Gentoo Forums
HOWTO install qmail, vpopmail, relay-ctrl, courier 03/15/05
endtransmission
n00b

Joined: 16 Nov 2003
Posts: 48

Posted: Sat Mar 19, 2005 1:24 am    Post subject: HOWTO install qmail, vpopmail, relay-ctrl, courier 03/15/05

Hey all

After using THIS for the longest time and making tweak after tweak as time went on, I finally rewrote the howto on the Gentoo-wiki to reflect the current builds and thought I'd reproduce it here for the members of this community. It does not include virus and spam scanning yet, so if someone wants to chip in, man I'm all for it.

CLICK HERE FOR THE ORIGINAL HOWTO

::::::::::::::::::::::::::::::::::::::::::: Original Follows :::::::::::::::::::::::::::::::::::::::::::::::::::

This howto has recently been updated (03/15/05) to reflect the following ebuilds. The previous howto had become so out of date as to now qualify as misleading - this was not due to neglect, just to the way of things. Software has evolved a little, and so must this. There is a real argument for stepping off the bleeding edge for a little bit, if only to accrue a solid, accurate body of documentation that remains applicable for longer than the time it takes to write it. That being said, I will shortly be hosting these ebuilds/source-code for download from my servers as soon as I can find the time so you too may follow these instructions and get qmail/vpopmail/courier-imap/relay-ctrl up with a minimum amount of hassle. Until then, best of luck.

This is a wiki and everyone can make changes and edits and yes that's a great thing but please, I beg you, for the good of everyone involved who might try and use this howto for help, before editing this please test your changes and be thorough in your documentation so this howto can remain viable and helpful for everyone.

Here we go. These are the supported ebuilds for this howto.

Code:
   QMAIL
   sys-apps/ucspi-tcp-0.88-r10
   net-mail/dot-forward-0.71-r1
   net-mail/cmd5checkpw-0.22-r1
   sys-process/daemontools-0.76-r4
   net-mail/queue-fix-1.4-r2
   net-mail/checkpassword-0.90-r1
   mail-mta/qmail-1.03-r15

   RELAY-CTRL
   net-mail/relay-ctrl-3.1.1-r2

   VPOPMAIL
   net-mail/vpopmail-5.4.6-r1

   COURIER-IMAP
   net-libs/courier-authlib-0.54 
   net-mail/courier-imap-4.0.1-r1

Now, let's get started.

== Ensure Proper USE Flags Are Set ==
Code:
# nano -w /etc/make.conf

add apache2, maildir, valias, vhosts, authdaemond and mysql as USE flags.

== Install QMAIL ==
First of all, make sure that you unmerge the other mail handlers that may be installed, such as ssmtp, sendmail, or postfix:
Code:
 # emerge -C ssmtp sendmail postfix
 # emerge /usr/portage/net-mail/qmail/qmail-1.03-r15.ebuild
 # ebuild /var/db/pkg/net-mail/qmail-1.03-r15/qmail-1.03-r15.ebuild config
   
 # ln -s /var/qmail/supervise/qmail-send /service/qmail-send
 # ln -s /var/qmail/supervise/qmail-smtpd /service/qmail-smtpd
 
 # rc-update add svscan default
 # /etc/init.d/svscan start


== Install RELAY-CTRL ==
Using relay-ctrl is a simple and straightforward way to allow us to send email with email clients from anywhere.
Code:
 # emerge relay-ctrl
 # cd /etc/tcprules.d/
 # nano -w tcp.qmail-smtp

Delete your tcp.qmail-smtp file and copy this in its place - you only need to change the IP address in the first line to the internal IP address of your server.
Code:
 
################## START OF tcp.qmail-smtp #######################
#
# CHANGE THIS IP ADDRESS TO THE INTERNAL IP ADDRESS OF YOUR MAIL SERVER
192.168.31.50:allow,RELAYCLIENT="",RBLSMTPD=""
 
#-----------------------------------------------------------------
# DONT ALLOW THESE IPS TO SEND MAIL TO US :
# (Insert banned IP's here)
#
# These IP's pipe out heaps and heaps of spam
#
216.242.75.100-116:allow,RBLSMTPD="-Connections from this IP have been banned."
64.228.127.:allow,RBLSMTPD="-Connections refused due to spam from freeamateurhotties.com"
154.20.94.:allow,RBLSMTPD="-Connections refused due to spam from freeamateurhotties.com"
209.151.132.:allow,RBLSMTPD="-Connections refused due to spam from freeamateurhotties.com"
216.18.85.:allow,RBLSMTPD="-Connections refused due to spam from freeamateurhotties.com"
 
#-----------------------------------------------------------------
# DON'T TOUCH THIS
127.0.0.1:allow,RELAYCLIENT="",RBLSMTPD=""

#-----------------------------------------------------------------
# DON'T TOUCH THIS
:allow

# You must run the below command after editing this file and then restart the /etc/init.d/svscan service in
# order to activate the changes you make here today.
#
# tcprules /etc/tcprules.d/tcp.qmail-smtp.cdb /etc/tcprules.d/.tcp.qmail-smtp.tmp < /etc/tcprules.d/tcp.qmail-smtp
#
############# END OF FILE #################

Change this 192.168.31.50 address to the internal IP address of your personal mail server.

Once the qmail-smtp file has been edited, enter this long line below (unbroken) and hit enter...
Code:
 # tcprules /etc/tcprules.d/tcp.qmail-smtp.cdb /etc/tcprules.d/.tcp.qmail-smtp.tmp < /etc/tcprules.d/tcp.qmail-smtp


and to finish up...
Code:
 # /etc/init.d/svscan restart


== Install VPOPMAIL ==
Code:
 # emerge /usr/portage/net-mail/vpopmail-5.4.6-r1.ebuild


First log into mysql as your mysql root user and pass like this.
Code:
 # mysql -u root -p
 password: (enter root password here)
   ---- you'll be inside mysql at this point ----
 > create database vpopmail;
 > use vpopmail;
 > grant select, insert, update, delete, create, drop on vpopmail.* to vpopmail@localhost identified by 'your password';
 > flush privileges;
 > quit

#### Do not replace the phrase 'your password' with your actual password in this instance. ####

Configure vpopmail's mysql user password
Code:
 # nano /etc/vpopmail.conf

(Change the password from 'secret' to your root password, and change the user to user root)

If you have problems with vpopmail not accepting mail properly, please ensure that /etc/vpopmail.conf is chmod 600 and owned by vpopmail:vpopmail

Code:
 # chown root:vpopmail /etc/vpopmail.conf
 # chmod 640 /etc/vpopmail.conf
 # chown root:vpopmail /var/vpopmail/bin/vchkpw
 # chmod 4711 /var/vpopmail/bin/vchkpw


Now you can add a domain from the commandline (NOT IN MYSQL) with the command
Code:
 # vadddomain blah.com


You can add a user at the commandline with the command
Code:
 # vadduser user@blah.com


Or delete a user
Code:
 # vdeluser user@blah.com


(You only have to do this if the vadddomain step below results in "command not found")
Code:
 # env-update && source /etc/profile


QUICK NOTE : In order to use vpopmail or qmailadmin Apache must run as user vpopmail:vpopmail. You will need to edit your /etc/apache2/conf/commonbapache.conf file to read / User vpopmail / Group vpopmail / and then restart apache with the command /etc/init.d/apache2 restart.

== Install Courier-IMAP as IMAP & POP3 Server ==

Code:
 # emerge net-libs/courier-authlib-0.54
 # emerge net-mail/courier-imap-4.0.1-r1


We'll configure courier-authlib first.
Code:
 # nano -w /etc/courier/authlib/authdaemonrc


Ensure these headings look exactly like this in the authdaemonrc file
Code:
   authmodulelist="authvchkpw"
   authmodulelistorig="authvchkpw"

Do not have-leave-put extras in there. Now onto configuring courier-imap.

Code:
 # nano -w /etc/courier-imap/imapd


Make sure the following entries are put in like this. They may or may not be right next to each other so look around for them in the conf file.
Code:
   IMAPDSTART=YES
   MAXPERIP=20
   MAILDIR=.maildir
   MAILDIRPATH=.maildir
   PRERUN="envdir /etc/relay-ctrl relay-ctrl-chdir"
   LOGINRUN="relay-ctrl-allow"


Repeat process for imapd-ssl, pop3d, pop3d-ssl files as well, except instead of IMAPDSTART you'll want to look for POP3DSTART or whatever's appropriate depending on the file.

Now let's add courier to our bootup scripts so it launches when we fire up Gentoo.

Code:
 # rc-update add courier-authlib default
 # rc-update add courier-imapd default
 # rc-update add courier-pop3d default
 # /etc/init.d/courier-imapd start
 # /etc/init.d/courier-pop3d start


Addendum: If you want to use SSL and TLS, you'll need to make SSL certs for them.

Code:
 # nano -w /etc/courier-imap/imapd.cnf


Fill out State, City, Organization name etc etc etc. For the Common Name (CN) of your server make sure
it's mail.yourservername.com. Afterwards, run mkimapdcert (or mkpop3dcert), make the cert, then start
the service and add it to the startup services like before.

Code:
 # rc-update add courier-imapd-ssl default
 # rc-update add courier-pop3d-ssl default
 # /etc/init.d/courier-imapd-ssl start
 # /etc/init.d/courier-pop3d-ssl start


Last thing: once started, you can totally stop and start the whole courier suite by recycling
courier-authlib. Like this

Code:
 # /etc/init.d/courier-authlib restart


Alright, enough of this! On to business...

== Update the SMTPD Config to Allow SMTP-AUTH Using VPOPMAIL ==

I've tried a lot of iterations on this but the easiest and most straightforward way is to completely delete the
contents of your /var/qmail/control/conf-smtpd file and just replace it with this. You need not replace or tweak this file at all after putting this in.

Code:
 

################## START OF /var/qmail/control/conf-smtp #######################
#
TCPSERVER_OPTS="${TCPSERVER_OPTS} -R"
   
QMAIL_TCPSERVER_PRE="${QMAIL_TCPSERVER_PRE} envdir /etc/relay-ctrl relay-ctrl-chdir"
QMAIL_SMTP_PRE="${QMAIL_SMTP_PRE} relay-ctrl-check"
   
QMAIL_SMTP_AUTHHOST=$(<${QMAIL_CONTROLDIR}/me)
[ -z "${QMAIL_SMTP_POST}" ] && QMAIL_SMTP_POST=/bin/true
QMAIL_SMTP_CHECKPASSWORD="/var/vpopmail/bin/vchkpw"
QMAIL_SMTP_POST="${QMAIL_SMTP_AUTHHOST} ${QMAIL_SMTP_CHECKPASSWORD} ${QMAIL_SMTP_POST}"
#
################## END OF /var/qmail/control/conf-smtp #######################


Final touches to bring this together
Code:
 # svc -t /var/qmail/supervise/qmail-smtpd
 # chmod u+s /var/vpopmail/bin/vchkpw


The following step makes sending mail a lot faster under some circumstances, and I highly recommend that you do the following if you notice delays of 30 to 45 seconds sending mail:
Code:
 # nano -w /var/qmail/control/conf-common
TCPSERVER_OPTS="-H -R -l 0" (that's lower-case L followed by zero)


== Install Spam Database Clients ==

- snip -

I have mercilessly edited the following spam/virus scanning instructions out for -again- being out of touch with the times. I am personally going to workshop this in the next 30 days (today is March 12th) and will update this howto to reflect these new versions. Heck you couldn't even get ebuilds for the versions this was previously written for. That being said, if you get everything going this far and want to get on this before I do, please feel free. Functionality we're trying to reestablish from the original version of this how to includes

Qmail Scanner
F-prot
ClamAV
SpamAssassin
Pyzor
Razor
DCC

== Install Squirrel Mail ==

Code:
 # emerge squirrelmail
 # cd /var/www/localhost/htdocs
 # mv squirrelmail mail
 # cd mail
 # ./configure

Go forth and setup squirrelmail. Make sure the mail/data and mail/plugins directories are owned by
vpopmail:vpopmail

There are some great plugins for squirrelmail including one for qmailadmin and another for virtual hosting. I encourage you to take a look and shop around a bit at http://squirrelmail.org for more details.

== Install QMAIL Admin ==

Code:
 # emerge /usr/portage/net-mail/ezmlm-idx-mysql/ezmlm-idx-mysql-0.40-r2.ebuild
 # emerge /usr/portage/net-mail/autorespond/autorespond-2.0.4.ebuild
 # emerge /usr/portage/net-mail/qmailadmin/qmailadmin-1.2.0_rc2-r1.ebuild


You can access qmailadmin at http://www.youdomain.com/cgi-bin/qmailadmin. If the image files are not showing, you'll have to copy the qmailadmin images to wherever apache is trying to access them from. You can find out where by checking your /var/log/apache2/error_log. Note that this version still does not use valias to maintain forward/alias info, and you'll need to install 1.2.1 from source for that to work.



== Troubleshooting ==

Forthcoming.


Last edited by endtransmission on Sat Mar 19, 2005 11:15 pm; edited 3 times in total
endtransmission
n00b

Joined: 16 Nov 2003
Posts: 48

Posted: Sat Mar 19, 2005 9:42 am

well I guess no news is good news.
Freelance
n00b

Joined: 12 Mar 2005
Posts: 18

Posted: Sat Mar 19, 2005 9:57 am

I am currently giving another shot at this, this time using your guide :)

I had pretty much everything covered but your section for vpopmail-imap is what I needed.

More feedback after compilation :)
Strowi
l33t

Joined: 19 Aug 2003
Posts: 655
Location: Bonn

Posted: Sat Mar 19, 2005 2:55 pm

hi,

thx for updating!
ATM i'm giving qmail another shot (the older howto never really worked for me).

Looks like you have a little typo in the "Install Qmail" -Section. The Version-numbers don't match:

"# ebuild /var/db/pkg/net-mail/qmail-1.03-r13/qmail-1.03-r15.ebuild config"
ebuild /var/db/pkg/mail-mta/qmail-1.03-r13/qmail-1.03-r13.ebuild config

UPDATE1:
1. "ebuild /var/db/pkg/net-mail/qmail-1.03-r13/qmail-1.03-r13.ebuild config" should be
"ebuild /var/db/pkg/mail-mta/qmail-1.03-r13/qmail-1.03-r13.ebuild config"
2. I don't have a tcp.qmail-smtp to delete; and what about the /etc/tcp.* files?


i'll edit this post later to reflect my experience with this one.
_________________
--
Linux & such ...
http://blog.hasnoname.de
petterg
Guru

Joined: 25 Mar 2004
Posts: 500
Location: Oslo, Norway

Posted: Sat Mar 19, 2005 7:36 pm

Note there is a bug in courier-authlib-0.5*.ebuild for compiling authvchkpw (vpopmail authentication)
Read this to fix:
https://bugs.gentoo.org/show_bug.cgi?id=85794

Edit: Corrected link


Last edited by petterg on Sun Mar 20, 2005 10:25 am; edited 1 time in total
endtransmission
n00b

Joined: 16 Nov 2003
Posts: 48

Posted: Sat Mar 19, 2005 8:02 pm

Strowi wrote:
hi,

thx for updating!
ATM i'm giving qmail another shot (the older howto never really worked for me).

Looks like you have a little typo in the "Install Qmail" -Section. The Version-numbers don't match:

"# ebuild /var/db/pkg/net-mail/qmail-1.03-r13/qmail-1.03-r15.ebuild config"
ebuild /var/db/pkg/mail-mta/qmail-1.03-r13/qmail-1.03-r13.ebuild config

UPDATE1:
1. "ebuild /var/db/pkg/net-mail/qmail-1.03-r13/qmail-1.03-r13.ebuild config" should be
"ebuild /var/db/pkg/mail-mta/qmail-1.03-r13/qmail-1.03-r13.ebuild config"
2. I don't have a tcp.qmail-smtp to delete; and what about the /etc/tcp.* files?


i'll edit this post later to reflect my experience with this one.


If you installed relay-ctrl then it should have installed or moved those files into /etc/tcprules.d/*. Are you sure you're in the proper directory?
Thanks for the typo hit. Has been corrected to reflect r15, the version I've installed.
endtransmission
n00b

Joined: 16 Nov 2003
Posts: 48

Posted: Sat Mar 19, 2005 8:06 pm

petterg wrote:
Note there is a bug in courier-authlib-0.5*.ebuild for compiling authvchkpw (vpopmail authentication)
Read this to fix:
https://bugs.gentoo.org/show_bug.cgi?id=85391


Hunh. Good to know. This howto makes allowances for that so users who are using this need not jump through those hoops if they don't want to. Glad to see active development still going on though. Just proves that this howto will have to be rewritten again eventually as things continue to evolve.
Strowi
l33t

Joined: 19 Aug 2003
Posts: 655
Location: Bonn

Posted: Sun Mar 20, 2005 2:10 am

hi,

looks like the /etc/tcprules.d/* files didn't appear because i emerged qmail -r13 instead of -r15 before emerging relay-ctrl. Also i think it would be good to mention that -r15 is marked ~x86 atm.

@petterg: thx for that tip about authvchkpw! i almost gave up logging in with squirrelmail. But the solution on your link didn't work, because i couldn't find the path within the ebuild. However.. this thread worked for me.

And.. does anyone know if/how it is possible to merge a var/vpopmail/domain/* and a local /home/* account and make squirrelmail work with that solution? I tried linking ~/.maildir to /var/vpopmail/domain/user/.maildir but that gives an access-error. Apparently users can't access files owned by vpopmail..
_________________
--
Linux & such ...
http://blog.hasnoname.de
endtransmission
n00b

Joined: 16 Nov 2003
Posts: 48

Posted: Sun Mar 20, 2005 3:26 am

Strowi wrote:
hi,

looks like the /etc/tcprules.d/* files didn't appear because i emerged qmail -r13 instead of -r15 before emerging relay-ctrl. Also i think it would be good to mention that -r15 is marked ~x86 atm.


ah, fair enough. Will get to it here within the hour.

Strowi wrote:
@petterg: thx for that tip about authvchkpw! i almost gave up logging in with squirrelmail. But the solution on your link didn't work, because i couldn't find the path within the ebuild. However.. this thread worked for me.


just curiously, did you know that after you implement a vpopmail setup, all your login names will have to include the entire email address from now on? so your login name is no longer simply login but login@domain.com.

Strowi wrote:
And.. does anyone know if/how it is possible to merge a var/vpopmail/domain/* and a local /home/* account and make squirrelmail work with that solution? I tried linking ~/.maildir to /var/vpopmail/domain/user/.maildir but that gives an access-error. Apparently users can't access files owned by vpopmail..


I think I understand what you're asking but it doesn't make sense to me why you'd want to do it that way. In actual answer to your question though, no I don't know how to do it. It seems to me the strength of vpopmail is the ability to create virtual accounts without actually having to create them real system accounts - so if an email acct gets hacked, no biggie, there's still no risk to the system. Vpopmail keeps all the users' mail files inside its own /var/vpopmail/domains/domain.com/username/.maildir - why are you trying to force vpopmail into stuffing their mail into individual shell accounts? Is this something Pine requires maybe?

I'm rather scattered tonight. Will make more sense tomorrow.
(right.... :) )
petterg
Guru

Joined: 25 Mar 2004
Posts: 500
Location: Oslo, Norway

Posted: Sun Mar 20, 2005 10:25 am

Sorry guys, I posted link to the wrong bug!
The correct vpopmail bug link is https://bugs.gentoo.org/show_bug.cgi?id=85794
as Strowi pointed out.
petterg
Guru

Joined: 25 Mar 2004
Posts: 500
Location: Oslo, Norway

Posted: Sun Mar 20, 2005 11:55 am

There are a few things in this guide that I would like to point out, some things I don't agree with, and a couple of things that make huge security holes.

1:
Before emerging qmail, make sure the 'notlsbeforeauth' use flag is DISABLED. And that the SSL use flag is ENABLED. (This makes sure that passwords for smtp-auth get encrypted. - This works for qmail-1.03-r15 only.)

2:
Relay-ctrl: why would anyone need it if they use SMTP-auth? My advice: just skip installing it.

3:
For the tcp.qmail-smtp file:
The line 192.168.31.50:allow,RELAYCLIENT="",RBLSMTPD="", where 192.168.31.50 is the internal ip of the server. You may repeat this line for all trusted ip addresses - ip's to computers that are allowed to relay mail through the smtp server without authentication. Say your internal network is 192.168.31.*. Then you may allow all computers at the internal network by using the line 192.168.31.:allow,RELAYCLIENT="",RBLSMTPD="".
Note the dot after 31!

4:
In mysql:
grant select, insert, update, delete, create, drop on vpopmail.* to vpopmail@localhost identified by 'your password';
Make sure the password is a password you've not used (or are going to use) anywhere else! The reason is that you'll need to store this password in cleartext in the next step! Make sure you manage to remember it (or write it down) for 5 minutes. After you've finished #5 you'll never need this password again.
Test that your new mysqluser/password works
Code:
# mysql -uvpopmail -p vpopmail
Enter password:

Enter the password. If you get an Access denied error you've done something wrong in the mysql part.
If you get
Code:
mysql>

you're fit to go.

5:
endtransmission wrote:
Configure vpopmail's mysql user password
Code:
 # nano /etc/vpopmail.conf

(Change the password from 'secret' to your root password, and change the user to user root)


NO NO NO!!!!!
NEVER STORE YOUR ROOT PASSWORD IN CLEARTEXT - ANYWHERE!!

That was the whole point of the grant-line in mysql - you create a user that has limited access. The user you created in mysql got the username 'vpopmail' and whatever password you chose. Also you created a database called vpopmail. The vpopmail.conf should look like
Code:

# host|port|user|password|database
localhost|0|vpopmail|whatever_password|vpopmail
localhost|0|vpopmail|whatever_password|vpopmail

Yes, the line has to be entered twice. (Assume you use the same user for read as for write)
Replace "whatever_password" with the password you entered on the grant-line in mysql.
Save the file, forget the password, throw away the note with the password you've forgotten... You'll never need it again.

6:
endtransmission wrote:

If you have problems with vpopmail not accepting mail properly, please ensure that /etc/vpopmail.conf is chmod 600 and owned by vpopmail:vpopmail

Code:
 # chown root:vpopmail /etc/vpopmail.conf
 # chmod 640 /etc/vpopmail.conf


No. If you have problems with vpopmail not accepting mail properly, please ensure that vpopmail is running as vpopmail:vpopmail! Make sure the primary group of user vpopmail is vpopmail.

7:
endtransmission wrote:

QUICK NOTE : In order to use vpopmail or qmailadmin Apache must run as user vpopmail:vpopmail. You will need to edit your /etc/apache2/conf/commonbapache.conf file to read / User vpopmail / Group vpopmail / and then restart apache with the command /etc/init.d/apache2 restart.

NO! Do not run apache as vpopmail, or any other user. If you do run apache as vpopmail, any user who has access to put serverside scripts (cgi / php files) on your webserver will also get access to read, delete, edit, publish any mail on your mailserver, and even be able to change your users' passwords, reconfigure the server, create an open relay.... Do you need any more arguments for not doing that?
This does not affect squirrelmail (which is using local imap server) or qmailadmin (which is using cgi-bin wrapper) at all.

8:
If you're not using relay-ctrl you should leave the PRERUN and LOGINRUN lines at their default value when editing the config files for courier-imap.

9: The same goes for QMAIL_TCPSERVER_PRE and QMAIL_SMTP_PRE in /var/qmail/control/conf-smtp

10:
Why install the masked package qmailadmin-1.2.0_rc2-r1 when qmailadmin-1.2.1 is unmasked? (and has been unmasked since May 2004)

For those who are waiting for this guide to include viruscheck and spamfilter... take a look at Sabrex's guide - a bit outdated, but still good: https://forums.gentoo.org/viewtopic-t-171499-highlight-.html


When it comes to installing ClamAV be aware that 0.81, 0.82 and 0.83 do not detect NetSky D virus. The 0.80 does. However all versions prior to 0.81 have some kind of bug that can make the clamd die. For the 12 past months I've used clamav on 2 of my servers, it still hasn't died.
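
An added audit sketch for the files that points 3 to 5 of the post above concern (it is not code from the thread or from any of the packages): it lists which tcprules entries grant RELAYCLIENT and to what kind of address, and flags a vpopmail.conf that uses the MySQL root account, still carries the 'secret' password, or is readable by other local users. Function names, the sample rules and the scratch paths are assumptions; only IPv4 rules are classified.

```shell
#!/bin/sh
# Added audit helpers; function names and sample data are assumptions.

# relay_scopes FILE
# Print "<scope> <address>" for each tcprules line that sets RELAYCLIENT.
# scope: loopback | private | public | hostname | default
# Simplification: IPv4 rules only; RELAYCLIENT is detected textually.
relay_scopes() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # comments and blank lines
        {
            sep = index($0, ":")
            if (sep == 0) next                  # not a rule line
            addr = substr($0, 1, sep - 1)
            rest = substr($0, sep + 1)
            if (rest !~ /^allow/ || rest !~ /,RELAYCLIENT=/) next
            sub(/^.*@/, "", addr)               # drop an optional "user@" part
            if (addr == "") { scope = "default"; addr = "(empty)" }
            else if (addr ~ /^=/)      scope = "hostname"
            else if (addr ~ /^127\./)  scope = "loopback"
            else if (addr ~ /^10\./ || addr ~ /^192\.168\./ ||
                     addr ~ /^172\.(1[6-9]|2[0-9]|3[01])\./) scope = "private"
            else                       scope = "public"
            print scope, addr
        }
    ' "$1"
}

# relay_exposed FILE
# Print the relay grants that reach beyond loopback and RFC 1918 space.
# Exit status 0 means at least one such rule exists.
relay_exposed() {
    relay_scopes "$1" | grep -E '^(default|public|hostname) '
}

# vpopmail_conf_findings FILE
# Lines have the form host|port|user|password|database. Report a MySQL
# account named root, the password "secret" that the howto says the file
# starts out with, and a file mode that lets other local users read it.
vpopmail_conf_findings() {
    awk -F'|' '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        NF != 5        { print "line " NR ": expected 5 fields, found " NF; next }
        $3 == "root"   { print "line " NR ": connects to MySQL as root" }
        $4 == "secret" { print "line " NR ": password is still the default" }
    ' "$1"
    if [ -n "$(find "$1" -perm -004 2>/dev/null)" ]; then
        echo "mode: readable by other users"
    fi
}

# Constructed sample input, written to a scratch directory and removed again.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/tcp.qmail-smtp" <<'EOF'
# constructed sample, modelled on the rules file in the thread
192.168.31.:allow,RELAYCLIENT="",RBLSMTPD=""
203.0.113.7:allow,RELAYCLIENT=""
198.51.100.:allow,RBLSMTPD="-Connections from this range are refused."
127.0.0.1:allow,RELAYCLIENT="",RBLSMTPD=""
:allow
EOF
    cat > "$dir/vpopmail.conf" <<'EOF'
# host|port|user|password|database
localhost|0|root|secret|vpopmail
localhost|0|vpopmail|constructed-example-pw|vpopmail
EOF
    chmod 644 "$dir/vpopmail.conf"
    echo "== rules that grant relaying =="
    relay_scopes "$dir/tcp.qmail-smtp"
    echo "== relay grants outside loopback/private space =="
    relay_exposed "$dir/tcp.qmail-smtp"
    echo "== vpopmail.conf findings =="
    vpopmail_conf_findings "$dir/vpopmail.conf"
    rm -rf "$dir"
}

demo
```

On a real host the functions would be pointed at /etc/tcprules.d/tcp.qmail-smtp and /etc/vpopmail.conf, the paths used in the howto.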
endtransmission
n00b

Joined: 16 Nov 2003
Posts: 48

Posted: Sun Mar 20, 2005 7:56 pm

Great. Thanks for that. Will throw your changes up on the bench box to test and then edit this appropriately.
syn_ack
n00b

Joined: 26 Jan 2004
Posts: 31

Posted: Sun Mar 20, 2005 9:57 pm

petterg wrote:
There are a few things in this guide that I would like to point out, some things I don't agree with, and a couple of things that make huge security holes.


Thanks for your posting. This is going to help out quite a bit in my initial install. Knowing the info that you've posted in advance is going to help save on tons of unneeded frustration. Much appreciated.


petterg wrote:

1:
Before emerging qmail, make sure the 'notlsbeforeauth' use flag is DISABLED. And that the SSL use flag is ENABLED. (This makes sure that passwords for smtp-auth get encrypted. - This works for qmail-1.03-r15 only.)


Interesting. Ok. Question. Sorry to be so detailed but I figure it's all about details so please bear with me. Right now I have a domainname that I just registered and host through Noip.com. Because I have a dynamic ip through Comcast I use two mail features/services through Noip.com as well as their dyndns client (noip-updater) so that I can run an MTA using an Alternate smtp port. To do this I had to setup "mydomainname.com" dns record to point/list noip.com's Mail Exchangers.

Mail Services:
Mail Reflector service:
For mail being sent to mydomainname.com from out on the internet, mail is routed to Noip.com's MX's which in turn then relays the mail to mail.mydomainnam.com on an alternate port to get around Comcast blocking port 25 traffic. I'll get this part of the Qmail configuration figured out with some more reading. Unsure of what relay rules I would need in this situation and how to change to an alternate port. Homework for me.

This is where my question comes in.

AlternatePort SMTP service:
For me to send mail out I relay all mail to noip.com's mx. To do this they require that I use SMTP-Authentication. This is what they've said they require:
Quote:

******************************************
"To send, your mail client must support SMTP Authentication. Consult
your mail client's documentation to set up.

Use the following settings:

Outgoing SMTP Server: smtp-auth.no-ip.com
Port Number: 3325
Username: yourdomain.com@noip-smtp yourpassword
******************************************


So please correct me if I'm wrong but if I've read the qmail docs correctly and from what you said above I would need to do the following in /var/qmail/control/smtproutes
Code:

# perl -e 'use MIME::Base64;print encode_base64($ARGV[0])' mydomainname.com@noip-smtp
bXlkb21haW5uYW1lLmNvbUBub2lwLXNtdHA=
# perl -e 'use MIME::Base64;print encode_base64($ARGV[0])' mypassword
bXlwYXNzd29yZA==

/var/qmail/control/smtproutes adjusted with the base64 encoding.
Code:

:smtp-auth.no-ip.com:3325 bXlkb21haW5uYW1lLmNvbUBub2lwLXNtdHA= bXlwYXNzd29yZA==


......or do I just put my username and password in clear text in the smtproutes control file and qmail automagically encrypts it for me? From what I hear you saying, is that this is done in the r15 release but not in the stable r13 release of Qmail. Thanks for any help or suggestions. I just want to make sure I'm understanding this correctly. I'm assuming I'm doing this correctly because the stable r13 Qmail build doesn't supply a 'notlsbeforeauth' USE flag. Only 'ssl' and 'selinux'. My current USE flags are '-X -ipv6 apache2 gtk mmx mysql maildir nls ssl'. I hope those are correct. Thanks again.


Last edited by syn_ack on Sun Mar 20, 2005 10:00 pm; edited 1 time in total
petterg
Guru

Joined: 25 Mar 2004
Posts: 500
Location: Oslo, Norway

Posted: Sun Mar 20, 2005 9:58 pm

Thread starter has some huge personal problems with people suggesting changes / alternatives / improvements to his private thread. I'll post the PM he sent me as a warning to anyone who considers posting anything into this thread:

endtransmission-pm wrote:
coulda pm'd me or emailed me with that and I'd of happily adjusted the howto, asshole.


(At least he acts like a grownup when posting in the forums.)
endtransmission
n00b

Joined: 16 Nov 2003
Posts: 48

Posted: Sun Mar 20, 2005 11:05 pm

Listen mate, there's a tactful way to do things and then there's your way. I have no problem adjusting documentation or howtos, nor do I have any problem taking criticism, however strong. But this was an asshole way to go about it.

Yeah, that was a pretty rough PM I sent you. Dunno how you're gonna recover from that one.

I encourage you to sit down and rewrite the whole thing with current information and detail out the howto for people coming from ground zero. If this is what it takes to drag knowledge and solid documentation out of the woodwork, so be it. This isn't a dare. I have no doubt you can do it. I'm saying go ahead and do it.

This isn't a personal battle man. Leave your baggage at home.


Last edited by endtransmission on Sun Mar 20, 2005 11:08 pm; edited 1 time in total
Strowi
l33t

Joined: 19 Aug 2003
Posts: 655
Location: Bonn

Posted: Sun Mar 20, 2005 11:07 pm

hi,

i don't know what your problem is, petterg was right in all 10 points. And i couldn't find anything offensive or so in his post...
Nonetheless thanks for your efforts!

Now Back to topic!
hail me! I finally got it working, our home-server now receives, checks (spam/virus) and sends mail.;)
Now i need to find out how to realize a pop3-fetcher with qmail (not squirrelmail since i want it to run always, not only when logging in to squirrelmail).

here is a sample-header from a received mail:
Code:

Return-Path: <strowi at gmx.de>
Delivered-To: strowi at xxx.dyndns.org
Received: (qmail 6493 invoked by uid 210); 20 Mar 2005 23:06:57 +0100
Received: from 213.165.64.20 by Yggdrasill (envelope-from <strowi at gmx.de>, uid 201) with qmail-scanner-1.25st
     (f-prot: 4.5.4/3.16.6. spamassassin: 3.0.2. perlscan: 1.25st.
     Clear:RC:0(213.165.64.20):SA:0(1.6/5.0):.
     Processed in 11.319872 secs); 20 Mar 2005 22:06:57 -0000
X-Spam-Status: No, hits=1.6 required=5.0
X-Spam-Level: +
Received: from unknown (HELO mail.gmx.net) (213.165.64.20)
     by 0 with SMTP; 20 Mar 2005 23:06:43 +0100
Received: (qmail invoked by alias); 20 Mar 2005 22:07:02 -0000
Received: from ip-address.netcologne.de (EHLO sleipnir) [ip-address]
     by mail.gmx.net (mp022) with SMTP; 20 Mar 2005 23:07:02 +0100
X-Authenticated: #746518
Received: from localhost [127.0.0.1]
     by sleipnir (192.168.xxx.xxx) (userid 1)
     with ESMTP (Classic Hamster Version 2.0 Build 2.0.6.0) ; Sun, 20 Mar 2005 23:06:49 +0100
From: Roman v. Gemmeren <strowi at gmx.de>
To: strowi at xxx.dyndns.org
Subject:
Date: Sun, 20 Mar 2005 23:06:49 +0100
Message-ID: <rusr31hsn42tdnhq4hbtk76h2me1t6mv67@4ax.com>
X-Mailer: Forte Agent 2.0/32.652
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Posting-Agent: Hamster/2.0.6.0
Return-Path: <strowi at gmx.de>
X-Y-GMX-Trusted: 0


But i've also got some more notes:

1. Courier-authlib 0.5* bug (the one from above)

it should've been emerged as dependency of courier-imap,
but since there is a bug in courier-authlib-0.5*.ebuild regarding "authvchkpw" we need to reemerge it:

- mkdir /PATH_TO_PORTAGE_LOCAL/net-libs/courier-authlib
- cd /PATH_TO_PORTAGE_LOCAL/net-libs/courier-authlib
- cp /usr/portage/net-libs/courier-authlib/courier-authlib-0.53.ebuild .
- nano -w courier-authlib-0.53.ebuild
- change
Code:

if [ has_version 'net-mail/vpopmail' ]; then
   myconf="${myconf} --with-authvchkpw --without-authmysql --without-authpgsql"
   use mysql && ewarn "vpopmail found. authmysql will not be built."
  use postgres && ewarn "vpopmail found. authpgsql will not be built."
else

to
Code:

if has_version 'net-mail/vpopmail'; then
   myconf="${myconf} --with-authvchkpw --without-authmysql --without-authpgsql"
  use mysql && ewarn "vpopmail found. authmysql will not be built."
  use postgres && ewarn "vpopmail found. authpgsql will not be built."
else


- ebuild courier-authlib-0.53.ebuild digest
- emerge courier-authlib
- check the following settings in /etc/courier/authlib/authdaemonrc

Code:

authmodulelist="authvchkpw"
authmodulelistorig="authvchkpw"


- /etc/init.d/courier-authlib restart

2. qmail-scanner-queue.pl
when setting up tcprules like in the first post, add this to /var/qmail/control/conf-common:
Code:

export QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue"

(note the missing ".pl"! this is now using the wrapper-class)

3. spam + virus filters
mostly like sabrex's howto, BUT:
Code:

> nano -w /etc/conf.d/spamd.conf
  SPAMD_OPTS="-d -u vpopmail -v -x -c --siteconfigpath=/etc/mail/spamassassin/local.cf"
> rc-update add spamd default
> /etc/init.d/spamd start


4. Then install qmail-scanner.

ok, this has become a little tricky since perl doesn't allow setuid anymore (for some reason; check google), the easiest way is to reemerge perl:

Code:

> echo "dev-lang/perl perlsuid" >> /etc/portage/package.use
> emerge perl


now before emerging qmail-scanner make sure that spamd is running, otherwise it won't work.
During emerge qmail-scanner watch for the scanning-process if it finds spamd...

Code:

> echo "mail-mta/qmail-scanner spamassassin" >> /etc/portage/package.use
> emerge maildrop
> emerge qmail-scanner
_________________
--
Linux & such ...
http://blog.hasnoname.de
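
Why the one-line ebuild change in note 1 of the post above matters, as an added example that is not part of the original post or of the ebuild: in bash and dash, `[ has_version ... ]` never runs the helper, so the authvchkpw branch is silently skipped even when vpopmail is installed. `has_version` here is a stand-in for Portage's helper, and `INSTALLED`, `CALLS`, `configure_broken` and `configure_fixed` are hypothetical names.

```shell
#!/bin/sh
# Added example. has_version below is a stand-in for Portage's helper
# (assumption: the real one queries the installed-package database).
INSTALLED="net-mail/vpopmail"   # constructed: pretend vpopmail is installed
CALLS=0                         # how many times has_version actually ran

has_version() {
    CALLS=$((CALLS + 1))
    [ "$1" = "$INSTALLED" ]
}

# Form quoted in the post as the original ebuild text: `[` receives the words
# "has_version" and "net-mail/vpopmail" as a malformed test expression,
# reports an error and returns non-zero. has_version itself is never called.
configure_broken() {
    myconf=""
    if [ has_version 'net-mail/vpopmail' ] 2>/dev/null; then
        myconf="--with-authvchkpw --without-authmysql --without-authpgsql"
    fi
}

# Corrected form: the exit status of has_version selects the branch.
configure_fixed() {
    myconf=""
    if has_version 'net-mail/vpopmail'; then
        myconf="--with-authvchkpw --without-authmysql --without-authpgsql"
    fi
}

# Run both forms against the same "installed" state and compare.
CALLS=0; configure_broken
echo "broken: has_version calls=$CALLS myconf='$myconf'"
CALLS=0; configure_fixed
echo "fixed:  has_version calls=$CALLS myconf='$myconf'"
```

The stderr redirect in `configure_broken` only hides the shell's complaint about the malformed test; remove it to see the message that would otherwise scroll past during the emerge.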

Xeper
n00b


Joined: 03 Jun 2003
Posts: 17
Location: Duisburg/Germany

Posted: Fri Mar 25, 2005 8:26 pm

Hi guys,

I have a big problem changing from the old style to relay-ctrl (on an existing installation) - I followed the tutorial so far.
I always get these error messages provided by grsec when I restart svscan (with relay-ctrl stuff):

Quote:

grsec: From 80.141.245.239: attempted resource overstep by requesting 1024 for RLIMIT_NOFILE against limit 1024 by /usr/bin/relay-ctrl-chdir[relay-ctrl-chdi:11140] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/supervise[supervise:6624] uid/euid:0/0 gid/egid:0/0
grsec: From 80.141.245.239: attempted resource overstep by requesting 1024 for RLIMIT_NOFILE against limit 1024 by /usr/bin/relay-ctrl-chdir[relay-ctrl-chdi:21852] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/supervise[supervise:27700] uid/euid:0/0 gid/egid:0/0


I don't get it - no clue what the problem might be :cry:
Maybe someone ran into this trouble, too.
Here is something about my configuration:

mail-mta/qmail: [ I] 1.03-r13 (0)
net-mail/courier-imap: [ I] 4.0.1 (0)
net-mail/relay-ctrl: [ I] 3.1.1-r2 (0)
net-mail/vpopmail: [ I] 5.4.6-r1 (0)

If someone needs more information, just say so - I'm happy for every hint
thanks.

Strowi
l33t


Joined: 19 Aug 2003
Posts: 655
Location: Bonn

Posted: Sat Mar 26, 2005 12:07 pm

hi Xeper,

i would suggest using relay-control the "old way" like described in step 8 of the old thread ( https://forums.gentoo.org/viewtopic.php?t=171499&highlight=qmailscanner ).
You really don't need relay-ctrl.

BTW in the meantime i heard, that qmail was unmaintained (well, i would say dead) for ~6 years. Yesterday i tried the postfix Howto and had a working mta (sending & receiving with SMTP-Auth, SASL/SSL/TLS, Imap in less than an hour).
Today i'm going for the spamfiltering and pop3/imap-Fetcher.;)
_________________
--
Linux & such ...
http://blog.hasnoname.de

rshadow
Apprentice


Joined: 28 Nov 2003
Posts: 176

Posted: Sat Mar 26, 2005 5:30 pm

perhaps you could post a link to the HOWTO you used.. the last one I used involved using cyrus-sasl .. which was a disaster. The only thing that comes close to the hatred I have for the .NET is cyrus-sasl.

cdunham
Apprentice


Joined: 06 Jun 2003
Posts: 211
Location: Rhode Island

Posted: Sun Jul 10, 2005 5:38 pm

Nice HOWTO. It would be great if someone could edit the old one(s) and put a link here. I wasted a lot of time going through obsolete directions. Also, how does this relate to the qmail/vpopmail Virtual Mail Hosting System Guide?

One thing that is kind of lacking is the qmail-scanner instructions and caveats. Did you ever make it to the workshop? ;-)

Specifically, qmail-scanner has to be installed *after* the virus and spam tools, clamd and spamd have to be running during the qmail-scanner emerge, and /var/{log,run}/clamav has to be owned by qscand, and ClamAV has to be configured to run as qscand.
_________________
This post more meaningful in a scalar context.

leosgb
Apprentice


Joined: 07 Mar 2006
Posts: 272
Location: Rio de Janeiro, Brazil

Posted: Fri May 05, 2006 5:33 am    Post subject: login problems

Following the directions on this thread I finally got my server to accept connections on ports 995 and 110 correctly from Thunderbird. But now I have a problem: I can't actually login! I had qmail-pop3d running and I managed to use it for a couple days until I found out I could use courier and have SSL protection so I decided to give it a try. The problem is that since then I can't log in anymore. I could w/ qmail-pop3d but not w/ courier pop3d nor courier pop3d-ssl. Does anyone have any idea why? Is there any information I need to post here to help? Thanks!

netstat -nap:
tcp 0 0 :::993 :::* LISTEN 14067/couriertcpd
tcp 0 0 :::995 :::* LISTEN 14227/couriertcpd
tcp 0 0 :::110 :::* LISTEN 14147/couriertcpd
tcp 0 0 :::143 :::* LISTEN 13987/couriertcpd

iptables -L -n:
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:995
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:993
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:110
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:145

petterg
Guru

Joined: 25 Mar 2004
Posts: 500
Location: Oslo, Norway

Posted: Sun May 07, 2006 12:08 am    Post subject: Re: login problems

leosgb wrote:
Following the directions on this thread I finally got my server to accept connections on ports 995 and 110 correctly from Thunderbird. But now I have a problem: I can't actually login! I had qmail-pop3d running and I managed to use it for a couple days until I found out I could use courier and have SSL protection so I decided to give it a try. The problem is that since then I can't log in anymore. I could w/ qmail-pop3d but not w/ courier pop3d nor courier pop3d-ssl. Does anyone have any idea why? Is there any information I need to post here to help? Thanks!


A year and a half ago I tested imap-ssl with Thunderbird. I concluded that the ssl implementation in Thunderbird was quite buggy. Maybe you've found the same problem in pop3-ssl?
(I'm assuming you've set up Thunderbird to use one of the authentication methods courier accepts.)

leosgb
Apprentice


Joined: 07 Mar 2006
Posts: 272
Location: Rio de Janeiro, Brazil

Posted: Sun May 07, 2006 12:57 am

That is a good question. How can I know what are the acceptable methods for authentication? I have this same problem from Outlook Express so maybe that is not the issue but it is always good to check. Thanks for the suggestion!