Wednesday, May 13, 2009

Build mail server with strenght spam assassin rules

OS: CENTOS 5, CENTOS 5.1
ARCH: i386 [Notes for 64 bit will be added soon]

Objective of this document:
Few years ago, I was looking for a better alternative to sendmail. I came accross qmail. While looking for a guide, I stumbled upon qmailrocks.org guide. I simply loved the way it was arranged and how easy it was to follow. By the time of this writing I have setup countless mail servers on qmail using this (QMR) guide. However, for past couple of years, I am seeing that it is not being updated any more. The software provided by the qmailrocks.tar.gz package are now outdated. Newer software have few changes in their configuration. So I decided to follow the original QMR guide, but tried to use the latest software in each step from the original websites, respectively. And eventually I ended up with this howto. I hope it would be helpful to the qmail lovers all over the world.

Qmail Rocks Home page: http://www.qmailrocks.org . Most of this document is based on original QMR guide.


Here is what I have added in the original QMR guide:
- Installation of Perl Modules
- Antispam tools (Razor, DCC, RBL SMTPD , Grey listing)
- Qmail Mail MRTG graphs for SPAM and Viruses

Here is what I have removed from the QMR guide:
- qmail analog / reporting tools (in the last steps of original QMR guide), because they are no longer compatible with the latest version of qmailscanner.



Scenario:

The following howto / tutorial was created using a live deployment, still in production!
However, the IPs, hostnames and passwords are changed to protect privacy.

Hostname: www.example.com
IP: 192.168.0.200

Note on installation software directories:
Whatever is unzipped / untarred from the QMR package, will be in /downloads/qmailrocks directory.

Whatever new software I will download/use, will be placed in /downloads/qmailnew directory.

Step: Upgrade OS:

First of all it is absolutely necessary for you to upgrade your OS upto the latest version.


[root@www ~]# yum upgrade
Loading "installonlyn" plugin

Dependencies Resolved

=============================================================================
Package Arch Version Repository Size
=============================================================================
Installing:
kernel i686 2.6.18-53.1.14.el5 updates 13 M
Updating:
kernel-headers i386 2.6.18-53.1.14.el5 updates 786 k

Transaction Summary
=============================================================================
Install 1 Package(s)
Update 1 Package(s)
Remove 0 Package(s)


Total download size: 14 M
Is this ok [y/N]: y
Downloading Packages:
(1/2): kernel-headers-2.6.18-53.1.14.el5.i386.rpm 786 kB 00:01
(2/2): kernel-2.6.18-53.1.14.el5.i686.rpm 13 MB 00:33
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing: kernel ######################### [1/3]
Updating : kernel-headers ######################### [2/3]
Cleanup : kernel-headers ######################### [3/3]

Installed: kernel.i686 0:2.6.18-53.1.14.el5
Updated: kernel-headers.i386 0:2.6.18-53.1.14.el5
Complete!



After upgrading the kernel, it is better, to re-install grub / boot loader. I have experienced a few times that once the system is rebooted after a kernel upgrade, it doesn't come online. But this is a rare case. Still, there is no harm in re-installing grub to be on the safe side.


[root@www ~]# grub-install /dev/hda
Installation finished. No error reported.
This is the contents of the device map /boot/grub/device.map.
Check if this is correct or not. If any of the lines is incorrect,
fix it and re-run the script `grub-install'.

# this device map was generated by anaconda
(hd0) /dev/hda


Then do a "sync" and "reboot" the system.

[root@www ~]# sync

[root@www ~]# reboot

Step: SSH key based authentication
-----------------------------------

This is not directly related to qmail, but I always set this up, whenever I am setting up a new server. This SSH key based authentication, "greatly" enhances the security of the server.

I already have my keys generated on my home, which are being used on many servers. So I just need to copy my id_dsa.pub to the home directory of user kamran on the new server.

On my home computer:-

### WARNING: Use the following to generate keys ONLY if you don't have keys already. Make SURE to backup your current id_dsa and id_dsa.pub files before doing it.:-

#### ~]$ ssh-keygen -t dsa # generate keys ONLY if you don't have keys already. Make SURE to backup your current id_dsa and id_dsa.pub files before doing it.

~]$ scp .ssh/id_dsa.pub kamran@192.168.0.200This e-mail address is being protected from spambots, you need JavaScript enabled to view it :/home/kamran/


On my new qmail server:-

Log on as user kamran. And then:

~]$ ssh localhost # just a lazy way to create .ssh directories in /home/kamran ! # not needed if already exists.

I have this pub key arrived from my home computer on this server in /home/kamran. Copy it to the /home/kamran/.ssh/authorized_keys file.

~]$ cat id_dsa.pub >> .ssh/authorized_keys

~]$ chmod 600 .ssh/authorized_keys # Important. Otherwise SSH server will not let you use this file.

~]$ rm id_dsa.pub



Next, Login as root and setup SSH server to allow ONLY key based authentication. Tighten it a bit too. Disable RootLogin, and Password authentication.

vi /etc/ssh/sshd_config

Protocol 2
SyslogFacility AUTHPRIV
LoginGraceTime 2m
PermitRootLogin no
StrictModes yes
MaxAuthTries 6

PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

PasswordAuthentication no
ChallengeResponseAuthentication no

GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

PermitRootLogin no
UsePAM yes

AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
X11Forwarding no
MaxStartups 5

Subsystem sftp /usr/libexec/openssh/sftp-server


Restart sshd service:-

service sshd restart


Step: Setup / verify name resolution and IP , etc:
---------------------------------------------------

cat /etc/hosts

127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
192.168.0.200 www.example.com www




cat /etc/resolv.conf

domain example.com
nameserver 72.51.32.92
nameserver 72.51.32.76
options rotate


cat /etc/sysconfig/network

NETWORKING=yes
HOSTNAME=www.example.com
DOMAIN=example.com
GATEWAYDEV=eth0


cat /etc/sysconfig/network-scripts/ifcfg-eth0
#/etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
ONBOOT=yes
BOOTPROTO=static
IPADDR=192.168.0.200
NETMASK=255.255.255.0



Step: Install Software Prerequisites:
--------------------------------------

1. httpd, httpd-devel, apr
2. php, php-imap, php-mysql, php-gd, php-pear, php-zlib, php-mbstring, php-xml,
3. perl, perl-libwww-perl, perl-Digest-SHA1, perl-Digest-HMAC, perl-Net-DNS, perl-HTML-Tagset, perl-HTML-Parser
perl-Time-HiRes, perl-TimeDate, perl-suidperl, perl-DateManip
4. gcc, gcc-c++, libtool-ltdl, libtool-ltdl-devel
5. mysql-server, mysql-devel, postgresql-devel
6. openssl, openssl-devel, openldap-servers
7. wget
8. patch, patchutils
9. pcre-devel
10. gdbm-devel
11. db4, db4-devel
12. fam fam-devel gamin-devel
13. net-snmp + net-snmp-utils + net-snmp-libs
14. mrtg
15. spamassassin, expect, zlib-devel


yum -y install net-snmp net-snmp-utils net-snmp-libs mrtg \
httpd httpd-devel php php-imap php-mysql php-gd php-pear php-zlib php-mbstring php-xml \
gcc gcc-c++ gdbm-devel pcre-devel libtool-ltdl libtool-ltdl-devel \
mysql-server mysql-devel db4 db4-devel postgresql-devel \
openssl openssl-devel openldap-servers \
perl perl-libwww-perl perl-Digest-SHA1 perl-Digest-HMAC perl-Net-DNS perl-HTML-Tagset perl-HTML-Parser perl-Time-HiRes perl-TimeDate perl-suidperl perl-DateManip \
spamassassin expect zlib-devel \
fam fam-devel gamin-devel patch patchutils



Step: Install necessary perl modules:
-------------------------------------

You can run the following script from the QMR package to check existance / list of installed perl modules.

/downloads/qmailrocks/scripts/util/check_perlmods.script


The technique used in this script is:-

perldoc -l Time::HiRes


You can also use the following technique:-

First, are you sure that the module isn’t already on your system? Try:-

perl -MTime::HiRes -e 1




perl -MCPAN -e "install Bundle::CPAN"
perl -MCPAN -e "reload"

perl -MCPAN -e "install Digest::SHA1"
perl -MCPAN -e "install Digest::HMAC"
perl -MCPAN -e "install HTML::Tagset"
perl -MCPAN -e "install HTML::Parser"
perl -MCPAN -e "install Parse::Syslog"
perl -MCPAN -e "install Statistics::Distributions"
perl -MCPAN -e "install ClamAV::Client"
perl -MCPAN -e "install Mail::SpamAssassin"
perl -MCPAN -e "install Mail::SPF::Query"
perl -MCPAN -e "install IP::Country::Fast"
perl -MCPAN -e "install MIME::Base64"
perl -MCPAN -e "install Getopt::Long"
perl -MCPAN -e "install URI::Escape"
perl -MCPAN -e "install Mail::SPF"

perl -MCPAN -e "install IO::Zlib"
perl -MCPAN -e "install Test::Harness"
perl -MCPAN -e "install Test::Simple"
perl -MCPAN -e "install Mail::DKIM"
perl -MCPAN -e "install Mail::DomainKeys"
perl -MCPAN -e "install Crypt::OpenSSL::Bignum"
perl -MCPAN -e "install IO::Socket::INET6"
perl -MCPAN -e "install IO::Socket::SSL"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::DCC"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::Razor2"
perl -MCPAN -e "install Socket6"
perl -MCPAN -e "install Date::Manip"
perl -MCPAN -e "install DB_File"

perl -MCPAN -e "install Archive::Tar"
perl -MCPAN -e "install IO::Socket::INET6"
perl -MCPAN -e "install IO::Socket::SSL"
perl -MCPAN -e "install Net::Ident"



perl -MCPAN -e "install Time::HiRes" # problem (done manually)
perl -MCPAN -e "install Archive::Tar" # ------------------------> problem (done manually)
perl -MCPAN -e "install Net::Ident" # --------------------------> problem (done manually)
perl -MCPAN -e "install Razor2::Client::Agent" # will be installed with Razor software
perl -MCPAN -e "install File::Copy" # problem



If you are getting the following error in your CRON mails,

Subroutine main::AF_INET6 redefined at /usr/lib/perl5/5.8.8/Exporter.pm line 65.
at /usr/bin/mrtg line 97

OR,

if you get the same error while running "env LANG=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg", then install the following:-


mkdir /downloads/qmailnew


cd /downloads/qmailnew
wget http://search.cpan.org/CPAN/authors/id/J/JG/JGMYERS/Encode-Detect-1.00.tar.gz
tar xzf Encode-Detect-1.00.tar.gz
cd Encode-Detect-1.00
perl Makefile.PL && make && make install


cd /downloads/qmailnew
wget http://search.cpan.org/CPAN/authors/id/J/JH/JHI/Time-HiRes-1.9715.tar.gz
tar xzf Time-HiRes-1.9715.tar.gz
cd Time-HiRes-1.9715
perl Makefile.PL && make && make install


cd /downloads/qmailnew
wget http://search.cpan.org/CPAN/authors/id/O/OL/OLAF/Net-DNS-0.63.tar.gz
tar xzf Net-DNS-0.63.tar.gz
cd Net-DNS-0.63
perl Makefile.PL && make && make install


cd /downloads/qmailnew
wget http://search.cpan.org/CPAN/authors/id/J/JP/JPC/Net-Ident-1.20.tar.gz
tar xzf Net-Ident-1.20.tar.gz
cd Net-Ident-1.20
perl Makefile.PL && make && make install


cd /downloads/qmailnew
wget http://search.cpan.org/CPAN/authors/id/K/KA/KANE/Archive-Tar-1.38.tar.gz
tar xzf Archive-Tar-1.38.tar.gz
cd Archive-Tar-1.38
perl Makefile.PL && make && make install

cd /downloads/qmailnew
wget http://search.cpan.org/CPAN/authors/id/G/GO/GOZER/mod_perl-2.0.4.tar.gz
tar xzf mod_perl-2.0.4.tar.gz
cd mod_perl-2.0.4
perl Makefile.PL && make && make install



Specify apxs path by finding through:

rpm -ql httpd-devel | grep -i apxs
/usr/sbin/apxs



perl -MCPAN -e "install Razor2::Client::Agent" # will be installed with Razor software
perl -MCPAN -e "install File::Copy" # problem



perl-Time-HiRes may not get installed. Install that through CPAN/manually.




Step: Setup and harden Apache, Generate SSL certificate for apache:
-------------------------------------------------------------------

cd /etc/httpd/conf.d

mv manual.conf manual.conf.disabled
mv proxy_ajp.conf proxy_ajp.conf.disabled
mv python.conf python.conf.disabled
mv squid.conf squid.conf.disabled
mv welcome.conf welcome.conf.disabled


vi /etc/httpd/conf/httpd.conf

( Unload un-neccessary modules )

##LoadModule ldap_module modules/mod_ldap.so
##LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
##LoadModule dav_module modules/mod_dav.so
##LoadModule dav_fs_module modules/mod_dav_fs.so
##LoadModule speling_module modules/mod_speling.so
##LoadModule userdir_module modules/mod_userdir.so
##LoadModule proxy_module modules/mod_proxy.so
##LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
##LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
##LoadModule proxy_http_module modules/mod_proxy_http.so
##LoadModule proxy_connect_module modules/mod_proxy_connect.so



User apache
Group apache

ServerAdmin webmaster@example.comThis e-mail address is being protected from spambots, you need JavaScript enabled to view it

ServerName www.example.com:80
ServerSignature Off

UseCanonicalName Off

DocumentRoot "/var/www/html"

DirectoryIndex index.html index.php index.html.var

AccessFileName .htaccess


Order allow,deny
Deny from all



ServerSignature Off

# Comment out the following ( MUST )
## AddDefaultCharset UTF-8


AddCharset ISO-8859-1 .iso8859-1 .latin1
AddCharset ISO-8859-2 .iso8859-2 .latin2 .cen
AddCharset ISO-8859-3 .iso8859-3 .latin3
AddCharset ISO-8859-4 .iso8859-4 .latin4
AddCharset ISO-8859-5 .iso8859-5 .latin5 .cyr .iso-ru
AddCharset ISO-8859-6 .iso8859-6 .latin6 .arb
AddCharset ISO-8859-7 .iso8859-7 .latin7 .grk
AddCharset ISO-8859-8 .iso8859-8 .latin8 .heb
AddCharset ISO-8859-9 .iso8859-9 .latin9 .trk
AddCharset ISO-2022-JP .iso2022-jp .jis
AddCharset ISO-2022-KR .iso2022-kr .kis
AddCharset ISO-2022-CN .iso2022-cn .cis
AddCharset Big5 .Big5 .big5

AddCharset WINDOWS-1251 .cp-1251 .win-1251
AddCharset CP866 .cp866
AddCharset KOI8-r .koi8-r .koi8-ru
AddCharset KOI8-ru .koi8-uk .ua
AddCharset ISO-10646-UCS-2 .ucs2
AddCharset ISO-10646-UCS-4 .ucs4
AddCharset UTF-8 .utf8

AddCharset GB2312 .gb2312 .gb
AddCharset utf-7 .utf7
AddCharset utf-8 .utf8
AddCharset big5 .big5 .b5
AddCharset EUC-TW .euc-tw
AddCharset EUC-JP .euc-jp
AddCharset EUC-KR .euc-kr
AddCharset shift_jis .sjis



## AddDefaultCharset UTF-8



NameVirtualHost *:80


ServerAdmin webmaster@example.comThis e-mail address is being protected from spambots, you need JavaScript enabled to view it
DocumentRoot /var/www/vhosts/example.com/httpdocs
ServerName www.example.com
ErrorLog /var/www/vhosts/example.com/logs/error_log
CustomLog /var/www/vhosts/example.com/logs/access_log common
# on the OS, you need:-
# mkdir /var/www/vhosts/example.com/{httpdocs,logs} -p
# chown apache:apache /var/www/vhosts/example.com -R
# useradd -g users -s /sbin/nologin -d /var/www/vhosts/example.com/ examplecom
# passwd examplecom
# chown examplecom:apache /var/www/vhosts/example.com/httpdocs -R
# chmod 0750 /var/www/vhosts/example.com
# chmod 2750 /var/www/vhosts/example.com/httpdocs




service httpd restart


Step: Transfer web content from your old server to new one [optional]:
----------------------------------------------------------------------

Time to transfer web content from old server to our new server.

