qmail HowTo


REDHAT + QMAIL + OPENSSL + APACHE + PHP + MYSQL + VPOPMAIL (with MySQL
accounts) + COURIER-IMAP + SQUIRRELMAIL (with MySQL prefs/addrbook), QMAIL-SCANNER
+ CLAM ANTIVIRUS + SPAMASSASSIN

Original of this document is available at

http://www.pipeline.com.au/staff/mbowe/isp/webmail-server.htm



BEFORE YOU START

I would recommend you first learn qmail via www.lifewithqmail.org.

Next do a bit of reading about vpopmail servers : Bill Shupp’s Linux Qmail
Toaster, and also http://www.qmailrocks.org/

Once you have a good grip on all those concepts, come back and
read this doc to learn how you can add MySQL back-ends to vpopmail and
SquirrelMail  :-)

 


WHY USE MYSQL FOR THE VPOPMAIL AND SQUIRRELMAIL BACK-ENDS?

By having all the vpopmail account data stored in MySQL, you can easily
write web based tools (eg in ASP or PHP) that talk to the database and
present an easy-to-use interface for your support staff to manage the user
accounts.
I have included some more info and examples on this
subject at the bottom of this doc

You can easily add additional columns to the vpopmail tables to store other
"per-user" information without affecting the operation of vpopmail

For a server with many user accounts, you would expect that MySQL would
give faster performance than disk based accounts. Particularly when you have a
large number of users in a given domain. (I haven’t personally done any
benchmarks on this, and I also have never seen anyone else run such a test,
but you would have to expect that a SQL based backend would scale better than
the file-based cdb backend that qmail/vpopmail uses by default)

If you have a very large number of accounts, vpopmail can be configured to
use MySQL replication and NFS to share the load over multiple servers


ABOUT THESE NOTES

Follow these notes at your own risk…!

All the commands shown below have been run as root.

I have successfully used these notes to build many Redhat 7.2, 7.3 and 8.0
based servers. People have told me that Redhat 9.0 & Fedora will also work, but you have to be
aware of a few issues :

  • Most of the qmail software and associated utilities will not compile
    under RH9 or Fedora, due to conflicts with its new version of glibc. You can get
    patches to solve these problems from www.qmail.org (do a search for
    "errno"). The actual link for the patches is
    http://www.qmail.org/moni.csi.hu/pub/glibc-2.3.1/
  • For packages using perl (eg Razor, SpamAssassin), you may need to add an
    "export LANG=en_US" to your scripts, or alternatively modify the "/etc/sysconfig/i18n"
    file.

REDHAT 7.2 / 7.3 / 8.0 NOTES

FIREWALL :

The ipchains or iptables firewalling software will usually be installed
during Redhat’s installation process.

For this server you will need to make sure you have opened access on at
least the following ports :

  • SMTP:TCP
  • HTTP:TCP
  • HTTPS:TCP
  • POP3:TCP
  • NTP:UDP

Note that we aren’t going to open the IMAP:TCP port, as we are not offering
IMAP services directly to our clients. We will be running an IMAP server, but
the only program talking to it will be the SquirrelMail software which is also
running on this same box.

On Redhat 7.2 / 7.3 (which uses ipchains by default)

You can examine/modify the ipchains config by working on the file :

	/etc/sysconfig/ipchains

If you make any changes to this file, you will need to restart the
ipchains software :

	/etc/rc.d/init.d/ipchains restart

On Redhat 8.0 (which uses iptables by default)

You can examine/modify the iptables config by working on the file :

	/etc/sysconfig/iptables

If you make any changes to this file, you will need to restart the
iptables software :

	/etc/rc.d/init.d/iptables restart
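As an added example (not part of the original document), here is a small script that writes the rule set described above in the format used by /etc/sysconfig/iptables on Redhat 8.0: default-deny on INPUT, the five listed services open, and IMAP reachable only via the loopback interface because SquirrelMail is the only client. Port numbers are assumed to be the standard ones (25, 80, 443, 110, 123/udp, 143); the ipchains file used on Redhat 7.x has a different syntax and is not covered here.

```shell
#!/bin/sh
# Added example: emit an iptables-save style rule set that opens only the
# services this document needs. Not from the original page.
# Assumed standard ports: SMTP 25, HTTP 80, HTTPS 443, POP3 110, NTP 123/udp.

PUBLIC_TCP="25 80 443 110"
PUBLIC_UDP="123"
LOCAL_ONLY_TCP="143"   # courier-imap: only SquirrelMail on this box talks to it

# gen_iptables_rules: print the rule file to stdout
# (redirect into /etc/sysconfig/iptables and restart the iptables service).
gen_iptables_rules() {
    echo "*filter"
    echo ":INPUT DROP [0:0]"        # default deny for inbound traffic
    echo ":FORWARD DROP [0:0]"      # this box is a mail server, not a router
    echo ":OUTPUT ACCEPT [0:0]"
    # loopback traffic (SquirrelMail -> IMAP, PHP -> MySQL) is always allowed
    echo "-A INPUT -i lo -j ACCEPT"
    # replies to connections we opened ourselves (DNS, outbound SMTP, NTP)
    echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for p in $PUBLIC_TCP; do
        echo "-A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    for p in $PUBLIC_UDP; do
        echo "-A INPUT -p udp --dport $p -j ACCEPT"
    done
    # IMAP from anything but loopback: the DROP policy would already catch it,
    # but an explicit REJECT documents the intent when someone audits the file.
    for p in $LOCAL_ONLY_TCP; do
        echo "-A INPUT -p tcp --dport $p -j REJECT --reject-with tcp-reset"
    done
    echo "COMMIT"
}

# port_is_open PORT: succeed if some INPUT rule ACCEPTs new connections to PORT.
# Handy as a self-check before loading the rules.
port_is_open() {
    gen_iptables_rules | grep -q -- "--dport $1 .*-j ACCEPT"
}
```

Run `gen_iptables_rules > /etc/sysconfig/iptables` and then restart iptables as shown above; `port_is_open 143` should fail, confirming that IMAP is not exposed to the network.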

SETUP TIME SYNCHRONISATION :

Mail servers need to have their clocks set correctly. If you don’t have
their time sync’ed, you can experience strange problems.

Redhat comes with the ntpd package which is easy to setup

vi /etc/ntp.conf

look for the "# --- OUR TIMESERVERS -----" section
and then put in the following lines :

restrict xxx.xxx.xxx.xxx mask 255.255.255.255 nomodify notrap noquery
server xxx.xxx.xxx.xxx

where xxx.xxx.xxx.xxx is the IP address of your (or your upstream’s) NTP
server

After making the changes, you will need to restart the ntpd service :

	/etc/rc.d/init.d/ntpd restart

Use the ntsysv program and make sure the ntpd service is enabled at bootup
time

SETUP DNS :

For our example, we setup an A record for hostname.yourdomain.com
Any domains that we are hosting mail for should have their primary MX pointing
to this host. We also created the following CNAME aliases for this host :
pop3, smtp, webmail

This allows our users to :

  • access SquirrelMail and qmailadmin via http://webmail.yourdomain.com
  • set their POP3 clients to pop3.yourdomain.com
    for their incoming mail, and smtp.yourdomain.com
    for their outgoing mail

IMPORTANT : Never configure an end-user’s software to reference the hostname
directly. Even though you might start out with just a single box doing all
your email functions, later on you might add other boxes to split the load
onto different machines (eg one to handle all the SMTP mail, the other doing
POP3/IMAP and another again doing WebMail). By setting your client to use the
aliased names, you can add extra boxes and then just update the DNS as appropriate. No
changes will be required on the client’s computer. Make sure you take my
advice now on this matter. You will thank me for this later!! :-)

CHECK YOUR SYSLOG CONFIG :

You may find that your mail server logs a lot of entries to the syslog. On
Linux you need to be careful of this as there can be a big performance impact.
In particular you should check your /etc/syslog.conf and make sure there is a
"-" symbol in front of any files that will be busy eg "-/var/log/maillog", so
that syslogd does not sync the file to disk after every single message. If
you have to add the file, then don’t forget to "killall -HUP syslogd" so the
changes are picked up.

(OPTIONAL) UPDATE YOUR KERNEL :

RedHat regularly publishes updated versions of the Linux kernel to suit
their various RedHat distributions. To ensure that your server has best
performance and reliability, it is a good idea to regularly upgrade to the
latest available kernel.

RedHat have got some easy-to-follow instructions online :


MYSQL

www.mysql.com

We will be using MySQL to store all the domain and mailbox account
information for vpopmail. We are also going to use MySQL to store the
SquirrelMail user preferences and address books

Setup an account for the MySQL server to run under :

groupadd mysql
useradd -g mysql mysql

Go to their website and download the latest binaries to /usr/local/src.   In this example I have
used the file:

mysql-max-3.23.57-pc-linux-i686.tar.gz

(Note, MySQL v4 has recently been released as "stable", however I am yet to
personally do any vpopmail testing under this new version. I have used MySQL
v4 for other jobs, and have had reports from other people that it works fine
with vpopmail, so if you are keen you should be safe to give MySQL v4 a go
rather than v3)

Unzip / configure the binaries so they get installed to /usr/local/mysql

cd /usr/local
tar xzf /usr/local/src/mysql-max-3.23.57-pc-linux-i686.tar.gz
ln -s mysql-max-3.23.57-pc-linux-i686 mysql

Run the installation script that creates/verifies all the various system-use
tables etc

cd mysql
scripts/mysql_install_db
cd ..

Setup permissions on the MySQL dirs

chown -R root.mysql mysql-max-3.23.57-pc-linux-i686
chmod -R 640 mysql
chmod -R u+X,g+X mysql
chmod -R ug+x mysql/bin
chmod -R g+w mysql/data
chmod -R u+x mysql/scripts

Let the MySQL server know what amount of resources it is allowed to use

# choose an appropriate config file from the samples provided
cp /usr/local/mysql/support-files/my-medium.cnf /usr/local/mysql/data/my.cnf
# adjust the permissions on the file so that mysql daemon can read the contents
chgrp mysql /usr/local/mysql/data/my.cnf  

Fire up the server

cd /usr/local/mysql
bin/safe_mysqld --user=mysql &

At this point the mysql daemons should be running. A good way to verify
this is to use this command :

ps axf

If all is well, you should be able to see something like this :

1073 ? S 0:00 /bin/sh ./bin/safe_mysqld --datadir=/usr/local/mysql/data --pid-file=/usr/local/mysql/data/.pid
1117 ? S 0:00  \_ /usr/local/mysql/bin/mysqld --defaults-extra-file=/usr/local/mysql/data/my.cnf --basedir=/usr/local/m
1125 ? S 0:00      \_ /usr/local/mysql/bin/mysqld --defaults-extra-file=/usr/local/mysql/data/my.cnf --basedir=/usr/loc
1126 ? S 0:00          \_ /usr/local/mysql/bin/mysqld --defaults-extra-file=/usr/local/mysql/data/my.cnf --basedir=/usr
1143 ? S 0:00          \_ /usr/local/mysql/bin/mysqld --defaults-extra-file=/usr/local/mysql/data/my.cnf --basedir=/usr
1419 ? S 0:00          \_ /usr/local/mysql/bin/mysqld --defaults-extra-file=/usr/local/mysql/data/my.cnf --basedir=/usr
1449 ? S 0:00          \_ /usr/local/mysql/bin/mysqld --defaults-extra-file=/usr/local/mysql/data/my.cnf --basedir=/usr
1471 ? S 0:00          \_ /usr/local/mysql/bin/mysqld --defaults-extra-file=/usr/local/mysql/data/my.cnf --basedir=/usr

(If you received errors, look in the file /usr/local/mysql/data/hostname.err for
debugging info)

Next setup a password for the MySQL root user

/usr/local/mysql/bin/mysqladmin -u root password 'mysql-root-pwd'

Configure MySQL so it is running all the time from bootup onwards

cp /usr/local/mysql/support-files/mysql.server /etc/rc.d/init.d/mysql
chmod 744 /etc/rc.d/init.d/mysql
chkconfig --add mysql

Then I like to use the ntsysv program
to double-check that mysql is set to launch at boot time


OPENSSL

www.openssl.org

This package is optional. It is required if you want your Apache software to
have SSL support. We have used it because we want our WebMail interface to have
SSL functionality for the login screens. If you don’t want/need SSL support, you
could skip this section

Go to their website and download the latest source to /usr/local/src.   In this example I have
used the file:

openssl-0.9.7b.tar.gz

Compile source (installs to /usr/local/ssl)

cd /usr/local/src
tar xzf openssl-0.9.7b.tar.gz
chown -R root.root openssl-0.9.7b
cd openssl-0.9.7b
./config no-threads -fPIC
make
make install

Generate a private key (make a KEY file)

cd /usr/local/ssl
# generate a 1024-bit RSA private key
bin/openssl genrsa -out private/webmail.yourdomain.com.key 1024
# make sure the permissions on the private dir are tight
chown -R root.root private
chmod -R 600 private
chmod u+X private

Generate a certificate signing request (make a CSR file)

# fill in the X.509 prompts when they appear on the screen
# make sure you put the web site's name into the common name box eg webmail.yourdomain.com
bin/openssl req -new -key private/webmail.yourdomain.com.key -out certs/webmail.yourdomain.com.csr
Country Name (2 letter code) [AU]:AU 
State or Province Name (full name) [Some-State]:Your State
Locality Name (eg, city) []:Your City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your Company Pty Ltd
Organizational Unit Name (eg, section) []:Internet Services
Common Name (eg, your name or your server's hostname) []:webmail.yourdomain.com
Email Address []:postmaster@yourdomain.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:yoursecretpasswd
An optional company name []:

Get the certificate signed (make a CRT file)

Get the certificate signed by one of the official signing authorities (eg
Thawte) :

Send the webmail.yourdomain.com.csr file to
a signing authority for processing…
When they have signed it, copy the signed certificate to /usr/local/ssl/certs/webmail.yourdomain.com.crt

Or alternately, here is how you can sign it yourself so you can do a bit of
testing! :

openssl x509 -req -days 30 -in certs/webmail.yourdomain.com.csr \
-out certs/webmail.yourdomain.com.crt \
-signkey private/webmail.yourdomain.com.key

A note for the future…. Eventually you will need to renew your certificate
:

If you get your certificate signed by eg Thawte, then after the certificate
period expires (typically 1 year), you will need to renew the certificate

If all the details for your server are still the same as on your original
signing request, then you do not have to submit a new CSR file. You can
just ask them to "re-sign" your existing certificate with an updated expiry date. Before
proceeding with your renewal request, make sure you still have a copy of your
original private key, as the new certificate will only work with that key.

Alternatively, if any of the details for your server have changed, then you
will need to apply for a new certificate. To do this just follow the original
steps above that show how to create a certificate from scratch. (Thawte will
still only bill you the cheaper renewal rates..)

Thawte will then send you an updated CRT, and all you do is save this over
the top of your original CRT file (/usr/local/ssl/certs/webmail.yourdomain.com.crt), and
then restart the apache server
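As an added example that is not part of the original document, the script below performs the key, CSR and self-signed test certificate steps non-interactively (the X.509 fields are passed with -subj instead of being typed at the prompts) and adds the one check that the renewal note above depends on: confirming that a certificate you are about to install actually belongs to the private key you still hold. The hostname and subject values are the document's placeholders; the key size is 2048 bits rather than the 1024 used above, since 1024-bit RSA is no longer considered adequate, and the commands assume a current OpenSSL release (the `pkey` subcommand did not exist in 0.9.7).

```shell
#!/bin/sh
# Added example (not from the original page): non-interactive key/CSR/test
# certificate generation plus a key-matches-certificate check.
# HOST and SUBJ are placeholders taken from the document.

HOST="webmail.yourdomain.com"
SUBJ="/C=AU/ST=Your State/L=Your City/O=Your Company Pty Ltd/OU=Internet Services/CN=$HOST/emailAddress=postmaster@yourdomain.com"

# make_key_csr_cert DIR: create DIR/private/$HOST.key (mode 600, directory
# mode 700), DIR/certs/$HOST.csr and a 30-day self-signed DIR/certs/$HOST.crt
# for testing, mirroring the document's layout under /usr/local/ssl.
make_key_csr_cert() {
    dir="$1"
    mkdir -p "$dir/private" "$dir/certs"
    chmod 700 "$dir/private"
    # umask 077 makes the key unreadable to group/other from the moment it exists
    (umask 077 && openssl genrsa -out "$dir/private/$HOST.key" 2048 2>/dev/null) || return 1
    openssl req -new -key "$dir/private/$HOST.key" -subj "$SUBJ" \
        -out "$dir/certs/$HOST.csr" 2>/dev/null || return 1
    openssl x509 -req -days 30 -in "$dir/certs/$HOST.csr" \
        -signkey "$dir/private/$HOST.key" -out "$dir/certs/$HOST.crt" 2>/dev/null
}

# cert_matches_key CRT KEY: succeed only if the public key inside CRT is the
# one derived from KEY (compares SHA-256 of the DER-encoded public keys).
# Run this on a renewed CRT before copying it over the old one.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_cn CRT: print the Common Name so you can confirm it is the site name
# the browser will be connecting to.
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}
```

Typical use when a renewed certificate arrives: `cert_matches_key new.crt /usr/local/ssl/private/webmail.yourdomain.com.key && cert_cn new.crt` before overwriting the CRT file and restarting Apache.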


APACHE WEB SERVER (WITH MOD_SSL & PHP4 AS DSO MODULES)

http://httpd.apache.org

Some of the steps below are only required if you are building in support for
mod_ssl : the mod_ssl merge, the SSL_BASE / --enable-module=ssl configure
options, and anything that references the certificate files

Uninstall apache if it is installed already

rpm -e --nodeps apache

Go to their website and download the latest source to /usr/local/src.   In this example I have
used the file:

apache_1.3.27.tar.gz

(Note, Apache v2 has recently been released as "stable", however I am yet to
do any testing under this new version. I would recommend that you stay with v1.3
until the v2 series is more mature)

Extract the apache source

cd /usr/local/src
tar xzf apache_1.3.27.tar.gz
chown -R root.root apache_1.3.27

Create an account  and group for the web server to run under

groupadd www
useradd -g www www 

Merge in the mod_ssl source


www.modssl.org

mod_ssl provides SSL cryptography functionality for the Apache webserver

Go to their website and download
the version of mod_ssl that matches your version of apache. Put
the file into /usr/local/src. In this example I have used the file :

mod_ssl-2.8.14-1.3.27.tar.gz

Extract the source :

cd /usr/local/src
tar xzf mod_ssl-2.8.14-1.3.27.tar.gz
chown -R root.root mod_ssl-2.8.14-1.3.27
cd mod_ssl-2.8.14-1.3.27

And now use the configure script to
patch the apache source tree

./configure \
  --with-apache=../apache_1.3.27 \
  --with-crt=/usr/local/ssl/certs/webmail.yourdomain.com.crt \
  --with-key=/usr/local/ssl/private/webmail.yourdomain.com.key

Compile the apache source

cd /usr/local/src
cd apache_1.3.27
SSL_BASE=../openssl-0.9.7b \
./configure \
  --prefix=/usr/local/apache \
  --enable-module=so \
  --enable-module=rewrite \
  --enable-shared=rewrite \
  --enable-module=ssl \
  --enable-shared=ssl \
  --disable-rule=SSL_COMPAT \
  --server-uid=www \
  --server-gid=www 
make
make install

Now add  PHP scripting support

www.php.net

Go to their website and download the latest source to /usr/local/src. In
this example I have used :

php-4.3.11.tar.gz

Extract the source

cd /usr/local/src
tar xzf php-4.3.11.tar.gz
chown -R root.root php-4.3.11
cd php-4.3.11

And now use the configure script to build PHP as an Apache DSO module (via apxs) with MySQL support

./configure \
  --with-mysql=/usr/local/mysql \
  --with-apxs=/usr/local/apache/bin/apxs
make
make install

Put the sample php.ini file into the required location

cp php.ini-dist /usr/local/lib/php.ini

Modify the /usr/local/lib/php.ini file and make sure it
contains the following commands

max_execution_time=60
memory_limit=10M
post_max_size=8M
upload_max_filesize=8M
file_uploads=On
log_errors=On
error_log=/usr/local/apache/logs/php_error_log

Tighten the security on PHP dir

# Since we have installed PHP as a module, it will run in our chosen "www" context.
# We will now tighten up the permissions on the php directory to allow only root and www users access
chown -R root.www /usr/local/lib/php
chmod -R g-w,o-rwx /usr/local/lib/php 

Edit the /usr/local/apache/conf/httpd.conf file

User www
Group www
ServerAdmin postmaster@yourdomain.com
ServerName  webmail.yourdomain.com
# Following line should be present already as it would be inserted by the PHP make
# Make sure you move it outside of the IfDefineSSL section if the make (incorrectly) put it there
LoadModule php4_module libexec/libphp4.so
# uncomment (or add) the following line
AddType application/x-httpd-php .php
# Add the index.php into this line so apache will use this file as a default in addition to index.html
DirectoryIndex index.php index.html
# Go towards the end of the httpd.conf and look for the "SSL Virtual Host Context"
ServerName webmail.yourdomain.com
ServerAdmin postmaster@yourdomain.com

Tidy up the default Apache contents dir

rm -Rf /usr/local/apache/htdocs/*
rm -f /usr/local/apache/index.html.*

Tidy up the default Apache cgi-bin dir

rm -Rf /usr/local/apache/cgi-bin/*

Setup permissions on the Apache dirs

cd /usr/local

# make root.root own the entire Apache tree
chown -R root.root apache

# setup permissions on the apachedir.
# Because it is owned by root.root, we need to make sure the world permissions bits
# allow rx so that the www group in particular can get access to the apacheroot
chmod 755 apache

# now set the rest of the apacheroot to only allow root to rw. Everything else blocked
# we will selectively go and open permissions as needed
chmod -R 600 apache/*

# give owner (root) search/access permissions on all directories in the apacheroot
chmod -R u+X apache

cd apache

# bin dir contains binaries, so grant execute permissions to owner (root)
chmod -R u+x bin

# cgi-bin contains binaries. Allow either owner (root), or group (web server (www)) to execute these
chgrp -R www cgi-bin
chmod -R u+x,g+x cgi-bin

# the web server needs read access the icons dir
chgrp -R www icons
chmod -R g+rX icons

# Web server log files can be written by the service processes
# but the log files cannot be read or served as web content.
# Web server log files can be read only by administration processes 
chgrp -R www logs
chmod g+wX logs


# public web files need to be readable, but not writable, by the web service processes
# Also the directories where public web content is stored must not be writable by web service processes
# Also public web content files can be written only by processes authorised for web server admin (only root in our case)
chgrp -R www htdocs
chmod -R g+rX htdocs

OPTIONAL : ADD MOD_GZIP SUPPORT


http://sourceforge.net/projects/mod-gzip/

mod_gzip is a module for Apache that allows you to compress
outgoing content from an Apache web server on-the-fly. It uses the same
compression as gzip and no plugins or extra software is needed by your browser
to take advantage of this product. Reduction in size of up to 90% or more is
possible.

Go to their website and download the latest source to /usr/local/src.
In this example I have used :

mod_gzip-1.3.26.1a.tgz

Unpack the sources

cd /usr/local/src
wget http://optusnet.dl.sourceforge.net/sourceforge/mod-gzip/mod_gzip-1.3.26.1a.tgz
tar xzf mod_gzip-1.3.26.1a.tgz
chown -R root.root mod_gzip-1.3.26.1a
cd mod_gzip-1.3.26.1a

Compile

APXS=/usr/local/apache/bin/apxs make
APXS=/usr/local/apache/bin/apxs make install

Setup the mod_gzip config in the Apache’s httpd.conf file

vi /usr/local/apache/conf/httpd.conf
# Add the following commands to the httpd.conf file. 
# ( Insert them before all the SSL config options )

LoadModule gzip_module libexec/mod_gzip.so
<IfModule mod_gzip.c>
mod_gzip_on Yes
mod_gzip_temp_dir /tmp
mod_gzip_keep_workfiles No
mod_gzip_minimum_file_size 500
mod_gzip_maximum_file_size 5000000
mod_gzip_maximum_inmem_size 60000
mod_gzip_handle_methods GET
mod_gzip_item_include file "\.htm$"
mod_gzip_item_include file "\.html$"
mod_gzip_item_include file "\.txt$"
mod_gzip_item_include file "\.php$"

mod_gzip_item_include mime "text/*"
mod_gzip_item_include mime "httpd/unix-directory"
mod_gzip_item_include mime "application/x-httpd-php"

mod_gzip_item_exclude file "\.css$"
mod_gzip_item_exclude file "\.js$"
mod_gzip_item_exclude file "\.wml$"

mod_gzip_dechunk Yes

LogFormat "%h %l %u %t \"%r\" %>s %b mod_gzip: %{mod_gzip_compression_ratio}npct." common_with_mod_gzip_info1
# CustomLog /usr/local/apache/logs/mod_gzip common_with_mod_gzip_info1
LogFormat "%h %l %u %t \"%V %r\" %>s %b mod_gzip: %{mod_gzip_result}n In:%{mod_gzip_input_size}n Out:%{mod_gzip_output_size}n:%{mod_gzip_compression_ratio}npct." common_with_mod_gzip_info2
CustomLog /usr/local/apache/logs/mod_gzip common_with_mod_gzip_info2
mod_gzip_add_header_count Yes
</IfModule>
# and then put this command inside the <VirtualHost _default_:443> section
# since it isn't possible to successfully gzip SSL pages
mod_gzip_on No

CRANK IT UP!

Test your httpd.conf for valid syntax

/usr/local/apache/bin/apachectl configtest

Try starting the Apache server

# if you are using SSL :

/usr/local/apache/bin/apachectl startssl
# if you aren't using SSL

/usr/local/apache/bin/apachectl start

At this point the apache daemon should be running. A good way to verify
this is to use this command :

ps axf

If all is well, you should be able to see something like this :

1210 ? S 0:00 /usr/local/apache/bin/httpd -DSSL
1274 ? S 0:03  \_ /usr/local/apache/bin/httpd -DSSL
1275 ? S 0:00  \_ /usr/local/apache/bin/httpd -DSSL
1276 ? S 0:02  \_ /usr/local/apache/bin/httpd -DSSL
1277 ? S 0:03  \_ /usr/local/apache/bin/httpd -DSSL
1278 ? S 0:01  \_ /usr/local/apache/bin/httpd -DSSL

If that all
looks good, then now we need to configure a startup script for apache, so it
launches every time at bootup

vi /etc/rc.d/init.d/httpd

#!/bin/sh
#
# Startup script for the Apache Web Server
#
# chkconfig: 345 85 15
# description: Apache is a World Wide Web server. It is used to serve \
# HTML files and CGI.
# processname: httpd
# pidfile: /var/run/httpd.pid


# Source function library.
. /etc/rc.d/init.d/functions

# See how we were called.
case "$1" in
  start)
	echo -n "Starting httpd: "
	daemon /usr/local/apache/bin/httpd -DSSL
	echo
	touch /var/lock/subsys/httpd
  ;;
  stop)
	echo -n "Shutting down httpd: "
	killproc httpd
	echo
	rm -f /var/lock/subsys/httpd
	rm -f /var/run/httpd.pid
  ;;
  status)
	status httpd
  ;;
  restart)
	$0 stop
	$0 start
  ;;
  reload)
	echo -n "Reloading httpd: "
	killproc httpd -HUP
	echo
  ;;
  *)
	echo "Usage: $0 {start|stop|restart|reload|status}"
	exit 1
esac

exit 0

Setup permissions etc for the startup script

chown root.root /etc/rc.d/init.d/httpd
chmod 744 /etc/rc.d/init.d/httpd
chkconfig --add httpd

Then I like to use the ntsysv program
to double-check that httpd is set to launch at boot time


QMAIL

I recommend that you follow the instruction guide at
www.lifewithqmail.org

 

However, if you really want to see how we normally do it, here
are the steps :

INSTALL UCSPI-TCP

cd /usr/local/src
wget http://cr.yp.to/ucspi-tcp/ucspi-tcp-0.88.tar.gz 
wget http://www.qmail.org/ucspi-rss.diff 
tar xzf ucspi-tcp-0.88.tar.gz
chown -R root.root ucspi-tcp-0.88
cd ucspi-tcp-0.88
# Patch rblsmtpd so that it can be used with all the newer RBL zones.
# This patch also lets you specify a custom error message to be returned to the sender.
patch -p0 rblsmtpd.c < ../ucspi-rss.diff
# Modify rblsmtpd.c to increase the maximum size of the error text that is allowed
# to be returned to the sender from 200 to 500 chars.
# This allows you to create some nice and descriptive text to send to people who 
# are being blocked by your RBL filters
vi rblsmtpd.c

go to line 166 and change it from

if (text.len > 200) text.len = 200;

to

if (text.len > 500) text.len = 500;
make
make setup check

INSTALL DAEMONTOOLS

cd /usr/local/src
wget http://cr.yp.to/daemontools/daemontools-0.76.tar.gz 
mkdir -p /package
chmod 1755 /package
cd /package
tar xzfp /usr/local/src/daemontools-0.76.tar.gz
cd admin/daemontools-0.76 
package/install

INSTALL QMAIL

Download the required files

cd /usr/local/src
wget http://cr.yp.to/software/qmail-1.03.tar.gz
wget http://www.ckdhr.com/ckd/qmail-103.patch 
wget http://www.qmail.org/qmailqueue-patch 
wget http://www.shupp.org/patches/qmail-maildir++.patch 
wget ftp://ftp.pipeline.com.au/PipeInt/Sources/Linux/WebMail/qmail-date-localtime.patch.txt 
wget ftp://ftp.pipeline.com.au/pipeint/sources/linux/WebMail/qmail-limit-bounce-size.patch.txt
wget ftp://ftp.pipeline.com.au/PipeInt/Sources/Linux/WebMail/qregex.patch-20020129.txt
wget ftp://ftp.pipeline.com.au/PipeInt/Sources/Linux/WebMail/qmail-smtpd-esmtp-size_qregex-compat.diff.txt
wget ftp://ftp.pipeline.com.au/pipeint/sources/linux/WebMail/qmailctl.txt

Create the users and groups required for qmail

groupadd nofiles
useradd -g nofiles -d /var/qmail qmaild
useradd -g nofiles -d /var/qmail qmaill
useradd -g nofiles -d /var/qmail qmailp
useradd -g nofiles -d /var/qmail/alias alias
groupadd qmail
useradd -g qmail -d /var/qmail qmailq
useradd -g qmail -d /var/qmail qmailr
useradd -g qmail -d /var/qmail qmails

Unzip the sources, apply the required patches, compile

tar xzf qmail-1.03.tar.gz
cd qmail-1.03
# Apply patch that allows qmail to work with oversize DNS packets
patch -p1 < ../qmail-103.patch
# Apply the "qmailqueue" patch
# This patch gives you the required support for other popular addons like Qmail-Scanner
patch -p1 < ../qmailqueue-patch
# Apply patch to make qmail-local and qmail-pop3d compatible with the maildir++ quota
# system that is used by vpopmail and courier-imap
patch < ../qmail-maildir++.patch
# Apply patch for local timestamps.
# This will make the emails headers be written in localtime rather than GMT
patch -p1 < ../qmail-date-localtime.patch.txt
# Apply patch to limit the size of bounce messages generated by our server.
# The patch will limit the size of the bounce to be 50K,
# or you can override this by setting a different value in /var/qmail/control/bouncemaxbytes 
patch < ../qmail-limit-bounce-size.patch.txt
# Now add the qregex patch, which adds regexp support to qmail's badmailfrom,
# and also implements badmailto checking (again with regexp support)
patch < ../qregex.patch-20020129.txt
# Apply patch to add ESMTP SIZE support to qmail-smtpd
# This helps your server be able to reject excessively large messages "up front",
# rather than waiting for the whole message to arrive and then bouncing it because
# it exceeded the /var/qmail/control/databytes setting.
# Note that this particular patch has been modified so it will apply cleanly in
# conjunction with the other patches I have supplied above. The original version
# of this patch would fail because it conflicted with the qregex patch.
patch < ../qmail-smtpd-esmtp-size_qregex-compat.diff.txt

Edit qmail-smtpd.c and change the code on the straynewline function (around
line 54) from 451 to 553.
Without this you will get nasty loops forming when a remote server sends you
a message with invalid formatting. By default qmail says something like
"I am not going to accept that message at the moment, you can try again
later". However in my experience the sending server will try sending the same
message again a few seconds later, and this will go around and around in a
loop for days on end – consuming valuable bandwidth and resources. By changing
the error code to 553, the error becomes permanent ie "I am not going
to accept that message, don’t try sending it again"

make setup check
./config
cd ..

Remove the sendmail package, and link in qmail’s replacement utility

# If you are running redhat 8, you may first need to remove the postfix
# package, so that mail to someuser@hostname.yourdomain.com will work correctly :
rpm -e --nodeps postfix
# OK, now go ahead and remove the sendmail package
rpm -e --nodeps sendmail
# Link in qmail's replacement "sendmail-like" tools 
ln -s /var/qmail/bin/sendmail /usr/lib
ln -s /var/qmail/bin/sendmail /usr/sbin

The qmailctl script contains all the various commands that will allow us to
control our qmail daemons. Put it in with the other qmail binaries. Also link
it into /usr/bin so it will be in our "path" for easy access

cp /usr/local/src/qmailctl.txt /var/qmail/bin/qmailctl
chmod 755 /var/qmail/bin/qmailctl
ln -s /var/qmail/bin/qmailctl /usr/bin

Setup the /etc/tcp.smtp file
This file controls who is allowed to send and/or relay mail on this server
An example configuration follows :

#------------------------------------------------------
# DESCRIPTION OF THE RULES TO REMIND ME OF HOW THIS FILE WORKS
#
# If you set 'allow', this means that our mail server will allow
# the specified IP range to make a TCP connection to our server
#
# If you set 'deny', this means that our mail server will not allow
# the specified IP range to make a TCP connection to our server
#
# If you set RELAYCLIENT="", this means that the listed IP range is 
# allowed to relay mail through our server
#
# If you don't set RELAYCLIENT="", this means that the listed IP range
# will not be able to relay mail through our server
#
# If you set RBLSMTPD="", this means that the listed IP ranges will
# not be checked against any of the RBL databases
#
# If you set RBLSMTPD="some text here", this means that an RBL lookup
# won't be performed, but the mail will be rejected with the specified
# text as a 4xx temp error message
#
# If you set RBLSMTPD="-some text here", this means that an RBL lookup
# won't be performed, but the mail will be rejected with the specified
# text as a 5xx perm error message
#
# If you do not set RBLSMTPD="" or ="some text", then an RBL lookup
# will be performed. If the lookup is successful, then RBLSMTPD will
# return your custom error message (as specified in the -r parameter
# in smtpd supervise script)
#
#-----------------------------------------------------
# HERE ARE THE RULES! :
#-----------------------------------------------------
# BYPASS OPEN RELAY CHECKING FOR THESE IPS :
#
# These IPs are ones that we have setup so that they aren't RBL checked.
# We have done this because these particular servers are RBL listed,
# and for whatever reason they can't/won't fix their open relay problem,
# and we still want to be able to receive mail from them.
# 
# reminder text goes here for this entry so we know the story...
111.111.111.111:allow,RBLSMTPD=""
# reminder text goes here for this entry so we know the story...
222.222.222.222:allow,RBLSMTPD=""
#
#-----------------------------------------------------------------
# DONT ALLOW THESE IPS TO SEND MAIL TO US :
#
# mailXX.offermail.net connecting regularly and sending invalid
# format messages causing exit with status 256 (bare linefeed normally)
# entry added 15/12/2001
# after looking at the mail coming from these servers it was found to be spam
216.242.75.100-116:allow,RBLSMTPD="-Connections from this IP have been banned."
#
# heaps of spam from replyto of *@freeamateurhotties.com dec2001
64.228.127.:allow,RBLSMTPD="-Connections refused due to spam from freeamateurhotties.com"
154.20.94.:allow,RBLSMTPD="-Connections refused due to spam from freeamateurhotties.com"
209.151.132.:allow,RBLSMTPD="-Connections refused due to spam from freeamateurhotties.com"
216.18.85.:allow,RBLSMTPD="-Connections refused due to spam from freeamateurhotties.com"
#
#-----------------------------------------------------------------
# ALLOW THESE IPS TO RELAY MAIL THROUGH OUR SERVER
#
# Local class-c's from our LAN are allowed to relay,
# and we wont bother doing any RBL checking.
123.123.123.:allow,RELAYCLIENT="",RBLSMTPD=""
123.111.111.:allow,RELAYCLIENT="",RBLSMTPD=""
#
# Connections from localhost are allowed to relay 
# (because the WebMail server runs on localhost),
# and obviously there is no point trying to perform an RBL check.
127.0.0.1:allow,RELAYCLIENT="",RBLSMTPD=""
#
#-----------------------------------------------------------------
# ALLOW EVERYONE ELSE TO SEND US MAIL
#
# Everyone else can make connections to our server,
# but not allowed to relay
# RBL lookups are performed
:allow

Set up the /etc/tcp.pop3 file.
This file controls who is allowed to access the POP3 service on this server.
An example configuration follows :

# Allow any client to connect to us via POP3
# If people are abusing POP3 such as denial-of-service on POP3, 
# you can add their ips here to block them out
:allow

Now that we have created our tcp.smtp and tcp.pop3 files, we need to compile
them into the cdb database format that the tcpserver program reads :

qmailctl cdb

Adjust various aspects of the qmail configuration to suit our tastes :

# use postmaster@hostname.yourdomain.com as sender in bounce messages
# rather than the default MAILER-DAEMON@hostname.yourdomain.com
echo 'postmaster' > /var/qmail/control/bouncefrom
# Define how to handle "double bounces".
# The server admin has two choices here, either to receive double bounces
# or to discard them. If your server doesn't handle a lot of mail then it 
# wouldn't hurt to receive all double bounces for the admin's inspection.
# But if your server handles a lot of mail, then it is more likely that you 
# are going to want to discard double-bounces, because you will end up with
# potentially thousands of these every day.
#
# If you want to keep double-bounces, use these commands to nominate what 
# email address to send them through to (eg doublebounce@yourdomain.com) :
echo 'doublebounce' > /var/qmail/control/doublebounceto
echo 'yourdomain.com' > /var/qmail/control/doublebouncehost
# (don't forget that you will need to make sure you have created a mailbox
# to receive these mails. You could use qmailadmin to create a dedicated
# mailbox, or perhaps set up an alias on an existing mailbox)
#
# Or if you would prefer to silently discard any doublebounces,
# then use these commands instead
echo 'doublebounce' > /var/qmail/control/doublebounceto
echo 'hostname.yourdomain.com' > /var/qmail/control/doublebouncehost
echo '#' > ~alias/.qmail-doublebounce
chmod 644 ~alias/.qmail-doublebounce
# set maximum message size to be 8Mb
echo '8000000' > /var/qmail/control/databytes
# queue mail for up to 4 days
echo '345600' > /var/qmail/control/queuelifetime
# Populate badmailto so that mail with invalid address formatting gets rejected
echo '# reject containing invalid characters, brackets or multiple @' > /var/qmail/control/badmailto
echo '[!%#:\*\^]' >> /var/qmail/control/badmailto
echo '[\(\)]'         >> /var/qmail/control/badmailto
echo '[\{\}]'         >> /var/qmail/control/badmailto
echo '@.*@'           >> /var/qmail/control/badmailto
# setup the default domain for use where an address does not have a domain specified
echo 'yourdomain.com' > /var/qmail/control/defaultdomain
# Note, this following command is optional!
#
# If you want qmail to send all outbound mail via a particular mail server
# rather than to send it direct to the recipient's mail server, then this
# can be achieved with the smtproutes command.
#
# SEND ALL OUTBOUND MAIL VIA SMARTHOST
echo ':yoursmarthost.yourdomain.com' > /var/qmail/control/smtproutes
# redirect any mail sent to root@hostname.yourdomain.com to postmaster@yourdomain.com
# redirect any mail sent to postmaster@hostname.yourdomain.com to postmaster@yourdomain.com
# redirect any mail sent to mailer-daemon@hostname.yourdomain.com to postmaster@yourdomain.com
echo 'postmaster@yourdomain.com' > ~alias/.qmail-root
echo 'postmaster@yourdomain.com' > ~alias/.qmail-postmaster
echo 'postmaster@yourdomain.com' > ~alias/.qmail-mailer-daemon
chmod 644 ~alias/.qmail-*

Create / configure the various qmail run scripts :

cd /etc/rc.d/init.d
ln -s /var/qmail/bin/qmailctl /etc/rc.d/init.d/qmail
ln -s ../init.d/qmail /etc/rc.d/rc0.d/K30qmail
ln -s ../init.d/qmail /etc/rc.d/rc1.d/K30qmail
ln -s ../init.d/qmail /etc/rc.d/rc2.d/S80qmail
ln -s ../init.d/qmail /etc/rc.d/rc3.d/S80qmail
ln -s ../init.d/qmail /etc/rc.d/rc4.d/S80qmail
ln -s ../init.d/qmail /etc/rc.d/rc5.d/S80qmail
ln -s ../init.d/qmail /etc/rc.d/rc6.d/K30qmail
mkdir -p /var/qmail/supervise/qmail-send/log
mkdir -p /var/qmail/supervise/qmail-smtpd/log
mkdir -p /var/qmail/supervise/qmail-pop3d/log
chmod +t /var/qmail/supervise/qmail-send
chmod +t /var/qmail/supervise/qmail-smtpd
chmod +t /var/qmail/supervise/qmail-pop3d
vi /var/qmail/supervise/qmail-send/run
#!/bin/sh
exec env - PATH="/var/qmail/bin:$PATH" qmail-start ./Maildir/
vi /var/qmail/supervise/qmail-send/log/run
#!/bin/sh
# Keep 30 logs of max 10Mb each
#
# They will get rotated when they reach 10Mb in size, 
# or at midnight when our crontab script fires (whichever event comes 1st)
exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t s10000000 n30 /var/log/qmail/send
vi /var/qmail/supervise/qmail-smtpd/run
#!/bin/sh
QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`

exec /usr/local/bin/softlimit -m 4000000 \
/usr/local/bin/tcpserver \
  -H -l hostname.yourdomain.com \
  -v -x /etc/tcp.smtp.cdb \
  -c 20 -R -u "$QMAILDUID" -g "$NOFILESGID" 0 smtp \
/usr/local/bin/rblsmtpd -b -C \
  -r 'list.dsbl.org:Your message was rejected because the message was sent from a server listed in DSBL - More information regarding this problem is available at http://dsbl.org/listing?%IP% - Please forward this error to your email server support staff for resolution.' \
  -r 'sbl-xbl.spamhaus.org:Your message was rejected because the message was sent from a server listed in the Spamhaus RBL - More information regarding this problem is available at http://www.spamhaus.org/query/bl?ip=%IP% - Please forward this error to your email server support staff for resolution.' \
  -t 5 \
/var/qmail/bin/qmail-smtpd 2>&1
# The "-H -l hostname.yourdomain.com" line (shown in orange in the original)
# should be used if you are running qmail on a computer that is on a LAN
# that is using fake ips/masquerading.
# It tells tcpserver not to bother trying to resolve ip addresses 
# to names when writing the SMTP log files. Usually with fake ips,
# you can't resolve them to names, so it will make the SMTP service run 
# really slowly if it is always trying to resolve these addresses.
# Alternatively, if you are eg an ISP and all your SMTP clients are 
# connecting from real IPs with resolvable names, then you can omit 
# that line and benefit from more readable logfiles.
vi /var/qmail/supervise/qmail-smtpd/log/run
#!/bin/sh
# Keep 30 logs of max 10Mb each
#
# They will get rotated when they reach 10Mb in size, 
# or at midnight when our crontab script fires (whichever event comes 1st)
exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t s10000000 n30 /var/log/qmail/smtpd
vi /var/qmail/supervise/qmail-pop3d/run
#!/bin/sh
exec /usr/local/bin/softlimit -m 6000000 \
/usr/local/bin/tcpserver \
  -H -l hostname.yourdomain.com \
  -v -x /etc/tcp.pop3.cdb -c 30 -R 0 pop3 \
/var/qmail/bin/qmail-popup hostname.yourdomain.com \
/home/vpopmail/bin/vchkpw /var/qmail/bin/qmail-pop3d Maildir 2>&1
# The "-H -l hostname.yourdomain.com" line (shown in orange in the original)
# should be used if you are running qmail on a computer that is on a LAN
# that is using fake ips/masquerading.
# It tells tcpserver not to bother trying to resolve ip addresses 
# to names when writing the POP3 log files. Usually with fake ips,
# you can't resolve them to names, so it will make the POP3 service run 
# really slowly if it is always trying to resolve these addresses.
# Alternatively, if you are eg an ISP and all your POP3 clients are 
# connecting from real IPs with resolvable names, then you can omit 
# that line and benefit from more readable logfiles.
vi /var/qmail/supervise/qmail-pop3d/log/run
#!/bin/sh
# Keep 30 logs of max 10Mb each
# They will get rotated when they reach 10Mb in size, 
# or at midnight when our crontab script fires (whichever event comes 1st)
exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t s10000000 n30 /var/log/qmail/pop3d
chmod 755 /var/qmail/supervise/qmail-send/run
chmod 755 /var/qmail/supervise/qmail-send/log/run
chmod 755 /var/qmail/supervise/qmail-smtpd/run
chmod 755 /var/qmail/supervise/qmail-smtpd/log/run
chmod 755 /var/qmail/supervise/qmail-pop3d/run
chmod 755 /var/qmail/supervise/qmail-pop3d/log/run
mkdir /var/log/qmail
mkdir /var/log/qmail/smtpd
mkdir /var/log/qmail/send
mkdir /var/log/qmail/pop3d
chown -R qmaill /var/log/qmail
crontab -e
# the following 3 lines rotate the qmail log files daily
0 0 * * * /usr/local/bin/svc -a /service/qmail-smtpd/log
0 0 * * * /usr/local/bin/svc -a /service/qmail-send/log
0 0 * * * /usr/local/bin/svc -a /service/qmail-pop3d/log
ln -s /var/qmail/supervise/qmail-send /service
ln -s /var/qmail/supervise/qmail-smtpd /service
ln -s /var/qmail/supervise/qmail-pop3d /service

At this point the qmail daemons should be running. A good way to verify
this is to use this command :

ps axf

If all is well, you should be able to see something like this :

1218 ? S 0:00 /bin/sh /command/svscanboot
1222 ? S 0:00  \_ svscan /service
1224 ? S 0:00  |   \_ supervise qmail-send
1230 ? S 0:00  |   |   \_ qmail-send
1236 ? S 0:00  |   |   \_ qmail-lspawn ./Maildir/
1237 ? S 0:00  |   |   \_ qmail-rspawn
1238 ? S 0:00  |   |   \_ qmail-clean
1225 ? S 0:00  |   \_ supervise log
1233 ? S 0:00  |   |   \_ /usr/local/bin/multilog t s10000000 n30 /var/log/qmail/send
1226 ? S 0:00  |   \_ supervise qmail-smtpd
1231 ? S 0:00  |   |   \_ /usr/local/bin/tcpserver -v -x /etc/tcp.smtp.cdb -c 20 -R -u 504 -g 503 0 smtp /var/qmail/bin
1227 ? S 0:00  |   \_ supervise log
1234 ? S 0:00  |   |   \_ /usr/local/bin/multilog t s10000000 n30 /var/log/qmail/smtpd
1228 ? S 0:00  |   \_ supervise qmail-pop3d
1232 ? S 0:00  |   |   \_ /usr/local/bin/tcpserver -v -x /etc/tcp.pop3.cdb -c 30 -H -R 0 110 /var/qmail/bin/qmail-popup
1229 ? S 0:00  |   \_ supervise log
1235 ? S 0:00  |       \_ /usr/local/bin/multilog t s10000000 n30 /var/log/qmail/pop3d
1223 ? S 0:00  \_ readproctitle service errors: .......................................................................

Note the 3 qmail daemons : qmail-send, qmail-smtpd and qmail-pop3d, as well as
their associated logging processes. If there is anything wrong with your
install, an error message will generally be visible on the "readproctitle" line.

You can control the qmail daemons by using the
qmailctl program. You can just type
that command without any parameters and it will display the available options
eg start, stop, status, doqueue


VPOPMAIL


https://sourceforge.net/projects/vpopmail

Make the user accounts

# If you are using RH8.0, you will probably need to run this following command,
# because RH8.0 comes preconfigured with UID/GID 89 allocated to postfix
#
# userdel postfix
groupadd -g 89 vchkpw
useradd -g vchkpw -u 89 -d /home/vpopmail vpopmail
# We recommend you use the user and group id's of 89. The FreeBSD folks
# have reserved 89 for the group and 89 for the user for vpopmail. Feel
# free to have the OS assign the group/user id (for example, Solaris won't 
# allow gid 89).

Download and unpack the source

cd /usr/local/src
wget http://optusnet.dl.sourceforge.net/sourceforge/vpopmail/vpopmail-5.4.10.tar.gz
tar xzf vpopmail-5.4.10.tar.gz
chown -R root.root vpopmail-5.4.10
cd vpopmail-5.4.10

Setup the MySQL support in the vpopmail sources

# Create the configuration file that vpopmail will use
# to setup the connection to the mysql database
#
# This example will tell vpopmail :
#   * Log into the server running on localhost
#   * Use the default mysql port 
#       (In fact if the server is localhost, and you don't specify a port number, then 
#        I believe that communications are done via unix sockets rather than TCP/IP)
#   * Login with username vpopmailuser
#   * Login with password vpoppasswd
#   * Use the database called vpopmail
#
mkdir ~vpopmail/etc
chown vpopmail.vchkpw ~vpopmail/etc
echo "localhost|0|vpopmailuser|vpoppasswd|vpopmail" > ~vpopmail/etc/vpopmail.mysql
chown vpopmail.vchkpw ~vpopmail/etc/vpopmail.mysql
chmod 640 ~vpopmail/etc/vpopmail.mysql
# log into MySQL as the MySQL root user
# and then create the database for vpopmail to use
# and then setup the appropriate permissions on this database
/usr/local/mysql/bin/mysql --password="mysql-root-pwd"
CREATE DATABASE vpopmail;
GRANT select,insert,update,delete,create,drop ON vpopmail.*
TO vpopmailuser@localhost IDENTIFIED BY 'vpoppasswd';
quit

Now, build the program 

# --disable-roaming-users    : We aren't building roaming user support in this example
# --enable-logging=p         : Log POP3 authentication errors including the failed password (to syslog)
# --disable-passwd           : Don't include /etc/passwd support. Our box doesn't have any "real" users, only vpopmail users
# --enable-clear-passwd      : Enable storing passwords in clear-text. Makes your support staff's life much easier!
# --disable-domain-quotas    : Domain quotas allow you to limit the amount of storage a particular domain can use.
#                              This code is buggy though and is not recommended for use.
# --enable-auth-module=mysql : Store all the user and domain information in MySQL rather than using disk-based "cdb" files
# --enable-auth-logging      : Maintain a lastauth table in MySQL (shows when / how a user last accessed their email)
# --enable-sql-logging       : Maintain the vlog table in MySQL (shows failed authentication requests).
#                              The verbosity of the logging will mirror what was chosen in the --enable-logging parameter.
# --enable-valias            : Store aliases and autoresponder settings in MySQL rather than .qmail-xxxx files on the disk.
# --disable-mysql-limits     : Use disk-based ".qmailadmin-limits" files rather than storing this data in MySQL.
./configure \
  --disable-roaming-users \
  --enable-logging=p \
  --disable-passwd \
  --enable-clear-passwd \
  --disable-domain-quotas \
  --enable-auth-module=mysql \
  --enable-auth-logging \
  --enable-sql-logging \
  --enable-valias \
  --disable-mysql-limits
make
make install-strip

Notes :

The --enable-mysql-limits configuration option is fairly new. I plan to update
my guide to use this function at some point in the near future, once I have
done some testing of this functionality.

I used to recommend the --disable-many-domains switch, which tells vpopmail to
create one MySQL table per email domain. When I first started building vpopmail
servers, I found this to be the most logical way, having each domain in its own
table. However there has been some discussion about this config option on the
vpopmail mailing lists, and it sounds like this option may be removed at some
point in the future. If you have a lot of domains on your server, having each
domain in its own table can hurt performance. I now agree that
--enable-many-domains (which is the default) is probably the better choice.

Review the contents of the file that is used to set the default limits for any
domains / mailboxes in the vpopmail system. Make sure it contains reasonable
defaults for your system.

vi ~vpopmail/etc/vlimits.default
# in particular set the default mailbox size to be something reasonable eg 20Mb
default_quota 20971520

Optionally, nominate a "default domain". Users in this domain can login to
POP3 etc using just their username. Users from all other domains need to use
their full email address as their login name.

echo "yourdomain.com" > /home/vpopmail/etc/defaultdomain

Setup the quota warning message that is sent to users when they are at 90%
quota

vi quotawarn.msg
From: SomeCompany Postmaster <postmaster@yourdomain.com>
Reply-To: postmaster@yourdomain.com
To: SomeCompany User:;
Subject: Mail quota warning
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 7bit

Your mailbox on the server is now more than 90% full.

So that you can continue to receive mail,
you need to remove some messages from your mailbox.

If you require assistance with this,
please contact our support department :

  email : support@yourdomain.com
  Tel   : xx xxxx xxxx
cp quotawarn.msg /home/vpopmail/domains/.quotawarn.msg

If you want, you can alter the standard message that gets sent to the sender in an overquota situation

echo "Message rejected. Not enough storage space in user's mailbox to accept message." > /home/vpopmail/domains/.over-quota.msg

OK, vpopmail is now installed!

Some example vpopmail commands :

To add a domain :

/home/vpopmail/bin/vadddomain yourdomain.com yourpassword
# this creates the domain and makes a mailbox postmaster@yourdomain.com

To add a mailbox:

/home/vpopmail/bin/vadduser someone@yourdomain.com apassword

(Or you can do it via qmailadmin)

To remove a mailbox

/home/vpopmail/bin/vdeluser someone@yourdomain.com

(Or you can do it via qmailadmin)

To remove a domain :

/home/vpopmail/bin/vdeldomain yourdomain.com

To change a user’s password

/home/vpopmail/bin/vpasswd someone@yourdomain.com newpassword

(Or you can do it via qmailadmin)

To lookup info about a user

/home/vpopmail/bin/vuserinfo someone@yourdomain.com

This gives you info such as name, crypted password, cleartext password,
dir, quota, usage%, last auth.
It has a number of flags to let you see the individual fields, or you can see
them all if you don't use any flags.

It also creates the maildirsize file in the user's dir.

Logging in via POP3

When your users are setting up their POP3 email clients (eg Outlook Express),
they should use settings like this :

My incoming mail server is a POP3 server
Incoming mail server (POP3): pop3.yourdomain.com
Outgoing mail server (SMTP): smtp.yourdomain.com
POP3 account name : theirusername@yourdomain.com
Password: theirpassword

When you configured vpopmail, you had the opportunity to nominate a "default"
domain. When users from the default domain authenticate, it is optional for them
to add the @yourdomain.com onto the end of their
username. If vpopmail sees that no domain has been specified by the user, then it will
automatically perform the auth against the nominated default domain. If you are
hosting multiple domains, then everyone who is NOT in the default domain MUST
add their domain name onto the end of their username. (A small percentage of
email programs eg Netscape Mail v4.7 do not permit the use of the @ symbol in
account name. In this case you can use the % symbol instead of the @ symbol)

vpopmail roaming users

With qmail, the typical way to control mail relaying is to put a list of
rules into a file called tcp.smtp. The tcprules program is then used to
compile this file into cdb database format, with the output being stored in a
file called tcp.smtp.cdb. The tcpserver program is configured (using the -x
parameter) to read this file and thus know which SMTP clients are permitted
to relay mail.

This type of configuration works well if there is a known range of IP
addresses that are permitted to relay mail. eg the IP’s on the qmail server’s
local LAN. However if the qmail server needs to provide outbound SMTP services
for clients who may be connecting from any IP, you are going to run into
problems. What is needed is some way to automate the process of granting users
the ability to relay mail, without opening up access to all and sundry on the
Internet.

vpopmail includes a solution for this problem. The solution is known as
"roaming users" and is typically implemented with a technique known as
"POP-before-SMTP". Once a client has successfully authenticated via POP3, vpopmail will add the client’s IP to a list. vpopmail then merges this list
with the contents of the tcp.smtp file and runs the tcprules program to
compile a new version of the tcp.smtp.cdb file. Thus the client can now relay
mail.

In addition to storing the client’s IP address, vpopmail will also store
the time of authentication. The postmaster uses a cronjob on the qmail server
to periodically (eg once per hour) run the clearopensmtp program. This program
scans through the list of roaming clients and removes any entries that exceed
the nominated age (eg 3 hours). This ensures that the list of IPs does not
grow out of bounds, and that the roaming IPs are closed within a reasonable
timeframe after being opened.

Configure options for vpopmail that relate to roaming users :

./configure \
  --enable-roaming-users \              <- enable roaming users functionality
  --enable-tcprules-prog=path \         <- defaults to /usr/local/bin/tcprules
  --enable-tcpserver-file=path \        <- defaults to /home/vpopmail/etc/tcp.smtp
  --enable-relay-clear-minutes=minutes  <- defaults to 180

Example /var/qmail/supervise/qmail-smtpd/run file :

#!/bin/sh
QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
exec /usr/local/bin/softlimit -m 2000000 \
  /usr/local/bin/tcpserver -v -x /home/vpopmail/etc/tcp.smtp.cdb -c 40 -R \
  -u "$QMAILDUID" -g "$NOFILESGID" 0 smtp \
  /usr/local/bin/rblsmtpd -b -C -r list.dsbl.org \
  -t 5 \
  /var/qmail/bin/qmail-smtpd 2>&1

Notes :

qmail servers are typically built with the tcp.smtp files being located
in the /etc directory. This is not usually suitable for vpopmail roaming
users, since the /etc directory will (should) not have write permissions for
the vpopmail user. Therefore it is not going to be possible for vpopmail to
write out updated versions of the tcp.smtp.cdb file. For use with roaming
users, it is recommended that the tcp.smtp files are stored in ~vpopmail/etc

If a user auths, and their IP already exists in the roaming IP list,
the timestamp for the entry is updated, but the tcprules program is not run.
There is no need to rebuild the tcp.smtp.cdb file as the IP address is
already permitted to relay. Rebuilding the file will only waste disk and CPU
time.
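As an added example (not code from this guide, vpopmail or ucspi-tcp), the following Python models the two mechanisms described above: how tcpserver matches a connecting IP against tcp.smtp rules (exact address, then shorter prefixes, then the default rule), and how vpopmail's roaming-user list is merged in front of those rules, only rebuilt when a new IP appears, and pruned by clearopensmtp after relay-clear-minutes. The sample rules, the in-memory dict standing in for open-smtp / the relay table, and the omission of hostname rules are assumptions made for the model.

```python
# Constructed sample tcp.smtp using the rule shapes from this guide
# (exact IP, class-C prefix, last-octet range and the default ":allow").
TCP_SMTP = """\
# RBL-listed servers we still want to receive mail from
111.111.111.111:allow,RBLSMTPD=""
# servers banned outright
216.242.75.100-116:allow,RBLSMTPD="-Connections from this IP have been banned."
# our own LAN may relay and gets no RBL check
123.123.123.:allow,RELAYCLIENT="",RBLSMTPD=""
127.0.0.1:allow,RELAYCLIENT="",RBLSMTPD=""
# everyone else may connect but not relay; RBL lookups are performed
:allow
"""


def _parse_env(spec):
    """Parse 'NAME="value",NAME2=""' into a dict; values may contain commas."""
    env, i = {}, 0
    while i < len(spec):
        eq = spec.index("=", i)
        end = spec.index('"', eq + 2)  # values are always double-quoted
        env[spec[i:eq]] = spec[eq + 2:end]
        i = end + 2                    # skip the closing quote and the comma
    return env


def parse_rules(text):
    """Turn tcp.smtp text into {address_or_prefix: (allowed, env)}.  As with
    tcprules, a last-octet range like 216.242.75.100-116 becomes one entry per
    address; this model keeps the first rule seen for an address."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        addr, _, action = line.partition(":")
        verb, _, envspec = action.partition(",")
        rule = (verb == "allow", _parse_env(envspec) if envspec else {})
        if "-" in addr:
            prefix, rng = addr.rsplit(".", 1)
            lo, hi = (int(x) for x in rng.split("-"))
            for last in range(lo, hi + 1):
                rules.setdefault("%s.%d" % (prefix, last), rule)
        else:
            rules.setdefault(addr, rule)
    return rules


def lookup(rules, ip):
    """tcpserver's lookup order for a client IP: the exact address, then each
    shorter prefix ('1.2.3.', '1.2.', '1.'), then the catch-all '' rule.
    Hostname and TCPREMOTEINFO rules are left out of this model."""
    octets = ip.split(".")
    for key in [ip] + [".".join(octets[:n]) + "." for n in (3, 2, 1)] + [""]:
        if key in rules:
            return rules[key]
    return (True, {})  # no rule matched: tcpserver lets the connection through


class RoamingRelay:
    """Model of vpopmail's roaming-user (POP-before-SMTP) list: open_smtp() is
    what a successful POP3 auth does, expire() is what the clearopensmtp cron
    job does, and rules() is the merged rule set that would go to tcprules.
    The in-memory dict stands in for ~vpopmail/etc/open-smtp / the relay table."""

    def __init__(self, tcp_smtp_text, clear_minutes=180):
        self.base = tcp_smtp_text
        self.clear_minutes = clear_minutes  # --enable-relay-clear-minutes
        self.open = {}                      # ip -> time of last POP3 auth
        self.rebuilds = 0                   # times tcprules would have run

    def open_smtp(self, ip, now):
        """Record a successful POP3 auth.  Only a new IP forces a rebuild of
        tcp.smtp.cdb; a repeat auth from a listed IP just refreshes the time."""
        is_new = ip not in self.open
        self.open[ip] = now
        if is_new:
            self.rebuilds += 1
        return is_new

    def expire(self, now):
        """Drop entries older than relay-clear-minutes, as clearopensmtp does."""
        cutoff = now - self.clear_minutes * 60
        stale = sorted(ip for ip, t in self.open.items() if t < cutoff)
        for ip in stale:
            del self.open[ip]
        if stale:
            self.rebuilds += 1
        return stale

    def rules(self):
        """Roaming IPs go first as exact-address rules, so they take precedence
        over any prefix or default rule covering the same client."""
        roaming = "".join('%s:allow,RELAYCLIENT=""\n' % ip for ip in self.open)
        return parse_rules(roaming + self.base)

    def may_relay(self, ip):
        """What tcpserver would decide for an SMTP client at this IP."""
        allowed, env = lookup(self.rules(), ip)
        return allowed and "RELAYCLIENT" in env
```

Checking an arbitrary Internet address with may_relay() before and after a simulated POP3 login is a quick way to confirm that only LAN and recently-authenticated clients get RELAYCLIENT, and that expiry actually closes the window.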

If the vpopmail server is using the default cdb authentication backend,
then the list of roaming IPs will be stored in a file called ~vpopmail/etc/open-smtp.
If the vpopmail server is using the MySQL backend, the roaming IPs will be
stored in a database table called relay. The SQL backend will give better
performance on a busy server. Either way though, you should be cautious about
enabling roaming user functionality on a very busy server, as a large amount
of disk and CPU will be used with the continual rebuilding of the tcp.smtp.cdb file. If the server is busy enough you could run into nasty
file locking issues which will cause vpopmail password authentication to
intermittently fail. If you absolutely must have POP-before-SMTP
functionality on your busy server, then there are only two possible
solutions that I can think of  : 1) you could try putting the tcp.smtp
files onto a RAM disk, or 2) use vpopmail’s MySQL auth backend plus use
Matt Simerson’s tcpserver patch that
allows all of the tcp.smtp files to be stored in MySQL

For POP-before-SMTP to work, the POP3 daemon will need to run under the
tcpserver program. This is because vpopmail uses tcpserver’s TCPREMOTEIP
environment variable to work out what IP address the POP3 user is connecting
from.

Over time POP-before-SMTP is becoming a less favoured way of allowing roaming
users to relay mail. SMTP-Auth appears to be becoming the preferred option, as
it scales much more easily on a busy server. However for a small to medium
sized server, POP-before-SMTP is still quite a workable option. If you would
like to investigate the use of SMTP-Auth, take a look at this patch :

http://www.fehcom.de/qmail/smtpauth.html#PATCHES

IMAP-before-SMTP is possible when using Courier-IMAP v3.x. However it only
works when configured "--with-authvchkpw --without-authdaemon". When running
--without-authdaemon, Courier-IMAP's authvchkpw code is able to make use of
vpopmail's roaming user functions to allow IMAP-before-SMTP functionality.
IMAP-before-SMTP is not possible when Courier-IMAP has been compiled
--with-authdaemon, because in this mode the user's IP address is not made
available to the authvchkpw code (via the TCPREMOTEIP env var). Also note that
in Courier-IMAP v4.x and later, --without-authdaemon functionality is no longer
available, thus preventing IMAP-before-SMTP from working.


AUTORESPONDER

Current development location :

http://www.sourceforge.net/projects/qmailadmin

This package is a prerequisite for qmailadmin.

Download and unpack the source

cd /usr/local/src
wget http://optusnet.dl.sourceforge.net/sourceforge/qmailadmin/autorespond-2.0.4.tar.gz 
tar xzf autorespond-2.0.4.tar.gz
chown -R root.root autorespond-2.0.4
cd autorespond-2.0.4

Build the program

make
make install

Notes :

Qmailadmin uses the autorespond program for both autoresponse ("mail robot"
in qmailadmin-speak) and vacation response duties. However this is pretty
badly FUBAR. The reason is that autorespond.c is written to do duties as an
autoresponse program only. "Out of the box" it doesn't behave correctly when
doing vacation response duties. The code inside the program can be easily
tweaked to work correctly as a vacation responder, but this will break the
autoresponder functionality. Unfortunately the settings are mutually
exclusive. In my opinion the correct solution is to create two variations of
this program, autorespond.c and vacation.c, install them both, and then tweak
qmailadmin to call the right binary for the right job. I have opened a bug
report on the qmailadmin sourceforge site to try and get this problem sorted
out. If you read back through the qmailadmin and vpopmail archives, you will
see that the autoresponder stuff is an ongoing saga :-(

ps. Inter7 have got a modified version of the autorespond program,
which I believe has been coded to work correctly as a vacation responder http://inter7.com/devel/autorespond-2.0.5.tar.gz

 

EZMLM / EZMLM-IDX

This package is a prerequisite for qmailadmin

ezmlm is mailing list software written by the author of qmail.
ezmlm-idx is a patch that adds extra features to the standard ezmlm program.

EZMLM : http://cr.yp.to/ezmlm.html

EZMLM-IDX PATCH : http://www.ezmlm.org 

(although I often find this site unresponsive, and so I use one of the mirrors
instead, like http://www.glasswings.com.au/ezmlm/ )

Download and unpack the ezmlm sources

cd /usr/local/src
wget http://cr.yp.to/software/ezmlm-0.53.tar.gz
tar xzf ezmlm-0.53.tar.gz
chown -R root.root ezmlm-0.53 
wget ftp://ftp.pipeline.com.au/PipeInt/Sources/Linux/WebMail/ezmlm-idx-0.40.tar.gz 
tar xzf ezmlm-idx-0.40.tar.gz
chown -R root.root ezmlm-idx-0.40 

Merge the sources together

cp -R ezmlm-idx-0.40/* ezmlm-0.53/
# (you need to press y quite a few times to allow the patch files to overwrite the original files)
cd ezmlm-0.53
patch < idx.patch

Build the program

make
make man
make setup

QMAILADMIN

Original Authors :
http://www.inter7.com/qmailadmin

Current Development location  :

https://sourceforge.net/projects/qmailadmin/

Description :

The domain postmaster can use this tool to view all the accounts on
the domain as well as add/remove accounts, forwards, auto-responders etc.

Domain users can use this tool to modify their own user settings
only, ie mailbox password, real name, forwards, vacations.

This tool does not let you create new domains.

Download and unpack the source

cd /usr/local/src
wget http://optusnet.dl.sourceforge.net/sourceforge/qmailadmin/qmailadmin-1.2.9.tar.gz
tar xzf qmailadmin-1.2.9.tar.gz
chown -R root.root qmailadmin-1.2.9
cd qmailadmin-1.2.9

(Optional) Make a small mod that affects the look of the qmailadmin login
page

Edit the lang/en file, and change record 112 to read "Username" rather than
"User Account".
(We found our users knew what to type as their "Username", but didn't know
what to type as a "User Account")

Build the program

./configure \
  --enable-htmldir=/usr/local/apache/htdocs \
  --enable-cgibindir=/usr/local/apache/cgi-bin \
  --enable-maxusersperpage=12 \
  --enable-maxaliasesperpage=12 \
  --disable-modify-quota \
  --disable-ezmlm-mysql \
  --disable-help
# note, I chose to have 12 accounts per page in the config above,
# because this makes these particular screens fit nicely on my 1024*768 monitor
make
make install-strip

Test to see if it works

http://webmail.yourdomain.com/cgi-bin/qmailadmin

If you log in as a domain postmaster, then you should get the screens where you
can view all the mailboxes, aliases, mailing lists etc on the domain and
add/remove them.

If you login as a user, you can only access your own mailbox settings (eg
password, forwards, vacation messages)

Setting limits :

You can set up limits on any domains where required by putting a .qmailadmin-limits
file into the domain's virtual dir (/home/vpopmail/domains/yourdomain.com). Make sure
the vpopmail user has read permissions for this file.

Syntax of .qmailadmin-limits file is as follows :

maxpopaccounts X
maxforwards X
maxmailinglists X
maxautoresponders X

Set X to be the maximum desired number for that feature
Set X to be 0 if you want to disable that feature & menu item

There are also some other settings that can be specified in the .qmailadmin-limits
file, refer to section 6 of the qmailadmin installation instructions (http://inter7.com/qmailadmin/install.txt)
for more info

A bit of a long-winded misc note to myself :

(If you are setting up your vpopmail server for the first time, then this
block of text has no relevance to you. You can skip straight past this waffle
and go on to the next section...)

As of qmailadmin-1.0.21, you can't create "aliases" any more. What qmailadmin
previously created as aliases are now created as forwards. Aliases dump
incoming mail for the aliased address directly into the recipient user's
Maildir. The problem with this is that it bypasses any further ".qmail"
processing, meaning that you ran into problems if you were trying to set up
some of the more fancy things (like per-user SpamAssassin configurations).
Using forwards avoids this problem, as the message gets re-injected back into
the queue for delivery.

However this change does cause some problems for sites that already have
existing aliases in use. The problem is that when you go into qmailadmin-1.0.21
and select the forwards screen, all the existing aliases and forwards for that
domain are displayed.

Problem # 1 : For mail that is being redirected to a local account, you can't
tell from this screen whether the user is getting alias or forward delivery. If
you were trying to set up some tricky per-user stuff, then you are going to get
variable results, because some users may be configured as alias and others as
forward, but you can't easily tell which is which from this screen.

Problem # 2 : Up the top there is a count showing "[Used # / limit]". This
count relates to the number of forwards in use and the maxforwards qmailadmin-limits
setting. The count ignores any existing aliases. This could potentially cause
confusion for domain postmasters as you will be looking at a screen full of
accounts and if some of them have been previously setup as aliases then it is
going to be hard to reconcile the reported count against the number of accounts
displayed on the screen

What is needed is some sort of utility that will scan and find existing
aliases and convert them over to the now-preferred forward syntax…. That would
keep the delivery method consistent for all users, and would also eliminate any
problems with the qmailadmin-limits code

Note: As of qmailadmin-1.0.25, there is a tool for converting existing aliases
to forwards. Look in the contrib dir for the tool called alias2forward.pl

valias processing :

qmailadmin v1.2.1 and later store aliases and autoresponders in the valias table
if vpopmail was compiled with --enable-valias. If you are upgrading from a
previous version of QmailAdmin and used the --enable-valias option when building
vpopmail, be sure to download vpopmail 5.4.1 or later and use the
dotqmail2valias program to convert .qmail-alias files to valias table entries.


COURIER IMAP

http://www.courier-mta.org/imap/

Courier-IMAP is an IMAP server. Having an IMAP server is a prerequisite for
running an IMAP-client WebMail system like SquirrelMail. Courier-IMAP is a good
choice because it has support for vpopmail authentication and maildir mailboxes.

Download and unpack the authentication library

cd /usr/local/src
wget http://optusnet.dl.sourceforge.net/sourceforge/courier/courier-authlib-0.58.tar.bz2
bunzip2 courier-authlib-0.58.tar.bz2
tar xf courier-authlib-0.58.tar
chown -R root.root courier-authlib-0.58
cd courier-authlib-0.58

Build the authentication library

./configure \
  --prefix=/usr/local/courier-authlib \
  --without-authpam \
  --without-authldap \
  --without-authpwd \
  --without-authmysql \
  --without-authpgsql \
  --without-authshadow \
  --without-authuserdb \
  --without-authcustom \
  --without-authcram \
  --without-authpipe \
  --with-authdaemon \
  --with-authvchkpw 
# note, if you are running redhat/fedora, you may have to add a 
#   --with-redhat
# to the list of configuration settings above
make
make install
make install-configure

Review the settings for the authentication library

vi /usr/local/courier-authlib/etc/authlib/authdaemonrc

authmodulelist="authvchkpw"        <-- Authenticate via vpopmail

Configure the authentication library so it is running all the time from bootup onwards

cp courier-authlib.sysvinit /etc/rc.d/init.d/courier-authlib
chmod 744 /etc/rc.d/init.d/courier-authlib
chkconfig --add courier-authlib

Then I like to use the ntsysv program
to double-check that courier-authlib is set to launch at boot time

If you aren’t ready to reboot the server now, you can fire up the
authentication library in the meantime with this command :

/etc/rc.d/init.d/courier-authlib start 

At this point the courier-authlib software should be running. A good way to verify
this is to use this command :

ps axf

And if all is well, you should be able to see something like this :

23689 ? S 0:00 /usr/local/courier-authlib/sbin/courierlogger -pid=/usr/local/courier-authlib/var/spool/
23690 ? S 0:00  \_ /usr/local/courier-authlib/libexec/courier-authlib/authdaemond
23702 ? S 0:00      \_ /usr/local/courier-authlib/libexec/courier-authlib/authdaemond
23703 ? S 0:00      \_ /usr/local/courier-authlib/libexec/courier-authlib/authdaemond
23704 ? S 0:00      \_ /usr/local/courier-authlib/libexec/courier-authlib/authdaemond
23705 ? S 0:00      \_ /usr/local/courier-authlib/libexec/courier-authlib/authdaemond
23706 ? S 0:00      \_ /usr/local/courier-authlib/libexec/courier-authlib/authdaemond

FAM + Courier-IMAP on Redhat 7.3 doesn't seem very stable. On old Linux
platforms, I would recommend you remove FAM before trying to install
Courier-IMAP. ( By the way, the alternative/replacement package GAMIN seems to
work OK with Courier-IMAP on newer platforms like FC4/FC5/CentOS43 )

rpm -e fam fam-devel

Download and unpack the courier-IMAP source

cd /usr/local/src
wget http://optusnet.dl.sourceforge.net/sourceforge/courier/courier-imap-4.1.1.tar.bz2
bunzip2 courier-imap-4.1.1.tar.bz2
tar xf courier-imap-4.1.1.tar
chown -R root.root courier-imap-4.1.1
cd courier-imap-4.1.1

Build the program

COURIERAUTHCONFIG=/usr/local/courier-authlib/bin/courierauthconfig \
CPPFLAGS=-I/usr/local/courier-authlib/include \
./configure \
  --prefix=/usr/local/courier-imap \
  --disable-root-check \
  --with-ssl
# note, if you are running redhat/fedora, you may have to add a 
#   --with-redhat
# to the list of configuration settings above
make
make install
make install-configure

The Courier-IMAP package includes 4 servers that can be individually
enabled/disabled : IMAP, IMAP-SSL, POP3, POP3SSL. In this example, we are only
using the IMAP server.

vi /usr/local/courier-imap/etc/imapd

MAXDAEMONS=40                     <-- Max number of IMAP daemons
MAXPERIP=40                       <-- All connections will be coming from a single IP (SquirrelMail on localhost)
IMAP_EMPTYTRASH=Trash:7,Sent:30   <-- Enable automatic purging of mail from these folders
IMAPDSTART=YES                    <-- allow our init.d script (below) to boot up the imapd

Configure Courier-IMAP so it is running all the time from bootup onwards

cp courier-imap.sysvinit /etc/rc.d/init.d/courier-imap
chmod 744 /etc/rc.d/init.d/courier-imap
chkconfig --add courier-imap

Then I like to use the ntsysv program
to double-check that courier-imap is set to launch at boot time

If you aren’t ready to reboot the server now, you can fire up Courier-IMAP
in the meantime with this command :

/etc/rc.d/init.d/courier-imap start 

At this point the Courier-IMAP software should be running. A good way to verify
this is to use this command :

ps axf

And if all is well, you should be able to see something like this :

1030 ? S 0:02 /usr/local/courier-imap/libexec/authlib/authdaemond.plain start
1031 ? S 1:00  \_ /usr/local/courier-imap/libexec/authlib/authdaemond.plain start
1032 ? S 0:59  \_ /usr/local/courier-imap/libexec/authlib/authdaemond.plain start
1033 ? S 1:01  \_ /usr/local/courier-imap/libexec/authlib/authdaemond.plain start
1035 ? S 1:02  \_ /usr/local/courier-imap/libexec/authlib/authdaemond.plain start
1036 ? S 1:02  \_ /usr/local/courier-imap/libexec/authlib/authdaemond.plain start
17566 ? S 0:00 /usr/local/courier-imap/libexec/couriertcpd -address=0 -stderrlogger=/usr/local/courier-
17569 ? S 0:00 /usr/local/courier-authlib/sbin/courierlogger imapd

SQWEBMAIL

SqWebMail is a webmail program written by the authors of Courier-Authlib/Courier-IMAP.
Most webmail packages use POP3 or IMAP, but SqWebMail is a bit different –
it accesses the Maildirs directly.

I wouldn’t really recommend SqWebMail ( you are better off using the
SquirrelMail instructions below ). But I regularly see people asking how to
install SqWebMail, so I am going to add some notes here to show what the
required steps would be if you chose to use this package instead of Courier-IMAP
/ SquirrelMail. I won't go into a heap of detail, but here are the steps you
would need to follow.

Note, to run SqWebMail, you still need to have Courier-Authlib installed
as per the instructions above, but you don’t have to install Courier-IMAP.
You can run Courier-IMAP if you want, it won't interfere with SqWebMail.

mkdir -p /usr/local/apache/htdocs/images/sqwebmail
echo '#!/bin/sh' > /usr/local/bin/sqwebmail-banner.sh
echo '##' >> /usr/local/bin/sqwebmail-banner.sh
echo '## This program is called by sqwebmail for each [#B#] tag in the html templates' >> /usr/local/bin/sqwebmail-banner.sh
echo '## The ARGV[0] will be the name of the html template that launched the call' >> /usr/local/bin/sqwebmail-banner.sh
echo '##' >> /usr/local/bin/sqwebmail-banner.sh
echo 'echo "<center>YourISP support - call xxxx xxxx</center>"' >> /usr/local/bin/sqwebmail-banner.sh
chmod 755 /usr/local/bin/sqwebmail-banner.sh
cd /usr/local/src
wget http://optusnet.dl.sourceforge.net/sourceforge/courier/sqwebmail-5.1.1.tar.bz2
tar xjf sqwebmail-5.1.1.tar.bz2
chown -R root.root sqwebmail-5.1.1
cd sqwebmail-5.1.1
COURIERAUTHCONFIG=/usr/local/courier-authlib/bin/courierauthconfig \
CPPFLAGS=-I/usr/local/courier-authlib/include \
./configure \
  --prefix=/usr/local/sqwebmail \
  --disable-autorenamesent \
  --enable-cgibindir=/usr/local/apache/cgi-bin/ \
  --enable-imagedir=/usr/local/apache/htdocs/images/sqwebmail/ \
  --enable-imageurl=/images/sqwebmail \
  --with-maxformargsize=17500000 \
  --with-maxmsgsize=18000000 \
  --enable-bannerprog=/usr/local/bin/sqwebmail-banner.sh
# If you get a pcre error during sqwebmail configure, you will probably need to do this :
# cd /usr/local/src
# wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-6.4.tar.gz 
# tar xzf pcre-6.4.tar.gz
# chown -R root.root pcre-6.4
# cd pcre-6.4
# ./configure
# make
# make install
make
make install
make install-configure
echo "yourdomain.com" > /usr/local/sqwebmail/etc/hostname
# Add a line like this to your httpd.conf, to workaround MSIE bugs
BrowserMatch "MSIE" nokeepalive downgrade-1.0 force-response-1.0
crontab -e
# Purge sqwebmail cache files once per hour
0 * * * * /usr/local/sqwebmail/share/sqwebmail/cleancache.pl
vi /etc/rc.d/rc.local
/usr/local/sqwebmail/libexec/sqwebmaild.rc start

To access SqWebMail, the URL would be
http://webmail.yourdomain.com/cgi-bin/sqwebmail

To customise look/feel, you can modify the HTML files in /usr/local/sqwebmail/share/sqwebmail/html/en,
and also the css file /usr/local/apache/htdocs/images/sqwebmail


SQUIRRELMAIL

www.squirrelmail.org

Some of the sections below are specific to using the MySQL backend (they were
marked with a yellow background in the original). If you don’t want to use the
MySQL backend, then just skip over those sections.

Go to the SquirrelMail download page, and save the latest source to
/usr/local/src. In this example I have used :

squirrelmail-1.4.4.tar.gz

Download and unpack all the sources

cd /usr/local/apache/htdocs
tar xzf /usr/local/src/squirrelmail-1.4.4.tar.gz
chown -R root.www squirrelmail-1.4.4
chmod -R 750 squirrelmail-1.4.4
ln -s squirrelmail-1.4.4 squirrelmail

Create the required directory structure

mkdir /var/squirrelmail
# create the data dir. This is where users personal preferences are stored if not using MySQL backend
mkdir /var/squirrelmail/data
# create the attach dir. This is where temp files for emails in progress are stored
mkdir /var/squirrelmail/attach
cd squirrelmail
cp data/default_pref /var/squirrelmail/data
chown -R root.www /var/squirrelmail
chmod -R 0770 /var/squirrelmail/data
chmod -R 0730 /var/squirrelmail/attach

SquirrelMail allows you to add your company logo to the login page. So
whack a copy of your logo into the Apache images directory so it is available
for SquirrelMail to use

cp /usr/local/src/yourcompanylogo-100.gif /usr/local/apache/htdocs/images

Configure SquirrelMail

cd config
perl conf.pl
D. SET PRE-DEFINED SETTINGS FOR SPECIFIC IMAP SERVERS
  Choose Courier
1. ORGANIZATION PREFERENCES
  1.  Organization name            : YourCompany WebMail
  2.  Organization Logo            : /images/yourcompanylogo-100.gif
  3.  Org. Logo Height/Width       : 100/100
  4.  Organization title           : YourCompany WebMail (v$version)
  7.  Provider link                : http://www.yourdomain.com
  8.  Provider name                : YourCompany
2. SERVER SETTINGS
  1.  Domain                       : yourdomain.com
3. FOLDER DEFAULTS
  15. Default Unseen Type          : 2
4. GENERAL OPTIONS
  1.  Data directory               : /var/squirrelmail/data
  2.  Attachment directory         : /var/squirrelmail/attach
  5.  Usernames in lower case      : true
  7.  Hide SM attributions         : true
  11. Allow server-side sorting    : false
  ( Note, server-side sorting is faster, but I personally find the sort results to be not as "intuitive"
   compared with when you let SquirrelMail do the sorting. If you toggle this option on/off and compare 
   the resultant displays in SquirrelMail you will see what I mean. For example if you server-sort the
   FROM column then the sort will be done on the sender's email address, whereas if you let SquirrelMail do the
   sort then the column will be sorted on the sender's name. I would suggest you try toggling this 
   option on and off to make your own decision on which sorting method provides the better results. )
6. ADDRESS BOOKS
  2. Use Javascript Address Book Search : True
9. DATABASE
  1.  DSN for address book : mysql://squirreluser:squirrelpassword@localhost/squirrelmail
  3.  DSN for preferences  : mysql://squirreluser:squirrelpassword@localhost/squirrelmail
Now Save and quit the config program

 

Create the necessary database and tables in MySQL, so that SquirrelMail can
store the address books and user preferences there :

cd /usr/local/mysql/bin
./mysql --password="mysql-root-pwd"
CREATE DATABASE squirrelmail;
GRANT select,insert,update,delete ON squirrelmail.*
TO squirreluser@localhost IDENTIFIED BY 'squirrelpassword';
USE squirrelmail;
CREATE TABLE address (
  owner varchar(128) DEFAULT '' NOT NULL,
  nickname varchar(16) DEFAULT '' NOT NULL,
  firstname varchar(128) DEFAULT '' NOT NULL,
  lastname varchar(128) DEFAULT '' NOT NULL,
  email varchar(128) DEFAULT '' NOT NULL,
  label varchar(255),
  PRIMARY KEY (owner,nickname),
  KEY firstname (firstname,lastname)
);
CREATE TABLE userprefs (
  user varchar(128) DEFAULT '' NOT NULL,
  prefkey varchar(64) DEFAULT '' NOT NULL,
  -- MySQL does not allow a DEFAULT value on a BLOB column, so none is given here
  prefval blob NOT NULL,
  PRIMARY KEY (user,prefkey)
);
quit

 

You can define what default SquirrelMail settings that users will receive
when they log in.

For MySQL backend

cd /usr/local/apache/htdocs/squirrelmail
# replace the default preferences definition in the db_prefs file
# with our own customised defaults.
# Open the file, scroll down and replace the existing "var $default"
# entry (on line 102) with our customised version shown below
vi functions/db_prefs.php
var $default = Array('chosen_theme' => '../themes/default_theme.php',
  'show_html_default' => '1',
  'language' => 'en_US',
  'use_javascript_addr_book' => '1',
  'left_size' => '140',
  'left_refresh' => '3600',
  'show_username' => '1',
  'show_username_pos' => 'top',
  'order1' => '1',
  'order2' => '2',
  'order3' => '3',
  'order4' => '5',
  'order5' => '4',
  'order6' => '6');

Or, if you aren’t running MySQL backend for SquirrelMail, you can adjust
the default preferences like this :

vi /var/squirrelmail/data/default_pref

show_html_default=1
language=en_US
use_javascript_addr_book=1
left_size=140
left_refresh=3600
show_username=1
show_username_pos=top
order1=1
order2=2
order3=3
order4=5
order5=4
order6=6

 

Set up periodic purging of the "attach" directory

When SquirrelMail users are composing a message that has attachment(s), the
attachment is temporarily stored in the /var/squirrelmail/attach directory. 
When the user sends the message, the associated temp files will get deleted.

However sometimes the temp files do not get deleted (eg if the user closes
their browser mid-compose).  Since the permissions on this directory are
set up (as a security measure) to prevent the webserver from listing the files
in this directory, there is no way for Apache/SquirrelMail to do a periodic
scan/purge of old files.

So we are going to set up a daily crontab to clean up any attachments that
get left hanging around

crontab -e
# delete any files that are more than 2 days old from the SquirrelMail attachment dir
0 0 * * * find /var/squirrelmail/attach -type f -atime +2 -exec /bin/rm -f {} \;

Install the quota_usage plugin so users can see their mailbox quota usage

cd /usr/local/src
wget http://www.squirrelmail.org/plugins/quota_usage-1.2.tar.gz 
wget http://www.squirrelmail.org/plugins/compatibility-1.3.tar.gz 
cd /usr/local/apache/htdocs/squirrelmail/plugins
tar xzf /usr/local/src/quota_usage-1.2.tar.gz 
cp quota_usage/config.php.sample quota_usage/config.php
chown -R root.www quota_usage
chmod -R o-rx quota_usage
# qmailadmin and the other tools all classify 1MB as 1048576 bytes (1024 * 1024)
# Fix up the quota_usage plugin so it works with the same units.
# Otherwise your quota would show as 20M in qmailadmin, and 21M in SquirrelMail  :-/
vi quota_usage/functions.php 
Go to line 43 and change the value 1000000 to 1048576
tar xzf /usr/local/src/compatibility-1.3.tar.gz 
chown -R root.www compatibility
chmod -R o-rx compatibility
cd ../config
perl conf.pl
8. Plugins
      choose quota_usage
      choose compatibility

Optionally, set up SSL mode at login time

cd /usr/local/src
wget http://www.squirrelmail.org/plugins/secure_login-1.2-1.2.8.tar.gz 
cd /usr/local/apache/htdocs/squirrelmail/plugins
tar xzf /usr/local/src/secure_login-1.2-1.2.8.tar.gz 
cp secure_login/config.php.sample secure_login/config.php
chown -R root.www secure_login
chmod -R o-rx secure_login
cd ../config
perl conf.pl
8. Plugins, and choose secure_login
 

Optionally, modify SquirrelMail so that it will log any failed login attempts to
the syslog

modify squirrelmail/functions/imap_general.php

search for the line that has "Unknown user or password incorrect"
above this line add :

syslog(LOG_MAIL|LOG_NOTICE,"Squirrelmail login failed for Username : $username");

( Log only the username, not the submitted password : a mistyped password is
usually only a keystroke away from the real one, and maillog is readable by
anyone who can read the log files or by any host the logs are shipped to. )

now failed SquirrelMail logins will be logged to /var/log/maillog :-)
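As an added example (not part of the original HOWTO), here is a small Python script that scans maillog lines for the "Squirrelmail login failed" entries written by the syslog() call above and flags accounts with repeated failures, plus bursts of failures spread across many different accounts. The sample log lines are constructed; the "php:" syslog tag and the year are assumptions (syslog lines carry no year), and anything after the username on the line is ignored.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Matches the line written by the syslog() call added to imap_general.php.
# Only the username is captured; any text after it on the line is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ \S+ "
    r"Squirrelmail login failed for Username : (?P<user>[^,\s]+)"
)

# Constructed sample of /var/log/maillog entries (not real server output).
SAMPLE_LOG = """\
Mar  3 09:00:01 webmail php: Squirrelmail login failed for Username : alice@yourdomain.com
Mar  3 09:00:04 webmail php: Squirrelmail login failed for Username : bob@yourdomain.com
Mar  3 09:00:07 webmail php: Squirrelmail login failed for Username : carol@yourdomain.com
Mar  3 09:00:09 webmail php: Squirrelmail login failed for Username : dave@yourdomain.com
Mar  3 09:00:12 webmail php: Squirrelmail login failed for Username : erin@yourdomain.com
Mar  3 09:00:15 webmail php: Squirrelmail login failed for Username : frank@yourdomain.com
Mar  3 10:15:22 webmail php: Squirrelmail login failed for Username : bob@yourdomain.com
Mar  3 10:15:40 webmail php: Squirrelmail login failed for Username : bob@yourdomain.com
Mar  3 10:16:02 webmail php: Squirrelmail login failed for Username : bob@yourdomain.com
Mar  3 10:16:30 webmail php: Squirrelmail login failed for Username : bob@yourdomain.com
Mar  3 10:17:01 webmail php: Squirrelmail login failed for Username : bob@yourdomain.com
Mar  3 11:00:00 webmail courierlogger: imapd: LOGIN, user=alice@yourdomain.com
"""


def parse_failures(log_text, year=2006):
    """Return (timestamp, username) for every failed-login line, in log order.
    `year` is assumed because syslog timestamps do not include one."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other maillog traffic (qmail, courier, spamd, ...) is ignored
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("user")))
    return events


def users_over_threshold(events, threshold=5):
    """Accounts with at least `threshold` failures: a guessing attempt
    against one mailbox, or a user with a broken saved password."""
    counts = Counter(user for _, user in events)
    return {user: n for user, n in counts.items() if n >= threshold}


def spray_windows(events, window=timedelta(minutes=5), min_users=5):
    """Sliding time window over the failures: report any window in which at
    least `min_users` distinct accounts failed. Few failures per account but
    many accounts in a short time is the signature of a spray, which a
    per-account threshold alone never catches."""
    events = sorted(events)
    hits = []
    start = 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        distinct = {user for _, user in events[start:end + 1]}
        if len(distinct) >= min_users:
            win = (events[start][0], events[end][0], len(distinct))
            if hits and hits[-1][0] == win[0]:
                hits[-1] = win  # same burst, extend the reported window
            else:
                hits.append(win)
    return hits


def summarise(log_text):
    """Run both detections over a chunk of maillog text."""
    events = parse_failures(log_text)
    return {
        "failures": len(events),
        "noisy_accounts": users_over_threshold(events),
        "spray_windows": spray_windows(events),
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On a live server, feed it the output of "grep 'Squirrelmail login failed' /var/log/maillog" and tune the thresholds to the size of your user base.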

 

We also added some code to squirrelmail/src/login.php to add a notes page to
the login screen. We inserted this chunk just before the line that says "do_hook('login_bottom');"

echo "<BR><CENTER>".
"<TABLE BORDER=1 WIDTH=75%><TR><TD ALIGN=CENTER><FONT FACE=Arial SIZE=2>".
"<P><B><FONT SIZE=3>IMPORTANT NOTES REGARDING THE WEBMAIL SYSTEM</FONT></B></P>".
"<P><B>AUTOMATIC MAIL DELETION</B></P>".
"<P>The mail server will automatically delete mail from the<BR> ".
"following folders after the specified number of days :<br>".
"Trash Folder - 7 days, Sent Folder - 30 days".
"<P><B>POP3 MAIL CLIENTS</B></P>".
"<P>If you check your mail using a POP3 mail client (such as Outlook Express),<BR> ".
"it will download and delete the mail from your WebMail inbox.</P>".
"<P>If you want to be able to download the mail using POP3 and also<BR> ".
"leave it on the server so you can see it with WebMail, you will need<BR> ".
"to adjust the settings in your POP3 client to tell it not to delete<BR> ".
"mail after downloading.</P>".
"<P>For example, to configure this in Outlook Express you would go to<br> ".
"<i>Tools -> Accounts -> Mail -> Properties -> Advanced</i><BR> ".
"and then tick the box<BR><i>'Leave a copy of message on server'</i><P>".
"</FONT>".
"</TD></TR></TABLE></CENTER>";

 

Now, another cosmetic change… : modify the squirrelmail/src/login.php and
change the wording of "Name:" to "Email address:".

 

Next, we set up a default document in the web server's root, to redirect our
customers through to the SquirrelMail login page. That way when people want to
access the WebMail tool they can point their browser to "http://webmail.yourdomain.com" and they will get automatically
redirected through to the SquirrelMail directory

vi /usr/local/apache/htdocs/index.html
<HTML>
<HEAD>
<TITLE>Redirect to WebMail login screen...</TITLE>
<META HTTP-EQUIV="refresh" CONTENT="1; url=http://webmail.yourdomain.com/squirrelmail/">
</HEAD>
<BODY>
Redirecting to the WebMail login screen...<br>
<a href="squirrelmail/">Click here if you are not automatically redirected</a>
</BODY>
</HTML>

SPAM AND VIRUS CHECKING

OK, now you have a working mail server.. You have loaded all your users and
they are giving the new system a good workout. Everything is running nice and
smoothly. You sit back and think "my job is done!"

Until… users start coming to you and saying… "Hey, this new mail
server is really good… But how do I block out all these viruses and spam?"…
Uh oh…!

Well, luckily the answer is relatively easy….. The qmail-scanner program
lets us easily implement anti-spam and anti-virus. Installation instructions
follow :

 

OPTIONAL : RAZOR V2

http://razor.sourceforge.net

If Razor is installed, SpamAssassin will automatically include it in the list
of tests run. We found that Razor is quite accurate in identifying spam, and it
only added a small amount of extra CPU load on the server, so it is definitely
worth installing. Note though, that I believe the licensing of Razor states
that it isn’t free for commercial use – so you should probably check the docs
before deciding whether you wish to enable this function or not

Compile and install :

# install the pre-requisite modules for razor
perl -MCPAN -e shell 
#(enter your way through all the questions. The only one you will likely have to answer is regarding your Continent/Country)
# tell the cpan shell to follow the dependency tree and automatically grab any required modules
o conf prerequisites_policy follow
# make sure you have some of the basic tools needed to get the CPAN downloads working smoothly
install LWP MD5 
# install the razor pre-requisites now
install Net::Ping Net::DNS Time::HiRes Digest::SHA1 Getopt::Long File::Copy Digest::Nilsimsa URI::Escape 
quit
# now install the actual razor software
wget http://optusnet.dl.sourceforge.net/sourceforge/razor/razor-agents-2.77.tar.bz2
bunzip2 razor-agents-2.77.tar.bz2
tar xf razor-agents-2.77.tar
chown -R root.root razor-agents-2.77 
cd razor-agents-2.77
perl Makefile.PL
make
make test
make install
cd ..

The Razor programs will now be installed in /usr/bin. In particular,
SpamAssassin makes use of the program called : "razor-check"

Last job is to create the Razor configuration files (they get put into
/etc/razor/) by using these commands :

razor-admin -d -create -home=/etc/razor

If your server is going to be busy, then I would recommend you edit the razor
config file and turn down the debugging level a bit :

vi /etc/razor/razor-agent.conf
debuglevel=1

SPAMASSASSIN 

http://www.spamassassin.org

Description :

SpamAssassin is a program that scans email messages using a set of rules, and
then assigns a score. If the score is higher than your nominated limit, then
the message will be tagged as spam.

# install the pre-requisite modules for spamassassin
perl -MCPAN -e shell 
# tell the cpan shell to follow the dependency tree and automatically grab any required modules
o conf prerequisites_policy follow
# make sure we have all the SpamAssassin prerequisites installed
install Digest::SHA1 HTML::Parser Storable MIME::Base64 DB_File Net::DNS Net::SMTP Mail::SPF::Query IP::Country::Fast BerkeleyDB 
exit

Download and compile

wget http://apache.mirror.pacific.net.au/spamassassin/source/Mail-SpamAssassin-3.1.2.tar.gz
tar xzf Mail-SpamAssassin-3.1.2.tar.gz
chown -R root.root Mail-SpamAssassin-3.1.2
cd Mail-SpamAssassin-3.1.2
perl Makefile.PL
make
make install
cd ..

"make install" creates the following main files :

/usr/bin/spamassassin            <- This is the command-line version of the SpamAssassin program
/usr/bin/spamc                   <- Daemonised SpamAssassin client
/usr/bin/spamd                   <- Daemonised SpamAssassin server
/usr/share/spamassassin/         <- The SpamAssassin logic/filter files live here
/etc/mail/spamassassin/local.cf  <- sitewide configuration settings

Test to see if the installation was successful. (Watch the output from the
script. SpamAssassin will add headers to the message. In particular look for the
"X-Spam-Status: " and see if it correctly tags the message with a Yes or No)

spamassassin -t < sample-nonspam.txt 
spamassassin -t < sample-spam.txt 

To improve security, modify the configuration of the spamd daemon so it runs
under its own uid

Create a spamd user for the spamd process to run as

groupadd spamd
useradd -g spamd spamd

Modify / create the spamd configuration file

vi /etc/sysconfig/spamassassin
# Hint : if you want to enable SpamAssassin debugging 
# (the debug output goes to /var/log/maillog) then use : 
# SPAMDOPTIONS="-x -u spamd -H /home/spamd -d -D"
# Don't leave debugging turned on unnecessarily though, 
# because it will slow down a busy server.
#
# Otherwise, for normal operation (debugging disabled) use following combo :
# -x means not to look for any per-user preferences ( since all our users are virtual)
# -u means to run as userid spamd
# -H tells the addon apps like .razor to store all their files into eg /home/spamd/.razor
# -d tells spamd to run as a daemon
SPAMDOPTIONS="-x -u spamd -H /home/spamd -d"

Configure the spamd daemon so it is running all the time from bootup onwards

# the init script is in the spamd subdir of the source tree we unpacked above
cp Mail-SpamAssassin-3.1.2/spamd/redhat-rc-script.sh /etc/rc.d/init.d/spamd
chmod 700 /etc/rc.d/init.d/spamd
chkconfig --add spamd

Then I like to use the ntsysv program
to double-check that spamd is set to launch at boot time

Setup the SpamAssassin configuration

vi /etc/mail/spamassassin/local.cf 
# Define the sensitivity level. 
required_score 5
# Allow SpamAssassin to rewrite the subject line of any message it classifies as spam.
# This is the value that will be prepended to the subject line of messages classified as spam
rewrite_header Subject [SPAM]
# Put spam analysis reports into the headers of the message (rather than the body)
report_safe 0
# Enable SpamAssassin's RBL checking features :
# Although we have already done some RBL filtering earlier in qmail's rblsmtpd program,
# it is still recommended to turn on RBL checking in SpamAssassin, as it will run
# checks against a variety of different RBL sources, and the results will help
# tag spam more accurately
skip_rbl_checks 0
# If we haven't received a response from the RBL server in X seconds, then skip that test
rbl_timeout 3
# You can nominate any netblocks that you control and that contain mailservers that
# you trust, i.e. you control the mailservers in these netblocks so there is no
# need to be running RBL checks against these particular servers.
# You should include all the netblocks used by email clients on your local lan.
# Also make sure you include any netblocks that host your mail servers.
trusted_networks 127.0.0.1
trusted_networks 123.123.123.0/24
# Enable auto-learning
use_bayes 1
bayes_auto_learn 1
# we are going to run a single global bayes db for all users ( rather than a db per user)
bayes_path /home/spamd/.spamassassin/bayes
# Enable auto-whitelisting
use_auto_whitelist 1

Just to make sure the bayes database directory will be setup correctly :

mkdir /home/spamd/.spamassassin
chown -R spamd.spamd /home/spamd/.spamassassin

If you wish to view all the possible configuration options, use this
command :

perldoc Mail::SpamAssassin::Conf

Enable the razor functions

vi /etc/mail/spamassassin/v310.pre
#uncomment the following line :
loadplugin Mail::SpamAssassin::Plugin::Razor2

OK, the SpamAssassin software is now fully installed!

Any mail that SpamAssassin classifies as spam will have [SPAM] added to the
subject line.  You should now probably setup some docs for your users
showing them how they can use message filtering rules in their email client. You
can see our message filtering guides
here

If you aren’t ready to reboot the server now, you can fire up spamd in the
meantime with this command :

/etc/rc.d/init.d/spamd start 

If all goes well, "ps axf" will show the spamd process running with the
options we set above :

9721 ? S 0:01 /usr/bin/spamd -x -u spamd -H /home/spamd -d

(Note that spam filtering isn’t actually operational on your server yet, you
need to use the qmail-scanner program to feed mail through the SpamAssassin
scripts)

 

CLAM ANTI-VIRUS

http://www.clamav.net

Clam antivirus can run in two different modes. Either as a normal
command line scanner, or as a client/daemon pair.

When working as a command line scanner, you perform your scanning using
the program "clamscan". If a complex program like a virus scanner is run
repetitively (ie being launched for every email that passes through your
system), it chews up a lot of CPU/disk resources. To get around this
issue you can launch Clam as a daemon (clamd). This is where a copy of
Clam is launched and stays active in the background. You then do your
scanning using the clamdscan client, which is only small, thus
making it fast to launch/run. The client sends commands to the daemon,
and the daemon will take care of scanning the message and returning the
results to the client. (The same technique is used by SpamAssassin where
you can use the full spamassassin command line version, or the spamc/spamd
client/daemon pair).

In a busy environment, there is no doubt that the client/daemon method
is the best way to go

groupadd clamav
useradd -g clamav -s /bin/false -c "Clam AntiVirus" clamav
cd /usr/local/src
wget http://optusnet.dl.sourceforge.net/sourceforge/clamav/clamav-0.88.tar.gz
tar xzf clamav-0.88.tar.gz
chown -R root.root clamav-0.88
cd clamav-0.88
./configure
make
make install

Customise the clamd configuration file

vi /usr/local/etc/clamd.conf
# make sure you comment out the "example" line
LogSyslog
FixStaleSocket
User clamav

Configure clamd so it is running all the time from bootup onwards

cp contrib/init/RedHat/clamd /etc/rc.d/init.d/
chmod 744 /etc/rc.d/init.d/clamd
chkconfig --add clamd

Then I like to use the ntsysv program
to double-check that clamd is set to launch at boot time

If you aren’t ready to reboot the server now, you can fire up clamd
in the meantime with this command :

/etc/rc.d/init.d/clamd start 

At this point the clamd software should be running. A good way to verify
this is to use this command :

ps axf

And if all is well, you should be able to see something like this :

18144 ? S 0:00 /usr/local/sbin/clamd

Setup the freshclam configuration file

vi /usr/local/etc/freshclam.conf
# make sure you comment out the "example" line
LogSyslog
DatabaseOwner clamav
# in the DatabaseMirror line, replace "au" with your own country code
DatabaseMirror db.au.clamav.net
NotifyClamd

Configure freshclam to start on boot

vi /etc/rc.d/rc.local
/usr/local/bin/freshclam -d 

Launch freshclam now

/usr/local/bin/freshclam -d 

At this point the freshclam software should be running. A good way to verify
this is to use this command :

ps axf

And if all is well, you should see the freshclam daemon in the listing (it will
show as the "/usr/local/bin/freshclam -d" command launched above), alongside
the clamd process shown earlier.
 

QMAIL-SCANNER


http://qmail-scanner.sourceforge.net

Description :

Qmail-Scanner is an add-on that enables a qmail server to scan
messages for certain characteristics. It is typically used for its anti-virus
protection functions, in which case it is used in conjunction with commercial
(or open source) virus scanners. It is also capable of blocking email that
contains specific strings in particular headers, or particular attachment
filenames or types (e.g. *.VBS attachments).

Install the required supporting modules for Qmail-Scanner

TNEF unpacker

http://sourceforge.net/projects/tnef/
cd /usr/local/src
wget http://optusnet.dl.sourceforge.net/sourceforge/tnef/tnef-1.3.4.tar.gz
tar xzf tnef-1.3.4.tar.gz
chown -R root.root tnef-1.3.4
cd tnef-1.3.4
./configure
make
make install
cd ..

ReformatMIME (from the Maildrop package)

http://sourceforge.net/projects/courier  
cd /usr/local/src
wget http://optusnet.dl.sourceforge.net/sourceforge/courier/maildrop-2.0.1.tar.bz2
bunzip2 maildrop-2.0.1.tar.bz2
tar xf maildrop-2.0.1.tar
chown -R root.root maildrop-2.0.1
cd maildrop-2.0.1
./configure
make
make install-strip
make install-man
cd ..

A "Qmail-Scanner ST patch" has been released by Salvatore Toribio, which
greatly extends the functionality of qmail-scanner. The patch adds extra
features to help deal with spam (such as dropping messages that exceed a
certain SpamAssassin score). We are going to use this patch, as it makes
qmail-scanner much more useful.

cd /usr/local/src
# Grab the qmail-scanner source
wget http://optusnet.dl.sourceforge.net/sourceforge/qmail-scanner/qmail-scanner-1.25.tgz
tar xzf qmail-scanner-1.25.tgz 
chown -R root.root qmail-scanner-1.25
# Grab and apply the qmail-scanner-st patch
wget http://toribio.apollinare.org/qmail-scanner/download/q-s-1.25st-20050406.patch.gz
gunzip q-s-1.25st-20050406.patch.gz
patch -p0 < q-s-1.25st-20050406.patch
cd qmail-scanner-1.25

Now at this point, I would recommend you spend some time reading the
qmail-scanner documentation. And once you have read that, take a look at the
qmail-scanner-st patch doco

Next, create a user and group for the qmailscanner to run under

groupadd qscand 
useradd -c "Qmail-Scanner Account" -g qscand -s /bin/false qscand

For qmailscanner to work correctly with clamav, you need to adjust clamav to
run under the qscand username

vi /usr/local/etc/clamd.conf
# look for the line that says "User clamav" and replace with
User qscand
/etc/rc.d/init.d/clamd restart

Configure Qmail-Scanner :

# Here are the settings we used at our site for configuring Qmail-Scanner :
#
# configure Qmail-Scanner to work in the following manner :
#   - notify a nominated admin each time a virus is detected
#     (in this case it will be virusadmin@yourdomain.com)
#   - use the client/server version of Clam AV for anti-virus scanning.
#   - enable support for spamc/spamd in "verbose" mode. 
#     Qmail-Scanner can run spamd in "fast" mode or "verbose" mode.
#     You can read more about this at the Qmail-Scanner FAQ page.
#     I would recommend that you use verbose mode as this allows you to get access to 
#     the full reporting/tagging features that SpamAssassin can provide. It costs you
#     a fraction more CPU power, but provides a much greater range of features.
#   - Use a medium level of sensitivity when blocking mail due to broken MIME formatting
#
#   Some of the options below (e.g. --sa-delete) are provided by the qmail-scanner-st patch
#   - sa-delete sets the point at which spam mail is autodeleted.
#     sa-delete is a value relative to the SpamAssassin required_hits (required_score),
#     so in our case the spam will be deleted at a score of 10 (5 + 5)
./configure \
  --admin virusadmin \
  --domain yourdomain.com \
  --admin-fromname "yourdomain.com Postmaster" \
  --local-domains "yourdomain.com" \
  --scanners clamdscan,verbose_spamassassin \
  --fix-mime 1 \
  --debug no \
  --sa-delete 5 \
  --sa-reject yes \
  --install

Note : If the install fails with an error like this :

Redhat hosts need to have perl-suidperl installed to get setuid support

Then you will need to do something like this (this example for Redhat
7.3) :

cd /usr/local/src
wget http://redhat.pacific.net.au/redhat/redhat-7.3-en/os/i386/RedHat/RPMS/perl-suidperl-5.6.1-34.99.6.i386.rpm
rpm -ivh perl-suidperl-5.6.1-34.99.6.i386.rpm 

Edit the perlscanner file, which is used to block mail that contains
particular strings. perlscanner is a tool that is included with qmail-scanner,
and it is executed after all the other anti-virus scanners have run (eg
clamscan). This provides a good failsafe in case a new virus comes along that
the virus scanner can't detect yet. perlscanner is perfect for blocking those
virus-prone attachments that have no legitimate purpose in email.

vi /var/spool/qscan/quarantine-events.txt

Uncomment the following lines :

.lnk SIZE=-1 LNK files not allowed per Company security policy
.wsh SIZE=-1 WSH files not allowed per Company security policy
.vbs SIZE=-1 VBS files not allowed per Company security policy
.scr SIZE=-1 SCR files not allowed per Company security policy
.hta SIZE=-1 HTA files not allowed per Company security policy
.pif SIZE=-1 PIF files not allowed per Company security policy
.cpl SIZE=-1 CPL files not allowed per Company security policy
# rebuild the perlscanner database
setuidgid qmaild /var/qmail/bin/qmail-scanner-queue.pl -g

Any SMTP sessions that are dropped (due to network outages, etc) may leave
files lying around in /var/spool/qmailscan. Running /var/qmail/bin/qmail-scanner-queue.pl
-z at least once daily will ensure such files are deleted once they're over 30
hours old. We will make a cronjob to do that :

crontab -e
0 0 * * * /var/qmail/bin/qmail-scanner-queue.pl -z

Now define what mail is to be sent through Qmail-Scanner, and also make sure
that your qmail-smtpd script allocates sufficient resources to support the
needs of Qmail-Scanner + Antivirus + SpamAssassin. At our site, we have
configured Qmail-Scanner to virus-scan all messages (ie inbound and outbound
mail). We did this by setting up our
/var/qmail/supervise/qmail-smtpd/run
file like this :

vi /var/qmail/supervise/qmail-smtpd/run
#!/bin/sh
# when QMAILQUEUE is set, all mail will be sent to the nominated script
QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl" export QMAILQUEUE

QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`

# softlimit needs to be set at something large such as 15000000 
# to allow virusscanning software to run successfully
exec /usr/local/bin/softlimit -m 15000000 \
 /usr/local/bin/tcpserver \
  -v -x /etc/tcp.smtp.cdb \
  -c 20 -R -u "$QMAILDUID" -g "$NOFILESGID" 0 smtp \
... and the rest of the file snipped ...

Restart the qmail-smtpd service :

svc -d /service/qmail-smtpd
svc -u /service/qmail-smtpd

However, if you don’t want to virusscan all mail, you can selectively nominate
which IP ranges should or shouldn’t be checked by setting the QMAILQUEUE variable
via your /etc/tcp.smtp file rather than inside the supervise/qmail-smtpd/run
file. Refer to the Qmail-Scanner home page for setup examples.

QMAIL-SCANNER / SPAMASSASSIN NOTES :

How can I tell if SpamAssassin is working?

Each time SpamAssassin processes a message, it will log some information
to /var/log/maillog (score, message size, time taken to process)

Not all mail gets passed through SpamAssassin

We have configured our supervise/qmail-smtpd/run
script so that it runs Qmail-Scanner for every mail message. This means all
incoming and outgoing mail will get virus-checked. However this doesn’t
necessarily mean that every message passing through Qmail-Scanner will also
get sent through SpamAssassin.

Qmail-Scanner has been coded so that messages are only passed on to
SpamAssassin if the RELAYCLIENT variable from tcp.smtp is not set. The
idea behind this is to reduce load on the system by not running SpamAssassin
on mail originated by your users.

It is possible to force SpamAssassin checking for local users if you
choose, by setting QS_SPAMASSASSIN="on" for the appropriate entries
in your tcp.smtp file.

You can read more about this subject on the Qmail-Scanner FAQ page.
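As an added example (not from this page or from the Qmail-Scanner project), here is an /etc/tcp.smtp that sets QMAILQUEUE per source range instead of in the supervise/qmail-smtpd/run file, so the RELAYCLIENT / QS_SPAMASSASSIN behaviour described above can be seen side by side. The 192.168.1. range and the 10.0.0.5 host are constructed addresses.

```text
# /etc/tcp.smtp - tcprules source for the qmail-smtpd tcpserver (constructed example)
#
# Your own users (RELAYCLIENT set): Qmail-Scanner virus-scans their mail, and
# QS_SPAMASSASSIN="on" forces SpamAssassin to run even though RELAYCLIENT is set.
127.:allow,RELAYCLIENT="",QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl",QS_SPAMASSASSIN="on"
192.168.1.:allow,RELAYCLIENT="",QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl",QS_SPAMASSASSIN="on"
#
# A secondary MX that already scans its mail: no QMAILQUEUE, so qmail-smtpd
# hands the message straight to qmail-queue and Qmail-Scanner never runs.
10.0.0.5:allow
#
# Everyone else: no relaying; Qmail-Scanner runs, and because RELAYCLIENT is
# not set the message also goes through SpamAssassin.
:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
#
# After editing, rebuild the cdb that tcpserver reads (-x /etc/tcp.smtp.cdb):
#   tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp < /etc/tcp.smtp
```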

Is it possible to configure per-user settings for SpamAssassin?

It depends on your configuration. We believe it will be possible to
implement an interface so that vpopmail users can turn SpamAssassin checking
on/off, and also set their own custom required_hits. We are hoping to store
these settings as additional columns in the vpopmail MySQL database… Stay
tuned and we will post more info as it comes to hand

Can I make it so that all the spam gets sent to a SPAM or TRASH folder?

Yes, have a look at this example,
or take a look at the $smaildir option in the qmail-scanner-st patch.

Qmail-Scanner's quarantine directory

Each virus-infected mail message gets quarantined into the following
directory :

/var/spool/qmailscan/quarantine/new

So you will need to periodically purge the files from that dir, or else
your hard disk will eventually fill up!

eg setup a crontab entry like this :

0 * * * * find /var/spool/qmailscan/quarantine/new -type f -mtime +30 -exec rm '{}' \;

TIPS & MISC NOTES :

"ps axf" is your friend. It is particularly useful for visualising how the
supervise/qmail processes all fit together.
"ps axfu" is good for double checking which accounts the individual server
processes are running under.


SOME EXAMPLE MAILBOX MANAGEMENT SCRIPTS :

Since all the information for your email domains and mailboxes is stored in
MySQL, it is easy to create scripts so your support staff can quickly navigate /
view all this account information.

Our support staff's intranet site is a Windows 2000 machine running IIS5 with
ASP. Here are a couple of example ASP scripts that I hacked together that show
what can be achieved :

vpopmail-asp-scripts.v120.zip

No doubt it would be easy enough to use these same techniques in PHP if you
are running Linux/Apache for your intranet.

The script "viewvlogs" allows you to browse through the vpopmail "vlog"
table in MySQL to look for people who have failed to authenticate successfully
when trying to check mail.

The script "viewpop3" allows you to see a list of email domains hosted on
your server. You can do things like view all users from a domain, or view an
individual mailbox. The output will show useful things like clear passwords
and mailbox size. There are also buttons that will log you into qmailadmin or
SquirrelMail as a given user with a single mouse click.

Some screenshots of the viewpop3 script :

  • Main login screen
  • Login to a domain
  • View all mailboxes on a domain
  • Login to an email address
  • View details for email address

One final note : if you are running IIS, you need to download and install the
MySQL Connector/ODBC "Windows Driver Installer" files onto your server to
allow these ASP scripts to work.

On a related subject, have you ever wanted to be able to create mailboxes
"on-the-fly" via a webpage or similar? Well, if you are running the MySQL
back-end, then you are in luck! It is possible to use an INSERT command to
create the new user in the MySQL database. When the user first POP/IMAPs into
their account, or when they first receive a message, their mailbox will
automatically be created on the hard disk of the mail server. I have an example
showing how I create mailboxes on-the-fly from an IIS server using an ASP script :
asp-vpopmail-passwd-entries.txt
(And here is another link that shows how you can generate suitably
encrypted passwords using PHP.) There is also some more spirited discussion
on this subject here :

http://www.mail-archive.com/qmailadmin@inter7.com/msg03509.html
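As an added example (not the page's ASP script and not vpopmail's own code), here is the same on-the-fly insert done from Python: it produces a crypt(3)-compatible MD5 hash for pw_passwd (the same format as "openssl passwd -1") and builds a parameterised INSERT using MySQLdb/pymysql-style %s placeholders. The `vpopmail` single-table column list and the /home/vpopmail/domains/<domain>/<user> directory layout are assumed to match a default vpopmail build; adjust them to your installation.

```python
import hashlib
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(v, n):
    """crypt(3)'s to64(): n characters, least significant 6 bits first."""
    return "".join(ITOA64[(v >> (6 * i)) & 0x3F] for i in range(n))

def md5crypt(password, salt):
    """MD5-based crypt(3) hash ($1$...), as produced by 'openssl passwd -1'."""
    pw, magic, salt = password.encode(), b"$1$", salt[:8].encode()
    alt = hashlib.md5(pw + salt + pw).digest()
    ctx = hashlib.md5(pw + magic + salt)
    for left in range(len(pw), 0, -16):        # MD5(pw,salt,pw), len(pw) bytes of it
        ctx.update(alt[:min(16, left)])
    i = len(pw)
    while i:                                   # one byte per bit of len(pw)
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                      # fixed 1000 stretching rounds
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    out = "".join(_to64(final[a] << 16 | final[b] << 8 | final[c], 4) for a, b, c in groups)
    return (magic + salt).decode() + "$" + out + _to64(final[11], 2)

def new_salt():
    """8 random salt characters from the crypt alphabet."""
    return "".join(secrets.choice(ITOA64) for _ in range(8))

def vpopmail_insert(user, domain, password, gecos="", vpopmail_home="/home/vpopmail"):
    """Parameterised INSERT for vpopmail's single 'vpopmail' table (assumed default
    many-domains schema). pw_dir is the Maildir vpopmail creates on first login or
    first delivery; pw_shell carries the quota; pw_clear_passwd is left empty unless
    you rely on vpopmail's --enable-clear-passwd build option."""
    sql = ("INSERT INTO vpopmail (pw_name, pw_domain, pw_passwd, pw_uid, pw_gid, "
           "pw_gecos, pw_dir, pw_shell, pw_clear_passwd) "
           "VALUES (%s, %s, %s, %s, %s, %s, %s, %s, %s)")
    params = (user, domain, md5crypt(password, new_salt()), 0, 0, gecos,
              f"{vpopmail_home}/domains/{domain}/{user}", "NOQUOTA", "")
    return sql, params
```

Pass the returned (sql, params) pair to your DB-API cursor's execute() rather than interpolating the values into the SQL string yourself.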


TODO :

  • Use netqmail-1.05
  • Update to MySQL v4.x
  • Use Fedora rather than Redhat

Other misc ramblings :

I sold the ISP that I used to own to a larger national provider, and now "I
work for them". At this larger company we use
Postfix
(and amavisd/spamassassin/clamd)
rather than qmail (and qmail-scanner/spamd/clamd). After learning Postfix I can
confidently say that it is a much superior MTA to qmail. However even the most
pro-Postfix staff are amazed at the ease of use of the vpopmail/qmail system.
Although Postfix also has virtual mailbox support, there is no easy-to-use
package like vpopmail for driving this system. Since I now spend my days working
with Postfix, my development of this webpage has slowed somewhat. Hopefully I
will be able to find the time to keep this page fairly up to date  :-)
I have published a Postfix server guide.



I have an Amazon wish list

A big thank you to these people who have sent me a gift :

  • Dave Richardson
  • Ken Winke
  • Joseph Schmitt II
  • Oban Lambie
  • Andrew Seely
  • Marco Varanda
  • Raymond Luong
  • Mansung Nojima
  • Charlie
  • Andrew Harteveldt
  • Nick Strupp
  • Carol Blevins


Last updated : 13-Jul-2006

Please send me your feedback!


ChangeLog :

13th June 2006 :

  • Updated the SpamAssassin v3.1.2
  • For safety sake, added a mkdir/chown for /home/spamd/.spamassassin dir
    (Thanks to Steven Looi for the tip)
  • Updated to Courier-IMAP v4.1.1
  • Added a note about FAM to the Courier-IMAP section.

19th March 2006 :

29th March 2006 :

  • Added info about autorespond-2.0.5
  • Updated to Courier-Authlib v0.58
  • Updated to Courier-IMAP v4.1.0
  • Updated to SqWebMail v5.1.1
  • Updated to SpamAssassin v3.1.1
  • Updated to ClamAV 0.88
  • Have been madly working on Postfix/MySQL guide. Should be ready for
    publication soon. So far it's a 140Kb, 2875-line monster html doc!

7th November 2005

  • Updated to SpamAssassin v3.1.0
  • Updated qmail-scanner, and added qmail-scanner-st patch

27th Sep 2005

  • Upgraded to vpopmail-5.4.10, qmailadmin-1.2.9, Courier-Authlib-0.57,
    Courier-IMAP-4.0.6, ClamAV-0.87
  • Added some SqWebMail installation notes
  • Added a note on SpamAssassin 3.1
  • Added Carol Blevins to the list of people who have sent me a gift :-)

15th Sep 2005

  • Increased the POP3d softlimit from 4000000 to 6000000, after James Ecker
    reported to me that 4000000 wasn’t sufficient when using Fedora/MySQL 4.1

1st Sep 2005

  • Added a ChangeLog  :-)
  • Updated SpamAssassin hyperlink from v303 to v304
  • Added a hyperlink for Razor download
  • Added note to see if anyone would be interested to see my Postfix
    equivalent to this guide
