This guide is an update of the guide from September 2005 located at
http://forums.gentoo.org/viewtopic-t-382072-start-0.html
That was written as an updated version of the guide originally posted by Sabrex at
http://forums.gentoo.org/viewtopic-t-171499-start-0.html
Contributions posted by readers of both of those threads are included.

This guide uses some masked packages and some unofficial bugfixes. If you don't feel like being experimental you'll probably be better off using Mobiusproject's updated guide at
http://forums.gentoo.org/viewtopic-t-527246.html

Some people have reported bugs. Bugs are corrected in the guide as soon as someone finds a solution. My server has now been running in production for 6 weeks without any significant problems.

Some advantages of using this guide over the old ones:
- Mails sent using smtp-auth are not scanned by spamassassin (faster sending)
- Webmail users get access to a list of what the mailscanner has done with their mails
- Mail to accounts not on this server is rejected BEFORE it's passed through the mailfilter

I've also got inspiration from other guides located at
http://gentoo-wiki.com/QmailRocksOnGentoo
and
http://gentoo-wiki.com/Qmail_Anti-Spam_Configuration

Please check the bug summary at the bottom of the guide. (will be created when bugs are discovered)


Changelog
2007.02.17: posted link and edited installation notes for qms-loganalyzer
2007.02.18: posted link and edited installation notes for chkuser_pg smtp plugin
2007.02.21: step 4: fixed line to append to /etc/sudoers (using visudo)
2007.02.21: added this changelog
2007.02.27: new version of chkuser_pg
2007.02.27: removed status "pre-tested"
2007.03.08: added note regarding outbound mail from server when connection is filtered by ISP
2007.03.31: new version of chkuser_pg - fix the dot-issue
2007.04.04: added trick from Stripe regarding doublebounce
2007.07.09: swapped two lines for razor-admin to avoid a warning

Packagelisting
Packages and USE flags used in this guide:

Code:

[b]emerge -pv netqmail vpopmail courier-imap pyzor razor dcc spamassassin clamav[/b]
net-mail/queue-repair-0.9.0  13 kB
net-mail/dot-forward-0.71-r2  0 kB
sys-process/daemontools-0.76-r5  USE="-doc (-selinux) -static" 0 kB
net-mail/cmd5checkpw-0.30  0 kB
net-mail/checkpassword-0.90-r2  USE="-static" 0 kB
[b]mail-mta/netqmail-1.05-r4[/b]  USE="highvolume qmail-spp ssl -gencertdaily -mailwrapper -noauthcram -vanilla" 408 kB
virtual/qmail-1.03  0 kB
[b]net-mail/vpopmail-5.4.16[/b]  USE="mysql -clearpasswd -ipalias" 442 kB
net-libs/courier-authlib-0.58  USE="berkdb crypt gdbm ldap mysql pam -debug -postgres" 1,959 kB
dev-libs/glib-2.12.4-r1  USE="hardened -debug -doc" 2,801 kB
app-admin/gamin-0.1.7  USE="-debug -doc" 529 kB
[b]net-mail/courier-imap-4.0.4[/b]  USE="berkdb fam gdbm nls -debug -ipv6 (-selinux)" 3,082 kB
[b]dev-python/pyzor-0.4.0-r2[/b]  40 kB
virtual/perl-net-ping-2.31  0 kB
dev-perl/Digest-Nilsimsa-0.06-r1  77 kB
virtual/perl-Digest-MD5-2.36  0 kB
virtual/perl-MIME-Base64-3.07  0 kB
perl-core/digest-base-1.13  7 kB
virtual/perl-digest-base-1.13  0 kB
dev-perl/Digest-SHA1-2.11  37 kB
dev-perl/Digest-HMAC-1.01-r1  13 kB
dev-perl/Net-IP-1.24  25 kB
dev-perl/Net-DNS-0.53-r1  USE="-ipv6" 116 kB
virtual/perl-Time-HiRes-1.86  0 kB
dev-perl/URI-1.35  93 kB
[b]mail-filter/razor-2.82[/b]  77 kB
[b]mail-filter/dcc-1.3.24[/b]  USE="-ipv6 -rrdtool" 1,360 kB
dev-perl/Compress-Raw-Zlib-2.001  201 kB
virtual/perl-Scalar-List-Utils-1.18  0 kB
dev-perl/IO-Compress-Base-2.001  87 kB
dev-perl/IO-Compress-Zlib-2.001  128 kB
dev-perl/Compress-Zlib-2.001  60 kB
dev-perl/IO-Zlib-1.04  9 kB
dev-libs/libassuan-0.6.10  251 kB
dev-libs/pth-1.4.0  434 kB
dev-libs/libksba-0.9.14  480 kB
app-crypt/gnupg-1.4.6  USE="bzip2 curl ldap nls readline zlib -X -bindist -ecc -idea (-selinux) -smartcard -static -usb" LINGUAS="-ru" 3,075 kB
app-crypt/gnupg-1.9.20-r3  USE="caps ldap nls -X -gpg2-experimental (-selinux) -smartcard" 1,767 kB
virtual/perl-Test-Harness-2.56  0 kB
dev-perl/IO-String-1.08  7 kB
dev-perl/Archive-Tar-1.28  35 kB
virtual/perl-PodParser-1.34  0 kB
dev-perl/HTML-Tagset-3.10  7 kB
dev-perl/HTML-Parser-3.48  USE="unicode" 80 kB
virtual/perl-libnet-1.19  0 kB
dev-perl/HTML-Tree-3.19.01  116 kB
dev-perl/Crypt-SSLeay-0.51-r1  114 kB
dev-perl/libwww-perl-5.803-r1  USE="ssl" 229 kB
dev-perl/Net-SSLeay-1.25  75 kB
dev-perl/IO-Socket-SSL-0.97  31 kB
dev-perl/Convert-ASN1-0.19  60 kB
dev-perl/Authen-SASL-2.09  25 kB
dev-perl/XML-Parser-2.34  224 kB
dev-perl/perl-ldap-0.33  USE="sasl ssl xml" 222 kB
virtual/perl-DB_File-1.814  0 kB
[b]mail-filter/spamassassin-3.1.3[/b]  USE="berkdb ldap mysql qmail ssl -doc -ipv6 -postgres -sqlite -tools" 952 kB
[b]app-antivirus/clamav-0.88.7[/b]  USE="crypt -mailwrapper -milter (-selinux)" 9,287 kB


[b]emerge qmail-scanner[/b]
net-mail/ripmime-1.4.0.6  159 kB
net-mail/tnef-1.3.4  1,603 kB
[b]mail-filter/qmail-scanner-2.01[/b]  USE="spamassassin" 318 kB

[b]emerge ezmlm-idx-mysql-0.40-r2[/b]
net-mail/ezmlm-idx-mysql-0.40-r2

[b]emerge qmailadmin squirrelmail[/b]
net-mail/autorespond-2.0.4
dev-php/PEAR-PEAR-1.4.11
dev-php/PEAR-DB-1.7.6-r1
app-admin/webapp-config-1.50.15
net-mail/qmailadmin-1.2.10  USE="-maildrop"
mail-client/squirrelmail-1.4.9a  USE="crypt ldap mysql nls spell ssl vhosts -filter -postgres"


Assumes these packages (or similar) are installed, configured and running:
Code:

apache-2.0.55-r1
php-5.1.2
mysql-5.0.19

Before you start it might be a good idea to run
Code:
emerge sync


Firewall configuration
Ports used:
DCC 6277 UDP
Pyzor 24441 TCP/UDP
Razor 2703 TCP
SMTP 25 TCP
POP3 110 TCP
POP3S 995 TCP
IMAP 143 TCP
IMAPS 993 TCP
HTTP 80 TCP
HTTPS 443 TCP


1) Ensure that the proper USE flags are set
Code:

> nano -w /etc/make.conf

Compare your USE flags to those shown in the emerge -pv listings above.

+ipalias is useful if you're setting up the server without having a domain for it. Say you have another server running on the domain you're going to use, but don't want to put this server into production before it's well tested. If you have a (sub)domain for testing purposes you don't need to enable this. I have a domain and test domains, so I don't use this.
-ipv6 disables use of IPv6. It has been causing problems for quite a few people. If you're not using IPv6, why have it enabled? As of 2005.1 ipv6 has been enabled by default in Gentoo. Disable it to save yourself some problems.
+ssl if you want SSL support
+fam According to the Courier-imap documentation, famd will use fewer resources than the similar function built into Courier.
qmail-spp is required to make the chkuser qmail patch run

2) Installing qmail
Code:

> emerge -pv netqmail

You might see packages blocking the installation of netqmail. Unmerge them:
Code:

> emerge -C (append name of blocking package(s) here!)


Patch qmail for only_auth_after_tls
I could have made a diff file for this, but I will assume there will be a new ebuild out, and I don't feel like keeping the diff updated at all times.

Make sure you have PORTDIR_OVERLAY=/usr/local/portage in your /etc/make.conf
Code:

> mkdir -p /usr/local/portage/mail-mta/netqmail
> cp -a /usr/portage/mail-mta/netqmail/* /usr/local/portage/mail-mta/netqmail/
> cd /usr/local/portage/mail-mta/netqmail
> nano -w netqmail-1.05-r4.ebuild
Append " notlsbeforeauth" to the line starting with "IUSE="

Find the line
   if [[ -n "${QMAIL_PATCH_DIR}" && -d "${QMAIL_PATCH_DIR}" ]]

insert these lines [b]before[/b] that line:
   if use ssl; then
      epatch ${FILESDIR}/qmail-smtpd-tlsbeforeauth.patch
   fi

Find the line
   use ssl && append-flags -DTLS

insert these lines [b]after[/b] that line:
   if use ssl; then
      if ! use notlsbeforeauth; then
         einfo "Enabling STARTTLS before SMTP AUTH"
         append-flags -DTLS_BEFORE_AUTH
      else
         einfo "Disabling STARTTLS before SMTP AUTH"
      fi
   fi


> cd files
> wget http://bugs.gentoo.org/attachment.cgi?id=89342
> mv attachment.cgi\?id\=89342 qmail-smtpd-tlsbeforeauth.patch
> ebuild /usr/local/portage/mail-mta/netqmail/netqmail-1.05-r4.ebuild digest
> emerge -pv netqmail


This should return
mail-mta/netqmail-1.05-r4 USE="highvolume qmail-spp ssl -gencertdaily -mailwrapper -noauthcram -notlsbeforeauth% -vanilla" 0 kB [1]

Make sure you get the -notlsbeforeauth% flag and the [1] at the end. If you don't get this, emerge is not using the ebuild from the overlay directory.

Code:

> emerge netqmail


3) Install most stuff in one go
Code:

> emerge vpopmail courier-imap pyzor razor dcc spamassassin clamav


4) Install the chkuser patch
emerge app-admin/sudo if you don't have it installed

Setup sudo:
Code:

> visudo
Append this line:
qmaild          ALL=(vpopmail)  NOPASSWD: /var/qmail/plugins/chkuser_pg/vpopchk.sh


Download and unpack the plugin https://sourceforge.net/projects/vpop-chkuser-pg
Unpack to /var/qmail/plugins/

Code:

> nano -w /var/qmail/control/smtpplugins

add this line after the [rcpt]:
plugins/chkuser_pg/rcptchk-pg.sh


5) Configure qmail
Code:

> nano -w /var/qmail/control/servercert.cnf
Modify to whatever suits your needs and save/exit
> emerge --config netqmail
Press [enter] to continue whenever it asks you to modify /var/qmail/control/servercert.cnf. You've done that.


Setup/start smtp service
Code:

> ln -s /var/qmail/supervise/qmail-send /service/qmail-send
> ln -s /var/qmail/supervise/qmail-smtpd /service/qmail-smtpd

> rc-update add svscan default
> /etc/init.d/svscan start


Make mails to root, postmaster, mailer-daemon@localhost go somewhere
Code:

echo some_mail@some_domain > /var/qmail/alias/.qmail-root
echo some_mail@some_domain > /var/qmail/alias/.qmail-postmaster
echo some_mail@some_domain > /var/qmail/alias/.qmail-mailer-daemon
ln -s /var/qmail/alias/.qmail-root /var/qmail/alias/.qmail-anonymous
chmod 644 /var/qmail/alias/.qmail*


6) Setup vpopmail
Create the vpopmail database.
Code:

Login to the mysql server (as a user with permissions to create databases and add users)
mysql> create database vpopmail;
mysql> grant select, insert, update, delete, create, drop on vpopmail.* to vpopmail@localhost identified by 'your vpopmail password';
mysql> flush privileges;
mysql> quit

Choose a vpopmail password that is not used anywhere else. The password has to be saved in cleartext! You'll never need to remember it after you're done with the installation.
If your mysql server is not running on localhost, change the vpopmail@hostname accordingly.

Edit vpopmail.conf.
Code:

> nano -w /etc/vpopmail.conf

Modify these lines - insert your vpopmail password:

# Read-only DB
localhost|0|vpopmail|your vpopmail password|vpopmail
# Write DB
localhost|0|vpopmail|your vpopmail password|vpopmail

save/exit

Make sure the vpopmail.conf is readable for the vpopmail user. Default is ownership = root:vpopmail with 640 permissions

7) Configure imap and pop3 server
Make courier use vpop for authentication
Code:

> nano -w /etc/courier/authlib/authdaemonrc

edit the line authmodulelist=.. to read:
authmodulelist="authvchkpw"

save/exit

Thunderbird defaults to having 5 imap connections for caching purposes, but courier-imap only allows 4 connections per ip. This can cause some errors in thunderbird (possible data loss). It's easier to just allow 5 connections per ip rather than have everyone change thunderbird, so:
Modify /etc/courier-imap/imapd:
Code:

> nano /etc/courier-imap/imapd

edit:
MAXPERIP=5


Create certificates
Code:

> nano -w /etc/courier-imap/imapd.cnf

Edit according to your server/location/domain

save/exit

Code:

> nano -w /etc/courier-imap/pop3d.cnf

Edit according to your server/location/domain

save/exit


Generate certificates:
Code:

(only if you're going to run imap-ssl server)
> mkimapdcert
(only if you're going to run pop3-ssl server)
> mkpop3dcert


Start the servers (all or just some of them)
Code:

for x in courier-imapd courier-pop3d courier-imapd-ssl courier-pop3d-ssl; do /etc/init.d/$x start && rc-update add $x default ; done


I'm running all 4 servers. Users may decide if they want imap or pop3. A firewall makes sure that the non-ssl servers are unavailable for users located outside the local network.

8) update the smtpd config to allow smtp-auth using vpopmail
Code:

> nano -w /var/qmail/control/conf-smtpd

Make the file look like this:

QMAIL_SMTP_CHECKPASSWORD="/var/vpopmail/bin/vchkpw"
 
[[ -n "${QMAIL_SMTP_CHECKPASSWORD}" ]] && {
        [[ -z "${QMAIL_SMTP_POST}" ]] && QMAIL_SMTP_POST=/bin/true
        QMAIL_SMTP_POST="${QMAIL_SMTP_CHECKPASSWORD} ${QMAIL_SMTP_POST}"
}

save/exit

Prepare for qmailfilter
Code:

> nano -w /var/qmail/control/conf-common
Modify the SOFTLIMIT to:
SOFTLIMIT_OPTS="-m 32000000"

save/exit

The following step makes sending mail a lot faster under some circumstances, and I highly recommend that you do the following if you notice delays of 30 to 45 seconds sending mail:
Code:

> nano -w /var/qmail/control/conf-common
TCPSERVER_OPTS="-H -l 0" (that's lower-case L followed by zero)

save/exit

Route all outgoing smtp connections through your ISP's smtp server. (Some spamfilters require this to accept the mails passed through the smtp-server.)
Code:

echo ":smtp.ISP.NET" > /var/qmail/control/smtproutes


Reload smtp config
Code:

> svc -t /var/qmail/supervise/qmail-smtpd



9) Configure spam filter and database clients
Configure Razor
(Replace the email and password with whatever suits you)
Code:

> razor-admin --home=/etc/mail/spamassassin/.razor -discover
> razor-admin --home=/etc/mail/spamassassin/.razor -create
> razor-admin --home=/etc/mail/spamassassin/.razor --user=postmaster@domain.com -pass=ThePassword -register
> echo razorhome = /etc/mail/spamassassin/.razor >> /etc/mail/spamassassin/.razor/razor-agent.conf


Configure Pyzor
Code:

> pyzor --homedir /etc/mail/spamassassin/.pyzor discover


SpamAssassin
Code:

> nano -w /etc/conf.d/spamd
Modify:
SPAMD_OPTS="-x -H /etc/mail/spamassassin/"

save/exit

Code:

> mkdir /var/run/spamd/
> chown vpopmail:vpopmail /var/run/spamd/


Enable plugins for spamassassin:
Uncomment the line:
Code:

> nano /etc/mail/spamassassin/v310.pre
loadplugin Mail::SpamAssassin::Plugin::DCC

Verify the Pyzor and Razor2 plugins are not commented out
save and exit

Uncomment the lines:
Code:

> nano /etc/mail/spamassassin/init.pre
loadplugin Mail::SpamAssassin::Plugin::URIDNSBL
loadplugin Mail::SpamAssassin::Plugin::SPF

save and exit

Code:

> nano -w /etc/spamassassin/local.cf

required_score 4
rewrite_header Subject *****SPAM*****
#report_safe 1

# The sender IP addresses considered safe
trusted_networks 192.168.

dns_available yes

use_bayes 1
bayes_path /etc/mail/spamassassin/bayes
bayes_file_mode 0770
bayes_auto_learn 1
bayes_learn_during_report 1
bayes_use_hapaxes 1
bayes_auto_learn_threshold_nonspam 0.2
bayes_auto_learn_threshold_spam 10.00
bayes_ignore_header X-Bogosity
bayes_ignore_header X-Spam-Flag
bayes_ignore_header X-Spam-Status

#   Set file-locking method (flock is not safe over NFS, but is faster)
lock_method flock

Remember to modify the "trusted_networks" line to fit the IPs you trust.
Also, if you're sharing spamassassin files over NFS, disable "lock_method flock"
save/exit

Start spamd
Code:

> /etc/init.d/spamd start
> rc-update add spamd default


Build Spamassassin database
Code:

> sa-learn --sync


10) Configure Clamav
Code:

> nano -w /etc/freshclam.conf
add: UpdateLogFile /var/log/clamav/freshclam.log
update DatabaseMirror to a mirror close to your server

save/exit

Code:

> nano -w /etc/clamd.conf
add: LogFile /var/log/clamav/clamd.log

save/exit

Start clamav
Code:

> /etc/init.d/clamd start
> rc-update add clamd default



11) install qmail-scanner
Make sure spamassassin and clamav are running while emerging qmail-scanner.
Code:

> echo "=mail-filter/qmail-scanner-2.01 ~x86" >> /etc/portage/package.keywords
> emerge qmail-scanner



Scroll back about 100-150 lines... look for two things:
1) The lines printed in bold below:
Quote:

Searching .....................................
==============================================================
The following binaries and scanners were found on your system:
==============================================================

[b]mimeunpacker=/usr/bin/ripmime[/b]

Content/Virus Scanners installed on your System

max-scan-size=100000000
[b]clamdscan=/usr/bin/clamdscan[/b]
(which means clamscan won't be used as clamdscan is better)
[b]fast_spamassassin=/usr/bin/spamc -t 30[/b]

If those lines are not there you've missed something in the installation of clamav, spamassassin or ripmime. Look for any handy debug messages and go back to redo whatever needed.

2) "access denied", "permission denied" or "no such file"
There might be a reason why qmail-scanner-2.01.ebuild is ~masked.
I ran into access denied errors or missing file errors at a few places. You might do so as well. So: (if you don't get access denied errors or missing file errors, don't do this step!)
Code:

> mkdir -p /var/spool/qscan/quarantine/viruses/tmp /var/spool/qscan/quarantine/viruses/cur /var/spool/qscan/quarantine/viruses/new
> mkdir -p /var/spool/qscan/quarantine/spam/tmp /var/spool/qscan/quarantine/spam/cur /var/spool/qscan/quarantine/spam/new
> mkdir -p /var/spool/qscan/quarantine/policy/tmp /var/spool/qscan/quarantine/policy/cur /var/spool/qscan/quarantine/policy/new
> mkdir -p /var/spool/qscan/working/tmp /var/spool/qscan/working/cur /var/spool/qscan/working/new
> mkdir -p /var/spool/qscan/archive/tmp /var/spool/qscan/archive/cur /var/spool/qscan/archive/new
> chown -R qscand:qscand /var/spool/qscan/

FEATURES="keepwork keeptemp" emerge qmail-scanner
cp /var/tmp/portage/mail-filter/qmail-scanner-2.01/work/qmail-scanner-2.01/quarantine-events.txt /var/spool/qscan/
chown -R qscand:qscand /var/spool/qscan/
setuidgid qscand /var/qmail/bin/qmail-scanner-queue.pl -g
setuidgid qscand /var/qmail/bin/qmail-scanner-queue.pl -z


Reconfigure SpamAssassin
Code:

> /etc/init.d/spamd stop
> nano -w /etc/conf.d/spamd

Modify:
SPAMD_OPTS="-m 5 -u qscand -x -H /etc/mail/spamassassin/"
PIDFILE="/var/run/spamd/spamd.pid"

save/exit

Code:

> mkdir /var/run/spamd
> chown qscand:qscand /var/run/spamd
> chown -R qscand:qscand /etc/mail/spamassassin


Start spamd
Code:

> /etc/init.d/spamd start


Reconfigure Clamd
Code:

> nano -w /etc/clamd.conf
Modify:

User qscand

save/exit

Code:

> nano -w /etc/freshclam.conf
Modify:

DatabaseOwner qscand

save/exit

Code:

> chown -R qscand:qscand /var/lib/clamav
> chown -R qscand:qscand /var/run/clamav
> chown -R qscand:qscand /var/log/clamav
> /etc/init.d/clamd start


Activate qmail-scanner
Code:

> nano -w /etc/tcprules.d/tcp.qmail-smtp
Make sure there are lines like this:

#IPs allowed to relay - don't scan with qmail-scanner
## localhost
127.0.0.:allow,RELAYCLIENT="",RBLSMTPD=""
## Local network
192.168.2.:allow,RELAYCLIENT="",RBLSMTPD=""
## server public IP
123.123.123.123:allow,RELAYCLIENT="",RBLSMTPD=""

# Don't relay from other IPs. Scan with qmail-scanner
:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue"
# Note: As of qmail-scanner 1.20 we use a wrapper - not qmail-scanner-queue.pl

save/exit

update the cdb
Code:

> cd /etc/tcprules.d/
> tcprules tcp.qmail-smtp.cdb tcp.qmail-smtp.tmp < tcp.qmail-smtp
> svc -t /var/qmail/supervise/qmail-smtpd
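
The relay/scan split in the rules file above can be checked mechanically before the cdb is rebuilt. The following is an added example, not part of the original guide: the function names, the verdict labels and the 203.0.113. network in the second sample are assumptions made for the illustration, and treating an allow rule without QMAILQUEUE or RELAYCLIENT as a finding is this example's policy.

```sh
#!/bin/sh
# Added example, not part of the original guide: classify every rule in a
# tcprules source file by what it lets a connecting client do.
# tcpserver uses the most specific matching address, so the default rule
# (empty address) applies to every host that no other rule names.

# Reads rules on stdin, prints "address<TAB>verdict" per rule.
# Exit status is 1 when any verdict is written in capitals (a risky rule).
audit_tcprules() {
    awk '
    /^[ \t]*#/ { next }                      # comment line
    /^[ \t]*$/ { next }                      # blank line
    {
        sep   = index($0, ":")
        addr  = (sep > 0) ? substr($0, 1, sep - 1) : $0
        rest  = substr($0, sep + 1)
        relay = (rest ~ /,RELAYCLIENT=/)     # client may relay to any domain
        scan  = (rest ~ /,QMAILQUEUE=/)      # mail passes the scanner wrapper
        if (sep == 0 || rest !~ /^(allow|deny)/) verdict = "MALFORMED"
        else if (rest ~ /^deny/)       verdict = "deny"
        else if (relay && sep == 1)    verdict = "OPEN-RELAY"   # default rule
        else if (relay && scan)        verdict = "relay,scanned"
        else if (relay)                verdict = "relay,unscanned"
        else if (scan)                 verdict = "scanned"
        else                           verdict = "UNSCANNED"
        if (verdict == toupper(verdict)) risky = 1
        printf "%s\t%s\n", (sep == 1 ? "(default)" : addr), verdict
    }
    END { exit risky + 0 }'
}

# The rules from the guide.
guide_rules() {
cat <<'EOF'
#IPs allowed to relay - don't scan with qmail-scanner
127.0.0.:allow,RELAYCLIENT="",RBLSMTPD=""
192.168.2.:allow,RELAYCLIENT="",RBLSMTPD=""
123.123.123.123:allow,RELAYCLIENT="",RBLSMTPD=""
# Don't relay from other IPs. Scan with qmail-scanner
:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue"
EOF
}

# Constructed sample with two mistakes: the default rule was copied from a
# relay line, and one network is accepted without the scanner wrapper.
broken_rules() {
cat <<'EOF'
127.0.0.:allow,RELAYCLIENT=""
:allow,RELAYCLIENT="",QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue"
203.0.113.:allow
EOF
}

echo "== rules from the guide =="
guide_rules | audit_tcprules
echo "== constructed broken rules =="
broken_rules | audit_tcprules || echo "risky rules found, do not rebuild the cdb"
```

On the server the same function can be fed the real file: audit_tcprules < /etc/tcprules.d/tcp.qmail-smtp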


12) Create domain(s)
The first domain to add should be the primary domain of the server.
Code:

> /var/vpopmail/bin/vadddomain domain.net postmasterpassword

Repeat for all virtual domains.

Give the correct HELO. (See note regarding domain registration.)
Code:

echo host.domain.net > /var/qmail/control/me


Set defaultdomain
Code:

echo defaultdomain.net > /var/qmail/control/defaultdomain


If you want your users username@defaultdomain.net to be able to log in using just username as the username (not username@domain.net) do this:
Code:

echo "defaultdomain.net" > ~vpopmail/etc/defaultdomain


If you have a (sub)domain for testing, add it as an alias domain.
Code:

> /var/vpopmail/bin/vaddaliasdomain domain.net test.domain.net



13) Install ezmlm-idx-mysql
First try to install it the regular way:
Code:

> emerge ezmlm-idx-mysql


If it fails
... with an error like this: http://bugs.gentoo.org/show_bug.cgi?id=152636
Get the patched ebuild for ezmlm-idx-mysql-0.40-r2
(if you don't have layman installed run "emerge layman" now)
Code:

> layman -f -o http://jaba.mbnet.fi/portage/layman-jmf.xml -a jaba
> echo "source /usr/portage/local/layman/make.conf" >> /etc/make.conf
> env-update && source /etc/profile
> emerge ezmlm-idx-mysql


14) Install qmailadmin and squirrelmail
Code:

> emerge qmailadmin squirrelmail


Set up apache for separate alias configs (same kind as used by default for vhosts)
Code:

> echo "Include /etc/apache2/alias/*.conf" >>  /configs/etc/apache2/httpd.conf
> mkdir /etc/apache2/alias


set up qmailadmin for apache vhosts:
Code:

> echo "Alias /qmailadmin/ /var/www/localhost/htdocs/qmailadmin/" > /etc/apache2/alias/01_alias_qmailadmin.conf


set up squirrelmail for apache vhosts:
Code:

> echo "Alias /mail/ /usr/share/webapps/squirrelmail/1.4.9a/htdocs/" > /etc/apache2/alias/02_alias_squirrelmail.conf

(I think this is better than using webapp-config as it gets installed for all vhosts. Also it works when /usr/share and /var/www are not on the same partition. And finally there is only need for one configuration.)

Get useful squirrelmail plugins:
Code:

> cd /usr/share/webapps/squirrelmail/1.4.9a/htdocs/plugins
> wget -O address_add-2.1-1.4.0.tar.gz "http://squirrelmail.org/countdl.php?fileurl=http%3A%2F%2Fwww.squirrelmail.org%2Fplugins%2Faddress_add-2.1-1.4.0.tar.gz"
> wget -O abook_import_export-1.0-1.4.4.tar.gz "http://squirrelmail.org/countdl.php?fileurl=http%3A%2F%2Fwww.squirrelmail.org%2Fplugins%2Fabook_import_export-1.0-1.4.4.tar.gz"
> wget -O bookmarks-2.0.3-1.4.1.tar.gz "http://squirrelmail.org/countdl.php?fileurl=http%3A%2F%2Fwww.squirrelmail.org%2Fplugins%2Fbookmarks-2.0.3-1.4.1.tar.gz"
> tar -xvzf abook_import_export-1.0-1.4.4.tar.gz
> tar -xvzf address_add-2.1-1.4.0.tar.gz
> tar -xvzf bookmarks-2.0.3-1.4.1.tar.gz
> rm *.gz



Additional qmailscanner log analyser plugin for squirrelmail.
This plugin provides a link in squirrelmail where the users may see what has happened to their mails. They'll see a table of mails passing through the qmailscanner and a status {delivered | error | spam [spamlevel | deleted | quarantined] | virus detected | ...}.
At my previous server the users claimed that some mails sent to them never got to their mailbox because of a too strict spamfilter. With this plugin they can check if the mail ever reached the smtp server. The log the user will see is filtered to include only mails to/from his account (including alias addresses).
Consider this plugin experimental. It's been running with qmail-scanner-1.16 and 1.25 on a production server without causing any trouble for about 2 years. Still, there have been bugs that I've corrected while writing this guide. It turns out that QMS 2.01 logs slightly differently from QMS 1.25, so I'm not sure if this still works with QMS 1.25 after all the changes.

log in as root to your mysql server
Code:

mysql> create database qmslog;
mysql> grant select, insert, update, delete, create on qmslog.* to qms_loganal@localhost identified by "your_read/write_password";
mysql> grant select on qmslog.* to qms_logview@localhost identified by "your_read_only_password";
mysql> flush privileges;


If you don't have lsof installed:
Code:

> emerge lsof



Download the plugin... https://sourceforge.net/projects/qms-loganalyzer/

Read the README file (included in the .tar.bz2) for installation. It should be quite straightforward for a Gentoo user.


Configure squirrelmail
Code:

> cd /usr/share/webapps/squirrelmail/1.4.9a/htdocs/plugins
> nano -w secure_login/config.php
set $remain_in_https_if_logged_in_using_https = 1

> cd /usr/share/webapps/squirrelmail/1.4.9a/htdocs/config
> perl conf.pl


Press D to load the Courier-imap template.
Walk through the config menu to set up to your needs.
Make sure to load the compatibility and secure_login plugins.
I'm enabling the following plugins:
Quote:

1. secure_login
2. bookmarks
3. delete_move_next
4. compatibility
5. qmslog
6. address_add
7. abook_take
8. calendar
9. abook_import_export


As users inboxes grow, the webmail will become slow. To fix this make sure to enable "Allow server thread sort" and "Allow server-side sort" under General Options. (Wonder why these are off by default. Any security risk?)

Might be convenient to set General Options -> Data Dir = some dir that you include with your daily backup

Add a domain append button to the loginpage. This button appends the hostname of the apache virtual host that is used in the request for the page.
Code:

> nano -w /usr/share/webapps/squirrelmail/1.4.9a/htdocs/src/login.php

Replace the "," with a "." at the end of this line (ca line 163):
addInput($username_form_name, $loginname_value).

Insert the following line after the line mentioned above:
addInputField("button", "pgbt", "@$pg_virtualdomain", " onclick=\"$username_form_name.value+='@".$pg_virtualdomain."';\""),

Find the line
$custom_css = 'none';

Insert the following two lines after that line:
$pg_virtualdomain = substr($_SERVER['SERVER_NAME'], strrpos(substr($_SERVER['SERVER_NAME'],0,strrpos($_SERVER['SERVER_NAME'], ".")), "."));
if($pg_virtualdomain{0} == ".") { $pg_virtualdomain = substr($pg_virtualdomain,1); }


15) Check Qmail controlfiles
Make sure the files in /var/qmail/control got updated. If they are not updated something is wrong. It's probably related to mysql permissions.
Code:

These files should contain your primary domain:
defaultdomain, locals, me

This should contain all domains and aliasdomains on separate lines:
rcpthosts

This should contain all domains and aliasdomains in the form domain.net:domain.net :
virtualdomains


16) Installing wapmail interface
will come

17) Client setup
For SMTP client setup: All clients outside your local network need to enable TLS (encryption) and SMTP-auth. For the username use the full email address. There is a bug with Outlook (and Express) XP using TLS. No workaround is known. Use another client program! (I love Opera - now it's even free!)

Notes
Note: Some anti-virus / firewall software blocks outbound connections to port 25 if it is unable to analyze the data stream. Hence encrypted SMTP may require you to disable this functionality in those programs or put the server on another port.

Note: Some ISPs block connections to port 25 on any server but their own smtp. To get around this put your smtp server on another port.
One way to put the server on another port may be this:
Code:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25000 -j DNAT --to-destination 123.123.123.123:25

where 25000 is the port you want the server on and 123.123.123.123 is the server's IP.

Note: If you can't send mail from your server to anywhere other than the local network, you might have a problem with your ISP. Some ISPs block outbound smtp connections to anywhere but their own smtp server. This means you'll need to relay mail through their server:
Code:
echo ":smtp.ISP.NET" > /var/qmail/control/smtproutes


POP3/IMAP client setup: If you do like me and block ports 110 and 143 from outside your local net with a firewall, then clients on the outside need to enable SSL and use port 993 for IMAP-SSL and port 995 for POP3-SSL. Clients on the local network may use ports 110/143 without SSL enabled. Use the full email address as username.


Unverified tricks from readers
Here I'll put a collection of good ideas, hints and tricks posted by readers. I have not tried these myself.

stripe wrote:

Mindstab wrote:
I've also now found that something like
Code:
echo "#" > /var/qmail/control/doublebounceto

should route all double bounce messages to /dev/null hopefully
I just looked into this as I was getting a lot

Should be clean first line instead. This will prevent to queue the doublebounces at all.
If you enter "#" sign, Qmail will queue the bounces to #@defaultdomain.tld.


To solve problems with bayes not learning:
krull wrote:
I donno if this helps, I just added a universal path for bayes in spamassassin's local.cf so far it seems to work:
Code:
nano -w /etc/spamassassin/local.cf
Add:
bayes_path /etc/mail/spamassassin/bayes





Mindstab wrote:
Um, a possible update for the doc. They worked well, but I found I had to
Code:

valias haplo@mindstab.net root@mindstab.net
valias haplo@mindstab.net postmaster@mindstab.net
vaddaliasdomain mindstab.net mail.mindstab.net


To get everything working right
Otherwise all my server's log messages were being bounced

Also, I found that if any domains were in qmail/control/locals
qmail tried to use local delivery for users there to their /home dirs instead of using vpopmail

========================================

I'm aware tcprules.d is deprecated. However, I don't see any reason why relay-ctrl would be any better. I have no bad experience with either of them, but relay-ctrl requires more installation and more configuration, so I think there is more that can go wrong with it. The only extra functionality I find in relay-ctrl is IMAP-before-SMTP authentication. As all mail clients my users use support SMTP-auth, I don't see any reason for relay-ctrl, and stick to the well-known tcprules. (More config = more settings to keep track of with every future update.)

========================================

I'm not exactly sure about the TCPSERVER_OPTS in conf-common. What I know is that the -R is set by default in conf-smtpd, and I've left it alone there. The -x, -c, -u and -g will be set by the rest of the conf-common file.
The original guide by Sabrex used -H, -R (again) and -l 0. The -p and -v are default.
From what I understand from http://www.rootr.net/man/man/tcpserver/1 the -H and -R will shorten initial delays when sending mail. How much they shorten depends on your DNS connection. If you run a local DNS server you'll probably not notice much difference.

========================================

A common mistake when setting up domains is to point the MX record to the IP address of the server. This works, but some spamfilters will think all mail from such a domain is spam. The way to set up DNS is the following:
Register an A record pointing to the IP address of the server. This should be the same host.domainname.tld as you used when installing the OS. (A:server1.mydomain.net -> IP:123.123.123.123)
Then you need a CNAME pointing to the A record that your users may use when referring to the server. (Say C:mail.mydomain.net -> A:server1.mydomain.net).
Then you create an MX record that may point to either the A record (MX:mydomain.net -> A:server1.mydomain.net) or the CNAME (MX:mydomain.net -> C:mail.mydomain.net).

When you set up another domain you somehow need to point the MX to the A record of the first domain, either directly or indirectly:
MX:otherdomain.net -> A:server1.mydomain.net
MX:otherdomain.net -> C:mail.mydomain.net -> A:server1.mydomain.net
MX:otherdomain.net -> C:mail.otherdomain.net -> C:mail.mydomain.net -> A:server1.mydomain.net

Point is: The A record the MX finally resolves to should equal the HELO response from your SMTP server (/var/qmail/control/me), which again should equal the hostname.domainname of the server (/etc/hostname or /etc/conf.d/hostname and /etc/dnsdomainname or /etc/conf.d/domainname)
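
The MX-to-HELO rule above, as an added example that is not part of the original guide: it follows MX -> CNAME -> A through a record table and compares the final host name with the HELO name. The function names, the three-column input format and the thirddomain.net records are assumptions constructed for the illustration; the other names are the guide's placeholders. It also notes when an MX target is itself a CNAME, which RFC 2181 section 10.3 does not allow.

```sh
#!/bin/sh
# Added example, not part of the original guide.
# Input on stdin: one record per line, "name TYPE value" (A, CNAME or MX).
# An MX priority in front of the host name is tolerated (last field is used).

# check_mx_helo DOMAIN HELO
# Prints one summary line. Exit status: 0 match, 1 mismatch, 2 broken chain.
check_mx_helo() {
    awk -v domain="$1" -v helo="$2" '
    function norm(s) { s = tolower(s); sub(/\.$/, "", s); return s }
    /^[ \t]*#/    { next }
    $2 == "A"     { a[norm($1)] = $3 }
    $2 == "CNAME" { cname[norm($1)] = norm($3) }
    $2 == "MX"    { mx[norm($1)] = norm($NF) }
    END {
        domain = norm(domain); helo = norm(helo)
        if (!(domain in mx)) { print domain ": no MX record"; exit 2 }
        host = mx[domain]
        note = (host in cname) ? " (MX target is a CNAME, see RFC 2181 10.3)" : ""
        # Follow aliases; the hop limit stops CNAME loops.
        for (hops = 0; (host in cname) && hops < 8; hops++) host = cname[host]
        if (!(host in a)) {
            print domain ": chain ends at " host " without an A record"
            exit 2
        }
        verdict = (host == helo) ? "match" : "MISMATCH"
        printf "%s: MX -> %s (%s) HELO=%s %s%s\n", \
               domain, host, a[host], helo, verdict, note
        rc = (verdict == "match") ? 0 : 1
        exit rc
    }'
}

# Constructed records. thirddomain.net reaches the right IP address but under
# a name that differs from the HELO name, which is the mistake described above.
sample_zone() {
cat <<'EOF'
server1.mydomain.net   A     123.123.123.123
mail.mydomain.net      CNAME server1.mydomain.net
mail.otherdomain.net   CNAME mail.mydomain.net
mydomain.net           MX    server1.mydomain.net
otherdomain.net        MX    mail.otherdomain.net
mail.thirddomain.net   A     123.123.123.123
thirddomain.net        MX    mail.thirddomain.net
EOF
}

# HELO name as it would be stored in /var/qmail/control/me
for d in mydomain.net otherdomain.net thirddomain.net; do
    sample_zone | check_mx_helo "$d" server1.mydomain.net || true
done
```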



Source: http://forums.gentoo.org/viewtopic-t-539101.html

2009/04/01 01:35
- Getting Fedora 10
Official Fedora homepage (free)
Download the single CD-R (700 MB) Fedora 10 Live image and install it; by default it installs in English.


- Install gcc, java, mysql, tomcat, php and php-mysql with yum
   - gcc
gcc-4.3.2-7.i386

   - java
java-1.6.0-openjdk
java-1.6.0-openjdk-devel
   - mysql
mysql-5.0.67-2.fc10.i386
mysql-gui-tools-5.0r12-9.fc10.i386
mysql-libs-5.0.67-2.fc10.i386
mysql-gui-common-5.0r12-9.fc10.i386
mysql-administrator-5.0r12-9.fc10.i386
mysql-query-browser-5.0r12-9.fc10.i386
mysql-server-5.0.67-2.fc10.i386
    - tomcat (yum install tomcat6\*)
tomcat6-jsp-2.1-api-6.0.18-6.2.fc10.noarch
tomcat6-6.0.18-6.2.fc10.noarch
tomcat6-webapps-6.0.18-6.2.fc10.noarch
tomcat6-admin-webapps-6.0.18-6.2.fc10.noarch
tomcat5-jsp-2.0-api-5.5.27-6.1.fc10.noarch
tomcat6-servlet-2.5-api-6.0.18-6.2.fc10.noarch
tomcat5-servlet-2.4-api-5.5.27-6.1.fc10.noarch
tomcat6-javadoc-6.0.18-6.2.fc10.noarch
jakarta-commons-collections-tomcat5-3.2-2.3.fc10.i386
jakarta-commons-dbcp-tomcat5-1.2.1-11jpp.4.fc10.i386
tomcat6-docs-webapp-6.0.18-6.2.fc10.noarch
jakarta-commons-pool-tomcat5-1.3-10.5.fc10.i386
tomcat6-lib-6.0.18-6.2.fc10.noarch
    - php (yum install php)
php-5.2.6-5.i386
php-cli-5.2.6-5.i386
php-common-5.2.6-5.i386
php-pdo-5.2.6-5.i386


    - php-mysql (yum install php-mysql)
php-mysql-5.2.6-5.i386

- vsftpd configuration
    1. touch /etc/vsftpd/chroot_list
    2. Edit vsftpd.conf
anonymous_enable=NO
chroot_local_user=YES
passwd_chroot_enable=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list

- Connecting apache and tomcat
http://wiki.kldp.org/wiki.php/Apache2Tomcat5Howto2

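- Remove the default 8080 listener from the tomcat server.xml configuration
- Each user's directory must be set to mode 711 and the public_html directory to mode 755


- setup configuration
After running the setup command, stop iptables entirely and enable all the daemons installed so far


- Disable SELinux (security management tool)
Go to System -> Administration -> SELinux Management and change it to Disabled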




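2009/03/25 13:51

Built in PHP, using the engine of the COF club community site I had made earlier.

In administrator mode the following tasks are available:

- Board/post management
- Page management: every page of the site can be edited down to the HTML level.
- Member management / registration form management
- Access statistics management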


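2009/01/15 00:30

Full programming of the portfolio management system for the students of our department (PHP)

The features are as follows:

- Writing and printing the full portfolio for each student
- Professors can view students' portfolio information
- Administrators manage student and professor information.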


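2009/01/13 03:24

Full program design and coding of the COF club community homepage (PHP)

Administrator mode has the following features:

- All pages of the site can be managed

- Images and other resources uploaded to the site can be edited and deleted directly from the web

- Each member's personal information, the fields shown at registration, and permissions can be configured.

- Boards can be created, edited and deleted, and board skins can be changed.

- Site statistics can be viewed by hour, day, day of week, month, year and environment.


2009/01/13 03:20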