Login to new example server, as root and go in the parent directory of the document root of example.com. In my case the document root is /var/www/vhosts/example.com/httpdocs. So I would go in /var/www/vhosts/example.com .

Start lftp from this new server's command prompt, and connect to remote old server.

Type mirror on the commmand prompt and press enter. Let the magic happen.


[root@www example.com]# lftp -u example www.oldserver.com
Password:

lftp example@www.oldserver.comThis e-mail address is being protected from spambots, you need JavaScript enabled to view it :~> ls
drwxr-xr-x 5 example psacln 4096 Nov 12 14:30 anon_ftp
drwxr-xr-x 2 example psacln 4096 Nov 12 14:30 bin
drwxr-xr-x 3 example psacln 4096 Jul 22 2006 cgi-bin
drwxr-xr-x 2 example psacln 4096 Mar 29 15:08 conf
drwxr-xr-x 2 example psacln 4096 Jul 22 2006 error_docs
drwxr-xr-x 16 example psacln 4096 May 6 07:27 httpdocs
drwxr-xr-x 7 example psacln 4096 Nov 12 21:04 httpsdocs
drwxr-xr-x 2 example psacln 4096 Mar 29 15:08 pd
drwxr-xr-x 2 example psacln 4096 Jul 22 2006 private
dr-xr-xr-x 7 example psacln 4096 Nov 12 14:30 statistics
drwxr-xr-x 2 example psacln 4096 Nov 12 14:30 subdomains
drwxr-xr-x 2 example psacln 4096 Nov 12 14:30 web_users

lftp example@www.oldserver.comThis e-mail address is being protected from spambots, you need JavaScript enabled to view it :/> mirror

...
`squid3.avi' at 51904512 (30%) 963.6K/s eta:2m [Receiving data]



Step: Setup Time Zone for new server:
-------------------------------------

Local Time

[root@www example.com]# cat /etc/localtime
TZif2UTCTZif2UTC
UTC0

[root@www example.com]# rm /etc/localtime
rm: remove regular file `/etc/localtime'? y

[root@www example.com]# ln -s /usr/share/zoneinfo/Asia/Karachi /etc/localtime

[root@www example.com]# cat /etc/localtime
FPLMTISTKARTPKSTPKTTZif2 ~ 2 t ? O 0< e =" ("> MX[hFT`
PKT-5


Step: Shutdown unnecessary services:
------------------------------------


service sendmail stop
chkconfig --level 35 sendmail off

service cups stop
chkconfig --level 35 cups off

nmap localhost

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
225/tcp open unknown
443/tcp open https

[root@www ~]# netstat -antp | grep 225
tcp 0 0 0.0.0.0:225 0.0.0.0:* LISTEN 1972/sbadm

[root@www ~]# chkconfig --level 35 sbadm off

[root@www ~]# service sbadm stop

[root@www ~]# nmap localhost

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https

[root@www ~]# netstat -antp | grep LISTEN
tcp 0 0 0.0.0.0:40147 0.0.0.0:* LISTEN 2131/perl
tcp 0 0 :::80 :::* LISTEN 1985/httpd
tcp 0 0 :::22 :::* LISTEN 1926/sshd
tcp 0 0 :::443 :::* LISTEN 1985/httpd


40147 is webmin . And I NEVER want it on my server.

[root@www ~]# /etc/rc.d/init.d/webmin stop
Stopping Webmin server in /usr/local/webmin-1.330

[root@www ~]# rm -fr /usr/local/webmin-1.330

[root@www ~]# netstat -antp | grep LISTEN
tcp 0 0 :::80 :::* LISTEN 1985/httpd
tcp 0 0 :::22 :::* LISTEN 1926/sshd
tcp 0 0 :::443 :::* LISTEN 1985/httpd


chkconfig --level 35 sendmail off
chkconfig --level 35 cups off
chkconfig --level 35 firstboot off
chkconfig --level 35 bluetooth off
chkconfig --level 35 ip6tables off
chkconfig --level 35 pcscd off
chkconfig --level 35 sbadm off
chkconfig --level 35 setroubleshoot off
chkconfig --level 35 webmin off



Step: Setup and Secure MySQL:
-----------------------------

chkconfig --level 35 mysqld on
service mysqld start

/usr/bin/mysqladmin -u root password 'secretpassword'

/usr/bin/mysqladmin -u root -h www.example.com password 'secretpassword'

mysql -u root -D mysql -p

mysql> select user,password from user;
+------+------------------+
| user | password |
+------+------------------+
| root | 09ac555e5b93c437 |
| root | 09ac555e5b93c437 |
| | |
| | |
+------+------------------+
4 rows in set (0.00 sec)


We need to delete these two lines with balnk user names to further tighten the security.


mysql> delete from user where user="";
Query OK, 2 rows affected (0.00 sec)

mysql> commit;
Query OK, 0 rows affected (0.00 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)



Step: Setup FTP (VSFTPD) :


useradd -g users -s /sbin/nologin -d /var/www/vhosts/example.com/ examplecom
passwd examplecom


[root@www httpd]# vi /etc/vsftpd/vsftpd.conf

anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
anon_upload_enable=NO
anon_mkdir_write_enable=NO
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
nopriv_user=nobody
ftpd_banner=Welcome to blah FTP service at example.com . You are being watched.
chroot_local_user=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES


chkconfig --level 35 vsftpd on

[root@www conf.d]# service vsftpd restart
Shutting down vsftpd: [ OK ]
Starting vsftpd for vsftpd: [ OK ]

[root@www conf.d]# ps aux | grep -i vsftpd
root 6459 0.0 0.0 5056 508 ? Ss 11:37 0:00 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
root 6462 0.0 0.0 4096 584 pts/0 R+ 11:37 0:00 grep -i vsftpd


Step: Setup SNMP and MRTG:
--------------------------
yum -y install net-snmp net-snmp-utils net-snmp-libs


vi /etc/snmp/snmpd.conf

com2sec notConfigUser default secretsnmp
group notConfigGroup v1 notConfigUser
view roview included .1
access notConfigGroup "" any noauth exact roview rwview none
syslocation SomewhereinUS
syscontact Root <>
disk /
load 12 14 14
pass .1.3.6.1.4.1.4413.4.1 /usr/bin/ucd5820stat


service snmpd start
chkconfig --level 35 snmpd on


MRTG:
------

yum -y install mrtg


cfgmaker --global "Options[_]: growright, bits, unknaszero" --ifref=ip --ifdesc=descr --noreversedns --global "WorkDir: /var/www/mrtg" --output=/etc/mrtg/mrtg.cfg secretsnmp@localhost

indexmaker --output=/var/www/mrtg/index.html --title="www.example.com System Graphs" /etc/mrtg/mrtg.cfg


env LANG=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg
env LANG=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg
env LANG=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg


# vi /etc/httpd/conf.d/mrtg.conf

Alias /mrtg /var/www/mrtg


Order deny,allow
Allow from all



service httpd restart



Add additional graphs:

vi /etc/mrtg/mrtg.cfg
...
...

LoadMIBs: /usr/share/snmp/mibs/UCD-SNMP-MIB.txt, /usr/share/snmp/mibs/TCP_MIB.txt, /usr/share/snmp/mibs/HOST-RESOURCES-MIB.txt


Target[example_root]:dskPercent.1&dskPercent.1:secretsnmp@localhost
MaxBytes[example_root]: 100
Title[example_root]: DISK USAGE - /
PageTop[example_root]:

DISK Usage in % (/)


Unscaled[example_root]: ymwd
ShortLegend[example_root]: %
YLegend[example_root]: DISK Utilization
Legend1[example_root]: /:
Legend2[example_root]: /:
Legend3[example_root]:
Legend4[example_root]:
LegendI[example_root]: /:
LegendO[example_root]: /:
Options[example_root]: growright, unknaszero, gauge,nopercent




Target[example_loadavg]: laLoad.2&laLoad.3:secretsnmp@localhost
MaxBytes[example_loadavg]: 5000
Title[example_loadavg]: Load Average
PageTop[example_loadavg]:

Load Average


YLegend[example_loadavg]: Load Average
ShortLegend[example_loadavg]:
Legend1[example_loadavg]: Load average 5 min
Legend2[example_loadavg]: Load average 15 min
LegendI[example_loadavg]: 5min load avg
LegendO[example_loadavg]: 15min load avg
Options[example_loadavg]: nopercent,growright,noinfo,gauge, unknaszero




Target[example_cpusum]:ssCpuRawUser.0&ssCpuRawUser.0:secretsnmp@localhost + ssCpuRawSystem.0&ssCpuRawSystem.0:secretsnmp@localhost + ssCpuRawNice.0&ssCpuRawNice.0:secretsnmp@localhost
MaxBytes[example_cpusum]: 100
Title[example_cpusum]: CPU Usage % (User+System+Nice)
PageTop[example_cpusum]:

CPU Usage % (User+System+Nice)


ShortLegend[example_cpusum]: %
YLegend[example_cpusum]: CPU Usage
Legend1[example_cpusum]: CPU usage in %
Legend2[example_cpusum]:
Legend3[example_cpusum]:
Legend4[example_cpusum]:
LegendI[example_cpusum]: Active
LegendO[example_cpusum]:
Options[example_cpusum]: growright,nopercent, unknaszero




Target[example_memory]: memTotalReal.0&memAvailReal.0:secretsnmp@localhost
Options[example_memory]: nopercent,growright,gauge,noinfo, unknaszero
Title[example_memory]: Free Memory
PageTop[example_memory]:

Free Memory


MaxBytes[example_memory]: 2147483648
YLegend[example_memory]: bytes
ShortLegend[example_memory]: bytes
kMG[example_memory]: k,M
Legend1[example_memory]: Total Physical Memory
Legend2[example_memory]: Free Physical Memory
LegendI[example_memory]: Total Memory
LegendO[example_memory]: Free Memory


# Need to specify the download location of the mysql-load software.

Target[example_mysql]: `/usr/local/mrtg-mysql/mrtg-mysql-load -c /usr/local/mrtg-mysql/mysql-load.conf`
Options[example_mysql]: perminute, nopercent, integer, growright, unknaszero
MaxBytes[example_mysql]: 200
AbsMax[example_mysql]: 2000
Unscaled[example_mysql]: dwmy
Title[example_mysql]: MySQL load analysis
PageTop[example_mysql]:

MySQL load Analysis


ShortLegend[example_mysql]: q/m


Run index maker again:

indexmaker --output=/var/www/mrtg/index.html --title="www.example.com System Graphs" /etc/mrtg/mrtg.cfg


env LANG=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg
env LANG=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg
env LANG=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg


Step: Setup Webalizer :
----------------------

WEBALIZER

mv /etc/httpd/conf.d/webalizer.conf /etc/httpd/conf.d/webalizer.conf.orig

cat >> /etc/httpd/conf.d/webalizer.conf << EOF

Alias /usage /var/www/usage


Order deny,allow
Allow from all

EOF

service httpd restart



Step: Actual Qmail Mail Server setup:
--------------------------------------

Step: Create the necessary users and directories:
-------------------------------------------------
Note: In case you are going to setup multiple machines as Qmail servers in a cluster formation, you will need to create the users and groups with the "same" UIDs and GIDs . This will ensure correct functionality of the Qmail system when the mail directories are mounted on a central NFS mount, or over an ISCSI based IPSAN, etc. Doing so even on the single node setup also help in standardization, and is a good practice.

mkdir -p /var/qmail
mkdir -p /usr/src/qmail


groupadd -g 700 nofiles
useradd -u 701 -g nofiles -d /var/qmail/alias -s /sbin/nologin -p '*' alias
useradd -u 702 -g nofiles -d /var/qmail -s /sbin/nologin -p '*' qmaild
useradd -u 703 -g nofiles -d /var/qmail -s /sbin/nologin -p '*' qmaill
useradd -u 704 -g nofiles -d /var/qmail -s /sbin/nologin -p '*' qmailp
groupadd -g 701 qmail
useradd -u 705 -g qmail -d /var/qmail -s /sbin/nologin -p '*' qmailq
useradd -u 706 -g qmail -d /var/qmail -s /sbin/nologin -p '*' qmailr
useradd -u 707 -g qmail -d /var/qmail -s /sbin/nologin -p '*' qmails
groupadd -g 702 vchkpw
useradd -u 708 -g vchkpw -d /home/vpopmail -s /sbin/nologin -p '*' vpopmail


mkdir -p /package
chmod 1755 /package

mkdir -p /var/log/qmail/qmail-send
mkdir -p /var/log/qmail/qmail-smtpd
mkdir -p /var/log/qmail/qmail-pop3d

chown -R qmaill:root /var/log/qmail

chmod -R 750 /var/log/qmail

mkdir -p /var/qmail/supervise/qmail-smtpd/log
mkdir -p /var/qmail/supervise/qmail-send/log
mkdir -p /var/qmail/supervise/qmail-pop3d/log

chmod +t /var/qmail/supervise/qmail-smtpd
chmod +t /var/qmail/supervise/qmail-send
chmod +t /var/qmail/supervise/qmail-pop3d


##########################################################################

From www.lifewithqmail.org :-

Note: The qmail bin directory must reside on a filesystem that allows the use of executable and setuid() files. Some OS distributions automatically mount /var with the nosuid or noexec options enabled. On such systems, either these options should be disabled or /var/qmail/bin should reside on another filesystem without these options enabled. The Create directories section describes how to use symbolic links to accomplish the latter. If /var is mounted nosuid, you'll probably see the following error message in the qmail-send logs:

delivery : deferral: Sorry,_message_has_wrong_owner._(#4.3.5)


###########################################################################



For ease of management, all software will be downloaded in /downloads/qmailrocks directory, so lets create that as well.

mkdir -p /downloads/qmailrocks
mkdir -p /downloads/qmailnew

Download the qmailrocks.tar.gz from www.qmailrocks.org in /downloads and untar it at the same location. This will create /downloads/qmailrocks and will have all the QMR files in it. This will help as a source of comparison of various software versions. Current stable release: 2.2.1 - 4/19/2006

cd /downloads/
wget http://www.qmailrocks.org/downloads/qmailrocks.tar.gz
tar xzf qmailrocks.tar.gz



####################################################

The official Qmail website (http://cr.yp.to/qmail.html) , has the same version available on it which is supplied by QMR. So we will use the ones provided by QMR.

cd /usr/src/qmail
tar xzf /downloads/qmailrocks/qmail-1.03.tar.gz
tar xzf /downloads/qmailrocks/ucspi-tcp-0.88.tar.gz


cd /package
tar xzf /downloads/qmailrocks/daemontools-0.76.tar.gz


# Set up conf-split and conf-spawn (Don't use the figure 255 in the line below):

echo 211 > /usr/src/qmail/qmail-1.03/conf-split
### echo 255 > /usr/src/qmail/qmail-1.03/conf-spawn ### Don't do it else the JMS patch will fail one Hunk. See below.


Step: Time to apply various patches to Qmail-1.03:
--------------------------------------------------
Get latest combined patch (version 7.05) by jms1 from http://qmail.jms1.net/patches/combined-details.shtml

cd /downloads/qmailnew
wget http://qmail.jms1.net/patches/qmail-1.03-jms1.7.05.patch

This patch already contains the FORCE_TLS patch, so no need to further patch the qmail for forcetls (as it is done in the QMR guide).

