Chinaunix首页 | 论坛 | 博客
  • 博客访问: 5376596
  • 博文数量: 1144
  • 博客积分: 11974
  • 博客等级: 上将
  • 技术积分: 12312
  • 用 户 组: 普通用户
  • 注册时间: 2005-04-13 20:06
文章存档

2017年(2)

2016年(14)

2015年(10)

2014年(28)

2013年(23)

2012年(29)

2011年(53)

2010年(86)

2009年(83)

2008年(43)

2007年(153)

2006年(575)

2005年(45)

分类: LINUX

2006-11-22 11:43:55

Server Software/Mail Server/SMTP
From ServerWiki
<  | 
Jump to: , 
Contents
[]
[]
SMTP

The first thing to set up is the SMTP service. Qmail will handle this. Qmail is a secure, reliable, efficient, simple message transfer agent. It is designed for typical Internet-connected UNIX hosts. As of October 2001, qmail is the second most common SMTP server on the Internet, and has by far the fastest growth of any SMTP server. It was written by Dr. []

Qmail is: (mostly quoted from DJB)

  • Secure: Security isn’t just a goal, but an absolute requirement. Mail delivery is critical for users; it cannot be turned off, so it must be completely secure. (This is why I started writing qmail: I was sick of the security holes in sendmail and other MTAs.) Only two minor bugs have been found in qmail since version 1.0, and there is an as yet unclaimed $500 prize for the first person to publish a verifiable security hole in the latest version of the software. This prize has been offered since 1997. Fourteen security holes were discovered in sendmail in 1996 and 1997. 
  • Reliable: qmail’s straight-paper-path philosophy guarantees that a message, once accepted into the system, will never be lost. qmail also optionally supports maildir, a new, super-reliable user mailbox format. Maildirs, unlike mbox files and mh folders, won’t be corrupted if the system crashes during delivery. Even better, not only can a user safely read his mail over NFS, but any number of NFS clients can deliver mail to him at the same time. 
  • Efficient: On a Pentium under BSD/OS, qmail can easily sustain 200000 local messages per day—that’s separate messages injected and delivered to mailboxes in a real test! Although remote deliveries are inherently limited by the slowness of DNS and SMTP, qmail overlaps 20 simultaneous deliveries by default, so it zooms quickly through mailing lists. (This is why I finished qmail: I had to get a big mailing list set up.) 
  • Simple: qmail is vastly smaller than any other Internet MTA. Some reasons why: (1) Other MTAs have separate forwarding, aliasing, and mailing list mechanisms. qmail has one simple forwarding mechanism that lets users handle their own mailing lists. (2) Other MTAs offer a spectrum of delivery modes, from fast+unsafe to slow+queued. qmail-send is instantly triggered by new items in the queue, so the qmail system has just one delivery mode: fast+queued. (3) Other MTAs include, in effect, a specialized version of inetd that watches the load average. qmail’s design inherently limits the machine load, so qmail-smtpd can safely run from your system’s inetd. 
In our setup Qmail has some prerequisites, we’ll take care of those first. 

