /etc/rc.d/init.d/qmail
ln -s ../init.d/qmail /etc/rc.d/rc0.d/K30qmail
ln -s ../init.d/qmail /etc/rc.d/rc1.d/K30qmail
ln -s ../init.d/qmail /etc/rc.d/rc2.d/S80qmail
ln -s ../init.d/qmail /etc/rc.d/rc3.d/S80qmail
ln -s ../init.d/qmail /etc/rc.d/rc4.d/S80qmail
ln -s ../init.d/qmail /etc/rc.d/rc5.d/S80qmail
ln -s ../init.d/qmail /etc/rc.d/rc6.d/K30qmail

mkdir -p /var/qmail/supervise/qmail-send/log
mkdir -p /var/qmail/supervise/qmail-smtpd/log
mkdir -p /var/qmail/supervise/qmail-pop3d/log
chmod +t /var/qmail/supervise/qmail-send
chmod +t /var/qmail/supervise/qmail-smtpd
chmod +t /var/qmail/supervise/qmail-pop3d

vi /var/qmail/supervise/qmail-send/run

#!/bin/sh
exec env - PATH="/var/qmail/bin:$PATH" qmail-start ./Maildir/

vi /var/qmail/supervise/qmail-send/log/run

#!/bin/sh
# Keep 30 logs of max 10Mb each
#
# They will get rotated when they reach 10Mb in size,
# or at midnight when our crontab script fires (whichever event comes 1st)
exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t s10000000 n30 /var/log/qmail/send

vi /var/qmail/supervise/qmail-smtpd/run

#!/bin/sh
QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
exec /usr/local/bin/softlimit -m 4000000 \
    /usr/local/bin/tcpserver \
    -H -l hostname.yourdomain.com \
    -v -x /etc/tcp.smtp.cdb -c 20 -R -u "$QMAILDUID" -g "$NOFILESGID" 0 smtp \
    /usr/local/bin/rblsmtpd -b -C -r 'relays.ordb.org:Your message was rejected because the mail server you use is configured to allow OPEN RELAY - More detailed information regarding this problem is available from http://www.ordb.org/lookup/?%IP% - Please forward this error through to your email server support staff for easy resolution.' -t 5 \
    /var/qmail/bin/qmail-smtpd 2>&1

# The "-H -l hostname.yourdomain.com" line (shown in orange on the original page)
# should be used if you are running qmail on a computer
# that is on a LAN that is using fake ips/masquerading.
# It tells tcpserver not to bother trying to resolve ip addresses
# to names when writing the SMTP log files. Usually with fake ips,
# you can't resolve them to names, so it will make the SMTP services run
# really slowly if it is always trying to resolve these addresses.
# Alternatively, if you are eg an ISP and all your SMTP clients are
# connecting from real IPs with resolvable names, then you can omit
# that line and then benefit from more readable logfiles.

vi /var/qmail/supervise/qmail-smtpd/log/run

#!/bin/sh
# Keep 30 logs of max 10Mb each
#
# They will get rotated when they reach 10Mb in size,
# or at midnight when our crontab script fires (whichever event comes 1st)
exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t s10000000 n30 /var/log/qmail/smtpd

vi /var/qmail/supervise/qmail-pop3d/run

#!/bin/sh
exec /usr/local/bin/softlimit -m 4000000 \
    /usr/local/bin/tcpserver \
    -H -l hostname.yourdomain.com \
    -v -x /etc/tcp.pop3.cdb -c 30 -R 0 pop3 \
    /var/qmail/bin/qmail-popup hostname.yourdomain.com \
    /home/vpopmail/bin/vchkpw /var/qmail/bin/qmail-pop3d Maildir 2>&1

# The "-H -l hostname.yourdomain.com" line (shown in orange on the original page)
# should be used if you are running qmail on a computer
# that is on a LAN that is using fake ips/masquerading.
# It tells tcpserver not to bother trying to resolve ip addresses
# to names when writing the POP3 log files. Usually with fake ips,
# you can't resolve them to names, so it will make the POP3 services run
# really slowly if it is always trying to resolve these addresses.
# Alternatively, if you are eg an ISP and all your POP3 clients are
# connecting from real IPs with resolvable names, then you can omit
# that line and then benefit from more readable logfiles.

vi /var/qmail/supervise/qmail-pop3d/log/run

#!/bin/sh
# Keep 30 logs of max 10Mb each.
# They will get rotated when they reach 10Mb in size,
# or at midnight when our crontab script fires (whichever event comes 1st)
exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t s10000000 n30 /var/log/qmail/pop3d

chmod 755 /var/qmail/supervise/qmail-send/run
chmod 755 /var/qmail/supervise/qmail-send/log/run
chmod 755 /var/qmail/supervise/qmail-smtpd/run
chmod 755 /var/qmail/supervise/qmail-smtpd/log/run
chmod 755 /var/qmail/supervise/qmail-pop3d/run
chmod 755 /var/qmail/supervise/qmail-pop3d/log/run

mkdir /var/log/qmail
mkdir /var/log/qmail/smtpd
mkdir /var/log/qmail/send
mkdir /var/log/qmail/pop3d
chown -R qmaill /var/log/qmail

crontab -e

# the following 3 lines rotate the qmail log files daily
0 0 * * * /usr/local/bin/svc -a /service/qmail-smtpd/log
0 0 * * * /usr/local/bin/svc -a /service/qmail-send/log
0 0 * * * /usr/local/bin/svc -a /service/qmail-pop3d/log

ln -s /var/qmail/supervise/qmail-send /service
ln -s /var/qmail/supervise/qmail-smtpd /service
ln -s /var/qmail/supervise/qmail-pop3d /service

At this point the qmail daemons should be running. A good way to verify this is to use this command:

ps axf

If all is well, you should be able to see something like this:

 1218 ?        S      0:00 /bin/sh /command/svscanboot
 1222 ?        S      0:00  \_ svscan /service
 1224 ?        S      0:00  |   \_ supervise qmail-send
 1230 ?        S      0:00  |   |   \_ qmail-send
 1236 ?        S      0:00  |   |       \_ qmail-lspawn ./Maildir/
 1237 ?        S      0:00  |   |       \_ qmail-rspawn
 1238 ?        S      0:00  |   |       \_ qmail-clean
 1225 ?        S      0:00  |   \_ supervise log
 1233 ?        S      0:00  |   |   \_ /usr/local/bin/multilog t s10000000 n30 /var/log/qmail/send
 1226 ?        S      0:00  |   \_ supervise qmail-smtpd
 1231 ?        S      0:00  |   |   \_ /usr/local/bin/tcpserver -v -x /etc/tcp.smtp.cdb -c 20 -R -u 504 -g 503 0 smtp /var/qmail/bin
 1227 ?        S      0:00  |   \_ supervise log
 1234 ?        S      0:00  |   |   \_ /usr/local/bin/multilog t s10000000 n30 /var/log/qmail/smtpd
 1228 ?        S      0:00  |   \_ supervise qmail-pop3d
 1232 ?        S      0:00  |   |   \_ /usr/local/bin/tcpserver -v -x /etc/tcp.pop3.cdb -c 30 -H -R 0 110 /var/qmail/bin/qmail-popup
 1229 ?        S      0:00  |   \_ supervise log
 1235 ?        S      0:00  |       \_ /usr/local/bin/multilog t s10000000 n30 /var/log/qmail/pop3d
 1223 ?        S      0:00  \_ readproctitle service errors: .......................................................................

Note the 3 qmail daemons: qmail-send, qmail-smtpd, qmail-pop3d, as well as their associated logging processes. If there is anything wrong with your install, an error message will generally be visible on the "readproctitle" line.

You can control the qmail daemons by using the qmailctl program. You can just type that command without any parameters and it will display the available options eg start, stop, status, doqueue.

--------------------------------------------------------------------------------

VPOPMAIL

Original Authors: http://www.inter7.com/vpopmail (Original author's home page)
Current Development location: https://sourceforge.net/projects/vpopmail (The recent vpopmail development work is being done via Sourceforge)

Make the user accounts:

# If you are using RH8.0, you will probably need to run this following command,
# because RH8.0 comes preconfigured with UID/GID 89 allocated to postfix
#
# userdel postfix
groupadd -g 89 vchkpw
useradd -g vchkpw -u 89 vpopmail
# We recommend you use the user and group id's of 89.
# The FreeBSD folks have reserved 89 for the group and 89 for the user for vpopmail.
# Feel free to have the OS assign the group/user id (for example, Solaris won't
# allow gid 89).

Download and unpack the source:

cd /usr/local/src
wget http://osdn.dl.sourceforge.net/sour...il-5.4.0.tar.gz
tar xzf vpopmail-5.4.0.tar.gz
chown -R root.root vpopmail-5.4.0
cd vpopmail-5.4.0

Setup the MySQL support in the vpopmail sources:

# Create the configuration file that vpopmail will use
# to setup the connection to the mysql database
#
# This example will tell vpopmail:
# * Log into the server running on localhost
# * Use the default mysql port
#   (In fact if the server is localhost, and you don't specify a port number, then
#   I believe that communications are done via unix sockets rather than TCP/IP)
# * Login with username vpopmailuser
# * Login with password vpoppasswd
# * Use the database called vpopmail
#
# (the etc dir may not exist yet at this point, so create it first)
mkdir -p ~vpopmail/etc
echo "localhost|0|vpopmailuser|vpoppasswd|vpopmail" > ~vpopmail/etc/vpopmail.mysql
chown vpopmail.vchkpw ~vpopmail/etc/vpopmail.mysql
chmod 640 ~vpopmail/etc/vpopmail.mysql

# log into MySQL as the MySQL root user
# and then create the database for vpopmail to use
# and then setup the appropriate permissions on this database
/usr/local/mysql/bin/mysql --password="mysql-root-pwd"

CREATE DATABASE vpopmail;
GRANT select,insert,update,delete,create,drop ON vpopmail.* TO vpopmailuser@localhost IDENTIFIED BY 'vpoppasswd';
quit

Now, build the program:

./configure --disable-roaming-users --enable-logging=p --disable-passwd --enable-clear-passwd --disable-domain-quotas --enable-auth-module=mysql --disable-many-domains --enable-auth-logging --enable-mysql-logging --enable-valias --disable-mysql-limits
make
make install-strip

Notes: The "--enable-mysql-limits" configuration option is new. I plan to update my guide to use this function at some point in the near future once I have done some testing etc of this functionality.

Review the contents of the file that is used to set the default limits for any domains / mailboxes in the vpopmail system. Make sure it contains reasonable defaults for your system:

vi ~vpopmail/etc/vlimits.default

# in particular set the default mailbox size to be something reasonable eg 20Mb
default_quota 20971520

Optionally, nominate a "default domain". Users in this domain can login to POP3 etc using just their username. Users from all other domains need to use their full email address as their login name.

echo "yourdomain.com" > /home/vpopmail/etc/defaultdomain

Setup the quota warning message that is sent to users when they are at 90% quota:

vi quotawarn.msg

From: SomeCompany Postmaster
Reply-To: postmaster@yourdomain.com
To: SomeCompany User:;
Subject: Mail quota warning
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 7bit

Your mailbox on the server is now more than 90% full. So that you can continue to receive mail, you need to remove some messages from your mailbox.

If you require assistance with this, please contact our support department:
email: support@yourdomain.com
Tel: xx xxxx xxxx

cp quotawarn.msg /home/vpopmail/domains/.quotawarn.msg

If you want, you can alter the standard message that gets sent to the sender in an overquota situation:

echo "Message rejected. Not enough storage space in user's mailbox to accept message." > /home/vpopmail/domains/.over-quota.msg

OK, vpopmail is now installed!
Some example vpopmail commands : To add a domain : /home/vpopmail/bin/vadddomain yourdomain.com yourpassword # this creates the domain and makes a mailbox postmaster@yourdomain.com To add a mailbox: /home/vpopmail/bin/vadduser someone@yourdomain.com apassword (Or you can do it via qmailadmin) To remove a mailbox /home/vpopmail/bin/vdeluser someone@yourdomain.com (Or you can do it via qmailadmin) To remove a domain : /home/vpopmail/bin/vdeldomain yourdomain.com To change a user's password /home/vpopmail/bin/vpasswd someone@yourdomain.com newpassword (Or you can do it via qmailadmin) To lookup info about a user /home/vpopmail/bin/vuserinfo someone@yourdomain.com This gives you info such as name, crypted password, cleartext password, dir, quota, usage%, last auth. It has a number of flags to let you see the individual fields, or you can see them all if you dont use any flags. It also creates the maildirsize file in the users dir Logging in via POP3 When your users are setting up their POP3 email clients (eg Outlook Express), they should use settings like this : My incoming mail server is a POP3 server Incoming mail server (POP3): pop3.yourdomain.com Outgoing mail server (SMTP): smtp.yourdomain.com POP3 account name : theirusername@yourdomain.com Password: theirpassword When you configured vpopmail, you had the opportunity to nominate a "default" domain. When users from the default domain authenticate, it is optional for them to add the @yourdomain.com onto the end of their username. If vpopmail sees that no domain has been specified by the user, then it will automatically perform the auth against the nominated default domain. If you are hosting multiple domains, then everyone who is NOT in the default domain MUST add their domain name onto the end of their username. (A small percentage of email programs eg Netscape Mail v4.7 do not permit the use of the @ symbol in account name. 
In this case you can use the % symbol instead of the @ symbol) vpopmail roaming users : With qmail, the typical way to control mail relaying is to put a list of rules into a file called tcp.smtp. The tcprules program is then used to compile this file into cdb database format with the output being stored in a file called tcp.smtp.cdb. The tcpserver program is configured (using the -x parameter) to read this file and thus know which SMTP clients are permitted to relay mail. This type of configuration works well if there is a known range of IP addresses that are permitted to relay mail. eg the IP's on the qmail server's local LAN. However if the qmail server needs to provide outbound SMTP services for clients who may be connecting from any IP, you are going to run into problems. What is needed is some way to automate the process of granting users the ability to relay mail, without opening up access to all and sundry on the Internet. vpopmail includes a solution for this problem. The solution is known as "roaming users" and is implemented with a technique known as "POP-before-SMTP". Once a client has successfully authenticated via POP3, vpopmail will add the client's IP to a list. vpopmail then merges this list with the contents of the tcp.smtp file and runs the tcprules program to compile a new version of the tcp.smtp.cdb file. Thus the client can now relay mail. In addition to storing the client's IP address, vpopmail will also store the time of authentication. The postmaster uses a cronjob on the qmail server to periodically (eg once per hour) run the clearopensmtp program. This program scans through the list of roaming clients and removes any entries that exceed the nominated age (eg 3 hours). This ensures that the list of IPs does not grow out of bounds, and that the roaming IPs are closed within a reasonable timeframe after being opened. 
Configuration options for vpopmail that relate to roaming users : ./configure --enable-roaming-users \ --enable-tcprules-prog=path \ --enable-tcpserver-file=path \ --enable-relay-clear-minutes=minutes Notes : qmail servers are typically built with the tcp.smtp files being located in the /etc directory. This is not usually suitable for vpopmail roaming users, since the /etc directory will (should) not have write permissions for the vpopmail user. Therefore it is not going to be possible for vpopmail to write out updated versions of the tcp.smtp.cdb file. For use with roaming users, it is recommended that the tcp.smtp files are stored in ~vpopmail/etc If a POP user auths, and their IP already exists in the roaming IP list, the timestamp for the entry is updated, but the tcprules program is not run. There is no need to rebuild the tcp.smtp.cdb file as the IP address is already permitted to relay. Rebuilding the file will only waste disk and CPU time. If the vpopmail server is using the default cdb authentication backend, then the list of roaming IPs will be stored in a file called ~vpopmail/etc/open-smtp. If the vpopmail server is using the MySQL backend, the roaming IPs will be stored in a database table called relay. The SQL backend will give better performance on a busy server. Either way though, you should be cautious about enabling roaming user functionality on a very busy server, as a large amount of disk and CPU will be used with the continual rebuilding of the tcp.smtp.cdb file. If the server is busy enough you could run into nasty file locking issues which will cause vpopmail password authentication to intermittently fail. 
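To make the roaming-users bookkeeping concrete, here is an added example (not vpopmail's own code) that models the list of authenticated IPs, the clearopensmtp expiry and the merge with tcp.smtp that is handed to tcprules. The open-smtp line layout and the tcprules invocation are assumptions noted in the code; the rule files and timestamps are constructed sample data.

```python
"""Model of vpopmail's POP-before-SMTP ("roaming users") bookkeeping.

Added example, not vpopmail's own code. Assumed (simplified) open-smtp line
format: 'IP:allow,RELAYCLIENT=""' + TAB + epoch seconds of the last POP3 auth.
"""
import shutil
import subprocess

RELAY_RULE = ':allow,RELAYCLIENT=""'

# Constructed sample data: a static tcp.smtp and an open-smtp list. The final
# ':allow' carries no RELAYCLIENT, so unknown hosts can deliver to our domains
# but cannot relay through us.
BASE_RULES = '''127.:allow,RELAYCLIENT=""
192.168.1.:allow,RELAYCLIENT=""
:allow
'''
SAMPLE_OPEN_SMTP = ('203.0.113.7:allow,RELAYCLIENT=""\t1699980000\n'
                    '198.51.100.23:allow,RELAYCLIENT=""\t1699999000\n')
NOW = 1700000000          # "current" time for the sample run
CLEAR_MINUTES = 180       # --enable-relay-clear-minutes value (3 hours)


def parse_open_smtp(text):
    """Return {ip: epoch_of_last_auth} from an open-smtp style list."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        rule, _, stamp = line.rpartition("\t")
        entries[rule.split(":", 1)[0]] = int(stamp)
    return entries


def format_open_smtp(entries):
    """Inverse of parse_open_smtp, for writing the list back out."""
    return "".join(f"{ip}{RELAY_RULE}\t{stamp}\n"
                   for ip, stamp in sorted(entries.items()))


def record_auth(entries, ip, now):
    """Called after a successful POP3 login. Returns True when the IP is new
    and tcp.smtp.cdb must be rebuilt; a known IP only has its timestamp
    refreshed, so no rebuild (and no tcprules run) is needed."""
    is_new = ip not in entries
    entries[ip] = now
    return is_new


def expire(entries, now, clear_minutes):
    """The clearopensmtp cron job: drop IPs whose last auth is older than the
    relay-clear window. Returns the removed IPs (sorted)."""
    cutoff = now - clear_minutes * 60
    stale = sorted(ip for ip, stamp in entries.items() if stamp < cutoff)
    for ip in stale:
        del entries[ip]
    return stale


def merged_rules(base_rules, entries):
    """Text fed to tcprules: the roaming IPs (each allowed to relay) followed
    by the static tcp.smtp rules."""
    roaming = [f"{ip}{RELAY_RULE}" for ip in sorted(entries)]
    static = [line for line in base_rules.splitlines() if line.strip()]
    return "\n".join(roaming + static) + "\n"


def tcprules_argv(cdb_path):
    """Invocation shape from the qmail docs: tcprules <cdb> <tmpfile>."""
    return ["tcprules", cdb_path, cdb_path + ".tmp"]


def compile_rules(rules_text, cdb_path):
    """Rebuild the cdb if tcprules is installed. Returns (argv, ran)."""
    argv = tcprules_argv(cdb_path)
    if shutil.which("tcprules") is None:
        return argv, False
    subprocess.run(argv, input=rules_text.encode(), check=True)
    return argv, True


def hourly_cycle(open_smtp_text, new_auths, now, clear_minutes=CLEAR_MINUTES):
    """One pass: apply fresh POP3 auths, then expire, then decide whether the
    cdb needs rebuilding. Returns (entries, rules_text, needs_rebuild)."""
    entries = parse_open_smtp(open_smtp_text)
    needs_rebuild = False
    for ip in new_auths:
        needs_rebuild |= record_auth(entries, ip, now)
    if expire(entries, now, clear_minutes):
        needs_rebuild = True      # a removed IP must lose relay rights too
    return entries, merged_rules(BASE_RULES, entries), needs_rebuild


if __name__ == "__main__":
    ents, rules, rebuild = hourly_cycle(SAMPLE_OPEN_SMTP,
                                        ["198.51.100.23", "192.0.2.44"], NOW)
    print(rules, "rebuild needed:", rebuild)
    print(compile_rules(rules, "/home/vpopmail/etc/tcp.smtp.cdb"))
```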
If you absolutely must have POP-before-SMTP functionality on your busy server, then there are only two possible solutions that I can think of :

1) you could try putting the tcp.smtp files onto a RAM disk, or
2) use vpopmail's MySQL auth backend, plus use Matt Simerson's tcpserver patch that allows all of the tcp.smtp files to be stored in MySQL

Over time POP-before-SMTP seems to be slowly becoming a less favored way of allowing roaming users to relay mail. SMTP-Auth appears to be becoming the more preferred option, as it scales much more easily on a busy server. However for a small to medium sized server, POP-before-SMTP is still quite a workable option. If you would like to investigate the use of SMTP-Auth, take a look at this patch http://www.fehcom.de/qmail/smtpauth.html#PATCHES

--------------------------------------------------------------------------------

AUTORESPONDER

Current development location : http://www.sourceforge.net/projects/qmailadmin

This package is a prerequisite for qmailadmin

Download and unpack the source

cd /usr/local/src
wget http://osdn.dl.sourceforge.net/sour...nd-2.0.4.tar.gz
tar xzf autorespond-2.0.4.tar.gz
chown -R root.root autorespond-2.0.4
cd autorespond-2.0.4

Build the program

make
make install

EZMLM / EZMLM-IDX

This package is a prerequisite for qmailadmin

ezmlm is mailing list software written by the author of qmail. ezmlm-idx is a patch that adds extra features to the standard ezmlm program.
EZMLM : http://cr.yp.to/ezmlm.html
EZMLM-IDX PATCH : http://www.ezmlm.org (although I often find this site unresponsive, and so I use one of the mirrors instead like http://www.glasswings.com.au/ezmlm/)

Download and unpack the ezmlm sources

cd /usr/local/src
wget http://cr.yp.to/software/ezmlm-0.53.tar.gz
tar xzf ezmlm-0.53.tar.gz
chown -R root.root ezmlm-0.53
wget ftp://ftp.pipeline.com.au/PipeInt/S...idx-0.40.tar.gz
tar xzf ezmlm-idx-0.40.tar.gz
chown -R root.root ezmlm-idx-0.40

Merge the sources together

cp -R ezmlm-idx-0.40/* ezmlm-0.53/
# (you need to press y quite a few times to allow the patch files to overwrite the original files)
cd ezmlm-0.53
patch < idx.patch

Build the program

make
make man
make setup

QMAILADMIN

Original Authors : http://www.inter7.com/qmailadmin
Current Development location : https://sourceforge.net/projects/qmailadmin/

Description : The domain postmaster can use this tool to view all the accounts on the domain as well as add/remove accounts, forwards, auto-responders etc. Domain users can use this tool to modify their own user settings only, ie mailbox password, real name, forwards, vacations. This tool does not let you create new domains.

Download and unpack the source

cd /usr/local/src
wget http://osdn.dl.sourceforge.net/sour...in-1.2.0.tar.gz
tar xzf qmailadmin-1.2.0.tar.gz
chown -R root.root qmailadmin-1.2.0
cd qmailadmin-1.2.0

(Optional) Make a small mod that affects the look of the qmailadmin login page : edit the lang/en file, and change record 112 to say "Username" rather than "User Account". (We found our users knew what to type as their "Username", but didn't know what to type as a "User Account".)

Build the program

./configure --enable-htmldir=/usr/local/apache/htdocs \
  --enable-cgibindir=/usr/local/apache/cgi-bin \
  --enable-maxusersperpage=12 \
  --enable-maxaliasesperpage=12 \
  --disable-modify-quota \
  --disable-ezmlm-mysql \
  --disable-help
# note, I chose to have 12 accounts per page in the config above,
# because this makes these particular screens fit nicely on my 1024*768 monitor
make
make install-strip

Test to see if it works

http://webmail.yourdomain.com/cgi-bin/qmailadmin

If you login as a domain postmaster, then you should get the screens where you can view all and add/remove mailboxes, aliases, mailinglists etc on the domain. If you login as a user, you can only access your own mailbox settings (eg password, forwards, vacation messages).

Setting limits :

You can setup limits on any domains where required by putting a .qmailadmin-limits file into the domain's virtual dir (/home/vpopmail/domains/yourdomain.com). Make sure the vpopmail user has read permissions for this file.

Syntax of the .qmailadmin-limits file is as follows :

maxpopaccounts X
maxforwards X
maxmailinglists X
maxautoresponders X

Set X to be the maximum desired number for that feature. Set X to be 0 if you want to disable that feature & menu item.

There are also some other settings that can be specified in the .qmailadmin-limits file; refer to section 6 of the qmailadmin installation instructions (http://inter7.com/qmailadmin/install.txt) for more info.

A bit of a long-winded misc note to myself :

(If you are setting up your vpopmail server for the first time, then this block of text has no relevance to you. You can skip straight past this waffle and go onto the next section...)

As of qmailadmin-1.0.21, you can't create "aliases" any more. What qmailadmin previously created as aliases are now created as forwards. Aliases dump incoming mail for that aliased address directly into the recipient user's Maildir. The problem with this is it bypassed any further ".qmail" processing, meaning that you ran into problems if you were trying to setup some of the more fancy things (like per-user SpamAssassin configurations?). Using forwards bypasses this problem as the message will get re-injected back into the queue for delivery.

However this change does cause some problems for sites that already have existing aliases in use. The problem is that when you go into qmailadmin-1.0.21 and select the forwards screen, all the existing aliases and forwards for that domain are displayed.

Problem # 1 : For mail that is being redirected to a local account, you can't tell from this screen whether the user is getting alias or forward delivery. If you were trying to setup some tricky per-user stuff, then you are going to get variable results because some users may be configured as alias, and others are configured as forward, but you can't easily tell which is which from this screen.

Problem # 2 : Up the top there is a count showing "[Used # / limit]". This count relates to the number of forwards in use and the maxforwards qmailadmin-limits setting. The count ignores any existing aliases. This could potentially cause confusion for domain postmasters, as you will be looking at a screen full of accounts and if some of them have been previously setup as aliases then it is going to be hard to reconcile the reported count against the number of accounts displayed on the screen.

What is needed is some sort of utility that will scan and find existing aliases and convert them over to the now-preferred forward syntax.... That would keep the delivery method consistent for all users, and would also eliminate any problems with the qmailadmin-limits code.

Note: As of qmailadmin-1.0.25, there is a tool for converting existing aliases to forwards. Look in the contrib dir for the tool called alias2forward.pl

--------------------------------------------------------------------------------

COURIER IMAP

www.inter7.com/courierimap

Courier-IMAP is an IMAP server. Having an IMAP server is a prerequisite to be able to run an IMAP-client WebMail system like SquirrelMail. Courier-IMAP is a good choice because it has support for vpopmail authentication and maildir mailboxes.
Download and unpack the source

cd /usr/local/src
wget http://osdn.dl.sourceforge.net/sour...p-2.1.1.tar.bz2
bunzip2 courier-imap-2.1.1.tar.bz2
tar xf courier-imap-2.1.1.tar
chown -R root.root courier-imap-2.1.1
cd courier-imap-2.1.1

Build the program

./configure --prefix=/usr/local/courier-imap \
  --disable-root-check \
  --without-authpam \
  --without-authldap \
  --without-authpwd \
  --without-authmysql \
  --without-authpgsql \
  --without-authshadow \
  --without-authuserdb \
  --without-authcustom \
  --without-authcram \
  --with-authdaemon \
  --with-authvchkpw \
  --with-ssl
# note, if you are building courier on redhat/fedora, you may have to add a
#   --with-redhat
# to the list of configuration settings above
make
make install
make install-configure

The Courier-IMAP package includes 4 servers that can be individually enabled/disabled : IMAP, IMAP-SSL, POP3, POP3-SSL. In this example, we are only using the IMAP server.

vi /usr/local/courier-imap/etc/imapd

MAXDAEMONS=40
MAXPERIP=40
AUTHMODULES="authdaemon"
IMAP_EMPTYTRASH=Trash:7,Sent:30
IMAPDSTART=YES

Configure Courier-IMAP so it is running all the time from bootup onwards

cp /usr/local/src/courier-imap-2.1.1/courier-imap.sysvinit /etc/rc.d/init.d/courier-imap
chmod 744 /etc/rc.d/init.d/courier-imap
chkconfig --add courier-imap

Then I like to use the ntsysv program to double-check that courier-imap is set to launch at boot time.

If you aren't ready to reboot the server now, you can fire up Courier-IMAP in the mean time with this command :

/etc/rc.d/init.d/courier-imap start

At this point the courier-imap software should be running. A good way to verify this is to use this command :

ps axf

And if all is well, you should be able to see something like this :

24033 ? S 0:00 /usr/local/courier-imap/libexec/authlib/authdaemond.plain start
18973 ? S 0:00 \_ /usr/local/courier-imap/libexec/authlib/authdaemond.plain start
18974 ? S 0:00 \_ /usr/local/courier-imap/libexec/authlib/authdaemond.plain start
18975 ? S 0:00 \_ /usr/local/courier-imap/libexec/authlib/authdaemond.plain start
18976 ? S 0:00 \_ /usr/local/courier-imap/libexec/authlib/authdaemond.plain start
18977 ? S 0:00 \_ /usr/local/courier-imap/libexec/authlib/authdaemond.plain start
24043 ? S 0:00 /usr/local/courier-imap/libexec/couriertcpd -address=0 -stderrlogger=/usr/local/courier-imap/libexec/cour
24046 ? S 0:00 /usr/local/courier-imap/libexec/courierlogger imapd

--------------------------------------------------------------------------------

SQUIRRELMAIL

www.squirrelmail.org

(Some of the steps below are specific to using the MySQL backend for SquirrelMail and are marked "MySQL backend only". If you don't want to use the MySQL backend, then just skip over those sections....)

Go to the SquirrelMail download page, and save the latest source to /usr/local/src. In this example I have used : squirrelmail-1.5.0.tar.gz

Download and unpack all the sources

cd /usr/local/apache/htdocs
tar xzf /usr/local/src/squirrelmail-1.5.0.tar.gz
chown -R root.www squirrelmail-1.5.0
chmod -R 750 squirrelmail-1.5.0
ln -s squirrelmail-1.5.0 squirrelmail

Create the required directory structure

mkdir /var/squirrelmail
# create the data dir. This is where users' personal preferences are stored if not using the MySQL backend
mkdir /var/squirrelmail/data
# create the attach dir. This is where temp files for emails in progress are stored
mkdir /var/squirrelmail/attach
cd squirrelmail
cp data/default_pref /var/squirrelmail/data
chown -R root.www /var/squirrelmail
chmod -R 0770 /var/squirrelmail/data
chmod -R 0730 /var/squirrelmail/attach

SquirrelMail allows you to add your company logo to the login page. So whack a copy of your logo into the Apache images directory so it is available for SquirrelMail to use

cp /usr/local/src/yourcompanylogo-100.gif /usr/local/apache/htdocs/images

Configure SquirrelMail

cd config
perl conf.pl

D. SET PRE-DEFINED SETTINGS FOR SPECIFIC IMAP SERVERS
   Choose Courier

1. ORGANIZATION PREFERENCES
   1. Organization name : YourCompany
   2. Organization Logo : /images/yourcompanylogo-100.gif
   3. Org. Logo Height/Width : 100/100
   4. Organization title : YourCompany WebMail (v$version)
   7. Provider link : http://www.yourdomain.com
   8. Provider name : YourCompany

2. SERVER SETTINGS
   1. Domain : yourdomain.com
   Press A to update IMAP settings
   4. IMAP Server : localhost
   5. IMAP Port : 143
   6. Authentication type : login
   7. Secure IMAP (TLS) : false
   8. Server software : courier
   9. Delimiter : .
   Press B to update SMTP settings
   4. SMTP Server : localhost
   5. SMTP Port : 25
   6. POP before SMTP : false
   7. SMTP Authentication : none
   8. Secure SMTP (TLS) : false

3. FOLDER DEFAULTS
   9. List Special Folders First : false
   15. Default Unseen Type : 2

4. GENERAL OPTIONS
   1. Data directory : /var/squirrelmail/data
   2. Attachment directory : /var/squirrelmail/attach
   5. Usernames in lower case : true
   8. Hide SM attributions : true
   11. Allow server-side sorting : false
   (Note, server-side sorting is faster, but I personally find the sort results to be not as "intuitive" compared with when you let SquirrelMail do the sorting. If you toggle this option on/off and compare the resultant displays in SquirrelMail you will see what I mean. For example, if you server-sort the FROM column then the sort will be done on the sender's email address, whereas if you let SquirrelMail do the sort then the column will be sorted on the sender's name. I would suggest you try toggling this option on and off to make your own decision on which sorting method provides the better results.)

6. ADDRESS BOOKS
   2. Use Javascript Address Book Search : True

9. DATABASE (MySQL backend only)
   1. DSN for address book : mysql://squirreluser:squirrelpassword@localhost/squirrelmail
   3. DSN for preferences : mysql://squirreluser:squirrelpassword@localhost/squirrelmail

Now Save and quit the config program.

(MySQL backend only) Create the necessary database and tables in MySQL, so that SquirrelMail can store the address books and user preferences there :

cd /usr/local/mysql/bin
./mysql --password="mysql-root-pwd"

CREATE DATABASE squirrelmail;
GRANT select,insert,update,delete ON squirrelmail.* TO squirreluser@localhost IDENTIFIED BY 'squirrelpassword';
USE squirrelmail;
CREATE TABLE address (
  owner varchar(128) DEFAULT '' NOT NULL,
  nickname varchar(16) DEFAULT '' NOT NULL,
  firstname varchar(128) DEFAULT '' NOT NULL,
  lastname varchar(128) DEFAULT '' NOT NULL,
  email varchar(128) DEFAULT '' NOT NULL,
  label varchar(255),
  PRIMARY KEY (owner,nickname),
  KEY firstname (firstname,lastname)
);
CREATE TABLE userprefs (
  user varchar(128) DEFAULT '' NOT NULL,
  prefkey varchar(64) DEFAULT '' NOT NULL,
  prefval blob DEFAULT '' NOT NULL,
  PRIMARY KEY (user,prefkey)
);
quit

You can define what default SquirrelMail settings users will receive when they log in.

For the MySQL backend :

cd /usr/local/apache/htdocs/squirrelmail
# replace the default preferences definition in the db_prefs file
# with our own customised defaults.
# Open the file, scroll down and replace the existing "var $default"
# entry (on line 80) with our customised version shown below
vi functions/db_prefs.php

var $default = Array('chosen_theme' => '../themes/default_theme.php',
                     'show_html_default' => '1',
                     'language' => 'en_US',
                     'use_javascript_addr_book' => '1',
                     'left_size' => '140',
                     'left_refresh' => '3600',
                     'show_username' => '1',
                     'show_username_pos' => 'top',
                     'order1' => '1',
                     'order2' => '2',
                     'order3' => '3',
                     'order4' => '5',
                     'order5' => '4',
                     'order6' => '6');

Or, if you aren't running the MySQL backend for SquirrelMail, you can adjust the default preferences like this :

vi /var/squirrelmail/data/default_pref

show_html_default=1
language=en_US
use_javascript_addr_book=1
left_size=140
left_refresh=3600
show_username=1
show_username_pos=top
order1=1
order2=2
order3=3
order4=5
order5=4
order6=6

Setup periodic purging of the "attach" directory

When SquirrelMail users are composing a message that has attachment(s), the attachment is temporarily stored in the /var/squirrelmail/attach directory. When the user sends the message, the associated temp files will get deleted. However sometimes the temp files do not get deleted (eg if the user closes their browser mid-compose?). Since the permissions on this directory are setup (as a security measure) to prevent the webserver from listing the files in this directory, there is no way for Apache/SquirrelMail to do a periodic scan/purge of old files. So we are going to setup a daily crontab to clean up any attachments that get left hanging around.

crontab -e

# delete any files that are more than 2 days old from the SquirrelMail attachment dir
0 0 * * * find /var/squirrelmail/attach/* -atime +2 -exec /bin/rm {} \;

Install the quota_usage plugin so users can see their mailbox quota usage

cd /usr/local/src
wget http://www.squirrelmail.org/plugins...sage-1.2.tar.gz
wget http://www.squirrelmail.org/plugins...lity-1.2.tar.gz
cd /usr/local/apache/htdocs/squirrelmail/plugins
tar xzf /usr/local/src/quota_usage-1.2.tar.gz
tar xzf /usr/local/src/compatibility-1.2.tar.gz
chown -R root.www quota_usage
chmod -R o-rx quota_usage
chown -R root.www compatibility
chmod -R o-rx compatibility

# qmailadmin and the other tools all classify 1Mb as 1048576 bytes (1024 * 1024)
# Fix up the quota_usage plugin so it works with the same units.
# Otherwise your quota would show as 20M in qmailadmin, and 21M in SquirrelMail :-/
vi quota_usage/functions.php
Go to line 37 and change the value 1000000 to 1048576

cd ../config
perl conf.pl
8. Plugins
   choose quota_usage
   choose compatibility

Optionally, setup SSL mode at login time

cd /usr/local/src
wget http://www.squirrelmail.org/plugins....2-1.2.8.tar.gz
cd /usr/local/apache/htdocs/squirrelmail/plugins
tar xzf /usr/local/src/secure_login-1.0-1.2.8.tar.gz
chown -R root.www secure_login
chmod -R o-rx secure_login
cd ../config
perl conf.pl
8. Plugins, and choose secure_login

Optionally, modify SquirrelMail so that it will log any failed login attempts to the syslog

Modify squirrelmail/functions/imap_general.php : search for the line that has "Unknown user or password incorrect", and above this line add :

syslog(LOG_MAIL|LOG_NOTICE,"Squirrelmail login failed for Username : $username, Password : $password");

Now failed SquirrelMail logins will be logged to /var/log/maillog :-)

We also added some code to squirrelmail/src/login.php to add a notes page to the login screen.
We inserted this chunk just before the line that says "do_hook('login_bottom'); echo " ". "". "IMPORTANT NOTES REGARDING THE WEBMAIL SYSTEM ". "AUTOMATIC MAIL DELETION ". "The mail server will automatically delete mail from the ". "following folders after the specified number of days : ". "Trash Folder - 7 days, Sent Folder - 30 days". "POP3 MAIL CLIENTS ". "If you check your mail using a POP3 mail client (such as Outlook Express), ". "it will download and delete the mail from your WebMail inbox. ". "If you want to be able to download the mail using POP3 and also ". "leave it on the server so you can see it with WebMail, you will need ". "to adjust the settings in your POP3 client to tell it not to delete ". "mail after downloading. ". "For example, to configure this in Outlook Express you would go to ". "Tools - Accounts - Mail - Properties - Advanced ". "and then tick the box 'Leave a copy of message on server'". "". " "; Now, another cosmetic change... : modify the squirrelmail/src/login.php and change the wording of "Name:" to "Email address:". Next, we setup a default document in the web servers root, to redirect our customers through to the SquirrelMail login page. That way when people want to access the WebMail tool they can point their browser to "http://webmail.yourdomain.com" and they will get automatically redirected through to the SquirrelMail directory vi /usr/local/apache/htdocs/index.html Redirect to WebMail login screen... Redirecting to the WebMail login screen... Click here if you are not automatically redirected -------------------------------------------------------------------------------- SPAM AND VIRUS CHECKING OK, now you have a working mail server.. You have loaded all your users and they are giving the new system a good workout. Everything is running nice and smoothly. You sit back and think "my job is done!" Until... users starting coming to you and saying... "Hey, this new mail server is really good... 
But how do I block out all these viruses and spam?"... Uh oh...! Well, luckily the answer is relatively easy..... The qmail-scanner program lets us easily implement anti-spam and anti-virus. Installation instructions follow : RAZOR V2 http://razor.sourceforge.net If Razor is installed, SpamAssassin will automatically include it in the list of tests run. We found that Razor is quite accurate in identifying spam, and it only added small amount of extra CPU load on the server, so it is definitely worth installing. Compile and install : # install the pre-requisite modules for razor perl -MCPAN -e shell #(enter your way through all the questions. The only one you will likely have to answer is regarding your Continent/Country) # tell the cpan shell to follow the dependency tree and automatically grab any required modules o conf prerequisites_policy follow # install the razor pre-requisites now install Net::Ping Net:[url=/bbs/detail_1734900.html][img]http://images.wangchao.net.cn/images/upload/images/lsdn/1212163792908.gif[/img][/url]NS Time::HiRes Test::More Digest::SHA1 Digest::Nilsimsa Digest::MD5 Digest::HMAC URI # and while we are here, we will make sure we have all the SpamAssassin prerequisites installed as well install ExtUtils::MakeMaker File::Spec Pod::Usage HTML::Parser DB_File Net:[url=/bbs/detail_1734900.html][img]http://images.wangchao.net.cn/images/upload/images/lsdn/1212163792939.gif[/img][/url]NS quit # now install the actual razor software tar xzf razor-agents-2.36.tar.gz chown -R root.root razor-agents-2.36 cd razor-agents-2.36 perl Makefile.PL wget ftp://ftp.pipeline.com.au/pipeint/S...azor2.patch.txt patch -p0 -d lib/Razor2 make make test make install cd .. The Razor programs will now be installed in /usr/bin. 
In particular, SpamAssassin makes use of the program called "razor-check".

The last job is to create the Razor configuration files (they get put into /etc/razor/) by using these commands:

razor-client
razor-admin -d -create -home=/etc/razor

SPAMASSASSIN
http://www.spamassassin.org

Description: SpamAssassin is a program that scans email messages using a set of rules, and then assigns a score. If the score is higher than your nominated limit, then the message will be tagged as spam.

Download and compile:

wget http://www.spamassassin.org/release...sin-2.63.tar.gz
tar xzf Mail-SpamAssassin-2.63.tar.gz
chown -R root.root Mail-SpamAssassin-2.63
cd Mail-SpamAssassin-2.63
perl Makefile.PL
make
make install

"make install" creates the following main files:

/usr/bin/spamassassin
/usr/bin/spamc
/usr/bin/spamd
/usr/share/spamassassin/
/etc/mail/spamassassin/local.cf

Test to see if the installation was successful. Run the test twice, feeding it a known-clean message and then a known-spam message on standard input, and watch the output from the script. SpamAssassin will add headers to the message; in particular look for the "X-Spam-Status:" header and see if it correctly tags each message with a Yes or No.

spamassassin -t
spamassassin -t

To improve security, modify the configuration of the spamd daemon so it runs under its own uid.

Create a spamd user for the spamd process to run as:

groupadd spamd
useradd -g spamd spamd

Modify / create the spamd configuration file:

vi /etc/sysconfig/spamassassin

# Hint: if you want to enable SpamAssassin debugging
# (the debug output goes to /var/log/maillog) then use:
# SPAMDOPTIONS="-x -u spamd -H /home/spamd -d -D"
# Don't leave debugging turned on unnecessarily though,
# because it will slow down a busy server.
#
# Otherwise, for normal operation (debugging disabled) use:
SPAMDOPTIONS="-x -u spamd -H /home/spamd -d"

Configure the spamd daemon so it is running all the time from bootup onwards:

cp spamd/redhat-rc-script.sh /etc/rc.d/init.d/spamd
chmod 700 /etc/rc.d/init.d/spamd
cd ..
chkconfig --add spamd

Then I like to use the ntsysv program to double-check that spamd is set to launch at boot time.

Set up the SpamAssassin configuration:

vi /etc/mail/spamassassin/local.cf

# Define the sensitivity level. Standard level is 5.
# After a lot of testing, we found that 10 was the best option.
# We found that anything lower produced too many false positives.
required_hits 10

# Allow SpamAssassin to rewrite the subject line of any messages it classifies as spam
rewrite_subject 1

# This is the value that will be prepended to the subject line of messages classified as spam
subject_tag [SPAM]

# Put spam analysis reports into the headers of the message (rather than the body)
report_safe 0

# SpamAssassin by default will try to run the following spam-detection utilities
# for every mail message. (You can read about them at http://www.spamassassin.org/dist/INSTALL)
# We don't want to waste any CPU cycles trying to run utilities that we don't have installed,
# so disable these tests for the moment.
use_dcc 0
use_pyzor 0

# Enable razor2 checking
use_razor2 1

# Enable SpamAssassin's RBL checking features:
# Although we have already done some RBL filtering earlier in qmail's rblsmtpd program,
# it is still recommended to turn on RBL checking in SpamAssassin, as it will run
# checks against a variety of different RBL sources, and the results will help
# tag spam more accurately
skip_rbl_checks 0

# If we haven't received a response from the RBL server in X seconds, then skip that test
rbl_timeout 3

# Now we want to alter some of the default scores for RBL hits
#
# By default the bl.spamcop.net RBL score is 0 (disabled).
# We will override this and give any hits a score of 3
# Info about this RBL is available from http://spamcop.net/fom-serve/cache/290.html
score RCVD_IN_BL_SPAMCOP_NET 3

# You can nominate any netblocks that you control, and which contain mailservers that
# you trust. IE you control the mailservers in these netblocks so there is no
# need to be running RBL checks against these particular servers.
# In the example below we are allowing the class-C 123.123.123.0 to go without
# SpamAssassin RBL checking
trusted_networks 123.123.123.

use_bayes 1
bayes_auto_learn 1
bayes_path /home/spamd/.spamassassin/bayes

If you wish to view all the possible configuration options, use this command:

perldoc Mail::SpamAssassin::Conf

OK, the SpamAssassin software is now fully installed! Any mail that SpamAssassin classifies as spam will have [SPAM] added to the subject line. You should now probably set up some docs for your users showing them how they can use message filtering rules in their email client. You can see our message filtering guides here.

If you aren't ready to reboot the server now, you can fire up spamd in the meantime with this command:

/etc/rc.d/init.d/spamd start

If all goes well you will see some output like this:

9721 ? S 0:01 /usr/bin/spamd -x -u spamd -H /home/spamd -d

(Note that spam filtering isn't actually operational on your server yet; you need to use the qmail-scanner program to feed mail through the SpamAssassin scripts.)

ANTI-VIRUS

At my ISP, for the last few years we have used Trend Micro InterScan VirusWall for Linux, and we are happy with its performance and reliability.

We tried "McAfee VirusScan Command Line Scanner for Linux" a while back but found it suffered from resource problems and often crashed while scanning mail.

The open source Clam AntiVirus package is also very popular, so I will present installation instructions for it below:

Clam Anti-Virus
http://www.clamav.net

Clam AntiVirus can run in two different modes: either as a normal command line scanner, or as a client/daemon pair. When working as a command line scanner, you perform your scanning using the program "clamscan".
If a complex program like a virus scanner is run repetitively (ie being launched for every email that passes through your system), it chews up a lot of CPU/disk resources. To get around this issue you can launch Clam as a daemon (clamd). This is where a copy of Clam is launched and stays active in the background. You then do your scanning using the clamdscan client, which is only small, thus making it fast to launch/run. The client sends commands to the daemon, and the daemon will take care of scanning the message and returning the results to the client. (The same technique is used by SpamAssassin, where you can use the full spamassassin command line version, or the spamc/spamd client/daemon pair.)

In a busy environment, there is no doubt that the client/daemon method is the best way to go, but unfortunately I can not recommend clamd at this point, because it doesn't appear to be 100% stable. I tried it on the production server at my ISP and it initially seemed to go OK. However, I have read reports on the Internet about clamd being unstable, and even the Clam README file makes mention of this problem. So for the moment, I would recommend you don't set up the clamd process, and just stick with the full clamscan scanner.

groupadd clamav
useradd -g clamav -s /bin/false -c "Clam AntiVirus" clamav
wget http://flow.dl.sourceforge.net/sour...mav-0.65.tar.gz
tar xzf clamav-0.65.tar.gz
cd clamav-0.65
./configure
make
make install

Download the latest updates:

/usr/local/bin/freshclam -v

Schedule automatic downloading:

touch /var/log/clam-update.log
chmod 600 /var/log/clam-update.log
chown clamav /var/log/clam-update.log
crontab -e
0 * * * * /usr/local/bin/freshclam --quiet -l /var/log/clam-update.log

QMAIL-SCANNER
http://qmail-scanner.sourceforge.net

Description: Qmail-Scanner is an add-on that enables a qmail server to scan messages for certain characteristics.
It is typically used for its anti-virus protection functions, in which case it is used in conjunction with commercial (or open source) virus scanners. It is also capable of blocking email that contains specific strings in particular headers, or particular attachment filenames or types (e.g. *.VBS attachments).

Install the required supporting modules for Qmail-Scanner.

TNEF unpacker
http://sourceforge.net/projects/tnef/

tar xzf tnef-1.2.3.tar.gz
cd tnef-1.2.3
./configure
make
make install
cd ..

ReformatMIME (from the Maildrop package)
http://download.sourceforge.net/courier/

bunzip2 maildrop-1.6.3.tar.bz2
tar xf maildrop-1.6.3.tar
cd maildrop-1.6.3
./configure
make
make install-strip
make install-man
cd ..

Download and unpack the qmail-scanner program:
http://qmail-scanner.sourceforge.net

tar xzf qmail-scanner-1.20.tgz
cd qmail-scanner-1.20

Now at this point, I would recommend you spend some time reading the qmail-scanner documentation.

Next, create a user and group for qmail-scanner to run under:

groupadd qscand
useradd -c "Qmail-Scanner Account" -g qscand -s /bin/false qscand

Configure Qmail-Scanner:

# Here are the settings we used at our site for configuring Qmail-Scanner:
#
# configure Qmail-Scanner to work in the following manner:
# - notify a nominated admin each time a virus is detected
#   (in this case it will be virusadmin@yourdomain.com)
# - use the command line version of Clam AV for anti-virus scanning.
#   I don't recommend clamdscan at this point as the client/daemon method still seems unstable.
# - enable support for spamc/spamd in "verbose" mode.
#   Qmail-Scanner can run spamd in "fast" mode or "verbose" mode.
#   You can read more about this at the Qmail-Scanner FAQ page.
#   I would recommend that you use verbose mode as this allows you to get access to
#   the full reporting/tagging features that SpamAssassin can provide. It costs you
#   a fraction more CPU power, but provides a much greater range of features.
#
./configure --admin virusadmin --domain yourdomain.com --scanners clamscan,verbose_spamassassin --debug no --install

Follow the notes generated by the install script, ie run this command and make sure you don't receive any errors:

setuidgid qmaild /var/qmail/bin/qmail-scanner-queue.pl -g

Edit the perlscanner file which is used to block mail that contains particular strings. perlscanner is a tool that is included with qmail-scanner, and it is executed after all the other anti-virus scanners have run (eg clamscan). This system provides a good failsafe in case some new virus comes along that the virus scanner can't detect yet. perlscanner is perfect for blocking those virus-prone attachments that have no legitimate purpose in email.

vi /var/spool/qmailscan/quarantine-attachments.txt

Uncomment the following lines (the fields in this file are tab-separated):

.vbs	0	VBS files not allowed per Company security policy
.scr	0	SCR files not allowed per Company security policy
.wsh	0	WSH files not allowed per Company security policy
.hta	0	HTA files not allowed per Company security policy
.pif	0	PIF files not allowed per Company security policy

# rebuild the perlscanner database
setuidgid qmaild /var/qmail/bin/qmail-scanner-queue.pl -g

Any SMTP sessions that are dropped (due to network outages etc) may lead to files lying around in /var/spool/qmailscan. Running /var/qmail/bin/qmail-scanner-queue.pl -z at least once daily will ensure such files are deleted when they're over 30 hours old. We will make a cronjob to do that:

crontab -e
0 0 * * * /var/qmail/bin/qmail-scanner-queue.pl -z

Next, make sure that your qmail-smtpd script allocates sufficient resources to support the needs of Qmail-Scanner + Antivirus + SpamAssassin:

vi /var/qmail/supervise/qmail-smtpd/run

Change the softlimit from 2000000 to something a fair bit larger. We use 15000000.

Now define what mail is to be sent through Qmail-Scanner. At our site, we have configured Qmail-Scanner to virus-scan all messages (ie inbound and outbound mail).
We did this by setting up our /var/qmail/supervise/qmail-smtpd/run file like this:

#!/bin/sh
# when QMAILQUEUE is set, all mail will be sent to the nominated script
QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
export QMAILQUEUE
QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
# softlimit needs to be set at something large such as 15000000
# to allow virusscanning software to run successfully
exec /usr/local/bin/softlimit -m 15000000 /usr/local/bin/tcpserver -v -x /etc/tcp.smtp.cdb -c 30 -R -u "$QMAILDUID" -g "$NOFILESGID" 0 smtp
... and the rest of the file snipped ...

However, if you don't want to virus-scan all mail, you can selectively nominate which IP ranges should or shouldn't be checked by setting the QMAILQUEUE variable via your /etc/tcp.smtp file rather than inside the supervise/qmail-smtpd/run file. Refer to the Qmail-Scanner home page for setup examples.

QMAIL-SCANNER / SPAMASSASSIN NOTES:

How can I tell if SpamAssassin is working?

Each time SpamAssassin processes a message, it will log some information to /var/log/maillog (score, message size, time taken to process).

Not all mail gets passed through SpamAssassin

We have configured our supervise/qmail-smtpd/run script so that it runs Qmail-Scanner for every mail message. This means all incoming and outgoing mail will get virus-checked. However, this doesn't necessarily mean that every message passing through Qmail-Scanner will also get sent through SpamAssassin. Qmail-Scanner has been coded so that messages are only passed on to SpamAssassin if the RELAYCLIENT variable from tcp.smtp is not set. The idea behind this is to reduce load on the system by not running SpamAssassin on mail originated by your users. It is possible to force SpamAssassin checking for local users if you choose, by setting QS_SPAMASSASSIN="on" for the appropriate entries in your tcp.smtp file. You can read more about this subject at the Qmail-Scanner FAQ page.

Is it possible to configure per-user settings for SpamAssassin?

It depends on your configuration. We believe it will be possible to implement an interface so that vpopmail users can turn SpamAssassin checking on/off, and also set their own custom required_hits. We are hoping to store these settings as additional columns in the vpopmail MySQL database... Stay tuned and we will post more info as it comes to hand.

Qmail-Scanner's quarantine directory

Each virus-infected mail message gets quarantined into the following directory:

/var/spool/qmailscan/quarantine/new

So you will need to periodically purge the files from that dir, or else your hard disk will eventually fill up!

--------------------------------------------------------------------------------

TIPS & MISC NOTES:

"ps axf" is your friend. Particularly useful for visualising how the supervise/qmail processes all fit together.

"ps axfu" is good for double-checking what accounts the individual server processes are running under.

--------------------------------------------------------------------------------

SOME EXAMPLE MAILBOX MANAGEMENT SCRIPTS:

Since all the information for your email domains and mailboxes is stored in MySQL, it is easy to create scripts so your support staff can quickly navigate / view all this account information.

Our support staff's intranet site is a Windows 2000 machine running IIS5 with ASP. Here are a couple of example ASP scripts that I hacked together that show what can be achieved: vpopmail-asp-scripts.v120.zip. No doubt it would be easy enough to use these same techniques in PHP if you are running Linux/Apache for your intranet.

The script "viewvlogs" allows you to browse through the vpopmail "vlog" table in MySQL to look for people who have failed to authenticate successfully when trying to check mail.

The script "viewpop3" allows you to see a list of email domains hosted on your server. You can do things like view all users from a domain, or view an individual mailbox. The output will show useful things like clear passwords and mailbox size. Also there are buttons that will log you into qmailadmin or SquirrelMail as a given user using just a single mouse click.

Screenshots of the viewpop3 script: Main login screen; Login to a domain; View all mailboxes on a domain; Login to an email address; View details for email address.

One final note: if you are running IIS, you need to download and install the MySQL Connector ODBC "Windows Driver Installer" files onto your server to allow these scripts to work.
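Coming back to "How can I tell if SpamAssassin is working?" in the QMAIL-SCANNER / SPAMASSASSIN NOTES above: the following shell/awk script is an added example (not from the original guide or from the SpamAssassin project) that summarises the spamd verdict lines found in /var/log/maillog. The log lines in it are constructed samples in the format spamd 2.6x writes (score/threshold, user, scan time, size); the "near threshold" count is a tuning aid for the required_hits value discussed in the local.cf section.

```shell
#!/bin/sh
# Added example, not part of the original guide. Summarises spamd verdicts
# from /var/log/maillog. The lines below are CONSTRUCTED samples in the
# format spamd 2.6x logs: "identified spam (score/threshold) for user:uid
# in N seconds, M bytes." or "clean message (...)".
SAMPLE_MAILLOG='Mar  1 10:00:01 mail spamd[9721]: identified spam (13.4/10.0) for qscand:507 in 2.3 seconds, 4521 bytes.
Mar  1 10:00:05 mail spamd[9721]: clean message (1.2/10.0) for qscand:507 in 1.1 seconds, 2345 bytes.
Mar  1 10:00:09 mail spamd[9721]: clean message (7.8/10.0) for qscand:507 in 1.9 seconds, 8012 bytes.
Mar  1 10:00:12 mail spamd[9721]: identified spam (25.1/10.0) for qscand:507 in 3.0 seconds, 1200 bytes.
Mar  1 10:00:13 mail qmail-scanner[9802]: some unrelated qmail-scanner line'

# Read log lines on stdin; print spam/clean counts, total scan time, and
# how many clean messages scored within 3 points of required_hits (the
# ones worth a look before you consider lowering the threshold).
spamd_summary() {
  awk '
    /spamd\[[0-9]+\]: (identified spam|clean message) \(/ {
      split($0, f, "[()/]")          # f[2] = score, f[3] = threshold
      for (i = 1; i <= NF; i++)
        if ($i == "seconds,") secs += $(i-1)
      if ($0 ~ /identified spam/) spam++
      else { clean++; if (f[3] - f[2] <= 3) near++ }
    }
    END { printf "spam=%d clean=%d near_threshold=%d seconds=%.1f\n",
                 spam+0, clean+0, near+0, secs+0 }'
}

# On a live server you would run:  grep spamd /var/log/maillog | spamd_summary
printf '%s\n' "$SAMPLE_MAILLOG" | spamd_summary
```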
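Also from the notes above, on which mail reaches SpamAssassin: this shell script is an added example (not from the original guide or from Qmail-Scanner) that models how tcpserver picks a tcp.smtp rule for a connecting IP and what that rule means for RELAYCLIENT, QMAILQUEUE and QS_SPAMASSASSIN. It assumes the guide's alternative layout where QMAILQUEUE is set per rule in tcp.smtp rather than in supervise/qmail-smtpd/run; the rule lines and client addresses are constructed samples (the 123.123.123. block mirrors the guide's trusted_networks example).

```shell
#!/bin/sh
# Added example, not part of the original guide or of Qmail-Scanner.
# Models tcpserver's rule lookup on a tcp.smtp file and what the matched
# rule means for the QMAILQUEUE / RELAYCLIENT / QS_SPAMASSASSIN variables.
# Assumes QMAILQUEUE is set per rule here (the guide's alternative to
# setting it in supervise/qmail-smtpd/run). Rules are CONSTRUCTED samples.
QS=/var/qmail/bin/qmail-scanner-queue.pl
TCP_SMTP_RULES="127.:allow,RELAYCLIENT=\"\",QMAILQUEUE=\"$QS\",QS_SPAMASSASSIN=\"on\"
123.123.123.:allow,RELAYCLIENT=\"\",QMAILQUEUE=\"$QS\"
10.9.8.7:allow,QMAILQUEUE=\"$QS\"
:allow,QMAILQUEUE=\"$QS\""

# tcpserver tries the exact IP, then ever shorter dotted prefixes
# (1.2.3.4, 1.2.3., 1.2., 1.), and finally the empty catch-all address.
lookup_rule() {
  candidate=$1
  while :; do
    rule=$(printf '%s\n' "$TCP_SMTP_RULES" | awk -F: -v a="$candidate" '$1 == a { print; exit }')
    if [ -n "$rule" ]; then printf '%s\n' "$rule"; return 0; fi
    if [ -z "$candidate" ]; then return 1; fi
    candidate=$(printf '%s' "$candidate" | sed 's/\.$//; s/[^.]*$//')
  done
}

# Decide, for one client IP: may it relay, is Qmail-Scanner in the path,
# and will Qmail-Scanner call SpamAssassin (only when RELAYCLIENT is unset,
# unless QS_SPAMASSASSIN="on" forces it)?
smtp_policy() {
  rule=$(lookup_rule "$1") || rule=""   # no rule: tcpserver allows, sets nothing
  relay=no; scanner=no; spam=no
  case $rule in *RELAYCLIENT=*) relay=yes ;; esac
  case $rule in *QMAILQUEUE=*) scanner=yes ;; esac
  if [ "$scanner" = yes ]; then
    if [ "$relay" = no ]; then spam=yes; fi
    case $rule in *QS_SPAMASSASSIN=\"on\"*) spam=yes ;; esac
  fi
  echo "relay=$relay scanner=$scanner spamassassin=$spam"
}

for ip in 127.0.0.1 123.123.123.45 10.9.8.7 203.0.113.9; do
  echo "$ip: $(smtp_policy "$ip")"
done
```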