Note that this combined patch does not contain patch for tarpitting! And we don't need tarpitting as we are not using it.


Lets do the actual patching.

cd /usr/src/qmail/qmail-1.03/
patch < /downloads/qmailnew/qmail-1.03-jms1.7.05.patch


Note that one hunk will fail for conf-spawn, "IF" the value in it is 255, as setup by the original QMR guide. The hunk wanted to write 120 to conf-spawn whereas it already has 255. Note the value cannot be "more" than 255. And in some cases it cannot be more than 125.


[So I am forgiving this error at the moment and moving on. I do not think it is that serious.]

Sine I did not change the value and retained it as 120 in the conf-spawn, the hunk did not fail.



Step: Compile Qmail:
--------------------

Patching done. ( I am not going to use the tarpit patch) .

Let's do the actual compilation of Qmail now:

cd /usr/src/qmail/qmail-1.03

make clean
make man && make setup check


Alhumdulillah. Qmail compiled successfully.



Let's move on.

Run the config-fast script.

./config-fast www.example.com

[root@www qmail-1.03]# ./config-fast www.example.com
Your fully qualified host name is www.example.com.
Putting www.example.com into control/me...
Putting example.com into control/defaultdomain...
Putting example.com into control/plusdomain...
Putting www.example.com into control/locals...
Putting www.example.com into control/rcpthosts...
Now qmail will refuse to accept SMTP messages except to www.example.com.
Make sure to change rcpthosts if you add hosts to locals or virtualdomains!
[root@www qmail-1.03]#



#####################################################################################################
Important From: http://www.antagonism.org/qmr-faq.shtml

7.11 What is the difference between the locals and rcpthosts files in /var/qmail/control?

The locals file contains domains which reside locally on the machine. This means accounts listed in locals should have shell accounts on the machine. If you use vpopmail, your locals file should be empty but exist. This problem is prevalent in many qmailrocks installs as the instruction set wrongly instructs users to configure qmail using the "config-fast" shell script. Unless the user desires email accounts for his shell accounts the is not the correct method. The following commands correct this error.

If /var/qmail/control/locals exists, run the first command. If not, you may skip to the second command.
# rm -f /var/qmail/control/locals
# touch /var/qmail/control/locals
# chmod 644 /var/qmail/control/locals
# chown root.root /var/qmail/control/locals

The rcpthosts file contains the domains for which qmail-smtpd will accept email. The rcpthosts file should contain the domain names only. Do not put in email addresses, hostnames or IP addresses into this file.
######################################################################################################

Though I have read the note above and implemented on a few live servers. I do not agree with it. The reason is that if I do as advised above, in this note, then mails destined for root, postmaster, etc do not get delivered to the mailbox of postmaster. So we won't act upon this advice. I have only copied this text/note here, to warn you.



Step: Generate the certificate (QMR guide).

make cert

[root@www qmail-1.03]# make cert
-----
Country Name (2 letter code) [GB]:PK
State or Province Name (full name) [Berkshire]:Punjab
Locality Name (eg, city) [Newbury]:Islamabad
Organization Name (eg, company) [My Company Ltd]:example
Organizational Unit Name (eg, section) []:www
Common Name (eg, your name or your server's hostname) []:www.example.com
Email Address []: webmaster@example.comThis e-mail address is being protected from spambots, you need JavaScript enabled to view it
chmod 640 /var/qmail/control/servercert.pem
chown qmaild.qmail /var/qmail/control/servercert.pem
ln -s /var/qmail/control/servercert.pem /var/qmail/control/clientcert.pem
[root@www qmail-1.03]#


chown -R vpopmail:qmail /var/qmail/control/clientcert.pem /var/qmail/control/servercert.pem




Step: Build ucspi-tcp...

cd /usr/src/qmail/ucspi-tcp-0.88/


Before we build ucspi, we need to patch it for errno. This patch is included in the QMR package and also mentioned at www.lifewithqmail.org/lwq.html .

cd /usr/src/qmail/ucspi-tcp-0.88/
patch < /downloads/qmailrocks/patches/ucspi-tcp-0.88.errno.patch

make && make setup check



Now we build the daemontools....


Daemon tools also need to be patched for errno. This patch is included in the QMR package and also mentioned at http://www.lifewithqmail.org/lwq.html#install-daemontools .

cd /package/admin/daemontools-0.76/src
patch < /downloads/qmailrocks/patches/daemontools-0.76.errno.patch
cd /package/admin/daemontools-0.76

./package/install


You should be able to see svscanboot running:-

[root@www daemontools-0.76]# ps aux | grep svscan
root 26092 0.0 0.0 2424 1012 ? Ss 12:13 0:00 /bin/sh /command/svscanboot
root 26094 0.0 0.0 1664 340 ? S 12:13 0:00 svscan /service
root 26097 0.0 0.0 4100 584 pts/0 R+ 12:13 0:00 grep svscan




Step: EZMLM:
------------

You will need the mysql-devel package to be installed on the system before compiling this software.

yum install mysql-devel


The QMR package provides ezmlm-0.53-idx-0.41.tar.gz . The actual / raw version of this software is ezmlm-0.53 at http://cr.yp.to/ezmlm.html . However an extended version is at http://www.ezmlm.org/ .

At the time of this writing, The most recent stable version of ezmlm-idx is 6.0.1, and is available at the link: http://www.ezmlm.org/archive/6.0.1/ . (Even the most recent version in the older stable series is 0.444, which is "newer" than what QMR package provides.) .

There is a twist. the documentation from the 6.0.1 INSTALL file tells us to download the actual 0.53 (non-idx) version from http://cr.yp.to /ezmlm.html . Untar both 0.53 and 6.0.1 versions in two separate directories. Then copy / move evereything from 6.0.1 to 0.53 directory. Then patch the 0.53 code with the idx.patch file provided in 6.0.1 . Configure various files. And complile the 0.53 directory.

Lets downlaod both.

cd /downloads/qmailnew
wget http://cr.yp.to/software/ezmlm-0.53.tar.gz
## wget http://www.ezmlm.org/archive/5.1.2/ezmlm-idx-5.1.2.tar.gz
wget http://www.ezmlm.org/archive/6.0.1/ezmlm-idx-6.0.1.tar.gz
tar xzf ezmlm-0.53.tar.gz
tar xzf ezmlm-idx-6.0.1.tar.gz


cp -r /downloads/qmailnew/ezmlm-idx-6.0.1/* /downloads/qmailnew/ezmlm-0.53/ --reply=yes

cd /downloads/qmailnew/ezmlm-0.53

patch < idx.patch


Configure various config files:

vi conf-etc
/usr/local/etc/ezmlm


vi conf-bin
/usr/local/bin/ezmlm


vi conf-qmail
/var/qmail



Edit the conf-sub, and change the storage from standard file location to mysql.

vi conf-sub
mysql

Choose a subscription database support. Available supports are:
* std (Default) filesystem
* mysql MySQL database
* pgsql Postgres database


####################### Removed in 6.0.1 ########
vi sub_mysql/conf-sqlcc
-I/usr/include/mysql
#################################################


From the INSTALL.idx :-
5. RDBM Support.

MySQL:
If you want to compile ezmlm with MySQL support (http://www.mysql.com),
edit conf-cc (include files) and conf-ld (library paths) to reflect
your MySQL installation (see MySQL documentation). The package
should work with MySQL version 3.22 and up.


vi conf-cc
gcc -O -g -I/usr/include/mysql -I/usr/include/pgsql


vi conf-ld
cc -g -B /usr/lib/mysql/






OR

echo "/usr/local/etc/ezmlm" > conf-etc
echo "/usr/local/bin/ezmlm" > conf-bin
echo "/var/qmail" > conf-qmail
echo "mysql" > conf-sub




Time to compile.

make clean
make
make man
make mysql # new in 6.0.1
make setup


[root@www ezmlm-0.53]# ./ezmlm-test
...
Verifying message header and body contents...
ezmlm-make: fatal: unable to stat /downloads/qmailnew/ezmlm-0.53/lang/default: file does not exist
ezmlm-make failed
[root@www ezmlm-0.53]# vi conf-lang
[root@www ezmlm-0.53]# ls /downloads/qmailnew/ezmlm-0.53/lang/
ch_GB cs da de en_US es fr hu id it ja nl pl pt pt_BR ru sv
[root@www ezmlm-0.53]# ls /downloads/qmailnew/ezmlm-0.53/lang/en_US/
ezmlmrc mailinglist sed text
[root@www ezmlm-0.53]#

ln -s /downloads/qmailnew/ezmlm-0.53/lang/en_US /downloads/qmailnew/ezmlm-0.53/lang/default



You may want to create a ezmlm MySQL Database at this point.

mysql -u root -p
create database ezmlm;
grant all on ezmlm.* to ezmlm@localhost identified by 'mysecret';
flush privileges;



Now, Create ezmlm tables in the database: You must use the "-f" option with mysql, which will force mysql to continue even in case of failures.


./ezmlm-mktab-mysql -d list | mysql -D ezmlm -u ezmlm -pmysecret -f

You may get output as below:

[root@www ezmlm-0.53]# ./ezmlm-mktab-mysql -d list | mysql -D ezmlm -u ezmlm -pmysecret -f
ERROR 1051 (42S02) at line 6: Unknown table 'list'
ERROR 1051 (42S02) at line 7: Unknown table 'list_slog'
ERROR 1051 (42S02) at line 8: Unknown table 'list_digest'
ERROR 1051 (42S02) at line 9: Unknown table 'list_digest_slog'
ERROR 1051 (42S02) at line 10: Unknown table 'list_mod'
ERROR 1051 (42S02) at line 11: Unknown table 'list_mod_slog'
ERROR 1051 (42S02) at line 12: Unknown table 'list_allow'
ERROR 1051 (42S02) at line 13: Unknown table 'list_allow_slog'
ERROR 1051 (42S02) at line 14: Unknown table 'list_deny'
ERROR 1051 (42S02) at line 15: Unknown table 'list_deny_slog'
ERROR 1051 (42S02) at line 17: Unknown table 'list_cookie'
ERROR 1051 (42S02) at line 18: Unknown table 'list_mlog'
ERROR 1051 (42S02) at line 19: Unknown table 'list_digest_cookie'
ERROR 1051 (42S02) at line 20: Unknown table 'list_digest_mlog'
[root@www ezmlm-0.53]#

This is normal. These are just error messages returned when trying to DROP these tables. If you are paranoid, you may want to run this command again. This time it will not give any errors as the tables would not have been already created and will be dropped properly.

[root@www ezmlm-0.53]# ./ezmlm-mktab-mysql -d list | mysql -D ezmlm -u ezmlm -pmysecret -f
[root@www ezmlm-0.53]#


Now execute the test program again:

./ezmlm-test -l ezmlm -p mysecret -h localhost


A successful test should look like this:-

[root@www ezmlm-0.53]# ./ezmlm-test -s mysql -p mysecret -u ezmlm -d ezmlm -h localhost
ezmlm-make (1/2): OK
Using subdb plugin: mysql
ezmlm-reject: OK
ezmlm-[un|is]sub[n]: OK
ezmlm SQL: OK
ezmlm non-SQL: OK
ezmlm-send: OK
ezmlm-tstdig: OK
ezmlm-weed: OK
ezmlm-make (2/2): OK
ezmlm-clean: OK
ezmlm-store: OK
ezmlm-return: OK
ezmlm-warn (1/2): OK
ezmlm-manage (1/2): OK
ezmlm-request: OK
ezmlm-split: OK
ezmlm-gate: OK
ezmlm-idx: OK
ezmlm-get (index): OK
ezmlm-get (get): OK
ezmlm-get (thread): OK
ezmlm-get (digest): OK
ezmlm-manage (2/2): OK
ezmlm-moderate: OK
ezmlm-warn (2/2): OK
ezmlm-dispatch: OK
Verifying message header and body contents...
flags and substs: OK
subscribe probe: OK
unsubscribe probe: OK
subscribe: OK
unsubscribe: OK
copylines: OK
ezmlm-send: OK

[root@www ezmlm-0.53]#

Congradulations.



Step: AUTORESPONDER:
---------------------

autorespond-2.0.5.tar.gz is provided by the QMR package. This is the latest version on the net too. So let's follow it.

cd /downloads/qmailrocks

tar zxf autorespond-2.0.5.tar.gz

cd autorespond-2.0.5

make && make install



Step: Courier Mail Drop:-


Install Courier MailDrop:- (This step would come after VPOPmail, Qmailadmin and Vqadmin in QMR. But I want to do it before VPOPmail, so I can tell vpopmail to use it / enable it in vpopmail.)


Note: At one time, I thaught that I don't think we need maildrop at all! But when I removed it, it took away "reformime with" it. And Qmail-scaner stoped working without reformime. So we do need Courier Mail Drop.


Here is the ouput if I remove the maildrop rpm from the system and run the qmail-scanner (doit) script :

[root@www contrib]# ./test_installation.sh -doit

Sending standard test message - no viruses...
qmail-inject: fatal: qq temporary problem (#4.3.0)
Bad error. qmail-inject died
[root@www contrib]#


And I get the following in the /var/log/maillog :-

May 10 14:11:44 www X-Qmail-Scanner-2.04: [www.example.com121041070456210137] d_m: output spotted from /usr/bin/reformime -x/var/spool/qscan/tmp/www.example.com121041070456210137/ (sh: /usr/bin/reformime: No such file or directory
May 10 14:16:19 www X-Qmail-Scanner-2.04: [www.example.com121041097956210184] d_m: output spotted from /usr/bin/reformime -x/var/spool/qscan/tmp/www.example.com121041097956210184/ (sh: /usr/bin/reformime: No such file or directory



After re-isntalling maildrop, everything became fine again.



So, from the QMR site:
Part 7- Maildrop

Maildrop is a mail filtering agent which can be used to filter messages as they arrive on the server. You will probably notice, once this installation in complete, that you don't really use maildrop. However, it's a cool tool and it's worth having around if you ever decide to get crazy with filtering your imcoming mail. .....

----------
And here is from the Qmail-Scanner website:-

Requirements

* Netqmail 1.05 (or qmail-1.03 with patches)
...
...
* daemontools-0.76+
* reformime from Maildrop 1.3.8+

-------------

Lets install Courier MailDrop

# Make sure you have pcre-devel and gcc-c++ installed on the system.

yum install pcre-devel gcc-c++

Ideally, according to myself, this step should have come before vpopmail. Also, from the maildrop homepage:

http://www.courier-mta.org/maildrop/

maildrop is the mail filter/mail delivery agent that's used by the Courier Mail Server. You do not need to download maildrop from here if you already have Courier installed. This is a standalone build of the maildrop mail filter that can be used with other mail servers.

QMR provides maildrop-1.6.3.tar.gz . Where as the latest is: maildrop-2.0.4.tar.bz2 .