 
[]
Software
Download these packages to /usr/local/src/smtp 





http://software.nerdworks.org/mail_server/smtp/custom.patch









[]
Ucspi-tcp
We’ll start off with ucspi-tcp. Tcpserver and tcpclient are easy-to-use command-line tools for building TCP client-server applications. 
Features: 
  • tcpserver waits for incoming connections and, for each connection, runs a program of your choice. Your program receives environment variables showing the local and remote host names, IP addresses, and port numbers. 
  • tcpserver offers a concurrency limit to protect you from running out of processes and memory. When you are handling 40 (by default) simultaneous connections, tcpserver smoothly defers acceptance of new connections. 
  • tcpserver also provides TCP access control features, similar to tcp-wrappers/tcpd's hosts.allow but much faster. Its access control rules are compiled into a hashed format with cdb, so it can easily deal with thousands of different hosts. 
  • This package includes a recordio tool that monitors all the input and output of a server. 
  • tcpclient makes a TCP connection and runs a program of your choice. It sets up the same environment variables as tcpserver. 
  • This package includes several sample clients built on top of tcpclient: who@, date@, finger@, http@, tcpcat, and mconnect. 
  • tcpserver and tcpclient conform to UCSPI, the UNIX Client-Server Program Interface, using the TCP protocol. UCSPI tools are available for several different networks. 
ucspi-tcp is a good replacement for inetd. 
More info about ucspi-tcp at . 
This package contains the original source code, the standard patches and a script to set it all up correctly. The the maximum length of error messages is increased from 200 to 500 characters. This allows you to create some nice and descriptive text to send to people who are being blocked by your RBL filters. 
# cd /usr/local/src/smtp
# tar jxf ucspi-tcp-0.88-with_patches.tar.bz2 
# cd ucspi-tcp-0.88-with_patches/ 
# sh setup.sh
# cd ..
[]
Daemontools
Next one out is daemontools, also available from . Daemontools is a collection of tools for managing UNIX services. daemontools is a collection of tools for managing UNIX services. 
supervise monitors a service. It starts the service and restarts the service if it dies. Setting up a new service is easy: all supervise needs is a directory with a run script that runs the service. 
multilog saves error messages to one or more logs. It optionally timestamps each line and, for each log, includes or excludes lines matching specified patterns. It automatically rotates logs to limit the amount of disk space used. If the disk fills up, it pauses and tries again, without losing any data. 
Daemontools is a weird set of tools when it comes to installation, it requires to be installed in /package. See  for more info. 
This package contains the original source code, the standard patches and a script to set it all up correctly. 
# cd /usr/local/src/smtp
# tar jxf daemontools-0.76-with_patches.tar.bz2
# cd daemontools-0.76-with_patches/
# sh setup.sh
# cd ..
Wait a couple of seconds and verify that svscan has started and is running. Then: 
# ps -auxw | grep svscan
[]
Syncdir
[] provides an alternate implementation for open, link, rename, and unlink that executes a fsync on any modified directories. It is required to compile qmail against this library to make the qmail-queue safe for most Linux filesystems (ext2, ext3, Reiserfs, XFS, and more). Syncdir was written by []. 
# cd /usr/local/src/smtp
# tar zxf syncdir-1.0.tar.gz 
# cd syncdir-1.0 
# make 
# make install
# cd ..
[]
Qmail - Part 1
A few notes about the qmail-toaster-0.8.3.patch: This patch of patches includes these popular patches: 
  • smtp-auth Erwin Hoffmann's SMTP-AUTH (0.5.7) 
  • tls/ssl support for qmail-smtpd. Frederik Vermulen's TLS patch (20060104) 
  • spf 
  • qmail-queue (to allow for virus scanners) 
  • maildir++ patch 
  • support oversize dns packets (not necessary if you use dnscache) 
  • chkuser (check for local vpopmail users, envelope syntax. requires vpopmail to be previously installed) 
  • spam throttle 
  • qregex (regular expression matching in badmailfrom and badmailto) 
  • big concurrency (set the spawn limit above 255) 
This patch will advertise TLS to clients, so don’t forget to run make cert (this command is included in the toaster docs). Otherwise, clients that use TLS by default (like Netscape Messenger) will not work with qmail-smtpd. Also, qmail-remote will try to do TLS with other smtp servers and fail if there is no certificate. To do SMTP-AUTH, you need to run qmail-smtpd as user vpopmail, group vchkpw if you plan on using this with vpopmail (the certificates are chowned vpopmail for this reason). 
Qmail requires a set of user accounts to be available, so we will set up these first. 
# mkdir /var/qmail 
# groupadd nofiles 
# useradd -g nofiles -d /var/qmail/alias alias 
# useradd -g nofiles -d /var/qmail qmaild 
# useradd -g nofiles -d /var/qmail qmaill 
# useradd -g nofiles -d /var/qmail qmailp 
# groupadd qmail 
# useradd -g qmail -d /var/qmail qmailq 
# useradd -g qmail -d /var/qmail qmailr 
# useradd -g qmail -d /var/qmail qmails 
Make and set up qmail temporarily. We will have to wait until Vpopmail is installed before we apply the patches. Then recompile qmail. 
Exchange host.domain.tld with the fully qualified host name of your server. I.e. mail.test.com 
# cd /usr/local/src/smtp
# tar zxf netqmail-1.05.tar.gz
# cd netqmail-1.05/
# ./collate.sh 
# cd netqmail-1.05/
# make
# make setup check
# ./config-fast host.domain.tld
# cd ../..
NOTE! When upgrading or rekompiling qmail, do *NOT* run the ./config-fast command, it will overwrite your config files. 
Now we will install Vpopmail, and then come back to do the rest of the qmail installation. Some of the next steps depends on Vpopmail being installed. 
[]
Vpopmail
Quote from the README  Vpopmail is a set of programs for creating and managing multiple virtual domains on a qmail server. 
It is geared toward ease of use for system administrators as well as security and efficency. With the associated command line programs, system administrators never need touch any of the underlying qmail files and processes. All details are automatically handled. 

 
Features include 
  • Support for 1 to 23 million virtual email domains using a "grow as it goes" balenced directory tree. 
  • Support for 1 to 23 million email users per domain using the same balenced tree structure. 
  • Automates all qmail configurations into handy and scriptable command line programs and documented API library calls. 
  • Automates Unix user/group/other permissioning of directories and files. 
  • Supports authenticated relay control of your qmail smtp server. 
  • Virtual email file/directories can be assigned to any user/group or do the default vpopmail/vchkpw 89/89. 
  • Does not require email user accounts in /etc/passwd 
  • Supports name or IP based virtual domains 
  • Optionally automates support for: 
    • Storing clear text passwords to help tech support workers 
    • Record last authentication and automates deletion of stale accounts. 
    • Storing alias/forwards in mysql or oracle 
  • Configurable logging based on real world admin's comments and requirements. 
  • Support for MySQL, Oracle, PostgreSQL, /etc/passwd, /etc/shadow, LDAP, Sybase, and default cdb authentication storage. 
  • Delivers directly to Maildir for use with qmail-pop3d, .qmail files or any other Maildir program. 
  • No need to have hundreds of .qmail files for virtual domains. Each domain gets it's own directory under vpopmail user with a separate password file for each domain. 
  • Documented C library for all vpopmail features and transactions. 
 
