
Brasília, 20 September 2011

Tutorial: Installation and Configuration

Mail Server

Qmail, SpamAssassin, Vpopmail, ClamAV, Roundcube, SSL

i-Comunicação e Faros Educacional André Gonçalves Araujo

andre.araujo@icomunicacao.com.br


Test Environment

Operating system: Debian Squeeze
Hardware: virtual machine (VMware Player), 20 GB disk


Download of the packages needed to install and configure the whole server.

Install Daemontools and ucspi-tcp

aptitude install ucspi-tcp daemontools daemontools-run

Install Courier packages

aptitude install courier-base courier-authdaemon courier-authlib courier-authlib-mysql courier-imap courier-imap-ssl courier-pop-ssl courier-pop courierpassd courier-maildrop gamin

You should accept all the default answers

Install needed compiler, tools and library

aptitude install cpp g++ gcc make automake wget telnet libtool patch patchutils logrotate dh-make-perl libltdl7 libcdb1 equivs expect openssl libssl-dev libgmp3-dev libgdbm-dev libpcre++-dev libpcre-ocaml libpcre-ocaml-dev

For security reasons, it's a good idea to remove the compilers (cpp, g++, gcc and make) after you complete this guide.

Install MySQL database and libraries

aptitude install mysql-common mysql-client-5.1 mysql-server-core-5.1 libmysqlclient16 libmysqlclient-dev

Remember your root MySQL password (described as MySQL_root_password later in this guide)

Install Apache & PHP

aptitude install apache2 php5 php5-common libapache2-mod-php5 php5-mysql

Accept the default proposal about apache2-mpm-worker

Install antispam and antivirus

aptitude install spamassassin spamc pyzor razor clamav-daemon clamav-docs

Install un-archiver tools

aptitude install arj unrar lha unzip bzip2 tar tnef

Install perl modules

aptitude install perl-suid spf-tools-perl libmailtools-perl libnet-cidr-lite-perl libnet-daemon-perl libtest-distribution-perl libmail-spf-perl libperl-dev

aptitude install libhtml-format-perl libhtml-parser-perl libhtml-tagset-perl libhtml-tree-perl perl-doc libdate-manip-perl libio-string-perl libio-socket-ssl-perl libnet-ident-perl libsys-syslog-perl libencode-detect-perl


aptitude install libnet-dns-perl libplrpc-perl libtimedate-perl libcompress-zlib-perl libdigest-hmac-perl libdigest-sha1-perl libparse-syslog-perl libmail-dkim-perl libcrypt-openssl-bignum-perl

Install debug / manipulation tools

Those last ones are not mandatory but are useful if you need to debug

aptitude install dnsutils whois findutils pciutils less net-tools tcpdump iptraf lsof dstat iotop htop mc locate

For the whole installation procedure we will work with all packages inside the /downloads directory.

mkdir /downloads
cd /downloads

wget http://qmailrocks.thibs.com/downloads/debian-qmr.tar.gz
tar zxvf debian-qmr.tar.gz


Creating Groups and Users

After downloading the files, it is necessary to create the users and groups that will run the mail service.

Qmail is a set of smaller programs that work together to provide the sending and receiving of e-mail. For this whole process to be carried out securely it is extremely important that every file and directory belongs to its proper owner and group.

Note that if it is ever necessary to reinstall the mail server, performing a backup and restore, you must make sure that the numeric UIDs and GIDs of the users are preserved. This matters because the programs are compiled with the specific UIDs and GIDs given in this tutorial.

If you wish to change these values, you must also change the courier-authlib configuration.

groupadd -g 161 nofiles
groupadd -g 162 qmail
groupadd -g 163 qscand
groupadd -g 89 vchkpw

useradd -u 161 -g nofiles -d /var/qmail/alias -s /sbin/nologin -p '*' -c 'QMail alias user' alias
useradd -u 162 -g nofiles -d /var/qmail -s /sbin/nologin -p '*' -c 'QMail daemon user' qmaild
useradd -u 163 -g nofiles -d /var/qmail -s /sbin/nologin -p '*' -c 'QMail log user' qmaill
useradd -u 164 -g nofiles -d /var/qmail -s /sbin/nologin -p '*' -c 'QMail password user' qmailp
useradd -u 165 -g qmail -d /var/qmail -s /sbin/nologin -p '*' -c 'QMail queue user' qmailq
useradd -u 166 -g qmail -d /var/qmail -s /sbin/nologin -p '*' -c 'QMail remote user' qmailr
useradd -u 167 -g qmail -d /var/qmail -s /sbin/nologin -p '*' -c 'QMail send user' qmails
useradd -u 89 -g vchkpw -d /home/vpopmail -s /sbin/nologin -p '*' -c 'Vpopmail (virtual domains) user' vpopmail


mkdir /var/qmail
mkdir /usr/src/qmail
mkdir -p /var/log/qmail/qmail-send
mkdir -p /var/log/qmail/qmail-smtpd
mkdir -p /var/log/qmail/qmail-smtpdssl
chown -R qmaill:root /var/log/qmail
chmod -R 750 /var/log/qmail

Installing Qmail, ucspi-tcp and ucspi-ssl

The Debian repositories do contain a Qmail source package, but the reason we will not use it is simple: once installed, its files end up in many different locations, which makes documenting and understanding the Qmail layout somewhat harder.

Extracting the sources

cd /usr/src/qmail
tar -zxvf /downloads/qmail-1.03.tar.gz

Patch it with John M. Simpson's combined patches (they include every patch that is part of netqmail-1.05, but also some others!)

cd /usr/src/qmail/qmail-1.03


Install Ezmlm-idx

Ezmlm-idx is a mailing list manager, an add-on for Qmail. Once Qmailadmin is installed, you will see that ezmlm-idx integrates perfectly into Qmailadmin to provide mailing lists with a very friendly list management interface. As an added bonus, Vpopmail (which we will also install) lets you control what users can and cannot do with the mailing lists. Its web page is here: http://www.ezmlm.org/

cd /downloads/
tar zxvfp ezmlm-idx-7.1.1.tar.gz
cd /downloads/ezmlm-idx-7.1.1
ln -s /downloads/ezmlm-idx-7.1.1/lang/en_US/ /downloads/ezmlm-idx-7.1.1/lang/default
make clean
make; make man
./ezmlm-test

You should receive messages like the ones below:

ezmlm-make: OK
Using subdb plugin: std
ezmlm-reject: OK
ezmlm-[un|is]sub[n]: OK
ezmlm-checksub: OK
ezmlm-send: OK
ezmlm-tstdig: OK
ezmlm-weed: OK
ezmlmrc contents: OK
ezmlm-clean: OK
ezmlm-store: OK
ezmlm-return: OK
ezmlm-warn (1/2): OK
ezmlm-manage (1/2): OK
ezmlm-request: OK
ezmlm-split: OK
ezmlm-gate: OK
ezmlm-idx: OK
ezmlm-get (index): OK
ezmlm-get (get): OK
ezmlm-get (thread): OK
ezmlm-get (digest): OK
ezmlm-manage (2/2): OK
ezmlm-moderate: OK
ezmlm-warn (2/2): OK
ezmlm-archive: OK
ezmlm-dispatch: OK
dispatch editor: OK
decode sender: OK
Verifying message header and body contents...
flags and substs: OK
messages: OK
subscribe probe: OK
unsubscribe probe: OK
subscribe: OK
unsubscribe: OK
moderated subscribe: OK
moderated unsub: OK
subscribe by mod: OK
unsubscribe by mod: OK
copylines: OK
ezmlm-send: OK
Cleaning up...

Edit the file /downloads/ezmlm-idx-7.1.1/conf-ld and replace the first line with:

cc -g -B /usr/lib/mysql/

password for ezmlmuser (EZMLM_PASSWORD).

mysql -pMySQL_root_password

CREATE DATABASE ezmlm;
GRANT ALL PRIVILEGES ON ezmlm.* TO ezmlmuser@localhost IDENTIFIED BY 'EZMLM_PASSWORD';
FLUSH PRIVILEGES;
quit;

Let's test the account we just created:

mysql -uezmlmuser -pEZMLM_PASSWORD
exit;

You should get a response like this:

Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 39
Server version: 5.0.51a-24+lenny4-log (Debian)
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql>exit;

Installing and testing MySQL support:

cd /downloads/ezmlm-idx-7.1.1
make mysql
./ezmlm-test -s mysql -u ezmlmuser -p EZMLM_PASSWORD -h localhost

You should receive a response like this:

ezmlm-make: OK
Using subdb plugin: mysql
ezmlm-reject: OK
ezmlm-[un|is]sub[n]: OK
ezmlm-checksub: OK
ezmlm non-SQL: OK
ezmlm SQL: OK
...

Finishing the installation:

make install

Ezmlm-0.53 is a qmail-based mailing list manager written by Dan J. Bernstein (qmail's author); ezmlm-idx originated as an add-on to it. It now exists as a complete package on its own, but can still be considered essentially an extension of ezmlm.

Installing Autorespond

Autorespond does exactly what you think it does: it generates automatic replies for users' mailboxes.

cd /downloads/
tar zxvf autorespond-2.0.5.tar.gz
cd /downloads/autorespond-2.0.5
make && make install

Installing Vpopmail

Vpopmail is one of the main components of this installation. Vpopmail lets us host virtual mail domains. It has numerous built-in tools and features that make administration work more pleasant. Even if you do not want to host mail for several domains, I still recommend installing Vpopmail. It simply makes the mail game easier. Besides, this installation revolves around it, so if you do not install it you will have a headache.

Creating the database

MySQL_root_password must be the password chosen in step 3, and the password for vpopmailuser (VPOPMAIL_PASSWORD) must be different from the root password.

mysql -pMySQL_root_password

CREATE DATABASE vpopmail;
GRANT select,insert,update,delete,create,drop ON vpopmail.* TO vpopmailuser@localhost IDENTIFIED BY 'VPOPMAIL_PASSWORD';
FLUSH PRIVILEGES;
quit;

Testing the account we created:

mysql -uvpopmailuser -pVPOPMAIL_PASSWORD

You should get a response like this:

Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 39
Server version: 5.0.51a-24+lenny4-log (Debian)
mysql>exit;

Preparing the installation

mkdir -p /home/vpopmail/etc
chown -R vpopmail:vchkpw /home/vpopmail
chmod 770 /home/vpopmail
cd /home/vpopmail/etc
echo "localhost|0|vpopmailuser|VPOPMAIL_PASSWORD|vpopmail" > ~vpopmail/etc/vpopmail.mysql
chown vpopmail:vchkpw ~vpopmail/etc/vpopmail.mysql
chmod 640 ~vpopmail/etc/vpopmail.mysql

Compiling

cd /downloads/
tar zxvf vpopmail-5.4.33.tar.gz
cd /downloads/vpopmail-5.4.33
./configure \
 --enable-qmaildir=/var/qmail/ \
 --enable-qmail-newu=/var/qmail/bin/qmail-newu \
 --enable-qmail-inject=/var/qmail/bin/qmail-inject \
 --enable-qmail-newmrh=/var/qmail/bin/qmail-newmrh \
 --enable-tcprules-prog=/usr/bin/tcprules \
 --enable-tcpserver-file=/etc/tcp.smtp \
 --enable-clear-passwd \
 --enable-many-domains \
 --enable-valias \
 --enable-qmail-ext \
 --enable-logging=p \
 --enable-auth-logging \
 --enable-sql-logging \
 --enable-auth-module=mysql \
 --enable-incdir=/usr/include/mysql \
 --enable-libdir=/usr/lib/ \
 --disable-mysql-limits \
 --disable-passwd
make && make install-strip

Modifying this file is necessary to avoid segmentation faults in some cases.

cat > ~vpopmail/etc/vusagec.conf << __EOF__
Server:
{
  Disable = True;
}
__EOF__

Installing Qmailadmin

Qmailadmin is a tool that provides a web interface for Qmail administration. Contrary to what the tutorials say, it does not have a friendly interface; still, with it you can perform many operations such as creating e-mail accounts, aliases, forwards, autoresponders and mailing lists.

cd /downloads/
tar zxvf qmailadmin-1.2.16.tar.gz
cd /downloads/qmailadmin-1.2.16
./configure \
 --enable-cgibindir=/var/www/mail/cgi-bin/ \
 --enable-htmldir=/var/www/mail/cgi-bin/ \
 --enable-imageurl=../../images \
 --enable-imagedir=/var/www/mail/images \
 --enable-domain-autofill \
 --enable-ezmlmdir=/usr/local/bin/ezmlm \
 --enable-autorespond=/usr/bin/autorespond
make && make install-strip

cd /var/www/mail/images
rm middleleft1.png
wget http://mailadmin.thibs.com/images/middleleft1.png

We will test the web interface later.

Enabling the web tools

In the previous steps we installed two administration tools for the mail server; now we will enable them.

First it is necessary to create an entry on the DNS server (a CNAME or A record). For this environment the domain mailadmin.intranet.ico was created, pointing to the virtual server. It can be any name except the hostname of the server.

Then we create the virtual host in Apache pointing to the registered domain.

The file /etc/apache2/sites-available/mailadmin.intranet.ico has the following content:

---
<VirtualHost *:80>
  ServerAdmin andre@intranet.ico
  DocumentRoot /var/www/mail
  ServerName mailadmin.intranet.ico
  ErrorLog /var/log/apache2/mailadmin.intranet.ico-error.log
  CustomLog /var/log/apache2/mailadmin.intranet.ico-access.log common
  <Directory /var/www/mail/cgi-bin/>
    Options ExecCGI FollowSymLinks -Indexes
    ForceType cgi-script
    AllowOverride All
    Order allow,deny
    Allow from all
  </Directory>
    Options ExecCGI -Indexes
    AllowOverride All
    Order deny,allow
  </Directory>
  <Directory /var/www/mail/qmailadmin/>
    Options -Indexes
    Order allow,deny
    Allow from all
  </Directory>
  <Directory /var/www/mail/cgi-bin/images/>
    ForceType Off
    Options -Indexes
    Order allow,deny
    Allow from all
  </Directory>
  <Directory /var/www/mail/images/qmailadmin/>
    ForceType Off
    Options -Indexes
    Order allow,deny
    Allow from all
  </Directory>
  <Directory /var/www/mail/images/vqadmin/>
    ForceType Off
    Options -Indexes
    Order allow,deny
    Allow from all
  </Directory>
</VirtualHost>
---

a2ensite mailadmin.intranet.ico
/etc/init.d/apache2 reload

Enter the following address in the browser to test qmailadmin: http://mailadmin.intranet.ico/cgi-bin/qmailadmin

Remove installed MTA

Exim is the default installed MTA on Debian. Stop and remove Exim:

/etc/init.d/exim4 stop
dpkg --ignore-depends=exim4 -r exim4
dpkg --ignore-depends=exim4-daemon-light -r exim4-daemon-light

If you are using sendmail or postfix:

dpkg --purge --ignore-depends=postfix postfix
dpkg --purge sendmail sendmail-base sendmail-bin sendmail-cf

Install a pseudo MTA to avoid problems within the Debian system:

dpkg -i /downloads/deb-packages/mta-local_1.0_all.deb

Create symlinks to use Qmail instead of the default MTA:

rm -f /usr/lib/sendmail
rm -f /usr/sbin/sendmail
ln -s /var/qmail/bin/sendmail /usr/lib/sendmail
ln -s /var/qmail/bin/sendmail /usr/sbin/sendmail

Configure Qmail

It's time to configure Qmail ...

Copy the script to its proper location (view the script qmailctl):

cp /downloads/scripts/qmailctl /var/qmail/bin/qmailctl

Adapt the script permissions:

chmod 755 /var/qmail/bin/qmailctl

The script /var/qmail/rc (view here) is no longer used. In the original qmailrocks installation guide it was used by the script send_run, which is replaced by service-send-run (from John M. Simpson) in this guide.

Create the needed symlinks:

ln -s /var/qmail/bin/qmailctl /usr/bin

Set Maildir as the default mailbox type (./Mailbox for mbox type):

echo ./Maildir > /var/qmail/control/defaultdelivery

Set some configuration (you can find more on http://www.lifewithqmail.com/lwq.html#configuration):

echo 255 > /var/qmail/control/concurrencyremote
echo 30 > /var/qmail/control/concurrencyincoming
echo 30 > /var/qmail/control/timeoutsmtpd
echo postmaster@yourdomain.tld > /var/qmail/control/bouncefrom
echo yourdomain.tld > /var/qmail/control/doublebouncehost
echo postmaster > /var/qmail/control/doublebounceto
cd /var/qmail/control/
chmod 644 bouncefrom doublebouncehost doublebounceto concurrencyremote concurrencyincoming spfbehavior

Set the maximum message size to 8 MB:

echo '8000000' > /var/qmail/control/databytes

Allow localhost to send mail:

echo '127.:allow,RELAYCLIENT=""' >> /etc/tcp.smtp
qmailctl cdb

If you use backup MX servers or if this server is acting as a smart host for others, I advise you to run:

echo 'OTHER-SERVER-IP:allow,RELAYCLIENT="",QS_SPAMASSASSIN="1"' >> /etc/tcp.smtp
qmailctl cdb
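The address prefix in each tcp.smtp line is what keeps RELAYCLIENT limited to your own hosts: a line whose prefix is empty matches every client, so an empty-prefix rule carrying RELAYCLIENT makes the server an open relay. The script below is an added example (not from the tutorial or the qmailrocks scripts) that audits a tcprules file for exactly that before you run qmailctl cdb; the rule files it creates are constructed samples and the name audit_tcp_smtp is this example's own.

```shell
#!/bin/sh
# Added example, not from the tutorial: audit a tcprules file such as /etc/tcp.smtp.
# A rule whose address part (everything before the first ':') is empty matches
# every connecting client; combined with RELAYCLIENT it turns the box into an open relay.

# audit_tcp_smtp FILE
# Prints every relay rule; returns 1 if an open-relay rule is found, else 0.
audit_tcp_smtp() {
  file=$1
  rc=0
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in
      ''|'#'*) continue ;;             # blank lines and comments
    esac
    addr=${line%%:*}                   # address prefix, e.g. 127. or 192.168.10.5
    rule=${line#*:}                    # instruction, e.g. allow,RELAYCLIENT=""
    case $rule in
      *RELAYCLIENT*)
        if [ -z "$addr" ]; then
          echo "OPEN RELAY: '$line' grants RELAYCLIENT to every client"
          rc=1
        else
          echo "relay allowed for prefix '$addr'"
        fi ;;
    esac
  done < "$file"
  return $rc
}

# Constructed sample rule files (not a real /etc/tcp.smtp).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/tcp.smtp.good" <<'EOF'
# only localhost and one backup MX may relay; everyone else may only deliver locally
127.:allow,RELAYCLIENT=""
192.168.10.5:allow,RELAYCLIENT="",QS_SPAMASSASSIN="1"
:allow
EOF
cat > "$SAMPLE_DIR/tcp.smtp.bad" <<'EOF'
# a catch-all rule that grants relaying to the whole Internet
127.:allow,RELAYCLIENT=""
:allow,RELAYCLIENT=""
EOF

echo "== good sample =="
audit_tcp_smtp "$SAMPLE_DIR/tcp.smtp.good" && echo "no open-relay rule"
echo "== bad sample =="
audit_tcp_smtp "$SAMPLE_DIR/tcp.smtp.bad" || echo "fix this file before running qmailctl cdb"
```

Run audit_tcp_smtp /etc/tcp.smtp after each edit; only rebuild the cdb (qmailctl cdb) when it exits 0.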

If you want to learn about other available options, take a look at this sample.

Create mail aliases:

echo some_address > /var/qmail/alias/.qmail-root
echo some_address > /var/qmail/alias/.qmail-postmaster
echo some_address > /var/qmail/alias/.qmail-mailer-daemon

where some_address is the system user or e-mail address you want these addresses aliased to.

chmod 644 /var/qmail/alias/.qmail*

Final configuration:

cd /usr/src/qmail/qmail-1.03
./config-fast YOUR_SERVER_NAME

Configure Daemontools

Daemontools is a collection of Unix tools for managing services. Its home page is here: http://cr.yp.to/daemontools.html

If you don't want to read about it, just remember that it automatically restarts a crashing service (but it allows a lot of other things and I really advise you to read about it...)

It has already been installed with a Debian package.

In this guide version, we'll use it only to manage the processes qmail-smtpd, qmail-send and qmail-smtpdssl. I however plan to manage other services in a next release.

Create the needed directories with appropriate permissions:

mkdir -p /var/qmail/supervise/qmail-smtpd/log
mkdir -p /var/qmail/supervise/qmail-send/log
mkdir -p /var/qmail/supervise/qmail-smtpdssl/log
cd /var/qmail/supervise
chmod +t qmail-smtpd qmail-send qmail-smtpdssl

Copy the scripts to their proper locations (service-qmail-send-run, send_log, service-qmail-smtpd-run, smtpd_log, service-qmail-smtpdssl-run, smtpdssl_log):

cp /downloads/scripts/service-qmail-send-run /var/qmail/supervise/qmail-send/run
cp /downloads/scripts/send_log /var/qmail/supervise/qmail-send/log/run
cp /downloads/scripts/service-qmail-smtpd-run /var/qmail/supervise/qmail-smtpd/run
cp /downloads/scripts/smtpd_log /var/qmail/supervise/qmail-smtpd/log/run
cp /downloads/scripts/service-qmail-smtpdssl-run /var/qmail/supervise/qmail-smtpdssl/run
cp /downloads/scripts/smtpdssl_log /var/qmail/supervise/qmail-smtpdssl/log/run

Adapt permissions:

chmod 751 /var/qmail/supervise/qmail-smtpd/run
chmod 751 /var/qmail/supervise/qmail-smtpd/log/run
chmod 751 /var/qmail/supervise/qmail-send/run
chmod 751 /var/qmail/supervise/qmail-send/log/run
chmod 751 /var/qmail/supervise/qmail-smtpdssl/run
chmod 751 /var/qmail/supervise/qmail-smtpdssl/log/run

Create symlinks in the /etc/service directory:

ln -s /var/qmail/supervise/qmail-send /var/qmail/supervise/qmail-smtpd /var/qmail/supervise/qmail-smtpdssl /etc/service

Create a symlink from the Debian convention to the standard convention:

ln -s /etc/service /service

Configure spamassassin

Spamassassin is the antispam system we'll use.

Edit /etc/default/spamassassin to change the following options:

ENABLED=1
OPTIONS="--create-prefs --max-children 5 --helper-home-dir -u vpopmail -v -x -i -m 5 -c -H -s mail"

Edit /etc/spamassassin/local.cf to change the following options. Uncomment the following lines:

required_score 5.0
use_bayes 1
bayes_auto_learn 1

Add the following lines:

use_razor2 1
skip_rbl_checks 1
use_dcc 1
use_pyzor 1
razor_config /etc/razor/razor-agent.conf

OPTIONAL: If you want to report spam with Vipul's Razor spam-reporting system:

razor-admin -d -home=/etc/razor -create

Uncomment this in /etc/spamassassin/v310.pre:

loadplugin Mail::SpamAssassin::Plugin::DCC

Uncomment this in /etc/spamassassin/v320.pre:

loadplugin Mail::SpamAssassin::Plugin::Rule2XSBody

Install the IP::Country::Fast perl package (deb):

dpkg -i /downloads/deb-packages/libip-country-perl_2.27-1_all.deb

Uncomment this in /etc/spamassassin/init.pre:

loadplugin Mail::SpamAssassin::Plugin::RelayCountry

Create a compiled version of some rulesets:

sa-compile

Test the configuration and start the service:

/usr/bin/spamassassin -D --lint

Configure clamav

Clamav is the antivirus system we'll use.

dpkg-reconfigure clamav-base

Change the clamav user/group to qscand and keep all of the other default settings (Group - Owner).

dpkg-reconfigure clamav-freshclam

Choose daemon + your location + default answers.

chown -R qscand:clamav /var/log/clamav /var/lib/clamav /var/run/clamav
chown qscand:qscand /etc/clamav/freshclam.conf
chmod 600 /etc/clamav/freshclam.conf
ln -s /var/log/clamav /var/log/qmail/clamav

Edit /etc/clamav/freshclam.conf to change the DatabaseOwner option:

DatabaseOwner qscand

Change both /etc/logrotate.d/clamav-freshclam and /etc/logrotate.d/clamav-daemon to create the log file with the correct identity:

create 640 qscand qscand

Restart the services:

/etc/init.d/clamav-daemon restart
/etc/init.d/clamav-freshclam restart

Configure courier and courier-authlib

Adapt the automatically generated SSL certificate

During package installation, all the needed courier packages have been installed. Nevertheless, the generated SSL certificates probably do not match your needs. We'll simply re-generate them.

Edit the files /etc/courier/imapd.cnf and /etc/courier/pop3d.cnf to match your settings:

[ req_dn ]
C=BE
ST=Brussels
L=Brussels
O=Courier Mail Server
OU=POP3/IMAP SSL key
CN=Your FQDN server
emailAddress=Your e-mail address

Re-generate the certificates with the correct information and a validity of 10 years:

rm -f /usr/lib/courier/*.pem
rm -f /etc/courier/*.pem
sed -i 's/-days 365/-days 3650/' /usr/lib/courier/mkimapdcert
sed -i 's/-days 365/-days 3650/' /usr/lib/courier/mkpop3dcert
dpkg-reconfigure courier-imap-ssl
ln -s /usr/lib/courier/pop3d.pem /etc/courier/pop3d.pem
ln -s /usr/lib/courier/imapd.pem /etc/courier/imapd.pem

Configure courier-authlib

Courier-authlib is the authentication library used by all the courier components.

We'll use the MySQL database used by vpopmail (which already contains the authentication info) instead of the vchkpw method used in the previous QMR guide (because it's no longer implemented/supported since version 0.60).

Please remember the settings used in step 4, you'll need to use them again.

As courier-authlib and courier-authlib-mysql have been installed with Debian packages, we only have to configure them.

Edit /etc/courier/authdaemonrc and change line 27 to match the following:

authmodulelist="authmysql"

Edit /etc/courier/authmysqlrc and adapt the variables to match the following (put in the password chosen in step 4):

MYSQL_SERVER localhost
MYSQL_USERNAME vpopmailuser
MYSQL_PASSWORD VPOPMAIL_PASSWORD
MYSQL_DATABASE vpopmail
MYSQL_SELECT_CLAUSE SELECT CONCAT(pw_name, '@', pw_domain) AS username, \
  pw_passwd AS cryptpw, \
  pw_clear_passwd AS clearpw, \
  '89' AS uid, \
  '89' AS gid, \
  pw_dir AS home, \
  '' AS maildir, \
  pw_shell AS quota, \
  pw_gecos AS fullname, \
  'disablewebmail=0,disablepop3=0,disableimap=0' AS options \
  FROM vpopmail \
  WHERE \
  pw_name = '$(local_part)' \
  AND \
  pw_domain = '$(domain)'; \

If needed, replace 89 by the alternate UID:GID chosen in Part 1.

Restart the service to take those modifications into account:

/etc/init.d/courier-authdaemon restart

Install qmail-scanner

qmail-scanner is an alternate queuing system for qmail.

Qmail-scanner is going to allow us to integrate Clam Antivirus and SpamAssassin into our qmail server's mail queue. Once qmail-scanner is installed, there will be a master script that is filled with configuration options that help you to tailor the functionality of Clam Antivirus and SpamAssassin to your needs.

We have patched the qmail source to support it in step 2 and we have implemented it in step 10. It's now time to install it ;-)

cd /downloads/
tar zxvf q-s-2.08st-20100626.tgz
cd /downloads/qmail-scanner-2.08st
./configure --admin postmaster --domain your_domain --local-domains "your_domain" --sa-quarantine 5 --ignore-eol-check yes --add-dscr-hdrs yes --notify psender,admin --sa-report yes --fix-mime 1 --unzip 1 --archive 0 --silent-viruses auto --redundant no --log-crypto 0
./configure --admin postmaster --domain your_domain --local-domains "your_domain" --sa-quarantine 5 --ignore-eol-check yes --add-dscr-hdrs yes --notify psender,admin --sa-report yes --fix-mime 1 --unzip 1 --archive 0 --silent-viruses auto --redundant no --log-crypto 0 --install 1
ln -s /var/spool/qscan /var/log/qmail/qscan

Let's test it ... First switch to a non-privileged user account:

su - non-privileged_user_account
/var/qmail/bin/qmail-scanner-queue.pl -g

You should have an answer like this:

perlscanner: generate new DB file from /var/spool/qscan/quarantine-events.txt
perlscanner: total of 35 entries.

Switch back to the root account:

exit

Add it to the log rotation system:

cp /downloads/qmail-scanner-2.08st/contrib/logrotate.qmail-scanner /etc/logrotate.d/qmail-scanner
chmod 644 /etc/logrotate.d/qmail-scanner

Launch qmail:

qmailctl start
qmailctl stat

You should see something like this:

/service/qmail-send: up (pid 17762) 63 seconds
/service/qmail-send/log: up (pid 17763) 63 seconds
/service/qmail-smtpd: up (pid 18500) 63 seconds
/service/qmail-smtpd/log: up (pid 17767) 63 seconds
/service/qmail-smtpdssl: up (pid 18496) 63 seconds
/service/qmail-smtpdssl/log: up (pid 17773) 63 seconds
messages in queue: 0
messages in queue but not yet preprocessed: 0

If you notice that some service stays at 1 second, check the corresponding log to debug it:

tail /var/log/qmail/qmail-send/current
tail /var/log/qmail/qmail-smtpd/current
tail /var/log/qmail/qmail-smtpdssl/current

chmod 755 test_installation.sh
./test_installation.sh -doit

You should have an answer like this:

Sending standard test message - no viruses... 1/4 done!
Sending eicar test virus - should be caught by perlscanner module... 2/4 done!
Sending eicar test virus with altered filename - should only be caught by commercial anti-virus modules (if you have any)... 3/4 done!
Sending bad spam message for anti-spam testing - In case you are using SpamAssassin... 4/4
If you have enabled $sa_quarantine, $sa_delete or $sa_reject the spam-message wont't arrive to the recipients. But if you have enabled (good idea!) 'minidebug' or 'debug' you should check /var/spool/qscan/qmail-queue.log (or where ever you have the log).
Done!
Finished test. Now go and check Email sent to postmaster@domain.tld and/or the log..

OPTIONAL: You can receive daily statistics:

echo '/var/spool/qscan/log-report.sh /var/spool/qscan/qmail-queue.log |mail YOUR E-MAIL ADDRESS' > /etc/cron.daily/qmailscanner-report

Install the roundcubemail webmail interface

cd /downloads/
tar zxvfp roundcubemail-0.5.3.tar.gz
chown -R root:root /downloads/roundcubemail-0.5.3
mv /downloads/roundcubemail-0.5.3 /var/www/mail/
ln -s /var/www/mail/roundcubemail-0.5.3/ /var/www/mail/webmail
ln -s /var/www/mail/webmail/logs /var/log/webmail
chmod 777 /var/www/mail/webmail/logs/
chmod 777 /var/www/mail/webmail/temp/

Create the needed database.

The MySQL_root_password used should be the password chosen in pre-step 3. It should not be the same as the password for roundcubemail (ROUNDCUBEMAILPASSWORD).

It's not a typo: the MySQL_root_password really should be written right after the -p.

mysql -pMySQL_root_password

CREATE DATABASE roundcubemail /*!40101 CHARACTER SET utf8 COLLATE utf8_general_ci */;
GRANT ALL PRIVILEGES ON roundcubemail.* TO roundcube@localhost IDENTIFIED BY 'ROUNDCUBEMAILPASSWORD';
quit;

Test the account you have just created:

mysql -uroundcube -pROUNDCUBEMAILPASSWORD
exit;

Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 39
Server version: 5.0.51a-24+lenny4-log (Debian)
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

Let's configure it:

cd /var/www/mail/webmail
mysql -uroundcube -pROUNDCUBEMAILPASSWORD roundcubemail < SQL/mysql.initial.sql
cp /var/www/mail/webmail/config/db.inc.php.dist /var/www/mail/webmail/config/db.inc.php
cp /var/www/mail/webmail/config/main.inc.php.dist /var/www/mail/webmail/config/main.inc.php

Edit the file /var/www/mail/webmail/config/main.inc.php and change the following:

$rcmail_config['default_host'] = 'localhost';

Edit the file /var/www/mail/webmail/config/db.inc.php and change the following:

$rcmail_config['db_dsnw'] = 'mysql://roundcube:ROUNDCUBEMAILPASSWORD@localhost/roundcubemail';

OPTIONAL: You can specify other parameters through the web interface. Point your browser at http://mailadmin.intranet.ico/webmail/installer/ and follow the instructions.

You can add some packages for optional features:

aptitude install php5-gd php5-mcrypt php5-intl
/etc/init.d/apache2 restart

Just a little cleaning ... and use it!

cd /var/www/mail/webmail
rm -rf installer/ CHANGELOG INSTALL LICENSE README UPGRADING

Your server is functional now!

Test Qmail functionalities

We first check that the server listens on the right ports:

netstat -tupan | grep LISTEN

You should have at least those belonging to the mail services installed in this guide:

tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      2218/mysqld
tcp        0      0 0.0.0.0:783             0.0.0.0:*               LISTEN      2302/spamd.pid
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1901/portmap
tcp        0      0 0.0.0.0:49168           0.0.0.0:*               LISTEN      1912/rpc.statd
tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN      3063/sslserver
tcp        0      0 127.0.0.1:1013          0.0.0.0:*               LISTEN      2957/famd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2141/sshd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      3056/tcpserver
tcp6       0      0 :::993                  :::*                    LISTEN      2924/couriertcpd
tcp6       0      0 :::995                  :::*                    LISTEN      2942/couriertcpd
tcp6       0      0 :::110                  :::*                    LISTEN      2930/couriertcpd
tcp6       0      0 :::143                  :::*                    LISTEN      2911/couriertcpd
tcp6       0      0 :::80                   :::*                    LISTEN      2999/apache2

In this case, Qmail should now be able to send and receive e-mails.
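Reading the netstat output by eye works once; the script below is an added example (not from the tutorial) that turns the check into something repeatable: it parses saved "netstat -tupan | grep LISTEN" output, reports which of this guide's ports (SMTP 25, SMTPS 465, POP3 110/995, IMAP 143/993, spamd 783, MySQL 3306) are missing, and warns when a service that only needs local access is bound to all interfaces, as spamd is in the listing above. The sample netstat lines are constructed from that listing, and the names check_listen and listening_ports are this example's own.

```shell
#!/bin/sh
# Added example, not from the tutorial: check "netstat -tupan | grep LISTEN" output
# for the ports this guide's services must expose, and warn when services that
# only need local access (spamd, MySQL) are bound to all interfaces.
EXPECTED_PORTS="25 465 110 143 993 995 783 3306"   # SMTP SMTPS POP3 IMAP IMAPS POP3S spamd MySQL
LOCAL_ONLY_PORTS="783 3306"                         # only qmail-scanner/spamc and vpopmail talk to these

# listening_ports FILE : print the distinct listening ports found in the netstat output
listening_ports() {
  awk '$6 == "LISTEN" { sub(/.*:/, "", $4); print $4 }' "$1" | sort -un | tr '\n' ' '
}

# check_listen FILE
# Prints one line per expected port plus exposure warnings; returns 1 if a port is missing.
check_listen() {
  rc=0
  open=$(listening_ports "$1")
  for port in $EXPECTED_PORTS; do
    case " $open " in
      *" $port "*) echo "port $port: listening" ;;
      *)           echo "port $port: NOT listening"; rc=1 ;;
    esac
  done
  # Local-only services should be bound to 127.0.0.1 or ::1, not 0.0.0.0 / ::
  for port in $LOCAL_ONLY_PORTS; do
    awk -v p="$port" '$6 == "LISTEN" && $4 ~ (":" p "$") && $4 !~ /^(127\.|::1:)/ {
      print "WARNING: port " p " (" $7 ") is bound to " $4 ", reachable from all interfaces" }' "$1"
  done
  return $rc
}

# Constructed sample output (modelled on the listing above): a full set, and
# one where sslserver (port 465) is not running.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/netstat.full" <<'EOF'
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      2218/mysqld
tcp        0      0 0.0.0.0:783             0.0.0.0:*               LISTEN      2302/spamd.pid
tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN      3063/sslserver
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2141/sshd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      3056/tcpserver
tcp6       0      0 :::993                  :::*                    LISTEN      2924/couriertcpd
tcp6       0      0 :::995                  :::*                    LISTEN      2942/couriertcpd
tcp6       0      0 :::110                  :::*                    LISTEN      2930/couriertcpd
tcp6       0      0 :::143                  :::*                    LISTEN      2911/couriertcpd
tcp6       0      0 :::80                   :::*                    LISTEN      2999/apache2
EOF
grep -v ':465 ' "$SAMPLE_DIR/netstat.full" > "$SAMPLE_DIR/netstat.nossl"

echo "== full listing =="
check_listen "$SAMPLE_DIR/netstat.full" && echo "all expected ports are up"
echo "== sslserver down =="
check_listen "$SAMPLE_DIR/netstat.nossl" || echo "check /var/log/qmail/qmail-smtpdssl/current"
```

On the live server, save the listing with netstat -tupan | grep LISTEN > /tmp/listen.txt and run check_listen /tmp/listen.txt; a WARNING for port 783 means spamd accepts connections from the network, which this setup does not need.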

Receiving e-mails

telnet localhost 25

Connected to localhost.
Escape character is '^]'.
220 servername.localdomain.tld ESMTP
mail from: <testmail@test.com>
250 ok
rcpt to: <nospam@test.com>
250 ok
data
354 go ahead
From: Test_sender <testmail@test.com>
To: Test_receiver <nospam@test.com>
Subject: Just a stupid SMTP test

Just a test !
.
250 ok 1279384489 qp 3711
quit
221 servername.localdomain.tld
Connection closed by foreign host.

This demonstrates a successful SMTP connection!

For our tests, we need to create a dummy account:

/home/vpopmail/bin/vadddomain test.com brol
/home/vpopmail/bin/vadduser test@test.com brol2
qmailctl reload

We can also create a real account:

/home/vpopmail/bin/vadddomain your_real_domain.tld your_postmaster_password
/home/vpopmail/bin/vadduser an_account@your_real_domain.tld your_account_password
qmailctl reload

You can of course do the same thing via the vqadmin and qmailadmin web interfaces. "brol" is a Belgian idiom that means "something useless".

You can send a test mail to an_account@your_real_domain.tld from you regular mail client. We 'll retrieve it in the next step but if you don't receive a NDR, it's probably already OK

Sending e-mail through an authentificate connection : Testing TLS

telnet localhost 25

You should have an answer like this: Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. 220 servername.domain.tld ESMTP ehlo localhost 250-servername.domain.tld 250-STARTTLS 250-SIZE 0 250-PIPELINING 250 8BITMIME starttls 220 ready for tls quit quit

In the above SMTP session, I have higlighted the important aspects in DARK RED. After you give the server the initial "ehlo localhost" command, you should get a response back that lists "250-STARTTLS", signaling that the server is in fact equipped for TLS functionality. Then, after you issue the "starttls" command, you should get the :"220 ready for tls" response if the server is able to successfully start the TLS session.

If you happen to get an error that states "454 TLS not available: missing RSA private key (#4.3.0)" after you issue the "starttls" command, you will want to check 2 things:

1. Verify that the cert actually exists at /var/qmail/control/servercert.pem. If it's not there, go back to step 2 and repeat the cert creation step.

2. Verify that the cert is owned by vpopmail:qmail. If it's not, then make it so like this :

chown vpopmail:qmail /var/qmail/control/servercert.pem

Now that we have verified that the server supports the STARTTLS command, we can use openssl s_client to connect.


This command is equivalent to the previous sequence until the "220 ready for tls" message. The "verify error:num=18:self signed certificate" line is expected here: the server presents the self-signed certificate created earlier, and s_client has no CA to check it against.

depth=0 /C=BE/ST=Brussels/L=Brussels/O=DOMAIN.TLD/OU=ICT/CN=fqdn/emailAddress=your@e-mail.tld
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=BE/ST=Brussels/L=Brussels/O=THIBS.COM/OU=ICT/CN=fqdn/emailAddress=your@e-mail.tld
verify return:1
250 8BITMIME
ehlo testing
250-fqdn
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-SIZE 0
250-PIPELINING
250 8BITMIME
auth login
334 VXNlcm5hbWU6
dGVzdEB0ZXN0LmNvbQ==
334 UGFzc3dvcmQ6
YnJvbDI=
235 ok, go ahead (#2.0.0)
mail from: <testmail@test.com>
250 ok
rcpt to: <nospam@test.com>
250 ok
data
354 go ahead
From: Test_sender <testmail@test.com>
To: Test_receiver <nospam@test.com>
Subject: Just a simple SMTP TLS test

Just a TLS test !
.


quit
221 servername.localdomain.tld
Connection closed by foreign host.

As you've probably noticed, the login and password are encoded ("dGVzdEB0ZXN0LmNvbQ==" stands for "test@test.com" and "YnJvbDI=" stands for "brol2")! You can encode them yourself with the base64 script:

perl /downloads/scripts/base64

Press Enter to exit.
Input you string: test@test.com
Base64 encode is : dGVzdEB0ZXN0LmNvbQ==
Input you string: brol2
Base64 encode is : YnJvbDI=
Input you string: ^C (means press CTRL+C)
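To make the two points above concrete (AUTH LOGIN credentials are only base64-encoded, and this server advertises AUTH only after STARTTLS), here is an added Python example; it is not part of the tutorial and not qmail or vpopmail code. It takes the EHLO replies and the AUTH LOGIN exchange from the sessions above as constructed input, parses the capability lists, checks that no AUTH mechanism is offered before the TLS handshake, and encodes and decodes the credentials the way the base64 helper script does. The function names are my own.

```python
import base64

# Constructed sample transcripts, copied in shape from the two EHLO replies
# in this tutorial: one on the plaintext port before STARTTLS, one after the
# TLS handshake. Server lines only; client commands are omitted.
EHLO_BEFORE_TLS = """250-servername.domain.tld
250-STARTTLS
250-SIZE 0
250-PIPELINING
250 8BITMIME"""

EHLO_AFTER_TLS = """250-fqdn
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-SIZE 0
250-PIPELINING
250 8BITMIME"""

# Constructed AUTH LOGIN exchange, copied from the session shown above
# ("S" = server line, "C" = client line).
AUTH_LOGIN_EXCHANGE = [
    ("S", "334 VXNlcm5hbWU6"),
    ("C", "dGVzdEB0ZXN0LmNvbQ=="),
    ("S", "334 UGFzc3dvcmQ6"),
    ("C", "YnJvbDI="),
    ("S", "235 ok, go ahead (#2.0.0)"),
]


def parse_ehlo(reply):
    """Return a dict of EHLO keywords -> set of parameters.

    Each line is '250-KEYWORD params' (more lines follow) or '250 KEYWORD
    params' (last line). The first line carries the server's name, not a
    capability, so it is skipped.
    """
    caps = {}
    for line in reply.splitlines()[1:]:
        if not (line.startswith("250-") or line.startswith("250 ")):
            raise ValueError("unexpected EHLO reply line: %r" % line)
        body = line[4:].strip()
        if not body:
            continue
        keyword, _, params = body.partition(" ")
        # "AUTH=LOGIN PLAIN" is the legacy spelling some clients need;
        # fold it into the regular AUTH entry.
        if keyword.startswith("AUTH="):
            params = keyword[5:] + (" " + params if params else "")
            keyword = "AUTH"
        caps.setdefault(keyword.upper(), set()).update(params.split())
    return caps


def auth_offered_only_after_tls(before_tls, after_tls):
    """The property the two transcripts illustrate: STARTTLS is advertised in
    clear, no AUTH mechanism is offered until the session is encrypted, and
    AUTH is offered once it is."""
    before = parse_ehlo(before_tls)
    after = parse_ehlo(after_tls)
    return "STARTTLS" in before and "AUTH" not in before and "AUTH" in after


def decode_auth_login(exchange):
    """Decode an AUTH LOGIN exchange into (prompts, username, password).

    Base64 is an encoding, not encryption: anyone who can read the session
    can do exactly this, which is why AUTH must stay behind STARTTLS.
    """
    prompts, answers = [], []
    for side, line in exchange:
        if side == "S" and line.startswith("334 "):
            prompts.append(base64.b64decode(line[4:]).decode("ascii"))
        elif side == "C":
            answers.append(base64.b64decode(line).decode("utf-8"))
    if len(answers) != 2:
        raise ValueError("expected exactly two client responses")
    return prompts, answers[0], answers[1]


def encode_auth_login(username, password):
    """Produce the two client lines of an AUTH LOGIN exchange, i.e. what the
    tutorial's base64 helper script computes by hand."""
    return (base64.b64encode(username.encode("utf-8")).decode("ascii"),
            base64.b64encode(password.encode("utf-8")).decode("ascii"))


if __name__ == "__main__":
    print("AUTH only after STARTTLS:",
          auth_offered_only_after_tls(EHLO_BEFORE_TLS, EHLO_AFTER_TLS))
    print("AUTH mechanisms after TLS:", sorted(parse_ehlo(EHLO_AFTER_TLS)["AUTH"]))
    print("decoded AUTH LOGIN:", decode_auth_login(AUTH_LOGIN_EXCHANGE))
    print("encoded:", encode_auth_login("test@test.com", "brol2"))
```

The decode step is the point: base64 is reversible by anyone who can read the session, so the property checked by auth_offered_only_after_tls() (no AUTH until the channel is encrypted) is what actually protects the password, not the encoding.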

Test SMTP-SSL

openssl s_client -crlf -connect localhost:465 -quiet

It's nearly the same test. In this case we use an SSL server, so we connect to a different port number, and we have to establish the SSL connection before the SMTP conversation even starts:

depth=0 /C=BE/ST=Brussels/L=Brussels/O=DOMAIN.TLD/OU=ICT/CN=fqdn/emailAddress=your@e-mail.tld
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=BE/ST=Brussels/L=Brussels/O=THIBS.COM/OU=ICT/CN=fqdn/emailAddress=your@e-mail.tld
verify return:1
auth login
334 VXNlcm5hbWU6
dGVzdEB0ZXN0LmNvbQ==
334 UGFzc3dvcmQ6
YnJvbDI=
235 ok, go ahead (#2.0.0)
mail from: <testmail@test.com>
250 ok


250 ok
data
354 go ahead
From: Test_sender <testmail@test.com>
To: Test_receiver <nospam@test.com>
Subject: Just a simple SMTP-SSL test

Just a SMTP-SSL test !
.
250 ok 1279384489 qp 3711
quit
221 servername.localdomain.tld
Connection closed by foreign host.

Test authentication

Now we should be able to authenticate through POP3, POP3-SSL, IMAP and IMAP-SSL.

Test courier-authlib

I suppose you still have the dummy account created when we tested qmail. First check that the account is still there (without testing authentication):

/home/vpopmail/bin/vuserinfo test@test.com

You should have an answer like this:

name: test
passwd: $1$E6ZeM1cj$B6/2kgZgjtycVtHteTPOC1
clear passwd: brol2
comment/gecos: test
uid: 0
gid: 0
flags: 0
gecos: test


dir: /home/vpopmail/domains/0/test.com/test
quota: NOQUOTA
usage: NOQUOTA
account created: Thu Jul 15 16:02:29 2010
last auth: Never logged in

If the account does not exist, create it by following the instructions on the test qmail page. Now test the authentication process:

/usr/sbin/authtest postmaster@test.com brol
/usr/sbin/authtest test@test.com brol2

You should have an answer like this:

Authenticated: test@test.com (uid 89, gid 89)
Home Directory: /home/vpopmail/domains/test.com/test
Maildir: (none)
Quota: (none)
Encrypted Password: $1$Atj/HMvq$UBXjgO0sGl2Jy22b0Du0
Cleartext Password: brol2
Options: disablewebmail=0,disablepop3=0,disableimap=0

This is the sign that authlib is working well!

HINT: Most of the authentication problems here are due to white space before or after the login/password in /etc/courier/authmysqlrc, configured in the previous step.
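The hint above about stray whitespace in /etc/courier/authmysqlrc is easy to check mechanically. The following is an added example, not part of the tutorial and not courier-authlib code: it scans a constructed authmysqlrc sample for trailing blanks, CRLF line endings and leading whitespace, and produces the cleaned form. The sample values (vpopmail, example_password, the column names) are made up for the example; the MYSQL_* keywords are the real authmysqlrc settings, and the function names are my own.

```python
# Constructed sample of /etc/courier/authmysqlrc (not copied from the
# tutorial). The MYSQL_USERNAME and MYSQL_PASSWORD lines carry an invisible
# trailing space, the mistake the hint above warns about, and the
# MYSQL_DATABASE line has a CRLF ending, which shows up the same way.
SAMPLE_AUTHMYSQLRC = (
    "##NAME: MYSQL_SERVER:0\n"
    "MYSQL_SERVER localhost\n"
    "MYSQL_USERNAME\tvpopmail \n"
    "MYSQL_PASSWORD example_password \n"
    "MYSQL_DATABASE vpopmail\r\n"
    "MYSQL_USER_TABLE vpopmail\n"
    "MYSQL_CRYPT_PWFIELD pw_passwd\n"
    "MYSQL_CLEAR_PWFIELD pw_clear_passwd\n"
)

# Settings whose value is sent to MySQL as a credential; a stray blank here
# turns into a wrong username or password on every login attempt.
CREDENTIAL_KEYS = {"MYSQL_USERNAME", "MYSQL_PASSWORD"}


def find_whitespace_issues(text):
    """Return a list of (line_number, keyword, problem) for every setting
    line whose whitespace is easy to overlook in an editor.

    The text is split on '\\n' only, so a CRLF line keeps its '\\r' and is
    reported. Blank lines and '#' comments are ignored.
    """
    issues = []
    for lineno, raw in enumerate(text.split("\n"), start=1):
        line = raw[:-1] if raw.endswith("\r") else raw
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split(None, 1)
        keyword = parts[0]
        if raw.endswith("\r"):
            issues.append((lineno, keyword, "CRLF line ending"))
        if line[:1] in (" ", "\t"):
            issues.append((lineno, keyword, "leading whitespace before keyword"))
        if len(parts) == 1:
            issues.append((lineno, keyword, "keyword without value"))
            continue
        if line != line.rstrip(" \t"):
            issues.append((lineno, keyword, "trailing whitespace after value"))
    return issues


def credential_issues(issues):
    """Keep only the findings on the MySQL login settings, the ones that
    explain the 'authtest' failures the hint describes."""
    return [issue for issue in issues if issue[1] in CREDENTIAL_KEYS]


def normalize_config(text):
    """Return the configuration with CRs, leading blanks and trailing blanks
    removed from setting lines; comments are left untouched. Whitespace
    between keyword and value is kept, since that is the separator."""
    out = []
    for raw in text.split("\n"):
        line = raw[:-1] if raw.endswith("\r") else raw
        if line.strip().startswith("#"):
            out.append(line)
        else:
            out.append(line.strip())
    return "\n".join(out)


if __name__ == "__main__":
    found = find_whitespace_issues(SAMPLE_AUTHMYSQLRC)
    for lineno, keyword, problem in found:
        print("line %d: %s: %s" % (lineno, keyword, problem))
    print("credential settings affected:",
          [k for _, k, _ in credential_issues(found)])
    print("issues after cleanup:",
          find_whitespace_issues(normalize_config(SAMPLE_AUTHMYSQLRC)))
```

Run it against the real file with find_whitespace_issues(open("/etc/courier/authmysqlrc").read()) before spending time on the MySQL side. Separately, the vuserinfo and authtest outputs above show a cleartext copy of the password next to the hash; that is a vpopmail build option (the clear-password column authlib reads via MYSQL_CLEAR_PWFIELD), and it is only needed for challenge-response login mechanisms, so keeping it is a trade-off to be aware of if the database is ever exposed.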

Test POP3 service

Let's test your new server's POP3 service:

telnet localhost 110

You should see something like this:

Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
+OK Hello there.
user test@test.com


pass bril
-ERR Login failed.
pass brol2
+OK logged in.
quit
+OK Bye-bye.

This is the sign of a successful POP connection to the server!

Test POP3-SSL service

Let's test your new server's POP3-SSL service:

openssl s_client -connect localhost:995 -quiet

You should see something like this:

depth=0 /C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated POP3 SSL key/CN=localhost/emailAddress=postmaster@example.com
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated POP3 SSL key/CN=localhost/emailAddress=postmaster@example.com
verify return:1
+OK Hello there.
user test@test.com
+OK Password required.
pass brol2
+OK logged in.
quit
+OK Bye-bye.

Test IMAP service

Let's test your new server's IMAP service:

telnet localhost 143


Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS] Courier-IMAP ready. Copyright 1998-2005 Double Precision, Inc. See COPYING for distribution information.
a login test@test.com brol2
a OK LOGIN Ok.
a logout
* BYE Courier-IMAP server shutting down
a OK LOGOUT completed

This is the sign of a successful IMAP connection to the server! Hint: the "a" that you see before the login commands is required; it is the tag IMAP puts in front of every client command, and the server repeats it in the matching reply.

Test IMAPS service

Let's test your new server's IMAP-SSL service:

openssl s_client -connect localhost:993 -quiet

You should see something like this:

depth=0 /C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated IMAP SSL key/CN=localhost/emailAddress=postmaster@example.com
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated IMAP SSL key/CN=localhost/emailAddress=postmaster@example.com
verify return:1
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE AUTH=PLAIN ACL ACL2=UNION] Courier-IMAP ready. Copyright 1998-2008 Double Precision, Inc. See COPYING for distribution information.
a login test@test.com brol2
a OK LOGIN Ok.
a logout
* BYE Courier-IMAP server shutting down
a OK LOGOUT completed


Delete the test account

/home/vpopmail/bin/vdeluser test@test.com
/home/vpopmail/bin/vdeldomain test.com

--- /// ---

Compiling fails with:

> make[2]: Entering directory `/home/graf/packages/BUILD/vmailmgr-0.97/authenticate'
> g++ -DHAVE_CONFIG_H -I. -I. -I.. -I../lib -g -O2 -fno-rtti -fno-exceptions -Wall -c checkvpw.cc
> checkvpw.cc: In function 'char* strcasestr(const char*, const char*)':
> checkvpw.cc:108: error: new declaration 'char* strcasestr(const char*, const char*)'
> /usr/include/string.h:367: error: ambiguates old declaration 'const char* strcasestr(const char*, const char*)'
> make[2]: *** [checkvpw.o] Error 1
> make[2]: Leaving directory `/home/graf/packages/BUILD/vmailmgr-0.97/authenticate'

The reason is strcasestr(), which is defined in checkvpw.cc but also exists in glibc. This didn't hurt until now, because both were declared the same way, but in glibc 2.10 the declaration changed slightly: strcasestr() returns "const char *" instead of "char *", and this results in the above error.

The easy fix is to delete strcasestr() from checkvpw.cc, which is what the attached patch does. A check for strcasestr() in configure on the current system would probably be better.

--

Bernhard Graf

--- authenticate/checkvpw.cc +++ authenticate/checkvpw.cc @@ -105,15 +105,6 @@

return new auth_data(name, pass, stamp); }

-char* strcasestr(const char* haystack, const char* needle) -{

- for(size_t hlength = strlen(haystack), nlength = strlen(needle); - hlength >= nlength; hlength--, haystack++)

- if(!strncasecmp(haystack, needle, nlength)) - return (char*)haystack;

- return 0; -}

-

unsigned find_maildir(int argc, const char* args[]) {
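Review bot: removing the local definition unconditionally (the block from `-char* strcasestr(const char* haystack, const char* needle)` down to `-}`) makes checkvpw.cc depend on the C library providing strcasestr(), which is a GNU extension rather than standard C; on a libc without it, or a build where the feature macro that exposes it is not defined, the file will then fail to compile or link. The message itself points at the better fix: add an autoconf check such as AC_CHECK_FUNCS([strcasestr]) and keep the local definition inside #ifndef HAVE_STRCASESTR ... #endif, so the fallback survives where the system lacks the function and the glibc 2.10 conflict disappears where it has one. A note in the commit message explaining the const-qualified return type in glibc 2.10 would also help anyone bisecting this later.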


Sources

http://www.superscript.com/ucspi-ssl/install.html
http://qmailrocks.thibs.com/