I will use maildrop-2.0.4 and will make an RPM out of the source file to install it.

cd /downloads/qmailnew

wget http://prdownloads.sourceforge.net/courier/maildrop-2.0.4.tar.bz2

tar xjf maildrop-2.0.4.tar.bz2

cd /downloads/qmailnew/maildrop-2.0.4


I have maildrop downloaded from the site and I updated it's specs file as :-

%configure --with-devel --enable-userdb --enable-maildirquota --enable-syslog=1 --enable-trusted-users='root mail daemon postmaster qmaild mmdf' --enable-restrict-trusted=0 --enable-maildrop-uid=root --enable-maildrop-gid=vchkpw


I then repackaged it as tar.bz2 and made an RPM out of it:

rm maildrop-2.0.4.tar.bz2

tar cjf maildrop-2.0.4.tar.bz2 maildrop-2.0.4

rpmbuild -ta maildrop-2.0.4.tar.bz2
...
...
...
Checking for unpackaged file(s): /usr/lib/rpm/check-files /var/tmp/maildrop-2.0.4-1-buildroot
Wrote: /usr/src/redhat/SRPMS/maildrop-2.0.4-1.src.rpm
Wrote: /usr/src/redhat/RPMS/i386/maildrop-2.0.4-1.i386.rpm
Wrote: /usr/src/redhat/RPMS/i386/maildrop-devel-2.0.4-1.i386.rpm
Wrote: /usr/src/redhat/RPMS/i386/maildrop-man-2.0.4-1.i386.rpm
Wrote: /usr/src/redhat/RPMS/i386/maildrop-debuginfo-2.0.4-1.i386.rpm
Executing(%clean): /bin/sh -e /var/tmp/rpm-tmp.76157
+ umask 022
+ cd /usr/src/redhat/BUILD
+ cd maildrop-2.0.4
+ rm -rf /var/tmp/maildrop-2.0.4-1-buildroot
+ exit 0



Now install the latest RPM


rpm -ivh /usr/src/redhat/RPMS/i386/maildrop-2.0.4-1.i386.rpm
Preparing... ########################################### [100%]
1:maildrop ########################################### [100%]






Step: VPOPMAIL with MySQL support:
------------------------------------

vpopmail-5.4.13.tar.gz is supplied with QMR package.

Whereas version 5.4.25 is available on inter7's sourceforge page:
http://sourceforge.net/project/showfiles.php?group_id=85937

Lets download this new version:

cd /downloads/qmailnew
wget http://optusnet.dl.sourceforge.net/sourceforge/vpopmail/vpopmail-5.4.25.tar.gz


tar xzf vpopmail-5.4.25.tar.gz
cd /downloads/qmailnew/vpopmail-5.4.25


Let's do the preparation first. We already have created a user vpopmail and vchkpw earlier.

mkdir ~vpopmail/etc
chown vpopmail:vchkpw ~vpopmail/etc
echo "localhost|0|vpopmailuser|vpopmailpassword|vpopmail" > ~vpopmail/etc/vpopmail.mysql



Create vpopmail Database:

mysql -u root -p

CREATE DATABASE vpopmail;


GRANT all ON vpopmail.* TO vpopmailuser@localhost IDENTIFIED BY 'vpopmailpassword';

Flush privileges;
quit;




Try connecting:
mysql -u vpopmailuser -D vpopmail -pvpopmailpassword



cd /downloads/qmailnew/vpopmail-5.4.25

Note: QMR guide used the following switches for configuring vpopmail. Don't use them. Instead use the ones I have put below this line.

[QMR Guide = ./configure --enable-logging=p --enable-auth-module=mysql --disable-passwd --enable-clear-passwd \
--disable-many-domains --enable-auth-logging --enable-sql-logging --enable-valias --disable-mysql-limits]


------------------------
WARNING : DO NOT USE the --enable-maildrop switch in vpopmail otherwise you will not get any mails and will get the following "Unable to open mailbox" errors in the maillog:


May 9 20:04:07 www spamd[31043]: spamd: clean message (-1.4/5.0) for kamran@example.comThis e-mail address is being protected from spambots, you need JavaScript enabled to view it :711 in 1.3 seconds, 934 bytes.
May 9 20:04:07 www spamd[31043]: spamd: result: . -1 - ALL_TRUSTED scantime=1.3,size=934,user= kamran@example.comThis e-mail address is being protected from spambots, you need JavaScript enabled to view it ,uid=711,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=54894,mid=<>,autolearn=unavailable,shortcircuit=no
May 9 20:04:07 www spamd[31040]: prefork: child states: II

May 9 20:04:07 www maildrop[19011]: Unable to open mailbox.

-----------------------

./configure --enable-logging=p --enable-auth-module=mysql --disable-clear-passwd --disable-many-domains \
--enable-sql-logging --enable-mysql-replication --enable-valias --enable-roaming-users \
--enable-spamassassin --enable-mysql-limits

...
...
config.status: creating Makefile
config.status: creating config.h
config.status: executing depfiles commands

vpopmail 5.4.25
Current settings
---------------------------------------

vpopmail directory = /home/vpopmail
domains directory = /home/vpopmail/domains
uid = 708
gid = 702
roaming users = ON --enable-roaming-users
tcpserver file = /home/vpopmail/etc/tcp.smtp
open_smtp file = /home/vpopmail/etc/open-smtp
rebuild tcpserver file = ON --enable-rebuild-tcpserver-file (default)
password learning = OFF --disable-learn-passwords (default)
md5 passwords = ON --enable-md5-passwords (default)
file locking = ON --enable-file-locking (default)
vdelivermail fsync = OFF --disable-file-sync (default)
make seekable = ON --enable-make-seekable (default)
clear passwd = OFF --disable-clear-passwd
user dir hashing = ON --enable-users-big-dir (default)
address extensions = OFF --disable-qmail-ext (default)
ip alias = OFF --disable-ip-alias-domains (default)
onchange script = OFF --disable-onchange-script (default)
auth module = mysql --enable-auth-module=mysql
mysql replication = ON --enable-mysql-replication
sql logging = ON --enable-sql-logging
mysql limits = ON --enable-mysql-limits
SQL valias table = ON --enable-valias
auth inc = -I/usr/include/mysql
auth lib = -L/usr/lib/mysql -lmysqlclient -lz -lm
system passwords = OFF --disable-passwd (default)
pop syslog = show failed attempts with clear text password --enable-logging=p
auth logging = ON --enable-auth-logging (default)
one domain per SQL table = --disable-many-domains
spamassassin = ON --enable-spamassassin
maildrop = OFF --disable-maildrop (default)




Now compile it:


make && make install-strip
...
...
/usr/bin/install -c -o vpopmail -m 711 -g vchkpw -s 'dotqmail2valias' '/home/vpopmail/bin/dotqmail2valias'
/usr/bin/install -c -o vpopmail -m 711 -g vchkpw -s 'vpopmaild' '/home/vpopmail/bin/vpopmaild'
make[3]: Leaving directory `/downloads/qmailnew/vpopmail-5.4.25'
make[2]: Leaving directory `/downloads/qmailnew/vpopmail-5.4.25'
make[1]: Leaving directory `/downloads/qmailnew/vpopmail-5.4.25'



Step: VQADMIN:
--------------
QMR package provides vqadmin-2.3.6.tar.gz . The homepage of vqadmin ( http://www.inter7.com/vqadmin/ ) provides us vqadmin-2.3.7.tar.gz . Lets use that.

cd /downloads/qmailnew/

wget http://www.inter7.com/vqadmin/vqadmin-2.3.7.tar.gz

tar xzf vqadmin-2.3.7.tar.gz

cd /downloads/qmailnew/vqadmin-2.3.7

mkdir /var/www/vqadmin
chown apache:apache /var/www/vqadmin -R


Note that --enable-html directory in the command below seems to be deprecated in newer versions of vqadmin (even in the one I am using, right now). This means it is not required to be mentioned to the configure script as it has no effect.


./configure --enable-cgibindir=/var/www/cgi-bin --enable-htmldir=/var/www/vqadmin

make && make install-strip


------------

Setup a .conf file in /etc/httpd/conf.d/ as vqadmin.conf

cat >> /etc/httpd/conf.d/vqadmin.conf << EOF

Alias /vqadmin /var/www/vqadmin


Order deny,allow
Allow from all

EOF

--------------------

--------------------


Edit the Apache config file and add the following :

vi /etc/httpd/conf/httpd.conf


Allow from all
Options ExecCGI
AllowOverride AuthConfig
Order deny,allow


-------


Secure VQADMIN

cat >> /var/www/cgi-bin/vqadmin/.htaccess << EOF

AuthType Basic
# AuthUserFile will also be at a common place, such as /var/www/.htpasswd.vqadmin
AuthUserFile /var/www/.htpasswd.vqadmin
AuthName vQadmin
require valid-user
## satisfy any
EOF



chown apache:apache /var/www/cgi-bin/vqadmin/.htaccess

chmod 640 /var/www/cgi-bin/vqadmin/.htaccess # The QMR guide suggests 644 , which is too lax I think.

htpasswd -bc /var/www/.htpasswd.vqadmin admin vqadminpassword


chown apache:apache /var/www/.htpasswd.vqadmin # This step is not in QMR.

chmod 640 /var/www/.htpasswd.vqadmin


------------


service httpd restart


---------------------------------



Open the following link in web browser:
http://10.1.2.3/cgi-bin/vqadmin/vqadmin.cgi

If you see a white page with Vqadmin menu on it. Check your apache error log.


Apache error log:-

[Thu May 08 16:51:18 2008] [error] [client 203.82.59.56] File does not exist:
/var/www/vhosts/example.com/httpdocs/images,
referer: http://192.168.0.200/cgi-bin/vqadmin/vqadmin.cgi


The solution is :-

ln -s /var/www/html/images /var/www/vhosts/autogateway.com/httpdocs/

chown apache:apache /var/www/html -R

-------------

Add a domain "example.com" in vqadmin .

postmaster passowrd: postmasterpassword

Created Domain
Domain postmaster added


Step: QMAILADMIN:
------------------
QMR provides qmailadmin-1.2.9.tar.gz .
The is the latest on Inter 7 is 1.2.11.
The latest devel version is 1.2.12 .

cd /downloads/qmailnew/
wget http://internap.dl.sourceforge.net/sourceforge/qmailadmin/qmailadmin-1.2.12.tar.gz

tar xzf qmailadmin-1.2.12.tar.gz
cd /downloads/qmailnew/qmailadmin-1.2.12


----------------------------------------- [ optional ] -------------
mkdir /var/www/qmailadmin

cat >> /etc/httpd/conf.d/qmailadmin.conf << EOF

Alias /qmailadmin /var/www/qmailadmin


Order deny,allow
Allow from all

EOF


chown apache:apache /var/www/qmailadmin

service httpd restart

-------------------------------------------[ optional end ]---------------

./configure --enable-cgibindir=/var/www/cgi-bin --enable-htmldir=/var/www/qmailadmin --enable-imageurl=/qmailadmin/images/qmailadmin


./configure --enable-cgibindir=/var/www/cgi-bin --enable-htmldir=/var/www/qmailadmin \
--enable-imagedir=/var/www/qmailadmin/images --enable-imageurl=/qmailadmin/images \
--enable-modify-quota
...
...

qmailadmin 1.2.12
Current settings
---------------------------------------
cgi-bin dir = /var/www/cgi-bin
html dir = /var/www/qmailadmin
image dir = /var/www/qmailadmin/images
image URL = /qmailadmin/images
template dir = /usr/local/share/qmailadmin
qmail dir = /var/qmail
vpopmail dir = /home/vpopmail
autorespond dir = /usr/bin
ezmlm dir = /usr/local/bin/ezmlm
ezmlm idx = yes
mysql for ezmlm = yes
help = no
modify quota = no
domain autofill = no
modify spam check = no



make && make install-strip

----------------------------------------


Try loggin on to the URL:

http://192.168.0.200/cgi-bin/qmailadmin

, and try add a few users.

Email Account kamran@example.comThis e-mail address is being protected from spambots, you need JavaScript enabled to view it (Muhammad Kamran Azeem) added successfully

Alhumdulillah.



Note: Error: If you are seeing a blank page after you add a user in vqadmin, then read the note below:-

####################### NOTE : start #####################################

Blank page after adding a user.

[Tue Apr 01 05:00:42 2008] [error] [client 210.2.164.144] vmysql: can't read settings from /home/vpopmail/etc/vpopmail.mysql, referer: http://10.1.2.3/cgi-bin/qmailadmin
[Tue Apr 01 05:00:42 2008] [error] [client 210.2.164.144] Premature end of script headers: qmailadmin, referer: http://10.1.2.3/cgi-bin/qmailadmin


The file permissions of the file /home/vpopmail/etc/vpopmail.mysql are 640, to protect mysql root password from ordinary users. if I change it to 644, to allow apache to read this file, other ordinary users will also be able to look into this file.
May be I should add apache to the group vchkpw .

vi /etc/group
vchkpw:x:702:apache

Still the same problem . I need to investigate it further. At the moment. I am continuing with 644 to this file.

Still the same problem. I notice that :-


[root@www qmailadmin-1.2.12]# ls -l /home/
total 12
drwx------ 4 akhan users 4096 Mar 28 22:05 akhan
drwx------ 2 vmail vmail 4096 Mar 29 02:25 vmail
drwx------ 8 vpopmail vchkpw 4096 Apr 1 03:34 vpopmail



[root@www qmailadmin-1.2.12]# ls -l /var/www/cgi-bin/
total 160
-rwsr-sr-x 1 vpopmail vchkpw 151864 Apr 1 04:57 qmailadmin



Corrected. Basically I incorrectly setup the permission of the directory ~vpopmail/etc as 640. This stupid step of mine, resulted in inability of group vchpw to "change directory into" ~vpopmail/etc and read the vpopmail.mysql file.

Removed apache from the group memberdship of vchkpw from /etc/group.

vi /etc/group
vchkpw:x:702:

Email Account kamran@example.comThis e-mail address is being protected from spambots, you need JavaScript enabled to view it (Muhammad Kamran Azeem) added successfully

Alhumdulillah. The qmailadmin web interface seems to be behaving correctly.
####################################### NOTE : end #######################################3


Step: FINALIZING QMAIL:
-----------------------

The QMR guide suggests to run the following script:
# /downloads/qmailrocks/scripts/finalize/linux/finalize_linux.script

This script can be viewed online at:
http://www.qmailrocks.org/downloads/scripts/finalize/linux/finalize_linux.script

I will use the actual content of the script to get the tasks done manully.