In this guide we will install with MySQL support. Read more about this at  
Check if UID and GID 89 is available, then add group vchkpw and user vpopmail. 
# grep 89 /etc/passwd 
# grep 89 /etc/group
# groupadd -g 89 vchkpw 
# useradd -g vchkpw -u 89 -d /var/vpopmail vpopmail
Time to configure and install Vpopmail with MySQL support. Exchange 'your-vpopmail-password' 
# cd /usr/local/src/smtp
# tar zxf vpopmail-5.4.16.tar.gz 
# cd vpopmail-5.4.16
# mkdir /var/vpopmail/etc
# echo 'localhost|0|vpopmail|your-vpopmail-password|vpopmail' > /var/vpopmail/etc/vpopmail.mysql 
# chown -R vpopmail.vchkpw /var/vpopmail 
# chmod 640 /var/vpopmail/etc/vpopmail.mysql
Log into Mysql as the Mysql root user and then create the database for vpopmail to use and then setup the appropriate permissions on this database. 
# mysql --password="mysql-root-passwd" 
 
mysql> CREATE DATABASE vpopmail; 
mysql> GRANT select,insert,update,delete,create,drop ON vpopmail.* 
    -> TO vpopmail@localhost IDENTIFIED BY 'your-vpopmail-password'; 
> quit 
Run configure, make and install Vpopmail. 
Some of the options are default, but is included for clarity. You do not need to allow support for roaming users, better use smtp-auth instead. It may be best to disable auth-logging as webmail clients are doing a lot of auth, however IMAPproxy helps a lot on this. 
# ./configure \ 
> --disable-roaming-users \
> --enable-tcpserver-file=/var/vpopmail/etc/tcp.smtp.cdb \
> --enable-logging=e \
> --enable-qmail-ext \
> --disable-ip-alias-domains \
> --disable-passwd \
> --enable-clear-passwd \
> --disable-domain-quotas \
> --enable-auth-module=mysql \
> --enable-sql-logging \
> --disable-many-domains \
> --disable-mysql-limits \
> --enable-valias

# make 
# make install-strip
Now is the right time yo set up reasonable defaults for your system. 
Vpopmail can set certain limits for domains. These limits are stored in the file .qmailadmin-limits, in the domain’s directory (i.e. ~vpopmail/domains/test.com/.qmailadmin-limits).
If .qmailadmin-limits does not exist for a domain (or there is no entry for them in the limits table), then ~vpopmail/etc/vlimits.default is used. ~vpopmail/etc/vlimits.default *must* be present, and is installed with vpopmail automatically. You may edit it, but do not remove it.
Items that can be limited include:
  • Default Quota for new users (default_quota, in bytes) 
  • Default Maximum Message Count Quota for new users (default_maxmsgcount) 
  • Disable POP Access (disable_pop) 
  • Disable IMAP Access (disable_imap) 
  • Disable Dialup Access (disable_dialup) 
  • Disable Password Changing (disable_password_changing) 
  • Disable External Relay/Roaming Users (disable_external_relay) 
  • Disable SMTP AUTHORIZATION (disable_smtp) 
  • Disable SqWebMail Access (disable_webmail) 
Here is a sample .qmailadmin-limits file: 
# .qmailadmin-limits file. 
# Default limits file for users on a single domain. 
# maximums for each account type, -1 = unlimited 
maxpopaccounts -1 
maxaliases -1 
maxforwards -1 
maxautoresponders -1 
maxmailinglists -1 
# Default quota for newly created users (in bytes). 
# Example shows a user with a 1000MB quota and a limit of 100000 messages. 
# 
# 20MB = 20971520 
# 50MB = 52428800 
# 100Mb = 104857600 
# 200MB = 209715200 
# 500MB = 524288000 
# 1000MB = 1048576000 
# 
default_quota 1048576000
default_maxmsgcount 100000
# Uncomment the following lines to disable certain features 
#disable_pop 
#disable_imap 
#disable_dialup 
#disable_password_changing 
#disable_external_relay 
#disable_smtp 
#disable_webmail 
# 
# End. 
/var/vpopmail/etc/vlimits.default sets defaults for all domains. Adjust domain quota and domain max message count if you like to. Also adjust quota for new users and their max message count. Optionally, nominate a "default domain". Users in this domain can login to using just their username. Users from all other domains need to use their full email address as their login name. 
# echo 'yourdomain.com' > /var/vpopmail/etc/defaultdomain
Make the vpopmail libraries available to others: 
echo '/var/vpopmail/lib' >> /etc/ld.so.conf
ldconfig
[]
Qmail - Part 2
Now we can do the rest of the qmail installation. 
# cd /usr/local/src/smtp/netqmail-1.05/netqmail-1.05/
Edit conf-ld and append -lsyncdir and -lmysqlclient to the first line in this file make use of the syncdir library. 
# mv conf-ld conf-ld.bak
# cat conf-ld.bak | sed -e 's/cc -s/gcc -s -lsyncdir -lmysqlclient/' > conf-ld
# rm conf-ld.bak
Now can apply some more patches to qmail, namely Bill Shupp's toaster patch, the custom.patch, the greylisting patch, the ucspitls patch and make qmail again. 
Before you do this you probably want to edit the greylisting patch.
By default the greylisting patch will delay inbound mail from email addresses not currently whitelisted for 55 minutes. For me this is far too long. Tests show that a delay of just one minute still is 99% as effective. Please see the greylisting []. I find a delay of 2 minutes acceptable.
Change line 210 from looking like tihs: 
+#define DEFAULT_BLOCK_EXPIRE  55   /* minutes until email is accepted */
To look like this: 
+#define DEFAULT_BLOCK_EXPIRE  2   /* minutes until email is accepted */
If you later on wish to change the BLOCK_EXPIRE value, it can be set via an environment variable. Read the top of the patch. 
Then fix a library path. On line 53 and 54, exchange /usr/lib/libmysqlclient.a with /usr/lib/mysql/libmysqlclient.a. 
The ucspitls patch will add TLS capability to qmail-popup. This patch is derived from Scott Gifford's ucspitls patch found at . 
Finally, the patching: 
# bunzip2 -c ../../qmail-toaster-0.8.2.patch.bz2 | patch -p0
# patch -p0 <../../custom.patch
# patch -p0 <../../greylisting-20060105.patch
# patch -p2 <../../netqmail-1.05-ucspitls-pop-0.3.patch
After patching qmail/netqmail, you will need to setup the MySQL database for greylisting. You probably want to change the mysql database/auth info. You'll need to do so in dbdef.sql AND local_scan.c. Do not worry about the 192.168 subnet mentioned on line 68. We'll take care of that later. 
Uncomment line 8 and 9. Change the last part of line 9 in dbdef.sql from looking like this: 
identified by 'milter';
To look like this with your-own-relaydelay-password: 
indentified by 'your-own-relaydelay-password';
Also remove the word tables on line 9. 
Change line 20 in local_scan.c from looking like this: 
#define DEFAULT_MYSQLPASS "milter"
To look like this with the your-own-relaydelay-password: 
#define DEFAULT_MYSQLPASS "your-own-relaydelay-password"
chmod 700 dbdef.sql local_scan.c 
When you are done you can set up the database by simply issuing: 
# mysql --password=mysql-root-password < dbdef.sql
Edit line 5 in Makefile. Exchange /home/ with /var/. 
Edit line 1580 in Makefile to look like this: 
      tls.o ssl_timeoutio.o -lmysqlclient -L/usr/lib/openssl -lssl -lcrypto \
Edit line 1677 in Makefile to look like this: 
      constmap.o tls.o ssl_timeoutio.o ndelay.a -lmysqlclient -L/usr/lib/openssl -lssl -lcrypto \
Edit conf-cc. Exchange home with var and /usr/local/ssl/include with /usr/include/openssl. 
Edit qmail-smtpd.c. Delete the line #define CRAM_MD5. 
This should not be neccesary but it won't compile without: 
# cp fork.h2 fork.h
Now we can make the final version of qmail. 
# make clean
# make
# make setup check
Enabling the envelope check. This setting causes qmail-smtpd to reject messages where the domain portion of the envelope sender is not a valid domain (i.e. it has an MX record.) When combined with a mechanism to make certain domain names appear to not exist, it can make for an effective way to reduce the amount of spam received by rejecting messages which claim to be from certain domain names. 
To use this check, create the file '/var/qmail/control/mfcheck which contains "1" (or any non-zero number) to enable the check, or "0" to disable it (the default is disabled.) You can also create an environment variable MFCHECK which contains either "1" or "0", and this number will override the control file. 
# echo 1 > /var/qmail/control/mfcheck
Make the mfcheck persistent after reboot: 
# echo 'echo 1 > /var/qmail/control/mfcheck' >> /etc/rc.d/rc.local
Make the TLS certificate for qmail-smtpd 
# vi Makefile-cert.mk
Edit days to 3650 
# make cert
This will add servercert.pem to /var/qmail/control, and clientcert.pem as a link to servercert.pem. Also, make sure you run make tmprsadh, and setup the cron job for update_tmprsadh (per the TLS instructions) so that you don’t saturate your CPU with temp key generations. Periodical replacement can be done by crontab: 
# make tmprsadh
The files dh512.pem and dh1024.pem will be added to /var/qmail/control 
# cp update_tmprsadh /var/qmail/bin
Add this line to root’s crontab. 
# echo '01 01 * * * /var/qmail/bin/update_tmprsadh > /dev/null 2>&1' >> /var/spool/cron/crontabs/root
Create the /var/qmail/rc script 

