Qmail Howto
18.1) Post-installation and spam control
The installation covered above should filter out most of the spam out there, but it's not perfect. Spammers are clever: they will do everything possible to get their message through and advertise products or services you will never need, and they will fake their messages so well that SpamAssassin cannot identify them as spam. So, what do we do with them? There is another solution which will be a pain for some users, but it will definitely help you out a lot. If you remember, earlier in the guide I said that I would explain "badmailfrom" and "badrcptto" in more detail. Well, here we go :-)
These two files, placed in the /var/qmail/control directory, are used by qmail to identify the bad guys. Sometimes the bad guys are from outside networks - those hungry spammers that just love to waste your mail traffic. In some cases, the bad guys are your own users! I've had users who advertised their e-mail addresses on the Internet and subscribed to a gazillion newsletters. As soon as the mailbox is full, the server starts generating failure replies, adding to traffic and server load. And the sad thing is - even if you remove the damn user, e-mails will keep coming in and even more failure replies will be generated. So, how do we fight them?
The "badmailfrom" file is sort of an internal blacklist, in which you specify domains or individual e-mail addresses from which you are not willing to receive e-mails. For example, if you don't want to receive e-mails from yahoo users, simply add "@yahoo.com" on a new line. If a particular yahoo mail user is bothering you, add his/her full e-mail address to "badmailfrom". The next time the user tries to send a message, your server will simply deny the message, before even processing it. Here is a good example of a "badmailfrom" file:
@yahoo.com
@mail.ru
@hotmail.com
devil@netscape.net
president@whitehouse.gov
Here, we are denying all yahoo.com, mail.ru and hotmail.com users. Plus, we are denying messages from individual e-mail accounts - devil@netscape.net and president@whitehouse.gov :)
The "badrcptto" file will help you control your local "bad guys". Every account specified in "badrcptto" will no longer receive any e-mails. After sending an e-mail to a blacklisted local user, the sender will receive the delivery failure message "553 sorry, this recipient is in my badrecipientto list". The "badrcptto" file is processed line by line, just like badmailfrom. So, if you need to block access to several users, type their e-mail addresses one per line.
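To make the matching rules concrete, here is a small Python model of the envelope checks qmail-smtpd performs with these control files (example code written for this guide, not qmail's own source): it covers badmailfrom and badrcptto as described above and, going beyond this section, the rcpthosts/RELAYCLIENT relay decision whose error message a commenter runs into further down. The control-file contents and addresses are constructed; the badmailfrom and rcpthosts reply strings are qmail-smtpd's own, and case handling is simplified to a literal comparison.

```python
from typing import List, Optional

# Reply texts: the badrcptto one is quoted in this guide, the other two are
# qmail-smtpd's own (the rcpthosts one also appears in the comments below).
ERR_BADMAILFROM = "553 sorry, your envelope sender is in my badmailfrom list (#5.7.1)"
ERR_RCPTHOSTS = "553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)"
ERR_BADRCPTTO = "553 sorry, this recipient is in my badrecipientto list"
OK = "250 ok"

def parse_control(text: Optional[str]) -> Optional[List[str]]:
    """One entry per line, blank lines ignored; None means 'file absent'."""
    if text is None:
        return None
    return [line.strip() for line in text.splitlines() if line.strip()]

def listed(addr: str, entries: List[str]) -> bool:
    """badmailfrom/badrcptto rule: a full address, or '@domain' for every
    address at that domain. Literal comparison (assumption: no case folding)."""
    if addr in entries:
        return True
    at = addr.rfind("@")
    return at >= 0 and addr[at:] in entries

def rcpthost_allowed(rcpt: str, rcpthosts: Optional[List[str]]) -> bool:
    """rcpthosts rule: exact host, or '.domain' for hosts *under* that domain.
    A missing file accepts every domain, i.e. the open-relay configuration."""
    if rcpthosts is None or "@" not in rcpt:   # absent file, or a local address
        return True
    host = rcpt.rpartition("@")[2].lower()
    for entry in (e.lower() for e in rcpthosts):
        if host == entry or (entry.startswith(".") and host.endswith(entry)):
            return True
    return False

class EnvelopeCheck:
    """MAIL FROM / RCPT TO replies in the order qmail-smtpd decides them."""
    def __init__(self, badmailfrom, badrcptto, rcpthosts, relayclient=False):
        self.badmailfrom = parse_control(badmailfrom) or []
        self.badrcptto = parse_control(badrcptto) or []
        self.rcpthosts = parse_control(rcpthosts)
        self.relayclient = relayclient   # models a tcp.smtp rule setting RELAYCLIENT
        self.sender_barfed = False

    def mail_from(self, sender: str) -> str:
        # qmail answers 250 here even for a blacklisted sender and refuses
        # at RCPT TO time instead, so watch the RCPT reply when testing.
        self.sender_barfed = listed(sender, self.badmailfrom)
        return OK

    def rcpt_to(self, rcpt: str) -> str:
        if self.sender_barfed:
            return ERR_BADMAILFROM
        if not self.relayclient and not rcpthost_allowed(rcpt, self.rcpthosts):
            return ERR_RCPTHOSTS
        if listed(rcpt, self.badrcptto):
            return ERR_BADRCPTTO
        return OK

# Constructed control files; badmailfrom is the guide's own sample list.
BADMAILFROM = "@yahoo.com\n@mail.ru\n@hotmail.com\ndevil@netscape.net\npresident@whitehouse.gov\n"
BADRCPTTO = "oldaccount@arbuz.com\n"
RCPTHOSTS = "arbuz.com\n.arbuz.com\n"

def demo() -> List[str]:
    """Run a few constructed envelopes through the checker; return RCPT replies."""
    cases = [
        ("someone@yahoo.com", "user@arbuz.com", False),        # sender domain listed
        ("friend@example.org", "oldaccount@arbuz.com", False), # recipient listed
        ("friend@example.org", "victim@elsewhere.net", False), # foreign domain, no relay
        ("friend@example.org", "victim@elsewhere.net", True),  # RELAYCLIENT: relay ok
        ("friend@example.org", "user@mail.arbuz.com", False),  # subdomain via .arbuz.com
    ]
    replies = []
    for sender, rcpt, relay in cases:
        check = EnvelopeCheck(BADMAILFROM, BADRCPTTO, RCPTHOSTS, relayclient=relay)
        check.mail_from(sender)
        replies.append(check.rcpt_to(rcpt))
    return replies
```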
There are some new tools appearing now on the Internet that help to better fight spam, but I haven't checked them out yet. If something good is released, I will definitely add it to this guide.
19) oMail-admin
oMail-admin is a great program written by Olivier Mueller. It allows you to manage virtual users on your system (create users and aliases, forwarding, mailing lists, automated replies, etc.)
oMail-admin needs the "vmailmgrd" daemon to run, which should already be up and running from the "runmail" script we've created before. Again, type "ps ax" to see if a process called unixserver exists.
This step assumes that an Apache server compiled with PHP is up and running. (If you haven't installed Apache yet, I would highly recommend my Apache guide which is available here). Place the oMail files into your htdocs directory, and edit your apache configuration (httpd.conf) as necessary. Open your browser and then type the URL for oMail-admin. Type your domain (yourserver.com) in "Email Address or Domain Name" box and the domain password that you entered during the "add_virt" command. Then, click "Login" and a new page with account management should come up. It is very easy to go from there - just read "Help" if you don't understand how it works.
20) Startup environment
Now we need to make sure that Qmail and all other extra stuff we've been installing so far starts up properly when the machine is rebooted.
You can do it in two ways - either by placing the lines below into your startup file (/etc/rc.d/rc.local):
# Qmail and other stuff
/var/qmail/rc &
/usr/local/bin/runmail
/usr/lib/courier-imap/libexec/imapd.rc start
or putting qmail, courier and tcpserver startup scripts into your init.d directory. Don't forget to make those files executable and run automatically upon reboot:
mv qmail /etc/rc.d/init.d
mv courier /etc/rc.d/init.d
mv tcpserver /etc/rc.d/init.d
chmod 755 /etc/rc.d/init.d/qmail
chmod 755 /etc/rc.d/init.d/courier
chmod 755 /etc/rc.d/init.d/tcpserver
chkconfig --add qmail
chkconfig --add courier
chkconfig --add tcpserver
chkconfig qmail on
chkconfig courier on
chkconfig tcpserver on
21) POP3S and SMTPS using stunnel
The way traditional POP3 and SMTP protocols work is so insecure that it's easily possible to sniff a login/password combination using simple network utilities. That leads to a security problem, which might result in a hacker stealing your users' mailbox accounts. Because we are dealing with virtual users who do not have shell access, simply because of the way the system works, it might not be a major security problem. At least we do not have to worry about hackers logging into a shell, stealing information and screwing up our box. However, it's always good to take precautions no matter how small the impact on your security could be. A normal sendmail installation, for example, authenticates through /etc/passwd. If a user is given both mail and shell access, just think what the end result might be. A hacker might sniff a login/password combination for a mailbox and then successfully log into the system via shell, even if you have telnet disabled and only allow SSH access. Once a hacker has a shell account, there are plenty of tools out there to gain root access. And you never know what's on a hacker's mind when he/she hacks into your box. This is the major advantage of having a virtual user system. Even if a hacker steals the login/password combination for a mailbox account, the maximum he/she can do is take over a mailbox. But again, you never know. What if a user on your system uses the same login/password combination for both mail and shell access? Then basically, you're screwed.
This step will help you to fight the problem of plaintext login/password authentication with a mail server. I will show you how to configure POP3 and SMTP via SSL.
To those who wonder how we're going to accomplish this task, let me give you some quick insight. We will have to install stunnel first. Stunnel is a universal SSL wrapper, which will allow us to secure POP3 and SMTP protocols through OpenSSL. Then, we are going to bind tcpserver to stunnel and add some more options to our runmail script created earlier. The whole process should take approximately 15 minutes, if we don't have any compilation problems. I will try to explain each step in as much detail as possible.
21.1) OpenSSL and Stunnel
Before installing stunnel, please make sure that you have a working version of OpenSSL installed on the system. Try to look for the openssl binary by typing "whereis openssl" or "locate openssl" in the shell. Possible locations of OpenSSL are /usr/bin, /usr/local/bin and /usr/local/ssl/bin, but a customized installation might have put OpenSSL somewhere else on the system. Once you find out where it is, type "openssl version" (add the real path in front as needed). If your version is older than 0.9.6j, I personally recommend upgrading or reinstalling it, because of some security issues found in previous releases. If you have an old RPM release, get rid of it and install from source. The latest version of OpenSSL can be found here.
Let's install stunnel now:
cd /usr/local/src/
tar zxf stunnel-3.26.tar.gz
cd stunnel-3.26
CFLAGS="-I/usr/kerberos/include -L/usr/kerberos/lib" ./configure --with-pem-dir=/usr/local/etc
make
After "make" is done compiling the sources, an RSA key will be generated for you. All you have to do is enter the correct information. Here is a sample for arbuz.com:
Country Name (2 letter code) [PL]:UZ
State or Province Name (full name) [Some-State]:Tashkent
Locality Name (eg, city) []:Tashkent
Organization Name (eg, company) [Stunnel Developers Ltd]:Arbuz.com
Organizational Unit Name (eg, section) []:Arbuz.com
Common Name (FQDN of your server) [localhost]:arbuz.com
Make sure that you type your mail hostname in "Common Name (FQDN of your server)" field. Now do the following:
cp stunnel.pem /usr/local/etc/
chmod 600 /usr/local/etc/stunnel.pem
make install
21.2) Modifying the runmail script
The most important step in this process is how our script calls stunnel. Unfortunately, I couldn't find any information on the web that gives a working sample of stunnel called via tcpserver. After finding out more about stunnel and its command options, I came up with a working script based on the runmail script you've seen above. Add it to your runmail script if you want to have all protocols (POP3, SMTP, POP3S and SMTPS) up and running, for compatibility or whatever other reasons. If you want to have POP3S and SMTPS only, remove everything after the first part (unixserver), then copy and paste the following into the script:
exec softlimit -m 32000000 \
 envdir /etc/relay-ctrl relay-ctrl-chdir \
 tcpserver -v -H -R -l arbuz.com -x /etc/tcp.smtp.cdb \
 -c200 -u0 -g0 0 465 \
 stunnel -f -p /usr/local/etc/stunnel.pem \
 -N smtps -l relay-ctrl-check -- relay-ctrl-check \
 fixcrio qmail-smtpd 2>&1 \
 | setuidgid qmaill \
 multilog t n100 s1000000 /var/qmail/logs/smtps & \
exec softlimit -m 32000000 \
 envdir /etc/relay-ctrl relay-ctrl-chdir \
 tcpserver -v -H -R -l arbuz.com -x /etc/tcp.smtp.cdb \
 -c200 -u0 -g0 0 995 \
 stunnel -f -p /usr/local/etc/stunnel.pem \
 -N pop3s -l qmail-popup -- qmail-popup localhost \
 checkvpw relay-ctrl-allow qmail-pop3d Maildir 2>&1 \
 | setuidgid qmaill \
 multilog t n100 s1000000 /var/qmail/logs/pop3s &
Now go ahead and rerun runmail and test whether POP3S and SMTPS really work. If you are running TCP wrappers, make sure you put "smtps: ALL: ALLOW" and "pop3s: ALL: ALLOW" into /etc/hosts.allow - otherwise all secure connections will be denied by your server.
If you get an error in the log saying "SSL3_READ_BYTES:tlsv1 alert unknown ca", that means your mail client doesn't accept the SSL certificate created earlier. Note that the certificate we created is not trusted, because an authority like VeriSign or Thawte didn't sign it. I personally don't like paying a couple of hundred dollars for an SSL certificate, but if money is not an issue for you, you should generate your own SSL key and send it to an authority to sign it. That way you can get rid of the annoying warnings from mail clients. I had a couple of issues trying to send and receive mail with "The Bat" mail client. But I then figured out that my client didn't want to accept connections from/to an untrusted server. So, after adding my certificate into the address book and into the trusted server list, I got rid of the "unknown ca" error. I also tested the connection on Outlook Express and everything seemed to work flawlessly (except that annoying "Internet Security Warning"). Note that POP3S and SMTPS sit on ports 995 and 465, respectively. So, make sure you specify the ports correctly while configuring your mail clients.
That's it! You are finally done! Congratulations :)
Related Resources:
1) Qmail Homepage
2) Untroubled.org by Bruce Guenter
3) Cr.yp.to by D.J. Bernstein
4) Courier Mail Server by Double Precision, Inc.
5) SpamAssassin.org
6) Qmail-Scanner by Jason Haar
Books:
1) qmail by John R. Levine (O'Reilly)
2) Qmail Quickstarter by Kyle Wheeler (Packt Publishing)
3) Qmail Handbook by Dave Sill (Apress)
Related posts:
10/31/2007 - 10:10
I have a problem with the autoresponse. When it sends the response, the sender address goes like this: “”@domain.com. This way, it’s always flagged as relay on my relay server.
Do you have any hint?
11/14/2007 - 02:40
Hi,
Really good site. Thanks for your valuable help. Do you have anything similar for postfix, mysql, dovecot with a webmail option? Since all these can be installed along with the O.S. and only need to be integrated.
Rgds,
Saji Alexander.
11/28/2007 - 18:32
If you’re having problems making Courier for Fedora/Redhat with the error "/usr/include/stdio.h:385: error: syntax error before ‘&&’ token", you can find information here: http://atmail.com/view_article.php?num=199
02/19/2010 - 02:45
That article no longer exists.
It has been replaced by: http://atmail.com/kb/?p=270
Just in case it disappears again, here it is:
———————-
Description: The standard Courier-IMAP 3.0.8 distribution will not build on stock Fedora/Redhat systems. Compilation fails while building the authlib library, usually with an error message like:
In file included from authstaticlistsearch.c:9:
/usr/include/stdio.h:385: error: syntax error before ‘&&’ token
A review of the stdio.h file shows that no ‘&&’ symbols appears on or near line 385.
Solution: The courier-imap/authlib directory contains a file named ‘debug.h’ to support the debugging of authentication attempts against the Courier IMAP server. This file contains a C preprocessor macro named ‘dprintf’ that conflicts with the ‘dprintf’ function defined in glibc’s ’stdio.h’. This conflict isn’t a problem so long as ‘#include ‘ appears before ‘#include “debug.h”‘ in the authlib source files. Unfortunately, this is not the case for files ‘authstaticlistsearch.c’, ‘authmoduser3.c’, ‘mod.h’, ‘authtest.c’, ‘debug.c’, and ‘authdaemon.c’.
To fix this problem, open these files in a text editor and move the ‘#include “debug.h”‘ line so that it is the last include directive. Make sure that you do not paste it into a ‘#if … #endif’ block. Once you have made these changes, the build process should succeed.
01/20/2008 - 15:07
I installed Your Qmail-modification a couple of years ago. Thanks for that! Now I would like to use your patch for bounce handling.
patch
03/04/2008 - 02:46
Hi,
how can we know a email is bounced or not ?? qmail handles smtp return codes ??
Thanks,
Satish.K
03/25/2008 - 03:46
/usr/local/bin/setuidgid qmaill "contrib/test_installation.sh -doit"
I'm stuck at that line and my Fedora 8 gives me:
/usr/local/bin/setuidgid qmaill "contrib/test_installation.sh -doit"
setuidgid: fatal: unable to run contrib/test_installation.sh -doit: file does not exist
And also when I run: # /usr/local/bin/setuidgid qmaill \
"/var/qmail/bin/qmail-scanner-queue.pl" -g
perlscanner: generate new DB file
perlscanner: total of 9 entries.
my Fedora 8 only replies: perlscanner: generate new DB file
Please help me, it’s already been 2 to 3 days since I started trying to solve it, but I can’t…
04/30/2008 - 17:53
Hi Nasim. Thanks a lot for providing nice and very helpful instructions in plain english :-)
I’ve installed a mail production server on Debian (4) using your guidelines.
Although I came across some problems after the install, i.e. when I created a second virtual domain, the mail server stopped receiving any messages at all (even though the first virtual domain was working on its own before). Is it something to do with Qmail-Scanner, where one is required to enter the domains’ names before installing it (–local-domains “domain.one.com,domain.two.com”; page 5 of your instructions)?
Thanks a lot in advance if you can spare some time to answer this question.
Kind regards,
yuriy
05/01/2008 - 10:31
Yuriy, are you still receiving mail for the first domain that you had created before? Also, a little troubleshooting would definitely help. Try this:
1) Telnet to your server’s IP address port 25 by typing “telnet x.x.x.x 25”
2) Type “HELO test.com” or some other domain and press enter
3) Type “MAIL FROM:test@test.com” and press enter
4) Type “RCPT TO:test@yourdomain.com” and press enter
5) Type “DATA” and press enter
6) Type some garbage and then type “.” on a separate line. The server should respond “250 ok xxxxxxx qp xxxxx”.
7) Type “quit” on a separate line and see what output you get.
8) While doing all of the above check your qmail logs. Both the incoming tcp logs and your qmail logs.
9) After you are done with the telnet session, your logs should report what the problem is.
If your domain is not in one of the configuration files, you will get a descriptive error in the log. If there is any other problem, you should see it in the log as well.
If you can’t telnet to your server, then your tcpserver is having a problem and might need to be rebooted.
Hope the above helps.
Nasim
05/06/2008 - 07:36
I’m sorry... could you give me a module to make QMAIL on SLACKWARE 12? I have tried to make it, but no success... please, for my homework.
05/06/2008 - 11:11
Hi Nazim.
I can telnet to my server and do all the steps you have listed alright. It’s just that when I’m trying to set up an additional virtual domain it stops receiving emails (one can still send emails though), even to the first virtual domain. When I remove the second virtual domain it will start to receive emails again, but only after a couple of hours. I reckon that it’s Qmail-Scanner causing this problem. I’ll probably leave this issue to sort out later on (I’m planning to install another test server but will keep in mind using more than one domain then).
I have couple more issues which require immediate attention and I was trying to sort them out but no luck so far.
1. I need to set our email server to give a 550 error for an invalid address. I have used Andrew Richards’ qmail-verify patch (http://free.acrconsulting.co.uk/email/qmail-verify.html). I can see the qmail-verify daemon is running on our server but it’s not rejecting non-existing users (so it’s accepting anything with our domain). The problem could be that /home/email/[virtual_domain]/.qmail-default is telling it that anything coming with this domain is valid.
But because I’m using a virtual domain, .qmail-default pipes to /usr/local/bin/vdeliver. So vdeliver is deciding who the right users on our server are. Andrew suggested removing /home/email/[virtual_domain]/.qmail-default, but when I did it the email server stopped receiving emails. Do you know what parameters I need to pass to /usr/local/bin/vdeliver in /home/email/[virtual_domain]/.qmail-default so qmail-verify can properly filter email users?
2. Due to the increase in the number of ISPs blocking port 25 for third-party mail servers, I need to set an additional port on the mail server to answer SMTP requests. I was looking on Google and found the following link: http://www.skorpionweb.org/archives/2005/09/running_qmail_s.php.
So I followed the logic in this article and set separate tcpserver which listens to different port:
1) Created /var/qmail/rc2 :
#!/bin/sh
PATH="/var/qmail/bin:/usr/local/bin"
export PATH
cd /
qmail-start ./Maildir | setuidgid qmaill \
multilog t n50 s1000000 \
/var/qmail/logs/qmail2 &
2) Created /usr/local/bin/runmail2:
exec softlimit -m 10000000 \
envdir /etc/relay-ctrl relay-ctrl-chdir \
tcpserver -v -H -R -l $HOSTNAME -x /etc/tcp.smtp.cdb -c200 -u5002 -g5000 0 587 qmail-smtpd 2>&1 &
3) Created /var/qmail/logs/qmail2 and chown it to qmaill:nofiles.
Now I can start a separate tcpserver on port 587 and everything looks healthy, but when I change port 25 to 587 and try to send mail I get an error: “…The server may be unavailable or refusing connection…”
I wonder whether I need to set up another instance of qmail-smtpd (maybe qmail-smtpd2, just guessing here).
Thanks a lot again for your time and effort to keep this site going & helping folks like myself :-)
Kind regards, yuriy
05/24/2008 - 23:59
Hi Nazim,
The problem with setting up a second virtual domain was sorted out. It turned out that one needs to restart the qmail server after adding another virtual domain.
Also, I have sorted out the issue with the 550 error (I wrote about it in one of my previous posts).
With a virtual domain, a .qmail-default file should exist for each user. So the solution was pretty simple: copy the original .qmail-default to .qmail-USERNAME in the /home/email/yourdomain/ folder. Also, my /etc/tcp.smtp looks like this:
127.:allow,RELAYCLIENT="",RBLSMTPD="",QMAILQUEUE="/var/qmail/bin/qmail-queue"
:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl",VERIFY=""
05/25/2008 - 02:29
Hi Nazim,
Sometimes I get an error when sending email (to addresses which I have used before, or new ones):
An error occurred while sending mail. The mail server responded: sorry, that domain isn’t in my list of allowed rcpthosts (#5.7.1). Please check the message recipients and try again.
I thought that it had something to do with authentication timing out, so I removed 900 from /etc/relay-ctrl/expiry (step 12 -> Installing Relay-CTRL; page http://mansurovs.com/2002/12/20/qmail-howto/4), but I’m still getting this error.
I’d appreciate it if you could advise on what could be wrong, please.
Thanks a lot in advance,
yuriy
05/30/2008 - 10:10
Hi Nasim:
Have you tried to use CourierIMAP 4.3.1 (with AuthLib)?
I would appreciate your comments about it.
Thanks.
06/20/2008 - 19:22
This was helpful. Thank you.
06/29/2008 - 14:03
Nice tutorial. If anyone needs help, you can contact me via email on my website.
I could do it for free.
09/05/2008 - 16:04
> – Qmail Patches from http://mansurovs.com
Where are the patches? I looked but…
10/03/2008 - 07:19
So what if I want a more minimalistic solution. Basically I have a mail server that only needs to serve one site, and primarily outgoing mail. So no fancy stuff needed like multiple users and auto-responders.
I would like to have a suite of admin tools, for instance, being able to manually send an email that’s been stuck in the queue and watching the remote mail server response, ideally have a php script parse this information.
Hours on Google have really only given me scripts for the end-user, none for really managing the admin part of qmail.
10/16/2008 - 23:09
Nice tutorial. This is the only patch set with which I haven’t encountered a problem.
I hope you can add a patch such as validrcptto. This is a nice patch. However, I’m getting a failed hunk when I try to apply it after applying all the patches in your tutorial. Probably some code doesn’t conform to the validrcptto patch. I’m not a C programmer, so I’m having a hard time fixing the problem. Please inform me via my email ntserafica@yahoo.com if you have the patch.
This could be a great gift this coming christmas :)
03/27/2009 - 22:20
Can you add instructions on how to get SquirrelMail to work together with your tutorial?
Thanks in advance
03/28/2009 - 01:50
I followed you through step 17.1 and everything works fine, but when I telnet to port 15 and 110 these errors occur:
===============================================
telnet 127.0.0.1 25
Trying 127.0.0.1…
Connected to localhost (127.0.0.1).
Escape character is ‘^]’.
220 tnway.com ESMTP
exit
502 unimplemented (#5.5.1)
quit
======================================================
telnet 127.0.0.1 110
Trying 127.0.0.1…
Connected to localhost (127.0.0.1).
Escape character is ‘^]’.
+OK
hello
-ERR authorization first
exit
-ERR authorization first
=============================================
What is wrong? I really need your help.
Thanks in advance
03/28/2009 - 01:56
billyduc,
Just install Courier IMAP and you will be able to use Squirrelmail or any other web-based mail system. I personally use Horde http://www.horde.org/ and love the functionality.
Regarding your other issues with telnetting – the output seems to be normal and the services are responding. Did you try to send an email to your server through an external provider like gmail/yahoo? Did you try to use a client like Outlook to download emails through POP3/IMAP?
Nasim
03/30/2009 - 01:50
I use Evolution as my email client.
I set up a “test” account to send and receive mail.
When I click the Send / Receive button, it prompts me:
Unable to connect to POP server myhost.mydomain.com.
Error Sending password : -ERR authorization failed
Please enter the POP password for test on host myhost.mydomain.com
I enter the password for the test account… but the error window opens:
Error While Fetching Mail
Unable to connect to POP server myhost.mydomain.com.
Error Sending password : Operation now in progress
05/05/2009 - 13:21
Hey, I wrote a practical step-by-step how-to on qmail… please see the link: “http://119.15.153.9/qmail/qmail-install.html”. I hope someone will find it useful.
07/17/2009 - 11:06
Great howto, tnx!
08/19/2009 - 15:37
When I was trying to compile the qmail-autoresponder-0.97, it gave me the following error messages:
main.c: In function ‘exec_qmail_inject’:
main.c:257: warning: missing sentinel in function call
./compile options.c
options.c:1:25: error: mysql/mysql.h: No such file or directory
make: *** [options.o] Error 1
I have the mysql installed. Please help.
Thank you
11/14/2009 - 15:09
I did “apt-get install libmysqlclient15-dev” and it solved the problem with options.c:1:25: error: mysql/mysql.h: No such file or directory
11/14/2009 - 15:13
Andreas, thank you for the input!
Whenever there is a problem with mysql.h not being found, you need to install the mysql client source files, just like you did.
01/02/2010 - 07:39
Hello,
I would like to forward all bounced emails for all of my user accounts to a single account.
Is there a qmail setting or patch that allows me to forward all bounced emails of my user accounts to a single admin account?
Regards