# First Copy all supervise scripts to their proper locations.:

cp /downloads/qmailrocks/scripts/finalize/linux/pop3d_run /var/qmail/supervise/qmail-pop3d/run
cp /downloads/qmailrocks/scripts/finalize/linux/pop3d_log /var/qmail/supervise/qmail-pop3d/log/run
cp /downloads/qmailrocks/scripts/finalize/linux/smtpd_run /var/qmail/supervise/qmail-smtpd/run
cp /downloads/qmailrocks/scripts/finalize/linux/smtpd_log /var/qmail/supervise/qmail-smtpd/log/run
cp /downloads/qmailrocks/scripts/finalize/linux/send_run /var/qmail/supervise/qmail-send/run
cp /downloads/qmailrocks/scripts/finalize/linux/send_log /var/qmail/supervise/qmail-send/log/run


# Next: Copy rc and qmailctl scripts to proper locations:

cp /downloads/qmailrocks/scripts/finalize/rc /var/qmail/
cp /downloads/qmailrocks/scripts/finalize/qmailctl /var/qmail/bin/


# Setup needed permisions:

chmod 755 /var/qmail/rc /var/qmail/bin/qmailctl
chmod 751 /var/qmail/supervise/qmail-pop3d/run
chmod 751 /var/qmail/supervise/qmail-pop3d/log/run
chmod 751 /var/qmail/supervise/qmail-smtpd/run
chmod 751 /var/qmail/supervise/qmail-smtpd/log/run
chmod 751 /var/qmail/supervise/qmail-send/run
chmod 751 /var/qmail/supervise/qmail-send/log/run


# Setup default values to various control files:

echo ./Maildir > /var/qmail/control/defaultdelivery
echo 255 > /var/qmail/control/concurrencyremote
chmod 644 /var/qmail/control/concurrencyremote
echo 30 > /var/qmail/control/concurrencyincoming
chmod 644 /var/qmail/control/concurrencyincoming


# Create symbolic links:

ln -s /var/qmail/bin/qmailctl /usr/bin
ln -s /var/qmail/supervise/qmail-send /var/qmail/supervise/qmail-smtpd /var/qmail/supervise/qmail-pop3d /service


--------------------

Next edit the run scripts and adjust a few values:

:%s/mail\.example\.com/www\.example\.com/g


vi /var/qmail/supervise/qmail-pop3d/run

Find "mail.example.com" and change it to your server's hostname. For example: wwww.example.com


vi /var/qmail/supervise/qmail-smtpd/run

Find "mail.example.com" and change it to your server's hostname. For example: www.example.com



Next:

qmailctl stop

echo '127.:allow,RELAYCLIENT=""' >> /etc/tcp.smtp

qmailctl cdb




Now we create the common system aliases. These aliases are going to tell Qmail what to do with common server-generated mails.

echo postmaster@example.comThis e-mail address is being protected from spambots, you need JavaScript enabled to view it > /var/qmail/alias/.qmail-root
echo postmaster@example.comThis e-mail address is being protected from spambots, you need JavaScript enabled to view it > /var/qmail/alias/.qmail-postmaster
echo postmaster@example.comThis e-mail address is being protected from spambots, you need JavaScript enabled to view it > /var/qmail/alias/.qmail-mailer-daemon
ln -s /var/qmail/alias/.qmail-root /var/qmail/alias/.qmail-anonymous
chmod 644 /var/qmail/alias/.qmail*




REMOVE SENDMAIL, POSTFIX , EXIM from System:
--------------------------------------------

If you have not removed these pakages before, you can do it now.

service sendmail stop
service postfix stop
service exim stop
service dovecot stop


rpm -e sendmail --nodeps
rpm -e sendmail-cf --nodeps
rpm -e postfix --nodeps
rpm -e exim --nodeps


# Create artificial sendmail path:

rm -f /usr/lib/sendmail
rm -f /usr/sbin/sendmail

ln -s /var/qmail/bin/sendmail /usr/lib/sendmail
ln -s /var/qmail/bin/sendmail /usr/sbin/sendmail


-----------------


START QMAIL:
------------
The QMR guide asks to run the following script:

# /downloads/qmailrocks/scripts/util/qmr_inst_check

The script is long and there is no advantage running it command by command/ manually. When you run the script, it will check for some key required files and folders and will also check permissions and owership settings on many key items. It a needed file does not exist or if the ownership/permissions settings are wrong on a key file, it will tell you and then make a suggestion as to how to correct the error. This script does NOT check the CONTENT or SYNTAX of your scripts, but only for the scripts' existence and their ownership/permissions settings. If you've screwed up the syntax of on the run scripts, this tool will not detect it.

Lets run it:

/downloads/qmailrocks/scripts/util/qmr_inst_check

[root@www qmailadmin-1.2.12]# /downloads/qmailrocks/scripts/util/qmr_inst_check
Congratulations, your Qmailrocks.org Qmail installation looks good!


[root@www qmailadmin-1.2.12]# qmailctl stat
/service/qmail-send: down 228 seconds, normally up
/service/qmail-send/log: down 228 seconds, normally up
/service/qmail-smtpd: down 228 seconds, normally up
/service/qmail-smtpd/log: down 228 seconds, normally up
/service/qmail-pop3d: down 228 seconds, normally up
/service/qmail-pop3d/log: down 228 seconds, normally up
messages in queue: 0
messages in queue but not yet preprocessed: 0





Step: COURIER IMAP + COURIERPASSD:
----------------------------------

Courier-imap is the preferred IMAP server to install because it has built in support the vchkpw mail user setup that Vpopmail utilizes. In short, Courier IMAP works with Vpopmail and virtual domains. In addition to installing Courier-imap, we're going to install Courierpassd. Courierpassd is a utility that allows users to change their mailbox passwords remotely.


# Must have gdbm-devel installed.

yum install gdbm-devel


We are going to use latest releases from http://www.courier-mta.org/download.php .
Courierpassd is available at: http://erresea.arda.homeunix.net/store/


QMR provides courier-authlib-0.55.tar.bz2 . Latest is courier-authlib-0.60.2.tar.bz2 .
Also QMR package provides courier-imap-4.0.2.tar.bz2 . Whereas the latest is courier-imap-4.3.1.tar.bz2 .
Also QMR provides courierpassd-1.1.0-RC1 , whereas latest is courierpassd-1.1.2.tar.gz .

I may also try Courier-Analog for SMTP,POP,IMAP traffic analysis. http://prdownloads.sourceforge.net/courier/courier-analog-0.15.tar.bz2

Lets see if these latest packages work or not. Otherwise we may have to revert to the ones provided by QMR.

cd /downloads/qmailnew

wget http://prdownloads.sourceforge.net/courier/courier-authlib-0.60.2.tar.bz2
wget http://prdownloads.sourceforge.net/courier/courier-imap-4.3.1.tar.bz2
wget http://www.arda.homeunix.net/store/courierpassd-1.1.2.tar.gz


I am going to build RPMs of these Courier-* files, after putting in the necessary config parameters. The RPM need to be built as ordinary user, say kamran.


--------------------------->>>>> See the WAM postfix discarded howto <<<<<<<<<<<< ----------------

Courier-authlib:-
------------------

This needs user kamran to be specified in visudo.

kamran ALL=NOPASSWD: ALL


[kamran@www qmailnew]$ cp /downloads/qmailnew/courier* /home/kamran/

cd /home/kamran

[kamran@www ~]$ tar xjf courier-authlib-0.60.2.tar.bz2
[kamran@www ~]$ cd courier-authlib-0.60.2



Added the following in the .spec file in the configure section.

--with-authvchkpw --without-authldap --disable-root-check --with-ssl --with-redhat

QMR suggests "--with-authchangepwdir=/usr/local/libexec/authlib" to be passed to the configure script. But I could not find it in courier-authlib-0.60.2


[kamran@www courier-authlib-0.60.2]$ vi courier-authlib.spec

%configure --with-authvchkpw --without-authldap --disable-root-check --with-ssl --with-redhat


[kamran@www courier-authlib-0.60.2]$ rm courier-authlib-0.60.2.tar.bz2

[kamran@www ~]$ tar cjf courier-authlib-0.60.2.tar.bz2 courier-authlib-0.60.2


sudo yum -y install libtool-ltdl-devel libtool-ltdl postgresql-devel expect



$ sudo rpmbuild -ta courier-authlib-0.60.2.tar.bz2

cd /usr/src/redhat/RPMS/i386/

$ sudo rpm -ivh courier-authlib-0.60.2-1.i386.rpm courier-authlib-devel-0.60.2-1.i386.rpm courier-authlib-mysql-0.60.2-1.i386.rpm



Time to compile/generate RPM for courier-imap as well. Pass the same arguments to its %configure section as well..

cd /home/kamran

tar xjf courier-imap-4.3.1.tar.bz2

cd courier-imap-4.3.1

vi courier-imap.spec

%configure \
--with-authvchkpw --without-authldap --disable-root-check --with-ssl \
--with-redhat \
%{?xflags: %{xflags}}

rm courier-imap-4.3.1.tar.bz2
tar cjf courier-imap-4.3.1.tar.bz2 courier-imap-4.3.0

sudo yum -y install openldap-servers

Note: You cannot build courier-imap as sudo. You will get the following error:

=============================
Do not run make check as root
=============================
make[2]: *** [check-am] Error 1
make[2]: Leaving directory `/usr/src/redhat/BUILD/courier-imap-4.3.1/imap'
make[1]: *** [check] Error 2
make[1]: Leaving directory `/usr/src/redhat/BUILD/courier-imap-4.3.1/imap'
make: *** [check-recursive] Error 1
error: Bad exit status from /var/tmp/rpm-tmp.6589 (%build)


So we need to setup a RPM environment in the /home/kamran directory.

Time to setup environment for RPM Build as user akhan.

su - kamran # if you have not already done so

mkdir $HOME/rpm/{SOURCES,SPECS,BUILD,SRPMS,RPMS} -p
mkdir $HOME/rpm/RPMS/{i386,x86_64}
echo "%_topdir $HOME/rpm" >> $HOME/.rpmmacros


$ rpmbuild -ta courier-imap-4.3.1.tar.bz2


After the build process, the rpm packages can be found in $HOME/rpm/RPMS/i386 ($HOME/rpm/RPMS/x86_64 if you are on an x86_64 system):

Install courier-imap like this:

cd $HOME/rpm/RPMS/i386
sudo rpm -ivh courier-imap-4.3.1-1.i386.rpm

Preparing... ########################################### [100%]
1:courier-imap ########################################### [100%]


Exit from the user kamran's shell at this point.

exit.


--------

Run:-

/usr/lib/courier-imap/sbin/mkimapdcert


[root@www ~]# /usr/lib/courier-imap/sbin/mkimapdcert
/usr/lib/courier-imap/share/imapd.pem already exists.

------------

Edit /usr/lib/courier-imap/etc/imapd.cnf

change postmaser@example.comThis e-mail address is being protected from spambots, you need JavaScript enabled to view it an administrative email address postmaster@example.comThis e-mail address is being protected from spambots, you need JavaScript enabled to view it

vi /usr/lib/courier-imap/etc/imapd.cnf

-------------

vi /usr/lib/courier-imap/etc/imapd

Make sure that the following configuration exists: IMAPDSTART=YES


---------


vi /usr/lib/courier-imap/etc/imapd-ssl

Make sure that the following configuration exists: IMAPDSSLSTART=YES

Make sure that the following configuration exists: TLS_CERTFILE=/usr/lib/courier-imap/share/imapd.pem


################

IMAPDSSLSTART=YES

##NAME: IMAPDSTARTTLS:0
#
# Whether or not to implement IMAP STARTTLS extension instead:

IMAPDSTARTTLS=YES

##NAME: IMAP_TLS_REQUIRED:1
#
# Set IMAP_TLS_REQUIRED to 1 if you REQUIRE STARTTLS for everyone.
# (this option advertises the LOGINDISABLED IMAP capability, until STARTTLS
# is issued).

IMAP_TLS_REQUIRED=0

####################

vi /etc/authlib/authdaemonrc

Around like 27, you should see the "authmodulelist" setting. Make sure that "authvchkpw" is the only module listed. Like so:

authmodulelist="authvchkpw"

Save and exit the file.

-------------


The init.d files would now already be in place, because of RPM installation we did.

[root@www ~]# ls /etc/init.d/courier-*
/etc/init.d/courier-authlib
/etc/init.d/courier-imap

Start the Authlib service

[root@www ~]# /etc/init.d/courier-authlib start
Starting Courier authentication services: authdaemond


chkconfig --level 35 courier-authlib on

You should see the authdaemond process, as shown below.

[root@www ~]# ps aux | grep auth
root 14081 0.0 0.0 1636 316 ? S 11:51 0:00 /usr/sbin/courierlogger -pid=/var/spool/authdaemon/pid -start /usr/libexec/courier-authlib/authdaemond
root 14082 0.0 0.1 6716 1316 ? S 11:51 0:00 /usr/libexec/courier-authlib/authdaemond
root 14083 0.0 0.0 6716 360 ? S 11:51 0:00 /usr/libexec/courier-authlib/authdaemond
root 14084 0.0 0.0 6716 360 ? S 11:51 0:00 /usr/libexec/courier-authlib/authdaemond
root 14085 0.0 0.0 6716 360 ? S 11:51 0:00 /usr/libexec/courier-authlib/authdaemond
root 14086 0.0 0.0 6716 360 ? S 11:51 0:00 /usr/libexec/courier-authlib/authdaemond
root 14087 0.0 0.0 6716 360 ? S 11:51 0:00 /usr/libexec/courier-authlib/authdaemond
root 14111 0.0 0.0 4100 608 pts/1 R+ 11:51 0:00 grep auth
[root@www ~]#


And the following output in MAILLOG .

[root@www ~]# tail -f /var/log/maillog
May 9 11:05:21 www authdaemond: Installing libauthvchkpw
May 9 11:05:21 www authdaemond: Installation complete: authvchkpw
May 9 11:49:05 www authdaemond: stopping authdaemond children
May 9 11:49:05 www authdaemond: modules="authvchkpw", daemons=5
May 9 11:49:05 www authdaemond: Installing libauthvchkpw
May 9 11:49:05 www authdaemond: Installation complete: authvchkpw
May 9 11:51:09 www authdaemond: stopping authdaemond children
May 9 11:51:34 www authdaemond: modules="authvchkpw", daemons=5
May 9 11:51:34 www authdaemond: Installing libauthvchkpw
May 9 11:51:34 www authdaemond: Installation complete: authvchkpw



[root@www ~]# service courier-imap start
Starting Courier-IMAP server: imap imap-ssl pop3 generating-SSL-certificate... pop3-ssl
[root@www ~]#


[root@www ~]# ps aux | grep courier
0:00 /usr/sbin/courierlogger -pid=/var/run/imapd.pid -start -name=imapd /usr/lib/courier-imap/libexec/couriertcpd -address=0 -maxprocs=40 -maxperip=4 -nodnslookup -noidentlookup 143 /usr/lib/courier-imap/sbin/imaplogin /usr/lib/courier-imap/bin/imapd Maildir
root 15218 0.0 0.0 1744 504 ? S 12:25 0:00 /usr/lib/courier-imap/libexec/couriertcpd -address=0 -maxprocs=40 -maxperip=4 -nodnslookup -noidentlookup 143 /usr/lib/courier-imap/sbin/imaplogin /usr/lib/courier-imap/bin/imapd Maildir
root 15224 0.0 0.0 1640 232 ? S 12:25 0:00 /usr/sbin/courierlogger -pid=/var/run/imapd-ssl.pid -start -name=imapd-ssl /usr/lib/courier-imap/libexec/couriertcpd -address=0 -maxprocs=40 -maxperip=4 -nodnslookup -noidentlookup 993 /usr/lib/courier-imap/bin/couriertls -server -tcpd /usr/lib/courier-imap/sbin/imaplogin /usr/lib/courier-imap/bin/imapd Maildir
root 15225 0.0 0.0 1748 508 ? S 12:25 0:00 /usr/lib/courier-imap/libexec/couriertcpd -address=0 -maxprocs=40 -maxperip=4 -nodnslookup -noidentlookup 993 /usr/lib/courier-imap/bin/couriertls -server -tcpd /usr/lib/courier-imap/sbin/imaplogin /usr/lib/courier-imap/bin/imapd Maildir
root 15230 0.0 0.0 1636 228 ? S 12:25 0:00 /usr/sbin/courierlogger -pid=/var/run/pop3d.pid -start -name=pop3d /usr/lib/courier-imap/libexec/couriertcpd -address=0 -maxprocs=40 -maxperip=4 -nodnslookup -noidentlookup 110 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root 15231 0.0 0.0 1744 504 ? S 12:25 0:00 /usr/lib/courier-imap/libexec/couriertcpd -address=0 -maxprocs=40 -maxperip=4 -nodnslookup -noidentlookup 110 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root 15245 0.0 0.0 1640 232 ? S 12:25 0:00 /usr/sbin/courierlogger -pid=/var/run/pop3d-ssl.pid -start -name=pop3d-ssl /usr/lib/courier-imap/libexec/couriertcpd -address=0 -maxprocs=40 -maxperip=4 -nodnslookup -noidentlookup 995 /usr/lib/courier-imap/bin/couriertls -server -tcpd /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root 15246 0.0 0.0 1748 508 ? S 12:25 0:00 /usr/lib/courier-imap/libexec/couriertcpd -address=0 -maxprocs=40 -maxperip=4 -nodnslookup -noidentlookup 995 /usr/lib/courier-imap/bin/couriertls -server -tcpd /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/bin/pop3d Maildir
root 15249 0.0 0.0 4096 584 pts/0 R+ 12:26 0:00 grep courier

-------------------------------

[root@www ~]# nmap localhost

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2008-05-09 12:28 PKT
Interesting ports on localhost.localdomain (127.0.0.1):
Not shown: 1670 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
110/tcp open pop3
143/tcp open imap
199/tcp open smux
443/tcp open https
993/tcp open imaps
995/tcp open pop3s
3306/tcp open mysql



Alhumdulillah.

