Brasília, 20 September 2011
Tutorial: Installation and Configuration
E-mail Server
Qmail Spamassassin Vpopmail Clamav
Roundcube SSL
i-Comunicação and Faros Educacional - André Gonçalves Araujo
andre.araujo@icomunicacao.com.br
Vpopmail Clamav Roundcube SSL
Test environment
Operating system: Debian Squeeze
Hardware: virtual machine (VMware Player), 20 GB disk
Download the packages needed to install and configure the whole server.
Install daemontools and ucspi-tcp
aptitude install ucspi-tcp daemontools daemontools-run
Install Courier packages
aptitude install courier-base courier-authdaemon courier-authlib courier-authlib-mysql courier-imap courier-imap-ssl courier-pop-ssl courier-pop courierpassd courier-maildrop gamin
You should accept all the default answers.
Install the needed compiler, tools and libraries
aptitude install cpp g++ gcc make automake wget telnet libtool patch patchutils logrotate dh-make-perl libltdl7 libcdb1 equivs expect openssl libssl-dev libgmp3-dev libgdbm-dev libpcre++-dev libpcre-ocaml libpcre-ocaml-dev
For security reasons, it's a good idea to remove the compilers (cpp, g++, gcc and make) after you complete this guide.
Install MySQL database and libraries
aptitude install mysql-common mysql-client-5.1 mysql-server-core-5.1 libmysqlclient16 libmysqlclient-dev
Remember your root MySQL password (referred to as MySQL_root_password later in this guide).
Install Apache & PHP
aptitude install apache2 php5 php5-common libapache2-mod-php5 php5-mysql
Accept the default proposal about apache2-mpm-worker.
Install antispam and antivirus
aptitude install spamassassin spamc pyzor razor clamav-daemon clamav-docs
Install un-archiver tools
aptitude install arj unrar lha unzip bzip2 tar tnef
Install Perl modules
aptitude install perl-suid spf-tools-perl libmailtools-perl libnet-cidr-lite-perl libnet-daemon-perl libtest-distribution-perl libmail-spf-perl libperl-dev
aptitude install libhtml-format-perl libhtml-parser-perl libhtml-tagset-perl libhtml-tree-perl perl-doc libdate-manip-perl libio-string-perl libio-socket-ssl-perl libnet-ident-perl libsys-syslog-perl libencode-detect-perl
aptitude install libnet-dns-perl libplrpc-perl libtimedate-perl libcompress-zlib-perl libdigest-hmac-perl libdigest-sha1-perl libparse-syslog-perl libmail-dkim-perl libcrypt-openssl-bignum-perl
Install debug / manipulation tools
These last ones are not mandatory but are useful if you need to debug.
aptitude install dnsutils whois findutils pciutils less net-tools tcpdump iptraf lsof dstat iotop htop mc locate
For the whole installation procedure we will work with all the packages inside the /downloads directory.
mkdir /downloads
cd /downloads
wget http://qmailrocks.thibs.com/downloads/debian-qmr.tar.gz
tar zxvf debian-qmr.tar.gz
Creating groups and users
After downloading the files, you need to create the users and groups that will run the e-mail service.
Qmail is a set of small programs that work together to provide the mail sending and receiving services. For this whole process to run securely, it is extremely important that every file and directory belongs to its proper owner and group.
Note that if you ever need to reinstall the mail server, performing a backup and restore, you must make sure that the numeric UID and GID of the users are preserved. This matters because the programs are compiled with the specific UIDs and GIDs given in this tutorial.
If you want to change these values, you also need to change the courier-authlib configuration.
groupadd -g 161 nofiles
groupadd -g 162 qmail
groupadd -g 163 qscand
groupadd -g 89 vchkpw
useradd -u 161 -g nofiles -d /var/qmail/alias -s /sbin/nologin -p '*' -c 'QMail alias user' alias
useradd -u 162 -g nofiles -d /var/qmail -s /sbin/nologin -p '*' -c 'QMail daemon user' qmaild
useradd -u 163 -g nofiles -d /var/qmail -s /sbin/nologin -p '*' -c 'QMail log user' qmaill
useradd -u 164 -g nofiles -d /var/qmail -s /sbin/nologin -p '*' -c 'QMail password user' qmailp
useradd -u 165 -g qmail -d /var/qmail -s /sbin/nologin -p '*' -c 'QMail queue user' qmailq
useradd -u 166 -g qmail -d /var/qmail -s /sbin/nologin -p '*' -c 'QMail remote user' qmailr
useradd -u 167 -g qmail -d /var/qmail -s /sbin/nologin -p '*' -c 'QMail send user' qmails
useradd -u 89 -g vchkpw -d /home/vpopmail -s /sbin/nologin -p '*' -c 'Vpopmail (virtual domains) user' vpopmail
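The script below is an added example and is not part of this tutorial. It checks that the qmail and vpopmail accounts of a system carry exactly the UID/GID values the useradd and groupadd commands above assign, which is the check you want to run after a backup and restore before starting qmail. It reads passwd- and group-format text, so it can be fed the output of getent passwd / getent group on a live host or a backed-up /etc/passwd; the sample records inside the block are constructed for the demonstration and only POSIX sh and awk are needed.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: verify that the qmail and
# vpopmail accounts still carry the UID/GID values compiled into the binaries.

# Expected "name:uid:gid" triples, copied from the useradd commands above.
EXPECTED_USERS='alias:161:161
qmaild:162:161
qmaill:163:161
qmailp:164:161
qmailq:165:162
qmailr:166:162
qmails:167:162
vpopmail:89:89'

# Expected "name:gid" pairs, copied from the groupadd commands above.
EXPECTED_GROUPS='nofiles:161
qmail:162
qscand:163
vchkpw:89'

# check_users PASSWD_TEXT
# PASSWD_TEXT is the content of /etc/passwd (or "getent passwd" output).
# Prints one line per missing or mismatched account; exit status 1 if any.
check_users() {
    bad=0
    for entry in $EXPECTED_USERS; do
        name=${entry%%:*}
        ids=${entry#*:}                      # "uid:gid"
        actual=$(printf '%s\n' "$1" | awk -F: -v n="$name" '$1 == n { print $3 ":" $4 }')
        if [ -z "$actual" ]; then
            echo "MISSING user $name (expected uid:gid $ids)"
            bad=1
        elif [ "$actual" != "$ids" ]; then
            echo "MISMATCH user $name: found uid:gid $actual, expected $ids"
            bad=1
        fi
    done
    return $bad
}

# check_groups GROUP_TEXT
# GROUP_TEXT is the content of /etc/group (or "getent group" output).
check_groups() {
    bad=0
    for entry in $EXPECTED_GROUPS; do
        name=${entry%%:*}
        gid=${entry#*:}
        actual=$(printf '%s\n' "$1" | awk -F: -v n="$name" '$1 == n { print $3 }')
        if [ -z "$actual" ]; then
            echo "MISSING group $name (expected gid $gid)"
            bad=1
        elif [ "$actual" != "$gid" ]; then
            echo "MISMATCH group $name: found gid $actual, expected $gid"
            bad=1
        fi
    done
    return $bad
}

# Constructed sample records (not from a real host): a correct system, and a
# restored system where vpopmail was recreated with uid 1000.
SAMPLE_PASSWD_OK='root:x:0:0:root:/root:/bin/bash
alias:x:161:161:QMail alias user:/var/qmail/alias:/sbin/nologin
qmaild:x:162:161:QMail daemon user:/var/qmail:/sbin/nologin
qmaill:x:163:161:QMail log user:/var/qmail:/sbin/nologin
qmailp:x:164:161:QMail password user:/var/qmail:/sbin/nologin
qmailq:x:165:162:QMail queue user:/var/qmail:/sbin/nologin
qmailr:x:166:162:QMail remote user:/var/qmail:/sbin/nologin
qmails:x:167:162:QMail send user:/var/qmail:/sbin/nologin
vpopmail:x:89:89:Vpopmail (virtual domains) user:/home/vpopmail:/sbin/nologin'
SAMPLE_PASSWD_BAD=$(printf '%s\n' "$SAMPLE_PASSWD_OK" | sed 's/^vpopmail:x:89:89:/vpopmail:x:1000:89:/')
SAMPLE_GROUP_OK='nofiles:x:161:
qmail:x:162:
qscand:x:163:
vchkpw:x:89:'

# On a real host: check_users "$(getent passwd)" && check_groups "$(getent group)"
if [ "${1:-}" = "--demo" ]; then
    check_users "$SAMPLE_PASSWD_OK" && check_groups "$SAMPLE_GROUP_OK" && echo "sample OK system: ids consistent"
    check_users "$SAMPLE_PASSWD_BAD" || echo "sample restored system: ids NOT consistent"
fi
```

Run it with --demo to see both sample outcomes; on a real host pass the getent output as shown in the comment and refuse to start qmail until it reports nothing.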
mkdir /var/qmail
mkdir /usr/src/qmail
mkdir -p /var/log/qmail/qmail-send
mkdir -p /var/log/qmail/qmail-smtpd
mkdir -p /var/log/qmail/qmail-smtpdssl
chown -R qmaill:root /var/log/qmail
chmod -R 750 /var/log/qmail
Installing Qmail, ucspi-tcp and ucspi-ssl
The Debian repositories do contain a Qmail source package, but the reason we will not use it is simple: once installed, its files are scattered over several different locations, which makes documenting and understanding the Qmail layout harder.
Extracting the sources
cd /usr/src/qmail
tar -zxvf /downloads/qmail-1.03.tar.gz
Patch it with John M. Simpson's combined patches (they include every patch that is part of netqmail-1.05, but also some others!)
cd /usr/src/qmail/qmail-1.03
Install ezmlm-idx
Ezmlm-idx is a mailing list manager, an add-on for Qmail. Once Qmailadmin is installed, you will see that ezmlm-idx integrates perfectly into Qmailadmin to provide mailing lists with a very friendly list-management interface. As an added bonus, Vpopmail (which we will also install) will let you control what users can and cannot do with mailing lists. Its home page is here: http://www.ezmlm.org/
cd /downloads/
tar zxvfp ezmlm-idx-7.1.1.tar.gz
cd /downloads/ezmlm-idx-7.1.1
ln -s /downloads/ezmlm-idx-7.1.1/lang/en_US/ /downloads/ezmlm-idx-7.1.1/lang/default
make clean
make; make man
./ezmlm-test
You should receive messages like the ones below:
ezmlm-make: OK
Using subdb plugin: std
ezmlm-reject: OK
ezmlm-[un|is]sub[n]: OK
ezmlm-checksub: OK
ezmlm-send: OK
ezmlm-tstdig: OK
ezmlm-weed: OK
ezmlmrc contents: OK
ezmlm-clean: OK
ezmlm-store: OK
ezmlm-return: OK
ezmlm-warn (1/2): OK
ezmlm-manage (1/2): OK
ezmlm-request: OK
ezmlm-split: OK
ezmlm-gate: OK
ezmlm-idx: OK
ezmlm-get (index): OK
ezmlm-get (get): OK
ezmlm-get (thread): OK
ezmlm-get (digest): OK
ezmlm-manage (2/2): OK
ezmlm-moderate: OK
ezmlm-warn (2/2): OK
ezmlm-archive: OK
ezmlm-dispatch: OK
dispatch editor: OK
decode sender: OK
Verifying message header and body contents...
flags and substs: OK
messages: OK
subscribe probe: OK
unsubscribe probe: OK
subscribe: OK
unsubscribe: OK
moderated subscribe: OK
moderated unsub: OK
subscribe by mod: OK
unsubscribe by mod: OK
copylines: OK
ezmlm-send: OK
Cleaning up...
Edit the file /downloads/ezmlm-idx-7.1.1/conf-ld and replace the first line with:
cc -g -B /usr/lib/mysql/
the password for ezmlmuser (EZMLM_PASSWORD).
mysql -pMySQL_root_password
CREATE DATABASE ezmlm;
GRANT ALL PRIVILEGES ON ezmlm.* TO ezmlmuser@localhost IDENTIFIED BY 'EZMLM_PASSWORD';
FLUSH PRIVILEGES;
quit;
Let's test the account we just created:
mysql -uezmlmuser -pEZMLM_PASSWORD
You should get this response:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 39
Server version: 5.0.51a-24+lenny4-log (Debian)
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> exit;
Installing and testing MySQL support:
cd /downloads/ezmlm-idx-7.1.1
make mysql
./ezmlm-test -s mysql -u ezmlmuser -p EZMLM_PASSWORD -h localhost
You should get a response like this:
ezmlm-make: OK
Using subdb plugin: mysql
ezmlm-reject: OK
ezmlm-[un|is]sub[n]: OK
ezmlm-checksub: OK
ezmlm non-SQL: OK
ezmlm SQL: OK
...
Finishing the installation:
make install
Ezmlm-0.53 is a qmail-based mailing list manager written by Dan J. Bernstein (qmail's author); ezmlm-idx originated as an add-on to it. It now exists as a complete package on its own, but can still be considered essentially an extension of ezmlm.
Installing autorespond
Autorespond does exactly what you think it does: it generates automatic replies for users' mailboxes.
cd /downloads/
tar zxvf autorespond-2.0.5.tar.gz
cd /downloads/autorespond-2.0.5
make && make install
Installing Vpopmail
Vpopmail is one of the main components of this installation. It lets us host mail for virtual domains and comes with numerous built-in tools and features that make administration more pleasant. Even if you do not want to host mail for several domains, I still recommend installing Vpopmail: it simply makes the mail game easier. Besides, this installation revolves around it, so if you do not install it you will get a headache.
Creating the database
MySQL_root_password must be the password chosen in step 3, and the password for vpopmailuser (VPOPMAIL_PASSWORD) must be different from the root password.
mysql -pMySQL_root_password
CREATE DATABASE vpopmail;
GRANT select,insert,update,delete,create,drop ON vpopmail.* TO vpopmailuser@localhost IDENTIFIED BY 'VPOPMAIL_PASSWORD';
FLUSH PRIVILEGES;
quit;
Testing the account we just created:
mysql -uvpopmailuser -pVPOPMAIL_PASSWORD
You should get a response like this:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 39
Server version: 5.0.51a-24+lenny4-log (Debian)
mysql> exit;
Preparing the installation
mkdir -p /home/vpopmail/etc
chown -R vpopmail:vchkpw /home/vpopmail
chmod 770 /home/vpopmail
cd /home/vpopmail/etc
echo "localhost|0|vpopmailuser|VPOPMAIL_PASSWORD|vpopmail" > ~vpopmail/etc/vpopmail.mysql
chown vpopmail:vchkpw ~vpopmail/etc/vpopmail.mysql
chmod 640 ~vpopmail/etc/vpopmail.mysql
Compiling
cd /downloads/
tar zxvf vpopmail-5.4.33.tar.gz
cd /downloads/vpopmail-5.4.33
./configure \
  --enable-qmaildir=/var/qmail/ \
  --enable-qmail-newu=/var/qmail/bin/qmail-newu \
  --enable-qmail-inject=/var/qmail/bin/qmail-inject \
  --enable-qmail-newmrh=/var/qmail/bin/qmail-newmrh \
  --enable-tcprules-prog=/usr/bin/tcprules \
  --enable-tcpserver-file=/etc/tcp.smtp \
  --enable-clear-passwd \
  --enable-many-domains \
  --enable-valias \
  --enable-qmail-ext \
  --enable-logging=p \
  --enable-auth-logging \
  --enable-sql-logging \
  --enable-auth-module=mysql \
  --enable-incdir=/usr/include/mysql \
  --enable-libdir=/usr/lib/ \
  --disable-mysql-limits \
  --disable-passwd
make && make install-strip
Modifying this file is necessary to avoid segmentation faults in some cases.
cat > ~vpopmail/etc/vusagec.conf << __EOF__
Server:
  Disable = True;
__EOF__
Installing Qmailadmin
Qmailadmin is a tool that provides a web interface for administering Qmail. Contrary to what the tutorials say, it does not have a friendly interface; still, it lets you perform many operations such as creating e-mail accounts, aliases, forwards, autoresponders and mailing lists.
cd /downloads/
tar zxvf qmailadmin-1.2.16.tar.gz
cd /downloads/qmailadmin-1.2.16
./configure \
  --enable-cgibindir=/var/www/mail/cgi-bin/ \
  --enable-htmldir=/var/www/mail/cgi-bin/ \
  --enable-imageurl=../../images \
  --enable-imagedir=/var/www/mail/images \
  --enable-domain-autofill \
  --enable-ezmlmdir=/usr/local/bin/ezmlm \
  --enable-autorespond=/usr/bin/autorespond
make && make install-strip
cd /var/www/mail/images
rm middleleft1.png
wget http://mailadmin.thibs.com/images/middleleft1.png
We will test the web interface later.
Enabling the web tools
In the previous steps we installed two administration tools for the mail server; now we will enable them.
First, you need to create an entry in the DNS server (a CNAME or an A record). For this environment the domain mailadmin.intranet.ico was created, pointing to the virtual server. It can be any name except the server's hostname.
Then we create the Apache virtual host pointing to the registered domain.
In the file /etc/apache2/sites-available/mailadmin.intranet.ico we have the following entries:
---
<VirtualHost *:80>
    ServerAdmin andre@intranet.ico
    DocumentRoot /var/www/mail
    ServerName mailadmin.intranet.ico
    ErrorLog /var/log/apache2/mailadmin.intranet.ico-error.log
    CustomLog /var/log/apache2/mailadmin.intranet.ico-access.log common
    <Directory /var/www/mail/cgi-bin/>
        Options ExecCGI FollowSymLinks -Indexes
        ForceType cgi-script
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>
        Options ExecCGI -Indexes
        AllowOverride All
        Order deny,allow
    </Directory>
    <Directory /var/www/mail/qmailadmin/>
        Options -Indexes
        Order allow,deny
        Allow from all
    </Directory>
    <Directory /var/www/mail/cgi-bin/images/>
        ForceType Off
        Options -Indexes
        Order allow,deny
        Allow from all
    </Directory>
    <Directory /var/www/mail/images/qmailadmin/>
        ForceType Off
        Options -Indexes
        Order allow,deny
        Allow from all
    </Directory>
    <Directory /var/www/mail/images/vqadmin/>
        ForceType Off
        Options -Indexes
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
---
a2ensite mailadmin.intranet.ico
/etc/init.d/apache2 reload
Enter the following address in your browser to test qmailadmin: http://mailadmin.intranet.ico/cgi-bin/qmailadmin
Remove the installed MTA
Exim is the MTA installed by default on Debian. Stop and remove Exim:
/etc/init.d/exim4 stop
dpkg --ignore-depends=exim4 -r exim4
dpkg --ignore-depends=exim4-daemon-light -r exim4-daemon-light
If you are using sendmail or postfix:
dpkg --purge --ignore-depends=postfix postfix
dpkg --purge sendmail sendmail-base sendmail-bin sendmail-cf
Install a pseudo MTA to avoid problems within the Debian system:
dpkg -i /downloads/deb-packages/mta-local_1.0_all.deb
Create symlinks so that Qmail is used instead of the default MTA:
rm -f /usr/lib/sendmail
rm -f /usr/sbin/sendmail
ln -s /var/qmail/bin/sendmail /usr/lib/sendmail
ln -s /var/qmail/bin/sendmail /usr/sbin/sendmail
Configure Qmail
It's time to configure Qmail...
Copy the qmailctl script to its proper location:
cp /downloads/scripts/qmailctl /var/qmail/bin/qmailctl
Adapt the script permissions:
chmod 755 /var/qmail/bin/qmailctl
The script /var/qmail/rc is no longer used.
In the original qmailrocks installation guide it was used by the send_run script, which is replaced by service-send-run (from John M. Simpson) in this guide.
Create the needed symlinks:
ln -s /var/qmail/bin/qmailctl /usr/bin
Set Maildir as the default mailbox type (./Mailbox for mbox type):
echo ./Maildir > /var/qmail/control/defaultdelivery
Set some configuration (you can find more at http://www.lifewithqmail.com/lwq.html#configuration):
echo 255 > /var/qmail/control/concurrencyremote
echo 30 > /var/qmail/control/concurrencyincoming
echo 30 > /var/qmail/control/timeoutsmtpd
echo postmaster@yourdomain.tld > /var/qmail/control/bouncefrom
echo yourdomain.tld > /var/qmail/control/doublebouncehost
echo postmaster > /var/qmail/control/doublebounceto
cd /var/qmail/control/
chmod 644 bouncefrom doublebouncehost doublebounceto concurrencyremote concurrencyincoming spfbehavior
Set the maximum message size to 8 MB:
echo '8000000' > /var/qmail/control/databytes
Allow localhost to send (relay) mail:
echo '127.:allow,RELAYCLIENT=""' >> /etc/tcp.smtp
qmailctl cdb
If you use backup MX servers or if this server acts as a smart host for others, I advise you to also run:
echo 'OTHER-SERVER-IP:allow,RELAYCLIENT="",QS_SPAMASSASSIN="1"' >> /etc/tcp.smtp
qmailctl cdb
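As an added example (not from the tutorial), the function below lints a tcp.smtp rule file before qmailctl cdb compiles it. It parses each address:action,VAR=value rule and fails when a rule with an empty address part, which tcprules applies to every client, grants RELAYCLIENT, since that turns the server into an open relay; it also warns when RELAYCLIENT is granted to a whole one-octet prefix other than 127. The rule sets in the block are constructed; 192.0.2.10 is a documentation address standing in for OTHER-SERVER-IP.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: lint /etc/tcp.smtp for
# rules that would make qmail-smtpd relay for everyone.
#
# audit_tcp_smtp RULES_TEXT
# Prints one finding per questionable rule. Exit status 1 when an open-relay
# rule is present, 0 otherwise (warnings alone do not fail the check).
audit_tcp_smtp() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*(#|$)/ { next }                 # skip comments and blank lines
        {
            split($0, parts, ":")                    # address is everything before the first colon
            addr = parts[1]
            if ($0 !~ /RELAYCLIENT=/) next           # only relay-granting rules matter here
            if (addr == "") {
                print "OPEN RELAY: default rule grants RELAYCLIENT to every client: " $0
                open_relay = 1
            } else if (addr ~ /^[0-9]+\.$/ && addr != "127.") {
                print "WARNING: RELAYCLIENT granted to the whole " addr "0.0.0/8 range: " $0
            }
        }
        END { exit (open_relay ? 1 : 0) }'
}

# Constructed sample rule sets (not from a real server).
# What the tutorial builds: loopback and one trusted peer may relay; everyone
# else may only deliver to local domains.
RULES_OK='127.:allow,RELAYCLIENT=""
192.0.2.10:allow,RELAYCLIENT="",QS_SPAMASSASSIN="1"
:allow'

# A common mistake: RELAYCLIENT on the catch-all rule, which is an open relay.
RULES_OPEN_RELAY='127.:allow,RELAYCLIENT=""
:allow,RELAYCLIENT=""'

# Usage on a live host, before compiling the cdb:
#   audit_tcp_smtp "$(cat /etc/tcp.smtp)" && qmailctl cdb
if [ "${1:-}" = "--demo" ]; then
    audit_tcp_smtp "$RULES_OK" && echo "RULES_OK: no open relay"
    audit_tcp_smtp "$RULES_OPEN_RELAY" || echo "RULES_OPEN_RELAY: rejected"
fi
```

Chaining the audit in front of qmailctl cdb, as in the comment, means a bad rule never reaches the compiled database that qmail-smtpd reads.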
If you want to learn about the other available options, take a look at this sample.
Create mail aliases
echo some_address > /var/qmail/alias/.qmail-root
echo some_address > /var/qmail/alias/.qmail-postmaster
echo some_address > /var/qmail/alias/.qmail-mailer-daemon
where some_address is the system user or e-mail address you want these addresses aliased to.
chmod 644 /var/qmail/alias/.qmail*
Final configuration
cd /usr/src/qmail/qmail-1.03
./config-fast YOUR_SERVER_NAME
Configure daemontools
Daemontools is a collection of Unix tools for managing services. Its home page is here: http://cr.yp.to/daemontools.html
If you don't want to read about it, just remember that it automatically restarts a crashing service (but it allows a lot of other things and I really advise you to read about it...).
It has already been installed from a Debian package.
In this version of the guide we will use it only to manage the qmail-smtpd, qmail-send and qmail-smtpdssl processes. I plan, however, to manage other services with it in a next release.
Create the needed directories with the appropriate permissions:
mkdir -p /var/qmail/supervise/qmail-smtpd/log
mkdir -p /var/qmail/supervise/qmail-send/log
mkdir -p /var/qmail/supervise/qmail-smtpdssl/log
cd /var/qmail/supervise
chmod +t qmail-smtpd qmail-send qmail-smtpdssl
Copy the scripts to their proper locations (service-qmail-send-run, send_log, service-qmail-smtpd-run, smtpd_log, service-qmail-smtpdssl-run, smtpdssl_log):
cp /downloads/scripts/service-qmail-send-run /var/qmail/supervise/qmail-send/run
cp /downloads/scripts/send_log /var/qmail/supervise/qmail-send/log/run
cp /downloads/scripts/service-qmail-smtpd-run /var/qmail/supervise/qmail-smtpd/run
cp /downloads/scripts/smtpd_log /var/qmail/supervise/qmail-smtpd/log/run
cp /downloads/scripts/service-qmail-smtpdssl-run /var/qmail/supervise/qmail-smtpdssl/run
cp /downloads/scripts/smtpdssl_log /var/qmail/supervise/qmail-smtpdssl/log/run
Adapt permissions:
chmod 751 /var/qmail/supervise/qmail-smtpd/run
chmod 751 /var/qmail/supervise/qmail-smtpd/log/run
chmod 751 /var/qmail/supervise/qmail-send/run
chmod 751 /var/qmail/supervise/qmail-send/log/run
chmod 751 /var/qmail/supervise/qmail-smtpdssl/run
chmod 751 /var/qmail/supervise/qmail-smtpdssl/log/run
Create symlinks in the /etc/service directory:
ln -s /var/qmail/supervise/qmail-send /var/qmail/supervise/qmail-smtpd /var/qmail/supervise/qmail-smtpdssl /etc/service
Create a symlink from the Debian convention to the standard convention:
ln -s /etc/service /service
Configure spamassassin
Spamassassin is the antispam system we'll use.
Edit /etc/default/spamassassin to change the following options:
ENABLED=1
OPTIONS="--create-prefs --max-children 5 --helper-home-dir -u vpopmail -v -x -i -m 5 -c -H -s mail"
Edit /etc/spamassassin/local.cf to change the following options.
Uncomment the following lines:
required_score 5.0
use_bayes 1
bayes_auto_learn 1
Add the following lines:
use_razor2 1
skip_rbl_checks 1
use_dcc 1
use_pyzor 1
razor_config /etc/razor/razor-agent.conf
OPTIONAL: if you want to report spam with Vipul's Razor spam-reporting system:
razor-admin -d -home=/etc/razor -create
Uncomment this in /etc/spamassassin/v310.pre:
loadplugin Mail::SpamAssassin::Plugin::DCC
Uncomment this in /etc/spamassassin/v320.pre:
loadplugin Mail::SpamAssassin::Plugin::Rule2XSBody
Install the IP::Country::Fast Perl package (deb):
dpkg -i /downloads/deb-packages/libip-country-perl_2.27-1_all.deb
Uncomment this in /etc/spamassassin/init.pre:
loadplugin Mail::SpamAssassin::Plugin::RelayCountry
Create a compiled version of some rulesets:
sa-compile
Test the configuration and start the service:
/usr/bin/spamassassin -D --lint
Configure clamav
Clamav is the antivirus system we'll use.
dpkg-reconfigure clamav-base
Change the clamav user/group to qscand and keep all the other default settings (Group - Owner).
dpkg-reconfigure clamav-freshclam
Choose daemon + your location + the default answers.
chown -R qscand:clamav /var/log/clamav /var/lib/clamav /var/run/clamav
chown qscand:qscand /etc/clamav/freshclam.conf
chmod 600 /etc/clamav/freshclam.conf
ln -s /var/log/clamav /var/log/qmail/clamav
Edit /etc/clamav/freshclam.conf to change the DatabaseOwner option:
DatabaseOwner qscand
Change both /etc/logrotate.d/clamav-freshclam and /etc/logrotate.d/clamav-daemon so that the log file is created with the correct identity:
create 640 qscand qscand
Restart the services:
/etc/init.d/clamav-daemon restart
/etc/init.d/clamav-freshclam restart
Configure courier and courier-authlib
Adapt the automatically generated SSL certificate
During package installation, all the needed courier packages have been installed.
Nevertheless, the generated SSL certificates probably do not match your needs. We'll simply regenerate them.
Edit the files /etc/courier/imapd.cnf and /etc/courier/pop3d.cnf to match your settings:
[ req_dn ]
C=BE
ST=Brussels
L=Brussels
O=Courier Mail Server
OU=POP3/IMAP SSL key
CN=Your FQDN server
emailAddress=Your e-mail address
Regenerate the certificates with the correct information and a validity of 10 years:
rm -f /usr/lib/courier/*.pem
rm -f /etc/courier/*.pem
sed -i 's/-days 365/-days 3650/' /usr/lib/courier/mkimapdcert
sed -i 's/-days 365/-days 3650/' /usr/lib/courier/mkpop3dcert
dpkg-reconfigure courier-imap-ssl
ln -s /usr/lib/courier/pop3d.pem /etc/courier/pop3d.pem
ln -s /usr/lib/courier/imapd.pem /etc/courier/imapd.pem
Configure courier-authlib
Courier-authlib is the authentication library used by all the courier components.
We'll use the MySQL database used by vpopmail (which already contains the authentication info) instead of the vchkpw method used in the previous QMR guide (because it's no longer implemented/supported since version 0.60).
Please remember the settings used in step 4; you'll need to use them again.
As courier-authlib and courier-authlib-mysql have been installed from Debian packages, we only have to configure them.
Edit /etc/courier/authdaemonrc and change line 27 to match the following:
authmodulelist="authmysql"
Edit /etc/courier/authmysqlrc and adapt the variables to match the following (put in the password chosen in step 4):
MYSQL_SERVER localhost
MYSQL_USERNAME vpopmailuser
MYSQL_PASSWORD VPOPMAIL_PASSWORD
MYSQL_DATABASE vpopmail
MYSQL_SELECT_CLAUSE SELECT CONCAT(pw_name, '@', pw_domain) AS username, \
    pw_passwd AS cryptpw, \
    pw_clear_passwd AS clearpw, \
    '89' AS uid, \
    '89' AS gid, \
    pw_dir AS home, \
    '' AS maildir, \
    pw_shell AS quota, \
    pw_gecos AS fullname, \
    'disablewebmail=0,disablepop3=0,disableimap=0' AS options \
    FROM vpopmail \
    WHERE \
    pw_name = '$(local_part)' \
    AND \
    pw_domain = '$(domain)';
If necessary, replace 89 by the alternate UID:GID chosen in Part 1.
Restart the service to take those modifications into account:
/etc/init.d/courier-authdaemon restart
Install qmail-scanner
qmail-scanner is an alternative queuing system for qmail.
Qmail-scanner is going to allow us to integrate Clam Antivirus and SpamAssassin into our qmail server's mail queue. Once qmail-scanner is installed, there will be a master script filled with configuration options that help you tailor the functionality of Clam Antivirus and SpamAssassin to your needs.
We patched the qmail source to support it in step 2 and we enabled it in step 10. It's now time to install it ;-)
cd /downloads/
tar zxvf q-s-2.08st-20100626.tgz
cd /downloads/qmail-scanner-2.08st
First run configure without --install to check the settings:
./configure --admin postmaster --domain your_domain --local-domains "your_domain" --sa-quarantine 5 --ignore-eol-check yes --add-dscr-hdrs yes --notify psender,admin --sa-report yes --fix-mime 1 --unzip 1 --archive 0 --silent-viruses auto --redundant no --log-crypto 0
Then run it again with --install 1 to actually install it:
./configure --admin postmaster --domain your_domain --local-domains "your_domain" --sa-quarantine 5 --ignore-eol-check yes --add-dscr-hdrs yes --notify psender,admin --sa-report yes --fix-mime 1 --unzip 1 --archive 0 --silent-viruses auto --redundant no --log-crypto 0 --install 1
ln -s /var/spool/qscan /var/log/qmail/qscan
Let's test it... First switch to a non-privileged user account:
su - non-privileged_user_account
/var/qmail/bin/qmail-scanner-queue.pl -g
You should get an answer like this:
perlscanner: generate new DB file from /var/spool/qscan/quarantine-events.txt
perlscanner: total of 35 entries.
Switch back to the root account:
exit
Add it to the log rotation system:
cp /downloads/qmail-scanner-2.08st/contrib/logrotate.qmail-scanner /etc/logrotate.d/qmail-scanner
chmod 644 /etc/logrotate.d/qmail-scanner
Launch qmail:
qmailctl start
qmailctl stat
You should see something like this:
/service/qmail-send: up (pid 17762) 63 seconds
/service/qmail-send/log: up (pid 17763) 63 seconds
/service/qmail-smtpd: up (pid 18500) 63 seconds
/service/qmail-smtpd/log: up (pid 17767) 63 seconds
/service/qmail-smtpdssl: up (pid 18496) 63 seconds
/service/qmail-smtpdssl/log: up (pid 17773) 63 seconds
messages in queue: 0
messages in queue but not yet preprocessed: 0
If you notice that some service stays at 1 second, check the corresponding log to debug it:
tail /var/log/qmail/qmail-send/current
tail /var/log/qmail/qmail-smtpd/current
tail /var/log/qmail/qmail-smtpdssl/current
chmod 755 test_installation.sh
./test_installation.sh -doit
You should get an answer like this:
Sending standard test message - no viruses... 1/4 done!
Sending eicar test virus - should be caught by perlscanner module... 2/4 done!
Sending eicar test virus with altered filename - should only be caught by commercial anti-virus modules (if you have any)... 3/4 done!
Sending bad spam message for anti-spam testing - In case you are using SpamAssassin... 4/4 If you have enabled $sa_quarantine, $sa_delete or $sa_reject the spam-message wont't arrive to the recipients. But if you have enabled (good idea!) 'minidebug' or 'debug' you should check /var/spool/qscan/qmail-queue.log (or where ever you have the log). Done!
Finished test. Now go and check Email sent to postmaster@domain.tld and/or the log..
OPTIONAL: you can receive daily statistics:
echo '/var/spool/qscan/log-report.sh /var/spool/qscan/qmail-queue.log |mail YOUR E-MAIL ADDRESS' > /etc/cron.daily/qmailscanner-report
Install the roundcubemail webmail interface
cd /downloads/
tar zxvfp roundcubemail-0.5.3.tar.gz
chown -R root:root /downloads/roundcubemail-0.5.3
mv /downloads/roundcubemail-0.5.3 /var/www/mail/
ln -s /var/www/mail/roundcubemail-0.5.3/ /var/www/mail/webmail
ln -s /var/www/mail/webmail/logs /var/log/webmail
chmod 777 /var/www/mail/webmail/logs/
chmod 777 /var/www/mail/webmail/temp/
Create the needed database.
The MySQL_root_password used should be the password chosen in pre-step 3. It should not be the same as the password for roundcubemail (ROUNDCUBEMAILPASSWORD).
It's not a typo: MySQL_root_password really goes right after the -p.
mysql -pMySQL_root_password
CREATE DATABASE roundcubemail /*!40101 CHARACTER SET utf8 COLLATE utf8_general_ci */;
GRANT ALL PRIVILEGES ON roundcubemail.* TO roundcube@localhost IDENTIFIED BY 'ROUNDCUBEMAILPASSWORD';
quit;
Test the account you have just created:
mysql -uroundcube -pROUNDCUBEMAILPASSWORD
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 39
Server version: 5.0.51a-24+lenny4-log (Debian)
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> exit;
Let's configure it:
cd /var/www/mail/webmail
mysql -uroundcube -pROUNDCUBEMAILPASSWORD roundcubemail < SQL/mysql.initial.sql
cp /var/www/mail/webmail/config/db.inc.php.dist /var/www/mail/webmail/config/db.inc.php
cp /var/www/mail/webmail/config/main.inc.php.dist /var/www/mail/webmail/config/main.inc.php
Edit the file /var/www/mail/webmail/config/main.inc.php and change the following:
$rcmail_config['default_host'] = 'localhost';
Edit the file /var/www/mail/webmail/config/db.inc.php and change the following:
$rcmail_config['db_dsnw'] = 'mysql://roundcube:ROUNDCUBEMAILPASSWORD@localhost/roundcubemail';
OPTIONAL: you can specify other parameters through the web interface.
Point your browser at http://mailadmin.intranet.ico/webmail/installer/ and follow the instructions.
You can add some packages for optional features:
aptitude install php5-gd php5-mcrypt php5-intl
/etc/init.d/apache2 restart
Just a little cleaning... and use it!
cd /var/www/mail/webmail
rm -rf installer/ CHANGELOG INSTALL LICENSE README UPGRADING
Your server is functional now!
Test Qmail functionalities
We first check whether the server listens on the right ports:
netstat -tupan | grep LISTEN
You should see at least the mail-related entries among these:
tcp   0 0 127.0.0.1:3306  0.0.0.0:* LISTEN 2218/mysqld
tcp   0 0 0.0.0.0:783     0.0.0.0:* LISTEN 2302/spamd.pid
tcp   0 0 0.0.0.0:111     0.0.0.0:* LISTEN 1901/portmap
tcp   0 0 0.0.0.0:49168   0.0.0.0:* LISTEN 1912/rpc.statd
tcp   0 0 0.0.0.0:465     0.0.0.0:* LISTEN 3063/sslserver
tcp   0 0 127.0.0.1:1013  0.0.0.0:* LISTEN 2957/famd
tcp   0 0 0.0.0.0:22      0.0.0.0:* LISTEN 2141/sshd
tcp   0 0 0.0.0.0:25      0.0.0.0:* LISTEN 3056/tcpserver
tcp6  0 0 :::993          :::*      LISTEN 2924/couriertcpd
tcp6  0 0 :::995          :::*      LISTEN 2942/couriertcpd
tcp6  0 0 :::110          :::*      LISTEN 2930/couriertcpd
tcp6  0 0 :::143          :::*      LISTEN 2911/couriertcpd
tcp6  0 0 :::80           :::*      LISTEN 2999/apache2
In this case, Qmail should now be able to send and receive e-mails.
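The check above is easy to automate. The function below is an added example (not from the tutorial): fed the output of netstat -tupan, it reports every required mail port (25, 465, 110, 143, 993, 995) that has no LISTEN entry, and warns when a service that only local processes use (MySQL on 3306, spamd on 783) is bound to all interfaces instead of 127.0.0.1, as spamd is in the listing above. The sample listing in the block is constructed from that output with illustrative PIDs; only POSIX sh and awk are required.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: check "netstat -tupan"
# output for the listeners this mail server needs and for services that need
# not be reachable from the network.
#
# check_listeners NETSTAT_TEXT
# Prints MISSING for each required port with no LISTEN entry (exit status 1)
# and WARNING for local-only services bound to all interfaces (status 0).
check_listeners() {
    printf '%s\n' "$1" | awk \
        -v required="25 465 110 143 993 995" \
        -v local_only="3306 783" '
        BEGIN {
            nreq = split(required, req, " ")
            nloc = split(local_only, loc, " ")
        }
        $6 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)          # text after the last colon
            host = $4; sub(/:[0-9]+$/, "", host)     # "0.0.0.0", "::" or "127.0.0.1"
            listener[port] = $7
            if (host == "0.0.0.0" || host == "::") exposed[port] = $7
        }
        END {
            bad = 0
            for (i = 1; i <= nreq; i++)
                if (!(req[i] in listener)) {
                    print "MISSING: nothing listens on port " req[i]
                    bad = 1
                }
            for (i = 1; i <= nloc; i++)
                if (loc[i] in exposed)
                    print "WARNING: port " loc[i] " (" exposed[loc[i]] ") is bound to all interfaces; only local processes need it"
            exit bad
        }'
}

# Constructed sample, modelled on the listing above (PIDs are illustrative).
SAMPLE_NETSTAT='tcp   0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 2218/mysqld
tcp   0 0 0.0.0.0:783    0.0.0.0:* LISTEN 2302/spamd.pid
tcp   0 0 0.0.0.0:465    0.0.0.0:* LISTEN 3063/sslserver
tcp   0 0 0.0.0.0:22     0.0.0.0:* LISTEN 2141/sshd
tcp   0 0 0.0.0.0:25     0.0.0.0:* LISTEN 3056/tcpserver
tcp6  0 0 :::993         :::*      LISTEN 2924/couriertcpd
tcp6  0 0 :::995         :::*      LISTEN 2942/couriertcpd
tcp6  0 0 :::110         :::*      LISTEN 2930/couriertcpd
tcp6  0 0 :::143         :::*      LISTEN 2911/couriertcpd
tcp6  0 0 :::80          :::*      LISTEN 2999/apache2'
# The same listing without the SMTP-SSL service (e.g. qmail-smtpdssl failed to start).
SAMPLE_NETSTAT_NO_SSL=$(printf '%s\n' "$SAMPLE_NETSTAT" | grep -v ':465 ')

# On a live host: check_listeners "$(netstat -tupan)"
if [ "${1:-}" = "--demo" ]; then
    check_listeners "$SAMPLE_NETSTAT" && echo "all required mail ports are listening"
    check_listeners "$SAMPLE_NETSTAT_NO_SSL" || echo "a required service is down"
fi
```

A WARNING for port 783 on the sample means spamd accepts connections from the network; since only qmail-scanner on this host talks to it, binding it to 127.0.0.1 (the -i option in /etc/default/spamassassin) removes that exposure without changing anything else.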
Receiving e-mails
telnet localhost 25
Connected to localhost.
Escape character is '^]'.
220 servername.localdomain.tld ESMTP
mail from: <testmail@test.com>
250 ok
rcpt to: <nospam@test.com>
250 ok
data
354 go ahead
From: Test_sender <testmail@test.com>
To: Test_receiver <nospam@test.com>
Subject: Just a stupid SMTP test

Just a test !
.
250 ok 1279384489 qp 3711
quit
221 servername.localdomain.tld
Connection closed by foreign host.
This demonstrates a successful SMTP connection!
For our tests, we need to create a dummy account:
/home/vpopmail/bin/vadddomain test.com brol
/home/vpopmail/bin/vadduser test@test.com brol2
qmailctl reload
We can also create a real account:
/home/vpopmail/bin/vadddomain your_real_domain.tld your_postmaster_password
/home/vpopmail/bin/vadduser an_account@your_real_domain.tld your_account_password
qmailctl reload
You can of course do the same thing via the vqadmin and qmailadmin web interfaces. "brol" is a Belgian idiom that means "something useless".
You can send a test mail to an_account@your_real_domain.tld from your regular mail client. We'll retrieve it in the next step, but if you don't receive an NDR it's probably already OK.
Sending e-mail through an authenticated connection: testing TLS
telnet localhost 25
You should get an answer like this:
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 servername.domain.tld ESMTP
ehlo localhost
250-servername.domain.tld
250-STARTTLS
250-SIZE 0
250-PIPELINING
250 8BITMIME
starttls
220 ready for tls
quit
quit
In the above SMTP session, the important aspects are these: after you give the server the initial "ehlo localhost" command, you should get a response back that lists "250-STARTTLS", signaling that the server is in fact equipped for TLS functionality. Then, after you issue the "starttls" command, you should get the "220 ready for tls" response if the server is able to successfully start the TLS session.
If you happen to get an error that states "454 TLS not available: missing RSA private key (#4.3.0)" after you issue the "starttls" command, you will want to check 2 things:
1. Verify that the cert actually exists at /var/qmail/control/servercert.pem. If it's not there, go back to step 2 and repeat the cert creation step.
2. Verify that the cert is owned by vpopmail:qmail. If it's not, then make it so like this:
chown vpopmail:qmail /var/qmail/control/servercert.pem
Now that we have verified that the server supports the STARTTLS command, we can use openssl s_client to connect.
This command is equivalent to the previous sequence up to the "220 ready for tls" message:
depth=0 /C=BE/ST=Brussels/L=Brussels/O=DOMAIN.TLD/OU=ICT/CN=fqdn/emailAddress=your@e-mail.tld
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=BE/ST=Brussels/L=Brussels/O=THIBS.COM/OU=ICT/CN=fqdn/emailAddress=your@e-mail.tld
verify return:1
250 8BITMIME
ehlo testing
250-fqdn
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-SIZE 0
250-PIPELINING
250 8BITMIME
auth login
334 VXNlcm5hbWU6
dGVzdEB0ZXN0LmNvbQ==
334 UGFzc3dvcmQ6
YnJvbDI=
235 ok, go ahead (#2.0.0)
mail from: <testmail@test.com>
250 ok
rcpt to: <nospam@test.com>
250 ok
data
354 go ahead
From: Test_sender <testmail@test.com>
To: Test_receiver <nospam@test.com>
Subject: Just a simple SMTP TLS test

Just a TLS test !
.
quit
221 servername.localdomain.tld
Connection closed by foreign host.
As you've probably noticed, the login and password are base64-encoded, not encrypted ("dGVzdEB0ZXN0LmNvbQ==" stands for "test@test.com" and "YnJvbDI=" stands for "brol2")! You can encode strings yourself with the base64 script:
perl /downloads/scripts/base64
Press Enter to exit.
Input you string: test@test.com
Base64 encode is : dGVzdEB0ZXN0LmNvbQ==
Input you string: brol2
Base64 encode is : YnJvbDI=
Input you string: ^C (means press CTRL+C)
Test SMTP-SSL
openssl s_client -crlf -connect localhost:465 -quiet
It's nearly the same test. In this case we talk to an SSL-wrapped server on a different port, so the SSL connection is established before the SMTP conversation even starts:
depth=0 /C=BE/ST=Brussels/L=Brussels/O=DOMAIN.TLD/OU=ICT/CN=fqdn/emailAddress=your@e-mail.tld
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=BE/ST=Brussels/L=Brussels/O=THIBS.COM/OU=ICT/CN=fqdn/emailAddress=your@e-mail.tld
verify return:1
auth login
334 VXNlcm5hbWU6
dGVzdEB0ZXN0LmNvbQ==
334 UGFzc3dvcmQ6
YnJvbDI=
235 ok, go ahead (#2.0.0)
mail from: <testmail@test.com>
250 ok
250 ok
data
354 go ahead
From: Test_sender <testmail@test.com>
To: Test_receiver <nospam@test.com>
Subject: Just a simple SMTP-SSL test

Just a SMTP-SSL test !
.
250 ok 1279384489 qp 3711
quit
221 servername.localdomain.tld
Connection closed by foreign host.
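As an added example (not part of this tutorial, qmail or vpopmail), the script below parses EHLO replies shaped like the two sessions above, reports whether AUTH is ever offered before the channel is encrypted, and reproduces the base64 lines of the AUTH LOGIN exchange. EHLO_PLAIN and EHLO_TLS are constructed from the transcripts; live_audit() assumes an MTA listening on localhost:25.

```python
import base64
import smtplib
import ssl

# Constructed EHLO replies shaped like the two sessions above: before STARTTLS
# qmail advertised no AUTH; on the TLS-protected channel AUTH LOGIN PLAIN appeared.
EHLO_PLAIN = ("250-servername.domain.tld\r\n250-STARTTLS\r\n250-SIZE 0\r\n"
              "250-PIPELINING\r\n250 8BITMIME\r\n")
EHLO_TLS = ("250-fqdn\r\n250-AUTH LOGIN PLAIN\r\n250-AUTH=LOGIN PLAIN\r\n"
            "250-SIZE 0\r\n250-PIPELINING\r\n250 8BITMIME\r\n")

def parse_ehlo(reply):
    """Map a multi-line 250 reply to {KEYWORD: parameters}; line 1 is the server name."""
    bodies = [line[4:].strip() for line in reply.splitlines() if line[:3] == "250"]
    caps = {}
    for body in bodies[1:]:
        keyword, _, params = body.partition(" ")
        caps[keyword.upper()] = params
    return caps

def audit(plain_caps, tls_caps):
    """Where may a client be asked for credentials? AUTH before TLS means base64 in the clear."""
    has_auth = lambda caps: any(k.startswith("AUTH") for k in caps)
    return {
        "starttls_offered": "STARTTLS" in plain_caps,
        "auth_before_tls": has_auth(plain_caps),      # should be False on a sane MTA
        "auth_after_tls": has_auth(tls_caps),
        "tls_mechanisms": sorted(set(tls_caps.get("AUTH", "").split())),
    }

def auth_login_exchange(user, password):
    """Client lines sent after 'auth login', as in the session above: encoding, not encryption."""
    return [base64.b64encode(s.encode()).decode() for s in (user, password)]

def decode_b64_line(token):
    """Decode a 334 challenge or a captured credential line, e.g. 'VXNlcm5hbWU6'."""
    return base64.b64decode(token).decode()

def live_audit(host="localhost", port=25):
    """Same comparison against a real MTA (network; not run offline); a 454 reply raises SMTPResponseException."""
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # the tutorial's cert is self-signed
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo("localhost")
        plain = {k.upper(): v for k, v in smtp.esmtp_features.items()}
        smtp.starttls(context=ctx)
        smtp.ehlo("localhost")
        return audit(plain, {k.upper(): v for k, v in smtp.esmtp_features.items()})
```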
Test authentication
Now we should be able to authenticate through POP3, POP3-SSL, IMAP and IMAP-SSL.
Test courier-authlib
I suppose you still have the dummy account created when we tested qmail. First check that the account is still there (without testing authentication):
/home/vpopmail/bin/vuserinfo test@test.com
You should have an answer like this:
name: test
passwd: $1$E6ZeM1cj$B6/2kgZgjtycVtHteTPOC1
clear passwd: brol2
comment/gecos: test
uid: 0
gid: 0
flags: 0
gecos: test
dir: /home/vpopmail/domains/0/test.com/test
quota: NOQUOTA
usage: NOQUOTA
account created: Thu Jul 15 16:02:29 2010
last auth: Never logged in
If the account does not exist, create it by following the instructions on the "test qmail" page. Now test the authentication process:
/usr/sbin/authtest postmaster@test.com brol
/usr/sbin/authtest test@test.com brol2
You should have an answer like this:
Authenticated: test@test.com (uid 89, gid 89)
Home Directory: /home/vpopmail/domains/test.com/test
Maildir: (none)
Quota: (none)
Encrypted Password: $1$Atj/HMvq$UBXjgO0sGl2Jy22b0Du0
Cleartext Password: brol2
Options: disablewebmail=0,disablepop3=0,disableimap=0
This is the sign that authlib is working well!
HINT: Most authentication problems here are due to white space before or after the login/password fields in /etc/courier/authmysqlrc, configured in the previous step.
Test POP3 service
Let's test your new server's POP3 service...
telnet localhost 110
You should see something like this:
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
+OK Hello there.
user test@test.com
pass bril
-ERR Login failed.
pass brol2
+OK logged in.
quit
+OK Bye-bye.
This is the sign of a successful POP connection to the server!
Test POP3-SSL service
Let's test your new server's POP3-SSL service...
openssl s_client -connect localhost:995 -quiet
You should see something like this:
depth=0 /C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated POP3 SSL key/CN=localhost/emailAddress=postmaster@example.com
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated POP3 SSL key/CN=localhost/emailAddress=postmaster@example.com
verify return:1
+OK Hello there.
user test@test.com
+OK Password required.
pass brol2
+OK logged in.
quit
+OK Bye-bye.
Test IMAP service
Let's test your new server's IMAP service...
telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS] Courier-IMAP ready. Copyright 1998-2005 Double Precision, Inc. See COPYING for distribution information.
a login test@test.com brol2
a OK LOGIN Ok.
a logout
* BYE Courier-IMAP server shutting down
a OK LOGOUT completed
This is the sign of a successful IMAP connection to the server!
Hint: the "a" in front of each command is the IMAP command tag; the server repeats it in its reply, and it is required.
Test IMAPS service
Let's test your new server's IMAP-SSL service...
openssl s_client -connect localhost:993 -quiet
You should see something like this:
depth=0 /C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated IMAP SSL key/CN=localhost/emailAddress=postmaster@example.com
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated IMAP SSL key/CN=localhost/emailAddress=postmaster@example.com
verify return:1
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE AUTH=PLAIN ACL ACL2=UNION] Courier-IMAP ready. Copyright 1998-2008 Double Precision, Inc. See COPYING for distribution information.
a login test@test.com brol2
a OK LOGIN Ok.
a logout
* BYE Courier-IMAP server shutting down
a OK LOGOUT completed
Delete the test account
/home/vpopmail/bin/vdeluser test@test.com
/home/vpopmail/bin/vdeldomain test.com
--- /// --- Compiling fails with:
> make[2]: Entering directory `/home/graf/packages/BUILD/vmailmgr-0.97/authenticate'
> g++ -DHAVE_CONFIG_H -I. -I. -I.. -I../lib -g -O2 -fno-rtti -fno-exceptions -Wall -c checkvpw.cc
> checkvpw.cc: In function 'char* strcasestr(const char*, const char*)':
> checkvpw.cc:108: error: new declaration 'char* strcasestr(const char*, const char*)'
> /usr/include/string.h:367: error: ambiguates old declaration 'const char* strcasestr(const char*, const char*)'
> make[2]: *** [checkvpw.o] Error 1
> make[2]: Leaving directory `/home/graf/packages/BUILD/vmailmgr-0.97/authenticate'
The reason is strcasestr() which is defined in checkvpw.cc, but also exists in glibc. This didn't hurt until now, because both were declared the same way, but now in glibc 2.10 the declaration changed slightly: strcasestr() returns "const char *" instead of "char *", and this results in the above error.
The easy fix is to delete strcasestr() from checkvpw.cc, which is what the attached patch does. A check for strcasestr() in configure on the current system would probably be better.
--
Bernhard Graf
--- authenticate/checkvpw.cc +++ authenticate/checkvpw.cc @@ -105,15 +105,6 @@
return new auth_data(name, pass, stamp); }
-char* strcasestr(const char* haystack, const char* needle) -{
- for(size_t hlength = strlen(haystack), nlength = strlen(needle); - hlength >= nlength; hlength--, haystack++)
- if(!strncasecmp(haystack, needle, nlength)) - return (char*)haystack;
- return 0; -}
-
unsigned find_maildir(int argc, const char* args[]) {
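Review bot: the hunk removes the local strcasestr() at checkvpw.cc:108 unconditionally, so the build now depends on the platform libc declaring it; strcasestr is a GNU extension that glibc exposes only under _GNU_SOURCE (which g++ predefines, hence the clash) and that other libcs may lack, so the patch trades a redeclaration error on glibc 2.10 for an undeclared-function error elsewhere. Prefer guarding the definition, e.g. an AC_CHECK_FUNCS([strcasestr]) test at configure time and `#ifndef HAVE_STRCASESTR` around the copy kept in checkvpw.cc, as the cover note itself suggests.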
Sources
http://www.superscript.com/ucspi-ssl/install.html
http://qmailrocks.thibs.com/