 

#!/bin/sh
# Log to stdout
# Using /var/qmail/control/defaultdelivery from qmail-local
# to deliver messages by default.
exec env - PATH="/var/qmail/bin:$PATH" \
qmail-start "`cat /var/qmail/control/defaultdelivery`"
# End

Make the script executable.
# chmod 755 /var/qmail/rc
Define the delivery format. Read more about this in INSTALL.maildir in the qmail source. 
# echo './Maildir' > /var/qmail/control/defaultdelivery
# echo '20' > /var/qmail/control/concurrencyincoming
Arrange for a way to control qmail. 
# cd ../../
# chmod 755 qmailctl
# cp qmailctl /var/qmail/bin/
# ln -s /var/qmail/bin/qmailctl /usr/sbin/
A similar script is also available from  and . 
Make folders for the supervise scripts. The supervise scripts are used by daemontools to run services. 
# mkdir -p /etc/supervised/qmail-send/log 
# mkdir -p /etc/supervised/qmail-smtpd/log
After you are done setting up the directories you will need to create all of the controlling scripts. 
Edit /etc/supervised/qmail-send/run : 

 

#!/bin/sh 
exec /var/qmail/rc
# End

 
Edit /etc/supervised/qmail-send/log/run: 

 

#!/bin/sh 
exec /usr/local/bin/setuidgid qmaill \
/usr/local/bin/multilog t s10000000 /var/log/qmail/send
# End 

Edit /etc/supervised/qmail-smtpd/run:

 