------------------------------------------------------


IMPORTANT:

QMAIL has it's own POP3 daemon. And this courier POP3 and POP3S WILL conflict with it. So disable POP3 and POP3S in Courier.



vi /usr/lib/courier-imap/etc/pop3d
...
POP3DSTART=NO


vi /usr/lib/courier-imap/etc/pop3d-ssl
...
POP3DSSLSTART=NO


[root@www contrib]# service courier-imap stop
Stopping Courier-IMAP server: imap imap-ssl pop3 pop3-ssl

[root@www contrib]# service courier-imap start
Starting Courier-IMAP server: imap imap-ssl


Or may be rename the files:

cd /usr/lib/courier-imap/etc/
mv pop3d pop3d.disabled
mv pop3d-ssl pop3d-ssl.disabled

[root@www qmail-scanner-2.04]# service courier-imap stop
Stopping Courier-IMAP server: imap imap-ssl pop3 pop3-ssl

[root@www qmail-scanner-2.04]# service courier-imap start
Starting Courier-IMAP server: imap imap-ssl


Step: COURIERPASSD:
--------------------

[root@www ~]# find / -name courierauthconfig
/home/akhan/rpm/BUILD/courier-authlib-0.60.2/courierauthconfig
/usr/bin/courierauthconfig

[root@www ~]# find / -name courierauth.h
/home/akhan/rpm/BUILD/courier-authlib-0.60.2/courierauth.h
/home/akhan/downloads/courier-authlib-0.60.2/courierauth.h
/usr/include/courierauth.h
/downloads/qmailrocks/courier-authlib-0.55/courierauth.h
[root@www ~]#


cd /downloads/qmailnew/courierpassd-1.1.2
./configure
make && make install


echo "courierpassd 106/tcp #for /etc/xinetd.d/courierpassd" >> /etc/services
echo "courierpassd 106/tcp #for /etc/xinetd.d/courierpassd" >> /usr/share/nmap/nmap-services


Add this to xinetd. You must have xinet rpm installed on the system.

cat >> /etc/xinetd.d/courierpassd << EOF
service courierpassd
{
port = 106
socket_type = stream
protocol = tcp
user = root
server = /usr/local/sbin/courierpassd
server_args = -s imap
wait = no
only_from = 127.0.0.1
instances = 4
disable = no
}
EOF


service xinetd restart



[root@www courierpassd-1.1.2]# nmap localhost

PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
106/tcp open pop3pw ----------------------------> courierpassd
110/tcp open pop3
143/tcp open imap
199/tcp open snmp
443/tcp open https
993/tcp open imaps
995/tcp open pop3s
3306/tcp open mysql

Nmap finished: 1 IP address (1 host up) scanned in 0.233 seconds



Step: SQUIRRELMAIL:
-------------------

cd /downloads/qmailnew

wget http://nchc.dl.sourceforge.net/sourceforge/squirrelmail/squirrelmail-1.4.13.tar.bz2

cd /var/www

tar xjf /downloads/qmailnew/squirrelmail-1.4.13.tar.bz2

# Remove the symbolic link pointing to previous version:
rm -f webmail
ln -s squirrelmail-1.4.13 webmail
chown apache:apache squirrelmail-1.4.13 -R


cd webmail/config

./conf.pl

Organization Preferences

1. Organization Name : Example Company
4. Organization Title : example mail service, powered by SquirrelMail $version


Server Settings

General
-------
1. Domain : example.com

2. Invert Time : false
3. Sendmail or SMTP : SMTP

IMAP Settings
--------------
4. IMAP Server : localhost
5. IMAP Port : 143
6. Authentication type : login
7. Secure IMAP (TLS) : false
8. Server software : other
9. Delimiter : detect

SMTP Settings
-------------
4. SMTP Server : localhost
5. SMTP Port : 25
6. POP before SMTP : false
7. SMTP Authentication : none
8. Secure SMTP (TLS) : false
9. Header encryption key :


General Options
1. Data Directory : /var/www/webmail/data/
2. Attachment Directory : /var/www/webmail/attach/


Make sure that these two directories exist and have proper permissions.

ls -l /var/www/webmail
drwxrwxr-x 2 apache apache 4096 May 10 04:30 data

mkdir /var/www/webmail/{attach,data} -p
chown apache:apache /var/www/webmail/{attach,data} -R
chmod 733 /var/www/webmail/attach



cat >> /etc/httpd/conf.d/squirrelmail.conf << EOF
Alias /webmail /var/www/webmail
EOF

service httpd restart



Download the change_pass plugin:

cd /var/www/webmail/plugins


wget http://www.squirrelmail.org/countdl.php?fileurl=http%3A%2F%2Fwww.squirrelmail.org%2Fplugins%2Fchange_pass-2.7a-1.4.x.tar.gz

tar xzf change_pass-2.7a-1.4.x.tar.gz

Added plugins using ./conf.pl program



Try changing passwords:

passwords are changed successfully.


This is what you should get in your /var/log/messages file, once you change password from Squirrelmail web interface:

Apr 1 09:55:48 www xinetd[26780]: START: courierpassd pid=26924 from=127.0.0.1
Apr 1 09:55:48 www xinetd[26780]: EXIT: courierpassd status=0 pid=26924 duration=0(sec)


Alhumdulillah !


-----------------


Extra decoding library

SquirrelMail decoding functions are used to display and convert messages encoded in different character sets. Extra decoding library provides support of some complex Eastern and Apple x-mac character sets.

cd /downloads/qmailnew

wget tar xjf squirrelmail-decode-1.2.tar.bz2


tar xjf squirrelmail-decode-1.2.tar.bz2


From the README.decode :-

/***************************************
* SquirrelMail Extra Decoding Library *
***************************************/

This package contains extra decoding functions. Functions are enabled by
copying .php files to SquirrelMail's functions/decode/ directory.

---------

Install these functions:-

[root@www squirrelmail-decode-1.2]# ./install
Please enter path to your SquirrelMail installation:/var/www/webmail

Extra decoding functions are installed.
[root@www squirrelmail-decode-1.2]#


------------

To make squirrel mail show the logged in Username with the "Sign Out" link on the top right of the web page, do the following:

Open / edit the file "page_header.php" in the /var/www/webmail/fucntions directory.

Find the line with the word "Sign Out" in it:-

displayInternalLink ('src/signout.php', _("Sign Out"), $frame_top);

And change it to :
displayInternalLink ('src/signout.php', _("Sign Out ".$username), $frame_top);


Then find the following line(s) / function definition in the same file:-


function displayPageHeader($color, $mailbox, $xtra='', $session=false) {

global $hide_sm_attributions, $frame_top,
$compose_new_win, $compose_width, $compose_height,
$attachemessages, $provider_name, $provider_uri,
$javascript_on, $default_use_mdn, $mdn_user_support,
$startMessage, $org_title;

and change that to

function displayPageHeader($color, $mailbox, $xtra='', $session=false) {

global $hide_sm_attributions, $frame_top,
$compose_new_win, $compose_width, $compose_height,
$attachemessages, $provider_name, $provider_uri,
$javascript_on, $default_use_mdn, $mdn_user_support,
$startMessage, $org_title, $username;

-------
Basically you just added a $username to the global line above.


Step: CLAMAV and SPAMASSASSIN:
--------------------------------

CLAMAV:
--------------



Note this part (CLAMAV) is deprecated. Please refer to this article, instead.

Download latest CLAMAV from http://crash.fce.vutbr.cz/crash-hat/centos/5/clamav/

By the time of this writing, 0.93-2 is latest.


cd /downloads/qmailnew/
wget http://crash.fce.vutbr.cz/crash-hat/centos/5/clamav/clamav-0.93-2.i386.rpm
wget http://crash.fce.vutbr.cz/crash-hat/centos/5/clamav/clamav-db-0.93-2.i386.rpm
wget http://crash.fce.vutbr.cz/crash-hat/centos/5/clamav/clamav-server-0.93-2.i386.rpm
wget http://crash.fce.vutbr.cz/crash-hat/centos/5/clamav/clamav-devel-0.93-2.i386.rpm


rpm -ivh clamav-*


Create a user as qscand:


groupadd -g 710 qscand
useradd -u 710 -g 710 -c "Qmail-Scanner Account" -s /bin/false qscand



vi /etc/clamd.conf

# Lines shown below are default settings, unless specified otherwise.

LogFile /var/log/clamav/clamd.log
LogFileMaxSize 0
LogTime yes
LogSyslog yes # ---------------------> default is NO. Change to YES.
PidFile /var/run/clamav/clamd.pid
TemporaryDirectory /tmp
DatabaseDirectory /var/lib/clamav # ----> This is changed in the newer (0.94-1) version, to /var/clamav.
LocalSocket /var/run/clamav/clamd.sock # --------> Disabled. Change to enabled/socket file name.
FixStaleSocket yes
MaxConnectionQueueLength 30
MaxThreads 50
ReadTimeout 300
User qscand # ----------------------> Most important. Default clamav. Change to qscand.
AllowSupplementaryGroups yes
DetectBrokenExecutables yes
ScanMail yes
ArchiveMaxCompressionRatio 300
ArchiveBlockEncrypted yes
ArchiveBlockMax yes


vi /etc/freshclam.conf

DatabaseDirectory /var/lib/clamav
UpdateLogFile /var/log/clamav/freshclam.log
PidFile /var/run/clamav/freshclam.pid
LogSyslog yes # -----------------------------------> change to yes
DatabaseOwner qscand # -------------------------> Most important. Default clamav. Change to qscand.
AllowSupplementaryGroups yes
DNSDatabaseInfo current.cvd.clamav.net
DatabaseMirror db.us.clamav.net
DatabaseMirror database.clamav.net
Checks 24
NotifyClamd /etc/clamd.conf


vi /etc/logrotate.d/clamd
#
# Rotate Clam AV daemon log file
#

/var/log/clamav/clamd.log {
missingok
nocompress
create 640 qscand qscand
postrotate
/bin/kill -HUP `cat /var/run/clamav/clamd.pid 2> /dev/null` 2> /dev/null || true
endscript
}


vi /etc/logrotate.d/freshclam

#
# Rotate FreshClam daemon log file
#

/var/log/clamav/freshclam.log {
missingok
nocompress
create 640 qscand qscand
postrotate
/bin/kill -HUP `cat /var/run/clamav/freshclam.pid 2> /dev/null` 2> /dev/null || true
endscript
}


chown qscand:qscand /var/log/clamav -R
chown qscand:qscand /var/lib/clamav -R
chown qscand:qscand /var/run/clamav -R


service clamd restart
chkconfig --level 35 clamd on

service freshclam restart
chkconfig --level 35 freshclam on


########################################################################
Deprecated:-

FreshClam doesn't need to be called through cron any more:-

# crontab -e
# 25 2 * * * /usr/bin/freshclam --quiet -l /var/log/clamav/freshclam.log
#

Becaue, freshclam runs as daemon mode and checks the server once
everyday, itself. The following option can be used in /etc/init.d/freshclam
to set number of checks between 1 and 50

--checks=#n -c #n number of checks per day, 1 <= n <= 50
---------------------------------------------------------------------------

See the proof below:
May 10 15:10:02 www last message repeated 6 times
May 10 15:11:59 www freshclam[22467]: Received signal: wake up
May 10 15:11:59 www freshclam[22467]: ClamAV update process started at Sat May 10 15:11:59 2008
May 10 15:11:59 www freshclam[22467]: main.cvd is up to date (version: 46, sigs: 231834, f-level: 26, builder: sven)
May 10 15:12:00 www freshclam[22467]: Downloading daily-7077.cdiff [100%]
May 10 15:12:00 www freshclam[22467]: Downloading daily-7078.cdiff [100%]
May 10 15:12:00 www freshclam[22467]: Downloading daily-7079.cdiff [100%]
May 10 15:12:00 www freshclam[22467]: Downloading daily-7080.cdiff [100%]
May 10 15:12:01 www freshclam[22467]: Downloading daily-7081.cdiff [100%]
May 10 15:12:01 www freshclam[22467]: Downloading daily-7082.cdiff [100%]
May 10 15:12:01 www freshclam[22467]: daily.cld updated (version: 7082, sigs: 49709, f-level: 26, builder: ccordes)
May 10 15:12:01 www freshclam[22467]: Database updated (281543 signatures) from db.local.clamav.net (IP: 65.120.238.2)
May 10 15:12:01 www clamd[22412]: SelfCheck: Database modification detected. Forcing reload.
May 10 15:12:01 www clamd[22412]: Reading databases from /var/lib/clamav
May 10 15:12:01 www freshclam[22467]: Clamd successfully notified about the update.
May 10 15:12:01 www freshclam[22467]: --------------------------------------
May 10 15:12:05 www clamd[22412]: Database correctly reloaded (280776 signatures)



#########################################################################




SPAM ASSASSIN
----------------

QMR package refers to install perl-Mail-SpamAssassin , but that is not availble through yum. And the provided RPM is too old to be compatible with current spamassassin-3.1.9 . So I installed it through CPAN.

perl -MCPAN -e "install Mail::SpamAssassin"


groupadd -g 711 spamd
useradd -u 711 -g 711 -s /home/spamd spamd
# passwd -l spamd # not in QMR guide. I thought it should be implemented. But do we need it?


vi /etc/sysconfig/spamassassin

If the above file exists, replace its contents :

SPAMDOPTIONS="-d -c -m5 -H"

, with the following line. If the file does not exist, create it and add the following line:

SPAMDOPTIONS="-x -u spamd -H /home/spamd -d"


spamd Options explained
-c, --create-prefs Create user preferences files (we don't need it)
-x, --nouser-config Disable user config files
-d, --daemonize Daemonize
-m num, --max-children=num Allow maximum num children
-u username, --username=username Run as username
-g groupname, --groupname=groupname Run as groupname (should we use this too? )
-v, --vpopmail Enable vpopmail config (we "should" need it, but not using at the moment)
-x, --nouser-config Disable user config files
-H [dir], --helper-home-dir[=dir] Specify a different HOME directory



Save and exit from the file.



vi /etc/mail/spamassassin/local.cf

Add the following line...

required_hits 5

Save and exit from the file.


service spamassassin restart
chkconfig --level 35 spamassassin on






-------------------------------------------------------

The following modules are used by various .pre files. Make sure that they are also installed.

perl -MCPAN -e "install Mail::SpamAssassin::Plugin::RelayCountry"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::URIDNSBL"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::Hashcash"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::SPF"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::DCC"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::Pyzor"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::Razor2"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::SpamCop"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::AntiVirus"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::AWL"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::AutoLearnThreshold"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::WhiteListSubject"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::DomainKeys"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::MIMEHeader"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::ReplaceTags"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::DKIM"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::Check"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::HTTPSMismatch"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::URIDetail"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::Shortcircuit"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::Bayes"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::BodyEval"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::DNSEval"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::HTMLEval"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::HeaderEval"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::MIMEEval"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::RelayEval"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::URIEval"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::WLBLEval"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::VBounce"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::Rule2XSBody"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::ASN"
perl -MCPAN -e "install Mail::SpamAssassin::Plugin::ImageInfo"


-------------------------------------------------------



Created a new local.cf file from the link ( http://www.yrex.com/spam/spamconfig.php)


...
...
# ok_languages should be disabled.

# ok_languages en

# SpamAssassin 3.1 Note: Language checking has been moved to a plugin in version 3.1.
# This setting will not work unless your administrator has enabled the TextCat plugin
# in /etc/mail/spamassassin/v310.pre.


---------------------------------------------------

vi /etc/mail/spamassassin/init.pre
...
loadplugin Mail::SpamAssassin::Plugin::RelayCountry
...

--------------

vi /etc/mail/spamassassin/v310.pre
...

loadplugin Mail::SpamAssassin::Plugin::DCC
loadplugin Mail::SpamAssassin::Plugin::Pyzor
loadplugin Mail::SpamAssassin::Plugin::Razor2
loadplugin Mail::SpamAssassin::Plugin::SpamCop
loadplugin Mail::SpamAssassin::Plugin::AntiVirus
loadplugin Mail::SpamAssassin::Plugin::AWL
loadplugin Mail::SpamAssassin::Plugin::AutoLearnThreshold
loadplugin Mail::SpamAssassin::Plugin::WhiteListSubject
loadplugin Mail::SpamAssassin::Plugin::DomainKeys
loadplugin Mail::SpamAssassin::Plugin::MIMEHeader
loadplugin Mail::SpamAssassin::Plugin::ReplaceTags
...

----------------------

vi /etc/mail/spamassassin/v312.pre
...
loadplugin Mail::SpamAssassin::Plugin::DKIM

---------------

vi /etc/mail/spamassassin/v320.pre
...
loadplugin Mail::SpamAssassin::Plugin::Shortcircuit
loadplugin Mail::SpamAssassin::Plugin::ASN


Now, run sa-compile. But, sa-compile needs re2c .

Dowload re2c from:

http://re2c.org/


http://rpmseek.com/download/
http://apt.sw.be/packages/re2c/re2c-0.13.1-1.el4.rf.i386.rpm?hl=com&nid=92223

http://rpmseek.com/download/http://apt.sw.be/packages/re2c/re2c-0.13.1-1.el5.rf.i386.rpm?hl=com&nid=92223:589

cd /downloads/qmailnew
Use links to download this:
http://apt.sw.be/packages/re2c/re2c-0.13.1-1.el4.rf.i386.rpm

http://superb-west.dl.sourceforge.net/sourceforge/re2c/re2c-0.13.3-1.src.rpm


cd /downloads/qmailnew
wget http://superb-west.dl.sourceforge.net/sourceforge/re2c/re2c-0.13.3-1.src.rpm
rpmbuild --rebuild re2c-0.13.3-1.src.rpm


rpm -ivh /usr/src/redhat/RPMS/i386/re2c-0.13.3-1.i386.rpm

------------


Now Run sa-compile:

# sa-compile


Then, run sa-update:

sa-update -D


Restart spamassassin service.

service spamassassin restart



DCC howto:
----------
cd /downloads/qmailnew

wget http://www.rhyolite.com/anti-spam/dcc/source/dcc.tar.Z
tar xzf dcc.tar.Z
cd dcc-1.3.90/

./configure
make
make install


vi /etc/mail/spamassassin/local.cf

dcc_home /var/dcc
dcc_path /usr/local/bin/dccproc

# dcc_dccifd_path, should be the path to dccifd socket, which will become available when dcc service is started.
dcc_dccifd_path /var/dcc/dccifd



vi /var/dcc/dcc_conf
. . .
DCCIFD_ENABLE=on
. . .


cp /var/dcc/libexec/rcDCC /etc/rc.d/init.d/dcc

chkconfig --level 35 dcc on
service dcc start

[root@www dcc-1.3.90]# ps aux | grep -i dcc
root 30623 0.0 0.0 2492 268 ? Ss 16:44 0:00 /var/dcc/libexec/dccifd -tREP,20 -tCMN,5, -llog -wwhiteclnt -Uuserdirs -SHELO -Smail_host -SSender -SList-ID
root 30624 0.1 0.6 28992 6844 ? Sl 16:44 0:00 /var/dcc/libexec/dccifd -tREP,20 -tCMN,5, -llog -wwhiteclnt -Uuserdirs -SHELO -Smail_host -SSender -SList-ID
root 30629 0.0 0.0 4100 580 pts/0 R+ 16:44 0:00 grep -i dcc


Enable the DCC plugin in spamassassin .pre files. Also enable other plugins. Disable pyzor and remove it's line from local.cf as well.



RAZOR:
------

Download Razor from: http://razor.sourceforge.net/

cd /downloads/qmailnew
wget http://optusnet.dl.sourceforge.net/sourceforge/razor/razor-agents-2.84.tar.bz2

tar xjf razor-agents-2.84.tar.bz2
cd razor-agents-2.84
perl Makefile.PL && make && make install


Added the following to local.cf file:

#vi /etc/mail/spamassassin/local.cf
#razor_config /etc/razor/razor-agent.conf

OR

echo "razor_config /etc/razor/razor-agent.conf" >> /etc/mail/spamassassin/local.cf

Then:
razor-admin -d -home=/etc/razor -create
razor-admin -d -home=/etc/razor -register


--------------------------

[root@www qmailnew]# service spamassassin restart
Stopping spamd: [ OK ]
Starting spamd: [ OK ]


Step: QMAILSCANNER:
--------------------

QMR package provides qmail-scanner-1.25.tgz. Latest is 2.04 from http://qmail-scanner.sourceforge.net/ .
QMR package provides qms-analog-0.4.2.tar.gz. Latest is from qms-analog-0.4.4 http://www.qms-analog.teel.ws . I don't think we need qms-analog. QmailScanner has a new reporting tool. From QMS website:

Reporting: in the contrib directory there's qs2mrtg.pl. A perl script for monitoring your syslog files for qmail-scanner records. It then graphs how Qmail-Scanner is processing your emails. It creates different graphs for incoming vs outgoing email, as well as the flow of spam and viruses.

We would also install TNEF (http://sourceforge.net/projects/tnef/) . As per the QMS site:-

Optional: Mark Simpson's TNEF unpacker. Can decode those annoying MS-TNEF MIME attachments that Microsoft mail servers just love to use. If you don't have this, there are several classes of email that Qmail-Scanner basically won't be able to extract attachments in. However, your AV might very well be able to handle them


yum install db4-devel

perl -MCPAN -e "install DB_File"


TNEF:-
------
cd /downloads/qmailnew
wget http://internap.dl.sourceforge.net/sourceforge/tnef/tnef-1.4.3.tar.gz
tar xzf tnef-1.4.3.tar.gz
cd /downloads/qmailnew/tnef-1.4.3
./configure && make && make install



Decided to install new version of QMS:-
---------------------------------------

cd /downloads/qmailnew

wget http://superb-west.dl.sourceforge.net/sourceforge/qmail-scanner/qmail-scanner-2.04.tgz
tar xzf qmail-scanner-2.04.tgz
cd /downloads/qmailnew/qmail-scanner-2.04


Create the following (new) file:-

(Don't use cat >> << EOF method to create this file)

vi qms-config
#!/bin/sh

## File: qms-config
##
## Purpose: Provide a file to save personal qmail-scanner configuration
## options. This file should be edited for your server and
## saved somewhere so that it survives qmail-scanner and
## qms-analog upgrades.
##

# Was the "install" option given?
if [ "$1" != "install" ]; then
INSTALL=
else
INSTALL="--install"
fi

# Qmail Scanner 2.02 configuration:

./configure --domain example.com \
--admin postmaster \
--local-domains "example.com,sufi-iqbal.net" \
--add-dscr-hdrs yes \
--ignore-eol-check yes \
--notify admin \
--redundant yes \
"$INSTALL"



Next:

chmod 755 qms-config

./qms-config

then

---------------------------
( Note QMS will get installed in /var/spool/qscan. NOT /var/spool/qmailscan)

./qms-config install



Testing suid nature of /usr/bin/perl...
Looks OK...
Hit RETURN to create initial directory structure under /var/spool/qscan,
and install qmail-scanner-queue.pl under /var/qmail/bin:
perlscanner: generate new DB file from /var/spool/qscan/quarantine-events.txt
perlscanner: total of 12 entries.

Finished installation of initial directory structure for Qmail-Scanner
under /var/spool/qscan and qmail-scanner-queue.pl under /var/qmail/bin.

Finished. Please read README(.html) and then go over the script
(/var/qmail/bin/qmail-scanner-queue.pl) to check paths/etc.

"/var/qmail/bin/qmail-scanner-queue.pl -r" should return some well-known virus
definitions to show that the internal perlscanner component is working.

That's it!


****** FINAL TEST ******

Please log into an unpriviledged account and run
/var/qmail/bin/qmail-scanner-queue.pl -g

If you see the error "Can't do setuid", or "Permission denied", then
refer to the FAQ.

(e.g. "setuidgid qmaild /var/qmail/bin/qmail-scanner-queue.pl -g")


That's it! To report success:

% (echo 'First M. Last'; cat SYSDEF)|mail jhaar-s4vstats@crom.trimble.co.nzThis e-mail address is being protected from spambots, you need JavaScript enabled to view it
Replace First M. Last with your name.


-------------

ls -l /var/qmail/bin/qmail-scanner-queue.pl

-rwsr-sr-x 1 qscand qscand 111710 May 9 17:36 /var/qmail/bin/qmail-scanner-queue.pl


---------------
Let's do the test :

logon as user kamran:

# su - kamran
[kamran@www ~]$ /var/qmail/bin/qmail-scanner-queue.pl -g
perlscanner: generate new DB file from /var/spool/qscan/quarantine-events.txt
perlscanner: total of 12 entries.
[kamran@www ~]$

exit

Note: The path is changed for the Qmail Scanner spool files in the newest version, from "/var/spool/qmailscan", to "/var/spool/qscan" .


The test is passed. Alhumdulillah. Now run the following:-


setuidgid qscand /var/qmail/bin/qmail-scanner-queue.pl -z # also setup a cronjob to do this once a day.
setuidgid qscand /var/qmail/bin/qmail-scanner-queue.pl -g # also setup a cronjob to do this once a day.


Set them up to run through cron as well:-

crontab -e
0 1 * * * /usr/local/bin/setuidgid qscand /var/qmail/bin/qmail-scanner-queue.pl -z
0 1 * * * /usr/local/bin/setuidgid qscand /var/qmail/bin/qmail-scanner-queue.pl -g



chown -R qscand:qscand /var/spool/qscan # not /var/spool/qmailscan


vi /var/qmail/supervise/qmail-smtpd/run
QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl" ; export QMAILQUEUE
...
(change softlimit to 40000000)
...
...

Note: The limit 40000000 (40 MB) is (more than two years) old. And because of all the new requirements of latest version of the participating software, I needed to increase it to 60000000 (60 MB), otherwise my mails were not being dealt correctly by the Qmail Scanner. It is safe to increase this value.
--------

WAIT........ DISABLE POP3 AND POP3S in COURIER FIRST. QMAIL HAS IT'S OWN POP3 server.



Restart Qmail

qmailctl stop
sleep 5
qmailctl start
sleep 5
qmailctl stat


[root@www qmail-scanner-2.04]# qmailctl stat
/service/qmail-send: up (pid 7749) 5 seconds
/service/qmail-send/log: up (pid 7750) 5 seconds
/service/qmail-smtpd: up (pid 7753) 5 seconds
/service/qmail-smtpd/log: up (pid 7758) 5 seconds
/service/qmail-pop3d: up (pid 7767) 5 seconds
/service/qmail-pop3d/log: up (pid 7768) 5 seconds
messages in queue: 293
messages in queue but not yet preprocessed: 181




Now, try the test_installation.sh script in contrib directory.


cd /downloads/qmailnew/qmail-scanner-2.04/contrib


./test_installation.sh -doit

[root@www contrib]# ./test_installation.sh -doit

Sending standard test message - no viruses...
done!

Sending eicar test virus - should be caught by perlscanner module...
done!

Sending eicar test virus with altered filename - should only be caught by commercial anti-virus modules (if you have any)...

Sending bad spam message for anti-spam testing - In case you are using SpamAssassin...
Done!

Finished test. Now go and check Email sent to postmaster@example.comThis e-mail address is being protected from spambots, you need JavaScript enabled to view it




You should have 2 messages in the postmaster's mail box, one clean message and the other marked as *****SPAM***** ., and the following output in your maillog.


tail -f /var/log/maillog

May 9 17:53:34 www qmail-scanner[8149]: Clear:RC:1(127.0.0.1): 0.022018 313 postmaster@example.comThis e-mail address is being protected from spambots, you need JavaScript enabled to view it postmaster@example.comThis e-mail address is being protected from spambots, you need JavaScript enabled to view it Qmail-Scanner_test_(1/4):_inoffensive_message <> orig-www.example.com12103376145628149:313 1210337614.8151-0.www.example.com:68
May 9 17:53:34 www spamd[31043]: spamd: connection from localhost.localdomain [127.0.0.1] at port 37141
May 9 17:53:34 www spamd[31043]: spamd: processing message <> for postmaster@example.comThis e-mail address is being protected from spambots, you need JavaScript enabled to view it :711
May 9 17:53:34 www qmail-scanner[8162]: Perlscan:EICAR_Test_Virus:RC:1(127.0.0.1): 0.027297 961 postmaster@example.comThis e-mail address is being protected from spambots, you need JavaScript enabled to view it postmaster@example.comThis e-mail address is being protected from spambots, you need JavaScript enabled to view it Qmail-Scanner_viral_test_(2/4):_checking_perlscanner... <> 1210337614.8169-0.www.example.com:300 Eicar.com:69 orig-www.example.com12103376145628162:961
May 9 17:53:35 www qmail-scanner[8177]: CLAMDSCAN:Eicar-Test-Signature:RC:1(127.0.0.1): 0.016671 1236 postmaster@example.comThis e-mail address is being protected from spambots, you need JavaScript enabled to view it postmaster@example.comThis e-mail address is being protected from spambots, you need JavaScript enabled to view it Qmail-Scanner_viral_test_(3/4):_checking_non-perlscanner_AV... <> sneaky.txt
May 9 17:53:35 www spamd[31044]: spamd: connection from localhost.localdomain [127.0.0.1] at port 37143
May 9 17:53:35 www spamd[31044]: spamd: checking message (unknown) for postmaster@example.comThis e-mail address is being protected from spambots, you need JavaScript enabled to view it :711
May 9 17:53:35 www spamd[31043]: spamd: clean message (0.0/5.0) for postmaster@example.comThis e-mail address is being protected from spambots, you need JavaScript enabled to view it :711 in 0.7 seconds, 616 bytes.
May 9 17:53:35 www spamd[31043]: spamd: result: . 0 - UNPARSEABLE_RELAY scantime=0.7,size=616,user= postmaster@example.comThis e-mail address is being protected from spambots, you need JavaScript enabled to view it ,uid=711,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=37141,mid=<>,autolearn=ham,shortcircuit=no
May 9 17:53:35 www spamd[31040]: prefork: child states: IB
May 9 17:53:35 www maildrop[8167]: Unable to open mailbox.
May 9 17:53:36 www spamd[31044]: spamd: identified spam (1009.7/5.0) for postmaster@example.comThis e-mail address is being protected from spambots, you need JavaScript enabled to view it :711 in 1.6 seconds, 1893 bytes.
May 9 17:53:36 www spamd[31044]: spamd: result: Y 1009 - DATE_IN_FUTURE_96_XX,DK_POLICY_TESTING,EXCUSE_4,FORGED_YAHOO_RCVD,GTUBE,MISSING_MID,NORMAL_HTTP_TO_IP,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK scantime=1.6,size=1893,user= postmaster@example.comThis e-mail address is being protected from spambots, you need JavaScript enabled to view it ,uid=711,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=37143,mid=(unknown),autolearn=no,shortcircuit=no
May 9 17:53:37 www spamd[31040]: prefork: child states: II
May 9 17:53:37 www qmail-scanner[8186]: Clear:RC:1(127.0.0.1):SA:1(1009.7/5.0): 1.755721 1881 postmaster@example.comThis e-mail address is being protected from spambots, you need JavaScript enabled to view it postmaster@example.comThis e-mail address is being protected from spambots, you need JavaScript enabled to view it Qmail-Scanner_anti-spam_test_(4/4):_checking_SpamAssassin_[if_present]_(There_yo <9ps291lhupy> orig-www.example.com12103376155628186:1881 1210337615.8188-0.www.example.com:818
May 9 17:53:37 www spamd[31043]: spamd: connection from localhost.localdomain [127.0.0.1] at port 37147
May 9 17:53:37 www spamd[31043]: spamd: processing message <9ps291lhupy> for postmaster@example.comThis e-mail address is being protected from spambots, you need JavaScript enabled to view it :711
May 9 17:53:38 www spamd[31043]: spamd: identified spam (1009.2/5.0) for postmaster@example.comThis e-mail address is being protected from spambots, you need JavaScript enabled to view it :711 in 1.4 seconds, 2384 bytes.
May 9 17:53:38 www spamd[31043]: spamd: result: Y 1009 - AWL,DK_POLICY_TESTING,EXCUSE_4,FORGED_YAHOO_RCVD,GTUBE,INVALID_MSGID,MSGID_SHORT,NORMAL_HTTP_TO_IP,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,UNPARSEABLE_RELAY scantime=1.4,size=2384,user= postmaster@example.comThis e-mail address is being protected from spambots, you need JavaScript enabled to view it ,uid=711,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=37147,mid=<9ps291lhupy>,autolearn=no,shortcircuit=no
May 9 17:53:38 www spamd[31040]: prefork: child states: II
May 9 17:53:38 www maildrop[8204]: Unable to open mailbox.
May 9 17:55:15 www spamd[31043]: spamd: connection from localhost.localdomain [127.0.0.1] at port 43421
May 9 17:55:15 www spamd[31043]: spamd: processing message <> for postmaster@example.comThis e-mail address is being protected from spambots, you need JavaScript enabled to view it :711
May 9 17:55:17 www spamd[31044]: spamd: connection from localhost.localdomain [127.0.0.1] at port 43427
May 9 17:55:17 www spamd[31044]: spamd: processing message <9ps291lhupy> for postmaster@example.comThis e-mail address is being protected from spambots, you need JavaScript enabled to view it :711
May 9 17:55:17 www spamd[31043]: spamd: clean message (0.0/5.0) for postmaster@example.comThis e-mail address is being protected from spambots, you need JavaScript enabled to view it :711 in 1.3 seconds, 616 bytes.
May 9 17:55:17 www spamd[31043]: spamd: result: . 0 - UNPARSEABLE_RELAY scantime=1.3,size=616,user= postmaster@example.comThis e-mail address is being protected from spambots, you need JavaScript enabled to view it ,uid=711,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=43421,mid=<>,autolearn=unavailable,shortcircuit=no
May 9 17:55:17 www spamd[31040]: prefork: child states: IB
May 9 17:55:17 www maildrop[8590]: Unable to open mailbox.
May 9 17:55:18 www spamd[31044]: spamd: identified spam (1008.9/5.0) for postmaster@example.comThis e-mail address is being protected from spambots, you need JavaScript enabled to view it :711 in 1.5 seconds, 2384 bytes.
May 9 17:55:18 www spamd[31044]: spamd: result: Y 1008 - AWL,DK_POLICY_TESTING,EXCUSE_4,FORGED_YAHOO_RCVD,GTUBE,INVALID_MSGID,MSGID_SHORT,NORMAL_HTTP_TO_IP,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,UNPARSEABLE_RELAY scantime=1.5,size=2384,user= postmaster@example.comThis e-mail address is being protected from spambots, you need JavaScript enabled to view it ,uid=711,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=43427,mid=<9ps291lhupy>,autolearn=no,shortcircuit=no
May 9 17:55:18 www spamd[31040]: prefork: child states: II
May 9 17:55:18 www maildrop[8602]: Unable to open mailbox.