#!/bin/sh 
SMTPUID=`id -u vpopmail`
SMTPGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
LOCAL=`head -1 /var/qmail/control/me`
# Environment variable for greylisting BLOCK_EXPIRE=1  

if [ -z "$SMTPUID" -o -z "$SMTPGID" -o -z "$MAXSMTPD" -o -z "$LOCAL" ]; then
    echo SMTPUID, SMTPGID, MAXSMTPD or LOCAL is unset in 
    echo /etc/supervise/qmail-smtpd/run 
    exit 1
fi
# 
if [ ! -f /var/qmail/control/rcpthosts ]; then
    echo "No /var/qmail/control/rcpthosts!" 
    echo "Refusing to start SMTP listener because it'll create an open relay" 
    exit 1
fi
# 
exec /usr/local/bin/softlimit -m 40000000 \
/usr/local/bin/tcpserver -v -R -l "$LOCAL" \
-x /var/vpopmail/etc/tcp.smtp.cdb -c "$MAXSMTPD" \
-u "$SMTPUID" -g "$SMTPGID" 0 smtp \
/var/qmail/bin/qmail-smtpd \
/usr/local/bin/rblsmtpd -r relays.ordb.org -r bl.spamcop.net -r sbl-xbl.spamhaus.org -r dul.dnsbl.sorbs.net \
/var/vpopmail/bin/vchkpw /bin/true 2>&1
# End 

You may exchange or add more RBL's to rblsmtpd. Have a look at this page about using RBL's , and and for some comparison. Watch out for using non-free lists without subscribing to it first.
Edit /etc/supervised/qmail-smtpd/log/run: 

 

#!/bin/sh 
exec /usr/local/bin/setuidgid qmaill \
/usr/local/bin/multilog t s10000000 n30 /var/log/qmail/smtpd
# End

When you have taken care of all of the scripts, the last steps are to chmod the scripts, do some cleaning up, make the log directories and make daemontools aware of the new services.
# (cd /etc/supervised; find . -name run -exec chmod 755 {} \;) 
# (cd /etc/supervised; find . -name "*~" -exec rm {} \;)
# mkdir -p /var/log/qmail/smtpd 
# mkdir /var/log/qmail/send 
# chown -R qmaill /var/log/qmail
# ln -s /etc/supervised/qmail-send /service 
# ln -s /etc/supervised/qmail-smtpd /service 
# ln -s /var/qmail/bin/sendmail /usr/lib/
# ln -s /var/qmail/bin/sendmail /usr/sbin/
# /var/qmail/bin/qmailctl stop
Control realying. Read more about selective relaying here  and here . 
# echo '127.0.0.1:allow,RELAYCLIENT="",RBLSMTPD=""' >/var/vpopmail/etc/tcp.smtp
# echo '192.168.:allow,RELAYCLIENT="",RBLSMTPD=""' >>/var/vpopmail/etc/tcp.smtp
# echo ':allow' >>/var/vpopmail/etc/tcp.smtp 
 
Edit /var/vpopmail/etc/tcp.smtp: I found this one at  
#------------------------------------------------------
# DESCRIPTION OF THE RULES TO REMIND ME OF HOW THIS FILE WORKS
#
# If you set 'allow', this means that our mail server will allow
# the specified IP range to make a TCP connection to our server
#
# If you set 'deny', this means that our mail server will not allow
# the specified IP range to make a TCP connection to our server
#
# If you set RELAYCLIENT="", this means that the listed IP range is 
# allowed to relay mail through our server
#
# If you dont set RELAYCLIENT="", this means that the listed IP range
# will not be able to relay mail through our server
#
# If you set RBLSMTPD="", this means that the listed IP ranges will
# not be checked against any of the RBL databases
#
# If you set RBLSMTPD="some text here", this means that an RBL lookup
# wont be performed, but the mail will be rejected with the specified
# text as a 4xx temp error message
#
# If you set RBLSMTPD="-some text here", this means that an RBL lookup
# wont be performed, but the mail will be rejected with the specified
# text as a 5xx perm error message
#
# If you do not set RBLSMTPD="" or ="some text", then an RBL lookup
# will be performed. If the lookup is successful, then RBLSMTPD will
# return your custom error message (as specified in the -r parameter
# in smtpd supervise script)
#
#-----------------------------------------------------
# HERE ARE THE RULES! :
#-----------------------------------------------------
# BYPASS OPEN RELAY CHECKING FOR THESE IPS :
#
# These IPs are ones that we have setup so that they arent RBL checked.
# We have done this because these particular servers are RBL listed,
# and for whatever reason they can't/won't fix their open relay problem,
# and we still want to be able to receive mail from them.
# 
# reminder text goes here for this entry so we know the story...
#111.111.111.111:allow,RBLSMTPD=""
# reminder text goes here for this entry so we know the story...
#222.222.222.222:allow,RBLSMTPD=""
#
#-----------------------------------------------------------------
# DONT ALLOW THESE IPS TO SEND MAIL TO US :
#
# mailXX.offermail.net connecting regularly and sending invalid
# format messages causing exit with status 256 (bare linefeed normally)
# entry added 15/12/2001
# after looking at the mail coming from these servers it was found to be spam
#216.242.75.100-116:allow,RBLSMTPD="-Connections from this IP have been banned."
#
# heaps of spam from replyto of *@freeamateurhotties.com dec2001
#64.228.127.:allow,RBLSMTPD="-Connections refused due to spam from freeamateurhotties.com"
#154.20.94.:allow,RBLSMTPD="-Connections refused due to spam from freeamateurhotties.com"
#209.151.132.:allow,RBLSMTPD="-Connections refused due to spam from freeamateurhotties.com"
#216.18.85.:allow,RBLSMTPD="-Connections refused due to spam from freeamateurhotties.com"
#
#-----------------------------------------------------------------
# ALLOW THESE IPS TO RELAY MAIL THROUGH OUR SERVER
#
# Local class-c's from our LAN are allowed to relay,
# and we wont bother doing any RBL checking.
#123.123.123.:allow,RELAYCLIENT="",RBLSMTPD=""
#123.111.111.:allow,RELAYCLIENT="",RBLSMTPD=""
#
# Connections from localhost are allowed to relay 
# (because the WebMail server runs on localhost),
# and obviously there is no point trying to perform an RBL check.
127.0.0.1:allow,RELAYCLIENT="",RBLSMTPD=""
#
#-----------------------------------------------------------------
# ALLOW EVERYONE ELSE TO SEND US MAIL
#
# Everyone else can make connections to our server,
# but not allowed to relay
# RBL lookups are performed
:allow
Compile tcp.smtp to tcp.smtp.cdb 
# qmailctl cdb
Create system aliases so qmail knows where to forward mail. 
Use postmaster@hostname.yourdomain.com as sender in bounce messages rather than the default MAILER-DAEMON@hostname.yourdomain.com 
# echo 'postmaster' > /var/qmail/control/bouncefrom
Define how to handle "double bounces". The server admin has two choices here, either to receive double bounces or to discard them. If your server doesn't handle a lot of mail then it wouldn't hurt to receive all double bounces for the admin's inspection. But if your server handles a lot of mail, then it is more likely that you are going to want to discard double-bounces, because you will end up with potentially thousands of these every day. 
If you want to keep double-bounces, use these commands to nominate what email address to send them through to (eg doublebounce@yourdomain.com) : 
# echo 'doublebounce' > /var/qmail/control/doublebounceto
# echo 'yourdomain.com' > /var/qmail/control/doublebouncehost
Dont forget that you will need to make sure you have created a mailbox to receive these mails. You could use qmailadmin to create a dedicated mailbox, or perhaps setup an alias on an existing mailbox. 
Or if you would prefer to silently discard any doublebounces, then use these commands instead: 
# echo 'doublebounce' > /var/qmail/control/doublebounceto
# echo 'hostname.yourdomain.com' > /var/qmail/control/doublebouncehost
# echo '#' > ~alias/.qmail-doublebounce
# chmod 644 ~alias/.qmail-doublebounce
Set maximum message size to be 8Mb. This is highly optional. I do not set any limit. 
# echo '8000000' > /var/qmail/control/databytes
Populate badmailto so that mail with invalid address formatting gets rejected. 
# echo '# Reject mail containing invalid characters, brackets or multiple @' > /var/qmail/control/badmailto
# echo '[!%#:\*\^]' >> /var/qmail/control/badmailto
# echo '[\(\)]'         >> /var/qmail/control/badmailto
# echo '[\{\}]'         >> /var/qmail/control/badmailto
# echo '@.*@'           >> /var/qmail/control/badmailto
Set up the default domain for use where an address does not have a domain specified. 
# echo 'yourdomain.com' > /var/qmail/control/defaultdomain
Note, this following command is optional and important. Your choise depends on your ISP and Internet connection. 
As a method to stop unwanted mail, many mail servers (including this one) uses realtime blacklists (RBL's) to determine from whom they will accept mail. Some of these blacklists contain subnets of DULs (Dial-up User Lists) because dial-up users don't usually have their own SMTP mail server. These DULs may contain the subnets of IP-addresses given to ADSL and broadband subscribers of your ISP. This means that if your IP-address is in one of these lists, chanses are that mail from your server will be rejected. Luckily most ISPs have a SMTP server that you can relay outbound mail through, and thereby avoid the problem. 
If you want qmail to send all outbound mail via a particular mail server rather than to send it direct to the recipient's mail server, then this can be achieved with the smtproutes command. 
# echo ':yoursmarthost.yourdomain.com' > /var/qmail/control/smtproutes
Redirect any mail sent to root@yourdomain.com to 'me@yourdomain.com Redirect any mail sent to postmaster@yourdomain.com to 'me@yourdomain.com Redirect any mail sent to mailer-daemon@yourdomain.com to 'me@yourdomain.com Redirect any mail sent to abuse@yourdomain.com to 'me@yourdomain.com 
Exchange "me@yourdoain.com" with your own address. 
# echo 'me@yourdomain.com' > ~alias/.qmail-root
# echo 'me@yourdomain.com' > ~alias/.qmail-postmaster
# echo 'me@yourdomain.com' > ~alias/.qmail-mailer-daemon
# echo 'me@yourdomain.com' > ~alias/.qmail-abuse
# chmod 644 ~alias/.qmail-*
Now we should be able to start qmail. 
# qmailctl start
Verify that qmail is running 
# qmailctl stat
If not ok, run: 
# ps -efl | grep "service error" | grep -v grep
Do some tests as described in these qmail source files: TEST.delivery and TEST.receive 
[]
Greylisting Database Maintenance
By default the greylisting mechanism do not clean out expired entries in the database, and the relaytofrom table may benefit from being optimized regularly. Two cron jobs will take care of cleaning and optimizing the database. 
You should edit both of the greylisting-*.sh scripts, and set the same usename and password as in dbdef.sql. 
# chmod 700 greylisting-delete-expired.sh greylisting-optimize.sh
# cp greylisting-delete-expired.sh /etc/cron.hourly/
# cp greylisting-optimize.sh /etc/cron.daily/
The scripts look like this: 
grylisting-delete-expired.sh 

 

#!/bin/sh

# You should probably run this hourly

MYSQLHOST="localhost"
MYSQLUSER="milter"
MYSQLPASS="milter"
MYSQLDB="relaydelay"

mysql -h $MYSQLHOST -u $MYSQLUSER -p$MYSQLPASS $MYSQLDB -e \
"delete FROM  relaytofrom WHERE origin_type = \"AUTO\" and ( unix_timestamp(  )- unix_timestamp( record_expires )  >0 )"

greylisting-optimize.sh

 

#!/bin/sh

# You should probably run this daily

MYSQLHOST="localhost"
MYSQLUSER="milter"
MYSQLPASS="milter"
MYSQLDB="relaydelay"

mysql -h $MYSQLHOST -u $MYSQLUSER -p$MYSQLPASS $MYSQLDB -e "OPTIMIZE TABLE relaytofrom"

 
Some mail servers need to be whitelisted for various reasons. See  
The  script takes care of whitelisting the entries in the file above. The whitelist_ip.txt file is dynamic, but it dosent change very often. Edit the greylisting-whitelist.sh script and change the database username/password to be the same as in dbdef.sql AND local_scan.c. Then: 
# chmod 700 greylisting-whitelist.sh
# mv greylisting-whitelist.sh /etc/cron.daily/
See the bottom of greylist-stuff-mysql.sql.txt found at  and 
for reporting of stopped mail.
TODO: Make a reporting script, and put it in the monitoring section.
[]
qmail-notify
qmail notify is a program to notify senders of email about email that for some reason has been held in the qmail queue. qmail-notify was written by Bruce Guenter. 
# tar zxf qmail-notify-0.93.tar.gz
# cd qmail-notify-0.93/
# make
# ./installer
Configuration: 
The simple usage is to put qmail-notify into an hourly cron job. For more details on the options, run qmail-notify -h. 
To use an alternate response message, save the message to a file and specify the path to the file with the -f option. The file must contain three instances of %s. The first is replaced with the server's hostname; the second is replaced with the notification delay (controlled by the -t option); the third is replaced with the message lifetime (controled by the qmail control/queuelifetime file). 
Make a cron job for qmail-notify. 
# echo '50 * * * * /usr/local/bin/qmail-notify 1> /dev/null' >> /var/spool/cron/crontabs/root
[]
Update $PATH
/var/qmail/bin, and /var/vpopmail/bin should be added to roots $PATH in /etc/profile. Just add the two new paths to the $PATH variable in /etc/profile. The PATH line for the root user should look something like this PATH=/usr/local/sbin:/usr/sbin:/sbin:/var/qmail/bin:/var/vpopmail/bin:$PATH. 
Also update the MANPATH in /etc/profile to include /var/qmail/man. 
Thats it for the SMTP service. Monitoring, reporting and logging options for the SMTP service is in the monitoring section. 
Next out is secure SMTP. 
[]
SMTPDS
This is an optional section for setting up an SSL enabled SMTP service. 
Put the shell script qmail-stunnel-wrapper in /var/qmail/bin/. The qmail-stunnel-wrapper script was written by Japheth Cleaver. 
Set up the new qmail-smtpds service. 
# cp qmail-stunnel-wrapper /var/qmail/bin/
# mkdir -p /etc/supervised/qmail-smtpds/log
Create the controlling scripts. 
Edit /etc/supervised/qmail-smtpds/run: 

 

#!/bin/sh 
SMTPUID=`id -u vpopmail`
SMTPGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
LOCAL=`head -1 /var/qmail/control/me`
# Environment variable for greylisting BLOCK_EXPIRE=1  

if [ -z "$SMTPUID" -o -z "$SMTPGID" -o -z "$MAXSMTPD" -o -z "$LOCAL" ] then
    echo SMTPUID, SMTPGID, MAXSMTPD or LOCAL is unset in 
    echo /etc/supervise/qmail-smtpds/run 
    exit 1
fi
# 
if [ ! -f /var/qmail/control/rcpthosts ] then
    echo "No /var/qmail/control/rcpthosts!" 
    echo "Refusing to start SMTP-SSL listener because it'll create an open relay" 
    exit 1
fi
# 
exec /usr/local/bin/softlimit -m 40000000 \
/usr/local/bin/tcpserver -v -R -l "$LOCAL" \
-x /var/vpopmail/etc/tcp.smtp.cdb -c "$MAXSMTPD" \
-u "$SMTPUID" -g "$SMTPGID" 0 465 \
/var/qmail/bin/qmail-stunnel-wrapper.sh \
/var/qmail/control/servercert.pem \
/var/qmail/bin/qmail-smtpd \
/usr/local/bin/rblsmtpd -r relays.ordb.org -r bl.spamcop.net -r sbl-xbl.spamhaus.org -r dul.dnsbl.sorbs.net \
/var/vpopmail/bin/vchkpw /bin/true 2>&1
# End 

Edit /etc/supervised/qmail-smtpds/log/run:

 

#!/bin/sh 
exec /usr/local/bin/setuidgid qmaill \
/usr/local/bin/multilog t s10000000 n30 /var/log/qmail/smtpds
# End

then execute the following commands to finish up.
# chmod 755 /etc/supervised/qmail-smtpds/run
# chmod 755 /etc/supervised/qmail-smtpds/log/run
# mkdir -p /var/log/qmail/smtpds
# chown qmaill /var/log/qmail/smtpds
# ln -s /etc/supervised/qmail-smtpds /service 
[]
Testing the qmail installation
The inst_check script expects to find a supervise directory in /var/qmail, so lets create a link before vi run the script. the script also expects to find tcp.smtp in /etc/. Just ignore the error message about tcp.smtp. 
# ln -s /etc/supervise/ /var/qmail/
# ./inst_check
[]
Testing SMTP
If you run into trouble with these tests, please check your logs, and /var/vpopmail/etc/tcp.smtp. 
Replace vaild-address@somewhere.com vith a vaild address you can check. 
First add a domain and a user just for testing. 
# vadddomain test.com
# vadduser test@test.com
I am using the password 'testpass' for the test account. 
Now use telnet to communicate with qmail-smtpd. Text in blue are responses from qmail-smtpd. 
Test 1. Allow relaying from localhost. 

 
# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 host.domain.tld ESMTP
ehlo example.com
250-host.domain.tld
250-STARTTLS
250-PIPELINING
250-8BITMIME
250-SIZE 0
250 AUTH LOGIN PLAIN
mail from: 
250 ok
rcpt to: 
250 ok
data
354 go ahead
From: noone 
To: valid-address 
Subject: Testing SMTP relaying from localhost

Test-text
.
250 ok 1149190475 qp 3089
quit
221 host.domain.tld
Connection closed by foreign host.
#

Test 2. Allow others to send mail to valid users.
First comment the 127 -line in /var/vpopmail/etc/tcp.smtp, and run qmailctl cdb. This is to stop the allowed relaying from localhost. Then: 

 
# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 host.domain.tld ESMTP
ehlo example.com
250-host.domain.tld
250-STARTTLS
250-PIPELINING
250-8BITMIME
250-SIZE 0
250 AUTH LOGIN PLAIN
mail from: 
250 ok
rcpt to: 
250 ok
data
354 go ahead
From: vaild-address 
To: test 
Subject: Testing SMTP to valid user

Test-text
.
250 ok 1149194426 qp 3151
quit
221 host.domain.tld
Connection closed by foreign host.
#

Test 3. Disallow others to send mail to invalid users.
# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 host.domain.tld ESMTP
ehlo example.com
250-host.domain.tld
250-STARTTLS
250-PIPELINING
250-8BITMIME
250-SIZE 0
250 AUTH LOGIN PLAIN
mail from: 
250 ok
rcpt to: 
511 sorry, no mailbox here by that name (#5.1.1 - chkuser)
quit
221 host.domain.tld
Connection closed by foreign host.
#

Test 4. Disallow relaying when no RELAYCLIENT="" (127 still commented in tcp.smtp).

 
# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 host.domain.tld ESMTP
ehlo example.com
250-host.domain.tld
250-STARTTLS
250-PIPELINING
250-8BITMIME
250-SIZE 0
250 AUTH LOGIN PLAIN
mail from: 
250 ok
rcpt to: 
553 sorry, that domain isn't in my list of allowed rcpthosts (#5.5.3 - chkuser)
quit
221 host.domain.tld
Connection closed by foreign host.
#

 
Test 5. Allow relaying even if no RELAYCLIENT="", after connected user is authenticated. 
First you have to base64 encode the username and password. Here is one way to do it: 
# printf '\000test\@test.com\000testpass' | mimencode
AHRlc3RAdGVzdC5jb20AdGVzdHBhc3M=
# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 host.domain.tld ESMTP
ehlo example.com
250-host.domain.tld
250-STARTTLS
250-PIPELINING
250-8BITMIME
250-SIZE 0
250 AUTH LOGIN PLAIN
AUTH PLAIN AHRlc3RAdGVzdC5jb20AdGVzdHBhc3M=
235 ok, go ahead (#2.0.0)
mail from: 
250 ok
rcpt to: 
250 ok
data
354 go ahead
From: vaild-address 
To: test 
Subject: Testing SMTP relaying after auth

Test-text
.
250 ok 1149195891 qp 3220
quit
221 host.domain.tld
Connection closed by foreign host.
#

Test 6. Failed authenticateion
First create base64 encoding of auth request with false password: 
# printf '\000test@test.com\000falsepass' | mimencode
AHRlc3RAdGVzdC5jb20AZmFsc2VwYXNz
# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 host.domain.tld ESMTP
ehlo example.com
250-host.domain.tld
250-STARTTLS
250-PIPELINING
250-8BITMIME
250-SIZE 0
250 AUTH LOGIN PLAIN
AUTH PLAIN AHRlc3RAdGVzdC5jb20AZmFsc2VwYXNz
535 authentication failed (#5.7.1)
quit
221 host.domain.tld
Connection closed by foreign host.

Test 7. Testing TLS
Issue the following command to check that TLS is working. You should see the certificate exchange, and then the complete banner as in the tests above. The ehlo command will be sent by openssl. Try sending a message to a valid user. 
# openssl s_client -starttls smtp -crlf -connect 127.0.0.1:25
If you have set up the smtpds service, test it with the following command. 
# openssl s_client -crlf -connect 1.2.3.4:465
You should see the certificate exchange, and then the first part of the banner. The ehlo command will not be sent by openssl. Try sending a message. 
Now read the TEST.deliver and TEST.receive files in the qmail source. 
If you have trouble with any supervised service, try to run it manually: cd /service/trouble-service/; svc -d .; ./run. stop it with CTRL-D. 
Also check for service errors by doing a ps aux | grep readproctitle 

Now it is time to set up .
阅读(10008) | 评论(0) | 转发(0) |
给主人留下些什么吧!~~