Note:
Any SMTP sessions that are dropped (due to network outages/etc) may lead to files lying around in /var/spool/qscan . Running "/var/qmail/bin/qmail-scanner-queue.pl -z", at least once daily, will ensure such files are deleted when they're over 30 hours old - make a cronjob to do that (see contrib/ for a logrotate script).

crontab -e
0 2 * * * /var/qmail/bin/qmail-scanner-queue.pl -z

--------------

You may want to change the file /etc/tcp.smtp , from :

127.:allow,RELAYCLIENT=""


, to:


# No Qmail-Scanner at all for mail from 127.0.0.1
127.:allow,RELAYCLIENT="",RBLSMTPD="",QMAILQUEUE="/var/qmail/bin/qmail-queue"
# Use Qmail-Scanner without SpamAssassin on any mail from the local network
# [it triggers SpamAssassin via the presence of the RELAYCLIENT var]
# 10.:allow,RELAYCLIENT="",RBLSMTPD="",QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
#
# Use Qmail-Scanner with SpamAssassin on any mail from the rest of the world
:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"

--------------------

I have setup my /etc/tcp.smtp as follows:-

[root@www contrib]# vi /etc/tcp.smtp
# my users loggin on to the web interface may be uploading virus infeced files.
127.:allow,RELAYCLIENT="",RBLSMTPD="",QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
# No Qmail-Scanner at all for mail from 127.0.0.1
## 127.:allow,RELAYCLIENT="",RBLSMTPD="",QMAILQUEUE="/var/qmail/bin/qmail-queue"
# Use Qmail-Scanner without SpamAssassin on any mail from the local network
# [it triggers SpamAssassin via the presence of the RELAYCLIENT var]
# 10.:allow,RELAYCLIENT="",RBLSMTPD="",QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
#
# Use Qmail-Scanner with SpamAssassin on any mail from the rest of the world
:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"



[root@www contrib]# qmailctl stop
Stopping qmail...

qmail-smtpd
qmail-send
qmail-pop3d


[root@www contrib]# qmailctl cdb
Reloaded /etc/tcp.smtp.


[root@www contrib]# qmailctl start
Starting qmail...

Starting qmail-send
Starting qmail-smtpd
Starting qmail-pop3d


[root@www contrib]# qmailctl stat
/service/qmail-send: up (pid 8801) 4 seconds
/service/qmail-send/log: up (pid 8808) 4 seconds
/service/qmail-smtpd: up (pid 8811) 4 seconds
/service/qmail-smtpd/log: up (pid 8816) 4 seconds
/service/qmail-pop3d: up (pid 8819) 4 seconds
/service/qmail-pop3d/log: up (pid 8820) 4 seconds
messages in queue: 263
messages in queue but not yet preprocessed: 0


Step: Install / configure qs2mrtg:
----------------------------------
Install qs2mrtg.pl from the contrib directory of the qmailscanner.

This is for drawing graphs in MRTG.



Step: QMAIL ANALOG:
-------------------

I could not get this to work with lastest QmailScanner. So It is useless to setup. Also it is not needed based on qs2mrtg.



Step: GREYLISTING and RBLSMTPD:
---------------------------------

Greylist software can be downloaded.

cd /downloads/qmailnew
wget http://oss.albawaba.com/files/cqgreylist-0.2.tar.gz
tar xzf cqgreylist-0.2.tar.gz
cd cqgreylist-0.2
mkdir /var/qmail/cqgreylist
chown vpopmail /var/qmail/cqgreylist


vi cqgreylist.c
. . .

/*
* Change anything you want here
*/
/* RFC 2821 specifies the timeout for recieving a command to at least 5 mins */
#define TIMEOUT 300
/* specify the greylisting time in which to not accept mail from a sender */
#define GREY_SECONDS 60

char* hostname = "www.example.com";
char* message = "You are greylisted. Try again.";
char* base_directory = "/var/qmail/cqgreylist/";

/*
* End of user editable parameters
*/


make
cp cqgreylist /var/qmail/bin/


crontab -e

. . .
23 * * * * /usr/bin/find /var/qmail/cqgreylist -mtime 1 -type f -exec rm -f {} \;

See next section (RBLSMTPD) to actually include GreyListing in Qmail run file.



RBLSMTPD:
---------

Edit the run script for qmail-smtpd:-

vi /var/qmail/supervise/qmail-smtpd/run

Text before editing:
. . .
exec /usr/local/bin/softlimit -m 40000000 \
/usr/local/bin/tcpserver -v -R -l "$LOCAL" -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \
-u "$QMAILDUID" -g "$NOFILESGID" 0 smtp \
/var/qmail/bin/qmail-smtpd www.example.com \
/home/vpopmail/bin/vchkpw /usr/bin/true 2>&1


Text after editing:
-------------------
. . .
exec /usr/local/bin/softlimit -m 40000000 \
/usr/local/bin/tcpserver -v -R -l "$LOCAL" -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \
-u "$QMAILDUID" -g "$NOFILESGID" 0 smtp \
rblsmtpd \
-r sbl.spamhaus.org \
-r zen.spamhaus.org \
-r bl.spamcop.net \
-r list.dsbl.org \
/var/qmail/bin/cqgreylist \
/var/qmail/bin/qmail-smtpd www.example.com \
/home/vpopmail/bin/vchkpw /usr/bin/true 2>&1


Restart Qmail service:

qmailctl stop
qmailctl cdb
qmailctl start
sleep 5
qmailctl stat

[root@www cqgreylist-0.2]# qmailctl stat
/service/qmail-send: up (pid 11184) 5 seconds
/service/qmail-send/log: up (pid 11191) 5 seconds
/service/qmail-smtpd: up (pid 11194) 5 seconds
/service/qmail-smtpd/log: up (pid 11199) 5 seconds
/service/qmail-pop3d: up (pid 11202) 5 seconds
/service/qmail-pop3d/log: up (pid 11203) 5 seconds
messages in queue: 21
messages in queue but not yet preprocessed: 0


ALHUMDULILLAH. MAIL SERVER SETUP COMPLETE.

======================================================


Step: QS2MRTG: [Not fully documented]. Coming soon.
---------------------------------------------------

Install qs2mrtg.pl from the contrib directory of the qmailscanner.

cp /downloads/qmailnew/qmail-scanner-2.04/contrib/qs2mrtg.pl /usr/local/bin/


This is for drawing graphs in MRTG.

[root@www contrib]# ./qs2mrtg.pl --syslog-file=/var/log/messages \
--offset-file=/var/log/qs2mrtg.offset \
--mrtg-output-dir=/var/www/mrtg/ --mailsrv-name=www.example.com




Step: SETUP FIREWALL:
---------------------
Create a new file /etc/firewall.sh

vi /etc/firewall.sh

#!/bin/bash

###################################################################################
# Author: Muhammad Kamran Azeem ( kamran@example.comThis e-mail address is being protected from spambots, you need JavaScript enabled to view it )
# Created: 20080410
# Last Updated: 20080410
# Implementation on this sevrer:20080509
# Proposed implementation: On stand alone webmail servers
###################################################################################
#
# Various tools:
# nmap -sU PUBLIChost # scans UDP ports
#
# The following reports total number of connections
# netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
#
#
#
###################################################################################



# User configurable parameters - START - #############################################
#
# The Public interface of this server towards Internet:-
PUBLICIF=eth0
#
# The Public IP of this server (on $PUBLICIF) visible/accessable from the Internet:-
PUBLICIP=192.168.0.200
#
# The full path to the iptables program:-
IPTABLES=/sbin/iptables
#
# User configurable parameters - END - ###############################################

############ Load Modules - Start #############
#
# Load FTP connection tracking module
modprobe ip_conntrack_ftp
#
############# Load Modules - End ##############

$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -P INPUT ACCEPT

# ports list:
# 22/tcp - SSH
# 25/tcp - SMTP
# 80/tcp - HTTP
# 443/tcp - HTTPS
# 110/tcp - POP3
# 995/tcp - POP3S
# 143/tcp - IMAP
# 993/tcp - IMAPS
# 123/tcp - NTP
# 123/udp - NTP
# 199/tcp - SNMP
# 161/UDP - SNMP
# 3306/tcp - MySQL


# Setup default INPUT policy as DROP
$IPTABLES -P INPUT DROP


## allow packets coming from the machine
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# allow outgoing traffic
$IPTABLES -A OUTPUT -o $PUBLICIF -j ACCEPT


# Block spoofing

# $IPTABLES -A INPUT -s 127.0.0.0/8 -i ! lo -j DROP

# OR more sophisticated / wide ranged method is below:-

# Add your IP range/IPs here,
# Yes I am sure that the last address has 16 bit subnet for a VALID reason
SPOOFLIST="0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/16 192.168.0.0/16 224.0.0.0/3"
for ip in $SPOOFLIST
do
$IPTABLES -A INPUT -i $PUBLICIF -s $ip -j DROP
done


# Allow the following traffic only:-
$IPTABLES -A INPUT -i $PUBLICIF -p tcp -m multiport --dport 21,22,25,80,443,110,995,143,993 -j ACCEPT


# Hopefuly spamassassin, NTP, Razor, DNS, DCCIFD, etc will keep working properly,
# because of the following two rules.
$IPTABLES -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT


# Stop bad packets
$IPTABLES -A INPUT -m state --state INVALID -j DROP

# NMAP FIN/URG/PSH
$IPTABLES -A INPUT -i $PUBLICIF -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP

# stop Xmas Tree type scanning
$IPTABLES -A INPUT -i $PUBLICIF -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A INPUT -i $PUBLICIF -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

# stop null scanning
$IPTABLES -A INPUT -i $PUBLICIF -p tcp --tcp-flags ALL NONE -j DROP

# SYN/RST
$IPTABLES -A INPUT -i $PUBLICIF -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

# SYN/FIN
$IPTABLES -A INPUT -i $PUBLICIF -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP


# If the incoming SYN packets are not NEW, we need to DROP them:-
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# Stop sync flood. Not using the following because it will result in VERY SLOW SERVER
# Incoming syn requests, which may be legitimate Web requests,
# coming from many web browsers / clients will get limited to 1 per second,
# WHICH, WE DON'T WANT.
# I suppose we CANNOT SYN Flood ?
# $IPTABLES -N SYNFLOOD
# $IPTABLES -A SYNFLOOD -p tcp --syn -m limit --limit 1/s -j RETURN
# $IPTABLES -A SYNFLOOD -p tcp -j REJECT --reject-with tcp-reset
# $IPTABLES -A INPUT -p tcp -m state --state NEW -j SYNFLOOD



# Stop ping flood attack

# DROP ICMP packets size larger than (64 Data+8 Header)=72 bytes (Below 85 did not help me!):

iptables -A INPUT -p icmp --icmp-type echo-request -m length --length 85: -j REJECT --reject-with icmp-host-prohibited

# Allow maximum one incoming ICMP packets per second
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT


# End of Firewall script

exit 0


-------------


Create a new startup file /etc/init.d/firewall

vi /etc/init.d/firewall

# firewall Startup script for our personal firewall
#
# chkconfig: 01 99
# description: Our own custom built firewall setup
# processname: firewall

# Source function library.
. /etc/rc.d/init.d/functions

prog=/etc/firewall.sh
lockfile=/var/lock/subsys/firewall
RETVAL=0

start() {
echo -n $"Starting $prog: "
/bin/sh /etc/firewall.sh
RETVAL=$?
echo
[ $RETVAL = 0 ] && touch ${lockfile}
return $RETVAL
}


stop() {
echo -n $"Stopping $prog: "
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
RETVAL=$?
echo
[ $RETVAL = 0 ] && rm -f ${lockfile}
}

# See how we were called.
case "$1" in
start)
start
;;
stop)
stop
;;
status)
/sbin/iptables -L
;;
restart)
stop
start
;;
*)
echo $"Usage: $prog {start|stop|status|restart}"
RETVAL=3
esac

exit $RETVAL


------------------------

chmod +x /etc/firewall.sh
chmod +x /etc/init.d/firewall

chkconfig --level 35 firewall on
service firewall start

=====================================================================

End of QMail Rocks Guide
Last Updated ( Thursday, 13 November 2008 21:15 )

1 comment: